Saturday, 28 December 2019

Reverse engineering the Flower Power app

"Flower Power" is an "internet connected" plant / soil monitoring device which was sold in 2016 by Parrot. The company subsequently decided to discontinue these products to concentrate on its better-known flying drone products.

We acquired some Flower Powers for an environmental study project.

How did it work?

A small low power, very clever monitoring device ( see Sylvia Wu's magnificent teardown ) monitors the environmental conditions, and logs them into a local non-volatile memory. It has a Bluetooth Low Energy (BLE) radio to communicate with smartphones.

Then periodically it synchronises with a smartphone app (available for Android and ios) to send the data up to a "cloud" internet server. The phone app doesn't need to connect to the sensor and the internet at the same time; it can buffer data and send them up later - which is useful if your plants are in a location where internet connection isn't available.

What's the problem?

Parrot have stopped supporting the devices and will switch off the (internet) API soon.

We still have working sensors and want to use them at least next year, maybe after.

There may also be more Flower Powers sitting in storage somewhere; those will become really useless if the API to update the firmware isn't available. I wanted to get the firmware before Parrot turn off their servers.

Reverse engineering


The Android app is a .apk file. I downloaded file from this "sideloading" site here:  


 - of course I don't know if this is the real, unmodified app (from "apkpure"), but it seems likely. I'm not going to load it on a real phone from here.

I extracted the files from .zip formats, and eventually found the "meat" of the application in the .dex files classes.dex classes2.dex and classes3.dex.

These are "Dalvik Executable" files, which are just packed in a different format to .jar - so I' used this utility "dex2jar"  to convert them into .jar

Then I used this Java Decompiler to extract the source code.

I was able to see that the app communicates with https://api-flower-power-pot.parrot.com - but it uses some weird authentication scheme.

Fortunately, the code https://github.com/growobservatory/MyData implements the authentication scheme for this API. 

The "secret" client id and client secret are also hard-coded in the Android app source code, so I was able to log in and call the APIs (and get the api token needed for authentication below).

Using this, I obtained the firmware download location:

wget -S  - 'https://api-flower-power-pot.parrot.com/sensor_data/v1/firmware_update/flower-power' --header="Authorization: Bearer myapitoken"

// Got API token by using MyData

// "flower-power" device
{
   "errors" : [],
   "firmware_version" : "2016-09-14_hawaii-2.0.3_hardware-config-MP",
   "user_config_version" : 39,
   "server_identifier" : "2.1.18 April 6th 2017",
   "firmware_update_url" : "http://hawaii2-web-service-prod-firmware.s3.amazonaws.com/2016-09-14_hawaii-2.0.3_hardware-config-MP.bin?1474470262",
   "garden_status_version" : 219
}

Then I could download (without authentication) the firmware image file.

What next?

Ultimately, if we have any new boxed Flower Powers, I will create an app which flashes the firmware image without using Parrot's cloud servers.

This should allow flashing the devices.

We can also call any of the APIs which the app uses, to get our data from the cloud, plus pictures, etc. (Grow Observatory's Getdata app does some of this)

To be continued... I have all the files downloaded. I suppose if Parrot's servers go away, it gets more interesting.

Also,  this NodeJS project claims it can talk to the Flower Power:

https://github.com/sandeepmistry/node-flower-power 

It also says it can update the firmware.

No comments: