China. Some of my favorite things are from China. Technically, all my favorite things could be traced back to “Made in China”, but some of them are:

  1. Riot Games (VALORANT, League of Legends)
  2. CORSAK (music artist)
  3. My LED light

Let’s focus on the last one. Last year, I bought an LED light strip from Amazon. There’s a whole industry for it on the market, and you can find ones with varying features. This one, in particular, can be controlled via an app called “Magic Home Pro”, which comes with pretty cool features like candle-like lighting (if you need to set that romantic tone) and syncing with your music (highly inaccurate, works best with EDM songs).

LED lights from Amazon

I’ve been using it for a while now, and it’s been great. However, the incorrect music syncing bothered me a bit and I tried to reverse-engineer the app to send my custom requests to the light so that I could sync it with my Spotify (instead of having to rely on the app). Controlling the lights from my computer would be cool, right?

Unfortunately, neither the app nor the light has a documented API for me to use. The closest I came was a GitHub repository that reverse-engineered the protocol used by the app to communicate with the light. It did work, but I wanted to build my own version of it so that I could use it however I liked. Most repos required a Raspberry Pi, and in case you didn’t know, those are extremely hard to come by for the right price in the MENA region.

While monitoring the mobile app for any network requests I could reverse-engineer, I noticed a couple of weird TCP requests being sent to a few servers in China. Because the LED light runs on the local network, any request made to anything other than a local IP address (192.168.x.x) was suspicious. (The app seemingly doesn’t use any external resources either, so it was a bit concerning.)

Further attempts to reproduce these requests have failed.
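The "anything other than a local IP address" check, generalised a little as an added example (not code from the original post): it treats every RFC 1918 range plus loopback, link-local, multicast and limited broadcast as LAN-scoped, so device discovery traffic is not misread as egress. The capture lines are constructed in `tcpdump -nn` style; only 14.22.7.140 comes from the post, and the other addresses and all ports are made up.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample capture (tcpdump -nn style); only 14.22.7.140 is from the post.
SAMPLE = """\
12:00:01.100000 IP 192.168.1.23.40112 > 192.168.1.50.5577: Flags [P.], length 8
12:00:01.200000 IP 192.168.1.23.51000 > 255.255.255.255.48899: UDP, length 20
12:00:02.300000 IP 192.168.1.23.5353 > 224.0.0.251.5353: UDP, length 45
12:00:03.400000 IP 192.168.1.23.40200 > 14.22.7.140.80: Flags [P.], length 1056
12:00:03.900000 IP 14.22.7.140.80 > 192.168.1.23.40200: Flags [P.], length 310
"""

# src_ip.src_port > dst_ip.dst_port:
LINE = re.compile(r"IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+):")
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


def is_lan_scoped(addr: str) -> bool:
    """True for addresses that never leave the local network segment or site."""
    ip = ipaddress.ip_address(addr)
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip == LIMITED_BROADCAST)


def remote_endpoints(capture: str) -> Counter:
    """Count packets per off-LAN (ip, port) endpoint, in either direction."""
    hits = Counter()
    for line in capture.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not an IPv4 packet summary line
        src, sport, dst, dport = m.groups()
        for addr, port in ((src, sport), (dst, dport)):
            if not is_lan_scoped(addr):
                hits[(addr, int(port))] += 1
    return hits


if __name__ == "__main__":
    for (addr, port), packets in remote_endpoints(SAMPLE).items():
        print(f"off-LAN endpoint {addr}:{port} seen in {packets} packets")
```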

The first request was a POST to 14.22.7.140.

POST /rqd/async?aid=<UUID_V4_HERE> HTTP/1.1
wup_version: 3.0
secureSessionId: REDACTED_SZ
strategylastUpdateTime: 1550481301000
appVer: 1.9.3%28219%29
bundleId: com.zengge.wifi
sdkVer: 2.8.6
prodId: 956393cf2b
cmd: 840
platformId: 1
A37: WIFI
A38: WIFI
Content-Type: application/x-www-form-urlencoded
User-Agent: Dalvik/2.1.0 (Linux; U; Android 14; <MY ANDROID MODEL> Build/UP1A.230620.001)
Host: android.bugly.qq.com
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Length: 1056

a7 60 e3 2a e9 08 af d8  4f 48 10 8a 0a 60 51 db  .`.*.... OH...`Q.
c7 09 3e c6 52 67 8d c9  5c 7e 3a 0d 81 58 35 36  ..>.Rg.. \~:..X56
83 9e 90 b3 cb 07 b5 28  66 6d bf b7 f5 62 7a 81  .......( fm...bz.
49 0e 2f 6b 46 ec e1 d6  4d 99 36 02 09 21 27 01  I./kF... M.6..!'.
... 60 more lines

The POST body and response were gibberish (probably encrypted; if anyone knows how to make sense of it, please let me know).
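A quick way to triage a body like this, as an added example that is not part of the original post: the request declares `Content-Type: application/x-www-form-urlencoded`, so the script checks whether the bytes look like text, carry a known compression header, or are opaque. `BODY_PREFIX` is the 64 bytes shown in the capture; `FORM_SAMPLE` is a constructed comparison body. High entropy on a 64-byte sample cannot separate encryption from headerless compression, it only rules out plain form data.

```python
import math
from collections import Counter

# First 64 bytes of the POST body, copied from the hex dump in the capture above.
BODY_PREFIX = bytes.fromhex(
    "a760e32ae908afd84f48108a0a6051db"
    "c7093ec652678dc95c7e3a0d81583536"
    "839e90b3cb07b528666dbfb7f5627a81"
    "490e2f6b46ece1d64d99360209212701"
)
# Constructed sample of what a real form-urlencoded body would look like.
FORM_SAMPLE = b"aid=constructed-id&model=example-phone&os=android14&net=WIFI"

# Leading bytes of common compressed containers.
MAGIC = {b"\x1f\x8b": "gzip", b"PK\x03\x04": "zip",
         b"\x78\x01": "zlib", b"\x78\x9c": "zlib", b"\x78\xda": "zlib"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; cannot exceed log2(len(data)) on short samples."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage(body: bytes) -> dict:
    magic = next((name for sig, name in MAGIC.items() if body.startswith(sig)), None)
    printable = sum(0x20 <= b <= 0x7E for b in body) / len(body)
    entropy = shannon_entropy(body)
    ceiling = math.log2(min(len(body), 256))  # best possible for this sample size
    if printable > 0.95:
        verdict = "text, consistent with form-urlencoded"
    elif magic:
        verdict = f"compressed container ({magic})"
    elif entropy / ceiling > 0.9:
        verdict = "opaque binary: encrypted or headerless compression"
    else:
        verdict = "structured binary"
    return {"magic": magic, "printable": round(printable, 3),
            "entropy": round(entropy, 3), "verdict": verdict}


if __name__ == "__main__":
    print(triage(BODY_PREFIX))
    print(triage(FORM_SAMPLE))
```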

Let’s focus on a few things here.

The bundleId is com.zengge.wifi. Zengge is a company that makes LED lights among other smart home devices. On the LED market, I’d say they’re a bit more premium than the rest. According to their website, they are a supposedly renowned brand, even used by Walmart in China. A Facebook page reads [sic]:

ZENGGE Co., Ltd is a world’s leading smart light bulb and controller enterprise which locates in Shenzhen China and established in 2008.

The Magic Home Pro app (and my LED) is also made by Zengge, which would explain the bundleId.

The User-Agent reads “Dalvik”. A quick search shows that Dalvik is a discontinued VM for Android, last used in Android 4.4. This, again, is weird because according to the Play Store, the app was released in late 2016, which would mean it should be using ART (the successor of Dalvik).

A WHOIS for the address 14.22.7.140 shows:

ISP          ChinaNet Guangdong Province Network
Hostname     android.bugly.qq.com
Domain Name  chinatelecom.com.cn
Country      China
City         Guangzhou, Guangdong

And here we see android.bugly.qq.com once again.

Tencent QQ (Chinese: 腾讯QQ), also known as QQ (qq.com), is an instant messaging software service and web portal developed by the Chinese technology company Tencent. QQ offers services that provide online social games, music, shopping, microblogging, movies, and group and voice chat software. As of March 2023, there were 597 million monthly active QQ accounts. (Wikipedia)

Visiting bugly.qq.com, I managed to understand the website contents because of Duolingo (and Google Translate). The website reads:

A pleasant way to develop

Tencent Bugly provides mobile developers with professional exception reporting and operation statistics, helping developers quickly discover and resolve exceptions, while also grasping product operation dynamics and following up on user feedback in a timely manner.


Turns out, it was a crash-reporting service.

Overkill for an app that controls your LED lights, but at least it’s for a valid reason (hopefully).

What I do love about Bugly is its detailed Privacy Policy, which is unlike any Privacy Policy I’ve ever seen, most of them consisting of layers of legalese and eighteenth-century English. It includes a table of data that it collects from devices and how it uses them, such as the phone model, whether the device is rooted or not, and the network - standard requirements for a crash reporting service. Even the Android permissions requested by the app are listed in the Privacy Policy, probably due to Chinese regulations.

What’s interesting is this part:

(3) According to the provisions of laws and regulations, the following are exceptions to which user consent is required:

  1. In order to respond to public health emergencies, or necessary to protect the life, health and property safety of end users in emergencies;

  4. Carry out news reporting, public opinion supervision and other activities for the public interest, and process the personal information of end users within a reasonable scope;

A bit excessive for a crash reporting service, no?