Since the investigation until now has not given any concrete hints as to how to achieve the main goals:
- Make the socket associate and connect to my own Wifi network
- Make the socket turn on and off
another approach was needed.
The next most obvious option to me, was to try to intercept the network-communication between the Maginon SP-2 app and a WIFI network. To do this, the app has to believe that it is connecting to a real socket. So I set a router up to imitate the Maginon socket – with the same SSID and WPA password that the socket uses. The router did not allow for modifying its MAC-address.
Sadly, although I, a few brief times, was able to see my “fake” WIFI from the app, I was never able to make the app believe it was the real socket enough to make it try to associate with it. This was a bommer, since I have read about several other sockets, where this was trivially easy. I still do not know why the app did not believe it was a real sockets WIFI.
Next option – decompile the Android app and look for hints. There are several free sites which will decompile an APK file.
With the Maginon app decompiled, you can search for a lot of interesting things in the .java files (eg. using ‘find’ in Linux or something like WinGrep on Windows)
When you look into the java-files that contains these search-words, you learn primarily three things:
- A list of URLs that the app accesses. This is the final “proof” that the socket is probably a Reco4life socket
- A suggestion, that port 48899 is used to set up the socket and port 8899 is used for ordinary use afterwards
- A list of AT- or AT-like commands that the app issues to the socket
“\r\n” means CRLF (characters hex 0a + hex 0d)
3 of these commands stand out
From the .java files, it is clear that YZ-RECOSCAN is used to scan a network for active sockets. The purpose of WIFIKIT-214028-READ is not clear from the sources, and a search on Google does not turn up much usable.
HF-A11ASSISTHREAD is another matter. The usage in the .java is not clear, but a search on the internet brings up a lot of interesting links.
One of them is this post from Andrius Stikonas concerning an Orvibo S20 socket. The control part of this socket is clearly different from the Maginon socket, but the setup/initial pairing-part seems to be similar. Strangely enough, the description from Andrius cannot be used 100% for the Maginon socket. Andrius writes, that “The socket always replies to the same port as the source port of your message.“. This is not correct in regards to the Maginon socket which will ALWAYS respond back to your source ip on UDP port 48899. Hence, in your code, you need to control both source and destination UDP port. Apart from this, the description from Andrius can be used directly for initial pairing of the Maginon socket.
Now we have the needed information to setup and control the socket.