TCP Smart Bulbs

Posted: Sun Feb 09, 2020 4:01 pm
by RyanP_J
Hi,

I don't know where to post this but I was wondering whether it's possible to connect to smart plugs and bulbs and host and change the status on a web server located on the raspberry pi?


Thanks,


Ryan.

Re: TCP Smart Bulbs

Posted: Tue Feb 11, 2020 4:30 pm
by drgeoff
Perhaps, but a definite answer would require much more information than you have provided.

Re: TCP Smart Bulbs

Posted: Tue Feb 11, 2020 4:46 pm
by HermannSW
RyanP_J wrote:
Sun Feb 09, 2020 4:01 pm
but I was wondering whether it's possible to connect to smart plugs and bulbs and host and change the status on a web server located on the raspberry pi?

Typically smart plugs and bulbs need some server infrastructure.
Many use TUYA API which I tried to reverse engineer, but the Smartlife Android app talks encrypted to the devices.
Nevertheless node project tuyapi is able to read the status at least:
https://twitter.com/HermannSW/status/12 ... 0054726656

I was not able to get the needed key via ettercap MITM arp poisoning (that reveals productKey only).
So I just went the 1st method stated here today:
https://github.com/codetheweb/tuyapi/bl ... s/SETUP.md

I need this because of contract work for my son, in order to control smart devices by a 4x4 keypad:
https://forum.arduino.cc/index.php?topi ... msg4471648

Re: TCP Smart Bulbs

Posted: Tue Feb 11, 2020 4:49 pm
by B.Goode
RyanP_J wrote:
Sun Feb 09, 2020 4:01 pm
Hi,

I don't know where to post this but I was wondering whether it's possible to connect to smart plugs and bulbs and host and change the status on a web server located on the raspberry pi?


Thanks,


Ryan.


I suggest searching more widely to see if it is possible to circumvent the vendor's control software using any alternative computer platform. If it can be made to work at all it can probably be made to work under the Raspbian Operating System running on an RPi board.


At a quick glance it seems that some loopholes and possibilities that existed when the bulbs were first sold have since been closed by the manufacturer.



(Assuming you are referring to a branded product similar to https://www.tcpsmart.eu/2018/09/23/tcp- ... tructions/)

Re: TCP Smart Bulbs

Posted: Wed Feb 12, 2020 12:22 pm
by HermannSW
HermannSW wrote:
Tue Feb 11, 2020 4:46 pm
...
Typically smart plugs and bulbs need some server infrastructure.
Many use TUYA API which I tried to reverse engineer, but the Smartlife Android app talks encrypted to the devices.
...

My son has yeelink lights as well, not TUYA protocol, controlled by yeelight app:
https://play.google.com/store/apps/deta ... ght.cherry

Before looking into that, I ran a need-for-internet-access test for TUYA.
Smartlife app is able to control the smart plug locally (via open port 6668, encrypted) even if I block internet access for smart plug as well as smartphone in my home router, even after removing smart plug from power and powering back in order to kill existing MQTT tunnels to the amazonws server.

Contrary to that, yeelight app cannot control the yeelink light in case one or both are blocked in Router for internet access.
I did a port scan and initially the yeelink light (192.168.178.149) has no open ports.
I did ettercap MITM arp poisoning again on my Pi and captured traffic between light and smartphone (192.168.178.179).
I was surprised to see no traffic at all while turning light off and on, or change the color of the light.
Then I forced yeelight app to close on smartphone, started capturing and started yeelight.
As you can see in Raspberry gimp screenshot of Wireshark, there are only a few packets exchanged before any traffic goes over internet (after RST packet). The UDP packets open port 55443 on smart light that was not open before for a single TCP message from yeelight app to light.

From a 12/2018 Chaos Computer Club talk I know that TUYA devices were not safe at that time, because most stuff was transported in clear allowing MITM extraction of key needed to control the smart device. Now traffic is encrypted, but it is most likely that WLAN password transferred from SmartLife app to smart plug on initial configuration does not only get stored on the plug, but is sent to MQTT server as well ...

My son will move to student dorm soon and take all smart plugs, lights and Alexa with him. At that point I will change WLAN password in my router because it is most likely known to several IOT providers already.
wireshark.ettercap_149_179.png (124.34 KiB)
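
A repeatable version of the port check described in the post above, as an added example that is not part of the original thread: it probes the two local-control ports named there (6668 and 55443) over several rounds, since a single scan can miss a port that only opens later. The function names, labels and polling parameters are assumptions of this example.

```python
import socket
import sys
import time

# Ports named in the thread; the descriptions are this example's own labels.
LOCAL_CONTROL_PORTS = {
    6668: "Tuya local control (encrypted)",
    55443: "Yeelight local control",
}

def tcp_port_open(host, port, timeout=1.0):
    """Return True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, or timed out
        return False

def watch_ports(host, ports, rounds=10, interval=1.0, timeout=1.0):
    """Probe each port once per round; return {port: first round seen open, or None}.

    Repeating the probe matters because a port can be closed on the first
    scan and open later, as described for port 55443 in the post above.
    """
    first_open = {port: None for port in ports}
    for rnd in range(rounds):
        for port in ports:
            if first_open[port] is None and tcp_port_open(host, port, timeout):
                first_open[port] = rnd
        if all(v is not None for v in first_open.values()):
            break
        if rnd < rounds - 1:
            time.sleep(interval)
    return first_open

def report(host, first_open, labels=LOCAL_CONTROL_PORTS):
    """Format one line per port for logging on the Pi."""
    lines = []
    for port, rnd in sorted(first_open.items()):
        state = "closed in every round" if rnd is None else f"open (first seen in round {rnd})"
        lines.append(f"{host}:{port} {labels.get(port, 'unlabelled')}: {state}")
    return lines

if __name__ == "__main__":
    # Default host is the light's LAN address quoted in the post; pass your own device's IP.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.178.149"
    for line in report(target, watch_ports(target, LOCAL_CONTROL_PORTS)):
        print(line)
```

Run it once with the device's internet access blocked in the router and once unblocked to compare which local ports stay reachable.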

Re: TCP Smart Bulbs

Posted: Fri Feb 14, 2020 7:00 pm
by HermannSW
1st method worked fine, I did apply for "Cloud API Authorization" and that was granted:
https://github.com/codetheweb/tuyapi/bl ... s/SETUP.md

I tried to use tuya-cli per the instructions, and at least the keys seem to be fine because registering against the reset plug really starts, with a Braille character snake rotating on the left:

Code:

$ tuya-cli link --api-key xxx --api-secret yyy --schema zzz --ssid aaa --password bbb
⠙ Registering devices(s)...

Unfortunately the registration times out for now, will try more:

Code:

Error: Timed out waiting for devices to connect.
    at TuyaLinkWizard.linkDevice (/usr/lib/node_modules/@tuyapi/cli/node_modules/@tuyapi/link/index.js:117:17)
    at runMicrotasks (<anonymous>)
    at processTicksAndRejections (internal/process/task_queues.js:94:5)
    at async link (/usr/lib/node_modules/@tuyapi/cli/lib/link.js:45:19)
$

One more correction to what I stated before, the device knew that it had no internet access anymore, and I had to unblock internet access of the plug before starting tuya-cli.


P.S:
How does registering of smart plug work, before the plug gets the Wifi credentials?
The smartphone passes the password via a Morse protocol called SmartConfig to the plug.
Then the plug connects to Wifi, and triggers registering at the MQTT server.
(German language talk, slide English text):
https://www.youtube.com/watch?v=urnNfS6 ... .be&t=1290

Re: TCP Smart Bulbs

Posted: Wed Feb 26, 2020 8:17 pm
by Shea
Let me share some of my Tuya device mods experience which works for me.
I used a WRT router with tcpdump running during the smart life app with Tuya device registration to get the key.
Once that is done, I block the Tuya device going out to the internet.
I then use node-red to manage the Tuya device from there on.

Re: TCP Smart Bulbs

Posted: Wed Feb 26, 2020 10:09 pm
by PhatFil
imho Tasmota is the best option for smart plug/device control https://tasmota.github.io/docs/#/Home
compatible h/w is listed in the wiki docs

Re: TCP Smart Bulbs

Posted: Wed Feb 26, 2020 10:23 pm
by neilgl
+1 for Tasmota, and openhab2 has some bindings for standard unmodified devices, e.g. Tradfri bulbs (IKEA), Philips Hue etc.