“Smart” IoT and home automation devices are becoming increasingly common and that has highlighted a problem we all foresaw: software bugs introduce a point of failure to otherwise reliable appliances. The DeLonghi Dinamica Plus is a smart espresso machine that can brew espresso, americano, or lattes according to commands sent from a smartphone app via Bluetooth Low Energy (BLE). But Matthew found that the connection fails frequently, rendering the expensive smart features useless. To correct that, he reverse engineered the DeLonghi Dinamica Plus BLE protocol so he could brew coffee via GitHub.
The DeLonghi Dinamica Plus is supposed to connect to the companion smartphone app via BLE so users can brew a coffee remotely according to their preferences. But that feature is useless when the app and machine drop their connection frequently. Matthew’s goal was to ditch the proprietary smartphone app and gain direct control over the BLE connection so he could send brew commands however he likes.
The vast majority of Matthew’s work (and most of the explanation in his write-up) focused on reverse engineering the BLE protocol. That isn’t a trivial undertaking for a closed-source system from a developer uninterested in publishing details. He started by identifying the Dinamica Plus BLE device ID using the nRF Connect app. From there, he was able to sniff BLE packets sent from the DeLonghi app to the Dinamica Plus while it was working. That let him identify one of the commands for brewing coffee, but the structure of that command was still a mystery and so he couldn’t send his own custom commands.
His next step was to explore the source code for the DeLonghi app by unpacking its Android APK. That let him identify how the app encodes brewing parameters as a series of hex values, which control brew strength, water amount, milk amount, and so on. He was also able to determine the possible ranges for those values, which let him send BLE packets with his own brewing recipes.
Matthew’s final step was to create a simple workflow for sending those commands. An old MacBook connects to the Dinamica Plus via BLE and Matthew wrote a custom Rust program to send the commands. It sends those commands according to user requests from an unusual source: GitHub. Matthew repurposed GitHub’s issue reporting system as a sort of IoT service. The user submits an issue to the proper repository using a template structure with their desired parameters. The Rust program uses the GitHub API to look for new issues, parses their text, and then sends the proper brew command to the DeLonghi Dinamica Plus.
Now Matthew can easily start whatever brew he likes from anywhere in the world, including from another room in his home.
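The issue-to-brew step described above treats text from an issue tracker as input to a physical appliance, so the parser is where the author and value ranges get checked before anything reaches the BLE link. The following Rust sketch is an added example, not Matthew's code or DeLonghi's protocol: the field names (`strength`, `water_ml`, `milk_ml`), their ranges, and the `owner-account` login are all assumptions made for illustration.

```rust
// Added example: field names, ranges and the allowlist are constructed for illustration.
#[derive(Debug, PartialEq)]
pub struct Recipe { pub strength: u8, pub water_ml: u16, pub milk_ml: u16 }

// Hypothetical GitHub login permitted to trigger a brew.
const ALLOWED_AUTHORS: &[&str] = &["owner-account"];

// Find exactly one "key: value" line and check it against an inclusive range.
fn field(body: &str, key: &str, min: u16, max: u16) -> Result<u16, String> {
    let mut found = None;
    for line in body.lines() {
        if let Some((k, v)) = line.split_once(':') {
            if k.trim().eq_ignore_ascii_case(key) {
                if found.is_some() {
                    return Err(format!("duplicate field {}", key));
                }
                let n: u16 = v.trim().parse()
                    .map_err(|_| format!("{}: not a number", key))?;
                found = Some(n);
            }
        }
    }
    let n = found.ok_or_else(|| format!("missing field {}", key))?;
    if n < min || n > max {
        return Err(format!("{}={} outside {}..={}", key, n, min, max));
    }
    Ok(n)
}

// Reject unknown authors first, then require every field to be present and in range.
pub fn parse_issue(author: &str, body: &str) -> Result<Recipe, String> {
    if !ALLOWED_AUTHORS.contains(&author) {
        return Err(format!("author {} not allowed", author));
    }
    Ok(Recipe {
        strength: field(body, "strength", 1, 5)? as u8,
        water_ml: field(body, "water_ml", 20, 250)?,
        milk_ml: field(body, "milk_ml", 0, 200)?,
    })
}

fn main() {
    let body = "strength: 3\nwater_ml: 120\nmilk_ml: 0"; // constructed issue text
    println!("{:?}", parse_issue("owner-account", body));
    println!("{:?}", parse_issue("owner-account", "strength: 9\nwater_ml: 120\nmilk_ml: 0"));
}
```

Only a `Recipe` that passes every check would be handed to the code that encodes the hex values and writes them over BLE.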