mdopp / simple-sonoff-server

Emulates the original sonoff-cloud-servers within your local network.
BSD 2-Clause "Simplified" License

Question : newer Sonoff stock firmware a problem? #6

Open gerardwr opened 6 years ago

gerardwr commented 6 years ago

Hi,

I read here that some Sonoff switches with newer firmware (1.6.x?) fail to work with the SonOTA software. It seems that the newer firmware introduces "real" SSL verification: https://github.com/mirko/SonOTA/issues/58

As far as I can see the SonOTA software uses the same Sonoff mechanism as your server, so your server could be affected too.

Or am I mistaken?

mdopp commented 6 years ago

Hi, you are absolutely right. I have used much of their work to implement this. (as mentioned in the readme I used => http://blog.nanl.de/2017/05/sonota-flashing-itead-sonoff-devices-via-original-ota-mechanism/ as a source)

So the problem described in mirko/SonOTA#58 will also affect this tool. Currently I am not able to do anything more than making a note in the readme and following their issue, in case they find a solution (I am not too good at security-breaking hacks).

gerardwr commented 6 years ago

Hi,

Thanks for the confirmation.

Increased security is in principle a good thing, but for us "hackers" is not always a blessing :-(

Let's hope this issue is sorted out eventually.

mdopp commented 6 years ago

Agree, but security could also be implemented in a way that allows hacking. Especially as the first setup needs user interaction. And before I forget to mention => Thanks for the hint. I guess this will be a deal breaker for a lot of Sonoff users. But as long as updating the firmware is possible we still have a way (even though not a non-invasive way).

pevecyan commented 6 years ago

Did anyone have this problem? Today I received two switches and I was able to connect to my local server without any problems. Maybe they still use old firmware and I also didn't connect them to WeLink app to prevent any OTA firmware updates.

gerardwr commented 6 years ago

@mdopp I'm afraid that Itead has shown little interest in providing information on the "hacker" use of their stock firmware. Closing the SSL gap in newer firmware seems another step to tie their devices down to their own services.

Many users will stick to the stock firmware in combination with the Ewelink App, so closing the SSL gap is not a problem for them.

Most hackers will probably ditch the stock firmware anyway so it's also not a problem for them.

It's a pity for guys like us who like to extend default behaviour of devices in a way the supplier has not foreseen. Oh well, on to the next challenging device ;-)

gerardwr commented 6 years ago

@pevecyan I saw a list of reported working and affected devices here: https://github.com/mirko/SonOTA/wiki

kisdaniel commented 6 years ago

How can I get the current firmware version? I have just bought a Sonoff RF Bridge and seems to be not working with this hacking.

I would like to try it with valid certs generated by Let's Encrypt.

mdopp commented 6 years ago

I am not sure, but I guess it would be updated by using the original app

xyboox commented 6 years ago

@mdopp a few questions, if I may:

  1. If my server is not on LAN but somewhere in the cloud ( say an Amazon EC2 instance running NodeJS ), should this work?
  2. My devices have v1.6.0 firmware. Would they work if my server running the NodeJS script is using a valid SSL cert?
  3. When POSTing the new configuration to 10.10.7.1, the port should be of the https server or http? ( I'm asking this because in the documentation is mentioned 1081 which a few lines above is assigned to httpPort but in the sonoff.config.json file is the other way around: httpPort: 1080 and httpsPort: 1081 )

Assuming the first 2 questions would have yes as an answer, I must be doing something wrong because after sending data to 10.10.7.1 nothing else happens on server side. The device exits the AP mode and joins the LAN but there is no connection to the server ( at least the server doesn't output any log about it ). Also, in sonoff.server.module.js line #150 I see the websockets should log the start of the server but that never shows up in my logs ( only the http and https servers start ). Any idea why? Maybe this is why the device is never connecting to the server? Thanks!

mdopp commented 6 years ago

@xyboox

  1. It should make no difference where the server is running, as long as it is reachable from your network
  2. I have no clue. But I would guess that the devices are expecting a special signed certificate.
  3. It should be connecting to the https port.

About the websocket log => this will only show if anything is connecting to the websocket. Not seeing this log is normal. The devices should try to connect to "/dispatch/device", and get the ip + websocket-port from there first. Not seeing this in your log means that they are expecting another certificate or something.
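One way to tell these cases apart on the server side, as an added example that is not part of this thread or of simple-sonoff-server: it records, per remote address, whether a device only opened a TCP connection, failed the TLS handshake, or got as far as requesting `/dispatch/device`. The name `watchHandshakes` and the stage labels are hypothetical; the events are the standard Node.js `net`/`tls`/`https` server events.

```javascript
// Added diagnostic sketch, not code from simple-sonoff-server.
// Attach it to the HTTPS server the device is configured to contact, e.g.
//   const diagnose = watchHandshakes(httpsServer, console.log);
//   ... later: console.log(diagnose('192.168.1.50'));  // address is a placeholder
const RANK = { tcp: 1, 'tls-failed': 2, tls: 3, dispatch: 4 };
const MEANING = {
  none: 'no TCP connection: the device never reached this host and port',
  tcp: 'TCP connection opened, but no TLS handshake result was recorded',
  'tls-failed': 'TLS handshake failed: see detail (certificate not accepted, ' +
    'protocol mismatch, or plain HTTP sent to the HTTPS port)',
  tls: 'TLS session established, but no request for /dispatch/device',
  dispatch: 'device requested /dispatch/device over TLS',
};

function watchHandshakes(server, log = () => {}) {
  const peers = new Map(); // remote address -> furthest stage reached

  const note = (sock, stage, detail = '') => {
    // remoteAddress can be undefined once a socket has been destroyed.
    const addr = (sock && sock.remoteAddress) || 'unknown';
    const prev = peers.get(addr);
    if (!prev || RANK[stage] > RANK[prev.stage]) peers.set(addr, { stage, detail });
    log(`${addr} ${stage} ${detail}`.trim());
  };

  // Raw TCP accept, before any TLS bytes are exchanged.
  server.on('connection', (sock) => note(sock, 'tcp'));
  // Emitted by tls.Server when the handshake dies before a session exists.
  server.on('tlsClientError', (err, sock) =>
    note(sock, 'tls-failed', err.code || err.message));
  // Handshake completed: the client accepted what the server presented.
  server.on('secureConnection', (sock) => note(sock, 'tls', sock.getProtocol()));
  // First application-level step mentioned in the thread.
  server.on('request', (req) => {
    if (req.url.startsWith('/dispatch/device')) note(req.socket, 'dispatch', req.method);
  });

  // Returns the furthest stage seen for an address, with a plain-language reading.
  return (addr) => {
    const p = peers.get(addr);
    return p
      ? { ...p, meaning: MEANING[p.stage] }
      : { stage: 'none', detail: '', meaning: MEANING.none };
  };
}
```

A device stuck at `tls-failed` reached the server but did not complete the handshake, while `none` points at addressing or port configuration instead.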

xyboox commented 6 years ago

It makes sense @mdopp what you're saying. Must be something with the SSL cert, although it is a valid one ( using it for another API that requires SSL ). I'll start digging about this. Thanks for the answer!

mdopp commented 6 years ago

@xyboox also a hint => https://disqus.com/home/discussion/itead/sonoff_wifi_wireless_smart_switch_for_smart_home/newest/

> Jack Liu  Jon • 3 days ago
> We will release new firmware that support LAN control in the future.

Looks like they make it happen some time in the future!

xyboox commented 6 years ago

@mdopp good news, as most of us will use the devices with an onLAN server. However, this doesn't exclude the Sonoff device connectivity to their clouds. Hopefully, when their servers are down ( like a couple of days ago ) the devices won't be affected.

xyboox commented 6 years ago

Today I've got an update for the ewelink app (iOS) but not a new firmware yet.

kisdaniel commented 6 years ago

I see a new firmware update (1.6.2 to 1.7.0) in ewelink app.