Automation/Smart Plug Hacking
Smart Plug Hacking[edit | edit source]
At Sequoia Fabrica we use generic Smart Plugs with custom firmware to enable automation of electrical equipment and to monitor our power usage. To hack a Smart Plug monitor follow these steps.
Bill of Materials[edit | edit source]
| Category | Item | Description | Link |
|---|---|---|---|
| Hardware | Sonoff S31 | Wi-Fi Smart Plug w/ Power Monitoring | https://www.amazon.com/dp/B08TNF4835/ |
| Hardware | TTL Serial Module (3.3V) | USB to TTL Serial Module | https://www.amazon.com/dp/B00LODGRV8/ |
| Hardware | Jumper Wires (x4) | Hook Probes for Jump Wiring | https://www.amazon.com/dp/B083PRVPCR/ |
| Hardware | Electronics Repair Kit | Toolkit for repairing small electronics | https://www.amazon.com/dp/B0BXLWC9LJ/ |
| Software | Tasmota | Open source firmware for ESP devices | https://tasmota.github.io/docs/ |
Hacking Steps for Smart Plugs[edit | edit source]
The Smart Plug can be re-programmed by over writing the firmware. This can be done using Tasmota
Serial Access[edit | edit source]
To gain access to the chip for programming, you'll need to disassemble the Smart Plug. Once the screws are removed the cover can be removed exposing the chip for reprogramming.
For the Sonoff S31, the chip to reprogram is on the side of the module (see image below)
---TODO add image of chip---
Serial Port Connections[edit | edit source]
The Smart Plug chip will need to be connected in a specific way to ensure it can be programmed. The USB to TTL Serial board and the Sonoff S31 board should have the following connections:
- GND (ground, black wire)
- 3.3V or VCC (power, red wire)
- TX (transmit, blue wire)
- RX (receive, yellow wire)
Note: The ground and power wires should be connected to each other on their respective boards (i.e.: ground --> ground and power --> power). The transmit and receive wires should be connected in opposite on each other's board(i.e.: RX --> TX, and TX --> RX).
Re-Programming[edit | edit source]
The Sonoff S31 can be re-programmed by over writing the vendor firmware with a Tasmota firmware binary image.
To get the ESP32 chip in a state where we can reprogram it, we must first get it into the ESP32 bootloader. To get the chip into the bootloader:
- Remove 3.3v power from the plug
- Press and hold the button (which connects the ESP32 GPIO0 pin to ground / logic low)
- Restore 3.3v power to the plug
- Shortly after, release the button
- Using Tasmotizer or esptool.py, erase the flash chip and write in a Tasmota firmware image. More information is available in the Tasmota documentation.