FRMPayload decryption

Hello, I have some unclear points in the decryption procedure of FRMPayload. The picture below shows some unclear moments.

• What is the value of i? What is its initial value?

• What does S look like for the FRMPayload in the example in the picture?

• What does "to the first len(pld) octets" mean?

Could someone please give an example of how S, i, k and the performed steps will look for the FRMPayload shown in the picture?

You can find the ChirpStack implementation of the encryption / decryption of the FRMPayload here:

Basically what happens is that a vector of cyphertext S is produced as some whole number of 16-byte blocks (S1, S2…), at least as long as the message. The plaintext A that’s encrypted to do this has each block (A1, A2…) stuffed with a variety of things shown in the picture, one of which is i, the counter of blocks, starting from 1 and incrementing in each following block.

The message is then XOR’d with the vector of cyphertext, trimmed before or after to the actual length of the message.

One of the things to note is that it’s always the AES encrypt operation, never decrypt, as this keeps the device firmware smaller.
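The steps discussed in this thread, as an added Go example (not part of any post above and not ChirpStack's code). It assumes the A block layout from the LoRaWAN 1.0.x specification, since the thread's picture is not reproduced here; the key, DevAddr, frame counter and payload are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"fmt"
)

// blockA builds the 16-byte block A_i (layout assumed from LoRaWAN 1.0.x):
// 0x01 | 4 x 0x00 | Dir | DevAddr (LE) | FCnt (LE, 32 bit) | 0x00 | i
func blockA(uplink bool, devAddr, fCnt uint32, i uint8) []byte {
	a := make([]byte, 16)
	a[0] = 0x01
	if !uplink {
		a[5] = 0x01 // Dir: 0 = uplink, 1 = downlink
	}
	binary.LittleEndian.PutUint32(a[6:10], devAddr)
	binary.LittleEndian.PutUint32(a[10:14], fCnt)
	a[15] = i // block counter, starts at 1
	return a
}

// cryptFRMPayload encrypts or decrypts pld: both are the same XOR with S.
func cryptFRMPayload(key []byte, uplink bool, devAddr, fCnt uint32, pld []byte) ([]byte, error) {
	c, err := aes.NewCipher(key) // 16-byte key => AES-128
	if err != nil {
		return nil, err
	}
	k := (len(pld) + 15) / 16 // k = ceil(len(pld) / 16)
	s := make([]byte, 0, 16*k)
	for i := 1; i <= k; i++ {
		si := make([]byte, 16)
		c.Encrypt(si, blockA(uplink, devAddr, fCnt, uint8(i))) // S_i = AES-encrypt(K, A_i)
		s = append(s, si...)
	}
	out := make([]byte, len(pld))
	for n := range pld {
		out[n] = pld[n] ^ s[n] // only the first len(pld) octets of S are used
	}
	return out, nil
}

func main() {
	key := []byte("0123456789abcdef")     // constructed sample key
	pld := []byte("20-byte sample data!") // constructed, 20 octets => k = 2
	enc, _ := cryptFRMPayload(key, true, 0x26011BDA, 7, pld)
	dec, _ := cryptFRMPayload(key, true, 0x26011BDA, 7, enc)
	fmt.Printf("encrypted: %x\ndecrypted: %s\n", enc, dec)
}
```

With a 20-octet payload, k is 2, so S is 32 octets long and only its first 20 are XORed with the payload.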