bosch-xmpp
new pro control app info
The Nefit pro control app recently started to show a graph for used KWH and generated KWH for my heatpump. Does this mean the endpoint for KWH consumption can now be found through sniffing the app traffic or analysing the APK for this app?
I have been looking a long time how to implement the KWH consumption data in my own php dashboard...
I think you'll have the best chance of finding out the endpoints by analysing the APK, sniffing XMPP traffic has been made quite difficult lately (you'll need an XMPP proxy to begin with, but I believe that the apps started using TLS pinning so MITM is out of the question).
Thank you Robert, I already had the APK open in Android Studio but no clue where to begin. Any suggestions where or how I can find the endpoints in the APK?
Thank you,
Marc
From: Robert Klep [email protected] Sent: Sunday 17 January 2021 19:37 To: robertklep/bosch-xmpp [email protected] CC: Marc Van Riesen [email protected]; Author [email protected] Subject: Re: [robertklep/bosch-xmpp] new pro control app info (#12)
I think you'll have the best chance of finding out the endpoints by analysing the APK, sniffing XMPP traffic has been made quite difficult lately (you'll need an XMPP proxy to begin with, but I believe that the apps started using TLS pinning so MITM is out of the question).
You need to decompile the classes.dex file inside the APK file, and/or look for known endpoints (for instance, the substring /dhwCircuits/ is a good one to start with) inside the files contained in the APK.
Done but I cannot find the endpoints that are definitely working. For example
bosch-xmpp --serial=--access-key=-password=*** ivt get /system/appliance/actualSupplyTemperature
gives
{"id":"/system/appliance/actualSupplyTemperature","type":"floatValue","writeable ":0,"recordable":0,"value":38,"unitOfMeasure":"C","state":[{"open":-3276.8},{"sh
So I would expect a search result for "actualSupplyTemperature" (also available in the app) but no result from the classes.dex...
Nefit ProControl_v3.8.1_apkpure.com.zip
Any ideas?
Thank you, Marc
Have you looked at the .dump file in assets/demo/? There are a few endpoints mentioned there that return values in kWh.
I decompiled classes.dex with jadx and found plenty of references to "actualSupplyTemperature":
$ grep -ir 'SupplyTemperature' .
./sources/p075d/p081b/p082a/p083a/p104e/p107c/p108c/p109k/p110c/C2900f.java: alternativeHomeFloorPage.f10492g0.getSupplyTemperature(heatingCircuit, alternativeHomeFloorPage.mo14727A(), new C2901g(alternativeHomeFloorPage, heatingCircuit, this.f7988b));
./sources/com/bosch/p072tt/icomdata/path/PathComponents.java: public static final String PATH_ACTUAL_SUPPLY_TEMPERATURE = "actualSupplyTemperature";
./sources/com/bosch/p072tt/icomdata/path/PathComponents.java: public static final String PATH_SUPPLY_TEMPERATURE_SETPOINT = "supplyTemperatureSetpoint";
./sources/com/bosch/p072tt/icomdata/block/HeatingCircuit.java: public FloatValue getActualSupplyTemperature() {
./sources/com/bosch/p072tt/icomdata/block/HeatingCircuit.java: public FloatValue getSupplyTemperatureSetpoint() {
./sources/com/bosch/p072tt/icomdata/block/HeatingCircuit.java: public void setActualSupplyTemperature(FloatValue floatValue) {
./sources/com/bosch/p072tt/icomdata/block/HeatingCircuit.java: public void setSupplyTemperatureSetpoint(FloatValue floatValue) {
./sources/com/bosch/p070de/p071tt/heathub/mvc/info/InfoModel.java: arrayList.add(new InfoRequest(pathID.getLastComponent(), RequestService.createActualSupplyTemperaturePath(pathID.getLastComponent()), TemplateType.FLOAT_VALUE, Interval.TEMPERATURE));
./sources/com/bosch/p070de/p071tt/heathub/mvc/info/InfoModel.java: arrayList.add(new InfoRequest(pathID.getLastComponent(), RequestService.createSupplyTemperatureSetpointPath(pathID.getLastComponent()), TemplateType.FLOAT_VALUE, Interval.TEMPERATURE));
./sources/com/bosch/p070de/p071tt/heathub/mvc/info/InfoModel.java: arrayList.add(new InfoRequest("general", RequestService.createApplianceActualSupplyTemperaturePath(), TemplateType.FLOAT_VALUE, Interval.TEMPERATURE));
./sources/com/bosch/p070de/p071tt/heathub/mvc/alternativehome/floorcontrol/view/model/AlternativeHomeFloorModelMapper.java: str3 = context.getString(C0638R.string.sensor_actualSupplyTemperature);
./sources/com/bosch/p070de/p071tt/heathub/RequestService.java: public static Path createActualSupplyTemperaturePath(String str) {
./sources/com/bosch/p070de/p071tt/heathub/RequestService.java: public static Path createApplianceActualSupplyTemperaturePath() {
./sources/com/bosch/p070de/p071tt/heathub/RequestService.java: public static Path createSupplyTemperatureSetpointPath(String str) {
./sources/com/bosch/p070de/p071tt/heathub/C0638R.java: public static final int info_actualsupplytemperature = 2131624546;
./sources/com/bosch/p070de/p071tt/heathub/C0638R.java: public static final int info_supplytemperaturesetpoint = 2131624571;
./sources/com/bosch/p070de/p071tt/heathub/C0638R.java: public static final int sensor_actualSupplyTemperature = 2131624737;
./sources/com/bosch/p070de/p071tt/heathub/service/coreresource/CoreResourceManagerService.java: public void getSupplyTemperature(HeatingCircuit heatingCircuit, String str, Callback<Measurement> callback) {
./sources/com/bosch/p070de/p071tt/heathub/service/coreresource/CoreResourceManagerService.java: this.f7727a.getSupplyTemperature(heatingCircuit, str, new C4775y0(callback));
./sources/com/bosch/p070de/p071tt/heathub/service/comprovider/ComProviderRequestService.java: public void getSupplyTemperature(HeatingCircuit heatingCircuit, String str, Callback<Measurement> callback) {
./sources/com/bosch/p070de/p071tt/heathub/service/comprovider/ComProviderPaths.java: public static final String PATH_CAN_SUPPLY_TEMPERATURE = "/heatingCircuits/%s/supplyTemperatureSetpoint";
./sources/com/bosch/p070de/p071tt/heathub/service/comprovider/ComProviderPaths.java: public static final String PATH_EMS_SUPPLY_TEMPERATURE = "/heatingCircuits/%s/actualSupplyTemperature";
./sources/com/bosch/p070de/p071tt/heathub/service/ResourceManagerService.java: void getSupplyTemperature(HeatingCircuit heatingCircuit, String str, Callback<Measurement> callback);
./sources/com/bosch/p070de/p071tt/heathub/service/RequestService.java: void getSupplyTemperature(HeatingCircuit heatingCircuit, String str, Callback<Measurement> callback);
Thank you Robert, I have found this demo and indeed the endpoints but:
- A lot of endpoints do not give a result (especially the history ones) but a 404 not found error, which I can understand. I imagine not all systems (gas heater or heat pump) have the same endpoints.
- Is there any way to trace back in the APK to which endpoint the request from the app for "Historie" is directed? See lower part of the screenshot.
Thank you again for your help!
Marc
A quick look doesn't yield any endpoints for that type of data. The app can't be decompiled entirely and is partly obfuscated, so perhaps it's because of that.
I think you guys are taking the wrong approach here, there is no need to decompile any app in order to discover all available endpoints.
What I would do is to use the built-in discovery. Once the appliance is connected (no matter what appliance) and you have a successful setup for connecting with this client, all you need to do is query the base endpoints like /system, /heatSources, etc.
For example, bosch-xmpp ... get /system will return something like this:
{"id":"/system","type":"refEnum","references":[{"id":"/system/appliance"},{"id":"/system/autoAway"},{"id":"/system/awayMode"},{"id":"/system/brand"},{"id":"/system/fireplace"},{"id":"/system/hydraulicBalancing"},{"id":"/system/info"},{"id":"/system/interfaces"},{"id":"/system/location"},{"id":"/system/sensors"}]}
The references node contains all available endpoints for the base node for your home, the list can be different for another home. Each of the endpoints can return some readings, or even have more endpoints nested.
Since your home is different, there is no fixed list of endpoints besides the base nodes; you have to query those in order to discover what is available for you. For example, you can use /devices to get references related to all of the connected devices like heat sources, thermostat valves, etc., then query the refs /devices/dev1, /devices/dev2, or get a simple list with /devices/list.
Keep in mind that some of the base endpoints will give you 404. I don't have solar elements and /solarCircuit gives me 404.
What I am trying to tell you is that whatever you discover by decompiling those apps may not even be applicable to your house setup. The only valid endpoints for your particular setup are those that you can get by querying the base endpoints.
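The discovery walk described in the comment above, as an added example that is not part of the thread or of bosch-xmpp itself: it follows refEnum references from the base nodes, records 404s, and lists each leaf with its writeable flag so you can see which endpoints your appliance exposes for writing. The `get` function, `discover`, `sampleGet` and the sample tree are assumptions made for illustration; the response shapes are modelled on the JSON quoted in this thread.

```javascript
// Added example: walk the endpoint tree by following "refEnum" references.
// `get` is a hypothetical async function (path) => parsed JSON response; it
// must throw an error with `status === 404` for endpoints the device lacks.
async function discover(get, roots) {
  const seen = new Set();
  const leaves = [];   // endpoints that returned a value
  const missing = [];  // endpoints that answered 404
  const queue = [...roots];
  while (queue.length > 0) {
    const path = queue.shift();
    if (seen.has(path)) continue; // guard against reference loops
    seen.add(path);
    let res;
    try {
      res = await get(path);
    } catch (err) {
      if (err.status === 404) { missing.push(path); continue; }
      throw err; // anything else is a real failure, surface it
    }
    if (res.type === 'refEnum' && Array.isArray(res.references)) {
      for (const ref of res.references) queue.push(ref.id);
    } else {
      leaves.push({ id: res.id, type: res.type, writeable: res.writeable === 1 });
    }
  }
  return { leaves, missing };
}

// Constructed sample tree, shaped like the responses quoted in this thread.
const SAMPLE = {
  '/system': { id: '/system', type: 'refEnum', references: [
    { id: '/system/appliance' }, { id: '/system/brand' }, { id: '/system/sensors' }] },
  '/system/appliance': { id: '/system/appliance', type: 'refEnum', references: [
    { id: '/system/appliance/actualSupplyTemperature' }, { id: '/system' }] },
  '/system/appliance/actualSupplyTemperature': { id: '/system/appliance/actualSupplyTemperature',
    type: 'floatValue', writeable: 0, recordable: 0, value: 38, unitOfMeasure: 'C' },
  '/system/brand': { id: '/system/brand', type: 'stringValue', writeable: 0, value: 'constructed' },
};

// Stand-in for the real client call; unknown paths answer 404.
async function sampleGet(path) {
  if (!(path in SAMPLE)) throw Object.assign(new Error('not found'), { status: 404 });
  return SAMPLE[path];
}

discover(sampleGet, ['/system', '/solarCircuit']).then(({ leaves, missing }) => {
  for (const l of leaves) console.log(l.id, l.type, l.writeable ? 'writeable' : 'read-only');
  console.log('404:', missing.join(', '));
});
```

To run it against a real appliance, replace `sampleGet` with a wrapper around whatever client call you already use to fetch a path.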
@Bulforce not all Bosch/Nefit devices support autodiscovery of endpoints.
ok, noted that. I think all devices will support it at some point.