Project Logs

Collapse

• 6. Open points

  mwahid • 12/25/2024 at 14:19 • 0 comments

  The following are still open and need more research (when time allows):
  

  1. Understanding I2C1 and I2C2 bus frames.
  2. Reverse engineering of the firmware with Ghidra. This will require some knowledge about the RTL7811AF architecture and registers.
  
  

• 5. Result

  mwahid • 12/25/2024 at 14:13 • 0 comments

  Here is the final result - Video link
  
  
   

  
  
  

• 4. Hacking

  mwahid • 12/25/2024 at 13:51 • 0 comments

  My ultimate goal is to have a simple app that talks to an API to control the device, and the opened port 30300 looked promising. So, I tried to check the binary file for clues regarding what APIs are used but, I could not find anything useful.

  So, I turned to the LED-I2C bus that controls the relays. Using the amazing "Bus Pirate" and the logic analyzer captures, I was able to control all the relays in the same way the SoC does by sending the frames in the capture files.

  The only problem is that the I2C bus can have one master only which is the SoC. So, for the bus pirate to work, I had to put the SoC in reset before sending the frames. But, in order to operate the device normally, the SoC must be running.

  Remembering that the I2C bus is transferred from the Control board to the Power board via the flat cable, I cut these two pins from the cable, and soldered two wires on the Power board itself thus, isolating this bus only from the Power board.
  

  This worked perfectly without the need to reset the SoC.
  

  Now, that I can bypass the SoC, all what remains is to add "Internet" part to the "Things".
  

  The ESP-01 is a tiny and capable module, and fits perfectly inside the plug housing. Using GPIO0 and GPIO2, I connected the ESP-01 to the I2C test pads on the Power board. With a simple Arduino sketch, I can control the power plug from any phone.

• 3. Investigating

  mwahid • 12/25/2024 at 11:47 • 0 comments

  After identifying as many components as I could, it is time see how things work. So, I got my $10 logic analyzer and $20 FT4232-56Q module out and got to work.

  I connected the three I2C buses to the logic analyzer and the two UART ports to the FT4232 module, then turned on the device. I turned ON/OFF some relays while recording everything, and below are the logs.

  UART_LOG

  • The file "bootlog.txt" is a log when the device boots up, and after turning ON/OFF some relays.

  • The status message is sent every time a relay is switched  `Update relay state, 1,1,0,0,0`

  • The message format is: <Overall status>,<Relay1>,<Relay2>,<Relay3>,<Relay4>

    1 = ON , 0 = OFF

  • When you press enter in the UART console, a "#" appears, but it seems nothing else happen.

  
  I2C1 & I2C2

  • The two I2C buses transmit messages every 3 seconds whether a relay is ON or OFF.
  • I am still unable to understand the meaning of the bytes, but I think they are related to the current measurements.
  • The same pattern appears on both buses.
  • The files "PowerPlug_I2C1_capture_CTRL_PCB_with_Power_PCB_InitialState.csv" and "PowerPlug_I2C2_capture_CTRL_PCB_with_Power_PCB_InitialState.csv" contain the decoded bytes.

  
  
  

  LED-I2C

  • This is that controls the relays and indicator LEDs.
  • When one of the four keys on the Power board is pressed, the SoC detect the input and sends the corresponding command over this bus.
  • The files "I2C_RelayX_OFF.csv" and "I2C_RelayX_ON.csv" show the frames for controlling each of the four relays.

  WiFi

  • Remember, this is an IoT device and it supports Access Point mode by default. So, I connected to the access point and fired nmap.
  • I scanned the entire ports range and found only port 30300 that is opened. It is the port the mobile app is using to communicate with the device.

  Firmware

  • Since this an ARM based device, I thought of dumping the firmware especially that the JTAG pins are exposed and labeled on the test pads.
  • The SoC is very old and is not natively supported in OpenOCD, but thanks to "greatlevi", the config file "rtl8710.ocd" worked fine and I dumped the firmware.
  • Check the dumped binary file shows that the device is running the FreeRTOS system, with many of the FreeRTOS libraries used as is.

• 2. Device Internals

  mwahid • 12/25/2024 at 10:08 • 0 comments

  The plug consists of three boards; Control, Power and USB.

  Control PCB

  • The control PCB is the brain of the plug and has the following components:

    • The controller is an RTL8711AF which is "ARM Cortex M3 SINGLE-CHIP 802.11b/g/n 1T1R WLAN SoC".

    • The SoC has several GPIO pins, I2C, SPI, UART and even NFC peripherals.

    • The input is 18V coming from the Power board.

    • There are several voltage regulators to generate the 5V, 3.3V and 1.2V required by the USB and  the SoC.

    • The Control board communicates with the Power board via a 22-pin flat cable, and controls the relays and LEDs over three I2C buses:
      • I2C1 (SCL1 & SDA1), and I2C2 (SCL2 & SDA2) are used to communicate with four current sensor ICs.
      • LED-I2C (LED-SCL1 & LED-SDA1) is used to control switch ON/OFF the relays.
    • There are two UART ports:
      • UART_LOG_OUT1 & UART_LOG_IN1:
        • Works at 38400bps
        • Outputs the current status of the relays, and accepts user input.
          I am still unable to figure out what commands it accepts or, if it is even possible to control the relays over this UART port.
      • UART_OUT & UART_IN: Not used.

  Power PCB

  The Power PCB has several interesting components which, unfortunately, I could not identify any of them. I was able, however, to discern their functionality from their connections.

  • 4 x Momentary buttons
    
    • Push-Buttons to switch ON/OFF the relays.

  • 4 x Status LEDs
    
    • Bi-color LEDs showing whether a relay is ON or OFF

  • HFE39
    
    • It Is a 277VAC/20A latching relay that works with 5V.
    • It has two coils; one for ON and another for OFF.

  • 1809 BJY3
    
    • There are four of this chip; each connected to one of the relays, and communicates with the main SoC over I2C1 and I2C2 buses.
    So, my guess is that these chips are for current sensing.

  • T4118 3218
    
    • This chip communicates with the SoC over LED-I2C bus.
    • The SoC controls the relays via this chip over the I2C bus.
    • 18 out of its 24 pins are connected to transistors to drive the relays' coils, as well as the indicator LEDs.
    So, my guess is that it is a GPIO expander of some kind.

  USB PCB

  • The USB board is quite simple with two USB-A female connectors, charger IC and probably a voltage regulator.
  • The 6-pin connector connects the USB board to the Power board.

  Unfortunately, I could not read anything of the chips.

• 1. Overview

  mwahid • 12/25/2024 at 09:47 • 0 comments

  Features

  • The LG Smart Power Plug MTTL-W01 (called Multitap) is 3.5KW power plug made by LG/TCL.

  • It houses a lot of  nice features such as Overload power cut, Standby power cut, remote controlled via mobile application over WiFi, USB ports for charging phones and many more. It is also made from high quality materials.

  • The device supports Access Point or Station modes which can be configured from the "U+Smart Home App".
  • According to LG website (in Korean), you can set schedules and monitor your power consumption and even have some statistics.

  Down side

  • My only problem with this device is the mobile application which is in Korean only, and requires a Korean phone number and annual subscription in order to use it with the device.
  • There are other applications that claim compatibility with plug but none of them worked with me.

  So, I decided to take the matters in my own hands.

  Goal

  • My goal is to control the plug using my phone via a simple mobile application or a web server.

View all 6 project logs