bitcanon / elnasmartmeter

🔌 A simple library for the E.ON Elna built-in API written in Python 3.
MIT License

Possibly breaking changes in FW 1.7.41 #1

Open bingestam opened 1 year ago

bingestam commented 1 year ago

Hi. This library only works with firmware version 1.7.14. With the firmware update of the dongle to version 1.7.41, the API is no longer accessible, according to this thread: https://community.home-assistant.io/t/add-elna-to-home-assistant/486541/41

My own dongle is still on firmware version 1.7.2 which also restricts access to the API.

bitcanon commented 1 year ago

Hi,

I had my suspicions that this would happen, so I have added rules in my firewall denying Elna access to the internet. This will of course disable the energy readings inside the Eon Elna phone app. But I would rather keep my energy readings local.

So, I'm still on firmware 1.7.14 and the local API still works.

Since this is a firmware issue and I don't want to upgrade (and break) my Elna there is little to do about this issue. But I will keep it open until a new firmware is rolled out for the Elna device (hopefully).

Sidenote: For anyone interested, when the Elna device boots up it makes a few DNS queries, one of which is a request for a record pointing to a firmware server (I think it is a CNAME record if I remember correctly).

VGerris commented 1 year ago

Great that this is tracked here too. I wrote Eon to ask to remove the limit. Is there any way to downgrade the firmware or do we have an idea on how to authenticate? Something does, but my guess is it is not the app directly. If so, decompiling the app may give us the auth that is used. Perhaps another way is for someone with the know-how to intercept and sniff the traffic? The thing is that there are alternatives for like 30 bucks that just work, so it needs to be someone with the motivation and time to do so (I have the first, not the second). Ideally a firmware is developed that makes it possible to shut off the data sending externally if preferred.

bitcanon commented 1 year ago

> Great that this is tracked here too. I wrote Eon to ask to remove the limit. Is there any way to downgrade the firmware or do we have an idea on how to authenticate? Something does, but my guess is it is not the app directly. If so, decompiling the app may give us the auth that is used. Perhaps another way is for someone with the know-how to intercept and sniff the traffic? The thing is that there are alternatives for like 30 bucks that just work, so it needs to be someone with the motivation and time to do so (I have the first, not the second). Ideally a firmware is developed that makes it possible to shut off the data sending externally if preferred.

Did you get a reply from Eon about the issue?

My guess is that they will not re-enable the local API and make Elna a subscription service (if they haven't already).

If/when the local API on my Elna gets disabled I will give this one a try: https://www.homewizard.com/p1-meter/

The HomeWizard P1 even has a documented JSON API: https://homewizard-energy-api.readthedocs.io/getting-started.html

VGerris commented 1 year ago

Not yet. Note that the data in the device is just usage, the 'smart' things on top are Eon's software with algorithms and tools for visualization, so there is no straightforward reason to block users from their own data. I wrote the manufacturer too, perhaps there is a reason for some authentication, as long as they document it.

When I don't get a reply soon I will get https://www.zuidwijk.com/product/slimmelezer-plus/ which seems to work too. All open source, working with HA and no crap sent to a cloud. More likely to keep working, one never knows when a manufacturer changes, like those Elna tools.

The one you mention should work too. I do hope we will try to hack into this dongle, or reflash the firmware altogether. By the way, I tried some basic auth, JWT and random URL attempts to get into the URL, but no success. Nothing much from Wireshark yet either, I am not sure how to run it to intercept traffic going from Eon to dongle and back. That traffic must contain the domain it comes from and given the headers show SAMEORIGIN perhaps it would already work by faking the domain with JavaScript. I didn't have time to try, hope someone will :).

bitcanon commented 1 year ago

I did a quick look in my DNS and found that Elna resolves four domain names on bootup:

When looking closer at the DNS record sb.net2grid.com, it is pointing to a firmware endpoint in AWS. Not really surprised that it contacts Google as well for some reason (probably more privacy violations).

sb.net2grid.com

nslookup sb.net2grid.com

Non-authoritative answer:
Name:    firmware-elb-1799667725.eu-west-1.elb.amazonaws.com
Addresses:  52.48.142.176
          63.33.133.196
Aliases:  sb.net2grid.com

gateway.n2g-iona.net

nslookup gateway.n2g-iona.net

Non-authoritative answer:
Name:    ipha-elb-d51a5a474b1b23c0.elb.eu-central-1.amazonaws.com
Addresses:  3.120.5.47
          18.184.57.75
          18.196.54.174
Aliases:  gateway.n2g-iona.net

Most likely the session between the Elna and AWS is TLS-encrypted, but you don't know until you try 😄
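As an added example (not part of the original thread): a short Python script that reads a resolver query log and lists which names one device looked up, following each CNAME the way the nslookup output above does. The dnsmasq `log-queries` format, the device address 192.168.1.50 and the sample log lines are assumptions constructed for illustration.

```python
import re

# Constructed sample in dnsmasq "log-queries" format. The client addresses,
# the upstream resolver and example.org are made up for illustration; the
# Elna names and addresses are the ones in the nslookup output above.
SAMPLE_LOG = """\
Mar  3 10:00:01 dnsmasq[812]: query[A] sb.net2grid.com from 192.168.1.50
Mar  3 10:00:01 dnsmasq[812]: forwarded sb.net2grid.com to 9.9.9.9
Mar  3 10:00:01 dnsmasq[812]: reply sb.net2grid.com is <CNAME>
Mar  3 10:00:01 dnsmasq[812]: reply firmware-elb-1799667725.eu-west-1.elb.amazonaws.com is 52.48.142.176
Mar  3 10:00:01 dnsmasq[812]: reply firmware-elb-1799667725.eu-west-1.elb.amazonaws.com is 63.33.133.196
Mar  3 10:00:02 dnsmasq[812]: query[A] example.org from 192.168.1.20
Mar  3 10:00:02 dnsmasq[812]: reply example.org is 192.0.2.10
Mar  3 10:00:03 dnsmasq[812]: query[A] gateway.n2g-iona.net from 192.168.1.50
Mar  3 10:00:03 dnsmasq[812]: reply gateway.n2g-iona.net is <CNAME>
Mar  3 10:00:03 dnsmasq[812]: reply ipha-elb-d51a5a474b1b23c0.elb.eu-central-1.amazonaws.com is 3.120.5.47
Mar  3 10:00:03 dnsmasq[812]: reply ipha-elb-d51a5a474b1b23c0.elb.eu-central-1.amazonaws.com is 18.184.57.75
Mar  3 10:00:03 dnsmasq[812]: reply ipha-elb-d51a5a474b1b23c0.elb.eu-central-1.amazonaws.com is 18.196.54.174
"""

QUERY = re.compile(r": query\[\w+\] (\S+) from (\S+)$")
REPLY = re.compile(r": reply (\S+) is (\S+)$")

def device_lookups(log_text, device_ip):
    """Map each name the device queried to its canonical name and addresses."""
    queried, cname, addrs, pending = [], {}, {}, None
    for line in log_text.splitlines():
        if m := QUERY.search(line):
            if m[2] == device_ip and m[1] not in queried:
                queried.append(m[1])       # keep first-seen order
        elif m := REPLY.search(line):
            name, value = m.groups()
            if value == "<CNAME>":
                pending = name             # alias; its target is the next reply
                continue
            if pending and name != pending:
                cname[pending] = name
            pending = None
            if value not in addrs.setdefault(name, []):
                addrs[name].append(value)
    report = {}
    for name in queried:
        target, seen = name, {name}
        while cname.get(target) and cname[target] not in seen:  # stop on loops
            target = cname[target]
            seen.add(target)
        report[name] = {"canonical": target, "addresses": addrs.get(target, [])}
    return report
```

Calling `device_lookups(SAMPLE_LOG, "192.168.1.50")` reports only the two names the device asked for; the lookup from the other client is ignored.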

VGerris commented 1 year ago

Mmm, interesting :). If it is possible to capture an earlier (working) firmware, perhaps an update can be faked by versioning it newer and pointing DNS to the local location hosting it. A lot to reverse engineer that way :). I'm guessing the cloud is not authenticating to the dongle directly, you think the app does? So the domain sb.net2grid.com may be a good bet to try with JavaScript.

This shows a Fedora default configured webserver: firmware-elb-1799667725.eu-west-1.elb.amazonaws.com

The dongle does only seem to run on port 80, or perhaps another obfuscated port for SSL then, but 80 is non-SSL.

Let's keep sharing new discoveries, perhaps we can get access, would be nice. Thanks!