The tracker is a great and powerful device with an incredible price-to-value ratio, but it's not free of security vulnerabilities and some setup-glitches. Still, it's a good option for many use cases and it allows you to use your own 'cloud'. Unfortunately, the API is poorly documented. This article should bring more light on that.
Be aware that as soon as the Internet connection can be established by the tracker, the location and the ICCID (unique identifier of the SIM card) will be sent to the My TK-Star cloud. Unfortunately, there is no simple way to avoid this completely. Most cell providers don't require a proper APN configuration, making the Internet work immediately without any user action. Before you send an SMS to the tracker, switching the data connection off, it's already too late. Moreover, I did not find any way to delete the tracking history on the My TK-Star website.
The default credentials to the My TK-Star cloud are composed of the serial number of the device and the password 123456. The serial numbers are just consecutive integers. Many people don't change the password. Be aware of this and change the password as soon as possible, even if you are not going to use TK-Star's service.
You can (and absolutely should) change the admin password of 123456 to a value of your selection. Otherwise anyone can control the tracker without your knowledge (as the device does not report getting any requests). Still, this 'password protection' seems not to be water-proof. Even after changing the password, some of the commands get answered no matter if followed by the password of your choice or by the default 123456. Moreover, at least the command begin offers a way to remove the administrator's phone no. by sending the request from any other phone no. It saves you in case you mistyped your own number when registering it as an administrator, but it opens a backdoor to potential attackers as well.
It seems that the ID of the device can be modified. It could become a vulnerability, depending on your setup. The device's ID is used as an identifier to access the My TK-Star website. By changing the ID one could redirect the device's reports to a different account.
The data connection to the server is not encrypted in any way. Depending on the cell network provider (not limited to the SIM card issuer, but also related to the one the tracker is connected to), it can be of an issue.
The customer support is at the same time great and not-so-great. They respond almost immediately to any questions, but they can't really help you more than 'try to switch it off an on again'. Still, they are very patient and polite.
The device works in data-only mode in a 4G network (obviously not supporting VoLTE, at least not for my cell provider). Any voice calls require the device to jump to a 2G/3G network, which in some cases may be impossible.
As you may guess, my suggestion differs from the official flow:
1. Insert the SIM card (the action turns the device on).
2. Disable the official cloud (text nogprs123456 and/or adminip123456 127.0.0.1 1234). This way you get time to set it up and minimize the risk of unwillingly sharing data with the 'cloud'. Please note, it can happen the device is fast enough to send the geo-location and the SIM card identifier to their servers anyway.
3. Read through the rest of this article.
The complete configuration can (must?) be done via text messages. Trying to find a complete list is a waste of time. Even the official support does not offer anything like that. The software seems to be (almost) identical to many other devices of this class, so they simply do work here as well. Mostly.
If not stated otherwise, the ****** denotes the current password.
| Command | Description | Comment | Response |
|---|---|---|---|
admin****** PHONE_NO |
Set the phone number to be the administrator. | Only one phone number works (although other documents say up to 3 or even 5). Both international notations 'double zero' and 'plus' seem to work. Invalid number makes most of the commands to be rejected. The command begin seems to work to reset the setting. |
admin ok or Invalid Command if trying to put additional numbers |
adminip****** ADDRESS PORT |
Set the cloud address and port number. | Default: www.mytkstar.net 7700. | adminip ok |
apn****** APN |
Set the APN address. | Default: cmnet. | apn ok |
apnpasswd****** PASSWORD |
Set the password for the APN. | Default empty. | apnpasswd ok |
apnuser****** USERNAME |
Set the username for the APN. | Default empty. | apnuser ok |
begin****** |
Reset the tracker's configuration. | The administrator's phone number and reporting frequency seems to get reset. The cloud address seems to stay intact. | begin ok |
check****** |
Get settings of the device (firmware version, ID, cloud address, GPS signal, cellular signal, administrator phone no. and some empty fields). A longer SMS gets divided into separate messages. | TK905D(70ELASE)_V_X.X Firmware v.3.0 says LTE, v.2.7 says GSM |
|
G******# |
Get the current position. | Lat:XX.XXXX |
|
gprs****** |
Activate data connection and reporting to the cloud. | Seems to be activated per default. | gprs ok |
imei****** |
Get the IMEI of the cell modem. | ID:XXXXXXXXXX, |
|
monitor****** |
Enter audio monitoring mode (opposite to tracker). A phone call should be answered by the device and the surrounding sounds should be hearable to the caller. |
The model as available in Germany responds to the call, but there is no microphone built-in. The used modem does not seem to support analog microphone at all. | monitor ok |
move****** |
Create a geofence as a circle of 500m around the current location. | Hard to test, whether it is really 500m. | move okfor alarm format - see table below |
move****** DISTANCE |
Create a geofence as a circle of given distance in meters around the current location. | Alarm message sent to the administrator and to SOS-numbers after moving out of the area. Re-entering the area not tested yet. The distance is hard to test: imprecise and probably dependent on the frequency of position monitoring. No alarm on firmware version 2.7. Works on v.3.0. | move okfor alarm format - see table below |
noadmin****** |
Remove the administrator's phone number. | Only the administrator may do it. | noadmin ok |
nogprs****** |
Deactivate data connection (stops reporting to the cloud). | The connection was not interrupted immediately. | nogprs ok |
nomove****** |
Deactivate the circle geofence. | Works fine. | nomove ok |
nospeed****** |
Deactivate the speed alarm. | Works fine. | nospeed ok |
password****** XXXXXX |
Change password to XXXXXX. Apparently it must be of 6 digits (not tested). |
Default: 123456. | password ok |
shock****** |
Set an alarm on vibration of the device. | Sends an alarm in case of vibration, but only in the sleep-until-shock mode. The SMS does report a cell ID instead of a position - probably no GPS fix yet after wake-up. | shock okfor alarm format - see table below |
sleep****** off |
Deactivate the sleep mode. | Works fine. | sleep off ok |
sleep****** shock |
Enter a power save mode (GPS off) until a vibration is detected, SMS is received or a voice call is received. After 5 minutes back to sleep. | Default on. | sleep shock ok |
sleep****** time |
Enter a power save mode (GPS off) until an SMS is received or a voice call is received. After 5 minutes back to sleep. | Works fine, but it does not accept a delay value as an argument. | sleep time ok or Invalid Command if trying to add a number as an argument |
sos,NUMBER |
Register an SOS phone number. | Works fine. Up to 3 numbers supported. | SOS!S1:phone no. 1,S2:phone no. 2,S3:phone no. 3 |
sossms****** |
Enable SOS SMS. | The hardware seems to be prepared for an SOS button, but it seems to be ignored by the firmware. | sossms ok |
speed****** XXX |
Set alarm in case the speed exceeds XXX km/h. |
Per default off. Works fine. The intervals in which the message becomes resent is unpredictable. | speed ok for alarm format - see table below |
tXXXUYYYn****** |
Request YYYY (number) consecutive position reports per SMS in the interval of XXX units U. The unit may be one of s: seconds, m: minutes, h: hours. |
Works fine. | no confirmation, for data delivery format - see table below |
timezone****** +-Z |
Change the time zone to + or - number of full hours (Z) in relation to UTC. Apparently the offset of 0 requires a leading plus symbol. | Default: 0. Works fine. | time ok |
tracker****** |
Enter tracker mode (opposite to monitor). A phone call should trigger a position report response via SMS to the calling number (not tested yet). 5 consecutive calls to a fresh device should register the number as an administrator (not tested). |
Probably the default mode. | tracker ok |
vibalm****** |
Activate vibration SMS alarm. | Not getting any alarms. Probably required to enter the sleep-until-shock mode. | vibrator sms alarm set ok |
upload****** SECONDS |
Set the cloud position reporting interval in seconds. Result may be affected by the sleep mode and alarms. | Default: 30. Works fine. | upload ok |
| Description | Message |
|---|---|
| Battery low alarm (yes, no new-line after the battery %, at least on firmware v.2.7). | bat: low |
| Move alarm. | move alarm! |
| Shock (vibration) alarm. | sensor alarm! |
| Speed alarm. | speed alarm! |
Position reports triggered by tXXXUYYYn******. |
Lac:xxxx xxxxxxx |
| Command | Description | Comment |
|---|---|---|
#99#id#ID_NUMBER## |
Set the ID of the device to the given ID_NUMBER. |
Not tested. Mentioned by ^1. |
222 |
Same as monitor? |
Not clear if supported, not tested. |
adm,PHONE_NO |
Same as admin? |
Not clear if supported, not tested. |
auto0 |
Turn off "auto arm by standby 10 minutes". | Not clear if supported, not tested. |
auto1 |
Turn on "auto arm by standby 10 minutes". | Not clear if supported, not tested. |
format |
Restore factory settings. | Apparently doable by the administrator only. Not tested. |
gprs0 |
Same as nogprs******? |
Not clear if supported, not tested. |
gprs1 |
Same as gprs******? |
Not clear if supported, not tested. |
help me |
Turn off the alarm activated by the SOS button. | The device does not have such a button. Not clear if supported, not tested. |
LAG1 |
Switch SMS responses to English. | Not clear if supported, not tested. |
LAG2 |
Switch SMS responses to Chinese. | Not clear if supported, not tested. |
LED****** STATE |
Turn LEDs on/off. STATE: on or off. |
Not clear if supported, not tested. |
noshock****** |
Deactivate the alarm on vibration of the device. | |
nostokade****** |
Deactivate box geofence. | Not clear if supported, not tested. |
notn****** |
Disable consecutive position reports tXXXUYYYn. |
Not tested. |
novibalm****** |
Deactivate vibration SMS alarm. | Not clear if supported, not tested. |
novibcall****** |
Deactivate vibration phone alarm. | Not clear if supported, not tested. |
pwd******,XXXXXX |
Same as password? |
Not clear if supported, not tested. |
RST |
Same as format. |
Not clear if supported, not tested. |
run,X |
Set 'moving upload interval' to X seconds. Range 10..300. See stop. |
Not clear if supported, not tested. |
sos,, |
Unregister any SOS phone number. | Not clear if supported, not tested. |
soscall****** |
Enable SOS call. | Not clear if supported, not tested. |
stop,X |
Set 'stopping upload interval' to Xseconds. Range 10..300. See run. |
Not clear if supported, not tested. |
time,+-Z |
Same as timezone? |
Not clear if supported, not tested. |
vibcall****** |
Activate vibration call alarm. | Not clear if supported, not tested. |
At least for the device model of mine these commands did not work so far.
| Command | Description | Comment | Response |
|---|---|---|---|
nososcall****** |
Disable SOS call. | Doesn't work. | Password Error |
nosossms****** |
Disable SOS SMS. | Doesn't work. | Password Error |
param1 |
Request some parameters of the device (firmware?, device ID?, IP, port, APN, IMEI?, ...). Doable by the administrator only. | Testing negative: no response from the device. | |
param2 |
Request some parameters of the device (administrator's no., SOS no., mileage?, arming time?, disarming time?, alarm time interval?). Doable by the administrator only. | Testing negative: no response from the device. | |
sleep****** on |
Activate the sleep mode. Dependency to the shock-mode and the time-mode unclear. | Doesn't work. | Invalid Command |
smslink****** |
Doesn't work. | Invalid Command |
|
status |
Request status data of the device (battery, GPRS, GSM, ACC, Oil&Power, Power). Doable by the administrator only. | Testing negative: no response from the device. | |
stockade****** LON1,LAT1;LON2,LAT2 |
Create a geofence as a box defined by diagonal coordinates in the format XXX.XXX[WE] for the longitude and XX.XXX[NS] for the latitude. | No matter the format, getting always 'Password Error'. Already tried: XX.XXXN,X.XXXE;XX.XXXN,X.XXXE (top-left;bottom-right and vice-versa), X.XXXE,XX.XXXN;X.XXXE,XX.XXXN (bottom-right;top-left), XX.XXX,X.XXX;XX.XXX,X.XXX (bottom-right;top-left), 00X.XXXE,XX.XXXN;00X.XXXE,XX.XXXN (top-left;bottom-right), with both the 123456 and my personal password. |
Password Error |
where |
Same as G******#? |
No response from the device. |
Called a 'GPRS Protocol' by the manufacturer.
The device establishes a TCP connection to the address as configured by the adminip command and keeps sending datagrams. The connection gets closed if there is no traffic from the device for a period of time. Each datagram consists of readable characters, it is surrounded with square brackets and fits (for as far as observed so far) in a single TCP packet. There are no separators between the packets.
| [ | SG | * | XXXXXXXXXX | * | XXXX | * | XX...[, comma separated values] | ] |
|---|---|---|---|---|---|---|---|---|
| Datagram beginning | Manufacturer ID (char) | Separator | Device unique ID (dec) | Separator | Datagram length (hex) | Separator | Message type identifier and optionally 'Data Fields' | Datagram end |
The datagram length seems to take into account the 'comma separated values' part, including the message type identifier. Because of some reason, the short (parameter-less messages) are generated with a value of 0009, which can't be explained.
Sent by the device whenever an alarm is triggered. Data fields are identical to the UD/UD2 structure.
It is not possible to know the trigger of the alarm (in opposite to the SMS messages).
Apparently expects the device to get a response in form [SG*XXXXXXXXXX*0002*AL], where the XXXXXXXXXX is the device ID as reported by the device itself.
The meaning of this message is not clear.
Apparently expects the device to get a response in form [SG*XXXXXXXXXX*0002*LK], where the XXXXXXXXXX is the device ID as reported by the device itself.
| No. | Field's format | Description |
|---|---|---|
| 0 | LK | Message type: LK. |
| 1 | 0 | Always 0. No idea. |
| 2 | X | An integer that seems to be equal to the battery charge percentage. |
Sent by the device to announce the ICCID number of the SIM card.
| No. | Field's format | Description |
|---|---|---|
| 0 | CCID | Message type: CCID. |
| 1 | XXXXXX... | CCID value. |
The two message types are identical in their syntax. The UD type is used for immediate reporting, while the UD2 type is generated out of the internally buffered data, while the device was offline for any reason.
| No. | Field's format | Description |
|---|---|---|
| 0 | UD or UD2 | Message type: UD or UD2. |
| 1 | DDMMYY | UTC date of generation of the message. Note: a buffered message can be sent by the device long later than it was generated. |
| 2 | HHMMSS | UTC time of generation of the message. Note: a buffered message can be sent by the device long later than it was generated. |
| 3 | A or V | A: position data available. V: position data void. |
| 4 | XX.XXXX | Latitude (degrees, decimal notation). |
| 5 | N or S | N: north. S: south. |
| 6 | XXX.XXXX | Longitude (degrees, decimal notation). |
| 7 | W or E | W: west. E: east. |
| 8 | XX.XXX | Speed (km/h, decimal notation). |
| 9 | XXX | Direction / heading (degrees, integer notation, always three digits). |
| 10 | X | Altitude (m, integer notation). |
| 11 | X | Integer number (maybe number of satellites?). |
| 12 | X | Integer number, mostly multiply of 10, like 60, 70, 80, 100 (at most). Somehow correlates to the number of satellites (the more satellites - the higher value here). No idea. |
| 13 | X | Battery percentage. |
| 14 | 0 | Always 0. No idea. |
| 15 | 50 | Always 50. No idea. |
| 16 | 00000000 | Always zeroes. Maybe mileage? Maybe vehicle status? |
| 17 | X | Number of LBS cells (see fields 21..23). |
| 18 | 1 | Always 1. No idea. |
| 19 | XXX | MCC. |
| 20 | X | MNC. |
| 21 + (n*3) | X | Area code of the n-th cell. For n = 0..no_of_cells-1. |
| 22 + (n*3) | X | Cell-ID of the n-th cell. For n = 0..no_of_cells-1. |
| 23 + (n*3) | X | Some value of the n-th cell. For n = 0..no_of_cells-1. No idea. |
| last - 1 | Always empty. No idea. | |
| last | 00 | Always 00. No idea. |
gmarfjan's TKSTAR-TK915 SMS Commands
Next: What is wrong with Osram LED bulbs?