Tuya Garage door opener

[jchristianj]

Hi!
I'm about to purchase this garage door opener:
https://www.amazon.com/dp/B07GGRCH23/ref=cm_sw_em_r_mt_dp_U_ea58CbW6D87JX

Will it be possible to add it to Homekit by Homebridge and your plugin on my Raspberry pi?
Main point is, I would like to have it shown as a garage door in Homekit, not as a switch. It should indicate feedback of the door (open/closed) in the icon as well.
Can you confirm it will be working like this?

Thanks and regards,
Christian

[rangerek]

therte is already a thread for garage door opener here

[jchristianj]

Sorry, was not aware that this is the same device.
Anyhow, the thread ist stuck 2 months ago. Any progress on this?

[AMoo-Miki]

Please give the latest rc release a shot by doing npm i -g homebridge-tuya-lan@rc. The documentation has been updated for all the new devices released with v1.4.0; please refer to the Supported Devices page.

The Setup Instructions have changed in case you need to obtain a fresh id and key.

[unvalider]

Hi,

I have configured and installed the latest release for this plugin in homebridge but I am hitting the following error continuously, any advice on what I am doing so wrong would be appreciated.

[TuyaAccessory] Socket had a problem and will reconnect to Garage Door (Error: ERR_PING_TIMED_OUT). This is common for v3.3 devices.

[AMoo-Miki]

If the device works, the ping timeout is not that important. Does it work?

[AMoo-Miki]

@jchristianj, my own garage door opener shows up as a garage door with Homekit's animation and everything. Having it as a switch would be so ugly.

[unvalider]

@AMoo-Miki , thanks for the reply. The garage door opener does not work. I've tested ping from shell and it takes 200ms first try, then drops to 10ms, so network shouldn't be an issue.

The controller does work from the native Tuya app, but not via homebridge.

[AMoo-Miki]

The ping timeout is different from the ping you checked; it is a Tuya thing. Add `"pingTimeout": 3600 to prevent the socket from timing out.

Also make sure that the Tuya app is not running on your phone as that will block the device from talking to this plugin.

Do you see anything in the logs that Ready to handle ... with signature? What is the signature?

[unvalider]

2019-09-07 06:02:53,stdout,"�[37m[9/7/2019, 6:02:53 AM]�[39m �[36m[TuyaLan]�[39m Ready to handle Garage Door (GarageDoor:3.3) with signature {"7":0}

I haven't had any matching logs in the last hour current time being 7:44 am (UTC).

I have completely uninstalled the Tuya app from my phone after getting the ID and keys.

[AMoo-Miki]

This is great.

Add this to your config file for this device: "dpAction": 7 and give it a shot.

[unvalider]

After applying changes to the config.json, and restarting the docker container, I get the following error:
[TuyaAccessory] Socket had a problem and will reconnect to Garage Door (ECONNRESET). This is common for v3.3 devices.
Current config.json contents (related to this device)
"platform": "TuyaLan", "devices": [{ "name": "Garage Door", "type": "GarageDoor", "manufacturer": "Tuya", "model": "Garage Opener", "id": "<< removed >>", "key": " << removed >>", "version": "3.3", "dpaction": 7, "pingTimeout": 3600 }]

Spotted I'd mistyped dpAction as dpaction. Fixed and trying again.

[AMoo-Miki]

You are better off without the version in the config unless you know your device is indeed a 3.3. The plugin figures this out for itself. If your device is really a 3.1, having the 3.3 could explain the ping timeouts and it could prevent the plugin from communicating correctly.

[AMoo-Miki]

I deleted your message because it had your key in it. Are you able to control the door now?

[unvalider]

Fixed: JSON section now reads;
"platforms": [{ "platform": "TuyaLan", "devices": [{ "name": "Garage Door", "type": "GarageDoor", "manufacturer": "Tuya", "model": "Garage Opener", "id": "<< removed >>", "key": "<< removed >>", "dpAction": 7, "pingTimeout": 3600
Still receiving error message:
[TuyaAccessory] Socket had a problem and will reconnect to Garage Door (ECONNRESET). This is common for v3.3 devices.

[AMoo-Miki]

ECONNRESET is normal; ignore it.

Do you see the signature line? Can you open the Home app and try to open the garage door? When you do, what messages do you see in the log?

[unvalider]

No change. Device is now showing in HomeKit with a red Open state - and not responding to change state actions.

[AMoo-Miki]

Do you see any messages in the log?

[unvalider]

After container restart, had the following log messages:

`2019-09-07 08:03:48,stdout,"�[37m[9/7/2019, 8:03:48 AM]�[39m �[36m[TuyaLan]�[39m Discovered Garage Door ( << id >> ) identified as GarageDoor (3.3)

2019-09-07 08:03:48,stdout,"�[37m[9/7/2019, 8:03:48 AM]�[39m �[36m[TuyaLan]�[39m Connected to Garage Door
"

2019-09-07 08:04:24,stdout,[TuyaAccessory] Socket had a problem and will reconnect to Garage Door (ECONNRESET). This is common for v3.3 devices.
`

[AMoo-Miki]

No Ready to handle ... with signature message?

PS, id is not important, key is the one you need to hide.

[unvalider]

Nothing in the logs, this is the most recent records.
Just thought I'd double-check that it's even a compatible device, this is the device I purchased:
https://s.click.aliexpress.com/e/LBsAra0g

Terminal only has the ECONNRESET records, nothing else is tagged [TuyaAccessories] or [TuyaLan]

[AMoo-Miki]

Without the Tuya app, how do you control the device?

[unvalider]

My HomeBridge links to HomeKit for control.
For testing purposes I removed the app to cut over to HomeKit; I haven't had issues using the device in the Tuya app.

[AMoo-Miki]

Gotcha. When you said you uninstalled the Tuya app, I thought maybe you had a different one. Still thinking :)

[AMoo-Miki]

That line that says Discovered ... can you check the entire line. Also, can you update to the latest rc release as it has some additional logging.

[unvalider]

Discovered line:
[9/7/2019, 8:30:28 AM] [TuyaLan] Discovered Garage Door (30302582840d8e79a346) identified as GarageDoor (3.3)

Was on homebridge-tuya-lan v1.5.0-rc.3, just updated to rc.5.

Restarting now, will advise status.

[AMoo-Miki]

I just pushed another rc (v1.5.0-rc.6) with one extra log message. Can you please try that?

How are you powering the device? Can you power cycle it?

[unvalider]

Updated to rc6.

Logs:
[9/7/2019, 8:44:48 AM] [TuyaLan] Discovered Garage Door (30302582840d8e79a346) identified as GarageDoor (3.3) [9/7/2019, 8:44:48 AM] [TuyaLan] Connected to Garage Door [TuyaAccessory] Sending first query Garage Door (3.3) [TuyaAccessory] Socket had a problem and will reconnect to Garage Door (ECONNRESET). This is common for v3.3 devices. [TuyaAccessory] Sending first query Garage Door (3.3)

Physically disconnecting from AC and reconnecting. Will attempt power-cycle now.

[AMoo-Miki]

Something odd is happening here. This device gave us the signature before and now it is refusing to give it to us.

[unvalider]

`[9/7/2019, 8:51:02 AM] Loaded plugin: homebridge-tuya-lan
[9/7/2019, 8:51:02 AM] Registering platform 'homebridge-tuya-lan.TuyaLan'
[9/7/2019, 8:51:02 AM] ---
[9/7/2019, 8:51:02 AM] Loading 4 platforms...
[9/7/2019, 8:51:02 AM] [TuyaLan] Initializing TuyaLan platform...
[9/7/2019, 8:51:02 AM] [TuyaLan] Marked Garage Door unreachable by faulting Service.Garage Door.Target Door State
[9/7/2019, 8:51:02 AM] [TuyaLan] Starting discovery...
[TuyaDiscovery] Discovery started on port 6666.
[TuyaDiscovery] Discovery started on port 6667.
Setup Payload:
X-HM://0023ISYWY6N8L
Scan this code with your HomeKit app on your iOS device to pair with Homebridge:
Or enter this code with your HomeKit app on your iOS device to pair with Homebridge:

┌────────────┐     
│ removed │     
└────────────┘     

[9/7/2019, 8:51:04 AM] Homebridge is running on port 51758.
[9/7/2019, 8:51:05 AM] [TuyaLan] Discovered Garage Door (30302582840d8e79a346) identified as GarageDoor (3.3)
[9/7/2019, 8:51:05 AM] [TuyaLan] Connected to Garage Door
[TuyaAccessory] Sending first query Garage Door (3.3)
[TuyaAccessory] Socket had a problem and will reconnect to Garage Door (ECONNRESET). This is common for v3.3 devices.
[TuyaAccessory] Sending first query Garage Door (3.3)
[TuyaAccessory] Socket had a problem and will reconnect to Garage Door (ECONNRESET). This is common for v3.3 devices.
[TuyaAccessory] Sending first query Garage Door (3.3)
`

[AMoo-Miki]

Can you try to re-get the id and key to see if it might have changed? The device is kicking us out as soon as we send the first query which could be due to a bad key. I have heard of devices changing keys in certain conditions.

[unvalider]

"devices": [ { "intro": false, "name": "Garage Door", "type": "GarageDoor", "manufacturer": "Tuya", "model": "Garage Opener", "id": "30302582840d8e79a346", "key": " << removed >>", "flipState": true, "pingTimeout": 3600 ...

[AMoo-Miki]

Get rid of flipState for now. pingTimeout is also not needed anymore. I don't expect any real change now:

1. The device will be accessible in the Home app (but it will not show its status correctly)
2. I am hoping ECONNRESET won't show up any more.

[unvalider]

"devices": [ { "intro": false, "name": "Garage Door", "type": "GarageDoor", "manufacturer": "Tuya", "model": "Garage Opener", "id": "30302582840d8e79a346", "key": "<< removed >>" } ]

[AMoo-Miki]

Config is good. How does the device act?

[unvalider]

Device didn't react - but the logs are now showing more information on status changes from iOS

logs
[9/7/2019, 9:54:00 AM] [TuyaLan] Connected to Garage Door [9/7/2019, 9:54:00 AM] [TuyaLan] Ready to handle Garage Door (GarageDoor:3.3) with signature {} [TuyaAccessory] Sending first query to Garage Door (3.3) [TuyaAccessory] Sending Garage Door {"1":true} [TuyaAccessory] Socket had a problem and will reconnect to Garage Door (ECONNRESET) [TuyaAccessory] GarageDoor changed: {} [TuyaAccessory] Sending first query to Garage Door (3.3) [TuyaAccessory] Sending Garage Door {"1":true} [TuyaAccessory] Socket had a problem and will reconnect to Garage Door (Error: ERR_PING_TIMED_OUT) [TuyaAccessory] GarageDoor changed: {} [TuyaAccessory] Sending first query to Garage Door (3.3) [TuyaAccessory] Sending Garage Door {"1":true} [TuyaAccessory] Socket had a problem and will reconnect to Garage Door (Error: ERR_PING_TIMED_OUT) [TuyaAccessory] GarageDoor changed: {} [TuyaAccessory] Sending first query to Garage Door (3.3)

[AMoo-Miki]

:( One step forward and on back.

What operating system are you on? Do you have a Mac handy? These are $50 locally :( I am tempted to order one just to test it.

I have this in my cart, ready for checkout; is it the one you have?

[unvalider]

We're on a 2017 MacBook Pro on Catalina public beta. HomeBridge is on a Synology DiskStation inside a Docker container.

[unvalider]

That one looks the same. I'm about to spin up Wireshark to see what's going in/out

[AMoo-Miki]

Cool. That is what I was going to propose. Here is how you can tap in:

1. Get your phone's EDID (click on the serial number in itunes to show the EDID and then use the edit menu to copy)
2. Remove all DNS servers from DNS configuraion of your WiFi connection of the phone after changing it to Manual, and add a fake but valid IP (10.0.0.253). This will force Tuya's app to talk to the devices locally when it can't reach the internet.
3. Make sure Tuya app is killed.
4. rvictl -s <EDID>.
5. sudo tcpdump -i rvi0 -w trace.pcap
6. Open Tuya's app. Wait for 30 seconds.
7. Open the door. Close the door.
8. Ctrl+C to kill tcpdump.
9. rvictl -x <EDID> to end the routing.
10. Change the DNS on your phone to Automatic.

Now, I would trust me not to look at anything but Tuya on your dump but I wouldn't fault you if you don't. So either send me your pcap and key so I can decode it (i'll give you my email), or let me know and I will write an app to decode it on your end.

PS, if you choose to send me your key, we will filter out the pcap to not have any information other than the device communication.

[unvalider]

I might shoot you an email, it's a bit easier, because there's a bit of background noise in the pcap I've captured.

[unvalider]

Just as a side note, the captures are from macOS from the native Home app there. I didn't have access to the transmissions being sent/received from the iOS app; this computer doesn't have Xcode installed at the moment. Happy to do so later on (it's 9pm in my local timezone :|

[AMoo-Miki]

Of course. To make sure you don't share your bank account details with me:

1. Open Wireshark.
2. Drop the pcap file into it. It will show you an error about cut short; hit OK.
3. In the filter box, enter (ip.dst == 10.0.0.129 or ip.src == 10.0.0.129) and tcp but replace the IP for your device's IP, Hit enter to apply the filter
4. Right click on any of the rows and choose Follow and TCP Stream; this will open a new dialog.
5. At the bottom, change Show and save data as to YAML or C Array and then hit Save as.
6. Mail me the file you saved as well as your key (which is used to decrypt it) at amoo_miki@yahoo.com

[unvalider]

Thanks, I've just sent through the pcap file to your email now.

[AMoo-Miki]

@unvalider I sent you an email; your device is not there anywhere in the trace :(

I created a complete set of instructions for this and it is a bit more complete that what we discussed here. See if you can follow that and get the trace.

[unvalider]

Thanks.
I will run an new capture in a few hours and send it though, I appreciate your assistance in trying to get this to work.

[AMoo-Miki]

Of course; whenever you get a chance. It's my pleasure.

[unvalider]

new packet captures have been sent through.

[AMoo-Miki]

Got your email. Decoded. The only difference I see is that I am not sending a CRC otherwise the plugin's commands are identical to those of the app. I will add CRC and let you know.

[AMoo-Miki]

There were 3 sections in a message that I was not handling: (1) control counter, (2) 8 characters that I haven't figured out, and (3) CRC checksum. I have added the CRC checksum and am hoping that is all that is needed to get your device to work.

Please update to the latest rc release with npm i -g homebridge-tuya-lan@rc. After you restart homebridge, please also power-cycle the device to make sure it is in a clean state.

[unvalider]

Hi @AMoo-Miki
I have been using the Garage Door opener successfully through HomeKit since updating to the latest rc. The open & close states are displaying correctly and homebridge is no longer throwing errors at me.

[AMoo-Miki]

Hurray! Thanks for helping figure this out; I would have renamed this accessory in your honor but I fear people will get confused >:\

Let's hope @jchristianj also reports back that the problem is solved.

[singhrajtomar]

Fixed: JSON section now reads;
"platforms": [{ "platform": "TuyaLan", "devices": [{ "name": "Garage Door", "type": "GarageDoor", "manufacturer": "Tuya", "model": "Garage Opener", "id": "<< removed >>", "key": "<< removed >>", "dpAction": 7, "pingTimeout": 3600
Still receiving error message:
[TuyaAccessory] Socket had a problem and will reconnect to Garage Door (ECONNRESET). This is common for v3.3 devices.

Hi,
I am also using a Garage Door Opener by Tuya, May I know how did you find the ID and Key of the device?

Thank You

[crampus]

@singhrajtomar I was with @unvalider when he was setting his up, and I have the same model.

There used to be a method which was available as a part of homebridge-tuya-lan, called tuya-lan-find, which would (by putting your iPhone into a proxy environment for a Man-In-The-Middle style configuration) enable the id and key to be retrieved from the Tuya Smart app. Tuya patched their app, and this no longer works. There are other alternate apps that also worked with the proxy find service; Ucomen Home, and Smart Life; these too appear to be patched in current versions.

I can't even get Ucomen Home to recognise the opener anymore; even though this was the way it was initially set up; and the key appears to have changed; so I'm unable to get it set back up.

[singhrajtomar]

@singhrajtomar I was with @unvalider when he was setting his up, and I have the same model.

There used to be a method which was available as a part of homebridge-tuya-lan, called tuya-lan-find, which would (by putting your iPhone into a proxy environment for a Man-In-The-Middle style configuration) enable the id and key to be retrieved from the Tuya Smart app. Tuya patched their app, and this no longer works. There are other alternate apps that also worked with the proxy find service; Ucomen Home, and Smart Life; these too appear to be patched in current versions.

I can't even get Ucomen Home to recognise the opener anymore; even though this was the way it was initially set up; and the key appears to have changed; so I'm unable to get it set back up.

how should we intercept the id and key then? do we have to use wireshark or similar tool then?

[crampus]

@singhrajtomar The ID can be retrieved through the TuyaSmart app.

The key cannot be retrieved; it’s used to encrypt the traffic.

You could in theory try brute-force; but you’d need to know the encryption algorithm in use, and given the keys are 16-character hexadecimal, there’s about 18,446,744,070,737,095,500 (18 quintillion) possible combinations, even if your computer could attempt 10 keys per second, you would be in for a wait of approximately 5 billion years to exhaust all possibilities.

[crampus]

I have the beginnings of a theory, but it's untested, as the files I want to test are encrypted with a key I am uncertain on how to retrieve.

I went on a bit of a deep-dive to see if I can find any more information on the Tuya app yesterday. Tuya have been so generous as to include a list of all the other libraries used as a part of developing the Tuya Smart Application within the settings section of the app.

As at 15/04/2020, this stood as:

CocoaAsyncSocket
DACircularProgress
dsBridge
EZAudio
FLAnimatedImage
HMSegmentedControl
IOKeyboardManager
KSCrash
libextobjc
lottie-ios
Masony
MBProgressHUD
MJRefresh
MMKV
MQTTClient
NJKWebViewProgress
OpenSSL-Universal
Reachability
SDVersion
SDWebImage
SQLCipher
SSZipArchive
UICKeyChainStore
YYModel
TZImagePickerConroller
react-native
FFMPeg

Packages relevant to database encryption: OpenSSL, MMKV, UICKeyChainStore and SQLCipher.
OpenSSL doesn't help us much as it's a broad-scope en/decryption toolkit, however:

MMKV uses AES-128-CFB for encryption and decryption
SQLCipher uses AES-256-CBC for encryption and decryption
UICKeyChainStore is a library to simplify native iOS/macOS keychain integration.

After performing an un-encrypted iOS backup to my Mac, and then browsing said backup with a third party utility (iBackup Browser: "freemium" commercial software), I was able to access the file storage used by Tuya Smart, cross-checking against Ucomen Home. They're all the same on the back-end.

I could be way off; however, my instincts say that the key for the devices is stored in /AppDomain-com.tuya.smart/Documents/tuyasmartcfg.db; which is AES-256 CBC encrypted, and the key used to decrypt the contents of the .db file could possibly be stored in /AppDomain-com.tuya.smart/Documents/mmkv/{{uid}}, which isn't viewable with any plaintext editors I tried, or it could be generated randomly or as a function of some other unique key, such as the TYUniqueIdentifier key in/AppDomain-com.tuya.smart/Library/Preferences/com.tuya.smart.plist. I have so far been unable to decrypt this database or the MMKV raw data file. It could also be the other way around; or the two could be independent. This is beyond what I know for sure.

🧂 (salt warning) 🧂
You know... It'd be nice if Tuya would come to the open source party just give us a little Advanced/Developer menu that lets the app expose the device key natively so we don't have to try and compromise the entire app platform just to open their potential market up to the Apple ecosystem's IoT/home automation market segment (thus more paying customers of the Tuya brand) or anything 🙄 🔫

Update: 16/04
Found UICKeyChainStore is a github repo. Linked accordingly.
Turns out this uses an app identifier, which looks to be in the exact same form as the TYUniqueIdentifier key in/AppDomain-com.tuya.smart/Library/Preferences/com.tuya.smart.plist. One mystery solved. That key is for the KeyChain integration.

[crampus]

Okay. So after looking all over the Internet, there’s really only one solution.

Keys are next to impossible to retrieve from iOS, but thanks to being able to install older APKs outside the Play Store on Android, it’s pretty easy to grab keys.

What you’ll need:
• An Android device note: BlueStacks for Windows/Mac gets hung up on setting a lockscreen passcode (as it doesn’t have a lockscreen; so Android can’t add in certificate trusts) - you will need a dedicated Android/AOSP x86/x64 distro bare metal or in a VM with a dedicated WLAN NIC, if you don’t have a native Android device.
• Installation from external sources enabled
• Packet Capture (1.7.2 tested) or later
• Tuya Smart Life (3.6.1 tested) later versions or other branded versions might work, but I make no guarantees or warrants of fitness for any given configuration, device, or sexual identity.

1. Set up the packet capture app certificates.
2. Filter to the Tuya app.
3. Start a capture
4. Trigger your IoT device
5. Stop the Capture
6. Decrypt the SSL packets
7. You will get a JSON payload with the local_key in plaintext.
8. Plug and play into your configs.
9. Magic.