Gentoo Forums
Reverse engineering smoke alarm
joanandk
Apprentice
Joined: 12 Feb 2017
Posts: 169

Posted: Thu Dec 02, 2021 2:58 pm    Post subject: Reverse engineering smoke alarm

Hi,

I have a Chinese smoke detector kit with 5 smoke detectors and a gateway (866MHz -> WiFi). The gateway is only usable with the proprietary cloud solution. As I have a DNS and HTTP server, I was playing with the thought of faking the cloud to the gateway.

I just need to know what commands and answers are sent between the WiFi and cloud. I have seen that the communication is done via HTTPS. So using Wireshark, I did not get very far. An admin told me it is possible that these devices do not check the certificate, so I could put up my own HTTPS server and sniff the communication.

Question: Are there any scripts which would log the communication? Or do I have to set up an Apache server and write a PHP script which logs the communication?

Thanks and BR
PS: The gateway is a Siterwell GS198.
turtles
Veteran
Joined: 31 Dec 2004
Posts: 1657

Posted: Sun Dec 05, 2021 3:18 am    Post subject: Re: Reverse engineering smoke alarm

joanandk wrote:
Hi,
and a gateway (866MHz -> WiFi)

I'd open up the gateway and see if some I2C, SPI or UART could be intercepted off the chip that does the 866MHz modem.
_________________
Donate to Gentoo
molletts
Tux's lil' helper
Joined: 16 Feb 2013
Posts: 119

Posted: Sun Dec 05, 2021 9:15 pm

You could look at installing Squid in transparent HTTPS interception ("SSL bump") mode. It's some years since I last set it up (I think it was about 2012, actually!) but I don't recall it being too difficult. There are quite a few sets of instructions online for how to do it. As long as the device doesn't check the certificate that's returned when it connects to the cloud service, you will be able to see its traffic. You should be able to give Wireshark a copy of the fake certificate that Squid issued to the device, which will allow it to decrypt the stream.
szatox
Advocate
Joined: 27 Aug 2013
Posts: 3137

Posted: Sun Dec 05, 2021 9:58 pm

Quote:
Question: Are there any scripts which would log the communication? Or do I have to set up an Apache server and write a PHP script which logs the communication?
mitmproxy
You will probably want to run it non-interactively (mitmdump) and increase the output verbosity level.
If you want to modify the traffic, Python addons can do that, and there are many, many simple examples on the project's website.
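Added example, not part of szatox's post and not code from the mitmproxy project: a small mitmdump addon that answers the logging question by writing each request/response pair between the gateway and the cloud as one JSON line. The file name gateway_traffic.jsonl, the record layout and the helper names are assumptions of this example; save it as log_gateway.py and load it with mitmdump -s log_gateway.py.

```python
# Added example: mitmproxy addon that logs intercepted HTTP(S) flows.
# LOG_PATH, the record layout and the helper names are assumptions.
import json
import time

LOG_PATH = "gateway_traffic.jsonl"  # assumed output file


def body_repr(content):
    """Keep UTF-8 bodies as text and everything else as hex, so binary
    payloads from the device are preserved instead of being mangled."""
    if not content:
        return {"encoding": "none", "data": ""}
    try:
        return {"encoding": "utf-8", "data": content.decode("utf-8")}
    except UnicodeDecodeError:
        return {"encoding": "hex", "data": content.hex()}


def flow_record(flow):
    """Build one JSON-serialisable record from a completed HTTP flow."""
    req, resp = flow.request, flow.response
    return {
        "time": time.time(),
        "method": req.method,
        "url": req.pretty_url,
        "request_headers": dict(req.headers.items()),
        "request_body": body_repr(req.content),
        "status": resp.status_code,
        "response_headers": dict(resp.headers.items()),
        "response_body": body_repr(resp.content),
    }


class GatewayLogger:
    """mitmproxy calls response() once the server's reply has been read."""

    def __init__(self, path=LOG_PATH):
        self.path = path

    def response(self, flow):
        # Append, so one capture session builds up a single log file.
        with open(self.path, "a", encoding="utf-8") as fh:
            fh.write(json.dumps(flow_record(flow)) + "\n")


# mitmproxy picks up addon instances from this module-level list.
addons = [GatewayLogger()]
```

Records only appear if the gateway completes the TLS handshake with the proxy's certificate, which is the condition molletts describes above.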
joanandk
Apprentice
Joined: 12 Feb 2017
Posts: 169

Posted: Mon Dec 06, 2021 9:47 am

Thanks to all.

@turtles: This was what I was going to do. But as I lack an oscilloscope/logic analyzer, I have started to put some money aside to buy one next year. I have already opened up the gateway, the WiFi module is an ESP32-WROOM-32D. The 866MHz is a module with the A7129 chip.

@molletts: Thanks for the tip on Squid. I did not see this in my search. I will give it a try if mitmproxy fails.

@szatox: mitmproxy did not pop up in my search either. I will try it over Christmas and report back.

BR
All times are GMT