The Miniserver allows connections from other computers and can talk to other systems. This document will try to document all ways the Miniserver communicates.
Whenever I need to mention the 6-byte serial number of the Miniserver, I will use `504F11223344` as the serial number. You obviously need to use your own serial number.
Server name | Description | Loxone Documentation Link |
---|---|---|
https://www.loxone.com | Their main website, also hosts the News Feed. | https://www.loxone.com |
clouddns.loxone.com | Loxone DNS Service | https://www.loxone.com/enen/kb/dns-service/ |
mail.loxonecloud.com | Loxone Mailer Service to send emails | https://www.loxone.com/enen/kb/mailer-service/ |
push.loxonecloud.com | Push Notifications Service | https://www.loxone.com/enen/kb/push-notifications/ |
weather.loxone.com | The subscription-based Loxone Weather Service | https://www.loxone.com/enen/kb/weather-service/ |
caller.loxone.com | The subscription-based Caller Service for text-to-speech callbacks for notifications | https://www.loxone.com/enen/kb/caller-service/ |
update.loxone.com | Update server for the hardware | https://www.loxone.com/enen/kb/installing-updates/ |
monitorserver.loxone.com | Loxone Monitor | https://www.loxone.com/enen/kb/loxone-monitor/ |
log.loxone.com | Loxone Log (can be disabled in Loxone Config, sends support information to Loxone) |
clouddns.loxone.com, push.loxonecloud.com, weather.loxone.com, and dns.loxonecloud.com are all services running on the same Amazon server.
mail.loxonecloud.com and monitorserver.loxone.com are running on Host Europe GmbH.
update.loxone.com is running on an Amazon cloud server.
caller.loxone.com is running on a Loxone server from Netplanet in Vienna.
log.loxone.com is running on a Loxone server directly at the Loxone headquarters in Kollerschlag, Austria.
Type | Port | Description |
---|---|---|
TCP | 21 | FTP server |
TCP | 23 | Telnet (stream) |
TCP | 80 | HTTP server (also: stream) |
TCP | 8080 | HTTP |
UDP | 68 | DHCP |
UDP | 123 | NTP |
UDP | 137 | NetBIOS NS |
UDP | 162 | smtp (stream) |
UDP | 514 | syslog (stream) |
UDP | 1900 | SSDP |
UDP | 3671 | EIBnet/IP tunnel protocol |
UDP | 5000 | Intercom |
UDP | 5353 | mDNS |
UDP | 7070/7071 | Miniserver send/answer – used for discovery |
UDP | 7072/7073 | Loxone Gateway (from/to ports) |
UDP | 7074/7075 | Loxone Gateway (from/to ports) (alternative ports) |
UDP | 7076 | Loxone Gateway |
UDP | 7077 | Intercom |
UDP | 7078 | Bus Handler (unknown) |
UDP | 7090 | Keba Wallbox (see https://www.keba.com/web/downloads/e-mobility/KeContact_P20_P30_UDP_ProgrGuide_en.pdf) |
UDP | 7091 | Loxone Multi Media Server |
UDP | 7700 | Loxone DNS Service (send only) |
UDP | 7707 | Loxone Log Server (send only) |
UDP | 7777 | Loxone Monitor (send only) |
UDP | 8110 | Intercom Xl |
UDP | 8112 | Intercom SIP |
UDP | 55895 | UPnp search |
The firewall in the Miniserver only allows the configured HTTP port (typically 80) and FTP port (typically 21) to pass through. Additionally, HTTPS (port 443) and port 7091 are always allowed. All other ports are blocked.
DHCP/NTP/NetBIOS/SSDP/mDNS/UPnp are typical ports to detect or be detected by other network devices. There are no special Miniserver related services being offered by them.
The stream ports are possible destinations for the Loxone configuration, like `/dev/udp`.
The ports starting at 7070 seem to be a reserved range of UDP ports used by the Miniserver. 7700, 7707 and 7777 are for sending to Loxone-specific services; they can all be disabled, if necessary.
The Intercom seems to use a range of ports (5000,7077,8110,8112)
There are two ways to search for a Miniserver in a local network:
- UDP Broadcast
- Simple Service Discovery Protocol
To find a Miniserver from outside the local network, you either need to use the DNS service from Loxone or use a VPN setup for your local network.
To search via UDP Broadcast, broadcast a single 0x00 byte to UDP port 7070 while listening on UDP port 7071 for about 3s.
Miniservers will reply with one packet:
[LoxLIVE: Loxone Miniserver 192.168.178.32:80 504F11223344 10.2.3.26 Prog:2019-04-24 21:08:03 Type:0 HwId:A0000 IPv6:,0c112233:10020217/O]
- `LoxLIVE:` can be used to detect the message
- `Loxone Miniserver` is the name of the Miniserver. You might notice that it is tricky to detect the length of the string. You need to scan for a valid IPv4 behind it to figure it out.
- `192.168.178.32:80` is the local IPv4 with the HTTP port number.
- `504F11223344` is the serial number of the Miniserver
- `10.2.3.26` is the firmware version of the Miniserver
- `Prog:2019-04-24 21:08:03` is the date of the Loxone Config file.
- `Type:0`
- `HwId:A0000` is the hardware version of the Miniserver as documented in Loxone Miniserver Hardware
- `IPv6:,0c112233:10020217/O` looks like it is supposed to contain the IPv6 of the Miniserver, but because it is not assigned one, it seems to return garbage, which looks like the serial number of an Air Base Extension with its firmware version.
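A parser for this reply, for inventorying the Miniservers on your own network. This is an added example, not code from Loxone or from the original page; the function names are hypothetical, and whether the surrounding brackets are sent on the wire is an assumption, so both forms are accepted. The name has no length field, so the parser anchors on the first `IPv4:port` token that is followed by a 12-digit hex serial.

```python
import re
import socket
import time

# Constructed sample: the reply quoted above, with the page's placeholder serial.
SAMPLE = (b"[LoxLIVE: Loxone Miniserver 192.168.178.32:80 504F11223344 10.2.3.26 "
          b"Prog:2019-04-24 21:08:03 Type:0 HwId:A0000 IPv6:,0c112233:10020217/O]")

# name (may contain spaces) | ip:port | serial | firmware | remaining key:value pairs
_REPLY = re.compile(
    r"^LoxLIVE: (?P<name>.*?) "
    r"(?P<ip>(?:\d{1,3}\.){3}\d{1,3}):(?P<port>\d{1,5}) "
    r"(?P<serial>[0-9A-Fa-f]{12}) "
    r"(?P<firmware>\d+(?:\.\d+){3})(?P<rest>.*)$",
    re.DOTALL)
# A value runs until the next " Key:" token, so "Prog:" keeps its embedded space.
_EXTRA = re.compile(r"([A-Za-z]\w*):(.*?)(?= [A-Za-z]\w*:|$)", re.DOTALL)


def parse_loxlive(datagram):
    """Return the fields of one discovery reply, or None if it is not one."""
    text = datagram.decode("utf-8", errors="replace").strip("\x00\r\n ")
    if text.startswith("[") and text.endswith("]"):
        text = text[1:-1]
    m = _REPLY.match(text)
    if m is None:
        return None
    port = int(m["port"])
    if any(int(o) > 255 for o in m["ip"].split(".")) or not 0 < port < 65536:
        return None
    return {"name": m["name"], "ip": m["ip"], "port": port,
            "serial": m["serial"].upper(), "firmware": m["firmware"],
            "extra": dict(_EXTRA.findall(m["rest"]))}


def discover(timeout=3.0):
    """Broadcast one 0x00 byte to UDP 7070 and collect replies on UDP 7071."""
    found = {}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        s.bind(("", 7071))
        s.sendto(b"\x00", ("255.255.255.255", 7070))
        deadline = time.monotonic() + timeout
        while (left := deadline - time.monotonic()) > 0:
            s.settimeout(left)
            try:
                data, addr = s.recvfrom(2048)
            except socket.timeout:
                break
            info = parse_loxlive(data)
            if info:
                # The reply is unauthenticated: note when the advertised
                # address differs from the address the packet came from.
                info["source"] = addr[0]
                info["ip_matches_source"] = info["ip"] == addr[0]
                found[info["serial"]] = info
    return list(found.values())


if __name__ == "__main__":
    print(parse_loxlive(SAMPLE))
```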
This protocol is used by many different hardware devices, like Sonos. As such the Miniserver uses `NOTIFY` to inform the network via Broadcast.
The Miniserver also responds to an SSDP request. It returns a reply like this:
HTTP/1.1 200 OK
CACHE-CONTROL:max-age=3600
ST:upnp:rootdevice
USN:uuid:aabbccdd-eeff-0011-2233-445566778899::upnp:rootdevice
EXT:
SERVER:Loxone Miniserver Loxone Miniserver UPnP/1.0
LOCATION:http://192.168.178.32:80/upnp.xml
It contains the name after "Loxone Miniserver" and the SSDP UUID, as well as the `LOCATION` of an XML file, which responds with the following XML:
<root xmlns="urn:schemas-upnp-org:device-1-0">
<specVersion>
<major>1</major>
<minor>0</minor>
</specVersion>
<device>
<deviceType>urn:schemas-upnp-org:device:HVAC_System:1</deviceType>
<friendlyName>Loxone Miniserver</friendlyName>
<manufacturer>Loxone Electronics GmbH</manufacturer>
<manufacturerURL>https://www.loxone.com/</manufacturerURL>
<modelDescription>Loxone Electronics home control (Loxone Miniserver: *4C6F786F6E65204D696E69736572766572 192.168.178.32:80 504F11223344 10.2.3.26 IPv6:,0c112233:10020217/O)</modelDescription>
<modelName>Loxone Miniserver</modelName>
<modelNumber>1</modelNumber>
<modelURL>https://www.loxone.com/help/miniserver</modelURL>
<serialNumber>504F11223344</serialNumber>
<UDN>uuid:aabbccdd-eeff-0011-2233-445566778899</UDN>
<iconList>
<icon>
<mimetype>image/png</mimetype>
<width>16</width>
<height>16</height>
<depth>32</depth>
<url>/images/icon16.png</url>
</icon>
<icon>
<mimetype>image/png</mimetype>
<width>32</width>
<height>32</height>
<depth>32</depth>
<url>/images/icon32.png</url>
</icon>
<icon>
<mimetype>image/png</mimetype>
<width>48</width>
<height>48</height>
<depth>32</depth>
<url>/images/icon48.png</url>
</icon>
<icon>
<mimetype>image/png</mimetype>
<width>64</width>
<height>64</height>
<depth>32</depth>
<url>/images/icon64.png</url>
</icon>
<icon>
<mimetype>image/png</mimetype>
<width>256</width>
<height>256</height>
<depth>32</depth>
<url>/images/icon256.png</url>
</icon>
</iconList>
<presentationURL>http://192.168.178.32:80/index.html</presentationURL>
</device>
</root>
The important entries are:
- `friendlyName` - the user facing name of the Miniserver
- `modelNumber` - is provided just like the serial number and the UUID from the flash memory.
- `modelDescription` - similar to the UDP request. The hex-string after the `*` also contains the name.
- `serialNumber` - serial number of the Miniserver
- `UDN` - UUID for the Miniserver, similar to its serial number, but only used for SSDP.
- `presentationURL` - URL to the webinterface
- `iconList` - the iconList does not work, because the png assets are not on the Miniserver. Feels like a bug.
- SSDP NOTIFY to the local network
- Send log information, if necessary
- UDP dynamic IP update via dns.loxonecloud.com:80
- HTTP request for the weather forecast
- NTP clock requests
Loxone News Feed (www.loxone.com)
The Loxone Smart Home application, and also the web interface, show ads for Loxone products. These can't be disabled!
The web application requests
`https://www.loxone.com/loxone-feed.php?channel=app&lang=dede?_=123456789`
to fetch the annoying advertisements shown in the top-right corner of the app. The `_` parameter is just a random number (actually a timer value) to avoid caching of the data; it could be omitted. The returned data is a JSON block, which looks like this:
HTTP/1.1 200 OK
Date: Mon, 01 May 2018 00:11:22 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: close
Access-Control-Allow-Origin: *
Expires: 0
Last-Modified: Mon, 01 May 2018 00:11:22 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Server: cloudflare
[
{
"title": "Touch Nightlight: Viel mehr als ein gew\u00f6hnliches Nachtlicht",
"image": "https:\/\/www.loxone.com\/wp-content\/uploads\/sites\/2\/2019\/03\/Touch_Nightlight_Header_NEU.png",
"short_text": "Das Touch Nightlight ist weit mehr als ein gew\u00f6hnliches Nachtlicht. Es ist Ambientelicht, Wecker, Bedienger\u00e4t, Alarmgeber und Nachtlicht zugleich. Diese Vielf\u00e4ltigkeit macht es zur perfekten Erg\u00e4nzung f\u00fcr all Ihre Wohn- und Schlafr\u00e4ume. Vom Elternschlafzimmer bis zum Kinderzimmer.",
"link": "https:\/\/www.loxone.com\/dede\/touch-nightlight-mehr-als-ein-nachtlicht\/",
"timestamp": 1553592596,
"location_long": "",
"location_lat": "",
"radius": "",
"partner_status": ""
},
……………
{
"title": "iPad Wallmount: Die eleganteste Wandhalterung aller Zeiten",
"image": "https:\/\/www.loxone.com\/wp-content\/uploads\/sites\/2\/2018\/11\/[email protected]_.png",
"short_text": "Hochwertige Materialien, beste Verarbeitung, hauchd\u00fcnne Abmessungen, ein elegantes sowie zeitloses Design und ein revolution\u00e4re Ladevorrichtung. Diese Attribute beschreiben unsere iPad Wallmount. Angebracht an Ihrem Lieblingsort, verwandelt sie Ihr iPad in die eleganteste Smart Home Bedienzentrale aller Zeiten. ",
"link": "https:\/\/www.loxone.com\/dede\/ipad-wallmount\/",
"timestamp": 1543914098,
"location_long": "",
"location_lat": "",
"radius": "",
"partner_status": ""
}
]
Loxone offers a dynamic DNS service, which allows finding your own servers via the internet, based on the assumption that your home IP address is not static (which it typically is not). This still requires the Firewall to be open for the Miniserver. In general it is probably still better to have a VPN connection to your home, than relying on security of your home automation server. The advantage of this system is: it is easy and reasonably secure (if there are no security issues in the Miniserver and your passwords are good). That said: you are still exposing your server to the internet!
To publish the IP, the Miniserver sends a single UDP request to the Loxone DNS Service on port 7700 with the following content:
504F11223344,80,00000000,AABBCCDDEEFF0011
- `504F11223344` is the 6-byte serial number of the Miniserver. All Miniservers start with `504F`.
- `80` is the port number under which the Miniserver responds to HTTP requests for the Web-Interface
- `00000000` is the version number of the `WebInterfaceAGZ`
- `AABBCCDDEEFF0011` is an 8 byte unique key. This key is constant for the Miniserver and acts as a validation for the serial number. It protects Loxone against bad guys pushing random serial numbers to their DNS server.

But you might be able to spot a problem with security: because the request is not encrypted, any bad guy who manages to collect one request can then send his own request to Loxone. The next time you try to connect to your server, you could then end up on a compromised server from the bad guy, telling him your admin name and password!
Also it is called every 60s, which feels excessive. It should be called whenever the external IP changes, but not every minute.
To find the IP address for a Miniserver, you need to know its serial number and simply send this request: http://dns.loxonecloud.com/504F11223344
This will get resolved to http://504F11223344.dns.loxonecloud.com which forwards directly to your Miniserver.
Alternatively you can get the DNS status by sending this request http://dns.loxonecloud.com/?getip&snr=504F11223344&json=true, which returns a proper JSON reply:
{
"cmd": "getip",
"IP": "123.123.123.123",
"Code": 200,
"LastUpdated": "2018-02-01 00:11:22",
"PortOpen": true,
"DNS-Status": "registered"
}
Without the json flag, you get an XML reply. Whatever you prefer, but Loxone has been deprecating XML-based APIs, so I would probably go with the JSON one.
<Answer cmd="getip" LastUpdated="2018-02-01 00:11:22" PortOpen="1" IP="123.123.123.123" Code="200" DNS-Status="registered"/>
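Because the UDP update can be replayed, it is worth checking periodically that the published record still points at your own address. The following is an added example, not code from Loxone or from the original page: it normalises either reply format and flags a record that points elsewhere or is no longer being refreshed. The function names, the five-minute threshold and the assumption that `LastUpdated` is in the same time zone as `now` are mine; the sample replies are the ones shown above.

```python
import json
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

# Constructed samples: the two replies shown above.
JSON_REPLY = ('{"cmd": "getip", "IP": "123.123.123.123", "Code": 200, '
              '"LastUpdated": "2018-02-01 00:11:22", "PortOpen": true, '
              '"DNS-Status": "registered"}')
XML_REPLY = ('<Answer cmd="getip" LastUpdated="2018-02-01 00:11:22" PortOpen="1" '
             'IP="123.123.123.123" Code="200" DNS-Status="registered"/>')


def parse_getip(body):
    """Normalise the JSON or the XML getip reply into one dictionary."""
    text = body.strip()
    if text.startswith("{"):
        raw = json.loads(text)
    else:
        # The reply arrives over plain HTTP, so treat it as untrusted:
        # refuse DTDs/entities instead of handing them to the XML parser.
        if "<!" in text or len(text) > 4096:
            raise ValueError("unexpected XML reply")
        raw = dict(ET.fromstring(text).attrib)
    return {
        "ip": raw["IP"],
        "code": int(raw["Code"]),
        "last_updated": datetime.strptime(raw["LastUpdated"], "%Y-%m-%d %H:%M:%S"),
        "port_open": raw["PortOpen"] in (True, "1", "true"),
        "status": raw["DNS-Status"],
    }


def check_registration(reply, expected_ip, now, max_age=timedelta(minutes=5)):
    """Return a list of findings; an empty list means the record looks sane."""
    findings = []
    if reply["code"] != 200 or reply["status"] != "registered":
        findings.append("not-registered")
    if reply["ip"] != expected_ip:
        # The record points somewhere else than your own external address.
        findings.append("ip-mismatch")
    if now - reply["last_updated"] > max_age:
        # The Miniserver publishes every 60 s, so an old timestamp means
        # its updates are not arriving.
        findings.append("stale")
    return findings


if __name__ == "__main__":
    reply = parse_getip(JSON_REPLY)
    print(check_registration(reply, "123.123.123.123", datetime(2018, 2, 1, 0, 12, 0)))
```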
The Miniserver can send emails with status updates to any email account.
When using the standard Mailer service, you have to provide an SMTP server with username and password to send emails. It does support TLS security via SMTP (thanks to Stefan for pointing this out).
The Loxone Mailer Service is a special mail server from Loxone, which does encrypt data between the Miniserver and the mail server. The disadvantage is a potential limit on the number of emails you can send and that you are relying on Loxone as well as trusting them with your data. Interestingly it is not using SMTP, but HTTPS to send the data. It works in two steps:
- Request an authorization key via `https://mail.loxonecloud.com/getkey/MINISERVER_SERIAL`. The response is a 48 byte hex string, which converts into a 24 byte ASCII string.
- Send the email via POST `https://mail.loxonecloud.com/sendmail/MINISERVER_SERIAL` with an XML block containing the user, date, sender, sender name (the server name), receiver, subject, mail body and an authorization code. The user field is the encrypted username and password; the authorization code is calculated with an HMAC-SHA1 with the response from the first request as the key and a secret code plus the Miniserver serial number as the data. This allows the mail server to validate the partner.
Security: trusting somebody on the internet is always a risk, even Loxone. But mail is not considered really secure and we are typically talking about status updates. Their choice of HTTPS is fine, but their authorization mechanism is kind of weird. Yes, it is a handshake between two partners, but the signature of the reply is only based on the serial number. The username/password are empty anyway, but probably validated via decryption – which is another check, this time with the date and Miniserver serial number. What is absent are all the other fields, which could be considered an attack surface, because via a man-in-the-middle these fields could be simply replaced with new data. Nevertheless not a very probable attack, but possible, especially if you are in the same network.
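The gap described above, shown side by side with a MAC that covers the whole message. This is an added example, not code from Loxone or from the original page: the secret code is a placeholder, the concatenation order, the field names and the length-prefixed encoding are assumptions, and the "all fields" variant is a hypothetical hardening that keeps HMAC-SHA1 only so that the covered data is the single difference.

```python
import hashlib
import hmac

SERIAL = "504F11223344"               # placeholder serial used on this page
SECRET = "<secret-code-placeholder>"  # the real secret code is not documented here
# Constructed /getkey response: 48 hex characters that decode to 24 ASCII bytes.
GETKEY_HEX = b"abcdefghijklmnopqrstuvwx".hex()

# Hypothetical names for the mail fields listed above.
FIELDS = ("date", "sender", "sendername", "receiver", "subject", "body")


def session_key(getkey_hex):
    """Decode the getkey response into the 24-byte HMAC key."""
    key = bytes.fromhex(getkey_hex)
    if len(key) != 24:
        raise ValueError("expected 48 hex characters")
    return key


def auth_serial_only(key, serial):
    """Scheme as described: the MAC covers only secret code + serial."""
    return hmac.new(key, (SECRET + serial).encode(), hashlib.sha1).hexdigest()


def auth_all_fields(key, serial, mail):
    """Hardened variant: the MAC additionally covers every mail field.

    Each field is length-prefixed so that moving bytes from one field
    to the next cannot produce the same MAC input.
    """
    mac = hmac.new(key, (SECRET + serial).encode(), hashlib.sha1)
    for name in FIELDS:
        value = mail[name].encode()
        mac.update(len(value).to_bytes(4, "big") + value)
    return mac.hexdigest()


def server_accepts(key, serial, mail, code, scheme):
    """What a verifying server would decide for a received message."""
    if scheme == "serial-only":
        expected = auth_serial_only(key, serial)
    else:
        expected = auth_all_fields(key, serial, mail)
    return hmac.compare_digest(expected, code)


def demo():
    key = session_key(GETKEY_HEX)
    mail = {"date": "2018-02-01 00:11:22", "sender": "home@example.org",
            "sendername": "Loxone Miniserver", "receiver": "owner@example.org",
            "subject": "Status", "body": "Garage door closed"}  # constructed
    # Same authorization code, but receiver and body replaced in transit.
    tampered = dict(mail, receiver="other@example.net", body="changed")
    weak = auth_serial_only(key, SERIAL)
    strong = auth_all_fields(key, SERIAL, mail)
    return {
        "weak_original": server_accepts(key, SERIAL, mail, weak, "serial-only"),
        "weak_tampered": server_accepts(key, SERIAL, tampered, weak, "serial-only"),
        "strong_original": server_accepts(key, SERIAL, mail, strong, "all-fields"),
        "strong_tampered": server_accepts(key, SERIAL, tampered, strong, "all-fields"),
    }


if __name__ == "__main__":
    print(demo())
```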
This service allows sending notifications to typically mobile devices, like smartphones. The content is similar to mail, but more limited.
Apple requires all iOS software to use HTTPS for notifications, which means that this service is HTTPS based.
Sending a notification is done via an HTTPS POST to `https://push.loxonecloud.com:443/v1/push` with the notification being a JSON block in the body. This block contains a UUID, a timestamp, a title, a message, the name of the Miniserver, a list of UUIDs of devices to notify, a type, an optional sound (none, door bell, alarm, smoke alarm), a level (info, error, system error) and a UUID reference to the notification object in the Loxone configuration. It is also signed via HMAC-SHA1. The server will return a response with a valid status (true/false), an HTTP-like error code and a list of push_errors, e.g. if certain devices are no longer registered for push notifications.
To receive notifications you have to do an HTTPS POST to `https://push.loxonecloud.com:443/v1/register`, also with a JSON block.
Loxone also offers a subscription to a weather service. This service seems to be offered via Meteo Blue, but routed via a Loxone server, weather.loxone.com, which validates the subscription. When the weather service started some years ago, Loxone used Ubimet as the weather service. But this changed some time ago. Loxone does not disclose which service they use nowadays.
Several times a day the Miniserver sends the following request: http://weather.loxone.com:6066/forecast/?user=loxone_504F11223344&coord=13.8408,48.6051&asl=20&format=1
You notice a couple of parameters:
- `user=loxone_504F11223344` - this is the user account based on the serial number of the Miniserver
- `coord=13.8408,48.6051` - GPS location for the weather report (longitude,latitude). As entered in Loxone Config.
- `asl=200` - altitude over sea level in meter. Not sure why this is needed, because `coord` implies it. Can be entered as Elevation in Loxone Config. This parameter seems optional, but the Miniserver always provides it.
- `format=1` - the Weather server can return two different report formats: `format=0`, which is XML or `format=1`, which is a mixture between XML and CSV from Meteo Blue. The Miniserver understands both and detects the right format automatically.
I have not found out, when the XML/CSV format is requested, it seems that it can happen after a reboot. Typically the Miniserver seems to request XML. But as I said, the server could ignore the format and simply return whatever is more convenient.
If there is no paid subscription, the response will be this:
HTTP/1.1 200 OK
Date: Wed, 01 Feb 2018 01:02:34 GMT
Server: Apache/2.4.7 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 153
Content-Type: text/xml
<?xml version="1.0"?>
<ServiceExceptionReport><ServiceException>authentication exception: user is not active</ServiceException></ServiceExceptionReport>
Here is a shortened example for the XML/CSV format. I've only shown the first 2 and last 2 entries. Overall it is 181 entries large. As you can see it has a header, describing the individual columns in the CSV block below. It also has a `valid_until` entry, which contains the subscription expiry date. The Miniserver will start warning, once you hit that date. `Kollerschlag` is a bug, it seems to not know the city, so it falls back to `Kollerschlag`. Longitude and latitude are correct, as well as the elevation. Sunrise/Sunset are also provided, but the Miniserver does its own calculation locally.
The report has to be hourly and lasts about 7 days into the future. The Miniserver ignores a lot of the data, especially the cloud coverage at different altitudes does not seem to be used.
<mb_metadata>
id;name;longitude;latitude;height (m.asl.);country;timezone;utc-timedifference;sunrise;sunset;
local date;weekday;local time;temperature(C);feeledTemperature(C);windspeed(km/h);winddirection(degr);wind gust(km/h);low clouds(%);medium clouds(%);high clouds(%);precipitation(mm);probability of Precip(%);snowFraction;sea level pressure(hPa);relative humidity(%);CAPE;picto-code;radiation (W/m2);
</mb_metadata><valid_until>2018-04-25</valid_until>
<station>
;Kollerschlag;13.84°E;48.61°N ;200;;CEST;UTC+2.0;07:06;11:22;
01.02.2018;Mon;14; 3.3; 2.3; 12;280; 12; 10; 10; 0; 0.0; 0;0.0;1005; 50; 33;4; 200;
01.02.2018;Mon;15; 5.6; 1.7; 11;244; 12; 71; 6; 0; 0.0; 0;0.0;1005; 54; 78;5; 100;
…
10.02.2018;Tue;01; 2.0; -2.0; 30;170; 37; 20; 37; 10; 0.0; 19;0.0;1021; 70; 2;8; 200;
10.02.2018;Tue;02; 1.9; -1.5; 30;180; 40; 2; 55; 17; 0.0; 17;0.0;1023; 70; 20;5; 0;
</station>
Here is a shortened example for the XML format. I've only shown the first entry. Overall it is 181 entries large.
<?xml version="1.0"?>
<metdata_feature_collection p="m" valid_until="2018-04-25">
<metdata>
<timepoint>2018-02-01T12:00:00</timepoint>
<TT>3.3</TT>
<FF>2.6111111111111</FF>
<DD>111</DD>
<RR1H>0.0</RR1H>
<PP0>1005</PP0>
<RH>50</RH>
<HI>0.3</HI>
<RAD>200</RAD>
<WW>2</WW>
<FFX>3.8</FFX>
<LC>10</LC>
<MC>10</MC>
<HC>0</HC>
<RAD4C>1</RAD4C>
</metdata>
…
</metdata_feature_collection>
The keys for one `metdata` entry are as follows:
Key | Description |
---|---|
timepoint | Date/Time for this data point |
TT | Temperature in C |
TD | Dewpoint in C |
FF | Wind Speed in m/s |
DD | Wind Direction |
RR1H | Precipitation in mm |
PP0 | Pressure in hPa |
RH | Relative Humidity in % |
HI | Feel Temperature in C |
WW | Weathertype (picto-code) |
FFX | Gusts in m/s |
LC | Low Clouds in % |
MC | Medium Clouds in % |
HC | High Clouds in % |
RAD | Absolute Radiation (Solar Irradiation (0-20% (<60), 20-40% (<100), 40-100%)) |
RRAD | Relative Radiation |
RAD4C | Radiation (UV Index) |
The picto-codes for the weather icons seem to come from Meteoblue
Picto-Code | Description |
---|---|
1 | Clear, cloudless sky (Loxone: Wolkenlos) |
2 | Clear, few cirrus (Loxone: Wolkenlos) |
3 | Clear with cirrus (Loxone: Heiter) |
4 | Clear with few low clouds (Loxone: Heiter) |
5 | Clear with few low clouds and few cirrus (Loxone: Heiter) |
6 | Clear with few low clouds and cirrus (Loxone: Heiter) |
7 | Partly cloudy (Loxone: Heiter) |
8 | Partly cloudy and few cirrus (Loxone: Heiter) |
9 | Partly cloudy and cirrus (Loxone: Wolkig) |
10 | Mixed with some thunderstorm clouds possible (Loxone: Wolkig) |
11 | Mixed with few cirrus with some thunderstorm clouds possible (Loxone: Wolkig) |
12 | Mixed with cirrus and some thunderstorm clouds possible (Loxone: Wolkig) |
13 | Clear but hazy (Loxone: Wolkenlos) |
14 | Clear but hazy with few cirrus (Loxone: Heiter) |
15 | Clear but hazy with cirrus (Loxone: Heiter) |
16 | Fog/low stratus clouds (Loxone: Nebel) |
17 | Fog/low stratus clouds with few cirrus (Loxone: Nebel) |
18 | Fog/low stratus clouds with cirrus (Loxone: Nebel) |
19 | Mostly cloudy (Loxone: Stark bewölkt) |
20 | Mostly cloudy and few cirrus (Loxone: Stark bewölkt) |
21 | Mostly cloudy and cirrus (Loxone: Stark bewölkt) |
22 | Overcast (Loxone: Bedeckt) |
23 | Overcast with rain (Loxone: Regen) |
24 | Overcast with snow (Loxone: Schneefall) |
25 | Overcast with heavy rain (Loxone: Starker Regen) |
26 | Overcast with heavy snow (Loxone: Starker Schneefall) |
27 | Rain, thunderstorms likely (Loxone: Kräftiges Gewitter) |
28 | Light rain, thunderstorms likely (Loxone: Gewitter) |
29 | Storm with heavy snow (Loxone: Starker Schneeschauer) |
30 | Heavy rain, thunderstorms likely (Loxone: Kräftiges Gewitter) |
31 | Mixed with showers (Loxone: Leichter Regenschauer) |
32 | Mixed with snow showers (Loxone: Leichter Schneeschauer) |
33 | Overcast with light rain (Loxone: Leichter Regen) |
34 | Overcast with light snow (Loxone: Leichter Schneeschauer) |
35 | Overcast with mixture of snow and rain (Loxone: Schneeregen) |
Every time data is received, it is appended to `/data/weatheru.bin` on the webserver of the Miniserver (up to 200 entries). The data is in 108 byte chunks as follows:
- 4 Bytes unsigned integer: Loxone Timestamp
- 4 Bytes integer: WW (see `Key` above)
- 4 Bytes integer: DD (see `Key` above)
- 4 Bytes integer: RAD4C (see `Key` above)
- 4 Bytes integer: RH (see `Key` above)
- 8 Bytes double: TT (see `Key` above)
- 8 Bytes double: HI (see `Key` above)
- 8 Bytes double: TD (see `Key` above)
- 8 Bytes double: RR1H (see `Key` above)
- 8 Bytes double: FF (see `Key` above)
- 8 Bytes double: PP0 (see `Key` above)
- 4 Bytes integer: LC (see `Key` above)
- 4 Bytes integer: MC (see `Key` above)
- 4 Bytes integer: HC (see `Key` above)
- 4 Bytes integer: probability of Precipitation (see in the XML format above)
- 8 Bytes double: RAD (see `Key` above)
- 8 Bytes double: Snow Fraction (see in the XML format above)
- 8 Bytes double: CAPE (see in the XML format above)
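A reader for this file, written from the field list above. This is an added example, not code from Loxone or from the original page: little-endian byte order is an assumption (the 108-byte size only works out with a packed layout, which `<` also gives), the function names are hypothetical, the sample record is constructed from the XML entry shown earlier, and the timestamp is left as the raw integer because its epoch is not stated here.

```python
import math
import struct

# 5 x 4 bytes, 6 doubles, 4 x 4 bytes, 3 doubles = 108 bytes, no padding.
RECORD = struct.Struct("<I4i6d4i3d")
FIELDS = ("timestamp", "WW", "DD", "RAD4C", "RH",
          "TT", "HI", "TD", "RR1H", "FF", "PP0",
          "LC", "MC", "HC", "precip_probability",
          "RAD", "snow_fraction", "CAPE")
PERCENT = ("RH", "LC", "MC", "HC", "precip_probability")


def parse_weatheru(blob):
    """Split the file into records; return (records, stray trailing bytes)."""
    usable = len(blob) - len(blob) % RECORD.size
    records = [dict(zip(FIELDS, RECORD.unpack_from(blob, offset)))
               for offset in range(0, usable, RECORD.size)]
    return records, len(blob) - usable


def implausible(record):
    """Name the fields whose values cannot be right.

    A cheap way to notice a wrong byte-order assumption or a corrupted
    file before the values are used anywhere else.
    """
    bad = [f for f in PERCENT if not 0 <= record[f] <= 100]
    if not 0 <= record["DD"] <= 360:
        bad.append("DD")
    bad += [f for f, v in record.items()
            if isinstance(v, float) and not math.isfinite(v)]
    return bad


def sample_blob(byte_order="<"):
    """One constructed record; timestamp, TD, precipitation probability,
    snow fraction and CAPE are made up, the rest follows the XML entry."""
    values = (318211200, 2, 111, 1, 50,
              3.3, 0.3, -1.0, 0.0, 2.6111111111111, 1005.0,
              10, 10, 0, 0,
              200.0, 0.0, 33.0)
    return struct.pack(byte_order + "I4i6d4i3d", *values)


if __name__ == "__main__":
    records, stray = parse_weatheru(sample_blob() * 2 + b"\x00" * 5)
    for rec in records:
        print(rec["timestamp"], rec["TT"], rec["RH"], implausible(rec))
    print("stray bytes:", stray)
```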
The Cloud Service Caller is an automated phone callback service from Loxone. It can be configured in Loxone Config. Whenever it is triggered, the Miniserver sends the following request:
You can see the following parameters in the request:
- `extip` = `http://dns.loxonecloud.com/504F11223344/dev/sps/io/caller/11223344-5566-7788-99aabbccddeeff00` - `11223344-5566-7788-99aabbccddeeff00` is the object ID for the Caller Service in the Loxone Config file.
- `loxid` = `504F11223344` - serial number of the Miniserver, the Miniserver needs to have a paid subscription of the Cloud Service Caller.
- `tel` = `004912345678` - phone number, which needs to be called
- `text` = `Schalter%20aus` - the text which will be said to you via text-to-speech

This request triggers an HTTP reply, whose content can be ignored.
HTTP/1.1 200 OK\r\n
Date: Mon, 20 Feb 2019 00:11:22 GMT\r\n
Server: Apache/2.4.7 (Ubuntu)\r\n
X-Powered-By: PHP/5.5.9-1ubuntu4.14\r\n
Vary: Accept-Encoding\r\n
Transfer-Encoding: chunked\r\n
Content-Type: text/html\r\n
\n\r\n
4a\r\n == Length of following line without the \r\n suffix
2018-02-20 01:11:22:11.22.33.44:-----------------------------------<br>\n\r\n
3b\r\n
2018-02-20 01:11:22:11.22.33.44:TEXT2SPEECH START...<br>\n\r\n
46\r\n
2018-02-20 01:11:22:11.22.33.44:MINISERVER 504F11223344 ACTIVE.<br>\n\r\n
3d\r\n
2018-02-20 01:11:22:11.22.33.44:CALL TO 4912345678.<br>\n\r\n
Within a few seconds you will get a phone call with the announcement. You can then enter a code, which will be forwarded to your Miniserver (assuming the dynamic DNS is working). It does so by using the `extip` URL and appending the code, like so for the code `1`: http://dns.loxonecloud.com/504F11223344/dev/sps/io/caller/11223344-5566-7788-99aabbccddeeff00/1
The Miniserver will reply accordingly, if the change was accepted:
GET /dev/sps/io/caller/11223344-5566-7788-99aabbccddeeff00/1 HTTP/1.1\r\n
Host: 11.22.33.44\r\n
Accept: */*\r\n
\r\n
HTTP/1.1 200 OK\r\n
Access-Control-Allow-Origin: \r\n
Access-Control-Allow-Credentials: true\r\n
Content-Type: text/xml\r\n
Content-Length: 131\r\n
Keep-Alive: timeout=10, max=1000\r\n
Connection: Keep-Alive\r\n
\r\n
<?xml version="1.0" encoding="utf-8"?>
<LL control="dev/sps/io/11223344-5566-7788-99aabbccddeeff11/pulse" value="1" Code="200"/>\r\n
As you can see, the whole communication is not encrypted. Attacks are possible, but limited:
- you need to know the Miniserver serial number, which has to have a paid subscription
- the request to trigger a callback has to come from the IP address of the Miniserver
As you can see: this would be easily possible for anybody within your home network. From this network you can fake callbacks with no problem. This could be especially tricky if the callback allows security relevant things, like unlocking doors.
Could somebody from the outside hack this? Potentially, but only in a small window:
- you need to catch the Caller request
- within 2 minutes, you can trigger the callback URL, even with different parameters
Is this all a big risk? Probably not, but Loxone could have done better – even without SSL.
Used if checking for "Automatic Updates" is enabled in Loxone Config. update.loxone.com is a server to serve all updates for the Loxone products. It also hosts the XML file, which is requested by the Miniserver and all other Loxone apps. An update for the Miniserver is installed via an update of the Loxone Config application. The Miniserver will then update all extensions and devices to the latest version automatically.
http://update.loxone.com/updatecheck.xml?serial=504F11223344&version=10020326&reason=App
You can see the following parameters in the request, they are all just for logging purposes.
- `serial=504F11223344` - serial number of the Miniserver
- `version=10020326` - current firmware version of the Miniserver
- `reason=App` - why the update was requested (`0` = the Miniserver, `App` = a Loxone app requests it)

The reply is a rather large XML file, which starting with Version 10 includes public key certificates and signatures used to validate the software update by the Miniserver. Previous versions just used a checksum. I've replaced the certificate and the signatures with `<CERTIFICATE>` and `<SIGNATURE>` to keep the document brief. As you can see, there are 3 types of updates:
- Release
- Beta
- Test
Loxone seems to use this to allow public beta tests of their software. Updates are also included for all related products, like the "Loxone Smart Home" app for various platforms and TimeZone updates.
<Miniserversoftware Version="10" certificate="<CERTIFICATE>">
<Test Version="10.03.05.04" Path="http://updatefiles.loxone.com/LoxConfig/LoxoneConfigSetup_10030504.zip" signature="<SIGNATURE>"/>
<Beta Version="10.03.05.04" Path="http://updatefiles.loxone.com/LoxConfig/LoxoneConfigSetup_10030504.zip" signature="<SIGNATURE>"/>
<Release Version="10.02.03.26" Path="http://updatefiles.loxone.com/LoxConfig/LoxoneConfigSetup_10020326.zip" signature="<SIGNATURE>"/>
<update Name="WebInterface" type="webif">
<Test Version="20190503" Path="http://updatefiles.loxone.com/WebInterface/10320190503_commonv2.zip" Filesize="5873496" crc32="4577c078" signature="<SIGNATURE>"/>
<Beta Version="20190503" Path="http://updatefiles.loxone.com/WebInterface/10320190503_commonv2.zip" Filesize="5873496" crc32="4577c078" signature="<SIGNATURE>"/>
<Release Version="20190402" Path="http://updatefiles.loxone.com/WebInterface/102520190402_commonv2.zip" Filesize="5844622" crc32="73310bf5" signature="<SIGNATURE>"/>
</update>
<update Name="WebInterfaceAGZ" type="webifAGZ">
<Test Version="20190503" Path="http://updatefiles.loxone.com/WebInterfaceAGZ/10320190503_commonv2.agz" Filesize="6008320" crc32="7bbc65ef" signature="<SIGNATURE>"/>
<Beta Version="20190503" Path="http://updatefiles.loxone.com/WebInterfaceAGZ/10320190503_commonv2.agz" Filesize="6008320" crc32="7bbc65ef" signature="<SIGNATURE>"/>
<Release Version="20190402" Path="http://updatefiles.loxone.com/WebInterfaceAGZ/102520190402_commonv2.agz" Filesize="5978624" crc32="899ff065" signature="<SIGNATURE>"/>
</update>
<update Name="Loxone Smart Home for Mac" type="Mac OS X">
<Test Version="10.3.0 (2019.05.03)" Path="http://updatefiles.loxone.com/macOS/10320190503.dmg" Filesize="14059397" crc32="eb045428" signature="<SIGNATURE>"/>
<Beta Version="10.3.0 (2019.05.03)" Path="http://updatefiles.loxone.com/macOS/10320190503.dmg" Filesize="14059397" crc32="eb045428" signature="<SIGNATURE>"/>
<Release Version="10.2.5 (2019.04.02)" Path="http://updatefiles.loxone.com/macOS/102520190402.dmg" Filesize="14059397" crc32="eb045428" signature="<SIGNATURE>"/>
</update>
<update Name="Loxone Smart Home for Linux x64" type="linux-x64">
<Test Version="10.3.0 (2019.05.03)" Path="http://updatefiles.loxone.com/linux/10320190503-amd64.deb" Filesize="43394142" crc32="df0a2559" signature="<SIGNATURE>"/>
<Beta Version="10.3.0 (2019.05.03)" Path="http://updatefiles.loxone.com/linux/10320190503-amd64.deb" Filesize="43394142" crc32="df0a2559" signature="<SIGNATURE>"/>
<Release Version="10.2.5 (2019.04.02)" Path="http://updatefiles.loxone.com/linux/102520190402-amd64.deb" Filesize="43394142" crc32="df0a2559" signature="<SIGNATURE>"/>
</update>
<update Name="Loxone Smart Home for Linux x86" type="linux-x86">
<Test Version="10.3.0 (2019.05.03)" Path="http://updatefiles.loxone.com/linux/10320190503-i386.deb" Filesize="44373068" crc32="8aabec55" signature="<SIGNATURE>"/>
<Beta Version="10.3.0 (2019.05.03)" Path="http://updatefiles.loxone.com/linux/10320190503-i386.deb" Filesize="44373068" crc32="8aabec55" signature="<SIGNATURE>"/>
<Release Version="10.2.5 (2019.04.02)" Path="http://updatefiles.loxone.com/linux/102520190402-i386.deb" Filesize="44373068" crc32="8aabec55" signature="<SIGNATURE>"/>
</update>
<update Name="Loxone Smart Home for Linux armv7l" type="linux-armv7l">
<Test Version="10.3.0 (2019.05.03)" Path="http://updatefiles.loxone.com/linux/10320190503-armv7l.deb" Filesize="39867056" crc32="19dc7942" signature="<SIGNATURE>"/>
<Beta Version="10.3.0 (2019.05.03)" Path="http://updatefiles.loxone.com/linux/10320190503-armv7l.deb" Filesize="39867056" crc32="19dc7942" signature="<SIGNATURE>"/>
<Release Version="10.2.5 (2019.04.02)" Path="http://updatefiles.loxone.com/linux/102520190402-armv7l.deb" Filesize="39867056" crc32="19dc7942" signature="<SIGNATURE>"/>
</update>
<update Name="Loxone Smart Home for Linux arm64" type="linux-arm64">
<Test Version="10.3.0 (2019.05.03)" Path="http://updatefiles.loxone.com/linux/10320190503-arm64.deb" Filesize="38808166" crc32="04756263" signature="<SIGNATURE>"/>
<Beta Version="10.3.0 (2019.05.03)" Path="http://updatefiles.loxone.com/linux/10320190503-arm64.deb" Filesize="38808166" crc32="04756263" signature="<SIGNATURE>"/>
<Release Version="10.2.5 (2019.04.02)" Path="http://updatefiles.loxone.com/linux/102520190402-arm64.deb" Filesize="38808166" crc32="04756263" signature="<SIGNATURE>"/>
</update>
<update Name="Loxone Smart Home for Windows" type="windows">
<Test Version="10.3.0 (2019.05.03)" Path="http://updatefiles.loxone.com/windows/10320190503.exe" Filesize="13155791" crc32="44926439"/>
<Beta Version="10.3.0 (2019.05.03)" Path="http://updatefiles.loxone.com/windows/10320190503.exe" Filesize="13155791" crc32="44926439"/>
<Release Version="10.2.5 (2019.04.02)" Path="http://updatefiles.loxone.com/windows/102520190402.exe" Filesize="13155791" crc32="44926439"/>
</update>
<update Name="Loxone Smart Home for iOS" type="ios">
<Test Version="10.3.0 (2019.05.03)"/>
<Beta Version="10.3.0 (2019.05.03)"/>
<Release Version="10.2.4 (2019.03.29)"/>
</update>
<update Name="Loxone Smart Home for Android" type="android">
<Test Version="10.3.0 (2019.05.03)"/>
<Beta Version="10.3.0 (2019.05.03)"/>
<Release Version="10.2.5 (2019.04.02)"/>
</update>
<update Name="Loxone Music Server" type="LoxoneMusicServer">
<Intern Version="1.3.03.13"/>
<Beta Version="1.3.03.13"/>
<Release Version="1.3.03.13"/>
</update>
<update Name="LoxLIVE" type="ms">
<Test Version="10030504" Path="http://updatefiles.loxone.com/bin/10030504_Miniserver.upd" Filesize="11118692" crc32="d76298bf" signature="<SIGNATURE>"/>
<Beta Version="10020314" Path="http://updatefiles.loxone.com/bin/10020314_Miniserver.upd" Filesize="10990384" crc32="5dd441a" signature="<SIGNATURE>"/>
</update>
<update Name="TimeData" type="TimeData">
<Test Version="20180905" Path="http://updatefiles.loxone.com/Miniserver/20180905_timeData.zip" Filesize="369881" crc32="f592dde6" signature="<SIGNATURE>"/>
<Beta Version="20180905" Path="http://updatefiles.loxone.com/Miniserver/20180905_timeData.zip" Filesize="369881" crc32="f592dde6" signature="<SIGNATURE>"/>
<Release Version="20180905" Path="http://updatefiles.loxone.com/Miniserver/20180905_timeData.zip" Filesize="369881" crc32="f592dde6" signature="<SIGNATURE>"/>
</update>
<update Name="VenBlindmotorAir" type="air">
<Test Version="10001009" MsMinVersion="10000924" Path="http://updatefiles.loxone.com/bin/10011009_VenBlindmotorAir.upd" crc32="f8fa38b4" Year="2018" signature="<SIGNATURE>"/>
<Beta Version="10001009" MsMinVersion="10000924" Path="http://updatefiles.loxone.com/bin/10011009_VenBlindmotorAir.upd" crc32="f8fa38b4" Year="2018" signature="<SIGNATURE>"/>
<Release Version="10001009" MsMinVersion="10000924" Path="http://updatefiles.loxone.com/bin/10011009_VenBlindmotorAir.upd" crc32="f8fa38b4" Year="2018" signature="<SIGNATURE>"/>
</update>
<changelogs>
<changelog lang="DEU" url="http://www.loxone.com/dede/produkte/software/loxone-config.html"/>
<changelog lang="ENU" url="http://www.loxone.com/enen/products/software/loxone-config.html"/>
<changelog lang="CSY" url="http://www.loxone.com/cscz/produkty/software/loxone-config.html"/>
<changelog lang="ESN" url="http://www.loxone.com/eses/productos/software/loxone-config.html"/>
<changelog lang="NLD" url="http://www.loxone.com/nlnl/producten/software/loxone-config.html"/>
<changelog lang="SKY" url="http://www.loxone.com/cscz/produkty/software/loxone-config.html"/>
<changelogx lang="ENG" url="http://www.loxone.com/enen/products/software/loxone-config.html"/>
<changelogx lang="FR" url="http://www.loxone.com/frfr/produits/logiciels/loxone-config.html"/>
</changelogs>
</Miniserversoftware>
The Monitor Server can be enabled in Loxone Config via the "Monitor Server" option. Its purpose is to forward the log output, which can be viewed in the Loxone Monitor application, remotely to help diagnose issues. The Monitor Server can decide which events are shown, and at what level of detail, via its response to the first request from the Miniserver:
http://monitorserver.loxone.com:80/?504F11223344
Typically the response looks like this (logging disabled):
HTTP/1.1 200 OK
Date: Wed, 01 May 2018 01:23:45 GMT
Server: Apache/2.2.22 (Debian)
X-Powered-By: PHP/5.4.45-0+deb7u2
Cache-Control: no-cache, must-revalidate
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-Length: 107
Content-Type: application/xml
X-Pad: avoid browser bug
<?xml version="1.0"?>
<Log Version="10" LogKeep="true" NoIPchange="false">
<LogMode>Off</LogMode>
</Log>
But the server could return something like this:
HTTP/1.1 200 OK
Date: Wed, 01 May 2018 01:23:45 GMT
Server: Apache/2.2.22 (Debian)
X-Powered-By: PHP/5.4.45-0+deb7u2
Cache-Control: no-cache, must-revalidate
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-Length: 107
Content-Type: application/xml
X-Pad: avoid browser bug
<Log Version="10" LogKeep="true" NoIPchange="false">
<LogMode>on</LogMode>
<LogDest>/dev/udp/192.168.178.200/7777</LogDest>
<LogLevelCommon>moreinfo</LogLevelCommon>
<LogLevelSPS>moreinfo</LogLevelSPS>
<LogLevelProtocol>off</LogLevelProtocol>
<LogLevelBus>off</LogLevelBus>
<LogLevelFilesystem>off</LogLevelFilesystem>
<LogLevelNet>off</LogLevelNet>
</Log>
This will forward all output to UDP port 7777 at the local IP address 192.168.178.200. It will send all possible common and SPS output, but none for Loxone Link (Bus), the filesystem or network access. These are the possible types of data that can be monitored:
Type | Description |
---|---|
Common | Displays general information about the Miniserver |
SPS | Information about the PLC |
Protocol | Information on specific protocols such as NTP (time) or UDP |
Bus | Information about the CAN bus link |
File | Information about the SD card and memory system |
Network | Network information for troubleshooting network |
Here are the possible keys:
- Version = major version of the Miniserver
- LogKeep = boolean, unknown function.
- NoIPchange = boolean, if true, the output is sent to /dev/udp/IPADDRESS/PORT with IPADDRESS being the address of monitorserver.loxone.com and the default port being 7777.
- LogDest = path for the log file, default is /dev/null (logging off)
- LogMode = on or off
- LogLevelCommon = off, severe, serious, warning, info, moreinfo
- LogLevelSPS = off, severe, serious, warning, info, moreinfo
- LogLevelProtocol = off, severe, serious, warning, info, moreinfo
- LogLevelBus = off, severe, serious, warning, info, moreinfo
- LogLevelFilesystem = off, severe, serious, warning, info, moreinfo
- LogLevelNet = off, severe, serious, warning, info, moreinfo
- LogStart = Loxone timestamp as an integer
- LogDay = integer, number of days logging should be active. Up to 7 days is possible.
- LogUntil = UTC date/time string, can be used as an alternative to LogDay and supports a longer duration.
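The reply is fetched over plain HTTP and decides where the Miniserver sends its log output, so it is worth auditing in captured traffic. The following is an added example, not code from the original page or from Loxone: it parses a reply body and reports the destination and the active log levels. The function name, the `allowed_hosts` parameter and the handling of NoIPchange (destination monitorserver.loxone.com, port 7777) are assumptions based on the key list above.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the "logging enabled" reply body shown on this page.
SAMPLE_BODY = """<Log Version="10" LogKeep="true" NoIPchange="false">
<LogMode>on</LogMode>
<LogDest>/dev/udp/192.168.178.200/7777</LogDest>
<LogLevelCommon>moreinfo</LogLevelCommon>
<LogLevelSPS>moreinfo</LogLevelSPS>
<LogLevelProtocol>off</LogLevelProtocol>
<LogLevelBus>off</LogLevelBus>
<LogLevelFilesystem>off</LogLevelFilesystem>
<LogLevelNet>off</LogLevelNet>
</Log>"""

LEVELS = ("off", "severe", "serious", "warning", "info", "moreinfo")
CATEGORIES = ("Common", "SPS", "Protocol", "Bus", "Filesystem", "Net")

def audit_monitor_response(body, allowed_hosts=()):
    """Hypothetical helper: where does this reply send logs, and is that approved?"""
    if "<!DOCTYPE" in body:
        raise ValueError("DTD not expected in a Monitor Server reply")
    root = ET.fromstring(body)
    if root.tag != "Log":
        raise ValueError("not a <Log> document")
    def text(tag, default):
        return (root.findtext(tag) or default).strip()
    enabled = text("LogMode", "off").lower() == "on"
    dest = text("LogDest", "/dev/null")    # documented default: logging off
    host = port = None
    if root.get("NoIPchange", "false").lower() == "true":
        # Assumption from the key list: logs go to the Monitor Server, port 7777.
        host, port = "monitorserver.loxone.com", 7777
    elif dest.startswith("/dev/udp/"):
        parts = dest.split("/")            # ['', 'dev', 'udp', HOST, PORT]
        if len(parts) != 5 or not parts[4].isdigit():
            raise ValueError("malformed LogDest: %r" % dest)
        host, port = parts[3], int(parts[4])
    active = {}
    for cat in CATEGORIES:
        level = text("LogLevel" + cat, "off").lower()
        if level not in LEVELS:
            raise ValueError("unknown level for %s: %r" % (cat, level))
        if level != "off":
            active[cat] = level
    forwarding = enabled and host is not None and bool(active)
    return {"enabled": enabled, "host": host, "port": port, "active": active,
            "unapproved": forwarding and host not in allowed_hosts}
```

Calling `audit_monitor_response(SAMPLE_BODY, allowed_hosts={"192.168.178.200"})` treats the local collector as approved; any other destination in a later reply sets `unapproved` to `True`.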
Loxone allows sending crash logs to them automatically via the "Loxone Log" setting in Loxone Config. If enabled, the Miniserver will send a binary block of Loxone Support Crashlog when necessary.
The data is 982 bytes long and is sent to log.loxone.com:7707 via UDP.
Now the question: what data is in it? Typical crashlog related data:
- timestamp
- serial number of the Miniserver
- version of the Miniserver
- which hardware the Miniserver is running on
- local IP address
- used/maximum memory
- Latitude/Longitude of the Miniserver from the config file.
- name of the owner of the Miniserver from the config file.
- error statistics
- function callstack on a crash
As you can see, with the exception of the owner and the latitude/longitude of the Miniserver, there is not really any personal data in this block. And the coordinates are sent to Loxone via the Weather report anyway.
The Miniserver offers an HTTP interface at the HTTP port 80 (this port can be changed in Loxone Config). You can use a web browser to use the "Loxone Smart Home" directly on the server.
The Miniserver offers an FTP interface at the FTP port 21 (this port can be changed in Loxone Config). This is used to upload a configuration or download backups.
The FTP server supports these commands:
FTP command | Description |
---|---|
QUIT | Logout |
USER | User Name |
PASS | Password |
NOOP | No-Op |
PASV | Passive Mode |
PORT | Data Port |
PWD, XPWD | Print Directory |
SYST | System |
TYPE | Representation Type |
OPTS | Options |
SITE | Site Parameters |
CWD | Change Working Directory |
CDUP | Change to Parent Directory |
REIN | Reinitialize |
FEAT | Feature Negotiation |
SIZE | File Size |
MDTM | File Modification Time |
DELE | Delete File |
LIST, NLST | List, Name List |
MKD, XMKD | Make Directory |
RETR | Retrieve |
RNFR | Rename From |
RNTO | Rename To |
RMD, XRMD | Remove Directory |
STOR | Store |