Owl Intuition Insecure API
January 1, 2017 — 0:05

A year or so ago I bought an electricity monitor from OWL, the single phase monitor with network connectivity called the intuition-e. Part of the appeal of this was that it sent out multicast messages on your home network which allowed you to capture and use this data however you wished. It had always been in the back of my mind that if you buy a network attached device you are at the mercy of that company continuing to provide the server for remote access. With the OWL, even if they completely shut down you could still get some use out of it even if you needed to add some extra hardware.

I moved house a couple of months ago and never unpacked the monitor until a few days ago. I had just been using an OWL Micro+ display previously but was now interested in getting the usage data onto my phone in the form of a homescreen widget. As it turns out my current router (Sky Q hub) blocks multicast messages, at least between wired and wireless devices, but the OWL also has the option to send UDP packets to a specific IP/port which wouldn’t be blocked. Using a combination of Tasker and Minimalistic Text Widgets i succeeded in getting my widget working but that is for another post.

This method only worked while i was connected to my home network so i wanted a way of accessing the data from any location, so direct from the OWL servers. To start with, as i was looking to display info on my phone, I had a look at the OWL Intuition app. Using the Packet Capture app i was able to discover an api address being used:

http://beta.owlintuition.com/api/electricity/history_overview.php?user=<username>&nowl=<network_owl_id>&clientdate=<date>

Similar addresses are available at:

http://beta.owlintuition.com/api/3phase/history_overview.php and http://beta.owlintuition.com/api/solar/history_overview.php

It didn’t take long to find the base mac address for OWLs parent company which confirmed the owl id was just the mac address.

A couple of things struck me as odd. Firstly, no https connection. Secondly, there is no api key like you might expect. My assumption was that were probably sending some custom headers or user agent string in the request, I opened the link in a browser, it displayed fine. Next guess, they are performing a lookup between username and mac address before returning data. I changed the username to random text – data returned fine. I tried a couple of random mac addresses and sure enough I got a hit on some valid data. That shouldn’t happen!

Curiosity got the better of me and I wrote some php to to loop through a number (256) of mac address and print the result.

<?php
for ($x = 0; $x < 256; $x++) {
$hex = str_pad(dechex($x), 2, ‘0’, STR_PAD_LEFT);
$url = “http://beta.owlintuition.com/api/electricity/history_overview.php?user=test&nowl=<base_mac_address>”.$hex.”&clientdate=2016-12-30″;
echo file_get_contents($url).” <br>”;
}
?>

Surely the server will reject so many consecutive requests? Nope: dump. 256 lines returned, 122 of which contain valid data. The others either invalid mac addresses or haven’t been operational for the last while.

I’m going to have a further poke around but i thought it was interesting enough share now.

Happy New Year!

 

 

Sky Q Remote Codes
December 15, 2016 — 9:48

Here’s a table of the IR remote codes for a Sky Q satellite box which may be of use. All codes are 32 bit RC6.

Note: The remote sends the power command four times.

Button HEX
Sky C0081A80
Power C0081A0C
Search C0081A7E
Rewind C0081A3D
Play/Pause C0081A3E
Forward C0081A28
Up C0081A58
Down C0081A59
Left C0081A5A
Right C0081A5B
Select C0081A5C
Back/Return C0081A83
Home C0081ACC
C0081AF5
I (information) C0081ACB
Channel UP C0081A20
Channel DOWN C0081A21
Record C0081A40
RED C0081A6D
GREEN C0081A6E
YELLOW C0081A6F
BLUE C0081A70
1 C0081A01
2 C0081A02
3 C0081A03
4 C0081A04
5 C0081A05
6 C0081A06
7 C0081A07
8 C0081A08
9 C0081A09
0 C0081A00
HELP C0081A81
Heating Oil Level Gauge
April 28, 2013 — 22:26

It seems I can’t just leave the central heating alone. When we got the heating in (after 2 years of zero heating here, cooold) the tank was fitted with a wireless level monitor which measured the level of the tank using an ultrasonic sensor and sent the data back to a base station plugged into a wall socket using its combined battery pack/aerial. This worked fine for a couple of months until the battery pack went dead. A new battery pack worked for a couple of days and it never worked again – exactly the same as the unit fitted to my parents tank , an absolute waste of money. I switched to dipping a stick into the tank which proved far more reliable but slightly inconvenient over the last two years.

A few weeks back i was browsing ebay, as i do, and found some ultrasonic distance sensors for about €4 delivered. (I have no direct link as the auction has expired but searching for SR04 will bring up any amount of similar units.) I had no plan for them immediately but I bought some just to have anyway. It was only after they came that it struck me that a way of remotely monitoring the oil level would be  a nice project.

The units are very simple to use. There is 4 pins: 5v, GND, Trigger and Echo. By applying a 10uS pulse to the trigger pin you activate the sensor to take a distance reading. The sensor replies on the echo pin with a pulse that is as long as the time taken for the sound wave to travel to the distant object and return to the sensor. Knowing the speed of sound we can then calculate the distance.

more…

DIY Heating Timer v2.0
March 4, 2013 — 2:16

Following on from my previous post on my DIY timer I wanted to make something that I could mount to the wall and not have my wife be ashamed of it! In passing on one of the car forums I frequent I said that I could modify my original heating timer to be controlled by a google calendar for less than €100. As you know that timer died while experimenting so i was left having to make one from scratch if i was to come good on my claim. Thinking about it an arduino combined with an ethernet shield and touchscreen shield could come together to make a very nice controller with a tidy looking interface. The hardware for that should come in under €100. 20 each for the shields and arduino and a further 10 for a solid state relay. It was while browsing DX.com i came across this. A 4.3″ touchscreen android tablet for less than 35 euro delivered – mind blown, I knew what i had to do.

jxds18

 

Hardware wise I needed a way of allowing the tablet to turn on the relay. I couldn’t use bluetooth as the tablet didn’t have it and it would be too unreliable anyway. The next choice for getting an output would be the vibration motor but again, the tablet didn’t have one. All that i was left with was using the speaker output to trigger the heater. To do this i had the software (detailed later) output two tones. Depending on the frequency of this tone we would know if the heating should be on or off. The speaker output is passed into an op-amp used as a comparator to give a nice 5v square wave that is input into an Attiny85 via one of the Boards.ie keyrings/dev boards i had made up. The attiny measures the incoming pulse and decides whether to turn the output on or not. The solid state relay can be directly controlled with an attiny pin. Here you can see the hardware during the prototype stage.

more…

Work Placement Needed
February 4, 2013 — 12:11

Due to a mix up/mess up with my university I’m left to either find a work placement on short notice or try find some modules this semester which I should’ve started over two weeks ago – something I don’t want to do as not only does it mean missed class time, it means choosing modules I normally would not have chosen both this year and next.

Ideally I’d love to get in somewhere small where I can get stuck in, and I find myself drawn to learning PCB layout and design but I am open to anything relevant and interesting. I’m based in the east, so I would be looking for Dublin/Wicklow/Wexford/Carlow area. I’m a mature student with a wife and 3 year old so moving away for 6 months currently isn’t an option.

I have an engineering science degree in electronics and this placement is part of my electronic and computer engineering masters.

If  anyone knows of any companies willing to take on someone I’d love to hear about them. I can be emailed at blog@chet.ie

Thanks!

LED Light Ready For Hacking
January 18, 2013 — 20:35

I bought one of these in Argos to see if there was anything interesting that could be one with it. It turns out that the thing is ripe for hacking if you wanted.

argos

more…

Heating Timer Mods -> Homemade Timer
January 14, 2013 — 11:06

For years our heating timer was sitting on the wall being not particularly useful. It was so awkward to reprogram new times into it that it had come to a point where it had a basic program on it and was mostly manually controlled by switching it on for 1/2/3 hours at a time. Finally i had enough of it and with some spare time on my hands i set about adding some remote control functionality to it. The first plan was to gain control over the “+hrs” button we were used to using and then see what was possible. In preparation i ordered an arduino ethernet shield but i wasn’t sure what i was going to do with it.

A popular method of controlling a switch with a microcontroller is to replace it with a transistor. As i didn’t want to interfere with the normal operation of the switch i traced back the pads on the switch to two vias on the PCB which allowed me to solder some thin wires in to attach the transistor to. To test i brought out GND and the base wire and reassembled. Running some simple code to toggle the switch let me cycle through the times and turn it off as expected.

more…

SolarSwitch v1.0
December 24, 2012 — 22:27

 

My brother has a solar panel on the roof of his house which is used to charge a 12v battery which runs the equipment in his attic, the routers etc. There is a proper solar regulator/battery charger which keeps the battery topped up. The problem is that when the sun isn’t shining (which happens a lot here!) the battery drains and eventually the voltage drops. He had bought a switch mode power supply that would take over from the solar regulator but he wasn’t sure how to wire it up to work as he wanted, which was to have the power supply on only when it was need so there would be no power wasted.

This is what i came up with for him.

2012-07-18 19.51.40

more…

USB Boost Module Testing
October 3, 2012 — 23:49

As you may have seen from the RC car mods posts, i had to add a voltage boost module in to get it working. While it worked perfectly for that purpose i was skeptical of the claimed specifications – as you should be when buying cheap stuff from ebay.

Here is the details from the ebay auction:

  • Input voltage: DC 3-4.4V

  • Output voltage: DC 5.5V

  • Output current: 700mA (max)

more…

Porsche RC Car Mods Part Two
July 26, 2012 — 15:13

Following on from the first post where the voltage was dropping when the motors were under load causing the arduino to reset i tried a couple of things to get around the problem, first i added another cap across the arduino supply and then i added another battery in series (to give 6V total) but still the voltage was dropping too much.

As i knew running an arduino from 4.5V was on the low side i went looking for a dc-dc boost to up the voltage to something more useful. What i found was a module used for charging USB devices from voltages down as far as 3V. These are rated at 700mA so more than enough for what we’re running off them. The actual output voltage is 5.5V which is in the acceptable range for the arduino.

more…