decode_telt.py

import datetime
from twisted.protocols import portforward
from twisted.internet.protocol import DatagramProtocol
from twisted.internet import reactor
import getopt, sys
import binascii
from random import randint


lst_full=[]
lst_data=[]
verbose = False
notuntil = 0
request = 0
count = 1
proto = "tcp"
localport = 0
desthost = ""
destport = 0
testclient = 0
testserver = 0
smth_x=0
smth_y=0
x_=20
change=0
pent_c=0
g_count=0
rnd_angle=0
rnd_coord=0
pent = [[600056480,303452580],[598401910,304894530],[599464550,301303380],[599478320,305629240],[598401910,301990020]]
overflowstrings = ["A" * 255, "A" * 256, "A" * 257, "A" * 420, "A" * 511, "A" * 512, "A" * 1023, "A" * 1024, "A" * 2047, "A" * 2048, "A" * 4096, "A" * 4097, "A" * 5000, "A" * 10000, "A" * 20000, "A" * 32762, "A" * 32763, "A" * 32764, "A" * 32765, "A" * 32766, "A" * 32767, "A" * 32768, "A" * 65534, "A" * 65535, "A" * 65536, "%x" * 1024, "%n" * 1025 , "%s" * 2048, "%s%n%x%d" * 5000, "%s" * 30000, "%s" * 40000, "%.1024d", "%.2048d", "%.4096d", "%.8200d", "%99999999999s", "%99999999999d", "%99999999999x", "%99999999999n", "%99999999999s" * 1000, "%99999999999d" * 1000, "%99999999999x" * 1000, "%99999999999n" * 1000, "%08x" * 100, "%%20s" * 1000,"%%20x" * 1000,"%%20n" * 1000,"%%20d" * 1000, "%#0123456x%08x%x%s%p%n%d%o%u%c%h%l%q%j%z%Z%t%i%e%g%f%a%C%S%08x%%#0123456x%%x%%s%%p%%n%%d%%o%%u%%c%%h%%l%%q%%j%%z%%Z%%t%%i%%e%%g%%f%%a%%C%%S%%08x"]

def crc16(buff, crc = 0, poly = 0xA001):
    l = len(buff)
    i = 0
    while i < l:
        ch = ord(buff[i])
        uc = 0
        while uc < 8:
            if (crc & 1) ^ (ch & 1):
                crc = (crc >> 1) ^ poly
            else:
                crc >>= 1
            ch >>= 1
            uc += 1
        i += 1
    return crc

def zero_fill(str, count):
    tmp=len(str)
    i=0
    while i<count-tmp:
        str="0"+str
        i=i+1
    return str

def bitflipping(data):
    l = len(data)
    n = int(l*7/100)

    for i in range(0,n):
        r = randint(0,l-1)
        data = data[0:r] + chr(randint(0,255)) + data[r+1:]
    return data

def bofinjection(data):
    l = len(data)
    r = randint(0,len(overflowstrings)-1)
    data = data[0:r] + overflowstrings[r] + data[r-l:]
    return data

def fuzz(data):
    print "Fuzz ON"
    r = randint(0,0)
    if r==0:
        data = bitflipping(data)

    r = randint(0,0)
    if r==1:
        data = bofinjection(data)
    return data
def add_hex2(hex1, hex2):
    return hex(int(hex1, 16) + int(hex2, 16))

def lst_print_data(lst): ##print only data
    all=[]
    str=""
    all.append(lst[2])
    all.append(lst[3])
    for x in lst[4]:
        all.append(x[0])
        all.append(x[1])
        all.append(x[2])
        all.append(x[3])
        all.append(x[4])
        all.append(x[5])
        all.append(x[6])
        all.append(x[7])
        for y in x[8]:
            all.extend(y)
    all.append(lst[5])
    for z in all:
        str=str+z
    return str

def lst_print(lst): ##print all packet
    all=[]
    str=""
    all.append(lst[0])
    all.append(lst[1])
    all.append(lst[2])
    all.append(lst[3])
    for x in lst[4]:
        all.append(x[0])
        all.append(x[1])
        all.append(x[2])
        all.append(x[3])
        all.append(x[4])
        all.append(x[5])
        all.append(x[6])
        all.append(x[7])
        for y in x[8]:
            all.extend(y)
    all.append(lst[5])
    all.append(lst[6])
    for z in all:
        str=str+z
    return str

def parce_imei(case2):
    global count
    count=0
    lst_imei=[]
    lst_imei.append(case2[:4]) ##[0] - imei size
    lst_imei.append(case2[4:]) ##[1]- imei
    print "===Hello IMEI: "+ lst_imei[1].decode("hex")+"==="

def parce_data(case):
    global x_
    global change
    global pent_c
    change=0
    y_=0
    lst_avl=[]
    lst_io_full=[]
    lst_io_1b=[]
    lst_io_2b=[]
    lst_io_4b=[]
    lst_io_8b=[]
    lst_avl.append(case[x_:x_+16])    ## [2][i][0] - timestamp
    lst_avl.append(case[x_+16:x_+18]) ## [2][i][1] - Priority
    lst_avl.append(case[x_+18:x_+26]) ## [2][i][2]- long
    lst_avl.append(case[x_+26:x_+34]) ## [2][i][3]- lat
    lst_avl.append(case[x_+34:x_+38]) ## [2][i][4]- Alt
    lst_avl.append(case[x_+38:x_+42]) ## [2][i][5]- Angle
    lst_avl.append(case[x_+42:x_+44]) ## [2][i][6]- Satellites
    lst_avl.append(case[x_+44:x_+48]) ## [2][i][7]- Speed
    ##io##
    lst_io_full.append(case[x_+48:x_+50]) ## [2][i][8][0]- Event IO ID
    lst_io_full.append(case[x_+50:x_+52]) ## [2][i][8][1] - N of Total IO
    l1b_x=x_+52
    l1b_y=x_+54
    ################
    lst_io_full.append(case[l1b_x:l1b_y]) ## [2][i][8][2] - N1 of One Byte IO
    io_1b=int('0x'+lst_io_full[2],16)
    l2b_x=l1b_x+2+io_1b*4
    l2b_y=l1b_y+2+io_1b*4
    lst_io_full.append(lst_io_1b) ## [2][i][8][3] - List of 1b IO
    lst_io_full.append(case[l2b_x:l2b_y]) ## [2][i][8][4] - N2 of Two Byte IO
    io_2b=int('0x'+lst_io_full[4],16)
    l4b_x=l2b_x+2+io_2b*6
    l4b_y=l2b_y+2+io_2b*6
    lst_io_full.append(lst_io_2b) ## [2][i][8][5] - List of 2b IO
    lst_io_full.append(case[l4b_x:l4b_y]) ## [2][i][8][6] - N4 of Four Byte IO
    io_4b=int('0x'+lst_io_full[6],16)
    l8b_x=l4b_x+2+io_4b*10
    l8b_y=l4b_y+2+io_4b*10
    lst_io_full.append(lst_io_4b) ## [2][i][8][7] - List of 4b IO
    lst_io_full.append(case[l8b_x:l8b_y]) ## [2][i][8][8] - N8 of Eight Byte IO
    io_8b=int('0x'+lst_io_full[8],16)
    lst_io_full.append(lst_io_8b) ## [2][i][8][9] - List of 8b IO
    ################
    dt = datetime.datetime.fromtimestamp(float(str(int('0x'+lst_avl[0],16))[:10])).strftime('%Y-%m-%d %H:%M:%S')
    print "\tTimeStamp: " + lst_avl[0] + " ("+ dt +")"
    print "\tPriority: " + lst_avl[1]
    print "\tGPS Element:"
    lat = float(int('0x'+lst_avl[2],16))/10000000
    print "\t\tLatitude: " + lst_avl[2] + " (" + str(lat) +" E)"
    lon = float(int('0x'+lst_avl[3],16))/10000000
    print "\t\tLatitude: " + lst_avl[3] + " (" + str(lon) +" N)"
    ##change coord
    if rnd_coord:
        #pentagramm
        lst_avl[2]=hex(pent[pent_c][1]).replace('0x','')
        lst_avl[3]=hex(pent[pent_c][0]).replace('0x','')
        #change lat and long (+64)
       # lst_avl[2]=add_hex2('0x'+lst_avl[2],'0x'+str(64*g_count)).replace('0x','')
       # lst_avl[3]=add_hex2('0x'+lst_avl[3],'0x'+str(64*g_count)).replace('0x','')
        lat = float(int('0x'+lst_avl[2],16))/10000000
        print "\t\t--->New Latitude: " + lst_avl[2] + " (" + str(lat) +" E)"
        lon = float(int('0x'+lst_avl[3],16))/10000000
        print "\t\t--->New Latitude: " + lst_avl[3] + " (" + str(lon) +" N)"
        pent_c=pent_c+1
        if pent_c==len(pent):
            pent_c=0
        change=1
    alt =int('0x'+lst_avl[4],16)
    print "\t\tAltitude: "+ lst_avl[4] + " (" + str(alt) +" meters)"
    ang =int('0x'+lst_avl[5],16)
    print "\t\tAngle: "+ lst_avl[5] + " (" + str(ang) +")"
    ##change angle
    if rnd_angle:
         lst_avl[5]=zero_fill(hex(randint(200,300)).replace('0x',''),4)
         ang =int('0x'+lst_avl[5],16)
         print "\t\t--->New Angle: "+ lst_avl[5] + " (" + str(ang) +")"
    sat=int('0x'+lst_avl[6],16)
    print "\t\tSattelites: "+ lst_avl[6] + " (" + str(sat) +" visible sattelites)"
    spd=int('0x'+lst_avl[7],16)
    print "\t\tSpeed: "+ lst_avl[7] + " (" + str(spd) +" km/h)"
    ###change speed
    if smth_x>0 and smth_y>0:
        lst_avl[7]=zero_fill(hex(randint(smth_x,smth_y)).replace('0x',''),4)
        spd=int('0x'+lst_avl[7],16)
        print "\t\t--->New Speed: "+ lst_avl[7] + " (" + str(spd) +" km/h)"
        change=1
    print "\tIO Element:"
    io_id=int('0x'+lst_io_full[0],16)
    print "\t\tEvent IO ID: " + lst_io_full[0] + " (" + str(io_id) +")"
    io_total=int('0x'+lst_io_full[1],16)
    print "\t\tTotal ID:" + lst_io_full[1] + " (" + str(io_total) +" IO elements)"
    x_=x_+50 ## THINK!!! it's correct if all IO counters exist when Global counter eq 0
    print "\t\tCount of 1 byte IO: " + lst_io_full[2] + " (" + str(io_1b) +")"
    x_=l1b_y
    for i in range(io_1b):
        lst_io_1b.append(case[l1b_x+2+i*4:l1b_y+2+i*4]) ## [2][i][8][3][i*2] - N'st IO ID
        lst_io_1b.append(case[l1b_x+4+i*4:l1b_y+4+i*4]) ## [2][i][8][3][i*2+1] - N'st IO value
        tmp_io1=int('0x'+lst_io_1b[i*2],16)
        tmp_io2=int('0x'+lst_io_1b[i*2+1],16)
        print "\t\t\tIO ID: " + lst_io_1b[i*2] + " (" + str(tmp_io1)+ ")"
        print "\t\t\t"+str(tmp_io1) + "'st IO value: " + lst_io_1b[i*2+1] + " (" + str(tmp_io2)+ ")"
        y_=l1b_y+4+i*4
        k=i+1
    print "\t\tCount of 2 byte IO: " + lst_io_full[4] + " (" + str(io_2b) +")"
    x_=l2b_y
    for i in range(io_2b):
        lst_io_2b.append(case[l2b_x+2+i*6:l2b_y+2+i*6]) ##[2][i][8][5][i*2] - N'st IO ID
        lst_io_2b.append(case[l2b_x+4+i*6:l2b_y+6+i*6]) ##[2][i][8][5][i*2+1] - N'st IO value
        tmp_io1=int('0x'+lst_io_2b[i*2],16)
        tmp_io2=int('0x'+lst_io_2b[i*2+1],16)
        print "\t\t\tIO ID: " + lst_io_2b[i*2] + " (" + str(tmp_io1)+ ")"
        print "\t\t\t"+str(tmp_io1) + "'st IO value: " + lst_io_2b[i*2+1] + " (" + str(tmp_io2)+ ")"
        y_=l2b_y+6+i*6
    print "\t\tCount of 4 byte IO: " + lst_io_full[6] + " (" + str(io_4b) +")"
    x_=l4b_y
    for i in range(io_4b):
        lst_io_4b.append(case[l4b_x+2+i*10:l4b_y+2+i*10]) ##[2][i][8][7][i*2] - N'st IO ID
        lst_io_4b.append(case[l4b_x+4+i*10:l4b_y+10+i*10]) ##[2][i][8][7][i*2+1] - N'st IO value
        tmp_io1=int('0x'+lst_io_4b[i*2],16)
        tmp_io2=int('0x'+lst_io_4b[i*2+1],16)
        print "\t\t\tIO ID: " + lst_io_4b[i*2] + " (" + str(tmp_io1)+ ")"
        print "\t\t\t"+str(tmp_io1) + "'st IO value: " + lst_io_4b[i*2+1] + " (" + str(tmp_io2)+ ")"
        y_=l4b_y+10+i*10
    print "\t\tCount of 8 byte IO: " + lst_io_full[8] + " (" + str(io_8b) +")"
    x_=l8b_y
    for i in range(io_8b):
        lst_io_8b.append(case[l4b_x+2+i*18:l4b_y+2+i*18]) ##[2][i][8][9][i*2] - N'st IO ID
        lst_io_8b.append(case[l4b_x+4+i*18:l4b_y+18+i*18]) ##[2][i][8][9][i*2+1] - N'st IO value
        tmp_io1=int('0x'+lst_io_8b[i*2],16)
        tmp_io2=int('0x'+lst_io_8b[i*2+1],16)
        print "\t\t\tIO ID: " + lst_io_8b[i*2] + " (" + str(tmp_io1)+ ")"
        print "\t\t\t"+str(tmp_io1) + "'st IO value: " + lst_io_8b[i*2+1] + " (" + str(tmp_io2)+ ")"
        y_= l4b_y+18+i*18
    if y_>0 and x_<y_:
        x_=y_
    lst_avl.append(lst_io_full)
    lst_data.append(lst_avl)
    print "count:"+str(g_count)


def parce(case):
    global lst_full
    global lst_data
    global x_
    global change
    global g_count
    x_=20 #data offset
    lst_full=[]
    lst_data=[]
    print("\n==========start parser============")
    lst_full.append(case[:8]) ## [0] - 4 zero bytes
    lst_full.append(case[8:16]) ## [1] - Size of Data
    lst_full.append(case[16:18]) ## [2] - codecID
    lst_full.append(case[18:20]) ## [3] - Number of Data
    lst_full.append(lst_data) ## [4][0] - Data
    lst_full.append(case[-10:-8]) ## [5] - Number of Data2
    lst_full.append(case[-8:]) ## [6] - CRC16
    Dat_S = int('0x'+lst_full[1],16)
    print "Data size: " + lst_full[1]+ " ("+str(Dat_S)+" bytes)"
    print "codecID: " + lst_full[2]
    NoD = int('0x'+lst_full[3],16)
    print "Number of Data: " + lst_full[3] + " ("+str(NoD)+")"
    for i in range(NoD):
        print "Data #" + str(i+1)+":"
        parce_data(case)
    NoD2= int('0x'+lst_full[5],16)
    print "Number of Data2: " + lst_full[5] + " ("+str(NoD2)+")"
    print "CRC16: " + lst_full[6]
    if change==1:
        olo = lst_print_data(lst_full)
        lst_full[6]=zero_fill(hex(crc16(olo.decode("hex"))).replace('0x',''),8)
        print "--->New CRC: "+ lst_full[6]
        change=0
    g_count=g_count+15
    return lst_print(lst_full)

def server_dataReceived(self, data):
    global verbose
    global notuntil
    global request
    global count
    global testserver

    if testserver:
        if request < notuntil:
            request = request + 1
        else:
            data = fuzz(data)
    if verbose:
        print "Client ------> server"
        print binascii.b2a_hex(data)
        if (count and len(data)<35):
            parce_imei(binascii.b2a_hex(data))
        else:
            print "Start"
            count=1
            data=binascii.a2b_hex(parce(binascii.b2a_hex(data)))
    portforward.Proxy.dataReceived(self, data)

portforward.ProxyServer.dataReceived = server_dataReceived

def client_dataReceived(self, data):
    global verbose
    global notuntil
    global request
    global testclient

    if testclient:
        if request < notuntil:
            request = request + 1
        else:
            data = fuzz(data)
    if verbose:
        print "Server ------> Client"
        print "%r" % data

    portforward.Proxy.dataReceived(self, data)

portforward.ProxyClient.dataReceived = client_dataReceived

def starttcpproxy():
    reactor.listenTCP(localport, portforward.ProxyFactory(desthost, destport))
    reactor.run()

def usage():
    #print "###############################################################"
    print "python decode_telt.py -l <localport> -r <remotehost> -p <remoteport> [options]"
    print
    print " [options]"
    print "     -c: Fuzz only client side (both otherwise)"
    print "     -s: Fuzz only server side (both otherwise)"
    print "     -w: Number of requests to send before start fuzzing"
    print "     -v: Verbose (outputs network traffic)"
    print "     -x: Random Speed. From x"
    print "     -y: Random Speed. To y"
    print "     -a: Random angle"
    print "     -k: Pentagram"
    print "     -h: Help page"

def main():
    global notuntil
    global proto
    global localport
    global desthost
    global destport
    global testclient
    global testserver
    global verbose
    global smth_x
    global smth_y
    global rnd_angle
    global rnd_coord
    try:
        opts, args = getopt.getopt(sys.argv[1:], "vakhcsl:r:p:w:x:y:", ["help"])
    except getopt.GetoptError:
        usage()
        sys.exit(2)
    try:
        for o, a in opts:
            if o in ("-h", "--help"):
                usage()
                sys.exit()
            if o == "-l":
                localport=int(a)
            if o == "-r":
                desthost=a
            if o == "-p":
                destport=int(a)
            if o == "-v":
                verbose = True
            if o == "-a":
                rnd_angle = 1
            if o == "-k":
                rnd_coord = 1
            if o == "-w":
                notuntil=int(a)
            if o == "-c": # Only client
                testclient=1
            if o == "-s": # Only server
                testserver=0
            if o == "-x":
                smth_x=int(a)
            if o == "-y":
                smth_y=int(a)
    except:
        usage()
        sys.exit(2)

    if localport==0 or desthost=="" or destport==0:
        usage()
        sys.exit(2)
    else:
        if proto=="tcp":
            starttcpproxy()

if __name__ == '__main__':
    main()