Reverse engineering the leynew WF510 light bulb adapter

A few weeks ago I ordered some WF510 WIFI-enabled E27 adapters. The WF510 is a device you place between your light fixture and your light bulb that allows you to control the light with an iOS/Android app. At $56 per lot of 3, they’re the poor man’s connected light bulb.

WF510 adapters

The reason I bought those adapters was to see if I could find out how the app controls the device, and build a better (open source!) app or web service around that. I always wanted to get more experience with home automation and device control.

When the package arrived yesterday, I was quick to plug one of the devices in and fire up Wireshark to see what was happening. Here’s what I found out:

All communications to and from the device are over UDP port 5000 (The app sends its packets directly to The packets contain bits of comma-separated text encoded around the ASCII table. I’m not sure whether this method of encoding is known and documented or proprietary to the manufacturer, but it works like this:

  • Each column of 32 characters in the table is encoded separately (i.e. ` through DEL, and @ through _)
  • For each set, the first 4 characters are shifted 12 places ahead. So @ becomes L and a becomes m, and vice versa.
  • The next 4 characters are shifted 4 places ahead: d becomes h and g becomes k, and vice versa.
  • Chars in positions 16 to 19 are shifted 12 places ahead as well. So p becomes | and P becomes \, and vice versa.
  • Chars in positions 20 to 23 are shifted 4 places ahead, so t becomes x and, in the reverse direction, { becomes w.

This took me a little while to figure out, but once I did the device no longer had any secrets for me.
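
The substitution described above, written out as an added example (not the author's code; the function names are hypothetical). It builds the table from the four rules and checks that the result equals XOR with 0x0C on bytes 0x40 to 0x7F, which means the scheme is a fixed, keyless mapping that obscures the text rather than protecting it. It assumes bytes outside those two columns (digits, commas, CR/LF) are sent unchanged, which the post does not state.

```python
# Added example (not the author's code). Names here are hypothetical.
# Assumption: bytes outside 0x40-0x7F (digits, commas, CR/LF) pass through
# unchanged; the write-up only describes the two 32-character columns.

COLUMN_BASES = (0x40, 0x60)   # '@' through '_' and '`' through DEL

# (first position, last position, shift) inside one 32-character column,
# taken from the four bullets above.
FORWARD_RULES = (
    (0, 3, 12),     # '@' -> 'L', 'a' -> 'm'
    (4, 7, 4),      # 'd' -> 'h', 'g' -> 'k'
    (16, 19, 12),   # 'p' -> '|', 'P' -> '\'
    (20, 23, 4),    # 't' -> 'x'
)


def build_table() -> bytes:
    """Build the 256-entry substitution table from the described rules."""
    table = list(range(256))
    for base in COLUMN_BASES:
        for first, last, shift in FORWARD_RULES:
            for pos in range(first, last + 1):
                src, dst = base + pos, base + pos + shift
                table[src] = dst
                table[dst] = src   # the "and vice versa" half of each rule
    return bytes(table)


TABLE = build_table()


def transcode(data: bytes) -> bytes:
    """Encode or decode a payload; the mapping is its own inverse."""
    return data.translate(TABLE)


def is_fixed_xor(mask: int = 0x0C) -> bool:
    """True if the table equals XOR with `mask` over bytes 0x40-0x7F."""
    return all(TABLE[b] == b ^ mask for b in range(0x40, 0x80))


if __name__ == "__main__":
    # Command text taken from the translated exchange in the post.
    wire = transcode(b"ACCF23022B80,setonoff,0,254,")
    print(wire, transcode(wire), is_fixed_xor())
```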

Device setup:

To set up the device, you connect to its own WIFI access point (named WF510-MACADDRESS). You then send it the credentials for your home network.
Here’s the translated exchange between the app and the device:

search //knock knock, who's there

search,ACCF23022B80,leynew,WF510,room,\r\nOK-  // I'm ACCF23022B80, manufactured by leynew, model WF510, room(?)

ACCF23022B80,setonoff,0,254, // can you turn off so I can see you

setonoff,0\r\nOK- // sure

ACCF23022B80,setonoff,1,254, // and on again?

setonoff,1\r\nOK- //sure

ACCF23022B80,setnet,{network ssid},{network password},WPA2PSK,AES, // Here's the network you need to connect to, with WPA2PSK security and AES encryption (possible values are also WPAPSK and TKIP respectively)

Device Control

Turn light off

Turn light on

Dim light to 50%

What’s next?

I plan to build a library to control the devices – not sure about the stack I’m going to use, but it’s definitely going to be something I haven’t used before.

8 thoughts on “Reverse engineering the leynew WF510 light bulb adapter”

  1. Does the initial connection to the lightbulb’s temporary WiFi hotspot require entering a password, such as its MAC address, or is it an open WiFi hotspot? Sending your normal WiFi network password in the clear seems bad. It also seems like you could sit outside someone’s house and control their lights!

    1. The initial connection is to an open hotspot, on which you send your home wifi credentials. So yes, this is unsecure as someone could listen to that exchange and get your password. However, there’s the (undocumented) possibility to connect to the adapter via the browser, and set it to be a secure network. Once you do that, you can safely connect to it to pass it your home network credentials.

      Regarding controlling someone’s lights – that can only happen before you’ve set it up. Once set up and on your private home network, it should be safe.

    1. I actually made a lot of progress on a node.js library to control the appliance. I’ll do my best to open source it soon :)

  2. Hello, have you made any further progress on this? Get in touch, I’d like to discuss this in more depth. Thanks
