zyonse / homebridge-dreo

Apple HomeKit integration for Dreo Smart Devices
https://www.npmjs.com/package/homebridge-dreo
Apache License 2.0

Did Dreo API block this? #32

Closed JeffSteinbok closed 6 months ago

JeffSteinbok commented 6 months ago

Describe Your Problem: I manage the HomeAssistant HACS integration and noticed today that logins started to fail. Wonder if you see the same thing and if you're able to get a new trace from the app to see what they may have changed?

JeffSteinbok commented 6 months ago

Ok, something seems up with the US endpoint. I can login with the EU endpoint, but not US. Oddly the iOS app still works, so wondering if they changed endpoint recently?

zyonse commented 6 months ago

Just checked and I'm getting the same thing with the homebridge plugin. I'll get some newer logs from the app when I'm back in town tomorrow.

JeffSteinbok commented 6 months ago

Thanks. I never did take the time to get Android Studio & Frida setup, else I'd have a look.

JeffSteinbok commented 6 months ago

I think I got Frida working and all. App looks to be continually banging on the API and getting 403s back.

JeffSteinbok commented 6 months ago

@zyonse - Looks like the URL changed to "website-api" and they have some new required headers: "ua": "dreo/2.5.12 (sdk_gphone64_x86_64;android 14;Scale/2.75)",

It's also not returning the region code like it used to.

JeffSteinbok commented 6 months ago

You can find me on discord at @JeffStei.

I'm still struggling to get the app working right on the emulator. If you get it working, would love to understand the steps to see what I missed.

edabe commented 6 months ago

Thank you for working on this, @JeffSteinbok... much appreciated. I tried website-api-us.dreo-cloud.com with the new user agent, but no luck - still getting 403.

I can authenticate against the EU endpoint, but then I can't manage / get status of my US device.

fawnlake1 commented 6 months ago

Hi, just adding that I as well have the same issue now with a Dreo tower fan and I get:

```
[1/8/2024, 12:34:54 AM] [Dreo Platform] error retrieving token: AxiosError: Request failed with status code 403
    at settle (/usr/lib/node_modules/homebridge-dreo/node_modules/axios/lib/core/settle.js:19:12)
    at IncomingMessage.handleStreamEnd (/usr/lib/node_modules/homebridge-dreo/node_modules/axios/lib/adapters/http.js:585:11)
    at IncomingMessage.emit (node:events:526:35)
    at endReadableNT (node:internal/streams/readable:1589:12)
    at processTicksAndRejections (node:internal/process/task_queues:82:21) {
  code: 'ERR_BAD_REQUEST',
  ... .... .... ... .... ....
[1/8/2024, 12:34:54 AM] [Dreo Platform] Authentication error: Server returned invalid access_token
[1/8/2024, 12:34:54 AM] [Dreo Platform] Make sure your email/password are correct
```

Many thanks for all your efforts on this great plugin!

JeffSteinbok commented 6 months ago

I'm trying to get it all to work on the Android emulator, but so far, just get this loop of requests. Hopefully @zyonse can get it working so we can get a trace.

JeffSteinbok commented 6 months ago

> Thank you for working on this, @JeffSteinbok... much appreciated. I tried website-api-us.dreo-cloud.com with the new user agent, but no luck - still getting 403.
>
> I can authenticate against the EU endpoint, but then I can't manage / get status of my US device.

Same.

andy-cooper commented 6 months ago

Same problem, except I can't even authenticate against the EU endpoint. I've been trying to use the website login to debug this, but haven't made any progress here either. It looks like there are a number of potential US-based hostnames that can be used - app-api-us.dreo-cloud.com, website-api-us.dreo-cloud.com. None of them seem to have any different behaviors.

Using chrome debugger, the JSON payload has a different client ID, client secret and himei, but otherwise is essentially the same.

Here's an example payload with my credentials redacted:

```json
{
  "client_id": "6c2bfbdd497f4addbb77449edd3d73ec",
  "client_secret": "460df321de794ea08110cb3ed32c7452",
  "grant_type": "email-password",
  "scope": "all",
  "email": "REDACTED",
  "password": "REDACTED",
  "encrypt": "ciphertext",
  "himei": "4fe6a6e9d2968d7220f9708159cc93ba"
}
```

derailius commented 6 months ago

> Same problem, except I can't even authenticate against the EU endpoint. I've been trying to use the website login to debug this, but haven't made any progress here either. It looks like there are a number of potential US-based hostnames that can be used - app-api-us.dreo-cloud.com, website-api-us.dreo-cloud.com. None of them seem to have any different behaviors.
>
> Using chrome debugger, the JSON payload has a different client ID, client secret and himei, but otherwise is essentially the same.
>
> Here's an example payload with my credentials redacted
>
> `{ "client_id": "", "client_secret": "", "grant_type": "email-password", "scope": "all", "email": "REDACTED", "password": "REDACTED", "encrypt": "ciphertext", "himei": "" }`

You're gonna wanna change your password ASAP now.

JeffSteinbok commented 6 months ago

There's a web login? Got a link?

andy-cooper commented 6 months ago

> Same problem, except I can't even authenticate against the EU endpoint. I've been trying to use the website login to debug this, but haven't made any progress here either. It looks like there are a number of potential US-based hostnames that can be used - app-api-us.dreo-cloud.com, website-api-us.dreo-cloud.com. None of them seem to have any different behaviors.
>
> Using chrome debugger, the JSON payload has a different client ID, client secret and himei, but otherwise is essentially the same.
>
> Here's an example payload with my credentials redacted
>
> `{ "client_id": "", "client_secret": "", "grant_type": "email-password", "scope": "all", "email": "REDACTED", "password": "REDACTED", "encrypt": "ciphertext", "himei": "" }`
>
> You're gonna wanna change your password ASAP now.

I redacted it before posting and replaced it with the word "REDACTED"

andy-cooper commented 6 months ago

> There's a web login? Got a link?

Go to https://www.dreo.com and click on the little person icon on the top right, or try click on https://dreo.com/account/home

edabe commented 6 months ago

I tried to poke the iOS app network traffic via Charles SSL proxy - the app-api-us.dreo-cloud.com connection is rejected with SSL handshake with client failed - Remote host terminated the handshake and the app fails to authenticate / retrieve any information. :(

SSL proxy settings seem correct as it is able to decode other https requests (like www.dreo-cloud.com)

JeffSteinbok commented 6 months ago

Unfortunately the app uses Cert Pinning so this doesn't work.

edabe commented 6 months ago

Right... just came to that conclusion

zyonse commented 6 months ago

Pretty sure I just figured out what was wrong, the 'ua' string in the request header needed to be changed. Will push an update shortly.

zyonse commented 6 months ago

Should be fixed in v3.2.3, please test it out and let me know.

edabe commented 6 months ago

I'm not using homebridge, so I can't test. But I updated the ua in my local environment and it seems to work.

Thank you @zyonse!

If you have the time, would you mind sharing some insights about how you managed to troubleshoot this?

mccarron commented 6 months ago

@zyonse I just updated and it's working great here now. Thanks for the quick fix!

fawnlake1 commented 6 months ago

@zyonse Wanted to confirm that it is working again and really appreciate your quick fix!

andy-cooper commented 6 months ago

@JeffSteinbok I'll also confirm it's working in HAOS again - thank you!

zyonse commented 6 months ago

> If you have the time, would you mind sharing some insights about how you managed to troubleshoot this?

@edabe The Dreo app also stopped connecting in the Android Studio emulator, so I figured they must have implemented some sort of server-side block. In the network requests we use, the most obvious difference between Homebridge/Emulator users and a normal app user is that 'ua' (AKA user agent) string. I just changed it from x86_64 to arm64 and it immediately started working.
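
The check zyonse describes, written out as an added example (this is not homebridge-dreo's code and not Dreo's): a parser for the `ua` header format quoted earlier in this thread, a test for the x86_64 emulator marker that the fix replaced with arm64, and a helper that stops a 403 from being reported as "check your email/password" the way the log above does. The 401-means-credentials / 403-means-blocked split is an assumption about Dreo's server, not something the thread confirms, and the sample inputs are constructed, not captured.

```javascript
// Added example, not code from homebridge-dreo or from Dreo.
// The 'ua' header format below is the one quoted in this thread:
//   dreo/2.5.12 (sdk_gphone64_x86_64;android 14;Scale/2.75)
// "sdk_gphone64_x86_64" is the Android Studio emulator's model string; the
// fix that worked was swapping the x86_64 ABI token for arm64.

const UA_RE = /^([A-Za-z0-9_-]+)\/([\d.]+) \(([^;]+);([^;]+);Scale\/([\d.]+)\)$/;

// Parse the 'ua' header into its parts, or return null if it does not match.
function parseDreoUa(ua) {
  const m = UA_RE.exec(ua);
  if (!m) return null;
  return { app: m[1], version: m[2], model: m[3], os: m[4], scale: m[5] };
}

// True when the model token carries the x86 marker that the server appears
// to have started rejecting (the only token the thread's fix changed).
function looksLikeX86Emulator(ua) {
  const parsed = parseDreoUa(ua);
  return parsed !== null && /x86(_64)?/i.test(parsed.model);
}

// Rewrite the ABI token the way the fix did. Assumption: only that token
// matters; sdk_gphone64_arm64 is the ARM emulator's model string.
function toArm64Ua(ua) {
  return ua.replace(/x86_64/i, 'arm64');
}

// Map an axios-style error to a cause. Assumption (not confirmed by the
// thread): 401 means bad credentials, 403 means the request itself was
// refused, e.g. because of headers/UA, so it should not be reported as a
// password problem.
function classifyAuthFailure(err) {
  if (!err.response) return 'network';
  switch (err.response.status) {
    case 401: return 'bad-credentials';
    case 403: return 'request-blocked';
    default: return 'other';
  }
}

// Combine the two: on a 403 with an emulator-looking UA, suggest the swap.
function diagnose(ua, err) {
  const cause = classifyAuthFailure(err);
  if (cause === 'request-blocked' && looksLikeX86Emulator(ua)) {
    return { cause, hint: 'ua looks like an x86 emulator; try ' + toArm64Ua(ua) };
  }
  return { cause, hint: null };
}

// Constructed sample inputs (not captured from a real device or server).
const EMULATOR_UA = 'dreo/2.5.12 (sdk_gphone64_x86_64;android 14;Scale/2.75)';
const PHONE_UA = 'dreo/2.5.12 (Pixel 7;android 14;Scale/2.75)';
const SAMPLE_403 = { code: 'ERR_BAD_REQUEST', response: { status: 403 } };

console.log(diagnose(EMULATOR_UA, SAMPLE_403));
console.log(diagnose(PHONE_UA, SAMPLE_403));
```

Run with `node` and the first line prints a hint pointing at the arm64 UA, the second prints `request-blocked` with no hint, since a real-device model string gives nothing to swap.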

edabe commented 6 months ago

Thank you @zyonse Also, thank you for pointing this out in the README: https://github.com/JeffSteinbok/hass-dreo/blob/main/contributing.md

It is helping me understand how to trace the network requests from the app and circumvent the SSL cert pinning