Working in Progress
This article is still a work in progress, which means it will be updated in the future. Images may be missing captions or alt-texts. There might also be some language weirdness.
I’ve had a Moonside Lighthouse lying around for some time. It’s a pretty nice-looking light fixture, however, there was no way to integrate it into my Homeassistant setup. I’ve had a shot at reverse engineering it’s communication and here are my results:
Trying the network route
Lighthouse is able to join your WiFi-Network for remote control, because of that I was hoping to find some open network port using Nmap. A quick scan showed nothing, meaning that this way is likely a dead end.
However, this digging surfaced one interesting piece of information about its MAC Address, which belongs to the Espressif MAC range (meaning it’s likely something ESPy).
There also exists a public API which enables you to control the fixture remotely. I was unable to get it working, also I would like to be able to control my light locally. I have not explored this route further.
After it became clear that networking is sadly not an option I started looking into Bluethooth. The App uses BLE to talk to the lamp. My first attempt was to use the nRF Connect tool to reads its characteristics.
None of these characteristics were helpful, except one which piqued my interest., “Nordic UART Service”, I’ve never heard of that before, though it seems fairly helpful. Using the nRF toolbox I was able to connect to it via BLE UART. That itself worked fine, however, brute-forcing commands were not useful as there was no response to anything.
Snooping the traffic
The next logical step was to snoop on the traffic between the android app and the hardware counterpart. That proved to be not as easy as it sounds, in the end, I used Wireshark to look at the traffic.
First step was to enable Bluetooth Snooping in the developer settings. Then after some debugging and using this command:
db shell su -c "'nc -s 127.0.0.1 -p 8872 -L system/bin/tail -f -c +0 data/misc/bluetooth/logs/btsnoop_hci.log'"
The interface showed up in Wireshark. Though you need to android dump androiddump module for Wireshark.
It seems like your device needs to be rooted for this to work, I’ve seen contradicting information about that, however.
Finally, I was able to see communication with a device called Espressi_2a:9d:5a, which looks suspiciously like the device in question.
Deconstructing the communication
The became apparent that the app talks in clear text with the light fixture. These commands started showing up:
|LEDOFF||Turns the light off|
|LEDON||Turns the light on|
|BRIGHXXX||Brightness, replace XXX with number (max: 120, min:0)|
|COLORRRRGGGBBB XXX||Sets the colour, replace R with red value, G with green value and B with blue value (0-255), optional X brightness argument|
|THEME.????????||Sets a theme|
|PIXEL,ID,XXX COLOR?||Set a pixel, where ID is the pixel (0-89), XXX is the brightness and COLOR is the colour in an unknown format|
|MODEPIXEL||Applies pixel settings|
Mind you the values of for example the ID range might be different between devices, however I will probably not buy more devices just to prove my theory.
Some things are also just unknown. I do not understand how sound-enabled modes work (yet!). It sends some number string and that’s it. I was also unable to figure out the COLOR format for pixel setting, it is six digits ranging from 0-9.
Themes are a whole different topic. They are way more configurable than the app gives you options. Here is a list of the themes from the app:
|THEME.GRADIENT2.255,0,0,80,20,0,200,200,200,||Volcano Ice Cream|
|THEME.GRADIENT1.0,255,0,200,200,200, Wizard||Vibe Beat|
Sound-activated modes seem to be variations of themes. These have yet to be mapped. However, they commonly start with M and another number following that. After that, there are colour arguments again.
Modifiying theme data
There are a few theme “keywords” which can then be mixed with arguments. These are:
THEME1, THEME2, THEME3, THEME4, THEME5, WAVE1, BEAT1, BEAT2, BEAT3, GRADIENT1, GRADIENT2, RAINBOW1, RAINBOW2, RAINBOW3, TWINKLE1, FIRE2, COLORDROP1, LAVA1, COLORDROP1, PULSING1
Following these theme keywords are blocks of colour, most in this format: (yes they end in a
It seems like every theme’s colour values change different aspects of the effect. (more will be added below over time)
|FIRE2.BBB,BBB,BBB,111,111,111,222,222,222,333,333,333||B is the “background” or base colour of the effect, you can leave it with 0s, meaning it will stay off. The rest 1-3 are other effect colours.|
Building a smart home interface
I’ve built a basic Sketch which connects to the WiFi network. Have a look below! (I will continue working on this sketch)
(If there is nothing above this text make sure to enable experience cookies!)
Leave a Reply