Owl Intuition Insecure API
January 1, 2017 — 0:05

A year or so ago I bought an electricity monitor from OWL, the single phase monitor with network connectivity called the intuition-e. Part of the appeal of this was that it sent out multicast messages on your home network which allowed you to capture and use this data however you wished. It had always been in the back of my mind that if you buy a network attached device you are at the mercy of that company continuing to provide the server for remote access. With the OWL, even if they completely shut down you could still get some use out of it even if you needed to add some extra hardware.

I moved house a couple of months ago and never unpacked the monitor until a few days ago. I had just been using an OWL Micro+ display previously but was now interested in getting the usage data onto my phone in the form of a homescreen widget. As it turns out my current router (Sky Q hub) blocks multicast messages, at least between wired and wireless devices, but the OWL also has the option to send UDP packets to a specific IP/port which wouldn’t be blocked. Using a combination of Tasker and Minimalistic Text Widgets i succeeded in getting my widget working but that is for another post.

This method only worked while i was connected to my home network so i wanted a way of accessing the data from any location, so direct from the OWL servers. To start with, as i was looking to display info on my phone, I had a look at the OWL Intuition app. Using the Packet Capture app i was able to discover an api address being used:

http://beta.owlintuition.com/api/electricity/history_overview.php?user=<username>&nowl=<network_owl_id>&clientdate=<date>

Similar addresses are available at:

http://beta.owlintuition.com/api/3phase/history_overview.php and http://beta.owlintuition.com/api/solar/history_overview.php

It didn’t take long to find the base mac address for OWLs parent company which confirmed the owl id was just the mac address.

A couple of things struck me as odd. Firstly, no https connection. Secondly, there is no api key like you might expect. My assumption was that were probably sending some custom headers or user agent string in the request, I opened the link in a browser, it displayed fine. Next guess, they are performing a lookup between username and mac address before returning data. I changed the username to random text – data returned fine. I tried a couple of random mac addresses and sure enough I got a hit on some valid data. That shouldn’t happen!

Curiosity got the better of me and I wrote some php to to loop through a number (256) of mac address and print the result.

<?php
for ($x = 0; $x < 256; $x++) {
$hex = str_pad(dechex($x), 2, ‘0’, STR_PAD_LEFT);
$url = “http://beta.owlintuition.com/api/electricity/history_overview.php?user=test&nowl=<base_mac_address>”.$hex.”&clientdate=2016-12-30″;
echo file_get_contents($url).” <br>”;
}
?>

Surely the server will reject so many consecutive requests? Nope: dump. 256 lines returned, 122 of which contain valid data. The others either invalid mac addresses or haven’t been operational for the last while.

I’m going to have a further poke around but i thought it was interesting enough share now.

Happy New Year!

 

 

Use Sky HD Remote with Sky Q
December 15, 2016 — 10:20

I believe Sky originally supported using the Sky HD remote with the Sky Q box but disabled it in a firmware update. Using any of the Ken Shirriff based arduino IR libraries we can easily create a circuit to map the Sky HD remote to the Sky Q commands.

The code is below and commented quite well but if there is any questions please ask.


/*
Sky HD to Sky Q mapper

Allows use of Sky HD remote with the Sky Q

Chet Kelly
www.chet.ie
*/

#include <IRremote.h>

//base value of all Sky HD codes
#define SKYHDBASE 0xC05C00

//base value of all Sky Q codes
#define SKYQBASE 0xC0081A00

byte buttonVal;

long sendButton;

/*
* Default is Arduino pin D11.
* You can change this to another available Arduino Pin.
* Your IR receiver should be connected to the pin defined here
*/
int RECV_PIN = 11;

IRrecv irrecv(RECV_PIN);
IRsend irsend;
decode_results results;

void setup()
{
irrecv.enableIRIn(); // Start the receiver
}
void process(decode_results *results) {

//We are only interested in Sky HD codes which are all 24 bit RC6
if (results->decode_type == RC6 && results->bits == 24) {

//assign 24 bit value to 8 bit variable to take least significant byte
buttonVal = results->value;

//check if its likely to be a valid Sky HD code by comparing the base
/*
check if its likely to be a valid Sky HD code by comparing the base e.g.

received = 0xC05C5C

assigned to buttonVal = 0x5C

0xC05C5C - 0x5C = 0xC05C00 = Sky HD base

*/
if(results->value - buttonVal == SKYHDBASE){

//Sky HD least significant byte matches corresponding button on Sky Q
sendButton = SKYQBASE + buttonVal;

//send IR
irsend.sendRC6(sendButton, 32);
//we need to re-enable receiving after sending
irrecv.enableIRIn();
}
}
}

void loop() {
if (irrecv.decode(&results)) {
process(&results);
irrecv.resume();
}
}

Sky Q Remote Codes
December 15, 2016 — 9:48

Here’s a table of the IR remote codes for a Sky Q satellite box which may be of use. All codes are 32 bit RC6.

Note: The remote sends the power command four times.

Button HEX
Sky C0081A80
Power C0081A0C
Search C0081A7E
Rewind C0081A3D
Play/Pause C0081A3E
Forward C0081A28
Up C0081A58
Down C0081A59
Left C0081A5A
Right C0081A5B
Select C0081A5C
Back/Return C0081A83
Home C0081ACC
C0081AF5
I (information) C0081ACB
Channel UP C0081A20
Channel DOWN C0081A21
Record C0081A40
RED C0081A6D
GREEN C0081A6E
YELLOW C0081A6F
BLUE C0081A70
1 C0081A01
2 C0081A02
3 C0081A03
4 C0081A04
5 C0081A05
6 C0081A06
7 C0081A07
8 C0081A08
9 C0081A09
0 C0081A00
HELP C0081A81
ITEAD Sonoff and Slampher Review (and Teardown)
January 10, 2016 — 23:40

ITEAD, purveyors of electronics kits and bits, and one of the original sources of the super cheap PCBs, have come up with their own range of IoT remote controlled mains switches. The Sonoff, a 10A capable multipurpose switch and the Slampher, a 2A lamp switch for anything with an E27 screw in socket. They have sent me one of each for the purposes of reviewing as they are currently running an indiegogo campaign for both. In addition to being IoT devices these can also be controlled by the included RF remote control.

Both devices are functionally identical so apart from the physical connections and power switching capabilities what applies for one also applies for the other.

Initial Setup

The setup guide is located here so I won’t go into too much detail. You can use them immediately and offline with the RF remote, it is simply a matter of teaching the device which button on the (4 button) remote toggles the output by holding the relevant button down when the device is in “learning” mode. Wifi control setup requires an android/iphone (tested with android here) device. Note that account verification uses an sms message so a phone is required for initial account creation. There is no requirement for the phone component after this so hipsters rocking a nokia 5110/ipad combo will be able to use this. I do question the reasons why this is done over the more usual email verification but Xiaomi also do the same so perhaps its more common in China.

Wifi setup involves putting the device into some sort of access point mode, the details of this are handled within the app, where you input you wifi passkey. The device then appears in your app where it can be renamed, turned on/off or a timer set. All in all the app end was quite a seamless process, the only problem i had was that the button on the sonoff was a bit awkward to use, it needed to be about 1mm further out of the casing, i’m unsure if any changes are planned from this sample unit but i found it necessary to cut the cover sticker so i could see what i was doing and use a pen to press the button.

20151227_202911

Usage

I used both devices with both the RF remote and via wifi/phone. The RF performance is a bit flakey at best. It requires holding the button down before you’ll get a successful switching. Its a nice extra to have it in cases where wifi is down or you want a third party to have control over your device temporarily. For me it was much easier to use the phone app.

I put the devices into use over christmas. The screw in bulb connection is not that common here and i had only one light fitting which is a floor lamp from IKEA. Generally having remote control over lights is not something we require but i came up with a great idea for Christmas morning where i told the kids that they couldn’t get up until the lamp in the hall came on and I set a timer in the app for the lamp to come on at 8am. Around 7:30 i could hear them talking in their bedroom so i went down where they were patiently waiting. I went back to our room where i made sure the wife and baby were ready to start Christmas. Once ready i turned the lamp on via the app and the kids were into us in a matter of seconds! If it wasn’t for the slampher i fear we would have been up about 5am! A useful feature is that the timer settings are saved to the server so if you run the app on separate devices they will sync up and more importantly even if your phone is off the device will still switch.

For the last year or more i have been using a spark core to control our central heating boiler with a solid state relay (a separate post on this is coming at some point). This was turned on and off with http post requests from my phone. I have now replaced this with the sonoff and have set timers in the app so it comes on in the morning. Manual control is obviously also available. Over the last two weeks it hasn’t failed to come on at the right time or via manual control in the app.

20151228_185129

Teardown

Sonoff:

20151227_203008 20151227_203311 20151227_203330 20151227_203402 20151227_203421

Slampher:

20151227_210620 20151227_210637 20151227_210703

So whats inside? Each shares the same hardware with the only difference being the relay in one and triac in the other.

The relay in the sonoff is a Hongfa HF32F and the triac is a JST131U (chinese link). Interestingly this is listed as a 1A part, not the 2A that is claimed.

The RF module is RXC6 433MHz module which can be bought for a couple of dollars from any of the usual sources.

Wifi is handled by everyones new favourite ESP8266 but here it it integrated into the circuit design and not just a plug in module.

All of this is tied together with a Silabs EFM8 8bit microcontroller

Programming headers for both the ESP8266 and the EFM8 are broken out.

Overall Impressions

I have to say, i’m quite impressed by these devices. They have been faultless in operation and control over wifi is as good as instant. One thing i would love to see is access to the API so they can be controlled by other apps. I use Tasker on android for my automation but i have no way to integrate these as yet. I did spend a bit of time wiresharking the app but that needs more time spent on it. I have a feeling the app opens a TCP socket and commands are sent via this. Initial app config (timers) are downloaded via http on startup and the app also sends phone info out (imei amongst other stuff) which may be an issue for some.

Even without direct access i still see this as extremely useful. So much so that i’m backing the campaign on indiegogo as an extra couple of sonoffs will definitely get used.

Heating Oil Level Gauge
April 28, 2013 — 22:26

It seems I can’t just leave the central heating alone. When we got the heating in (after 2 years of zero heating here, cooold) the tank was fitted with a wireless level monitor which measured the level of the tank using an ultrasonic sensor and sent the data back to a base station plugged into a wall socket using its combined battery pack/aerial. This worked fine for a couple of months until the battery pack went dead. A new battery pack worked for a couple of days and it never worked again – exactly the same as the unit fitted to my parents tank , an absolute waste of money. I switched to dipping a stick into the tank which proved far more reliable but slightly inconvenient over the last two years.

A few weeks back i was browsing ebay, as i do, and found some ultrasonic distance sensors for about €4 delivered. (I have no direct link as the auction has expired but searching for SR04 will bring up any amount of similar units.) I had no plan for them immediately but I bought some just to have anyway. It was only after they came that it struck me that a way of remotely monitoring the oil level would be  a nice project.

The units are very simple to use. There is 4 pins: 5v, GND, Trigger and Echo. By applying a 10uS pulse to the trigger pin you activate the sensor to take a distance reading. The sensor replies on the echo pin with a pulse that is as long as the time taken for the sound wave to travel to the distant object and return to the sensor. Knowing the speed of sound we can then calculate the distance.

more…

DIY Heating Timer v2.0
March 4, 2013 — 2:16

Following on from my previous post on my DIY timer I wanted to make something that I could mount to the wall and not have my wife be ashamed of it! In passing on one of the car forums I frequent I said that I could modify my original heating timer to be controlled by a google calendar for less than €100. As you know that timer died while experimenting so i was left having to make one from scratch if i was to come good on my claim. Thinking about it an arduino combined with an ethernet shield and touchscreen shield could come together to make a very nice controller with a tidy looking interface. The hardware for that should come in under €100. 20 each for the shields and arduino and a further 10 for a solid state relay. It was while browsing DX.com i came across this. A 4.3″ touchscreen android tablet for less than 35 euro delivered – mind blown, I knew what i had to do.

jxds18

 

Hardware wise I needed a way of allowing the tablet to turn on the relay. I couldn’t use bluetooth as the tablet didn’t have it and it would be too unreliable anyway. The next choice for getting an output would be the vibration motor but again, the tablet didn’t have one. All that i was left with was using the speaker output to trigger the heater. To do this i had the software (detailed later) output two tones. Depending on the frequency of this tone we would know if the heating should be on or off. The speaker output is passed into an op-amp used as a comparator to give a nice 5v square wave that is input into an Attiny85 via one of the Boards.ie keyrings/dev boards i had made up. The attiny measures the incoming pulse and decides whether to turn the output on or not. The solid state relay can be directly controlled with an attiny pin. Here you can see the hardware during the prototype stage.

more…

Work Placement Needed
February 4, 2013 — 12:11

Due to a mix up/mess up with my university I’m left to either find a work placement on short notice or try find some modules this semester which I should’ve started over two weeks ago – something I don’t want to do as not only does it mean missed class time, it means choosing modules I normally would not have chosen both this year and next.

Ideally I’d love to get in somewhere small where I can get stuck in, and I find myself drawn to learning PCB layout and design but I am open to anything relevant and interesting. I’m based in the east, so I would be looking for Dublin/Wicklow/Wexford/Carlow area. I’m a mature student with a wife and 3 year old so moving away for 6 months currently isn’t an option.

I have an engineering science degree in electronics and this placement is part of my electronic and computer engineering masters.

If  anyone knows of any companies willing to take on someone I’d love to hear about them. I can be emailed at blog@chet.ie

Thanks!

LED Light Ready For Hacking
January 18, 2013 — 20:35

I bought one of these in Argos to see if there was anything interesting that could be one with it. It turns out that the thing is ripe for hacking if you wanted.

argos

more…

Heating Timer Mods -> Homemade Timer
January 14, 2013 — 11:06

For years our heating timer was sitting on the wall being not particularly useful. It was so awkward to reprogram new times into it that it had come to a point where it had a basic program on it and was mostly manually controlled by switching it on for 1/2/3 hours at a time. Finally i had enough of it and with some spare time on my hands i set about adding some remote control functionality to it. The first plan was to gain control over the “+hrs” button we were used to using and then see what was possible. In preparation i ordered an arduino ethernet shield but i wasn’t sure what i was going to do with it.

A popular method of controlling a switch with a microcontroller is to replace it with a transistor. As i didn’t want to interfere with the normal operation of the switch i traced back the pads on the switch to two vias on the PCB which allowed me to solder some thin wires in to attach the transistor to. To test i brought out GND and the base wire and reassembled. Running some simple code to toggle the switch let me cycle through the times and turn it off as expected.

more…

Scraping HTML from Websites with PHP
January 13, 2013 — 21:06

Here’s a simple and useful PHP script that i’ve used a number of times to pull data from an external site to use elsewhere. I first used it with my Cartell.ie android app. To minimise data use on the phone the entered reg number is sent to one of my webservers which requests the cartell.ie site, submitting the given reg and returning just the vehicle information.

The phone requests server/file.php?registration=<reg number> Where the registration number is first read into the variable ‘reg’


$reg = $_REQUEST['registration'];

more…