[SOLVED: for local access]A/C app named TFIAC, anyone ever heard of it?

I am trying to sniff lan traffic from the Intelligent AC or the Hangzhou BroadLink Technology module, with Whiteshark but there is no luck! In the same network, with the same network with whiteshark I can sniff the packets to HangZhou Gubei Electronics Technology which is connected to TFIAC, and I can easy read the XML/UDP packets. I also tried to sniff the packets from my mobile where Intelligent AC is installed, but I could find nothing! Anyone can help me how to start to find a way to find solutions with the Intelligent AC;
Thanks in advance!

After few days of searching with all of my devices, I found the followings:
1.) Devices with mac address C8:F7:42:XX:XX:XX cannot be added as new devices at TFIAC app, TFIAC is not working anymore! But you can use, those modules them with the new app Intelligent AC, AND they working great with TFIAC component of Hassio!!! So you add them to your network with Intelligent AC, and the you are using without out problem with TFIAC at HASSIO.

climate:

  • platform: tfiac
    host: xxx.xxx.xxx.xxx
  1. Devices with mac address 24:DF:A7:XX:XX:XX they are working with only with Intelligent AC, but they are not working with TFIAC component of HASSIO… :frowning: They are accepting udp messages at port 16617 from their server 18.197.223.13,when the app is working from WAN (4G) but those packet are not in XML format :(. Also when the app is working locally the devices are accepting udp messages at port 80, but also the packet are not in XML format… :frowning:

I will upload Wireshark capture file, for someone with more knowledge, if he can find something… The ip address of the module was 192.168.1.52. If anybody can help me, it will be nice.

I am a little bit unlucky as I bought 2 AC before a year test with hassio, and working great! I bought 4 new ACs before two months and all of them has the new module… So the 4 new are not working with hassio… :frowning:

Thanks in advance!

1 Like

I’ll take a look at the pcap file.

2 Likes

hi, got the same problem as Iakis with TCL Aircon.
I’ve got 2 devices, one of them is from some newer series.
Both works in IntelligentAC app on android, but only older one can be controlled by “tfiac” module in hassio.
My device starts with mac 24:DF:A7 … :confused:
Will be glad if someone can take a look to this pcap that Iakis has sent.
Thank you!

I had a look at the PCAP, but I don’t know how I should parse this:

# Packet 4407
peer0_0: !!binary |
  AQAAAQEk36crn960xPxr1E0IAEUAAHQ9NEAAQBF5esCoAUbAqAE0qOgAUABgcjpapapVWqWqVQAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAIXZAAB6UGoAte3enyun3yQBAAAAXMUAAGWa3XmPu6huCKuV
  hQTxX657Ipw0zPF9ZywkH4lYyWp7
  WqWqVVqlqlUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACF2QAAelBqALXt3p8rp98kAQAAAFzFAABl
  mt15j7uobgirlYUE8V+ueyKcNMzxfWcsJB+JWMlqew==
# Packet 4409
peer0_1: !!binary |
  AQAAAQEk36crn960xPxr1E0IAEUAAHQ9OEAAQBF5dsCoAUbAqAE0qOgAUABgcjpapapVWqWqVQAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAIXZAAB6UGoAte3enyun3yQBAAAAXMUAAGWa3XmPu6huCKuV
  hQTxX657Ipw0zPF9ZywkH4lYyWp7
  WqWqVVqlqlUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACF2QAAelBqALXt3p8rp98kAQAAAFzFAABl
  mt15j7uobgirlYUE8V+ueyKcNMzxfWcsJB+JWMlqew==
# Packet 4411
peer0_2: !!binary |
  AQAAAQEk36crn960xPxr1E0IAEUAAHQ9PEAAQBF5csCoAUbAqAE0qOgAUABgcjpapapVWqWqVQAA
  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAIXZAAB6UGoAte3enyun3yQBAAAAXMUAAGWa3XmPu6huCKuV
  hQTxX657Ipw0zPF9ZywkH4lYyWp7
  WqWqVVqlqlUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACF2QAAelBqALXt3p8rp98kAQAAAFzFAABl
  mt15j7uobgirlYUE8V+ueyKcNMzxfWcsJB+JWMlqew==
# Packet 4416
peer1_0: !!binary |
  AQAAAQEk36crn960xPxr1E0IAEXAAkBu0AAAQAGFYsCoAUbAqAE0AwN16QAAAABFAAO0DFUAAP8R
  KBnAqAE0wKgBRgBQqOgDoAHIWqWqVVqlqlUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYdAAAelDu
  A7Xt3p8rp98kAQAAAOXRAADR5SgfnD8CqdwSDBVD7IwTKbEI5wsrnJhSgufy7DMPieIb+vl4Xs95
  2XmP+IDGDjhYG+N9HpJERfVTgsN040GafQ3qA96iJSuWxeaEKQ5/q5hE2MQwMHftxuXI47pSxbNn
  kck0dMhIDRwflM+0w4yTpnEZPnywBWq4tka6JdZWXWHTHvsY41an1Vs4209oqnMaDxYHQJuFFryq
  znUSa/IEktZvlpSPgqiyPzvf8UGN+s1wpI0V3l6SRiYBavHQbxO2o8TJm5/bKQW5BFNbhXgswUjy
  luncmxG6VTaS6XmVTE0ke9yYZG39417UCAwvvnV7+2Nm7ubuAQssYZ4RYyvm5dREZbeNR/+zGE30
  e9U8RwyKAZttdnuaGHOgRnB7Whdft3vuBgu4CN49giU0SXd0lgmPDlem4sky+X0qHfUChoNnf97g
  ODIBMYPZcGWRSfIN4duL/iI8tRHBbd0VqZzM/aoLECQNtsZmayyxpR4Xf1l5NsSqhDsRB0xB63ub
  won8NaJ0qjaEsZkSeh1zGIm0hz3Lsui/ItY7WVK52Sk8RXjHgUGJDMpCFJf89bV1GelsojsT1XPT
  WY0QyszFM7Q90MbeFcHTHik0C0UK11vHNA==
# Packet 4418
peer1_1: !!binary |
  AQAAAQEk36crn960xPxr1E0IAEXAAkBu0QAAQAGFYcCoAUbAqAE0AwN16QAAAABFAAO0DFYAAP8R
  KBjAqAE0wKgBRgBQqOgDoAHIWqWqVVqlqlUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYdAAAelDu
  A7Xt3p8rp98kAQAAAOXRAADR5SgfnD8CqdwSDBVD7IwTKbEI5wsrnJhSgufy7DMPieIb+vl4Xs95
  2XmP+IDGDjhYG+N9HpJERfVTgsN040GafQ3qA96iJSuWxeaEKQ5/q5hE2MQwMHftxuXI47pSxbNn
  kck0dMhIDRwflM+0w4yTpnEZPnywBWq4tka6JdZWXWHTHvsY41an1Vs4209oqnMaDxYHQJuFFryq
  znUSa/IEktZvlpSPgqiyPzvf8UGN+s1wpI0V3l6SRiYBavHQbxO2o8TJm5/bKQW5BFNbhXgswUjy
  luncmxG6VTaS6XmVTE0ke9yYZG39417UCAwvvnV7+2Nm7ubuAQssYZ4RYyvm5dREZbeNR/+zGE30
  e9U8RwyKAZttdnuaGHOgRnB7Whdft3vuBgu4CN49giU0SXd0lgmPDlem4sky+X0qHfUChoNnf97g
  ODIBMYPZcGWRSfIN4duL/iI8tRHBbd0VqZzM/aoLECQNtsZmayyxpR4Xf1l5NsSqhDsRB0xB63ub
  won8NaJ0qjaEsZkSeh1zGIm0hz3Lsui/ItY7WVK52Sk8RXjHgUGJDMpCFJf89bV1GelsojsT1XPT
  WY0QyszFM7Q90MbeFcHTHik0C0UK11vHNA==

1 Like

Fredrik, Thank you for you time, once again!
Is there anyway or any tool to send those specific packets to the device? To check if there is any response to them?

The red “text” in the image is the binary message sent to the ac, the blue is the response. But I don’t have a single clue what it might mean.

I might be able to write a short pyton script to send the specific data but I don’t know how it would help.

We need someone to explain what is sent and what the response is. The best would be if we could have a dump with just the communication between the app and the ac where each command is documented. Then I might be able to guess how the communication works.

1 Like

I found this: https://m.apkpure.com/intelligent-ac/com.ab.smartDevice

Is that the app that is working? I might be able to look at what it is doing…

yes, it’s in the same version as downloaded from google store.

I’ve decompiled the code which ended up with a 3.4MB javascript file. I’ve been digging a bit in that file but without success of finding what is fired.

Perhaps a new pcap file with both TCP and UDP data to the AC is needed.

This is the data sent to the AC (but it does not seem like the AC replies):

char packet_bytes[] = {
  0x5a, 0xa5, 0xaa, 0x55, 0x5a, 0xa5, 0xaa, 0x55,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0xef, 0xf0, 0x00, 0x00, 0x7a, 0x50, 0x6a, 0x00,
  0x90, 0xd5, 0xde, 0x9f, 0x2b, 0xa7, 0xdf, 0x24,
  0x01, 0x00, 0x00, 0x00, 0x66, 0xd4, 0x00, 0x00,
  0x31, 0x41, 0x3a, 0x0e, 0xfa, 0xc1, 0xe9, 0x72,
  0x30, 0xc3, 0x61, 0xcf, 0x93, 0x71, 0x74, 0x9e,
  0x6c, 0x66, 0x54, 0x41, 0x2f, 0xf3, 0x5d, 0x39,
  0xed, 0x98, 0x98, 0xc4, 0x86, 0x0e, 0x47, 0xd9,
  0x1e, 0x69, 0xbc, 0x7d, 0x50, 0xc0, 0x1d, 0xeb,
  0x63, 0xa1, 0x8a, 0x98, 0xa4, 0x46, 0x90, 0x20,
  0xf3, 0xdb, 0x39, 0x44, 0xd4, 0x93, 0xa7, 0x7f,
  0x99, 0x3e, 0x27, 0x36, 0x8d, 0xc9, 0xc6, 0xa2,
  0xcc, 0xe0, 0x69, 0x07, 0x7f, 0x3b, 0xb6, 0xc8,
  0x70, 0x27, 0x58, 0xc8, 0x2f, 0x6a, 0x19, 0x42
};

Edit: @lakis, are you sure that 192.168.1.52 really is your AC module? The first bytes looks similar (exactly) like the broadlink header (and the following bytes also seems to work fine) with 0x7a, 0x50 as device type and 0x6a as command, according to: https://blog.ipsumdomus.com/broadlink-smart-home-devices-complete-protocol-hack-bc0b4b397af1

Perhaps this will work: https://github.com/liaan/broadlink_ac_mqtt, also found this: https://github.com/liaan/broadlink_ac_mqtt/issues/61 where the message looks very much like this 5aa5aa555aa5aa55000000000000000000000000000000000000000000000000eff000007a506a0090d5de9f2ba7df240100000066d4000031413a0efac1e97230c361cf9371749e6c6654412ff35d39ed9898c4860e47d91e69bc7d50c01deb63a18a98a4469020f3db3944d493a77f993e27368dc9c6a2cce069077f3bb6c8702758c82f6a1942 that is sent to 192.168.1.52:80. Is this app working with your device? https://play.google.com/store/apps/details?id=com.broadlink.acfreedom&hl=en_US

1 Like

Yes this is the app and it is working. And yes I am sure, the ip of the device is 192.168.1.52.
I tried in the past https://github.com/liaan/broadlink_ac_mqtt but i couldn’t make it work. I will try again with this.
AC Freedom it doesn’t pair the device at the final step. So it didn’t work. I will try again and let you know!
I will have a look to the rest info that you shared with us !
Thank you once again for all of your time!!!

Any update on this ?/

greetz

1 Like

awaiting too since while , hope it can be solved

Fredrike, have you ever been able to progress on this? Or perhaps @lakis ? Setting up MQTT is a pain in my current environment.

I’ve not investigated this further…

1 Like

Hey Iakis, did you managed to get it working with https://github.com/liaan/broadlink_ac_mqtt after trying again?

hey,
I did some tests but no success at all. Tried with ports: 80, 16617, 49137 …

1 Like

I just received this adapter to connect an ESP-01 to my Inventor A/C.

I will use this configuration with ESPHome

Hopefully either this or the next weekend I will find the time to give it a try and I will report back :slight_smile:

1 Like

That would be awesome, looking forward to it!

I also tried intercepting the SSL reqs from the app to the AC using a rooted Android, but it’s mostly UDP, so no luck decompiling it, and the broadlink_ac_mqtt doesn’t find it in my LAN.

1 Like

And now we are a few weekends further :slight_smile:
And we are all waiting for the succes :slight_smile: