Can't retrieve indoor or outdoor temperature for MAW12V1QWT (U Inverter Window A/C)

[elahd]

Msmart returns 0 degress for both indoor and outdoor temperature. Also returns an incorrect target temperature:

{'id': '1d0a0100000d', 'name': '192.168.4.6', 'power_state': True, 'prompt_tone': False, 'target_temperature': 25, 'operational_mode': <operational_mode_enum.cool: 2>, 'fan_speed': <fan_speed_enum.Auto: 102>, 'swing_mode': <swing_mode_enum.Off: 0>, 'eco_mode': False, 'turbo_mode': False, 'indoor_temperature': 0.0, 'outdoor_temperature': 0.0}

This is passing through to hass in a strange way, as well:

With current temperature showing up incorrectly (probably by converting 0C to 32F) and showing a weird temperature set number.

[mac-zhou]

you add this to your configuration.yaml and show me the debug log

logger:
  default: info
  logs:
    msmart: debug

[elahd]

Hi Mac,

This snippet represents the pattern of msmart data that appear in the logs. The full log file is huge and contains a lot of unrelated data. Is this sufficient?

2020-07-17 18:52:55 DEBUG (SyncWorker_0) [msmart.packet_builder] Finalize request data: aa20ac00000000000003418100ff03ff0002000000000000000000000000371223
2020-07-17 18:52:55 DEBUG (SyncWorker_0) [msmart.lan] Sending to 192.168.4.6:6444 5a5a0111680020000000000009373412110714141d0a0100000d00000000000000000000000000006b000a76e27eed2c3647e57d8602df8b5d83c3d3bf05b1f7b20afd3884fc5234fabd9611a01068eac9c473549748254266a68f44cad7bfb785046231be43e2bc

[...]

2020-07-17 18:53:03 INFO (SyncWorker_0) [msmart.lan] Couldn't connect with Device 192.168.4.6:6444
2020-07-17 18:53:03 DEBUG (SyncWorker_0) [msmart.device] refresh - Recieved from 192.168.4.6, 1d0a0100000d: 

[...]

2020-07-17 18:53:12 DEBUG (SyncWorker_7) [msmart.packet_builder] Finalize request data: aa20ac00000000000003418100ff03ff00020000000000000000000000000c8cd4
2020-07-17 18:53:12 DEBUG (SyncWorker_7) [msmart.lan] Sending to 192.168.4.6:6444 5a5a01116800200000000000120c3512110714141d0a0100000d00000000000000000000000000006b000a76e27eed2c3647e57d8602df8b8b688a2805c90be589e77c77786e94e5beb10a3f262d838d74d1930679f6ac102743cd448d29e435771156f0950972ab

etc...

Thanks again.

[kueblc]

I'm using a similar model, and it appears to use a new protocol that isn't supported yet. I have been working on adding support. If you are willing, create a network capture of the communication between the AC and the cloud using a tool such as WireShark or tcpdump. This data will assist in the reverse engineering of the new protocol.

[elahd]

@kueblc Between the AC and the cloud or the AC and my phone? AC<->Cloud communication is encrypted. Does the AC do SSL cert validation or can it just be MITM'd with a fake certificate?

I'm poking around a bit myself:

1. Decompiled the Android APK to get the new SDK. Function names are obfuscated. The message builder algorithm is a Rube Goldberg machine of magic strings and external function calls. Haven't finished sifting through that.
2. Tried exploring an alternate approach: replacing the Smart Kit USB dongle with an ESP8266. I took a firmware dump of the Smart Kit firmware and sniffed some of the UART comms between the Smart Kit and the AC itself, but I may be in over my head here. For what it's worth, it looks like UART communication is much simpler than communication over IP.

What have you found on your end?

AC -> Phone Data Captures (UDP) 837000b8200f04085a5a0111a8007a800000000000000000000000001d0a0100000d00000000000000000000000000008af22ba9782309b82db07399f95b7af2808bcfa840ddc318ec2202e3183205e5c05eadba650c040ae988e9dc770d1155bc3d108ec92a744b5dcd3518efacc8a3128d6ffcfaabb718deceafbd06021b4b0305a504e9e35c553636c63a1e9cdd21f31443d17c3aac03a7656614ae1dca44d899b6eb315e5e6c17a90e883249393f7679c95491ded5cb6fabd73057d8717d

(UDP) 837000b8200f04075a5a0111a8007a800000000000000000000000001d0a0100000d00000000000000000000000000008af22ba9782309b82db07399f95b7af2808bcfa840ddc318ec2202e3183205e5c05eadba650c040ae988e9dc770d1155bc3d108ec92a744b5dcd3518efacc8a3128d6ffcfaabb718deceafbd06021b4b0305a504e9e35c553636c63a1e9cdd21f31443d17c3aac03a7656614ae1dca44d899b6eb315e5e6c17a90e883249393f7679c95491ded5cb6fabd73057d8717d

(TCP) 8370008e2063c0307e882647aa13ce72fc4fac68bdd3e6cc05505536d8cfb24024a7a3c7ea4b3492fc9e546e876e9996a7402a2fd2d900531db368b6368fe0969224cb6857925fad74eb2a34f84ae1051a749188bcebac444764e23ca5a66d54a1b7552061d63faa01985f0e0b58aab0a715aa0d85d86f37a880dfb04fdd6ebc4aae3d1fd303b7bb4144b897152a8c7f3f3d82572abd

Phone -> AC Data Captures (TCP) 8370008e206680f428a6da8dd326b6176e18b10fc4842550dcffe4b776cf4ae2b0184cff68ba19c7844b541e18d8d54500a8c85b8aa2ddf33883bbc7f2d41338d9b6a3acc831623a9b3a2dda7993a7ccdcd9c96a8958b6e2fa4f1467c197c81cccd460491a3f6280a9d317be497abaaaca68fc61a4e146d63d41b41dd5ea85bb1c53a6756137d48754fb097813bd36f345c435d3d6ae

(TCP) 8370008e20660fd3da3cb0ec713f7055cbd0f14a3157b8a8a0bc00bca06cd7e27d2367875e33f2fd379eda27503d0c0bba8f0fe6df8216b5e312ea1ce83fd6fb463608e3646dd6322d2d662b999d869c13447c3b0cbc566be6572b992edd9573b16956b870d3ae5e983325346a1ae837a899a24aa87f5bc1e3fff38f856b0c8cfc86cb48956bdc28eb72a0d523eb4c7097fc590bbbbd

Smart Kit <-> AC Data Captures UART Capture.xlsx Unfortunately, I didn't make a note of how I connected the logic analyzer 🤦‍♂️. Serial 1 / Serial 2 refer to UART TX / RX channels. One is for comms from the AC, the other is to the AC.

[kueblc]

Between the AC and the cloud or the AC and my phone?

AC and cloud. Trying to understand the cloud handshake. AC and phone has been solved.

AC<->Cloud communication is encrypted. Does the AC do SSL cert validation or can it just be MITM'd with a fake certificate?

They thought they were being sneaky by putting the traffic over port 443, but it is not actually SSL/TLS. There are no certificates. The protocol is the same 8370 protocol, just with a different handshake.

What have you found on your end?

I have also reversed engineered the Android SDK and successfully replicated the local communication. See https://github.com/kueblc/midea-msmart/tree/support-8370

Others are trying the second approach as well, replacing the WiFi hardware.

Join the Telegram group where we are discussing our ideas and progress. https://t.me/joinchat/BhU6LRytPXLsiqTIar0jqg

[seppe912]

Hello kueblc, i got an SK-103 wifi stick which will be find with discover as a supportet Protocoll 3 device:

22.08 08:42 msmart.cli DEBUG Midea Local Data 192.168.178.80 5a5a0111a8007a80000000000000000000000000a99100000012000000000000000000000000000003ed0628a5844485ef4501f937db456f370e9e5f4f939ce754af13b17d3d951c5bba106fb18ae0300ff40910de5101216d2257804fe941f9f3b7bda6c8256507f13e7784445e5328eb483a660cc2da36682b11e235eef961e588bd6fd663cf18f31443d17c3aac03a7656614ae1dca445a59c818543f1acf379d2d8ad51fb38f
22.08 08:42 msmart.cli INFO *** Found a supported 'ac' (0) at 192.168.178.80:6444 - id: 19791209337257 - sn: 000000P0000000Q1F0C9D1C178030000 - ssid: net_ac_7803 - mac: f0c9d1c17803 - protocol: 3

when i use the code like in exampe.py i´ll get an error:

22.08 08:48 msmart.lan DEBUG Attempting new connection to 192.168.178.80:6444
22.08 08:48 msmart.lan DEBUG Sending to 192.168.178.80:6444 837000402000000031ed2327583931e3c13d8addaa3ec95b5b36031a46265bfd5f946d96e1d2f4fd44574fc2525e2a51f929389b6cff4357c3b74b151d1a340e8b13e1e4ce76f836
22.08 08:48 msmart.lan DEBUG Received from 192.168.178.80:6444 83700005200f00004552524f52
22.08 08:48 Midea2Lox.py ERROR (, Exception('authentication failed'), )

my code:

....

        device = ac('192.168.178.80','19791209337257')

        # If the device is using protocol 3 (aka 8370), you must authenticate with your
        # WiFi network's credentials for local control
        #device.authenticate('YOUR_AC_MAC', 'YOUR_WIFI_SSID', 'YOUR_WIFI_PW')
        device.authenticate('f0c9d1c17803', 'Fritzbox7490', 'WIFI-PASS')
        device.refresh() 

......

(Wifi Pass deleted.) on authenticate ill get the error, authentication failed... whats wrong?

[mac-zhou]

The new version already supports 8370. Please Try.