readme: better details on psk

Trammell Hudson
2022-01-30 20:25:10 +01:00
parent 60307a5b1f
commit 71cde3de4d


@@ -10,6 +10,14 @@ interface to subscribe to events.
*WARNING: This is not ready for prime time!* *WARNING: This is not ready for prime time!*
The dishwasher has a local HTTPS port open (and the dryer
seems to have unencrypted HTTP). Attempting to connect to
the HTTPS port with `curl` results in a cryptic protocol error
due to the non-standard cipher selection, `ECDHE-PSK-CHACHA20-POLY1305`.
PSK also requires that both sides agree on a symetric key,
so it is necessary to figure out what that key is before any
further progress can be made.
## Finding the PSK ## Finding the PSK
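Review bot: `symetric` in the added paragraph ("both sides agree on a symetric key") is misspelled and should read `symmetric`. The paragraph also blames the `curl` failure on the "non-standard cipher selection" and only afterwards mentions the key requirement; consider one statement that the handshake fails because the suite is PSK-based and the client has no key to offer, which is what the following section then resolves.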
@@ -19,14 +27,18 @@ You will need to set the dishwasher to "`Local network only`"
in the setup application so that your phone will connect in the setup application so that your phone will connect
directly to it, rather than going through the cloud services. directly to it, rather than going through the cloud services.
You'll also need to find the PSK for your devices with a rooted You'll also need a rooted Android phone running `frida-server`
Android phone and the `find-psk.frida` script for Frida. and the `find-psk.frida` script. This will hook the callback
from the OpenSSL library `hcp::client_psk_callback` that is called
when OpenSSL has made a connection and now needs to establish
the PSK.
``` ```
frida --no-pause -f com.bshg.homeconnect.android.release -U -l find-psk.frida frida --no-pause -f com.bshg.homeconnect.android.release -U -l find-psk.frida
``` ```
It should print a message like: It should start the Home Connect application and eventually
print a message like:
``` ```
psk callback hint 'HCCOM_Local_App' psk callback hint 'HCCOM_Local_App'
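Review bot: The added sentence describes `hcp::client_psk_callback` as a "callback from the OpenSSL library", but the `hcp::` prefix reads as a symbol in the application's own code that OpenSSL calls into; name the library the script actually hooks so a reader knows where to look if the symbol is missing. "Eventually print a message" also leaves the trigger unstated: say that the output appears once the app connects to the appliance in "`Local network only`" mode, so a reader does not wait on a screen that never makes the connection.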
@@ -36,7 +48,7 @@ psk 32 0x6ee63fb2f0
00000010 73 f9 2e 01 fc d8 26 80 49 89 4c 19 d7 2e cd cb s.....&.I.L..... 00000010 73 f9 2e 01 fc d8 26 80 49 89 4c 19 d7 2e cd cb s.....&.I.L.....
``` ```
Which gives you the 32-byte PSK value. Which gives you the 32-byte PSK value to copy into the `hcpy` program.
## SSL logging ## SSL logging
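Review bot: "to copy into the `hcpy` program" does not say where the value goes or in what form. The example output is a hexdump with offsets and an ASCII column, so state whether the 32 bytes are entered as one contiguous hex string and which file or variable receives them. Because the PSK is the key both sides share for the local connection, the sentence could also tell readers to keep it out of commits and bug reports.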
@@ -63,3 +75,6 @@ RX: {'sID': 2354590730, 'msgID': 3182729968, 'resource': '/ci/services', 'versio
RX: {'sID': 2354590730, 'msgID': 3182729969, 'resource': '/iz/info', 'version': 1, 'action': 'RESPONSE', 'data': [{'deviceID': '....', 'eNumber': 'SX65EX56CN/11', 'brand': 'SIEMENS', 'vib': 'SX65EX56CN', 'mac': '....', 'haVersion': '1.4', 'swVersion': '3.2.10.20200911163726', 'hwVersion': '2.0.0.2', 'deviceType': 'Dishwasher', 'deviceInfo': '', 'customerIndex': '11', 'serialNumber': '....', 'fdString': '0201', 'shipSki': '....'}]} RX: {'sID': 2354590730, 'msgID': 3182729969, 'resource': '/iz/info', 'version': 1, 'action': 'RESPONSE', 'data': [{'deviceID': '....', 'eNumber': 'SX65EX56CN/11', 'brand': 'SIEMENS', 'vib': 'SX65EX56CN', 'mac': '....', 'haVersion': '1.4', 'swVersion': '3.2.10.20200911163726', 'hwVersion': '2.0.0.2', 'deviceType': 'Dishwasher', 'deviceInfo': '', 'customerIndex': '11', 'serialNumber': '....', 'fdString': '0201', 'shipSki': '....'}]}
``` ```
There are other things that can be hooked in the application
to get the mappings of the `uid` to actual menu settings and
XML files of the configuratio parameters. TODO: document this.
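Review bot: `configuratio` in the last added line should be `configuration`. The inline "TODO: document this." leaves the reader with no pointer to which hooks or XML files are meant; either name them briefly here or move the TODO to an issue and drop it from the README text.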