GW ESP32 WiFi Hotspot
The Gateway provides a WiFi hotspot for configuration. The hotspot has SSID with the name "Configure Ruuvi Gateway ABCD" where ABCD is the last 2 bytes of the gateway WiFi MAC address. No password is required to connect to the gateway's hotspot.
The WiFi hotspot is only active if the gateway is not configured or within one minute after pressing the Configuration button. After the configuration of the gateway is complete, WiFi credentials are stored to flash and the hotspot is turned off. If the Internet connection is lost later, connection loss is indicated by "Red LED" but the hotspot is not turned back on unless the user enters configuration mode by pressing the Configuration button.
The gateway can be partially reconfigured over LAN (network configuration can't be changed in this case). Also following pages are available through LAN connection: /metrics and /history.
API
The gateway is reachable at http://10.10.0.1 once a client has connected to the hotspot.
Encrypted data format
Sensitive data (containing passwords) is transmitted in encrypted form. The format for transmitting encrypted data is as follows (JSON):
encrypted
Encrypted data, encoded as Base64
iv
AES-256 initialization vector, encoded as Base64
hash
SHA-256 hash of unencrypted data, encoded as Base64
Example of encrypted data:
The data is encrypted using AES-256-CBC. ECDH protocol is used to establish a shared secret between the client and the Gateway, then SHA-256 hash is calculated for the shared secret to generate AES encryption key.
To establish a shared secret, the client must perform GET /ruuvi.json request and pass its public encryption key in the HTTP header "ruuvi_ecdh_pub_key" (Base64 encoded):
In response, the Gateway returns its public encryption key in the HTTP header "ruuvi_ecdh_pub_key" (Base64 encoded):
The client needs to compute a shared secret using its private encryption key and the Gateway's public key, then calculate SHA-256 for the shared secret to get the AES encryption key (AES_K).
To encrypt the data before sending it, the client must randomly generate a 16-byte initialization vector (IV) for AES encryption, then encrypt the data using parameters IV and AES_K. The data is validated using a SHA-256 hash, which is passed as part of JSON. All values in JSON are encoded by Base64.
To decrypt the data received from the Gateway, the client needs to decode all values in JSON from Base64 encoding, then get the IV from the "iv" attribute of the received JSON. After that, decrypt the data in the "encrypted" attribute using the IV and AES_K. And finally, calculate the SHA-256 hash for the decrypted data and check if it matches the "hash" attribute in JSON.
These API calls are available:
Requesting gateway configuration and performing encryption keys exchange
GET http://10.10.0.1/ruuvi.json
Headers
ruuvi_ecdh_pub_key*
String
The client's public encryption key in Base64 encoding.
Save network configuration
POST http://10.10.0.1/ruuvi.json
The same endpoint "/ruuvi.json" is used for saving the network configuration and gateway configuration. If the passed JSON data contains the "use_eth" attribute, then the network part of the configuration will be updated. Otherwise, the gateway configuration will be set.
The data must be sent in an encrypted form (see Encrypted data format). Here is the unencrypted data:
Request Body
use_eth*
Bool
Use Ethernet if True, otherwise use Wi-Fi
eth_dhcp
Bool
Use DHCP for Ethernet connection
eth_static_ip
String
Static IP address (when Ethernet is used and DHCP disabled)
eth_netmask
String
Netmask (when Ethernet is used and DHCP disabled)
eth_gw
String
IP address of gateway (when Ethernet is used and DHCP disabled)
eth_dns1
String
IP address of DNS1 (when Ethernet is used and DHCP disabled)
eth_dns2
String
IP address of DNS2 (when Ethernet is used and DHCP disabled)
wifi_ap_config
Object
Set parameters for Wi-Fi AP. The attribute "channel" allows configuring the Wi-Fi channel.
Example:
Example:
Save gateway configuration
POST http://10.10.0.1/ruuvi.json
The same endpoint "/ruuvi.json" is used for saving the network configuration and gateway configuration. If the passed JSON data contains the "use_eth" attribute, then the network part of the configuration will be updated. Otherwise, the gateway configuration will be set.
The data must be sent in an encrypted form (see Encrypted data format). Here is the unencrypted data:
Request Body
remote_cfg_use
Bool
If true, then download the configuration from the remote server, specified in "remote_cfg_url"
remote_cfg_url
String
URL of the remote server to download the configuration
remote_cfg_auth_type
String
Authentication type: "no", "basic" or "bearer"
use_http
Bool
If true, then send data to the cloud via HTTP(S)
http_url
String
URL of the cloud server
http_user
String
Username
http_pass
String
Password
use_http_stat
Bool
If true, then send statistics to the cloud via HTTP(S)
http_stat_url
String
URL of the cloud statistrics server
http_stat_user
String
Username
http_stat_pass
String
Password
use_mqtt
Bool
If true, then send data to the cloud via MQTT(S)
mqtt_transport
String
MQTT transport: "TCP", "SSL", "WS" or "WSS"
mqtt_server
String
IP address of MQTT server
mqtt_port
Int
TCP/IP port of MQTT server
mqtt_prefix
String
MQTT prefix
mqtt_client_id
String
MQTT client ID
mqtt_user
String
Username for MQTT authentication
mqtt_pass
String
Password for MQTT authentication
lan_auth_api_key
String
Bearer key for authentication when accessing the Gateway from LAN
company_use_filtering
Bool
scan_coded_phy
Bool
scan_1mbit_phy
Bool
scan_extended_payload
Bool
scan_channel_37
Bool
scan_channel_38
Bool
scan_channel_39
Bool
auto_update_cycle
String
"regular", "beta" or "manual"
auto_update_weekdays_bitmask
Int
auto_update_interval_from
Int
auto_update_interval_to
Int
auto_update_tz_offset_hours
Int
ntp_use
Bool
ntp_use_dhcp
Bool
ntp_server1
String
ntp_server2
String
ntp_server3
String
ntp_server4
String
remote_cfg_auth_basic_user
String
Username for "basic" authentication
remote_cfg_auth_basic_pass
String
Password for "basic" authentication
remote_cfg_auth_bearer_token
String
Bearer token for bearer authentication
Example:
status.json
GET http://10.10.0.1/status.json
This URL can be polled to get the Wi-Fi/Ethernet connection status of the gateway.
ap.json
GET http://10.10.0.1/ap.json
Scan for available Wi-Fi access points that the gateway can connect to.
connect.json
POST http://10.10.0.1/connect.json
Connect to a Wi-Fi network or Ethernet.
Data containing authentication information is transmitted in the body of the request in encrypted form.
Request Body
hash*
String
SHA256 hash of unencrypted request, encoded as base64
iv*
String
AES initialization vector, encoded as base64
encrypted*
String
Encrypted request, encoded as base64
Example:
Unencrypted content of "/connect.json" is data in json format:
ssid
WiFi network SSID or null for Ethernet
password
Strings with a Wi-Fi password or null for Ethernet. The null value is also used for reconnecting to the last saved Wi-Fi network.
stub
A string of spaces, which is chosen so that the json length is always 240 bytes, regardless of SSID length and password length.
Example of unencrypted data for connecting to Wi-Fi with the name "my_ssid1":
Example of unencrypted data for connecting to Wi-Fi with the name "my_ssid1" using the saved password (the value "null" is passed to indicate that the saved value of the password is to be used):
Example of unencrypted data for connecting to Ethernet:
connect.json
DELETE http://10.10.0.1/connect.json
Disconnect from WiFi or Ethernet.
metrics
GET http://10.10.0.1/metrics
Get machine statistics, such as uptime and free memory. Data is in Prometheus format. For more details, please see https://prometheus.io/docs/instrumenting/exposition_formats/ .
history
GET http://10.10.0.1/history
Get history data in json format
Path Parameters
time
integer
Read the history for the last N seconds only
See examples of the "history" payload here: HTTP GET /history (with timestamps) and decoding
Last updated