Flying-Toast / qiyi_smartcube_protocol

Reverse engineering the bluetooth protocol used by the QiYi Smart Cube

struggling to successfully send App Hello #3

Open thondascully opened 3 weeks ago

thondascully commented 3 weeks ago

Hi! I'm having issues with sending the initial App Hello msg. Below is the script currently writing the App Hello message.

Writing in python (script partially included):

import math

from Crypto.Cipher import AES             # pycryptodome: provides AES.new / AES.MODE_ECB
from bluepy.btle import Peripheral, UUID  # assumed: the Peripheral/UUID calls below match the bluepy API

# CUBE_KEY, CUBE_ADDRESS, crc16_modbus() and CubeDelegate are defined in the
# part of the script that is not included here.

def encrypt_message(data):
    # Zero-pad to a multiple of the 16-byte AES block size, then encrypt with AES-ECB
    padded_len = math.ceil(len(data) / 16) * 16
    padded_data = data.ljust(padded_len, b'\x00')
    cipher = AES.new(CUBE_KEY, AES.MODE_ECB)
    encrypted_message = cipher.encrypt(padded_data)
    return encrypted_message

def create_app_hello():
    print("creating App Hello msg...")
    # Fixed App Hello header, followed by the cube's MAC address in reversed byte order
    message = bytearray([
        0xfe, 0x15, 0x00, 0x6b, 0x01, 0x00, 0x00, 0x22, 0x06, 0x00, 0x02, 0x08, 0x00
    ] + list(reversed(bytes.fromhex(CUBE_ADDRESS.replace(':', '')))))
    message += crc16_modbus(message)  # CRC-16/MODBUS trailer over header + MAC
    encrypted_message = encrypt_message(bytes(message))
    # Split the 32-byte ciphertext into a 20-byte chunk and a 12-byte chunk
    return encrypted_message[:20], encrypted_message[20:]

...

cube = Peripheral(CUBE_ADDRESS)
cube.setDelegate(CubeDelegate(cube))

# Service fff0 / characteristic fff6, as used by this script
service = cube.getServiceByUUID(UUID("fff0"))
char = service.getCharacteristics(UUID("fff6"))[0]

app_hello_chunk1, app_hello_chunk2 = create_app_hello()
char.write(app_hello_chunk1, withResponse=True)
char.write(app_hello_chunk2, withResponse=True)

try:
    while True:
        # waitForNotifications() returns True once the delegate has handled a notification,
        # so only report waiting when the 1 s timeout passed without one
        if not cube.waitForNotifications(1.0):
            print("Waiting for notifications...")
except KeyboardInterrupt:
    print("Disconnecting from cube")
finally:
    cube.disconnect()

Terminal output:

attempting to connect to cube...
successfully connected to cube
creating App Hello msg

msg before encryption: b'fe15006b010000220600020800<REVERSE MAC>d94a'
msg before encryption (with padding): b'fe15006b010000220600020800<REVERSE MAC>d94a0000000000000000000000'

encrypted message: b'fe021808925fa310aa1859c6f701b7ed8..c2f72dd2662e7e47447768af'

sending first chunk of App Hello message: b'fe021808925fa310aa1859c6f701b7ed8..'
sending second chunk of App Hello message: b'c2f72dd2662e7e47447768af'

Afterwards, I receive no Cube Hello message in response. I'm curious to know where I am messing up.

thondascully commented 3 weeks ago

Resolved! I was lazy and sent my messages in two chunks instead of manually increasing the 20 byte soft cap.

thondascully commented 3 weeks ago

nvm. Let me know if you have any ideas :)

Flying-Toast commented 3 weeks ago

Nothing looks immediately wrong to me, but it is hard to tell with only part of the code. I'd suggest using the wireshark plugin to sniff the traffic coming from your program, and see if something goes wrong there.

Flying-Toast commented 3 weeks ago

Try flipping the checksum bytes; it looks like you may be sending them big-endian.
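The plaintext frame the script assembles, with the CRC trailer byte order from the comment above made explicit, as an added example that is not code from the issue or from the repository: it uses only the standard library, so the AES-ECB step the script performs is left to the caller, and the MAC address is a constructed sample. The residue check shows which byte order a CRC-16/MODBUS receiver verifies: appended low byte first, the CRC over the whole frame comes out zero.

```python
def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS: reflected polynomial 0xA001, init 0xFFFF, no final XOR."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


# Fixed App Hello header bytes, copied from the script in the issue
APP_HELLO_HEADER = bytes([0xfe, 0x15, 0x00, 0x6b, 0x01, 0x00, 0x00,
                          0x22, 0x06, 0x00, 0x02, 0x08, 0x00])


def build_app_hello(mac: str, little_endian_crc: bool = True) -> bytes:
    """Header + MAC in reversed byte order + 2-byte CRC trailer.

    little_endian_crc=True appends the CRC low byte first (MODBUS wire order);
    False appends it big-endian, which is what the comment above suspects the
    script is doing.
    """
    body = APP_HELLO_HEADER + bytes(reversed(bytes.fromhex(mac.replace(":", ""))))
    crc = crc16_modbus(body)
    return body + crc.to_bytes(2, "little" if little_endian_crc else "big")


def pad16(frame: bytes) -> bytes:
    """Zero-pad to a multiple of the 16-byte AES block size, as the script does before AES-ECB."""
    return frame + b"\x00" * (-len(frame) % 16)


def crc_trailer_ok(frame: bytes) -> bool:
    """True when the trailer is a correct low-byte-first CRC-16/MODBUS over the preceding bytes."""
    return crc16_modbus(frame) == 0


SAMPLE_MAC = "AA:BB:CC:DD:EE:FF"  # constructed sample, not a real cube address

if __name__ == "__main__":
    for order in (True, False):
        frame = build_app_hello(SAMPLE_MAC, little_endian_crc=order)
        print("LE" if order else "BE", frame.hex(), len(frame), "bytes,",
              "padded to", len(pad16(frame)), "- verifies:", crc_trailer_ok(frame))
```

The 21-byte frame pads to 32 bytes of ciphertext, which is why it does not fit the 20-byte write size mentioned in the thread.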

thondascully commented 3 weeks ago

I tried. No bueno. I have an iPhone, so I didn't pursue the wireshark plugin. I've never used wireshark before, so I'm not sure how to manage the capturing. I installed wireshark and installed the two plugins you provided, but I haven't tried capturing packets.

I love this project and seek to get it working on my end. Would you mind reaching out to my email so that I can share my script with you?

{username} [at] berkeley [dot] edu