Reverse engineering the leynew WF510 light bulb adapter

A few weeks ago I ordered some WF510 WIFI enabled E27 adapters. The WF510 is a device you place between your light fixture and your light bulb, that allows you to control the light with an iOS/Android app. At $56 per lot of 3, they’re the poor man connected light bulb.

WF510 adapters

The reason I bought those adapters was to see if I could find out how the app controls the device, and build a better (open source!) app or web service around that. I always wanted to get more experience with home automation and device control.

When the package arrived yesterday, I was quick to plug one of the devices in and fire up Wireshark to see what was happening. Here’s what I found out:

All communications to and from the device are  over UDP port 5000 (The app send its packets directly to 255.255.255.255:5000). The packets contain bits of comma separated text encoded around the ascii table. I’m not sure if this method of encoding is known and documented, or if it’s proprietary to the manufacturer, but it works like this:

  • Each column of 32 characters in the table is encoded separately (i.e ` through DEL, and @ to _ )
  • For each set, the first 4 characters are shifted 12 places ahead. So @ becomes L and a becomes m, and vice versa.
  • The next 4 characters are shifted 4 places ahead: d becomes h and g becomes k, and vice versa
  • Chars in positions 16 to 19 are shifted 12 places ahead as well. So p becomes | and P becomes \, and vice versa.
  • Chars in positions 20-23 are shifted 4 places ahead, so t becomes x and { becomes w

This took me a little while to figure out, but once I did the device no longer had any secrets for me.

Device setup:

To setup the device you connect to its own WIFI Access point (named WF510-MACADDRESS). You then sends it the credentials for your home network.
Here’s the translated exchange between the app and the device:

App:
search //knock knock, who's there

Device:
search,ACCF23022B80,leynew,WF510,room,\r\nOK-  // I'm ACCF23022B80, manufactured by leynew, model WF510, room(?)

App:
ACCF23022B80,setonoff,0,254, // can you turn off so I can see you

Device
setonoff,0\r\nOK- // sure

App
ACCF23022B80,setonoff,1,254, // and on again?

Device
setonoff,1\r\nOK- //sure

App
ACCF23022B80,setnet,{network ssid},{network password},WPA2PSK,AES, // Here's the network you need to connect to, with WPA2PSK security and AES encryption (possible values are also WPAPSK and TKIP respectively)

Device Control

Turn light off
ACCF23022B80,setbrightness,0,254,

Turn light on
ACCF23022B80,setbrightnes,100,254,

Dim light to 50%
ACCF23022B80,setbrightness,50,254,

What’s next?

I plan to build a library to control the devices – not sure about the stack I’m going to use, but it’s definitely going to be something I haven’t used before.

9 thoughts on “Reverse engineering the leynew WF510 light bulb adapter

  1. Does the initial connection to the lightbulb’s temporary WiFi hotspot require entering a password, such as its MAC address, or is it an open WiFi hotspot? Sending your normal WiFi network password in the clear seems bad. It also seems like you could sit outside someone’s house and control their lights!

    1. The initial connection is to an open hotspot, on which you send your home wifi credentials. So yes, this is unsecure as someone could listen to that exchange and get your password. However, there’s the (undocumented) possibility to connect to the adapter via the browser, and set it to be a secure network. Once you do that, you can safely connect to it to pass it your home network credentials.

      Regarding controlling someones lights – that can only happen before you’ve set it up. Once set up and your private home network, it should be safe.

    1. I actually made a lot of progress on a node.js library to control the appliance. I’ll do my best to open source it soon :)

  2. Hello, have you made any further progress on this? Get in touch, I’d like to discuss this in more depth. Thanks

  3. Wow. Great work! And great find! I’ve been looking for a poor man’s way to do home automation for some time now. This looks like it might be my entry point!

    I came across this post in search if anyone has made any progress on the LEDE lights to see if I can do the same thing. Theres not much info on them and only found them on Amazon and eBay so far. Not as cheap at around $35 a piece but they are BLE (bluetooth low energy) controlled, which may seem more preferable at times.

    For example, I want to use BLE in case the network goes down for whatever reason. For me; my home lighting is solar powered while I slowly convert the rest of the home over. When power goes out to the router, I still want to control these lights (in primary rooms) with a phone. Additionally, you can control what color the lights are. Great feature for severe weather alerts and such. (Red on warnings; orange on alerts)

    I do like these sockets though because you can use your current bulbs in rooms that aren’t as important. Which work great in combination with room occupancy sensors on the network. ;)

    Anyway, would love to see the Nodejs source! If thats not possible, I’ll just have to take your very generous research and build one myself which doesn’t look to be too difficult. We appreciate all of the work you put into this! =)

    Links to the LEDE lights in case anyone is interested. I’m sure we can look into doing something very similar to those bulbs over Bluetooth. (Links held due to moderation; replaced with names of items)

    Amazon:
    Bluetooth LED Light Bulb 9W 800lm, Multicolor RGB, Wireless, 60 Watt Incandescent Bulbs Replacement

    Ebay:
    Bluetooth LED Edison Screw Light Bulb, Pearl White

    Update: Got these in and love them. The only bad thing I could say is that while dimming theres a “buzz”-ish sound you can.. sounds just like power lines. And that occasionally the bluetooth lags. Both are negligible for the benefits. I.E. 80 watt replacement which consumes only 9w, multi-color, and bluetooth. =)

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s