The Current State of MyQ - From the codeowner

Hi Everyone -

It has been basically impossible for me to get information out to users over the past few weeks during these issues due to constant github issues being created. So I am writing this forum post so that there is a central place I can put information where it is highly visible. Feel free to skip all of this and just read the TLDR

A rundown of events so far:

Beginning of September, users started experiencing an issue that was seemingly fixed by adding a useragent. The previous github repository for myq was abandoned, so in order to make the change - I created a github organization and published the repository there. I personally do not have a MyQ device, so I was at the mercy of some other users testing for me. But the solution I settled on was if the user got a 400 error, it would generate a user-agent. And that seemingly fixed the problems on September 26th

On September 29th users started having issues again - it was fixed October 2nd by parsing a few additional tags for the login, and changing some of the things we do when we login.

A few days later, it broke again, and was fixed October 10th.

It broke the next morning and was fixed October 11th

It worked until October 18th, however, for some users it never started working, this is because they manually applied fixes that weren’t being overridden. This is just a brief reminder that if you aren’t aware of what terminal commands someone gives you are doing, you shouldn’t do them, and instead wait for official fixes. But that is beside the point

So What’s going on now?

MyQ has enabled cloudflare bot protection which uses Machine Learning to determine what is a bot and what isn’t.

This makes the task much harder to overcome. There are some changes that seem promising, but the issue is once I make said changes and everyone updates their myq instance, the bot protection will pick that up and myq will again be broken - this is partially why some other implementations of the myq api are still working, they have a smaller user count and the bot protection has not picked up on it (yet).

Let me make a few things clear, this has nothing to do with rate limiting. I have seen a lot of users talk about how we should implement an option to change how frequently we poll for data, or just don’t use the api as much as we do now. The issue is only with authenticating - that is the only part that the anti bot protection is enabled. It does not matter how frequently you get data from myq, as soon as you need to reauth yourself, you can end up getting a 429 error - it is not a 429 error in the traditional sense.

I am in discussion with a few other third party myq developers and we will attempt to fix the problem, but it does not seem like there is an easy solution. I am primarily talking with the developer of the homebridge version of myq who has been maintaining that api for 10 years.

MyQ is explicitly attempting to block third party integrations, and when it comes down to it - when you have a team of software engineers getting paid to block us vs people attempting to reverse engineer the api in their free time, the paid software engineers are going to win over the long term.

What do you recommend we do?

I would recommend one of the following options

  1. Use one of the recommended partners for myq and integrate that into home assistant.

  2. Buy a fully local solution such as Ratgdo, open garage, or meross. In my opinion, ratgdo is the best as it gives you all of the data you could want, but they are backordered and the other options are good as well.

  3. Wait and see if we get it fixed

  4. Wait for a HomeKit addon to myq which is supposedly coming soon

If you switch off of myq, I’d delete your account and remove the device, no need to allow access into your home anymore.

I would also recommend making your voice heard and tweeting at myq - while it is unlikely it will change anything, I think it is helpful to make your voice heard.

FAQ

Q) What if myq only logged in when I need to update the state of my garage door

A) This would still probably fail with the bot protection - our issues have no relation to how frequently we ping their servers

Q) Why is MyQ doing this?

A) We are playing a game of cat and mouse with MyQ and right now it looks like the cat is winning. You can see here that myq has openly stated that they want to block all non-supported apis for ‘security’. In reality, I believe it is for one of the following three reasons:

  1. They want to lower server cost

  2. They want you to see their ads for their other products - if you aren’t using the app, it is unlikely you will buy their other products

  3. They want to sell their subscription services, like the MyQ Tesla app which they are selling for $45 a year.

If they really cared about user security, they would give users the option to connect with their device 100% locally.

Q) Why don’t you just make Home Assistant a supported partner of MyQ?

A) This is not something MyQ seems interested in. I reached out September 27th to get added to the Works with MyQ portal. On September 28th - It routed me to someone in sales who has been attempting to help me and connect me with someone in corporate. October 4th I followed up, and was told I should hear from someone in a few days. October 12th- I followed up again and was told again my request was forwarded to someone in corporate. October 19th - I followed up once more and heard nothing. I sent one more follow up this morning, October 23rd, and I let them know I was planning to recommend all of our users to ditch MyQ, and they told me they forwarded the request to their boss to try to get corporate to respond. But I am not optimistic.

Q) So is this integration dead?

A) Right now - no, a fix seems possible, so the integration is not dead and I hope it never will be, but that is a possibility in the long term.

TLDR: MyQ has added cloudflare bot protection to the authentication step of the login phase, it is incredibly hard to beat, we will continue to attempt to get the api working again, but it may be a losing battle. This is why you should always prefer to have non-cloud devices, you are at the mercy of a company. I would recommend looking at local options such as RATGDO, OpenGarage, Meross, etc. If that isn’t an option for you - all you can do is wait and hope we figure this out or attempt to connect to a ‘supported’ myq partner and then add that to home assistant.

My Latest update (11/6/2023) -

The MyQ Integration will be officially removed from Home Assistant in 2023.12 Read about that here.

This is unfortunate, but it is seemingly the best move forward. Since I last updated, MyQ has continued to lock down their api - they are also doing a Firebase app check - That is in addition to the CloudFlare bot protection - and the REST call checks. It’s a whole lot of effort just to block third party integrations from communicating with the myq servers.

I know some people are still attempting to find a solution - and I’d be happy to help implement as long as it seems like it can truly be a long lasting solution.

104 Likes

Just a random thought, can you ask the user to re-authenticate when it returns 429? Assuming there is a challenge to be solved such as captcha or sth else.

Note: don’t have myq but managing an integration which requires captcha challenge to be solved in random times and I am redirecting this request to the user and submit it back.

Thanks for the info on what’s going on! Honestly I’m not the slightest bit surprised that this is the direction MyQ is deciding to take. In regards to trying to avoid bot protection mode, there should obviously be some way the partners and mobile app can interact with the API without being blocked by bot protection mode, such as an exclusive authorization token or unique user agent for each user + device (such as the device model and some sort of unique ID for each device that has the mobile app installed).

Whatever it may be, I’m under the impression that Cloudflare’s bot protection is designed to block traffic that appears to be coming from the same application spread across multiple geographic locations (virtually or physically). I may be wrong but that is what it appears to be in practice.

Maybe a bandaid solution could be to use a UUID unique to each Home Assistant installation that is part of the user agent. I know continually trying to bypass this type of protection can result in more effort than would be present in the proper solution (Home Assistant somehow getting accepted as an API partner), it could work while MyQ is possibly considering allowing Home Assistant to become an API partner.

First of all, thank you so much for all of your hard work on this, even going so far as to try to work with myQ themselves on an official partnership.

At this point, I pretty much assume this is a lost cause. You will probably be able to fix it from time to time for short whiles, but it will always break again. MyQ just doesn’t want to have it, and they do have the edge. They just want our money, and better, free alternatives like Home Assistant are in the way. I’ve already begun making plans to move away from them, and as soon as they require a subscription for something as basic as guest access for my family, I will drop them completely. Besides, Ratgdo does have more features than myQ allows that I’m looking forward to as soon as some of my questions about v2.5 are answered.

This is beyond captchas. Cloudflare’s bot protection uses ML to analyze how an application accesses the API internally, how and in what sequence it calls the API endpoints, and scores this against a ‘legitimate’ use pattern only known to the original API developer (MyQ in this case). It’s very effective.

4 Likes

Lash L thank you for the detailed explanation of the issues. I am most appreciative of your efforts to resolve the myQ ongoing issues. Just as a side note. Somebody better warn Ratgdo he’s going to see an increase of orders.

1 Like

We vote with our money. When technology becomes a burden, we should cast our votes elsewhere.

6 Likes

Thanks much for your efforts on this. I have 4 garage doors and 3 of them are using this. Buying more hardware seems so ridiculous when the current can do it. Sorry state of home automation.

If you are able to actually speak with them, is there a way they could offer this support as a fee? They might not want to bother or might not want to have this advertised as a fee. If I saw the fee when buying the hardware I would have chosen different hardware. Which if I saw they didn’t have API support I would have too. Your integration got me to this hardware.

Anyway, keep up the good fight and if you need help with anything please let me know how I can.

1 Like

Thank-you for the detailed update man. MyQ, what an epic failure on their part. Certainly the last device I ever buy with their logo or affiliation attached to it.

4 Likes

Have you tried using curl_cffi as a replacement for python requests? We have seen success in getting past cloudflare for a different cloud service integration over on the Scrypted camera platform. There is also cloudscraper, which contains captcha solvers, but its TLS profile does not match real browsers the same way as curl_cffi.

2 Likes

I’m confident Chamberlain’s stance is 100% cost/revenue driven. Several years ago they were struggling with cloud costs and keeping their infrastructure up with the traffic volume. They don’t want to provide infrastructure resources to applications that aren’t generating revenue for them.

Thank you for the work on this, but with modern bot protection I think our only real way forward with MyQ is as you say 3rd party service or maybe even a Nabu Casa relation?

Thank you for creating the integration that makes the garage door access.

It is however disappointing that the extension has been made more difficult for developers to customize the interface and control privately. It appears that this was never the intent of their parent company, MyQ.

While promising for a native support of the respective products, we are left alone with a non-working solution with added promotional content that cannot be opt-out. Likely a deal was reached with Apple and MyQ in the product development phase.

In hope a solution reaches that the HomeBridge option can be revitalized once more for the existing users.

I will repeat here what I’ve said in different places on the forum.

A DIY solution to allow you to get rid of MyQ cloud dependency is not at all complicated.

You basically need three things:

  1. a method of sensing the door position - I use an ultrasonic sensor on an ESP module but you can use a door tilt sensor as well
  2. a dry contact relay - either a hacked Sonoff Basic or easier but more expensive zwave dry contact relay
  3. a spare remote control paired to the door

generally, you just need to solder the dry contact relay contacts across the activation button contacts inside the remote. then when you activate the dry contact relay the door sees it as someone pressing the remote so the door operates.

if anyone wants more details just ask.

1 Like

I appreciate the work done here.

Python-MyQ/pymyq/request.py at master · Python-MyQ/Python-MyQ (github.com)

I noticed that the User Agent still is a random one.

Every time Home-Assistant updates I force the user-agent to MyQ iOS Client v1.93.

And it works every time.

1 Like

Review bomb the app and blast Chamberlain and myQ on Twitter.

8 Likes

Thank you for the detailed explanation. I’ve had enough of Chamberlain’s antics! My order has been placed with RATGDO. Although the device is on backorder, I’m sure the wait will be worth it once it arrives.

1 Like

Since we are now fully in the realm of “MyQ is trying to nuke third party integrations” It is likely just going to keep escalating until they give in on third party access / make an official Home Assistant integration or DMCA everything like Mazda did.

If the native apps are using the same APIs that have Cloudflare Bot Protection on, they have to have a way to get past it. I would check out to see how it is doing it. If they are doing the really “stupid” thing, they are using Cloudflare Service tokens embedded directly in the app. You might need to emulate the User Agent of the native app.

2 Likes

Thank you so much for your hard work. It’s a shame these companies treat their CUSTOMERS like this! Don’t forget, every one of us PAID $$ for one of their devices! For what, to be treated like this??

Guess it’s time to get rid of MyQ. I like Ratgdo, looks cool, way cheaper too. Think I’m gunna go with that.

2 Likes

It’s cute that they think they are going to sell any of their obvious moneygrab services to anyone from the home automation community. Especially after this type of behavior. Their paid services are for people who barely know how to use their phone. We all configured our own ecosystem to consolidate the functionality of all these apps. Man I can’t wait for my RatGDO’s to arrive, and go local-only.

FWIW MyQ garages speak MQTT-secure directly to their servers on Azure. I’m going to be devoting many evenings attempting MITM on these connections or attempting to dump / upload custom firmware to it that point to my HA MQTT server with a hot CA

9 Likes

To everyone reading this post, before you do anything else please pull up the myQ app on your phone and provide a scathing review.

15 Likes