├── .Screenshots
    ├── ScreenShot.png
    ├── configure.png
    ├── create_sch.png
    ├── delete.png
    ├── discover.png
    ├── extract.png
    └── schedule.png
├── .gitignore
├── Auto Extract Parameters.pdf
├── README.md
├── Switcher V2 Rooted Device.pdf
├── Switcher V2 UnRooted Device.pdf
├── extractV3.py
└── switcher.py


/.Screenshots/ScreenShot.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NightRang3r/Switcher-V2-Python/7240bf1faef87d3dc1d642420bb66fe83538579b/.Screenshots/ScreenShot.png


--------------------------------------------------------------------------------
/.Screenshots/configure.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NightRang3r/Switcher-V2-Python/7240bf1faef87d3dc1d642420bb66fe83538579b/.Screenshots/configure.png


--------------------------------------------------------------------------------
/.Screenshots/create_sch.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NightRang3r/Switcher-V2-Python/7240bf1faef87d3dc1d642420bb66fe83538579b/.Screenshots/create_sch.png


--------------------------------------------------------------------------------
/.Screenshots/delete.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NightRang3r/Switcher-V2-Python/7240bf1faef87d3dc1d642420bb66fe83538579b/.Screenshots/delete.png


--------------------------------------------------------------------------------
/.Screenshots/discover.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NightRang3r/Switcher-V2-Python/7240bf1faef87d3dc1d642420bb66fe83538579b/.Screenshots/discover.png


--------------------------------------------------------------------------------
/.Screenshots/extract.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NightRang3r/Switcher-V2-Python/7240bf1faef87d3dc1d642420bb66fe83538579b/.Screenshots/extract.png


--------------------------------------------------------------------------------
/.Screenshots/schedule.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NightRang3r/Switcher-V2-Python/7240bf1faef87d3dc1d642420bb66fe83538579b/.Screenshots/schedule.png


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | # Ignore Mac DS_Store files
2 | .DS_Store
3 | .gitignore
4 | 


--------------------------------------------------------------------------------
/Auto Extract Parameters.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NightRang3r/Switcher-V2-Python/7240bf1faef87d3dc1d642420bb66fe83538579b/Auto Extract Parameters.pdf


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | # Description
  2 | 
  3 | This script is a result of an extensive reasearch of the Switcher V2 Protocol which was performed by Aviad Golan ([@AviadGolan](https://twitter.com/AviadGolan)) and Shai rod ([@NightRang3r](https://twitter.com/NightRang3r))
  4 | 
  5 | 
  6 | ### Important Update
  7 | 
  8 | Recent changes in the Switcher firmware broke some functionality in our script and the home assistant components mainly the required values extraction process.
  9 | 
 10 | * Switcher V2: Firmware 3.21 (Based on ESP chipset) and 72.32 (Qualcomm chipset)  
 11 | * Switcher Touch with firmware 1.51
 12 | 
 13 | But don't worry...the good news is that the **"phone_id"** and **"device_password"** values doesn't really matter anymore
 14 | The only required value you need to extract is the **"device_id"** which is still supported by the script using the discover feature:
 15 | 
 16 | ```
 17 | ~# python switcher.py discover
 18 | ```
 19 | 
 20 | So an exmaple configuration of the script would look like this:
 21 | 
 22 | ```
 23 | ########## CHANGE TO YOUR PARAMS ##########
 24 | switcherIP = "10.0.0.18" 
 25 | phone_id = "0000"  
 26 | device_id = "ceb91c"
 27 | device_pass = "00000000"
 28 | ########## DO NOT CHANGE BYOND THIS LINE  ##########
 29 | ```
 30 | 
 31 | **Earlier firmaware versions can still use the extract feature in this script in order to get the required values**
 32 | 
 33 | 
 34 | **Features:**
 35 | 
 36 | * Turn Device ON/OFF
 37 | * Turn Device ON/OFF using a timer
 38 | * Get Device State and Information
 39 | * Create and Delete Schedules 
 40 | * Enable/Disable a Schedule 
 41 | * Change Device name
 42 | * Change Auto shutdown configuration
 43 | * Auto discover device IP Address and State
 44 | * Configure Switcher in Access Point Mode
 45 | 
 46 | 
 47 | ![alt text](https://raw.githubusercontent.com/NightRang3r/Switcher-V2-Python/master/.Screenshots/ScreenShot.png)
 48 | 
 49 | 
 50 | Product homepage: [https://www.switcher.co.il/](https://www.switcher.co.il/)
 51 | 
 52 | ### Home Asssistant Component
 53 | 
 54 | Home assistant users can use this script as a command line [switch](https://home-assistant.io/components/switch.command_line/) or use the following component created by [@TomerFI](https://github.com/TomerFi/) based on this script:
 55 | 
 56 | [https://github.com/TomerFi/home-assistant-custom-components/tree/master/switcher_aio](https://github.com/TomerFi/home-assistant-custom-components/tree/master/switcher_aio)
 57 | 
 58 | ### Requirements
 59 | 
 60 | This script requires Python 2.7 
 61 | 
 62 | 
 63 | In order to use the script you will need to extract the following parameters from a rooted android device, from a packet capture or using the "extract" feature and adjust the script parameters accordingly:
 64 | 
 65 | * switcherIP
 66 | * phone_id
 67 | * device_id
 68 | * device_pass
 69 | 
 70 | [i] The **"extract"**, **"Auto Discover"** and **"Configure Switcher in AP Mode"** features **DOES NOT require** the **switcherIP, phone_id, device_id, device_pass** parameters in order to operate
 71 | 
 72 | 
 73 | There are 3 ways to extract the required values:
 74 | 
 75 | 1. Manually from a rooted Android Device from the switcher app sqlite db
 76 | 2. Manually an unrooted Android device using a packet capture application
 77 | 3. Automatically using **THIS script**
 78 | 
 79 | **To extract the values using this script please look at the [usage example in the usage section](https://github.com/NightRang3r/Switcher-V2-Python#extract-required-values)**
 80 | 
 81 | #### switcherIP = "0.0.0.0"
 82 | 
 83 | Change IP Address to your switcher IP
 84 | 
 85 | #### phone_id = "0000"
 86 | 
 87 | Can be found in the sqlite db on a rooted android device (/data/data/com.ogemary.smarthome/databases/myDB) in "phone" table **"uid"** column, value needs to be converted into hex and turn hex value to Little Endian
 88 | or from packet capture of an "on/off" command (a record with 147 length in wireshark, 93 bytes data (186 chars)) copy 4 chars value from 89-93 or bytes 44-46
 89 | 
 90 | #### device_id = "000000"
 91 | 
 92 | Can be found in the sqlite db on a rooted android device  (/data/data/com.ogemary.smarthome/databases/myDB) in "device" table **"did"** column needs to be converted into hex and turn hex value to Little Endian
 93 | or from packet capture of an "on/off" command (a record with 147 length in wireshark, 93 bytes data (186 chars)) copy 6 chars value from 81-87 or bytes 40-43
 94 | 
 95 | #### device_pass = "00000000"
 96 | 
 97 | Can be found in the sqlite db on a rooted android device  (/data/data/com.ogemary.smarthome/databases/myDB) in "device" table **"devicepass"** column needs to be viewd in binary mode, copy the 8 digits password
 98 |  or from packet capture of an "on/off" command (a record with 147 length in wireshark, 93 bytes data (186 chars)) copy 8 chars value from 97-105 or bytes 48-52
 99 | 
100 | **Example of captured ON/OFF Packet from local lan connection to switcher device (Required values are highlighted):**
101 |                                                                                     
102 |  fef05d0002320102c49d8448340001000000000000000000bccbb05a00000000000000000000f0fe**44bc1e**00**711a**0000**36373731**0000000000000000000000000000000000000000000000000000000001060001000000000073290d1d
103 | 
104 | 
105 | You can use this tool to convert the values into HEX:
106 | 
107 | [https://www.binaryhexconverter.com/decimal-to-hex-converter](https://www.binaryhexconverter.com/decimal-to-hex-converter)
108 | 
109 | Use this tool to convert to little endian:
110 | 
111 | [https://www.scadacore.com/tools/programming-calculators/online-hex-converter/](https://www.scadacore.com/tools/programming-calculators/online-hex-converter/)
112 | 
113 | 
114 |  **Example conversion of "did" to little endian :**
115 |  <pre>
116 |  did from db = 2004123
117 |  Converted to hex = 1E949B
118 |  Little endian =  9B941E
119 |  </pre>
120 | 
121 | 
122 | # Usage:
123 | 
124 | ### Extract Required Values
125 | 
126 | This feature will attempt to extract the required parameters for the operation of this script or the home assistant component
127 | 
128 | How it works ?
129 | 
130 | 1. The script will listen and wait for a broadcast message from your switcher device and will extract the **device_id** paramter from the broadcast message.
131 | 2. The script will send a "magic" packet which will retrun the **phone_id** parameter
132 | 3. The script will Perform a Brute Force attack in order to find the **device_password**
133 | 4. A file with the extracted information will be created in the same directory of the script.
134 | 
135 | **Please notice the process can take between 10 seconds to 10 minutes!**
136 | 
137 | This is a guided process, which requires user intervention, **You will need to click the "Update" button in the "Auto close" screen or turn ON your switcher device in the Switcher App when prompted**.
138 | 
139 | <pre> ~# python switcher.py extract</pre>
140 | 
141 | ![alt text](https://raw.githubusercontent.com/NightRang3r/Switcher-V2-Python/master/.Screenshots/extract.png)
142 | 
143 | ### Discover Switcher IP Address and State
144 | 
145 | 
146 | This is a "passive" feature that will **listen** to broadcasts sent by your switcher device which contains the following information:
147 | 
148 | * Device IP Address
149 | * Device MAC Address
150 | * Device Name
151 | * Device ID
152 | * Device state (ON/OFF)
153 | * Electric Current
154 | * Power Consumption
155 | * Auto shutdown value as configured in the switcher app
156 | * Auto shutdown counter
157 | 
158 | **[i]** This feature **DOES NOT** require the **switcherIP**, **phone_id**, **device_id**, **device_pass** parameters in order to operate
159 | 
160 | <pre> ~# python switcher.py discover</pre>
161 | 
162 | ![alt text](https://raw.githubusercontent.com/NightRang3r/Switcher-V2-Python/master/.Screenshots/discover.png)
163 | 
164 | 
165 | ### Configure Switcher in Access Point Mode
166 | 
167 | **[i]** This feature **DOES NOT** require the **switcherIP**, **phone_id**, **device_id**, **device_pass** parameters in order to operate
168 | 
169 | This feature will allow you to configure your switcher device without the official application directly from this script!
170 | This is a guided process that allowes you to associate you device to your WiFi network.
171 | 
172 | Please make sure the switcher device is in **ACCESS POINT MODE** by holding the WiFi configuration button on the switcher device for 10 seconds (until you see the blue led blinking fast) and that you are connected to the WiFi network **"Switcher Boiler XXXX"**
173 | 
174 | **WARNING::: You will not be able to control your switcher from your mobile device anymore**, But, You can always reconfigure your switcher using the official app in order to gain back control via the app but, in order to use with this script/home assistant as well you will need to extract the  **switcherIP**, **phone_id**, **device_id**, **device_pass** and configure them in the script/home assistant component as described in this readme file.
175 | 
176 | __Why and when use this feature ?__
177 | 
178 | 1. You don't own a smart phone / tablet or you want to control your device using this script or Home Assistant **ONLY!**
179 | 2. The switcher app or service are not available anymore.
180 | 
181 | You don't need to configure anything in the script in order to use this feature, It will produce the necessary parameters required by this script or the home assistant component for controling the device.
182 | 
183 | <pre> ~# python switcher.py configure</pre>
184 | 
185 | ![alt text](https://raw.githubusercontent.com/NightRang3r/Switcher-V2-Python/master/.Screenshots/configure.png)
186 | 
187 | 
188 | 
189 | 
190 | ### Turn off Switcher
191 | 
192 | <pre> ~# python switcher.py 0</pre>
193 | 
194 | ### Turn on Switcher
195 | 
196 | <pre> ~# python switcher.py 1</pre>
197 | 
198 | ### Turn on Switcher for X minutes
199 | 
200 | Value can be 1-60 minutes
201 | 
202 | <pre> ~# python switcher.py t10</pre>
203 | <pre> ~# python switcher.py t30</pre>
204 | <pre> ~# python switcher.py t60</pre>
205 | 
206 | ### Get Switcher State
207 | 
208 | Get state will disaply the following information:
209 | 
210 | * Device Name
211 | * Device state (ON/OFF)
212 | * Electric Current
213 | * Power Consumption
214 | * Auto shutdown value as configured in the switcher app
215 | * Auto shutdown counter
216 | 
217 | Example:
218 | 
219 | <pre> ~# python switcher.py 2</pre>
220 | 
221 | 
222 | ### Set Auto shutdown 
223 | 
224 | This will change the Auto shutdown value for your switcher device and will override the app setting, the change will reflect in the switcher app.
225 | 
226 | Value can be 01:00 - 23:59
227 | 
228 | Format:
229 | 
230 | <pre> ~# python switcher.py mHH:MM</pre>
231 | 
232 | Here are some examples:
233 | 
234 | 3 hours example:
235 | <pre> ~# python switcher.py m03:00</pre>
236 | 
237 | 3 hours and 30 minutes example:
238 | <pre> ~# python switcher.py m03:30 </pre>
239 | 
240 | ### Schedules Information
241 | 
242 | The schedules time zone is set based on the time configured in the computer that is running this script, In case of clock/time zone changes (SUMMER/WINTER) you will need to delete the existing schedules and create them again!
243 | 
244 | ### Schedule retrieval
245 | 
246 | <pre> ~# python switcher.py list </pre>
247 | 
248 | ![alt text](https://raw.githubusercontent.com/NightRang3r/Switcher-V2-Python/master/.Screenshots/schedule.png)
249 | 
250 | ### Create Schedule
251 | 
252 | <pre> ~# python switcher.py create </pre>
253 | 
254 | Step 1: When prompted enter a day you would like to schedule and type "exit" or press the enter key when finished
255 | Available options: sun, mon, tue, wed, thu, fri, sat
256 | Or use: "all" to select all days or "once" for one time only schedule
257 | 
258 | Step 2: When prompted enter start time in the following format: HH:MM
259 | 
260 | Step 3: When prompted enter end time in the following format: HH:MM
261 | 
262 | ![alt text](https://raw.githubusercontent.com/NightRang3r/Switcher-V2-Python/master/.Screenshots/create_sch.png)
263 | 
264 | 
265 | 
266 | ### Delete Schedule
267 | 
268 | This will show a all the schedule entries with the ID's, You will be prompted to enter a valid ID
269 | 
270 | <pre> ~# python switcher.py del </pre>
271 | 
272 | ![alt text](https://raw.githubusercontent.com/NightRang3r/Switcher-V2-Python/master/.Screenshots/delete.png)
273 | 
274 | 
275 | ### Enable Schedule
276 | 
277 | This will show a all the schedule entries with the ID's, You will be prompted to enter a valid ID
278 | 
279 | <pre> ~# python switcher.py enable </pre>
280 | 
281 | 
282 | ### Disable Schedule
283 | 
284 | This will show a all the schedule entries with the ID's, You will be prompted to enter a valid ID
285 | 
286 | <pre> ~# python switcher.py disable </pre>
287 | 
288 | 
289 | 
290 | ### Change device name
291 | 
292 | This will allow you to change your switcher device name
293 | 
294 | <pre> ~# python switcher.py nNAME </pre>
295 | 
296 | <pre> ~# python switcher.py nBoiler </pre>
297 | 
298 | <pre> ~# python switcher.py nSwitcher </pre>
299 | 


--------------------------------------------------------------------------------
/Switcher V2 Rooted Device.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NightRang3r/Switcher-V2-Python/7240bf1faef87d3dc1d642420bb66fe83538579b/Switcher V2 Rooted Device.pdf


--------------------------------------------------------------------------------
/Switcher V2 UnRooted Device.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/NightRang3r/Switcher-V2-Python/7240bf1faef87d3dc1d642420bb66fe83538579b/Switcher V2 UnRooted Device.pdf


--------------------------------------------------------------------------------
/extractV3.py:
--------------------------------------------------------------------------------
  1 | # Reverse Engineering and coding by Aviad Golan @AviadGolan and Shai Rod @NightRang3r
  2 | 
  3 | #!/usr/bin/env python
  4 | 
  5 | import binascii as ba
  6 | import time
  7 | import struct
  8 | import socket
  9 | import sys
 10 | import os
 11 | import datetime
 12 | import re
 13 | import signal
 14 | 
 15 | ########## CHANGE TO YOUR PARAMS ##########
 16 | switcherIP = "0.0.0.0" 
 17 | device_id = "000000"
 18 | device_pass = "00000000"
 19 | UDP_IP = "0.0.0.0"
 20 | UDP_PORT = 20002
 21 | sCommand = "0"
 22 | ########## DO NOT CHANGE BYOND THIS LINE  ##########
 23 | 
 24 | if len(sys.argv) != 2:
 25 | 	print "\r\n********* Usage: ./" + sys.argv[0] + " phone_id *********\r\n"
 26 | 	sys.exit()
 27 | 
 28 | phone_id = sys.argv[1]
 29 | 
 30 | def crcSignFullPacketComKey(pData, pKey):
 31 | 	crc = ba.hexlify(struct.pack('>I', ba.crc_hqx(ba.unhexlify(pData), 0x1021)))
 32 | 	pData = pData + crc[6:8] + crc[4:6]
 33 | 	crc = crc[6:8] + crc[4:6] + ba.hexlify( pKey )
 34 | 	crc = ba.hexlify(struct.pack('>I', ba.crc_hqx(ba.unhexlify(crc), 0x1021)))
 35 | 	pData = pData + crc[6:8] + crc[4:6]
 36 | 	return pData
 37 | 
 38 | def getTS():
 39 | 	return ba.hexlify(struct.pack('<I', int(round(time.time())))) 
 40 | 
 41 | def sTimer(sMinutes):
 42 |     sSeconds = int(sMinutes) * 60
 43 |     sDelay = struct.pack('<I', sSeconds)
 44 |     return ba.hexlify(sDelay)
 45 | 
 46 | 
 47 | def sigint_handler(signum, frame):
 48 | 	print '[+] Stopped...'
 49 | 	sys.exit(0)
 50 | 
 51 |  
 52 | signal.signal(signal.SIGINT, sigint_handler)
 53 | 
 54 | ############# DO NOT CHANGE ############
 55 | pSession = "00000000"
 56 | pKey = "00000000000000000000000000000000"
 57 | ############# DO NOT CHANGE ############
 58 | 
 59 | 
 60 | print """
 61 | 		=========================================================
 62 | 	   	+ Switcher V2 Python                                    +
 63 | 	 	+ Reverse Engineering and Coding By:                    +
 64 | 	 	+ Aviad Golan (@AviadGolan) and Shai Rod (@NightRang3r) +
 65 | 	 	=========================================================
 66 | 	 """
 67 | 	
 68 | try:
 69 | 	sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) 
 70 | 	sock.bind((UDP_IP, UDP_PORT))
 71 | 	while True:
 72 | 		print "[*] Waiting for broadcast from Switcher device..."
 73 | 		data, addr = sock.recvfrom(1024) 
 74 | 		if ba.hexlify(data)[0:4] != "fef0" and len(data) != 165:
 75 | 				print "[!] Not a switcher broadcast message!"
 76 | 		else:
 77 | 			b = ba.hexlify(data)[152:160]
 78 | 			ip_addr = int(b[6:8] + b[4:6] + b[2:4] + b[0:2] , 16)
 79 | 			switcherIP = socket.inet_ntoa(struct.pack("<L", ip_addr))
 80 | 			device_id = ba.hexlify(data)[36:42]
 81 | 			print "[+] Device ID: " + device_id
 82 | 			break
 83 | 
 84 | except Exception as e:
 85 | 	print("[!] Something went wrong...")
 86 | 	print "[!] " + str(e)
 87 | 
 88 | try:
 89 | 	s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 90 | 	s.connect((switcherIP, 9957)) 
 91 | 	
 92 | 	data = "fef052000232a100" + pSession + "340001000000000000000000"  + getTS() + "00000000000000000000f0fe1c00" + phone_id + "0000" + device_pass + "00000000000000000000000000000000000000000000000000000000"
 93 | 	data = crcSignFullPacketComKey(data, pKey)
 94 | 	print ("[*] Sending Login Packet to Switcher...")
 95 | 	s.send(ba.unhexlify(data))
 96 | 	res = s.recv(1024)
 97 | 	pSession2 = ba.hexlify(res)[16:24]
 98 | 	if not pSession2:
 99 | 		s.close()
100 | 		print ("[!] Operation failed, Could not acquire SessionID, Please try again...")
101 | 		sys.exit()
102 | 	else:
103 | 		data = "fef0300002320103" + pSession2 + "340001000000000000000000" + getTS() + "00000000000000000000f0fe" + device_id + "00"
104 | 		data = crcSignFullPacketComKey(data, pKey)
105 | 		s.send(ba.unhexlify(data))
106 | 		res = s.recv(1024)
107 | 		print ("[+] Received SessionID: " + pSession2)	
108 | 		print "[+] Using Phone ID: " + phone_id
109 | 		brute_start = time.time()			
110 | 		for i in range(0, 9999):
111 | 			device_pass = ba.hexlify("%04d"%(i))
112 | 			sys.stdout.write("\r[*] Brute forcing Device Password, Please wait:" + device_pass)
113 | 			sys.stdout.flush()
114 | 			data = "fef05d0002320102" + pSession2 + "340001000000000000000000" + getTS() + "00000000000000000000f0fe" + device_id + "00" + phone_id + "0000" + device_pass + "000000000000000000000000000000000000000000000000000000000106000" + sCommand + "0000000000"
115 | 			data = crcSignFullPacketComKey(data, pKey)
116 | 			s.send(ba.unhexlify(data))
117 | 			res = s.recv(1024)
118 | 			if len(res) > 44 and len(res) < 60:
119 | 				brute_end = time.time()
120 | 				total_time= time.strftime("%H:%M:%S", time.gmtime(brute_end-brute_start))
121 | 				print "\r\n[+] Found password in: " + total_time
122 | 				print "[+] Switcher IP: " +  addr[0]
123 | 				print "[+] Device ID: " + device_id
124 | 				print "[+] Phone ID:" + phone_id
125 | 				print "[+] Device Password: " + device_pass
126 | 				s.close()
127 | 				file = open('switcher.txt', 'w') 
128 | 				file.write("switcherIP = " +  '"' + addr[0] + '"\r')
129 | 				file.write("phone_id = " + '"' +  phone_id + '"\r')
130 | 				file.write("device_id = " + '"' + device_id + '"\r')
131 | 				file.write("device_pass = " + '"' + device_pass + '"\r')
132 | 				file.close() 
133 | 				print "[+] Information was written to " + os.getcwd() + "/switcher.txt"
134 | 				sys.exit()
135 | except Exception as e:
136 | 	print("[!] Something went wrong...")
137 | 	print "[!] " + str(e)
138 | 
139 | 
140 | 


--------------------------------------------------------------------------------
/switcher.py:
--------------------------------------------------------------------------------
  1 | # Reverse Engineering and coding by Aviad Golan @AviadGolan and Shai Rod @NightRang3r
  2 | 
  3 | #!/usr/bin/env python
  4 | 
  5 | import binascii as ba
  6 | import time
  7 | import struct
  8 | import socket
  9 | import sys
 10 | import os
 11 | import datetime
 12 | import re
 13 | import signal
 14 | 
 15 | ########## CHANGE TO YOUR PARAMS ##########
 16 | switcherIP = "0.0.0.0" 
 17 | phone_id = "0000"  
 18 | device_id = "000000"
 19 | device_pass = "00000000"
 20 | ########## DO NOT CHANGE BYOND THIS LINE  ##########
 21 | 
 22 | 
 23 | UDP_IP = "0.0.0.0"
 24 | UDP_PORT = 20002
 25 | 
 26 | id_list = []
 27 | data_list = []
 28 | 
 29 | 
 30 | def banner():
 31 | 	print """
 32 | 		=========================================================
 33 | 	   	+ Switcher V2 Python                                    +
 34 | 	 	+ Reverse Engineering and Coding By:                    +
 35 | 	 	+ Aviad Golan (@AviadGolan) and Shai Rod (@NightRang3r) +
 36 | 	 	=========================================================	 
 37 | """
 38 | 	print "Usage:\r"
 39 | 	print "======\r"
 40 | 	print "Off command:" + " ./" + sys.argv[0] + " 0\r"
 41 | 	print "On command:" + " ./" + sys.argv[0] + " 1\r"
 42 | 	print "On command duration in minutes:" + " ./" + sys.argv[0] + " t30\r"
 43 | 	print "Get State:" + " ./" + sys.argv[0] + " 2\r"
 44 | 	print "Set Auto shutdown setting (in hours):" + " ./" + sys.argv[0] + " m03:00\r"
 45 | 	print "Retrieve Schedule from device:"  + " ./" + sys.argv[0] + " list\r"
 46 | 	print "Create a Schedule:" +  " ./" + sys.argv[0] + " create\r"
 47 | 	print "Delete Schedule from device:" + " ./" + sys.argv[0] + " del\r"
 48 | 	print "Enable Schedule:" + " ./" + sys.argv[0] + " enable\r"
 49 | 	print "Disable Schedule:" + " ./" + sys.argv[0] + " disable\r"
 50 | 	print "Change switcher name:" " ./" + sys.argv[0] + " nNAME\r"
 51 | 	print "Auto detect Switcher IP Address and state:" + " ./" + sys.argv[0] + " discover\r"
 52 | 	print "Configure Switcher in AP Mode:" + " ./" + sys.argv[0] + " configure\r"
 53 | 	print "Auto Extract the needed values for this script (device_id, phone_id and device_pass):" + " ./" + sys.argv[0] + " extract\r\n"
 54 | 	sys.exit (1)
 55 | 
 56 | if len (sys.argv) != 2:
 57 | 	banner()
 58 | elif sys.argv[1] == "0":
 59 | 	sCommand = "0"
 60 | elif sys.argv[1] == "1":
 61 | 	sCommand = "1"
 62 | elif sys.argv[1] == "2":
 63 | 	sCommand = "2"
 64 | elif sys.argv[1].startswith('t'):
 65 | 	sCommand = "1"
 66 | elif sys.argv[1].startswith('m'):
 67 | 	sCommand = "2"
 68 | elif sys.argv[1].startswith('n'):
 69 | 	sCommand = "2"
 70 | elif  sys.argv[1] == "list":
 71 | 	sCommand = "3"
 72 | elif  sys.argv[1] == "del":
 73 | 	sCommand = "3"
 74 | elif  sys.argv[1] == "create":
 75 | 	sCommand = "3"
 76 | elif  sys.argv[1] == "enable":
 77 | 	sCommand = "3"
 78 | elif  sys.argv[1] == "disable":
 79 | 	sCommand = "3"
 80 | elif  sys.argv[1] == "discover":
 81 | 	sCommand = "3"
 82 | elif sys.argv[1] == "configure":
 83 | 	sCommand = "3"
 84 | elif sys.argv[1] == "extract":
 85 | 	sCommand = "3"
 86 | else:
 87 | 	banner()
 88 | 
 89 | # CRC 
 90 | def crcSignFullPacketComKey(pData, pKey):
 91 | 	crc = ba.hexlify(struct.pack('>I', ba.crc_hqx(ba.unhexlify(pData), 0x1021)))
 92 | 	pData = pData + crc[6:8] + crc[4:6]
 93 | 	crc = crc[6:8] + crc[4:6] + ba.hexlify( pKey )
 94 | 	crc = ba.hexlify(struct.pack('>I', ba.crc_hqx(ba.unhexlify(crc), 0x1021)))
 95 | 	pData = pData + crc[6:8] + crc[4:6]
 96 | 	return pData
 97 | 
 98 | # Generate Time Stamp
 99 | def getTS():
100 | 	return ba.hexlify(struct.pack('<I', int(round(time.time())))) 
101 | # Generate Timer value
102 | def sTimer(sMinutes):
103 |     sSeconds = int(sMinutes) * 60
104 |     sDelay = struct.pack('<I', sSeconds)
105 |     return ba.hexlify(sDelay)
106 | 
107 | # Get Power consumption and Elctrical current
108 | def getPower(res):
109 | 	b = ba.hexlify(res)[154:162]
110 | 	i = int(b[2:4]+b[0:2], 16)
111 | 	return "[+] Electric Current is: %.1f" % (i/float(220)) + "(A)\r\n" + "[+] Power consumption is: " + str(i) + "(W)"
112 | 
113 | # Auto shutdown countdown
114 | def sTime(res):
115 | 	b = ba.hexlify(res)[178:186]
116 | 	open_time = int(b[6:8] + b[4:6] + b[2:4] + b[0:2] , 16)
117 | 	m, s = divmod(open_time, 60)
118 | 	h, m = divmod(m, 60)
119 | 	print "[*] Auto shutdown device in: %d:%02d:%02d" % (h, m, s)
120 | 
121 | #  Generate auto shutdown time 
122 | def setAutoClose(hours):
123 | 	h, m = hours.split(':')
124 | 	mSeconds = int(h) * 3600 + int(m) * 60 
125 | 	if mSeconds < 3600:
126 | 		print "[!] Value Can't be less than 1 hour!"
127 | 		sys.exit()
128 | 	elif mSeconds > 86340:
129 | 		print "[!] Value can't be more than 23 hours and 59 minutes!"
130 | 		sys.exit()
131 | 	else:
132 | 		print "[+] Auto shutdown was set to " + str(hours) + " Hour(s)"
133 | 		return ba.hexlify(struct.pack('<I', mSeconds))
134 | 
135 | def getAutoClose(res):
136 | 	b = ba.hexlify(res)[194:202]
137 | 	open_time = int(b[6:8] + b[4:6] + b[2:4] + b[0:2] , 16)
138 | 	m, s = divmod(open_time, 60)
139 | 	h, m = divmod(m, 60)
140 | 	print "[+] Device is configured to auto shutdown in: %d:%02d" % (h, m)  + " hour(s)"
141 | 	
142 | 
143 | days = { 0x80:"Sun", 0x02:"Mon", 0x04:"Tue", 0x08:"Wed", 0x10:"Thu", 0x20:"Fri", 0x40:"Sat"}
144 | hourRe = re.compile(r'^([0-9]|0[0-9]|1[0-9]|2[0-3]):[0-5][0-9]$')
145 | 
146 | 
147 | def getDays(byteVal):
148 | 	retVal = ""
149 | 	for day in days:
150 | 		if ( day & byteVal  != 0x00):
151 | 			retVal = retVal + days[day] + " "
152 | 	return retVal
153 | 
154 | def reverseInd(data):
155 | 	b = data
156 | 	timeStamp = int(b[6:8] + b[4:6] + b[2:4] + b[0:2] , 16)
157 | 	return time.strftime("%H:%M", time.localtime(timeStamp))
158 | 
159 | 
160 | def GetSch(buffer, phone_id):
161 | 	split_string = lambda x, n: [x[i:i+n] for i in range(0, len(x), n)]
162 | 	s = buffer[90:-8]
163 | 	split = split_string(s,32)
164 | 	if len(split) == 0:
165 | 		print "[+] There are no entries on your Schedule"
166 | 		sys.exit()
167 | 	else:
168 | 		for i in range(len(split)):
169 | 			print "\r"
170 | 			print "[+] Schedule ID : " + str(int(split[i][0:2], 16))
171 | 			id_list.append(str(int(split[i][0:2], 16)))
172 | 			if int(split[i][2:4], 16) == 0:
173 | 				print "[+] Enabled: False"
174 | 			elif int(split[i][2:4], 16) == 1:
175 | 				print "[+] Enabled: True"
176 | 			if split[i][4:6] == "00":
177 | 				print "[+] Occurs: Once"
178 | 			elif split[i][4:6] == "fe":
179 | 				print "[+] Occurs: Every Day"
180 | 			else:
181 | 				print "[+] Days: " + getDays(bytearray(ba.unhexlify((split[i][4:6])))[0])
182 | 			print "[+] Start time: " + reverseInd(split[i][8:16])
183 | 			print "[+] End time: " + reverseInd(split[i][16:24])
184 | 			time_id = split[i][0:2]
185 | 			on_off = split[i][2:4]
186 | 			week = split[i][4:6]
187 | 			timstate = split[i][6:8]
188 | 			start_time = reverseInd(split[i][8:16])
189 | 			end_time = reverseInd(split[i][16:24])
190 | 			total_time=(datetime.datetime.strptime(end_time,'%H:%M') - datetime.datetime.strptime(start_time,'%H:%M'))
191 | 			print "[+] Duration: " + str(total_time) + "\n"
192 | 			start_time = split[i][8:16]
193 | 			end_time = split[i][16:24]
194 | 			data_list.append(time_id + on_off + week + timstate + start_time + end_time)
195 | 
196 | 
197 | def sigint_handler(signum, frame):
198 | 	print '[+] Stopped...'
199 | 	sys.exit(0)
200 | 
201 |  
202 | signal.signal(signal.SIGINT, sigint_handler)
203 | 
204 | ############# DO NOT CHANGE ############
205 | pSession = "00000000"
206 | pKey = "00000000000000000000000000000000"
207 | ############# DO NOT CHANGE ############
208 | 
209 | 
210 | print """
211 | 		=========================================================
212 | 	   	+ Switcher V2 Python                                    +
213 | 	 	+ Reverse Engineering and Coding By:                    +
214 | 	 	+ Aviad Golan (@AviadGolan) and Shai Rod (@NightRang3r) +
215 | 	 	=========================================================
216 | 	 """
217 | if sys.argv[1] == "extract":
218 | 	phone_id = "0000"  
219 | 	device_pass = "00000000"
220 | 	UDP_IP = "0.0.0.0"
221 | 	UDP_PORT = 20002
222 | 	sCommand = "0"
223 | 	try:
224 | 		sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) 
225 | 		sock.bind((UDP_IP, UDP_PORT))
226 | 		while True:
227 | 			print "[*] Waiting for broadcast from Switcher device..."
228 | 			data, addr = sock.recvfrom(1024) 
229 | 			if ba.hexlify(data)[0:4] != "fef0" and len(data) != 165:
230 | 					print "[!] Not a switcher broadcast message!"
231 | 			else:
232 | 				b = ba.hexlify(data)[152:160]
233 | 				ip_addr = int(b[6:8] + b[4:6] + b[2:4] + b[0:2] , 16)
234 | 				switcherIP = socket.inet_ntoa(struct.pack("<L", ip_addr))
235 | 				device_id = ba.hexlify(data)[36:42]
236 | 				break
237 | 
238 | 	except Exception as e:
239 | 		print("[!] Something went wrong...")
240 | 		print "[!] " + str(e)
241 | 
242 | 	try:
243 | 		s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
244 | 		s.connect((switcherIP, 9957)) 
245 | 		
246 | 		data = "fef052000232a100" + pSession + "340001000000000000000000"  + getTS() + "00000000000000000000f0fe1c00" + phone_id + "0000" + device_pass + "00000000000000000000000000000000000000000000000000000000"
247 | 		data = crcSignFullPacketComKey(data, pKey)
248 | 		print ("[*] Sending Login Packet to Switcher...")
249 | 		s.send(ba.unhexlify(data))
250 | 		res = s.recv(1024)
251 | 		pSession2 = ba.hexlify(res)[16:24]
252 | 		if not pSession2:
253 | 			s.close()
254 | 			print ("[!] Operation failed, Could not acquire SessionID, Please try again...")
255 | 			sys.exit()
256 | 		else:
257 | 			data = "fef0300002320103" + pSession2 + "340001000000000000000000" + getTS() + "00000000000000000000f0fe" + device_id + "00"
258 | 			data = crcSignFullPacketComKey(data, pKey)
259 | 			s.send(ba.unhexlify(data))
260 | 			res = s.recv(1024)
261 | 			print ("[+] Received SessionID: " + pSession2)
262 | 			print ('\r\nInstructions:\r')
263 | 			print ('\r\nOpen your Switcher App, perform one of the following actions and press the "Enter" key immediately:\r\n1. Click the "Update" button in the "Auto Shutdown" screen, or...\n2. Turn on device\n')
264 | 			message  = raw_input('[+] Press the "Enter" key to continue...')
265 | 			print ("[*] Waiting for a valid Phone ID Packet...")
266 | 			data = "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
267 | 			s.send(ba.unhexlify(data))
268 | 			res = s.recv(1024)
269 | 			if len(res) != 87:
270 | 				print "[!] Failed to get data, Please try again!"
271 | 				s.close()
272 | 				sys.exit()
273 | 			else:
274 | 				print "[+] Found Phone ID Packet!"
275 | 				brute_start = time.time()			
276 | 				phone_id = ba.hexlify(res)[156:160]
277 | 				for i in range(0, 9999):
278 | 					device_pass = ba.hexlify("%04d"%(i))
279 | 					sys.stdout.write("\r[*] Brute forcing Device Password, Please wait:" + device_pass)
280 | 					sys.stdout.flush()
281 | 					data = "fef05d0002320102" + pSession2 + "340001000000000000000000" + getTS() + "00000000000000000000f0fe" + device_id + "00" + phone_id + "0000" + device_pass + "000000000000000000000000000000000000000000000000000000000106000" + sCommand + "0000000000"
282 | 					data = crcSignFullPacketComKey(data, pKey)
283 | 					s.send(ba.unhexlify(data))
284 | 					res = s.recv(1024)
285 | 					if len(res) > 44 and len(res) < 60:
286 | 						brute_end = time.time()
287 | 						total_time= time.strftime("%H:%M:%S", time.gmtime(brute_end-brute_start))
288 | 						print "\r\n[+] Found password in: " + total_time
289 | 						print "[+] Switcher IP: " +  addr[0]
290 | 						print "[+] Device ID: " + device_id
291 | 						print "[+] Phone ID:" + phone_id
292 | 						print "[+] Device Password: " + device_pass
293 | 						s.close()
294 | 						file = open('switcher.txt', 'w') 
295 | 						file.write("switcherIP = " +  '"' + addr[0] + '"\r')
296 | 						file.write("phone_id = " + '"' +  phone_id + '"\r')
297 | 						file.write("device_id = " + '"' + device_id + '"\r')
298 | 						file.write("device_pass = " + '"' + device_pass + '"\r')
299 | 						file.close() 
300 | 						print "[+] Information was written to " + os.getcwd() + "/switcher.txt"
301 | 						sys.exit()
302 | 	except Exception as e:
303 | 		print("[!] Something went wrong...")
304 | 		print "[!] " + str(e)
305 | 
306 | 
307 | if sys.argv[1] == "discover":
308 | 	try:
309 | 		sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) 
310 | 		sock.bind((UDP_IP, UDP_PORT))
311 | 		while True:
312 | 			print "[*] Waiting for broadcast from Switcher device...(Press CTRL+C to abort)"
313 | 			data, addr = sock.recvfrom(1024) 
314 | 			if ba.hexlify(data)[0:4] != "fef0" and len(data) != 165:
315 | 				print "[!] Not a switcher broadcast message!"
316 | 			else:
317 | 				b = ba.hexlify(data)[152:160]
318 | 				ip_addr = int(b[6:8] + b[4:6] + b[2:4] + b[0:2] , 16)
319 | 				print "[+] Switcher IP Address: " + socket.inet_ntoa(struct.pack("<L", ip_addr))
320 | 				print "[+] Switcher MAC Address: " + ba.hexlify(data)[160:172].upper()
321 | 				print "[+] Switcher Name: " + data[42:74]
322 | 				print "[+] Device ID: " + ba.hexlify(data)[36:42]
323 | 				if ba.hexlify(data)[266:270] == "0000":
324 | 					print "[+] Device is OFF"
325 | 				else:
326 | 					print "[+] Device is ON" 
327 | 				b = ba.hexlify(data)[310:318]
328 | 				open_time = int(b[6:8] + b[4:6] + b[2:4] + b[0:2] , 16)
329 | 				imin = open_time / 60 % 60
330 | 				ihour = open_time / 60 / 60
331 | 				isec = open_time - ((imin * 60) + (ihour * 3600))
332 | 				print "[*] Device is set to auto shutdown in: " + (str(ihour) + " Hour(s) " + str(imin) + " Minute(s) " + str(isec) + " Second(s)")
333 | 				
334 | 				b = ba.hexlify(data)[294:302]
335 | 				open_time = int(b[6:8] + b[4:6] + b[2:4] + b[0:2] , 16)
336 | 				m, s = divmod(open_time, 60)
337 | 				h, m = divmod(m, 60)
338 | 				print "[*] Auto shutdown device in: %d:%02d:%02d" % (h, m, s)
339 | 				b = ba.hexlify(data)[270:278]
340 | 				i = int(b[2:4]+b[0:2], 16)
341 | 				print "[+] Electric Current is: %.1f" % (i/float(220)) + "(A)\r\n" + "[+] Power consumption is: " + str(i) + "(W)\r\n"
342 | 				
343 | 	except Exception as e:
344 | 		print("[!] Something went wrong...")
345 | 		print "[!] " + str(e)
346 | 
347 | 
348 | if sys.argv[1] == "configure":
349 | 	print "\r\n****** WARNING ******\r"
350 | 	print "\rUse this option to configure your switcher to work with this script/home assistant component only or if you don't have a smartphone or the switcher app/servers are no longer available, You won't be able to control it using the official switcher app unless you reset your switcher and reconfigure it using the app again!!!\r"
351 | 	print "\r****** WARNING ******\r\n"
352 | 	phone_id = "00000000"
353 | 
354 | 	completeFlag = False
355 | 	while True and not completeFlag:	
356 | 		message  = raw_input('Choose a Device Password: ')
357 | 		if ((not message and not completeFlag)) or ((len(message)) != 8) or not (message.isdigit()):
358 | 			print "[!] Please enter an 8 digit password"
359 | 		else:
360 | 			device_pass = message + "00000000000000000000000000000000000000000000000000000000"
361 | 			admin_pass = device_pass
362 | 			break
363 | 
364 | 	completeFlag = False
365 | 	while True and not completeFlag:	
366 | 		message  = raw_input('Enter WiFi SSID: ')
367 | 		if ((not message and not completeFlag)) or ((len(message)) < 1):
368 | 			print "[!] Please enter Wifi SSID"
369 | 		else:
370 | 			ssid = ba.hexlify(message) + (32-len(message))*"00"
371 | 			break
372 | 
373 | 	completeFlag = False
374 | 	while True and not completeFlag:	
375 | 		message  = raw_input('Enter WiFi Password: ')
376 | 		if ((not message and not completeFlag)) or ((len(message)) < 8):
377 | 			print "[!] Wifi Password needs to be at least 8 chars!"
378 | 		else:
379 | 			wifi_pass = ba.hexlify(message) + (32-len(message))*"00"
380 | 			break
381 | 
382 | 	print '\r\n*** Please make sure the switcher device is in ACCESS POINT MODE by holding the wifi configuration button on the switcher device for 10 seconds (until you see the blue led blinking fast) and that you are connected to the WiFi network "Switcher Boiler XXXX" ***\r\n'
383 | 	message  = raw_input('If your switcher is in access point mode press enter to continue...')
384 | 
385 | 	try:
386 | 		sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) 
387 | 		sock.bind((UDP_IP, UDP_PORT))
388 | 		print "[*] Waiting for broadcast from Switcher device...(Press CTRL+C to abort)"
389 | 		while True:
390 | 			data, addr = sock.recvfrom(1024) 
391 | 			if (( ba.hexlify(data)[0:4] != "fef0" and len(data) != 165 )) or (( addr[0] != "192.168.1.1" )) or (( addr[0] != "192.168.4.1" )):
392 | 				print "[!] Not a switcher configuration broadcast message!"
393 | 			else:
394 | 				b = ba.hexlify(data)[152:160]	 
395 | 				switcherIP = addr[0]
396 | 				device_id = ba.hexlify(data)[36:42] + "000000"
397 | 				print "[+] Switcher Access Point Address: " + addr[0]
398 | 				print "[+] Device ID: " + ba.hexlify(data)[36:42]
399 | 				sock.close()
400 | 				break
401 | 	except Exception as e:
402 | 		print("[!] Something went wrong...")
403 | 		print "[!] " + str(e)
404 | 
405 | 	try:
406 | 		s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
407 | 		s.connect((switcherIP, 9957)) 
408 | 		data = "fef0b1000232a20000000000340001000000" + device_id + getTS() + "00000000000000000000f0fe" + phone_id + device_pass + admin_pass + ssid + wifi_pass + "01"
409 | 		data = crcSignFullPacketComKey(data, pKey)
410 | 		s.send(ba.unhexlify(data))
411 | 		res = s.recv(1024)
412 | 		s.close()
413 | 		print "[+] Phone ID: " + phone_id[0:4]
414 | 		print "[+] Device password: " + device_pass[0:8]
415 | 		file = open('switcher.txt', 'w') 
416 | 		file.write("phone_id = " + '"' +  phone_id[0:4] + '"\r')
417 | 		file.write("device_id = " + '"' + device_id[0:6]  + '"\r')
418 | 		file.write("device_pass = " + '"' + device_pass[0:8] + '"\r')
419 | 		file.close() 
420 | 		print "[+] Information was written to " + os.getcwd() + "/switcher.txt"
421 | 		print ("[+] Done!")
422 | 		s.close()
423 | 		sys.exit()
424 | 
425 | 	except Exception as e:
426 | 		print("[!] Something went wrong...")
427 | 		print "[!] " + str(e)
428 | 
429 | 
430 | try:
431 | 	time.sleep(3)
432 | 	s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
433 | 	s.connect((switcherIP, 9957)) 
434 | 	data = "fef052000232a100" + pSession + "340001000000000000000000"  + getTS() + "00000000000000000000f0fe1c00" + phone_id + "0000" + device_pass + "00000000000000000000000000000000000000000000000000000000"
435 | 	data = crcSignFullPacketComKey(data, pKey)
436 | 	print ("[*] Sending Login Packet to Switcher...")
437 | 	s.send(ba.unhexlify(data))
438 | 	res = s.recv(1024)
439 | 	pSession2 = ba.hexlify(res)[16:24]
440 | 	if not pSession2:
441 | 		s.close()
442 | 		print ("[!] Operation failed, Could not acquire SessionID, Please try again...")
443 | 		sys.exit()
444 | 	else:
445 | 		print ("[+] Received SessionID: " + pSession2)
446 | 
447 | 	data = "fef0300002320103" + pSession2 + "340001000000000000000000" + getTS() + "00000000000000000000f0fe" + device_id + "00"
448 | 	data = crcSignFullPacketComKey(data, pKey)
449 | 	print ("[*] Getting Switcher state...")
450 | 	s.send(ba.unhexlify(data))
451 | 	res = s.recv(1024)
452 | 	print "[+] Device Name: " + res[40:72]
453 | 	state = ba.hexlify(res)[150:154]
454 | 	if sys.argv[1] == "0" and state == "0000":
455 | 		s.close()
456 | 		print "[+] Device is already OFF"
457 | 		print getPower(res)
458 | 		sys.exit()
459 | 	elif sys.argv[1] == "1" and state == "0100":
460 | 		s.close()
461 | 		print "[+] Device is already ON"
462 | 		print getPower(res)
463 | 		sTime(res)
464 | 		sys.exit()
465 | 	elif sys.argv[1] == "2" and state == "0100":
466 | 		s.close()
467 | 		print "[+] Device is ON"
468 | 		print getPower(res)
469 | 		getAutoClose(res)
470 | 		sTime(res)
471 | 		sys.exit()
472 | 	elif sys.argv[1] == "2" and state == "0000":
473 | 		s.close()
474 | 		print "[+] Device is OFF"
475 | 		print getPower(res)
476 | 		getAutoClose(res)
477 | 		sys.exit()
478 | 	elif sys.argv[1].startswith('t'):
479 | 		try:
480 | 			sMinutes = int(sys.argv[1][1:])
481 | 		except:
482 | 			print ("[!] " + sys.argv[1][1:] + " Is not a valid number!")
483 | 			sys.exit()
484 | 		if sMinutes > 0 and sMinutes <=60:
485 | 			print "[+] Turning Switcher ON for " + str(sMinutes) + " minutes..."
486 | 			data = "fef05d0002320102" + pSession2 + "340001000000000000000000" + getTS() + "00000000000000000000f0fe" + device_id + "00" + phone_id + "0000" + device_pass + "000000000000000000000000000000000000000000000000000000000106000" + sCommand + "00"  + sTimer(sMinutes)
487 | 			data = crcSignFullPacketComKey(data, pKey)
488 | 			s.send(ba.unhexlify(data))
489 | 			res = s.recv(1024)
490 | 			s.close()
491 | 			print ("[+] Done!")
492 | 		else:
493 | 			print "[!] Enter a value between 1-60 minutes"
494 | 			sys.exit()
495 | 	elif sys.argv[1].startswith('m'):
496 | 		if not hourRe.match(sys.argv[1][1:]):
497 | 			print "[!] Please enter a value between 01:00 - 23:59"
498 | 			sys.exit()
499 | 	
500 | 		else:
501 | 			auto_close = setAutoClose(sys.argv[1][1:])
502 | 			data ="fef05b0002320102" + pSession2 + "340001000000000000000000" + getTS() + "00000000000000000000f0fe" + device_id + "00" + phone_id + "0000" + device_pass + "00000000000000000000000000000000000000000000000000000000040400" + auto_close
503 | 			data = crcSignFullPacketComKey(data, pKey)
504 | 			s.send(ba.unhexlify(data))
505 | 			res = s.recv(1024)
506 | 			s.close()
507 | 	elif sys.argv[1] == "list":
508 | 		print "[*] Retrieving schedule from device..."
509 | 		data = "fef0570002320102" + pSession2 + "340001000000000000000000" + getTS() + "00000000000000000000f0fe" + device_id + "00" + phone_id + "0000" + device_pass + "00000000000000000000000000000000000000000000000000000000060000"
510 | 		data = crcSignFullPacketComKey(data, pKey)
511 | 		s.send(ba.unhexlify(data))
512 | 		res = s.recv(1024)
513 | 		GetSch(ba.hexlify(res), phone_id + "0000")
514 | 		s.close()
515 | 	elif sys.argv[1] == "del":
516 | 		print "[*] Retrieving schedule from device..."
517 | 		data = "fef0570002320102" + pSession2 + "340001000000000000000000" + getTS() + "00000000000000000000f0fe" + device_id + "00" + phone_id + "0000" + device_pass + "00000000000000000000000000000000000000000000000000000000060000"
518 | 		data = crcSignFullPacketComKey(data, pKey)
519 | 		s.send(ba.unhexlify(data))
520 | 		res = s.recv(1024)
521 | 		GetSch(ba.hexlify(res), phone_id + "0000")
522 | 		
523 | 		completeFlag = False
524 | 		while True and not completeFlag:	
525 | 			message  = raw_input('Enter The Schedule ID you want to Delete: ')
526 | 			if not message and not completeFlag:
527 | 				print "[!] Please enter a valid ID"
528 | 			else:
529 | 				if message not in id_list:
530 | 					print "[!] ID does not exist"
531 | 				else:
532 | 					completeFlag = True
533 | 					sch_id = "0" + message
534 | 					data = "fef0580002320102" + pSession2 + "340001000000000000000000" + getTS() + "00000000000000000000f0fe" + device_id + "00" + phone_id + "0000" + device_pass + "00000000000000000000000000000000000000000000000000000000080100" + sch_id
535 | 					data = crcSignFullPacketComKey(data, pKey)
536 | 					s.send(ba.unhexlify(data))
537 | 					res = s.recv(1024)
538 | 					s.close()
539 | 					print "[+] Entry " + message + " has been deleted"
540 | 					print ("[+] Done!")
541 | 	
542 | 	elif sys.argv[1] == "create":
543 | 
544 | 		print "[*] Retrieving schedule from device..."
545 | 		data = "fef0570002320102" + pSession2 + "340001000000000000000000" + getTS() + "00000000000000000000f0fe" + device_id + "00" + phone_id + "0000" + device_pass + "00000000000000000000000000000000000000000000000000000000060000"
546 | 		data = crcSignFullPacketComKey(data, pKey)
547 | 		s.send(ba.unhexlify(data))
548 | 		res = s.recv(1024)
549 | 		if int(ba.hexlify(res[44:45]),16) == 8:
550 | 			print "[!] You can't create more than 8 entries"
551 | 			s.close()
552 | 			sys.exit()
553 | 
554 | 		all_days = []
555 | 		
556 | 		day_of_week = { "sun":128, "mon":2, "tue":4, "wed":8, "thu":16, "fri":32, "sat":64, "all":254, "once":0 }
557 | 		print '\r\nEnter a day you would like to schedule and type "exit" or press the enter key when finished\r'
558 | 		print "Available options: sun, mon, tue, wed, thu, fri, sat\r"
559 | 		print 'Or use: "all" to select all days or "once" for one time only schedule\r' 
560 | 		completeFlag = False
561 | 		while True:
562 | 			s_days = raw_input('Enter day: ')
563 | 			if (((not s_days and completeFlag)) or (s_days == "exit" and completeFlag)):
564 | 				break
565 | 			elif s_days not in day_of_week:
566 | 				print "[!] Please enter a valid value"
567 | 			else:
568 | 				all_days.append(day_of_week[s_days])
569 | 				completeFlag = True
570 | 
571 | 		
572 | 		completeFlag = False
573 | 		while True and not completeFlag:
574 | 			start_time = raw_input('Enter start time (HH:MM): ')
575 | 			if (not start_time or not hourRe.match(start_time)):
576 | 				print "[!] Please enter a valid value"
577 | 			else:
578 | 				completeFlag = True
579 | 				start_time = time.mktime(time.strptime(time.strftime("%d/%m/%Y") + ' ' + start_time, "%d/%m/%Y %H:%M"))  
580 | 				start_time = ba.hexlify(struct.pack('<I', int(start_time)))
581 | 			
582 | 		completeFlag = False
583 | 		while True and not completeFlag:
584 | 			end_time = raw_input('Enter end time (HH:MM): ')
585 | 			if (not end_time or not hourRe.match(end_time)):
586 | 				print "[!] Please enter a valid value"
587 | 			else:
588 | 				completeFlag = True
589 | 				end_time = time.mktime(time.strptime(time.strftime("%d/%m/%Y") + ' ' + end_time, "%d/%m/%Y %H:%M")) 
590 | 				end_time = ba.hexlify(struct.pack('<I', int(end_time)))
591 | 		print "[+] Schedule request sent to device..."
592 | 		on_off = "01" # enabled / disabled
593 | 		week = "%02x" % (int(sum(all_days)))
594 | 		timstate = "01" 
595 | 		start_time = start_time
596 | 		end_time = end_time
597 | 		data = "fef0630002320102" + pSession2 + "340001000000000000000000" + getTS() + "00000000000000000000f0fe" + device_id + "00" + phone_id + "0000" + device_pass + "00000000000000000000000000000000000000000000000000000000030c00ff" + on_off + week + timstate + start_time + end_time
598 | 		data = crcSignFullPacketComKey(data, pKey)
599 | 		s.send(ba.unhexlify(data))
600 | 		res = s.recv(1024)
601 | 		s.close()
602 | 		print "[+] Done!"
603 | 	
604 | 	elif sys.argv[1].startswith('n'):
605 | 		if len(sys.argv[1][1:]) > 32 or len(sys.argv[1][1:]) < 1:
606 | 			print "[!] You must enter a minimum string of 1 char maximum 64 chars"
607 | 			sys.exit()
608 | 		else:
609 | 			print "[*] Changing device name from " + res[40:72] + " to: " + sys.argv[1][1:]
610 | 			switcher_name = ba.hexlify(sys.argv[1][1:]) + (32-len(sys.argv[1][1:]))*"00"
611 | 			data = "fef0740002320202" + pSession2 + "340001000000000000000000" + getTS() + "00000000000000000000f0fe" + device_id + "00" + phone_id + "0000" + device_pass + "00000000000000000000000000000000000000000000000000000000" + switcher_name
612 | 			data = crcSignFullPacketComKey(data, pKey)
613 | 			s.send(ba.unhexlify(data))
614 | 			res = s.recv(1024)
615 | 			s.close()
616 | 			print "[+] Done!"
617 | 	elif sys.argv[1] == "enable":
618 | 		data = "fef0570002320102" + pSession2 + "340001000000000000000000" + getTS() + "00000000000000000000f0fe" + device_id + "00" + phone_id + "0000" + device_pass + "00000000000000000000000000000000000000000000000000000000060000"
619 | 		data = crcSignFullPacketComKey(data, pKey)
620 | 		s.send(ba.unhexlify(data))
621 | 		res = s.recv(1024)
622 | 		GetSch(ba.hexlify(res), phone_id + "0000")
623 | 		completeFlag = False
624 | 		while True and not completeFlag:	
625 | 			message  = raw_input('Enter The Schedule ID you want to enable (type "exit" to exit): ')
626 | 			if message == "exit":
627 | 				print "[+] Done!"
628 | 				break	
629 | 			if not message and not completeFlag:
630 | 				print "[!] Please enter a valid ID"	
631 | 			else:
632 | 				if message not in id_list:
633 | 					print "[!] ID does not exist"
634 | 				else:
635 | 					sch_data = data_list[int(message)]
636 | 					time_id = data_list[int(message)][0:2]
637 | 					on_off = data_list[int(message)][2:4]
638 | 					if on_off== "01":
639 | 						print "[!] Schedule is already Enabled"
640 | 					else:
641 | 						on_off = "01"
642 | 						week = data_list[int(message)][4:6]
643 | 						timstate = data_list[int(message)][6:8]
644 | 						start_time = data_list[int(message)][8:16]
645 | 						end_time = data_list[int(message)][16:24]
646 | 						data = "fef0630002320102" + pSession2 + "340001000000000000000000" + getTS() + "00000000000000000000f0fe" + device_id + "00" + phone_id + "0000" + device_pass + "00000000000000000000000000000000000000000000000000000000070c00" + time_id + on_off + week + timstate + start_time + end_time
647 | 						data = crcSignFullPacketComKey(data, pKey)
648 | 						s.send(ba.unhexlify(data))
649 | 						res = s.recv(1024)
650 | 						s.close()
651 | 						sys.exit()
652 | 						print ("[+] Done!")
653 | 	elif sys.argv[1] == "disable":
654 | 			data = "fef0570002320102" + pSession2 + "340001000000000000000000" + getTS() + "00000000000000000000f0fe" + device_id + "00" + phone_id + "0000" + device_pass + "00000000000000000000000000000000000000000000000000000000060000"
655 | 			data = crcSignFullPacketComKey(data, pKey)
656 | 			s.send(ba.unhexlify(data))
657 | 			res = s.recv(1024)
658 | 			GetSch(ba.hexlify(res), phone_id + "0000")
659 | 			completeFlag = False
660 | 			while True and not completeFlag:	
661 | 				message  = raw_input('Enter The Schedule ID you want to disable (type "exit" to exit): ')
662 | 				if message == "exit":
663 | 					print "[+] Done!"
664 | 					break	
665 | 				if not message and not completeFlag:
666 | 					print "[!] Please enter a valid ID"	
667 | 				else:
668 | 					if message not in id_list:
669 | 						print "[!] ID does not exist"
670 | 					else:
671 | 						sch_data = data_list[int(message)]
672 | 						time_id = data_list[int(message)][0:2]
673 | 						on_off = data_list[int(message)][2:4]
674 | 						if on_off== "00":
675 | 							print "[!] Schedule is already Disabled"
676 | 						else:
677 | 							on_off = "00"
678 | 							week = data_list[int(message)][4:6]
679 | 							timstate = data_list[int(message)][6:8]
680 | 							start_time = data_list[int(message)][8:16]
681 | 							end_time = data_list[int(message)][16:24]
682 | 							data = "fef0630002320102" + pSession2 + "340001000000000000000000" + getTS() + "00000000000000000000f0fe" + device_id + "00" + phone_id + "0000" + device_pass + "00000000000000000000000000000000000000000000000000000000070c00" + time_id + on_off + week + timstate + start_time + end_time
683 | 							data = crcSignFullPacketComKey(data, pKey)
684 | 							s.send(ba.unhexlify(data))
685 | 							res = s.recv(1024)
686 | 							s.close()
687 | 							sys.exit()
688 | 							print ("[+] Done!")
689 | 	else:
690 | 		data = "fef05d0002320102" + pSession2 + "340001000000000000000000" + getTS() + "00000000000000000000f0fe" + device_id + "00" + phone_id + "0000" + device_pass + "000000000000000000000000000000000000000000000000000000000106000" + sCommand + "0000000000"
691 | 		data = crcSignFullPacketComKey(data, pKey)
692 | 		if sCommand == "0":
693 | 			print ("[*] Sending OFF Command to Switcher...")
694 | 		elif sCommand == "1":
695 | 			print ("[*] Sending ON Command to Switcher...")
696 | 
697 | 		s.send(ba.unhexlify(data))
698 | 		res = s.recv(1024)
699 | 		s.close()
700 | 		print ("[+] Done!")
701 | 
702 | except SystemExit:
703 |     print("[+] Done!\r\n")
704 | except Exception as e:
705 | 	print("[!] Something went wrong...")
706 | 	print "[!] " + str(e)
707 | 


--------------------------------------------------------------------------------