iMicknl / python-overkiz-api

Async Python wrapper to interact with internal Somfy TaHoma API, or other OverKiz APIs.
MIT License

Support for "Sauter Smart Control" (Brandt brand) #1202

Open Mincka opened 3 months ago

Mincka commented 3 months ago

Hello,

I have a Sauter oven and I saw that the mobile app "Sauter Smart Control" is based on Overkiz. It has the same look and feel as the Brandt app. Sauter is a brand of the Brandt group so it makes sense.

So I tried to log in with Brandt Smart Control on the HA Integration, but I got a login failed error. Out of curiosity, I tried to log in with my Sauter credentials on the Brandt Smart Control and it failed.

I had a look at the DNS request made to the server from my mobile app, and the host is the same as the one used for Server.BRANDT: ha3-1.overkiz.com.

Server.BRANDT: OverkizServer(
    name="Brandt Smart Control",
    endpoint="https://ha3-1.overkiz.com/enduser-mobile-web/enduserAPI/",
    manufacturer="Brandt",
    configuration_url=None,
),

I also found the same path /enduser-mobile-web/enduserAPI/ by having a quick look at the dex files of the APK, without decompiling it. Maybe there's a dedicated API endpoint on the same server. I am not sure yet since I did not set up traffic interception. Or, maybe there's an additional parameter in the POST request for the login, or a dedicated header for brands affiliated to Brandt.

Did you see such setup with multiple brands hosted on the same server / endpoint?

iMicknl commented 3 months ago

CozyTouch (and some others) are indeed using a separate login endpoint to generate a JWT token, which can be used to authenticate to Overkiz. If you are able to reverse engineer the login method used for Brandt, we can include this here.

Mincka commented 3 months ago

For now, the host for sure is the same, it has been confirmed with the DNS request. Based on the code, it looks like it's also using the same endpoint. That's why I'm not sure at this stage how Brandt differentiates itself from its subsidiaries for the authentication against their directory.

iMicknl commented 3 months ago

Are you sure they don't leverage a separate API for authentication?

Mincka commented 3 months ago

I dug into the dex files with Jadx but could not find much more. There are mentions of a "Sauter" protocol, so maybe something specific is done during the authentication.

It seems there's certificate pinning so it makes traffic interception harder. Did you patch the APK for the reverse engineering of the API? Could you share more about this?

iMicknl commented 1 month ago

I haven't been working on this in detail and this is out of scope for our work here, thus we can't support you here on this repository unfortunately.

Mincka commented 1 month ago

I don't get why you're saying this is out of scope.

The Sauter app is clearly using the Overkiz API. Its implementation is very close to the Brandt one.

It requires additional research to find the parameters required for the authentication on this specific realm, but it could be supported by this module.

I can understand that you don't want to share more about the reverse engineering here, but not why requesting the support for another brand using the Overkiz API is not something that is done in the scope of this project.

iMicknl commented 1 month ago

What is not working in your scenario? Is log-in not working? Sauter might be using a different auth method, which can be used to retrieve auth tokens for their Overkiz server.