
Hijack EU plug

Open MiKuBB opened this issue 4 years ago • 1 comments

Hi, I would like to ask for help with hijacking EU plugs. I own some ESW01-EU version plugs and am trying to flash them with alternative firmware. I have found a guide on esphome, but I can't disassemble the plugs. Something in the construction has changed, so it's impossible to do it without damaging the plug. After hours of browsing I found this project, which brings new hope to me :)

According to the esphome guide https://esphome.io/cookbook/esw01-eu.html I can communicate with the plug by soldering some wires without removing the PCB from the plug case. However, I can't locate PIO0, so I can't put the ESP into flash mode :-(

As I can see from the serial communication, my FW version is 1.1.02:

```
ESP8266 SDK version : 2.2.0(f28eaf2)
VeSync SDK version : 2.1.8
Flash-Size-Map: FLASH_SIZE_8M_MAP_512_512
User run area : user1
Device MAC : dc:4f:22:d0:98:89
Device channel : 1
Device type : 10AOutletEU.Firmware version : 1.1.02.

System started ...

mode : sta(dc:4f:22:d0:98:89)
add if0
```

After calling `node ./index.js -s SSID -b BSSID -p password -i 192.168.133.x -d 192.168.4.1` I see something like this:

```
Using SSID "xxxx" (BSSID: 00:00:00:00:00:00, Local IP: 192.168.133.226)
Starting web server on TCP port 17273
Attempting to connect to device 192.168.4.1
Connected to device 192.168.4.1
0000 498e3c762468c689c8e9793e1b040ad80385276ae4aa61eac22c3f98211fe3f3
0020 4fa4ab08199533880d0bc0d40a32f77f24234376048b0df0c81b237176ab26b2
0040 e844a15173a397d702bbed082f8e5562f9979b64b6434a689afbeec5a6e8ac48
0060 9c7c77572a659412cef81761aca41f89fae34a09deeb066e23721184159589e6
0080 6831d12ecb9ee7f753fbbf5239e1a967b0621cba82c614f418d1b94b26e8bb83
00a0 b0882f6f5fd1ff2bc58e496ee098c988
undefined:1
�<v$hƉ��y>
```

and the Etekcity AP stops responding ...

I have tried to update the FW using the VeSync app, but with no luck: the hijack output is the same. The only thing that changed is that the AP is still functional.

```
0000 498e3c762468c689c8e9793e1b040ad80385276ae4aa61eac22c3f98211fe3f3
0020 4fa4ab08199533880d0bc0d40a32f77f24234376048b0df0c81b237176ab26b2
0040 e844a15173a397d702bbed082f8e5562f9979b64b6434a689afbeec5a6e8ac48
0060 9c7c77572a659412cef81761aca41f89fae34a09deeb066e23721184159589e6
0080 6831d12ecb9ee7f753fbbf5239e1a967b0621cba82c614f418d1b94b26e8bb83
00a0 b0882f6f5fd1ff2bc58e496ee098c988
undefined:1
�<v$hƉ��y>
```

So it would be great if somebody could help me manage to hijack these EU plugs. Thank you, mk

MiKuBB avatar Sep 05 '21 15:09 MiKuBB