Looking inside a Wifi smartplug (Maginon/Edimax/STT)

I bought a smart plug from a local retailer which branded it as a Maginon SP1-E. These can also be found on the market as an Edimax SP-1101W. Originally, they are manufactured by ST&T.

For me, these plugs are very useful as they are a cheap solution for socket based electricity sub-metering and I can enable or disable the power remotely, which can be integrated into my domotics or smart home control center.

In a summary, the functions are:

• Runs embedded Linux
• Able to switch power
• Able to access Wifi networks
• Able to measure V, W, A and kWh
• Can be controlled by a crappy smartphone app

By default, when plugged in, the plug will power-on, allow power consumption from it for 2-3 seconds, switch the breaker (and no longer allow power consumption) and then require that the user switches the breaker (through a command to the device) again to allow power consumption. This behavior can be seen as 'safe', yet it is a dirty way to trigger the breaker at startup. If the breaker would have been normal open by design, the 2-3 seconds power-on at the start, would not happen. Additionally, if you put this plug onto a freezer e.g., and a power disruption happens, your freezer will not be repowered after power restoration, until the user switches the breaker through a command to the device. Later on, we will tackle this short coming in another blog post.


Maginon has released source code for the plug under the GPL: http://gpl.supra-elektronik.com/

The mechanics: outside

The front has 2 buttons and 2 LEDs. The main button (largest one) can be used to HW switch the breaker. When pressing the reset button for more than 8 seconds, the plug will go back to the factory settings.

The plug can be opened, using triangle bits.

The mechanics: inside

There are 2 main PCBs inside. The Embedded Linux board (Ralink RT5350F) which is low voltage and the breaker/metering board which runs at 230V.

Below are the images of the Embedded Linux board:

 Patch antenna on the left, wired to the Embedded Linux board

 Ralink Soc (System on Chip) board

Pins on the edges, to plug the board onto the breaker/metering board.

Here are some images of the breaker/metering board:

Look inside from the top

The breaker

Inside the Embedded Linux OS

Login into the plug can be done by telnet to the plug IP on port tcp/23. The default username/password is: admin/admin.

Checking the cpuinfo

# cat /proc/cpuinfo
system type             : Ralink SoC
processor               : 0
cpu model               : MIPS 24K V4.12
BogoMIPS                : 239.61
wait instruction        : yes
microsecond timers      : yes
tlb_entries             : 32
extra interrupt vector  : yes
hardware watchpoint     : yes
ASEs implemented        : mips16 dsp
VCED exceptions         : not available
VCEI exceptions         : not available

Linux version

# uname -a
Linux (none) 2.6.21 #324 Mon Aug 25 16:53:40 CST 2014 mips unknown

Checking the mount points

# mount   
rootfs on / type rootfs (rw)
proc on /proc type proc (rw)
none on /var type ramfs (rw)
none on /etc type ramfs (rw)
none on /tmp type ramfs (rw)
none on /media type ramfs (rw)
none on /dev/pts type devpts (rw)

Checking the filesystem

# df /
Filesystem           1k-blocks      Used Available Use% Mounted on
rootfs                       0         0         0   0% /

Checking the memory usage

# free   
              total         used         free       shared      buffers
  Mem:        29324         9984        19340            0            0
 Swap:            0            0            0
Total:        29324         9984        19340

The available tools within Busybox

# busybox
BusyBox v1.12.1 (2014-07-31 06:32:52 CEST) multi-call binary
Copyright (C) 1998-2008 Erik Andersen, Rob Landley, Denys Vlasenko
and others. Licensed under GPLv2.
See source distribution for full notice.

Usage: busybox [function] [arguments]...
   or: function [arguments]...

        BusyBox is a multi-call binary that combines many common Unix
        utilities into a single executable.  Most people will create a
        link to busybox for each function they wish to use and BusyBox
        will act like whatever it was invoked as!

Currently defined functions:
        [, [[, ash, brctl, cat, chmod, chpasswd, cp, crond, date, dd, df,
        du, echo, expr, free, grep, halt, ifconfig, init, init, insmod, kill,
        killall, login, ls, lsmod, mkdir, mknod, mount, ping, poweroff, printf,
        ps, pwd, reboot, rm, rmmod, route, sed, sh, sleep, syslogd, telnetd,
        test, tftp, top, touch, tr, udhcpc, udhcpd, umount, uname, uptime,
        vconfig, wc

The following binaries are available and not from Busybox

# cd /bin
# ls -l | grep -v "busybox"
-rwxr-xr-x    1 0        0          148244 iperf
-rwxr-xr-x    1 0        0           22804 ntpclient
-rwxr-xr-x    1 0        0            6208 erase
lrwxrwxrwx    1 0        0              11 nvram_set -> ralink_init
-rwxr-xr-x    1 0        0           36216 iwpriv
-rwxr-xr-x    1 0        0           36508 ralink_init
-rwxr-xr-x    1 0        0           79072 rt2860apd
-rwxr-xr-x    1 0        0            9032 gpio
-rwxr-xr-x    1 0        0            9928 flash
-rwxr-xr-x    1 0        0            6864 reg
-rwxr-xr-x    1 0        0          173476 miniupnpd
lrwxrwxrwx    1 0        0              11 nvram_get -> ralink_init
-rwxr-xr-x    1 0        0            9920 ated
-rwxr-xr-x    1 0        0            6536 nvram_daemon
-rwxr-xr-x    1 0        0           33992 mkfs.jffs2
-rwxr-xr-x    1 0        0          345156 goahead
-rwxrwxrwx    1 0        0          381421 RDTServer
lrwxrwxrwx    1 0        0               9 rtinicapd -> rt2860apd
-rwxrwxrwx    1 0        0           37798 setUID
-rwxr-xr-x    1 0        0          170687 GpioForCrond
-rwxrwxrwx    1 0        0           37901 writeflash
-rwxr-xr-x    1 0        0           88976 iptables
-rwxr-xr-x    1 0        0            5264 mii_mgr
-rwxr-xr-x    1 0        0           83848 GetInfo
-rwxrwxrwx    1 0        0           48789 checksum
-rwxr-xr-x    1 0        0           39975 UartForCrond
-rwxr-xr-x    1 0        0           12744 mtd_write
-rwxr-xr-x    1 0        0           74124 lld2d
-rwxr-xr-x    1 0        0           16236 switch
-rwxrwxrwx    1 0        0           37798 getUID
-rwxr-xr-x    1 0        0            6164 eraseall

The below command will enable the power consumption on the plug.

# /bin/GpioForCrond 1
gpio_set_dir: gpio=2, dir=0
gpio_set_dir: gpio=1, dir=1
InitGpio() success, fd = 3
Get GPIO1 = [01]

The below command will disable the power consumption on the plug.

# /bin/GpioForCrond 0
gpio_set_dir: gpio=2, dir=0
gpio_set_dir: gpio=1, dir=1
InitGpio() success, fd = 3
Get GPIO1 = [00]

Several interfaces are available for connecting. The apcli0 is the WAN interface where the plug acts as a client for. In this case, this is connected to the home Wifi network in the network range 192.168.0.0/24. The br0 is the "server" interface where the plug can give IP leases to other clients (e.g. your laptop), which are accessing the plug's Wifi network. This Wifi network has a SSID which is always named as "Smartplug_XXXXXX" where XXXXXX is the last 6 chars of the plug's br0 MAC address, in this case 11A408.

# ifconfig
apcli0    Link encap:Ethernet  HWaddr 00:08:ED:11:A4:09
          inet addr:192.168.0.235  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

br0       Link encap:Ethernet  HWaddr 00:08:ED:11:A4:08
          inet addr:10.10.10.254  Bcast:10.10.10.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:36 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:1512 (1.4 KiB)

eth2      Link encap:Ethernet  HWaddr 00:0C:43:30:50:77
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5345 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:548821 (535.9 KiB)
          Interrupt:3

eth2.1    Link encap:Ethernet  HWaddr 00:0C:43:30:50:77
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

eth2.2    Link encap:Ethernet  HWaddr 00:0C:43:30:50:66
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:1588 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1588 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:191850 (187.3 KiB)  TX bytes:191850 (187.3 KiB)

ra0       Link encap:Ethernet  HWaddr 00:08:ED:11:A4:08
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:70094428 errors:203 dropped:0 overruns:0 frame:0
          TX packets:923762 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3887818972 (3.6 GiB)  TX bytes:88933398 (84.8 MiB)
          Interrupt:4