Grayda / node-orvibo

A node.js package to control Orvibo products
78 stars 18 forks source link

Newer Orvibo Smart Sockets #11

Open jimbo-83 opened 7 years ago

jimbo-83 commented 7 years ago

Do you know if this plugin will support the newer smart sockets? I think the model is B25, I have been trawling various places for an answer on this and can't find resolution anywhere and as someone who is diffo not a coder I'm struggling but really want to make use of this with my Sockets!

Grayda commented 7 years ago

Hmm, I didn't realise they had a new version of the socket out. I might have to dig one up and see. However the answer is, it depends.

Right now there are two major versions of the Orvibo protocol. The first, which we'll call "legacy", is fully supported by node-orvibo. Almost anything the official Orvibo app can do, node-orvibo can do.

Then there's the newer version, which I'll call "PK" (because the string "PK" (or sometimes "DK") appears towards the start of the packets, and Orvibo refers to it as a "protocol type"). It's somewhat similar to the legacy protocol, but is encrypted and has an entirely different way of transmitting data (uses JSON instead of just tacking the information to the end of the packet).

PK isn't supported yet. A number of months ago I got a Kepler gas detector, but I could barely get it to respond, so I didn't make much progress. About a week ago I received a Coco smart strip (like the socket, but in a power strip) and a Smart Cube (which is a cloud-connected version of the Orvibo AllOne, an IR blaster for controlling TVs and such). Since then I've made some progress. I can encrypt and decrypt the PK messages and I can recreate the packets used to communicate with the device.

However that's as far as I've got. It shouldn't be too hard to start adding in features, but I haven't got there yet.

So to cut a long story short, if the B25 uses the legacy protocol, I'm 95% confident it'll work. My code might need some tweaking to suit, but most things should be there. If it uses the PK protocol, it definitely won't work yet, but I'm working on it. I've got almost a month off from work in about a week's time, so that'll give me a better chance to tackle the issue.

Let me know if you've got any other questions!

jimbo-83 commented 7 years ago

Hey David,

I think that it's safe to assume that they will be using the same newer protocol as I have tried the "legacy" stuff as well as the Orvibo Platform. I also think they were released at the same time as the Coco. They run on the HomeMate App rather than the Wiwo one.

I really appreciate your reply as I'm 0% knowledgeable in code but I see so much value in this software! It really is so cool, HomeKit technology is so over priced at this point yet other systems are so much more affordable but clunky. This really is a great answer!

Thanks again

J

jimbo-83 commented 7 years ago

Hey David,

I think that it's safe to assume that they will be using the same newer protocol as I have tried the "legacy" stuff as well as the Orvibo Platform. I also think they were released at the same time as the Coco. They run on the HomeMate App rather than the Wiwo one.

I really appreciate your reply as I'm 0% knowledgeable in code but I see so much value in this software! It really is so cool, HomeKit technology is so over priced at this point yet other systems are so much more affordable but clunky. This really is a great answer!

Thanks again

J

Sent from my iPhone

On 11 Dec 2016, at 09:53, David Gray notifications@github.com wrote:

Hmm, I didn't realise they had a new version of the socket out. I might have to dig one up and see. However the answer is, it depends.

Right now there are two major versions of the Orvibo protocol. The first, which we'll call "legacy", is fully supported by node-orvibo. Almost anything the official Orvibo app can do, node-orvibo can do.

Then there's the newer version, which I'll call "PK" (because the string "PK" (or sometimes "DK") appears towards the start of the packets, and Orvibo refers to it as a "protocol type"). It's somewhat similar to the legacy protocol, but is encrypted and has an entirely different way of transmitting data (uses JSON instead of just tacking the information to the end of the packet).

PK isn't supported yet. A number of months ago I got a Kepler gas detector, but I could barely get it to respond, so I didn't make much progress. About a week ago I received a Coco smart strip (like the socket, but in a power strip) and a Smart Cube (which is a cloud-connected version of the Orvibo AllOne, an IR blaster for controlling TVs and such). Since then I've made some progress. I can encrypt and decrypt the PK messages and I can recreate the packets used to communicate with the device.

However that's as far as I've got. It shouldn't be too hard to start adding in features, but I haven't got there yet.

So to cut a long story short, if the B25 uses the legacy protocol, I'm 95% confident it'll work. My code might need some tweaking to suit, but most things should be there. If it uses the PK protocol, it definitely won't work yet, but I'm working on it. I've got almost a month off from work in about a week's time, so that'll give me a better chance to tackle the issue.

Let me know if you've got any other questions!

— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub, or mute the thread.

Grayda commented 7 years ago

Yeah, I guessed they were the newer protocol. Watch this space though, as the newer protocol just seems to be the same ol' Orvibo stuff, just packaged into a different format, so it might be rather trivial to implement this stuff.

karl0ss commented 7 years ago

@Grayda I would love for this to work on B25 as well, I can either supply you a B25 for free if you want, or can donate some £ to you if you get it working after if you want?

Grayda commented 7 years ago

@karl0ss: I'd certainly appreciate the donation. I'm in the process of rewriting the library so it's easier to add new products (I'm envisioning a plugin system using architect which I've used before). I've got the new protocol sort of worked out, but right now I can just encode and decode packets, not control things.

Send me an email at grayda@solidinc.org if you want to chat further :)

karl0ss commented 7 years ago

@Grayda I've sent you an email mate.

karl0ss commented 7 years ago

I've ordered David a B25, so hopefully with the actual device, he will be able to get it working for us :)

JCotton1123 commented 7 years ago

@Grayda I recently purchased a S25, what I assume to be the american version of the B25. I've done some packet captures and I see the pk/dk string at the start of the packet as you described above. I was wondering if you could provide any info on the decryption/encryption process including how to derive the key so that I can experiment with my socket. I am more then happy to contribute any information or code I am able to put together.

Grayda commented 7 years ago

@jcotton1123: Check out my last commit which added tools to encode and decode packets. The key can be obtained by downloading the Kepler APK then using an APK decompiler (I used an online one, but apktool works great too). Not in front of my computer so I can't remember the path, but I think the key is in an AESCoder jar file as a const. Possibly called "key". The Home mate app doesn't have the key as it's stored server side, but the Kepler APK has it

Not sure if I can legally do it, but I might write a tool that "brute forces" the key so people don't have to decompile APKs to get it. The key is alphanumeric and fairly short, so brute forcing it won't be hard.

I'm almost done rewriting the S20 / Allone code for node-orvibo2, so the base of that should make the DK / PK stuff a cinch to add because node-orvibo2 is modular

JCotton1123 commented 7 years ago

@Grayda Thanks. This never occurred to me as an iOS user.

I found the key. For anyone else thats looking, it can be found in com/orvibo/lib/kepler/core/AESCoder.java.

Looking forward to seeing the new node-orvibo2 lib. Hopefully I can contribute some code.

karl0ss commented 7 years ago

Hopefully we can have working B25's soon :)

@Grayda Is the one I sent you working ok?

Grayda commented 7 years ago

@karl0ss: Yep, working fine with the HomeMate app!

I'm just about to start on the "v2" code. While I'm doing that, I'm asking a few people (the EFF, the 'legaladvice' subreddit, maybe a lawyer if necessary) about the legalities of distributing the key. Brute-forcing the whole key would take literally forever (with over 200 trillion combinations), so I'm trying to find out if I can include the whole key (in the name of 'interoperability'), or part of the key, then use a tool to unscramble the rest (which would take ~400ms to unscramble). I can't seem to find any info, so I'm reaching out to a few places, just to protect me, and anyone who uses this library.

In the meantime, you can see the progress over on http://github.com/grayda/node-orvibo2. There's so many changes going on, and so different methods and such, that it was better to start from scratch.

karl0ss commented 7 years ago

Ok cool, thank you so much for looking at this :)

Grayda commented 7 years ago

@karl0ss and others:

I've created a wiki page here which documents my findings with the newer sockets so far.

Right now I haven't gotten anywhere. I'm sending the correct commands, but the B25, the Coco and the SmartCube aren't responding. I'm wondering if they're waiting for those commands to come from the server (which requires signing up for a HomeMate account) or if there's something I'm not doing.

EDIT: Yeah, looks like they wait for sever commands, because as soon as I unplug my internet (but leave WiFi going), everything stops. I'm wondering if the server is hard-coded into the devices, or if they can be changed when being set up. This'll be my next point of investigation. I've just purchased a WiFi adapter that does monitor mode, so I'll be able to sniff packets that go from the socket to the server. Hopefully that'll shed some light. If I can't set the server, then it might take a man-in-the-middle attack to get things running. That'll be tons of fun (/sarcasm)

I'm currently pawing through a bunch of pcap packets to see what is going on. I might have to buy a WiFi dongle that does monitor mode so I can get a clearer picture of what is being sent.

On a separate note, the HomeMate app sends your (precise, I think) location to the server, along with what type of phone you have. Worth keeping in mind if you're privacy conscious. Android Nougat lets you turn off those permissions, or you can install a GPS spoofer to fake your location prior to running HomeMate.

I'll keep everyone updated as I make progress.

karl0ss commented 7 years ago

Thanks for the update mate, sounds like these new ones are a right pita...

kalinon commented 7 years ago

I posed an issue here: https://github.com/cherezov/orvibo/issues/13 for the new S31 blocks. It has some wireshark dumps that may be helpful.

karl0ss commented 7 years ago

Guessing this project is now dead for the new plugs?

insertjokehere commented 7 years ago

I'm working on getting something going so I can control my Orvibo "S20c" switches, which also use the "Homemate" app, with the goal of a Homemate-to-MQTT bridge so I can control my switches from Homeassistant.

I've been writing up my notes on blog, and have written a tool that can decode 'PK' and 'DK' packets (hat tip to @Grayda, would never have worked out getting the 'PK' key from Kepler!)

Would be really interested if my tool works with other 'Homemate' devices

Grayda commented 7 years ago

@karl0ss: I hit a brick wall and had a bunch of other stuff pop up (work and home projects that chewed up almost all of my free time). Will seems to be on the same track as me, so hopefully between us we'll get something, anything.

@insertjokehere: Good write up! I was holding off from fiddling with DNS and such, because I wanted to see if I could "soft re-program" the switches so they'd accept commands from any connection and negate the need to write an entire (or partial) "server" just to get this working. I thought perhaps through an "AP mode" like the original Socket but nothing yet.

On a separate yet related note, if anyone has experience with decompiling and reading C code, let me know. The Kepler APK is basically a small amount of Java around a large C++ blob, which makes gleaning secrets about how stuff operates, a nightmare.

insertjokehere commented 7 years ago

@Grayda I've got a working server implementation in insertjokehere/homemate-bridge that might be of some use. As for the question of distributing the key, did you hear back from the EFF?

One possible solution: running classes.dex from the Kepler APK through the GNU strings utility yields ~5000 strings that are at least 16 characters long. This is probably a reasonable search space, and doesn't involve distributing any part of the key, and automates getting the key from the APK without having to actually decompile it

honcheng commented 7 years ago

@insertjokehere you listed that your solution works for S20c. Is S20c different from S20? Will it work for S25 and B25?

insertjokehere commented 7 years ago

@honcheng S20c is different from the S20 - the S20c uses the new 'Homemate' app and protocol whereas the S20 uses the old 'WiWo' app.

I don't know if it will work with the S25 or B25 - I don't have one to test with (and not sure they make them in a form that is compatible with my local electrical system) - but would be interested in hearing about any results

honcheng commented 7 years ago

@insertjokehere thanks. I have both S20 and S25. S25 only works for HomeMate app, different protocol. I'll try it with your implementation and report back.

Grayda commented 7 years ago

@insertjokehere Nice! I'll have to brush up on my Python (I've only ever coded one thing in Python, and that was hacked together from various examples) and have a look.

I don't like the idea of having to set up DNS, mostly because it doesn't feel as self-contained as node-orvibo is (you don't need to know IP addresses or anything, you just run it and it goes), but ultimately I might have to just stop my sooking and do it, and look for a non-DNS solution later, if one exists.

In the meantime, I took your great idea of using strings, and I wrote a bash script: https://gist.github.com/Grayda/eb48093bcfb96bfeec9c58ea301f2668 . I tried to expand the regex to be as vague as possible while only returning the one line. I'm not a lawyer, so I hope I can do this!

markbosshard commented 7 years ago

@Grayda sorry the stupid question: is there any node-orvibo2 (as you announced on stikonas.eu's github) or something similar to easily control a B25 yet? thanks a lot :) best, Mark

Grayda commented 7 years ago

Hi @markbosshard, sorry for the late reply. Not yet. I made a start on it, but lots of other things got in the way (full time job, project work after hours etc.). Right now insertjokehere's code is the only way I know of to control those sockets.

Also as I mentioned before, if anyone knows how to decompile C code found within Android apps, let me know, as that may contain some info I need to move forward a little.

vrm42 commented 7 years ago

Hi, Grayda, please tell me which script did you mean as the only way to control B25 sockets. I'm desperately seeking a working solution. Thank you!

insertjokehere commented 7 years ago

@vrm42 insertjokehere/homemate-bridge will let you control these sockets through MQTT or HomeAssistant (probably, I don't have any B25s to test with, but other users have managed to get them to work).

Its not super easy to get set up and running, and the docs are a bit sketchy. I keep meaning to tidy it up, but Life etc

vrm42 commented 7 years ago

Thanks for your quick reply. That solution seems dark magic to me. I don't see anything there that I could put into a bash script.

sandysound commented 7 years ago

Hey guys, I've actually built something very similar to @insertjokehere but on node to control the B25 sockets. You still have to change your dns settings to point the to system running the server. It's at https://github.com/sandysound/orvibo-b25-server Also I should mention I got a lot of my understanding of how these sockets worked from reading @Grayda and @insertjokehere 's research and blog posts so thanks guys!

karl0ss commented 6 years ago

Just to let people know, there is an official echo skill out now for homemate, and it supports our b25 :)

Bodge-IT commented 6 years ago

@karl0ss but now way to have it work with node-red and cloud(assistants) at same time. Also no HomeAssistant. Dissapointed in Orvibo

vrm42 commented 6 years ago

I'm very satisfied with the B25 model. Sandysound's method is perfectly working and I learned a new way to control the unit without its original cloud-based system. You need an one dollar worth usb programmer and the free arduino software. It has an ESP8266 plugin so you can replace the original firmware with a simple script. The script contains your WiFi SSID, password, a static IP and gateway for the socket, a webserver with ON/OFF buttons and the current status report of the relay. So you can control it with curl.

Grayda commented 6 years ago

@vrm42 Can you provide more details on this? I'm really interested in what you've found out about cloudless control.

vrm42 commented 6 years ago

You need a programmer: PL2303 USB-TTL / USB-STC-ISP. Disassemle the socket. Five pins have to be soldered to the 5V, TX, TX, GPIO0, GND pinouts. Connect these pins to the programmer. 5V to 5V, RX to TX, TX to RX, GPIO0 and GND to GND. Download Arduino IDE software (1.8.5). Under File, Preferences, additional boards manager urls put: http://arduino.esp8266.com/stable/package_esp8266com_index.json. Under Tools, Board Manager install ESP8266. Restart the software. Under Tools, Programmer select AVRISP mkII (for the model mentioned above). Under Tools, Board select Generic ESP8266. In the skecth edit field paste the following code, put your stuffs into it (ssid, password, ip, mask, gateway) and press upload (right arrow).

include

include

define relay 5

define button 14

MDNSResponder mdns;

int On = LOW; const char ssid = "your SSID here"; const char password = "your wifi password here"; String webPage="";

ESP8266WebServer server(80);

void handleroot() { int cstat = digitalRead(relay); webPage = "

Socket ID

<a href=\"ON1\"> <a href=\"OFF1\">

"; webPage += "Status"; webPage += cstat; server.send(200, "text/html", webPage); delay(100); }

void red() { digitalWrite(4, LOW); digitalWrite(12, HIGH); }

void blue() { digitalWrite(4, HIGH); digitalWrite(12, LOW); }

void setup() { pinMode(relay, OUTPUT); pinMode(4,OUTPUT); pinMode(12,OUTPUT); pinMode(button,INPUT); Serial.begin(9600); WiFi.begin(ssid, password); while (WiFi.status() != WL_CONNECTED) { Serial.print("."); delay(200); Serial.print("."); delay(200); Serial.print("."); delay(200); Serial.println(); }

IPAddress ip(192, 168, 1, 64); IPAddress gateway(192, 168, 1, 1); Serial.print(F("Setting static ip to : ")); Serial.println(ip); IPAddress subnet(255, 255, 255, 0); WiFi.config(ip, gateway, subnet);

red();

server.on("/", handle_root); server.on("/", [](){server.send(200, "text/html", webPage);}); server.on("/ON1", []() { server.send(200, "text/html", webPage); digitalWrite(relay, HIGH); On = HIGH; blue(); });

server.on("/OFF1", []() { server.send(200, "text/html", webPage); digitalWrite(relay, LOW); On = LOW; red(); });

server.begin(); }

void loop() { int value = digitalRead(button); if (value == LOW) { if (On == LOW) { digitalWrite(relay, HIGH); blue(); On = HIGH; delay(500); } else { digitalWrite(relay, LOW); red(); On = LOW; delay(500); } } server.handleClient(); }

Please note that the Webpage part of the code is messed up by this forum engine, so check the source.

This will erase the original firmware! I don't know how to put it back. In case of any error during the upload process simply disconnect the programmer from the pc and then reconnect. It happens all the times. Now you can connect to the socket with your browser.

CodeWilliamson commented 5 years ago

You need a programmer: PL2303 USB-TTL / USB-STC-ISP. Disassemle the socket. Five pins have to be soldered to the 5V, TX, TX, GPIO0, GND pinouts. Connect these pins to the programmer. 5V to 5V, RX to TX, TX to RX, GPIO0 and GND to GND. Download Arduino IDE software (1.8.5). Under File, Preferences, additional boards manager urls put: http://arduino.esp8266.com/stable/package_esp8266com_index.json. Under Tools, Board Manager install ESP8266. Restart the software. Under Tools, Programmer select AVRISP mkII (for the model mentioned above). Under Tools, Board select Generic ESP8266. In the skecth edit field paste the following code, put your stuffs into it (ssid, password, ip, mask, gateway) and press upload (right arrow).

include

include

define relay 5

define button 14

MDNSResponder mdns;

int On = LOW; const char ssid = "your SSID here"; const char password = "your wifi password here"; String webPage="";

ESP8266WebServer server(80);

void handle_root() { int cstat = digitalRead(relay); webPage = "

Socket ID

ON OFF

"; webPage += "Status_"; webPage += cstat; server.send(200, "text/html", webPage); delay(100); } void red() { digitalWrite(4, LOW); digitalWrite(12, HIGH); }

void blue() { digitalWrite(4, HIGH); digitalWrite(12, LOW); }

void setup() { pinMode(relay, OUTPUT); pinMode(4,OUTPUT); pinMode(12,OUTPUT); pinMode(button,INPUT); Serial.begin(9600); WiFi.begin(ssid, password); while (WiFi.status() != WL_CONNECTED) { Serial.print("."); delay(200); Serial.print("."); delay(200); Serial.print("."); delay(200); Serial.println(); }

IPAddress ip(192, 168, 1, 64); IPAddress gateway(192, 168, 1, 1); Serial.print(F("Setting static ip to : ")); Serial.println(ip); IPAddress subnet(255, 255, 255, 0); WiFi.config(ip, gateway, subnet);

red();

server.on("/", handle_root); server.on("/", {server.send(200, "text/html", webPage);}); server.on("/ON1", { server.send(200, "text/html", webPage); digitalWrite(relay, HIGH); On = HIGH; blue(); });

server.on("/OFF1", { server.send(200, "text/html", webPage); digitalWrite(relay, LOW); On = LOW; red(); });

server.begin(); }

void loop() { int value = digitalRead(button); if (value == LOW) { if (On == LOW) { digitalWrite(relay, HIGH); blue(); On = HIGH; delay(500); } else { digitalWrite(relay, LOW); red(); On = LOW; delay(500); } } server.handleClient(); }

Please note that the Webpage part of the code is messed up by this forum engine, so check the source.

This will erase the original firmware! I don't know how to put it back. In case of any error during the upload process simply disconnect the programmer from the pc and then reconnect. It happens all the times. Now you can connect to the socket with your browser.

I'd love to use this sketch but can't figure out where to connect on the board, any idea?

fdurand commented 4 years ago

Don't know if it still relevant but it's the only place i saw a discussion about the new way you can control the orvibo stuff. I reverse engineering the Homemate application and i create a golang client who is able to talk to the cloud and trigger a scene. It's a POC (who needs some love) but it works.

https://github.com/fdurand/homemate-api-trace

Since it can trigger a scene, it's doable to control any kinds of orvibo devices.

Btw thanks to @insertjokehere to help me to understand the last part of how to decrypt the json payload.