Pro 1 Thermostat Local API?

I haven’t seen anywhere online, but there is a bit of a local API for the Pro 1 Thermostats. Their App doesn’t seem to use it unfortunately.

I haven’t been able to find anything super useful yet, but this is what I got so far:

Reboot Device: curl -X POST -H "Content-Type: application/json" -d '{"command":"reboot"}' http://{IP}/sys/command

GETs:

System info: 

sys - Lists a ton of data, but no sensor info
sys/network - current wifi info
sys/scan -used for finding network during provisioning (I presume) nothing happens if already connected
sys/time gives epoch time
sys/interface - provides json {"interface":"station"} also in sys
sys/connection - 4 flags of wifi auth status

AWS Info:

aws_iot/pubCert
aws_iot/thing
aws_iot/region
aws_iot/privKey

Most of this was just pulled from it’s webpage javascripts. I tried to unpack the phone app, but didn’t find anything useful for the Local API. If anyone has any ideas on how to find the other info I’d love to hear it.

Have a look if you find something here:

Honestly, it doesn’t seem like there’s a way to local communication without some exploit which I haven’t given up on.

I did contact the company to see if they’d be willing to add it or at least provide some documentation around it.

From part 1 (IoT: Pro1 T701i Wifi Thermostat, Part 2 | Medium) it at least seems somewhat possible to pretend to be AWS IOT by taking over the dns record but sure what that would take and seems like more work than just using a different thermostat

A lot of time later: I have extracted the firmware and binwalked it.

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
24895         0x613F          PEM certificate
26168         0x6638          PEM RSA private key
360103        0x57EA7         xz compressed data
372603        0x5AF7B         Unix path: /sys/diag/stats/live
379712        0x5CB40         SHA256 hash constants, little endian
380407        0x5CDF7         PEM DSA private key
380468        0x5CE34         PEM EC private key
380657        0x5CEF1         PEM RSA private key
380829        0x5CF9D         PEM certificate request
380891        0x5CFDB         PEM certificate
381652        0x5D2D4         CRC32 polynomial table, little endian
385761        0x5E2E1         xz compressed data
389526        0x5F196         xz compressed data
389968        0x5F350         PEM certificate
775015        0xBD367         xz compressed data
787515        0xC043B         Unix path: /sys/diag/stats/live
794624        0xC2000         SHA256 hash constants, little endian
795319        0xC22B7         PEM DSA private key
795380        0xC22F4         PEM EC private key
795569        0xC23B1         PEM RSA private key
795741        0xC245D         PEM certificate request
795803        0xC249B         PEM certificate
796564        0xC2794         CRC32 polynomial table, little endian
800673        0xC37A1         xz compressed data
804438        0xC4656         xz compressed data
804880        0xC4810         PEM certificate
869208        0xD4358         GIF image data, version "89a", 46 x 46
877033        0xD61E9         gzip compressed data, maximum compression, has original file name: "aws_starter.js", last modified: 2022-09-02 20:48:03
877815        0xD64F7         gzip compressed data, maximum compression, has original file name: "common.js", last modified: 2022-09-02 20:48:03
878553        0xD67D9         gzip compressed data, maximum compression, has original file name: "custom.css", last modified: 2022-09-02 20:48:03
879909        0xD6D25         PNG image, 864 x 18, 8-bit colormap, non-interlaced
880417        0xD6F21         Zlib compressed data, compressed
881877        0xD74D5         PNG image, 864 x 18, 8-bit colormap, non-interlaced
882398        0xD76DE         Zlib compressed data, compressed
883865        0xD7C99         PNG image, 1728 x 36, 8-bit colormap, non-interlaced
884431        0xD7ECF         Zlib compressed data, compressed
887724        0xD8BAC         PNG image, 1728 x 36, 8-bit colormap, non-interlaced
888299        0xD8DEB         Zlib compressed data, compressed
891585        0xD9AC1         gzip compressed data, maximum compression, has original file name: "index.html", last modified: 2022-09-02 20:48:03
892095        0xD9CBF         gzip compressed data, maximum compression, has original file name: "jquery.js", last modified: 2022-09-02 20:48:03
924903        0xE1CE7         gzip compressed data, maximum compression, has original file name: "jquery.mobile.css", last modified: 2022-09-02 20:48:03
938090        0xE506A         gzip compressed data, maximum compression, has original file name: "jquery.mobile.js", last modified: 2022-09-02 20:48:03
979434        0xEF1EA         gzip compressed data, maximum compression, has original file name: "prov.js", last modified: 2022-09-02 20:48:03
986069        0xF0BD5         gzip compressed data, maximum compression, has original file name: "reboot.js", last modified: 2022-09-02 20:48:03
987392        0xF1100         PEM certificate
988328        0xF14A8         PEM RSA private key
989215        0xF181F         PNG image, 40 x 35, 8-bit/color RGBA, non-interlaced
991260        0xF201C         PNG image, 40 x 35, 8-bit/color RGBA, non-interlaced
993458        0xF28B2         PNG image, 40 x 35, 8-bit/color RGBA, non-interlaced
995535        0xF30CF         PNG image, 40 x 35, 8-bit/color RGBA, non-interlaced
997788        0xF399C         PNG image, 40 x 35, 8-bit/color RGBA, non-interlaced
999943        0xF4207         PNG image, 40 x 35, 8-bit/color RGBA, non-interlaced
1002272       0xF4B20         PNG image, 40 x 35, 8-bit/color RGBA, non-interlaced
1004502       0xF53D6         PNG image, 40 x 35, 8-bit/color RGBA, non-interlaced
1065816       0x104358        GIF image data, version "89a", 46 x 46
1073641       0x1061E9        gzip compressed data, maximum compression, has original file name: "aws_starter.js", last modified: 2022-09-02 20:48:03
1074423       0x1064F7        gzip compressed data, maximum compression, has original file name: "common.js", last modified: 2022-09-02 20:48:03
1075161       0x1067D9        gzip compressed data, maximum compression, has original file name: "custom.css", last modified: 2022-09-02 20:48:03
1076517       0x106D25        PNG image, 864 x 18, 8-bit colormap, non-interlaced
1077025       0x106F21        Zlib compressed data, compressed
1078485       0x1074D5        PNG image, 864 x 18, 8-bit colormap, non-interlaced
1079006       0x1076DE        Zlib compressed data, compressed
1080473       0x107C99        PNG image, 1728 x 36, 8-bit colormap, non-interlaced
1081039       0x107ECF        Zlib compressed data, compressed
1084332       0x108BAC        PNG image, 1728 x 36, 8-bit colormap, non-interlaced
1084907       0x108DEB        Zlib compressed data, compressed
1088193       0x109AC1        gzip compressed data, maximum compression, has original file name: "index.html", last modified: 2022-09-02 20:48:03
1088703       0x109CBF        gzip compressed data, maximum compression, has original file name: "jquery.js", last modified: 2022-09-02 20:48:03
1121511       0x111CE7        gzip compressed data, maximum compression, has original file name: "jquery.mobile.css", last modified: 2022-09-02 20:48:03
1134698       0x11506A        gzip compressed data, maximum compression, has original file name: "jquery.mobile.js", last modified: 2022-09-02 20:48:03
1176042       0x11F1EA        gzip compressed data, maximum compression, has original file name: "prov.js", last modified: 2022-09-02 20:48:03
1182677       0x120BD5        gzip compressed data, maximum compression, has original file name: "reboot.js", last modified: 2022-09-02 20:48:03
1184000       0x121100        PEM certificate
1184936       0x1214A8        PEM RSA private key
1185823       0x12181F        PNG image, 40 x 35, 8-bit/color RGBA, non-interlaced
1187868       0x12201C        PNG image, 40 x 35, 8-bit/color RGBA, non-interlaced
1190066       0x1228B2        PNG image, 40 x 35, 8-bit/color RGBA, non-interlaced
1192143       0x1230CF        PNG image, 40 x 35, 8-bit/color RGBA, non-interlaced
1194396       0x12399C        PNG image, 40 x 35, 8-bit/color RGBA, non-interlaced
1196551       0x124207        PNG image, 40 x 35, 8-bit/color RGBA, non-interlaced
1198880       0x124B20        PNG image, 40 x 35, 8-bit/color RGBA, non-interlaced
1201110       0x1253D6        PNG image, 40 x 35, 8-bit/color RGBA, non-interlaced
1261576       0x134008        xz compressed data
1560576       0x17D000        xz compressed data

I was really hoping that /sys/diag/stats/live would be a sensor readout or something but it just returns a 404 when I request in in Firefox. Maybe I will have to try another way

Looks like someone else also has tried: https://www.reddit.com/r/embedded/comments/1enhczx/need_help_parsing_flash_dump/ not the same

More Googling sends me to a different thermostat page with an API. Seems a lot of overlap to be a coincidence GitHub - brannondorsey/radio-thermostat: Radio Thermostat CT50 & CT80 REST API notes

Most of the “new” commands don’t seem to work.

Darn it. Well I have a T701iV3 instead of the V1 in the medium post. This one has a Atmel ATSAMD20J18A-U so the same unpacking program for the firmware file wont work for me.

Seems to have the interworkings still in there:

strings -td firmware_dump.bin | grep "diag"
 372603 /sys/diag/stats/live
 372624 /sys/diag/stats/history
 372648 /sys/diag/info
 787515 /sys/diag/stats/live
 787536 /sys/diag/stats/history
 787560 /sys/diag/info

Found new urls

/pro1/info - gives mac addr, hw_model, aws_status, partitions?

partitions	"wifi:000001,fw:011511,ftfs:000001"

/pro1/private_label - private contractor info (configurable through app)

Looks like it runs freertos

 787996 sdk/external/freertos/Source/queue.c
 788537 sdk/external/freertos/Source/tasks.c
 789151 sdk/external/freertos/Source/timers.c
 789288 sdk/external/freertos/Source/portable/GCC/ARM_CM4F/port.c