A couple of weekends ago, Cat and I had a Bluetti home battery installed. Bluetti seems to be taking the open source community fairly seriously, and there was already a Home Assistant integration available on github, which is impressive. Before installation it was hard to tell if my EP760 inverter with “PBOX” IoT dongly thing was well supported or not, so we just kind of YOLO’ed it. Sadly, the existing open source Bluetti projects I looked at had pretty poor support for this model.
However, I’ve spent a fair bit of time in the last year reading and watching tutorials on YouTube about Android reverse engineering, so I knew at least that JADX existed and how to run it to decompile an APK back into readable source. I’ve also been playing around a lot with Claude Code, and it had done a fairly good job at analyzing the malicious APKs from the courses I’d done, so I thought perhaps I could do something interesting here. It’s super common for APKs to be obfuscated with commercial tools, but notably Claude is also pretty good at unwinding that obfuscation, to the point that it’s probably no longer a particularly effective technique for stopping analysis of otherwise unprotected code.
I asked Claude to download the Bluetti app from the Google Play Store — it couldn’t do that directly, but it could download the APK from one of the various Play Store mirroring services out there. I decompiled the APK with JADX, although I am sure Claude could have done this bit itself. After a quick analysis session by Claude I was confident that I could implement the Bluetti cloud APIs, but also that for some functionality I wanted, such as initiating a battery maintenance cycle, I would need to implement the BLE protocol as well. I didn’t have the hardware for the BLE project at the time, so our initial focus was on the cloud APIs.
Literally one evening later Claude had implemented those and I had a working Bluetti cloud API to MQTT gateway. The biggest stall was that Claude had some difficulty working out the cryptography for the cloud service’s authentication APIs, but that was simply a case of encouraging it to read the decompiled Java just a little bit harder and we were unblocked. I’ve now been running that for a couple of weeks and it just works. I went ahead and ordered a slightly fancy ESP32 board which supports PoE and BLE and waited patiently for it to arrive. The PoE bit was because I believed that the device would need to be close to the inverter to work, but in hindsight that’s probably not true given my home office seems to be within comfortable range of the inverter.
Claude and I had a discussion about whether we should extend an existing project or not, but honestly in a world in which I can trade off supply chain pain against just generating a thing from scratch I was more inclined to go the bare-metal std Rust pathway, which wasn’t represented in any of the options we considered, so that’s what we did. We rapidly had the board booting and achieving a DHCP’ed ethernet connection over the wired network as well as sending heartbeats to my home MQTT server. Similarly to our cryptography problems with the cloud API, there was some confusion from Claude as to whether the PBOX was talking Modbus or a proprietary protocol — largely because both exist in the APK and Claude was confused about which pathway was used for the rack mount home batteries as opposed to the smaller portable batteries. Again, we got there in the end though.
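One cheap way to settle the “is this Modbus or something proprietary?” question when you have frames in hand is to check whether the trailing two bytes are a CRC-16/MODBUS over the rest of the frame: a proprietary framing will fail that check on essentially every frame, while real Modbus RTU passes on all of them. The following is an added example in plain dependency-free Rust, not the author’s firmware and not anything from the Bluetti app; it does not claim the PBOX speaks Modbus. The sample frames are constructed textbook Modbus RTU frames (a “read 10 holding registers” request and a hand-built response), not captured Bluetti traffic.

```rust
// Added example: validate and decode Modbus RTU frames without any crates.
// Sample frames below are constructed textbook Modbus frames, not device captures.

/// CRC-16/MODBUS: init 0xFFFF, reflected polynomial 0xA001, no final XOR.
/// On the wire the CRC is appended low byte first.
pub fn modbus_crc16(data: &[u8]) -> u16 {
    let mut crc: u16 = 0xFFFF;
    for &byte in data {
        crc ^= byte as u16;
        for _ in 0..8 {
            if crc & 1 != 0 {
                crc = (crc >> 1) ^ 0xA001;
            } else {
                crc >>= 1;
            }
        }
    }
    crc
}

/// A well-formed RTU frame is unit address + PDU + CRC (lo, hi): at least 4 bytes.
pub fn is_valid_rtu_frame(frame: &[u8]) -> bool {
    if frame.len() < 4 {
        return false;
    }
    let (body, crc_bytes) = frame.split_at(frame.len() - 2);
    let expected = modbus_crc16(body);
    crc_bytes[0] == (expected & 0xFF) as u8 && crc_bytes[1] == (expected >> 8) as u8
}

/// Append the CRC to a body; handy for building test vectors.
pub fn build_rtu_frame(body: &[u8]) -> Vec<u8> {
    let crc = modbus_crc16(body);
    let mut frame = body.to_vec();
    frame.push((crc & 0xFF) as u8);
    frame.push((crc >> 8) as u8);
    frame
}

#[derive(Debug, PartialEq)]
pub enum Decoded {
    /// Function 0x03 response: unit id and the big-endian 16-bit register values.
    HoldingRegisters { unit: u8, registers: Vec<u16> },
    /// Exception response (function code with the high bit set) and its exception code.
    Exception { unit: u8, function: u8, code: u8 },
    /// CRC failed or the byte count does not line up: not a complete Modbus RTU frame.
    NotModbus,
    /// CRC ok but a function this example does not decode.
    Unhandled { unit: u8, function: u8 },
}

/// Decode a Modbus RTU response, refusing anything whose CRC or length is inconsistent.
pub fn decode_response(frame: &[u8]) -> Decoded {
    if !is_valid_rtu_frame(frame) {
        return Decoded::NotModbus;
    }
    let unit = frame[0];
    let function = frame[1];
    let pdu = &frame[2..frame.len() - 2];
    match function {
        0x03 => {
            // pdu = byte_count, then byte_count bytes of big-endian registers (even count)
            if pdu.is_empty() || pdu[0] as usize != pdu.len() - 1 || pdu[0] % 2 != 0 {
                return Decoded::NotModbus;
            }
            let registers = pdu[1..]
                .chunks_exact(2)
                .map(|c| u16::from_be_bytes([c[0], c[1]]))
                .collect();
            Decoded::HoldingRegisters { unit, registers }
        }
        f if (f & 0x80) != 0 && pdu.len() == 1 => Decoded::Exception {
            unit,
            function: f & 0x7F,
            code: pdu[0],
        },
        f => Decoded::Unhandled { unit, function: f },
    }
}

fn main() {
    // Constructed textbook request: unit 1, read 10 holding registers from address 0.
    let request = [0x01, 0x03, 0x00, 0x00, 0x00, 0x0A, 0xC5, 0xCD];
    println!("request CRC ok: {}", is_valid_rtu_frame(&request));
    // Constructed response carrying two registers, 0x1388 (5000) and 0x002A (42).
    let response = build_rtu_frame(&[0x01, 0x03, 0x04, 0x13, 0x88, 0x00, 0x2A]);
    println!("{:?}", decode_response(&response));
}
```

Run it over a handful of frames pulled from a BLE notification log: a stream that never passes `is_valid_rtu_frame` is not Modbus RTU, no matter how Modbus-like the first couple of bytes look, and a stream that passes can be fed straight into `decode_response` rather than a hand-rolled parser.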
The development process was definitely iterative and I’ve developed some pretty strong opinions about what good prompting and planning looks like for these LLM-assisted code generation tools. That said, the ability to go from nothing to a reverse engineered BLE protocol that ties into Home Assistant via MQTT in less than a day is amazing to me. Honestly I think this is a very exciting time to be a software engineer. I spent the last weekend walking Claude through the functionality I wanted, and by the end of the weekend I had both a “full” implementation of the BLE control protocol and a custom 3D printed case.
But why am I writing this post? Well, first off because it’s just so amazing to me that a non-trivial project like this is now a weekend’s work instead of six months of effort, but also because I think this APK reverse engineering technique is quite interesting and probably worth further examination, although perhaps this is all old news to active practitioners in the field. My intention is to have a go at reverse engineering the “LG Thinq” app for my fridge, washing machine, and dryer next to see how repeatable my experience is. I do wonder where the line is — in terms of cost, right now very large apps that are heavily obfuscated are probably beyond what I am willing to personally fund, but I suspect for a sufficiently motivated actor that wouldn’t be a big barrier.