{"id":34,"date":"2017-03-17T16:01:24","date_gmt":"2017-03-17T15:01:24","guid":{"rendered":"http:\/\/wp.bizoir.dk\/?p=34"},"modified":"2017-03-31T15:28:31","modified_gmt":"2017-03-31T14:28:31","slug":"maginon-sp-2-smart-plug-part-3","status":"publish","type":"post","link":"https:\/\/wp.bizoir.dk\/?p=34","title":{"rendered":"Maginon SP-2 Smart Plug &#8211; Part 3"},"content":{"rendered":"<p><a href=\"http:\/\/wp.bizoir.dk\/?p=26\">Go to part 2<\/a><\/p>\n<p>Since the investigation until now has not given any concrete hints as to how to achieve the main goals:<\/p>\n<ol>\n<li>Make the socket associate and connect to my own Wifi network<\/li>\n<li>Make the socket turn on and off<\/li>\n<\/ol>\n<p>another approach was needed.<\/p>\n<p>The next most obvious option to me, was to try to intercept the network-communication between the Maginon SP-2 app and a WIFI network. To do this, the app has to believe that it is connecting to a real socket. So I set a router up to imitate the Maginon socket &#8211; with the same SSID and WPA password that the socket uses. The router did not allow for modifying its MAC-address.<\/p>\n<p>Sadly, although I, a few brief times, was able to see my &#8220;fake&#8221; WIFI from the app, I was never able to make the app believe it was the real socket enough to make it try to associate with it. This was a bommer, since I have read about several other sockets, where this was trivially easy. I still do not know why the app did not believe it was a real sockets WIFI.<\/p>\n<p>Next option &#8211; decompile the Android app and look for hints. There are several free sites which will decompile an APK file.<\/p>\n<p>With the Maginon app decompiled, you can search for a lot of interesting things in the .java files (eg. using &#8216;find&#8217; in Linux or something like WinGrep on Windows)<\/p>\n<ul>\n<li style=\"text-align: justify;\"><strong>48899<\/strong><\/li>\n<li style=\"text-align: justify;\"><strong>8899<\/strong><\/li>\n<li style=\"text-align: justify;\"><strong>http:<\/strong><\/li>\n<li style=\"text-align: justify;\"><strong>HttpGet<\/strong><\/li>\n<li style=\"text-align: justify;\"><strong>AT+<\/strong><\/li>\n<li style=\"text-align: justify;\"><strong>AT<\/strong><\/li>\n<li style=\"text-align: justify;\"><strong>10.100.100.254<\/strong><\/li>\n<li style=\"text-align: justify;\"><strong>192.<\/strong><\/li>\n<li style=\"text-align: justify;\"><strong>Reco<\/strong><\/li>\n<li style=\"text-align: justify;\"><strong>connect<\/strong><\/li>\n<li style=\"text-align: justify;\"><strong>admin<\/strong><\/li>\n<\/ul>\n<p>When you look into the java-files that contains these search-words, you learn primarily three things:<\/p>\n<ul>\n<li>A list of URLs that the app accesses. This is the final &#8220;proof&#8221; that the socket is probably a <a href=\"http:\/\/www.reco4life.com\/\"><span style=\"color: #0000ff;\">Reco4life<\/span><\/a> socket<\/li>\n<li>A suggestion, that port 48899 is used to set up the socket and port 8899 is used for ordinary use afterwards<\/li>\n<li>A list of AT- or AT-like commands that the app issues to the socket<\/li>\n<\/ul>\n<table style=\"height: 38px;\" border=\"1\" width=\"599\">\n<thead>\n<tr>\n<th>Port<\/th>\n<th>AT command<\/th>\n<th>Description<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<th><a name=\"on\"><\/a>8899<\/th>\n<th>AT+YZSWITCH=1,ON,201410292146\\r\\n<\/th>\n<th>Switches the socket on<\/th>\n<\/tr>\n<tr>\n<th><a name=\"off\"><\/a>8899<\/th>\n<th>AT+YZSWITCH=1,OFF,201410292146\\r\\n<\/th>\n<th>Switches the socket off<\/th>\n<\/tr>\n<tr>\n<th>8899<\/th>\n<th>AT+YZDELAY=1,OFF,5,201410292146\\r\\n<\/th>\n<th>Switches the socket on or off after a delay (in minutes)<\/th>\n<\/tr>\n<tr>\n<th>8899<\/th>\n<th>AT+YZOUT\\r\\n<\/th>\n<th>Seems to return the energy consumption statistics<\/th>\n<\/tr>\n<tr>\n<th>8899<\/th>\n<th>AT+VER\\r\\n<\/th>\n<th>Returns the version of the socket SW and (probably) the Wifi stack SW<\/th>\n<\/tr>\n<tr>\n<th>48899<\/th>\n<th>AT+EPHY=off\\n<\/th>\n<th>\u00a0Disable ETH interface<\/th>\n<\/tr>\n<tr>\n<th>48899<\/th>\n<th>AT+FAPSTA=on\\n<\/th>\n<th><\/th>\n<\/tr>\n<tr>\n<th>48899<\/th>\n<th>AT+LANN\\n<\/th>\n<th>Query LAN setting in AP mode<\/th>\n<\/tr>\n<tr>\n<th>48899<\/th>\n<th>AT+PING=173.194.72.103\\n<\/th>\n<th>PING ip address<\/th>\n<\/tr>\n<tr>\n<th>48899<\/th>\n<th>AT+PING=176.58.117.69\\n<\/th>\n<th>PING ip address<\/th>\n<\/tr>\n<tr>\n<th>48899<\/th>\n<th>AT+PLANG\\n<\/th>\n<th><\/th>\n<\/tr>\n<tr>\n<th>48899<\/th>\n<th>AT+Q\\n<\/th>\n<th><\/th>\n<\/tr>\n<tr>\n<th>48899<\/th>\n<th>AT+WANN\\n<\/th>\n<th>Query WAN setting in STA mode<\/th>\n<\/tr>\n<tr>\n<th>48899<\/th>\n<th>AT+WMODE=APSTA\\n<\/th>\n<th>Set WIFI work mode<\/th>\n<\/tr>\n<tr>\n<th>48899<\/th>\n<th>AT+WMODE\\n<\/th>\n<th>Query WIFI work mode<\/th>\n<\/tr>\n<tr>\n<th>48899<\/th>\n<th>AT+WMODE=STA\\n<\/th>\n<th>Set WIFI work mode<\/th>\n<\/tr>\n<tr>\n<th>48899<\/th>\n<th>AT+WSKEY\\n<\/th>\n<th>Query WIFI Security parameters as STA<\/th>\n<\/tr>\n<tr>\n<th>48899<\/th>\n<th>AT+WSKEY=OPEN,NONE\\n<\/th>\n<th>Set WIFI Security parameters to no encryption<\/th>\n<\/tr>\n<tr>\n<th>48899<\/th>\n<th>AT+WSKEY=pwMethod,PwMatch,Pwd\\n<\/th>\n<th>Set WIFI Security parameters<\/th>\n<\/tr>\n<tr>\n<th>48899<\/th>\n<th>AT+WSLK\\n<\/th>\n<th>Query WIFI link status as STA<\/th>\n<\/tr>\n<tr>\n<th>48899<\/th>\n<th>AT+WSSSID=ssid\\n<\/th>\n<th>Set WIFI target AP SSID as STA<\/th>\n<\/tr>\n<tr>\n<th>48899<\/th>\n<th>AT+Z\\n<\/th>\n<th>Restart WIFI module<\/th>\n<\/tr>\n<tr>\n<th>48899<\/th>\n<th>HF-A11ASSISTHREAD<\/th>\n<th>Sending command to the socket will make the socket respond with its ip-address etc. If you respond with &#8220;+ok&#8221; all the other AT-commands are enabled for use. Some sites call this command as a sort of &#8220;password&#8221;.<\/th>\n<\/tr>\n<tr>\n<th>48899<\/th>\n<th>WIFIKIT-214028-READ<\/th>\n<th>Unknown<\/th>\n<\/tr>\n<tr>\n<th>48899<\/th>\n<th>YZ-RECOSCAN<\/th>\n<th>Sending command to broadcast address will make all sockets in network respond with their ip-addres, MAC and hostname<\/th>\n<\/tr>\n<tr>\n<th>48899<\/th>\n<th>+ok<\/th>\n<th>Response to HF-A11ASSISTHREAD<\/th>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>&#8220;\\r\\n&#8221; means CRLF (characters hex 0a + hex 0d)<\/p>\n<p>3 of these commands stand out<\/p>\n<ul>\n<li>HF-A11ASSISTHREAD<\/li>\n<li>WIFIKIT-214028-READ<\/li>\n<li>YZ-RECOSCAN<\/li>\n<\/ul>\n<p>From the .java files, it is clear that <span style=\"color: #0000ff;\">YZ-RECOSCAN<\/span> is used to scan a network for active sockets. The purpose of\u00a0<span style=\"color: #0000ff;\">WIFIKIT-214028-READ<\/span> is not clear from the sources, and a search on Google does not turn up much usable.<\/p>\n<p><span style=\"color: #0000ff;\">HF-A11ASSISTHREAD<\/span> is another matter. The usage in the .java is not clear, but a search on the internet brings up a lot of interesting links.<\/p>\n<p>One of them is <a href=\"https:\/\/stikonas.eu\/wordpress\/2015\/02\/24\/reverse-engineering-orvibo-s20-socket\/\">this<\/a> post from Andrius Stikonas concerning an Orvibo S20 socket. The control part of this socket is clearly different from the Maginon socket, but the setup\/initial pairing-part seems to be similar. Strangely enough, the description from Andrius cannot be used 100% for the Maginon socket. Andrius writes, that &#8220;<em>The socket always replies to the same port as the source port of your\u00a0message.<\/em>&#8220;. This is not correct in regards to the Maginon socket which will ALWAYS respond back to your source ip on UDP port 48899. Hence, in your code, you need to control both source and destination UDP port. Apart from this, the description from Andrius can be used directly for initial pairing of the Maginon socket.<\/p>\n<p>Now we have the needed information to setup and control the socket.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Go to part 2 Since the investigation until now has not given any concrete hints as to how to achieve the main goals: Make the socket associate and connect to my own Wifi network Make the socket turn on and off another approach was needed. The next most obvious option to me, was to try &hellip; <a href=\"https:\/\/wp.bizoir.dk\/?p=34\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Maginon SP-2 Smart Plug &#8211; Part 3&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[20],"tags":[],"class_list":["post-34","post","type-post","status-publish","format-standard","hentry","category-hardware"],"_links":{"self":[{"href":"https:\/\/wp.bizoir.dk\/index.php?rest_route=\/wp\/v2\/posts\/34","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wp.bizoir.dk\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/wp.bizoir.dk\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/wp.bizoir.dk\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/wp.bizoir.dk\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=34"}],"version-history":[{"count":25,"href":"https:\/\/wp.bizoir.dk\/index.php?rest_route=\/wp\/v2\/posts\/34\/revisions"}],"predecessor-version":[{"id":72,"href":"https:\/\/wp.bizoir.dk\/index.php?rest_route=\/wp\/v2\/posts\/34\/revisions\/72"}],"wp:attachment":[{"href":"https:\/\/wp.bizoir.dk\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=34"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/wp.bizoir.dk\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=34"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/wp.bizoir.dk\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=34"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}