Saturday 30 November 2019

Hacking smart plugs for fun and profit

Smarter, the smart way...

You'd like your home to be a bit smarter without spending a ton of money, and you don't like having to trust an unnamed third-party company with your data and, more importantly, with access to things that can trigger kinetic actions in your household.

Chinese company Itead is the maker of the well known Sonoff devices (not to be confused with audio gear from Sonos). They have a vast range of WiFi-controlled relays in various formats and sizes - overall very cool stuff. There is a really nice video on YouTube that will give you a better idea of what I mean by this.
One of the best parts of Sonoff devices is that they use the ESP8266 as the main driver chip and attach relays to it, so being ESP8266 based they are very hackable! That's just what we need!

These days, Itead and others are making smart devices using the same tested pattern and rebranding them under hundreds of names. On Amazon you will find various devices using the same management app (usually eWeLink or Smart Life), which means OEM devices - good for us!

NOTE:
Since 2019 more and more devices are switching from ESP82xx to Realtek chips - the OEM ecosystem is also a curse. For example, in 2018 I bought a Teckin SP27 smart plug and it worked perfectly... I bought some SP27 and SP23 this week and they run Realtek, so DO NOT BUY those if you want to reflash :-)

What works? I got this set and as of late November 2019 it was still ESP82xx based. Others reported at the same time that it was also working for them. Basically it depends on which batch you get and a bit of luck :-)


If it works, why change it?

I like hacking and automating things, but I don't like sharing my data with random companies. When you run an off-the-shelf smart plug or switch, integrating it with Alexa means creating a trust relationship between the Amazon ecosystem and whoever runs the cloud backend for your plug.

We have two issues here: someone else runs the system that can tell your plug to turn on (kettle, lights, etc.), and it's invisible to you - that layer is magic; as far as you know it may well not exist at all... but the same layer links to your Alexa or Google Home, and there's a trust relationship between them. I won't speculate on data sharing; let's stick to the facts.

One of my main goals was to integrate my smart plugs and switches with some sort of home automation (more on that in the next post, soon). I don't have massive ambitions here, but I want to use this with or without internet access, so if it requires the cloud to work, it's a non-starter for me.

Meet Tasmota!

Tasmota is an open source firmware for ESP8266-based smart plugs/switches. It is very mature and extremely powerful! Here are just some of its features:

  • MQTT support
  • HTTP support - effectively a simple RESTful API
  • OTA firmware updates - directly from Internet or local network
  • Remote logging (syslog)
  • Ability to attach additional sensors - some devices have them, some will accept simple mods
  • Device templates - pre-set configurations for various branded devices; there's a good chance that at least one will work with your clone!

Let's get flashing

You will need a Linux machine (Debian/Ubuntu is the easiest and fully supported), a WiFi adapter that you can put into AP mode (the USB dongles for the Raspberry Pi usually work well, as long as they are not Realtek based) and the tuya-convert software.

Clone the software from GitHub and edit the config file to set the name of your WiFi interface (the one that will be the AP). Depending on which fork of tuya-convert you use, the WiFi may be either password protected or wide open, but that's a separate issue...

Here's how it goes (run all operations below as root):
  1. Run start_flash.sh
  2. If you get a message that systemd is getting in the way, respond Y to the question(s) and you will get to a numbered list of tasks - almost ready!
  3. Connect another device to this WiFi - you will get an IP address from DHCP and, on mobile devices, a hotspot login screen - leave it there, that's all.
  4. At this point it helps to open another terminal session and run screen -r smarthack-web to see if the process goes as planned; if at any point you see the message

    WARNING: it appears this device does not use an ESP82xx and therefore cannot install ESP based firmware

    then you are out of luck - most likely your plug uses a Realtek chip - sorry.
  5. Power up the plug; after approximately 3 sec press the plug button once - you hear a click and it lights up - good
  6. Press and hold the button again for approximately 5 sec, until the LED goes off - at this point release it... a few seconds later the LED will be flashing fast (2x/sec) - you are in smart programming mode
  7. Hit ENTER in the tuya-convert main window... sit back and relax :-P
At this stage the plug listens for a broadcast carrying the WiFi name and password, joins that WiFi and tries to register with the Smart Life app via the fake cloud server provided by tuya-convert. The plug is then told to load new software from the web (tuya-convert again) and, once this is done, the original firmware is downloaded from the plug and saved to a file. Once all that is done, the main screen asks if you want to flash another one... HOLD IT HERE!

Open another terminal (a regular user will do) and run curl http://10.42.42.42/flash2 to change the bootloader (or curl http://10.42.42.42/undo to abort flashing and revert to the stock firmware), then curl http://10.42.42.42/flash3 to write Tasmota permanently into the plug. A few seconds after hitting /flash3 you will see the web server sending a file called thirdparty.bin, which is the Tasmota binary.

Please also note that 10.42.42.42 is the IP usually assigned to the plug, but it may be different. You can resume the smarthack-wifi screen session to see which IP is assigned in your case.

Once the plug reboots it's up and good to go - it will start in AP mode, so find the open network called sonoff-xxxx and connect to it, configure your WiFi name and password, and the plug will reboot and join that network.

Once you're done with all the plugs, there's a separate script to stop the AP from running.

What's next?

Check your router logs to see what IP the plug got, open that IP in a web browser and hit the TOGGLE button to hear whether the plug clicks. If it doesn't, then it doesn't work at all yet - you will want to check which ready-made template will work.

The first thing I usually do is update the firmware by going to Firmware Upgrade and using the default URL that is already there.

If you bought the same set as I did, go to Configuration --> Configure Module and use the Module Type dropdown to set BlitzWolf SHP (45). The plug will reboot, reconnect to WiFi and TOGGLE should work... and to my surprise, this plug also has power monitoring, so when I plug something into it and turn it on, I get this:


Now... explore the menus, thinking cap on, read the Tasmota docs... because what it can do is quite spectacular - a separate post for sure.
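The same steps can be driven from a script instead of the web UI. Here is an added example (not code from the post, nor part of Tasmota or tuya-convert) that uses Tasmota's HTTP command endpoint, /cm?cmnd=<command>, which answers in JSON: it selects module 45, toggles the relay and reads the ENERGY block that power-monitoring modules report. The IP is a placeholder and the replies at the bottom are constructed stand-ins so the file runs without a plug.

```python
import json
import time
from urllib.parse import quote
from urllib.request import urlopen

def command_url(ip, cmnd):
    # Tasmota runs any console command sent as /cm?cmnd=<url-encoded command>
    return f"http://{ip}/cm?cmnd={quote(cmnd)}"

def send(ip, cmnd, fetch=None):
    # `fetch` is injected so the logic can run without a plug; default is a real GET
    fetch = fetch or (lambda url: urlopen(url, timeout=5).read())
    return json.loads(fetch(command_url(ip, cmnd)))

def relay_state(reply):
    # Power commands answer {"POWER": "ON"} or {"POWER": "OFF"}
    return reply.get("POWER")

def energy_readings(reply):
    # ENERGY block of a `Status 8` reply; None means the selected module
    # reports no power monitoring, which is how a wrong template shows up
    energy = reply.get("StatusSNS", {}).get("ENERGY")
    if energy is None:
        return None
    return {k: energy.get(k) for k in ("Power", "Voltage", "Current", "Total")}

def configure_and_check(ip, fetch=None, reboot_wait=10):
    # The post's sequence: module 45 (BlitzWolf SHP), wait for the reboot,
    # toggle the relay, then read the energy data
    send(ip, "Module 45", fetch)
    time.sleep(reboot_wait)  # the plug restarts after a module change
    state = relay_state(send(ip, "Power TOGGLE", fetch))
    return state, energy_readings(send(ip, "Status 8", fetch))

# Constructed replies standing in for a real plug so the file runs offline.
FAKE_REPLIES = {
    "Module 45": {"Module": {"45": "BlitzWolf SHP"}},
    "Power TOGGLE": {"POWER": "ON"},
    "Status 8": {"StatusSNS": {"ENERGY": {"Total": 0.012, "Power": 14,
                                           "Voltage": 232, "Current": 0.061}}},
}

def fake_fetch(url):
    cmnd = next(c for c in FAKE_REPLIES if url.endswith(quote(c)))
    return json.dumps(FAKE_REPLIES[cmnd]).encode()

if __name__ == "__main__":  # placeholder IP; with fake_fetch nothing is contacted
    print(configure_and_check("192.168.1.50", fetch=fake_fetch, reboot_wait=0))
```

Against a real plug, drop the fetch argument and pass the address from your router's DHCP log; a None energy result means the chosen module template has no power monitoring.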

Final note

Standard disclaimers of "works for me" and "do it at your own risk" apply.
