Nous A1 Smart Plug

Introduction

I recently bought some Nous A1 smart plugs. They can be connected to a Wi-Fi network and then managed remotely, mainly in order to:

  • Allow or block the flow of electricity, and therefore remotely switch off or switch on the equipment plugged into it
  • Report the power consumption of the equipment plugged into it

As with many home-automation devices, there is a phone application that can be downloaded and that allows full control of the plug. As usual, the management of the plug is done through a cloud provider.

The main interest for me in those plugs is the possibility to very easily change the firmware of the plug, and therefore get rid of the cloud dependency that I don’t like.

Tuya convert

Security flaw

This plug contains an ESP8266 inside, which does all the smart part. The firmware for this ESP8266 is provided by a Chinese company called Tuya. It provides firmware for many, many devices, and many different companies rely on those Tuya firmwares.

The protocol between the device and the Tuya servers is based on TLS, and some flaws have been discovered and published (in German). The result is that it is possible to perform a Man-in-the-Middle attack, and therefore request the device to perform an upgrade through OTA, and then push an alternative firmware.

A full procedure to perform such an attack has been developed and published, called Tuya convert.

Right now, the Tuya company has put in place countermeasures to prevent this kind of thing:

  • They have fixed the flaws and it is no longer possible to perform this Man-in-the-Middle attack (at least at the time I write these lines)
  • Many new devices no longer use ESP8266 chips

In the first case, it is still possible to change the firmware, but for that you will need to open the device and perform the firmware upgrade through the GPIO pins; soldering will be necessary. Depending on the device, this task will be very easy, or very difficult without breaking the enclosure… In the second case, right now there is no solution.

Of course, when you buy a device like that, you never know which firmware will be installed, and therefore luck is necessary to be able to get rid of the original firmware. It is also necessary to be very careful not to connect the device to the internet, otherwise you can be sure that it will update itself, fixing the different issues.

Procedure

As said previously, the procedure to perform the attack and change the firmware, if the device is vulnerable, is extremely easy and is well described here. You will need the alternative firmware that you want to write to the device. tuya convert already comes with some of them, such as:

  • tasmota.bin
  • espurna.bin

The tasmota.bin file is in fact a Tasmota Lite firmware, which is a Tasmota firmware with reduced capabilities. Tasmota is an open source firmware that comes with a WebUI and that allows many configurations. I already talked a bit about this firmware in this post (in French). In addition, if you use the original Tasmota firmware (not the Lite one), it can be automatically integrated into Home Assistant. However, it might not work, because this firmware can be considered too large and then be skipped by the script. If that is the case, you can always use the tasmota_lite.bin firmware first and then flash the tasmota.bin firmware afterwards, using Tasmota's upgrade feature.

I chose to use a Raspberry Pi. You just need to clone the repository and launch the correct scripts:

$ git clone https://github.com/ct-Open-Source/tuya-convert
$ cd tuya-convert
$ ./install_prereq.sh

Once every requirement is installed, you can start the flashing procedure.

  1. Start the tuya convert script:
$ ./start_flash.sh
  2. Connect your phone to the SSID vtrust-flash. Honestly, I do not really understand why it is necessary; I did not dig into it.

  3. Put your device in pairing mode; it will connect automatically to the Raspberry Pi access point set up by the tuya convert script. The script will ask you which firmware you want to push (it has to be located in the files folder); then let the magic happen.

The start_flash.sh script also backs up the original firmware, just in case you would like to use it later. It is located in the tuya-convert/backups/DATE folder.

Tasmota

Once the Tasmota firmware is set, it is necessary to configure it. For that you need to connect to the tasmota_XXXXXX SSID and then open the http://192.168.4.1 URL.

A few configurations need to be done, such as:

  • Upgrade the firmware to the desired final firmware, if it was not done during the first flash
  • The SSID to which the device needs to connect
  • The Tasmota Module, which has to be set to 0
  • The GPIO configuration specific to the device. For the Nous A1 this information can be found here and is {"NAME":"NOUS A1","GPIO":[320,0,576,0,2656,2720,0,0,2624,32,0,224,0,0],"FLAG":0,"BASE":45}. This information needs to be added in the Configuration Other page of Tasmota
  • I have also added an MQTT configuration, which is necessary for the Home Assistant integration
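Before pasting a template into Configuration Other, it is worth checking that it is structurally sound: a wrong pin count or a duplicated relay assignment gives a plug that cannot be switched or that reports no consumption. The following Python script is an added example, not code from the original post or from the Tasmota project. It decodes the template above using the rule of the current Tasmota template format (code = function id × 32 + index); the function names in FUNCTION_NAMES are the ones I know from Tasmota's GPIO conversion table and should be verified against your Tasmota build.

```python
"""Sanity-check a Tasmota device template before pasting it into
Configuration -> Other.  Added example, not part of the original post
or of Tasmota.  Function-code names are transcribed from Tasmota's GPIO
conversion table as I know it (verify against your build)."""
import json

# ESP8266 pin order used by the 14-entry "GPIO" array of a template.
ESP8266_PINS = ["GPIO0", "GPIO1", "GPIO2", "GPIO3", "GPIO4", "GPIO5",
                "GPIO9", "GPIO10", "GPIO12", "GPIO13", "GPIO14", "GPIO15",
                "GPIO16", "ADC0"]

# Subset of Tasmota function ids (code >> 5) relevant to a metering plug.
FUNCTION_NAMES = {
    0: "None", 1: "Button", 7: "Relay", 10: "Led", 18: "LedLink",
    81: "HLW8012 CF", 82: "BL0937 CF", 83: "HLWBL CF1", 85: "HLWBL SELi",
}

# Template exactly as given on the page for the Nous A1.
NOUS_A1_TEMPLATE = ('{"NAME":"NOUS A1","GPIO":[320,0,576,0,2656,2720,0,0,'
                    '2624,32,0,224,0,0],"FLAG":0,"BASE":45}')


def decode_gpio(code):
    """Split a template GPIO code into (function name, 1-based index)."""
    func, idx = code >> 5, code & 31
    name = FUNCTION_NAMES.get(func, f"function#{func}")
    return name, idx + 1


def parse_template(text):
    """Parse a template string and return {pin: (function, index)}.
    Raises ValueError on structural problems."""
    tpl = json.loads(text)
    for key in ("NAME", "GPIO", "FLAG", "BASE"):
        if key not in tpl:
            raise ValueError(f"missing key {key}")
    gpio = tpl["GPIO"]
    if len(gpio) != len(ESP8266_PINS):
        raise ValueError(f"GPIO array has {len(gpio)} entries, "
                         f"expected {len(ESP8266_PINS)}")
    if not all(isinstance(c, int) and c >= 0 for c in gpio):
        raise ValueError("GPIO codes must be non-negative integers")
    return {pin: decode_gpio(code) for pin, code in zip(ESP8266_PINS, gpio)}


def check_plug_template(text):
    """Return the list of problems that would make a smart-plug template
    unusable; an empty list means it looks sane."""
    pins = parse_template(text)
    used = [v for v in pins.values() if v[0] != "None"]
    problems = []
    # The same function+index on two pins cannot work (e.g. two Relay1).
    dupes = {v for v in used if used.count(v) > 1}
    if dupes:
        problems.append(f"duplicate assignments: {sorted(dupes)}")
    funcs = {name for name, _ in used}
    if "Relay" not in funcs:
        problems.append("no relay configured: the plug could not be switched")
    # Power metering needs the CF1 and SEL pins plus one CF pin.
    if not {"HLWBL CF1", "HLWBL SELi"} <= funcs or \
            not {"BL0937 CF", "HLW8012 CF"} & funcs:
        problems.append("power metering pins incomplete: no consumption readings")
    return problems


if __name__ == "__main__":
    for pin, (func, idx) in parse_template(NOUS_A1_TEMPLATE).items():
        if func != "None":
            print(f"{pin:7s} -> {func}{idx}")
    print("problems:", check_plug_template(NOUS_A1_TEMPLATE) or "none")
```

Run as-is it lists the Nous A1 assignments (Led1 on GPIO0, LedLink on GPIO2, the BL0937 metering pins on GPIO4/5/12, Button1 on GPIO13, Relay1 on GPIO15) and reports no problems; feed it a template copied from an unrelated device and the missing relay or metering pins show up before you have flashed anything.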

There is some detailed information about the Tasmota integration with Home Assistant here.

Once all the configuration is done, the Nous A1 smart plug should be visible in Home Assistant, and you can therefore benefit from all its power.
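With Tasmota on the plug, everything stays on the local network: the plug publishes its ENERGY readings on MQTT (tele/&lt;topic&gt;/SENSOR) and accepts commands over its own HTTP endpoint (/cm?cmnd=...), with no cloud in between. The following Python is an added example, not code from the original post, Tasmota or Home Assistant; the SENSOR payload is a constructed sample shaped like Tasmota's ENERGY JSON, and the host address and credentials are placeholders.

```python
"""Consume the Nous A1 locally once it runs Tasmota.  Added example, not
part of the original post, Tasmota or Home Assistant.  Assumes Tasmota's
default MQTT topic layout (tele/<topic>/SENSOR) and its /cm HTTP command
endpoint; the sample message below is constructed."""
import json
from urllib.parse import quote, urlencode

# Constructed sample of a tele/tasmota_XXXXXX/SENSOR payload.
SAMPLE_SENSOR = json.dumps({
    "Time": "2021-03-14T19:05:00",
    "ENERGY": {"TotalStartTime": "2021-03-01T10:00:00", "Total": 12.345,
               "Yesterday": 1.1, "Today": 0.42, "Period": 3,
               "Power": 1850, "ApparentPower": 1900, "ReactivePower": 430,
               "Factor": 0.97, "Voltage": 231, "Current": 8.2},
})


def parse_sensor(topic, payload):
    """Extract (device topic, watts, kWh today) from a tele/+/SENSOR message.
    Returns None for other topics, malformed JSON or messages without an
    ENERGY block, so a subscriber can just skip them."""
    parts = topic.split("/")
    if len(parts) != 3 or parts[0] != "tele" or parts[2] != "SENSOR":
        return None
    try:
        data = json.loads(payload)
    except json.JSONDecodeError:
        return None
    energy = data.get("ENERGY") if isinstance(data, dict) else None
    if not isinstance(energy, dict) or "Power" not in energy:
        return None
    return parts[1], float(energy["Power"]), float(energy.get("Today", 0.0))


def command_url(host, cmnd, user=None, password=None):
    """Build a Tasmota HTTP command URL.  The command is percent-encoded so
    spaces and quotes survive; web credentials are only added when the plug
    has a web password set (Tasmota takes them as user/password params)."""
    params = {}
    if user is not None and password is not None:
        params["user"], params["password"] = user, password
    params["cmnd"] = cmnd
    return f"http://{host}/cm?{urlencode(params, quote_via=quote)}"


if __name__ == "__main__":
    # Placeholder address: replace with the plug's LAN address.
    host = "192.168.1.50"
    print(parse_sensor("tele/tasmota_1A2B3C/SENSOR", SAMPLE_SENSOR))
    print(command_url(host, "Status 8"))            # energy readings
    print(command_url(host, "Power On", "admin", "changeme"))
```

The parser is what a small MQTT-to-Grafana bridge would run for every message: it only ever touches messages on the SENSOR topic and silently drops anything that does not carry an ENERGY block, so a misbehaving device on the same broker cannot crash the collector.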

Problems

During the configuration of one of the plugs, I had some trouble with the WiFi connection. Indeed, I probably made a mistake in my AP configuration and it was neither possible to see my plug connecting to the WiFi, nor was a tasmota-XXX SSID available. In order to solve that problem, I reset the plug by doing a sequence of 7 fast on/off power cycles. When the Tasmota firmware detects this sequence, it resets the whole firmware. You can find more information here.

Some results

Here is my power consumption with my dishwasher, which I directly integrated into my Grafana.

[Image: grafana]