More hacking to secure the gadget army: The KanKun SP3

So a couple of years ago I bought some KK-SP3 (from ikonke). They are ‘wireless smart plugs’, and despite their pretty-sketch appearance, work.

Its a tiny little white box that plus into your electrical outlet, and contains a relay and small linux board.

The only real issue that i had initially was that it came with Chinese power pins (angled). So I did what you would expect, gave them a twist with some pliers, and, well, it works (see below, twisty!). The ground pin was in the wrong spot, but, well, after checking it wasn’t connected internally anyway, so I didn’t feel bad about making that disappear.

OK, so we ran that for a while. I integrated these w/ home-assistant in a very simple way, by putting a bash-script cgi/json file in /www/cgi-bin. Life was good. (Did i mention the hacking of the device initially was trivial: turn it on, it exposes a WiFi SSID as OK-SP3. Connect, ssh as root, the password is ‘p9z34c’.

A couple of other minor changes (enable wifi on ‘wwan’, etc), and we were golden. Lights were automated, everyone was happy.

When suddenly a wild vulnerability appeared. Dropbear is cracked wide open. CVE-2016-7406. OK, no problem, let me just go back to the manuf… crap. That didn’t work.

OK, next step is, we’re already pretty much in, lets just rebuild it all from upstream OSS.

It turns out this wasn’t that bad. If we use the WR703N config from Lede (the fork of OpenWRT), it just works. Enable it, add uhttpd, and build away.

Now, one thing to watch out for, there is no Ethernet port, and the image by default disables WiFi. So, when running sysupgrade, edit /etc/sysupgrade.conf first. Or, put the files u want in files/… dir in the build-root before you build.

Now, one minor niggle, the original image has this nicely named GPIO ‘relay’ to toggle the relay. But this is not defined in the BSP for the WR703N. So, well, lets hunt it down. Turns out its GPIO 26.

So we can just use it as-is w/o the nice name.

echo 26 > /sys/class/gpio/export 
echo out > /sys/class/gpio/gpio26/direction 
echo 1 > /sys/class/gpio/gpio26/value # on
echo 0 > /sys/class/gpio/gpio26/value # off

And we are done! Now we are back to fully secure on this device.

Oh yeah, want to see the wild interior of this ‘highly safe’ device? Here it is, de-spudged. Its a tiny board (removed here) w/ the SOC/radio on it, an a 120V-3.3V power supply wedged around the plug.

So yeah, after ~2 hours of playing w/ this to get it fixed, uh, do you think the original $15 price was worth it?





5 Responses to “More hacking to secure the gadget army: The KanKun SP3”

  1. DaveWaterloo

    speaking of actual gadget armies:

    Don, please make these things can’t be hacked. 🙂

  2. Andrey

    Please share the modified firmware that you are using now and instructions on how to flash it.

    1. db

      WR703N config
      add uhttpd

      then it just works.

  3. Peter

    I flashed wrong openwrt image and now I can’t connect to it anymore. Is there any option for recovering?

    1. db

      it probably has a first stage bootloader if you do something like hold button while power on.
      this might do tftp.
      Since its wifi only, it might go into an AP-only local mode you connect.

      I’m not sure.

Leave a Reply

Your email address will not be published. Required fields are marked *