Local Deployment for SureFlap / SurePetCare Connect using only local MQTT Broker

peterl · January 29, 2021, 9:51pm

~~I’m looking to reverse engineer the sureflap cloud backend.~~

This is a completely different approach to the built-in Home Assistant Integrations to the SurePetCare Cloud:

PetHubLocal requires you to poison the DNS entry the hub connects to hub.api.surehub.io to an internal host, so that the hub no longer connects to the Cloud service but it only connects locally.

To achieve this I have mostly reverse engineered the SureFlap Connect series hardware Hub. With a primary focus on “Me In The Middle” aka MITMing the traffic from the Hub to the SurePetCare cloud after figuring out how to open the AWS IoT MQTT Client Certificate by finding how the password is calculated on a per-hub basis. This has involved building a python frontend and Hub <-> Home Assistant translation to translate MQTT messages generated by the hub into Home Assistant messages and vice versa.

Documentation: https://pethublocal.github.io/
Code: GitHub - PetHubLocal/pethublocal: Replacement for SurePetCare "Connect" cloud service connecting via MQTT to Home Assistant

There are two ways you can deploy PetHubLocal:

Home Assistant OS / Supervisor Addon - GitHub - PetHubLocal/addon: Home Assistant addon Repository for PetHubLocal
Standalone - GitHub - PetHubLocal/pethublocal: Replacement for SurePetCare "Connect" cloud service connecting via MQTT to Home Assistant

The HAOS Addon assumes you are using the embedded Mosquitto MQTT Broker and deploys the addon along side exposing the ports required by the hub (80/443/8883) and connects back to the main broker.

Standalone you can deploy it in a Docker container, or run it interactively using tmux or something to keep it running as a background process.

I recommend you start at the documentation to understand how it all fits together, and if updating your internal DNS, and potentially flashing custom firmware onto your hub if it has been upgraded sounds all a bit too much then this project probably isn’t for you.

ashscott · January 29, 2021, 10:21pm

Great idea!

I don’t have many skills in this area but will help out with testing and data.

I have 3 flaps, 2 feeders and three hubs.

Jamie_Pryer · January 29, 2021, 10:36pm

100% love this idea
I have 1 catflap and 3 feeders, let me know if anything i can do to help at all

Gotcha1980 · January 30, 2021, 9:44am

Seems like a great idea!

I have 1 cat flap, and 4 feeders, and would be happy to test / help in anyway I can!

brunocunhatlm · January 30, 2021, 1:41pm

Me to i have 1hub and 1 feeder tks for the idea
Please hurry

BruceH5200 · January 31, 2021, 8:01am

Happy to help with testing.
Hub + 2 feeders and 2 cats here !

peterl · January 31, 2021, 8:55am

Does anyone have a H004 serial number hub? There seem to be 10 revisions from H001 to H010. If so I wouldn’t mind if you could PM me your serial number and the mac address of the hub.

Gotcha1980 · January 31, 2021, 10:02am

Nope, sorry … mine is H008!

peterl · February 10, 2021, 9:25am

So it appears it might be easier to reverse the air protocol and build a custom gateway. Anyone else with a CC2531 that ideally has the external antenna as then you should be able to pick up the Miwi traffic from the hub and the door / feeder and interested in running a docker image to sniff traffic.

mretallack · February 21, 2021, 5:48pm

Hi,

I have a working system that runs on a Pi and communicates with my SurePet Feeder. It publishes the readings to MQTT.

The Repo is:

Mark

divided_euclid · February 22, 2021, 10:31am

@peterl Happy to help testing. I have a H009 Hub

kimagure · March 1, 2021, 9:11am

If you still need information for a H004 hub, I have this revision.

K.

tinuva · March 1, 2021, 2:56pm

Do you still need someone to help with a pet door? I see the above github repo only works with the feeders currently. Would love to move my door over to mqtt locally. Cloud is more down than up for me for some reason.

peterl · March 1, 2021, 9:52pm

I have a feeder and pet door. So am working on both. Need to confirm everything is the same with the cat flap. But so far it looks to all use the same messages.
The hardware required will probably end up being something very similar to this project. With just a esp32 or 8266 and the MRF24J40. https://doc.riot-os.org/group__boards__esp32__mh-et-live-minikit.html

tinuva · March 4, 2021, 9:38am

I like the idea of the ESP with MRF24J40 more than a Pi3. Really excited.

I do like the MH-ET LIVE MiniKit setup, but can’t find it anywhere. Looks like we either email that email address on that site or look at the easier obtainable arduinos.

tinuva · March 4, 2021, 10:47am

Is this the easiest (not cheapest though) combination that will work?

wifi-ble-click (esp32-wroom-32) + bee-click (MRF24J40MA)

Or should I look at this esp with this socket board on to which I then put the MRF24J40 which seems to be very easily accessible.

peterl · March 12, 2021, 10:48am

I have just published my first initial cut of the Wemos ESP32 Arduino code with the MRF24J40 radio controller.

My focus is similar to Mark having a local hub as the constraints of re-using the existing hub were such that I couldn’t easily use it.

Currently the code segfaults every few minutes due to an issue with the interrupt handler which I think should be fairly easy to solve and plan to do that over the next few days. I also have python code I am working on to take all the messages off the MQTT topic that the Wemos Hub puts on and converts them into Home Assistant messages. The code is incredibly rough but will commit it when I am feeling happier with it.

I have also fabricated the PCBs for the MRF24J40 to plug into the Wemos and have included the gerber file from Gunar Schorcht which I found here: https://doc.riot-os.org/group__boards__esp32__mh-et-live-minikit.html

Questions and feedback or idea

tinuva · March 12, 2021, 11:44am

Do you think in future a CPL and BOM can be included to make it easier to let jlcpcb do the SMT assembly? Just asking for others, for now I will print and diy.

peterl · March 12, 2021, 4:11pm

Unfortunately JLCPCB doesn’t support the MRF24J40MA so you can’t have them do it for you. But the MA is a single PCB that solders directly only the fabricated PCB so it is a super simple job to solder on. I have sourced the MAs from rsonline or Ali and they are a standard component which is slightly on the more expensive side for Zigbee radios.

However if you don’t mind opening your hub or perhaps you bricked it there is one inside there too.

peterl · March 12, 2021, 6:02pm

Added further documentation to the feeder message decode the feeder messages:

github.com

plambrechtsen/pethublocal/blob/e9f61ef9381862ce6caf6d4ce663af251ef863d4/docs/Feeder.md

# Feeder messages - 126 - 2A/2D

The feeder is slightly different as it can send two messages in a single payload where the message length indicates how long the message is and sometimes there is a second message.
The feeder message is always 126 if it is to do with the feeder itself. This is a 2A message over the air. 
If the hub is sending a message to configure the feeder that is a 2D, and the feeder responds with a 2A.

The message is formatted as: - length - type - payload 

Standard message header offsets that don't change per message type:
| Offset | Message |
|-|-|
|LEN| Length of the message in hex including the LEN payload such as 29 for a 41 byte feeder open / close message
|MSG| Message Type described below. 
|01| Always 00
|02| Hex based counter that goes from 00 - FF for the event number off the device itself. When the device is rebooted from a power cycle the number resets to 00. 

## 09 - Learning mode, scales reset, change bowls and boot message

Below are the messages with the operation in field 07 from the pet training (05) modes 1-4 and finishing up, feeder close delay (0d) ,  pressing the scales reset with nothing on the left hand scale (17) and an empty bowl on the right (18) also there is a 19 on boot.

This file has been truncated. show original

And the issue I have around the calculation of the CRC value of the frame and if it is an xored value or not, plus there are two digits I am not sure about for the xor key that I would like to figure out.