AMoo-Miki / homebridge-tuya-lan

Homebridge plugin for IoT devices that use Tuya Smart's platform
MIT License

Tuya Garage door opener #53

Open jchristianj opened 5 years ago

jchristianj commented 5 years ago

Hi! I'm about to purchase this garage door opener: https://www.amazon.com/dp/B07GGRCH23/ref=cm_sw_em_r_mt_dp_U_ea58CbW6D87JX

Will it be possible to add it to Homekit by Homebridge and your plugin on my Raspberry pi? Main point is, I would like to have it shown as a garage door in Homekit, not as a switch. It should indicate feedback of the door (open/closed) in the icon as well. Can you confirm it will be working like this?

Thanks and regards, Christian

AMoo-Miki commented 5 years ago

:( One step forward and one back.

What operating system are you on? Do you have a Mac handy? These are $50 locally :( I am tempted to order one just to test it.

I have this in my cart, ready for checkout; is it the one you have?

unvalider commented 5 years ago

We're on a 2017 MacBook Pro on Catalina public beta. HomeBridge is on a Synology DiskStation inside a Docker container.

unvalider commented 5 years ago

That one looks the same. I'm about to spin up Wireshark to see what's going in/out

AMoo-Miki commented 5 years ago

Cool. That is what I was going to propose. Here is how you can tap in:

  1. Get your phone's EDID (click on the serial number in itunes to show the EDID and then use the edit menu to copy)
  2. Remove all DNS servers from the DNS configuration of your WiFi connection on the phone after changing it to Manual, and add a fake but valid IP (10.0.0.253). This will force Tuya's app to talk to the devices locally when it can't reach the internet.
  3. Make sure Tuya app is killed.
  4. rvictl -s <EDID>.
  5. sudo tcpdump -i rvi0 -w trace.pcap
  6. Open Tuya's app. Wait for 30 seconds.
  7. Open the door. Close the door.
  8. Ctrl+C to kill tcpdump.
  9. rvictl -x <EDID> to end the routing.
  10. Change the DNS on your phone to Automatic.

Now, I would trust myself not to look at anything but Tuya in your dump, but I wouldn't fault you if you don't. So either send me your pcap and key so I can decode it (I'll give you my email), or let me know and I will write an app to decode it on your end.

PS, if you choose to send me your key, we will filter out the pcap to not have any information other than the device communication.

unvalider commented 5 years ago

I might shoot you an email, it's a bit easier, because there's a bit of background noise in the pcap I've captured.

unvalider commented 5 years ago

Just as a side note, the captures are from macOS from the native Home app there. I didn't have access to the transmissions being sent/received from the iOS app; this computer doesn't have Xcode installed at the moment. Happy to do so later on (it's 9pm in my local timezone :|)

AMoo-Miki commented 5 years ago

Of course. To make sure you don't share your bank account details with me:

  1. Open Wireshark.
  2. Drop the pcap file into it. It will show you an error about being cut short; hit OK.
  3. In the filter box, enter (ip.dst == 10.0.0.129 or ip.src == 10.0.0.129) and tcp (replace the IP with your device's IP), then hit Enter to apply the filter.
  4. Right click on any of the rows and choose Follow and TCP Stream; this will open a new dialog.
  5. At the bottom, change "Show and save data as" to YAML or C Array and then hit Save as.
  6. Mail me the file you saved as well as your key (which is used to decrypt it) at amoo_miki@yahoo.com

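
An added example (not code from this thread or from the plugin) that does in pure Python what the Wireshark steps above do by hand: it reads a classic pcap, keeps only TCP packets to or from the device's IP, and writes the rest away so nothing else in the capture leaves your machine. It assumes a classic pcap file with Ethernet frames (linktype 1); tcpdump on an rvi interface may write a different link type, in which case the header offsets need adjusting, and pcapng is not handled. The sample capture at the bottom is constructed for the demo, and 10.0.0.129 is the placeholder device IP from the filter in step 3.

```python
import struct
from ipaddress import ip_address

# Assumed value: the placeholder device IP used in the Wireshark filter above.
DEVICE_IP = "10.0.0.129"

PCAP_MAGIC_LE = 0xA1B2C3D4   # classic pcap magic as read from a little-endian file
PCAP_MAGIC_BE = 0xD4C3B2A1   # the same magic as read from a big-endian file
LINKTYPE_ETHERNET = 1
ETH_HLEN = 14
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def read_pcap(data):
    """Parse a classic pcap; return (linktype, [(ts_sec, ts_usec, frame), ...]).

    A final record whose length field runs past the end of the file (the
    "cut short" condition Wireshark warns about) is dropped rather than fatal.
    """
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == PCAP_MAGIC_LE:
        end = "<"
    elif magic == PCAP_MAGIC_BE:
        end = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype = struct.unpack_from(end + "IHHiIII", data, 0)[6]
    records, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(end + "IIII", data, off)
        off += 16
        if off + incl_len > len(data):
            break                                   # truncated last record
        records.append((ts_sec, ts_usec, data[off:off + incl_len]))
        off += incl_len
    return linktype, records


def write_pcap(records, linktype=LINKTYPE_ETHERNET, snaplen=65535):
    """Serialise records back into a little-endian classic pcap."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, snaplen, linktype))
    for ts_sec, ts_usec, frame in records:
        out += struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame
    return bytes(out)


def is_device_tcp(frame, device_ip):
    """True if an Ethernet frame carries IPv4/TCP to or from device_ip."""
    if len(frame) < ETH_HLEN + 20:
        return False
    if struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return False
    ip = frame[ETH_HLEN:]
    if ip[0] >> 4 != 4 or ip[9] != IPPROTO_TCP:
        return False
    src, dst = ip_address(ip[12:16]), ip_address(ip[16:20])
    return device_ip in (str(src), str(dst))


def filter_pcap(data, device_ip=DEVICE_IP):
    """Return (filtered_pcap_bytes, kept, dropped), keeping only the device's TCP traffic."""
    linktype, records = read_pcap(data)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"linktype {linktype} not handled; this example assumes Ethernet")
    kept = [r for r in records if is_device_tcp(r[2], device_ip)]
    return write_pcap(kept), len(kept), len(records) - len(kept)


def _frame(src, dst, proto, payload):
    """Constructed minimal Ethernet+IPv4 frame for the demo (checksums left at zero)."""
    eth = bytes(12) + struct.pack("!H", ETHERTYPE_IPV4)
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ip_address(src).packed, ip_address(dst).packed)
    return eth + ipv4 + payload


# Constructed sample capture: TCP to the device, TCP to an internet host, UDP from
# the device.  Only the first packet should survive the filter.
SAMPLE_PCAP = write_pcap([
    (1560000000, 0, _frame("10.0.0.10", DEVICE_IP, IPPROTO_TCP, bytes(20))),
    (1560000000, 500, _frame("10.0.0.10", "203.0.113.5", IPPROTO_TCP, bytes(20))),
    (1560000001, 0, _frame(DEVICE_IP, "10.0.0.10", 17, bytes(8))),
])
# Same capture with a final record whose header promises 100 bytes but only 5 follow.
TRUNCATED_PCAP = SAMPLE_PCAP + struct.pack("<IIII", 1560000002, 0, 100, 100) + bytes(5)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    out, kept, dropped = filter_pcap(data)
    with open("device-only.pcap", "wb") as fh:
        fh.write(out)
    print(f"kept {kept} packet(s), dropped {dropped}; wrote device-only.pcap")
```

Run it as `python3 filter.py trace.pcap` and share device-only.pcap instead of the raw trace; the capture key is still needed to decrypt the payloads, so the filtered file reveals nothing about the device beyond what the recipient could already read.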
unvalider commented 5 years ago

Thanks, I've just sent through the pcap file to your email now.

AMoo-Miki commented 5 years ago

@unvalider I sent you an email; your device is not there anywhere in the trace :(

I created a complete set of instructions for this and it is a bit more complete than what we discussed here. See if you can follow that and get the trace.

unvalider commented 5 years ago

Thanks. I will run a new capture in a few hours and send it through. I appreciate your assistance in trying to get this to work.

AMoo-Miki commented 5 years ago

Of course; whenever you get a chance. It's my pleasure.

unvalider commented 5 years ago

New packet captures have been sent through.

AMoo-Miki commented 5 years ago

Got your email. Decoded. The only difference I see is that I am not sending a CRC otherwise the plugin's commands are identical to those of the app. I will add CRC and let you know.

AMoo-Miki commented 5 years ago

There were 3 sections in a message that I was not handling: (1) control counter, (2) 8 characters that I haven't figured out, and (3) CRC checksum. I have added the CRC checksum and am hoping that is all that is needed to get your device to work.

Please update to the latest rc release with npm i -g homebridge-tuya-lan@rc. After you restart homebridge, please also power-cycle the device to make sure it is in a clean state.
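An added example, not the plugin's own code, showing the two pieces the comment above mentions handling: a per-connection sequence counter and a CRC32 trailer. The frame layout used here (4-byte prefix 0x000055AA, sequence, command, length, payload, CRC32, 4-byte suffix 0x0000AA55, all big-endian, with the length counting payload plus the 8-byte trailer and the CRC covering prefix through payload) is the publicly reverse-engineered Tuya LAN framing and is assumed, not taken from this thread; the command ids are likewise assumed. The payload is passed in as already-prepared bytes, so the version header and payload encryption are out of scope. The parser rejects a frame whose CRC does not match, which is what a strict device does to a frame sent without one.

```python
import itertools
import struct
import zlib

PREFIX = 0x000055AA          # frame start marker (assumed layout, see lead-in)
SUFFIX = 0x0000AA55          # frame end marker
CMD_CONTROL = 0x07           # "set data points" command id (assumed)
CMD_HEART_BEAT = 0x09        # keep-alive command id (assumed)
HEADER_FMT = ">IIII"         # prefix, sequence, command, length; all big-endian
HEADER_LEN = 16
TRAILER_LEN = 8              # CRC32 + suffix


class TuyaFramer:
    """Builds frames with a monotonically increasing sequence counter and a CRC32."""

    def __init__(self, start_seq=1):
        self._seq = itertools.count(start_seq)

    def build(self, cmd, payload):
        seq = next(self._seq)
        header = struct.pack(HEADER_FMT, PREFIX, seq, cmd, len(payload) + TRAILER_LEN)
        crc = zlib.crc32(header + payload) & 0xFFFFFFFF   # CRC covers header + payload
        return header + payload + struct.pack(">II", crc, SUFFIX)


def build_without_crc(seq, cmd, payload):
    """A frame whose CRC field is never filled in: one way of 'not sending a CRC'."""
    header = struct.pack(HEADER_FMT, PREFIX, seq, cmd, len(payload) + TRAILER_LEN)
    return header + payload + struct.pack(">II", 0, SUFFIX)


def parse_frame(buf):
    """Parse one frame from the front of buf; return (seq, cmd, payload, remainder).

    Raises ValueError for a bad prefix/suffix, a truncated frame, or a CRC mismatch.
    """
    if len(buf) < HEADER_LEN + TRAILER_LEN:
        raise ValueError("frame too short")
    prefix, seq, cmd, length = struct.unpack_from(HEADER_FMT, buf, 0)
    if prefix != PREFIX:
        raise ValueError("bad prefix")
    end = HEADER_LEN + length
    if length < TRAILER_LEN or end > len(buf):
        raise ValueError("truncated frame")
    payload = buf[HEADER_LEN:end - TRAILER_LEN]
    crc, suffix = struct.unpack_from(">II", buf, end - TRAILER_LEN)
    if suffix != SUFFIX:
        raise ValueError("bad suffix")
    if zlib.crc32(buf[:end - TRAILER_LEN]) & 0xFFFFFFFF != crc:
        raise ValueError("CRC mismatch")
    return seq, cmd, bytes(payload), bytes(buf[end:])


def parse_stream(buf):
    """Split a TCP read that may carry several frames back to back."""
    frames = []
    while buf:
        seq, cmd, payload, buf = parse_frame(buf)
        frames.append((seq, cmd, payload))
    return frames


# Constructed plaintext stand-in for a control payload; a real device expects it
# wrapped in the protocol's version header and encrypted with the local key.
SAMPLE_CONTROL = b'{"dps":{"1":true}}'

if __name__ == "__main__":
    framer = TuyaFramer()
    control = framer.build(CMD_CONTROL, SAMPLE_CONTROL)
    beat = framer.build(CMD_HEART_BEAT, b"")
    print("control frame:", control.hex())
    print("decoded stream:", parse_stream(control + beat))
    try:
        parse_frame(build_without_crc(3, CMD_CONTROL, SAMPLE_CONTROL))
    except ValueError as exc:
        print("frame without CRC rejected:", exc)
```

The sequence counter lives in the framer, not in the caller, so every command on a connection gets a fresh number; keeping it there is also what makes a replayed capture distinguishable from a live command when you compare traces.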

unvalider commented 5 years ago

Hi @AMoo-Miki I have been using the Garage Door opener successfully through HomeKit since updating to the latest rc. The open & close states are displaying correctly and homebridge is no longer throwing errors at me.

AMoo-Miki commented 5 years ago

Hurray! Thanks for helping figure this out; I would have renamed this accessory in your honor but I fear people will get confused >:\

Let's hope @jchristianj also reports back that the problem is solved.

singhrajtomar commented 4 years ago

Fixed: JSON section now reads:

"platforms": [{ "platform": "TuyaLan", "devices": [{ "name": "Garage Door", "type": "GarageDoor", "manufacturer": "Tuya", "model": "Garage Opener", "id": "<< removed >>", "key": "<< removed >>", "dpAction": 7, "pingTimeout": 3600

Still receiving error message: [TuyaAccessory] Socket had a problem and will reconnect to Garage Door (ECONNRESET). This is common for v3.3 devices.

Hi, I am also using a Garage Door Opener by Tuya, May I know how did you find the ID and Key of the device?

Thank You

crampus commented 4 years ago

@singhrajtomar I was with @unvalider when he was setting his up, and I have the same model.

There used to be a method which was available as a part of homebridge-tuya-lan, called tuya-lan-find, which would (by putting your iPhone into a proxy environment for a Man-In-The-Middle style configuration) enable the id and key to be retrieved from the Tuya Smart app. Tuya patched their app, and this no longer works. There are other alternate apps that also worked with the proxy find service; Ucomen Home, and Smart Life; these too appear to be patched in current versions.

I can't even get Ucomen Home to recognise the opener anymore; even though this was the way it was initially set up; and the key appears to have changed; so I'm unable to get it set back up.

singhrajtomar commented 4 years ago

how should we intercept the id and key then? do we have to use wireshark or similar tool then?

crampus commented 4 years ago

@singhrajtomar The ID can be retrieved through the TuyaSmart app.

The key cannot be retrieved; it’s used to encrypt the traffic.

You could in theory try brute-force; but you’d need to know the encryption algorithm in use, and given the keys are 16-character hexadecimal, there’s about 18,446,744,070,737,095,500 (18 quintillion) possible combinations, even if your computer could attempt 10 keys per second, you would be in for a wait of approximately 5 billion years to exhaust all possibilities.

crampus commented 4 years ago

I have the beginnings of a theory, but it's untested, as the files I want to test are encrypted with a key I am uncertain on how to retrieve.

I went on a bit of a deep-dive to see if I can find any more information on the Tuya app yesterday. Tuya have been so generous as to include a list of all the other libraries used as a part of developing the Tuya Smart Application within the settings section of the app.

As at 15/04/2020, this stood as:

CocoaAsyncSocket
DACircularProgress
dsBridge
EZAudio
FLAnimatedImage
HMSegmentedControl
IQKeyboardManager
KSCrash
libextobjc
lottie-ios
Masonry
MBProgressHUD
MJRefresh
MMKV
MQTTClient
NJKWebViewProgress
OpenSSL-Universal
Reachability
SDVersion
SDWebImage
SQLCipher
SSZipArchive
UICKeyChainStore
YYModel
TZImagePickerController
react-native
FFmpeg

Packages relevant to database encryption: OpenSSL, MMKV, UICKeyChainStore and SQLCipher. OpenSSL doesn't help us much as it's a broad-scope en/decryption toolkit, however:

MMKV uses AES-128-CFB for encryption and decryption. SQLCipher uses AES-256-CBC for encryption and decryption. UICKeyChainStore is a library to simplify native iOS/macOS keychain integration.

After performing an un-encrypted iOS backup to my Mac, and then browsing said backup with a third party utility (iBackup Browser: "freemium" commercial software), I was able to access the file storage used by Tuya Smart, cross-checking against Ucomen Home. They're all the same on the back-end.


I could be way off; however, my instincts say that the key for the devices is stored in /AppDomain-com.tuya.smart/Documents/tuyasmartcfg.db, which is AES-256-CBC encrypted, and the key used to decrypt the contents of the .db file could possibly be stored in /AppDomain-com.tuya.smart/Documents/mmkv/{{uid}}, which isn't viewable with any plaintext editors I tried, or it could be generated randomly or as a function of some other unique key, such as the TYUniqueIdentifier key in /AppDomain-com.tuya.smart/Library/Preferences/com.tuya.smart.plist. I have so far been unable to decrypt this database or the MMKV raw data file. It could also be the other way around, or the two could be independent. This is beyond what I know for sure.

🧂 (salt warning) 🧂 You know... It'd be nice if Tuya would come to the open source party and just give us a little Advanced/Developer menu that lets the app expose the device key natively, so we don't have to try and compromise the entire app platform just to open their potential market up to the Apple ecosystem's IoT/home automation market segment (thus more paying customers of the Tuya brand) or anything 🙄 🔫

Update: 16/04 Found UICKeyChainStore is a GitHub repo. Linked accordingly. Turns out this uses an app identifier, which looks to be in the exact same form as the TYUniqueIdentifier key in /AppDomain-com.tuya.smart/Library/Preferences/com.tuya.smart.plist. One mystery solved. That key is for the KeyChain integration.

crampus commented 4 years ago

Okay. So after looking all over the Internet, there’s really only one solution.

Keys are next to impossible to retrieve from iOS, but thanks to being able to install older APKs outside the Play Store on Android, it’s pretty easy to grab keys.

What you’ll need:
  • An Android device. Note: BlueStacks for Windows/Mac gets hung up on setting a lockscreen passcode (as it doesn’t have a lockscreen, so Android can’t add in certificate trusts); you will need a dedicated Android/AOSP x86/x64 distro, bare metal or in a VM with a dedicated WLAN NIC, if you don’t have a native Android device.
  • Installation from external sources enabled.
  • Packet Capture (1.7.2 tested) or later.
  • Tuya Smart Life (3.6.1 tested); later versions or other branded versions might work, but I make no guarantees or warrants of fitness for any given configuration, device, or sexual identity.

  1. Set up the packet capture app certificates.
  2. Filter to the Tuya app.
  3. Start a capture
  4. Trigger your IoT device
  5. Stop the Capture
  6. Decrypt the SSL packets
  7. You will get a JSON payload with the local_key in plaintext.
  8. Plug and play into your configs.
  9. Magic.
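
An added example for steps 7 and 8 above (not code from this thread or the plugin): once the decrypted app traffic yields JSON with the local key in plaintext, this walks the response, pulls out every device id and key pair, renders the "platforms" block in the shape shown earlier in the thread, and produces a redacted copy for pasting into an issue. The response below is constructed, and its field names (devId, localKey, name, productId) are assumed from commonly reported Tuya app traffic rather than taken from this thread; the accessory type names are placeholders.

```python
import json

# Constructed sample of a decrypted app response carrying local keys in plaintext.
# Field names are assumed (see lead-in); ids and keys are made up for the demo.
CAPTURED_RESPONSE = json.dumps({
    "t": 1586900000,
    "success": True,
    "result": [
        {"devId": "0123456789abcdef0123", "localKey": "0123456789abcdef",
         "name": "Garage Door", "productId": "abcdefghij", "ip": "10.0.0.129"},
        {"devId": "fedcba9876543210fedc", "localKey": "fedcba9876543210",
         "name": "Desk Lamp", "productId": "jihgfedcba", "ip": "10.0.0.130"},
    ],
})

ID_FIELDS = ("devId", "dev_id")          # assumed spellings of the device id field
KEY_FIELDS = ("localKey", "local_key")   # assumed spellings of the local key field


def find_devices(node, found=None):
    """Walk arbitrary JSON and collect every object that has both an id and a local key."""
    if found is None:
        found = []
    if isinstance(node, dict):
        dev_id = next((node[k] for k in ID_FIELDS if k in node), None)
        key = next((node[k] for k in KEY_FIELDS if k in node), None)
        if dev_id and key:
            found.append({"id": dev_id, "key": key, "name": node.get("name", dev_id)})
        for value in node.values():
            find_devices(value, found)
    elif isinstance(node, list):
        for value in node:
            find_devices(value, found)
    return found


def tuyalan_config(devices, types=None, default_type="GarageDoor"):
    """Render a homebridge-tuya-lan "platforms" block like the one pasted in this thread.

    `types` maps device id -> accessory type; anything unmapped gets default_type.
    """
    types = types or {}
    entries = [{
        "name": d["name"],
        "type": types.get(d["id"], default_type),
        "manufacturer": "Tuya",
        "id": d["id"],
        "key": d["key"],
    } for d in devices]
    return {"platforms": [{"platform": "TuyaLan", "devices": entries}]}


def redacted(config):
    """Deep copy of the config that is safe to post: ids and keys replaced."""
    out = json.loads(json.dumps(config))
    for platform in out["platforms"]:
        for dev in platform.get("devices", []):
            dev["id"] = "<< removed >>"
            dev["key"] = "<< removed >>"
    return out


if __name__ == "__main__":
    devices = find_devices(json.loads(CAPTURED_RESPONSE))
    config = tuyalan_config(devices, types={"fedcba9876543210fedc": "Switch"})
    with open("tuyalan-devices.json", "w") as fh:
        json.dump(config, fh, indent=2)          # the real one stays on disk
    print(json.dumps(redacted(config), indent=2))  # the one you paste into an issue
```

The walker matches on field names rather than on a fixed path, so it still finds devices if the app nests the list differently between versions; the redacted copy is a separate object, so the file you write for homebridge keeps the real keys.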