This is not the first smart socket I have taken apart. Previously I flashed custom software onto the ESP8266-based Oittm Smart socket (review, teardown, guide). This time, annoyed with the Koogeek Smart Plug apps, I decided to flash custom software on it too. I didn’t know how much more difficult this job was going to be.

Hacking Koogeek Smart Plug

I’m an experienced Sonoff hacker, so taking apart ESP8266-based hardware is daily bread to me. Hacking the Koogeek Smart Plug proved difficult from the start, as the hardware is enclosed in sealed plastic. There are no screws and the case is glued together.

I took it apart using a combination of a knife and a screwdriver. Inside I found 2 boards: one to convert the mains to a more reasonable (3.3V) logic, and the ESP8266. I recognised the ESP8266 as an ESP8266-S1 (also present in the Oittm Smart plug), but here the ESP module is embedded onto another breakout board.

I found the spec sheet that identifies each ESP8266 pin; however, the breakout pins do not correspond to the spec sheet at all. My first attempt at hacking the Koogeek Smart Plug failed, as I was not able to find GPIO00 to put the device into flash mode.

It was time to dig deeper. To access the other side of the ESP8266 and make hacking the Koogeek Smart Plug possible, I had to desolder the entire module and expose the bottom side. It took some time to remove the excess solder from the board, then a wiggling motion released the module from the main board.


AFE Firmware

I worked with the firmware before, when I flashed an ESP8285 4 relay board, so I knew what I was doing. Once the ESP8266-S1 was exposed, it was very easy to solder the wires directly to the board.

To put the ESP8266 into flash mode, connect the cables as shown below, then reset the module by grounding the RST pin for a second.

| Koogeek Smart Plug | FTDI |
| --- | --- |
| 3.3V | 3.3V |
| TX | RX |
| RX | TX |
| GND | GND |
| EN | 3.3V |
| GPIO00 | GND |
| RST | GND (not connected) |

Before any hacking of the Koogeek Smart Plug could be done, I wanted to save the firmware. The entire procedure is described in detail here. Make a backup, erase the flash and get everything ready to flash the new software.

Download the AFE Firmware for Sonoff Basic and put it in the same folder then run:

python esptool.py --port COM5 write_flash -fs 1MB -fm dout 0x0 AFE_Firmware.bin

Once the flash is complete, disconnect GPIO00 from GND and reset the board. The AFE Firmware will be in AP mode. Connect to it and enter the network details.

192.168.5.1

I had to go through all the pins to find the correct configuration:

The relay is connected to GPIO15

The button is connected to GPIO13

LED is connected to GPIO04

I have named the device Koogeek, and enabled MQTT, HTTP Requests so I could integrate it with Alexa, Google Home, NodeRed, Tasker and IFTTT.

MQTT and HTTP

There are 2 protocols that can be used to interact with the Koogeek Smart Plug. Both have their own advantages and I will show you how to link these to a NodeRED server. If you want to learn more about MQTT and HTTP in NodeRED I have a fantastic tutorial for you.

MQTT

The Koogeek Smart Plug comes with a single relay that we can toggle. The MQTT broker allows you to specify the topic for the device, but to control each of the relays we have to modify that topic more.

Let’s say I use the topic name /koogeek/. This means that to control the relay, I have to add the name of the relay (from the config page – I named mine switch1) to the topic.

/koogeek/switch1/

To issue the commands I have to modify the topic further:

MQTT commands

| TOPIC | Message | Result |
| --- | --- | --- |
| /koogeek/cmd | reboot | Reboot ESP8285 |
| /koogeek/cmd | configurationMode | Open config mode |
| /koogeek/state | connected | publish on connected (only firmware T0,T1,T2) |
| /koogeek/state | disconnected | publish on disconnected (only firmware T0,T1,T2) |
| /koogeek/switch1/cmd | on | turn on “switch1” |
| /koogeek/switch1/cmd | off | turn off “switch1” |
| /koogeek/switch1/cmd | toggle | toggle “switch1” |
| /koogeek/switch1/cmd | get | get status of the “switch1” |
| /koogeek/switch1/get | defaultState | set “switch1” to default state (see config settings) |
| /koogeek/switch1/state | on OR off | “switch1” sends this message back each time it changes the state |
| /koogeek/configuration/api/http/cmd | on OR off | enable/disable HTTP API |
| /koogeek/configuration/api/domoticz/cmd | on OR off | enable/disable Domoticz API |
| /koogeek/configuration/api/mqtt/cmd | off | disable MQTT API |

As you can see, this is fairly straightforward, and the control of the relay is done by modifying the topic and setting a correct payload.
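The table mixes everyday relay commands with messages that reboot the device, open config mode or switch an API off, so it helps to tell them apart before forwarding anything to the plug. The following is an added example, not part of the AFE firmware or the original post: the function names and the "automations may only send relay commands" policy are assumptions, and the topics follow the table above.

```python
import re

# Payloads per topic, copied from the command table above.
RELAY_CMDS = {"on", "off", "toggle", "get"}
DEVICE_CMDS = {"reboot", "configurationMode"}
API_NAMES = {"http", "domoticz", "mqtt"}
_SAFE = re.compile(r"[A-Za-z0-9_-]+")  # excludes '/', '+' and '#'


def relay_message(base, relay, command):
    """Build (topic, payload) for a relay command, e.g. base='koogeek'."""
    for part in (base, relay):
        if not _SAFE.fullmatch(part):
            raise ValueError(f"unsafe topic segment: {part!r}")
    if command not in RELAY_CMDS:
        raise ValueError(f"not a relay command: {command!r}")
    return f"/{base}/{relay}/cmd", command


def classify(base, topic, payload):
    """Label a message 'relay', 'status', 'admin' or 'unknown'."""
    parts = topic.strip("/").split("/")
    if not parts or parts[0] != base:
        return "unknown"
    rest = parts[1:]
    if rest == ["cmd"] and payload in DEVICE_CMDS:
        return "admin"   # reboot / open config mode
    if rest == ["state"] and payload in {"connected", "disconnected"}:
        return "status"
    if (len(rest) == 4 and rest[:2] == ["configuration", "api"]
            and rest[2] in API_NAMES and rest[3] == "cmd"
            and payload in {"on", "off"}):
        return "admin"   # switches one of the APIs on or off
    if len(rest) == 2 and _SAFE.fullmatch(rest[0]):
        if rest[1] == "cmd" and payload in RELAY_CMDS:
            return "relay"
        if rest[1] == "get" and payload == "defaultState":
            return "relay"
        if rest[1] == "state" and payload in {"on", "off"}:
            return "status"
    return "unknown"


def allowed_for_automation(base, topic, payload):
    """Policy (assumption): automations may only send relay commands."""
    return classify(base, topic, payload) == "relay"
```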

HTTP requests

Another way of controlling the Koogeek Smart Plug is through the HTTP requests. Most of the time, you will be composing the URL which has embedded commands that will be issued to the board.

To build a valid URL you will need:

https://IP_Address/?device=relay&name=RelayName&command=command

Make sure to reserve the static IP address. The fields in my example are as follows:

command = on/off/get/toggle

RelayName = switch1

The responses are sent in JSON format. If you are not sure how to handle JSON, I have a tutorial explaining all you need to know here.

Here are a couple of JSON samples:

{ "device":"Koogeek", "name":"switch1", "command":"on", "value":"on", "status":"success" }

{ "device":"Koogeek", "name":"switch1", "command":"get", "value":"off", "status":"success" }

{ "command":"reboot", "status":"success" }
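Building the relay URL with proper encoding and checking the JSON reply against the request, as an added example that is not code from the original post or the AFE project. The function names and the host 192.168.1.50 are assumptions; the URL shape and reply fields are the ones shown above.

```python
import json
from urllib.parse import urlencode

RELAY_CMDS = {"on", "off", "get", "toggle"}


def relay_url(host, relay, command, scheme="https"):
    """Compose the relay URL; urlencode() stops a relay name such as
    'a&command=reboot' from smuggling in a second parameter."""
    if command not in RELAY_CMDS:
        raise ValueError(f"not a relay command: {command!r}")
    query = urlencode({"device": "relay", "name": relay, "command": command})
    return f"{scheme}://{host}/?{query}"


def relay_state(body, relay, command):
    """Return 'on' or 'off' from a reply, or raise if the reply does not
    report success for the relay and command that were requested."""
    reply = json.loads(body)
    if reply.get("status") != "success":
        raise RuntimeError(f"device reported {reply.get('status')!r}")
    if reply.get("name") != relay or reply.get("command") != command:
        raise RuntimeError("reply does not match the request")
    value = reply.get("value")
    if value not in ("on", "off"):
        raise RuntimeError(f"unexpected relay value: {value!r}")
    return value


# Constructed sample replies, modelled on the JSON samples above.
SAMPLE_GET = ('{"device":"Koogeek","name":"switch1","command":"get",'
              '"value":"off","status":"success"}')
SAMPLE_REBOOT = '{"command":"reboot","status":"success"}'

if __name__ == "__main__":
    print(relay_url("192.168.1.50", "switch1", "get"))
    print(relay_state(SAMPLE_GET, "switch1", "get"))
```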

Lastly, the links to control the MQTT, HTTP and other APIs look like:

https://IP_Address/?device=DeviceName&name=ApiName&command=command

where the API names are: mqtt, http, domoticz.

Conclusion

Hacking the Koogeek Smart Plug was more difficult, as I couldn’t find any development pads on the board, but not impossible. If your soldering game is strong, you can complete the job in about 2h. Since we have NodeRED, MQTT and HTTP, it’s super simple to add Alexa, Tasker, EventGhost or IFTTT. I created a basic integration for you, so you can interact with your plug in NodeRED.