Open mbafford opened 4 years ago
Late to the party here...Frustrating that they don't expose more local (direct mqtt client) settings on the device when it's clearly capable. I'm tempted to set this up and spam the hell out of the api with no actual changes - just command it to turn the light on repeatedly to get the same status/command with a new nonce counter to compare against the checksum. With any luck it's something dumb like serial number * nonce mod some big prime. https://www.litter-robot.com/ca/litter-robot/parts/litter-robot-iii-connect-upgrade-kit.html Connect motherboard compared to https://www.litter-robot.com/ca/litter-robot/parts/litter-robot-3-open-air-main-circuit-board.html seems basically identical save adding an esp daughterboard. I wonder if they're just using it as a wifi bridge or if any work is being done on the actual esp. Probably a good serial debug test pad in the serial lines between those two...but above my budget to get one of each 😃
I never did anything else with this project - just monitoring the communication was enough to provide the main value I wanted (notification when I needed to check in on the litter robot).
I've since upgraded to the Litter Robot 4 and the app and the robot itself have worked a lot better, so I never even tried intercepting the 4's traffic. I even have the Home Assistant integration setup and it works well. Ideally, I'd go back to a cloud-less approach like I used to have, but I'm pretty happy with it as-is.
But they could so-easily just provide an HTTP endpoint on the device, which I would definitely appreciate. Like you said, looks like they are just running an ESP daughterboard for the comms - at least on the 3.
Unfortunately, I didn't think to keep my upgrade board when I upgraded or I'd send it to you to poke at.
Placeholder to encourage open discussion regarding reverse engineering the checksum.
Observations
AOK,serial,1,same_counter,new_checksum
. _TODO: determine ifnew_checksum
is consistent when message number is consistent._NOK,serial,1,bad_counter,new_checksum
thenNOK,serial,8,bad_counter,new_checksum
- the two new_checksums are different.Potential data-points influencing checksums
Based on 7 days of data, I did some simple analysis of checksums as generated by the robot. Surprisingly, most data-points do not impact the checksum - or they do in a way that multiple values can have the same impact (modulo math?) - for example, looking at checksums seen 11 times over a 7 day period, the CS codes and the message numbers could be entirely unique for each message with the same checksum.
This leads me to believe that the checksum is not based specifically on the message.
query results of
select checksum, count(distinct model), count(distinct serial), ...
: