#Laufen Cleanet Bidet RE
Hi, thanks!
I am in the process of reverse engineering the bluetooth protocol of my bidet, in order to integrate it into my Smart Home.
As is typical fashion, the manufacturer has not provided any open interface, even though this is a 1700 Euro product.
I have found the command and where to send it for the "start washing" option by capturing a bluetooth debug log and then analyzing it with wireshark.
It looks like this: 0003260203ad1900. When I send this command to the bidet, nothing happens though.
Maybe I need to authenticate against the bidet first or something? In the app in order to initially set it up, you need to turn it off and on one time per instructions. After that it connects to it.
This is the point where I am currently at and I have no idea on how to proceed. This is also my first time trying to reverse engineer anything, but I am determined since this is a matter of principle now.
There are other commands like for the water temperature:
I can clearly see the values I set in the app in wireshark. E.g. If I set the temperature to level 7, I see this command:
0225 050a 07 3497
The third part of it seems to be the level. If I set it to 6 it looks like this:
0225 050a 06 bd86
I am also just a programmer in my normal life, so this is new to me as well.
What is currently annoying to me is that I seem to have found the general structure of the commands sent to the bidet, but I can not replicate them now by sending them, for example with an ESP32. The bidet just does nothing.
So one thing I've found extremely helpful is decompiling the android app for my device to see how the manufacturer was doing things. In my case it made a bunch of the weird behaviors slightly clearer.
Did you use apktool?
I had a similar case to yours where in the first couple of days the commands I was seeing over wireshark didn't actually make the device do anything. In my instance I had to send an additional command that contained a timestamp to sync the device clock before it would initiate the actual command I wanted. And I found that via the decompiled app output.
I used http://www.javadecompilers.com/apk which uses apktool under the hood. I didn't want to set up android tools for a one-off decompilation.
alright, so I did use apktool to decompile the app, but honestly, I cannot even find the place where any kind of bluetooth connection is made in there
how did you find that?
Are you opening it in an IDE? I use vscode already so I just opened it there. From there I jumped down into the namespace for the manufacturer code. In my case that was sources > com > ecoaquastar > app > aquastar
And then I just started poking around. My app had a constants file with all the BLE gatt addresses which I could then use to start globally searching
What's the app you're using called? Can you link me to the google play page? I'd be happy to take a few minutes and poke around the source.
Yeah I am using vscode as well. There is not much in the folder except for a few strings.
Oh yeah sure that would be very helpful, one sec
This is the app: https://play.google.com/store/apps/details?id=com.laufen.cleanet&hl=de&gl=US
Beware. It is very shitty.
I also have all the debug logs and stuff if that helps you find anything.
I assume there might be some kind of "pairing" process missing. If you want to use the app with the bidet for the first time, it asks you to turn the bidet off, wait a few seconds and turn it on again, then hit "connect" in the app.
Ok it looks like it's a Xamarin/mono app. So decompiling the APK isn't going to do much. You'll need to unzip the apk instead and find the dll to decompile. You can use something like ilspy to do that
ah that sucks yeah
This is what I used this morning on a dll before replying again. And it says it works on linux too. You can output the full source after so you can open it in a real editor to more comfortably plumb through it looking for interesting data.
alright thank you, that exists for linux yes. I'll install it.
@bright canopy so I do have the tool open and I opened a dll, but honestly I have no idea what this tool is trying to tell me^^
most of the files are completely empty
btw if I send the first command of the handshake to the toilet, it makes a sound and then disconnects. so it seems like a "handshake" unsuccessful error message. probably something like a timestamp missing as well like for you
but I can not find anything in the dlls
it looks pretty weird in ILSPY
almost nothing there
my app for my heaters was java, but think i have too high fever right now and too low knowledge in Bluetooth and java to figure something out right now.
@bright canopy All I've found was a pairing manager file, but I don't think there is helpful information in there:
I've cracked it!