New introduced payload and result encryption #7

Open
TA2k opened this issue Nov 1, 2022 · 6 comments

TA2k commented Nov 1, 2022

Just for information: the new Tuya app introduced encryption for the payload and the result.
Every request is encrypted with a different key (e.g. OTM0ZTA4ZDBmZGM3ODg0NQ==) and the algorithm AES/GCM/NoPadding.
The same key is used by the server to encrypt the result.

At startup, the app receives daily app secrets. These are encrypted with a static AES key.

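The scheme described in the comment above, as an added example that is not part of the original issue or the project's code: AES-128-GCM with one key used for both the request and the response. Only the algorithm and the sample key come from the issue; the IV/tag framing, the function names and the JSON bodies are assumptions constructed for illustration.

```javascript
const crypto = require('node:crypto');

// Key value quoted in the issue: base64 of 16 ASCII characters, i.e. an AES-128 key.
const REQUEST_KEY_B64 = 'OTM0ZTA4ZDBmZGM3ODg0NQ==';

// Assumed framing (not stated in the issue): 12-byte IV || ciphertext || 16-byte tag.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12); // fresh IV per message; GCM must not repeat an IV under one key
  const cipher = crypto.createCipheriv('aes-128-gcm', key, iv);
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([iv, body, cipher.getAuthTag()]);
}

function open(key, message) {
  if (message.length < 28) throw new Error('message shorter than IV + tag');
  const iv = message.subarray(0, 12);
  const tag = message.subarray(message.length - 16);
  const body = message.subarray(12, message.length - 16);
  const decipher = crypto.createDecipheriv('aes-128-gcm', key, iv);
  decipher.setAuthTag(tag);
  // final() throws when the tag does not verify (wrong key or modified bytes).
  return Buffer.concat([decipher.update(body), decipher.final()]).toString('utf8');
}

function opensCleanly(key, message) {
  try { open(key, message); return true; } catch { return false; }
}

function demo() {
  const key = Buffer.from(REQUEST_KEY_B64, 'base64');
  // The sample key is printable hex text rather than raw random bytes.
  const isHexText = /^[0-9a-f]{16}$/.test(key.toString('latin1'));
  const request = seal(key, JSON.stringify({ action: 'constructed.sample' }));
  const response = seal(key, JSON.stringify({ success: true })); // server reuses the request key
  const tampered = Buffer.from(response);
  tampered[12] ^= 0x01; // flip one bit in the first ciphertext byte
  return {
    bytes: key.length,
    isHexText,
    request: open(key, request),
    response: open(key, response),
    tamperedAccepted: opensCleanly(key, tampered),
    wrongKeyAccepted: opensCleanly(crypto.randomBytes(16), response),
  };
}

console.log(demo());
```

Because the same key protects both directions, IV uniqueness has to hold across client and server messages together, not per side.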
@pergolafabio

So what does it mean, we can't use the login method anymore with secret2 and certSign?

TA2k commented Dec 21, 2022

At the moment you can, but maybe it will be deactivated in the future.

@pergolafabio

Do you have a sample script somewhere? I always get SING VALIDATE FAILED or username/password mismatch.

@pergolafabio

Ah, I know why: it seems I had an @ in my password, which it doesn't like.

When I now launch a test script, I get "APP NEED UPGRADE".

@pergolafabio

I tested this one below

const apiKeys = require('./keys.json');
const Cloud = require('@tuyapi/cloud');
const is = require('is');

// Build the client from the values in keys.json.
const api = new Cloud({key: apiKeys.key, secret: apiKeys.secret, secret2: apiKeys.secret2, certSign: apiKeys.certSign, apiEtVersion: '0.0.1', region: 'EU'});

// login() is async and returns a Promise; a rejection that is not handled ends the process.
const apiResult = api.login({email: '[email protected]', password: 'xxx'});

with keys:

{
  "key": "3fjrekuxank9eaej3gcx",
  "secret": "aq7xvqcyqcnegvew793pqjmhv77rneqc",
  "secret2": "vay9g59g9g99qf3rtqptmc3emhkanwkx",
  "certSign": "93:21:9F:C2:73:E2:20:0F:4A:DE:E5:F7:19:1D:C6:56:BA:2A:2D:7B:2F:F5:D2:4C:D5:5C:4B:61:55:00:1E:40" 
}

@pergolafabio

I receive:


/home/debian/node_modules/@tuyapi/cloud/index.js:247
      throw new TuyaCloudRequestError({code: data.errorCode, message: data.errorMsg});
            ^

TuyaCloudRequestError: Please update the app.
    at TuyaCloud.request (/home/debian/node_modules/@tuyapi/cloud/index.js:247:13)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async TuyaCloud.login (/home/debian/node_modules/@tuyapi/cloud/index.js:305:23) {
  code: 'APP_NEED_UPGRADE'
}

Node.js v19.2.0
