Open deftdawg opened 3 years ago
Hi @deftdawg, actually I opened one already. The images are in the images folder. It runs on an RTL8710BX chipset, not on an ESP82XX, so the device is not compatible with Tasmota, which runs only on ESP8266 or ESP8285 chipsets. I sniffed the packages that this device receives and it's all MQTT packages (with SSL), so it's a remote MQTT subscription that controls the relay.
The board has 4 pins marked as GND/+3V3/RX/TX where I want to try to get a firmware dump (some soldering is needed and I don't have a soldering iron available), but it's an alternative way to understand the workings of this device.
Ah yes, I started looking into this and it seems that, starting with the Teckin SP22 plugs, many manufacturers have started switching to Realtek ARM chips.
There are some indications that these can be programmed like Arduinos.
Here are some other links I found:
BTW, Is there a non-destructive way to get it out of the casing? It looks like there's a seam along the back, is it clipped only or glued as well?
Probably. I managed to open it with minimal damage to the case. I don't have one, but this tool can probably solve the issue:
https://www.amazon.ca/iFixit-Jimmy-Electronics-Opening-Tool/dp/B00NCFIVH4
It's only 4 clips, but the way they did it makes it hard. I'll include some images later on.
Yeah some pics of the inside of the shell (or what's left of it 🤣) would be great. Maybe can get it open with a putty knife or something...
Not sure if it's useful, but seems to be a Russian firmware building site for RTL8710n here... https://wifi-iot.com/p/rtl87xx/
Login is demo/demo
Most of the features (red) appear to require payment.
I would say it's worth a try, but without a better understanding of the firmware dump/write process it's quite a leap. I still don't know if an Ameba writer is needed or if only a serial connection can get the job done.
I'm also unsure... There is a discussion here: https://github.com/arendst/Tasmota/discussions/9262
Someone drops a link Ameba ARDUINO: Getting Started with RTL8710, but appears to be an official SDK board or something.
@deftdawg I upload some photos of the case opened and my concerns about the way they create some sort of groove in the plastic.
Best of luck guys. I’m following this :)
I sniffed the packages that this device receives and it's all MQTT packages (with SSL), so it's a remote MQTT subscription that controls the relay.
@gknepper How far did you get in capturing the mqtt packets, could you read the contents, is it a known certificate?
@gmcmicken We are on the same page pretty much. It's a proprietary certificate for sure. I was trying to dump the RTL8710BX image and, with some luck, open it and check the contents to find the cert. Some soldering is needed and I haven't done it so far.
@gknepper I found the keypair, it was in the apk in a keystore file (.bks) and I guessed the password. 👍
@gmcmicken Sweet!
I tried packet capturing tonight, but my wifi card doesn't support monitor mode. I then tried to capture on my android device while using the app to configure the smart plug but the app failed to start when the capture was running (an android vpn issue I guess?) I'll try again though.
I tried using rpcapd inside my router but I wasn't able to open the packages. I think I'm doing something wrong in the Wireshark TLS settings. For now my only finding was the MQTT gateway: azuremqtt.arnoo.com, which leads us to the probable manufacturer of this Arnoo app. https://www.arnoo.com/
It's possible the keypair I found is only for the initial setup, during the stage where the switch is broadcasting an unsecured wifi and the app connects directly to it. It's also possible the keypair is for some other device supported by that app. I think we should be able to see the fingerprint (?) in the TLS handshake though, to be sure.
I know this is not the same device, but some hint where to look for some ideas...
FCC info for the company making the reference design: https://fccid.io/2AB2Q, and this specific plug https://fccid.io/2AB2QHPPA11SWB has anybody been able to find more info on local control ?
Any update on this?
At long last I think some cool people got traction on this problem. https://github.com/libretiny-eu/libretiny
This project is enabling the creation of firmware that can be run on non-ESP32 IoT platforms including the relevant one here, the RTL8710BX. I really did not want to get tangled up with Ameba if I could help it -- this looks more likely to work for me.
I wonder if anybody has actually managed to flash a plug using that code - the project does look interesting.
For a while now I have been using the Sonoff S31 plugs with tasmota, but there is a big price difference between the HomeDepot and the Sonoff ( including the lite version without power monitoring ).
I did some hacking at the plug a while back using an SSL proxy but was not able to obtain local control - I was using an older rooted phone, but have seen videos using the Android emulator making the process a bit simpler.
I believe HD still sells those plugs at a good price, so it would be great to have a low cost, easy to purchase option with local control ( checked the HD page and they still do sell them ).
TLDR: I have this switch working with ESPHome. You will need to...
I bought a three pack of switches on sale at Home Depot. At the time, there wasn't any information for the RTL8710 so I converted two switches with ESP8266 chips for an almost drop-in replacement. Flashed Tasmota on them and went on my way.
I had one switch remaining and until recently was just put aside. I was about to convert it, but I found out that the LibreTiny/ESPHome project exists which has made progress with RTL8710 chips.
LibreTiny mentions how to get a module setup in ESPHome, and then to use the ltchiptool for flashing. The ltchiptool helped me figure out that these SP1 boards have 2MB of flash. Using a generic rtl8710bx module configuration and no GPIO settings, I compiled a firmware. Sadly, my attempts to flash a UF2 firmware file caused ltchiptool to crash or not write to the chip.
I found another tool called rtltool.py. This tool, plus the ability to manually download the OTA1/OTA2 files, allowed me to flash the board. After this success, I manually figured out which pin assignment was associated with the components, which I had previously reverse engineered from converting my other boards over to ESP8266.
Notes:
- rtltool.py requires Python 2.7 to work.
- To flash the RTL8710BX chip: manually download the OTA1/OTA2 bin files from ESPHome before proceeding, then write each at its offset:
    python rtltool.py -p <USB_to_Serial_Port> wf 0xb000 name_of_device_0x00B000.bin
    python rtltool.py -p <USB_to_Serial_Port> wf 0x80000 name_of_device_0x080000.bin
YAML:

esphome:
  name: name_of_device
  friendly_name: "Name of Device"

rtl87xx:
  board: bw12

# Enable Home Assistant API
api:
  encryption:
    key: "keyhere"

ota:
  password: "ota_pass"

wifi:
  ssid: !secret wifi_ssid
  password: !secret wifi_password

binary_sensor:
  - platform: gpio
    pin:
      number: PA22
      mode:
        input: true
        pullup: false
      inverted: true
    name: "Button"
    on_press:
      - then:
          - switch.toggle: relay
    disabled_by_default: true

switch:
  - platform: gpio
    name: "Relay"
    pin: PA00
    id: relay
    on_turn_on:
      - then:
          - output.turn_on: green_led
    on_turn_off:
      - then:
          - output.turn_off: green_led

status_led:
  pin:
    number: PA14
    inverted: false

output:
  id: green_led
  platform: gpio
  pin: PA05
Some images:
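As an added example (not part of this thread or of the rtltool/ESPHome projects): a small Python 3 helper that derives the two `rtltool.py wf` commands from the ESPHome image filenames and refuses to proceed if an image would overlap the other OTA slot or run past the end of flash, which is the kind of pre-flash sanity check that avoids bricking a plug. It assumes the 2 MB flash size reported by ltchiptool for these boards and the `<name>_0x<offset>.bin` naming used in the post above; the image sizes in the demo are constructed.

```python
import re
from typing import List, Tuple

# Assumption: 2 MB flash, as ltchiptool reported for these SP1 boards.
FLASH_SIZE = 2 * 1024 * 1024
# Assumption: ESPHome/LibreTiny OTA images are named "<name>_0x<offset>.bin".
IMAGE_NAME_RE = re.compile(r"_0x([0-9A-Fa-f]+)\.bin$")


def offset_from_name(filename: str) -> int:
    """Parse the flash offset encoded in an OTA image filename,
    e.g. name_of_device_0x00B000.bin -> 0xB000."""
    m = IMAGE_NAME_RE.search(filename)
    if m is None:
        raise ValueError(f"no _0x<offset>.bin suffix in {filename!r}")
    return int(m.group(1), 16)


def plan_writes(images: List[Tuple[str, int]],
                flash_size: int = FLASH_SIZE) -> List[Tuple[int, int, str]]:
    """Given (filename, size_in_bytes) pairs, return (start, end, filename)
    regions sorted by offset. Raises if a region runs past the end of flash
    or overlaps the region written before it (e.g. OTA1 spilling into OTA2)."""
    regions = sorted((offset_from_name(f), offset_from_name(f) + size, f)
                     for f, size in images)
    prev_end, prev_name = 0, None
    for start, end, name in regions:
        if end > flash_size:
            raise ValueError(f"{name} ends at {end:#x}, past flash size {flash_size:#x}")
        if start < prev_end:
            raise ValueError(f"{name} at {start:#x} overlaps {prev_name} ending at {prev_end:#x}")
        prev_end, prev_name = end, name
    return regions


def rtltool_commands(images: List[Tuple[str, int]],
                     port: str = "<USB_to_Serial_Port>") -> List[str]:
    """Build the rtltool.py 'wf' command line for each validated image."""
    return [f"python rtltool.py -p {port} wf {start:#x} {name}"
            for start, _, name in plan_writes(images)]


if __name__ == "__main__":
    # Constructed sizes; a real run would use os.path.getsize() on the downloaded files.
    demo = [("name_of_device_0x00B000.bin", 400000),
            ("name_of_device_0x080000.bin", 400000)]
    for cmd in rtltool_commands(demo):
        print(cmd)
```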
Thanks for the info. Would be interesting if one could flash the plug over the air without having to crack it open. Even without that being able to flash it with ESPHome is great progress - would love to see Tasmota but I don't believe they are doing devices outside of ESP chips. I guess it is the time to cut them open :-)
Ideally that would be best (flashing without having to tear apart the case). Perhaps when more research into how the original firmware operates is done but until then, I'll take what I can get.
I found a way to connect 3.3V and GND without having to take the screws out. The empty capacitor spot by the square cutout has GND (white striped/shaded section), and 3.3V (blank section) pins.
Image attached.
Grabbed a few more 3pk boxes from Home Depot since they were on clearance.
When flashing one of these new devices, the button (PA22) didn't work with the ESPHome YAML I posted above. To fix this, I had to enable the internal pullup resistor.
Regarding the button (PA22) pullup resistor, I've seen a mixed result; detailed below.
Mostly I've been flashing with the pullup set to false. This is because when I was first experimenting to get the correct pins and settings for the YAML, I noticed the button wouldn't work unless the pullup was set to false.
After flashing a few of these, I ran into the device first mentioned above where the pullup needed to be set to true and didn't work otherwise.
I also tested some devices by leaving the pullup set to true. This worked on some devices but not others. Strange.
Picked up a pack of these last week, I'm impressed they are 15A and CSA marked for $20 CAD...
Have you had a chance to open one yet? Most of these devices seem to be Tuya / ESP based controlled, I'm curious if this is as well. Would be good to get some pics of the board chips, pins, and general layout to see if it's already been converted by someone else under a different brand name.
I did grab the APK and unzip it: com.homedepot.sp1_131_apkplz.net.apk
App is written in JavaScript, there are a ton of different devices in /assets and build.zip seems to contain the whole app, though it's been run through webpack.
Pasted com.homedepot.sp1_131_apkplz.net.apk/assets/static/js/wifi-devices.2dbbbda4.chunk.js into https://lelinhtinh.github.io/de4js/ and there are references to port 6666 and 6667 on 255.255.255.255 ... though the code is still impossible to read.
Anyway, I'd love to get these running on ESPHome or Tasmota so I can control them directly via HomeAssistant.