Tuicemens

Pages: [1]

Author Topic: Hacking the X10 Wi-Fi HUB  (Read 2369 times)

Tuicemen

  • Administrator
  • Hero Member
  • *****
  • Helpful Rating: 26
  • Offline Offline
  • Posts: 3711
  • Making Home Automation Fun!
    • Tuicemen.com
Hacking the X10 Wi-Fi HUB
« on: November 21, 2017, 02:19:46 PM »

With the slow progress of the SmartPhone app I thought I'd give this a try.
The manufacture still refuses to release the protocol but I'm hopeful they will see the benefit of releasing it once the WM100 goes into production.
I discovered the WM100 port 18883 and since there is nowhere currently to change this I suspect it is hard coded in the device.
Typing in the address and port in my browser doesn't get a reply.
I figured I'd download and install Wireshark as I had sniffed out code for other Wi-Fi devices before with this.
Unfortunately it has been so long since I've used this last and the interface has change I'm Unsure how to proceed on that front.
I can get the IP to respond but I was missing something.
I then remembered each Smartphone you wish to use the app with  must scan the QR code.
So I figured the app is sending this info each time possibly or at least initial setup.
So I had to figure out what was in the QR code.
There are several QR readers available. I downloaded and installed the QR desktop reader generator from Code Two, this allows you to use your webcam or a saved image to read.
using this I found the Code contained the text {"appkey":"26e884fe-9f25-948537","uid":"Xim8Am5m2GsFvcGd7Pup82nqGxyeDem28y"} (edited in case it is unique).
this looks like a Jason input string to me.
Since debugging calls  to the HA-Bridge also sent these I had a bit of experience and knew I would require Chrome's Postman plugin.
Unfortunately both a post and get results in no response so I'm not entering something right.
 (cB)
I think I can just use Postman to test codes once I can sniff things out with Wireshark.
So I really need help with Wireshark and maybe Postman.
Logged
Get the inside scoop and member perks in the
Members Only Section!

Please don't email me Automation questions 
The forum is for that!

ITguy

  • Full Member
  • **
  • Helpful Rating: 2
  • Offline Offline
  • Posts: 57
Re: Hacking the X10 Wi-Fi HUB
« Reply #1 on: November 22, 2017, 09:44:13 AM »

There is a whole series on using wireshark at hak5.org.  Try a google search using: site:hak5.org "wireshark"
Logged

Tuicemen

  • Administrator
  • Hero Member
  • *****
  • Helpful Rating: 26
  • Offline Offline
  • Posts: 3711
  • Making Home Automation Fun!
    • Tuicemen.com
Re: Hacking the X10 Wi-Fi HUB
« Reply #2 on: November 22, 2017, 12:27:06 PM »

Thanks ITguy,
I'll look into it.
Logged
Get the inside scoop and member perks in the
Members Only Section!

Please don't email me Automation questions 
The forum is for that!

Tuicemen

  • Administrator
  • Hero Member
  • *****
  • Helpful Rating: 26
  • Offline Offline
  • Posts: 3711
  • Making Home Automation Fun!
    • Tuicemen.com
Re: Hacking the X10 Wi-Fi HUB
« Reply #3 on: January 03, 2018, 04:26:17 PM »

I had put this on the back burner as I didn't wish to mess up my testings of the app.
The other day I received a production build version so I started to look at it a bit more.
Since I didn't need to setup port forwarding on my router for internet access I assume this uses P2P. The setup requires holding a sync button until a light starts to flash this opens a gate way which can be seen on your Wi-Fi Networks page called Setup.
I scanned the QR code and compared it to my proto type the APPkey part is the same which I suspected the UID is unique.
This looks like I may be able to  establish a bit of a link since this appears to use a standard IOT setup. :)!  :0~
« Last Edit: January 04, 2018, 05:09:00 PM by Tuicemen »
Logged
Get the inside scoop and member perks in the
Members Only Section!

Please don't email me Automation questions 
The forum is for that!

Tuicemen

  • Administrator
  • Hero Member
  • *****
  • Helpful Rating: 26
  • Offline Offline
  • Posts: 3711
  • Making Home Automation Fun!
    • Tuicemen.com
Re: Hacking the X10 Wi-Fi HUB
« Reply #4 on: January 04, 2018, 05:20:39 PM »

I had thought I might be able to get into this when I found this  write up for the itead sonoff devices.
https://blog.ipsumdomus.com/sonoff-switch-complete-hack-without-firmware-upgrade-1b2d6632c01
Logged
Get the inside scoop and member perks in the
Members Only Section!

Please don't email me Automation questions 
The forum is for that!

Tuicemen

  • Administrator
  • Hero Member
  • *****
  • Helpful Rating: 26
  • Offline Offline
  • Posts: 3711
  • Making Home Automation Fun!
    • Tuicemen.com
Re: Hacking the X10 Wi-Fi HUB
« Reply #5 on: July 03, 2018, 10:24:16 AM »

It looks like the WM100 and app may use MQTT.
Using Wireshark you can see the requests and responses to and from the broker.
Others have reported they think it uses MQTT as well.

I have no experiance with MQTT so It may be a while before I'm up to speed with this.
Other IOT devices have been hacked using ones own MQTT broker so the WM100 may also fall victim to this. :)!

« Last Edit: July 11, 2018, 04:04:56 PM by Tuicemen »
Logged
Get the inside scoop and member perks in the
Members Only Section!

Please don't email me Automation questions 
The forum is for that!

Tuicemen

  • Administrator
  • Hero Member
  • *****
  • Helpful Rating: 26
  • Offline Offline
  • Posts: 3711
  • Making Home Automation Fun!
    • Tuicemen.com
Re: Hacking the X10 Wi-Fi HUB
« Reply #6 on: July 03, 2018, 11:06:18 AM »

I decided to search hacking IoT using MQTT.
This resulted in some surprising info.
https://morphuslabs.com/hacking-the-iot-with-mqtt-8edaf0d07b9b
Since the developer was able to gain access apearently to my WM100 during testing by simply supplying them with the QR code of the WM100, I suspect no authorization is being used or the QR is the authorization.
Logged
Get the inside scoop and member perks in the
Members Only Section!

Please don't email me Automation questions 
The forum is for that!

Tuicemen

  • Administrator
  • Hero Member
  • *****
  • Helpful Rating: 26
  • Offline Offline
  • Posts: 3711
  • Making Home Automation Fun!
    • Tuicemen.com
Re: Hacking the X10 Wi-Fi HUB
« Reply #7 on: July 11, 2018, 03:56:44 PM »

A few users have emailed me their discoveries which almost confirms the use of MQTT
I see Ha-Bridge has a MQTT helper this may come in handy.
I suspect now the UID found in the QR code is the client ID.
Topics I suspect are: Devices, Rooms, Scenes, Setup
The Broker IP and port can be found using Wireshark  I suspect this is the same for everyone but I may be wrong.
The content message may take a bit to figure out ::) :`)
If anyone discovers anything new or can confirm info already reported here or else where please share!
 (Chr)

Logged
Get the inside scoop and member perks in the
Members Only Section!

Please don't email me Automation questions 
The forum is for that!

Tuicemen

  • Administrator
  • Hero Member
  • *****
  • Helpful Rating: 26
  • Offline Offline
  • Posts: 3711
  • Making Home Automation Fun!
    • Tuicemen.com
Re: Hacking the X10 Wi-Fi HUB
« Reply #8 on: September 10, 2018, 10:57:35 AM »

Recent issues with the server and slow software development has lead to more users thinking about this.
My ideal option would be to keep the cloud connection option either the existing server or a new one but allow local control thus allowing options only available from each to work together.
Logged
Get the inside scoop and member perks in the
Members Only Section!

Please don't email me Automation questions 
The forum is for that!

Knightrider

  • Programmer
  • Full Member
  • *****
  • Helpful Rating: 5
  • Offline Offline
  • Posts: 65
  • Home Automator since 1988
    • This Automated House
Re: Hacking the X10 Wi-Fi HUB
« Reply #9 on: September 24, 2018, 10:09:13 AM »

if I get a little time, i may try poking around using LUA. I wiresharked the open requests back to Lana Del Ray, California.

I think I may be on the right track.

Was going to poke around a bit on this rainy Ohio day, but Just got called out to tarp a leaky roof and may be out all day on that project.

When it rains, it pours.
Logged
Tuicemen Software picks up where AHP left off!

Satisfied BVC user since November 2007

Proud Supporter of Xenia Kids and Robots. 
Introducing kids to high technology and teamwork since 2009.
Pages: [1]