Conversation
Newer eufy devices (e.g. E340 doorbell) use elliptic-curve cryptography instead of RSA for P2P session key exchange. The cloud cipher API already returns an ecc_private_key field for these devices, but the local Cipher interface did not expose it. Add the optional ecc_private_key property so downstream code can detect whether a device uses ECC and act accordingly.
Some eufy devices negotiate the P2P session key using ECDH (prime256v1) rather than RSA. This adds a dedicated decryption function that handles the three envelope formats observed in the wild: - Raw shared-secret derivation (short key payloads) - Full ECIES envelope (public key + IV + ciphertext + HMAC) - Graceful fallback for unexpected formats The function uses the ECC private key returned by the cipher API to compute the shared secret and derive a 16-byte AES session key.
Devices that use ECC keys send encrypted payloads that RSA cannot decrypt. Instead of failing outright, the session now attempts RSA first and, on failure, transparently falls back to ECDH when an ECC private key is available. If both methods fail, encryption degrades gracefully to Level 1 so the connection is not lost. Additionally, guard AES-ECB decryption against non-block-aligned data. Some command responses (e.g. 36-byte status replies) carry a non-zero signCode but are not actually encrypted. Attempting to decrypt them caused crashes; the guard skips decryption when the payload length is not a multiple of 16 bytes.
The E340 (T8214) is a standalone device where the station serial number matches the device serial number — making it an integrated device. Add it to the serial-number-based detection list so that P2P connection routing and protocol-version decisions handle it correctly, just like other self-contained cameras and doorbells.
The E340 doorbell uses the same livestream command format as the Outdoor Pan & Tilt Camera (CMD_DOORBELL_SET_PAYLOAD) — a JSON payload containing accountId, encryptkey, streamtype, and related fields. Without this, the generic branch would send CMD_START_REALTIME_MEDIA which the E340 does not understand. Route the E340 through the existing Outdoor PT Camera livestream path rather than duplicating the logic, since the payload format is identical.
Same ECDH+livestream pattern as the E340 doorbell: the T8425 uses ECDH key exchange and needs the CMD_DOORBELL_SET_PAYLOAD path to produce video data. Also adds T8425 to isIntegratedDeviceBySn (was the only floodlight model missing from the list).
Fix ECDH livestream for E340 doorbell and T8425 floodlight
Parameter Parser accept object
Release/3.7.1
martijnpoppen
approved these changes
Feb 15, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Release 3.7.1