building from sources and decryption key

[ljalves]

I just got a couple of these switches and would really like to avoid having any data going outside my home (apparently these switches keep pushing data to their server about their state).

According to the source on the hf github: https://github.com/mys812/hf/blob/master/LPB100-HSF/src/LumitekITO/inc/itoCommon.h#L55

The key by default is "1234567890abcdef" (and not "0123456789abcdef") Did you also try that one?

On another topic, do you know of anyone that has tried to build the firmware from those sources? Or even building from the original HF sdk?

I'm willing to give it a try...

[ljalves]

Also, if you "browse" to the device IP address you'll get a http access popup. The default firmware user/pass is admin/admin but it doesn't seem to work here.

Anyone knows the user/pass to access the device webpage/config? Has anyone asked it to the manufacturer?

[ljalves]

I just tried and they key is indeed "1234567890abcdef" I'm able to decrypt/encrypt the packets!

[ljalves]

Here is a simple python status sniffer for all devices in the lan:

https://pastebin.com/gRfkcdqR

[futuretap]

Decrypting the UDP status packets would allow us to detect the current status, right? And also to update the status without using the replay attack?

Would love to see this in the homebridge plugin!

[futuretap]

I tried to decode the decrypted payload of the UDP packets.

The structure is as follows (see the struct for the first 5 elements):

• 0x00 8 bit reserved
• snIndex 16 bit sequence number
• 0xdf 8 bit deviceType
• 0xf1 8 bit factoryCode/companyCode
• 0x21B4 16 bit licenseData/authCode
• 0x0100 16 bit cmdType
• variable length command data

The deviceType, companyCode and authCode can be determined by sniffing the network traffic from the iPhone to https://lumitek.yunext.com/api/device/wifi/list?.... I used Charles with a custom root certificate. Luckily, the app doesn't do SSL cert pinning and happily accepts Charles' custom root certificate. The response to that request includes all devices in the account with their corresponding macAddress, companyCode, deviceType, authCode, and the deviceName configured by the user. Unfortunately that request needs an accessKey and a password as GET parameters whereby the password parameter seems to be some sort of hash of the entered user password. (I tried a simple MD5 and SHA1 but they don't match. Probably the app adds some salt string.)

For our purposes, the MSG_CMD_SET_GPIO_STATUS and MSG_CMD_GET_GPIO_STATUS cmdTypes are most interesting. Their command data is 16 bit long, 0x00ff for on and 0x0000 for off. To query the current status, the iPhone sends MSG_CMD_GET_GPIO_STATUS with 0x0000 to the device and it responds with MSG_CMD_GET_GPIO_STATUS with 0x00ff for on and 0x0000 for off.

Now the next step would be to try sending our own encrypted packets.

[ljalves]

Now the next step would be to try sending our own encrypted packets.

Already tried and it works.

I'm now trying to understand how hard it would be to rebuild the firmware from sources. Not even sure which toolchain they used...

[ljalves]

By the way, anyone knows the web interface user/pass?

[futuretap]

Would love to know, too.

Imo this library would greatly benefit from not having to enter the on and offCodes but rather the deviceType, companyCode and authCode. Would be much more flexible and for many switches one doesn't have to sniff all on/offCodes but only one web request. Btw, do you see the same deviceType, companyCode and authCode or which of them is different?

[ljalves]

Here are some messages captured on my network from 1 wifi plug and 1 wifi on/off module: (msg type in bold)

Plug: 0x0, 0x4, 0xdb, 0xdf, 0xf1, 0x21, 0xb4, 0x6, 0x0, 0x0, 0xff, 0xff

Module: 0x0, 0x0, 0x30, 0xd1, 0xf1, 0x21, 0xb4, 0x2, 0x0, 0x0, 0x0, 0xff 0x0, 0x16, 0x1a, 0xd1, 0xf1, 0x21, 0xb4, 0x6, 0x0, 0x0, 0xff, 0xff 0x0, 0x0, 0x39, 0xdf, 0xf1, 0x21, 0xb4, 0x61, 0x5c, 0x39, 0xf5, 0x63 0x0, 0x70, 0xd, 0xd1, 0xf1, 0x21, 0xb4, 0x62, 0x8, 0x8, 0x8, 0x8

For some reason the "deviceType" changes (bug?)

By the way, I don't use this library - found it when searching for info about these devices.

[ljalves]

I really hate the idea of having these devices sending status updates and accessible from "outside". If I fail to recompile the firmware, Instead of adding blocking rules to my firewall I'll probably will create a separate wifi essid for these devices, without internet connectivity, but accessible from my lan.

[ljalves]

Success! I'm able to build and flash the firmware! I'll post more details soon...

[ljalves]

In case you're thinking in updating with a custom firmware you'll need either webui access or you'll have to open the module and connect it to a serial port (to flash it).

I just noticed that the webui user/pass is admin/admin for one of my modules. The one where I did a firmware upgrade using the android app is not (not sure if it was due to the upgrade).

My advise is to NOT update the firmware or you may loose access to the webui flashing page...

[ljalves]

Well... progress! Just discovered the webui password for the latest firmware version: user: admin pass: Lumlink@100

[ljalves]

I now have a firmware that doesn't send any data to their servers. App still works while on LAN. Let me know if anyone is interested - easily upgrade by web interface.

[futuretap]

The web admin password is very useful, thanks! Using the web UI one can also configure the network settings manually and could simply remove the default gateway. Wouldn’t this be an easier way to remove the home phoning behavior while keeping access from the LAN? In case of a problem it’s also easily reversible.

[futuretap]

However it would be awesome to build a firmware with native HomeKit support!

Btw is there a way to toggle the power switch via the web UI? Couldn’t find anything.

[ljalves]

The device uses NTP to get/set it's date and time - unless you don't use the device on/off timers, removing the gateway will break that functionality.

No, there is no way to control the switch by webui - can be easily added. I'm planning on working on a MQTT client for these devices.

Flashing a custom firmware is really easy by the use of the webui. Reverting to the official one is also easy (just use the app update firmware function).

[futuretap]

Indeed, NTP would be broken. Isn't important for me but might be for others. An MQTT client would be great!

[ljalves]

Latest official firmware (to flash using the webui):

Wall plug (http://www.lumitek.cn/en/productsd.php?pid=1095) http://lumitek.yunext.com/files/DF_1_5114.bin

On/Off Module (http://www.lumitek.cn/en/productsd.php?pid=1093): http://lumitek.yunext.com/files/D1_1_V1.5116.bin

(useful when needed to revert from custom firmware)

[ljalves]

Quick hack - added url to get/set the switch by http:

query switch status: http://device_ip/on=?

set switch status: http://device_ip/on=1 or http://device_ip/on=0

firmware here: https://drive.google.com/drive/folders/1HWl-QiYM2u8lW9TAv1M6Kr9DPkj1_wRG?usp=sharing

P1 is the on/off module P3 if the socket plug module

[ljalves]

So... I have an initial version (should work with any Ankuoo device).

It has a simple MQTT client (no auth for now, so lan only). It has http config, control and status page: http:///config http:///status http:///state?sw OR http:///state?sw=1 OR http:///state?sw=0

I've been using it for over 1 week along with OpenHab without any issue.

Source code is at: https://github.com/ljalves/hfeasy

Firmware to flash using the webui is at: https://drive.google.com/open?id=1KVt4QvOLIY-WCWgONfWG1eNCMGK019AO (for plug and for module)

Open an issue at my github page if you have questions or improvement suggestions! I'll try to get some time to add a wiki / readme at my github repo.

PS: These modules are pretty "unbrickable" - the "main" webpage is "hard-coded" and still there no matter which firmware you flash.

[futuretap]

This works great, thanks!

I've installed mosquitto on the Mac and used the mqttthing homebridge plugin to control MQTT from Homebridge.

My complete tech stack to control one power switch: HomeKit (on Apple TV) => Homebridge (on Mac mini) => homebridge-mqttthing (Plugin) => mosquitto (on Mac mini) => SW6201 Wifi Switch (bought at Hornbach, IIRC branded as Malmbergs)

Wondering if it's a bit over-engineered… But I'm actually glad to use a standards-conforming solution now!

[ljalves]

Nice to know!! My setup is more similar, difference is that I'm using openhab2: Openhab2->mqtt binding->mosquitto->wifi switches

Edit: By the way, I have openhab2 and mosquitto on the same server (a raspberry pi3)

[ljalves]

released 0v2 (adds mqtt authentication and recovery mode - explained in the readme)

[giu1io]

Hey, sorry If haven't been involved in the discussion but I have been swamped at work in the last few months. Thank you for all your great work in actually finding the key and improving the firmware! The mqtt support is awesome! It looks great. Sadly I'm unable to test it because I "bricked" my switch last summer by trying to set it on a static IP from the web ui. I must have done something wrong because now it's not connecting to the network anymore and I can't find a way to factory reset it (setting it up again from the app doesn't seem to work). I would love to update the code to add the key but I have no way to test it. Maybe I can push it to another branch and you can test it? Or, If you can, make a pull request and I'll merge it? I'm going to update the README with links to this issue and your repository with the improved firmware.

[cab113]

hi, i have a unit available to test, if you modify the code and sample config, i will be able to test it on my side

[cab113]

@futuretap . were you able to connect this device to homebridge ?

[futuretap]

@cab113 yes. As I described before, I use mosquitto and mqttthing to control the device via MQTT from homebridge.

[ljalves]

@giu1io, It's pretty easy to unbrick these modules (if you're used to mess with hardware). Open it and connect it to a usb/uart adapter (like one of those ftdi usb adapters, or an arduino serving as a com port bridge). Once connected you'll have access to the bootloader where you can flash a new firmware via serial port. I can help with more details if needed.

[msantagata]

Hi @ljalves , could you provide more details on how to get to the bootloader flash a new firmware? just like @giu1io , I tried to set a static IP address and even if all the parameters were right, my module is unreachable. Thanks!

[phrogg]

Nice to know!! My setup is more similar, difference is that I'm using openhab2: Openhab2->mqtt binding->mosquitto->wifi switches

Edit: By the way, I have openhab2 and mosquitto on the same server (a raspberry pi3)

Hello, I can't find the plug with MQTT. I also Installed mosquitto on the same pi.

[Linearburn]

Does anyone know if there is a tasmota version for this switch yet? or has anyone taken it apart and checked what mainboard is in it?

[stevo44444]

Hi guys, Would someone mind explaining to me how to decrypt the switch on/off UDP packet data with the key: 1234567890abcdef

Thanks

[polmdm]

I've just flashed a plug and seems to work properly. But I'm unable to connect it to Home Assistant with MQTT, someone can help me? I've already set a MQTT server that work well with Tasmota but I'm unable to add this switch...

Thanks you

[chrisv54]

Hi, by curiosity I'm interesting on this code for plug ANKOO/Chacon, and I test my Chacon' plugs. On the seven plug, I have 6 with the version v1.0.8 of software to be correct to change the flash bin. For you information on a new plug, I can't change software because the version is in 4.12.02 (2018-06-28), and we don't have the menu "upgrade SW".