Hacking a Sonoff WiFi Switch

The ESP8266 platform has become so popular that it isn’t just being used in hobby and one-off projects anymore. Companies like Sonoff are basing entire home automation product lines around the inexpensive WiFi module. What this means for most of us is that there’s now a readily available, easily hackable product on the market that can be reprogrammed with tools we’ve known about for years, as [Dan] shows in his latest project.

[Dan] has an aquaponics setup in his home, and needs some automation to run the lights. Reaching for a Sonoff was an easy way to get this done, but the out-of-the-box device can only be programmed in the simplest of ways. To get more control over the unit, he wired a USB-to-Serial UART to the female headers on the board and got to programming it.

The upgraded devices are fully programmable and customizable now, and this would be a great hack for anyone looking to get more out of a Sonoff switch. A lot of the work is already done, like building a safe enclosure, wiring it, and getting it to look halfway decent. All that needs to be done is a little bit of programming. Of course, if you’d like to roll out your own home automation setup from scratch that can do everything from opening the garage door to alerting you when your dog barks, that’s doable too. You’ll just need a little more hardware.
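As an added example of the “little bit of programming” mentioned above (this is not code from the article or from [Dan]’s project), the sketch below is a minimal replacement firmware for the Arduino ESP8266 core: it drives the relay, lets the on-board button toggle it, and accepts over-the-air updates only when the uploader knows a password, so the case never has to come off again and a random host on the same WiFi network cannot push firmware onto a mains switch. The pin numbers (relay on GPIO12, LED on GPIO13, button on GPIO0) are the common Sonoff Basic mapping and are an assumption not stated on the page; the SSID, WiFi password, OTA password and hostname are placeholders.

```arduino
// Added example, not part of the original article: password-protected OTA
// firmware for an ESP8266-based Sonoff-style switch (Arduino ESP8266 core).
#include <ESP8266WiFi.h>
#include <ESP8266mDNS.h>
#include <WiFiUdp.h>
#include <ArduinoOTA.h>

const char *WIFI_SSID = "your-ssid";               // placeholder, change me
const char *WIFI_PASS = "your-wifi-password";      // placeholder, change me
const char *OTA_PASS  = "long-random-ota-secret";  // placeholder: OTA password

// Assumed Sonoff Basic pin mapping (not taken from the page).
const int PIN_RELAY  = 12;  // relay coil driver
const int PIN_LED    = 13;  // status LED, active low
const int PIN_BUTTON = 0;   // push button, pulled high, active low

bool relayOn = false;

void setRelay(bool on) {
  relayOn = on;
  digitalWrite(PIN_RELAY, on ? HIGH : LOW);
  digitalWrite(PIN_LED, on ? LOW : HIGH);  // LED lit while the load is on
}

void setup() {
  Serial.begin(115200);
  pinMode(PIN_RELAY, OUTPUT);
  pinMode(PIN_LED, OUTPUT);
  pinMode(PIN_BUTTON, INPUT_PULLUP);
  setRelay(false);  // fail safe: load off until explicitly switched on

  WiFi.mode(WIFI_STA);
  WiFi.begin(WIFI_SSID, WIFI_PASS);
  while (WiFi.status() != WL_CONNECTED) {
    delay(250);
    Serial.print('.');
  }
  Serial.println();
  Serial.print("IP: ");
  Serial.println(WiFi.localIP());

  ArduinoOTA.setHostname("aquaponics-light");  // placeholder hostname
  ArduinoOTA.setPassword(OTA_PASS);  // uploads without the password are rejected
  ArduinoOTA.onStart([]() {
    // Drop the load before flash is rewritten so an interrupted upload never
    // leaves the relay in an undefined state.
    setRelay(false);
    Serial.println("OTA start");
  });
  ArduinoOTA.onEnd([]() { Serial.println("OTA done"); });
  ArduinoOTA.onError([](ota_error_t err) {
    Serial.printf("OTA error %u\n", err);
  });
  ArduinoOTA.begin();
}

void loop() {
  ArduinoOTA.handle();

  // Local override: a button press toggles the relay (crude debounce).
  static unsigned long lastPress = 0;
  if (digitalRead(PIN_BUTTON) == LOW && millis() - lastPress > 300) {
    lastPress = millis();
    setRelay(!relayOn);
  }
}
```

The first upload still goes over the serial header with the unit unplugged from mains; every later upload can be done from the Arduino IDE or PlatformIO over the network using the OTA password. The password is LAN-level access control only: keep the switch on a network segment you trust, and change the placeholder before flashing.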

48 thoughts on “Hacking a Sonoff WiFi Switch”

    1. Except you NEVER connect the sonoff to mains while programming it. The programmer powers the sonoff in that case.

      Another solution is to hack the sonoff to run off 12v instead of mains. I did that to control a 12v led strip, the sonoff is powered by a 12v fixed voltage led driver and the relay toggles the 12v to the led strip.

    2. I’ve said this before on this very project – OTA.
      These are perfectly fine for OTA use, which negates the issue of exposing pins.

      At the very worst, you could do some ‘galvanic isolation’.

          1. And if you have a reasonably steady hand, you can do the reprogramming with a bunch of dupont plugs – no soldering (or pogo pins) required. The tasmota replacement firmware on github is pretty impressive.

        1. How? If you’re using custom firmware, it can’t be disabled by the previous tenant.

          Unless you meant OOB – in which you can add internal headers, or pogo-pin/angled-fit headers to do the initial flash.

    3. Re: “Power isn’t sufficiently isolated” and “GPIOs are essentially at high voltage to ground”.

      Do you have anything to back these claims up?

      I have a Sonoff switch on my desk right now, and it has a switch-mode (transformer) power supply for the logic side. It doesn’t have an earth ground, but the thing is in a plastic case anyway. I would love to know what’s wrong with it.

      1. @Elliot: My thoughts exactly. It’s been a little while since I’ve had one apart, but I seem to remember isolation slots and pretty good creepage between all things mains and low voltage. Looking at the schematic again, it sure looks like an isolated supply to me. Would love to know if this isn’t the case.

  1. Sledgehammer, nut. Has the man not heard of OTA? Program it ONCE with only 5V on the loose, then put the case back on. I have built a pogo-pin to FTDI adapter for exactly that purpose. Press and hold for about 30 sec while flashing OTA-capable firmware. No soldering, job done safely, forever.

  2. OTA is your friend…

    And, if you need to flash it, you don’t need to solder anything. Use a 4-pin header and hold it in place with a finger (unplugged from mains, of course).

  3. I have a deep distrust of anything ‘from China’ (ie not genuinely distributed in the US/UK) that’s connected to the mains – is this Sonoff kit ‘good’ or ‘dodgy’?

    1. I have several and they are pretty good. Itead (the actual name of the company that makes them, Sonoff is just the range) has a history of making good stuff that is designed to be hacked. There’s good isolation on the mainboard and the traces are sufficiently thick, and all the parts have the proper ratings. They aren’t UL or similar independent tester listed, but I trust them and have been using them for over a year.

    2. That’s not entirely fair. As the director of engineering of an ODM with customers that sell into all of the major markets, I can write from experience that if the product is sold in the local Chinese market and is CCC certified, you can trust it as being stringently regulated.

      Of course, many products sold on street corners and on-line in China are not CCC certified, and this is especially true for the lowest tier of products sold on the on-line dumpster that is taobao.

      1. Hmm. Seems to fly in the face of what my Chinese colleagues tell me (manufacturing co) about why they won’t buy Chinese brands.
        Part of it is very much a status thing, but there is also massive distrust in the local market.
        I found it funny that whilst we clamour to buy cheap tat, the Chinese guy is buying western brands made in China, because they believe it gives a level of western quality control that they don’t see on cut-price local brands.
        If the Chinese company is selling internationally and is known, then it’s a good bet that it should be a quality product because they have invested in marketing.
        If it’s generic stuff, steer clear, as those guys come and go like the seasons.

      1. The number of Chinese teardowns by yourselves, Big Clive and other trusted sources. Which is why I asked a source I trust (ie the HaD readership). In this case, I think the balance of opinion makes it clear that Sonoff/Itead are ‘good’. On that basis, I may now buy some – and woe betide you all if my house burns down…

  4. “A lot of the work is already done, like building a safe enclosure, wiring it, and getting it to look halfway decent. All that needs to be done is a little bit of programming.”

    I’ve been thinking of hacking an ESP into a piece of gear and using the WeMo emulating software to control it with Alexa, but this is the part that kind of holds me back. I’ve got to figure out how to get 3.3VDC in there and then wire a 110AC relay. Lots of points of failure, especially since it’s all going to be China-special hardware.

    For the ~$25 you can get a real WeMo switch for, kind of wonder if it’s even worth the risk.

      1. That’s a slightly odd duck – it looks like the construction standards are about right and they claim conformance to a bunch of UL etc standards, but it carries no certifications.

      1. is C E or CE?

        One is “Conformité Européenne” and the other “China Exports”. The second one means absolutely nothing as regards security.

        spoiler alert: the one in sonoff is the second one.

          1. Yes, but notice on the cert that it refers to “the scope evaluation relates to the submitted documents only”. What that means is BCTC simply reviewed the documents and felt it was worthy of a CE mark. In no way should people consider this equivalent to a UL, CSA, or TUV grade certification. In all honesty, I could care less if a product has a CE mark unless it also has a cert from an NRTL.

            osha.gov/dts/otpca/nrtl/nrtllist.html

          2. I beg to differ again. Isn’t that a declaration of _compliance_ from a test house, rather than a declaration of _conformity_ from the manufacturer/responsible party? Which is the actual EU directive (RED) requirement?

        1. Seriously can people quit it with the “China Export” bullshit?

          Yeah we know CE is self-certification and means nothing for a company not operating within reach of EU jurisdiction, but there is no such thing as “China Export”.

          1. If you’re saying that there is no official designation for CE meaning “China Export” then I don’t think anyone has made that claim and you aren’t wrong. But the fact remains that unscrupulous Chinese manufacturers are known to stamp goods with a meaningless “CE”, which has become known informally (and maybe a bit in jest) as “China Export”.

            There are simply too many people reporting fake CE stamps on Chinese devices to pretend it’s not a real thing. Even the CE Marking Association has had to acknowledge it:

            http://www.cemarkingassociation.co.uk/ce-marking-and-the-chinese-export-logo/

      2. “they are CE certified though.”

        CE is a self-certification standard. By printing that logo on their product, they are attesting that they have met the CE standards. (I’ve done it myself. It’s fun!)

        It has _not_ gone through some external certification process like with UL.

        It does mean that they are liable to get the heck sued out of them if their claims are false. But that may only matter for big firms, or firms within the reach of the long arms of the European Community.

    1. This is my concern as well. I’d really like to get into some custom home automation stuff, but I’m not really sure I trust no-name Chinese brands (or even named US brands) that haven’t gone through some credible 3rd-party evaluation. I work for a product development company (non-electronic) and we manufacture most of our items in China. I can tell you, having visited dozens of factories in the PRC, that the “certifications” thing is a joke. They’re usually old and outdated, if the certs are even legitimate to begin with, and rarely apply to specific items.

      My question is what are the alternatives? Are there any reputable, UL certified products that offer access to the microcontroller for home automation and customization while maintaining safe HV standards for the parts I don’t want to mess with?

  5. I’m all for the OTA method, because it makes re-programming easy. And similarly, I agree that you might as well program the ESP8266 in the modules with the thing unplugged because there are all sorts of mains traces exposed when you’ve got the case open.

    But I don’t think that the ESP8266 ground floats on the line voltage. The devices use a transformer for the low-voltage power, and have cutouts in the PCB separating the LV/HV sections. (I am not sure about “sufficient” safety, but it passes a sniff test.)

    Try it out for yourself. Pull out a continuity checker and you’ll see that the logic ground isn’t tied to either of the mains lines. (Unplug!)

    Unlike the 433 MHz radio switches, these aren’t transformerless designs. Doesn’t mean they’re safe, just means they’re not deathtraps.

    1. They do seem to have proper isolation and trace widths. Still though, I feel wary of putting them in-service around the house if they’re not UL listed at all. Itead does generally make good products, but it still worries me.
