Closed u253195 closed 3 years ago
@schachar good!!
By "lock password", do you refer to the lock pincode? Seems you have the same lock as @rospogrigio
How do you unlock the lock via Tuya mobile APP?
@Sthopeless Yes, lock pin code
I just click the lock icon, then there is an "open" button.
I will try to check with the API what are the lock's supported unlock methods. I see there is an API for that. Now that the whole authentication / temp-password work, it should be easy.
For my lock, I have pin codes programmed for the external keypad (Bluetooth keypad), but I'm assuming you are referring to another pin code :)
@schachar All my locks have a keypad and came with a default 6-digit pincode, so if yours is 6 digits I suggest trying it just to confirm.
With my WiFi version, to unlock via the APP I have to type a code on the lock keypad to initiate a request. After that is done I am able to unlock via the APP.
The API command for this doesn't require pincode but still requires you to request the lock ticket and then use only the ticket_id.
Please have a look here: tuya documentation url
If you have Postman configured (it's easier for debugging IMO) you can create POST request to {{url}}/v1.0/devices/{{zigbee_lock}}/door-lock/password-ticket
to get the Ticket_ID
Then create another POST request to {{url}}/v1.0/devices/{{zigbee_lock}}/door-lock/password-free/open-door
with body { "ticket_id":"CHD8hlbO" }
Replacing the ticket_id with the one you got in the last message
{{zigbee_lock}}
it's an environment I have with my lock UUID; do the same or replace it directly with your lock UUID
same applies to {{url}}
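The two-step password-free flow above (ticket first, then open-door with only the ticket_id), as an added example in Python that is not the thread's or Tuya's own code. It assumes `post(url, body)` is a callable that already applies Tuya's signing headers and returns the decoded JSON envelope; `FakeTuyaLock` is a constructed in-memory stand-in for the two endpoints (its error codes are placeholders) that assumes tickets are single-use and expire, so the flow can be run offline.

```python
import secrets
import time

TICKET_PATH = "/v1.0/devices/{device}/door-lock/password-ticket"
OPEN_PATH = "/v1.0/devices/{device}/door-lock/password-free/open-door"

def open_door(post, base_url, device_id):
    """Fetch a one-time ticket, then redeem it. Returns (ticket_id, open-door result).

    `post(url, body)` must return Tuya's decoded envelope:
    {"success": bool, "result": ..., "code": ..., "msg": ...}.
    """
    ticket = post(base_url + TICKET_PATH.format(device=device_id), {})
    if not ticket.get("success"):
        raise RuntimeError(f"password-ticket failed: {ticket.get('code')} {ticket.get('msg')}")
    ticket_id = ticket["result"]["ticket_id"]
    opened = post(base_url + OPEN_PATH.format(device=device_id), {"ticket_id": ticket_id})
    if not opened.get("success"):
        raise RuntimeError(f"open-door failed: {opened.get('code')} {opened.get('msg')}")
    return ticket_id, opened["result"]

class FakeTuyaLock:
    """Constructed stand-in for the two endpoints. Assumption: a ticket can be redeemed
    once and only within `ttl` seconds; error codes below are placeholders, not Tuya's."""

    def __init__(self, device_id, ttl=120, clock=time.time):
        self.device_id, self.ttl, self.clock = device_id, ttl, clock
        self.tickets = {}          # ticket_id -> expiry timestamp
        self.open_count = 0

    def post(self, url, body):
        if url.endswith(TICKET_PATH.format(device=self.device_id)):
            ticket_id = secrets.token_urlsafe(6)            # short id like "CHD8hlbO"
            self.tickets[ticket_id] = self.clock() + self.ttl
            return {"success": True, "result": {"ticket_id": ticket_id, "expire_time": self.ttl}}
        if url.endswith(OPEN_PATH.format(device=self.device_id)):
            expiry = self.tickets.pop(body.get("ticket_id"), None)   # pop: single use
            if expiry is None or expiry < self.clock():
                return {"success": False, "code": "PLACEHOLDER_TICKET_INVALID",
                        "msg": "ticket unknown, already used or expired"}
            self.open_count += 1
            return {"success": True, "result": True}
        return {"success": False, "code": "PLACEHOLDER_NO_ROUTE", "msg": "unknown endpoint"}
```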
password-free works!!! :)
@schachar glad to hear!
So I'm assuming same should work for @rospogrigio.
Anyways this is where the fun ends and we realize we are dependent on the API to control the locks.. meh 😉
Well at least until someone reverse engineers the codes used for Zigbee / Bluetooth
password-free works!!! :)
@schachar so you can open and close the lock?
I can confirm with M531. It's working.
@formatBCE @rospogrigio sorry I took too long to answer back, I had a lot of work. Very good news: today I successfully managed to intercept Airbnk API calls between the Airbnk app on Android and Burp Suite, using a trusted TLS certificate to MITM the connection. It was tricky using a rooted Android and trusting the certificate at the OS level; I managed to see every call made by the app when locking and unlocking the lock. Then using Burp I tried to repeat the request to see if the lock would respond via the WiFi bridge. First it was not successful, but after digging for more than 30 mins I found that the API call got locksn (lock serial number), userid (fixed element for each user), token (changed every time the app is installed on a new device) and a uuid in the request form, so I had to generate a random uuid online and put it back in the request form, and it was successful: the lock was locking and unlocking normally just by using a simple API call to the Airbnk cloud server. The major issue with this solution is that users should have a means to intercept the TLS communication to get at least the token, the user id and the lockSn, and then by using a REST API integration in Home Assistant they will be able to lock and unlock via the web UI. This integration will lack the lock status information (closed or open or jammed), but it can be provided by an integration that can read Bluetooth advertising packets, since in the lock's advertised data there are some bits that provide the lock status. Unfortunately we still rely on the Airbnk cloud to operate the lock. It's true that it's easier like that, because in order to get rid of the cloud we have to rewrite the entire Bluetooth communication in Python along with the OTP algorithm (successfully decompiled), and it's just a time issue.
@nourmehdi very good! So how do you suggest we should proceed? Do you have some code or procedure for us to test, to check if our devices behave the same?
@rospogrigio yes of course, the most time-consuming part is to extract the token, snlock information..., the problem is that you must have a rooted Android phone to proceed. I tried to do this in an emulator; all was OK except when I tried to enter the lock menu in the app (to open or close): the Android app called for Bluetooth permission, which crashed the app immediately because the Android emulator doesn't have Bluetooth support, and this despite the fact that in the emulator we won't be using Bluetooth but only the API call; the app crashed every time. So I found an old GALAXY S6 and performed a root, because I didn't want to root my phone. If you have an Android phone that is rooted or that you can root, I can give step by step instructions.
I too have my old Galaxy S8 that I can use for the purpose, so yes, please provide instructions... thank you!
Perfect, so first of all I recommend rooting using the Magisk root utility: install the Magisk APK and then open the app. This step is important to see if your S8 got ramdisk or not, so install the Magisk APK from this site, https://magiskmanager.com/, install it trusting unknown sources, and then open the app and check: ramdisk: Yes, SAR: No. If it's OK we will continue. We proceed like that to avoid being stuck at any step.
@nourmehdi great news! I've installed rooted Android on a spare Raspberry Pi. Ready to test that!
@nourmehdi I don't have a W100 bridge, so one question: can the app control the W100 locally or does it always need the cloud?
@fabitom unfortunately I have already intercepted the connection between the W100 and the cloud; it's NON-secure MQTT protocol, and the app always sends an API CALL to the Airbnk cloud, and then the cloud generates an OTP password and sends it to the bridge via MQTT, which then relays it to the lock via Bluetooth. So the answer is no, the app cannot control the bridge directly; the only direct control is via Bluetooth.
@formatBCE great, I forgot to say that there's a change from Android 7.0 and up: Android no longer trusts user certificates, that's why the Android must be rooted to install the certificate at system level. Which Android have you installed on your Raspberry?
@nourmehdi Hi, I have a rooted Samsung J5 with Android 10. Ramdisk: Yes, SAR: Yes. Can it be used?
@nourmehdi it doesn't matter - the Airbnk app is crashing on that device too, despite working Bluetooth and WiFi... Gonna try to get some old rooted device.
@formatBCE if you can install Android 6.0 on your RPi, you don't need to root to trust the certificate; installing the certificate at user level will be enough to MITM the connection.
@EnginDzhemil once you have your device rooted (Android 7.0 and above) you can proceed. We are looking for /system/etc/security/cacerts, this is the path where Android stores the system certificates, and we need to place the Burp certificate here. Download Burp Suite Community, go to proxy options, and then export the certificate in DER format (first choice). Once you got your certificate, there are several ways: using adb tools, using a (root) module that can import certificates from the user store to the system store automatically, or installing the certificate at user level and then using a file explorer in Android to copy the certificate from the user certificate directory to the system certificate directory. I found some quick steps on the web you can try. You need to convert the exported Burp certificate to the known Android format using the openssl tool (Windows or Linux):
1 - use openssl to get your certificate.pem hash: openssl x509 -inform PEM -subject_hash_old -in certificate.pem | head -n -1
2 - rename your certificate.pem to the hash you got, with the extension .0 (for example 2d00226e.0)
3 - move your hash.0 somewhere on your phone
4 - open a terminal on your phone (ex: Termux app) or use adb shell
5 - remount your /system in rw: mount -o rw,remount,rw /system
6 - move your hash.0 to the cacerts directory: mv hash.0 /system/etc/security/cacerts/
7 - give it some perms: chmod 644 /system/etc/security/cacerts/hash.0
8 - remount your /system in ro: mount -o ro,remount,ro /system
And then reboot. After this step, go to the WiFi settings on your phone, and in Burp proxy settings add a proxy, select listen on all interfaces and put a port number not used by your system (ex 8080 or 8083), then activate the proxy and activate HTTP intercept in Burp. Then back in the WiFi settings on Android, select proxy and put your proxy IP and port. Every request from now on is redirected to the computer, and you should be able to intercept it to forward it or drop it.
@nourmehdi It worked! I will start experimenting with the requests. Thank you.
@EnginDzhemil perfect, the API calls you're looking for are those made to the Airbnk cloud server; disregard all API calls to other servers. In the API you have a field called "mark", which can be set to 1 or to 2, one for closing and the other for opening the lock. Leave everything as it is (token, userid...), only change the mark field and the uuid (you can generate it online, uuid version 4, because the uuid is unique), and then play with the requests using Burp Repeater or Postman or any other tools. The API you're looking for is lockorunlockchilddevice.... Have fun, and I'm here if you need any help
@nourmehdi Yeah, already tried most of the requests. We can even request a login code, then log in and get a token without even owning a mobile device. I will do my best to document most of the APIs and create a proof of concept app in Node.js.
@EnginDzhemil perfect, good work. I'm trying to reverse the Bluetooth and OTP algorithm, to get rid of the cloud dependency. Hope it will work
Does the W100 really use an ESP32 and the built-in BT stack? If so, can we upload the firmware to another ESP32 and test this? I've some free ESP32 modules...
@fabitom indeed the W100 uses the ESP32 WiFi+BT chip; the firmware can be dumped and flashed on another ESP32, but there's some challenge. The W100 communicates with the Airbnk cloud via non-secure MQTT, and unfortunately the OTP to open the lock is coming from the cloud to the ESP32 via MQTT, then relayed to the lock via BT, so the ESP32 is no more than a relay. It would have been interesting if the OTP algorithm was hardcoded in the ESP32 firmware, but it is not the case.
@nourmehdi so basically, it will always rely on the cloud. But if we reverse-engineer the AUTH flow, we can write an integration for HA. I'm curious if the Airbnk application does work over BT without an internet connection. That would mean that the OTP logic is included in the app also.
@nourmehdi what about the serial number? Is it used only for pairing? Did you try to change the serial number for the W100 and check if it works? IMHO the W100 should use the serial or... only the app and lock can use the serial in encryption/OTP... do you know if the serial number is hardcoded in the firmware?
Definitely there is local OTP generation. I have seen the code in the decompiled APK. When you disable the W100 WiFi bridge, open the app on the device screen, disable the phone's WiFi and try to unlock/lock, it works. The Bluetooth HCI logs show several read/write requests. I am guessing the mobile app requests a challenge from the lock, generates an OTP using the challenge and uses it to operate the lock. I am very new to this Android/Bluetooth reverse engineering; if any of you have an idea what our next steps would be to reproduce this with an ESP32 or Raspberry Pi, I am all ears.
@nourmehdi I have started following your procedure but when I launch the command at step 1) I get the following error:
openssl x509 -inform PEM -subject_hash_old -in certificate.pem | head -n -1
unable to load certificate
139667923669632:error:0909006C:PEM routines:get_name:no start line:../crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE
how am I supposed to trust the certificate? Maybe @EnginDzhemil can help too... Let me know please, thank you
@formatBCE you are right, as I mentioned a few months ago: the W100 and the Airbnk app rely on the cloud for OTP generation, but fortunately the Airbnk app has the OTP algorithm in the source code and is using it during Bluetooth lock operations. During the lock opening operations, the Airbnk app doesn't use OTP. Instead it uses only some binding, manufacturer, sn... information, and then a kind of signature protocol to encrypt the payload via AES and then send it via Bluetooth. I have successfully reversed the Bluetooth GATT profiles the lock is using for write/read/notify. Now I'm working on Python; I've found a library to use the Bluetooth HCI to communicate with the lock. This library is imported into the Python code and used to write and read the lock's Bluetooth characteristics. Once this interface is complete, I will be rewriting the open/close algorithm from Java to Python and then test it. I was able to sniff the Bluetooth communication with an Android phone using Wireshark and dumping the btsnoop data from the phone. And the reverse job was done using JADX GUI.
@fabitom I think even if the serial number is encoded in the firmware it is useless; we want something free from the cloud, and the path of reversing the APK is the way for that.
@rospogrigio are you sure you replaced certificate.pem in the command with the name of your certificate exported from Burp?
yes... Edit: I get the same output on my PC and on my RPi. Am I supposed to do anything before I export the certificate? I have just launched Burp with the default options and exported it. I also tried to re-generate it, with no luck.
@EnginDzhemil exactly, the Airbnk app, when connected over Bluetooth, automatically switches to using direct communication instead of remote. And in this case the OTP generation is done from the source code. As for a challenge between the lock and the Airbnk app, I haven't noticed something like that; dumping the BT HCI logs only shows the Airbnk app trying to read the lock's Bluetooth profiles, and then the app sends a write request to a characteristic whose uuid begins with ..fff2. It sends a payload of a fixed HEX code (I found it in the decompiled APK), the lock replies with a notification using a characteristic whose uuid begins with ..fff3, and this response from the lock using the fff3 characteristic is all the app needs to know (which lock it is, which software version, firmware, battery, lock status....). After receiving that, the app will use different functions to generate the open or close payload. And for information, you will find all binding keys, app keys... used during this process in the SQLite database stored in Android at /data/data/..airbnk package name../databases/AirbnkDB
@rospogrigio which openssl version have you got?
1.1.1d on RPi, 1f on my PC. Burp is v2021.8.2 Build 9403, if it can help.
If you exported the certificate directly from Burp it is in DER format. I recommend starting again: export the certificate from Burp using the first choice, DER, and name your certificate MITM.der for example, and then save it into a folder. The next step is to convert it to PEM using this command: openssl x509 -inform der -in MITM.der -out certificate.pem. Once you got your PEM format, use the above steps and continue. Let me know
@nourmehdi Yes, your explanation makes more sense. As I said, I am very new to this. I didn't know what I was looking for in the logs. Thank you for taking the time to explain.
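The "unable to load certificate" error in this thread comes from feeding Burp's DER export to a command that expects PEM. As an added example (not the thread's, Burp's or Android's own code), this pure Python script computes the same `<subject_hash_old>.0` file name Android needs under /system/etc/security/cacerts/, accepting either DER or PEM (including a PEM with `-text` output in front of the armor) and failing with a clear message otherwise. The sample certificate is constructed for the demo: valid DER structure, but no real key or signature.

```python
import base64
import hashlib
import re

def _read_tlv(buf, pos):
    """One DER tag-length-value at pos -> (tag, value, raw_tlv, end)."""
    start, tag, length, pos = pos, buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes carry the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], buf[start:pos + length], pos + length

def _children(value):
    """Split a SEQUENCE value into its component (tag, value, raw_tlv) tuples."""
    pos, out = 0, []
    while pos < len(value):
        tag, val, raw, pos = _read_tlv(value, pos)
        out.append((tag, val, raw))
    return out

def to_der(data):
    """Accept DER or PEM; Burp exports DER, which 'openssl x509 -inform PEM' rejects."""
    if b"-----BEGIN CERTIFICATE-----" in data:
        m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", data, re.S)
        if not m:
            raise ValueError("PEM BEGIN line present but no complete CERTIFICATE block")
        return base64.b64decode(b"".join(m.group(1).split()))
    if data[:1] != b"\x30":                 # X.509 DER always opens with a SEQUENCE tag
        raise ValueError("neither a PEM nor a DER certificate")
    return data

def subject_der(cert):
    """DER encoding of the subject Name, including its SEQUENCE tag and length."""
    fields = _children(_children(_read_tlv(to_der(cert), 0)[1])[0][1])  # tbsCertificate
    if fields[0][0] == 0xA0:                # optional [0] EXPLICIT version comes first
        fields = fields[1:]
    return fields[4][2]                     # serial, sigAlg, issuer, validity, subject

def subject_hash_old(cert):
    """openssl x509 -subject_hash_old: MD5 of the DER subject, first 4 bytes little-endian."""
    return "%08x" % int.from_bytes(hashlib.md5(subject_der(cert)).digest()[:4], "little")

def android_cacert_filename(cert):
    return subject_hash_old(cert) + ".0"    # name expected in /system/etc/security/cacerts/

# Constructed sample certificate: valid DER structure, but no real key or signature.
def _tlv(tag, value):
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def _name(cn):
    """Name ::= SEQUENCE { SET { SEQUENCE { OID commonName, PrintableString cn } } }"""
    return _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x13, cn.encode()))))

_ALG = _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + _tlv(0x05, b""))
SAMPLE_SUBJECT = _name("Constructed Test CA")
_TBS = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + _ALG
            + _name("Constructed Issuer") + _tlv(0x30, _tlv(0x17, b"210101000000Z") * 2)
            + SAMPLE_SUBJECT + _tlv(0x30, _ALG + _tlv(0x03, b"\x00" * 129)))
SAMPLE_DER = _tlv(0x30, _TBS + _ALG + _tlv(0x03, b"\x00" * 65))
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")
```

Running `android_cacert_filename` on the real Burp export gives the name to use in step 2 of the procedure above; the rest of the steps are unchanged.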
Thank you @nourmehdi I managed to convert and install the certificate, now I'm having problems in intercepting the traffic but that could be due to the configuration of my office's network, I'll retry from home. Thank you in the meantime!
Perfect, you're welcome. If your office is using a VPN it could make trouble; try at home and let us know
OK I'm trying from home and can intercept some calls but I see no request to Airbnk servers... I'll try some more and maybe with another device, but if you have suggestions they are more than welcome, thank you...
@rospogrigio try to access https://www.google.com and see if it is intercepted in Burp. If it's not, check if you get some SSL error on the Android web page (proof that the SSL certificate is not trusted), which means the certificate is not configured correctly. At the same time, on your Android phone go to Settings > Lock screen and security > Other security settings > View security certificates (System) and look in the list for PortSwigger (PortSwigger CA). If you find it, it's OK; if not, it means that the certificate is not recognised by your Android and that you missed one of the steps mentioned in the previous comment.
OK I tried with another device, Android 9 (the other was Android 10). Almost the same behavior, and I noticed: 1) PortSwigger is not present in the list; 2) in Burp's Dashboard page, in the Event log frame, I get several "Received fatal alert: certificate_unknown" events. Maybe the import procedure is not working? Is there anything else I can try?
@rospogrigio Try opening burpsuiteIp:port on devices browser. It should show Burp Suite page, on top right corner there is CA Certificate button, click it and import the certificate, restart and try again intercepting.
@rospogrigio if the PortSwigger CA is not present in the list, it means the certificate is not trusted by the system; that's why you're unable to intercept TLS traffic. I doubt there's a missed step from above. Just be sure that the hash.0 file exists in the /system/etc/security/cacerts/ directory.
Mmmm I think I know what is wrong. If I try to open the other certificates present, they have much more data. In detail, mine only contains the hash and the ----BEGIN/END CERTIFICATE---- part, while the others then also contain info about Issuer, Validity etc... maybe there's something wrong in the conversion from DER to PEM?
Edit: I also tried what @EnginDzhemil suggested, but no luck... how can I move the certificate from user space to system space?
Hmm, if it's empty then probably the conversion was not successful. You can try to convert your DER certificate using the Windows certificate tool: just rename your exported Burp certificate and give it the extension .crt, then double click on the certificate in Windows, click on the Details tab, then further down click on "Copy to File", click Next and then select the second choice, X.509 Base-64 encoded, then click Next, give it a name with a .pem extension, and then skip the DER to PEM conversion with openssl and start with the hash command. Hope it will work
OK I think I did it. The command I used to convert to pem was:
openssl x509 -inform der -in cacert.der -text -fingerprint > certificate.pem
-text exports certificate info, and -fingerprint adds the SHA1 fingerprint.
I also edited it moving the -----BEGIN/END CERTIFICATE---- part to the top, but it's probably not needed.
Now the certificate is recognized and I can see the API calls (to the url https://wehereapi.seamooncloud.com , the app has now been renamed to WeHere...). Will try to play with these and see what I can achieve.
Thank you for the help and support, looking forward to seeing where your analysis will take you!
When will Tuya device "smart lock" type be supported? Thanks all.