Maginon SP-2 Smart Plug – Part 3

Go to part 2

Since the investigation so far has not given any concrete hints as to how to achieve the main goals:

  1. Make the socket associate and connect to my own Wifi network
  2. Make the socket turn on and off

another approach was needed.

The next most obvious option to me was to try to intercept the network communication between the Maginon SP-2 app and the socket's WIFI network. To do this, the app has to believe that it is connecting to a real socket. So I set a router up to imitate the Maginon socket, with the same SSID and WPA password that the socket uses. The router did not allow its MAC address to be modified.

Sadly, although I was a few brief times able to see my "fake" WIFI from the app, I was never able to make the app believe it was the real socket enough to make it try to associate with it. This was a bummer, since I have read about several other sockets where this was trivially easy. I still do not know why the app did not believe it was a real socket's WIFI.

Next option: decompile the Android app and look for hints. There are several free sites which will decompile an APK file (offline tools such as jadx do the same job without uploading the app anywhere).

With the Maginon app decompiled, you can search the .java files for a number of interesting strings (e.g. using 'grep -r' on Linux or something like WinGrep on Windows):

  • 48899
  • 8899
  • http:
  • HttpGet
  • AT+
  • AT
  • 10.100.100.254
  • 192.
  • Reco
  • connect
  • admin

When you look into the java files that contain these search words, you learn primarily three things:

  • A list of URLs that the app accesses. This is the final “proof” that the socket is probably a Reco4life socket
  • A suggestion that port 48899 is used to set up the socket and port 8899 is used for ordinary use afterwards (UDP and TCP respectively, matching the nmap results in part 2)
  • A list of AT- or AT-like commands that the app issues to the socket
Port   AT command                           Description
8899   AT+YZSWITCH=1,ON,201410292146\r\n    Switches the socket on
8899   AT+YZSWITCH=1,OFF,201410292146\r\n   Switches the socket off
8899   AT+YZDELAY=1,OFF,5,201410292146\r\n  Switches the socket on or off after a delay (in minutes)
8899   AT+YZOUT\r\n                         Seems to return the energy consumption statistics
8899   AT+VER\r\n                           Returns the version of the socket SW and (probably) the WIFI stack SW
48899  AT+EPHY=off\n                        Disable ETH interface
48899  AT+FAPSTA=on\n                       (no description)
48899  AT+LANN\n                            Query LAN setting in AP mode
48899  AT+PING=173.194.72.103\n             PING ip address
48899  AT+PING=176.58.117.69\n              PING ip address
48899  AT+PLANG\n                           (no description)
48899  AT+Q\n                               (no description)
48899  AT+WANN\n                            Query WAN setting in STA mode
48899  AT+WMODE=APSTA\n                     Set WIFI work mode
48899  AT+WMODE\n                           Query WIFI work mode
48899  AT+WMODE=STA\n                       Set WIFI work mode
48899  AT+WSKEY\n                           Query WIFI security parameters as STA
48899  AT+WSKEY=OPEN,NONE\n                 Set WIFI security parameters to no encryption
48899  AT+WSKEY=pwMethod,PwMatch,Pwd\n      Set WIFI security parameters
48899  AT+WSLK\n                            Query WIFI link status as STA
48899  AT+WSSSID=ssid\n                     Set WIFI target AP SSID as STA
48899  AT+Z\n                               Restart WIFI module
48899  HF-A11ASSISTHREAD                    Sending this to the socket makes it respond with its ip address etc. If you then respond with "+ok", all the other AT commands are enabled for use. Some sites describe this command as a sort of "password".
48899  WIFIKIT-214028-READ                  Unknown
48899  YZ-RECOSCAN                          Sending this to the broadcast address makes all sockets in the network respond with their ip address, MAC and hostname
48899  +ok                                  Response to HF-A11ASSISTHREAD

"\r\n" means CRLF (the characters hex 0d followed by hex 0a), and "\n" a bare LF (hex 0a). Note that the port 8899 commands end in CRLF while the port 48899 commands end in LF only.

3 of these commands stand out

  • HF-A11ASSISTHREAD
  • WIFIKIT-214028-READ
  • YZ-RECOSCAN

From the .java files, it is clear that YZ-RECOSCAN is used to scan a network for active sockets. The purpose of WIFIKIT-214028-READ is not clear from the sources, and a search on Google does not turn up much that is usable.

HF-A11ASSISTHREAD is another matter. Its usage in the .java files is not clear, but a search on the internet brings up a lot of interesting links. The "HF" prefix also matches the Hi-Flying MAC address seen in the nmap scan in part 2, which suggests this command belongs to the WIFI module rather than to the socket firmware itself.

One of them is this post from Andrius Stikonas concerning an Orvibo S20 socket. The control part of this socket is clearly different from the Maginon socket, but the setup/initial pairing part seems to be similar. Strangely enough, the description from Andrius cannot be used 100% for the Maginon socket. Andrius writes that "The socket always replies to the same port as the source port of your message." This is not correct in regards to the Maginon socket, which will ALWAYS respond back to your source ip on UDP port 48899. Hence, in your code, you need to control both source and destination UDP port, i.e. bind your own UDP socket to port 48899 as well. Apart from this, the description from Andrius can be used directly for initial pairing of the Maginon socket.

Now we have the needed information to setup and control the socket.

Philips Hue bridge – Cannot find a new bulb

When you buy a Philips Hue kit like the dimmer with an extra bulb, the bulb is already linked to the dimmer. This means that the bridge cannot find this bulb. You first have to instruct the bridge to take over the bulb (from another bridge, a dimmer or similar) before it can be added.

This information is for version 1 of the bridge (the round one), but I believe that method 2 also works for the newer bridge.

There are 2 methods for doing this, depending on the version of the bridge firmware. In both cases, start by placing the bulb immediately next to the bridge (within about 30 cm).

  1. for older firmwares, telnet to port 30000 on the bridge and type
    [Link,Touchlink]
    and stop the telnet
  2. for newer firmwares, use your own code or the CLIP debugger and on the
    http://<ip>/api/<username>/config
    object, PUT the value
    {"touchlink":true}

In both cases, the bulb should blink to signal that it can now be seen by the new bridge. Now you can use normal methods (like the app, CLIP debugger or own code) to link the bulb to the bridge.

Do not copy/paste the texts from above, since web pages often replace the plain double quotes with typographic ("curly") quotes, and the bridge then answers with a "body contains invalid json" error message. Type them by hand, or let a JSON library produce the body.
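Both methods above, as an added Python example (not code from the original post): method 2 builds the body with json.dumps, which cannot produce the typographic quotes behind the "body contains invalid json" error, and method 1 sends [Link,Touchlink] over a plain TCP connection to port 30000. A small pre-flight check for a hand-typed body is included. Assumptions not on the page: the CRLF line ending after [Link,Touchlink] (what a telnet client sends when you press Enter) and the bridge parameter accepting a host:port form, which exists only so the function can be pointed at something other than a real bridge.

```python
import json
import socket
import urllib.request

TELNET_PORT = 30000                 # older bridge firmware
TOUCHLINK_CMD = b"[Link,Touchlink]"


def touchlink_body():
    """JSON body for the PUT. json.dumps emits plain ASCII double quotes, which is
    what the bridge's parser expects."""
    return json.dumps({"touchlink": True}).encode("ascii")


def check_body(text):
    """Pre-flight check for a hand-typed body: None if it is fine, otherwise the reason.
    Typographic quotes are the usual cause of 'body contains invalid json'."""
    if any(ch in text for ch in "\u201c\u201d\u2018\u2019"):
        return 'typographic quotes present; retype with plain " quotes'
    try:
        json.loads(text)
    except ValueError as exc:
        return f"not valid JSON: {exc}"
    return None


def touchlink_via_api(bridge, username, timeout=5.0):
    """Method 2 (newer firmware): PUT {"touchlink": true} to /api/<username>/config."""
    req = urllib.request.Request(
        f"http://{bridge}/api/{username}/config",
        data=touchlink_body(),
        headers={"Content-Type": "application/json"},
        method="PUT",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


def touchlink_via_telnet(bridge, port=TELNET_PORT, timeout=5.0):
    """Method 1 (older firmware): send [Link,Touchlink] on port 30000, then disconnect.
    CRLF termination is assumed; the bridge may not answer, so watch the bulb blink."""
    with socket.create_connection((bridge, port), timeout=timeout) as s:
        s.sendall(TOUCHLINK_CMD + b"\r\n")
        try:
            return s.recv(1024).decode("ascii", "replace")
        except socket.timeout:
            return ""
```

After either call, the bulb should blink and can then be added with the app, the CLIP debugger or your own code, as described above.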

The same problem occurs if you want to move the bulbs from one bridge to another without using the official app.

To use the CLIP debugger, you need to first find the ip address of your Hue bridge, and then enter the url below into a browser
http://ip-address/debug/clip.html

Maginon SP-2 Smart Plug – Part 2

Go to part 1 – Go to part 3

It is now necessary to gather as much information about the plug as possible.

If you plug it into a power socket and power it on, you will see a new WIFI network SSID available. In my case, it was called "Reco900000621". If you try to connect to it, you will be asked for a network WPA key. If you look at the backside of the plug, you will find the WPA key.

BTW, the "Reco" part turns out to point to the real producer of this plug, apparently "Reco4Life.com". Their homepage Reco4Life is sadly in Chinese, at least the forum, where a little bit of usable information (the AT commands) can be found using Google Translate if you are patient. I have not been able to find this exact plug on their website.

Now you should be connected to the socket. You will see that you have been assigned the ip address 10.10.100.150 and that the gateway (the socket) has the ip address 10.10.100.254.

Next task: which ports are open on the device? If you run an nmap scan from a Linux box, you will find these TCP ports open

nmap -p1-10000 10.10.100.254

PORT     STATE SERVICE
80/tcp   open  http
8899/tcp open  ospf-lite

and these UDP ports (a UDP scan needs nmap -sU and root privileges; open|filtered means the port did not answer the probe, which is normal for UDP services that only react to the right payload):

PORT   STATE         SERVICE
53/udp open|filtered domain
67/udp open|filtered dhcps
48899/udp open|filtered unknown
MAC Address: AC:CF:23:XX:XX:XX (Hi-flying electronics technology Co.)

We can also note that the MAC belongs to "Hi-flying electronics...". This points to the producer of the WIFI module in the socket.

Since the HTTP port is open, the next obvious step is to try to connect to it using a browser. If you try, you will be asked to provide a username and password. Since none are given anywhere, random guesses will show that ADMIN/ADMIN works. Sadly though, all you get for your troubles is an "ERROR:404 Not Found" message. No matter what I have tried, I have not been able to find a URL that returns anything other than this error message. If you find any that works, please let me know.

Afterwards (unfortunately I cannot remember where) I have found mention of other smart plugs which provide this apparently dummy http server which is not meant to be used.

The next possible target is the open TCP port 8899. If you telnet to it

telnet 10.10.100.254 8899
Trying 10.10.100.254...
Connected to xxxxxxxx.
Escape character is '^]'.

nothing happens. Whatever you type, you are treated to a "+ERROR" message. This looked to me like a response to an AT command (like in the good old modem days). Hence I tried many, many AT commands, but I only ever got the +ERROR message.

As it turns out, at this point one can already control the socket, if you know or guess the exact AT commands to send (on/off). I have only found 4 commands that give a response on this port (they are listed in part 3).

The downside to issuing the commands here is that you need to be directly connected to the WIFI network of the socket and cannot access it through your normal network. This makes this solution unusable for most purposes.
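The control path described in this paragraph, using the port 8899 commands listed in part 3 (AT+YZSWITCH, AT+YZDELAY, AT+YZOUT, AT+VER), as an added Python example that is not the author's code: it builds the CRLF-terminated commands, sends one command per TCP connection and treats the +ERROR reply as a rejection. Assumptions not on the page: the trailing 201410292146 field is read as a YYYYMMDDHHMM timestamp (whether the socket checks it at all is unknown), the reply text for a successful command is not documented here so the code only tests for +ERROR, and the host/port parameters exist so the functions can be pointed at a socket on the LAN after setup, or at a test server.

```python
import socket
from datetime import datetime

CONTROL_PORT = 8899              # TCP port for ordinary control once the socket is set up
PLUG_AP_ADDR = "10.10.100.254"   # address while joined to the socket's own AP; use its LAN ip afterwards
CRLF = "\r\n"                    # port-8899 commands end in CRLF (hex 0d 0a)
QUERY_OUT = b"AT+YZOUT\r\n"      # energy consumption statistics
QUERY_VER = b"AT+VER\r\n"        # firmware / WIFI stack version


def yz_timestamp(when=None):
    """Trailing field of the YZ commands, e.g. 201410292146 in the decompiled app.
    Reading it as YYYYMMDDHHMM is an assumption."""
    return (when or datetime.now()).strftime("%Y%m%d%H%M")


def switch_command(on, when=None):
    """AT+YZSWITCH=1,ON|OFF,<timestamp> with CRLF, as bytes."""
    return f"AT+YZSWITCH=1,{'ON' if on else 'OFF'},{yz_timestamp(when)}{CRLF}".encode("ascii")


def delay_command(on, minutes, when=None):
    """AT+YZDELAY=1,ON|OFF,<minutes>,<timestamp>: switch after a delay in minutes."""
    if not 0 < minutes < 10000:
        raise ValueError("delay must be a positive number of minutes")
    return f"AT+YZDELAY=1,{'ON' if on else 'OFF'},{minutes},{yz_timestamp(when)}{CRLF}".encode("ascii")


def is_error(reply):
    """The socket answers anything it does not understand with +ERROR."""
    return reply.strip().startswith("+ERROR")


def send_at(host, command, port=CONTROL_PORT, timeout=3.0):
    """Open a TCP connection, send one command and return the reply as text."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(command)
        data = b""
        try:
            while not data.endswith(b"\n"):
                chunk = s.recv(1024)
                if not chunk:
                    break
                data += chunk
        except socket.timeout:
            pass   # reply may not be newline-terminated; return what arrived
    return data.decode("ascii", "replace").strip()


def set_power(host, on, port=CONTROL_PORT):
    """Switch the relay and raise if the socket rejects the command."""
    reply = send_at(host, switch_command(on), port)
    if is_error(reply):
        raise RuntimeError(f"socket rejected command: {reply}")
    return reply


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else PLUG_AP_ADDR
    print("version:", send_at(host, QUERY_VER))
    print("on:", set_power(host, True))
```

Run as `python3 control.py 10.10.100.254` while joined to the socket's AP, or with the socket's LAN address once it has been moved to your own network with the part 3 setup sequence.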

As socket setup is not yet clear, it might be an idea to take a quick look inside the plug; it might be possible to see which ICs the socket uses

Maginon SP-2 plug

Sadly, apart from the relay itself, not much of importance is visible from this side. All the important stuff is apparently mounted on the reverse side. And it is soldered VERY well to the socket legs, and I do not want to possibly ruin the plug by de-soldering it.

The only other interesting thing which is visible is that the socket has a serial interface, on the bottom right in the picture. You can use a standard 3V3 USB serial interface to communicate with the socket (3.3 V logic only, not a 5 V adapter, and keep in mind that the board is mains-connected while the plug is powered).

While it was easy to get the serial communication up and running, I was not able to learn anything relevant from it. I did not investigate it much. On the surface it looks very similar to what you get when you connect to TCP port 8899.

To connect to the serial interface on the socket, connect the GND, TX and RX pins on the socket to the 3V3 USB interface (TX on the socket to RX on the adapter and vice versa) and use the connection settings

115200 8/N/1

in eg. minicom (linux), HyperTerminal (Windows) or similar