Great project! Exactly what I was looking for. I have a Yeelight RGBW with an updated firmware and noticed that indeed the token in the "Hello" packet is missing. I did manage to extract the device token from the Yeelight Android app and was then able to decrypt the packets.
To extract the token you need to access the app's private files. If your phone is rooted you can just find the file miot.xml with a root file explorer in the app's private directory. If your phone is not rooted you need to backup the app's files using adb like so:
adb backup '-noapk com.yeelight.cherry' -f /your/local/path/yeelight.ab
The .ab file is pretty well documented and there are many extractors for it. I personally used this simple python method: http://stackoverflow.com/questions/29055634/python-unpack-android-backup
After extracting the tar file open the following XML file:
./apps/com.yeelight.cherry/sp/miot.xml
This XML file contains a set element called deviceList and inside it you will find an HTML escaped JSON string for your device. This JSON contains a token value with your device token encoded as a simple 16 byte hexadecimal string. You can use this token to decrypt the MiHome binary protocol packets sent from the phone to the Xiaomi device.
This file may also be useful for decrypting the Xiaomi cloud protocol since it contains some interesting values about the Xiaomi user like mMacAlgorithm and mMacKey.
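An added example, not code from the original comment or from the project, that walks the steps above end to end: it builds a constructed, unencrypted .ab file around a made-up miot.xml, strips the backup header, inflates the zlib-compressed tar, then reads the deviceList set and validates each token as 16 bytes of hex. The device JSON keys other than token (did, name), the placeholder token value and the version-1 .ab header layout are assumptions.

```python
import html
import io
import json
import tarfile
import zlib
import xml.etree.ElementTree as ET

# Constructed sample of the SharedPreferences file described above. Only the
# "token" key is documented; "did"/"name" and the token value are placeholders.
SAMPLE_MIOT_XML = b"""<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <set name="deviceList">
        <string>{&quot;did&quot;:&quot;EXAMPLE-DID&quot;,&quot;name&quot;:&quot;Yeelight RGBW&quot;,&quot;token&quot;:&quot;00112233445566778899aabbccddeeff&quot;}</string>
    </set>
</map>
"""
MIOT_PATH = "apps/com.yeelight.cherry/sp/miot.xml"


def make_sample_backup() -> bytes:
    """Wrap the sample XML in an unencrypted, zlib-compressed .ab (assumed v1 header layout)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo(MIOT_PATH)
        info.size = len(SAMPLE_MIOT_XML)
        tar.addfile(info, io.BytesIO(SAMPLE_MIOT_XML))
    header = b"ANDROID BACKUP\n1\n1\nnone\n"  # magic, version, compressed=1, encryption=none
    return header + zlib.compress(buf.getvalue())


def unpack_backup(ab_bytes: bytes) -> tarfile.TarFile:
    """Parse the four header lines, refuse encrypted backups, inflate the tar body."""
    magic, _version, compressed, encryption, body = ab_bytes.split(b"\n", 4)
    if magic != b"ANDROID BACKUP":
        raise ValueError("not an Android backup file")
    if encryption != b"none":
        raise ValueError("encrypted backup: decrypt with the backup password first")
    data = zlib.decompress(body) if compressed == b"1" else body
    return tarfile.open(fileobj=io.BytesIO(data), mode="r")


def extract_tokens(ab_bytes: bytes) -> dict:
    """Return {did: token} for every entry in the deviceList set of miot.xml."""
    with unpack_backup(ab_bytes) as tar:
        root = ET.fromstring(tar.extractfile(MIOT_PATH).read())
    tokens = {}
    for entry in root.findall("./set[@name='deviceList']/string"):
        # ElementTree already decodes &quot;; html.unescape guards against double escaping.
        dev = json.loads(html.unescape(entry.text or ""))
        token = dev["token"]
        if len(bytes.fromhex(token)) != 16:  # the token must be 16 raw bytes (32 hex digits)
            raise ValueError(f"unexpected token length for device {dev.get('did')}")
        tokens[dev.get("did", "?")] = token
    return tokens
```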