Understand how the Flic app, the Flic Hub and the Flic buttons work. Update Flic Smart Buttons configuration with or without the official application.
On July 4, 2020, Shortcut Labs sent me a takedown notice for this repository:
> I kindly ask you to take down your flic-reverse repo at GitHub.
> It contains confidential information, API keys, and also includes (encrypted) firmware which you have no rights to redistribute.
> We're continually opening up things more and more, but for now we'd like to keep the API private.
> For Flic 2 we have released the protocol specification at https://github.com/50ButtonsEach/flic2-documentation/wiki/Flic-2-Protocol-Specification.
> If you would like to try out our beta version of our Hub SDK, please let me know. With it you can do a range of things, such as send IR commands, set up TCP/UDP sockets, make internet requests, scan new buttons, listen to button events, configure wifi etc.
As a consequence, the main content of the repository is now private. The original table of contents is still there for reference.
As of that date, the promises of the Hub SDK are still not fulfilled. Shortcut Labs also refused to publish the proto files for the gRPC communication and the API specification, arguing that it is "a private API you are not supposed to use", "[we] don't want anyone to use the config API currently", that "the hub <-> app protocol will not be documented for the foreseeable future" and concluding that "[we] don't see how [this repo] this can help anyone for a better Flic experience the way we want".
I will let everyone compare the advertised promises of the Kickstarter campaign with the reality.
- Introduction
- Disclaimer
- Contribute
- Security concerns
- APK
- API api.flic.io
  - Authentication
  - /api/v1/users
  - /api/v1/buttons
    - GET /api/v1/buttons
    - GET /api/v1/buttons/{button-id}
    - PUT /api/v1/buttons/{button-id}
    - POST /api/v1/buttons/{button-id}/unlock
    - GET /api/v1/buttons/{button-id}/cloud-redirect
    - GET /api/v1/buttons/{button-id}/trigger/{trigger-id}
    - GET /api/v1/buttons/mac-addresses/ranges
    - GET /api/v1/buttons/tags
    - GET /api/v1/buttons/keys
    - GET /api/v1/buttons/keys/grab-legacy-button
    - GET /api/v1/buttons/versions/firmware
    - POST /api/v1/buttons/versions/firmware2
    - POST /api/v1/buttons/button-icons
    - GET /api/v1/buttons/hub/tags
  - /api/v1/configs
  - /api/v1/tasks
  - /api/v1/sms
- Statistics endpoint statistics.flic.io
- Flic Hub
- Integration with third-party systems
  - Home Assistant
- FAQ
  - When using HTTP Request integration, who makes the call? The phone / HUB directly or Flic?
  - Is it possible to use the API to get or set the config of the Flic Hub?
  - Is it possible to call an API to send custom IR commands through the IR module?
  - Is there a request sent to the API each time a button is clicked?
  - How can I integrate my Flic buttons with other systems?
- Credits
- Legal
The guys from Shortcut Labs AB made great products with their Flic Smart Buttons but sadly, there were promises of an SDK to interact with the buttons and the hub, and nothing has been delivered yet. The team focused on the Android and iOS SDKs that let other apps trigger an action on a button click.
I was not interested in this part. I wanted to see what can be done by fiddling with the application. I wanted a way to get events from buttons paired with my phone or the Flic Hub. I discovered that this was not so easy. The Flic Hub does not expose any REST API; in fact, no port is open on the Hub. Still, I discovered how the buttons' config can be retrieved and updated when paired on the phone. I also got a first overview of how it's done with Bluetooth; however, I did not fully reverse the link encryption part at this stage.
This review was only done on the Android version of the application (version 3.7.8).
The analysis of the application was exclusively done through traffic sniffing (HTTP and Bluetooth) and static analysis of the Android application. The goal was to find ways to interoperate with the Flic buttons, not to find security vulnerabilities in software or hardware. Potential weaknesses are reported since they can help to understand how the application works.
Credentials, security tokens and serial numbers were replaced with fake ones in this documentation.
To ease the initial setup, it is not required to enter the "factory password" of the hub that is printed on its back. It's the same when a factory reset is done (rollback to firmware 1.0). The default password of the hub is XXX (the three letters are redacted). However, this default password is only used for the initial setup and it is immediately replaced by a randomly generated one, which is stored hashed on the phone.
When the user resets the Flic Hub password or sets it manually, it is stored in clear text in the SQLite database. This is not the case for the initial pairing or when the hub is factory reset: in that case, a random password is generated and stored hashed (SHA-512) in the SQLite database.
The app sends information about the phone and the executed actions to a dedicated statistics endpoint. It looks like no confidential information is leaked, but still... I did not find a way to disable this in the app.
Since actions may be security related (e.g. alarms) and the exact date and time of execution are sent, this could lead to privacy and security concerns.
Since there is no generic way to use the Hub to request the latest events or to send a request without configuring the buttons manually, I tried to keep the integration with Home Assistant rather generic.
I used the "Internet Request" feature which is available for the buttons paired with the phone or the hub.
I send a POST request to the HA endpoint (you can do it with or without authentication, see below) with the following information, depending on the button id and the type of click:
```json
{"id": "flic1", "event_type": "click"}
{"id": "flic1", "event_type": "double_click"}
{"id": "flic1", "event_type": "hold"}
```
It is also possible to retrieve the `button-serial-number` and the `button-name` (display name in the Flic app) directly in the headers, as described in the FAQ.
Example of automation:
```yaml
- alias: Salle de bains - Flic - Alexa - Joue France Info
  description: ''
  # Fires on the "flic" event carrying a single click from button flic1
  trigger:
  - event_data:
      event_type: click
      id: flic1
    event_type: flic
    platform: event
  # Only run when the media player is not already playing
  condition:
  - condition: not
    conditions:
    - condition: device
      device_id: 3dc4df62da4c4813372b16e3d8aa552
      domain: media_player
      entity_id: media_player.morgane_echo
      type: is_playing
  action:
  - data:
      entity_id: media_player.morgane_echo
      media_content_id: FranceInfo
      media_content_type: TUNEIN
    service: media_player.play_media
```
- Authenticated, using a Long-Lived Access Token: fire an event directly from the API and listen for the event as a trigger in the automation: https://developers.home-assistant.io/docs/api/rest/#post-apieventsevent_type
- Non-authenticated, with a webhook trigger: https://www.home-assistant.io/docs/automation/trigger/#webhook-trigger.

Keep it simple with a single webhook. However, since it is not possible to use the same webhook for multiple automations, the workaround is to use a webhook that will "refire" an event for the other automations:
```yaml
- alias: Salle de bains - Flic 1 - Event
  description: ''
  trigger:
  - platform: webhook
    webhook_id: flic
  condition: []
  # Re-fire the webhook payload as a "flic" event for the other automations
  action:
  - event: flic
    event_data_template:
      id: '{{ trigger.json.id }}'
      event_type: '{{ trigger.json.event_type }}'
```
When using HTTP Request integration, who makes the call? The phone / HUB directly or Flic?
It's the phone directly, with a few additional headers:
```http
GET / HTTP/1.1
Accept-Encoding: gzip, deflate
User-Agent: Google-HTTP-Java-Client/1.23.0 (gzip)
button-serial-number: BA48-131337
button-battery-level: 100
button-name: Flic 3
timestamp: 2020-06-30T09:01:04Z
Host: xxxxx.x.pipedream.net
Connection: close
```
I did not receive other requests from other IPs on the test endpoint.
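An added example (not code from the original repository): a receiver-side check for the "Internet Request" calls shown above, accepting only known button serials, a recent `timestamp` header and the three event types used in the Home Assistant payloads. The function name, the serial-to-id map and the five-minute window are assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

ALLOWED_EVENTS = {"click", "double_click", "hold"}  # event types used in the payloads above
KNOWN_BUTTONS = {"BA48-131337": "flic1"}  # assumption: operator-kept serial -> id map (fake serial)
MAX_SKEW = timedelta(minutes=5)  # assumption: accepted clock drift and delivery delay


def validate_flic_request(headers, body, now=None):
    """Return (True, event) for an acceptable request, else (False, reason).

    The headers are set by the sender and can be forged, so this is input
    validation in front of the automation, not authentication.
    """
    now = now or datetime.now(timezone.utc)
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    serial = h.get("button-serial-number")
    if serial not in KNOWN_BUTTONS:
        return False, "unknown button serial"
    try:
        sent = datetime.strptime(h.get("timestamp", ""), "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return False, "bad timestamp"
    if abs(now - sent.replace(tzinfo=timezone.utc)) > MAX_SKEW:
        return False, "stale timestamp"
    try:
        payload = json.loads(body)
    except (ValueError, TypeError):
        return False, "bad json"
    if not isinstance(payload, dict):
        return False, "bad json"
    if payload.get("id") != KNOWN_BUTTONS[serial]:
        return False, "id does not match serial"
    event_type = payload.get("event_type")
    if not isinstance(event_type, str) or event_type not in ALLOWED_EVENTS:
        return False, "unknown event_type"
    # Forward only the two validated fields; drop anything else in the body.
    return True, {"id": payload["id"], "event_type": event_type}


if __name__ == "__main__":
    # Constructed sample mirroring the headers and payload shown on this page.
    sample_headers = {"button-serial-number": "BA48-131337",
                      "timestamp": "2020-06-30T09:01:04Z"}
    sample_now = datetime(2020, 6, 30, 9, 2, 0, tzinfo=timezone.utc)
    print(validate_flic_request(sample_headers,
                                '{"id": "flic1", "event_type": "hold"}', sample_now))
```
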
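Is it possible to use the API to get or set the config of the Flic Hub?
Sadly no.
- https://community.flic.io/topic/17660/configuring-flic-hub-programmatically
- https://community.flic.io/topic/17253/running-custom-apps-on-the-flic-hub/

Is it possible to call an API to send custom IR commands through the IR module?
I don't think so. It is not possible to use the API for the hub.

Is there a request sent to the API each time a button is clicked?
Not really, but since the configuration is stored online and the requests are sent to the statistics endpoint, it is possible for Shortcut Labs to know exactly when an action was triggered, but not in real time.

How can I integrate my Flic buttons with other systems?
In the end, the easiest method is to use the "Internet Request" integration.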
@righettod for his great help!
This research and documentation are in no way affiliated with, authorized, maintained, sponsored or endorsed by Shortcut Labs AB or any of its affiliates or subsidiaries. This is an independent and unofficial documentation. Use at your own risk.