From 71cde3de4d7a6b06e7b0927edd1fc6ae5eeabd6a Mon Sep 17 00:00:00 2001 From: Trammell Hudson Date: Sun, 30 Jan 2022 20:25:10 +0100 Subject: [PATCH] readme: better details on psk --- README.md | 23 +++++++++++++++++++---- 1 file changed, 19 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 1ed0627..86969c3 100644 --- a/README.md +++ b/README.md @@ -10,6 +10,14 @@ interface to subscribe to events. *WARNING: This is not ready for prime time!* +The dishwasher has a local HTTPS port open (and the dryer +seems to have unencrypted HTTP). Attempting to connect to +the HTTPS port with `curl` results in a cryptic protocol error +due to the non-standard cipher selection, `ECDHE-PSK-CHACHA20-POLY1305`. +PSK also requires that both sides agree on a symetric key, +so it is necessary to figure out what that key is before any +further progress can be made. + ## Finding the PSK @@ -19,14 +27,18 @@ You will need to set the dishwasher to "`Local network only`" in the setup application so that your phone will connect directly to it, rather than going through the cloud services. -You'll also need to find the PSK for your devices with a rooted -Android phone and the `find-psk.frida` script for Frida. +You'll also need a rooted Android phone running `frida-server` +and the `find-psk.frida` script. This will hook the callback +from the OpenSSL library `hcp::client_psk_callback` that is called +when OpenSSL has made a connection and now needs to establish +the PSK. ``` frida --no-pause -f com.bshg.homeconnect.android.release -U -l find-psk.frida ``` -It should print a message like: +It should start the Home Connect application and eventually +print a message like: ``` psk callback hint 'HCCOM_Local_App' @@ -36,7 +48,7 @@ psk 32 0x6ee63fb2f0 00000010 73 f9 2e 01 fc d8 26 80 49 89 4c 19 d7 2e cd cb s.....&.I.L..... ``` -Which gives you the 32-byte PSK value. +Which gives you the 32-byte PSK value to copy into the `hcpy` program. ## SSL logging 
@@ -63,3 +75,6 @@ RX: {'sID': 2354590730, 'msgID': 3182729968, 'resource': '/ci/services', 'versio RX: {'sID': 2354590730, 'msgID': 3182729969, 'resource': '/iz/info', 'version': 1, 'action': 'RESPONSE', 'data': [{'deviceID': '....', 'eNumber': 'SX65EX56CN/11', 'brand': 'SIEMENS', 'vib': 'SX65EX56CN', 'mac': '....', 'haVersion': '1.4', 'swVersion': '3.2.10.20200911163726', 'hwVersion': '2.0.0.2', 'deviceType': 'Dishwasher', 'deviceInfo': '', 'customerIndex': '11', 'serialNumber': '....', 'fdString': '0201', 'shipSki': '....'}]} ``` +There are other things that can be hooked in the application +to get the mappings of the `uid` to actual menu settings and +XML files of the configuratio parameters. TODO: document this.
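Review bot: In the first hunk (`@@ -10,6 +10,14 @@`), "symetric" in the added line "PSK also requires that both sides agree on a symetric key," should be "symmetric". In the same paragraph, calling `ECDHE-PSK-CHACHA20-POLY1305` a "non-standard cipher selection" is misleading: it is a standardized TLS 1.2 PSK suite (RFC 7905) that a default `curl` build simply does not offer, so "uncommon" or "PSK-only" would describe the failure more accurately. It would also help to say which ports the HTTPS and the unencrypted HTTP services listen on, since the text asks the reader to try connecting.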
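Review bot: In the second hunk (`@@ -19,14 +27,18 @@`), the sentence "This will hook the callback from the OpenSSL library `hcp::client_psk_callback`" reads as if `hcp::client_psk_callback` were an OpenSSL symbol, while the `hcp::` prefix suggests it belongs to the application and is only invoked by OpenSSL. Suggest rewording to something like "This hooks the application's `hcp::client_psk_callback`, which OpenSSL calls during the handshake to obtain the PSK". "Eventually print a message" could also say what the user has to do in the app to trigger the connection, since the preceding context only mentions setting "`Local network only`".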
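Review bot: In the third hunk (`@@ -36,7 +48,7 @@`), "to copy into the `hcpy` program" does not say where the value goes or in what form; the sample above it is a hexdump with offset and ASCII columns, so the reader has to guess whether `hcpy` wants the 32 bytes as a hex string, a file or an argument. Please state the expected format and location. Also note that the sample output in the context lines shows what look like actual key bytes, while the `RX:` example further down redacts `deviceID`, `mac` and `serialNumber` with `'....'`; the PSK is the more sensitive value and deserves the same treatment, plus a sentence telling users to keep it out of commits and bug reports.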
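Review bot: In the last hunk (`@@ -63,3 +75,6 @@`), "configuratio parameters" is missing the final "n". The added paragraph also refers to "the `uid`" without saying what it identifies, and ends with "TODO: document this." in user-facing text; either name the functions that can be hooked, as the PSK section does with `hcp::client_psk_callback`, or move the TODO to an issue so the README does not promise a procedure it does not describe.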