Skip to content
Hacking the IKEA TRÅDFRI light bulbs and accessories.
Branch: master
Clone or download
basilfx Merge pull request #23 from rosek86/master
Add dimmer pinout + schematic
Latest commit 429af07 Oct 1, 2018

README.md

Hacking the IKEA TRÅDFRI

Introduction

The IKEA TRÅDFRI family of products provide you with several lighting solutions that interconnect using ZigBee Light Link.

If we take a simple GU10 light bulb, it contains:

  • Power supply
  • LED driver
  • IKEA TRÅDFRI module

The tiny IKEA TRÅDFRI module is used in many of their products, and is actually a small piece of circuit board with pins exposed. This board uses the energy-efficient Silicon Labs EFR32MG1P132F256GM32 microcontroller (MCU), which is a ARM Cortex M4 with 256 KiB of flash and 32 KiB of memory.

You can take out the board, and hook it up to your own lighting solutions. Or, you can flash it with your own firmware, for other purposes.

To find relevant products, I have compiled a list of IKEA TRÅDFRI products (please help me to update this list).

Components

I have been able to identify the following parts on a IKEA TRÅDFRI module:

I'm not entirely sure about the flash, but at least the JEDEC ID command and Product ID command (see table 8.4) match up when tested. I'm very certain that the SPI Flash component is correct. The original firmware contains strings that refer to the exact part number. However, it also contains references to other SPI flash components, so your module may contain another one.

Pinout

I found a pinout on this website.

IKEA TRÅDFRI module pinout

Marco van Nieuwenhoven has provided more information about the PCB, copper traces and the schematics on his website.

Flashing using JTAG

To connect to an external JTAG/SWD debugger, connect as follows:

  • PF0 -> SWCLK
  • PF1 -> SWDIO
  • PF2 -> SWO
  • RESETn -> RESETn
  • GND -> GND
  • VCC -> VCC (3v3)

In my case, I could leave the module in the light bulb, but for flashing I provided my own power supply by hooking it up to the VCC line directly.

I'm working on a small PCB that can host a TRÅDFRI module. You can find it in the pcbs folder.

Software used

You can use software like JLink or OpenOCD to flash the target.

If you use JLink, you can use the command below to connect to the board:

JLink -If SWD -Speed 5000 -Device EFR32MG1PXXXF256

To dump the flash contents, use the command below (0x40000 is 256 KiB):

savebin output.bin 0x0 0x40000

To load a flash from file, use the following command:

loadbin output.bin
verifybin output.bin 0x0

I have confirmed that you can dump the flash, erase the device and load it again, and the light bulb will still work.

An analysis of the firmware encountered in the GU10 light I bougth can be found in FIRMWARE.md.

Custom firmware

The chip is a normal Cortex M4. You can flash it with anything. As a starting point, you could take a look at this pull request for RIOT-OS. To get started.

I've added some firmwares in the firmwares folder.

As a proof of concept, check out this YouTube video I made. In there, I show how I control the LED connected via a serial console.

Isolation

If you plan to leave the board in-place, and run your own light bulb firmware, never connect external devices (e.g. debugger or serial adapter) to a light bulb that is plugged in. Due to different voltage levels, you could destroy your devices.

If you want to connect an external device, ensure that it is properly isolated (e.g. using a optocoupler).

I have designed a board that you could use to isolate UART signals. You can find it here.

Pictures

Front of the TRÅDFRI module:

Back of IKEA TRÅDFRI

Back of the TRÅDFRI module:

Front of IKEA TRÅDFRI

My setup (the small board is a UART isolator):

Setup

My safer setup, including debugger (LED is connected to same pin as it would in the GU10 light):

Setup

Relevant sources

I have gathered some information from the following sources:

License

Creative Commons BY Attribution 4.0 International

Disclaimer

This page and its content is not affiliated with IKEA of Sweden AB.

The purpose of this project is to learn and improve using reverse engineering techniques. Use this information on your own risk.

You can’t perform that action at this time.