I haven't seen anything but I am also interested in this and have it flagged.
Craig
I just tried decompiling the android app, as far as I can see the app is only a stub (it downloads the full app on launch). I don't have an android phone however, which means I can't get hold of the actual code.
Another idea I had would be to capture the actual bluetooth packages, but I don't have the equipment for this either.
If someone has access to both an android phone and a lock, you could try this: http://nilhcem.com/iot/reverse-engineering-simple-bluetooth-devices to get a log of the bluetooth packages.
I got one of the locks, and it doesn't seem to integrate with anything at all. I have an iPhone, and it works fine with the iOS app, but I don't really want to use that. Can we sniff the traffic with a Raspberry?
I'm interested in this too, maybe it's possible to sniff/capture the packets with btlejack:
I think I will give that a try, but I will have to get the hardware (bluetooth sniffer) so this will take some time. Any other suggestions?
I captured 4 unlocks, also I'm gathering all the info I have here: https://github.com/cnrd/yeelock
It looks like the value is changing every time you unlock, but I'm unsure what this value is.
Also I tried unlocking while in airplane mode, you cannot use the app in airplane mode, so I'm afraid that they are actually generating an "unlock code" on their servers.
This does not mean that it is impossible to reverse.
Unfortunately I can confirm this, it seems like it needs internet access to unlock it. I have sniffed the network traffic at my access point. The app is connecting to api.yeeloc.com, unfortunately the traffic is encrypted.
Here is a full unlock dump: https://pastebin.com/raw/LbZA2q4B
Thanks for the tip… I've setup mitmproxy, it's running now for a few minutes, I don't really have time now to analyze everything. But this response from the server looks promising
[
  {
    "add_time": "2019-03-09 03:37:08",
    "ble_sign_key": "6A66714348537769",
    "last_unlock_datetime": "2019-03-11 00:58:11",
    "lock_id": 114413,
    "lock_name": "Drawer lock",
    "lock_sn": "B0E8rC98",
    "lock_type": "CTS",
    "type": "user",
    "unlock_times": 17
  }
]
As soon as I have the hardware to sniff the bluetooth traffic, I may be able to find some relations. I have also downloaded and decompiled the apk, I will have a close look at it in the next days.
@tom-x1 from what I could gather the apk is just a stub (downloading on launch), I did get it from a third-party site, so that may also be why.
Are you on Android? If yes have you tried enabling Bluetooth HCI Snooping in the developer menu? If you look at my GitHub link, there is a full log of 4 different unlocks.
Combining the logs may be a great step forward in understanding the value sent, as it is currently pretty magical.
Hopefully we will be able to reverse whatever algorithm they are using.
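To compare the unlock values from several HCI snoop logs, here is an added example (not from this thread or from the yeelock repository) that parses a btsnoop file, pulls out every ATT write, and checks whether the same value to the same handle recurs across captures, which is what decides whether a captured unlock is static and replayable or changes per unlock. It assumes the btsnoop v1 / H4 framing that Android's HCI snoop writes; the captures, handle 0x0011 and values below are constructed for the example, not real Yeelock traffic.

```python
import struct
BTSNOOP_MAGIC = b"btsnoop\x00"
ATT_CID = 0x0004                  # L2CAP fixed channel for ATT
ATT_WRITE_OPCODES = {0x12, 0x52}  # ATT Write Request, Write Command

def parse_btsnoop(data):
    """Yield (direction, h4_packet) from a btsnoop v1 file as Android HCI snoop writes it."""
    if data[:8] != BTSNOOP_MAGIC:
        raise ValueError("not a btsnoop file")
    if struct.unpack(">II", data[8:16]) != (1, 1002):  # version 1, datalink 1002 = HCI UART (H4)
        raise ValueError("expected btsnoop v1 with H4 datalink")
    off = 16
    while off + 24 <= len(data):  # record header: orig len, incl len, flags, drops, timestamp
        _orig, incl, flags, _drops, _ts = struct.unpack(">IIIIq", data[off:off + 24])
        yield ("rcvd" if flags & 1 else "sent"), data[off + 24:off + 24 + incl]
        off += 24 + incl

def att_writes(data):
    """Return [(direction, att_handle, value)] for every ATT write in one capture."""
    out = []
    for direction, pkt in parse_btsnoop(data):
        if len(pkt) < 10 or pkt[0] != 0x02:  # H4 packet type 0x02 = ACL data
            continue
        # ACL: handle+flags (2), length (2); L2CAP: length (2), CID (2); then the ATT PDU
        _h, _alen, _l2len, cid = struct.unpack("<HHHH", pkt[1:9])
        att = pkt[9:]
        if cid == ATT_CID and att[0] in ATT_WRITE_OPCODES and len(att) >= 3:
            out.append((direction, struct.unpack("<H", att[1:3])[0], att[3:]))
    return out

def value_reused_across_captures(captures):
    """True if an identical (handle, value) write shows up in more than one capture."""
    seen = {}
    for idx, cap in enumerate(captures):
        for _d, handle, value in att_writes(cap):
            seen.setdefault((handle, value), set()).add(idx)
    return any(len(s) > 1 for s in seen.values())

# Constructed sample captures (not real Yeelock traffic): one btsnoop record each,
# holding an ATT Write Command of `value` to the made-up attribute handle 0x0011.
def _record(flags, payload):
    return struct.pack(">IIIIq", len(payload), len(payload), flags, 0, 0) + payload
def _write_cmd(handle, value):
    att = bytes([0x52]) + struct.pack("<H", handle) + value
    l2cap = struct.pack("<HH", len(att), ATT_CID) + att
    return bytes([0x02]) + struct.pack("<HH", 0x0040, len(l2cap)) + l2cap

HEADER = BTSNOOP_MAGIC + struct.pack(">II", 1, 1002)
CAPTURE_A = HEADER + _record(0, _write_cmd(0x0011, bytes.fromhex("a1b2c3d4")))
CAPTURE_B = HEADER + _record(0, _write_cmd(0x0011, bytes.fromhex("e5f60718")))
```

On real logs, read each btsnoop_hci.log into bytes and pass the list to value_reused_across_captures; a True result means the write carried an identical payload in two sessions.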
Unfortunately I don't have an Android device. I've ordered an Adafruit BT Sniffer https://www.adafruit.com/product/2269 but it will take about 2 weeks until delivery.
Also interested…
Any updates on this?
I've tried to sniff the BT traffic with the adafruit dongle and a microbit. Unfortunately I have not found any useful information inside the sniffed traffic. But I'm also not really familiar with bluetooth… so if anyone here has a deeper knowledge of BTLE I could provide a pcap file…
I would love to use it in HA… theoretically, do you think it's possible to add it?
And why they have not included it in Xiaomi Home app… at least we could do some automations… damn…
As I want to move it forward I wrote them a feedback in the android app and I will also contact them by their website… maybe you could also do it? They are on www.yeeloc.com
I would love to see the pcap.
Indeed not working in airplane mode but without internet (wifi and data off) I am able to unlock!
So I don't think it needs to be connected to internet for unlock operations.
What platform are you on? As on iOS it will log me out of the app if I try to open it with no network connection.
I'm using Android.
Any chance you can dump the apk file and upload it somewhere?
If you have adb it should be as easy as:
adb pull /data/app/com.yeeloc.yisuobao.apk ./
Sure it is here: https://drive.google.com/open?id=1-2OBVmvykCgjlrFrbFHPpaGfu-gtsQ3M
Found it on a different location (/data/app/com.yeeloc.yisuobao-1F6mYwf8FmgTLMaPUyLrDA==/base.apk)