Reverse Engineering A Toy Robot

@crlane

Tea Time

2017-01-19

Agenda

  • introduce mebo
  • reverse engineering!
  • writing a library
  • publishing solution

Meet Mebo

  • toy robot
  • controlled via an Android/iOS app
  • looks kind of like Mars rover

Features

  • 5-axis arm
  • joystick control
  • interactive media

Problem Definition

  • I want to play with this thing!
  • I want my son to think I'm cool
  • I want to do nerdy things with my son
  • I want to use my computer and (probably) Python

I'll use whatever's on PyPI!

No Python Library

Sweet, I'll Write It!

Undocumented API

Can I Figure it Out?

Reverse Engineering

Step 1: What do I know?

  • The app talks to the robot via the LAN
  • It is possible to spy on traffic in a network
  • There are a limited number of functions
  • It works on iOS & Android client devices

Step 2: Gathering Data

  • Problem 1: I don't know the IP address of the robot

[screenshot: DHCP client list]

Discovering the Correct IP

  1. Ping the IPs whose hostnames I don't recognize
  2. Turn off Mebo
  3. Does it still ping?

  • Problem 2: I don't know how to snoop traffic from iPad -> Mebo

LMGTFY

Snooping Traffic

  1. Plug in iPhone to Mac
  2. Get the UDID (unique ID for device)
  3. Add a virtual interface on the Mac using the UDID
  4. tcpdump from virtual interface
  5. Wireshark

(side note: go watch Christine Spang on WebSockets from the Wire Up https://www.youtube.com/watch?v=u5QT3luWx7w)

  • Problem 3: I don't know what I'm looking for

[screenshot: Wireshark capture]

Wireshark

  1. lots of experimentation
  2. look for familiar things
  3. use filters

Conclusion

Mebo is controlled via normal HTTP GET requests. Query parameters select the function and carry its optional arguments (speed, duration, etc.)

Writing the Library

  • flexible design for rapid prototyping while I'm still discovering functions
  • minimal 3rd party dependencies (requests)
  • easy to build, test, deploy, publish
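As an added example (not the talk's mebo library), here is the shape such a client takes: one GET per action, a `func` parameter selecting the action and the remaining query parameters carrying its arguments, plus a parser for the request lines seen in the capture so the command table and the traffic can be checked against each other. The host, path and every parameter name are placeholders I made up; urllib is used in place of requests so it runs with nothing installed.

```python
from urllib.parse import parse_qs, urlencode, urlsplit
import urllib.request
# Placeholder path and command table (invented; the real names come from your capture).
COMMAND_PATH = "/cmd"
COMMANDS = {
    # func: (required params, {optional param: (min, max)})
    "move": (("direction",), {"speed": (0, 255), "duration": (0, 5000)}),
    "stop": ((), {}),
}

def build_command_url(host, func, **params):
    """Build one GET URL: 'func' selects the action, the rest are its arguments."""
    if func not in COMMANDS:
        raise ValueError(f"unknown function {func!r}")
    required, optional = COMMANDS[func]
    unknown = set(params) - set(required) - set(optional)
    if unknown:
        raise ValueError(f"unknown parameter(s) for {func}: {sorted(unknown)}")
    query = {"func": func}
    for name in required:  # required arguments, emitted in a fixed order
        if name not in params:
            raise ValueError(f"{func} needs {name!r}")
        query[name] = params[name]
    for name, (lo, hi) in optional.items():  # optional arguments, range-checked
        if name in params:
            value = int(params[name])
            if not lo <= value <= hi:
                raise ValueError(f"{name}={value} outside {lo}..{hi}")
            query[name] = value
    return f"http://{host}{COMMAND_PATH}?{urlencode(query)}"

def parse_captured_request(request_line):
    """Decode a 'GET /path?... HTTP/1.1' request line from a capture into (func, params)."""
    method, target, _version = request_line.split()
    if method != "GET":
        raise ValueError("only GET requests carry commands")
    flat = {k: v[-1] for k, v in parse_qs(urlsplit(target).query).items()}
    func = flat.pop("func", None)
    if func not in COMMANDS:
        raise ValueError(f"unrecognised function {func!r}")
    params = {k: (int(v) if v.isdigit() else v) for k, v in flat.items()}
    return func, params

def send_command(host, func, timeout=2.0, **params):
    """Send the GET to the robot and return the HTTP status (needs a live robot)."""
    with urllib.request.urlopen(build_command_url(host, func, **params), timeout=timeout) as resp:
        return resp.status

# Constructed sample of a request line as it appears in the capture.
SAMPLE_CAPTURE = "GET /cmd?func=move&direction=fwd&speed=100&duration=500 HTTP/1.1"
```

Parsing a captured line and rebuilding it with `build_command_url` should give back the same query; a mismatch means the command table is out of date.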

Publishing to PyPI

  • my first PyPI package
  • lots of setup.py wrangling
  • python setup.py sdist bdist_wheel
  • twine upload

Next Steps

  1. Refine the API and clean up
  2. Write some real tests
  3. Media streaming (RTSP + RTP)

Questions?