Friday, January 2, 2015

Hacking Kankun Smart Wifi Plug

Kankun Smart Wifi Plug


The Kankun "Small K" (KK-SP3) Smart Wifi Plug Socket is an inexpensive device (~$20) that lets you switch an outlet on and off over Wi-Fi.

Smart Plug is a Controllable OpenWRT Linux BusyBox

Designed to be controlled by a smart phone, some engineering minds posted on Hackaday a way to control the device from any web browser or SSH client.  It turns out the Smart Plug is running a version of OpenWRT, which is basically a minimal BusyBox Linux environment (BusyBox: The Swiss Army Knife of Embedded Linux). It also has SSH access turned on by default, and was just a matter of determining the default password (admin, 1234, or p9z34c). Once you have SSH access you can either control the relay directly, or add a CGI script to control from a web browser.

root@koven:~# cat /etc/openwrt_release
DISTRIB_ID="OpenWrt"
DISTRIB_RELEASE="Bleeding Edge"
DISTRIB_REVISION="r39365"
DISTRIB_CODENAME="barrier_breaker"
DISTRIB_TARGET="ar71xx/generic"
DISTRIB_DESCRIPTION="OpenWrt Barrier Breaker r39365"

AliExpress

The Kunkun Smart Plug can be picked up on AliExpress for about $20.
"AliExpress is like eBay worldwide, but a lot bigger." (src)
Smart Plug package

There are a lot of options for purchase, just make sure you pick the US connector version (example), or you will need to buy an adapter (a mistake I made with the first one I ordered).

Smart Plug - US Connector Version

If you do get the wrong one, the front "female" receptacle connector was a universal connector, but the back "male" plug connector is the problem and you have to buy an adapter, so your device will end up looking like this:
Smart Plug - Chinese Connectors with US adapter
I should mention that one plug took 2 weeks to arrive and another took just shy of a full month. Different sellers, but both coming from China.

Factory Reset

As we make changes to the wireless settings, we can recover to the original factory settings by pressing and holding an almost-invisible white button on the surface of the plug for 4 seconds.

Configuring to SmartPlug Wireless Network

To get access and control to the Smart Plug, we first need to configure it.

Out of the box the Smart Plug is set as a Wireless Access Point, with an SSID of OK_SP3 (no password). To be useful, we will need to connect to this temporary access point and configure the device to connect to our home wireless network.



To configure the wireless, we can either:

1. Connect to the SSH service (default ip: 192.168.10.253) and modify the wireless files manually

or

2. We can use the Smart Phone Android/iOS app to configure the Smart Plug

I think the initial setup is easier with the app, so...

Configuring to SmartPlug Wireless Network - Android App Method


1. Download and install the Android Kankun "SmartPlug" app. (I assume the app on iOS is the same, but I haven't verified this)



For reference, I installed the app from the Google Play Store, but the instructions also provide a URL to download the app file: http://kk.huafeng.com:8081/android/Smartwifi.apk

2. Connect your Android Smart phone to the OK_SP3 network.

3. Start the SmartPlug app and click the "Config" button. Note: the "Device" page will be empty, unless you have already configured devices.



4. This is where we will change the Smart Plug's wireless network settings to our home network. Change the "Wifi" item to your home SSID (sorry no discovery option here). Change the Password to your home's wireless password. Ignore the "Encryption" option. Finally click the Configuring button to save the changes.



5. The Smart Plug should now be on your home's wireless network, and your Smart Phone will have been auto disconnected from the OK_SP3 network and also back on your home network. Check the status of the blue LED on the Smart Plug. If the LED is off, everything is good. If the light is blinking, it was unable to connect to your home wireless network.



6. Now check the "Device" list. Your Smart Plug should now be in the device list. Select the device.



Note: The device's Ethernet address (MAC) is also listed. Take note of the MAC, as you will want to check your DHCP server's logs to determine the IP address of your Smart Plug.

7. From here, we can quickly test the Smart Plug. We will be presented with a visual "on/off" button. Click the "on/off" a few times until you are satisfied. You will hear the relay switch on and off, or if you have something plugged into the Smart Plug, you will see it turn on and off.



7. Check your home's DHCP logs to find out what the new IP address of your Smart Plug is. Next we will connect to the Smart Plug over SSH.

Example:
dnsmasq-dhcp: DHCPDISCOVER(eth0) 00:15:61:bc:42:af
dnsmasq-dhcp: DHCPOFFER(eth0) 10.10.10.222 00:15:61:bc:42:af
dnsmasq-dhcp: DHCPREQUEST(eth0) 10.10.10.222 00:15:61:bc:42:af
dnsmasq-dhcp: DHCPACK(eth0) 10.10.10.222 00:15:61:bc:42:af


Configuring to SmartPlug Wireless Network - SSH Method


default /etc/config/wireless:
...

config wifi-iface
        option device radio0
        option network lan
        option mode ap
        option ssid OK_SP3
        option encryption none

change /etc/config/wireless:
...

config wifi-iface
        option device radio0
        option network wwan
        option ssid 'YOURSSID'
        option mode sta
        option encryption psk
        option key 'YOUR_WPA_KEY'

append /etc/config/network: (thanks Michael Liddle)
  config interface 'wwan'
  option proto 'dhcp'

After saving this file, reboot the Smart Plug and it should be connected to your home network. If the connection fails, perform the "factory reset" procedures to reset the network settings.
# reboot


SSH Password

Using your favorite SSH client, connect to the Smart Plug's IP address. Use "root" for the username, and "p9z34c" as the password (older models may have used "admin" or "1234").

$ ssh root@10.10.10.222
root@10.10.10.222's password:

BusyBox v1.19.4 (2014-03-27 17:39:06 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

  _    _               _    _
 | | _-_| _____ _____  | | _-_| _____ ____
 |  -_-  |     ||     ||  -_-  |     ||    |
 | |-_   |  -  ||  |  || |-_   |  -__||   _|
 |  _ -_ |_____||__|__||  _ -_ |_____||__|
 |_| -__|  S M A L L   |_| -__| S M A R T
 -----------------------------------------------------
 KONKE Technology Co., Ltd. All rights reserved.
 -----------------------------------------------------
  * www.konke.com            All other products and
  * QQ:27412237              company names mentioned
  * 400-871-3766             may be the trademarks of
  * fae@konke.com            their respective owners.
 -----------------------------------------------------
root@koven:~#

You can then change the default password with the 'passwd' command.

# cat /etc/shadow | grep root
root:$1$4a45vajh$LVbmwoCs84PwyB.r2UdIN1:16185:0:99999:7:::

# passwd
Changing password for root
New password:
Retype password:
Password for root changed by root

Control Relay

Turning on and off the relay is really easy:

# turn relay on
echo 1 > /sys/class/leds/tp-link:blue:relay/brightness

# turn relay off
echo 0 > /sys/class/leds/tp-link:blue:relay/brightness


Web Interface

cnxsoft posted a simple CGI script (relay.cgi) to control the relay from a web interface:

Simply create the directory /www/cgi-bin/ and create the relay.cgi script as follows and give execute permission (chmod +x /www/cgi-bin/relay.cgi).

#!/bin/sh
echo "Content-Type: text/plain"
echo "Cache-Control: no-cache, must-revalidate"
echo "Expires: Sat, 26 Jul 1997 05:00:00 GMT"
echo

RELAY_CTRL=/sys/class/leds/tp-link:blue:relay/brightness

case "$QUERY_STRING" in
 state) 
  case "`cat $RELAY_CTRL`" in
   0) echo "OFF"
   ;;
   1) echo "ON"
   ;;
  esac
 ;;
 on) 
  echo 1 > $RELAY_CTRL
  echo OK
 ;;
 off) 
  echo 0 > $RELAY_CTRL
  echo OK
 ;;
esac

Open a browser and use the following URLs to control the relay:

http://your_device_ip/cgi-bin/relay.cgi?on

http://your_device_ip/cgi-bin/relay.cgi?off

Power Limits

The Smart Plug has a max current of 10 A or 2,200 W. A fire may be caused by exceeding these limits.



Google+ Group

Hacking the the Smart Plug now has a community group setup on Google+ Groups.








38 comments:

  1. Thank you! This is awesome. Because of your work, we can now use this device for any kind of home automation. Which is awesome.

    ReplyDelete
  2. Do you know what you can do if the application is unable to login to plug, as I can SSH, but app keeps saying login failure. Any ideas?

    ReplyDelete
  3. Yes I have same problem

    ReplyDelete
  4. Hi,

    For manual ssh configure you need to also append

    config interface 'wwan'
    option proto 'dhcp'

    to /etc/config/network

    ReplyDelete
  5. Thank you Michael Liddle, I have updated the details.

    ReplyDelete
  6. Thank for the useful information.

    I telnet to my kankun with user root without password

    use mkdir to create /www/cgi-bin folder

    use vi to create/edit relay.cgi file

    chmod +x /www/cgi-bin/relay.cgi

    now I can turn on/turn off the device using web brower however the on/off status of the device did not reflect on kakun provided android application.

    I am now trying to learn how to develop vera home automation's plug in to create virtual z wave device to control kakun from vera home automation

    ReplyDelete
  7. Hello! Great post! I only can connect Kankun to wifi if the router has no security and wifi is open. Any ideas?

    Thank you in advance!

    Jesus

    ReplyDelete
  8. What the new password for root ssh?

    ReplyDelete
  9. hi. im new to this. can someone help me by explaining a simpler way on how to control smartplug using web browser? i dont know how to do the cgi stuff and all that. also do i have to set up smartplug through ssh if im going to control it through browser? here is my email imthedaniel22@gmail.com thanks guys

    ReplyDelete
  10. Hi there,
    Does anyone know how to allow mdns on this. I sucessfully installed avahi on it but multicasting stops after 120 sec.

    All Ideas would be appreciated.
    Thanks

    ReplyDelete
  11. on this community they are working on an andorid app: https://plus.google.com/communities/115308608951565782559

    https://play.google.com/store/apps/details?id=com.blogspot.choplabalagun.widgetkkforsmartplug

    It has homescreen widgets, and google now integration so you can setup voice commands

    ReplyDelete
  12. Thanks for the information you posted!
    However I am unable to download the apk for the widgetkk:
    https://play.google.com/store/apps/details?id=com.blogspot.choplabalagun.widgetkkforsmartplug

    Can you help me download it?

    Thanks!

    Rene

    ReplyDelete
  13. Try this link:

    https://play.google.com/apps/testing/com.blogspot.choplabalagun.widgetkkforsmartplug

    if it doesnt work, join the community mentioned on this thread and try again.

    ReplyDelete
  14. I would like to thank you for your work, this has help me control my outlets from my mcu projects.....Thanks

    ReplyDelete
  15. Hi! When I follow this steps I had the device listed in the application list but if I click in the device, the app, ask me for a password. Do you know what password I need? Thanks!!

    ReplyDelete
  16. Hello
    Works fine with ssh (default root passwd = p9z34c)
    I would suggest NOT to use phone app, considering the security issue : installing this app would give to this app access to about everything on your phone...
    Regards

    ReplyDelete
  17. did you know how to check the indiator led of LED ? please help. thank you

    ReplyDelete
  18. Love you article. It was a tremendous help to me in getting this thing up. I have a small web page on the KanKun web server that displays:

    MY GARAGE DOOR

    Press to Close/Open (switch on wait 1 second switch off)

    It works great as for as for as activating the relay. I haven't gone live yet as I don't know how to password protect the site when I NAT through my router. Anyone know how this is done?


    ReplyDelete
  19. it's so really easy to customize kankun v1 socket. you can search into google.

    ReplyDelete
  20. It seems that the hack is no longer valid with the latest versions of the Smart Plug Mini K (round) with FW&HW 1.0.6

    http://www.dhresource.com/200x200s/f2-albu-g3-M00-4C-1B-rBVaHVboG-yANNnaAAFaNJWfAHk533.jpg/2015-hot-fashion-mini-k-smart-wifi-plug-socket.jpg

    ReplyDelete
  21. Hello,

    I would like to ask you if it is possible to control wifi smart plug - ON/OFF function just with one URL - I mean to use just one single URL which will turn the plug ON when is OFF and vice versa. I need to have exact URL without difference at the end.
    Thank you very much.

    ReplyDelete
    Replies
    1. This will just be a simple matter of modifying the cgi script a little

      Delete
  22. If you want to spy on your friends you just need to click here and read the review.

    ReplyDelete
  23. Hi

    When trying to do the setup via the app the device is unable to connect to my wireless (fast blinking)

    When setting up it via ssh i get the device rebooted but now its hosting a new wifi named "Omni10_setup_6E7" that i am unable to get an ip from (guessning no dhcp enabled)

    Please help :D

    ReplyDelete
  24. Bought a couple of these. then learn that you can create something more powerful with Ardunio and its wifi module. Though you do have to had both electrical and software skills to do that.

    Still, I think I'll just keep this thing as an elegant HTTP relay and somewhat programmable to some extent :)

    ReplyDelete
  25. I've also played with my Kankun and configured it to be controlled vi home-assistant.

    To enable connection via ssh key (and not password) you need to place the authorized key in /etc/dropbear/authorized_keys (and not the traditional ~/.ssh/authorized_keys)

    The home-assistant configuration in case someone need:
    switch:
    platform: command_line
    switches:
    ikonke:
    command_on: "ssh root@[switch-ip] 'echo 1 > /sys/class/leds/i-konke:red:relay/brightness'"
    command_off: "ssh root@[switch-ip] 'echo 0 > /sys/class/leds/i-konke:red:relay/brightness'"


    or depending on the version of your Kankun switch:
    switch:
    platform: command_line
    switches:
    ikonke:
    command_on: "ssh root@[switch-ip] 'echo 1 > /sys/class/leds/tp-link:blue:relay/brightness'"
    command_off: "ssh root@[switch-ip] 'echo 0 > /sys/class/leds/tp-link:blue:relay/brightness'"

    ReplyDelete
  26. For Home Assistant you can also do the below once the cgi script is installed and poll for state

    command_on: 'curl -k "http://ipaddress/cgi-bin/relay.cgi?on"'
    command_off: 'curl -k "http://ipaddress/cgi-bin/relay.cgi?off"'
    command_state: 'curl -k "http://ipaddress/cgi-bin/relay.cgi?state"'
    value_template: '{{ value == "ON" }}'

    ReplyDelete
  27. Check your wifi router options
    Maybe your option is:

    Option encryption psk2

    ReplyDelete
  28. Does anyone know how to configure the small K to use a static IP instead of relying on DHCP?

    ReplyDelete
    Replies
    1. Answering my own question here...

      In /etc/config/network

      option proto 'static'
      option ipaddr ''
      option netmask '255.255.255.0'

      Delete
    2. Just realized if you want the kankun-supplied app to continue to work, u have to supply the following options too:

      ipaddr (mentioned above, insert desired local IP address)
      netmask
      gateway
      broadcast
      dns

      For details, Google any openwrt documentation

      Delete
  29. This super hackable little gadget really is fun to work with.... I have since been able to program it to auto-reset my pair of homeplugs whenever connection is severed (by writing a shell script on home router running DD-wrt)... Next I am going to program another plug to turn on the light whenever webcam detects motion 👍👍

    ReplyDelete
  30. Here you can get information about spy gps systems and how to use them

    ReplyDelete
  31. Thanks to the admin.

    It still works. I got my plug 2 years back and now i'm reusing it after reading this post.

    I've even used my Pebble to control it via HTTP Push app. Only setback is to have Bluetooth connection all the time to my phone.

    I've modified the relay.cgi code to perform toggle of my smart plug's on off.
    Now it's controlling a table lamp bought from Ikea.

    Interested people may do so by add the following codes before the last line "esac"

    toggle)
    case "`cat $RELAY_CTRL`" in
    0) echo 1 > $RELAY_CTRL
    echo OK
    ;;
    1) echo 0 > $RELAY_CTRL
    echo OK
    ;;
    esac
    ;;


    For non-tech guy, what it basically does is toggling the status by taking the current state of the plug as input and do the opposite.


    Have fun.

    ReplyDelete
  32. Hi, Anyone know the file and/or the path to the file that contains the timer info. on one of these switches. I just want to modify that file to run my schedule. Thanks. Larry

    ReplyDelete
  33. Does anyone know what exactly needs to be added into relay.cgi script to be able to control ON/OFF function just with one command, without need to use ON or OFF at the end of the URL?

    I want just type this URL into browser:
    IP-ADDRESS/cgi-bin/relay.cgi

    and light should turn ON or OFF, depends on previous state of the light.

    Thank you.

    ReplyDelete
  34. Hey, posting this in case anybody is still buying these. I have about 8 of them, purchased as a direct consequence this page, and they are very cool with this hack. Sadly, I've recently discovered that they have a significant safety issue - in the United States/North America version, they switch the *neutral* wire, instead of the *hot*! This means that when they are turned off, the plugged-in device is still live and ready to shock you.

    I'm guessing this is because they are a multi-country design, and they always switch the wire on the *left*. This is correct for China/Australia but incorrect for North America; see the relevant pinouts:

    https://en.wikipedia.org/wiki/File:Australian_Socket-Outlet,_Auto_Switched.jpg
    https://www.schneider-electric.us/en/faqs/FA156527/

    ReplyDelete

Please be respectful.