Flic App, Hub and Smart Buttons Reverse Engineering

Understand how the Flic app, the Flic Hub and the Flic buttons work. Update Flic Smart Buttons configuration with or without the official application.

Take down notice from Shortcut Labs

On July 4, 2020, Shortcut Labs sent me a take down notice for this repository.

I kindly ask you to take down your flic-reverse repo at GitHub.
It contains confidential information, API keys, and also includes (encrypted) firmware which you have no rights to redistribute.

We're continually opening up things more and more, but for now we'd like to keep the API private.
For Flic 2 we have released the protocol specification at https://github.com/50ButtonsEach/flic2-documentation/wiki/Flic-2-Protocol-Specification.

If you would like to try out our beta version of our Hub SDK, please let me know. With it you can do a range of things, such as send IR commands, set up TCP/UDP sockets, make internet requests, scan new buttons, listen to button events, configure wifi etc.

As a consequence, the main content of the repository is now private. The original table of content is still there for reference.

At that date, the promises of the HUB SDK are still not fulfilled. Shortcut Labs also refused to publish the proto files for the gRPC communication and the API specification, arguing that it is "a private API you are not supposed to use", "[we] don't want anyone to use the config API currently", that "the hub <-> app protocol will not be documented for the foreseeable future" and concluding that "[we] don't see how [this repo] can help anyone for a better Flic experience the way we want".

I will let anyone appreciate the advertised promises of the Kickstarter campaign versus the reality.


Introduction

The guys from Shortcut Labs AB made great products with their Flic Smart Buttons but, sadly, an SDK to interact with the buttons and the hub was promised and nothing has been delivered yet. The team focused on the Android and iOS SDKs so that other apps can trigger an action on a button click.

I was not interested in that part. I wanted to see what can be done by fiddling with the application, and I wanted a way to get events from buttons paired with my phone or with the Flic Hub. I discovered that this was not so easy: the Flic Hub does not expose any REST API; in fact, no port is open on the Hub at all. Still, I discovered how the buttons' configuration can be retrieved and updated when they are paired with the phone. I also got a first overview of how this is done over Bluetooth; however, I did not fully reverse the link encryption part at this stage.

This review was only done on the Android version of the application, version 3.7.8.

Disclaimer

The analysis of the application was exclusively done through traffic sniffing (HTTP and Bluetooth) and static analysis of the Android application. The goal was to find ways to interoperate with the Flic buttons, not to find security vulnerabilities in software or hardware. Potential weaknesses are reported since they can help to understand how the application works.

Credentials, security tokens and serial numbers were replaced with fake ones in this documentation.

Security concerns

Default credentials for Flic Hub

To ease the initial setup, it is not required to enter the "factory password" of the hub that is printed on its back. The same applies after a factory reset (rollback to firmware 1.0). The default password of the hub is XXX (the three letters are redacted). However, this default password is only used for the initial setup and is immediately replaced by a randomly generated one, which is stored hashed on the phone.

Insecure storage of credentials

The Flic Hub password, when the user resets it or sets it manually, is stored in clear text in the SQLite database. This is not the case for the initial pairing or after a factory reset: in those cases a random password is generated and stored hashed (SHA-512) in the SQLite database.

Statistics

The app sends information about the phone and the executed actions to a dedicated statistics endpoint. It looks like no confidential information is leaked, but still... I did not find a way to disable this in the app.

Since actions may be related to security-sensitive things (e.g. alarms), and the exact date and time of execution are sent, this could raise privacy and security concerns.

Integration with third-party systems

Home Assistant

Since there is no generic way to use the Hub to request the latest events, or to send a request without configuring the buttons manually, I tried to keep the button configuration rather generic in order to integrate the buttons with Home Assistant.

I used the "Internet Request" feature which is available for the buttons paired with the phone or the hub.

I send a POST request to the HA endpoint (this can be done with or without authentication, cf. below) with the following body, depending on the button id and the type of click:

{"id": "flic1", "event_type": "click"}
{"id": "flic1", "event_type": "double_click"}
{"id": "flic1", "event_type": "hold"}

It is also possible to retrieve the button-serial-number and the button-name (the display name in the Flic app) directly from the request headers, as described in the FAQ.

Example of automation:

- alias: Salle de bains - Flic - Alexa - Joue France Info
  description: ''
  trigger:
  - event_data:
      event_type: click
      id: flic1
    event_type: flic
    platform: event
  condition:
  - condition: not
    conditions:
    - condition: device
      device_id: 3dc4df62da4c4813372b16e3d8aa552
      domain: media_player
      entity_id: media_player.morgane_echo
      type: is_playing
  action:
  - data:
      entity_id: media_player.morgane_echo
      media_content_id: FranceInfo
      media_content_type: TUNEIN
    service: media_player.play_media

REST API

Authenticated, using a Long-Lived Access Token

Fire an event directly from the API and listen for the event as a trigger in the automation:

https://developers.home-assistant.io/docs/api/rest/#post-apieventsevent_type

Webhook

Non-authenticated, with a webhook trigger: https://www.home-assistant.io/docs/automation/trigger/#webhook-trigger.

Keep it simple with a single webhook. However, since the same webhook cannot be used by multiple automations, the workaround is a single webhook automation that "refires" an event for the other automations to trigger on:

- alias: Salle de bains - Flic 1 - Event
  description: ''
  trigger:
  - platform: webhook
    webhook_id: flic
  condition: []
  action:
  - event: flic
    event_data_template:
      id: '{{ trigger.json.id }}'
      event_type: '{{ trigger.json.event_type }}'
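The following is an added example, not code from this repository: a small Python receiver that validates one "Internet Request" as the Flic app sends it (the JSON body above plus the headers shown in the FAQ), and builds the authenticated POST to the Home Assistant REST API that fires the `flic` event. Because the webhook trigger is unauthenticated, the receiver checks the reported button-serial-number against a hypothetical allowlist (`KNOWN_BUTTONS`); the base URL and token are placeholders.

```python
import json
from datetime import datetime, timezone

# Sample input constructed from the request shown in the FAQ (fake serial from the page).
SAMPLE_HEADERS = {
    "button-serial-number": "BA48-131337",
    "button-battery-level": "100",
    "button-name": "Flic 3",
    "timestamp": "2020-06-30T09:01:04Z",
}
SAMPLE_BODY = b'{"id": "flic1", "event_type": "click"}'

# The three click types the Internet Request is configured to send.
ALLOWED_EVENTS = {"click", "double_click", "hold"}
# Hypothetical allowlist mapping a button serial to the id it is expected to report.
KNOWN_BUTTONS = {"BA48-131337": "flic1"}


def parse_flic_request(headers, body):
    """Validate one Internet Request from the Flic app; ValueError if it is malformed
    or the button is not allowlisted (the webhook trigger itself is unauthenticated)."""
    h = {k.lower(): v for k, v in headers.items()}
    try:
        data = json.loads(body)
    except ValueError as exc:
        raise ValueError(f"body is not JSON: {exc}")
    if not isinstance(data, dict):
        raise ValueError("body is not a JSON object")
    button_id, event_type = data.get("id"), data.get("event_type")
    if event_type not in ALLOWED_EVENTS:
        raise ValueError(f"unknown event_type {event_type!r}")
    serial = h.get("button-serial-number")
    if KNOWN_BUTTONS.get(serial) != button_id:
        raise ValueError(f"serial {serial!r} does not match id {button_id!r}")
    ts = datetime.strptime(h["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
    return {
        "id": button_id,
        "event_type": event_type,
        "serial": serial,
        "name": h.get("button-name"),
        "battery": int(h.get("button-battery-level", "-1")),
        "timestamp": ts.replace(tzinfo=timezone.utc),
    }


def ha_event_request(event, token, base_url="http://homeassistant.local:8123"):
    """Build the authenticated POST that fires the 'flic' event via the HA REST API."""
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    payload = json.dumps({"id": event["id"], "event_type": event["event_type"]})
    return f"{base_url}/api/events/flic", headers, payload
```

The returned URL, headers and payload are what the `event` trigger automation above consumes once POSTed with a Long-Lived Access Token.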

FAQ

When using the HTTP Request integration, who makes the call? The phone / Hub directly, or Flic's servers?

It's the phone directly, with a few additional headers:

GET / HTTP/1.1
Accept-Encoding: gzip, deflate
User-Agent: Google-HTTP-Java-Client/1.23.0 (gzip)
button-serial-number: BA48-131337
button-battery-level: 100
button-name: Flic 3
timestamp: 2020-06-30T09:01:04Z
Host: xxxxx.x.pipedream.net
Connection: close

I did not receive other requests from other IPs on the test endpoint.

Is it possible to use the API to get or set the config of the Flic Hub?

Sadly no.

Is it possible to call an API to send custom IR commands through the IR module?

I don't think so. It is not possible to use the API for the hub.

Is there a request sent to the API each time a button is clicked?

Not really, but since the configuration is stored online and requests are sent to the statistics endpoint, Shortcut Labs can know exactly when an action was triggered, although not in real time.

How can I integrate my Flic buttons with other systems?

In the end, the easiest method is to use the "Internet Request" integration.

Credits

@righettod for his great help!

Legal

This research and documentation are in no way affiliated with, authorized, maintained, sponsored or endorsed by Shortcut Labs AB or any of its affiliates or subsidiaries. This is an independent and unofficial documentation. Use at your own risk.
