Kyocera address book password decryption

I needed to extract the SMB password associated with some address book entries on our Kyocera printers today (Kyocera 4550i’s, specifically) because we’d lost the original password for an account they were using, and we needed to recover it without having to reconfigure every printer in the company. No problem, thinks I, I’ll use KMNet Viewer to dump out the address book to XML from the printer, and just read out the password in the XML.

No such luck. The password’s encrypted in the XML file.

Fortunately, with a little patience and RedGate’s brilliant .NET reflector, I managed to find where the encryption happens, and to extract the relevant keys. The story of how I got this out of the code isn’t particularly exciting, but the final result is that I got the keys to decrypt any password saved in a dump from KMNet viewer. Unfortunately, it’s a fixed key used every time, so you can’t even set your own password to protect your address book dumps – it’s only enough to deter casual snoopers. Not an impressive level of security.

Anyway, without further ado, the relevant information is:-

Passwords are encrypted with DES, in CBC mode, using a key of 41F4A305F38B468F, and an IV of 01820D0B383ECB7C. These are derived from a few variations on the theme of Kyocera’s name via RFC2898; rather than reproduce the original values here, I’ve just included the resulting keys. I found http://des.online-domain-tools.com/ worked fine with these values if you want a quick and dirty online DES decryptor to let you read your address book files.

I hope that’s useful to someone!

10 thoughts on “Kyocera address book password decryption”

  1. Hi Jamie,

    I tried to decrypt password in a XML file extracted from Netviewer with your method but don’t work for me…
    Please could you detail how did you find the keys, perhaps kyocera have changed them.

    1. Not aware of a problem there, but it’s likely down to which character set it uses. You may find it’s in CP1251 instead of UTF-8 or vice-versa, and whichever format you’re displaying it in may not match. If you’re using that des.online-domain-tools.com site, try downloading the text as a binary file (there’s an option just under the decrypted text for it), rename the file to end .txt, and try experimenting with the options under File->Open->Encoding in Notepad – ANSI vs. UTF-8 is likely to correct symbol problems.

  2. My first question, if I could speak to the author of this post, would be what version of KMN was used to to produce this ciphertext; second, is it possible they are using the same key and IV with more recent versions (post-2020)?

    Questions aside, that’s some good work, champ. I’ve recently started using Net Viewer, and had a similar inkling when I saw the XML export versus the CSV. The “Password” field actually had a value! That search led me here. Haven’t used much crypto in the past, but I have a rudimentary understanding of some of the bare-bones basics. This is as good a reason as any to learn it, with a great incentive. Cheers for inspiration.

    1. Hi,
      I used version 5.5.313 for this. If you’ve got an XML file and want to decrypt it, the easiest way is using that http://des.online-domain-tools.com/ site I mentioned.

      Make sure you set the Plaintext/Hex radio buttons for both the input text and key to hex, and select input type text, function DES, Mode CBC, Key 41F4A305F38B468F, Key type Hex, Init. Vector ea a7 58 e1 77 88 3e 4d, and it seems to work fine.

      I’m afraid I don’t have the time to investigate any changes in later versions, but I’d be surprised if any version older than the one I mentioned were different. For later versions, I hope Kyocera have improved security, but I doubt it!

  3. I’m curious how you discovered the Key and IV for this, that would be an interesting article to read.

    However, this worked for me perfectly today. Thank you so much, this has saved me quite a bit of time!

  4. I to would love to know how you discovered the key, ive been looking in net reflector to reverse engineer your work so I can learn and cant find it anywhere.

    1. I’m sorry, I did this 5 years ago and at this point I have no real memory of the details. Broadly speaking, I just worked backwards from the calls to the normal .NET encryption APIs.

  5. Hi Jamie,

    Thanks very much for sharing your information, it works very good using the website.
    I develop a small program to create files for injecting in copier.
    I want to create a VBS script that convert the entry string with this cryptage but it’s so hard…
    I used the object : System.Security.Cryptography.TripleDESCryptoServiceProvider
    If you know how to do it, I’m very interressed !
    Could you help me please ?

Leave a Reply to Chris Cancel reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.