Reverse Eng: Watts Clever Easy-Off Sockets w/SMART Box (ES-AUS1103)

Internet-of-things and home automation seem to be the cool thing nowadays, and remote controlling things is something many have been dabbling with, sometimes rather unsafely. Imagine my surprise when I walk into a Jaycar, and see a kit of IR-and-RF based remote control sockets selling at AU$5 a piece. Yep. That’s cheap. Too cheap for me to walk by.

discount-set discount-single

smartbox-receiptThese units are branded Watts Clever Easy-Off Sockets with Smart Box, model ES-AUS1103. These were never listed on their site, nor are the listed now, and are likely considered end-of-life.

The proof is in the receipt. I ended up clearing out the store, purchasing all four sockets they had in a single starter-kit with two sockets, and two single additional socket packs. The product seems to have a notice on the online listing that it cannot be sold from 28th April onwards in NSW, but I don’t know why that is the case. It does make me worry a little, although I’ve asked them to clarify the reason, I haven’t received a response yet.

It’s a price I haven’t seen before, although, given that it’s in clearance, is a price that probably won’t be repeated for a while at retail.

Unboxing

2016040619423081

The first box is the starter kit that has two 433.92Mhz controlled wireless sockets, and a “Smart Box” which learns IR signals from remotes and sends out a 433.92Mhz signal to control the remotes outside of line-of-sight.

2016040619423082

The mode of operation is listed on the rear, and they claim it has a 30m radio range and a 10m IR range. It also claims to have an SAA approval, meeting Australian electrical safety requirements. The Smart Box requires 2xAA batteries. It is distributed by Electus Distribution Pty Ltd, the parent company of Jaycar. The package has a model number of ES-AUS2105.

2016040619433083

Inside, you get the Smart Box and two sockets as pictured, in a molded clear plastic tray.

2016040619463084

You also get an instruction manual, and two Alkaline AA batteries to get you started – a nice touch.

2016040619483091 2016040619483093

2016040619493094

The Smart Box has a blue plastic front which you can see through to some degree. An IR decoder (as used in most home AV appliances) and a feedback LED can be seen poking out of a slot internally. The unit is model ES2008.

The bottom houses a battery door which has a very tight fit and a very flimsy set of tabs 2016040619483089holding its other end in place. Two different tones of plastic are used inside, and an on-off switch cut-out is provided where no switch is actually installed. This doesn’t lend a quality feel to the product.

The plug itself is nothing particularly special and resembles a small digital timer. Its model number is ES-AUS1103. It differs quite markedly in design and model number compared with the other RF-only Watts Clever EASY-OFF branded sockets and is unlikely to interoperate with them.

The plug is somewhat larger than a standard plug and ends up blocking adjacent plugs on GPOs and power boards. I wonder why so many companies have such annoying designs.

2016040619553098

The single socket packages look very similar, and only have the plug and instruction manual. Interestingly, the rear of the box only claims a 20m RF range, probably to be more “realistic” with real-life conditions. Seldom are the claimed ranges achieved, especially through walls and with neighbours and other devices on the band causing interference.

Teardown

Before trying it out, lets take a look at what it’s made of. At the low price I got it for, I wouldn’t mind breaking it …

Smart Box

2016040619513096

Internally, the Smart Box consists of one single-sided paper-type PCB. The PCB implies a design date of January 2011, and is labelled IR-RF. The push button switch for learning, IR decoder and LED for feedback. A 433.92Mhz ASK transmitter module is mounted to this side, with the wound up coiled cable forming the antenna which is “haphazardly” floating around. A capacitor is provided to bypass the supply.

2016040619513097

The underside shows that the only components there are resistors and an HS2300-PE IC which is likely to be a microcontroller of sorts. Not much information seems to be available.

Easy-Off Socket

The socket was a hell to take apart because of the use of very peculiar security screws that are Y shaped and have a triangular stud in the center. I had no suitable screwdriver for it, so I just ended up destroying the casing on one of the plugs by drilling out the plastic around the screws (as the bit wouldn’t drill through the heads) and then cutting out the plastic.

2016041012193173

Internally, there are two PCBs connected by a ribbon. The top PCB facing us seems to have a microcontroller, but not much else. An antenna isn’t visible nor is a 433Mhz receiver module.

2016041012203177

There appears to be a spot for an additional surface mounted push button, its use is not immediately obvious. The base PCB has a Songle relay, SRD-24VDC-SL-A1 rated up to 15A at 250VAC. It appears to use a 24v coil, thus there must be some form of 24v or similar on the PCB.

2016041012223178

The bottom PCB has an LM358 opamp, so I’m guessing the antenna is formed by traces on the PCB and a simple crude passive filter is used for receive, tuned by the slug on the board underneath and amplified by the opamp and fed into the microcontroller. That leaves the power supply which appears to be exceedingly crude. The input fuse is merely bypassed, and protection relies on fusible resistor R5. A full wave bridge is formed by the four 1N4004 style diodes, and it seems the output voltage is regulated by shunt regulation with zener diodes. This implies energy is constantly consumed and wasted by this, and should the zener diode fail, a nice bang is to be expected. It also implies that all these boards are not actually isolated from the mains which could make it somewhat dangerous to play with. For higher efficiency, a dedicated switching supply IC with techniques such as synchronous rectification is needed.

2016041012233179

The underside as a few surface mount transistors, capacitors, diodes and resistors.

The PCBs are marked SK-5805 and C-UNIOU (sic) which tells me that it’s likely to be made by Ningbo Jiangdong C-Union Electronic Co., Ltd.

In Practical Use

Working with the system is very easy. Step 1 is to insert batteries into the Smart Box. Then, press and hold the top button until the LED blinks, point a remote, press a button until the LED stops blinking and the code is learnt on the Smart Box. To associate a plug with the code, plug the plug into a socket, press and hold the button until the LED blinks slowly, then press the button you want to associate with the switch twice, and then it is learnt. Clearing is as simple as holding the button down until rapid blinking (on the plug) or slow blinking (on the Smart Box) occurs.

The system generally does what it says on the tin. I used a very generic TV-tuner remote control that I had no other use for, and it was able to successfully learn the code and control the sockets. The range did not reach even 20m, with intermittent operation about 10-15m away, making it good for one to three rooms roughly.

The IR control struggled to be sensitive enough to receive bounced signals, but did do line of sight up to about 7-8m, which is about the regular practical limit. Of course, having such a system is somewhat inconvenient, as with one sender, you really have to have one remote pointed line of sight with that one sender to actuate the switches.

The standby energy consumption was worth checking, the results were:

As speculated in the tear-down, this seems to suggest that shunt regulation is indeed being used, as both states with relay on and relay off are essentially identical (uncertainty in readings is reported as 26mW). This is less than 1W as required but not as small as the 0.25W claimed by other Watts Clever Easy-Off products. It’s also not going to save you energy if you plug in only a few switching adapters to switch off, as its consumption is more than many of the adapters on the market due to its crude design. At AU$0.25/kWh, each plug will cost AU$1.57 a year to run.

I wondered how the system worked over the air and with respect to the IR coding – was it just merely spewing the IR codes over 433.92Mhz “dumbly” and expecting the sockets to learn the codes, or did the Smart Box have some intelligence. Was the link over the air secure in any way? Could we build something to eliminate the Smart Box and retain control?

Reverse Engineering

The same night I unpacked the unit, I started on my quest to reverse engineer the units’ on-air behaviour. It didn’t take more than two hours until I had finished my exploration.

Signal and Behaviour Analysis

The first thing that came to mind was to see what the transmissions were like. Using a RTL-SDR dongle and SDR Sharp, it was possible to see that it was a regular ASK/OOK signal. Because this involves keying a carrier on-and-off, I desired to record the signal to analyze it. The best mode for this is to use USB (an SSB demodulator) which basically is a frequency translator (e.g. if tuned to 433.92Mhz, then a signal at 433.921Mhz will turn up as a 1khz signal in the recording). The recorded audio file shows the signal clearly.

audioana

From noise, the same signal is repeated six times to guard against reception error.

pulse-length

The data is encoded as binary “short” and “long” bursts of signal. Recorded timings show a bit time of 1.1875ms, with a long being 0.9375ms of signal, and a short being 0.40625ms of signal. There is about an 11ms delay between signal repetitions, with the baud rate approximately 842bps.

Is this the IR code signal? No. It isn’t. The IR code signal as received by a IR decoder looks as follows:

IR-code-trace

It has a different length, and a different structure with the short “repeat code” being blurted out as long as the button is pressed. The Smart Box also does not emit anything for the codes it hasn’t “learnt”, so it’s not just dumbly repeating IR codes into the air. It must have intelligence to learn a certain number of codes, and translate them into standard messages to be sent over the air.

This naturally leaves the question, how many codes can be learnt? I tested this out by trying to force the unit to learn about 60 buttons on a remote control. Despite the LEDs claiming that the box had learnt the signal, only the last five learned codes remain and the other buttons were “forgotten” by the box silently.

Of course, now the question is, what is the format of the signal? I decided to learn four buttons for the four switches I have, and then record each button being pressed. The samples were then aligned from the audio recordings, and the long signal is given the name of a logical ‘0’, with a short signal given the name of a logical ‘1’.

bittime-meas

We can see that in the four recordings, only four bits of 25 total bits are variable. The rest of the message is the same, meaning that this is a fixed code protocol with no security and a very SMALL space of valid codes. This makes emulation much easier, but also will likely mean that switches can be easily interfered with.

That led me to wonder, is there any fixed section which changes? Perhaps resetting the Smart Box and re-learning new codes will set a new fixed section similar to re-keying the house-key on an X10 system. I tried it, and to my shock, it did not and instead re-allocated the same values.

Testing Code

Having made it this far, the next step was to screw around with the system – almost fuzz it if I will. I coded up a simple test first of all just to emit the codes above, only to find that it didn’t do much – the plugs didn’t react the way I expected them to and resending the codes didn’t toggle them on and off.

I then changed the code into the test code below, which simply cycles through all 4-bit combinations (in a hacky way) where I discovered some rather interesting results.

The first bit is used to tell the socket whether to turn on or off. If it’s a 0, the socket turns on, and if it’s a 1, the socket turns off. Re-sending a message for a socket to turn on, when it’s already on, has no effect. This was discovered because the cycling of combinations allowed me to observe which paired values turned on and off (e.g. 0x1 on, 0x9 off).

The remaining three bits address which sockets should respond. This is a “group” number, and the learning process merely sets this group number. A socket learns its group number over the air when it’s set to learning mode, and it hears a transmission for a given group for both ON then OFF. No sophisticated two-way processes are involved. As there are only three bits for the groups, there are only eight possible groups in the system.

So why are only five remote buttons supported? It turns out, when the Smart Box is fresh, each learned code is sequential starting at address 1, then 2, etc. It was then discovered that address 6 is a “all units broadcast which allows for all units to be turned on or off and is hard coded. You can force a unit to learn address 6, then it only responds to broadcasts, but it is not possible to make a switch ignore messages to address 6. Addresses 0 and 7 are not used by the box but the switches can learn and operate on these addresses as well. As a result, we have two groups which cannot be actuated by the Smart Box, but can be run by our code. Cool!

// Watts Clever Smart Plug Transmission Test
// by goughlui.com April 2016
// F bits are fixed for the protocol, V bits are variable
// Variable Bit 1 -> 0 = turn ON, 1 = turn OFF
// Variable Bit 2 to 4 = device address (110 is broadcast to all)
//                 F F F F F F F F F F F F F F F F F F F F V V V V F
int sendkey[25] = {0,0,0,1,1,0,1,0,0,1,0,1,1,1,1,1,1,1,1,1,0,0,0,0,1};
int fourbits = 0;

void setup() {
  // RF Module Connected Lazy: A3 GND, A4 DATA, A5 VCC
   pinMode(A3, OUTPUT);
   pinMode(A4, OUTPUT);
   pinMode(A5, OUTPUT);
   digitalWrite(A3, LOW);
   digitalWrite(A4, LOW);
   digitalWrite(A5, HIGH);
   Serial.begin(9600);
}

void loop() {
  Serial.print("Sending data value ");
  Serial.print(fourbits,HEX);
  Serial.print("\n");
  senddata();
  // Loop iterating all four bit values
  fourbits = fourbits + 1;
  if(fourbits>15) {
    fourbits=0;
  }
  moddata();
  delay(1000);
}

// Function sends the command in sendkey using A4 pin
void senddata() {
  int sendcount=0;
  int loopcount=0;
  while(loopcount < 6) {
    while(sendcount<25) {
     if(sendkey[sendcount]) {
       digitalWrite(A4, HIGH);
       delayMicroseconds(406);
       digitalWrite(A4, LOW);
       delayMicroseconds(782);
     } else {
       digitalWrite(A4, HIGH);
       delayMicroseconds(938);     
       digitalWrite(A4, LOW);
       delayMicroseconds(249);    
     }
     sendcount = sendcount + 1; 
    }
    delay(12);
    sendcount=0;
    loopcount = loopcount + 1;
  }  
}

// Function updates the four bits in sendkey based on fourbits
void moddata() {
  int temp = fourbits;
  if(temp/8) {
    temp=temp-8;
    sendkey[20]=1;
  } else {
    sendkey[20]=0;
  }
  if(temp/4) {
    temp=temp-4;
    sendkey[21]=1;   
  } else {
    sendkey[21]=0;
  }
  if(temp/2) {
    temp=temp-2;
    sendkey[22]=1;   
  } else {
    sendkey[22]=0;
  }
  if(temp) {
    sendkey[23]=1;   
  } else {
    sendkey[23]=0;
  }
}

This test code was run using an Arduino Uno to prove that the transmission could be easily emulated using a standard off-the-shelf 433.92Mhz ASK/OOK transmitter module and an Arduino, using the approximate measured timings. The plugs aren’t too picky on timing.

2016040622553099

As I was too lazy to solder, I just shoved it into the pins and used a logic pin to provide power. I also just used a Dupont wire jumper as an antenna.

But now having understood the protocol, it’s now time to make it even more fun.

Ethernet to Easy-Off Sockets Bridge

I decided to make it even more convenient for myself, as ultimately, most people desire to connect these devices to an IP network of sorts. As I had experience a long time ago making an Arduino-enabled Ethernet IR remote control, I decided I should follow a similar hacky technique to make an Ethernet to Easy-Off Sockets bridge. This re-used the same hardware – namely an old Arduino Duemilanove and a classic W5100 Ethernet Shield. Other more complex solutions may be possible using the Raspberry Pi (e.g. pilight) or with other platforms, but I really wasn’t bothered.

The ugly codebase was rehashed to support the Easy-Off sockets using the test code above. It has been reformatted for better appearance on the blog by breaking arrays into shorter lines.

#include <SPI.h>
#include <Ethernet.h>
#include <avr/pgmspace.h>

byte mac[] = { 0x00, 0x01, 0x02, 0x03, 0x04, 0xFF };
byte ip[] = { 192,168,0,208 };
EthernetServer server(80);

const char webpage1[] PROGMEM = {"<html><title>Arduino-Enabled Watts \
Clever EASY-OFF Smart Box Controller</title><h2>Arduino-Enabled Watts\
 Clever EASY-OFF Smart Box Controller</h2><p><table border=10><tr><td\
><center><table width=\"300px\"><tr><td><center><FORM action=\".\" me\
thod=\"post\"><INPUT type=\"hidden\" name=\"c\" value=\"0\"><INPUT ty\
pe=\"submit\" value=\"Ch. 0  ON\"></FORM></center></td><td><center><F\
ORM action=\".\" method=\"post\"><INPUT type=\"hidden\" name=\"c\" va\
lue=\"1\"><INPUT type=\"submit\" value=\"Ch. 1  ON\"></FORM></center>\
</td><td><center><FORM action=\".\" method=\"post\"><INPUT type=\"hid\
den\" name=\"c\" value=\"2\"><INPUT type=\"submit\" value=\"Ch. 2  ON\
\"></FORM></center></td><td><center><FORM action=\".\" method=\"post\
\"><INPUT type=\"hidden\" name=\"c\" value=\"3\"><INPUT type=\"submit\
\" value=\"Ch. 3  ON\"></FORM></center></td><td><center><FORM action=\
\".\" method=\"post\"><INPUT type=\"hidden\" name=\"c\" value=\"4\"><\
INPUT type=\"submit\" value=\"Ch. 4  ON\"></FORM></center></td>"};
const char webpage2[] PROGMEM = {"<td><center><FORM action=\".\" meth\
od=\"post\"><INPUT type=\"hidden\" name=\"c\" value=\"5\"><INPUT type\
=\"submit\" value=\"Ch. 5  ON\"></FORM></center></td><td><center><FOR\
M action=\".\" method=\"post\"><INPUT type=\"hidden\" name=\"c\" valu\
e=\"6\"><INPUT type=\"submit\" value=\"Ch. 6 (ALL)  ON\"></FORM></cen\
ter></td><td><center><FORM action=\".\" method=\"post\"><INPUT type=\
\"hidden\" name=\"c\" value=\"7\"><INPUT type=\"submit\" value=\"Ch. \
7  ON\"></FORM></center></td></tr><tr><td><center><FORM action=\".\" \
method=\"post\"><INPUT type=\"hidden\" name=\"c\" value=\"8\"><INPUT \
type=\"submit\" value=\"Ch. 0 OFF\"></FORM></center></td><td><center>\
<FORM action=\".\" method=\"post\"><INPUT type=\"hidden\" name=\"c\" \
value=\"9\"><INPUT type=\"submit\" value=\"Ch. 1 OFF\"></FORM></cente\
r></td><td><center><FORM action=\".\" method=\"post\"><INPUT type=\"h\
idden\" name=\"c\" value=\"a\"><INPUT type=\"submit\" value=\"Ch. 2 O\
FF\"></FORM></center></td>"};
const char webpage3[] PROGMEM = {"<td><center><FORM action=\".\" meth\
od=\"post\"><INPUT type=\"hidden\" name=\"c\" value=\"b\"><INPUT type\
=\"submit\" value=\"Ch. 3 OFF\"></FORM></center></td><td><center><FOR\
M action=\".\" method=\"post\"><INPUT type=\"hidden\" name=\"c\" valu\
e=\"c\"><INPUT type=\"submit\" value=\"Ch. 4 OFF\"></FORM></center></\
td><td><center><FORM action=\".\" method=\"post\"><INPUT type=\"hidde\
n\" name=\"c\" value=\"d\"><INPUT type=\"submit\" value=\"Ch. 5 OFF\"\
></FORM></center></td><td><center><FORM action=\".\" method=\"post\">\
<INPUT type=\"hidden\" name=\"c\" value=\"e\"><INPUT type=\"submit\" \
value=\"Ch. 6 (ALL) OFF\"></FORM></center></td><td><center><FORM acti\
on=\".\" method=\"post\"><INPUT type=\"hidden\" name=\"c\" value=\"f\
\"><INPUT type=\"submit\" value=\"Ch. 7 OFF\"></FORM></center></td></\
tr><tr><td></td><td></td><td></td><td></td><td></td><td></td><td>by</\
td><td>goughlui.com</td></tr></table></html>"};

//                 F F F F F F F F F F F F F F F F F F F F V V V V F
int sendkey[25] = {0,0,0,1,1,0,1,0,0,1,0,1,1,1,1,1,1,1,1,1,0,0,0,0,1};
int fourbits = 0;

char webpagechar;
int progmemcount;
char tempbuffer[1024] = {0};
char stringtemp[3] = {0};
int respcount = 0;
char c;
  
void setup() {
  Ethernet.begin(mac, ip);
  server.begin();
  // RF Module Connected Lazy: A3 GND, A4 DATA, A5 VCC
  pinMode(A3, OUTPUT);
  pinMode(A4, OUTPUT);
  pinMode(A5, OUTPUT);
  digitalWrite(A3, LOW);
  digitalWrite(A4, LOW);
  digitalWrite(A5, HIGH);
}

void loop() {
  EthernetClient client = server.available();
  if (client) {
// READ CLIENT REQUEST, KEEPING FIRST AND LAST CHARACTERS ONLY
    respcount=0;
    c=0;
    if (client.connected()) {
        while (client.available()) {
          c = client.read();
          stringtemp[respcount]=c;
          if (respcount < 1) {
             respcount=respcount+1;
          }

        }
     stringtemp[respcount+1]='\0';

// IF POST REQUEST THEN DO SOMETHING
     if (stringtemp[0] == 'P') {
       if (stringtemp[1] >= '0' && stringtemp[1] <= '9') {
         fourbits = stringtemp[1] - '0';
       } else if (stringtemp[1] >= 'a' && stringtemp[1] <= 'f') {
         fourbits = stringtemp[1] - 'a' + 10;
       }
       moddata();
       senddata();
      }
   
// ELSE SEND WEBPAGE REGARDLESS
        client.println("HTTP/1.1 200 OK");
        client.println("Content-Type: text/html");
        client.println("Server: Gough's Arduino Remote"); 
        client.println("Accept-Ranges: none"); 
        client.println("Connection: close");            
        client.println();
        progmemcount=0;
        webpagechar=(char)pgm_read_byte_near(webpage1+progmemcount);
        while(webpagechar!='\0') {
          tempbuffer[progmemcount]=webpagechar;
          progmemcount=progmemcount+1;
          webpagechar=pgm_read_byte_near(webpage1+progmemcount);
        }
        tempbuffer[progmemcount]='\0';
        client.write(tempbuffer);
        progmemcount=0;
        webpagechar=(char)pgm_read_byte_near(webpage2+progmemcount);
        while(webpagechar!='\0') {
          tempbuffer[progmemcount]=webpagechar;
          progmemcount=progmemcount+1;
          webpagechar=pgm_read_byte_near(webpage2+progmemcount);
        }
        tempbuffer[progmemcount]='\0';
        client.write(tempbuffer);        
        progmemcount=0;
        webpagechar=(char)pgm_read_byte_near(webpage3+progmemcount);
        while(webpagechar!='\0') {
          tempbuffer[progmemcount]=webpagechar;
          progmemcount=progmemcount+1;
          webpagechar=pgm_read_byte_near(webpage3+progmemcount);
        }
        tempbuffer[progmemcount]='\0';
        client.write(tempbuffer);
      }
    delay(50);
    client.stop();
  }
}

// Function sends the command in sendkey using A4 pin
void senddata() {
  int sendcount=0;
  int loopcount=0;
  while(loopcount < 6) {
    while(sendcount<25) {
     if(sendkey[sendcount]) {
       digitalWrite(A4, HIGH);
       delayMicroseconds(406);
       digitalWrite(A4, LOW);
       delayMicroseconds(782);
     } else {
       digitalWrite(A4, HIGH);
       delayMicroseconds(938);     
       digitalWrite(A4, LOW);
       delayMicroseconds(249);    
     }
     sendcount = sendcount + 1; 
    }
    delay(12);
    sendcount=0;
    loopcount = loopcount + 1;
  }  
}

// Function updates the four bits in sendkey based on fourbits
void moddata() {
  int temp = fourbits;
  if(temp/8) {
    temp=temp-8;
    sendkey[20]=1;
  } else {
    sendkey[20]=0;
  }
  if(temp/4) {
    temp=temp-4;
    sendkey[21]=1;   
  } else {
    sendkey[21]=0;
  }
  if(temp/2) {
    temp=temp-2;
    sendkey[22]=1;   
  } else {
    sendkey[22]=0;
  }
  if(temp) {
    sendkey[23]=1;   
  } else {
    sendkey[23]=0;
  }
}

The resulting code renders a very primitive web-page that looks like this. Because of the simple web-page design, it can fit entirely within the ATmega328P controller of an old Arduino Duemilanove with no external storage and can render on practically any web browser. The page is broken down into three PROGMEM arrays of <1023 bytes, which is copied into a temporary RAM buffer and then passed to the Ethernet library to send-out more efficiently than doing it byte-wise. The code is very primitive and doesn’t produce a full HTTP server – instead, it looks at the first packet sent by a client and keeps two characters – the first and the last. If the first character is a P, it assumes it’s a POST request and takes the last character which is a command byte and actions on that. Otherwise, any other response produces a response to a GET request, namely 200 OK, other HTTP headers and the page itself. On the whole, it’s somewhat resistant to unexpected packets and overflow as it only keeps the first and the last, so likely if the first character is not a P, then you’ll just get fed the page, and if it is, then the last character needs to be a 0-9, a-f to have any effects.

bridge

Pressing the button causes the web browser to send a POST request with the field data filled with “c=?” where ? is one character which represents the code to be sent (0-9, a-f). The unit immediately emits the respective code from the 433.92Mhz module. It was designed this way so that GET requests are idempotent and can be repeated without consequence, and only POST requests cause actions, which is at odds with other paradigms (e.g. REST) where GET requests can cause side effects.

For use with scripting, cURL can be used to produce the post requests as follows:

curl --data "c=7" -o /dev/null -s http://192.168.0.208
curl --data "c=f" -o /dev/null -s http://192.168.0.208

Where the post data contains the command (0-7 for channels 0-7 on, and 8-f for channels 0-7 off, case sensitive). In this case, the output is directed to null and cURL is invoked silently. Due to limitations in the coding which expects requests to be within the first received packet, wget cannot be used as it seems to split POST requests into multiple packets for some unknown reason. Most web browsers don’t have this issue, although it might be alleviated by adding a delay after the code checks for the availability of the client.

Both programs source code can be downloaded as a ZIP file.

Of course, it looks ugly, and a way of helping that might be to lay it out portrait-wise like a remote control so it renders better on mobile phones in portrait. It’s also not secure at all, but since it doesn’t rely on the cloud, as long as you trust everyone on your network, I suppose you can run it without major issues. Remote access can be handled upstream by a VPN server/SSH tunnel. Regardless, as the bridge and the air protocol are both insecure, the plugs should never be used to control anything that can have nasty consequences from unintended operation or failure to operate.

2016041001343172

To make it a little more reliable, I decided to re-solder some nice gold pins to the 433.92 TX module, because the pressed flat metal pins weren’t that reliable. I suspect if I supply the transmit current from 5v directly, I might get a little more range as now it’s drawing it from a logic pin held high, but it’s not too shabby as it is. Improvement in signalling reliability can be achieved by sending the same code multiple times (e.g. Ch 5 ON, Ch 5 ON) as redundant commands are simply ignored by the switches (i.e. if already on, sending another on command does not affect the switch).

Conclusion

The Watts Clever Easy-Off with Smart Box is a very cheap way to remote control appliances especially when purchased at clearance run-out. The system uses a Smart Box which learns IR remote signals and creates 433.92Mhz messages to control switches outside the line of sight. Using it as intended, the IR remote aspect makes it a little inconvenient, and the range could be better as it didn’t really make it as far as to cover a house.

Analyzing its design, it can be seen that a very cheap design for component minimization is used, which results in poor standby power consumption characteristics, and will be unlikely to save you much if any energy especially if you’re switching relatively efficient devices already. Where most phone chargers are <100mW, the switch consumes approximately 700mW.

Upon analyzing its operation, it was determined that its design is woeful. There is no security in the system whatsoever, as fixed codes are used that contain no checksum. The code space is tiny and a hard-coded all unit broadcast address exists. You can really have some fun if you went along and broadcasted a Channel 6 ON command as every switch, learned or unlearned, will respond and power on to such commands. As a result, you should never trust such devices to control critical, high-power, safety of life, or heat producing devices as they can be inadvertently remotely powered on maliciously, accidentally, by stray remote control signals from neighbours or by interference. They can also be jammed by amateur radio 70cm signals at high power, denying service.

Due to the small key space, users in close proximity which are using more than three channels are likely to come into overlap with their neighbours, with only five unique channels accessible through the Smart Box. Two more channels were found that can be used, but require you to produce your own hardware.

It does, however, make control emulation very easy to the point that I could do everything within a few hours. Now I even have an Ethernet to Easy-Off bridge allowing for any phone on the network to control a switch, thus obviating the need for the Smart Box. The solution doesn’t address security, however, and is admittedly both hacky and insecure – but also is relatively “low-tech” as it’s running on an Arduino and Ethernet Shield.

At the end of the day, it’s cheap, but I’m surprised such insecure products can make it to the market in droves. I suspect the “learning” feature often fools people into thinking there is some security when there isn’t, and unless people have had close proximity to another user using the same product, they aren’t likely to encounter any cases where unexpected operation occurs. This doesn’t mean that they should blindly trust the product despite not seeing any incorrect operation, however.

It’s worth reiterating that the other RF-only Easy-Off sockets look like a different product with a different design that may actually utilize rolling code protection. The issues found only apply to the “with Smart Box” IR-and-RF based product described above.

Update

I decided to customize the button labelling and change the layout for a vertical layout which suits phones a little better. Code not provided, but is a trivial change if you are bothered.

better-layout

Update 2

I just heard back from Jaycar who have advised that it cannot be sold in NSW after April 28 due to it not having double pole switching, as the new safety standard will require this. I suppose the requirement for double pole switching seems sensible where customers may inadvertently have appliances wired “backward” especially with exposed metal parts and overseas plug adapters etc to avoid any potential hazard, but should be otherwise safe for most appliances.

About lui_gough

I'm a bit of a nut for electronics, computing, photography, radio, satellite and other technical hobbies. Click for more about me!
This entry was posted in Electronics and tagged , , , , , , , , . Bookmark the permalink.

4 Responses to Reverse Eng: Watts Clever Easy-Off Sockets w/SMART Box (ES-AUS1103)

  1. Fake name says:

    *grins* – I bought a bunch of these, even cheaper I think, cleared out Jcar Darwin, the transmitter module just arrived – I give it a shot.

  2. Thanks very much for this post. I bought a few of these $5 kits also from Jaycar and just got around to driving them automatically from my Raspberry Pi. Basically I needed that protocol bit sequence you have decoded above. I implemented a small program in Python using that and I can drive all my switches now.

    • lui_gough says:

      Glad to hear it was helpful.

      If you haven’t already, also check out Part 2 (http://goughlui.com/2016/04/13/reverse-eng-pt-2-watts-clever-easy-off-wsmart-box-es-aus1103/)

      In that post, I determined that many of the fixed bits can also be changed, which the sockets will still accept, and would allow you to gain additional channels above that of this post which only looked at what is emitted by the regular IR-to-433Mhz bridge. In my own house, I use a separate “fixed” bit sequence with the channel code NOT one that is emitted by the IR box to gain a slight increase in potential immunity to interference from neighbours. Granted, it’s not a secure system, but it’s better than that battery-eating IR bridge!

      Personally, mine is now running on an old left-over Arduino Yun and has been doing well. The other is still running on an Arduino Uno clone with Ethernet Shield. It doesn’t take much to make them work :).

      – Gough

  3. Thanks very much also for that second post. Given that extra info, I added a group parameter to my Python interface so now I control 2 of my switches in one group, and 3 switches on another. I do this just so I can switch them independently, but all switches in a group at exactly the same time using address 6 :). My very simple Python code is both a command line program and a library module which I may put on github. If I do, I will credit your excellent investigative work.

Error: Comment is Missing!