Open michapr opened 3 years ago
Sounds like a good candidate. The LYWSD03MMC is using a TLSR8251 so should be mostly compatible
Problem can be the LCD driver... ;)
That can be reverse engineered by listening to the GPIO transmitting, so I don't see a problem there.
And sorry for misunderstanding it first. The LCD driver on the LYWSD03MMC is unknown as it has no findable markings on the chip. I got it working via reversing as well, so testing every segment one by one etc
Just have seen that after "activating" the device in Qingping app (add it once to the device list) the device is advertising the values not decrypted more. - multiple times per minute (every 5 seconds ?). After closing app (shutdown the mobile phone - it is a test phone I'm using for this) and removing battery of device, waiting and put it in again the device is still reporting all. That's interesting for me - and maybe for some others too.
Advertising data now: 8810089211342d580104e2007901020162
8810 089211342d58 01 04 e2 00 79 01 0201 62
xxxx MAC-addr. xx xx temp hum fw? batt
temp = 0*256+e2H = 226 -> 22.6 degree
hum = 01*256 + 79H = 377 -> 37.7%
batt = 62H = 98%
About firmware release not sure (current: 1.02)
So in this time seems there are no needs to change the firmware here ;)
Thank you for the infos
Is the mi_release_version_4_1_1 SDK version not for this device? https://yadi.sk/d/g5fV7WD1EaUdRQ Earlier 1/14/20 on Telink website
> The LCD driver on the LYWSD03MMC is unknown as it has no findable markings on the chip.
IST3055NA0 - Datasheet not found https://github.com/pvvx/ATC_MiThermometer/blob/master/BoardPinout/PcbSide1.jpg Duplication of information: https://github.com/atc1441/ATC_MiThermometer/issues/122#issuecomment-747856364
@pvvx >Is the mi_release_version_4_1_1 SDK version not for this device?
Not sure, cannot find the LCD driver here - but maybe my fault.
There are no drivers, no "libmijia_std_authen_eclipse_telink_1_0_1.a" (provided by xiaomi). But there is cryptography and xiaomi profiles ...
readme.txt:
After you get the sdk, there are some steps for you to do.
1. you can not compile success, because there is lib named "libmijia_std_authen_eclipse_telink_1_0_1.a" should provide by xiaomi, so you need to contact xiaomi and get the lib, and then put the lib to the path of the proj_lib.
2. use the mijia app, to add a gateway(we test by the yeelight device). and then add our device (826x or 825x) by mijia, and then reset the device .
3. and then wait for sometime, you will see the picture in the document.
> Just have seen that after "activating" the device in Qingping app (add it once to the device list) the device is advertising the values not decrypted more. - multiple times per minute (every 5 seconds ?). After closing app (shutdown the mobile phone - it is a test phone I'm using for this) and removing battery of device, waiting and put it in again the device is still reporting all. That's interesting for me - and maybe for some others too.
Zillion thanks, @michapr! Got success with two CGDK2's I thought were destined to be (lousy) fishnet weights. First tried with Xiaomi app, no luck, but after pairing with Qingping app and power cycling they have been sending unencrypted beacon messages for hours now. Firmware 1.02 apparently. The message byte order seems to be the same as the non-lite CGG1-Qingping/Cleargrass devices (nRF52832-based) send, those just didn't require this pairing step to send usable data. Message samples from two CGDK2's and one CGG1:
CGDK2-1: 58:2d:34:11:94:b4 RSSI:-76 payl: 2 1 6 14 16 CD FD 88 10 B4 94 11 34 2D 58 1 4 D8 0 BB 1 2 1 59 18 9 51 69 6E 67 70 69 6E 67 20 54 65 6D 70 20 26 20 52 48 20 4C 69 74 65 temp:21.6 rh:44.3
CGDK2-2: 58:2d:34:11:92:7b RSSI:-57 payl: 2 1 6 14 16 CD FD 88 10 7B 92 11 34 2D 58 1 4 D4 0 CB 1 2 1 5C 18 9 51 69 6E 67 70 69 6E 67 20 54 65 6D 70 20 26 20 52 48 20 4C 69 74 65 temp:21.2 rh:45.9
CGG1: 58:2d:34:11:08:84 RSSI:-70 payl: 2 1 6 14 16 CD FD 8 7 84 8 11 34 2D 58 1 4 D8 0 C3 1 2 1 46 15 9 43 6C 65 61 72 47 72 61 73 73 20 54 65 6D 70 20 26 20 52 48 temp:21.6 rh:45.1
The byte after Qingping's manufacturer ID "CD FD" (0xFDCD) is always "8" in CGG1 (I have several) but varies in CGDK2.
I am an embedded developer but no experience with TLSR82*, thanks to this interesting project I'll get some. I can look at this CGDK2 if needed, but now looks maybe not. The E-ink CGG1 would be an interesting platform, reverse engineering that one is on my list.
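The advertising layout worked out in the two comments above, as an added Python example (not code from the thread or from the ATC firmware project). It walks the AD structures of a raw payload, finds the 0xFDCD service data and decodes it, which also shows that any passive listener in radio range can read these values. The record layout (2 header bytes, reversed MAC, then type/length/value records), the signed temperature and all function names are assumptions inferred from the samples posted here.

```python
import struct

AD_SERVICE_DATA_16 = 0x16   # Bluetooth AD type: Service Data, 16-bit UUID
QINGPING_UUID = 0xFDCD      # appears as "CD FD" on the wire (little-endian)

# Constructed from the CGDK2-1 sample in the thread (space-separated hex tokens).
SAMPLE = ("2 1 6 14 16 CD FD 88 10 B4 94 11 34 2D 58 1 4 D8 0 BB 1 2 1 59 "
          "18 9 51 69 6E 67 70 69 6E 67 20 54 65 6D 70 20 26 20 52 48 20 4C 69 74 65")

def ad_structures(payload: bytes):
    """Yield (ad_type, data) for each length-prefixed AD structure."""
    i = 0
    while i < len(payload) and payload[i] != 0:   # length 0 marks padding
        length = payload[i]
        if i + 1 + length > len(payload):
            raise ValueError("AD structure runs past end of payload")
        yield payload[i + 1], payload[i + 2:i + 1 + length]
        i += 1 + length

def parse_qingping(service_data: bytes) -> dict:
    """Decode the bytes that follow the 0xFDCD UUID (assumed layout, see lead-in)."""
    if len(service_data) < 8:
        raise ValueError("service data too short")
    out = {"header": service_data[:2].hex(),
           "mac": ":".join(f"{b:02x}" for b in reversed(service_data[2:8]))}
    i = 8
    while i + 2 <= len(service_data):
        rtype, rlen = service_data[i], service_data[i + 1]
        value = service_data[i + 2:i + 2 + rlen]
        if len(value) != rlen:
            raise ValueError("truncated record")
        if rtype == 0x01 and rlen == 4:           # temp (assumed signed), humidity
            temp, hum = struct.unpack("<hH", value)
            out["temp_c"], out["rh_pct"] = temp / 10, hum / 10
        elif rtype == 0x02 and rlen == 1:         # battery percentage
            out["battery_pct"] = value[0]
        i += 2 + rlen                             # unknown record types are skipped
    return out

def decode_advertisement(hex_tokens: str) -> dict:
    """Parse a payload written as hex tokens, as in the samples above."""
    payload = bytes(int(t, 16) for t in hex_tokens.split())
    for ad_type, data in ad_structures(payload):
        if (ad_type == AD_SERVICE_DATA_16 and len(data) >= 2
                and int.from_bytes(data[:2], "little") == QINGPING_UUID):
            return parse_qingping(data[2:])
    raise ValueError("no Qingping service data found")
```

`decode_advertisement(SAMPLE)` reproduces the temp and rh values printed next to the CGDK2-1 sample; `parse_qingping` can also be fed the service data string from the earlier comment directly via `bytes.fromhex`.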
I got myself some Qingping CGG1 in the hopes of getting them flashed and integrated in Home Assistant.
https://www.aliexpress.com/item/32994401600.html
It appears these cannot be flashed (yet) with the available firmware?
Connecting with the device from the Web Flasher
Log:
23:11:21: Disconnected.
23:11:21: Searching for devices
23:11:29: Connecting to: Qingping Temp & RH M
23:11:32: Connected
Trying to Activate
23:11:37: Not connected
Hey. Yes as in the other issue mentioned they are in itself very different.
It is possible to create a custom firmware for them but someone has to do it :)
@tjheikki could you say how you read advertising from CGDK2? For example while connecting with gatttool to LYWSD03MMC, it does send notifications with temp/hum very frequently, while connecting to CGDK2 does not give any notifications, I only could retrieve the battery level there (similar to LYWSD03MMC)
@truethe1mc Did you pair with the "Qingping app" and power cycle? Worked for me with two devices and they have been constantly sending temp & humi since, for about 6 weeks now. Don't remember how often they send, more frequent than every five minutes, which is my gateway's polling frequency.
Guess they have two different modes; one for Xiaomi app, perhaps only working paired, and another for the Qingping, where it sends the data as non-encrypted advertising packets. My 8-ish CGG1s did the latter out-of-the-box, but those apparently have differently working firmware versions.
@tjheikki thanks for your fast reply. By the power cycle you mean put the battery off, wait and put it back? Yes, I did try that, but didn't notice any difference and the tool I use to check these advertising notifications in Linux (gatttool) didn't show any notifications.
What I've noticed is when CGD2 is paired with MiHome, 16b Service Data which sudo blescan shows very similar with the same string for LYWSD03MMC (something like 95fe5b****75c1a8, 28 chars long), which leads me to an idea that paired with MiHome, CGD2 should work somehow similar to LYWSD03MMC. While pairing with Qingping app (Chinese region) gives another 16b Service Data pattern, looks like then the sensor acts somehow differently (like cd10**342**4f200**0156, 38 chars long)
Any updates on this? I have successfully flashed the custom firmware and see data from the cgdk2, but nothing is displayed. My bad, nothing is displayed on the actual display.
So am I right in thinking that getting the ATC firmware to run on these CGDK2 devices "only" requires hardware detection and a different LCD driver?
@spiri439 How did you flash the ATC firmware on this device?
@TheGroundZero That's about being able to parse the packets from CGDK2 devices using esphome firmware. It's not about running custom firmware on this device.
I also bought some of these thermometers by mistake (I did not realise about the "Lite" suffix). The LCD driver seems quite easy: the data sheet is almost the same as BU9797FUV that is available in English (it has some extra options for some commands but it is almost the same).
The hard part is knowing how is everything connected: to which PIN is connected the KEY, the sensor I2C and the display I2C (maybe they share a single I2C bus) and if there is any other PIN that needs to be configured HIGH for the display to work.
@spiri439, you said that you flashed a firmware and you get the sensor working... which firmware did you flash? Because each device uses different ports for sensor I2C.
I will write some code to detect if the display is in the same I2C bus, but I need to know which firmware you flashed.
https://aliexpress.com/item/1005002634860799.html & https://aliexpress.com/item/1005002271902480.html I bought a few pieces to test and possibly support custom firmware. The order will arrive in a month... To read the internal firmware, you can use: https://github.com/pvvx/TLSR825x_OTA_Flash_Hacker
I will extract the firmware but, is there any tool to disassemble it and learn how the GPIOs are configured?
Good photo of the board from both sides + datasheet: 'shows the pin assignment' : http://wiki.telink-semi.cn/wiki/chip-series/TLSR825x-Series/
A good photo can be obtained in any scanner like this
An example from the cheapest scanner: https://github.com/pvvx/ATC_MiThermometer/tree/master/BoardPinout
I will try to open it tonight…
On Tue, 25 Jan 2022 at 04:30 Victor @.***> wrote:
> Good photo of the board from both sides + datasheet: 'shows the pin assignment' : http://wiki.telink-semi.cn/wiki/chip-series/TLSR825x-Series/
I've found these photos from the fcc registry: https://fccid.io/2AQ3F-CGDK2/Internal-Photos/Internal-Photos-4716361.pdf
And these are the photos of my device:
https://share.icloud.com/photos/09asHIA9n8xlDzkfAkIc8A6Iw
https://share.icloud.com/photos/0862Rxkd4kzv-0xz32-SoHDLA
I tried with an old scanner I use for documents and so on and the quality is way worse than my phone.
I made a last photo with maximum exposure and it is easier to see the pcb lines:
Program only uses I2C pins and 'Key'.
Hi,
I have got two such devices, compatible to Mi Home app. https://www.aliexpress.com/i/1005001868991135.html Sensor has LCD display, is not advertising temp/hum, I think every 20 minutes about sending an encrypted advertising package.
Sensor is using TLSR8253 and for LCD a BU9792AFUV https://datasheet4u.com/datasheet-parts/BU9792FUV-datasheet.php?id=705112
What chip is using LYWSD03MMC for LCD driver? Maybe it is compatible (I think that not...) or driver maybe adapted...
Not sure in this time, interesting or not ... ;)