Sonoff that does not advertise ITEAD- WiFi #20
Comments
If the DNS spoof works, you should be able to run sonota with the It may also need to skip the first step (as SonOTA won't be configuring it, you'll be using the eWeLink app to do that), so if you comment out Let me know if it works, and I can also add a command line option to start at stage 2 automatically.
I am willing to test the procedure you said. I did:
testing with ping
and this happens:
No FinalStage WiFi advertised though.
Hmm, that's not connecting at all. Are you able to run dnsspoof on your router?
I used this method for DNS spoofing: When I get time I will try the tcpdump. What should I check?
I also did a dns spoof on B1 and was able to flash the device.
I connected to the FinalStage SSID, and it eventually disappeared. I can see on the router that the bulb has an ARP entry with hostname ESP_xxxx, but it does not respond to ping. The router shows that it is still asking for a DHCP lease.
Is there any way to revive this?
I did not realise that B1 had changed into an AP, and was broadcasting the Sonoff SSID. I was able to connect to it and update to the latest Tasmota. B1 can be flashed by SonOTA!
Thanks @rajil - I was just going to suggest that when you replied :) @ageorgios If we can get the DNS spoofing working like we want, this shows it should work :) Cheers.
Yes, both DHCP and gateway are on a pfSense router.
I installed a new DNS server (dnsmasq) on raspberry pi to make sure the DNS resolves ok.
What am I doing wrong?
@sillyfrog, I can also confirm that BN-SZ01 works. The instructions are the same as B1. Start pairing with eWeLink and then the computer takes over.
@ageorgios, my only suggestion is to use the Pi as your DHCP server and gateway as well, as @rajil did. I had something similar (from memory, so not 100% sure), where that was the only way I could inspect the traffic. I ended up setting up a spare WiFi AP I had just so I could get inline to mess with the traffic when doing the initial reverse engineering (before finding this project).
@rajil Thanks for the update, I have put that on the Wiki as well!
I'm not able to get this to work with my Sonoff B1. I'm spoofing eu-disp.coolkit.cc to my machine on 192.168.2.100, and using Wireshark, I can see the Sonoff hitting it with a request, but the sonota.py output never logs anything received, and I never see FinalStage as an available wireless network. I also tried spoofing all calls to *.coolkit.cc to the machine running sonota, and logged the output. Attached is the text output, and the pcapng file is at this link.
@jptrsn Can you include your debug_######.log file as well? Looking at the traffic dump something appears to be dropping the link, so please also ensure all firewalls are turned off.
Worked well for me to flash B1. Couple of things:
I have an OpenWrt Chaos Calmer router and a Sonoff Basic, trying to flash from host 158.168.1.53 config domain
@dony71 - I use Tomato, not OpenWrt, but I'd guess you just need to add
@oglodyte your suggestion is working. Thanks
I managed to flash the Sonoff B1 using the instructions provided above. DNS spoofed by adding the line mentioned by 'oglodyte' above (plus a few more general ones like coolkit.cc and coolkit.cn to be sure) to dnsmasq.conf in my Almond Plus, and then running the command stated by ageorgios. Then afterward I compiled the latest development branch of Sonoff-Tasmota (5.10.0a) which supports configuring the module as a Sonoff B1. I uploaded the minimal firmware to the bulb, then after that loaded I uploaded the full firmware. It's now working!
"so if you comment out stage1() on line 624 in sonota.py" - can you attach the modified sonota.py, as I am not able to understand clearly what I should do.
@ahzazou In the current release, you can do the same thing by running it with
Hi guys, I'm unable to flash mine. I've followed the steps by @oglodyte, to no avail. I've done a packet capture; it seems the B1 is doing a DNS lookup and retrieves the spoofed response, but still connects to a (hardcoded?) IP address: 52.28.157.61. Packet capture attached: Sonoff B1: 10.9.8.70, DNS/GW: 10.9.8.254, Laptop running SonOTA: 10.9.8.4 Does anyone have any ideas? Thanks!
Just want to say a big thank you to all who worked on this. I just flashed 4 units: 2 x T1 Gang 2 units and 2 x T1 Gang 3 units. I saw that the version of firmware on the units according to the app was 2.0.1.
@bennnnnnnn I may be having a similar problem trying to flash the RF Bridge. Looks like it is trying to connect to my spoofed server a few times, but it does not result in a firmware update. Then it connects to the AWS server IP (also w/out DNS query) and works with the eWeLink app. Sonoff RF Bridge firmware is 1.1.0 (latest today). Attached log and packet capture. RF Bridge 192.168.5.150. SonOTA server 192.168.5.3. Also out of ideas, but hope @sillyfrog can see something there.
Same issue here as @bennnnnnnn. Maybe it checks the server certificate? I notice that on my spoofed server there is just a "Client Hello" and a "Server Hello, Certificate, Server Hello Done" as response over TLSv1.2 (three times). Update:
@oglodyte, can you try generating a self-signed certificate from here
@tyjtyj I tried locally with a new self-signed certificate (from the site you mentioned); it seems it didn't make a difference...
Thx @laDanz, I hate the fact that the SSL error shown above means there is a cert installed on the client device (the Sonoff) which will match with the server. I can only think of spoofing the IP address 52.28.157.61 itself, which might not work as the client cert still doesn't match the server cert, but worth a try
@tyjtyj spoofing the IP wasn't working for me either: still not a successful SSL handshake:
Hi, as you can see the Sonoff sends FIN, ACK, meaning it is asking to close the connection. It seems it found the server cert does not match the one it has. I tried to clone all I can from the cert hoping something works. Can you try the cert below? This is the cert/crt.
This is the key
Based on the last few posts, it sounds like #58 unfortunately... :(
Any update on this? Like, I am on a Mac, I have a router that I was going to use with DD-WRT, and I have the AT&T router which is useless, so that is the reason for the DD-WRT. Is there any step by step on how to spoof in this configuration? I went into my Mac settings and set the DNS to the DD-WRT, and was able to ping us-disp.coolkit.cc and eu just in case, no problem. On the DD-WRT I used dnsmasq and did address=/us-disp.coolkit.cc/192.168.1.XXX I ran this command sudo ./sonota.py --legacy --wifi-ssid mywifi --wifi-password mypassword --serving-host 192.168.1.XXX I never see the ITEAD SSID pop up, nothing, so I guess I am at step 1. Can anyone lend a hand here? I really don't want to solder a header on all these bulbs
Hey all, I have a B1-v2 with 2.0.3 on it in the US. I have been hitting a wall with this since last night... My pi-hole is masking...
"sonota.exe --legacy --no-prov" just does the ..... then the message and .... over and over. I removed my bulb from the app and re-added it by doing the on-off-on-off-on with a 2 sec pause between, and it just adds it to the app and starts working from the ITEAD cloud. Looking for blue skies (no clouds) without solder, as I want to get a few more of these if it works out. Thanks in advance,
Does anyone have any update on this issue? Like a chump, I spent the day learning to spoof/masq, then eventually when it didn't work, I scrolled down to find security cert issues. :-/ If anyone has a way ahead, it would be appreciated, as I have a B1 with a lifted pad, stopping me soldering.
I have the same issue as Tom. The bulb is in pairing mode, I ran the command, but nothing happens
What is the procedure for Sonoff devices (like B1) that do not advertise a WiFi SSID ITEAD-*?
One can use dnsspoof with a hosts file:
192.168.X.X eu-disp.coolkit.cc
Can I use SonOTA when the Sonoff device is connected to my local network?
If so what is the command?
Thank you.
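Both the dnsspoof hosts file asked about here and the dnsmasq address= lines @oglodyte suggested (plus the catch-all coolkit.cc/coolkit.cn entries other commenters added) only help if they cover every hostname the device actually looks up. The following is an added example, not SonOTA's or the project's code: it parses either format the way the respective tool matches names and reports hostnames a config would leave uncovered. SAMPLE_CONF and HOSTS_SEEN are constructed, and 192.168.2.100 is an assumed address for the machine running sonota.py.

```python
# Added example, not SonOTA code: checks whether a DNS-spoofing config covers
# the hostnames a Sonoff queries, for both formats in this thread (dnsmasq
# "address=/domain/ip" lines and a dnsspoof hosts file, "ip hostname" with
# wildcards). SAMPLE_CONF/HOSTS_SEEN are constructed; 192.168.2.100 = sonota host.
import fnmatch


def parse_rules(text):
    """Return (pattern, ip, kind) tuples from either config format."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        if line.startswith("address=/"):          # dnsmasq style
            _, domain, ip = line.split("/", 2)
            rules.append((domain.lower().strip("."), ip, "dnsmasq"))
        else:                                     # dnsspoof hosts style
            ip, pattern = line.split(None, 1)
            rules.append((pattern.lower(), ip, "dnsspoof"))
    return rules


def spoofed_ip(hostname, rules):
    """IP the spoofer answers for hostname, or None if it is not covered.
    dnsmasq: a domain matches itself and all subdomains, longest wins;
    dnsspoof: shell-style wildcard match, first matching line is taken."""
    host = hostname.lower().rstrip(".")
    best = None
    for pattern, ip, kind in rules:
        if kind == "dnsspoof":
            if fnmatch.fnmatchcase(host, pattern):
                return ip
        elif host == pattern or host.endswith("." + pattern):
            if best is None or len(pattern) > len(best[0]):
                best = (pattern, ip)
    return best[1] if best else None


def uncovered(hostnames, rules):
    """Hostnames the config would let through to the real resolver."""
    return [h for h in hostnames if spoofed_ip(h, rules) is None]


SAMPLE_CONF = """address=/eu-disp.coolkit.cc/192.168.2.100
address=/coolkit.cc/192.168.2.100
address=/coolkit.cn/192.168.2.100
"""
HOSTS_SEEN = ["eu-disp.coolkit.cc", "us-disp.coolkit.cc", "pool.ntp.org"]
```

Feed it the hostnames seen in your own packet capture (e.g. `uncovered(HOSTS_SEEN, parse_rules(SAMPLE_CONF))`); it cannot tell you whether the device honours the answer, and as several comments in this thread show, a device that connects straight to the hard-coded address 52.28.157.61 or rejects the server certificate bypasses the spoof entirely.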