Hardware hack: Liberating a Chinese Power Plug
Cheap IoT devices like power plugs are mostly manufactured in China. They connect to “bridging” servers we don’t really have control over, they are usually not documented and those required “bridging” services may fail or even be terminated at any time. Which would of course render your (or my) “smart” power plugs useless. Time to do something about it.
A word of caution: I flashed the first devices with line power connected. That’s not a good idea. Always disconnect the “smart plug” from power when the case is open. Always power the chip from your development setup. You have been warned.
I bought a number of cheap “Wifi Mini Socket Outlets” from Amazon and they are easy to install and integrate beautifully. Without going into details (can be found here) all connected devices need a “bridge” server that connects your devices to Amazon’s “Alexa” service. The user doesn’t know what server that is, who is running it and where it is located. I guess most people don’t care. It works – and that’s that. But I am a bit different. I want to rely as little on “foreign” (as in .. not mine) technology as possible. I can’t, for the time being, circumvent a third party voice recognition (though Mozilla is getting close to an open source solution), so “Alexa” (or something else) is a given. But I want to run my own “bridge” servers – and that’s why I had to develop my own devices and .. well .. that’s why I “liberated” that poor little “Wifi Mini Socket Outlet”.
It took one screw and some un-snapping to get the plug open. Inside I found the usual power supply, the relay and an ESP-12, which is a CE certified ESP8266 WiFi chip. I worked on those little buggers over the last weeks, so I thought I knew all about it and was able to proceed swiftly. Well – it turned out to be a bit of an adventure.
I hooked the test-clamps to rx0, tx0 and ground to the Serial-USB converter but all I got was some hieroglyphics on boot (of the plug) – a sure sign of a wrong baud rate. But what baud rate would I need? Google delivered the answer: 77400. Weird.
And of course – all Linux terminal programs (to connect to a serial device) support only the “usual” standard system baud rates. And 77400 is NOT standard. But nothing beats experience. I hacked a small “C” utility program utilizing the “BOTHER” flag for “c_cflag” to set the baud rate I wanted. And voila – the unit was talking to me. I couldn’t talk to the unit and the unit wasn’t sending any useful data – so I went ahead with the next step: Getting ready for flashing.
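The non-standard rate problem described above is handled on Linux through the termios2 interface. The following is an added example, not the author's utility: it sets an arbitrary line speed with BOTHER and dumps whatever the device sends. The function names and the command-line form (tty path and rate as arguments, for instance an assumed /dev/ttyUSB0) are assumptions.

```c
/* Added example: non-standard serial speed on Linux via termios2 + BOTHER. */
#include <asm/termbits.h>  /* struct termios2, BOTHER, CBAUD; do not mix with <termios.h> */
#include <sys/ioctl.h>     /* ioctl(), TCGETS2, TCSETS2 */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Pure helper: rewrite a termios2 for raw 8N1 at an arbitrary speed. */
static void set_custom_baud(struct termios2 *t, unsigned int baud)
{
    t->c_cflag &= ~(CBAUD | CIBAUD | CSIZE | PARENB | CSTOPB | CRTSCTS);
    t->c_cflag |= BOTHER | CS8 | CLOCAL | CREAD;  /* BOTHER: take speed from c_ispeed/c_ospeed */
    t->c_iflag = t->c_oflag = t->c_lflag = 0;     /* raw mode: no translation, no echo */
    t->c_ispeed = baud;
    t->c_ospeed = baud;
    t->c_cc[VMIN] = 1;                            /* block until at least one byte arrives */
    t->c_cc[VTIME] = 0;
}

/* Apply to an open tty; returns the speed the driver reports back, or -1 on error. */
static long apply_custom_baud(int fd, unsigned int baud)
{
    struct termios2 t;
    if (ioctl(fd, TCGETS2, &t) < 0) return -1;
    set_custom_baud(&t, baud);
    if (ioctl(fd, TCSETS2, &t) < 0) return -1;
    if (ioctl(fd, TCGETS2, &t) < 0) return -1;    /* read back: some adapters round the rate */
    return (long)t.c_ospeed;
}

int main(int argc, char **argv)
{
    if (argc != 3) { fprintf(stderr, "usage: %s <tty> <baud>\n", argv[0]); return 2; }
    int fd = open(argv[1], O_RDWR | O_NOCTTY);
    if (fd < 0) { perror("open"); return 1; }
    long got = apply_custom_baud(fd, (unsigned int)strtoul(argv[2], NULL, 10));
    if (got < 0) { perror("ioctl"); return 1; }
    fprintf(stderr, "line speed now %ld baud\n", got);
    char buf[256]; ssize_t n;
    while ((n = read(fd, buf, sizeof buf)) > 0)   /* dump boot output to stdout */
        if (write(STDOUT_FILENO, buf, (size_t)n) < 0) break;
    close(fd);
    return 0;
}
```

Whether a given USB-serial adapter can actually generate the requested rate depends on its driver and clock divider, which is why the code reads the setting back after applying it.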
That requires the Pin18 (GPIO0) to be pulled to ground. I fiddled with a magnifier in one hand and the test-clamp(s) in the other to get good connections. It took a number of attempts to get all three hooked up – and Cocoa – my Amazon parrot – might have learned a few new words in the process. I finally soldered the ground wire because I just couldn’t get a clamp to hold on. I started the Arduino environment (pre-configured for the ESP8266 chip set) and a few minutes later, my device had its first “Ela” made software installed.
I wanted the device to work exactly the way it worked before. With three LEDs (small blue, large blue, large red) giving an idea of the status and a push button to manually control the relay. That would require 5 GPIO pins. The ESP8266 has 17 GPIO pins (0-16), but one can only use 11. GPIO 6 – 11 are used to connect the flash memory chip and GPIO 1&3 are used for serial. A few loops helped to find the correct GPIOs.
Relay: 12 to high – switch relay on
Button: Pulls 13 to low if pressed
Small blue LED: 2 to low
Big blue LED: 4 to low
As a matter of fact: Just switching GPIO2 and GPIO4 to INPUT makes the LEDs come on. So to switch them off, one has to set the GPIO to high. The red LED comes on automatically if the relay is powered.
All that remained to do was to knit some logic and a web server around the GPIO setting and getting action. But that’s easy with the Arduino environment. It just took half an hour or so.
Integrating this new “open source” switch into my personal “Alexa Home” environment took another 30 minutes. It now controls my .. emm .. electric … fireplace. We’d like to turn it on to watch the “flames” once in a while – even if it’s 70 degrees outside (we live in South Central Texas).
Usually most Chinese products are co-branded so I am pretty sure that this “hack” will work with other cheapo wireless outlets as well.
Which brings me to the next question: Though parts like power supplies, relays and the ESP8266 chips may cost a total of $6 or $7 – is it really worth it building the devices myself? I still need a plug, a box, an outlet, a few LEDs and maybe even a push button .. and this little Chinese fellow was $12 or so ..
I just ordered two more “Nice2MiTu Smart Plug Wi-Fi Switch Sockets” from the jungle ($21.99 for two). I am pretty sure I can convince them to do what I want them to do. Though I am planning to put a self-made “smart” switch into my jukebox. But that’s a different story.
Let me know if I can help you with your project.
UPDATE: As suspected, the Nice2MiTu Switch Sockets were exactly the same on the inside. So far, I flashed 7 “smart” plugs with my software. One of them resisted every attempt to be flashed – so unless I come up with a better idea – I consider this one dead.
Here’s what my software does:
If the unit doesn’t recognize any stored value in the EEPROM, it becomes an AP itself and starts an MDNS responder. That makes it easy to find and connect to it and to configure the WiFi SSID, the WiFi password and a name for the device (small LED flashes rapidly). After reboot, the unit finds the data in the EEPROM and tries to hook up to the WiFi (small LED flashing slowly). If successful, the large blue LED will light up steady. Again an MDNS responder is launched and web clients may connect to it to switch the relay on (red LED turns on). The unit can be reset on this page, but it is also possible to reset the unit by pressing the manual “on/off” button for 10 seconds. The unit is now ready to be used in any environment one can think of.
UPDATE 2: I purchased the slightly cheaper KMC “smart plugs” that are manufactured by Hangzou Kaite Co. LTD. Those units are available for around $8 to $9 and therefore cheaper than almost any home-brew solution. Though they look almost the same, there are several differences to the “Beauty Flower” switches described in detail above. First: There seems to be a problem with circuit isolation and I blew one up just by grounding the appropriate wire on the ESP chip. The unit was plugged into a power socket across the room and I expect there must have been some difference in potential that discharged when I grounded the unit to the USB on my computer. Weird. But stuff happens. Second: They only have one LED. They still have the small one on the chip, but the case is designed in a way that blocks this LED from being visible once assembled. Third: The GPIO setting is completely different to the “Beauty Flower”:
Relay: 14 to high – switch relay on
Button: Pulls 0 to low if pressed
Small blue LED: 2 to low
Big green LED: 13 to low
And last but not least: The whole internal design has been somewhat cheapened (I think). Some assembly will be required to get the unit setup again after flashing.
I updated my software to be able to signal the unit’s status via a single LED (very fast flashing: SoftAP, fast flashing: Trying WiFi, slow flashing: All Ok, steady: Relay is on). But they work quite well once everything has been flashed.
UPDATE (September 2018): I wrote a new blog post dedicated to the power measuring circuit within the KMC “smart plugs”. You’ll find it HERE.