Hackaday Prize Semifinalist: A Better Smart Plug

Walk into any home improvement store, and you’ll find dozens of smart accessories, home automation equipment, and WiFi-connected ephemera. The Belkin WeMo Insight is one of these devices, giving anyone with $60 and a WiFi network the ability to switch lights and appliances on and off over a network. [John] picked up one of these WiFi plugs, but it didn’t work exactly as he would like. Instead of building a smart plug from scratch, [John] replaced the controller board for a WeMo Insight for his Hackaday Prize entry, making it far more useful and a replacement for devices like the Kill-a-Watt.

In its stock form, the WeMo can only be used though the smartphone app provided by Belkin or through a few third-party services like IFFT. All of these solutions have a limited API, and don’t provide advanced power metrics. To solve this problem, [John] replaced the smart controller board inside the Belkin WeMo with one of their own design.

By volume, most of the electronics inside the WeMo are a transformer, caps, and a relay; the smarts of this smart plug are just a daughterboard. By re-engineering this daughterboard with a new microcontroller, an ESP8266, and a microSD card connector, [John] can replicate the functionality of the WeMo while adding some new features. SD card datalogging for up to four years is now possible, a RTC now provides precise time stamps on all data collected, and a few simple calculations on the microcontroller enable power factor, line frequency, and total energy metering. With the ESP, all this data can be sent up to the cloud with a vastly improved API.

It’s a great project, and something that Belkin should seriously consider for their next revision of the WeMo. For anyone stuck with a stock WeMo, [John] has made all his design files and code available, allowing anyone to replicate this build

You can check out [John]’s Hackaday Prize entry video below.

The 2015 Hackaday Prize is sponsored by:

Continue reading “Hackaday Prize Semifinalist: A Better Smart Plug”

Hacking a $20 WiFi Smart Plug

The Kankun smart plug is an inexpensive device that lets you switch an outlet on and off over wifi. The smart plug only works with an Android or IOS app that ships with the device, which limits its usefulness to turning things on and off from your phone.

In an attempt to make this device more useful, [LinuxGeek] probed the device with nmap and discovered that it runs OpenWRT. After trying various common default passwords he discovered the login was root/admin. While [LinuxGeek] hasn’t sniffed the protocol yet, others have hacked it a bit further. The plug apparently uses UDP packets to communicate with the Android app, but the packets are unfortunately encrypted.

Rather than hack at the protocol, they wrote code that toggles the GPIO pin from a CGI script and developed a small Windows application that hits the CGI script for simple control from a computer. There’s also a Google+ group where more information and a couple other hacks for these plugs are posted. For $20 (from AliExpress) and with a bit of hacking, this smart plug could be a great way to add wireless control to a home automation system.

Hacking the D-Link DSP-W215 Smart Plug


The D-Link DSP-W215 Smart Plug, a wireless home automation device for monitoring and controlling electrical outlets has just been hacked. Even though it isn’t readily available from Amazon or Best Buy yet, the firmware is already up on D-Link’s web site. The very well detailed write-up explains all the steps that led to this exploit creation.

First, the firmware was unpacked to examine the file system contents. It was found that the smart plug doesn’t have a normal web-based interface as users are expected to configure it using D-Link’s Android/iOS app. The apps however, appear to use the Home Network Administration Protocol (HNAP) to talk to the smart plug running a lighthttpd server. A look at the latter’s configuration file revealed the functions that could be called without any authentication. Another revealed that the firmware could accept an unlimited amount of POST request bytes which were copied in a fix length buffer without any performed checks. We’ll let our readers head to the original article to see where the author went from this point.