Difference between revisions of "Kankun Plug"

From Makers Local 256
(rip out default behavior)
(reverse engineering)
Line 45: Line 45:
 
* [http://homedash.org/2014/08/31/kankun-json-cgi-script/ Untested json cgi script]
 
* [http://homedash.org/2014/08/31/kankun-json-cgi-script/ Untested json cgi script]
 
* [http://mjg59.dreamwidth.org/43486.html Discussion of some of the security failings of the device, but also its official control protocol]
 
* [http://mjg59.dreamwidth.org/43486.html Discussion of some of the security failings of the device, but also its official control protocol]
 +
* [http://www.payatu.com/hijacking-kankun/ Reverse engineering the app to plug comms (including crypto key)]
  
  
  
 
[[Category:Automation]] [[Category:Embedded Devices]] [[Category:Internet of Things]]                                                <!--MAKE AS MANY CATEGORIES AS YOU NEED-->
 
[[Category:Automation]] [[Category:Embedded Devices]] [[Category:Internet of Things]]                                                <!--MAKE AS MANY CATEGORIES AS YOU NEED-->

Revision as of 16:28, 7 July 2016

Creator: hfuller
Status: R&D
Born On: 00:18, 23 June 2016 (CDT)
Last Updated: 16:28, 07 July 2016 (CDT)

What is it?

The Kankun Smart Plug (also known as KK-SP3 or Small K) is a relatively inexpensive Wi-Fi device that sits between some AC-powered appliance and the mains, and switches the power on and off via a relay. As of this writing the device is about $22 on Amazon.

The cool part is that its internals are very similar to those of a TP-Link router, and even out of the box it is running OpenWRT. The relay output is even exposed via /sys. So I'd like to compile a list of some of the possible hacks.

Hacks

One observation of note is that, when the relay is changed using /sys or any unofficial method, the official app will not track that change. The most visible result is that it may take more than one press of the physical button on the device to get the output to toggle. This is because the official app thinks that the output is already on, so it turns it off, but it was already off because of our hack. (Or vice versa.)

Logging in via ssh and controlling the thing.

hunter@tamale:~$ ssh root@192.168.1.161
root@192.168.1.161's password: p9z34c (apparently might also be 1234 or admin)

BusyBox v1.19.4 (2014-03-27 17:39:06 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
<snip>
root@koven:~# cat /sys/class/leds/tp-link:blue:relay/brightness #is the output on or off?
1
root@koven:~# echo 0 > /sys/class/leds/tp-link:blue:relay/brightness #turn it off
root@koven:~# echo 1 > /sys/class/leds/tp-link:blue:relay/brightness #turn it back on
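
The same read and write of the brightness file, wrapped as a small CGI-style handler that returns JSON. This is an added example, not code from this wiki or from the linked scripts; the function names and the RELAY_PATH override are assumptions made for illustration, and only the sysfs path comes from the session above.

```sh
#!/bin/sh
# Added example, not the wiki's own code. RELAY_PATH is a hypothetical
# override so the functions can be exercised against a scratch file.
RELAY="${RELAY_PATH:-/sys/class/leds/tp-link:blue:relay/brightness}"

# Print "on" or "off"; fail if the file is unreadable or holds junk.
relay_get() {
    state=$(cat "$RELAY" 2>/dev/null) || return 1
    case "$state" in
        0)      echo off ;;
        [1-9]*) echo on ;;
        *)      return 1 ;;
    esac
}

# Accept exactly "on" or "off"; nothing else is ever written.
relay_set() {
    case "$1" in
        on)  echo 1 > "$RELAY" ;;
        off) echo 0 > "$RELAY" ;;
        *)   return 2 ;;
    esac
}

# Emit a CGI response: status line, content type, blank line, JSON body.
reply() {
    printf 'Status: %s\r\nContent-Type: application/json\r\n\r\n%s\n' "$1" "$2"
}

# Handle one request. The query string is matched whole against an
# allow-list, so no request data reaches a command line or a path.
relay_cgi() {
    case "$1" in
        "") ;;  # no parameter: report state only
        set=on|set=off)
            relay_set "${1#set=}" ||
                { reply "500 Internal Server Error" '{"error":"write failed"}'; return 1; } ;;
        *)  reply "400 Bad Request" '{"error":"expected set=on or set=off"}'; return 1 ;;
    esac
    state=$(relay_get) ||
        { reply "500 Internal Server Error" '{"error":"relay unreadable"}'; return 1; }
    reply "200 OK" "{\"relay\":\"$state\"}"
}

# Run as a CGI script only when a web server invoked us.
if [ -n "${GATEWAY_INTERFACE:-}" ]; then
    relay_cgi "${QUERY_STRING:-}"
fi
```

Because the state is always read back from /sys rather than remembered, the reported value stays correct even when something else has changed the relay.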

Ripping out the default control methods

Development needed.

Stopping the plug from turning on when it boots

Development needed.

CGI scripting

I've done some of this. Need to come back and populate.

Sources

Other potential resources