On/Off

Yoav Farhi's blog

Reverse engineering the leynew WF510 light bulb adapter

A few weeks ago I ordered some WF510 WIFI enabled E27 adapters. The WF510 is a device you place between your light fixture and your light bulb, that allows you to control the light with an iOS/Android app. At $56 per lot of 3, they’re the poor man connected light bulb.

WF510 adapters

The reason I bought those adapters was to see if I could find out how the app controls the device, and build a better (open source!) app or web service around that. I always wanted to get more experience with home automation and device control.

When the package arrived yesterday, I was quick to plug one of the devices in and fire up Wireshark to see what was happening. Here’s what I found out:

All communications to and from the device are  over UDP port 5000 (The app send its packets directly to 255.255.255.255:5000). The packets contain bits of comma separated text encoded around the ascii table. I’m not sure if this method of encoding is known and documented, or if it’s proprietary to the manufacturer, but it works like this:

  • Each column of 32 characters in the table is encoded separately (i.e ` through DEL, and @ to _ )
  • For each set, the first 4 characters are shifted 12 places ahead. So @ becomes L and a becomes m, and vice versa.
  • The next 4 characters are shifted 4 places ahead: d becomes h and g becomes k, and vice versa
  • Chars in positions 16 to 19 are shifted 12 places ahead as well. So p becomes | and P becomes \, and vice versa.
  • Chars in positions 20-23 are shifted 4 places ahead, so t becomes x and { becomes w

This took me a little while to figure out, but once I did the device no longer had any secrets for me.

Device setup:

To setup the device you connect to its own WIFI Access point (named WF510-MACADDRESS). You then sends it the credentials for your home network.
Here’s the translated exchange between the app and the device:

App:
search //knock knock, who's there

Device:
search,ACCF23022B80,leynew,WF510,room,\r\nOK-  // I'm ACCF23022B80, manufactured by leynew, model WF510, room(?)

App:
ACCF23022B80,setonoff,0,254, // can you turn off so I can see you

Device
setonoff,0\r\nOK- // sure

App
ACCF23022B80,setonoff,1,254, // and on again?

Device
setonoff,1\r\nOK- //sure

App
ACCF23022B80,setnet,{network ssid},{network password},WPA2PSK,AES, // Here's the network you need to connect to, with WPA2PSK security and AES encryption (possible values are also WPAPSK and TKIP respectively)

Device Control

Turn light off
ACCF23022B80,setbrightness,0,254,

Turn light on
ACCF23022B80,setbrightnes,100,254,

Dim light to 50%
ACCF23022B80,setbrightness,50,254,

What’s next?

I plan to build a library to control the devices – not sure about the stack I’m going to use, but it’s definitely going to be something I haven’t used before.

Yoav

, , , , ,

9 responses to “Reverse engineering the leynew WF510 light bulb adapter”

  1. Donncha Avatar
    Donncha

    Nice investigative work!

    Reply
  2. עירא - Ira Avatar
    עירא – Ira

    Cool 🙂

    Did you see the “Search API” people added to Xposed for similar systems? people use it with Tasker to voice-control electricity from their phone…

    https://www.youtube.com/watch?v=1k4lCB_dJwY

    Reply
    1. Yoav Avatar
      Yoav

      Interesting, haven’t seen that before. Might be a cool way to use those adapters eventually.

      Reply
  3. Alex Mills Avatar
    Alex Mills

    Does the initial connection to the lightbulb’s temporary WiFi hotspot require entering a password, such as its MAC address, or is it an open WiFi hotspot? Sending your normal WiFi network password in the clear seems bad. It also seems like you could sit outside someone’s house and control their lights!

    Reply
    1. Yoav Avatar
      Yoav

      The initial connection is to an open hotspot, on which you send your home wifi credentials. So yes, this is unsecure as someone could listen to that exchange and get your password. However, there’s the (undocumented) possibility to connect to the adapter via the browser, and set it to be a secure network. Once you do that, you can safely connect to it to pass it your home network credentials.

      Regarding controlling someones lights – that can only happen before you’ve set it up. Once set up and your private home network, it should be safe.

      Reply
  4. Henke Avatar
    Henke

    Nice! Have you been playing with these anymore? Would love to hear an update! 🙂

    Reply
    1. Yoav Avatar
      Yoav

      I actually made a lot of progress on a node.js library to control the appliance. I’ll do my best to open source it soon 🙂

      Reply
  5. Andrew Avatar
    Andrew

    Hello, have you made any further progress on this? Get in touch, I’d like to discuss this in more depth. Thanks

    Reply
  6. Levi Roberts Avatar
    Levi Roberts

    Wow. Great work! And great find! I’ve been looking for a poor man’s way to do home automation for some time now. This looks like it might be my entry point!

    I came across this post in search if anyone has made any progress on the LEDE lights to see if I can do the same thing. Theres not much info on them and only found them on Amazon and eBay so far. Not as cheap at around $35 a piece but they are BLE (bluetooth low energy) controlled, which may seem more preferable at times.

    For example, I want to use BLE in case the network goes down for whatever reason. For me; my home lighting is solar powered while I slowly convert the rest of the home over. When power goes out to the router, I still want to control these lights (in primary rooms) with a phone. Additionally, you can control what color the lights are. Great feature for severe weather alerts and such. (Red on warnings; orange on alerts)

    I do like these sockets though because you can use your current bulbs in rooms that aren’t as important. Which work great in combination with room occupancy sensors on the network. 😉

    Anyway, would love to see the Nodejs source! If thats not possible, I’ll just have to take your very generous research and build one myself which doesn’t look to be too difficult. We appreciate all of the work you put into this! =)

    Links to the LEDE lights in case anyone is interested. I’m sure we can look into doing something very similar to those bulbs over Bluetooth. (Links held due to moderation; replaced with names of items)

    Amazon:
    Bluetooth LED Light Bulb 9W 800lm, Multicolor RGB, Wireless, 60 Watt Incandescent Bulbs Replacement

    Ebay:
    Bluetooth LED Edison Screw Light Bulb, Pearl White

    Update: Got these in and love them. The only bad thing I could say is that while dimming theres a “buzz”-ish sound you can.. sounds just like power lines. And that occasionally the bluetooth lags. Both are negligible for the benefits. I.E. 80 watt replacement which consumes only 9w, multi-color, and bluetooth. =)

    Reply

Leave a Reply to Andrew Cancel reply

Powered by WordPress.com.

%d bloggers like this: