Replies: 21 comments
-
I don't know what you consider 'full' dump of the firmware, but in the firmware dir there are some dumps/update files. https://github.com/basilfx/TRADFRI-Hacking/tree/master/firmwares/ikea/otau/stable
-
For my understanding, the ota firmware is only part of the entire firmware. The bootloader and the identifier, whether it is a switch, or a bulb, is not included in the ota firmware.
-
ah right, well a few levels up is a JTAG dump of the full firmware, that bas was able to read and restore. so there's that.
-
I was able to dump a firmware, overwrite it with something else and load it again using the steps mentioned here. Like @oliv3r, you need to have a dump of the full firmware first ;-)
-
I have now put up for testing the firmware led1650r5-1.2.214.bin. The connected LED behaves as expected, but I can not find the chip through the gateway. In the folder of the firmware I also found the file led1650r5-1.2.214.strings. Can it be that important configurations are included here? How can I first save the configurations of my chip and how can I then upload the led1650r5-1.2.214.strings to the chip?
-
The strings file is just a dump of all the strings that can be found (using You probably need the contents of the SPI chip as well. However, I never attempted to dump it (should be easy though).
-
I am also interested in a full dump of the flash and SPI-chip-dump. Same idea here: Turning the remote into a RGBW ZigBee Controller. I found an image of the PCB of the RGBW bulb: https://i.ibb.co/V3Gb5qT/3xtUrUX.png seems to use another kind of Zigbee-Module-Board. Maybe same CPU.
-
looks like a slightly different board layout, the board is the same, just antenna and contacts seem to be different ... maybe an earlier proto? a new board would need new FCC certification ...
-
Agreed should be same hardware - just different layout even the GPIO pin count is the same. Just an Idea: RIOT-OS is supported from now as far as I know. Can we just dump the flash with a simple firmware that reads the flash contents over SPI and output it over serial? And flash this dump with it onto a different device. After this just flash the original firmware with JTAG. Should work? ZigBee MAC is another point - hopefully it's generated by HW.
-
Update: I finally got the dimmable white bulb 1000lumen software flashed on the remote. For pairing I used this instruction:
I also did some flash dumps and it seems that the app just uses the simulated eeprom for persisting data. Hopefully I made someone happy out there - you can turn a 5€ remote into a hue compatible controller.
-
I'm trying the opposite, can you elaborate on how you succeeded in this? I've tried via STLink-v2 and openocd, but it gives me an "Unknown MCU Family"
-
You might find the information in the guide useful, even if it is in Danish: It tells how to use JTAG to dump or flash the ZigBee module.
-
Thanks CableCatDK, that was a huge help! It's your PCB design I'm tinkering with :)
-
Can you please describe how you got ST-Link v2 working. I just got one now, and I want to make a guide for Windows users.
-
Normally bulbs share the same firmware, but the different model / settings are stored in the userdata, which is not erased by a normal internal flash erase. Reg 0 = Flash (256K). MAC and radio calibration are written in the chip and then write-protected from the factory. More info on SWD flashing: Flashing the ICC-1 Module
-
Hi there,
-
I think byes of them is not so "hacky" and they are a little more expensive than the cheapest bulb. You can try "extracting" the firmware from the OTA file, which is wrapped with a signature: you only need to find the start of the code part and cut the header and the trailing signature part away, then all the code is not encrypted. I have seen scripts that extract the metadata from an OTA file and can then extract the APP (the main flash part) from it, but I can't find them at the moment.
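The extraction described in the comment above, sketched as an added example (not a script from this thread or from any participant). It assumes the wrapped file embeds a standard Zigbee OTA cluster image (file identifier 0x0BEEF11E, 56-byte mandatory header, tag/length sub-elements), which the thread does not confirm for these files; the sample bytes, manufacturer code and name are constructed.

```python
import struct

OTA_MAGIC = 0x0BEEF11E          # Zigbee OTA upgrade file identifier
FIXED_HDR = "<IHHHHHIH32sI"     # mandatory header fields, 56 bytes

def parse_ota(blob):
    """Find the OTA image inside a wrapped file; return (header, sub-elements)."""
    start = blob.find(struct.pack("<I", OTA_MAGIC))
    if start < 0:
        raise ValueError("no Zigbee OTA header found")
    if len(blob) - start < struct.calcsize(FIXED_HDR):
        raise ValueError("truncated OTA header")
    (_, _ver, hdr_len, _fc, manuf, img_type, file_ver, _stack,
     name, total) = struct.unpack_from(FIXED_HDR, blob, start)
    end = start + total             # total image size counts from the header start
    if hdr_len < struct.calcsize(FIXED_HDR) or end > len(blob):
        raise ValueError("header length or image size out of bounds")
    header = {"offset": start, "manufacturer": manuf, "image_type": img_type,
              "file_version": file_ver,
              "name": name.rstrip(b"\x00").decode("ascii", "replace"),
              "trailer_bytes": len(blob) - end}   # e.g. an appended signature
    elements, pos = [], start + hdr_len
    while pos < end:
        if end - pos < 6:
            raise ValueError("truncated sub-element header")
        tag, length = struct.unpack_from("<HI", blob, pos)
        pos += 6
        if pos + length > end:
            raise ValueError("sub-element overruns image")
        elements.append((tag, blob[pos:pos + length]))
        pos += length
    return header, elements

def build_sample():
    """Constructed file: wrapper prefix + OTA image + fake trailing signature."""
    payload = b"\xde\xad\xbe\xef" * 8              # stand-in for the app image
    element = struct.pack("<HI", 0x0000, len(payload)) + payload
    hdr = struct.pack(FIXED_HDR, OTA_MAGIC, 0x0100, 56, 0, 0x1234, 0x0001,
                      0x00000001, 0x0002, b"CONSTRUCTED-SAMPLE",
                      56 + len(element))
    return b"WRAP" + b"\x00" * 12 + hdr + element + b"\xaa" * 64, payload

if __name__ == "__main__":
    blob, _ = build_sample()
    header, elements = parse_ota(blob)
    print(header)
    for tag, data in elements:
        print(f"tag 0x{tag:04x}: {len(data)} bytes")
```

Tag 0x0000 is the upgrade image sub-element; the bounds checks matter because a wrapped or damaged file can carry lengths that point past the end of the data.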
-
I have a JAZZDANS blind, but I don't know how to dump the firmware, it can't connect to JLINK with SWD.
-
If it's the classic IKEA ICC-A-1 Zigbee module, it should work OK with a non-original J-Link probe, or a Black Magic Probe, or other SWD probes. Can you post a photo of the PCB with the Zigbee module?
-
https://drive.google.com/file/d/1KmIRXP6XX3yp3b8BulPCjg8f_wANTR3K/view?usp=drivesdk
-
It's an ICC-A-1 module (the normal "old" one), so it should be easy to dump and flash!! 06 | PF0 | SWCLK should be enough. Pinout from FCC: https://github.com/MattWestb/IKEA-TRADFRI-ICC-A-1-Module/tree/master/teardowns/ICC-A-1 Always dump the main flash (0) and user data (1)!!
-
Hello,
I have taken the radio module from a Tradfri remote control. Is it possible to play the functions of the RGB bulb on this wireless module by means of the OTA firmware? Or someone has a full dump of the firmware of the RGB bulb?