tuya-cloudcutter / cloudcutter-android

Android app providing tuya-cloudcutter functionality

Fails after "Unprotect flash" within the app's UI output (BK7231N—1.3.21) - Type 2 / Addr 1 #5

Closed micahriley88 closed 1 year ago

micahriley88 commented 1 year ago

After running this on my Globe E26/G25 lightbulbs and uploading the profile, I've tried following the same process for a Doogan E12. Link: https://www.amazon.com/dp/B07WGL5L8Q?ref=ppx_yo2ov_dt_b_product_details&th=1

Outside documentation indicates that these bulbs went from ESP to BK7231N. For testing purposes, I was able to flash ESP Kickstart using cloudcutter with the 7231N build. Before flashing this one, I retrieved the firmware from SmartLife (1.3.21).

The bulb itself has never connected to SmartLife AFAIK. It was purchased new from Amazon.

Because the firmware version seems to be used with N/T, I've tried running the app multiple times across all lightleak profiles. The only one that makes it past "Check if device is exploitable" is the "BK7231N-Type 2 / Addr 1 (Standard)" option.

Using this profile, it will actually provide this message at the usual failure point: "Good news, your device is exploitable". I'm assuming this affirms that this is the correct profile? Especially since the others repeatedly fail at this step.

Here's a screen capture showing the failure point from the GUI:

screen-capture

Here's the log for showing how each session plays out:

[2023-05-15 14:37:29] [ExploitFragment] State+: Action(progress, Prepare environment)
[2023-05-15 14:37:29] [ExploitViewModel] Profile: io.github.cloudcutter.data.model.ProfileLightleak@cfa9f3c
[2023-05-15 14:37:29] [ExploitViewModel] Preparing action graph
[2023-05-15 14:37:29] [ExploitViewModel] Building action graph
[2023-05-15 14:37:29] [ExploitViewModel] Action graph OK
[2023-05-15 14:37:29] [ExploitFragment] State%: Action(done, Prepare environment)
[2023-05-15 14:37:32] [ExploitViewModel] Action run: MessageAction(message_custom_ap_connect)
[2023-05-15 14:37:32] [ExploitViewModel] Action OK
[2023-05-15 14:37:32] [ExploitViewModel] Action run: WorkStateAction(work_state_raw)
[2023-05-15 14:37:32] [ExploitViewModel] Action OK
[2023-05-15 14:37:32] [ExploitFragment] State+: Action(progress, Connect to CustomAP device (LightleakIdle))
[2023-05-15 14:37:32] [ExploitViewModel] Action run: WiFiConnectAction(custom_ap_connect)
[2023-05-15 14:37:32] [ExploitFragment] Device new state: Unconfigured
[2023-05-15 14:37:32] [ExploitFragment] Wi-Fi scan performed
[2023-05-15 14:37:35] [ExploitFragment] Wi-Fi scan results: [SpectrumSetup-C3, REMOVED, REMOVED, SmartLife-B179, WIFIC6B4B0, SpectrumSetup-CF, MySpectrumWiFid0-2G, LightleakIdle, NTGR_VMB_9265170951, SpectrumSetup-DB, CenturyLink2739-Guest, CenturyLink2739, 36787B-2.4, Brenna 2G, WIFIF741BE, MySpectrumWiFi38-2G, ARRIS-5855, ARLO_VMB_8909912109]
[2023-05-15 14:37:35] [ExploitFragment] State+: Action(done, Found network: LightleakIdle)
[2023-05-15 14:37:35] [ExploitFragment] State%: Action(done, Found network: LightleakIdle)
[2023-05-15 14:37:35] [ExploitFragment] Wi-Fi connection attempt: LightleakIdle / cl0udcutt3r!@#
[2023-05-15 14:37:38] [ExploitFragment] Wi-Fi connection attempt: LightleakIdle / cl0udcutt3r!@#
[2023-05-15 14:37:42] [ExploitFragment] Wi-Fi changed: ssid=<unknown ssid>, rssi=-69
[2023-05-15 14:37:42] [ExploitFragment] IP addresses changed: 10.0.0.2/24 / 10.0.0.1
[2023-05-15 14:37:42] [ExploitFragment] Wi-Fi changed: ssid=<unknown ssid>, rssi=-69
[2023-05-15 14:37:42] [ExploitFragment] IP addresses changed: 10.0.0.2/24 / 10.0.0.1
[2023-05-15 14:37:42] [ExploitFragment] Wi-Fi changed: ssid=<unknown ssid>, rssi=-69
[2023-05-15 14:37:42] [ExploitFragment] Wi-Fi changed: ssid=<unknown ssid>, rssi=-69
[2023-05-15 14:37:42] [ExploitFragment] State+: Action(done, Connected: LightleakIdle)
[2023-05-15 14:37:42] [ExploitFragment] State%: Action(done, Connected: LightleakIdle)
[2023-05-15 14:37:42] [ExploitViewModel] Action OK
[2023-05-15 14:37:42] [ExploitFragment] State%: Action(done, Connect to CustomAP device (LightleakIdle))
[2023-05-15 14:37:42] [ExploitFragment] State+: Action(progress, Establish connection with the device)
[2023-05-15 14:37:42] [ExploitViewModel] Action run: PingAction(ap_ping_found_1)
[2023-05-15 14:37:45] [ExploitFragment] Wi-Fi changed: ssid=<unknown ssid>, rssi=-66
[2023-05-15 14:37:45] [ExploitFragment] Wi-Fi changed: ssid=<unknown ssid>, rssi=-66
[2023-05-15 14:37:45] [ExploitViewModel] Action OK
[2023-05-15 14:37:45] [ExploitFragment] State%: Action(done, Establish connection with the device)
[2023-05-15 14:37:45] [ExploitFragment] State+: Action(progress, Setup CustomAP credentials)
[2023-05-15 14:37:45] [ExploitViewModel] Action run: WiFiCustomAPAction(custom_ap_setup)
[2023-05-15 14:37:45] [ExploitViewModel] CustomAP connected
[2023-05-15 14:37:45] [ExploitViewModel$runWiFiCustomAPAction$2] Wrote packet: 63 63 74 72 68 4c 69 67 68 74 6c 65 61 6b 43 75 73 74 6f 6d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 31 31 b0 16 67 46 be 84 01 fe 6d b3 c0 68 4d 87 e8 e2 d9 c5 65 4a f5 b7 38 46 f6 d7 06 e2 61 9b 09 ce 51 c1 47 2f 20 2e 81 ac 38 4e 44 13 0c e2 60 fb 01 ce 43 0f 22 2e 81 8c f1 93 b9 34 00 40 1f 00 00 3f 9d f4 ea
[2023-05-15 14:37:45] [ExploitViewModel$runWiFiCustomAPAction$2] Got response: 222
[2023-05-15 14:37:45] [ExploitViewModel] Action OK
[2023-05-15 14:37:45] [ExploitFragment] State%: Action(done, Setup CustomAP credentials)
[2023-05-15 14:37:45] [ExploitViewModel] Action run: MessageAction(message_device_connect_1)
[2023-05-15 14:37:45] [ExploitViewModel] Action OK
[2023-05-15 14:37:45] [ExploitFragment] State+: Action(progress, Connect to smart device WiFi)
[2023-05-15 14:37:45] [ExploitViewModel] Action run: WiFiConnectAction(connect_default_1)
[2023-05-15 14:37:45] [ExploitFragment] Wi-Fi scan performed
[2023-05-15 14:37:46] [ExploitFragment] Wi-Fi scan results: [REMOVED, REMOVED, SmartLife-B179, WIFIC6B4B0, pebbles2010, SpectrumSetup-CF, LightleakIdle, 013, NTGR_VMB_9265170951, MySpectrumWiFi8c-2G, Hembree, Harwoods 5G-1, CenturyLink2739-Guest, CenturyLink2739, SpectrumSetup-D8, TammysWifi, Brenna 2G, ARRIS-5855-5G, ARRIS-5855, ARLO_VMB_8909912109]
[2023-05-15 14:37:46] [ExploitFragment] State+: Action(done, Found network: SmartLife-B179)
[2023-05-15 14:37:46] [ExploitFragment] State%: Action(done, Found network: SmartLife-B179)
[2023-05-15 14:37:46] [ExploitFragment] Wi-Fi connection attempt: SmartLife-B179 / null
[2023-05-15 14:37:50] [ExploitFragment] Wi-Fi changed: ssid=<unknown ssid>, rssi=-38
[2023-05-15 14:37:50] [ExploitFragment] IP addresses changed: 192.168.175.100/24 / 192.168.175.1
[2023-05-15 14:37:50] [ExploitFragment] Wi-Fi changed: ssid=<unknown ssid>, rssi=-38
[2023-05-15 14:37:50] [ExploitFragment] IP addresses changed: 192.168.175.100/24 / 192.168.175.1
[2023-05-15 14:37:50] [ExploitFragment] Wi-Fi changed: ssid=<unknown ssid>, rssi=-38
[2023-05-15 14:37:50] [ExploitFragment] Wi-Fi changed: ssid=<unknown ssid>, rssi=-38
[2023-05-15 14:37:50] [ExploitFragment] State+: Action(done, Connected: SmartLife-B179)
[2023-05-15 14:37:50] [ExploitFragment] State%: Action(done, Connected: SmartLife-B179)
[2023-05-15 14:37:50] [ExploitViewModel] Action OK
[2023-05-15 14:37:50] [ExploitFragment] State%: Action(done, Connect to smart device WiFi)
[2023-05-15 14:37:50] [ExploitFragment] State+: Action(progress, Establish connection with the device)
[2023-05-15 14:37:50] [ExploitViewModel] Action run: PingAction(ping_found_1)
[2023-05-15 14:37:52] [ExploitViewModel] Action OK
[2023-05-15 14:37:52] [ExploitFragment] State%: Action(done, Establish connection with the device)
[2023-05-15 14:37:52] [ExploitFragment] State+: Action(progress, Connect smart device to CustomAP)
[2023-05-15 14:37:52] [ExploitViewModel] Action run: PacketAction(exploit_stager)
[2023-05-15 14:37:52] [ExploitFragment] Wi-Fi changed: ssid=<unknown ssid>, rssi=-36
[2023-05-15 14:37:52] [ExploitFragment] Wi-Fi changed: ssid=<unknown ssid>, rssi=-36
[2023-05-15 14:37:53] [ExploitViewModel] Action OK
[2023-05-15 14:37:53] [ExploitFragment] State%: Action(done, Connect smart device to CustomAP)
[2023-05-15 14:37:53] [ExploitFragment] State+: Action(progress, Wait for device to stop responding)
[2023-05-15 14:37:53] [ExploitViewModel] Action run: PingAction(ping_lost_1)
[2023-05-15 14:37:59] [ExploitViewModel] Action OK
[2023-05-15 14:37:59] [ExploitFragment] State%: Action(done, Wait for device to stop responding)
[2023-05-15 14:37:59] [ExploitFragment] State+: Action(progress, Wait for CustomAP termination)
[2023-05-15 14:37:59] [ExploitViewModel] Action run: WiFiScanAction(custom_ap_scan)
[2023-05-15 14:37:59] [ExploitFragment] Wi-Fi scan performed
[2023-05-15 14:37:59] [ExploitFragment] Wi-Fi scan results: [REMOVED, REMOVED, SmartLife-B179, WIFIC6B4B0, NETGEAR19, pebbles2010, MySpectrumWiFid0-2G, LightleakCustom, NTGR_VMB_9265170951, SpectrumSetup-CF, Harwoods, NETGEAR-Guest Essex, 36787B-2.4, TammysWifi, Brenna 2G, MySpectrumWiFi38-2G, ARRIS-5855-5G, ARLO_VMB_8909912109]
[2023-05-15 14:38:00] [ExploitFragment] Wi-Fi scan performed
[2023-05-15 14:38:03] [ExploitFragment] Wi-Fi scan results: [REMOVED, REMOVED, WIFIC6B4B0, Poohbear0716-2.4, Bohland, SpectrumSetup-CF, MySpectrumWiFid0-2G, HP-Setup>b7-M277 LaserJet, LightleakCustom, NTGR_VMB_9265170951, MySpectrumWiFi8c-2G, Harwoods 5G-1, CenturyLink2739-Guest, Harwoods, NETGEAR-Guest Essex, CenturyLink2739, SpectrumSetup-D8, 36787B-2.4, TammysWifi, Brenna 2G, WIFIF741BE, MySpectrumWiFi38-2G, ARRIS-5855-5G, ARLO_VMB_8909912109]
[2023-05-15 14:38:03] [ExploitFragment] Wi-Fi scan performed
[2023-05-15 14:38:05] [ExploitFragment] Wi-Fi scan results: [REMOVED, REMOVED, WIFIC6B4B0, NETGEAR19, SpectrumSetup-CF, MySpectrumWiFid0-2G, LightleakCustom, 013, NTGR_VMB_9265170951, SpectrumSetup-CF, WIFIF741BE, MySpectrumWiFi38-2G, ARRIS-5855-5G, ARRIS-5855, ARLO_VMB_8909912109]
[2023-05-15 14:38:06] [ExploitFragment] Wi-Fi scan performed
[2023-05-15 14:38:09] [ExploitFragment] Wi-Fi scan results: [REMOVED, REMOVED, WIFIC6B4B0, Poohbear0716-2.4, o_brother, Bohland, SpectrumSetup-CF, Nulls2021, MySpectrumWiFid0-2G, LightleakIdle, SpectrumSetup-86, NTGR_VMB_9265170951, SpectrumSetup-CF, MySpectrumWiFi8c-2G, SpectrumSetup-DB, CenturyLink2739-Guest, CenturyLink2739, SpectrumSetup-D8, MySpectrumWiFi70-2G, MySpectrumWiFi38-2G, ARRIS-5855-5G, ChooChooPie, ARLO_VMB_8909912109]
[2023-05-15 14:38:09] [ExploitViewModel] Action OK
[2023-05-15 14:38:09] [ExploitFragment] State%: Action(done, Wait for CustomAP termination)
[2023-05-15 14:38:09] [ExploitViewModel] Action run: MessageAction(message_device_reboot)
[2023-05-15 14:38:09] [ExploitViewModel] Action OK
[2023-05-15 14:38:09] [ExploitViewModel] Action run: WorkStateAction(work_state_with_stager)
[2023-05-15 14:38:09] [ExploitViewModel] Action OK
[2023-05-15 14:38:09] [ExploitFragment] State+: Action(progress, Connect to smart device WiFi)
[2023-05-15 14:38:09] [ExploitViewModel] Action run: WiFiConnectAction(connect_default_2)
[2023-05-15 14:38:09] [ExploitFragment] Device new state: Configured to join CustomAP
[2023-05-15 14:38:09] [ExploitFragment] Wi-Fi scan performed
[2023-05-15 14:38:12] [ExploitFragment] Wi-Fi scan results: [REMOVED, REMOVED, WIFIC6B4B0, Alyson-2G, SpectrumSetup-CF, Nulls2021, MySpectrumWiFid0-2G, our_house, LightleakIdle, 013, NTGR_VMB_9265170951, SpectrumSetup-CF, MySpectrumWiFi8c-2G, SpectrumSetup-DB, Hembree, CenturyLink2739-Guest, SpectrumSetup-5D, CenturyLink2739, SpectrumSetup-D8, Brenna 2G, WIFIF741BE, MySpectrumWiFi38-2G, ARRIS-5855-5G, MySpectrumWiFi50-2G, ARLO_VMB_8909912109]
[2023-05-15 14:38:12] [ExploitFragment] Wi-Fi scan performed
[2023-05-15 14:38:15] [ExploitFragment] Wi-Fi scan results: [Wireless, REMOVED, REMOVED, moontide2-2.4, SpectrumSetup-60, WIFIC6B4B0, , o_brother, SpectrumSetup-68, Bohland, SpectrumSetup-CF, MySpectrumWiFid0-2G, LightleakIdle, NTGR_VMB_9265170951, MySpectrumWiFi8c-2G, Hembree, Harwoods 5G-1, Harwoods, NETGEAR-Guest Essex, CenturyLink2739, SpectrumSetup-D8, Brenna 2G, MySpectrumWiFi38-2G, ARRIS-5855-5G, ARRIS-5855, ARLO_VMB_8909912109]
[2023-05-15 14:38:15] [ExploitFragment] Wi-Fi scan performed
[2023-05-15 14:38:18] [ExploitFragment] Wi-Fi scan results: [REMOVED, REMOVED, MySpectrumWiFiCB-2G, SpectrumSetup-CF, MySpectrumWiFid0-2G, LightleakIdle, NTGR_VMB_9265170951, SpectrumSetup-CF, MySpectrumWiFi8c-2G, CenturyLink2739-Guest, CenturyLink2739, SpectrumSetup-D8, TammysWifi, WIFIF741BE, MySpectrumWiFi38-2G, ARRIS-5855, ARLO_VMB_8909912109]
[2023-05-15 14:38:18] [ExploitFragment] Wi-Fi scan performed
[2023-05-15 14:38:21] [ExploitFragment] Wi-Fi scan results: [REMOVED, REMOVED, MySpectrumWiFiCB-2G, WIFIC6B4B0, NETGEAR19, SpectrumSetup-CF, MySpectrumWiFid0-2G, HP-Setup>b7-M277 LaserJet, LightleakIdle, NTGR_VMB_9265170951, SpectrumSetup-CF, SpectrumSetup-DB, Hembree, Harwoods 5G-1, CenturyLink2739-Guest, SpectrumSetup-5D, CenturyLink2739, SpectrumSetup-D8, WIFIF741BE, CenturyLink3315, MySpectrumWiFi38-2G, ARRIS-5855, MySpectrumWiFi50-2G, ARLO_VMB_8909912109]
[2023-05-15 14:38:21] [ExploitFragment] Wi-Fi scan performed
[2023-05-15 14:38:24] [ExploitFragment] Wi-Fi scan results: [REMOVED, REMOVED, SmartLife-B179, WIFIC6B4B0, SpectrumSetup-CF, LightleakIdle, NTGR_VMB_9265170951, SpectrumSetup-CF, SpectrumSetup-DB, Hembree, SpectrumSetup-D8, 36787B-2.4, MySpectrumWiFi70-2G, MySpectrumWiFi38-2G, ARRIS-5855-5G, ARRIS-5855, MySpectrumWiFi50-2G, ARLO_VMB_8909912109]
[2023-05-15 14:38:24] [ExploitFragment] State+: Action(done, Found network: SmartLife-B179)
[2023-05-15 14:38:24] [ExploitFragment] State%: Action(done, Found network: SmartLife-B179)
[2023-05-15 14:38:24] [ExploitFragment] Wi-Fi connection attempt: SmartLife-B179 / null
[2023-05-15 14:38:28] [ExploitFragment] Wi-Fi changed: ssid=<unknown ssid>, rssi=-40
[2023-05-15 14:38:28] [ExploitFragment] IP addresses changed: 192.168.175.100/24 / 192.168.175.1
[2023-05-15 14:38:28] [ExploitFragment] Wi-Fi changed: ssid=<unknown ssid>, rssi=-40
[2023-05-15 14:38:28] [ExploitFragment] IP addresses changed: 192.168.175.100/24 / 192.168.175.1
[2023-05-15 14:38:28] [ExploitFragment] Wi-Fi changed: ssid=<unknown ssid>, rssi=-40
[2023-05-15 14:38:28] [ExploitFragment] Wi-Fi changed: ssid=<unknown ssid>, rssi=-40
[2023-05-15 14:38:29] [ExploitFragment] State+: Action(done, Connected: SmartLife-B179)
[2023-05-15 14:38:29] [ExploitFragment] State%: Action(done, Connected: SmartLife-B179)
[2023-05-15 14:38:29] [ExploitViewModel] Action OK
[2023-05-15 14:38:29] [ExploitFragment] State%: Action(done, Connect to smart device WiFi)
[2023-05-15 14:38:29] [ExploitFragment] State+: Action(progress, Establish connection with the device)
[2023-05-15 14:38:29] [ExploitViewModel] Action run: PingAction(ping_found_2)
[2023-05-15 14:38:31] [ExploitViewModel] Action OK
[2023-05-15 14:38:31] [ExploitFragment] State%: Action(done, Establish connection with the device)
[2023-05-15 14:38:31] [ExploitFragment] State+: Action(progress, Configure stager payload)
[2023-05-15 14:38:31] [ExploitViewModel] Action run: PacketAction(exploit_check)
[2023-05-15 14:38:31] [ExploitFragment] Wi-Fi changed: ssid=<unknown ssid>, rssi=-41
[2023-05-15 14:38:31] [ExploitFragment] Wi-Fi changed: ssid=<unknown ssid>, rssi=-41
[2023-05-15 14:38:31] [ExploitViewModel] Action OK
[2023-05-15 14:38:31] [ExploitFragment] State%: Action(done, Configure stager payload)
[2023-05-15 14:38:31] [ExploitFragment] State+: Action(progress, Check if device is exploitable)
[2023-05-15 14:38:31] [ExploitViewModel] Action run: PingAction(ping_found_3)
[2023-05-15 14:38:33] [ExploitViewModel] Action OK
[2023-05-15 14:38:33] [ExploitFragment] State%: Action(done, Check if device is exploitable)
[2023-05-15 14:38:33] [ExploitViewModel] Action run: MessageAction(message_exploitable)
[2023-05-15 14:38:34] [ExploitViewModel] Action OK
[2023-05-15 14:38:34] [ExploitFragment] State+: Action(progress, Open flash device)
[2023-05-15 14:38:34] [ExploitViewModel] Action run: PacketAction(ddev_open)
[2023-05-15 14:38:34] [ExploitViewModel] Action OK
[2023-05-15 14:38:34] [ExploitFragment] State%: Action(done, Open flash device)
[2023-05-15 14:38:34] [ExploitFragment] State+: Action(progress, Unprotect flash)
[2023-05-15 14:38:34] [ExploitViewModel] Action run: PacketAction(ddev_control)
[2023-05-15 14:38:34] [ExploitViewModel] Action OK
[2023-05-15 14:38:34] [ExploitFragment] State%: Action(done, Unprotect flash)
[2023-05-15 14:38:34] [ExploitFragment] State+: Action(progress, Check if device still responds)
[2023-05-15 14:38:34] [ExploitViewModel] Action run: PingAction(ping_found_4)
[2023-05-15 14:38:50] [ExploitFragment] State%: Action(error, Check if device still responds, kotlinx.coroutines.TimeoutCancellationException: Timed out waiting for 16000 ms)
[2023-05-15 14:38:50] [UIExtensionsKt] Error: The device doesn't respond to ping requests.

This usually means that an exploit is incompatible, making the device freeze instead of continuing running.

It can also mean that writing the payload didn't succeed, in which case you can try again.

I've observed the following after "Check if device is exploitable":

Worst case scenario—I'll crack one of these open and dump the flash using UART if needed, but it would be pretty neat to avoid sacrificing a device and soldering.
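As an added example (not part of this issue or of the cloudcutter-android project), a small Python parser for the app's State+/State% log format shown above: it folds the lines into one record per UI step, records which action ran inside each step, and reports the step that errored, the last step that completed, and how long the final ping waited. The embedded log excerpt is constructed from the lines in the issue.

```python
import re
from datetime import datetime

# Constructed excerpt in the same format as the log above (sample input, not
# the full log from the issue).
SAMPLE_LOG = """\
[2023-05-15 14:38:31] [ExploitFragment] State+: Action(progress, Check if device is exploitable)
[2023-05-15 14:38:33] [ExploitFragment] State%: Action(done, Check if device is exploitable)
[2023-05-15 14:38:34] [ExploitFragment] State+: Action(progress, Unprotect flash)
[2023-05-15 14:38:34] [ExploitViewModel] Action run: PacketAction(ddev_control)
[2023-05-15 14:38:34] [ExploitFragment] State%: Action(done, Unprotect flash)
[2023-05-15 14:38:34] [ExploitFragment] State+: Action(progress, Check if device still responds)
[2023-05-15 14:38:34] [ExploitViewModel] Action run: PingAction(ping_found_4)
[2023-05-15 14:38:50] [ExploitFragment] State%: Action(error, Check if device still responds, kotlinx.coroutines.TimeoutCancellationException: Timed out waiting for 16000 ms)
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<tag>[^\]]+)\] (?P<msg>.*)$")
# State+ opens a UI step, State% closes it; the step name may itself contain
# parentheses, and an error close carries the exception text after the name.
STATE_RE = re.compile(r"^State(?P<kind>[+%]): Action\((?P<status>\w+), (?P<name>[^,]+?)(?:, (?P<detail>.*))?\)$")
RUN_RE = re.compile(r"^Action run: (?P<cls>\w+)\((?P<id>\w+)\)$")


def parse_steps(text):
    """Fold State+/State% lines into one record per step, with the actions run inside it."""
    steps, current = [], None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        s = STATE_RE.match(m["msg"])
        if s and s["kind"] == "+" and s["status"] == "progress":
            current = {"name": s["name"], "start": ts, "end": None,
                       "status": "progress", "detail": None, "actions": []}
            steps.append(current)
        elif s and s["kind"] == "%" and current and s["name"] == current["name"]:
            current.update(end=ts, status=s["status"], detail=s["detail"])
            current = None
        else:
            r = RUN_RE.match(m["msg"])
            if r and current is not None:
                current["actions"].append(f'{r["cls"]}({r["id"]})')
    return steps


def diagnose(text):
    """Return (failed step, last completed step, seconds waited) or None when no step errored."""
    steps = parse_steps(text)
    failed = next((s for s in steps if s["status"] == "error"), None)
    if failed is None:
        return None
    done = [s for s in steps if s["status"] == "done" and s["end"] <= failed["start"]]
    last_ok = done[-1]["name"] if done else None
    return failed["name"], last_ok, (failed["end"] - failed["start"]).total_seconds()
```

On the full log in this issue the same parser yields "Check if device still responds" as the failing step right after "Unprotect flash" (PacketAction(ddev_control)), with the 16 s wait matching the app's ping timeout.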

micahriley88 commented 1 year ago

Since the time I posted this, I ended up using an alternative method to achieve a flash dump.

I've also discovered there are some overall issues with the N variation, hence why my T variations worked fine.

I'll go ahead and close this.