Generic tutorial on hacking wifi enabled devices

A couple of months ago, I bought an electric water boiler with wifi connectivity. I was well aware that the wifi connectivity would only work by signing up to some cloud service and then managing the device through a proprietary app, which would make it more or less useless for HA integration.

However, I still would like to give it a try, but I don't know how to start. From what I could see, this device is controlled by HTTP requests sent between the device and the cloud service. Is there a way to send those HTTP requests directly from HA to the device? And is there a way for HA to receive the HTTP requests sent from the device to the cloud service?

Does anyone know of a tutorial that could help me with this?

In this particular case, the boiler is a Ferroli Titano Twin… in case someone already managed to connect it to HA

GD

This might get you started: MITM Tutorial

Ferroli has different apps, based on I don’t know what criteria. For example, I have a boiler that works with the mobile app “Ferroli Connect”. I tried to use mitm, and it’s all very strange: mainly it makes GET requests (to eu-api[dot]topband-cloud[dot]com) without a GET parameter, but still resulting in “application/json”. I just can’t figure out on what protocol it sends requests to the boiler/server (which then communicates with the boiler).

By the way, here in Italy they brag about Made in Italy, and the APIs and servers they run on are literally Chinese :rofl:

Oh my gosh! I get it, approximately: the app gets a web page from the server; this way the requests don’t go directly from the app.

OK, I have some news. After unsuccessful experiments on the app, I moved to the gateway, and I discovered something very useful: basically, after examining the packets (and if the company has not changed the port), the gateway communicates with the server on port 8883, that is, MQTT over TLS.

MITM proxies are useful when the device communicates via normal web protocols. Fiddler is also very useful. You also need to install a root certificate on a device. It works on both iOS and Android.
But sometimes the device or server complains about certificate issues, because Fiddler has already viewed the packet and forwarded it to your phone or IoT device.

But if you are more interested, you can try Raspion.
That turns a Raspberry Pi into a WLAN router, and you can take a look at the network traffic of smart home and IoT devices. All apps are reachable via a web browser.

I have successfully captured the MQTT traffic between the device and the server. It was not so easy because it was encrypted.
I’m now reverse engineering the protocol (it’s quite complex, it will take some weeks). I hope to implement an alternative open-source server in Python that the device will talk to locally, in order to remove the cloud part and allow local Home Assistant integration.
Stay tuned, maybe I will ask you to do some testing :slight_smile:

2 Likes
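For readers following the port 8883 finding above, this is an added example (not code from anyone in this thread) of a minimal MQTT 3.1.1 decoder for a byte stream that has already been recovered from the TLS session of a device you own. The client id `gw-0001`, the topic `dev/status` and the payload bytes are constructed; the thread does not describe the real topics or payload format.

```python
# Added example: minimal MQTT 3.1.1 decoder for an already-decrypted byte stream.
import struct

TYPES = {1: "CONNECT", 2: "CONNACK", 3: "PUBLISH", 4: "PUBACK", 8: "SUBSCRIBE",
         9: "SUBACK", 12: "PINGREQ", 13: "PINGRESP", 14: "DISCONNECT"}

def read_varint(buf, pos):
    """Decode the 'remaining length' field: 7 bits per byte, at most 4 bytes."""
    value = 0
    for i in range(4):
        if pos + i >= len(buf):
            raise ValueError("truncated remaining-length field")
        value |= (buf[pos + i] & 0x7F) << (7 * i)
        if not buf[pos + i] & 0x80:
            return value, pos + i + 1
    raise ValueError("remaining-length field longer than 4 bytes")

def read_string(body, pos):
    """Read a UTF-8 string with a 2-byte big-endian length prefix."""
    (n,) = struct.unpack_from(">H", body, pos)
    return body[pos + 2:pos + 2 + n].decode("utf-8", "replace"), pos + 2 + n

def decode_stream(buf):
    """Split a byte stream into MQTT control packets; returns a list of dicts."""
    packets, pos = [], 0
    while pos < len(buf):
        kind, flags = buf[pos] >> 4, buf[pos] & 0x0F
        length, start = read_varint(buf, pos + 1)
        body = buf[start:start + length]
        if len(body) < length:
            raise ValueError("truncated packet body")
        pkt = {"type": TYPES.get(kind, f"type-{kind}"), "length": length}
        if kind == 1:  # CONNECT: protocol name, level, flags, keepalive, client id
            proto, p = read_string(body, 0)
            level, cflags, keepalive = struct.unpack_from(">BBH", body, p)
            pkt.update(protocol=proto, level=level, keepalive=keepalive,
                       client_id=read_string(body, p + 4)[0], has_username=bool(cflags & 0x80))
        elif kind == 3:  # PUBLISH: topic, optional packet id, payload
            qos = (flags >> 1) & 0x03
            topic, p = read_string(body, 0)
            p += 2 if qos else 0  # packet identifier only present for QoS 1 and 2
            pkt.update(topic=topic, qos=qos, payload=body[p:])
        packets.append(pkt)
        pos = start + length
    return packets

# Constructed sample: CONNECT from client "gw-0001", then a QoS 0 PUBLISH on "dev/status".
SAMPLE = (bytes.fromhex("101300044d5154540402003c000767772d30303031")
          + bytes.fromhex("300f000a6465762f737461747573012d00"))
```

Calling `decode_stream(SAMPLE)` returns one dict per packet; the PUBLISH payload is left as raw bytes because its encoding is vendor-specific.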

Sounds interesting, and of course, I am always willing to do some testing for you. I lack the knowledge for this kind of reverse engineering, but whatever I can do to contribute, I am glad to do so.

Some news?

I had to stop due to some issues at work, I plan to continue during the summer!

3 Likes

Some progress? Some ideas?

Try installing the Tuya app and adding your device to that. Then Tuya is visible on HA. I solved it like this.

Not really the ideal solution if one wants to get away from the cloud, but anyway: I have this Ferroli Titanio Twin boiler connected to an app that is called EGEA Smart. Are you saying I can register this Ferroli boiler on Tuya?
I have the Tuya integration installed in HA and used it to control 2 wifi plugs, but I do not know how to register the Ferroli boiler on Tuya.

Geert

Hey, please let me know if I can help on that, I just started with HA and it will be great to integrate the Ferroli Connect.

In case it’s helpful, I’ve recently reinstated mitmproxy as a Home Assistant add-on.

This can be helpful when trying to decode what a WiFi device or app is doing via an encrypted connection to a remote server.

Unfortunately I also have the same problem. Unfortunately, Ferroli devices cannot be integrated with the TUYA app and obviously not even with SMARTLIFE. So at the moment it is impossible to integrate them on home assistant, or at least I can’t.

I confirm that the Ferroli Titanio TWIN can be integrated with the Smart Life app. It installs like any other tuya device. This registers it on the Tuya Server and makes it accessible in Home Assistant via the Tuya Integration as a climate entity. Once this is done, you have access to the actual water temperature, you can set it to OFF or HEAT/COOL. For some reason setting it to HEAT leaves it on HEAT/COOL. Setting the temperature is available via a service.
Not exactly what I want, as I aim for a cloudless environment, but still better than nothing.
Geert

Not sure if you’re still looking for a cloudless solution for the Ferroli Titano Twin electric water heater, but I set mine up with tuya-local (not to be confused with LocalTuya) (GitHub - make-all/tuya-local: Local support for Tuya devices in Home Assistant) and it works fine. (It’s even exposed as a water_heater instead of a climate entity.) The Titano Twin is listed in the compatible devices list, which means setup is as simple as scanning a QR code with the Tuya Smart/Smart Life app for authorisation, and setting the protocol version to auto and the device IP (reserved with DHCP on your router), and it works offline.