All available CMD payloads #12

Open
noneevr2 opened this issue Sep 18, 2018 · 11 comments

Comments

@noneevr2

noneevr2 commented Sep 18, 2018

Firstly, all XML must contain the SMARTPLUG tag with attribute id = edimax or there will be an "XML Header error". These are the possible tags for CMD tag with attribute id = get.

  • SSID_LIST => SSID_DATA contains fields SSID, BSSID, CHANNEL, SIGNAL, MODE, ENCRYPTION, AUTHENTICATION
  • INTERNET => (online status, checks against one of yahoo, ibm or google)
  • SYSTEM_INFO (mail, smtp pass, timezone, ntp servers, daylight, system name)
  • SCHEDULE
  • TEST_MAIL
  • Device.System.Time => contains %Y%m%d%H%M%S
  • Device.System.Power.State
  • Device.System.Power.NextToggle
  • NOW_POWER (elecc get_now)
  • POWER_USAGE
  • POWER_HISTORY
  • some flag check for overcurrent output
  • some flag check for overpower output
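The get-side of the protocol described above (envelope with SMARTPLUG id="edimax", CMD id="get", and SSID_LIST replies made of SSID_DATA records), as an added Python example that is not code from this issue or from the project. The sample reply is constructed here; the exact nesting of SSID_DATA under SSID_LIST is an assumption, so the parser walks the whole CMD subtree rather than relying on it.

```python
import xml.etree.ElementTree as ET

# Tags the first comment lists as valid for <CMD id="get">.
GET_TAGS = {
    "SSID_LIST", "INTERNET", "SYSTEM_INFO", "SCHEDULE", "TEST_MAIL",
    "Device.System.Time", "Device.System.Power.State",
    "Device.System.Power.NextToggle", "NOW_POWER", "POWER_USAGE", "POWER_HISTORY",
}

# Fields the comment says each SSID_DATA record carries.
SSID_FIELDS = ("SSID", "BSSID", "CHANNEL", "SIGNAL", "MODE", "ENCRYPTION", "AUTHENTICATION")

# Declaration copied from the capture in this thread (encoding spelled "UTF8").
XML_DECL = b'<?xml version="1.0" encoding="UTF8"?>'


def build_get(tag: str) -> bytes:
    """Wrap one get-tag in the SMARTPLUG/CMD envelope the plug insists on."""
    if tag not in GET_TAGS:
        raise ValueError(f"not a known get tag: {tag}")
    root = ET.Element("SMARTPLUG", id="edimax")
    cmd = ET.SubElement(root, "CMD", id="get")
    ET.SubElement(cmd, tag)
    return XML_DECL + ET.tostring(root)


def parse_response(raw: bytes) -> ET.Element:
    """Parse a reply and enforce the same header rule the plug applies to requests.

    The bytes are decoded first so the non-standard "UTF8" declaration never
    reaches expat; str input is always treated as UTF-8 by ElementTree.
    """
    root = ET.fromstring(raw.decode("utf-8"))
    if root.tag != "SMARTPLUG" or root.get("id") != "edimax":
        raise ValueError('XML Header error: missing <SMARTPLUG id="edimax">')
    cmd = root.find("CMD")
    if cmd is None:
        raise ValueError("reply carries no CMD element")
    return cmd


def parse_ssid_list(raw: bytes) -> list:
    """Turn an SSID_LIST reply into a list of dicts keyed by SSID_FIELDS."""
    cmd = parse_response(raw)
    networks = []
    for entry in cmd.iter("SSID_DATA"):
        networks.append({f: (entry.findtext(f) or "").strip() for f in SSID_FIELDS})
    return networks


# Constructed sample reply (not a real capture) with two visible networks.
SAMPLE_SSID_REPLY = XML_DECL + b"""
<SMARTPLUG id="edimax"><CMD id="get"><SSID_LIST>
  <SSID_DATA><SSID>HomeNet</SSID><BSSID>00:11:22:33:44:55</BSSID><CHANNEL>6</CHANNEL>
    <SIGNAL>80</SIGNAL><MODE>11bgn</MODE><ENCRYPTION>AES</ENCRYPTION><AUTHENTICATION>WPA2PSK</AUTHENTICATION></SSID_DATA>
  <SSID_DATA><SSID>OpenCafe</SSID><BSSID>66:77:88:99:aa:bb</BSSID><CHANNEL>11</CHANNEL>
    <SIGNAL>42</SIGNAL><MODE>11bgn</MODE><ENCRYPTION>NONE</ENCRYPTION><AUTHENTICATION>OPEN</AUTHENTICATION></SSID_DATA>
</SSID_LIST></CMD></SMARTPLUG>"""

if __name__ == "__main__":
    print(build_get("SSID_LIST").decode())
    for net in parse_ssid_list(SAMPLE_SSID_REPLY):
        print(net)
```

The header check is the useful part for anyone writing a client: a reply that does not start with SMARTPLUG id="edimax" is rejected up front instead of silently yielding an empty network list.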
@noneevr2
Author

These are the setup tags:

  • Some config flag
  • Device.System.Power.State (Set the relay ON, OFF, SWITCH) reason is always REMOTE
  • Device.System.Password.Password (Set the password and push to lighttpd config, not able to set username this way)
  • Device.System.Time (executes the unix date command)
  • SYSTEM_INFO (TODO)
  • SCHEDULE (TODO)
  • POWER_USAGE (either Device.System.Power.OverCurrent.UpperLimit, must be less than Device.System.Power.OverCurrent.MaxUpperLimit OR Device.System.Power.OverPower.UpperLimit, being less than Device.System.Power.OverPower.MaxUpperLimit)
  • some connection test flag
  • DANGER: there's some eval flag => will be eval'd!

@noneevr2
Author

These are other allowed tags:

reboot

Reboots the system

reset

Requires a context:

  • PROFILE
  • CONFIG
  • CONFIG_EXCEPT_NETWORK
  • POWER_DATA
  • OVER_ALARM

@noneevr2 noneevr2 changed the title All available GET payloads All available CMD payloads Sep 18, 2018
@mwittig
Owner

mwittig commented Jan 5, 2019

Thanks for the info. I have filed the info and will use this for the next release!

@mwittig mwittig closed this as completed Jan 5, 2019
@goldelico

goldelico commented Jun 21, 2019

Q1: I have found that there is also a newer http://192.168.30.2:10000/edilife.cgi which takes and responds by base64 encoded POST or content. But I could not yet make sense out of the bit patterns of the decoded packets. I was able to replay one of them and get an answer, also base64 encoded.
Using telnet mode it is possible to find the edilife.cgi binary in the file system.
Anyone with ideas about this new protocol?

Q2: is there knowledge how registration to some WLAN router works?
Unfortunately the EdiPlug.app on my iPhone 3GS fails to register so that I could not analyse the complete registration process. What I could find out is that SSID_LIST command is used first to display the SSIDs seen by the device. Choosing one for registration and typing username and password sends this first
<?xml version="1.0" encoding="UTF8"?> <SMARTPLUG id="edimax"> <CMD id="setup"> <SYSTEM_INFO> <Device.System.TimeZone.Minute>60</Device.System.TimeZone.Minute><Device.System.TimeZone.City>Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna</Device.System.TimeZone.City> </SYSTEM_INFO><Device.System.Time>20190621164354</Device.System.Time> </CMD> </SMARTPLUG>
This fails with an authorization error (although it works by sending my own commands) and obviously is only the first part of the registration process.
What I guess is that either some id="setup" or the id="reset" with parameters for device name, SSID, encryption type, password etc. should follow (all the config information I did choose or type in the EdiPlug.app) and a command that makes the device reboot in operation mode.

@noneevr2
Author

@goldelico

Think about the id attribute as if it were the HTTP request type. get is GET, while setup is POST (modifying state)

Basically the connection init works as follows:

  • Setup/sync the time (what you've seen)
  • get available ssid (will be listed in GUI)
  • setup SYSTEM_INFO for wireless credentials
  • reboot

If you really want to know how it works - take the binary into IDA and analyze the SYSTEM_INFO part of the cgi. Plz bro world too has its limits.

@goldelico

goldelico commented Jun 22, 2019

@noneevr2
Thanks! Yes, that is how I expect it to work.
There is only one missing piece: the specific XML tag names for the wireless credentials. IDA would be an option (but I have no MIPS compatible version). What I have tried is to find the credential names in the "nvc all" command without success. I also ran "strings" on the binary (I could find reset, reboot, PROFILE, CONFIG, CONFIG_EXCEPT_NETWORK etc.) but the result wasn't clear about names of wireless credentials (only SMTP credentials e.g. Device.System.SMTP.0.Server.Authorization.Password). Any hints about this?

@mwittig mwittig reopened this Jun 22, 2019
@goldelico

goldelico commented Jul 3, 2019

Well, it is quite simple: just pick one of the SSID_DATA responses (without SSID_DATA) and send these wireless credentials as an id = setup (no need for SYSTEM_INFO tags). Values are stored in nvc as Run.ConnConf.key. This makes the plug connect through that WLAN, get an IP address through DHCP and then it is possible to ping the internet through the WLAN or successfully run conntest test.
I have experimented with an unencrypted WLAN so WEP will likely need additional information for the key (may be a KEY record but there is also WEP_KEY_INDEX).
But I have not succeeded in making this setup permanent and exiting the programming mode.
A side-note: there seems to be a tag id = upgrade. I haven't researched more about it.

@goldelico

goldelico commented Jul 17, 2019

One more finding: it may be necessary to base64 encode the password.
Anyone here who knows or has an idea how to make the WLAN setup permanent and switch from programming to operation mode? reboot does wipe out the values and the device comes up still in programming mode. This is the last little bit I need to be able to control registration on some WLAN, i.e. the main task for which I still need the EdiPlug.app.

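The connection-init sequence noneevr2 outlined (time sync, SSID list, wireless setup, reboot) together with goldelico's later findings (resend the chosen SSID_DATA fields under CMD id="setup"; the key may need base64), as an added Python example that is not code from this issue or from the project. Assumptions, marked in the comments: the key is sent in a KEY element (the thread only guesses at that name), the reboot command is CMD id="reboot", and the time-zone values are the ones from the capture quoted above.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime
from typing import Optional

XML_DECL = b'<?xml version="1.0" encoding="UTF8"?>'  # as seen in the capture

# SSID_DATA fields that the Jul 3 comment says are replayed as setup values.
WIFI_FIELDS = ("SSID", "BSSID", "CHANNEL", "MODE", "ENCRYPTION", "AUTHENTICATION")


def envelope(cmd_id: str):
    """SMARTPLUG id="edimax" root plus a CMD child with the given id."""
    root = ET.Element("SMARTPLUG", id="edimax")
    return root, ET.SubElement(root, "CMD", id=cmd_id)


def serialize(root: ET.Element) -> bytes:
    return XML_DECL + ET.tostring(root)


def build_time_sync(now: datetime, tz_minutes: int, tz_city: str) -> bytes:
    """Step 1: the setup/SYSTEM_INFO time-zone message plus Device.System.Time
    formatted as %Y%m%d%H%M%S, mirroring the quoted capture."""
    root, cmd = envelope("setup")
    info = ET.SubElement(cmd, "SYSTEM_INFO")
    ET.SubElement(info, "Device.System.TimeZone.Minute").text = str(tz_minutes)
    ET.SubElement(info, "Device.System.TimeZone.City").text = tz_city
    ET.SubElement(cmd, "Device.System.Time").text = now.strftime("%Y%m%d%H%M%S")
    return serialize(root)


def build_ssid_list_get() -> bytes:
    """Step 2: ask for the networks the plug can see."""
    root, cmd = envelope("get")
    ET.SubElement(cmd, "SSID_LIST")
    return serialize(root)


def build_wifi_setup(network: dict, key: Optional[str], encode_key: bool = True) -> bytes:
    """Step 3: replay the chosen SSID_DATA record's fields under CMD id="setup".

    The KEY element name is an ASSUMPTION (the thread mentions it only as a
    guess, alongside WEP_KEY_INDEX); base64-encoding the key follows the
    Jul 17 hint and can be switched off with encode_key=False.
    """
    root, cmd = envelope("setup")
    for field in WIFI_FIELDS:
        ET.SubElement(cmd, field).text = network[field]
    if key is not None:
        value = base64.b64encode(key.encode("utf-8")).decode("ascii") if encode_key else key
        ET.SubElement(cmd, "KEY").text = value  # ASSUMED tag name
    return serialize(root)


def build_reboot() -> bytes:
    """Step 4: ASSUMED form <CMD id="reboot"/>, by analogy with id="reset"."""
    root, _ = envelope("reboot")
    return serialize(root)


def registration_sequence(network: dict, key: Optional[str], now: datetime,
                          tz_minutes: int = 60,
                          tz_city: str = "Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna") -> list:
    """The four messages, in the order the thread describes, as (label, payload)."""
    return [
        ("time-sync", build_time_sync(now, tz_minutes, tz_city)),
        ("ssid-list", build_ssid_list_get()),
        ("wifi-setup", build_wifi_setup(network, key)),
        ("reboot", build_reboot()),
    ]


# Constructed SSID_DATA record (not a real capture) used as the chosen network.
SAMPLE_NETWORK = {"SSID": "HomeNet", "BSSID": "00:11:22:33:44:55", "CHANNEL": "6",
                  "MODE": "11bgn", "ENCRYPTION": "AES", "AUTHENTICATION": "WPA2PSK"}

if __name__ == "__main__":
    for label, payload in registration_sequence(SAMPLE_NETWORK, "secret", datetime(2019, 6, 21, 16, 43, 54)):
        print(label, payload.decode())
```

Nothing here sends anything; each function only returns the bytes a client would POST, which makes it easy to diff against a Wireshark capture of the app and spot which element names or encodings still differ.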
@goldelico

Any new findings by anyone? Unfortunately I could so far not find the missing piece. Help is appreciated.

@noneevr2
Author

noneevr2 commented Sep 24, 2019 via email

@goldelico

What is a "please bro forum"?
I think this here is github for openly sharing information and ideas for the benefit of everyone.
About IDA I think I already wrote that I have not found a MIPS compatible version I could run on my machine. And I do not know MIPS assembler at all.
So it does not seem to be the easiest and best suited tool to invest my time into, just to find out one missing piece and then having it collect dust.
Yes, for someone who is already familiar with it it may be a task of just some minutes. But for someone who has to learn and probably buy these tools first, it is not worth the effort. Anyway, it would be magnitudes cheaper to buy a different branded unit where the protocol is better understood or documented. It is just a personal challenge to do some reverse engineering on the protocol (not on MIPS assembler).
So I already did have a lot of progress as shared here, without using IDA, by just inspecting the communication between the App and the device with Wireshark. Unfortunately the smartphone app for doing the setup using the old protocols is not working properly and fails to run the last step. It times out after letting me choose a network. So there is no wireless command exchange to inspect :(
So I am just asking if someone (not necessarily you) has got an idea about the command to finally make the WLAN setup permanent and switch from programming to operation mode?
