前言
最近在調研 小米開放平臺 API 的能力,發現能力支持的實在有點少,沒辦法只能另闢蹊徑去逆向 Consule UI 的能力。
逆向工程最重要解決的就是“認證”。有沒有辦法自動登錄鑑權,或者使用一個長久可靠、可續期的 token,直接決定了該 Consule UI 是否可逆向。
逆向工程-認證
- 首先,抓到小米開放平臺登錄接口:/pass/serviceLoginAuth2
curl 'https://account.xiaomi.com/pass/serviceLoginAuth2' \
-H 'Accept: application/json, text/plain, */*' \
-H 'Accept-Language: zh-CN,zh;q=0.9' \
-H 'Cache-Control: no-cache' \
-H 'Connection: keep-alive' \
-H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' \
-H 'Cookie: deviceId=wb_855aaa14-cb23-48ff-b828-708c627c48eb; pass_ua=web; pExpireTime=0; passInfo=login-end; JSESSIONID=aaa0jIoVQRTDN9uNTktqy; uLocale=zh_CN' \
-H 'EUI: S6ApR6Vvom5JQTG2gxT3xfAuoMfXOpav/MdbTMcfQCVZVEqvzxSbBBCugod8JFANCLI0qafUfXANofq3TkjkUWu5xhbqrFOa/uwPi3jmmWEo3Kl7dbtQW2FyHaeOfypuAcyZpAhbPnxG9e4+sV9fQB/MvkQRIgn+7PUAWlf9rfU=.dXNlcg==' \
-H 'Origin: https://account.xiaomi.com' \
-H 'Pragma: no-cache' \
-H 'Referer: https://account.xiaomi.com/fe/service/login/password?_locale=zh_CN&sid=mideveloper&qs=%253Fcallback%253Dhttps%25253A%25252F%25252Fdev.mi.com%25252Fsts%25253Fsign%25253DNUzuBPDqs94TS1jFRue%2525252BFtqq%2525252BrA%2525253D%252526followup%25253Dhttps%2525253A%2525252F%2525252Fdev.mi.com%2525252Fhome%2526sid%253Dmideveloper%2526_locale%253Dzh_CN&callback=https%3A%2F%2Fdev.mi.com%2Fsts%3Fsign%3DNUzuBPDqs94TS1jFRue%252BFtqq%252BrA%253D%26followup%3Dhttps%253A%252F%252Fdev.mi.com%252Fhome&_sign=5OL5w4GfqMJ2CWGnfv7yBBxpc7A%3D&serviceParam=%7B%22checkSafePhone%22%3Afalse%2C%22checkSafeAddress%22%3Afalse%2C%22lsrp_score%22%3A0.0%7D&showActiveX=false&theme=&needTheme=false&bizDeviceType=' \
-H 'Sec-Fetch-Dest: empty' \
-H 'Sec-Fetch-Mode: cors' \
-H 'Sec-Fetch-Site: same-origin' \
-H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36' \
-H 'X-Requested-With: XMLHttpRequest' \
-H 'sec-ch-ua: "Chromium";v="106", "Google Chrome";v="106", "Not;A=Brand";v="99"' \
-H 'sec-ch-ua-mobile: ?0' \
-H 'sec-ch-ua-platform: "macOS"' \
--data-raw 'bizDeviceType=&needTheme=false&theme=&showActiveX=false&serviceParam=%7B%22checkSafePhone%22%3Afalse%2C%22checkSafeAddress%22%3Afalse%2C%22lsrp_score%22%3A0.0%7D&callback=https%3A%2F%2Fdev.mi.com%2Fsts%3Fsign%3DNUzuBPDqs94TS1jFRue%252BFtqq%252BrA%253D%26followup%3Dhttps%253A%252F%252Fdev.mi.com%252Fhome&qs=%253Fcallback%253Dhttps%25253A%25252F%25252Fdev.mi.com%25252Fsts%25253Fsign%25253DNUzuBPDqs94TS1jFRue%2525252BFtqq%2525252BrA%2525253D%252526followup%25253Dhttps%2525253A%2525252F%2525252Fdev.mi.com%2525252Fhome%2526sid%253Dmideveloper%2526_locale%253Dzh_CN&sid=mideveloper&_sign=5OL5w4GfqMJ2CWGnfv7yBBxpc7A%3D&user=xxxx&hash=xxxx&_json=true&policyName=miaccount&captCode=' \
--compressed
把這個 cUrl 精簡一下:
curl --location --request POST 'https://account.xiaomi.com/pass/serviceLoginAuth2?callback=https://dev.mi.com/sts?sign=NUzuBPDqs94TS1jFRue%2BFtqq%2BrA%3D&qs=%3Fcallback%3Dhttps%253A%252F%252Fdev.mi.com%252Fsts%253Fsign%253DNUzuBPDqs94TS1jFRue%25252BFtqq%25252BrA%25253D%2526followup%253Dhttps%25253A%25252F%25252Fdev.mi.com%25252Fhome%26sid%3Dmideveloper%26_locale%3Dzh_CN&sid=mideveloper&user=xxxx&cc=+86&hash=xxxx&_json=true&captCode=
' \
--header 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' \
--header 'EUI: YbSRNpc/gnpq1tgbE9y37EagHk+tgIrYnrJUap0FOYzCsUSBi6p1tbf9kT5G4DJUB7Vya+0q7dnFDTBVYRK8NNgGqt1JMAg6quLUNXLBlsK8KJDo9rGxFczOau8lLo/OH/jtDLLm51XbOWq42gdxVuKaJk9/FmgC+2qh+FOocio=.dXNlcg==' \
--header 'Origin: https://account.xiaomi.com' \
然後發現我們需要解決的問題有 user、hash、captCode、EUI。
- user:用戶名,密文,需要弄清除怎麼加密的;
- hash:密碼,密文,需要弄清楚怎麼加密的;
- captCode:驗證碼,觸發時機未知;
- EUI:Request Header
然後,就去翻小米 js 中加密這些的邏輯,在這個 JS 裏面。核心代碼是下面這段(有些變量被我重命名了):
function Pt(ttttt) {
var e, r;
ttttt = ttttt || {};
// 16 位固定字符隨機字符串
var iiii = function (t) {
for (var e = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*", r = "", i = 0; i < t; i++) {
var n = Math.floor(Math.random() * e.length);
r += e.substring(n, n + 1)
}
return r
}(16), s = new Ct({});
s.setPublicKey("MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCYEVrK/4Mahiv0pUJgTybx4J9P5dUT/Y0PuwMbk+gMU+jrZnBiXGv6/hCH1avIhoBcE535F8nJQQN3UavZdFkYidsoXuEnat3+eVTp3FslyhRwIBDF09v4vDhRtxFOT+R7uH7h/mzmyA2/+lfIMWGIrffXprYizbV76+YQKhoqFQIDAQAB");
var h = s.encrypt(window.btoa(iiii)), u = l.a.parse("0102030405060708"), f = l.a.parse(iiii),
p = window.btoa(a()(ttttt).join(",")), gggg = {};
return o()(e = a()(ttttt)).call(e, (function (e) {
var r = ttttt[e], i = c.a.encrypt(r, f, {iv: u, padding: d.a});
i = i.toString(), gggg[e] = i
})), {EUI: n()(r = "".concat(h, ".")).call(r, p), encryptedParams: gggg}
}
直接說結論,隨機生成 16 位字符串作爲密鑰,先 Base64 後,再 RSA 加密,publicKey 就是這串:
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCYEVrK/4Mahiv0pUJgTybx4J9P5dUT/Y0PuwMbk+gMU+jrZnBiXGv6/hCH1avIhoBcE535F8nJQQN3UavZdFkYidsoXuEnat3+eVTp3FslyhRwIBDF09v4vDhRtxFOT+R7uH7h/mzmyA2/+lfIMWGIrffXprYizbV76+YQKhoqFQIDAQAB
加密出來的信息和 "user" 字符串的 Base64 拼接就是 EUI,並傳遞給服務端;user 是用 AES 加密的,密鑰就是隨機生成的 16 位字符串,iv 向量是固定的 0102030405060708 , padding 方式是 AES/ECB/PKCS5Padding ; hash 是密碼簡單 MD5,沒有加 salt 操作;captCode 觸發時機無法知曉。
逆向工程-鑑權
有了以上信息後,我們就能直接通過 username + password 的方式登錄小米開放平臺了,返回信息如下:
&&&START&&&{
"qs": "?callback=https%3A%2F%2Fdev.mi.com%2Fsts%3Fsign%3DNUzuBPDqs94TS1jFRue%252BFtqq%252BrA%253D%26followup%3Dhttps%253A%252F%252Fdev.mi.com%252Fhome&sid=mideveloper&_locale=zh_CN",
"ssecurity": "MEQ+3bDLm2toC7OuIPia1g==",
"code": 0,
"passToken": "xxx",
"description": "成功",
"securityStatus": 0,
"nonce": 6417736210287713280,
"userId": xxx,
"cUserId": "xxx",
"result": "ok",
"psecurity": "69f4VnfI6mcnMwLl990Aaw==",
"captchaUrl": null,
"location": "https://dev.mi.com/sts?sign=xxx%20Ftqq%20rA%3D&d=wb_7a366d72-c639-4390-a584-6e4122f1543f&ticket=0&pwd=1&p_ts=1667104077000&fid=0&p_lm=1&auth=kqQrNRt4ljohm2qZoQgkBnh06dJS4UD7yYgG7QXOdXBHP1x9d5WfqCE2q18jd2rGoLLgpuSKEw60oGsYHIpHqzIGxESRIInKhS8DGDfN9bwsYXpLCctCK8D%2BHk7Gb399N1houCp9gqcaZEeDfsWMu1%2BBgs8iPsQcQ8DpL8Peay8%3D&m=1&_group=DEFAULT&tsl=0&p_ca=0&p_ur=CN&p_idc=China&nonce=EzbXp8ocSecBp%2Fdr&_ssign=RP2a7pLwZ%2BygW9aoH%2BK6uvKWf54%3D",
"pwd": 1,
"child": 0,
"desc": "成功"
}
然後直接訪問返回的 location 地址,在 reponse 的 header 的 set-cookie 信息裏面就能找到 serviceToken 的信息,這個就是開放平臺的鑑權信息,Consule UI 所有的接口都能用 serviceToken 來訪問。
curl 'https://dev.mi.com/uiueapi/myitems/undefined/0' \
-H 'authority: dev.mi.com' \
-H 'cookie: serviceToken=Xv5lATucFWfMVEEue0csFBgx7IPAbtamENHgyJjhFU4qOMuwbpOLB3TX0oDJTmKguEgDrYw2qar0xiEQK1rQvIq3OZ0k7JCF/DXCnMRAr727GzINrcV2qRC6JGxScmMA835wenAdpBRixjxFdTKyPT/zwlUTT4h42NxxxxxWwYJ5d1DeWmvDwIq+so7dsE/ibzDcnPJRhhatIefbBbgyHpsBzTMa7Vgw057finoamZs7hc2q7E/mt+xmavAsLollWm0H7QC7qhsTqvUOSYDJXD2Df7bnadM8I0PM97ME=; userId=xxx' \
-H 'referer: https://dev.mi.com/distribute' \
--compressed