Hello,
My local hardware store (Leroy Merlin) held a competition and I won a connected light bulb from Eglo, the Tunable White V-Link model.
The recommended way to connect to it is the following:
- Install the Enki app on Android/iPhone
- Start the app, while connected to Internet
- Add a new item in the app, select the bulb brand and model
- Turn on the bulb
- Connect to the wifi network provided by the bulb
- Let the app do its thing
- Connect back to the home wifi
- Control the bulb with the application
Now, from the manufacturer's own advertisement, it is possible to control this bulb with an “enki box” that is claimed to be capable of working without any Internet connection.
I sent an email to the manufacturer asking for a detailed protocol, and I’m yet to receive an answer, but I don’t have my hopes too high on this.
So, in the meantime, I decided to attempt reverse engineering the protocol with the help of tcpdump on my rooted Android device, and Wireshark under Windows to analyze the traces.
Here is what I found so far:
After getting connected to the bulb wifi network, the bulb is broadcasting mDNS requests looking for _alljoyn._tcp.local and _alljoyn._udp.local.
The Android application answers this request with a reply that indicates a port to use for communication.
The bulb connects to the Android application on the given TCP port and the protocol is definitely AllJoyn.
After a few back and forth to authenticate and exchange keys, there is a ConfigureWifi order that is sent by the Android app to the bulb with an encrypted payload that I believe contains the Wifi SSID and password.
Then the bulb wifi network disappears and both the app and the bulb reconnect on the home wifi, the one that has access to Internet.
Once again, there is a bit of back and forth for the bulb and the app to find each other. This allows discovering that the bulb is most likely running MicroEJ to handle all this communication and the exact model number is EG-FWCCT8-1.
The Android app then resolves the device-broker.iot.leroymerlin.fr DNS name and starts talking to it via HTTPS. After having received a secure MQTT packet from that same host, the Android now does a DNS lookup for enki-backend.iot.leroymerlin.fr and starts talking to it with HTTPS again.
In between those two, there were a few encrypted AllJoyn packets between the bulb and the Android app, which I believe contain the hostname to use as the MQTT broker.
And after that, the Android app sends an MQTT packet to the broker which the bulb is receiving and acting upon accordingly.
After this already long analysis, I’m wondering: does this kind of “protocol” sound familiar to anyone?
I see that there is the AllPlay binding that uses AllJoyn to communicate with its devices, but I doubt it is anywhere near compatible with that bulb.
What would you suggest that I should try next?
I mean, considering that AllJoyn was “engulfed” inside Iotivity, I attempted to build the latter but only got as far as a compiling issue that did not seem to attract much attention.
Any help, suggestions or pointers are most welcome.
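
As an added example (not part of the original post): a small Python parser for the question section of an mDNS payload, usable to pick out the `_alljoyn._tcp.local` and `_alljoyn._udp.local` queries described above from the UDP payloads of a capture. The function names are hypothetical and the sample packet is constructed, not taken from the poster's trace.

```python
import struct
ALLJOYN_SERVICES = {"_alljoyn._tcp.local", "_alljoyn._udp.local"}

def read_name(msg, off):
    """Decode a DNS name at `off`; returns (name, offset just past the name)."""
    labels, resume, hops = [], None, 0
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        length = msg[off]
        if length & 0xC0 == 0xC0:            # 2-byte compression pointer
            if off + 1 >= len(msg):
                raise ValueError("truncated pointer")
            if resume is None:
                resume = off + 2             # parsing continues after the first pointer
            off = ((length & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 16:                    # malformed packet: pointer loop
                raise ValueError("compression pointer loop")
        elif length == 0:                    # root label ends the name
            return ".".join(labels), resume if resume is not None else off + 1
        else:
            if length & 0xC0 or off + 1 + length > len(msg):
                raise ValueError("bad label")
            labels.append(msg[off + 1:off + 1 + length].decode("ascii", "replace"))
            off += 1 + length

def parse_questions(msg):
    """Return (is_query, [(name, qtype, unicast_reply_requested), ...])."""
    if len(msg) < 12:
        raise ValueError("short header")
    _id, flags, qdcount = struct.unpack_from("!HHH", msg, 0)
    off, questions = 12, []
    for _ in range(qdcount):
        name, off = read_name(msg, off)
        qtype, qclass = struct.unpack_from("!HH", msg, off)
        off += 4
        questions.append((name, qtype, bool(qclass & 0x8000)))  # top bit = mDNS "QU"
    return not (flags & 0x8000), questions

def alljoyn_queries(msg):
    """Names of AllJoyn service queries in one mDNS payload (empty for responses)."""
    is_query, questions = parse_questions(msg)
    return [n for n, _, _ in questions if is_query and n.lower() in ALLJOYN_SERVICES]

# Constructed sample: two PTR questions; the 2nd name points back to "local" at offset 26.
SAMPLE = (struct.pack("!6H", 0, 0, 2, 0, 0, 0)
          + b"\x08_alljoyn\x04_tcp\x05local\x00" + struct.pack("!HH", 12, 1)
          + b"\x08_alljoyn\x04_udp\xc0\x1a" + struct.pack("!HH", 12, 1))
```

Feed it the UDP payload of each port-5353 packet exported from the capture; the pointer handling matters because mDNS senders routinely compress the second and later names in a packet.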