fdurand / mysa-thermostats

Mysa thermostats stuff
GNU General Public License v2.0

Very interesting - are there other APIs #1

Open drinkwater99 opened 3 years ago

drinkwater99 commented 3 years ago

Other than https://app-prod.mysa.cloud/users/readingsForUser, do you know what other APIs are possible? For example, to set the thermostat SetPoint.

fdurand commented 3 years ago

It's a little bit more complex: to set the temperature I need to use MQTT, but I wasn't able to make it work (unable to sign the request). Right now I am just able to fetch the current temperature of the thermostat. I will make another try with https://docs.aws.amazon.com/sdk-for-go/api/service/iot/

drinkwater99 commented 3 years ago

> It's a little bit more complex: to set the temperature I need to use MQTT, but I wasn't able to make it work (unable to sign the request). Right now I am just able to fetch the current temperature of the thermostat. I will make another try with https://docs.aws.amazon.com/sdk-for-go/api/service/iot/

Cool, if you can (and if you want), please let me know if you make any progress on that. I am curious, how did you find out what the pool id and client id values are, and also the readingsForUser API URL?

fdurand commented 3 years ago

I decrypted the SSL traffic with mitmproxy (a rooted phone, a modified Mysa Android app and a PPTP connection to my laptop). If you are interested in how to do it, I can add a file in this repository to explain the steps.

drinkwater99 commented 3 years ago

Yes, I would be very interested about the steps to do that.

FYI, based on your code, I was able to do the same in .NET Core:

https://github.com/drinkwater99/MySa

fdurand commented 3 years ago

Procedure uploaded. Let me know if it works on your side.

drinkwater99 commented 3 years ago

> Procedure uploaded. Let me know if it works on your side.

Thanks for the steps!

I followed the first steps which you indicated to download, modify, recreate and sign the apk. There was no existing network_security_config.xml in the /res/xml/ folder so I added it and added a reference to it in the AndroidManifest.xml file. I then installed the apk on an old Android phone running 4.4 and was able to intercept communication using the Fiddler proxy app. I can now see all decrypted communication (I see there are many more endpoints at app-prod.mysa.cloud).

Seems like for the SetPoint there is a WebSocket that is established using the MQTT protocol (as you mentioned).

fdurand commented 3 years ago

Yes, and my issue is just that I am not able to sign it. I tried multiple ways to sign the MQTT request https://github.com/fdurand/mysa-thermostats/blob/master/main.go#L240 but it always failed and triggered an error.

Maybe you will be luckier than me.

drinkwater99 commented 3 years ago

I will fiddle with it and let you know if I make any progress, but like you said, I have a feeling it won't be easy...

fdurand commented 3 years ago

Here is the response when I try to do MQTT:

{"message":"The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.","traceId":"...."}

I believe that I am missing the "AWS Secret Access Key", which is probably somewhere in the apk.
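For reference, an added example (not part of the original comment and not code from this repository) of how AWS documents building a SigV4 query-signed URL for MQTT over WebSocket; the error quoted above is returned when the server's recomputation of this signature differs. The helper name `PresignIoTWebSocket`, the endpoint host, region and credential values are constructed placeholders, and the example assumes temporary credentials (access key, secret key, session token) are already in hand.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net/url"
	"time"
)

func hmacSHA256(key []byte, msg string) []byte {
	h := hmac.New(sha256.New, key)
	h.Write([]byte(msg))
	return h.Sum(nil)
}
func sha256Hex(s string) string {
	sum := sha256.Sum256([]byte(s))
	return hex.EncodeToString(sum[:])
}

// PresignIoTWebSocket (hypothetical helper) returns a SigV4 query-signed URL
// for MQTT over WebSocket. All argument values used in main are constructed.
func PresignIoTWebSocket(host, region, accessKey, secretKey, sessionToken string, now time.Time) string {
	const service = "iotdevicegateway"
	amzDate := now.UTC().Format("20060102T150405Z")
	scope := amzDate[:8] + "/" + region + "/" + service + "/aws4_request"
	// Canonical query: keys in sorted order, values URI-encoded.
	query := "X-Amz-Algorithm=AWS4-HMAC-SHA256" +
		"&X-Amz-Credential=" + url.QueryEscape(accessKey+"/"+scope) +
		"&X-Amz-Date=" + amzDate + "&X-Amz-SignedHeaders=host"
	// Only the host header is signed; the payload is the empty string.
	canonical := "GET\n/mqtt\n" + query + "\nhost:" + host + "\n\nhost\n" + sha256Hex("")
	toSign := "AWS4-HMAC-SHA256\n" + amzDate + "\n" + scope + "\n" + sha256Hex(canonical)
	// Derive the signing key: date, region, service, then the fixed terminator.
	key := hmacSHA256([]byte("AWS4"+secretKey), amzDate[:8])
	for _, part := range []string{region, service, "aws4_request"} {
		key = hmacSHA256(key, part)
	}
	signed := "wss://" + host + "/mqtt?" + query +
		"&X-Amz-Signature=" + hex.EncodeToString(hmacSHA256(key, toSign))
	// The session token of temporary credentials is appended after signing.
	if sessionToken != "" {
		signed += "&X-Amz-Security-Token=" + url.QueryEscape(sessionToken)
	}
	return signed
}

func main() {
	now := time.Date(2021, 1, 1, 0, 0, 0, 0, time.UTC) // fixed time, repeatable output
	fmt.Println(PresignIoTWebSocket("example-ats.iot.us-east-1.amazonaws.com", "us-east-1", "AKIDEXAMPLE", "constructed-secret", "constructed/token+=", now))
}
```

A mismatch in any signed input (host, region, service name, timestamp, or the key derivation order) changes the signature and produces the "does not match" response.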

drinkwater99 commented 3 years ago

No luck on my end either :(