Finding ESP8266 Inside Big-Box Store IoT Plugs

When we buy new shiny toys, we usually open them up to at least have a look. [Scott Gibson] does the same, apparently. He found an ESP8266 module inside the EcoPlug brand WiFi-controlled wall switches.

The original device was intended to be controlled by a (crappy) app. He sniffed the UDP packets enough to send the on-off signals to an unmodified device, but where’s the fun in that? [Scott] gave it an upgrade by replacing the ESP8266’s firmware with his own and now he’s got a much more capable remote switch, one that speaks MQTT like the rest of his home automation system.

There’s not much to the code — it just does what you’d think it does. And that’s the beauty of open standards and our community of open-source hardware hackers. It’s easier than ever to take commercial crap that doesn’t do what you want and “fix” it.

There are other ways to crack the home automation egg. On the ESP8266 front, we’ve got even cheaper products for you to hack and even complete-DIY options. Before the ESP8266, firms used to put complete Linux routers into switches, if you can believe that, and they’re hackable as well. But kudos to [Scott] for looking at what he had, and making it into what he wanted.

Thanks [Milos] for the tip!

43 thoughts on “Finding ESP8266 Inside Big-Box Store IoT Plugs

  1. Not surprising. The thing I’m more curious about is how well it was made/programmed, and by the sounds of it, not very well. Makes one wonder if this was just implemented by someone with a hobbyist level of experience, and if that’s indicative of how IoT will be in general (or already is).

    1. It’s got the telltale serif font on the silkscreen, probably made in a hurry by an ODM in China. So, probably not well vetted at all. OTOH, they were pretty nice about labeling the switches and header vias so maybe it’s meant as a starting point for the budding hacker? (not likely)

    2. The hardware is much better than the average HaD projects. There are a few details like the shielding, raised and insulated socket, RU marking on the PCB, proper creepage/slots on PCB.

      It has to passes safety (UL/CSA), EMC (FCC/IC)in order to be for the big box store to import and sell it – liability and applicable laws and regulation.

      1. Creepage? Man, that trace by the bottom-right mounting hole scares me just a little. An extra wide screwhead could easily bite in there. Wonder what it does? It looks a little wide for a signal track, I think it may be Vcc.

      2. Don’t see the issue on the Power board where actual *creepage* safety requirement applies between high voltage and low voltage sides. The RF/Control board is in the low voltage domain, so creepage rule does not apply. It is a mechanical clearance issue.

        The lower bottom right trace route to R1 and D3, so likely that is the positive rail for running the D3 LED. The hole is a non-plated through hole and the screw entry came from the backside through the plastic coated shielding. The screw head is not coming in contact with this side and the ring would only make contact with the plastic standoff in the case.

      3. You assume that it passed safety and EMT, but case markings mean very little on generic import goods. I’m not saying that it didn’t actually get certified, but the odds seem pretty low to me for any of this kind of off product.

      1. Search for ‘lCT-065W’ at Walmart.com, they apparently carry the whole range of WorkChoice wifi gadgets. Not as much fun as picking one up off the shelf, but they are there, and I’d bet they all use the same controller.

    1. It was discontinued several months ago and clearanced for $8 per package of 2 outlets. I bought all four pairs that were left in the NOLA area online and picked them up at the store the next day. I’ve already turned one into a remotely monitored shutoff timer for a lapidary saw, got two more in process to replace the controller for my larger rock saw, and I figure I’ll figureo out something to do with the others, since the relay controlled outlet is worth four bucks even if I throw the ESP8266 away.

      1. It does take a few people reporting a comment for it to kick back to moderation. We do have a wish-list for mobile friendly improvements that I think are going to happen in the next few months. We’ll look at making it harder to accidentally click when on mobile. Thanks!

        1. The moderation’s by human beings anyway right? So it’s not like a Youtube or Facebook thing where they’re trying to optimise staff away with dodgy AI, and you can get anything removed with a campaign of reporting. Their model is aimed at getting it tolerably right for most people. HAD is different, many less of us, with a different level of tolerance. Particularly because, I think, we know how to do these things RIGHT, so when somebody gets them wrong for a bad reason, we get pissed off quicker.

  2. I’m a newbie to this stuff so, questions…
    Is it possible to write and upload code so the switch turns on when I connect to it with my device and it switches back off when disconnect?

    Or, could I possibly use SSID names as control codes for it? Like the opposite of the ‘poetic SSID’ hack- I’m not sure how to word my question, sorry.

      1. LOL…I see what you did there. Wondering if someone will read that; replace all of their’s with these; then scratch theor head in confusion when their next, higher electrical bill comes in :-)

  3. There was a good amount of information about these style plugs in the february hackaday post at http://hackaday.com/2016/02/06/cheap-wifi-outlets-reflashed-found-to-use-esp8266/

    In particular there is a link to https://labs.bitdefender.com/2016/08/hackers-can-use-smart-sockets-to-shut-down-critical-systems/ which describes an exploit to get access to the module without having to crack them open. All the more reason to reflash them I suppose…

    In the mean time, does anyone know of an android app that lets you connect a soft button to a MQTT device (to be able to regain the original functionality of the devices being able to be controlled/monitored by a phone)? It would also be excellent to add the power monitoring code posted by David Ewing (in the comments http://thegreatgeekery.blogspot.com/2016/02/ecoplug-wifi-switch-hacking.html?showComment=1461709954597#c7086122775433933705) integrated into the github!

  4. Be careful with these projects…. Remember many of these kinds of plugs cheap out and just use a simple linear regulator circuit off LINE and NEUT. So if your wall outlet is wired incorrectly OR pin swapped LINE and NEUT when you plugged it in and you touch GND on the low voltage side you are essentially touching LINE or NEUT. This can become worse if you happen to plug in your programmer or scope that is EGND referenced and you short LINE to EGND or many other issues…. Failsafe way to not kill yourself or your gear is to externally power the device while under test or through isolation gear.

Leave a Reply to Dave DavidsonCancel reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.