This issue was moved to a discussion.
You can continue the conversation there. Go to discussion →
upload OTA rgb bulb firmeware to radio modul from a remote control #24
Comments
|
I don't know what you consider 'full' dump of the firmware, but in the firmware dir there are some dumps/update files. https://github.com/basilfx/TRADFRI-Hacking/tree/master/firmwares/ikea/otau/stable |
|
For my understanding, the ota firmware is only part of the entire firmware. The bootloader and the identifier, whether it is a switch, or a bulb, is not included in the ota firmware. |
|
ah right, well a few levels up is a JTAG dump of the full firmware, that bas was able to read and restore. so there's that. |
|
I have now put up for testing the firmware led1650r5-1.2.214.bin. The connected LED behaves as expected, but I can not find the chip through the gateway. In the folder of the firmware I also found the file led1650r5-1.2.214.strings. Can it be that important configurations are included here? How can I first save the configurations of my chip and how can I then upload the led1650r5-1.2.214.strings to the chip? |
|
The strings file is just a dump of all the strings that can be found (using You probably need the contents of the SPI chip as well. However, I never attempted to dump it (should be easy though). |
|
I am also interested in a full dump of the flash and SPI-chip-dump. Same idea here: Turning the remote into a RGBW ZigBee Controller. I found an image of the PCB of the RGBW bulb: https://i.ibb.co/V3Gb5qT/3xtUrUX.png seems to use another kind of Zigbee-Module-Board. Maybe same CPU. |
|
looks like a slightly different board layout, the board is the same, just antenna and contacts seem to be different ... maybe an earlier proto? a new board would need new FCC certification ... |
|
Agreed should be same hardware - just different layout even the GPIO pin count is the same. Just an Idea: RIOT-OS is supported from now as far as I know. Can we just dump the flash with a simple firmware that reads the flash contents over SPI and output it over serial? And flash this dump with it onto a different device. After this just flash the original firmware with JTAG. Should work? ZigBee MAC is another point - hopefully it's generated by HW. |
|
Update: I finally got the dimmable white bulp 1000lumen software flashed on the remote. For pairing i used this instruction:
I also did some flash dumps and it seems that the app just uses the simulated eeprom for persisting data. Hopefully i made someone happy out there - you can turn a 5€ remote into a hue compatible controller. |
I'm trying the opposite, can you elaborate on how you succeeded in this? I've tried via STLink-v2 and openocd, but it gives me an "Unknown MCU Family" |
|
You might find the infomation in the guide usefull, even if it in Danish: It tells how to use JTAG to dump or flash the ZigBee module. |
|
Tak CableCatDK, det var en kæmpe hjælp! Det er på dit pcb design jeg roder :) |
Can you please describe how you got ST-Link v2 working. I just got one now, and I want to make a guide for windows users. |
|
Normally for bulbs share the same firmware but different model / setting its stored in the userdata that not being erased with normal internal flash erase. Reg 0 = Flash (256K) MAC and radio calibration ar written in the chip and then write protected from the factory. More info with SWD flashing: Flashing the ICC-1 Module |
|
Hi there, |
|
I think byes of them is not so "hacky" and they is little more expensive then the cheapest bulb. You can trying "extracting" the firmware from the OTA file the is rapped with one signing and only need finding the start of the code part and cutting the heeding and ending signing part away then all the code is not encrypted. I have seen scripts that is extracting the metadata from one OTA file and then can extracting the APP (the main flash part) from it but i cant finding it from the moment. |
|
I have a JAZZDANS blind,but i don't know how to dump of the firmware, it can't connect to JLINK with SWD. |
|
If its the classic IKEA ICC-A-1 Zigbee module is shall working OK with one no original J-Link probe like or Black Magic Probe or other SWD probes. Can you posting one photo of the PCB with the Zigbe module ? |
|
Its one ICC-A-1 module (normal "old" one) so shall being easy dumping and flashing !! 06 | PF0 | SWCLK shall being enough. Pin out from FCC https://github.com/MattWestb/IKEA-TRADFRI-ICC-A-1-Module/tree/master/teardowns/ICC-A-1 Always dumping the man flash (0) and user data (1) !! |
This issue was moved to a discussion.
You can continue the conversation there. Go to discussion →
Hello,
I have taken the radio module from a Tradfri remote control. Is it possible to play the functions of the RGB bulb on this wireless module by means of the OTA firmware? Or someone has a full dump of the firmware of the RGB bulb?
The text was updated successfully, but these errors were encountered: