Retrieve localkey for Tuya Based Devices Using Bluestacks and Frida

I wrote this to get the localkey for Proscenic M8 Pro robot vacuum. But this would apply for any Tuya based device. I know - it is possible to retrieve localkey using a developer account in Tuya. But that is not always possible for all Tuya based devices. Some of them refuse to connect to/via Tuya app. This is for such devices.

The general idea is -

  1. you connect the device(s) to your network using their custom app (installed on your phone or on Bluestacks),
  2. using Frida, trace the apps method/function calls,
  3. dump those trace details to a file,
  4. search and find localkey in that file,
  5. the value would be next to it.

You need: -

  1. Bluestacks (rooted)
  2. termux on Bluestacks
  • install Python via termux
  3. Frida
  • server
  • frida-trace
  • frida core devkit

I have mentioned adb in the steps below. It’s not really a requirement. I just happened to use it. I used version 16.0.19 of Frida because that was the latest version. Any version after that should work, I believe.

Also, this guide shows using Proscenic app. So, you will have to adjust this guide accordingly for your app - like, install that app (and not Proscenic), retrieve the process id for that app, etc.

Now, the steps: -

Install Bluestacks

Enable root

Install Proscenic M8 Pro app on Bluestacks

Install termux on Bluestacks and run the commands below

On Termux Terminal

  • Needed later to avoid error messages: download the Frida Core Devkit from GitHub, save it to /data/local/tmp/, then run the following command.

export FRIDA_CORE_DEVKIT=/data/local/tmp/frida-core/

  • Just make sure everything is up to date

pkg upgrade

  • Install Python3

pkg install python

  • Run necessary updates

pip install --upgrade pip
pip install --upgrade pip setuptools wheel

  • Install frida-tools client on Bluestacks

pip install frida-tools

  • Download frida-server from github latest
  • Make sure the architecture/release matches.
  • I used android_x86_64 for Bluestacks
  • Extract it and rename to frida-server
  • Using ADB push it to /data/local/tmp

On your Windows machine command line

adb push ./frida-server /data/local/tmp/

Login to Bluestacks shell

adb shell

  • Become root

su

  • Make it executable

chmod 755 /data/local/tmp/frida-server

  • Use the command below to run frida-server in the background

/data/local/tmp/frida-server &

You may have to hit CTRL + C to get your prompt back (that’s OK, the server will continue to run).

On Bluestacks UI

  • Run the Proscenic app and login with your credentials

Open termux

  • Run the following command to become the superuser/root

su

  • Run the following command to get the PID of the Proscenic app [ change this ‘robot’ to match your app ]

ps -ef | grep robot

  • Quit root

exit

  • Run frida-trace against that PID

frida-trace -H 127.0.0.1:27042 --decorate -j '*!*encodeString*' -p <PID from the above command> -o <path of a local file to save the frida-trace output to>

-H connects to the frida-server listening on the local Bluestacks machine (27042 is frida-server’s default port).
-j traces every Java method whose name contains encodeString, in any class of the process given by -p.

Go back to the Proscenic app and pull down the main/first screen/page to refresh your device list.
Now retrieve the file where frida-trace would have dumped all its output. Check/search for localkey in it. The value you are looking for would be next to it.
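The search in the last step can be scripted. The following is an added example, not part of the original guide; it assumes the trace file is plain text in which the key appears either as JSON (`\"localKey\":\"...\"`, as frida-trace prints string arguments with escaped quotes) or as a `localkey=...` pair. The sample trace, device ids and key values are constructed; what your trace actually contains depends on the arguments the app passes to encodeString.

```python
"""Scan a frida-trace dump for a Tuya localKey value.

Added example, not part of the original guide. Assumes the trace is plain
text where the key shows up as JSON (with escaped quotes) or as key=value;
real output depends on what the traced encodeString calls receive.
"""
import re
import sys
from typing import List, Tuple

# Constructed sample of trace output; device ids and key values are made up.
SAMPLE_TRACE = r"""
           /* TID 0x1f3c */
  1043 ms  encodeString("{\"devId\":\"bf0123456789abcdef\",\"localKey\":\"0123456789abcdef\",\"name\":\"M8 Pro\"}")
  1044 ms  encodeString("{\"pv\":\"3.3\",\"ip\":\"192.0.2.10\"}")
  1102 ms  encodeString("localkey=fedcba9876543210&id=bf9876543210fedcba")
  1103 ms  encodeString("{\"localKey\":\"0123456789abcdef\"}")
"""

# Matches localKey / localkey / local_key in JSON form (optionally with the
# backslash-escaped quotes frida-trace prints) or key=value form, and captures
# the alphanumeric value that follows the separator.
LOCALKEY_RE = re.compile(
    r"local_?key\\?[\"']?\s*[:=]\s*\\?[\"']?([A-Za-z0-9]{8,})",
    re.IGNORECASE,
)


def find_localkeys(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, value) for every localkey occurrence, in order."""
    hits: List[Tuple[int, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in LOCALKEY_RE.finditer(line):
            hits.append((lineno, match.group(1)))
    return hits


def unique_localkeys(text: str) -> List[str]:
    """Distinct values in first-seen order; the same device key repeats across calls."""
    seen: List[str] = []
    for _, value in find_localkeys(text):
        if value not in seen:
            seen.append(value)
    return seen


def main(argv: List[str]) -> int:
    # With a file argument, scan the frida-trace output file; otherwise use the sample.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_TRACE
    hits = find_localkeys(text)
    if not hits:
        print("no localkey found; refresh the device list in the app and trace again")
        return 1
    for lineno, value in hits:
        print(f"line {lineno}: {value}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python find_localkey.py <the file you gave to -o>`; with no argument it scans the built-in sample. The line numbers it prints let you go back to the surrounding trace line and confirm which device id the key belongs to when more than one device is paired.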

This would work with any app using Tuya and localkey to connect to Tuya. Just make sure to get the PID of the app that you are attempting to trace and give that PID to frida-trace.