Hi there,

Having the new EvoHome and the new apps to control it, I was disappointed upon contacting Honeywell that they told me there was no API to access this from anything but their apps. It seems a shame, as their US wifi thermostats have a limited Beta 1 of API access going on right now (all-bet very limited Beta).

I thought I'd have a look at the app and see if I could understand what they were doing. Initially I simply fired up a copy of Wireshark and sniffed all the traffic from the app to the internet. This did not prove particularly useful, as upon reading the packet trace, I could see that all of the traffic was encrypted and was completely using HTTPS to communicate to the Honeywell web server. What it did show me however, was that it was talking to rs.alarmnet.com, which is the same web site that the US is using and in fact you can login to the US website and use their website to do stuff with their US based thermostats.

Now, I had to work out how to go about decrypting HTTPS traffic to the website. With a bit of effort I think I now have a setup that let's me decode and read the API access that the apps are using. The next step for me to check this out is to write some Python code that replicates what the app is doing and to query the website from a Linux box just to chekc out my findings are correct.

Initially it looks like the app is doing:

POST to HTTPS://rs.alarmnet.com/TotalConnect...PI/api/Session with the parameters:

{
"Username": "your username",
"Password": "your password",
"ApplicationId": "not sure if this is app or user specific yet, so have removed value in meantime"
}

It then returns the following JSON data:

{
"sessionId": "B4E8FE94-F397-4706-85D4-11AEB7D4ADCB",
"userInfo": {
"userID": your numeric userid,
"username": "your username",
"firstname": "your firstname",
"lastname": "your lastname",
"streetAddress": "your address line 1",
"city": "your city",
"state": "",
"zipcode": "your postcode",
"country": "GB",
"telephone": "",
"userLanguage": "en-GB",
"isActivated": true,
"deviceCount": 0
},
"latestEulaAccepted": true
}

The app next sends a JSON request for all the info about your site:

POST to HTTPS://rs.alarmnet.com/TotalConnect...ns?userId=your userid&allData=True

this then returns a JSON response with the full details of your site.

Next it requests details on your gateway:

POST to HTTPS://rs.alarmnet.com/TotalConnect...ocationId=your location&allData=False

this then returns a JSON response:

[{
"gatewayID": XXXXXX,
"mac": "YYYYYYYYYYYY",
"crc": "ZZZZ",
"locationId": your locationID,
"isUpgrading": false
}]


I'm not publicly going to publish how I sniffed and decrypted all this traffic as I do not think it needs to be public knowledge, suffice it to say that the app is very secure and without access to kit and your iDevice, then you cannot break into the the app normally. You need physical access to the iDevice to change config on it to do this.

However, if anyone who is more interested in how to use the API and has more knowledge than I to make use of it, please get in touch via PM.

Roy.