Help sniffing packets to get hardware i want in homeassistant - trolmaster hydrox

docsparks · July 20, 2021, 7:49pm

a few years ago a company by the name of ‘trolmaster’ released a environment controller that relies on rj12 connectors to connect to its devices, and the main controller itself plugs directly into ethernet. no wifi.

there is also no way to configure the main units internet properties at all, no login, no password. no settings, acquires IP when online and does it via DHCP. you open the app on your phone, login, then scan the QR code on the controller itself to establish ownership. being on local internet is basically not at option. the software is also lackluster to say the least.

ive decompiled the android app and see it does connect to aws for the user account process. there are also bin files for firmware updates available on their website.

the hardware inside the main controller is STM32, ive opened all units and identified which chips are what and their purpose… Im not at the proper skill level yet to attempt to gain access via i2c, or slic cable debuggers, that to my understanding, this thing works off of.

countless times in the past ive wasted a few too many hours trying to use wireshark to figure out what its transmitting, but its also been a while as ive come quit discouraged with this entire process.

its got to be sending the environmental data to its cloud, and there has got to be a way for me to get that access to that. there’s gotta be :shrug:

between the ides to decompile their bin, semi regular android apk updates, decompiling the apk and nudging around in that source code… its been a blackhole of time for me.

if anyone is of any skill in this process, feel free to suggest anything, or ask anything, ill be happy to post pics and links to anything, for a bump in the right direction.

theres got to be someone out there that can aid in this, and heres my outcry for help.
i cant even figure out what port it uses.

the company doesn’t have an API available yet, and is going to be charging a monthly access fee when they figure it out :facepalm:

not sure where else to post this on the forum, but again, any help is welcome.
thanks!

trolmaster hydrox
https://www.trolmaster.com/Products/Details/HCS-1

TM4C1231 - TI SOC
https://www.ti.com/store/ti/en/p/product/?p=TM4C1231H6PMI7

PIC32 MZ1024EFM - second pcb that has ethernet jack
https://www.microchip.com/en-us/products/microcontrollers-and-microprocessors/32-bit-mcus

kevinleberge · August 19, 2021, 5:42am

Is there private messaging on here?

aceindy · August 19, 2021, 6:00am

Yes, just hit the users avator and voila, a message button…

docsparks · August 19, 2021, 7:42am

sup hombre

sea3pea0 · September 24, 2021, 11:59pm

I was wanting to figure out how to get the Hydro-X controller integrated in home assistant a while ago. I even called Trolmaster to ask about it and was given the answer no, its proprietary. They told me if I wanted to export the data from the hydro-x I had to do it via sd card. Anyway, I was wondering if anyone ever figured a way to access the hydro-x from home assistant?

One thing I noticed about the hydro-x is that if you bring up it’s IP address in a terminal there is a UNIX shell available. I thought about taking the hydro-x and trying to brute force into it with a penetration tool. But since then I haven’t had a hydro-x handy to attempt that. I am likely going to grab a hydro-x pro sometime in the next couple of months, so I will probably be looking into figuring out to gain access to it from home assistant. I know the hydro-x pro has a built-in web server so scraping would be an option for that model if nothing else shows any promise… However the regular hydro-x doesn’t have a web server so scraping wouldn’t work on that one

docsparks · September 25, 2021, 7:47pm

Yeah there pretty much anti-anything that could potentially take away business from them when they learn what their doing. Go Figure.

Hope is not lost, ive made progress in tapping into jtag points or i2c / stm32 sniffing.
Without a doubt not the path I wanted to go down but, if people can jailbreak iphones, Ill find a way into this firmware.

Even to disassemble the firmware would be beneficial, however this forum in general doesn’t seem to be the place to get help on this subject.

cant have no in your heart. feel free to shoot any thoughts my way.

aceindy · September 26, 2021, 7:26am

The midea air conditioning was reverse engineered by a group on Telegram,
I figured, i could do the same for my Duepi pellet stove. Not as complicated as midea protocol, nevertheless working now😉

matthewallen00 · December 4, 2022, 1:48pm

Anybody have any success or made some kind of progress? This is something I’d love to incorporate into my HA but definitely not going to spend $15/MONTH! for API access. If I could just sign up for a month, get what I need and then cancel that has appeal but I like the thought of hacking the device more.

I have a good brain for tinkering, with some thoughts/tips on direction or possible approach it’d at least be fun to try.

I got into HA because I wanted a data logger for the Teros 12 sensors. There’s a tutorial here on these forums that I used to get it built and configured. But the readings that get displayed don’t match the readings from the little USB dongle thingy that you use with the Aroya app. So I reworked the equations and now I have a home brewed Aroya system that’s a lot of fun to play with.

Now if I could just pull the Trolmaster data into HA I could really start having fun. I’d love to hear things anyone has tried or thinks is worth exploring.

matthewallen00 · March 29, 2023, 6:05pm

If anybody out there is looking for Trolmaster integration…I’ve been able to automate my room with MUCH more finesse and precision using smart plugs and temp/humidity sensors. And the required hardware is significantly cheaper than buying all the TM modules.

HA is a much better platform for environmental control and I’m happy to not only be getting rid of Trolmaster’s feature-lacking and primitive system, but I get all kinds of neat graphs and data sets and phone alerts that just wasn’t possible before.

If anybody is looking at automating some grow things with HA I’d be happy to share what I’ve learned.

almighty59 · October 16, 2023, 8:56pm

I did almost the same thing with my AC Infinity UIS controller. They do have an integration that allows me to pull the state of the devices and probes which I use to automate other devices. It’s a solid work around.

eden2.0 · December 26, 2023, 3:35am

i could use your help with this integration. thanks

W1ngl3t · August 16, 2024, 3:24pm

Has anyone made any progress?

baudneo · August 16, 2024, 3:41pm

I did some reverse engineering of proprietary code for c by ge (cync) lights. If you can verify if the device you want to reverse engineer is forcing SSL verification? If it is, then the only way is to pull chip off and dump the firmware and then decrypt the firmware, etc.

If the device isn’t enforcing ssl, you can make your own cert, do DNS redirection and have the device talk to a local python script or socat to log the output between device and cloud server. Basically sniff the traffic in real time and then work out the binary protocol.

I can help point someone in the right direction, but I don’t have this device, so I can’t attempt this myself.

W1ngl3t · August 16, 2024, 8:38pm

I have no reverse engineering experience and my unit hasn’t arrived either, but when it does, I’m happy to play a part in getting this thing to integrate.