Found much simpler solution with javascript #9

@rPraml

Hello. Thank you @Shereef for this script,
and @Apollon77 for https://github.com/Apollon77/alexa-remote

I spent a whole day trying to get the HTTP sniffer working (but without success).
I tried on my non-rooted phone and on Android emulators on WSL. During this research, I found a much simpler solution that only requires some JavaScript entered in the browser console.

I noticed that you will get/have a valid cookie if you are logged in to your Amazon account. So the whole HTTP sniffing is not needed. (It is/was only needed for reverse engineering, so thanks for that work.)
We can call the APIs directly from the browser (until Amazon changes something, e.g. checks for user agent..., csrf).

We can also delete ghost devices, that cannot be deleted in the app

Delete all Smarthome devices in ~ 1 minute

(Improved solution - one-liner)

I tried this multiple times. It seems that no CSRF value is needed (see comments below).

  1. Ensure that you are logged in to your Amazon (.de/.com) account
  2. Check under which of the following URLs you'll get a list of your devices:
  3. If you have found the URL that returns a JSON with your devices, paste this script in the developer console (use at own risk!):
devices = await (await fetch('/nexus/v1/graphql', { method: 'POST', headers: {"Content-Type": "application/json","Accept": "application/json"}, body: JSON.stringify({query: `query { endpoints { items { friendlyName legacyAppliance { applianceId }}} } `})})).json();for (const device of devices.data.endpoints.items) console.log(await fetch(`/api/phoenix/appliance/${encodeURIComponent(device.legacyAppliance.applianceId)}`, { method: "DELETE", headers: { "Accept": "application/json", "Content-Type": "application/json"}}))
  4. Refresh the page. (It should be empty - if not, you may have a CSRF problem.)
  5. Say "Alexa, discover devices"
  6. Refresh the page again (it should show only devices provided by active skills)

Delete all Smarthome devices with CSRF value

Try this, if the above will not work:

  1. Ensure that you are logged in to your Amazon (.de/.com) account
  2. Check under which of the following URLs you'll get a list of your devices:
  3. Get the csrf number:
  • open www.amazon.com / www.amazon.de in a new browser tab and put any article in your basket
  • open your basket
  • open dev-tools (F12), wait a while until the network calms down and clear the network tab
  • increase the quantity of the article
  • you should see a ref=ox_sc_update_quantity request. Inspect that request for a csrf header or a csrf= value in the cookie header. Copy that number
  • if you only find an anti-csrftoken-a2z - you may try that string, too
  4. Switch back to the tab with the JSON
  5. Enter the following in the dev-tools (browser console) - copy line by line
csrf='<insert-csrf-value-here>'

devices = await (await fetch('/nexus/v1/graphql', { method: 'POST', headers: {"Content-Type": "application/json","Accept": "application/json"}, body: JSON.stringify({query: `query { endpoints { items { friendlyName legacyAppliance { applianceId }}} } `})})).json()

for (const device of devices.data.endpoints.items) console.log(await fetch(`/api/phoenix/appliance/${encodeURIComponent(device.legacyAppliance.applianceId)}`, { method: "DELETE", headers: { "Accept": "application/json", "Content-Type": "application/json", "csrf" : csrf }}))

What the javascript does

The first line sets the CSRF value. (which is used by the third line)

The second line fetches all appliance-IDs from the graphql endpoint (you may inspect the devices.data.endpoints.items value before continuing with line 3)

The third line iterates over all devices and deletes them.

The script itself must run while a page is open. You may notice it uses fetch('/nexus/v1/graphql') without a hostname, so if you execute it, it will use the same host (with all cookies) as the current page. So it is important that you execute it in the tab where the JSON is returned.

Note: If the browser (I use firefox) renders the JSON as JSON, it will not work. Luckily https://alexa.amazon.de/api/behaviors/entities?skillId=amzn1.ask.1p.smarthome returns text/html - although it is JSON. You may also just open https://alexa.amazon.de/ if this is a problem.

The most difficult part for me, was to get the correct applianceIds and pass them correctly encoded to the /api/phoenix/appliance/ endpoint. Note: This endpoint always returns with 200, nevertheless, the device could be deleted or not

You may have to run the script twice.

CSRF Token

To perform a successful delete, you may need a valid csrf value which is either a number (csrf=) or a string with about 60 chars.
This string is normally set in the anti-csrftoken-a2z header. The numeric value is set either in the csrf header or on the cookie.

You may find a valid csrf token in the page source of https://www.amazon.de/alexa-privacy/apd/myad?disableGlobalNav=true&ref=activityHistory

While I've got a numeric value on firefox, I got the anti-csrftoken-a2z in edge. In edge I had the https://alexa.amazon.de/ page open, so it might be sufficient, if a correct referrer is set. In this case, set anything to csrf value
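
Because the post notes that the DELETE endpoint answers 200 whether or not the device was removed, the following added example (not part of the original post) lists the devices, optionally deletes them, and re-queries to report what is actually left. The endpoints, query and `csrf` header are the ones from the post; the function names, the `dryRun` option and the assumption that the graphql listing reflects deletions on a re-query are mine.

```javascript
// Added example. QUERY and both endpoints are taken from the post above;
// listDevices, deleteAndVerify and dryRun are hypothetical names.
const QUERY = `query { endpoints { items { friendlyName legacyAppliance { applianceId }}} }`;
const JSON_HEADERS = { "Accept": "application/json", "Content-Type": "application/json" };

// Fetch the current device list from the graphql endpoint.
async function listDevices(fetchImpl) {
  const res = await fetchImpl('/nexus/v1/graphql', {
    method: 'POST', headers: JSON_HEADERS, body: JSON.stringify({ query: QUERY }),
  });
  if (!res.ok) throw new Error(`device query failed: HTTP ${res.status}`);
  const body = await res.json();
  const items = body?.data?.endpoints?.items ?? [];
  // Entries without an applianceId cannot be addressed by the DELETE call.
  return items
    .filter(d => d.legacyAppliance?.applianceId)
    .map(d => ({ name: d.friendlyName, id: d.legacyAppliance.applianceId }));
}

// Delete every listed device, then list again. The HTTP status of the DELETE
// is ignored on purpose: it is 200 either way, so only the second listing
// tells which devices are really gone.
async function deleteAndVerify(fetchImpl, { csrf, dryRun = true } = {}) {
  const before = await listDevices(fetchImpl);
  if (dryRun) return { planned: before, deleted: [], remaining: before };
  const headers = csrf ? { ...JSON_HEADERS, csrf } : JSON_HEADERS;
  for (const d of before) {
    // applianceIds contain characters such as '/', '#', '=' and must be encoded.
    await fetchImpl(`/api/phoenix/appliance/${encodeURIComponent(d.id)}`,
      { method: 'DELETE', headers });
  }
  const stillThere = new Set((await listDevices(fetchImpl)).map(d => d.id));
  return {
    planned: before,
    deleted: before.filter(d => !stillThere.has(d.id)),
    remaining: before.filter(d => stillThere.has(d.id)),
  };
}
```

In the browser console, pass `fetch.bind(window)` as `fetchImpl` from the tab described above; run once with the default `dryRun` to inspect `planned`, then again with `{ dryRun: false, csrf }` and check `remaining`.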
