mac-577if-e
MAC-577IF2-E Analysis Tools - A collection of tools for analyzing and extracting firmware from Mitsubishi MAC-577IF2-E WiFi adapters
Science Score: 44.0%
This score indicates how likely this project is to be science-related based on various indicators:
-
✓CITATION.cff file
Found CITATION.cff file -
✓codemeta.json file
Found codemeta.json file -
✓.zenodo.json file
Found .zenodo.json file -
○DOI references
-
○Academic publication links
-
○Academic email domains
-
○Institutional organization owner
-
○JOSS paper metadata
-
○Scientific vocabulary similarity
Low similarity (9.5%) to scientific vocabulary
Repository
MAC-577IF2-E Analysis Tools - A collection of tools for analyzing and extracting firmware from Mitsubishi MAC-577IF2-E WiFi adapters
Basic Info
- Host: GitHub
- Owner: pymitsubishi
- License: mit
- Language: Python
- Default Branch: main
- Size: 198 KB
Statistics
- Stars: 1
- Watchers: 1
- Forks: 1
- Open Issues: 1
- Releases: 0
Metadata Files
README.md
MAC-577IF-2E Analysis & Control Tools
A comprehensive toolkit for analyzing and controlling Mitsubishi MAC-577IF-2E WiFi air conditioner adapters.
🎉 Project Success
This project has achieved two major breakthroughs:
✅ 1. Firmware Extraction
- Complete firmware dumping via telnet exploitation
- Robust extraction with crash recovery and resume capability
- Flash memory analysis with automatic gap filling
✅ 2. Air Conditioner Control
- Full programmatic control of Mitsubishi air conditioners
- Working Python implementation using the
/smartendpoint - AES encryption reverse-engineered with static key
"unregistered" - HTTP-based communication (no ECHONET UDP needed)
Based on research from: https://github.com/ncaunt/meldec/issues/2
Overview
These tools leverage discovered vulnerabilities to:
- Access admin HTTP endpoints using known credentials (admin:me1debug@0567)
- Enable telnet access via the /analyze endpoint
- Execute diagnostic commands via telnet
- Extract firmware from flash memory with automatic recovery
- Control air conditioner functions via encrypted HTTP requests
Tools
1. ac_control.py - Air Conditioner Controller ⭐
Complete air conditioner control via HTTP /smart endpoint with AES encryption.
Core Features: - ✅ Device status monitoring (MAC, serial, connection status, temperatures, etc.) - ✅ Power control (on/off) - ✅ Temperature control (16-32°C) - ✅ Mode control (AUTO, COOL, HEAT, DRY, FAN) - ✅ Fan speed control (0=auto, 1-4=levels) - ✅ ECHONET protocol activation - ✅ Multiple output formats (table, JSON, CSV, XML) - ✅ Debug mode with raw request/response logging
Extended Features: - ✅ Vertical vane control (independent left/right sides: auto, v1-v5, swing) - ✅ Horizontal vane control (left, center, right, combinations, swing) - ✅ Dehumidifier control (adjustable level 0-100%) - ✅ Power saving mode (enable/disable energy saving) - ✅ Buzzer control (audio feedback control) - ✅ Environmental monitoring (room & outside temperature sensors) - ✅ Error detection (abnormal states and error codes) - ✅ State backup and restore (save/restore complete AC configurations)
Basic Usage: ```bash
Check device status
python3 accontrol.py --ip <DEVICEIP> --status
Enable ECHONET protocol
python3 accontrol.py --ip <DEVICEIP> --enable-echonet
Basic control
python3 accontrol.py --ip <DEVICEIP> --power on --temp 24 --mode cool --fan-speed 2
Get status in JSON format with debug info
python3 accontrol.py --ip <DEVICEIP> --status --format json --debug ```
Extended Control Examples: ```bash
Control vanes
python3 accontrol.py --ip <DEVICEIP> --vertical-vane v2 --vane-side right python3 accontrol.py --ip <DEVICEIP> --horizontal-vane c
Adjust dehumidifier and power saving
python3 accontrol.py --ip <DEVICEIP> --dehumidifier 75 --power-saving on
Send buzzer command
python3 accontrol.py --ip <DEVICEIP> --buzzer
Combined settings
python3 accontrol.py --ip <DEVICEIP> --power on --temp 23 --mode auto --fan-speed 1 --vertical-vane swing --horizontal-vane lr ```
Backup and Restore: ```bash
Backup current AC state to default file (ac_backup.json)
python3 accontrol.py --ip <DEVICEIP> --backup
Backup to custom file
python3 accontrol.py --ip <DEVICEIP> --backup myacsettings.json
Restore from default backup file
python3 accontrol.py --ip <DEVICEIP> --restore
Restore from custom file
python3 accontrol.py --ip <DEVICEIP> --restore myacsettings.json ```
2. mac577if2e_dumper.py - Firmware Extraction Tool
Robust firmware extraction with automatic crash recovery and resume capability.
Features: - ✅ Complete firmware dumping via telnet commands - ✅ Automatic device crash detection and recovery - ✅ Resume interrupted dumps from partial files - ✅ Progress reporting during long extractions - ✅ Multiple dump strategies (sector-based, overflow method) - ✅ Missing data collection and gap filling - ✅ Single command execution for device exploration
Usage: ```bash
Execute a single telnet command
python3 mac577if2edumper.py <DEVICEIP> --command "p"
Dump specific memory region (32 sectors from offset 0)
python3 mac577if2edumper.py <DEVICEIP> --dump --offset 0 --count 32 --output firmware.bin
Dump entire flash memory (very slow, but comprehensive)
python3 mac577if2edumper.py <DEVICEIP> --dump --offset 0 --count 0 --output full_firmware.bin
Resume interrupted dump
python3 mac577if2edumper.py <DEVICEIP> --dump --offset 0 --count 0 --output full_firmware.bin --resume
Dump AES key storage area
python3 mac577if2edumper.py <DEVICEIP> --dump --offset e7 --count 32 --output aes_keys.bin
Collect missing memory rows (to fill gaps in main dump)
python3 mac577if2edumper.py <DEVICEIP> --dump --offset 0 --count 0 --output firmware.bin --collect-missing ```
Quick Start
Install dependencies:
bash pip install -r requirements.txtOr use the setup script:bash ./setup.shFind your device IP address:
- Check your router's admin panel
- Look for devices with MAC addresses starting with
70:61:be(Mitsubishi Electric)
Test connectivity:
bash python3 ac_control.py --ip <DEVICE_IP> --status
Known Working Credentials
- Admin:
admin:me1debug@0567(hardcoded in firmware) - User:
user:[KEY from device label]
Important Security Notes
- These tools exploit known vulnerabilities in the device firmware
- Only use on devices you own or have explicit permission to test
- The admin credentials appear to be hardcoded across all devices
- All communication is local to your network (no external servers)
- The AES encryption key
"unregistered"is the standard key used by Mitsubishi devices
Flash Memory Layout
Based on reverse engineering, key areas include:
- 0x0 - Firmware start
- 0xba - WPA key storage
- 0xc4 - Domain name configuration
- 0xc8 - ECHONET flag
- 0xe7 - AES key storage
Device Behavior Notes
- The device may crash/reset after executing telnet commands (tools handle this automatically)
- Telnet access requires enabling via
/analyzeendpoint first - Use
\rline endings for telnet commands (not\r\n) - Some memory rows are skipped during flash reads (tools compensate for this)
Installation
Clone the repository:
bash git clone https://github.com/pymitsubishi/mac-577if-e.git cd mac-577if-eInstall dependencies:
bash pip install -r requirements.txtThis will install thepymitsubishipackage from PyPI along with all dependencies.
Reference Implementation
The homebridge-mitsubishi-electric-aircon/ directory contains a git submodule with reference TypeScript code that helped inform this implementation.
Contributing
Found a bug or want to add features? - See CITATIONS.md for research references - Check existing issues on GitHub - All contributions welcome!
License
This project is for educational and research purposes. Use responsibly and only on devices you own.
Research Credit: This work builds upon extensive research documented at https://github.com/ncaunt/meldec/issues/2
Special thanks to the security researchers who discovered the original vulnerabilities and documented the device's behavior.
Owner
- Name: pymitsubishi
- Login: pymitsubishi
- Kind: organization
- Repositories: 1
- Profile: https://github.com/pymitsubishi
Citation (CITATIONS.md)
# Citations This project was successful thanks to the following external resources: ## Primary Reference Implementation - **Repository**: [LeeChSien/homebridge-mitsubishi-electric-aircon](https://github.com/LeeChSien/homebridge-mitsubishi-electric-aircon) - **License**: Apache-2.0 license - **Usage**: TypeScript implementation provided the key breakthrough for understanding the AES encryption method and `/smart` endpoint usage - **Specific files referenced**: - `src/MEAircon.ts` - Main device communication - `src/utils/crypt.ts` - AES encryption/decryption implementation - `src/commands/general.ts` - Control command building - `src/commands/extend08.ts` - Extended commands - `src/utils/calcFCC.ts` - Checksum calculation ## Referenced from Conversation History - Original GitHub repository from conversation: References to ECHONET enable commands - Device IP and communication details provided by user - Test methodologies and approaches discussed during implementation ## Technical Standards - **ECHONET Lite specification**: For UDP discovery packet structure (though ultimately not used) - **AES-CBC encryption**: Standard cryptographic approach - **HTTP POST requests**: Standard web protocol implementation ## Tools and Libraries Used - **Python requests**: HTTP client library - **Python Crypto.Cipher.AES**: AES encryption implementation - **Python xml.etree.ElementTree**: XML parsing - **Python enum and dataclasses**: Type safety and structure ## Key Breakthrough Attribution The critical insight that enabled this project's success came from the LeeChSien homebridge plugin, which revealed: 1. The use of HTTP `/smart` endpoint instead of UDP ECHONET 2. The static AES key `"unregistered"` 3. The specific encryption format (IV + data as hex, then base64) 4. The XML payload structure for commands Without this reference implementation, reverse-engineering the MAC-577IF-2E protocol would have been significantly more challenging.
GitHub Events
Total
- Push event: 10
Last Year
- Push event: 10
Dependencies
- pycryptodome >=3.15.0
- requests >=2.28.0