LaCrosse Wireless Internet Gateway Model GW1000U ERF-100

skydvrz:
I shot close-up video of my LCD display all night long and sniffed packets at the same time.  I got 7 gigabytes (18 hours!) of some of the most boring video ever shot.   :lol: 

I created a spreadsheet of (some of) the values on-screen when the big data packet went out. I noted packet numbers in the spreadsheet, local time, etc.  I will use it to correlate measured values with hex values in the packets. 

The LCD display blinks the "INTERNET" indicator when the big data packet goes out.  This indicator shuts off if the server does not ACK the packet. It turns back on after the next successful transmission.  The interval between large data packets is anywhere from 1-5 minutes or so, but averages about 4 minutes.

I also blasted the LCD display (location of the inside temp/humidity sensors) with a blow dryer to make a large change in readings during the recording period.  I will probably have to do something similar with the outside sensors.

Analyzing packets now, but it looks like they are shifting XOR keys or whatever encryption they use periodically. There is some suspicious hex in the big data packet:

AA AA AA, BB BB BB, EE EE EE found at offset 0x95 and 0xA4.  They are duplicated in the two offset locations.  The 3-byte hex values seem to perturb the other hex values as they change.

The repeated hex above may be the XOR key they used, but it would be silly to send it each time.  It might also be that they accidentally encrypted some fixed 0x00 or 0xFF bytes in the data record with the XOR key they are using.  If this is the case, then they are using a short key (1 byte) and it should be trivial to decrypt the fields.  Or not...

I am hoping that the GW is light on CPU power and memory space, and that the designers did not go to heroic lengths to encrypt the data.

Here is a good Wireshark _capture filter_ (not a display filter) for sniffing just the important data traffic to/from the GW:

host 192.168.xxx.xxx and tcp port http

where 192.168.xxx.xxx is the actual address of the GW. 

This keeps you from "drinking out of the firehose" during long sniffs.

The GW also chats with the DNS server to get the current server IP, and does the usual TCP/IP muttering, but this filter blocks that.
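
The single-byte XOR guess in the post above (identical 3-byte runs at offsets 0x95 and 0xA4) can be checked mechanically; this is an added example, not part of the original thread and not code from any poster. The payloads are constructed, not real GW1000U captures, and the header, the reading at 0x10 and the 0xB0 record length are assumptions; only the two offsets and the AA/BB/EE values come from the post.

```python
# Added example: tests the single-byte XOR hypothesis on CONSTRUCTED payloads.
# Only the offsets 0x95/0xA4 and the AA/BB/EE values come from the post.
OFFSETS = (0x95, 0xA4)   # where the repeated 3-byte values were seen
RUN = 3                  # length of each repeated run

def candidate_key(payload, assumed_plain=0x00):
    """Return the 1-byte key implied by the repeated bytes, or None if the
    payload does not show the same single-byte triple at both offsets."""
    runs = [payload[o:o + RUN] for o in OFFSETS]
    if any(len(r) != RUN for r in runs) or runs[0] != runs[1]:
        return None
    if len(set(runs[0])) != 1:
        return None
    return runs[0][0] ^ assumed_plain

def xor_decode(payload, key):
    return bytes(b ^ key for b in payload)

def stable_offsets(payloads):
    """Offsets whose byte value is identical in every payload."""
    n = min(len(p) for p in payloads)
    return {i for i in range(n) if len({p[i] for p in payloads}) == 1}

def evaluate(payloads, assumed_plain=0x00):
    """Decode each payload with its own candidate key and count stable
    offsets before and after. A large jump supports the hypothesis."""
    keys = [candidate_key(p, assumed_plain) for p in payloads]
    if None in keys:
        return None
    decoded = [xor_decode(p, k) for p, k in zip(payloads, keys)]
    return keys, len(stable_offsets(payloads)), len(stable_offsets(decoded))

def make_sample(key, temp):
    """Constructed record: fixed header, one varying field, zero padding."""
    plain = bytearray(0xB0)          # hypothetical record length
    plain[0:4] = b"HDR1"             # hypothetical constant header
    plain[0x10] = temp               # hypothetical changing reading
    return bytes(b ^ key for b in plain)

SAMPLES = [make_sample(0xAA, 21), make_sample(0xBB, 23), make_sample(0xEE, 30)]

if __name__ == "__main__":
    print(evaluate(SAMPLES))
```

Assuming 0xFF instead of 0x00 for the constant bytes yields the same stability count, because the two decodings differ only by a bitwise complement; telling them apart needs one field whose true value is known, such as a reading noted from the LCD.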

asquaredancer:
Wow, I'm impressed.
You might just try taking the external sensors out of range, or just take the batteries out of the hum/temp sensor. It's the gateway for the other two.
I guess I'd be surprised if they encrypt weather data.
Have you peeked inside the gateway to see if you can tell what uP they're using?

skydvrz:
I suspect that the GW would probably just repeat the last valid values if I somehow disabled a sensor.  I have seen the LCD display show ___.__ for missing values, so maybe there would be some value to remove batteries, etc.  The weather outside is really crappy, so I'd rather not climb out on my roof right now  :-)

As for the uP used - it really doesn't matter, since the task at hand is interpreting the TCP/IP data and then writing a server simulator - plus I don't want to break my GW module.  The case looks pretty cheesy.

If you haven't registered your unit yet, I'd be interested in seeing the entire process in Wireshark PCAP format.  It took me 2-3 tries to get my unit registered, so I don't want to go through that again!  ](*,)

asquaredancer:
I registered my old GW. That's why I bought another system for use in TX. I've got the new GW that came with the new system and will register that before I go back to MO. It wouldn't register but it does communicate with the server so perhaps if I register it here it'll work with the system back in MO. I've got part of the registration captured with Wireshark from back in MO if you think that'll help.

skydvrz:

--- Quote from: asquaredancer on December 27, 2013, 10:48:38 PM ---I've got the new GW that came with the new system and will register that before I go back to MO. It wouldn't register but it does communicate with the server so perhaps if I register it here it'll work with the system back in MO. I've got part of the registration captured with Wireshark from back in MO if you think that'll help.

--- End quote ---

We may need a complete registration "conversation" to see if there is a way to simulate it with a replacement server.   For folks that have an existing registration with the actual server, I don't think there will be a problem.  Hijack the DNS (for the GW only), point box.weatherserver.com to your own server as a replacement and it should continue to work as long as the GW thinks everything is normal.

There is much work to do  #-o
