tuya-cli list-app not working after updating app #280

Closed
Apollon77 opened this issue Dec 26, 2019 · 65 comments
@Apollon77
Collaborator

It seems that the most current Smartlife App 3.14.0 changes the way communication works ... and so the sync process is dead (again)

Should we have a generic issue for this here or in one of the other repos/libs?

I'm currently collecting more info and will post here

@Apollon77
Collaborator Author

  • The communication goes against /app.json on the tuya server
  • parameters seem a bit different
  • there is NO request with "tuya.m.my.group.device.list" anymore :-(
  • postdata seems base64 encoded, but binary - so assumption is: encrypted with App key from App :-(
  • response is also encoded and looks also base64 encoded, but encrypted ... like
{
	"result": "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",
	"t": 1577393623,
	"sign": "2c2be2d22ef9862aa1e6a066f0a59be4"
}

It seems that the Tuya App (which is still 3.13.x) still works ... but unknown how long

I also have reports from tests with older Android APK versions where the App was not able to login because too old. Users test further

@kueblc @codetheweb

@Apollon77
Collaborator Author

I have a Charles file ... send me an email (GitHub account) and I'll send the file if interested ...

@kueblc
Collaborator

kueblc commented Dec 26, 2019

Looks pretty similar to the new HTTP API we implemented in tuya-convert. Wonder what the AES key might be. Do you have a capture starting from registration?

@Apollon77
Collaborator Author

Do you have a capture starting from registration?

May a login be enough too? Then I could capture it

@Apollon77
Collaborator Author

Apollon77 commented Dec 26, 2019

Ok, it seems to be an app key ... I logged out and closed the app ... the next open started directly again with encrypted messages.

Here is the data of the very first request of the app, even before the login request:

time=1577397372&lang=de&deviceId=A547DB0A-5342-4321-AB1D-1AE046ABA4C2&et=0.0.2&osSystem=13.3&bundleId=com.tuya.smartlife&lon=0&channel=oem&appVersion=3.14.0&ttid=sdk_appstore@fvsrjwtvqs4wpuy8r9qd&os=IOS&v=2.0&sign=09f6b7aa916cb384707a196216c330fa79edc15fcca43d203b62ba13f1240292&platform=iPhone%208&postData=SAxbIIUq3Lcapdld284NnOJ6L%2FPRM%2FKNJ1T4W74kOUiEusLWOBqev5X9nmzuOFms&requestId=9A510BE5-078D-4D54-A215-6896197EB2E8&sdkVersion=3.14.1&timeZoneId=Europe%2FBerlin&lat=0&clientId=fvsrjwtvqs4wpuy8r9qd&a=tuya.m.app.ad.list&appRnVersion=5.21&
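
A quick check of the "base64 encoded, but binary" observation on the request quoted above, as an added example that is not part of the original thread or of tuya-cli. The function names are hypothetical, and only the `a`, `v`, `et`, `sign` and `postData` fields are copied from the capture.

```python
import base64
import re
from urllib.parse import parse_qs

# Fields copied from the request quoted in the comment above (others omitted)
CAPTURED = (
    "a=tuya.m.app.ad.list&v=2.0&et=0.0.2"
    "&sign=09f6b7aa916cb384707a196216c330fa79edc15fcca43d203b62ba13f1240292"
    "&postData=SAxbIIUq3Lcapdld284NnOJ6L%2FPRM%2FKNJ1T4W74kOUiEusLWOBqev5X9nmzuOFms&"
)


def classify_blob(b64text):
    """Decode a base64 field and report whether it looks like text or ciphertext."""
    raw = base64.b64decode(b64text, validate=True)
    try:
        raw.decode("utf-8")
        is_text = True
    except UnicodeDecodeError:
        is_text = False
    return {
        "bytes": len(raw),
        # A whole number of 16-byte blocks is consistent with a block cipher
        # such as AES; it is a hint, not proof.
        "block_aligned": len(raw) > 0 and len(raw) % 16 == 0,
        "is_text": is_text,
    }


def describe_request(query):
    """Summarise the API name, signature width and postData encoding of one request."""
    # parse_qs percent-decodes values, turning %2F back into the base64 '/'
    fields = {k: v[0] for k, v in parse_qs(query).items()}
    sign = fields.get("sign", "")
    sign_bits = len(sign) * 4 if re.fullmatch(r"[0-9a-f]+", sign) else None
    payload = classify_blob(fields["postData"])
    payload["likely_encrypted"] = payload["block_aligned"] and not payload["is_text"]
    return {"api": fields.get("a"), "sign_bits": sign_bits, "payload": payload}


if __name__ == "__main__":
    print(describe_request(CAPTURED))
```

The payload decodes to three 16-byte blocks of non-text data and the `sign` value is 256 bits wide, which fits the assumption of an encrypted body with a separate request signature.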

@codetheweb
Owner

Interesting, it still works with the latest version of the TuyaSmart app on iOS.

I assume they're going to start rolling out this change to all whitelabeled apps, but it seems like they would've started with their own.

@Apollon77
Collaborator Author

Version 3.12.6 on Android also seems to work ... 3.13.x interestingly not

@JustH4ppy

Yes, I tried all the last versions. I don't know why, but I was not able to install the 3.13.x versions of the Smart Life App, but 3.12.6 worked for me.
Maybe somebody can try 3.13.x APKs on their Android device (I tried with MeMu)

@slomanl1

Where do I get 3.12.6 version of SmartLife apk file? Link please.

@codetheweb codetheweb changed the title Smartlife App 3.14.0 (?) killed the sync process again tuya-cli list-app not working after updating app Dec 30, 2019
@spitfire4all

Hi,
3-12-6 works for me.
Thank you for the quick reaction.

Regards
HDM

@jajajaime

I am experiencing the same with the TuyaSmart app v3.14.0 :(

@JustH4ppy

@jajajaime yep, Tuya App also got updated today. Only way atm is to use Smart Life or Tuya via apk at Version 3.12.6

@dutch2005

dutch2005 commented Jan 1, 2020

And make sure to disable the feature to use mobile data if no internet via WiFi

I also had IPv6 enabled and had to disable the gateway address temporarily, else it would not work (it would just go to Tuya on the IPv6 address...). If this is not possible, try setting up a static IP address instead of DHCP.

Could possibly be worked around by using the FQDN (fully qualified domain name) of the device displaying the QR code, but I didn't test that...

@codetheweb
Owner

Hey @kueblc: going by the API that you've been working with, do you think there's any hope of continuing to use the MITM method to retrieve device keys? If not, any ideas on the next best method?

@mazafra1

mazafra1 commented Jan 4, 2020

Version 3.14 on iOS 13 does NOT work anymore.

@JustH4ppy

@mazafra1 Version 3.14 was the reason why it‘s not working anymore. Use atm Android Simulator with Version 3.12.6 apk.

@Apollon77
Collaborator Author

I think as soon as we find out what the aes key is we have a chance ...

@kueblc
Collaborator

kueblc commented Jan 4, 2020

@codetheweb I wouldn't give up hope just yet, as @Apollon77 says we have a chance as long as the AES key is static or easily computed. We'll need more data, preferably pcaps along with app/account information.

@Apollon77
Collaborator Author

Or disassemble the APK?! Maybe also in comparison to an older working version to know where to look ...

But I have no experience in how to do that :-(

@kueblc
Collaborator

kueblc commented Jan 4, 2020

Certainly, I can do this, but it becomes a lot easier paired with operational data such as stored app data, (non-critical) user credentials, and network captures.

@FirstS0ul

@HappyTeaFriend
How did you do that? With MEmu it doesn't work. I think it's because of the emulated wifi card.

@JustH4ppy

@FirstS0ul
It works with MeMu, I tested it with it. Did you install the right certificate etc.? And did you use version 3.12.16 as APK? (Not from Play Store)

@FirstS0ul

FirstS0ul commented Jan 4, 2020

@HappyTeaFriend
oh okay. The app doesn't even start the discovery for my tuya device...

Or can I add my lamp with the actual iOS app, and log in with my account on Android?!

EDIT: LOL... That worked. Dammit...

@kalety

kalety commented Jan 13, 2020 via email

@odechr

odechr commented Jan 14, 2020

Download “STL Smart Home” (for Android)
Make an account
Add your device ONLY to this app first.
Follow normal instruction to obtain your KEY and ID. Note this down.
Delete the device from “STL Smart Home”
Add your device to “Smart Life” APP.

This worked for me. As described earlier in some post here.

Update:
Well, after trying both the stl app and the old version of smart life app I see that they return different keys for the same device. So I assume it's not that easy.

@Apollon77
Collaborator Author

As assumed: a pairing process generated a new local key. In the end the question is how you want to control it afterwards - if only via other tools than apps then it is fine to have multiple apps ;-)

@odechr

odechr commented Jan 15, 2020

I will try later today and install the STL Smart Home, get the key and leave those devices there while I will try to add them to Homey (smart hub).

Hopefully someone will be able to crack the code to snitch the key in the new version in the future :)

@codetheweb
Owner

I spent a bit of time looking into this today.

  1. I don't think sniffing traffic will be a good solution anymore, even assuming we can properly decrypt the traffic. It's trivial for Tuya to change the key whenever they want and make us repeat the entire process of obtaining the key again. Additionally, the legality of including such a key in the CLI tool's source code is questionable at best.
  2. I think the best solution going forward will be to use the link module that TuyAPI provides. The main downside is that after devices are registered using it, they cannot be controlled using official apps. So, for example, the official Tuya HA module and TuyAPI could not be used at the same time.

That being said, the link module as included in the CLI package isn't currently working because of changes Tuya has made to their cloud API offerings. I'll try to work on it this weekend and see what changes need to be made.

@kalety

kalety commented Jan 18, 2020

We wait it! Thousands of thanks MAX!

@Apollon77
Collaborator Author

But the link idea also needs more stuff from the users to be done. But yes. The encryption stuff is really bad for our approach. :-(

@Bablakeluke

Bablakeluke commented Jan 21, 2020

@codetheweb By injecting some code into the smart life app I've managed to successfully get the device list with localKey's by using its code API (it's sending "s.m.dev.list" now). Could potentially wrap it up in a public rest API which tuya-cli then uses or something. Super experimental at this point though!

@Bablakeluke

Bablakeluke commented Jan 21, 2020

The AES encryption key is based on some static values in the app and the request ID, with its actual generation being handled by native code (specifically libjnimain.so in the Android apk - the same as the signature stuff). They've gone to extensive lengths to hide it, so I'd certainly agree they'll just change it as soon as they see an implementation pop up online. So much for the open smart home. But anyway, this is also new in the latest version - the certs are being pinned, but only in the tuya app itself - not 3rd parties:

if (context != null && "com.tuya.smart".equals(context.getPackageName())) {
    CertificatePinner createPinner = new TuyaCertificatePinner().createPinner();
    if (createPinner != null) {
        L.i(TAG, "builder.certificatePinner");
        builder.certificatePinner(createPinner);
    } else {
        L.i(TAG, "builder do not set certificatePinner!");
    }
}

The accepted cert list is a .json file in the app resources - here's the top chunk of it:

[
  {
    "domain": "a1.tuyacn.com",
    "certs": [
      {
        "eTime": 1602142278,
        "sha256": "fd2910b0f61f3932b572a16ba15927cb768f4728d7c4d54d70838a11e51c87ae",
        "ver": "sha256/YhNNie7EoILoelAxSWD9rlGeQCILjsfs4E1RaoC1x90="
      },
      {
        "eTime": 1935558000,
        "sha256": "973a41276ffd01e027a2aad49e34c37846d3e976ff6a620b6712e33832041aa6",
        "ver": "sha256/8Rw90Ej3Ttt8RRkrg+WYDS9n7IS03bk5bjP/UXPtaY8="
      },
...

The if (createPinner != null) { check is useful though - the pinner is null if the json file is empty, so just deleting it turns the pinning off.
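
Seen from the defender's side, the weak point in the comment above is that an empty pin file yields a null pinner and the client carries on without pinning. Below is an added example (not code from the app or from this project) of a pin-list loader that fails closed instead; it assumes `eTime` is a Unix expiry time and `ver` is an OkHttp-style `sha256/<base64>` pin, and the function names, sample data and domain are constructed.

```python
import base64
import binascii
import hashlib
import json


class PinListError(Exception):
    """The pin list cannot be enforced; callers must not fall back to no pinning."""


def parse_pin(ver):
    """Return the 32-byte digest from a 'sha256/<base64>' pin, or raise."""
    algo, _, b64 = ver.partition("/")
    if algo != "sha256":
        raise PinListError(f"unsupported pin type: {algo!r}")
    try:
        digest = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise PinListError(f"pin is not valid base64: {ver!r}") from exc
    if len(digest) != 32:
        raise PinListError(f"pin is {len(digest)} bytes, expected 32")
    return digest


def load_pins(text, now):
    """Map each domain to its unexpired pins; a domain left without one is an error."""
    entries = json.loads(text or "[]")
    if not isinstance(entries, list) or not entries:
        raise PinListError("pin list is empty")  # fail closed, never 'no pinner'
    pins = {}
    for entry in entries:
        live = [parse_pin(c["ver"]) for c in entry.get("certs", [])
                if c["eTime"] > now]  # assumption: eTime is a Unix expiry time
        if not live:
            raise PinListError(f"no unexpired pin for {entry['domain']}")
        pins[entry["domain"]] = live
    return pins


def make_pin(seed):
    """Constructed pin value for the sample, not a real certificate's."""
    return "sha256/" + base64.b64encode(hashlib.sha256(seed).digest()).decode()


# Constructed sample in the shape of the quoted file (hypothetical domain)
SAMPLE = json.dumps([{"domain": "pins.example.test", "certs": [
    {"eTime": 1602142278, "ver": make_pin(b"old")},
    {"eTime": 1935558000, "ver": make_pin(b"new")},
]}])

if __name__ == "__main__":
    print({d: len(p) for d, p in load_pins(SAMPLE, now=1700000000).items()})
```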

@Apollon77
Collaborator Author

But this seems to be SSL certificate pinning ... then it becomes even more problematic :-(
So basically they added in the last versions that the payload itself got encrypted, that they can require the app to be up to date for users to use (to allow faster change of certs maybe), and cert pinning for the SSL certs themselves ... hm ... bad

@botti007

I was also wondering if the AES key is modified in the discovery mode of smartconfig.
So can anyone help with how we can extract it again?
an other question what does the two keys fixed_key.bmp and t_s.bmp ????

@kueblc
Collaborator

kueblc commented Jan 22, 2020

@Apollon77
Collaborator Author

Did someone try the 3.14 encrypted data with the key from this page (https://github.com/nalajcie/tuya-sign-hacking#tldr), or did they change the key?

@botti007

botti007 commented Jan 22, 2020

What is the difference between Tuya smart link (smartconfig) protocol v3.2 and v3.3?

@swiergot

Hi,

Trying to do list-app with Smart Life 3.12.6. I can see in tcpdump that the phone is directing traffic to the proxy, but no results displayed by tuya-cli. I have HTC U12+ with Android 9.

Is this supposed to work at all?

Thanks.

Take care,
Jarek

@JustH4ppy

@swiergot this should still work. Tested it last week.

@swiergot

@HappyTeaFriend Thanks. Is your phone rooted? Did you do anything special to set up the certificate. All I can do is install it, I could not find any option to fully trust it. Do you have the internet when the proxy is configured? I don't but I read somewhere this is normal. Finally, what did you do in Smart Life? Just refresh devices?

Any tips how to debug this appreciated.

@swiergot

Nevermind. I feel like an idiot after spending one day and a half trying to get this working only to find out I have something else listening on port 8001...

@codetheweb
Owner

Update to #280 (comment):

I've created a new package (written in TypeScript) for Tuya's OpenAPI (https://github.com/TuyaAPI/openapi), rather than further muddying the @tuyapi/cloud package.

I started to integrate it into the Link package (https://github.com/TuyaAPI/link), however it doesn't seem to be working with my test device. I'm not sure if the SmartLink protocol changed or if my code never correctly followed the spec in the first case, but that requires investigation if anyone wants to take a stab at it.

I'll work on it some more next weekend if I have time, but no ETA on when it will be working yet - sorry.

@LoloBee

LoloBee commented Jan 27, 2020

I think that they've implemented SSLPinning techniques in their app.

Burp Proxy reports "Unknown certificate" when trying to refresh devices.

@codetheweb
Owner

The link package has been updated/fixed, as well as the CLI package and the general setup instructions.

@Apollon77
Collaborator Author

Should we really close it? I would still love to get a proxy style solution because much easier for the users ...

@codetheweb
Owner

I would too, but unless they revert back to not encrypting the traffic and not pinning SSL certificates (both of which seem unlikely) the proxy solution won't work.

@botti007

botti007 commented Feb 1, 2020

@codetheweb can we bypass SSLpinning using frida ??

@codetheweb
Owner

You can try if you want, I'm not going to be removing the list-app functionality.

But I will not continue to maintain it, so if you want any updates to be made to it please open a PR.

@mazafra1

mazafra1 commented Feb 4, 2020

The link package has been updated/fixed, as well as the CLI package and the general setup instructions.

Some questions about the setup instructions:

  • Do the devices need to be unregistered OR already registered in the Tuya mobile app?
  • In Cloud API Authorization, AccessId and Key Secret are shown, BUT a different AppKey and Secret are shown inside the App SDK. Which ones should we use?
  • Does the device where the link command is running need to be connected to the same network where the Tuya devices are?

Thanks,

@codetheweb
Owner

@mazafra1 I've clarified the instructions, thanks for the questions.

I'm locking this issue; if there are further questions or problems please open a new one.

If another method of obtaining the local key is found I'll be sure to post here so current commentators are still notified.

Repository owner locked as resolved and limited conversation to collaborators Feb 4, 2020
@codetheweb codetheweb unpinned this issue May 6, 2020