Update notes

author: Mike Crute <mcrute@gmail.com> 2013-09-19 00:24:11 -0400
committer: Mike Crute <mcrute@gmail.com> 2013-09-19 00:24:11 -0400
commit: da6d833f8a2d09104dda88925fbf07476159f54f (patch)
tree: d9087d7d23559229668d47caeb7c160a2629ee16
parent: 9503ffd82cc45af3c44f9ecf4574f79ab52153bd (diff)
download: ubntmfi-da6d833f8a2d09104dda88925fbf07476159f54f.tar.bz2
ubntmfi-da6d833f8a2d09104dda88925fbf07476159f54f.tar.xz
ubntmfi-da6d833f8a2d09104dda88925fbf07476159f54f.zip
2 files changed, 102 insertions, 6 deletions
diff --git a/.gitignore b/.gitignore
index 0d20b64..e07a3b2 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
 *.pyc
+.sandbox_name
diff --git a/inform_protocol.txt b/inform_protocol.txt
index 2a846a5..50c1b20 100644
--- a/inform_protocol.txt
+++ b/inform_protocol.txt
@@ -10,11 +10,17 @@ disable.
 Everything appears to be pull-based, even provisioning. This makes sense with
 the cloud controller where the controller has no access to your network. I
 haven't documented yet how anything works within the protocol, that's next.
-This documents the overall procol itself.
+This documents the overall protocol itself.
+The device will inform by executing an HTTP POST with an encrypted payload to
+http://controller:6080/inform at a regular interval (default is 10 seconds) and
+will expect an encrypted payload to be returned. If the device gets a command
+response instead of a noop response it will immediately do another inform; this
+continues until the controller sends the next noop response. Responses never
+appear to contain multiple commands.
-Packet Structure
+Raw Packet Structure
----------------
+--------------------
 4 bytes          magic number            integer
 4 bytes          version                 integer
 6 bytes          hwaddr                  string
@@ -24,20 +30,109 @@ Packet Structure
 4 bytes          data length             integer
 n bytes          encrypted payload       string
+Raw Packet Constraints
+----------------------
 magic must == 1414414933
 data version must < 1
 flags & 0x1 != 0 means encrypted
 flags & 0x2 != 0 means compressed
+Payload Types
+-------------
 The payload is AES encrypted in CBC mode using PKCS5 padding. They key is the
 device auth key from the database or a master key that is hard coded if the
 device hasn't been provisioned yet. The master key is hard coded in the
 controller code in the DeviceManager class and pretty easy to find.
+MASTER_KEY = "ba86f2bbe107c7c57eb5f2690775c712"
 On devices running protocol version 1 the encrypted payload is just JSON data.
 In version 0 of the protocol the data was key=value pairs separated by
 newlines. All of the mFi hardware I have access to uses protocol version 1.
-MASTER_KEY = "ba86f2bbe107c7c57eb5f2690775c712"
+The payloads break down into two categories; those coming into the controller
+and those going out of the controller.
+Output Payloads
+---------------
+Output payloads are those that originate from the controller and are bound for
+the device. These always appear to contain a _type field. I have observed the
+following output payloads.
+    _type: firmware upgrade (upgrade)
+        url: full url to firmware.bin
+        datetime: rfc3339 formatted date, server time
+        server_time_in_utc: server time in UTC as a unix timestamp (string)
+        version: firmware version (string)
+        time: server time as unix timestamp (int)
+        _id: unknown id string (5232701de4b0457a2f2f031f)
+        device_id: device ID from mongodb
+    _type: config update (setparam)
+        port_cfg: configuration for ports as string
+        server_time_in_utc: server time in UTC as a unix timestamp (string)
+    _type: reboot (reboot)
+        datetime: rfc3339 formatted date, server time
+        device_id: device ID from mongodb
+    _type: heartbeat (noop)
+        interval: next checkin time in seconds (integer)
+    _type: command (cmd)
+        _admin: admin data object
+            _id: mongodb id of admin
+            lang: admin language (en_US)
+            name: admin username
+            x_password: admin password
+        _id: unknown id string (5232701de4b0457a2f2f031f)
+        datetime: rfc3339 formatted date, server time
+        server_time_in_utc: server time in UTC as a unix timestamp (string)
+        time: server time as unix timestamp (int)
+        device_id: device ID from mongodb
+        cmd: command to use (mfi-output)
+        mac: device mac address
+        model: device model (Outlet for mPower)
+        off_volt: ?? (int)
+        port: device port to update (int)
+        sId: sensor ID
+        timer: ?? (int)
+        val: output value (int)
+        volt: ?? (int)
+    // val and volt set to 1 to turn on, 0 to turn off
+Input Payloads
+--------------
+Incoming packets appear to be a JSON version of the out put of the `mca-dump`
+command on the device. There is definitely some AirOS legacy in here. I don't
+document the whole input payload since most of it isn't interesting.
+    callback from device: javascript object
+        alarm: list of sensors
+            index: port name
+            sId: sensor ID hash
+            time: device time
+            // For mPort Only
+            tag: kind of reading presented (magnetic, temperature, humidity)
+            type: kind of device (input, analog, output)
+            val: value (float)
+            // For mPower Only
+            entries: list of entry objects
+                tag: kind of reading (output, pf, energy_sum, v_rms, i_rms, active_pwr)
+                type: sensor type (output, analog, rmsSum, rms)
+                val: value (float)
+        hostname: hostname of device ("ubnt" unless changed)
+        ip: IP of device
+        mac: mac address of primary interface
+        mfi: boolean, indicates if an mfi device
+        model: device model name
+        model_display: display name for device
+        serial: device serial number
+        uptime: uptime in seconds since last reboot
+        version: firmware version
author	Mike Crute <mcrute@gmail.com>	2013-09-19 00:24:11 -0400
committer	Mike Crute <mcrute@gmail.com>	2013-09-19 00:24:11 -0400
commit	da6d833f8a2d09104dda88925fbf07476159f54f (patch)
tree	d9087d7d23559229668d47caeb7c160a2629ee16
parent	9503ffd82cc45af3c44f9ecf4574f79ab52153bd (diff)
download	ubntmfi-da6d833f8a2d09104dda88925fbf07476159f54f.tar.bz2 ubntmfi-da6d833f8a2d09104dda88925fbf07476159f54f.tar.xz ubntmfi-da6d833f8a2d09104dda88925fbf07476159f54f.zip

diff --git a/.gitignore b/.gitignore index 0d20b64..e07a3b2 100644 --- a/.gitignore +++ b/.gitignore
@@ -1 +1,2 @@
1	*.pyc	1	*.pyc
		2	.sandbox_name


diff --git a/inform_protocol.txt b/inform_protocol.txt index 2a846a5..50c1b20 100644 --- a/inform_protocol.txt +++ b/inform_protocol.txt
@@ -10,11 +10,17 @@ disable.
10	Everything appears to be pull-based, even provisioning. This makes sense with	10	Everything appears to be pull-based, even provisioning. This makes sense with
11	the cloud controller where the controller has no access to your network. I	11	the cloud controller where the controller has no access to your network. I
12	haven't documented yet how anything works within the protocol, that's next.	12	haven't documented yet how anything works within the protocol, that's next.
13	This documents the overall procol itself.	13	This documents the overall protocol itself.
14		14
		15	The device will inform by executing an HTTP POST with an encrypted payload to
		16	http://controller:6080/inform at a regular interval (default is 10 seconds) and
		17	will expect an encrypted payload to be returned. If the device gets a command
		18	response instead of a noop response it will immediately do another inform; this
		19	continues until the controller sends the next noop response. Responses never
		20	appear to contain multiple commands.
15		21
16	Packet Structure	22	Raw Packet Structure
17	----------------	23	--------------------
18	4 bytes magic number integer	24	4 bytes magic number integer
19	4 bytes version integer	25	4 bytes version integer
20	6 bytes hwaddr string	26	6 bytes hwaddr string
@@ -24,20 +30,109 @@ Packet Structure
24	4 bytes data length integer	30	4 bytes data length integer
25	n bytes encrypted payload string	31	n bytes encrypted payload string
26		32
27		33	Raw Packet Constraints
		34	----------------------
28	magic must == 1414414933	35	magic must == 1414414933
29	data version must < 1	36	data version must < 1
30	flags & 0x1 != 0 means encrypted	37	flags & 0x1 != 0 means encrypted
31	flags & 0x2 != 0 means compressed	38	flags & 0x2 != 0 means compressed
32		39
33		40	Payload Types
		41	-------------
34	The payload is AES encrypted in CBC mode using PKCS5 padding. They key is the	42	The payload is AES encrypted in CBC mode using PKCS5 padding. They key is the
35	device auth key from the database or a master key that is hard coded if the	43	device auth key from the database or a master key that is hard coded if the
36	device hasn't been provisioned yet. The master key is hard coded in the	44	device hasn't been provisioned yet. The master key is hard coded in the
37	controller code in the DeviceManager class and pretty easy to find.	45	controller code in the DeviceManager class and pretty easy to find.
38		46
		47	MASTER_KEY = "ba86f2bbe107c7c57eb5f2690775c712"
		48
39	On devices running protocol version 1 the encrypted payload is just JSON data.	49	On devices running protocol version 1 the encrypted payload is just JSON data.
40	In version 0 of the protocol the data was key=value pairs separated by	50	In version 0 of the protocol the data was key=value pairs separated by
41	newlines. All of the mFi hardware I have access to uses protocol version 1.	51	newlines. All of the mFi hardware I have access to uses protocol version 1.
42		52
43	MASTER_KEY = "ba86f2bbe107c7c57eb5f2690775c712"	53	The payloads break down into two categories; those coming into the controller
		54	and those going out of the controller.
		55
		56	Output Payloads
		57	---------------
		58	Output payloads are those that originate from the controller and are bound for
		59	the device. These always appear to contain a _type field. I have observed the
		60	following output payloads.
		61
		62	_type: firmware upgrade (upgrade)
		63	url: full url to firmware.bin
		64	datetime: rfc3339 formatted date, server time
		65	server_time_in_utc: server time in UTC as a unix timestamp (string)
		66	version: firmware version (string)
		67	time: server time as unix timestamp (int)
		68	_id: unknown id string (5232701de4b0457a2f2f031f)
		69	device_id: device ID from mongodb
		70
		71	_type: config update (setparam)
		72	port_cfg: configuration for ports as string
		73	server_time_in_utc: server time in UTC as a unix timestamp (string)
		74
		75
		76	_type: reboot (reboot)
		77	datetime: rfc3339 formatted date, server time
		78	device_id: device ID from mongodb
		79
		80	_type: heartbeat (noop)
		81	interval: next checkin time in seconds (integer)
		82
		83	_type: command (cmd)
		84	_admin: admin data object
		85	_id: mongodb id of admin
		86	lang: admin language (en_US)
		87	name: admin username
		88	x_password: admin password
		89	_id: unknown id string (5232701de4b0457a2f2f031f)
		90	datetime: rfc3339 formatted date, server time
		91	server_time_in_utc: server time in UTC as a unix timestamp (string)
		92	time: server time as unix timestamp (int)
		93	device_id: device ID from mongodb
		94	cmd: command to use (mfi-output)
		95	mac: device mac address
		96	model: device model (Outlet for mPower)
		97	off_volt: ?? (int)
		98	port: device port to update (int)
		99	sId: sensor ID
		100	timer: ?? (int)
		101	val: output value (int)
		102	volt: ?? (int)
		103
		104	// val and volt set to 1 to turn on, 0 to turn off
		105
		106
		107	Input Payloads
		108	--------------
		109	Incoming packets appear to be a JSON version of the out put of the `mca-dump`
		110	command on the device. There is definitely some AirOS legacy in here. I don't
		111	document the whole input payload since most of it isn't interesting.
		112
		113	callback from device: javascript object
		114	alarm: list of sensors
		115	index: port name
		116	sId: sensor ID hash
		117	time: device time
		118
		119	// For mPort Only
		120	tag: kind of reading presented (magnetic, temperature, humidity)
		121	type: kind of device (input, analog, output)
		122	val: value (float)
		123
		124	// For mPower Only
		125	entries: list of entry objects
		126	tag: kind of reading (output, pf, energy_sum, v_rms, i_rms, active_pwr)
		127	type: sensor type (output, analog, rmsSum, rms)
		128	val: value (float)
		129
		130	hostname: hostname of device ("ubnt" unless changed)
		131	ip: IP of device
		132	mac: mac address of primary interface
		133	mfi: boolean, indicates if an mfi device
		134	model: device model name
		135	model_display: display name for device
		136	serial: device serial number
		137	uptime: uptime in seconds since last reboot
		138	version: firmware version