Ecoflow BLE - for all Devices, not only for Delta 2 :) #2
Comments
|
Hi, I have a few questions to the process:
|
|
Hi.
1 - the app "nrf connect" ONLY for look on device and get RAW data (SN + CPU id etc) - just for info
2 – BLE Commands (like hassio for open port commands) contain command – connect to WiFi.In ,obile app = when connect to wi-fi network – you select wifi, input assword… and…and device connect to mqtt ecoflow server.So – this command contain wifi name, wifi password, certificate URL. – if you change this url for own.. The most important thing is all - you need to be able to send commands to the device using bluetoos.Hassio system – works in open port. BLE = the same. It does not matter - you need to be able to send commands to the device. If you can do this, you can replace the certification url with your own. If you can intercept the certification request, then you can replace the meaning in the answer. It sounds difficult - but it is made quite easily.
3 - By intercepting a request from a certification device - you perform a real request to the server. From the server you will receive a login and password for the device. But you can return the device not entirely correct data. For example - changing the mqtt server to other
|
|
Impressive information you have found out! I wonder how you can obtain the firmware and analyze possible internal and not so internal commands. It is also pretty scary that there are such dangerous commands, it might be a good idea somehow to protect from those commands. In theory, Ecoflow can also issue that command via MQTT from the server and explode your device. Interesting that it seems that topics for user and device completely differ. Very interesting find! It may be cool to bridge your MQTT to Ecoflow server (if you want) and both have reliability and control of your own server and ability to use EF Cloud GUI app for control and management. |
|
Yes, I have already done all this and get it. (xor, obfuscation etc... em... no. Just - is china (not free) lib for data with header - 7bytes) :)
and... PLEASE - don't talk to me in the language that's been put into your head. Have your head. What you are given as a solution - always check. you real.... do you really think that 7 bytes per message is normal? and do you really think that (oh gods - how smart you need to be) - inverting is the meaning of the whole process? seriously ? )))))) XOR ? )))) realy ??? ))) cool ))) ambelivible! )))) it is really difficult to come to this with data before and with data after) "v2 and v3 "- don't repeat without knowing what other people are saying. That's why I'm alone, but I don't talk nonsense.
"It may be cool to bridge your MQTT to Ecoflow server (if you want) and both have reliability and control of your own server"
All this has already been done for a long time - I wrote about it. And I don’t even need EF Cloud GUI - I see everything and control everything. When you have your own mqtt server, you no longer need EF Cloud GUI :) at the same time, neither the device nor the ecoflow server knows that they are completely listening :)
for investigate -
device<-->my mqtt srv<--->my mqtt client with device account<---->ecoflow.mqtt
for me -
device<-->my mqtt srv
In the list of topics to which the device itself is subscribed and uses - there is an update.The device first of all sends the firmware numbers of all its modules. The server returns whether they are the latest or not. There is a lot of work for investigate. There are many things that are still not clear. But there is something to deal with. That's why I gave this information. So that people would start doing something further, and not get stuck on what they have.
BUT. BLE commands (some commands) not duplicated in mqqt and for me - more interesting then mqtt.
But the most interesting is the open ports that appear after sending the wifi shutdown command. but I don't have enough for that.
----
it also makes sense not to do such a long way and see how it turns out - &sign= for
/iot-auth/device/certification
may be the same like for user but needed some like this to
https://api.ecoflow.com/auth/login
but using
""scene"": ""IOT_DEVICE"", instead of IOT_APP
and using some other like SN&cpuId instead of email and password. - i do not not know.
or change "userType"": ""ECOFLOW" to some other.... needed investigate this.
Wireshark do not displayed post data. but this is all possible - but not interested for me.
------------------
Now the most important thing is that I don't post my sources - just because - almost all of you use python. methods for dotnet are obviously not suitable for you, in my opinion - just the meaning is important.
BUT - for intercept request i used - EmbedIO nuget, RestSharp for send requests, for mqtt - client/server i used MQTTnet
and I have no idea what analogues for this all there are in python - but definitely they are :)
-------
and I want to repeat, in fact, the most important thing among this heap of text. That - over which I suffered for a whole month to understand. The truth turned out to be simple, but the price for it was paid by time.
**"!!! needs to be configured MTU !!!" for BLE.**
among all I have written - oddly enough - this is the most important thing.
+100$ to repair burnt capacitors :))))
-------------
i do not know - what this data mean after send BLE cmd
53 - 53 - 9
01 00 00 00 02 00 00 00 00 01 02 03 04 05 06 00 0A 0A 0A 0A 00 54 00 00 AA AA AA AA
Guid ? cert hash ? or...
i do not know
53 - 53 - 71
53 - 53 - 26
53 - 53 - 3
why not callback or how using
53 - 53 - 1 - Bluetooth distribution network setting domain name
53 - 53 - 54 for delta pro: len + String //iot password verification ????
and many other...
I'm waiting for people - with whom it will be possible to talk and who will already tell me where, how and why. I also have many questions. But so far I see only one thing - people are content with what they have.
Corporate mqtt server ? auth + online ? - seriously ? does that make sense? I even admit that I am far from being a pioneer. They just don't talk about it so that the exploit is not closed. Or sell for money. :)
----
for a very long time - I just wanted to write a mobile application, not as dull as what we have. Where can I pull widgets on the screen. Where can I view graphs of all values... similar
https://github.com/berezhinskiy/ecoflow_exporter (many thanks to this man! I brought out all the parameters including from an additional battery - and watched how my device lives, how it breathes.)
but in mobile version. where the display of data is implemented both through bluetooth and through the mqtt, store data, the ability to export this data to other systems. I have been quietly working on this. I don't need HomeAssistanse. but now I'm just tired. Maybe someday I will see a decent mobile application that raises three services (BLE/IOT/MQTT), can change MQTT SERVER!!! and contain OWN, OFFLINE!. etc.... but now I'm just tired.
|
|
Unbinding from cloud MQTT server is pretty important because during periods of winter blackouts first of all connection to those servers was unreliable, and sometimes even the server itself was offline for prolonged time periods, that caused instability in collected metrics and alerts about blackouts. I had some development with hardware ESP32 module that bridges bluetooth to local wifi and microservices that pull data and provide it to prometheus, but BLE turned out to be unstable just as well as the MQTT cloud. Moreover, somehow, when ESP32 module is used then sometimes delta2 forgets about it's wifi credentials and fails to connect (when BLE is not used it worked for months without such effect). v2 and v3 - thats result of my understanding that I obtained from analyzing android application and the native library first of all, not from someone else's code. But I have not encountered v3 packets in the wild, only v2, and they differ very slightly (2 extra bytes in header). About burnt capacitors I hope that it would not start fire, just stop working. Also replacing capacitors would not help, you need also to reset voltage to correct values? I do not understand how that command does not accept some parameters, maybe if called without parameters it assumed some default (0x00 or 0xFF) or garbage from memory and changed to inadequate values? And yes, kind of agree, that if you have full control it is more reliable - but you need time to make your own app and I think you would not be able to upgrade firmware in that way. And maybe that MTU thing is the source of problems with my ESP32 module, now I process data in stream and scan for valid structure packets, but maybe increasing MTU will help too. Thanks! |
|
1 - ble - cannot be unstable. nothing is more stable. there is a delay. but stability. stability is stable. |
|
emm.. maybe this will help :) and sorry - this is not pyton solution :) |
|
Simple GET. Without sign and timestams params - working too :), strange, unsequre, but working. MQTT SNIFFER :) 1 - connect to ecoflow mqtt srv with device credetials - localdevcli.cs 2 - run local mqtt srv - localdevsrv.cs Run BLE command to connect to WIFI + intercept request + change responce (set mqtt srv 192.168.0.105) You will see all data,command etc... this is all ONLY - binding and periphery. - it's secondary. |
ipalchuk
changed the title
|
Around Security. Opened and documented online offline api with authorization. Software with a button - "advanced" (rather than an iridescent green bar) - and everyone would be bored :) jegres1709 |
|
it would be nice to have a precise instruction how to change the mqtt server to be independent from ecoflow and to prevent wifi reconnects with a fallback scenario. other things are not very interesting for me. we are already able to read all relevant data and to change states of switches and some values. so if you could share with us the needed hardware and software and also the steps how to proceed , i would appreciate it very much! |
|
Well, about MTU, I did not care about it, in ESP32 I appended all data to a ring buffer and another method was reading from it and parsing valid packets. Increasing MTU might increase stability (since packets will get cut and lost much less often), and I did not yet try issuing commands to the device so I think I did not encounter that problem. About the instability - ESP32 sometimes lost connection to Ecoflow, sometimes very often - but that might be because of WiFi + BLE running simultaneously, I guess if I use ESP32 with Ethernet (such as, for example, ESP32-POE module) it will be way more stable.
Omg, thats total BS! |
|
Just for test. If in one network - mobile(android), ps(windows), ecoflow(delta2). after you play enough and you like it or you don't like it. Launch the branded application and connect to the network through it - everything will return as it was. THIS IS ONLY FOR TEST. (programs are not completed and raw) |
|
thank you very much! it´s amazing! Now I need only to get my existing MQTT Mosquitto broker working. Somehow it couldn´t appear in the mobile app, but only the mqtt server created by you. |
|
stop. It's not for use at all. these are just old sketches. these two apps are SPECIALLY made to work together. just for fun. in your case, you need the mobile application to redirect to your broker immediately OR (which is better) so that my broker sends everything mirrored to your broker through itself. why is it better - because some requests from ecoflows need to be answered, I doubt that your broker will be able to do this or you need to write a script for it, so that when a certain request is received, you need to definitely answer. if you look closely, occasionally ecoflow sends its versions of modules. and should send only once. because it expects an answer - are they fresh or not and if an update is needed. I didn't auto-reply. it was also planned to add an auto-connect in my broker to a real ecoflow server. a mobile application is generally like a primitive example of working with bluetooth. no settings etc. Sorry, you're speaking as a user(not developer), and a lot of things are wrong, but that's not the point. you can just see with your own eyes that it works, and with this everything you can do anything and many times cooler than with what everyone uses. |
|
okay, understood :) |
|
"change it to my already exisitng mqtt broker" Do you can connect to it throw: as example
If you can. So for test i can add to mobile app option and before run connect command, you can input own mqtt server name or ip. (Similar like wifi pwd) |
|
yes, i have a mosquitto broker running in home assistant in my local network , so i know ip and port for sure and it supports tls auth and is working on port 8883. |
|
only ip or address WITHOUT port. we assume that the port is always 8883. For developers: And yes. "it´s amazing!", but for 3 persons :))) TLS. If this is managed server, you can add support tls, but allow all clients and skip check certificate etc. And main question. Why you need connect to some other mqtt brocker? Left this on windows. And you can work with it. Connect to it, post and listen topics etc. FOR ALL: ---please redownload file |
|
that helps a lot! I managed to connect to my mqtt broker. Now I have to investigate the data to work with HA. Some of the switches (like enable/disable USB, AC, DC, etc.) are working already! "Why you need connect to some other mqtt brocker" : because I´m running a proxmox server with HomeAssistant 24/7 on a tiny machine and not on my main pc. "And yes. "it´s amazing!", but for 3 persons :)))": I think with this thread/issue it will reach much more people, who will work on this :) |
|
Pff.. so problem only with different system. Proxmox - lunux. I used Library mqttnet dotnet/MQTTnet#1355 works on lunux. Mayby in Python exist solutiin too. So - needed just write mqttserver with path throw connection to real server (more adaptive) but portable for diff. platforms. jegres1709, AND. I repeat. don't take it as a complete solution. the server MUST respond that the firmware does not need to be updated. without it - 1 - the device litters the air by constantly sending versions of its modules. 2 - my device disconnected after a while. probably believed that since the server does not respond to its requests, then something is wrong. We don't need instability here. but ... this is guesswork, or maybe an accident. In any case, there is a semi-solution, but there is a full-fledged solution. Skydev0h MTU. skipping an incomplete package is wrong. you can still get data from it. to wait only for a full-fledged one is to skip more than half of the packets. correct mtu - all packages are full. and not "maybe" -that's for sure :) i uploaded source code. For me: for windows and android - enough (what I know, I did it.) So.. needed normal developer on Python :) |
|
jegres1709 To check stability. After Connect to your broker (or simple after connect), you can send command 33-53-53-51 - Disable bluetooth module. Good luck. I don't work in this area anymore. If you need something from me (advice, consultation, source code) - contact me. |
|
Thank you very much! I think you helped a lot already! |
|
I loaded this on a Fire 8 Tablet (Amazon) and the app starts but then closes after a few seconds (no error displayed). I do not know if the Fire 8 is too old or is missing something that a normal android device would have. My mobile devices are iOS and this old Fire 8 is the only android device I have other than android emulators (BlueStacks on Win10) and, unfortunately, there is no BLE support in Android emulation... I am not a developer but I am familiar with coding and scripting. Most of my scripting experience in recent years is Power Shell on Windows. I've never done any coding for BLE so I'm outside my knowledge on that. Like @jegres1709 my primary interest is configuring my EcoFlow devices to use my own local MQTT broker over WiFi and controlling everything using Home Assistant via MQTT. |
|
I think the problem is in the android version, although it may be in the device itself. can do it under iOS (yes, can do it for everything), but I don’t do it. I do not regard this application as an application at all. This is an example. |
I tried it on an old Samsung Android Tablet I borrowed as well but it would not install so I think it does require a recent version of full Android on a device that is not outdated. If I understood a bit more about BLE and how to interface properly I might be able to create and share a Power Shell script for changing the MQTT configuration on the device... |
|
and it would only be for windows devices with bluetooth. this is not line-by-line execution of commands. This program. which has functionality. you won't do it in Power Shell. С#, java, python etc, but not shell |
It could be built in Power Shell cross platform with the appropriate module. But, as I said, I am not familiar with BLE communication or programming for it. I realize this would not be a robotic script but once the correct address for D2 is known (or can be programmatically obtained) it should just be a matter of connecting and sending the correct sequence to configure D2 to use local MQTT. The script could use a configuration file or even hard coded variables for the device and local MQTT server address/port (to provide an easy way to switch the device back to "local mode" as needed). Obviously, the local MQTT server would need to be configured correctly but it appears those of us integrating with Home Assistant could use the local Mosquito Broker for the local MQTT and configure everything else using YAML for MQTT sensors in HA. We just need an easy way to point the device to Mosquito Broker without having to learn and program for BLE... |
@jegres1709 - That set of bytes must be transmitted to the device immediately after opening the connection otherwise the device will close the connection within a couple seconds. Take a look at: |
|
works great! thank you very much ! just blocked the internet connection for D2 in my fritzbox again |
|
@Ne0-Hack3r For some reason I can't get it correctly to do the command to set mqtt server, can you give access to repo to take a look at the scripts? |
|
@Ne0-Hack3r thanks a lot, looks very interesting. Guess it's time to finally take control over those Deltas from the corporates. |
As long as we don't have to keep updating firmware and they don't keep erecting new barriers. If I could just gain local control of my SHP I'd block internet to/from all EF devices and feel much more secure and "in control" of my own devices. |
|
@Ne0-Hack3r could I have invite also, please? |
|
Hi, @Ne0-Hack3r can I get an invite too? Thanks in advance |
|
Hello, @Ne0-Hack3r I am trying to figure this up to have linux applicatoin that can connect to the ecoflow. |
|
@Ne0-Hack3r, could you please invite me to the ef-mqtt-hacks-ha repository? I live in a region with a lot of blackouts and would like to monitor the ecoflow properly. Thanks in advance. |
|
Hello there, @Ne0-Hack3r, can I join the ef-mqtt-hacks-ha repo as well? Thanks! |
|
@isouriadakis @luiseduardobrito @rawdigits @shaddow501 |
|
@Ne0-Hack3r could you please invite me to the ef-mqtt-hacks-ha repo too? I am looking into the possibility of building a dongle that will automatically start any generator when the battery level drops to a certain point. |
|
@legomind - done. |
|
@Ne0-Hack3r could you send me an invite, or make your repo public? Thanks in advance. |
|
@Ne0-Hack3r could you send me an invite too |
|
Doh - i was away when the invite was sent. If you have a chance to send it again, I promise I'll be available to click the link. :) |
|
Would it be possible to get an invite to your repo as well? |
|
Invites sent |
|
Would it be possible to get an invite to your repo as well? |
|
@loicpipoz - done. |
|
Hey, I'd too like to request access to that repo. Thanks! |
|
I've been away from this project for a while. Invite sent. |
|
@Ne0-Hack3r can you give me access, too? I am tried my best to get it working myself but I cannot figure out what data I have to send to prevent the device from terminating the connection... |
|
Also all of my commands start with |
Done. |
|
@Ne0-Hack3r |
|
Hi @Ne0-Hack3r, could you please invite me to your private repository? Thank you! |
and others
Hi all :)
Yes, BLE - right way.
Hassio - stuck on open port 8055
v1ckxy - stuck on declaring the basic principles of working offline
tolwi - realize only user corporate MQTT
BUT - exist much more interesting solutions. Absolute independence of the device from the corporation, from the presence of the Internet. With support for a much wider range of devices. and using DEVICE mqtt (LOCAL mqtt server :)) ).
So. let's start:
Please install mobile app - nrf connect. Find and connect to device. Look to RAW ble header. So....
0 - RAW - (topic,lenght)data(topic,lenght)data(topic,lenght)data....
02-01-06 1B-FF-B5-B5-12 52-33-33-31-5A-45-42-34-5A-45-42-47-30-FF-FF-FF 63-00-20-BC-5F-01-93 11-FF-C5-C5-12 36-02-13-50-34-47-FF-FF-FF-FF-FF-FF 5D-0C-09 52-33-33-2D-30-34-35-34-00- 14-0D
a) Device SN - 52-33-33-31-5A-45-42-34-5A-45-42-47-30-FF-FF-FF (utf8)
b) battery level - 63 and some other data
c) 36-02-13-50-34-47-FF-FF-FF-FF-FF-FF - CPU Id
d) 52-33-33-2D-30-34-35-34 - short name of device (utf8)
1 - install JADX (dex to java) application and decompile in ecoflow.apk - *.dex files (look on com/ecoflow folder)
2 - If you're not normal at all - IDA (not free) or Ghidra Software Reverse Engineering Framework (free) to disasm base packet engine placed on \lib\arm64-v8a\libnative-lib.so in apk file
So. let's focus on the first option.
Examine the files and you will get a list of many commands, like for mqtt, iot, ble for - ALL different devices.
everything else is correct. But this is not enough.
1 - the device model is determined by the first two or three bytes of the serial number (attachment).
2 - to send commands, to receive data (full) - MANDATORY! needs to be configured MTU (Maximum Transmission Unit) 136 for start - will be enough (for DELTA 2). Chinese programmers didn't properly implement package merging :)
3 - the number of commands is not limited to those described and implemented by hassio.
So - for start i recommend doing the module under the number 53(decimal) (ble/wifi module)
53 - 53 - 0 : Reconnect to mqtt
53 - 53 - 5 : (0/1) enable-disable wifi module. And Yes. This open some intresing ports of device;
PORT STATE SERVICE VERSION
340/tcp filtered unknown
1062/tcp filtered veracity
1216/tcp filtered etebac5
1600/tcp filtered issd
2030/tcp filtered device2
3333/tcp filtered dec-notes
4006/tcp filtered pxc-spvr
5051/tcp filtered ida-agent
5432/tcp filtered postgresql
6543/tcp filtered mythtv
9968/tcp filtered unknown
10002/tcp filtered documentum
10617/tcp filtered unknown
50000/tcp filtered ibm-db2
52869/tcp filtered unknown
53 - 53 - 8 - wifi networks - (id)(name lenght)(name)... (id)(name lenght)(name)...
53 - 53 - 4 WiFI connection - MAC/IP/WiFi Name (32 bytes)/Password(32 bytes)
53 - 53 - 10 - (0/1) connect/disconnect MQTT connection
53 - 53 - 51 - disable BLE module. Restatr device manualy to enable BLE
53 - 53 - 52 - BLE RAW Data - COD(class of device)/MAC/MAC?/RAW
53 - 53 - 112 - isenabled - wifi/?/mqqt
53 - 53- 32 - callback - when device connecting
53 - 53 - 11 - in private email message :)
53 - 1 - 65 - FRONT PANEL SN and CPU
53 - 1 - 64 - Frp - SN
53 - 1 - 5 - WIFI Ver
53 - 1 - 20 - reconnect
And many other interesting, not mention in apk file sources,,,because exist device firmware, and in this firmware realize some options ONLY for internal using and absolutly not for public and not for ecoflow GUI developers :)
FINALY.
1- i has MY OWN mqtt SERVER.
2 - divice connected to it, and thinks it's a corporate server.
3 - i has mqtt client, which is connected to the corporate server, but not as a user - as a real device.
4 - my client and server communicate with each other to monitor everything that and how the corporate system manages the device.
subscribed:
/ota/module/inform/80/R331ZEB4ZEBFFFFF/reply
/ota/wifi/inform/80/R331ZEB4ZEBFFFFF/reply
/ota/wifi/upgrade/80/R331ZEB4ZEBFFFFF
/ota/wifi/progress/80/R331ZEB4ZEBFFFFF/reply
/ota/device/inform/80/R331ZEB4ZEBFFFFF/reply
/ota/device/upgrade/80/R331ZEB4ZEBFFFFF
/ota/device/progress/80/R331ZEB4ZEBFFFFF/reply
/sys/80/R331ZEB4ZEBFFFFF/thing/event/post_reply
/sys/80/R331ZEB4ZEBFFFFF/thing/property/set
/sys/80/R331ZEB4ZEBFFFFF/thing/property/get
/sys/80/R331ZEB4ZEBFFFFF/thing/battery/get
/sys/80/R331ZEB4ZEBFFFFF/thing/property/get@AtMostOnce
/sys/80/R331ZEB4ZEBFFFFF/thing/property/set@AtMostOnce
/sys/80/R331ZEB4ZEBFFFFF/thing/event/post_reply@AtMostOnce
/sys/80/R331ZEB4ZEBFFFFF/thing/battery/get@AtMostOnce
/ota/wifi/upgrade/80/R331ZEB4ZEBFFFFF@AtMostOnce
/ota/wifi/progress/80/R331ZEB4ZEBFFFFF/reply@AtMostOnce
/ota/device/upgrade/80/R331ZEB4ZEBFFFFF@AtMostOnce
/ota/device/progress/80/R331ZEB4ZEBFFFFF/reply@AtMostOnce
post topics
/sys/80/R331ZEB4ZEBFFFFF/thing/property/post
/ota/wifi/inform/80/R331ZEB4ZEBFFFFF
/ota/device/inform/80/R331ZEB4ZEBFFFFF
/ota/module/inform/80/R331ZEB4ZEBFFFFF
commands like operateType : analysisExtSc/analysisIntSc/analysisVol etc... (do not exist in app - only for device) and many other.
1
when device connecting to mqtt throw BLE command (connect to wifi) in this command exist path to certificate (the same like for user) but path -
https://api.ecoflow.com/iot-auth/**device**/certification
If change this path in command to own (for example - 192.168.2.33:8080/cert)
and intercept this connection you can see request from device -
?sn=R331ZEB4ZEBFFFFF&cpuId=360213503447303832155FFF&timeStamp=123132333"&sign=Y7VJLGVhsQy_N3KKVngeOtPjG0BaH0AwTDiqEss44ds
2
run this request to corporate host and you recive json data like for user but some differ
{"code":"0","data":{"clientId":"R331ZEB4ZEFFFFFF","password":"d23f87052c92489ea1cf43f1463fFFFF","port":"8883","productKey":"80","protocol":"mqtts","url":"mqtt.ecoflow.com","username":"device-eb3bb8586a874f9ab0f3755fc3FFFFFF"},"message":""}
This is credetials for mqqt server for DEVICE (not for user). And this operations needed only once.
3 -
Now you has 2 ways.
1 - just using mqtt with connection to corporate host like device
2 - replace in request mqtt server and port to own. for example ,"url":"192.168.33.33" etc
3 - device remember this and not needed this do every time - just once.
4 - after this - the most interesting will begin
So.
I am completely independent, I know everything that happens. I don't need a corporation, and it doesn't need to know what and how I have. I don't need internet. I don't need authentication and verification.
I wish you all the same :)
Very important! Don't use brute force to find interesting commands and modules. There is a command (without parameters) - which is simple in the inverter - changes the voltage and in an instant - your capacitors (in the literal sense) explode. Yes - it looks like a self-destruct command :) It's funny, but who knows this command and just has a phone with bluetooth - can really burn the device with one click. someone else's device :) (module 4 ..commandset 13+ )
Assets.zip
The text was updated successfully, but these errors were encountered: