James Warner Frees a "Smart" Air Purifier From Its Proprietary App with a Bit of Reverse Engineering

From capturing network packets and dumping the firmware to setting up a fake server, Warner's work is a masterclass in reverse engineering.

Self-described "creative technologist" James Warner has written up a project that sought to make a "smart" air purifier a lot smarter — by reverse engineering it and removing the lock that made it controllable only from a proprietary app.

"Recently, I've been slightly obsessed with connecting anything and everything in my house to Home Assistant," Warner explains. "There's something so satisfying about having everything connected and automated in one application; I can finally forget every random mobile app for a different brand of smart product. But there is one product I own that stubbornly doesn't connect to anything other than its own mobile app. It's a sleek air purifier that is unfortunately let down by its disappointing app."

Determined to get the air purifier talking to Home Assistant, Warner started by digging into the proprietary Android app — finding UDP packets being sent to a remote server, which could be captured locally for analysis. Sadly, the packet content turned out to be unreadable — which is when the screwdrivers came out.

"We know there are two applications that understand how to read this packet data: the smart device and its cloud server. And, well, I don't have their cloud server handy, so it's time to take a look inside the smart device," Warner writes. "It was quite easy to disassemble with a few easily accessible screws. Inside was the main PCB containing the microcontroller, a port connecting to the fan, and a ribbon cable to the control panel on the front."

That microcontroller turned out to be an Espressif ESP32-WROOM-32D module, which exposes its hardware UART on easily-accessible pins. Using a Flipper Zero multi-tool, Warner connected to the bus and was able to read its boot log — then switch the chip into download mode to retrieve a copy of the flash memory content.

Flash dump in hand, Warner used the esp32knife tool to parse the firmware and uncover a FAT-formatted storage partition, gaining access to certificates and an encryption key. The firmware was then analyzed with Ghidra, providing a grounding point for modifying the firmware — initially to remove the requirement for the front panel to be connected when booting, in order to make further experimentation easier, and then to print out the shared secret key at the time of calculation in order to make it possible to decode the encrypted UDP packets.
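The partition-table step above can be illustrated with a short added example. It is not Warner's code or esp32knife's. It reads the standard ESP-IDF partition table from a raw flash image, lists any FAT data partitions, and reports whether each is flagged as encrypted. The sample image, with its labels, offsets and sizes, is constructed for the demonstration.

```python
import struct

# ESP-IDF partition table entry: 32 bytes, little-endian.
ENTRY = struct.Struct("<2sBBII16sI")  # magic, type, subtype, offset, size, label, flags
ENTRY_MAGIC = b"\xaa\x50"
TABLE_OFFSET = 0x8000      # ESP-IDF default; a device may use another offset
TABLE_MAX_LEN = 0xC00      # size of the region reserved for the table
TYPE_DATA, SUBTYPE_FAT = 0x01, 0x81
FLAG_ENCRYPTED = 0x01


def parse_partition_table(flash, table_offset=TABLE_OFFSET):
    """Return the partition entries found in a raw flash image."""
    parts = []
    end = min(table_offset + TABLE_MAX_LEN, len(flash))
    for pos in range(table_offset, end - ENTRY.size + 1, ENTRY.size):
        magic, ptype, subtype, offset, size, label, flags = ENTRY.unpack_from(flash, pos)
        if magic != ENTRY_MAGIC:   # MD5 entry (EB EB) or 0xFF padding ends the list
            break
        parts.append({
            "label": label.split(b"\x00", 1)[0].decode("ascii", "replace"),
            "type": ptype, "subtype": subtype,
            "offset": offset, "size": size,
            "encrypted": bool(flags & FLAG_ENCRYPTED),
        })
    return parts


def fat_partitions(parts):
    """Data partitions with the FAT subtype, like the storage partition described above."""
    return [p for p in parts if p["type"] == TYPE_DATA and p["subtype"] == SUBTYPE_FAT]


def build_sample_flash():
    """Constructed image: labels, offsets and sizes are made up for the demo."""
    rows = [(b"nvs", 0x01, 0x02, 0x9000, 0x6000, 0),
            (b"factory", 0x00, 0x00, 0x10000, 0x100000, 0),
            (b"storage", 0x01, 0x81, 0x110000, 0x10000, 0)]
    table = b"".join(ENTRY.pack(ENTRY_MAGIC, t, s, off, size, name, fl)
                     for name, t, s, off, size, fl in rows)
    return b"\xff" * TABLE_OFFSET + table + b"\xff" * ENTRY.size


if __name__ == "__main__":
    for p in fat_partitions(parse_partition_table(build_sample_flash())):
        state = "encrypted" if p["encrypted"] else "plaintext"
        print(f'{p["label"]}: offset={p["offset"]:#x} size={p["size"]:#x} ({state})')
```

A FAT partition reported as plaintext on a production image means anything stored in it, certificates and keys included, is readable by whoever can dump the flash.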

"We can now create an MITM (man in the middle) attack that does not require any firmware patching. This is because the private key of the device is now known, the key derivation logic has been reverse engineered, and any required dynamic data is exposed over the insecure network," Warner says. The MITM "attack" takes the form of a custom server, to which the purifier is forced to connect, linked to an MQTT broker which can in turn connect to Home Assistant — finally completing the task of offering control of the device independently of the proprietary app.

Warner's full project write-up is available on his website; the post is "intended for educational purposes on the process of reverse engineering IoT [Internet of Things] smart devices and network protocols," he says, and warns that "tinkering with your devices will likely void any warranty and carries a risk of permanently damaging the device; do so at your own risk."

Gareth Halfacree
Freelance journalist, technical author, hacker, tinkerer, erstwhile sysadmin. For hire: freelance@halfacree.co.uk.