Hacking Mitsubishi AC Controller.

Sushil Singh
Mar 22, 2018

I recently installed a Mitsubishi air conditioner at my home. As part of the install I wanted to have the app to control it from my phone and hook it up to my home automation system as well. I currently use my home automation system for floor heating and there are already thermostats/motion sensors in every room, so obviously I wanted to use the same for controlling the AC.

Ceiling Cassette

Mitsubishi has an adaptor, PAC-USWHS002-WF-1, that allows the air conditioner to connect to the cloud. There is an application (kumo-cloud) that you can download to help you with configuration and then control the units.

For configuration the phone app connects with the adaptor using Bluetooth. You will need to give the app your Wi-Fi SSID and password, and it then configures the same into the adaptors using Bluetooth. After that the adaptor connects to the Wi-Fi and the app can be used to control the AC.

The cloud part of the application is called kumo cloud and I did not find documentation or APIs to directly interface with it. Also there was no information on how to connect to the AC directly on the local network as they all had IP addresses on my Wi-Fi network.

As a first step I wanted to see what kind of communication was going on between the application and the cloud. I am using the USG box from UniFi, and it’s fairly easy to run tcpdump on it to see all the packets flowing through it to the internet.

192.168.77.13 is the address for my internal unit, the destination is 52.88.0.195. (This is where the adapters are communicating to)

A reverse DNS name lookup indicates that 52.88.0.195 is ec2-52-88-0-195.us-west-2.compute.amazonaws.com

So it looks like the traffic is all headed to an AWS cluster running in Oregon. What’s more, the adaptors keep a constant connection to the server, so there is always a socket open from there to inside of your home. When you directly put the address in your browser, https://52.88.0.195, it presents a certificate that is not signed by any of the CAs known to the browser. This implies that the adapter is not really checking the certificate or has the CA hardcoded in it that generated the certificate for the kumo cloud. Hopefully it’s the latter; if it’s the first one then the value of using https diminishes and it’s fairly easy to do MITM type inspection. (Not sure if this matters for an AirCon unit, but the fact that an insecure connection is constantly open from inside the house makes me nervous.)

I was thinking of going down that route of putting in a MITM but thought about checking if there is something different about the traffic from my app to the AC; perhaps they directly communicate without going to the cloud.

It turned out to be the case. Here is a trace for a command sent from the app to the AC.

The application was using plain old HTTP commands to talk to the adapter, which made things easier.

I was able to directly talk to the adapter using Linux curl commands as I had captured from the trace.

curl "http://192.168.77.13/api?m=41e8f2f37893a4ea63eed78e7e3779f3edd766cd337499d266c036e19862947" -X PUT -H "Accept: application/json, text/plain, */*" -H "Content-Type: application/json;charset=UTF-8" -H "Accept-Encoding: gzip, deflate" -H "Accept-Language: en-us" -d '{"c":{"indoorUnit":{"status":{}}}}'

This would come back with the response

{"r":{"indoorUnit":{"status":{"roomTemp":21.666666,"mode":"off","spCool":24,"spHeat":21,"vaneDir":"horizontal","fanSpeed":"quiet","tempSource":"unset","activeThermistor":"unset","filterDirty":false,"hotAdjust":false,"defrost":false,"standby":false,"runTest":0}}}}

Success. So all I needed was to do some packet capture of the different commands and I would be able to hardcode them such that I just have to play back the right one.

This worked because the security token you see as part of ?m=<token> does not change and seems to be some kind of hash of the command itself. For now this is my theory, since I can keep repeating the commands and they work.

So this is a good point to stop if you want to directly control the units: you just need to capture the packets that are sent by the app and try all the commands in the application. There are a handful of them, which will let you have the security token for each command. Once you have collected all the information you can replay them in a script based on what you want the AC to do. Of course this is not portable as it will need to be done for every user and it’s a bit painful to get the right information. But it solves my problem for now.
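Why the captured requests keep working, shown as an added example (not code from the original post or from the kumo adapter): a token that depends only on the request body can be replayed indefinitely, while one that also covers a timestamp and a one-time nonce cannot. The key, the HMAC-SHA256 derivation and all function names are assumptions; the adapter's actual token scheme is not described on this page.

```python
import hashlib
import hmac
import json

# Constructed stand-ins: the adapter's real key and token derivation are not on this page.
DEVICE_KEY = b"constructed-demo-key"
WINDOW_SECONDS = 30  # how far a request timestamp may drift from the verifier's clock

def static_token(body: bytes) -> str:
    """Token that depends only on the body, matching the behaviour observed above."""
    return hmac.new(DEVICE_KEY, body, hashlib.sha256).hexdigest()

def verify_static(body: bytes, token: str) -> bool:
    """Accepts any request whose token matches the body, however old the capture is."""
    return hmac.compare_digest(static_token(body), token)

def fresh_token(body: bytes, ts: int, nonce: str) -> str:
    """Hardened form: the MAC also covers a timestamp and a one-time nonce."""
    msg = f"{ts}:{len(nonce)}:{nonce}:".encode() + body  # length prefix avoids ambiguity
    return hmac.new(DEVICE_KEY, msg, hashlib.sha256).hexdigest()

class FreshVerifier:
    """Rejects stale timestamps and any nonce it has already accepted."""

    def __init__(self) -> None:
        self.seen = set()  # a real device would expire entries older than the window

    def verify(self, body: bytes, ts: int, nonce: str, token: str, now: int) -> bool:
        if abs(now - ts) > WINDOW_SECONDS or nonce in self.seen:
            return False
        if not hmac.compare_digest(fresh_token(body, ts, nonce), token):
            return False
        self.seen.add(nonce)
        return True

def demo() -> dict:
    body = json.dumps({"c": {"indoorUnit": {"status": {"mode": "off"}}}}).encode()
    captured = static_token(body)  # what a capture on the LAN would record
    v = FreshVerifier()
    tok = fresh_token(body, 1000, "n-1")
    return {
        "static_replay_later": verify_static(body, captured),
        "fresh_first_use": v.verify(body, 1000, "n-1", tok, 1005),
        "fresh_replay_same_nonce": v.verify(body, 1000, "n-1", tok, 1006),
        "fresh_replay_stale": FreshVerifier().verify(body, 1000, "n-1", tok, 2000),
    }

if __name__ == "__main__":
    print(demo())
```

Even with a fresh token, the requests above travel over plain HTTP, so the command bodies and status responses remain readable to anything on the same network.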

Out of curiosity I am planning to look at the application a bit more to see if it is possible to get the API security token computed. If it’s possible, it can translate into a nice project.

Here are some of the commands accepted by the unit.

Setting Fan Speed:
{"c":{"indoorUnit":{"status":{"fanSpeed":"quiet"}}}}
{"c":{"indoorUnit":{"status":{"fanSpeed":"low"}}}}
{"c":{"indoorUnit":{"status":{"fanSpeed":"powerful"}}}}

Setting Vent Direction:
{"c":{"indoorUnit":{"status":{"vaneDir":"auto"}}}}
{"c":{"indoorUnit":{"status":{"vaneDir":"horizontal"}}}}
{"c":{"indoorUnit":{"status":{"vaneDir":"midhorizontal"}}}}
{"c":{"indoorUnit":{"status":{"vaneDir":"midpoint"}}}}
{"c":{"indoorUnit":{"status":{"vaneDir":"midvertical"}}}}
{"c":{"indoorUnit":{"status":{"vaneDir":"vertical"}}}}
{"c":{"indoorUnit":{"status":{"vaneDir":"swing"}}}}

Setting AC Mode:
{"c":{"indoorUnit":{"status":{"mode":"off"}}}}
{"c":{"indoorUnit":{"status":{"mode":"heat"}}}}
{"c":{"indoorUnit":{"status":{"mode":"cool"}}}}
{"c":{"indoorUnit":{"status":{"mode":"dry"}}}}

Setting Temperature in cool mode:
{"c":{"indoorUnit":{"status":{"spCool":23.333333333333332}}}}

Setting Temperature in heat mode:
{"c":{"indoorUnit":{"status":{"spHeat":22.22222222222222}}}}

Good luck if you are trying something similar. Let me know if you have any questions. I am working on a GitHub project to translate what I learned into usable code.

Update Mar 29th: I spent some more time on analyzing the application and was able to translate that into usable code. The script can be used in CLI mode to control the air conditioner or can host a REST API that can accept commands. The configuration needed is pulled down from the cloud in an easy script (works today, but not sure how long the cloud will keep it enabled).

The project is hosted at: https://github.com/sushilks/kumojs
