Reverse engineering IOLITE remote API
Our landlords installed a smart heating system into our apartment around 2 years ago. Consisting of a wall mounted tablet and some RF controlled radiator valves to allow us to control these on a schedule or via the control panel in the hall.
The company which provides both the hardware and software is a company based in Berlin called IOLITE. They provide smart home equipment for these sorts of residential setups.
Around 6 months ago the device updated and the ability to control the platform through Android own device became available. The App is called Meine intelligente Assistenz or MIA and is available through the play store.
This immediately got me excited as it opened up the possibility to reverse engineer the application and let me hack on the software to and provide a client library of sorts in an attempt integrate with our Home Assistant based smart home stack.
Pulling the APK from your device
You will need to install the Android Debug Bridge (ADB) toolchain on your computer to do this. Once installed you’ll need to run the following commands from your shell.
# Get the path to the apk on your device adb shell pm path de.iolite.client.android.mia # Pull the apk to your host adb pull /data/app/de.iolite.client.android.mia-2.apk /path/to/save/to/mia.apk
Decompiling the apk
Once pulled we need to now convert the APK into another format to understand. While there are tools such as apktool that convert the APK into smali I find it easier to look at Java so opted for dex2jar. A tool that converts an APK into a jar file.
sh d2j-dex2jar.sh -f mia.apk # outputs mia.jar
Reading the jar
You can then view the jar in a tool such as JD-GUI which allows you to navigate the class structure and to try and make sense of the logic inside.
From here I was able to reverse engineer the OAuth flow and figure out how to authenticate with IOLITE’s remote API allowing me to gain access to the web view that the Android app presented.
Reversing the Web UI
This allowed me then to view the source of the application which was written in React and leveraged web-sockets to communicate to the backend API.
From here I was able to figure out the models that were used and the payloads to send thanks to the rich developer toolkit that Chrome provides.
Python IOLITE client
Since Home Assistant is written in Python I took it upon myself to write to client in Python. It’s currently in WIP form but available on Github.
The OAuth communication with token refreshing is in place. Along with basic models for communication.
However the whole async websocket communication needs to be built out and then plugged into Home Assistant to be able to work seamlessly.
Feel free to contribute :)