Transforming Smart Plug IoT - 1

If the function I want isn't there, I just make it possible.

Posted by Gyul on November 15, 2022

Introduction

I bought a smart plug a while ago, because I wanted to save my smartphone's battery. I usually charge my phone when I go to sleep, but that damages the battery because it keeps charging after it is fully charged. So I used the smart plug to set a timer, and of course that was tiresome. The function I wanted was to stop charging when my phone is fully charged. So, as a hardware hacker rather than a hardware developer, I will make this smart plug do it.

As this story is too long to fit in one post, we will break it up into two parts.

In this post I will show you how I extracted the firmware. The second post will tell the story of implementing the function.

Smart Plug Teardown

By prying the sides apart, I could easily open it.

Let's take the board out.

And we can see that there's an ESP8285 chip. This chip must be the main SoC, as there is no other MCU on the board.

And also test points! That's sweet. Why are there test points here? Maybe they are used for flash programming?

Maybe, maybe not. Anyway, let's keep this in mind.

ESP8285

The ESP8285 is an ESP-series chip with WiFi built in. It is like an upgraded version of the ESP8266: it has 1MB of flash built in, which the ESP8266 doesn't.

Programming the ESP8285 is just the same as programming the ESP8266. So there is no need to dig through the datasheet to extract the firmware, as there are plenty of posts that explain how to program the ESP8266.

But skipping the detailed parts of a datasheet is one thing; not reading the chip's datasheet at all is another. So I briefly read the datasheet of the chip. ESP8285 Datasheet URL

Firmware Extraction

Now let's move on to the next step. Let's extract the firmware!

First we have to build a circuit to connect a UART-to-USB adapter. ESP8266 and ESP8285 chips can have their flash read and written over UART.

I referenced this image to wire up my UART/USB adapter. CH_PD is the test point labelled EN on our board, and there is also a GPIO0 test point right beside the EN point.

The reason we have to follow the circuit above is that we have to change the boot mode to access the flash: the chip only enters the UART download mode when GPIO0 is held low while it resets.

You can read more details in this document.

Extraction Circuit

To build the circuit, we have to connect to the test points. But how? My choice was this.

I connected to the test pads with needle test probes.

I didn't want to risk soldering it. And this was probably the easiest way too, because soldering enameled magnet wire to a pad is... awful.

The whole circuit looks like this.

And it is connected to my CP210x UART/USB adapter.

Firmware Extraction

There is a tool called esptool. It helps us read the flash, write the flash, and even print the info of an image.

After connecting my USB/UART adapter to the computer, I tried to read the flash using esptool.

And this happened. The error message was "Device doesn't recognize a command". It was because I hadn't installed the FTDI driver.

The FTDI driver is a VCP (Virtual COM Port) driver that lets us use a USB port as a serial port. So we have to install the FTDI driver to use a USB/UART adapter based on an FTDI chipset.

My USB/UART adapter was using a CP210x chipset, so I thought installing the FTDI driver was not necessary. But that wasn't the case.

I downloaded the FTDI driver from this site.

After installing it, esptool started reading the firmware.

Sweet!

And when we use the image_info command of esptool, it shows the entry point and the segments.
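As an added example (not code from the original post or from esptool), here is a small Python parser for the ROM-bootloader image header that esptool's image_info reports: magic byte, entry point, the load address and length of each segment, and the XOR checksum the ROM verifies. It runs on a constructed sample image; to inspect your own dump you would read the file (the 1MB dump from esptool's read_flash command, port name and file name being your own) in place of SAMPLE.

```python
import struct

MAGIC = 0xE9          # first byte of every ESP8266/ESP8285 ROM bootloader image
CHECKSUM_SEED = 0xEF  # seed of the XOR checksum the ROM bootloader verifies

def parse_image(data):
    """Return (entry_point, [(load_addr, length), ...]) after verifying the checksum.
    Layout: magic, segment count, flash mode, flash size/freq, u32 entry point; then
    per segment u32 load address, u32 length, data bytes; zero padding puts the
    XOR checksum byte at offset 16*k - 1 of the image."""
    if len(data) < 8 or data[0] != MAGIC:
        raise ValueError("not an ESP8266 image (bad magic byte)")
    seg_count, _flash_mode, _flash_size_freq, entry = struct.unpack_from("<BBBI", data, 1)
    pos, checksum, segments = 8, CHECKSUM_SEED, []
    for _ in range(seg_count):
        if pos + 8 > len(data):
            raise ValueError("segment header runs past the end of the image (truncated dump?)")
        addr, length = struct.unpack_from("<II", data, pos)
        pos += 8
        body = data[pos:pos + length]
        if len(body) != length:
            raise ValueError("segment data runs past the end of the image (truncated dump?)")
        for b in body:
            checksum ^= b
        segments.append((addr, length))
        pos += length
    csum_pos = pos + (15 - pos % 16)  # last byte of the current 16-byte block
    if csum_pos >= len(data) or data[csum_pos] != checksum:
        raise ValueError("checksum mismatch: image is corrupt or truncated")
    return entry, segments

def build_image(entry, segments):
    """Build a minimal image laid out the same way esptool writes one (for the sample)."""
    out = bytearray(struct.pack("<BBBBI", MAGIC, len(segments), 0, 0, entry))
    checksum = CHECKSUM_SEED
    for addr, body in segments:
        out += struct.pack("<II", addr, len(body)) + body
        for b in body:
            checksum ^= b
    out += b"\x00" * (15 - len(out) % 16) + bytes([checksum])
    return bytes(out)

# Constructed sample image (not a real dump): two small segments, entry point in IRAM.
SAMPLE = build_image(0x40100004, [(0x40100000, b"\x01\x02\x03\x04"), (0x3FFE8000, b"\xAA" * 10)])

if __name__ == "__main__":
    entry, segs = parse_image(SAMPLE)  # for a real dump: open("dump.bin", "rb").read()
    print(f"entry point: {entry:#010x}")
    for i, (addr, length) in enumerate(segs):
        print(f"segment {i}: {length} bytes at {addr:#010x}")
```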

So we successfully extracted the firmware.

In the next post, we will reverse engineer this firmware, develop the function we want, and finally reprogram the plug with it.

Copyright © FirmExtract 2024