tuya-cloudcutter / lightleak

Firmware version-agnostic PoC exploit for smart devices

Nedis SmartLife Smart Plug: Couldn't receive packets from the device #7

Open janihy opened 1 year ago

janihy commented 1 year ago

The device is a Nedis Smart Plug WIFIP110FWT. When connected to the Tuya app, both main and MCU versions are reported as 1.0.0. Opening the device revealed the chip is a BK7231N, but the existing cloudcutter profiles for this combination did not seem to do the trick. So I thought I'd dump the firmware and create a profile for this particular device. After using the Tuya app, I disconnected and wiped the device in the app, so it should be good to go. The CustomAP I'm using is an esp8266-based NodeMCU.

Dumping the flash with Lightleak fails and does not seem to receive any packets from the plug. I can get to the flash dump screen after selecting unconfigured device, all actions are successful. Device exits AP mode and the app connects successfully to it after reboot to AP mode. I used the BK7231N - Variant 1 (Standard) profile: other N-profiles did not seem to exploit correctly and froze the plug, so at least something is happening.

Let me know if you need more information. Disassembling the device enough to get a dump needs a bit more prying, but I'll do that if needed.

Attachments: log_lightleak.txt, log_exploit.txt

kuba2k2 commented 1 year ago

Does the device exit AP mode about 3 minutes after getting to the flash reading screen?

Does it crash at any point when using the Standard profile? The fact that Standard doesn't freeze the plug is interesting; it can mean that the code doesn't find some functions it needs.

Also, what board is inside the plug? We've seen CB2S plugs with BK7231T before... see https://github.com/tuya-cloudcutter/tuya-cloudcutter/issues/210#issuecomment-1353787812

janihy commented 1 year ago

Nope, does not seem to exit AP mode. Light is flashing slowly still after at least 10 minutes from entering the flash reading screen. It's still advertising its SmartLife_95AC SSID and responding to the button press. Does respond to the button press throughout the whole process actually.

This was a bit more embedded than the ones I've seen photos of, and the BK7231N is sitting directly on the main PCB. Here's an image of the inside with barely readable prints: 2023-01-04_16-24

kuba2k2 commented 1 year ago

Okay, so that means the Standard profile is correct and that flash writing did succeed (otherwise it would exit AP mode after 3 minutes).

It would be easiest to have a dump of this device. It's possible that it uses some code that lightleak didn't expect, and it can't find the proper functions.

janihy commented 1 year ago

Thanks! I'll dig a bit deeper tonight and see if I can find the correct pins for a full dump.

janihy commented 1 year ago

Alright, found actual pins on the other side of the PCB. Dumped everything with bk7231tools; I'll attach the dump here. Hope this helps someone, the plug was kind of worn out during research :D

Attachment: nedis_smart_plug.zip

Cossid commented 1 year ago

A profile has been added to CloudCutter built from the dump in the meantime.