👈

Reinventing The Light Switch

I have Wiz Connected smart light bulbs, and read that there is a way to control them directly over Wi-Fi in ways the proprietary app does not cater for.

This will involve several stages:

first the existence of an undocumented network exploit that allows control of a particular brand of commerical LED bulb
then writing a python script to send data to the light bulbs
then writing shell scripts to call the appropriate python script for different functions, and putting these scripts on a server
finally writing a mobile app that connects to the server and issues commands to turn the lights on, off or change their brightness

I came across some exploit code that was written by a cyber-security enthusiast and software developer from Finland with the handle R00tendo.

Rootendo wrote an Article about hacking the lights about the exploit on Medium. There is a paywall so I'll paraphrase. Basically they monitored the network traffic between his phone running the proprietary app and the light bulbs. They used a method called ARP spoofing so he would be able to access the packets of data as they were being sent across the network.

So on Github, is the source code of the hack they wrote for issuing commands. Bascially it connects to an IP on a certain port and sends some JSON. I've adapted this script for my own purposes. Since my particular bulbs don't have colours, I just implemented functions for on, off and change brightness between 0 and 100. And while there are a hundred brightnesses, I found there are actually only ten distinct ones, so the least significant figure is redundant.

I wrote shell scripts to wrap around this to just implement the specific functions I needed. I hard coded the IP addresses of the light bulbs, which I discovered through a combination of running NMAP and looking at the device status information on the admin console of my wifi router.

These scripts are on my home server. I created a simple mobile app to control the lights. Hybrid-mobile frameworks like Apache Cordova let you you write the user interface with plain HTML, CSS and Javascript which are familiar to most people who've done any front-end development. In addition, there are hundreds of plugins available that interface to native features of the mobile device. And a lot of the plugins will provide a consistent function that works irrespective of whether the device is Android or iOS.

I found a plugin called SSH Connect created by Jose Andrés Pérez Arévalo. The reason for using it is so I can run some Javascript in the mobile WebView and it will connect to my server over SSH and invoke one of the shell scripts I described earlier.

This plugin is for Android, so I've made an Android version of this app only, not an iOS one. First you have to make sure along with cordova you have installed the right version of the Android SDK, Java and especially Gradle or the app won't build properly.

So I created the app with the command cordova create lightswitch and go into the folder and add the android platform with cordova platform add android and then install the plugin with cordova plugin add cordova-plugin-ssh-connect. Then it is a matter of modifying the html, javascript and css in the WWW folder to show whatever user interface and user interaction you want, and also with javascript access the plugins to do native command, in this case connecting to my server with SSH.

So just looking at the code, in my index.html I just have two buttons, for on and off, and a range input from zero to one hundred for the brightness. In my index.js file I wait for the on device ready event, then attach click or input listeners respectively to these controls, and I call one of three functions which are on, off and brightness. Each of these functions accesses the cordova ssh plugin and connects to the server, issues a command and then disconnects.

Then I built it with cordova build android and assuming my phone is connected to the PC, has developer mode and USB debugging enabled and activated, then I can run 'cordova run android' and it deploys the app to my device.

Android Cordova App

Python Script

import socket
import time
import random
import sys

if len(sys.argv) < 3:
      print(help)
      exit()
IP = sys.argv[1]

on = """{"params":{"orig":"andr","state":true},"id":6,"method":"setPilot"}"""
off = """{"params":{"orig":"andr","state":false},"id":6,"method":"setPilot"}"""

s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
s.connect((IP, 38899))
if sys.argv[2] != "on" and sys.argv[2] != "off":
    print("Changing lights color")
    b = sys.argv[2]
    color_send = """{"method":"setPilot","params":{"r":""" + str(255) + ""","g":""" + str(255)  + ""","b":""" + str(255) + ""","dimming":""" + str(b) + """}}"""
    print(color_send)
    s.sendall(bytes(color_send, "utf-8"))
    s.close()
elif sys.argv[2] == "on":
     print("Turning on the lights")
     s.sendall(bytes(on, "utf-8"))
     s.close()
elif sys.argv[2] == "off":
     print("Turning off the lights")
     s.sendall(bytes(off, "utf-8"))
     s.close()

Shell Scripts

`on.sh`

#!/bin/sh
/usr/bin/python /usr/local/bin/wiz-hack.py 192.168.0.94 on
/usr/bin/python /usr/local/bin/wiz-hack.py 192.168.0.177 on
/usr/bin/python /usr/local/bin/wiz-hack.py 192.168.0.207 on
/usr/bin/python /usr/local/bin/wiz-hack.py 192.168.0.254 on

`off.sh`

#!/bin/sh
/usr/bin/python /usr/local/bin/wiz-hack.py 192.168.0.94 off
/usr/bin/python /usr/local/bin/wiz-hack.py 192.168.0.177 off
/usr/bin/python /usr/local/bin/wiz-hack.py 192.168.0.207 off
/usr/bin/python /usr/local/bin/wiz-hack.py 192.168.0.254 off

`light.sh`

#!/bin/sh
/usr/bin/python /usr/local/bin/wiz-hack.py 192.168.0.94 "$1"
/usr/bin/python /usr/local/bin/wiz-hack.py 192.168.0.177 "$1"
/usr/bin/python /usr/local/bin/wiz-hack.py 192.168.0.207 "$1"
/usr/bin/python /usr/local/bin/wiz-hack.py 192.168.0.254 "$1"

Mobile App

index.html (excerpt)

...
  <h1>Light Control</h1>

  <button id="onButton">On</button>
  <button id="offButton">Off</button>

  <br><br>

  <label for="brightnessSlider">Brightness:</label>
  <input type="range" id="brightnessSlider" min="0" max="100" value="50">

  <script src="cordova.js"></script>
  <script src="js/index.js"></script>

index.js

const user = "user";
const password = "redacted_password";
const host = "192.168.0.218";
const port = "22";

var sshConnect;

function on() {
    sshConnect.connect(user, password, host, port, () => {
        sshConnect.executeCommand('on.sh', function() {
            sshConnect.disconnect();
        });
    });
}

function off() {
    sshConnect.connect(user, password, host, port, () => {
        sshConnect.executeCommand('off.sh', function() {
            sshConnect.disconnect();
        });
    });
}

function brightness(level) {
    sshConnect.connect(user, password, host, port, () => {
        sshConnect.executeCommand('light.sh '+level, function() {
            sshConnect.disconnect();
        });
    });
}    

document.addEventListener('deviceready', onDeviceReady, false);

function onDeviceReady() {
    sshConnect = cordova.plugins.sshConnect;

    document.getElementById("onButton").addEventListener("click", () => {
      // Send "on" command to light
      console.log("Light turned on");
      on();
    });

    document.getElementById("offButton").addEventListener("click", () => {
      // Send "off" command to light
      console.log("Light turned off");
      off();
    });

    document.getElementById("brightnessSlider").addEventListener("input", () => {
      const level = document.getElementById("brightnessSlider").value;
      // Send brightness value to light
      console.log("Brightness set to:", level);
      brightness(level);
    });
}

This file was updated at 2025-03-01 19:15:47