basilfx / TRADFRI-Hacking

Hacking IKEA TRÅDFRI products, such as light bulbs, window blinds and other accessories.

new module as remote #46

Open boelle opened 2 years ago

boelle commented 2 years ago

hi

this project on thingiverse https://www.thingiverse.com/thing:3655354 has been much fun to me

it was easy to remove a zigbee module from their light bulbs and then reprogram it to work as a 5 button remote

but now ikea is slowly replacing their zigbee modules with a new one that, as far as the bulbs are concerned, is far more power hungry, and why should ikea bother, as they are intended to always be on mains power

and their new 5 button remote does not have a module at all but is one complete pcb, and to top it off they now use 2 AAA batteries

that makes it impossible to install it in the danish LK Fuga design, it will simply be too big to sit flush with the other switches

has anyone started to look into whether the new modules can be reprogrammed to work as a remote and be energy efficient, so that it can run on coin cells?

i imagine that the firmware needs to be taken from the new 5 button remote and changed so that it's as efficient as possible

of course the chip on the new module and the new 5 button remote need to be the same

and the pcb in the new remote is way too big to be put in a LK switch, from what i have seen online it's 2 cm too big in each direction

MattWestb commented 2 years ago

The 3rd gen devices have a very good original Silabs module that is not battery hungry. It's also possible to make custom boards for the new 4 button remote (E2001/E2002) and not use the IKEA PCB if you like, but it's a little more tricky to flash since it has a newer CPU (needs a real J-Tag probe).

And you can use the module from other 3rd gen devices if you can flash it (the E2001/E2002 is not debug locked, so it's possible to dump and flash it). [image] (Dumped, and it has 5 buttons if counting the reset button.)

PS: tuya runs 730 days on one CR2430 with nearly the same module (ZS3L) with more LEDs on the PCB.

boelle commented 2 years ago

is that the new 5 button remote?

image

in denmark i can only get it as a set with a bulb, but i think that will change

boelle commented 2 years ago

btw... i get the modules from 904.087.97

image

MattWestb commented 2 years ago

No, it's not the new 5 button remote, since it's a 4 button remote if not counting the reset button. It's the new E2001/E2002 remote "styrbar", and the PCB looks like this, with one Silabs MG21 module. [images]

It's very "clean" and it should be easy for the Danes to make an updated PCB for it that fits in the original designed switch.

Your module is an ICC-A-1 = the normal 2nd gen module.

boelle commented 2 years ago

ahh

i wonder why they changed it to 2 AAA then? ie if the power consumption is the same

CableCatDK commented 2 years ago

I was told the new module would spend too much power. Why else is it using 2xAAA... Maybe I should give it a try. image

MattWestb commented 2 years ago

It can be that the IKEA devs have not maximized the sleep current, but the module / chip is very low power.

The reason for the 2 AAA should be that they are rechargeable, and it is the new green way IKEA has started; also, all new devices have only recycled paper packing (all plastic is gone).

If it's a little hungry, put 2 CR4530 in parallel on the new PCB (some tuya devices have 2 CR2032 and had an old MG1B module).

Thanks for the PCB layout !!

boelle commented 2 years ago

> If it's a little hungry, put 2 CR4530 in parallel on the new PCB

remember that space is VERY limited

image

40x40mm and barely space for the coincell

boelle commented 2 years ago

currently we use OpenOCD on a pi to flash firmware

can that be used with the new remote too?

MattWestb commented 2 years ago

If they have added support for ARM Cortex®-M33 in the last half year, but i have not read that that has been done.

The module datasheet https://www.silabs.com/documents/public/data-sheets/mgm210l-datasheet.pdf

boelle commented 2 years ago

i just saw that you had wires soldered to the programming header and wondered how you dumped/flashed firmware

MattWestb commented 2 years ago

Main flash and data were dumped without problem with the Silabs WSTK (it has an integrated OBD J-Tag) and Segger J-flasher, and the same was done with tuya ZS3L modules on a LIDL device, but i have loaded the LIDL LED strip controller with EZSP 6.1.0.0 and am using it as a coordinator in ZHA. [image] (before soldering my SWD and com cables) It has the same chip and is also well calibrated and has a well implemented RF part (for being a Chinese module).

boelle commented 2 years ago

sorry for "stepping in a turd" here, but are there other ways to dump the firmware?

using a raspberry pi right now with the current modules it seems costly to get a new programmer, but on the other hand i bet the one from silabs uses windows software, not that i mind linux but it could be nice to have everything on the same machine

so its a bit up in the air, nice to use the setup i have, but that means a different machine just to flash firmware, with a new setup i can use my main pc

boelle commented 2 years ago

being not so tech savvy, i assume you use the debug connector

image

we use the same currently

image

but not sure if that would work, i do not have one of the new modules, but @CableCatDK does

MattWestb commented 2 years ago

With a J-Link (every original version works, also the EDU), and you can build an "OBD clone" from an STM32 board and use it in windows, but don't let Segger update the firmware on it, because then it becomes soft broken. Using the Segger flasher and command programs works OK for dumping, but it can be that it doesn't like flashing if you have a clone or an ST-Link flasher (that is the ST OBD flasher, only allowed to flash ST chips). But flashing can be done with Silabs Commander, which doesn't care if it's a clone or not (it's a free download from the Silabs web).

The pins used for flashing are the same SWD for both 1st and 2nd gen modules; the only change is the CPU, which must be supported by the probe and / or flashing software.

boelle commented 2 years ago

So for the danish dummie here it would make more sense to just get the WSTK programmer?

all i'm after is being able to dump firmware from the 4 button remote and then flash it again to the same module. Those modules i can get from mouser.

MattWestb commented 2 years ago

The WSTK is expensive, but then you also get access to the Silabs Zigbee stack SDK, and one good thing is that with the WSTK you can also unbrick "hard software bricked devices" (boot loader flashed at the wrong address with Silabs commander), which is not possible to do with other probes (i have bricked 3 IKEA modules and recovered them with my WSTK).

The cheapest is a Chinese OBD clone, but there is no guarantee that it works for long (since Segger is blocking their serial numbers), but a Segger EDU is not so expensive, works very well and is much smaller than a WSTK.

When dumping the flash, it is the main flash and also the user data that are needed, since it can (but not always) have configuration for the firmware that makes it work in a different way.

CableCatDK commented 2 years ago

First release of STYRBAR to Danish wall switch is now released: https://www.thingiverse.com/thing:4938961 The idle power consumption is the same. [image]

CableCatDK commented 2 years ago

Diagram image

MattWestb commented 2 years ago

Very nice !!!

I think the Zigbee module is not so easy to get on the open market; IKEA, tuya, Philips and many more have high demand for it and Silabs can't produce enough of it, but they have opened and certified more production sites in the last year (if reading their internal company PM that is also distributed to devs).

Our (community) firmware cooker Gary R ordered some hundred modules nearly one year ago and can't get them shipped, since they are out of stock before the shipment arrives at the seller.

The cheapest device i can get in Wien is the same new E14 or E27 you have used, for 8€, and the module needs reprogramming.

But i was 2 weeks in southern Spain for holiday and made a "pit stop" at IKEA in Montpelier and bought 2 stainless steel version Styrbar for only 10€, and in most countries they cost 15€.

Great that the power consumption is OK and not killing the battery, and it's also possible to put a large one inside if needed.

Thanks for the schematics, it's great to have if doing another version of a wall switch.

For dumping the firmware you can find a version with GDB in my git, but it is also possible to use Segger Commander and also Silabs Commander, but the latter is not as easy as using the GUI from Segger Commander for normal users.

One more time great work done Per !!!

CableCatDK commented 2 years ago

In Denmark STYRBAR is 69 DKK, which is 9,28 euro. The new E14 is 59 DKK, which includes the new module. The module alone is about 100 DKK.

Reprogramming the module (in Danish with nice pictures): https://rbx.dk/w/smart-home-knapper-og-paneler/flash-ikea-zigbee-j-link.html

MattWestb commented 2 years ago

For my "Billy EZSP" project i bought the cheapest "family pack" for 10€ with one E27 WW (for the module) and an E1744 remote, and it was very useful.

So better buying the new clear E14 and getting a few spare parts for the lab ;-))

I think IKEA had a very hard time getting a good deal with Silabs (or it was Silabs that had the problem getting the deal), since some FCC papers with the MG21 module are over 2 years old and they had them on hold since they were not getting a good price from Silabs, but it's very normal for IKEA: if they don't get a good deal they normally leave the project and take the costs (and sometimes the manufacturing company goes bankrupt since it then has no large customer, like one Swedish bed manufacturer).

It also looks like the SYMFONISK should have gotten an MG21 module but got an ICC-1-A in the end.

So very likely many Zigbee modules from IKEA lights are going to DIY and professional projects, but that is not so bad !!

The latest is that IKEA has ordered containers, since they can't get the products to the market because there are shortages of them (Maersk ?), and is also looking at buying its own ships to get around the time and price of shipping from China.

One question: can you reuse the 5 switches from the Styrbar PCB on your custom PCB ? Then it's not so bad buying a Styrbar, since you can reuse most of the components.

CableCatDK commented 2 years ago

The TACH switches are different on my PCB.

CableCatDK commented 1 year ago

The SONOS gen2 is very similar to STYRBAR. It has 3 more buttons, connected to PC02, PC03 and PC04. image

MattWestb commented 1 year ago

Is it Symfonisk 2 ?? One user has gotten one in the Netherlands, and in Vienna it should be coming next week. I don't know what commands it is using, but it has very normal clusters for a light controller, but we will know more in some days :-))

CableCatDK commented 1 year ago

You should watch this video I made: https://youtu.be/msPRU2MsIXY

Here are the functions, when paired directly with a lightbulb: image

MattWestb commented 1 year ago

Nice !!

So normal OnOff and Level commands plus 4 more functions IKEA has cooked into the firmware. New versions with one AAA of OnOff, ShortCut and OpenClose are in the pipe (FCC certified).

The reset / sync of the light is a long press on the right or left button on Styrbar.

MattWestb commented 1 year ago

By the way, OnOff and OpenClose use the same firmware, and you can dump the flash area "user data" and flash it on the other, and you have transformed it.

CableCatDK commented 1 year ago

> By the way, OnOff and OpenClose use the same firmware

Very interesting. Can one change the user data over the air?

HexDK commented 1 year ago

> By the way, OnOff and OpenClose use the same firmware, and you can dump the flash area "user data" and flash it on the other, and you have transformed it.

you mean this?

[screenshot]

MattWestb commented 1 year ago

Yes, but Styrbar uses the new module, so it's not working with it. E1743 OnOff is here: E1743UD.zip, but i don't have the OpenClose on my laptop, but dump it and you can transform between the devices.

MattWestb commented 1 year ago

The interesting part is not the name (it is used on the basic cluster) but the other bits after it, which change hardware functions in the firmware.

HexDK commented 1 year ago

> The interesting part is not the name (it is used on the basic cluster) but the other bits after it, which change hardware functions in the firmware.

maybe it is not all versions that use userdata

[screenshot]

MattWestb commented 1 year ago

If there is no custom data in user data, the firmware uses the default it has (it's at the end of the firmware file around "IKEA").

It's the same with the lights: many have the same firmware with one model in it, but all other versions get it through user data.

The 5 button is a little different, since it's old and new hardware but the same firmware.

CableCatDK commented 1 year ago

I have finished the diagram

Changes from STYRBAR to SONOS gen2:

This diagram is incorrect. See later ports.

image

MattWestb commented 1 year ago

Looks great !!

I was just by Westbahnhof and got 2 of them :-)) I need to sniff how IKEA is setting them up to get the extra keys working and implement it in ZHA.

Try flashing the dumped Symfonisk on an MG21 module and see if it's working OK. If not, i think you also need to flash the userdata to get it working, but if it's working OK then there is no need to do the work.

Devices that use the debug pins for hardware are very bad when trying to flash / dump, and can make it impossible to get it working.

The next 3 devices that are in the pipe: https://fccid.io/FHO-E2201/Letter/Model-Declaration-Letter-6321956.iframe.

CableCatDK commented 1 year ago

It looks like IKEA will EoL the ON/OFF, curtain and shortcut button, with these 3 new devices.

MattWestb commented 1 year ago

I think the old Zigbee module is going out completely, and also the EFR32MG1P chip is end of life. When looking at the first EFR32MG21 devices on FCC, the drawings were over one year old before IKEA applied for FCC, so i think they had a very long and intense round with Silabs to get a very good price on the new module, and also Silabs has opened 2 new assembly lines for the module so they can deliver it to IKEA.

By the way, the module is engineered in Finland !!

And with Dirigera the Symfonisk 2 is getting a firmware update from 1.0.012 to ??? Is tradfri doing the same ??

MattWestb commented 1 year ago

The updated firmware is version 1.0.32 for the E2123. Sniffed when Dirigera was doing the update and rebuilt with zigpy tools, if someone needs it (the signing is OK so it should be 110% OK). ota_t0x110e_m0x117c_v0x01000032.zip

Has anyone who has opened the device dumped the user data ? I'm interested in it for future use.
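
Added example (not part of the thread and not code from any participant): a parser for the standard Zigbee OTA upgrade file header that checks manufacturer code, image type and file version against a file name shaped like the one in the comment above, before an image is trusted for flashing. Reading `t`, `m` and `v` in the name as image type, manufacturer and version is an assumption, as are the leading wrapper bytes and every value in the constructed sample.

```python
import re
import struct

OTA_MAGIC = struct.pack("<I", 0x0BEEF11E)  # Zigbee OTA upgrade file identifier
# Fixed header, little-endian: identifier, header version, header length, field
# control, manufacturer code, image type, file version, stack version,
# 32-byte header string, total image size (56 bytes in all).
FIXED = struct.Struct("<IHHHHHIH32sI")


def parse_ota(blob: bytes) -> dict:
    """Parse the OTA header and list sub-elements as (tag, data offset, length)."""
    start = blob.find(OTA_MAGIC)  # tolerate leading wrapper bytes (assumption)
    if start < 0 or len(blob) - start < FIXED.size:
        raise ValueError("no complete Zigbee OTA header found")
    (_, _, hdr_len, fc, manuf, img_type,
     file_ver, stack_ver, hdr_str, total) = FIXED.unpack_from(blob, start)
    # Optional fields: bit 0 adds 1 byte, bit 1 adds 8 bytes, bit 2 adds 4 bytes.
    expected = FIXED.size + (fc & 1) + (8 if fc & 2 else 0) + (4 if fc & 4 else 0)
    if hdr_len != expected:
        raise ValueError(f"header length {hdr_len} != expected {expected}")
    end = start + total
    if end > len(blob):
        raise ValueError("file shorter than total image size in header")
    elements, pos = [], start + hdr_len
    while pos < end:
        if end - pos < 6:
            raise ValueError("truncated sub-element header")
        tag, length = struct.unpack_from("<HI", blob, pos)
        if pos + 6 + length > end:
            raise ValueError(f"sub-element 0x{tag:04x} overruns the image")
        elements.append((tag, pos + 6, length))
        pos += 6 + length
    return {"manufacturer": manuf, "image_type": img_type,
            "file_version": file_ver, "stack_version": stack_ver,
            "header_string": hdr_str.rstrip(b"\x00").decode("ascii", "replace"),
            "elements": elements}


def matches_name(info: dict, filename: str) -> bool:
    """Compare header fields with a name shaped like ota_t0x.._m0x.._v0x.. ."""
    m = re.search(r"_t0x([0-9a-f]+)_m0x([0-9a-f]+)_v0x([0-9a-f]+)", filename, re.I)
    if not m:
        return False
    img_type, manuf, version = (int(g, 16) for g in m.groups())
    return (img_type, manuf, version) == (
        info["image_type"], info["manufacturer"], info["file_version"])


def build_sample() -> bytes:
    """Constructed sample: 4 wrapper bytes, header, one sub-element (tag 0x0000)."""
    payload = b"\xAA" * 16  # placeholder bytes, not real firmware
    element = struct.pack("<HI", 0x0000, len(payload)) + payload
    header = FIXED.pack(0x0BEEF11E, 0x0100, FIXED.size, 0, 0x117C, 0x110E,
                        0x01000032, 0x0002, b"constructed sample".ljust(32, b"\x00"),
                        FIXED.size + len(element))
    return b"WRAP" + header + element


if __name__ == "__main__":
    info = parse_ota(build_sample())
    print(info, matches_name(info, "ota_t0x110e_m0x117c_v0x01000032.zip"))
```
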

HexDK commented 1 year ago

maybe I'll go to Ikea(Aalborg) tomorrow and pick one up so I can dump the firmware from it if Ikea has more in stock

MattWestb commented 1 year ago

If you get one, i would be very thankful to get the dump. I must get the support for it into ZHA and also try sniffing and decrypting the OTA server function Dirigera is using, since it's not the same feed as TF.

Westbahnhof in Vienna only got one package with 20 and i bought the first pair from them, so it's not a large quantity they have gotten, but it's needed since the first gen has been out of stock for a long time.

By the way, the OTA file looks very different from all other ones, with very much c-code in clear and references.

MattWestb commented 1 year ago

Oh, i was forgetting IKEA is open on Sundays like in my Xhome country (Swe) !!

Does someone have, or know someone that has, the KNYCKLAN Open/Close remote (E1841) and the KNYCKLAN Receiver (E1842), which i can't get in Austria but would like to have firmware dumps of (the remote is most interesting, since it very likely has the same hardware as the OnOff / OpenClose ones) ?

CableCatDK commented 1 year ago

When I tried to dump the flash, I got this error:

WARNING: Could not connect to target device
ERROR: Debug access is locked. Could not connect to device

Device Info from Simplicity Commander image

MattWestb commented 1 year ago

Oops, IKEA has locked the debug and started using secure elements !!

So you can only do a device erase and not read / write the device. The good thing is they are not using secure boot = the bootloader is using encryption with keys stored in the secure storage.

If you like, try flashing the sniffed OTA firmware i made on an MG21 module with the Styrbar bootloader and system, and see if it likes it or not. I think of 2 alternatives: 1. the bootloader and / or the app does not like it and is crashing / locking the device; 2. it's working OK but there can be a slightly strange device name from the styrbar.

If you do a device erase you lose the main flash, and i think it also erases the user data, but i'm not 110% sure (need to read the bootloader paper).

I hope IKEA has not implemented the tamper functionality, since it can burn the chip and then it can't be recovered at all.

MattWestb commented 1 year ago

I have extracted the signed OTA file and made an S37 file of it, so it should be possible to flash it with commander without needing to convert it, and it puts it in the right place.

I have put in the GBL and BIN files too, but the s37 is the safest / best for flashing. 110e.zip
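
Added example (not part of the thread and not code from any participant): a check of which addresses an S37 (Motorola S-record) file will write, with every record's byte count and checksum verified, since the comments above turn on an image landing at the right address. The sample records and the region 0x0 to 0x4000 used in the demo are constructed assumptions, not values from the thread.

```python
ADDR_BYTES = {"1": 2, "2": 3, "3": 4}  # data record type -> address width


def make_record(kind: str, addr: int, data: bytes = b"") -> str:
    """Build one S-record line (used only to construct the sample below)."""
    width = {"1": 2, "2": 3, "3": 4, "7": 4, "8": 3, "9": 2}[kind]
    body = bytes([width + len(data) + 1]) + addr.to_bytes(width, "big") + data
    return f"S{kind}{body.hex().upper()}{(~sum(body)) & 0xFF:02X}"


def srec_ranges(text: str) -> list:
    """Verify every record, then return merged (start, end) ranges of data."""
    chunks = []
    for n, line in enumerate(text.split(), 1):
        if len(line) < 4 or line[0] != "S":
            raise ValueError(f"record {n}: not an S-record")
        raw = bytes.fromhex(line[2:])  # count, address, data, checksum
        if raw[0] != len(raw) - 1:
            raise ValueError(f"record {n}: byte count does not match length")
        if (~sum(raw[:-1])) & 0xFF != raw[-1]:
            raise ValueError(f"record {n}: bad checksum")
        width = ADDR_BYTES.get(line[1])
        if width is None:
            continue  # header, count and termination records carry no data
        if len(raw) < width + 2:
            raise ValueError(f"record {n}: too short for its address")
        addr = int.from_bytes(raw[1:1 + width], "big")
        chunks.append((addr, addr + len(raw) - 2 - width))
    merged = []
    for start, end in sorted(chunks):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def overlaps(ranges: list, start: int, end: int) -> bool:
    """True if any data range intersects the half-open region [start, end)."""
    return any(s < end and e > start for s, e in ranges)


# Constructed sample: two adjacent 16-byte records, one 8-byte record, terminator.
SAMPLE = "\n".join([
    make_record("3", 0x4000, bytes(range(16))),
    make_record("3", 0x4010, bytes(range(16))),
    make_record("3", 0x8000, b"\xFF" * 8),
    make_record("7", 0x4000),
])

if __name__ == "__main__":
    for s, e in srec_ranges(SAMPLE):
        print(f"0x{s:08X}-0x{e - 1:08X}")
    # Assumed protected region for this sample only; take the real bootloader
    # range from the part's documentation.
    print("touches 0x0-0x3FFF:", overlaps(srec_ranges(SAMPLE), 0x0, 0x4000))
```
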

CableCatDK commented 1 year ago

So should I try flashing a blank module, and solder it in place instead of the current module, to see if we can make your own module?

MattWestb commented 1 year ago

Take an unused module, since you can't flash the Symfonisk; you can only erase the chip = you have lost 20€, and after that flash it, but perhaps the Symfonisk firmware.

On the new module, flash a dumped Styrbar firmware from 0x0 so you get its bootloader and APP. Then flash the 110e.s37 over it so it has the standard bootloader and the Styrbar APP.

If the bootloader is OK and the APP is loaded OK and likes all things, then it should work. If they have made more protection, like putting keys in the userdata that we can't read, it will not load OK.

Edit: solder a new one if you like, or a new one without PCB, only cables, is easier for just a little testing.

CableCatDK commented 1 year ago

I have flashed 110e.s37 to one of my converted STYRBAR to FUGA. The result is that the led is half bright constantly, and nothing else works. This result is expected, as the pairing button has been changed to pull to VCC, instead of pull to GND, and the LED output has been changed.

Flashing the previous firmware, recovered the module.

I have not tested it yet in the SYMFONISK PCB. I need a donor module. Maybe one of my noisy RGB bulbs will get the hammer.

MattWestb commented 1 year ago

I hope the Symfonisk FW can run on the Styrbar bootloader, but the only way to know is flashing as you have done and testing, and if you have a PCB with all pins OK it is easier to test.

Before doing a chip erase of the CWS3, can you dump the main flash and userdata ? I think it could be great for making an RGB LED controller that is properly Zigbee 3 compatible.

You can also test if Symfonisk starts OK on the CWS3 bootloader by only flashing the OTA files. And one thing to test is deleting the userdata on the new module, so there is nothing in it that makes it crash, as a second way to test.

CableCatDK commented 1 year ago

I just bought a 204.867.84 as a donor chip. But it is locked too. I tried to lock the module. But I think I have bricked it.