Shark hunt on LW301


Shark hunt? As a passionate diver, shark hunt is an absolute “no-go” for me. But as a networker I love to go hunting with a shark – with the Wireshark. Wireshark is one of the best network protocol analyzers. It lets you see what’s happening on a network at a microscopic level.

Why shark hunting?

In spring I wrote about the problems I have with my Oregon Scientific LW301 weather station. Several readers contacted me because they encounter the same problem. Fact is that one owns a weather station but can only read the gathered data over the Internet using a rather badly developed Android, iPhone or Windows App.

The weather station’s data is inside your own network, but you have no access. This had to change. Two guys in France and South Africa gave me very useful input. The only thing I lacked was time. Yesterday I found enough time for the hunt.

Set up the hunt

[Photo: Shark hunt with Wireshark]

On the left side you see the Oregon Scientific LW301 with the attached wireless receiver (single green LED). The LW301 is connected to a hub (an old Netgear 4 port hub). This hub is connected to the laptop on the right (black cable) and to the WAN router (pink cable).

The laptop runs the latest version of Wireshark. You may want to download it – here it is!

Step by step

I absolutely do not know what is inside the Oregon Scientific LW301. There must be a micro-controller like an Arduino or a Raspberry Pi or a BeagleBone. But I do not want to open the “Black Box” – never touch a running system. So I had to look inside over the network.

Step 1: The network address

Fortunately the LW301 has the MAC address printed on the label stuck on the case. A media access control address (MAC address) is a unique identifier assigned to network interfaces for communications on the physical network segment. MAC addresses are used as a network address for most IEEE 802 network technologies. So it wasn’t too difficult to see what the Oregon Scientific LW301 is doing on the network when powered on. Network gurus may want to click on the pictures below to read the data from Wireshark.


The Oregon Scientific LW301 first tries to get an IP address from the DHCP server. Wireshark also detected the brand of the network module – it’s a Microchip. My Linksys (CISCO) router then assigned an IP address to the Oregon Scientific LW301 using DHCP.


Here are the details of captured frame 166:
[Screenshot: Wireshark details of frame 166]

The Oregon Scientific LW301 got the IP address 192.168.2.100 from the DHCP server. This is good to know because now we can leave the hardware layer (MAC address) and move up to the Internet Protocol layer. But before we leave the underground, the Wireshark detected that the LW301 is already contacting Oregon Scientific (static.oregonscientific.com). It sends a DNS request to the name server of my network provider – 172.18.15.254.


Oregon Scientific then answers much later – it’s across the whole Pacific Ocean – and tells our LW301 where it can be found. Now let’s quit this low level of data communication.

Step 2: Find the right server


How is this data transmitted to Oregon Scientific? How it comes back to my PC doesn’t interest me because I want to read the data in my house without traveling twice under or over the Pacific Ocean.

The chat is now open between 192.168.2.100 (my weather station) and 175.45.32.3 (a server at Wharf T&T Limited in Kowloon). The surprise will come later …


The Oregon Scientific LW301 sends a synchronization request at TCP level (Transmission Control Protocol) to the remote server. It is important to know that the LW301 uses port 1109, a non-standard port, and the remote server uses port 80, which means that it is a web server speaking HTTP. This will make the future investigation much simpler because HTTP is very readable for humans.

The remote server then confirms the SYN request and asks the LW301 to communicate from its port 1109 to the server’s port 80.


In sequence 432 the LW301 sends a GET query to http://static.oregonscientific.com/blackbox/lw301/version?m=68e974. And then in a long chat the LW301 gets a new server name. The chat is so long because many packets did not arrive completely due to network congestion. And frankly, I do not know in which packet the new server name was transmitted. The new server to contact is: gateway.weather.oregonscientific.com. This is the Anywhere Weather homepage.


During a chat with the Oregon Scientific name server our LW301 gets a new address to contact … The big surprise!


Address “23.21.166.179” belongs to Amazon.com!

It seems that Oregon Scientific has abandoned Google’s cloud services and has moved to Amazon. This finally also explains the very long data exchange between the weather box and the Oregon Scientific servers. Our little box had to find out where to send the weather data.

Step 3: The weather data transmission

Now the Oregon Scientific LW301 is ready to exchange weather data with the Amazon.com cloud server. The following sequence runs now about every minute.


The most important packet is #1145. Inside this packet comes the desired payload, the data from our weather station:

[Screenshot: Wireshark view of packet 1145]

The data starts after the dark grey zone. It reads:

mac=00 04 a3 68 e9 74 (that’s the MAC address of our LW301)
id=84 (I don’t know what ID this is)
rid=b3 (Again, I don’t know)
pwr=0 (Power ?)
htr=0 (Again ???)
cz=0 (Still cryptic ?)
oh=65 (Aah, Outdoor Humidity is 65%)
ttr=0 (???)
ot=31.5 (Outdoor Temperature is 31.5 degrees Celsius)
ch=1 (The sensor’s channel is number 1)
p=1 (Again, I don’t know)

But at least 4 of the 11 items are identified. So the LW301 sends this data as one sausage to: http://gateway.weather.oregonscientific.com/update?
The Amazon server then acknowledges and our box continues to send. The next payload contains wind information:

mac=00 04 a3 68 e9 74 (that’s the MAC address of our LW301)
id=90 (I don’t know what ID this is)
rid=dd (Again, I don’t know)
pwr=0 (Power ?)
gw=0 (Don’t know. Seems to be an average)
av=0 (Don’t know. Seems to be an average)
wd=45 (Wind direction is 45 degrees)
wg=2.2 (Wind gusts is 2.2 m/s)
ws=0.0 (Current wind is 0.0 m/s)
ch=1 (The sensor’s channel is number 1)
p=1 (Again, I don’t know)

Barometric pressure and rainfall are still missing.

mac=00 04 a3 68 e9 74 (that’s the MAC address of our LW301)
id=82 (I don’t know what ID this is)
rid=5a (Again, I don’t know)
pwr=0 (Power ?)
rro=0 (A rainfall average)
rr=0.00 (Another rainfall average ?)
rfa=0.204 (Current rainfall is 0.204 mm) It really rained!
ch=1 (The sensor’s channel is number 1)
p=1 (Again, I don’t know)

mac=00 04 a3 68 e9 74 (that’s the MAC address of our LW301)
id=c2 (I don’t know what ID this is)
pv=0 (?)
lb=0 (?)
ac=0 (?)
reg=0803 (Region ?)
lost=0000 (?)
baro=1006 (Barometric pressure in hPa)
ptr=0 (?)
wfor=0 (Weather forecast ?)
p=1 (?)

Now we have a lot of data. Some data can be decoded, other information needs more observation. Important for the network gurus is that the LW301 increases the port number with each transmission.

The next transmission after a few seconds again contains wind information:

mac=00 04 a3 68 e9 74 (that’s the MAC address of our LW301)
id=90 (It is again 90. Seems to be the sensor ID)
rid=dd (Again, the same. Seems also to be a sensor ID )
pwr=0 (Power ?)
gw=0 (Don’t know. Seems to be an average)
av=0 (Don’t know. Seems to be an average)
wd=292 (Wind direction is 292 degrees)
wg=1.9 (Wind gusts is 1.9 m/s)
ws=1.5 (Current wind is 1.5 m/s)
ch=1 (The sensor’s channel is number 1)
p=1 (Again, I don’t know)
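
The payloads listed above can be decoded mechanically. The following Python is an added example, not code from the original post or from Oregon Scientific: it assumes the fields travel as an ordinary `&`-separated query string on the `/update` request with the MAC written without spaces, names only the keys the post identified, and keeps every other key raw.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# key -> (name, unit, converter) for the fields identified in the post
KNOWN = {
    "oh": ("outdoor_humidity", "%", int),
    "ot": ("outdoor_temperature", "C", float),
    "wd": ("wind_direction", "deg", int),
    "wg": ("wind_gust", "m/s", float),
    "ws": ("wind_speed", "m/s", float),
    "rfa": ("rainfall", "mm", float),
    "baro": ("pressure", "hPa", int),
    "ch": ("channel", "", int),
}
# id value -> message kind, as seen in the four payloads listed above
KINDS = {"84": "temp_humidity", "90": "wind", "82": "rain", "c2": "barometer"}

# Constructed request lines: the post's values, joined with an assumed "&"
SAMPLES = [
    "GET /update?mac=0004a368e974&id=84&rid=b3&pwr=0&htr=0&cz=0&oh=65"
    "&ttr=0&ot=31.5&ch=1&p=1 HTTP/1.1",
    "GET /update?mac=0004a368e974&id=90&rid=dd&pwr=0&gw=0&av=0&wd=292"
    "&wg=1.9&ws=1.5&ch=1&p=1 HTTP/1.1",
]

def decode_update(request_line):
    """Decode one captured 'GET /update?... HTTP/1.1' request line."""
    method, target, _version = request_line.split(" ", 2)
    url = urlsplit(target)
    if method != "GET" or url.path != "/update":
        raise ValueError("not an LW301 update request")
    fields = dict(parse_qsl(url.query, keep_blank_values=True))
    mac = fields.pop("mac", "").replace(" ", "").lower()
    if not re.fullmatch(r"[0-9a-f]{12}", mac):
        raise ValueError("missing or malformed mac field")
    msg_id = fields.pop("id", "")
    out = {"mac": ":".join(mac[i:i + 2] for i in range(0, 12, 2)),
           "kind": KINDS.get(msg_id, "unknown-" + msg_id),
           "readings": {}, "unknown": {}}
    for key, raw in fields.items():
        if key in KNOWN:
            name, unit, convert = KNOWN[key]
            try:
                out["readings"][name] = (convert(raw), unit)
                continue
            except ValueError:
                pass  # value does not parse: keep it raw below
        out["unknown"][key] = raw
    return out
```

Calling `decode_update(SAMPLES[0])` returns the temperature and humidity readings with their units, with `rid`, `pwr`, `htr`, `cz`, `ttr` and `p` left under `unknown` until more captures explain them.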

Let’s stop for now. There is a lot of information to crunch and to interpret. For me still the big question is how to intercept this data and redirect it to my in-house server.

For those who have network knowledge and want to help me: I have two Wireshark capture files, one containing the initial server data exchange and one containing the weather data exchange. Send a comment and ask for the files, I’ll then send them by e-mail. I am now going hunting with the real sharks.

waebi

Stop Shark Hunting – hunt with the Sharks !
