Reverse Engineering API

Ok I figured it out! I wanted to share in case this info is useful for anyone else doing any reverse engineering.

After jailbreaking my iPhone, all I learned is that the device was sending stuff using TLS encrypted MQTT. Well, that's not super helpful since I can't see what topics it's publishing to! So the next thing I did was set up a TLS encrypted Mosquitto MQTT server on a Linux PC. I also ran bind on this PC so I could spoof DNS. I set my iPhone to use that PC as its DNS server. I then used SSL Kill Switch 2 (a Cydia Tweak that disables SSL cert validation on an iPhone) so that I could redirect all the MQTT messages to my PC. I then used mosquitto_sub to subscribe to #. This way, when my phone published something, I could see the payload.

So at that point I learned the MQTT messages being sent. That was nice and all, but @chuck.schwer confirmed for me that Hubitat does NOT support TLS encrypted MQTT (currently... maybe some day!). Turns out the app I'm using uses the Azure IoT Hub, which also allows you to send the MQTT messages as HTTPS messages to a REST API endpoint. So basically I could post the same MQTT message just using httpPost.

Between this and having to figure out how to reverse engineer the MS B2C AD OAuth protocol, this was the most complicated integration I've ever written. But I learned some new stuff. If anyone else out there has a Kohler DTV+ with Konnect, we can now control the lights (and soon volume!). For anyone interested (in case there are other integrations that rely on Azure IoT Hub, the same basic principles should apply): GitHub - dcmeglio/hubitat-kohlerdtv at konnect-control

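The MQTT-to-HTTPS equivalence the post relies on, as an added example that is not part of the original post or the linked driver: it turns a captured Azure IoT Hub device-to-cloud publish into the equivalent REST request without sending anything. It assumes the hub accepts a device-key SAS token (the post does not say how the app authenticates), and the hub name, device id, key and topic below are constructed placeholders.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, quote_plus, urlencode

API_VERSION = "2020-03-13"  # a published IoT Hub REST api-version

# Constructed sample values, not taken from the post or any real device.
SAMPLE_HUB = "example-hub.azure-devices.net"
SAMPLE_KEY = "c2VjcmV0LWtleQ=="  # base64 of "secret-key"
SAMPLE_TOPIC = "devices/dev1/messages/events/room=bath&%24.ct=application%2Fjson"


def sas_token(resource_uri, key_b64, expiry_epoch):
    """Azure SAS token: HMAC-SHA256 over '<url-encoded uri>\\n<expiry>'."""
    to_sign = f"{quote_plus(resource_uri)}\n{expiry_epoch}".encode()
    digest = hmac.new(base64.b64decode(key_b64), to_sign, hashlib.sha256).digest()
    fields = {"sr": resource_uri,
              "sig": base64.b64encode(digest).decode(),
              "se": str(expiry_epoch)}
    return "SharedAccessSignature " + urlencode(fields)


def mqtt_to_https(hub_host, topic, payload, key_b64, expiry_epoch):
    """Map an MQTT publish on devices/<id>/messages/events/<props> to a REST request."""
    parts = topic.split("/", 4)
    if (len(parts) != 5 or parts[0] != "devices"
            or parts[2:4] != ["messages", "events"] or not parts[1]):
        raise ValueError("not a device-to-cloud telemetry topic")
    device_id, prop_bag = parts[1], parts[4]

    headers = {"Authorization": sas_token(
        f"{hub_host}/devices/{device_id}", key_b64, expiry_epoch)}
    # The topic's property bag is URL-encoded key=value pairs. Over HTTPS,
    # application properties travel as 'iothub-app-<name>' headers.
    # System properties ('$.' prefix) are left out of this sketch.
    for name, value in parse_qsl(prop_bag, keep_blank_values=True):
        if not name.startswith("$."):
            headers["iothub-app-" + name] = value

    url = (f"https://{hub_host}/devices/{quote(device_id, safe='')}"
           f"/messages/events?api-version={API_VERSION}")
    return {"method": "POST", "url": url, "headers": headers, "body": payload}


if __name__ == "__main__":
    req = mqtt_to_https(SAMPLE_HUB, SAMPLE_TOPIC, b'{"light":1}', SAMPLE_KEY, 1700000000)
    print(req["method"], req["url"])
    for k, v in req["headers"].items():
        print(f"{k}: {v}")
```
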