Reverse Engineering Chamberlain’s API
Recently, I made an Alexa skill to open and check my Chamberlain garage door. I thought it’d be interesting to share how this was made. In particular, I’d like to show how I reverse engineered the Chamberlain API. Aside from this, I will provide my findings on the Chamberlain API.
First of all, Chamberlain provides a smartphone app for us to interact with our garage door. There is an iOS and Android app. I am personally an iPhone user so I will be explaining how I worked with the iOS version of the application.
In order for us to reverse engineer the API, we need some way to be able to sniff (or capture) the traffic between us and the Chamberlain servers as we interact with the app. After doing some research, I decided to use Fiddler to do this. You can download it from here. Fiddler is a program that captures web traffic (HTTP/HTTPS) and logs it in a way that we can review it. Great!
So after installing Fiddler, we need to do some configuration since we are not logging traffic from our computers to Chamberlain’s servers. Instead, we are logging traffic from our phones to Chamberlain’s servers. Therefore, we will need to do some configuration on Fiddler, and we will also need to configure our wifi settings on our phones. With a little bit of research, I came across a document on how to set this up on iOS here. I imagine the process should be somewhat similar for Android.
After the configuration, I opened up Fiddler on my PC and went to File > Capture Traffic.
Afterwards, I opened the Chamberlain garage door opener app on my iPhone and Fiddler started capturing the traffic. One thing that makes reverse engineering and programming easier is to break a problem into small parts. In this case, we should be doing one action at a time so we can tell what that action does in terms of communicating with the Chamberlain servers. So, let’s start off with just logging into our Chamberlain account.
From a quick glance at our capture session thus far, we see a few things occur. First, there is a login that occurs. After the login occurs, we get more account information (this is what ?expand=account is), and then there is something to do with roles and invitations. It is unclear what this information is. Next, it gets the device information (the garage door information). The last few API calls are to retrieve information about the API.
Let’s take a closer look to see if we can discover how login works here. We’ll click on the /api/v5/Login request.
The top is our request header, and the bottom is the response body. From our request header, we can see that we are making a POST request (we are submitting information in our request). Also, we should notice the headers being used such as Accept, Accept-Encoding, Accept-Language, User-Agent (notice the custom User-Agent that identifies that it is the Chamberlain application accessing the API rather than a typical web browser), Content-Type (notice that it is application/json, which means it is a REST API), and MyQApplicationId (which likely identifies which application we are using). Let’s take a look at what data we are sending to the REST API, and what the API gives back to us. To do this, click on the JSON tab for both the top and bottom.
From this, we can see that we are sending our username and password in a JSON format. After we send this request, we get a response back which is a security token. This security token will be required for all of our actions from this point forward so we should store this information after we’ve logged in, so we can send it alongside any actions that are done to the garage door as needed. Next, we need to look at the request and response for ?expand=account.
From the request, we are only sending the headers as before as well as the SecurityToken (generated from login). Other than that, we are not sending anything in terms of JSON. From our response, there appears to be a lot of information regarding the account. Scrolling through it, you can find the information about where the account was registered, the postal code of the owner, a link to the device (the devices API endpoint), and the account ID. This information will likely come in handy, and we should look for this later on when we are opening and closing the garage door.
One important thing that we should notice is that in every request header we make, we always send the security token (after it’s been generated), and the MyQApplicationId. After a few trials of testing the app, I was able to verify that the MyQApplicationId doesn’t change, and as a result, I’ve decided to hardcode this information for my Alexa skill.
Moving forward, we are interested in the Chamberlain devices that we have. Scrolling through our Fiddler logs, we find this:
As expected, the device information of our garage door is listed. The garage door itself is the first item, and the second item would be the wifi gateway. We are however more interested in what sort of information is available for the garage door. So let’s take a closer look at the response body.
We can see that under state, it stores some nifty information about the garage door such as door_state, last_status, and the open and close URLs. Now, let’s take a look at opening and closing the garage door. Opening the garage door, we see that the app is communicating to the following endpoint:
And this is the JSON that is being sent in the request:
And while the door is opening, we notice the following at the Devices endpoint:
After the door is open, we notice this at the Devices endpoint:
So putting this all together, we notice that we contact an Actions endpoint and provide action_type=open in the JSON. After that has been done, we do a request on the Devices endpoint to retrieve the state of the garage door to identify the current state of the door (opening or opened). It is very likely that closing the garage door will be similar as well. But let’s confirm that by closing the garage door. When closing the garage door, we notice the same thing occur:
And that’s it! That is all there is to the Chamberlain API when it comes to opening and closing the garage door. Everything else can easily be figured out from this point.
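The flow described above (login, then the SecurityToken and MyQApplicationId headers on every request, an Actions call with action_type=open, then polling door_state), as an added example that is not part of the original post or Chamberlain’s code. It runs offline against a constructed fake server; the /devices and /actions paths, the username/password and SecurityToken JSON keys, the "closed" state value and the application ID placeholder are assumptions, since the capture screenshots are not reproduced here.

```python
APP_ID = "APP-ID-PLACEHOLDER"  # placeholder for the static MyQApplicationId value

class FakeServer:
    """Constructed stand-in for the API so the flow runs offline."""
    def __init__(self):
        self.token, self.state, self.polls_left = "constructed-token", "closed", 2
        self.log = []  # (path, header names) of every request received

    def handle(self, method, path, headers, body=None):
        self.log.append((path, sorted(headers)))
        if headers.get("MyQApplicationId") != APP_ID:
            return 401, {}
        if path == "/api/v5/Login":  # path from the capture; body keys assumed
            return 200, {"SecurityToken": self.token}
        if headers.get("SecurityToken") != self.token:
            return 401, {}  # everything after login needs the token
        if path == "/actions" and body == {"action_type": "open"}:  # assumed path
            self.state = "opening"
        elif path == "/devices" and self.state == "opening":  # assumed path
            if self.polls_left == 0:
                self.state = "opened"
            self.polls_left -= 1
        return 200, {"state": {"door_state": self.state}}

class Client:
    def __init__(self, send):
        self.send = send
        self.headers = {"MyQApplicationId": APP_ID}  # sent on every request

    def call(self, method, path, body=None):
        status, reply = self.send(method, path, self.headers, body)
        if status != 200:
            raise PermissionError(f"{path} returned {status}")
        return reply

    def login(self, username, password):
        reply = self.call("POST", "/api/v5/Login",
                          {"username": username, "password": password})
        self.headers["SecurityToken"] = reply["SecurityToken"]  # kept in memory only

    def open_door(self, max_polls=10):
        self.call("POST", "/actions", {"action_type": "open"})
        seen = []
        for _ in range(max_polls):  # bounded polling of the device state
            seen.append(self.call("GET", "/devices")["state"]["door_state"])
            if seen[-1] == "opened":
                return seen
        raise TimeoutError("door did not report 'opened'")
```

Swapping FakeServer.handle for a real HTTPS transport is the only change needed to use the client shape elsewhere; the bounded poll keeps a stuck door from looping forever.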