pdugas / homeassistant-recteq

Recteq Integration for Home Assistant
MIT License

MQTT #6

Open pdugas opened 4 years ago

pdugas commented 4 years ago

It's been suggested the cloud connection for the grill is via MQTT. This guy says he's been successful hijacking DNS to have his devices connect to a local MQTT server instead of the vendor's instance.

If I get on the firewall and sniff the grill's MAC address, I can see the periodic broadcasts to udp:6667 and when I fiddle in the app, I see additional traffic on tcp:8886. Perhaps that's MQTT. I wonder if we could do something similar to get async comm to the grill instead of relying on polling.

# tcpdump -n -i lag0 ether host ec:fa:bc:6a:d1:0e
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lag0, link-type EN10MB (Ethernet), capture size 65535 bytes
12:36:04.068514 IP 10.10.0.116.49154 > 255.255.255.255.6667: UDP, length 188
12:36:05.276415 ARP, Request who-has 10.10.0.116 tell 10.10.0.116, length 46
12:36:09.068083 IP 10.10.0.116.49154 > 255.255.255.255.6667: UDP, length 188
12:36:12.451077 IP 100.21.156.247.8886 > 10.10.0.116.44017: Flags [P.], seq 676013862:676014075, ack 2953521119, win 65535, length 213
12:36:12.595263 IP 10.10.0.116.44017 > 100.21.156.247.8886: Flags [.], ack 213, win 3615, length 0
12:36:12.656234 IP 10.10.0.116.44017 > 100.21.156.247.8886: Flags [P.], seq 1:214, ack 213, win 3615, length 213
12:36:12.739453 IP 100.21.156.247.8886 > 10.10.0.116.44017: Flags [P.], seq 213:282, ack 214, win 65535, length 69
12:36:12.842436 IP 10.10.0.116.44017 > 100.21.156.247.8886: Flags [.], ack 282, win 3546, length 0
12:36:13.967322 IP 10.10.0.116.44017 > 100.21.156.247.8886: Flags [P.], seq 214:427, ack 282, win 3546, length 213
12:36:14.049280 IP 100.21.156.247.8886 > 10.10.0.116.44017: Flags [P.], seq 282:351, ack 427, win 65535, length 69
12:36:14.080555 IP 10.10.0.116.49154 > 255.255.255.255.6667: UDP, length 188
12:36:14.092430 IP 10.10.0.116.44017 > 100.21.156.247.8886: Flags [.], ack 351, win 3477, length 0
12:36:15.298710 ARP, Request who-has 10.10.0.116 tell 10.10.0.116, length 46
12:36:16.154205 IP 100.21.156.247.8886 > 10.10.0.116.44017: Flags [P.], seq 351:564, ack 427, win 65535, length 213
12:36:16.336150 IP 10.10.0.116.44017 > 100.21.156.247.8886: Flags [P.], seq 427:640, ack 564, win 3264, length 213
12:36:16.421209 IP 100.21.156.247.8886 > 10.10.0.116.44017: Flags [P.], seq 564:633, ack 640, win 65535, length 69
12:36:16.595469 IP 10.10.0.116.44017 > 100.21.156.247.8886: Flags [.], ack 633, win 3195, length 0
12:36:17.999128 IP 10.10.0.116.44017 > 100.21.156.247.8886: Flags [P.], seq 640:853, ack 633, win 3195, length 213
12:36:18.082948 IP 100.21.156.247.8886 > 10.10.0.116.44017: Flags [P.], seq 633:702, ack 853, win 65535, length 69
12:36:18.092447 IP 10.10.0.116.44017 > 100.21.156.247.8886: Flags [.], ack 702, win 3126, length 0
12:36:19.067961 IP 10.10.0.116.49154 > 255.255.255.255.6667: UDP, length 188
12:36:21.155307 ARP, Request who-has 10.10.0.116 tell 10.10.0.1, length 28
12:36:21.445076 ARP, Reply 10.10.0.116 is-at ec:fa:bc:6a:d1:0e, length 46

pdugas commented 4 years ago

Need to sniff DNS traffic from the grill to see what hostname it's resolving to make that connection to 100.21.156.247.
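
One way to test the "perhaps that's MQTT" guess about the tcp:8886 traffic, as an added example that is not part of the original issue or the integration's code: classify the first client-to-server payload of a fresh connection as a cleartext MQTT CONNECT packet or a TLS ClientHello. The capture above starts mid-stream, so this assumes a new capture taken from the start of a connection; the function names and sample bytes are constructed for illustration.

```python
import struct

# Constructed samples, not taken from the grill's traffic.
# MQTT 3.1.1 CONNECT: type 0x10, remaining length 17, "MQTT", level 4,
# flags 0x02 (clean session), keepalive 60, client id "grill".
SAMPLE_MQTT = b"\x10\x11\x00\x04MQTT\x04\x02\x00\x3c\x00\x05grill"
# Truncated TLS record: handshake (0x16), version 3.1, ClientHello (0x01).
SAMPLE_TLS = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"


def _mqtt_remaining_length(buf, pos=1):
    """Decode MQTT's variable-length 'remaining length' (1-4 bytes, 7 bits each)."""
    value, shift = 0, 0
    for i in range(4):
        if pos + i >= len(buf):
            return None  # payload ends inside the length field
        byte = buf[pos + i]
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:  # continuation bit clear: last length byte
            return value, pos + i + 1
        shift += 7
    return None  # more than 4 length bytes is malformed


def classify_first_payload(buf):
    """Classify the first client->server TCP payload of a connection."""
    # TLS record header is 5 bytes; byte 5 is the handshake message type.
    if len(buf) >= 6 and buf[0] == 0x16 and buf[1] == 0x03 and buf[5] == 0x01:
        return "tls-client-hello"  # MQTT may still be inside the tunnel
    if buf[:1] == b"\x10":  # MQTT CONNECT: packet type 1, flags 0
        decoded = _mqtt_remaining_length(buf)
        if decoded:
            _, pos = decoded
            if pos + 2 <= len(buf):
                (name_len,) = struct.unpack_from(">H", buf, pos)
                name = buf[pos + 2 : pos + 2 + name_len]
                level = buf[pos + 2 + name_len : pos + 3 + name_len]
                # "MQIsdp" is the protocol name used by MQTT 3.1
                if name in (b"MQTT", b"MQIsdp") and level:
                    return f"mqtt-connect (protocol level {level[0]})"
    return "unknown"


if __name__ == "__main__":
    for label, data in (("mqtt", SAMPLE_MQTT), ("tls", SAMPLE_TLS)):
        print(label, "->", classify_first_payload(data))
```

A `tls-client-hello` result means the application protocol cannot be read from the wire, so it neither confirms nor rules out MQTT.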