X10 Community Forum

📱X10 WIFI => 🗯General Discussion => Topic started by: Tuicemen on November 26, 2019, 07:39:34 AM

Title: Hacking WM100 using MQTT.
Post by: Tuicemen on November 26, 2019, 07:39:34 AM
This appears totaly possible.
We've discussed the inner workings of the WM100 prior and it is possible to flash the device and add a new firmware. However this wouldn't overcome some of the devices limitations and still require new software to talk to it.

 Since the WM100 from my limited experiments does apear to use MQTT. A user familure with MQTT could hack this device and create thier own software and overcome some of the WiFi app's issues.
There are several videos available which contain info on hacking MQTT. The unique password for connecting is in the QR code so it is possible to use the X10 broker (server). The app developer was able to connect to my WM100 with just that info.
 I'm not by any means a MQTT master and have very limited knowledge of it. However from reading up on the topic and viewing a few videos it seems it may be possible to see all devices and scenes already configured on the WM100 as well as turn them on/off.
 Yes I still use the WM100 however currently the software is lacking in so many areas I can only use it as a fancy remote.
Title: Re: Hacking WM100 using MQTT.
Post by: Noam on November 26, 2019, 08:52:35 AM
Because of all of the shortcomings (or complete lack of useful features - depending on which way you want to look at it), I've only ever tried to use the WM100 as a glorified remote (though the machine I have running X10Commander does just about the same job, is generally faster to load, and I can create as many custom interfaces as I want to (it is just HTML).

It's a real shame that the manufacturer got stuck down the path they chose for the WM100. I seriously doubt they will go any further with it - or try to develop something else to do what it *should* have been able to do from the start.
Title: Re: Hacking WM100 using MQTT.
Post by: Tuicemen on November 26, 2019, 09:16:29 AM
Using MQTT would allow the WM100 to perform to its full capabilities if the developer would expand the app. Unfortunately they aren't willing or not experianced enough to do so.
There are some hardware restrictions that do limit the WM100 module and even a firmware update can't fix.

 If you scan the QR code youll see something like this {"appkey":"26d884ce-9f25-948537","uid":"Yjm8Am5m2GsFvcGdFMtxo74h9t6qwxw3j49"}
The appkey is the same for all WM100 modules the uid (which I changed) is unique  I know this as I have several.
Using wireshark you can discover the X10 broker (server) this is all you need. I know this from having the developer connect to my WM100 during testing by simply supplying them with the QR code.
Title: Re: Hacking WM100 using MQTT.
Post by: bkenobi on November 26, 2019, 10:35:05 AM
I don't have one and won't get one, but it appears to me that the WM100 would be harder to hack than it would be to use a different controller connected to something like the CM11A or CM19A.  Writing software for a controller of unknown origin is not something a typical person hacking around is going to be capable of UNLESS the original source and compiler is available.  If it were, that would be a different story.

I would personally recommend going the RPi + X10 modem route way before spending any time on the WM100 to hack it.  That said, if the WM100 can be controlled by MQTT commands without modifying the device itself, that would be a different story.  Capturing MQTT packets should probably be doable with wireshark.

https://www.wireshark.org/[/url]

If the traffic is encrypted that makes it different story.  However, it does appear possible to dissect what's going on with MQTT by viewing traffic.

http://blog.catchpoint.com/2017/07/06/dissecting-mqtt-using-wireshark/
Title: Re: Hacking WM100 using MQTT.
Post by: Tuicemen on November 26, 2019, 11:09:31 AM
We already know developing onboard software for the WM100 would involve a major undertaking as jeff has sniffed out the commands sent from the onboard chip and they are a different protocol then what other x10 transmitters use.
 I had though about making a WM100  connection available to users that don't  own one so they could experiment however that would compromise my setup.
 I also notice HG has MQTT abilities and with some modifications to its connection code may allow the WM100 to be used with it (just a thought) ::) :' that also depends if encription was used or not.
 
Title: Re: Hacking WM100 using MQTT.
Post by: Tuicemen on November 26, 2019, 11:18:42 AM
I found this video a bit helpful https://www.google.com/url?sa=t&source=web&rct=j&url=https://m.youtube.com/watch%3Fv%3DYzxTf1y3yCs&ved=2ahUKEwjGvs34oojmAhVYtZ4KHcgNDSEQwqsBMAN6BAgGEA0&usg=AOvVaw0ZopbOjeyEnqocjlMN2Z8n  as well.
Title: Re: Hacking WM100 using MQTT.
Post by: JeffVolp on November 26, 2019, 01:29:25 PM
We already know developing onboard software for the WM100 would involve a major undertaking as jeff has sniffed out the commands sent from the onboard chip and they are a different protocol then what other x10 transmitters use.

Not a different protocol, just a limited set.  Since the development was apparently based on the RR501 transceiver, the chip that interfaces to the powerline only supports the command set used by the PalmPad.  There is no support for extended commands or any of the lesser used X10 commands, such as pre-set dim or status request.

Jeff
Title: Re: Hacking WM100 using MQTT.
Post by: Tuicemen on November 26, 2019, 02:44:15 PM

Not a different protocol, just a limited set.  Since the development was apparently based on the RR501 transceiver, the chip that interfaces to the powerline only supports the command set used by the PalmPad.  There is no support for extended commands or any of the lesser used X10 commands, such as pre-set dim or status request.

Jeff
I stand corrected. The WM100 did use the RR501 board and case for initial proto types.
Title: Re: Hacking WM100 using MQTT.
Post by: dhouston on November 27, 2019, 11:42:38 AM
A few years back, seeing the extreme limitations of the WM100, I designed a ESP-WROOM-02D based PCB with a USB interface, a USB/Serial IC and EEPROM . There were sockets for a small RF receiver of my design and for an off-the-shelf RF transmitter. The RF receiver included a small PIC that would handle encoding/decoding of X10 RF. The RF modules could be either 310MHz or 433.92MHz. It was designed to fit within the XTB-232 enclosure or in an independent external enclosure. However, my health deteriorated rapidly to the point where I can no longer do SMD assembly and testing, so the design was essentially stillborn.
Title: Re: Hacking WM100 using MQTT.
Post by: petera on November 27, 2019, 07:41:24 PM
A few years back, seeing the extreme limitations of the WM100, I designed a ESP-WROOM-02D based PCB with a USB interface, a USB/Serial IC and EEPROM . There were sockets for a small RF receiver of my design and for an off-the-shelf RF transmitter. The RF receiver included a small PIC that would handle encoding/decoding of X10 RF. The RF modules could be either 310MHz or 433.92MHz. It was designed to fit within the XTB-232 enclosure or in an independent external enclosure. However, my health deteriorated rapidly to the point where I can no longer do SMD assembly and testing, so the design was essentially stillborn.

Dave I was checking up on some X10 codes today and clicked on a link that I thought was directing me to your site. Clearly not http://ww1.davehouston.net/
Title: Re: Hacking WM100 using MQTT.
Post by: dhouston on November 28, 2019, 06:57:31 AM
Dave I was checking up on some X10 codes today and clicked on a link that I thought was directing me to your site. Clearly not http://ww1.davehouston.net/ (http://ww1.davehouston.net/)
Everybody needs a side hustle.
Title: Re: Hacking WM100 using MQTT.
Post by: petera on November 28, 2019, 08:22:28 AM
Dave I was checking up on some X10 codes today and clicked on a link that I thought was directing me to your site. Clearly not http://ww1.davehouston.net/ (http://ww1.davehouston.net/)
Everybody needs a side hustle.

Nice one. I thought there may have been some underlying reference to the future of X10.  :)%