{"hw_model":"T701iv1","ssid":"","bssid":"","channel":11,"security":4,"rssi":-38,"ip":{"ipv4":{"iptype":1,"ipaddr":"","ipmask":"","ipgw":"","ipdns1":"","ipdns2":""}}}


A few years ago I moved into a house with a Pro1 T701iv1 thermostat. It randomly freezes up, removes itself from wifi, is relatively unsophisticated, and it leaks information like crazy to anyone on the LAN. Oh, and you can reboot it with “curl”. Below is my analysis of this IoT device.

sp->pMyThingName
sp->pMqttClientId (UUID w/ MAC)
sp->pHost (data.iot..amazonaws.com)
sp->port
sp->pRootCA
sp->pClientCRT (public cert)
sp->pClientKey (priv key)


Like my Zyxel article, this will be part 1 with my initial findings. Part 2 will be a dive into the flash ROM. The board has a Winbond 25Q32FVS1F chip so it was no problem to dump with a Pomona 5250 SOIC8 Test Clip and a Raspberry Pi.


Now that I had the code base, it was evident from the GitHub repo that this is a Marvell Semiconductors device. It seems similar to the MW302. I think the MW302 is a development board while the board in my unit would be some purpose-built board for HVAC. But knowing the development board, I can tell a lot about the real device. Such as:

{"uuid":"","interface":"station","prov":{"types":[]},"connection":{"station":{"mac_addr":"","configured":1,"status":2,"ssid":"","bssid":"","channel":11,"security":4,"rssi":-38,"ip":{"ipv4":{"iptype":1,"ipaddr":"","ipmask":"","ipgw":"","ipdns1":"","ipdns2":""}}}}}

What I love the most is that the HTML title of the web management interface is “AWS Starter Demo”. Doing a bit of Internet sleuthing, a trail of breadcrumbs led here: https://github.com/dhrishi/ez-connect-lite. This looked like a potential template used for the code on the device. There is a sample app called aws_starter_demo and its main.c has some proof that this is the correct code base. Line 167 says the MQTT Client ID of the device has the MAC address appended to it. Checking my device’s /sys URL, what they called the “UUID” is a match! My device’s MAC address was present in the last 12 characters of the “UUID”. The aws_starter_demo project also has a static copy of the VeriSign G5 CA cert. I tried verifying the cert and key with the CA cert using openssl but it was failing. I believe it was replaced with a different CA cert, likely embedded in the firmware. With the actual CA cert, this should give one everything they need to attach to the device’s IoT Shadow service.
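For auditing a device you own, the UUID/MAC comparison described above can be scripted against a saved copy of the status JSON, together with a list of the identifying fields that response exposes. This is an added example, not code from the post or from ez-connect-lite; the sample values, the `SENSITIVE` key set and the function names are assumptions made for illustration.

```python
import json
import re

# Constructed sample in the shape of the status JSON shown on this page;
# every value is made up (the page's own values are redacted).
SAMPLE = json.dumps({
    "uuid": "5a1f0c3e9b7d4e21a0c4001122aabbcc", "interface": "station",
    "prov": {"types": []},
    "connection": {"station": {
        "mac_addr": "00:11:22:AA:BB:CC", "configured": 1, "status": 2,
        "ssid": "HomeNet", "bssid": "de:ad:be:ef:00:01", "channel": 11,
        "security": 4, "rssi": -38,
        "ip": {"ipv4": {"iptype": 1, "ipaddr": "192.168.1.50",
                        "ipmask": "255.255.255.0", "ipgw": "192.168.1.1",
                        "ipdns1": "192.168.1.1", "ipdns2": ""}}}}})

# Keys this audit treats as identifying or network-topology data (assumption).
SENSITIVE = {"uuid", "mac_addr", "ssid", "bssid", "ipaddr", "ipmask",
             "ipgw", "ipdns1", "ipdns2", "hw_model"}

def walk(node, path=""):
    """Yield (dotted_path, key, value) for every scalar leaf in the JSON."""
    items = node.items() if isinstance(node, dict) else enumerate(node)
    for key, value in items:
        child = f"{path}.{key}" if path else str(key)
        if isinstance(value, (dict, list)):
            yield from walk(value, child)
        else:
            yield child, key, value

def hexonly(value):
    """Lower-case a string and drop everything that is not a hex digit."""
    return re.sub(r"[^0-9a-f]", "", str(value).lower())

def audit(raw):
    """Return (exposed_paths, uuid_embeds_mac) for one saved response."""
    doc = json.loads(raw)
    leaves = list(walk(doc))
    exposed = sorted(p for p, k, v in leaves if k in SENSITIVE and v != "")
    mac = next((hexonly(v) for _, k, v in leaves if k == "mac_addr"), "")
    uuid = hexonly(doc.get("uuid", ""))
    # The post reports the MAC in the last 12 characters of the "UUID".
    return exposed, len(mac) == 12 and uuid[-12:] == mac

if __name__ == "__main__":
    fields, linked = audit(SAMPLE)
    print("exposed without authentication:", *fields, sep="\n  ")
    print("UUID ends with MAC:", linked)
```

A `True` result for the second value means the cloud-side client identifier can be derived from an address that is visible to anything on the same LAN segment.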

The thermostat has an unauthenticated web management interface where I could do nothing but reboot and click “provisioning” which shows the wifi SSID. I viewed the source on the web interface and a whole lot of fun jumped out at me. For example, prov.js provides some great AJAX URLs:

As a bonus, there’s an unauthenticated exposed HTTP endpoint for rebooting the device. I’ve tossed all sorts of other commands at it. So far it looks to be used for nothing more than rebooting. But if so, wouldn’t one make the endpoint /sys/reboot? Why let the command be a variable?