IKEA Trådfri Gateway [Zigbee]

yeah, and soon integrated in HASS!

1 Like

I also spoofed the traffic yesterday and found out that they are using DTLS v1.2 for security. The cipher used is TLS_PSK_WITH_AES_128_CCM_8. The problem right now is to “find” the shared key used. A security code is printed on the gateway. This is used when pairing the application with the gateway. I tried to use this (converted it to hex first) in Wireshark but the data is still encrypted.

Perhaps the code is hashed with MD5 and then used in the TLS handshake…it can also have been “or:ed” with the MAC and hashed and used as a key…

Still a lot of trial and error…any suggestions?

Interestingly, I was able to add my Philips Hue bulbs into the IKEA app by using the IKEA remote to pair the lights. Unfortunately, I could no longer control the light from the Hue app having done this pairing.

1 Like

Downloaded the APK-file for the app from Google Play, renamed it to a .zip-ending and had a look at the files in there. There is, among other things, a key-file and reference to WolfSSL and CoAP in the dex-file.

Decompiled the dex using dex2jar and viewed it in jd-gui. Still on the search for the structure of the psk (pre-shared key) and the client identity. Found a key-file in the apk with the key Bar12345Bar12345 (seems to be default when using CoAP library). Tried that one as psk but no luck.

Some suggestions for psk

  • Security code (printed on the gateway)
  • Serial number (MAC-address). Also printed on the gateway
  • Key from file, key-file.txt (Bar12345Bar12345)
  • Some of the parameters above hashed together

More info regarding the libraries used:

If you have multiple bulbs, it would be nice with 2 dumps, one where you turn off 1 light and another where you turn off the other.

Also it could be useful if you provide multiple dumps turning off the same light, just to see if it sends the exact same data each time.

But the good news is that it seems to send the data directly from the phone to the gateway instead of using some cloud service.

Also could you include the response the app sends?
Now I have never used tcpdump but couldn’t you write something like (dst 192.168.0.129 and src 192.168.0.188) or (src 192.168.0.129 and dst 192.168.0.188)?

Also the following might be useful: the Java documentation for wolfSSL https://www.wolfssl.com/documentation/wolfssl-jni-javadocs/index.html

Edit: It seems the WolfSSLContext controls the encryption and it is created in the /com/ikea/tradfri/lightning/coap/WolfConnector.java class. The problem is, if DTLS works the same way that TLS does, then we won’t be able to decrypt it even if we manage to find the key, as that key is only used to encrypt, not decrypt…
At least I managed to find the cipherlist PSK-AES128-CCM-8:PSK-AES128-CBC-SHA256;

I found the same keys when listening to the traffic between ios and gateway. I.e. PSK-AES128-CCM-8:PSK-AES128-CBC-SHA256

@stenehall I don’t think that is the key, my guess is that it just describes how to encrypt and sign the packets.

As the network packets are encrypted, the way forward has to be to decompile the APK and add breakpoints to study the data.
I have some other projects I want to finish first, then I’ll look at it (not having a physical Android phone might make this impossible for me to do), but I found a nice tutorial if anyone is up for the task.

Perhaps useful information (Newer version of Wireshark to decode DTLS properly).

https://ask.wireshark.org/questions/55487/decrypt-application-data-pending-dtls-abbreviated-handshake-using-psk

More information about cipher used

http://vs0.inf.ethz.ch/

Client identity and pre-shared key are mandatory to make the magic happen. Then we could listen to the traffic from the application to the server and write an application that acts as the app (still have to use DTLS but that’s a minor issue).

It seems they are working on DTLS 1.2 in PyDTL so that shouldn’t be a problem, tho it would add a dependency on OpenSSL.
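Why the PSK is the only missing piece for reading a capture: with a plain PSK suite such as TLS_PSK_WITH_AES_128_CCM_8, every record key is a function of the PSK and the two handshake randoms, which travel in the clear. The sketch below is an added example, not code from any poster; the randoms are constructed, the candidate key is the key-file value quoted earlier in the thread, the function names are hypothetical, and it assumes the extended master secret extension was not negotiated.

```python
import hashlib
import hmac
import struct

def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_hash from RFC 5246 section 5, instantiated with HMAC-SHA256."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()            # A(i)
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()  # HMAC(A(i) + seed)
    return out[:length]

def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF; RFC 6655 CCM suites use the SHA-256 variant."""
    return p_sha256(secret, label + seed, length)

def psk_premaster(psk: bytes) -> bytes:
    """RFC 4279 section 2: uint16 N, N zero bytes, uint16 N, then the PSK."""
    n = struct.pack("!H", len(psk))
    return n + bytes(len(psk)) + n + psk

def derive_keys(psk: bytes, client_random: bytes, server_random: bytes) -> dict:
    """Key block for an AEAD suite with 16-byte keys and 4-byte implicit IVs."""
    master = prf(psk_premaster(psk), b"master secret",
                 client_random + server_random, 48)
    # Note the swapped random order for key expansion (RFC 5246 section 6.3).
    block = prf(master, b"key expansion", server_random + client_random, 40)
    return {
        "client_write_key": block[0:16],
        "server_write_key": block[16:32],
        "client_write_iv": block[32:36],
        "server_write_iv": block[36:40],
    }

# Constructed handshake randoms; in a capture they sit in ClientHello/ServerHello.
CLIENT_RANDOM = bytes(range(32))
SERVER_RANDOM = bytes(range(32, 64))
CANDIDATE_PSK = b"Bar12345Bar12345"   # key-file value quoted in the thread

if __name__ == "__main__":
    for name, value in derive_keys(CANDIDATE_PSK, CLIENT_RANDOM, SERVER_RANDOM).items():
        print(f"{name}: {value.hex()}")
```

Because nothing ephemeral enters the derivation, a recorded session stays decryptable for as long as the PSK is known; the DHE_PSK suites defined alongside it close that gap.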

https://bitsex.net/software/2017/coap-endpoints-on-ikea-tradfri/

6 Likes

Thanks for the link @Danielhiversen! From there, it shouldn’t be that tricky to build an integration into HA. Just tried downloading a few python-based CoAP-implementations, of which one was based on Python3. Have to resume tomorrow as I’m on a too low version level of Python.

1 Like

Nice work. Had problems with PSK in a too old version of Wireshark when rev. engineering communication. Are you using the PSK unmodified from the sec code? What are they using as “Client Identity” in DTLS?

…and again, really great work. Time to download CoAP- and DTLS-library in fav. lang.
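The suite and the client identity asked about in this thread are both visible in a capture, because the DTLS handshake runs unencrypted at epoch 0: ServerHello names the chosen suite and, per RFC 4279, ClientKeyExchange carries the PSK identity in the clear. This parser is an added example, not code from any poster; the sample flight and the identity string are constructed, and it assumes unfragmented handshake messages, one per record.

```python
import struct

SUITES = {0xC0A8: "TLS_PSK_WITH_AES_128_CCM_8",        # RFC 6655
          0x00AE: "TLS_PSK_WITH_AES_128_CBC_SHA256"}   # RFC 5487

def dtls_records(data):
    """Yield (content_type, epoch, payload) per record (13-byte DTLS header)."""
    off = 0
    while off + 13 <= len(data):
        ctype, _version, epoch = struct.unpack_from("!BHH", data, off)
        (length,) = struct.unpack_from("!H", data, off + 11)  # after 6-byte seq
        yield ctype, epoch, data[off + 13: off + 13 + length]
        off += 13 + length

def inspect_handshake(data):
    """Return what the epoch-0 (unencrypted) handshake shows an observer."""
    seen = {}
    for ctype, epoch, payload in dtls_records(data):
        if ctype != 22 or epoch != 0 or len(payload) < 12:
            continue                        # 22 = handshake; epoch > 0 is encrypted
        msg_type, body = payload[0], payload[12:]  # skip 12-byte handshake header
        if msg_type == 2 and len(body) >= 37:      # ServerHello
            sid_len = body[34]                     # follows version(2) + random(32)
            (suite,) = struct.unpack_from("!H", body, 35 + sid_len)
            seen["cipher_suite"] = SUITES.get(suite, hex(suite))
        elif msg_type == 16 and len(body) >= 2:    # ClientKeyExchange, RFC 4279
            (id_len,) = struct.unpack_from("!H", body, 0)
            seen["psk_identity"] = body[2:2 + id_len].decode("utf-8", "replace")
    return seen

def _record(msg_type, body, seq, epoch=0, ctype=22):
    """Build one constructed DTLS 1.2 record holding one handshake message."""
    hs = (bytes([msg_type]) + len(body).to_bytes(3, "big") + seq.to_bytes(2, "big")
          + bytes(3) + len(body).to_bytes(3, "big") + body)
    return (bytes([ctype]) + b"\xfe\xfd" + epoch.to_bytes(2, "big")
            + seq.to_bytes(6, "big") + len(hs).to_bytes(2, "big") + hs)

# Constructed sample flight, not taken from a real gateway capture.
SERVER_HELLO = b"\xfe\xfd" + bytes(32) + b"\x00" + b"\xc0\xa8" + b"\x00"
CLIENT_KEX = len(b"example-identity").to_bytes(2, "big") + b"example-identity"
SAMPLE_FLIGHT = (_record(2, SERVER_HELLO, 1) + _record(16, CLIENT_KEX, 2)
                 + _record(16, b"\x00\x03abc", 0, epoch=1))  # epoch 1: skipped

if __name__ == "__main__":
    print(inspect_handshake(SAMPLE_FLIGHT))
```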

Another forum has linked to this thread and an interesting post regarding libcoap and the dtls branch was just posted. Check out the post by arturo182 here:
https://github.com/bwssytems/ha-bridge/issues/570

1 Like

After pairing the Hue bulb with the IKEA gateway, did it work as intended from the IKEA app? (Was it a white or multi-colored bulb?)
Also, any chance you could try with a Hue light strip? (It seems IKEA has no plans of adding a smart light strip when I asked their support last time.)

Based on what I’ve found so far online, I’ve put together a very simple implementation on my Raspberry Pi. Taking no credit for all the hard work others have put in and just put my code here if you want to play around :)

I first installed the libcoap-library as such:

apt-get install libtool

git clone --recursive https://github.com/obgm/libcoap.git
cd libcoap
git checkout dtls
git submodule update --init --recursive
./autogen.sh
./configure --disable-documentation --disable-shared
make
sudo make install

I’ve put together a very simple Python-script that I’m planning to execute by running a shell_command:

Edit: deprecated, please look at the GitHub link below instead.

You then run the code by invoking:

python ikea.py "65537"  "100" "Yellow"

Or, from within Home assistant as a shell command:

ikealight_off: '/usr/bin/python3 /home/homeassistant/.homeassistant/extraconfig/python_code/ikea.py "65537"  "0" "Yellow"'
1 Like

To make code maintenance a bit easier, I’ve put the script here:

https://github.com/ggravlingen/home-assistant/blob/master/extraconfig/python_code/ikea.py

2 Likes

I just wrote a minimal web interface for controlling the brightness of Trådfri bulbs.
It’s absolutely dirty code, but I just wanted a working example to start with for now.
You need to install libcoap with dtls like I described here: https://github.com/bwssytems/ha-bridge/issues/570#issuecomment-292036357
You also need to have Flask installed.
Then you can download the server https://gist.github.com/r41d/65be2c7a111ac6c32f24d762ba38612c
Place it on the same level in the file system as the libcoap folder and heed the instructions in the file.
The interface is ugly as hell, but it’s a first step.
Have fun.

2 Likes

I wonder how feasible it will be to wrap the integration with Tradfri with the Hue API. Given that Hue is widely adopted, it would give instant compatibility with many other platforms.

1 Like