First up: this isn't criticism of the original post in the slightest, it's a wonderful journey through figuring out how a weird device that wants to be on your wifi works.
If you have a device that speaks to an Android app, you want https://github.com/niklashigi/apk-mitm - it'll strip pretty much every known certificate pinning implementation from an apk, and it'll also rewrite the manifest so it'll trust the user-installed certs without having to root your device to modify the system store. Uninstall the original app, sideload the output of apk-mitm, and then you can use mitmproxy on a stock device.
The other thing is that if a device is providing encrypted data to an app, and the app is displaying the decrypted data, then the app inherently either contains the decryption key somewhere or downloads it from somewhere. https://github.com/skylot/jadx will turn an apk into something that approximates Java, and digging through that will often let you figure out what the key is. But some vendors will decide that the appropriate way to handle this is to kick the cryptography out to native code, at which point you're into having to RE something in Ghidra. Depending on your mindset this is either incredibly tedious or incredibly fun, but it's generally possible.
The author was able to build on top of work that had been done by others, but if you're ever faced with a situation where nobody else has done that work, don't just give up. It's worth spending time trying to figure out how code running on a device you own works, and even if you don't succeed in the end you're probably going to learn a lot in the process.
Even if it's not for a device. I have an app that like most apps only gets worse every update. I stopped all auto updates, backdated, all good. Eventually it stopped being able to connect to the servers. I heard about cert pinning, saw this repo, and tried it. Flawless victory.
And because its ad URLs are out of date or something, I see no ads. Which I don't feel bad about because again, all their development effort was in turning something working into something not working.
"The author was able to build on top of work that had been done by others, but if you're ever faced with a situation where nobody else has done that work, don't just give up." If I couldn't strike lucky with an xor brute force, my next plan of attack was to start poking at whatever android app they had. It was only because my friend happened to find that someone else had already done it on github that I managed to take the shortcut. If we hadn't found that github I'd probably have a far more detailed writeup so that other people could follow on with their own appliance, if they happen to have the same/a similar one.
+1 on this... I was actually surprised this wasn't one of the earlier efforts, as to me it would have been one of the first things I tried. Given the webview aspects of the app, I wouldn't be surprised if it was using something webcrypto was capable of in the app UI, with the key relatively obvious to yank out.
I'm a big fan of using web rendering for UI apps, but most devs are less interested in how to implement real security. Or add theatrical additions that just don't work with reality.
Not to overshadow apk-mitm, but I find PCAPdroid and its MITM plugin (which uses mitmproxy under the hood!) to be convenient, if you want to look at things on the device.
I did something with my Bosch washing machine (not like the OP). My washing machine is at the other end of the house from my home office. Sometimes I would put a load of washing on, and despite setting an alarm, might forget (perhaps I am in an important meeting etc).
So I decided to solve it.
Using the Bosch API - I can tell both when a cycle is complete, and if the door is open. Currently I use their default version, but there is a locally hosted option I'll be switching to now the proof of concept works.
So using Home Assistant I have a simple script that detects when a washing machine cycle is complete AND the door has NOT been opened. This implies my washing machine has wet clothes still in it.
So Home Assistant will alert my phone (and my wife only if she is home based upon presence detection) once every 15mins that there are wet clothes waiting in the washing machine.
My washing machine is a "dumb" machine from the '90s. The wash cycles run based on the position of a glorified timer knob: it doesn't have a computer or sensors to detect if it needs extra time aside from the water fill stages. Thanks to this consistency, I just set a 40 minute timer on my phone, and it's always done by then. Can't get much simpler than that. If I need reminders, there's always the alarm snooze function.
It's actually really, really easy to get the state of a "dumb" washing machine (or any other electric machine) into Home Assistant using a smart plug. You can use something really basic like "power draw for > n seconds followed by no power for > m seconds" to detect when a cycle is finished. You can get way fancier and look at power draw curves to determine what part of a cycle it's in, or which cycle, if you really want to. You can add a door sensor (recommend Samsung) if you want to know if the door's been opened.
Unfortunately it's much harder to do the same for an electric dryer, since there are no inexpensive or good smart plugs for 240V last I checked.
Keep that dumb washing machine from the 90s, I can almost guarantee you that a new washing machine is not meant to last as long. Maybe 6-7 years if you are lucky.
I occasionally do a washing load before bed that I know I might not wake up for to put into the dryer. Fortunately, my machine has an "extended tumble" cycle of sorts that will keep the clothes fresh all night at the expense of a bit more water, but while saving my bedtime routine. We end up with a lot of these nighttime loads because we're toasted all day watching kids and we prioritize laundry off-peak electricity hours. Love my Electrolux, but I imagine many brands have a comparable feature.
The equivalent on mine (a Bosch) is to wait to start anything at all until 1 cycle-time less than the specified number of hours. Churning all night instead seems a peculiar design choice.
Does your machine not have a delayed start function? I’m standing in front of about 40 washing machines right now and they all appear to have this function.
I have been planning to implement something similar with my countertop oven - however having no API or other connectivity, I was planning on simply plugging it via a smart plug, and using the power draw measurements to determine whether it's idle or not (that is, arm when power draw transitions to above idle, then alert once it drops back to idle).
Yeah I tried to use the builtin sensor on my LG one but it turns out, there's no 'door open' sensor per se, only the 'locked successfully' signal. So I had to add an external Zigbee reed switch door sensor.
I have a G-Shock 5600 watch that can alert me when my washing machine is finished. At the start of the cycle I take note of the total time it takes, I set that time on the timer of the watch and hit start. It will beep once the washing machine is finished. Been doing that for about 15 years now.
Respect, but this is kinda the hard way - I just plugged mine (dumb machine, not smart) in via an energy metering plug, and when energy use drops to less than 10W for more than 2 minutes, it’s done - very simple homeassistant automation. Convenient for me as the machine is 500m from the house.
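The smart-plug approach in the comment above and the earlier "power draw for > n seconds followed by no power for > m seconds" suggestion are the same state machine. This is an added Python sketch of it, not code from any commenter: the 10 W / 2 minute finish rule comes from the comment above, while the 2 minute minimum run time and the sample readings are constructed assumptions.

```python
from typing import List, Optional, Tuple

class CycleDetector:
    """Turn (seconds, watts) smart-plug readings into cycle start/finish events.

    A cycle starts once draw stays above on_watts for min_run_s and ends once
    it stays at or below on_watts for off_s. Both waits are hysteresis: the
    first ignores a short surge (door lock, display), the second rides through
    the low-draw pauses between fill, wash and spin. on_watts is above zero
    because many machines draw a few watts in standby."""

    def __init__(self, on_watts: float = 10.0, min_run_s: float = 120.0,
                 off_s: float = 120.0) -> None:
        self.on_watts, self.min_run_s, self.off_s = on_watts, min_run_s, off_s
        self.state = "idle"
        self.run_since: Optional[float] = None    # first reading above threshold
        self.quiet_since: Optional[float] = None  # first reading at/below it
        self.events: List[Tuple[str, float]] = []

    def feed(self, t: float, watts: float) -> str:
        """Consume one reading and return the state after it."""
        if self.state == "idle":
            if watts > self.on_watts:
                if self.run_since is None:
                    self.run_since = t
                elif t - self.run_since >= self.min_run_s:
                    self.state = "running"
                    self.events.append(("started", self.run_since))
            else:
                self.run_since = None
        else:
            if watts <= self.on_watts:
                if self.quiet_since is None:
                    self.quiet_since = t
                elif t - self.quiet_since >= self.off_s:
                    self.state = "idle"
                    self.events.append(("finished", self.quiet_since))
                    self.run_since = self.quiet_since = None
            else:
                self.quiet_since = None
        return self.state

def detect_cycles(samples: List[Tuple[float, float]], **kw) -> List[Tuple[str, float]]:
    """Run a fresh detector over a list of readings and return its events."""
    det = CycleDetector(**kw)
    for t, watts in samples:
        det.feed(t, watts)
    return det.events

def constructed_samples() -> List[Tuple[float, float]]:
    """Constructed 30 s readings: 5 min standby at 2 W, a 400 W wash from
    t=300 to t=3600 with a 60 s low-draw pause at t=1800, then standby."""
    return [(t, 400.0 if 300 <= t <= 3600 and t not in (1800, 1830) else 2.0)
            for t in range(0, 4501, 30)]
```

Shrinking off_s to 30 s on the same readings splits the wash into two cycles at the mid-cycle pause, which is why the quiet window has to be longer than any pause the machine takes.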
One reason I can think of - in some places where houses are small (like in cities in the UK) you might not have a garage on your property and might rent one nearby (they are often in little rows, e.g. [1]). So they might have that kind of situation and have the washing machine there if it's a very small house?
It's tough times: their villa has a washing room in the servants block away from the house, but now they had to release everyone but the valet, housekeeping, masseur and hairdresser, so the washer role has been eliminated and now they need the notification for their valet to go pick it up.
This is what I do - when the washer finishes, a light turns on in the kitchen letting us know. Then, when the dryer has drawn power for 10 seconds, the light turns back off, because that’s a good indication that someone dealt with the wet laundry. (Sometimes things get out of sync but not often!)
Some washing machines (mine at least) have some "smart" features that adjust the wash time depending on some factors. Nothing more annoying than coming to the laundry after my phone alarm goes off, and seeing the timer on my washing machine go UP(!!!) from 0:01 to 0:02 ...
I used Shelly plugs for the washer and the dryer. Put a little Go application on my server in the basement and get Telegram notifications + HTTP interface updates about the different states (running, finished, standby).
I do the same, works great. I liked it so much that I'm doing the same with my microwave, after removing the annoying beeper it had. Now I get a decent single short beep and can monitor how often I've used it.
Nex is a cybersecurity student in a house of similar people, they're gonna take every way :3
quote:
> The plan is, in future, since we can't hack something that doesn't have a brain, to instead attach a brain to it. The dishwasher is easy, we can just whack that on a smart plug and monitor when the power use surges and drops. The dryer is a bit more difficult, since they pull a LOT of power, and smart plugs typically either don't support that much power, or are incredibly expensive. So that's likely going to be some fancy vibration sensor-based thingy
I have a magnetic Zigbee vibration sensor on my washer and dryer connected to Home Assistant. I hadn't thought of monitoring smart outlet current/voltage instead, that's a good idea too.
That's how I do it. I have a smart plug on the washer dryer and the power consumption gets sent via MQTT to Node-RED where some simple monitoring and trigger conditions update a dashboard and send an email to myself when the washing machine starts and when it stops. That's good enough for our needs.
The machine does have an app and Bluetooth, but I can't see the point of spending the time reverse engineering the protocol, and the app is never going to be activated on my phone because it wants access to camera, sound, phone and my contacts list.
Unless you are using a rooted Android, putting your own certificates on your phone is annoying. They need to be in the system certificate store which is, as far as I know, only possible with a Magisk module.
An easier way is to run an Android virtual device with an older Android version on your computer. You can then use some scripts to add the certificates and proxy the traffic to Burpsuite or mitmproxy. That way you also don't have to switch devices.
It would also be interesting to use APKLab or Jadx to look at the code of the app. Maybe you can find the key derivation algorithm. The app and the washing machine must somehow generate keys or have pre-shared secrets.
If I understand correctly, the app only works if both devices are in the same network? I like that
I'm hacking my fridge. It's not software but a hardware hack: it's an expensive motorhome fridge that runs on gas, 12 V DC and 220 V. It had an internal fire on the electronic controller, so it fried the cables and internals, but the fridge is still more or less OK. The idea is, rather than buying a new control board (250 USD), which would need extensive work to refit as all the plugs and cables are shot, to replace it with a new system that I basically cobble together out of parts from an old gas boiler. The gas boiler has all the parts on the motherboard to make the spark generator for the gas burner, so all I need is the logic and safety, and I might be able to have it run on gas only with some different logic and control. It saves me a new fridge, and it's a fun project to show my 9 year old boy about electronic engineering. I know it's not a job for everyone as there is gas involved etc., but normally I get a lot of resistance on my similar hacks, and when they're finished the blowback normally dies down. It's a fun job; if anyone is interested in hearing how it will go, let me know and I'll consider making a full post about it.
I started "hacking" my propane grill (OK just trying to kludge some repairs) and decided after a few hours that I am not confident enough in my own work to muck with anything around flammable fuel.
The washing machine REALLY liked talking to... itself? I don't think whoever engineered their networking stack knew what a loopback interface was, because it was sending a lot of traffic from itself to its own IP address. I didn't think this was relevant, so I ignored it. It really liked sending traffic to 255.255.255.255 every second, for some reason. Again, ignored.
Are those gratuitous ARPs? This is a common behaviour.
Possibly, I completely forget ARP exists most of the time. I didn't pay much mind to it anyway, I was too bemused at the constant requests from/to its own IP rather than using loopback.
Very simple - works perfectly.
Often a button labelled ‘Ending in’.
Australian market.
It works with all brands regardless of API.
1. https://www.alamy.com/stock-photo-row-of-private-car-garages...
Smart plugs are cheap enough where it doesn't take a lot of convenience to justify it.
This saved a lot of forgotten loads.
Edit: It seems some integration work has been done for HA: https://github.com/home-assistant-HomeWhiz/home-assistant-Ho...