How to decrypt a XBEE S1 packet encrypted knowing the key?

Question

I sniffed a XBEE S1 packet and it's normally a full 802.15.4 packet. The AES encryption is enable on my module xbee s1 and I know the key. What is the algorithm to decrypt the data payload ?

Normally, in a 802.15.4 packet, there is the flag "Security level" that say what AES is used (AES-CCM, AES-CTR or AES-CBC). Here the flag is at 0 (None). I think that is AES-CTR, Wireshark can decrypt AES-CCM and it doesn't work. I looked in the 802.15.4 specification how to decrypt the AES-CTR and I think that I don't understand how the nonce is build because my decryption doesn't work. Can someone explain to me how to decrypt a XBEE S1 packet ?

Thanks !

score 0 · Accepted Answer · answered Mar 18 '15 at 09:54

I found why I couldn't decrypt the packet.

XBEE S1 modules use AES-CTR but they don't really respect the 802.15.4 specifications during encryption. The field of security reserved, the key id mode and the sec level are not in the packet however they should be... That shifts the reading of one byte.

And, normally, during encryption, the frame counter and the data payload must be used in big endian. With Xbee S1 modules, they are used in little endian.

How to decrypt a XBEE S1 packet encrypted knowing the key?

1 Answers1