
Integrated Oscilloscope in TNC640 #49

Open
Md-aliy7 opened this issue May 23, 2023 · 8 comments

Comments

@Md-aliy7
Contributor

Hi,

Commenting on that quoted part in one of your replies:

first, regarding your comment with connection to the TNC640: I was referring to the TNCopt software. I used it to connect to a programming station while capturing the TCP packages. Up to a certain point I could follow the data but then some encrypted password was used. This is similar/the same as when recording the connection between TNCscope and a TNC640. Until we manage to reverse the encryption I don't see any way to make it work.

Did you find any way to decrypt the data in TNC640?
Could you try any AI assistance like ChatGPT, Google Bard, or Microsoft Bing AI?
Probably one of them may help.

@drunsinn
Owner

@Md-aliy7 no, I haven't been able to make any progress in decoding the data. I will try your recommendation but I don't have any experience in using these LLMs. Still, it is worth a shot.
Will let you know if I make any progress.

@Md-aliy7
Contributor Author

I am also trying to figure out how it was encrypted.
Here I share some packets for specific values (3000 & -3000) mm/min
and (5000 & -5000) mm/min.
The highlighted parts include these specific values:

Attachment: specific_numbers.pdf

@Md-aliy7
Contributor Author

Md-aliy7 commented May 26, 2023

NOTE: Not all of what I wrote here is 100% correct, I am just trying to figure out how the data changes.

-) From what I could notice,
each value reading consists of 16 bytes like (0xdc, 0x05, 0x00, 0x00, 0x00, 0x70, 0xa7, 0x40).

(Considering we have added more than one channel to read different data parameters -I still need to investigate it more-)

-) For any nominal position channel data:
{
The byte numbers (1,2,11,12) seem to be the real representative of the value reading: in this example (0xdc,0x70).

The byte numbers (3,4,5,6,7,8,9,10) seem to be randomly assigned such that if the value reading does not change, they will not change. If the value reading changes, they repeat themselves every 5 or so readings, regardless of the value reading.
In this example: (0x05, 0x00, 0x00, 0x00)
}

-) For any nominal velocity channel data:
It's similar to the nominal position, but the bytes that are the real representative of the value reading seem to be different.
Most probably, the byte numbers (1,2,3,4) are the real representatives.
The rest of the bytes before the sign bytes seem to be randomly assigned such that if the value reading does not change, they will not change. If the value reading changes, they repeat themselves after some specific number of readings, regardless of the value reading.

-) The next part is correct for nominal and actual (position & velocity) channel data:
{
The last two bytes represent the sign of the readings:
If the read value is positive, they become 0x40
If the read value is negative, they become 0xc0
If the read value is zero, they become 0x00
}

-) In each packet, the transferred data starts after the first 36 bytes, i.e., from the 37th byte.

-) Unlike iTNC530, whose packets contain 32 readings for any data collected from the channels,
TNC640 packets contain only 31 readings.
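An added analysis helper to go with the byte-layout notes above (not code from this thread or from pyLSV2; the packet it runs on is constructed, apart from the one reading quoted in the comment): it drops the 36-byte header, slices the rest into fixed-size readings, reports which byte offsets stay constant across readings, and decodes each reading as a little-endian IEEE 754 double, under which the quoted bytes come out at roughly 3000, the value the captures were taken at.

```python
import struct
from typing import Dict, List

# Layout observations from the comment above: payload starts after a 36-byte
# header; the final byte of a reading was seen as 0x40 (positive), 0xc0
# (negative) or 0x00 (zero). The 8-byte record size matches the quoted reading;
# the comment also mentions 16-byte readings, so it is left as a parameter.
HEADER_LEN = 36
RECORD_LEN = 8


def split_readings(packet: bytes, header_len: int = HEADER_LEN,
                   record_len: int = RECORD_LEN) -> List[bytes]:
    """Drop the header and cut the rest into fixed-size readings (partial tail ignored)."""
    body = packet[header_len:]
    return [body[i:i + record_len]
            for i in range(0, len(body) - record_len + 1, record_len)]


def byte_variability(readings: List[bytes]) -> Dict[int, int]:
    """Per byte offset, the number of distinct values seen across readings (1 = constant)."""
    return {pos: len({r[pos] for r in readings}) for pos in range(len(readings[0]))}


def decode_double(reading: bytes) -> float:
    """Interpret the first 8 bytes as a little-endian IEEE 754 double."""
    return struct.unpack("<d", reading[:8])[0]


def sign_class(reading: bytes) -> str:
    """Classify a reading by its last byte, following the 0x40 / 0xc0 / 0x00 observation."""
    return {0x40: "positive", 0xC0: "negative", 0x00: "zero"}.get(reading[-1], "unknown")


def analyse(packet: bytes) -> List[dict]:
    """One row per reading: raw hex, decoded double, and sign class."""
    return [{"hex": r.hex(), "value": decode_double(r), "sign": sign_class(r)}
            for r in split_readings(packet)]


# Constructed sample packet (not a real capture): 36 filler header bytes, then the
# reading quoted in the comment, then the double encodings of -3000.0 and 0.0.
QUOTED_READING = bytes([0xDC, 0x05, 0x00, 0x00, 0x00, 0x70, 0xA7, 0x40])
SAMPLE_PACKET = (bytes(HEADER_LEN) + QUOTED_READING
                 + struct.pack("<d", -3000.0) + struct.pack("<d", 0.0))

if __name__ == "__main__":
    for row in analyse(SAMPLE_PACKET):
        print(row)
    print("distinct values per byte offset:",
          byte_variability(split_readings(SAMPLE_PACKET)))
```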

@Md-aliy7
Contributor Author

Md-aliy7 commented May 26, 2023

Attachment: Investigation.zip
This capture covers diverse situations of two variables (nominal position and velocity in the x axis).
It shows how one of them changes when the other is fixed or changes.

@Md-aliy7
Contributor Author

In a typical connection between TNC640 & TNCscope:
(image attachment)

(image attachment)

@drunsinn
Owner

Thanks for the data and your research so far. I also found some of the relations you mentioned.
From what I found, the encryption uses the key number, the current date and the random value read from the control. What I haven't been able to determine is how these values are mixed together.

At least the encrypted data isn't compressed or anything. The package header (S_OD in this case) isn't encrypted and the length of the data also matches what is expected. The data on the other hand is encrypted.

@Md-aliy7
Contributor Author

I am considering asking some cryptography experts from freelance websites.
What do you think?

If I am correct, this is a description of the problems we have:

(If you are an expert in cryptography, Wireshark, and computer networks, I will supply you with some network packets. The payload is encrypted and we have the decrypted numerical data. Your work is to find the encryption method used and prove it's the right one by testing other data we already have.)

@drunsinn
Owner

A professional will probably have more success than us poking around in the dark. You might also add that one part of the key is the date as well as a secret key sent by the control.

One thing that makes me a bit worried is the current story between Nintendo and the folks of the Dolphin emulator. I don't want to get into any trouble with Heidenhain for including the encryption stuff directly in pyLSV2. I am trying to think of a way for the actual en/decryption code to be part of the user application while the library only offers some way to plug in these functions. I will think about how this might be achievable...
