Can this pull from MQTTS?

[crlogic]

A few details I found from serial console that smarter people might know what to do with it. Feel free to delete if not relevant.

Snippets..

MQTTComms: MQTT Server Configured: mqtts://a2poo8btpqc3gs-ats.iot.us-east-2.amazonaws.com:8883

MQTTComms: MQTTComms_PublishBinaryReadings Topic: $aws/rules/prodIngestBinaryToSQS/prod/binary/$SERIAL/meter

MQTTComms: TOPIC=prod/minions/emporia/ct/v1/$SERIAL/cmd
MQTTComms: DATA={"cmd":"set","live_meter_updates":60}
MQTTComms: DATA={"cmd":"query_debug"}

MQTTComms: SUBSCRIBE to topic prod/minions/emporia/ct/v1/broadcast/cmd
MQTTComms: SUBSCRIBE to topic prod/minions/emporia/ct/v1/broadcast/fw
MQTTComms: SUBSCRIBE to topic prod/minions/emporia/ct/v1/broadcast/verify

http://fwsrv.emporiaenergy.com:21100

plus two plain text certs and one RSA private key pulled from esptool bin backup.

[magico13]

Right now there's nothing like this set up for local access. There was some talk on this forum post but I don't know of any real advancements made on this front. Really hoping for official MQTT access so we can get realtime local data.

[crkochan]

What should be a link to forum post is instead a link to a Humble bundle.

[magico13]

Hmm, it sure was. Must've had my clipboard out of order, fixed now. Here's the full link

https://community.emporiaenergy.com/topic/api-to-pull-data/#post-7806

[crlogic]

Debating a JTAG programmer to pull from the SAMD in hopes of further probing.

If the ESP32 serial headers are any indication [not being connected], then the SAMD headers are not connected either and manually probing that IC would be a pity.

On Wed, Aug 4, 2021 at 4:07 PM Michael Marvin @.***> wrote:

Hmm, it sure was. Must've had my clipboard out of order, fixed now. Here's the full link

https://community.emporiaenergy.com/topic/api-to-pull-data/#post-7806

— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub https://github.com/magico13/PyEmVue/issues/23#issuecomment-892939410, or unsubscribe https://github.com/notifications/unsubscribe-auth/AASNI4YDZLUZO4BOTZZUAX3T3GMY7ANCNFSM5BDELLKA . Triage notifications on the go with GitHub Mobile for iOS https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675 or Android https://play.google.com/store/apps/details?id=com.github.android&utm_campaign=notification-email .

[magico13]

Someone mentioned to me, might have been on Reddit, that they've intercepted the serial communication and sent it out via an esp32 to their local network. Let me see if I can find that message.

Found it: https://www.reddit.com/r/homeassistant/comments/ou6w0s/whole_home_energy_monitor_for_us/h71g75h

[crlogic]

That would be ideal!

On Wed, Aug 4, 2021 at 4:17 PM Michael Marvin @.***> wrote:

Someone mentioned to me, might have been on Reddit, that they've intercepted the serial communication and sent it out via an esp32 to their local network. Let me see if I can find that message.

— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub https://github.com/magico13/PyEmVue/issues/23#issuecomment-892945224, or unsubscribe https://github.com/notifications/unsubscribe-auth/AASNI45PQTXF3HPOMFYLOCTT3GN5RANCNFSM5BDELLKA . Triage notifications on the go with GitHub Mobile for iOS https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675 or Android https://play.google.com/store/apps/details?id=com.github.android&utm_campaign=notification-email .

[magico13]

Looks like they actually did do a write up of how they connected everything. Might be worth trying to go through their steps and see if it's still writing out that data on the serial line. https://docs.google.com/document/d/1tDGpX2XjyVnq4ThRZn4hKrfLy4UUmnX5uWzNcnqArd4/edit?usp=drivesdk

[crlogic]

Is that a Gen1 Vue?

The Gen2 [which I have] does not appear to use the ESP for data collection. The SAMD is connected to two multiplexers and the prevailing theory is that the ESP needs to probe the SAMD for information as I see no serial input on any pins of the ESP.

I got stuck trying to figure out how that 'probe' operation might work. Without a datasheet providing hex/bytearray values that the ESP might use to trigger the SAMD to spit out a measurement, the only thought I have is pulling a bin from the SAMD. But that is above my pay grade.

On Wed, Aug 4, 2021 at 4:23 PM Michael Marvin @.***> wrote:

Looks like they actually did do a write up of how they connected everything. Might be worth trying to go through their steps and see if it's still writing out that data on the serial line. https://docs.google.com/document/d/1tDGpX2XjyVnq4ThRZn4hKrfLy4UUmnX5uWzNcnqArd4/edit?usp=drivesdk

— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub https://github.com/magico13/PyEmVue/issues/23#issuecomment-892949229, or unsubscribe https://github.com/notifications/unsubscribe-auth/AASNI442QOGMQEER3JLPZU3T3GOU7ANCNFSM5BDELLKA . Triage notifications on the go with GitHub Mobile for iOS https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675 or Android https://play.google.com/store/apps/details?id=com.github.android&utm_campaign=notification-email .

[magico13]

I do believe it is a gen 1 which is also what I have. Unfortunately this sort of hardware hacking isn't something I've got any experience with so all I can do is wish you (or anyone else who tries it) luck.

[crlogic]

We all have to start somewhere. This is my first time!

The Vue2 appears to be a good lesson for designers. Don't expose the sensitive IP to an ESP32. The second MCU is a great roadblock for those who haven't done this before.

On Wed, Aug 4, 2021, 4:36 PM Michael Marvin @.***> wrote:

I do believe it is a gen 1 which is also what I have. Unfortunately this sort of hardware hacking isn't something I've got any experience with so all I can do is wish you (or anyone else who tries it) luck.

— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub https://github.com/magico13/PyEmVue/issues/23#issuecomment-892956967, or unsubscribe https://github.com/notifications/unsubscribe-auth/AASNI44MKZN4M4PL7UNI34DT3GQFPANCNFSM5BDELLKA . Triage notifications on the go with GitHub Mobile for iOS https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675 or Android https://play.google.com/store/apps/details?id=com.github.android&utm_campaign=notification-email .

[mitchese]

Have you determined which lines of the ESP32 are connected to the SAMD? I'm working on reversing this, the project started out as an easy AnalogRead of the expanders from the esp32 ... nope :( I've pulled a dump of the esp32 firmware (easy), but the samd is possibly above my pay grade as well for reversing.

It seems to be that the ESP is calling some "protos.DeviceReadings" to do reading, and it looks like it's some kind of serial data. I think it may be the ESP pins 11 and 36 (these are the two that I've found so far). I'll try to scope these when I get a bit of time to see if anything interesting/easy is being sent

[crlogic]

Someone who I'll call 312 has been poking as well.

I2c between the ESP & SAMD

SAMD Pins to ESP Pins:

Pin 19 to Pin 13 (IO14) Pin 18 to Pin 11 (IO26) Pin 16 to Pin 33 (IO21) Pin 15 to Pin 36 (IO22)

Need to decipher encoding.. type, len, data

"2a 19 100b210080a9c484040041310000e0f3aa4fc5403d9352c043 2a 14 08ab07100b1d10474f422d3564d7403d9829c043"

On Thu, Aug 19, 2021 at 6:15 PM Sean @.***> wrote:

Have you determined which lines of the ESP32 are connected to the SAMD? I'm working on reversing this, the project started out as an easy AnalogRead of the expanders from the esp32 ... nope :( I've pulled a dump of the esp32 firmware (easy), but the samd is possibly above my pay grade as well for reversing.

— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub https://github.com/magico13/PyEmVue/issues/23#issuecomment-902287227, or unsubscribe https://github.com/notifications/unsubscribe-auth/AASNI46ZA3KS6EU4BAIORMLT5V7BJANCNFSM5BDELLKA . Triage notifications on the go with GitHub Mobile for iOS https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675 or Android https://play.google.com/store/apps/details?id=com.github.android&utm_campaign=notification-email .

[flaviut]

For the Vue 2, the pins are also IO21 & IO22. I go into more detail on everything in that post, and it's likely to be useful in reversing the Vue 1 too.

I also have a long dump of I2C inputs -> MQTT data outputs here, as well as a dump of the calibration data from the Vue 2's NVS partition.

If anyone is interested in reverse engineering this, please have at it!

[crlogic]

@flaviut - that is a great blog post. Perhaps this should move to an ESPHome discussion since flashing and I2C is now known. We just need to figure out lambda data parsing..

[flaviut]

@crlogic Looks like @Maelstrom96 has figured out the parsing here: https://github.com/flaviut/emporia-vue2-reversing/issues/1#issuecomment-977014050. I don't know if this is the same for the Vue 1, but it's a pretty good place to start.

[magico13]

Doing some issue cleanup so I'm closing this out. For anyone who stumbles upon this issue in the future, I definitely recommend checking out @flaviut's gist on flashing ESPHome for local access https://gist.github.com/flaviut/93a1212c7b165c7674693a45ad52c512