Better way to get the local key #345

Closed
csobrinho opened this issue Aug 2, 2020 · 16 comments

@csobrinho

I believe there is a better and faster way to get the local key. You can open the manufacturer app, link the device and then dump the memory of the process using:

adb shell am dumpheap {package_name}

Then open this on Android Studio and search for allocations of either byte[8] or SecretKeySpec. The key will present itself.

I believe it should also work with non-rooted phones but haven't tested it.

@Apollon77
Collaborator

But this would be Android only, or?!

@codetheweb
Owner

codetheweb commented Aug 3, 2020 via email

@ProPuke

ProPuke commented Aug 9, 2020

Unless I'm mistaken the current method seems to be signing up for a developer account, which costs $300 a year after the first 3 months?

If so a better method would be much appreciated.

@alanfoster99

@ProPuke that seems to be the case; the developer account apparently was free previously, but I can find no way to follow the workflow described anymore, and the $300 seems required now

@alanfoster99

@ProPuke I spoke too soon. I went back and created another account directly from iot.tuya.com and this time was able to get into the free portion. The first time I created the account from their main page. Hope the same works for you.

@geoffwoollams

geoffwoollams commented Sep 3, 2020

Just tried this, worked perfectly. No root required on Android 10 (Lineage OS 17.1). Got confirmed working keys for my 8 new lights! My steps:

1. Install your Tuya app. I used the Kogan SmarterHome app. Add your devices to the app.
2. With USB debugging enabled and the cable connected, get the memory dump (replacing com.kogan.smarterhome if you use something else):

   ```
   adb shell am dumpheap com.kogan.smarterhome /data/local/tmp/tuya.hprof
   adb pull /data/local/tmp/tuya.hprof %USERPROFILE%\Desktop\tuya.hprof
   ```

3. Now run the file through hprof-conv (installed with Android Studio):

   ```
   hprof-conv %USERPROFILE%\Desktop\tuya.hprof %USERPROFILE%\Desktop\tuya-conv.hprof
   ```

4. Open tuya-conv.hprof in Eclipse Memory Analyzer.
5. There may be a quicker way of doing this part, but open the Histogram, scroll to the bottom of the list to the bold 'Total', then right click and expand all.
6. Sort by class name, then scroll to com.tuya.sdk.device.presenter.TuyaDeviceMonitorManager. Right click it and click List Object -> outgoing.
7. This should list an instance for each of your devices.
8. Under mIDevListener.b you will find devId, localKey, name, mac.

Edit 2021: The Kogan app no longer allows debugging, so this method doesn't work. Altering the app to enable debugging doesn't work either, as it crashes when you log in. I did however manage to get the keys using a rooted device, setting the global debugging flag instead.

@tomporter518

I have tried the approach and it does NOT work with the Smart Life app (com.tuya.smartlife). That application does not allow attaching to the process for debugging as the appropriate flag appears to not be set.

@MagneFire

Just tried the method described by @geoffwoollams, it works perfectly. Initially I tried the method described by @csobrinho, but I couldn't find the keys, even though there were multiple instances of SecretKeySpec.

I am using the LSC smart app for Android which is not debuggable. Following this guide: https://gist.github.com/nstarke/615ca3603fdded8aee47fab6f4917826 allowed the app to become debuggable. @tomporter518 this may be helpful to you.

@rootik

rootik commented Sep 9, 2020

> Just tried this, worked perfectly. No root required on Android 10 (Lineage OS 17.1). Got confirmed working keys for my 8 new lights! My steps:
>
> 1. Install your Tuya app. I used the Kogan SmarterHome app. Add your devices to the app.
> 2. With USB debugging enabled and the cable connected, get the memory dump (replacing com.kogan.smarterhome if you use something else):
>
>    ```
>    adb shell am dumpheap com.kogan.smarterhome /data/local/tmp/tuya.hprof
>    adb pull /data/local/tmp/tuya.hprof %USERPROFILE%\Desktop\tuya.hprof
>    ```
>
> 3. Now run the file through hprof-conv (installed with Android Studio):
>
>    ```
>    hprof-conv %USERPROFILE%\Desktop\tuya.hprof %USERPROFILE%\Desktop\tuya-conv.hprof
>    ```
>
> 4. Open tuya-conv.hprof in Eclipse Memory Analyzer.
> 5. There may be a quicker way of doing this part, but open the Histogram, scroll to the bottom of the list to the bold 'Total', then right click and expand all.
> 6. Sort by class name, then scroll to com.tuya.sdk.device.presenter.TuyaDeviceMonitorManager. Right click it and click List Object -> outgoing.
> 7. This should list an instance for each of your devices.
> 8. Under mIDevListener.b you will find devId, localKey, name, mac.

Cheers
I was able to get the local device key with this method, using Android Studio instead of Eclipse, and the same Kogan Smarter Home app you mentioned, running in an emulator.

@codetheweb
Owner

Closing for now, still happy to accept a PR for the docs if someone wants to edit them.

@Gigadoc2

Gigadoc2 commented Dec 6, 2023

For future readers (I hope this is an appropriate place to put that information), for the current Tuya Smart App (and probably the SDK in general) the objects you are looking for are of the class com.thingclips.smart.sdk.bean.DeviceBean.

@fume

fume commented Dec 16, 2024

> For future readers (I hope this is an appropriate place to put that information), for the current Tuya Smart App (and probably the SDK in general) the objects you are looking for are of the class com.thingclips.smart.sdk.bean.DeviceBean.

For the people like me who weren't able to renew the free IoT Core plan on the Tuya Developer Console, I can confirm that taking the heap dump via adb shell (on a rooted device or rooted emulator) for the Smart Life app (com.tuya.smartlife) and searching for the class com.thingclips.smart.sdk.bean.DeviceBean is the way to go.

@JsSusenka

@fume Have you faced this error when dumping the memory of the application? Just to note, I tried both a rooted device and a rooted emulator, but faced the same issue. Can you perhaps give me a little hint on how to take the heap dump? Thanks

```
-> ~/Developer/tmp/android_dump adb shell am dumpheap com.tuya.smartlife
File: /data/local/tmp/heapdump-20241225-152014.prof

Exception occurred while executing 'dumpheap':
java.lang.SecurityException: Process not debuggable: com.tuya.smartlife
	at com.android.server.am.ActivityManagerService.enforceDebuggable(ActivityManagerService.java:6203)
	at com.android.server.am.ActivityManagerService.dumpHeap(ActivityManagerService.java:17953)
	at com.android.server.am.ActivityManagerShellCommand.runDumpHeap(ActivityManagerShellCommand.java:1343)
	at com.android.server.am.ActivityManagerShellCommand.onCommand(ActivityManagerShellCommand.java:291)
	at com.android.modules.utils.BasicShellCommandHandler.exec(BasicShellCommandHandler.java:97)
	at android.os.ShellCommand.exec(ShellCommand.java:38)
	at com.android.server.am.ActivityManagerService.onShellCommand(ActivityManagerService.java:10471)
	at android.os.Binder.shellCommand(Binder.java:1230)
	at android.os.Binder.onTransact(Binder.java:1043)
	at android.app.IActivityManager$Stub.onTransact(IActivityManager.java:5675)
	at com.android.server.am.ActivityManagerService.onTransact(ActivityManagerService.java:2812)
	at android.os.Binder.execTransactInternal(Binder.java:1505)
	at android.os.Binder.execTransact(Binder.java:1444)
```

@fume

fume commented Dec 26, 2024

> @fume Have you faced this error when dumping the memory of the application? Just to note, I tried both a rooted device and a rooted emulator, but faced the same issue. Can you perhaps give me a little hint on how to take the heap dump? Thanks
>
> ```
> -> ~/Developer/tmp/android_dump adb shell am dumpheap com.tuya.smartlife
> File: /data/local/tmp/heapdump-20241225-152014.prof
>
> Exception occurred while executing 'dumpheap':
> java.lang.SecurityException: Process not debuggable: com.tuya.smartlife
> 	at com.android.server.am.ActivityManagerService.enforceDebuggable(ActivityManagerService.java:6203)
> 	at com.android.server.am.ActivityManagerService.dumpHeap(ActivityManagerService.java:17953)
> 	at com.android.server.am.ActivityManagerShellCommand.runDumpHeap(ActivityManagerShellCommand.java:1343)
> 	at com.android.server.am.ActivityManagerShellCommand.onCommand(ActivityManagerShellCommand.java:291)
> 	at com.android.modules.utils.BasicShellCommandHandler.exec(BasicShellCommandHandler.java:97)
> 	at android.os.ShellCommand.exec(ShellCommand.java:38)
> 	at com.android.server.am.ActivityManagerService.onShellCommand(ActivityManagerService.java:10471)
> 	at android.os.Binder.shellCommand(Binder.java:1230)
> 	at android.os.Binder.onTransact(Binder.java:1043)
> 	at android.app.IActivityManager$Stub.onTransact(IActivityManager.java:5675)
> 	at com.android.server.am.ActivityManagerService.onTransact(ActivityManagerService.java:2812)
> 	at android.os.Binder.execTransactInternal(Binder.java:1505)
> 	at android.os.Binder.execTransact(Binder.java:1444)
> ```

Hi @JsSusenka, yes, I had the same exact error in the beginning, but then I tried it on a rooted emulator (BlueStacks 5) and it worked as expected. Can you confirm that adb is connected to the right device/emulator?

@geoffwoollams

Hi! I got that error too and sorted it with the global debuggable flag. I can’t find any info on that now but I found this which looks like it might be helpful for you: https://www.apriorit.com/dev-blog/736-mobile-a-brief-guide-to-making-any-android-application-debuggable

Follow the guide and hopefully it’ll help. It suggests the builds from android studio should work ootb:

We should note that Android Studio provides an engineering build of a system image for emulators by default. Such a build has root access and enables the debugging of processes and applications regardless of the android:debuggable flag’s state in the AndroidManifest.xml file.
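Whether `am dumpheap` succeeds in this thread comes down to the app's android:debuggable flag (the `enforceDebuggable` frame in the stack trace above). For app developers, the following is an added example, not code from this thread or from the project, of a release check that flags manifests shipping with that attribute enabled; it assumes the manifest has already been decoded to text XML, and the package names and sample manifests are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
DEBUGGABLE = "{%s}debuggable" % ANDROID_NS


def debuggable_state(manifest_xml):
    """Return (package, state) for a decoded AndroidManifest.xml string.

    state is 'debuggable', 'not-debuggable' or 'unresolved'.
    """
    root = ET.fromstring(manifest_xml)
    if root.tag != "manifest":
        raise ValueError("not an AndroidManifest.xml document")
    package = root.get("package", "<unknown>")
    app = root.find("application")
    raw = app.get(DEBUGGABLE) if app is not None else None
    if raw is None:
        return package, "not-debuggable"  # attribute absent: default is false
    value = raw.strip().lower()
    if value == "true":
        return package, "debuggable"
    if value == "false":
        return package, "not-debuggable"
    return package, "unresolved"  # e.g. a "@bool/..." resource reference


def release_findings(manifests):
    """List packages whose heap could be dumped over adb on a stock device."""
    findings = []
    for text in manifests:
        package, state = debuggable_state(text)
        if state != "not-debuggable":
            findings.append("%s: %s" % (package, state))
    return findings


# Constructed sample manifests; package names are placeholders.
_TEMPLATE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="{pkg}">
  <application android:label="demo"{extra}/>
</manifest>"""
SAMPLES = [
    _TEMPLATE.format(pkg="com.example.debugbuild", extra=' android:debuggable="true"'),
    _TEMPLATE.format(pkg="com.example.release", extra=""),
    _TEMPLATE.format(pkg="com.example.flavor", extra=' android:debuggable="@bool/dbg"'),
    _TEMPLATE.format(pkg="com.example.explicit", extra=' android:debuggable="false"'),
]

if __name__ == "__main__":
    print("\n".join(release_findings(SAMPLES)))
```

As the guide quoted above notes, an engineering system image allows debugging regardless of this flag, so the check only describes behaviour on production builds of the OS.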

@piyushgarg

For heapdump exception install https://github.com/Mygod/debuggable.prop
