Smartap Shower Control: Getting started with reverse engineering a smart home device?

Awesome news, thanks @mav1
Just sent you a few coffees- best of luck!

1 Like

Well, unfortunately we haven't been as lucky as you others that have had a full refund. The people who we bought ours from have sent me an email telling me hard lines because it still works as a tap, but they will give me £50 as a 'gesture of goodwill'! Does anyone have a copy of the warranty?

Hi All
So happy I've found this forum! I have a smart tap and am in the same boat, unfortunately. Have been going back and forth with the retailer to try to get a full refund and have agreed to a partial refund reluctantly, as the taps are still working; just that the smart feature isn't working. If I was to take it further, I've had use of the tap for around 3 years so from advice from Citizens Advice I wouldn't be able to claim for a full refund anyways! :slightly_frowning_face:

Hi @mav,

I've been away so only just got around to trying out the steps to get my SmarTap onto the Wi-Fi network.

It is now connected OK so thank you for the steps to get this working.

One problem I have now though is that having realised I connected the main shower head to outlet 3 and not outlet 1, I can't seem to be able to convince the unit to use this outlet. I was hoping to be able to program the unit accordingly without re-plumbing.

I have sent these parameters to the unit but it still doesn't work.

Any ideas? I see some earlier posts have been sending '7' so I tried 7 on all outlets. I hear some whirring going on when pressing the power button but still can't get anything out of the shower unit.

Thanks for any help.

Adrian

Hi @brownadb,

As I mentioned in the last post on this, I'm not 100% as to how the numbers correspond to the physical outlets - I've had a quick look again this evening into the pairing_factory.js, pairing_diverter-controller.js, app_controller.js files etc within the APK and the logic behind all this is horrible! :upside_down_face:

A pure guess (?!) at this stage would be to go into pairing mode again as previously described and post _SL_P_OU3 : 4

I'll try and spend more time looking into it, but as far as I can make out there's a question of outlet order and the number of clicks you can cycle through in order to activate the different outlets. I.e. on the main controller you could control all 3 outlets if you so wish. The app has some very complicated means of calculating the correct output based on the physical permutation you've chosen.

Mav.

Hey @mav, thanks very much for the reply and looking into the code behind this.

I'll give that suggestion a try :grinning:

Adrian

Hi @mav,

That worked, thanks. Saves a bit of re-plumbing!

Adrian

1 Like

Hi Mav

Really appreciate your efforts

Just reading through all the messages so trying to catch up and get up to speed

Am I right by saying you can control all 3 outlets on / off via sending simple commands through Postman?

Just thinking if this is the case, could Postman not be installed on a Raspberry Pi and use open source software like Domoticz and send commands via Alexa - Domoticz - Postman to activate the shower?

My knowledge is limited on coding but willing to help in any way

Regards

John

Hi John,

That was the case prior to the SmarTap server getting switched off. The app to server on the cloud traffic was previously easy to replicate via postman.

The target now is to be able to recreate some of the fundamental server to eValve traffic that facilitates remote operation of the eValve.
Previously the TLS encryption between the SmarTap server and eValve prevented easy replication. Now as the server isn't communicating we're currently attempting to analyse the firmware of the eValve to see what can be done.

Welcome to the thread!

Mav

1 Like

I'm fairly well stumped I think.

The Shower does reach out to a configurable URL (originally hosted on Amazon named lb.smartap-tech.com) to open a TLS encrypted WebSocket channel of communication. The mobile App (Android/iOS) was sending messages to an App on Amazon. These messages from the Phone or Alexa etc were then interpreted and then rerouted down the WebSocket channel to the Shower. So we tell Alexa or Phone App, it tells an Amazon-hosted App, and Amazon App relays a message to the permanently connected Shower to do something.

I've had success both via DNS and reconfiguring the URL inside the Shower in inviting the Shower to connect to a different server than Amazon. This works fine. Sadly even when I have a Websockets Server program sitting and waiting on the right port for the Shower to connect to, when the Shower goes through security handshakes with this server (socket.connect), the certificates loaded on the Shower itself do not accept my WebSockets server's identity on the other end. Good security by Smartap but painful situation for us!

Perhaps when someone has done the clever electronics to physically connect a PC to the shower, we might flash different certificates into the shower and have better results but I'm a software person not a hardware/firmware one, plus I cannot see everyone buying the kit to enable them to flash certificates into their physical Shower unless it costs peanuts.

The CC3200 chip inside the Shower does have an "Over the Air" method of using WIFI periodically to pull updated files from what is usually a Dropbox set-up. I think this was how it was intended that the CC3200 firmware, and the shower application code and the certificates would have been updated had Smartap kept going as a business. So either prompted somehow by a combination of the Shower push buttons or just triggered by time, the Shower would look at a Dropbox account for newer versions of files and then download them and reboot.

So at the moment I cannot really see any progress without being able to put new certificates into the filesystems on the Shower and that would mean one of either (1) the "Over the Air" cleverness - which we don't have access to or (2) the "over the wire" flash alternative that seems to depend upon @mav1 and @Rich3 but would mean every user buying electronics to allow this flashing!

Doh! I hope Plumbworld are as forthcoming with a refund as VictoriaPlum have been for you others. At the moment I'm awaiting a response from a Ticket raised with them.

2 Likes

Hi,

Some sterling effort here and thought I'd chip in.

I've got a couple of eValves and got a full refund from VictoriaPlum when the services first went dark in 2022 as the company was no longer trading so anyone bought from VictoriaPlum go get a refund as the system was guaranteed for 5 years.

Not so good, reading above it seems the latest outage is going to be it as the eValve only talks to the AWS Service and no access to the certs so impossible to even reconfigure locally given the architecture. Even my £10 LED light controllers can be configured locally without internet so spectacularly poor software design but you live and learn.

Concern I have now is spares and one of the eValves runs 3 outlets for bath, overhead and hand shower with a second single press button when it inevitably goes wrong. Anyone got a recommendation for a similar solution that uses same or bigger control panels to avoid chopping lots of tiles?

PS I've got a copy of 3.3.2 iOS IPA file should someone make a breakthrough and need the app to reinstall. Not sure how useful given Alexa skill is no longer available.

1 Like

Hey Tony - welcome. There is still hope - @mav1 appears to be making some stellar progress with hardware / firmware hacking - I think that's the only route that is likely to save us right now… so don't lose hope yet!

1 Like

@TonyF1 - Yes, a few users have successfully swapped out for a Mira option, though no smart functionality - a good solution if shower not working at all. One helpful user documented on the Facebook group:

https://m.facebook.com/groups/1052238648976202/permalink/1269939127206152/

Wow, I'm only just getting caught up on this thread, some amazing work so far!

I've not done much hardware hacking / firmware messing unfortunately, but hacking is my day job so I'm hoping I can contribute to the effort.

I can't see anything that I would have done differently up to this point and I definitely think @mav1 is headed in the right direction currently.

@mav1 - would you be able to share the steps you've taken to grab the firmware, kit you've used, and/or the data you've retrieved? Or equally is there anything specific you've been looking at so far that I might be able to help with?

Onward!

3 Likes

@mav1, Wow amazing job, can you share how and what you used to successfully extract the firmware?

Have you tried searching for the lb.smartap-tech API call? If it's stored as a string we could replace it with our own version?

1 Like
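The string search suggested in the post above, as an added example that is not part of the original thread or anyone's actual tooling: it finds every printable string in a dump that contains the hostname and swaps the hostname without changing the image length. The sample bytes, the URL form and the replacement host `shower.home.lan` are constructed assumptions, not data from a real eValve.

```python
HOST = b"lb.smartap-tech.com"   # hostname named in the thread

# Constructed stand-in for a firmware dump (not real eValve data): the URL
# form, port and surrounding bytes are invented for the demonstration.
SAMPLE = (b"\x10\xb5\x00\x08" + b"wss://lb.smartap-tech.com:443/ws\x00"
          + b"\xff\xff" + HOST + b"\x00\x00\x00\x00" + b"\x70\x47")

def _printable(b: int) -> bool:
    return 0x20 <= b < 0x7F

def find_host_strings(image: bytes, host: bytes = HOST):
    """Return (offset, enclosing_string) for each ASCII string containing host."""
    hits, pos = [], image.find(host)
    while pos != -1:
        start, end = pos, pos + len(host)
        # Widen to the whole printable run so scheme, port and path are visible.
        while start > 0 and _printable(image[start - 1]):
            start -= 1
        while end < len(image) and _printable(image[end]):
            end += 1
        hits.append((start, image[start:end]))
        pos = image.find(host, end)
    return hits

def patch_host(image: bytes, new_host: bytes, host: bytes = HOST) -> bytes:
    """Swap host for new_host inside each string, keeping every offset fixed.

    Assumes plain NUL-terminated ASCII strings; a separately stored length
    or an integrity check over the image is not handled here.
    """
    out = bytearray(image)
    for offset, old in find_host_strings(image, host):
        new = old.replace(host, new_host)
        if len(new) > len(old):
            # A longer string would overwrite whatever follows it in flash.
            raise ValueError(f"replacement too long for string at 0x{offset:x}")
        # Pad with NULs so the field keeps its original size.
        out[offset:offset + len(old)] = new + b"\x00" * (len(old) - len(new))
    return bytes(out)

if __name__ == "__main__":
    for off, s in find_host_strings(SAMPLE):
        print(f"0x{off:04x}  {s.decode()}")
    patched = patch_host(SAMPLE, b"shower.home.lan")  # hypothetical local name
    for off, s in find_host_strings(patched, b"shower.home.lan"):
        print(f"0x{off:04x}  {s.decode()}")
```

Changing the hostname only changes where the shower connects; the certificate check described earlier in the thread still decides whether it accepts that server.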

Has anyone tried to get the source code for the app from the new buyer?

1 Like

Can you please share with me? I have been searching everywhere! I lost the app on a restore of my iPhone.

@mav1 I'd be similarly interested in all the things mentioned by @rant

I'm also interested in whether you've gone via the UART and how easy or difficult or £££ that might have been? Even physically how accessible within the plastic case the CC3200 board is and what you needed to go from perhaps USB to 6 pin UART.

I'll try and work out how to PM you my eMail address.

1 Like

Good evening all,

Sorry I've been quiet recently - work and family etc.!

@rant welcome to the community! I certainly don't do this for a living, and it's great that you've joined the effort. Please do get in touch if you've got any ideas or see some glaring errors!

Here's an annotated version of @gmoney's photo (thanks George!), he is now definitely the official photographer of the group.

There's ultimately still a lot to fill in on the above picture, and it still needs to be determined whether what looks to be jumpers on the underside of the board will facilitate UART/SWD in addition to the JTAG connection I've managed to make. If you can access UART then it would make life seemingly a bit easier and open up the use of tools like CC3200tool etc…

On that note, I don't yet have clarity on what each test port is for. Some staring at the technical documentation is required perhaps.

@apr in terms of getting into the wifi module which is fully sealed, I took the approach of using a Stanley knife heated by a blow torch to cut along the evident join. Caution: there's not a huge amount of space on the other side and you do run the risk of hitting/overheating components!! I compared notes with @gmoney who has complete access to the underside, whereas I don't currently. I will try to glean everything I can before taking the additional risk to cut away the plastic that's keeping the PCB in place.

I've purchased a Texas Instruments LaunchXL CC3200 which has a JTAG in-circuit debugger connector. I chose this board to make the physical connection because I thought it might also be useful later down the line. You may be able to use a cheaper JTAG interface to make the connection but can't say for sure. By connecting the corresponding ports on the LaunchXL to the CC3200MOD as per the image above, and then subsequently using Texas Instruments' Uniflash, I was able to dump the contents of the module's SRAM flash memory. I'll need to write this up in fuller detail when I'm next able. If you get this far, do check the memory address ranges in the datasheet for the CC3200MOD as it's not immediately obvious otherwise that you're on the right track. (I've also tried other tools like OpenOCD but not had much success so far).

You then need to use an appropriate decompiler to convert the binary into something human interpretable → in the first instance assembly and most decompilers I've used on this will translate this into some pseudo C. The time consuming and extremely challenging thing about this is you lose 90% of the context of the programming that was originally there before it was compiled into binary - no function or variable labels, no easily determinable file structure etc… As ever, more from me to come soon.

@APR it would be good to chat, your work on the websocket is a piece of the puzzle I haven't gotten to yet and some real hurdles to overcome.

Thanks to everyone for the support given to date!

3 Likes

Hi everyone,

Luckily refund from VP was successful!

Just a thought (could be a silly one) is there not a way we could simulate the physical controller? As I'm aware they used to sell extra 'buttons' in order to pre-warm the shower etc?

I remember doing this years ago with a much dumber Aqualisa shower and a bog standard rf relay and an rfxcom.

As I say just a silly thought, I'm also not sure how you'd go about simulating the encoder if you wanted temp control etc?

Cheers for all the work on this everyone!