ITEAD’s Sonoff line is a range of Internet-of-Things devices based around the ESP8266. This makes them popular for hacking because of their accessibility. Previous projects have worked out how to reflash the Sonoff devices, but for [mirko], that wasn’t enough – it was time to reverse engineer the Sonoff Over-The-Air update protocol.
[mirko]’s motivation is simple enough – a desire for IoT devices that don’t need to phone home to the corporate mothership, combined with wanting to avoid the labor of cracking open every Sonoff device to reflash it with wires like a Neanderthal. The first step involved connecting the Sonoff device to WiFi and capturing the traffic. This quickly turned up an SSL connection to a remote URL. This was easily intercepted, as the device doesn’t do any certificate validation – but a lack of security is sadly never a surprise on the Internet of Things.
After capturing the network traffic, [mirko] set about piecing together the protocol used to perform the OTA updates. After a basic handshake between client and server, the server can ask the client to take various actions – such as downloading an updated firmware image. After figuring out the messaging format, [mirko] set out to write a webserver in Python to replicate this behaviour.
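To make the protocol shape and the missing checks concrete, here is an added example (not [mirko]’s code and not ITEAD’s real message format) that models the exchange in-process: a handshake, an “update” instruction from the server, and a client that fetches the image. The client side carries the two checks whose absence is what makes the captured session interceptable: a TLS context that actually validates the server certificate (shown beside the “accept anything” configuration the article’s finding corresponds to) and a size/digest check on the downloaded image before it would be flashed. The `register`/`update` actions, the `deviceid` field, the hostname and the firmware bytes are all constructed assumptions.

```python
"""Constructed model of an OTA update exchange plus the client-side checks
that make an intercepted session harmless. Message fields, hostnames and the
image bytes are assumptions, not the captured Sonoff protocol."""
import hashlib
import hmac
import json
import ssl
from typing import Callable, Optional, Tuple

# Constructed sample image; a real one would be the OTA-formatted binary.
SAMPLE_FIRMWARE = b"\xe9\x01\x02\x00" + b"constructed firmware body" * 8
SAMPLE_URL = "https://updates.example.invalid/firmware.bin"  # hypothetical host


def server_response(handshake: dict, firmware: bytes, url: str) -> dict:
    """Update-server side: after a basic handshake, tell the client which
    image to fetch. The 'register' action and 'deviceid' field are assumed."""
    if handshake.get("action") != "register" or "deviceid" not in handshake:
        return {"error": "unexpected handshake"}
    return {
        "action": "update",
        "url": url,
        "size": len(firmware),
        "sha256": hashlib.sha256(firmware).hexdigest(),
    }


def insecure_tls_context() -> ssl.SSLContext:
    """No certificate validation: any certificate from any name is accepted,
    which is why the article's capture could be intercepted at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def validating_tls_context(ca_pem_path: Optional[str] = None) -> ssl.SSLContext:
    """Hardened form: verify the chain (against a pinned CA file if given)
    and require the certificate name to match the update host."""
    ctx = ssl.create_default_context(cafile=ca_pem_path)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def verify_image(image: bytes, expected_size: int, expected_sha256: str) -> bool:
    """Reject any image that does not match the announced size and digest."""
    if len(image) != expected_size:
        return False
    actual = hashlib.sha256(image).hexdigest()
    return hmac.compare_digest(actual, expected_sha256)


def handle_server_message(raw: str, fetch: Callable[[str], bytes]) -> Tuple[str, Optional[bytes]]:
    """Client side: dispatch one server message. Returns ('flash', image)
    only when the downloaded image passes verification."""
    try:
        msg = json.loads(raw)
    except ValueError:
        return ("rejected", None)
    if not isinstance(msg, dict) or "error" in msg:
        return ("rejected", None)
    if msg.get("action") != "update":
        return ("ignored", None)
    try:
        image = fetch(msg["url"])
        ok = verify_image(image, int(msg["size"]), str(msg["sha256"]))
    except (KeyError, ValueError, TypeError):
        return ("rejected", None)
    return ("flash", image) if ok else ("rejected", None)


def run_exchange(tamper: bool = False) -> str:
    """Drive a full handshake -> update -> verify round trip in-process.
    With tamper=True the simulated download returns a modified image."""
    handshake = {"action": "register", "deviceid": "constructed-0001"}
    reply = json.dumps(server_response(handshake, SAMPLE_FIRMWARE, SAMPLE_URL))

    def fetch(url: str) -> bytes:
        # Stand-in for the HTTPS download; same length, last byte changed.
        assert url == SAMPLE_URL
        return SAMPLE_FIRMWARE[:-1] + b"!" if tamper else SAMPLE_FIRMWARE

    outcome, _image = handle_server_message(reply, fetch)
    return outcome


if __name__ == "__main__":
    print("genuine image:", run_exchange())             # flash
    print("tampered image:", run_exchange(tamper=True))  # rejected
```

The digest in the server reply only helps if the reply itself arrives over a validated channel (or the image is signed with a key the device already holds); with the `insecure_tls_context()` configuration, whoever sits in the path controls both the announced digest and the download, so the two checks belong together.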
There are some pitfalls – firmware images need to be formatted somewhat differently for OTA updates versus the normal serial upload method, as this process leaves the stock bootloader intact. There’s also the split-partition flash storage system to deal with, which [mirko] is still working on.
Regardless, it’s great to see hackers doing what they do best – taking control over hardware and software to serve their own purposes. To learn more, why not check out how to flash your Sonoff devices over serial? They’re just an ESP8266 inside, after all.