-
-
Notifications
You must be signed in to change notification settings - Fork 345
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
General Discussion #5
Comments
Yep. To find the prefix and suffix for new devices, you'll have to fire up Wireshark and sniff the packets going to your device. The data portion of the packet starts with a version number (probably 3.1) and ends with I'm guessing this padding has an actual meaning, but so far I haven't been able to find anything. @blackrozes has suggested that it's just random data with a few special bytes in the beginning and end as devices seem to expect a fixed packet length. If you have any theories, I'd love to hear them. |
Yeah I've just checked in Wireshark and it fits your description perfectly. Are you sure everything before the As to theories, I'm noticing that the 8th hex value (starting from |
Oh wow thanks. I was going to say "sorry for the confusion, I meant that you shouldn't include the TCP packet metadata", but then I looked at |
Updated with b766439. I've now whittled them down to this:
I tried tearing out the Is it working with your device yet? |
I think the devices are expecting a special packet size. In my script I create a buffer with this size and put the data inside like this:
|
Okay I've done some analysis of these packets and have figured some stuff out: Prefix & Suffix The first half - 8 bytes The second half - The final value (the 16th byte of the whole prefix) is the size in bytes of the subsequent packet (obviously as a hex value). This is the length of the encrypted data in bytes plus the suffix - basically everything after the prefix. From my tests the suffix has always been 8 bytes. I have no idea how the suffix is created, but it doesn't seem to change anything and I've had good results leaving it as 000000000000aa55. I'm still not quite there with getting this working on these devices yet, but knowing how the prefix work feels like most of the heavy lifting. Connections & Broadcasts When the device is not connected, it sends out UDP broadcast packets to the network every 3-6 seconds. This contains plaintext JSON with the following information: This could be used as a way of enumerating devices on the network and all information other than the key. Furthering the enumeration aspect, we get a plaintext list of commands available on the device from the initial connection handshake: sending the One thing I've struggled with is actually decrypting the packets sent/received using the key. Has anyone got a deciphering script? |
@jepsonrob thanks, that's really helpful. Receiving Broadcasted MessagesFor anyone interested, you can receive the UDP broadcasted packets with a simple script:
I may add auto discovery functionality soon, although it's not a huge priority for me so if some else wants to do it and open a pull request I'd be very grateful. For Decrypting:Basically, just do the reverse of this:
I'll try to add a specific decryption function within the next couple days. |
@jepsonrob when you say, " not connected, it sends out UDP broadcast". Do you mean on the network but no devices are connected to it? I tried both @codetheweb 's suggested js listener script and a Python script based on SSDP discovery code on port 6666 and I'm not seeing anything. BTW thanks for excellent write ups, I now have a Python version, its rough and ready but works :-) https://github.com/clach04/python-tuya One thing I've noticed is that if there are spaces in the json payload, the device will not respond. Not an issue under js, but the Python stdlib library adds spaces. |
@clach04 - that's exactly what I mean, yep. It's potentially useful for enumeration because all devices on the network can see these packets in plaintext and they contain a bunch of useful information. And your issue with the JSON payload & spaces might come from the last 2 characters in the prefix - it needs to be the total length of the rest of the payload in hexadecimal. Using spaces will increase the size of the payload and if the value isn't the correct size then the command goes ignored. |
@jepsonrob thanks for the length info, that's it for sure. I added support for this in clach04/python-tuya@fc4612f - I'm not sure if its a single byte for length or not (I've only coded it for a single byte and I've not yet added sanity check for that in case the payload goes above 255 bytes). Thanks also for confirming about broadcast. Sadly, as per my previous comment, I'm not seeing this on my network (using code above i.e. something sitting on port 6666, I've not tried wiresharking the network). Any pointers? I've created a wiki https://github.com/clach04/python-tuya/wiki to store progress and other useful related docs. E.g. I figured out the timer for the SM-PW701U device. |
@clach04 - try using this python script and see if anything comes through: it's working for me! from socket import *
s=socket(AF_INET, SOCK_DGRAM)
s.bind(('',6666))
m=s.recvfrom(1024)
print m[0] And yeah I've only had it working for a single byte which is driving me crazy because the payload I need is over 255. Interestingly though, when I'm looking at the packets sent in Wireshark there's never anything over 255 bytes in size! I feel like this means I'm getting something wrong with my JSON payload and it's coming in too large, but I can't quite figure out how to decrypt the outgoing packets so I can't see the intended behaviour. Nice work on the python version by the way! That wiki is a useful resource - I'm going to write a no-stupid-questions type of tutorial for this we've got it working with other devices, probably just to help people with IFTTT integration, and I'll link out to that for further reading. |
@jepsonrob that script worked fine. My script also worked fine this morning (not sure why, maybe too tired last night). Interesting notes:
@jepsonrob script (slightly modified):
My script:
|
@jepsonrob for decrypting packets, try this (needs my Python module, https://github.com/clach04/python-tuya):
EDIT only supports 255 lengths (could be updated if it turns out protocol supports it. |
FYI, the UID is now no longer required when constructing an instance thanks to @jepsonrob. |
I read through #2 where accessing the Tuya API directly was briefly discussed. It would be preferable to be able to access the device IDs and localKeys without having to sniff traffic (especially since this appears to no longer be possible in recent versions of Android with the Packet Capture app). It is possible to retrieve the Android App's API Key and Secret from the app source code. I believe these are the values: However, I attempted to use the API documentation but was unable to successfully authenticate. Here's a fiddle that I was working with: https://dotnetfiddle.net/QzIVrP I think the problem may be with the signing. When I logcat the Tuya Android app I see that the "sign" parameter is 40 characters long, however according to the documentation it should only be 32 characters since it's just a hex string representing a 128-bit MD5 hash. Anyway, not sure if you'd want to fiddle around with it any more, but it really would be nice for the API to be able to fetch the device localKeys. |
@Marcus-L keep us posted. I'm going to be a bit of a nay-sayer and say that I suspect we do not need API access to the cloud to register the device and get an encryption key. My gut tells me that registration of the device can be figured out. RE packet capture problems, can you clarify which app/version and the problems you had? I'm using https://play.google.com/store/apps/details?id=com.xenon.jinvoo&hl=en v1.0.3 which appears to be the latest and still works for me with https://play.google.com/store/apps/details?id=app.greyshirts.sslcapture&hl=en - but I'm thinking I should back it up and post here! |
Forgot to add there is a chance the key is usable client side to interact with devices? I've not tried to decompile it (and probably won't have time), is that how you made this progress? |
Besides, this was intended to be a project to control devices entirely locally - no calling back to home. Sorry if that came off as a bit too stern. Maybe you're not planning to do that :). In any case, good luck mapping out the API. |
No worries @codetheweb, wasn't planning on hard-coding those keys into anything, Just exploring the API possibilities. As @clach04 mentioned it's likely to be possible to do everything locally. None of this would be necessary of course if the manufacturers would just release open tools, some documentation or even just rough specs! Or if the Tuya or Jinvoo app were to show the localKey settings. But here we are. |
OK, thanks for the clarification. 😀
… On Dec 6, 2017, at 11:50, Marcus Lum ***@***.***> wrote:
No worries @codetheweb, wasn't planning on hard-coding those keys into anything, Just exploring the API possibilities. As @clach04 mentioned it's likely to be possible to do everything locally. None of this would be necessary of course if the manufacturers would just release open tools, some documentation or even just rough specs! Or if the Tuya or Jinvoo app were to show the localKey settings. But here we are.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub, or mute the thread.
|
No problem, thanks for the useful protocol info. I did a rough port of the api to .NET Standard here: https://github.com/Marcus-L/m4rcus.TuyaCore I poked around a bit to try to see if I could find any more info on the discovery/localKeying process but didn't come up with anything useful. |
If you have a rooted Android phone, you can retrieve the settings from the app (Smart Life) data storage. The keys/configured devices are located at /data/data/com.tuya.smartlife/shared_prefs/dev_data_storage.xml There's a string in there (the only data) called "tuya_data". You need to html entity decode the string and it contains a JSON string (yes, this is slightly ridiculous). Inside the JSON string are the keys. |
Hi everyone, I just bought a couple of the outlets that work on this protocol but when I try to sniff the traffic using Charles, I don't get any GET requests like the ones mentioned here but only a few POST requests but it looks like the traffic is encrypted. I added tuyaus.com to the SSL Proxy in Charles but it did not help. I am not sure if it is the SSL encryption or Tuya is using their own encryption but it definitely looks like they changed the API or something like that. Or maybe I am doing something wrong. |
@nijave I'm not sure where you read |
The documentation from tuya themselves states the following:
Moreover it says:
If I get it right this means that there is a preset device specific key (the authKey). For the first communication during activation the first 8 byte(??) are used as AES encryption key. During the activation two other keys - the localKey AND the secKey- should be transmitted to the device. From there on secKey is used for HTTPS communication whereas localKey is used for MQTT communication. But that can't be correct as I cannot see the secKey anywhere. If the original app is able to retrieve the authKey from the devices, we should be able to do so also, don't we? |
Perhaps, but I doubt we can without also having an API key. |
Please open a new issue with additional details if you believe there's a bug or want further support. A network dump would be helpful. |
How do I get a result like this in node red?? |
Hi, I created a few wrappers around this library to be used within python. The idea was that seen as this is consistently maintained, I wrote an IPC wrapper that uses file descriptors to communicate. The first github repo below shows my findings on how the roborock vacuum communicates, and the rest are the IPC node code, the python implementation for the IPC, a library for communicating via roborock, and finally a wrapper round it all to be used by home assistant. Hopefully it is useful to some other people out their too https://github.com/89jd/roborock_comms https://github.com/89jd/tuyapi-ipc https://github.com/89jd/pytuyapi-ipc |
Hello everyone, |
You only need the Tuya platform to access the data that lets you connect to the device (IP, ID, and Key if my memory is correct). This api uses a LAN connection so you will still be able to use your solution after your trial ends. |
Hi! I just found this project, and it seem snow that Tuya's "Cloud Development" section is now paid. Is there a way to go through the Setup process without paying for cloud developer access? The site does offer a free trial, but what happens when the trial is over? How can I keep access? |
Hi. Set orders work perfect like this one to set a new temperatur (it is json): But how can i just read a value like dps:3 for the room temperatur? I must somehow use the get() operation but i tried nearly every way and nothign works. Can someone please help here? |
Try using If you need further help, please open a new issue. |
Hi guys. I used tinytuya (on windows) to get my list of encryption keys and it worked flawlessly after I figured out my own user errors.. I had to re-add a device onto my wifi today and ran it again through linux (because to be honest I can't remember what I did through windows to get it to work) and now I get this error: Traceback (most recent call last): Any ideas? |
It sounds like something else is listening on that port. Please open an issue at the tinytuya repo, they'll be better able to help you than we can since you're not using TuyAPI. Edit: tried to convert this thread to a discussion since this repo now has access to those, but GitHub went and broke. :( |
Sorry i forgot to comment that I figured that out.. I had to stop the HA container.. but now I am getting a bunch of my devices failing to poll |
I noticed the warning about sensors not working--does this also apply to smart plugs that sense power consumption? I have some Tuya-based power-sensing plugs I'm trying to get working and don't want to go down a rabbit hole unnecessarily if the power sensing can't work with tuyapi. |
I've done this before and it works great 👍 |
Hi, I dont get it, how to setup my E14 RGB led bulb. I dont get, what I should do with that response? My main DP is 20, okay. But what should I setup in the RGB part in the settings? Nothing seems to work. |
I recommend checking out some of the source for homebridge-tuya to see an example of how to encode color. |
Hi, I wonder if anyone can help. I'm using tuya api for a personal project, a sort of smart life app for local control of tuya devices. I will share the code if I get it finished. So far so good apart from RGB control. According to the information here the following code should set the bulb color to yellow
On/off switch and white mode/brightness work fine. It's a generic tuya bulb sold under the brand name 'bomcosy'. Thanks for your efforts in developing such a great api. |
@goatzen Your bulb might be different, try geting the schema and then just try editing different bits and see what happens. If you want an alternative refertence I'm pretty sure this project https://github.com/TheAgentK/tuya-mqtt has lots of details about setting the color of bulbs |
Hello. Is it possible to capture sensor wi-fi traffic and catch events locally without cloud? Please give me a direction. |
Official local control and more: see #501 |
I have tuya IR smart device, I want sniff its local network UDP messages. Actually, when device is in boot mode its acts as an Access Point. And on smart life when we add device, we give our router credentials and it starts scanning for the device. |
I think Wireshark might be what you're looking for? |
There is no such thing as "IoT Data Analytics". I can find the rest just fine. Just the data one is unavailable (not listed). |
I'm trying to get this to work with some smart bulbs and light strip, but currently the only missing piece for me is how you got the prefix & suffix in requests.json.
Are they just the packet header/footer or is there more to it than that?
Awesome work here by the way, thanks for all your work!
The text was updated successfully, but these errors were encountered: