
Comments (10)

isosel avatar isosel commented on August 15, 2024

It seems that, even if my smart plug is connected to my network, I cannot record any MQTT frames... I don't know why... I am using Wireshark, and Wireshark can sniff MQTT frames, so I don't know why, when I press the on/off button in the Meross app, I cannot see any MQTT frame on my network... but I do see the plug switching on/off...

from merossiot.

albertogeniola avatar albertogeniola commented on August 15, 2024

Hi Isosel,
First of all, Wireshark won't be helpful because it will only monitor the packets passing through your computer, while the traffic is flowing from the mobile app to the Wi-Fi plugs. Advanced users might use particular Wi-Fi adapters that are capable of promiscuous mode and sniff traffic belonging to other Wi-Fi devices, but this usually won't be enough for a MITM attack, because SSL traffic is encrypted end-to-end.

In order to perform a deep analysis, I was able to capture packets using a Raspberry Pi configured as a transparent MITM proxy/gateway. However, I needed to capture TCP traffic (since MQTT is not going to be captured as HTTP), and then I wrote a Python script to dissect the MQTT frames.

In your case, if you only want to capture messages from the app and replay them whenever you want (that is called a replay attack and is usually performed in order to attack weak garage-door openers), then you can use Android traffic-sniffer applications. There are plenty of them that do not require root access.

Good luck with that!


isosel avatar isosel commented on August 15, 2024

Thanks for that answer :D

Then, if I install an emulator on Windows 10, I will probably see some MQTT frames going out from my computer? That will be enough, won't it?

• isoSeL


isosel avatar isosel commented on August 15, 2024

Okay so... I installed BlueStacks and now I am able to see some frames. When I pair my plug with my access point, I see some TCP frames and one HTTP frame containing information about the command sent to the smart plug; see below:

Hypertext Transfer Protocol (Wireshark dissection, HTTP request 1/1, response in frame 63):

POST /config HTTP/1.1
Connection: close
Content-Type: application/json; charset=UTF-8
Content-Length: 308
Host: 192.168.1.122
Accept-Encoding: gzip
User-Agent: okhttp/X.X.X

[Full request URI: http://XXX/config]

File data: 308 bytes, JavaScript Object Notation (application/json):

{"header":{"from":"/app/XXXXXXX-XXX8/subscribe","messageId":"2669XXXXXXXXXXX7","method":"SET","namespace":"Appliance.Control.ToggleX","payloadVersion":1,"sign":"XXXXXX892c02","timestamp":1XXXX3},"payload":{"togglex":{"channel":0,"onoff":1}}}


isosel avatar isosel commented on August 15, 2024

I don't see MQTT frames going out of my computer :/


albertogeniola avatar albertogeniola commented on August 15, 2024

Hi @isosel,
Yesterday, while developing new functionality, I realized that new versions of Meross devices will actually work using simple POST messages over Wi-Fi, without needing a full MQTT client. That is actually what you've seen so far in your intercepted messages. Once you have the frames, you should be able to replay them with the Arduino. Give it a try!


isosel avatar isosel commented on August 15, 2024

It works fine.

I made a POST request with the software Postman.

Request headers:

Connection: close
Content-Type: application/json; charset=UTF-8
Content-Length: 308
Host: 192.168.1.159
Accept-Encoding: gzip
User-Agent: okhttp/3.6.0

Request body:

{"header":{"from":"/app/339299-e1853779db9fc7866cf6dfe0b697b0b8/subscribe","messageId":"36f3d4b5da1545dd127176bdbbf8f2cf","method":"SET","namespace":"Appliance.Control.ToggleX","payloadVersion":1,"sign":"195a5ea4fb950c3cb475cd5daa5d4e64","timestamp":1571919319},"payload":{"togglex":{"channel":0,"onoff":1}}}

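The capture-and-replay flow described in the two comments above (the okhttp POST /config frame seen in the BlueStacks capture, then replayed from Postman), as an added example that is not part of this thread and not code from the merossiot project. It parses a raw HTTP/1.1 request as captured, checks the declared Content-Length against the body, rebuilds the ToggleX message with the keys in the captured order, and re-serialises it compactly so the bytes match what okhttp sent. The sample request is constructed from the values posted above. Two points are assumptions rather than facts from the thread: that the plug listens on TCP port 80, and that `sign` is `md5(messageId + key + timestamp)` as the merossiot library builds its own payloads; the device key is not known here, so only the captured sign is replayed.

```python
"""Parse a captured Meross local-HTTP frame and rebuild it for replay.

Added example, not merossiot project code.  Assumptions (unconfirmed by the
thread): the plug accepts POST /config on TCP/80, and `sign` is
md5(messageId + key + timestamp) in hex, as the merossiot library does it.
"""
import hashlib
import http.client
import json
from typing import Dict, Tuple

# Constructed sample: the request shown in the thread (headers okhttp sent,
# body as posted).  The sign cannot be recomputed without the device key.
CAPTURED_REQUEST = (
    b"POST /config HTTP/1.1\r\n"
    b"Connection: close\r\n"
    b"Content-Type: application/json; charset=UTF-8\r\n"
    b"Content-Length: 308\r\n"
    b"Host: 192.168.1.159\r\n"
    b"Accept-Encoding: gzip\r\n"
    b"User-Agent: okhttp/3.6.0\r\n"
    b"\r\n"
    b'{"header":{"from":"/app/339299-e1853779db9fc7866cf6dfe0b697b0b8/subscribe",'
    b'"messageId":"36f3d4b5da1545dd127176bdbbf8f2cf","method":"SET",'
    b'"namespace":"Appliance.Control.ToggleX","payloadVersion":1,'
    b'"sign":"195a5ea4fb950c3cb475cd5daa5d4e64","timestamp":1571919319},'
    b'"payload":{"togglex":{"channel":0,"onoff":1}}}'
)


def parse_captured(raw: bytes) -> Tuple[str, Dict[str, str], dict]:
    """Split a raw HTTP/1.1 request into (request line, headers, JSON body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    # A truncated capture is the usual reason a replay silently fails.
    declared = int(headers.get("Content-Length", len(body)))
    if declared != len(body):
        raise ValueError(f"Content-Length {declared} != body length {len(body)}")
    return lines[0], headers, json.loads(body)


def compute_sign(message_id: str, key: str, timestamp: int) -> str:
    """ASSUMPTION: md5(messageId + key + timestamp), hex digest, as built by
    the merossiot library.  Verify against the project's HTTP API wiki."""
    return hashlib.md5(f"{message_id}{key}{timestamp}".encode("utf8")).hexdigest()


def build_togglex(header_from: str, message_id: str, timestamp: int,
                  sign: str, channel: int, onoff: int) -> dict:
    """Rebuild the Appliance.Control.ToggleX SET message in the captured key order."""
    return {
        "header": {
            "from": header_from,
            "messageId": message_id,
            "method": "SET",
            "namespace": "Appliance.Control.ToggleX",
            "payloadVersion": 1,
            "sign": sign,
            "timestamp": timestamp,
        },
        "payload": {"togglex": {"channel": channel, "onoff": onoff}},
    }


def build_request(host: str, body: dict) -> Tuple[Dict[str, str], bytes]:
    """Serialise compactly (no spaces, as okhttp did) and set matching headers."""
    raw = json.dumps(body, separators=(",", ":")).encode("utf-8")
    headers = {
        "Connection": "close",
        "Content-Type": "application/json; charset=UTF-8",
        "Content-Length": str(len(raw)),
        "Host": host,
        "Accept-Encoding": "gzip",
        "User-Agent": "okhttp/3.6.0",
    }
    return headers, raw


def replay_captured(raw: bytes) -> Tuple[Dict[str, str], bytes]:
    """Parse a captured frame and rebuild it byte-for-byte for replay."""
    _, headers, msg = parse_captured(raw)
    h, t = msg["header"], msg["payload"]["togglex"]
    body = build_togglex(h["from"], h["messageId"], h["timestamp"], h["sign"],
                         t["channel"], t["onoff"])
    return build_request(headers["Host"], body)


def send(host: str, headers: Dict[str, str], raw: bytes, timeout: float = 5.0) -> Tuple[int, bytes]:
    """POST the rebuilt request to the plug (needs the plug on the LAN)."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("POST", "/config", body=raw, headers=headers)
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


if __name__ == "__main__":
    hdrs, body = replay_captured(CAPTURED_REQUEST)
    print(hdrs["Host"], hdrs["Content-Length"], body[:48])
    # status, reply = send(hdrs["Host"], hdrs, body)   # uncomment on the plug's LAN
```

The rebuilt body is exactly the 308 bytes the capture declared, which is the check worth running before pointing `send` at a device: a replay that works in Postman but not from a microcontroller is often a serialisation difference (spaces, key order) rather than the device rejecting it. Generating a fresh `messageId`/`timestamp` requires recomputing `sign` with the device key, which the thread leaves open.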

isosel avatar isosel commented on August 15, 2024

I'll try with Arduino soon; I'll keep you posted.


isosel avatar isosel commented on August 15, 2024

Hello! It works very well with Arduino; visit my GitHub repository: https://github.com/isosel/meross-mkr1010/blob/master/code.ino


isosel avatar isosel commented on August 15, 2024

Hmmm, now I'm wondering how Meross is hashing the "sign" value.

{"header":{"from":"/app/339299-e1853779db9fc7866cf6dfe0b697b0b8/subscribe","messageId":"36f3d4b5da1545dd127176bdbbf8f2cf","method":"SET","namespace":"Appliance.Control.ToggleX","payloadVersion":1,"sign":"195a5ea4fb950c3cb475cd5daa5d4e64","timestamp":1571919319},"payload":{"togglex":{"channel":0,"onoff":1}}}

I checked your wiki "HTTP API" but I still don't know how to find the "sign" value. If I set the timestamp value to 0 and the messageId to "arduino123456", for example... I don't know what I have to put into the MD5 hasher to find the right "sign" value to make the request work.

@albertogeniola
