Friday, January 2, 2015

Hacking Kankun Smart Wifi Plug

Kankun Smart Wifi Plug


The Kankun "Small K" (KK-SP3) Smart Wifi Plug Socket is an inexpensive device (~$20) that lets you switch an outlet on and off over Wi-Fi.

Smart Plug is a Controllable OpenWRT Linux BusyBox

Designed to be controlled by a smart phone, some engineering minds posted on Hackaday a way to control the device from any web browser or SSH client.  It turns out the Smart Plug is running a version of OpenWRT, which is basically a minimal BusyBox Linux environment (BusyBox: The Swiss Army Knife of Embedded Linux). It also has SSH access turned on by default, and was just a matter of determining the default password (admin, 1234, or p9z34c). Once you have SSH access you can either control the relay directly, or add a CGI script to control from a web browser.

root@koven:~# cat /etc/openwrt_release
DISTRIB_ID="OpenWrt"
DISTRIB_RELEASE="Bleeding Edge"
DISTRIB_REVISION="r39365"
DISTRIB_CODENAME="barrier_breaker"
DISTRIB_TARGET="ar71xx/generic"
DISTRIB_DESCRIPTION="OpenWrt Barrier Breaker r39365"

AliExpress

The Kunkun Smart Plug can be picked up on AliExpress for about $20.
"AliExpress is like eBay worldwide, but a lot bigger." (src)
Smart Plug package

There are a lot of options for purchase, just make sure you pick the US connector version (example), or you will need to buy an adapter (a mistake I made with the first one I ordered).

Smart Plug - US Connector Version

If you do get the wrong one, the front "female" receptacle connector was a universal connector, but the back "male" plug connector is the problem and you have to buy an adapter, so your device will end up looking like this:
Smart Plug - Chinese Connectors with US adapter
I should mention that one plug took 2 weeks to arrive and another took just shy of a full month. Different sellers, but both coming from China.

Factory Reset

As we make changes to the wireless settings, we can recover to the original factory settings by pressing and holding an almost-invisible white button on the surface of the plug for 4 seconds.

Configuring to SmartPlug Wireless Network

To get access and control to the Smart Plug, we first need to configure it.

Out of the box the Smart Plug is set as a Wireless Access Point, with an SSID of OK_SP3 (no password). To be useful, we will need to connect to this temporary access point and configure the device to connect to our home wireless network.



To configure the wireless, we can either:

1. Connect to the SSH service (default ip: 192.168.10.253) and modify the wireless files manually

or

2. We can use the Smart Phone Android/iOS app to configure the Smart Plug

I think the initial setup is easier with the app, so...

Configuring to SmartPlug Wireless Network - Android App Method


1. Download and install the Android Kankun "SmartPlug" app. (I assume the app on iOS is the same, but I haven't verified this)



For reference, I installed the app from the Google Play Store, but the instructions also provide a URL to download the app file: http://kk.huafeng.com:8081/android/Smartwifi.apk

2. Connect your Android Smart phone to the OK_SP3 network.

3. Start the SmartPlug app and click the "Config" button. Note: the "Device" page will be empty, unless you have already configured devices.



4. This is where we will change the Smart Plug's wireless network settings to our home network. Change the "Wifi" item to your home SSID (sorry no discovery option here). Change the Password to your home's wireless password. Ignore the "Encryption" option. Finally click the Configuring button to save the changes.



5. The Smart Plug should now be on your home's wireless network, and your Smart Phone will have been auto disconnected from the OK_SP3 network and also back on your home network. Check the status of the blue LED on the Smart Plug. If the LED is off, everything is good. If the light is blinking, it was unable to connect to your home wireless network.



6. Now check the "Device" list. Your Smart Plug should now be in the device list. Select the device.



Note: The device's Ethernet address (MAC) is also listed. Take note of the MAC, as you will want to check your DHCP server's logs to determine the IP address of your Smart Plug.

7. From here, we can quickly test the Smart Plug. We will be presented with a visual "on/off" button. Click the "on/off" a few times until you are satisfied. You will hear the relay switch on and off, or if you have something plugged into the Smart Plug, you will see it turn on and off.



7. Check your home's DHCP logs to find out what the new IP address of your Smart Plug is. Next we will connect to the Smart Plug over SSH.

Example:
dnsmasq-dhcp: DHCPDISCOVER(eth0) 00:15:61:bc:42:af
dnsmasq-dhcp: DHCPOFFER(eth0) 10.10.10.222 00:15:61:bc:42:af
dnsmasq-dhcp: DHCPREQUEST(eth0) 10.10.10.222 00:15:61:bc:42:af
dnsmasq-dhcp: DHCPACK(eth0) 10.10.10.222 00:15:61:bc:42:af


Configuring to SmartPlug Wireless Network - SSH Method


default /etc/config/wireless:
...

config wifi-iface
        option device radio0
        option network lan
        option mode ap
        option ssid OK_SP3
        option encryption none

change /etc/config/wireless:
...

config wifi-iface
        option device radio0
        option network wwan
        option ssid 'YOURSSID'
        option mode sta
        option encryption psk
        option key 'YOUR_WPA_KEY'

append /etc/config/network: (thanks Michael Liddle)
  config interface 'wwan'
  option proto 'dhcp'

After saving this file, reboot the Smart Plug and it should be connected to your home network. If the connection fails, perform the "factory reset" procedures to reset the network settings.
# reboot


SSH Password

Using your favorite SSH client, connect to the Smart Plug's IP address. Use "root" for the username, and "p9z34c" as the password (older models may have used "admin" or "1234").

$ ssh root@10.10.10.222
root@10.10.10.222's password:

BusyBox v1.19.4 (2014-03-27 17:39:06 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

  _    _               _    _
 | | _-_| _____ _____  | | _-_| _____ ____
 |  -_-  |     ||     ||  -_-  |     ||    |
 | |-_   |  -  ||  |  || |-_   |  -__||   _|
 |  _ -_ |_____||__|__||  _ -_ |_____||__|
 |_| -__|  S M A L L   |_| -__| S M A R T
 -----------------------------------------------------
 KONKE Technology Co., Ltd. All rights reserved.
 -----------------------------------------------------
  * www.konke.com            All other products and
  * QQ:27412237              company names mentioned
  * 400-871-3766             may be the trademarks of
  * fae@konke.com            their respective owners.
 -----------------------------------------------------
root@koven:~#

You can then change the default password with the 'passwd' command.

# cat /etc/shadow | grep root
root:$1$4a45vajh$LVbmwoCs84PwyB.r2UdIN1:16185:0:99999:7:::

# passwd
Changing password for root
New password:
Retype password:
Password for root changed by root

Control Relay

Turning on and off the relay is really easy:

# turn relay on
echo 1 > /sys/class/leds/tp-link:blue:relay/brightness

# turn relay off
echo 0 > /sys/class/leds/tp-link:blue:relay/brightness


Web Interface

cnxsoft posted a simple CGI script (relay.cgi) to control the relay from a web interface:

Simply create the directory /www/cgi-bin/ and create the relay.cgi script as follows and give execute permission (chmod +x /www/cgi-bin/relay.cgi).

#!/bin/sh
echo "Content-Type: text/plain"
echo "Cache-Control: no-cache, must-revalidate"
echo "Expires: Sat, 26 Jul 1997 05:00:00 GMT"
echo

RELAY_CTRL=/sys/class/leds/tp-link:blue:relay/brightness

case "$QUERY_STRING" in
 state) 
  case "`cat $RELAY_CTRL`" in
   0) echo "OFF"
   ;;
   1) echo "ON"
   ;;
  esac
 ;;
 on) 
  echo 1 > $RELAY_CTRL
  echo OK
 ;;
 off) 
  echo 0 > $RELAY_CTRL
  echo OK
 ;;
esac

Open a browser and use the following URLs to control the relay:

http://your_device_ip/cgi-bin/relay.cgi?on

http://your_device_ip/cgi-bin/relay.cgi?off

Power Limits

The Smart Plug has a max current of 10 A or 2,200 W. A fire may be caused by exceeding these limits.



Google+ Group

Hacking the the Smart Plug now has a community group setup on Google+ Groups.








34 comments:

Anonymous said...

Thank you! This is awesome. Because of your work, we can now use this device for any kind of home automation. Which is awesome.

Anonymous said...

Do you know what you can do if the application is unable to login to plug, as I can SSH, but app keeps saying login failure. Any ideas?

Anonymous said...

Yes I have same problem

Michael Liddle said...

Hi,

For manual ssh configure you need to also append

config interface 'wwan'
option proto 'dhcp'

to /etc/config/network

Kenneth Burgener said...

Thank you Michael Liddle, I have updated the details.

Anonymous said...

Thank for the useful information.

I telnet to my kankun with user root without password

use mkdir to create /www/cgi-bin folder

use vi to create/edit relay.cgi file

chmod +x /www/cgi-bin/relay.cgi

now I can turn on/turn off the device using web brower however the on/off status of the device did not reflect on kakun provided android application.

I am now trying to learn how to develop vera home automation's plug in to create virtual z wave device to control kakun from vera home automation

Jesús Moreno said...

Hello! Great post! I only can connect Kankun to wifi if the router has no security and wifi is open. Any ideas?

Thank you in advance!

Jesus

iphone_hebrew said...

What the new password for root ssh?

Anonymous said...

hi. im new to this. can someone help me by explaining a simpler way on how to control smartplug using web browser? i dont know how to do the cgi stuff and all that. also do i have to set up smartplug through ssh if im going to control it through browser? here is my email imthedaniel22@gmail.com thanks guys

megarameno said...

Hi there,
Does anyone know how to allow mdns on this. I sucessfully installed avahi on it but multicasting stops after 120 sec.

All Ideas would be appreciated.
Thanks

Dan said...

on this community they are working on an andorid app: https://plus.google.com/communities/115308608951565782559

https://play.google.com/store/apps/details?id=com.blogspot.choplabalagun.widgetkkforsmartplug

It has homescreen widgets, and google now integration so you can setup voice commands

Rene Canlas said...

Thanks for the information you posted!
However I am unable to download the apk for the widgetkk:
https://play.google.com/store/apps/details?id=com.blogspot.choplabalagun.widgetkkforsmartplug

Can you help me download it?

Thanks!

Rene

Chop Labalagun said...

Try this link:

https://play.google.com/apps/testing/com.blogspot.choplabalagun.widgetkkforsmartplug

if it doesnt work, join the community mentioned on this thread and try again.

Anonymous said...

I would like to thank you for your work, this has help me control my outlets from my mcu projects.....Thanks

Unknown said...

Hi! When I follow this steps I had the device listed in the application list but if I click in the device, the app, ask me for a password. Do you know what password I need? Thanks!!

Anonymous said...

Hello
Works fine with ssh (default root passwd = p9z34c)
I would suggest NOT to use phone app, considering the security issue : installing this app would give to this app access to about everything on your phone...
Regards

L said...

did you know how to check the indiator led of LED ? please help. thank you

Anonymous said...

Love you article. It was a tremendous help to me in getting this thing up. I have a small web page on the KanKun web server that displays:

MY GARAGE DOOR

Press to Close/Open (switch on wait 1 second switch off)

It works great as for as for as activating the relay. I haven't gone live yet as I don't know how to password protect the site when I NAT through my router. Anyone know how this is done?


L said...

it's so really easy to customize kankun v1 socket. you can search into google.

Thanh Viet said...

It seems that the hack is no longer valid with the latest versions of the Smart Plug Mini K (round) with FW&HW 1.0.6

http://www.dhresource.com/200x200s/f2-albu-g3-M00-4C-1B-rBVaHVboG-yANNnaAAFaNJWfAHk533.jpg/2015-hot-fashion-mini-k-smart-wifi-plug-socket.jpg

Juraj Ziak said...

Hello,

I would like to ask you if it is possible to control wifi smart plug - ON/OFF function just with one URL - I mean to use just one single URL which will turn the plug ON when is OFF and vice versa. I need to have exact URL without difference at the end.
Thank you very much.

Graham Oakman said...

If you want to spy on your friends you just need to click here and read the review.

Johan Lindström said...

Hi

When trying to do the setup via the app the device is unable to connect to my wireless (fast blinking)

When setting up it via ssh i get the device rebooted but now its hosting a new wifi named "Omni10_setup_6E7" that i am unable to get an ip from (guessning no dhcp enabled)

Please help :D

Anonymous said...

Bought a couple of these. then learn that you can create something more powerful with Ardunio and its wifi module. Though you do have to had both electrical and software skills to do that.

Still, I think I'll just keep this thing as an elegant HTTP relay and somewhat programmable to some extent :)

Tititoulou said...

I've also played with my Kankun and configured it to be controlled vi home-assistant.

To enable connection via ssh key (and not password) you need to place the authorized key in /etc/dropbear/authorized_keys (and not the traditional ~/.ssh/authorized_keys)

The home-assistant configuration in case someone need:
switch:
platform: command_line
switches:
ikonke:
command_on: "ssh root@[switch-ip] 'echo 1 > /sys/class/leds/i-konke:red:relay/brightness'"
command_off: "ssh root@[switch-ip] 'echo 0 > /sys/class/leds/i-konke:red:relay/brightness'"


or depending on the version of your Kankun switch:
switch:
platform: command_line
switches:
ikonke:
command_on: "ssh root@[switch-ip] 'echo 1 > /sys/class/leds/tp-link:blue:relay/brightness'"
command_off: "ssh root@[switch-ip] 'echo 0 > /sys/class/leds/tp-link:blue:relay/brightness'"

hprocess said...

For Home Assistant you can also do the below once the cgi script is installed and poll for state

command_on: 'curl -k "http://ipaddress/cgi-bin/relay.cgi?on"'
command_off: 'curl -k "http://ipaddress/cgi-bin/relay.cgi?off"'
command_state: 'curl -k "http://ipaddress/cgi-bin/relay.cgi?state"'
value_template: '{{ value == "ON" }}'

Anonymous said...

Check your wifi router options
Maybe your option is:

Option encryption psk2

Seeme Breakthis said...

Does anyone know how to configure the small K to use a static IP instead of relying on DHCP?

Seeme Breakthis said...

Answering my own question here...

In /etc/config/network

option proto 'static'
option ipaddr ''
option netmask '255.255.255.0'

Seeme Breakthis said...

Just realized if you want the kankun-supplied app to continue to work, u have to supply the following options too:

ipaddr (mentioned above, insert desired local IP address)
netmask
gateway
broadcast
dns

For details, Google any openwrt documentation

Seeme Breakthis said...

This will just be a simple matter of modifying the cgi script a little

Seeme Breakthis said...

This super hackable little gadget really is fun to work with.... I have since been able to program it to auto-reset my pair of homeplugs whenever connection is severed (by writing a shell script on home router running DD-wrt)... Next I am going to program another plug to turn on the light whenever webcam detects motion 👍👍

Dung Maurice said...

Here you can get information about spy gps systems and how to use them

dandylau said...

Thanks to the admin.

It still works. I got my plug 2 years back and now i'm reusing it after reading this post.

I've even used my Pebble to control it via HTTP Push app. Only setback is to have Bluetooth connection all the time to my phone.

I've modified the relay.cgi code to perform toggle of my smart plug's on off.
Now it's controlling a table lamp bought from Ikea.

Interested people may do so by add the following codes before the last line "esac"

toggle)
case "`cat $RELAY_CTRL`" in
0) echo 1 > $RELAY_CTRL
echo OK
;;
1) echo 0 > $RELAY_CTRL
echo OK
;;
esac
;;


For non-tech guy, what it basically does is toggling the status by taking the current state of the plug as input and do the opposite.


Have fun.