tomikaa87 / gree-remote

Simple remote control utility for Gree Smart air conditioners
GNU General Public License v3.0

Do you have a way to get the GenericKey? (old: "a3K8Bx%2r8Y7#xDh") #36

Open hemingfei opened 3 years ago

hemingfei commented 3 years ago

I bought a new Gree AC. It can be controlled by Gree's app, and I tried to control it myself over UDP. It can be discovered but cannot bind. My old Gree AC can be discovered and binds successfully, so the problem is that the new one changed the GenericKey. Do you have a way to get or hack the new generic key? Please, I really want to get it. Of my 5 Gree ACs, only the last one I cannot control myself.

hemingfei commented 3 years ago

Could you give me a guide on how to find the position in the Android APK file?

tomikaa87 commented 3 years ago

Hi @hemingfei,

Do you have a capture of the bind process with the new AC units? I should check if the base protocol is the same. AFAIK the latest version of the Gree app moved the encryption key from the Java code into a native shared library so it needs a native disassembler to find it. I can check it. Which Gree app do you use? Can you give me a Play Store link to it?

hemingfei commented 3 years ago

格力王者

The capture is of the discovery, but it cannot bind.

The APK I use is at http://www.5you.com/apk/362297.html

hemingfei commented 3 years ago

The AC I cannot bind is in the list, as the following capture shows:

open the APP->1->2->3

Scroll down to see the AC picture.

tomikaa87 commented 3 years ago

Since search works in your case, the generic key is correct because it can decrypt the response packet. Can you create a capture of the binding process via Wireshark or https://play.google.com/store/apps/details?id=app.greyshirts.sslcapture? I think there is a difference in the base protocol and the AC unit doesn't accept the current bind request format.

hemingfei commented 3 years ago

I used this app to see the messages. I controlled the AC with the Gree+ app, turning the AC's light on/off. The message is shown in the screenshot: {"cid":"app","i":0,"pack":"Zm28npf23WR1CUHB/ZJldS4HbX01iBw9pjTJuzRKIZ1q9XohBIK04REex2/NXYK2qWqIVBBFgKUm2kXWd5OGPCWirboUwDdqyjN0/bgy61Dom8SXQCzWjuO38Wol3OOf","t":"pack","tcid":"f4911ef8f0f0","uid":12813103}

{"t":"pack","i":0,"uid":12813103,"cid":"f4911ef8f0f0","tcid":"53c3bf0212c4","pack":"UigBHq/IHIao6zm8J32fystjYcM6aZugv3v7vuzg5xoccH46GKQPqNIM7jovaWKtUFG3w+OPD8GQTZyRHQrEiaaQKtckDCKOVAxg27f8/vP1H08DEaJSwWFCtYKXBJILIIyRGSPtxXTmrZsux0BEt08WJK1aOKPEo7ZvGv2rU7BG7MoyFTvPbwsZMiWZ08vYTY+HfpnApS874kfeSsb/kg=="}

The message matches the control format. How do I get the encrypted 'pack' content to see if the JSON changed?

And also, my problem is in the binding process; it cannot bind.

hemingfei commented 3 years ago

I will try: 1. see if the binding has a response, 2. try TCP messages.

Another question: for my other Gree AC, which I have bound successfully, when I send another discovery "t": "scan", there is no response.

hemingfei commented 3 years ago

I checked the process again, and found that the whole process is OK, but the new Gree has no response when binding.

Then I tried to catch the messages, wanting to see the details of the binding process. Using your Android app, I found that when I opened the app, I could not run the Gree+ app to discover and bind devices (I don't know why), but it can be used after binding to see the messages of controlling devices. Then I used the Windows software Charles to catch the messages; unfortunately it can only catch the messages communicating with the internet, such as those with Gree's server. It cannot catch the messages on the home address range (192.168.x.x). I will continue working on it and want to find the details of the binding process.

tomikaa87 commented 3 years ago

At first glance, these new units use the uid field which is defaulted to 0 in the script. It's worth a try to set that field to the value that comes from the unit in the scan response.

tg44 commented 1 year ago

Any progress on this? I have the same issue, I can send the broadcast, get a response, but the pack: 'LP24Ek0OaYogxs3iQLjL4BZGC1L9UK8LWYY9r9h4dgWMa9lM2RqI/KytvJ32IsGSZXrOr+MakVzzXHbghPeyijnWMzaLQaaw1aFXlE9k71L0cMm8bsr/y4FkxumpRg1t0xV8+/m47OTBNaX/8aUl1ZJhYuNQNgXxv5Sro8mBB9BzMQoS41XpnORSG7+GfavhnKYbt0iIDsdp8/ftXlA9Hi9SYH2dzE8EeLZzuqwrQT280gq9HxK8Loa8WXVjgZcP4Vf5MjKxa60Xt5J1oI+lsxUuXTHkgunLg76WWGy+euo=' has "invalid key len"

tomikaa87 commented 1 year ago

@tg44 No progress on this unfortunately. I've tried disassembling multiple versions of the official apps, but didn't find the encryption-related code with the method I've used previously -- not even the old generic key which was stored in plain text before. Just as I've mentioned and you've found out, the new app versions hide these things somehow. The native library is suspicious, but all of the disassemblers I've tried gave the same results with the many randomly-named empty exported functions. At that point I don't have other ideas where to continue. Someone with more experience in this field should take a look at the new apps.

tg44 commented 1 year ago

Do we have captured firmware files?

tomikaa87 commented 1 year ago

Please check this issue for updates: https://github.com/tomikaa87/gree-remote/issues/52