Philips Zymed Site Encryption

I am in the process of upgrading the Philips Zymed Holter system, including a new Central Link. I have a list of site codes, user IDs, and passwords for all my locations, but since I was not the originator of the document and could not verify that the passwords were entered correctly in the spreadsheet, I set out to decrypt the password and site information. The Philips Zymed Central Link software stores the site information in the registry for version 2.8 and in configuration files under “all users” on version 2.9.

On my version 2.8 system I found the key located in the registry under the following key: HKEY_LOCAL_MACHINE\SOFTWARE\Zymed\. I exported the entire Zymed subkey structure. You will see a value labeled RemoteConfig under HKEY_LOCAL_MACHINE\SOFTWARE\Zymed\Zybit Central\0.1\Configure; it contains a hex-encoded string. Using my 17 years of experience, I started by looking for a pattern in the hex-encoded string and found one.

I started to decipher the encryption by adding a new site to my site list and providing a known key sequence for the description and password. I entered the entire alphabet in uppercase and lowercase. I noted the offset of each letter that was entered and the encoded hex value that it produced. I noted all of the values entered and went ahead with replacing all of the values in the registry export with the known values. After going through a few iterations of the offsets, you start to see the site codes, descriptions, and passwords being revealed.

After more evaluation, the encoding algorithm turned out to be simply an offset within a byte. To decrypt a value you only need a little subtraction and a hex-to-ASCII conversion. The encryption uses 255 (FF) as its base offset. Take a sample value like BE and subtract it from FF: FF-BE=41 hex, or 65 decimal, which is the ASCII code for A.
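The subtraction described above, as an added example that is not part of the original post or of the Philips software. It shows that the scheme has no key: FF minus a byte is the same as XOR with FF, so one function both encodes and decodes. The sample export is constructed, and both the regedit `hex:` form of the value and the 00 separator between fields are assumptions, since the post does not give the real layout.

```python
import re

# Constructed sample in regedit export form; not data from a real system.
SAMPLE_EXPORT = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Zymed\Zybit Central\0.1\Configure]
"RemoteConfig"=hex:ac,b6,ab,ba,cf,ce,ff,\
  be,bd,bc,9e,9d,9c
'''

def parse_reg_hex(text: str, value_name: str) -> bytes:
    """Return the raw bytes of a "name"=hex:.. value from a regedit export."""
    # regedit wraps long binary values with a trailing backslash; join them.
    joined = re.sub(r"\\\r?\n\s*", "", text)
    pattern = r'^"%s"=hex(?:\([0-9a-f]+\))?:([0-9a-fA-F,]*)' % re.escape(value_name)
    match = re.search(pattern, joined, re.M)
    if match is None:
        raise ValueError("value %r not found in export" % value_name)
    return bytes(int(b, 16) for b in match.group(1).split(",") if b)

def complement(data: bytes) -> bytes:
    """FF - b for every byte. Identical to b XOR FF, so it is its own inverse."""
    return bytes(0xFF - b for b in data)

def printable_runs(data: bytes, min_len: int = 3) -> list:
    """Pull runs of printable ASCII out of the decoded bytes."""
    runs = re.finditer(rb"[\x20-\x7e]+", data)
    return [m.group().decode("ascii") for m in runs if len(m.group()) >= min_len]

def decode_export(text: str, value_name: str = "RemoteConfig") -> list:
    return printable_runs(complement(parse_reg_hex(text, value_name)))

if __name__ == "__main__":
    # The post's worked value: FF - BE = 41 hex = 'A'
    print(complement(bytes([0xBE])))
    print(decode_export(SAMPLE_EXPORT))
```

Because decoding needs nothing beyond read access to the stored value, the registry key's ACL (or the file permissions on 2.9) is the only thing protecting these site passwords.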

Needless to say, I was able to successfully verify my spreadsheet full of site information before I migrated to the new server.

You may be asking yourself, why didn’t you just export and re-import the registry? It is because version 2.9 does not store the RemoteConfig in the registry anymore.

** Note: this information is provided for educational purposes only. **
