Getting your Samsung Smart Air Conditioner to work with OpenHAB

You probably bought a Samsung Smart Air Conditioner and want to use it in OpenHAB. You also found out there is some extra work needed before things get working. Maybe you investigated a little and came acros a SSL handshake error. I guess that is why you landed on this page. I will explain how to properly install the certificates to get things working. My apologies for the old looking layout, but priority was to share the info, I will soon add some nice themes.

A little background. Samsung decided to use their own certificates. Both for the ac and the client side (the Samsung Remote Airconditioner app). This is against industry best practice, and in fact not possible to implement thoroughly as it means they would have to give every user a personal keyfile. Did you receive one? No, Samsung opted to give everyone the same personal key file (yes, re-read that again, mass distribution on public places like Google Playstore of things that should be personal and secret when you implement SSL correctly). Side effect from this change, in July 2015, is the openHAB ac binding stop functioning correctly for those users that received the new software. You will receive updates when you are using the out-of-home service. This service runs over a Korean server and by using the service you agree to updates even if it breaks your OpenHAB binding. New units (2016 and up) are also shipped with the new software. The good news is however that Samsung did not make things this secure that no communication is possible anymore between your air condioner and OpenHAB. Once you have the ac and the app, in fact you will have all you need.

Luckily, the binding has been updated by the author and when you give it the right certificate and tell your computer to trust your air conditioner, things will be working again. This webpage shows you how to do this. A little warning, this will work untill Samsungs changes the software again. If you continue using their service, you risk receiving another update. Unregistering and denying the ac access to the internet in your router can prevent this. This possibilty is hidden in the terms and conditions of teh smart appliance service by Samsung. Don't say you haven't been warned.

"Samsung may automatically download and install updates from time to time (including firmware updates for the devices you registered with the Services) ("Software Updates"). Such Software Updates may be in various forms and are generally provided for the purposes of improving the performance, security and reliability of the Services or any product or device used to access the Services. Such updates may include bug fixes, enhancements to the Services or parts thereof, products or devices and updates and enhancements to any software previously installed (including entirely new versions)."

Personally I unregistered because Samsung have demonstrated not to understand secure communications. I have had contact with them and they are unwilling to help or implement proper ways of communicating. Letters from my lawyer have not been answered. But luckily for you the poor programming skills led to a solution outlined below. As I strongly feel it is my right to have my air conditioner talk to openHAB if I desire so and  as I don't believe in closed protocols (nobody can win the Internet of Things war) I decided to publish this guide.

Now, let's get on with things:

Step 1. Extract the ac's certificate and let your computer trust it

The first thing to do is to extract the root certificate from your ac. Root certificates are usualy signed by Certification Authorities like VeriSign. The certificated is however not signed by a Certification Authority, but by Samsung itself. This self sifgned certicificate needs to be added to the Java truststore to be trusted by OpenHAB.

Extract the certificate like this, mind entering the correct ip address for your ac unit in the command:

echo -n | openssl s_client -connect 192.168.1.136:2878 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > samsungcert.crt

Don't mind the error message, it is part of the deal. Now we need to find the location of your Java cacerts:

sudo find / | grep cacerts

The output will tell you the correct path. Now add the key to your trusted certificates with the keytool utility:

sudo keytool -import -trustcacerts -keystore /usr/lib/jvm/jdk-8-oracle-arm32-vfp-hflt/jre/lib/security/cacerts -storepass changeit -noprompt -alias mycert -file samsungcert.crt

Step 2. Download or extract the keyfile from the app to supply to the OpenHAB binding

There is a long version of this and a short one. The short one is downloading it here. Prepare the file like this:

base64 -di < pasted.txt > cert.pem

The long one is extracting it from the app, To follow.

Step 3. Using the keyfile in OpenHAB

Here is an example openhab.cfg configuration for the Samsung ac binding:

samsungac:Woon.host=192.168.1.145
samsungac:Woon.mac=BC8CAA7226CF
samsungac:Woon.token=6acb7452-bb3f-429c-912c-72bfbb5bf052
samsungac:Woon.certificate=/home/domorino/ac/cert.pem