GHLocalApi Update

README.md

GHLocalApi Update

The Gist

Until recently, the Google Home app used to communicate with the device over port 8008 (HTTP) and did not require any authentication. Everything in the unofficial documentation worked as expected.

A few days (weeks) ago, Google pushed a new update to all GH devices and all endpoints (except /setup/eureka_info) started returning 403 (forbidden) errors. The app had switched over to port 8443 and HTTPS.

The Fix

Lots happened over at #39. Finally, the only changes required are:

• Change port from 8008 to 8443
• Change protocol from http to https
• Add a new header (for all requests) cast-local-authorization-token

Note: Since this is https, the CA will likely not be trusted by your device. "Enable Insecure Requests" or "Allow Self Signed Certificates" when making requests. For example, pass the -k/--insecure flag with curl and verify=False with python's requests.

The Token

The token required for cast-local-authorization-token can be obtained by 2 methods. As of now, I'm not sure if this token expires or when it does or even how the app gets it in the first place.

/TODO: Add more info

Getting the token

2 ways: From app data directory on android or with Frida.

Both require root. First one recommended.

App Data Dir (Android)

This extracts the token from the app's data folder. The script finds tokens of all devices which might have this token. Only NodeJs is required, a browser friendly page coming soon.

Note: I ported the same code to a website so you don't have to download the script and NodeJs. The website finds all devices and tokens from the file and everything happens offline. Nothing from the file leaves the browser. https://rithvikvibhu.github.io/gh-web-proto-decode/

• With a root file manager, pull this file: /data/data/com.google.android.apps.chromecast.app/files/home_graph*.proto
• Run node decodeProtoFile.js <file> to extract tokens. (script attached)

With Frida (Android)

Frida injects and hooks onto running applications. The script logs all requests along with the needed header.

• Install and set up Frida and ADB
• Connect the phone to PC and copy Frida Server
• Open the Google Home app on the phone
• Use this script (thanks @TheKalin!)
• Open GH settings in the app. The header with token will be printed.

decodeProtoFile.js

const fs = require('fs');
const util = require('util');
const rawproto = require('rawproto');


const filename = process.argv[2] || 'home_graph.pb';


console.log(`[*] Reading proto binary... (${filename})`)
var buffer = fs.readFileSync(filename)

console.log(buffer)


console.log(`[*] Parsing file...`)
var data = rawproto.getData(buffer);
// detailedLog(data);


console.log('[*] Extracting tokens...\n')
data.forEach(val => {
    if (val['2'] && Array.isArray(val['2'])) {
        val['2'].forEach(val2 => {
            if (val2['7'] && Array.isArray(val2['7'])) {
                var device = null;
                var token = null;
                try {
                    var deviceObject = getObjByKey(val2['7'], '17')['17'][0];
                    device = (deviceObject ? (deviceObject['2'] || deviceObject['1']) + ', ' : '' ) + getObjByKey(val2['7'], '18')['18'][0]['2']
                } catch (err) { console.log(err) }
                try {
                    var tokenObject = getObjByKey(val2['7'], '28');
                    token = tokenObject ? tokenObject['28'] : null;
                } catch (err) { console.log(err) }
                if (device || token) {
                    console.log('Device:\t', device)
                    console.log('Token:\t', token)
                    console.log('-----')
                }
            }
        })
    }
})

console.log('\n[*] Done!\n')


function detailedLog(obj) {
    console.log(util.inspect(obj, {showHidden: false, depth: null}))
}

function getObjByKey(arr, key) {
    return arr.filter(v => v[key])[0]
}

@benjamingwynn I am on the same firmware and the same curl just worked for me. The only thing I can think of is an invalid token. Can you re-check if the whole token was copied (maybe a letter missed at the end, etc.)?

@roflcoopter Sorry for the late reply, I just saw your comment. I just used it with my file and there weren't any errors. But I don't have a lot of devices so it is probably breaking in some specific cases. If you don't mind, can you send me the proto file at [email protected]? I'll fix the script to handle that kind of case.

@rithvikvibhu the problem went away after a while, sadly i dont have the proto-file anymore. Must have been something temporarily wrong with it as both your implementation and another python implementation I've been using was having the same issue decoding it.

@rithvikvibhu thanks for the quick reply, I think the key is correct, although we have a lot of Chromecast devices on the network so it could be misreported maybe? Do you know how many characters long a key should be?

@benjamingwynn which method are you using? (a) Frida or (b) locally running nodejs script with proto file or (c) the web decoding webpage?

In the case of Frida, the script doesn't process anything. It just lists all network requests. Since you say there are a lot of devices, then maybe the token is for the next/previous request to a different device instead?

All the tokens I've seen till now have been 108 chars long.

@rithvikvibhu I used the web decoding page on my Android phone directly after grabbing the file with Solid Explorer and moving it to the data directory.

I tried two of the speakers listed, but the one I was trying to get to work originally (Benjamin's Room) had really weird formatting. Here's a very obfuscated copy of the table extracted. The key for the top speaker didn't work either, even though the formatting seemed correct.

That's really weird (and interesting :p)

If I'm understanding correctly, out of the 7 tokens, the two tokens you've tested (1st and 10th), didn't work.
See if you can test a few others too.

As for the weird object, I've never seen that before and I'd like to take a look at that proto file.

@rithvikvibhu I just spent some time retesting this, really weird behavior though.

I can access the first device via port HTTP:8008 without a token just fine, but the tenth device (the one I want to actually use for this project) returns 403 Forbidden over HTTP:8008 and 401 Unauthorized over HTTPS:8443 with the cast-local-authorization-token above (the one with weird JS object surrounding it).

Weirdly, both devices are marked with the exact same version number, cast version number, country code and language, and both are on the preview program and linked to the same accounts/home.

I can send the file via email or something, not all of the devices on this network are mine and I don't want to expose their keys.

For a few weeks, while Google was rolling out the switch from 8008 to 8443, some devices kept fluctuating with every reboot. But then, 8443 became more frequent and 8008 didn't work anymore. All this happened without the version number changing. Probably with feature flags.

Maybe somehow the first GH is still using 8008. Rebooting it a few times might switch it to 8443. You may(not) want to try this, whatever suits you.

For the 10th GH, it looks like the token isn't being extracted properly (the js object instead of string points to that). Of course, you wouldn't want to upload the proto file here on GitHub. If possible, please send it to [email protected]. FYI, the tokens expire every few days.

@rithvikvibhu That's fascinating, I can mess around with those two devices some more later and ask a couple of my flatmates if I can experiment on their devices too. I'll make sure to renew the token later.

I've sent you an email with the proto file attached, if you have telegram/whatever chat app we can try resolve this privately there to save spamming this gist?

well, I just got my chromecast, can't connect from pc, casting is being distupted from phone, so I figured out to update. current firmware is 1.42.172094. device is not finding new firmware when rebooting, so I wanted to force it. I got to all this gist stuff and I found out my master token and access token. I got my local access token so I should be able to make autnenticated calls but they fail with:

~> curl -H "cast-local-authorization-token: i7YQu6bgnYqBm6+TpO5fRM+ekXm+ASnIuKmZ7/1eBu0kDnT733TLzLwW7rNFth7/HebEOrttqKECtva/7ItFwAfq8NFOgq2Pjmb3TxQA7mA=" --verbose --insecure https://192.168.0.122:8443/setup/bluetooth/status

*   Trying 192.168.0.122:8443...
* Connected to 192.168.0.122 (192.168.0.122) port 8443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-CHACHA20-POLY1305
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: C=US; ST=California; L=Mountain View; O=Google Inc; OU=Cast; CN=ADW2ZFQ FA8FCA7DC655
*  start date: Mar  5 08:00:00 2019 GMT
*  expire date: Apr 13 06:33:28 2040 GMT
*  issuer: C=US; ST=California; L=Mountain View; O=Google Inc; OU=Cast; CN=Chromecast ICA 12
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
> GET /setup/bluetooth/status HTTP/1.1
> Host: 192.168.0.122:8443
> User-Agent: curl/7.73.0
> Accept: */*
> cast-local-authorization-token: i7YQu6bgnYqBm6+TpO5fRM+ekXm+ASnIuKmZ7/1eBu0kDnT733TLzLwW7rNFth7/HebEOrttqKECtva/7ItFwAfq8NFOgq2Pjmb3TxQA7mA=
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 404 Not Found
< Content-Length:0
< 
* Connection #0 to host 192.168.0.122 left intact

just want to say it's so disappointing when nothing works... returning the device
thank's for all support, good luck in life

@zapphyre I don't think Chromecasts have bluetooth modules, only Google Home devices do. But the rest of the docs should apply to Chromecasts as well.

Hi, I am trying gh-web-proto-decode with my home_graphXXXX.proto but no devices found. Does gh-web-proto-decode working ?

Thanks for your reply.

Hello,
I try to decode my proto file, I can upload it but the decode "Button" do nothing.
How can How can I recover the google Home token otherwise ?
THanks for your reply.

Bonjour,
Votre page web ne marche plus?
J'ai utilisé VMOS sur un smartphone Android. J'ai activé root, j'ai téléchargé le fichier .proto
Mais quand je clique sur "Decode", rien ne se passe.
Le site a un problème?

The last update to this decoder was ~1.5 years ago. The proto file layout would've probably changed. I'll try to fix it this week.
In the mean time, you can simply open it in a text editor and look for a 108-char string that is close to your email address (ignore the garbage looking parts).

Merci.
Donc si je comprends bien, je peux trouver le token de chaque appareil avec un éditeur de texte dans le fichier .proto?
C’est un token par appareil?
J’ai 14 Google Home chez moi.

pour avoir ce fichier proto, j’ai accédé à la racine. C’est bien comme ça qu’il faut faire?

Pourrais je te demander plus de renseignements sur l'API GHLocal que tu as?
En fait, je suis l'administrateur du groupe Google Home FR sur Facebook.
J'ai aussi une chaîne Youtube: La Maison de Jeed Home.

Depuis une mise à jour il y a plus d'un an sur les Nest Hub, il y a une mise en veille automatique après 10 minutes qui affiche l'heure même si un cast web est en cours.
Avec Fuchsia OS, c'est au bout de 30 secondes.

Je veux désactiver ce mode veille automatique. C'est pour cela que je cherche les token de mes appareils en espérant pouvoir le désactiver comme ça vu que Google ne propose pas l'option sur son app smartphone.

Peux tu me dire si tu connais cette option et laquelle est-ce?

Tu vas aider beaucoup de gens si tu la connais.
J'ai demandé de nombreuses fois à Google mais ils restent fermés et ne partagent rien.

dans mon fichier proto, je vois des lignes:
#google.com:api-project-XXXXXXXXXXXX[] XXXXXXXXXXXXXXXXXXXXXX*X
C'est ca?

The api-project-* is different. The actual token will be on its own and exactly 108 chars (only: letters, numbers, +, /).

Yes, it's 1 token per device, and only lasts about a day before it becomes invalid (and will need to be extracted again). So manually getting it every time is a pain, automated scripts help (like https://gist.github.com/rithvikvibhu/952f83ea656c6782fbd0f1645059055d). In the same link, @leikoilja has posted his cool python library that abstracts away all the complex logic: https://github.com/leikoilja/glocaltokens.

I don't have any Nest devices, so can't really be of much help here. If it's not possible to set it via the mobile app, then it may not be possible to do it via the API. Again, just guessing here.
Maybe you can open an issue on https://github.com/rithvikvibhu/GHLocalApi/issues/ in case someone stumbles upon it and knows how to change the sleep timeout.

Been working on getting my Nest Thermostats with remote access for some time now, your work and Leikoilja's has been a great help, thx. When using Leikoilja's glocaltlokens package and I can capture my HomeGraph, but haven't been able to figure out how to decode the status values. Here is a sample of my HomeGraph Nest Device/Status

states {
  name: "ambientAirHumidity"
  value: "\035{\024.>"
}
states {
  name: "ambientAirTemperatureC"
  value: "\035\000\000\274A"
}
states {
  name: "ambientAirTemperature"
  value: "\035\000\000\224B"
}
states {
  name: "thermostatTemperatureSetpointC"
  value: "\035\000\000PA"
}
states {
  name: "thermostatTemperatureSetpoint"
  value: "\035\000\000\\B"
}

For Example I can change the "thermostatTemperatureSetpoint" via my iphone, then refresh the HomeGraph, and the value changes, so I know the HomeGraph is seeing my changes, BUT I haven't been able to decode the value, ie, value: "\035\000\000\B, any ideas on how to do this would be appreciated

Thanks