Details about the Chacon WIFI socket

Published on 2021-11-27. Updated on 2022-02-02.

This article contains details about the traffic made by Chacon sockets and what represents most of it. I still have a lot of traffic to decrypt (and to understand the functions and variables in the Chacon Home application). Bonus, some additional information.

2022-02-02 update.
It looks like Chacon has updated the sockets, the new code is 53017. I'll buy one to see what's new.

2022-02-26 update.
I noticed that starting with 24.02.2022 (when war in Ukraine started) the Chacon Home application didn't work anymore. I checked on several connections and from several ISPs, but also from several countries. Thus, I consider that PHP-Chacon is a very good "backup" solution in such situations.

Chacon WIFI socket (code: 53012)


Table of contents

About the socket

From the manufacturer's website:

Control your electrical devices from anywhere using your smartphone.

• Remote control with your smartphone from anywhere in the world, via Internet
• Voice control compatible with Amazon Alexa and Google Home
• Easy to install in a single step directly from your smartphone
• Multi-function hourly programming
• Countdown
• Presence simulation (theft prevention)
• Programming of time slots
• Free Chacon Home smartphone and tablet application on Android and iOS
• The same application as for Chacon Home Multi-socket strip and modules
• 6 A 230 V AC 50 Hz MAX 3500 W
• Wi-Fi: 2.4 GHz 802.11b/g/n

This socket has some extremely interesting things which makes it very attractive for any home. First of all, the price on the official website is 16.90, so I think it is one of the cheapest on the market. Secondly, it can support a load of up to 3500W and is therefore ideal for houses that have strictly electric heating. Considering this aspect, I can only think that this socket is ideal to be able to lower the electricity bills.

The fact that it can be controlled with Amazon Electra or Google Home are just as good bonuses.

At the base of this devices is the WiFi chip LPB1xx produced by Hi-Flying Technology. For some older sockets it is LPB100 which also has a detailed web interface in which you can do a lot (I will not enter in details), but for newer sockets it is LPB130 which has a very small web interface from which you can only set the WiFi part. See Web Gui below.

The most fun part about this chipset is that it can be controlled with udp network traffic, the only thing needed is understanding the traffic and because it is encrypted, finding the encryption key.

What I'm after

I am very tired of network scans made from IPs in China, Vietnam, Cyprus or Russia that I at least block absolutely all traffic to/from these IP blocks in the firewall. And because these sockets unfortunately have communications with IPs from China, I had to find a way to use these sockets without allowing them traffic outside of my network. Unfortunately the registration part needs internet, but after that the traffic can be stopped in the firewall.

Mode of operation

The default communication is between the Chacon Home application and sockets within the same WLAN. Also the sockets can be controlled from the application via 3G/4G, thanks to cloud services (Amazon), but if you are like me and you are looking for no communications with Chinese IP addresses, then this document is just for you. Socket communication is done via UDP using port 18530 and packets have a size of 25 bytes. Therefore, we can control these outlets with our own scripts from a linux box instead of the Chacon Home application, the only thing we need to do is understand the traffic between the sockets and the application, so that we can reproduce it. This document is exactly about that, about what happens in the communication between sockets and the application.

(bonus) Web Gui

When the socket has registered in the WLAN, you can access the WebGUI with the browser. The access data are.

Old firmware:
Login: admin
Password: admin

New firmware:
Login: admin
Password: Lumlink@100
LPB100 interface
LPB130 interface

All devices have a hard-coded firmware flash webpage at (I recommend not going to this page unless you know what you are doing):


Dumping and decrypting wifi packets

There are 2 ways to intercept traffic from a wifi network. In any case, tshark must be installed (it is part of the Wireshark package)

  1. Intercepting WIFI traffic from a laptop/desktop (with a good wireless network card which support monitoring mode) connected to a WIFI router.
  2. Use a RaspberryPI as a WIFI router. This is the most convenient and the simplest. RaspAP is a perfect tool.

Option 1

Intercept and dump to a file, which will be read after (in my example I'm using a MacbookPro).

tshark -i en0 -I -w output.pcap

Now open the Chacon Home application and refresh over the registered sockets to generate some traffic or you can also turn the sockets on or off. You can stop the interception of traffic when you consider that you have generated enough traffic and so we can look in the dump.

tshark -r output.pcap -Y udp -Y udp.dstport==8530 -Y udp.srcport!=8530  -T fields -e data -e ip.addr

Sample output:

Option 2

Intercept traffic directly from your wireless router.

tshark -i wlan0  -Y udp -Y udp.dstport==8530 -Y udp.srcport!=8530  -T fields -e data -e ip.addr

Output should be the same as above.

Well, these packets seem familiar to some extent, for example we can understand that "ffffffffffff" is the broadcast address for example and in other cases you will see the mac of the socket. The first part seems to be a constant but after the mac address .... pause. The rest of the packet seems to be encrypted so we need to find the encryption type and key. The easiest way is to use a java decompiler (Bytecode Viewer, Jadx, etc.) and so you can open the Chacon Home application and search for the key. I won't go into details but that's how I found the key.

Encryption key: 1234567890abcdef
Encryption type: AES/CBC/NoPadding

The encryption part is a bit unclear to me, I have to study a little more. In the application I see the following:

public class EspAES {
        private static final String TRANSFORMATION_DEFAULT = "AES/ECB/PKCS5Padding";
        private Cipher mDecryptCipher;
        private Cipher mEncryptCipher;
        private final byte[] mIV;
        private final byte[] mKey;
        private final String mTransformation;

It's pretty funny that now I see that the encryption key can be found quite easily on the internet, I've found it in several places lately, but the most interesting thing is that somehow someone made public the source code for the firmware :). It's old, but it's enough for a skilled enough programmer (which I'm not). For the curios you can go to this link

Full packet details

01 = Prefix (constant)
4X = It depends on the type of action
MAC = MAC address
LE = Length of encrypted payload

Encrypted payload

00 = Prefix (constant)
PN = Packet number
CC = Company Code
DT = Device Type
AUTH = Auth Code
CMD = Command
ARG = Command argument
PAD = Padding     

PN = The socket has an internal packet counter that increases with each command. The PN is added to the query in the application, and the socket response always has the same PN. Lucky enough, the socket will always accept FFFF on any command sent.

Packet structure

Example: search packet

0140ffffffffffff10 9d68e044c2aa8f707efaee81ad1638d7
Non-encrypted part Encrypted part
9 bytes How many bytes depends on the command

Non encrypted part

01 40 ffffffffffff 10
Prefix Lock status MAC address Length of encrypted data
Constant 40 = open
42 = response (open)
44 = locked
46 = response (locked)
1 byte 1 byte 6 byte 1 byte

Encrypted part

00 04EB 00 F1 21B4 23 ffffffffffff 0202
Prefix Packet number Company code Device type Auth code Command Argument Padding
Prefix = constant.
Packet number = the socket has an internal packet counter and does not accept commands with lower packet numbers. A response has the same packet number as the command sent, but the counter is increased. The range is from 00 00 to FF FF, ie 65535. Then the counter is reset by the socket. We can always use FF FF to make sure that the command is accepted.  (If we can handle it without counting the packets).
Company code = 00 is always the device with Chacon Home application. Everything else is a company identifier (eg. df = chacon, c1 = silvercrest).
Command = depends on the desired action.
Argument = argument of the command, depends on the command.
Padding = depends on command and argument.


Turn on/off

App Turn on/off
Socket Event

Turn 010000FFFF04040404 ON
01000000FF04040404 OFF
Response Copy of the command
Event 060000FFFF04040404 Socket ON
06000000FF04040404 Socket OFF

Socket state

App Get state
Current state

Get state 020000000004040404
Current state 020000FFFF04040404 Is ON
02000000FF04040404 Is OFF

Search packet

App Search

Search 23ffffffffffff0202
Response 23IPMAC10313233343536373839306162636465660d0d0d0d0d0d0d0d0d0d0d0d0d
IP = in HEX
MAC = Socket MAC Address
10 = Length of encrypted message (16 decimal)
31323334353637383930616263646566 = 1234567890abcdef
0d0d... = Padding

Get Wifi info

App Get info

Get info 620808080808080808
Response 620848575f56312e303106332e30303031095265635377697463688301020b0b0b0b0b0b0b0b0b0b0b
48575f56312e3031 = HW_V1.01 (hardware revision)
332e30303031 = Firmware version (3.0001)
09526563537769746368 = RecSwitch
0b0b... = Padding


App Heartbeat

Heartbeat 6161aa06ca04040404
Response 61001e060606060606
The query is always starting with 6161. The next 3 bytes are somekind of counter depending on the number of the sockets registered in the application.
Response is always 61001e060606060606.

I will add other commands from time to time that I will find (i already decoded the timer setup but i see no reason to implement it as long as I have cron available). I will try to redo the registration process and if I succeed, we may not need the application (and by default internet access).


PHP-Chacon is a set of scripts written in PHP for use with the Chacon WIFI socket from a Linux system. More info here.


Alternative to these scripts (made by someone much more skilled), you will find at It is only for LB100, not yet tested on LPB130 but I can confirm that on LPB100 it works super well.