Hacking the IKEA TRÅDFRI
- Flashing using JTAG
- Software used
- Custom firmware
- Relevant sources
If we take a simple GU10 light bulb, it contains:
- Power supply
- LED driver
- IKEA TRÅDFRI module
The tiny IKEA TRÅDFRI module is used in many of their products, and is actually a small piece of circuit board with pins exposed. This board uses the energy-efficient Silicon Labs EFR32MG1P132F256GM32 microcontroller (MCU), which is a ARM Cortex M4 with 256 KiB of flash and 32 KiB of memory.
You can take out the board, and hook it up to your own lighting solutions. Or, you can flash it with your own firmware, for other purposes.
To find relevant products, I have compiled a list of IKEA TRÅDFRI products (please help me to update this list).
I have been able to identify the following parts on a IKEA TRÅDFRI module:
I'm not entirely sure about the flash, but at least the JEDEC ID command and Product ID command (see table 8.4) match up when tested.
I'm very certain that the SPI Flash component is correct. The original firmware contains strings that refer to the exact part number. However, it also contains references to other SPI flash components, so your module may contain another one.
I found a pinout on this website.
Marco van Nieuwenhoven has provided more information about the PCB, copper traces and the schematics on his website.
Flashing using JTAG
To connect to an external JTAG/SWD debugger, connect as follows:
- PF0 -> SWCLK
- PF1 -> SWDIO
- PF2 -> SWO
- RESETn -> RESETn
- GND -> GND
- VCC -> VCC (3v3)
In my case, I could leave the module in the light bulb, but for flashing I provided my own power supply by hooking it up to the VCC line directly.
I'm working on a small PCB that can host a TRÅDFRI module. You can find it in the pcbs folder.
If you use JLink, you can use the command below to connect to the board:
JLink -If SWD -Speed 5000 -Device EFR32MG1PXXXF256
To dump the flash contents, use the command below (0x40000 is 256 KiB):
savebin output.bin 0x0 0x40000
To load a flash from file, use the following command:
loadbin output.bin verifybin output.bin 0x0
I have confirmed that you can dump the flash, erase the device and load it again, and the light bulb will still work.
An analysis of the firmware encountered in the GU10 light I bougth can be found in FIRMWARE.md.
The chip is a normal Cortex M4. You can flash it with anything. As a starting point, you could take a look at this pull request for RIOT-OS. To get started.
I've added some firmwares in the firmwares folder.
As a proof of concept, check out this YouTube video I made. In there, I show how I control the LED connected via a serial console.
If you plan to leave the board in-place, and run your own light bulb firmware, never connect external devices (e.g. debugger or serial adapter) to a light bulb that is plugged in. Due to different voltage levels, you could destroy your devices.
If you want to connect an external device, ensure that it is properly isolated (e.g. using a optocoupler).
I have designed a board that you could use to isolate UART signals. You can find it here.
Front of the TRÅDFRI module:
Back of the TRÅDFRI module:
My setup (the small board is a UART isolator):
My safer setup, including debugger (LED is connected to same pin as it would in the GU10 light):
I have gathered some information from the following sources:
Creative Commons BY Attribution 4.0 International
This page and its content is not affiliated with IKEA of Sweden AB.
The purpose of this project is to learn and improve using reverse engineering techniques. Use this information on your own risk.