ecoflow-bt-reverse-engineering

Ecoflow BLE - for all Devices, not only for Delta 2 :)

Open ipalchuk opened this issue 1 year ago • 133 comments

Hi all :) Yes, BLE is the right way.

- Hassio - stuck on open port 8055
- v1ckxy - stuck on declaring the basic principles of working offline
- tolwi - implements only the user (corporate) MQTT

BUT there are much more interesting solutions: absolute independence of the device from the corporation and from the presence of the Internet, with support for a much wider range of devices, and using the DEVICE MQTT (a LOCAL MQTT server :)) ). So, let's start.

Please install the mobile app nRF Connect. Find and connect to the device. Look at the RAW BLE header.

0 - RAW - `(topic,length)data(topic,length)data(topic,length)data...`

```
02-01-06 1B-FF-B5-B5-12 52-33-33-31-5A-45-42-34-5A-45-42-47-30-FF-FF-FF 63-00-20-BC-5F-01-93 11-FF-C5-C5-12 36-02-13-50-34-47-FF-FF-FF-FF-FF-FF 5D-0C-09 52-33-33-2D-30-34-35-34-00- 14-0D
```

a) Device SN - `52-33-33-31-5A-45-42-34-5A-45-42-47-30-FF-FF-FF` (UTF-8)
b) battery level - `63` and some other data
c) `36-02-13-50-34-47-FF-FF-FF-FF-FF-FF` - CPU ID
d) `52-33-33-2D-30-34-35-34` - short name of the device (UTF-8)

1 - install JADX (dex to java) and decompile the `*.dex` files in ecoflow.apk (look in the `com/ecoflow` folder)
2 - If you're not normal at all - IDA (not free) or Ghidra Software Reverse Engineering Framework (free) to disassemble the base packet engine placed in `\lib\arm64-v8a\libnative-lib.so` in the apk file

So, let's focus on the first option. Examine the files and you will get a list of many commands, like for mqtt, iot, ble - for ALL the different devices. Everything else is correct. But this is not enough.

1 - the device model is determined by the first two or three bytes of the serial number (attachment).
2 - to send commands and to receive (full) data it is MANDATORY to configure the MTU (Maximum Transmission Unit); 136 for a start will be enough (for DELTA 2). The Chinese programmers didn't properly implement packet merging :)
3 - the number of commands is not limited to those described and implemented by hassio.

So, for a start I recommend doing the module with number 53 (decimal) (the BLE/WiFi module):

- 53 - 53 - 0 : Reconnect to MQTT
- 53 - 53 - 5 : (0/1) enable/disable the WiFi module. And yes, this opens some interesting ports on the device:

```
PORT      STATE    SERVICE     VERSION
340/tcp   filtered unknown
1062/tcp  filtered veracity
1216/tcp  filtered etebac5
1600/tcp  filtered issd
2030/tcp  filtered device2
3333/tcp  filtered dec-notes
4006/tcp  filtered pxc-spvr
5051/tcp  filtered ida-agent
5432/tcp  filtered postgresql
6543/tcp  filtered mythtv
9968/tcp  filtered unknown
10002/tcp filtered documentum
10617/tcp filtered unknown
50000/tcp filtered ibm-db2
52869/tcp filtered unknown
```

- 53 - 53 - 8 - WiFi networks - `(id)(name length)(name)... (id)(name length)(name)...`
- 53 - 53 - 4 - WiFi connection - MAC/IP/WiFi name (32 bytes)/password (32 bytes)
- 53 - 53 - 10 - (0/1) connect/disconnect the MQTT connection
- 53 - 53 - 51 - disable the BLE module. Restart the device manually to enable BLE
- 53 - 53 - 52 - BLE RAW data - COD (class of device)/MAC/MAC?/RAW
- 53 - 53 - 112 - isEnabled - wifi/?/mqtt
- 53 - 53 - 32 - callback - when the device is connecting
- 53 - 53 - 11 - in a private email message :)

- 53 - 1 - 65 - FRONT PANEL SN and CPU
- 53 - 1 - 64 - Frp - SN
- 53 - 1 - 5 - WiFi version
- 53 - 1 - 20 - reconnect

And many other interesting ones, not mentioned in the apk sources, because there is the device firmware, and in this firmware some options are implemented ONLY for internal use and absolutely not for the public and not for the EcoFlow GUI developers :)

FINALLY.
1 - I have MY OWN MQTT SERVER.
2 - The device is connected to it and thinks it's the corporate server.
3 - I have an MQTT client which is connected to the corporate server, but not as a user - as a real device.
4 - My client and server communicate with each other to monitor everything that the corporate system does with the device, and how.

subscribed:

```
/ota/module/inform/80/R331ZEB4ZEBFFFFF/reply
/ota/wifi/inform/80/R331ZEB4ZEBFFFFF/reply
/ota/wifi/upgrade/80/R331ZEB4ZEBFFFFF
/ota/wifi/progress/80/R331ZEB4ZEBFFFFF/reply
/ota/device/inform/80/R331ZEB4ZEBFFFFF/reply
/ota/device/upgrade/80/R331ZEB4ZEBFFFFF
/ota/device/progress/80/R331ZEB4ZEBFFFFF/reply
/sys/80/R331ZEB4ZEBFFFFF/thing/event/post_reply
/sys/80/R331ZEB4ZEBFFFFF/thing/property/set
/sys/80/R331ZEB4ZEBFFFFF/thing/property/get
/sys/80/R331ZEB4ZEBFFFFF/thing/battery/get
```

```
/sys/80/R331ZEB4ZEBFFFFF/thing/property/get@AtMostOnce
/sys/80/R331ZEB4ZEBFFFFF/thing/property/set@AtMostOnce
/sys/80/R331ZEB4ZEBFFFFF/thing/event/post_reply@AtMostOnce
/sys/80/R331ZEB4ZEBFFFFF/thing/battery/get@AtMostOnce
/ota/wifi/upgrade/80/R331ZEB4ZEBFFFFF@AtMostOnce
/ota/wifi/progress/80/R331ZEB4ZEBFFFFF/reply@AtMostOnce
/ota/device/upgrade/80/R331ZEB4ZEBFFFFF@AtMostOnce
/ota/device/progress/80/R331ZEB4ZEBFFFFF/reply@AtMostOnce
```

post topics:

```
/sys/80/R331ZEB4ZEBFFFFF/thing/property/post
/ota/wifi/inform/80/R331ZEB4ZEBFFFFF
/ota/device/inform/80/R331ZEB4ZEBFFFFF
/ota/module/inform/80/R331ZEB4ZEBFFFFF
```

Commands like operateType: analysisExtSc/analysisIntSc/analysisVol etc... (do not exist in the app - only for the device) and many others.

1 - When the device connects to MQTT via the BLE command (connect to WiFi), this command contains the path to the certificate (the same as for the user), but the path is https://api.ecoflow.com/iot-auth/device/certification. If you change this path in the command to your own (for example `192.168.2.33:8080/cert`) and intercept this connection, you can see the request from the device:

```
?sn=R331ZEB4ZEBFFFFF&cpuId=360213503447303832155FFF&timeStamp=123132333"&sign=Y7VJLGVhsQy_N3KKVngeOtPjG0BaH0AwTDiqEss44ds
```

2 - Run this request against the corporate host and you receive JSON data like for the user, but somewhat different:

```json
{
  "code": "0",
  "data": {
    "clientId": "R331ZEB4ZEFFFFFF",
    "password": "d23f87052c92489ea1cf43f1463fFFFF",
    "port": "8883",
    "productKey": "80",
    "protocol": "mqtts",
    "url": "mqtt.ecoflow.com",
    "username": "device-eb3bb8586a874f9ab0f3755fc3FFFFFF"
  },
  "message": ""
}
```

These are the credentials for the MQTT server for the DEVICE (not for the user). And this operation is needed only once.

3 - Now you have 2 ways:
  1 - just use MQTT, connecting to the corporate host as the device
  2 - replace the MQTT server and port in the request with your own, for example `"url":"192.168.33.33"` etc.
  3 - the device remembers this and does not need to do it every time - just once.
  4 - after this the most interesting part begins.


So, I am completely independent; I know everything that happens. I don't need the corporation, and it doesn't need to know what I have and how. I don't need the Internet. I don't need authentication and verification. I wish you all the same :)

Very important! Don't use brute force to find interesting commands and modules. There is a command (without parameters) which simply changes the voltage in the inverter, and in an instant your capacitors (in the literal sense) explode. Yes, it looks like a self-destruct command :) It's funny, but whoever knows this command and just has a phone with Bluetooth can really burn the device with one click. Someone else's device :) (module 4 ..command set 13+)

Assets.zip

ipalchuk avatar Mar 24 '23 18:03 ipalchuk
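The advertisement dump in the post above is standard BLE AD-structure data, `(length)(type)(data)`, and it is worth decoding it programmatically rather than by eye. The following Python is an added example, not code from the post or from the ecoflow-bt-reverse-engineering project. It copies the post's bytes unchanged (only regrouped by whitespace), and applies the post's own annotations: the 16-byte 0xFF-padded serial number, the battery byte after it, the CPU id, and the short device name. Reading the length bytes shows the dump is two 31-byte blocks (advertising data plus scan response, which nRF Connect shows concatenated) and that the `5D` is the last byte of the second manufacturer record, not a header. The 0xB5B5/0xC5C5 record labels, the 12-byte CPU id width (taken from the 24-hex-char cpuId in the certificate request the post quotes), and the treatment of the 0x12 byte as opaque are this example's assumptions; everything the post does not annotate is kept as raw bytes.

```python
"""Decode the raw BLE advertisement quoted in the post (added example).

Not code from the post or the project. Parses standard BLE AD structures,
(length)(type)(data...), then applies the post's field annotations to the two
manufacturer-specific records and the complete local name.
"""
from __future__ import annotations

from dataclasses import dataclass

# Bytes from the post, regrouped by whitespace only (constructed input for this
# example). Total is 62 bytes = 31 (advertising data) + 31 (scan response).
RAW_ADV = bytes.fromhex(
    "02 01 06 "
    "1B FF B5 B5 12 52 33 33 31 5A 45 42 34 5A 45 42 47 30 FF FF FF 63 00 20 BC 5F 01 93 "
    "11 FF C5 C5 12 36 02 13 50 34 47 FF FF FF FF FF FF 5D "
    "0C 09 52 33 33 2D 30 34 35 34 00 14 0D"
)

AD_FLAGS = 0x01
AD_COMPLETE_LOCAL_NAME = 0x09
AD_MANUFACTURER_SPECIFIC = 0xFF

# Leading 16-bit ids of the two manufacturer records (little-endian on the air).
# They are not registered Bluetooth SIG company ids; these names are assumptions
# of this example, chosen from what the post says each record carries.
MFR_DEVICE_INFO = 0xB5B5   # SN + battery byte
MFR_CPU_INFO = 0xC5C5      # CPU id


def parse_ad_structures(raw: bytes) -> list[tuple[int, bytes]]:
    """Split advertising bytes into (ad_type, data) pairs.

    Stops at a zero length byte (trailing padding) and refuses a structure whose
    declared length overruns the buffer, so a truncated or hostile advert cannot
    make the decoder read garbage as a field.
    """
    structures: list[tuple[int, bytes]] = []
    i = 0
    while i < len(raw):
        length = raw[i]
        if length == 0:
            break
        end = i + 1 + length
        if end > len(raw):
            raise ValueError(f"AD structure at offset {i} overruns buffer")
        structures.append((raw[i + 1], raw[i + 2:end]))
        i = end
    return structures


def _padded_str(data: bytes) -> str:
    """Decode a field that is NUL-terminated and/or 0xFF-padded."""
    return data.split(b"\x00", 1)[0].rstrip(b"\xff").decode("utf-8", "replace")


@dataclass
class EcoflowAdvert:
    flags: int | None = None
    local_name: str | None = None
    serial: str | None = None
    model_prefix: str | None = None   # post: model = first 2-3 bytes of the SN
    battery_pct: int | None = None
    cpu_id: bytes | None = None
    unknown_after_battery: bytes = b""  # post: "and some other data"
    unknown_after_cpu: bytes = b""


def decode_ecoflow(raw: bytes) -> EcoflowAdvert:
    adv = EcoflowAdvert()
    for ad_type, data in parse_ad_structures(raw):
        if ad_type == AD_FLAGS and data:
            adv.flags = data[0]
        elif ad_type == AD_COMPLETE_LOCAL_NAME:
            adv.local_name = _padded_str(data)
        elif ad_type == AD_MANUFACTURER_SPECIFIC and len(data) >= 3:
            company = int.from_bytes(data[:2], "little")
            payload = data[3:]   # data[2] (0x12 in the dump) is not explained by the post
            if company == MFR_DEVICE_INFO:
                adv.serial = _padded_str(payload[:16])   # 16-byte SN field, 0xFF padded
                adv.model_prefix = adv.serial[:3]
                if len(payload) > 16:
                    adv.battery_pct = payload[16]        # post: "battery level - 63"
                    adv.unknown_after_battery = payload[17:]
            elif company == MFR_CPU_INFO:
                # Assumed 12-byte cpuId (24 hex chars in the certificate request).
                adv.cpu_id = payload[:12]
                adv.unknown_after_cpu = payload[12:]
    return adv


if __name__ == "__main__":
    for ad_type, data in parse_ad_structures(RAW_ADV):
        print(f"type 0x{ad_type:02X} len {len(data):2d}: {data.hex(' ').upper()}")
    print(decode_ecoflow(RAW_ADV))
```

Running it on the post's bytes yields four structures (flags, two manufacturer records, local name), serial `R331ZEB4ZEBG0` with model prefix `R33`, battery byte 0x63 (99), CPU id `360213503447FFFFFFFFFFFF`, and name `R33-0454`. The overrun check matters in practice: a scanner that trusts the length byte of an untrusted advertisement is the classic place to read past a buffer.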