HomeESP8266/ESP32Hacking Koogeek Smart Plug

Hacking Koogeek Smart Plug

This is not the first Smart Socket I had taken apart. Previously I flashed a custom software into ESP8266 based Oittm Smart socket  (review, teardown, guide) this time, annoyed with Koogeek Smart Plug apps, I decided to flash custom software on it too. I didn’t know how much more difficult this job was going to be.

Hacking Koogeek Smart Plug

I’m an experienced Sonoff hacker, so taking apart ESP8266 based hardware is daily bread to me. Hacking Koogeek Smart Plug had proven to be difficult from a start as the hardware is enclosed inside a sealed plastic. There are no screws and the case is glued up together.

I took it apart using a combination of a knife and a screwdriver. Inside I found 2 boards. One to convert the mains to a more reasonable (3.3V) logic and the ESP8266. While I recognised the ESP8266 as ESP8266-S1 (also present in Oittm Smart plug) The ESP module is embedded onto another breakout board.

I found the spec sheet that would identify each ESP8266 pin, however, the breakout pins are not corresponding with the spec sheet at all. My first hacking Koogeek Smart Plug attempt failed, as I was not able to find GPIO00 to put the device into the flash mode.

It was time to dig deeper. To access the other side of the ESP8266 and make the hacking Koogeek Smart Plug possible, I had to desolder the entire module and expose the bottom side. It took some time to remove the excess solder from the board, then wiggling motion released the module from the main board.

Buy Koogeek Smart Plug

Buy it using these links to support NotEnoughTech.

AFI Firmware

I worked with the firmware before, when I flashed an ESP8285 4 relay board, so I knew what I’m doing. Once the ESP8266-S1 got exposed, it was very easy to solder the wire directly to the board.

To put the ESP8266 into flash mode, connect the cables as shown below, then reset the module by grounding RST pin for a second.

Koogeek Smart Plug FTDI
3.3V3.3V
TXRX
RXTX
GNDGND
EN3.3V
GPIO00GND
RSTGND (not connected)

Before any hacking Koogeek Smart Plug could be done, I wanted to save the firmware. The entire procedure is described in detail here. Make a backup, erase flash and get everything ready to flash the new software

Download the AFE Firmware for Sonoff Basic and put it in the same folder then run:

python esptool.py --port COM5 write_flash -fs 1MB -fm dout 0x0 AFE_Firmware.bin

Once the flash is complete disconnect the GPIO00 from the GND and resets the board. The AFE Firmware will be in AP mode. Connect to it and enter the network details.

192.168.5.1

I had to go through all the pins to find the correct configuration:

  • The relay is connected to GPIO15
  • The button is connected to GPIO13
  • LED is connected to GPIO04

I have named the device Koogeek, and enabled MQTT, HTTP Requests so I could integrate it with Alexa, Google Home, NodeRed, Tasker and IFTTT.

MQTT and HTTP

There are 2 protocols that can be used to interact with the Koogeek Smart Plug. Both have their own advantages and I will show you how to link these to a NodeRED server. If you want to learn more about MQTT and HTTP in NodeRED I have a fantastic tutorial for you.

MQTT

The Koogeek Smart Plug comes with a single relay that we can toggle. The MQTT broker allows you to specify the topic for the device, but to control each of the relays we have to modify that topic more.

Let’s say I use the topic name /koogeek/ this means that to control the relay, I will have to add the name to the relay (from the config page – I named mine switch1) to the topic.

/koogeek/switch1/

To issue the commands I have to modify the topic further:

MQTT commands
TOPIC Message Result
/koogeek/cmd reboot Reboot ESP8285
/koogeek/cmd configurationMode Open config mode
/koogeek/state connected publish on connected (only firmware T0,T1,T2)
/koogeek/state disconnected publish on disconnected (only firmware T0,T1,T2)
/koogeek/switch1/cmd on turn on “switch1”
/koogeek/switch1/cmd off turn off “switch1”
/koogeek/switch1/cmd toggle toggle “switch1”
/koogeek/switch1/cmd get get status of the “switch1”
/koogeek/switch1/get defaultState set “switch1” to default state (see config settings)
/koogeek/switch1/state on OR off “switch1” sens this message back each time it changes the state
/koogeek/configuration/api/http/cmd on OR off enable/disable HTTP API
/koogeek/configuration/api/domoticz/cmd on OR off enable/disable Domoticz API
/koogeek/configuration/api/mqtt/cmd off disable MQTT API

As you can see, this is fairly straight forward, and the control of the relay is done by modifying the topic and setting a correct payload.

HTTP requests

Another way of controlling the Koogeek Smart Plug is through the HTTP requests. Most of the time, you will be composing the URL which has embedded commands that will be issued to the board.

To build a valid URL you will need:

https://IP_Address/?device=relay&name=RelayName&command=command

Make sure to reserve the static IP address. The fields in my example are as follow:

command = on/off/get/toggle
RelayName = switch1

The responses given are sent in a JSON format. If you not sure how to handle JSON I have the tutorial explaining all you need to know here.

Here are a couple of JSON samples:

{ „device”:”Koogeek”, „name”:”switch1”, „command”:”on”, „value”:”on”, „status”:”success” }
{ „device”:”Koogeek”, „name”:”switch1”, „command”:”get”, „value”:”off”, „status”:”success” }
{ „command”:”reboot”, „status”:”success” }

Lastly, to control the MQTT, HTTP and other APIs links look like:

https://IP_Address/?device=DeviceName&name=ApiName&command=command

Where Apis names are: mqtt, http, domoticz.

Conclusion

Hacking Koogeek Smart Plug was more difficult as I couldn’t find any development pads on board, but not impossible. If your soldering game is strong, you can complete the job in about 2h. Since we have NodeRED, MQTT and HTTP, it’s super simple to add the Alexa, Tasker, EventGhost or IFTTT. I created basic integration for you, so you can interact with your plug in the NodeRED.

Project Download

Download project files here. Bear in mind that Patreon supporters have early access to project files and videos.

Shop with to support:

client-image
client-image
client-image
client-image
client-image
client-image

Other reviews

Knock, knock? Who’s there? EZVIZ EP3x Pro

0
The EZVIZ EP3x Pro smart doorbell offers dual cameras, 2K resolution, and AI features for parcel detection. Easy installation, optional cloud storage, and Alexa/Google integration make it a reliable choice for home security.

Dashcam and driving instructor in one: 70mai A810

0
I have upgraded my dashcam and this one comes with a couple of fun tricks. Watch this if you care about the safety of your car and the peace of mind remote access gives you

We’ve seen this before: SwitchBot K10+ PRO

0
This is an odd one. Building on the success of SwitchBot K10+ they released SwitchBot K10+ PRO - but is the experience actually better?

Ultimea Nova C40 sets the standards for budget projectors

0
It's hard to get excited about a gadget that comes with a "budget" tag. Ultimea Nova C40 puts excitement into inexpensive projectors and you should watch this if you are picking a projector in 2024

A keyboard for life! GravaStar Mercury K1

0
After the release of GravaStar Mercury M2 mouse, it was time to see the keyboard from GravaStar. And oh boy I'm happy to own one!

These three features of AIcoco onAir are great!

0
I'm trying out a new streaming camera for YouTube, Twitch and other services. This is Aicoco onAir - should you get one?

SwitchBot S10: cleaning re-imagined!

0
SwitchBot S10 promises unattended vacuuming and mopping so you can focus on things you love and care for. Does it deliver?