search

robertklep / bosch-xmpp

Protocol implementation for Bosch XMPP protocols
MIT License
47 stars 8 forks source link

new pro control app info #12

Open marcews opened 3 years ago

marcews commented 3 years ago

The Nefit pro control app recently started to show a graph for used KWH and generated KWH for my heatpump. Does this mean the endpoint for KWH consumption can now be found through sniffing the app traffic or analysing the APK for this app?

I have been looking a long time how to implement the KWH consumption data in my own php dashboard...

robertklep commented 3 years ago

I think you'll have the best chance of finding out the endpoints by analysing the APK, sniffing XMPP traffic has been made quite difficult lately (you'll need an XMPP proxy to begin with, but I believe that the apps started using TLS pinning so MITM is out of the question).

marcews commented 3 years ago

Thank you Robert, I already had the APK open in Android studio but no clue where to begin. Any suggestions where or how I can find the endpoints in the APK?

Thank you,

Marc

Van: Robert Klep notifications@github.com Verzonden: zondag 17 januari 2021 19:37 Aan: robertklep/bosch-xmpp bosch-xmpp@noreply.github.com CC: Marc Van Riesen marc@ews.nl; Author author@noreply.github.com Onderwerp: Re: [robertklep/bosch-xmpp] new pro control app info (#12)

I think you'll have the best chance of finding out the endpoints by analysing the APK, sniffing XMPP traffic has been made quite difficult lately (you'll need an XMPP proxy to begin with, but I believe that the apps started using TLS pinning so MITM is out of the question).

— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHubhttps://github.com/robertklep/bosch-xmpp/issues/12#issuecomment-761859047, or unsubscribehttps://github.com/notifications/unsubscribe-auth/ALMLXVAKTTK4LWUTWJVAKWDS2MU6TANCNFSM4WGHCXOA.

robertklep commented 3 years ago

You need to decompile the classes.dex file inside the APK file, and/or look for known endpoints (for instance, the substring /dhwCircuits/ is a good one to start with) inside the files contained in the APK.

marcews commented 3 years ago

Done but I cannot find the endpoints that are definitely working. For example

bosch-xmpp --serial=--access-key=-password=*** ivt get /system/appliance/actualSupplyTemperature

gives

{"id":"/system/appliance/actualSupplyTemperature","type":"floatValue","writeable ":0,"recordable":0,"value":38,"unitOfMeasure":"C","state":[{"open":-3276.8},{"sh

So I would expect a search result for "actualSupplyTemperature" (also available in the app) but no result form the classes.dex...

Nefit ProControl_v3.8.1_apkpure.com.zip

Any ideas?

Thank you, Marc

robertklep commented 3 years ago

Have you looked at the .dump file in assets/demo/? There are a few endpoints mentioned there that return values in kWh.

I decompiled classes.dex with jadx and found plenty of references to "actualSupplyTemperature":

$ grep -ir 'SupplyTemperature' .
./sources/p075d/p081b/p082a/p083a/p104e/p107c/p108c/p109k/p110c/C2900f.java:            alternativeHomeFloorPage.f10492g0.getSupplyTemperature(heatingCircuit, alternativeHomeFloorPage.mo14727A(), new C2901g(alternativeHomeFloorPage, heatingCircuit, this.f7988b));
./sources/com/bosch/p072tt/icomdata/path/PathComponents.java:    public static final String PATH_ACTUAL_SUPPLY_TEMPERATURE = "actualSupplyTemperature";
./sources/com/bosch/p072tt/icomdata/path/PathComponents.java:    public static final String PATH_SUPPLY_TEMPERATURE_SETPOINT = "supplyTemperatureSetpoint";
./sources/com/bosch/p072tt/icomdata/block/HeatingCircuit.java:    public FloatValue getActualSupplyTemperature() {
./sources/com/bosch/p072tt/icomdata/block/HeatingCircuit.java:    public FloatValue getSupplyTemperatureSetpoint() {
./sources/com/bosch/p072tt/icomdata/block/HeatingCircuit.java:    public void setActualSupplyTemperature(FloatValue floatValue) {
./sources/com/bosch/p072tt/icomdata/block/HeatingCircuit.java:    public void setSupplyTemperatureSetpoint(FloatValue floatValue) {
./sources/com/bosch/p070de/p071tt/heathub/mvc/info/InfoModel.java:                arrayList.add(new InfoRequest(pathID.getLastComponent(), RequestService.createActualSupplyTemperaturePath(pathID.getLastComponent()), TemplateType.FLOAT_VALUE, Interval.TEMPERATURE));
./sources/com/bosch/p070de/p071tt/heathub/mvc/info/InfoModel.java:                arrayList.add(new InfoRequest(pathID.getLastComponent(), RequestService.createSupplyTemperatureSetpointPath(pathID.getLastComponent()), TemplateType.FLOAT_VALUE, Interval.TEMPERATURE));
./sources/com/bosch/p070de/p071tt/heathub/mvc/info/InfoModel.java:                arrayList.add(new InfoRequest("general", RequestService.createApplianceActualSupplyTemperaturePath(), TemplateType.FLOAT_VALUE, Interval.TEMPERATURE));
./sources/com/bosch/p070de/p071tt/heathub/mvc/alternativehome/floorcontrol/view/model/AlternativeHomeFloorModelMapper.java:                    str3 = context.getString(C0638R.string.sensor_actualSupplyTemperature);
./sources/com/bosch/p070de/p071tt/heathub/RequestService.java:    public static Path createActualSupplyTemperaturePath(String str) {
./sources/com/bosch/p070de/p071tt/heathub/RequestService.java:    public static Path createApplianceActualSupplyTemperaturePath() {
./sources/com/bosch/p070de/p071tt/heathub/RequestService.java:    public static Path createSupplyTemperatureSetpointPath(String str) {
./sources/com/bosch/p070de/p071tt/heathub/C0638R.java:        public static final int info_actualsupplytemperature = 2131624546;
./sources/com/bosch/p070de/p071tt/heathub/C0638R.java:        public static final int info_supplytemperaturesetpoint = 2131624571;
./sources/com/bosch/p070de/p071tt/heathub/C0638R.java:        public static final int sensor_actualSupplyTemperature = 2131624737;
./sources/com/bosch/p070de/p071tt/heathub/service/coreresource/CoreResourceManagerService.java:    public void getSupplyTemperature(HeatingCircuit heatingCircuit, String str, Callback<Measurement> callback) {
./sources/com/bosch/p070de/p071tt/heathub/service/coreresource/CoreResourceManagerService.java:        this.f7727a.getSupplyTemperature(heatingCircuit, str, new C4775y0(callback));
./sources/com/bosch/p070de/p071tt/heathub/service/comprovider/ComProviderRequestService.java:    public void getSupplyTemperature(HeatingCircuit heatingCircuit, String str, Callback<Measurement> callback) {
./sources/com/bosch/p070de/p071tt/heathub/service/comprovider/ComProviderPaths.java:    public static final String PATH_CAN_SUPPLY_TEMPERATURE = "/heatingCircuits/%s/supplyTemperatureSetpoint";
./sources/com/bosch/p070de/p071tt/heathub/service/comprovider/ComProviderPaths.java:    public static final String PATH_EMS_SUPPLY_TEMPERATURE = "/heatingCircuits/%s/actualSupplyTemperature";
./sources/com/bosch/p070de/p071tt/heathub/service/ResourceManagerService.java:    void getSupplyTemperature(HeatingCircuit heatingCircuit, String str, Callback<Measurement> callback);
./sources/com/bosch/p070de/p071tt/heathub/service/RequestService.java:    void getSupplyTemperature(HeatingCircuit heatingCircuit, String str, Callback<Measurement> callback);
marcews commented 3 years ago

Thank you Robert, I have found this demo and indeed the endpoints but:

1) A lot of endpoints do not give a result (especially the history ones) but a 404 not founderror which I can understand. I imagine not all systems (gasheater or heatpump) have the same endpoints. 2) Is there any way to trace back in the APK to which endpoint the request form the app for "Historie""is directed? See lower part of the screenshot.

Thank you again for your help! pro control screenshot

Marc

robertklep commented 3 years ago

A quick look doesn't yield any endpoints for that type of data. The app can't be decompiled entirely and is partly obfuscated, so perhaps it's because of that.

Bulforce commented 2 years ago

I think you guys are taking the wrong approach here, there is no need to decompile any app in order to discover all available endpoints.

What I would do is to use the built in discovery. Once the appliance is connected (no matter what appliance) and you have successful setup for connecting with this client, all you need to do is query the base endpoints like /system /heatSources etc.

for example bosch-xmpp ... get /system will return something like that: {"id":"/system","type":"refEnum","references":[{"id":"/system/appliance"},{"id":"/system/autoAway"},{"id":"/system/awayMode"},{"id":"/system/brand"},{"id":"/system/fireplace"},{"id":"/system/hydraulicBalancing"},{"id":"/system/info"},{"id":"/system/interfaces"},{"id":"/system/location"},{"id":"/system/sensors"}]}

The references node contains all available endpoints for the base node for your home, the list can be different for another home. Each of the endpoints can return some readings, or even have more endpoints nested.

Since your home is different, there is no fixed list of endpoints, besides the base nodes, you have to query those in order to discover what is available for you. For example you can use /devices to get references related to all of the connected devices like heat sources, thermostat valves and etc then query the refs /devices/dev1 /devices/dev2 get simple list with /devices/list

Keep in mind that some of the base endpoints will give you 404, I dont have solar elements and the /solarCircuit gives me 404

What I am trying to tell you is that no matter what you will discover by decompile those apps, may not even be applicable to your house setup. The only valid endpoints for your particular setup are those that you can get by querying the base endpoints.

robertklep commented 2 years ago

@Bulforce not all Bosch/Nefit devices support autodiscovery of endpoints.

Bulforce commented 2 years ago

ok, noted that. I think all devices will support it at some point.