Smart heaters are using a binary format to communicate over MQTT. What techniques can I use to figure out the format?

I've got a bunch of Wi-Fi-enabled heaters. They have some terrible cloud setup, but I noticed that they connect through MQTT. So I added a DNS override on my network for the MQTT broker and spun up a Mosquitto server. The heaters connect, send a long message, and start publishing shorter messages regularly, supposedly with metrics. Hexdump of both messages: here

They also subscribe to some topics which I guess is how they are controlled. The first 50% of the metric message seems to always be the same, at least for the printable characters. I haven't checked in detail yet. But this at least makes me think it’s not encrypted.

I’ve tried decompiling the Android APK to look for clues but unfortunately it doesn’t interact with the MQTT broker at all.

So my main question is how do I approach this? What are some techniques or tools I should be leaning on?

submitted by /u/bruj0and

from hacking: security in practice https://ift.tt/ca1Tey2
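A worked example of the first technique a practitioner would reach for here: differential analysis of many captured payloads. This is added example code, not something from the original post or the heater vendor. It compares byte offsets across consecutive messages to separate constant framing from varying data, looks for fields that increment by one (sequence counters), and brute-force decodes every 4-byte window as an IEEE float in both byte orders, since sensor readings tend to land in a sane numeric range. The payload layout used for the sample messages (a 7-byte constant header, a u16 counter, a u16 scaled temperature, a little-endian f32, a 2-byte trailer) is entirely made up to exercise the functions; real captures would be fed in as hex lines, for example from `mosquitto_sub -t '#' -F '%x'`.

```python
import struct

# Constructed sample payloads standing in for consecutive "metric" messages.
# The layout below is an ASSUMPTION for demonstration only, not the heater's
# real format: 7-byte constant header | u16 LE seq | u16 LE temp*10 |
# f32 LE power (W) | 2-byte constant trailer.
def _make_sample(seq, temp_decideg, power_w):
    header = b"\x02\x10HTR\x00\x05"
    return header + struct.pack("<HHf", seq, temp_decideg, power_w) + b"\x00\xff"

SAMPLES = [
    _make_sample(41, 215, 1200.0),
    _make_sample(42, 217, 1200.0),
    _make_sample(43, 220, 1350.5),
    _make_sample(44, 220, 1350.5),
]

def load_hex_lines(lines):
    """Turn hex payload lines (e.g. mosquitto_sub -F '%x' output) into bytes."""
    return [bytes.fromhex(line.strip()) for line in lines if line.strip()]

def byte_variance(samples):
    """For each offset, the sorted set of distinct byte values seen across samples.
    One value -> framing/constant; many values -> live data."""
    length = min(len(s) for s in samples)
    return [sorted({s[i] for s in samples}) for i in range(length)]

def constant_offsets(samples):
    return [i for i, vals in enumerate(byte_variance(samples)) if len(vals) == 1]

def varying_offsets(samples):
    return [i for i, vals in enumerate(byte_variance(samples)) if len(vals) > 1]

def constant_prefix_length(samples):
    """Length of the run of constant bytes at the start of every message,
    i.e. the 'first half is always the same' observation made quantitative."""
    n = 0
    for vals in byte_variance(samples):
        if len(vals) != 1:
            break
        n += 1
    return n

def find_counters(samples, width=2):
    """Offsets where a width-byte integer increases by exactly 1 between
    consecutive messages, tried in both byte orders. Returns (offset, endianness)."""
    code = {1: "B", 2: "H", 4: "I"}[width]
    length = min(len(s) for s in samples)
    hits = []
    for prefix, name in (("<", "little"), (">", "big")):
        for off in range(length - width + 1):
            vals = [struct.unpack_from(prefix + code, s, off)[0] for s in samples]
            if all(b - a == 1 for a, b in zip(vals, vals[1:])):
                hits.append((off, name))
    return hits

def candidate_floats(sample, lo=-1e6, hi=1e6):
    """Decode every 4-byte window as f32 in both byte orders and keep values in a
    plausible range. NaN fails the comparison, inf falls outside [lo, hi]."""
    out = []
    for off in range(len(sample) - 3):
        for fmt, name in (("<f", "little"), (">f", "big")):
            v = struct.unpack_from(fmt, sample, off)[0]
            if lo < v < hi and abs(v) >= 1e-3:
                out.append((off, name, round(v, 3)))
    return out

if __name__ == "__main__":
    print("constant prefix:", constant_prefix_length(SAMPLES), "bytes")
    print("varying offsets:", varying_offsets(SAMPLES))
    print("counter candidates:", find_counters(SAMPLES))
    for off, endian, val in candidate_floats(SAMPLES[0]):
        print(f"f32 @{off:2d} {endian:6s} = {val}")
```

Expect false positives from overlapping windows: with the constructed data the big-endian counter hit at offset 6 is the same u16 counter read one byte early (its low byte overlaps the constant 0x05 before it), so resolve overlapping hits by preferring the one whose bytes line up with the constant/varying boundary from `byte_variance`. The same windowed approach works for u16/i16/u32 with a suspected scale factor (temperature × 10 is common), and plotting one candidate field against time while the heater warms up is usually what confirms it.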
