Ledvance WiFi bulbs

Hi, thank you very much for your investigation. I also had luck with my ledvance GU10 RGBW bulbs. I used the emulator in Android Studio (on windows with Pixel 2 XL API 28, Android 9 x86). It has to be a specific image because otherwise the adb root command will not work (on images with Google Play).

3 Likes

i’m just having a little issue with the colors, but probably the issue is somewhere else, all the light blue (i.e Azure, sky blue) colors turns my bulb in more near to violet color… probably a misconfiguration of localtyuya?

maybe you got something wrong in the configuration. colors look fine for me.

Hey, could you do a small writeup on this method? I was in the middle of sourcing a Pixel 2 for the
sole purpose of getting the localkey from a couple of bulbs, but this seems easier and more financially sane :wink:

I already got the Pixel 2 XL API 28 Android 9 image set up, but don’t know how to proceed from there.

EDIT: Seems I got it setup, and it works with the Chrome example, however when running the command from FrancYescO, it just says “Started tracing 0 functions.” and nothing happens when I refresh the list of devices by swiping down on the android emulator. I do this from remote, as I’m trying to help my brother, could that be the issue?

Hello,

same issue on my side:

Step 1 Download & Install the latest version of Android Studio from here: https://developer.android.com/studio

(in my case 2020.3.1)

Step 2 On the first startup of Android Studio you have to complete the setup wizard:

r/homeassistant - Guide on extract a local key from a Ledvance Bulb (for Local Tuya)

r/homeassistant - Guide on extract a local key from a Ledvance Bulb (for Local Tuya)

Keep everything on default settings

r/homeassistant - Guide on extract a local key from a Ledvance Bulb (for Local Tuya)

Step 3 Open an empty folder (e.g. on your desktop)

r/homeassistant - Guide on extract a local key from a Ledvance Bulb (for Local Tuya)

r/homeassistant - Guide on extract a local key from a Ledvance Bulb (for Local Tuya)

Step 4 Open the AVD Manager and create a virtual device

r/homeassistant - Guide on extract a local key from a Ledvance Bulb (for Local Tuya)

Step 5 Select a device without Play Store (important!!) E.g. Pixel 2 XL

r/homeassistant - Guide on extract a local key from a Ledvance Bulb (for Local Tuya)

Step 6 Click on Download for the Pie system image (API Level 28, Android 9.0)

r/homeassistant - Guide on extract a local key from a Ledvance Bulb (for Local Tuya)

Step 7 Select the downloaded image and click next

Step 8 Now you can start the emulator (play button)

r/homeassistant - Guide on extract a local key from a Ledvance Bulb (for Local Tuya)

r/homeassistant - Guide on extract a local key from a Ledvance Bulb (for Local Tuya)

Step 9 Download python 3.9.x

From here https://www.python.org/downloads/release/python-396/

If you are using Windows 10 64bit I would recommend the installer:

https://www.python.org/ftp/python/3.9.6/python-3.9.6-amd64.exe

Step 10 Run the installer and make sure you select “Add Python 3.9 to PATH”

r/homeassistant - Guide on extract a local key from a Ledvance Bulb (for Local Tuya)

Step 11. Open powershell and install frida tools via pip:

pip install frida-tools

Step 12. Download frida-server from https://github.com/frida/frida/releases

(I used frida-server-15.0.17-android-x86.xz)

Step 13. Extract to a directory via 7zip, WinRAR,… and rename the file to frida-server

Step 14 Setup adb (you can follow this guide https://medium.com/androiddevelopers/help-adb-is-not-found-93e9ed8a67ee)

On Windows I just added C:\Users\[your username]\AppData\Local\Android\Sdk\platform-tools to my PATH variable.

Step 15 Run the adb commands from the directory, where you have extraced frida-server to:

adb root
adb push frida-server /data/local/tmp/
adb shell "chmod 755 /data/local/tmp/frida-server"
adb shell "/data/local/tmp/frida-server &"

(press CTRL+C, this will not stop the server)

Step 16 Download the ldvwifi apk that FrancYescO mentioned: https://m.allfreeapk.com/ledvance-smart-wifi,17068539/download.html.
EDIT: Link is broken now. You may want to look at hints here: https://community.home-assistant.io/t/howto-ledvance-smart-plug-wifi-in-home-assistant-solution/350280?u=flag

Step 17 Run from the same directory where you have downloaded com-ldvsmartwifi-smart-1.apk:

adb install com-ldvsmartwifi-smart-1.apk

Step 18 At this point you have an emulated rooted device with frida-server and the old LEDVANCE SMART+ WiFi Apk installed. Now you can do the last steps that are mentioned by FrancYescO (no macos is needed):

login to the app on the android device, than on macos launch this command with the app in foreground frida-trace -U --decorate -j '*!*encodeString*/isu' -F, refresh the list of device and you will get on the terminal a json-like blob, copy in a text editor and ctrl+f for localKey (oviusly if you have more than one device you will get multiple keys, also if you configured any group in the app)

Hint for windows users: If the last command outputs Started tracing 0 functions. Press Ctrl+C to stop., you should try it in powershell or in cmd.exe without quotes (frida-trace -U --decorate -j *!*encodeString*/isu -F). If it is sucessfull it should trace 2 functions.

10 Likes

Hey :slight_smile:
Thanks for your guide, but I ended up like rgrabot and jacobtc, frida-trace said it’s tracing 0 functions and no output… I’m trying to get this stupid localkey since Friday…

I tried android 9 and 7 (emulated in Android Studio) and 5 different versions of frida-server, always with the same result… Python Version is the same as yours, Windows 10 x64 as well.

MITM Attacks won’t work either, the communication with tuya-cloud looks AES-encrypted and I did not manage to get the AES key so far…

pretty frustrating

Do you get any warnings or errors when you start the frida-server on the emulated device?

If you get something like this:

> adb shell "/data/local/tmp/frida-server &"
Unable to load SELinux policy from the kernel: Failed to open file ?/sys/fs/selinux/policy?: Permission denied

you are running the command in user mode instead of root and it will not work.

If the server runs sucessfully there should be no output.

Nope, everything seems to check out, I just get “Started tracing 0 functions” and nothing happens when I refresh the app on the virtual device.
frida

I just tried everything again and version of frida-server has to be very specific indeed. I even used the wrong one when writing my guide:
It has to be frida-server-15.0.17-android-x86.xz (not frida-server-15.0.17-android-arm.xz). They both start without any problems but only the x86 version (also not the 64bit version) works because it must match your ABI.
Also make sure if you are using e.g. frida-server version 15.0.17, it should also match your cli version:

❯ frida-trace --version
15.0.17

Btw. you can also check if you are in root mode the following way:
If enter a shell command without root it will give you a $ character at the end

❯ adb shell
generic_x86_arm:/ $

But if you are successfully in root mode you will get a #

❯ adb root
❯ adb shell
generic_x86_arm:/ #

I did install the x86 version. Everything seems to check out.

Again, frida does seem to work, as the Chrome example given in the frida documentation seems to work fine.

I think I found the issue: make sure you are not running this command in cmd.exe (the terminal in android studio is cmd.exe by default)
Try it in powershell in a directory where you write files.
With cmd.exe i got the same thing:

frida-trace -U --decorate -j ‘*!encodeString/isu’ -F
Started tracing 0 functions. Press Ctrl+C to stop.

vs in powershell

❯ frida-trace -U --decorate -j '*!*encodeString*/isu' -F
Instrumenting...
MMKV.encodeString: Auto-generated handler at "C:\\Users\\[...]\\__handlers__\\com.tuya.smart.mmkv.MMKV\\encodeString.js"
ByteString.encodeString: Auto-generated handler at "C:\\Users\\[...]\\__handlers__\\okio.ByteString\\encodeString.js"
Started tracing 2 functions. Press Ctrl+C to stop.

I’m going crazy… I have absolutely no idea why, but using powershell seemed to solve the problem :slight_smile:

Thank you!

Seems like cmd.exe handles string parameters differently. It would work without qotes:

frida-trace -U --decorate -j *!*encodeString*/isu -F

I’m glad I could help!

1 Like

Awesome! Powershell gave me an error, buyt running without quotes in cmd did the trick!

I’m guessing the device_id is easy to obtain?

In the app you can see the device_id as the Virtual ID:

Awesome, thanks! Should be easy to do then :slight_smile:

EDIT: The device_id string can also be found named “devId” in the blob.

I’m guessing that there is no reason to sign up for an Tuya IOT dev account anymore, as we got the localkey this other way, correct?

That is correct, if you use this method and local tuya, there is no need for the tuya iot account.

@Flag you are awesome !!!

Worked :slight_smile:

Unfortunately, I have now another question about the Tuya local integration.

How do you configure this part: