mikenemat / plum-probe

A tool to manage Plum LightPads without the iOS app

Question about reverse engineering #3

Closed ncerone closed 7 years ago

ncerone commented 7 years ago

Hi Mike,

This is not really an issue, but I did not find any other means to contact you. I'm currently porting your code to work as a standalone application on Android.

I was wondering how you managed to reverse engineer the communication protocol. I read that you used Wireshark; did you use a man-in-the-middle technique to sniff the HTTPS communication? How did you bypass the credential issue?

Also, as I want my application to be really standalone, did you manage to debug the account creation and the Bluetooth initial setup of the switch?

Last thing: did you find a way to reset the lightpad by software (besides turning off the breaker or removing the faceplate and pulling on the tab)?

Thanks,

Nicola

mikenemat commented 7 years ago

Hello Nicola,

For reverse-engineering the protocol, Wireshark was used only for the local discovery part where a broadcast packet containing PLUM solicits replies from the lightpads.

The bulk of the reverse-engineering for controlling the lightpads and obtaining various tokens and identifiers was performed using Burp Suite to man-in-the-middle the HTTPS communication. Burp Suite acts as an HTTP proxy. You run it on your desktop and then configure the proxy settings in your iPhone to go through it. You can then install the Burp CA certificate on the iPhone to prevent HTTPS cert issues.

Not sure what credential issue you're referring to, but I'll take a stab at it. The lightpads are not controlled by credentials in the traditional sense. Your credentials are used to log in to the Plum cloud service and obtain something called a house token. This is used to authenticate against all of your lightpads locally. You pass the house access token as an HTTP header in all of your requests and then the lightpads accept them. It appears to be static. My Python script will obtain the house token for you.

Regarding provisioning/account creation - no. I haven't touched this at all. My goal for this project was purely to aid in the development of my OpenHAB plugin (also available on GitHub). I'm hoping to take a crack at this (and other hardware-level reverse-engineering) in the future but it will be at least 2-3 months until I have time to do that.

Resetting the lightpad is very straightforward. There is a reboot lightpad command inside the Plum app on the iPhone. If you can't use that, you can use Burp Suite to reverse engineer it and call it via an HTTP request the same way my Python script calls other functions. That being said, I can't think of a use-case where you would need to reset the lightpad when it is still reachable via the app. Usually you are rebooting them for a more serious issue. I've never had to do it via software in the entire year I've had them running. I did have to flip the breaker once or twice when they dropped from the network, but that hasn't been an issue in many months. I think it was fixed via a firmware update a long time ago.
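The two mechanisms described in the reply above, a discovery broadcast containing `PLUM` answered by each lightpad, and a static house access token sent as an HTTP header that the lightpad checks on every request, as an added example that is not part of this thread or of plum-probe. Both sides of each exchange are shown: a constructed stand-in "lightpad" (a UDP responder and a tiny HTTP server on localhost) and the client side. The header name `X-House-Access-Token`, the UDP port, the reply payload, the command path and the token value are all assumptions chosen for the demonstration; the real protocol details are not given on this page. The defender's point the example makes concrete is the last line of the HTTP handler: because the token is static, possession of the header value alone is enough to be accepted, so it needs the same protection as a password.

```python
import http.client
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# From the thread: the discovery datagram "contains PLUM".
DISCOVERY_PAYLOAD = b"PLUM"
# Assumed header name (placeholder); the thread only says the token goes in an HTTP header.
TOKEN_HEADER = "X-House-Access-Token"


def discover(address, port, timeout=1.0):
    """Client side of discovery: send one datagram, collect (ip, reply) until timeout.

    `address` is the broadcast address on a real LAN (e.g. 255.255.255.255);
    the demo below uses 127.0.0.1 so it runs offline.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        sock.settimeout(timeout)
        sock.sendto(DISCOVERY_PAYLOAD, (address, port))
        found = []
        while True:
            try:
                data, (ip, _port) = sock.recvfrom(1024)
            except socket.timeout:
                return found
            found.append((ip, data))


def start_fake_lightpad_udp(reply):
    """Constructed stand-in for a lightpad's discovery responder.

    Binds a random localhost port, answers the first datagram containing PLUM
    with `reply`, then exits. Returns the port so the client knows where to send.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", 0))
    sock.settimeout(5)
    port = sock.getsockname()[1]

    def serve():
        try:
            data, addr = sock.recvfrom(1024)
            if DISCOVERY_PAYLOAD in data:
                sock.sendto(reply, addr)
        except socket.timeout:
            pass
        finally:
            sock.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


class FakeLightpadHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the lightpad's HTTP side: accept only with the right token."""

    house_token = "example-house-token"  # constructed value, not a real token

    def do_POST(self):
        presented = self.headers.get(TOKEN_HEADER)
        # The only check is header equality: a static token is a bearer secret.
        self.send_response(200 if presented == self.house_token else 401)
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_fake_lightpad_http():
    """Serve FakeLightpadHandler on a random localhost port; returns the server."""
    server = HTTPServer(("127.0.0.1", 0), FakeLightpadHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def send_command(host, port, token, path="/example/command"):
    """Client side of a local command: POST with the house token header, return HTTP status."""
    conn = http.client.HTTPConnection(host, port, timeout=3)
    headers = {TOKEN_HEADER: token} if token else {}
    conn.request("POST", path, body=b"{}", headers=headers)
    status = conn.getresponse().status
    conn.close()
    return status


if __name__ == "__main__":
    udp_port = start_fake_lightpad_udp(b"constructed-lightpad-reply")
    print("discovered:", discover("127.0.0.1", udp_port))
    srv = start_fake_lightpad_http()
    http_port = srv.server_address[1]
    print("with token:", send_command("127.0.0.1", http_port, "example-house-token"))
    print("without token:", send_command("127.0.0.1", http_port, None))
    srv.shutdown()
```

Against real hardware the discovery call would use the LAN broadcast address and the lightpads' actual port, and the reply parsing would depend on the real payload format; the loopback stand-ins exist only so the two exchanges can be seen end to end without the devices.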