Adding support for push to talk (A long road ahead)

[entropin]

Hi, I have a fun project am working on, and as a part of this, I need to add push to talk to my Neolink build. So this if my first intro to try and learn reversing.

So am starting with learning WireShark and to start I'm tackling something smaller. But am already in over my head

Am trying to figure out the "flip camera" button in the Reolink client for myselfe just to understand the process, but I could use some pointers.

When I open WireShark and record this action of the Official Reolink Client.

Its is listad as type: (Write), 25
But the Main Payload is marked as Binary, and no XML is visible, what would be the next step to find out what was actually sent?
So I need to Decompile the client? Or could I possibly view this info if i extend the lua WS plugin?

Am completely green to this, so feel free to use small words :D

[QuantumEntangledAndy]

So this became more complicated recently with the release of AES encryption which wireshark has no easy way to deal with. If you use a modern client and a camera with the newest firmware it will all show as binary because wireshark can't decide the AES.

To confirm this have a look at the 01 login sequence bytes 17-18 of the header of the legacy login will be either 01dc or 03dc. The reply will be either 00dd 01dd or 02dd. If the reply is 02dd then wireshark can't read it. In such a case I recommend you try and find and old reolink client app from last year and use that for your testing or downgrade the firmware of your camera.

[entropin]

I write my playground audio code in C# while learning Rust, but .net core dose not allow for CFB mode, so i converted Neolink Decoding/encoding into an DLL so I can use it in c# this might be an extreme edge case else am happy to to a PR with the DLL

[QuantumEntangledAndy]

Are you sure C# dosen't have CFB? This stackoverflow seems to suggest that it does

The following is the example given in the above link, perhaps I am misunderstanding something

using System;
using System.Text;
using System.Security.Cryptography;
using System.IO;

namespace AesCFB8Mode
{
    class AESCFB8Example
    {
        static void Example()
        {
            //
            // Encrypt a small sample of data
            //
            String Plain = "The quick brown fox";
            byte[] plainBytes = Encoding.UTF8.GetBytes(Plain);
            Console.WriteLine("plaintext length is " + plainBytes.Length);
            Console.WriteLine("Plaintext is " + BitConverter.ToString(plainBytes));

            byte [] savedKey = new byte[16];
            byte [] savedIV = new byte[16];
            byte[] cipherBytes;
            using (RijndaelManaged Aes128 = new RijndaelManaged())
            {
                //
                // Specify a blocksize of 128, and a key size of 128, which make this
                // instance of RijndaelManaged an instance of AES 128.
                //
                Aes128.BlockSize = 128;
                Aes128.KeySize = 128;

                //
                // Specify CFB8 mode
                //
                Aes128.Mode = CipherMode.CFB;
                Aes128.FeedbackSize = 8;
                Aes128.Padding = PaddingMode.None;
                //
                // Generate and save random key and IV.
                //
                Aes128.GenerateKey();
                Aes128.GenerateIV();

                Aes128.Key.CopyTo(savedKey, 0);
                Aes128.IV.CopyTo(savedIV, 0);

                using (var encryptor = Aes128.CreateEncryptor())
                using (var msEncrypt = new MemoryStream())
                using (var csEncrypt = new CryptoStream(msEncrypt, encryptor, CryptoStreamMode.Write))
                using (var bw = new BinaryWriter(csEncrypt, Encoding.UTF8))
                {
                    bw.Write(plainBytes);
                    bw.Close();

                    cipherBytes = msEncrypt.ToArray();
                    Console.WriteLine("Cipher length is " + cipherBytes.Length);
                    Console.WriteLine("Cipher text is " + BitConverter.ToString(cipherBytes));
                }
            }

            //
            // Now decrypt the cipher back to plaintext
            //

            using (RijndaelManaged Aes128 = new RijndaelManaged())
            {
                Aes128.BlockSize = 128;
                Aes128.KeySize = 128;
                Aes128.Mode = CipherMode.CFB;
                Aes128.FeedbackSize = 8;
                Aes128.Padding = PaddingMode.None;

                Aes128.Key = savedKey;
                Aes128.IV = savedIV;

                using (var decryptor = Aes128.CreateDecryptor())
                using (var msEncrypt = new MemoryStream(cipherBytes))
                using (var csEncrypt = new CryptoStream(msEncrypt, decryptor, CryptoStreamMode.Read))
                using (var br = new BinaryReader(csEncrypt, Encoding.UTF8))
                {
                    //csEncrypt.FlushFinalBlock();
                    plainBytes = br.ReadBytes(cipherBytes.Length);

                    Console.WriteLine("Decrypted plain length is " + plainBytes.Length);
                    Console.WriteLine("Decrypted plain text bytes is " + BitConverter.ToString(plainBytes));
                    Console.WriteLine("Decrypted plain text is " + Encoding.UTF8.GetString(plainBytes));
                }
            }
        }

        static void Main(string[] args)
        {
            Example();
        }
    }
}

[QuantumEntangledAndy]

Also if your just doing some light testing code you can login with the 01dc code instead of 03dc during legacy login and that will force the camera to use the older bcencrypt mode, which is much easier to encode/decode in a simple function.

[entropin]

Yes, it is supposed in .net framework, but not in .net core and i need it to run on Linux.

Aes128.Mode = CipherMode.CFB will throw an error in .net core

Am 85% sure i spent a few hours on this yesterday before i created the rust DLL, but i did not see this example, maybe this uses some smart trick :) Will test it!

Any how it nice to know that i can use Neolink in DLL form anyhow :)

[QuantumEntangledAndy]

I see well we are planning to add c bindings to make it available in other langauges to the whole project at some point. Maybe I should start working on seperating out the neolink-core from the other components so we could move towards this

[entropin]

I am not finding any of those byte sequences, but am sill learning how to oriant myself I WS but I get two login event every time. One legacy and one modern, BIACHUAN and BIACHUAN XML protocol. I have an E1 Pro, but if I downgrade is the same protocol in use?only encrypted? So if I manage to push the audio stream, it should still work with an updated camera? Does every camera have its own Public/private key or is Reolink clue involved somehow or hardcoded?

…

On Tue, Jul 27, 2021 at 2:37 AM Andrew King ***@***.***> wrote: My PR #152 <#152> incudes updated documentation that goes into more detail of this login sequence maybe have a read or the files changed in that PR. — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#182 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAKP5LY3JSDWLD2OYSLBD7DTZX5ULANCNFSM5BBBILNA> .

[entropin]

Yes sorry, I was using email to respond before so this was a side effect :D

So, the end goal for me right now is to open a terminal and be able to run:
#neolink -push admin:[email protected] -i /dir/file/sound.mp3

And haveing that short audio file or stream playing on the camera.

(Neolink should not need to care about the encoding/decoding, the input need to take care of that by it self)

The reason being that i have connected all my indoor cameras audio streams to a virtual Google Assistant running on my NAS, am using it for home automation, but it would be so much cooler if i could also pipe back the response.

[QuantumEntangledAndy]

I see I think it might be good to try and work on #157 the idea is to make neolink a rust crate then create submodules for various different functions like

neolink-rtsp

neolink-say

neolink-mqtt

We could also push the sound bytes over mqtt if we wanted. But we should start with your more direct command line for the testing.

I also believe the encoding for the sound is communicated at some point during the capabilities handshake. I think I remember it being adpcm for my camera.

[QuantumEntangledAndy]

Anyways I think the actual sending of sound won't be hard. We just need to observe the packets from the official client and replicate it. Neolink already has most of the infrastructure setup for this with minimal changes.

[QuantumEntangledAndy]

If you want to have a go at it please do and feel free to ask any and all questions as you try it out.

p.s. I'm in a UTC+7 timezone so might reply at odd times for you.

[entropin]

Hehe that gives me hope! Am not expecting any help, but all I can get is extremely welcomed :) Do you have a camera with two way audio? Or dose it make sense for me to expose one for you if/when you are helping me debugging packages? :D

[entropin]

[QuantumEntangledAndy]

Yes we do know the key and yes I've looked into getting it to decode in wireshark. The bigger issue is a lack of native AES support in lua. We'd have to link in another library. At that point I stopped working on it because the benefits didn't seem worth it when we can just connect in an older client.

I believe I have the AES key explained in the PR I mentioned in my previous post.