Recovering encryption key about homeassistant-greeclimatecomponent HOT 28 CLOSED

Hi,
Unfortunately Android developers are allowed to create an application with allowBackup:false option, which disallows creating offline backup with adb backup ;/ In this case you simply cannot obtain encryption key with this method from unrooted android phone:

grep android:allowBackup EWPE\ Smart_v1.8.3.10_apkpure.com/AndroidManifest.xml                                                                                  
31:    <application android:allowBackup="false" android:icon="@drawable/icon" android:label="@string/app_name" android:name="com.stub.StubApp" android:networkSecurityConfig="@xml/network_security_config" android:supportsRtl="true" android:theme="@style/AppTheme">

Fortunately! I've digged in older versions of this application and it seems like version 1.5.1.2 allows creating backups:

grep android:allowBackup EWPE\ Smart_v1.5.1.2_apkpure.com/AndroidManifest.xml                                                                                   
38:    <application android:allowBackup="true" android:icon="@drawable/icon" android:label="@string/app_name" android:name="com.gree.application.GreeApplaction" android:supportsRtl="true" android:theme="@style/AppTheme">

So you could remove you current version and try it with the older one downloaded and installed manually from apkmirror, apkpure or similar website.

If it'll work for you, please let us know, so we can update the readme.

from homeassistant-greeclimatecomponent.

Backup is not encrypted if you leave 'password prompt' empty while doing adb backup. It's a compressed tar with 24 bytes of header, that's why decompressing requires steps such as:
dd if=data.ab bs=1 skip=24 | python -c "import zlib,sys;sys.stdout.write(zlib.decompress(sys.stdin.read()))" | tar -xvf -

As I am running the app on an emulator (mEMU), the andorid is rooted and I can access the file structure where the gree.db lies inside the database folder.
I've extracted that but it still cannot be opened via an sql editor. That's why I wrote that the db might be encrypted.

install older version and copy db from data/data/com.gree.ewpe without backup #64 (comment)
on look in logcat #64 (comment)

Cool, this did the trick.
So, to summarize , these didn't work:

1. adb backup didn't work, even with the older version of the app suggested above, the returned size of the backup was 47 bytes only
2. logcat displayed the encrypted communication (see tomikaa87's great explanation from the link that was provided on the main page of the project), but this needs decoding of the encrypted info that is in the "pack", but doesn't list the key any more, neither does it with the app version 1.5.xx listed above. I wanted another method that didn't need the decode of the pack content.
3. the gree.db on any newer version is somehow encrypted, as I could not open the db files.

What did work:

1. Loaded the old version of the app (make sure you cancel the update) and then open the db file with an sql editor.
   I have used an emulator on PC (to have root access), then opened the db file with and editor (I've used SQLite Editor, and there I've opened one on the tables, called db_device_xxxxxx
   https://ibb.co/6mppCNp
   Afterwards, you will see the privates keys in the table:
   https://ibb.co/RbD08Wy

from homeassistant-greeclimatecomponent.

@srozb can you help out here? I think this is the part you used, right?

from homeassistant-greeclimatecomponent.

Another way to get encryption key:

1. Unlock developer options on phone
2. In developer options enable USB dedugging
3. Install/open Android Studio and open/create any project
4. Connect phone to PC, confirm USB debugging dialog
5. Open logcat panel in Android Studio, run EWPE or Gree+ app and sign in.
6. In logcat panel you can see a lot of logs, and something like this:
   { "r": 200, "devs": [ { "mac": "XXXX", "pmac": "", "name": "XXXX", "brand": "", "catalog": "", "mid": "10001", "vender": "1", "key": "XXXX", "barCode": "", "longitude": "0", "latitude": "0", "altitude": "0", "city": "", "bindTime": "2020-03-18 16:09:07", "selfLearning": 0, "ssid": "", "autoRepair": 0, "authorize": "", "thirdpartyId": "" }, { "mac": "XXXX", "pmac": "", "name": "XXXX", "brand": "", "catalog": "", "mid": "10001", "vender": "1", "key": "XXXX", "barCode": "", "longitude": "0", "latitude": "0", "altitude": "0", "city": "", "bindTime": "2020-06-12 08:52:47", "selfLearning": 0, "ssid": "", "autoRepair": 0, "authorize": "", "thirdpartyId": "" } ] } where "key" is your encryption key. Works on Win/Unix with latest version of EWPE/Gree+ app.

from homeassistant-greeclimatecomponent.

@Hagakurje's solution seems to be much better. I'm unable to verify but most certainly above steps should be enough to obtain a key:

1. make sure usb debugging is enabled on the phone and it's seen in device listing: adb devices
2. run adb logcat "GR_DeviceManage:D *:S" on your computer, this should print all the debug info created by EWPE app.
3. run EWPE app on your mobile, which should trigger debug line with encryption key on your logcat.

Installing Android SDK Platform-Tools should suffice.

from homeassistant-greeclimatecomponent.

I've recently installed 2 Gree Fairy airconditioner units.
The protocol seems different:
(I've modified the uid and token as I'm posting it publicly, but also with this one it doesn't work):

6-24 20:24:01.999 12657 18899 E GR_DeviceManage: TCP_Socket_In:java.io.BufferedReader@d3d4355 06-24 20:24:02.097 12657 18894 D requestAsyn: urlStr = https://eugrih.gree.com/App/QueryOnline params={"api":{"appId":"5686063144437916735","r":1593001441780,"t":"2020-06-24 12:23:58","vc":"bc84bf054448d2d87cFFfe2474b9463b"},"datVc":"27b652d23a8249e0c1b81ccb0ff53d24","macs":["f4911ec48edb","f4911ec4643c"],"token":"cbb279de748405ad3f681cFF9f34ed5b","uid":154FF36} 06-24 20:24:02.097 12657 18894 D requestAsyn: doPost result1: {"r":200,"online":[{"mac":"f4911ec48edb","svr":"eu01.as.gree.com:6000","ctime":"2020-06-24 10:20:31","isSSL":false},{"mac":"f4911ec4643c","svr":"eu02.as.gree.com:16380","ctime":"2020-06-24 10:33:47","isSSL":false}],"offline":[]} 06-24 20:24:02.097 12657 18894 V DbManager1234: result = {"r":200,"online":[{"mac":"f4911ec48edb","svr":"eu01.as.gree.com:6000","ctime":"2020-06-24 10:20:31","isSSL":false},{"mac":"f4911ec4643c","svr":"eu02.as.gree.com:16380","ctime":"2020-06-24 10:33:47","isSSL":false}],"offline":[]}

from homeassistant-greeclimatecomponent.

This looks like a communication between APK on your mobile phone and the Gree Cloud Service. I would recommend trying to sniff and decrypt the traffic - that helped me with troubleshooting.

Here's my script to decrypt traffic:
https://gist.github.com/ae51049f6e69ba149b0c24ab3db535c7

from homeassistant-greeclimatecomponent.

Yes, it's captured with ADB.
Thanks for your script, however what should I decrypt with it ? The token: ?

from homeassistant-greeclimatecomponent.

Knowing the encryption key, it should allow you to decrypt the communication between HVAC and mobile phone and compare it with what's been sent by home-assistant.

from homeassistant-greeclimatecomponent.

I also saw you scan script, however port 7000 is not open on neither of the devices.

from homeassistant-greeclimatecomponent.

Oh, now I saw the explanation on tomikaa87's page. So the pack is encoded with a generic key, and later on they will exchange the AES key. And this "pack" should be decrypted :)

Thanks, will try once I have some free time.

from homeassistant-greeclimatecomponent.

that's right, and it's UDP by the way.

from homeassistant-greeclimatecomponent.

Do you guys have any idea how the gree.db is encrypted ? I tried to open it with an sqlite browser, but doesn't recognize the format.

from homeassistant-greeclimatecomponent.

Hi,
Unfortunately Android developers are allowed to create an application with allowBackup:false option, which disallows creating offline backup with adb backup ;/ In this case you simply cannot obtain encryption key with this method from unrooted android phone:

grep android:allowBackup EWPE\ Smart_v1.8.3.10_apkpure.com/AndroidManifest.xml                                                                                  
31:    <application android:allowBackup="false" android:icon="@drawable/icon" android:label="@string/app_name" android:name="com.stub.StubApp" android:networkSecurityConfig="@xml/network_security_config" android:supportsRtl="true" android:theme="@style/AppTheme">

Fortunately! I've digged in older versions of this application and it seems like version 1.5.1.2 allows creating backups:

grep android:allowBackup EWPE\ Smart_v1.5.1.2_apkpure.com/AndroidManifest.xml                                                                                   
38:    <application android:allowBackup="true" android:icon="@drawable/icon" android:label="@string/app_name" android:name="com.gree.application.GreeApplaction" android:supportsRtl="true" android:theme="@style/AppTheme">

So you could remove you current version and try it with the older one downloaded and installed manually from apkmirror, apkpure or similar website.

If it'll work for you, please let us know, so we can update the readme.

Nope, I've tried it and the created backup is still ~47 bytes.

from homeassistant-greeclimatecomponent.

I have also tried to backup th gree.db on a rooted emulated phone, however the db seems to be encrypted and I cannot open with any sql editor.

from homeassistant-greeclimatecomponent.

Backup is not encrypted if you leave 'password prompt' empty while doing adb backup. It's a compressed tar with 24 bytes of header, that's why decompressing requires steps such as:

dd if=data.ab bs=1 skip=24 | python -c "import zlib,sys;sys.stdout.write(zlib.decompress(sys.stdin.read()))" | tar -xvf -

from homeassistant-greeclimatecomponent.

Backup is not encrypted if you leave 'password prompt' empty while doing adb backup. It's a compressed tar with 24 bytes of header, that's why decompressing requires steps such as:

dd if=data.ab bs=1 skip=24 | python -c "import zlib,sys;sys.stdout.write(zlib.decompress(sys.stdin.read()))" | tar -xvf -

It looks like the ADB backup is not succesfull. It generates an 47 byte long file with the following content:
ANDROID BACKUP 4 1 none xÚb��£�ŒT ÿÿ� � �

So this highly drives me into the direction that the backup was not succesfull I've also tried the older apk suggested above, but still the same result.

from homeassistant-greeclimatecomponent.

Backup is not encrypted if you leave 'password prompt' empty while doing adb backup. It's a compressed tar with 24 bytes of header, that's why decompressing requires steps such as:

dd if=data.ab bs=1 skip=24 | python -c "import zlib,sys;sys.stdout.write(zlib.decompress(sys.stdin.read()))" | tar -xvf -

As I am running the app on an emulator (mEMU), the andorid is rooted and I can access the file structure where the gree.db lies inside the database folder.
I've extracted that but it still cannot be opened via an sql editor. That's why I wrote that the db might be encrypted.

from homeassistant-greeclimatecomponent.

Backup is not encrypted if you leave 'password prompt' empty while doing adb backup. It's a compressed tar with 24 bytes of header, that's why decompressing requires steps such as:
dd if=data.ab bs=1 skip=24 | python -c "import zlib,sys;sys.stdout.write(zlib.decompress(sys.stdin.read()))" | tar -xvf -

As I am running the app on an emulator (mEMU), the andorid is rooted and I can access the file structure where the gree.db lies inside the database folder.
I've extracted that but it still cannot be opened via an sql editor. That's why I wrote that the db might be encrypted.

install older version and copy db from data/data/com.gree.ewpe without backup #64 (comment)
on look in logcat #64 (comment)

from homeassistant-greeclimatecomponent.

So, I can now confirm that the component works also with the Gree Fairy (GWH12ACC-K6DNA1D ) air conditioners.

from homeassistant-greeclimatecomponent.

Hi, Maybe I got something wrong (@RobHofmann please correct me if necessary) but IMHO there is no need to extract the key. This is now done automatically by the component using the generic GREE key. In my climate.yaml I only provide the following (of course the real MAC) and it works like a charm every time:

- platform: gree
  name: Conditioner
  host: 192.168.0.20
  mac: 'xx:xx:xx:xx:xx:xx'
  port: 7000
  timeout: 10
  target_temp_step: 1
  temp_sensor: sensor.ap_living_temp
  health: input_boolean.ac_health
  sleep: input_boolean.ac_sleep
  eightdegheat: input_boolean.ac_eightdegheat

So why do you keep trying to extract the key from the mobile device?? Try the method I have posted above. Those are the specific sections in the code that take care of getting the encryption key directly from the device:

if encryption_key:
            _LOGGER.info('Using configured encryption key: {}'.format(encryption_key))
            self._encryption_key = encryption_key.encode("utf8")
        else:
            self._encryption_key = self.GetDeviceKey().encode("utf8")
            _LOGGER.info('Fetched device encrytion key: %s' % str(self._encryption_key))

and

    def GetDeviceKey(self):
        _LOGGER.info('Retrieving HVAC encryption key')
        GENERIC_GREE_DEVICE_KEY = "a3K8Bx%2r8Y7#xDh"
        cipher = AES.new(GENERIC_GREE_DEVICE_KEY.encode("utf8"), AES.MODE_ECB)
        pack = base64.b64encode(cipher.encrypt(self.Pad('{"mac":"' + str(self._mac_addr) + '","t":"bind","uid":0}').encode("utf8"))).decode('utf-8')
        jsonPayloadToSend = '{"cid": "app","i": 1,"pack": "' + pack + '","t":"pack","tcid":"' + str(self._mac_addr) + '","uid": 0}'
        return self.FetchResult(cipher, self._ip_addr, self._port, self._timeout, jsonPayloadToSend)['key']

from homeassistant-greeclimatecomponent.

Unless you had configured your device with mobile app before and encryption key was randomly generated and stored in both devices for further communication. That was my case and key extraction was required to set up this component.
Keep also in mind that there are various brands based on Gree hardware with slightly different protocol implementation. For example my Innova HVAC requires Device ID parameter to be explicitly defined which is not required in case of some other brands.

from homeassistant-greeclimatecomponent.

@srozb is right.

For most Gree AC's it is NOT mandatory to extract the encryption key. However if you are currently using a mobile app and you want to keep using that (which I personally dont do), you need to get the encryptionkey fro the mobile app. If you dont get the key in this scenario, HomeAssistant will overwrite the key and your app will stop working.

Having said that, there are some more obscure implementations of the Gree protocol for AC's, which might require the key (like @srozb suggests)

Again: i personally recommend using HomeAssistant without any mobile apps to make life easy, but I can see this being different for other people.

from homeassistant-greeclimatecomponent.

I'm sorry to ask this question here, but it is related and I don't want to open another issue if it's not the case. I have two Gree ACs for which I did the setup through the Gree official app, and then I added them in Home Assistant without the encryption key. This worked great but in the last month the ACs don't respond to commands all the time, and the official app is not working as well. In order to fix this I have to unplug them and plug them back in, after which they will be visible in the official app, and they will also work in Home Assistant. A neighbor has exactly the same ACs and he's also having the same issue, so I'm guessing the problem could be related to Gree servers perhaps.
Would adding the encryption key help me in any way? I tried many things, from troubleshooting Wifi network, to changing the MAC address("-" instead of ":" and viceversa), but nothing worked, and it's annoying to have flows like "if temperature too high -> check if AC is responding -> if not -> turn smart plug off/on -> issue commands". Maybe someone had these issues as well and they know how to fix this. I have no problem in uninstalling the official app because I'm trying to replace everything with Home Assistant, but I don't know if I can do the wifi setup without their app.

from homeassistant-greeclimatecomponent.

I doubt that will work, but you can always give it a try. If the AC's suddenly stop working it indicates an issue with the AC itself (where the Gree server runs). You can try to contact the vendor to check if theres any fixes for this. It sounds like the Gree server is crashing. Does the AC come with a remote? and does it still respond to the remote?

from homeassistant-greeclimatecomponent.

Yes, it always responds to the remote. I thought the commands from this component go through a cloud API from gree, and then to the actual AC. But if the component communicates directly with the server inside the AC, I should talk with Gree and ask them to replace the WiFi modules or see if they can fix it.

from homeassistant-greeclimatecomponent.

Yeah, It sounds like the gree server is indeed crashing or something like that. This integration communicates directly to the AC's without any clouds (my AC's dont have any access to the internet).

from homeassistant-greeclimatecomponent.

Closing this for now. If something pops up, let me know. I'm thinking about integrating #71 as the desired method of getting the encryptionkey from the AC's. Have to test it before I will update the readme.

from homeassistant-greeclimatecomponent.