Closed brilthor closed 3 years ago
It's been a while since I played with this, but yes it's possible to use the hijack to flash a different image. Think the only limitation is that the image has to be <= 1MB. That is unless you were to hack up the bootstrap firmware...
The actual process first uploads a bootstrap image compatible with the existing firmware memory layout (user1.bin + user2.bin). That bootstrap program is given control, then fetches and deploys the actual firmware image (firmware.bin). All of this firmware is just binary files served via the hijack web server. So I think substituting firmware.bin with a complete image should work?
Upgrade logic is here: https://github.com/adapt0/smartplug/blob/f07d91bed6c97ca6b8999596521d07acdea97293/vesync-hijack/bootstrap-firmware/src/task_upgrade.cpp#L255
Warning: There is some risk involved as the bootstrap process does overwrite the boot loader. So if something goes wrong be prepared to have to pull the device apart to recover it.
Upgrade hijack flow is covered here (in case you missed it): https://github.com/adapt0/smartplug/blob/f07d91bed6c97ca6b8999596521d07acdea97293/doc/upgrading.md
With the fix for https://github.com/adapt0/smartplug/issues/27 I can confirm this can flash an unmodified Tasmota image (I used the small one to be safe, will do an update inside Tasmota to the full release), which will save a ton of soldering, thanks @adapt0. This can be closed or kept open for reference.
Awesome!! 😎
I'll close this since it's resolved, and look at adding some notes on the main readme for others to find.
Is it possible to use the hijacking loader to load a different FW image (e.g. Tasmota)? I'll be reading through the code later to see if I can figure it out, however a definitive answer would be appreciated.
P.S. Great work on the hijack reverse engineering. I came across this while looking for a firmware dump to decompile for exactly the same reason; always nice when you find someone's already done it.