Aercus WeatherSleuth Weatherstation / MQTT / Security thoughts

I recently got my hands on an Aercus Weathersleuth Weatherstation. This is a fairly nice piece of kit.

One of its benefits is it can talk to the internet or an arbitrary server. A bit of poking around revealed it communicates by way of an HTTP post request which looks as follows –


On the back of this I wrote a trivial script (which does not yet do authentication) –


# Script to take data from Aecus weather station and convert to MQTT

# Stations is an array which defines the devices we accept.
# Format of each sub-array is “Name”,”Password”,”IP address”

# This script requires php-mqtt – see
# Acquired with “composer require php-mqtt/client”


$mqttserver = ‘MQTTSERVER’;
$mqttport = 1883;
$mqttClientID = ‘WeatherStnToMQTT01’;
$mqtttopic = ‘WeatherStation’;

# List of attributes not to send to MQTT
$DontPublish = array (‘ID’,’PASSWORD’);

require_once ‘vendor/autoload.php’;

$mqtt = new \PhpMqtt\Client\MQTTClient($mqttserver,$mqttport,$mqttClientID);


# Clean up array
# $key=array_search(‘ID’,$PostedVals);

echo “<hr />”;

foreach ($PostedVals as $PostKey=>$PostVal)
# Ignore the following keys:
if (!in_array($PostKey,$DontPublish))



This script needs to be placed in (documentroot)/weatherstation/updateweatherstation.php – and (from the same path” composer require php-mqtt/client” needs to be run to install the MQTT library


On the version I got – software version 2.1 The security on this device is pretty much non-existent.  The web interface for the device can be accessed without a username or password, and telnet access username and password are both, by default admin.   Communication takes place on http (no obvious option for https).    The password to the publish to the webserver is sent as part of a request which will turn up in the servers log files. 

I guess publishing this to a local server at least means that to access the url someone needs to have breached the local network.  

TZT AT89C2051 Digital LED Display 4 Bits Electronic Clock Electronic Production Suite DIY Kit 0.56 Inch Red Two Alarm Programming / Instruction

I purchased a kit-set clock/alarm kit for my kids to build to learn to solder. Unfortunately, while it came with soldering instructions (which it didn’t need), it did not come with programming instructions and the supplier is no more. Below are partial instructions I’ve discovered through the web and playing around.

The clock has 2 buttons – S1 and S2.

Clicking S2 cycles through different settings A-I. When you click S2 the left digit on the screen represents A,B (8), C, D (0), E,F,G,H and I

Clicking S1 then cycles through the options for that setting. The corresponding settings are roughly (and slightly incorrectly still) –

A = Clock Hour

B = Clock Minute

C = Beep on hour ?

D = Supposedly Alarm 2 On/Off ??? I think this is wrong. I suspect it is Alarm 1 On/Off

E = Alarm 1 Hour

F = Alarm 1 Minute

G = Alarm 2 On/Off ??? This makes sense I think

H = Alarm 2 Hour ?

I = Alarm 2 Minute ?

Owners Manual for ProRunner 310R Motorized Treadmill

I purchased said Treadmill from Torpedo 7 a few months ago, and the manual has been sitting around the machine, looking ugly. As its only 16 pages, black and white, I cant be bothered finding a place to keep it. (It would make my library of exercise machinery manuals to large), so I’ve digitized a copy for myself.

I have emailed Torpedo 7 confirming I am OK to redistribute this work for free. ( I doubt this is an issue as they have not asserted copyright, so hopefully we are helping each other)

The manual number is 4130K3-90004-1400, and can be found here.

Dissecting a cheap Time Release Lock

Some months ago I acquired a dead-on-arrival time release lock – the type that typically sells on Aliexpress and eBay for about US$20, appropriately described as “Multipurpose Time Lock” but more commonly “Fetish Electronic Timer” or, in the type of English unique to China “Adult Game Fetish Handcuffs”. Unfortunately there does not seem to be a lot of choice if you want an inexpensive electronically controlled time-release lock.

The issue with the unit I got my hands on was clearly a dead battery – as best I can tell the unit contains a small lithium polymer battery which must have been sitting in a state of discharge in a warehouse somewhere causing permanent damage – it no longer held charge.

As there were no apparent screws, I took to the unit with a thin screwdriver and excessive force. I record my discovery for creative soles who wish to either repair or modify one of these units – or even for those just curious as to how they are constructed. As a picture is worth 1k words, here is the 3k version –

Exposed Time release Lock

My observations are as follows –

I could almost certainly have opened the lock without damaging brute-force had I known to peal the back the black frame surrounding the display. This would have revealed the 2 screws which were used to hold the unit together (I went in through the top of the unit where the cable fits in, and leveraged the unit apart with a screwdriver – breaking the lock in the process.

Similarly there are 4 small screws holding the circuit board to the frame. 3 screws are fairly apparent but I missed the fourth one which was hiding behind the tangle of wires to the bottom left of the unit. As lock was already dead, I used brute force again!

The battery is labelled as XC401020, 3.7 55mAh – so a 55mAh 3.7 volt battery. I’m not sure that there is place internally for a larger battery, but as its 3.7 volts I expect with some creativity it might be possible to jerry-rig a larger external unit if you can secure it properly. As far as replacement of the existing battery goes, a search for 401020 on Aliexpress revealed a plethora of replacement batteries starting at about US$5 including shipping and very quickly rising in price to a almost the replacement price of the lock.

NOTE THAT THIS PARAGRAPH IS SPECULATION. DO NOT RELY ON ANYTHING IN IT WITHOUT FIRST SATISFYING YOURSELF THAT IT IS CORRECT (corrections and confirmations welcome) – The core of the locking mechanism is a simple high torque motor with a rectangular shaped piece on the end. When this piece lies horizontally the lock is closed. When it is vertical the motor is open. When powered (looking from the top as per below image) the motor spins clockwise. This configuration does not appear to be a “fail open” arrangement I would have expected in this type of device- ie if the motor stops in the wrong position the lock will not be able to be opened without opening it or getting the motor to move. Conversely I posit ( As my unit is now totally destroyed I can’t test) it would be practical to modify the lock to self-release at the end of the lockout period by using an elastic band wrapped around the button to push it in automatically. In this instance it would still require force on the chain to remove it from the lock.

The below image shows the motor and screw holes once the front plate is disassembled.


Removed face-plate and top view of motor.

DIY IOT Heated Towel Rail Timer

In order to save electricity I made a heated towel rail timer, and, because its 2019, made it controllable through a web page available on my home network. This project cost less then half the price of a basic timer. Here is how I did it and how you can leverage my experience and avoid some pitfalls. NOTE THIS PROJECT USES MAINS VOLTAGES, COULD BE DANGEROUS AND MAY NOT BE LEGAL TO IMPLEMENT IN YOUR COUNTRY.

The heart of the project is a Sonoff Basic – which comprises of an ESP8266 micro-controller with its 802.11n WIFI, some power handling circuitry and a relay. It nominally takes 2 wires in with mains voltage (ie live & neutral) and turns on/off the output depending on its program. I purchased a couple of these units from Ali-express for around US$5 each. I also purchased an FT232RL controller for about US$1.50 to program them.

There are a number of instructions on wiring and programming the SonOff using the Arduino platform online, and this is what I followed. I followed an instruction at which worked well, although my board layout was slightly different, and I elected to use a male rather then female header on the board, and did not bother with the switch.

Here is a picture of my board, hooked up to the FT232RL controller –

The next step was upgrading my version of Arduino platform to 1.8.9 and adding the ESP8266 libraries. (The Sonoff presents as a generic ESP8266 board).

I decided I wanted my towel rail to, by default, turn on for 30 minutes and off for 90, always turning on at startup so that it could easily be used manually. Integrating this with the simple ESP8266 was a bit of a challenge, and not ideal, but the following solution works well for me:

  Rui Santos
  Complete project details at  
  Modifyed by DavidGo to work as a controllable monostable vibrator.

#include <ESP8266WiFi.h>
#include <WiFiClient.h>
#include <ESP8266WebServer.h>
#include <ESP8266mDNS.h>

MDNSResponder mdns;

// Replace with your network credentials
const char* ssid = "SSID";
const char* password = "PASSWORD;

// Duty cycles in seconds
int timeon = 60;
int timeoff = 120;
// 100 - centiseconds taken to process web server
int processwait = 10;

ESP8266WebServer server(80);

// String webPage = "";
// int dgstatus = 0;

int gpio13Led = 13;
int gpio12Relay = 12;

void setup(void){

  // preparing GPIOs
  pinMode(gpio13Led, OUTPUT);
  pinMode(gpio12Relay, OUTPUT);

  WiFi.begin(ssid, password);

  // Wait for connection
  while (WiFi.status() != WL_CONNECTED) {
  Serial.print("Connected to ");
  Serial.print("IP address: ");

  if (mdns.begin("esp8266", WiFi.localIP())) {
    Serial.println("MDNS responder started");

  server.on("/", [](){
    server.send(200, "text/html", ShowStatus());

  server.on("/on", [](){
    server.send(200, "text/html", ShowStatus());
  server.on("/off", [](){
    server.send(200, "text/html", ShowStatus());
  Serial.println("HTTP server started");

void loop(void){

  for ( int i=1; i<timeon*100; i++)

  for ( int i=1; i<timeoff*100; i++)


After extensive tweeking and testing, I was ready to install this behind my heated towel rail. Surprisingly this turned out to be the hardest part of the project.

One step not mentioned above is going into my router and assigning the SonOff a static IP address. This allows me to go to the HTTP webpage, view its status, turn it on and off and modify the on/off duty cycle. Of-course, less sophisticated users can simply turn the device off and on again to restart it with an on time of 30 minutes.

FIRST OFF, MAKE SURE TO TURN OFF THE MAINS POWER BEFORE DOING THIS. Also be cognizant that you are working in a bathroom and water and electricity do play nicely together.

The Sonoff is fairly big, and was very difficult to mount behind the faceplate. Were I to do this again, I would ensure longer leads on both sides of the device to give it more play.

I also added a pilot indicator light (which I also bought from Ali Express. The nice thing was that this was 10mm round, so easy enough to install on the faceplate. The negatives are (a) It is aa green light, but look yellow when on, (b) is quite deep, and I did not take this into account when mounting it in the faceplate – I had to mount the faceplate upside-down as I did not want to drill through tile.

My final project looks as follows:

Free Roundcube Skin

I am quite used to the “Larry” Roundcube skin, and did not find the default theme to be as comfortable to use – however I have 2 mail boxes which I want to keep separate, but still use with Roundcube.   Looking for alternative themes did not yield an awful lot of options, and the ones which were available were either extremely overpriced or just did not work right.

So I went down a small rabbit hole – cloning the “Larry Skin” and then modifying it.   This worked – sort of.   After a frustratingly large amount of time I realised that (a) Larry appears to be special and the plugins have specific support for that skin – which are not available to modified versions of the larry skin without a lot of fiddling and (b) Roundcube supports child themes – so the solution is to make a child theme with just my modifications and link it to the Larry theme – which allows my plethora of plugins to continue to work – and would seem to substantially future proof it.

The documentation is fairly clear on how to extend a theme, but a few trivial gotchas – “Purple Larry” can be used to expose pretty close to the minimal set of changes required to make a child theme.

Anyone is welcome to use my extended skin (theme?) for free – just download it and extract it to the Roundcube skins directory.



Oneplus 3 Nougat with R/W System

I recently upgraded my Oneplus 3 to OxygenOS 4.0.3 – which runs Android 7.0.

I discovered that I could no longer write to the hosts file to do ad blocking and this was driving me crazy, so I set about changing the OS to allow me to do this – it required a single letter tweak to a file – but, unfortunately this file is embedded in the heart of the ROM.   Other then tweeking the fstab file in the initial ramdisk image to mount /system rw I have made no changes to the source code.  (Of-course, it is possible that when I repackaged this I did something slightly wrong, being that I’ve never done this before)

Subsequent to installing this file (and SuperSu, of-course), Adaway again happily does its thing and adverts have vanished.

I am uncertain of the security implications of allowing /system to be rw – but I am sure its less of a frustration then being bombarded with adverts (and, come to think of it, it must be safer as well).  I wrote a question on android.stackexchange, which suggests the threat is not that great – certainly less then the alternative hack I came up with which required disabling selinux.

If anyone wants it, they can download it here. This file has an md5 sum of 0729ae4ba8d30ccf2a5ec0982021abb6  and a sha512 sum of e8c8e4bdbe960cfcbd0ce564710144bfac8ba663de6fd9df8a858a567f7317309bf6bad5645142feede6ae8741a5b3eaced2c4fd1214fdc6476d808f4f9b1dd9. Its a drop-in replacement for from the OnePlus 3 website.  I expect it is smaller then the Oneplus 3 file because of different zip file compression ?  The file is about 1.5 gigs compressed.  Usage is, of-course, at your own risk.  If you brick your device, don’t come running to me.  The only guarantee I make is that I flashed this firmware on my system and it behaved as expected.

Resolving shared WordPress Email issue

I like using a database to directly drive my virtual webhosting – this means that each account on the system has a UID and GID, but no username associated with it (ie in /etc/passwd or getent passwd)

Because of this, when users try and send an email in WordPress (eg to reset their password), WordPress does not send the message, complaining “Possible reason: your host may have disabled the mail() function.”

The underlying cause of the problem can be found by looking at the Postfix mail Logs – where you get errors like “fatal: no login name found for user ID XXXX

Fixing this problem – without relying on WordPress plugins or tweeks is simple – modify the php.ini file apache is using by adding the following line:

sendmail_path = /usr/sbin/sendmail -t -i


Hangsun S80 Lamp

I purchased one of these lamps in 2016.  Below details my findings and some help to others (maybe).

The product is not good at all – indeed if returning it were a practical option I would – but because I live down-under, shipping costs make this prohibitive – so I’ve tried to make the best I can.

Problems I encountered –

I could not download the Android App, no matter how hard I tried – I assume this is because of country restrictions set by the developer.   Luckily, I reached out to them, and they responded, and they responded with a QR code to download the app (not sure if this is a different one to the one on the base of the unit and manual, or if they updated there permissions), but here it is:

QR Code

As this file appears to not be valid anymore – here is a copy of the APK.

This app seems to work a lot better then the IPad app I previously needed to use – specifically it fixes a bug where you could not set maximum brightness on the lamp, and has a cleaner interface.

The display

The display on the unit is backlit – and the backlighting only comes on when you are interacting with it – it is also blindingly bright white light – particularly in a dark room.   This means that you can’t simply look over at the clock to see its 3am.    I greatly greatly reduced this issue by adding a small red LED to the back-light (in conjunction with a 150 ohm resistor, which I attached to the top and bottom pins of the conveniently located CON6 connector to the left of the display board).   This allows me to read the light without having to turn it off.    Next time I open the unit, I intend to disconnect one of the 2 white LEDs which power the backlighting.  (Its not possible to simply replace one of these with a red LED, as they are merged into the display).

The hardware

Although very, very let down by the software, the hardware appears to be OK – although it is all plastic.  The design appears to be modular and thus somewhat hackable.

One confusing and disappointing thing though is the maximum lamp voltage is supposedly 6 watts (according to the package this is the size of the replacement lamp, and according to an email from them this is the maximum size).   The problem with this theory is that the lamp included is a 7 watt warm white dimmable LED.    While more-or-less adequate, its not fantastic, and certainly not as good as my previous jerry-rigged system which used the equivalent of a 100 watt CFL bright white light.

Other notes and letdowns

The promotional video seems to imply you can program a significant number of on-off events – this is incorrect – you are limited to a maximum of 2 events.  You can not specify which days, although you can turn the alarm on and off manually – this is nowhere near as convenient as a 7 day timer for example.

You can’t have the light come on  without an alarm – the alarm level can be set to low, but not off.  This is irritating.  I intend to install a switch so I can disconnect the speaker.

The light seems to turn on at random times – but without sound.  Interestingly this has stopped after I unplugged the unit for an extended period out of frustration of it coming on in the middle of the night.

On my unit, you can’t output sound over Bluetooth to the device.  (You are supposed to be able to do this according to the manual).  Not sure why this is, the unit is paired, just no sound output, regardless of volume!

The amazon  account has a number of 5 star reviews – if you look at the reviewers though, they are all (as of the time of this post) shills, having all posted exactly 2 reviews on the same 2 products.   The other reviews stand at 1 – except for mine, which I need to upgrade to 2 (I’m doing  that as part of a deal I’ve done with them to get the QR code and confirmation of the maximum wattage – and to be honest, the unit is kinda useable)

BD-F6500 region free upgrade – Firmware 1010 / 1017 note

In case anyone has the same issue –

A few months ago I purchased a SamsungBD-F6500 from Noel Leemings (A whiteware retailer in New Zealand).   A few days ago, we purchased some DVDs which were “region 2” and would not play on our NZ/AU – region 4 player(s).

I attempted to region unlock the DVD using the method on the Internet, ie Start the DVD player, open and close [empty] dvd drive, press repeat, enter in “7 6 8 8 4“, then “9” for region free.   This failed to work a number of times.

With nothing to loose I upgraded the firmware to 1017, and was able to unlock the drive using the above process without issue on the first attempt.

(Of-course, friends who download their content using filesharing networks don’t have these issues – and the media industry wonder why movie piracy is so common ?)