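# Find the correct IV by trying all combinations from hello packet
# Hello packet: 0E 00 70 00 01 00 34 9A 0F 0C A8 BC 0D B3 E6 07
#
# Handshake-debugging aid: given one captured client packet and the bytes of
# the hello packet, work out which hello-packet bytes must be recv_iv[2] and
# recv_iv[3] for the packet header check to pass, then list candidate IVs.
#
# Security-relevant caveats:
#   * The header check below ties only 16 bits of the IV to the constant 112.
#     It can detect a desynchronised or misparsed IV; it is not an integrity
#     or authentication check on the packet.
#   * recv_iv[0] and recv_iv[1] are not constrained by this check at all, so
#     every "Possible IV" printed at the end is unverified for those two bytes.
#     Confirm the final choice against the hello-packet field layout or by
#     decrypting a known payload.
#   * The IV candidates are read straight out of the hello packet, so the
#     secrecy of the IV is presumably not part of this protocol's security —
#     NOTE(review): confirm the hello packet is sent unencrypted.
import Bitwise

# Raw packet from client
packet = <<0x7C, 0xA8, 0x7B, 0xA8, 0xBF, 0x0A, 0xCD, 0xDE, 0xC7, 0x71, 0xAC>>

# NOTE(review): the binary pattern on this line did not survive on the page
# (only `<> = packet` is left, which does not compile). Reconstructed as a
# little-endian 16-bit read of the first two bytes, the reading that agrees
# with the seq_base layout below (recv_iv[2] = low byte, recv_iv[3] = high
# byte) — confirm against the original script.
<<raw_seq::little-integer-size(16), _rest::binary>> = packet

IO.puts("Raw packet: #{Base.encode16(packet)}")
IO.puts("raw_seq: 0x#{Integer.to_string(raw_seq, 16)} (#{raw_seq})")
IO.puts("")

# For header validation to pass: raw_seq ^ seq_base == 112
# XOR is its own inverse, so the required seq_base is raw_seq ^ 112.
target_seq_base = bxor(raw_seq, 112)
IO.puts("Need seq_base: 0x#{Integer.to_string(target_seq_base, 16)} (#{target_seq_base})")
IO.puts("")

# seq_base = (r2 & 0xFF) | ((r3 << 8) & 0xFF00)
# So: r2 = lower byte, r3 = upper byte
target_r2 = target_seq_base &&& 0xFF
target_r3 = (target_seq_base >>> 8) &&& 0xFF
IO.puts("Need recv_iv[2] = 0x#{Integer.to_string(target_r2, 16)} (#{target_r2})")
IO.puts("Need recv_iv[3] = 0x#{Integer.to_string(target_r3, 16)} (#{target_r3})")
IO.puts("")

# Bytes available in hello packet (positions 6-13):
# 34 9A 0F 0C A8 BC 0D B3
bytes = [0x34, 0x9A, 0x0F, 0x0C, 0xA8, 0xBC, 0x0D, 0xB3]
indexed = Enum.with_index(bytes)

IO.puts("Available bytes from hello packet:")

Enum.each(indexed, fn {b, i} ->
  IO.puts(" [#{i}]: 0x#{Integer.to_string(b, 16)}")
end)

IO.puts("")

# Find matching bytes: every (position, position) pair whose values equal the
# required recv_iv[2] / recv_iv[3]. Iteration order is i2 outer, i3 inner.
IO.puts("Looking for matches...")

matches =
  for {b2, i2} <- indexed,
      {b3, i3} <- indexed,
      b2 == target_r2 and b3 == target_r3 do
    {b2, i2, b3, i3}
  end

# Say so explicitly when nothing matches, instead of ending silently; that
# outcome means the IV is not in this byte window or the raw_seq read is wrong.
if matches == [] do
  IO.puts("No match: recv_iv[2]/recv_iv[3] not found among the available bytes")
end

Enum.each(matches, fn {b2, i2, b3, i3} ->
  IO.puts(
    "Found match! recv_iv[2]=0x#{Integer.to_string(b2, 16)} at [#{i2}], recv_iv[3]=0x#{Integer.to_string(b3, 16)} at [#{i3}]"
  )

  # Construct full IV (need to determine r0 and r1 too).
  # The header check says nothing about r0/r1, so enumerate every pair of
  # available bytes; these are candidates to verify, not results.
  for {b0, i0} <- indexed, {b1, i1} <- indexed do
    # The 4-byte binary was also lost from the page (`iv = <>`); rebuilt from
    # the index order printed in the message below.
    iv = <<b0, b1, b2, b3>>
    IO.puts(" Possible IV: #{Base.encode16(iv)} (bytes[#{i0}][#{i1}][#{i2}][#{i3}])")
  end
end)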