Experience integrating Duux products?

I haven’t opened mine as I was planning to return it, I don’t like to support companies who do things like this (no local API, too much data shared).

If it uses a serial connection to the main board, this is good news, it means we can capture the commands and either reflash the ESP32 or fit a new one.

The best option is to tap the serial connection from start up to look for any initialisation commands, then watch out for data coming back.

I might just open and reverse engineer it for us if you’re not too sure what you’re looking at.

1 Like

Thanks!
Would be great if you could have a look at it as I’m not quite sure how to decode the serial communication (I just use the console in the Arduino IDE or PuTTY, but the communication doesn’t seem to use ASCII characters; I guess you would need to look at the raw hex…)
I will try myself if you decide to return yours as I really want local access and I have a couple of friends with the same device 🙂
Unfortunately, my unit is in use most of the time so I need to find a moment where I could open it again

Well if it helps, happy to throw in my Duux Threesixty 2 for testing since I don’t use it that much. I don’t have a cable to hook it up to my computer yet, but will get one and help with this.


Sorry for the delay, I’m away with work, hope to get around to it this weekend. I have the tools and test equipment so it shouldn’t be a problem.

So, how did the weekend go? 🙂

Just got a brand new DUUX Threesixty 2 in today and was looking forward to integrating it into my Home Assistant setup. Unfortunately I cannot find a way to do this.
Any advice or updates on this topic?

Didn’t get time yet sorry, busy with work and family life.

It’s definitely on my list of things to do so hopefully between Christmas and New year while I’m off work.

3 Likes

Judging from the number of holes (1 vs 2) and pins (10) that must be a 10-Pin spring-pin plug-of-nails IDC cable like the TC2050-IDC-NL.

1 Like


Good catch, it certainly looks like it.

I don’t think I’ll need this connector for the approach I’m taking; my plan is not to deal with the existing microcontroller at all.

I’ve gotten my equipment out over Christmas and ready to capture everything on the UART. I’m waiting for some parts to build a modified version of the cable between the two boards, so I can tap it and grab everything with my logic analyser.

I’m planning to replace the existing ESP32 board altogether, for a couple of reasons; allow the existing one to remain untouched so it can be restored if required, and also so we know exactly what hardware and code is running.

I use the heater in my home office where I work and it’s been pretty chilly lately so it has been in use most days, so I can’t have it stripped for too long at a time.

If anyone has any experience with Bluetooth capture in Android, I’d also be interested in another approach I’ve been considering; the app appears to configure the heater over Bluetooth on first connection, and if we could grab the protocol, it may be possible to specify the MQTT server during setup, that would potentially allow a software-only solution, for anyone who doesn’t want to modify the heater; but that’s all speculation until we can capture the comms over that channel.

I can do this myself but it’s not my first priority.

I’m also not going to touch the hardware at the moment because I’m using it every day this winter. But I am extremely frustrated with the mandatory DUUX WAN server connection because their app is very broken, and I just cannot control the darn thing 90% of the time. It has me crawling under the desk six times a day. It is even displaying a message letting me know how useless the control app is:

image

So I applaud every attempt at making this thing more useful. It is frustrating to know technically all the ESP32 module needs is a way to set a custom local MQTT-server. (DUUX should put this option in the app. Tucked away under “advanced”, not to scare easily satisfied customers away.)

It would be nice to download the firmware and use binwalk to figure out the ESP32 module contains a small Linux distro with configuration files rather than a single binary. Because the former can be hacked and the latter can’t (at least not by me).

1 Like

Well that adds a new dimension; this sort of issue with cloud services is one of the reasons I don’t want anything that’s “connected”; what happens if they go under or shut down the servers, useless heater?

The Linux idea is quite unlikely in my opinion, an ESP32 isn’t really the right platform for a microcontroller.

That’s not to say there won’t be configuration. There is a flash chip on the esp daughter board, I’ll dump that next and see if there’s anything we can modify in there.

I’ve already hooked it up standalone to a logic analyser and got nothing useful, I really will need to get that tap cable made to capture the UART while both boards are hooked up.

While I’m waiting, I’ll check if the MQTT URL is stored in the flash chip and see if I can modify it, watch this space.

Here’s some photos I took of the boards for anyone interested, including close ups of the chip markings.

Note that the larger, main chip on the main board has no markings.






2 Likes
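One way to check a dump of the flash chip for a stored server address, as an added example that is not part of the original posts. The sample dump is constructed: `collector.cloudgarden.nl` is the hostname mentioned in this thread, and `broker.example.invalid` is a placeholder for an unknown MQTT endpoint.

```python
import re

# scheme://host:port with scheme and port optional, matched on raw bytes
URL_RE = re.compile(
    rb"(?:([a-z][a-z0-9+.-]{1,9})://)?"
    rb"((?:[a-z0-9-]{1,63}\.)+[a-z]{2,24})"
    rb"(?::(\d{1,5}))?",
    re.IGNORECASE,
)
PADDING = (0x00, 0xFF)  # NUL terminators and erased NOR flash cells


def find_endpoints(dump, needle=b""):
    """List hostname-like strings in a flash dump.

    'room' is the number of bytes from the start of the string to the next
    non-padding byte, i.e. how long a string could sit there without
    touching neighbouring data. It says nothing about whether the firmware
    checksums that region.
    """
    hits = []
    for m in URL_RE.finditer(dump):
        scheme, host, port = m.groups()
        if needle.lower() not in host.lower():
            continue  # filter out junk matches in unrelated binary data
        end = m.end()
        while end < len(dump) and dump[end] in PADDING:
            end += 1
        hits.append({
            "offset": m.start(),
            "scheme": scheme.decode() if scheme else None,
            "host": host.decode(),
            "port": int(port) if port else None,
            "room": end - m.start(),
        })
    return hits


def sample_dump():
    # Constructed 256-byte stand-in for a real dump (erased flash reads 0xFF).
    blob = bytearray(b"\xff" * 256)
    first = b"https://collector.cloudgarden.nl\x00\x00\x00\x00"
    second = b"mqtts://broker.example.invalid:8883\x00"  # placeholder endpoint
    blob[0x20:0x20 + len(first)] = first
    blob[0x80:0x80 + len(second)] = second
    return bytes(blob)


if __name__ == "__main__":
    for hit in find_endpoints(sample_dump()):
        print(hit)
```

On a real 4 MB dump, pass a `needle` such as `b"cloudgarden"` so that random binary data matching the hostname pattern is not reported.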

Oh no, you took it apart! I mean, awesome!! 😃
It’s snowing here so I didn’t expect you to be so enterprising.

I’m @Humvee. Someone thought it would be constructive to restrict new users from contributing too much, and I was receiving the below message, so I had to create a new user:

You have reached the reply limit for this topic
We’re sorry, but new users are temporarily limited to 3 replies in the same topic.

Looking at the pictures, there are like 4 boards and 2 debug ports, correct? And those P1 - P14 tags on the back, weird.

I guess the two interwoven big ones are for the heating and fan and such. Then you have two boards with 10-Pin plug-of-nails JTAG each.

The smallest is the duux MCU board. I don’t know what this is for. I assumed it was the ESP32 board.

The bigger one is the duux 1022 v1.2.0 whatever that means. The number 2312 and the word RF are printed on it, confusing me into believing this is an RF2312 module. And that’s weird because that’s neither for WiFi nor for Bluetooth, if I am not mistaken. So I probably am. (Or this device can secretly be remote controlled by RF/RC, which is too good to be true).

Either way, you just found the motherlode. That SOIC8 chip on the first picture marked Z. It’s a Winbond flash chip. The 25VQ32BSIG. It has only 4 Megabytes, so you are right, that’s probably not Linux. So I’m more pessimistic now because I’m not good with unknown binaries, but in the past I have been able to read/write that kind of chip using a CH341A EEPROM flasher and a SOP8-clip.

Edit: I don’t think the 25VQ can be read using CH341A. It reads 24C, 25C and 93C.

1 Like

Apologies, the way I presented the photos was confusing.

There’s only two boards, the main large one with the power stuff and the smaller ESP32 board with DUUX written on it.

The other photos were just front/back and some close ups of the key chips.

As for the SPI NOR flash, no worries, I have the tools to dump it, I’ll poke around when I do.

I definitely made a mistake disassembling it when I did because it has been snowing here too and I’ve been so cold in my home office it’s been a struggle typing, my fingers are so cold.

If nothing else it’ll encourage me to sort it out quickly, I’ve got a plan of attack, will update as I make progress.

2 Likes

Ah I see. The ESP32 board looks different from the one photographed by @SirYesSir, so I assumed you photographed a secondary module. These are both Duux Threesixty 2, right? Must be different models. The physical antenna is replaced by a printed one, among other things. Or the other way around. I hope the firmware is the same though.

I’ll be back when I have something more useful to add. I have 1 reply left, and then I need to create a new username. Looking forward to your findings!

Ooh, interesting, I wasn’t paying attention but yes those boards are quite different.

Mine is indeed a Threesixty 2, perhaps the other one isn’t? Either that or they’ve made a revision for some reason.

Hi @hamido, I’ve been trying to do MitM and so far I’ve been able to discover the app communication only. Can you tell what domains are requested for the MQTT communication? The only one I’m able to discover for the device itself is collector.cloudgarden.nl, but that seems to be HTTP(s) protocol.

1 Like

@hamido can you give the MQTT domain & port used?
I wonder if forcing the DNS resolution of this server to a local one would work too. Haven’t checked yet if the DNS used by the Duux device is the one given by DHCP or if it’s embedded in the fw.
But it could be a simple solution if you don’t want to MitM and change DNAT rules.

If I remember correctly, it was something like api.cloudgarden.nl. I’ll need to grab my pcap to check as the unit is disassembled at the moment.

DNS redirect should be easy to test, I force all standard DNS requests to my servers regardless of the client being hard coded etc (using DNAT rules again).

That would be the easiest solution for people not wanting to modify anything, I’ll test it soon as I can.

I already built the cable for tapping and capturing the UART and I have the clip I need to dump the SPI ROM so that’s next on my Todo list.

2 Likes
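The open question above, whether the device uses the DHCP-supplied resolver or one embedded in the firmware, can be settled from a LAN-side capture taken before any DNAT rewrite. The following is an added example, not part of the original posts; the IP addresses and the `tcpdump -n` style lines are constructed sample data.

```python
import re
from collections import defaultdict

# One line of `tcpdump -n port 53` text output for a DNS query, e.g.
# 12:00:01.10 IP 192.168.1.50.49152 > 192.168.1.1.53: 4660+ A? host.example. (36)
QUERY_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > (?P<dst>\d+\.\d+\.\d+\.\d+)\.53: "
    r"\d+\+? (?P<qtype>[A-Z]+)\? (?P<name>\S+?)\.? "
)


def resolvers_used(lines, device_ip):
    """Map each resolver the device queried to the set of names it asked for."""
    seen = defaultdict(set)
    for line in lines:
        m = QUERY_RE.search(line)
        if m and m["src"] == device_ip:
            seen[m["dst"]].add(m["name"].lower())
    return dict(seen)


def verdict(lines, device_ip, dhcp_dns):
    """Say whether the device only ever asked the resolver handed out by DHCP."""
    used = resolvers_used(lines, device_ip)
    if not used:
        return "no-queries"
    extra = sorted(set(used) - {dhcp_dns})
    if not extra:
        return "dhcp-resolver-only"  # a local DNS override is enough
    return "hard-coded-or-fallback: " + ", ".join(extra)  # needs a DNAT rule too


# Constructed capture: heater at 192.168.1.50, DHCP hands out 192.168.1.1.
SAMPLE = [
    "12:00:01.10 IP 192.168.1.50.49152 > 192.168.1.1.53: 4660+ A? collector.cloudgarden.nl. (42)",
    "12:00:01.12 IP 192.168.1.1.53 > 192.168.1.50.49152: 4660 1/0/0 A 203.0.113.10 (58)",
    "12:00:02.30 IP 192.168.1.20.50111 > 203.0.113.53.53: 17+ A? other.example. (31)",
]
# Same capture plus a query sent straight to a resolver DHCP never offered.
SAMPLE_HARDCODED = SAMPLE + [
    "12:00:05.00 IP 192.168.1.50.49153 > 203.0.113.53.53: 4661+ A? collector.cloudgarden.nl. (42)",
]

if __name__ == "__main__":
    print(verdict(SAMPLE, "192.168.1.50", "192.168.1.1"))
    print(verdict(SAMPLE_HARDCODED, "192.168.1.50", "192.168.1.1"))
```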