Month: March 2023

[toc] Introduction Got a few ITEAD Sonoff WiFi switches to automate my home. Why use the boring software, so I tried to hack the switches. This is a reference manual for me, but quite useful for anyone else if they want to use micropython, mqtt, web server and control the switches. Required items Sonoff switch VCP: FTDI Cable yeah, 5x pin headers to solder on the board few jumper wires for debugging Flashing micropython Make sure the FTDI cable is set to 3V which is very important. Then connect the cable as detailed in the table. Programmer Sonoff (counting from the switch to bottom) 3V3 1 TX 2 (RX) RX 3 (TX) GND 4 5 The easiest way to flash the firmware is to use the nodemcu-flasher available. Unfortunately available only for windows. The micropython-flash image esp8266-20170108-v1.8.7.bin can be downloaded from the website. On the config tab add the image. Sometimes it helps to first flash a blank image to the WiFi switch.  INTERNAL://BLANK   Installing MQTT Install mosquitto, an open source MQTT broker. It is very easy to install, follow the installation instructions in the link or copy paste the following commands.   This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode characters Show hidden characters wget http://repo.mosquitto.org/debian/mosquitto-repo.gpg.key sudo apt-key add mosquitto-repo.gpg.key cd /etc/apt/sources.list.d/ sudo wget http://repo.mosquitto.org/debian/mosquitto-wheezy.list sudo wget http://repo.mosquitto.org/debian/mosquitto-jessie.list sudo apt-get update sudo apt-get install mosquitto view raw… Read more

First, it was conceived to overcome an web exploit, called Cross site request forgery. This is well explained in the answers from the stack overflow question [1]. It is well explained well with a banking page. It will be very evident in a hacker situation. Cross site request forgery can be simply overcome by token based authentication of the user requests by cross checking every request with a token. A token is a random number generated by the server and served with every page that is served. On an Internet-of-Things context, it is very important when there are a lot of devices, a lot could happen even within your devices without any attacks. OAuth is a method of authenticating using a time based token. The token verification is time based, the verification will not pass through when the token time is finished. Looks like JWT, Json Web Tokens, is an evolved format of oauth where every communication is working on json based messages. A lot of negotiations are going on. It is very amazing to look at the evolution of these technologies. Incase of IoT it is important to keep it simple without compromising on the level security. References: [1] http://stackoverflow.com/questions/5207160/what-is-a-csrf-token-what-is-its-importance-and-how-does-it-work [2] https://en.wikipedia.org/wiki/OAuth [3] https://en.wikipedia.org/wiki/JSON_Web_Token [4] https://jwt.io