Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Certificate Pinning? #1

Open
fearoffish opened this issue Feb 22, 2018 · 14 comments
Open

Certificate Pinning? #1

fearoffish opened this issue Feb 22, 2018 · 14 comments

Comments

@fearoffish
Copy link

Hi, I've configured Burp as my proxy and configured my phone to use it (certificates installed, all HTTP and HTTPS websites working through it just fine), however the app fails to negotiate the ssl handshake. Have they implemented certificate pinning, do you know?

@bmedicke
Copy link
Owner

bmedicke commented Feb 23, 2018

Likely. It's been a while since I captured my secret, which is still working. I sent Anova a mail before publishing this project and they asked me to sit on it for a while (which I did for a couple of months) so they could work on their public API.

Nothing ever came of that so I put it online, guess they used the time to pin the certificate.

If you have an Android or a jailbroken iPhone you could try to patch the app and get around it. It might even work in the Android emulator which would make it very easy for everyone to get their secret.

I'm a bit pressed for time at the moment so I'm not sure if I'll give that a go any time soon (personally I'm still waiting for the Joule to get to Europe).

If anyone decides to try that feel free to let me know.

@deftdawg
Copy link

@fearoffish If I may... There is another approach you can take to determine your device's info.

The device also listens on port 9988... Connecting to this port via TCP, it is possible to determine the device's name and secret.

Start by grabbing @TheUbuntuGuy's protocol decoder script, then use netcat... And with some luck you may be able to capture the info...

curl -O https://gist.githubusercontent.com/TheUbuntuGuy/225492a8dec816d49b70d9c21811e8b1/raw/47f591fbe370f47e58d7813bd61a3af72679729c/fuckuanova.py
export ANOVA_IP=..... # Whatever the IP of it is...
while ! ping -c 1 ${ANOVA_IP} -t 1 2>&1 >/dev/null; do echo -n .; done; echo; nc ${ANOVA_IP} 9988 | xxd -plain -l 100 | tr -d '\n' | sed -e $'s/1668/16\\\n68/g' | tee -a rawdump.txt
python3 fuckuanova.py | less

There is an element of luck to this, as you must catch the device as it is just coming on... a ping loop may be too slow, but netcat -z wasn't reliable from OSX... So you may have to figure out a faster way to poll that the port is has just come up.

Essentially, you're looking for a long (20+) packet that contains 'anova f56-xxxxxxxxx' and followed by another packet that looks like gibberish a packet or two after (usually there's a firmware version packet in between)

@bmedicke
Copy link
Owner

bmedicke commented Dec 13, 2018

Fantastic, thank you so much for bringing it to my attention @jumpkick!
This worked on the second try for me. And a big thank you to @TheUbuntuGuy.

I'll link to this issue in the readme.

For anyone that's giving this method a go you are looking for these two lines:

screenshot 2018-12-13 at 05 58 32

The first one is you cooker_id the second you secret.

Edit: I just found out about a video by @TheUbuntuGuy that goes into detail how he reverse-engineered the Anova software. If you're at all interested in the process it's definitely worth a watch:
https://www.youtube.com/watch?v=xDDPFHhY7ec

@danodemano
Copy link
Contributor

FYI if you have a rooted Android device there is a WAY easier to to get this. Both the ID and Secret are stored in this file: /data/data/com.anovaculinary.android/shared_prefs/com.anovaculinary.android_preferences.xml

You have to have the device connected to your wifi and logged into your account. Then just open that file and you will see the ID and Secret. I gave up trying to get it with the NetCat method (after 2 days of failing) and used a rooted Android tablet instead.

@FuzzyMistborn
Copy link

Neither option is working with the new Anova Precision that just came out :-(

@danodemano
Copy link
Contributor

@FuzzyMistborn - try a packet capture with this: https://play.google.com/store/apps/details?id=com.minhui.networkcapture&hl=en_US

Doesn't seem to work on Android 10 but I was able to get it working right on Android 6 and got the cooker ID and secret.

I don't have a new Anova to test with though unfortunately so I can't really help you there. :/ My "older" device works via this method with the current version of the app.

@niekbuurmah2o
Copy link

Neither option is working with the new Anova Precision that just came out :-(

That's what I'm finding as well. The Anova Precision Cooker 2.0 doesn't seem to engage with this script - having watched the @TheUbuntuGuy's video above, I now know the problem could be in any one of far too many steps :( Biggest risk is they've now properly secured the communication :( In my case, that's &^&@ because I don't even want to use this thing for cooking, I want it to control the temperature of equipment in a lab!

@TheUbuntuGuy
Copy link

Can anyone who has a 'new' unit take a packet capture from their router? That will easily allow us to see how the new communication works between the cooker and their API. If they saw the light and used something more integrated like an ESP32 in the new design, it's possible that they implemented a similar key pinning in the device as well.

@Geoff-S
Copy link

Geoff-S commented Dec 22, 2020

After much hair pulling, I was finally able to get my Precision Cooker to work via the app.
I have a trace of the cooker connecting to anova which I'll upload https://github.com/Geoff-S/Anova-Precision-Cooker for anyone interested.
Forgot to mention, it's a tcpdump i.e. Wireshark

@Br3nda
Copy link

Br3nda commented Jan 18, 2021

I had a look in /data/data/com.anovaculinary.android/shared_prefs/com.anovaculinary.android_preferences.xml but i only see facebook stuff (I don't have facebook or facebook installed)

The keys aren't there anymore

@Geoff-S
Copy link

Geoff-S commented Jan 18, 2021

I think the keys would be in the cooker firmware, not the app.
App connects to cooker to tell it what SSID to use to connect to anova. (I think)

@trisk
Copy link

trisk commented Jan 29, 2021

On my rooted phone, I did a grep -r f56 /data/data/com.anovaculinary.android out of desperation and found the ID and secret in the following:

/data/data/com.anovaculinary.android/cache/http-cache/2d0e2ee0700dc78993d93b5d41959dfc.0:https://api.anovaculinary.com/cookers/anova%20f56-XXXXXXXXXXX?secret=XXXXXXXXXX
/data/data/com.anovaculinary.android/cache/http-cache/2d0e2ee0700dc78993d93b5d41959dfc.1:{"status":{"cooker_id":"anova f56-XXXXXXXXXXX","firmware_version":"ver 2.7.7","is_running":false,"current_temp":129.9,"target_temp":124,"temp_unit":"f","speaker_mode":true,"is_timer_running":false,"timer_length":1920}}
/data/data/com.anovaculinary.android/cache/http-cache/40697e66b132c326507ca16c8cc26978.0:https://api.anovaculinary.com/cookers/anova%20f56-XXXXXXXXXXX?secret=XXXXXXXXXX

Interestingly, the two secrets were different although the device ID was the same (I only have one original WiFi cooker).

@jdchaiken
Copy link

I think the keys would be in the cooker firmware, not the app.
App connects to cooker to tell it what SSID to use to connect to anova. (I think)

I would think there should be certs on both. If I understand how it works correctly, the cooker opens a reverse proxy back to anovaculinary.com and receives directions and the app connects directly to anovaculinary.com and sends directions.

In theory you could forge packets from anovaculinary directly to the cooker or probably better to obtain a new JWT in your app to send messages to anovaculinary.com which then sends through the reverse proxy.

@k7franklin
Copy link

@fearoffish If I may... There is another approach you can take to determine your device's info.

The device also listens on port 9988... Connecting to this port via TCP, it is possible to determine the device's name and secret.

Start by grabbing @TheUbuntuGuy's protocol decoder script, then use netcat... And with some luck you may be able to capture the info...

curl -O https://gist.githubusercontent.com/TheUbuntuGuy/225492a8dec816d49b70d9c21811e8b1/raw/47f591fbe370f47e58d7813bd61a3af72679729c/fuckuanova.py
export ANOVA_IP=..... # Whatever the IP of it is...
while ! ping -c 1 ${ANOVA_IP} -t 1 2>&1 >/dev/null; do echo -n .; done; echo; nc ${ANOVA_IP} 9988 | xxd -plain -l 100 | tr -d '\n' | sed -e $'s/1668/16\\\n68/g' | tee -a rawdump.txt
python3 fuckuanova.py | less

There is an element of luck to this, as you must catch the device as it is just coming on... a ping loop may be too slow, but netcat -z wasn't reliable from OSX... So you may have to figure out a faster way to poll that the port is has just come up.

Essentially, you're looking for a long (20+) packet that contains 'anova f56-xxxxxxxxx' and followed by another packet that looks like gibberish a packet or two after (usually there's a firmware version packet in between)

What is the version of the firmware that allows this connection?

I've bought one anova precision cooker wifi + bt and my friend too. His cooker is on 2.7.7 an mine in 2.7.9. The mine refuses all the connections in netcast, the other allowed and answered the intent with all data, perfectly.

i've saw that my cooker uses an ESPRESSIF chip, i think is a ESP32. The cooker of my friend not, is other brand chip.

There is the only difference? can we try to downgrade the firmware? Exists other way to get the secret?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests