A C++ utility designed to decrypt raw Wireless M-Bus (W-MBus) telegrams using the AES-128 algorithm. I did take help of wmbusmeters code source and credits to them
Critical Note (OMS/WMBus Security Mode 5): As per section 9.3.5 of the W-MBus standard, Symmetric Encryption with Security Mode 5 uses AES-CBC with a persistent 128-bit key and a dynamic IV based on the Transport Layer's Access Number.
This tool processes internal, hardcoded W-MBus data to output the decrypted telegram.
The W-MBus telegram is composed of unencrypted header fields followed by the encrypted payload.
| Field Name | Description | Encryption Status |
|---|---|---|
| Header Fields | L, C, M, A, CI, and Transport Layer fields (e.g., Access Number) | Unencrypted |
| Encrypted Data | The data payload, containing application data and integrity check (CRC/MAC). Must be padded to a 16-byte block size for CBC mode. | AES-128 Encrypted |
This implementation uses AES-128 in Cipher Block Chaining (CBC) mode, as specified for W-MBus Security Mode 5.
- Extract Header and Encrypted Data: Separate the unencrypted header from the encrypted payload.
- Generate IV (Initialization Vector): A 128-bit IV is constructed dynamically, specifically based on the Access Number of the Transport Layer.
- As currently implemented, the IV is:
c5142785895070079d9d9d9d9d9d9d9d.
- As currently implemented, the IV is:
- Decrypt (CBC Mode): The AES-128 CBC algorithm is applied to the Encrypted Data using the 128-bit Key and the derived IV.
- Padding: After decryption, the padding (which depends on the application protocol) must be correctly stripped from the payload.
- Construct Output: The final telegram is the concatenation of the original Unencrypted Header and the Decrypted Payload.
This project uses C++ (g++), the make utility, and the OpenSSL library for cryptographic operations.
- C++ Compiler (g++ supporting C++17)
makeutility- OpenSSL Development Libraries (required for
libsslandlibcryptolinking)
Use the provided Makefile to compile the project:
make./wmbus_decryptAES-128 Key:
4255794d3dccfd46953146e701b7db68
Raw Encrypted Telegram:
a144c5142785895070078c20607a9d00902537ca231fa2da5889Be8df367
3ec136aeBfB80d4ce395Ba98f6B3844a115e4Be1B1c9f0a2d5ffBB92906aa388deaa
82c929310e9e5c4c0922a784df89cf0ded833Be8da996eB5885409B6c9867978dea
24001d68c603408d758a1e2B91c42eBad86a9B9d287880083BB0702850574d7B51
e9c209ed68e0374e9B01feBfd92B4cB9410fdeaf7fB526B742dc9a8d0682653Constructed IV:
c5 14 27 85 89 50 70 07 9d 9d 9d 9d 9d 9d 9d 9d
Decrypted payload (hex):
2f 2f 04 6d a4 30 3a 39 04 13 80 11 00 00 01 fd 17 00 42 6c ff ff 44 13 00 00 00 00 44 93
3c 00 00 00 00 84 01 13 00 00 00 00 c4 01 13 00 00 00 00 84 02 13 12 00 00 00 c4 02 13 00
00 00 00 84 03 13 ff ff ff ff c4 03 13 ff ff ff ff 84 04 13 ff ff ff ff c4 04 13 ff ff ff
ff 84 05 13 ff ff ff ff c4 05 13 ff ff ff ff 84 06 13 ff ff ff ff c4 06 13 ff ff ff ff 84
07 13 ff ff ff ff c4 07 13 ff ff ff ff 84 08 13 ff ff ff ff 2f 2f 2f 2f
Decrypted telegram with header (Not parsed):
A144C5142785895070078C20607A9D0090252F2F046DA4303A3904138011000001FD
1700426CFFFF44130000000044933C0000000084011300000000C4011300000000840
21312000000C4021300000000840313FFFFFFFFC40313FFFFFFFF840413FFFFFFFFC40
413FFFFFFFF840513FFFFFFFFC40513FFFFFFFF840613FFFFFFFFC40613FFFFFFFF840
713FFFFFFFFC40713FFFFFFFF840813FFFFFFFF2F2F2F2F
a144c5142785895070078c20607a9d00
90252f2f046da4303a39041380110000
01fd1700426cffff4413000000004493
3c0000000084011300000000c4011300
00000084021312000000c40213000000
00840313ffffffffc40313ffffffff84
0413ffffffffc40413ffffffff840513
ffffffffc40513ffffffff840613ffff
ffffc40613ffffffff840713ffffffff
c40713ffffffff840813ffffffff2f2f
2f2fVasanth Nayak