-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathreverse-engineering.txt
107 lines (82 loc) · 3.46 KB
/
reverse-engineering.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
Reverse engineering the GEA Bus
Electrical characteristics:
Logic level: 5V
Baud rate: 19200 (GEA2) or 230400 (GEA3)
Duplex: Half/full for 19200 (GEA2), full for 230400 (GEA3)
ERD: Entity Reference Designator
Endpoint: A board or device on the bus
Entity: An attribute hosted by an endpoint that can be read, written, or subscribed to.
Flag bytes:
0xe0 Escape
0xe1 Ack
0xe2 STX
0xe3 ETX
CRC16 seed: 0x1021
GEA1 packet structure (no erds):
[0xe2][destination][length][source][cmd][data][crc16 msb][crc16 lsb][0xe3]
GEA2 packet structure:
|-------------Header--------------||----------------------------------------Payload---------------------------------------||-----Checksum-------||ETX-|
[0xe2][destination][length][source][erd command][erd count][erd0][erd0 data len][erd0 data][erdn][erdn data len][erdn data][crc16 msb][crc16 lsb][0xe3]
Erd commands:
0xF0 Read Erd(s)
0xF1 Write Erd(s)
0xF2 Subscribe to Erd(s)
0xF3 List subscribed Erd(s)
0xF4 Unsubscribe from Erd(s)
0xF5 Publish notification of changed Erd(s)
Querying/modifying Erds:
[stx][destination][length][source][Erd_cmd][num erds][MSB_Erd][LSB_Erd][data len][data][msb_crc16][lsb_crc16][etx]
GEA messages with multiple messages:
[stx][destination][length][source][Erd_cmd][Num_Erds][MSB_Erd1][LSB_Erd1][Erd1_Data_len][Erd1_Data][MSB_Erdn][LSB_Erdn][Erdn_Data_len][Erdn_Data]...[MSB_crc16][LSB_crc16][etx]
Important notes about addresses:
In most configurations, there are two different GEA busses: external and internal. The external GEA bus
contains the connected WiFi module, and is routed to the RJ45 service port. The internal GEA bus is
for internal components of the appliance to communicate, and is not accessible from the RJ45 port. You can
still talk to all boards in a system from the external bus, however, the external bus does not expose private
communication between boards which would make it possible to reverse engineer without opening the appliance.
From a security standpoint, this is good practice, say the WiFi module was compromised.
Board addresses for some different appliances:
=============================CONSTANTS:===========================================
Addressing common among all appliances:
0xbf Universal WiFi module
0xcb Green bean
0xe4 Newfi service tool
0xf0 Broadcast to external domain
0xff Broadcast to all domains
==============================REFRIGERATORS:======================================
Addressing on bottom-freezer refrigerators:
0x00 Main board
0x01 RFID water filter reader
0x02 Dispenser board
0x03 Door board
0x04 Feature board
==============================RANGES:=============================================
Addressing on ranges:
0x80 Machine control or LCD board
0x81 2-key self-clean UI
0x82 Left-wing touch
0x84 Right-wing touch
0x85 Machine control on LCD touch models
0x87 Cooktop machine control
0x88 Induction generator board 1
0x89 Induction generator board 2
0x8a Induction generator board 3
0x92 Left gen board
0x94 Right gen board
0xbc BLE module
0xbe Connect plus WiFi module
==============================DRYERS:=============================================
Addressing on 2019 dryers:
0xc0 Main board
0x25 User interface
==============================WASHERS:============================================
Addressing on 2019 washers:
0xc0 Main board
0x25 User interface
0x3f Inverter board
==============================DISHWASHERS:========================================
Addressing on dishwashers:
0xc0 Main board
0x42 LCD status display
0x46 User interface
0x5f Inverter board