Introduction: MEROSS MSS620 -- a Journey Into Strangeness

By Detlef Amend media
About: Hard- and Software developer. Knows his way around servers, clients and all that internetz stuff. Sleeps a lot.

A friend of mine needed needed some wifi controlled power outlets for her balcony - you know, the usual stuff: watering plants, bringing up the lights when it gets dark. So after some browsing the web, I came up with the MEROSS MSS620 - two power outlets, wifi controlled.

Of course I wasn't looking to keep the original firmware - maybe I'm oldschool, but I don't like trusting some obscure chinese company with my WiFi password ;) Since I couldn't find any info about that specific model, I opted to go with my guts: 2.4GHz Wifi, some app... right: sounds like ESP8266.

Step 1: Open Up!

The parcel arrived, and there it was: A fairly familiar looking MCU Module, RX, TX, GND and some jumper labeled "KEY". Grabbed my continuity meter and confirmed: all those signals go where I would expect them to go for an ESP12 - this is going to be easy... so I thought.

!!!! One word of caution before I proceed: never operate a device that uses mains voltage open! Mains voltage can seriously harm you, in the worst case kill you! If you have no Idea what to do about mains voltage, ask someone who does! If you don't know anybody, who can help you - dont't touch that stuff !!!!

Anyways - grabbed a USB Serial adapter and connected to RX/TX/GND - worked like a charm. The output was 9600 baud, the MCU gave a bunch of cryptic status messages, nice sign of life. ESP8266's GPIO0 must be pulled to GND to get the MCU into flash mode - so a jumper across the KEY pins, powering up the system... why is the MCU still talking to me? That's right: no change, if the KEY jumper was closed or open - that's impossible for an ESP12.

I was getting tired of plugging-unplugging the device, so I powered the system though the 3v3 of my USB-Serial adapter and tried the hardware reset of the module - that didn't do anything, either. WTH??

Measuring some more control pins of the module didn't help at all: there should be some pullups, that should be detectable with a simple meter - they werent.

So I deciided to go the hard way: I knew that all the needed pins where at the right place for a ESP12 module. Let's get one in there!

Step 2: Something Familiar

A bit out of the right tools for the job I successfully desoldered the MCU module and dropped a fresh ESP12 in - bang, worked out of the box.

Step 3: Who Are You?

But I was curious: what had I just removed? Getting rid of the HF Shield explained the strange behaviour: that wasn't an ESP module at all! Inside I found a MediaTek MT7662 - a bit a mix between an ESP8285 and an ESP32, single chip MCU, Wifi & BT.
So I guess, that the development intended to use an ESP12 module - that's why there's the KEY jumper. Somewhere along the way they switched MCU Modules.

So - the MSS620 is hackable. But be aware that it takes some soldering and getting rid of the MCU module.

If you're interested of the pin assignment:

Relays/Channels: IO12 / IO4

LEDs: IO5 (green/lower) / IO13 (red/top)

Switch: IO14 (Pulldown, so read it via INPUT_PULLUP)