Difference between revisions of "Kankun Plug"

Revision as of 00:22, 23 June 2016

What is it?

The Kankun Smart Plug (also known as KK-SP3 or Small K) is a relatively inexpensive Wi-Fi device that sits between some AC-powered appliance and the mains, and switches the power on and off via a relay. As of this writing the device is about $22 on Amazon.

The cool part is that it has internals very similar to some TP-Link router, and even out of the box, it is running OpenWRT. The relay output is exposed via /sys, even. So I'd like to compile a list of some of the possible hacks.

Hacks

One observation of note is that, when the relay is changed using /sys or any unofficial method, the official app will not track that change. The most visible result is that it may take more than one press of the physical button on the device to get the output to toggle. This is because the official app thinks that the output is already on, so it turns it off, but it was already off because of our hack. (Or vice versa.)

Logging in via ssh and controlling the thing.

hunter@tamale:~$ ssh root@192.168.1.161
root@192.168.1.161's password: p9z34c (apparently might also be 1234 or admin)

BusyBox v1.19.4 (2014-03-27 17:39:06 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
<snip>
root@koven:~# cat /sys/class/leds/tp-link:blue:relay/brightness #is the output on or off?
1
root@koven:~# echo 0 > /sys/class/leds/tp-link:blue:relay/brightness #turn it off
root@koven:~# echo 1 > /sys/class/leds/tp-link:blue:relay/brightness #turn it back on

CGI scripting

I've done some of this. Need to come back and populate.

Sources

• Basic login stuff

Other potential resources

• Hacker News thread about the device
• App to control a Kankun Plug using the stock protocol, no hacks
• Apparently some listen on telnet?
• Untested json cgi script
• Discussion of some of the security failings of the device, but also its official control protocol