Sonoff dropping connection after receiving SSL certificate

[ratedz]

• Operating System: OSX, Linux
• Python Version: 3.5.3
• Sonoff model: 1 Channel relay firmware 1.7.0

I have two of these devices, one worked just fine and the other fails all the time. It gets to the point where it connects back to my local network after connecting to the ITEAD network. Then it never downloads the new firmware. It just sits and repeats ( see below) The unit that did work, I never used with ewlink and never upgraded the firmware. The unit that fails I did set up with ewlink first and upgraded the firmware to 1.7.0. When the failed unit is in the phase of starting the webserver on 8080 and 8443, you can browse to 8080 and it just gives a 404. I have tried everything and cant get this thing to work. Ideas ? I have tried both on OSX and linux.. The successful unit was done on linux.

Using the following configuration: Server IP Address: 192.168.0.185 WiFi SSID: TP-Link WiFi Password: **** Platform: linux Now connect via WiFi to your Sonoff device. Please change into the ITEAD WiFi network (ITEAD-100001XXXX). The default password is 12345678. To reset the Sonoff to defaults, press the button for 7 seconds and the light will start flashing rapidly. ** This application should be kept running and will wait until connected to the Sonoff... ...................................................Current IPs: [] ..Current IPs: ['10.10.7.2'] ~~ Connection attempt

HTTP GET /10.10.7.1/device << { "deviceid": "1000114fee", "accept": "post", "apikey": "0a2c5628-a925-4dce-81d9-033715d15f3b" } HTTP POST /10.10.7.1/ap { "ssid": "TP-Link_1920", "version": 4, "password": "****", "serverName": "192.168.0.185", "port": 8443 } << { "error": 0 } ~~ Provisioning completed Starting stage2... The IP address of (192.168.0.185) is not assigned to any interface on this machine. Please change WiFi network to TP-Link_1920 and make sure 192.168.0.185 is being assigned to your WiFi interface. ** This application should be kept running and will wait until connected to the WiFi... .........Current IPs: [] ..............................Current IPs: ['192.168.0.185'] ~~ Starting web server (HTTP port: 8080, HTTPS port 8443) ~~ Waiting for device to connect

IMPORTANT! AFTER the first download is COMPLETE, with in a minute or so you should connect to the new SSID "FinalStage" to finish the process. ONLY disconnect when the new "FinalStage" SSID is visible as an available WiFi network. This server should automatically be allocated the IP address: 192.168.4.2. If you have successfully connected to "FinalStage" and this is not the IP Address you were allocated, please ensure no other device has connected, and reboot your Sonoff. ......^@........................ IMPORTANT! AFTER the first download is COMPLETE, with in a minute or so you should connect to the new SSID "FinalStage" to finish the process. ONLY disconnect when the new "FinalStage" SSID is visible as an available WiFi network. This server should automatically be allocated the IP address: 192.168.4.2. If you have successfully connected to "FinalStage" and this is not the IP Address you were allocated, please ensure no other device........... and goes on and one like this forever

[reloxx13]

flash by usb, itead wont change anything cuz its a secruity issue if everybody in your nework could flash those devices over ota.

[beebodo]

Today I flashed a new Sonoff 4ch pro via OTA without any problem. Unfortunately I'm not exactly sure about the original firmware version. As I didn't expect the flashing process to succeed after reading this thread, I didn't notice it, but it surely was >2.

[reloxx13]

Read the wiki https://github.com/mirko/SonOTA/wiki#known-working-configurations

[dzikus]

I have B1 with 2.0.3 and even tried DNAT 52.28.157.61 without success (always FIN after TLS 1.2 Server Hello). Some info about their cert:

Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=cb, ST=gd, L=sz, O=coolkit, OU=dev, CN=coolkit.cn/emailAddress=220335@qq.com
        Validity
            Not Before: Jul 19 07:05:14 2017 GMT
            Not After : Jun 25 07:05:14 2117 GMT
        Subject: C=cn, ST=gd, L=sz, O=coolkit, OU=it, CN=*.coolkit.cc/emailAddress=220335@qq.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:bc:c2:17:fd:40:33:be:82:82:e5:a0:82:d9:3d:
                    fc:e6:53:65:70:41:90:cd:f4:6a:37:ce:45:8c:ee:
                    b9:69:ee:23:d6:52:7d:a1:b9:32:b6:18:79:2e:67:
                    1f:94:80:34:1b:bb:7e:e5:2a:6d:04:ba:4f:fe:42:
                    14:ad:1d:95:0b:a8:f5:8f:56:7b:ff:b5:a8:ee:e4:
                    99:63:a2:56:2d:7f:9a:07:b1:20:7c:10:6e:0f:7f:
                    36:96:92:47:5c:dc:cf:c6:66:fa:d5:6a:cd:61:89:
                    b2:aa:b6:fa:76:c2:37:9c:86:fc:c1:57:7b:1c:cd:
                    4f:f9:d3:cc:c6:bf:3c:70:79
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
         99:f2:17:a4:1f:70:36:ca:06:83:d5:23:ef:1e:7e:e3:cf:c8:
         82:a1:fa:a1:20:71:b1:1b:df:17:fb:92:bd:5a:ce:eb:94:91:
         d9:86:ea:64:f9:46:fd:db:7f:cb:2e:e1:60:e8:c6:8b:7b:30:
         f6:e9:29:ec:14:09:f1:28:88:ce:aa:e8:6d:c0:53:70:a2:30:
         94:1d:38:2c:8b:d1:bb:7f:a6:26:06:c6:45:c9:ce:b3:b9:b0:
         27:a9:39:c4:13:86:c7:ca:07:9b:cc:5f:82:6e:9d:dd:3f:b1:
         ce:bb:6b:3b:d6:d8:b3:59:7a:45:32:d3:bb:6c:c1:69:04:7e:
         fe:2e

Connection:

$ openssl s_client -host eu-disp.coolkit.cc -port 443 -status
CONNECTED(00000005)
OCSP response: no response sent
depth=0 C = cn, ST = gd, L = sz, O = coolkit, OU = it, CN = *.coolkit.cc, emailAddress = 220335@qq.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = cn, ST = gd, L = sz, O = coolkit, OU = it, CN = *.coolkit.cc, emailAddress = 220335@qq.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 C = cn, ST = gd, L = sz, O = coolkit, OU = it, CN = *.coolkit.cc, emailAddress = 220335@qq.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=cn/ST=gd/L=sz/O=coolkit/OU=it/CN=*.coolkit.cc/emailAddress=220335@qq.com
   i:/C=cb/ST=gd/L=sz/O=coolkit/OU=dev/CN=coolkit.cn/emailAddress=220335@qq.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICZjCCAc8CAQEwDQYJKoZIhvcNAQEFBQAwejELMAkGA1UEBhMCY2IxCzAJBgNV
BAgMAmdkMQswCQYDVQQHDAJzejEQMA4GA1UECgwHY29vbGtpdDEMMAoGA1UECwwD
ZGV2MRMwEQYDVQQDDApjb29sa2l0LmNuMRwwGgYJKoZIhvcNAQkBFg0yMjAzMzVA
cXEuY29tMCAXDTE3MDcxOTA3MDUxNFoYDzIxMTcwNjI1MDcwNTE0WjB7MQswCQYD
VQQGEwJjbjELMAkGA1UECAwCZ2QxCzAJBgNVBAcMAnN6MRAwDgYDVQQKDAdjb29s
a2l0MQswCQYDVQQLDAJpdDEVMBMGA1UEAwwMKi5jb29sa2l0LmNjMRwwGgYJKoZI
hvcNAQkBFg0yMjAzMzVAcXEuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB
gQC8whf9QDO+goLloILZPfzmU2VwQZDN9Go3zkWM7rlp7iPWUn2huTK2GHkuZx+U
gDQbu37lKm0Euk/+QhStHZULqPWPVnv/taju5JljolYtf5oHsSB8EG4PfzaWkkdc
3M/GZvrVas1hibKqtvp2wjechvzBV3sczU/508zGvzxweQIDAQABMA0GCSqGSIb3
DQEBBQUAA4GBAJnyF6QfcDbKBoPVI+8efuPPyIKh+qEgcbEb3xf7kr1azuuUkdmG
6mT5Rv3bf8su4WDoxot7MPbpKewUCfEoiM6q6G3AU3CiMJQdOCyL0bt/piYGxkXJ
zrO5sCepOcQThsfKB5vMX4Jund0/sc67azvW2LNZekUy07tswWkEfv4u
-----END CERTIFICATE-----
subject=/C=cn/ST=gd/L=sz/O=coolkit/OU=it/CN=*.coolkit.cc/emailAddress=220335@qq.com
issuer=/C=cb/ST=gd/L=sz/O=coolkit/OU=dev/CN=coolkit.cn/emailAddress=220335@qq.com
---
No client certificate CA names sent
---
SSL handshake has read 1240 bytes and written 533 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: E114E41B2F6B819C679F19EEBCBB0FFAC96D118C7C07A1F5A0554878DE401457
    Session-ID-ctx:
    Master-Key: 66FB10345C80DF746C5B435F5E82830E28F05AD09428EDE8213DDF0FB73633BB525D16F4CDBA551E6D9D86187D52968A
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 8b f9 18 71 e9 fa 33 3a-e8 ba d1 a0 9f 87 21 cd   ...q..3:......!.
    0010 - 8d ff 11 58 41 00 71 97-a7 d4 8f 95 3a ed 14 c5   ...XA.q.....:...
    0020 - d9 ac e1 1c 29 30 63 d8-29 85 59 c2 c3 c0 1c 1a   ....)0c.).Y.....
    0030 - 3d 4e 46 30 15 99 0d 4f-e7 bb 06 eb 47 8e 77 1b   =NF0...O....G.w.
    0040 - a1 fe 93 f2 97 b9 74 68-82 bd c3 d1 45 d6 ff ff   ......th....E...
    0050 - bd a8 a2 bb 00 aa 77 d2-03 ad 44 62 3c 6c 3d 14   ......w...Db<l=.
    0060 - 3c 3f ad 9b 91 04 82 8f-30 12 36 06 e0 ed 64 1a   <?......0.6...d.
    0070 - a3 40 91 68 57 0f a3 b9-98 03 2e 2f 15 d5 ff 27   .@.hW....../...'
    0080 - cd 3d 91 42 15 48 1f 32-14 93 d6 a4 0a 77 71 07   .=.B.H.2.....wq.
    0090 - 3a 6f d0 24 16 32 74 b9-cd e0 1a 13 15 72 09 03   :o.$.2t......r..
    00a0 - d3 c5 c9 82 2a 23 bc 52-20 e8 7c aa 12 4d 29 e5   ....*#.R .|..M).

    Start Time: 1521558713
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
DONE

[ulab]

Did you try explaining that it's a lot less safe for people to open the case, modify the hardware by soldering stuff and force them to use an adapter? :)

[eyegr]

Closing the "loophole" (i.e. actually checking the certificate) was a good thing to do. But here we are asking for a way to downgrade firmware or (preferrably) a way to install alternative firmware. Clearly ITEAD does not want us to do that. I anticipate that they will also restrict the serial port in the future revisions. Meanwhile, there are serious downtime issues at the moment, at least with the EU servers which renders the devices with stock firmware unusable.

[andyjenkinson]

Failing to validate the certificate is a much bigger security vulnerability than being able to flash via the serial port (for which you would need physical access to the device for an extended period). so let's not get carried away.

[eyegr]

RK1975 you are right that more people need to raise the issue with them, but we have to admit that even if someone electrocutes himself while soldering it's not ITEAD's fault. Safety and security are not the same thing, and fixing the SSL hole only improves security for the communication channel, something that ITEAD is actually responsible for. What we should continue to remind ITEAD is that many of us will stop buying their devices if they don't offer an easy way to replace stock firmware. It's the only thing that may persuade them.

[b10m]

@andyjenkinson has a valid point on security. Being able to hack devices OTA is much worse than hacking them through physical access.

Sure, soldering and messing with 220V is much more dangerous for the user's physical safety, but this is not a use case for ITEAD's sonoffs. If they wanted to prevent this, they'd ship them with Tasmota...

Looking at it from a business point of view, it only makes sense. I doubt the condescending language towards Andy is needed nor constructive though.

[kevsgithub]

ITEAD are never going to allow you to downgrade to an insecure firmware. If we have a way to do it, so would the 'hackers'. We can only hope that they will still allow firmware flashing via physical access. Sorry guys, OTA firmware replacement is over. I can only suggest that this issue is closed as 'Cant fix'.

[ulab]

Guys, please stop calling each other out on this. It should be possible to have a discussion without fighting.

Didn't you need to have physical access for the OTA upgrade too? You had to press the button to reset the device to defaults, didn't you?

[andyjenkinson]

Wow that came out of left field. It's really not itead's responsibility to ensure you can replace their firmware easily, that isn't a feature of their product, and a very small proportion of customers even want to. Whereas they do have a responsibility to protect the ordinary consumer (and let's face it, this project is an actual real world exploit for that vulnerability so they are right to fix it, inconvenient as it is for us who want cheap hardware we can customise).

But when I say let's not get carried away, my point is just meant to reassure you - OTA firmware replacement is a much larger attack surface so just because they patched this, it doesn't mean they will prevent the much more convoluted and harder to implement process of flashing over serial. If it wasn't more difficult then we wouldnt be complaining about it :)

@ulab yes someone would need to press the button but this is way easier than opening the device, soldering, flashing etc, and can be done passively of course. Plus, not checking the certificate affects a much wider set of communications between device and server that probably exposes other security holes. Failing to implement TLS in this way is a basic security faux pas. Poor security is an industry wide problem, affects take-up of IoT products and an exploit could severely damage their brand. I doubt they fixed the vulnerability to stop DIYers using tasmota, they did it to prevent MITM attacks generally. Arguing that this is bad for consumers is just bizarre. It may be bad for us, but we are not representative of all consumers.

[ulab]

@andyjenkinson In my experience with SonOTA, you'd have to know the credentials of the wifi it is connected to, press the button, start the process, wait for a few minutes for it to fail, try and try again until it works ;). It's faster to just bring a modified device and replace the one you want to "hack".

iTead could still offer to switch the security feature off easily in some kind of way for people who want to do that. And I am pretty sure the sonoffs are that well known, because they have the option to use your own firmware so they don't need cloud access - which is what I think of as a security problem.

[stixpunk]

they have many options. for example allow downgrade but only if you agree to take responsibility and show warning text about security and using this only if you flashing custom firmware -> if normal user downgrade and use old version it's his problem, it's same as many users don't update if the security hole is found. or other option is upload custom firmware with ewelink. and many more options...if you have 10, 20 or 50 devices, you don't have time to solder...you probably start looking for better manufacturer. itead was nr.1 for me, but now I spent lots of money for new devices, which are useless. if itead don't make anything before summer, I will burn all their devices in grill :D

[andyjenkinson]

I agree, and I think it would be a valuable thing for them to offer themselves - especially the ability to customise the firmware via ewelink itself (which implies via the cloud I guess).

[mattlward]

@stixpunk Send them my way... I will burn them under the soldering iron! :)

[Coelmount]

What is the latest status on this issue? I was trying to connect the switches to my own server like described in the initial post but I am running into similat problems as described here. The device discinnect just after I issued the certificate.

Are there other possibilities than going the hard way?

[FernandoWahl]

I received firmware 1.8.1 today. Has anyone ever been able to validate if it's working for this release? I'm traveling and I can not look at this.

[sillyfrog]

I have tested v1.8.1 just now on a Sonoff Basic. And as expected, still dropping the connecting as soon as it connects :(

[stixpunk]

v1.8.1 on Sonoff T1 dropping connection too :(

[luketoh]

Hi All,

My 1 switch T1 US R2 wall switch is on v1.8.1 and I cannot get it flashed with Sonota.exe . I can get it to detect the ITEAD SSID but after that it drops off (I think at Stage 2) and doesn't connect to the "server" (my PC).

Is there a way to flash this device using FTDI? If so, can someone point me to the instructions for this particular version of the device? I can't seem to find it.

[zomars]

I'm having the same issue as @luketoh with my T1 US 1C with 1.8.1 firmware.

[DonnyBahama]

Could someone please post a link to a noob-friendly procedure for flashing via USB?

[zomars]

You can check this guy on youtube @DonnyBahama

[NguyenKhong]

Hi everyone, Does anyone have Sonoff Basic firmware v1.5.5, I want to download it to study ?

[sillyfrog]

@NguyenKhong See #1 regarding stock firmware

[GeorgeDewar]

My brand new Sonoff S22 came with firmware 2.0.4, and SonOTA worked perfectly! Perhaps they have decided to subtly solve the problem for everyone...

[stixpunk]

Can't wait while it comes for Sonoff T1. I have last version still 1.8.1

[mirko]

@GeorgeDewar Oh, that's awesome news! But what's the S22? I only see the S20, S26 and S30/31. Anyway, I'm curious to see if other - older - devices also get shipped with v2+. Unfortunately I don't have any device left with original FW on it.

If they did that on purpose, I'd expect a statement, at least in the changelogs. Otherwise I wouldn't get too excited for it to stay.

[GeorgeDewar]

The S22 is mentioned in https://github.com/arendst/Sonoff-Tasmota/issues/627. It looks like it used to be on there website here, but that page is gone.

It can be found for sale on Gearbest, Aliexpress, etc.

I agree that it's odd that they would deliberately break the certificate validation after fixing it...

[geekasylum]

I recieved two s26's today. Both came with Firmware 1.6 and updated to 1.8.1 (latest). I don't know where that 2.0.4 version comes from - it may be a device-specific branch but it doesnt seem to be available to all devices, and is quite possibly older than the current general release that I flashed today.

As far as aksing ITEAD for assistance (ie: such as a downgraded firmware version) are we asking for what we actually need?

I'd be happy if they just populated the 4 serial 'test points' with pins that we could clip to or press a header on. The real problem that we are all trying to avoid (even with OTA solutions) is having to solder directly to the board. I'd certainly pay extra to cover the cost of those additional pins.

We definately need to be talking to support, but I'd be asking them for those pins. One time serial flash to change firmware, and OTA after that once the device is in place.

Just my thoughts

[zomars]

I'm stuck on 1.8.1 also @geekasylum

[sillyfrog]

I have just updated the README to try and clarify things. For what ever reason, there appears to be a v1 series and a v2 series of firmware for different devices. They do not appear to actually upgrade from v1 to v2, rather some devices run v1.x.x and others run v2.x.x.

So once you are on the latest version of the series for your device, you are stuffed :(

[GeorgeDewar]

Based on what others have said earlier, I think the 2.x firmware might be for the TH10/TH16, and the Sonoff S22 is probably hardware-equivalent to that. Thanks for updating the Readme @sillyfrog.

[Edzilla2000]

@geekasylum I somewhat agree yet there are people (I for one) who turn to OTA solutions because they are not confortable opening their hardware and flashing a firmware through the mainboard pins.

In the old days of the WRT linksys routers, you could flash them by simply going to the admin interface and uploading the required openwrt or dd-wrt firmware through the official upgrade page.

I for one am happy that they fixed the vulnerability that SonOTA was exploiting to flash the firmware remotely, but I think that what they could offer is a tool or a webinterface that would allow an authorized end-user to safely flash an alternative firmware through the network.

[Jackenmen]

So there's currently no way to flash without soldering Sonoff S26, if I won't be lucky enough (and I probably won't, I'm not even sure, if plug with those 1.6> firmwares are even still on the market) to get 1.6> firmware?

[geekasylum]

@jack1142 As I mentioned, the s26 that I bought recently arrived with firmware 1,6. This is already incompatible with sonOTA. I'm not sure how new the s26 is - but they havn't been around all that long - it may be very difficult (if even possible at all) to find them with older firmware.

@Edzilla2000 IF you're not comfortable pressing connectors onto pins, you definately won't be comfortable soldering to the board, so I do still see pins as an advantage, Perhaps asking ITEAD for a web interface where firmware could be uploaded would indeed be an even better solution. I'm not sure how they would respond though - I have already seen a comment in one of the threads linked here, that suggests that they do not support flashing foriegn (ie: not theirs) firmware. A web interface would still be open to OTA attacks so that may not be an option they'd accept.

Perhaps another viable possibility would be for someone with a 3D printer to come up with a jig, similar to what ITEAD use to flash the firmware in the first place, that could simply be clipped on to the board.

There is already something like this on Thingyverse, (Search Sonoff, and look for a thing with pogo pins) but that one will only work with boards that have their pins on a single connector, such as the Sonoff Basic. It may also work with the Slampher (pins in the same order) but that has its own difficulties, since the button is not conencted to GPIO 0 on the Slampher (you have to jumper a pin on the 8266 (or R9 - easier) to ground temporarily).

Unfortunately I don't own a 3D printer.

[Jackenmen]

@geekasylum thought so, what about soldering part, is it needed or is it possible to hold those pins somehow without soldering? I don't have any Sonoffs for now, so I don't have any experience with that.

[geekasylum]

@jack1142 I did think about holding a couple of headers to the s26 pads. I was fairly confident that this would be do-able, but my wife and I attempted it for over an hour a few nights ago - many times, with no success.

Itead program the assembled devices in a jig (using solderless contacts - aka: pogo pins), so its definately possible, but with our limited tools, aging eyes, and tiny programming pads in an unusual arrangement, the dexterity required was beyond us.

It can be done by soldering a wire to each pad (I believe the Tasmota wiki shows this method) but Im trying to avoid soldering if at all possible. (See above re pad size and eyesight :p )

I have programmed Basic's and SV's by simply holding a header to the programming pads (no soldering), but the pads on the s26 are much smaller and are seperated into two groups.

[robertklep]

Anyone taken a look at the LAN mode that's implemented in the latest app versions?

[adrtitan88]

This simply does not work. On a Mac and I get to the point where I'm waiting for the "Final Stage" ssid crap is supposed to show up and it never does. Complete crap

[zomars]

You don't have to be mean about it @adrtitan88

[A----]

To summarize this extra-long thread/issue. How Sonoff products works is:

1. when you pair it, it creates a WiFi network that you can connect to and starts a HTTP server;
2. you can send a request to this server, with an IP/port where the switch/product should connect to;
3. the dialog always required to use HTTPS.

Now here's the catch. Beforehand, the certificate wasn't validated, even self-signed certificate worked. This allow you to push any kind of commands, or even a new firmware (in the case of SonOTA.) Cool if it's you who's pushing it, not so cool if it's some black-hat whose sole purpose in life is turning your lights on and off in the middle of the night. Spooky. :ghost:

Starting with [1.6, 2.0[ and [2.6, …[ it seems, it now validates the certificate according to the eu-disp.coolkit.cc certificate chain. Which means that unless the certificate gets reversed or an other flaw is discovered, well, you have a nice paperweight.

Edit: or you'll have to treat yourself with a nice soldering session, obviously. That still works.

[fiddie1987]

My sonoff basic just got updated from 1.6.0 to 2.6.0 but Sonota just force closes after connecting to the ITEAD SSID

[difelice]

Hi @A----, can't sonOTA somehow use an Authentication "token" to pass certificate validation? Here a guide to retrieve it. Maybe something similar could be done here as a workaround. Not sure if that makes sense. Thanks.

[A----]

I don't believe so. The issue is on the layer underneath, your switch will refuse to even connect to a custom server.

How a SonOff product works, using the default firmware is this:

[ Switch ] <------> [ A Server (probably in China) ] <---- [ eWeLinkApp ]

If you're freaked out to have random appliances connected to “A Server (probably in China)” , that's a perfectly adequate response.

What the mentioned app does is replace the eWeLink app. That probably still works. And that might be an attack vector for another software solution.

What SonOTA does is replacing the weird server in China by its own, and push a new firmware that removes the necessity to connect to a server all-together.

[pwaldon]

What a huge bullshit this device is:

• 1x s26 = 1.8.1 'latest'
• 1x s26 = 2.6.0 'latest'

I've especially ordered new one and asked them to send me one with old firmware and they sent 2.6.0. Do somebody even know, why for some devices 1.8.1 is latest and not 2.6.0?

I guess the only way to update for now is opening the device, connecting pins and flashing the 'old' way?

[erlendsellie]

Tracking.

[robertklep]

I'm doing a bit of tcpdumping in LAN mode between the EWelink app and a Dual R2 running firmware 2.7.1, and it looks like a relatively simple WebSocket connection to port 8081 on the Dual.

The Dual stops the WS server once it's able to connect to the cloud again, so you have to somehow block connections from the Dual to the outside world (either in your router, or by running a local DNS server that will serve up incorrect addresses for the cloud server hostnames).

EDIT:

If anyone's interested (@difelice?), I posted some Node.js code to control the Dual in this gist.

Only thing to change is the IP-address, the API key is just a random UUID that I generated. I blocked access to the coolkit.cc domain in my router to make the Dual drop into LAN mode.

[beveradb]

If anyone's interested

I certainly am! I just received my first ever Sonoff, was hoping to flash Tasmota OTA and use it with Home Assistant, but realised it came with the latest firmware so SonOTA no longer works. I actually started doing my own tcpdumping in LAN mode myself yesterday before I came across your comment above - here's a pcap file showing the whole interaction between my internet-access-blocked Sonoff and the eWeLink app, enabling LAN mode, finding the Sonoff and switching it on/off a couple of times.

I forked your gist, tweaked a little and got it working with my own Sonoff Basic (came with firmware 2.6.0), made this brief video with explanation steps to help anyone else trying to achieve the same thing.

I'm aware this is now somewhat derailing from this Issue topic, but I'm about to try and get this working as a python script in Home Assistant - if I do, I'll create a PR for a simple platform for it and will give you a heads up!

EDIT: Done; if anyone else is just trying to get a Sonoff working locally with Home Assistant and doesn't want to open it up to flash firmware the hard way, here's the custom component I'm now using which works fine with the stock firmware: https://github.com/beveradb/sonoff-lan-mode-homeassistant