uvNikita/roomba-j7-hass.md Secret

## roomba-j7-hass.md

      
    Raw
  

              roomba-j7-hass.md
            
          
    Patch irobot apk using apk-mitm


Enable USB debugging on the phone


Enable adb on PC


Connect phone to PC via USB


Pull roomba apks from the phone
$ adb devices
List of devices attached
RF8M81QSMMJ	device

$ adb shell pm list packages
...

$ adb shell pm path com.irobot.home
package:/data/app/.../base.apk
package:/data/app/.../split_config.arm64_v8a.apk
package:/data/app/.../split_config.xxhdpi.apk

$ adb pull /data/app/.../base.apk com.irobot.home.apk
$ adb pull /data/app/.../split_config.arm64_v8a.apk config.arm64_v8a.apk
$ adb pull /data/app/.../split_config.xxhdpi.apk config.xxhdpi.apk


Download xapk from https://apkpure.com/irobot-home/com.irobot.home, extract files into irobot-xapk folder


Copy manifest.json
$ cp irobot-xapk/manifest.json manifest.json


Create new xapk
$ apack irobot.zip com.irobot.home.apk config.arm64_v8a.apk config.xxhdpi.apk manifest.json
$ mv irobot.zip irobot.xapk


Patch irobot.xapk with apk-mitm
$ apk-mitm irobot.xapk


Extract patched apks from xapk
$ aunpack irobot-patched.xapk


Uninstall irobot application from the phone
adb uninstall com.irobot.home


Install apks with install-multiple
$ adb install-multiple com.irobot.home.apk config.arm64_v8a.apk config.xxhdpi.apk


Use mitmproxy to get BLID and password


Install and run mitmproxy
$ mitmproxy


Open port 8080
$ sudo iptables -I INPUT 1 -p tcp --dport 8080 -j ACCEPT


Follow instuctions to configure proxy on the phone with installed CA: https://medium.com/testvagrant/intercept-ios-android-network-calls-using-mitmproxy-4d3c94831f62


Run irobot application, login


Select request to /v2/login in mitmproxy: check robots dict in response, BLID is entry's key and password is in the password field