Newer Orvibo Smart Sockets #11

Open
jimbo-83 opened this Issue Dec 11, 2016 · 36 comments

jimbo-83 commented Dec 11, 2016

Do you know if this plugin will support the newer smart sockets? I think the model is B25, I have been trawling various places for an answer on this and can't find resolution anywhere and as someone who is diffo not a coder I'm struggling but really want to make use of this with my Sockets!

Owner

Grayda commented Dec 11, 2016

Hmm, I didn't realise they had a new version of the socket out. I might have to dig one up and see. However the answer is, it depends.

Right now there are two major versions of the Orvibo protocol. The first, which we'll call "legacy", is fully supported by node-orvibo. Almost anything the official Orvibo app can do, node-orvibo can do.

Then there's the newer version, which I'll call "PK" (because the string "PK" (or sometimes "DK") appears towards the start of the packets, and Orvibo refers to it as a "protocol type"). It's somewhat similar to the legacy protocol, but is encrypted and has an entirely different way of transmitting data (uses JSON instead of just tacking the information to the end of the packet).

PK isn't supported yet. A number of months ago I got a Kepler gas detector, but I could barely get it to respond, so I didn't make much progress. About a week ago I received a Coco smart strip (like the socket, but in a power strip) and a Smart Cube (which is a cloud-connected version of the Orvibo AllOne, an IR blaster for controlling TVs and such). Since then I've made some progress. I can encrypt and decrypt the PK messages and I can recreate the packets used to communicate with the device.

However that's as far as I've got. It shouldn't be too hard to start adding in features, but I haven't got there yet.

So to cut a long story short, if the B25 uses the legacy protocol, I'm 95% confident it'll work. My code might need some tweaking to suit, but most things should be there. If it uses the PK protocol, it definitely won't work yet, but I'm working on it. I've got almost a month off from work in about a week's time, so that'll give me a better chance to tackle the issue.

Let me know if you've got any other questions!

jimbo-83 commented Dec 11, 2016

Hey David,

I think that it's safe to assume that they will be using the same newer protocol as I have tried the "legacy" stuff as well as the Orvibo Platform. I also think they were released at the same time as the Coco. They run on the HomeMate App rather than the Wiwo one.

I really appreciate your reply as I'm 0% knowledgeable in code but I see so much value in this software! It really is so cool, HomeKit technology is so over priced at this point yet other systems are so much more affordable but clunky. This really is a great answer!

Thanks again

J

jimbo-83 commented Dec 11, 2016

Owner

Grayda commented Dec 11, 2016

Yeah, I guessed they were the newer protocol. Watch this space though, as the newer protocol just seems to be the same ol' Orvibo stuff, just packaged into a different format, so it might be rather trivial to implement this stuff.

karl0ss commented Jan 3, 2017

@Grayda I would love for this to work on B25 as well, I can either supply you a B25 for free if you want, or can donate some £ to you if you get it working after if you want?

Owner

Grayda commented Jan 3, 2017

@karl0ss: I'd certainly appreciate the donation. I'm in the process of rewriting the library so it's easier to add new products (I'm envisioning a plugin system using architect which I've used before). I've got the new protocol sort of worked out, but right now I can just encode and decode packets, not control things.

Send me an email at grayda@solidinc.org if you want to chat further :)

karl0ss commented Jan 4, 2017

@Grayda I've sent you an email mate.

karl0ss commented Jan 5, 2017

I've ordered David a B25, so hopefully with the actual device, he will be able to get it working for us :)

JCotton1123 commented Jan 21, 2017

@Grayda I recently purchased a S25, what I assume to be the American version of the B25. I've done some packet captures and I see the pk/dk string at the start of the packet as you described above. I was wondering if you could provide any info on the decryption/encryption process including how to derive the key so that I can experiment with my socket. I am more than happy to contribute any information or code I am able to put together.

Owner

Grayda commented Jan 21, 2017

@JCotton1123: Check out my last commit which added tools to encode and decode packets. The key can be obtained by downloading the Kepler APK then using an APK decompiler (I used an online one, but apktool works great too). Not in front of my computer so I can't remember the path, but I think the key is in an AESCoder jar file as a const. Possibly called "key". The Home mate app doesn't have the key as it's stored server side, but the Kepler APK has it

Not sure if I can legally do it, but I might write a tool that "brute forces" the key so people don't have to decompile APKs to get it. The key is alphanumeric and fairly short, so brute forcing it won't be hard.

I'm almost done rewriting the S20 / Allone code for node-orvibo2, so the base of that should make the DK / PK stuff a cinch to add because node-orvibo2 is modular

JCotton1123 commented Jan 21, 2017

@Grayda Thanks. This never occurred to me as an iOS user.

I found the key. For anyone else that's looking, it can be found in com/orvibo/lib/kepler/core/AESCoder.java.

Looking forward to seeing the new node-orvibo2 lib. Hopefully I can contribute some code.

karl0ss commented Jan 23, 2017

Hopefully we can have working B25's soon :)

@Grayda Is the one I sent you working ok?

Owner

Grayda commented Jan 23, 2017

@karl0ss: Yep, working fine with the HomeMate app!

I'm just about to start on the "v2" code. While I'm doing that, I'm asking a few people (the EFF, the 'legaladvice' subreddit, maybe a lawyer if necessary) about the legalities of distributing the key. Brute-forcing the whole key would take literally forever (with over 200 trillion combinations), so I'm trying to find out if I can include the whole key (in the name of 'interoperability'), or part of the key, then use a tool to unscramble the rest (which would take ~400ms to unscramble). I can't seem to find any info, so I'm reaching out to a few places, just to protect me, and anyone who uses this library.

In the meantime, you can see the progress over on http://github.com/grayda/node-orvibo2. There are so many changes going on, and so many different methods and such, that it was better to start from scratch.

karl0ss commented Jan 23, 2017

Ok cool, thank you so much for looking at this :)

Owner

Grayda commented Jan 28, 2017

@karl0ss and others:

I've created a wiki page here which documents my findings with the newer sockets so far.

Right now I haven't gotten anywhere. I'm sending the correct commands, but the B25, the Coco and the SmartCube aren't responding. I'm wondering if they're waiting for those commands to come from the server (which requires signing up for a HomeMate account) or if there's something I'm not doing.

EDIT: Yeah, looks like they wait for server commands, because as soon as I unplug my internet (but leave WiFi going), everything stops. I'm wondering if the server is hard-coded into the devices, or if they can be changed when being set up. This'll be my next point of investigation. I've just purchased a WiFi adapter that does monitor mode, so I'll be able to sniff packets that go from the socket to the server. Hopefully that'll shed some light. If I can't set the server, then it might take a man-in-the-middle attack to get things running. That'll be tons of fun (/sarcasm)

I'm currently pawing through a bunch of pcap packets to see what is going on. I might have to buy a WiFi dongle that does monitor mode so I can get a clearer picture of what is being sent.

On a separate note, the HomeMate app sends your (precise, I think) location to the server, along with what type of phone you have. Worth keeping in mind if you're privacy conscious. Android Nougat lets you turn off those permissions, or you can install a GPS spoofer to fake your location prior to running HomeMate.

I'll keep everyone updated as I make progress.

karl0ss commented Jan 30, 2017

Thanks for the update mate, sounds like these new ones are a right pita...

kalinon commented Mar 13, 2017

I posted an issue here: cherezov/orvibo#13 for the new S31 blocks. It has some Wireshark dumps that may be helpful.

karl0ss commented Jul 6, 2017

Guessing this project is now dead for the new plugs?

insertjokehere commented Jul 7, 2017

I'm working on getting something going so I can control my Orvibo "S20c" switches, which also use the "Homemate" app, with the goal of a Homemate-to-MQTT bridge so I can control my switches from Homeassistant.

I've been writing up my notes on blog, and have written a tool that can decode 'PK' and 'DK' packets (hat tip to @Grayda, would never have worked out getting the 'PK' key from Kepler!)

Would be really interested if my tool works with other 'Homemate' devices

Owner

Grayda commented Jul 9, 2017

@karl0ss: I hit a brick wall and had a bunch of other stuff pop up (work and home projects that chewed up almost all of my free time). Will seems to be on the same track as me, so hopefully between us we'll get something, anything.

@insertjokehere: Good write up! I was holding off from fiddling with DNS and such, because I wanted to see if I could "soft re-program" the switches so they'd accept commands from any connection and negate the need to write an entire (or partial) "server" just to get this working. I thought perhaps through an "AP mode" like the original Socket but nothing yet.

On a separate yet related note, if anyone has experience with decompiling and reading C code, let me know. The Kepler APK is basically a small amount of Java around a large C++ blob, which makes gleaning secrets about how stuff operates, a nightmare.

insertjokehere commented Jul 16, 2017

@Grayda I've got a working server implementation in insertjokehere/homemate-bridge that might be of some use. As for the question of distributing the key, did you hear back from the EFF?

One possible solution: running classes.dex from the Kepler APK through the GNU strings utility yields ~5000 strings that are at least 16 characters long. This is probably a reasonable search space, and doesn't involve distributing any part of the key, and automates getting the key from the APK without having to actually decompile it

honcheng commented Jul 17, 2017

@insertjokehere you listed that your solution works for S20c. Is S20c different from S20? Will it work for S25 and B25?

insertjokehere commented Jul 17, 2017

@honcheng S20c is different from the S20 - the S20c uses the new 'Homemate' app and protocol whereas the S20 uses the old 'WiWo' app.

I don't know if it will work with the S25 or B25 - I don't have one to test with (and not sure they make them in a form that is compatible with my local electrical system) - but would be interested in hearing about any results

honcheng commented Jul 17, 2017

@insertjokehere thanks. I have both S20 and S25. S25 only works for HomeMate app, different protocol. I'll try it with your implementation and report back.

Owner

Grayda commented Jul 17, 2017

@insertjokehere Nice! I'll have to brush up on my Python (I've only ever coded one thing in Python, and that was hacked together from various examples) and have a look.

I don't like the idea of having to set up DNS, mostly because it doesn't feel as self-contained as node-orvibo is (you don't need to know IP addresses or anything, you just run it and it goes), but ultimately I might have to just stop my sooking and do it, and look for a non-DNS solution later, if one exists.

In the meantime, I took your great idea of using strings, and I wrote a bash script: https://gist.github.com/Grayda/eb48093bcfb96bfeec9c58ea301f2668 . I tried to expand the regex to be as vague as possible while only returning the one line. I'm not a lawyer, so I hope I can do this!

markbosshard commented Aug 21, 2017

@Grayda sorry the stupid question: is there any node-orvibo2 (as you announced on stikonas.eu's github) or something similar to easily control a B25 yet? thanks a lot :)
best,
Mark

Owner

Grayda commented Sep 12, 2017

Hi @markbosshard, sorry for the late reply. Not yet. I made a start on it, but lots of other things got in the way (full time job, project work after hours etc.). Right now insertjokehere's code is the only way I know of to control those sockets.

Also as I mentioned before, if anyone knows how to decompile C code found within Android apps, let me know, as that may contain some info I need to move forward a little.

vrm42 commented Oct 11, 2017

Hi, Grayda, please tell me which script did you mean as the only way to control B25 sockets. I'm desperately seeking a working solution. Thank you!

insertjokehere commented Oct 11, 2017

@vrm42 insertjokehere/homemate-bridge will let you control these sockets through MQTT or HomeAssistant (probably, I don't have any B25s to test with, but other users have managed to get them to work).

It's not super easy to get set up and running, and the docs are a bit sketchy. I keep meaning to tidy it up, but Life etc

vrm42 commented Oct 12, 2017

Thanks for your quick reply. That solution seems dark magic to me. I don't see anything there that I could put into a bash script.

sandysound commented Oct 18, 2017

Hey guys, I've actually built something very similar to @insertjokehere but on node to control the B25 sockets. You still have to change your DNS settings to point to the system running the server. It's at https://github.com/sandysound/orvibo-b25-server
Also I should mention I got a lot of my understanding of how these sockets worked from reading @Grayda and @insertjokehere 's research and blog posts so thanks guys!

karl0ss commented Nov 15, 2017

Just to let people know, there is an official echo skill out now for homemate, and it supports our b25 :)

Bodge-IT commented Mar 13, 2018

@karl0ss but no way to have it work with node-red and cloud(assistants) at same time. Also no HomeAssistant. Disappointed in Orvibo

vrm42 commented Mar 13, 2018

I'm very satisfied with the B25 model. Sandysound's method is perfectly working and I learned a new way to control the unit without its original cloud-based system.
You need a one dollar worth USB programmer and the free Arduino software. It has an ESP8266 plugin so you can replace the original firmware with a simple script. The script contains your WiFi SSID, password, a static IP and gateway for the socket, a webserver with ON/OFF buttons and the current status report of the relay. So you can control it with curl.

Owner

Grayda commented Mar 14, 2018

@vrm42 Can you provide more details on this? I'm really interested in what you've found out about cloudless control.

vrm42 commented Mar 14, 2018

You need a programmer: PL2303 USB-TTL / USB-STC-ISP. Disassemble the socket. Five pins have to be soldered to the 5V, TX, TX, GPIO0, GND pinouts. Connect these pins to the programmer. 5V to 5V, RX to TX, TX to RX, GPIO0 and GND to GND. Download Arduino IDE software (1.8.5). Under File, Preferences, additional boards manager urls put: http://arduino.esp8266.com/stable/package_esp8266com_index.json.
Under Tools, Board Manager install ESP8266. Restart the software. Under Tools, Programmer select AVRISP mkII (for the model mentioned above). Under Tools, Board select Generic ESP8266.
In the sketch edit field paste the following code, put your stuffs into it (ssid, password, ip, mask, gateway) and press upload (right arrow).

```cpp
#include <ESP8266WiFi.h>
#include <ESP8266WebServer.h>
#include <ESP8266mDNS.h>

#define relay 5    // GPIO driving the relay
#define button 14  // GPIO wired to the push button

MDNSResponder mdns;

int On = LOW;  // last relay state set by the sketch
const char* ssid = "your SSID here";
const char* password = "your wifi password here";
String webPage = "";

ESP8266WebServer server(80);

// Serve the control page together with the current relay state.
void handle_root() {
  int cstat = digitalRead(relay);
  // Markup rebuilt from the pieces that survived the forum rendering.
  webPage = "<h1>Socket ID</h1><p><a href=\"ON1\">ON</a> <a href=\"OFF1\">OFF</a></p>";
  webPage += "Status_";
  webPage += cstat;
  server.send(200, "text/html", webPage);
  delay(100);
}

// Status LED: red while the relay is off.
void red()
{
  digitalWrite(4, LOW);
  digitalWrite(12, HIGH);
}

// Status LED: blue while the relay is on.
void blue()
{
  digitalWrite(4, HIGH);
  digitalWrite(12, LOW);
}

void setup()
{
  pinMode(relay, OUTPUT);
  pinMode(4, OUTPUT);
  pinMode(12, OUTPUT);
  pinMode(button, INPUT);
  Serial.begin(9600);

  // Join the WiFi network and wait until the connection is up.
  WiFi.begin(ssid, password);
  while (WiFi.status() != WL_CONNECTED)
  {
    Serial.print(".");
    delay(200);
    Serial.print(".");
    delay(200);
    Serial.print(".");
    delay(200);
    Serial.println();
  }

  // Switch to a static address.
  IPAddress ip(192, 168, 1, 64);
  IPAddress gateway(192, 168, 1, 1);
  Serial.print(F("Setting static ip to : "));
  Serial.println(ip);
  IPAddress subnet(255, 255, 255, 0);
  WiFi.config(ip, gateway, subnet);

  red();

  // HTTP routes: status page, relay on, relay off.
  // The "[]()" of each handler had been eaten by the forum rendering.
  server.on("/", handle_root);
  server.on("/ON1", []()
  {
    server.send(200, "text/html", webPage);
    digitalWrite(relay, HIGH);
    On = HIGH;
    blue();
  });

  server.on("/OFF1", []()
  {
    server.send(200, "text/html", webPage);
    digitalWrite(relay, LOW);
    On = LOW;
    red();
  });

  server.begin();
}

void loop()
{
  // The physical button toggles the relay (active low).
  int value = digitalRead(button);
  if (value == LOW)
  {
    if (On == LOW)
    {
      digitalWrite(relay, HIGH);
      blue();
      On = HIGH;
      delay(500);
    }
    else
    {
      digitalWrite(relay, LOW);
      red();
      On = LOW;
      delay(500);
    }
  }
  server.handleClient();
}
```

Please note that the Webpage part of the code is messed up by this forum engine, so check the source.

This will erase the original firmware! I don't know how to put it back.
In case of any error during the upload process simply disconnect the programmer from the PC and then reconnect. It happens all the time.
Now you can connect to the socket with your browser.
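
The sketch in the comment above switches the relay on any unauthenticated GET to /ON1 or /OFF1, so every device on the network, and any web page opened in a browser on it, can toggle the socket. The following is an added example, not part of vrm42's comment or of any project linked in this thread, that gates the relay behind a POST carrying a shared token. `RELAY_TOKEN`, `relayGate`, `parseState`, `handle_relay` and the `/relay` route are hypothetical names; the `ARDUINO` section assumes it is pasted below the sketch's globals.

```cpp
// Added example: access gate for the relay routes of the sketch above.
#include <cstddef>
#include <cstring>

// Placeholder secret (assumption): set a long random value per device.
static const char* RELAY_TOKEN = "change-me-long-random-token";

enum GateResult { GATE_ALLOW = 200, GATE_DENY = 403, GATE_BAD_METHOD = 405 };

// Compare without stopping at the first mismatch, so response timing
// does not reveal how many leading characters were right.
static bool tokenEquals(const char* supplied, const char* expected) {
  size_t ls = strlen(supplied), le = strlen(expected);
  unsigned char diff = (ls == le) ? 0 : 1;
  for (size_t i = 0; i < le; ++i)
    diff |= (unsigned char)((i < ls ? supplied[i] : 0) ^ expected[i]);
  return diff == 0;
}

// Decide whether a request may switch the relay. State changes must not
// ride on GET, which links, prefetchers and <img> tags issue on their own.
static GateResult relayGate(bool isPost, const char* suppliedToken) {
  if (!isPost) return GATE_BAD_METHOD;
  if (suppliedToken == nullptr || !tokenEquals(suppliedToken, RELAY_TOKEN))
    return GATE_DENY;
  return GATE_ALLOW;
}

// Parse the requested state: 1 for "on", 0 for "off", -1 for anything else.
static int parseState(const char* s) {
  if (s == nullptr) return -1;
  if (strcmp(s, "on") == 0) return 1;
  if (strcmp(s, "off") == 0) return 0;
  return -1;
}

#ifdef ARDUINO
// Glue for the sketch: `server`, `relay`, `On`, red() and blue() are the
// sketch's own globals. Register in setup() with
//   server.on("/relay", HTTP_ANY, handle_relay);
void handle_relay() {
  GateResult g = relayGate(server.method() == HTTP_POST,
                           server.arg("token").c_str());
  if (g != GATE_ALLOW) { server.send(g, "text/plain", "denied"); return; }
  int want = parseState(server.arg("state").c_str());
  if (want < 0) { server.send(400, "text/plain", "state must be on or off"); return; }
  digitalWrite(relay, want ? HIGH : LOW);
  On = want ? HIGH : LOW;
  if (want) blue(); else red();
  server.send(200, "text/plain", want ? "on" : "off");
}
#endif
```

The token still travels over plain HTTP, so this stops casual clients and cross-site GET requests rather than anyone able to capture traffic on the network. The /ON1 and /OFF1 routes have to be removed for the gate to have any effect.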
