Files
lippert-onecontrol/PROTOCOL_FINDINGS.md
T
wes 7dd4f55a0c Initial commit: Lippert OneControl protocol reverse engineering
 Protocol fully reversed from decompiled Xamarin app
 All 431 .NET assemblies extracted and decompiled
 COBS encoder/decoder implemented in Python
 CRC8 checksum implementation
 Complete BLE client for OneControl devices
 Comprehensive documentation

Files included:
- cobs_protocol.py: COBS encoding/decoding + CRC8
- onecontrol_client.py: Full BLE client implementation
- Complete protocol documentation
- Home Assistant integration guide
- ESPHome Bluetooth Proxy setup
- Extraction scripts for reference

Ready for testing with RV hardware (April 2025)
2025-12-29 08:50:16 -05:00

121 lines
3.9 KiB
Markdown

# Lippert OneControl Bluetooth Protocol - Reverse Engineering Findings
## Overview
This document contains findings from reverse engineering the Lippert Connect app (v6.2.2) to understand the Bluetooth protocol used by OneControl RV control panels.
## App Architecture
- **Platform**: Xamarin (C#/.NET on Android)
- **BLE Library**: Plugin.BLE (Xamarin Bluetooth plugin)
- **Package**: com.lci1.lippertconnect
## Bluetooth Information (CONFIRMED)
### Service UUIDs
- **Service**: `00000030-0200-A58E-E411-AFE28044E62C`
- **Write Characteristic**: `00000033-0200-A58E-E411-AFE28044E62C`
- **Read Characteristic**: `00000034-0200-A58E-E411-AFE28044E62C`
(Note: The `c457...` UUID found earlier might be for a different device type or cached).
### Protocol Structure
The communication uses a custom packet format wrapped in **COBS (Consistent Overhead Byte Stuffing)** encoding.
**Packet Structure (Unencoded):**
```
Byte 0-1: Sequence Number (Little Endian, unsigned short)
Byte 2: Command Type (byte)
Byte 3: Device Table ID (byte, usually 1)
Byte 4-N: Payload (Command specific data)
Byte Last: CRC8 (Calculated over bytes 0..N, Init=0x55)
```
**Encoding:**
1. Construct the packet.
2. Calculate CRC8 (Init 0x55) and append it.
3. Encode the entire buffer using COBS (Start byte 0x00, 6-bit packing).
### Command Types (`MyRvLinkCommandType`)
- `0x01` (1): **GetDevices**
- `0x40` (64): **ActionSwitch** (Lights, Pumps, etc.)
- `0x41` (65): **ActionMovement** (Awnings, Slides)
- `0x43` (67): **ActionDimmable** (Dimmable Lights)
### Payload Examples
**Turn Light ON (Device ID 0x05):**
- Command: `0x40` (ActionSwitch)
- Table: `0x01`
- Payload: `[0x01 (On)] [0x05 (Device ID)]`
**Turn Light OFF (Device ID 0x05):**
- Command: `0x40` (ActionSwitch)
- Table: `0x01`
- Payload: `[0x00 (Off)] [0x05 (Device ID)]`
**Get Device List:**
- Command: `0x01` (GetDevices)
- Table: `0x01`
- Payload: `[0x00 (StartID)] [0xFF (MaxCount)]`
### Key DLL Assemblies
- `OneControl.Direct.MyRvLinkBle.dll` - Contains the BLE connection logic and UUIDs.
- `OneControl.Direct.MyRvLink.dll` - Contains the Command classes and Enums.
- `IDS.Portable.Common.dll` - Contains `CobsEncoder` and `Crc8` logic.
## Next Steps for Complete Protocol Understanding
To fully reverse engineer the protocol, we need to:
1. **Extract and Decompile .NET Assemblies**
- Use a proper Xamarin assembly extraction tool
- Decompile with dnSpy or ILSpy to see actual command structures
2. **Bluetooth Packet Capture**
- Use Android's HCI snoop log or Wireshark with Bluetooth adapter
- Capture actual packets during device control
- Analyze packet structure and command bytes
3. **Alternative Approaches**
- Check if Lippert has published any API documentation
- Look for existing open-source implementations
- Contact Lippert for developer API access
## Tools Needed for Further Analysis
### For .NET Assembly Extraction:
```bash
# Install Xamarin assembly extraction tools
# Option 1: xamarin-decompress (if available)
# Option 2: Manual extraction from blob
# Install .NET decompiler
sudo pacman -S ilspy-bin # or dnspy on Windows
```
### For Bluetooth Sniffing:
```bash
# Enable HCI snoop on Android device
adb shell settings put secure bluetooth_hci_log 1
# Pull HCI log
adb pull /data/misc/bluetooth/logs/btsnoop_hci.log
# Analyze with Wireshark
wireshark btsnoop_hci.log
```
### For Protocol Analysis:
- **Wireshark** - Packet analysis
- **nRF Connect** (Android/iOS) - BLE exploration and testing
- **Bluetooth HCI Snoop** - Packet capture
## Contact Information
- **Developer Support**: service@lci1.com
- **Phone**: +1 432-LIPPERT
- **GitHub**: https://github.com/lci-ids/app.c (referenced in code)
## Notes
- The protocol appears to be proprietary
- Commands are likely simple relay on/off with device addressing
- May use standard BLE characteristics for read/write/notify
- Protocol implementation is in C# code (not visible without proper decompilation)