Hacking the SONOFF RF

Some time ago I bought two SONOFF RFs, the power switch with an ESP8266 inside. I wasn’t planning on using them out of the box, mostly because I don’t want another app on my phone. I have a home automation system and I want to control everything with the same app. My home automation system can control devices based on an HTTP call, so this should work.

While digging around on the internet, I found several sites which explain how to hack the normal SONOFF, without the RF. I liked this page but there are many others. Unfortunately, I couldn’t find any page on how to hack the SONOFF RF so I decided to figure it out myself.

I couldn’t get the ESP into flash mode, no matter how hard I tried. When you’re hacking the SONOFF, apparently you can use the button which is connected to GPIO0 to put it in flash mode, but that did not work on the SONOFF RF. Finally I decided to connect GPIO0 to ground straight from the chip and see what happens. That worked!

Let’s look at the chip layout:

esp8266_extra_gpio

The LNA (pin 2) should be easy to find since that is the antenna. I looked at the bottom of the board and found it. Forgive the lousy quality but you can see what I found:

antenna and gpio0

You can see C27 connected to the 2nd pin from the top on the left side. That aligns with the schematic above and this means that the 2nd pin from the right on the bottom side should be GPIO0. It runs to a resistor at which point I soldered a wire to it.

The rest of the connections are the same as with the normal SONOFF:

sonoffrf1.jpg

I soldered a strip to the board, from the button to the top the pins are:

  • 3.3V
  • TX
  • RX
  • GND
  • GPIO14

You connect the 3.3V to your FTDI module on the 3.3V, TX on SONOFF RF to RX on FTDI, RX on SONOFF RF to TX on FTDI and GND to GND. What I did is put a break switch on the line to the power because that way I can quickly reboot the SONOFF RF without unplugging the FTDI (reboot to put it in flash or take it out of flash):
(forgive the sloppy soldering 🙂)

SONOFF 2 FTDI

Almost there… Now I want to be able to put the SONOFF RF into flash mode whenever I want and apparently the button does not work. So I soldered a small push button (break if not pressed) between my wire on the bottom and GND but I made the button at the top so I can access it easily. I passed the wire to the front:

sonoffrf2

and connected it to the GND of the button of the SONOFF RF (which is the left side in the picture below) via a small push button:

sonoffrf3

Now if I want to put the ESP in flash mode, I push the button on the power cable (cutting the power to the ESP), push the small button (connecting GPIO0 to GND), release the power button (which boots the ESP) and after a short while release the small button because the ESP will now be in flash mode.

Now that I can program the ESP I can figure out why the regular push button does not work to connect GPIO0 to GND like in the normal SONOFFs.

In short, these are the connections:

  • The relay is connected to GPIO12
  • The LED is connected to GPIO13
  • The button is connected to GPIO0

Even though the button is connected to GPIO0, pushing it only brings GPIO0 to GND for a short while. Even if you keep the button pushed, it only briefly connects GPIO0 to ground, which is why you cannot use the button to put the ESP in flash mode. The reason is that the RF module does the same: pushing the button on the remote also causes GPIO0 to connect to GND, which is probably why they did something different with the button than in the normal SONOFF.

Now that we know that, we can build the program. We need to control the relay and the LED, and we need to watch the button/RF button through GPIO0.

I have created this simple program which should do the trick:

#include <ESP8266WiFi.h>
#include <WiFiClient.h>
#include <ESP8266WebServer.h>

// Replace with your network credentials
const char* ssid = "YourSSID";
const char* password = "YourPassword";

ESP8266WebServer server(80);

String pagePart1, pagePart2;

int sonoffLed = 13;
int sonoffRelay = 12;
int sonoffButton = 0;
bool buttonState = false;
bool powerState = false;

void powerOn (void) {
  digitalWrite(sonoffLed,LOW);
  digitalWrite(sonoffRelay,HIGH);
  powerState = true;
}

void powerOff (void) {
  digitalWrite(sonoffLed,HIGH);
  digitalWrite(sonoffRelay,LOW);
  powerState = false;
}

void switchPower (void) {
  if (powerState) {
    powerOff();
  } else {
    powerOn();
  }
}

void setup(void){
  pagePart1 = "<h1>SONOFF Switch</h1><br><br>Your switch is ";
  pagePart2 = "</font>.<br><br><a href='on'><button>ON</button></a> ";
  pagePart2 = pagePart2+"<a href=\"off\"><button>OFF</button></a></p>";
  // preparing GPIOs
  pinMode(sonoffLed,OUTPUT);
  pinMode(sonoffRelay,OUTPUT);
  pinMode(sonoffButton,INPUT); // GPIO0 is pulled to GND by the button and the RF module
  powerOff();

  Serial.begin(9600); 
  Serial.println("");
  WiFi.begin(ssid,password);

  // Wait for connection
  while (WiFi.status() != WL_CONNECTED) {
    delay(500);
    Serial.print(".");
  }
  Serial.println("");
  Serial.print("Connected to ");
  Serial.println(ssid);
  Serial.print("IP address: ");
  Serial.println(WiFi.localIP());

  server.on("/",[](){
    String tmp = pagePart1+"<font color=";
    if (powerState) {
      tmp = tmp+"green>on";
    } else {
      tmp = tmp+"red>off";
    }
    tmp = tmp+pagePart2;
    server.send(200,"text/html",tmp);
  });
  server.on("/on",[](){
    String tmp = pagePart1+"now switched <font color=green>on"+pagePart2;
    server.send(200,"text/html",tmp);
    powerOn();
    delay(1000);
  });
  server.on("/off",[](){
    String tmp = pagePart1+"now switched <font color=red>off"+pagePart2;
    server.send(200,"text/html",tmp);
    powerOff();
    delay(1000); 
  });
  server.begin();
  Serial.println("HTTP server started");
}
 
void loop(void){
  server.handleClient();
  bool currentState = digitalRead(sonoffButton);
  if (currentState!=buttonState) {
    buttonState = currentState;
    if (buttonState==LOW) {
      switchPower();
    }
  }
  delay(50);
}
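
The /on and /off handlers in the sketch above switch the relay for any GET request that reaches port 80. As an added example (not part of the original post), the check below accepts a relay request only when it is a POST carrying a shared token, compared in constant time. The function names, the "token" argument and the sample secret are assumptions; the logic is plain C++ so it can be compiled off-device, and in the sketch it would be fed from `server.method() == HTTP_POST` and `server.arg("token")`.

```cpp
#include <cstddef>
#include <cstdio>
#include <cstring>
#include <string>

// Hypothetical shared secret (constructed sample). On a real device use a
// long random value per switch and keep it out of published source.
static const char* const kRelayToken = "constructed-sample-token-0001";

// Compare without an early exit, so the time taken does not reveal how many
// leading characters of a guess were correct. A length mismatch is folded
// into the result instead of returning immediately.
bool tokenMatches(const std::string& supplied, const char* expected) {
  const size_t expLen = std::strlen(expected);
  unsigned char diff = (supplied.size() == expLen) ? 0 : 1;
  for (size_t i = 0; i < supplied.size(); ++i) {
    // Index modulo expLen keeps the read in bounds when lengths differ.
    const unsigned char e = expLen ? expected[i % expLen] : 0;
    diff |= static_cast<unsigned char>(supplied[i]) ^ e;
  }
  return diff == 0;
}

// Decide the HTTP status for a relay request before any GPIO is touched.
// isPost:   true when the request method is POST (browsers issue GET for
//           plain links and images, so state changes should not ride on it).
// supplied: value of the hypothetical "token" request argument.
// Returns 200 (switch the relay), 405 (wrong method) or 401 (bad token).
int relayRequestStatus(bool isPost, const std::string& supplied) {
  if (!isPost) return 405;
  if (supplied.empty() || !tokenMatches(supplied, kRelayToken)) return 401;
  return 200;
}

int main() {
  std::printf("GET+token=%d POST+wrong=%d POST+token=%d\n",
              relayRequestStatus(false, kRelayToken),
              relayRequestStatus(true, "wrong"),
              relayRequestStatus(true, kRelayToken));
  return 0;
}
```

The token still travels in clear text over plain HTTP, so this only limits who can switch the relay on a network where the traffic cannot be observed.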

The nice thing about the way the SONOFF RF is designed is that the RF part is completely separate from the ESP part so after reprogramming the ESP, the RF still works as originally designed. This means that you can still program the RF receiver as you would normally:

sonoff_rf_pair_with_433-1

Press the button on the SONOFF RF twice quickly and then press a button on the remote. This button will then be linked to the RF and can be used, with the above program, to turn the switch on and off.

7 thoughts on “Hacking the SONOFF RF”

  1. Waow, great solution… it works like a charm. Just putting a native switch between gpio0 and gnd and holding it while inserting the usbFTDIplug. The led should not flash and remain totally off.
