Nedis Wi-Fi Smart Plug WIFIP121FWT3.
2023-09-24: and the device shows up in Home Assistant, as a discovered ESPHome device. Nice! From my FreeBSD workstation, I can ping it too:
tingo@kg-core2:~ $ ping stue-socket1.local
PING stue-socket1.local (10.1.161.36): 56 data bytes
64 bytes from 10.1.161.36: icmp_seq=0 ttl=255 time=10.678 ms
64 bytes from 10.1.161.36: icmp_seq=1 ttl=255 time=11.623 ms
64 bytes from 10.1.161.36: icmp_seq=2 ttl=255 time=5.533 ms
^C
--- stue-socket1.local ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 5.533/9.278/11.623/2.676 ms
2023-09-24: try tuya-cloudcutter again
tingo@z30b:~/work/projects/2023/20230923_nedis_wifip121wft3/tuya-cloudcutter$ ./tuya-cloudcutter.sh
Building cloudcutter docker image
Sending build context to Docker daemon 32.2MB
Step 1/10 : FROM python:3.9.12-slim-buster AS base
 ---> ead817e27369
Step 2/10 : RUN apt-get -qq update && apt-get install -qy --no-install-recommends git hostapd rfkill dnsmasq build-essential libssl-dev iproute2 mosquitto
 ---> Using cache
 ---> 17d8750f30c0
Step 3/10 : FROM base AS python-deps
 ---> 17d8750f30c0
Step 4/10 : RUN pip install --upgrade pipenv
 ---> Using cache
 ---> 4336a3e9e864
Step 5/10 : COPY src/Pipfile /src/
 ---> Using cache
 ---> 85fd2a9ecb31
Step 6/10 : COPY src/Pipfile.lock /src/
 ---> Using cache
 ---> 32bdae6f4f15
Step 7/10 : RUN cd /src && PIPENV_VENV_IN_PROJECT=1 pipenv install --deploy
 ---> Using cache
 ---> 3af53440eae1
Step 8/10 : FROM python-deps AS cloudcutter
 ---> 3af53440eae1
Step 9/10 : COPY src /src
 ---> Using cache
 ---> 0a0a1a45978f
Step 10/10 : WORKDIR /src
 ---> Using cache
 ---> 29bb0620a8c0
Successfully built 29bb0620a8c0
Successfully tagged cloudcutter:latest
Successfully built docker image
1) Detach from the cloud and run Tuya firmware locally
2) Flash 3rd Party Firmware
[?] Select your desired operation [1/2]: 2
Loading options, please wait...
[?] How do you want to choose the device?: By firmware version and name
   By manufacturer/device name
 > By firmware version and name
   From device-profiles (i.e. custom profile)
[?] Select the firmware version and name: 1.1.8 - BK7231N / oem_bk7231n_plug
   1.1.7 - BK7231N / CL_DREAM_RGB_STRIP_19KEY_1KEY_5V_BK7231N
   1.1.7 - BK7231N / oem_bk7231n_ceiling_light_ty
   1.1.7 - BK7231N / oem_bk7231n_plug
   1.1.7 - BK7231T / oem_bk7231s_light_pir_ty
   1.1.7 - BK7231T / oem_bk7231s_light_ty
   1.1.71 - BK7231T / bk7231t_common_user_config_ty
 > 1.1.8 - BK7231N / oem_bk7231n_plug
   1.1.8 - BK7231T / oem_bk7231s_rnd_switch
   1.1.80 - BK7231T / bk7231t_common_user_config_ty
   1.1.9 - BK7231N / oem_bk7231n_water_sensor_plus
   1.1.9 - BK7231T / bk7231s_common_iot_config_ty
   1.1.9 - BK7231T / oem_bk7231s_ceiling_light_ty
   1.1.9 - BK7231T / oem_bk7231s_strip_ir_daybetter
Performing safety checks to make sure all required ports are available
Checking UDP port 53... [sudo] password for tingo: Available.
Checking UDP port 67... Available.
Checking TCP port 80... Available.
Checking TCP port 443... Available.
Checking TCP port 1883... Available.
Checking TCP port 8886... Available.
Safety checks complete.
[?] Select your custom firmware file for BK7231N chip: image_bk7231n_app.ota.ug.bin
   ESPHome-Kickstart-v23.08.29_bk7231n_app.ota.ug.bin
 > image_bk7231n_app.ota.ug.bin
   OpenBeken-v1.17.245_bk7231n.ug.bin
   stue-socket1-ota.ug.bin
Selected Device Slug: easyliv-4-outlet-4-usb-uk-power-strip
Selected Profile: oem-bk7231n-plug-1.1.8-sdk-2.3.1-40.00
Selected Firmware: image_bk7231n_app.ota.ug.bin
================================================================================
Place your device in AP (slow blink) mode. This can usually be accomplished by either:
Power cycling off/on - 3 times and wait for the device to fast-blink, then repeat 3 more times. Some devices need 4 or 5 times on each side of the pause
Long press the power/reset button on the device until it starts fast-blinking, then releasing, and then holding the power/reset button again until the device starts slow-blinking.
See https://support.tuya.com/en/help/_detail/K9hut3w10nby8 for more information.
================================================================================
Scanning for open Tuya SmartLife AP
...
Found access point name: "SmartLife-BCCE", trying to connect...
Device 'wlp2s0' successfully activated with '16c889e0-e794-4a70-9048-4aecb56c9b50'.
Connected to access point.
Waiting 1 sec to allow device to set itself up...
Running initial exploit toolchain...
Exploit run, saved device config too!
output=/work/configured-devices/xtjyKJGxvUrT.deviceconfig
Saved device config in /work/configured-devices/xtjyKJGxvUrT.deviceconfig
================================================================================
Power cycle and place your device in AP (slow blink) mode again. This can usually be accomplished by either:
Power cycling off/on - 3 times and wait for the device to fast-blink, then repeat 3 more times. Some devices need 4 or 5 times on each side of the pause
Long press the power/reset button on the device until it starts fast-blinking, then releasing, and then holding the power/reset button again until the device starts slow-blinking.
See https://support.tuya.com/en/help/_detail/K9hut3w10nby8 for more information.
================================================================================
Scanning for open Tuya SmartLife AP
Found access point name: "SmartLife-BCCE", trying to connect...
Error: Connection activation failed: The Wi-Fi network could not be found.
.
Found access point name: "A-BCCE", trying to connect...
Error: Connection activation failed: The Wi-Fi network could not be found.
....
Found access point name: "A-BCCE", trying to connect...
Device 'wlp2s0' successfully activated with '03ba045e-976b-49fe-abc2-25c80d9809e5'.
Connected to access point.
Configured device to connect to 'cloudcutterflash'
Device is connecting to 'cloudcutterflash' access point. Passphrase for the AP is 'abcdabcd' (without ')
Flashing custom firmware...
================================================================================
Wait for up to 10-120 seconds for the device to connect to 'cloudcutterflash'. This script will then show the firmware upgrade requests sent by the device.
================================================================================
Using WLAN adapter: wlp2s0
Configuration file: /dev/stdin
Using interface wlp2s0 with hwaddr e4:f8:9c:50:6f:2c and ssid "cloudcutterflash"
wlp2s0: interface state UNINITIALIZED->ENABLED
wlp2s0: AP-ENABLED
Using PSK v1 - Received PSK ID version 01
Processing endpoint /v2/url_config
Processing endpoint tuya.device.active
Processing endpoint tuya.device.dynamic.config.get
Processing endpoint tuya.device.uuid.pskkey.get
[MQTT Sending] Triggering firmware update message.
Processing endpoint tuya.device.upgrade.get
Processing endpoint tuya.device.upgrade.status.update
Processing endpoint /files/image_bk7231n_app.ota.ug.bin
Firmware update progress: 30%
Firmware update progress: 60%
Processing endpoint atop.online.debug.log
Firmware update progress: 87%
Processing endpoint tuya.device.dynamic.config.get
Firmware update progress: 87%
Processing endpoint tuya.device.dynamic.config.ack
[Firmware Upload] /files/image_bk7231n_app.ota.ug.bin send complete, request range: bytes=0-514751/514752
Firmware update progress: 98%
Firmware file has been sent and MQTT reported a progress of nearly complete. Waiting 15 seconds to ensure flashing completes.
Flashing should be complete. It takes about 15 seconds for the device to reboot and verify the flash was valid.
Please wait about 30 seconds then look for signs of activity from the firmware you supplied (either watch for AP mode or check if it joined your network).
Device MAC address: a8:80:55:0b:bc:ce
2023-09-24: fixed by adding a polkit config file to my machine
tingo@z30b:~$ sudo cat /etc/polkit-1/localauthority/50-local.d/org.freedesktop.NetworkManager.pkla
[nmcli]
Identity=unix-user:tingo
Action=org.freedesktop.NetworkManager.*
ResultAny=yes
ResultInactive=no
ResultActive=yes
now nmcli shows
tingo@z30b:~/work/projects/2023/20230923_nedis_wifip121wft3/tuya-cloudcutter$ nmcli general permissions
PERMISSION                                                        VALUE
org.freedesktop.NetworkManager.checkpoint-rollback                yes
org.freedesktop.NetworkManager.enable-disable-connectivity-check  yes
org.freedesktop.NetworkManager.enable-disable-network             yes
org.freedesktop.NetworkManager.enable-disable-statistics          yes
org.freedesktop.NetworkManager.enable-disable-wifi                yes
org.freedesktop.NetworkManager.enable-disable-wimax               yes
org.freedesktop.NetworkManager.enable-disable-wwan                yes
org.freedesktop.NetworkManager.network-control                    yes
org.freedesktop.NetworkManager.reload                             yes
org.freedesktop.NetworkManager.settings.modify.global-dns         yes
org.freedesktop.NetworkManager.settings.modify.hostname           yes
org.freedesktop.NetworkManager.settings.modify.own                yes
org.freedesktop.NetworkManager.settings.modify.system             yes
org.freedesktop.NetworkManager.sleep-wake                         yes
org.freedesktop.NetworkManager.wifi.scan                          yes
org.freedesktop.NetworkManager.wifi.share.open                    yes
org.freedesktop.NetworkManager.wifi.share.protected               yes
2023-09-24: trying cloudcutter to flash 3rd party firmware, it looks like the script cannot connect to the ap
Found access point name: "SmartLife-BCCE", trying to connect...
Error: Insufficient privileges.
.
Found access point name: "SmartLife-BCCE", trying to connect...
Error: Insufficient privileges.
.
Found access point name: "SmartLife-BCCE", trying to connect...
Error: Insufficient privileges.
.
Found access point name: "SmartLife-BCCE", trying to connect...
Error: Insufficient privileges.
.
Found access point name: "SmartLife-BCCE", trying to connect...
Error: Insufficient privileges.
Error, could not connect to SSID.
Failed to connect, please run this script again
tingo@z30b:~/work/projects/2023/20230923_nedis_wifip121wft3/tuya-cloudcutter$ nmcli general permissions
PERMISSION                                                        VALUE
org.freedesktop.NetworkManager.checkpoint-rollback                auth
org.freedesktop.NetworkManager.enable-disable-connectivity-check  no
org.freedesktop.NetworkManager.enable-disable-network             no
org.freedesktop.NetworkManager.enable-disable-statistics          no
org.freedesktop.NetworkManager.enable-disable-wifi                no
org.freedesktop.NetworkManager.enable-disable-wimax               no
org.freedesktop.NetworkManager.enable-disable-wwan                no
org.freedesktop.NetworkManager.network-control                    auth
org.freedesktop.NetworkManager.reload                             auth
org.freedesktop.NetworkManager.settings.modify.global-dns         auth
org.freedesktop.NetworkManager.settings.modify.hostname           auth
org.freedesktop.NetworkManager.settings.modify.own                auth
org.freedesktop.NetworkManager.settings.modify.system             no
org.freedesktop.NetworkManager.sleep-wake                         no
org.freedesktop.NetworkManager.wifi.scan                          auth
org.freedesktop.NetworkManager.wifi.share.open                    no
org.freedesktop.NetworkManager.wifi.share.protected               no
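An added example, not part of the original log: comparing the `nmcli general permissions` listing taken before the polkit rule with the one taken after it shows exactly which NetworkManager actions the rule opened up for the user. The function names `perm_widened` and `demo` are illustrative, and the sample rows are a four-line excerpt of the two listings on this page.

```shell
#!/bin/sh
# Added example (not from the original log); function names are illustrative.

# perm_widened BEFORE AFTER
# Both files hold `nmcli general permissions` output. Prints one line per
# permission whose value became less restrictive (no < auth < yes).
perm_widened() {
    awk '
        function rank(v) { return (v == "yes") ? 2 : ((v == "auth") ? 1 : 0) }
        $1 == "PERMISSION" || NF < 2 { next }   # skip header and blank lines
        FNR == NR { before[$1] = $2; next }     # first file: remember old value
        ($1 in before) && rank($2) > rank(before[$1]) {
            printf "%s %s -> %s\n", $1, before[$1], $2
        }
    ' "$1" "$2"
}

# Sample input: four rows excerpted from the two listings on this page.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/before" <<'EOF'
PERMISSION                                             VALUE
org.freedesktop.NetworkManager.network-control         auth
org.freedesktop.NetworkManager.settings.modify.system  no
org.freedesktop.NetworkManager.wifi.scan               auth
org.freedesktop.NetworkManager.wifi.share.open         no
EOF
    cat > "$tmp/after" <<'EOF'
PERMISSION                                             VALUE
org.freedesktop.NetworkManager.network-control         yes
org.freedesktop.NetworkManager.settings.modify.system  yes
org.freedesktop.NetworkManager.wifi.scan               yes
org.freedesktop.NetworkManager.wifi.share.open         yes
EOF
    perm_widened "$tmp/before" "$tmp/after"
    rm -rf "$tmp"
}

demo
```

Rows reported as `no -> yes` were denied outright before the rule, while `auth -> yes` rows previously required an authentication prompt. The wildcard `Action=` line in the .pkla file is what moves every row to `yes`; listing specific action IDs there (semicolon-separated) narrows the grant.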
2023-09-24: labels on the device (picture): "nedis", "WIFIP121FWT", "Power input: 240 VAC 50Hz", "Wi-Fi Smart Plug", "Max Power: 16A (max 3680W)", "NL-5215MC 28", "Batch:2301300011", "Made in China.".
2023-09-24: testing Cloudcutter-Android and Lightleak. Using a phone with Android 5.1 (Cubot X12) allows the Cloudcutter app to connect to CustomAP (LightleakIdle) and run the process. state Unconfigured - tested profiles:
Lightleak - BK7231N - Type 1 / Addr 1 (XOR)
Lightleak - BK7231N - Type 1 / Addr X (XOR JTAG)
Lightleak - BK7231N - Type 2 / Addr 1 (Standard)
Lightleak - BK7231N - Type 3 / Addr 1 (IP)
Lightleak - BK7231T
all result in "The device doesn't respond to ping requests.". I also tested state running - AP mode..., cloudcutter app finds the device network (SmartLife-BCCE) and connects to it, but then I get "The device doesn't respond to ping requests.". Tested the same profiles as above.
2023-09-23: using the test_device_exploitable.py script from tuya-cloudcutter, I get
(penv) tingo@z30b:~/work/projects/2023/20230923_nedis_wifip121wft3/tuya-cloudcutter/proof-of-concept$ python3 test_device_exploitable.py
This script will attempt to help you lower the chances of prying open a device that won't be exploitable
However, it's not 100% foolproof either, there are more devices that are vulnerable which are not based on the BK7231 chipset.
So, please take that into account.
Before continuing, please set your device in AP mode first. This usually takes 6 power cycles off and on with ~1 sec between each.
Is your device now in AP mode? (yes/no) [default: no]: yes
Please connect to the device's AP then hit enter to continue.
Exploit payload sent! If the device has an LED and now seems to be 'frozen', it's likely exploitable. Leave it be for ~60 seconds, if its WiFi AP stops showing up then it reboots and 'unfreezes' by itself, then it's almost definitely exploitable.
the LED on the device freezes, and the device reboots after ~60 seconds.
Module      controls
TX1 (P11)   BL0937 SEL (pin 8)
P26         BL0937 CF
P24         BL0937 CF1
P8          relay
P6          LED
2023-09-23: started the Tuya app (as guest), added the device (it said that it failed, but the plug is there and I can switch it off and on). Device information says the MAC is a8:80:55:0b:bc:ce, which is Tuya. From Device Update, I can see Main Module: V1.1.8, MCU Module: V1.1.8. I removed the device and reset it to factory.
2023-09-23: tuya-cloudcutter issue #349 seems to indicate that it uses a bk7231 chipset.
2023-09-23: All these devices seem to be Tuya rebranded / white labeled. No obvious way to open the plug (it might be glued together). Plugging in the device - the light on the button blinks blue, then turns off. Pressing the button for 5 seconds makes the light blink blue quickly. But I can't see any unusual AP. OK, I misread. The first "press button for 5 seconds" puts the device in "EZ Mode" (blinks quickly), then I press the button again for 5 seconds (blinks slowly) and now it is in "AP Mode" and I can see an AP named SmartLife-BCCE.
2023-09-23: I created this page.
2023-09-21: the package arrived, straight into my mailbox.
2023-09-17: From NetOnNet, I ordered a 3 pack Nedis SmartLife Smart Plug 3-pack | Wi-Fi | Strömmätare | 3680 W Art.nr: 1030309 for NOK 249.- (it was on offer).