Details about the Chacon WIFI socket

Published on 2021-11-27. Updated on 2022-02-02.

This article contains details about the traffic made by Chacon sockets and what represents most of it. I still have a lot of traffic to decrypt (and to understand the functions and variables in the Chacon Home application). Bonus, some additional information.

2022-02-02 update.
It looks like Chacon has updated the sockets, the new code is 53017. I'll buy one to see what's new.

2022-02-26 update.
I noticed that starting with 24.02.2022 (when war in Ukraine started) the Chacon Home application didn't work anymore. I checked on several connections and from several ISPs, but also from several countries. Thus, I consider that PHP-Chacon is a very good "backup" solution in such situations.

Chacon WIFI socket (code: 53012)

(https://chacon.com/en/outlet/802-chacon-wi-fi-socket-5411478530121.html)

Table of contents

• About the socket
• What I'm after
• Mode of operation
• Web gui
• Dumping and decrypting wifi packets
• Full packet details
• Commands
• PHP-Chacon
• Alternative

About the socket

From the manufacturer's website:

Control your electrical devices from anywhere using your smartphone.

• Remote control with your smartphone from anywhere in the world, via Internet
• Voice control compatible with Amazon Alexa and Google Home
• Easy to install in a single step directly from your smartphone
• Multi-function hourly programming
• Countdown
• Presence simulation (theft prevention)
• Programming of time slots
• Free Chacon Home smartphone and tablet application on Android and iOS
• The same application as for Chacon Home Multi-socket strip and modules
• 6 A 230 V AC 50 Hz MAX 3500 W
• Wi-Fi: 2.4 GHz 802.11b/g/n
    

This socket has some extremely interesting things which makes it very attractive for any home. First of all, the price on the official website is 16.90, so I think it is one of the cheapest on the market. Secondly, it can support a load of up to 3500W and is therefore ideal for houses that have strictly electric heating. Considering this aspect, I can only think that this socket is ideal to be able to lower the electricity bills.

The fact that it can be controlled with Amazon Electra or Google Home are just as good bonuses.

At the base of this devices is the WiFi chip LPB1xx produced by Hi-Flying Technology. For some older sockets it is LPB100 which also has a detailed web interface in which you can do a lot (I will not enter in details), but for newer sockets it is LPB130 which has a very small web interface from which you can only set the WiFi part. See Web Gui below.

The most fun part about this chipset is that it can be controlled with udp network traffic, the only thing needed is understanding the traffic and because it is encrypted, finding the encryption key.

What I'm after

I am very tired of network scans made from IPs in China, Vietnam, Cyprus or Russia that I at least block absolutely all traffic to/from these IP blocks in the firewall. And because these sockets unfortunately have communications with IPs from China, I had to find a way to use these sockets without allowing them traffic outside of my network. Unfortunately the registration part needs internet, but after that the traffic can be stopped in the firewall.

Mode of operation

The default communication is between the Chacon Home application and sockets within the same WLAN. Also the sockets can be controlled from the application via 3G/4G, thanks to cloud services (Amazon), but if you are like me and you are looking for no communications with Chinese IP addresses, then this document is just for you. Socket communication is done via UDP using port 18530 and packets have a size of 25 bytes. Therefore, we can control these outlets with our own scripts from a linux box instead of the Chacon Home application, the only thing we need to do is understand the traffic between the sockets and the application, so that we can reproduce it. This document is exactly about that, about what happens in the communication between sockets and the application.

(bonus) Web Gui

When the socket has registered in the WLAN, you can access the WebGUI with the browser. The access data are.

http://deviceip/
Old firmware:
Login: admin
Password: admin

New firmware:
Login: admin
Password: Lumlink@100
    

LPB100 interface

LPB130 interface

All devices have a hard-coded firmware flash webpage at (I recommend not going to this page unless you know what you are doing):

http://deviceip/iweb.html

Dumping and decrypting wifi packets

There are 2 ways to intercept traffic from a wifi network. In any case, tshark must be installed (it is part of the Wireshark package)

1. Intercepting WIFI traffic from a laptop/desktop (with a good wireless network card which support monitoring mode) connected to a WIFI router.
2. Use a RaspberryPI as a WIFI router. This is the most convenient and the simplest. RaspAP is a perfect tool.

Option 1

Intercept and dump to a file, which will be read after (in my example I'm using a MacbookPro).

tshark -i en0 -I -w output.pcap
    

Now open the Chacon Home application and refresh over the registered sockets to generate some traffic or you can also turn the sockets on or off. You can stop the interception of traffic when you consider that you have generated enough traffic and so we can look in the dump.

tshark -r output.pcap -Y udp -Y udp.dstport==8530 -Y udp.srcport!=8530  -T fields -e data -e ip.addr

Sample output:

0140ffffffffffff103f3b364e5624333d6f9265b4291a863a	10.3.141.2,10.3.141.255
0140ffffffffffff10686451f881118853dfb8e772ef03329d	10.3.141.2,10.3.141.255

Option 2

Intercept traffic directly from your wireless router.

tshark -i wlan0  -Y udp -Y udp.dstport==8530 -Y udp.srcport!=8530  -T fields -e data -e ip.addr 10.3.141.0/24

Output should be the same as above.

Well, these packets seem familiar to some extent, for example we can understand that "ffffffffffff" is the broadcast address for example and in other cases you will see the mac of the socket. The first part seems to be a constant but after the mac address .... pause. The rest of the packet seems to be encrypted so we need to find the encryption type and key. The easiest way is to use a java decompiler (Bytecode Viewer, Jadx, etc.) and so you can open the Chacon Home application and search for the key. I won't go into details but that's how I found the key.

Encryption key: 1234567890abcdef
Encryption type: AES/CBC/NoPadding

NOTE
The encryption part is a bit unclear to me, I have to study a little more. In the application I see the following:

public class EspAES {
        private static final String TRANSFORMATION_DEFAULT = "AES/ECB/PKCS5Padding";
        private Cipher mDecryptCipher;
        private Cipher mEncryptCipher;
        private final byte[] mIV;
        private final byte[] mKey;
        private final String mTransformation;

It's pretty funny that now I see that the encryption key can be found quite easily on the internet, I've found it in several places lately, but the most interesting thing is that somehow someone made public the source code for the firmware :). It's old, but it's enough for a skilled enough programmer (which I'm not). For the curios you can go to this link https://github.com/mys812/hf/blob/master/LPB100-HSF/src/LumitekITO/inc/itoCommon.h#L55.

Full packet details

01 + 4X + MAC + LE + ENCRYPTED_PAYLOAD

01 = Prefix (constant)
4X = It depends on the type of action
MAC = MAC address
LE = Length of encrypted payload
    

Encrypted payload

00 + PNPN + CC + DC + AUTH + CMD + ARG + PADDING

00 = Prefix (constant)
PN = Packet number
CC = Company Code
DT = Device Type
AUTH = Auth Code
CMD = Command
ARG = Command argument
PAD = Padding     

PN = The socket has an internal packet counter that increases with each command. The PN is added to the query in the application, and the socket response always has the same PN. Lucky enough, the socket will always accept FFFF on any command sent.
    

Packet structure

Example: search packet

Non encrypted part

Encrypted part

Prefix = constant.
Packet number = the socket has an internal packet counter and does not accept commands with lower packet numbers. A response has the same packet number as the command sent, but the counter is increased. The range is from 00 00 to FF FF, ie 65535. Then the counter is reset by the socket. We can always use FF FF to make sure that the command is accepted.  (If we can handle it without counting the packets).
Company code = 00 is always the device with Chacon Home application. Everything else is a company identifier (eg. df = chacon, c1 = silvercrest).
Command = depends on the desired action.
Argument = argument of the command, depends on the command.
Padding = depends on command and argument.
    

Commands

Turn on/off

Socket state

Search packet

IP = in HEX
MAC = Socket MAC Address
10 = Length of encrypted message (16 decimal)
31323334353637383930616263646566 = 1234567890abcdef
0d0d... = Padding
    

Get Wifi info

62 = CMD_GET_WIFI_INFO
48575f56312e3031 = HW_V1.01 (hardware revision)
332e30303031 = Firmware version (3.0001)
09526563537769746368 = RecSwitch
0b0b... = Padding
    

Heartbeat

The query is always starting with 6161. The next 3 bytes are somekind of counter depending on the number of the sockets registered in the application.
Response is always 61001e060606060606.
    

I will add other commands from time to time that I will find (i already decoded the timer setup but i see no reason to implement it as long as I have cron available). I will try to redo the registration process and if I succeed, we may not need the application (and by default internet access).

PHP-Chacon

PHP-Chacon is a set of scripts written in PHP for use with the Chacon WIFI socket from a Linux system. More info here.

Alternative

Alternative to these scripts (made by someone much more skilled), you will find at https://github.com/ljalves/hfeasy. It is only for LB100, not yet tested on LPB130 but I can confirm that on LPB100 it works super well.