This is not the first Smart Socket I had taken apart. Previously I flashed a custom software into ESP8266 based Oittm Smart socket (review, teardown, guide) this time, annoyed with Koogeek Smart Plug apps, I decided to flash custom software on it too. I didn’t know how much more difficult this job was going to be.
Hacking Koogeek Smart Plug
I’m an experienced Sonoff hacker, so taking apart ESP8266 based hardware is daily bread to me. Hacking Koogeek Smart Plug had proven to be difficult from a start as the hardware is enclosed inside a sealed plastic. There are no screws and the case is glued up together.
I took it apart using a combination of a knife and a screwdriver. Inside I found 2 boards. One to convert the mains to a more reasonable (3.3V) logic and the ESP8266. While I recognised the ESP8266 as ESP8266-S1 (also present in Oittm Smart plug) The ESP module is embedded onto another breakout board.
I found the spec sheet that would identify each ESP8266 pin, however, the breakout pins are not corresponding with the spec sheet at all. My first hacking Koogeek Smart Plug attempt failed, as I was not able to find GPIO00 to put the device into the flash mode.
It was time to dig deeper. To access the other side of the ESP8266 and make the hacking Koogeek Smart Plug possible, I had to desolder the entire module and expose the bottom side. It took some time to remove the excess solder from the board, then wiggling motion released the module from the main board.
AFI Firmware
I worked with the firmware before, when I flashed an ESP8285 4 relay board, so I knew what I’m doing. Once the ESP8266-S1 got exposed, it was very easy to solder the wire directly to the board.
To put the ESP8266 into flash mode, connect the cables as shown below, then reset the module by grounding RST pin for a second.
| Koogeek Smart Plug | FTDI | |
| 3.3V | – | 3.3V |
| TX | – | RX |
| RX | – | TX |
| GND | – | GND |
| EN | – | 3.3V |
| GPIO00 | – | GND |
| RST | – | GND (not connected) |
Before any hacking Koogeek Smart Plug could be done, I wanted to save the firmware. The entire procedure is described in detail here. Make a backup, erase flash and get everything ready to flash the new software
Download the AFE Firmware for Sonoff Basic and put it in the same folder then run:
python esptool.py --port COM5 write_flash -fs 1MB -fm dout 0x0 AFE_Firmware.binOnce the flash is complete disconnect the GPIO00 from the GND and resets the board. The AFE Firmware will be in AP mode. Connect to it and enter the network details.
192.168.5.1
I had to go through all the pins to find the correct configuration:
- The relay is connected to GPIO15
- The button is connected to GPIO13
- LED is connected to GPIO04
I have named the device Koogeek, and enabled MQTT, HTTP Requests so I could integrate it with Alexa, Google Home, NodeRed, Tasker and IFTTT.
MQTT and HTTP
There are 2 protocols that can be used to interact with the Koogeek Smart Plug. Both have their own advantages and I will show you how to link these to a NodeRED server. If you want to learn more about MQTT and HTTP in NodeRED I have a fantastic tutorial for you.
MQTT
The Koogeek Smart Plug comes with a single relay that we can toggle. The MQTT broker allows you to specify the topic for the device, but to control each of the relays we have to modify that topic more.
Let’s say I use the topic name /koogeek/ this means that to control the relay, I will have to add the name to the relay (from the config page – I named mine switch1) to the topic.
/koogeek/switch1/
To issue the commands I have to modify the topic further:
As you can see, this is fairly straight forward, and the control of the relay is done by modifying the topic and setting a correct payload.
HTTP requests
Another way of controlling the Koogeek Smart Plug is through the HTTP requests. Most of the time, you will be composing the URL which has embedded commands that will be issued to the board.
To build a valid URL you will need:
https://IP_Address/?device=relay&name=RelayName&command=command
Make sure to reserve the static IP address. The fields in my example are as follow:
command = on/off/get/toggle
RelayName = switch1
The responses given are sent in a JSON format. If you not sure how to handle JSON I have the tutorial explaining all you need to know here.
Here are a couple of JSON samples:
{ „device”:”Koogeek”, „name”:”switch1”, „command”:”on”, „value”:”on”, „status”:”success” }
{ „device”:”Koogeek”, „name”:”switch1”, „command”:”get”, „value”:”off”, „status”:”success” }
{ „command”:”reboot”, „status”:”success” }
Lastly, to control the MQTT, HTTP and other APIs links look like:
https://IP_Address/?device=DeviceName&name=ApiName&command=command
Where Apis names are: mqtt, http, domoticz.
Conclusion
Hacking Koogeek Smart Plug was more difficult as I couldn’t find any development pads on board, but not impossible. If your soldering game is strong, you can complete the job in about 2h. Since we have NodeRED, MQTT and HTTP, it’s super simple to add the Alexa, Tasker, EventGhost or IFTTT. I created basic integration for you, so you can interact with your plug in the NodeRED.
Project Download
Download project files here. Bear in mind that Patreon supporters have early access to project files and videos.
