Grayda / node-orvibo

A node.js package to control Orvibo products

Orvibo Kepler #4

Closed hongkongkiwi closed 8 years ago

hongkongkiwi commented 8 years ago

Hi there, for your reference you can now buy the Orvibo Kepler device from GearBest: http://www.gearbest.com/access-control/pp_236317.html

Grayda commented 8 years ago

I'll add that to the README, thanks!

Coincidentally, I finally managed to buy a Kepler from a dissatisfied backer, and it literally arrived yesterday, so I'm watching Terminator 2 on Netflix while staring down the barrel of some Kepler Wireshark dumps. I also watched the GearBest video last night, so coincidence indeed!

I can't get the app to connect to the Kepler, no matter what I do, but the device responds to commands I copied and repeated from the Wireshark dumps, so there's a good chance that once I get the format worked out (most of the message seems to be AES encrypted with a key stored somewhere in the app, I think), my code should be able to grab info from it.

hongkongkiwi commented 8 years ago

Ah nice! Really appreciate all the work you've done on this. I've been using a SmartThings Hub and it's quite straightforward to write drivers for it.

Was going to take your node module, make an API server for it and then create a SmartThings app to control all the functions that your module provides.

Thanks for pulling out the code into a separate node module.

Grayda commented 8 years ago

Until I started work on another project, I was working on a RESTful server (as part of the examples) that could be used with systems like that, but I didn't get too far with it, and planned to continue once I'd implemented promises in the code.

But just as a quick update, I managed to find the AES key in the app and can now decrypt messages. Naturally I won't be able to distribute the key, but it was very simple to find.

Now work can really commence :)

hongkongkiwi commented 8 years ago

Yes, Android apps are very easy to decompile.

Perhaps you could check the hash of the key in your code and make sure the key is correct or not that way. If it matches your pre-coded hash, then you can enable this module; otherwise throw an error.

That could be a legit way to check whether their entered key is the correct one.

hongkongkiwi commented 8 years ago

Where did you find the disgruntled Kepler customer?

Grayda commented 8 years ago

I managed to find him after doing a Google "search by image" on his Kickstarter avatar which, after much searching, led me to his deviantART page. Because I've been a long time member there too, I just messaged him and mentioned who I was, what I was doing and offered to buy the unit from him. Took many months to get the unit, as we were both busy and forgot what was going on, but I was in no real rush.

I also contacted several other Kickstarter backers by Googling their name, searching for their avatar, or trawling through their comments to see if they let slip an email address or other identifying info (such as where they lived, so I could Google their name + their city / country and narrow them down).

I went full private investigator on them, but nothing illegal. I also made sure to straight up say what I planned to use the unit for, and link to this repo.

Also, good point about the hash. I'll look into that :)
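
The key check suggested in this thread, sketched as an added example (it is not code from node-orvibo or from either commenter): the package ships only a SHA-256 digest and refuses to start unless the user-supplied key hashes to it. The names `parseKey`, `isExpectedKey`, `loadKey` and the demo key are hypothetical and constructed for illustration; the real key and its size are not given in the thread, so any valid AES key length is accepted.

```javascript
'use strict';
const crypto = require('crypto');

// Constructed demo key for this example only; NOT the vendor key.
const DEMO_KEY = Buffer.from('000102030405060708090a0b0c0d0e0f', 'hex');

// A package would ship only this digest as a hex literal. It is derived
// from the demo key here so that the example runs on its own.
const EXPECTED_SHA256 = crypto.createHash('sha256').update(DEMO_KEY).digest();

const AES_KEY_SIZES = [16, 24, 32]; // bytes: AES-128, AES-192, AES-256

// Accept a Buffer or a hex string; return a Buffer, or null if malformed.
function parseKey(input) {
  let key = null;
  if (Buffer.isBuffer(input)) {
    key = input;
  } else if (typeof input === 'string' && /^(?:[0-9a-fA-F]{2})+$/.test(input)) {
    key = Buffer.from(input, 'hex');
  }
  return key && AES_KEY_SIZES.includes(key.length) ? key : null;
}

// True only when SHA-256(key) equals the shipped digest.
function isExpectedKey(input, expected = EXPECTED_SHA256) {
  const key = parseKey(input);
  if (key === null) return false;
  const digest = crypto.createHash('sha256').update(key).digest();
  // Both buffers are 32 bytes, so timingSafeEqual cannot throw here.
  return crypto.timingSafeEqual(digest, expected);
}

// Gate module start-up on the check: return the key or throw.
function loadKey(input) {
  if (!isExpectedKey(input)) {
    throw new Error('Supplied key does not match the expected digest');
  }
  return parseKey(input);
}

console.log(isExpectedKey(DEMO_KEY.toString('hex')));
console.log(isExpectedKey('ff'.repeat(16)));
```

A published digest only confirms a key the user already has; if the key were short or guessable rather than random, an unsalted SHA-256 of it could be brute-forced offline, so the digest would then leak the key.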