
So, I have an Air Conditioner with a wifi module that is ready to be controlled remotely.

I'm trying to understand how this AC is able to connect to my network, as it does not create any self-hosted Wifi network, nor is my phone connected anywhere other than my Wifi network.

Facts:

  • My phone's bluetooth is disabled.
  • My phone does not connect to any other network (as the icon in the status bar indicates)
  • I reset the AC and the AC is not able to connect to my network anymore - until I use the application again.
  • The Android application I use is "AC Freedom".

From my inspection via packet sniffing with an Android application named "Packet Capture", my phone sends many UDP packets to the multicast(?) address of my network when trying to talk to the AC.

Some of the packets are dispatched to the socket addresses: 224.0.0.251:80, 224.0.0.251:16680, 255.255.255.255:15000

Somehow the AC connects magically to my Wifi. How is this possible? Is there any WiFi protocol that I'm not aware of? Also, the AC is able to "talk" with the external server (their server) and I'm able to manage the AC remotely, without being connected to the local network via Wifi.

Guess: the AC scans Wifi networks, captures traffic and is able to identify packets, decrypt them (as the payload is known) and connect to the Wifi. This is a little bit sci-fi, but it's the only method I can think of.

1 Answer


Check if your Smartphone and the AC use something called Wifi Direct. This connects them directly and doesn't use "your Wifi" (i.e., your Wifi access point on your home router).


Ok, so I downloaded the "AC Freedom" APK (some random version, there seem to be several versions around), unpacked it with apktool, and had a look.

There are a number of libBL*.so libraries, and one libNetworkAPI.so. Looking inside those libraries finds references to the "Broadlink API", and one can google various Java libraries for that that are apparently ports of this Python library.

The description there mentions a "device in AP" mode.

There also seems to be some DES encryption stuff, "BLJSON", and so on.

So all of this looks like your Air Conditioner is based on this Broadlink technology (and your last comment confirms this), has its own access point, and there's an encrypted and authenticated exchange using this AP.

Nothing points to "let's just hack the user's Wifi" (not that this would be possible).

As to why your Android apps don't pick up this AP, I have no idea - maybe it's a hidden SSID.


There is a really simple test to find out if your Air Conditioner is using "your wifi":

Completely power off your home router. If your Smartphone can still communicate with your Air Conditioner, then it's not using your home router. Even if you cannot see what it is using to communicate.


Reading through the Python library documentation again:

Setup

In order to control the device, you need to connect it to your local network. If you have already configured the device with the Broadlink app, this step is not necessary.

  • Put the device into AP Mode.
  • Long press the reset button until the blue LED is blinking quickly.
  • Long press again until blue LED is blinking slowly.
  • Manually connect to the WiFi SSID named BroadlinkProv.

Connect the device to your local network with the setup function.

broadlink.setup('myssid', 'mynetworkpass', 3)

Security mode options are (0 = none, 1 = WEP, 2 = WPA1, 3 = WPA2, 4 = WPA1/2)

So what that does is tell the Broadlink device to set up its own AP, then it connects to this AP, and then you give it the SSID and password of your Wifi, along with the encryption method. And after it has the SSID and password of your Wifi (because you gave it voluntarily), then yes, it can connect to your Wifi.

And the sentence "If you have already configured the device with the Broadlink app, this step is not necessary." seems to imply that this is what the Broadlink app is doing, too. Either by asking for your SSID and password, or by getting it from the Smartphone data.

So have you gone through these steps with the Broadlink app? If yes, then your AC is connected to your Wifi, and can communicate normally in your home network, and yes, then it can do it via multicast on 224.0.0.251.

dirkt
  • I'm searching for WiFi networks (with a Wifi analyzer application) and no Wifi direct network shows up. (on the other hand - my windows laptop wifi direct for example - shows up in the wifis) – Spiros Mitropoylos Oct 18 '21 at 09:03
  • So possibly your Wifi analyzer application doesn't see this particular one. Impossible to say without being in your room with some hardware where I can control it on the lowest level, and check. If you've rooted your Smartphone, you can also check. OTOH, "hacking" into a WPA2-protected Wifi AP by the AC is **extremely** improbable... – dirkt Oct 18 '21 at 09:12
  • I tried two different laptops - two different smartphones and no device can find the wifi of the AC. I really cannot understand what's going on. It's an AUX AC with BroadLink_OEM-T1 wifi adapter on it. – Spiros Mitropoylos Oct 18 '21 at 10:46
  • I tried many devices (including linux, macos etc) and I cannot find in any way a Wifi hotspot opened by the searching device nor the AC. It's the strangest thing I've ever seen. I tried UART sniffing on the device's wifi module without any luck so far. (seems to talk bytecode) – Spiros Mitropoylos Oct 19 '21 at 16:03
  • If it's a hidden AP (beacons turned off), you can "try as many devices" as you want - you won't see it until you connect to it. Try [aircrack-ng](https://www.aircrack-ng.org/doku.php?id=getting_started) on a third device while your Smartphone talks to the AC. – dirkt Oct 20 '21 at 05:02
  • Extensive search with aircrack done with no findings whatsoever. Bluetooth is off also. AC's station comes up only when connected to my Wifi. – Spiros Mitropoylos Oct 20 '21 at 13:24
  • Something I tried. I created a wireless network via my W10 laptop (with internet access). When the phone is connected to this hotspot, the AC cannot connect. If I'm on my router's hotspot, I'm able to pair the AC. How about this? :-) – Spiros Mitropoylos Oct 20 '21 at 13:36
  • You should see the phone communicating with AC in aircrack, whatever the way of communication is, and then you can also see where this communication goes. If your phone has a limited number of "extra" connections, then connecting it to your hotspot will disallow any other connection, like the one to the AC. All of this can be found out in detail if your phone is rooted. You can **see** what is going on if you know where to look. Then you don't have to grope in the dark, like you are doing now. But if you are convinced your AC is hacking "your" router, have it your way. – dirkt Oct 20 '21 at 14:18
  • I think I found, somewhat, how it's doing its thing. https://docs.ibroadlink.com/public/appsdk_en/appsdk_05/#2-1-span-id-api1-configure-device-span I cannot fully understand the logic but it seems to send UDP packets to the Wifi's broadcast address and somehow the AC understands this and connects. – Spiros Mitropoylos Oct 21 '21 at 14:56
  • Link doesn't work... And you **cannot** send packets to an AP unless you are associated with that AP. Which needs a password if the AP is protected with WPA2. Which today every Wifi router should do by default. So without "hacking" the password, it's impossible to do. – dirkt Oct 22 '21 at 04:31
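The `broadlink.setup('myssid', 'mynetworkpass', 3)` call quoted in the answer is the step that hands the AC your Wifi credentials. As an added example (not code from this page, from the python-broadlink project or from the AC Freedom app), the Python below reconstructs that provisioning datagram and adds a checker that recognises one in a packet capture. The byte layout (136-byte datagram, SSID at offset 68, passphrase at offset 100, field lengths and security mode at 0x84-0x86, a 16-bit checksum of 0xBEAF plus the byte sum at 0x20, sent by UDP broadcast to port 80) is my reading of python-broadlink's `setup()` and should be treated as an assumption to verify against that library's source. The sample values are the ones from the quoted call.

```python
import socket
from typing import Optional

# Layout constants from my reading of python-broadlink's setup();
# treat them as assumptions to check against the library source.
PROV_LEN = 0x88          # the provisioning datagram is 136 bytes long
OFF_CHECKSUM = 0x20      # 16-bit little-endian checksum lives here
OFF_MAGIC = 0x26         # the library always writes 0x14 here
OFF_SSID = 68            # SSID text, up to 32 bytes
OFF_PASS = 100           # passphrase text, up to 32 bytes, in the clear
OFF_SSID_LEN = 0x84      # byte length of the SSID
OFF_PASS_LEN = 0x85      # byte length of the passphrase
OFF_SEC_MODE = 0x86      # security mode, as documented in the quoted README
SECURITY_MODES = {0: "none", 1: "WEP", 2: "WPA1", 3: "WPA2", 4: "WPA1/2"}
PROV_PORT = 80           # destination port of the broadcast


def build_setup_datagram(ssid: str, password: str, security_mode: int) -> bytes:
    """Build the datagram that broadlink.setup(ssid, password, mode) broadcasts."""
    if security_mode not in SECURITY_MODES:
        raise ValueError("unknown security mode")
    ssid_b, pass_b = ssid.encode(), password.encode()
    if len(ssid_b) > OFF_PASS - OFF_SSID or len(pass_b) > OFF_SSID_LEN - OFF_PASS:
        raise ValueError("SSID or passphrase too long for the fixed 32-byte fields")
    payload = bytearray(PROV_LEN)
    payload[OFF_MAGIC] = 0x14
    payload[OFF_SSID:OFF_SSID + len(ssid_b)] = ssid_b
    payload[OFF_PASS:OFF_PASS + len(pass_b)] = pass_b
    payload[OFF_SSID_LEN] = len(ssid_b)
    payload[OFF_PASS_LEN] = len(pass_b)
    payload[OFF_SEC_MODE] = security_mode
    # Checksum is computed while the checksum bytes themselves are still zero.
    checksum = (0xBEAF + sum(payload)) & 0xFFFF
    payload[OFF_CHECKSUM] = checksum & 0xFF
    payload[OFF_CHECKSUM + 1] = checksum >> 8
    return bytes(payload)


def parse_setup_datagram(data: bytes) -> Optional[dict]:
    """Recognise a provisioning datagram (e.g. from a capture) and report what it
    carries. The passphrase is deliberately not returned, only its length, so the
    checker can be run over captures without copying the secret around."""
    if len(data) != PROV_LEN or data[OFF_MAGIC] != 0x14:
        return None
    body = bytearray(data)
    stored = body[OFF_CHECKSUM] | (body[OFF_CHECKSUM + 1] << 8)
    body[OFF_CHECKSUM] = body[OFF_CHECKSUM + 1] = 0
    if stored != (0xBEAF + sum(body)) & 0xFFFF:
        return None
    ssid_len, pass_len, mode = data[OFF_SSID_LEN], data[OFF_PASS_LEN], data[OFF_SEC_MODE]
    if ssid_len > 32 or pass_len > 32:
        return None
    return {
        "ssid": data[OFF_SSID:OFF_SSID + ssid_len].decode(errors="replace"),
        "passphrase_bytes_in_clear": pass_len,
        "security": SECURITY_MODES.get(mode, f"unknown({mode})"),
    }


def send_setup_datagram(datagram: bytes, dst: str = "255.255.255.255") -> None:
    """Broadcast the datagram the way the library does; only meaningful while the
    host is joined to the device's own BroadlinkProv AP."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        sock.sendto(datagram, (dst, PROV_PORT))


if __name__ == "__main__":
    # Constructed sample using the values from the quoted setup() call.
    dg = build_setup_datagram("myssid", "mynetworkpass", 3)
    print(parse_setup_datagram(dg))
    # The passphrase really is sitting in plaintext at offset 100:
    print(dg[OFF_PASS:OFF_PASS + dg[OFF_PASS_LEN]])
```

The point for a defender is that the SSID and passphrase travel unencrypted in a plain UDP broadcast, which is one reason to perform this step only while joined to the device's own BroadlinkProv AP, as the documented procedure does, and not on a shared network. `parse_setup_datagram` verifies the checksum before trusting the length fields, so random 136-byte datagrams in a capture are not misreported.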