basilfx / TRADFRI-Hacking

Hacking IKEA TRÅDFRI products, such as light bulbs, window blinds and other accessories.

new module as remote #46

Open boelle opened 2 years ago

boelle commented 2 years ago

Hi,

this project on Thingiverse https://www.thingiverse.com/thing:3655354 has been much fun for me.

It was easy to remove a Zigbee module from their light bulbs and then reprogram it to work as a 5 button remote.

But now IKEA is slowly replacing their Zigbee modules with a new one that, as far as the bulbs are concerned, is far more power hungry, and why should IKEA bother, as they are intended to be always on mains power.

And their new 5 button remote does not have a module at all but is one complete PCB, and to top it off they now use 2 AAA batteries.

That makes it impossible to install it in the Danish LK Fuga design, it will simply be too big to sit flush with the other switches.

Has anyone started to look into whether the new modules can be reprogrammed to work as a remote and be energy efficient so that it can run on coin cells?

I imagine that the firmware needs to be taken from the new 5 button remote and changed so that it's as efficient as possible.

Of course the chip on the new module and the new 5 button remote needs to be the same.

And the PCB in the new remote is way too big to put in an LK switch, from what I have seen online it's 2 cm too big in each direction.

MattWestb commented 1 year ago

With Silabs Commander it should be possible to unlock the debug lock in the chip, but then it erases the internal flash. I have not tried it but it should work OK.

I have only hard/software bricked 3 old IKEA modules, but I was debricking them with the Commander CLI, but that needs an original Silabs WSDK that has special macros implemented; the debug unlocking should work with a normal Segger J-Link probe and Commander.

Look in the manual for Silabs Commander for how it should work.

So we have made / forced IKEA to debug lock their modules by using them for nice things: wall light switches, Zigbee coordinators and OpenThread Border Router RCPs !!!

Bad Swedes !! ;-))

MattWestb commented 1 year ago

Also make sure to connect the reset pin, since Commander has updated the Segger libs and sometimes (not always) has problems if the reset pin is not connected, and can do very strange things without it.

CableCatDK commented 1 year ago

I would like to recover the module. But for now, the high-pitch RGB bulb gets the hammer tomorrow. I have finished my first revision of the PCB: https://www.printables.com/model/410259

CableCatDK commented 1 year ago

Erasing the module can be done with:

c:\Simplicity Commander>commander device lock --debug disable -s seriel-of-segger -d MGM210L022JNF2
Unlocking debug access (triggers a mass erase)...
Chip successfully unlocked.
DONE

c:\Simplicity Commander>commander device unlock -s seriel-of-segger -d MGM210L022JNF2
Unlocking debug access (triggers a mass erase)...
Chip successfully unlocked.
DONE

CableCatDK commented 1 year ago

When adding the STYRBAR modded to SYMFONISK, it appears as a STYRBAR and 2 shortcut buttons: [image]

MattWestb commented 1 year ago

That is great !!!

I was reading yesterday evening that you need a Silabs WSDK for doing recovery and unlocking of devices, but then it's working for you :-)) What SWD adapter are you using for flashing ?

The Styrbar only has one normal endpoint and Symfonisk 2 has 2 extra ones with the names shortcut 1 and 2 that send the commands from the extra buttons. If you are using an open Zigbee system you need to bind the 2 extra endpoints to the coordinator so it sends the commands to it.

If adding it to an IKEA system, TF or Dirigera, it can be confusing and not work OK, but I'm interested whether it's really working, but I think so, since the APP / firmware has started OK and it can be added.

Since the OTA file has the name in it you can try flashing an empty file or erasing the flash pages of the userdata so it's not using the old name. From the OTA file:

IKEA of Sweden
SYMFONISK sound remote 2
20221219
E2123
1.0.32

Are you using TF for your system or are you using other HA-like ones ??

So in the end I did not get any dump of the CWS3 ;-((

HexDK commented 1 year ago

STYRBAR modded to SYMFONISK. Test version: Test_Version.zip

MattWestb commented 1 year ago

@HexDK Have you hex edited the Styrbar userdata or done a debug unlock and dumped it ? I'm not sure if debug unlock is erasing the userdata, since it's a little diffuse in the docs (therefore I have not recommended trying it before knowing if the Styrbar bootloader is working, so as not to brick the device).

If it's working then IKEA is cheated, since we can write main flash with bootloader and OTA APP and also the userdata, and also "recycle" (debug lock unlocking) old modules and use them for Symfonisk 2.

The only problem is if IKEA has made some extra in the Symfonisk bootloader so further OTA is not working. The good thing is the module is the one with software secure vault and not the hardware one that can't be worked around like this.

HexDK commented 1 year ago

Yes I have hex edited the user data. And when you unlock I think it deletes the user data, but I have not tested; I don't have one that was locked.

MattWestb commented 1 year ago

Good ! A normal flash chip erase does not delete the userdata, but debug lock unlocking should erase all and also the internal RAM so you can't sniff secret manufacturer data.

If you like you can lock the debug and unlock it and dump the userdata, then we will know.

HexDK commented 1 year ago

Yes, I want to do that test tomorrow, I'm just at work right now :)

CableCatDK commented 1 year ago

Changing userdata worked. The remote is now properly recognized as a SYMFONISK remote in the hub.

NAME = SYMFONISK sound remote 2 MODEL = E2123

S3150FE0020053594D464F4E49534B20736F756E6420CD
S3150FE0021072656D6F74652032FFFFFFFFFFFFFFFF13
S3150FE00230014532313233FFFFFFFFFFFFFFFFFFFFC5

CableCatDK commented 1 year ago
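
The three lines above are Motorola S-record (S3) lines: a byte count, a 4-byte address, the data, and a one's-complement checksum. The following is an added example for this thread (not code from the repo or from the people posting here) that verifies those records, decodes the name and model fields from them, and rebuilds an identical patch for a different name/model. The 0x0FE00000 userdata base and the 0x200/0x230 field offsets are inferred from the posted records themselves; the 0x01 byte in front of the model string is copied as-is because the thread does not say what it means.

```python
"""Parse, verify and rebuild Motorola S-record (S3) lines like the userdata
patch posted above. Added example for this thread, not code from the repo."""
from typing import Dict, Iterable, List, Tuple

# Userdata on this module is taken to start at 0x0FE00000 (the address the
# posted records use). Field offsets/lengths are inferred from those records.
USERDATA_BASE = 0x0FE00000
NAME_OFFSET, NAME_LEN = 0x200, 32      # "SYMFONISK sound remote 2" lives here
MODEL_OFFSET, MODEL_LEN = 0x230, 16    # first byte is 0x01 in the posted record
POSTED_RECORDS = [
    "S3150FE0020053594D464F4E49534B20736F756E6420CD",
    "S3150FE0021072656D6F74652032FFFFFFFFFFFFFFFF13",
    "S3150FE00230014532313233FFFFFFFFFFFFFFFFFFFFC5",
]


def srec_checksum(body: bytes) -> int:
    """One's complement of the low byte of the sum over count, address and data."""
    return (~sum(body)) & 0xFF


def parse_s3(line: str) -> Tuple[int, bytes]:
    """Return (address, data) for one S3 record after checking count and checksum."""
    line = line.strip()
    if not line.startswith("S3"):
        raise ValueError(f"not an S3 record: {line[:4]!r}")
    raw = bytes.fromhex(line[2:])          # count, 4-byte address, data, checksum
    count, chk = raw[0], raw[-1]
    if count != len(raw) - 1:
        raise ValueError(f"byte count {count} != {len(raw) - 1}")
    expected = srec_checksum(raw[:-1])
    if chk != expected:
        raise ValueError(f"checksum {chk:02X} != expected {expected:02X}")
    return int.from_bytes(raw[1:5], "big"), raw[5:-1]


def build_s3(address: int, data: bytes) -> str:
    """Inverse of parse_s3: emit one S3 record with a correct count and checksum."""
    body = bytes([len(data) + 5]) + address.to_bytes(4, "big") + data
    return "S3" + body.hex().upper() + f"{srec_checksum(body):02X}"


def load_image(lines: Iterable[str]) -> Dict[int, int]:
    """Sparse address -> byte map; addresses absent from the map were never written."""
    mem: Dict[int, int] = {}
    for line in lines:
        if line.startswith("S3"):
            addr, data = parse_s3(line)
            for i, b in enumerate(data):
                mem[addr + i] = b
    return mem


def field_string(mem: Dict[int, int], addr: int, maxlen: int) -> str:
    """Read an ASCII field terminated by NUL or by erased flash (0xFF)."""
    out = bytearray()
    for a in range(addr, addr + maxlen):
        b = mem.get(a, 0xFF)
        if b in (0x00, 0xFF):
            break
        out.append(b)
    return out.decode("ascii")


def programmed_ranges(mem: Dict[int, int]) -> List[Tuple[int, int]]:
    """Contiguous address ranges holding non-0xFF bytes (a text 'flash map')."""
    ranges: List[Tuple[int, int]] = []
    start = prev = None
    for a in sorted(mem):
        if mem[a] == 0xFF:
            continue
        if prev is None or a != prev + 1:
            if start is not None:
                ranges.append((start, prev))
            start = a
        prev = a
    if start is not None:
        ranges.append((start, prev))
    return ranges


def decode_userdata(lines: Iterable[str] = POSTED_RECORDS) -> dict:
    mem = load_image(lines)
    return {
        "name": field_string(mem, USERDATA_BASE + NAME_OFFSET, NAME_LEN),
        # skip the 0x01 byte at +0x230; the thread does not say what it means
        "model": field_string(mem, USERDATA_BASE + MODEL_OFFSET + 1, MODEL_LEN - 1),
        "ranges": programmed_ranges(mem),
    }


def userdata_patch(name: str, model: str) -> List[str]:
    """S3 records for new name/model fields, padded with 0xFF like erased flash."""
    if len(name) > NAME_LEN or len(model) > MODEL_LEN - 1:
        raise ValueError("field too long")
    name_bytes = name.encode("ascii").ljust(NAME_LEN, b"\xff")
    model_bytes = (b"\x01" + model.encode("ascii")).ljust(MODEL_LEN, b"\xff")
    records = [build_s3(USERDATA_BASE + NAME_OFFSET + off, name_bytes[off:off + 16])
               for off in range(0, NAME_LEN, 16)]
    records.append(build_s3(USERDATA_BASE + MODEL_OFFSET, model_bytes))
    return records
```

Running `decode_userdata()` on the posted lines returns the name and model the hub then shows, and `userdata_patch("SYMFONISK sound remote 2", "E2123")` reproduces the three posted records byte for byte. One caveat S-records make visible: a sparse patch like this only writes the 48 bytes it contains, so anything else already sitting in the userdata page is untouched by it.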

Here are both the source files, and the result: SYMFONISK_E2123_firmware.zip

MattWestb commented 1 year ago

I was thinking of recommending using s37 files for doing the update, so you can get all in one file and in the right place, but I'm too late ;-(.

Does the IKEA_TRADFRI_SYMFONISK_sound_remote_2_E2123_1.0.32_mainflash_userdata.s37 flash everything on one blank module, so no more steps are needed, or does it need more flashing ?

CableCatDK commented 1 year ago

> Does the IKEA_TRADFRI_SYMFONISK_sound_remote_2_E2123_1.0.32_mainflash_userdata.s37 flash everything on one blank module, so no more steps are needed, or does it need more flashing ?

The file has the entire mainflash and userdata. So the module can be flashed in one step. Or 3 steps, if you need to unlock it first.

MattWestb commented 1 year ago

Great !! I shall test it. I was testing locking one Billy (old IKEA module) and unlocking it, but it was not working. I had to use the Silabs recovery for getting it back:

.\commander.exe  device lock --debug disable --speed 100 -d efr32mg1p
Setting debug interface speed to 100 kHz
Unlocking debug access (triggers a mass erase)...
Unlocking debug access (triggers a mass erase)...
Attempting EFR32/EFM32 Series 1 recovery using system bus stall...
Attempting connection while holding device in reset...
Waiting for AAP mass erase to complete...
Verifying debug access...
Found DP ID:  0x2ba01477
Found AAP ID: 0x24770011
Chip successfully unlocked.
DONE

.\commander.exe  device masserase  -d efr32mg1p
Reconfiguring debug connection with detected device part number: EFR32MG1P132F256IM32
Erasing chip...
Flash was erased successfully
DONE

The chip had bootloader, EZSP NCP APP and user data set before unlocking. After recovery / unlocking it had the main flash blank but not the user data.

I was testing one Markus module (IKEA's new EFR32MG210L module) that had bootloader, RCP (OpenThread border router radio co-processor firmware) and model set in user data. Debug locking and unlocking with mass erase, and the main flash is blank but the user data is not !!

Have some brave ones tested unlocking the debug lock on the original module ?? I think it very likely does not erase the userdata, and it can be dumped and reused as an original device on our recycled modules.

If we get the original userdata there is no way IKEA can make problems in the future, since they are not using secure storage in the chip, so all is in the main flash and userdata. Then OTA updates in the future shall be working 110% !!

MattWestb commented 1 year ago

I was flashing the combined file and taking all cables away, only VCC and GND (I'm using PC05 as com port so I can't have the debug connected), and then using one resistor between VCC and PC05, and it started requesting beacons. Adding it in Dirigera I am getting 3 lights with the model from the origin of the module, but the "naming" is remote X.

So the firmware is working but something is not OK in the userdata. I think it's only updating the changed bits and not erasing the unchanged ones, but I must look if it's so or not.

MattWestb commented 1 year ago

Userdata dumped, and it's not updated with the combined s37 file :-(( SyFo2.zip

Edit: After flashing the IKEA_TRADFRI_SYMFONISK_sound_remote_2_E2123_1.0.32_userdata.bin at 0xFE00000 and adding it in Dirigera, all looks like the original and it's not complaining :-)))))

The only bad thing is it's not so easy doing the PC05 to VCC, so I have touchlinked some of my devices in the production system and must repair them back.

CableCatDK commented 1 year ago

I have learnt that this command:

commander.exe readmem -s seriel-of-segger -d MGM210L022JNF2 --region @mainflash @userdata -o IKEA_TRADFRI_SYMFONISK_sound_remote_2_E2123_1.0.32_mainflash_userdata.s37

does not dump both mainflash and userdata, but only mainflash.

New fixed firmware is here: IKEA_E2123_1.0.32_firmware.zip

MattWestb commented 1 year ago

Thanks !! I'm using one Silabs WSDK and it has an internal module or external device, and if using the external one I must use --device for the chip I have, and then the --region @userdata is not working and I must use a range, but it works OK, just not as easy as a region.

I think only some days and we have worked around IKEA's bad protection of their new devices, great !!

And you must order new PCBs for your new wall switch :-))

I'm waiting for the Vindstyrka air sensor to be released and the OTA file for it, and then trying to use Styrbar as the base for getting it working on the new Zigbee module. Starkvind I'd also like to try, but it's not so easy finding the pairing pin and whether it's grounding or VCC that is needed, and it can burn the chip if doing it wrong. Also if holding it too long it's touchlinking other devices.

CableCatDK commented 1 year ago

How did you convert the OTA file to S37?

MattWestb commented 1 year ago

I have zigpy-cli installed in one Python env in Windows and use the command zigpy ota dump-firmware .\10082261-zingo_lds_starkvind-1.1.001.ota.ota.signed E2006.gbl. You don't know if it's an old EBL or a new GBL file, but you can use Silabs Commander for getting information on the file. Then use Commander for converting it to S37 or other formats like bin, hex, ebl or gbl files. Also combining files into one hex or s37 works OK.

For info on the OTA file: zigpy ota info <file>. The command zigpy ota reconstruct-from-pcaps is not implemented (it's work in progress), but it's what I have been using for making the OTA file from sniffing the Zigbee network when the device was being updated.

Edit: zigpy: PCAP -> OTA; zigpy: OTA / SIGNED -> GBL / EBL; Commander: EBL / GBL -> BIN, HEX, EBL, GBL, S37

Edit 2: SIGNED = TF OTA feed files signed by IKEA. OTA = PCAP-sniffed update rebuilt into one OTA file, and for IKEA the signing is still OK (it's the same as SIGNED but recreated) = it's the same file as IKEA has on their server and is not broken, and the device verifies the signature OK and flashes it.
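
The "OTA" stage of that pipeline is the Zigbee OTA upgrade file container (the format `zigpy ota info` reports on): a header with a magic value, manufacturer code, image type, file version, stack version, a 32-byte header string and the total size, followed by tagged sub-elements, of which tag 0x0000 (Upgrade Image) carries the firmware that gets handed to the bootloader. The following is an added example for this thread, not zigpy's, Silicon Labs' or IKEA's code, that parses and builds that container and rejects a truncated or length-tampered file. It does not verify any vendor signature. The sample image is constructed: IKEA's Zigbee manufacturer code 0x117C is real, the image type and version numbers are made up, the payload is a few filler bytes behind a GBL header tag, and the GBL tag value is written from memory and should be treated as an assumption.

```python
"""Parse and build Zigbee OTA upgrade images (the container zigpy's `ota info`
reads). Added example for this thread; not zigpy or Silicon Labs code, and it
does not check any vendor signature. The sample image below is constructed."""
import struct

OTA_MAGIC = 0x0BEEF11E                  # OTA upgrade file identifier (ZCL spec)
OTA_HEADER_FMT = "<IHHHHHIH32sI"        # fixed part of the OTA header, 56 bytes
OTA_HEADER_MIN_LEN = struct.calcsize(OTA_HEADER_FMT)
TAG_UPGRADE_IMAGE = 0x0000              # sub-element tag carrying the firmware
ZIGBEE_PRO_STACK = 0x0002
IKEA_MANUFACTURER_CODE = 0x117C
GBL_HEADER_TAG = 0x03A617EB             # Gecko bootloader GBL header tag (from memory; assumption)


def parse_ota(image: bytes) -> dict:
    """Validate the OTA header and return its fields plus (tag, data) sub-elements."""
    if len(image) < OTA_HEADER_MIN_LEN:
        raise ValueError("image shorter than the minimum OTA header")
    (magic, hdr_ver, hdr_len, field_ctrl, manuf, img_type,
     file_ver, stack_ver, hdr_str, total) = struct.unpack_from(OTA_HEADER_FMT, image, 0)
    if magic != OTA_MAGIC:
        raise ValueError(f"bad OTA magic {magic:#010x}")
    if total != len(image):
        raise ValueError(f"header says {total} bytes, file has {len(image)}")
    if not OTA_HEADER_MIN_LEN <= hdr_len <= total:
        raise ValueError(f"implausible header length {hdr_len}")
    info = {
        "header_version": hdr_ver, "manufacturer_code": manuf, "image_type": img_type,
        "file_version": file_ver, "stack_version": stack_ver,
        "header_string": hdr_str.rstrip(b"\x00").decode("ascii", "replace"),
    }
    # Optional header fields, present according to the field-control bits.
    off = OTA_HEADER_MIN_LEN
    if field_ctrl & 0x01:
        info["security_credential_version"] = image[off]
        off += 1
    if field_ctrl & 0x02:
        info["upgrade_file_destination"] = image[off:off + 8].hex()
        off += 8
    if field_ctrl & 0x04:
        info["hw_min"], info["hw_max"] = struct.unpack_from("<HH", image, off)
        off += 4
    if off > hdr_len:
        raise ValueError("optional fields overrun the declared header length")
    # Sub-elements follow the header: uint16 tag, uint32 length, data.
    elements, off = [], hdr_len
    while off < total:
        if off + 6 > total:
            raise ValueError("truncated sub-element header")
        tag, length = struct.unpack_from("<HI", image, off)
        off += 6
        if off + length > total:
            raise ValueError(f"sub-element {tag:#06x} runs past the end of the image")
        elements.append((tag, image[off:off + length]))
        off += length
    info["elements"] = elements
    return info


def firmware_payload(info: dict) -> bytes:
    """The bytes handed to the bootloader (first Upgrade Image sub-element)."""
    for tag, data in info["elements"]:
        if tag == TAG_UPGRADE_IMAGE:
            return data
    raise ValueError("no Upgrade Image sub-element")


def payload_kind(data: bytes) -> str:
    """Tell a GBL container from anything else (EBL, unknown) by its first tag."""
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == GBL_HEADER_TAG:
        return "gbl"
    return "unknown"


def build_ota(manuf: int, img_type: int, file_ver: int, header_string: str,
              payload: bytes, stack_ver: int = ZIGBEE_PRO_STACK) -> bytes:
    """Wrap a payload in a minimal OTA header with no optional fields."""
    body = struct.pack("<HI", TAG_UPGRADE_IMAGE, len(payload)) + payload
    hdr_str = header_string.encode("ascii")[:32].ljust(32, b"\x00")
    header = struct.pack(OTA_HEADER_FMT, OTA_MAGIC, 0x0100, OTA_HEADER_MIN_LEN, 0,
                         manuf, img_type, file_ver, stack_ver, hdr_str,
                         OTA_HEADER_MIN_LEN + len(body))
    return header + body


# Constructed sample: a fake GBL payload (header tag followed by filler bytes)
# wrapped with IKEA's manufacturer code; image type and version are made up.
SAMPLE_PAYLOAD = struct.pack("<I", GBL_HEADER_TAG) + bytes(range(1, 29))
SAMPLE_IMAGE = build_ota(IKEA_MANUFACTURER_CODE, 0x1234, 0x00010020,
                         "constructed test image", SAMPLE_PAYLOAD)
```

`parse_ota(open(path, "rb").read())` gives the same header fields a tool like `zigpy ota info` prints, and `firmware_payload(...)` is the blob you would hand to Commander for conversion. The two length checks matter on a file rebuilt from sniffed packets: a missing or duplicated fragment shows up as a size mismatch here before anything is flashed.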

HexDK commented 1 year ago

@MattWestb here is everything from IKEA firmware I have: Dump Link

and some files from when I made the mod file for Per (CableCatDK) and the userdata file: Link

I have also updated my flash guide page a bit with everything we have learned: Link

MattWestb commented 1 year ago

I was looking yesterday in your git; a great collection of dumps, that is always good to have / to know where to find :-)) I normally make s37 files, since it's easier to flash and you don't need to put in the right address every time.

In Commander, when clicking on read memory you get one nice graphic.

With the updated firmware it's a little strange but it's working. First is the bootloader, 0x0 to 0x3ffff, and then the APP at 0x40000 to its end. When the APP is starting it's making one NVM3 in the last part of the flash. The dump has some extra blocks allocated but it looks to be working OK (can be rests from the Styrbar NVM2 file). It can also be rests from one OTA file, since MG21 is using the main flash for temp storage of OTA files (MG1X is using external flash for OTA updates).

Silabs Commander is working OK but it's a little tricky and the documentation is not 100%.

I think we are all learning very fast and in the end we will get all working well !!

HexDK commented 1 year ago

We can hope that the dump we can make when it is again updated via the IKEA hub will be a better dump.

MattWestb commented 1 year ago

@CableCatDK I was looking at the schematics and I think the pairing switch / PC05 has the pull-up resistor wrong. PC05 has R8 as pull-up to VCC and on the other side the switch is connected to VCC. For it to work OK it should be a pull-down to GND on the PC05 side of the switch and VCC on the other side, so PC05 is normally low and goes high when pushing the switch.

If PC05 is at VCC all the time it's very likely the device is trying to touchlink devices all the time, if the program has not blocked it, since the switch is continuously closed.

On my test Symfonisk 2 I have it not connected and only put it to VCC with one resistor for pairing, and it's working, but it's not by the book.

I have repaired 3 signal repeaters and 2 lights and 6 sensors that were by mistake touchlinked by the remote during testing, and I hope no more devices have been kidnapped by my wild testing.

CableCatDK commented 1 year ago

I don't see any error in the diagram. The resistor R8 is unpopulated. I will examine it thoroughly when I get home.

With the original PCB, I am having issues using the pairing button. It takes many clicks to reset it.

My PCBs have been produced now, and are expected to be delivered 2023-03-07.

MattWestb commented 1 year ago

Most 24.X firmware can be a little tricky to get into pairing mode, but it's easier when having one LED, which I don't have on my test rig; the worst is the new motion sensor on 24.X firmware.

If R8 is unpopulated it should be OK (free floating), also if IKEA has configured the port with an internal pull-down (I have not looked if it's possible to do in the software). You can try putting one pull-down resistor and see if it's better, as you have said the pairing pin should be high when active.

CableCatDK commented 1 year ago

Corrections:

[image]

MattWestb commented 1 year ago

That looks more logical to me. So PA03 is normally high and if some button (not the pairing one) is pressed it goes low and wakes the SoC up for scanning which key is pressed and sending the command from the key, and all the caps are for filtering the contacts on the switches.

Is C4 populated and not R8 on the original IKEA PCB ? I was only thinking that if C4 is leaking it can bring PC05 high and needs R8 for being kept low, so as not to go into pairing mode without pressing the pairing button.

If the device is going into touchlink or normal pairing mode when being powered, or without some reason, I think populating one 1M as R8 should fix it.

I also think IKEA has put pull-up and -down on the IO pins in the software and does not need all the resistors they have on the PCB (thinking = not knowing).

PS: Sorry for making more work on your PCB that is on the way ;-(

CableCatDK commented 1 year ago

I am working on a 1½ module version too. This is the button configuration I am going for: [image]

CableCatDK commented 1 year ago

I have made my first prototype.

The LED and pairing button are working. But not any of the other buttons. I have fixed the errors I described earlier. I am missing R9, maybe that is the issue.

[image]

MattWestb commented 1 year ago

If the inputs have internal pull-down it should work, but I think R9 is needed, and if not having the SMD version use a normal one for testing. It looks a little like Modern Art, but the most important thing is to see if it's working and do the corrections in the design.

My "Symfonisk 2" is still running OK on the IKEA module, so I think the file you have should work OK on all new modules; you only need to flash the userdata so it's not having old crap saved in it that makes strange things.

I got one VINDSTYRKA today and shall test dumping it if it's not debug locked, since it has date code 2236; then I hope to get the userdata and also one newer bootloader that is not locked by the firmware that we can use when IKEA starts shipping all new devices with debug locked.

Next are the upcoming OnOff, OpenClose and shortcut 2.

By the way, in the updated firmware (that you got) the Symfonisk 2 shortcut cluster is sending Matter formatted commands and is only missing some small parts, but I think IKEA likes changing the cluster to the Matter one (it's still OK for Zigbee) and piping to Matter in the GW.

CableCatDK commented 1 year ago

I am using the original module I desoldered earlier. I will see if I can get a 1M resistor.

[image]

MattWestb commented 1 year ago

You can use a lower value for it when testing, but for production it's better with a higher one so your battery is not going out too fast.

One design question. All switches have one cap over the switch. Is it not better to put the caps between the legs of the switch, since there is enough space for it and it only needs small pads, and it's on the same plane as the switch legs on both sides, and it makes more free space on the rest of the PCB, but only a little more tricky soldering the components ?

In the end I'd like to get more metal-free space around the Zigbee module antenna so the RF is not being killed and you get connection problems on your devices.

The antenna-free zone and guides are in the module datasheet.

CableCatDK commented 1 year ago

Remember when I designed the PCB, I thought the connections for the switches and caps were not the same.

This is the current 1.5M version: [image]

And the new 1M version: [image]

MattWestb commented 1 year ago

On the 1½ module version I think the antenna is better than on the 1 module layout, but you never know before testing it in real life (it's radio wave magic). The PCB needs the switches in that position and also the battery holder and the space for mounting, so not so much can be done. Oops, I think you have 2 batteries on the large module :-)))

One bad piece of news is that VINDSTYRKA can't be read with Commander, since IKEA is using pins for other things like the IC for LCD drive and sensors, but with the command line it's saying debug locked and Segger's J-Flash is saying the same, so we are not getting one new bootloader for controllers (I think lights have another one that has reset with power cycles), and the updated firmware is certified but Dirigera doesn't have it; it's coming later. I have put it in one ZHA test system without IKEA update so I can sniff it when it's being made and make one OTA file in the future.

So with Styrbar we have one working bootloader that is working with Symfonisk 2 OTA files. Looks like all new devices are being debug locked, also lights. So likely the new upcoming buttons also are, and I'm hoping that Styrbar's bootloader is working on them, or we are busted making extended hardware for them in an easy way.

CableCatDK commented 1 year ago

It is working with a 1M resistor. 10K did not.

[image]

MattWestb commented 1 year ago

Was testing a little more, and with the X-modem bootloader and the update = not starting (it's not making the NVM file at the end of the flash). Styrbar bootloader and update on an erased chip: not starting (no NVM is made = chip is not starting). So I was using the normal patched one and was writing a copy of empty UD on the flash pages that are wrong from some old stuff, and looking in the flash map the bad pages are erased OK. Starting the chip and holding the pairing button pin high and it's scanning touchlink = working. Was flashing one blank user data and testing and it's starting OK.

Was pairing with fixed main flash and empty user data with Dirigera and it looks very nice.

I hope IKEA has not saved some important things in the user data, and that the device is working OK in the hardware or software way, and also that future OTA is working with it. I shall test if it's requesting OTA with ZHA OK; then I think it's no problem, but that we won't know until the next OTA update is installed and working on the device.

E2123.zip

CableCatDK commented 1 year ago

What does E2123.zip contain?

I would like to hack the firmware to work better when directly paired with a light bulb. Any suggestions where to start?

MattWestb commented 1 year ago

The Zip is one blank user data and one cleaned main flash without the extra ghost blocks that were near the NVM in the upper part of the flash. It's only cosmetic, since your files are working great. Only good to have for testing when IKEA is updating the firmware and if we get problems with the update.

Patching the main OTA flash files breaks the signing of the file and it can't be updated with OTA, but still with SWD. And I don't have the knowledge for digging into the code, but it should be possible.

If you like digging or cooking your own firmware you can do that with GSDK 4.X, which is free, but it needs a little work getting to understand how it's working and getting it working. I am doing NCP (EZSP coordinator) and RCP (OpenThread) firmware and it's working OK, but I have some problems getting the EZSP working OK on this module in all configurations. With the old IKEA (Billy) module all Zigbee is working OK, but it's not supported by GSDK 4.X and can only use the previous version, which is not free, but I have a licence for it, and Thread is working OK with the latest version for them. I have also done some Zigbee Control Bridges (it's the working mode of the IKEA TF and HUE bridge) that can control all devices in the network as one normal device with CLI.

Silabs GitHub for GSDK https://github.com/SiliconLabs/gecko_sdk

PS: I think for direct control you need to use the ZLL part that is in the GSDK, but Silabs is not having the ZLL master key in the package and you need one extra agreement with them for getting it for Simplicity Studio (the normal Zigbee HA master key is in the software package and working OK), so it can be that you can't get it working !!

CableCatDK commented 1 year ago

The hammer falls:

[image]

CableCatDK commented 1 year ago

Firmware dump and high res pictures of TRADFRI bulb E27 CWS 806lm: LED1924G9.zip

[image]

MattWestb commented 1 year ago

Now I understand why IKEA's CWS3 is much cheaper than HUE lights: they are not putting in all components like Zigbee modules and power supplies in China, and IKEA can sell them for only some € ;-))).

The main flash is not old, since the date is 2019.07.19, so the bootloader can be used for devices with debug lock, rolling one OTA file on it after doing one unlock.

And the CWS3 is one true RGBWW, but I think they are also using the RGB for doing the color temperature for helping, since there are 20 W-type white LEDs and only 3 G-type white LEDs of the other CT; I think it's a little unbalanced, but it can be that the G type is much more powerful, or they are using the RGB LED for doing compensation for getting it to look OK.

And thanks for the instructions, they look great, and I always forget how to do all the parameters and must use the Commander papers for doing it right.

And now you know why many first and second gen IKEA lights have better radio performance than 3rd gen devices. The first and second gen is the MG1P one, a +19 dBm chip, and the antenna is normally well placed; 3rd gen is the MGM210L with 12.5 dBm and the antenna is RF-grounded by the metal socket and surrounded by metal all over for getting it smaller for visual design, destroying the performance of one very well implemented Zigbee module.

Thanks for sharing the knowledge !!!

CableCatDK commented 1 year ago

Well, version 1.0.032 does not work with IKEA's gateway. Is there any way to get the original release firmware 1.0.012?

[image IMG_0580]

MattWestb commented 1 year ago

We can't dump the main flash since it's debug locked, so not possible. What is not working, the pairing or the function of the device ? I can move my updated devices to the TF GW and look if mine is working, which is original and updated, but I have not seen that TF has put it on the supported list in the release notes, so it can be that it's not supported in the TF GW.

MattWestb commented 1 year ago

It was pairing easily with the TF GW and is showing Version 1.0.32 and no update. I don't have any Sonos speakers so I can't test how it's working.

CableCatDK commented 1 year ago

While pairing, the app says that pairing failed. But the device is added in 2 groups (one for each shortcut button), but the main device is missing.

[image IMG_6985]

CableCatDK commented 1 year ago

Is there no secret download link for version 1.0.012?? What is the link for 1.0.032? Is there a JSON with download links for DIRIGERA, like for the gateway?

MattWestb commented 1 year ago

DIRIGERA is using encrypted communication with the server and we have not broken it. I have sniffed the Zigbee network when it was updating my device and put all the packets together, and the signing is OK, so all is OK, and the device is also flashing it, which it would not do if the signing were broken. All "found" OTA files and links are posted here https://github.com/zigpy/zigpy/discussions/660 (DIRIGERA OTA files are in the right column; click on it for downloading).

I was having the same problem with "extra devices" in DIRIGERA when not erasing the user data and only flashing the main flash, as you were doing, and it was writing the model of the light the module was built into before being removed. So it's something that is not OK in the user data that the firmware needs. You can try writing one blank user data so it's not getting any extra info, but it can also be that it's missing something that we need to have in it. If we can't fix it we need to do one debug unlock on one original device and hope it is not erasing the user data, and dump it so we have one original for our devices.