Kankun KK-SP3 Wi-Fi Smart Socket Hacked, Based on Atheros AR9331, Running OpenWRT

Kankun KK-SP3 is a $20 Wi-Fi smart socket that can be controlled via iOS and Android app. But one person created a Kankun community on Google+ to try to hack the device and control it from a PC, or from outside the home network for example. Up to now, the device has been opened, found to run OpenWRT, and one the member wrote a Windows app to control the socket from a PC. It is a basic smart socket, without power monitoring capabilities, and unless you start hacking the hardware, all you can do is basically turn it on and off.

Kaunkun KK-SP3 Board (Click to Enlarge)
Kankun KK-SP3 Board (Click to Enlarge)

The device is based on Qualcomm Atheros AR9931, found in many low cost routers supporting OpenWRT, and the socket indeed runs OpenWRT, which you can access via SSH or Telnet (username/password: root/admin). There’s 32MB RAM (Winbond W9425G6JH), and a 10A OMRON relay.

SmartPlug_App
SmartPlug Windows App

The smart socket actually communicates with the mobile app using the UDP protocol, but communication appears to be encrypted. So instead of trying to reverse-engineer the protocol, one member (Konstantin) found the relay was controlled by one of the LED GPIO, and provided instructions to access the device from the outside using a CGI file he built (relay.cgi) to control the relay.

Building up on relay.cgi, another member released SmartPlug.exe, a Windows program to control the socket from a PC. There are also more tips on the community such as instructions to access it from the Internet. Since routers based on Atheros AR9331 are quite popular, there are many instructions on the web, and you can find various way to improve the functionality of the device, for example by adding a USB port.

If you want to play around, you can purchase the plug on it can also be found on Aliexpress for as low as $19.99 including shipping, and If you live in China or use forwarding services, it’s available on Taobao for 99 RMB ($16). A new version, Smart Plug 2 (K2), appears to be in the works, with Wi-Fi and RF support, and two USB ports for motion sensing, camera, weather, and light sensor modules. I’ll cover it in another post, if I can find more information.

Share this:
FacebookTwitterHacker NewsSlashdotRedditLinkedInPinterestFlipboardMeWeLineEmailShare

Support CNX Software! Donate via cryptocurrencies, become a Patron on Patreon, or purchase goods on Amazon or Aliexpress

ROCK Pi 4C Plus

14 Replies to “Kankun KK-SP3 Wi-Fi Smart Socket Hacked, Based on Atheros AR9331, Running OpenWRT”

  1. What about compiling custom openwrt image for it. Is it possible? I though I saw this is possible but now that I would like to do that can’t find single piece of info 🙁

  2. I’m very interested in using this smart plug’s capabilities in an OEM application. I would like its timing function modified slightly and the App’s appearance branded with our company info. Do you know who could do this for me?

  3. I can’t belive, but my smartplug are lighthing on and of a lamp At home controlled from my smartphone at 1 km away.
    I view the lighthing from my IPcam.
    How know the app the extern IP of my router???

  4. @jgarciamo
    I can’t remember, and they may be using a Cloud service, so your plug is always connected to the Internet and can send/receive message from the cloud.

    Alternatively, since it’s running Linux, they could easily find your public IP using commands such as:

  5. @Valent
    They are two different companies. Broadlink has a API, but you must be a company and to fill a document explaining how many thousands units you are going to buy to get it, in order to have a chance to get it.

    If you want something that can be controlled from your own gateway KK-SP3 or Orvibo Wiwo S20 are better options.

Leave a Reply

Your email address will not be published. Required fields are marked *

Khadas VIM4 SBC
Khadas VIM4 SBC