WiFi Teardown – arVin Light Swtich

WiFi Teardown – arVin Light Switch


This post is the first in what I hope will be a very fun and informative series. Lately there has been a huge influx of cheap wifi enabled IOT/SmartHome devices flooding the market. Each with their own (usually questionable) app.

I have embarked on an exciting journey to find out how many of these devices contain friendly micro controllers, and write basic “snoop-free” firmware replacements!

Source: Amazon
Price (at time of post): $25.99

Device Features

Dual color LED (Red and Green)
Button
15A Relay

Components

Relay: Golden brand 15A @ 120V
MCU: ESP8266EX
Flash Size: 1MiB

Pinout

Relay/Red LED: Pin 12
Green LED: Pin 13 (inverted)
Button: Pin 0 (inverted)

platformio.ini

[env:arvin]
platform = espressif8266
board = esp01_1m
framework = arduino
board_build.flash_mode = dio

PCB Front

PCB Rear

Flashing Instructions

This device is actually very easy to reprogram, hook up the exposed programming header labeled to a USB -> TTL Serial converter using the following table.

Serial -> Device
GND -> GND
3V3 -> 3V3
RX -> TX
TX -> RX

Put the device into boot mode by holding down the button while powering up the device, then you can use esptool or arduino uploader as normal.

I have included a basic firmware that includes ArduinoOTA and WiFiManager for your hacking pleasure on Github

These are the http endpoints of this basic firmware
http://<device ip>/ will show the name of this device and status of device
http://<device ip>/led/on will turn the Green LED on
http://<device ip>/led/off will turn the Green LED off
http://<device ip>/relay/on will turn the Red LED and Relay on
http://<device ip>/relay/off will turn the Red LED and Relay off

Note: Pressing the button on with this firmware will not work until you connect to the wifi labeled “esp_<chipid>” and set up the wifi

Note: Pressing and holding the button for 5 seconds will clear the stored wifi credentials and restart the device.

Happy Hacking!

If you have any suggestions of what I should tear down next let me know in the comments!
Please let me know if this format is informative enough for you!

Real time Litecoin Ticker (GDAX)


This is going to be a short one for my friends on /r/litecoin who asked for a tutorial after this post. So here it is.

There are many variants of the esp8266 micro controller with an oled, all of which will work for this application (possibly without any code tweaks) but I chose this one from ali express due to its compact size, and the fact that it was only $6.

Because this tutorial is aimed more at the good people of /r/litecoin I will try to be verbose because there is a good possibility this will be there first venture into embedded development.

For the rest of you, skim over most of this but pay attention to the platformio customization and proceed directly to the code.

Step the first – get platformio
Install platformio <- this guide is better then anything I could write, so please just follow that.

Step 2 – install base esp8266 support
open a command prompt or terminal and run the following command

pio platform install espressif8266

Step 3 – get the code
Download the code from github either in zip form or by cloning it

Step 4 – add new board support
Open the folder from github and open the wifikit8 folder,
copy the innards from wifikit8/platformio into the PLATFORMIO_HOME_DIR merging all the folders.

Open the PLATFORMIO_HOME_DIR/packages/framework-arduinoespressif8266/boards.txt file and append the contents of wifikit8/boards.txt

if you did this correctly running

pio boards wifiki8t

will return with

Platform: espressif8266
------------------------------------------------------------
ID                    MCU            Frequency  Flash   RAM    Name
------------------------------------------------------------
wifikit8              ESP8266        80Mhz     4096kB  80kB   Wifi Kit 8 (oled 128x32)

The only real difference between this board and the nodemcuv2 boards is the pin mapping, the i2c bus is on different pins

 SDA = 2;
 SCL = 14;
 D0   = 16;
 D1   = 5;
 D2   = 4;
 D3   = 0;
 D6   = 12;
 D7   = 13;
 D8   = 15;
 RX   = 3;
 TX   = 1;

Step 5 – upload the code
Due to being short on time, this code is pretty rough, yet functional, as a side effect of this being rough code I have not had time to bring in WifiManager to set up the wireless network as I usually would. I will leave this as an exercise to the reader, and I am accepting pull requests!

Open src/main.cpp from the github download and edit

const char *WIFI_NETWORK = "*****";
const char *WIFI_PASSWORD = "*****";

So that they contain your wifi network name and password

From the terminal run

pio run --target=upload

If it uploads successfully you should be done!
You might have to press the RST button on the bottom right a few times (not sure why)

Litecoin Tip Jar as requested LgKtLbpyQQmmnACTHyEk9SrLzPnLKMJZTZ

If there is any interest in purchasing one of these pre flashed and ready to go please let me know! It might take a bit because I’ll need to order more boards but I’ll 3d print a simple case for it to make it alittle more robust!

Notes
If you know how I can submit this board variation to platformIO please let me know, I have not been able find any info.

Cheap and polished ESP8266 Wifi Outlet

 

This slideshow requires JavaScript.

In my eternal quest to control the flow of electrons with bits and bytes I stumbled across these little beauties at walmart.com for a very reasonable price, and according to the marketing pages these little mass manufactured voltage control modules even give you live energy usage stats, wunderbar!

The android app while effective leaved much to be desired. Doesn’t matter, I am a software engineer by trade and like a challenge. So I did what anyone would do in my situation and started recording network traffic in an attempt to reverse engineer the protocol.

The night is dark and full of terrors

These little snitches switches pack a nasty secret. When you register one on your wireless network it sends your wireless SSID and password in plain text to a server in china, and ask for your zip code during registration?

 

It’s too late for me, but ye be warned share not your wireless password for thou shalt aquire the heavist of burdens. Having to change your SSID and wireless password and reconnecting all your wireless devices, and invoke the mighty wrath of…. the minor inconvenience of re adding all your devices to a new wireless network

I cannot say that I was surprised by this discovery, disappointed, but not surprised.
Unsatisfied with these findings I decided to see what micro controller powered this polished little product, and was presently surprised for I stumbled on what looked like the current (at least of the time of this blog post) hackers oriental best friend, the (soon to be) venerable esp8266 micro controller.

At this point I was practically salivating, this is a very nice looking wireless outlet, and now I have the power to bend electrons without secreting state secrets? Needless to say I purchased many more that night for fear they would disappear.

Ok, now the hacking begins… Or so I thought, like always I decided I should probably poke around the old internets and see if I couldn’t give myself a leg up by polling the wisdom of my peers and rivals. After all, this the internet where anything can and probably already has been done.

Lo’ and behold for the bounty is rich

http://thegreatgeekery.blogspot.ca/2016/02/ecoplug-wifi-switch-hacking.html

http://forums.parallax.com/discussion/162862/wifi-controlled-outlets

Armed with this knowledge I warmed up the soldering iron and whipped up a programmer based on a esp8266-01 pinout so I could use a programmer I made a while back based on this no button flashing circuit.

 

Then cranked out a very simple yet semi-effective firmware replacement, basic on off and status functionality, I through in some of the usual esp8266 mix-ins like OTA firmware updates and SSID selection. This is in no means a production firmware, but more like something to get you started.

https://github.com/pborges/SimpleESP

So now I have a simple wireless controlled outlet. Great, I need an easy way to control it. Enter SmartThings Hub! Although I am not much of a fan of Java (and by extension groovy) I like that I am able to integrate almost whatever I want into my home automation. I whipped up a quick little ditty to extend SmartThings so it has dominion over these beasts. If you want to know how I did that leave it in the comments and I’ll make a post about it.

Ok, now I have hardware, and some meh software. Lets replicate these results en mass. Time to dust off another of the tools I don’t use nearly often enough, the CNC. and created this little pogo pin programmer out of sample vinyl tiles from Home Depot and a cheap esp8366 nodeMCU board from which I removed esp8266 module. This way I retain the no button esp flash capability of nodeMCU that is baked into the arduino esp8266 plugin.

To get these to flash properly I added this to the esp8266 boards.txt file,
I run linux so I’m not sure where it would be on a windows system but it’s located here on linux
~/.arduino15/packages/esp8266/hardware/esp8266/2.3.0-rc2/boards.txt

nodemcuv2.menu.FlashSize.1M64=1M (64K SPIFFS)
nodemcuv2.menu.FlashSize.1M64.build.flash_size=1M
nodemcuv2.menu.FlashSize.1M64.build.flash_ld=eagle.flash.1m64.ld
nodemcuv2.menu.FlashSize.1M64.build.spiffs_start=0xEB000
nodemcuv2.menu.FlashSize.1M64.build.spiffs_end=0xFB000
nodemcuv2.menu.FlashSize.1M64.build.spiffs_blocksize=4096
nodemcuv2.menu.FlashSize.1M64.upload.maximum_size=958448

 

And here is the programmer in action.

Now I need to write a better firmware, and figure out how to get those energy stats! There is a HLW8012 on board so I thought it would be easy but I guess there is a small 8 pin micro controller talking to the HLW8012 and converting its output to i2c but I have not been able to make much headway on it.

This is what I have determined by reverse engineering and research.

Wire.begin(12, 0); // these are the i2c pins
Wire.requestFrom(0, 16); // this will request 16 bytes of info

The data that comes back looks like 4 uint32’s, I am assuming there’s watt’s, amps, volts and power factor but I have not been able to grok much more then that.

Arduino controlled light switch

Materials

Qty Description Link
1 Decora Light switch Home Depot
1 9g servo (preferably with metal gears) Amazon | EBay
a few inches 14 guage wire Scrap romex

Tools

Description
Dremel
Needle nose pilers
Hot glue gun
Thin blade flat head screwdriver

Step 1

Gently pry the lightswitch paddle off.

Careful not to loose this little piece of metal

Final Result

Step 2

Measure out some wire

And give it a bend

And another bend

Strip the tip of the short side up to the plastic block

Drill a small hole through the plastic block to allow the stripped wire to pass through

Make sure the wire fits snugly inside of the paddle

Dremel out a valley on the opposite side of your drill hole

After and before

Notch out a valley on the outer part of the plastic clip big enough for a stripped bit of wire to fit into

Cut the long side of the wire about an inch past the paddle’s length

And strip back until the middle of the paddle

Fit the wire into the valley you notched out

And bend it upwards so that it is flush to the outside.

Here is another view of the prior step.

Hot glue down your handywork

Step 3

Remove the tab on the opposite side of the screw terminals

Before and after

Drill a 1/4in hole down the middle of the tab you just removed

Snap it together, and make sure it toggles with ease

Step 4

Position the servo so that it is flush to the switch body

Make sure not to cover this hole

Or this one

Hot glue down your handywork

Final product

Step 5

Chop two legs off of a X servo horn

Like so

It should look like this once it is attached

Shape the wire so that it can easily be toggled by the servo.
Yet does not protude out to far past the lightswitch body

The mechanical portion is complete!

Stay tuned for the circuit and firmware!
coming soon.

 

EDIT:

I just realized I never linked in the videos of it in action, bear in mind these are of the first prototype where the servo was connected to the toggle mechanically, the version outlined in this blog post is superior as there is no mechanical linkage to break.