Close

Reverse engineering the RainCloud

A project log for RainCloud de-cloudifier

Run Melnor's RainCloud locally without the cloud service

Jean-Philippe JodoinJean-Philippe Jodoin 08/06/2018 at 02:330 Comments

The RainCloud product has two parts
1) An irrigation switch that runs on 4 AA battery with 4 output. This irrigation switch has 4 hex character id.

2) An RF transmitter connected to internet through an Ethernet cable. This transmitter sends command to the irrigation switch through an 900 Mhz RF links. This transmitter has a 12 hex character id.

There are two ways we can use the RainCloud locally

1) We re-engineer the protocol on 900 MHz RF link 

2) We reverse engineer at the ethernet level. 

We will start to explore the Ethernet level as it should be much easier to figure out (at least for me).

First step,  is to connect the Raincloud RF transmitter to my Asus-WRT router in order to get a valid network trace and try to figure out the protocol between the RF Transmitter and the RainCloud Cloud. This can be done by running tcpdump directly on the router

To see the packets as they are save, I use this command :

 tcpdump -i any -U -s 1500 host <RainCloudRFTransmitterIp> -w - | tee raincloudapi.pcap | tcpdump -r -

There are two way to interact with the RainCloud

1) You can press the button manually in front of the switch, this will activate the valve for 60 minutes

2) You can use the web interface where you can setup schedule, activate the valve on timer for period up to 60 minutes. 

Looking at the trace, we can see that everything is un-encrypted which should make this project pretty straigth forward.  There are two of communication:

1)  Cloud sends command to the RainCloud via Websockets 

2) Device sends an update about the current state to the Cloud via GET request

Status update from the device looks like this:

GET /submit/?idhash=1c213db3d2&message=4vOuyTDCAAAAAC3dAP8AAgAAAAAAAg== HTTP/1.1

where idhash is negociated when we connect the device and message represent the current state of the device.

Cloud commands looks like this:

{"event":"manual_sched","data":"\"Lc0AAAAAAAAAAAAAAAAAAAAA\"","channel":"d8ae2312e45c"} 

Where channel is the Rf Transmitter Id and event and data contains command information.

Next post will contains information about the reverse engineered protocol

Discussions