Friday, November 20, 2009

Advanced Digi Discovery Protocol Notes

This is a continuation of my previous post.

So I've come further in my analysis of the ADDP protocol. I've got what is almost a complete breakdown, only missing the definition of 2 fields and a few error codes I haven't seen yet.

I haven't formalized it yet, though all the required information is contained in this summary. With it and some common sense you can create a working implementation. I'll formalize it over the weekend for those of you who appreciate such things (edit: See my new post 'Advanced Digi Discovery Protocol Explained').

Also have a look at: JDigiDiscover. It's what I have so far for an implementation. It's not done yet, either. And *cough* excuse the 70 minute GUI job.

Here are some notes. Have fun.
++++++++++++++++++++++++++++++++++
+ Packet Examples and Breakdowns +
++++++++++++++++++++++++++++++++++

Discovery Request:
---------------------------------------------------------------------------------
0000 44 49 47 49 00 01 00 06 ff ff ff ff ff ff DIGI..........

Discovery Response:
---------------------------------------------------------------------------------
0000 44 49 47 49 00 02 00 60 01 06 00 40 9d 31 a9 0a DIGI...`...@.1..
0010 02 04 0a 00 00 e7 03 04 ff ff ff 00 0b 04 0a 00 ................
0020 00 01 0d 0f 44 69 67 69 20 43 6f 6e 6e 65 63 74 ....Digi Connect
0030 20 4d 45 10 01 00 07 01 00 08 1e 56 65 72 73 69 ME........Versi
0040 6f 6e 20 38 32 30 30 30 38 35 36 5f 46 36 20 30 on 82000856_F6 0
0050 37 2f 32 31 2f 32 30 30 36 0e 04 00 00 03 03 13 7/21/2006.......
0060 04 00 00 04 03 12 01 01 ........

Configuration Request:
---------------------------------------------------------------------------------
0000 44 49 47 49 00 03 00 17 0a 00 00 e7 ff ff ff 00 DIGI............
0010 0a 00 00 01 00 40 9d 31 a9 0a 04 64 62 70 73 .....@.1...dbps

Configuration Success Response:
---------------------------------------------------------------------------------
0000 44 49 47 49 00 04 00 28 0a 01 00 09 14 4f 70 65 DIGI...(.....Ope
0010 72 61 74 69 6f 6e 20 53 75 63 63 65 73 73 66 75 ration Successfu
0020 6c 11 01 00 01 06 00 40 9d 31 a9 0a 0c 02 00 01 l......@.1......

Configuration Failure Response:
---------------------------------------------------------------------------------
0000 44 49 47 49 00 04 00 29 0a 01 ff 09 19 55 6e 61 DIGI...).....Una
0010 62 6c 65 20 74 6f 20 6c 6f 61 64 2f 73 61 76 65 ble to load/save
0020 20 76 61 6c 75 65 11 01 06 01 06 00 40 9d 31 99 value......@.1.
0030 de .

Reboot Request:
---------------------------------------------------------------------------------
0000 44 49 47 49 00 05 00 0b 00 40 9d 31 a9 0a 04 64 DIGI.....@.1...d
0010 62 70 73 bps

Reboot Response:
---------------------------------------------------------------------------------
0000 44 49 47 49 00 06 00 24 0a 01 00 09 14 4f 70 65 DIGI...$.....Ope
0010 72 61 74 69 6f 6e 20 53 75 63 63 65 73 73 66 75 ration Successfu
0020 6c 11 01 00 01 06 00 40 9d 31 a9 0a l......@.1..

Discovery Request Breakdown:
---------------------------------------------------------------------------------
44 49 47 49 DIGI - Magic
00 01 .. - Packet type (0001)
00 06 .. - Payload size (6 bytes)
ff ff ff ff ff ff ...... - Target MAC (ff:ff:ff:ff:ff:ff, the broadcast address)

Discovery Response Breakdown (104 bytes; the packet dumped above):
---------------------------------------------------------------------------------
Every field after the header is one type byte, one length byte, then the value.
44 49 47 49 DIGI - Magic
00 02 .. - Packet type (0002)
00 60 .` - Payload size (96 bytes)
01 06 00 40 9d 31 a9 0a ...@.1.. - MAC address
02 04 0a 00 00 e7 ...... - IP Address (10.0.0.231)
03 04 ff ff ff 00 ...... - Subnet Mask (255.255.255.0)
0b 04 0a 00 00 01 ...... - Gateway Address (10.0.0.1)
0d 0f 44 69 67 69 20 43 ..Digi C
6f 6e 6e 65 63 74 20 4d 45 onnect ME - Device Name
10 01 00 ... - DHCP Enabled flag (0x00 = disabled)
07 01 00 ... - ??
08 1e 56 65 72 ..Ver
73 69 6f 6e 20 38 32 30 30 sion 8200
30 38 35 36 5f 46 36 20 30 0856_F6 0
37 2f 32 31 2f 32 30 30 36 7/21/2006 - Software Version
0e 04 00 00 03 03 ...... - Real Port (771)
13 04 00 00 04 03 ...... - Encrypted Real Port (1027)
12 01 01 . - Serial port count

A second device (MAC 00:40:9d:31:99:de, IP 10.0.0.180, gateway 0.0.0.0, DHCP flag 0x01)
answered with the same fields in the same order plus one extra field between the DHCP flag
and field 0x07, so its payload is 102 (0x66) bytes instead of 96:
0f 04 0a 00 00 04 ...... - SNMP Traps Host ??

Configuration Request Breakdown (31 bytes; fixed layout, no type/length bytes)
---------------------------------------------------------------------------------
44 49 47 49 DIGI - Magic
00 03 .. - Packet type (0003)
00 17 .. - Payload size (23 bytes)
0a 00 00 e7 .... - New IP Address
ff ff ff 00 .... - New Subnet Mask
0a 00 00 01 .... - New Gateway
00 40 9d 31 a9 0a .@.1.. - Target MAC Address
04 64 62 70 73 .dbps - Authentication Data (length byte 0x04, then the string "dbps")

Configuration Success Response Breakdown
---------------------------------------------------------------------------------
44 49 47 49 DIGI - Magic
00 04 .. - Packet type (0004)
00 28 .( - Payload size (40 bytes)
0a 01 00 ... - Result flag (see codes below)
09 14 4f 70 ..Op
65 72 61 74 69 6f 6e 20 53 eration S
75 63 63 65 73 73 66 75 6c uccessful - Result Message
11 01 00 ... - Error code. (see codes below)
01 06 00 40 9d 31 a9 0a ...@.1.. - Mac Address
0c 02 00 01 .... - Configuration Error Code

Reboot Request Breakdown
---------------------------------------------------------------------------------
44 49 47 49 DIGI - Magic
00 05 .. - Packet type (0005)
00 0b .. - Payload size (11 bytes)
00 40 9d 31 a9 0a ...... - Target MAC
04 64 62 70 73 .dbps - Authentication Data (length byte 0x04, then the string "dbps")

Reboot Response Breakdown
---------------------------------------------------------------------------------
44 49 47 49 DIGI - Magic
00 06 .. - Packet type (0006)
00 24 .$ - Payload size (36 bytes)
0a 01 00 ... - Result flag (see codes below)
09 14 4f 70 ..Op
65 72 61 74 69 6f 6e 20 53 eration S
75 63 63 65 73 73 66 75 6c uccessful - Result Message
11 01 00 ... - Error code
01 06 00 40 9d 31 a9 0a ...@.1.. - Mac Address

+++++++++
+ Codes +
+++++++++
Packet Types:
0x0001: Discovery Request
0x0002: Discovery Response
0x0003: Static Network Configuration Request
0x0004: Static Network Configuration Response
0x0005: Reboot Request
0x0006: Reboot Response
0x0007: DHCP Network Configuration Request
0x0008: DHCP Network Configuration Response

Field Types:
0x01: 6 byte MAC address
0x02: 4 byte IP address
0x03: 4 byte Netmask
0x04: String Network Name
0x05: UNSEEN
0x06: UNSEEN
0x07: 1 byte - UNKNOWN - seen in discovery responses
0x08: String Firmware
0x09: String Result message
0x0a: 1 byte Result flag - see "Result Flags"
0x0b: 4 byte IP Gateway
0x0c: 2 byte Configuration error code - see "Configuration Errors"
0x0d: String device name
0x0e: 4 byte Real Port number
0x0f: 4 byte SNMP Traps host IP address ??
0x10: 1 byte DHCP Enabled flag. 0x01 = enabled, 0x00 = disabled
0x11: 1 byte Error code
0x12: 1 byte Serial Port Count
0x13: 4 byte Encrypted Real Port number

Error codes (0x11):
0x00: Success
0x01: Authentication Failure
0x03: Invalid Value
0x06: Unable to save value

Result flags (0x0a):
0x00: Success
0xff: Error

Configuration Errors (0x0c):
0x0001: Digi in different subnet than sender
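
The layouts and code tables above, as an added Python example (editor's code, not from this post and not from JDigiDiscover): it builds the three request types with the fixed layouts shown in the breakdowns and parses the type/length/value responses, checking the header's payload length and every field's length against the bytes actually present. The function and key names are my own choice; the two embedded response packets are the Discovery Response and Configuration Failure Response dumped above, copied byte for byte, and the builders reproduce the dumped Configuration Request and Reboot Request exactly.

```python
"""Encoder/decoder for the ADDP packets documented on this page (Python 3, stdlib only)."""
import struct

MAGIC = b"DIGI"

# Packet types (from the "Packet Types" table)
DISCOVERY_REQ, DISCOVERY_RESP = 0x0001, 0x0002
STATIC_CONF_REQ, STATIC_CONF_RESP = 0x0003, 0x0004
REBOOT_REQ, REBOOT_RESP = 0x0005, 0x0006

# Response field types (from the "Field Types" table); the key names are my own
FIELD_NAMES = {
    0x01: "mac", 0x02: "ip", 0x03: "netmask", 0x04: "network_name",
    0x07: "unknown_0x07", 0x08: "firmware", 0x09: "result_message",
    0x0a: "result_flag", 0x0b: "gateway", 0x0c: "config_error",
    0x0d: "device_name", 0x0e: "realport", 0x0f: "snmp_trap_host",
    0x10: "dhcp_enabled", 0x11: "error_code", 0x12: "serial_port_count",
    0x13: "encrypted_realport",
}
IP_FIELDS = {0x02, 0x03, 0x0b, 0x0f}
STRING_FIELDS = {0x04, 0x08, 0x09, 0x0d}
INT_FIELDS = {0x07, 0x0a, 0x0c, 0x0e, 0x10, 0x11, 0x12, 0x13}   # big-endian unsigned

def ip_bytes(dotted):
    return bytes(int(p) for p in dotted.split("."))

def mac_bytes(colon_hex):
    return bytes.fromhex(colon_hex.replace(":", ""))

def build_packet(ptype, payload):
    # 4-byte magic, 2-byte type, 2-byte payload length, all big-endian
    return MAGIC + struct.pack(">HH", ptype, len(payload)) + payload

def build_discovery_request(mac="ff:ff:ff:ff:ff:ff"):
    return build_packet(DISCOVERY_REQ, mac_bytes(mac))

def build_config_request(ip, netmask, gateway, mac, password=b"dbps"):
    # Fixed layout (not TLV): ip, mask, gateway, target MAC, then length-prefixed password
    payload = ip_bytes(ip) + ip_bytes(netmask) + ip_bytes(gateway) + mac_bytes(mac)
    return build_packet(STATIC_CONF_REQ, payload + bytes([len(password)]) + password)

def build_reboot_request(mac, password=b"dbps"):
    return build_packet(REBOOT_REQ, mac_bytes(mac) + bytes([len(password)]) + password)

def parse_header(data):
    if len(data) < 8 or data[:4] != MAGIC:
        raise ValueError("not an ADDP packet")
    ptype, plen = struct.unpack(">HH", data[4:8])
    if plen != len(data) - 8:
        raise ValueError(f"header says {plen} payload bytes, {len(data) - 8} present")
    return ptype, data[8:]

def decode_value(ftype, raw):
    if ftype == 0x01:
        return ":".join(f"{b:02x}" for b in raw)
    if ftype in IP_FIELDS:
        return ".".join(str(b) for b in raw)
    if ftype in STRING_FIELDS:
        return raw.decode("ascii", errors="replace")
    if ftype in INT_FIELDS:
        return int.from_bytes(raw, "big")
    return raw.hex()   # unknown type: keep the raw bytes

def parse_response(data):
    """Parse a type/length/value response (0x0002, 0x0004, 0x0006) into a dict."""
    ptype, payload = parse_header(data)
    fields, pos = {}, 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated field header")
        ftype, flen = payload[pos], payload[pos + 1]
        raw = payload[pos + 2:pos + 2 + flen]
        if len(raw) != flen:
            raise ValueError(f"field 0x{ftype:02x} runs past end of payload")
        fields[FIELD_NAMES.get(ftype, f"field_0x{ftype:02x}")] = decode_value(ftype, raw)
        pos += 2 + flen
    return ptype, fields

# Copied from the hex dumps above: Discovery Response and Configuration Failure Response
DISCOVERY_RESPONSE = bytes.fromhex("""
44 49 47 49 00 02 00 60 01 06 00 40 9d 31 a9 0a
02 04 0a 00 00 e7 03 04 ff ff ff 00 0b 04 0a 00
00 01 0d 0f 44 69 67 69 20 43 6f 6e 6e 65 63 74
20 4d 45 10 01 00 07 01 00 08 1e 56 65 72 73 69
6f 6e 20 38 32 30 30 30 38 35 36 5f 46 36 20 30
37 2f 32 31 2f 32 30 30 36 0e 04 00 00 03 03 13
04 00 00 04 03 12 01 01
""")
CONFIG_FAILURE = bytes.fromhex("""
44 49 47 49 00 04 00 29 0a 01 ff 09 19 55 6e 61
62 6c 65 20 74 6f 20 6c 6f 61 64 2f 73 61 76 65
20 76 61 6c 75 65 11 01 06 01 06 00 40 9d 31 99
de
""")

if __name__ == "__main__":
    for pkt in (DISCOVERY_RESPONSE, CONFIG_FAILURE):
        ptype, fields = parse_response(pkt)
        print(f"type 0x{ptype:04x}: {fields}")
    print(build_config_request("10.0.0.231", "255.255.255.0", "10.0.0.1", "00:40:9d:31:a9:0a").hex())
```

Putting the packets on the wire is an ordinary UDP socket send and is left out so the block runs offline. The two length checks in parse_header and parse_response are the part worth keeping in any real implementation: a response whose header length or field length disagrees with the datagram size is either corrupt or hostile, and the parser should refuse it rather than read past the end.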

+++++++++
+ Notes +
+++++++++
Authentication data in "Configuration Request" and "Reboot Request" packets. This is an oddity.
I frankly don't know why they have this in there. I doubt they're using decryption and this
information is needed for the key, since these packets are used for initial configuration.
Further, this value doesn't change when you change your root user's password. Frankly it
can't, because the Digi tool doesn't prompt for a password, and this "has" to always work, or
at least I figure they meant for it to always work (unless explicitly disabled).

It's a very insecure way of doing it. They might as well have left out the password. I guess it
decreases the chance of a corrupt packet reconfiguring the device. It certainly doesn't block
hackers. A more secure option would probably have been to do a packet challenge and, based on
the response, encrypt a string and send it to the device. This way it's very difficult to
discover, as people would need to reverse engineer this challenge algorithm.

This design sort of indicates to me a 9th packet type, which is a factory default reset packet.
Their style certainly makes this possible.
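
Since the password is a fixed cleartext string sent with every reconfiguration and reboot request, the practical defensive control is to watch for those request types on the wire. As an added example (editor's code, not from this post or from JDigiDiscover), the detector below inspects captured UDP payloads, reports the target MAC and the password of any static-configuration or reboot request, and flags the "dbps" value. The fixed offsets for types 0x0003 and 0x0005 come from the breakdowns above; type 0x0007 has no dump on this page, so it is only reported by type. The addresses in SAMPLE_TRAFFIC are made up; its packet bytes are the Discovery Request and Configuration Request dumped above, the Reboot Request with "dbps" swapped for "abcd", and one non-ADDP datagram.

```python
"""Passive detector for ADDP requests that carry the fixed cleartext password."""
import struct

MAGIC = b"DIGI"
DEFAULT_PASSWORD = b"dbps"   # the value seen in every request dumped on this page
# Request types that change or reboot a device (from the Packet Types table)
PRIVILEGED = {0x0003: "static network configuration",
              0x0005: "reboot",
              0x0007: "DHCP network configuration"}
# Offset of the target MAC in the payload, from the breakdowns above:
# 0x0003 has ip/mask/gateway (12 bytes) first, 0x0005 starts with the MAC.
# 0x0007 is not dumped on this page, so its layout is unknown and not parsed.
MAC_OFFSET = {0x0003: 12, 0x0005: 0}

def inspect_addp(datagram):
    """Return a finding dict for a privileged ADDP request, or None for anything else."""
    if len(datagram) < 8 or datagram[:4] != MAGIC:
        return None
    ptype, plen = struct.unpack(">HH", datagram[4:8])
    body = datagram[8:]
    if ptype not in PRIVILEGED or len(body) != plen:
        return None
    finding = {"type": ptype, "action": PRIVILEGED[ptype]}
    off = MAC_OFFSET.get(ptype)
    if off is not None and len(body) >= off + 7:
        mac = body[off:off + 6]
        pw_len = body[off + 6]                 # length byte, then the password itself
        pw = body[off + 7:off + 7 + pw_len]
        finding["target_mac"] = ":".join(f"{b:02x}" for b in mac)
        finding["password"] = pw.decode("ascii", "replace")
        finding["default_password"] = pw == DEFAULT_PASSWORD
    return finding

def scan(datagrams):
    """datagrams: iterable of (src_ip, dst_ip, udp_payload). Returns one alert per hit."""
    alerts = []
    for src, dst, payload in datagrams:
        finding = inspect_addp(payload)
        if finding is not None:
            alerts.append({"src": src, "dst": dst, **finding})
    return alerts

# Constructed sample traffic: the addresses are made up. Payloads are the dumped
# Discovery Request, the dumped Configuration Request, the dumped Reboot Request
# with "dbps" replaced by "abcd", and a datagram that is not ADDP at all.
SAMPLE_TRAFFIC = [
    ("10.0.0.5", "255.255.255.255", bytes.fromhex("44494749 00010006 ffffffffffff")),
    ("10.0.0.5", "255.255.255.255", bytes.fromhex(
        "44494749 00030017 0a0000e7 ffffff00 0a000001 00409d31a90a 04 64627073")),
    ("10.0.0.9", "255.255.255.255", bytes.fromhex(
        "44494749 0005000b 00409d31a90a 04 61626364")),
    ("10.0.0.9", "10.0.0.231", b"GET / HTTP/1.0\r\n\r\n"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_TRAFFIC):
        print(alert)
```

Any alert from this is worth acting on, default password or not: on a segment where the management station is known, a configuration or reboot request from any other source address is the signal, because the protocol itself gives the device no way to tell them apart.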

+++++++++
+ Todos +
+++++++++
1. Investigate the possibility of more packets.
2. Find the purpose of field 0x07
3. Find more error codes.
4. See if fields 0x05 and 0x06 exist and what they're for.
5. Investigate whether fields above 0x13 exist.
