atc1441 / atc1441.github.io


integration into Tasmota #7

Open btsimonh opened 3 years ago

btsimonh commented 3 years ago

Hi ATC1441, I've been working hard on BLE in Tasmota ESP32, and had an idea about getting the keys for the sensors... From reading your web source, you can obtain the key without reference to the MI website?....

So. As Tasmota is memory constrained, we could detect if a sensor is not yet Activated (or not activated with a known key), and provide a link to a page (here or in the Tasmota github), and the query string could indicate a Tasmota URL (to the specific local device) to set the key against the MAC.

i.e. the user would see his sensor appear in tasmota with a 'pair' link (only when key is unavailable/not working). When clicked, this link would take them to a variation of your code, telling it the MAC which you want to Activate, and then once the activation is done, would call back to Tasmota with the required key?

Does this sound possible?

br, Simon

atc1441 commented 3 years ago

Hey.

The key is generated actively while connected to the thermometer, it is a random key but with handshake, so it's not possible to just calculate a new one from the MAC. Also the timing is important: it has to be activated directly, otherwise the thermometer goes into timeout.

btsimonh commented 3 years ago

yep, proposing to send the MAC so the page knows to filter to that specific one :). Relying on the PC doing the activation being in range of the same sensor.... so exactly what you do - just delivering the key to where it is needed directly. The only user interaction needed should be to give permission in the browser?

love the code - must have taken some determination to work out what to do!

just ordered two on Amazon; I have earlier non-encrypted models, but need to diagnose a BLE crash in tasmota on this sensor anyway.

atc1441 commented 3 years ago

Ok got what you meant.

Filtering should be easy with a simple http argument. Extracting the key could be done via an iframe

And yes that was the hardest AES encryption I ever "hacked"

btsimonh commented 3 years ago

I'll get my crash sorted, and come back to you with a proposal in a week or so :)

btsimonh commented 3 years ago

hi atc1441, odd question: Is there any indication that these MI devices could forward advertisements received? It seems strange that the ads would contain the MAC in the service data, and there is reportedly a 'mesh' flag in the header bytes?

atc1441 commented 3 years ago

Hey. In general this is possible and the TLSR8251 also has it advertised as a feature, so I am not sure.

The only thing that speaks against it is the battery; I am not sure if a mesh is a good idea on battery powered devices as they would need to listen all the time for the data.

Maybe there are different devices that can do it and they use the protocol.

Also when including the mac in the advertising it is simpler to parse that data, no need to handle where it is from.

btsimonh commented 3 years ago

hi atc1441,

ok, I now have a Tasmota which puts up a link when the sensor is encrypted, and we don't have a key. the link is currently: https://atc1441.github.io/TelinkFlasher.html?mac=A4C1387FC1E1&cb=http%3A%2F%2F192.168.1.212%2Fmikey and it can take a callback by navigating to (the address in 'cb' plus query string with key and mac): http://192.168.1.212/mikey?key=c18844d4b0c71fde41166465127c4728&mac=A4C1386A1E24

so, before I embark on a modified version of the flasher html, I note the comment

enable-experimental-web-platform-features may be needed to read MAC

Do you think it is possible to almost completely automate the procedure?

br, Simon

p.s. hoverboards? - haha! I was going to say 'look up bipropellant' - but I see you already use it - the project I started :).
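The link-and-callback scheme described above, as an added example in plain JavaScript (not code from TelinkFlasher.html or Tasmota): it parses the `mac` and `cb` query parameters, and only builds the callback URL when `cb` points at a private-network http address. That allowed-host rule is an assumption added here, so a crafted link cannot redirect the extracted key to an arbitrary host; the MAC and key values below are the ones quoted in the comment.

```javascript
// Added example, not the flasher page's own code: validate the ?mac=&cb=
// parameters and build the callback URL that carries the key back to Tasmota.
const MAC_RE = /^[0-9A-Fa-f]{12}$/;   // MAC as 12 hex digits, no separators
const KEY_RE = /^[0-9A-Fa-f]{32}$/;   // 128-bit AES key as 32 hex digits

// Assumption: a local Tasmota device lives on an RFC 1918 IPv4 address.
function isPrivateIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  const octets = m.slice(1).map(Number);
  if (octets.some((o) => o > 255)) return false;
  const [a, b] = octets;
  return a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// Returns { mac, cb } from the flasher page URL, or throws on bad input.
function parseFlasherParams(pageUrl) {
  const params = new URL(pageUrl).searchParams;
  const mac = (params.get('mac') || '').toUpperCase();
  if (!MAC_RE.test(mac)) throw new Error('mac must be 12 hex digits');
  let cb;
  try {
    cb = new URL(params.get('cb') || '');
  } catch (e) {
    throw new Error('cb is not a valid URL');
  }
  // Refuse to hand the key to anything but a plain-http private address.
  if (cb.protocol !== 'http:' || !isPrivateIPv4(cb.hostname)) {
    throw new Error('cb must point to a private-network http address');
  }
  return { mac, cb: cb.href };
}

// Builds the URL the page navigates to once the key has been read from the sensor.
function buildCallbackUrl(cb, key, mac) {
  if (!KEY_RE.test(key)) throw new Error('key must be 32 hex digits');
  if (!MAC_RE.test(mac)) throw new Error('mac must be 12 hex digits');
  const url = new URL(cb);
  url.searchParams.set('key', key.toLowerCase());
  url.searchParams.set('mac', mac.toUpperCase());
  return url.href;
}
```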

atc1441 commented 3 years ago

Hey, that looks like a good way to get into TelinkFlasher and back out of it; what is still needed from the user is to click on the correct BLE device in the search selector, as for security reasons that can not be automated.

And yes, the MAC problem may still be there :-/ I tried to get the MAC somehow but it was not possible to pull it into JavaScript without experimental features enabled.

it looks like WebBluetooth does not really plan to activate the Mac feature as most devices these days use fake MACs to prevent tracking.

So it would be possible to click on the Telink flasher link, it will open the BLE device search on its own and the user has to click on the correct one, then it will activate it on its own and go back to Tasmota with the new key.

To the hoverboard, yes the bipropellant firmware was just the most advanced of them all :) I think we even wrote already on that because I made an Arduino version of the protocol side to use it there, but I don't know for sure anymore, it's a bit longer ago :D too many projects in between. ... found it https://github.com/bipropellant/bipropellant-hoverboard-firmware/issues/57#issuecomment-507134302 and here https://github.com/bipropellant/bipropellant-hoverboard-firmware/issues/36 :)

Have a great day.

btsimonh commented 3 years ago

I was looking for an Arduino-compatible lib for phail's esp32 code.. so will look at yours (& add as a private driver in tasmota...!!!).

We MAY be able to have the user connect, and then wait for an advert - because they contain the MAC!

Will have a think & a play with your HTML, and let you know how it goes.

br, s

atc1441 commented 3 years ago

The problem with the advertising will be that it's not really possible to listen for them in WebBluetooth either :-/

btsimonh commented 3 years ago

my first attempt: https://github.com/btsimonh/atc1441.github.io

you can see it in operation here with a query string: https://btsimonh.github.io/atc1441.github.io/TelinkFlasherTasmota.html?mac=A4C1387FC1E1&cb=http%3A%2F%2F192.168.1.212%2Fmikey

I have not tested the flashing yet. May be good to have some links to 'known' firmwares, and even a link to 'restore original'.

btsimonh commented 3 years ago

Q: the name is not writable. Would the hardware be capable of storing a name change?