lee/hpr-knowledge-base
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
7c8efd222889735a4b6027023f25710b35817688
hpr-knowledge-base/hpr_transcripts/hpr4331.txt
Lee Hanken 7c8efd2228 Initial commit: HPR Knowledge Base MCP Server 
- MCP server with stdio transport for local use
- Search episodes, transcripts, hosts, and series
- 4,511 episodes with metadata and transcripts
- Data loader with in-memory JSON storage

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-10-26 10:54:13 +00:00

158 lines
10 KiB
Plaintext
Raw Blame History

Episode: 4331
Title: HPR4331: Re-inventing the light switch
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr4331/hpr4331.mp3
Transcribed: 2025-10-25 23:10:18
---
This is Hacker Public Radio Episode 4331 from Monday the 10th of March 2025.
Today's show is entitled, Reinventing the Light Switch.
It is part of the series' home automation.
It is hosted by Lee and is about 10 minutes long.
It carries a clean flag.
The summary is, Lee does some home automation with Bash, Python and Apache Cordova.
Hi, I'm Lee.
Today I'll be talking about using scripting to turn indoor lights on and off.
Now you might say, in the past we had something called a light switch.
Why mess with that well-proven mechanism?
And I very much sympathise with that point of view.
I have some sensitivity to artificial lighting myself.
And shades or a visor are not always effective.
So I've been in several situations where I've had to leave or give up what I was doing
because the people who designed the building I was in had decided not to provide a light
switch and instead had made the lighting fully automatic.
And even if there was some remote control to adjust the lights, no one knew where it was.
That source subject decided I'll proceed to describe the little handcrafted automation
I've developed for my own apartment.
This will involve several stages.
First, the existence of an undocumented network exploit that allows control of a particular
brand of commercial LED bulb.
Then, writing a Python script to send data to the light bulbs.
Then, writing shell scripts to call the appropriate Python script for different functions and
putting these scripts on the server.
Finally, writing a mobile app that connects to the server and issues commands to turn the
lights off or change their brightness.
So first, the LED bulbs.
These are made by Whiz, spelled capital W, little i and capital Z.
Now there is a mobile app they provide for setting up and controlling bulbs.
So I was using this app originally, particularly for putting the bulbs on the local Wi-Fi.
But then you're limited to only what this proprietary app allows you to do.
So I'd come across some exploit code that was written by cyber security enthusiast and
software developer from Finland with the handle Routendo's, about R00T ENDO.
Now it would be nice if manufacturers of smart devices fully opened up their APIs.
You might say this would be a security risk, but if the APIs well designed it would be secure.
And if they're hiding behind the fact that the API is not documented, then this is security
by obscurity, which can often be effective, but is not really the best type of security.
Routendo wrote an article about the exploit on Medium, and there's a link to this in the
show notes, but I'm aware there is a paywall, so not everyone will be able to read it.
So I'll paraphrase.
Basically, they wanted the network traffic between their phone running the proprietary app
and the light bulbs.
They used a method called ARP spoofing, so they would be able to access the packets of
data as they were being sent across the network.
So on GitHub, also linked in the show notes, is an example Python script they wrote for
issuing commands, basically it connects to an IP on a certain port and sends some JSON.
I've adapted this script for my own purposes.
Since my particular bulbs don't have colours, I just implemented functions for on-off and
change the brightness between 0 and 100.
And while there are 100 brightnesses, I found there are actually only 10 distinct ones,
so the least significant figure is redundant.
Once I got this to work, I wrote shell scripts to wrap around this, to just implement
the specific functions I needed.
I hard-coded the IP address of the light bulbs, which I discovered for a combination of running
end-map and looking at the device status information on the admin console of my Wi-Fi router.
Now I'll put these scripts on my home server, which is always on, and sits in my server
rack that is described in Episode HPR 4215.
So to actually run these scripts, for example, from my PC, which runs Kabuntu, I added a
text command widget to my desktop.
I'm not sure this is one of the built-in KDE widgets, so I think I downloaded it through
the Get More widgets feature.
By the way, I also have a widget called Command Output that gets the weather using a script
I described in Episode HPR 4266.
I include a screenshot, the leftmost widget, by the way, in folks' script.
The launch is a Windows Virtual Machine, with LibVirt, then opens Virt Viewer.
So it's still slightly inconvenient having to turn on my PC just to adjust the lights,
so I first thought of writing a web interface and putting it on my server.
I did this using Python, which listens for HTTP requests.
LibVirt serves up the user interface as HTML, or if it's an Ajax request actually performs
the requested command.
The trouble was, for whatever reason, this demon would go to sleep after a while, meaning
it was not immediately responding to the web browser of my Android phone, iPad or desktop
PC, though it would work eventually.
So what I decided to do was create a simple mobile app to control the lights.
Since I'd already written the HTML and JavaScript when I had made the web interface version,
I thought it would be good if I could reuse this, but just put it inside the web view on a mobile app.
Thankfully, there are several mobile app development frameworks that allow you to do this.
For example, Cordover and Ionic.
Cordover is probably the most long-standing one, and in some circles it is seen as outdated,
but I've been using it at work on and off for quite a number of years.
The advantage of one of these hybrid mobile frameworks is that you write the user interface
with plain HTML, CSS and JavaScript, which are familiar to most people who have done
any front-end development.
But in addition, there are hundreds of plugins available that interface to native features
on the mobile device, and a lot of these plugins will provide a consistent function that works
irrespective of whether the device is Android or iOS.
So in this case, I found a plugin called SSH Connect, created by Jose and Ray Perez
Aravala, and I'll link to it in the show notes.
The reason for using it is so I can run some JavaScript on the mobile web view,
and it will connect to my server over SSH and invoke one of the shell scripts I described earlier.
This plugin is for Android, so I've made an Android version of this app only, not an iOS one.
First you have to make sure, along with Cordover, you have installed the right version
of the Android SDK, Java and especially Gradle, or the app won't build properly.
So I'll create the app with the command Cordover Create Light switch, and go into the folder
that is just added, and add the Android platform with Cordover Platform Add Android, and then
install the plugin with Cordover plugin Add Cordover, iPhone plugin, iPhone SSH, iPhone Connect.
Then it's a matter of modifying the HTML JavaScript and CSS in the WWW folder to show whatever
user interface and user interaction you want.
And also with JavaScript to access the plugins to do native commands, in this case connected
to my server with SSH.
So just looking at the code in my index.html, I have two buttons for on and off, and a range
input from 0 to 100 for the brightness.
In my index.js file, I wait for the on device ready event, then attach click or input
listeners respectively to these controls, and I call one of three functions, which are
on, off and brightness.
Each of these functions accesses the Cordover SSH plugin, and connects to the server issues
of command then disconnects.
So then I built the app with Cordover build Android, and assuming my phone is connected
to the PC, has developer mode enabled, and USB debugging enabled and activated, then I
can just run Cordover run Android, and it deploys the app to my device.
In lone behold, I can turn the lights on off or adjust the brightness with this app.
So you might say I could have done this already with the wizard, and that is true.
So what interests me about doing it this way is I can write scripts that adjust the lights
according to certain triggers.
So for example, I've added to Cron so that in the early morning I have the lights come
on and gradually get brighter, which is a nice way of waking up that I prefer to an alarm
clock.
And especially in the winter, when it's not light until later than it is in the summer,
it makes it seem as if the day has started earlier than it really did.
And I can imagine I might have other triggers, for example, were learning me to certain events.
So I've put the various code in the show notes.
Just to note, so far I'm just working with the four light bulbs in the main room of my
fat, though in future other rooms could be added to the setup.
I'm aware it's somewhat precarious to be working with an undocumented API that could change
or be patched in future.
I'm assuming the bulbs won't do a firmware update by themselves, though I think that
is what all IoT devices need to do nowadays.
And I think this opinion has been often voiced on security now, the Tweet podcast featuring
Steve Gibson.
I mentioned in episode HPR 4246.
So anyway, hopefully this hack will keep working and LED bulbs tend to last forever, especially
given the limited duty cycle and democracies I ask of them.
In fact, it's maybe more likely that the microcontroller would fail before the LED elements
ever do.
So in summary, IoT devices often proprietary and give limited ability for controlling them
in non-standard ways.
There are ways sometimes of using undocumented interfaces for controlling these devices.
Here I've given an example of how with some fairly straightforward scripting it's possible
for someone to roll their own software for controlling things via the command line or
a web interface or via a mobile app.
I hope this has been of interest, thanks for listening, goodbye.
You have been listening to Hacker Public Radio, as Hacker Public Radio does work.
Today's show was contributed by a HPR listener like yourself.
If you ever thought of recording podcasts, click on our contribute link to find out how
easy it leads.
Hosting for HPR has been kindly provided by an honesthost.com, the internet archive and
rsings.net.
On this advice status, today's show is released under Creative Commons, Attribution 4.0 International
License.
Reference in New Issue View Git Blame Copy Permalink