Hacking TechLife Pro bulbs

I think the DNS server returns an IP address by name, but the TechLife bulb uses an IP address directly and the DNS really doesn't return anything. The TechLife bulb used the IP address of the Amazon MQTT server.

My lights at least try to resolve cloud.qh-tek.com, so I changed it to return the IP address of my local MQTT server. Works like a charm :wink:

If you’re of the soldering kind: https://templates.blakadder.com/unsupported/H4-E.html

There might be some alternative that does not involve changing the board to an esp8266.
The SM02A module the lamp uses has an RDA5981 SoC. If there is an easy way to read and write its flash, maybe we can change any reference to “cloud.qh-tek.com” so that it points to another name (it can be a name that resolves to a private IP, so that it's easier to set up).
There is probably a mechanism for doing OTA updates. I tried doing a port scan but it seems like the device is not listening on any particular port.

Hi @fjortisbart, can you explain how you did it, without soldering? I just started with openHAB…

You need to have your own DNS server, or the possibility to override zones. I use pfSense, so it's easy to change the result of the DNS lookup.

If you want to set up your bulb without their software, try this Python script: https://gist.github.com/csabavirag/334d9fa4028c17a69e3af4ea22838381

I also have their cloud redirected to my local MQTT server and the setup works fine after resetting (turn on/off 6 times) the bulb.

Please share script for redirecting to local MQTT!

Actually there is no such script you could run on a computer to override DNS, unless the DNS service is provided by a device other than your WiFi router on your local network.
So giving a straight answer is difficult, since some routers have their own built-in DNS server and some do not. You can check the router's admin interface to see if there is local DNS server support and whether it's enabled for your LAN. If it's available, you can override any hostname to have the desired IP.

For example on DD-WRT routers, the DNS server is provided by the DNSMasq application. Therefore under the Service->Service menu you just have to enter this in the “Additional DNSMasq Options” section:

address=/cloud.qh-tek.com/192.168.1.xx ← your MQTT server’s address

Like this: [screenshot of the DD-WRT “Additional DNSMasq Options” field]
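A way to confirm that the override above actually took effect, as an added example that is not part of the thread: with dnsmasq's query logging enabled, the router logs each lookup and how it was answered, so a short parser can tell whether the bulb's query for cloud.qh-tek.com was answered from the `address=` entry or leaked to an upstream resolver. The log lines, the bulb's address (192.168.1.50), the broker address (192.168.1.10) and the upstream resolver are constructed for the example.

```python
# Added example, not from the thread: audit a dnsmasq query log to check that the
# address= override for the bulb's cloud hostname is what actually gets answered.
# Assumes dnsmasq's log-queries format ("query[A] NAME from IP", "config NAME is IP",
# "forwarded NAME to IP", "reply NAME is IP"); all addresses below are constructed.
import re

LINE_RE = re.compile(
    r"dnsmasq\[\d+\]: (?P<kind>query\[A\]|config|forwarded|reply|cached) "
    r"(?P<name>\S+) (?:from|is|to) (?P<addr>\S+)"
)

# Constructed log: the override is in place, the bulb's query is answered locally.
SAMPLE_LOG = """\
Mar  3 20:15:01 dnsmasq[1234]: query[A] cloud.qh-tek.com from 192.168.1.50
Mar  3 20:15:01 dnsmasq[1234]: config cloud.qh-tek.com is 192.168.1.10
Mar  3 20:15:02 dnsmasq[1234]: query[A] example.net from 192.168.1.50
Mar  3 20:15:02 dnsmasq[1234]: forwarded example.net to 8.8.8.8
Mar  3 20:15:02 dnsmasq[1234]: reply example.net is 203.0.113.7
"""

# Constructed log: no override, so the query leaks upstream and the bulb gets the
# vendor's real address back.
LEAK_LOG = """\
Mar  3 20:15:01 dnsmasq[1234]: query[A] cloud.qh-tek.com from 192.168.1.50
Mar  3 20:15:01 dnsmasq[1234]: forwarded cloud.qh-tek.com to 8.8.8.8
Mar  3 20:15:01 dnsmasq[1234]: reply cloud.qh-tek.com is 203.0.113.9
"""


def audit_override(log_text: str, hostname: str, local_ip: str) -> dict:
    """Summarise who asked for `hostname`, what it resolved to and whether it was forwarded.

    override_effective is True only if every answer seen was `local_ip` and the name
    was never forwarded to an upstream resolver.
    """
    results = {"queried_by": set(), "answers": set(), "forwarded_to": set()}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("name") != hostname:
            continue
        kind, addr = m.group("kind"), m.group("addr")
        if kind == "query[A]":
            results["queried_by"].add(addr)
        elif kind in ("config", "reply", "cached"):
            results["answers"].add(addr)
        elif kind == "forwarded":
            results["forwarded_to"].add(addr)
    results["override_effective"] = (
        bool(results["answers"])
        and results["answers"] == {local_ip}
        and not results["forwarded_to"]
    )
    return results


if __name__ == "__main__":
    for label, log in (("override", SAMPLE_LOG), ("leak", LEAK_LOG)):
        r = audit_override(log, "cloud.qh-tek.com", "192.168.1.10")
        print(label, "->", "effective" if r["override_effective"] else "NOT effective", r)
```

The same check works on a live router by piping `/var/log/messages` (or wherever dnsmasq logs on your firmware) into `audit_override`; a non-empty `forwarded_to` set for the cloud hostname means the bulb is still reaching the vendor's broker.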

OK, I want a script which may replace the record (string) <cloud.qh-tek.com> in the bulb :slight_smile:.
When connected to the network, the bulb starts searching for the domain cloud.qh-tek.com using DNS. If I replace that cloud.qh-tek.com with my local IP, I will not need to forward DNS to my local DNS server in the router :slight_smile:

I found this image showing how you can connect the module to a PC (using a USB-to-TTL adapter). Remember it's 3.3 V only! Baud rate is 921600. Send Enter right after boot to enter the bootloader.


The bootloader seems unlocked; digging around a bit I found this string:
http://icloud.qh-tek.com:8080/DN/packed03.bin
Which is probably the OTA firmware image. It contains cloud.qh-tek.com as a plaintext string, so we might be able to change it :grinning: Still need to find a way to flash the modified image; it probably has a checksum that needs to be modified.

That was cool.

According to https://github.com/alibaba/AliOS-Things/blob/c9074e99fbb7ba5c5ecde2ae38ae30b27a913afe/platform/mcu/rda5981x/tools/ota_pack_image_lzma.py#L7-L21 the header has no CRC (it's zero). But that's just an assumption.

And here is some fun:

To instruct the device to download the firmware, send this command over MQTT:

echo -en "\xa9\xf0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf0\xaa" | mosquitto_pub ....

The command is “0xA9 0xF0”

In order to set an IP for an MQTT broker (instead of using the cloud.qh-tek.com broker), here is a small Python script which generates the necessary sequence for you. I tried restarting the bulb and did not see DNS requests to their cloud anymore. However, I can't confirm the new IP address setting will persist for several reboots (I just haven't had time to play with it).
You can run this at e.g. https://pyfiddle.io/ and put the result into your echo command. Please note, the bulb must be connected to an MQTT server (most likely their cloud) :slight_smile:

def calcChecksum(stream):
    # Byte 14 of the 16-byte frame is the XOR of bytes 1..13
    checksum = 0
    for i in range(1, 14):
        checksum = checksum ^ stream[i]
    stream[14] = checksum & 255

    return bytearray(stream)


def changeIP(ipAddr, port):
    # Frame layout: AF | IPv4 (4 bytes) | port (little-endian, 2 bytes) | F0 | 6 x 00 | checksum | B0
    Command = bytearray.fromhex("AF 00 00 00 00 00 00 f0 00 00 00 00 00 00 00 b0")
    l = list(Command)
    idx = 1
    for ip in map(int, ipAddr.split('.')):
        l[idx] = ip
        idx = idx + 1
    l[5] = port & 0xff
    l[6] = port >> 8
    return calcChecksum(l)


# Python 3 print; emits the \xNN form that can be pasted into the echo -en command
print('Change IP payload: \\x' + '\\x'.join(format(x, '02x') for x in changeIP('192.168.1.100', 1883)))
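The frames quoted in this thread (the `A9 F0 … F0 AA` OTA-download command and the `AF … B0` change-IP command) share one framing rule: 16 bytes, with byte 14 holding the XOR of bytes 1..13. The following is an added example, not the poster's script or vendor code, that builds the change-IP frame with input validation, decodes a frame back to address and port, and verifies the checksum of any 16-byte frame, so a local `mosquitto_sub` listener can sanity-check what is sent to or received from the bulb. The function names and the sample address 192.168.1.100:1883 are the example's own; the frame layout is taken from the script above.

```python
# Added example (not from the thread): encode, decode and verify the 16-byte
# TechLife MQTT frames, using the checksum scheme the posted script implements
# (byte 14 = XOR of bytes 1..13). Function names are this example's own.


def frame_checksum(frame: bytes) -> int:
    """XOR of bytes 1..13, as in the posted calcChecksum()."""
    cs = 0
    for b in frame[1:14]:
        cs ^= b
    return cs & 0xFF


def checksum_ok(frame: bytes) -> bool:
    """True if the frame is 16 bytes and byte 14 carries the XOR checksum."""
    return len(frame) == 16 and frame[14] == frame_checksum(frame)


def build_change_ip(ip: str, port: int) -> bytes:
    """Build the 'set MQTT broker' frame: AF | ip[4] | port LE[2] | F0 | 00*6 | cs | B0."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    if not 0 <= port <= 0xFFFF:
        raise ValueError(f"port out of range: {port}")
    frame = bytearray(16)
    frame[0] = 0xAF
    frame[1:5] = bytes(octets)
    frame[5] = port & 0xFF        # low byte first (little-endian), as in the script
    frame[6] = port >> 8
    frame[7] = 0xF0
    frame[15] = 0xB0
    frame[14] = frame_checksum(frame)
    return bytes(frame)


def parse_change_ip(frame: bytes):
    """Decode a change-IP frame back to (ip, port); rejects bad framing or checksum."""
    if not checksum_ok(frame) or frame[0] != 0xAF or frame[15] != 0xB0:
        raise ValueError("not a valid change-IP frame")
    ip = ".".join(str(b) for b in frame[1:5])
    port = frame[5] | (frame[6] << 8)
    return ip, port


def as_echo_escape(frame: bytes) -> str:
    """Render a frame in the \\xNN form used with 'echo -en' in the thread."""
    return "".join(f"\\x{b:02x}" for b in frame)


# The OTA-download command quoted in the thread: A9 F0, twelve 00 bytes, F0 AA.
# It satisfies the same checksum rule (XOR of bytes 1..13 == 0xF0 == byte 14).
OTA_DOWNLOAD_CMD = bytes.fromhex("a9f0" + "00" * 12 + "f0aa")

if __name__ == "__main__":
    f = build_change_ip("192.168.1.100", 1883)   # constructed sample broker address
    print("change-IP frame    :", f.hex(" "))
    print("echo -en payload   :", as_echo_escape(f))
    print("round trip         :", parse_change_ip(f))
    print("OTA cmd checksum ok:", checksum_ok(OTA_DOWNLOAD_CMD))
```

`parse_change_ip` is the useful half for a defender: point `mosquitto_sub` at the bulb's command topic on your local broker and pass each 16-byte payload through it, and any frame that changes the broker address (or fails the checksum) stands out immediately.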

Awesome! How did you find that command to change the IP and download the firmware? Did you look at the bin or the provided Android app?

The OTA image does have a checksum, in this case it is “E1 B9 04 CB” (0xCB04…) . VERSION_SZ seems to be 24. It should be trivial to modify the image and recalculate the checksum, I might try to do it during next weekend.

I will try to add support for those MQTT commands to my fork of gBridge, so that this type of lamps can still be used with Google Home:

Yes, the bin file helped to find some interesting commands. I updated my gist (link above) with a new script which has several device queries over MQTT.

Did you have time to rebuild the image?

Hi guys,

A newcomer to these bulbs here…

I tried your script, but it fails with this message:

ConnectionRefusedError: [WinError 10061] No connection could be made because the target machine actively refused it

My bulb is also a Techlife Pro bulb, however, I noticed a difference from yours (maybe irrelevant): when I create an AP with the bulb, this is the name of it:

BroadlinkProv-8bb250

Hello Jakab :wink:

Based on the SSID you provided, I believe that bulb uses the Broadlink protocol, which is completely different from the Techlife bulbs, so the scripts won't work for that particular device.
Broadlink uses broadcasts/direct packets to port 80, while Techlife is based on MQTT (and can be configured via port 8000).

Hi!

Hmmm, interesting… The box the bulb came in says Techlife Pro. That’s how I found this forum.

Also, I checked out this link (earlier in this thread), and after opening the bulb I can see that it looks very similar, if not identical.

So for me it is not a huge problem, I can (and next week I will) replace the WiFi module in it with an 8266-based one.

Thank you for your input, and if I can be of any help exploring these bad boys any further, let me know.

Indeed, it's interesting. If it turns out that it's a Broadlink device and you need some advice, send me a PM (without hijacking this thread).

I’m afraid, I can’t send private messages on this forum yet…

Now I opened up the bulb and took a couple of pics.

I can now see that this is a different wifi module than the one you guys were talking about.

Sorry about this.

Custom IP address for local MQTT broker in the bulb persists between pulling the plug cord and removing the bulb from its socket.

Thanks