Adventures with Sonoff Zigbee Bridge #8583
Comments
|
The form factor is cool and similar to the Sonoff RF Bridge, in white.
Opening the box is super easy, remove the 4 rubber protections, and unswcrew. As reported before, it is based on ESP8266EX so flashing Tasmota shouldn't be hard.
The good news is that pads are easily accessible. Sonoff made available lots of GPIOs, although it looks only RX/TX (GPIO1/3) are used to communicate with the Zigbee module. There is a Useful pads: GPIO1, GPIO3, GPIO0, 3.3V, GND, Z_RST We'll however need to wait a little more to analyze the protocol, my logic analyzer is arriving next week. |
|
First test with the Sonoff Zigbee Bridge in pairing mode, using another Z2T in device mode. The Z2T device finds the Sonoff coordinator, connects to the network but then nothing happens, the device does not receive any more packets from the coordinator. It looks like Sonoff is restricting to its own devices, either filtering on IEEE Address, or waiting for a specific packet. |
effelle
added
pinned
|
Listening to TX at boot, 76800 bauds, 8N1, here is what is printed to Serial: Then the ESP pulls down The MCU sends two identical frame burst at 115299 bauds: The first is sent at power-up, then the ESP resets the MCU and it sends it again. Edit: corrected baud rates. |
|
Here is the complete sequence at start (115200 bauds, 8N1):
Edit: encoding looks similar to the one used by CC2530:
|
|
So it starts with fe followed by the total byte count |
|
Aha, listening to the UART port of the MCU: First sequence: 52ms later: Then after the ESP pulls down MCU Reset, we see a similar sequence again: And 175ms later: |
|
@s-hadinger It would be absolutely great if that SONOFF ZBBridge (SONOFF Zigbee Bridge) already has its firmware based on EmberZNet Zigbee Stack with their standard EZSP (EmberZNet Serial Protocol) serial protocol interface / API over UART bus on the EFR32 base MCU, as it now looks to have. If it already has EmberZNet firmware with EZSP interfaces then will hopefully not need to worry about any firmware upgrade of in the first place and instead just focus on hacking its ESP8266 instead and maybe offering a serial server service (like ser2net or similar) to offer remote access the Zigbee module. Otherwise, if the Zigbee SoC module used in the SONOFF ZBBridge (SONOFF Zigbee Bridge) is at all similar to other Silicon Labs EFR32 family modules, like the E180-ZG120B by Ebyte, then at least according to the Ebyte manual can flash the firmware on EFR32 module with J-Link over GPIO/JTAG. JTAG
SWD (Serial Wire Debug)
In the Ebyte E180-ZG120B manual, the "burning program" sais that GPIO pins for J-Link interface is:
FYI, there's also a related discussion about flashing firmware on these type of EFR32 modules here: If still are serious about flashing that firmware then checkout a Silicon Labs document called AN136 Maybe it is possible to just use the Command-Line Interface (CLI) of Simplicity Commander as it supports using Serial Wire Debug (SWD) or Joint Test Action Group (JTAG) as the target interface? AN136 otherwise refers to other documents for many different methods, like SWD, JTAG, and C2:
MarkDing who work at Silicon Labs summarized their Serial Wire Debug (SWD) in their forum here: The same @MarkDing also maintains a wiki about development with Silicon Labs IoT MCU SoCs: |
|
More data: When entering Pairing mode, MCU sends: MCU responds: MCU logs: Edit: sending a new Pairing mode request shows: It shows that the n-2 byte is actually a sequence number, probably so that the ESP knows which response correspond to which request. |
|
Aborting Pairing mode: |
|
Finally, when trying to join the network from a Z2T device, the MCU logs the following but does not report to the ESP: It looks like Ember layer did accept the connection, but the app layer dropped it; probably filtering based on IEEE address. |
|
Connecting to the EFR32 with a JLink probe (SWD mode using Or Sonoff is kind enough to give the unlock key? |
|
Excellent work so far! I see they have a new board revision listed on yours. I'll have to compare to see what changed. |
According to that screenshot, there is no unlock key on the device, so Sonoff wouldn't be able to give you one either way :) |
|
Sounds as if don't need an unlock key to erase & flash firmware via JTAG interface or SWD interface: Simplicity Commander support CLI as the target for EFx32 but it is not open-source or for Arduino. "Simplicity Commander is a software package provided by Silicon Labs that provides a very powerful GUI and command-line utility for working with your EFR32 parts. With Simplicity Commander you can flash firmware (bootloaders and applications), update the WSTK firmware, reset locked parts and unlock debug access. It is the EFR32 version of the ISA3 Utilities." Simplicity Commander GUI and CLI interfaces with software download for Linux, Mac, and Windows. Simplicity Studio also includes a simpler tool called "Flash Programmer" that allows the user to flash the device with a binary or hex file, supporting flashing to EFM8, EFM32, C8051, EZR32, and EFR32. |
|
Will you brick the EFR32 if erasing application firmware also erases the bootloader firmware? That is if erasing the bootloader firmware is not optional, sounds strange if that is not optional? If that is the case and EFR32 gets bricked then can you still unbrick it by flashing a new bootloader via the JTAG or SWD interface on EFR32 using just a Raspberry Pi / Arduino or will you need a purpose-built debugger for EFR32 or an official EFM32 Gecko Development Kit to unbrick it? |
ITead (Sonoff) as a company has benefited a lot from alternative firmware from the community in the past and there are today more aware of that fact so would not hurt for you to ask. Suggest that you sent a mail to "Jerry Shi" <jerry.shi 'at' itead.cc> and "Stan Li" <stan.li 'at' itead.cc> and explain that you are an open-source developer from the Tasmota community that is looking into developing an alternative firmware for the Sonoff ZBBridge and are therefore wondering if they could share the key to disable the debug lock. Jerry Shi and Stan Li I have no affiliations to ITead/Sonoff myself however in the past I have sent a few questions or suggestions to them and got relatively quick replies from Jerry Shi and Stan Li. I think that Jerry is in marketing at ITead so he has to pass on the technical questions to the developers, however, I know he helped the community in the past and since he is in marketing I assume he would especially helpful if it directly or indirectly helps ITead sell more products, which is something Tasmota surely does. |
|
Again, there is no secure boot key installed in the device, so there are no obstacles to mass-erasing and writing a new bootloader + application over SWD. The only thing you cannot do is reading out the current firmware. Whether or not a new firmware can be flashed through the use of the factory-installed bootloader depends on how that bootloader is configured. If ITead's bootloader requires a signed and/or encrypted upgrade image, then those keys would be relevant in order to leverage the factory bootloader for upgrading over the UART interface, instead of having to go through JLink. |
|
Unlocking / disabling debug lock also erase all data to prevent reading or? That is, does it also do a full erase of bootloader + application firmware? That part is still unclear for me even after trying to interpret that from these: |
|
@Hedda correct. Unlocking a locked device, or disabling a debug lock that has been set, will result in an erase of main flash and RAM. Some devices in EFR32 Series 1 (e.g. EFR32MG12) have a separate flash area where a bootloader optionally can reside. |
just now tested. btw my board has different ROHS certification logo , rest PCB looks same ps - i am not able to find path of ERX , ETX on EFR chip so directly tested from breakout / test point instead of EFR chip |
thank you so much. |
|
@Tech-freak you need to test from the other side of the board too. You could have a breakout of the 2 sides. The connection for the EFR is on the other side goes to R11-R12 |
|
TX and RX is pad 2 and 3 on and then to R12 and R11the module and it should being PCB traces on the underside of the main PCB to the 2 red marked points and from there to the ESP. Edit: R12 and R13 |
not possible to check from back ig @cjitariu @MattWestb by any chance if you have hub can you please check it ? |
|
You can following them on the underside to the red marked points: |
|
Most likely is its some micro cracking in the PCB between upper and under layer in the hole marked ERX and ETX. |
red (ERX.ETX) marked points(back side) to ESP is okay , not getting any signal on R12/R13 or pad 2/3
if someone confirms continuity then i might try soldering jumper wire to R12/R13 from ERX/ETX |
|
You can following the trace on the underside of the PCB. |
|
Yes i got that but just need confirmation from someone so can do soldering stuff |
|
I can soldering stuff. |
|
If you is having one USB-Serial adapter you can soldering GND, RX and TX (and 3.3V if you like power the module from USB then flashing) and dont need modding the PCB. |
sir by any chance are you available on skype/discord ? |
Noticed the one I flashed has the ROHS logo. No issues with it so far. |
|
Would OTA updating from Tasmota 8.5.1 to 9.2.0 be likely to cause any problems that anyone is aware of? |
Did it on many devices, with no problems whatsoever. |
|
Thanks - do you mean many of these specific devices, though? The brand new 9.2.0 has some real advantages, native HA integration being the loudest, but I put myself into the position of having no other Zigbee coordinator on hand, so I am treading lightly. |
Yes. However I misread your question - I've been using betas, 9.1.x.x - without problems. Will check 9.2 out now. |
|
Thanks mate, worked like a champ. 😇 |
|
Did somebody found a circuit diagram of this device? |
|
Look here #8583 (comment) GPIO12-GPIO15 are already used. |
|
Oh thank you |
|
The MCP2515 is having SIP interface :-( |
|
I guess as CAN is a relatively fast bus I2C is to slow. NMEA2000 would need 250 kbit/s and I doubt thats possible or stable with I2C |
|
Its depends of the devices (hardware) and the (software) implanting of the drive in the hosts. And Wikipedia is writing : max speed : 5 Mbit/s | Corrected two graphs. This is the current standard. |
|
Sorry its looks like wikipedia is having wrong but its more than enough for 250 kbit/s |
|
i using many sonoff devices with tasmota but zigbee kill me after the flashing issue.i flashed zbbrige.bin file and all is ok .after flashing i see the device in ap mode like tosomota device and i access to them with 192.168.4.1 address and setup local wifi address. |
|
@crolaser |
and others
Have you looked for this feature in other issues and in the docs?
Yes
Is your feature request related to a problem? Please describe.
This issue is opened to track progress for the support of Sonoff Zigbee Bridge.
Describe the solution you'd like
Z2T full support, like with CC2530.
Describe alternatives you've considered
CC2530
Additional context
This issue is only to report about progress and issues on the Sonoff Zigbee Bridge with Tasmota. It shall not contain any speculation like in #8197. All speculations should stay in #8197.
The text was updated successfully, but these errors were encountered: