Maginon SP-2 Smart Plug – Part 3

Go to part 2

Since the investigation so far had not given any concrete hints as to how to achieve the main goals:

  1. Make the socket associate with and connect to my own Wifi network
  2. Make the socket turn on and off

another approach was needed.

The next most obvious option to me was to try to intercept the network communication between the Maginon SP-2 app and a WIFI network. To do this, the app has to believe that it is connecting to a real socket. So I set up a router to imitate the Maginon socket, with the same SSID and WPA password that the socket uses. The router did not allow its MAC address to be modified.

Sadly, although I was a few times briefly able to see my “fake” WIFI from the app, I was never able to make the app believe it was the real socket enough to make it try to associate with it. This was a bummer, since I have read about several other sockets where this was trivially easy. I still do not know why the app did not believe it was a real socket's WIFI.

Next option: decompile the Android app and look for hints. There are several free sites which will decompile an APK file.

With the Maginon app decompiled, you can search for a lot of interesting things in the .java files (e.g. using ‘find’ in Linux or something like WinGrep on Windows):

  • 48899
  • 8899
  • http:
  • HttpGet
  • AT+
  • AT
  • 10.100.100.254
  • 192.
  • Reco
  • connect
  • admin

When you look into the java files that contain these search words, you learn primarily three things:

  • A list of URLs that the app accesses. This is the final “proof” that the socket is probably a Reco4life socket
  • A suggestion that port 48899 is used to set up the socket and port 8899 is used for ordinary use afterwards
  • A list of AT or AT-like commands that the app issues to the socket:

Port  | AT command                          | Description
------|-------------------------------------|------------
8899  | AT+YZSWITCH=1,ON,201410292146\r\n   | Switches the socket on
8899  | AT+YZSWITCH=1,OFF,201410292146\r\n  | Switches the socket off
8899  | AT+YZDELAY=1,OFF,5,201410292146\r\n | Switches the socket on or off after a delay (in minutes)
8899  | AT+YZOUT\r\n                        | Seems to return the energy consumption statistics
8899  | AT+VER\r\n                          | Returns the version of the socket SW and (probably) the Wifi stack SW
48899 | AT+EPHY=off\n                       | Disable ETH interface
48899 | AT+FAPSTA=on\n                      |
48899 | AT+LANN\n                           | Query LAN setting in AP mode
48899 | AT+PING=173.194.72.103\n            | PING ip address
48899 | AT+PING=176.58.117.69\n             | PING ip address
48899 | AT+PLANG\n                          |
48899 | AT+Q\n                              |
48899 | AT+WANN\n                           | Query WAN setting in STA mode
48899 | AT+WMODE=APSTA\n                    | Set WIFI work mode
48899 | AT+WMODE\n                          | Query WIFI work mode
48899 | AT+WMODE=STA\n                      | Set WIFI work mode
48899 | AT+WSKEY\n                          | Query WIFI security parameters as STA
48899 | AT+WSKEY=OPEN,NONE\n                | Set WIFI security parameters to no encryption
48899 | AT+WSKEY=pwMethod,PwMatch,Pwd\n     | Set WIFI security parameters
48899 | AT+WSLK\n                           | Query WIFI link status as STA
48899 | AT+WSSSID=ssid\n                    | Set WIFI target AP SSID as STA
48899 | AT+Z\n                              | Restart WIFI module
48899 | HF-A11ASSISTHREAD                   | Sending this command makes the socket respond with its IP address etc. If you respond with “+ok”, all the other AT commands are enabled for use. Some sites describe this command as a sort of “password”.
48899 | WIFIKIT-214028-READ                 | Unknown
48899 | YZ-RECOSCAN                         | Sending this command to the broadcast address makes all sockets in the network respond with their IP address, MAC and hostname
48899 | +ok                                 | Response to HF-A11ASSISTHREAD

“\r\n” means CRLF (characters hex 0a + hex 0d)

Three of these commands stand out:

  • HF-A11ASSISTHREAD
  • WIFIKIT-214028-READ
  • YZ-RECOSCAN

From the .java files, it is clear that YZ-RECOSCAN is used to scan a network for active sockets. The purpose of WIFIKIT-214028-READ is not clear from the sources, and a Google search does not turn up much that is usable.

HF-A11ASSISTHREAD is another matter. Its usage in the .java files is not clear, but a search on the internet brings up a lot of interesting links.

One of them is this post from Andrius Stikonas concerning an Orvibo S20 socket. The control part of this socket is clearly different from the Maginon socket, but the setup/initial pairing part seems to be similar. Strangely enough, the description from Andrius cannot be used 100% for the Maginon socket. Andrius writes that “The socket always replies to the same port as the source port of your message.“ This is not correct with regard to the Maginon socket, which will ALWAYS respond back to your source IP on UDP port 48899. Hence, in your code, you need to control both the source and the destination UDP port. Apart from this, the description from Andrius can be used directly for the initial pairing of the Maginon socket.

Now we have the needed information to set up and control the socket.
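As an added example (not code from this post or from the app), the pairing exchange described above in Python: the HF-A11ASSISTHREAD handshake, the “+ok” unlock and the setup AT commands, with the UDP source port pinned to 48899 as the Maginon socket requires. The reply layout “ip,mac,hostname”, the order of the setup commands and all function names are assumptions; the command terminators and port numbers come from the table.

```python
import socket

SETUP_PORT = 48899    # pairing / AT-command port; the socket always replies to <our IP>:48899
CONTROL_PORT = 8899   # ordinary on/off control after pairing
HANDSHAKE = b"HF-A11ASSISTHREAD"   # fixed, public string that unlocks the AT commands


def setup_cmd(cmd: str) -> bytes:
    """Commands on port 48899 end with a bare LF, per the table above."""
    return cmd.encode("ascii") + b"\n"


def control_cmd(cmd: str) -> bytes:
    """Commands on port 8899 end with CRLF (0x0d 0x0a), per the table above."""
    return cmd.encode("ascii") + b"\r\n"


def parse_scan_reply(data: bytes) -> dict:
    """Reply to HF-A11ASSISTHREAD / YZ-RECOSCAN. The exact layout is not in the post;
    a comma-separated 'ip,mac,hostname' string is ASSUMED here."""
    ip, mac, host = data.decode("ascii").strip().split(",", 2)
    return {"ip": ip, "mac": mac, "host": host}


def pairing_sequence(ssid: str, pw_method: str, pw_match: str, pwd: str) -> list:
    """Datagrams sent after '+ok' to move the socket onto our WIFI (order ASSUMED)."""
    return [setup_cmd(f"AT+WSSSID={ssid}"),
            setup_cmd(f"AT+WSKEY={pw_method},{pw_match},{pwd}"),
            setup_cmd("AT+WMODE=STA"),
            setup_cmd("AT+Z")]


def pair_socket(target_ip, ssid, pw_method, pw_match, pwd, timeout=3.0) -> dict:
    """Run the exchange over UDP. Our *source* port must be 48899, because the
    Maginon socket ignores the sender's port and answers to <source IP>:48899."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind(("", SETUP_PORT))
        s.settimeout(timeout)
        s.sendto(HANDSHAKE, (target_ip, SETUP_PORT))
        info = parse_scan_reply(s.recvfrom(1024)[0])
        s.sendto(b"+ok", (info["ip"], SETUP_PORT))   # the only "authentication" there is
        replies = []
        for dg in pairing_sequence(ssid, pw_method, pw_match, pwd):
            s.sendto(dg, (info["ip"], SETUP_PORT))
            try:
                replies.append(s.recvfrom(1024)[0])
            except socket.timeout:        # AT+Z restarts the module; it may not answer
                replies.append(b"")
        return {"device": info, "replies": replies}
```

Because the unlock string is fixed and public, any host on the same network segment can issue these commands; that is worth keeping in mind when deciding which network such a socket lives on.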
