Ambrogio lawn mover

Has anyone seen an integration to this lawn mover? - Ambrogio robots has SIM card and cloud integration, including APP for android and ios.

+1 for this :slight_smile: But im not sure it will be possible, unless there is some kind of api into Ambrogio’s cloud-interface

Hi Rasmus
Google can’t help, no one seems to have found an API to Ambrogio lawn movers, I have asked Ambrogi - there must be one in the cloud, my Ambrogio store lawn details in the cloud and I can initiate the mover to access specific area without using the BT interface. Coming back when I hear from them.

Hi, did you guys make any progress on this at all?
I also have an Ambrogio mower i’d like to get working with HA

No I wrote to Ambrogio support about an API, but no response from them

+1 for Ambrogio HA integration. As lawn mover has Bluetooth integrated, which is supported by HA now, this should be a chance. Anybody can help ?

@Milan_Rozek @KurtSejr @Gjorret
It turns out. someone figured out the api calls :wink: :wink:
I basically followed this on an Android emulator in Android Studio
Are any of you able to write an integration?
I’ve fudged it with shell scripts which write out to local JSON files, then read as sensors.
Its all POST calls and one auth call for the header

1 Like

Very nice @gavinwoolley !
I havnt written an integration before, so no clue how, but could be interesting to do.
Can you share your api calls?
Wonder if they are the same for all models?

I found that Ambrogio outsourced their IOT to this companies module
who has this REST API guide
it is fitted with this IOT module GE910-QUAD V3: A Quad-Band GSM | GPRS Wireless Module | Telit

I’d say all the calls are standard
What i cant identify yet… is the values for AUTH
i know what mine are. because i captured them.
It looks like it might grab an Identifier from google first then use the mower IMEI.

It kind of needs another person to capture theirs and we can work out if its unique or shared.

Hello, can you share the details about the API calls ? URL, payload, ect…?

I can try to write an integration with those info…

I can. but i cant give you any of the auth details.
They are specific to me and i dont know where they come from.
So you wont be able to use it, until you can capture your auth call. then maybe we could compare payload and see where those values come from.
I posted earlier in this thread on how i did it via android studio and mitmproxy

I have PCAPdroid installed on my phone and I see the Ambrogio App is calling the url:

Where can I get the auth details ? Can I use this app ?

only if you have an old android SDK version or rooted android device.
otherwise it cant install the root cert required to decrypt the HTTPS traffic
I did not.
So i had to use Android Studio, download an android emulator with SDK < 28 in order to see the traffic

so if you extract the android apk. there is a file called
the mqttToken is the appToken the API wants
since its baked into the APK as a static file, that value must be shared by all users

        "command": "api.authenticate",
        "params": {
            "appId": "",
            "appToken": "DJMYYngGNEit40vA",
            "thingKey": ""

the appId and thingKey are the same value
just trying to figure what that is
there is another file called apiKey.txt
which is base64 encoded and contains some AWS auth flow token exchange for some reason

looks the same as this tiktok call TikTok API Decoded -

so now i can see the value being used as appId and thingKey is the userId in a response payload from

POST*******************-****** HTTP/1.1
Content-Type: application/json
X-Android-Package: it.centrosistemi.ambrogioremote
X-Android-Cert: ************
Accept-Language: en-US
X-Client-Version: Android/Fallback/X21000008/FirebaseCore-Android
X-Firebase-GMPID: 1:373506005239:android:07fcd128132313f3
X-Firebase-Client: *********************
Content-Length: 529
User-Agent: Dalvik/2.1.0 (Linux; U; Android 9; AOSP on IA Emulator Build/PSR1.180720.122)
Connection: Keep-Alive
Accept-Encoding: gzip



  "access_token": "******",
  "expires_in": "3600",
  "token_type": "Bearer",
  "refresh_token": "***",
  "user_id": "theValueWeNeed",
  "project_id": "373506005239"

no idea how to reproduce that

i used this guide to make MITM proxy work on an android

but it could be any proxy. the issue is android and extra security added after SDK 28

Can you explain me the steps one by one in order, so I can try to make an integration? So step 1 is calling googleapis with which parameters?

I sign into the Ambrogio app with my googleId
so i guess my auth flow involves google and some google firebase app that ambrogio own.

I dont actually get it, i dont know what values are exchanged or what to use as goggle key.

But once that google auth flow has returned a user_id that can be used in the ambrogio devicewise api call as the appId and thingKey which will then return a sessionId which is used in all subsequent calls to the api.
I dont know how to dig deeper, maybe needs more understanding of how the google auth flow works to a firebase app.

you really need to get a local dev env with a virtual android running so you can capture and decode all the auth flow.
i used this Download Android Studio & App Tools - Android Developers
with this virtual device

and follow all this guide System CA on Android Emulator
wont take long to get up and running and capturing data


I am going to give this a go, just finished writing an integration for Masthertherm Heatpumps, so unless someone else has already started I am going to setup a repo for the Ambrogio.

Not sure how much can be done and also have to take care as there is a bandwidth limit on the mower sim. Also what you can get and control is limited.

Would also be interested in anyone who knows how to debug the bluetooth calls that might be more interesting with some sort of network bluetooth module.

1 Like

Some anlaysis based on the APP and above.
The APP uses googleapis account to retrieve which gets back some details that include a LocalID, from that it does some things with Firebase but they are mainly for the App nothing really interesting.

Next it authenticates with devicewise using appToken, appId and thingKey. (loving the naming). The appId and thingKey are the localID rerieved from above.

The appToken must be internal to the android app its not retrieved from anywhere.

Everything of interest happens with devicewise, suppose the integration could piggy back off the googleapis and rip the APIkey out fo the app, don’t much like doing that though.

I found that key in a txt file in root of the app package. It must be static