Notes about new Orvibo products

David Gray edited this page Feb 12, 2017 · 7 revisions

This will be a sort of scratch-pad of information I've gathered about the newer Orvibo products. The information could be right, wrong, or somewhere in between, and may not make any sense to anyone but me, but it'll slowly organise itself.

  • Newer Orvibo products (I'll call them v2, though it's looking like it's actually v3, with the Kepler being v2) use a different format to the legacy (v1) products.
  • There are two kinds of protocols used by v2 -- PK and DK. PK has an encrypted JSON payload, not sure about DK, but might just be a "legacy-ish" protocol (like v1, where the info is raw in the packet and you need to parse it yourself), as there's no string padding or anything to suggest it's encrypted JSON again. DK packets are usually longer than PK. EDIT: DK packets are encrypted with a separate key. Don't know if the key is the same across all Orvibo products
  • Some packets are two individual Orvibo packets joined together. I've only seen this in setup packets that list all WiFi networks in range
  • Some packets contain encrypted JSON, but also have a bunch of other data at the start. Hard to tell (at this stage) where the data actually is.
  • Unless explicitly mentioned, everything here will refer to PK
  • The decryption key is 16 bytes and obtainable from the Kepler APK. Encryption type is AES/ECB/PKCS5Padding (for all you Java folks out there). In the HomeMate app, there's a bunch of certificates. Not sure what they're used for at this stage, but the app seems to be VERY server-dependent at first glance, which doesn't bode well for us.
  • Confirmation: Devices only respond to commands from the server -- you cannot use these devices (the SmartCube, Coco and B25, at least) if you have no internet. There might be a way to set the server on the device, but it may be hard-coded. Investigation continues
    • I've just purchased a monitor-mode compatible WiFi adapter to capture packets going between the B25 and the server. This should also let me get packets between my phone and the server / device.
  • Most of the info in this page comes from the Kepler APK. The HomeMate app is mostly a bunch of .SO files (so, C or C++) and I don't know how to decompile and work with those, without learning assembly, which I'm not that keen to do.
  • I can create and decode packets, but no devices respond when I send these packets out. It's almost as if they're listening for instructions from an external server
    • If this is correct, then that could possibly mean a server emulator and DNS redirection or finding a way to trick the devices into listening to us
  • Y U DO THIS ORVIBO?
  • Packets are checksummed. This is a crc32 of the encrypted JSON and comes just after the magic word, packet size and protocol identifier ("pk" or "dk")
  • B25 only has one port open (I think) in AP mode: 8295
  • Kepler uses a chip made by MXCHIP. EasyLink setup code for iOS can be found here and in the Kepler APK
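The notes above describe the PK frame as magic word, packet size, protocol identifier ("pk"), a crc32 of the encrypted JSON, and then the AES/ECB/PKCS5Padding ciphertext, and mention that some captures contain two packets joined together. The following Go program is an added example written for this page, not code from the wiki author or from Orvibo, that builds and parses frames with that layout and splits joined frames using the size field. Everything the notes leave unspecified is an assumption here and is labelled as such in the code: the field widths (2-byte magic, uint16 big-endian size covering the whole frame, uint32 big-endian crc32), the magic word (the legacy "hd" is used only as a placeholder), and the 16-byte key (a constructed value, not the key from the Kepler APK). Go's standard library supplies AES, crc32 and JSON, so it runs offline.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
	"hash/crc32"
)

// Assumed layout (the page names these fields but not their widths): magic (2) | size (uint16 BE,
// whole frame) | "pk" | crc32 (uint32 BE) | AES/ECB ciphertext. "hd" is only a placeholder magic.
var magicWord = []byte("hd")
var placeholderKey = []byte("0123456789abcdef") // 16 bytes = AES-128; constructed, not the Kepler key
const protoPK = "pk"
const headerLen = 2 + 2 + 2 + 4

// pkcs5Unpad strips PKCS5 padding (the page's AES/ECB/PKCS5Padding), rejecting malformed padding.
func pkcs5Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("bad padded length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad PKCS5 padding")
	}
	return b[:len(b)-n], nil
}

// ecb runs AES over each 16-byte block independently (crypto/cipher has no ECB helper).
func ecb(key, in []byte, decrypt bool) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil || len(in)%aes.BlockSize != 0 {
		return nil, errors.New("bad key length or data not block aligned")
	}
	op := block.Encrypt
	if decrypt {
		op = block.Decrypt
	}
	out := make([]byte, len(in))
	for i := 0; i < len(in); i += aes.BlockSize {
		op(out[i:i+aes.BlockSize], in[i:i+aes.BlockSize])
	}
	return out, nil
}

// BuildPK frames a JSON object as magic | size | "pk" | crc32(ciphertext) | ciphertext.
func BuildPK(key []byte, payload map[string]interface{}) ([]byte, error) {
	plain, err := json.Marshal(payload)
	if err != nil {
		return nil, err
	}
	pad := aes.BlockSize - len(plain)%aes.BlockSize // PKCS5: every pad byte equals the pad length
	ct, err := ecb(key, append(plain, bytes.Repeat([]byte{byte(pad)}, pad)...), false)
	if err != nil {
		return nil, err
	}
	frame := make([]byte, headerLen, headerLen+len(ct))
	copy(frame[0:2], magicWord)
	binary.BigEndian.PutUint16(frame[2:4], uint16(headerLen+len(ct)))
	copy(frame[4:6], protoPK)
	binary.BigEndian.PutUint32(frame[6:10], crc32.ChecksumIEEE(ct))
	return append(frame, ct...), nil
}

// ParsePK validates magic, size and crc32 before decrypting, so a corrupted or
// tampered frame is rejected before its ciphertext reaches the JSON decoder.
func ParsePK(key, frame []byte) (map[string]interface{}, error) {
	switch {
	case len(frame) < headerLen || !bytes.Equal(frame[0:2], magicWord):
		return nil, errors.New("bad magic word or truncated frame")
	case int(binary.BigEndian.Uint16(frame[2:4])) != len(frame):
		return nil, errors.New("size field does not match frame length")
	case string(frame[4:6]) != protoPK:
		return nil, fmt.Errorf("unsupported protocol id %q", frame[4:6])
	case crc32.ChecksumIEEE(frame[headerLen:]) != binary.BigEndian.Uint32(frame[6:10]):
		return nil, errors.New("crc32 mismatch: payload corrupted or tampered")
	}
	plain, err := ecb(key, frame[headerLen:], true)
	if err == nil {
		plain, err = pkcs5Unpad(plain)
	}
	if err != nil {
		return nil, err
	}
	var out map[string]interface{}
	return out, json.Unmarshal(plain, &out)
}

// SplitFrames uses the size field to separate packets that arrive joined together.
func SplitFrames(data []byte) ([][]byte, error) {
	var frames [][]byte
	for len(data) > 0 {
		if len(data) < 4 || !bytes.Equal(data[0:2], magicWord) {
			return frames, errors.New("leftover bytes do not start with the magic word")
		}
		n := int(binary.BigEndian.Uint16(data[2:4]))
		if n < headerLen || n > len(data) {
			return frames, errors.New("size field out of range")
		}
		frames, data = append(frames, data[:n]), data[n:]
	}
	return frames, nil
}
```

Calling `BuildPK` with a small map and feeding the result to `ParsePK` round-trips the JSON; concatenating two frames and passing them through `SplitFrames` first is how the joined setup packets mentioned above would be handled. Two properties of the described design are worth keeping in mind when reading captures: the crc32 only detects accidental corruption, since anyone holding the key from the APK can recompute it, and ECB mode means identical 16-byte plaintext blocks always produce identical ciphertext blocks, so repeated JSON fragments are visible in the ciphertext even without the key.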