Compatibility with Toshiba Estia heat pump?

[LFC86]

Hi folks,

I use Toshiba Home AC Control app to monitor and control Toshiba Estia heat pump (indoor device HWT-1101XWHT6W-E, outdoor device HWT-1101HW-E). The indoor unit is not equipped with a built-in wifi module thus I installed the Wirelles Adapter Type C, model HWS-IWF0010UP-E. I successfully managed to add Toshiba AC integration in my HA and filled in the credentials. However, I cannnot see any entities available. Is it because the integration is suitable solely for the air conditioners?

[stehuz]

+1 I have captured MITM traffic between app and Toshiba servers and format seams, similar so probably it's just parsing issue. I can handover captured requests/responses but I don't have atm time to actively debug it.

[martinnj]

I suspect that support can't be added directly in this repo alone, the API support has to come from the upstream toshiba-ac-control dependency.

But as an aisde I've done a little snooping around myself, some of the URLs are different. For getting the status, the main ones are:

• /api/Estia/GetConsumerEstiaMapping
• /api/Estia/GetCurrentEstiaStateByUniqueDeviceId

They take different argument name, DeviceUniqueId, instead of ACId as the GET argument.

The hard part (to me at least) is deciphering the state string. It looks to be considerably longer for the Estia devices than it is for the "normal" AC units.
I took apart the APK to the best of my ability, but I suspect the parsing is in some of the .so binary libraries and not the Java. At least I couldn't find anything useful.

[Zyxl72]

i hope h4de5 has soon some time for it..

[h4de5]

martinnj is right. the underlying api needs to support it first.

[Zyxl72]

marinnj do you have some sort of documentation of the API of the Toshiba Estia ?

[martinnj]

marinnj do you have some sort of documentation of the API of the Toshiba Estia ?

I've tried to sanitize my notes a bit. :)
Gist: https://gist.github.com/martinnj/3bcf4f5d8376ccf95949c7a943083b13
They use Azures IoT cloud thing, so I don't know how much of all that data is standard for that tech, or if it's custom. But it responds to regular HTTP stuff.

Some other resources:

• https://github.com/KaSroka/Toshiba-AC-control
• https://gist.github.com/h4de5/7f97db0f4efc265e48904d4a84dab4fb

[Zyxl72]

marinnj do you have some sort of documentation of the API of the Toshiba Estia ?

I've tried to sanitize my notes a bit. :) Gist: https://gist.github.com/martinnj/3bcf4f5d8376ccf95949c7a943083b13 They use Azures IoT cloud thing, so I don't know how much of all that data is standard for that tech, or if it's custom. But it responds to regular HTTP stuff.

Some other resources:

* https://github.com/KaSroka/Toshiba-AC-control

* https://gist.github.com/h4de5/7f97db0f4efc265e48904d4a84dab4fb

Nice, but how did you get to the URI for the Estia Requests, Try&Error?

[stehuz]

I would say Man In The Middle kind of "attack", btw @martinnj has that format been changed recently? I did something like that ~ 6 months ago and body of request/response looks completely different it was like one long hex string with values on specific positions similar to how it was for regular AC.

[martinnj]

Nice, but how did you get to the URI for the Estia Requests, Try&Error?

I installed the app in an Android emulator (In the official android development IDE I think) and inserted a webproxy in the middle, so the app had to talk to that instead of directly to Azure. It's a bit of a hazzle.

I would say Man In The Middle kind of "attack", btw @martinnj has that format been changed recently? I did something like that ~ 6 months ago and body of request/response looks completely different it was like one long hex string with values on specific positions similar to how it was for regular AC.

Yep, MITM using an HTTP proxy in an Android emulator.
These dumps are from April of this year, I think.

The ACStateData field was just a long hex-string as well.
It is considerably longer on Estia than on their regular AC's, I suspect it's because the heatpumps have more settings and features.
But because I don't know what is in it, I had to cut it out of the samples.

[Zyxl72]

Nice so i don't need to do this anymore :-P

I changed the URI and the Output is quite big

---

$base_url = "https://mobileapi.toshibahomeaccontrols.com";
$login_url = "/api/Consumer/Login";
$device_url = "/api/Estia/GetRegisteredEstiaByUniqueId";
$mapping_url = "/api/Estia/GetConsumerEstiaMapping";
$status_url = "/api/Estia/GetCurrentEstiaStateByUniqueDeviceId";
$settings_url = "/api/Estia/GetConsumerProgramSettings";

---

i also exchanged the Info with the DeviceUniqueId
eg. here the result of the Time Table

---

'Sunday' =>
array (
'p1' => '07000898030684ffffffffff',
'p2' => '110008ff02ffffffffffffff',
'p3' => '16000c9803067affffffffff',
'p4' => '220008ff02ffffffffffffff',
),

---

i can provide an Output on request of the toshiba-api.php

[Zyxl72]

I could identify some of these Hex fields by comparing and turning off and on inside the app.
Martinnj could again do the MTM to check what URI is used to PUT the info? Would be strange if they use the same
as to get the Informations.

And where should i place my Informations about the Informations and what i think they mean ?

[martinnj]

I could identify some of these Hex fields by comparing and turning off and on inside the app. Martinnj could again do the MTM to check what URI is used to PUT the info? Would be strange if they use the same as to get the Informations.

And where should i place my Informations about the Informations and what i think they mean ?

I don't have the setup installed anymore. I suggest you set it up yourself so you have the chance to verify and play with it.

Some links I found useful:

• https://nibarius.github.io/learning-frida/2021/01/23/sniffing-https-traffic
• https://httptoolkit.com/android/

I don't know if they're still applicable to newer Android versions. :)

I would also encourage you to look at the upstream library: https://github.com/KaSroka/Toshiba-AC-control
It'll show you how to authenticate requests.

[Zyxl72]

ok i will try when i have enough time

I tried to document my research and you can find it here
https://github.com/Zyxl72/home-assistant-toshiba_estia

@h4de5 what informations would you need more for adapting the code for the estia??

[Zyxl72]

I could identify some of these Hex fields by comparing and turning off and on inside the app. Martinnj could again do the MTM to check what URI is used to PUT the info? Would be strange if they use the same as to get the Informations.
And where should i place my Informations about the Informations and what i think they mean ?

I don't have the setup installed anymore. I suggest you set it up yourself so you have the chance to verify and play with it.

Some links I found useful:

* https://nibarius.github.io/learning-frida/2021/01/23/sniffing-https-traffic

* https://httptoolkit.com/android/

I don't know if they're still applicable to newer Android versions. :)

I would also encourage you to look at the upstream library: https://github.com/KaSroka/Toshiba-AC-control It'll show you how to authenticate requests.

So i did set up a system, which was quite annoying and frustrating, as I'm not into hacking and most of the linux stuff.
I made it to the Point where the Burp certificate is in the System trusted part and i can see all the https from a browser but no calls are to be seen from the Toshiba app.
Do you have a guess what you did a time ago ?

[Zyxl72]

I could identify some of these Hex fields by comparing and turning off and on inside the app. Martinnj could again do the MTM to check what URI is used to PUT the info? Would be strange if they use the same as to get the Informations.
And where should i place my Informations about the Informations and what i think they mean ?

I don't have the setup installed anymore. I suggest you set it up yourself so you have the chance to verify and play with it.
Some links I found useful:

* https://nibarius.github.io/learning-frida/2021/01/23/sniffing-https-traffic

* https://httptoolkit.com/android/

I don't know if they're still applicable to newer Android versions. :)
I would also encourage you to look at the upstream library: https://github.com/KaSroka/Toshiba-AC-control It'll show you how to authenticate requests.

So i did set up a system, which was quite annoying and frustrating, as I'm not into hacking and most of the linux stuff. I made it to the Point where the Burp certificate is in the System trusted part and i can see all the https from a browser but no calls are to be seen from the Toshiba app. Do you have a guess what you did a time ago ?

Did find the Solution, it simply was the Proxy entries in the Emulator Settings ..
Shame on me..

[Zyxl72]

SO i got now a lot of information and it would be great, if someone (h4de5 maybe) would use these to adapt or build a an Estia integration to HA.

to be honest my programming skills are more theoretical

[martinnj]

SO i got now a lot of information and it would be great, if someone (h4de5 maybe) would use these to adapt or build a an Estia integration to HA.

Sounds good. 👍 But without putting words in the mouth of @h4de5 , it was mentioned earlier in the issue:

I suspect that support can't be added directly in this repo alone, the API support has to come from the upstream toshiba-ac-control dependency.

Support has to come from up-stream, this plugin doesn't manage all the explicit API calls, it relies on a client (this repo) which handles all the HTTP plumbing and stuff. This repository just bridges the gab to HA. :)

[Zyxl72]

Then i will try to get KaSroka on that..

[Messa1]

Any update on that? Would be awesome to had it in the Integration. I got the Toshiba App there i had included Heatpump.
@Zyxl72 did you ask @KaSroka?