I have a bit of history reverse engineering protocols, and found this one to be fun and only a little tricky. I have yet to capture the initial config commands, as it’s harder to do MITM monitoring for those (but I’ll get that done eventually).
I have never written an OpenHAB binding, yet this may be a good one to work on.
These devices speak JSON. For instance, "AAAAKtDygfiL/5r31e+UtsWg1Iv5nPCR6LfEsNGlwOLYo4HyhueT9tTu36Lfog=="
is the base64 form of a length-prefixed, loosely encrypted frame carrying: {"system":{"set_relay_state":{"state":1}}}
There is also a sort of discovery one can do to learn what the device is. For instance, sending {"system":{"get_sysinfo":null}}
(which is what the app sends) to one of my bulbs results in:
{
  "system": {
    "get_sysinfo": {
      "sw_ver": "1.1.2 Build 160927 Rel.111100",
      "hw_ver": "1.0",
      "model": "LB130(US)",
      "description": "Smart Wi-Fi LED Bulb with Color Changing",
      "alias": "rgb-bulb-02",
      "mic_type": "IOT.SMARTBULB",
      "dev_state": "normal",
      "mic_mac": "<redacted>",
      "deviceId": "<redacted>",
      "oemId": "<redacted>",
      "hwId": "<redacted>",
      "is_factory": false,
      "disco_ver": "1.0",
      "ctrl_protocols": {
        "name": "Linkie",
        "version": "1.0"
      },
      "light_state": {
        "on_off": 0,
        "dft_on_state": {
          "mode": "normal",
          "hue": 0,
          "saturation": 0,
          "color_temp": 6500,
          "brightness": 100
        }
      },
      "is_dimmable": 1,
      "is_color": 1,
      "is_variable_color_temp": 1,
      "preferred_state": [
        {
          "index": 0,
          "hue": 0,
          "saturation": 0,
          "color_temp": 2700,
          "brightness": 50
        },
        {
          "index": 1,
          "hue": 0,
          "saturation": 75,
          "color_temp": 0,
          "brightness": 100
        },
        {
          "index": 2,
          "hue": 120,
          "saturation": 75,
          "color_temp": 0,
          "brightness": 100
        },
        {
          "index": 3,
          "hue": 240,
          "saturation": 75,
          "color_temp": 0,
          "brightness": 100
        }
      ],
      "rssi": -64,
      "active_mode": "none",
      "heapsize": 363984,
      "err_code": 0
    }
  }
}
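As an added example (not code from this post or from OpenHAB), here is a Python encoder/decoder for that framing, covering both the quoted set_relay_state string and the get_sysinfo discovery query. It assumes the scheme the post calls "sort of encrypted" is the widely documented TP-Link autokey XOR with initial key byte 171 (0xAB) behind a 4-byte big-endian length prefix; the post itself does not name the scheme. Decoding the quoted string with no key material at all is the concrete reason the protocol gives no confidentiality or authentication.

```python
import base64
import json
import struct

# Assumption: the "sort of encrypted" framing is TP-Link's documented autokey
# XOR with initial key byte 171 (0xAB), behind a 4-byte big-endian length
# prefix. Each plaintext byte is XORed with the previous ciphertext byte, so
# the keystream is derived from the message itself and there is no secret.
INITIAL_KEY = 171

def obfuscate(plaintext: bytes) -> bytes:
    """Return the length prefix followed by the XOR-chained payload."""
    key = INITIAL_KEY
    out = bytearray()
    for b in plaintext:
        key ^= b          # the ciphertext byte becomes the next key
        out.append(key)
    return struct.pack(">I", len(plaintext)) + bytes(out)

def deobfuscate(frame: bytes) -> bytes:
    """Check the length prefix and undo the XOR chain."""
    if len(frame) < 4:
        raise ValueError("frame too short for a length prefix")
    (length,) = struct.unpack(">I", frame[:4])
    body = frame[4:]
    if len(body) != length:
        raise ValueError(f"length prefix {length} != body length {len(body)}")
    key = INITIAL_KEY
    out = bytearray()
    for c in body:
        out.append(c ^ key)
        key = c           # previous ciphertext byte is the next key
    return bytes(out)

def decode_b64_frame(b64: str) -> dict:
    """Decode a base64 frame, as quoted in the post, back to its JSON."""
    return json.loads(deobfuscate(base64.b64decode(b64)))

def frame_command(cmd: dict) -> str:
    """Frame a JSON command (e.g. the get_sysinfo query) as base64."""
    raw = json.dumps(cmd, separators=(",", ":")).encode()
    return base64.b64encode(obfuscate(raw)).decode()

if __name__ == "__main__":
    # The frame quoted in the post round-trips to its JSON command.
    quoted = "AAAAKtDygfiL/5r31e+UtsWg1Iv5nPCR6LfEsNGlwOLYo4HyhueT9tTu36Lfog=="
    print(decode_b64_frame(quoted))
    print(frame_command({"system": {"get_sysinfo": None}}))
```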
Note this control protocol is completely insecure. Anyone who can talk to your devices can reconfigure them, including taking control of them, uploading malicious firmware, and perhaps gaining access to a shell (they run Linux).
For my setup, all the bulbs are on a WiFi SSID dedicated to just home automation, and this maps to a VLAN that has no internet access, and indeed cannot initiate an outgoing connection. This means the cloud component of the system is dead – which is fine by me! I may have to end up allowing it to perform firmware upgrades, if they ever have one.
Note also that even though my bulbs live in their own little world, they accept connections on port 9999 not only from things on their local network but from anywhere that can reach that port. In my case, this is an OpenHAB box on a different VLAN/subnet, which is good. This means I don’t have to put the OpenHAB server on what I consider to be a very insecure network.