Reverse engineering - mikey0000/PyMammotion GitHub Wiki

These pages contain some documentation about the reverse engineering progress.

Reverse engineering is a lot of work, so any help is appreciated. Feel free to add to this wiki.

Tips

Android

Logs

The Mammotion app is, luckily, quite "chatty" in the logs. Using logcat (for example in Android Studio) with the filter `process:com.agilexrobotics` you can follow the app's output while using it.

Decompiling

  1. Download the .apk for the app ("Mammotion", package name com.agilexrobotics); searching for "download apk" together with the package name turns up mirrors.
  2. Go to javadecompilers.com, upload the APK, let it run, and download the result, or use Visual Studio Code with the APK Lab extension.

Protobufs

Tools for reverse engineering protobuf definitions from captured messages: protobuf-inspector, pbtk, protoc (`protoc --decode_raw` prints the fields of a binary message without a .proto).
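What those tools do under the hood is walk the protobuf wire format: every field starts with a varint tag (`field_number << 3 | wire_type`) and the wire type tells you how the payload is framed. The following is an added example for this wiki, not PyMammotion code or the Mammotion app's protocol: a small wire-format walker you can point at any captured frame. The sample message is constructed by hand for the example, and the string-vs-embedded-message heuristic for length-delimited fields is this example's own assumption (it is the same ambiguity protobuf-inspector has to guess at).

```python
"""Walk protobuf wire format without a .proto (added example, not PyMammotion code)."""
import struct

# Hand-constructed sample message; NOT a captured Luba frame.
SAMPLE = bytes.fromhex(
    "08 9601 "                  # field 1, varint 150
    "12 04 4c756261 "           # field 2, length-delimited "Luba"
    "1a 07 0801 15 88130000 "   # field 3, nested {1: varint 1, 2: fixed32 5000}
    "21 000000000000f83f "      # field 4, fixed64 (double 1.5)
)


def read_varint(buf, pos):
    """Decode a base-128 little-endian varint starting at pos -> (value, new_pos)."""
    value, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint longer than 10 bytes")


def zigzag_decode(v):
    """sint32/sint64 fields are zigzag-encoded: raw varint 1 means -1, 2 means 1."""
    return (v >> 1) ^ -(v & 1)


def _decode_length_delimited(data):
    """Heuristic (assumption of this example): printable ASCII is a string,
    otherwise try an embedded message, then UTF-8, then raw bytes."""
    if not data:
        return b""
    if all(0x20 <= c < 0x7F for c in data):
        return data.decode("ascii")
    try:
        return decode_message(data)
    except ValueError:
        pass
    try:
        return data.decode("utf-8")
    except UnicodeDecodeError:
        return data


def decode_message(buf):
    """Return [(field_number, wire_type, value), ...]; raise ValueError if malformed."""
    fields, pos = [], 0
    while pos < len(buf):
        tag, pos = read_varint(buf, pos)
        field_number, wire_type = tag >> 3, tag & 0x07
        if field_number == 0:
            raise ValueError("field number 0 is illegal")
        if wire_type == 0:                         # varint
            value, pos = read_varint(buf, pos)
        elif wire_type == 1:                       # 64-bit fixed
            chunk = buf[pos:pos + 8]
            if len(chunk) != 8:
                raise ValueError("truncated fixed64")
            value = {"u64": int.from_bytes(chunk, "little"),
                     "f64": struct.unpack("<d", chunk)[0]}
            pos += 8
        elif wire_type == 2:                       # length-delimited
            length, pos = read_varint(buf, pos)
            chunk = buf[pos:pos + length]
            if len(chunk) != length:
                raise ValueError("truncated length-delimited field")
            value = _decode_length_delimited(chunk)
            pos += length
        elif wire_type == 5:                       # 32-bit fixed
            chunk = buf[pos:pos + 4]
            if len(chunk) != 4:
                raise ValueError("truncated fixed32")
            value = {"u32": int.from_bytes(chunk, "little"),
                     "f32": struct.unpack("<f", chunk)[0]}
            pos += 4
        else:                                      # 3/4 are deprecated groups, 6/7 unused
            raise ValueError("unsupported wire type %d" % wire_type)
        fields.append((field_number, wire_type, value))
    return fields


def is_malformed(buf):
    """True when the bytes do not parse as one complete protobuf message."""
    try:
        decode_message(buf)
        return False
    except ValueError:
        return True


def dump(fields, indent=0):
    """Print a readable tree of decoded fields, recursing into embedded messages."""
    for number, wire_type, value in fields:
        pad = "  " * indent
        if isinstance(value, list):
            print("%s%d (msg):" % (pad, number))
            dump(value, indent + 1)
        else:
            print("%s%d (wt%d): %r" % (pad, number, wire_type, value))


if __name__ == "__main__":
    dump(decode_message(SAMPLE))
```

Fixed-width fields are reported both as integers and as floats because the wire format does not say which one the sender meant; likewise a varint may be a plain int, a bool, an enum, or a zigzag-encoded sint, so keep `zigzag_decode` in mind when a field shows suspiciously large odd values.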

Communication pathways

The Luba listens on UDP port 5000 (unknown protocol) and 5683 (CoAP).

So far, these communication pathways have been identified:

```mermaid
C4Context
    System(App, "App")
    System(Luba, "Luba")
    System(Mammotion, "Mammotion")
    System(AlibabaIoT, "Alibaba Cloud IoT")
    BiRel(App, Luba, "Local control", "BLE/MQTT/CoAP")
    Rel(App, Mammotion, "Login", "HTTP")
    Rel(App, Mammotion, "Manage tasks, jobs, etc.", "HTTP")
    BiRel(Luba, AlibabaIoT, "Remote control", "MQTT")
    BiRel(App, AlibabaIoT, "Remote control", "MQTT")
    UpdateLayoutConfig($c4ShapeInRow="2", $c4BoundaryInRow="2")
```

That is:

  • The App can communicate directly with the Luba using BLE (Bluetooth Low Energy)
  • Additionally, the Luba runs a CoAP server (UDP 5683), but the app does not use it
  • When out of Bluetooth range, cloud MQTT is the only option: the device verifies the MQTT broker's root certificate, so redirecting that traffic to a local broker would require spoofing the broker's DNS name and replacing the root certificate on the ESP32
  • Mammotion provides two REST APIs:
    • user, for managing user accounts and logging in
    • device, for managing tasks, jobs, etc.
  • Finally, it is possible to control the Luba remotely using MQTT via Alibaba Cloud IoT

Frida

I'm not going to go into much detail here, but Frida can be used to inspect values in classes at runtime without decompiling the APK. It is very useful and is what was used to work out the encryption for the Wi-Fi communication.