Trending Tutorials

Hacking My Sous Vide (Reverse-Engineering the Anova Precision Cooker Software)

Deconstructing the WiFi API. It starts a little slow, but it picks up after discussing the Android app.

Hardware teardown:

I have a second channel:

37 Comments on Hacking My Sous Vide (Reverse-Engineering the Anova Precision Cooker Software)

  1. Is it possible to disable the "low water" alarm? Many Anova units are faulty and the detection is broken even though there is plenty of water. It errors with a long beep of death rendering the unit useless.

  2. I think that You could also use pfsense NAT instead of load balance to redirect traffic ????

  3. This is awesome. Nice job!

  4. Thank you very much for this video!

  5. That's quite a clever piece of reverse engineering. Were I still teaching all of my students would be required to watch this.

  6. Hi Mark, awesome vid. I loved seeing your thought process.

    Question: I’m not getting wifi to work. From your vid it turns out the Anova is being called from the internet on port 8080? So I guess I have to make a NAT forward rule on my router for 8080 to my Anova, right?

    I was expecting the Anova just to poll the cloud server, but in your vid you say it’s the other way around.

  7. Do you think its possible to flash the same mcu in their device with their firmware and build your own sous vide that uses their app? I have this broken anova cooker and Im suspecting that the pin that reads voltage of one of the thermistors has burned because I found wet dust inside and the device measure 0 degrees constantly. I was thinking that it would be possible to replace the mcu and flash it with their firmware update and fix it that way.

    Im still not sure if its the mcu or if there is some other issues.

  8. For those wanting to follow along at home, here's how to get a dump into readable format using Mark's script:
    curl -O
    nc hf-lpb100 9988 | xxd -plain -l 500 | tr -d 'n' | sed -e $'s/1668/16\n68/g' > rawdump.txt # replace hf-lpb100 with your anova's IP or hostname…

  9. Thanks for your awesome detective work! My device at broadcasts this protocol data to any client connecting to 9988. With regards to security, it needs to balance risk with cost to implement… so I'm happy they didn't make it too hard for you to figure out. I hope to feed this info into the Home Assistant community so that perhaps we can get a home automation component out of it. 😀

  10. Awesome skills. Throw a catchy title on and this would be worthy of a defcon talk.

  11. *I've had so much fun with my first precision cooker that I bought a second one so we can cook different things at different temperatures at the same time>>>
      A couple of our favorites are shrimp appetizers and chuck roast that comes out like prime rib. I might need a third one to make the creme brulee for dessert!*

  12. Have you ever taken apart the chefsteps joule?

  13. Very cool work! What about the communication of the app with the server? If we could reverse engineer that, wouldn't we have no need to redirect any traffic to talk to the Anova via their servers?

  14. Could you publish the code on Github or a similar place?

  15. And it is almost like the stream you have.

  16. I just bought a second anova ..and it might differ a bit .. it uses a HF-LPT220 and seems to spawn data if you connect to port on it 9988

  17. Brilliant sir. Not only does he "get" the hardware, he owns the software!. Man, the only reason now I might not buy this one, I could see a nefarious use with the AWS side to boil everyone's cooking one day – lol. (and I really don't need this much tech to heat my water!) – great work, it's been a pleasure to pseudo meet you.

  18. I honestly think more people to sub to you, I'm currently going back to school for sys administration and cyber security. I wish I had the knowledge you have in a finger nail it would get my an amazing job. I just wish I could follow better what exactly your are doing

  19. amazing moment 28:05 you might have felt it longer than that
    great video

  20. I heard that some IoT devices are so insecure they have thermal cutout disable function hidden in it — meaning someone could hijack your whatever-the-thing-is and set everything to maximum or do something similar to Aurora Generator Exploit.

  21. Really interesting to watch. Thanks for sharing!


  23. great video Mark! I actually also did some reverse engineering on this cooker on the software side and found a valid page on the HTTP server! It leads to what i believe is a firmware update page where you can upload a new custom firmware. 😉

  24. really enjoy your videos, keep em coming 🙂

  25. Too bad most (self-proclaimed) techies aren't interested in the true backbone of technology, or are too impatient/incapable of understanding it, because if they were, you'd be much more popular.

  26. Man, this was really fun to watch! Please do make more like this!
    If you have the time and energy for, that is.

  27. Mark,

    Excellent work, especially as this led me to looking at what sous vide actually is and from that going out and buying one of these things.

    I've got the wifi/bluetooth model, its arriving today and my phone has already told me the app isn't compatible.

    I'm a pfsense user too though so definitely looking foward to any more info you post on this.

    Keep up the good work!

  28. wow Mark, 1337. Please do a piper next!

  29. APK files are technically just zip files, so you can just use any zip manager to extract the contents.

  30. Very cool stuff. Reverse engineering is always fascinating.

  31. Could you get the device ID and (using the amazon servers) resolve the ip that the device is plugged into?

  32. yup I'll never buy an internet of shit device except for pwning it…

Leave a comment

Your email address will not be published.