Support for controlling Reolink Floodlight

[kevin-david]

https://reolink.com/product/reolink-floodlight/ - is a relatively new device that after some reverse engineering appears to use the same protocol as the cameras do, unsurprisingly.

I hacked up a little test function and it doesn't seem like it'd be hard to at least get a few things working:

kevin@Kevins-MBP-2 in neolink/ on master 
› RUST_LOG=info ./target/debug/neolink test-flood 192.168.1.130:9000 <password>                                                                                                             [12:03:09]
[2022-11-27T17:03:16Z INFO  neolink] Neolink v0.3.0-343-gb6dd2e6 debug
Connecting to camera at "192.168.1.130:9000"
Device info: Ok(DeviceInfo { resolution: Resolution { name: "", width: 0, height: 0 } })
LED state: LedState { version: "1.1", channel_id: 0, led_version: Some(2), state: "auto", light_state: "open" }
Version: VersionInfo { name: "Backyard Floodlight", serialNumber: "00000000065536", buildDay: "build 22090741", hardwareVersion: "F1_5628M", cfgVersion: "v3.0.0.0", firmwareVersion: "v3.0.0.1311_22090741", detail: "F1_5628MS00E1W01100000000" }

Things controllable via the app:

• Light mode: Motion, nighttime, schedule
  • Motion: Light duration
  • Nighttime: usual brightness, motion triggered brightness
  • Schedule: per-day with state on/off
• Brightness
• On/off

I'll keep hacking away as I get time but if anyone wants to collaborate, that'd be great!

Side note: any recent guides to getting a pcap file off an Android device? I used mitmproxy with an emulator, which worked but doesn't work well with binary data.

[QuantumEntangledAndy]

Not familiar with android, we just use the offical app and client from a laptop with wireshark to grab the packets. You might be better of with having some sort of packet capture on the router rather then the android.

Have you seen our documentation about the protocols in dissector? I've listed all know messge types in neolink/dissector/messages.md and one of them might control your floodgate

We have a branch that should be able to control LED state already in motionStream. Which you can use on that branch like this:

neolink status-light --config=config.toml CameraName on

I think it only does LEDs not flood lights but it might be a good place to start

[kevin-david]

Thanks - I forgot that it would be trivial to capture emulator traffic by just running Wireshark on the emulator host, so I have a packet capture that I'm playing with. Woohoo!

From what I can tell there are a few new message types. To start, it looks like message type 288 is floodlight on/off but I'm not getting usable XML out of Wireshark - just Binary data. Is this new or a known limitation of the wireshark analyzer?

Example:

0000   ec 71 db 61 9c bb 3c 52 82 77 3d d3 08 00 45 00   .q.a..<R.w=...E.
0010   01 65 e4 67 40 00 40 06 d0 79 c0 a8 01 df c0 a8   .e.g@.@..y......
0020   01 82 aa e0 23 28 fa 05 19 5a 2b 85 50 b1 80 18   ....#(...Z+.P...
0030   01 f5 86 09 00 00 01 01 08 0a 8c 79 a8 50 3a 28   ...........y.P:(
0040   7c c8 f0 de bc 0a 20 01 00 00 19 01 00 00 ff 01   |..... .........
0050   00 00 00 00 14 64 68 00 00 00 ba bf 82 39 3e 3f   .....dh......9>?
0060   da 93 ef de c7 a6 71 d1 d8 ed 49 f5 5b 47 b0 c7   ......q...I.[G..
0070   e4 0f 25 8c 6d f5 fe 20 c1 c2 55 dc 93 a5 e4 bc   ..%.m.. ..U.....
0080   3b b2 6c 08 25 8d 05 23 e5 b9 8f 4e d7 a1 57 c4   ;.l.%..#...N..W.
0090   1c da 07 a9 17 1c bc e0 01 ce 36 00 2e d5 78 78   ..........6...xx
00a0   59 83 20 29 ff b0 8b 07 5d 67 97 51 79 ae c1 20   Y. )....]g.Qy.. 
00b0   77 a6 79 b0 35 9a cd 5c 14 71 85 2e ba 09 96 5f   w.y.5..\.q....._
00c0   36 b6 ba bf 82 39 3e 3f da 93 ef de c7 a6 71 d1   6....9>?......q.
00d0   d8 ed 49 f5 5b 47 b0 c7 e4 0f 25 8c 6d f5 fe 20   ..I.[G....%.m.. 
00e0   c1 c2 55 dc 93 a5 e4 bc 3b b2 6c 2f 32 9d 19 73   ..U.....;.l/2..s
00f0   9c ec d8 e0 bd 73 85 af 47 01 9d 38 2b 40 2b e1   .....s..G..8+@+.
0100   e3 0e 2f 16 d2 22 d3 2c c6 fe 26 e9 94 59 5e e7   ../..".,..&..Y^.
0110   36 62 6a 27 ac 84 55 34 8b 1e 92 db 72 db 76 6d   6bj'..U4....r.vm
0120   19 6e 59 98 0a f8 a3 99 de ec 5f ab b4 43 58 b2   .nY......._..CX.
0130   20 12 3c 76 59 a6 68 86 9a 51 2c cb 58 f1 cf 20    .<vY.h..Q,.X.. 
0140   4c e3 cf d1 2b d9 6a 58 dd b1 14 39 4d b3 fc ca   L...+.jX...9M...
0150   51 3e 04 28 67 db 2c b9 13 15 a1 c7 f0 33 77 79   Q>.(g.,......3wy
0160   47 99 de e3 3b d0 32 ed fd 55 24 82 22 54 45 02   G...;.2..U$."TE.
0170   6b aa b8                                          k..

Shows up as:

Baichuan IP Camera Protocol, unknown:288 message
    Baichuan Message Header, length: 24, type 288
        magic: 180150000
        messageId: 288 (unknown)
        messageLen: 281
        xmlEncryptionOffset: -1 (& 0xF == 15)
        channel_id: -1
        streamID: 1 SD (Fluent)
        unknown: 0
        messageHandle: 0
        messageClass: 25620 (modern)
        status_code: 0
        binOffset: 104
    Baichuan Message Body, modern, length: 281, type 288
        Meta Payload
        Binary (in Meta Payload)
        Main Payload
        Binary (in Main Payload)

[QuantumEntangledAndy]

The newer xml traffic is AES encrypted, we know the key but wireshark dosent' have a decent AES decryption module built into it. The easiest thing is to usually use an older client (like two years ago) before AES was added.

[QuantumEntangledAndy]

If your curious the AES is

128bit CFB IV: "0123456789abcdef" Password: "NONCE-PASSWORD" Where NONCE is transmissed during login (look at the packets in wireshark with the message id of 1) And the PASSWORD is your login password for the camera

You might be able to find an online decryptor to handle it

[kevin-david]

Thanks - once I figured out the MD5, uppercase, and substring madness I got some useful messages! The cyberchef tool was useful to iterate fast:

• [Get the MD5-based key](https://cyberchef.org/#recipe=MD5()To_Upper_case('All')Take_bytes(0,16,false)&input=SU5TRVJUX05PTkNFLUlOU0VSVF9QQVNTV09SRA)
• Use it to decrypt hex streams from wireguard pcapsAES_Decrypt(%7B'option':'UTF8','string':'INSERT_KEY'%7D,%7B'option':'UTF8','string':'0123456789abcdef'%7D,'CFB','Hex','Raw',%7B'option':'Hex','string':''%7D,%7B'option':'Hex','string':''%7D)&input=MDAwMDAwMDEwMDA2NTI1NTBhMDAwMjAyMDAwMDA4MDA0NTAwMDJiODQ1OWYwMDAwNDAwNjY0NjdjMGE4MDE4MjBhMDAwMjEwMjMyOGRjNTIxZDQ0ZTJlYmFmMzk2NzE1NTAxODIyMzhmYmQ3MDAwMGYwZGViYzBhZDkwMDAwMDA3ODAyMDAwMGYwMDQwMDAwYzgwMDAwMDAwMDAwMDAwMDk4MmViZWIxNWY3ZDg3Zjg3ZWQ0MjI3NWFlNGI1NWE5ZmM0ZmQ4YTIzYzRkYjcyMTYyMmYwZTk2NTNlMjljZjNmMzAzYTBjOWZiMWY5OWE3YWY0YjJjOTExOWRmZmU1NTY4YzQwNGE3MmNhN2E1MGE3NzU2Yjg4OTVlN2VmNGZmMzE1NDFmMWNhMjQyOWMyZGNkZjQ3MDg2MmFmMTE2NGU1NmNhM2Q2ZDc5YWM3NTRmNjE1M2NkOTdmYThkYmUxZWIxMDU4ZjEyZGU5N2M1NzE4MzdhNzBmZTY5YTNlNGIxYzgzY2U5M2M1ZGY1MDA4OGJlMzk5MDc1MWIwMzJkNmRjYzZlZDk0ZWZkM2ExY2E3MjFkZjZlOTg2NDE2NzlkN2YwOGM5OGYwNmRjMGI2MGY1Nzg0ZDJlYjdkYjI3MTJkMzZkNWQyZDc0NjA3ZTRiOThjMmZiNGFmMGFjMTI1ZWQ0YjUzNzE1YWU1MjY1MDU1YjIyNDhhZTdhYWY1MjdkODEwOTA4OWU0YTliYjljMmYwMDNiNmEzMzIxNTQ2NjgwZTlhZTcwNGM4NzdiMmE1MDQ4YTFmYjU1MGExODVmMWRjMjgwZDdkMzIyYzU0NDQ1YTBjOWVjZDZmMzk3YmYzOTMyNjQ4YWE5MmU0NDQzOTAzMTllZGQzOGY2ZmUyZTdlMDliZDQ0YWE5YTRhOTIzNmNiMmU1ZDJiOGNjZmZjOGYxNGZjMGI5YWFhZGQxYjI0NzEwYWIzZjI2ZjgyNDYwMDE3ZmU3ZjM3Y2YxMTU3YThlNDRkMzM2ODUxNDE4OTYxN2VlODcwZjBlZTU5ZDE0NzhlOWFkYzJjOGZkM2Y1YzM4MTFkZDEzYzQ2ODAyZjI0ZmE3NDU0Y2FiODE0YjIxNTA0YWE1NjEyY2I5MGQ0YzJjNThiYWU3ZWZiNzM0MDU4YzdkYzU3Mzc1N2EzYTc0NmU1M2RlZmNkODYxNmY1OTM1Nzk1MTdlYzJkYWNkMTNlOWUwYmMzZWMzNjFlNzlkYmEyNTI3ZWEzYTg5MTg1MTFhMDJmNDY0YThhYWFhNjBkNjhhYTZkZTllYTk5Mzc2MTA3NjE5NGM3NTU4ODQ0OTczMTI0Njc1ZGUzMjZjOTEwOGUyNjFhYjBkYmI2OWRiODM0NDkzYTEwNmFjZjYxZTA0ZTc1YmE2NmU0YzVhNGU5MWE4ZTVlOGI5OGZhMzY2OTlmZDcyOThjOTJlNzk1OGU2ODMxN2M4NzY5YmNhODNhOGRhYjAyYzA1MTNmMzNiYzJjZWIxYzFjYmQzNDgwOTFiN2IxZDFjZjk4ODFmN2I5NGE5YjU3YmMzYTRlN2YyYTQ4N2NlMjcwMzNjMTY0YmQ2MDViNDlhYzc0YjE5NDg0NDQyOWE0NWY0YTZhMDZhMGE4MmI3OGE4NDVhMzUwNWMxMTRiZDI3MWNkMjJiNmQ3NzRlY2EyY2EzZDFjOTdmZWViYzQ2NjhkNjViN2Q0YjA2MzFmZjljYTlhNzFhNjlkZjI0YjM1MzRjYTQ5MmFiZTVmNGVkZmQwYzUxM2JjZDc1MGI3OTdkZTQ4NGUwMTQwM2FjNDY3N2VkM2Y1Y2RhZDJkZDgzNWJiM2I5M2FmMzNlMzY2NjZlYWQ0OTU0Nzc2MDcxMjQ4MDgzMjgyZGRlNDJmYTU2MTc4OTg4NDE2OWU)

Also found that a wireshark filter of baichuan && !(baichuan.msg_id == 93) was really useful.

Most set events have this meta payload:

<Extension version="1.1">
<channelId>0</channelId>
</Extension>

Here's a turn-on (288) event...

<?xml version="1.0" encoding="UTF-8" ?>
<body>
<FloodlightManual version="1.1">
<channelId>0</channelId>
<status>1</status>
<duration>180</duration>
</FloodlightManual>
</body>

Also received a message 291 (status update?):

<?xml version="1.0" encoding="UTF-8" ?>
<body>
<FloodlightStatusList version="1.1">
<FloodlightStatus>
<channel>0</channel>
<status>1</status>
</FloodlightStatus>
</FloodlightStatusList>
</body>

And turn-off event (again 288):

<?xml version="1.0" encoding="UTF-8" ?>
<body>
<FloodlightManual version="1.1">
<channelId>0</channelId>
<status>0</status>
<duration>180</duration>
</FloodlightManual>
</body>

I captured a lot more events too, expand to see...

Setting brightness, type 290 - this also seems to be used to change the mode from motion to nighttime to schedule, and possibly set schedules: ```xml 0 1 1 0 92 300 none 2 18 0 6 0 1000 1900 0 100 10 ``` received a type 438 from the floodlight, some kind of status report again? ```xml 0 1 1 2 0 300 92 100 1 18 0 6 0 1000 2300 1000 1900 1000 1900 32 0 1 100 100 100 5 600 10 10 none ``` message id 264 seems to be an audio configuration: ```xml 0 0 0 85 0 0 0 0 0 0 1 ``` Setting the motion sensitivity (type 213) is a bit different: ```xml 0 ``` ```xml 0 1 1 16 0 0 Sunday 0 23 0 Monday 0 23 0 Tuesday 0 23 0 Wednesday 0 23 0 Thursday 0 23 0 Friday 0 23 0 Saturday 0 23 0 none ```

I can add these to https://github.com/thirtythreeforty/neolink/blob/master/dissector/messages.md - unfortunately I didn't save the full bytes, but can go get them if that's useful for something

[QuantumEntangledAndy]

Go ahead and add them to the messages.md.

We should be able to work up a PR for controlling the floodgates from here.

However ThirtyThreeForty hasn't merged many PRs lately (I think mostly he's moved on from neolink with other life things).

I have limited write access to this repo from the days when ThirtyThreeForty was more active. (Cannot merge my own PRs).

If you want it in master here you'll have to work up the PR yourself or you I can work it into my own fork which has other features like statusLED etc in it

[kevin-david]

Sounds good, PR here: https://github.com/thirtythreeforty/neolink/pull/327

Would be happy to have it in your fork as well. My goal ultimately is to control this via Home Assistant, so the MQTT support added in your fork is really interesting!

[QuantumEntangledAndy]

I see. I have an mqtt in one of my branches. If you can work up the controls we can add it to there and then home assistant can send the command over mqtt.

[QuantumEntangledAndy]

I'm working on a rewrite on my branch though and master is currently in a non operative state. Maybe be best to merge in to my fork after that is done.

[kevin-david]

Yeah, for sure - happy to work on support over in your fork.

To clarify, do you think I should wait until you're done with the rewrite to even start taking a look at adding support? Or are you just saying you'd like to wait until your rewrite is done before putting a PR up / merging the change? Either way is fine with me, just want to make the best use of my time!

[QuantumEntangledAndy]

My changes are all happening in the rtsp folder so as long as you mostly working elsewhere it will be easy to merge in. So go ahead and get started if you want. Just need to warn you that rtsp functionality is currently non operative until after I've finished up but others should still work fine.

[nmbgeek]

Any chance progress has been made on this? I checked in @kevin-david branches and it looks like progress stopped in January. Wish I could help but I have never touched rust.

[kevin-david]

Yep, my latest update is over here: https://github.com/QuantumEntangledAndy/neolink/pull/14#issuecomment-1404536029

Because my ultimate goal is to get it into Home Assistant, I started this discussion as well: https://github.com/starkillerOG/reolink_aio/issues/20. But I think the better approach is going to be modifying Neolink, because porting that code is going to be a ton of work. That said @nmbgeek, if you know Python well, it might be viable to get something basic working.

Unfortunately I haven't been able to prioritize taking another look at it for a while, and I am also very, very new to Rust so it's been slow going when I'm able to. In the meantime I'd recommend sharing feedback with Reolink about adding HTTP support for the floodlight in case they can trivially add that.

[nmbgeek]

I don't own one yet but did drop a message to their support and pre-sales consulting about adding HTTP to the Floodlight. Home Assistant is my goal here is as well. I currently have Sengled Motion PAR38 (zigbee bulbs with motion detector built in) but they don't seem to work 100% with ZHA and I would like to add more exterior lighting without having to run 120v.

[kevin-david]

Thanks to some heroic efforts by @QuantumEntangledAndy, the floodlight is now supported in his fork: https://github.com/QuantumEntangledAndy/neolink/pull/14

I'm planning to take a look at MQTT discovery next to get this wired up to home assistant easily, in addition to putting the MQTT version of the app into the shape of a home assistant addon.

[nmbgeek]

Thanks @kevin-david I had actually checked in on his repository yesterday and saw there was more activity. Do you happen to know if the PIR is directional or if there would be any other issue "ceiling" mounting it under my eave?

[kevin-david]

@nmbgeek Not sure - I would recommend asking Reolink about it, since mine is mounted "normally" on a deck post. I can say the PIR is pretty sensitive at least, and it works much better than camera-motion-based detection.