Kankun KK-SP3 Wi-Fi Smart Socket Hacked, Based on Atheros AR9331, Running OpenWRT
Kankun KK-SP3 is a $20 Wi-Fi smart socket that can be controlled via iOS and Android app. But one person created a Kankun community on Google+ to try to hack the device and control it from a PC, or from outside the home network for example. Up to now, the device has been opened, found to run OpenWRT, and one the member wrote a Windows app to control the socket from a PC. It is a basic smart socket, without power monitoring capabilities, and unless you start hacking the hardware, all you can do is basically turn it on and off.
The device is based on Qualcomm Atheros AR9931, found in many low cost routers supporting OpenWRT, and the socket indeed runs OpenWRT, which you can access via SSH or Telnet (username/password: root/admin). There’s 32MB RAM (Winbond W9425G6JH), and a 10A OMRON relay.
The smart socket actually communicates with the mobile app using the UDP protocol, but communication appears to be encrypted. So instead of trying to reverse-engineer the protocol, one member (Konstantin) found the relay was controlled by one of the LED GPIO, and provided instructions to access the device from the outside using a CGI file he built (relay.cgi) to control the relay.
Building up on relay.cgi, another member released SmartPlug.exe, a Windows program to control the socket from a PC. There are also more tips on the community such as instructions to access it from the Internet. Since routers based on Atheros AR9331 are quite popular, there are many instructions on the web, and you can find various way to improve the functionality of the device, for example by adding a USB port.
If you want to play around, you can purchase the plug on it can also be found on Aliexpress for as low as $19.99 including shipping, and If you live in China or use forwarding services, it’s available on Taobao for 99 RMB ($16). A new version, Smart Plug 2 (K2), appears to be in the works, with Wi-Fi and RF support, and two USB ports for motion sensing, camera, weather, and light sensor modules. I’ll cover it in another post, if I can find more information.