How Orvibo S20 WIFI plugs are controlled outside of local network?

Question

I bought a Orvibo S20 WIFI plug. It works great when controlled within local network. Some information on the control protocole are available here (Wifi socket communication with android phone ). But outside of local network (from cellular or Internet), the plug control does not work. Does someone has information on how these plugs are controlled outside of local network? Which protocole, ports are used, when do plugs update dynDNS servers...? Thanks for help

Answer 1

I think the S20 communicates with an external server which routes commands from the app to the device. The reason I assume this is because when my internet connection is down my S20 is not available even from the local network via the app.

If your app isn't working outside your local network my best guess is that there may be some kind of firewall issue between the device and the external server causing the problem.

Edit: actually after further testing the app does work on the local network connection if the internet is down. Still, your issue is probably port/firewall-related.

Answer 2

There are two ways to send the password to the socket. Either connect to the unencrypted Wifi network created by the socket and send the password over UDP port 48899 using AT+ commands of HF-A11 (actually HF-LPB100) chip.

Or try to send password by encoding it into wifi packet lengths and repeatedly send packets of various length containing 0x05 (UDP port 49999). Socket sniffs wifi encrypted Wifi traffic and tries to determine the wifi password from that.

Some more info is available on my blog https://stikonas.eu/wordpress/2015/02/24/reverse-engineering-orvibo-s20-socket/. There are links there to some other useful posts which would give you idea how the socket works (basically sending/receiving UDP packets on port 10000).

Unfortunately, both methods of sending your password to the socket are not secure, so for security purposes you can consider your wifi password compromised.

(This is mostly a reply to Humberto Figueiredo but StackExchange rules did not allow me to post it as a comment)

Answer 3

I used a below script which contains a PHP script as well.

#!/bin/bash

# script to find the lan ip address mini computer
hostname -I > /tmp/plug_config_own_ip.txt

# script to find the mac addres mini computer
ifconfig eth0 | grep HWaddr >& /tmp/plug_config_own_mac.txt

# script to find the wan ip address mini computer
wget http://ipecho.net/plain -O - -q > /tmp/plug_config_own_ip_wan.txt

# script to populate the arp table
sudo nmap --send-ip -sP 192.168.1.0/24
sudo nmap --send-ip -sP 192.168.0.0/24

# script to find the ip & mac address & little endian wifi plugs
ping -c 4 HF-LPB100 && arp -n  | grep ac:cf:23 >& /tmp/plug_config_wifi_socket_ip.txt
arp -n  | grep ac:cf:23 >& /tmp/plug_config_wifi_socket_ip.txt


# php script to upload information into database
php /../plug_config.php > /tmp/plug_config_output.txt 2>/tmp/plug_config_error.txt &

The PHP script is basically used to create the coding to switch on / off the different WIFI sockets. This is why I need the IP, mac addresses of the WIFI sockets. Besides this PHP script stores the line of code to switch on and switch off the WIFI sockets. And later on I used this information to automatically switch on or off the devices. See PHP below:

<?php
include '/DBconfig.php';

//
// Config variables
//
$filename1 = "/tmp/plug_config_own_ip.txt";
$filename2 = "/tmp/plug_config_own_ip_wan.txt";
$filename3 = "/tmp/plug_config_own_mac.txt";
$filename4 = "/tmp/plug_config_wifi_socket_ip.txt";

$mysqli= new mysqli($host  , $user  , $pw  ,$db);
if ($mysqli->connect_errno) {
   echo "Failed to connect to MySQL: (" . $mysqli->connect_errno . ") " . $mysqli->connect_error;
}


if (file_exists($filename2)) {
    $file = fopen($filename2,"r");
  $ip_address_wan = file($filename2,FILE_IGNORE_NEW_LINES)[0];
    $ip_address_wan = trim($ip_address_wan);
  // echo "ip_address_wan: ".$ip_address_wan;
fclose($file);
} else {
        echo "The file $filename2 does not exist";
}

if (file_exists($filename3)) {
    $file = fopen($filename3,"r");
  $mac_address = file($filename3,FILE_IGNORE_NEW_LINES)[0];
  $mac_address = substr(strrchr($mac_address, "HWaddr "), 7);
  $mac_address = trim($mac_address);
  // echo "mac_address: ".$mac_address;
fclose($file);
} else {
        echo "The file $filename3 does not exist";
}

// get information from wifi sockets

if (file_exists($filename4)) {
    $file = fopen($filename4,"r");

$ln=1;
$device_ind = 2001;
while(! feof($file))
  {
  $data = fgets($file);
  //echo "data: ".$data;
    $ip_address = trim(substr($data, 0,15));
    IF(empty($ip_address)){$device_ind=0;}
  //echo "ip_address: ".$ip_address;
  $mac_address = trim(substr($data,(strpos($data, "ether"))+8, 20));
  // echo "mac_address: ".$mac_address;
  $mac = substr($mac_address,0,2)." ".substr($mac_address,3,2)." ".substr($mac_address,6,2)." ".substr($mac_address,9,2)." ".substr($mac_address,12,2)." ".substr($mac_address,15,2);
  $mac = trim($mac);
  // echo "mac: ".$mac;
  $little_endian = substr($mac_address,15,2)." ".substr($mac_address,12,2)." ".substr($mac_address,9,2)." ".substr($mac_address,6,2)." ".substr($mac_address,3,2)." ".substr($mac_address,0,2);
  $little_endian = trim($little_endian);
  // echo "little_endian: ".$little_endian;
  $subscribe_code = "echo '68 64 00 1e 63 6c ".$mac." 20 20 20 20 20 20 ".$little_endian." 20 20 20 20 20 20 ' | xxd -r -p | nc -i5 -n -4u -w1  ".$ip_address." 10000";
  $subscribe_code = base64_encode($subscribe_code);
  //echo "subscribe_code: ".$subscribe_code;
  $on_code = "echo '68 64 00 17 64 63 ".$mac." 20 20 20 20 20 20 00 00 00 00 01' | xxd -r -p | nc -i5 -n -4u -w1 ".$ip_address." 10000";
  $on_code = base64_encode($on_code);
  //echo "on_code: ".$on_code;
  $off_code = "echo '68 64 00 17 64 63 ".$mac." 20 20 20 20 20 20 00 00 00 00 00' | xxd -r -p | nc -i5 -n -4u -w1 ".$ip_address." 10000";
  $off_code = base64_encode($off_code);
  //echo "off_code: ".$off_code;
  //$status_code = "";
  // echo "status_code: ".$status_code;
  // insert information into soso_devices table
  $query = "INSERT INTO soso_devices (`device_ind`,`ip_address`, `mac_address`, `mac`, `little_endian`, `subscribe_code`, `on_code`, `off_code`, `status`) VALUES ('".$device_ind."','".$ip_address."','".$mac_address."','".$mac."','".$little_endian."','".$subscribe_code."','".$on_code."','".$off_code."','Y')";
  $mysqli->query($query);
  //echo $query;
  $device_ind++;
  $ln++;
  }

fclose($file);


} else {
        echo "The file $filename4 does not exist";
}


mysqli_close($mysqli); // closing connection

?>

Hope this is helpfull.