elahd / esp2ino

OTA Third Party Firmware Flasher for the original Wyze Plug (WLPP1) and Wyze Bulb (WLPA19).
MIT License

error 3005:UnauthorizedOperation when using update command #16

Open amazingproducer opened 2 years ago

amazingproducer commented 2 years ago
INFO:root:Pushing firmware URL to device.
Traceback (most recent call last):
  File "wyze_updater.py", line 401, in <module>
    args.action(creds, args)
  File "wyze_updater.py", line 286, in update_devices
    push_update(creds, dev_info['product_model'], mac, url, md5)
  File "wyze_updater.py", line 164, in push_update
    return run_action(creds, model, "upgrade", mac, {"url": update_url, "md5": md5, "model": model})
  File "wyze_updater.py", line 158, in run_action
    return device_api(
  File "wyze_updater.py", line 141, in device_api
    raise RuntimeError('Request failed, error %s:%s' % (rsp['code'], rsp['msg']))
RuntimeError: Request failed, error 3005:UnauthorizedOperation

Is this Wyze denying my request? Information about my device:

Device type:      Light (WLPA19)
Firmware version: 1.2.0.106

amazingproducer commented 2 years ago

I'm using python3.8 and have not enabled MFA -- is MFA a requirement?

elahd commented 2 years ago

I see the same on my end. MFA isn't a requirement. It looks like Wyze changed their API in a way that breaks WyzeUpdater. I'll take a look today or tomorrow.

elahd commented 2 years ago

Yep, Wyze changed their API -- it looks like they're actually validating firmware upgrade requests against a list of approved URLs. There go the fruits of 100+ hours of my life 😭.

The upload request payload used to be:

{
   "action_params":{
      "model":"WLPP1",
      "url":"https:\/\/s3-us-west-2.amazonaws.com\/wuv2\/upgrade\/WLPP1\/firmware\/1.2.0.80a.bin",
      "md5":"b26317e115923f5975218aacbeceb92a"
   }
}

Now, it's:

{
   "action_params":{
      "model":"WLPP1",
      "url":"https:\/\/s3-us-west-2.amazonaws.com\/wuv2\/upgrade\/WLPP1\/firmware\/1.2.0.80a.bin",
      "md5":"b26317e115923f5975218aacbeceb92a",
      "firmware_ver":"1.2.0.80"
   }
}

If the URL field contains an unofficial firmware URL, the request runs long and the server returns a 500 error. The same happens if firmware_ver and url binary don't match. Wyze is probably keeping a table on their end with official URLs for each firmware version and is only passing through legit URLs.

There's one more approach that can be used to upgrade firmware OTA. Wyze manages devices using the AWS IoT framework and their devices don't validate server certificates (not validating seems to be common with these types of devices):

image

This means that Wyze plugs are probably susceptible to MITM attacks. They could be connected to a WiFi network created on, say, a Raspberry Pi, that routes AWS IoT traffic to a local, rogue AWS IoT server that feeds the device a custom firmware URL.

Regardless of approach, I don't have much free time right now and would have to hold off on finding a workaround. I'd be happy to help anyone willing to invest time into building a new loader. esp2ino should still work once loaded onto a device.
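
Added example, not part of the thread and not code from esp2ino, WyzeUpdater or Wyze: a sketch of the server-side check hypothesized in the comment above, where an upgrade request is relayed to the device only if its `url` and `md5` match an approved entry for the given `model` and `firmware_ver`. The table layout, function names and rejection strings are assumptions; the single table entry reuses the payload values quoted above.

```python
import json
from urllib.parse import urlsplit

# Constructed approval table keyed by (model, firmware_ver). The one entry
# reuses the values from the payload quoted above; the layout is an assumption.
APPROVED_FIRMWARE = {
    ("WLPP1", "1.2.0.80"): {
        "url": "https://s3-us-west-2.amazonaws.com/wuv2/upgrade/WLPP1/firmware/1.2.0.80a.bin",
        "md5": "b26317e115923f5975218aacbeceb92a",
    },
}


def canonical(url):
    """Return (host, path) for a plain https URL, or None for anything else."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if parts.scheme != "https" or parts.username or parts.password:
        return None  # no plain http, no user@host look-alikes
    if port not in (None, 443) or parts.query or parts.fragment:
        return None
    return (parts.hostname or "").rstrip("."), parts.path


def validate_upgrade(body):
    """Return None if the request may be relayed to the device, else a reason."""
    try:
        params = json.loads(body)["action_params"]
        fields = [params[k] for k in ("model", "firmware_ver", "url", "md5")]
    except (ValueError, KeyError, TypeError):
        return "malformed or missing field"
    if not all(isinstance(v, str) for v in fields):
        return "malformed or missing field"
    model, firmware_ver, url, md5 = fields
    approved = APPROVED_FIRMWARE.get((model, firmware_ver))
    if approved is None:
        return "unknown model/firmware_ver"
    if canonical(url) != canonical(approved["url"]):
        return "url not approved for this firmware_ver"
    if md5.lower() != approved["md5"]:
        return "md5 does not match approved image"
    return None
```

Because the decision is made entirely on the API server, a check like this applies to every device firmware version at once, which matches the behaviour reported later in the thread.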

tony-fav commented 2 years ago

Wow. I just got my starter kit bulbs and plugs completely flashed over last week. Glad I did. MITM definitely seems like the right approach for future work. Maybe even just a local DNS reroute of those URLs?

amazingproducer commented 2 years ago

Shucks. I guess for now, my Wyze bulbs will continue to languish, unused. The idea of asking a Seattle startup for permission every time I want to use my lights is disgusting.

testventure commented 2 years ago

Dang! I saw this same error and missed the window by just a couple days. Too bad. If only they'd make the bulbs friendlier to other hubs I'd stick with their stuff.

HclX commented 2 years ago

Can you downgrade the firmware?

elahd commented 2 years ago

@HclX Wyze is filtering requests via their API servers without involving individual devices. Device firmware is actually unchanged and this impacts all firmware versions.

Jsostmann commented 2 years ago

@elahd @HclX lol, after trying to flash a few plugs from a Linux and Windows machine and replicating this "Request failed, error 3005:UnauthorizedOperation", I had a bad feeling they had blocked off their APIs.

If you can open the plug up, I'm sure you can still manually flash it.

diogosalazar commented 1 year ago

Just attempted to flash my first device in order to move away from Wyze and ran into this error. Bummer.