Hijacking the Sonoff OTA Mechanism

ITEAD’s Sonoff line is a range of Internet-of-Things devices based around the ESP8266. This makes them popular for hacking due to their accessibility. Past projects have figured out how to reflash the Sonoff devices, but for [mirko], that wasn’t enough – it was time to reverse engineer the Sonoff Over-The-Air update protocol.

[mirko]’s motivation is simple enough – a desire for IoT devices that don’t need to phone home to the corporate mothership, combined with wanting to avoid the labor of cracking open every Sonoff device to reflash it with wires like a Neanderthal. The first step involved connecting the Sonoff device to WiFi and capturing the traffic. This quickly turned up an SSL connection to a remote URL. This was easily intercepted as the device doesn’t do any certificate validation – but a lack of security is sadly never a surprise on the Internet of Things.

After capturing the network traffic, [mirko] set about piecing together the protocol used to execute the OTA updates. After a basic handshake between client and server, the server can ask the client to take various actions – such as downloading an updated firmware image.  After determining the messaging format, [mirko] sought to create a webserver in Python to replicate this behaviour.

There are some pitfalls – firmware images need to be formatted slightly differently for OTA updates versus the usual serial upload method, as this process leaves the stock bootloader intact. There’s also the split-partition flash storage system to deal with, which [mirko] is still working on.

Nevertheless, it’s great to see hackers doing what they do best – taking control over hardware and software to serve their own purposes. To learn more, why not check out how to flash your Sonoff devices over serial? They’re just an ESP8266 inside, after all.

Google Home Meets ESP8266

[Luc Volders] is building his own smart house with the help of Google Home and an ESP-8266. Inspired by the house computers from the TV show, Eureka [Luc] created an IoT ecosystem using a mix of off the shelf devices and open source software.

There are about a thousand ways to create a DIY smart home these days. All of them involve setting up a command receiver (like Amazon’s Echo or Google Home), some sort of cloud connection, and an end device controller. This can get complex for the beginner. [Luc’s] article is great because he walks is through each step tutorial style. He even keeps things simple by programming the ESP8266 using BASIC with ESP-BASIC.

[Luc] uses If This Then That (IFTT) as his cloud service. IFTT is the glue between Google’s cloud service and the ESP8266 connected to his home WiFi network. Speaking of which, [Luc] shows how to set up port forwarding on the router so all accesses to port 8085 go to the ESP8266. Not exactly strong security – but it’s better than opening the entire home network.

You don’t need a real Google home device for this hack. You can build your own with a Raspberry Pi. Once that is set up you can do everything from turning on lights to watering your lawn.

Continue reading “Google Home Meets ESP8266”

The Internet of Rice Cookers

You’d be forgiven for thinking this was going to be an anti-IoT rant: who the heck needs an IoT rice cooker anyway? [Microentropie], that’s who. His rice cooker, like many of the cheapo models, terminates heating by detecting a temperature around 104° C, when all the water has boiled off. But that means the bottom of the rice is already dried out and starting to get crispy. (We love the crust! But this hack is not for us. This hack is for [Microentropie].)

So [Microentropie] added some relays, a temperature sensor, and an ESP8266 to his rice cooker, creating the Rice Cooker 2.0, or something. He tried a few complicated schemes but was unwilling to modify any of the essential safety features of the cooker. In the end [Microentropie] went with a simple time-controlled cooking cycle, combined with a keep-warm mode and of course, notification of all of this through WiFi.

There’s a lot of code making this simple device work. For instance, [Microentropie] often forgets to press the safety reset button, so the ESP polls for it, and the web interface has a big red field to notify him of this. [Microentropie] added a password-protected login to the rice cooker as well. Still, it probably shouldn’t be put on the big wide Internet. The cooker also randomizes URLs for firmware updates, presumably to prevent guests in his house from flashing new firmware to his rice cooker. There are even custom time and date classes, because you know you don’t want your rice cooker using inferior code infrastructure.

In short, this is an exercise in scratching a ton of personal itches, and we applaud that. Next up is replacing the relays with SSRs so that the power can be controlled with more finesse, adding a water pump for further automation, and onboard data logging. Overkill, you say? What part of “WiFi-enabled rice cooker” did you not understand?

IOT Startup Bricks Customers Garage Door Intentionally

Internet of Things startup Garadget remotely bricked an unhappy customer’s WiFi garage door for giving a bad Amazon review and being rude to company reps. Garadget device owner [Robert Martin] found out the hard way how quickly the device can turn a door into a wall. After leaving a negative Amazon review, and starting a thread on Garadget’s support forum complaining the device didn’t work with his iPhone, Martin was banned from the forum until December 27, 2019 for his choice of words and was told his comments and bad Amazon review had convinced Garadget staff to ban his device from their servers.

The response was not what you would expect a community-funded startup. “Technically there is no bricking, though,” the rep replied. “No changes are made to the hardware or the firmware of the device, just denied use of company servers.” Tell that to [Robert] who can’t get into his garage.

This caused some discontent amoung other customers wondering if it was just a matter of time before more paying customers are subjected to this outlandish treatment. The Register asked Garadget’s founder [Denis Grisak] about the situation, his response is quoted below.

 It was a Bad PR Move, Martin has now had his server connection restored, and the IOT upstart has posted a public statement on the matter.– Garadget

This whole debacle brings us to the conclusion that the IoT boom has a lot of issues ahead that need to be straightened out especially when it comes to ethics and security. It’s bad enough to have to deal with the vagaries of IoT Security and companies who shut down their products because they’re just not making enough money. Now we have to worry about using “cloud” services because the people who own the little fluffy computers could just be jerks.

Hacked IoT Switch Gains I2C Super Powers

Economies of scale and mass production bring us tons of stuff for not much money. And sometimes, that stuff is hackable. Case in point: the $5 Sonoff WiFi Smart Switch has an ESP8266 inside but the firmware isn’t very flexible. The device is equipped with the bare minimum 1 MB of SPI flash memory. Even worse, it doesn’t have the I2C ports extra pins exposed so that you can’t just connect up your own sensors and make them much more than just a switch. But that’s why we have soldering irons, right?

Continue reading “Hacked IoT Switch Gains I2C Super Powers”

Cheap Smarthome Gadget(s) Hacked into Zigbee Sniffer

French hacker [akila] is building up a home automation system. In particular, he’s been working with the “SmartHome” series of gadgets made by Chinese smartphone giant, Xiaomi. First, he started off by reverse-engineering their very nicely made temperature and humidity sensor. (Original in French, hit the translate button in the lower right.) With that under his belt, he opened up the PIR motion sensor unit to discover that it has the same debugging pinouts and the same processor. Almost too easy.

For a challenge, [akila] decided it was time to implement something useful in one of these gadgets: a ZigBee sniffer so that he can tell what’s going on in the rest of his home network. He built a USB/serial programming cable to work with the NXP JN5169’s bootloader, downloaded the SDK, and rolled up his sleeves to get to work.

While trolling through the SDK, he found some interesting firmware called “JennicSniffer”. Well, that was easy. There’s a demo version of a protocol analyzer that he used. It would be cool to get this working with Wireshark, but that’s a project for another day. [Akila] got far enough with the demo analyzer to discover that the packets sent by the various devices in the home network are encrypted. That’s good news for the security-conscious out there and stands as the next open item on [akila]’s to-do list.

We don’t see as many ZigBee hacks as we’d expect, but they’ve definitely got a solid niche in home automation because of commercial offerings like Philips Hue and Wink. And of course, there’s the XBee line of wireless communications modules. We just wrote up a ZigBee hack that aims to work with the Hue system, though, so maybe times are changing?

Zelda and the Ocarina of Things

Voice recognition is this year’s model for home automation, but aside from feeling like you’re onboard the Aries 1b arguing with HAL 9000, it just doesn’t do it for our geeky selves. So what’s even geekier? How about carrying around an ocarina in your pocket so that you can get a Raspberry Pi to unlock the door for you? (YouTube video, embedded below.) Yeah, that’ll do.

[Sufficiently Advanced]’s video gets us 90% of the way toward replicating this build. There’s a tube with a microphone and a Raspberry Pi inside. There are a bunch of ESP8266-powered gadgets scattered around the house that take care of such things as turning on and off the heater, watering plants, and even pressing a (spare) car remote with a servo.

We’d love to know what pitch- or song-recognition software the Raspberry Pi is running. We’ve wanted to implement a whistling-based home automation interface since seeing the whistled. We can hold a tune just fine, but we don’t always start out on the same exact pitch, which is a degree of freedom that [Sufficiently Advanced]’s system doesn’t have to worry about, assuming it only responds to one ocarina.

If you’re questioning the security of locking and unlocking your actual apartment by playing “Zelda’s Lullaby” from outside your window, you either overestimate the common thief or you just don’t get the joke. The use case of calling (and hopefully finding) a cell phone is reason enough for us to carry a bulky ocarina around everywhere we go!

Continue reading “Zelda and the Ocarina of Things”