Home Automation

Posted on 2020-January-08 in programming

Connected plug

I was a bit late to the party, but I finally got into home automation and bought a couple of connected power plugs. Price and curiosity decided for me: they can often be found online for really cheap and they are a great excuse to spend a week-end doing nothing else but play with new gadgets.

The plugs I got are from a noname Chinese company. The packaging is raw cardboard with no indications, and the manual is limited to a thin and small sheet of paper with a QR code that sends you to the app store to download an app called SmartLife. So be it.

Start the app and get faced with a login screen that forces you to create an account and register your product. Pain in the butt. Once logged in, you need to identify the kind of device you want to register. That's a bit surprising. You would expect connected devices to be able to exchange their pedigrees over the net instead of me having to shuffle through thousands of possible products and probably getting it wrong. Alright, moving on.

Next step is device registration: put the app in pairing mode, press the only button on the plug long enough, and magic: your connected power plug now appears inside the app. Great!

Let's spice it up a bit: the plugs are advertised as being Google-compatible, so start the Google home assistant and try the additional linking process. The Google menu is scary: there are literally hundreds of IoT device vendors out there, and I have no idea which one I should be looking for. No brand name on the box or on the plugs, and the product name displayed on Amazon does not appear anywhere in the endless list proposed by the Google app. Hmm... Let's try with SmartLife? Yes: Google knows about SmartLife and asks for full control over the account I just created above in the app. Why not, who cares? Be my guest.

Once this was done, the two plugs appeared magically under Google Home and I could finally say "Hey Google, turn the lamps on!" and get enlightened. Phew!

That's fun but I have no intention of leaving a device that permanently records every sound in my house, so voice command is pretty much out of the picture. So without voice command, let me summarize how to switch the lights on in my living room in 8 easy steps:

  • Since the app is registered with a SmartLife and Google account, I only installed it on one device. Which means I am the only one who has the power to switch lights on and off. Which also means that I am the only one who has to rummage through the house to find where I left my bloody smartphone again.
  • Unlock phone with fingerprint. Try again. Nope, try again. Give up and type the password. Avoid the temptation to read the bazillion notifications.
  • Find the app. How's it called again? Go through the endless list of apps, cursing yourself for not putting in on the home screen with the other 255 must-have apps.
  • Open the app, but since you haven't used it for a while you need to login again. Of course you forgot the password, so click "Forgot password" and get a link by email to reset it within 5 minutes. Hopefully. Now is the right time to sort out those bazillion notifications.
  • Now you got in, making a mental note to write that password down somewhere on a piece of paper and also remember where you left that piece of paper. Select the Devices tab, go to the lamp you want to switch on, and click.
  • Nothing happens, so click again. And again, several times. Press even harder on the phone screen, you never know.
  • Now all your clicking finally gets through and the lamp starts switching on and off like a Christmas tree, ending up switched off, of course.
  • Click again, then wait. Tadaaa, the light is on!

Easy, right?

The next day I looked into advanced options and found a solution: use a timer. Instead of doing it myself, automate it, of course! Program the lamp to switch on when it's getting dark, and switch off at midnight. Problem solved.

Or maybe not.

Let's assume I am sitting in my living room, the lamp is 3 feet away, but just like a real lazy bastard I reach for my phone, open the app, and press the button. What happens next?

My phone connects to the SmartLife server. Could be in China, maybe in the USA, who knows?

I get authenticated. My order gets through, and a flag is raised somewhere on somebody else's servers, probably in the US on Amazon.

The plug in my living-room sends beacon packets to its home server every second, asking if it needs to do something. The raised flag finally gets to the plug, which acts and switches the light on.

How many things could go wrong?

My phone could stop working. Empty battery, bug in the app, bug in the OS, or it could just be the perfect moment to run a firware update that freezes the device for 20 minutes.

My phone may not be able to connect to the cloud. This requires an overseas link, which is of course not guaranteed to work. Same problem with the plug requesting commands every few seconds. Servers crash, databases get erased, latency can increase without warning. Seems stupid that a server crash in China would prevent me from turning the lamps on in my living-room. I do not want to subscribe to Amazon's server health status to figure out whether I will be in the dark tonight at home.

My home network is nowhere near industrial availability. Between the internet modem and the plugs are several switches, a router, and a WiFi access point that sometimes decides to take a few hours off for relaxation.

Depending on a bunch of companies to keep my service alive does not sound very future-proof. What happens when some of those companies go out of business? What is the plan then? Will we throw away all the devices that depend on it for a living? I was looking for a network-controlled device, not for a life-time service contract with a third-party company whose name didn't even appear on the box.

In terms of energy consumption this is not environmentally sound. The plugs keep sending small data packets back home, which is not much in terms of bandwidth but forces every device on the way to grind packets for no reason. An overseas link necessarily involves 15-30 hops one way, that's a lot of machines working to not light up my living-room.

I also don't feel too good about needing to create an account to protect the plugs from outside attacks. This is just opening a welcome gate for hackers to get into my network, and the price for closing that gate is to forego any usage of the plugs. Not good.

Fortunately there are solutions. Most connected plugs today are based on the ESP8266, a very popular chip in the maker crowd. Just google a bit and you find methods to erase and replace the firmware for those plugs with something that does not need to call home every second.

The project I used is tuya convert:


The procedure is rather simple. I used an Ubuntu-based laptop and got everything sorted in just 15 minutes. No need to open the box or solder anything, it all happens over the air. I re-flashed the firmware with Tasmota, an alternative ESP8266 piece of firmware, done. The two plugs in my house are now mini web servers that can be automated using MQTT or simply controlled from a web browser. Most importantly: they do not require an Internet connection to work and they do not flood the local network with broadcast messages every second.


I lost only one thing: the ability to switch the lights from outside my house. Can't say I will miss much.

This got me thinking: seems most IoT connected devices today are designed to be connected to the cloud. It is extremely hard to find something that could just be controlled from your local network without need to ping back to China or the US or who-knows-where. Why? I understand these companies are hungry for user data, but what's in it for me? Requiring an active Internet connection should not be a pre-requisite for switching lamps on!

One small note about security: those devices are advertised as being top-notch secure and based on military-grade security. And yet you can simply erase and re-flash their firmware over the air without much effort. Simple but deadly mistake: devices do not validate server-side certificates. It is rather trivial to start your own web server with a self-signed certificate and point the device to it using a well-configured local DNS server. This is great because it means I could get rid of the initial firmware, but it also means anyone in the same room could do the same and poison the firmware. Who knows how many other security issues these devices suffer from?

I can easily imagine that instead of relying on distant machines located in data centers, we could host the main control point ourselves in our houses. Modern houses already have Ethernet cabling running through all rooms, with some space in a closet to connect a router and a switch. It would not be hard to install an additional server there, something Raspberry-pi-sized, and use it to control every piece of connected hardware in the house.

You guessed it: there are already several projects on that topic. The most promising I found seems to be Home Assistant:


I have not looked too much into it yet but will do soon, and maybe write it up here. Next evolution would be to be able to run voice recognition on that same local machine so we don't have to be spied upon by Google and Amazon. I am really looking forward to the next company offering a Home OS. Right now these home automation gadgets are just a jungle of services quickly strung together with no future.

Today's lesson: don't buy connected devices if you cannot flash them with alternative firmware.