nielsole / ecoflow-bt-reverse-engineering Goto Github PK

Hi all :)
Yes, BLE - right way.

Hassio - stuck on open port 8055
v1ckxy - stuck on declaring the basic principles of working offline
tolwi - realize only user corporate MQTT

BUT - exist much more interesting solutions. Absolute independence of the device from the corporation, from the presence of the Internet. With support for a much wider range of devices. and using DEVICE mqtt (LOCAL mqtt server :)) ).
So. let's start:
Please install mobile app - nrf connect. Find and connect to device. Look to RAW ble header. So....
0 - RAW - (topic,lenght)data(topic,lenght)data(topic,lenght)data....
02-01-06 1B-FF-B5-B5-12 52-33-33-31-5A-45-42-34-5A-45-42-47-30-FF-FF-FF 63-00-20-BC-5F-01-93 11-FF-C5-C5-12 36-02-13-50-34-47-FF-FF-FF-FF-FF-FF 5D-0C-09 52-33-33-2D-30-34-35-34-00- 14-0D
a) Device SN - 52-33-33-31-5A-45-42-34-5A-45-42-47-30-FF-FF-FF (utf8)
b) battery level - 63 and some other data
c) 36-02-13-50-34-47-FF-FF-FF-FF-FF-FF - CPU Id
d) 52-33-33-2D-30-34-35-34 - short name of device (utf8)
1 - install JADX (dex to java) application and decompile in ecoflow.apk - *.dex files (look on com/ecoflow folder)
2 - If you're not normal at all - IDA (not free) or Ghidra Software Reverse Engineering Framework (free) to disasm base packet engine placed on \lib\arm64-v8a\libnative-lib.so in apk file
So. let's focus on the first option.
Examine the files and you will get a list of many commands, like for mqtt, iot, ble for - ALL different devices.
everything else is correct. But this is not enough.
1 - the device model is determined by the first two or three bytes of the serial number (attachment).
2 - to send commands, to receive data (full) - MANDATORY! needs to be configured MTU (Maximum Transmission Unit) 136 for start - will be enough (for DELTA 2). Chinese programmers didn't properly implement package merging :)
3 - the number of commands is not limited to those described and implemented by hassio.
So - for start i recommend doing the module under the number 53(decimal) (ble/wifi module)

53 - 53 - 0 : Reconnect to mqtt
53 - 53 - 5 : (0/1) enable-disable wifi module. And Yes. This open some intresing ports of device;
PORT STATE SERVICE VERSION
340/tcp filtered unknown
1062/tcp filtered veracity
1216/tcp filtered etebac5
1600/tcp filtered issd
2030/tcp filtered device2
3333/tcp filtered dec-notes
4006/tcp filtered pxc-spvr
5051/tcp filtered ida-agent
5432/tcp filtered postgresql
6543/tcp filtered mythtv
9968/tcp filtered unknown
10002/tcp filtered documentum
10617/tcp filtered unknown
50000/tcp filtered ibm-db2
52869/tcp filtered unknown

53 - 53 - 8 - wifi networks - (id)(name lenght)(name)... (id)(name lenght)(name)...
53 - 53 - 4 WiFI connection - MAC/IP/WiFi Name (32 bytes)/Password(32 bytes)
53 - 53 - 10 - (0/1) connect/disconnect MQTT connection
53 - 53 - 51 - disable BLE module. Restatr device manualy to enable BLE
53 - 53 - 52 - BLE RAW Data - COD(class of device)/MAC/MAC?/RAW
53 - 53 - 112 - isenabled - wifi/?/mqqt
53 - 53- 32 - callback - when device connecting
53 - 53 - 11 - in private email message :)

53 - 1 - 65 - FRONT PANEL SN and CPU
53 - 1 - 64 - Frp - SN
53 - 1 - 5 - WIFI Ver
53 - 1 - 20 - reconnect

And many other interesting, not mention in apk file sources,,,because exist device firmware, and in this firmware realize some options ONLY for internal using and absolutly not for public and not for ecoflow GUI developers :)

FINALY.
1- i has MY OWN mqtt SERVER.
2 - divice connected to it, and thinks it's a corporate server.
3 - i has mqtt client, which is connected to the corporate server, but not as a user - as a real device.
4 - my client and server communicate with each other to monitor everything that and how the corporate system manages the device.

subscribed:
/ota/module/inform/80/R331ZEB4ZEBFFFFF/reply
/ota/wifi/inform/80/R331ZEB4ZEBFFFFF/reply
/ota/wifi/upgrade/80/R331ZEB4ZEBFFFFF
/ota/wifi/progress/80/R331ZEB4ZEBFFFFF/reply
/ota/device/inform/80/R331ZEB4ZEBFFFFF/reply
/ota/device/upgrade/80/R331ZEB4ZEBFFFFF
/ota/device/progress/80/R331ZEB4ZEBFFFFF/reply
/sys/80/R331ZEB4ZEBFFFFF/thing/event/post_reply
/sys/80/R331ZEB4ZEBFFFFF/thing/property/set
/sys/80/R331ZEB4ZEBFFFFF/thing/property/get
/sys/80/R331ZEB4ZEBFFFFF/thing/battery/get

/sys/80/R331ZEB4ZEBFFFFF/thing/property/get@AtMostOnce
/sys/80/R331ZEB4ZEBFFFFF/thing/property/set@AtMostOnce
/sys/80/R331ZEB4ZEBFFFFF/thing/event/post_reply@AtMostOnce
/sys/80/R331ZEB4ZEBFFFFF/thing/battery/get@AtMostOnce
/ota/wifi/upgrade/80/R331ZEB4ZEBFFFFF@AtMostOnce
/ota/wifi/progress/80/R331ZEB4ZEBFFFFF/reply@AtMostOnce
/ota/device/upgrade/80/R331ZEB4ZEBFFFFF@AtMostOnce
/ota/device/progress/80/R331ZEB4ZEBFFFFF/reply@AtMostOnce

post topics
/sys/80/R331ZEB4ZEBFFFFF/thing/property/post
/ota/wifi/inform/80/R331ZEB4ZEBFFFFF
/ota/device/inform/80/R331ZEB4ZEBFFFFF
/ota/module/inform/80/R331ZEB4ZEBFFFFF

commands like operateType : analysisExtSc/analysisIntSc/analysisVol etc... (do not exist in app - only for device) and many other.
1
when device connecting to mqtt throw BLE command (connect to wifi) in this command exist path to certificate (the same like for user) but path -
https://api.ecoflow.com/iot-auth/**device**/certification
If change this path in command to own (for example - 192.168.2.33:8080/cert)
and intercept this connection you can see request from device -
?sn=R331ZEB4ZEBFFFFF&cpuId=360213503447303832155FFF&timeStamp=123132333"&sign=Y7VJLGVhsQy_N3KKVngeOtPjG0BaH0AwTDiqEss44ds
2
run this request to corporate host and you recive json data like for user but some differ
{"code":"0","data":{"clientId":"R331ZEB4ZEFFFFFF","password":"d23f87052c92489ea1cf43f1463fFFFF","port":"8883","productKey":"80","protocol":"mqtts","url":"mqtt.ecoflow.com","username":"device-eb3bb8586a874f9ab0f3755fc3FFFFFF"},"message":""}
This is credetials for mqqt server for DEVICE (not for user). And this operations needed only once.
3 -
Now you has 2 ways.
1 - just using mqtt with connection to corporate host like device
2 - replace in request mqtt server and port to own. for example ,"url":"192.168.33.33" etc
3 - device remember this and not needed this do every time - just once.
4 - after this - the most interesting will begin

So.
I am completely independent, I know everything that happens. I don't need a corporation, and it doesn't need to know what and how I have. I don't need internet. I don't need authentication and verification.
I wish you all the same :)

Very important! Don't use brute force to find interesting commands and modules. There is a command (without parameters) - which is simple in the inverter - changes the voltage and in an instant - your capacitors (in the literal sense) explode. Yes - it looks like a self-destruct command :) It's funny, but who knows this command and just has a phone with bluetooth - can really burn the device with one click. someone else's device :) (module 4 ..commandset 13+ )

Assets.zip