Tag Planets

18 jul


Fantus-button part 1: Reverse engineering the DRTV Chromecast App


I want to build a physical giant red button, that when pressed instantly starts a children’s TV-show, in my case Fantus on DRTV using a Chromecast.

The first part of the build is figuring out how to remotely start a specific video on a Chromecast. Initially I thought this would be pretty simple to do from an Arduino, because back in the day you could start a video just using a HTTP request. Very much not so anymore: the Chromecast protocol has evolved into some monster using JSON inside Protobuf over TLS/TCP, with multicast DNS for discovery. Chance of getting that working on a microcontroller is near-zero.

But remote control is possible using e.g. pychromecast which has support for not only the usual app of YouTube, but also a couple of custom ones like BBC. Let’s try and add support for DRTV to pychromecast, starting at the hints given on adding a new app.

Using the netlog-viewer to decode the captured net-export from Chrome, and looking at the unencrypted socket communication, the appId of the DRTV app is easily found.

However, one of the subsequent commands has a lot more customData than I expected, since it should more or less just be the contentId that is needed:

  "items": [
      "autoplay": true,
      "customData": {
        "accountToken": {
          "expirationDate": "2022-07-02T00:48:35.391Z",
          "geoLocation": "dk",
          "isCountryVerified": false,
          "isDeviceAbroad": false,
          "isFallbackToken": false,
          "isOptedOut": false,
          "profileId": "c4e0...f3e",
          "refreshable": true,
          "scope": "Catalog",
          "type": "UserAccount",
          "value": "eyJ0eX...Dh8kXg"
        "chainPlayCountdown": 10,
        "profileToken": {
          "expirationDate": "2022-07-02T00:48:35.389Z",
          "geoLocation": "dk",
          "isCountryVerified": false,
          "isDeviceAbroad": false,
          "isFallbackToken": false,
          "isOptedOut": false,
          "profileId": "c4e0a...f3e",
          "refreshable": true,
          "scope": "Catalog",
          "type": "UserProfile",
          "value": "eyJ0eXAi...IkWOU5TA"
        "senderAppVersion": "2.211.33",
        "senderDeviceType": "web_browser",
        "sessionId": "cd84eb44-bce0-495b-ab6a-41ef125b945d",
        "showDebugOverlay": false,
        "userId": ""
      "media": {
        "contentId": "278091",
        "contentType": "video/hls",
        "customData": {
          "accessService": "StandardVideo"
        "streamType": "BUFFERED"
      "preloadTime": 0,
      "startTime": 0
  "repeatMode": "REPEAT_OFF",
  "requestId": 202,
  "sessionId": "81bdf716-f28a-485b-8dc3-ac4881346f79",
  "startIndex": 0,
  "type": "QUEUE_LOAD"

Here I spent a long time trying without any customData, and just using the appId and contentId. Initially it seemed to work!

However, it turned out it only worked if the DRTV Chromecast app was already launched from another device. If launched directly from pychromecast the app would load, show a spinner, and then go back to idle. Here much frustration was spent; I guess the customData is actually needed. And indeed, putting that in works! But where do these tokens come from, and how do we get those tokens from Python?

Using Chrome’s developer tools (F12) on the DRTV page, and then searching globally (CTRL-SHIFT-f) for various terms (“expirationDate”, “customData”, “profileToken”, “accountToken” etc.) revealed some interesting code, that was as semi-readable as any pretty-printed minifyed Javascript. Eventually I found the tokens in local storage:

Using these tokens work really well, and allows starting playback!

Some further exploration proceeded: using the showDebugOverlay flag reveals that the DRTV player is just a rebranded Shaka Player. The autoplay functionality can be disabled by setting chainPlayCountdown to -1, which is honestly a real oversight that it cannot be disabled officially, to not have to rush to stop the playback of the item before the next autoplays.

With all the puzzle pieces ready, I prepared a pull request (still open) to add support for DRTV to pychromecast.

Fantus-button part 2 will follow, detailing the hardware build and network integration with the support from pychromecast.

Gemt under: Extern, HAL9k


20 feb


Floating Solid Wood Alcove Shelves


I have an alcove where I wanted to put in some floating shelves. I wanted to use some solid wood I had lying around, to match the rest of the interior; this ruled out most of the methods described online: (i) building up the shelf around a bracket, and (ii) using hidden mounting hardware would be hard to get precise and would not provide support on the sides.

So inspired by some of the options instead I tried to get by with just brackets on the three sides, in a solid wood shelf. I ended up with 12mm brackets of plywood in a 26mm solid wood shelf, and that was plenty sturdy.

Step 1 was to cut out the rough shelves, with plenty of extra width, and rough fitting the plywood bracket pieces. It makes sense to leave as much on the top of the slit as possible, as this will be the failure point if overloaded. The excellent wood workshop at Hal9k came in very handy!

Step 2 was to mount the plywood brackets in the alcove. Pretty easy to do using a laser level, biggest problem was getting the rawplugs in precise enough for the level to be kept.

Step 3 was fitting the shelves individually, accounting for the crookedness of the 3 walls. The scribing method used by Rag’n’Bone Brown was pretty useful, just doing it in multiple steps to make sure not to cut off too much.

Finally, all the shelves in final mounting. Getting them in took a bit of persuasion with a hammer, and minor adjustments with a knife to the plywood brackets, as it was a tight fit. The key again was small adjustments.

One concern with such a tight fit would be wood movement; however most of the wood movement is “across the grain” which in this application means “in and out” from the alcove, where the wood is basically free to move as the shelves are not fastened to the brackets in any way.

Another concern would be if the relatively small brackets (12x12mm) can handle the load of the relatively wide shelves (60cm wide, 35cm deep, and 2.6cm high). There are two failure scenarios: (i) the wood could split above the slit, (ii) or the bracket could deform or be pulled out. Neither seems likely as (i) applying a static (or even dynamic) load large enough to split the wood seems implausible, even at the weakest point in the middle of the front, and (ii) the tight fit counteracts the brackets ability to be pulled out since pulling out in one side would have the shelf hitting the wall on the opposite side.

All in all a very satisfying project to work on and complete!

Gemt under: Extern, HAL9k

Tags: ,

04 okt


Olimex A20-OLinuXino-LIME2 – 8 years in service, 2 PSUs and 1 SD-card down


4 years ago I posted a 4 year review of the Olimex LIME2. It seems that the lifetime of power supplies is approximately 4 years as now another power supply died, and this time also the SD-card was expiring. The LIME2 lives on however!

It was a bit hard to notice, because the battery pack of the LIME2 kept it running pretty well even with the poor power supply. So, better monitoring of the battery pack is also on the todo list.

Recovering the bad SD-card

Recovering the SD-card was relatively easy with minimal dataloss, when out of the LIME2:

$ sudo ddrescue /dev/mmcblk0 backup.img
# Put in a new SD-card
$ sudo dd if=backup.img of=/dev/mmcblk0 bs=16M

I have done this a couple of times with other SD-cards from Raspberry PIs, and though there is the potential for dataloss it is usually minimal. This time a few blocks were lost.

Upgrading Debian from Stretch to Bullseye

I took the opportunity to upgrade the Debian install while the system was offline anyway. Upgrading was generally painless, following the usual Debian method. I went through the Buster release just to be sure:

$ vim /etc/apt/sources.list
# replace all "stretch" with "buster" :%s/stretch/buster
$ apt update && apt upgrade && apt full-upgrade
$ reboot

$ vim /etc/apt/sources.list
# replace all "buster" with "bullseye" :%s/buster/bullseye
$ apt update && apt upgrade && apt full-upgrade
$ reboot

The only tricky part is booting the new kernel. Since that always fails for me on the first try, I always hookup the serial console. For future reference, this is how to hookup the serial console:

Pinout from left as labelled on the LIME2: TX, RX, GND

Now, of course the boot failed. I tried getting the flash-kernel package to work for my setup, but for historical reasons I have a separate boot partition. In the end I derived a simple bootscript from that package, that boots from p1 but loads the kernel, fdt and initrd from p2:

setenv bootargs  ${bootargs} console=ttyS0,115200 root=/dev/mmcblk0p2 rootwait panic=10

#setenv fk_kvers '4.19.0-21-armmp-lpae'
setenv fk_kvers '5.10.0-18-armmp-lpae'
setenv fdtpath dtb-${fk_kvers}

load mmc 0:2 ${kernel_addr_r} /boot/vmlinuz-${fk_kvers}
load mmc 0:2 ${fdt_addr_r} /boot/${fdtpath}
load mmc 0:2 ${ramdisk_addr_r} /boot/initrd.img-${fk_kvers}
bootz ${kernel_addr_r} ${ramdisk_addr_r}:${filesize} ${fdt_addr_r}

The script can be manually input over the serial terminal, and thereby tested out.

The only downside is it needs to be manually updated after each kernel upgrade. To activate the uboot bootscript:

$ mount /dev/mmcblk0p1 /mnt/
$ cd /mnt
# ensure boot.cmd is as above
$ mkimage -C none -A arm -T script -d boot.cmd boot.scr

Monitoring the LIME2 battery pack

After upgrading to a recent 5.X mainline Linux kernel the battery pack is exposed in the sysfs filesystem:

$ cat /sys/class/power_supply/axp20x-battery/voltage_now 
4070000 # 4.07 V
$ cat /sys/class/power_supply/axp20x-ac/voltage_now 
4933000 # 4.93 V

I setup a couple of alerting rules for these in my home monitoring setup, so hopefully the next time the LIME2 defeats a power supply I’ll get notified.


I can still warmly recommend the LIME2. It is still available, and even a bit cheaper nowadays at 40 EUR + VAT, and still a little workhorse that just keeps on going.

Gemt under: Extern, HAL9k

Tags: ,

29 aug


Grundfos Alpha 2 pumpe går i stykker og flimrer: reparer den med en kondensator til nogle få kr


Som med så mange andre huse fulgte der en Grundfos Alpha 2 cirkulationspumpe med da vi købte et hus. Den pumpede og pumpede, indtil den var blevet 13 år gammel: så begyndte den at flimre når den skulle starte op. Det er jo som sådan en rimelig hæderlig levetid, men også lidt mistænkeligt at det ikke virkede til at være et mekanisk problem.

Flimmer, men ingen pumpning.

Symptomerne er:

  • Pumpen kan køre fint i længere tid
  • Ved længere tids stop kan den ikke starte; nogen gange starter den efter noget tid
  • Ved opvarmning starter pumpen, f.x. med en varmepistol

Det sidste punkt har gjort at der flere steder bliver spekuleret i at der er “kondens” i pumpen.

Det er dog ikke problemet. Problemet er en lille kondensator der holder strøm til lavspændingselektronikken:

47 uF 16 V kondensatoren er problemet.

I Hal9k eksperimenterede vi en smule for at verificere: hvis man køler den ned med f.x. sprit opstår problemet med det samme. Hvis man varmer den op starter pumpen med det samme.

For en udførlig vejledning i hvordan pumpen skilles ad og kondensatoren skiftes har Simon lavet en video:

Men hvad er kilden til problemet så? Kondensatoren får over tid en alt for stor indre modstand, og spændingstabet bliver for stort. Her et par målinger uden og med lidt sprit til ekstra afkøling:

En helt ny kondensator måler under 1 ohms modstand, altså 100 gange så lille indre modstand:

En ny kondensator kan findes ved at søge på “47 uf 16 v smd electrolytic capacitor”, f.x. TME.eu, eller endnu mere lokalt fra el-supply.dk.

Efter erstatning pumper pumpen lystigt.

Så hvad kan man lære af hele denne historie?
Grundfos laver mekanisk gode pumper, men sparer på deres elektronik. Det er trist at tænke på hvor mange pumper der mon er smidt ud lang tid før tid. Man kan nok ikke beskylde Grundfos for “planned obsolence” efter 13 år, men man kunne dog ønske at produktet fejlede i en mere brugbar konfiguration: f.x. at pumpen kører ved et minimum hvis elektronikken fejler.

Gemt under: Extern, HAL9k

Tags: ,

25 mar


Sniffing Philips Hue Zigbee traffic with Wireshark


I have a Philips Hue gateway at home that is connected to a number of Philips Hue lights, as well as some IKEA trådfri light bulbs, and a couple of OSRAM Lightify light strips. Most of the time the network works quite well, but some of the time a few of the lights become unreachable. I read a rumor online that the Hue lights and the other lights are actually on two different Zigbee networks. Of course, if only I had a way of sniffing the Zigbee traffic I could diagnose these problems. And thus began this quest.

USB TI CC2531 Zigbee sniffer dongle.

I started by buying a Zigbee sniffer, I found that the Texas Instruments CC2531 chip is widely used, and available in a cheap USB package. I purchased this USB CC2531 Zigbee sniffer, but others are probably equally good. After the dongle arrived I spent quite a while thinking that I need to replace the stock firmware, because of various old projects on GitHub (Sensniff, ccsniffpiper, etc.). Fortunately, you do not need to change the stock firmware. The best software package seems to be KillerBee which supports both sniffing and injection; however only sniffing with the CC2531. Installing KillerBee on Ubuntu is quite easy. You need to install scapy, and a few dependencies. The installation instructions are probably more up to date than this blog post.

Starting the sniffing is really easy, if you know the channel the Philips Hue is operating at. I think channel 11 is the default, but it is displayed in the Hue app, under info for the bridge:

sudo zbwireshark -c 11

This will launch a background process, and an instance of Wireshark that is monitoring the channel. At this point you can see the traffic; but everything is encrypted…

Encryption… Encryption everywhere!

A very incomplete intro to Zigbee encryption

Zigbee traffic can be encrypted with AES-128, which is a symmetric encryption scheme. This means the key to encrypt and decrypt is the same. There is a number of keys that can be used to encrypt a single packet payload:

  1. The Network Key, which is unique to this Zigbee network. This is what we will ultimately need to find. It is generated by the gateway, and shared by all the devices on the network. How does a new device join the network then? It uses the…
  2. The Key-Transport Key which is a pre-shared secret. Apparently there is a number of these, depending on the class of devices and type of network. These are apparently a well-kept secret or something, although widely available on the internet:
    1. “default global trust center link key” which is 5A:69:67:42:65:65:41:6C:6C:69:61:6E:63:65:30:39
    2. “light link master key” which is 9F:55:95:F1:02:57:C8:A4:69:CB:F4:2B:C9:3F:EE:31
    3. “light link commissioning key” which is 81:42:86:86:5D:C1:C8:B2:C8:CB:C5:2E:5D:65:D1:B8

You can add these keys to Wireshark, and the Zigbee dissector will then try to decrypt traffic using them. Go to Edit -> Preferences -> Protocols -> ZigBee and edit the pre-configured keys:

The Key-Transport Key is used whenever a new device joins the network with the sole purpose of encrypting the network key. So, to find the network key we need to know the Key-Transport Key, and observe the traffic when a device joins. So this is what I did: I found an IKEA Trådfri lightbulb and spent the frustrating time needed to get it to join the Philips Hue gateway (resetting the bulb, searching for new lights). Finally, it suceeded!

Hitting gold!

Now, by adding the transport key to the list of keys in Wireshark all the traffic on the network was able to be decrypted!

Decrypted traffic

The next step will be to analyze the traffic, and understand the routing. Very initial probes using zigbee-viewer indicates that there is indeed three distinct routings:

Zigbee routing.

Gemt under: Extern, HAL9k