ActronConnect Air Conditioner Module – Part 3: The Solution.

“It’s against my programming to impersonate a deity.” – C-3PO.

This post is part of a 3 part series, starting with part 1.

Now that I had determined the protocol used to communicate with the air conditioner, the remaining activity was to create a new web service to impersonate the Ninja Blocks one being used by the air conditioner controller.

I’ve roughly described the infrastructure changes needed to do that here. The solution was to use additional records on my local DNS server to redirect the traffic to an internal IP address, where I had a Microsoft IIS web server listening for traffic to the Actron usage URL and the Ninja Blocks data and command URLs. I was able to use ASP.NET 4.5 routing in order to route the requests to special handler classes. After that, it was a simple matter of the handler classes in the web application calling a WCF method from my home automation system to send status information to the home automation system, and to ask the home automation system if there were any queued commands that needed to be relayed to the air conditioner.

As an example, here is a snippet of the code from my UsageHandler.aspx file which deals with the Actron usage flow (as described in the previous post). The code adds some device specific HTTP headers to the response, sets the return content type, and then sends the appropriately formatted JSON response. After that, I capture the input data and send it to a syslog server.

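    // Requires: using System; using System.IO;
    protected void Page_Load(object sender, EventArgs e)
    {
        string strData;

        // Device-specific HTTP headers on the response.
        Response.AddHeader("Access-Control-Allow-Headers", "X-Requested-With");
        Response.AddHeader("Access-Control-Allow-Origin", "*");

        Response.ContentType = "application/json";

        // JSON reply for the usage flow.
        Response.Write("{\"status\":200,\"message\":\"Usage tracked\",\"value\":null}");

        // Capture the posted data; the reader is disposed once it has been read.
        using (StreamReader srRequest = new StreamReader(Request.InputStream))
        {
            strData = srRequest.ReadToEnd();
        }

        // Utility.SendSyslog is my own helper (not shown) that forwards to a syslog server.
        Utility.SendSyslog("UsageHandler() " + strData);
    }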

The overall project was a lot of fun, and ultimately very successful. My home automation system now has full control over the air conditioner. Whilst I’ve still got the ability to control it from the phone (using my interface), having the computer also able to control it opened it up to a whole new world of possibilities.

I am going to be contacting Actron to see if I can discuss any of these points. Interestingly enough, within a day of writing the first post I could see that my post was being read by Dialogix, a site used by companies to monitor what people are saying about their products. I can only assume that was on behalf of Actron and not a competitor.

The key suggestions for product improvement are:

  1. Either expose an API on the controller itself (preferably), or provide guidance on how to exploit the API of the cloud web service. Given Actron are using the Ninja Blocks web service which does have an API – it would be nice if they could inform people of that when they ring up and ask “how do I use an API to influence the air conditioner.” Simply saying “no, it can’t be done” when it clearly can be is not helpful. Whilst Actron don’t want to get into a position of providing support to people experimenting with an API outside of their control, they can still pass on information about the service for people to investigate themselves.
  2. Be aware of what data your organisation is collecting. I’m not sure if legally the excuse of “I didn’t know we were capturing that” works these days. Additionally, the damage to a company’s reputation when they are found to have been collecting information they shouldn’t have can be quite high.
  3. If you are sending information that should be protected, protect it with encryption. Whilst I understand that means additional development effort to ensure that the device can support something like SSL/TLS, it has become significantly cheaper these days to add that functionality to a custom built hardware device.

Just one further comment on that last point. Yes, it’s just an air conditioner. However, now that I know that the air conditioner is not using HTTPS to talk to the cloud service, that means it’s also not validating the certificate (because there isn’t one). The certificate validation would allow the air conditioner to confirm that the cloud web service sending it commands is the legitimate one. If someone were to attack this, they would basically be looking to compromise DNS and provide their own web service instead (as I did locally). Given there is no authentication between the air conditioner controller and the cloud web service, if someone were to impersonate the real cloud web service, every single customer with an ActronConnect could have their air conditioner remotely controlled. Whilst I understand that’s not overly exciting, there are a couple of points to remember.

The first point is that whilst the rogue cloud service is impersonating the real cloud service, the customer cannot prevent their air conditioner being controlled from the rogue service without dropping their internet connection or turning the power off to the air conditioner. The rogue service could simply send out a constant message that says ‘run the air conditioner at its max temperature on heating’. If you couldn’t turn that off, it might be a bit annoying, not to mention dangerous. The second point is that we’re going to see companies like Actron producing more and more internet enabled devices – see Internet of Things. If they continue to operate in this manner, we are going to have a lot of internet enabled devices that can be thoroughly compromised – we’ve already seen web sites popping up that expose people who haven’t secured their IP home cameras. Having someone take control over your air conditioner, alarm, front door (we’re starting to see locks become computer controlled as well) and internal camera is quite scary.

~ Mike
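
The gap the post describes is that the controller acts on whatever answers at the cloud hostname. As an added example (not code from this post or from Actron), the Python below shows application-layer command authentication with HMAC-SHA256 and a replay counter, a different mechanism from the TLS certificate validation suggested above that closes the same gap: a service reached through redirected DNS cannot produce a valid tag. The key, device id, envelope layout and command fields are all constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed per-device secret; a real one would be provisioned at manufacture.
DEVICE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)


def _tag(key: bytes, device_id: str, counter: int, body: str) -> bytes:
    # JSON-encode the fields as a list so their boundaries are unambiguous.
    msg = json.dumps([device_id, counter, body], separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest().encode()


def sign_command(key: bytes, device_id: str, counter: int, command: dict) -> dict:
    """Service side: wrap a command in an envelope carrying an HMAC-SHA256 tag."""
    body = json.dumps(command, sort_keys=True, separators=(",", ":"))
    tag = _tag(key, device_id, counter, body).decode()
    return {"device": device_id, "counter": counter, "body": body, "tag": tag}


class Controller:
    """Device side: act only on commands that verify and are newer than the last."""

    def __init__(self, key: bytes, device_id: str):
        self.key = key
        self.device_id = device_id
        self.last_counter = 0

    def accept(self, envelope: dict):
        try:
            device = str(envelope["device"])
            counter = int(envelope["counter"])
            body = str(envelope["body"])
            tag = str(envelope["tag"]).encode()
        except (KeyError, TypeError, ValueError, OverflowError):
            return None  # malformed envelope
        expected = _tag(self.key, device, counter, body)
        if device != self.device_id or not hmac.compare_digest(expected, tag):
            return None  # forged, altered, or signed for another device
        if counter <= self.last_counter:
            return None  # replayed or stale command
        self.last_counter = counter
        return json.loads(body)
```

A controller built this way still polls over plain HTTP, so the commands remain readable on the wire; the tag only stops an impostor service from issuing them.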

33 thoughts on “ActronConnect Air Conditioner Module – Part 3: The Solution.”

    1. Hi Mike, lots of great information here. I too would like to get a look at your code. Any chance of that?

  1. Thanks for another informative web site. Where else may just I am getting that type of information written in such a perfect manner? I have a project that I am just now operating on, and I have been on the glance out for such info.

  2. Hi Mike, I’m interested in your integration of the Actron unit with home automation. Would you be able to provide an integration for my unit (plugin) to the Fibaro system? If so how much would this cost?

  3. Hi, I too fell for the wireless but it had an ethernet port... I too tried (must admit my skillz are very poor) to get something to use with my Fibaro system. I too must admit to being very annoyed with Actron and their very poor attempt at something that was quite expensive. I’d assumed also that I could intercept a few calls and then just bounce them through my HA system. I’ve pretty much given up now; I thought I’d wait and see if they come out with a V2... As it is, I need to run the Actron Connect on a guest WiFi to separate it from the LAN or it wouldn’t connect, but even so it is so unresponsive it’s not worth using. Which HA do you use, Mike?

  4. It seems only Mike has the answers to automating the Fibaro A/C. I’ve contacted nearly everybody in regard to this and no one can help. I would be more than happy to pay for a solution.
    I require only local access control of the system.

  5. Mike, since you did this a while ago, have you seen any change in this? What about Actron, did they reach out to you like you mentioned?

    If you had to do it all again, would you have done it differently?

    1. Howdy – no they haven’t – not a surprise though.

      I would do it this way again – given the constraints of how the system works, I’ve no choice but to emulate the management server.

      Cheers

      1. Hi Mike, I am having a lot of trouble using and connecting to the Actron Wireless Control unit. Can you assist in any way, please?

  6. Hi Mike,

    Was there any particular formatting or encoding trick you found with returning commands to the air conditioner? I’ve set up a similar system using Python and Flask, and my web UI is able to harvest data from the AC and display it correctly, but sending commands to the unit is proving to be difficult. I’m running out of ideas (packet captures of the commands flow during normal cloud operation are almost identical to packet captures of the commands flow from my app) and would appreciate any insight you may have!

      1. Huh, I got an email about “Frustrated”‘s comment below, but not your reply! Cheers for responding 🙂 I managed to get everything working (details below for anyone else who may find them helpful).

        My system is pretty much a re-implementation of the one you’ve described here. I have my own DNS server running locally that redirects the air conditioner’s requests to Actron’s cloud to a Flask application running on my LAN. I keep a queue of commands stored in Redis, and whenever the air conditioner sends a GET request to the commands endpoint, my server pops the oldest command from the Redis queue, formats it and returns it.

        The issue I was having is that I was formatting my returned commands as JSON, but the air conditioner wasn’t doing anything with them. To troubleshoot, I made my responses have the exact same appearance (order of keys and values, lack of spaces between anything) as the packets I had from my packet capture. I hadn’t done this originally because JSON isn’t supposed to care about order, and the spaces should have been legal. It still didn’t work, so I went back and realised that every response from the cloud service started with two characters, and these characters are actually the size of the command JSON in hexadecimal. Once I implemented that, the air conditioner started responding to my commands. It was a little unreliable at first, so I changed my code to send each command to the air conditioner twice, and now it works quite well.

    1. I have just discovered flask and I am using it to control my pool heating system. Are you able to provide your solution on GitHub or similar? Are you using a Raspberry Pi out of interest as well?

      1. Hi Gavin/Chris, I’m also looking to use a Raspberry with my Actron Connect to integrate with my HA system based on Indigo Domo.

        Gavin, did you make any inroads with Python & Flask?

        Chris, would you be willing to share your work? It would be great to not have to start from scratch.

        P.S Awesome work Mark. Very informative.

      2. Hi Gavin/Chris, I’m also looking to use a Raspberry with my Actron Connect to integrate with my HA system based on Indigo Domo.

        Gavin, did you make any inroads with Python & Flask?

        Chris, would you be willing to share your work? It would be great to not have to start from scratch.

        P.S Awesome work Mike. Very informative.

  7. This module and app really is terrible, shame cause the AC itself is brilliant. The webserver on the module is literally plain text json commands on port 80 called Aconnect. I’m having issues connecting to it from my phone once the module is connected to my SSID. The app goes through its process and says it’s encrypting and connected but when I reconnect back to my SSID it can’t find the air conditioner. Did you have this problem? I get “Server link needs activation” from the webpage.

    1. Didn’t have this problem, so I can’t offer any help I’m afraid. Pretty shoddy if it won’t even connect to your WiFi, might be worth contacting Actron’s support or trying for a replacement unit or something.

      1. Is it possible to control the Actron device over the internet, as it is now, but with a third party app using LUA? Can you simply POST/PUT commands through the Ninja server? Any help would be appreciated.

      2. I fixed it. Firewall was blocking access to actron ninja server web requests/domains/servers. It’s all working now on a separate SSID 🙂

  8. @Adrian: I haven’t looked at the communications between the phone app / mobile site, so I’m afraid I don’t know how easy it would be to get the Ninja backend to accept commands sent from an app or site you build yourself. I’m not sure if the web interface uses https like the iOS app apparently does. If it doesn’t, you could try monitoring network traffic as you log in and send commands through it using Chrome’s developer tools or an equivalent. If you want to try to reverse engineer anything that’s using https then I guess the best way to approach that would be to set up something like mitmproxy and (temporarily!) install a certificate on your computer or phone so that you can examine everything that way.

  9. Guys, can you help to share the code here.. it would be very helpful to us like technical savvy but doesn’t know about coding. Me myself a network and system engineer and I just built my new home with vera zwave home automation.

    1. Hi Adrian. I am trying to do something similar but through OpenHAB. I am completely out of my depth and was hoping to impose on some assistance.

  10. So, looks like Ninjablocks went bust a few years ago in 2015, and I see that actron.ninja.is just fell off the Internet due to ninja.is not being renewed. That means as of today no one’s ActronConnect app will work, and seems unlikely they can bring it back to life without a firmware update on the module unless they do something clever.
    I had automation setup via the rest API, but looks like I’ll be converting to this method unless I can convince Actron to release the firmware. Thanks for writing it up.

  11. Darren, was just reading your post and watching my router continually fail to resolve actron.ninja.is tonight.

    At ~9pm it looks like someone’s worked some magic and this now resolves to 23.21.83.212.

    App seems to be working again.

    Mike – would be great to obtain this code or a little more info, hoping to set-up an internal webserver (RPi or similar) that me and wife can access instead of relying on Actron and their providers.

  12. Brett, ah, excellent looks someone is still around at NinjaBlocks, domain looks like it was just renewed for another year.

  13. I have been able to integrate the Actron into my home automation system using Openhab. I can send commands to the web server and almost completely control the air conditioner. The icing on the cake was being able to partially implement voice commands via Apple HomeKit. The next step is to remove reliance on the web server because as has been pointed out, that could be gone tomorrow, leaving us with a worthless module attached to the unit.

    I would love to learn how to move the web server and host it locally. While I was able to learn from others’ work to implement the coding necessary to communicate with the air conditioner via the web server, there is precious little out there for this next step.

    I am currently running Openhab on a Raspberry Pi and think I could host a web server on it but I just don’t know how to work out what code to use or how to get it on there.

    Just putting a little cry out for help to anyone who can give some guidance.

    1. I haven’t done any work on this but you should be able to redirect the web request from your router to your own web server. You obviously know what to send but have you sniffed what the web server sends back? If you can find that out I would think it shouldn’t be too hard to emulate the server?
