“Hacking” BNETA Smart LED Bulbs for MQTT Integration

Teardown of a BNETA Smart LED bulb, flashing of Tasmota firmware and integration into Home Assistant via MQTT – without any soldering.

I recently experimented with a Sonoff B1 LED WiFi bulb. These units are based on the old-faithful Espressif Systems’ ESP8266 WiFi Microcontroller.

Sonoff smart devices tout various features, all accessible through the “EWELink” app and “cloud” infrastructure (it looks super crap). Um, no, if it’s in my house and on my WiFi network it needs to run open source software (or at least be made by a trustworthy company subject to mass scrutiny – even that’s not ideal, but life’s full of trade-offs). Sonoff devices are of particular interest to me because they (1) run a well-known micro-controller that has a lot of community-driven software and support available, (2) they’re SUPER cheap [$1.50] and (3) they’re really versatile. I’m proud to say that although I own and operate more than 20x Sonoff smart devices I’ve never installed their Android app. Life’s too short for that.

I bought one Sonoff B1 R2 to test with… it was a ball-ache to programme it with custom firmware (Tasmota) but it was possible and it works well once flashed.

Flashing a Sonoff B1 R2 is far from great. I just want lights and colours, not soldering.

I recently came across an advert for a WiFi “Smart” LED light at a local mass retailer (ultimately owned by Walmart, known as Makro in South Africa). The LED light was branded by a local company but South African companies rarely produce anything original (sorry guys, we don’t, we should, I really wish we did). The light was on special too and a fair bit cheaper than the Sonoff. This was too tempting. I thought “what are the chances it’s just a rebranded Sonoff device ?”. The device has the same basic specs and power rating as the Sonoff B1. Googling for the device name only yielded the local company’s empty website, but searching for the product’s SKU “IO-WIFI60” revealed a link to a Chinese site.

Makro’s SKU

So yes, screw it, let’s give it a go. R 250 (about $19) later and we have this :

Yeah, I opened it up on the drive home 😀
Unlike the Sonoff, which either pops off or unscrews, this light top has been glued on.
The line on my thumb is from voting 😉
I’m very excited at this point because that looks like an ESP8266 dev board WOOOOOHOOOOO
RGB and White LED WiFi Smart light fitting - removal of top PCB.
Screws gone. The white stuff on top feels like silicone, but below it there’s thermal paste. I assume to bond the mostly copper top PCB to the alloy base.
You can see a bit of the thermal paste going on there and what looks like a power supply PCB with the dev board riding on top of it. It’s essentially a DIP8 package. The board can’t be easily separated from the power supply PCB and the PSU PCB appears to be soldered to the base.
Tuya TYLC2V module in WiFi Smart LED Light Fitting with cloud QR code present.
And there’s the ESP8266 😄😄😄 along with what looks like a voltage regulator, clock source, etc. The bit sticking out is the PCB antenna. Once again, below the white board is a power supply PCB which runs down into the E27 fitting. At this point I didn’t know what the label/QR code/code meant.
Tuya TYLC2V module in WiFi Smart LED Light Fitting.
Label removed and ahhhh, a model number.

A quick Google search and…

Tuya Module overview diagram.

The module the MCU is on, as it turns out, is made by a company called Tuya. The label with a QR code on it that I removed is a key for Tuya’s cloud infrastructure. In short Tuya makes ready-to-go ESP8266 modules that are pre-flashed to work with their cloud infrastructure. The idea being that you point your users to a white label app branded with your logos, which configures the device via WiFi. As the manufacturing company (pffft) you buy several thousand pre-flashed/configured WiFi modules from Tuya and integrate them into your product. This is interesting but still problematic as I don’t want their firmware in my house haha. There are no easily-accessible pins to flash this device… maybe someone has hacked the OTA protocol.

More Googling and yes, the Tuya OTA protocol was reverse engineered around 4 months ago. The product of that work has allowed a popular open-source Home Automation project, called Tasmota, to utilise the device, which in-turn allows the device to be used via MQTT with OpenHAB/Home Assistant/Domoticz platforms (and that means these devices can be firewalled off from the internet). It also means their interaction via MQTT can be homogenised into a common format, regardless of manufacturer.

I can feel the excitement GROWING. Bring me the Pi!

Raspberry Pi 3 and TUYA-based Smart WiFi LED Light.
Yes, that Pi will do. Hands ftw.
unzip 2019-04-08-raspbian-stretch-lite.zip
dd if=2019-04-08-raspbian-stretch-lite.img bs=64k of=/dev/sde status=progress
mount /dev/sde1 /mnt/sde
touch /mnt/sde/ssh
sync
umount /mnt/sde
# <some time later>
# GO GO GO!
ssh [email protected]
sudo mount -o remount,async,commit=500,discard,noatime,nodiratime /
# ^ It's called living dangerously :D Speeeeeeeeeed
sudo apt update
sudo apt install byobu git
byobu
git clone https://github.com/ct-Open-Source/tuya-convert
cd tuya-convert
./install_prereq.sh
# You're not going fast enough :<
./start_flash.sh

Go go go!

pi@raspberrypi:~/tuya-convert$ ./start_flash.sh
~/tuya-convert/scripts ~/tuya-convert
======================================================
TUYA-CONVERT

https://github.com/ct-Open-Source/tuya-convert
TUYA-CONVERT was developed by Michael Steigerwald from the IT security company VTRUST (https://www.vtrust.de/) in collaboration with the techjournalists Merlin Schumacher, Pina Merkert, Andrijan Moecker and Jan Mahn at c't Magazine. (https://www.ct.de/)


======================================================
PLEASE READ THIS CAREFULLY!
======================================================
TUYA-CONVERT creates a fake update server environment for ESP8266/85 based tuya devices. It enables you to backup your devices firmware and upload an alternative one (e.g. ESPEasy, Tasmota, Espurna) without the need to open the device and solder a serial connection (OTA, Over-the-air).
Please make sure that you understand the consequences of flashing an alternative firmware, since you might lose functionality!

Flashing an alternative firmware can cause unexpected device behavior and/or render the device unusable. Be aware that you do use this software at YOUR OWN RISK! Please acknowledge that VTRUST and c't Magazine (or Heise Medien GmbH & Co. KG) CAN NOT be held accountable for ANY DAMAGE or LOSS OF FUNCTIONALITY by typing yes + Enter

yes
======================================================
  Starting AP in a screen
  Stopping any apache web server
  Starting web server in a screen
  Starting Mosquitto in a screen

======================================================

IMPORTANT
1. Connect any other device (a smartphone or something) to the WIFI vtrust-flash
   The wpa-password is flashmeifyoucan
   This step is IMPORTANT otherwise the smartconfig will not work!
2. Put your IoT device in autoconfig/smartconfig/pairing mode (LED will blink fast). This is usually done by pressing and holding the primary button of the device
3. Press ENTER to continue


======================================================
Starting pairing procedure in screen
RTNETLINK answers: File exists
~/tuya-convert
Waiting for the upgraded device to appear
If this does not work have a look at the '*.log'-files in the 'scripts' subfolder!
....................................................................................................................

Okay, so, that didn’t work. Tailing the log files indicates the device is present but rejected connection attempts. Probably a race condition. Let’s try again. Off, On Off On Off On… blinking fast. Here we go.

Yesssssss
Thank you, I WILL HAVE FUN Merlin Schumacher, Pina Merkert, Andrijan Moecker and Jan Mahn. Did I mention they came up with this very slick project ? Thank you!
curl http://10.42.42.42/flash3
pi@raspberrypi:~/tuya-convert/scripts$ tail -f smarthack-web.log
Target device retrieving the firmware during OTA 😀

Go to your mobile phone and connect to the Tasmota-created network, then go to your phone’s browser and navigate to 192.168.4.1

Enter your wifi network’s SSID and password and click “Save”. Do this quickly, you have 3 minutes from boot to do it otherwise the device reboots.

Okay, so at this point we have an ESP8266 running the base Tasmota firmware. The Tasmota firmware has different modules which allow it to manage different kinds of devices. There’s a big variety involved though, like dimmers, switches, temperature sensors, etc. So we need to be fairly specific about the kind of device we’re trying to control. I need a Tasmota “template”. I’m hoping something someone else has created will work with this device. Looking at this page one particular candidate stands out : (there’s that “60” again from the Makro SKU…)

The device is on my home network now, so I can configure it using my desktop machine’s browser yay.

Go to the device IP with a browser and click : Configuration -> Configure Other

Paste the following into the “Template” textbox :

{"NAME":"OM60/RGBW","GPIO":[255,255,255,255,140,37,0,0,38,142,141,255,255],"FLAG":0,"BASE":18}

The device will reboot.

Once again, yessssssss

So this is great, but now I want to get the device to talk to Home Assistant. To do that start by configuring the device name :

Configure -> Other : Set Friendly Name

Set your MQTT config to point to your HA system.

And then my favourite: go to the console and run the following :

Sleep 0
NTPServer 8.8.8.8 #as an example
Timezone 2

#and then some fun : Set the colour to red :
Color ff00000000
#green
Color 00ff000000
#blue
Color 0000ff0000
#white
Color 000000ff00
# all on - it's damn bright
Color ffffffff00

# These allow HA to auto-detect the device - but you'll need to upgrade from the basic to classic firmware first.
SetOption19 1 
SetOption31 1
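
The paragraph on the reverse-engineered OTA protocol notes that a Tasmota-flashed bulb can be firewalled off from the internet. As an added example (not from the original post), this script prints iptables rules for a Linux router that let the bulb reach only the MQTT broker and a LAN NTP server. The addresses, the BULB_OUT chain name and port 1883 are assumptions, and the ACCEPT rules only matter where the broker sits on a different subnet from the bulb, since same-subnet traffic never crosses the FORWARD chain.

```shell
#!/bin/sh
# Added example: print (not apply) iptables rules that keep a flashed bulb
# on the LAN. All addresses used here are constructed sample values.

# is_ipv4 ADDR -> exit 0 if ADDR is a dotted quad with octets 0-255.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|''|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots; input holds only digits and dots
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# bulb_rules BULB_IP BROKER_IP NTP_IP -> rules on stdout, exit 2 on bad input.
# Order matters: the two ACCEPT rules must precede the LOG and DROP rules.
bulb_rules() {
    for addr in "$1" "$2" "$3"; do
        is_ipv4 "$addr" || { echo "invalid IPv4 address: $addr" >&2; return 2; }
    done
    cat <<EOF
iptables -N BULB_OUT
iptables -A BULB_OUT -d $2 -p tcp --dport 1883 -j ACCEPT
iptables -A BULB_OUT -d $3 -p udp --dport 123 -j ACCEPT
iptables -A BULB_OUT -j LOG --log-prefix "bulb-blocked: "
iptables -A BULB_OUT -j DROP
iptables -I FORWARD -s $1 -j BULB_OUT
EOF
}

# Constructed sample: bulb 192.168.20.50, broker and NTP server 192.168.10.5.
# Review the printed rules before running them as root on the router.
bulb_rules 192.168.20.50 192.168.10.5 192.168.10.5
```

With rules like these in place, point `NTPServer` at the LAN time source rather than an internet address, otherwise the bulb's clock stops syncing.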

Home Assistant's Single RGB Light Interface.
Of course the real benefit of all this is integration into Home Assistant’s web interface 🙂 Now I can script the lights as part of a larger network of devices… think continuously adjusting house lighting based on presence and current exterior lighting conditions.
Home Assistant's Group Lighting Interface operating on a group of RGB lights.
Controlling groups of lights.

And that’s about that. Hopefully this helps someone 🙂

SlingStudio Learnings

I run a business on the side that does corporate video/advertising/training media. In order to keep clients happy and the business current I’m always on the lookout for new ways of doing things. New ways that are better, stronger, faster and more efficient than what we’ve done in the past. Efficiency ultimately translates into cost savings and cost savings keep clients happy.

Live streaming content has become a hot topic service in the last few years but despite the passage of time not much has changed on the tech-side.

A small portion of the equipment necessary to make a reasonably-decent show work.

We normally achieve live streaming in one of two main ways; but they both start with big heavy cameras, expensive coaxial cables, a big bulky video mixer, some LCD monitors, loads of converters, frame rate and resolution “scalers” and then an output step. The output step involves either a dedicated video streaming device, like the Teradek Vidiu or a laptop running a USB3 capture card and the amazing OBS. Systems that run on 30p (NTSC) frame rates tend to *just work* but we operate in a PAL country (South Africa) and this greatly complicates things as most IT equipment is NTSC native.

Even more equipment.

These setups are unfortunately huge and by extension very expensive (as they require a lot of expensive equipment, space, cabling, setup time, crew, etc).

A client recently started asking about ways in which they could do smaller, “lighter-weight” multi-camera streams for the purposes of internal marketing and staff training. One of this client’s staff members had found an advert for a system, called the “SlingStudio”.

The SlingStudio Hub

Now, “SlingStudio” is a very poorly thought-out name, because the word “Sling” often means a type of support equipment that may not be “safe for work”. My client’s staff member mentioned this device, the SlingStudio that is, and asked if it could work for their purposes. I looked into it and I must admit it seemed too good to be true… and it is, sort of. They’ve taken a leaf out of Blackmagic Design’s book, in that it isn’t a bug-free product and it certainly isn’t plain-sailing to operate.

An NTSC HDMI-equipped camera attached to a SlingStudio CameraLink

The SlingStudio is tiny compared to the setup we normally use. The switcher and video encoder/streaming module are contained in one device the size of a fancy wifi router – and ironically the device is also a wifi router, albeit a very limited one. The system has some notable limitations, that mostly extend out of its core design:

  • All video sources, bar one, are wirelessly streamed to the device over 5GHz 802.11ac wifi using proprietary equipment or a smartphone application (which uses the phone’s camera).
  • The device is 30p only. 60p is available as an option with another set of limitations.

Have lots of batteries ready…

In order to use the machine in practice you need the following :

  • HDMI-equipped cameras all operating on NTSC.
  • For each camera you need a wireless transmitter.
  • If you’re operating for longer than ~1.5 hours you’ll need USB power banks for each of the transmitters.
  • Tripods (optional!).
  • The SlingStudio “hub”.
  • The hub’s battery “base” or a power supply.
  • An iPad.
  • An internet connection.

The SlingStudio’s iPad console operating with three wireless video sources.

The above makes for a very compact setup compared to traditional configurations. In South Africa, almost all of our “ENG”-style cameras operate on PAL (25p/50i) frame rates, which makes them incompatible with most projectors. This means that you need a frame rate converter to connect a normal mixer and camera setup to a projector system – but the SlingStudio is an American product and it only supports NTSC (specifically 30p, 60p* and 60i). As a result of this frame rate selection all venue projectors are happy to deal with the signal the SlingStudio outputs. The SlingStudio can output video to the internet via RTMP or to Youtube and Facebook directly. It can even create events on those platforms using the iPad console interface. In parallel it can also record your output stream (program), your video sources individually, your line-in audio source and output a limited set of streams via HDMI. Really impressive stuff. All this is at an extremely attractive price point that’s a fraction of the cost of a traditional setup. So what’s the catch ?

There are several catches, but it is possible to work around them if you understand them in the context of your brief. Here are some limitations, some of them are South Africa-specific :

  • The SlingStudio is an NTSC/30p/60p/60i product and as such will only work with equipment that supports these framerates. Many cameras in South Africa are locked to PAL frame rates and are therefore incompatible with this system. This is especially true of cheaper “handycam”-type camcorders.
  • The company that makes the SlingStudio (DISH) are hell-bent on preventing the SlingStudio being used by non-US customers; you need an iPad with a US iTunes account to download their control application. US retailers will not ship the SlingStudio to South Africa (or anywhere outside of the US and Canada). Warranty support is, naturally, unavailable.
  • The SlingStudio -only- works with a Macbook or an iPad, no Android folks.
  • The SlingStudio uses 802.11ac wifi on 5GHz to transport camera video streams and as a result you are subject to all of the complexities that come with that, including interference and general frequency congestion (which can be erratic and severe).
  • Full HD video at 30 fps is roughly 1.5 Gbit/sec, but the SlingStudio transmits video data over wifi at anywhere between 2 Mbit/sec and 10 Mbit/sec. It manages to do that by heavily compressing the footage and that comes with the price tag of notable latency. This isn’t an issue if you’re only recording and streaming to the web but it is a problem if you’re planning on going out to a projector in the location in which you’re filming. The SlingStudio does have a low-latency mode which sacrifices quality for latency.
  • The system is cutting-edge and as a result sometimes suffers a software glitch here and there. You have to keep your technical wits about you to navigate these issues.

The SlingStudio’s wifi quality checker interface.

In practice the system has been pretty amazing so far. I performed extensive testing (in excess of several days of streaming) before actually using the device on a real shoot. In a real-world environment the system unfortunately has failed once so far, but after some investigation I came to the conclusion that the fault was caused by a ground-loop between an HDMI input and the machine’s line-in audio input (the ground-loop was created by an audio desk’s dodgy power supply). The solution was to put as much of the system on battery as possible and air-gap everything else (we moved the audio onto a wirelessly-connected camera). This resolved further issues. The lesson here is don’t “electrically” trust the voltages of third-party equipment.

So, if you find that your SlingStudio’s wifi occasionally abruptly disappears but the device continues operating normally otherwise, you’re probably experiencing a ground-loop related issue. Galvanically isolate the crap out of everything.

The SlingStudio’s Quad View output

The SlingStudio can send a “quad view” output, program output or HDMI pass-through to the HDMI output. Switching between these modes is seamless, so it’s possible to use it as a rudimentary auxiliary output.

The real SlingStudio treat is in the edit…

For all the SlingStudio’s limitations, issues and reliability concerns the feature that really stands out is the edit – it’s possible to import SlingStudio recorded projects/footage into Adobe Premiere Pro and Apple Final Cut Pro. The resulting timeline includes all of your cuts and transitions. It’s an absolute treat and makes fixing things easy. This is the biggest sell for the SlingStudio for me against other competing solutions.

All-in-all the SlingStudio is an amazing piece of equipment at an almost unbelievable price-point ($1000 without the transmitters and iPad) but it does have very specific limitations and can be finicky. A traditional system is a lot more effort to set up but it is much more reliable and provides lower-latency and better quality feeds.

Extra:

It appears that the SlingStudio runs Linux; the company publishes open source licences for the system (but not the source) and the licences mention both Linux and SSH, amongst other things. I’ve also noticed that drives formatted in Debian that are unlabelled get assigned “sda” as a drive name on the SlingStudio… which seems familiar. If only someone would open their hub up and take some photos. I’m tempted…

Update

A few months, a few more live streaming jobs and a website update later and the SlingStudio is performing well. After adopting a policy of galvanically isolating the hub (running from batteries, not using the audio input on the hub, not using the HDMI input/output on the hub, etc.) the system has performed admirably and hasn’t crashed/rebooted/failed once, despite being used on several high profile shoots, often with 5 video sources, high bitrates and lots of graphics.