SONOFF Firmware OTA update - Need PCAP from wireshark!

Hey guys! I’m into IT & cyber security a little bit. I’d like to have a go at making this firmware upgrade OTA.

In order to do that, I first need to capture some network traffic with Wireshark. (EDIT! Please also use PCAPdroid on your Android phone, as I’m not sure just yet if the firmware gets downloaded to your phone first and then to the plug, and how it checks for updates.)

First things first, I need to know if it would upgrade the firmware over HTTP or HTTPS. If HTTPS, we cannot recreate the firmware upgrade file from a basic Wireshark capture. I’d have to get an outdated device myself and set up a proxy / man in the middle to basically grab the encryption keys and such myself, so that I can have software able to read the network traffic and decipher it.

Here’s how you’d capture the firmware upgrade with Wireshark. You can input a filter for the device IP address to view only relevant web traffic. As in this short video:

Hope we can figure something out! ALSO PLEASE NOTE: If you do the Wireshark capture, please unplug and then replug your device while doing the capture, before starting the firmware update process. This should help get us everything we need.
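As an added example (not from this thread, Sonoff, or eWeLink), the question the first post raises, whether the plug fetches its update over plain HTTP or over TLS, can be answered mechanically from the first bytes of each TCP stream in the capture: a plaintext request exposes the method, path and Host header, while a TLS ClientHello only exposes the server name (SNI). The sample payloads are constructed here and the host names are placeholders.

```python
import struct

# Added example: classify the first bytes of a TCP stream from the plug as
# plaintext HTTP or TLS and pull out the update host it is talking to.
def classify_payload(data: bytes) -> dict:
    if data[:5] in (b"GET /", b"POST ", b"HEAD ", b"PUT /") and b" HTTP/1." in data[:256]:
        lines = data.partition(b"\r\n\r\n")[0].split(b"\r\n")
        method, path, _ = lines[0].split(b" ", 2)
        host = None
        for line in lines[1:]:                       # look for the Host header
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"host":
                host = value.strip().decode("ascii", "replace")
        return {"proto": "http", "method": method.decode(), "path": path.decode(), "host": host}
    # TLS record: type 0x16 (handshake), version 0x03 0x0X, then ClientHello (0x01)
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return {"proto": "tls", "host": client_hello_sni(data)}
    return {"proto": "other", "host": None}

def client_hello_sni(rec: bytes):
    """Walk a TLS ClientHello and return its server_name (SNI), or None."""
    try:
        p = 5 + 4 + 2 + 32                            # record hdr, handshake hdr, version, random
        p += 1 + rec[p]                               # session_id
        p += 2 + struct.unpack_from("!H", rec, p)[0]  # cipher_suites
        p += 1 + rec[p]                               # compression_methods
        ext_end = p + 2 + struct.unpack_from("!H", rec, p)[0]
        p += 2
        while p + 4 <= ext_end:
            etype, elen = struct.unpack_from("!HH", rec, p)
            p += 4
            if etype == 0:                            # server_name: list len(2), type(1), len(2), name
                nlen = struct.unpack_from("!H", rec, p + 3)[0]
                return rec[p + 5:p + 5 + nlen].decode("ascii", "replace")
            p += elen
    except (IndexError, struct.error):                # truncated or malformed hello
        pass
    return None

def build_client_hello(server_name: str) -> bytes:
    """Constructed minimal ClientHello carrying one SNI extension (test input only)."""
    name = server_name.encode()
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + bytes(32) + b"\x00"                 # version, random, empty session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"                # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body         # handshake type + 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs   # record header
```

Feed it the reassembled payload of each stream from the device's IP (for example via Wireshark's "Follow TCP Stream" or a pcap library); an "http" result means the update check, and possibly the firmware image itself, travels in the clear.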

Not necessarily. If you control the server side (the device), Wireshark supports decrypting HTTPS captures with the certificate and private key. We do this occasionally at work.

TLS - Wireshark Wiki


I am uncertain what you are asking.

Are you asking for others to use Wireshark to capture their SONOFF firmware updates and send the pcap to you?

This would be great! I started out by capturing all the packets straight from my OpenWrt router. Can’t seem to attach a .pcap file here, so here’s a link:

The first few packets are: [screenshot]
I would hope I can see a request to check for firmware updates. I would personally just regex search the decrypted packets for the firmware number pattern.

Also, the devices may be set up to only check for updates at certain times, in which case we would need to monitor the network for an extended period of time! Not a problem here. I’d just set up something a little more robust to capture packets with a filter to ignore any irrelevant (normal) packets.

Yes! This is something I’m interested in. Although even without sharing, this is a potential OTA update method you can explore yourself!

If people could send me their .pcap files of their device receiving the firmware update, that’d be great.

Also, if you do capture the update, please unplug and replug the device into the wall while doing the capture / before the firmware update. This way we can grab all traffic necessary. If it’s already up and running we would probably not see a key (for non-IT people, a “password” so to speak) being exchanged, and the capture might not tell us much.

Just recently discovered:

  1. PCAPdroid network monitor can act as a VPN and capture the packets from my Android phone coming and going from any given app. I’ve set it up to listen to the traffic from eWeLink and got a good capture of device setup. If the device firmware update occurs through the phone (phone downloads from Sonoff, then uploads to device), this is all we’d need! See packets captured of device setup only here: PCAPDroidSonoffPlugSetup.pcap - Google Drive
  2. The Sonoff devices have a compatibility setup mode that exposes some more functionality. No luck here yet though. Very similar to this tutorial: once in compatibility pairing mode, you can connect to the ITEAD hotspot from the plug, navigate to 10.10.7.1 and you’ll be greeted with a blank page, unlike their other devices.

Here’s a packet capture from PCAPdroid; with PCAPdroid we can see the text sent to the Sonoff in plain text. (Image removed due to rules, please see linked capture file.)

I’ve not been able to do complete reconnaissance on the smart plug. The problem is it only stays in compatibility pairing mode for a short time, then disables it. This only gives me enough time to use Nmap to scan a limited number of ports (picture removed due to rules; from my incomplete scan we only have 8081 open after setup and 80 open during setup).

Basically I’d have to automate the process of unplugging the smart plug, plugging it back in, and then pressing the button. I could do this with a Raspberry Pi, but I think the best way forward is still to capture a firmware update. That would eliminate all of this reconnaissance work that is possibly irrelevant.