How to detect Tuya Device by using port 6668? #405
I am currently attempting to establish connections with Tuya devices from outside the network via port 6668 (TCP). My objective is to construct a packet that, when sent over port 6668, can elicit a valid response from a Tuya device. To identify Tuya devices, I am looking for packets that start with "\x00\x00U\xaa" and end with "\x00\x00\xaaU." However, I am encountering difficulties in constructing the correct payload for this purpose. For instance, I have attempted the following payload:
Unfortunately, the Tuya device does not seem to recognize this payload, and consequently, it does not provide any response message. Interestingly, I noticed that on Shodan (https://www.shodan.io/host/46.121.76.117), there is evidence of successful communication with a Tuya device, as indicated by the following response:
Note: I want to cause the device to send such a response without passing it any specific details like gwId, device ID, etc.
Getting a response is going to depend on the device version. v3.4/v3.5 devices will not respond at all unless you successfully complete a 3-way handshake with the correct key first, v3.1 is going to use a different payload format, and v3.3 should respond like the device above. That response is to a DP_QUERY with the wrong key. Something like this should get you there:

```python
import tinytuya
import socket

# 32 bytes of junk stand in for the AES-encrypted DP_QUERY body; the device
# cannot decrypt it, so a v3.3 device answers with an error frame instead of data.
dummy_payload = bytes(bytearray.fromhex('deadbeef112233445566778899aabbccddeeffb00bface112233feedbabe74f0'))

# TuyaMessage(seqno, cmd, retcode, payload, crc, crc_good, prefix, iv)
msg = tinytuya.TuyaMessage(0, tinytuya.DP_QUERY, 0, dummy_payload, 0, True, tinytuya.PREFIX_55AA_VALUE, False)
# hmac_key=None -> plain CRC32 trailer (55AA framing) rather than the v3.4+ HMAC trailer
msg = tinytuya.pack_message(msg, hmac_key=None)
print('sending:', msg)

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(4)
sock.connect(('46.121.76.117', 6668))
sock.sendall(msg)
print('recv:', sock.recv(1024))
```

Gives me:

```
DEBUG:TinyTuya [1.12.9]
DEBUG:Python 3.7.3 (default, Oct 31 2022, 14:04:00)
[GCC 8.3.0] on linux
DEBUG:Using PyCrypto (3, 9, '7')
sending: b'\x00\x00U\xaa\x00\x00\x00\x00\x00\x00\x00\n\x00\x00\x00(\xde\xad\xbe\xef\x11"3DUfw\x88\x99\xaa\xbb\xcc\xdd\xee\xff\xb0\x0b\xfa\xce\x11"3\xfe\xed\xba\xbet\xf0\xfc\x8d\xe0\xdd\x00\x00\xaaU'
recv: b'\x00\x00U\xaa\x00\x00\x00\x01\x00\x00\x00\n\x00\x00\x00,\x00\x00\x00\x01e\xfa\x91\xca5h\x01V\x8c\x9c:\xeb\xfc7\xad\xdc\rq\xdd\x98\xdf\xbd\xbc\x84]N\xd3\x95b\xf6G\x06K\x9f\xcb\xd6\x00\x00\xaaU'
```
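The 55AA framing that both frames above follow, as an added example that is neither tinytuya's code nor part of the reply: a builder and a parser with the CRC32 check, which also lets you recognise and validate Tuya frames in a packet capture or on a listener without sending anything. The field layout, the 0x0a command id and the captured reply bytes come from the exchange above; the trailer checksum is standard CRC32 (zlib.crc32) over header and body, and the probe body in the usage section is constructed.

```python
import struct
import zlib

# Tuya 55AA framing on TCP/6668 (v3.1-v3.3), all fields big-endian:
#   prefix 0x000055AA | seqno | cmd | length | [retcode] | payload | crc32 | suffix 0x0000AA55
# 'length' counts everything after the 16-byte header; the CRC32 covers header..payload.
PREFIX_55AA = 0x000055AA
SUFFIX_55AA = 0x0000AA55
DP_QUERY = 0x0A  # command id (0x0a) in both the probe and the reply above
HEADER_FMT = ">4I"
END_FMT = ">2I"

def build_frame(seqno, cmd, payload, retcode=None):
    """Encode one 55AA frame; device replies carry a 4-byte retcode before the payload."""
    body = (struct.pack(">I", retcode) if retcode is not None else b"") + payload
    header = struct.pack(HEADER_FMT, PREFIX_55AA, seqno, cmd, len(body) + 8)
    crc = zlib.crc32(header + body) & 0xFFFFFFFF
    return header + body + struct.pack(END_FMT, crc, SUFFIX_55AA)

def parse_frame(data, has_retcode):
    """Decode one 55AA frame. Returns None for anything that is not a complete,
    well-delimited Tuya frame; otherwise the fields plus whether the CRC matched."""
    if len(data) < 24:
        return None
    prefix, seqno, cmd, length = struct.unpack_from(HEADER_FMT, data, 0)
    end = 16 + length
    if prefix != PREFIX_55AA or length < 8 or len(data) < end:
        return None
    crc, suffix = struct.unpack_from(END_FMT, data, end - 8)
    if suffix != SUFFIX_55AA:
        return None
    body = data[16:end - 8]
    retcode = None
    if has_retcode:
        if len(body) < 4:
            return None
        retcode, body = struct.unpack(">I", body[:4])[0], body[4:]
    return {"seqno": seqno, "cmd": cmd, "length": length, "retcode": retcode,
            "payload": body, "crc_ok": crc == (zlib.crc32(data[:end - 8]) & 0xFFFFFFFF)}

# The reply the device sent to the probe above, copied from the 'recv:' line.
CAPTURED_REPLY = (b'\x00\x00U\xaa\x00\x00\x00\x01\x00\x00\x00\n\x00\x00\x00,\x00\x00\x00\x01'
                  b'e\xfa\x91\xca5h\x01V\x8c\x9c:\xeb\xfc7\xad\xdc\rq\xdd\x98\xdf\xbd\xbc\x84]N'
                  b'\xd3\x95b\xf6G\x06K\x9f\xcb\xd6\x00\x00\xaaU')

if __name__ == "__main__":
    probe = build_frame(0, DP_QUERY, bytes.fromhex("deadbeef" * 8))  # constructed 32-byte junk body
    print("probe:", parse_frame(probe, has_retcode=False))
    print("reply:", parse_frame(CAPTURED_REPLY, has_retcode=True))
    print("other:", parse_frame(b"HTTP/1.1 200 OK\r\n\r\n", has_retcode=True))  # None: not a Tuya frame
```

A reply with retcode 1 and a 32-byte payload, like the captured one, is the encrypted error a v3.3 device returns when it cannot decrypt the query body, so it is a protocol match rather than a successful data read.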