uKasa uKasa - A utility script that manages Kasa smart outlets and switches with Asuswrt-Merlin routers

[JGrana]

This is my power strip. I have 2 of them. From the support page you can find there's different hardware version. Mine is version 1 and 2. In case something went wrong by PM I attach my log files here for your reference. Looks like the attachment need has file extension. So I just add .txt to them.

Thanks. It looks like the response from the power strip had a type field of "null". Wonder if the power strips need a different decode.
Let me look into this.

Thanks!

 

[sfx2000]

NOTE nmap is usually pretty good about finding all the Kasa devices. Once in a while it might miss one. If the number of devices it reports found doesn't match with what you believe, run ukasa in discover mode

Have you addressed this security concern?

nmap is bad news on a bastion host - this really isn't something you want installed on a device that can be exposed to the internet.

 

[Adamm]

The last thing you want running on your firewall is a tool that is specifically designed to do network recon for addtional vulns and targets for exploits...

If someone has the ability to execute malicious code on your router I think they have a lot bigger ideas and capability then using a niche script that’s preinstalled to communicate with some power strips.

 

[sfx2000]

I have put together YetAnotherUtility that runs on Asuswrt-merlin routers and is used to manage and operate TP-Link Kasa Smart Plugs and Switches. It can show the present state of the plug or switch (Off/On) and if supported how much power it is supplying (along with line voltage). There is also a "monitor" mode that will show the line voltage, current, Watts and Watt Hours continually (until Enter is pressed)

I originally did this for some issues I was having with an AiMesh node. At times, the node would go "offline" and I found that a power cycle always brought it back.

What problem are you trying to solve here? The Kasa app works fine, and better yet, it works over the internet.

If the Kasa device is dropping offline, this doesn't require a new application/script...

Fix the AIMesh issue first.

 

[sfx2000]

If someone has the ability to execute malicious code on your router I think they have a lot bigger ideas and capability then using a niche script that’s preinstalled to communicate with some power strips.

Have you looked at most of these Asus Add-On from a security perspective?

I guess not...

 

[Kingp1n]

Oh boy...here we go again lol

 

[sfx2000]

Oh boy...here we go again lol

So I guess you treat security lightly then?

 

[Maverickcdn]

I've run George Georgovassilis' version of this on my server for years now, works great, nice to see it adapted for use with asuswrt-merlin

edit: Just realized the one I linked is a different version than what I have saved. Mine is much more complex, the git version is much simpler and works after adding -w1 to the netcat command (on my debian system).

 

[sfx2000]

If someone has the ability to execute malicious code on your router I think they have a lot bigger ideas and capability then using a niche script that’s preinstalled to communicate with some power strips.

Don't provide an easy door to be opened...

I'm really surprised that folks don't consider this...

 

[L&LD]

@Adamm, @sfx2000, I always really appreciate getting both perspectives.

Even if I err on the side of security.

 

[dave1000]

@JGrana I found your script while trying to fix an issue with a buggy HP printer that occasionally needs a re-power to remain reachable; thanks it totally works! Along the way, I discovered an issue that can crop up when GNU NetCat is installed on the AsusWRT Merlin router using Entware (I needed it to use nc -z for checking the printer's status). GNU NetCat will take over as the default NC rather than the BusyBox NetCat and the uKasa script will hang for a long time when running the send_to_plug() routine. I fixed the problem on my router by editing the routine to hard code the location of the BusyBox NetCat binary:

Before:

send_to_plug() {
   ip="$1"
   port="$2"
   payload="$3"
   if ! echo -n "$payload" | base64 ${BASE64DEC} | nc $NCOPTS $ip $port
   then
      echo "couldn't connect to $ip:$port, nc failed with exit code $?"
   fi
}

After:

send_to_plug() {
   ip="$1"
   port="$2"
   payload="$3"
   if ! echo -n "$payload" | base64 ${BASE64DEC} | /usr/bin/nc $NCOPTS $ip $port
   then
      echo "couldn't connect to $ip:$port, nc failed with exit code $?"
   fi
}

Maybe not an ideal fix, but a NetCat vendor conflict may be important to keep in mind.

 

[JGrana]

@JGrana I found your script while trying to fix an issue with a buggy HP printer that occasionally needs a re-power to remain reachable; thanks it totally works! Along the way, I discovered an issue that can crop up when GNU NetCat is installed on the AsusWRT Merlin router using Entware (I needed it to use nc -z for checking the printer's status). GNU NetCat will take over as the default NC rather than the BusyBox NetCat and the uKasa script will hang for a long time when running the send_to_plug() routine. I fixed the problem on my router by editing the routine to hard code the location of the BusyBox NetCat binary:

Before:

send_to_plug() {
   ip="$1"
   port="$2"
   payload="$3"
   if ! echo -n "$payload" | base64 ${BASE64DEC} | nc $NCOPTS $ip $port
   then
      echo "couldn't connect to $ip:$port, nc failed with exit code $?"
   fi
}

After:

send_to_plug() {
   ip="$1"
   port="$2"
   payload="$3"
   if ! echo -n "$payload" | base64 ${BASE64DEC} | /usr/bin/nc $NCOPTS $ip $port
   then
      echo "couldn't connect to $ip:$port, nc failed with exit code $?"
   fi
}

Maybe not an ideal fix, but a NetCat vendor conflict may be important to keep in mind.

Thanks @dave1000 . I'll update the github source!

 

[SoFluffy]

First, thanks @JGrana for this tool. I've been using this for some automation for about 2 months, which I recently noticed was broken. Being transparent, I haven't done much troubleshooting other than rebooting my router. I wanted to share what I'm experiencing first before changing anything.

My Setup
* RT-AX86U Pro, Merlin 3006.102.4
* Installed latest version of your script (about 2 months ago)
* Entware, Skynet, vnStat, scMerlin, Dual WAN Failover

Second data point is that I had initially installed this on one of my Mesh nodes for testing, and it is also now producing the same error:

od: cannot skip past end of combined input

I'm trying to remember my order of operations here, but I believe the culprit may be due to implementing Dual WAN (in the router, along with the Dual WAN Failover from amtm). I swear I tested this end to end after that but may be wrong.. I haven't updated to the latest Merlin (for reasons), haven't updated Entware, and have even had the Kasa switches blocked from internet access so nothing can be updated/changed there. The Dual WAN Failover is the only potential change.

I get that error every time I run the script, no matter which command I try to run. I'm no longer able to query the state of the device (returns "OFF" even though it's on). Trying to run "ukasa refresh" finds the devices, but isn't able to pull the names or other info:

root@RT-AX86U_Pro-FE60:/jffs/scripts# ukasa refresh
myip  subnet port: 192.168.5.1 192.168.5.0-255 9999
Scanning local network for Kasa plugs and switches
This can take a minute or two...(ignore any RTTVAR messages)
Checking devices and names...
od: cannot skip past end of combined input
od: cannot skip past end of combined input

Found 2 Kasa devices on the network

ukasa: Here are the Kasa devices found:

Device IP      Hostname  Model    Type  Features  Alias
--------------------------------------------------------
192.168.5.201  b00027    Unknown
192.168.5.202  b00364    Unknown

The fact that it worked perfectly on 2 Asus devices and is now broken on both of them (with no other known changes) makes me think the Dual WAN setting and/or the Dual WAN Failover script is messing with the LAN broadcast or something to that effect. I might have some "approved downtime" this weekend to disable Dual WAN and uninstall the Dual WAN Failover script and see if that restores the ukasa functionality, although I really need Dual WAN to work.. Any ideas? Am I barking up the right tree? Does anyone else have this working along with Dual WAN?

 

[JGrana]

Sorry you’re having issues! The error from od has to do with the decode function (the Kasa devices return encoded messages). od is told to skip the first 4 bytes of the message (header).
It appears that it is having issues getting the response message from the devices.

See how big the file /jffs/addons/ukasa/kpresonse is. This would be the file od is trying to decode.

 

[SoFluffy]

Thanks @JGrana. /jffs/addons/ukasa/kpresponse is empty. It does find the 2 devices, but something else is going wrong:

root@RT-AX86U-F1B8:/jffs/addons/ukasa# ls -l
-rw-rw-rw-    1 root    root             0 Oct 29 19:44 kpresponse
drwxrwxrwx   2 root    root             0 Oct 28 20:41 saved
-rw-rw-rw-    1 root    root            49 Oct 28 20:41 ukasa.conf
-rw-rw-rw-    1 root    root            58 Oct 29 19:44 ukasa.devices
-rw-rw-rw-    1 root    root            38 Oct 29 19:44 unknownkasa1
-rw-rw-rw-    1 root    root            38 Oct 29 19:44 unknownkasa2

I uninstalled and reinstalled this last night on my mesh node. Same behavior. I guess it now seems obvious that od is trying to trim bytes that don’t exist. So now the mystery is why that file is being written null. I can probably piece it together from your script, but do you have a quick one liner I can run to query manually and see the raw output? Or any other debugging ideas?