Certificate Pinning?

[fearoffish]

Hi, I've configured Burp as my proxy and configured my phone to use it (certificates installed, all HTTP and HTTPS websites working through it just fine), however the app fails to negotiate the ssl handshake. Have they implemented certificate pinning, do you know?

[bmedicke]

Likely. It's been a while since I captured my secret, which is still working. I sent Anova a mail before publishing this project and they asked me to sit on it for a while (which I did for a couple of months) so they could work on their public API.

Nothing ever came of that so I put it online, guess they used the time to pin the certificate.

If you have an Android or a jailbroken iPhone you could try to patch the app and get around it. It might even work in the Android emulator which would make it very easy for everyone to get their secret.

I'm a bit pressed for time at the moment so I'm not sure if I'll give that a go any time soon (personally I'm still waiting for the Joule to get to Europe).

If anyone decides to try that feel free to let me know.

[deftdawg]

@fearoffish If I may... There is another approach you can take to determine your device's info.

The device also listens on port 9988... Connecting to this port via TCP, it is possible to determine the device's name and secret.

Start by grabbing @TheUbuntuGuy's protocol decoder script, then use netcat... And with some luck you may be able to capture the info...

curl -O https://gist.githubusercontent.com/TheUbuntuGuy/225492a8dec816d49b70d9c21811e8b1/raw/47f591fbe370f47e58d7813bd61a3af72679729c/fuckuanova.py
export ANOVA_IP=..... # Whatever the IP of it is...
while ! ping -c 1 ${ANOVA_IP} -t 1 2>&1 >/dev/null; do echo -n .; done; echo; nc ${ANOVA_IP} 9988 | xxd -plain -l 100 | tr -d '\n' | sed -e $'s/1668/16\\\n68/g' | tee -a rawdump.txt
python3 fuckuanova.py | less

There is an element of luck to this, as you must catch the device as it is just coming on... a ping loop may be too slow, but netcat -z wasn't reliable from OSX... So you may have to figure out a faster way to poll that the port is has just come up.

Essentially, you're looking for a long (20+) packet that contains 'anova f56-xxxxxxxxx' and followed by another packet that looks like gibberish a packet or two after (usually there's a firmware version packet in between)

[bmedicke]

Fantastic, thank you so much for bringing it to my attention @jumpkick!
This worked on the second try for me. And a big thank you to @TheUbuntuGuy.

I'll link to this issue in the readme.

For anyone that's giving this method a go you are looking for these two lines:

The first one is you cooker_id the second you secret.

Edit: I just found out about a video by @TheUbuntuGuy that goes into detail how he reverse-engineered the Anova software. If you're at all interested in the process it's definitely worth a watch:
https://www.youtube.com/watch?v=xDDPFHhY7ec

[danodemano]

FYI if you have a rooted Android device there is a WAY easier to to get this. Both the ID and Secret are stored in this file: /data/data/com.anovaculinary.android/shared_prefs/com.anovaculinary.android_preferences.xml

You have to have the device connected to your wifi and logged into your account. Then just open that file and you will see the ID and Secret. I gave up trying to get it with the NetCat method (after 2 days of failing) and used a rooted Android tablet instead.

[FuzzyMistborn]

Neither option is working with the new Anova Precision that just came out :-(

[danodemano]

@FuzzyMistborn - try a packet capture with this: https://play.google.com/store/apps/details?id=com.minhui.networkcapture&hl=en_US

Doesn't seem to work on Android 10 but I was able to get it working right on Android 6 and got the cooker ID and secret.

I don't have a new Anova to test with though unfortunately so I can't really help you there. :/ My "older" device works via this method with the current version of the app.

[niekbuurmah2o]

Neither option is working with the new Anova Precision that just came out :-(

That's what I'm finding as well. The Anova Precision Cooker 2.0 doesn't seem to engage with this script - having watched the @TheUbuntuGuy's video above, I now know the problem could be in any one of far too many steps :( Biggest risk is they've now properly secured the communication :( In my case, that's &^&@ because I don't even want to use this thing for cooking, I want it to control the temperature of equipment in a lab!

[TheUbuntuGuy]

Can anyone who has a 'new' unit take a packet capture from their router? That will easily allow us to see how the new communication works between the cooker and their API. If they saw the light and used something more integrated like an ESP32 in the new design, it's possible that they implemented a similar key pinning in the device as well.

[Geoff-S]

After much hair pulling, I was finally able to get my Precision Cooker to work via the app.
I have a trace of the cooker connecting to anova which I'll upload https://github.com/Geoff-S/Anova-Precision-Cooker for anyone interested.
Forgot to mention, it's a tcpdump i.e. Wireshark

[Br3nda]

I had a look in /data/data/com.anovaculinary.android/shared_prefs/com.anovaculinary.android_preferences.xml but i only see facebook stuff (I don't have facebook or facebook installed)

The keys aren't there anymore

[Geoff-S]

I think the keys would be in the cooker firmware, not the app.
App connects to cooker to tell it what SSID to use to connect to anova. (I think)

[trisk]

On my rooted phone, I did a grep -r f56 /data/data/com.anovaculinary.android out of desperation and found the ID and secret in the following:

/data/data/com.anovaculinary.android/cache/http-cache/2d0e2ee0700dc78993d93b5d41959dfc.0:https://api.anovaculinary.com/cookers/anova%20f56-XXXXXXXXXXX?secret=XXXXXXXXXX
/data/data/com.anovaculinary.android/cache/http-cache/2d0e2ee0700dc78993d93b5d41959dfc.1:{"status":{"cooker_id":"anova f56-XXXXXXXXXXX","firmware_version":"ver 2.7.7","is_running":false,"current_temp":129.9,"target_temp":124,"temp_unit":"f","speaker_mode":true,"is_timer_running":false,"timer_length":1920}}
/data/data/com.anovaculinary.android/cache/http-cache/40697e66b132c326507ca16c8cc26978.0:https://api.anovaculinary.com/cookers/anova%20f56-XXXXXXXXXXX?secret=XXXXXXXXXX

Interestingly, the two secrets were different although the device ID was the same (I only have one original WiFi cooker).

[jdchaiken]

I think the keys would be in the cooker firmware, not the app.
App connects to cooker to tell it what SSID to use to connect to anova. (I think)

I would think there should be certs on both. If I understand how it works correctly, the cooker opens a reverse proxy back to anovaculinary.com and receives directions and the app connects directly to anovaculinary.com and sends directions.

In theory you could forge packets from anovaculinary directly to the cooker or probably better to obtain a new JWT in your app to send messages to anovaculinary.com which then sends through the reverse proxy.

[k7franklin]

@fearoffish If I may... There is another approach you can take to determine your device's info.

The device also listens on port 9988... Connecting to this port via TCP, it is possible to determine the device's name and secret.

Start by grabbing @TheUbuntuGuy's protocol decoder script, then use netcat... And with some luck you may be able to capture the info...

curl -O https://gist.githubusercontent.com/TheUbuntuGuy/225492a8dec816d49b70d9c21811e8b1/raw/47f591fbe370f47e58d7813bd61a3af72679729c/fuckuanova.py
export ANOVA_IP=..... # Whatever the IP of it is...
while ! ping -c 1 ${ANOVA_IP} -t 1 2>&1 >/dev/null; do echo -n .; done; echo; nc ${ANOVA_IP} 9988 | xxd -plain -l 100 | tr -d '\n' | sed -e $'s/1668/16\\\n68/g' | tee -a rawdump.txt
python3 fuckuanova.py | less

There is an element of luck to this, as you must catch the device as it is just coming on... a ping loop may be too slow, but netcat -z wasn't reliable from OSX... So you may have to figure out a faster way to poll that the port is has just come up.

Essentially, you're looking for a long (20+) packet that contains 'anova f56-xxxxxxxxx' and followed by another packet that looks like gibberish a packet or two after (usually there's a firmware version packet in between)

What is the version of the firmware that allows this connection?

I've bought one anova precision cooker wifi + bt and my friend too. His cooker is on 2.7.7 an mine in 2.7.9. The mine refuses all the connections in netcast, the other allowed and answered the intent with all data, perfectly.

i've saw that my cooker uses an ESPRESSIF chip, i think is a ESP32. The cooker of my friend not, is other brand chip.

There is the only difference? can we try to downgrade the firmware? Exists other way to get the secret?