Panasonic ub9000 control

Wow–this is an insane find. If only we could figure out what the hash or salt was for any of these.

I’ve recently stumbled back into this as I’m getting a whole home HVAC system (Aprilaire IAQ) with a special stat (8840 thermostat) that works with literally every automation provider under the sun (including Alexa and Google assistant) but not HomeKit. To get around this I’m going to try and use Assistant Relay to tie into Home Assistant and then bridge into HomeKit. Will be interesting to see how it works.

Will try and do the same thing with this Blu-ray player as it works with Google Assistant.

64 character raw hex non-b64 response. 32 bytes. 256 bits. Possibly HMAC-SHA-256 (worst case). Or the response is a partially encoded structure since it starts with <II and then a separator sequence. Do you have a second capture to compare the cAUTH_VALUE? The question is how difficult it would be to brute force. Depends on the algorithm.

(Obviously Panasonic should just publish this as this is the same protocol they added in 2012 with no auth value and it worked great. But at least my personal past experience has been that getting a human English speaking technical contact at Panasonic is impossible.)

More likely, whatever the “control 4 IP driver” is needs to be reverse engineered to find the key because getting it out of Panasonic firmware is much harder.

Here it is:
Control 4 drivers are written in LUA script, but this one is encrypted inside the zip file container.

Simple public key encrypted file. The private key is in the Control4 director app along with the passphrase. So you need to attach a debugger on a Control4 system to decrypt it. There is stuff out there on the Internet on how to do that. We do not have any Control4 here. It looks easy at first, but they changed the format in ~2016 such that you now need to go through that extra hoop.

You would need the private key and passphrase, both fairly easy to access with such a box by installing GDB, but I could not find them just browsing the Internet (I would be surprised if they’re not simply posted somewhere). Given a decrypted LUA script, making it work in Roomie would take about 2 minutes since we already have the code set as it’s the same protocol Panasonic added in 2012.

Great update–hoping you can get @Will_Price this info @codtrice!!!