
gcorgnet

1101 posts

Uber Geek
+1 received by user: 274

ID Verified

#284189 6-Apr-2021 12:10

Hey guys,

Has anyone managed to reverse engineer an API before? I am trying to figure out how my Lockly Smart lock works and how it talks to the Cloud so that I can create an integration for Home Assistant.
So far, I have managed to sniff the packets by using a MITM attack on the SSL encryption using a rooted Android Phone.
I can see a token and some POSTs being made but the data going back and forth seems pretty cryptic to me and hard to make sense of.

Anyone up for a challenge?


davidcole
6112 posts

Uber Geek
+1 received by user: 1476

Trusted

  #2687146 6-Apr-2021 12:54

Have a chat to @bartender he was playing with a pet feeder and worked out its communication.





Previously known as psycik

Home Assistant: Gigabyte AMD A8 Brix, Home Assistant with Aeotech ZWave Controller, Raspberry PI, Wemos D1 Mini, Zwave, Shelly Humidity and Temperature sensors
Media:Chromecast v2, ATV4 4k, ATV4, HDHomeRun Dual
Server
Host Plex Server 3x3TB, 4x4TB using MergerFS, Samsung 850 evo 512 GB SSD, Proxmox Server with 1xW10, 2xUbuntu 22.04 LTS, Backblaze Backups, usenetprime.com fastmail.com Sharesies Trakt.TV Sharesight 




neb

neb
11294 posts

Uber Geek
+1 received by user: 10018

Trusted
Lifetime subscriber

  #2687585 6-Apr-2021 21:56

Could you post some hex dumps of the packets? It should be reasonably straightforward since you can trigger any messaging you want and then see what changes in the data in response to lock open, lock shut, whatever else the Lockly thing does.

gcorgnet

1101 posts

Uber Geek
+1 received by user: 274

ID Verified

  #2687641 7-Apr-2021 08:19

neb: Could you post some hex dumps of the packets? It should be reasonably straightforward since you can trigger any messaging you want and then see what changes in the data in response to lock open, lock shut, whatever else the Lockly thing does.

I'll try but since these packets somehow contain everything one needs to open up my front door, I want to make sure I know which parts are safe to share and which parts I should scrub off :-)
I mean a Bearer token is still required, which I wouldn't be sharing, but there's bound to be some identifiers in there which I should keep to myself, I imagine. Knowing which is which is the hard part.




neb

neb
11294 posts

Uber Geek
+1 received by user: 10018

Trusted
Lifetime subscriber

  #2687917 7-Apr-2021 16:02

gcorgnet: I'll try but since these packets somehow contain everything one needs to open up my front door, I want to make sure I know which parts are safe to share and which parts I should scrub off :-)

Ah, good point... yeah, that's always a problem. Many years ago a friend of mine who maintained mainframes for a part of government that dealt with classified information used to be given redacted core dumps (printed, not in electronic form, so they could be tracked) where the text contents had been carefully cut out with a razor. The government censors didn't realise that the same information was in the hex dumps that were printed alongside the text...


gcorgnet

1101 posts

Uber Geek
+1 received by user: 274

ID Verified

  #2687921 7-Apr-2021 16:15

haha, brilliant... that's the concern here... some of it is not human readable but it could be a simple ROT substitution or similar, so I'm a bit wary of sharing all of this before I understand it a bit more.


neb

neb
11294 posts

Uber Geek
+1 received by user: 10018

Trusted
Lifetime subscriber

  #2687922 7-Apr-2021 16:18

You could always PM it to anyone who's interested, I'm sure it's a pretty small audience.  Downside is you can no longer crowdsource the details, or at least would be relying on a very small crowd.  Since this site is rapidly indexed by Google, I can see why you probably wouldn't want the details online until you knew what parts to remove.


rscole86
5002 posts

Uber Geek
+1 received by user: 467

Moderator
Trusted
Lifetime subscriber

  #2687940 7-Apr-2021 16:38

You could create a private forum here and invite those you wish to share your information with?

gcorgnet

1101 posts

Uber Geek
+1 received by user: 274

ID Verified

  #2883594 9-Mar-2022 11:50

Hi all,

I have captured some traffic between a virtual Android device and the Lockly API.

See here for details: https://community.home-assistant.io/t/lockly-wifi-hub/124501/34?u=guillaume_corgnet

Hopefully there's someone here who would know how to make sense of this as I'm stumped.


neb

neb
11294 posts

Uber Geek
+1 received by user: 10018

Trusted
Lifetime subscriber

  #2884028 9-Mar-2022 21:58

gcorgnet: I have captured some traffic between a virtual Android device and the Lockly API.

See here for details: https://community.home-assistant.io/t/lockly-wifi-hub/124501/34?u=guillaume_corgnet

Hopefully there's someone here who would know how to make sense of this as I'm stumped.

It's definitely base64 since it's got the padding at the end, but some bugger has gone and redacted portions of it. Could you PM me the full strings?

Oh, and I saw the earlier comment about use of TLS, let me guess, they aren't checking the certs and so will accept any MITM proxy as a legit client or server?

Edited to add: And please send the text in the form of text, not a screenshot :-).

gcorgnet

1101 posts

Uber Geek
+1 received by user: 274

ID Verified

  #2884076 10-Mar-2022 07:14

@neb Here's an example string I generated by using a wrong username/password. (I used "username@domain.com" and "somepassword")
STLITVRh01jB9s58MOsKDX3EHuDkmT+ydiKSphbIl2HlPYD4zg0XGRQB2N8wmp1H0JjwqQe0wKlwiuYZnQET4EHfDTAhWLCzEn5EVfb9Tcquvlbh4LdI6hvfCgvjBDLIEwAA65mL8onsEyidR/hJgBnDbKbft5g5kqTpKRoRebeHQvKrHLETE6ecV1JUvTtRLg4+KhrZeNXFuGOlvEIutZFL5NOlWb7eOgFh8uPc1kwP0Wk/Qmk1QjyBDM0EjsX+IjbK3CBSKNgVpEjf3GeCD8Udclu/JXmWQD2+QlURvJ3a99BgtkobovdbEelH4upBFOAZT/tqzgoYE7UbCAi4HA==

Since that string is the only thing that changes when changing the username or password (and is the same across login attempts when using the same credentials), I think it's safe to assume it is either a hash or an encoding of the credentials.


neb

neb
11294 posts

Uber Geek
+1 received by user: 10018

Trusted
Lifetime subscriber

  #2884605 10-Mar-2022 23:19

Thanks! Nothing obvious in there, it's 256 bytes so way more than what you'd need to encode a password hash, and nothing terribly structured-looking. Can you capture ones with different username and password, e.g. changing just username or just password? Variable-length passwords, so "1", "12", "123", etc? Empty values or ones that consist of just a null? The easiest way into things like this is to make small incremental changes and see what happens in the transmitted value...
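Turning neb's approach into a script, as an added example that is not from the thread: it decodes the blob gcorgnet posted, reports its length and entropy, and diffs two captures byte by byte to tell an avalanche change (hash/cipher-like) from a localised one (encoding-like). The two 16-byte captures are constructed placeholders, and the function names are chosen here.

```python
import base64
import math
from collections import Counter

# The login blob posted above (generated with deliberately wrong credentials, so it grants nothing).
LOGIN_BLOB_B64 = "STLITVRh01jB9s58MOsKDX3EHuDkmT+ydiKSphbIl2HlPYD4zg0XGRQB2N8wmp1H0JjwqQe0wKlwiuYZnQET4EHfDTAhWLCzEn5EVfb9Tcquvlbh4LdI6hvfCgvjBDLIEwAA65mL8onsEyidR/hJgBnDbKbft5g5kqTpKRoRebeHQvKrHLETE6ecV1JUvTtRLg4+KhrZeNXFuGOlvEIutZFL5NOlWb7eOgFh8uPc1kwP0Wk/Qmk1QjyBDM0EjsX+IjbK3CBSKNgVpEjf3GeCD8Udclu/JXmWQD2+QlURvJ3a99BgtkobovdbEelH4upBFOAZT/tqzgoYE7UbCAi4HA=="


def decode_blob(b64_text: str) -> bytes:
    """Strict decode: any character outside the base64 alphabet raises instead of being skipped."""
    return base64.b64decode(b64_text, validate=True)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. Hash or cipher output sits close to 8; encoded ASCII text sits well below."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage(b64_text: str) -> dict:
    """Shape of one capture: decoded length, entropy and share of printable bytes."""
    raw = decode_blob(b64_text)
    return {
        "length": len(raw),
        "entropy": round(shannon_entropy(raw), 2),
        "printable_ratio": round(sum(32 <= b < 127 for b in raw) / len(raw), 2),
    }


def changed_offsets(baseline: bytes, variant: bytes) -> list[int]:
    """Byte offsets where a variant capture (e.g. password '12' vs '1') differs from the baseline."""
    if len(baseline) != len(variant):
        raise ValueError("captures differ in length; compare same-length captures first")
    return [i for i, (a, b) in enumerate(zip(baseline, variant)) if a != b]


def classify(baseline: bytes, variant: bytes) -> str:
    """Nearly every byte changing suggests hashing/encryption; a few bytes changing suggests an encoding."""
    frac = len(changed_offsets(baseline, variant)) / len(baseline)
    return "avalanche (hash/cipher-like)" if frac > 0.4 else "localised (encoding-like)"


# Constructed stand-ins for two captures of a 16-byte value where only offsets 3 and 9 differ.
SAMPLE_A = bytes(range(16))
SAMPLE_B = bytes([v ^ 0x55 if i in (3, 9) else v for i, v in enumerate(SAMPLE_A)])

if __name__ == "__main__":
    print(triage(LOGIN_BLOB_B64))
    print(changed_offsets(SAMPLE_A, SAMPLE_B), classify(SAMPLE_A, SAMPLE_B))
```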
