Need assist to sniff TCP with wireshark/协助使用wireshark帮忙抓包

[duchenpaul]

我有一个美的的热水器, 我折腾了几天没有成功抓到包, 可以给个简单的教程教我抓包分析里面的协议么, 我到时候会分享出来, 甚至完善这个项目的代码. 谢谢

[mac-zhou]

你可以先运行midea-discover -d此工具是帮助发现局域网内的美的设备

[duchenpaul]

我把你的代码摘出来跑过了, 我的型号是T0xE3, 所以你不可能发现的了得, 没错6445端口是有东西的, 我先捣鼓两天, 有进展话你知

[duchenpaul]

我在路由器上用tcpdump试图抓包, 但是没有收获, 192.168.31.180是我的热水器地址, 你可以帮忙看看什么原因么

tcpdump -i br-lan dst 192.168.31.180 -w target.cap
tcpdump -i br-lan src 192.168.31.180 -w target.cap

[mac-zhou]

• 6445端口只是发现协议，你不要在此浪费时间 重要的是要处理热水器6444端口通讯的数据
• 我不知道你网络和路由型号，没办法帮到你。但抓包的原则上越接近热水器越好，比如在热水器锁在AP上抓包 你可能需要这样抓包： tcpdump -i any host 192.168.31.180 -p -nn -s 0 -w midea.pcap -vvv
• 你可以运行midea-discover看看 我的库是否可以支持你设备协议数据的解密，报文是以5a5a开头的，不支持8370开头的
• 如果我的库支持解密你的数据，你的重点应该放在我解密之后的数据，你可能会看到相关变化，知道规则

[duchenpaul]

8370的, 有事做咯!

INFO:msmart.cli:Debug mode active
INFO:msmart.cli:Discovering devices with UDP Broadcast, press CTRL-C to quit...
INFO:msmart.cli:Midea Local Data 192.168.31.180 837000c8200f00005a5a0111b8007a8000000000f197320a1706141431820600009600000000000000000180000000003d2d2a5d91b3b35a0439ad15b61f8d32bce6ad2b6757881d771c94a56d0972bb5245048f7a5dc6c52a83fa7c22e0b8da97a2d910b60f398f154e84b51959f87599511fc6d165e30922240666aff67c18a337d864e15a8c397d9983652746509d4bdfb3e16e33d88768cc4c3d0658937d96fbcce99f70c976413c2f05f60f82e7b64f24e548dac159bb384cdaab4fc2dd1cbfe865aac8ec05b402ae5ae8bbd8d2
ERROR:msmart.security:aes_decrypt error: ValueError('Padding is incorrect.',) - data: 3d2d2a5d91b3b35a0439ad15b61f8d32bce6ad2b6757881d771c94a56d0972bb5245048f7a5dc6c52a83fa7c22e0b8da97a2d910b60f398f154e84b51959f875

[duchenpaul]

我想知道你代码里面的appkey和signkey是哪里找的, 目前看这appkey应该在两个不同的协议之间通用的, 你的tcpdump可以使用, 我继续要就看看, 谢谢你的支持

[mac-zhou]

旧版本app里找到了 新版本中已经找不到了

[mac-zhou]

8370的, 有事做咯!

INFO:msmart.cli:Debug mode active
INFO:msmart.cli:Discovering devices with UDP Broadcast, press CTRL-C to quit...
INFO:msmart.cli:Midea Local Data 192.168.31.180 837000c8200f00005a5a0111b8007a8000000000f197320a1706141431820600009600000000000000000180000000003d2d2a5d91b3b35a0439ad15b61f8d32bce6ad2b6757881d771c94a56d0972bb5245048f7a5dc6c52a83fa7c22e0b8da97a2d910b60f398f154e84b51959f87599511fc6d165e30922240666aff67c18a337d864e15a8c397d9983652746509d4bdfb3e16e33d88768cc4c3d0658937d96fbcce99f70c976413c2f05f60f82e7b64f24e548dac159bb384cdaab4fc2dd1cbfe865aac8ec05b402ae5ae8bbd8d2
ERROR:msmart.security:aes_decrypt error: ValueError('Padding is incorrect.',) - data: 3d2d2a5d91b3b35a0439ad15b61f8d32bce6ad2b6757881d771c94a56d0972bb5245048f7a5dc6c52a83fa7c22e0b8da97a2d910b60f398f154e84b51959f875

https://github.com/mac-zhou/midea-msmart/blob/master/msmart/cli.py 刚刚做了更新 你可以自己手工运行试试

[duchenpaul]

一样的呀 已经确认我跟你的协议不一样,

INFO:msmart.cli:Debug mode active
INFO:msmart.cli:Discovering devices with UDP Broadcast, press CTRL-C to quit...
INFO:msmart.cli:Midea Local Data 192.168.31.180 837000c8200f00005a5a0111b8007a8000000000af2e050c1706141431820600009600000000000000000180000000003d2d2a5d91b3b35a0439ad15b61f8d32bce6ad2b6757881d771c94a56d0972bb5245048f7a5dc6c52a83fa7c22e0b8da97a2d910b60f398f154e84b51959f87599511fc6d165e30922240666aff67c18a337d864e15a8c397d9983652746509d4bdfb3e16e33d88768cc4c3d0658937d96fbcce99f70c976413c2f05f60f82e7cfe0b65fd4f7c93e2ca9d87b4d43e40b1cbfe865aac8ec05b402ae5ae8bbd8d2
Traceback (most recent call last):
  File "/usr/local/bin/midea-discover", line 11, in <module>
    load_entry_point('msmart==0.1.19', 'console_scripts', 'midea-discover')()
  File "/usr/local/lib/python3.6/dist-packages/Click-7.0-py3.6.egg/click/core.py", line 764, in __call__
    return self.main(*args, **kwargs)
  File "/usr/local/lib/python3.6/dist-packages/Click-7.0-py3.6.egg/click/core.py", line 717, in main
    rv = self.invoke(ctx)
  File "/usr/local/lib/python3.6/dist-packages/Click-7.0-py3.6.egg/click/core.py", line 956, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/usr/local/lib/python3.6/dist-packages/Click-7.0-py3.6.egg/click/core.py", line 555, in invoke
    return callback(*args, **kwargs)
  File "/usr/local/lib/python3.6/dist-packages/msmart-0.1.19-py3.6.egg/msmart/cli.py", line 80, in discover
UnboundLocalError: local variable 'm_support' referenced before assignment

[mac-zhou]

发现协议(udp.port == 6445)是可以解的，控制协议(tcp and data[:2] == 8370)无解 cli.py 又做了更新，请帮测一下看看

[duchenpaul]

不确定你的ssid之类的是否对的, 明文是这个, 我的ssid不是这个是Wolfstein

0000E321151100TD705251402154120U
midea_e3_2154

INFO:msmart.cli:Debug mode active
INFO:msmart.cli:Discovering devices with UDP Broadcast, press CTRL-C to quit...
INFO:msmart.cli:Midea Local Data 192.168.31.180 837000c8200f00005a5a0111b8007a80000000007a2e00001706141431820600009600000000000000000180000000003d2d2a5d91b3b35a0439ad15b61f8d32bce6ad2b6757881d771c94a56d0972bb5245048f7a5dc6c52a83fa7c22e0b8da97a2d910b60f398f154e84b51959f87599511fc6d165e30922240666aff67c18a337d864e15a8c397d9983652746509d4bdfb3e16e33d88768cc4c3d0658937d96fbcce99f70c976413c2f05f60f82e78a88773deeaf7f16126f61a398027e821cbfe865aac8ec05b402ae5ae8bbd8d2
DEBUG:msmart.packet_builder:Finalize request data: aa20ac00000000000003418100ff03ff000200000000000000000000000026d175
DEBUG:msmart.lan:Sending to 192.168.31.180:6444 5a5a011168002000000000001526140c1706141431820600009600000000000000000000000000006b000a76e27eed2c3647e57d8602df8b7760b65cc8abde8d47750695623f1296137efcc7f8fe55c6253e8dc10f59f57ae7996a5cf6960fec05fc767cc7c85941
INFO:msmart.lan:Couldn't connect with Device 192.168.31.180:6444
DEBUG:msmart.device:refresh - Recieved from 192.168.31.180, 318206000096: 
INFO:msmart.cli:*** Found a unsupported '0xe3' at 192.168.31.180 - id: 164926744592945 - sn: 21151100TD705251402154120U - ssid: midea_e3_2154

[duchenpaul]

另外, 我搞他家的微信小程序, 里面api.js 里面有好多小秘密

wechat_app.zip

[mac-zhou]

不确定你的ssid之类的是否对的, 明文是这个, 我的ssid不是这个是Wolfstein

0000E321151100TD705251402154120U
midea_e3_2154

INFO:msmart.cli:Debug mode active
INFO:msmart.cli:Discovering devices with UDP Broadcast, press CTRL-C to quit...
INFO:msmart.cli:Midea Local Data 192.168.31.180 837000c8200f00005a5a0111b8007a80000000007a2e00001706141431820600009600000000000000000180000000003d2d2a5d91b3b35a0439ad15b61f8d32bce6ad2b6757881d771c94a56d0972bb5245048f7a5dc6c52a83fa7c22e0b8da97a2d910b60f398f154e84b51959f87599511fc6d165e30922240666aff67c18a337d864e15a8c397d9983652746509d4bdfb3e16e33d88768cc4c3d0658937d96fbcce99f70c976413c2f05f60f82e78a88773deeaf7f16126f61a398027e821cbfe865aac8ec05b402ae5ae8bbd8d2
DEBUG:msmart.packet_builder:Finalize request data: aa20ac00000000000003418100ff03ff000200000000000000000000000026d175
DEBUG:msmart.lan:Sending to 192.168.31.180:6444 5a5a011168002000000000001526140c1706141431820600009600000000000000000000000000006b000a76e27eed2c3647e57d8602df8b7760b65cc8abde8d47750695623f1296137efcc7f8fe55c6253e8dc10f59f57ae7996a5cf6960fec05fc767cc7c85941
INFO:msmart.lan:Couldn't connect with Device 192.168.31.180:6444
DEBUG:msmart.device:refresh - Recieved from 192.168.31.180, 318206000096: 
INFO:msmart.cli:*** Found a unsupported '0xe3' at 192.168.31.180 - id: 164926744592945 - sn: 21151100TD705251402154120U - ssid: midea_e3_2154

这是你热水器的SSID，也就是热水器处于AP模式等待配对时候的SSID, 不是现在所连接的

[duchenpaul]

不确定你的ssid之类的是否对的, 明文是这个, 我的ssid不是这个是Wolfstein

0000E321151100TD705251402154120U
midea_e3_2154

INFO:msmart.cli:Debug mode active
INFO:msmart.cli:Discovering devices with UDP Broadcast, press CTRL-C to quit...
INFO:msmart.cli:Midea Local Data 192.168.31.180 837000c8200f00005a5a0111b8007a80000000007a2e00001706141431820600009600000000000000000180000000003d2d2a5d91b3b35a0439ad15b61f8d32bce6ad2b6757881d771c94a56d0972bb5245048f7a5dc6c52a83fa7c22e0b8da97a2d910b60f398f154e84b51959f87599511fc6d165e30922240666aff67c18a337d864e15a8c397d9983652746509d4bdfb3e16e33d88768cc4c3d0658937d96fbcce99f70c976413c2f05f60f82e78a88773deeaf7f16126f61a398027e821cbfe865aac8ec05b402ae5ae8bbd8d2
DEBUG:msmart.packet_builder:Finalize request data: aa20ac00000000000003418100ff03ff000200000000000000000000000026d175
DEBUG:msmart.lan:Sending to 192.168.31.180:6444 5a5a011168002000000000001526140c1706141431820600009600000000000000000000000000006b000a76e27eed2c3647e57d8602df8b7760b65cc8abde8d47750695623f1296137efcc7f8fe55c6253e8dc10f59f57ae7996a5cf6960fec05fc767cc7c85941
INFO:msmart.lan:Couldn't connect with Device 192.168.31.180:6444
DEBUG:msmart.device:refresh - Recieved from 192.168.31.180, 318206000096: 
INFO:msmart.cli:*** Found a unsupported '0xe3' at 192.168.31.180 - id: 164926744592945 - sn: 21151100TD705251402154120U - ssid: midea_e3_2154

这是你热水器的SSID，也就是热水器处于AP模式等待配对时候的SSID, 不是现在所连接的

嗯 我现在也这么认为

[mac-zhou]

另外, 我搞他家的微信小程序, 里面api.js 里面有好多小秘密

wechat_app.zip

8370这种数据如果最终没办法解密的话 你可以尝试搞云版本的插件 国外是有开发者做了midea cloud的版本，我也是从那边受到一些启发来做本地局域网版本的 我自己是不会去开发云版本的，家里的2台美的空调都已经完美工作的。

[duchenpaul]

云版本的插件是指模仿app发request 包给cloud api? 我似乎没找到太多美的的DIY, 我甚至想过吧热水器拆了用看电脑板的串口输出, 不过还是蛮费工程的

[duchenpaul]

美的美居会下载相应智能电器的组件, 这个是E3 热水器品类的, 里面可能有相关透传信息, 以及各种key的生成方式 来源: http://mjfile-pro.smartmidea.net/T0xE3_<YYYYMMDD>.zip

T0xE3_20190423.zip

[mac-zhou]

组件一般处理是解密后数据 未解密，这个组件就没啥意义 美的app从新版本之后就加解密开始用lua插件了，我暂时未找到办法 mac_zhou

在 2020年6月25日，11:51，Chenny Du notifications@github.com 写道：



美的美居会下载相应智能电器的组件, 这个是E3 热水器品类的, 里面可能有相关透传信息, 以及各种key的生成方式 T0xE3_20190423.ziphttps://github.com/mac-zhou/midea-msmart/files/4829006/T0xE3_20190423.zip

— You are receiving this because you commented. Reply to this email directly, view it on GitHubhttps://github.com/mac-zhou/midea-msmart/issues/13#issuecomment-649198965, or unsubscribehttps://github.com/notifications/unsubscribe-auth/AA4KC73YWZ5EVO4NMNWH2LLRYLCUTANCNFSM4OCY6U2A.

[duchenpaul]

先关了, 有进展在新开issue