OTP for my Account #199

Open
zwizwi opened this issue Jun 7, 2024 · 106 comments

Comments

@zwizwi

zwizwi commented Jun 7, 2024

Got the email. Since then, I don't have a password anymore. How can I log in?

We’re rolling out a One-Time Password (OTP) for the MyDolphin™ Plus app: a unique personalized code sent to you over email to log into the app.

Starting this week, you’ll need to use an OTP to access the app.

Here's how to switch to the new login:

Open the MyDolphin™ Plus app.
Enter your email on the login screen.
Check your inbox for an email from us with your personalized OTP.
Enter the OTP into the app.
A note about pairing your robot: 
If you logged in with the same email as before, you’ll be able to use the app immediately - no pairing needed

If you logged in before with 

  1. Bluetooth® connection
    OR
    Facebook, Google, or Apple, without providing Maytronics your current email

you’ll have to do the pairing again 

Note: For the next year, you won’t have to log in with OTP again. Just open the MyDolphin+ App and enjoy your Dolphin.

To keep your account secure, you’ll be asked to refresh your login once every 12 months.

@elad-bar
Collaborator

elad-bar commented Jun 7, 2024

For now, since I don't have that issue, I cannot assist, will leave it open,
Already contacted product dept. of Maytronics to ask for more cooperation with us,
They will get back to me after learning the details

@Kapncanada

I'm new to my dolphin plus.
After setting up the app there is no password and I'm unable to setup this. Any tips?

@alexandrezia

I'm new to dolphin plus too, never had a password.
The passwordless flow must be implemented so people can continue/start to use this integration.

@elad-bar
Collaborator

elad-bar commented Jun 8, 2024

If that flow must be implemented, you can either develop and contribute or wait for it

@sh00t2kill
Owner

I used mitmproxy to reverse engineer the authentication request originally.

I get the feeling that maytronics have implemented this specifically to stop us, but let's hope not.

If any of the requesters have the know-how it would be super helpful if you could do the same and reverse engineer the flow.

The app must be saving some sort of authentication token somewhere and using that in place of credentials.

@Kapncanada

So is this a dead end until someone develops this?

@sh00t2kill
Owner

sh00t2kill commented Jun 9, 2024

Could be a dead end for the integration entirely.

Even if we manage to get it working, obtaining said token may require steps well beyond a normal user type thing.

I hope not, but I'm not feeling overly positive about the whole thing.

For those who have new accounts and no longer have a password; have you tried loading an older version of the app, and then resetting your password?

@elad-bar
Collaborator

elad-bar commented Jun 9, 2024

If the logic is to do once a year otp and then you get the token for a year, don't see a problem,
We just need to find that endpoint and trigger it,
But for now, since I don't have that auth mechanism, I cannot investigate it; if you have the ability, pls share how to trigger it and what the next step endpoint is.

I don't think it has something to do with us; companies around the world are under constant cyber attacks, and if a database of a public company gets exposed as a result of that, they are in deep s**t. To avoid it, having an OTP is much safer and much simpler to implement and maintain,
Btw, I'm using roborock and their login is also OTP, so I'm not concerned

@andreacoppini

Hey, just adding my support here. I just bought a Dolphin Active and I went straight to OTP authentication, no password. Unfortunately I can't code so I don't know how I can help restore this integration

@elad-bar
Collaborator

@sh00t2kill can you post here how to install and configure mitmproxy so ppl with enough tech understanding, time and otp auth for mydolphin will have the ability to explain what are the endpoints involved in that process (trigger otp and authenticate using otp, extract token)?

@sh00t2kill
Owner

There are a myriad of guides and howtos online.

This one looks pretty good. https://dev.to/sudo_overflow/reverse-engineering-a-private-api-with-mitm-proxy-20ia

Note that you can't do it on an Android phone, you need iOS due to how certificates work on Android.

@sh00t2kill
Owner

Having said that, I'd be very surprised if it's not still using aws cognito under the hood, so we can potentially just look up the python sdk docs.

@elad-bar
Collaborator

Depends on what they are doing with the token that resulted from verifying the otp,
I don't have any iOS device so we will need someone that will assist us with that

@andreacoppini

andreacoppini commented Jun 15, 2024 via email

@elad-bar
Collaborator

Maybe that conversation should be done in discord for faster response

@Kapncanada

Anyone have a discord group invite / link?

@elad-bar
Collaborator

@sh00t2kill
Owner

@Kapncanada @andreacoppini @alexandrezia and anyone else who reported not being able to connect HA to mydolphin due to not having a password -- please join the discord.

I have a potential work around to generate a password, but I would like a few people to try it before making it public.

@hiwo64

hiwo64 commented Jul 3, 2024

I also have the problem connecting with HA

@zwizwi
Author

zwizwi commented Jul 3, 2024

> I also have the problem connecting with HA

Join the discord, maybe we have a solution!
https://discord.com/invite/A4WwEUrT

@hiwo64

hiwo64 commented Jul 4, 2024

THX, but the link doesn't work, I always get an "invitation invalid"

@Isehwurscht

Same here. New Invite or update this post. thx

@elad-bar
Collaborator

elad-bar commented Jul 5, 2024

released beta version v1.0.16b0 with workaround.

as part of:

  1. setting up new integration for user with OTP
  2. For existing integration that stopped working due to OTP using the re-configure in integration space under devices & services -> integration

Expected result

  • Tick within the setup popup the "Reset account password (Workaround for OTP)"
  • API call will be sent for the forgot password endpoint (which will restore the credentials mode instead of OTP)
  • Process will reset your credentials in the form and will ask you to re-enter them,
  • Complete forgot password flow according to the MyDolphin flow
  • Reentered in the form
  • DON'T tick the reset account password checkbox
  • Integration will perform full login and setup flow.

pls update how it works for you

thanks

@Isehwurscht

> Expected result
>
>   • Tick within the setup popup the "Reset account password (Workaround for OTP)"
>   • API call will be sent for the forgot password endpoint (which will restore the credentials mode instead of OTP)
>   • Process will reset your credentials in the form and will ask you to re-enter them,
>   • Complete forgot password flow according to the MyDolphin flow
>   • Reentered in the form
>   • DON'T tick the reset account password checkbox
>   • Integration will perform full login and setup flow.

Sorry, does not work for me.

I uninstall the 1.0.15 and reinstall the 1.0.16b
Then I have to reconfigure the new version.
If I set the user and password and the checkbox, I get the new window so I can re-enter the user and password.
But then nothing happens. -> Invalid server details
Any idea?

@elad-bar
Collaborator

elad-bar commented Jul 6, 2024

can you pls run it with debug logs and share the logs (if your email / password are in logs, remove them)

thanks

@Isehwurscht

Isehwurscht commented Jul 6, 2024

Status update None --> Failed to access API, Failed to send HTTP request, Endpoint: https://mbapp18.maytronics.com/api/users/ForgotPassword/, Method: POST, Error: 'NoneType' object has no attribute 'post', Line: 171
Status update Establishing connection to API --> Failed to access API, Failed to login into MyDolphin Plus service, Error: 'str' object has no attribute 'get', Line: 344

Logger: custom_components.mydolphin_plus.managers.rest_api
Quelle: custom_components/mydolphin_plus/managers/rest_api.py:262
Integration: mydolphin_plus (Dokumentation, Probleme)
Erstmals aufgetreten: 08:06:49 (8 Vorkommnisse)
Zuletzt protokolliert: 08:21:27

Empty response of reset password

All I found

@elad-bar
Collaborator

elad-bar commented Jul 6, 2024

thanks for the log, found it - session (object for http calls) was not initialized,
v1.0.16b1

pls redownload and try again
thanks

@elad-bar
Collaborator

elad-bar commented Jul 6, 2024

released v1.0.16b2 with an "email exists" check before reset password

@Isehwurscht

Isehwurscht commented Jul 6, 2024

Works now!
Thanks

@elad-bar
Collaborator

elad-bar commented Jul 6, 2024

b1 or b2?
thanks

@MaxVonEvil

Hmm, worth a shot for sure - Any pointers as to where I can get my grubby little mittens on that older version?

@sh00t2kill
Owner

@MaxVonEvil

Thank you! I'll give it a try tomorrow!

@MaxVonEvil

MaxVonEvil commented Aug 29, 2024

Well, v2.5 was a bust, installing and running it just throws "Sorry, looks like something went wrong yadda yadda try again".

I guess they've changed the API so much those older versions of the app do not work anymore. I'll try and create a new account and see if I can add the robot to that.

@canz78

canz78 commented Aug 30, 2024

Hello, I am having issues signing in, I am a new MyDolphin Plus user, I just got the new robot last week. Whenever I enter my email for the user name and click the check box for the OTP workaround, it says "expected str". I haven't gotten any reset emails either. Any ideas, did I miss a step? Thanks.

@MaxVonEvil

Whoa, that doesn't bode well. So much for setting up a new account in my case, @canz78 do tell if you make any headway with this. Right now I'm running my bot with no HA integration as I can't get past the Maytronics mandatory MFA prompt crap even with an existing old acct, and was considering to do a new one.

@sh00t2kill - any suggestions? In terms of development options, any way perhaps to get the MFA challenge back to Maytronics via the integration?

@canz78

canz78 commented Sep 8, 2024

> Whoa, that doesn't bode well. So much for setting up a new account in my case, @canz78 do tell if you make any headway with this. Right now I'm running my bot with no HA integration as I can't get past the Maytronics mandatory MFA prompt crap even with an existing old acct, and was considering to do a new one.
>
> @sh00t2kill - any suggestions? In terms of development options, any way perhaps to get the MFA challenge back to Maytronics via the integration?

Hello, I have not figured any way around this as of yet, hopefully someone will have some suggestions.

So I was finally able to catch up on this, and @sh00t2kill your process to create the account worked perfectly. I was able to get it set up in my HA. Thanks again for your work on this issue.

@MaxVonEvil

So folks, we're a month down the road and it seems Maytronics really effed things up for us with their stupid OTP requirement. Any new recommendations here or is this HA integration a lost cause?

@elad-bar
Collaborator

elad-bar commented Oct 9, 2024

It is holidays period here, will try contacting them after the holidays

@MaxVonEvil

Anything we here in the community can do to help resolve this issue?
@elad-bar Presuming the holidays are over on your end, did you get any useful response from Maytronics - I'll be happy to help test any way to circumvent the OTP crap.

@sh00t2kill
Owner

Maytronics have gone cold unfortunately.

It's a matter of time at the moment, and neither of us have it.

@elad-bar
Collaborator

It would be great if someone can work on the OTP implementation,
There are test files in the project to run it over CLI.

Adjustments from making it work with OTP to supporting it in HA UI should be pretty simple.

Regarding time as @sh00t2kill mentioned, up until December it will be a huge challenge for me to get coding something related to it.

If someone can help with the OTP, please text in Discord.

@sh00t2kill
Owner

Has anyone had any luck with MITMproxy and tracing the process used to save the otp and then auth after that?

I no longer have access to an apple mobile device, so I am unable to do it.

@sh00t2kill
Owner

sh00t2kill commented Oct 22, 2024

@MaxVonEvil @canz78 and anyone else ... I think I have a new workaround that I'm keen to try out. Long story short, I can create an account on the "old" platform, and I can auth as it.

I just don't know how that will handle an existing account without a password, but maybe we will get lucky.

Please let me know if it's something you are interested in.

@MaxVonEvil

MaxVonEvil commented Oct 22, 2024 via email

@joedj

joedj commented Nov 9, 2024

I was able to get this working today by following this process:

  1. Download the 2.5 APK and install it in Android Studio emulator
  2. Run the old Android app and sign up for new account with a password, using a new email address (I was unable to use the email address for my existing OTP-only account, the android app just said "Something went wrong")
  3. Sign out of my OTP-only account on iPhone and sign-in with the new account I created on Android. This sent an OTP email to the new account.
  4. Go through the usual device setup process on iPhone
  5. Add/configure the HomeAssistant integration using the email address and password of the new account

@sh00t2kill I'm happy to help out too and have some experience working on this kinda stuff, also would love a working Discord link (the invite links mentioned earlier in this issue are now invalid)

@sh00t2kill
Owner

Your workaround is, in a nutshell, what I was going to get a user to do, just via curl and not needing the app. I worked out the API endpoints.

I'll create a new discord invite.

@sh00t2kill
Owner

@kenclarktaylor

Hello, I was hoping to generate an account password to use this integration. Would you be able to share the curl endpoints with me? Thanks in advance.

@sh00t2kill
Owner

sh00t2kill commented Nov 17, 2024

I confirmed this works with another user over the weekend.

EDIT: It seems that a password "too complex" can cause a login issue. $ has been reported to cause problems, and there are unconfirmed reports of issues with %.

Step 1: Create a new account, using this curl command to hit the Maytronics API endpoint. Note that it doesn't work with an existing email address, it has to be unique.

If you have issues with the below command, remove the \ characters and paste each element on a single line. Windows command line uses a different new line character. It should work on any unix shell, WSL, and the HA terminal addon.

curl -X POST "https://mbapp18.maytronics.com/api/users/register/" \
     -H "appkey: 346BDE92-53D1-4829-8A2E-B496014B586C" \
     -H "Content-Type: application/x-www-form-urlencoded; charset=utf-8" \
     --data-urlencode "email=<EMAIL>" \
     --data-urlencode "password=<PASSWORD>" \
     --data-urlencode "firstName=<FIRST NAME>" \
     --data-urlencode "lastName=<LAST NAME>"

Ensure you get a JSON response that looks like: {"Status":"1","Data":{"Email":xxxx ... If you got something else, something likely went wrong, so give it another go. It does enforce some password complexity, so likely you had a password that's too simple.
Step 2: Sign out of the mobile app
Step 3: Sign into the mobile app, using the new account you created
Step 4: Let the mobile app uplift the account to OTP.
Step 5: Add the robot to the mobile app
Step 6: Add the integration to home assistant, using the email address and password you created at step 1
Step 7: Profit!
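
Added example (not part of the post above or of the integration's code): the Step 1 registration request built in Python instead of on a command line, so the password never passes through shell or cmd.exe variable expansion (`$`, `%`) or line-continuation handling (`\` versus `^`), and the reply is checked for the `"Status":"1"` shape described above. The endpoint and appkey are copied from the curl command; the function names and the sample responses used to check them are constructed for illustration.

```python
import getpass
import json
import urllib.error
import urllib.parse
import urllib.request

# Endpoint and appkey copied from the curl command in the thread.
REGISTER_URL = "https://mbapp18.maytronics.com/api/users/register/"
APP_KEY = "346BDE92-53D1-4829-8A2E-B496014B586C"
# Characters the thread reports as breaking login in the mobile app.
REPORTED_PROBLEM_CHARS = set("$%")


def problem_chars(password):
    """Return the reported-problematic characters present in the password."""
    return sorted(set(password) & REPORTED_PROBLEM_CHARS)


def build_request(email, password, first_name, last_name):
    """Build the form-encoded POST; urllib adds Content-Length itself."""
    body = urllib.parse.urlencode({
        "email": email,
        "password": password,
        "firstName": first_name,
        "lastName": last_name,
    }).encode("utf-8")
    headers = {
        "appkey": APP_KEY,
        "Content-Type": "application/x-www-form-urlencoded; charset=utf-8",
    }
    return urllib.request.Request(REGISTER_URL, data=body, headers=headers, method="POST")


def registration_succeeded(raw):
    """True only for the shape the thread describes: Status "1" plus Data.Email."""
    try:
        doc = json.loads(raw)
    except (TypeError, ValueError):
        return False  # e.g. an HTML error page such as "Length Required"
    if not isinstance(doc, dict):
        return False
    data = doc.get("Data")
    return doc.get("Status") == "1" and isinstance(data, dict) and bool(data.get("Email"))


def main():
    email = input("New, unused email address: ").strip()
    first_name = input("First name: ").strip()
    last_name = input("Last name: ").strip()
    password = getpass.getpass("Password (not echoed): ")
    bad = problem_chars(password)
    if bad:
        raise SystemExit("Password contains %s; pick one without them." % " ".join(bad))
    request = build_request(email, password, first_name, last_name)
    try:
        with urllib.request.urlopen(request, timeout=30) as response:
            raw = response.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # 4xx/5xx replies still carry a body
        raw = err.read().decode("utf-8", "replace")
    if registration_succeeded(raw):
        print("Account created; continue with Step 2.")
    else:
        print("Unexpected response, account probably not created:")
        print(raw[:300])


if __name__ == "__main__":
    main()
```

Reading the password with `getpass` also keeps it out of shell history and the process list, where a `--data-urlencode "password=..."` argument would be visible.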

@kenclarktaylor

Confirmed working for me as well! Big thanks @sh00t2kill, much appreciated.

@paddysking

paddysking commented Nov 18, 2024

So here's a strange turn of events...

I can sign in to the mobile app with this newly created login... but not into the website or the Home Assistant integration. It comes up saying 'invalid account' on Home Assistant, and "We can't log you in. Make sure your username and password are correct." on the Maytronics website.

From what I see the only thing I am doing possibly differently is following the email link to verify the account once it's been created?

@sh00t2kill
Owner

The Maytronics website is a different thing, so that won't help you.

You could try making a request to the login API endpoint.
Jump on discord and we can try and troubleshoot it.

@paddysking

Cheers, please can I have a new invite link?

@sh00t2kill
Owner

https://discord.gg/sS4gDj2QWP

This one should never expire.

@swissmike64

> I confirmed this works with another user over the weekend.
>
> Step 1: Create a new account, using this curl command to hit the Maytronics API endpoint. Note that it doesn't work with an existing email address, it has to be unique.
>
> curl -X POST "https://mbapp18.maytronics.com/api/users/register/" \
>      -H "appkey: 346BDE92-53D1-4829-8A2E-B496014B586C" \
>      -H "Content-Type: application/x-www-form-urlencoded; charset=utf-8" \
>      --data-urlencode "email=<EMAIL>" \
>      --data-urlencode "password=<PASSWORD>" \
>      --data-urlencode "firstName=<FIRST NAME>" \
>      --data-urlencode "lastName=<LAST NAME>"
>
> Ensure you get a JSON response that looks like: {"Status":"1","Data":{"Email":xxxx ... If you got something else, something likely went wrong, so give it another go. It does enforce some password complexity, so likely you had a password that's too simple.
> Step 2: Sign out of the mobile app
> Step 3: Sign into the mobile app, using the new account you created
> Step 4: Let the mobile app uplift the account to OTP.
> Step 5: Add the robot to the mobile app
> Step 6: Add the integration to home assistant, using the email address and password you created at step 1
> Step 7: Profit!

Bad Hostname:

C:\Windows\System32>curl -X POST "https://mbapp18.maytronics.com/api/users/register/" \

<TITLE>Length Required</TITLE>

Length Required


HTTP Error 411. The request must be chunked or have a content length.

curl: (3) URL rejected: Bad hostname

@sh00t2kill
Owner

sh00t2kill commented Nov 30, 2024

> > I confirmed this works with another user over the weekend.
> > Step 1: Create a new account, using this curl command to hit the Maytronics API endpoint. Note that it doesn't work with an existing email address, it has to be unique.
> >
> > curl -X POST "https://mbapp18.maytronics.com/api/users/register/" \
> >      -H "appkey: 346BDE92-53D1-4829-8A2E-B496014B586C" \
> >      -H "Content-Type: application/x-www-form-urlencoded; charset=utf-8" \
> >      --data-urlencode "email=<EMAIL>" \
> >      --data-urlencode "password=<PASSWORD>" \
> >      --data-urlencode "firstName=<FIRST NAME>" \
> >      --data-urlencode "lastName=<LAST NAME>"
> >
> > Ensure you get a JSON response that looks like: {"Status":"1","Data":{"Email":xxxx ... If you got something else, something likely went wrong, so give it another go. It does enforce some password complexity, so likely you had a password that's too simple.
> > Step 2: Sign out of the mobile app
> > Step 3: Sign into the mobile app, using the new account you created
> > Step 4: Let the mobile app uplift the account to OTP.
> > Step 5: Add the robot to the mobile app
> > Step 6: Add the integration to home assistant, using the email address and password you created at step 1
> > Step 7: Profit!
>
> Bad Hostname:
>
> C:\Windows\System32>curl -X POST "https://mbapp18.maytronics.com/api/users/register/" \
>
> <TITLE>Length Required</TITLE>
>
> Length Required
>
> HTTP Error 411. The request must be chunked or have a content length.
>
> curl: (3) URL rejected: Bad hostname

The provided command is for Linux. You need to use the Windows new line character, which IIRC is ^

If all else fails put the full curl command all on a single line

Repository owner deleted a comment from swissmike64 Nov 30, 2024
@swissmike64

> > > I confirmed this works with another user over the weekend.
> > > Step 1: Create a new account, using this curl command to hit the Maytronics API endpoint. Note that it doesn't work with an existing email address, it has to be unique.
> > >
> > > curl -X POST "https://mbapp18.maytronics.com/api/users/register/" \
> > >      -H "appkey: 346BDE92-53D1-4829-8A2E-B496014B586C" \
> > >      -H "Content-Type: application/x-www-form-urlencoded; charset=utf-8" \
> > >      --data-urlencode "email=<EMAIL>" \
> > >      --data-urlencode "password=<PASSWORD>" \
> > >      --data-urlencode "firstName=<FIRST NAME>" \
> > >      --data-urlencode "lastName=<LAST NAME>"
> > >
> > > Ensure you get a JSON response that looks like: {"Status":"1","Data":{"Email":xxxx ... If you got something else, something likely went wrong, so give it another go. It does enforce some password complexity, so likely you had a password that's too simple.
> > > Step 2: Sign out of the mobile app
> > > Step 3: Sign into the mobile app, using the new account you created
> > > Step 4: Let the mobile app uplift the account to OTP.
> > > Step 5: Add the robot to the mobile app
> > > Step 6: Add the integration to home assistant, using the email address and password you created at step 1
> > > Step 7: Profit!
> >
> > Bad Hostname:
> > C:\Windows\System32>curl -X POST "https://mbapp18.maytronics.com/api/users/register/" \
> >
> > <TITLE>Length Required</TITLE>
> >
> > Length Required
> >
> > HTTP Error 411. The request must be chunked or have a content length.
> >
> > curl: (3) URL rejected: Bad hostname
>
> The provided command is for Linux. You need to use the Windows new line character, which IIRC is ^
>
> If all else fails put the full curl command all on a single line

Account was successfully created and I also confirmed the mail from Maytronics to complete the account creation process:

{"Status":"1","Data":{"Email":"michael.testuser@ji5.de","UserID":0,"AppKey":"346BDE92-53D1-4829-8A2E-B496014B586C","FirstName":
xxxxx
xxxxx
xxxxxx
":null,"OTP":null},"Alert":"Succeed"}

-->> But I was not able to log in with the newly created account in the app; it tells me that the mail address does not exist even though it is typed 100% correctly. Password should be complex enough, like Abcedfghe1984$%. Also a second try with another new mail account was not successful.

Any ideas? Thanks a lot :-)

@sh00t2kill
Owner

I was helping another user with this.
The API seems to work with those complicated passwords, but the application doesn't. It doesn't seem to like all characters. $ and % in particular seem to cause issues.

Unfortunately you will have to try again, with a different email address - try a password without those characters in it.
