Tcp connection reverse engineering

[rb338 5]

I've got several WiFi RGBW LED controllers which I can control with apps for Android and iOS.

Now, my goal is to make a virtual device in the HC2 so I can control the LEDs from there. To reverse engineer the protocol, I installed an Android client with the app on my PC and enabled Wireshark to find out what happens.

I'm a total newbie on this area, so maybe anyone can help out here?

First step: turn it on and off.

What did I do: start Wireshark, make the app connect, push power (turns it off) and push power again (turns it on).

What do I see?

Every second the app sends a package (length: 1, data: ff).

When I push the power button it sends a package (length: 12, data: 5535656302000212a9bfaaaa)

When I push powe again it sends a package (length: 12, data: 5535656302000212abc1aaaa)

When I "follow" the TCP package and show it as a C array, it tells me:

char peer1_0[] = {

0x55, 0x35, 0x65, 0x63, 0x02, 0x00, 0x02, 0x12,

0xa9, 0xbf, 0xaa, 0xaa };

char peer1_1[] = {

0x55, 0x35, 0x65, 0x63, 0x02, 0x00, 0x02, 0x12,

0xab, 0xc1, 0xaa, 0xaa };

I've included a screenshot as well.

Can anyone help me along? Once I can get the on/off commands to the device, I can figure out how to control R, G, B and W using a slider

Please login or register to see this image.

/emoticons/default_smile.png" alt=":)" srcset="https://forum.fibaro.com/uploads/emoticons/[email protected] 2x" width="20" height="20" />

For example, I don't know in what format I have to send the package. I'm also not sure if the 1 byte ff package every second is necessary, this might be just a keep-alive for the connection.

Thanks for any help!!

Please login or register to see this attachment.

[kiwi 2]

I have first think it is about RGBW fibaro's ...

What it the brand of your lights ?

Maybe the best way is to set an netcat on a server that listen to tcp port 8889 and try every things.

Are you sure that the data is give in one way only ?

[rb338 5]

Thanks for the netcat tip

Please login or register to see this image.

/emoticons/default_smile.png" alt=":)" srcset="https://forum.fibaro.com/uploads/emoticons/[email protected] 2x" width="20" height="20" />

I opened a netcat and tried connecting to it using the iPhone app for the LED controller.

It works fine, the app doesn't seem to send anything except when pressing a button.

So, dumping the data to a hex file with netcat gives me:

< 00000000 55 97 a2 4e 02 00 02 12 a9 bf aa aa # U..N........

< 0000000c 55 97 a2 4e 02 00 02 12 ab c1 aa aa # U..N........

< 00000018 55 97 a2 4e 02 00 02 02 81 87 aa aa # U..N........

< 00000024 55 97 a2 4e 02 00 02 03 84 8b aa aa # U..N........

< 00000030 55 97 a2 4e 02 00 02 04 87 8f aa aa # U..N........

< 0000003c 55 97 a2 4e 02 00 02 05 8a 93 aa aa # U..N........

This is the buttons: OFF, ON, Reg, Green, Blue, White.

Seems like the same stuff I got from Wireshark.

All I can guess is, once I can get this junk over to the controller with Fibaro, I'm done. Not sure how though

Please login or register to see this image.

/emoticons/default_wink.png" alt=";)" srcset="https://forum.fibaro.com/uploads/emoticons/[email protected] 2x" width="20" height="20" />

Oh, the RGBW controllers are from Sunricher. I bought them just before Fibaro released theirs

Please login or register to see this image.

/emoticons/default_sad.png" alt=":(" srcset="https://forum.fibaro.com/uploads/emoticons/[email protected] 2x" width="20" height="20" />

[ Added: 2013-12-04, 22:11 ]

Wow, turning it on and off is working now.

Simple:

local socket = Net.FTcpSocket("192.168.1.20",8899);

local packet = string.char(0x55,0x97,0xa2,0x4e,0x02,0x00,0x02,0x12,0xa9,0xbf,0xaa,0xaa);

local bytes,errorcode = socket:write(packet);

Cool!

Now to check out the other buttons etc.