Reverse engineering the leynew WF510 light bulb adapter

A few weeks ago I ordered some WF510 WIFI enabled E27 adapters. The WF510 is a device you place between your light fixture and your light bulb, that allows you to control the light with an iOS/Android app. At $56 per lot of 3, they’re the poor man connected light bulb.

WF510 adapters

The reason I bought those adapters was to see if I could find out how the app controls the device, and build a better (open source!) app or web service around that. I always wanted to get more experience with home automation and device control.

When the package arrived yesterday, I was quick to plug one of the devices in and fire up Wireshark to see what was happening. Here’s what I found out:

All communications to and from the device are  over UDP port 5000 (The app send its packets directly to The packets contain bits of comma separated text encoded around the ascii table. I’m not sure if this method of encoding is known and documented, or if it’s proprietary to the manufacturer, but it works like this:

  • Each column of 32 characters in the table is encoded separately (i.e ` through DEL, and @ to _ )
  • For each set, the first 4 characters are shifted 12 places ahead. So @ becomes L and a becomes m, and vice versa.
  • The next 4 characters are shifted 4 places ahead: d becomes h and g becomes k, and vice versa
  • Chars in positions 16 to 19 are shifted 12 places ahead as well. So p becomes | and P becomes \, and vice versa.
  • Chars in positions 20-23 are shifted 4 places ahead, so t becomes x and { becomes w

This took me a little while to figure out, but once I did the device no longer had any secrets for me.

Device setup:

To setup the device you connect to its own WIFI Access point (named WF510-MACADDRESS). You then sends it the credentials for your home network.
Here’s the translated exchange between the app and the device:

search //knock knock, who's there

search,ACCF23022B80,leynew,WF510,room,\r\nOK-  // I'm ACCF23022B80, manufactured by leynew, model WF510, room(?)

ACCF23022B80,setonoff,0,254, // can you turn off so I can see you

setonoff,0\r\nOK- // sure

ACCF23022B80,setonoff,1,254, // and on again?

setonoff,1\r\nOK- //sure

ACCF23022B80,setnet,{network ssid},{network password},WPA2PSK,AES, // Here's the network you need to connect to, with WPA2PSK security and AES encryption (possible values are also WPAPSK and TKIP respectively)

Device Control

Turn light off

Turn light on

Dim light to 50%

What’s next?

I plan to build a library to control the devices – not sure about the stack I’m going to use, but it’s definitely going to be something I haven’t used before.

9 responses to “Reverse engineering the leynew WF510 light bulb adapter”

  1. Nice investigative work!

  2. Cool 🙂

    Did you see the “Search API” people added to Xposed for similar systems? people use it with Tasker to voice-control electricity from their phone…

    1. Interesting, haven’t seen that before. Might be a cool way to use those adapters eventually.

  3. Does the initial connection to the lightbulb’s temporary WiFi hotspot require entering a password, such as its MAC address, or is it an open WiFi hotspot? Sending your normal WiFi network password in the clear seems bad. It also seems like you could sit outside someone’s house and control their lights!

    1. The initial connection is to an open hotspot, on which you send your home wifi credentials. So yes, this is unsecure as someone could listen to that exchange and get your password. However, there’s the (undocumented) possibility to connect to the adapter via the browser, and set it to be a secure network. Once you do that, you can safely connect to it to pass it your home network credentials.

      Regarding controlling someones lights – that can only happen before you’ve set it up. Once set up and your private home network, it should be safe.

  4. Nice! Have you been playing with these anymore? Would love to hear an update! 🙂

    1. I actually made a lot of progress on a node.js library to control the appliance. I’ll do my best to open source it soon 🙂

  5. Hello, have you made any further progress on this? Get in touch, I’d like to discuss this in more depth. Thanks

  6. Wow. Great work! And great find! I’ve been looking for a poor man’s way to do home automation for some time now. This looks like it might be my entry point!

    I came across this post in search if anyone has made any progress on the LEDE lights to see if I can do the same thing. Theres not much info on them and only found them on Amazon and eBay so far. Not as cheap at around $35 a piece but they are BLE (bluetooth low energy) controlled, which may seem more preferable at times.

    For example, I want to use BLE in case the network goes down for whatever reason. For me; my home lighting is solar powered while I slowly convert the rest of the home over. When power goes out to the router, I still want to control these lights (in primary rooms) with a phone. Additionally, you can control what color the lights are. Great feature for severe weather alerts and such. (Red on warnings; orange on alerts)

    I do like these sockets though because you can use your current bulbs in rooms that aren’t as important. Which work great in combination with room occupancy sensors on the network. 😉

    Anyway, would love to see the Nodejs source! If thats not possible, I’ll just have to take your very generous research and build one myself which doesn’t look to be too difficult. We appreciate all of the work you put into this! =)

    Links to the LEDE lights in case anyone is interested. I’m sure we can look into doing something very similar to those bulbs over Bluetooth. (Links held due to moderation; replaced with names of items)

    Bluetooth LED Light Bulb 9W 800lm, Multicolor RGB, Wireless, 60 Watt Incandescent Bulbs Replacement

    Bluetooth LED Edison Screw Light Bulb, Pearl White

    Update: Got these in and love them. The only bad thing I could say is that while dimming theres a “buzz”-ish sound you can.. sounds just like power lines. And that occasionally the bluetooth lags. Both are negligible for the benefits. I.E. 80 watt replacement which consumes only 9w, multi-color, and bluetooth. =)

Leave a Reply

%d bloggers like this: