Ambrogio lawn mover

KurtSejr · May 28, 2021, 8:37am

Has anyone seen an integration to this lawn mover? - Ambrogio robots has SIM card and cloud integration, including APP for android and ios.

Gjorret · July 21, 2021, 1:56pm

+1 for this But im not sure it will be possible, unless there is some kind of api into Ambrogio’s cloud-interface

KurtSejr · July 22, 2021, 9:19am

Hi Rasmus
Google can’t help, no one seems to have found an API to Ambrogio lawn movers, I have asked Ambrogi - there must be one in the cloud, my Ambrogio store lawn details in the cloud and I can initiate the mover to access specific area without using the BT interface. Coming back when I hear from them.

gavinwoolley · September 3, 2021, 3:52pm

Hi, did you guys make any progress on this at all?
I also have an Ambrogio mower i’d like to get working with HA

KurtSejr · September 4, 2021, 6:14am

Hi
No I wrote to Ambrogio support about an API, but no response from them
/Kurt

Milan_Rozek · October 14, 2022, 12:02pm

+1 for Ambrogio HA integration. As lawn mover has Bluetooth integrated, which is supported by HA now, this should be a chance. Anybody can help ?

gavinwoolley · October 14, 2022, 12:55pm

@Milan_Rozek @KurtSejr @Gjorret
It turns out. someone figured out the api calls
I basically followed this on an Android emulator in Android Studio
https://docs.mitmproxy.org/stable/howto-install-system-trusted-ca-android/#instructions-for-api-level--28-1
Are any of you able to write an integration?
I’ve fudged it with shell scripts which write out to local JSON files, then read as sensors.
Its all POST calls and one auth call for the header

Gjorret · October 17, 2022, 10:24am

Very nice @gavinwoolley !
I havnt written an integration before, so no clue how, but could be interesting to do.
Can you share your api calls?
Wonder if they are the same for all models?

gavinwoolley · October 17, 2022, 10:49am

I found that Ambrogio outsourced their IOT to this companies module
who has this REST API guide
https://docs.devicewise.com/Content/Products/IoT_Portal_API_Reference_Guide/HTTP_Interface/REST-API.htm
it is fitted with this IOT module GE910-QUAD V3: A Quad-Band GSM | GPRS Wireless Module | Telit

I’d say all the calls are standard
What i cant identify yet… is the values for AUTH
i know what mine are. because i captured them.
It looks like it might grab an Identifier from google first then use the mower IMEI.

It kind of needs another person to capture theirs and we can work out if its unique or shared.

StefanoGiu · November 15, 2022, 3:57pm

Hello, can you share the details about the API calls ? URL, payload, ect…?

I can try to write an integration with those info…

gavinwoolley · November 16, 2022, 1:52pm

I can. but i cant give you any of the auth details.
They are specific to me and i dont know where they come from.
So you wont be able to use it, until you can capture your auth call. then maybe we could compare payload and see where those values come from.
I posted earlier in this thread on how i did it via android studio and mitmproxy

StefanoGiu · November 16, 2022, 2:06pm

I have PCAPdroid installed on my phone and I see the Ambrogio App is calling the url: https://api-de.devicewise.com/rest/auth

Where can I get the auth details ? Can I use this app ?

gavinwoolley · November 16, 2022, 2:19pm

only if you have an old android SDK version or rooted android device.
otherwise it cant install the root cert required to decrypt the HTTPS traffic
I did not.
So i had to use Android Studio, download an android emulator with SDK < 28 in order to see the traffic
https://docs.mitmproxy.org/stable/howto-install-system-trusted-ca-android/#instructions-for-api-level--28-1

gavinwoolley · November 16, 2022, 4:34pm

so if you extract the android apk. there is a file called koin.properties
the mqttToken is the appToken the API wants
since its baked into the APK as a static file, that value must be shared by all users

        "command": "api.authenticate",
        "params": {
            "appId": "",
            "appToken": "DJMYYngGNEit40vA",
            "thingKey": ""
        }
    }

the appId and thingKey are the same value
just trying to figure what that is
there is another file called apiKey.txt
which is base64 encoded and contains some AWS auth flow token exchange for some reason

looks the same as this tiktok call TikTok API Decoded - Pastebin.com

gavinwoolley · November 16, 2022, 5:01pm

so now i can see the value being used as appId and thingKey is the userId in a response payload from https://securetoken.googleapis.com/v1/token?
REQUEST

POST https://securetoken.googleapis.com/v1/token?key=*******************-****** HTTP/1.1
Content-Type: application/json
X-Android-Package: it.centrosistemi.ambrogioremote
X-Android-Cert: ************
Accept-Language: en-US
X-Client-Version: Android/Fallback/X21000008/FirebaseCore-Android
X-Firebase-GMPID: 1:373506005239:android:07fcd128132313f3
X-Firebase-Client: *********************
Content-Length: 529
User-Agent: Dalvik/2.1.0 (Linux; U; Android 9; AOSP on IA Emulator Build/PSR1.180720.122)
Host: securetoken.googleapis.com
Connection: Keep-Alive
Accept-Encoding: gzip

{"grantType":"refresh_token","refreshToken":"*********-****************"}

RESPONSE


{
  "access_token": "******",
  "expires_in": "3600",
  "token_type": "Bearer",
  "refresh_token": "***",
  "user_id": "theValueWeNeed",
  "project_id": "373506005239"
}

no idea how to reproduce that

i used this guide to make MITM proxy work on an android
https://docs.mitmproxy.org/stable/howto-install-system-trusted-ca-android/

but it could be any proxy. the issue is android and extra security added after SDK 28

StefanoGiu · November 17, 2022, 1:12pm

Can you explain me the steps one by one in order, so I can try to make an integration? So step 1 is calling googleapis with which parameters?

gavinwoolley · November 17, 2022, 2:03pm

I sign into the Ambrogio app with my googleId
so i guess my auth flow involves google and some google firebase app that ambrogio own.

I dont actually get it, i dont know what values are exchanged or what to use as goggle key.

But once that google auth flow has returned a user_id that can be used in the ambrogio devicewise api call as the appId and thingKey which will then return a sessionId which is used in all subsequent calls to the api.
I dont know how to dig deeper, maybe needs more understanding of how the google auth flow works to a firebase app.

you really need to get a local dev env with a virtual android running so you can capture and decode all the auth flow.
i used this Download Android Studio & App Tools - Android Developers
with this virtual device

and follow all this guide System CA on Android Emulator
wont take long to get up and running and capturing data

droogish · March 15, 2023, 2:37pm

Hi,

I am going to give this a go, just finished writing an integration for Masthertherm Heatpumps, so unless someone else has already started I am going to setup a repo for the Ambrogio.

Not sure how much can be done and also have to take care as there is a bandwidth limit on the mower sim. Also what you can get and control is limited.

Would also be interested in anyone who knows how to debug the bluetooth calls that might be more interesting with some sort of network bluetooth module.

droogish · March 16, 2023, 6:10pm

Some anlaysis based on the APP and above.
The APP uses googleapis account to retrieve which gets back some details that include a LocalID, from that it does some things with Firebase but they are mainly for the App nothing really interesting.

Next it authenticates with devicewise using appToken, appId and thingKey. (loving the naming). The appId and thingKey are the localID rerieved from above.

The appToken must be internal to the android app its not retrieved from anywhere.

Everything of interest happens with devicewise, suppose the integration could piggy back off the googleapis and rip the APIkey out fo the app, don’t much like doing that though.

gavinwoolley · March 16, 2023, 6:28pm

I found that key in a txt file in root of the app package. It must be static