What happens when MyQ changes their API?

[TRI0N]

From my understanding the MyQ Node Server is using a "hacked" API and charging a subscription? Beyond ethics of hacking and charging. What happens with MyQ decides to fix their API to close the breach? What then?

I'm looking to redo my garage door systems and the idea of paying for a hacked API that could be potential broken if MyQ updates their API. I don't want to be left with a broken system.


TRI0N 

[lilyoyo1]

11 minutes ago, TRI0N said:

From my understanding the MyQ Node Server is using a "hacked" API and charging a subscription? Beyond ethics of hacking and charging. What happens with MyQ decides to fix their API to close the breach? What then?

I'm looking to redo my garage door systems and the idea of paying for a hacked API that could be potential broken if MyQ updates their API. I don't want to be left with a broken system.


TRI0N 

It would be broken until repaired

[TRI0N]

8 minutes ago, lilyoyo1 said:

It would be broken until repaired

So the API eventually will be usable in a none hacked version or we wait for another hack? If the later, then I will need to look at other options for garage door control. I can't (I'm sure others as well) use or put money towards something that 1) I'm knowingly paying for a hack. Which potentially puts me in breach of intellectual property laws. 2) It can be broken at any time.

TRI0N

[bpwwer]

Trying to bring some of the deep, dark secrets of home automation into the light?

Many companies are unwilling to publish/support a public API to their hardware and only provide a mobile application to control said hardware.  My guess, is that this is all cost driven.  The cost to maintain documentation and support for a public API for very little gain in sales isn't worth it.

So to use that hardware with home automation, the API needs to be reverse engineered.  In most cases, those that are doing this, aren't causing enough issues for the companies to actively block the use.  So in general it works.

However, should the company decide to update/change the API, those using a reverse engineered solution are blocked until the work can be done to handle the update/change.  It's a risk we take.

My understanding is that @Goose66 is trying to mitigate that risk somewhat by charging a fee to support the efforts to deal with updates and changes to the API.

The legality of this is somewhat a grey area.  In the US reverse-engineering is considered fair use under federal copyright law. Furthermore, the DMCA (Digital Millennium Copyright Act) contains an explicit provision allowing reverse-engineering for purposes of interoperability.  I believe node servers fall under the umbrella of interoperability.  We're not trying to steal anything from MyQ, just trying to use legally purchased equipment in a way the manufacturer isn't directly supporting.

[TRI0N]

2 minutes ago, bpwwer said:

Trying to bring some of the deep, dark secrets of home automation into the light?

Many companies are unwilling to publish/support a public API to their hardware and only provide a mobile application to control said hardware.  My guess, is that this is all cost driven.  The cost to maintain documentation and support for a public API for very little gain in sales isn't worth it.

So to use that hardware with home automation, the API needs to be reverse engineered.  In most cases, those that are doing this, aren't causing enough issues for the companies to actively block the use.  So in general it works.

However, should the company decide to update/change the API, those using a reverse engineered solution are blocked until the work can be done to handle the update/change.  It's a risk we take.

My understanding is that @Goose66 is trying to mitigate that risk somewhat by charging a fee to support the efforts to deal with updates and changes to the API.

The legality of this is somewhat a grey area.  In the US reverse-engineering is considered fair use under federal copyright law. Furthermore, the DMCA (Digital Millennium Copyright Act) contains an explicit provision allowing reverse-engineering for purposes of interoperability.  I believe node servers fall under the umbrella of interoperability.  We're not trying to steal anything from MyQ, just trying to use legally purchased equipment in a way the manufacturer isn't directly supporting.

In my case it's something I need to avoid. It could literally have all my decades of certified courses and credential stippled from me if the company (MyQ) decided to go after those who knowing breached their product. For example, Sony has gone after people that hacked (rooted) their PlayStations. Simply, you may have bought a PlayStation but you do not have right to modify their engineering. Now I'm not saying MyQ is the same way but that is a risk I cannot take.

TRI0N

[bpwwer]

@TRI0N it's good that you're investigating to make sure you aren't taking risks you can't afford.  So you should also be aware that many node servers are using reverse engineered API's, The MyQ is just a little more transparent about it. 

You may have to do a bit of digging to find out if the node server is using something you're comfortable with or not.  And even then, it may not be 100% black and white.

For example, Emporia doesn't make the API to get data from their devices public, but they have worked with the developer that reverse engineered it and have said it's ok as long as folks don't abuse the servers. 

[TRI0N]

12 minutes ago, bpwwer said:

@TRI0N it's good that you're investigating to make sure you aren't taking risks you can't afford.  So you should also be aware that many node servers are using reverse engineered API's, The MyQ is just a little more transparent about it. 

You may have to do a bit of digging to find out if the node server is using something you're comfortable with or not.  And even then, it may not be 100% black and white.

For example, Emporia doesn't make the API to get data from their devices public, but they have worked with the developer that reverse engineered it and have said it's ok as long as folks don't abuse the servers. 

Maybe the wrong terms are being used. Are we "Hacking" a API or are we just using a work around that doesn't actually hack their engineering?

TRI0N

[bpwwer]

I guess you'll need to define what you mean by "Hacking".

I specifically used the term "reverse engineering" because that term is better defined.  It specifically means that you don't have access to the code and are simply using examining how the companies components interact with each other and use that information to replication the interactions.  "reverse engineering" is legal, at least in the U.S.

I would define "hacking" as using various methods to gain access to the actual code that was written and using that code in an implementation.  I'm not aware of any node servers that do that.

For MyQ, you'd have to ask @Goose66 how he figured out the API, but I'd guess it wasn't by having access to the mobile application code or the MyQ device firmware.  

 

[TRI0N]

1 hour ago, bpwwer said:

I guess you'll need to define what you mean by "Hacking".

I specifically used the term "reverse engineering" because that term is better defined.  It specifically means that you don't have access to the code and are simply using examining how the companies components interact with each other and use that information to replication the interactions.  "reverse engineering" is legal, at least in the U.S.

I would define "hacking" as using various methods to gain access to the actual code that was written and using that code in an implementation.  I'm not aware of any node servers that do that.

For MyQ, you'd have to ask @Goose66 how he figured out the API, but I'd guess it wasn't by having access to the mobile application code or the MyQ device firmware.  

 

Hacking and Reversed Engineering are pretty well defined and completely different things. I don't attempt to change the meaning of words. Hacking means you compromised someone's engineered code either by modifying the code directly or indirectly, can be for good or bad. While reverse engineering is where you attempt to duplicate a product into your own product which in most cases would require hacking to achieve and honestly Reverse Engineering that compromises anyone's Patent Product is NOT Legal, especially if you are reselling it.

TRI0N

Edited March 25, 2023 by TRI0N

[lilyoyo1]

3 hours ago, TRI0N said:

So the API eventually will be usable in a none hacked version or we wait for another hack? If the later, then I will need to look at other options for garage door control. I can't (I'm sure others as well) use or put money towards something that 1) I'm knowingly paying for a hack. Which potentially puts me in breach of intellectual property laws. 2) It can be broken at any time.

TRI0N

It's not the developers fault Chamberlain chooses to operate this way but your reasoning is understandable. In regards to being broken at anytime, that applies to anything. A bug can break how your system currently runs at which point you would wait for a fix. Ditto for server issues. 

However, what most people feel (who has purchased) is that they are paying for someone who has taken the time to hack it to provide them the opportunity to use their current system vs the time it takes to find other alternatives/swap out systems. 

There's no breach of intellectual property laws. It would be a breach if you took their work, made your own device, and tried to sell it. 

[TRI0N]

41 minutes ago, lilyoyo1 said:

There's no breach of intellectual property laws. It would be a breach if you took their work, made your own device, and tried to sell it. 

and that is where the real question come in. Is this API really hacked or reversed engineered and being sold as a service. I can understand a bug that could have a patch fix momentarily. But needing to re-hack a product is a whole different ballgame. Could take months if it ever gets re-hacked and at what extent? Not something you would want happening on entry points into your home not functional at any ungiven time. 

Simply is MyQ using a work around that uses what is available thru their API or is it truly being hacked, rewritten and distributed?

Pretty much this isn't going to go for me... Anyone else have a working example of a Z-Wave Controlled Garage Door? Such as using something like the Zooz Multi-Relay with a good garage door product. I'm really was into getting a Chamberlin that mounts on the wall. I installed one for a friend and I like it a lot, it would clear the headway in our garage to be used for other things.

Product I was interested in: https://www.amazon.com/Chamberlain-Smart-Garage-Door-Opener/dp/B07WRHPDC8?source=ps-sl-shoppingads-lpcontext&ref_=fplfs&psc=1&smid=ATVPDKIKX0DER

Possible idea on what: Zooz Multi-Relay with a LiftMaster Wall Mount? Any recommendations would be great. 

Note: I just realized that LiftMaster is owned by Chamberlin.   Anyone any other option would be nice to know about.

TRI0N

Edited March 25, 2023 by TRI0N

[lilyoyo1]

22 minutes ago, TRI0N said:

and that is where the real question come in. Is this API really hacked or reversed engineered and being sold as a service. I can understand a bug that could have a patch fix momentarily. But needing to re-hack a product is a whole different ballgame. Could take months if it ever gets re-hacked and at what extent? Not something you would want happening on entry points into your home not functional at any ungiven time. 

Simply is MyQ using a work around that uses what is available thru their API or is it truly being hacked, rewritten and distributed?

Pretty much this isn't going to go for me... Anyone else have a working example of a Z-Wave Controlled Garage Door? Such as using something like the Zooz Multi-Relay with a good garage door product. I'm really was into getting a Chamberlin that mounts on the wall. I installed one for a friend and I like it a lot, it would clear the headway in our garage to be used for other things.

Product I was interested in: https://www.amazon.com/Chamberlain-Smart-Garage-Door-Opener/dp/B07WRHPDC8?source=ps-sl-shoppingads-lpcontext&ref_=fplfs&psc=1&smid=ATVPDKIKX0DER

Possible idea on what: Zooz Multi-Relay with a LiftMaster Wall Mount? Any recommendations would be great. 

Note: I just realized that LiftMaster is owned by Chamberlin.   Anyone any other option would be nice to know about.

TRI0N

I'm just using the language you used. Not all bugs are fixed quickly. 

Modern garage door openers require different solutions depending on setup. 

[MrBill]

Reverse Engineering is simply starting with the results and working backwards to find out how it works.  To what level that is taken is subjective.  In the case of the reverse engineering it's just of the API commands themselves, it's not even recreating the server side of MyQ.  it's simply using tools to understand what the app on the phone is saying to the server to make X happen or check the status of Y.    No on is reverse engineering the servers or the product, yes they are reverse engineering the API.

Unfortunately MyQ doesn't want to share their API because supporting polling from another half million clients would cost real dollars by increasing traffic.  It's unclear why myQ doesn't push messages to clients rather that requiring polling.   If published, they also need to monitor who's miss using the API... with the current stance anyone not using the official app (client) is misusing the connection.

-----

The red and white wire from MyQ operators to wall controls is carrying data.  The operators still are designed to operate with that pair being connected to a single momentary push button, however it doesn't work well with other wall controls or other accessories using the same wire to wire a relay to mimic a push button when also using most wall controls. 

This MyQ button can be easily modified by soldering leads on to the button.  specifically LM883 converts a push button to a data signal rather than shorting the two leads as the button is pushed.  Someone sells a modified version of 883 with the leads already soldered on to add a relay, but I can't find the link to the modified version.  Here's a youtube to help understand.

[matapan]

If you're concerned about the ramifications of using this node server, you can always use an IO Linc with your setup to generate the momentary contact necessary to open and close the gargage door, then use a door sensor to monitor if the garage door is open or not. I have a magnetic contact sensor mounted on the floor of my garage and the other component mounted to the door. Use a program to trigger the necessary contact to open and close the door and monitor the state of the sensor. This works pretty well.

[dbuss]

54 minutes ago, TRI0N said:

Anyone else have a working example of a Z-Wave Controlled Garage Door?

I've been using this for several years.

https://www.amazon.com/GoControl-GD00Z-8-GC-Z-Wave-Security-Black/dp/B085LKPHK6/ref=sr_1_5?crid=S93T8O5LJWZW&keywords=z-wave+garage+door+opener&qid=1679780209&sprefix=z-wave+gargae+door+opener%2Caps%2C135&sr=8-5

[TRI0N]

14 minutes ago, dbuss said:

I've been using this for several years.

https://www.amazon.com/GoControl-GD00Z-8-GC-Z-Wave-Security-Black/dp/B085LKPHK6/ref=sr_1_5?crid=S93T8O5LJWZW&keywords=z-wave+garage+door+opener&qid=1679780209&sprefix=z-wave+gargae+door+opener%2Caps%2C135&sr=8-5

Yep that is another option I'm looking at too. I have no problems doing I/O relay's etc or soldering circuit boards (grew up building Heath Kits).  So even if the Garage door isn't smart that is fine with me. I really like the package in the RJO70 by Chamberlin but the main goal is a well mount motor. Using sensors and such is fine. I liked how the Chamberlin also included to automated internal locking system that comes with it, the backup battery was also a nice plus since I will be retiring the Ryobi one that had that option. I'm going to look Genie Wall Mount and see what I can do with it..


TRI0N

Edited March 25, 2023 by TRI0N

[TRI0N]

Looks like that GoControl can be wired right into the Chamberlin just like you would any other normal button 2 wire hook up? Is there something I'm missing why this might not work with Chamberlin? The Genie 6170 is an acceptable solution too.

TRI0N

Edited March 25, 2023 by TRI0N

[Goose66]

The MyQ node server uses the MyQ API utilized by Chamberlain's mobile app. The API is not public, so use of the API is made possible by hacking (yes, that is the proper term). I wouldn't say that the API was "reversed engineered" or suggest that hacking the API is protected by "fair use" because using such legal terms invoke the Google v. Oracle case, which is not at issue here. Unlike Google v. Oracle and related cases, the API is not being "copied," in that it is MyQ's implementation of the API that is being used in the way it was intended - no code, data structures, or APIs were copied or recreated. 

Now that is not to say that the use of the hacked MyQ API is legal or not legal. I am an intellectual property attorney, but I'm not your intellectual property attorney, so I can't give you any legal advice. But it's common knowledge (and therefore not legal advice) that the primary place you should look to determine whether your activity in regard to the MyQ cloud service is allowed or disallowed is whatever EULAs or other agreements you have agreed to with Chamberlain regarding use of the MyQ products and services.

All that said, I wouldn't buy Chamberlain garage door openers because the MyQ node server is available. I'm not a big fan of using cloud services nor hacked APIs. I wrote the MyQ node server because I already had Chamberlain (actually Liftmaster) garage door openers in my home, just as I wrote the iAqualink node server (also uses a hacked API) because I already had a Jandy (Zodiac) pool controller. These are both very good products, and I am happy with them. But if I was deciding on what to buy at this point, I would certainly favor a product that lends itself to local control and/or integration with HA systems.

Edited March 25, 2023 by Goose66

[carealtor]

Seems like "emulate" or "imitate" would be better words than "hacked".  The nodeserver is imitating the app.