Outside documentation indicates that these bulbs went from ESP to BK7231N.
For testing purposes, I was able to flash ESP Kickstart using cloudcutter with the 7231N build. Before flashing this one, I retrieved the firmware from SmartLife (1.3.21).
The bulb itself has never connected to SmartLife AFAIK. It was purchased new from Amazon.
Because the firmware version seems to be used with N/T, I've tried running the app multiple times across all lightleak profiles.
The only one that makes it past "Check if device is exploitable" is the "BK7231N-Type 2 / Addr 1 (Standard)" option.
Using this profile, it will actually provide this message at the usual failure point:
"Good news, your device is exploitable"
I'm assuming this affirms that this is the correct profile? Especially since the others repeatedly fail at this step.
[2023-05-15 14:37:29] [ExploitFragment] State+: Action(progress, Prepare environment)
[2023-05-15 14:37:29] [ExploitViewModel] Profile: io.github.cloudcutter.data.model.ProfileLightleak@cfa9f3c
[2023-05-15 14:37:29] [ExploitViewModel] Preparing action graph
[2023-05-15 14:37:29] [ExploitViewModel] Building action graph
[2023-05-15 14:37:29] [ExploitViewModel] Action graph OK
[2023-05-15 14:37:29] [ExploitFragment] State%: Action(done, Prepare environment)
[2023-05-15 14:37:32] [ExploitViewModel] Action run: MessageAction(message_custom_ap_connect)
[2023-05-15 14:37:32] [ExploitViewModel] Action OK
[2023-05-15 14:37:32] [ExploitViewModel] Action run: WorkStateAction(work_state_raw)
[2023-05-15 14:37:32] [ExploitViewModel] Action OK
[2023-05-15 14:37:32] [ExploitFragment] State+: Action(progress, Connect to CustomAP device (LightleakIdle))
[2023-05-15 14:37:32] [ExploitViewModel] Action run: WiFiConnectAction(custom_ap_connect)
[2023-05-15 14:37:32] [ExploitFragment] Device new state: Unconfigured
[2023-05-15 14:37:32] [ExploitFragment] Wi-Fi scan performed
[2023-05-15 14:37:35] [ExploitFragment] Wi-Fi scan results: [SpectrumSetup-C3, REMOVED, REMOVED, SmartLife-B179, WIFIC6B4B0, SpectrumSetup-CF, MySpectrumWiFid0-2G, LightleakIdle, NTGR_VMB_9265170951, SpectrumSetup-DB, CenturyLink2739-Guest, CenturyLink2739, 36787B-2.4, Brenna 2G, WIFIF741BE, MySpectrumWiFi38-2G, ARRIS-5855, ARLO_VMB_8909912109]
[2023-05-15 14:37:35] [ExploitFragment] State+: Action(done, Found network: LightleakIdle)
[2023-05-15 14:37:35] [ExploitFragment] State%: Action(done, Found network: LightleakIdle)
[2023-05-15 14:37:35] [ExploitFragment] Wi-Fi connection attempt: LightleakIdle / cl0udcutt3r!@#
[2023-05-15 14:37:38] [ExploitFragment] Wi-Fi connection attempt: LightleakIdle / cl0udcutt3r!@#
[2023-05-15 14:37:42] [ExploitFragment] Wi-Fi changed: ssid=<unknown ssid>, rssi=-69
[2023-05-15 14:37:42] [ExploitFragment] IP addresses changed: 10.0.0.2/24 / 10.0.0.1
[2023-05-15 14:37:42] [ExploitFragment] Wi-Fi changed: ssid=<unknown ssid>, rssi=-69
[2023-05-15 14:37:42] [ExploitFragment] IP addresses changed: 10.0.0.2/24 / 10.0.0.1
[2023-05-15 14:37:42] [ExploitFragment] Wi-Fi changed: ssid=<unknown ssid>, rssi=-69
[2023-05-15 14:37:42] [ExploitFragment] Wi-Fi changed: ssid=<unknown ssid>, rssi=-69
[2023-05-15 14:37:42] [ExploitFragment] State+: Action(done, Connected: LightleakIdle)
[2023-05-15 14:37:42] [ExploitFragment] State%: Action(done, Connected: LightleakIdle)
[2023-05-15 14:37:42] [ExploitViewModel] Action OK
[2023-05-15 14:37:42] [ExploitFragment] State%: Action(done, Connect to CustomAP device (LightleakIdle))
[2023-05-15 14:37:42] [ExploitFragment] State+: Action(progress, Establish connection with the device)
[2023-05-15 14:37:42] [ExploitViewModel] Action run: PingAction(ap_ping_found_1)
[2023-05-15 14:37:45] [ExploitFragment] Wi-Fi changed: ssid=<unknown ssid>, rssi=-66
[2023-05-15 14:37:45] [ExploitFragment] Wi-Fi changed: ssid=<unknown ssid>, rssi=-66
[2023-05-15 14:37:45] [ExploitViewModel] Action OK
[2023-05-15 14:37:45] [ExploitFragment] State%: Action(done, Establish connection with the device)
[2023-05-15 14:37:45] [ExploitFragment] State+: Action(progress, Setup CustomAP credentials)
[2023-05-15 14:37:45] [ExploitViewModel] Action run: WiFiCustomAPAction(custom_ap_setup)
[2023-05-15 14:37:45] [ExploitViewModel] CustomAP connected
[2023-05-15 14:37:45] [ExploitViewModel$runWiFiCustomAPAction$2] Wrote packet: 63 63 74 72 68 4c 69 67 68 74 6c 65 61 6b 43 75 73 74 6f 6d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 31 31 b0 16 67 46 be 84 01 fe 6d b3 c0 68 4d 87 e8 e2 d9 c5 65 4a f5 b7 38 46 f6 d7 06 e2 61 9b 09 ce 51 c1 47 2f 20 2e 81 ac 38 4e 44 13 0c e2 60 fb 01 ce 43 0f 22 2e 81 8c f1 93 b9 34 00 40 1f 00 00 3f 9d f4 ea
[2023-05-15 14:37:45] [ExploitViewModel$runWiFiCustomAPAction$2] Got response: 222
[2023-05-15 14:37:45] [ExploitViewModel] Action OK
[2023-05-15 14:37:45] [ExploitFragment] State%: Action(done, Setup CustomAP credentials)
[2023-05-15 14:37:45] [ExploitViewModel] Action run: MessageAction(message_device_connect_1)
[2023-05-15 14:37:45] [ExploitViewModel] Action OK
[2023-05-15 14:37:45] [ExploitFragment] State+: Action(progress, Connect to smart device WiFi)
[2023-05-15 14:37:45] [ExploitViewModel] Action run: WiFiConnectAction(connect_default_1)
[2023-05-15 14:37:45] [ExploitFragment] Wi-Fi scan performed
[2023-05-15 14:37:46] [ExploitFragment] Wi-Fi scan results: [REMOVED, REMOVED, SmartLife-B179, WIFIC6B4B0, pebbles2010, SpectrumSetup-CF, LightleakIdle, 013, NTGR_VMB_9265170951, MySpectrumWiFi8c-2G, Hembree, Harwoods 5G-1, CenturyLink2739-Guest, CenturyLink2739, SpectrumSetup-D8, TammysWifi, Brenna 2G, ARRIS-5855-5G, ARRIS-5855, ARLO_VMB_8909912109]
[2023-05-15 14:37:46] [ExploitFragment] State+: Action(done, Found network: SmartLife-B179)
[2023-05-15 14:37:46] [ExploitFragment] State%: Action(done, Found network: SmartLife-B179)
[2023-05-15 14:37:46] [ExploitFragment] Wi-Fi connection attempt: SmartLife-B179 / null
[2023-05-15 14:37:50] [ExploitFragment] Wi-Fi changed: ssid=<unknown ssid>, rssi=-38
[2023-05-15 14:37:50] [ExploitFragment] IP addresses changed: 192.168.175.100/24 / 192.168.175.1
[2023-05-15 14:37:50] [ExploitFragment] Wi-Fi changed: ssid=<unknown ssid>, rssi=-38
[2023-05-15 14:37:50] [ExploitFragment] IP addresses changed: 192.168.175.100/24 / 192.168.175.1
[2023-05-15 14:37:50] [ExploitFragment] Wi-Fi changed: ssid=<unknown ssid>, rssi=-38
[2023-05-15 14:37:50] [ExploitFragment] Wi-Fi changed: ssid=<unknown ssid>, rssi=-38
[2023-05-15 14:37:50] [ExploitFragment] State+: Action(done, Connected: SmartLife-B179)
[2023-05-15 14:37:50] [ExploitFragment] State%: Action(done, Connected: SmartLife-B179)
[2023-05-15 14:37:50] [ExploitViewModel] Action OK
[2023-05-15 14:37:50] [ExploitFragment] State%: Action(done, Connect to smart device WiFi)
[2023-05-15 14:37:50] [ExploitFragment] State+: Action(progress, Establish connection with the device)
[2023-05-15 14:37:50] [ExploitViewModel] Action run: PingAction(ping_found_1)
[2023-05-15 14:37:52] [ExploitViewModel] Action OK
[2023-05-15 14:37:52] [ExploitFragment] State%: Action(done, Establish connection with the device)
[2023-05-15 14:37:52] [ExploitFragment] State+: Action(progress, Connect smart device to CustomAP)
[2023-05-15 14:37:52] [ExploitViewModel] Action run: PacketAction(exploit_stager)
[2023-05-15 14:37:52] [ExploitFragment] Wi-Fi changed: ssid=<unknown ssid>, rssi=-36
[2023-05-15 14:37:52] [ExploitFragment] Wi-Fi changed: ssid=<unknown ssid>, rssi=-36
[2023-05-15 14:37:53] [ExploitViewModel] Action OK
[2023-05-15 14:37:53] [ExploitFragment] State%: Action(done, Connect smart device to CustomAP)
[2023-05-15 14:37:53] [ExploitFragment] State+: Action(progress, Wait for device to stop responding)
[2023-05-15 14:37:53] [ExploitViewModel] Action run: PingAction(ping_lost_1)
[2023-05-15 14:37:59] [ExploitViewModel] Action OK
[2023-05-15 14:37:59] [ExploitFragment] State%: Action(done, Wait for device to stop responding)
[2023-05-15 14:37:59] [ExploitFragment] State+: Action(progress, Wait for CustomAP termination)
[2023-05-15 14:37:59] [ExploitViewModel] Action run: WiFiScanAction(custom_ap_scan)
[2023-05-15 14:37:59] [ExploitFragment] Wi-Fi scan performed
[2023-05-15 14:37:59] [ExploitFragment] Wi-Fi scan results: [REMOVED, REMOVED, SmartLife-B179, WIFIC6B4B0, NETGEAR19, pebbles2010, MySpectrumWiFid0-2G, LightleakCustom, NTGR_VMB_9265170951, SpectrumSetup-CF, Harwoods, NETGEAR-Guest Essex, 36787B-2.4, TammysWifi, Brenna 2G, MySpectrumWiFi38-2G, ARRIS-5855-5G, ARLO_VMB_8909912109]
[2023-05-15 14:38:00] [ExploitFragment] Wi-Fi scan performed
[2023-05-15 14:38:03] [ExploitFragment] Wi-Fi scan results: [REMOVED, REMOVED, WIFIC6B4B0, Poohbear0716-2.4, Bohland, SpectrumSetup-CF, MySpectrumWiFid0-2G, HP-Setup>b7-M277 LaserJet, LightleakCustom, NTGR_VMB_9265170951, MySpectrumWiFi8c-2G, Harwoods 5G-1, CenturyLink2739-Guest, Harwoods, NETGEAR-Guest Essex, CenturyLink2739, SpectrumSetup-D8, 36787B-2.4, TammysWifi, Brenna 2G, WIFIF741BE, MySpectrumWiFi38-2G, ARRIS-5855-5G, ARLO_VMB_8909912109]
[2023-05-15 14:38:03] [ExploitFragment] Wi-Fi scan performed
[2023-05-15 14:38:05] [ExploitFragment] Wi-Fi scan results: [REMOVED, REMOVED, WIFIC6B4B0, NETGEAR19, SpectrumSetup-CF, MySpectrumWiFid0-2G, LightleakCustom, 013, NTGR_VMB_9265170951, SpectrumSetup-CF, WIFIF741BE, MySpectrumWiFi38-2G, ARRIS-5855-5G, ARRIS-5855, ARLO_VMB_8909912109]
[2023-05-15 14:38:06] [ExploitFragment] Wi-Fi scan performed
[2023-05-15 14:38:09] [ExploitFragment] Wi-Fi scan results: [REMOVED, REMOVED, WIFIC6B4B0, Poohbear0716-2.4, o_brother, Bohland, SpectrumSetup-CF, Nulls2021, MySpectrumWiFid0-2G, LightleakIdle, SpectrumSetup-86, NTGR_VMB_9265170951, SpectrumSetup-CF, MySpectrumWiFi8c-2G, SpectrumSetup-DB, CenturyLink2739-Guest, CenturyLink2739, SpectrumSetup-D8, MySpectrumWiFi70-2G, MySpectrumWiFi38-2G, ARRIS-5855-5G, ChooChooPie, ARLO_VMB_8909912109]
[2023-05-15 14:38:09] [ExploitViewModel] Action OK
[2023-05-15 14:38:09] [ExploitFragment] State%: Action(done, Wait for CustomAP termination)
[2023-05-15 14:38:09] [ExploitViewModel] Action run: MessageAction(message_device_reboot)
[2023-05-15 14:38:09] [ExploitViewModel] Action OK
[2023-05-15 14:38:09] [ExploitViewModel] Action run: WorkStateAction(work_state_with_stager)
[2023-05-15 14:38:09] [ExploitViewModel] Action OK
[2023-05-15 14:38:09] [ExploitFragment] State+: Action(progress, Connect to smart device WiFi)
[2023-05-15 14:38:09] [ExploitViewModel] Action run: WiFiConnectAction(connect_default_2)
[2023-05-15 14:38:09] [ExploitFragment] Device new state: Configured to join CustomAP
[2023-05-15 14:38:09] [ExploitFragment] Wi-Fi scan performed
[2023-05-15 14:38:12] [ExploitFragment] Wi-Fi scan results: [REMOVED, REMOVED, WIFIC6B4B0, Alyson-2G, SpectrumSetup-CF, Nulls2021, MySpectrumWiFid0-2G, our_house, LightleakIdle, 013, NTGR_VMB_9265170951, SpectrumSetup-CF, MySpectrumWiFi8c-2G, SpectrumSetup-DB, Hembree, CenturyLink2739-Guest, SpectrumSetup-5D, CenturyLink2739, SpectrumSetup-D8, Brenna 2G, WIFIF741BE, MySpectrumWiFi38-2G, ARRIS-5855-5G, MySpectrumWiFi50-2G, ARLO_VMB_8909912109]
[2023-05-15 14:38:12] [ExploitFragment] Wi-Fi scan performed
[2023-05-15 14:38:15] [ExploitFragment] Wi-Fi scan results: [Wireless, REMOVED, REMOVED, moontide2-2.4, SpectrumSetup-60, WIFIC6B4B0, , o_brother, SpectrumSetup-68, Bohland, SpectrumSetup-CF, MySpectrumWiFid0-2G, LightleakIdle, NTGR_VMB_9265170951, MySpectrumWiFi8c-2G, Hembree, Harwoods 5G-1, Harwoods, NETGEAR-Guest Essex, CenturyLink2739, SpectrumSetup-D8, Brenna 2G, MySpectrumWiFi38-2G, ARRIS-5855-5G, ARRIS-5855, ARLO_VMB_8909912109]
[2023-05-15 14:38:15] [ExploitFragment] Wi-Fi scan performed
[2023-05-15 14:38:18] [ExploitFragment] Wi-Fi scan results: [REMOVED, REMOVED, MySpectrumWiFiCB-2G, SpectrumSetup-CF, MySpectrumWiFid0-2G, LightleakIdle, NTGR_VMB_9265170951, SpectrumSetup-CF, MySpectrumWiFi8c-2G, CenturyLink2739-Guest, CenturyLink2739, SpectrumSetup-D8, TammysWifi, WIFIF741BE, MySpectrumWiFi38-2G, ARRIS-5855, ARLO_VMB_8909912109]
[2023-05-15 14:38:18] [ExploitFragment] Wi-Fi scan performed
[2023-05-15 14:38:21] [ExploitFragment] Wi-Fi scan results: [REMOVED, REMOVED, MySpectrumWiFiCB-2G, WIFIC6B4B0, NETGEAR19, SpectrumSetup-CF, MySpectrumWiFid0-2G, HP-Setup>b7-M277 LaserJet, LightleakIdle, NTGR_VMB_9265170951, SpectrumSetup-CF, SpectrumSetup-DB, Hembree, Harwoods 5G-1, CenturyLink2739-Guest, SpectrumSetup-5D, CenturyLink2739, SpectrumSetup-D8, WIFIF741BE, CenturyLink3315, MySpectrumWiFi38-2G, ARRIS-5855, MySpectrumWiFi50-2G, ARLO_VMB_8909912109]
[2023-05-15 14:38:21] [ExploitFragment] Wi-Fi scan performed
[2023-05-15 14:38:24] [ExploitFragment] Wi-Fi scan results: [REMOVED, REMOVED, SmartLife-B179, WIFIC6B4B0, SpectrumSetup-CF, LightleakIdle, NTGR_VMB_9265170951, SpectrumSetup-CF, SpectrumSetup-DB, Hembree, SpectrumSetup-D8, 36787B-2.4, MySpectrumWiFi70-2G, MySpectrumWiFi38-2G, ARRIS-5855-5G, ARRIS-5855, MySpectrumWiFi50-2G, ARLO_VMB_8909912109]
[2023-05-15 14:38:24] [ExploitFragment] State+: Action(done, Found network: SmartLife-B179)
[2023-05-15 14:38:24] [ExploitFragment] State%: Action(done, Found network: SmartLife-B179)
[2023-05-15 14:38:24] [ExploitFragment] Wi-Fi connection attempt: SmartLife-B179 / null
[2023-05-15 14:38:28] [ExploitFragment] Wi-Fi changed: ssid=<unknown ssid>, rssi=-40
[2023-05-15 14:38:28] [ExploitFragment] IP addresses changed: 192.168.175.100/24 / 192.168.175.1
[2023-05-15 14:38:28] [ExploitFragment] Wi-Fi changed: ssid=<unknown ssid>, rssi=-40
[2023-05-15 14:38:28] [ExploitFragment] IP addresses changed: 192.168.175.100/24 / 192.168.175.1
[2023-05-15 14:38:28] [ExploitFragment] Wi-Fi changed: ssid=<unknown ssid>, rssi=-40
[2023-05-15 14:38:28] [ExploitFragment] Wi-Fi changed: ssid=<unknown ssid>, rssi=-40
[2023-05-15 14:38:29] [ExploitFragment] State+: Action(done, Connected: SmartLife-B179)
[2023-05-15 14:38:29] [ExploitFragment] State%: Action(done, Connected: SmartLife-B179)
[2023-05-15 14:38:29] [ExploitViewModel] Action OK
[2023-05-15 14:38:29] [ExploitFragment] State%: Action(done, Connect to smart device WiFi)
[2023-05-15 14:38:29] [ExploitFragment] State+: Action(progress, Establish connection with the device)
[2023-05-15 14:38:29] [ExploitViewModel] Action run: PingAction(ping_found_2)
[2023-05-15 14:38:31] [ExploitViewModel] Action OK
[2023-05-15 14:38:31] [ExploitFragment] State%: Action(done, Establish connection with the device)
[2023-05-15 14:38:31] [ExploitFragment] State+: Action(progress, Configure stager payload)
[2023-05-15 14:38:31] [ExploitViewModel] Action run: PacketAction(exploit_check)
[2023-05-15 14:38:31] [ExploitFragment] Wi-Fi changed: ssid=<unknown ssid>, rssi=-41
[2023-05-15 14:38:31] [ExploitFragment] Wi-Fi changed: ssid=<unknown ssid>, rssi=-41
[2023-05-15 14:38:31] [ExploitViewModel] Action OK
[2023-05-15 14:38:31] [ExploitFragment] State%: Action(done, Configure stager payload)
[2023-05-15 14:38:31] [ExploitFragment] State+: Action(progress, Check if device is exploitable)
[2023-05-15 14:38:31] [ExploitViewModel] Action run: PingAction(ping_found_3)
[2023-05-15 14:38:33] [ExploitViewModel] Action OK
[2023-05-15 14:38:33] [ExploitFragment] State%: Action(done, Check if device is exploitable)
[2023-05-15 14:38:33] [ExploitViewModel] Action run: MessageAction(message_exploitable)
[2023-05-15 14:38:34] [ExploitViewModel] Action OK
[2023-05-15 14:38:34] [ExploitFragment] State+: Action(progress, Open flash device)
[2023-05-15 14:38:34] [ExploitViewModel] Action run: PacketAction(ddev_open)
[2023-05-15 14:38:34] [ExploitViewModel] Action OK
[2023-05-15 14:38:34] [ExploitFragment] State%: Action(done, Open flash device)
[2023-05-15 14:38:34] [ExploitFragment] State+: Action(progress, Unprotect flash)
[2023-05-15 14:38:34] [ExploitViewModel] Action run: PacketAction(ddev_control)
[2023-05-15 14:38:34] [ExploitViewModel] Action OK
[2023-05-15 14:38:34] [ExploitFragment] State%: Action(done, Unprotect flash)
[2023-05-15 14:38:34] [ExploitFragment] State+: Action(progress, Check if device still responds)
[2023-05-15 14:38:34] [ExploitViewModel] Action run: PingAction(ping_found_4)
[2023-05-15 14:38:50] [ExploitFragment] State%: Action(error, Check if device still responds, kotlinx.coroutines.TimeoutCancellationException: Timed out waiting for 16000 ms)
[2023-05-15 14:38:50] [UIExtensionsKt] Error: The device doesn't respond to ping requests.
This usually means that an exploit is incompatible, making the device freeze instead of continuing running.
It can also mean that writing the payload didn't succeed, in which case you can try again.
Worst case scenario—I'll crack one of these open and dump the flash using UART if needed, but it would be pretty neat to avoid sacrificing a device and soldering.
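For triaging a log like the one above, this added example (not part of the original post or of the cloudcutter project) pairs each `Action run:` line with its outcome, times every step, and reports the failing step together with the last step that completed. The function name `triage` is hypothetical and the sample lines are a constructed, abridged copy of the log format shown here.

```python
import re
from datetime import datetime

# Constructed, abridged sample in the same line format as the log above.
SAMPLE = """\
[2023-05-15 14:38:31] [ExploitViewModel] Action run: PingAction(ping_found_3)
[2023-05-15 14:38:33] [ExploitViewModel] Action OK
[2023-05-15 14:38:34] [ExploitViewModel] Action run: PacketAction(ddev_open)
[2023-05-15 14:38:34] [ExploitViewModel] Action OK
[2023-05-15 14:38:34] [ExploitViewModel] Action run: PacketAction(ddev_control)
[2023-05-15 14:38:34] [ExploitViewModel] Action OK
[2023-05-15 14:38:34] [ExploitViewModel] Action run: PingAction(ping_found_4)
[2023-05-15 14:38:50] [ExploitFragment] State%: Action(error, Check if device still responds, kotlinx.coroutines.TimeoutCancellationException: Timed out waiting for 16000 ms)
[2023-05-15 14:38:50] [UIExtensionsKt] Error: The device doesn't respond to ping requests.
This usually means that an exploit is incompatible.
"""

LINE = re.compile(r"^\[(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\] \[([^\]]+)\] (.*)$")
RUN = re.compile(r"^Action run: (\w+)\((\w+)\)$")
ERR = re.compile(r"^State%: Action\(error, ([^,]+), (.*)\)$")

def triage(text):
    """Return (steps, failure); steps holds (kind, name, seconds, status)."""
    steps, current, failure = [], None, None
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:  # continuation of a multi-line message, no timestamp
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        msg = m.group(3)
        run, err = RUN.match(msg), ERR.match(msg)
        if run:
            current = (run.group(1), run.group(2), ts)
        elif msg == "Action OK" and current:
            secs = (ts - current[2]).total_seconds()
            steps.append((current[0], current[1], secs, "ok"))
            current = None
        elif err and current:
            secs = (ts - current[2]).total_seconds()
            last_ok = next((s[1] for s in reversed(steps) if s[3] == "ok"), None)
            steps.append((current[0], current[1], secs, "error"))
            failure = {"step": current[1], "label": err.group(1),
                       "reason": err.group(2), "last_ok": last_ok}
            current = None
    return steps, failure

if __name__ == "__main__":
    for step in triage(SAMPLE)[0]:
        print(step)
```
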