Support for Smart Light App

[doshisunny]

I have ceiling fan with light which also has remote.
https://www.amazon.com/gp/product/B09XBB5V1F

I does not work with any of the apps mentioned in docs but it works with Smart Light App
https://play.google.com/store/apps/details?id=ai.argrace.remotecontrol&hl=en_US

I was trying to capture commands by getting raw databut issue is output changes every time may be because of encoding not sure. Due to this I am not able to get it working.
Any idea how to tackle it?
Really appreciate your help.

[tdragon]

I have a similar lamp. The captured commands work, but there seems to be some cycle - the same command can be repeated only after some time or several other commands.

This is my capture:

Off light: 15.FF.F9.09.83.FB.54.10.E0.98.76.95.A5.F1.B1.56.EF.98.20.E3.76.02
On light: 15.FF.F9.09.83.87.E6.6F.52.2A.0A.E9.17.43.CD.2A.5D.2A.5C.1F.4B.6C
Fan Off: 15.FF.F9.09.83.43.C4.A0.70.08.CE.2D.35.61.09.EE.7F.08.9B.9B.AF.96
Fan On: 15.FF.F9.09.83.6B.C7.8B.73.0B.E6.05.36.62.21.C6.7C.0B.B3.F3.6D.C2 

Counter clock: 
	15.FF.F9.09.83.AA.C8.4F.7C.04.27.C4.39.6D.E0.08.E2.04.75.32.CE.98
	15.FF.F9.09.83.05.B7.FE.03.7B.88.6B.46.12.4F.A7.9D.7B.DA.9D.B7.42 
Clockwise:
1. 15.FF.F9.09.83.1F.FE.CC.4A.32.92.71.0F.5B.55.BD.D4.32.C0.87.96.4A 
2. 15.FF.F9.09.83.9A.18.4A.AC.D4.17.F4.E9.BD.D0.38.32.D4.45.02.73.78
3. 15.FF.F9.09.83.13.A8.C2.1C.64.9E.7D.59.0D.59.B1.82.64.CC.8B.C2.0A
4. 15.FF.F9.09.83.99.6F.4F.DB.A3.14.F7.9E.CA.D3.3B.45.A3.46.01.1A.22 
5. 15.FF.F9.09.83.D8.31.0F.85.FD.55.B6.C0.94.92.7A.1B.FD.07.40.45.2C
6. 15.FF.F9.09.83.34.B4.E0.00.78.B9.5A.45.11.7E.96.9E.78.EB.AC.C3.B0
7.  15.FF.F9.09.83.F9.81.2C.35.4D.74.97.70.24.B3.5B.AB.4D.26.61.F7.CE
8. 15.FF.F9.09.83.6F.D6.45.62.1A.E2.01.27.73.25.CD.FC.1A.B0.F7.A7.5C 

Speed 1, clockwise:
15.FF.F9.09.83.5D.79.92.CD.B5.D0.33.88.DC.17.FF.53.B5.89.85.5C.5C

Speed2: 15.FF.F9.09.83.15.B9.D9.0D.75.98.7B.48.1C.5F.B7.90.75.C1.8D.DE.6A
Speed3: 15.FF.F9.09.83.AC.B5.61.01.79.21.C2.44.10.E6.0E.9D.79.78.34.D4.80 
Speed4: 15.FF.F9.09.83.90.DB.52.6F.17.1D.FE.2A.7E.DA.32.F4.17.44.08.B8.A4 
Speed5: 15.FF.F9.09.83.16.DD.D5.69.11.9B.78.2C.78.5C.B4.F3.11.C2.8E.B0.90
Speed6: 15.FF.F9.09.83.26.56.E6.E2.9A.AB.48.A7.F3.6C.84.7B.9A.F2.BE.39.DC

???  15.FF.F9.09.83.4D.93.8C.27.5F.C0.23.62.36.07.EF.BD.5F.99.D5.FC.6C 
Speed 5: 15.FF.F9.09.83.04.E0.C2.54.2C.89.6A.11.45.4E.A6.CF.2C.D0.9C.8F.DC 
Speed 4: 15.FF.F9.09.83.5C.2E.9B.9A.E2.D1.32.DF.8B.16.FE.06.E2.88.C4.41.1A
Speed 2: 15.FF.F9.09.83.C2.C5.06.71.09.4F.AC.34.60.88.60.EC.09.16.5A.AA.10 
Speed 1:  15.FF.F9.09.83.FB.DB.3E.6F.17.76.95.2A.7E.B1.59.F1.17.2F.63.B4.28 
Speed 0:  15.FF.F9.09.83.4F.34.95.80.F8.C2.21.C5.91.05.ED.9F.F8.9A.D7.D8.1E 

The "clockwise" section - this is the same button pressed in the app. After 8 I can repeat 1st and it works.

[tdragon]

My remote also produces a different logs, but I was not able to repeat any of commants:

[10:20:55][D][esp32_ble_tracker:270]: Starting scan...
[10:20:59][D][ble_adv_handler:297]: raw - 1E.FF.56.55.18.87.52.B6.5F.2B.5E.00.FC.31.51.48.F2.4A.08.24.0A.AB.FC.FE.2C.B7.5A.34.FB.60.57 (31)
[10:20:59][D][remote - v1:134]: Decoded KO (crc16_2) - AA.98.43.AF.0B.46.46.46.09.12.4B.00.00.83.09.00.F1.F1.C2.F0.3A.2C.93.72 (24)
[10:20:59][D][ble_adv_handler:297]: raw - 19.FF.F9.09.04.39.E4.90.43.9A.5C.5C.9E.19.34.45.71.DB.7C.5C.8F.8D.CA.41.51.2C (26)
[10:21:00][D][ble_adv_handler:297]: raw - 19.FF.F9.09.03.39.E4.90.43.9A.5C.5C.9E.19.34.45.71.DB.7C.5C.8F.8D.CA.41.51.2B (26)
[10:21:02][D][ble_adv_handler:297]: raw - 1E.FF.06.00.01.0F.20.02.DD.F6.DF.55.85.C4.39.72.DF.22.D9.8E.35.B3.64.4A.4C.CB.A4.2F.73.61.CA (31)
[10:21:04][D][ble_adv_handler:297]: raw - 1B.FF.75.00.42.04.01.80.8E.BC.14.85.C7.5D.DA.26.4B.03.7B.53.2F.01.00.00.00.00.00.00 (28)
[10:21:05][D][ble_adv_handler:297]: raw - 02.01.1A.02.0A.04.0A.FF.4C.00.10.05.03.18.2C.6C.3D (17)
[10:21:05][D][ble_adv_handler:297]: raw - 02.01.1A.07.03.0F.18.0A.18.FF.FE.11.09.4A.61.62.72.61.20.45.76.6F.6C.76.65.32.20.38.35 (29)
[10:21:06][D][ble_adv_handler:297]: raw - 07.FF.4C.00.12.02.14.03 (8)
[10:21:07][D][ble_adv_handler:297]: raw - 1B.FF.75.00.42.04.01.80.60.D0.D0.03.6E.B3.09.D2.D0.03.6E.B3.08.01.2F.00.00.00.00.00 (28)
[10:21:10][D][ble_adv_handler:297]: raw - 1E.FF.56.55.18.87.52.B6.5F.2B.5E.00.FC.31.51.48.F2.4A.08.24.0A.6B.FC.4F.9D.1B.EB.0C.2D.60.57 (31)
[10:21:10][D][remote - v1:134]: Decoded KO (crc16_2) - AA.98.43.AF.0B.46.46.46.09.12.4B.00.00.83.0A.00.7C.7C.F7.7D.26.47.93.72 (24)
[10:21:10][D][ble_adv_handler:297]: raw - 19.FF.F9.09.04.B4.D2.4A.28.14.6A.86.F5.72.EE.73.FC.56.4A.86.E4.E7.10.77.DA.30 (26)
[10:21:10][D][ble_adv_handler:297]: raw - 19.FF.F9.09.03.B4.D2.4A.28.14.6A.86.F5.72.EE.73.FC.56.4A.86.E4.E7.10.77.DA.2F (26)
[10:21:13][D][ble_adv_handler:297]: raw - 0D.16.2C.FE.00.40.00.0A.0A.C8.11.A1.13.3C.02.0A.F5 (17)
[10:21:16][D][ble_adv_handler:297]: raw - 07.FF.4C.00.12.02.00.01 (8)
[10:21:17][D][ble_adv_handler:297]: raw - 1E.FF.56.55.18.87.52.B6.5F.2B.5E.00.FC.31.51.48.F2.4A.08.24.0A.EB.FC.3D.EF.47.99.F5.EC.60.57 (31)
[10:21:17][D][remote - v1:134]: Decoded KO (crc16_2) - AA.98.43.AF.0B.46.46.46.09.12.4B.00.00.83.0B.00.32.32.CD.33.B9.C4.93.72 (24)
[10:21:17][D][ble_adv_handler:297]: raw - 19.FF.F9.09.03.8A.29.A5.96.2B.91.69.4B.CC.01.88.C2.68.B1.69.5A.5A.FF.8C.E6.39 (26)
[10:21:17][D][ble_adv_handler:297]: raw - 19.FF.F9.09.04.8A.29.A5.96.2B.91.69.4B.CC.01.88.C2.68.B1.69.5A.5A.FF.8C.E6.3A (26)
[10:21:17][W][component:237]: Component esp32_ble_tracker took a long time for an operation (56 ms).
[10:21:17][W][component:238]: Components should block for at most 30 ms.
[10:21:19][D][ble_adv_handler:297]: raw - 02.01.1A.1B.FF.4C.00.0C.0E.08.D7.1A.4F.2E.9C.73.A9.5D.C1.D1.42.08.6A.10.06.44.1D.55.6B.6B.28 (31)
[10:21:21][D][ble_adv_handler:297]: raw - 1E.16.F3.FE.4A.17.23.5A.4C.4E.50.11.32.A7.6E.3D.29.C1.4C.44.3A.51.42.63.4B.E9.AD.E3.94.4D.7F (31)
[10:21:22][D][ble_adv_handler:297]: raw - 1E.FF.56.55.18.87.52.B6.5F.2B.5E.00.FC.31.51.48.F2.4A.08.24.0A.0B.FC.20.F2.C0.84.F1.BC.60.57 (31)
[10:21:22][D][remote - v1:134]: Decoded KO (crc16_2) - AA.98.43.AF.0B.46.46.46.09.12.4B.00.00.83.0C.00.8A.8A.2C.8B.99.CE.93.72 (24)
[10:21:22][D][ble_adv_handler:297]: raw - 19.FF.F9.09.04.25.96.58.62.83.2E.94.BF.38.FC.37.6D.C7.0E.94.AE.AF.02.33.47.B1 (26)
[10:21:22][D][ble_adv_handler:297]: raw - 19.FF.F9.09.03.25.96.58.62.83.2E.94.BF.38.FC.37.6D.C7.0E.94.AE.AF.02.33.47.B0 (26)
[10:21:22][D][ble_adv_handler:297]: raw - 02.01.1A.02.0A.0C.0C.FF.4C.00.10.07.3C.1F.5D.7A.36.C7.08 (19)
[10:21:25][D][ble_adv_handler:297]: raw - 1A.FF.4C.00.12.02.6E.02.07.11.06.FE.A0.5D.11.D2.73.70.C1.59.B0.C8.52.20.42.25.C1 (27)
[10:21:25][D][ble_adv_handler:297]: raw - 02.01.1A.1B.FF.4C.00.0C.0E.08.D8.1A.72.BD.E8.EA.69.D4.07.26.86.E8.D1.10.06.44.1D.55.6B.6B.28 (31)
[10:21:27][D][ble_adv_handler:297]: raw - 1E.FF.56.55.18.87.52.B6.5F.2B.5E.00.FC.31.51.48.F2.4A.08.24.0A.8B.FC.FC.2E.B7.58.AA.7A.60.57 (31)
[10:21:27][D][remote - v1:134]: Decoded KO (crc16_2) - AA.98.43.AF.0B.46.46.46.09.12.4B.00.00.83.0D.00.B1.B1.C2.B0.43.AD.93.72 (24)
[10:21:27][D][ble_adv_handler:297]: raw - 19.FF.F9.09.04.89.24.90.40.2E.9C.5C.9D.1A.34.85.C1.6B.BC.5C.8C.82.CA.81.E9.B7 (26)
[10:21:27][D][ble_adv_handler:297]: raw - 19.FF.F9.09.03.89.24.90.40.2E.9C.5C.9D.1A.34.85.C1.6B.BC.5C.8C.82.CA.81.E9.B6 (26)
[10:21:30][D][ble_adv_handler:297]: raw - 1E.FF.56.55.18.87.52.B6.5F.2B.5E.00.FC.31.51.48.F2.4A.08.24.0A.4B.FC.BC.6E.E7.18.56.73.60.57 (31)
[10:21:30][D][remote - v1:134]: Decoded KO (crc16_2) - AA.98.43.AF.0B.46.46.46.09.12.4B.00.00.83.0E.00.B3.B3.C8.B2.7C.3D.93.72 (24)
[10:21:30][D][ble_adv_handler:297]: raw - 19.FF.F9.09.04.B2.CB.2E.B9.16.73.E2.64.E3.8A.6A.FA.50.53.E2.75.7A.74.6E.D4.4C (26)
[10:21:30][D][ble_adv_handler:297]: raw - 19.FF.F9.09.03.B2.CB.2E.B9.16.73.E2.64.E3.8A.6A.FA.50.53.E2.75.7A.74.6E.D4.4B (26)
[10:21:31][D][ble_adv_handler:297]: raw - 1E.FF.06.00.01.09.20.02.26.DA.62.FA.74.AE.51.AA.CE.80.E9.0D.58.58.94.D2.AF.88.4E.FF.8F.AB.99 (31)
[10:21:33][D][ble_adv_handler:297]: raw - 07.FF.4C.00.12.02.10.01 (8)
[10:21:33][D][ble_adv_handler:297]: raw - 1E.FF.56.55.18.87.52.B6.5F.2B.5E.00.FC.31.51.94.F2.4A.88.44.0A.CB.FC.0C.DE.0B.A8.F2.40.60.57 (31)
[10:21:33][D][remote - v1:134]: Decoded KO (crc16_2) - AA.98.43.AF.0B.46.46.46.32.12.4B.01.06.83.0F.00.BE.BE.FF.BF.59.F1.93.72 (24)
[10:21:33][D][ble_adv_handler:297]: raw - 19.FF.F9.09.04.B7.DE.7B.EE.12.66.B7.33.B4.DF.7F.FF.55.46.B7.0F.EF.21.7B.C7.42 (26)
[10:21:33][D][ble_adv_handler:297]: raw - 19.FF.F9.09.03.B7.DE.7B.EE.12.66.B7.33.B4.DF.7F.FF.55.46.B7.0F.EF.21.7B.C7.41 (26)
[10:21:35][D][ble_adv_handler:297]: raw - 02.01.1A.1B.FF.75.00.42.04.01.01.67.F4.FE.FB.58.40.39.F6.FE.FB.58.40.38.24.00.00.00.00.00.00 (31)
[10:21:35][D][ble_adv_handler:297]: raw - 19.FF.F9.09.04.35.D4.50.43.8F.6C.9C.9E.19.F4.75.7D.D7.4C.9C.A2.45.0A.71.43.52 (26)
[10:21:35][D][ble_adv_handler:297]: raw - 1E.FF.56.55.18.87.52.B6.5F.2B.5E.00.FC.31.51.94.F2.4A.88.44.0A.33.FC.6F.BD.93.CB.C1.11.60.57 (31)
[10:21:36][D][remote - v1:134]: Decoded KO (crc16_2) - AA.98.43.AF.0B.46.46.46.32.12.4B.01.06.83.10.00.78.78.E6.79.95.7B.93.72 (24)
[10:21:36][D][ble_adv_handler:297]: raw - 19.FF.F9.09.03.35.D4.50.43.8F.6C.9C.9E.19.F4.75.7D.D7.4C.9C.A2.45.0A.71.43.51 (26)
[10:21:39][D][ble_adv_handler:297]: raw - 02.01.1A.17.FF.4C.00.09.08.13.21.C0.A8.0A.90.1B.58.16.08.00.35.5F.CA.42.C5.D8.77 (27)
[10:21:39][D][ble_adv_handler:297]: raw - 07.FF.4C.00.12.02.00.00 (8)
[10:21:40][D][ble_adv_handler:297]: raw - 02.01.1A.1B.FF.4C.00.0C.0E.08.D9.1A.DB.E8.47.BB.B0.6C.3D.D7.82.B2.94.10.06.44.1D.55.6B.6B.28 (31)
[10:21:40][D][ble_adv_handler:297]: raw - 1E.FF.56.55.18.87.52.B6.5F.2B.5E.00.FC.31.51.94.F2.4A.88.44.0A.B3.FC.35.E7.05.91.0D.4A.60.57 (31)
[10:21:40][D][remote - v1:134]: Decoded KO (crc16_2) - AA.98.43.AF.0B.46.46.46.32.12.4B.01.06.83.11.00.22.22.8F.23.A6.A1.93.72 (24)
[10:21:40][D][ble_adv_handler:297]: raw - 19.FF.F9.09.04.FE.F8.E1.87.45.40.2D.5A.DD.45.59.B6.1C.60.2D.66.80.BB.5D.8A.EA (26)
[10:21:40][D][ble_adv_handler:297]: raw - 19.FF.F9.09.03.FE.F8.E1.87.45.40.2D.5A.DD.45.59.B6.1C.60.2D.66.80.BB.5D.8A.E9 (26)
[10:21:40][D][ble_adv_handler:297]: raw - 02.01.1A.02.0A.0C.0A.FF.4C.00.10.05.12.1C.F1.36.4B (17)
[10:21:41][D][ble_adv_handler:297]: raw - 02.01.1A.1B.FF.4C.00.0C.0E.08.DA.1A.D8.B8.C3.15.C7.53.2F.98.19.77.9D.10.06.44.1D.55.6B.6B.28 (31)

[doshisunny]

@tdragon How did you setup this in esphome config? Is it working for you with this multiple?
(I did not see if it was repeating after certain number of times. I just though its creating new. I will capture again and see what is repeat frequency)

[tdragon]

No, it doesn't work.
I followed the doc and captured events from the app.

[NicoIIT]

Hi guys,

I installed the Smart Light app and managed to capture the android logs of the transaction, showing the different steps of the build of the message. I also decompiled the app with jadx and get some info, but unfortunately I did not manage to decompile the C/C++ library (called via JNI and probably obfuscated) that performs the final encryption. I tried the standard algos we have from other app but none of them are working.

Here are my findings so far, based on Android logs:

** Transaction FAN ON (previously OFF), tx 4, device 3, grp 1 (3rd device added in Living Room area):

{ NativeMap: {"ftdCmd":"","argCmd":"8381000901","deviceType":8,"deviceId":3,"groupAddr":1} }
8381000901 => the first encoding, containing the command code, the group, the deviceid, the devicetype and various indicators. As it is available directly in Android logs, this should be easy to build for each command.

seq = 04050010 => a sequencing:
* '04' is the number of transactions issued since the start of the app
* '05' is the number of app start (increased at each app "session")
* '0010' seems to be fixed data

pid = 7F5E0010, a kind of phone ID. It is allocated when the app is installed, and different only in case you reset the app storage and use a brand new account. The part '0010' seems fixed.

pid = 040500107F5E0010838100090114, simply an aggregation of the previous data (seq, argCmd, pid), and a basic checkcum(14) at the end.
=> this is the output of the function "BeaconEncryptUtils.dataWithCmd"

After that, this buffer is sent to another method "BeaconEncryptUtils.dataEncrypt" that produces the following encrypted output:
84B96017DEAC749C9BC5F3905AAC6DE2D157
The encrypted buffer is 4 bytes longer than the initial pid buffer, the following being added on top of the encrypted data:

• The (84) at the beginning seems to be fixed
• The (57) at the end is a checksum.
• 2 more bytes (usually either at the beginning: B9.60, or a the end: E2.D1, but not sure...), could be a seed, a crc16, a pivot used for xor or anything that would allow the decryption on the Fan side...
  => This encryption is the only remaining step to be "hacked" but I did not find a way to do it as of now...

To finish the standard BLE ADV process with Company Id = 2553 (F9.09) then produces the following output captured by our component:
[16:29:29][D][main:774]: raw - 15.FF.F9.09.84.B9.60.17.DE.AC.74.9C.9B.C5.F3.90.5A.AC.6D.E2.D1.57 (25)

Please note that this app is also controlling devices without using BLE Advertising (standard BLE GATT control, wifi...), so even if we manage to revert the encryption algo (which would require a significant effort btw I already spent the week end on it without success..), there is no guarantee this would effectively work for your devices...

Could you please try to capture a Light ON / Light OFF message and try to inject it or setup a template HA light as explained here, this would guarantee your lights are effectively using BLE ADV (and maybe build a basic way to command your light from HA if we do not succeed...)

Thanks in advance

[tdragon]

Hi @NicoIIT
Thanks for your post. I was also looking into this app and stopped on the native lib.
My captured light on/off messages are:

Off light: 15.FF.F9.09.83.FB.54.10.E0.98.76.95.A5.F1.B1.56.EF.98.20.E3.76.02
On light: 15.FF.F9.09.83.87.E6.6F.52.2A.0A.E9.17.43.CD.2A.5D.2A.5C.1F.4B.6C

They works when injected, but only first time. Then I have to send 5 other messages to make them work again. Probably the lamp remembers 5 last messages.