[beeforpork]

Hmm, I don't see any encryption. In the first screenshot 'cyberchef.avif' in the 'input window, the data is just unencrypted hex ASCII. I can fairly easily read the hex: even judging only from the first byte 7D, it is most probably JSON:

    7D   = { 
    0D0A = CRLF
    09   = TAB
    22   = "
    73   = s
    74   = t
    61   = a
    74   = t
    75   = u
    73   = s
    4C   = L
    74   = a
    ....

So that is just the 'decoded' text. Where's the mentioned XOR encryption?

Also, the 'key' in the second screen shot is a nibble (=one hex character) out of alignment of the listed bytes. It also is not cut from the gap that is in the input text now, as suggested by the visual presentation: the 'key' is 'D0A097D0D0A7D' which is 13 hex digits, and again, a nibble out of byte alignment. It looks like a 0 must have preceeded to make it '0D0A09...' = CRLF TAB, and it total that's 'CRLF TAB { CRLF {'. But the gap was originally '24F70...', which, aligned to bytes, was '224F70...' = '"Op...'

So, the screen shots appear to be bogus or fake or edited.

Why? What's going on here?

[timedout_uk]

Sorry about that, the screenshots were taken after I'd already done everything and was writing up the blog, since I didn't have the original data to hand. I forgot to include this in the post, but at some point after rebooting the washing machine (I still can't get over how insane that sounds) while writing my notification script, the machine started returning unencrypted yet still encoded data, which is why in the script's poll loop attempts to deserialize the bytes as JSON first, only on failure trying to run it through decryption. Sometimes it's returning encrypted data, sometimes it isn't, and sometimes it's just spitting actual garbage down the wire. I did also modify the screenshots to blank out some bytes, but you can probably see where that is. None of this was faked, it's just an incredibly dumb smart appliance. If I can capture it sending encrypted data again, I'll update the post with corrected screenshots.