Author Topic: LaCrosse Wireless Internet Gateway Model GW1000U ERF-100  (Read 84369 times)


Offline mycal

  • Member
  • *
  • Posts: 24
Re: LaCrosse Wireless Internet Gateway Model GW1000U ERF-100
« Reply #50 on: January 13, 2014, 05:12:13 PM »
Serial console?


Yes so far no joy.

I would be surprised if you could get anything out of it via serial comm.  All the GW smarts are devoted to TCP/IP.  You probably found a firmware programming port or maybe a production-test I/O port.

Yeah, just in case it is Linux or some other known quantity.   In lots of embedded devices the serial port is very handy.




Offline skydvrz

  • Senior Contributor
  • ****
  • Posts: 221
Re: LaCrosse Wireless Internet Gateway Model GW1000U ERF-100
« Reply #51 on: January 13, 2014, 08:55:59 PM »
Mycal,

That is some very strategic potting compound over the GW processor and RF circuitry.   :grin: I wonder what's underneath? 

Do you think the connector you hooked up to is actually a JTAG header?  If so, you need some different hardware to snoop it.  Also, you could brick the GW in a heartbeat. Be careful.

I saw a hack for a different model home-weather station where the guy tapped into the data stream coming out of the receiver for all the wireless sensors.  The wireless data signal was simple ~915 MHz, PCM modulation.

Since all of the sensor data is routed through the GW, you might be able to do a complete end-run around the whole TCP/IP web server thing.  You would need some sort of hardware UART or do some clever software to turn the PCM bits into bytes and then parse all of that back into sensor readings.  I don't know what would be harder - hacking the hardware or snooping the TCP/IP  #-o

Offline mycal

  • Member
  • *
  • Posts: 24
Re: LaCrosse Wireless Internet Gateway Model GW1000U ERF-100
« Reply #52 on: January 14, 2014, 01:09:48 AM »

Yes it is very securely potted, even the jelly bean parts.   I don't think it is JTAG; I soldered the header on and it has +3.3v, gnd and 2 wires that go into the big potted chip.  This screams serial, but so far I haven't seen anything out of it.  My DSO is packed away so I need to break that out for a peek.

I'm also guessing the 3 pin header that I did not stuff is the Manchester encoded data from the radio to the CPU.

I'm not worried about bricking it,  I design stuff like this for my job so I'm familiar.

Yeah, it might just be better to build a new gateway that can talk to the wireless parts.   But hijacking the pipe and emulating the Weather Direct server as skydvrz is doing is likely a pretty good way to go, especially if you're running DD-WRT or OpenWrt, as it becomes trivial.

I may actually go down that path as I'm working on modules for OpenWrt at the moment for other stuff.  I can post a pic of the other side of the board if anyone is interested.

-M





Offline mycal

  • Member
  • *
  • Posts: 24
Re: LaCrosse Wireless Internet Gateway Model GW1000U ERF-100
« Reply #53 on: January 14, 2014, 04:16:45 AM »

So I have figured out you can talk to the gateway via UDP and set the parameters, reboot and lots of other stuff.  There is also a UDP broadcast search mechanism so you can find the gateways on the network.

So you can just program the gateway to talk to your own server, no prob.

I'm pretty tired, but I will write this up and post tomorrow.  Maybe we can write a simple configure program, then just write our own linux module and be done with it.

-M

PS the port is 61751 on UDP,  example 00 05 [MACADDRESS] 00 0A reboots the gateway.

IE 00 05 01 02 03 04 05 06 00 0A


Offline mycal

  • Member
  • *
  • Posts: 24
Re: LaCrosse Wireless Internet Gateway Model GW1000U ERF-100
« Reply #54 on: January 14, 2014, 04:50:20 PM »
Ok here is the UDP spec I've created and a test PHP script (command line) to exercise it.

I think there is more, but I haven't setup my weather stuff yet, so I've just been playing with the gateway only.

But you can definitely point the server to your own box and emulate.   Likely there is a UDP query you can get the stats with too, but I haven't found that yet.

-M

https://dl.dropboxusercontent.com/u/12351460/Lacross_UDP_Protocol.txt
https://dl.dropboxusercontent.com/u/12351460/lax_send.php


Offline skydvrz

  • Senior Contributor
  • ****
  • Posts: 221
Re: LaCrosse Wireless Internet Gateway Model GW1000U ERF-100
« Reply #55 on: January 14, 2014, 05:59:54 PM »
I noticed that my TCP/IP capture/analysis program was crashing every 120 minutes.  It turns out that there is a short form version of the SDP that has a payload size of 30 bytes that gets sent every 2 hours - on the dot.  The short packet was causing my conversion routines to throw an exception on the missing data.  I assumed the "01:01" packet always had the same length binary payload.  I was wrong...  :???:

The data in the short-SDP has some invariant fields, but most of it changes in subsequent transmissions from the GW to the LCX server.  Interesting... Could this be the only Sensor Data packet that gets sent if you are on the Basic Service plan?

This packet needs to be analyzed by someone and have the fields identified for later parsing.  Later, I will add parsing rules to my app for this packet.

The HTML header for this short packet has the same packet type identifier as the SDP:

HTTP_IDENTIFY: 8009A417:01:1ACD276DFAC43232:01\r\n 

But instead of a Content-Length of 197, it has a length of 30.

I also found out that the 64-bit hex number found above changes during the registration process, so it is some sort of server-issued key, probably used to verify that you have completed the registration process - or to tie your sensor data to your user account. 

The GW does some crazy things with DHCP during the registration process too. It requests new IP addresses from your DHCP server, hopping from IP to IP 3 times (for no apparent reason).  It should be happy with the first one.  Maybe a firmware bug?

There were several new HTTP_IDENTIFY packet ID codes that are only used during registration.  I'll smoosh the leading/trailing hex together, since everyone's 64-bit ID number (stuffed between the two numbers) will be different:

0010 - some sort of registration preamble
0020 - actual registration request
0030 - registration complete/finalize?
7F10 - 13 bytes sent - mysterious stuff
0114 - 14 bytes sent - more mysterious stuff
0001 - 210 bytes sent - even more mysteries



Offline mycal

  • Member
  • *
  • Posts: 24
Re: LaCrosse Wireless Internet Gateway Model GW1000U ERF-100
« Reply #56 on: January 16, 2014, 04:22:02 AM »
Just an update

I tried all packet types in the UDP protocol from 00 00 to ff ff and the only ones that return anything are the ones I've previously documented.

There may be other formats, but for now this is all I know.  It might change once I register my gateway.

-M
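An added worked example, not code from mycal's posts or from the lax_send.php he links above: it builds the 00 05 [MAC] [code] frame from the reboot example in Reply #53 and automates the 00 00 to ff ff sweep described in Reply #56. Assumptions, also marked in the code: that the leading 00 05 and the MAC position are fixed for every command, that the two trailing bytes are a big-endian command code, and that the gateway answers on the socket the frame was sent from. 00 0A (reboot) is the only code the thread documents, so the sweep skips it by default rather than restart the gateway mid-scan; unknown codes could still change settings, so run it only against a gateway you can reconfigure. The IP and MAC addresses in the usage line are placeholders.

```python
"""Frame builder and command-code sweep for the GW1000U UDP control port (61751)."""
import socket
from typing import Callable, Dict, Iterable, Optional

GW_UDP_PORT = 61751
PREAMBLE = bytes([0x00, 0x05])      # fixed leading bytes in mycal's example (assumed constant)
CMD_REBOOT = 0x000A                 # the one command documented in the thread


def parse_mac(mac: str) -> bytes:
    """'01:02:03:04:05:06' (':' or '-' separators, or none) -> 6 raw bytes."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"MAC must be 6 bytes, got {len(raw)}: {mac!r}")
    return raw


def build_frame(mac: str, code: int) -> bytes:
    """00 05 | 6-byte MAC | 2-byte command code (assumed big-endian)."""
    if not 0 <= code <= 0xFFFF:
        raise ValueError("command code must fit in 16 bits")
    return PREAMBLE + parse_mac(mac) + code.to_bytes(2, "big")


def reboot_frame(mac: str) -> bytes:
    """The documented example: 00 05 01 02 03 04 05 06 00 0A reboots MAC 01:02:03:04:05:06."""
    return build_frame(mac, CMD_REBOOT)


def send_and_wait(frame: bytes, gw_ip: str, timeout: float = 0.5) -> Optional[bytes]:
    """Send one frame to the gateway; return its reply payload, or None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(frame, (gw_ip, GW_UDP_PORT))
        try:
            data, _peer = s.recvfrom(2048)
        except socket.timeout:
            return None
    return data


def sweep_codes(mac: str, gw_ip: str, start: int = 0x0000, end: int = 0xFFFF,
                skip: Iterable[int] = (CMD_REBOOT,),
                sender: Callable[[bytes, str], Optional[bytes]] = send_and_wait) -> Dict[int, bytes]:
    """Try every 16-bit code in [start, end] and return {code: reply} for those that answered.
    `skip` defaults to the reboot code so the sweep does not restart the gateway;
    `sender` is injectable so the sweep can be exercised offline."""
    skip = set(skip)
    replies: Dict[int, bytes] = {}
    for code in range(start, end + 1):
        if code in skip:
            continue
        reply = sender(build_frame(mac, code), gw_ip)
        if reply is not None:
            replies[code] = reply
    return replies


if __name__ == "__main__":
    # Placeholder addresses; a full sweep at 0.5 s per code takes about nine hours.
    print(reboot_frame("01:02:03:04:05:06").hex(" "))
    for code, reply in sweep_codes("01:02:03:04:05:06", "192.0.2.10").items():
        print(f"{code:04x}: {reply.hex(' ')}")
```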

Offline skydvrz

  • Senior Contributor
  • ****
  • Posts: 221
Re: LaCrosse Wireless Internet Gateway Model GW1000U ERF-100
« Reply #57 on: January 16, 2014, 10:17:27 AM »
If you haven't registered already, how about capturing the GW TCP/IP conversation during registration. Wireshark is a good tool, if you are not already using it.  I have only one sample right now, and it would be interesting to compare more. 

Offline 10ACTony

  • Senior Member
  • **
  • Posts: 71
Re: LaCrosse Wireless Internet Gateway Model GW1000U ERF-100
« Reply #58 on: January 16, 2014, 05:10:50 PM »
If you haven't registered already, how about capturing the GW TCP/IP conversation during registration. Wireshark is a good tool, if you are not already using it.  I have only one sample right now, and it would be interesting to compare more. 

I sent you a PM.
//
No trees were destroyed in the sending of this message though a significant number of electrons were terribly inconvenienced.
//

Offline skydvrz

  • Senior Contributor
  • ****
  • Posts: 221
Re: LaCrosse Wireless Internet Gateway Model GW1000U ERF-100
« Reply #59 on: January 16, 2014, 05:33:26 PM »

Offline 10ACTony

  • Senior Member
  • **
  • Posts: 71
Re: LaCrosse Wireless Internet Gateway Model GW1000U ERF-100
« Reply #60 on: January 16, 2014, 05:35:23 PM »
I resent it.
//
No trees were destroyed in the sending of this message though a significant number of electrons were terribly inconvenienced.
//

Offline mycal

  • Member
  • *
  • Posts: 24
Re: LaCrosse Wireless Internet Gateway Model GW1000U ERF-100
« Reply #61 on: January 17, 2014, 05:11:17 AM »

I registered my device.

This is what it looks like to me, taking skydvrz HTTP_IDENTIFY as an example:

HTTP_IDENTIFY: 8009A417:01:1ACD276DFAC43232:01\r\n
               AABBBBBB CC DDDDDDDDDDDDDDDD EE

Each packet types seems to consist of

A=80, always 80 so far.
B= MAC address less vendor ID
C= Packet Code 1
D=RegistrationCode or Device Serial Number or other Identifier
E= Packet Code 2

AB never change
D changes on registration; maybe this gets read from the weather station, or is generated in the reg process. Probably easy to check with a fake reg.
C and E form the packet type identifier.  This packet identifier is acknowledged by the server's reply in the HTTP reply header in the HTTP_FLAGS field.  Example:

Packet request:
HTTP_IDENTIFY: 8009A417:00:1ACD276DFAC43232:20

Would get replied:
HTTP_FLAGS: 20:00    <-----------I'm changing my mind on this, not always the case.

This is outside of any other Post or Reply data.


Packets that I have Identified (just showing C:D) :

00:10 --> power up packet for unregistered device.
00:20 --> button push packet, note that this packet may or may not have data in the reply based on whether you're in registration on the website or not.
00:30 --> Ping?
00:70 --> Ping with Data?  Or Poll Data,  After Registration this is the power up packet.
7F:10 -->
01:14 --> Pushes data
01:01 --> Likely Data Packet Push as explained by skydvrz  (seen HTTP_FLAGS reply 00:00 here)
01:00 --> Push 5 bytes with data reply


That's it so far, I have not analyzed the data in the packets yet.


-M
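An added example (my code, not anything posted in the thread) that parses the HTTP_IDENTIFY header into the A to E fields described above, looks up the C and E code pairs listed in this reply and in skydvrz's registration list, and uses Content-Length to tell the 197-byte SDP from the 30-byte short form that crashed skydvrz's capture program in Reply #55, so the caller never indexes past a short body. The sample header blocks are constructed: the HTTP_IDENTIFY value and the host name come from the thread, the request line is a placeholder, and the packet-type descriptions are the thread's guesses, not confirmed semantics.

```python
"""Parse the HTTP_IDENTIFY header the GW1000U sends with each HTTP request."""
import re
from typing import Dict

# Packet types as listed in the thread, keyed by the (C, E) code pair; meanings are tentative.
PACKET_TYPES = {
    (0x00, 0x10): "power-up (unregistered)",
    (0x00, 0x20): "button push",
    (0x00, 0x30): "ping?",
    (0x00, 0x70): "ping with data / power-up after registration",
    (0x7F, 0x10): "unknown (13-byte payload seen during registration)",
    (0x01, 0x14): "data push (14-byte payload)",
    (0x01, 0x01): "sensor data packet (SDP)",
    (0x01, 0x00): "push, 5-byte payload with data reply",
}
SDP_FULL_LEN = 197   # Content-Length of the normal SDP (skydvrz, Reply #55)
SDP_SHORT_LEN = 30   # Content-Length of the short SDP sent every two hours

# A+B (8 hex) : C (2 hex) : D (16 hex) : E (2 hex)
IDENTIFY_RE = re.compile(
    r"^([0-9A-Fa-f]{8}):([0-9A-Fa-f]{2}):([0-9A-Fa-f]{16}):([0-9A-Fa-f]{2})$")


def parse_identify(value: str) -> Dict[str, object]:
    """Split one HTTP_IDENTIFY value into the A..E fields mycal describes."""
    m = IDENTIFY_RE.match(value.strip())
    if not m:
        raise ValueError(f"unexpected HTTP_IDENTIFY format: {value!r}")
    ab, c, d, e = m.groups()
    code = (int(c, 16), int(e, 16))
    return {
        "a": ab[:2],                       # always "80" so far
        "b": ab[2:],                       # MAC address less vendor ID
        "c": code[0],                      # packet code 1
        "d": d.upper(),                    # registration code / device identifier
        "e": code[1],                      # packet code 2
        "type": PACKET_TYPES.get(code, "unknown"),
    }


def parse_request_headers(raw: str) -> Dict[str, str]:
    """Raw header block -> {UPPER-NAME: value}; tolerates CRLF or LF line endings."""
    headers: Dict[str, str] = {}
    for line in raw.replace("\r\n", "\n").split("\n"):
        if ":" not in line:
            continue                        # request line or blank line
        name, _, val = line.partition(":")
        headers[name.strip().upper()] = val.strip()
    return headers


def classify(raw_headers: str) -> Dict[str, object]:
    """Identify the packet type and, for an SDP, whether the body is the full or short form."""
    h = parse_request_headers(raw_headers)
    info = parse_identify(h["HTTP_IDENTIFY"])
    length = int(h.get("CONTENT-LENGTH", "0"))
    info["content_length"] = length
    if (info["c"], info["e"]) == (0x01, 0x01):
        if length == SDP_FULL_LEN:
            info["variant"] = "full"
        elif length == SDP_SHORT_LEN:
            info["variant"] = "short"
        else:
            info["variant"] = "unexpected"  # never index into the body on a fixed layout here
    return info


# Constructed samples: only the HTTP_IDENTIFY value and host name come from the thread.
SAMPLE_FULL = ("POST / HTTP/1.1\r\nHost: box.weatherdirect.com\r\n"
               "HTTP_IDENTIFY: 8009A417:01:1ACD276DFAC43232:01\r\nContent-Length: 197\r\n\r\n")
SAMPLE_SHORT = SAMPLE_FULL.replace("Content-Length: 197", "Content-Length: 30")
SAMPLE_BUTTON = ("POST / HTTP/1.1\r\nHost: box.weatherdirect.com\r\n"
                 "HTTP_IDENTIFY: 8009A417:00:1ACD276DFAC43232:20\r\nContent-Length: 0\r\n\r\n")

if __name__ == "__main__":
    for sample in (SAMPLE_FULL, SAMPLE_SHORT, SAMPLE_BUTTON):
        print(classify(sample))
```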








Offline skydvrz

  • Senior Contributor
  • ****
  • Posts: 221
Re: LaCrosse Wireless Internet Gateway Model GW1000U ERF-100
« Reply #62 on: January 17, 2014, 10:39:10 AM »
My packet sniffer app is working well (running 48 hours or so without a glitch), and my monitor program is just about ready for release - probably this 3-day weekend. Note that it uses MySQL database server to save packet and sensor readings.  I can temporarily provide an open MySQL server for a few beta testers. 

MySQL is free/open source.  I can provide a file needed to create the schema/table structures I used if you want to set up your own private database server (recommended).  Don't let "server" scare you.  MySQL is just a program that runs on your computer.  You can put it on the same PC as your other programs or run it on a spare computer somewhere on your home network.

Screen shots:

Current sensor reading in realtime.  I figured out most of the date/time fields in the SDP packet:
https://www.dropbox.com/s/j6twypw2pnzzp8x/Current%20Readings.png

Historical readings mode:
https://www.dropbox.com/s/1kzxud7jf5ujwt3/historical%20readings.png

Packet debug/analysis mode:
https://www.dropbox.com/s/58uos81e3gmjyfj/Packet%20Debug.png

Offline mycal

  • Member
  • *
  • Posts: 24
Re: LaCrosse Wireless Internet Gateway Model GW1000U ERF-100
« Reply #63 on: January 17, 2014, 01:06:36 PM »
Sky,

So I was thinking with your software that maybe we can make it simple without having to sniff or use an Ethernet hub.

2 possible ways:

1) One is build the interface into your software to be a proxy, this way we can tell the gateway that your software is the proxy, you add the socks proxy bits, but you get all the packets from the gateway, and forward them on.

2) Might be simple, just act as a router and point the weather gateway config to your software.   So instead of your router, the packets get sent to your software, then you just forward them on to your gateway.  (you'd have to handle reply packets too.)

Your software should be able to automatically configure the gateway for this using the UDP config protocol.

This way there is no special hardware needed, just run your software and it works.

-M







Offline skydvrz

  • Senior Contributor
  • ****
  • Posts: 221
Re: LaCrosse Wireless Internet Gateway Model GW1000U ERF-100
« Reply #64 on: January 17, 2014, 02:20:40 PM »
1) One is build the interface into your software to be a proxy, this way we can tell the gateway that your software is the proxy, you add the socks proxy bits, but you get all the packets from the gateway, and forward them on.

Possibly.

Quote
2) Might be simple, just act as a router and point the weather gateway config to your software.   So instead of your router, the packets get sent to your software, then you just forward them on to your gateway.  (you'd have to handle reply packets too.)

Won't work, because the GW wants to carry on a specific conversational "dance" with the LCX Cloud server.  I'd have to simulate the server in order to fool the GW into submitting data.  My guess is the GW/Server designers already thought of that and made it a bit complicated to protect revenue.  Remember that they do charge you money for accessing that server....  Not that it could not be done. 

There is way too much mysterious data sent back and forth.  Much of that would have to be decoded and simulated to fool the GW. 

We may be screwed if there is some sort of challenge-reply code: The GW sends a random string to the server, the serve encrypts the data in a very specific way and sends it back to the GW.  The GW decrypts it and if it does not equal what it just sent then it quits.  This is something I would do in LCX's place to prevent guys like me doing what I am doing now.  :grin:

An actual server simulator would not be a simple proxy, but an entire Web Server simulator having the same business rules as the actual one.  Since the LCX server hostname is hard coded into the GW, then we'd also need a fake DNS server (easy) to tell the GW to send its packets to the server simulator instead of the actual LCX Cloud server.



The way it works now is I simply listen in on the conversation between the GW and LCX server.  Since it is non-invasive, the GW is not interrupted, has a nice warm server to talk to and thinks everything is hunky-dory.   Much simpler than simulating an entire server.

Quote
Your software should be able to automatically configure the gateway for this using the UDP config protocol.

Possibly, but why reinvent the wheel?  It is easier to use LCX's own GAS utility.  You can use it to change the GW DNS address to a fake DNS server located on your home network. When GW "dials up" the fake DNS and asks for the IP of box.weatherdirect.com, it always replies with an IP on your LAN - the location of the server simulator.  That would only work with a full-blown server simulator though.

Maybe if you could simulate the entire registration process.  Then you would not need UDP at all.  I think I saw the LCX server configuring the host name for the GW to use.  That was over TCP/IP.

To my knowledge, UDP is for use by the GAS utility only.



« Last Edit: January 17, 2014, 02:22:56 PM by skydvrz »
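The fake DNS server skydvrz describes, as an added example that is neither his code nor LCX's GAS utility: it answers A queries for box.weatherdirect.com with a LAN address (192.168.1.50 here, an assumed placeholder for the server simulator) and NXDOMAIN for every other name, so only the GW's server lookup is redirected. The query builder is a constructed helper for testing. Binding port 53 needs privileges, and a real deployment would forward non-overridden names to an upstream resolver instead of refusing them; that forwarding is left out so the example runs offline.

```python
"""Minimal spoofing DNS responder: A/IN answers for overridden names, NXDOMAIN otherwise."""
import socket
import struct
from typing import Dict, Tuple

# Hostname the GW has hard-coded (from the thread) -> LAN address of the simulator (assumed).
OVERRIDES: Dict[str, str] = {"box.weatherdirect.com": "192.168.1.50"}
QTYPE_A, QCLASS_IN = 1, 1
FLAGS_OK = 0x8180        # QR=1, RD=1, RA=1, RCODE=0
FLAGS_NXDOMAIN = 0x8183  # same with RCODE=3


def parse_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Read a label sequence starting at `off`; return (dotted name, offset after it)."""
    labels = []
    while True:
        n = msg[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compressed name in question section")
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels), off


def parse_query(msg: bytes) -> Tuple[int, str, int, int, bytes]:
    """Return (txid, name, qtype, qclass, raw question bytes) for a single-question query."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x8000 or qd != 1:
        raise ValueError("not a single-question query")
    name, off = parse_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return txid, name, qtype, qclass, msg[12:off + 4]


def build_response(query: bytes, overrides: Dict[str, str] = OVERRIDES) -> bytes:
    """Answer with the override address for A/IN queries on a known name, else NXDOMAIN."""
    txid, name, qtype, qclass, question = parse_query(query)
    ip = overrides.get(name.lower())
    if ip is None or qtype != QTYPE_A or qclass != QCLASS_IN:
        return struct.pack("!HHHHHH", txid, FLAGS_NXDOMAIN, 1, 0, 0, 0) + question
    header = struct.pack("!HHHHHH", txid, FLAGS_OK, 1, 1, 0, 0)
    # Answer RR: pointer to the name at offset 12, type A, class IN, TTL 60 s, RDLENGTH 4.
    answer = struct.pack("!HHHIH", 0xC00C, QTYPE_A, QCLASS_IN, 60, 4) + socket.inet_aton(ip)
    return header + question + answer


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Constructed test helper: an A/IN query for `name` with RD set."""
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + labels + struct.pack("!HH", 1, 1)


def serve(bind_addr: str = "0.0.0.0", port: int = 53) -> None:
    """Answer queries forever; point the GW's DNS setting at this host (needs port-53 privileges)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((bind_addr, port))
        while True:
            data, peer = s.recvfrom(512)
            try:
                s.sendto(build_response(data), peer)
            except (ValueError, IndexError):
                continue  # malformed query: drop it rather than crash the responder


if __name__ == "__main__":
    print(build_response(build_query("box.weatherdirect.com")).hex(" "))
```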

Offline mycal

  • Member
  • *
  • Posts: 24
Re: LaCrosse Wireless Internet Gateway Model GW1000U ERF-100
« Reply #65 on: January 17, 2014, 03:54:40 PM »

Quote
2) Might be simple, just act as a router and point the weather gateway config to your software.   So instead of your router, the packets get sent to your software, then you just forward them on to your gateway.  (you'd have to handle reply packets too.)

Won't work, because the GW wants to carry on a specific conversational "dance" with the LCX Cloud server.  I'd have to simulate the server in order to fool the GW into submitting data.  My guess is the GW/Server designers already thought of that and made it a bit complicated to protect revenue.  Remember that they do charge you money for accessing that server....  Not that it could not be done. 


Maybe I'm not being clear. I relooked at option 2 and I think it is only a few more lines of code than what you have now. In option 2 you're basically doing what you're doing now except you don't need a hub.

All you have to do is set the "router" gateway to your software host IP address. All packets sent by the weather gateway will go to your host.  All you have to do is change the destination MAC of the packet you receive from the gateway to your "internet router" address and send the packet.   That's it.  You don't change any of the data.  The replies will bypass you and go directly to the weather gateway from your router.

Like I said this is just an idea to toss around.
















Offline skydvrz

  • Senior Contributor
  • ****
  • Posts: 221
Re: LaCrosse Wireless Internet Gateway Model GW1000U ERF-100
« Reply #66 on: January 17, 2014, 05:04:59 PM »
Ok, I guess I misunderstood.  I am working on a couple major software development projects right now (not related to SkySpy) and mental multitasking isn't working for me this morning :-)

Can you tweak the outbound MAC address without messing with the NIC settings? 

Offline mycal

  • Member
  • *
  • Posts: 24
Re: LaCrosse Wireless Internet Gateway Model GW1000U ERF-100
« Reply #67 on: January 19, 2014, 01:57:00 PM »
Ok, I guess I misunderstood.  I am working on a couple major software development projects right now (not related to SkySpy) and mental multitasking isn't working for me this morning :-)

Can you tweak the outbound MAC address without messing with the NIC settings? 

Well I guess I am assuming a lot.   I am assuming you're using something like pcap/winpcap to sniff the packets; if you are, then it is trivial.   You can send any MAC address you want.  You don't even have to recalculate any checksums since it is link level and doesn't even touch the IP layer.

I don't know what language you're using either, but it shouldn't matter.

-M
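mycal's option 2 as an added example (my code, not his or skydvrz's SkySpy): the sniffer host is the GW's configured "router", frames from the GW are matched by source and destination MAC, the destination MAC is swapped for the real router's, and the frame is re-sent untouched above layer 2. The IPv4 header checksum is recomputed only to show that it still validates after the rewrite, which is the point mycal makes about not touching the IP layer. The relay loop uses a Linux AF_PACKET raw socket (my choice; mycal refers to pcap/winpcap) and needs CAP_NET_RAW; every MAC and IP address is a placeholder, and the sample frame is constructed, not a captured GW packet.

```python
"""Layer-2 relay: re-address frames from the weather gateway to the real router."""
import socket
import struct
from typing import Callable, Optional

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
IP_HDR_LEN = 20


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def ip_header_checksum(header: bytes) -> int:
    """Ones'-complement sum over an IPv4 header; returns 0 when the embedded checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def is_gateway_frame(frame: bytes, gw_mac: bytes, my_mac: bytes) -> bool:
    """Only IPv4 frames the GW addressed to this host (its 'router') are ours to relay."""
    if len(frame) < ETH_HDR_LEN:
        return False
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    return src == gw_mac and dst == my_mac and ethertype == ETHERTYPE_IPV4


def rewrite_dst_mac(frame: bytes, router_mac: bytes) -> bytes:
    """Replace the destination MAC; bytes from the source MAC onward are untouched."""
    return router_mac + frame[6:]


def sample_frame(gw_mac: bytes, my_mac: bytes) -> bytes:
    """Constructed frame: GW 192.168.1.20 -> 203.0.113.10 UDP/80, sent to our MAC. Not a real GW packet."""
    payload = b"constructed payload"
    udp = struct.pack("!HHHH", 40000, 80, 8 + len(payload), 0) + payload
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR_LEN + len(udp), 1, 0, 64, 17, 0,
                               socket.inet_aton("192.168.1.20"), socket.inet_aton("203.0.113.10")))
    struct.pack_into("!H", ip, 10, ip_header_checksum(bytes(ip)))   # fill in a valid checksum
    return my_mac + gw_mac + struct.pack("!H", ETHERTYPE_IPV4) + bytes(ip) + udp


def relay(iface: str, gw_mac: str, my_mac: str, router_mac: str,
          send: Optional[Callable[[bytes], object]] = None) -> None:
    """Linux-only loop: receive every frame on `iface`, re-address the GW's, put them back.
    `send` is injectable for testing; the real path needs CAP_NET_RAW."""
    gw, me, rt = mac_bytes(gw_mac), mac_bytes(my_mac), mac_bytes(router_mac)
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(0x0003))
    s.bind((iface, 0))
    send = send or s.send
    while True:
        frame = s.recv(65535)
        if is_gateway_frame(frame, gw, me):
            send(rewrite_dst_mac(frame, rt))


if __name__ == "__main__":
    # Placeholder addresses for the weather gateway, this host, and the real router.
    relay("eth0", "00:11:22:33:44:55", "66:77:88:99:aa:bb", "cc:dd:ee:ff:00:11")
```

Two notes of my own, not from the thread: keep net.ipv4.ip_forward at 0 on the relay host, otherwise the kernel forwards the same packets itself and the router sees each one twice; and because the re-sent frame now carries the router's MAC as destination, the filter no longer matches it when the promiscuous socket sees it again, so the relay cannot loop on its own output. Replies from the router go straight to the GW's MAC and never pass through the relay, exactly as mycal describes.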

Offline slim83301

  • Member
  • *
  • Posts: 3
Re: LaCrosse Wireless Internet Gateway Model GW1000U ERF-100
« Reply #68 on: January 29, 2014, 01:12:32 PM »
I just wanted to say thanks for all that you guys have done so far!!!

I work in a school district as their tech for computers and we have a teacher that received one of these PWS from her parents for Christmas. She would like to get it out to a site so that students can do some predictions and experiments which are weather related.

I have access to most of the hardware you are using but the software is my challenge.  :? This has been a fun read! I guess I need to go back to school! :lol:

Don't stop now!

Again thanks!

Will

Offline skydvrz

  • Senior Contributor
  • ****
  • Posts: 221
Re: LaCrosse Wireless Internet Gateway Model GW1000U ERF-100
« Reply #69 on: January 29, 2014, 01:23:30 PM »
Will,

I have a system up and running that can capture all of the sensor readings, display them and export to Excel.  I have it running at two sites right now.

There are a couple issues to iron out, but I should be able to publish something soon.

As for displaying the data on a web site - that is a while off.  Right now you need a PC and a program that connects to my database of weather samples.

Here is a screen shot of the latest version of the SkySpy monitor program, displaying weather readings in real time:



https://www.dropbox.com/s/qc0j7n8ub7e6lkt/ssMonitorNewHist.png
« Last Edit: January 29, 2014, 01:28:38 PM by skydvrz »

Offline mikemac99

  • Member
  • *
  • Posts: 6
Re: LaCrosse Wireless Internet Gateway Model GW1000U ERF-100
« Reply #70 on: January 29, 2014, 09:22:48 PM »
How is the CPU usage when your sniffer is running?  It sounds like all the network traffic going out the router needs to be inspected by the sniffer program in order to find the packets we care about (going to the LaCrosse server).  There are other devices on my home network such as a Tivo and Apple TV and I'm wondering if checking all the traffic would load down the CPU.

Offline skydvrz

  • Senior Contributor
  • ****
  • Posts: 221
Re: LaCrosse Wireless Internet Gateway Model GW1000U ERF-100
« Reply #71 on: January 29, 2014, 09:26:29 PM »
Data packets and other network chitchat from the Gateway happens every couple minutes.  This is not a big burden for most PCs  :lol:

Offline mycal

  • Member
  • *
  • Posts: 24
Re: LaCrosse Wireless Internet Gateway Model GW1000U ERF-100
« Reply #72 on: February 02, 2014, 06:12:02 PM »
Did you ever force the gateway?

Sorry I haven't been around, I deployed the weather station, but I will be getting another next week for this location, then I can help test/debug more.


Offline skydvrz

  • Senior Contributor
  • ****
  • Posts: 221
Re: LaCrosse Wireless Internet Gateway Model GW1000U ERF-100
« Reply #73 on: February 02, 2014, 07:13:14 PM »
Mycal,

I am mostly working on getting the SkySpy Capture and SkySpy Monitor working 100%.  I have it running at my home and another beta site, with over 45000 packet samples collected.  A server simulator may come later, but it will be a ways off.

Today I am adding graphs to the monitor program.

You are welcome to join us when you get your hardware situated.  At this point in development, you either need an "old-school" hub or a dual-Ethernet port PC.  You might be able to get it to work with a WiFi laptop that also has an Ethernet port - where both can be run at the same time. 

Offline mycal

  • Member
  • *
  • Posts: 24
Re: LaCrosse Wireless Internet Gateway Model GW1000U ERF-100
« Reply #74 on: February 03, 2014, 01:12:17 AM »

Yes I have a 10/100 hub and an access point sniffer setup in my lab.  I like the old 10/100 hubs with 2 collision domains rather than a 10mbps hub as they are not usable for general use.

I'm well versed in wireshark, routing and pcap so I can help you do the gateway trick, so you don't have to listen to the whole network or use a hub too.

-M