Introduction: How to Hack a Sonoff Device

About: I am a hobbyist and currently I am pursuing my B.Tech in the ECE branch (2019-2023) at AMRITA VISHWA VIDHYAPEETHAM. I am also part of India's no. 1 security team, bios. I deal with IoT exploitation and hardware secu…

Prakhar Agrawal
Junior Researcher (IoT Exploits)

SECURE HARDWARE


INTRODUCTION

In this post we will discuss how to load custom firmware onto a Sonoff device and then control it over the network using its IP address.

APPROACH

We will use the UART pins on the device, together with a PL2303 USB-to-serial converter, to flash custom firmware (namely the Tasmota firmware) onto the device, and then use a network mapping tool (nmap) to find the IP address of the SONOFF Basic.

About The Device

A Sonoff device is basically an ESP8266 Wi-Fi module that can be controlled from a mobile application. Its function is to switch the relay on the Sonoff board on and off, so it can be used to make any electrical appliance smart (adding control-over-Wi-Fi functionality).

Supplies

Tools Required

- Esptool: used to flash the device and to create a backup of the original firmware.
- Nmap: used to scan for hosts and ports on the network your PC is connected to. Here it will be used to find the IP address of the SONOFF Basic.

Step 1: INSTALLING REQUIRED TOOLS

INSTALLING NMAP:-

To install nmap, type the command below in your terminal:

sudo apt-get install nmap

INSTALLING ESPTOOL:- To install esptool, make sure you have Python 3 installed on your computer. If you don't have Python 3 installed, enter the command below in your terminal:

sudo apt-get install python3

Once you have Python 3 installed on your PC, go to the link below, download the source code (tar.gz) file and extract the folder into the Documents directory.

https://github.com/espressif/esptool/releases

Then go to the command line and enter the command below:

cd ~/Documents/esptool

Step 2: ​FIRMWARE BACKUP AND FLASHING

To create a backup of the firmware you first have to check which port your SONOFF is connected to. To do so, type the following in the terminal:

ls /dev/tty*

/dev/ttyACM(number) or /dev/ttyUSB(number) is the required port. Note it down somewhere.

Now, in the esptool directory, type the following command:

sudo ./esptool.py --port /dev/ttyUSB(number) read_flash 0x00000 0x100000 image1M.bin

This creates a backup of the firmware named image1M.bin in the esptool directory.

To flash the new firmware, visit the website given below, scroll to the bottom, download the sonoff.bin file and save it in the esptool folder described in the previous steps. https://github.com/arendst/Sonoff-Tasmota/release... Then type the following in the command line:

sudo ./esptool.py --port /dev/ttyUSB(number) write_flash -fs 1MB -fm dout 0x0 sonoff.bin
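As an added example (not part of the original post), the script below ties the backup and flash steps together so that the Tasmota image is only written after the 1 MB dump of the original firmware has been checked. It assumes esptool.py is on your PATH (otherwise run it from the esptool directory as ./esptool.py) and that the Sonoff is already in flash mode on the serial port.

```shell
#!/usr/bin/env bash
# Added example: back up the Sonoff's 1 MB flash, sanity-check the dump,
# record its checksum, and only then write the Tasmota image.
# Assumes esptool.py is on PATH and the device is in flash mode.
set -euo pipefail

FLASH_SIZE=$((0x100000))   # 1 MB, matching read_flash 0x00000 0x100000 in Step 2

# Print the first USB/ACM serial adapter found, or fail if none is attached.
find_serial_port() {
  local p
  for p in /dev/ttyUSB* /dev/ttyACM*; do
    [ -e "$p" ] && { printf '%s\n' "$p"; return 0; }
  done
  echo "no serial adapter found" >&2
  return 1
}

# A usable dump is exactly FLASH_SIZE bytes and is not all 0xFF
# (an all-0xFF image means the chip was erased or the read failed).
verify_backup() {
  local f=$1 size
  [ -f "$f" ] || return 1
  size=$(wc -c < "$f")
  [ "$size" -eq "$FLASH_SIZE" ] || return 1
  # Deleting every 0xFF byte from an all-0xFF image leaves nothing behind.
  [ "$(LC_ALL=C tr -d '\377' < "$f" | wc -c)" -gt 0 ] || return 1
  return 0
}

backup_firmware() {   # backup_firmware PORT OUTFILE
  esptool.py --port "$1" read_flash 0x0 "$FLASH_SIZE" "$2"
  verify_backup "$2" || { echo "backup looks bad, not flashing" >&2; return 1; }
  sha256sum "$2" > "$2.sha256"   # keep a checksum next to the backup
}

flash_tasmota() {     # flash_tasmota PORT IMAGE
  esptool.py --port "$1" write_flash -fs 1MB -fm dout 0x0 "$2"
}

if [ "${1:-}" = "run" ]; then   # ./sonoff_flash.sh run
  PORT=$(find_serial_port)
  backup_firmware "$PORT" image1M.bin
  flash_tasmota "$PORT" sonoff.bin
fi
```

Keep image1M.bin and its .sha256 file; restoring the original firmware later is a write_flash of that image at 0x0.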

Step 3: ​CONTROLLING THE DEVICE

Now, to control the device, you need its IP address, for which we will use the nmap tool.

Type the following in the command line:

ifconfig

Note the inet address and the netmask.

Let's assume your inet address is 192.168.43.65. Now type the following in the command line:

nmap -sn 192.168.43.0/24

NOTE: make sure your PC and the SONOFF are connected to the same network.

After the scan completes you will see the IP address of the SONOFF device, along with the IP addresses of all the other devices connected to that network.

Step 4: ACCESS GRANTED!!

Enter the IP address in your web browser and you will get a control menu similar to the one shown here.

USE:

With the help of this menu you can get access to the victim's SSID and password and even deny them access to the device.

For any other query you can mail me at prakhar.agrawal001@gmail.com

Step 5: ​CONNECTING TO ROUTER

The device should now be flashed with the custom firmware. Wait 2-3 seconds; the SONOFF will restart itself and create a hotspot with a name similar to sonoff-4996.

Connect to the hotspot and you should be redirected to a page where you can save the SSID and password of your router; click on save changes.

After this step the device will restart itself and automatically connect to your router.