adapt0 / smartplug

Alternative firmware for Etekcity's "Voltson Wi-Fi Smart Plug Mini Outlet" (ESW01-USA)
MIT License

Hijack EU plug #31

Open MiKuBB opened 2 years ago

MiKuBB commented 2 years ago

Hi, I would like to ask for help with hijacking EU plugs. I own some ESW01-EU version plugs and am trying to flash them with alternative firmware. I have found a guide on esphome, but I can't disassemble the plugs. Something in the construction has changed, so it's impossible to do without damaging the plug. After hours of browsing I have found this project, which brings new hope to me :)

According to the esphome guide https://esphome.io/cookbook/esw01-eu.html I can communicate with the plug by soldering some wires without removing the PCB from the plug case. However, I can't locate GPIO0, so I can't put the ESP into flash mode :-(

As I can see from the serial communication, my FW version is 1.1.02

ESP8266 SDK version : 2.2.0(f28eaf2)
VeSync SDK version : 2.1.8
Flash-Size-Map: FLASH_SIZE_8M_MAP_512_512
User run area : user1
Device MAC : dc:4f:22:d0:98:89
Device channel : 1
Device type : 10AOutletEU.Firmware version : 1.1.02.

System started ...

mode : sta(dc:4f:22:d0:98:89)
add if0

After calling node ./index.js -s SSID -b BSSID -p password -i 192.168.133.x -d 192.168.4.1 I see something like this

Using SSID "xxxx" (BSSID: 00:00:00:00:00:00, Local IP: 192.168.133.226)
Starting web server on TCP port 17273
Attempting to connect to device 192.168.4.1
Connected to device 192.168.4.1
0000 498e3c762468c689c8e9793e1b040ad80385276ae4aa61eac22c3f98211fe3f3
0020 4fa4ab08199533880d0bc0d40a32f77f24234376048b0df0c81b237176ab26b2
0040 e844a15173a397d702bbed082f8e5562f9979b64b6434a689afbeec5a6e8ac48
0060 9c7c77572a659412cef81761aca41f89fae34a09deeb066e23721184159589e6
0080 6831d12ecb9ee7f753fbbf5239e1a967b0621cba82c614f418d1b94b26e8bb83
00a0 b0882f6f5fd1ff2bc58e496ee098c988
undefined:1
�<v$hƉ��y>

and the Etekcity AP stops responding ...

I have tried to update the FW using the VeSync app, but with no luck; the hijack output is the same, the only thing that changed is that the AP is still functional.

0000 498e3c762468c689c8e9793e1b040ad80385276ae4aa61eac22c3f98211fe3f3
0020 4fa4ab08199533880d0bc0d40a32f77f24234376048b0df0c81b237176ab26b2
0040 e844a15173a397d702bbed082f8e5562f9979b64b6434a689afbeec5a6e8ac48
0060 9c7c77572a659412cef81761aca41f89fae34a09deeb066e23721184159589e6
0080 6831d12ecb9ee7f753fbbf5239e1a967b0621cba82c614f418d1b94b26e8bb83
00a0 b0882f6f5fd1ff2bc58e496ee098c988
undefined:1
�<v$hƉ��y>

So it would be great if somebody can help me to manage hijacking of these EU plugs. Thank you, mk

sredman commented 6 months ago

FWIW, this isn't unique to the EU plugs; I get a very similar-looking response from my ESW01-USA. The first bits are identical, the last bits are different. I assume Etekcity patched this particular access method. That assumption is supported by my memory, because I recall that when I first got these plugs years ago, the app did not ask to connect to the ESP_* network, so it was probably using AirKiss; now it asks to connect to the switch's wifi.

I spent many hours over the past couple of weeks trying to find a different way to break in. For me, the first step after using the app to tell it to connect to my honeypot wifi is that it makes some non-MQTT connection to vdmpmqtt.vesync.com:1883. That resolves to a URL which seems like it should be an AWS Kafka instance, but the payload doesn't seem to be Kafka either.

I spent many further hours looking at a decompiled dump of the firmware, but I couldn't make much progress. This is not my area of expertise, so someone else might be able to do more.

The US ones are amazingly difficult to get open to reflash using the serial connection. I've decided they're not worth my time (nor the risk to my fingers). I'm going to donate mine, and buy some more-easily-customized plugs.
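Two things come up in this thread: MiKuBB's pasted reply crashes the node tool (the `undefined:1` line followed by mangled bytes is what Node prints for an uncaught JSON.parse SyntaxError, so the tool expected a JSON reply and got something else), and sredman notes that captures agree at the start and differ at the end. The Python below is an added example, not code from the adapt0/smartplug project: it rebuilds the dump posted above into bytes and characterizes it (entropy, printable ratio, JSON-parsable or not), plus a prefix comparison for two captures; the thresholds in the comments are rules of thumb, not values taken from the page.

```python
import json
import math
from collections import Counter

# The hijack reply MiKuBB pasted in this issue: hex offset, then 32 bytes per line.
HEXDUMP = """\
0000 498e3c762468c689c8e9793e1b040ad80385276ae4aa61eac22c3f98211fe3f3
0020 4fa4ab08199533880d0bc0d40a32f77f24234376048b0df0c81b237176ab26b2
0040 e844a15173a397d702bbed082f8e5562f9979b64b6434a689afbeec5a6e8ac48
0060 9c7c77572a659412cef81761aca41f89fae34a09deeb066e23721184159589e6
0080 6831d12ecb9ee7f753fbbf5239e1a967b0621cba82c614f418d1b94b26e8bb83
00a0 b0882f6f5fd1ff2bc58e496ee098c988
"""

def parse_hexdump(text: str) -> bytes:
    """Rebuild raw bytes from 'offset hexdata' lines, rejecting gaps in the offsets."""
    out = bytearray()
    for line in text.splitlines():
        if not line.strip():
            continue
        offset, data = line.split(maxsplit=1)
        if int(offset, 16) != len(out):
            raise ValueError(f"offset {offset} does not follow the previous line")
        out += bytes.fromhex(data)
    return bytes(out)

def shannon_entropy(data: bytes) -> float:
    """Bits per byte (rule of thumb: text/JSON well under 6, ciphertext or random close to max)."""
    return -sum(c / len(data) * math.log2(c / len(data)) for c in Counter(data).values())

def looks_like_json(data: bytes) -> bool:
    """True only if the bytes are valid UTF-8 that JSON-parses, which is what the node tool assumes."""
    try:
        json.loads(data.decode("utf-8"))
        return True
    except (UnicodeDecodeError, ValueError):
        return False

def common_prefix_len(a: bytes, b: bytes) -> int:
    """Length of the identical leading run, to quantify 'first part same, tail differs'."""
    return next((i for i, (x, y) in enumerate(zip(a, b)) if x != y), min(len(a), len(b)))

def characterize(text: str) -> dict:
    data = parse_hexdump(text)
    # Random bytes land near 95/256 = 0.37 printable; readable JSON would be near 1.0.
    printable = sum(0x20 <= b < 0x7F for b in data) / len(data)
    return {"length": len(data), "entropy": round(shannon_entropy(data), 2),
            "printable_ratio": round(printable, 2), "json": looks_like_json(data)}

if __name__ == "__main__":
    print(characterize(HEXDUMP))
```

The 176-byte reply scores close to the entropy ceiling for a sample that size and fails UTF-8 decoding at its second byte, so nothing the tool could JSON.parse is in there.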