Smartap Shower Control: Getting started with reverse engineering a smart home device?

Not sure if this is the best place to post but I want to try and localise a smart home device I have

Smartap shower valve (https://victoriaplum.com/brands/smartap) - good device and works really well a lot of the time, but every now and then their servers go down and the device can no longer be controlled via smart methods

When I bought it I read somewhere they had local API control (which is part of the reason I went there) but never managed to find it and I’ve been in contact with the creators and never got any traction there
Given they are a small company I always have the worry that one day I’ll wake up to find they’re gone and be left with an expensive manual control

So… How do I go about trying to reverse engineer myself? Realise this is a huge question, but at the moment I’m just not really sure where to start - any guides?

First step would be to sniff the network traffic coming out of the app, and going to the tap. Best outcome possible for you is that it’s not encrypted and authenticated — but that would be a pretty shoddy effort from them if so.

See if you can send packets to the tap “manually”.

Thanks, can you suggest a good tool to do this (presumably the best thing to do this is on the phone side? So Android in my case)

Edit, found Packet Capture but all I see is an SSL call to aws with no data

You could use a script like this to sniff the packets more easily.

Since you have already discovered it’s encrypting the traffic, you can use mitmproxy and hope the device doesn’t verify the certificates at AWS.

That being said, if the certificate is verified there probably is not much you can do without taking the hardware apart.

You could try to decompile the .apk

http://www.javadecompilers.com/apk


I am very interested in this. I was told by Smartap that they only let hotels and big customers have the REST API. Most disappointing. Wasn’t sure if their API is local or to their cloud server.

Popping the ip address in the browser brings up some json, shame it doesn’t include its state or anything useful.

Oh interesting that you’ve been told that, I never even got that level of info from them, just that they don’t have one available
I suspect it might still go via their servers even if you got the API from them tbh

I’m currently back working via the app but not Alexa, so local support is definitely something I’d love to have…

To be honest I don’t use anything smart on it, as I couldn’t integrate easily.

They suggested using IFTTT or Alexa. I think you can set up a routine in Alexa and maybe find a way to activate that from HA. But what I’m after really is some form of state.

I had it linked to Alexa, but every time I said to turn on bathroom lights, the shower would start as well. Unlinked and now we just use dumb. Can’t even remember last time logged into the app either.

I’ll try sniffing some packets tonight and see what happens.

Other thing I was wondering is if it’s possible to sit something on the button wire which would sense what lights are on and be able to send button pushes. Not sure what protocol the buttons use though. I’ve got a device which does something similar on my layz hot tub to make a dumb device smart.

Do you know if the Smartap app talks direct to the device or is that over the cloud?

Stu

Yeah, I use it with Alexa - I preheat the shower with my morning routine and have it run the kids bath to the right depth and temperature

I’m not 100% sure whether the app talks direct, I believe not, but today I wonder differently as I can activate via app but not Alexa…unsure tho

Interested to learn more of what you find. I haven’t had chance to try myself!

Also interested in the wire side device you’re referring to - even outside of this app I possibly have some uses…

Any luck? I’m currently able to control via the app but not Alexa :frowning:

So I took a look at the output of inputting the IP… Interesting… there are a few things that spring to mind

{"ssidList":["WIFI NAME"],
"lowPowerMode":false,
"serial":"DEVICE SERIAL",
"dns":"lb.smartap-tech.com",
"port":80,
"outlet1":1,
"outlet2":2,
"outlet3":4,
"k3Outlet":true,
"swVer":"0x355",
"wnpVer":"2.:.0.000",
"mac":"MAC ADDRESS"}
"oldAppVer":"pkey:KEY
<\\/div>"

The thing that really springs to mind is the key which seems related to “oldAppVer” - this makes me wonder if the old app maintained a direct connection which utilises that key for pairing somehow… might be worth investigating. It could also be related to the initial pairing process to give wifi

Otherwise it seems to be utilising their own dns server for some reason… I wonder if changing that somehow could provide some inroads

The other thing is that outlet assignment seems stored on the device (makes sense)

Edit. Just realised I misread that and the pkey isn’t related to the oldAppVer, they’re separate… still interesting
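
An added example, not part of the post above or of any Smartap code: a Python sketch that splits a status-page body like the one quoted into its JSON object and the trailing fragment, reads the configured cloud endpoint, and masks identifying values before the output is shared. The sample body is constructed from the placeholders in the post; the function names and the choice of fields to mask are assumptions.

```python
import json
import re

# Constructed sample modelled on the posted output (placeholder values only).
# Assumption: the JSON object is followed by a trailing non-JSON fragment.
SAMPLE_BODY = (
    '{"ssidList":["WIFI NAME"],"lowPowerMode":false,"serial":"DEVICE SERIAL",'
    '"dns":"lb.smartap-tech.com","port":80,"outlet1":1,"outlet2":2,"outlet3":4,'
    '"k3Outlet":true,"swVer":"0x355","wnpVer":"2.:.0.000","mac":"MAC ADDRESS"}'
    '"oldAppVer":"pkey:KEY<\\\\/div>"'
)

# Assumption: these fields identify the network or the device.
SENSITIVE_KEYS = {"ssidList", "serial", "mac"}


def split_body(body):
    """Return (config dict, trailing text) for a body that is JSON plus extra text."""
    start = body.index("{")
    # raw_decode stops at the end of the first JSON value instead of failing
    # on whatever follows it.
    config, end = json.JSONDecoder().raw_decode(body, start)
    return config, body[end:]


def redact(body):
    """Mask identifying fields and any pkey value so the output can be posted."""
    config, trailer = split_body(body)
    safe = {k: ("<redacted>" if k in SENSITIVE_KEYS else v) for k, v in config.items()}
    # Mask everything after "pkey:" up to the next quote or markup character.
    safe_trailer = re.sub(r'(pkey:)[^"<]*', r"\1<redacted>", trailer)
    return safe, safe_trailer


def cloud_endpoint(config):
    """Host and port the device is configured to call out to."""
    return config["dns"], config["port"]


if __name__ == "__main__":
    safe, trailer = redact(SAMPLE_BODY)
    print(json.dumps(safe, indent=2))
    print("trailing text:", trailer)
    print("cloud endpoint:", cloud_endpoint(safe))
```
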

Yes, that seems to have some configuration settings. Wish it would show state as well.

The dns isn’t dns server, but the server it connects to - it appears to be a load balancer in AWS.

I did a quick packet sniff, there seems to be some encrypted data TLS. But it doesn’t seem to make much sense, or a protocol I recognise at all.

I really want to packet capture anything between the app and device, particularly in setup, but I’m not sure how I can do that at the mo. Not sure I have the skills (or patience) to figure this out.

I’m in a similar boat - I also tried decompiling the app (both new and old version)
It seems it’s basically a web interface packaged up and using a lot of a package called Cordova
Haven’t got much further as I fear my skills might be reaching their limits…

Can you see if it ever accesses the device locally and what endpoints it accesses?

I think this would be the key.

I’ve also noticed availability of Smartap is now non-existent in UK and the company website is down. Doesn’t look good. Wish I had gone with the Mira system.

I don’t see a way it accesses locally… I’m going to try see what happens if I kill internet to my phone at some point

Alexa is back up however, so I haven’t lost all hope

Did anyone get anywhere with this?? I’m in the same boat with trying to get local control. When I purchased the e-valve I was told there was an API to allow local control, but then after I handed over the money I was told this was only for hotels :frowning:

Unfortunately I haven’t managed to progress. Seems pretty closed off, and yes I met the same API for hotels resistance.

I think the brand may have disappeared as Victoria Plum no longer sell and the Smartap website has been in maintenance mode for 6 months or so.

Such a shame as it works quite well.

Yeah, same. Mine has completely stopped working in the past week so back to a dumb system… I’ve tried contacting Victoria Plum and the company which purchased them and heard nothing… Really frustrating

I’m wondering if I can Jimmy something up with an esp32 or something but probably more effort than it’s worth. Very annoying tho

When you say stopped working - I presume it’s still working locally and you haven’t had to rip it out?

I was wondering if something could be made with ESP to sit inline on the controller cable. I just don’t know how to figure out what language it talks. But that must report its status to the controllers for the LEDs to show correctly.