HomeESP8266/ESP32Hacking Koogeek Smart Plug

Hacking Koogeek Smart Plug

This is not the first Smart Socket I had taken apart. Previously I flashed a custom software into ESP8266 based Oittm Smart socket  (review, teardown, guide) this time, annoyed with Koogeek Smart Plug apps, I decided to flash custom software on it too. I didn’t know how much more difficult this job was going to be.

Hacking Koogeek Smart Plug

I’m an experienced Sonoff hacker, so taking apart ESP8266 based hardware is daily bread to me. Hacking Koogeek Smart Plug had proven to be difficult from a start as the hardware is enclosed inside a sealed plastic. There are no screws and the case is glued up together.

I took it apart using a combination of a knife and a screwdriver. Inside I found 2 boards. One to convert the mains to a more reasonable (3.3V) logic and the ESP8266. While I recognised the ESP8266 as ESP8266-S1 (also present in Oittm Smart plug) The ESP module is embedded onto another breakout board.

I found the spec sheet that would identify each ESP8266 pin, however, the breakout pins are not corresponding with the spec sheet at all. My first hacking Koogeek Smart Plug attempt failed, as I was not able to find GPIO00 to put the device into the flash mode.

It was time to dig deeper. To access the other side of the ESP8266 and make the hacking Koogeek Smart Plug possible, I had to desolder the entire module and expose the bottom side. It took some time to remove the excess solder from the board, then wiggling motion released the module from the main board.

Buy Koogeek Smart Plug

Buy it using these links to support NotEnoughTech.

AFI Firmware

I worked with the firmware before, when I flashed an ESP8285 4 relay board, so I knew what I’m doing. Once the ESP8266-S1 got exposed, it was very easy to solder the wire directly to the board.

To put the ESP8266 into flash mode, connect the cables as shown below, then reset the module by grounding RST pin for a second.

Koogeek Smart Plug FTDI
3.3V3.3V
TXRX
RXTX
GNDGND
EN3.3V
GPIO00GND
RSTGND (not connected)

Before any hacking Koogeek Smart Plug could be done, I wanted to save the firmware. The entire procedure is described in detail here. Make a backup, erase flash and get everything ready to flash the new software

Download the AFE Firmware for Sonoff Basic and put it in the same folder then run:

python esptool.py --port COM5 write_flash -fs 1MB -fm dout 0x0 AFE_Firmware.bin

Once the flash is complete disconnect the GPIO00 from the GND and resets the board. The AFE Firmware will be in AP mode. Connect to it and enter the network details.

192.168.5.1

I had to go through all the pins to find the correct configuration:

  • The relay is connected to GPIO15
  • The button is connected to GPIO13
  • LED is connected to GPIO04

I have named the device Koogeek, and enabled MQTT, HTTP Requests so I could integrate it with Alexa, Google Home, NodeRed, Tasker and IFTTT.

MQTT and HTTP

There are 2 protocols that can be used to interact with the Koogeek Smart Plug. Both have their own advantages and I will show you how to link these to a NodeRED server. If you want to learn more about MQTT and HTTP in NodeRED I have a fantastic tutorial for you.

MQTT

The Koogeek Smart Plug comes with a single relay that we can toggle. The MQTT broker allows you to specify the topic for the device, but to control each of the relays we have to modify that topic more.

Let’s say I use the topic name /koogeek/ this means that to control the relay, I will have to add the name to the relay (from the config page – I named mine switch1) to the topic.

/koogeek/switch1/

To issue the commands I have to modify the topic further:

MQTT commands
TOPIC Message Result
/koogeek/cmd reboot Reboot ESP8285
/koogeek/cmd configurationMode Open config mode
/koogeek/state connected publish on connected (only firmware T0,T1,T2)
/koogeek/state disconnected publish on disconnected (only firmware T0,T1,T2)
/koogeek/switch1/cmd on turn on “switch1”
/koogeek/switch1/cmd off turn off “switch1”
/koogeek/switch1/cmd toggle toggle “switch1”
/koogeek/switch1/cmd get get status of the “switch1”
/koogeek/switch1/get defaultState set “switch1” to default state (see config settings)
/koogeek/switch1/state on OR off “switch1” sens this message back each time it changes the state
/koogeek/configuration/api/http/cmd on OR off enable/disable HTTP API
/koogeek/configuration/api/domoticz/cmd on OR off enable/disable Domoticz API
/koogeek/configuration/api/mqtt/cmd off disable MQTT API

As you can see, this is fairly straight forward, and the control of the relay is done by modifying the topic and setting a correct payload.

HTTP requests

Another way of controlling the Koogeek Smart Plug is through the HTTP requests. Most of the time, you will be composing the URL which has embedded commands that will be issued to the board.

To build a valid URL you will need:

https://IP_Address/?device=relay&name=RelayName&command=command

Make sure to reserve the static IP address. The fields in my example are as follow:

command = on/off/get/toggle
RelayName = switch1

The responses given are sent in a JSON format. If you not sure how to handle JSON I have the tutorial explaining all you need to know here.

Here are a couple of JSON samples:

{ „device”:”Koogeek”, „name”:”switch1”, „command”:”on”, „value”:”on”, „status”:”success” }
{ „device”:”Koogeek”, „name”:”switch1”, „command”:”get”, „value”:”off”, „status”:”success” }
{ „command”:”reboot”, „status”:”success” }

Lastly, to control the MQTT, HTTP and other APIs links look like:

https://IP_Address/?device=DeviceName&name=ApiName&command=command

Where Apis names are: mqtt, http, domoticz.

Conclusion

Hacking Koogeek Smart Plug was more difficult as I couldn’t find any development pads on board, but not impossible. If your soldering game is strong, you can complete the job in about 2h. Since we have NodeRED, MQTT and HTTP, it’s super simple to add the Alexa, Tasker, EventGhost or IFTTT. I created basic integration for you, so you can interact with your plug in the NodeRED.

Project Download

Download project files here. Bear in mind that Patreon supporters have early access to project files and videos.

Disclaimer

This product has been sponsored, but I reserve the rights to a honest and unbiased opinion about the product.

Shop with to support:

client-image
client-image
client-image
client-image
client-image
client-image

Other reviews

One switch for all your needs? Shelly 1L

0
Shelly 1L can be installed in no--neutral and live and neutral configurations. Check out what else it brings to the table

Soldering just got better: MiniWare TS80P

0
Is TS80P soldering iron an upgrade worth considering?

Insta360 ONE X2 bends all perspectives

0
Insta360 ONE X2 is the camera you should seriously consider, if not for 360 videos or stabilised action shots, then for the full joy of use!

Is Aqara T1 ZigBee switch all I asked for?

0
Aqara introduces 2 new switches Aqara T1 ZigBee switch in no-neutral and L & N configurations

Bulletproof – IMOU Bullet 2E

0
Surprisingly big sturdy and with Power over Ethernet as an option! I'm taking a look at #IMOU #Bullet2E IP camera and I will show you how to use it with NVR via RTSP.

Xiaomi Mi Watch: all good, except it’s not a smartwatch.

0
Xiaomi Mi Watch is the latest wearable from the Chinese giant. While looking like a smart watch it shares more with smart bands.

No more hubs: Aqara G2H

0
Aqara G2H brings the power of ZigBee sensors to an IP camera.