{"id":56,"date":"2015-02-24T00:21:51","date_gmt":"2015-02-24T00:21:51","guid":{"rendered":"https:\/\/stikonas.eu\/wordpress\/?p=56"},"modified":"2018-04-01T23:38:02","modified_gmt":"2018-04-01T23:38:02","slug":"reverse-engineering-orvibo-s20-socket","status":"publish","type":"post","link":"https:\/\/stikonas.eu\/wordpress\/2015\/02\/24\/reverse-engineering-orvibo-s20-socket\/","title":{"rendered":"Reverse engineering Orvibo S20 socket"},"content":{"rendered":"

I have bought Orvibo S20 (picture<\/a>) smart socket. You can find them on Amazon, eBay and probably many other online shops. The socket comes with an app for Android and\u00a0iOS that is used to control the socket. Unfortunately, the app is proprietary and also not available for\u00a0normal computers. I wanted to have some free software<\/a>\u00a0solution. Also, the original app didn’t work too reliably,\u00a0and of course you can’t fix it without having a code. Again, this shows why it is important to have free software…<\/p>\n

After searching a bit I found some code on GitHub<\/a> written for Ninja Blocks. It also came with some reverse engineering data<\/a>\u00a0(I will refer to this as the original reverse engineering later and will assume that you briefly looked at it). That file might look slightly scary\u00a0initially if you are not used to that kind of stuff but actually everything is quite simple. It seems that the socket can be controlled by simply sending UDP packets over the network and listening for replies. You can even try to play a bit with netcat but of course it is not too convenient. So I decided to write my own program using Qt 5<\/a>. It provides a lot of convenient functions in its QtNetwork module and also it would make it easy to write GUI if I ever decide to do so in the future. Also, I’m familiar with Qt because it is used by KDE\u00a0Applications<\/a>. Another reason for choosing Qt was it’s support for sockets and slots and I expected them to be useful.<\/p>\n

As you can see in the reverse engineering file, there are commands to discover the socket, subscribe to it (which is required before doing anything else), power it on\/off and read some tables (Socket Data contains information about the socket and Timing Data stores when to turn the socket on or off).\u00a0They all follow similar pattern. You have to send<\/p>\n

Magic\u00a0Key+ message length + command id + rest of the message<\/em><\/p>\n

where Magic Key<\/em> is 68 64 (hexadecimals) and is used to\u00a0distinguish these UDP packets from any other packets that are send over UDP port 10000. Every time you send a message the socket replies with\u00a0another message confirming the action of the first message. Or the socket doesn’t reply. We are using UDP protocol for networking. So there is no guarantee that message is received and later I had to write some code to make sure packets are received. Hence, I implemented message queue and resend every command until\u00a0I get a proper reply before sending another command. This finally made my program more reliable.<\/p>\n

Writing Socket Data<\/h2>\n

I quickly managed to get some basic stuff working (for example powering it on and off) and soon I implemented most of the commands from the file with reversed engineered commands (reading Timing Table is still not completed but shouldn’t be too hard). Since I wanted to do more than that, I started Wireshark<\/a> and analyzed a few more packets. I quickly learned how to write Socket Data Table too. Apparently, you send command very similar to what you receive when you request Socket Data but with different Command ID (74\u00a06d instead of 72\u00a074 in hexadecimals).<\/p>\n

So to write\u00a0Socket Data I send the following packet<\/p>\n

Magic\u00a0Key + message length + 74 6d\u00a0+\u00a0mac + mac padding\u00a0+ 00 00 00 00\u00a0\u00a0+ AA\u00a000 BB\u00a0+ recordLength + record;<\/em><\/p>\n

where<\/p>\n

record = 01 00 \/* record number = 1*\/ + versionID + mac + mac padding\u00a0+ reversed mac\u00a0+ mac padding\u00a0+ remote password + socket name + icon + hardwareVersion + firmwareVersion + wifiFirmwareVersion + port + staticServerIP + port + domainServerName + localIP + localGatewayIP + localNetMask + dhcpNode + discoverable + timeZoneSet + timezone + countdownStatus + countdown + 00 (repeated twelve times) + 30 (repeated 30 times, note that hex 30 corresponds to 0 in ASCII);<\/em><\/p>\n

countdownStatus is 00 ff when countdown is disabled and 01 00 when countdown is enabled.<\/p>\n

AA\u00a000 BB is actually table number and version flag. E.g. 04 00 01. 4 stands for table number (Socket Data is Table number 4) I don’t completely understand what is version flag, so if you know please tell me in the comments.<\/p>\n

Then socket replies with:<\/p>\n

Magic\u00a0Key + message length + 74 6d\u00a0+\u00a0mac + mac padding + 01 00 00 00 00;<\/em><\/p>\n

Now just send an already documented Socket Table packet (see:\u00a0http:\/\/pastebin.com\/LfUhsbcS<\/a>) to update your variables.<\/p>\n

Writing Timing\u00a0Data<\/h2>\n

Writing Timing\u00a0Data is exactly the same (even Command ID is still 74 6d) as writing Socket Data but you must specify 03 a a table number<\/p>\n

Magic\u00a0Key + message length + 74 6d\u00a0+\u00a0mac + mac padding\u00a0+ 00 00 00 00\u00a0\u00a0+ AA\u00a000 BB\u00a0+ record1Length + record 1+\u00a0<\/em>record2Length + record2 +\u00a0<\/em>record3Length + record3 + …<\/em>;<\/p>\n

record<\/em>\u00a0again contains the same data as what socket sends when you request timing data<\/a>.<\/p>\n

Initial pairing of the socket<\/strong><\/h2>\n

The authors of the original Ninja Blocks orvibo-allone driver\u00a0assume that socket was already paired using the proprietary Android\/iOS application. Their original reverse engineering also contains no information how to do that. I expected\u00a0that this might be a bit tricky to do because unpaired socket is not connected to the router and you have to somehow transmit your wifi configuration into the socket. I think there are at least two ways to pair that proprietary Android\/iOS app implements. If you press the socket button for a few second it switches to a rapidly blinking red led mode. Then long press it again and it switches to rapidly blinking blue led and the socket creates an unencrypted wifi network (it was called WiWo-S20).<\/p>\n

Then I created the\u00a0wifi network with the same name on my laptop and tricked the proprietary app into believing that it is the socket’s wifi network. I was able to intercept the following message on UDP port 48899 (everything is in ASCII in the section, not in hex):<\/p>\n

HF-A11ASSISTHREAD<\/p>\n

So apparently, Orvibo S20 has HF-LPB100\u00a0Wifi chip inside.\u00a0This chip can be controlled by the AT+ commands (you can find them online but I will write a brief summary here) and I was able to do initial socket configuration!<\/p>\n