nielsole / ecoflow-bt-reverse-engineering

Reverse Engineering of Bluetooth interface of Ecoflow devices
MIT License

Ecoflow BLE - for all Devices, not only for Delta 2 :) #2

Open ipalchuk opened 1 year ago

ipalchuk commented 1 year ago

Hi all :) Yes, BLE - right way.

Hassio - stuck on open port 8055
v1ckxy - stuck on declaring the basic principles of working offline
tolwi - realize only user corporate MQTT

BUT - there exist much more interesting solutions. Absolute independence of the device from the corporation, from the presence of the Internet. With support for a much wider range of devices. And using DEVICE mqtt (LOCAL mqtt server :)) ).

So, let's start: Please install the mobile app nRF Connect. Find and connect to the device. Look at the RAW BLE header. So....

0 - RAW - (topic,length)data(topic,length)data(topic,length)data....
02-01-06 1B-FF-B5-B5-12 52-33-33-31-5A-45-42-34-5A-45-42-47-30-FF-FF-FF 63-00-20-BC-5F-01-93 11-FF-C5-C5-12 36-02-13-50-34-47-FF-FF-FF-FF-FF-FF 5D-0C-09 52-33-33-2D-30-34-35-34-00-14-0D
a) Device SN - 52-33-33-31-5A-45-42-34-5A-45-42-47-30-FF-FF-FF (utf8)
b) battery level - 63 and some other data
c) 36-02-13-50-34-47-FF-FF-FF-FF-FF-FF - CPU Id
d) 52-33-33-2D-30-34-35-34 - short name of device (utf8)
1 - install JADX (dex to java) and decompile the *.dex files in ecoflow.apk (look in the com/ecoflow folder)
2 - If you're not normal at all - IDA (not free) or Ghidra Software Reverse Engineering Framework (free) to disassemble the base packet engine placed in \lib\arm64-v8a\libnative-lib.so in the apk file

So, let's focus on the first option. Examine the files and you will get a list of many commands, like for mqtt, iot, ble - for ALL different devices. Everything else is correct. But this is not enough.
1 - the device model is determined by the first two or three bytes of the serial number (attachment).
2 - to send commands, to receive data (full) - MANDATORY! the MTU (Maximum Transmission Unit) needs to be configured. 136 for start will be enough (for DELTA 2). Chinese programmers didn't properly implement packet merging :)
3 - the number of commands is not limited to those described and implemented by hassio. So - for start I recommend doing the module under the number 53 (decimal) (ble/wifi module)

53 - 53 - 0 : Reconnect to mqtt
53 - 53 - 5 : (0/1) enable-disable wifi module. And yes, this opens some interesting ports of the device:
PORT STATE SERVICE VERSION
340/tcp filtered unknown
1062/tcp filtered veracity
1216/tcp filtered etebac5
1600/tcp filtered issd
2030/tcp filtered device2
3333/tcp filtered dec-notes
4006/tcp filtered pxc-spvr
5051/tcp filtered ida-agent
5432/tcp filtered postgresql
6543/tcp filtered mythtv
9968/tcp filtered unknown
10002/tcp filtered documentum
10617/tcp filtered unknown
50000/tcp filtered ibm-db2
52869/tcp filtered unknown

53 - 53 - 8 - wifi networks - (id)(name length)(name)... (id)(name length)(name)...
53 - 53 - 4 - WiFi connection - MAC/IP/WiFi Name (32 bytes)/Password (32 bytes)
53 - 53 - 10 - (0/1) connect/disconnect MQTT connection
53 - 53 - 51 - disable BLE module. Restart device manually to enable BLE
53 - 53 - 52 - BLE RAW Data - COD (class of device)/MAC/MAC?/RAW
53 - 53 - 112 - isenabled - wifi/?/mqtt
53 - 53 - 32 - callback - when device connecting
53 - 53 - 11 - in private email message :)

53 - 1 - 65 - FRONT PANEL SN and CPU
53 - 1 - 64 - Frp - SN
53 - 1 - 5 - WIFI Ver
53 - 1 - 20 - reconnect

And many other interesting ones, not mentioned in the apk file sources, because there exists device firmware, and in this firmware some options are realized ONLY for internal use and absolutely not for the public and not for ecoflow GUI developers :)

FINALLY.
1 - I have MY OWN mqtt SERVER.
2 - the device is connected to it, and thinks it's a corporate server.
3 - I have an mqtt client, which is connected to the corporate server, but not as a user - as a real device.
4 - my client and server communicate with each other to monitor everything that and how the corporate system manages the device.

subscribed:
/ota/module/inform/80/R331ZEB4ZEBFFFFF/reply
/ota/wifi/inform/80/R331ZEB4ZEBFFFFF/reply
/ota/wifi/upgrade/80/R331ZEB4ZEBFFFFF
/ota/wifi/progress/80/R331ZEB4ZEBFFFFF/reply
/ota/device/inform/80/R331ZEB4ZEBFFFFF/reply
/ota/device/upgrade/80/R331ZEB4ZEBFFFFF
/ota/device/progress/80/R331ZEB4ZEBFFFFF/reply
/sys/80/R331ZEB4ZEBFFFFF/thing/event/post_reply
/sys/80/R331ZEB4ZEBFFFFF/thing/property/set
/sys/80/R331ZEB4ZEBFFFFF/thing/property/get
/sys/80/R331ZEB4ZEBFFFFF/thing/battery/get

/sys/80/R331ZEB4ZEBFFFFF/thing/property/get@AtMostOnce
/sys/80/R331ZEB4ZEBFFFFF/thing/property/set@AtMostOnce
/sys/80/R331ZEB4ZEBFFFFF/thing/event/post_reply@AtMostOnce
/sys/80/R331ZEB4ZEBFFFFF/thing/battery/get@AtMostOnce
/ota/wifi/upgrade/80/R331ZEB4ZEBFFFFF@AtMostOnce
/ota/wifi/progress/80/R331ZEB4ZEBFFFFF/reply@AtMostOnce
/ota/device/upgrade/80/R331ZEB4ZEBFFFFF@AtMostOnce
/ota/device/progress/80/R331ZEB4ZEBFFFFF/reply@AtMostOnce

post topics:
/sys/80/R331ZEB4ZEBFFFFF/thing/property/post
/ota/wifi/inform/80/R331ZEB4ZEBFFFFF
/ota/device/inform/80/R331ZEB4ZEBFFFFF
/ota/module/inform/80/R331ZEB4ZEBFFFFF

commands like operateType : analysisExtSc/analysisIntSc/analysisVol etc... (do not exist in app - only for device) and many others.

1 - when the device connects to mqtt through the BLE command (connect to wifi), this command contains a path to a certificate (the same as for the user), but the path is https://api.ecoflow.com/iot-auth/**device**/certification. If you change this path in the command to your own (for example 192.168.2.33:8080/cert) and intercept this connection you can see the request from the device:
?sn=R331ZEB4ZEBFFFFF&cpuId=360213503447303832155FFF&timeStamp=123132333"&sign=Y7VJLGVhsQy_N3KKVngeOtPjG0BaH0AwTDiqEss44ds
2 - run this request to the corporate host and you receive json data like for a user, but some differ:
{"code":"0","data":{"clientId":"R331ZEB4ZEFFFFFF","password":"d23f87052c92489ea1cf43f1463fFFFF","port":"8883","productKey":"80","protocol":"mqtts","url":"mqtt.ecoflow.com","username":"device-eb3bb8586a874f9ab0f3755fc3FFFFFF"},"message":""}
These are the credentials for the mqtt server for the DEVICE (not for the user). And this operation is needed only once.
3 - Now you have 2 ways.
1 - just use mqtt with a connection to the corporate host like a device
2 - replace in the request the mqtt server and port with your own, for example "url":"192.168.33.33" etc.
3 - the device remembers this and it's not needed to do this every time - just once.
4 - after this - the most interesting will begin


So. I am completely independent, I know everything that happens. I don't need a corporation, and it doesn't need to know what and how I have. I don't need internet. I don't need authentication and verification. I wish you all the same :)

Very important! Don't use brute force to find interesting commands and modules. There is a command (without parameters) which simply changes the voltage in the inverter and in an instant your capacitors (in the literal sense) explode. Yes - it looks like a self-destruct command :) It's funny, but whoever knows this command and just has a phone with bluetooth can really burn the device with one click. Someone else's device :) (module 4 ..commandset 13+ )

Assets.zip
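The advertisement and scan-response bytes quoted above, parsed as standard length/type/data AD structures so that the SN, battery byte, CPU id and short name fall out of the manufacturer-specific blocks. This is an added example, not code from this issue or from the repository; the meaning of the 3-byte B5-B5-12 / C5-C5-12 prefixes and the field offsets follow the author's annotation and are assumptions.

```python
"""Parse the Ecoflow BLE advertisement dump quoted in the issue.

Both packets are split into AD structures (1 byte length, 1 byte type, data),
as defined for advertising payloads in the Bluetooth Core Spec, Vol 3, Part C.
"""

# Constructed from the hex dump in the issue (the SN and CPU id are already
# masked with 0xFF there). First 31 bytes = advertisement, next 31 = scan response.
ADV_HEX = ("02-01-06 1B-FF-B5-B5-12 52-33-33-31-5A-45-42-34-5A-45-42-47-30-FF-FF-FF "
           "63-00-20-BC-5F-01-93")
SCAN_RSP_HEX = ("11-FF-C5-C5-12 36-02-13-50-34-47-FF-FF-FF-FF-FF-FF 5D "
                "0C-09 52-33-33-2D-30-34-35-34-00-14-0D")

AD_TYPE_FLAGS = 0x01
AD_TYPE_COMPLETE_LOCAL_NAME = 0x09
AD_TYPE_MANUFACTURER_SPECIFIC = 0xFF

# Assumption: the first two bytes of each manufacturer block tag its contents.
TAG_IDENTITY = b"\xb5\xb5"   # SN + battery byte + 6 unexplained bytes
TAG_CPU = b"\xc5\xc5"        # CPU id + 1 unexplained byte


def hex_to_bytes(dump: str) -> bytes:
    """Accept the 'AA-BB-CC' notation used in the issue."""
    return bytes.fromhex(dump.replace("-", " "))


def iter_ad_structures(payload: bytes):
    """Yield (ad_type, data) for every AD structure; a zero length ends the data."""
    pos = 0
    while pos < len(payload):
        length = payload[pos]
        if length == 0:
            break
        if pos + 1 + length > len(payload):
            raise ValueError(f"truncated AD structure at offset {pos}")
        ad_type = payload[pos + 1]
        yield ad_type, payload[pos + 2:pos + 1 + length]
        pos += 1 + length


def strip_ff_padding(raw: bytes) -> str:
    """The SN field is 16 bytes, padded with 0xFF after the real characters."""
    return raw.rstrip(b"\xff").decode("utf-8", errors="replace")


def parse_ecoflow_adv(adv: bytes, scan_rsp: bytes = b"") -> dict:
    """Return the fields the issue identifies, keyed by name."""
    info = {}
    structures = list(iter_ad_structures(adv)) + list(iter_ad_structures(scan_rsp))
    for ad_type, data in structures:
        if ad_type == AD_TYPE_FLAGS:
            info["flags"] = data[0]
        elif ad_type == AD_TYPE_COMPLETE_LOCAL_NAME:
            # The dump shows bytes after a NUL inside the name field; keep only the name.
            info["short_name"] = data.split(b"\x00", 1)[0].decode("utf-8", errors="replace")
        elif ad_type == AD_TYPE_MANUFACTURER_SPECIFIC:
            tag, body = data[:2], data[3:]          # byte 2 (0x12) is skipped: meaning unknown
            if tag == TAG_IDENTITY:
                info["serial_number"] = strip_ff_padding(body[:16])
                # The issue says the device model is encoded in the first SN bytes.
                info["model_prefix"] = info["serial_number"][:3]
                info["battery_percent"] = body[16]  # 0x63 = 99 in the dump
                info["unexplained_identity_tail"] = body[17:].hex()
            elif tag == TAG_CPU:
                info["cpu_id"] = body[:12].hex().upper()  # matches the cpuId= query format
                info["unexplained_cpu_tail"] = body[12:].hex()
    return info


def broadcast_identifiers(info: dict) -> tuple:
    """The two values the issue says the certification endpoint accepts: both are
    readable by any nearby BLE scanner without pairing."""
    return info.get("serial_number"), info.get("cpu_id")


if __name__ == "__main__":
    parsed = parse_ecoflow_adv(hex_to_bytes(ADV_HEX), hex_to_bytes(SCAN_RSP_HEX))
    for key, value in parsed.items():
        print(f"{key:28} {value}")
    print("broadcast without pairing:", broadcast_identifiers(parsed))
```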

jegres1709 commented 1 year ago

Hi, very interesting what you've found out!

I have a few questions to the process:

  1. where do I change the mqtt server for my Delta 2? Is it in the app "nrf connect"?
  2. what about the credentials of the mqtt server? How should this message look like? {"code":"0","data":{"clientId":"R331ZEB4ZEFFFFFF","password":"d23f87052c92489ea1cf43f1463fFFFF","port":"8883","productKey":"80","protocol":"mqtts","url":"mqtt.ecoflow.com","username":"device-eb3bb8586a874f9ab0f3755fc3FFFFFF"},"message":""}
ipalchuk commented 1 year ago

Hi.
1 - the app "nrf connect" is ONLY for looking at the device and getting RAW data (SN + CPU id etc) - just for info.
2 - BLE commands (like hassio's for the open port commands) contain a command - connect to WiFi. In the mobile app, when you connect to a wi-fi network you select the wifi, input the password... and... and the device connects to the mqtt ecoflow server. So - this command contains the wifi name, wifi password, certificate URL. If you change this url for your own... The most important thing of all - you need to be able to send commands to the device using bluetooth. The Hassio system works on the open port. BLE = the same. It does not matter - you need to be able to send commands to the device. If you can do this, you can replace the certification url with your own. If you can intercept the certification request, then you can replace the values in the answer. It sounds difficult - but it is done quite easily.
3 - By intercepting the certification request from the device - you perform the real request to the server. From the server you will receive a login and password for the device. But you can return to the device not entirely correct data. For example - changing the mqtt server to another.

Skydev0h commented 1 year ago

Impressive information you have found out! Reversing libnative is not too hard, just keep in mind that there are v2 and v3 packets and they differ a little. Also the only useful thing you can get from there is packet (Frame) structure and basic xor obfuscation algo that is already known.

I wonder how you can obtain the firmware and analyze possible internal and not so internal commands.

It is also pretty scary that there are such dangerous commands, it might be a good idea somehow to protect from those commands. In theory, Ecoflow can also issue that command via MQTT from the server and explode your device.

Interesting that it seems that topics for user and device completely differ. Very interesting find! It may be cool to bridge your MQTT to Ecoflow server (if you want) and both have reliability and control of your own server and ability to use EF Cloud GUI app for control and management.

ipalchuk commented 1 year ago

Yes, I have already done all this and got it. (xor, obfuscation etc... em... no. Just - it is a Chinese (not free) lib for data with a 7-byte header) :) and... PLEASE - don't talk to me in the language that's been put into your head. Have your own head. What you are given as a solution - always check. Do you really... do you really think that 7 bytes per message is normal? And do you really think that (oh gods - how smart you need to be) inverting is the meaning of the whole process? Seriously? )))))) XOR? )))) really??? ))) cool ))) unbelievable! )))) it is really difficult to come to this with the data before and the data after) "v2 and v3" - don't repeat without knowing what other people are saying. That's why I'm alone, but I don't talk nonsense.

"It may be cool to bridge your MQTT to Ecoflow server (if you want) and both have reliability and control of your own server" All this has already been done for a long time - I wrote about it. And I don't even need EF Cloud GUI - I see everything and control everything. When you have your own mqtt server, you no longer need EF Cloud GUI :) at the same time, neither the device nor the ecoflow server knows that they are being completely listened to :)
for investigation - device<-->my mqtt srv<--->my mqtt client with device account<---->ecoflow.mqtt
for me - device<-->my mqtt srv

In the list of topics to which the device itself is subscribed and uses - there is an update. The device first of all sends the firmware numbers of all its modules. The server returns whether they are the latest or not. There is a lot of work to investigate. There are many things that are still not clear. But there is something to deal with. That's why I gave this information. So that people would start doing something further, and not get stuck on what they have. BUT. BLE commands (some commands) are not duplicated in mqtt and for me - more interesting than mqtt. But the most interesting is the open ports that appear after sending the wifi shutdown command. But I don't have enough for that.

It also makes sense not to go such a long way and see how it turns out - &sign= for /iot-auth/device/certification may be the same as for the user but needs something like this to https://api.ecoflow.com/auth/login but using "scene": "IOT_DEVICE" instead of IOT_APP and using something else like SN&cpuId instead of email and password - I do not know. Or change "userType": "ECOFLOW" to something else.... this needs investigation. Wireshark did not display the post data. But this is all possible - but not interesting for me.

Now the most important thing is that I don't post my sources - just because almost all of you use python. Methods for dotnet are obviously not suitable for you; in my opinion - just the meaning is important. BUT - to intercept the request I used the EmbedIO nuget, RestSharp to send requests, for mqtt client/server I used MQTTnet, and I have no idea what analogues for all this there are in python - but definitely there are :)

And I want to repeat, in fact, the most important thing among this heap of text. That over which I suffered for a whole month to understand. The truth turned out to be simple, but the price for it was paid in time. "!!! the MTU needs to be configured !!!" for BLE. Among all I have written - oddly enough - this is the most important thing. +100$ to repair burnt capacitors :))))

I do not know what this data means after sending BLE cmd 53 - 53 - 9:
01 00 00 00 02 00 00 00 00 01 02 03 04 05 06 00 0A 0A 0A 0A 00 54 00 00 AA AA AA AA
Guid? cert hash? or... I do not know.
53 - 53 - 71
53 - 53 - 26
53 - 53 - 3 - why no callback or how to use it
53 - 53 - 1 - Bluetooth distribution network setting domain name
53 - 53 - 54 - for delta pro: len + String //iot password verification ????
and many others... I'm waiting for people with whom it will be possible to talk and who will already tell me where, how and why. I also have many questions. But so far I see only one thing - people are content with what they have.

Corporate mqtt server? auth + online? - seriously? Does that make sense? I even admit that I am far from being a pioneer. They just don't talk about it so that the exploit is not closed. Or sell it for money. :)

For a very long time I just wanted to write a mobile application, not as dull as what we have. Where I can pull widgets onto the screen. Where I can view graphs of all values... similar to https://github.com/berezhinskiy/ecoflow_exporter (many thanks to this man! I brought out all the parameters including from an additional battery - and watched how my device lives, how it breathes.) but in a mobile version. Where the display of data is implemented both through bluetooth and through mqtt, storing data, the ability to export this data to other systems. I have been quietly working on this. I don't need HomeAssistant. But now I'm just tired. Maybe someday I will see a decent mobile application that raises three services (BLE/IOT/MQTT), can change the MQTT SERVER!!! and contains its OWN, OFFLINE! etc.... but now I'm just tired.

Skydev0h commented 1 year ago

Unbinding from the cloud MQTT server is pretty important because during periods of winter blackouts first of all the connection to those servers was unreliable, and sometimes even the server itself was offline for prolonged time periods, which caused instability in collected metrics and alerts about blackouts. I had some development with a hardware ESP32 module that bridges bluetooth to local wifi and microservices that pull data and provide it to prometheus, but BLE turned out to be unstable just as well as the MQTT cloud. Moreover, somehow, when the ESP32 module is used then sometimes the delta2 forgets its wifi credentials and fails to connect (when BLE is not used it worked for months without such effect).

v2 and v3 - that's the result of my understanding that I obtained from analyzing the android application and the native library first of all, not from someone else's code. But I have not encountered v3 packets in the wild, only v2, and they differ very slightly (2 extra bytes in header).

About burnt capacitors I hope that it would not start fire, just stop working. Also replacing capacitors would not help, you need also to reset voltage to correct values? I do not understand how that command does not accept some parameters, maybe if called without parameters it assumed some default (0x00 or 0xFF) or garbage from memory and changed to inadequate values?

And yes, kind of agree, that if you have full control it is more reliable - but you need time to make your own app and I think you would not be able to upgrade firmware in that way.

And maybe that MTU thing is the source of problems with my ESP32 module, now I process data in stream and scan for valid structure packets, but maybe increasing MTU will help too. Thanks!

ipalchuk commented 1 year ago

1 - ble - cannot be unstable. Nothing is more stable. There is a delay. But stability. Stability is stable.
2 - increasing MTU - you can send data, you can receive data. But data that does not fit into the size of one packet will either not be valid or, if commands are sent, will not be accepted. Think whatever - maybe it was intended - but for me - it's just a deadline for the developers)))
3 - v2 and v3 - sorry. Yes - this is just "of my understanding" and sorry - imagine how much time I spent on all this, so as not to listen and look towards those who did the inversion of bytes :)
4 - I don't know how this command destroyed the capacitors. The system went through the commands for 2 days. And I'm very happy that I was at home. The specialist said that what happened could not have happened due to the human factor. Nothing is destroyed - what people do - when the outlet is connected to water. Only capacitors - only when drawing a sinusoid. And this is a programming call. And this is clearly not a switch of the system from 60 hertz to 50 and 220 volts to 110. I don't know what it was. But I don't want to try again.
5 - "you would not be able to upgrade firmware in that way" - Well, of course, I can not update the firmware. BUT - I can MYSELF indicate when I want to update it :) I repeat - there is a firmware update. There is a module update. These are different things. Everything is much more complicated than it seems.
6 - "bridges bluetooth to local wifi" - prometheus is not guilty. Delays, instability, etc. - I experienced all this trash myself too. If you do not use the network. If you do not become attached to the corporate server. If you write your own (although I asked Prometheus to adapt its functionality) bluetooth-mqtt server, everything will work without interruptions. AND - YES - MTU!!! without this, you will receive incomplete packets. Without this, your commands to the device will be ignored. And only for one reason )))) yes - it's funny - but ...
someone did not combine the received packets. More precisely - they did - but with errors ... and it's not me))) although - maybe there was a cunning plan in this))) - which is unlikely)

ipalchuk commented 1 year ago

emm.. maybe this will help :) and sorry - this is not a python solution :) but - there do not exist v1 v2 v3 etc... do not exist... this is only a sample... AA-02 ... and yes ))) cool - super achievement - xor )))) I really hope that we will start talking at a different level - when all this is done. I really hope that nielsole will find time for a normal and understandable implementation in python. Tell me how I can help - I will try to give everything that I have.

BTEcoflow.zip

ipalchuk commented 1 year ago

Simple GET. Without the sign and timestamp params - working too :), strange, insecure, but working. https://api.ecoflow.com/iot-auth/device/certification?sn=R331ZEB4ZEBFFFFFF&cpuId=3602135034473038321FFFFF

MQTT SNIFFER :) example (attachment): 192.168.0.105 - local ip.

1 - connect to ecoflow mqtt srv with device credentials - localdevcli.cs
1.1 started mqtt client connected as device to ecoflow.mqtt
1.2 listened on port 8088 to get posts from localdevsrv.cs (2)

2 - run local mqtt srv - localdevsrv.cs
2.1 started mqtt server on port 8883
2.2 listened on port 8089 to get posts from localdevcli.cs (1)

Run BLE command to connect to WIFI + intercept request + change response (set mqtt srv 192.168.0.105) so:
1 - device connected to localdevsrv.cs (2) and starts sending data.
2 - all sent data will be transferred to localdevcli.cs (1) and sent to ecoflow.mqtt
3 - all data from ecoflow.mqtt is transferred through localdevcli.cs (1) to localdevsrv.cs (2)

You will see all data, commands etc... this is all ONLY binding and periphery - it's secondary. You need to be able to send a command to connect to a Wi-Fi network. I gave everything necessary for this. Without it, all of this is meaningless. Attached src only for test. This all can be implemented in one scope (for mobile, python, for ... all the same how and on what). For ordinary users, all this can be done automatically without even pressing a single button. But you need to be able to send commands. I ended up here because nielsole is the only person who became interested and described at least something for BLE. But... it seems to me that people have not realized the potential of all this yet. So, can you get the firmware? Yes. But this is not needed for me. After they close this exploit... no problem: BLE data, ble-mqtt hub, etc. :) life.

localmqttclisrv.zip

ipalchuk commented 1 year ago

Around Security.
1 - BLE always ON - the stock program does not make it possible to disable this, but this is possible and in this case the Wi-Fi part will work.
2 - BLE advert. Raw data contains the device SN and CPU ID - this is terrible - these are the two values that are needed to join the device to the ecoflow MQTT server (as device!). "sign" param - if it does not exist in the req - ignored! (unbelievable)
3 - the command for obtaining information on the connected Wi-Fi network contains the network name and password (unencrypted).
Having someone else's connected device - just by running bluetooth on my device - I can also make it my own and manage it - I know the login and password of the network to which it is connected. These are obvious miscalculations - which will definitely be corrected in new firmware versions. If you take away the ability to enter the certification URL in the command to connect the device (and this was initially stupidly done), then everything described above will cease to be relevant. But... what then remains. I think the bluetooth interface will remain. I mean it will be possible to make at least a BLE-APP hub. Which is also not bad. Although it would be correct to make the BLE commands authorized as well (I think someday they will do this too). Whoever is already worried about security - it is recommended to disable the BLE module (at least something). Know everything that the neighbor has (his password on the network), know all his data and how he manages the system. To be able to put out all his energy or just burn his devices. All you need is a mobile phone with bluetooth and a distance of 50 meters. It's better to visit once :)

Opened and documented online offline api with authorization. Software with a button - "advanced" (rather than an iridescent green bar) - and everyone would be bored :)

jegres1709 you wrote a little incorrectly - you can change it not to local... but to ANY! managed MQTT server with TLS :) But no one will answer you now. All this is more serious, all this is more dangerous, this needs to be investigated. This will change and redefine the popularity of topics and much on which people are already promoted will become unnecessary. Just not needed.
Device sends data like /ota/module/inform/80/R331ZEBFFFFFFFFF
{ "id": 3541, "params": [{ "moduleAddr": 5, "moduleVersion": "5.1.0.166", "loaderVersion": "3.0.0.1" }, { "moduleAddr": 6, "moduleVersion": "2.11.2.4", "loaderVersion": "2.11.0.0" }, { "moduleAddr": 3, "moduleVersion": "2.11.2.4", "loaderVersion": "2.11.0.0" }, { "moduleAddr": 2, "moduleVersion": "1.2.1.25", "loaderVersion": "2.7.1.9" }] }
So the device sends to the server the current versions for each module (loader and firmware). The server decides whether to update the firmware or not. And sends a response. Well, now think about what you can do if all this can be changed. Are you sure that a simple person needs all this? In the end, you can simply send incorrect data to the server or any data of yours and use their server just for your own purposes. In general, not using their server is a huge loss for them and they do not have all the information. I think you can also get money for showing this exploit :)

jegres1709 commented 1 year ago

It would be nice to have a precise instruction on how to change the mqtt server to be independent from ecoflow and to prevent wifi reconnects with a fallback scenario. Other things are not very interesting for me.

we are already able to read all relevant data and to change states of switches and some values.

So if you could share with us the needed hardware and software and also the steps how to proceed, I would appreciate it very much!

Skydev0h commented 1 year ago

Well, about MTU, I did not care about it; in the ESP32 I appended all data to a ring buffer and another method was reading from it and parsing valid packets. Increasing MTU might increase stability (since packets will get cut and lost much less often), and I did not yet try issuing commands to the device so I think I did not encounter that problem. About the instability - the ESP32 sometimes lost connection to Ecoflow, sometimes very often - but that might be because of WiFi + BLE running simultaneously; I guess if I use an ESP32 with Ethernet (such as, for example, the ESP32-POE module) it will be way more stable.

"sign" param - if not exist in req - ignored! (unbelievable)

Omg, that's total BS!

ipalchuk commented 1 year ago

Just for test. If in one network - mobile (android), pc (windows), ecoflow (delta2).
1 - on pc run mqtt server exe and click Start btn.
2 - install on mobile the apk (I do not write how to install apk from third party sources). Run it. In the right part if you see - MySSID, MyIP, MQTT Server IP - all ok. Input wifi password.
Click on the device item to connect through BLE. If connected - just click the SEND button at the top. 33-53-53-11 - this is the command to connect through wifi. But the app changes the certificate url, intercepts it, and replaces the mqtt url. So after this on your PC you can see the connected device. And you can connect to this local server through other programs, subscribe or post any topics etc... like you work with ecoflow mqtt, but without credentials. For this local mqtt server you can connect using any name or password or client id. If all ok - forget the mobile app. You can restart the ecoflow, you can reopen the mqtt app on the computer... the device will try to connect to this (local) mqtt.

After you play enough and you like it or you don't like it: launch the branded application and connect to the network through it - everything will return as it was.

THIS IS ONLY FOR TEST. (programs are not completed and raw) test.zip

jegres1709 commented 1 year ago

Thank you very much! It's amazing!

Now I need only to get my existing MQTT Mosquitto broker working. Somehow it couldn't appear in the mobile app, but only the mqtt server created by you. Is there anything I have to configure on my broker to be available?

ipalchuk commented 1 year ago

Stop. It's not for use at all. These are just old sketches. These two apps are SPECIALLY made to work together. Just for fun. In your case, you need the mobile application to redirect to your broker immediately OR (which is better) that my broker sends everything mirrored to your broker through itself. Why is it better - because some requests from ecoflow need to be answered; I doubt that your broker will be able to do this or you need to write a script for it, so that when a certain request is received, you definitely answer. If you look closely, occasionally ecoflow sends its versions of modules. And should send only once. Because it expects an answer - are they fresh or not and if an update is needed. I didn't auto-reply. It was also planned to add an auto-connect in my broker to a real ecoflow server. The mobile application is generally like a primitive example of working with bluetooth. No settings etc. I just wanted you to see it all with your eyes and think about the perspectives. It's better than writing a bunch of text.

Sorry, you're speaking as a user (not developer), and a lot of things are wrong, but that's not the point. You can just see with your own eyes that it works, and with this you can do anything and many times cooler than with what everyone uses. Now, we need a normal programmer who will do all this for a wide range of people for different models, with open portable code, etc. I just showed and explained to the maximum how it all works. As you can see, I give any source code without question.

jegres1709 commented 1 year ago

Okay, understood :) as you can see I'm only a user and want to get rid of the original server. My problem is that I have reconnects and due to this I can not set some of the values etc. in home assistant. (Ne0-Hack3r made it possible 4 months ago.) But the reconnects/disconnects started maybe 2 months ago and I'm pretty sure that Ecoflow did something on their mqtt servers. So I saw a chance here to change it to my already existing mqtt broker and everything will be running fine again, just on my own server. Anyway, thank you for demonstrating that it works in general and I will wait for development and have to deal with the reconnects!

ipalchuk commented 1 year ago

"change it to my already existing mqtt broker" MQTT Mosquitto broker. I am not familiar with HA, mosquitto etc. So. You have your own mqtt broker. Ok. This is a local program? You know IP and port? Or is it in the cloud or has some address?

Can you connect to it through, as example: 1) 192.168.55.66:8883 2) superpuper.mqtt : 8883 (similar to "ecoflow.mqtt")? Does your broker support tls auth? Can you manage it and allow any clients to connect to it? Working on port 8883? Or is it needed to add this as an option too?

If you can. So for test I can add to the mobile app an option, and before running the connect command you can input your own mqtt server name or ip. (Similar to the wifi pwd)

jegres1709 commented 1 year ago

Yes, I have a mosquitto broker running in home assistant in my local network, so I know ip and port for sure and it supports tls auth and is working on port 8883. Is tls mandatory or is any port like 1883 allowed? If it's not too much effort, to add the option for port change too.. that would be very great, if you could do it!

ipalchuk commented 1 year ago

Only ip or address WITHOUT port. We assume that the port is always 8883. By the way - if you enter the address of a branded ecoflow server - it will connect to it (mqtt.ecoflow.com). If the field was empty - the ip address of the mqtt server for windows from the previous posts is used. Now this is only a TEST. You are just one minute late with the answer. Adding a port - it's 5 minutes of work. If you will be connected to your own broker, in any case - I do not recommend using this as a ready-made solution. Your server needs to be able to answer that the firmware is the latest. I don't know if this can be done on your server, that is, to what extent it can be managed. Or a "system" client is needed that listens to the device and sends the answer.

For developers: the device posts info into topic /ota/module/inform/80/R331ZEB4ZEBFFFFF ->
{ "id": 3541, "params": [{ "moduleAddr": 5, "moduleVersion": "5.1.0.166", "loaderVersion": "3.0.0.1" blah-blah.
So - the mqtt broker must send to the topic subscribed by the device the answer /ota/module/inform/80/R331ZEB4ZEBFFFFF/reply {"id": 3541 res: "ok"} - as an example - I just don't remember and there are no logs at hand. AND (I think it's so clear) - everything works with commands to the device as you do ... just the name of the topic is different: /sys/80/R331ZEB4ZEBFFFFF/thing/property/set, and as clear as "80" - this is the product id.

And yes. "it's amazing!", but for 3 persons :)))

TLS. If this is a managed server, you can add tls support, but allow all clients and skip the certificate check etc. In my broker I just set tls, but return OK without checking certs, users etc. Without tls at all - my broker gets errors when the device connects. Something wrong in the transaction data. So. Tls must be set, but all checks must be ignored. I hope you can customize it.

And main question. Why you need connect to some other mqtt broker? Leave this on windows. And you can work with it. Connect to it, post and listen topics etc.

FOR ALL: you need to understand that using a connection to a corporate server, logging in there under the account of the program !, is just a useless program that is not designed for long-term use by itself. And each time raise a cry that the connection falls off. or the identifier needs to be changed, and so on - this is stupid. The most stable and the longest. it connects - like the device itself. this is what is designed for long-term work and what they cannot change quickly in one fell swoop. when this simple and understandable thought reaches the majority of people. then all this will be much more relevant.

---please redownload file BluetoothScannerNew.zip

jegres1709 commented 1 year ago

that helps a lot! I managed to connect to my mqtt broker. Now I have to investigate the data to work with HA. Some of the switches (like enable/disable USB, AC, DC, etc.) are working already!

"Why you need connect to some other mqtt brocker" : because I´m running a proxmox server with HomeAssistant 24/7 on a tiny machine and not on my main pc.

"And yes. "it´s amazing!", but for 3 persons :)))": I think with this thread/issue it will reach much more people, who will work on this :)

ipalchuk commented 1 year ago

Pff.. so problem only with different system. Proxmox - linux. I used Library mqttnet https://github.com/dotnet/MQTTnet/discussions/1355 works on linux. Maybe in Python exists solution too. So - needed just write mqttserver with pass-through connection to real server (more adaptive) but portable for diff. platforms. Besides. if your mini computer is equipped with a bluetooth module. You don't even need a mobile phone app. libraries for working with ble are ported to any platform. All this can be done in one program with one click. Besides. All mqtt commands have analogues for BLE. Ble has more serious and interesting commands. Ideally, you can write a duplicate system. for some reason: one will fall off, another will work. put it all through a connection to a proprietary server and you will get a working and functional mobile program. (poor functionality, but even so). prospects for directions and developments - a lot. the main desire.

jegres1709, AND. I repeat. don't take it as a complete solution. the server MUST respond that the firmware does not need to be updated. without it - 1 - the device litters the air by constantly sending versions of its modules. 2 - my device disconnected after a while. probably believed that since the server does not respond to its requests, then something is wrong. We don't need instability here. but ... this is guesswork, or maybe an accident. In any case, there is a semi-solution, but there is a full-fledged solution.

Skydev0h MTU. skipping an incomplete package is wrong. you can still get data from it. to wait only for a full-fledged one is to skip more than half of the packets. correct mtu - all packages are full. and not "maybe" -that's for sure :) i uploaded source code.

For me: for windows and android - enough (what I know, I did it.) All this - in main - not a problem. I think I've done my part of the job.

So.. needed normal developer on Python :) Two is better. (BLE, MQTT) :))))

ipalchuk commented 1 year ago

jegres1709 change mqtt port added + checkbox. unchecked - just simple normal connection without interception and changes broker etc.

To check stability. After Connect to your broker (or simple after connect), you can send command 33-53-53-51 - Disable bluetooth module. Wi-Fi will stay connected but BLE will be disabled. So - less consumption, much safer (if that bothers you at all). the device is not strained yet by sending a bunch of data via bluetooth. To turn it back on - you need to turn off and turn on the device.

Good luck. I don't work in this area anymore. If you need something from me (advice, consultation, source code) - contact me.

BluetoothScanner.zip

jegres1709 commented 1 year ago

Thank you very much! I think you helped a lot already!

Ne0-Hack3r commented 1 year ago

@ipalchuk

BluetoothScanner.zip

I loaded this on a Fire 8 Tablet (Amazon) and the app starts but then closes after a few seconds (no error displayed). I do not know if the Fire 8 is too old or is missing something that a normal android device would have. My mobile devices are iOS and this old Fire 8 is the only android device I have other than android emulators (BlueStacks on Win10) and, unfortunately, there is no BLE support in Android emulation...

I am not a developer but I am familiar with coding and scripting. Most of my scripting experience in recent years is Power Shell on Windows. I've never done any coding for BLE so I'm outside my knowledge on that. Like @jegres1709 my primary interest is configuring my EcoFlow devices to use my own local MQTT broker over WiFi and controlling everything using Home Assistant via MQTT.

ipalchuk commented 1 year ago

I think the problem is in the android version, although it may be in the device itself. can do it under iOS (yes, can do it for everything), but I don’t do it. I do not regard this application as an application at all. This is an example. jegres1709 was able to run. he got it working. All. that's enough for me. let the rest be done by programmers who can do it in public, with a beautiful design, description, instructions, forums and other things that do not interest me. Sorry.

Ne0-Hack3r commented 1 year ago

> I think the problem is in the android version, although it may be in the device itself. can do it under iOS (yes, can do it for everything), but I don’t do it. I do not regard this application as an application at all. This is an example. jegres1709 was able to run. he got it working. All. that's enough for me. let the rest be done by programmers who can do it in public, with a beautiful design, description, instructions, forums and other things that do not interest me. Sorry.

I tried it on an old Samsung Android Tablet I borrowed as well but it would not install so I think it does require a recent version of full Android on a device that is not outdated. If I understood a bit more about BLE and how to interface properly I might be able to create and share a Power Shell script for changing the MQTT configuration on the device...

ipalchuk commented 1 year ago

and it would only be for windows devices with bluetooth. this is not line-by-line execution of commands. This program. which has functionality. you won't do it in Power Shell. C#, java, python etc, but not shell

Ne0-Hack3r commented 1 year ago

> and it would only be for windows devices with bluetooth. this is not line-by-line execution of commands. This program. which has functionality. you won't do it in Power Shell. C#, java, python etc, but not shell

It could be built in Power Shell cross platform with the appropriate module. But, as I said, I am not familiar with BLE communication or programming for it. I realize this would not be a robotic script but once the correct address for D2 is known (or can be programmatically obtained) it should just be a matter of connecting and sending the correct sequence to configure D2 to use local MQTT. The script could use a configuration file or even hard coded variables for the device and local MQTT server address/port (to provide an easy way to switch the device back to "local mode" as needed).

Obviously, the local MQTT server would need to be configured correctly but it appears those of us integrating with Home Assistant could use the local Mosquitto Broker for the local MQTT and configure everything else using YAML for MQTT sensors in HA. We just need an easy way to point the device to Mosquitto Broker without having to learn and program for BLE...

Ne0-Hack3r commented 1 year ago

@ipalchuk

I was able to install Bluetooth LE Explorer on a NUC with windows 10 and connect to the D2 over BLE...

I can see data continually changing on one of the characteristics: (screenshot)

I can also write data to the other characteristic: (screenshot)

But I'm not certain what to send. Do I send a command in HEX followed by the parameters for MQTT IP/Port in UTF8? Does everything need to be converted to HEX and sent in a single write? This is where my understanding of BLE is limited...

ipalchuk commented 1 year ago

what does the android program do: 1 - increases mtu (read the beginning of the topic) without this, commands that do not fit into one package will not be accepted. and the necessary command just does not fit. 2 - sends a command to the connection in which it changes the url of the certificate (read the beginning of the topic) TO YOUR OWN one, which is listening! (For interception!) 2.1 command is a set of bytes - there is a data structure, it is described. there is a header, command, checksum, data. yes - the text is transmitted as utf8 bytes. there is a description of how to count two types of checksums. Do you collect all this with a script too? 3 - INTERCEPTS! request. (what script are you going to do it with???) a script that will raise the local site? 4 - sends the request to a real server to get a real answer. 5 - replaces the mqtt server in the response and sends it to the device. With apparent simplicity for the user, everything is not at all simple. Ble, commands, connection etc... please read the main topic, review code etc.. https://github.com/nielsole/ecoflow-bt-reverse-engineering/blob/master/experimental/main.py

I in this topic proceed from the fact that the person already knows all this. here, so not everything is simple, so as not to interfere with elementary explanations here. Behind all this, the essence and meaning is lost.

Yes, you can send command in single write in hex .. this is usb off: `aa 02 01 00 a0 0d 00 00 00 00 00 00 21 02 20 22 00 d7 46`. A dynamically changing characteristic is just a stream of data about itself, parameters, etc., that the device gives.

So? me to describe the structure, basic principles, logic, calculation with explanations of what each byte means, why this way and not otherwise .. ? Can I explain why you can not cross out anything on your screenshots, since these are common basic interfaces and just a data set that does not contain anything personal? are you sure that this topic (not for every programmer) should also contain similar explanations? Mmmm....

Needed normal Python or Java developer, and all will be done for crossplatforms, etc. or people find it difficult or not interesting :)

Ne0-Hack3r commented 1 year ago

@ipalchuk Thank you for added explanations. I redacted certain numbers in the screen shots as I did not know what may or may not be personal (still learning about all of this).

If I am understanding correctly, part of the process is to setup a web server that will answer the HTTP query for MQTT by pointing to the URL/port of my local MQTT server and what is being sent over BLE is a command pointing to the URL of that local HTTP server (intercept). Is that correct? If so that may be part of what I was not understanding in the sequence.

ipalchuk commented 1 year ago

BLE COMMAND TO CONNECT THROUGH WIFI: BODY(data): 1 - wifi name, 2 - wifi password, 3 - url for get auth data, mqtt address etc.: https://api.ecoflow.com/iot-auth/device/certification

If replace 3 to own managed url (example: http://192.168.0.100:8080/cert), and intercept it. Device after ble command will send request to this address: http://192.168.0.100:8080/cert?sn=R331ZEB4ZEBFFFFFF&cpuId=3602135034473038321FFFFF

In interception part code: you can send real data to server to get auth credentials for mqtt server (if needed). AND needed return response to device with your local mqtt server.

So device now always will connect to you mqtt server. PLEASE READ THIS TOPIC again. All this exist and explained.

I repeat the question, do you really think that this is the place where I am going to explain basic things to everyone? Do you know people who, in topics, chew on everyone what, how and why? show me, I'll ask them myself. I also have many questions.

Ne0-Hack3r commented 1 year ago

> BLE COMMAND TO CONNECT THROUGH WIFI: BODY(data): 1 - wifi name, 2 - wifi password, 3 - url for get auth data, mqtt address etc.: https://api.ecoflow.com/iot-auth/device/certification

> If replace 3 to own managed url (example: http://192.168.0.100:8080/cert), and intercept it. Device after ble command will send request to this address: http://192.168.0.100:8080/cert?sn=R331ZEB4ZEBFFFFFF&cpuId=3602135034473038321FFFFF

> In interception part code: you can send real data to server to get auth credentials for mqtt server (if needed). AND needed return response to device with your local mqtt server.

This is the explanation I needed. Thank you.

Ne0-Hack3r commented 1 year ago

> Simple GET. Without sign and timestamp params - working too :), strange, unsecure, but working. https://api.ecoflow.com/iot-auth/device/certification?sn=R331ZEB4ZEBFFFFFF&cpuId=3602135034473038321FFFFF

I'm getting "signature failed" when sending just sn/cpuid so perhaps Ecoflow fixed that...

ipalchuk commented 1 year ago

such a security hole - not surprised :)

I described above what they will do. in new firmware, they will remove the ability to enter the certification address too. it would be terribly for them to be deprived of the ability to take away user data. so don't rush to update :)

to see in the application if there is a new firmware - you need to join the mqtt server. Is it really not clear why this idiocy is made? :)

and why the great gurus, who have spawned many applications for HA and not only, are in no hurry to do this in public.

BLE advertisement data, they will also change. idiocy to show everyone the serial number and cpuid. that's bullshit.

And they will also close the bluetooth through authentication. be able to an outsider in someone else's house to burn the power system? it's like attaching headphones to someone else's phone without the knowledge of the owner :)

let them do it. we'll find something else. this will be more valuable.

Ne0-Hack3r commented 1 year ago

@ipalchuk

I found a Power Shell module for BLE and I now have scripts for both the intercept of HTTP and writing BLE commands. I was able to successfully send a Byte Array with the sequence to turn USB output OFF and was able to confirm that works.

Apologies if I'm missing something from the discussion above, but I did not find the sequence required to reconnect MQTT (have D2 contact my intercept for certification). What are the specific bytes that need to be sent and the format of the command to supply the new URL, port, etc.?

ipalchuk commented 1 year ago

Read this 3 times. This is around command.

Src 33 (dec), Dst 54 (dec), Cmdset 54 (dec), Cmdid 11 (dec)

Data:
- Len. Wifi name (1 byte)
- Wifi name (utf8)
- Len. Wifi pwd (1 byte)
- Wifi pwd (ascii)
- Cert url (utf8)

And you must set MTU. Usb on/off command has small data (1 byte body), so placed in one package. But for this command needed increase MTU. By default 27 bytes. Usb on/off - 19. But connect to wifi will be more than 27.

do not understand - read the 4th time.

usb off:
- `aa 02` - header
- `01 00` - data len
- `a0` - crc8
- `0d 00 00 00 00 00 00` - flags
- `21` - src
- `02` - dst
- `20` - cmdset
- `22` - cmdid
- `00` - DATA (just ONE BYTE 0/1 ENABLE/DISABLE)
- `d7 46` - crc16

do not understand - read the 5th time. So, i do not know how you form this byte array in shell, without minimal knowledge of development. Minimal program you can write (to form command data byte array). PS For crc16 needed right matrix. Review my source code and find it, or hassio code. In google, online generators crc16 you do not find right. It can be different, but exist some, where you can change matrix. Crc8/16 calculated based on ALL data bytes before.

If there are questions about the above, I will not answer them. this is the minimum knowledge that a person must have in order to be able to talk with him on this topic. it doesn't get any clearer. it is either understood or not.

But your stubbornness appeals to me :) For me it will be easier for you to write a program for Windows. And it's easier for you to find a normal phone on android :) But that won't be interesting :) Having a working ble (get/set data), you might wonder why you need mqtt at all :)))

ipalchuk commented 1 year ago

a bit of history. contacting the support service, you get a login and a password to receive scarce data. This is a mockery of users. for cool versions through the port, a person has learned to work with the device. the port is closed (later opened) there is a person who gives you the opportunity to work through the mqtt program. but those who work through the port saw this mqtt in the coffin :). it is buggy, it is being remade and people are thrown from side to side. but the saviors are still tweaking their authentication and you can still bow to the corporation. what are you all doing??? why do you, like horses with a visor, see only what they give you? mqtt? ha mosquito? mindlessly install the program and think that you control everything? you all forgot how to think with your head and do not want to read more than 10 words in a sentence. Don't listen or trust anyone. I gave funds in the first post. decompile the source code, and anyone who understands a little about programming will understand that it was written in China by Indians. They don't need to use code obfuscators as usual. they already have a complete mess in the code. it's trash. A box that gives out 200 parameters is not always good, especially if there is no normal documentation and an open description of the interface. Oh my God! mqtt! moscito! hack installed, io brokers installed. I can, in the presence of the Internet and a normal connection, and if everything does not break, turn on and off a couple of checkboxes and change a couple of parameters. You are limited people :(

let's go through the stupidity.
1 - do not install quiet coolers? - greed. I changed it to noctua - the device is no longer audible.
2 - two for blowing in and one for blowing out - engineering idiocy and greed.
3 - passive mode. coolers start when the temperature changes by 60 degrees and heat up only to 55. - idiocy, forcing the device to cool every 5 minutes. without the ability to adjust the lower limit.
4 - absolutely incorrect calculation of the balance, if the limits are set other than 0-100%
5 - internal consumption is not taken into account and if the consumption is less than 25-30W.
6 - passthrough on AC only.
7 - inverter - average china, operating at extremely high temperatures. to die quickly.
8 - why do you send all the data to ble every time? why not change? you have 7 bytes for flags in each packet and you only thought of inserting xor? Was there a deadline? :)

And this list can go on and on. Something will be treated programmatically, and something hardware will remain so.

AMEN.

ipalchuk commented 1 year ago

Ne0-Hack3r (screenshot)
1 - double-click by found device to connect
2, 3 - sets all as you want - understandable as for me. Checkbox 2 - start/stop webserver on port 8080 for interception.
4 - fill wifi name and pwd and click Connect
5 - if this program will intercept url - so wait intercepted url in this field - just for info or for history. you can copy this url and see result... but.. program has already done everything (sent this to corporate srv, replaced mqtt server and port and re-sent "fixed" response to device), so there's nothing left to do. "Sign" param you can save and reuse it. Or get real device credentials for mqtt.ecoflow. etc. For test, you can run my test mqtt server for windows (some posts above in attachment) and see connection and working process, or use own.

Good luck.

PS. Windows sets by default mtu 512. So problems only on android with 22 mtu. I didn't know that.

For Windows MQTTBrokerReplaser_Win.zip

ipalchuk commented 1 year ago

But. i repeat. you will have this bed but needed this. if your managed mosquitto mqtt broker through script or some other methods can do this - no problem. good. Personally, it all works for me as it should. But I have a software solution (as I want, so be it). How you will (if you will) implement this - I do not know.

Ne0-Hack3r commented 1 year ago

@ipalchuk Thank you! I will try this out very soon! I have been working on a power shell script to handle all these pieces as well. I resolved the CRC8 and CRC16 and have been able to generate the byte streams to turn on/off AC/USB/12V using my CRC8 and CRC16 functions (using the matrix tables from the python code from hassio). I've been working on a function to format the data stream for the WiFi/Certificate-URL so your application will help me not only accomplish my goal of pointing to to my own MQTT server but also help me validate this final function in power shell.

I appreciate your help not only in accomplishing the goal of local MQTT control but also in my learning and exploration of how to work with these byte streams and BLE communication. It is always exciting to learn and understand something new!

ipalchuk commented 1 year ago

Ok, sounds cool. will be progress. Some corrections -

1> for cmd 53 53 11: Header, data(body) len, crc8, flags (7 bytes), command (4 bytes), Data(body):
- 1 - Length of Wifi name (1 byte)
- 2 - Wifi name (utf8)
- 3 - Len. Wifi pwd (1 byte)
- 4 - Wifi pwd (ascii) - not utf8
- 5 - Cert url (utf8) - (as you see - without length byte as prefix.)
then Crc16.

So - body for your packet - byte array where the above data goes sequentially in this sequence. Function - string to bytearray, I think you will find it :)

2> own interception - these chinese devs - fix one, break two. - so - get data needed WITHOUT! header "content-type", "application/json;charset=UTF-8" before (some weeks ago - all was ok) so use only header "User-Agent", "ESP32 HTTP Client/1.0"

3> better repeat all incoming header data like (in future these devs can block requests if there will be some difference) -

```csharp
string sd = DateTime.UtcNow.ToString("ddd, dd MMM yyy HH:mm:ss ") + "GMT";
HttpContext.Response.Headers.Add("Date: " + sd);
HttpContext.Response.Headers.Add("Content-Type: text/html;charset=UTF-8");
HttpContext.Response.Headers.Add("Content-Length: " + responce.Length);
HttpContext.Response.Headers.Add("Connection: keep-alive");
HttpContext.Response.Headers.Add("Vary: Origin");
HttpContext.Response.Headers.Add("Vary: Access-Control-Request-Method");
HttpContext.Response.Headers.Add("Vary: Access-Control-Request-Headers");
HttpContext.Response.Headers.Add("Strict-Transport-Security: max-age=15724800; includeSubDomains");
```

4> ALL mqtt commands have BLE analogues. BLE has more commands.

5> this is some extended version - so it is possible to send separate commands and preview cmd packet data. I don't want to do packet parsing for notifications (results) etc. I have all this in android. You understood the basis - then it's up to you.

6> this is understandable, but. Commands (some) not only send data. So some commands, after sending, return result data through notify. So for example command 33 53 53 112 - will return packet with connection status... etc. All packets have the same structure, different body - serialized to bytearray data.

Debug.zip
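The frame layout from the two posts above (header, body length, crc8, 7 flag bytes, four command bytes, body, crc16) and the Wi-Fi body layout, worked through as an added Python example written for this page; it is not code from the thread or from this repository. The CRC parameters are the editor's identification, not something the thread states: CRC-8 with polynomial 0x07 and init 0 over the first four bytes, and CRC-16/ARC (reflected polynomial 0xA001, init 0, little-endian trailer) over everything before it, reproduce the `a0` and `d7 46` of the posted "usb off" frame, so that is the "right matrix" the author refers to. The SSID, password and certificate URL are constructed values; the 33 53 53 11 addressing for the Wi-Fi command is taken from the post above, and the 23-byte default ATT MTU (20 usable bytes per write) is the Bluetooth specification default used to show why the Wi-Fi frame needs a larger MTU.

```python
"""Build, verify and size-check the BLE command frame described in the thread.

Layout: aa 02 | body len (2 bytes LE) | crc8 | flags (7 bytes) | src dst cmdset cmdid | body | crc16 (LE)
Editor's example; CRC parameters identified against the thread's sample frame.
"""
import struct

HEADER = b"\xaa\x02"
# Flag bytes copied from the thread's sample frame; their meaning is not explained there.
DEFAULT_FLAGS = b"\x0d\x00\x00\x00\x00\x00\x00"
# The "usb off" frame exactly as posted in the thread.
USB_OFF = bytes.fromhex("aa 02 01 00 a0 0d 00 00 00 00 00 00 21 02 20 22 00 d7 46")


def crc8(data: bytes) -> int:
    """CRC-8, polynomial 0x07, init 0, no reflection, no final xor."""
    crc = 0
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = ((crc << 1) ^ 0x07) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc


def crc16_arc(data: bytes) -> int:
    """CRC-16/ARC: reflected polynomial 0xA001, init 0, no final xor."""
    crc = 0
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def build_frame(src: int, dst: int, cmdset: int, cmdid: int,
                body: bytes = b"", flags: bytes = DEFAULT_FLAGS) -> bytes:
    """Assemble a frame; each CRC covers every byte that precedes it."""
    if len(flags) != 7:
        raise ValueError("flags field is 7 bytes")
    if len(body) > 0xFFFF:
        raise ValueError("body too long for a 16-bit length field")
    head = HEADER + struct.pack("<H", len(body))
    frame = head + bytes([crc8(head)]) + flags + bytes([src, dst, cmdset, cmdid]) + body
    return frame + struct.pack("<H", crc16_arc(frame))


def parse_frame(frame: bytes) -> dict:
    """Check header, declared length and both CRCs, then split the frame into fields.

    Raises ValueError on any mismatch, so a truncated or corrupted notification
    (the MTU problem discussed in the thread) is rejected instead of interpreted.
    """
    if len(frame) < 18 or frame[:2] != HEADER:
        raise ValueError("bad header or truncated frame")
    body_len = struct.unpack("<H", frame[2:4])[0]
    if len(frame) != 18 + body_len:
        raise ValueError(f"length field says {body_len} body bytes, frame carries {len(frame) - 18}")
    if frame[4] != crc8(frame[:4]):
        raise ValueError("crc8 mismatch")
    if struct.unpack("<H", frame[-2:])[0] != crc16_arc(frame[:-2]):
        raise ValueError("crc16 mismatch")
    return {
        "flags": frame[5:12],
        "src": frame[12], "dst": frame[13], "cmdset": frame[14], "cmdid": frame[15],
        "body": frame[16:16 + body_len],
    }


def wifi_connect_body(ssid: str, password: str, cert_url: str) -> bytes:
    """Body layout from the thread: len+name (utf8), len+password (ascii), url (utf8, no length prefix)."""
    ssid_b = ssid.encode("utf-8")
    pwd_b = password.encode("ascii")
    if len(ssid_b) > 255 or len(pwd_b) > 255:
        raise ValueError("length prefixes are single bytes")
    return bytes([len(ssid_b)]) + ssid_b + bytes([len(pwd_b)]) + pwd_b + cert_url.encode("utf-8")


def fits_in_one_write(frame: bytes, att_mtu: int = 23) -> bool:
    """A GATT write carries att_mtu - 3 bytes; 23 is the BLE default before an MTU exchange."""
    return len(frame) <= att_mtu - 3


if __name__ == "__main__":
    assert build_frame(0x21, 0x02, 0x20, 0x22, b"\x00") == USB_OFF
    print("usb off:", parse_frame(USB_OFF))
    # Constructed SSID/password/URL; 33 53 53 11 addressing taken from the thread.
    wifi = build_frame(33, 53, 53, 11,
                       wifi_connect_body("HomeNet", "hunter2-pw", "http://192.168.0.100:8080/cert"))
    print(f"wifi frame is {len(wifi)} bytes, fits the default MTU: {fits_in_one_write(wifi)}")
```

Run stand-alone it prints the parsed fields of the posted frame and shows that a 67-byte Wi-Fi frame does not fit the 20 bytes available before an MTU exchange, which is the reason the author insists on raising the MTU; `parse_frame` is the check to run on every notification before trusting its body.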

ipalchuk commented 1 year ago

For the future. to understand how it all can be found by oneself and how it is all found by others. Enough of these two screenshots (decompiler). mqtt and ble commands. And here is the cmd number and what's in the command body etc. You don't need details. But for beginners or those who want to do this - it will be clear. It's not as difficult as it seems. but not very easy. At the very beginning, I told all this. And remember. Exist commands which do not exist in app - app only for users. (screenshot 1) (screenshot 2)

Ne0-Hack3r commented 1 year ago

> For the future. to understand how it all can be found by oneself and how it is all found by others.

Very helpful. Thank you. I had started playing with JADX but using the EcoFlow_4.3.1.188_apkcombo.com.apk and was having a hard time finding the relevant code. I did a search for "Set_ac_switch" and still did not find that. I am wondering if I downloaded the wrong APK or I'm not fully understanding how to use JADX (I have not done mobile app dev or decompilation before)

Ne0-Hack3r commented 1 year ago

@ipalchuk

Thanks for the revised explanation and your debug updates for the BLE windows application.

I have connected my Delta 2 with the local MQTT Server you provided and was able to connect MQTT explorer to that as well. I tried to configure a bridge in mosquitto.conf to connect to local MQTT to test integration with Home Assistant but I have not been able to get that to work (with or without TLS)

(screenshot)

In MQTT Explorer I had to enable TLS but disable "validate certificate" to achieve connection so I assume my issue with mosquitto broker is not being able to ignore validation when connecting over TLS on port 8883

Does this mean Delta 2 does a TLS connection to your MQTT server but does not validate the certificate presented by the MQTT server? Or is your intercept instructing Delta 2 to not use TLS?

I was planning to send the following JSON using HTTP intercept:

```json
{
  "code": "0",
  "data": {
    "clientId": "R33-XXXX",
    "password": "MyMqttPw",
    "port": "1883",
    "productKey": "80",
    "protocol": "mqtt",
    "url": "10.99.88.9",
    "username": "MyMqttID"
  },
  "message": ""
}
```

Will it work to instruct the Delta 2 to connect without TLS on port 1883 to my local MQTT?
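The intercept step described earlier in the thread (the device calls `<cert url>?sn=...&cpuId=...` and expects JSON with its MQTT settings), as an added Python example written for this page; it is not the author's C# server and not code from this repository, and it uses the standard library `http.server` instead. The JSON shape is the one posted just above and the response headers are the ones the author lists; the broker address, credentials, client id and the allowed serial number are constructed placeholders. Unlike a plain forwarder, it answers only serial numbers it has been told about and logs the User-Agent the device presents, so a stray request from anything else on the network gets a 403 rather than broker credentials.

```python
"""Local stand-in for the certification endpoint, answering with the operator's own broker.

Editor's example; Python http.server, not the thread's C# code.
"""
import json
from datetime import datetime, timezone
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

# Constructed placeholders: the broker the device should use from now on.
LOCAL_BROKER = {"url": "10.99.88.9", "port": "1883", "protocol": "mqtt",
                "username": "MyMqttID", "password": "MyMqttPw"}
# Only listed serial numbers get an answer (constructed serial -> clientId to hand out).
ALLOWED = {"R331ZEB4ZEBFFFFFF": "R33-0000"}


def parse_cert_query(path: str):
    """Return (sn, cpuId) for GET /cert?sn=..&cpuId=.., or None if the request is anything else."""
    parsed = urlparse(path)
    query = parse_qs(parsed.query)
    if parsed.path != "/cert" or "sn" not in query or "cpuId" not in query:
        return None
    return query["sn"][0], query["cpuId"][0]


def build_cert_document(client_id: str, product_key: str = "80", broker: dict = LOCAL_BROKER) -> dict:
    """The JSON the device expects, in the shape posted in the thread."""
    data = {"clientId": client_id, "productKey": product_key}
    data.update(broker)
    return {"code": "0", "data": data, "message": ""}


def response_headers(content_length: int, now=None) -> list:
    """Headers in the order the thread lists them; Date is RFC 1123 in GMT."""
    now = now or datetime.now(timezone.utc)
    return [
        ("Date", now.strftime("%a, %d %b %Y %H:%M:%S GMT")),
        ("Content-Type", "text/html;charset=UTF-8"),
        ("Content-Length", str(content_length)),
        ("Connection", "keep-alive"),
        ("Vary", "Origin"),
        ("Vary", "Access-Control-Request-Method"),
        ("Vary", "Access-Control-Request-Headers"),
        ("Strict-Transport-Security", "max-age=15724800; includeSubDomains"),
    ]


class CertHandler(BaseHTTPRequestHandler):
    protocol_version = "HTTP/1.1"   # so keep-alive plus Content-Length behaves as advertised

    def do_GET(self):
        parsed = parse_cert_query(self.path)
        if parsed is None:
            self.send_error(404)
            return
        sn, cpu_id = parsed
        # The thread says the device identifies itself as "ESP32 HTTP Client/1.0"; keep a record.
        self.log_message("cert request sn=%s cpuId=%s ua=%s", sn, cpu_id, self.headers.get("User-Agent"))
        if sn not in ALLOWED:
            self.send_error(403)
            return
        body = json.dumps(build_cert_document(ALLOWED[sn])).encode("utf-8")
        self.send_response_only(200)   # no automatic Server/Date headers; we send our own list
        for name, value in response_headers(len(body)):
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(body)


def serve(host: str = "0.0.0.0", port: int = 8080) -> None:
    """Listen on the address given as the cert url in the BLE Wi-Fi command."""
    HTTPServer((host, port), CertHandler).serve_forever()


if __name__ == "__main__":
    serve()
```

The port and path must match the cert URL sent in the BLE Wi-Fi command; with the thread's example that is `http://192.168.0.100:8080/cert`. Fetching the same query once against the real endpoint, as the author suggests, yields the device's genuine credentials if they are needed later, but nothing in this handler depends on that.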

ipalchuk commented 1 year ago

JADX - this is all renamed for me. and prepared to normal look. t2, ee4, cc etc - as for me - not normal :) so you do not find Set_ac_switch. but you can find 33, 4, 32, 6 or "ac_switch" and rename generated function names for all code. So next time - you can see understandable code. + GUI allows rename and go to declaration and find usages... so - step by step - and you will have normal view of code. app version - doesn't matter

MQTT explorer, mosquitto, Home Assistant - not for me, i have all my own, programs written by me. Read this topic again. DEVICE always using tls. ecoflow mqtt server always using tls. In MY SERVER - i just ignore validation (of user and of cert). In response you can get clientId, username, password. So why needed this changing? leave as is and add this to your config. In future this needed to connect as device to mqtt.ecoflow.com. But.. as you wish. why one password - "password": "MyMqttPw" in screen - Test12345 ? and different usernames. Why you change protocol. as i remember - mqtts And maybe i do not understand. My Mqtt server not needed if you using own, So for intercept and replace mqtt fields just add ip and port for your mqtt server and click - connect. in my screenshot in field (5) copy url and run it in browser - you will have real normal clientId, username, password - this not changing and can be reused next time. So if your broker not allowed all users and needed username and password... but - tls cert - this is some other point.

Ne0-Hack3r commented 1 year ago

> JADX - this is all renamed for me. and prepared to normal look. t2, ee4, cc etc - as for me - not normal :) so you do not find Set_ac_switch. but you can find 33, 4, 32, 6 and rename generated functions for all code. So next time - you can see understandable code. + GUI allows rename and go to declaration and find usages... so - step by step - and you will have normal view of code.

ok - I think that is making sense now.

> MQTT explorer, mosquitto, Home Assistant - not for me, i have all my own, programs written by me. Read this topic again. DEVICE always using tls. ecoflow mqtt server always using tls. In MY SERVER - i just ignore validation (of user and of cert). In response you can get clientId, username, password. So why needed this changing? leave as is and add this to your config. In future this needed to connect as device to mqtt.ecoflow.com. But.. as you wish. why one password - "password": "MyMqttPw" in screen - Test12345 ? and different usernames. Why you change protocol. as i remember - mqtts And maybe i do not understand. My Mqtt server not needed if you using own, So for intercept and replace mqtt fields just add ip and port for your mqtt server and click - connect. in my screenshot in field (5) copy url and run it in browser - you will have real normal clientId, username, password. So if your broker not allowed all users and needed username and password... but - tls cert - this is some other point.

My MQTT server requires ID/Password. I did try setting up a user with ID/PW matching those from api.echoflow.com but would prefer to use my own friendly names instead of long GUIDs. I was hoping to use mqtt on port 1883 without TLS as my MQTT server is not configured for TLS. The Mosquitto MQTT broker is integrated with Home Assistant so I either need to bridge that to your MQTT server or (better) direct the D2 to connect to mine directly. Once the MQTT server on HA has the messages I can pull them into dashboards, automations, etc.

I understand that your MQTT server can decide to ignore user, password, and validation but if I configure my MQTT server to use TLS (with my own internal CA signed certificate) will the D2 accept that? Or do I need to provide a publicly verifiable certificate to satisfy validation on the D2 itself?

ipalchuk commented 1 year ago

without TLS - I think it won't work. with tls, the header of internal commands is different. I tried to give for device server without tls - it did not work - he wrote errors. I wrote about it. What to change in response so that the device itself stops using TLS - I don’t know, and I think that this is not configurable. But... I can't help you here. what's the difference how long the name and password are - the main point is that they will work for a corporate server. But ... here I am not an adviser - I have no aesthetic considerations in this regard. certificate - X509Certificate2 you better not use my server for sure - because it's just a test. this is a sketch. it's hard to call it a server at all. an essence - I did not go deep into concepts of certification. I bend down the programs to the device and not the device to the programs. In your case - I can not say anything.

My server used any first valid one found in system :)

```csharp
X509Store store = new X509Store(StoreLocation.CurrentUser);
X509Certificate2 certificate;
try
{
    store.Open(OpenFlags.ReadOnly);
    X509Certificate2Collection certCollection = store.Certificates;
    X509Certificate2Collection currentCerts = certCollection.Find(X509FindType.FindByTimeValid, DateTime.Now, false);
    certificate = currentCerts[0];
}
finally
{
    store.Close();
}
```

and `.WithEncryptionCertificate(certificate)` `.WithEncryptionSslProtocol(SslProtocols.Tls12)` and ValidatingConnection = {always - all ok! you fit.}

so - this compatible for device :)

Ne0-Hack3r commented 1 year ago

> without TLS - I think it won't work.

I got it to work without TLS using "mqtt" (instead of mqtts) on port 1883 (instead of 8883) by sending the custom JSON I referenced above to connect D2 to the integrated Mosquitto MQTT server on Home Assistant.

I can now see the MQTT published to my own MQTT server directly: (screenshot)

> you better not use my server for sure - because it's just a test.

I fully understood this. Everything I am doing at this point is only for testing, learning and discovery. I really appreciate all of you help getting to this point. Now that I have the MQTT localized I may begin to further explore the BLE side of things.

Thank you again!

ipalchuk commented 1 year ago

Well, you see the difference - when more than one person is doing something. BLE you can leave for a snack. The device is subscribed to the topics - blabla/upgrade. and /progress and the data (Payload) in the topic is not only text (can be just bytes- in general - this is bytearray (stream) :) ). and the gold in it all is the firmware file. and if now all sent(post topics) data is redirected to the corporate server... and its responses(subs topics) are returned to the device and all this is logged. That 1 - you will know what and to which topic you need to send, so that the device does not constantly send its data to the topic "inform" - it is waiting for an answer about the presence or absence of a new version. in offline - it clogs the air. and the device may eventually turn off altogether (without answers) - I wrote all about it. 2 - click on the mobile phone - install the update. and I think - the body of the firmware will begin to be sent to the device (not sure but most likely). From the logs, you can turn it into a file - and you have what all hackers want to have. that which contains within itself is everything - firmware :) although personally I don't think it's interesting to you. you now have something to do :) but this is the road to custom firmware. and opportunities for many unknowns to become known. (although ecoflow is certainly not an iPhone - but just a Chinese box) -----ps but in general it's sad that two months later from the creation of the topic ... people's lack of due attention to this all. Now let's look at other devices - distribution panels for example. Some people are looking for topics for the user(app) account, where can get some data. All this is asked and asked by the great gurus. in private repositories. and so on. And another option - you have ALL topics of the device itself, where everything is. Any difference? it's sad.

ipalchuk commented 1 year ago

so. first of all needed answer for this inform posts: inform post to this subs (bla-bla/reply)... inform as for me - absolutely understandable. around all and id. (as for me). and the device will not send it constantly.

how to do it. there are two options - add a new client who will send this to the topic. or - in the library that I use - it's called - InjectApplicationMessage. see for yourself here. It is better to have a client in parallel, which is connected to the corporate server as a device and at the same time can work with your broker. And then - you will get both online and offline and a sniffer and everything will work in any state.

just for fun i added client which connected to mqtt.ecoflow as device in parallel to this test demo broker. Did not check offline, errors etc. so - needed internet - just online. BUT. you connect to this server. open mobile app (only corporate mqtt) BUT - it will work. switch something in the mobile application and you will see how it all goes through this local server. This is to understand what you need to strive for. I understand that you already have something to pick, discuss, show, etc. :) but believe me - it's all for me in 3-4 months - it's no longer impressive and not interesting. But stopping only in offline mode is not enough.

1 - some topics (ended by "@AtMostOnce") and maybe there are others (they dynamically appear) - not explored. see first post. 2 - the device from which the user unsubscribed (logout from the application) or did not install the application at all - has fewer topics. well...etc.

MQTTBrokerSNIFFER.zip
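The "answer the inform posts" point made here and earlier in the thread (the device keeps re-sending its module versions to `/ota/module/inform/<product>/<sn>` until something replies on the `/reply` topic), as an added Python example written for this page; it is not the author's MQTTnet code or anything from this repository. The reply shape `{"id": <same id>, "res": "ok"}` is what the author recalls rather than a documented format, the sample inform payload is constructed from the fragment quoted in the thread, and the broker address is a placeholder. The matching and reply logic is plain Python and runs without a broker; the paho-mqtt wiring at the bottom (written against the 1.x callback API) is the optional part that connects it to a local broker.

```python
"""Reply to /ota/module/inform posts on a local broker so the device stops repeating them.

Editor's example; reply format is the thread author's recollection.
"""
import json
import re

# Exact-match the inform topic so the device's own .../reply traffic is never echoed back.
INFORM_TOPIC = re.compile(r"^/ota/module/inform/(?P<product>\d+)/(?P<sn>[A-Za-z0-9]+)$")

# Constructed from the fragment quoted in the thread.
SAMPLE_INFORM = (b'{"id": 3541, "params": [{"moduleAddr": 5, '
                 b'"moduleVersion": "5.1.0.166", "loaderVersion": "3.0.0.1"}]}')


def module_versions(payload: bytes) -> dict:
    """Map moduleAddr -> moduleVersion from an inform payload (what firmware the device reports)."""
    doc = json.loads(payload)
    return {p["moduleAddr"]: p["moduleVersion"]
            for p in doc.get("params", []) if "moduleAddr" in p and "moduleVersion" in p}


def reply_for_inform(topic: str, payload: bytes):
    """Return (reply_topic, reply_payload) for a valid inform post, else None.

    Malformed JSON, a missing or non-integer id, and any topic other than an exact
    inform topic are ignored rather than answered.
    """
    if not INFORM_TOPIC.match(topic):
        return None
    try:
        doc = json.loads(payload)
    except ValueError:
        return None
    msg_id = doc.get("id") if isinstance(doc, dict) else None
    if not isinstance(msg_id, int) or isinstance(msg_id, bool):
        return None
    return topic + "/reply", json.dumps({"id": msg_id, "res": "ok"}).encode("utf-8")


if __name__ == "__main__":
    # Requires paho-mqtt (1.x constructor and callback signature); broker address is a placeholder.
    import paho.mqtt.client as mqtt

    def on_message(client, userdata, msg):
        reply = reply_for_inform(msg.topic, msg.payload)
        if reply is None:
            return
        print(msg.topic, "->", module_versions(msg.payload))
        client.publish(reply[0], reply[1])

    client = mqtt.Client()
    client.on_message = on_message
    client.connect("10.99.88.9", 1883)
    client.subscribe("/ota/module/inform/+/+")
    client.loop_forever()
```

Because the subscription is to `/ota/module/inform/+/+` and the regex rejects anything with a trailing `/reply`, the client never answers its own replies; logging `module_versions` on each inform gives a local record of the firmware versions the device runs, which is the information the author says the device is trying to get confirmed.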