Shadowfoot
#298480 20-Jun-2022 17:53

We're moving to a house without a cat door in it, and I would like to have one that reads the microchip to impose a curfew. There is a discussion from 2019 indicating Sureflap has the curfew capability.

The house is not double-glazed, but I expect this will be done in the next couple of years. I would prefer to minimise cost and not need to replace the cat door when that is done.

The laundry door is a possibility. It has glass now, but an option is to have just the top glazed, with the cat door in the bottom half. How easy is it to move a cat door from a glass door to a solid one?

There is a ranch slider in the family room. It has the advantage of not needing to be concerned about other internal doors being closed. I understand it would need to be made with the cat door.

The house is a brick house. How difficult is it to have a cat door tunnel in this?

In addition to this, I would like to be able to see the state of the door, and maybe the number of times it's been used, so wifi or similar would be good. This then has an issue with batteries.

Any suggestions or recommendations? This is not an option: http://www.youtube.com/watch?v=zhreJRfNbqk

freitasm
#2932299 20-Jun-2022 19:16

Please support Geekzone by subscribing, or using one of our referral links: Dosh referral: 00001283 | Sharesies | Goodsync | Mighty Ape | Backblaze

freitasm on Keybase | My technology disclosure

BarTender
#2932301 20-Jun-2022 19:26

So...... Funny story. I spent a bit of time doing some stuff with the SurePet / SureFlap "Connect" series of internet-enabled cat flaps, pet doors and feeders. You can get tunnel extenders for the doors if needed.

If you have a normal-sized cat, the Dual Scan is good: it has the ability to have 4 curfews and can have "inside only" cats, so it doesn't unlock for the indoors-only cat. If they are more chunky, or a small dog (we have both a grumpy old cat and an 11 kg dog who both fit through it), the Pet Door is what you will need, but it doesn't do dual scan so can't scan animals attempting to exit.

Personally I would get it installed in the laundry door rather than installing it in the brick wall, as installing and removing a pane of glass is a lot cheaper than a brick wall.

Then when you have decided which door you want, you can wander over to my documentation page, where I have completely reverse engineered the SurePetCare stack and hooked it into my local Home Assistant stack: https://pethublocal.github.io/

I even built it as a Home Assistant add-on, so it is very straightforward to install once you have done the DNS poisoning.

I also have a spare Hub I have already hacked and a spare Cat Door, and just picked up a Pet Door off Trademe (yes, I think I have a problem!), which we could come to some agreement over if that works.

I'll be talking about this at my Kawaiicon talk next week.

Edit: with some links, and now I have a second Pet Door to complete the collection.

mdf
#2932307 20-Jun-2022 20:01

We've just been shopping for something with a curfew mode too. Sureflap seems to be the main game in town. We went with the SurePet option and didn't get the Smarthub, but might have to now, if only to integrate with HASS. Works well, seems reliable. The Sureflap website will ship to NZ addresses pretty promptly.

We also needed a new door, so I fitted the flap while everything was off the hinges. It was a fairly easy DIY process to install the flap in a wooden door, but you will almost certainly need professional support to install in brick or double glazing.

I was pretty pleased with myself at hanging a door from scratch for the first time (and getting it right), but @Bartender's reverse engineering definitely puts me in the shade! Super impressed with that effort.

BarTender
#2932315 20-Jun-2022 20:22

mdf:

We've just been shopping for something with a curfew mode too. Sureflap seems to be the main game in town. We went with the SurePet option and didn't get the Smarthub, but might have to now, if only to integrate with HASS. Works well, seems reliable. The Sureflap website will ship to NZ addresses pretty promptly.

We also needed a new door, so I fitted the flap while everything was off the hinges. It was a fairly easy DIY process to install the flap in a wooden door, but you will almost certainly need professional support to install in brick or double glazing.

I was pretty pleased with myself at hanging a door from scratch for the first time (and getting it right), but @Bartender's reverse engineering definitely puts me in the shade! Super impressed with that effort.

When you purchase the door you need to get the "Connect" series rather than the normal one. The devices talk a modified, XORed 802.15.4 (aka Zigbee-style) protocol. I did go down the path of building my own hub, but that just turned out to be a bit too hard with a number of things they have in the hub, and it turns out hacking the hub was easier, as I have figured out how to extract the certificate password from the hub so can fully MITM all the traffic back to their cloud service, which is how I reverse engineered it.

A lot of work has gone into it, but overall I am quite stoked with everything I have achieved.

neb
#2932357 21-Jun-2022 07:59

BarTender:

Then when you have decided which door you want you can wander over to my documentation page where I have completely reverse engineered the SurePetCare stack and hooked it into my local HomeAssistant stack: https://pethublocal.github.io/

Responding to the cert check comment on there, have you looked to see what it's checking in the cert? From experience with Android apps they rarely do a proper check but simply check the domain name, the issuer name, the key fingerprint, or something similar, so if you can find out where they stop checking, e.g. the issuer name, you could create your own certs starting from that point and spoof the certs as well.

BarTender
#2932371 21-Jun-2022 08:19

neb:
BarTender:

Then when you have decided which door you want you can wander over to my documentation page where I have completely reverse engineered the SurePetCare stack and hooked it into my local HomeAssistant stack: https://pethublocal.github.io/

Responding to the cert check comment on there, have you looked to see what it's checking in the cert? From experience with Android apps they rarely do a proper check but simply check the domain name, the issuer name, the key fingerprint, or something similar, so if you can find out where they stop checking, e.g. the issuer name, you could create your own certs starting from that point and spoof the certs as well.

Yes, the hub used to not verify the server certificate in firmware 2.43 when I started, but now it does in firmware 2.201. I am 100% confident my project had something to do with that change. But the request to the credentials endpoint returns a PKCS12 client certificate that the hub uses to authenticate to the AWS IoT MQTT endpoint. That PKCS12 has a password on it, which is based on a 16-byte key in the hub's persistent flash, which I have figured out is also used to XOR the firmware, so I figured out how to find the XOR key for the firmware and then convert that into the PKCS12 client certificate password.

About the firmware: https://pethublocal.github.io/firmware

Calculating the PKCS12 certificate password based on the unique XOR key used to XOR each hub's firmware: https://github.com/PetHubLocal/pethublocal/blob/main/pethublocal/functions.py#L1178-L1229

Validating that the PKCS12 certificate password based on the firmware is correct: https://pethublocal.github.io/certificate#mqtt-tls-aws-iot-traffic

Downgrading the firmware from 2.201 to 2.43 using the XOR key found above and re-XORing the 2.43 firmware with the hub-specific XOR key: https://github.com/PetHubLocal/pethublocal/blob/main/pethublocal/functions.py#L1232-L1266
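
The two steps in the post above, finding a hub-specific XOR key in a keyed firmware image and then re-XORing a different image with it, as an added example that is not PetHubLocal's code (the project's own versions are at the links). It assumes the image is protected by a plain repeating 16-byte XOR and that erased-flash padding (0xFF) dominates the image, so the most common byte at each key position is 0xFF ^ key[i]; a known-plaintext variant is included for when a string's offset is known instead. The firmware images, the hostname string and the key are all constructed. How the project turns the key into the PKCS12 password is not reproduced here.

```python
"""Recover a repeating 16-byte XOR key from a keyed firmware image and re-key
another image with it.  Added illustration, not PetHubLocal's code.
Assumptions: the image is protected by plain repeating XOR; erased-flash
padding (0xFF) dominates the image, so per key position the most common
ciphertext byte is 0xFF ^ key[i].  All images, strings and keys below are
constructed.  Turning the key into the PKCS12 password is not reproduced."""
from collections import Counter
import random

KEY_LEN = 16   # assumption: the key repeats every 16 bytes
PAD = 0xFF     # assumption: erased-flash fill byte that dominates the image


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; encoding and decoding are the same operation."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(blob: bytes, key_len: int = KEY_LEN, pad: int = PAD) -> bytes:
    """Majority vote per key position: the most common byte is pad ^ key[i]."""
    key = bytearray(key_len)
    for i in range(key_len):
        common, _count = Counter(blob[i::key_len]).most_common(1)[0]
        key[i] = common ^ pad
    return bytes(key)


def key_from_known_plaintext(blob: bytes, offset: int, known: bytes,
                             key_len: int = KEY_LEN) -> bytes:
    """Variant for when a string's offset is known (e.g. a hostname located
    by trying candidate offsets): key byte = cipher ^ plain, aligned to the
    key phase.  Needs at least key_len known bytes."""
    if len(known) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    key = bytearray(key_len)
    for j in range(key_len):
        key[(offset + j) % key_len] = blob[offset + j] ^ known[j]
    return bytes(key)


def confirm_key(blob: bytes, key: bytes, marker: bytes) -> bool:
    """Sanity check before using a recovered key: the decoded image must
    contain a string we know is in the firmware."""
    return marker in xor_with_key(blob, key)


def build_sample_image(seed: int, version: bytes) -> bytes:
    """Constructed stand-in for a firmware image: code-like bytes, the hub's
    hostname and a version string, then a large erased-flash region."""
    rng = random.Random(seed)
    code = bytes(rng.randrange(256) for _ in range(2048))
    strings = b"hub.api.surehub.io\x00" + version + b"\x00"
    return code + strings + bytes([PAD]) * 6144


# Constructed hub-specific key and two "firmware versions" keyed with it.
HUB_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
NEW_PLAIN = build_sample_image(1, b"2.201")   # what the hub currently runs
OLD_PLAIN = build_sample_image(2, b"2.43")    # what we want to put back
NEW_BLOB = xor_with_key(NEW_PLAIN, HUB_KEY)   # the keyed image as downloaded


def downgrade_blob() -> bytes:
    """Recover this hub's key from its current keyed image, then key the
    older plaintext image with it so it matches what the hub expects."""
    key = recover_key(NEW_BLOB)
    if not confirm_key(NEW_BLOB, key, b"hub.api.surehub.io"):
        raise RuntimeError("recovered key does not decode the image")
    return xor_with_key(OLD_PLAIN, key)


if __name__ == "__main__":
    print("recovered key:", recover_key(NEW_BLOB).hex())
    print("downgrade image carries 2.43:",
          b"2.43\x00" in xor_with_key(downgrade_blob(), HUB_KEY))
```

The majority vote needs nothing but the keyed image; the known-plaintext variant is the fallback when padding is sparse but a string's offset is known. Whether the hub checks anything beyond the XOR (the firmware CRC discussed later in the thread) is a separate question that this does not address.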
neb
#2932378 21-Jun-2022 08:40

Nice work, particularly the XOR-key-search trick!

And that's Microsoft's gift to the world of PKI (apart from broken PKI software): once you can put private keys in a PKCS #12 you don't need to do cert generation properly with the key held by the client, but can just ship the private key around over open networks or in email. Still, at least they try and do per-client keys rather than a shared key across all devices like many vendors do.

Do they checksum or sign the firmware? Looks like they chain up to the Amazon Root #1; if it's possible to modify the firmware you could search for the byte string for that and overwrite it with your own cert, and conveniently leave out the OCSP data as well in case they ever decide to perform those checks.

freitasm
#2932382 21-Jun-2022 08:51

You folks should see @BarTender next week at Kawaiicon.





BarTender
#2932390 21-Jun-2022 09:20

neb: Nice work, particularly the XOR-key-search trick! And that's Microsoft's gift to the world of PKI (apart from broken PKI software): once you can put private keys in a PKCS #12 you don't need to do cert generation properly with the key held by the client, but can just ship the private key around over open networks or in email. Still, at least they try and do per-client keys rather than a shared key across all devices like many vendors do. Do they checksum or sign the firmware? Looks like they chain up to the Amazon Root #1; if it's possible to modify the firmware you could search for the byte string for that and overwrite it with your own cert, and conveniently leave out the OCSP data as well in case they ever decide to perform those checks.

Generating your own client cert is easy, and that isn't the issue, as you can return the existing cert when connecting to the local MQTT broker on 8883 and your local broker just accepts that it's an AWS cert; the hostname it connects to is returned in the credentials request, so I point it to the local MQTT broker. Having a smaller cert doesn't significantly reduce the boot time, so there isn't much point.

What I am trying to figure out is the CRC calculation on the firmware file. That way I could byte-patch the firmware hostname it connects to so it is something other than the hard-coded value of "hub.api.surehub.io", as the first step in setting everything up is poisoning that DNS entry. If anyone knows Ghidra and is able to understand assembler, I have the exact function call that is being made and logs from the upgrade showing the steps it takes at that point. I just need to figure out the calculation for the firmware CRC and it's all over.

neb
#2932399 21-Jun-2022 09:55

BarTender:

What I am trying to figure out is the CRC calculation on the firmware file. That way I could byte-patch the firmware hostname it connects to so it is something other than the hard-coded value of "hub.api.surehub.io", as the first step in setting everything up is poisoning that DNS entry. If anyone knows Ghidra and is able to understand assembler, I have the exact function call that is being made and logs from the upgrade showing the steps it takes at that point. I just need to figure out the calculation for the firmware CRC and it's all over.

Mark Adler (of zlib fame) did a CRC-spoofer some years ago that let you change what you want and then it'll make compensating changes to restore the CRC... ah, here it is. You do need to know the CRC polynomial though.

Edited to add: There's a bunch of writeups around on doing that if you can't locate the CRC table in the binary, e.g. this one, but it's not much fun.
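
The compensating-bytes trick neb is describing, as an added example that is neither Mark Adler's tool nor anything taken from the hub's firmware. It assumes the standard reflected CRC-32 (polynomial 0xEDB88320, init and final XOR 0xFFFFFFFF); the table, shift constants and walk-back would have to change for any other parameters, which is why the parameters have to be recovered first. It rewrites a hostname string in a constructed image and then forces four bytes in a slack region so the image's CRC is unchanged. The image, the replacement hostname and the slack offset are constructed; whether the real check runs over the XORed bytes or the plaintext, and which region it covers, is not known from the thread, and the patch window has to sit inside whatever the check actually hashes.

```python
"""Force a CRC-32 to a chosen value by rewriting four bytes.
Added example: not Adler's spoof tool and not the hub's check.  Assumes the
standard reflected CRC-32 (poly 0xEDB88320, init 0xFFFFFFFF, xorout
0xFFFFFFFF).  The sample image, hostname and slack offset are constructed."""

POLY = 0xEDB88320
MASK = 0xFFFFFFFF


def _make_table():
    table = []
    for i in range(256):
        c = i
        for _ in range(8):
            c = (c >> 1) ^ POLY if c & 1 else c >> 1
        table.append(c)
    return table


TABLE = _make_table()
# For CRC-32 every table entry has a distinct top byte, so the top byte of the
# register after a step identifies which entry was XORed in.  That is what
# lets us run the register backwards and solve for the four patch bytes.
REV = {entry >> 24: i for i, entry in enumerate(TABLE)}
assert len(REV) == 256


def _forward(state, data):
    for b in data:
        state = TABLE[(state ^ b) & 0xFF] ^ (state >> 8)
    return state


def _backward(state, data):
    """Undo _forward over data: from the register after it to the one before."""
    for b in reversed(data):
        idx = REV[state >> 24]
        state = (((state ^ TABLE[idx]) << 8) | ((idx ^ b) & 0xFF)) & MASK
    return state


def crc32(data: bytes) -> int:
    return _forward(MASK, data) ^ MASK


def forge(data: bytes, offset: int, target: int) -> bytes:
    """Return data with bytes [offset, offset+4) rewritten so crc32() == target."""
    if offset < 0 or offset + 4 > len(data):
        raise ValueError("patch window out of range")
    before = _forward(MASK, data[:offset])               # register entering the window
    after = _backward(target ^ MASK, data[offset + 4:])  # register it must leave with
    # After four bytes the register is T[i4] ^ T[i3]>>8 ^ T[i2]>>16 ^ T[i1]>>24
    # (the incoming state has shifted out entirely), so peel the indices off.
    idx = [0] * 4
    rem = after
    idx[3] = REV[rem >> 24]
    rem ^= TABLE[idx[3]]
    idx[2] = REV[(rem >> 16) & 0xFF]
    rem ^= TABLE[idx[2]] >> 8
    idx[1] = REV[(rem >> 8) & 0xFF]
    rem ^= TABLE[idx[1]] >> 16
    idx[0] = REV[rem & 0xFF]
    rem ^= TABLE[idx[0]] >> 24
    assert rem == 0, "inconsistent walk-back"
    # Now choose each byte so the forward lookup hits the index we need.
    patch = bytearray()
    state = before
    for i in idx:
        patch.append((state ^ i) & 0xFF)
        state = TABLE[i] ^ (state >> 8)
    out = bytearray(data)
    out[offset:offset + 4] = patch
    return bytes(out)


def patch_string_keep_crc(image: bytes, old: bytes, new: bytes, slack: int) -> bytes:
    """Replace NUL-terminated `old` with `new` (must fit; NUL padded) and
    rewrite four bytes at `slack` so the image keeps its original CRC."""
    if len(new) > len(old):
        raise ValueError("replacement must not be longer than the original")
    pos = image.find(old + b"\x00")
    if pos < 0:
        raise ValueError("string not found")
    if pos < slack + 4 and slack < pos + len(old) + 1:
        raise ValueError("slack window overlaps the string")
    patched = bytearray(image)
    patched[pos:pos + len(old) + 1] = new.ljust(len(old) + 1, b"\x00")
    return forge(bytes(patched), slack, crc32(image))


# Constructed stand-in image: code-like bytes, the hostname, erased-flash padding.
IMAGE = bytes(range(64)) + b"hub.api.surehub.io\x00" + b"\xff" * 64
SLACK = len(IMAGE) - 8   # four bytes inside the padding that nothing reads

if __name__ == "__main__":
    out = patch_string_keep_crc(IMAGE, b"hub.api.surehub.io", b"hub.lan.example", SLACK)
    print(hex(crc32(IMAGE)), hex(crc32(out)), out[64:83])
```

The replacement hostname here is shorter than the original and NUL-padded on the assumption that the firmware reads it as a C string; a longer name would need a different approach. If the check turns out to be a different CRC width or polynomial, reveng-style parameter recovery comes first and only the table and the peel-off shifts above change.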

BarTender
#2932475 21-Jun-2022 12:54

neb:
BarTender:

What I am trying to figure out is the CRC calculation on the firmware file. That way I could byte-patch the firmware hostname it connects to so it is something other than the hard-coded value of "hub.api.surehub.io", as the first step in setting everything up is poisoning that DNS entry. If anyone knows Ghidra and is able to understand assembler, I have the exact function call that is being made and logs from the upgrade showing the steps it takes at that point. I just need to figure out the calculation for the firmware CRC and it's all over.

Mark Adler (of zlib fame) did a CRC-spoofer some years ago that let you change what you want and then it'll make compensating changes to restore the CRC... ah, here it is. You do need to know the CRC polynomial though. Edited to add: There's a bunch of writeups around on doing that if you can't locate the CRC table in the binary, e.g. this one, but it's not much fun.

I have had a number of fairly solid cracks at brute forcing the various CRC values using https://reveng.sourceforge.io/ without any success, on both the XORed version of the firmware and the CRC on the MiWi radio frames. As I have the firmware fully decompiled in Ghidra, it's my view that if someone smarter than me can look at the function(s) being called and say "oh, it's this poly, init, rev and xor, you idiot", I would be totally OK with that. But I have parked it due to time commitments. I am planning to bring that up during the talk and see if anyone wants to pick up that mantle.

richms
#2932479 21-Jun-2022 13:09

The Sureflap is about it, and it's very very limited in how smart it is.

There is no way to know which room a cat is in; it only knows of "outside" and "inside", so if a cat leaves the bedroom, it is now outside because that's the way the door is installed. Then if it goes into the spare room, it's "inside" because of that.

There is no way to have the cat feeder and the door sync, so if the greedy bastard is inside then it's not open for the timid cat that gets pushed out of the way.

No way to set a cat to be outside only, meaning that I can't have one cat allowed into the bedroom and out of it, and another cat only allowed to leave since I let him in manually, unless I physically take the door out and turn it around so that it's going the other way.

The phone app is just a web view to the really really slow web interface.

Richard rich.ms

BarTender
#2932486 21-Jun-2022 13:28

So let me break this down....

richms: The Sureflap is about it, and it's very very limited in how smart it is.

1) There is no way to know which room a cat is in; it only knows of "outside" and "inside", so if a cat leaves the bedroom, it is now outside because that's the way the door is installed. Then if it goes into the spare room, it's "inside" because of that.

2) There is no way to have the cat feeder and the door sync, so if the greedy bastard is inside then it's not open for the timid cat that gets pushed out of the way.

3) No way to set a cat to be outside only, meaning that I can't have one cat allowed into the bedroom and out of it, and another cat only allowed to leave since I let him in manually, unless I physically take the door out and turn it around so that it's going the other way.

4) The phone app is just a web view to the really really slow web interface.

1) This is true of the official cloud, but each door reports the action, so you can write node-red code or similar automation in Home Assistant to update the location based on which door the cat passed through.

2) Semi-correct: the tags are provisioned on all the remote devices and there is no workflow in the cloud to change the provisioning state. It would also consume battery each time you updated it from the cloud, as all the units are completely independent.

That being said, there is the "Intruder" custom mode that can be set on the feeder, which means that if the feeder detects more than one tag then it closes the feeder. That is what I would have turned on so the greedy bugger doesn't steal food, and when the proper cat goes away the feeder closes rather than staying open because the IR link is still broken.

3) I am fairly certain you have a Dual Scan Cat Flap, not the Pet Door, so you can provision animals to be inside only with the door mounted in reverse: both animals could exit (aka "come in"), but only the "allowed" cat can enter, and the non-allowed cat would be set to inside only so couldn't enter. Alternatively you can also turn on the "Non-Selective exit" custom mode and only have the allowed cat provisioned on the door, so any cat can exit but only the provisioned cat can enter. The Pet Door doesn't have dual scan so can let any animal out.

4) The MQTT feed is directly off the Hub and remote devices; sometimes response times are slow as they are battery operated, but it is much more responsive locally than back to the official cloud.

We have tweeted more than a few times, with me asking if you wanted to check out my local stack, saying I have figured out a lot of the custom codes and that you can do some great automation with Home Assistant, to which you have said you weren't interested ¯\_(ツ)_/¯

neb
#2932949 22-Jun-2022 06:49

BarTender:

I have had a number of fairly solid cracks at brute forcing the various CRC values using https://reveng.sourceforge.io/ without any success, on both the XORed version of the firmware and the CRC on the MiWi radio frames. As I have the firmware fully decompiled in Ghidra, it's my view that if someone smarter than me can look at the function(s) being called and say "oh, it's this poly, init, rev and xor, you idiot", I would be totally OK with that. But I have parked it due to time commitments. I am planning to bring that up during the talk and see if anyone wants to pick up that mantle.

Another possibility, and this will require digging into the Ghidra output, is that they may be including extra metadata in the checksum, or alternatively skipping metadata. The latter is quite common (it drove me nuts with some signed COFF images where I just couldn't get the hash value right): hash the image as loaded into memory rather than the entire file, so the metadata is never checked, at which point you modify the load address to overwrite the loader and get instant code execution.

I'm sure there'll be people at Kawaiicon who can assist with this :-).

freitasm
#2932960 22-Jun-2022 07:58

While interesting I think we veered too much off topic now.



