Kankun Plug
Creator: |
Contents
What is it?
The Kankun Smart Plug (also known as KK-SP3 or Small K) is a relatively inexpensive Wi-Fi device that sits between some AC-powered appliance and the mains, and switches the power on and off via a relay. As of this writing the device is about $22 on Amazon.
The cool part is that it has internals very similar to some TP-Link router, and even out of the box, it is running OpenWRT. The relay output is exposed via /sys, even. So I'd like to compile a list of some of the possible hacks.
Hacks
One observation of note is that, when the relay is changed using /sys or any unofficial method, the official app will not track that change. The most visible result is that it may take more than one press of the physical button on the device to get the output to toggle. This is because the official app thinks that the output is already on, so it turns it off, but it was already off because of our hack. (Or vice versa.)
Logging in via ssh and controlling the thing.
hunter@tamale:~$ ssh root@192.168.1.161 root@192.168.1.161's password: p9z34c (apparently might also be 1234 or admin) BusyBox v1.19.4 (2014-03-27 17:39:06 CST) built-in shell (ash) Enter 'help' for a list of built-in commands. <snip> root@koven:~# cat /sys/class/leds/tp-link:blue:relay/brightness #is the output on or off? 1 root@koven:~# echo 0 > /sys/class/leds/tp-link:blue:relay/brightness #turn it off root@koven:~# echo 1 > /sys/class/leds/tp-link:blue:relay/brightness #turn it back on
Initial provisioning
Changing the hostname
Presumably if you have more than one of these, you may want to change the hostname so they're identifiable. Edit /etc/sysconfig/system and look for this section.
config system option hostname 'koven'
Simply set the hostname here. There is no /etc/hostname so you can't use that to tell what the hostname is, either. But you can get it by reading the /proc/sys/kernel/hostname file. If you want to pass this along to your dhcp server, maybe you can do it by editing /etc/init.d/dnsmasq as this is where udhcpc is called. More development needed.
Ripping out the default control methods
Development needed.
Stopping the plug from turning on when it boots
Edit /etc/sysconfig/system and look for this section.
config led option name 'Relay' option sysfs 'tp-link:blue:relay' option trigger 'none' option default '1'
Set default to '0' instead, and the relay will not close upon boot.
CGI scripting
I've done some of this. Need to come back and populate.
MQTT
The goal is to talk Home Assistant's MQTT standard; specifically it should be able to act like a light. More to come.
Sources
Other potential resources
- Hacker News thread about the device
- App to control a Kankun Plug using the stock protocol, no hacks
- Apparently some listen on telnet?
- Untested json cgi script
- Discussion of some of the security failings of the device, but also its official control protocol
- Reverse engineering the app to plug comms (including crypto key)
- Remote management script
- manage using ansible
- LuCI
- One person's setup script, part 1 and part 2 and part 3
- https://github.com/homedash/kankun-json
- https://github.com/metalx1000/Kankun-Smart-GUI
- https://github.com/sean-/kankun
- https://github.com/Mattadlard
- stop communication
- Lua
- cool switch