What do you think about somehow redirecting lb.smartap-tech.com to a “local” websocket listener? I’m considering installing a local DNS to try and persuade the shower to connect to some local listener under my control. At that point the messages from the Shower to what was the Amazon websocket server might hopefully become readable?
In the pairing steps, it looks like POSTs to 192.168.1.1 URLs are how you configure a fresh shower (WIFI and outlets set-up).
After this the shower connects out to lb.smartap-tech.com to read “what to do next” messages (which originate from phone Apps or Alexa etc). If we can coax the shower to look locally for all this by either amending “lb.smartap-tech.com” or spoofing this via local DNS then we might be in business?
What do you think?
Obviously all this guesswork would be unnecessary if some kind person at Smartap would open source the websockets code for us all as Paul suggested.
After receiving the same cut and paste response as @vaderag to my initial reply, I’ve had another go at ‘pestering’!
Hi, thanks for the update. To say I’m annoyed is an understatement!
*How can you design and sell a ‘state of the art’ product whose only real selling point was its automation capabilities and then two years later, turn off the very thing that people bought it for? *
It’s not that you ‘cannot’ support the product, it’s that you have chosen not to because of the cost.
If there is no future for the company and/ or the product, the very least you can do is provide access to the source code and API’s. There are enough capable people out there who like me are left with a 4,000 Shekel manual shower valve and are willing to work on a solution to once again automate the valve.
I appreciate this isn’t a decision you can make so can you provide me with the contact details of your (or Masco’s) CEO please ?
So I have my shower attempting to connect to a local equivalent of smartap-tech.com using dnsmasq on a raspberry pi resolving smartap-tech.com to a local machine under my control.
The next thing, I think, is to see if a self signed certificate and a WSS server is enough to establish a communication path with the shower? Out of my comfort zone by quite a long distance now…
Nice work @APR I think this is the logical path, I can see my evalve sniffing out the network on Wireshark but its dropping in and out constantly (as its failing to connect to the server). Great idea on using DNS to redirect it locally, I assume this is how @mav1 was doing his MITM attempts?
The holy grail would be firmware extraction and then dissection BUT none of these methods are guaranteed, unfortunately. I am also no expert but I would just be careful when trying to authenticate over your local network as this may have the potential to brick your device.
@MartinLon are you able to share the email you are using to contact them? My account went a while ago so I didnt get the original notification, BUT I very much want to add to the pestering lol…
So I am not a techie like you people on here but I do have a Smartap that’s not at all smart anymore and I am a member on the Facebook group and have been through the same trials as everyone else! I know it’s not going to be a popular post but how about we ask them if they would do a subscription so they would get money to keep the server going? I guess it would be how much it is worth to everyone. To me it means I won’t have to redo my bathroom!?
@APR, @gmoney when I tried the MITM, I simply used various flavours of MITMProxy on a Pi and on an unbuntu VM with a dedicated capture/sniffer wlan. I wasn’t at all successful because I could see no way of getting the self-signed certificate on to the eValve. Hence why I then started looking into physical interfacing through the CC3200 module, where the TLS certificate, key etc. is held.
In terms of using a DNS spoof now - it certainly would be interesting to see if you can glean anything from the eValve. Generally speaking, I think the valve itself doesn’t initiate any comms. with the server by itself. - that’s typically triggered in the first instance by the app, Alexa etc.
As you mentioned @APR, when you undertake the pairing process the app does send an html post with key/values which include: "__SL_P_CON": "connect". This is one of the custom html post tokens which I referred to in my first post. This process also only uses basic authentication so can easily be triggered in Postman. It would be interesting to see what is received by the DNS server when that command is run?
Reiterating @gmoney’s warning I would certainly urge caution when posting key/values to the eValve. I’ve been tempted to try random combinations, but as you are interacting with firmware, there is a chance you might overwrite something you really don’t want to.
I’m currently weighing up a few options about what to do next and they’re primarily cost-driven. To achieve the reverse engineered solution there are a few options:
Seek to connect to the wifi MCU as I have been planning to do. If I knew the full pinout of the custom CC3200MOD board I could achieve this with a low cost jtag/uart emulator such as Texas Instruments’ LaunchXL programmer/debugger board (approx £40)
Alternatively, I could get a JTAGulator, which essentially is a tool that will analyse all available physical external connections on the board to help you work out the JTAG/UARTs pinouts. These are currently available in the UK for approx. £215.
Give up on the WIFI route for now, and concentrate on using an oscilloscope/function generator to intercept / seek to replicate the signals from the physical controllers. Again, an oscilliscope would cost more money.
The only guaranteed outcome from any of the above is they will cost me more money in addition to the £160 I’ve just spent on a second eValve!
@vaderag, from a consumer rights perspective, I wonder if its possible to create a poll / survey / better way on this thread (or the FB group?) to get a sense of the vendors people used to buy their SmarTaps from? It might be that there are 1 or 2 main companies that we’ve all used. Maybe instead of trying to appeal to the plundered OEM, we look to the resellers for some support? Just a thought.
There is now a new law protecting consumers from unsupported expensive smart products but I don’t know if it will help our case because we bought before this was in place. It is called the Product Security and Telecommunications Infrastructure (PSTI) Act. As far as I was aware there was only a few outlets that sold Smartap but my guess would be that it would be a couple of outlets with many different websites.
From a consumer rights perspective (at least in the UK), I believe you can / should get your money back.
When things looked bad around a year ago (we lost access for a couple of months if I recall) I contacted Victoria Plum where I purchased the device and followed the SAD FART rules - once the functionality of a SMARTtap stopped being smart, I pushed the “as described” and “reasonable length of time” angle and ultimately got a refund for the device.
To tackle your direct question @mav1 - they did connect me with their technical support as part of this journey, who were no more knowledgeable about the API or any alternative fixes as we were. Given I offered them as an “out” rather than refund me £ I think if they’d had them they’d have offered them up at that stage
Worth noting that such requests are addressed individually and so there is no guarantee that what worked for me will work for others. That said I would highly suggest everyone open a case with Victoria Plum if you purchased from them (be prepared for some back and forth), and if that fails you may also be covered under Section 75, although I did not try that route
Good Luck!
Re the rest of your post @mav1 - what would you estimate your chances of success? Can we club together to hep with some of the costs? Maybe set up a Patreon or similar? Knowing what people are like there would probably be more overhead on you as people like a feedback loop, but would that help?
We could easily cover options 1 and between everyone engaged here and on FB I would think we could get to #2 as well
So I have just been talking to Mira regarding there platinum eValve and they have told me that although they don’t currently have the ability to be used via Alexa or other the new version is coming out in August and that will have the options that we have now. It also has the option to do bathfill. Mira couldn’t tell me how many outlets they are planning on putting on this though in my set up I would need 2 in the shower and 1 bathfill so hopefully I won’t have to buy 2 but she did say that running 2 would not be a problem to each other. The controllers are currently Bluetooth connected but she didn’t know if they would be useable on the new system or it would be new controllers as well. Hope this helps
Thanks @mav1 & @vaderag, I’d be more than happy to chuck in a few £ to fund some test kit if it could help find a solution! I hope others would be too!
I checked my order with VP and it was Jul-20 so out of warranty but will definitely open a case with them. At the end of the day, we were all mis-sold!
Although the Mira looks a good alternative, I’m a bit (very!) loath to spend more money on a valve that doesn’t give me what I used to have. That, and the costs of changing over.
I know Terry (over on the FB group) has changed his and his posts are brilliant in showing how he has reworked the plumbing and faceplate but I cant imagine the work I’d have to do to swap mine!! The valve is positioned in a stud wall. One side, the wet room with shower, rain head & jets, the other side, just enough access through a built in wardrobe should the SmartAp valve itself need replacing. I planned for the valve developing terminal issues - not the company itself
So I’m watching closley in how I can support the ‘brains’ to get us automated again
Hi everyone. I have had my smartap system for about 2 years and have been concerned that one day the remote server would become unavailable, a few things to add to other people’s comments and please do correct me if I’m incorrect about anything. The CC3200 microcontroller from Texas Instruments datasheet lists 2x UART, 1x SPI and JTAG interfaces as well as multiple gpio pins:
Welcome @Rich3 ! Sounds like you’re on a similar track as @mav1 - this hardware hacking stuff is way over my head, but I’m very happy to help in any way I can!
Hi Vanderag! Well like everyone else here, I really would like to get the smart functionality working again. There is also the other option of using an esp32, a few relays and components and replace the core controls. I think this might be a big job though to control the equipment accurately.
