Haier Threatens Legal Action Against Home Assistant Plugin Developer

Appliance manufacturer Haier has been integrating IoT features into their newer products, and as is so common these days, users are expected to install their “hOn” mobile application to access them. Not satisfied with that limitation, [Andre Basche] reverse engineered the protocol used by the app, and released a Python library and associated Home Assistant plugin to interface with a wide array of Haier appliances, which includes brands like Hoover, Candy, GE Appliances and others.

Unfortunately, it looks like his efforts have gotten him into a bit of legal hot water. In an issue recently opened on the project’s GitHub page, [Andre] explains the circumstances and legal options that have led him to consider pulling the repositories completely — mostly due to the cost of mounting a legal defense to the cease & desist from Haier Europe.

What’s ironic here is that Haier has been part of the Connectivity Standards Alliance (CSA) since 2022, whose goal is to ‘promote universal open IoT standards’, including Matter.

It’s possible that a legal defense will be mounted against this C&D from Haier within the coming days. Yet regardless of the outcome here, it remains problematic that these IoT-enabled Haier appliances are connected to the Haier servers. Ideally they would be controlled locally, which is the goal of projects like [Miguel Ángel López Vicente]’s ESP Haier, that uses an ESP8266 to connect Haier AC units to the local WiFi and e.g. HA instances, all without requiring internet access.

This is sadly just one more example of why building your own off-line smart home can be such an incredible struggle.

Thanks to [Ar3itrary] for the tip.

109 thoughts on “Haier Threatens Legal Action Against Home Assistant Plugin Developer”

  1. Haier smart appliances and hon app should be used as a case study of design failure. Example: during heating up oven desired temperature is displayed twice but current temp is not displayed. Also app fails to pass wifi credentials to appliance and there is no manual ssid/password input available even though there is a couple inches of touch screen.

    1. They don’t want you to have offline access for two reasons.
      1. They want the app reporting how their products are being used for Metadata analysis.
      2. They are being ordered in some EU countries to control what temperature you can set your house at to achieve climate goals.

      1. 1. There is no reason to do this with an app. The device is connected to WiFi and the internet. This is meant to collect information on people for marketing purposes, most likely in the US market due to GDPR in the EU.
        2. There is no legitimate reason to have the Internet enforce this. Sufficiently secured firmware should provide this capability. He did not reverse the firmware. He simply reversed the control protocol. This will not circumvent any limitations imposed by the firmware.

        “Connected” devices do not get long term support (LTS) and those same appliances and apps will stop getting updates and will be discontinued within 5-7years.
        I hope that the EFF comes in to help fight this case. It is ridiculous and it strains credulity that this is a legitimate argument.

  2. Court decisions in the past (including I believe the decision over the clean-room reverse engineering of the IBM BIOS by Compaq) have found that clean room reverse engineering is legal and not a copyright violation. We need a group like the EFF or someone to step up in these cases (there was one that involved Mazda a while back IIRC) and help the producers of these clearly legal clean room tools fight the manufacturers and stop the BS claims around “copyright violations”.

      1. Problem with all this is the internet is basically global, the company is global so the developer can probably be ‘held accountable’ for their ‘evil practices’ in a place they have never even heard of with all the international agreements. So even if the legal system of the US/EU puts more protections in place to prevent the big companies throwing their money around to ‘legally’ bully the open-source developer…

        Seems to me the real solution has to be for some larger group with the funding to fight at least some of these battles and win some serious compensation from the companies, end up with them being forbidden from trading while the legal action is going on etc – if the companies can even remotely expect it is going to hurt to go after the opensource reverse engineering crowd they won’t unless they have a real slam dunk legal case they can be reasonably sure of winning. It will tank their numbers short term which seems to be all the beancounters care about, and probably do them no good long term either.

      2. And cut off one of the ways for rich assholes to make gobs of money off quenching initiatives subbed at the greater good? Good luck changing all the paid off politicians’ and judges’ minds.

    1. IMHO, Home Assistant should have a “Brand that refuse to interact with us” page on the home page. Pay some support to remove the listing. Using Name and Shame is the only legal way that can’t be fought for since it’s not related to self claimed copyright violation, and is actually justified by the C&D letter (the Haier name in such page should link to a copy of the C&D letter).

      That way, people who intend to connect some appliance to HA will just avoid buying from such brand.

      1. That page should list alternative products that do have a working implementation and whether that integration is via a supported API. I for one would always refer to that page when purchasing new kit.

      2. +1

        Yes please, I bought many products that a Google search misled me to buy something that was a pain or impossible to use for these reasons.

        I would love a “these won’t cooperate” but all these alternatives do.

    2. Unfortunately, that kind of clean room means that one person documents the behavior and another person who doesn’t have access to the hardware writes the code to match the behavior so you can prove nothing is infringed. And BIOS had no encryption keys or DRM – which I don’t know is relevant to this case.

    1. I noticed that Haier was one of the first companies to import major appliances from China. Sometime after that other major appliance companies followed suit. I have always considered Country of Origin since then, and try to find stuff manufactured in the USA.

        1. Is that a problem? Assuming they are prisoners for a valid reason it seems fine to me – prison isn’t meant to be holiday from paying rent etc… If the prisoners can be put to use, hopefully learn some skills and self discipline etc in the process – which then might mean they don’t go straight back to being prisoners after release – To me it sounds like exactly what should happen assuming it can be done safely.

          1. I would agree if there was a minimum wage requirement for prison labor. I’ve actually been inside a prison production facility (basically a production plant inside the prison) and it was surprisingly normal. No armed guards or anything patrolling, and they were making hardwood flooring, so plenty of saws and knives and whatnot.

            The issue I had was that the company was paying nearly nothing for the labor. In the area of a dollar or less per hour.

            Also, in a twist that could only be described as truly American, they refused to hire those workers into their outside plants upon their release because of their record.

          2. I think the problematic part that a lot of people have issue with is the “prisoners for a valid reason”
            The US has the highest incarceration rate for minor offences in the developed world, which makes people a bit leery of why that “prison labor” might exist in the first place.

          3. Is that a problem?

            As of last year, our incarceration rate was 531 per 100,000 people. Excluding a few countries where these numbers are either not available or reliable, that places us third, behind such noted paragons of freedom Rwanda (621) and El Salvador (1086).

            You tell me – is that a problem, when the US has one of the highest incarceration rates in the world?

          4. Tutunkommon: That happens with states, too. A number of US states use prison labor for firefighting, for instance – and not only are those prisoners paid dismal rates, they often can’t obtain the same job once they’re released, due to that very same prison record.

            It pretty much amounts to modern slavery – and, what’s worse is it’s absolutely legal here.

          5. The 14th amendment, which reversed slavery in the U.S., also outlaws modern slavery including prisoners. Prison inmates make, at best, just 25 cents an hour. Officially they typically make more but then the prison system takes most of it back away for the cost of their incarceration and supervision. They can send that measly 25 cents an hour to their families outside but it all gets eaten up by exorbitant transaction fees. Or they can spend it at the canteen which charges 300-500% more than typical retail. A small pastry you can buy at the [overpriced] convenience store for $1 is $3 at the prison canteen. And if the inmate does have ANY money, they have to start paying for things that are otherwise provided, food at the cafeteria, laundry, medical care…. In Florida, the inmates receive no money at all, they are paid in “gain time” which they would either get anyway or are ineligible for due to their crime. The private industries that “hire” them are typically owned and operated by legislators and other gov’t officials or their families. They don’t include it on most lists, but the corrections industry is one of the biggest and most profitable businesses in the U.S.

          6. @Tutunkommon
            >I would agree if there was a minimum wage requirement for prison labor.

            I really don’t see why they should have to get paid anything at all really – they are prisoners, so they have effectively zero cost of living and are actively a cost to the state – so any money you give them should be taking that into account. Of the approximately £10 an hour ‘living wage’ for an adult here at least 40% of that is going to be spent on rent and utilities 20% odd for food, another heap for all the other consumables of life – clothing etc – all costs the prisoner doesn’t have at all (and it is probably more than these percentages especially on rent as that is insanely high here – so somewhat arbitrary numbers).

            It seems to me they probably should get something for the work as much as anything to help put their mindset into the work=reward without consequences. But what that should be probably isn’t a great deal.

            >Also, in a twist that could only be described as truly American, they refused to hire those workers into their outside plants upon their release because of their record.

            Now that to me doesn’t make sense, assuming they are actively needing more workers anyway. The ex-prisoner with a good working result from the prison should be a better candidate than the average citizen. Though if work is really scarce in that region maybe they won’t be…

          7. @Foldi-One

            Even if you don’t believe in the rights of prisoners, they should be fairly paid because if they aren’t it is a massive incentive to have more prisoners. In democracies in general, but in the United States in particular, the financial motivations behind politics can’t be understated.

            If a company has the opportunity to get access to extremely cheap labour through the prison system, that company may choose to lobby, or fund astroturf political groups to encourage legislation that puts innocent or undeserving people in the position of providing that company cheap labour.

            The judicial system is supposed to be about individual reform when possible and protection of the public when necessary. Not the furthering of private business.

          8. @steve
            I don’t see the correlation – the pay the prisoners get (if any) isn’t directly related to the cost of their labour to whomever is benefiting from it. There are guards, housing, food, heat, transport etc costs to be paid here – costs that are not money for the prisoner. So while their labour is bound to be somewhat cheaper than a normal worker out in the world to the employer, it probably should be in line with the increased risks to their capital investments having a room full of convicts.

            If the US justice system really is so broken that you can get folks trapped into working as slave labour that is another problem altogether. I’m certainly not up on what passes for justice in the US (Though it certainly does look broken from here with Trump so often admitting to things that must be crimes others are in jail for…) But actually getting into prison in the first place is supposed to require a jury if the defendant wants one no? In which case the general public in effect determine if you go to the ‘slave labour’ camp… You can lobby all you like and virtually go to war with the poorer folks, but they still are supposed to get a say both by election and jury duty… So that lobbying ought to be mostly wasted money.

        2. Prisoners- assuming they were convicted in a court of law by a jury of their peers in a fair trial with proper representation- owe a debt to society. Thank you. Please drive through.

          1. The question is how that debt to society should be repaid — can you just buy your way out by paying a fine? Is loss of freedom enough, and how is that valued? Or do you have to put in $X of work as well, and how is that compensated or accounted for, is it fair market value? Does the work have to be “hard labor” to qualify? Do we need to send people to Siberia?

            And don’t get me started on the various sentencing inequities, especially between blue collar and white collar crime.

            It’s a little ugly for folks who have never seen the inside of a prison or jail to discount the humanity of those inside, without any knowledge of how they got there except for some naive expectation of “justice” or “they must have deserved it” or “they don’t look like me”.

          2. Colorado resident buys legal marijuana for anxiety, goes to Texas with now illegal substance now owes debt to society. Fact is many laws are in place to convict and incarcerate people for cheap labor. These laws are what keep words like freedom perpetually wrong here in the U.S. A doctor performing a life saving abortion in Texas will have his freedoms removed and owe his debt to society. Thank you “peers”, that’s fair! We’re all f***ed. There is no real freedom. Please drive thru.

          1. But while doing so they’re also depressing the wages in whichever industry is buying their labor. Those industries are not paying prevailing non-incarcerated wages for that work which they would need to if they couldn’t use prison labor.

      1. Buying “Made in the USA” is hardly much better than China given their use of prison labour and lack of a lot of basic workers’ rights most of us in more forward thinking countries take for granted.

        Given the choice I’d much rather pay a bit more and get something made closer to home rather than from thousands of kilometres away using the modern equivalent of indentured servitude in the US and China.

      1. chatgpt “write me a pyton utility to decode Haier devices IOT protocols for use as a home assistant plugin.”

        Wasn’t me guvnor.. the OpenAI did it.
        (BTW I may have just “git cloned” the Andre0512 repo and hidden it somewhere.. perhaps, and then again, I might not have ). ;~)

      2. If they didn’t do the crime they wouldn’t be doing the time. Incarceration rate is a bogus “statistic” intended to turn criminal perpetrators into victims. Crime would go down if more offenders were imprisoned because you can’t commit crime while you’re doing time. Most offenders are convicted of multiple crimes before ever doing any time.

  3. How stupid are Haier… The first thing I, and a lot of other people, look at when buying an appliance is Home Assistant support. A company willing to embrace open access can build up a loyal user base. Instead they have chosen the opposite path… for what? Is selling user data really that profitable?
    Also, reverse engineering is legal… Hope some legal assistance is available for author.

    1. Not that I believe Haier has suffered, but just what percentage of people do you think buying home appliances have an intent to use it with smart home automation? Something like 0.01% maybe? And you wonder why these big corporations don’t care? Vent and pontificate all you want, but one might say, get over yourselves.

      1. That is somewhat logically inconsistent. If the number of buyers who might use the open interface is only a 0.01%, what would be the point of the cease and desist. Haier’s reaction only makes sense if they see the potential for a significant number of users to go the open IoT route in the future and want to nip this in the bud.

        1. Yes and no. They may also send out a cease and desist to everything they’re made aware of just so there’s precedent/pattern of behaviour in the future if there is actually a big case. It costs them peanuts to send out threatening letters to small time operators like this. Similar to how you have to go after all trademark violations if you want to protect your trademark.

  4. I find it hard to believe that Haier would have any legal base for such a thing. At least here in the EU there are some mechanisms to attempt to protect consumer rights. And in general, when you buy a product you own it and you can do whatever you like with it, and this is regardless of what nonsense companies put in their EULA.

    But apart from that. At least here in The Netherlands there are places you can go to for some free legal advice. For example:

    https://www.juridischloket.nl/
    https://rechtswinkel.nl/

    1. The problem might not be a product owner’s access to Haier servers.

      The problem might be a third party creating and distributing a not-from-Haier-product/software that uses Haier servers/services.

      It is like selling pentagonal sockets for fire hydrants so the public can use water for free.

  5. The “hey we make support open standard” flag is just there to control what will be opened.

    The other part is mess with IoT, nearly for each device I get there is a need to create a new account to a different manufacturer. I don’t think the core competence of these guys is server security, salted passwords, separation of customers data in different spaces etc. There are standards existing to make things happen locally. I do not need to know if the dishwasher in Germany is ready when I am working in Atlanta. But if I need, I could dial in with wireguard and take a look.
    There is no need for the manufacturer to know when my dishwasher uses how many liquids, is it even allowed that the ring cam stores the videos in online space only?
    Orrr, that’s annoying at all.

  6. Haier should focus on making an air conditioner that doesn’t fail in a suspiciously precise mode after a suspiciously similar period of time as observed on multiple units of certain models.

  7. I don’t understand why this is a problem. He should just remove the repository completely and provide the library to whomever wants it directly. You can easily do that through a subreddit or discord anonymously.

  8. Let’s fork it. Will see if they can send a C&D to everyone!
    It’s not a solution in itself, but until the community finds one, this + press might eventually put some pressure, the other way around.

  9. What a dumb move! Technical users will boycott them and tell others, unless the API was directly abusing their servers there is no way they are losing money.
    Maybe they’re losing the ability to harvest and sell user data, in which case ALSO shame on them.
    Guess I have to look up all the models they make and put them on my shit-list.

    1. It would be nice to have a central site that lists brands that do not support open standard in the IoT space and to list companies that try to threaten legal action against developers for making it so we can use our bought devices locally with links to the legal documents sent to the devs. If there is such a place already I can’t find it.

  10. I see that right-wing knee-jerk reactionaries are out in force today. Here’s a great article about legal modern slavery in the US:
    https://www.theguardian.com/us-news/2022/sep/27/slavery-loophole-unpaid-labor-in-prisons

    Everyone who thinks that prison is for punishment should hope that they don’t ever have to go there. Let’s hope that it remains unlikely, and you won’t be sent there for, oh, I don’t know, forking an “illegal” GitHub repository.

    Remember, the laws you push for, and the punishments you agree should be allowed can apply to you.

    1. Is it really a loophole when it is very specifically included in the text of the 13th Amendment?
      “Neither slavery nor involuntary servitude, except as a punishment for crime whereof the party shall have been duly convicted, shall exist within the United States, or any place subject to their jurisdiction.”

      Notice the “except as a punishment for crime whereof the party shall have been duly convicted”, by design aka not a loophole. Now if you want to strike out the “except … duly convicted” I can fully get behind that and have pitched that very thing as something to push for in an Article 5 convention.

  11. 1. Haier is shooting itself in the foot. This attitude will cost them customers and bad publicity.
    2. The cease and desist is not about the reverse engineering. It is about communication with Haier’s servers in violation of the terms of service that allow the users access to the servers.

    The pyhOn project reads data about the various devices from the Haier servers.

    https://github.com/Andre0512/pyhon

    The hon project uses pyhOn to determine what things you can control on your devices.

    https://github.com/Andre0512/hon

    The difficulty is that pyhOn talks to the Haier servers in violation of their terms of service – at least, that’s the claim. I haven’t hunted down a copy of the terms of service.

    Haier is complaining that pyhOn breaks the rules by talking to their servers. Since hon uses pyhOn, hon breaks the rules as well.

    If we’re going to slap Haier around, then we should slap them around for the proper reason. It’s about violating the terms of service for server access, not for reverse engineering the protocol to talk directly to the devices.

    We now return to the ongoing roast of the Haier dweebs.

    1. Thank you for clarifying the issue.
      Perhaps pyhOn should shift from accessing the Haier servers to talking to the appliances directly, which should be legal. Might be tough to reverse engineer the appliance-to-server protocol, it’s likely encrypted.

      1. The hon project talks to the devices directly. To do so, it has to ask the Haier servers what the device can do. For that it uses pyhOn.

        The problem of directly controlling the devices is solved. The problem is that hon needs to ask Haier what controls the device has before it can send commands to the device.

        1. Which is fully legal assuming it was a clean room reverse engineering of the protocol which is entirely possible because I did it once with AOL’s aim and I made my own client that did everything aim (at the time) could do and I never looked at a byte of aim source code… Let’s hope he did it properly otherwise what he did is technically illegal but if he did it right then it’s legal and precedent has been set already.

          Contacting the service isn’t illegal and never has been

    2. So wouldn’t it be the users of said app violating the terms? Yes the app makes it possible but then the company themselves should’ve made offline use available in the first place as requiring online to use a device you own is bs as the company wants that so they can mine and sell your data

    3. Violation of TOS is not a legal issue. It’s fully legal to clean room reverse engineer something and use the same protocols to get info from a server and precedent has been set for it.

      It all depends on how he made it which should be easily proven without needing a lawyer

  12. Just a thought about the pros and cons of HA in general:

    Home automation can be more than just light switches… in my house, for example, I use IOBroker on a RasPi to control photovoltaics, energy storage and -consumption. I’m glad that it’s possible to set up such a (local net only) system on your own, with the help of a RasPi, a few sensors, ESP32s and software. And without any cloud.

    To turn on the light, however, all I need is a simple power switch – that hasn’t changed ;-)

    So everyone has their own application profile for home automation.

  13. It’s pertinent info that while Haier Europe is the one sending the C&D, Haier Americas (and GE) use both a different app and are generally supportive of use of their API and, by extension, the Home Assistant community. Basically if you’re in the US, this shouldn’t really have an effect on any purchasing decisions.

  14. As was pointed out by Haier USA in a Tweet, this threat was from the European company, which is a separate entity from Haier USA. Haier USA not only supports Home Assistant, they provide an SDK so that developers can develop against their products.

  15. Interesting, AC “plugin” used direct communication with the device and for that we used documentation downloaded from Haier’s own website. I think even the lower level UART protocol is called hON. There is no calling home from the device this way.

  16. Maybe they are actually doing good by motivating users to remove their devices from hON altogether, because with this plugin they still have access to your home as it just uses their online service.

  17. Well, I’d never heard of this company before until I read this, and now I certainly won’t be buying any of their products. I hope that’s the case for many other readers, and that the bad press and lost potential business is worth it.

  18. If he legitimately reverse engineered it as in clean room style then he doesn’t even need a lawyer because the law is clear and precedent has been set many times already.

    If he didn’t do it properly then … Remove the repo wait 6 months and release it again anonymously and have ai make code changes and add obscuration so it doesn’t get tied to him.

    1. Just because you’re legally right doesn’t mean you “don’t need a lawyer”, at least not in the States. You still have to answer the suit in some manner. C’mon, there’s a reason that legal intimidation often works. Not everyone has infinite pockets or the benefit of donated legal representation.

  19. Sadly, very short sighted of these companies.

    BTW Haier also owns Fisher & Paykel.

    ….since neither of the products are no longer HA friendly then they are off my list of future purchases until their policy (and attitude changes).
