I love coffee, that’s a fact, and I drink liters of it during the week … I also am a nerd and a hacker, so a few days ago I bought a Smarter Coffee machine on Amazon, basically a coffee machine that you can control over your home wifi network using a mobile application ( both for Android and iOS ).
The app is really nice: you can set the amount of cups you want, the strength of the coffee, etc, then you only need to press a button and wait for your delicious coffee to be brewed.
Since I work from home, most of the times I’m using the computer keyboard, not a smartphone, therefore I wanted/needed a console client for it, something that the vendor never released, so I started reversing the Android application in order to understand the communication protocol and write my own client implementation … guess what? :D
Yep, i can make coffee using the terminal now :D
I decided to reverse the Android application since it’s usualy way easier than reversing iOS ones ( java vs assembly :D ), once I downloaded the APK I started studying the various classes and methods.
So I fired up JADX ( with the
--show-bad-code argument ), I launched CTAGS inside the exported source code folder and VIM to navigate it.
A few hours later, I found the interesting part in the
am.smarter.smarterandroid.models.a class and noticed a few methods like the following:
Each of these “packets” is sent to tcp port
2081 of the machine, the protocol is very simple.
- First byte: the command number.
- Second byte to N: optional data ( depending on the command code ).
- Last byte: always
0x7ewhich indicates the end of the packet.
Responses can vary, but for most of the commands they are:
- First byte: response size
- Second byte: status ( 0 = success otherwise error code )
- Last byte: always
An example command and response, the one to keep the coffee warm for 5 minutes for instance, would be:
0x3e 0x05 0x7e
0x03 0x00 0x7e
So I’ve mapped all the commands I needed in order to write a minimal console client and tested it … this is the result, it works like a charm! :D
You can download the client code here, you’ll need to specify the machine ip address the first time, then it will be saved in the
~/.smartercoffee file and won’t be needed anymore.
coffee make -A 192.168.1.50
A few examples:
Just make one cup of coffee:
Make two cups using the filter instead of the beans in the grinder:
coffee make --filter
Keep coffee warm for ten minutes:
coffee warm --keep-warm=10
☕ ☕ ☕ SmarterCoffee Client ☕ ☕ ☕ by Simone 'evilsocket' Margaritelli Usage: coffee [options] (make|warm) Options: -h, --help show this help message and exit -A ADDRESS, --address=ADDRESS IP address of the Smarter coffee machine. -M, --make Make coffee. -W, --warm Warm coffee. -C CUPS, --cups=CUPS Set number of cups. -S STRENGTH, --strength=STRENGTH Set coffee strength ( 0-2 ). -G, --grind Use grind. -F, --filter Use filter. -K TIME, --keep-warm=TIME Keep the coffee warm for TIME minutes.
Even if the mobile app requires you to register an account, access to port 2081 is completely unauthenticated ( in fact, I’ve found that the user account is only used for statistics using the Firebase API ), anyone on your network could access it and even flash a new firmware with no authentication required ( I reversed the
UPDATE_FIRMWARE packet as well but you won’t find it on the repo :P )