Decrypting Razer to Tuya broadcast commands #464
Comments
While I'm not familiar with this system, I'd love to take a look at it if you could post some packet captures. |
Thanks for your interest! These are some of the
These are Red: |
I'll see if I can find another light that supports this protocol so I can compare having a single or multiple devices |
Unfortunately the protocol is similar but not the same as the normal 6699 one.
Using the first one as an example, it breaks down as: I assume the client logs into each device the normal way and registers a shared key with it before using said key for broadcasts, but I'm not positive. Back when I was adding support for protocol 3.5 I remember seeing some stuff for UDP commands when I was poking around the gateway firmware in ghidra but didn't really dig into it at the time. I'll see if I can find it again. |
I wanted to give an update on this. I've recently been able to get the full source code for their app, since they didn't delete the source maps when they published it. So the packet is no longer a mystery to me hahah! I've been able to add my own logging to their official app, so I can now easily see what they encrypt and how, using which keys etc. It seems that the broadcast packet contains the data for all the lights and they encrypt the data for each light with a device specific key and the same nonce for all devices in the packet. The result of that is just concatenated in the broadcast packet and how many devices there are and the length of their individual packet is stored in part of the broadcast packet as well. Some lights only support one color and will only receive one color, some support more colors and receive more colors in the data (because it's connected to razer they get only 4, but who knows if they support more). The keys used per device are saved in the local storage of the application. I'm still figuring out if this is a key that is negotiated with the device or if it's the actual private key of the device. The color data being sent is this Where the first device supports multiple colors and the second device only one. I'm pretty sure I'll keep you posted :) |
Ooooh, interesting! Any tips on how to extract the source maps? The color is usually sent as HSV with the S and V multiplied by 10; That full |
I'm still interested in hearing how you did it, but I think I also got it figured out. It looks like command 0x05 packets are encrypted with the fixed key '6f36045d84b042e01e29b7c819e37cf7' and consist of 4 bytes of 0x00 followed by a 16-byte token and finally a 16-byte random number. It then expects a command 0x06 response containing an HMAC and the session key. It then uses this negotiated session key to encrypt command 0x10 data. |
If you install the app I linked, you'll have to look for the You'll need to extract the contents. I used NodeJS and the command |
Ah, that's really close to what I did, except I used |
And you actually don't need to install the app, 7z extracts it without needing to install. Which is good as I run Linux and wasn't looking forward to seeing how well it works under Wine 🤣 |
This seems to be the case indeed! I think the trailing bytes are a checksum. Other devices I've decrypted usually use something like an XOR checksum. But I could be wrong. |
I was wrong.. It's data that tells the device about how many zones there are and their length. You can find it in the |
I've been working this out and I've figured out almost everything (I will make a new repo soon with my test project), but unfortunately we still need the local key for each device. |
Hi, I'm a person who stumbled upon this conversation. I own a Razer Chroma Battletron light bar and would like it to work with the SignalRGB app or another RGB app. I'd love it if you could operate the LED bars with SignalRGB or any other app like OpenRGB. |
I'm working on it! The problem I'm having right now is that you NEED the local key of each device to communicate with them. So I'm currently working on implementing the official Tuya API to get this up and running. If you already have the keys to your devices (or know how to get them) you will be able to test the plugin for SignalRGB soon. |
I have no experience with this, I hope you can find a way to get the local keys of the devices as I have no idea how to get them. I'm still going to try to find a way to find the local keys of the devices. |
I managed to get the local key of the Battletron light bar, so I could test your SignalRGB plugin. Are the local keys changed at each connection, or is the local key unique for each device? |
Local keys are unique for each device. Devices use these local keys to negotiate session keys for each connection. |
If you are not going to be using TinyTuya's cloud functions and only need the local keys then you can use something like https://github.com/blakadder/tuya-uncover to get them without needing to sign up for a developer account. |
I have a problem with the Battletron LED bar: when I control the LED bar with Razer Chroma, the LED bar has a very low frame rate to change color. I don't know if the problem is with my Wi-Fi network or the LSC_battletron app. But I think it's coming from the app because normally, if I understand correctly, the data goes through the Tuya cloud and then to the Battletron LED bar, I think it affects the frame rate to change color. |
I have a quick question for the SignalRGB plugin: will we be able to control the LEDs individually, or only 4 LEDs like in Razer Synapse? |
Will this Battletron light bar be compatible with TinyTuya in the future? |
It sounds like @fu-raz is making a SignalRGB plug-in, no idea if they're also adding it to TinyTuya or not. I can add it to TinyTuya if they don't. Unfortunately the postal service is taking their sweet time delivering the light bar I ordered for testing. |
Maybe @fu-raz does the SignalRGB plugin. A SignalRGB developer told me that Tuya devices are on the list of Wi-Fi devices that will be added in the very distant future. However, I don't know if the Battletron light bars will be compatible. Hopefully @fu-raz will give you some news about the SignalRGB plugin for Battletron light bars. |
I saw that furaz created a signalRGB plugin! I'm going to try it soon! |
Sorry I haven't been very active here. I finally managed to make this work in a Node.js project. The problem I run into is that I not only need the local key, but I also need the product ID. There's a whitelist with products that can be used and right now there's no other way of determining if the device supports the Razer protocol. I will post the test project on my GitHub if you're interested. |
This is a very very early test project, nowhere near working. I'm working with the devs on Discord to get certain features to make this work. But I'm having trouble decrypting the messages using plain JavaScript. I don't have access to actual Crypto functions, so I have to rely on projects like https://github.com/Hinaser/jscrypto/ to get GCM working. So far it's not haha! |
Hello, I was a little interested in your Node.js project. I would like to know how to install it, I think it is easy. |
Well, my light bar finally came in, but I'm super busy and it's going to be a while before I can get to it. Are you planning on adding support to TinyTuya, @fu-raz? |
Hello! @uzlonewolf |
I've never programmed anything in Python, so I don't think that's a good idea. But might be a nice challenge for when I get everything up and running. I'd be willing to test though. I have the light bar and also the ball |
LSC has recently released a string of products that can connect to Razer Synapse through an app. I've been trying to recreate the packets to be able to control these devices through software like SignalRGB. The problem is, I can't seem to decrypt the packets with the color data.
What I've learned so far is:
The packets that are broadcast use the same structure as the 3.5 protocol. So starting with `00006699` and ending with `00009966`.
If I follow the structure it seems to send the commands `00000005` and `00000010`, not sure what they do.
I've tried numerous ways to decrypt the package. I'm pretty sure it's just a JSON containing RGB values and maybe brightness. The LSC Battletron app (https://qr.lscsmartconnect.nl/software/BattletronDesktopDownload) does have a fairly extensive log file, which does show 'things', but I'm not sure if what I need is in there.
I have some captured packages that set my lamp to red, so I do know that the same package can work multiple times. I can post some example packets if anyone cares :)
Since these are broadcast packages (multiple devices should respond to the same command), I'm pretty sure (but not 100%) that they aren't encrypted using the local device key(s), but maybe I'm wrong and that's the solution to all of this.
Does anyone have any experience with this?
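Added example (not code from this thread or from TinyTuya): a small Python parser that splits a captured UDP payload into `00006699` … `00009966` frames and labels the command, using the meanings given in the comments for 0x05 and 0x10. The 18-byte header layout is an assumption taken from standard Tuya 3.5 framing; a comment above notes the Razer broadcast format is similar but not identical, so the body is returned undecoded, and `build_frame` and `SAMPLE` are constructed test input.

```python
import struct

PREFIX, SUFFIX = 0x00006699, 0x00009966
# Assumption: standard Tuya 3.5 header, big-endian:
# prefix(4) | unknown(2) | sequence(4) | command(4) | length(4)
HEADER = struct.Struct(">IHIII")
# Command meanings as reported in this thread.
COMMANDS = {0x05: "session key negotiation", 0x10: "encrypted data"}


def parse_frames(datagram: bytes):
    """Return (frames, errors) for every 6699 frame in one UDP payload."""
    frames, errors, pos = [], [], 0
    marker = struct.pack(">I", PREFIX)
    while (pos := datagram.find(marker, pos)) >= 0:
        if len(datagram) - pos < HEADER.size:
            errors.append((pos, "truncated header"))
            break
        _, _unknown, seq, cmd, length = HEADER.unpack_from(datagram, pos)
        body_start = pos + HEADER.size
        body_end = body_start + length
        if body_end + 4 > len(datagram):
            errors.append((pos, "length field runs past end of datagram"))
            pos += 4  # resynchronise on the next prefix, if any
            continue
        (suffix,) = struct.unpack_from(">I", datagram, body_end)
        if suffix != SUFFIX:
            errors.append((pos, "suffix 00009966 not where length says"))
            pos += 4
            continue
        frames.append({
            "offset": pos, "seq": seq, "cmd": cmd,
            "cmd_name": COMMANDS.get(cmd, "unknown"),
            "body": datagram[body_start:body_end],  # opaque, not decrypted
        })
        pos = body_end + 4
    return frames, errors


def build_frame(seq: int, cmd: int, body: bytes) -> bytes:
    """Constructed test input only: wrap placeholder bytes in the framing."""
    return (HEADER.pack(PREFIX, 0, seq, cmd, len(body)) + body
            + struct.pack(">I", SUFFIX))


# Constructed sample: two frames with placeholder bodies (not real captures).
SAMPLE = build_frame(1, 0x05, bytes(48)) + build_frame(2, 0x10, b"\xaa" * 40)
```
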