aso824 / yeehack

Alternative way to control bluetooth Yeelock devices
Apache License 2.0

Alternative way of obtaining the sign key? #2

Closed ezcGman closed 2 years ago

ezcGman commented 2 years ago

First of all: Absolutely great work, thanks for this!! I'm also in the HA thread where this all started and found this there :)

One thing I'm wondering, and wanted to ask if you already looked into it, is if there is another way of obtaining the sign key which doesn't include entering the Yeelock account credentials. I was thinking it could maybe work with the QR code that comes with the lock, if the key is either in the QR or the QR gives an easy way to obtain it. But apparently the QR only has a link to a URL that doesn't work, neither with GET/PUT nor POST: https://mp.yeeloc.com/add?data=LHkpYE3dzcnaIQ5q. This is not the serial of the lock, so it's something else.

I tried around with Fiddler a bit to see which requests the app does, but I'm not too experienced with that and could not get anything out of it. Mostly because it's SSL, so you don't see what it does and if you try to let Fiddler decrypt it, you obviously run into a bad SSL chain and the app doesn't seem to make the call.

Wondering if you found out a bit more :)

Greetings,

Andy!

aso824 commented 2 years ago

Thanks :smile:

The sign key is stored on the Yeelock server and it seems that the app never stores it - the person with whom you would share your lock cannot just turn on airplane mode and still use the lock if you revoke permission. The QR code works in a similar way; the app still needs to contact the server.

If you feel unsafe about giving your credentials, dig into the code and execute the curl request manually: https://github.com/aso824/yeehack/blob/master/fetch.py

First, you need to get an access token using the OAuth flow, then you can call the GET endpoint to get the list of your locks.

Hope that it answers all your questions :+1: