Lockly WiFi Hub

I gave up on these and installed Baldwin touchscreen z-waves instead

Hi, I tried a while ago and did capture some traffic but couldn’t really make sense of it.
I would need to try that again and see what I can extract.

Would you be interested in helping me take a look if I sent some logs?

Any news regarding Lockly? If intercepting and dumping pcap logs using ntopng would help, let me know.

I have the lock as well and was hoping I could bypass getting the hub via an ESP32 chip to pass those BLE commands myself. While yes I could just buy the hub, doing it myself seems like much more fun if it’s possible :stuck_out_tongue:

Twenty fifthing this

I cannot believe that the best door lock (Lockly) and the best home automation system (HA) cannot and have not been integrated.
This makes no sense.

Well they have their own Wifi hub setup and I don’t think they want anyone interfacing with their system or something.
I’m currently trying to reverse engineer the bluetooth packets but way out of my depth. Be nice to find someone who knew what they were doing ;p

Please keep me updated with your progress!!

Sorry for photo, but basically I’m trying to pair with the lock but getting kicked out because of auth reasons I imagine. Not sure how to get past that or emulate my phone auth or something. So pretty stumped for now unless someone has some more experience in this area.

So did you get the above by trying to pair the computer running HA with the lock directly?

Yup. So just today I’ve ended up getting Wireshark and the bleak lib in Python to play nice so I can play on Windows, which is my main OS :stuck_out_tongue:

I’ve grabbed some services and characteristics, but I’m still trying to pair that data with the logs from my phone/app, and I still have no idea if I need to send some kind of auth packets or not. Defs looking for some assistance on this… ;p

data.characteristics[5].uuid '0000fff2-0000-1000-8000-00805f9b34fb'
data.characteristics[2].uuid '0000fff1-0000-1000-8000-00805f9b34fb'
data.characteristics[8].uuid '0000fff4-0000-1000-8000-00805f9b34fb'
data.characteristics[13].uuid '00002a23-0000-1000-8000-00805f9b34fb'
data.characteristics[15].uuid '00002a24-0000-1000-8000-00805f9b34fb'
data.characteristics[17].uuid '00002a25-0000-1000-8000-00805f9b34fb'
data.characteristics[19].uuid '00002a26-0000-1000-8000-00805f9b34fb'
data.characteristics[21].uuid '00002a27-0000-1000-8000-00805f9b34fb'
data.characteristics[29].uuid '00002a50-0000-1000-8000-00805f9b34fb'
data.characteristics[27].uuid '00002a2a-0000-1000-8000-00805f9b34fb'
data.characteristics[25].uuid '00002a29-0000-1000-8000-00805f9b34fb'
data.characteristics[23].uuid '00002a28-0000-1000-8000-00805f9b34fb'

data.services[1].uuid '0000fff0-0000-1000-8000-00805f9b34fb'
data.services[12].uuid '0000180a-0000-1000-8000-00805f9b34fb'

"UUID: " + data.descriptors[4].uuid + " " + data.descriptors[4].description + " CharUUID: " + data.descriptors[4].characteristic_uuid
'UUID: 00002901-0000-1000-8000-00805f9b34fb Characteristic User Description CharUUID: 0000fff1-0000-1000-8000-00805f9b34fb'
'UUID: 00002901-0000-1000-8000-00805f9b34fb Characteristic User Description CharUUID: 0000fff2-0000-1000-8000-00805f9b34fb'
'UUID: 00002902-0000-1000-8000-00805f9b34fb Client Characteristic Configuration CharUUID: 0000fff4-0000-1000-8000-00805f9b34fb'
'UUID: 00002901-0000-1000-8000-00805f9b34fb Characteristic User Description CharUUID: 0000fff4-0000-1000-8000-00805f9b34fb'

According to my router (MAC address lookup), the Wi-Fi gateway is based on an Espressif chip.
If I can help in any way, sniffing the Wi-Fi traffic, etc., just ping me.

As far as I can see, mine communicates with 47.89.226.64 on port 1883, TLS encrypted.

I’m assuming the way it works is:

  1. Wifi Hub is turned on and searches and connects to the lock via BT and hub is connected to your home wifi.
  2. Lock then pairs with the hub via BT
  3. Hub enables all the features of the lock like the app does

I suspect it’s still communicating with the lock via BT using whatever auth/pairing setup a phone would use, which I haven’t been able to figure out.

Packet inspection might be required for sniffing those packets, but not sure it would help ;p

I had some time today and set up an Android Virtual Device with a MITM attack on the HTTPS connection. Installed the Lockly app on there and was able to talk to the Lockly Cloud (and therefore my lock) and sniff the traffic.

Here’s a stream of calls being the result of me logging in.

Quite different from APIs I have seen in the past, where each call seems to get passed a “para” which most of the time is a unique, seemingly random encoded string.

I’m kind of stuck there. Even the login call doesn’t pass the username / password but sends a bunch of random strings.

If there are any experts here who could shed some light on this…


Bit of a stretch, but can you try decoding them here?
https://base64.guru/tools/character-encoding

Cheers mate. Nah I had tried base64 decoding but it gives me more gibberish so possibly not base 64 encoded.
I’m thinking that might be a hash of my username/password created on the client side and sent across the wire? In which case, no chance to decode it.
I wonder if I can peek at the code in the APK to see what these things are?

I did already try decompiling the APK, but decompiled Java is not the same as having the source, so it didn’t mean much to me unfortunately.
Plenty of dex2jar type sites if you wanna have a go.

You’re quite right. I just got into the APK and boy is it confusing…

Will start a thread here to rubber duck my findings as I’m playing around with the app.

I can see that the following string is the only thing that changes when I enter a different password.
Thinking it might be a hashed (or encoded, really, as it looks a bit longer than most hashes) version of the username and the password.

I can also see that the hashed/encoded string is the same length, regardless of the size of the credentials I enter. Makes me think it might be a hash.
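The checks the last few posts apply by hand (does it base64-decode, is it a fixed length regardless of input, does its size match a known digest) as a small analysis script. This is an added example, not code from the thread, the Lockly app or its API; the `SAMPLES` values are constructed stand-ins rather than real captures, and the digest-size table is only a hint, since any fixed-size token or ciphertext block can match it.

```python
import base64
import binascii
import string

# Digest sizes in bytes of common hash functions. A value whose raw length
# matches one of these is consistent with a hash, not proof of one: any
# fixed-size token or ciphertext block can match too.
DIGEST_SIZES = {16: "MD5", 20: "SHA-1", 28: "SHA-224", 32: "SHA-256",
                48: "SHA-384", 64: "SHA-512"}

# Constructed stand-ins for captured "para" values; not real Lockly traffic.
SAMPLES = {
    "hex_digest": "0123456789abcdef" * 4,   # 64 hex chars, SHA-256 sized
    "b64_digest": "A" * 43 + "=",           # base64 of 32 raw (zero) bytes
    "b64_text": "aGVsbG8gd29ybGQ=",         # base64 of "hello world"
    "junk": "not base64!",                  # neither hex nor base64
}

def try_base64(s: str):
    """Decode s as standard or URL-safe base64 (missing padding tolerated); None if invalid."""
    padded = s + "=" * (-len(s) % 4)
    for altchars in (None, b"-_"):
        try:
            return base64.b64decode(padded, altchars=altchars, validate=True)
        except (binascii.Error, ValueError):
            continue
    return None

def classify(value: str) -> dict:
    """Describe an opaque API parameter: hex digest, base64 digest, base64 text, or other."""
    report = {"length": len(value), "hex": False, "base64": False,
              "decoded_len": None, "digest_guess": None, "decoded_printable": None}
    if value and len(value) % 2 == 0 and all(c in string.hexdigits for c in value):
        # Hex uses only base64-alphabet characters, so b64decode would "succeed"
        # and return gibberish; test the hex interpretation first.
        report["hex"] = True
        report["digest_guess"] = DIGEST_SIZES.get(len(value) // 2)
        return report
    raw = try_base64(value)
    if raw is not None:
        report["base64"] = True
        report["decoded_len"] = len(raw)
        report["digest_guess"] = DIGEST_SIZES.get(len(raw))
        report["decoded_printable"] = all(32 <= b < 127 for b in raw)
    return report

def same_length(samples) -> bool:
    """True when every captured value has the same length, the hint raised above."""
    return len({len(s) for s in samples}) == 1
```

A hex digest is itself valid base64 input, so base64-decoding one yields gibberish even though nothing was base64-encoded; that is why the script tests the hex reading first.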