Home Rule

In the age of robotic vacuums, robotic lawn mowers, and mopping robots, I want to add automation and intelligence to my apartment. Just the act of purchasing a smart socket that has an Android app makes this both an easy and a comfortable solution for people wanting to add a touch of home automation to their living space.

However, I am paranoid enough that when devices are in my network, I want to have full control over them. It bothers me that this new functionality comes with the "additional feature" of these devices calling home to a server somewhere on the Internet. I was optimistic that I could achieve my goal of automation but also keep full control over my own devices.

To achieve this control, I was hoping I could purchase a few smart adapters and find one that I could bend to my will. The good news is that the security on each of these devices was good enough that I wasn't able circumvent it with a playback or man-in-the-middle attack, but I didn't actually have any luck gaining complete control of the devices, so I set out to find a way to modify an existing device to achieve my goals.

Little did I know that this is a fairly active area of development in the open source community. The solution is to flash the devices with new firmware that provides enhanced functionality. I looked into a couple of different solutions under active development. The oldest and presumably most mature firmware solution is Tasmota.

Tasmota

The Tasmota project [1] contains additional functionality to support the MQTT (Message Queuing Telemetry Transport) protocol, so your device can be an MQTT client and publish and receive messages.

The list of main functions supported by Tasmota is pretty impressive:

• Support for the MQTT protocol
• Support for HTTP requests
• Support for most common sensors
• Over-the-air updates
• Belkin Wemo and Philips Hue emulation
• Timers
• Domoticz integration
• ESPTool FTDI programmer/serial programmer

My needs are pretty modest; I simply want to connect the device to my home network. However, in addition to all the other functionality, I get another cool feature for free. Tasmota offers over-the-air (OTA) updates, which means once you have flashed the device, you won't have to unplug, disassemble, flash, and reassemble each time you want to upgrade the firmware, which is priceless for anyone unfamiliar with the technology.

Before using this firmware, you need to have all the necessary tools and materials:

• FTDI serial converter
• Header pins
• Soldering iron and solder
• Firmware
• Low-melting-point solder (optional)

The device I chose to modify was the Sonoff S20 (Figure 1), an extremely friendly device from the perspective of the home do-it-yourselfer. The circuit board is big, is easily accessible, and has been designed so it can be enhanced with connector pins to allow external programming.

Figure 1: Sonoff S20.

Taking apart the Sonoff was refreshingly easy. None of the screws are hidden behind labels, and the case comes apart and can be put together much like playing with legos. No blobs of glue prevent access to any part of it. Inside the case, the printed circuit board (PCB) is also held in place with screws, and it appears the overall design was done to simplify the assembly for multiple markets. The design of the S20 separates the power socket from the circuit board in such a way that plugging in your power cord doesn't put any stress on the PCB or any of its connections. The manufacturer, iTead, must feel pretty confident in their product, because they also made the schematic available on their website [2].

Not only is it easy to disassemble and reassemble the case, the PCB that controls the power socket is ready to be programmed. The only step necessary is to solder on some header pins so you can flash the Sonoff with the new software (Figure 2). Once the headers are soldered to the PCB, you can then use your FTDI adapter male or female header pins, depending on your FTDI adapter and cable setup.

Figure 2: Header pins with VCC, Rx, Tx, and GND labels added.

Soldering the header to the board should take just a matter of minutes, but before you proceed, you might want to take some notes. Some people have been reporting that their circuit board already has markings describing what each pin is. That was not the case for my board, although the VCC (power in) pin did have a small arrow pointing to it. This pin is also visibly different from the rest: The through-hole plating on the board has a square outline around the hole. This differentiation, as well as the pinout for the header pins, is clearly marked in Figure 2.

During this project you should keep two important points in mind. The first and most important is to make sure your device is not plugged into the wall, so it is easier to work on the device and the chance of electrocuting yourself or blowing up your laptop is considerably reduced. The second point is that the power from your FTDI connector needs to be 3.3V. Some FTDI adapters use 5V, so if you are not certain how much power your controller uses, look it up online or purchase an inexpensive 3.3V connector for this project.

Getting Your Hands Dirty

The Sonoff, like most smart devices, will be powered by a microcontroller, which is almost as good as a CPU. Albeit a bit slower, it sips energy and, as a friend used to say, they are cheap as potato chips.

The only downside of devices powered by microcontrollers is that the resources are usually somewhat limited, as well. The limiting factor that restricts the size of the firmware and ultimately the functionality is the number of resources available. The Sonoff that I purchased has only 1MB of flash memory, which as small as it sounds, is plenty for controlling the smart socket (see the "Querying Memory Size" box). However, if the firmware occupies more than half of the available memory, OTA updates are no longer possible.

Querying Memory Size

Memory size might become more important in the future, with different devices being manufactured with different memory sizes. Thus, it is important to know how much memory exists in the device for either backing up or determining the maximum size for a firmware image.

This information can be queried from the device itself:

$ sudo ./esptool.py --port /dev/ttyUSB0 flash_id
esptool.py v2.6
Serial port /dev/ttyUSB0
Connecting....
Detecting chip type... ESP8266
Chip is ESP8266EX
Features: WiFi
MAC: 84:f3:eb:b0:6e:07
Uploading stub...
Running stub...
Stub running...
Manufacturer: 5e
Device: 4014
Detected flash size: 1MB
Hard resetting via RTS pin?

The value (shown in the next-to-the-last line) is normally 1MB for the S20, but it might be different for other hardware (Figures 3 and 4).

Figure 3: Querying the memory before replacing the memory chip.

Figure 4: Querying the memory after replacing the memory chip.

The convenience of OTA firmware flashing should not be underestimated. Disassembling a smart socket, flashing the firmware, and reassembling it is not a big deal unless you have 20 of them. The only thing preventing OTA updating is the size of the firmware relative to the size of free memory. A number of other trailblazers on the Internet have already found a solution to this problem, which is to get a larger flash chip to hold the program. This small upgrade only requires a few minutes to desolder the old chip and solder in a new chip.

Although this solution sounds radical, it isn't that much more so than opening up a device and soldering header pins onto it. The PN25F08B that comes with the Sonoff S20 is just a 1MB flash chip that can be replaced with a larger memory chip. The most common replacement seems to be the 4MB Winbond 25Q32FVSIG.

To make the replacement, carefully heat the legs of the chip and remove (Figure 5). This process is easier if you have a hot air gun or, alternatively, some low-melting-point solder wire. The reports I have read said the new memory chip was the same size, so no unusual hacks are necessary (e.g., straightening or bending the pins to odd angles). In my case, the replacement chip was slightly larger (Figure 6), but it still (barely) fit onto the pads.

Figure 5: Flash memory chip.

Figure 6: The old memory chip (left) compared with the new, larger chip (right).

Installing the Firmware

A compiled copy of just the Tasmota firmware can be downloaded from GitHub [3], or you can download the source code if you want to take a closer look or compile it yourself. I already had a copy of esptool.py [4] on my laptop. Flashing the firmware is described in full detail in the "Flashing a Device" box. Once you have everything ready to flash the firmware, including the firmware, you are ready to begin.

$ sudo ./esptool.py write_flash --flash_mode dout --flash_size 1MB 0x0 sonoff.6.4.1.bin
esptool.py v2.6
Found 1 serial ports
Serial port /dev/ttyUSB0
Connecting....
Detecting chip type... ESP8266
Chip is ESP8266EX
Features: WiFi
MAC: 84:f3:eb:b0:6e:07
Uploading stub...
Running stub...
Stub running...
Configuring flash size...
Compressed 534032 bytes to 365310...
Wrote 534032 bytes (365310 compressed) at 0x00000000 in 32.4 seconds (effective 131.7 kbit/s)...
Hash of data verified.
Leaving...
Hard resetting via RTS pin?

If your device has 1MB of memory, then backing up is just a matter of running the command:

sudo ./esptool.py --port /dev/ttyUSB0 read_flash 0 0x100000 flash_contents.bin

It doesn't matter whether ESPTool is being used for reading memory, gathering information, or writing new firmware: The completion of each action will cause the device to leave programming mode.

The original firmware on the Sonoff allows it to be controlled by the eWeLink application from either the Apple App Store or Google Play. Because flashing new firmware will overwrite the existing firmware, you should back up before continuing. If you later change your mind, you can always restore the device to its original state so it can be controlled by the eWeLink app.

Remember that the original firmware is tied to the device and cannot be flashed into another Sonoff device.

Configuring WiFi

Which device or which firmware is running is immaterial if it is not reachable over your network. Most Internet of Thing (IoT) devices treat this problem in a similar manner by putting the device into a special mode that causes it to become an access point with a web server. You then connect to the access point and enter the details of your WiFi configuration, which are then subsequently used to connect to your network. Flashing the S20 with Tasmota will cause it to start up as an access point automatically the first time you power up. Now, you need to connect your laptop to the new WiFi network. In my case, the network was sonoff-3591.

Once you are connected to the access point network, you must open http://192.168.4.1 in your web browser. You will see a form similar to Figure 7 that allows you to enter your SSID and password for your local network. When this form opens, you have three minutes before the device automatically reboots. Pressing Save keeps the values and causes the device to reboot immediately.

Figure 7: Configuration dialog for WiFi.

When the device restarts, it should be reachable from your network. The device will bring up a very comprehensive menu that allows you to set up WiFi, MQTT, Domoticz, timers, and a few other settings, one of which is where you can download the most current Tasmota image when doing an OTA update (Figure 8).

Figure 8: Dialog for OTA updates.

Software, computers, and upgrades, despite rigorous testing, can occasionally encounter difficulties. Should this occur with the S20, it might be having a problem connecting to the web from the browser. If this happens, you still have a number of ways to communicate with your device. The S20 has a button that can be used for operation, such as toggling the power state; however, it can do much, much more. Most importantly, it can enable the access point. Pressing the button on the Sonoff device four times quickly causes the Sonoff to enable the access point. I couldn't find any clarification of how fast "quickly" is, but pressing the button four times in less than a second will successfully start the access point mode.

The different "commands" that can be enabled with button presses are listed in Table 1; however, if it isn't possible to connect to the Sonoff in the usual manner, this manual method might not help. Pressing the button for longer than 40 seconds will reset the settings to the defaults defined in user_config.h and restart the device, which might be enough to allow you to seize control without resorting to reflashing.

All of the options in Table 1 should make controlling the device easy. During my initial experiments, it wasn't possible to regain control even by reflashing. In extreme situations, you might need to erase memory before reflashing with:

sudo esptool.py erase_flash

Erasing the memory will write a 0xFF to each memory location. After the memory has been erased, it needs to be reflashed with the firmware. Make sure when you do this that you use the correct memory size for your device. Once the Sonoff is up and running, you can finally control it.

Sending Commands

The Tasmota firmware has a great deal of functionality to support a myriad of ESP8266-powered devices and their associated timers and sensors. Table 2 is the tiniest subset of commands from the Tasmota command list [5].

The Tasmota can be controlled by commands sent either via an MQTT broker or by sending a command to the device directly as an HTTP request. In the future, I might set up an MQTT broker or a home automation package such as Domoticz or OpenHAB, but for now, I control the devices with HTTP commands:

http://sonoff/cm?cmnd=Power
http://sonoff/cm?cmnd=Power%20On
http://sonoff/cm?cmnd=Power%20Off
http://sonoff/cm?cmnd=Power%20Toggle

It is even possible to set a password for the Tasmota web interface, which requires you to provide the username and password as part of the command:

http://192.168.178.50/cm?user=admin&password=passwordgoeshere&cmnd=Power On

Adding a password might make your devices more secure to naive attackers on your network, but it is passed in clear text, undermining your total security, especially if you access your devices over the Internet.

Controlling the Sonoff from the browser is quite neat during development, but the most flexible way would be to call a script. Although quite a few different ways of doing this probably exist, one easy example uses cURL. A number of sites discuss the full powers of cURL, but I only need to perform a simple HTTP GET:

curl http://192.168.178.59/cm?cmnd=Power%20Toggle

The command to toggle the power switch also could be added to a shell script.

Conclusion

Tasmota not only supports all the same types of functionality that most other smart socket apps support, but much, much more. Besides MQTT, it supports Domoticz home automation out of the box; more importantly, Tasmota lets you keep all your data within your home network and control the device by script or in a browser. This isn't to say I didn't encounter any difficulties during the process (see the "Troubleshooting" box), but in general I would say flashing Tasmota to my Sonoff S20 has been wildly successful.

Bus 002 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 004: ID 1bcf:2883 Sunplus Innovation Technology Inc.
Bus 001 Device 003: ID 8087:07da Intel Corp.
Bus 001 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 004 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 003 Device 008: ID 0403:6001 Future Technology Devices International, Ltd FT232 USB-Serial (UART) IC
Bus 003 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub

File Not Found
 **
URI: /cm/
Method: GET
Arguments: 1
cmnd: Power 0