Reverse engineering - mikey0000/PyMammotion GitHub Wiki
These pages contain some documentation about the reverse engineering progress.
Reverse engineering is a lot of work, so any help is appreciated. Feel free to add to this wiki.
Tips
Android
Logs
The Mammotion app is, luckily, quite "chatty" in the logs. Using logcat (for example in Android Studio) with the filter process:com.agilexrobotics, you can follow the output of the app while using it.
Decompiling
- Download the .apk (Google "download apk") for the app ("Mammotion", com.agilexrobotics)
- Go to javadecompilers.com, upload the APK, let it do its thing and download the result, or use Visual Studio Code with the APK Lab tool.
Protobufs
- Reverse engineering Protobuf
Tools to reverse engineer protobuf definitions: protobuf-inspector, pbtk, protoc
Communication pathways
The Luba listens on UDP port 5000 (unknown protocol) and 5683 (CoAP).
So far, these communication pathways have been identified:
C4Context
System(App, "App")
System(Luba, "Luba")
System(Mammotion, "Mammotion")
System(AlibabaIoT, "Alibaba Cloud IoT")
BiRel(App, Luba, "Local control", "BLE/MQTT/CoAP")
Rel(App, Mammotion, "Login", "HTTP")
Rel(App, Mammotion, "Manage tasks, jobs, etc.", "HTTP")
BiRel(Luba, AlibabaIoT, "Remote control", "MQTT")
BiRel(App, AlibabaIoT, "Remote control", "MQTT")
UpdateLayoutConfig($c4ShapeInRow="2", $c4BoundaryInRow="2")
That is:
- The App can communicate directly with the Luba using BLE (Bluetooth Low Energy)
- Additionally, the Luba runs a CoAP server, but the app does not use it
- When out of Bluetooth range, cloud MQTT is the only option, as the device verifies the root certificate for MQTT (getting around it requires spoofing a DNS address and replacing the root cert on the ESP32)
- Mammotion provides two REST APIs:
- Finally, it is possible to control the Luba remotely using MQTT via the Alibaba Cloud
Frida
I'm not going to go into much detail here, but Frida can be used to look at values in classes without decompiling the APK. It's very useful, and it's what was used to work on the encryption for Wi-Fi communication.