The Orvibo S20 WiFi is really a nifty device. Relatively inexpensive from various online sites, this device connects through your WiFi network, enabling you to control and power various home appliances up to 10 Amps. The manufacturer offers a smartphone app which permits you to control the socket and also set up timers. However, it just so happens that this device has been reverse engineered, which makes it that much more interesting for the do-it-yourselfer (if that’s even a word). Interestingly enough, I’ve integrated this device into my own home automation project.
In this blog post, I’ll share how I got this working. More importantly, you’ll learn how to set up the socket without the app. Finally, I provide a script that allows you to control the socket from the command line – without the app. Let’s do it!
Motivation
I’m always a bit wary when it comes to proprietary apps, especially those from China – sorry for the generalization – but I just can’t trust whether my personal information is being sent along the internet to some data center across the world. I’ve also read that the S20 may in fact transmit your WiFi password via the mobile app when you pair it with your WiFi. Whether that’s true or not, I cannot say, but I’d rather be on the safe side. I also wanted to integrate this device into my home setup without use of the mobile app.
First and foremost, full credit for this goes to this particular blog post by Andrius Štikonas, the smart individual who reverse engineered the device. Ok, so let’s begin.
Pairing the Device with your WiFi
Once connected to a power outlet, you’ll see a flashing red LED. This indicates that the S20 is not connected to WiFi. Now press and hold the socket button for a few seconds and you’ll notice it switches to a rapidly blinking red LED mode. Press and hold the button once more, and it changes to a rapidly blinking blue LED. This indicates that the socket has created an unencrypted WiFi network called WiWo-S20. We’ll connect to this network to begin our work.
Unfortunately, according to Andrius, it appears that your WPA password is transferred in an insecure way, i.e. the socket is not able to use any public key cryptography. A slightly safer way to do it is to first change your WPA key in your router’s settings to something temporary and pair the socket. Then use AT+ commands to change the WPA password to the real one and change your router’s WPA password back.
Step 1: Connect to the WiWo-S20 Network
As discussed above, put your device in the rapidly blinking blue LED mode. Use a computer or laptop and connect to the WiWo-S20 network. Temporarily disable all other network connections, such as local/LAN.
Step 2: Change your WiFi WPA Key in your Router
Change your WiFi WPA Key to something simple temporarily and save your existing key somewhere. We’ll change it back shortly.
Step 3: Download Helper Application
Download the s20.exe console application from Andrius’ blog post (bottom of page) and put it on your desktop. There’s a pre-compiled 64-bit and 32-bit version. Double click the app and you’ll see this:
Hit ‘a’.
a - add unpaired socket (WiFi needed)
Enter your SSID and your temporary password. The S20 should now be connected to your WiFi. Test it out by toggling the power state with ‘p’.
p - toggle power state (there are also "on" and "off" commands)
You can also change the remote password if you like, with ‘P’.
P - change remote password (max 12 characters)
You can also change the socket name, timezone, etc. Go crazy.
With any luck, the S20 is now connected to your network. From here on, all communication with the S20 travels over your own WiFi network and is protected by its WPA encryption instead of crossing the open WiWo-S20 network, so we can breathe a sigh of relief. Now connect to your private WiFi and continue below.
Step 5: Change WiFi Key
Now comes the tricky part. Andrius’ executable does not provide a mechanism to change the WPA key while connected to your network, at least I couldn’t figure it out. You’ll need to download another application called Packet Sender from here to send AT+ commands directly to the S20. FYI, AT commands are instructions used to control a modem. AT is the abbreviation of ATtention. Every command line starts with “AT” or “at”.
- Begin by sending the string “HF-A11ASSISTHREAD” in the ASCII field on UDP port 48899 to the IP address of the S20 (don’t include the double quotes in the message). You should get a response as seen in the above screenshot. If not, try again. Keep trying, because if this step doesn’t work you may not be able to continue.
- S20 will reply with “IP address,MAC Address,Hostname”. The socket always replies to the same port as the source port of your message.
- Acknowledge that you got the previous message by sending “+ok”.
- Send “AT+WSSSID=ssid\r” where you replace ssid with your WiFi network name. \r is the carriage return (CR) symbol.
- The socket will reply with “+ok\n\n” (\n in this case is carriage return + line feed) if everything is correct or “+ERR\n\n” if something is wrong.
- Send your original WiFi password by replacing password in the following: “AT+WSKEY=WPA2PSK,AES,password\r”. The socket will again reply with “+ok\n\n”.
- Switch HF-A11 chip to station mode by sending “AT+WMODE=STA\r”. Again, wait for “+ok\n\n” (not sure if this is necessary)
- Restore your original WiFi key in your router’s settings.
- Reboot your socket with “AT+Z\r”.
Hopefully after rebooting your S20 you should see the LED go from blinking red to solid red. Great work!
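The exchange in the list above, written out as a small Python client. This is an added example, not code from Andrius’ tool or from the original post; the function names are hypothetical, and it assumes the socket answers each command with a datagram beginning “+ok” as the steps describe.

```python
import socket

AT_PORT = 48899                # UDP port named in the steps above
HELLO = b"HF-A11ASSISTHREAD"   # discovery string from the first step

def open_socket(timeout=2.0):
    """UDP socket; replies return to the source port sendto() picks for it."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    return sock

def parse_discovery(reply):
    """Split the 'IP address,MAC Address,Hostname' reply into named fields."""
    parts = reply.decode("ascii").strip().split(",")
    if len(parts) != 3:
        raise ValueError(f"unexpected discovery reply: {reply!r}")
    return dict(zip(("ip", "mac", "hostname"), parts))

def at_commands(ssid, key):
    """The three configuration commands, in the order of the steps."""
    for value in (ssid, key):
        # CR ends a command, so a CR/LF inside a value would start a second one.
        if "\r" in value or "\n" in value:
            raise ValueError("SSID and key must not contain CR or LF")
    return [f"AT+WSSSID={ssid}\r".encode(),
            f"AT+WSKEY=WPA2PSK,AES,{key}\r".encode(),
            b"AT+WMODE=STA\r"]

def set_wifi(sock, ip, ssid, key):
    """Run discovery, acknowledge it, then send each command and require '+ok'."""
    addr = (ip, AT_PORT)
    sock.sendto(HELLO, addr)
    info = parse_discovery(sock.recvfrom(1024)[0])
    sock.sendto(b"+ok", addr)
    for cmd in at_commands(ssid, key):
        sock.sendto(cmd, addr)
        reply = sock.recvfrom(1024)[0]
        if not reply.startswith(b"+ok"):
            # Name only the command: the WSKEY line carries the passphrase.
            name = cmd.split(b"=")[0].decode()
            raise RuntimeError(f"{name} rejected: {reply!r}")
    return info

def reboot(sock, ip):
    """Send AT+Z once the router is back on its real key (no reply is awaited)."""
    sock.sendto(b"AT+Z\r", (ip, AT_PORT))
```

Every one of these datagrams, the WSKEY line included, is plain ASCII, which is why the steps have you send the real key only after the socket has joined your WPA-protected network.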
Controlling the S20 with a Script
Now the fun part. Below is a short Bash script that you can use to toggle the S20 socket from the command line and incorporate into your projects as I have done. Credit goes to the user Mightyman over here. The script expects three arguments: on/off, MAC address, and the IP address of your S20.
Save the following into a file called s20_toggle.sh and make it executable.

#!/bin/bash
# Toggle an Orvibo S20 socket over UDP port 10000.
# Usage: s20_toggle.sh <on|off> <MAC> <IP>
# MAC must be 12 hex digits with no separators, because the byte
# reversal below indexes fixed character positions.

if [ $# -ne 3 ]; then
    echo "Requires three arguments: <on|off> <MAC> <IP>"
    exit 1
fi
if ! type xxd > /dev/null; then
    echo "Requires xxd binary"
    exit 1
fi
if ! type nc > /dev/null; then
    echo "Requires nc binary"
    exit 1
fi

ACTION=$1
MAC=$2
IP=$3

# The MAC with its six bytes in reverse order
REVERSEDMAC=${MAC:10:1}${MAC:11:1}${MAC:8:1}${MAC:9:1}${MAC:6:1}${MAC:7:1}${MAC:4:1}${MAC:5:1}${MAC:2:1}${MAC:3:1}${MAC:0:1}${MAC:1:1}

# Subscribe to the device:
echo "6864001e636c${MAC}202020202020${REVERSEDMAC}202020202020" | xxd -r -p | nc -u -w1 -p10000 "$IP" 10000 | xxd -p 2>&1

case $ACTION in
    off)
        # Switch Off
        echo "Switching off: $MAC $IP"
        echo "686400176463${MAC}2020202020200000000000" | xxd -r -p | nc -u -w1 -p10000 "$IP" 10000 | xxd -p
        ;;
    on)
        # Switch On
        echo "Switching on: $MAC $IP"
        echo "686400176463${MAC}2020202020200000000001" | xxd -r -p | nc -u -w1 -p10000 "$IP" 10000 | xxd -p
        ;;
    *)
        # Anything other than lowercase on/off is rejected
        echo "Unknown action: $ACTION (use on or off)"
        exit 1
        ;;
esac
exit
Test it out!
./s20_toggle.sh <on|off> <MAC> <IP>
There’s also a python implementation with more functions found here.
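To show what the hex strings in the Bash script contain, the sketch below rebuilds both packets field by field. It is an added example, not taken from Mightyman’s script or from the Python implementation linked above; the function names are hypothetical, and the reading of bytes 2-3 as the total packet length is an observation from the script’s two packets (0x001e = 30 bytes, 0x0017 = 23 bytes).

```python
import re

MAGIC = bytes.fromhex("6864")   # ASCII "hd"; both packets in the script start with it
PAD = b"\x20" * 6               # six spaces follow each MAC field

def mac_bytes(mac):
    """Accept AABBCCDDEEFF or aa:bb:cc:dd:ee:ff (the Bash script needs the former)."""
    digits = re.sub(r"[:\-.]", "", mac)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return bytes.fromhex(digits)

def frame(command, payload):
    """magic | 2-byte big-endian total length | 2-byte command | payload"""
    length = len(MAGIC) + 2 + len(command) + len(payload)
    return MAGIC + length.to_bytes(2, "big") + command + payload

def subscribe(mac):
    """Command 0x636c (ASCII "cl"): MAC, pad, byte-reversed MAC, pad."""
    m = mac_bytes(mac)
    return frame(b"cl", m + PAD + m[::-1] + PAD)

def power(mac, on):
    """Command 0x6463 (ASCII "dc"): MAC, pad, four zero bytes, then 01 or 00."""
    m = mac_bytes(mac)
    return frame(b"dc", m + PAD + bytes(4) + (b"\x01" if on else b"\x00"))

def parse(packet):
    """Check magic and length of a packet in this layout; return (command, payload)."""
    if len(packet) < 6 or packet[:2] != MAGIC:
        raise ValueError("bad magic")
    if int.from_bytes(packet[2:4], "big") != len(packet):
        raise ValueError("length field does not match packet size")
    return packet[4:6], packet[6:]
```

The packets carry nothing but the socket’s MAC address and the desired state, so access to UDP port 10000 on the socket is the only thing gating control; keep the device on a network segment you trust.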
Conclusion
Well I hope this was useful in your home automation endeavors. I welcome the reader to take a look at my home automation project where I have incorporated this and many other sensors.
Thanks for stopping by!
Hi!
Thanks for the article! Very useful information.
Do you have any idea how to get S20 remember its last power state?
After power cut S20 will always return to off position even if it was on before.
Hi,
Thanks for your visit and kind words.
And no, I do not think the Socket can remember its previous power state before powering off. It can only remember data like passwords, names, time zone, etc.
Can you tell me if the switch remembers the wifi signal if the power turns off for a few hours, as I cannot connect to it and the power is back on but it says not connected on my app? Thanks in advance. Pete
Hi Peter,
Thanks for your question. Like I mentioned in another reply, I do not think the Socket can remember its previous power state before powering off. I also don’t use the app but instead a command line script.
Hi,
This looks like a great potential help to me – I am trying to find a way to integrate S20 control into a Vera Edge home automation controller. It seems really hard to do! There are no Vera MIOS apps available for the purpose yet, so I was going to try and make one of my own. The Vera apps require the code LUA language, and I am having a hard time sending the correct outputs.
Hi, thank you for this article. I have to make this, but I’m using OpenELEC and LibreELEC too, and the script needs the “xxd binary”, but it looks like it is not included in these systems.
Can you help me, how can I add the xxd binary to run the script?
Thank you! 🙂
Hi, I can’t get my two S20 devices to connect to my WiFi router. I have a Synology router running SSID and password with no special characters over 2.4GHz, I also have a Ubiquiti UniFi AP and 2 x Cisco APs all running the same SSID and password over 2.4GHz WPA2-Personal, AES. No matter what I do I cannot get it to even look like it is connecting. The s20.exe utility you reference doesn’t work. When I send manual packets to the S20 with Packet Sender I get a response shown in Wireshark: Destination Unreachable (Port Unreachable).
At my wits end with these things!
Forgot to mention, I have my laptop connected to the s20 SSID which in my case is HomeMate_AP whilst I am doing all of the suggested in your article.
Hi, I’m using DemoPad for my home automation project. It can send IP commands to devices over TCP or UDP. Is there a simple IP command to toggle power on or off, or (even better) separate commands for on and off? I’m not a programmer or coder…
Sorry I’m not familiar with DemoPad but can you not incorporate the Bash script I provided into your project? Or copy what it does? The script makes use of the binary command “nc” to send packets to the socket. As you further inspect the script, you’ll see that it sends specific codes along with the MAC address to the socket to switch it on/off.
Hi
I can’t find s20.exe anywhere?
Many Thanks
It’s at the bottom of this page in the binaries section.
Thank you, found!
Hello,
Can I set up the timer for auto ON/OFF?
Thanks