Den Automation – API

With the very sad news that Den Automation is having financial troubles, I decided it was time to revisit my investigation into the protocol that Den uses.

I had read on their website that they used both a cloud based and local network approach. In fact, this was one of the things that appealed to me most. Offering local control is an important aspect in any smart home as it insulates you from internet outages.

I had looked into their protocol a few weeks after setting up my Den hub, but it turned up a dead end for me.

Based on what I’d learned my own adventures in IoT, I started working under the assumption that the local protocol would be HTTP based and use probably use mDNS. Using Charles, the populate iOS proxy, I was able to capture some of the traffic from my phone whilst using the Den app.

Unfortunately, all the requests were targeted at Den’s cloud. I was able to see the details of my deployment, the various switches and sockets, but I wasn’t too interested in taking this approach, since I had Google Home and Alexa integrations already setup.

I fired up WireShark and used Apple’s guide on how to intercept all traffic from my iPhone – https://developer.apple.com/documentation/network/recording_a_packet_trace

I immediately spotted a HTTP request, which was a protocol switch request. More digging and some Google-fu and I leaned that this was just MQTT over websockets on port 1884

I loaded up MQTT Explorer and fed in the details (IP address of my hub and Port 1884) but got a 401 (Authentication failed). This was progress as I knew some thing was listening.

Fast forward a few hours and I’d extracted this packet. Thanks to this protocol document ( http://public.dhe.ibm.com/software/dw/webservices/ws-mqtt/MQTT_V3.1_Protocol_Specific.pdf ) I was able to determine this was a connect request (0001), which contained a username and password.

The request to login, with a client name of MQTT and the username and password

Armed with some credentials, I fired up MQTT Explorer and was connected.

After a few minutes, I started to get information over the connection! MQTT Explorer includes the # and $SYS/# subscriptions, so it basically gets everything published by the hub.

I knew that the device was one of the double sockets (the TV was on) and it was sending measurements!

{“43de2329-8808-57bc-af5b-ea01bd6a6d11”:{“online”:true},”c8de59a4-29e5-52ad-84b5-2574f005544b”:{“software”:[{“type”:”USER_1″,”version”:”1.3.0″}],”battery_level”:29,”online”:false,”status”:{“0”:{“last_state_changed”:”2019-08-09T15:46:24Z”},”1″:{“last_state_changed”:”2019-08-09T15:46:24Z”}}},”7039ee52-d25a-59c5-b957-844ff067233f”:{“software”:[{“type”:”USER_1″,”version”:”1.4.0″}],”online”:false,”status”:{“0”:{“state”:0,”shutter”:1,”nfc_tag”:{“uid”:”04:cd:be:d2:35:5e:80″,”atqa”:”0x44″,”sak”:”0x00″,”version”:0,”name”:””,”type”:”APPLIANCE”,”keep_on”:false,”timeout”:{“enabled”:false,”duration”:0}},”last_state_changed”:”2019-10-09T11:18:17Z”},”1″:{“state”:0,”shutter”:1,”nfc_tag”:{“uid”:”04:f2:97:ca:35:5e:80″,”atqa”:”0x44″,”sak”:”0x00″,”version”:0,”name”:””,”type”:”APPLIANCE”,”keep_on”:false,”timeout”:{“enabled”:false,”duration”:0}},”last_state_changed”:”2019-10-09T10:59:42Z”}}},”1cef1fcd-3aa7-5a49-80b4-ea98b85c5827″:{“software”:[{“type”:”USER_1″,”version”:”1.4.0″}],”online”:true,”status”:{“0”:{“state”:1,”shutter”:1,”nfc_tag”:{“uid”:”04:61:8a:7a:33:5e:80″,”atqa”:”0x44″,”sak”:”0x00″,”version”:0,”name”:””,”type”:”APPLIANCE”,”keep_on”:false,”timeout”:{“enabled”:false,”duration”:0}},”last_state_changed”:”2019-10-09T18:04:06Z”},”1″:{“state”:1,”shutter”:1,”nfc_tag”:{“uid”:”04:5a:b2:d2:35:5e:81″,”atqa”:”0x44″,”sak”:”0x00″,”version”:0,”name”:””,”type”:”APPLIANCE”,”keep_on”:false,”timeout”:{“enabled”:false,”duration”:0}},”last_state_changed”:”2019-10-09T18:04:08Z”}}},”c0713ae1-1913-5ab7-944b-d94ea4b5477d”:{“software”:[{“type”:”USER_1″,”version”:”1.4.0″}],”online”:false,”status”:{“0”:{“state”:0,”is_ready”:true,”last_state_changed”:”2019-10-09T17:30:34Z”}}},”4f832cb2-824f-58dc-87ad-5a89e121b653″:{“software”:[{“type”:”USER_1″,”version”:”1.4.0″}],”online”:true,”status”:{“0”:{“state”:0,”is_ready”:true,”last_state_changed”:”2019-10-07T17:23:55Z”}}},”59607912-dda1-5e97-9e3d-6b065b9288db”:{“software”:[{“type”:”USER_1″,”version”:”1.4.0″}],”online”:false,”status”:{“0”:{“state”:0,”is_ready”:true,”last_state_changed”:”2019-10-08T18:59:02Z”}}},”5a008677-5c2e-5405-a6b8-357a7e64642a”:{“software”:[{“type”:”USER_1″,”version”:”1.4.0″}],”online”:true,”status”:{“0”:{“state”:0,”is_ready”:true,”last_state_changed”:”2019-10-08T21:19:37Z”}}},”8016c79f-8502-5b5c-b480-bb6361af1398″:{“software”:[{“type”:”USER_1″,”version”:”1.4.0″}],”online”:true,”status”:{“0”:{“state”:0,”shutter”:0,”nfc_tag”:null,”last_state_changed”:”2019-10-07T11:13:41Z”},”1″:{“state”:0,”shutter”:0,”nfc_tag”:null,”last_state_changed”:”2019-09-29T12:54:36Z”}}}}

Switching stuff on and off

After more digging around, I eventually capture the Publish command used to control the state of the individual devices.

A 142 bytes WebSocket message sent when I turned on a switch
The content is an MQTT publish (0011)

This enabled me to update the state and thus turn the switches on and off.

I’ve created a simple web app – https://denclient.azurewebsites.net/ – which can be used to control the connected hardware. You just need to use the same process as I did to sniff the packets.

At the time of writing this, the Den app was still working for me, which enabled me to perform some basic packet sniffing. Since I performed this investigation, the Den App is no longer working. I presume that AWS/Azure have killed the Den backend due to unpaid bills.

6 thoughts on “Den Automation – API

  1. Hi Tomas .. well done 🙂

    Are you saying that you decoded packets between Den’s web service and the hub to extract the username/password ? Or between the sockets and the hub perhaps ? What I’m really asking is now that their service is down am I not able to get the username / password anymore ?

    1. Hi Kevin,

      I grabbed the packets going from the iPhone App to the Hub. This let me get the username and password. Armed with that, I then compiled a list of MQTT commands being sent.

      I build a simple website that could run discovery and command the few devices connected to the hub – http://denclient.azurewebsites.net/

      Unfortunately, now that the app has signed itself out, my approach for getting the credentials is no longer possible. I wish I knew the app would sign out like that – I would have tried to spread the information

      I feel Den really screwed its customers over by not giving them some ability to get this information.

      Sorry I can’t be of any more help. I’ve disconnected my Den Hub and am in the process of replacing the hardware with Sonoff sockets and Shelly 1 relays.

      Maybe some developers from Den will release some information once the company folds officially.

      T

    1. Would be great. Does my API key change if I add more devices ? I have some unopened double sockets.

      1. No, I don’t think so. But then again, my setup was complete when I started. First question – do you have a Mac?? The first step I took in getting the API key was to listen to all network traffic from my iPhone. I achieved this by using Wireshark on my Mac. I used these instructions: http://www.gilles-bertrand.com/2016/07/iphoneappwebtrafficcaptureproxymachttpsniffer.html and after working through the traces, I found the key my phone was using. However, with the API up and running, you could probably “Log In” using your credentials and get the token that way. I might try that this weekend, time permitting.

Leave a Reply to Tomas McGuinness Cancel reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.