Flashing Kogan Smart Plugs

Edit Jan 2021: A reader informs me that:

Unfortunately, it seems that the newer firmware from factory is now encrypted and the Tuya Convert method no longer works as per https://github.com/ct-Open-Source/tuya-convert/wiki/Collaboration-document-for-PSK-Identity-02

Oh well! It was good while it lasted.

Original post below:

I re-flashed some Kogan Smart Plugs to the open-source Tasmota firmware, so I could monitor power usage with Grafana dashboards and Prometheus time-series database.

This guide isn't for the faint-of-heart: I bricked one of the four devices while flashing them.

This is what we want to see on the Smart Plug's Web UI: The Tasmota firmware.

Tasmota: Voltage 259V, Current 0.244 A, Power: 22 W, ... Plug on, Toggle button
Screenshot of Tasmota Web UI running on Kogan Smart Plug

Kogan Smart Plugs

I bought the Kogan SmarterHome™ Smart Plug With Energy Meter & 5V 2.4A USB Ports (4 Pack) for 49.99 AUD plus postage. Model number KASPEMHAUS84P.

Three smart plugs. There are two USB-A chargers on the bottom.
Here's what they look like from every angle

These devices have internet control for turning the plug on/off, and (what I'm interested in), measuring the voltage, current, and power going through the plug.

You control the stock firmware with the poorly-reviewed Kogan SmarterHome app. The stock firmware is a white-labelled Tuya IoT Platform. It has a vulnerability in the firmware-update check it performs on boot, which allows us to re-flash our own firmware.

The vulnerability has an exploit which is weaponized into the Tuya-Convert tool. This sets up a fake Wi-Fi access point, which intercepts requests made by the Smart Plug, and sends back firmware of your choice. I don't totally understand how this works, but it sounds very cool!

Will this be hard? Testimonials

I was encouraged by people on Home Assistant Forum reporting success for re-flashing:

Yes. I did a box of four a week ago via the Tuya Convert method.

And OzBargainers had some success:

Flashed my first kogan plug over the weekend, pretty smooth and all set up in home assistant with no dodgy cloud service :)

GeekZone NZ Forums reported success too:

Just confirming that the Kogan ones can be flashed ota easily with tasmota without any opening or hardware modifications.

There is a template for configuring Tasmota firmware for these exact Kogan plugs. That's promising.

Flash

I followed the Tuya-Convert documentation and also roughly followed this flashing guide.

I ran into a few bits of trouble:

AP mode not supported

I first tried setting up an old Thinkpad laptop to be the fake Wi-Fi access point, but I hit the error running ./start_flash.sh:

AP mode not supported! Please attach a WiFi card that supports AP mode.

Dang. A lot of people reported success with Raspberry Pi 3 and 4, so I tried with a spare Raspberry Pi 4, and got past this error.

iw: command not found

The Raspberry Pi 4 gave me this error running ./start_flash.sh:

./setup_checks.sh: line 32: iw: command not found

It seems that iw is only in the $PATH of the root user.

This was fixed by running sudo ./start_flash.sh.
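
A pre-flight check for the two errors above, as an added example (not part of the original post or of Tuya-Convert): it looks for iw in directories that may be missing from a non-root PATH, and reads the "Supported interface modes" section of `iw list` for AP. The function names, the /usr/sbin:/sbin directory list and the sample output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-flight checks to run before start_flash.sh.

# Constructed sample of `iw list` output (not captured from a real device).
SAMPLE_IW_LIST='Wiphy phy0
    Supported interface modes:
         * IBSS
         * managed
         * AP
         * AP/VLAN
    Band 1:'

# Locate iw even when the sbin directories are missing from a non-root PATH.
# The directory list is an assumption; pass another one as $1 if needed.
find_iw() {
    ( PATH="$PATH:${1:-/usr/sbin:/sbin}"; command -v iw )
}

# Read `iw list` output on stdin; succeed only if "AP" is listed under
# "Supported interface modes:" (AP/VLAN alone does not count).
supports_ap_mode() {
    awk '
        /Supported interface modes:/ { in_modes = 1; next }
        in_modes && /^[ \t]*\*/ {
            sub(/^[ \t]*\*[ \t]*/, ""); sub(/[ \t]+$/, "")
            if ($0 == "AP") found = 1
            next
        }
        { in_modes = 0 }
        END { exit (found ? 0 : 1) }
    '
}

# Run both checks against the real machine and report what to fix.
preflight() {
    iw_bin=$(find_iw) || { echo "iw is not installed" >&2; return 2; }
    command -v iw >/dev/null 2>&1 ||
        echo "note: $iw_bin is not on this user's PATH; use sudo ./start_flash.sh" >&2
    if "$iw_bin" list | supports_ap_mode; then
        echo "AP mode supported"
    else
        echo "no Wi-Fi card with AP mode found" >&2
        return 1
    fi
}
```

Source the file and call `preflight` on the machine that will host the access point; a non-zero return means the flash script would stop on one of the two errors described here.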

Donor Device

To reflash, Tuya-Convert requires a 'Donor Device': just another device that will connect to the fake Wi-Fi access point before the smart plug connects. I'm not totally sure why.

Some docs note this cannot be an iOS device, but Android devices work. Indeed my iOS device would not connect to the fake Access Point. I tried with an Android 10 device, but it seems that on the latest versions of Android the phone realises there's no public internet access, and disconnects/reconnects forever.

In the end I fished out an old Chromebook and that stayed connected to the Access Point.

Bailing out of failed flashes

The Tuya-Convert software starts up a bunch of services in various screen sessions, but doesn't close them down cleanly on exit, and sometimes doesn't respond to Ctrl-C. I ended up rebooting to clean up these processes.

Yield

I successfully flashed one device, then bricked one device (Tuya-Convert seemed to be hung for many minutes, a bad sign after it just took a few seconds to flash the first device). This was disheartening, and the bricked device didn't come up even when I held down the power button to reset. I suppose I shouldn't be surprised: flashing a firmware over Wi-Fi is dangerous.

The last two devices flashed successfully and quickly. 3 out of 4: not bad? Oh well, they're only $12.50 each.

Part 2...

In the next post, I monitor the power draw of these plugs using Prometheus time-series database and Grafana dashboards.

Mark Hansen

I'm a Software Engineering Manager working on Google Maps in Sydney, Australia. I write about software {engineering, management, profiling}, data visualisation, and transport.
Sydney, Australia