Roborock app support for Roborock S6 MaxV #282
Comments
|
Hi, there is a discussion to try to find out if we can get Roborock app to work with this plugin: #104 But you are correct, apparently, the issue with the Roborock app is that it reissues the token, voiding the token assigned to this plugin in the config. I personally don't use that app (and knowing it breaks the integration, I feel like I won't even try 😅). But I'd love it if anyone can find a way to extract the token from that app (everyone praises it, so I bet it's way better than the Xiaomi Mi app). |
afharo
added
duplicate
|
I gave up to gather the local token (with the assumption that they aren't using any local control, instead an online-only control) but tried instead to replicate the login behaviour in the app in order to write a homebridge plugin which utilizes their API but that is also very painful. They are using HMAC for authentication and at some point my decompiler fails to decompile the APK properly. Basically they are using different sources for their secret like some data gathered from a request to a tuya server, md5(url) and at some point they use the Tuya SDK to do the HMAC_SHA_256 encryption. I bet they are adding some salt or something there because their function don't look very standardized. |
|
Wow! Thank you for looking into that! It does seem complex indeed. |
|
@Zer0x00 I stumbled on this page googling for info and though I would let you know some things. |
|
@ghvader Thanks for your info. The S6 series is afaik currently the only one which changes the token when changing from Tuya to Roborock so no luck there :/ It seems to me that they are using MQTT with SSL authentication to provide their functions. |
|
I posted this on another thread, but wanted to relay it here. I found the token in the roborock app / backup files ripped from an iOS device (iphone). Using a program called iBackup Viewer. Then located under: Sub: With this information, Im thinking two things can happen.
All input is welcomed! :) |
|
Just curios... wonder if there is a work around using either IFTTT, Shortcuts, or both... Example: I have a wall mounted Ipad. lets say its logged into the RoboRock App. wonder if you could create an relay, from Homekit>homebridge>IFTTT>Roborock OR something similar... |
Hello,
I just got the Roborock S6 MaxV today and tested both available apps.
With the Xiaomi Mi Home App you can name the rooms and I got a newer firmware version as with the Roborock app.
During the connection establishing phase I was also able to sniff the required token with Charles Proxy (iOS).
The Roborock app seems to be far more optimized for these vacuum cleaners even if you can't name your rooms.
It has some features I don't want to miss, like the camera view.
But what's far more concerning for me: I just found out that on every new connection the device token changes itself.
On an issue this was confirmed. Is there any way to gather the device token while using the Roborock app?
The sniffing method didn't work. The only result I was getting was the following response to a GET request to https://api-eu.roborock.com/user/homes/
{ "api": "è�·å��家åºè¯¦ç»�ä¿¡æ�¯", "result": { "id": "<id>", "name": "Mein Zuhause", "lon": null, "lat": null, "geoName": null, "devDisplayOrder": null, "products": [{ "id": "<id>", "name": "Roborock S6 MaxV", "code": "a10", "model": "roborock.vacuum.a10", "iconUrl": null, "attribute": null, "capability": 2, "category": "s6", "schema": [{ "id": "101", "name": "rpc_request", "code": "rpc_request", "mode": "rw", "type": "RAW", "property": null, "desc": null }, { "id": "102", "name": "rpc_response", "code": "rpc_response", "mode": "rw", "type": "RAW", "property": null, "desc": null }] }], "devices": [{ "duid": "<duid here>", "name": "<name here>", "attribute": null, "activeTime": "<activetime here>", "localKey": "<localkey here>", "runtimeEnv": null, "timeZoneId": "Europe/Berlin", "iconUrl": "", "productId": "<product id here>", "lon": null, "lat": null, "share": false, "shareTime": null, "online": false, "fv": "01.46.00", "pv": "1.0", "roomId": null, "tuyaUuid": "<uuid here>", "tuyaMigrated": false, "extra": "{\"xxxx\": \"xxxx\", \"RRPhotoPrivacyVersion\": \"1\", \"RRMonitorPrivacyVersion\": \"1\"}" }], "receivedDevices": [], "rooms": [] }, "status": "ok", "success": true }As you can see there are multiple fields like
duid,localKeyandtuyaUuidwhich could(?) be responsible for the secure connection.localKeychanges on each connect so unfortunately this can't be used as a replacement for token (didn't look into miio to validate if token can be replaced by anything so this is full speculation). AlsolocalKeyis too short in comparison withtoken.Did anyone else take any effort to make this plugin usable with the Roborock app or better did anyone manage to extract the used token while using the Roborock app?
In every case thank you for developing and sharing such a great plugin!
//Update 1:
I looked into the app by doing a backup of it and couldn't spot any obvious places where such a token could be stored.
One place which is very similiar to the sniff at the top and stores some more things which look suspicious is located at Roborock.app\Container\Library\Preferences\com.roborock.smart.plist
Obviously this file contains some details I won't publish so if someone has interest to look into it he can write me private.
//Update 2:
I also tried to use an old version of the Roborock app on an android emulator and gather the files of the application.
There are also some interesting strings but nothing clearly showing "token". I've already tried different strings but no luck...
The text was updated successfully, but these errors were encountered: