[Feature request] Support for CGG1 possible? #41
Comments
Hi |
@MacSass as you kind of see in these FCC pictures https://fccid.io/2AQ3F-CGG1/Internal-Photos/Internal-Photos-3990168 the CGG1 uses an nRF52832 as SoC, that would mean a custom ROM is a complete new project. One other device I know that has a TLSR is the mosquito repellent |
Everything has an SDK, datasheet, ... |
@pvvx That's true. Only some OTA update method could be harder to crack, but hardware update should work on all of them |
Of the BLE, Xiaomi will only have these chip manufacturers: https://iot.mi.com/new/doc/embedded-development/ble/standard.html
For TLSR825x from Telink https://yadi.sk/d/g5fV7WD1EaUdRQ All have the same OTA connection coding. |
"All have the same OTA connection coding." The TLSR uses the Telink OTA connection coding so I doubt it?! |
They all use their standard options. But binding and bindkey are similar. |
The advertising format is also described in detail: "Service Data" (0x16) in advertising contains Mi Service (UUID: 0xFE95)
and etc... |
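The advertising layout mentioned above (AD type 0x16 "Service Data" carrying UUID 0xFE95) can be checked against a captured payload with a short parser. This is an added example, not code from the thread or from the project; the header bit positions (encrypted = bit 3, MAC present = bit 4) are an assumption taken from Xiaomi's MiBeacon documentation, and the sample bytes are constructed.

```python
import struct

MI_SERVICE_UUID = 0xFE95          # Mi Service UUID named in the thread
AD_TYPE_SERVICE_DATA_16 = 0x16    # "Service Data - 16-bit UUID"

def iter_ad_structures(payload: bytes):
    """Yield (ad_type, data) per AD structure; reject truncated ones."""
    i = 0
    while i < len(payload):
        length = payload[i]
        if length == 0:                       # zero length = padding, stop
            return
        end = i + 1 + length
        if end > len(payload):                # untrusted radio input: bound check
            raise ValueError(f"AD structure at offset {i} overruns payload")
        yield payload[i + 1], payload[i + 2:end]
        i = end

def find_mi_service_data(payload: bytes):
    """Return the bytes following UUID 0xFE95, or None if not present."""
    for ad_type, data in iter_ad_structures(payload):
        if ad_type == AD_TYPE_SERVICE_DATA_16 and len(data) >= 2:
            (uuid,) = struct.unpack_from("<H", data)   # UUID is little-endian
            if uuid == MI_SERVICE_UUID:
                return data[2:]
    return None

def parse_mi_header(body: bytes) -> dict:
    """Decode the fixed header (assumed layout: frame control, product id, counter)."""
    if len(body) < 5:
        raise ValueError("Mi service data shorter than fixed header")
    frame_ctl, product_id, counter = struct.unpack_from("<HHB", body)
    info = {
        "product_id": product_id,
        "frame_counter": counter,
        "encrypted": bool(frame_ctl & 0x0008),   # assumed: bit 3
        "has_mac": bool(frame_ctl & 0x0010),     # assumed: bit 4
        "mac": None,
    }
    if info["has_mac"]:
        if len(body) < 11:
            raise ValueError("MAC flag set but MAC bytes missing")
        # MAC is transmitted in reverse byte order
        info["mac"] = ":".join(f"{b:02X}" for b in reversed(body[5:11]))
    return info

# Constructed sample: Flags AD, then Service Data AD with a made-up product id and MAC.
SAMPLE_ADV = bytes.fromhex("020106" "0e1695fe" "1800" "3412" "07" "ffeeddccbbaa")
```
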
Ok guys, Thanks - I'll watch this to see if you cracks come up with anything new, unfortunately I don't consider my coding know-how advanced enough to attack those other devices ... MacSass |
MHO-C401 more beautiful. |
If anyone is interested in taking a look, I have some very early stage efforts for the CGG1 I'm documenting here. It hasn't made it to the wiki yet, but I have managed to at least dump the stock firmware. PS: Thanks @pvvx for your work on the LYWSD03MMC 💯 |
Hi @kelchm , |
https://github.com/scooterhacking/mijia_ble_libs/tree/master/gatt_dfu |
CGG1 "Qingping Temp & RH Monitor" BT Address: 58:2d:34:11:c3:b2 |
Very interesting! I never would have expected there to be a newer revision of the CGG1 hardware that is using the TLSR8253 instead of the nRF52832. |
Nordic is a Norwegian company listed on the Oslo stock exchange. nRF chip price > TLSR https://github.com/pvvx/ATC_MiThermometer/blob/master/src/ble.h#L27-L28 |
https://www.qingping.co/temp-rh-monitor/overview
All batteries in the kits came discharged (less than 0.2 V). |
Hi, unfortunately I don't feel like I'm able to understand everything you guys are talking about ... so I have two questions:
Regards - MacSass |
Round thermometers from Qingping are of two types - "H" and "M". Marking on the box -> https://pvvx.github.io/CGG1 https://aliexpress.com/item/1005001914179317.html
TLSR8253 = TLSR8251 = TLSR8258 In the chip, the crystals are identical. The difference is in the plastic case. As soon as there is free time, so will the firmware immediately. It is necessary to correct the procedures for working with E-ink. |
So, from your links, is my understanding right:
That would be great news ... PS: Your Ali-Express link goes to a LCD version, which again is something totally different from my point of view. I have an e-ink one and the display is way better compared to LCD ... |
I ordered it there: |
Unknown - These are Apple and HomeKit, which I do not support. It is very difficult to disassemble CGG1 and if the firmware is not the same, then the user is doomed.
The firmware from Xiaomi LYWSD03MMC will work, but there will be no indication on the display. |
Did you already receive it? Because the pictures show the LCD version (visible by the small darker grey area at the bottom, which the e-ink version does not have). I ordered this one - with "real" e-ink: I'll hope you guys will be able to support that in the future, including the nice e-ink display ... |
https://cleargrass.world.tmall.com/ |
There are two OTA functions on the device. From Telink and from Mijia.
EPD Segments:
Three evenings after receiving the CGG1-M sensors, the first beta is ready. Publishing takes 90% of the time because I don't want to learn English. When building the firmware OTA for original CGG1, the correct size is required at offset 0x18 and the checksum from Telink at the end of the binary code. Otherwise, CGG1 ignores the downloaded OTA. Custom firmware consumes at default settings from 16 μA, original from 23 μA. These minimums are provided that the readings on the indicator do not need to be changed - the temperature and humidity do not change ... In the "custom" connection mode, it consumes dozens of times less. The graphs are provided at https://pvvx.github.io/CGG1 |
Unfortunately I don't think it's that simple -- I purchased the Mijia / M CGG1 in the US and received the nRF variant. I'm guessing that you're much more likely to get the TLSR variant ordering directly from China as the stock will likely be newer, but probably still a bit of a game of chance. |
CGG1 variants produced by Qingping.co (ClearGrass):
- CGG1-old ver1, Confirmed FCC ID: 2AQ3F-CGG1
- CGG1-? ver2, Unknown FCC ID.
- CGG1-M ver3, has an official fake FCC ID: 2AQ3F-CGG1
- CGG1-H ver4, Confirmed FCC ID: 2AQ3F-CGG1H |
Hi, is there any way for me to identify which version I have, without opening it, if I do not have the packaging anymore? Are there outer differences or can I identify it by BT connection? |
There are no external differences. Absolutely. It is possible to distinguish in "nRF connect". |
Great - thank you, my X-Ray is currently broken :-) ... but I'll try the nRF connect option. Regards - MacSass |
Yep -- you should be good to go to flash with the TelinkMiFlasher. 👍 It looks like it's turning out to be quite easy to pick up these Telink based versions. The second one I ordered from China arrived today with a box dated |
It looks like "2020 new H version" is also on Telink. Need firmware H versions for OTA tests... When building a test for 825x_sdk_homekit from Telink, a binary file of more than 128 kilobytes is released. This means that OTA in the current version of the BLE SDK from the Ai-Thinker repository is not suitable. A similar situation with the SDK option with ZigBee. Minimum size Firmware for ZigBee:
CGG1 has a button and it's easier to implement ZigBee ... There is an option and 2 firmware switched by button: ORIGINAL / CUSTOM or BLE/ZigBee. |
What is the correct way of flashing? I found the CGG1_v31.bin file but how, it doesn't work with activate. |
All Ok.
Thanks, I got it working. |
Hi everybody. I have the ClearGrass version (UUID 00010203-0405-0607-0809-0a0b0c0d1912) that doesn't work: #81 Waiting for a hope to find a solution to hack this model :-). If I can help in some way. Default advertising interval for this model is more than horrible... |
Just to clarify the activation/flashing procedure for the new CGG1-M (with GOOSEM20XXXXXXX 106308/00096720 or similar markings and production date 2020.03) once again: Press and hold the button on the back of CGG1-M for 2 seconds until the Bluetooth icon starts blinking on the e-ink display, and then click the 'Connect' and 'Do Activation' buttons on the TeLink Flasher. Took me an hour to figure out why the activation was timing out... Once again, great job on the firmware, @pvvx! |
FYI -- it looks like the new CGG1 'M' is now available from Amazon in the US. I ordered one the other day and while not as new as those I've ordered directly from China, it's still new enough to be the Telink variant. |
I've just received "ClearGrass Temp & RH Monitor M Version", production date 2020.01. It came with FW version 1.1.2_0020. Correct me if I am wrong, but it seems it is yet another variant - marked as CGG1-M, but in fact an old CGG1. |
UUID from Nordic DFU - 0xFE59 |
Hey, I bought a few devices within the last two years from different sources and got lywsdcgq/01zm every time. I opened one to share pictures here. I like the idea this project broadcasts the data. I haven't found the information here if it's supported already. The webflasher had not connected to it. I have about 10 here ready to brick. |
From the chip details, it seems to be a Nordic chip inside (nrf51822), not Telink! |
I have also one here, hoping for support maybe in the future. |
Hello, great firmware / solution you have built. Works perfectly - love it on my LYWSD03MMC.
Incredible what is possible and how a commercial product can be made so much better! Thank you!
I'm wondering if it was possible to add the CGG1 model. It seems to use the same type of encrypted advertisement in recent FW, but has a very nice e-paper display with low energy consumption.
Link to respective model here: www.aliexpress.com/item/1000008051178.html
Would love to see that supported. Thanks again for making and documenting all this for us.
Regards - MacSass