tuya-cli list-app not working after updating app

[Apollon77]

It seems that with the most current Smartlife App 3.14.0 changes the way how communication works ... and so the sync process is dead (again)

Should we have a generic issue for this here or in one of the other repos/libs?

I'm currently collecting more infos and will post here

[Apollon77]

• The communication goes against /app.json on the tuya server
• parameter seems a bit different
• there is NO request with "tuya.m.my.group.device.list" anymore :-(
• postdata seems base64 encoded, but binary - so assumption is: encrypted with App key from App :-(
• response is also encoded and looks also base64 encoded, but encrypted ... like

{
    "result": "pqDJk2h+Pz3G07U9HTXEjx8dNL5SH+chwcbqm37WvTHmfXZ7ARkzIADC4RTQoy6Jr3JjCXXcu1wzyCBJJ04Dfcms/jXJPJ1Hx064Dx0Za/0rQlsCnmlS3Yb+xB9WXO5YYZy7AflPAeVaZMe0mmFXyji93EZuazx0SQOVW85Crl3GSm5Y5E+jNg7273pXKhFO6XuuWjR5Jg9mm6NA5dhFJOagYPwNMzghAI+vfl0jD5nmIo/xri32t0+00P/d+tl3+yiaUk/OzYTK3kyfe3moqclwpGBlHE/yY5vdBNnc2Nz9Iz+yW2RrVUXzoBafaiSm6dJBj9weRO4//yKq8mQImKRjClV1FyYUbFh+3BZXF2I9tnqZSHvhoLSmzIT1ZBE8turUDtb6PIcixV0yWnWT1wMTaLqfAR8rz98uo/QAh17yvbPHblhSd5dg6CpS/Z3lac5kdxbiHyWnwNvZkbkj+YfIuEpihOfwESV6wwFFWcYkChR+OGt9Y/IpMEvnjoyL7VdwA1PJNYUNsXvR+rP1O1y08VNhbZCQ0TDWqh7veDZ6+dquVCRqaap2rqRNFxLqYj4dLOiGUV6BfeunD5IjHoakmHEEcGw0rkwqsVGlLBkaPL+YAm32VxJ4Xm0tjPF3TBQbHQdNAcF34r4cAnyDB0okNV6qewSJ2YcO50lb41amt0CGibauX8aTEASRYOQPDhTv54MgFidw9EPE/R78M2VBOm2mJhbsavoW6zDPICcN7TXJkfVnMOjLXF7h9yhuub0ClVf8m7qso31tuEKY+RFGgwifC2/HGW++jctXtKvP0vdloQFj63sFXfydHXAsgp+p/+B8XCiSGUSIOaaKWOVHq70bgUK1tKTdS/fraF3JcKRgZRxP8mOb3QTZ3NjcwOvmnE4sQtVehPVmEydKz1JvFuW76luPJO2Hwn0ELJ+MIAFXlI7CYnNQjiU46SZyRdarVpaxt6RP9kKaJ9Bnc4wGoNubdCzMlqMyL1KKSNWVwdRlbcpUU97w1gwgvzC8UDjFQd3XCifC8Agn5kilrAgDV3mTZekTns/V29QcE4OnfZJaudh2ntTc8NYcK7X5XM0h+CrLhc9gIGDW5SF/jnKK0ljeaDijHC4x4hCWHr+VHKEjg9CXNJssqOvKgNVS7GmvJHkERWSMg/vs3qh+JKP41pvWpGDuSltgKly7UWCn5YhzlH0Uoqx10oT5ezA85DAd3oX7x2ugPox/M01X4ZkzLozu+QjeEJUCQMnysZI=",
    "t": 1577393623,
    "sign": "2c2be2d22ef9862aa1e6a066f0a59be4"
}

It seems that the Tuya App (which is still 3.13.x) still works ... but unknown how long

I also have reports from tests with older Android APK versions where the App was not able to login because too old. Users test further

@kueblc @codetheweb

[Apollon77]

I have a charles file ... send me email (github account) nd I send the file if interested ...

[kueblc]

Looks pretty similar to the new HTTP API we implemented in tuya-convert. Wonder what the AES key might be. Do you have a capture starting from registration?

[Apollon77]

Do you have a capture starting from registration?

May a login be enough too? Then I could capture it

[Apollon77]

Ok, it seems to be an app key ... I logged out and closed the app ... the next open started directly again with encrypted messages.

Here the data of the very first request of the app even before loging request:

time=1577397372&lang=de&deviceId=A547DB0A-5342-4321-AB1D-1AE046ABA4C2&et=0.0.2&osSystem=13.3&bundleId=com.tuya.smartlife&lon=0&channel=oem&appVersion=3.14.0&ttid=sdk_appstore@fvsrjwtvqs4wpuy8r9qd&os=IOS&v=2.0&sign=09f6b7aa916cb384707a196216c330fa79edc15fcca43d203b62ba13f1240292&platform=iPhone%208&postData=SAxbIIUq3Lcapdld284NnOJ6L%2FPRM%2FKNJ1T4W74kOUiEusLWOBqev5X9nmzuOFms&requestId=9A510BE5-078D-4D54-A215-6896197EB2E8&sdkVersion=3.14.1&timeZoneId=Europe%2FBerlin&lat=0&clientId=fvsrjwtvqs4wpuy8r9qd&a=tuya.m.app.ad.list&appRnVersion=5.21&

[codetheweb]

Interesting, it still works with the latest version of the TuyaSmart app on iOS.

I assume they're going to start rolling out this change to all whitelabeled apps, but it seems like they would've started with their own.

[Apollon77]

Version 3.12.6 on Android also seems to work ... 3.13.x interestingly not

[JustH4ppy]

Yes, i tried all last versions. I don‘t know why but I was not able to install the 3.13.x versions from Smart Life App, but 3.12.6 worked for me. Maybe somebody can try 3.13.x apk‘s on there Android device (I tried with MeMu)

[slomanl1]

Where do I get 3.12.6 version of SmartLife apk file? Link please.

[JustH4ppy]

@slomanl1 https://www.apkmirror.com/apk/tuya-inc/smart-life-smart-living/smart-life-smart-living-3-12-6-release/smart-life-smart-living-3-12-6-android-apk-download/

[spitfire4all]

Hi, 3-12-6 works for me. Thank you for quick reaktion.

Regards HDM

[jajajaime]

I am experiencing the same with the TuyaSmart app v3.14.0 :(

[JustH4ppy]

@jajajaime yep, Tuya App also got updated today. Only way atm is to use Smart Life or Tuya via apk at Version 3.12.6

[dutch2005]

And make sure to disable the feature to use mobile data if no internet via WiFi

I also had IPv6 enabled, had to disable the gateway address temporarly else it would not work (it would just go to tuya on the ipv6 address... (if this is not possible, try set-up a static IP-address instead of DHCP)

could possibly be worked around by using the FQDN (fullyqualified domain name) of the device displaying the QR-code but i didnt test that...)

[codetheweb]

Hey @kueblc: going by the API that you've been working with, do you think there's any hope of continuing to use the MITM method to retrieve device keys? If not, any ideas on the next best method?

[mazafra1]

Version 3.14 on iOS 13 does NOT work anymore.

[JustH4ppy]

@mazafra1 Version 3.14 was the reason why it‘s not working anymore. Use atm Android Simulator with Version 3.12.6 apk.

[Apollon77]

I think as soon as we find out what the aes key is we have a chance ...

[kueblc]

@codetheweb I wouldn't give up hope just yet, as @Apollon77 says we have a chance as long as the AES key is static or easily computed. We'll need more data, preferably pcaps along with app/account information.

[Apollon77]

Or disassemble the apk?! Maybe also in comparism to an older working version to know where to look at ...

But I have no Experience in how to do that :-(

[kueblc]

Certainly, I can do this, but it becomes a lot easier paired with operational data such as stored app data, (non-critical) user credentials, and network captures.

[FirstS0ul]

@HappyTeaFriend How did you do that? With MEmu ist doesn't work. i think of the emulated wifi card.

[JustH4ppy]

@FirstS0ul It works with MeMu, I testet it with it. Did you installed the right certificate etc? And did you use Version 3.12.16 as apk? (Not from Play Store)

[FirstS0ul]

@HappyTeaFriend oh okay. The app doesn't even start the discovery for my tuya device...

or can i add my lamp with the actual ios app, and login with my account on android?!

EDIT: LOL... That worked. Damit...

[juerg-schaerer]

I am new to this devices as I got them from Amazon today with the intent to flash them. As I received non ESPs this seems not to work. Nevertheless for Android there is an App in the Play Store called "STL Smart Home". It is dated 01.09.2019. I have been able to retrieve ID and KEY once installed CA Cert an enabled the Proxy. STL Smart Home also exists for IOS but I have not tested it. When pairing the plug then with "Smart Live" again it gets the same ID. Hope the KEY stays the same as well?

[Apollon77]

I would expect the key to change ...

[malcolmrbnsn]

My keys haven’t changed. My two lights whose keys I retrieved in an older version of TuyaSmart are still locally controllable.

[Apollon77]

My keys haven’t changed.

Also after repairing with a different app?

[kalety]

Hi!, the iOS app "Ucomen Home" still gets both id and key...

[farmdude]

It seems that with the most current Smartlife App 3.14.0 changes the way how communication works ... and so the sync process is dead (again)

Should we have a generic issue for this here or in one of the other repos/libs?

I'm currently collecting more infos and will post here

I just ran into the issue not working. My app was updated automatically a day ago. I was going to add some more devices to my Homebridge. But when I went to try and add them with this, it gives me an error message when I try and refresh the list in the tuya smart app.

[farmdude]

Interesting, it still works with the latest version of the TuyaSmart app on iOS.

I assume they're going to start rolling out this change to all whitelabeled apps, but it seems like they would've started with their own.

I tried it with the latest iOS update for tuya smart. I didn't realize that this was ever an issue. the app auto updated to the latest version. Now when I try to collect the key information because I was adding some more devices, I cannot do that anymore.

[farmdude]

tuya smart version 13.4.1

[JustH4ppy]

@farmdude yes, that‘s already known. Atm it‘s just possible with Tuya, Smart Life etc apk on Version 3.12.6 via Android device or Android Emulator on mac or Windows like Memu or Bluestacks.

[friartuck6000]

@codetheweb I wouldn't give up hope just yet, as @Apollon77 says we have a chance as long as the AES key is static or easily computed. We'll need more data, preferably pcaps along with app/account information.

I'm not sure how but I stumbled upon this:

https://docs.tuya.com/en/iot/open-api/message-service/message-service#Data%20signature

... the data is first BASE64 decoded, and then the middle 16 bits of the accessKey are used for AES decryption, thereby obtaining true device state data...

I'm super new to this scene, so I don't know that this API is related, but maybe there's a chance they're using the same algorithm? Even if they are though, not sure how to track down the accessKey a given app is using (iOS apps at least).

[farmdude]

@farmdude yes, that‘s already known. Atm it‘s just possible with Tuya, Smart Life etc apk on Version 3.12.6 via Android device or Android Emulator on mac or Windows like Memu or Bluestacks.

@HappyTeaFriend Would you have an apk of the 3.12.6? I installed MEMU and have tried to install Apks from various sites, but all it ever says is app not installed. I have unknown sources allowed and also allow it directly when trying to install. It does allow me to install the current version, but won't let me install anything previous even with the current uninstalled.

[Apollon77]

Please scroll up in this issue and you will already find a link.

[malcolmrbnsn]

@farmdude did the APK work for you? Installing old versions of both tuyaSmart and Smart Life APKs fail for me on rooted BlueStacks.

[farmdude]

Yes. I used memu and the apk mentioned and it worked perfect!

Sent from my iPhone

On Jan 13, 2020, at 12:36 AM, Malcolm Robinson notifications@github.com wrote:

 @farmdude did the APK work for you? Installing old versions of both tuyaSmart and Smart Life APKs fail for me on rooted BlueStacks.

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub, or unsubscribe.

[kalety]

Please, can you explain in detail the steps you follow?. For example, how to put de certificate, is I use emu in windows..... Thank you!

Enviado desde mi iPad

El 13 ene 2020, a las 12:08, farmdude notifications@github.com escribió:

Yes. I used memu and the apk mentioned and it worked perfect!

Sent from my iPhone

On Jan 13, 2020, at 12:36 AM, Malcolm Robinson notifications@github.com wrote:

 @farmdude did the APK work for you? Installing old versions of both tuyaSmart and Smart Life APKs fail for me on rooted BlueStacks.

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub, or unsubscribe. — You are receiving this because you commented. Reply to this email directly, view it on GitHub, or unsubscribe.

[odechr]

Download “STL Smart Home” (for Android) Make an account Add your device ONLY to this app first. Follow normal instruction to obtain your KEY and ID. Note this down. Delete the device from “STL Smart Home” Add your device to “Smart Life” APP.

This worked for me. As described earlier in some post here.

Update: Well, after trying both the stl app and the old version of smart life app I see that they return different keys for the same device. So I assume it's not that easy.

[Apollon77]

As assumed: a pairing process generated a new local key. In the end the question is how you want to control it afterwards - if only via other tools then apps then it is fine to have multiple apps ;-)

[odechr]

I will try later today and install the STL Smart home, get the key and leave those devices there while i ill try to add them to homey (smart hub).

Hopefully someone will be able to crack the code to snitch the key in the new version in the future :)

[codetheweb]

I spent a bit of time looking into this today.

1. I don't think sniffing traffic will be a good solution anymore, even assuming we can properly decrypt the traffic. It's trivial for Tuya to change the key whenever they want and make us repeat the entire process of obtaining the key again. Additionally, the legality of including such a key in the CLI tool's source code is questionable at best.
2. I think the best solution going forward will be to use the link module that TuyAPI provides. The main downside is that after devices are registered using it, they cannot be controlled using official apps. So, for example, the official Tuya HA module and TuyAPI could not be used at the same time.

That being said, the link module as included in the CLI package isn't currently working because of changes Tuya has made to their cloud API offerings. I'll try to work on it this weekend and see what changes need to be made.

[kalety]

We wait it!, thousands os thanks MAX!

[Apollon77]

But the link idea also needs more stuff from the users to be done. But yes. The encryption stuff is really bad for our approach. :-(

[Bablakeluke]

@codetheweb By injecting some code into the smart life app I've managed to successfully get the device list with localKey's by using its code API (it's sending "s.m.dev.list" now). Could potentially wrap it up in a public rest API which tuya-cli then uses or something. Super experimental at this point though!

[Bablakeluke]

The AES encryption key is based on some static values in the app and the request ID, with its actual generation being handled by native code (specifically libjnimain.so in the Android apk - the same as the signature stuff). They've gone to extensive lengths to hide it, so I'd certainly agree they'll just change it as soon as they see an implementation pop up online. So much for the open smart home. But anyway, this is also new in the latest version - the certs are being pinned, but only in the tuya app itself - not 3rd parties:

if (context != null && "com.tuya.smart".equals(context.getPackageName())) {
            CertificatePinner createPinner = new TuyaCertificatePinner().createPinner();
            if (createPinner != null) {
                L.i(TAG, "builder.certificatePinner");
                builder.certificatePinner(createPinner);
            } else {
                L.i(TAG, "builder do not set certificatePinner!");
            }
        }

The accepted cert list is a .json file in the app resources - here's the top chunk of it:

[
  {
    "domain": "a1.tuyacn.com",
    "certs": [
      {
        "eTime": 1602142278,
        "sha256": "fd2910b0f61f3932b572a16ba15927cb768f4728d7c4d54d70838a11e51c87ae",
        "ver": "sha256/YhNNie7EoILoelAxSWD9rlGeQCILjsfs4E1RaoC1x90="
      },
      {
        "eTime": 1935558000,
        "sha256": "973a41276ffd01e027a2aad49e34c37846d3e976ff6a620b6712e33832041aa6",
        "ver": "sha256/8Rw90Ej3Ttt8RRkrg+WYDS9n7IS03bk5bjP/UXPtaY8="
      },
...

The if (createPinner != null) { check is useful though - the pinner is null if the json file is empty, so just deleting it turns the pinning off.

[Apollon77]

But this seems to be SSL certificate pinning ... then it becomes even more problematic :-( SO basiclly they added in the last versions that the payload itself got encrypted, that they can require the app to be up to date for uers to use (to allow faster change of certs maybe) and cert pinning for the ssl certs itself ... hm ... bad

[botti007]

i was wondering also if in the discovery mode of smartconfig the aes key is modified. so can anyone help how can we extract it again an other question what does the two keys fixed_key.bmp and t_s.bmp ????

[kueblc]

Nice work @Bablakeluke

@botti007 https://github.com/nalajcie/tuya-sign-hacking