Ecoflow BLE - for all Devices, not only for Delta 2 :)
Hi all :) Yes, BLE - the right way.
Hassio - stuck on the open port 8055
v1ckxy - stuck on declaring the basic principles of working offline
tolwi - implemented only the user corporate MQTT
BUT - much more interesting solutions exist. Absolute independence of the device from the corporation, from the presence of the Internet. With support for a much wider range of devices. And using the DEVICE mqtt (a LOCAL mqtt server :)) ).
So, let's start. Please install the mobile app nRF Connect. Find and connect to the device. Look at the RAW BLE header.
0 - RAW - (topic,length)data(topic,length)data(topic,length)data....
02-01-06 1B-FF-B5-B5-12 52-33-33-31-5A-45-42-34-5A-45-42-47-30-FF-FF-FF 63-00-20-BC-5F-01-93 11-FF-C5-C5-12 36-02-13-50-34-47-FF-FF-FF-FF-FF-FF 5D-0C-09 52-33-33-2D-30-34-35-34-00-14-0D
a) Device SN - 52-33-33-31-5A-45-42-34-5A-45-42-47-30-FF-FF-FF (utf8)
b) battery level - 63, and some other data
c) 36-02-13-50-34-47-FF-FF-FF-FF-FF-FF - CPU Id
d) 52-33-33-2D-30-34-35-34 - short name of the device (utf8)
1 - install JADX (dex to java) and decompile the *.dex files in ecoflow.apk (look in the com/ecoflow folder)
2 - If you're not normal at all - IDA (not free) or Ghidra Software Reverse Engineering Framework (free) to disassemble the base packet engine, placed in \lib\arm64-v8a\libnative-lib.so in the apk file
So, let's focus on the first option. Examine the files and you will get a list of many commands - for mqtt, iot, ble - for ALL the different devices. Everything else is correct. But this is not enough.
1 - the device model is determined by the first two or three bytes of the serial number (attachment).
2 - to send commands and to receive (full) data - MANDATORY! - the MTU (Maximum Transmission Unit) needs to be configured. 136 for a start will be enough (for DELTA 2). Chinese programmers didn't properly implement packet merging :)
3 - the number of commands is not limited to those described and implemented by hassio.
So - for a start I recommend doing module number 53 (decimal) (the ble/wifi module):
53 - 53 - 0 : Reconnect to mqtt
53 - 53 - 5 : (0/1) enable/disable the wifi module. And yes, this opens some interesting ports on the device:
PORT STATE SERVICE VERSION
340/tcp filtered unknown
1062/tcp filtered veracity
1216/tcp filtered etebac5
1600/tcp filtered issd
2030/tcp filtered device2
3333/tcp filtered dec-notes
4006/tcp filtered pxc-spvr
5051/tcp filtered ida-agent
5432/tcp filtered postgresql
6543/tcp filtered mythtv
9968/tcp filtered unknown
10002/tcp filtered documentum
10617/tcp filtered unknown
50000/tcp filtered ibm-db2
52869/tcp filtered unknown
53 - 53 - 8 - wifi networks - (id)(name length)(name)... (id)(name length)(name)...
53 - 53 - 4 - WiFi connection - MAC/IP/WiFi Name (32 bytes)/Password (32 bytes)
53 - 53 - 10 - (0/1) connect/disconnect the MQTT connection
53 - 53 - 51 - disable the BLE module. Restart the device manually to enable BLE
53 - 53 - 52 - BLE RAW Data - COD (class of device)/MAC/MAC?/RAW
53 - 53 - 112 - isenabled - wifi/?/mqtt
53 - 53 - 32 - callback - when the device is connecting
53 - 53 - 11 - in a private email message :)
53 - 1 - 65 - FRONT PANEL SN and CPU
53 - 1 - 64 - Frp - SN
53 - 1 - 5 - WIFI Ver
53 - 1 - 20 - reconnect
And many other interesting ones, not mentioned in the apk file sources, because device firmware exists, and in this firmware some options are implemented ONLY for internal use and absolutely not for the public and not for Ecoflow GUI developers :)
FINALLY.
1 - I have MY OWN mqtt SERVER.
2 - the device is connected to it, and thinks it's the corporate server.
3 - I have an mqtt client which is connected to the corporate server, but not as a user - as a real device.
4 - my client and server communicate with each other to monitor everything: what the corporate system does with the device and how.
subscribed:
/ota/module/inform/80/R331ZEB4ZEBFFFFF/reply
/ota/wifi/inform/80/R331ZEB4ZEBFFFFF/reply
/ota/wifi/upgrade/80/R331ZEB4ZEBFFFFF
/ota/wifi/progress/80/R331ZEB4ZEBFFFFF/reply
/ota/device/inform/80/R331ZEB4ZEBFFFFF/reply
/ota/device/upgrade/80/R331ZEB4ZEBFFFFF
/ota/device/progress/80/R331ZEB4ZEBFFFFF/reply
/sys/80/R331ZEB4ZEBFFFFF/thing/event/post_reply
/sys/80/R331ZEB4ZEBFFFFF/thing/property/set
/sys/80/R331ZEB4ZEBFFFFF/thing/property/get
/sys/80/R331ZEB4ZEBFFFFF/thing/battery/get
/sys/80/R331ZEB4ZEBFFFFF/thing/property/get@AtMostOnce
/sys/80/R331ZEB4ZEBFFFFF/thing/property/set@AtMostOnce
/sys/80/R331ZEB4ZEBFFFFF/thing/event/post_reply@AtMostOnce
/sys/80/R331ZEB4ZEBFFFFF/thing/battery/get@AtMostOnce
/ota/wifi/upgrade/80/R331ZEB4ZEBFFFFF@AtMostOnce
/ota/wifi/progress/80/R331ZEB4ZEBFFFFF/reply@AtMostOnce
/ota/device/upgrade/80/R331ZEB4ZEBFFFFF@AtMostOnce
/ota/device/progress/80/R331ZEB4ZEBFFFFF/reply@AtMostOnce
post topics:
/sys/80/R331ZEB4ZEBFFFFF/thing/property/post
/ota/wifi/inform/80/R331ZEB4ZEBFFFFF
/ota/device/inform/80/R331ZEB4ZEBFFFFF
/ota/module/inform/80/R331ZEB4ZEBFFFFF
commands like operateType: analysisExtSc/analysisIntSc/analysisVol etc... (do not exist in the app - only for the device) and many others.
1 - when the device connects to mqtt via the BLE command (connect to wifi), this command contains a path to the certificate (the same as for the user), but the path is https://api.ecoflow.com/iot-auth/device/certification. If you change this path in the command to your own (for example 192.168.2.33:8080/cert) and intercept this connection, you can see the request from the device:
?sn=R331ZEB4ZEBFFFFF&cpuId=360213503447303832155FFF&timeStamp=123132333&sign=Y7VJLGVhsQy_N3KKVngeOtPjG0BaH0AwTDiqEss44ds
2 - run this request against the corporate host and you receive json data like for a user, but somewhat different:
{"code":"0","data":{"clientId":"R331ZEB4ZEFFFFFF","password":"d23f87052c92489ea1cf43f1463fFFFF","port":"8883","productKey":"80","protocol":"mqtts","url":"mqtt.ecoflow.com","username":"device-eb3bb8586a874f9ab0f3755fc3FFFFFF"},"message":""}
These are the credentials for the mqtt server for the DEVICE (not for the user). And this operation is needed only once.
3 - Now you have 2 ways.
1 - just use mqtt with a connection to the corporate host, like a device
2 - replace the mqtt server and port in the request with your own, for example "url":"192.168.33.33" etc.
3 - the device remembers this, so this is not needed every time - just once.
4 - after this - the most interesting will begin
So. I am completely independent, I know everything that happens. I don't need the corporation, and it doesn't need to know what I have and how. I don't need the internet. I don't need authentication and verification. I wish you all the same :)
Very important! Don't use brute force to find interesting commands and modules. There is a command (without parameters) which simply, in the inverter, changes the voltage, and in an instant your capacitors (in the literal sense) explode. Yes - it looks like a self-destruct command :) It's funny, but whoever knows this command and just has a phone with bluetooth can really burn the device with one click. Someone else's device :) (module 4, commandset 13+)
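Here is how the raw advertisement above splits into standard BLE AD structures, as an added Python example (not code from this post or from Ecoflow): the bytes are the ones quoted above, and the offsets inside the two manufacturer-specific records follow notes a)-d) as an assumption, not a documented format.

```python
"""Parse the raw BLE advertisement quoted in the post above.

Added example, not code from the original post or from Ecoflow. The bytes
are copied from the post (31-byte advertisement followed by the 31-byte scan
response, as nRF Connect shows them). The layout inside the two
manufacturer-specific records follows the post's notes a)-d) and is an
assumption, not a documented format.
"""
from dataclasses import dataclass
from typing import Dict, List

# Standard AD types (Bluetooth Core Specification / GAP assigned numbers).
AD_FLAGS = 0x01
AD_COMPLETE_LOCAL_NAME = 0x09
AD_MANUFACTURER_SPECIFIC = 0xFF

# Advertisement + scan response exactly as quoted in the post.
RAW_ADV = bytes.fromhex(
    "020106"                                                    # flags
    "1BFF" "B5B512" "523333315A4542345A45424730FFFFFF" "63" "0020BC5F0193"
    "11FF" "C5C512" "360213503447FFFFFFFFFFFF" "5D"
    "0C09" "5233332D30343534" "00140D"                          # complete local name
)


@dataclass
class AdStructure:
    ad_type: int
    payload: bytes


def parse_ad_structures(data: bytes) -> List[AdStructure]:
    """Split advertising data into its (length, type, data) structures.

    A zero length marks padding and ends parsing. A length that runs past
    the buffer is rejected instead of being read as garbage.
    """
    structures: List[AdStructure] = []
    offset = 0
    while offset < len(data):
        length = data[offset]
        if length == 0:
            break
        end = offset + 1 + length
        if end > len(data):
            raise ValueError(
                f"AD structure at offset {offset} claims {length} bytes, "
                f"only {len(data) - offset - 1} remain"
            )
        structures.append(AdStructure(data[offset + 1], bytes(data[offset + 2:end])))
        offset = end
    return structures


def decode_ecoflow_adv(data: bytes) -> Dict[str, object]:
    """Recover the identifiers the post says the device broadcasts in the clear.

    Assumed record layout (from the post's notes): a 3-byte prefix, then
    - prefix 0xB5..: 16-byte serial number padded with 0xFF, one byte the
      post calls the battery level, then bytes the post does not explain;
    - prefix 0xC5..: 12-byte CPU id padded with 0xFF.
    Any scanner in range receives these without pairing, which is what the
    post's later "Around Security" note is about.
    """
    info: Dict[str, object] = {}
    for ad in parse_ad_structures(data):
        if ad.ad_type == AD_FLAGS and ad.payload:
            info["le_general_discoverable"] = bool(ad.payload[0] & 0x02)
            info["br_edr_not_supported"] = bool(ad.payload[0] & 0x04)
        elif ad.ad_type == AD_COMPLETE_LOCAL_NAME:
            # The name is NUL-terminated here; bytes after the NUL are ignored.
            info["short_name"] = ad.payload.split(b"\x00", 1)[0].decode("ascii")
        elif ad.ad_type == AD_MANUFACTURER_SPECIFIC and len(ad.payload) > 3:
            prefix, body = ad.payload[:3], ad.payload[3:]
            if prefix[0] == 0xB5 and len(body) >= 17:
                serial = body[:16].rstrip(b"\xff").decode("ascii")
                info["serial_number"] = serial
                # The post: the model is encoded in the first 2-3 characters of
                # the SN (the mapping itself is in an attachment, not on the page).
                info["model_prefix"] = serial[:3]
                info["battery_level"] = body[16]
                info["unexplained"] = body[17:].hex()
            elif prefix[0] == 0xC5 and len(body) >= 12:
                info["cpu_id"] = body[:12].hex().upper()
    return info


if __name__ == "__main__":
    for key, value in decode_ecoflow_adv(RAW_ADV).items():
        print(f"{key:24} {value}")
```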
Hi, very interesting what you've found out!
I have a few questions about the process:
- where do I change the mqtt server for my Delta 2? Is it in the app "nRF Connect"?
- what about the credentials of the mqtt server? How should this message look? {"code":"0","data":{"clientId":"R331ZEB4ZEFFFFFF","password":"d23f87052c92489ea1cf43f1463fFFFF","port":"8883","productKey":"80","protocol":"mqtts","url":"mqtt.ecoflow.com","username":"device-eb3bb8586a874f9ab0f3755fc3FFFFFF"},"message":""}
Hi.
1 - the app "nRF Connect" is ONLY for looking at the device and getting the RAW data (SN + CPU id etc.) - just for info.
2 - BLE commands (like the hassio commands for the open port) contain the command "connect to WiFi". In the mobile app, when you connect to a wi-fi network, you select the wifi, input the password... and... and the device connects to the Ecoflow mqtt server. So this command contains the wifi name, the wifi password and the certificate URL. If you change this url to your own... The most important thing of all - you need to be able to send commands to the device using Bluetooth. The hassio system works over the open port. BLE = the same. It does not matter - you need to be able to send commands to the device. If you can do this, you can replace the certification url with your own. If you can intercept the certification request, then you can replace the values in the answer. It sounds difficult, but it is done quite easily.
3 - By intercepting the certification request from the device, you perform a real request to the server. From the server you will receive a login and password for the device. But you can return to the device not entirely correct data. For example, changing the mqtt server to another one.
Impressive information you have found out! Reversing libnative is not too hard, just keep in mind that there are v2 and v3 packets and they differ a little. Also, the only useful thing you can get from there is the packet (Frame) structure and the basic xor obfuscation algo, which is already known.
I wonder how you can obtain the firmware and analyze possible internal and not-so-internal commands.
It is also pretty scary that there are such dangerous commands; it might be a good idea to somehow protect from those commands. In theory, Ecoflow can also issue that command via MQTT from the server and explode your device.
Interesting that the topics for user and device seem to differ completely. Very interesting find! It may be cool to bridge your MQTT to the Ecoflow server (if you want) and have both the reliability and control of your own server and the ability to use the EF Cloud GUI app for control and management.
Yes, I have already done all this and got it. (xor, obfuscation etc... em... no. Just a Chinese (not free) lib for data with a 7-byte header) :) and... PLEASE - don't talk to me in the language that's been put into your head. Have your own head. What you are given as a solution - always check. Do you really think that 7 bytes per message is normal? And do you really think that (oh gods - how smart you need to be) inverting is the meaning of the whole process? Seriously? )))))) XOR? )))) Really??? ))) Cool ))) Unbelievable! )))) It is really difficult to come to this with the data before and the data after.) "v2 and v3" - don't repeat without knowing what other people are saying. That's why I'm alone, but I don't talk nonsense.
"It may be cool to bridge your MQTT to Ecoflow server (if you want) and both have reliability and control of your own server" - All this has already been done for a long time - I wrote about it. And I don't even need the EF Cloud GUI - I see everything and control everything. When you have your own mqtt server, you no longer need the EF Cloud GUI :) At the same time, neither the device nor the Ecoflow server knows that they are being completely listened to :)
for investigation - device <--> my mqtt srv <--> my mqtt client with device account <--> ecoflow.mqtt
for me - device <--> my mqtt srv
In the list of topics to which the device itself is subscribed and uses, there is an update. The device first of all sends the firmware numbers of all its modules. The server returns whether they are the latest or not. There is a lot of work to investigate. There are many things that are still not clear. But there is something to deal with. That's why I gave this information. So that people would start doing something further, and not get stuck on what they have. BUT. BLE commands (some commands) are not duplicated in mqtt and for me are more interesting than mqtt. But the most interesting are the open ports that appear after sending the wifi shutdown command. But I don't have enough for that.
It also makes sense not to go such a long way and see how it turns out - &sign= for /iot-auth/device/certification may be the same as for the user, but something like this is needed for https://api.ecoflow.com/auth/login, using "scene": "IOT_DEVICE" instead of IOT_APP and using something else like SN&cpuId instead of email and password - I do not know. Or change "userType": "ECOFLOW" to something else.... This needs investigation. Wireshark did not display the post data. But this is all possible - but not interesting for me.
Now, the most important thing is that I don't post my sources - just because almost all of you use Python. Methods for dotnet are obviously not suitable for you; in my opinion, just the meaning is important. BUT - for intercepting the request I used the EmbedIO nuget, RestSharp for sending requests, and for mqtt client/server I used MQTTnet, and I have no idea what analogues for all this there are in Python - but definitely they exist :)
And I want to repeat, in fact, the most important thing among this heap of text. That over which I suffered for a whole month to understand. The truth turned out to be simple, but the price for it was paid in time. "!!! the MTU needs to be configured !!!" for BLE. Among all I have written - oddly enough - this is the most important thing. +100$ to repair burnt capacitors :))))
I do not know what this data means after sending BLE cmd 53 - 53 - 9:
01 00 00 00 02 00 00 00 00 01 02 03 04 05 06 00 0A 0A 0A 0A 00 54 00 00 AA AA AA AA
Guid? cert hash? or... I do not know.
53 - 53 - 71
53 - 53 - 26
53 - 53 - 3 - why no callback, or how to use it
53 - 53 - 1 - Bluetooth distribution network setting domain name
53 - 53 - 54 - for Delta Pro: len + String // iot password verification ????
and many others... I'm waiting for people with whom it will be possible to talk and who will already tell me where, how and why. I also have many questions. But so far I see only one thing - people are content with what they have.
Corporate mqtt server? Auth + online? - seriously? Does that make sense? I even admit that I am far from being a pioneer. They just don't talk about it so that the exploit is not closed. Or sell it for money. :)
For a very long time I just wanted to write a mobile application, not as dull as what we have. Where I can pull widgets onto the screen. Where I can view graphs of all values... similar to https://github.com/berezhinskiy/ecoflow_exporter (many thanks to this man! I brought out all the parameters, including from an additional battery, and watched how my device lives, how it breathes.) but in a mobile version. Where the display of data is implemented both through bluetooth and through mqtt, which stores data and has the ability to export this data to other systems. I have been quietly working on this. I don't need HomeAssistant. But now I'm just tired. Maybe someday I will see a decent mobile application that raises three services (BLE/IOT/MQTT), can change the MQTT SERVER!!! and contains its OWN, OFFLINE! etc.... but now I'm just tired.
Unbinding from the cloud MQTT server is pretty important because during periods of winter blackouts, first of all, the connection to those servers was unreliable, and sometimes even the server itself was offline for prolonged time periods, which caused instability in the collected metrics and alerts about blackouts. I had some development with a hardware ESP32 module that bridges bluetooth to local wifi and microservices that pull data and provide it to Prometheus, but BLE turned out to be unstable just as well as the MQTT cloud. Moreover, somehow, when the ESP32 module is used, sometimes the Delta 2 forgets its wifi credentials and fails to connect (when BLE is not used it worked for months without such an effect).
v2 and v3 - that's the result of my understanding that I obtained from analyzing the Android application and the native library first of all, not from someone else's code. But I have not encountered v3 packets in the wild, only v2, and they differ very slightly (2 extra bytes in the header).
About burnt capacitors, I hope that it would not start a fire, just stop working. Also, replacing the capacitors would not help; you need also to reset the voltage to correct values? I do not understand how that command does not accept some parameters; maybe if called without parameters it assumed some default (0x00 or 0xFF) or garbage from memory and changed to inadequate values?
And yes, I kind of agree that if you have full control it is more reliable - but you need time to make your own app, and I think you would not be able to upgrade firmware in that way.
And maybe that MTU thing is the source of the problems with my ESP32 module; now I process data in a stream and scan for valid structure packets, but maybe increasing the MTU will help too. Thanks!
1 - BLE cannot be unstable. Nothing is more stable. There is a delay, but stability. Stability is stable.
2 - increasing the MTU - you can send data, you can receive data. But data that does not fit into the size of one packet will either not be valid or, if commands are sent, will not be accepted. Think whatever - maybe it was intended - but for me it's just a deadline for the developers )))
3 - v2 and v3 - sorry. Yes, this is just "of my understanding", and sorry - imagine how much time I spent on all this, so as not to listen and look towards those who did the inversion of bytes :)
4 - I don't know how this command destroyed the capacitors. The system went through the commands for 2 days. And I'm very happy that I was at home. The specialist said that what happened could not have happened due to the human factor. Nothing is destroyed the way it is when people connect the outlet to water. Only capacitors - only when drawing a sinusoid. And this is a programming call. And this is clearly not a translation of the system from 60 hertz to 50 and 220 volts to 110. I don't know what it was. But I don't want to try again.
5 - "you would not be able to upgrade firmware in that way" - Well, of course, I cannot update the firmware. BUT - I can MYSELF indicate when I want to update it :) I repeat - there is a firmware update. There is a module update. These are different things. Everything is much more complicated than it seems.
6 - "bridges bluetooth to local wifi" - Prometheus is not guilty. Delays, instability, etc. - I experienced all this trash myself too. If you do not use the network. If you do not become attached to the corporate server. If you write your own bluetooth-mqtt server (although I asked Prometheus to adapt its functionality), everything will work without interruptions. AND - YES - MTU!!! Without this, you will receive incomplete packets. Without this, your commands to the device will be ignored. And only for one reason )))) yes - it's funny - but ...
Someone did not combine the received packets. More precisely - I did - but with errors ... and it's not me ))) Although - maybe there was a cunning plan in this ))) - which is unlikely )
Emm.. maybe this will help :) and sorry - this is not a Python solution :) but - there is no v1 v2 v3 etc... it does not exist... this is only a sample... AA-02 ... and yes ))) cool - super achievement - xor )))) I really hope that we will start talking at a different level - when all this is done. I really hope that nielsole will find time for a normal and understandable implementation in Python. Tell me how I can help - I will try to give everything that I have.
Simple GET. Without the sign and timestamp params it works too :), strange, insecure, but working. https://api.ecoflow.com/iot-auth/device/certification?sn=R331ZEB4ZEBFFFFFF&cpuId=3602135034473038321FFFFF
MQTT SNIFFER :) example (attachment): 192.168.0.105 - local ip.
1 - connect to the Ecoflow mqtt srv with device credentials - localdevcli.cs
1.1 started an mqtt client connected as a device to ecoflow.mqtt
1.2 listened on port 8088 to get posts from localdevsrv.cs (2)
2 - run the local mqtt srv - localdevsrv.cs
2.1 started an mqtt server on port 8883
2.2 listened on port 8089 to get posts from localdevcli.cs (1)
Run the BLE command to connect to WIFI + intercept the request + change the response (set mqtt srv 192.168.0.105), so:
1 - the device connects to localdevsrv.cs (2) and starts sending data.
2 - all sent data will be transferred to localdevcli.cs (1) and sent to ecoflow.mqtt
3 - all data from ecoflow.mqtt is transferred through localdevcli.cs (1) to localdevsrv.cs (2)
You will see all data, commands etc... this is all ONLY binding and periphery - it's secondary. You need to be able to send a command to connect to a Wi-Fi network. I gave everything necessary for this. Without it, all of this is meaningless. Attached src only for test. This all can be implemented in one scope (for mobile, Python, for ... all the same how and on what). For ordinary users, all this can be done automatically without even pressing a single button. But you need to be able to send commands. I ended up here because nielsole is the only person who became interested and described at least something for BLE. But... it seems to me that people have not realized the potential of all this yet. So, can you get the firmware? Yes. But this is not needed for me. After this exploit is closed... no problem: BLE data, ble-mqtt hub, etc. :) life.
Around Security.
1 - BLE is always ON - the stock program does not make it possible to disable this, but this is possible, and in this case the Wi-Fi part will work.
2 - BLE advert. The raw data contains the device SN and CPU ID - this is terrible - these are the two values that are needed to join the device to the Ecoflow MQTT server (as the device!). The "sign" param - if it does not exist in the request - is ignored! (unbelievable)
3 - the command for obtaining information on the connected Wi-Fi network contains the network name and password (unencrypted).
Having someone else's connected device - just by running bluetooth on my device - I can also make it my own and manage it - I know the login and password of the network to which it is connected. These are obvious miscalculations, which will definitely be corrected in new firmware versions. If you take away the ability to enter the certification URL in the command to connect the device (and this was initially stupidly done), then everything described above will cease to be relevant. But... what then remains. I think the bluetooth interface will remain. I mean it will be possible to make at least a BLE-APP hub. Which is also not bad. Although it would be correct to make the BLE commands authorized as well (I think someday they will do this too). Whoever is already worried about security - it is recommended to disable the BLE module (at least something). Know everything that the neighbor has (his password on the network), know all his data and how he manages the system. To be able to put out all his energy or just burn his devices. All you need is a mobile phone with bluetooth and a distance of 50 meters. It's better to visit once :)
An open and documented online/offline api with authorization. Software with a button "advanced" (rather than an iridescent green bar) - and everyone would be bored :)
jegres1709, you wrote a little incorrectly - you can change it not to local ... but to ANY managed MQTT server with TLS :) But no one will answer you now. All this is more serious, all this is more dangerous, this needs to be investigated. This will change and redefine the popularity of topics, and much of what people are already promoted on will become unnecessary. Just not needed.
The device sends data like /ota/module/inform/80/R331ZEBFFFFFFFFF
{ "id": 3541, "params": [{ "moduleAddr": 5, "moduleVersion": "5.1.0.166", "loaderVersion": "3.0.0.1" }, { "moduleAddr": 6, "moduleVersion": "2.11.2.4", "loaderVersion": "2.11.0.0" }, { "moduleAddr": 3, "moduleVersion": "2.11.2.4", "loaderVersion": "2.11.0.0" }, { "moduleAddr": 2, "moduleVersion": "1.2.1.25", "loaderVersion": "2.7.1.9" }] }
So the device sends to the server the current versions for each module (loader and firmware). The server decides whether to update the firmware or not. And sends a response. Well, now think about what you can do if all this can be changed. Are you sure that a simple person needs all this? In the end, you can simply send incorrect data to the server, or any data of yours, and use their server just for your own purposes. In general, not using their server is a huge loss, and they do not have all the information. I think you can also get money for showing this exploit :)
It would be nice to have precise instructions on how to change the mqtt server to be independent from Ecoflow and to prevent wifi reconnects with a fallback scenario. Other things are not very interesting for me.
We are already able to read all relevant data and to change the states of switches and some values.
So if you could share with us the needed hardware and software and also the steps on how to proceed, I would appreciate it very much!
Well, about the MTU, I did not care about it; in the ESP32 I appended all data to a ring buffer and another method was reading from it and parsing valid packets. Increasing the MTU might increase stability (since packets will get cut and lost much less often), and I have not yet tried issuing commands to the device, so I think I did not encounter that problem. About the instability - the ESP32 sometimes lost the connection to Ecoflow, sometimes very often - but that might be because of WiFi + BLE running simultaneously; I guess if I use an ESP32 with Ethernet (such as, for example, the ESP32-POE module) it will be way more stable.
"sign" param - if not exist in req - ignored! (unbelievable)
Omg, that's total BS!
Just for test. If in one network - mobile (android), pc (windows), ecoflow (delta2).
1 - on the pc run the mqtt server exe and click the Start btn.
2 - install the apk on the mobile (I do not write how to install an apk from third-party sources).
Run it. In the right part, if you see MySSID, MyIP, MQTT Server IP - all ok. Input the wifi password.
Click on the device item to connect through BLE. If connected - just click the SEND button at the top. 33-53-53-11 - this is the command to connect through wifi. But the app changes the certificate url, intercepts it, and replaces the mqtt url. So after this, on your PC you can see the connected device. And you can connect to this local server through other programs, subscribe or post any topics etc... like you work with the Ecoflow mqtt, but without credentials. For this local mqtt server you can connect using any name or password or client id.
If all ok - forget the mobile app. You can restart the Ecoflow, you can reopen the mqtt app on the computer... the device will try to connect to this (local) mqtt.
After you have played enough, and whether you like it or you don't like it - launch the branded application and connect to the network through it - everything will return as it was.
THIS IS ONLY FOR TEST. (programs are not completed and raw) test.zip
Thank you very much! It's amazing!
Now I only need to get my existing MQTT Mosquitto broker working. Somehow it couldn't appear in the mobile app, only the mqtt server created by you. Is there anything I have to configure on my broker to be available?
Stop. It's not for use at all. These are just old sketches. These two apps are SPECIALLY made to work together. Just for fun. In your case, you need the mobile application to redirect to your broker immediately OR (which is better) my broker sends everything mirrored to your broker through itself. Why is it better - because some requests from Ecoflow need to be answered; I doubt that your broker will be able to do this, or you need to write a script for it, so that when a certain request is received it definitely answers. If you look closely, occasionally Ecoflow sends its module versions. And it should send them only once, because it expects an answer - are they fresh or not, and if an update is needed. I didn't auto-reply. It was also planned to add an auto-connect in my broker to the real Ecoflow server. The mobile application is generally like a primitive example of working with bluetooth. No settings etc. I just wanted you to see it all with your own eyes and think about the perspectives. It's better than writing a bunch of text.
Sorry, you're speaking as a user (not a developer), and a lot of things are wrong, but that's not the point. You can just see with your own eyes that it works, and with this you can do anything, and many times cooler than with what everyone uses. Now we need a normal programmer who will do all this for a wide range of people, for different models, with open portable code, etc. I just showed and explained to the maximum how it all works. As you can see, I give any source code without question.
Okay, understood :) As you can see, I'm only a user and want to get rid of the original server. My problem is that I have reconnects and due to this I cannot set some of the values etc. in Home Assistant. (Ne0-Hack3r made it possible 4 months ago.) But the reconnects/disconnects started maybe 2 months ago and I'm pretty sure that Ecoflow did something on their mqtt servers. So I saw a chance here to change it to my already existing mqtt broker and everything would be running fine again, just on my own server. Anyway, thank you for demonstrating that it works in general; I will wait for development and have to deal with the reconnects!
"change it to my already existing mqtt broker": MQTT Mosquitto broker. I am not familiar with HA, Mosquitto etc. So. You have your own mqtt broker. Ok. Is this a local program? Do you know the IP and port? Or is it in the cloud, or does it have some address?
Can you connect to it through, as an example:
- 192.168.55.66:8883
- superpuper.mqtt:8883 (similar to "ecoflow.mqtt")
Does your broker support TLS auth? Can you manage it and allow any clients to connect to it? Is it working on port 8883? Or is it needed to add this as an option too?
If you can - then for test I can add an option to the mobile app so that before running the connect command you can input your own mqtt server name or ip (similar to the wifi pwd).
Yes, I have a Mosquitto broker running in Home Assistant in my local network, so I know the ip and port for sure, and it supports TLS auth and is working on port 8883. Is TLS mandatory or is any port like 1883 allowed? If it's not too much effort to add the option for the port change too... that would be very great if you could do it!
Only an ip or address WITHOUT port. We assume that the port is always 8883. By the way - if you enter the address of the branded Ecoflow server (mqtt.ecoflow.com), it will connect to it; if the field was empty, the ip address of the mqtt server for windows from the previous posts is used. Now this is only a TEST. You are just one minute late with the answer. Adding a port - it's 5 minutes of work. If you connect to your own broker, in any case I do not recommend using this as a ready-made solution. Your server needs to be able to answer that the firmware is the latest. I don't know if this can be done on your server, that is, to what extent it can be managed. Or a "system" client is needed that listens to the device and sends the answer.
For developers: the device posts info into the topic /ota/module/inform/80/R331ZEB4ZEBFFFFF -> { "id": 3541, "params": [{ "moduleAddr": 5, "moduleVersion": "5.1.0.166", "loaderVersion": "3.0.0.1" blah-blah. So the mqtt broker must send to the topic subscribed by the device the answer /ota/module/inform/80/R331ZEB4ZEBFFFFF/reply {"id": 3541 res: "ok"} - as an example - I just don't remember and there are no logs at hand. AND (I think it's so clear) - everything works with commands to the device as you do ... just the name of the topic is different: /sys/80/R331ZEB4ZEBFFFFF/thing/property/set. Just as clear: "80" is the product id.
And yes. "it's amazing!", but for 3 persons :)))
TLS. If this is a managed server, you can add TLS support, but allow all clients and skip certificate checks etc. In my broker I just set TLS, but return OK without checking certs, users etc. Without TLS at all, my broker gets errors when the device connects. Something is wrong in the transaction data. So. TLS must be set, but all checks must be ignored. I hope you can customize it.
And the main question. Why do you need to connect to some other mqtt broker? Leave this on windows. And you can work with it. Connect to it, post and listen to topics etc.
FOR ALL: you need to understand that using a connection to the corporate server, logging in there under the account of the program!, is just a useless program that is not designed for long-term use by itself. And each time raising a cry that the connection falls off, or the identifier needs to be changed, and so on - this is stupid. The most stable and the longest-lived connects like the device itself. This is what is designed for long-term work and what they cannot change quickly in one fell swoop. When this simple and understandable thought reaches the majority of people, then all this will be much more relevant.
--- please re-download the file BluetoothScannerNew.zip
that helps a lot! I managed to connect to my mqtt broker. Now I have to investigate the data to work with HA. Some of the switches (like enable/disable USB, AC, DC, etc.) are working already!
"Why you need connect to some other mqtt broker" : because I'm running a proxmox server with HomeAssistant 24/7 on a tiny machine and not on my main pc.
"And yes. "it´s amazing!", but for 3 persons :)))": I think with this thread/issue it will reach much more people, who will work on this :)
Pff.. so problem only with different system. Proxmox - linux. I used Library mqttnet https://github.com/dotnet/MQTTnet/discussions/1355 works on linux. Maybe in Python exist solution too. So - needed just write mqttserver with path through connection to real server (more adaptive) but portable for diff. platforms. Besides. if your mini computer is equipped with a bluetooth module. You don't even need a mobile phone app. libraries for working with ble are ported to any platform. All this can be done in one program with one click. Besides. All mqtt commands have analogue for BLE. Ble has more serious and interesting commands. Ideally, you can write a duplicate system. for some reason: one will fall off, another will work. put it all through a connection to a proprietary server and you will get a working and functional mobile program. (poor functionality, but even so). prospects for directions and developments - a lot. the main desire.
jegres1709, AND. I repeat. don't take it as a complete solution. the server MUST respond that the firmware does not need to be updated. without it - 1 - the device litters the air by constantly sending versions of its modules. 2 - my device disconnected after a while. probably believed that since the server does not respond to its requests, then something is wrong. We don't need instability here. but ... this is guesswork, or maybe an accident. In any case, there is a semi-solution, but there is a full-fledged solution.
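The "system" client mentioned above (a process beside the local broker that answers each OTA inform with "firmware is current") as an added example; this is not ipalchuk's code. It assumes the topic layout /ota/module/inform/<productId>/<SN> and the reply shape {"id": ..., "res": "ok"} exactly as sketched in the thread (the author said the exact reply was from memory), and assumes paho-mqtt for the broker connection; the broker host/port are placeholders.

```python
import json
import re

# Topic layout as described in the thread:
#   device publishes  /ota/module/inform/<productId>/<serialNumber>
#   reply goes to     /ota/module/inform/<productId>/<serialNumber>/reply
OTA_INFORM_RE = re.compile(r"^/ota/module/inform/(?P<pid>\d+)/(?P<sn>[A-Za-z0-9]+)$")


def build_ota_reply(topic, payload):
    """Return (reply_topic, reply_payload) for an OTA inform message, else None.

    The reply echoes the request "id" and says "ok" (assumed shape, per the thread),
    which is what tells the device its module versions need no update.
    """
    if not OTA_INFORM_RE.match(topic):
        return None  # not an inform topic (e.g. /sys/<pid>/<sn>/thing/property/set)
    try:
        msg = json.loads(payload)
    except ValueError:
        return None  # garbage or truncated payload: do not answer
    if not isinstance(msg, dict) or "id" not in msg:
        return None
    reply = {"id": msg["id"], "res": "ok"}
    return topic + "/reply", json.dumps(reply)


# Constructed sample, modelled on the inform message quoted in the thread.
SAMPLE_TOPIC = "/ota/module/inform/80/R331ZEB4ZEBFFFFF"
SAMPLE_PAYLOAD = b'{"id": 3541, "params": [{"moduleAddr": 5, "moduleVersion": "5.1.0.166"}]}'


def main(host="127.0.0.1", port=1883):  # placeholder broker address (assumption)
    import paho.mqtt.client as mqtt  # imported here so the helper above runs without it

    def on_message(client, userdata, message):
        result = build_ota_reply(message.topic, message.payload)
        if result is not None:
            client.publish(result[0], result[1])

    try:  # paho-mqtt >= 2.0 requires an explicit callback API version
        client = mqtt.Client(mqtt.CallbackAPIVersion.VERSION1)
    except AttributeError:  # paho-mqtt 1.x
        client = mqtt.Client()
    client.on_message = on_message
    client.connect(host, port)
    client.subscribe("/ota/module/inform/+/+")  # every product id and serial
    client.loop_forever()


if __name__ == "__main__":
    print(build_ota_reply(SAMPLE_TOPIC, SAMPLE_PAYLOAD))
    main()
```

Run it against the same local broker the device was pointed at; the device-side command topics (/sys/...) are untouched, only inform messages get an answer.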
Skydev0h MTU. skipping an incomplete package is wrong. you can still get data from it. to wait only for a full-fledged one is to skip more than half of the packets. correct mtu - all packages are full. and not "maybe" -that's for sure :) i uploaded source code.
For me: for windows and android - enough (what I know, I did it.) All this - in main - not a problem. I think I've done my part of the job.
So.. needed normal developer on Python :) Two is better. (BLE, MQTT) :))))
jegres1709 change mqtt port added + checkbox. unchecked - just simple normal connection without interception and changes broker etc.
To check stability. After Connect to your broker (or simple after connect), you can send command 33-53-53-51 - Disable bluetooth module. Wi-Fi will stay connected but BLE will be disabled. So - less consumption, much safer (if that bothers you at all). the device is not strained yet by sending a bunch of data via bluetooth. To turn it back on - you need to turn off and turn on the device.
Good luck. I don't work in this area anymore. If you need something from me (advice, consultation, source code) - contact me.
Thank you very much! I think you helped a lot already!
@ipalchuk
I loaded this on a Fire 8 Tablet (Amazon) and the app starts but then closes after a few seconds (no error displayed). I do not know if the Fire 8 is too old or is missing something that a normal android device would have. My mobile devices are iOS and this old Fire 8 is the only android device I have other than android emulators (BlueStacks on Win10) and, unfortunately, there is no BLE support in Android emulation...
I am not a developer but I am familiar with coding and scripting. Most of my scripting experience in recent years is PowerShell on Windows. I've never done any coding for BLE so I'm outside my knowledge on that. Like @jegres1709 my primary interest is configuring my EcoFlow devices to use my own local MQTT broker over WiFi and controlling everything using Home Assistant via MQTT.
I think the problem is in the android version, although it may be in the device itself. can do it under iOS (yes, can do it for everything), but I don’t do it. I do not regard this application as an application at all. This is an example. jegres1709 was able to run. he got it working. All. that's enough for me. let the rest be done by programmers who can do it in public, with a beautiful design, description, instructions, forums and other things that do not interest me. Sorry.
I tried it on an old Samsung Android Tablet I borrowed as well but it would not install so I think it does require a recent version of full Android on a device that is not outdated. If I understood a bit more about BLE and how to interface properly I might be able to create and share a PowerShell script for changing the MQTT configuration on the device...
and it would only be for windows devices with bluetooth. this is not line-by-line execution of commands. This program. which has functionality. you won't do it in PowerShell. C#, java, python etc, but not shell
It could be built in PowerShell cross platform with the appropriate module. But, as I said, I am not familiar with BLE communication or programming for it. I realize this would not be a robotic script but once the correct address for D2 is known (or can be programmatically obtained) it should just be a matter of connecting and sending the correct sequence to configure D2 to use local MQTT. The script could use a configuration file or even hard coded variables for the device and local MQTT server address/port (to provide an easy way to switch the device back to "local mode" as needed).
Obviously, the local MQTT server would need to be configured correctly but it appears those of us integrating with Home Assistant could use the local Mosquitto broker for the local MQTT and configure everything else using YAML for MQTT sensors in HA. We just need an easy way to point the device to Mosquitto broker without having to learn and program for BLE...
@ipalchuk
I was able to install Bluetooth LE Explorer on a NUC with windows 10 and connect to the D2 over BLE...
I can see data continually changing on one of the characteristics:

I can also write data to the other characteristic:

But I'm not certain what to send. Do I send a command in HEX followed by the parameters for MQTT IP/Port in UTF8? Does everything need to be converted to HEX and sent in a single write? This is where my understanding of BLE is limited...
what does the android program do: 1 - increases mtu (read the beginning of the topic) without this, commands that do not fit into one package will not be accepted. and the necessary command just does not fit. 2 - sends a command to the connection in which it changes the url of the certificate (read the beginning of the topic) TO YOUR OWN one, which is listening! (For interception!) 2.1 command is a set of bytes - there is a data structure, it is described. there is a header, command, checksum, data. yes - the text is transmitted as utf8 bytes. there is a description of how to count two types of checksums. Do you collect all this with a script too? 3 - INTERCEPTS! request. (what script are you going to do it with???) a script that will raise the local site? 4 - sends the request to a real server to get a real answer. 5 - replaces the mqtt server in the response and sends it to the device. With apparent simplicity for the user, everything is not at all simple. Ble, commands, connection etc... please read the main topic, review code etc.. https://github.com/nielsole/ecoflow-bt-reverse-engineering/blob/master/experimental/main.py
I in this topic proceed from the fact that the person already knows all this. here, so not everything is simple, so as not to interfere with elementary explanations here. Behind all this, the essence and meaning is lost.
Yes, you can send command in single write in hex .. this is usb off: aa 02 01 00 a0 0d 00 00 00 00 00 00 21 02 20 22 00 d7 46. A dynamically changing characteristic is just a stream of data about itself, parameters, etc., that the device gives.
So? me to describe the structure, basic principles, logic, calculation with explanations of what each byte means, why this way and not otherwise .. ? Can I explain why you can not cross out anything on your screenshots, since these are common basic interfaces and just a data set that does not contain anything personal? are you sure that this topic (not for every programmer) should also contain similar explanations? Mmmm....
Needed normal Python or Java developer, and all will be done cross-platform, etc. or people find it difficult or not interesting :)
@ipalchuk Thank you for added explanations. I redacted certain numbers in the screen shots as I did not know what may or may not be personal (still learning about all of this).
If I am understanding correctly, part of the process is to setup a web server that will answer the HTTP query for MQTT by pointing to the URL/port of my local MQTT server and what is being sent over BLE is a command pointing to the URL of that local HTTP server (intercept). Is that correct? If so that may be part of what I was not understanding in the sequence.