Smartap Shower Control: Getting started with reverse engineering a smart home device?

Yeah, sorry, it still works locally, just all smart functions are dead… which for a product branded SmartTap is somewhat unfortunate

OMG I’m so happy I found this post! I have had the Smartap Shower system installed for about 2 years. But for the past year I’ve had no smart features, and also outlet selection control!

I honestly think the company is a write-off, they got bought out and since then there have been no updates on the app or website - apart from it going into maintenance mode recently. I am honestly surprised their servers are still up, I’ve also not had an email response from them in about a year :sweat_smile:

I am totally locked out of app control as I can’t complete the setup, it says I need to be an admin user, very annoying. So for me a MITM setup trying to capture what’s been sent from my phone isn’t possible.

However, there is some light! :grinning: I have managed to successfully change the shower’s function by posting an amended version of the JSON back to the shower’s IP, mine spit out the following in browser:

"outlet1":7,"outlet2":0,"outlet3":0

And the shower was coming out of 1 outlet with the second button doing nothing.

I posted back the full string but amended it to the following part only:

"outlet1":7,"outlet2":7,"outlet3":7

Now it comes out of all three outlets simultaneously! But the button still does nothing, so very slight progress. Weirdly the JSON in browser hasn’t updated.

I am attempting to reverse engineer the API in Postman, but I’m not a dev - for me this would be the perfect solution, and as you mentioned state change in HA would be amazing, just not sure how limited the options would be by sending JSON directly to the shower unit. Like in the JSON you can’t see anything about temperature or flow.

I have photos of the Shower PCBs if you think this would help, I’m up for hardware hacking with an ESP but again it’s not something I am experienced in. I also found this, which looks like the start of something but also means there must be more of us out there!

Hi Gmoney

Nice find with posting back the JSON.

In case it helps mine returns the following

"outlet1":1,"outlet2":4,"outlet3":2,"k3Outlet":true,"

I think that someone else has an example output, similar to mine, but outlet 2,3 reversed.

My setup has outlet 1 as a shower, outlet 3 as a hand shower, and outlet 2 as the bath. The bath is controlled separately on its own button.

When you send that JSON to it, what does it return?

Stu

ps would be interested to see the PCB photos, and figure out exactly what is happening.

Hey Stu,

Thanks for the reply :smiley:

Yeah, mine seems weird by comparison - my current working theory is maybe the numbers act like channels, and you are both seeing 1, 2, 4 as 3 is assigned to the k3 outlet, maybe? I have reset mine and I’m now on 7, meaning it could be that 1-3 was used on the first setup, then I must have reset again and got 4-6, after this I was stuck with just one outlet working (7). Now it’s coming out of all three at the same time as I posted back all 7s. So next I will try sending:

"outlet1":1,"outlet2":2,"outlet3":3

Then see what happens.

When you send that JSON to it, what does it return?

I just get a success message, the IP’s output in browser doesn’t change - this is bad news for maintaining a reliable state in HA.

Might be useful to throw out my http output too:

`{"ssidList":["WIFI"],
"lowPowerMode":false,
"serial":"SERIAL",
"dns":"lb.smartaptech.com",
"port":80,
"outlet1":7,
"outlet2":0,
"outlet3":0,
"k3Outlet":false,
"swVer":"0x355",
"wnpVer":"2.:.0.000",
"mac":"MAC"
}"oldAppVer":"pkey:PASSKEY
<\\/div>"`

Good to see we are all the same for swVer (software version?) and wnpVer (no clue what that could be :rofl:).

Here are all the PCBs, the smaller green board is for the wifi and is in its own small case:







I guess the pin holes on the left are likely to be some sort of UART that was used to load the firmware, but I’m a real novice at hardware hacking, so couldn’t say with any certainty.

Thanks,

G

1 Like

Thanks so much for jumping in here - hopefully we can get somewhere (tho I’m a little out of my depth!)

So I don’t know if this is happenstance or something changing but I’ve just returned from a trip and while Alexa is still not working the app itself has started working again (but intermittently). I’ll get the evalve offline error mostly but occasionally it will actually function… so there is obviously something still running on AWS but perhaps at low capacity… not sure.
Don’t think it changes much, clearly still on its way out, but figured it was worth mentioning…

Any progress anyone?!
I put a page ( Home · serans1/showerjs Wiki (github.com) ) on that github directing passersby to here in case others can help

I’ve also managed to connect with the CEO of Smartap (I guess former CEO now), he said they tried reaching out to retailers to continue the cloud infrastructure but the retailers weren’t interested.
I’ve asked if there is any way we can either get the hotel control options made available or even the possibility of a sub to help support the continued cloud model and he’s going to reach out to the purchasers and see what he can do :crossed_fingers:

2 Likes

Hi vaderag!

Sorry for the radio silence on this, long story but I broke both my elbows last month so was pretty immobile for some time, I still need a few more weeks of recovery but well enough to type now!

Just to echo your sentiment, I am well out of my depth here too, with very little programming experience but I’m determined! (and it seems so are you!)

Obviously not much of an update from me but some minor progress made. I can now cycle through three outlets with the physical button once more! :partying_face: and tbh I think this was more a mis-configuration from me when going through the setup in the past - there is a point in the setup UI where you can select the outlets but you have to add each one and it’s not particularly intuitive/clear. However I still get stuck at the connecting to the internet stage, with the same error message:


So I am still unable to complete the setup and therefore not able to get any app functionality or voice control… BUT this does prove that outlet setup can be changed locally! And also, means that I have a shower that works fine with the physical buttons… YAY

This has changed my http output slightly, I’m now getting:

{"ssidList":["MY WI-FI","NEARBY SSID","NEARBY SSID","NEARBY SSID","NEARBY SSID"],
"lowPowerMode":false,
"serial":"*SERIAL*",
"dns":"lb.smartap-tech.com",
"port":80,
"outlet1":1,
"outlet2":2,
"outlet3":4,
"k3Outlet":false,
"swVer":"0x355",
"wnpVer":"2.:.0.000",
"mac":"*MAC*"}
"oldAppVer":"pkey:0000,*PASSKEY*<\\/div>"

So this does back up the theory on the outlets having their own channels. Also, now it shows my neighbour’s wifi SSIDs, which is weird as it’s still on my network, and looking at what it’s doing doesn’t show anything interesting (to me at least!):
image

I’m planning to play around and see if I can discover something new with Postman and firing JSON at it… I double checked the old site and can confirm they stated it uses the REST API, which means there is some sort of standard protocol to go on - but again… NOOB, so maybe someone that knows this stuff and reads this would be willing to help?

Couple more breadcrumbs:

  • The servers must be functioning in some capacity as you say, otherwise how would we be able to log into the app at all?

  • I came across this when going through old emails:
    image
    I’m sure I found a troubleshooting PDF once that had similar instructions but I’ve just spent about 40 mins looking high and low and can’t find it :sob: And I remember setting my phone up with this network and the device connected, maybe a different approach to the MITM idea?

  • Also when trying to work out what email I might have used for an admin account I discovered that reset password emails don’t go through, but you can tell if an account was set up with an email in app, if you go to forget password and then get a message that says we have sent you a reset link then that’s an email that’s been previously set up, otherwise you get no response message.

I’m really bummed as I’ve overhauled my home network and want to update the wifi password, along with network IP range but can’t cos the blinking shower will fall off and then I’ll have no access at all (first world problems, ey?)

That’s it from me, I’ll continue shooting with the API but I’m not hopeful lol, maybe discord begging is the way to go lol.

Great idea with contacting the old CEO, have you heard anything more from him? Maybe the CTO would be worth trying too? I just feel like there must be a PDF somewhere that has all the API info and we could make it work, but getting that is the hurdle! Good luck!

G

1 Like
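Added example, not part of any post in this thread and not Smartap code: Python that parses the local status page quoted above (a JSON object followed by non-JSON text), masks the identifying fields before the output is shared, and checks one hypothesis about the outlet values against the three configurations reported so far. The bit-to-position mapping is an assumption, and all function names are made up for this example.

```python
import json

# Constructed sample in the shape quoted in the posts above (placeholders for
# serial, MAC and passkey). Note the non-JSON text after the closing brace.
SAMPLE_PAGE = (
    '{"ssidList":["MY WI-FI","NEARBY SSID"],"lowPowerMode":false,'
    '"serial":"SERIAL","dns":"lb.smartap-tech.com","port":80,'
    '"outlet1":1,"outlet2":2,"outlet3":4,"k3Outlet":false,'
    '"swVer":"0x355","wnpVer":"2.:.0.000","mac":"MAC"}\n'
    r'"oldAppVer":"pkey:0000,PASSKEY<\\/div>"'
)

OUTLET_KEYS = ("outlet1", "outlet2", "outlet3")
SENSITIVE_KEYS = ("serial", "mac", "ssidList")


def parse_status_page(body):
    """Return (status dict, trailing text).

    raw_decode() stops at the end of the first JSON value, so the text after
    the closing brace does not make parsing fail the way json.loads() would.
    """
    start = body.index("{")
    status, end = json.JSONDecoder().raw_decode(body, start)
    return status, body[end:]


def redact_for_sharing(status):
    """Copy of the status with identifying fields masked, for posting publicly.
    The trailing text (which carries the pkey value) is simply left out."""
    return {k: ("<redacted>" if k in SENSITIVE_KEYS else v)
            for k, v in status.items()}


def open_outlets_by_position(status, positions=3):
    """HYPOTHESIS, not documented behaviour: outletN is a bitmask of the
    button-cycle positions in which physical outlet N is open
    (bit 0 = first position, bit 1 = second, bit 2 = third)."""
    return [[n + 1 for n, key in enumerate(OUTLET_KEYS)
             if status.get(key, 0) & (1 << pos)]
            for pos in range(positions)]


def describe(table):
    """Summarise what the hypothesis predicts a user would observe."""
    if all(row == table[0] for row in table):
        return f"outlets {table[0]} always on; button changes nothing"
    return "button cycles: " + " -> ".join(str(row) for row in table)


# The three configurations reported in the thread so far.
REPORTED = {
    "7/0/0": {"outlet1": 7, "outlet2": 0, "outlet3": 0},
    "7/7/7": {"outlet1": 7, "outlet2": 7, "outlet3": 7},
    "1/2/4": {"outlet1": 1, "outlet2": 2, "outlet3": 4},
}

if __name__ == "__main__":
    status, trailing = parse_status_page(SAMPLE_PAGE)
    print(redact_for_sharing(status))
    for name, cfg in REPORTED.items():
        print(name, "=>", describe(open_outlets_by_position(cfg)))
```

Under the same hypothesis, a configuration such as 1/4/2 would only change the order in which the button steps through the outlets.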

Mine not working from Alexa but I’m able to control my shower by IFTTT using the command trigger

Not heard anything more - he was holidaying in Thailand when I messaged so don’t want to bug him!
The challenge will be that any such document (if it exists) won’t be theirs any more - it’ll be the company that bought them that owns it, so depending on their future plans or not will depend on whether there is any chance of getting it at all!

Welcome! Everything seems intermittent - Alexa stops then starts depending on the week - my best guess on this is that there is some money set aside to ‘keep the lights on’ but once the cap is hit it shuts down until the following week or month

Anyone got any luck with this? Anything I can do to help?

I have 2 smart showers both stopped working on IFTTT and unable to login to the app this week

I’ve tried sniffing the traffic to/from the device with Wireshark - but I’m no expert! The communications between Amazon Cloud and the local device are protected by TLS 1.2 encryption and so I’m kind of snookered in terms of going any further with understanding how we might localise it. Phone speaks to Cloud. Cloud (perhaps MQTT???) brokers a message for the shower. Shower connects to Cloud and waits for messages for activity. It almost feels that to localise will probably need a rewrite of the firmware on the shower - which isn’t going to happen unless SmartTap released their original code to the Community.
Maybe a local equivalent of what they are hosting on Amazon might work. But changing the Amazon location URL and then deciphering the TLS messages to understand what the shower needs to be told is beyond me!

1 Like

Thanks for the thread; I found it earlier today and have spent the afternoon trying to find out a little more; I have two Smartap units, and was another of the people gulled into buying them by the promise that they had a REST API.

Breaking out Wireshark didn’t shed much light, as all traffic seems to be encrypted. This includes the conversation between the iOS app and the Smartap AWS server, and also that between the Smartap hardware and a different AWS host. So, doing a bit more digging (as suggested above), I set up mitmproxy to allow inspection of the packets passing between my phone and the internet. This works for HTTPS, and shows an interesting-looking POST request being issued at the point where I tell the bath to fill using the app:

https://lb.smartap-tech.com/api/usages/upsertWithWhere?where={"id":7373}&access_token=<redacted>

HTTP/1.1 200 OK
X-Powered-By: Express
Vary: Origin, Accept-Encoding
Access-Control-Allow-Credentials: true
Content-Type: application/json; charset=utf-8
Content-Length: 242
ETag: W/"f2-g02inekVZRZZoroiBGyACpkgADI"
Date: Sun, 25 Sep 2022 17:00:01 GMT
Connection: keep-alive

{
  "relID": 2198,
  "userID": 1946,
  "title": "Bath",
  "type": "init_bathFill",
  "defaultUsage": false,
  "dateModified": "2021-01-01T14:13:34.000Z",
  "dateLastUsed": "2022-09-25T16:14:30.000Z",
  "backgroundImage": "images/BG-Pref/17.png",
  "serial": 318230421,
  "id": 7373
}
Response file saved.
> 2022-09-25T180001.200.json

Response code: 200 (OK); Time: 331ms (331 ms); Content length: 242 bytes (242 B)

This seemed promising. However, it doesn’t actually cause anything to happen. So far as I can tell, this REST-style request seems to be setting up another conversation which does not happen over HTTP(S) - possibly MQTT. There’s quite a lot of back-and-forth between the app and the cloud when looking at the Wireshark logs, but as it’s all encrypted as well, I haven’t yet been able to validate any assumptions.

Next step, when time permits, will be to try to proxy the non-HTTP traffic and see what’s going on in there, but I’m fairly new to this kind of reverse-engineering and the tooling for (what I suspect to be) MQTT will take a bit more research.

In the meantime, pestering either the CEO or the new acquirers might be our best avenue? The signs at the moment indicate that the Smartap has become abandonware, in which case they may as well share their documentation as a gesture toward the community (which they have otherwise let down).

1 Like

Great to have someone else enter the fray!!
Nice work, I’m at the end of my skillset here, but glad to see people like you pushing things forward!!

I’m new here and a complete novice so please be gentle with me! My Smartap shower does everything except connect to Wifi. In other words, I can find the Evalve and install it on the app, configure shower profiles and login etc. But no app control nor Alexa/IFTTT control, button operations only.

Is it feasible to hard wire the eValve via Ethernet? There’s no socket on the Wifi module.

Welcome!
There is no hard wired option that I know of, but I have found that WiFi was weak in the past. You could try moving your router a bit closer or using an extender if you have issues
I hope one day someone will hack this for local use but it’s a slim hope… Not sure there are that many of us out here!

Hi, I’m also new to the forum… I have Smartap for about two years. Mine is now also push button only to switch on. I was wondering if I use a smart relay (lightwave). If I hardwired in that I can then use the lightwave app and alexa to turn it on for me. If so does anyone know which wires in the switch panel I would need to tap into…???

I think you’d struggle with that route - there is a lot more going on than on/off - you have temperature control etc.
What you describe is possible using a solenoid valve (and this does use solenoid valves I think), but you’d be basically removing anything smarttap to make it work

Hello all,

First time posting on this forum, although I’ve been watching this discussion very closely for a long time as I’m in a similar position to you all. Thanks to @vaderag for kicking things off and to everyone who has contributed to date. I purchased the SmarTap system around three years ago, and soon after enquired about the alleged API only to be advised that it was intended for the Queo hotel version only.

Apart from the occasional blip of a server going down and losing the app & Alexa control for a day or so, the system for me has worked perfectly. I’m really happy with it, apart from the nagging concern that one day the server will be switched off and the shower and bath system which I designed my bathroom for will stop functioning. To that end at Christmas time I thought I’d renew my efforts in trying to figure it all out.

I have some potentially good news, and some bad. The good news is, after decompiling the app and trawling through the source code, it is exceptionally easy to communicate via the SmarTap server with your shower. So far, with the use of Postman I’ve managed to communicate via a websocket to the server and can get live status data on the shower, as well as start and stop the three different outlets, adjust flow and temp etc.

Live usage snippet:

{
    "msg": {
        "uVer": 1,
        "f16Cold_DP": 9.49609375,
        "f16Hot_DP": 3.18359375,
        "u8ScenarioState": 0,
        "u8Empty": 0,
        "u8Diagnose": 0,
        "f16MixFlowEst": 0,
        "f16ColdFlowEst": 0,
        "f16HotFlowEst": 0,
        "u32MixFlowMeter": 94260,
        "u32ColdFlowMeter": 29850,
        "u32HotFlowMeter": 64346,
        "f16ColdTemp": 24.08203125,
        "f16HotTemp": 24.16015625,
        "f16MixTemp": 24.16015625,
        "u8StateFbk": 0,
        "f16FlowSetFbk": 25,
        "f16TempSetFfbk": 38,
        "u16ActiveOutletsFbk": 1,
        "f16LimitsTempHiFbk": 47,
        "f16LimitsTempLowFbk": 10,
        "f16LimitsFlowHiOutlet1Fbk": 25,
        "f16LimitsFlowHiOutlet2Fbk": 25,
        "f16LimitsFlowHiOutlet3Fbk": 25,
        "f16LimitsFlowLowFbk": 4,
        "f16LimitsMaxShowerVolumeFbk": 0,
        "u16LimitsMaxShowerTimeFbk": 0,
        "u8OutputSeqStatus": 0,
        "DATE": "2023-01-12T10:59:16+00:00",
        "WIFISN": "XXXXXXXXX",
        "INFOTYPE": 18,
        "INFOCNT": 0,
        "MSG": "ApiOut Info"
    },
    "msgType": "message"

If I wasn’t concerned that any day the lights might get switched off on the SmarTap server, this would all feel like a real win.

Prior to the company being sold, I was keen to be able to integrate the system into my smart home, build clever automations and capture usage data etc. This is all possible with the above approach. However, the real challenge obviously is making the system work when you take the server out the loop.

The bad news… to date I, like the rest of you, have been unable to decrypt the server/client (eValve) TLS 1.2 traffic. As an amateur I haven’t been able so far to get an MITM approach to work between the hardware and the server. I simply don’t know how to get the hardware to accept a self-signed certificate of a mitmproxy when you can’t alter the certificate it uses that is built into the firmware flash. Without this I’m unsure what the explicit commands are that are issued by the server.

Through trawling through the app source and using the info kindly provided on this discussion I’ve been able to establish a couple of things:

  • If you take nothing else from this post, decompile the app and have a look at the resources/assets/www/js folder. It will give you a huge amount of insight as to how the app operates and how to communicate with the eValve via the server manually.

  • The system uses a CC3200 wifi mcu, which provides web server capability. The default html page that’s returned on a GET request is its eValve local ip address/www/main.html.

{"ssidList":["XXXXXX"],"lowPowerMode":false,"serial":"XXXXXXXXX","dns":"lb.smartap-tech.com","port":80,"outlet1":1,"outlet2":2,"outlet3":4,"k3Outlet":false,"swVer":"0x355","wnpVer":"2.:.0.000","mac":"XXXXXXXXXXX"}"oldAppVer":"pkey:0000,XXXXXXXXX
<\\/div>"
  • When you enter the pairing process, you connect to the hardware via the eValve SSID via the 192.168.1.1 IP address utilising basic authentication with content type == application/x-www-form-urlencoded. During the process you directly write data via some custom html POST tokens (__SL_P_XYZ). This allows the writing of data into the firmware such as your network SSID, wifi authentication type, password and also what your outlets are (See pairing-factory.js in the source for more info and if interested the CC3200 user guide: https://www.ti.com/lit/ug/swru368c/swru368c.pdf?ts=1673740438830 ).

  • My guess at this stage is by using the correct 3 character (XYZ) custom post request to the eValve during normal operation, it might trigger the operation of the shower.

  • My 4-year old daughter owns a CC3200 herself, in a Toniebox which is a speaker which plays audiobooks for children. There has been a lot of progress elsewhere to reverse engineer this system by more knowledgeable people than me and there are tools that can be used to lift files directly off the chipset including the appropriate client certificate. Link: https://github.com/toniebox-reverse-engineering/toniebox . The contributors on this github thread could well help with the mitm issue I mentioned above.

  • From what I’ve read so far about the above approach to get the necessary data, is that it is enabled through connection through the CC3200 serial/UART ports. @gmoney helped to clarify that the eValve has a custom CC3200 PCB which must have the right ports, but some work would be needed to establish the right connection.

  • That said, once connected it should be relatively simple to extract the required data to decipher the hardware/server comms. However, as my eValve is fully functioning and buried under my bath, I am extremely reticent to disconnect everything to experiment with it!

There’s plenty more but as a SmartThings person writing their first post I’ve probably wittered on far too much and am most likely outstaying my welcome!

As you might tell, I’m a little paranoid about spelling out precisely how to access the websocket publicly, purely because I can’t imagine there’s a huge amount of inclination/necessity by the new owners to keep the server running and whilst I haven’t done anything beyond what their app does I wouldn’t want to give them a reason to pull the plug. Just yet anyway. :blush:

That all said, I’d be more than happy to run anyone through how I went about it via PM – please do get in touch if it’s useful. Also, I would really like to get access to a second SmarTap system in order to crack this. If anyone has one that they would be happy to sell I would be keen!

For now, I’ll keep trying with the mitm stuff and will also look over old versions of the app to see if there’s anything new I can glean from them.

Anyway, thanks again and hope anything of the above is useful.

2 Likes

Oh wow! Where to begin but by saying, amazing work and welcome aboard!!

As you say, if it wasn’t for the impending doom of the server going down, this would be a massive win - the dream I expect many of us always had is in reach there!

I can’t help on any of the requests (similarly, at this moment my system is working and the wife would kill me if I messed it up!) but I will absolutely keep eyes peeled for a second unit

Do you mind if I share your post on a Facebook group as might get a few more eyes?

1 Like

Of course! I think I’ve found the group you’re referring to :grinning_face_with_smiling_eyes:.

Also worth adding there’s a chance that we might be able to get some people at least back connected to the server. Certainly worth a try!