Until recently, the Google Home app used to communicate with the device over port 8008 (HTTP) and did not require any authentication. Everything in the unofficial documentation worked as expected.
A few days (weeks) ago, Google pushed a new update to all GH devices and all endpoints (except /setup/eureka_info
) started returning 403 (forbidden) errors. The app had switched over to port 8443 and HTTPS.
Lots happened over at #39. Finally, the only changes required are:
- Change port from 8008 to 8443
- Change protocol from http to https
- Add a new header (for all requests)
cast-local-authorization-token
Note: Since this is https, the CA will likely not be trusted by your device. "Enable Insecure Requests" or "Allow Self Signed Certificates" when making requests. For example, pass the -k
/--insecure
flag with curl and verify=False
with python's requests.
The token required for cast-local-authorization-token
can be obtained by 2 methods. As of now, I'm not sure if this token expires or when it does or even how the app gets it in the first place.
/TODO: Add more info
2 ways: From app data directory on android or with Frida.
Both require root. First one recommended.
This extracts the token from the app's data folder. The script finds tokens of all devices which might have this token. Only NodeJs is required, a browser friendly page coming soon.
Note: I ported the same code to a website so you don't have to download the script and NodeJs. The website finds all devices and tokens from the file and everything happens offline. Nothing from the file leaves the browser. https://rithvikvibhu.github.io/gh-web-proto-decode/
- With a root file manager, pull this file:
/data/data/com.google.android.apps.chromecast.app/files/home_graph*.proto
- Run
node decodeProtoFile.js <file>
to extract tokens. (script attached)
Frida injects and hooks onto running applications. The script logs all requests along with the needed header.
- Install and set up Frida and ADB
- Connect the phone to PC and copy Frida Server
- Open the Google Home app on the phone
- Use this script (thanks @TheKalin!)
- Open GH settings in the app. The header with token will be printed.
dans mon fichier proto, je vois des lignes:
#google.com:api-project-XXXXXXXXXXXX[] XXXXXXXXXXXXXXXXXXXXXX*X
C'est ca?