jterrace / pyharmony

Python library for connecting to and controlling the Logitech Harmony Link
BSD 3-Clause "New" or "Revised" License

How did you sniff the protocol? #7

Closed mark-hahn closed 9 years ago

mark-hahn commented 9 years ago

I have implemented that config example in the code (using the gatorade fork) and the config query works great. But I am unable to get the VolumeDown keypress example to work. I have tried to sniff my wifi with Wireshark to see the packets but my laptop's adapter and/or driver can't capture anything but its own traffic. How did you two, @jterrace and @petele, capture the packets? Is there any trick other than the normal airmon-ng and Wireshark stuff?

If I can get this to work I promise I'll release a new generation of code with some of the to-do list filled out.

My failed communication is below. Any idea what could be wrong? I added the timestamp=0 based on another issue here but it didn't make a difference. I can tell the command is parsed properly because if I misspell anything I get worse errors.

Request:

    <iq type="get" id="#{identity}">
      <oa xmlns="connect.logitech.com"
          mime="vnd.logitech.harmony/vnd.logitech.harmony.engine?holdAction">
        action={"command"::"VolumeDown","type"::"IRCommand", "deviceId"::"19685842"}:status=press:timestamp=0
      </oa>
    </iq>

Response:

    <iq id="278a394f-4d9e-43cf-bc26-5dd204b837bd" to="278a394f-4d9e-43cf-bc26-5dd204b837bd" type="get">
      <oa xmlns='connect.logitech.com' mime='vnd.logitech.harmony/vnd.logitech.harmony.engine?holdAction'
          errorcode='504' errorstring='Insufficient Arguments'>
      </oa>
    </iq>
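The request/response pair above, as an added example that is not pyharmony's own code: a small Python helper that builds the holdAction stanza the way the post shows it (a JSON-like action object with doubled colons, followed by the status and timestamp fields) and parses the hub's `<oa>` reply into its errorcode/errorstring, so a rejection like the 504 "Insufficient Arguments" above can be detected programmatically and matched against the request id. The status value `release` for the second stanza of a key press and the UUID-shaped default request id are assumptions; the thread only shows `status=press`. The embedded hub reply is the one quoted in the post, used here as constructed test input.

```python
import uuid
import xml.etree.ElementTree as ET

# Namespace and MIME type exactly as they appear in the request above.
OA_NS = "connect.logitech.com"
HOLD_ACTION_MIME = "vnd.logitech.harmony/vnd.logitech.harmony.engine?holdAction"

# The hub's 504 reply quoted in the thread, embedded as a constructed test input.
RESPONSE_FROM_THREAD = """<iq id="278a394f-4d9e-43cf-bc26-5dd204b837bd" to="278a394f-4d9e-43cf-bc26-5dd204b837bd" type="get">
  <oa xmlns='connect.logitech.com' mime='vnd.logitech.harmony/vnd.logitech.harmony.engine?holdAction'
      errorcode='504' errorstring='Insufficient Arguments'>
  </oa>
</iq>"""


def encode_action(command, device_id, action_type="IRCommand"):
    """Serialise the action the way the thread's request does: a JSON-like
    object whose key/value colons are doubled (::), which leaves the single
    ':' free to separate the action from the status and timestamp fields."""
    return '{"command"::"%s","type"::"%s","deviceId"::"%s"}' % (command, action_type, device_id)


def build_hold_action(command, device_id, status, iq_id=None, timestamp=0):
    """Build the <iq><oa> holdAction stanza as a string. iq_id defaults to a
    fresh UUID (an assumption; the hub's reply above carries a uuid-shaped id)."""
    if status not in ("press", "release"):
        raise ValueError("status must be 'press' or 'release'")
    iq = ET.Element("iq", {"type": "get", "id": iq_id or str(uuid.uuid4())})
    # The literal xmlns attribute reproduces the default namespace of the request.
    oa = ET.SubElement(iq, "oa", {"xmlns": OA_NS, "mime": HOLD_ACTION_MIME})
    oa.text = "action=%s:status=%s:timestamp=%d" % (encode_action(command, device_id), status, timestamp)
    return ET.tostring(iq, encoding="unicode")


def press_and_release(command, device_id):
    """The two stanzas one key press is expected to produce. 'release' as the
    second status value is an assumption; the thread only shows status=press."""
    return (build_hold_action(command, device_id, "press"),
            build_hold_action(command, device_id, "release"))


def parse_oa_response(xml_text):
    """Extract the fields worth checking from a hub reply: the iq id (to match
    against the request), the mime, and errorcode/errorstring when present.
    Raises ValueError if no <oa> payload is present, since such a reply cannot
    be an answer to an <oa> request at all."""
    root = ET.fromstring(xml_text)
    oa = root.find("{%s}oa" % OA_NS)
    if oa is None:
        raise ValueError("reply carries no <oa> element in namespace %s" % OA_NS)
    return {
        "id": root.get("id"),
        "mime": oa.get("mime"),
        "errorcode": oa.get("errorcode"),
        "errorstring": oa.get("errorstring"),
        "body": (oa.text or "").strip(),
    }


def is_error(parsed):
    """True when the hub rejected the request (an errorcode attribute is present)."""
    return parsed["errorcode"] is not None


if __name__ == "__main__":
    print(build_hold_action("VolumeDown", "19685842", "press", iq_id="example-id"))
    print(parse_oa_response(RESPONSE_FROM_THREAD))
```

Checking `parsed["id"]` against the id you sent is the cheap way to tell a stale or unrelated reply from a real rejection before acting on its errorcode.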
jterrace commented 9 years ago

I used tcpdump on my DD-WRT

mark-hahn commented 9 years ago

Wow. That was a quick response. Thanks. A DD-WRT sounds really cool. I'll check it out.

On Tue, May 12, 2015 at 2:01 PM, Jeff Terrace notifications@github.com wrote:

I used tcpdump on my DD-WRT

— Reply to this email directly or view it on GitHub https://github.com/jterrace/pyharmony/issues/7#issuecomment-101418781.

brendandebeasi commented 9 years ago

You can also use something like Charles proxy or Wireshark

mark-hahn commented 9 years ago

Wireshark can't sniff wifi on windows and my only unix box is my laptop which doesn't have the right driver/adapter. And I just discovered I can't run DD-WRT on my DIR-655 router. Maybe I can pick up a cheap router.

I'll keep investigating. Thanks for the tips.

jterrace commented 9 years ago

I had the same issue - I wasn't able to get Wireshark to run on my wifi network. I already had DD-WRT on my router, so I was able to SSH in and run tcpdump, then open that output file in Wireshark.

brendandebeasi commented 9 years ago

Charles runs cross-platform and is pretty easy to setup. The free trial works with only a nag screen.

mark-hahn commented 9 years ago

Charles runs cross-platform and is pretty easy to setup.

mark-hahn commented 9 years ago

My understanding is that an adapter/driver will either be able to capture promiscuous wifi traffic or not be able to, no matter what the software. Mine apparently cannot. I tried wireshark and tcpdump and tshark.

mark-hahn commented 9 years ago

Possibly stupid question. Does the wifi traffic, particularly the harmony traffic, appear also on the wired lan? Is it like a bridge or a router?

Oh, I guess I answered my own question. It is called a router. So it was a stupid question.

brendandebeasi commented 9 years ago

You would basically want to capture the traffic between your iPhone and the Harmony Link. If you follow the iPhone setup on the Charles website, enable Charles on your computer, and then open / run the Harmony app, you can sniff the traffic.

mark-hahn commented 9 years ago

If you follow the iPhone setup on the charles website,

That sounds cool. Now I have to see if it works on an android.

mark-hahn commented 9 years ago

OK, I am stuck again. Android could only proxy the browser. So I dug up an old iPad. I installed Charles on a windows PC, set it up as a proxy, and pointed the iPad proxy at it.

I could see traffic from the Harmony iOS app but it was only the HTTP traffic. The app would go to port 8088 on the hub, get an HTTP ping, and then start using XMPP. The XMPP would talk directly to the hub and not use my proxy. I'm sure this is what was happening because when shutting down the proxy the remote would keep working until the app detected the missing ping and started asking to connect to a hub.

So I am back to square one. Any ideas?

mark-hahn commented 9 years ago

I'll continue to post my progress here in case someone feels masochistic enough to follow this.

I'm back to square zero. I found an old linksys wrt54g router in my junk pile and even found a power adapter that worked. After much effort I'm now running dd-wrt on it. I've configured it several different ways and it works great. Cool software.

I was kind of baffled as to why the tiny busybox linux was missing key commands like ls, df, ipkg, etc. After poking around in settings I discovered that I have a whopping 300 KB of ram remaining of my 8 MB total. I now realize there is no hope of running anything like tcpdump on it.

so ...

I have had unbelievable luck finding stuff to try. Many things almost worked. But I'm screwed, at least for now.

jterrace commented 9 years ago

I think I followed these instructions to install tcpdump: http://emtunc.org/blog/04/2011/installing-tcpdump-on-dd-wrt-wrt54gl/

You do have to be careful to write a very explicit filter when capturing, since you don't have much space available.

mark-hahn commented 9 years ago

I tried those instructions. My dd-wrt doesn't have JFFS2 nor the ipkg command. I assume this is because of the small amount of ram in my particular wrt54g. Despite the same name, there are many versions with different amounts of ram and flash. I can replace my linksys code with dd-wrt as alternative router software but I doubt I could run anything else at the same time. I can't even install anything else, no matter how small.

I have one more piece of hardware here. That is an HP-stream mini desktop. It has wifi built-in. I'll see if I can find a solution using that. If not then I'm going to have to get new hardware. Either a USB wifi adapter or different router.

brendandebeasi commented 9 years ago

If you have a jailbroken iPhone I believe you can use tcpdump locally.

mark-hahn commented 9 years ago

If you have a jailbroken iPhone

The only iOS product I have is an old iPad 2. It is running iOS 6 which is not breakable. I could upgrade to the latest iOS 8 but I'd get iOS 8.3 which is also not breakable.

A sane person would give up after all I've gone through but golly-darn-it I'm not giving up. I'll look into cheap hardware I could buy.

brendandebeasi commented 9 years ago

You can almost certainly run tcpdump on android. I just have experience with iOS: http://www.kandroid.org/online-pdk/guide/tcpdump.html

mark-hahn commented 9 years ago

You can almost certainly run tcpdump on android.

I hadn't considered actually running tcpdump on my phone. I just tried using the charles proxy on windows and enabling a proxy on android.

I'll try it but it looks like a lot of work. But hey, what's another day after two whole days. (grin) It's a good thing I'm retired.

I'll have to break my phone to get root, put android tools on my pc, and learn all this stuff. And then it may not work. I'll google to see if the wifi chip in my galaxy note 3 can go into monitor mode.

mark-hahn commented 9 years ago

BTW, the broadcom chip in the HP stream mini doesn't support monitor mode. So I've tried 8 (!) ways to sniff my wifi. Running tcpdump on android will be my ninth.

mark-hahn commented 9 years ago

I just ordered a Panda USB Adapter. The web says it works well in monitor mode. I'll get it tomorrow and let you know how it goes and hopefully give you updated details on xmpp commands.

mark-hahn commented 9 years ago

I finally captured the packets with Wireshark. They look pretty much the same as my requests that failed. The only difference is the id field appears to be something keyed to my phone. It is 88413ad726cb858#hltetmo#sm-n900t-28-19 where sm-n900t is the model of my phone. The security auth key is in the from field, not the id. I have copied that id field value to my id field and I'm still getting the "not enough arguments" error. I definitely have the same number of arguments. I'll do more captures to see if that id field changes.

A tidbit of info: The press and release requests are 10 to 100 ms apart. There is no way my finger is that fast. So the phone is sending them both when I press (or maybe release) the key on my phone.

mark-hahn commented 9 years ago

I give up. Logitech won the battle.

I've spent the last two days writing my software to send out exactly what the phone sent out and I keep getting that "not enough arguments" error. getConfig works but startActivity and holdAction give that error.

I even studied the XMPP RFC to understand the Wireshark capture exactly. I learned what all the miscellaneous fields in the XML packets meant and where necessary I put in my own. I was optimistic and I continually improved my app until it was a great module to do everything with the hub. It is great except that it doesn't work.

As much as it pains me I'm going to buy some IR emitter that I can control for sure to sit next to the hub. Does anyone have any suggestions? I'll do a bunch of googling.

P.S. If I was a paranoid person I'd think logitech put some low level key below the xmpp protocol just to block doing what we want. In other words the missing argument is hidden. Needless to say I'm not going to look at packets at the tcp/ip level.

mark-hahn commented 9 years ago

For any lurkers in the future:

I ended up using an iTach Flex wifi. This is a little device the size of a stick of gum. It learns and sends IR over wifi and has a large database of codes. It has a well-documented API for developers. You can use HTTP requests or talk directly over TCP/IP, which is what I did. I highly recommend it. The negative is that it costs more than $90, but it was the cheapest wifi solution.