It is now necessary to gather as much information about the plug as possible.
If you plug it into a power socket and power it on, you will see a new WIFI network SSID available. In my case, it was called “Reco900000621“. If you try to connect to it, you will be asked for a network WPA key. If you look at the backside of the plug, you will find the WPA key.
BTW, the “Reco” part turns out to point to the real producer of this plug – apparantly “Reco4Life.com“. Their homepage Reco4Life is sadly in chinese – at least the forum, where a little bit of usable information (the AT commands) can be found using Google Translate if you are patient. I have not been able to find this exact plug on their website.
Now you should be connected to the socket. You will see, that you have been assigned the ip-address 10.10.100.150 and that the gateway (the socket) is assigned the ip-address 10.10.100.254
Next task. Which ports are open on the device. If you run a nmap scan from a linux box, you will find these TCP ports open
nmap -p1-10000 10.10.100.254
PORT STATE SERVICE
80/tcp open http
8899/tcp open ospf-lite
and these UDP ports.
PORT STATE SERVICE
53/udp open|filtered domain
67/udp open|filtered dhcps
48899/udp open|filtered unknown
MAC Address: AC:CF:23:XX:XX:XX (Hi-flying electronics technology Co.)
We can also note, that the MAC belongs to “Hi-flying electronics…..”. This points to the producer of the WIFI chip in the socket.
Since the HTTP port is open, the next obvious step, is to try to connect to it using a browser. If you try, you will be asked to provide a username and password. Since none are available, random guesses will show that ADMIN/ADMIN works. Sadly though, all you get for your troubles is a “ERROR:404 Not Found” message. No matter what I have tried, I have not been able to find an URL that returns anything else than this error-message. If you find any that works, please let me know.
Afterwards (unfortunately I cannot remember where) I have found mentioning of other smart plugs which provides this apparantly dummy http-server which is not meant to be used.
Next possible target is the open TCP port 8899. If you telnet to it
telnet 10.10.100.254 8899 Trying 10.10.100.254... Connected to xxxxxxxx. Escape character is '^]'.
nothing happens. Whatever you type, you are treated with a “+ERROR” message. This looked to me like a response to a AT command (like in the good old modem days). Hence I tried many-many AT commands, but I only ever got the +ERROR message.
As it turns out, at this point already, one can actually control the socket, if you know or guess the exact AT commands to send (on / off). I have only found 4 commands that give a response on this port.
The downside to issuing the commands here, is that you need to be directly connect to the WIFI network on the socket and cannot access it through your normal network. This makes this solution unusable for most purposes.
As socket setup is not yet clear, it might be an idea to take a quick look inside the plug – it might be possible to see which IC’s the socket uses
Sadly, apart from the relay itself, not much important is visible from this side. All the important stuff is apparantly mounted on the reverse side. And it is soldered VERY well to the socket legs, and I do not want to possibly ruin the plug by de-soldering it.
The only other interesting thing which is visible, is that the socket has a serial interface on the bottom right in the picture. You can use a standard 3V3 serial USB interface to communicate with the socket.
While it was easy to get the serial communication up and running, I was not able to learn anything relevant from it. I did not investigate it much. On the surface it looks very similar to what you get when you connect to TCP port 8899.
To connect to the serial interface on the socket, connect the GND, TX og RX pins on the socket to the 3V3 USB interface and use connection settings
in eg. minicom (linux), HyperTerminal (Windows) or similar