ESPurna firmware on Tonbux Power Strip
The Tonbux power strip is an IoT device that allows control of each power outlet from a mobile device. These are sold on Amazon for around $30 each. It has a closed firmware that does not allow direct access to the power strip. Instead, a mobile device app must be installed and control is done through the app. From the looks of it, the power strip publishes with MQTT to a cloud based broker. In turn the mobile device app subscribes to that same broker to control the IoT device.
In this post, we will be removing the factory firmware and replacing it with ESPurna, a open source firmware developed for ESP based IoT devices. It provides a locally accessible Web UI as well as telnet access to the IoT device, let’s begin.
Warning – Do Not Operate The Tonbux Power Strip While The Cover Is Off. Risk Off Electrical Shock Or Fire Resulting In Death Or Loss Of Property Can Occur. None Of The Setup Steps Require The Cover To Be Off.
The Tonbux power strip ESPurna firmware installation steps can be found here, however there are some additional steps we will cover.
https://github.com/xoseperez/espurna/wiki/Hardware-Tonbux-Powerstrip02
Opening up the Tonbux power strip is done by removing the rubber feet from the fastener holes and unscrewing the fasteners. There is a total of 6 in all. Using the same philips head screw driver, pry one of the corner holes to get the bottom cover off. Once off you should see the main circuit board and the ESP8266 TYWE3S module. No further disassembly is needed.
More details about the TYWE3S wifi module used in TonBux power strip can be found here.
https://fccid.io/2AFNL-TYWE3S/User-Manual/Users-Manual-3525098
Here are the steps I used end to end.
1. Download the compiled binary, https://github.com/xoseperez/espurna/releases/
https://github.com/xoseperez/espurna/releases/download/1.13.3/espurna-1.13.3-tonbux-powerstrip02.bin
2. Download ESP8266 and ESP32 serial bootloader utility
I first attempted sudo apt install esptool, then esptool –help > ESPTool_Help.txt, but this didn’t work as I might have expected. So then I installed python-serial using sudo apt-get install python-serial, then downloaded the ESPtool python code from here.
https://github.com/espressif/esptool
3. I then soldered bread board jumper connectors directly to the Tonbux TYWE3S wireless controller.
https://github.com/xoseperez/espurna/wiki/Hardware-Tonbux-Powerstrip02
4. Then I connected the Tonbux TYWE3S wireless controller to a USB2UART adapter, mine is the Sparkfun FTDI Basic 3.3V and used a bread board to link the two together.
https://www.sparkfun.com/products/9873
ESP-01 mockup required the CH_PD connection to be in the following state, more on that later.
RXD – To TXD of FTDI Basic
GPIO0 – To GND
GND – To GND
TXD – To RXD of FTDI Basic
CH_PD – To 3.3v VCC (This only applies to ESP-01 module)
VCC – To 3.3v VCC
5. Connect USB2UART adapter to the computer, my FTDI Basic connects with a separate mini USB to USB cable. The USB2UART adapter supplies power to the ESP8266 TYWE3S Module.
6. Boot the TYWE3S in flash mode, reminder the GPIO pin needs to be held at ground.
https://github.com/xoseperez/espurna/wiki/Binaries
“esptool will hard reset after each operation so unless GPIO0 is still connected to ground you will need reenter boot mode manually every time you want to do backup, erase or write flash.”Backup the existing Firmware, this lets you revert back later if you need. It’s recommended.
https://github.com/xoseperez/espurna/wiki/Backup
7. Command used – Only alpha numeric characters with no spaces in backup name and replug USB cord from computer first.
./esptool.py –port /dev/ttyUSB0 read_flash 0x00000 0x100000 tonbux166.bin
[Output]
tyUSB0 read_flash 0x00000 0x100000 tonbux166.bin
esptool.py v2.6-beta1
Serial port /dev/ttyUSB0
Connecting….
Detecting chip type… ESP8266
Chip is ESP8266EX
Features: WiFi
MAC: aa:bb:cc:dd:ee:ff
Uploading stub…
Running stub…
Stub running…
1048576 (100 %)
1048576 (100 %)
Read 1048576 bytes at 0x0 in 99.3 seconds (84.5 kbit/s)…
Hard resetting via RTS pin…
8. Next erase the existing Firmware – Replug USB cord from computer first
./esptool.py –port /dev/ttyUSB0 erase_flash
[Output]
esptool.py v2.6-beta1
Serial port /dev/ttyUSB0
Connecting….
Detecting chip type… ESP8266
Chip is ESP8266EX
Features: WiFi
MAC: aa:bb:cc:dd:ee:ff
Uploading stub…
Running stub…
Stub running…
Erasing flash (this may take a while)…
Chip erase completed successfully in 1.4s
Hard resetting via RTS pin…
9. Write firmware to device – Replug USB cord from computer first
./esptool.py –port /dev/ttyUSB0 write_flash –flash_size 1MB –flash_mode dout 0x00000 espurna-1.13.3-tonbux-powerstrip02.bin
10. Verify firmware loads, it does.
11. The ESPurna firmware is now installed on the ESP8266. ESP-01 mockup required the following connections to be in the following states to operate. Again, I’ll cover this later.
GND – To GND
CH_PD – To 3.3v VCC – Chip enable option is unique to ESP8266 modules, mainly used as a software on/off switch to save power
VCC – To 3.3v VCC
12. Connect and Configure the ESP8266 ESPurna wifi network settings. Now it is time to remove the soldered jumpers and screw the cover back on the bottom of the power strip. Once fastened and rubber stops reinstalled, the power strip can be plugged into the mains outlet. Using another system to connect to available wireless networks, connect to ESPURNA_DDEEFF (DDEEFF are last values of ESP8266 mac address)
Password is “fibonacci”
Open a web browser and connect to http://192.168.4.1
Login is “admin” and “fibonacci”, it will prompt to change the password.
After entering in a new password and saving, the wifi connection will drop.
Use the new password to connect to the ESPURNA_DDEEFF wireless network.
13. Login to the web portal at http://192.168.4.1
Configure some settings before joining the ESPurna device to your wireless network.
Under General, change the Hostname and I like to set the LED mode to always on.
Click the Save button in the left column.
Your wireless conection to the ESPurna will break as its SSID will now be the new Hostname.
Connect to the Hostname SSID using the same password you set on the ESPurna.
14. Login to the web portal at http://192.168.4.1
Under NTP, set Time Zone, Enable DST and DST Region, then click Save.
Under Admin, I enabled TELNET, then clicked Save.
Before going any further, I then rebooted.
15. Login to the web portal at http://192.168.4.1
Under Wifi, click the Scan now button.
This will list available wireless networks detectable by the ESPurna.
If your network doesn’t broadcast, aka is hidden, then you will need to set the Scan networks option to No.
Click the Add network button and provide the Network SSID, Password, and any IP information if you don’t use DHCP. Click Save and Reboot.
After connecting to an existing wireless network, ESPurna no longer broadcasts its SSID and strictly becomes a wireless client. You will need it’s assigned IP in the web UI, ie http://assigned_ip_here
16. Now control of the outlets can be done directly by opening the ESPurna’s web page and under Status clicking On or Off for any of the Switches.
17. If support for telnet is enabled, a subset of commands are included. Do realize that unencrypted wireless and using telnet is a recipe for disaster. Wireless sniffers can capture the passwords used in plaintext, use with caution. To get the list of available commands after logging in with telnet, type -help.
[787043] Available commands:
[787046] > COMMANDS
[787047] > CONFIG
[787049] > CRASH
[787050] > DEL
[787052] > DICTIONARIES
[787054] > EEPROM
[787055] > EEPROM.DUMP
[787057] > ERASE.CONFIG
[787060] > FACTORY.RESET
[787063] > FLASH.DUMP
[787066] > GET
[787068] > GPIO
[787071] > HA.CLEAR
[787073] > HA.CONFIG
[787076] > HA.SEND
[787078] > HEAP
[787079] > HELP
[787082] > INFO
[787083] > KEYS
[787084] > MQTT.RESET
[787086] > OTA
[787088] > PUBLISH
[787090] > RELAY
[787091] > RELOAD
[787092] > RESET
[787095] > RESET.SAFE
[787097] > SELECT
[787099] > SET
[787102] > STACK
[787104] > SUBSCRIBE
[787107] > UNSUBSCRIBE
[787109] > UPTIME
[787112] > WIFI
[787114] > WIFI.AP
[787117] > WIFI.RESET
[787119] > WIFI.SCAN
The telnet sessions keep alive with status messages every 5 minutes, this can be useful if you intend to monitor the ESPurna. Also telnet sessions also echo any connection status such as web requests or port scans from NMAP, possible honeypot usage.
The ESPurna firmware can also be installed on ESP-01 modules, https://en.wikipedia.org/wiki/ESP8266. I briefly mentioned that earlier and want to go into detail here. The ESP-01 modules are good ways to test and verify without the risk of bricking your more expensive equipment. Granted the GPIOs are limited and they will not mimic your actual equipment. But the WebUI and telnet functions will work and it is a good way to become more familiar with the ESPurna platform. In another post I’ll demonstrate how to use ESPurna to perform wireless network scanning using the ESP-01 modules.
This demo showed how to use Node-Red, developed by IBM, in the mainstream since 2014.
More background about Node-Red
Here is some further reading if you like
https://github.com/xoseperez/espurna/wiki/Posts-&-Videos
https://learn.adafruit.com/raspberry-pi-hosting-node-red/what-is-node-red
Refresher on ESP8266 Arduion IDE
https://randomnerdtutorials.com/how-to-install-esp8266-board-arduino-ide/