MattWestb / IKEA-TRADFRI-ICC-A-1-Module

Loading EZSP (EmberZNet Serial Protocol) on IKEA TRÅDFRI ICC-A-1 Modul
GNU General Public License v3.0

Reset Home Depot Ecosmart A19 by Leedarson to force bootloader #3

Open walthowd opened 3 years ago

walthowd commented 3 years ago

Hi Matt!

I'm trying to get an alternative firmware on a Home Depot Ecosmart A19 by Leedarson. It looks like it's also using a EFR32MG1P132F256GM32 and has a very similar layout to the IKEA tradfri module:

[image]

I've got it on a serial connection now and have been trying to force bootloader. Shorting REST to GND prints this out:

```
***********************************************
* Leedarson copyright                         *
***********************************************
Device IEEE Addr is: 0xEC1BBDFFFE325373
DeviceID =0x010C,ProfileID=0x0104
WirelessMode=NPA Customer=A023 Frequency=600
Software Version: SVN=346,SWBuildID=2.3
Date=May 14 2019,Time=20:24:32
Stack Version:6500
Library File Verison:15
GetNwkState:1
```

I've tried shorting all top/bottom pins of the PCB to ground and then powering on the unit -- I see you identified PA0 (PWM4) as force bootloader on some of the IKEA modules.

Any step I'm missing? I'm shorting PWM4 to GND with the module off, applying power, waiting a second, removing the short --- then sending CR over the serial connection.

MattWestb commented 3 years ago

I think both are more or less done as the Silabs reference design, and the large difference is the PCB antenna design and perhaps the external flash in the module. Whether the force-bootloader pin works or not depends on the firmware / bootloader that is flashed on the device. IKEA's modules have an application bootloader (= OTA bootloader) and can only load signed OTA files that are downloaded into the external flash of the module. I have flashed the module with a standalone bootloader (Gecko xmodem bootloader) that has the bootloader pin configured to the same pin IKEA is normally using as the pairing button. It can also be that the module doesn't have any bootloader and boots the application directly, and then it's not possible to update the module without J-tag / SWD. You are getting output from the com port, so that is OK, but the force-bootloader boot pin and com pins can be different in bootloader mode.

Is the com port output you were getting the same on a "normal" boot (it looks like application config output)?

Best is if you have a J-Link or SWD probe and can read the internal flash of the chip and look in the dump.

If you have an ESP8266 you can flash it with SWD probe firmware and dump and flash the module (debug / SWD pins are fixed in the chip and your module has the same pads as IKEA is using).

walthowd commented 3 years ago

Thanks Matt! That all makes sense. I've been trying to read through the SiLabs docs and see that it's up to the vendor to include or not include the bootloader and/or to enable a force bootloader pin.

I don't get any output on a "normal" boot -- the output I included below seems to only be issued when shorting REST to GND.

I also tried, in turn, shorting all pins to ground while doing a reset (RESET to GND), but no output there either.

My original goal was to see if we could do an OTA zigbee upgrade to a Tradfri image. I presented a modified IKEA image with a matching manufacturer id and image type for the current ecosmart/leedarson image --- the image transfers but fails to install with a "failed image verification" error.

I don't have much debugging hardware around, but I do have some ESP8266s -- using one of those as an SWD probe is a great idea, I'll give that a shot next!

MattWestb commented 3 years ago

Then it's verified that the module has an application bootloader and can't be updated with Xmodem but works with OTA files. IKEA's OTA files are famous because they are signed but not encrypted, as you probably have seen. Your problem is that the bootloader's signing is not valid, as the keys don't match between the "new" OTA file and the expected one, and therefore the bootloader is not accepting it. Sonoff Zigbee Bridge have tried to get around the "signed" problem but have not managed to, so only with help of the factory, which has released an "update" OTA file that installs a normal clean EZSP stack but does not erase the certificates, leaving the chip secure but with workable firmware.

blackmagic-espidf (BMP) is not so easy to compile under Windows, but I have made it in a little older msys32 and flashed the binaries on the ESP. I think it's easier if you try to do it in Linux if you have a machine with it. I have configured it as ST with my wifi credentials so it goes into my network without problem, but the "standard" is AP mode. The only problem I was having was connection or writing problems, but it was solved by putting one or two 100 Ohm resistors in series with the SWD CLK line.

When you have the BMP up and running, use my Flashing-MG and connect to the module with SWD and read (dump) memory region 0 ("normal" internal flash = bootloaders and APP) and 1 (user data = factory custom settings for the device) and save them in a secure place for restoring if you need that later. Then you have all parts for doing a complete restore of the module. When you have the feeling that it is working well, you can flash a new bootloader in the module and test if it's working (my bootloaders should work for your module, only take the one whose pins are good for your device). When you have flashed a new bootloader and left the APP intact, the app (main program) is normally working but the reset (IKEA x repower) is no longer working.

Take it to that point and you can do what you like later.

I have a brick warning: I have hard-bricked 2 modules, but that was with a J-Link clone and Simplicity Studio. BMP and GDB are working very well and are safe if you know it's working and always flash a bootloader pair after erasing the internal flash.

MW
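As an added example (not code from this repository or from anyone in this thread), here is a Python parser for the Zigbee OTA upgrade file header that separates the two things discussed above: the manufacturer code / image type match that lets the transfer start, and the signature that the bootloader checks. `PLACEHOLDER_MFG`, `PLACEHOLDER_IMAGE_TYPE`, the header string and the payload are constructed values, not IKEA's or Leedarson's; `make_sample_ota` exists only to build the demo input.

```python
# Added example: Zigbee OTA upgrade file header parser.
# Header layout follows the Zigbee OTA cluster spec; sample values are constructed.
import struct

OTA_FILE_ID = 0x0BEEF11E
MANDATORY_HEADER = "<IHHHHHIH32sI"   # 56 mandatory header bytes
MANDATORY_LEN = struct.calcsize(MANDATORY_HEADER)

SUB_ELEMENT_TAGS = {
    0x0000: "upgrade image",
    0x0001: "ECDSA signature (crypto suite 1)",
    0x0002: "ECDSA signing certificate",
    0x0003: "image integrity code",
    0x0005: "ECDSA signature (crypto suite 2)",
}
SIGNATURE_TAGS = {0x0001, 0x0005}


def parse_ota(blob):
    """Return (header fields, [(tag, length), ...]) for an OTA file."""
    if len(blob) < MANDATORY_LEN:
        raise ValueError("too short for an OTA header")
    (file_id, hdr_ver, hdr_len, field_ctrl, mfg, img_type, file_ver,
     stack_ver, hdr_str, total) = struct.unpack_from(MANDATORY_HEADER, blob, 0)
    if file_id != OTA_FILE_ID:
        raise ValueError("missing OTA file identifier")
    if total != len(blob):
        raise ValueError(f"total image size {total} != actual {len(blob)}")
    hdr = {
        "header_version": hdr_ver, "field_control": field_ctrl,
        "manufacturer_code": mfg, "image_type": img_type,
        "file_version": file_ver, "stack_version": stack_ver,
        "header_string": hdr_str.rstrip(b"\0").decode("ascii", "replace"),
    }
    pos = MANDATORY_LEN
    if field_ctrl & 0x01:   # security credential version present
        hdr["security_credential_version"] = blob[pos]
        pos += 1
    if field_ctrl & 0x02:   # upgrade file destination (IEEE address) present
        hdr["upgrade_file_destination"] = blob[pos:pos + 8].hex()
        pos += 8
    if field_ctrl & 0x04:   # min/max hardware version present
        hdr["min_hw"], hdr["max_hw"] = struct.unpack_from("<HH", blob, pos)
        pos += 4
    if pos != hdr_len:
        raise ValueError(f"header length {hdr_len} inconsistent with fields ({pos})")
    subs = []
    while pos < total:
        if pos + 6 > total:
            raise ValueError("truncated sub-element header")
        tag, length = struct.unpack_from("<HI", blob, pos)
        pos += 6
        if pos + length > total:
            raise ValueError("sub-element runs past end of file")
        subs.append((tag, length))
        pos += length
    return hdr, subs


def header_matches_device(hdr, manufacturer_code, image_type):
    """The match an OTA server/client makes before transferring an image."""
    return hdr["manufacturer_code"] == manufacturer_code and hdr["image_type"] == image_type


def has_signature_sub_element(subs):
    """Whether the file carries an OTA-level signature sub-element. The Gecko
    bootloader typically verifies the GBL/EBL inside the upgrade-image payload
    instead, which a header-level parser cannot evaluate either way."""
    return any(tag in SIGNATURE_TAGS for tag, _ in subs)


def make_sample_ota(manufacturer_code, image_type, payload, signature=b""):
    """Constructed demo file only; the payload is not a firmware image."""
    body = struct.pack("<HI", 0x0000, len(payload)) + payload
    if signature:
        body += struct.pack("<HI", 0x0001, len(signature)) + signature
    total = MANDATORY_LEN + len(body)
    hdr = struct.pack(MANDATORY_HEADER, OTA_FILE_ID, 0x0100, MANDATORY_LEN, 0x0000,
                      manufacturer_code, image_type, 0x00010002, 0x0002,
                      b"constructed sample".ljust(32, b"\0"), total)
    return hdr + body


PLACEHOLDER_MFG = 0x1234          # constructed, not a real manufacturer code
PLACEHOLDER_IMAGE_TYPE = 0x5678   # constructed

if __name__ == "__main__":
    sample = make_sample_ota(PLACEHOLDER_MFG, PLACEHOLDER_IMAGE_TYPE, b"\x00" * 64)
    header, elements = parse_ota(sample)
    print(header)
    for tag, length in elements:
        print(f"sub-element {tag:#06x} ({SUB_ELEMENT_TAGS.get(tag, 'unknown')}): {length} bytes")
    print("matches device:", header_matches_device(header, PLACEHOLDER_MFG, PLACEHOLDER_IMAGE_TYPE))
    print("OTA-level signature present:", has_signature_sub_element(elements))
```

The header match is a routing decision, not a trust decision: a file can pass `header_matches_device` and still end in the "failed image verification" error described above, because the signature over the payload is checked against the key in the bootloader, and nothing in the header decides that.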

MattWestb commented 3 years ago

@walthowd I know you don't like flashing with SWD, but it can be good to have the files if you get hardware problems and must do a flash erase. I was looking through the Silabs installed compiled files, and for EZSP 6.7.9.0 all NCPs are deleted for the EM35X platform but all bootloaders are still there (I can only install the latest major version, not minor ones). And EZSP 6.6.6.0 has all EM35X precompiled NCPs. You have some EZSP 6.6.5.0 in your git; would you like to have all of them zipped?

Say what you would like to have and I'll do one or more files and upload them here, and then delete them when you have copied them.

puddly commented 2 years ago

@MattWestb I was able to follow your instructions for flashing the IKEA module and managed to dump the flash regions:

```
(gdb) mon sw
Target voltage: 3.20V
Available Targets:
No. Att Driver
 1      EFR32MG1P 132 F256 Mighty Gecko M4
(gdb) att 1
Attaching to Remote target
warning: No executable has been specified and target does not support
determining executable automatically.  Try using the "file" command.
0x0002ff06 in ?? ()
(gdb) mon efm_info
DI version 1 (silabs remix?) base 0x0fe08000

EFR32MG1P 132 F256 = Mighty Gecko 256kiB flash, 32kiB ram
Device says flash page size is 2048 bytes, we're using 2048 bytes

Radio si0

(gdb) info mem
Using memory regions provided by the target.
Num Enb Low Addr   High Addr  Attrs
0   y   0x00000000 0x00040000 flash blocksize 0x800 nocache
1   y   0x0fe00000 0x0fe00800 flash blocksize 0x800 nocache
2   y   0x0fe10000 0x0fe12800 flash blocksize 0x800 nocache
3   y   0x20000000 0x20008000 rw nocache
(gdb) dump memory XYZ17.bin 0x00000000 0x00040000
(gdb) dump memory XYZ18.bin 0x0fe00000 0x0fe00800
(gdb) dump memory XYZ19.bin 0x0fe10000 0x0fe12800
(gdb) dump memory XYZ20.bin 0x20000000 0x20008000
(gdb) mon erase_mass
Erase successful!
```

But any attempts to write fail, with and without a 100Ω resistor (I didn't have anything else close to 130Ω):

```
(gdb) load XYZ17.elf 0x0
Error erasing flash with vFlashErase packet
(gdb) load IKEA-TRADFRI-ICC-A-1-Module/Firmware/icc-a-1-bootloader-combined.s37
Error erasing flash with vFlashErase packet
```

Is this chip write locked somehow? I'm using an STM32 converted into a BMP.

Looks like `mon erase_mass` doesn't actually work; re-connecting to the device from a second computer allowed me to dump the flash again and it contains the same contents.

MattWestb commented 2 years ago

Hey @puddly, I think you are out on very deeeeeeeep water (joking) :-))

First a warning with EFR32MG1X: if you do a mass erase you must first flash a combined bootloader, or you can get a very hard software brick (I have bricked 3 modules but recovered them with a WSTK) that can only be recovered with an original Silabs WSTK (it has a macro for halting the processor boot with the hardware reset pin and halting the boot, which normal J-tag can't).

Your problem looks a little different from mine:

```
(gdb) mon sw
Target voltage: 3.20V
Available Targets:
No. Att Driver
 1      EFR32MG1P 132 F256 Mighty Gecko M4
```

Without the resistors it was not finding the device, but yours does, and you have good VCC that my Wemos clone doesn't have (around 2.9 V). But I also remember I was having erase / flashing problems, but I think it was fixed with the resistors, but it's one year ago and my memory is not 110% ;-((

I think you can try putting 2 100Ω resistors in series on both SWCLK and SWDIO for getting 200Ω, but it's trial and error, and it depends if the STM32 is a 3.3 or 5 V device (ESP is 3.3 V); also 2 in parallel and you get 50Ω, or 2 in parallel combined with one in series and you get 150Ω.

My feeling is saying it's the hardware interface that is making the problems, but it's partly working = better than not at all. It can also be that BMP has done changes and has broken some software things, but I don't think that's the case for you, and I remember the vFlashErase.

And you don't need to do a mass erase, only flash a new (standalone / Xmodem) bootloader, and one with only the second stage is OK (at 0x0800) when the flash has an OK first stage bootloader in place (at 0x0000). After flashing it's good to dump 0x0 - 0x04000 and look that you have the first stage bootloader at 0x0 and the second stage at 0x0800 (not only 0xFF all over); then it's safe to do more advanced things.

Back to the flashing problems: I was using BMP with ESP and it was working OK, then I had the resistor problems, but I was also using a blue pill as JLINK-ARM-OB that is working great with Silabs Commander, which I think is great for you, but SEGGER Commander (and all of their programs) liked reflashing the probe > bricking the probe.

Both were OK for flashing and dumping, but I did most with BMP on ESP, as I had more control of what was happening with GDB.

One curious question: what device have you dumped? The user data is very interesting as it can change the device setting / type, like the E1743 on/off dimmer switch being an open/close with different user data and using the same OTA file = the same firmware, but being completely different devices from the Zigbee side and running on the same PCB.

One more thing: if you get the flashing working you can write a custom IEEE in the user data without reflashing all of the flash (patching the dumped user data and flashing it back), and it very likely can be done with the "factory firmware" as IKEA is using the manufacturing lib for writing / reading their tokens in the user data.

Keep me informed and I'll try to help you as much as I can !!

PS: You badly need a WSTK for 99$ !!!! (but then you are not doing so much great coding for ZHA ;-(( )
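As an added example (not code from this repository or from anyone in this thread), here is a small Python helper that turns the `info mem` listing earlier in the thread into `dump memory` commands and then applies the check Matt describes above (first stage at 0x0, second stage at 0x0800, not 0xFF all over) to a dump, adding a Cortex-M vector-table sanity check as a stricter version of it. The memory map and the 2048-byte page size are the ones printed by GDB above; the flash contents in `SAMPLE_DUMP` are constructed.

```python
# Added example: parse GDB `info mem`, generate dump commands, and sanity check
# a flash dump for a first/second stage bootloader before trusting it.
import re
from dataclasses import dataclass

# `info mem` output as shown in the thread (used here as parser input).
INFO_MEM_SAMPLE = """\
Using memory regions provided by the target.
Num Enb Low Addr   High Addr  Attrs
0   y   0x00000000 0x00040000 flash blocksize 0x800 nocache
1   y   0x0fe00000 0x0fe00800 flash blocksize 0x800 nocache
2   y   0x0fe10000 0x0fe12800 flash blocksize 0x800 nocache
3   y   0x20000000 0x20008000 rw nocache
"""

PAGE_SIZE = 0x800                 # flash page size reported by `mon efm_info`
FLASH = (0x00000000, 0x00040000)  # region 0 from `info mem`
RAM = (0x20000000, 0x20008000)    # region 3 from `info mem`


@dataclass
class MemRegion:
    num: int
    low: int
    high: int
    attrs: str


_REGION_RE = re.compile(
    r"^\s*(\d+)\s+([yn])\s+(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s+(.*?)\s*$")


def parse_info_mem(text):
    """Return the enabled regions listed by `info mem`, in order."""
    regions = []
    for line in text.splitlines():
        m = _REGION_RE.match(line)
        if m and m.group(2) == "y":
            regions.append(MemRegion(int(m.group(1)), int(m.group(3), 16),
                                     int(m.group(4), 16), m.group(5)))
    return regions


def dump_commands(regions, prefix):
    """One GDB `dump memory` line per region, written to <prefix><num>.bin."""
    return [f"dump memory {prefix}{r.num}.bin {r.low:#010x} {r.high:#010x}"
            for r in regions]


def blank_pages(blob, page_size=PAGE_SIZE):
    """Indexes of pages that are entirely 0xFF (erased / never written)."""
    out = []
    for idx in range(0, len(blob), page_size):
        page = blob[idx:idx + page_size]
        if page == b"\xff" * len(page):
            out.append(idx // page_size)
    return out


def looks_like_vector_table(blob, offset, flash=FLASH, ram=RAM):
    """Cortex-M check: initial SP inside RAM, reset handler a Thumb (odd)
    address inside flash. A bootloader image at `offset` should pass this."""
    if len(blob) < offset + 8:
        return False
    sp = int.from_bytes(blob[offset:offset + 4], "little")
    reset = int.from_bytes(blob[offset + 4:offset + 8], "little")
    return ram[0] < sp <= ram[1] and (reset & 1) == 1 and flash[0] <= reset < flash[1]


def bootloader_stages_present(blob):
    """The check suggested in the thread: first stage at 0x0, second stage at
    0x800, neither page blank, each starting with a plausible vector table."""
    blanks = set(blank_pages(blob))
    return {
        "first_stage": 0 not in blanks and looks_like_vector_table(blob, 0x0),
        "second_stage": 1 not in blanks and looks_like_vector_table(blob, 0x800),
    }


def _page(sp, reset, fill):
    """Constructed flash page: a vector table stub followed by filler bytes."""
    head = sp.to_bytes(4, "little") + reset.to_bytes(4, "little")
    return head + bytes([fill]) * (PAGE_SIZE - len(head))


# Constructed 4-page dump: two bootloader-like pages, one erased, one data page.
SAMPLE_DUMP = (_page(0x20008000, 0x00000101, 0x11)     # page 0: first stage
               + _page(0x20007000, 0x00000C01, 0x22)   # page 1: second stage
               + b"\xff" * PAGE_SIZE                   # page 2: erased
               + b"\x00" * PAGE_SIZE)                  # page 3: other data

if __name__ == "__main__":
    regs = parse_info_mem(INFO_MEM_SAMPLE)
    print("\n".join(dump_commands(regs, "region")))
    print("blank pages:", blank_pages(SAMPLE_DUMP))
    print("bootloader stages:", bootloader_stages_present(SAMPLE_DUMP))
```

On a real dump, run `bootloader_stages_present` on the contents of region 0 before doing anything else to the part: if either stage comes back false after a flash, the safe move is to restore the saved dump rather than power-cycle into whatever is there.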

MattWestb commented 2 years ago

PS: "Patched" STLink (STM32 with JLINK-ARM-OB firmware) can't be used on other chips than STM32 in SEGGER, but it looks like Silabs Commander is accepting it as a "normal" J-Link adapter and can read and write without problems.

MattWestb commented 2 years ago

If you get the flashing working you may be interested in ZBCB-6920; it's a "control bridge" = the same Zigbee type as Philips HUE and IKEA GW are (they are ZLL but this is ZB3 / ZLO) and has a serial connection with CLI and help and can send all ZCL commands to all devices in the mesh, and I have added a color light on EP2 so it's possible to "sniff" group commands sent in the mesh (by adding the light to the group(s)).

Interesting is how Silabs is doing the binding, and it looks very much like our problem with IKEA 2.5/3 gen remotes.

puddly commented 2 years ago

Thanks Matt!

> One curious question: what device have you dumped?

It's the same type of Leedarson light bulb Zigbee module that Walt originally posted. I'm trying to flash it with coordinator firmware.

I actually managed to flash the J-Link probe firmware to the blue pill as you described and no protection bits of any kind were shown to be flipped in the Simplicity Commander. It autodetected the correct model information so it seems like that was working.

After that, I think I flashed the following two images with Simplicity Commander:

My debug probes fell off and I wasn't able to verify if the bootloader was written correctly (you mentioned that Simplicity Commander can sometimes write it to the wrong offset or even write 0xFF??) but the module produced no serial output when being powered on and off so I think at least something was written to its flash. Progress!

MattWestb commented 2 years ago

If you ground PA0 and dip the reset pin low (or repower the module) you shall get the bootloader menu if the bootloader is OK flashed (IKEA lights are working with the new bootloader until doing a reset of them). And if you did not do a mass erase you shall be in the safe place with the first bootloader in place, and the s37 (and GBL) files shall be flashed in the right place.

In Simplicity Commander you can also use "flash map" to see allocated space in flash (I was seeing the wrong flashing of Commander with that).

If the J-Tag probe can't get the device in debug mode, try connecting the reset pin to the probe (it is normally not needed if the app / bootloader is working OK and debug is not disabled in Gary's files, but if the app (main program) has crashed it needs a hardware reset for reacting on debug commands).

PS: Leedarson have done lights for IKEA, also Zigbee ones, but only with IKEA modules as far as I know, and they are a member of the Zigbee Alliance. And I was thinking Walt was more of a hardware hacker than you ;-)))

MattWestb commented 2 years ago

One thing is that the radio power amp on IKEA modules is using 20 dB output power, which is too much for the dc-dc regulator on the chip (only working for around 10 dB), so the firmware has the option set for dc-dc bypass, and if the Leedarson doesn't have the same radio PA design then the NCP firmware is crashing (or the hardware is locking, and soft boot and debug are not working and need a repower for booting into the bootloader).

The first problem with the IKEA module was getting into a hard lock when loading the first version of the NCP, but Gary fixed that.

But the bootloader shall work OK if you trigger it after power on, as the radio is not initialized and not used as long as you stay in the bootloader, and the debug / SWD shall work.

MattWestb commented 2 years ago

I did a change on my Billy EZSP six ten NCP, deactivating the dc-dc bypass option in the hardware (it's the standard, not activated), and compiled it with little problem as Silabs have updated the SDK to 6.10.1.0, but it's with GP and 127 (max) TC Link keys and NVM3 = a maxed NCP for the MG1 device, but I can't test it and the original Billy 6.10 is working OK. If you can boot into the bootloader you can flash the GBL or EBL file, but I have put all you can need in the zip. ncp-gp-Leedarson-10.zip

Edit: I compiled a Billy version with the updated SDK (with putting back dc-dc pass thru) and it looks to be working OK as a sniffer with com.zsmartsystems.zigbee.sniffer and it's showing EZSP 6.10.1.0, but I have not tested if it's working OK as NCP with ZHA (can't map the com port directly in Windows 10 to the docker container), but the NCP is running and can dump Zigbee packages.

honglihu1986 commented 1 year ago

I replaced it with an IKEA tradfri module and it is working well.