Hacking a $20 WiFi Smart Plug

The Kankun smart plug is an inexpensive device that lets you switch an outlet on and off over WiFi. The smart plug only works with an Android or iOS app that ships with the device, which limits its usefulness to turning things on and off from your phone.

In an attempt to make this device more useful, [LinuxGeek] probed the device with nmap and discovered that it runs OpenWRT. After trying various common default passwords, he discovered the login was root/admin. While [LinuxGeek] hasn’t sniffed the protocol yet, others have hacked it a bit further. The plug apparently uses UDP packets to communicate with the Android app, but the packets are unfortunately encrypted.

Rather than hack at the protocol, they wrote code that toggles the GPIO pin from a CGI script and developed a small Windows application that hits the CGI script for simple control from a computer. There’s also a Google+ group where more information and a couple of other hacks for these plugs are posted. For $20 (from AliExpress) and with a bit of hacking, this smart plug could be a great way to add wireless control to a home automation system.
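A CGI relay switch of the kind described above, written as an added example (not the code from the original hack): it accepts only an allow-listed `action` value, so nothing from the request ever reaches a command line on a plug that any host on the LAN can query. The relay path is a hypothetical placeholder and the function names are assumptions; the page does not say which GPIO node drives the relay.

```shell
#!/bin/sh
# Added example: minimal CGI relay switch for an OpenWrt-based plug.
# ASSUMPTION: RELAY_FILE is a hypothetical placeholder path; the page does
# not name the GPIO/LED node wired to the relay. Override it via environment.
RELAY_FILE="${RELAY_FILE:-/sys/class/leds/relay/brightness}"

# Print the requested action only if it is an allow-listed token.
# Anything else (missing, misspelled, or carrying shell metacharacters) fails.
parse_action() {
    action=""; old_ifs="$IFS"; IFS='&'; set -f   # split on '&', no globbing
    for pair in $1; do
        case "$pair" in action=*) action="${pair#action=}" ;; esac
    done
    set +f; IFS="$old_ifs"
    case "$action" in
        on|off|status) printf '%s' "$action" ;;
        *) return 1 ;;
    esac
}

# Write the new relay state (if any), then read it back and print on/off.
apply_action() {
    case "$1" in
        on)  printf '1\n' > "$RELAY_FILE" || return 1 ;;
        off) printf '0\n' > "$RELAY_FILE" || return 1 ;;
    esac
    state=$(cat "$RELAY_FILE" 2>/dev/null) || return 1
    case "$state" in
        0)      printf 'off' ;;
        [1-9]*) printf 'on' ;;
        *)      return 1 ;;
    esac
}

respond() {
    printf 'Status: %s\r\nContent-Type: application/json\r\n\r\n%s\n' "$1" "$2"
}

# Build the full CGI response for one query string.
handle_request() {
    if ! act=$(parse_action "$1"); then
        respond "400 Bad Request" '{"error":"action must be on, off or status"}'
    elif ! state=$(apply_action "$act"); then
        respond "500 Internal Server Error" '{"error":"relay not accessible"}'
    else
        respond "200 OK" "{\"relay\":\"$state\"}"
    fi
}

# Run only when started by a web server (CGI sets GATEWAY_INTERFACE).
[ -z "${GATEWAY_INTERFACE:-}" ] || handle_request "${QUERY_STRING:-}"
```

The script itself performs no authentication, so access control has to come from the web server configuration or the network the plug sits on.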

48 thoughts on “Hacking a $20 WiFi Smart Plug”

    1. I found one (several) on AliExpress that handles US plugs, but it is ‘plug agnostic’ as it also handles other plugs in the same device without changing any hardware/software. It seems to be tolerant of many voltage levels from 90 through 230 VAC or so.

  1. Maybe these manufacturers should just make these devices with a bootloader and a manual and let the community figure out what is the best software solution; this seems to be the inevitable result anyway.

    1. Personally, I’d like manufacturers to publish the dev. docs, schematics, source code, etc. for products they EOL. Basically, “We’re done supporting this product, so have at it if you want to.” I’ve collected many little plugs/adapters, gadgets, and other doodads that could make great little dev. platforms if I know how to reprogram them.

    1. Doubt it.
      The problem with these companies is they use Chinese-made relays, then take the rating off the relay cover.
      We used to use about 500k power relays a year; we tried some of the well-known Chinese brands but always found the contact coating would break down fairly quickly, causing the contact point to ‘splash’ and then start to arc & weld.
      A relay is a relay…. The real tech. is in the contact material layering and its processing.

  2. Might be worth running their Android app through a decompiler. I did this once in preparation for reverse-engineering another brand of wifi power adapter and discovered that their “encryption” simply involved salting the packets with the IP address and tacking on a checksum. Half an hour later we had no further need of the mobile apps.

    1. Can you help/advise how we can work it through our home WiFi router, as if we stop connection mob. communication the KK-SP3 loses its memory…..and doesn’t stop!! It’s even dangerous, thanks.

  3. I’m currently waiting on an order for one of these. I wanted to use it to be able to kill my 3D printer at the wall plug in the event of a failure via remote. Combining this with an old Android phone for monitoring and printing times no longer matter.

    1. Why not use a standard relay breakout and attach it to your printer’s microcontroller? You can then control with M80/M81 to turn the power on/off. Power your microcontroller via a non-switched USB so you can connect any time and fire up the high voltage side.

      Run octoprint on a raspi off that non-switched USB power, and you can then connect to a webpage and turn the power on and off.

  4. I would watch out…..
    This thing is ‘proxied’ via a Chinese server, as such there is nothing to stop the firmware from being updated remotely thereby blowing a MASSIVE hole in your firewall.
    Get several thousand of these things into service and you would have access to a significant amount of info.
    ESP. if they were installed in businesses.

    1. Nailed it right there. Proxying anything like this through anyone’s server is a significant risk on multiple fronts. Multiply that by several orders of magnitude when that server is in China. Nothing good will come of such things.

  5. Beware cheap Chinese switchers! My house burnt down a few months ago and the fire inspector pinpointed it to one of these. I was using it with just one 4″ fluorescent lamp so it was certainly not overloaded.
