May 14, 2025 at 6:39 PM • Max Knyazev is typing… • Telegram mirror
A little over a year ago a truly powerful article came out that I simply couldn't miss (but I did miss it, because I didn't know it existed, and now I'm catching up). James Warner published it on his site jmswrnr.com. If you're into reversing, IoT, or just want to better understand how smart devices work from the inside, read the article (and this post, because I also tried to sort it all out) 💯
The article is called "Hacking a Smart Home Device", and it is, without exaggeration, the whole story of turning an ESP32-based smart air purifier into a fully integrated Home Assistant module. But the way James got there is simply fantastic. Let's start 🍻
So, we have a device, a clunky app that lives only in the cloud, and absolutely no local integration. And so the author decides: since he's spent the money, the thing is going to earn its keep 100%. This is where the reversing begins ⤵
He followed the classics: analyzing the APK, searching for WebSocket addresses, studying network traffic via Pi-hole and Wireshark. Here, by the way, came the first nuance: the purifier talks over UDP, and there wasn't a hint of readable text in the packets. Only cryptographic tinsel, which (spoiler) turned out to be a custom ECDH+HKDF key exchange with AES-128-CBC encryption
But this is just the beginning 😅
James carefully opens the case, connects over UART through a Flipper Zero (react with 😍 if you want a review of my own Flipper Zero with all the goodies I have for it), and dumps the firmware. There he found a FAT partition, serial numbers, private keys and certificates. All of it sitting right on the device, with no protection whatsoever. At that moment I thought:
"Seriously? In 2024?" But okay, let's move on (God be their judge) 👏
With Ghidra he parses the binary, identifies all the main functions, works out how the key exchange works, and even patches the firmware so the device can run without its front panel. By the way, Ghidra had to be set up for Xtensa, with the ROM functions and an SVD file imported, just to be able to work with this at all
But the main thrill is when he decrypts the first packet. That feeling when everything finally comes together. At that moment I was truly happy for James. Then he builds a full-fledged MITM setup: he spoofs DNS, intercepts the packets, decodes, decrypts, logs, and... stands up his own server. Without a single line of the manufacturer's original code. Purely by logic and analysis (it's a total bomb, after all) 🤩
Then he wires it all up to MQTT and Home Assistant, describing how to build the chain "device <-> server <-> Mosquitto <-> Home Assistant". Everything lives locally and runs stably. Mission accomplished 🥂
And now I'll sum it up and give my opinion on all his work 😉
Firstly, this is one of the coolest and most methodical reverse-engineering write-ups I've seen in open source. The article describes everything in as much detail as possible, step by step, with explanations and even scripts. This isn't just "look at the traffic and write a sniffer", it's a full reversing tour de force with a practical payoff
Secondly, the case clearly shows that custom protocols are almost always a recipe for disaster. Yes, they can create the illusion of security, but as soon as one person digs up the binary, there will be no trace of that security left 😵
And thirdly, all of this was done just to avoid running a separate app on the phone. So that the purifier switches on when the room gets dusty. So as not to worry about whether your account in some Chinese cloud is still alive. Simple motivation, but look how cool it turned out
If you like reverse engineering, working with the ESP32, or want to integrate an obscure Chinese gadget into your ecosystem, be sure to read the original (the article is in English, but I don't think that's a big problem nowadays). You'll see how powerful DIY can be with a Flipper Zero, Ghidra, a little patience, and a strong desire to make something cool 🍿
Something like that. Write your opinion and send me similar stories (cool and useful things need to be shared). All the best to you, my dear Ayotovites 🙏
#information_security #Internet_of_things