AVM Fritz!Box API Getting valid session id

I am trying to read and write commands to AVM home-automation devices (like DECT200),
but I don’t know how to get a valid session id (sid).
The technical note from avm only provide login examples in python and java, and i did not manage to translate them to xojo.

Has someone already achieved this or is willing to help out?

b.t.w. Is it allowed to post download links for external pdf documents here?


Usually both Python and Java are not that different compared to Xojo. Why don’t you post your example code and what you tried in Xojo?

My xojo code is not in a state to be shown yet (spagetti code trying to figure out whats wrong with the calculations), i will rebuild it and send it tomorrow…
The python code is as follows:

#!/usr/bin/env python3
# vim: expandtab sw=4 ts=4


Get a sid (session ID) via PBKDF2 based challenge response algorithm.
Fallback to MD5 if FRITZ!OS has no PBKDF2 support.
AVM 2020-09-25

import sys
import hashlib
import time
import urllib.request
import urllib.parse
import xml.etree.ElementTree as ET

LOGIN_SID_ROUTE = "/login_sid.lua?version=2"

class LoginState:
 def __init__(self, challenge: str, blocktime: int):
 self.challenge = challenge
 self.blocktime = blocktime
 self.is_pbkdf2 = challenge.startswith("2$")

def get_sid(box_url: str, username: str, password: str) -> str:
 """ Get a sid by solving the PBKDF2 (or MD5) challenge-response 
process. """
 state = get_login_state(box_url)
 except Exception as ex:
 raise Exception("failed to get challenge") from ex

if state.is_pbkdf2:
 print("PBKDF2 supported")
 challenge_response = calculate_pbkdf2_response(state.challenge,
 print("Falling back to MD5")
 challenge_response = calculate_md5_response(state.challenge,

if state.blocktime > 0:
 print(f"Waiting for {state.blocktime} seconds...")

 sid = send_response(box_url, username, challenge_response)
 except Exception as ex:
 raise Exception("failed to login") from ex
 if sid == "0000000000000000":
 raise Exception("wrong username or password")
 return sid

def get_login_state(box_url: str) -> LoginState:

""" Get login state from FRITZ!Box using login_sid.lua?version=2 """
 url = box_url + LOGIN_SID_ROUTE
 http_response = urllib.request.urlopen(url)
 xml = ET.fromstring(http_response.read())
 # print(f"xml: {xml}")
 challenge = xml.find("Challenge").text
 blocktime = int(xml.find("BlockTime").text)
 return LoginState(challenge, blocktime)

def calculate_pbkdf2_response(challenge: str, password: str) -> str:
 """ Calculate the response for a given challenge via PBKDF2 """
 challenge_parts = challenge.split("$")
 # Extract all necessary values encoded into the challenge
 iter1 = int(challenge_parts[1])
 salt1 = bytes.fromhex(challenge_parts[2])
 iter2 = int(challenge_parts[3])
 salt2 = bytes.fromhex(challenge_parts[4])
 # Hash twice, once with static salt...
 hash1 = hashlib.pbkdf2_hmac("sha256", password.encode(), salt1, iter1)
 # Once with dynamic salt.
 hash2 = hashlib.pbkdf2_hmac("sha256", hash1, salt2, iter2)
 return f"{challenge_parts[4]}${hash2.hex()}"

def calculate_md5_response(challenge: str, password: str) -> str:
 """ Calculate the response for a challenge using legacy MD5 """
 response = challenge + "-" + password
 # the legacy response needs utf_16_le encoding
 response = response.encode("utf_16_le")
 md5_sum = hashlib.md5()
 response = challenge + "-" + md5_sum.hexdigest()

return response

def send_response(box_url: str, username: str, challenge_response: str) ->
 """ Send the response and return the parsed sid. raises an Exception on 
error """
 # Build response params
 post_data_dict = {"username": username, "response": challenge_response}
 post_data = urllib.parse.urlencode(post_data_dict).encode()
 headers = {"Content-Type": "application/x-www-form-urlencoded"}
 url = box_url + LOGIN_SID_ROUTE
 # Send response
 http_request = urllib.request.Request(url, post_data, headers)
 http_response = urllib.request.urlopen(http_request)
 # Parse SID from resulting XML.
 xml = ET.fromstring(http_response.read())
 return xml.find("SID").text

def main():
 if len(sys.argv) < 4:
 f"Usage: {sys.argv[0]} http://fritz.box user pass"

url = sys.argv[1]
 username = sys.argv[2]
 password = sys.argv[3]
sid = get_sid(url, username, password)
 print(f"Successful login for user: {username}")
 print(f"sid: {sid}")

if __name__ == "__


I gave up trying to convert the python code. I ended up with 12 functions and no valid return.

The docs say in short how the response has to be calculated from the given challenge code.
I have the monkeybread and einhugur plugins but did not find the proper methods.
Here the chapter how to compute it. Any hints very welcome!

The format of the challenge is defined as follows, separated by $ signs:
The response is formed as follows:
<hash1> = pbdkf2_hmac_sha256(<password>, <salt1>, <iter1>)
<response> = <salt2>$ + pbdkf2_hmac_sha256(<hash1>, <salt2>, <iter2>)

The example challenge “2$10000$5A1711$2000$5A1722” and the password “1example!“ 
(utf8-encoded) results in:
hash1 = pbdkf2_hmac_sha256(“1example!”, 5A1711, 10000)
=> 0x23428e9dec39d95ac7a40514062df0f9e94f996e17c398c79898d0403b332d3b (hex)
response = 5A1722$ + pbdkf2_hmac_sha256(hash1, 5A1722, 2000).hex()
=> 5A1722$1798a1672bca7c6463d6b245f82b53703b0f50813401b03e4045a5861e689adb
Note: the hash1 is not stringified, but remains a raw bytes value.
The numbers iter1 und iter2 are the “iteration” parameters for PBKDF2 of the 1. und 2. round, 
respectively. These are kept variabel and may change in future releases of FRITZ!OS, in order to 
PBKDF2-based login future-proof.

Can you link the docs directly?

The code below is the try with minimum code, but even the hash1 computation is wrong:

Funktion Get_ResponseString(challenge as string, password as string) as string

// Debug/Test
Var d_challenge As String = "2$10000$5A1711$2000$5A1722"
Var d_password As String = "1example!"
challenge = d_challenge
password = d_password
// Debug/Text

Var challengeParts() As String = challenge.Split("$")

If UBound(challengeParts) = 4 Then
  ' Extract challenge parameters
  Var iter1 As Integer = Val(challengeParts(1))
  Var salt1 As MemoryBlock = HexDecode(challengeParts(2))
  Var iter2 As Integer = Val(challengeParts(3))
  Var salt2 As MemoryBlock = HexDecode(challengeParts(4))
  ' Compute hash1
  ' Test-Result shoud be: 0x23428e9dec39d95ac7a40514062df0f9e94f996e17c398c79898d0403b332d3b (hex)
  Var hash1 As MemoryBlock = Crypto.PBKDF2(password, salt1, iter1, 65, Crypto.HashAlgorithms.SHA256)
  ' Compute hash2
  Var hash1b As String = hash1
  Var hash2 As MemoryBlock = Crypto.PBKDF2(hash1b, salt2, iter2, 65, Crypto.HashAlgorithms.SHA256)
  ' Build the response string
  ' Test-Result should be: 5A1722$1798a1672bca7c6463d6b245f82b53703b0f50813401b03e4045a5861e689adb
  Return challengeParts(4) + "$" + BytesToHexString(hash2)
  ' Handle incorrect challenge format
  Return ""
End If

End Function
Function HexDecode (hexString as string) as Memoryblock

Var hexChars As String = "0123456789ABCDEF"
hexString = ReplaceAll(hexString, " ", "")
hexString = Uppercase(hexString)

If Len(hexString) Mod 2 <> 0 Then
  hexString = "0" + hexString
End If

Var result As New MemoryBlock(Len(hexString) / 2)

For i As Integer = 1 To Len(hexString) Step 2
  Var hexByte As String = Mid(hexString, i, 2)
  Var byteValue As Integer = 16 * InStr(hexChars, Mid(hexByte, 1, 1)) - 1 + InStr(hexChars, Mid(hexByte, 2, 1)) - 1
  result.Byte(i / 2) = byteValue

Return result

Function BytesToHexString(bytes as MemoryBlock) as string

Var hexChars As String = "0123456789ABCDEF"
Var hexString As String = ""

For i As Integer = 0 To bytes.Size - 1
  Var byteValue As Integer = bytes.Byte(i)
  hexString = hexString + Mid(hexChars, (byteValue \ 16) + 1, 1) + Mid(hexChars, (byteValue Mod 16) + 1, 1)

Return hexString
Dim challenge As String = "2$10000$5A1711$2000$5A1722"
Dim password As String = "1example!"

Dim iter1 As Integer = Val(NthField(challenge, "$", 2))
Dim iter2 As Integer = Val(NthField(challenge, "$", 4))
Dim salt1 As String = DecodeHex(NthField(challenge, "$", 3))
Dim salt2 As String = DecodeHex(NthField(challenge, "$", 5))

Dim hash1 As String = Crypto.PBKDF2(salt1, password, iter1, 32, Crypto.HashAlgorithms.SHA2_256)
Dim hash2 As String = Crypto.PBKDF2(salt2, hash1, iter2, 32, Crypto.HashAlgorithms.SHA2_256)
Dim response As String = EncodeHex(salt2) + "$" + EncodeHex(hash2)

The problem with your version is that you need a 32 byte SHA2_256 hash rather than a 65 byte SHA256 hash.

My habit of thinking around 3 corners. Thank you so much!