home-assistant / core


Red RM Mini 3 does not work #30215

Closed tota-5 closed 4 years ago

tota-5 commented 4 years ago

The different (I don't know if it's new or not) RM Mini colored red does not work with the broadlink component.

I used broadlink_cli to try to get it into learning mode and got the following:

AttributeError: device instance has no attribute 'enter_learning'

In Home Assistant, the commands just don't execute on the device, although the buttons go from on to off normally.

The firmware on this is 44057 Model: RM mini 3 FCC ID: 2ACDZ-RMMINI3-RM

On intelligent home center app from broadlink, the devices work as intended. It has no firmware upgrades available for it. On e-control app, it shows as unrecognized device, but shows.

Using Broadlink Manager gives the following: [screenshot]

It seems that even though it looks like exactly the same model, it operates differently and has a different model number and API to authenticate and receive learn and send signals.

jhonathas commented 4 years ago

I don't know if it helps, but for me, in the version that Broadlink doesn't work with HA (44057), it also doesn't work with Broadlink Manager. Broadlink that runs with HA (44059) also works in Broadlink Manager.

dennisadvani commented 4 years ago

Hey @jhonathas, when you say 44059 works in HA, can you set up the RM Mini 3 as a switch and send and learn codes using Home Assistant natively?

jhonathas commented 4 years ago

Only code sending works. The learn part does not work on any version.

dennisadvani commented 4 years ago

Strange, I did have an option to upgrade a few weeks ago but I held off to avoid adding variables to the work being done in this thread but I don't seem to have the option anymore. 44057 seems to be the latest version according to both the Broadlink and IHC apps. What's everyone else finding?

CC: @jhonathas

jhonathas commented 4 years ago

@dennisadvani I wish I had the option to update because my last version is 44057, and the 3 broadlinks that I have in this version, don't work. Since what I have in version 44059 can control the devices, the learning mode just doesn't work.

felipediel commented 4 years ago

Hi guys. I just packaged the tools I've developed to hack the Broadlink protocol. They still don't have documentation, but I left some examples for you to understand how they work. Now you can easily decrypt, filter and analyze the messages exchanged by the device, whether they come from Wireshark or the debugging tool that I have already made available. Make good use of it and I hope someone can come up with a solution.

felipediel commented 4 years ago

Some clues to solve 0x5f36's problem:

The best way to solve this problem is to access a COMMAND_REQUEST from the official app and understand what is going on.

chemelli74 commented 4 years ago

@felipediel, I have wireshark on board of my Fritzbox router, so maybe I can help. Let me know what I can do and I'll go for it.

My device (info from mobile app):

Model:      RM MINI 3
FCC ID:     2ACDZ-RMMINI3-RM
Company:    Hangzhou Gubei Electronics Technology Co. Ltd.
Made:       China

PID:        3727
IoT Cloud:  10.197.219.180
Firmware:   v44057
Data Cloud: China
SDK:        2.13

One more info: Broadlink Manager was not working until I did a reset and reconfigured the device with the oldest app, E-Control.

Simone

felipediel commented 4 years ago

@chemelli74 Sure, any capture from the official app is welcome now. Just make sure to run this file and send me the debug.txt so I can intercept the key and decrypt the packets.

felipediel commented 4 years ago

I have decrypted, filtered and tabulated all the captures we have done so far. If anyone wants to take a look, it's all here, including the test files. Maybe with more people looking at the problem we will be able to solve it faster.

We still need a capture in which the device is being controlled locally by the official app. I was unable to decrypt @Siytek's captures because there is a cloud in the middle, so I need to intercept his key in another way (debug.txt). I was also unable to decrypt @dennisadvani's captures because the router scrambled the data.

Siytek commented 4 years ago

Been away for a couple of days but finally got round to it! Hope there is something useful in there for you @felipediel

debug4.txt

felipediel commented 4 years ago

@Siytek This debug comes from test_solution4.py. I need a debug coming from this file.

Siytek commented 4 years ago

> @Siytek This debug comes from test_solution4.py. I need a debug coming from this file.

Ahh ok @felipediel, I just ran it and you can grab the output here.

dennisadvani commented 4 years ago

Hey @felipediel, I had another go at the packet capture, this time with wireshark's monitor mode to capture packets. The RM Mini 3's MAC ends with 3e:ba and I was using IHC to send commands. Link to the capture here.

chemelli74 commented 4 years ago

> @chemelli74 Sure, any capture from the official app is welcome now. Just make sure to run this file and send me the debug.txt so I can intercept the key and decrypt the packets.

Which of the 3 official apps do you want me to use?

Simone

felipediel commented 4 years ago

@dennisadvani Scrambled :( How about running the app on BlueStacks?

@Siytek I couldn't extract your key because your device failed to authenticate. But I found something interesting that confirms my first hypothesis.

So the last byte is evil and we need to get rid of it. If this byte is set, your device won't authenticate locally. My guess is that when you add the device to the new Broadlink App and select a cloud, your device loses its local capabilities and this byte is set. The only way to roll back the process is by resetting the device and doing the workaround proposed by @QuadrifoglioVerde.

Would you mind confirming it by doing the workaround and running the debug tool again?

@chemelli74 Preferably e-Control app running on BlueStacks.

Siytek commented 4 years ago

> @dennisadvani Scrambled :( How about running the app on BlueStacks?
>
> @Siytek I couldn't extract your key because your device failed to authenticate. But I found something interesting that confirms my first hypothesis.
>
>   • Here is a HELLO_RESPONSE coming from @bbreton09's device. Last byte is zero and bytes 48 to 51 carry some information. This device authenticated successfully.
>   • Here is a HELLO_RESPONSE coming from your device. Same device, same firmware, but check the last byte. Last byte is set and bytes 48 to 51 are empty. This device failed to authenticate.
>
> So the last byte is evil and we need to get rid of it. If this byte is set, your device won't authenticate locally. My guess is that when you add the device to the new Broadlink App and select a cloud, your device loses its local capabilities and this byte is set. The only way to roll back the process is by resetting the device and doing the workaround proposed by @QuadrifoglioVerde.
>
> Would you mind confirming it by doing the workaround and running the debug tool again?
>
> @chemelli74 Preferably e-Control app running on BlueStacks.

Very interesting @felipediel! I can confirm that resetting the device back to AP pairing mode and then using Broadlink Manager to configure it gave me a debug file with successful authentication. Let me know what you think, grab the file here.

felipediel commented 4 years ago

Great! The authentication problem is solved. Now we need to send a COMMAND_REQUEST that works.

I was unable to decrypt your captures with your local key. The cloud is triangulating the authentication, so the keys are different. But one thing I noticed is that the payload of the COMMAND_REQUEST is half the size of the payload being sent by the API.

So let's play with CBC mode padding algorithm again. Here's the test file.

bbreton09 commented 4 years ago

Hi, my debug for the test solution 5. No blink led.

debug-test_solution5.txt

dennisadvani commented 4 years ago

Hey @felipediel, I was able to get the Broadlink apps working in BlueStacks but unfortunately BlueStacks creates a NAT network of its own preventing it from properly communicating directly with the RM Mini 3. It can talk to the internet, just not to the device. Couldn't find a way to bridge the network.

[screenshot]

Siytek commented 4 years ago

@felipediel glad it helped but sadly not surprising that the cloud is triangulating the key as my device ceases to function even with the official app when I disconnect the internet.

Here's my latest debug output: debug5.txt

I did some reading and am wondering if I can capture the triangulated key with a Kali Linux based router setup on a RPi. If I successfully captured the traffic between the RM Mini and the cloud by running Wireshark on the router, would the dump give you what you need?

@dennisadvani if you have an iOS device you can use rvictl with Wireshark to capture the traffic on the iOS device (running Broadlink app) - it's Mac based but I found this for windows/linux

felipediel commented 4 years ago

> @felipediel glad it helped but sadly not surprising that the cloud is triangulating the key as my device ceases to function even with the official app when I disconnect the internet.
>
> Here's my latest debug output: debug5.txt
>
> I did some reading and am wondering if I can capture the triangulated key with a Kali Linux based router setup on a RPi. If I successfully captured the traffic between the RM Mini and the cloud by running Wireshark on the router, would the dump give you what you need?

I don't think I would be able to decrypt those messages, since the cloud controls the keys. It would be more difficult to trick her into handing over the key, which is the method I am using for local communications.

Let's wait for @dennisadvani, maybe he can capture a local communication.

> @dennisadvani if you have an iOS device you can use rvictl with Wireshark to capture the traffic on the iOS device (running Broadlink app) - it's Mac based but I found this for windows/linux

I can confirm that the second option works gracefully on Windows. If you are using Linux Mint, however, you will have a hard time installing libimobiledevice, as this distribution uses another library for interacting with iOS and libimobiledevice is not available in the default repository.

felipediel commented 4 years ago

I discarded previous tests that did not pass the authentication step and I created a new test with things that may be worth testing again. Hope it works.

Siytek commented 4 years ago

> I discarded previous tests that did not pass the authentication step and I created a new test with things that may be worth testing again. Hope it works.

Still nothing from the elusive white LED... debug6.txt

felipediel commented 4 years ago

Okay, I just found something interesting.

This is the payload of the COMMAND_REQUEST being sent by the API:

>>> payload = b'\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'

This is the payload checksum:

>>> checksum = bytes([0xb2, 0xbe])

Let's convert it to integer as little endian:

>>> checksum = int.from_bytes(checksum, 'little')

Then we subtract the magic number 0xbeaf:

>>> checksum = checksum - 0xbeaf

The result is 3, which matches the sum of the payload.

>>> checksum
3
>>> checksum == sum(payload)
True

This is the payload checksum of the COMMAND_REQUEST being sent by the official app:

>>> checksum = bytes([0xb4, 0xbe])

Now let's repeat the above process. The result is 5. So there are only two extra bits that we need to find out their position. The payload could be in this list, for example:

>>> some_possibilities = [
    b'\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00',
    b'\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x01',
    b'\x05\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
]

So we can use brute force to find out the right combination. There are only 15504 ways to group 5 bits in 16 places. I am creating a program that will take at most 4h18 to find the answer. I will keep you informed.
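As an added illustration of the checksum arithmetic above (this is my own code, not felipediel's script or the python-broadlink library), the functions below reproduce the 0xbeaf-plus-byte-sum checksum and enumerate every 16-byte payload a given checksum could stand for; masking the field to 16 bits is my assumption for sums that would overflow.

```python
from itertools import combinations
from math import comb

MAGIC = 0xBEAF  # the constant the thread subtracts from the checksum field


def payload_checksum(payload: bytes) -> bytes:
    """Checksum field as the thread describes it: 0xbeaf plus the byte sum of
    the payload, encoded as two little-endian bytes.  Masking to 16 bits for
    sums that would overflow is an assumption, not something the thread shows."""
    return ((MAGIC + sum(payload)) & 0xFFFF).to_bytes(2, "little")


def checksum_to_sum(checksum: bytes) -> int:
    """Invert payload_checksum: the byte sum the checksum field commits to."""
    return (int.from_bytes(checksum, "little") - MAGIC) & 0xFFFF


def checksum_matches(payload: bytes, checksum: bytes) -> bool:
    """True when the checksum field is consistent with the payload."""
    return payload_checksum(payload) == checksum


def candidate_count(total: int, length: int = 16) -> int:
    """Number of length-byte payloads whose bytes add up to total (stars and bars)."""
    return comb(total + length - 1, length - 1)


def candidate_payloads(total: int, length: int = 16):
    """Yield every length-byte payload whose bytes sum to total, i.e. every
    payload a given checksum could stand for.  Each choice of length-1 'bar'
    positions among total+length-1 slots fixes exactly one payload."""
    slots = total + length - 1
    for bars in combinations(range(slots), length - 1):
        values, prev = [], -1
        for bar in bars:
            values.append(bar - prev - 1)  # bytes between consecutive bars
            prev = bar
        values.append(slots - prev - 1)    # bytes after the last bar
        yield bytes(values)


if __name__ == "__main__":
    # Values quoted in the thread: API payload 0x03 + 15 zero bytes -> b2 be;
    # the official app's checksum field b4 be -> byte sum 5.
    api_payload = b"\x03" + b"\x00" * 15
    print(payload_checksum(api_payload).hex())   # b2be
    print(checksum_to_sum(bytes([0xB4, 0xBE])))  # 5
    print(candidate_count(5))                     # 15504
```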

dennisadvani commented 4 years ago

Hey @felipediel, @Siytek, Good news, managed to get a clean capture directly. You can find it here. I used the Broadlink app to send commands to a 44057 based RM Mini 3. In the end I used the Memu emulator which supports bridge mode networking. Let me know if you need any other captures.

Edit: Forgot to mention that the emulator and RM Mini 3 didn't have access to the internet but I temporarily provided internet to the emulator to login and configure a remote in Broadlink.

Siytek commented 4 years ago

@felipediel @dennisadvani some great progress!

More than happy to run the brute force on my Linux server when it’s ready.

felipediel commented 4 years ago

@dennisadvani Great! Captures are very clean. I'm gonna try to decrypt them right now. I don't know if I am happy or sad, because I was really excited about a brute force script that I just finished. Well, maybe if I can't decrypt your messages it will serve as a last resource.

felipediel commented 4 years ago

@dennisadvani I don't have your key on my files. Please run this file and send me the debug.txt. The evil byte must be disabled.

dennisadvani commented 4 years ago

Here you go @felipediel.

felipediel commented 4 years ago

We did it! Here is the local communication. Make sure to disable line wrap to get a good view of it. The communication model is quite different. What were you doing during these captures?

dennisadvani commented 4 years ago

Hey @felipediel, I setup a random TV set top box and was pressing the power toggle a couple of times. Happy to capture some specific scenarios and remotes if it helps.

felipediel commented 4 years ago

Great! Now that we know how to access the messages, we need to capture the device:

If you can provide the codes, it will help the analysis.

Siytek commented 4 years ago

> @dennisadvani Great! Captures are very clean. I'm gonna try to decrypt them right now. I don't know if I am happy or sad, because I was really excited about a brute force script that I just finished. Well, maybe if I can't decrypt your messages it will serve as a last resource.

Definitely a bit sad that the brute force is not required, I was looking forward to beating the bits out of Broadlink 🤣 but amazing news that you cracked it, well done!

dennisadvani commented 4 years ago

Hey @felipediel, @Siytek,

Sorry about crashing your brute force party 😃 I've managed to run a few captures and sends using a Samsung TV Remote. First I've captured the codes using a 0x2737 based RM Mini 3 and put the captures into a text file as a reference.

I've then switched to a 0x5f36 based device and used the Broadlink App to learn the same 3 codes from the Samsung remote, and the app then asks to test what it has just learnt, so I've done a test send straight after. I've then done 3 more captures with just a send without learning through the app.

Files here.

felipediel commented 4 years ago

Great! Everything decrypted here. This solution might work.

bbreton09 commented 4 years ago

> Great! Everything decrypted here. This solution might work.

Yes, the LED blinks! I can register codes! Bravo!

debug.txt

felipediel commented 4 years ago

Tonight I will do a pull request. Thanks to everyone who contributed to the solution!

dennisadvani commented 4 years ago

Awesome work @felipediel, thank you!

jhonathas commented 4 years ago

Congratulations, @felipediel, @dennisadvani and everyone who contributed. Great job.

nickollasaranha commented 4 years ago

Great job guys @felipediel @dennisadvani and everyone else! Now I will finally be able to learn some codes

tota-5 commented 4 years ago

Great work guys! I'm sorry I couldn't contribute more! I'm happy that it got worked out! As soon as the pull request is done, I'll notify people in my groups who have been asking about this issue!

luisfosoares commented 4 years ago

Thank you so much for your hard work!

I have the same device, but when I try to run solution7 I get the following error:

    _LOGGER.debug("Mac: %s", device.mac.hex())
    AttributeError: 'bytearray' object has no attribute 'hex'

Any help? @felipediel thanks

goose2600 commented 4 years ago

@luisfosoares, try using python3

elafargue commented 4 years ago

So, is there a specific requirement for initializing that firmware release of RM Mini 3 so that it is compatible with this code? Specific Broadlink app, or just the python CLI ?

felipediel commented 4 years ago

@elafargue You need to ensure the local capabilities of the device:

  1. Remove the device from the official app
  2. Reset the device
  3. Add the device to your local network
  4. Do not set up a cloud

Please let me know if you have any problems after doing this.

felipediel commented 4 years ago

Hi guys. I've made some changes to keep the code clean. Can we do a final test?

dennisadvani commented 4 years ago

Hey @felipediel, here you go:

    dennis@ubuntu:~/Desktop$ python3 debug.py
    Traceback (most recent call last):
      File "debug.py", line 1026, in <module>
        device.send_data(code)
      File "debug.py", line 610, in send_data
        packet += data
    TypeError: can't concat NoneType to bytearray

debug.txt

goose2600 commented 4 years ago

@felipediel, here it is (learning the power-on code for a Samsung TV): debug.txt

SpyrosKyriazos commented 4 years ago

Here is another one if needed.

debug.txt