bartek/hcpy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

readme: better details on psk

Browse Source
This commit is contained in:
Trammell Hudson
2022-01-30 20:25:10 +01:00
parent 60307a5b1f
commit 71cde3de4d
1 changed files with 19 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
README.md
View File

@@ -10,6 +10,14 @@ interface to subscribe to events.
*WARNING: This is not ready for prime time!*
The dishwasher has a local HTTPS port open (and the dryer
seems to have unencrypted HTTP). Attempting to connect to
the HTTPS port with `curl` results in a cryptic protocol error
due to the non-standard cipher selection, `ECDHE-PSK-CHACHA20-POLY1305`.
PSK also requires that both sides agree on a symetric key,
so it is necessary to figure out what that key is before any
further progress can be made.
## Finding the PSK
@@ -19,14 +27,18 @@ You will need to set the dishwasher to "`Local network only`"
in the setup application so that your phone will connect
directly to it, rather than going through the cloud services.
You'll also need to find the PSK for your devices with a rooted
Android phone and the `find-psk.frida` script for Frida.
You'll also need a rooted Android phone running `frida-server`
and the `find-psk.frida` script. This will hook the callback
from the OpenSSL library `hcp::client_psk_callback` that is called
when OpenSSL has made a connection and now needs to establish
the PSK.
```
frida --no-pause -f com.bshg.homeconnect.android.release -U -l find-psk.frida
```
It should print a message like:
It should start the Home Connect application and eventually
print a message like:
```
psk callback hint 'HCCOM_Local_App'
@@ -36,7 +48,7 @@ psk 32 0x6ee63fb2f0
00000010 73 f9 2e 01 fc d8 26 80 49 89 4c 19 d7 2e cd cb s.....&.I.L.....
```
Which gives you the 32-byte PSK value.
Which gives you the 32-byte PSK value to copy into the `hcpy` program.
## SSL logging
@@ -63,3 +75,6 @@ RX: {'sID': 2354590730, 'msgID': 3182729968, 'resource': '/ci/services', 'versio
RX: {'sID': 2354590730, 'msgID': 3182729969, 'resource': '/iz/info', 'version': 1, 'action': 'RESPONSE', 'data': [{'deviceID': '....', 'eNumber': 'SX65EX56CN/11', 'brand': 'SIEMENS', 'vib': 'SX65EX56CN', 'mac': '....', 'haVersion': '1.4', 'swVersion': '3.2.10.20200911163726', 'hwVersion': '2.0.0.2', 'deviceType': 'Dishwasher', 'deviceInfo': '', 'customerIndex': '11', 'serialNumber': '....', 'fdString': '0201', 'shipSki': '....'}]}
```
There are other things that can be hooked in the application
to get the mappings of the `uid` to actual menu settings and
XML files of the configuratio parameters. TODO: document this.