Smartap Shower Control: Getting started with reverse engineering a smart home device?

Hi, I’m also new to the forum… I have had Smartap for about two years. Mine is now also push-button only to switch on. I was wondering if I could use a smart relay (Lightwave). If I hardwired that in, I could then use the Lightwave app and Alexa to turn it on for me. If so, does anyone know which wires in the switch panel I would need to tap into?

I think you’d struggle with that route - there is a lot more going on than on/off - you have temperature control etc.
What you describe is possible using a solenoid valve (and this does use solenoid valves, I think), but you’d basically be removing anything SmarTap to make it work.

Hello all,

First time posting on this forum, although I’ve been watching this discussion very closely for a long time as I’m in a similar position to you all. Thanks to @vaderag for kicking things off and to everyone who has contributed to date. I purchased the SmarTap system around three years ago, and soon after enquired about the alleged API only to be advised that it was intended for the Queo hotel version only.

Apart from the occasional blip of a server going down and losing the app & Alexa control for a day or so, the system for me has worked perfectly. I’m really happy with it, apart from the nagging concern that one day the server will be switched off and the shower and bath system which I designed my bathroom for will stop functioning. To that end at Christmas time I thought I’d renew my efforts in trying to figure it all out.

I have some potentially good news, and some bad. The good news is, after decompiling the app and trawling through the source code, it is exceptionally easy to communicate via the SmarTap server with your shower. So far, with the use of Postman I’ve managed to communicate via a websocket to the server and can get live status data on the shower, as well as start and stop the three different outlets, adjust flow and temp etc.

Live usage snippet:

{
    "msg": {
        "uVer": 1,
        "f16Cold_DP": 9.49609375,
        "f16Hot_DP": 3.18359375,
        "u8ScenarioState": 0,
        "u8Empty": 0,
        "u8Diagnose": 0,
        "f16MixFlowEst": 0,
        "f16ColdFlowEst": 0,
        "f16HotFlowEst": 0,
        "u32MixFlowMeter": 94260,
        "u32ColdFlowMeter": 29850,
        "u32HotFlowMeter": 64346,
        "f16ColdTemp": 24.08203125,
        "f16HotTemp": 24.16015625,
        "f16MixTemp": 24.16015625,
        "u8StateFbk": 0,
        "f16FlowSetFbk": 25,
        "f16TempSetFfbk": 38,
        "u16ActiveOutletsFbk": 1,
        "f16LimitsTempHiFbk": 47,
        "f16LimitsTempLowFbk": 10,
        "f16LimitsFlowHiOutlet1Fbk": 25,
        "f16LimitsFlowHiOutlet2Fbk": 25,
        "f16LimitsFlowHiOutlet3Fbk": 25,
        "f16LimitsFlowLowFbk": 4,
        "f16LimitsMaxShowerVolumeFbk": 0,
        "u16LimitsMaxShowerTimeFbk": 0,
        "u8OutputSeqStatus": 0,
        "DATE": "2023-01-12T10:59:16+00:00",
        "WIFISN": "XXXXXXXXX",
        "INFOTYPE": 18,
        "INFOCNT": 0,
        "MSG": "ApiOut Info"
    },
    "msgType": "message"
}
If I wasn’t concerned that anyday the lights might get switched off on the SmarTap server, this would all feel like a real win.

Prior to the company being sold, I was keen to be able to integrate the system into my smart home, build clever automations and capture usage data etc. This is all possible with the above approach. However, the real challenge obviously is making the system work when you take the server out the loop.

The bad news… to date I, like the rest of you, have been unable to decrypt the server/client (eValve) TLS 1.2 traffic. As an amateur I haven’t so far been able to get a MITM approach to work between the hardware and the server. I simply don’t know how to get the hardware to accept mitmproxy’s self-signed certificate when you can’t alter the certificate it uses that is built into the firmware flash. Without this I’m unsure what the explicit commands are that are issued by the server.

By trawling through the app source and using the info kindly provided in this discussion I’ve been able to establish a couple of things:

  • If you take nothing else from this post, decompile the app and have a look at the resources/assets/www/js folder. It will give you a huge amount of insight as to how the app operates and how to communicate with the eValve via the server manually.

  • The system uses a CC3200 Wi-Fi MCU, which provides web server capability. The default HTML page returned on a GET request is at <eValve local IP address>/www/main.html.

{"ssidList":["XXXXXX"],"lowPowerMode":false,"serial":"XXXXXXXXX","dns":"lb.smartap-tech.com","port":80,"outlet1":1,"outlet2":2,"outlet3":4,"k3Outlet":false,"swVer":"0x355","wnpVer":"2.:.0.000","mac":"XXXXXXXXXXX"}"oldAppVer":"pkey:0000,XXXXXXXXX
<\\/div>"
  • When you enter the pairing process, you connect to the hardware via the eValve SSID at the 192.168.1.1 IP address, using basic authentication with Content-Type == application/x-www-form-urlencoded. During the process you write data directly via some custom HTML POST tokens (__SL_P_XYZ). This allows the writing of data into the firmware such as your network SSID, Wi-Fi authentication type, password and also what your outlets are (see pairing-factory.js in the source for more info and, if interested, the CC3200 user guide: https://www.ti.com/lit/ug/swru368c/swru368c.pdf?ts=1673740438830 ).

  • My guess at this stage is by using the correct 3 character (XYZ) custom post request to the eValve during normal operation, it might trigger the operation of the shower.

  • My 4-year-old daughter owns a CC3200 herself, in a Toniebox, which is a speaker that plays audiobooks for children. There has been a lot of progress elsewhere to reverse engineer this system by more knowledgeable people than me, and there are tools that can be used to lift files directly off the chipset, including the appropriate client certificate. Link: https://github.com/toniebox-reverse-engineering/toniebox . The contributors on this GitHub project could well help with the MITM issue I mentioned above.

  • From what I’ve read so far, the above approach to get the necessary data works through a connection to the CC3200 serial/UART ports. @gmoney helped to clarify that the eValve has a custom CC3200 PCB which must have the right ports, but some work would be needed to establish the right connection.

  • That said, once connected it should be relatively simple to extract the required data to decipher the hardware/server comms. However, as my eValve is fully functioning and buried under my bath, I am extremely reticent to disconnect everything to experiment with it!

There’s plenty more but as a SmartThings person writing their first post I’ve probably wittered on far too much and am most likely outstaying my welcome!

As you might tell, I’m a little paranoid about spelling out precisely how to access the websocket publicly, purely because I can’t imagine there’s a huge amount of inclination/necessity by the new owners to keep the server running and whilst I haven’t done anything beyond what their app does I wouldn’t want to give them a reason to pull the plug. Just yet anyway. :blush:

That all said, I’d be more than happy to run anyone through how I went about it via PM – please do get in touch if it’s useful. Also, I would really like to get access to a second SmarTap system in order to crack this. If anyone has one that they would be happy to sell I would be keen!

For now, I’ll keep trying with the mitm stuff and will also look over old versions of the app to see if there’s anything new I can glean from them.

Anyway, thanks again and hope anything of the above is useful.

2 Likes
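The two payload formats quoted in the post above (the device-info JSON served by the CC3200 at /www/main.html, and the "ApiOut Info" status frame from the websocket) are easy to mis-handle: the main.html body has template debris appended after the JSON object, and the status keys carry type prefixes (f16, u8, u16, u32) that are worth checking rather than trusting. The following is an added example, not code from the SmarTap app, firmware or server; the sample payloads are constructed from the ones quoted in the post, and the fixed-point and outlet-bitmask interpretations are assumptions flagged in the code.

```python
"""Parsers for the two SmarTap payloads quoted in the post above.

Added example, not code from the SmarTap app, firmware or server. Field
names are taken from the post; the sample payloads are constructed from the
quoted ones, with serials and MACs left redacted as the poster had them.
"""
import json
import re

# Constructed from the main.html body quoted above: one JSON object followed
# by page-template debris ('"oldAppVer":...' and a closing div), so a plain
# json.loads() on the whole body fails with "Extra data".
SAMPLE_MAIN_HTML = (
    '{"ssidList":["XXXXXX"],"lowPowerMode":false,"serial":"XXXXXXXXX",'
    '"dns":"lb.smartap-tech.com","port":80,"outlet1":1,"outlet2":2,'
    '"outlet3":4,"k3Outlet":false,"swVer":"0x355","wnpVer":"2.:.0.000",'
    '"mac":"XXXXXXXXXXX"}"oldAppVer":"pkey:0000,XXXXXXXXX\n<\\/div>"'
)

# Constructed subset of the "ApiOut Info" websocket frame quoted above.
SAMPLE_STATUS_FRAME = json.dumps({
    "msg": {
        "uVer": 1, "f16Cold_DP": 9.49609375, "f16Hot_DP": 3.18359375,
        "u8ScenarioState": 0, "u32MixFlowMeter": 94260,
        "f16ColdTemp": 24.08203125, "f16MixTemp": 24.16015625,
        "u8StateFbk": 0, "f16FlowSetFbk": 25, "f16TempSetFfbk": 38,
        "u16ActiveOutletsFbk": 1, "f16LimitsTempHiFbk": 47,
        "DATE": "2023-01-12T10:59:16+00:00", "WIFISN": "XXXXXXXXX",
        "INFOTYPE": 18, "MSG": "ApiOut Info",
    },
    "msgType": "message",
})


def extract_device_info(body: str) -> dict:
    """Return the first JSON object in the main.html body, ignoring the rest.

    raw_decode() stops at the end of the first complete value, which is what
    a body with template debris appended after the object needs.
    """
    start = body.find("{")
    if start < 0:
        raise ValueError("no JSON object in response body")
    info, _end = json.JSONDecoder().raw_decode(body[start:])
    return info


_PREFIX = re.compile(r"^(f16|u8|u16|u32)(.+)$")
_INT_BITS = {"u8": 8, "u16": 16, "u32": 32}


def decode_status(frame_text: str) -> dict:
    """Parse one status frame into {name-without-prefix: value}.

    The key prefix is treated as a type declaration and the value is checked
    against it: uN must be an int in [0, 2**N), f16 must be numeric.
    Prefix-less keys (uVer, DATE, WIFISN, INFOTYPE, MSG) pass through as-is.
    """
    frame = json.loads(frame_text)
    if frame.get("msgType") != "message" or not isinstance(frame.get("msg"), dict):
        raise ValueError("not an ApiOut message frame")
    decoded = {}
    for key, value in frame["msg"].items():
        m = _PREFIX.match(key)
        if m is None:
            decoded[key] = value
            continue
        prefix, name = m.groups()
        is_int = isinstance(value, int) and not isinstance(value, bool)
        if prefix == "f16":
            if not (is_int or isinstance(value, float)):
                raise ValueError(f"{key}: expected a number, got {value!r}")
            decoded[name] = float(value)
        else:
            bits = _INT_BITS[prefix]
            if not (is_int and 0 <= value < (1 << bits)):
                raise ValueError(f"{key}: {value!r} does not fit in u{bits}")
            decoded[name] = value
    return decoded


def is_valid_frame(frame_text: str) -> bool:
    """True when decode_status() accepts the frame (JSON errors are ValueErrors)."""
    try:
        decode_status(frame_text)
        return True
    except ValueError:
        return False


def fits_q8_8(value: float) -> bool:
    """Assumption, not stated in the post: every f16 sample is a multiple of
    1/256 (9.49609375 = 2431/256), i.e. 16-bit fixed point with 8 fractional
    bits rather than an IEEE half float, which cannot represent 9.49609375.
    Use it to flag a value that breaks that pattern."""
    return float(value * 256).is_integer()


def active_outlets(mask: int, info: dict) -> list:
    """Assumption: outletN in the device info (1, 2, 4 here) are bit values
    and u16ActiveOutletsFbk is their OR; returns the outlet numbers set."""
    return [n for n in (1, 2, 3) if mask & info.get(f"outlet{n}", 0)]
```

The fixed-point check is the part worth keeping in mind if the websocket is ever replaced by a local reimplementation: every f16 value in the quoted frame is an exact multiple of 1/256, which is not what an IEEE half float would produce, so a server emulator that sends arbitrary floats would be sending values the firmware may not expect.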

Oh wow! Where to begin but by saying, amazing work and welcome aboard!!

As you say, if it wasn’t for the impending doom of the server going down, this would be a massive win - the dream I expect many of us always had is in reach there!

I can’t help on any of the requests (similarly, at this moment my system is working and the wife would kill me if I messed it up!) but I will absolutely keep eyes peeled for a second unit.

Do you mind if I share your post on a Facebook group as might get a few more eyes?

1 Like

Of course! I think I’ve found the group you’re referring to :grinning_face_with_smiling_eyes:.

Also worth adding there’s a chance that we might be able to get some people at least back connected to the server. Certainly worth a try!

Hi Everyone, not sure if this will help anyone having issues getting their shower online but it helped me.

I’ve moved my shower to new networks a few times and each time it has been a bit of a fiddle.

When I got my shower, it wouldn’t connect to the wifi with the android version of the app. It wasn’t passing the credentials to the shower even though it said it did.

I used a borrowed iPhone to get it connected and just assumed the latest android app from Google play store v1.3.2 was slightly broken.

Once connected to the network I could sign into the android app and do everything I needed, like changing settings or controlling the shower.

Two days ago I changed my router and wanted a new network name (SSID) so I tried to use the android app and it still didn’t work. I borrowed an iPhone and discovered the app has been removed from the apple app store. If you still have it on an iPhone, don’t remove it!!!

So now I’m in a panic about having to rip it out as it won’t connect to the old SSID either.

I downloaded Version 1.3.0 of the android app from apkpure instead of using the latest version in the app store and my shower connected to WiFi instantly.

I now have voice control back and my IFTTT/Smartthings integration.

Once you’ve connected the shower to your network, switch back to the latest version of the app.

Sideloading apps from sites such as apkpure could put your phone at risk. If you decide to take the risk as I did, please remove the app as soon as you get what you need.

2 Likes
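The sideloading caveat in the post above has a concrete check behind it: before installing an APK from a third-party mirror, confirm it is signed by the same key as a copy you trust (for example the Play-store install still present on another phone). The following is an added example, not code from any post or from the SmarTap app. It wraps `apksigner verify --print-certs` from the Android SDK build-tools and compares the signer certificate SHA-256 digests that command prints; the APK paths and the sample outputs are constructed for illustration, and the hex digests are placeholders, not SmarTap’s real signing key.

```python
"""Compare the signing key of a sideloaded APK with that of a known-good copy.

Added example; it is not part of the SmarTap app or of any post above. It
wraps `apksigner verify --print-certs` from the Android SDK build-tools and
compares the signer certificate SHA-256 digests it prints. The APK paths and
the sample outputs below are constructed for illustration; the hex digests
are placeholders, not the real SmarTap signing key.
"""
import re
import shutil
import subprocess

# apksigner prints one such line per signer; anything else is ignored.
_DIGEST_LINE = re.compile(
    r"^Signer #\d+ certificate SHA-256 digest: ([0-9a-fA-F]{64})\s*$", re.M)


def signer_digests(apksigner_output: str) -> frozenset:
    """Every signer-certificate SHA-256 digest in the output, lower-cased."""
    return frozenset(d.lower() for d in _DIGEST_LINE.findall(apksigner_output))


def same_signers(known_good_output: str, candidate_output: str) -> bool:
    """True only when both APKs carry the same non-empty set of signers.

    An empty set means apksigner printed no certificate at all (unsigned or
    unparsable APK); treat that as a failure rather than a match."""
    good = signer_digests(known_good_output)
    cand = signer_digests(candidate_output)
    return bool(good) and good == cand


def run_apksigner(apk_path: str) -> str:
    """Run apksigner on a real APK. Needs build-tools on PATH. A broken or
    tampered signature makes apksigner exit non-zero, which check=True turns
    into a CalledProcessError, so a tampered APK is rejected before any
    digest comparison happens."""
    exe = shutil.which("apksigner")
    if exe is None:
        raise RuntimeError("apksigner not found; add Android build-tools to PATH")
    proc = subprocess.run([exe, "verify", "--print-certs", apk_path],
                          check=True, capture_output=True, text=True)
    return proc.stdout


def sideload_is_safe(known_good_apk: str, candidate_apk: str) -> bool:
    """End-to-end check on real files (not exercised offline)."""
    return same_signers(run_apksigner(known_good_apk),
                        run_apksigner(candidate_apk))


# Constructed sample outputs in the shape apksigner prints (placeholder hex).
_GOOD = "a1" * 32
KNOWN_GOOD_OUTPUT = (
    "Signer #1 certificate DN: CN=Example Publisher, O=Example\n"
    f"Signer #1 certificate SHA-256 digest: {_GOOD}\n"
    f"Signer #1 certificate SHA-1 digest: {'b2' * 20}\n"
)
CANDIDATE_SAME_KEY = (
    "Signer #1 certificate DN: CN=Example Publisher, O=Example\n"
    f"Signer #1 certificate SHA-256 digest: {_GOOD.upper()}\n"
)
CANDIDATE_OTHER_KEY = (
    "Signer #1 certificate DN: CN=Repackager\n"
    f"Signer #1 certificate SHA-256 digest: {'c3' * 32}\n"
)
```

To get the known-good copy, pull it from a phone that still has the store install: `adb shell pm path <package>` prints the on-device APK path and `adb pull` copies it out (the SmarTap package name is not given on this page, so it is left as a placeholder). A digest mismatch means the mirror’s APK was re-signed by someone else, and Android would in any case refuse to install it over the existing app; a match does not prove the APK is unmodified unless apksigner also verified the signature, which is why run_apksigner() treats a non-zero exit as a hard failure.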

Wow, lots of cool stuff happening lately!

@mav1 thanks so much for taking the time to post, it’s really interesting to read! Like you said, this means we could have cloud control, which is an awesome achievement! Bravo!

I think for my scenario I’m still pretty snookered as I can’t access the account my shower was originally registered to, therefore there are no comms between their server and my shower, as it’s like it was never set up. I’ve managed to play around with posting stuff but only managed to get the outlets to change, which must have gone through their server somehow - but it didn’t last.

@steven Thanks for your post, I think this could be an option for me to get things working once more! I’m the opposite though and only have an iPhone, which just isn’t passing the final stage of setup. I will see if I can borrow an Android device and get that app version though, fingers crossed!

Thanks all!

1 Like

Bad news…
[image]

@mav1 how you getting on!? We need you :sob: :wink:

Wow, this is a blow! But hopefully will give the community the impetus to strive for a solution.

This could be a good time to pester the original team and ask if they can throw us bone when it comes to working out the comms from server to device? @vaderag did you ever hear back from the CEO guy?

Cheers,

G

No I didn’t - let me chase…

Edit. No luck. He came back to me really quick but he’s not got any connection there any more

Hi, Right, I’ve also received the email. So I gather that’s it, back to a normal on/off shower :frowning: not impressed at all… I wouldn’t mind but you can still buy the shower on some websites :frowning:

I guess this thread might be getting a lot of views as I too received the support email today.

I’ve read the thread from the top and I’m impressed with the technical discussion and the desire to retain automation of the valve. I consider myself a bit of a techie but this stuff is way out of my league!

One question, can I assume that, if they pull access to the service on AWS, unless there was a way of bringing the ‘service’ to a local server, it would be pointless getting access to the API?

I’ve done a bit of searching myself this afternoon re SmarTap the company and I’ve mailed Masco in the vain attempt of getting some response.

There are also 21 people still listed on LinkedIn as employees, including the CTO (https://www.linkedin.com/in/yuval-klein-aa1b055/). I retired a couple of years ago but would be happy to get LinkedIn Premium if it’s worth reaching out to them.

I’ve actually emailed the CTO earlier - I was pointed his way by the contact I had above. I’m only holding limited hope for a response tho

Oh wow. Well this doesn’t look good. So quick update from me, I managed to buy a spare unit from another frustrated customer.

I managed to manually connect the spare to my network despite having issues through the app. I was planning to write this up in case it was of use. All the things I could do with my original I could do with the spare.

I spoke with George about how he got into his WiFi module without killing it and then took the plunge with a hot Stanley knife and hoped. I currently have access to the top side of the pcb and everything is still working fine.

I’ve done a lot of reading up and had a good feeling, as previously discussed, about reverse engineering it. However, when looking at the MCU in the flesh I realised that it looks like the ports on the PCB aren’t UART but instead JTAG.

As this is a custom board it’s difficult to work out whether there are still UART ports accessible. I’d assume so but unsure. With JTAG, from some of the reading I’ve done, a similar reverse engineering approach could/should be possible, but it’s a trickier route (anyone with any experience of JTAG? Nope, didn’t think so!).

BUT, if the cloud server is shut down, this is all irrelevant. As stated before I can freely access the server and do lots of things but without it communicating to the eValve it’d be more difficult to reverse engineer.

As of right now I still have connection and full control through alexa and the app. Goodness knows how long we have though.

I’ll try and commit some time to it and see what can be done but really need more time.

Sorry everyone!

2 Likes

Help us mav-wan Kenobi, you are our only hope!! :joy:

Seriously tho, thanks for your research into this…

1 Like

Through the urls the app points to, I believe we’re using parts of the api when we’re connecting to the server with the app.

Unfortunately, the server to eValve traffic is encrypted, so how the server tells the eValve to work isn’t 100% clear. I was hoping to resolve this issue but could do with the server staying alive for the foreseeable.

Sorry for spamming, but reacting to events (during kids’ bedtime). If you can get jtag/uart up and running, even if the server goes off there’s a chance you can copy the firmware, decompile the binary and potentially reverse engineer the html post commands…

…or, as my wife has just pointed out, just buy a new shower. We’ll see about that. :blush:

1 Like

Lol. I reckon your wife and mine would get on well :joy:

But where’s the fun in that… Besides, you’ve bought the second shower for hacking now :+1:t2:

1 Like

I muttered “… It’s the principle”. And the plumbing.

Not to mention a lot of people have been mis-sold to!

2 Likes

Can’t say for certain but couldn’t access smartap just now via Alexa, first time in a while… Given the notice above, suspect it’s doomsday