
Need assistance sniffing TCP with Wireshark / help capturing packets with Wireshark #13

Closed
duchenpaul opened this issue Jun 19, 2020 · 19 comments

@duchenpaul

I have a Midea water heater. I've spent several days trying to capture its packets without success. Could you give me a simple tutorial on how to capture the traffic and analyze the protocol inside?
I'll share what I find later, and maybe even improve this project's code.
Thanks

@mac-zhou
Owner

You can start by running midea-discover -d. This tool helps discover Midea devices on the LAN.

@duchenpaul
Author

I pulled your code out and ran it. My model is T0xE3, so there's no way you could have discovered it. Port 6445 does have something on it, that's right. I'll tinker with it for a couple of days and let you know if there's progress.

@duchenpaul
Author

I tried capturing packets on the router with tcpdump, but got nothing. 192.168.31.180 is my water heater's address. Could you help me figure out why?

tcpdump -i br-lan dst 192.168.31.180 -w target.cap
tcpdump -i br-lan src 192.168.31.180 -w target.cap

@mac-zhou
Owner

  • Port 6445 is only the discovery protocol; don't waste your time there. What matters is handling the data the water heater exchanges on port 6444.
  • I don't know your network or router model, so I can't help with that. But as a rule, capture as close to the water heater as possible, for example on the AP the heater is associated with.
    You probably need to capture like this:
    tcpdump -i any host 192.168.31.180 -p -nn -s 0 -w midea.pcap -vvv
  • You can run midea-discover to see whether my library can decrypt your device's protocol data. Packets that start with 5a5a are supported; those that start with 8370 are not.
  • If my library can decrypt your data, you should focus on the decrypted output; you may see the relevant changes there and work out the rules.

@duchenpaul
Author

It's 8370, so there's work to do!

INFO:msmart.cli:Debug mode active
INFO:msmart.cli:Discovering devices with UDP Broadcast, press CTRL-C to quit...
INFO:msmart.cli:Midea Local Data 192.168.31.180 837000c8200f00005a5a0111b8007a8000000000f197320a1706141431820600009600000000000000000180000000003d2d2a5d91b3b35a0439ad15b61f8d32bce6ad2b6757881d771c94a56d0972bb5245048f7a5dc6c52a83fa7c22e0b8da97a2d910b60f398f154e84b51959f87599511fc6d165e30922240666aff67c18a337d864e15a8c397d9983652746509d4bdfb3e16e33d88768cc4c3d0658937d96fbcce99f70c976413c2f05f60f82e7b64f24e548dac159bb384cdaab4fc2dd1cbfe865aac8ec05b402ae5ae8bbd8d2
ERROR:msmart.security:aes_decrypt error: ValueError('Padding is incorrect.',) - data: 3d2d2a5d91b3b35a0439ad15b61f8d32bce6ad2b6757881d771c94a56d0972bb5245048f7a5dc6c52a83fa7c22e0b8da97a2d910b60f398f154e84b51959f875
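
Added example, written here and not taken from msmart or from anyone in this thread: a small Python helper that applies the 5a5a-versus-8370 distinction from the reply above to a captured datagram and checks whether the bytes handed to AES are even block-aligned before the "Padding is incorrect" error is blamed on the capture. It assumes the 5a5a header is 40 bytes and carries a little-endian length at bytes 4-5 (consistent with the log above, where the slice msmart tried to decrypt begins 48 bytes into the 8370 datagram: an 8-byte lead-in plus a 40-byte header); the 8370 envelope's own layout is not documented here, so only its 2-byte marker is used and the embedded 5a5a marker is searched for.

```python
import binascii

MARKER_5A5A = b"\x5a\x5a"   # framing msmart could decrypt at the time
MARKER_8370 = b"\x83\x70"   # newer framing the thread reports as unsupported
HEADER_5A5A_LEN = 40        # assumed 5a5a header size (see lead-in)
AES_BLOCK = 16

def describe_frame(raw: bytes) -> dict:
    """Report the leading marker, the offset of the 5a5a frame, its declared
    little-endian length, and whether the bytes after the 40-byte header are
    AES-block aligned. Alignment is only a necessary condition: a wrong key or
    a wrong slice still yields msmart's 'Padding is incorrect' error."""
    info = {"marker": "unknown", "inner_offset": None,
            "declared_len": None, "cipher_aligned": None}
    if raw.startswith(MARKER_5A5A):
        info["marker"], off = "5a5a", 0
    elif raw.startswith(MARKER_8370):
        info["marker"] = "8370"
        off = raw.find(MARKER_5A5A, 2)   # envelope layout unknown: search for it
        if off < 0:
            return info
    else:
        return info
    info["inner_offset"] = off
    if len(raw) >= off + 6:
        info["declared_len"] = int.from_bytes(raw[off + 4:off + 6], "little")
    body = raw[off + HEADER_5A5A_LEN:]
    info["cipher_aligned"] = len(body) > 0 and len(body) % AES_BLOCK == 0
    return info

def describe_hex(hexstr: str) -> dict:
    """Same as describe_frame, for the hex strings msmart prints in its logs."""
    return describe_frame(binascii.unhexlify(hexstr.strip()))

def make_5a5a_frame(cipher_len: int) -> bytes:
    """Constructed test frame: 40-byte header plus placeholder ciphertext."""
    hdr = bytearray(HEADER_5A5A_LEN)
    hdr[0:2] = MARKER_5A5A
    hdr[2:4] = b"\x01\x11"
    hdr[4:6] = (HEADER_5A5A_LEN + cipher_len).to_bytes(2, "little")
    return bytes(hdr) + bytes([0x3d] * cipher_len)

# Constructed samples, not real captures: a bare 5a5a frame, the same frame
# behind an 8-byte 8370 lead-in, and an unrelated datagram.
SAMPLE_5A5A = make_5a5a_frame(32)
SAMPLE_8370 = MARKER_8370 + b"\x00\x00\x20\x0f\x00\x00" + SAMPLE_5A5A
SAMPLE_OTHER = b"\x12\x34" + bytes(20)
```

Running describe_hex over the first 14 bytes of the datagram logged above (837000c8200f00005a5a0111b800) reports the 5a5a frame at offset 8 with a declared length of 184.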

@duchenpaul
Author

I'd like to know where you found the appkey and signkey in your code. From what I can see, the appkey should be shared between the two different protocols. Your tcpdump command works; I'll keep digging. Thanks for your support.

@mac-zhou
Owner

Found them in an old version of the app.
They can no longer be found in the new version.

@mac-zhou
Owner

> It's 8370, so there's work to do!
>
> INFO:msmart.cli:Debug mode active
> INFO:msmart.cli:Discovering devices with UDP Broadcast, press CTRL-C to quit...
> INFO:msmart.cli:Midea Local Data 192.168.31.180 837000c8200f00005a5a0111b8007a8000000000f197320a1706141431820600009600000000000000000180000000003d2d2a5d91b3b35a0439ad15b61f8d32bce6ad2b6757881d771c94a56d0972bb5245048f7a5dc6c52a83fa7c22e0b8da97a2d910b60f398f154e84b51959f87599511fc6d165e30922240666aff67c18a337d864e15a8c397d9983652746509d4bdfb3e16e33d88768cc4c3d0658937d96fbcce99f70c976413c2f05f60f82e7b64f24e548dac159bb384cdaab4fc2dd1cbfe865aac8ec05b402ae5ae8bbd8d2
> ERROR:msmart.security:aes_decrypt error: ValueError('Padding is incorrect.',) - data: 3d2d2a5d91b3b35a0439ad15b61f8d32bce6ad2b6757881d771c94a56d0972bb5245048f7a5dc6c52a83fa7c22e0b8da97a2d910b60f398f154e84b51959f875

https://github.com/mac-zhou/midea-msmart/blob/master/msmart/cli.py was just updated; you can try running it by hand yourself.

@duchenpaul
Author

Same result. It's confirmed that my protocol is different from yours.

INFO:msmart.cli:Debug mode active
INFO:msmart.cli:Discovering devices with UDP Broadcast, press CTRL-C to quit...
INFO:msmart.cli:Midea Local Data 192.168.31.180 837000c8200f00005a5a0111b8007a8000000000af2e050c1706141431820600009600000000000000000180000000003d2d2a5d91b3b35a0439ad15b61f8d32bce6ad2b6757881d771c94a56d0972bb5245048f7a5dc6c52a83fa7c22e0b8da97a2d910b60f398f154e84b51959f87599511fc6d165e30922240666aff67c18a337d864e15a8c397d9983652746509d4bdfb3e16e33d88768cc4c3d0658937d96fbcce99f70c976413c2f05f60f82e7cfe0b65fd4f7c93e2ca9d87b4d43e40b1cbfe865aac8ec05b402ae5ae8bbd8d2
Traceback (most recent call last):
  File "/usr/local/bin/midea-discover", line 11, in <module>
    load_entry_point('msmart==0.1.19', 'console_scripts', 'midea-discover')()
  File "/usr/local/lib/python3.6/dist-packages/Click-7.0-py3.6.egg/click/core.py", line 764, in __call__
    return self.main(*args, **kwargs)
  File "/usr/local/lib/python3.6/dist-packages/Click-7.0-py3.6.egg/click/core.py", line 717, in main
    rv = self.invoke(ctx)
  File "/usr/local/lib/python3.6/dist-packages/Click-7.0-py3.6.egg/click/core.py", line 956, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/usr/local/lib/python3.6/dist-packages/Click-7.0-py3.6.egg/click/core.py", line 555, in invoke
    return callback(*args, **kwargs)
  File "/usr/local/lib/python3.6/dist-packages/msmart-0.1.19-py3.6.egg/msmart/cli.py", line 80, in discover
UnboundLocalError: local variable 'm_support' referenced before assignment

@mac-zhou
Owner

The discovery protocol (udp.port == 6445) can be decoded; the control protocol (tcp and data[:2] == 8370) cannot.
cli.py has been updated again; please help test it.

@duchenpaul
Author

Not sure whether your ssid and so on are right. The plaintext is this; my ssid isn't that, it's Wolfstein.

0000E321151100TD705251402154120U
midea_e3_2154
INFO:msmart.cli:Debug mode active
INFO:msmart.cli:Discovering devices with UDP Broadcast, press CTRL-C to quit...
INFO:msmart.cli:Midea Local Data 192.168.31.180 837000c8200f00005a5a0111b8007a80000000007a2e00001706141431820600009600000000000000000180000000003d2d2a5d91b3b35a0439ad15b61f8d32bce6ad2b6757881d771c94a56d0972bb5245048f7a5dc6c52a83fa7c22e0b8da97a2d910b60f398f154e84b51959f87599511fc6d165e30922240666aff67c18a337d864e15a8c397d9983652746509d4bdfb3e16e33d88768cc4c3d0658937d96fbcce99f70c976413c2f05f60f82e78a88773deeaf7f16126f61a398027e821cbfe865aac8ec05b402ae5ae8bbd8d2
DEBUG:msmart.packet_builder:Finalize request data: aa20ac00000000000003418100ff03ff000200000000000000000000000026d175
DEBUG:msmart.lan:Sending to 192.168.31.180:6444 5a5a011168002000000000001526140c1706141431820600009600000000000000000000000000006b000a76e27eed2c3647e57d8602df8b7760b65cc8abde8d47750695623f1296137efcc7f8fe55c6253e8dc10f59f57ae7996a5cf6960fec05fc767cc7c85941
INFO:msmart.lan:Couldn't connect with Device 192.168.31.180:6444
DEBUG:msmart.device:refresh - Recieved from 192.168.31.180, 318206000096: 
INFO:msmart.cli:*** Found a unsupported '0xe3' at 192.168.31.180 - id: 164926744592945 - sn: 21151100TD705251402154120U - ssid: midea_e3_2154

@duchenpaul
Author

Also, I got hold of their WeChat mini program; the api.js inside has lots of little secrets.

wechat_app.zip

@mac-zhou
Owner

> Not sure whether your ssid and so on are right. The plaintext is this; my ssid isn't that, it's Wolfstein.
>
> 0000E321151100TD705251402154120U
> midea_e3_2154
> INFO:msmart.cli:Debug mode active
> INFO:msmart.cli:Discovering devices with UDP Broadcast, press CTRL-C to quit...
> INFO:msmart.cli:Midea Local Data 192.168.31.180 837000c8200f00005a5a0111b8007a80000000007a2e00001706141431820600009600000000000000000180000000003d2d2a5d91b3b35a0439ad15b61f8d32bce6ad2b6757881d771c94a56d0972bb5245048f7a5dc6c52a83fa7c22e0b8da97a2d910b60f398f154e84b51959f87599511fc6d165e30922240666aff67c18a337d864e15a8c397d9983652746509d4bdfb3e16e33d88768cc4c3d0658937d96fbcce99f70c976413c2f05f60f82e78a88773deeaf7f16126f61a398027e821cbfe865aac8ec05b402ae5ae8bbd8d2
> DEBUG:msmart.packet_builder:Finalize request data: aa20ac00000000000003418100ff03ff000200000000000000000000000026d175
> DEBUG:msmart.lan:Sending to 192.168.31.180:6444 5a5a011168002000000000001526140c1706141431820600009600000000000000000000000000006b000a76e27eed2c3647e57d8602df8b7760b65cc8abde8d47750695623f1296137efcc7f8fe55c6253e8dc10f59f57ae7996a5cf6960fec05fc767cc7c85941
> INFO:msmart.lan:Couldn't connect with Device 192.168.31.180:6444
> DEBUG:msmart.device:refresh - Recieved from 192.168.31.180, 318206000096: 
> INFO:msmart.cli:*** Found a unsupported '0xe3' at 192.168.31.180 - id: 164926744592945 - sn: 21151100TD705251402154120U - ssid: midea_e3_2154

That is your water heater's SSID, i.e. the SSID the heater broadcasts when it is in AP mode waiting to be paired, not the network it is currently connected to.

@duchenpaul
Author

> > Not sure whether your ssid and so on are right. The plaintext is this; my ssid isn't that, it's Wolfstein.
> >
> > 0000E321151100TD705251402154120U
> > midea_e3_2154
> > INFO:msmart.cli:Debug mode active
> > INFO:msmart.cli:Discovering devices with UDP Broadcast, press CTRL-C to quit...
> > INFO:msmart.cli:Midea Local Data 192.168.31.180 837000c8200f00005a5a0111b8007a80000000007a2e00001706141431820600009600000000000000000180000000003d2d2a5d91b3b35a0439ad15b61f8d32bce6ad2b6757881d771c94a56d0972bb5245048f7a5dc6c52a83fa7c22e0b8da97a2d910b60f398f154e84b51959f87599511fc6d165e30922240666aff67c18a337d864e15a8c397d9983652746509d4bdfb3e16e33d88768cc4c3d0658937d96fbcce99f70c976413c2f05f60f82e78a88773deeaf7f16126f61a398027e821cbfe865aac8ec05b402ae5ae8bbd8d2
> > DEBUG:msmart.packet_builder:Finalize request data: aa20ac00000000000003418100ff03ff000200000000000000000000000026d175
> > DEBUG:msmart.lan:Sending to 192.168.31.180:6444 5a5a011168002000000000001526140c1706141431820600009600000000000000000000000000006b000a76e27eed2c3647e57d8602df8b7760b65cc8abde8d47750695623f1296137efcc7f8fe55c6253e8dc10f59f57ae7996a5cf6960fec05fc767cc7c85941
> > INFO:msmart.lan:Couldn't connect with Device 192.168.31.180:6444
> > DEBUG:msmart.device:refresh - Recieved from 192.168.31.180, 318206000096: 
> > INFO:msmart.cli:*** Found a unsupported '0xe3' at 192.168.31.180 - id: 164926744592945 - sn: 21151100TD705251402154120U - ssid: midea_e3_2154
>
> That is your water heater's SSID, i.e. the SSID the heater broadcasts when it is in AP mode waiting to be paired, not the network it is currently connected to.

Yes, that's what I think now too.

@mac-zhou
Owner

> Also, I got hold of their WeChat mini program; the api.js inside has lots of little secrets.
>
> wechat_app.zip

If the 8370 data ultimately can't be decrypted, you could try building a cloud version of the plugin. Developers abroad have made a midea cloud version; I took some inspiration from there for the local LAN version.
I won't be developing a cloud version myself; the two Midea air conditioners at home already work perfectly.

@duchenpaul
Author

By a cloud plugin, do you mean imitating the app and sending request packets to the cloud API?
I haven't found much Midea DIY work. I even considered taking the water heater apart to look at the control board's serial output, but that's quite a lot of effort.

@duchenpaul
Author

duchenpaul commented Jun 25, 2020

Midea Meiju (美的美居) downloads a component for each corresponding smart appliance. This one is for the E3 water heater category; it may contain the relevant pass-through information and how the various keys are generated.
Source: http://mjfile-pro.smartmidea.net/T0xE3_<YYYYMMDD>.zip

T0xE3_20190423.zip

@mac-zhou
Owner

mac-zhou commented Jun 25, 2020 via email

@duchenpaul
Author

Closing this for now; I'll open a new issue if there's progress.
