Flashing virgin VUE's without soldering

[gekkehenkie11]

As @flaviut noted on this website "there’s some endpoints like prod/minions/emporia/ct/v1/broadcast/fw, which I’m suspicious would allow us to download firmware onto the device".

https://flaviutamas.com/2021/reversing-emporia-vue-2

Yes, that definitely sounds like a way to flash the FW (first time) without soldering. You'd only need to create the emporia SSID and password and find the right MQTT message to upload. After that we could simply create a tool to flash virgin boards OTA.

Did anyone look into this? And does the gen3 also connect to emporia/emporia123?

[gekkehenkie11]

I just dumped my VUE3 flash but I had forgotten I already had connected it once to my WIFI. So it won't connect to the test MQTT server anymore ... Anyway it seems they did change the address of the MQTT server into 192.168.0.43.

[gekkehenkie11]

Via analyzing the strings it seems that with JSON messages sent via MQTT you can activate various commands like:
query_firmware
nvs_info
remote_log_off
live_meter_updates
activate_debug
wifi_update_ota

And with that last option it seems you need to include some info like an url to the firmware:

"No url item found in FW Json Structure"
"OTA_url_contains_wrong_image"
"%s: Parse Firmware v2 "
" Invalid FW Json Structure"

So it seems you need to pass a JSON structure containing an URL to the new firmware image.

[gekkehenkie11]

Anyway, if one day I have a new VUE3 that's not configured yet to wifi, I'll dump the FW and will look into this to see if there's any way to flash it over MQTT. Then again, even it if all works it still seems quite a bit of work then, set up MQTT, set up a file server with the firmware file, setting up a WIFI SSID and password ... Soldering actually might be the faster route.

[flaviut]

If I remember correctly, and it's been years, I believe that the Vue uses some sort of IOT framework from Amazon AWS. Since AWS is pretty good about security, and since vaguely remember seeing some crypto certificates, my guess is that this firmware upgrade functionality requires that the firmware be signed by Emporia's secret keys.

[gekkehenkie11]

Yeah I spotted the same thing and figured that it might be signed indeed, would definitely make sense ... If so then it's going to be hard to bypass that, if not impossible (would need to find a security flaw in that case. Once did a project like that, it drove me almost crazy, haha, I hate that stuff). Either way, probably not even worth all the effort to really dive into it, since, like said, even if it would work out it seems like the user would still need to configure some things, maybe resulting in even more effort/time than soldering.