Reverse Engineering the Orvibo S20c WiFi Switch

And now for our thrilling conclusion!

27 Jun 2017

I’ve got an Orvibo S20 WiFi switch hooked up to the light on one of my fish tanks. It’s great; cheap[1], easy to set up[2] and plays nicely with HomeAssistant so I can script it to turn on and off[3].

I’ve recently bought a second fish tank, so I ordered another two switches - again from AliExpress, this time for $15 each. The packaging had changed a bit, and it wasn’t until I had opened things up and tried to plug them in that I found that I had been sent the “new” S20c switches instead. Physically these look identical[4] but seem to have very different internals, are controlled by a different app[5] and talk a different protocol.

Figure: The front of an S20c. (Photo: William Hughes)

Figure: The rear of an S20c. (Photo: William Hughes)

Figure: The S20c internals. Note the chip labeled '8266'. (Photo: William Hughes)

On the advice of a colleague I cracked open one of my switches (this was actually really easy: undo one screw on the back, and use a spudger to pop the front off) to see if there was an easy way to reprogram them. It turns out that many of these cheap WiFi-enabled devices that have been produced in the last couple of years use an Espressif 8266 SoC, and some manufacturers are even so kind as to leave pads (and in one case, a full connector) for an FTDI-to-USB adapter on the board. This would, in theory at least, let you write your own firmware and flash it onto the SoC.

No such luck in this case, although the device does seem to run on an 8266. There isn’t anywhere on the top of the board that I can see where I could tap into a serial connection. You probably could solder wires onto the chip, but my soldering skills probably aren’t up to the task. I couldn’t work out how to get the board out of the case to check the bottom without de-soldering the plug part, and the goal is to have a working switch at the end of all this.

Next step: get the control app installed on an old phone, and try to capture some packets.