Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
# -*- coding: binary -*-
2

3
module Rex
4
module Proto
5
module ACPP
6
  # From what I've been able to gather from the very limited findings on the
7
  # web about this protocol, playing with it against a real Airport device and
8
  # referencing the airport-utils package in Debian/Ubuntu, the format of (at
9
  # least) the login message is:
10
  #
11
  # acpp            # the header tag, always exactly acpp (4 bytes)
12
  # unknown1        # unknown 4-byte field.  Almost always 0x00000001
13
  # messageChecksum # checksum of the message, 4 bytes
14
  # payloadChecksum # checksum of the payload, 4 bytes
15
  # payloadSize     # size of the payload, 4 bytes
16
  # unknown2        # unknown 8-byte field.  probably some sort of
17
  #                   request/response identifier.  generally 0 for requests, 1 for replies
18
  # messageType     # the type of message, 4 bytes.  see below.
19
  # status          # the status of this message, 4 bytes.
20
  #                   generally 0 for success and !0 for failure.
21
  # unknown3        # unknown 12-byte field, seemingly always 0.  Probably 'reserved'
22
  # password        # 32-byte password, 'encrypted' by XOR'ing it with a 256-byte static key (see XOR_KEY)
23
  # unknown4        # unknown 48-byte field, always 0.
24
  #
25
  # There are several possible message types:
26
  #
27
  #   * 20 -- retrieve settings (payload is some list of settings to obtain)
28
  #   * 21 -- update settings (and if the 'acRB' setting is set, it reboots)
29
  #   * 3  -- Upload firmware
30
  #
31
  # TODO: if you find more, add them above.
32
  #
33
  # When the message type is anything other than 20 or 3, payloadSize is set to -1 and
34
  # payloadChecksum is set to 1.  It may be a bug that 21 doesn't look at the
35
  # checksum.  Adler32 is used to compute the checksum.
36
  #
37
  # The message payload is a bit of an unknown right now, as it *seems* like
38
  # the payload always comes in a subsequent request.  Simply appending
39
  # a payload to the existing message does not appear to work (but this needs
40
  # more testing)
41

42
  # This was taken from airport-util's AirportInforRecord for ease of copying, but can
43
  # also be obtained by XOR'ing the null-padded known plain text with the appropriate 32-byte
44
  # ciphertext from an airport-util request
45
  XOR_KEY = [
46
    14, 57, -8, 5, -60, 1, 85, 79, 12, -84,
47
    -123, 125, -122, -118, -75, 23, 62, 9, -56, 53,
48
    -12, 49, 101, 127, 60, -100, -75, 109, -106, -102,
49
    -91, 7, 46, 25, -40, 37, -28, 33, 117, 111,
50
    44, -116, -91, -99, 102, 106, 85, -9, -34, -23,
51
    40, -43, 20, -47, -123, -97, -36, 124, 85, -115,
52
    118, 122, 69, -25, -50, -7, 56, -59, 4, -63,
53
    -107, -113, -52, 108, 69, -67, 70, 74, 117, -41,
54
    -2, -55, 8, -11, 52, -15, -91, -65, -4, 92,
55
    117, -83, 86, 90, 101, -57, -18, -39, 24, -27,
56
    36, -31, -75, -81, -20, 76, 101, -35, 38, 42,
57
    21, -73, -98, -87, 104, -107, 84, -111, -59, -33,
58
    -100, 60, 21, -51, 54, 58, 5, -89, -114, -71,
59
    120, -123, 68, -127, -43, -49, -116, 44, 5, -3,
60
    6, 10, 53, -105, -66, -119, 72, -75, 116, -79,
61
    -27, -1, -68, 28, 53, -19, 22, 26, 37, -121,
62
    -82, -103, 88, -91, 100, -95, -11, -17, -84, 12,
63
    37, 29, -26, -22, -43, 119, 94, 105, -88, 85,
64
    -108, 81, 5, 31, 92, -4, -43, 13, -10, -6,
65
    -59, 103, 78, 121, -72, 69, -124, 65, 21, 15,
66
    76, -20, -59, 61, -58, -54, -11, 87, 126, 73,
67
    -120, 117, -76, 113, 37, 63, 124, -36, -11, 45,
68
    -42, -38, -27, 71, 110, 89, -104, 101, -92, 97,
69
    53, 47, 108, -52, -27, 93, -90, -86, -107, 55,
70
    30, 41, -24, 21, -44, 17, 69, 95, 28, -68,
71
    -107, 77, -74, -70, -123, 39
72
  ].pack("C*")
73

74
  class Message
75
    # @return [Integer] the type of this message
76
    attr_accessor :type
77
    # @return [String] the password to attempt to authenticate with
78
    attr_accessor :password
79
    # @return [String] the optional message payload
80
    attr_accessor :payload
81
    # @return [Integer] the status of this message
82
    attr_accessor :status
83

84
    def initialize
85
      @payload = ''
86
      @type = 0
87
      @status = 0
88
      @password = ''
89
      @unknown1 = 1
90
      @unknown2 = ''
91
      @unknown3 = ''
92
      @unknown4 = ''
93
    end
94

95
    # Determines if this message has a successful status code
96
    #
97
    # @return [Boolean] true iff @status is 0, false otherwise
98
    def successful?
99
      @status == 0
100
    end
101

102
    # Get this Message as a String
103
    #
104
    # @return [String] the string representation of this Message
105
    def to_s
106
      with_checksum(Zlib.adler32(with_checksum(0)))
107
    end
108

109
    # Compares this Message and another Message for equality
110
    #
111
    # @param other [Message] the Message to compare
112
    # @return [Boolean] true iff the two messages are equal, false otherwise
113
    def ==(other)
114
      other.type == @type &&
115
        other.status == @status &&
116
        other.password == @password &&
117
        other.payload == @payload
118
    end
119

120
    # Decodes the provided data into a Message
121
    #
122
    # @param data [String] the data to parse as a Message
123
    # @param validate_checksum [Boolean] true to validate the message and
124
    #   payload checksums, false to not.  Defaults to true.
125
    # @return [Message] the decoded Message
126
    def self.decode(data, validate_checksum = true)
127
      data = data.dup
128
      fail "Incorrect ACPP message size #{data.size} -- must be 128" unless data.size == 128
129
      fail 'Unexpected header' unless 'acpp' == data.slice!(0, 4)
130
      _unknown1 = data.slice!(0, 4)
131
      read_message_checksum = data.slice!(0, 4).unpack('N').first
132
      read_payload_checksum = data.slice!(0, 4).unpack('N').first
133
      _read_payload_size = data.slice!(0, 4).unpack('N').first
134
      _unknown2 = data.slice!(0, 8)
135
      type = data.slice!(0, 4).unpack('N').first
136
      status = data.slice!(0, 4).unpack('N').first
137
      _unknown3 = data.slice!(0, 12)
138
      password = Rex::Encoding::Xor::Generic.encode(data.slice!(0, 32), XOR_KEY).first.strip
139
      _unknown4 = data.slice!(0, 48)
140
      payload = data
141
      m = new
142
      m.type = type
143
      m.password = password
144
      m.status = status
145
      m.payload = payload
146

147
      # we can now validate the checksums if desired
148
      if validate_checksum
149
        actual_message_checksum = Zlib.adler32(m.with_checksum(0))
150
        if actual_message_checksum != read_message_checksum
151
          fail "Invalid message checksum (expected #{read_message_checksum}, calculated #{actual_message_checksum})"
152
        end
153
        # I'm not sure this can ever happen -- if the payload checksum is wrong, then the
154
        # message checksum will also be wrong.  So, either I misunderstand the protocol
155
        # or having two checksums is useless
156
        actual_payload_checksum = Zlib.adler32(payload)
157
        if actual_payload_checksum != read_payload_checksum
158
          fail "Invalid payload checksum (expected #{read_payload_checksum}, calculated #{actual_payload_checksum})"
159
        end
160
      end
161
      m
162
    end
163

164
    def with_checksum(message_checksum)
165
      [
166
        'acpp',
167
        @unknown1,
168
        message_checksum,
169
        Zlib.adler32(@payload),
170
        @payload.size,
171
        @unknown2,
172
        @type,
173
        @status,
174
        @unknown3,
175
        Rex::Encoding::Xor::Generic.encode([@password].pack('a32').slice(0, 32), XOR_KEY).first,
176
        @unknown4,
177
        payload
178
      ].pack('a4NNNNa8NNa12a32a48a*')
179
    end
180
  end
181
end
182
end
183
end
184

185