Author Topic: does the GW2000 phone home to china too ?  (Read 1934 times)


Offline mcrossley

  • Forecaster
  • *****
  • Posts: 1140
    • Wilmslow Astro
Re: does the GW2000 phone home to china too ?
« Reply #25 on: March 22, 2024, 06:56:22 PM »
It looks like 47.102.253.116 is the upload/config/firmware server, and 120.25.115.20 is the NTP server.
Alibaba offer cloud hosting solutions for other companies as well as the well-known marketplace.
« Last Edit: March 22, 2024, 06:58:32 PM by mcrossley »
Mark

Offline jumper

  • Member
  • *
  • Posts: 5
Re: does the GW2000 phone home to china too ?
« Reply #26 on: March 22, 2024, 08:04:08 PM »
Thank you for the clarification. I could not identify the Shanghai web addresses' purposes, just that they get polled very frequently. I see once-a-second polling on what you identify as the Alibaba upload/config/firmware server, and once a minute on the Alibaba NTP server. Yet I have both auto firmware updates and auto time zone disabled in the GW2000.

I appreciate that:
Quote
Alibaba offer cloud hosting solutions for other companies as well as the well-known marketplace.
I didn't know Alibaba provides hosting (and apparently, NTP) services.

Offline jbroome

  • Senior Member
  • **
  • Posts: 53
Re: does the GW2000 phone home to china too ?
« Reply #27 on: March 22, 2024, 11:10:07 PM »
The recent posts got me looking at my GW1100 to see exactly what it was doing.  (I have a GW2000 on order, so I'll repeat this when that arrives.)

So I monitored everything that it did from the time I turned it on, and here's what I saw. I'm leaving out the DHCP and ARP requests, as those are boring.

NOTE that this device has the updates to ecowitt.net set to one minute intervals. All other services are turned off. (More on that later.)

1. DNS lookup to the DHCP-configured DNS server, asking for "rtpdate.ecowitt.net".  (On my network, I have configured my DNS server to return the local address of my own web server instead of the real IP address of rtpdate.ecowitt.net.)
 
2. HTTP "POST" to /data/ip_api/ on that IP address, with the "HOST" (SNI) field set to cdnrtpdate.ecowitt.net - not rtpdate.ecowitt.net - and the following data:

             mac=30:83:98:A7:2E:D9&stationtype=GW1100C_V2.1.8&fields=timezone,utc_offset,dst,date_sunrise,date_sunset

   I have my server respond with HTTP status code 202 and the following data:

             {"timezone":"America\/Los_Angeles","utc_offset":"-25200","dst":"1","date_sunrise":"06:50","date_sunset":"19:07"}

3. DNS lookup to the DHCP-configured DNS server, asking for "cdnrtpdate.ecowitt.net".  (Similarly, I have configured my DNS server to return the address of my web server instead of the real IP address.)

4. HTTP "POST" to /data/report/ on that IP address, with the "HOST" (SNI) field set to cdnrtpdate.ecowitt.net, as expected, and the following data (broken onto multiple lines here for readability):

            PASSKEY=FEA606E728ABB98925C42F5CE38A819D&stationtype=GW1100C_V2.1.8&
            runtime=43&dateutc=2024-03-43+01:21:19&tempinf=74.12&humidityin=57&
            baromrelin=30.014&baromabsin=30.014&temp6f=70.52&humidity6=61&soilmoisture1=0&
            leak_ch1=0&leak_ch2=0&leak_ch3=0&leak_ch4=0&batt6=0&soilbatt1=0.8&leakbatt1=5&
            leakbatt2=5&leakbatt3=5&leakbatt4=5&freq=433M&model=GW1100C


    Note that the PASSKEY value is simply the MD5 hash of the MAC address, using uppercase hex digits.

    My server simply responds with HTTP status code 202, accepted.

5. It does a DNS request for "pool.ntp.org".  In this case, I let my DNS server return the real IP address for that.

6. It sends an NTP request using UDP to the returned IP address, which replies with the time information (several timestamps.)

7. It sends a UDP broadcast packet to the local network's broadcast address (192.168.23.255 in my case), directed to port 59387.
    This is the Ecowitt broadcast packet, formatted as:

        0x0000:  4500 0046 0018 0000 ff11 0cee c0a8 1551  E..F...........Q
        0x0010:  c0a8 17ff d5dc e7fb 0032 d6e3 ffff 1200  .........2......
        0x0020:  2730 8398 a72e d9c0 a815 51af c817 4757  '0........Q...GW
        0x0030:  3131 3030 432d 5749 4649 3245 4439 2056  1100C-WIFI2ED9.V
        0x0040:  322e 312e 38ee                           2.1.8.

    The data contained is, in order, CMD_BROADCAST (hex 12), two bytes of packet size (00 27 in this case = 39 decimal), six bytes of MAC address (30 83 98 A7 2E D9), four bytes of IP address (C0 A8 15 51 = 192.168.21.81), two bytes of port number (AF C8 = 45000 decimal), one byte for the size of the SSID (in this case, 17 = 23 decimal), and size bytes of SSID, usually with the firmware version concatenated ("GW1100C-WIFI2ED9 V2.1.8"), followed by the packet data checksum (ee).

8. It repeated step 7 three additional times, sending the UDP broadcast a total of four times, every two seconds.

9. It then repeated step 4, HTTP "POST" to /data/report/, WITHOUT doing another DNS lookup.

It then falls into a cycle, doing the UDP broadcast (step 7) roughly every two seconds, and the HTTP POST to /data/report (step 4) every 61 seconds.
It occasionally does the HTTP post to /data/ip_api (step 2) on a decreasing basis by my observation - initially one minute apart, then two, three, four, five, etc., up to ten minutes apart.

So when I disabled updates to the ecowitt.net service, unsurprisingly the POST to /data/report went away completely - it didn't do this even when first booted. When I began this project, I was using a near-virgin GW1100C, and I didn't realize that ecowitt updates were enabled by default.

Some other notes: at least over the course of ten minutes, the GW1100 only performed one DNS query per name - it did not look them up again before reusing the address (for the HTTP POST, at least.)  It also only performed the initial NTP query, and no more.  I will monitor for a longer time to see if/when it reissues the DNS or NTP requests.

   ---Jonathan
« Last Edit: March 23, 2024, 02:07:19 AM by jbroome »
Collector of Ecowitt and related gizmos:
GW1000 x3 (both 915 MHz and 433 MHz)
GW1100 x2 (both 915 MHz and 433 MHz)
GW1200 (433 MHz)
GW2000 (915 MHz)
WH31
WH31P
WH32E
WH32B
WH34BS
WH34BL
WN35
WH40
WH41
WH45
WH46
WH51
WH55
WH57
WH65B
WH68
WS90BN
(and probably more that I've forgotten)
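As an added example (not Jonathan's code, and not anything published by Ecowitt), here is a Python decoder for the CMD_BROADCAST datagram laid out in step 7, fed with the raw IPv4/UDP frame from the hex dump above, plus the PASSKEY derivation from step 4. Two points are assumptions inferred from the capture rather than from any spec quoted in the thread: the SIZE field (39) is taken to count the bytes from CMD through the end of the SSID, and the checksum is taken to be the 8-bit sum of those same bytes (which does come out to 0xEE for this packet). The PASSKEY helper assumes the MAC is hashed in the colon-separated, upper-case form the device sends in its own requests.

```python
from __future__ import annotations

import hashlib
import struct

CMD_BROADCAST = 0x12      # command byte seen in the capture
BROADCAST_PORT = 59387    # UDP destination port of the broadcast

# Constructed sample: the raw IPv4/UDP frame from the hex dump in the post
# (no Ethernet header, exactly as the dump shows it).
SAMPLE_FRAME = bytes.fromhex(
    "4500 0046 0018 0000 ff11 0cee c0a8 1551"
    "c0a8 17ff d5dc e7fb 0032 d6e3 ffff 1200"
    "2730 8398 a72e d9c0 a815 51af c817 4757"
    "3131 3030 432d 5749 4649 3245 4439 2056"
    "322e 312e 38ee"
)


def udp_payload_from_ipv4(frame: bytes) -> tuple[int, bytes]:
    """Return (UDP destination port, UDP payload) from a raw IPv4 frame."""
    if len(frame) < 28 or frame[0] >> 4 != 4:
        raise ValueError("not an IPv4 frame")
    ihl = (frame[0] & 0x0F) * 4            # IP header length in bytes
    if frame[9] != 17:                     # protocol 17 = UDP
        raise ValueError("not a UDP datagram")
    (total_len,) = struct.unpack_from(">H", frame, 2)
    dst_port, udp_len = struct.unpack_from(">HH", frame, ihl + 2)
    if total_len != len(frame) or ihl + udp_len > len(frame):
        raise ValueError("length fields disagree with captured bytes")
    return dst_port, frame[ihl + 8 : ihl + udp_len]


def parse_broadcast(payload: bytes) -> dict:
    """Decode an Ecowitt CMD_BROADCAST payload, verifying size and checksum."""
    if len(payload) < 19 or payload[:2] != b"\xff\xff":
        raise ValueError("missing 0xFFFF preamble")
    cmd = payload[2]
    if cmd != CMD_BROADCAST:
        raise ValueError(f"unexpected command 0x{cmd:02x}")
    (size,) = struct.unpack_from(">H", payload, 3)
    # Assumption from the capture: SIZE (39 here) counts CMD through the end
    # of the SSID, i.e. everything after the preamble except the checksum.
    if size != len(payload) - 3:
        raise ValueError(f"size field {size} != {len(payload) - 3} bytes present")
    mac = payload[5:11]
    ip = payload[11:15]
    (port,) = struct.unpack_from(">H", payload, 15)
    ssid_len = payload[17]
    ssid_end = 18 + ssid_len
    if ssid_end + 1 != len(payload):
        raise ValueError("SSID length byte disagrees with packet length")
    ssid = payload[18:ssid_end].decode("ascii", errors="replace")
    checksum = payload[ssid_end]
    # Assumption from the capture: checksum = 8-bit sum of CMD..SSID bytes,
    # which evaluates to 0xEE for the packet above.
    expected = sum(payload[2:ssid_end]) & 0xFF
    if checksum != expected:
        raise ValueError(f"checksum 0x{checksum:02x} != computed 0x{expected:02x}")
    device, _, firmware = ssid.rpartition(" ")   # "GW1100C-WIFI2ED9 V2.1.8"
    return {
        "mac": ":".join(f"{b:02X}" for b in mac),
        "ip": ".".join(str(b) for b in ip),
        "port": port,
        "ssid": ssid,
        "device": device,
        "firmware": firmware,
        "checksum": checksum,
    }


def is_valid_broadcast(payload: bytes) -> bool:
    """True only if the payload parses and its checksum verifies."""
    try:
        parse_broadcast(payload)
        return True
    except ValueError:
        return False


def ecowitt_passkey(mac: str) -> str:
    """PASSKEY as the post describes it: MD5 of the MAC address, upper-case hex.
    Assumption: the MAC is hashed as the colon-separated upper-case string the
    device sends in its /data/ip_api request, e.g. "30:83:98:A7:2E:D9"."""
    return hashlib.md5(mac.upper().encode("ascii")).hexdigest().upper()


def device_for_passkey(passkey: str, macs: list[str]) -> str | None:
    """Map a PASSKEY seen in a /data/report upload back to a broadcasting MAC."""
    for mac in macs:
        if ecowitt_passkey(mac) == passkey.upper():
            return mac
    return None


if __name__ == "__main__":
    port, payload = udp_payload_from_ipv4(SAMPLE_FRAME)
    info = parse_broadcast(payload)
    print(f"broadcast to UDP/{port}: {info}")
    print("PASSKEY for", info["mac"], "=", ecowitt_passkey(info["mac"]))
```

Run against a live capture, the decoder gives an inventory of which gateways are on the LAN (MAC, IP, the TCP port they listen on, firmware) without touching them, and `device_for_passkey` ties a PASSKEY seen in an intercepted /data/report upload back to the broadcasting device; a checksum or length failure is the signal that something other than a gateway is emitting packets on that port.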

Offline jbroome

  • Senior Member
  • **
  • Posts: 53
Re: does the GW2000 phone home to china too ?
« Reply #28 on: March 22, 2024, 11:35:06 PM »
I went ahead and upgraded the firmware of my GW1100 to 2.3.1, and enabled automatic firmware updates.
When it reboots, it does some more things of interest:

1. DNS lookup of "ota.ecowitt.net".  I don't intercept this (yet), so the query returns
        ota.ecowitt.net.                  CNAME  ota.ecowitt.net.w.kunlunsl.com.
        ota.ecowitt.net.w.kunlunsl.com.   A      163.181.66.71


2. It issued an HTTP GET request of "/api/index/initialization", specifying HOST "ota.ecowitt.net":
        GET /api/index/initialization?mac=30:83:98:A7:2E:D9&model=GW1100C&version=V2.3.1&sign=021525CF0B685580C3DC7ABC333D4A4E&last_ret=-1 HTTP/1.0

    and received this response:
        {"code":0,"msg":"success","time":"1711163109","data":{"ip":"47.180.242.173","is_cnip":false,"ota_host":["ota.ecowitt.net"],"rtp_host":["rtpdate.ecowitt.net","cdnrtpdate.ecowitt.net"],"rtpmedia_host":["rtpmedia.ecowitt.net","cdnrtpmedia.ecowitt.net"],"mqtt_host":["iot.ecowitt.net"],"mqtts_url":["iot.ecowitt.net:8883"],"api_host":["api.ecowitt.net"]}}


3. It issued another GET:
        GET /api/ota/v1/version/info?id=30%3A83%3A98%3AA7%3A2E%3AD9&model=GW1100C&time=1711163125&user=1&version=V2.3.1&sign=294DC72B72614C8CBC4185CEA1450013

    and received the response:
        {"code":-1,"msg":"The firmware is up to date","time":"1711163125","data":{"id":380,"name":"V2.3.1","content":"- Fixed bug where some devices could not upload ecowitt.\r\n- Fix the memory leaks and some known crashes.\r\n- T&HP sensor can replace indoor temperature, humidity, pressure data.","attach1file":"https:\/\/osswww.ecowitt.net\/ota\/20240126\/68dfe9b8d7e459739e85f2ba44188cf2.bin","attach2file":"","queryintval":86400}}


Clearly step 3 is the version check at work. I'll need to poke around to see what happens with the device running an older version.

And step 2 reveals some new hostnames to look into, and possibly to impersonate on my local network.

   ---Jonathan
