Pierre-David Oriol Targets a Cloud-Free Summer with a Dreo Smart Fan Home Assistant Hack
Not happy with relying on third-party cloud services to cool down this summer, Oriol has cut the cord on his new Dreo fan.
Pierre-David Oriol is preparing for a cloud-free summer in more ways than one, by reverse engineering a Dreo smart fan for fully local control and cutting its connection to remote servers in favor of true local integration.
"Summers are getting pretty hot, and with an unfortunate AC failure I had to find quick alternatives such as quality fans to stay cool while the AC was getting repaired," Oriol explains. "I'm not a super fan (hah, that'll be the Only Fan pun, I promise) of IoT [Internet of Things] devices that are cloud-dependent. It is also common knowledge that the 'S' in IoT stands for Security: I'd rather have these devices isolated, and when possible, controlled locally without any dependency on the cloud."
The fan in question, a Dreo Pilot Max S DR-HTF004S, includes smart features that are dependent on connectivity to a remote cloud service — and while the ability to integrate the device into Home Assistant already exists thanks to a previous third-party effort, it does not remove the requirement for having this connection in place.
To solve the problem, Oriol set about reverse engineering the fan — starting with an inspection of its Android app. Attacks on the fan's built-in web server followed, before Oriol took the housing off and started to investigate its internals — pulling up a handy spec sheet for the board responsible for the fan's IoT connectivity. Dumping the board's firmware allowed the web server to be decompiled using Ghidra, providing a full list of application programming interface (API) endpoints.
The key to the project's success was an undocumented endpoint that provides a way to flash new firmware. Combined with further analysis to find the required partition layout, decode the custom UART protocol responsible for fan control, and figure out the algorithm for checksum validation, it provided a means to replace the stock firmware with a port of ESPHome. Once flashed, the fan ceases all outside communication and instead acts as a purely local device connected to a Home Assistant server.
Oriol has published a full write-up, firmware dumps, and source code on GitHub under the permissive Apache 2.0 license; it is, he warns, "for educational purposes only," and is definitely not to be used as-is with any other model of fan.