robertklep / bosch-xmpp

Protocol implementation for Bosch XMPP protocols
MIT License
48 stars, 7 forks

EasyControl CT200 #4

Closed doudz closed 3 years ago

doudz commented 4 years ago

Do you know if it works with the CT200? If yes, where can I find the required password? (I found the serial and access key in the Info panel of the Android app.)

robertklep commented 4 years ago

I don't know if the CT200 is supported, but if your device only has a serial number and access key I don't think it is (the reason for that is because for supported devices, serial and access key are used for authenticating with the Bosch backend servers and the password is used to encrypt/decrypt your device's data, so not even Bosch can access it).

doudz commented 4 years ago

I think there's a password, because I remember that the EasyControl app asked me to change the CT200 password, but I just can't remember it, and I don't know how I could retrieve/change it :thinking:

robertklep commented 4 years ago

I can't help you there 😅 You could try installing the command-line tool and trying different passwords; there's no rate limiting or maximum-bad-password limit as far as I know.

doudz commented 4 years ago

I managed to reset my CT200 and set a new password :smile: But it doesn't work... I get:

Unhandled rejection XMPP authentication failure

events.js:201
    throw err; // Unhandled 'error' event
    ^

Error [ERR_UNHANDLED_ERROR]: Unhandled error. ('XMPP authentication failure')
    at Client.emit (events.js:199:17)
    at Client._handleAuthState (/usr/local/lib/node_modules/bosch-xmpp/node_modules/node-xmpp-client/lib/Client.js:295:10)
    at Client._handleStanza (/usr/local/lib/node_modules/bosch-xmpp/node_modules/node-xmpp-client/lib/Client.js:233:12)
    at Client.onStanza (/usr/local/lib/node_modules/bosch-xmpp/node_modules/node-xmpp-client/lib/Client.js:221:8)
    at Connection.emit (events.js:210:5)
    at Connection.onStanza (/usr/local/lib/node_modules/bosch-xmpp/node_modules/node-xmpp-core/lib/Connection.js:377:10)
    at StreamParser.<anonymous> (/usr/local/lib/node_modules/bosch-xmpp/node_modules/node-xmpp-core/lib/Connection.js:231:10)
    at StreamParser.emit (events.js:210:5)
    at SaxLtx.<anonymous> (/usr/local/lib/node_modules/bosch-xmpp/node_modules/@xmpp/streamparser/index.js:69:14)
    at SaxLtx.emit (events.js:210:5)
    at SaxLtx._handleTagOpening (/usr/local/lib/node_modules/bosch-xmpp/node_modules/ltx/lib/parsers/ltx.js:40:12)
    at SaxLtx.write (/usr/local/lib/node_modules/bosch-xmpp/node_modules/ltx/lib/parsers/ltx.js:159:18)
    at StreamParser.write (/usr/local/lib/node_modules/bosch-xmpp/node_modules/@xmpp/streamparser/index.js:134:17)
    at Connection.onData (/usr/local/lib/node_modules/bosch-xmpp/node_modules/node-xmpp-core/lib/Connection.js:310:17)
    at TLSSocket.emit (events.js:215:7)
    at addChunk (_stream_readable.js:309:12) {
  code: 'ERR_UNHANDLED_ERROR',
  context: 'XMPP authentication failure'
}
robertklep commented 4 years ago

XMPP authentication uses the serial number and the access key (so not the password). If your access key has hyphens (-) in it, try leaving them out. There are also some known issues with passwords that contain special characters (!, ?, etc.), so if you manage to get past the XMPP authentication but it still fails, try using a simple password.

doudz commented 4 years ago

No hyphens and no special characters... maybe the authentication system is different? I tried to capture the traffic of the Android app, but most of it is encrypted with TLS.

[image]

robertklep commented 4 years ago

Are you using the "ivt" client or the "nefit" client?

doudz commented 4 years ago

I tried nefit

robertklep commented 4 years ago

You could try the "ivt" client, but afaik the CT100 also uses "nefit", so I would have expected it to work. The XMPP authentication error means that the client is able to connect to the server properly, it's just that the credentials are not working. Try a few permutations of serial/access key/password (so instead of passing the password to --password, use the access key, and vice versa).

doudz commented 4 years ago

No luck, ivt gives the same result, and permutations too (I tried all combinations of serial/access key/password).

I tried to set --xmpp-host 139.15.227.114 and it gives the same result.

robertklep commented 4 years ago

Hmm too bad :( If your password exceeds 10 characters, that might be an issue as well, so try using a shorter one if it's longer than that.

doudz commented 4 years ago

no, password is short

robertklep commented 4 years ago

I doubt that it will shed any light on the matter, but you could run the CLI tool in debug mode so it outputs a lot of additional data:

$ env DEBUG=* bosch-xmpp nefit get …
doudz commented 4 years ago

Looking deeper into the Android app I see `new f("rrc2", "charlie.ticx.boschtt.net")`, which makes me suppose the host is different and the key prefix (or something like it) has changed.

doudz commented 4 years ago

I also found a list of remote functions:

"/gateway/versionFirmware"
"/gateway/versionFirmwareBuild"
"/gateway/versionHardware"
"/gateway/hmip/versionApplication"
"/gateway/hmip/versionOS"
"/gateway/wifi/versionFirmware"
"/gateway/wifi/versionFirmwareBuild"
"/gateway/zigbee/versionFirmware"
"/gateway/wizardStepsDone"
"/gateway/tosAccepted"
"/gateway/update/enabled"
"/gateway/installer/contactName"
"/gateway/installer/email"
"/gateway/installer/companyName"
"/gateway/installer/phone"
"/gateway/time/current"
"/gateway/user/address"
"/gateway/user/email"
"/gateway/user/name"
"/gateway/user/phone"
"/gateway/DateTime"
"/gateway/ui/eco"
"/gateway/update/lastCheck"
"/gateway/update/lastUpdate"
"/gateway/update/state"
"/gateway/ui/icons"
"/gateway/notificationLight/enabled"
"/gateway/productType"
"/gateway/pirSensitivity"
"/gateway/ui/splashScreen"
"/gateway/time/timeZone"
"/gateway/time/timeZoneUtcOffset"
"/gateway/userPassword"
"/gateway/uuid"
robertklep commented 4 years ago

Interesting. If it uses a different host, it may as well use an entirely different way of authenticating and encryption/decryption (both authentication and encryption/decryption use prefixes and "magic" values, which are different for IVT and Nefit devices, hence the two different client implementations, and might very well be different again for your CT200 device).

I'd be happy to take a look at the app code to see if I can work out how it operates. Feel free to e-mail me at robert AT klep DOT name

doudz commented 4 years ago

Done :smile:
It's a bit hard to read since the sources have been decompiled using jadx.

JoniVR commented 4 years ago

I'm running into the same issue with the CT200. I was considering forking your homebridge-nefit-easy and trying to support it (CT200) with this api, but I'm getting the same Unhandled rejection XMPP authentication failure.

Anyways, thanks for all the work you put in this.

doudz commented 4 years ago

I managed to get authentication working with the following :tada:

host: `charlie.ticx.boschtt.net`
RRC_CONTACTPREFIX: `rrc2contact`
ACCESSKEY_PREFIX: `C42i9NNp_`

Now I suppose RRC_GATEWAYPREFIX is `rrc2gateway`. I have to find the magic key now. The User-Agent is probably different too, EasyControl maybe.

doudz commented 4 years ago

Trying to call /system/location/latitude:

<message to="rrc2gateway_123456789@charlie.ticx.boschtt.net" from="rrc2contact_123456789@charlie.ticx.boschtt.net"><body>GET /system/location/latitude HTTP/1.1&#13;
User-Agent: EasyControl&#13;
&#13;
</body></message>

I got a 401 error:

<message to="rrc2contact_123456789@charlie.ticx.boschtt.net/8nuecr0zjo" type="chat" xml:lang="en" from="rrc2gateway_123456789@charlie.ticx.boschtt.net/RRC-RestApi"><body>HTTP/1.1 401 Unauthorized
Seq-No: 0
Content-Length: 12
WWW-Authenticate: Basic realm=&quot;rrc2&quot;
Content-Type: application/json
Connection: close

Unauthorized</body></message>

Any ideas? (It looks like RRC_GATEWAYPREFIX really is `rrc2gateway`.)

robertklep commented 4 years ago

Great work! I'm afraid I have no idea where the 401 is coming from, perhaps other endpoints do work? Like /gateway/versionFirmware

doudz commented 4 years ago

Same error 401

doudz commented 4 years ago

Update: the User-Agent is "rrc2". Every message should have a Seq-No, and the first message should trigger /gateway/uuid:

<message to="rrc2gateway_123456789@charlie.ticx.boschtt.net" type="chat"><body>GET /gateway/uuid HTTP/1.1
User-Agent: rrc2
Seq-No: 8

</body></message>
doudz commented 4 years ago

Now I'm able to query any endpoint, but every response is encrypted... :thinking: Tried endpoints:

/gateway/uuid
/gateway/versionFirmware
/gateway/versionFirmwareBuild
/gateway/tosAccepted
/energy/historyEntries
/gateway/time/timeZone

Sample response for /gateway/time/timeZone:

<message to="rrc2contact_123456789@charlie.ticx.boschtt.net/8gxy3jlvz0" type="chat" xml:lang="en" from="rrc2gateway_123456789@charlie.ticx.boschtt.net/RRC-RestApi"><body>HTTP/1.1 200 OK
Seq-No: 6
Content-Length: 152
Content-Type: application/json
Connection: close

FmRaOJ2PRq8sucU8S8OQdcsqsynk/hWwdLmhcSOPoeRvG3d7nTA92SvP17+y5jgIPIJnja7piaVroF4Rraxt+02R7X6xRaGKyThQ0SvTRBGfMaphqwKCZh7nPZClL/wDvfK/rlXfIvgF2PiMneozYQ==</body></message>
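
As an added example (not code from bosch-xmpp or from anyone in this thread), here is the request/response framing above written out as a small Node.js helper: it derives the rrc2contact/rrc2gateway JIDs from a serial, builds the HTTP-style request body with User-Agent: rrc2 and a Seq-No, XML-escapes it for the stanza body, and parses the replies, distinguishing the 401 from a 200 whose payload is base64 ciphertext. The serial 123456789 is the placeholder the thread uses; the two sample responses are the ones captured above, with line endings as rendered here.

```javascript
// Added example, not code from bosch-xmpp: build the HTTP-style request bodies
// the CT200 gateway expects inside XMPP <message> stanzas and parse its
// replies, following the exchanges captured in this thread. The serial
// "123456789" is the placeholder the thread itself uses.
'use strict';

const HOST = 'charlie.ticx.boschtt.net';   // host seen in the app and in the JIDs
const CONTACT_PREFIX = 'rrc2contact';       // RRC_CONTACTPREFIX (our side)
const GATEWAY_PREFIX = 'rrc2gateway';       // RRC_GATEWAYPREFIX (the device)
const USER_AGENT = 'rrc2';                  // the gateway answered 401 to "EasyControl"

// Bare JIDs derived from the device serial.
function jids(serial) {
  return {
    contact: `${CONTACT_PREFIX}_${serial}@${HOST}`,
    gateway: `${GATEWAY_PREFIX}_${serial}@${HOST}`,
  };
}

// Seq-No is a per-session counter; the gateway echoes it so replies can be
// matched to requests, and it refused requests that lacked one.
class SeqCounter {
  constructor(start = 0) { this.next = start; }
  take() { return this.next++; }
}

// Request = HTTP/1.1 request line + headers, CRLF-terminated, blank line, body.
function buildRequest(method, path, seq, body) {
  const lines = [`${method} ${path} HTTP/1.1`, `User-Agent: ${USER_AGENT}`, `Seq-No: ${seq}`];
  if (body !== undefined) {
    lines.push('Content-Type: application/json', `Content-Length: ${Buffer.byteLength(body)}`);
  }
  return lines.join('\r\n') + '\r\n\r\n' + (body ?? '');
}

// The body travels as XML character data, so it must be escaped: this is why
// the captured stanzas show &#13; and &quot; rather than raw CR and quotes.
function xmlEscape(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', '\r': '&#13;' };
  return s.replace(/[&<>"\r]/g, c => map[c]);
}

function buildStanza(serial, requestBody) {
  return `<message to="${jids(serial).gateway}" type="chat"><body>${xmlEscape(requestBody)}</body></message>`;
}

// Parse a reply body (status line, headers, payload). Returns null when the
// text is not an HTTP response. Headers are keyed lowercase.
function parseResponse(text) {
  const sep = /\r?\n\r?\n/.exec(text);
  const head = sep ? text.slice(0, sep.index) : text;
  const payload = sep ? text.slice(sep.index + sep[0].length) : '';
  const [statusLine, ...headerLines] = head.split(/\r?\n/);
  const m = /^HTTP\/1\.[01] (\d{3}) ?(.*)$/.exec(statusLine);
  if (!m) return null;
  const headers = {};
  for (const line of headerLines) {
    const i = line.indexOf(':');
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  const status = Number(m[1]);
  return {
    status,
    reason: m[2],
    seq: 'seq-no' in headers ? Number(headers['seq-no']) : null,
    headers,
    payload,
    // 401 + WWW-Authenticate is what a wrong User-Agent / missing Seq-No got.
    unauthorized: status === 401,
    // On 200 the payload is base64 ciphertext despite Content-Type: application/json,
    // so callers must decrypt before JSON.parse. This is a heuristic on the alphabet only.
    looksEncrypted: status === 200 && /^[A-Za-z0-9+/]+=*$/.test(payload.trim()),
  };
}

// Responses captured in the thread (line endings normalized to LF as rendered).
const SAMPLE_401 = 'HTTP/1.1 401 Unauthorized\nSeq-No: 0\nContent-Length: 12\n'
  + 'WWW-Authenticate: Basic realm="rrc2"\nContent-Type: application/json\nConnection: close\n\nUnauthorized';
const SAMPLE_200 = 'HTTP/1.1 200 OK\nSeq-No: 6\nContent-Length: 152\nContent-Type: application/json\n'
  + 'Connection: close\n\nFmRaOJ2PRq8sucU8S8OQdcsqsynk/hWwdLmhcSOPoeRvG3d7nTA92SvP17+y5jgIPIJnja7piaVroF4Rraxt+02R7X6xRaGKyThQ0SvTRBGfMaphqwKCZh7nPZClL/wDvfK/rlXfIvgF2PiMneozYQ==';

if (typeof require !== 'undefined' && require.main === module) {
  const seq = new SeqCounter();
  console.log(buildStanza('123456789', buildRequest('GET', '/gateway/uuid', seq.take())));
  console.log(parseResponse(SAMPLE_401));
  console.log(parseResponse(SAMPLE_200));
}
```

Run it with node; the demo prints one outgoing stanza and both parsed replies. The stanza builder only produces the `<message>` element, so sending it still needs an authenticated XMPP session (serial plus prefixed access key, as the thread establishes), and looksEncrypted is a base64-alphabet check, not proof that the payload is ciphertext.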
robertklep commented 4 years ago

The encryption is likely similar to the devices that are already supported, but it will probably use a different magic (which I assume is compiled into the native library).

doudz commented 4 years ago

> The encryption is likely similar to the devices that are already supported, but it will probably use a different magic (which I assume is compiled into the native library).

I tried the nefit and ivt magic keys but neither works... How did you find such magic keys? I tried to decompile an old EasyControl Android app, but I didn't find any key.

robertklep commented 4 years ago

I can't remember where I got the IVT-magic from, but the Nefit magic was hardcoded in the Java-part of the app (a few years ago, anyway).

Do you have the native lib available for me somewhere? I can take a look at it as well.

doudz commented 4 years ago

https://mega.nz/#!H4VFzKRT!0YrRYs0IhxxwKuuHoV9rBKZHwP4Xe9xT4B5KgpXGl9M this is the x86 version

doudz commented 4 years ago

The magic key is probably hidden somewhere.

Even though I know the access key prefix is C42i9NNp_, I can't find it in the Android APK. Maybe if we find where the access key prefix is hidden we will find the magic key too.

octa22 commented 4 years ago

Hi guys, the prefix C42i9NNp_ is definitely split into more strings. I guess the magic key as well... libcomp_sm

doudz commented 4 years ago

The funny thing is that the prefix appears clearly in the x86_64 version of the lib:

[image]

robertklep commented 4 years ago

It looks like it's being loaded into memory "manually":

[image]

Same for the gateway prefix:

[image]

doudz commented 4 years ago

I also notice that the nefit and ivt access key prefixes are in the lib, so I suppose the magics for nefit and ivt are also in the lib, but again I didn't manage to find them. Finding them could help us find the new magic.

doudz commented 4 years ago

@robertklep what tool did you use to disassemble ?

robertklep commented 4 years ago

@doudz Hopper

doudz commented 4 years ago

It's not 75735458393830414a6a5651566b3635516b76574f4c615038452b795249504f

GitDuff commented 4 years ago

> it's not 75735458393830414a6a5651566b3635516b76574f4c615038452b795249504f

Yep, I realised that as soon as I posted it :) I decompiled a different version of the Bosch app (not for the CT200).

robertklep commented 4 years ago

@GitDuff your string is actually a hex representation of a Base64-encoded string, which is intriguing regardless 😅 It decodes to some binary data (also likely not a magic number, because the ones that I have are 32 bytes whereas the decoded data is 24 bytes).

doudz commented 4 years ago

The magic key looks like a SHA256 hash, and since I can't find the known magic keys in the *.so file, I suppose the key is not hard-coded but computed from other strings.

robertklep commented 4 years ago

I guess that has changed, the previous magic numbers were hardcoded in the apps.

Skratotriasok commented 4 years ago

Hi all. I am also having trouble connecting to the CT200. I get info that the gateway was reset and then that it failed. I also get this message in the EasyControl app when I have the device offline... Can you help?

doudz commented 4 years ago

@Skratotriasok CT200 is not supported yet

Skratotriasok commented 4 years ago

Hi Robert

Thanks. So what does it really mean? If I understand correctly, they will not troubleshoot. Still, should the device work or not? The device itself connects to the boiler, connects to their server and has no issues using WiFi. However, the app does not seem to work properly and does not seem to be connecting to the server, or the server is not forwarding data to the CT200. So is there nothing I can do about this? Does this work anywhere else in the EU, or not at all? I have tried a VPN on my mobile to Germany or London. I also used a hotspot on my mobile phone with a VPN to see if that could be the issue...

> On Tue, 24 Mar 2020, 08:33 Sébastien RAMAGE wrote:
>
> @Skratotriasok CT200 is not supported yet


robertklep commented 4 years ago

@Skratotriasok if you have problems with the official Bosch app, there's nothing I can do to help you. But even if it was working, this module (bosch-xmpp) will not work with CT200s because we don't know the correct access/encryption keys.

federicofenoglio commented 4 years ago

Hi Robert (and other contributors), this is a great job. I spent some time reading and trying changes to get a Buderus TC100 device connected. I think this is quite similar to the Junkers CT200, but sold under another brand. After several attempts I've been able to pass the authentication step to the Bosch site with the settings pointed out by doudz:

_accesskeyprefix = 'C42i9NNp'
_rrc_contactprefix = 'rrc2contact'
_rrc_gatewayprefix = 'rrc2gateway'
host = 'charlie.ticx.boschtt.net'
User-Agent: rrc2

Authentication is passed, but when requesting the sample command /gateway/time/timeZone I get the following:

ERROR init/raw_message_callback : Error decrypting message. Password incorrect?
ERROR rootstanza/exception : Error handling {jabber:client}message stanza

As you said before, I expect that the magic is wrong. Looking for it, I extracted the following from the Android app of the device (from the file libcomlib-android.so of the ARM lib); the file is attached as libcom.zip.

[screenshot]

0045c140: 3961 6c6c 6f63 6174 6f72 4953 345f 4545 9allocatorIS4_EE
0045c150: 4676 7645 4545 0000 0000 0000 0000 0000 FvvEEE..........
0045c160: 5a4e 3643 6f6d 4c69 6231 3154 6173 6b4d ZN6ComLib11TaskM
0045c170: 616e 6167 6572 3136 5374 6172 7454 6173 anager16StartTas
0045c180: 6b4d 616e 6167 6572 4576 4533 245f 3000 kManagerEvE3$_0.
0045c190: 1243 3675 396a 5075 1672 7263 636f 6e74 .C6u9jPu.rrccont
0045c1a0: 1672 7263 6761 7465 1243 7437 5a52 3033 .rrcgate.Ct7ZR03
0045c1b0: 1872 7263 3263 6f6e 1872 7263 3267 6174 .rrc2con.rrc2gat
0045c1c0: 1243 3432 6939 4e4e 1c67 7365 7276 6963 .C42i9NN.gservic
0045c1d0: 1877 6464 7763 6f6e 1877 6464 7767 6174 .wddwcon.wddwgat
0045c1e0: 1243 6132 3152 3033 1a67 7365 7276 6963 .Ca21R03.gservic
0045c1f0: 9f61 5cf0 6557 30c5 fc3b a0be caba f962 .a\.eW0..;.....b
0045c200: 0c32 e6b4 c4a7 ceec e6c1 5bf0 9043 c8fd .2........[..C..
0045c210: 3273 5d4c 5856 7d7e 5f71 7436 2953 766f 2s]LXV}~_qt6)Svo
0045c220: 7528 487d 4d75 6f70 4d73 7a5b 5a2e 4c70 u(H}MuopMsz[Z.Lp
0045c230: ae70 017e 6085 08cc a12e e1bc f177 98d1 .p.~`........w..
0045c240: ffcb a2d5 7b56 0c63 dde9 2444 2e18 f807 ....{V.c..$D....
0045c250: d291 86eb 865f ae94 d09e aa55 660f 6ee0 ....._.....Uf.n.
0045c260: 3451 0981 f448 cb2e 1009 9d5b c277 c69d 4Q...H.....[.w..
0045c270: e4c4 5e7f 0c68 3de5 49ad 3bd1 9eb7 35f2 ..^..h=.I.;...5.
0045c280: 8b28 f0b8 f3ba 028b 2f23 d19d c332 945a .(....../#...2.Z
0045c290: 41e8 9469 ef7e d0de 87ee c75a 42e9 e0a8 A..i.~.....ZB...
0045c2a0: 4c22 a277 7898 7b0b b299 fca9 ca48 e2a8 L".wx.{......H..
0045c2b0: 049f ab7a 021b ebde 8e92 58f1 bab7 7982 ...z......X...y.
0045c2c0: 1233 e2e4 29e6 2174 bf15 4173 9b6d 11fd .3..).!t..As.m..
0045c2d0: 89d8 c61e f693 ccbc e7a1 09b4 cf1b 3b8b ..............;.
0045c2e0: 0329 6fb0 bdee 0e9e 3d38 233c d50b 2112 .)o.....=8#<..!.
0045c2f0: 3d01 ab03 3c70 d4aa 3950 a222 2978 ed83 =...<p..9P.")x..
0045c300: 4d58 b784 9b90 2879 c896 2ca5 41cb 00b7 MX....(y..,.A...
0045c310: 4e36 436f 6d4c 6962 384d 6167 6963 4b65 N6ComLib8MagicKe
0045c320: 7945 0000 0000 0000 0000 0000 0000 0000 yE..............
0045c330: 4e36 436f 6d4c 6962 3955 7365 7241 6765 N6ComLib9UserAge
0045c340: 6e74 4500 0000 0000 0000 0000 0000 0000 ntE.............
0045c350: 4e36 436f 6d4c 6962 3136 4164 6170 7465 N6ComLib16Adapte
0045c360: 7243 6f6e 7461 696e 6572 4500 0000 0000 rContainerE.....

I don't know if this might help you (or anyone else) to extract the new magic. I'm not that good at this, and I don't know whether what I see here is really the magic or not :-(

However, thank you so much for your efforts, and hopefully this might be a new step towards a common resolution.

Please let me know if I can do anything more with my search ...

robertklep commented 4 years ago

@federicofenoglio yes, the magic key is used with decryption :( I have looked at that file before but haven't been able to extract a magic key from it, sadly.

pszafer commented 4 years ago

Hi, I had a short look at all your work to find the magic key of the CT200. I don't own one, so I can't help directly, but I have some tcpdumps of the Android app in use.

What's interesting: the Android app always connects to the Bosch cloud via HTTPS first, then goes to the Bosch XMPP server. It's just a thought, but maybe (big maybe) it downloads the magic key from the HTTP server first...

robertklep commented 4 years ago

@pszafer that could very well be what's happening, which would make retrieving the magic key even more difficult (unless it's possible to MITM the traffic, but I doubt it).

federicofenoglio commented 4 years ago

While looking at the packets captured from the app during the login procedure, I remember a different server being accessed. I can check there whether there's anything useful. Unfortunately I'm really a beginner at this and I don't know how to decode the SSL packets. I was hoping that the key would have been found in the section of data that I attached before (there's the word MagicKey following a long block of data).

robertklep commented 4 years ago

@federicofenoglio sadly, it doesn't look like it. I ran the .so file through a disassembler and it's just a bunch of zeroes (which adds to the hypothesis that it will be filled in later with the actual key, once it has been retrieved from somewhere).