Pierre-David Oriol is getting ready for a cloud-free summer time in additional methods than one — by reverse engineering a Dreo good fan for fully-local management, reducing its connection to distant servers in favor of true native integration.
“Summers are getting fairly sizzling, and with an unlucky AC failure I needed to discover fast options similar to high quality followers to remain cool whereas the AC was getting repaired,” Oriol explains. “I am not an excellent fan (hah, that’ll be the Solely Fan pun, I promise) of IoT [Internet of Things] gadgets which can be cloud-dependent. It is usually frequent data that the ‘S’ in IoT stands for Safety: I would quite have these gadgets remoted, and when attainable, managed regionally with none dependency on the cloud.”
A formidable journey of reverse engineering has delivered a Dreo good fan with out the necessity for cloud connectivity. (📷: Pierre-David Oriol)
The fan in query, a Dreo Pilot Max S DR-HTF004S, consists of good options which can be depending on connectivity to a distant cloud service — and whereas the power to combine the system into Residence Assistant already exists due to a earlier third-party effort, it doesn’t take away the requirement for having this connection in place.
To resolve the issue, Oriol set about reverse engineering the fan — beginning with an inspection of its Android app. Assaults on the fan’s built-in net server adopted, earlier than Oriol took the housing off and began to analyze its internals — pulling up a helpful spec sheet for the board answerable for the fan’s IoT connectivity. Dumping the board’s firmware allowed the net server to be decompiled utilizing Ghidra, offering a full checklist of utility programming interface (API) endpoints.
The invention of an undocumented API endpoint permitting for over-the-air firmware updates was key to the venture. (📷: Pierre-David Oriol)
The important thing to the venture’s success: an undocumented endpoint that gives a method to flash a brand new firmware — which, mixed with additional evaluation to seek out the required partition structure, decode the customized UART protocol answerable for fan management, and work out the algorithm for checksum validation, supplied a method to switch the inventory firmware with a port of ESPHome. As soon as flashed, the fan ceases all exterior communication and as a substitute acts as a purely-local system linked to a Residence Assistant server.
Oriol has revealed a full-write up, firmware dumps, and supply code on GitHub below the permissive Apache 2.0 license; it’s, he warns, “for academic functions solely,” and is unquestionably not for use as-is with some other mannequin of fan.