diff options
author | Mike Crute <mcrute@gmail.com> | 2013-09-19 00:24:11 -0400 |
---|---|---|
committer | Mike Crute <mcrute@gmail.com> | 2013-09-19 00:24:11 -0400 |
commit | da6d833f8a2d09104dda88925fbf07476159f54f (patch) | |
tree | d9087d7d23559229668d47caeb7c160a2629ee16 | |
parent | 9503ffd82cc45af3c44f9ecf4574f79ab52153bd (diff) | |
download | ubntmfi-da6d833f8a2d09104dda88925fbf07476159f54f.tar.bz2 ubntmfi-da6d833f8a2d09104dda88925fbf07476159f54f.tar.xz ubntmfi-da6d833f8a2d09104dda88925fbf07476159f54f.zip |
Update notes
-rw-r--r-- | .gitignore | 1 | ||||
-rw-r--r-- | inform_protocol.txt | 107 |
2 files changed, 102 insertions, 6 deletions
@@ -1 +1,2 @@ | |||
1 | *.pyc | 1 | *.pyc |
2 | .sandbox_name | ||
diff --git a/inform_protocol.txt b/inform_protocol.txt index 2a846a5..50c1b20 100644 --- a/inform_protocol.txt +++ b/inform_protocol.txt | |||
@@ -10,11 +10,17 @@ disable. | |||
10 | Everything appears to be pull-based, even provisioning. This makes sense with | 10 | Everything appears to be pull-based, even provisioning. This makes sense with |
11 | the cloud controller where the controller has no access to your network. I | 11 | the cloud controller where the controller has no access to your network. I |
12 | haven't documented yet how anything works within the protocol, that's next. | 12 | haven't documented yet how anything works within the protocol, that's next. |
13 | This documents the overall procol itself. | 13 | This documents the overall protocol itself. |
14 | 14 | ||
15 | The device will inform by executing an HTTP POST with an encrypted payload to | ||
16 | http://controller:6080/inform at a regular interval (default is 10 seconds) and | ||
17 | will expect an encrypted payload to be returned. If the device gets a command | ||
18 | response instead of a noop response it will immediately do another inform; this | ||
19 | continues until the controller sends the next noop response. Responses never | ||
20 | appear to contain multiple commands. | ||
15 | 21 | ||
16 | Packet Structure | 22 | Raw Packet Structure |
17 | ---------------- | 23 | -------------------- |
18 | 4 bytes magic number integer | 24 | 4 bytes magic number integer |
19 | 4 bytes version integer | 25 | 4 bytes version integer |
20 | 6 bytes hwaddr string | 26 | 6 bytes hwaddr string |
@@ -24,20 +30,109 @@ Packet Structure | |||
24 | 4 bytes data length integer | 30 | 4 bytes data length integer |
25 | n bytes encrypted payload string | 31 | n bytes encrypted payload string |
26 | 32 | ||
27 | 33 | Raw Packet Constraints | |
34 | ---------------------- | ||
28 | magic must == 1414414933 | 35 | magic must == 1414414933 |
29 | data version must < 1 | 36 | data version must < 1 |
30 | flags & 0x1 != 0 means encrypted | 37 | flags & 0x1 != 0 means encrypted |
31 | flags & 0x2 != 0 means compressed | 38 | flags & 0x2 != 0 means compressed |
32 | 39 | ||
33 | 40 | Payload Types | |
41 | ------------- | ||
34 | The payload is AES encrypted in CBC mode using PKCS5 padding. They key is the | 42 | The payload is AES encrypted in CBC mode using PKCS5 padding. They key is the |
35 | device auth key from the database or a master key that is hard coded if the | 43 | device auth key from the database or a master key that is hard coded if the |
36 | device hasn't been provisioned yet. The master key is hard coded in the | 44 | device hasn't been provisioned yet. The master key is hard coded in the |
37 | controller code in the DeviceManager class and pretty easy to find. | 45 | controller code in the DeviceManager class and pretty easy to find. |
38 | 46 | ||
47 | MASTER_KEY = "ba86f2bbe107c7c57eb5f2690775c712" | ||
48 | |||
39 | On devices running protocol version 1 the encrypted payload is just JSON data. | 49 | On devices running protocol version 1 the encrypted payload is just JSON data. |
40 | In version 0 of the protocol the data was key=value pairs separated by | 50 | In version 0 of the protocol the data was key=value pairs separated by |
41 | newlines. All of the mFi hardware I have access to uses protocol version 1. | 51 | newlines. All of the mFi hardware I have access to uses protocol version 1. |
42 | 52 | ||
43 | MASTER_KEY = "ba86f2bbe107c7c57eb5f2690775c712" | 53 | The payloads break down into two categories; those coming into the controller |
54 | and those going out of the controller. | ||
55 | |||
56 | Output Payloads | ||
57 | --------------- | ||
58 | Output payloads are those that originate from the controller and are bound for | ||
59 | the device. These always appear to contain a _type field. I have observed the | ||
60 | following output payloads. | ||
61 | |||
62 | _type: firmware upgrade (upgrade) | ||
63 | url: full url to firmware.bin | ||
64 | datetime: rfc3339 formatted date, server time | ||
65 | server_time_in_utc: server time in UTC as a unix timestamp (string) | ||
66 | version: firmware version (string) | ||
67 | time: server time as unix timestamp (int) | ||
68 | _id: unknown id string (5232701de4b0457a2f2f031f) | ||
69 | device_id: device ID from mongodb | ||
70 | |||
71 | _type: config update (setparam) | ||
72 | port_cfg: configuration for ports as string | ||
73 | server_time_in_utc: server time in UTC as a unix timestamp (string) | ||
74 | |||
75 | |||
76 | _type: reboot (reboot) | ||
77 | datetime: rfc3339 formatted date, server time | ||
78 | device_id: device ID from mongodb | ||
79 | |||
80 | _type: heartbeat (noop) | ||
81 | interval: next checkin time in seconds (integer) | ||
82 | |||
83 | _type: command (cmd) | ||
84 | _admin: admin data object | ||
85 | _id: mongodb id of admin | ||
86 | lang: admin language (en_US) | ||
87 | name: admin username | ||
88 | x_password: admin password | ||
89 | _id: unknown id string (5232701de4b0457a2f2f031f) | ||
90 | datetime: rfc3339 formatted date, server time | ||
91 | server_time_in_utc: server time in UTC as a unix timestamp (string) | ||
92 | time: server time as unix timestamp (int) | ||
93 | device_id: device ID from mongodb | ||
94 | cmd: command to use (mfi-output) | ||
95 | mac: device mac address | ||
96 | model: device model (Outlet for mPower) | ||
97 | off_volt: ?? (int) | ||
98 | port: device port to update (int) | ||
99 | sId: sensor ID | ||
100 | timer: ?? (int) | ||
101 | val: output value (int) | ||
102 | volt: ?? (int) | ||
103 | |||
104 | // val and volt set to 1 to turn on, 0 to turn off | ||
105 | |||
106 | |||
107 | Input Payloads | ||
108 | -------------- | ||
109 | Incoming packets appear to be a JSON version of the out put of the `mca-dump` | ||
110 | command on the device. There is definitely some AirOS legacy in here. I don't | ||
111 | document the whole input payload since most of it isn't interesting. | ||
112 | |||
113 | callback from device: javascript object | ||
114 | alarm: list of sensors | ||
115 | index: port name | ||
116 | sId: sensor ID hash | ||
117 | time: device time | ||
118 | |||
119 | // For mPort Only | ||
120 | tag: kind of reading presented (magnetic, temperature, humidity) | ||
121 | type: kind of device (input, analog, output) | ||
122 | val: value (float) | ||
123 | |||
124 | // For mPower Only | ||
125 | entries: list of entry objects | ||
126 | tag: kind of reading (output, pf, energy_sum, v_rms, i_rms, active_pwr) | ||
127 | type: sensor type (output, analog, rmsSum, rms) | ||
128 | val: value (float) | ||
129 | |||
130 | hostname: hostname of device ("ubnt" unless changed) | ||
131 | ip: IP of device | ||
132 | mac: mac address of primary interface | ||
133 | mfi: boolean, indicates if an mfi device | ||
134 | model: device model name | ||
135 | model_display: display name for device | ||
136 | serial: device serial number | ||
137 | uptime: uptime in seconds since last reboot | ||
138 | version: firmware version | ||