PH measurement
-
I think we need an ESP expert here who understands what is going on there and how the data can be redirected or the gateway changed.
-
This topic is coming up for me too ... Annoying that nothing works locally there
But redirecting DNS is really annoying and inconvenient.
Has anyone already taken the app apart, so that one can at least fetch the data from there?
-
@apollon77 Hm. Unfortunately I have no idea about that. Maybe someone knows their way around it.
I think if one could read out the ESP, then change the IP to the MQTT one and flash the firmware back,
then one should have the data. But I can't read it out either
-
@chaosbrother said in PH measurement:
But I can't read it out either
that is the whole point.
Otherwise someone could steal your weather sensors from the garden and would have your Wi-Fi credentials
-
@dala
Hi,
Sorry for writing in English, I don't speak German.
I found this thread while Googling for PH-803W firmware flashes...
Some background:
I'm in the process of buying a Wifi PH/ORP measurement tool and found PH-803W on AliBaba. I wanted to check a way to not use the Android App, but redirect the data from PH-803W to a MQTT broker and then integrate with my home automation system. I use HomeSeer for home automation.
According to the picture posted by you the PH-803W uses ESP12f chip, which is based on ESP8266 chipset.
Have you tried to use tools like Tasmota or similar to reflash the device?
There are many toolkits that support ESP8266 firmware rewrite. Take a look:
https://en.wikipedia.org/wiki/ESP8266#Espressif_modules
-
@apollon77 I just spotted your alias in the poolpower forum earlier
I haven't really got any further with the thing yet either. I had also thought about taking the app apart, it just needs someone who can do it.
I don't know whether one could also read something out of the ESP via RX/TX.
-
@coyote said in PH measurement:
I had also thought about taking the app apart, it just needs someone who can do it.
well, one has to take a look. I would start with an HTTP proxy and see whether HTTP requests show up ... if not, one has to go at it with Wireshark, then it could be MQTT.
So if you have the app and a cloud account, send it to me with the credentials and I'll take a look
-
@apollon77 I can't do anything with an HTTP proxy, I don't know how that works.
I had already used Wireshark, with it I found out the IP and the port that the thing talks to.
But I also don't use the cloud access, only LAN or via VPN, although the app also shows Remote when I am connected via VPN.
If it helps you, I can also create an account
-
@coyote Ahhh ... the app connects locally?? Well then ... but yes, in the end one has to see what the app does. If local, then one probably rather needs direct access
-
@apollon77
Well, I'm not so sure, whether it is really local remains to be seen. The app does say "LAN" when I am on the home Wi-Fi with both, and when I access it via VPN the app says "Remote". But in Wireshark the same protocols and also the same IP address show up.
Have a look, this is what it looks like in Wireshark.
59398 42.180687 119.29.42.117 192.168.66.54 MQTT 60 Ping Response
58392 41.859962 192.168.66.54 119.29.42.117 MQTT 56 Ping Request
56888 41.376643 192.168.66.54 119.29.42.117 MQTT 134 Publish Message [dev2app/CFqpJTSymCE9PLlp1DpbhY/usr2AiQiQhHhGgG5F5F4E4t]
55942 41.070275 119.29.42.117 192.168.66.54 MQTT 125 Publish Message [app2dev/CFqpJTSymCE9PLlp1DpbhY/usr2AiQiQhHhGgG5F5F4E4t]
55898 41.048388 192.168.66.54 119.29.42.117 MQTT 106 Publish Message [dev2app/CFqpJTSymCE9PLlp1DpbhY]
55755 41.006119 119.29.42.117 192.168.66.54 MQTT 121 Publish Message [app2dev/CFqpJTSymCE9PLlp1DpbhY/usr2AiQiQhHhGgG5F5F4E4t]
53674 40.334612 192.168.66.54 119.29.42.117 MQTT 106 Publish Message [dev2app/CFqpJTSymCE9PLlp1DpbhY]
52837 40.064017 119.29.42.117 192.168.66.54 MQTT 100 Publish Message [ser2cli_res/CFqpJTSymCE9PLlp1DpbhY]
35117 34.327664 192.168.66.54 119.29.42.117 MQTT 106 Publish Message [dev2app/CFqpJTSymCE9PLlp1DpbhY]
5944 24.840750 192.168.66.54 119.29.42.117 MQTT 106 Publish Message [dev2app/CFqpJTSymCE9PLlp1DpbhY]
917 18.835631 192.168.66.54 119.29.42.117 MQTT 106 Publish Message [dev2app/CFqpJTSymCE9PLlp1DpbhY]
397 12.827564 192.168.66.54 119.29.42.117 MQTT 106 Publish Message [dev2app/CFqpJTSymCE9PLlp1DpbhY]
123 6.535826 192.168.66.54 119.29.42.117 MQTT 106 Publish Message [dev2app/CFqpJTSymCE9PLlp1DpbhY]
9 0.532890 192.168.66.54 119.29.42.117 MQTT 106 Publish Message [dev2app/CFqpJTSymCE9PLlp1DpbhY]
-
I'll switch to English so that @sharan can follow along too:
Ok, I found some code and looks like the Gizwits stuff opens ports locally on the device in LAN for port 12416 (TCP) and 12414 (UDP) and UDP Broadcast on 2415 ... So it could be really an idea to do a port scan against the device in local network.
(https://github.com/gizwits/gokit-GAgent/blob/master/software/lan/Socket.c#L109-L111)
We should also see UDP packages I think which are then also used for discovery.
Also in this code some stuff is in that could describe some protocols and stuff.
So, yes also the local stuff should be a MQTT server when I interpret that correctly
https://github.com/gizwits/gokit-GAgent/blob/master/software/lan/lan.c#L291
(all relevant only if that code is somehow current)
-
@apollon77 here again everything that wireshark outputs to address 119.29.42.117
Port is 47280
I don't see UDP packets
9 0.532890 192.168.66.54 119.29.42.117 MQTT 106 Publish Message [dev2app/CFqpJTSymCE9PLlp1DpbhY]
123 6.535826 192.168.66.54 119.29.42.117 MQTT 106 Publish Message [dev2app/CFqpJTSymCE9PLlp1DpbhY]
397 12.827564 192.168.66.54 119.29.42.117 MQTT 106 Publish Message [dev2app/CFqpJTSymCE9PLlp1DpbhY]
917 18.835631 192.168.66.54 119.29.42.117 MQTT 106 Publish Message [dev2app/CFqpJTSymCE9PLlp1DpbhY]
5944 24.840750 192.168.66.54 119.29.42.117 MQTT 106 Publish Message [dev2app/CFqpJTSymCE9PLlp1DpbhY]
35117 34.327664 192.168.66.54 119.29.42.117 MQTT 106 Publish Message [dev2app/CFqpJTSymCE9PLlp1DpbhY]
53057 40.134667 192.168.66.54 119.29.42.117 TCP 54 47280 → 1883 [ACK] Seq=313 Ack=47 Win=4957 Len=0
53674 40.334612 192.168.66.54 119.29.42.117 MQTT 106 Publish Message [dev2app/CFqpJTSymCE9PLlp1DpbhY]
55772 41.009306 192.168.66.54 119.29.42.117 TCP 54 47280 → 1883 [ACK] Seq=365 Ack=114 Win=4890 Len=0
55898 41.048388 192.168.66.54 119.29.42.117 MQTT 106 Publish Message [dev2app/CFqpJTSymCE9PLlp1DpbhY]
56143 41.134375 192.168.66.54 119.29.42.117 TCP 54 47280 → 1883 [ACK] Seq=417 Ack=185 Win=4819 Len=0
56888 41.376643 192.168.66.54 119.29.42.117 MQTT 134 Publish Message [dev2app/CFqpJTSymCE9PLlp1DpbhY/usr2AiQiQhHhGgG5F5F4E4t]
58392 41.859962 192.168.66.54 119.29.42.117 MQTT 56 Ping Request
59645 42.258980 192.168.66.54 119.29.42.117 TCP 54 47280 → 1883 [ACK] Seq=499 Ack=187 Win=4817 Len=0
-
In fact this all seems to be the "device to cloud" traffic ... so I would have expected that as soon as you open the app on the phone the app sends out udp packages locally and this is also answered by the device and then the app connects to the device directly ...
so you would need to check traffic where your mobile phone and the local device IP is involved
-
Hi yall, my first post so be gentle...
I connected the TX/RX inside the PH-803W with my UART to see what is shown there:
Seems it sends the same binary data that Anti was able to reroute to his MQTT? While my router has the NAT functionality, I unfortunately cannot define virtual IP addresses, so that route is not viable for me and probably most here. But if we can make sense of the TX/RX Data, we could potentially add another ESP on this port and let it send the data to where we want it to be sent?
Hope this makes sense and is helpful for the discussion, Cheers
-
Hi, maybe it would be easier to make a backup of the firmware from the ESP and then just change the gateway and play back again. Something like that works with Esptool.py, but I don't know my way around that well either.
-
Hey,
I hope I also get my device in next 1 days (just ordered yesterday). When the code I found telling anything AND when it is right that the App also switches to "local" communication when in same WLAN then honestly I would start really analyzing that. That could be way more easy!
Code wise it seemed to me that locally the device itself acts as a simple mqtt server hopefully.
So if someone wants to do stuff in between:
- maybe start with a nmap scan against the local IP ... is there anything open and what can be found there?
- start (like @coyote started) with Wireshark but focus on mobile device/App-with-ph-803w communication ... there should be some
Anyone up for that?
PS: @Marc-R
Hi yall, my first post so be gentle...
We are always
To maybe see more in the data would be a good idea to also see what data the device was showing as you tried it, maybe the "calculation rules" that @Anti was able to decode also apply. Also interesting would be which part of the message is changing when the values change and which part stays static. So now you need to start "data crunching", I expect the data needs to be in there
-
Today I made a local scan in the same network. At the first attempt it was over the VPN connection and therefore "Remote"
Maybe you like that better @apollon77
39484 33.259423 192.168.66.54 192.168.66.8 TCP 62 12416 → 48158 [PSH, ACK] Seq=94 Ack=83 Win=5758 Len=8
29590 29.524847 192.168.66.54 192.168.66.8 TCP 62 12416 → 48158 [PSH, ACK] Seq=86 Ack=75 Win=5766 Len=8
26127 28.341450 192.168.66.54 192.168.66.8 UDP 151 12414 → 37038 Len=109
18180 25.193896 192.168.66.54 192.168.66.8 TCP 62 12416 → 48158 [PSH, ACK] Seq=78 Ack=67 Win=5774 Len=8
8826 21.298249 192.168.66.54 192.168.66.8 TCP 62 12416 → 48158 [PSH, ACK] Seq=70 Ack=59 Win=5782 Len=8
8700 21.257654 192.168.66.54 192.168.66.8 TCP 76 12416 → 48158 [PSH, ACK] Seq=48 Ack=51 Win=5790 Len=22
8696 21.255005 192.168.66.54 192.168.66.8 UDP 151 12414 → 37038 Len=109
7288 20.836871 192.168.66.54 192.168.66.8 TCP 72 12416 → 48158 [PSH, ACK] Seq=30 Ack=38 Win=5803 Len=18
7287 20.824022 192.168.66.54 192.168.66.8 TCP 54 12416 → 48158 [ACK] Seq=30 Ack=38 Win=5803 Len=0
6978 20.574620 192.168.66.54 192.168.66.8 UDP 151 12414 → 37038 Len=109
5694 20.118304 192.168.66.54 192.168.66.8 TCP 63 12416 → 48158 [PSH, ACK] Seq=21 Ack=29 Win=5812 Len=9
5643 20.100519 192.168.66.54 192.168.66.8 TCP 74 12416 → 48158 [PSH, ACK] Seq=1 Ack=9 Win=5832 Len=20
5607 20.088883 192.168.66.54 192.168.66.8 TCP 58 12416 → 48158 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
3855 19.504039 192.168.66.54 192.168.66.8 UDP 151 12414 → 37038 Len=109
2761 18.290828 192.168.66.54 192.168.66.8 UDP 151 12414 → 37038 Len=109
2567 17.284353 192.168.66.54 192.168.66.8 UDP 151 12414 → 37038 Len=109
2381 16.220137 192.168.66.54 192.168.66.8 UDP 151 12414 → 37038 Len=109
2210 15.190409 192.168.66.54 192.168.66.8 UDP 151 12414 → 37038 Len=109
2063 14.544840 192.168.66.54 192.168.66.8 UDP 151 12414 → 37038 Len=109
1906 13.514199 192.168.66.54 192.168.66.8 UDP 151 12414 → 37038 Len=109
1662 12.248355 192.168.66.54 192.168.66.8 UDP 151 12414 → 37038 Len=109
-
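Added example, not written by anyone in this thread: a small Python parser for Wireshark packet-list rows like the ones posted above, which separates the device's cloud traffic from its LAN traffic and shows on which ports the device itself accepts connections. The function names are hypothetical, the sample rows are copied from the captures in this thread, and only IPv4 rows in this column layout are handled.

```python
import ipaddress
import re
from collections import Counter

# Rows copied from the captures posted in this thread (Wireshark packet-list text).
SAMPLE = """\
9 0.532890 192.168.66.54 119.29.42.117 MQTT 106 Publish Message [dev2app/CFqpJTSymCE9PLlp1DpbhY]
53057 40.134667 192.168.66.54 119.29.42.117 TCP 54 47280 → 1883 [ACK] Seq=313 Ack=47 Win=4957 Len=0
58392 41.859962 192.168.66.54 119.29.42.117 MQTT 56 Ping Request
5607 20.088883 192.168.66.54 192.168.66.8 TCP 58 12416 → 48158 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
5643 20.100519 192.168.66.54 192.168.66.8 TCP 74 12416 → 48158 [PSH, ACK] Seq=1 Ack=9 Win=5832 Len=20
1662 12.248355 192.168.66.54 192.168.66.8 UDP 151 12414 → 37038 Len=109
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
ROW = re.compile(r"^\d+\s+[\d.]+\s+" + IP + r"\s+" + IP + r"\s+(\S+)\s+\d+\s+(.*)$")
PORTS = re.compile(r"^(\d+)\s+→\s+(\d+)(?:\s+\[([^\]]*)\])?")
TOPIC = re.compile(r"\[([^\]/]+)/")  # first MQTT topic level, e.g. dev2app

def parse_row(line):
    """Split one packet-list row; return None for anything that is not a row."""
    m = ROW.match(line.strip())
    if m is None:
        return None
    src, dst, proto, info = m.groups()
    p = PORTS.match(info)
    sport, dport = (int(p.group(1)), int(p.group(2))) if p else (None, None)
    return {"src": src, "dst": dst, "proto": proto, "info": info,
            "sport": sport, "dport": dport, "flags": (p.group(3) or "") if p else ""}

def summarise(text, device_ip):
    """Count rows per (lan|cloud, protocol, device-side port or MQTT topic prefix)."""
    flows = Counter()
    for row in filter(None, map(parse_row, text.splitlines())):
        if device_ip not in (row["src"], row["dst"]):
            continue
        outbound = row["src"] == device_ip
        peer = row["dst"] if outbound else row["src"]
        scope = "lan" if ipaddress.ip_address(peer).is_private else "cloud"
        port = row["sport"] if outbound else row["dport"]
        topic = TOPIC.search(row["info"])
        detail = port if port is not None else (topic.group(1) if topic else row["info"])
        flows[(scope, row["proto"], detail)] += 1
    return flows

def listening_ports(text, device_ip):
    """Ports the device answered with SYN, ACK from, i.e. where it accepts connections."""
    rows = filter(None, map(parse_row, text.splitlines()))
    return {r["sport"] for r in rows if r["src"] == device_ip and r["flags"] == "SYN, ACK"}
```

Called with a full packet-list export and the device address 192.168.66.54, `summarise` gives the split between cloud MQTT and local traffic at a glance, and `listening_ports` confirms which local service the phone connected to.
-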
@coyote yes. Via VPN normally all UDP messages are not transferred
Can you send me that wireshark file via email to iobroker@fischer-ka.de
PS: I assume .54 is the ph803 and the .8 is mobile device?
-
@apollon77 ok, I didn't know.
Sure, think it'll take another hour, then I can send it to you.
Yes exactly. .54 is the 803W and .8 is the smartphone
-
@apollon77 you have mail