search

pvvx / ZigbeeTLc

Custom firmware for Zigbee 3.0 IoT devices on the TLSR825x chip
Other
355 stars 19 forks source link

Another TY0201 by _TZ3000_bjawzodf with display #107

Open diggit opened 1 month ago

diggit commented 1 month ago

Hi, I have this Zigbee sensor with display: TY0201 by _TZ3000_bjawzodf

Module: ZTU Sensor: AHT20 o flex cable Display driver: BL55072

Button GPIO: ZTU B4, when switched pulls B4 to GND through 1k resistor I2C bus (display driver and sensor):

SWS is not available on any test point or trace so disassembly is necessary for flashing.

Original FW readout (read out 2 times and it matched): TY0201-by-TZ3000_bjawzodf_0x10013001_1M.zip

Photos - click to expand (On top left, there is also signal bar graph - not connected at photo) ![IMG_20240712_145335](https://github.com/user-attachments/assets/38cbdd50-944b-4632-af28-017c5c603c39) Position of plastic locks. Best way to start opening the case is from the bottom with thin metal shim. Once the first lock opens, continue with plastic prying bar all around. ![IMG_20240712_145303_1](https://github.com/user-attachments/assets/54371908-b7c7-4aa3-888c-92aaf3eda4b5) ![IMG_20240712_145140](https://github.com/user-attachments/assets/41061754-17c3-41fd-b827-bb01c714e23c) ![IMG_20240712_144924](https://github.com/user-attachments/assets/1aee11ca-a650-4ba5-a82a-c5e85bc8afbb)

I assume next steps would:

I am a bit lazy to setup whole TLSR8 IDE and write pure C code, but I can definitely find out those GPIOs...

pvvx commented 1 month ago

  1. The ZTU module uses a TLSR8258 chip with built-in 1 Megabyte SPI-Flash memory.

  2. BL55072 is used in TH05.

    lcd_i2c_addr = 0x3E

 const uint8_t lcd_init_cmd[]   =   {
        // LCD controller initialize:
        0xea, // Set IC Operation(ICSET): Software Reset, Internal oscillator circuit
        0xd8, // Mode Set (MODE SET): Display enable, 1/3 Bias, power saving
        0xbc, // Display control (DISCTL): Power save mode 3, FRAME flip, Power save mode 1
        0x80, // load data pointer
        0xf0, // blink control off,  0xf2 - blink
        0xfc, // All pixel control (APCTL): Normal
        0x60,
        0x00,0x00,000,0x00,0x00,0x00,0x00,0x00,0x00
};

Full analogue in firmware lywsd03mmc HW: B1.9.

  1. To determine the bitmap of the LCD screen, you need to use BLE firmware with settings similar to lywsd03mmc HW: B1.9. There is a special command for working with the screen buffer.

  2. The checksum of the written OTA file in TY0201-by-TZ3000_bjawzodf_0x10013001.bin does not match the current options. Addres 0x1F7F0. This is most likely an outdated version of Telink OTA.

Signature, checksum, Uint32 at address 0x1F7F0 is equal to 0x90EA6C20. Telink utility tl_check_fw2.exe calculates 0x097B7ACB for this file (0...0x1F7F0).

diggit commented 1 month ago

1 - updated first post with full 1M dump, I am using TlsrComSwireWriter so it may not be 100% reliable 2 , 3 - thanks, good resources where to start 4 - what is the impact of this?

I'll try to build do some FW experiments later, but first I have to re-check pinout. Those i2c pins don't make sense.

pvvx commented 1 month ago

Module: ZTU

1 - updated first post with full 1M dump,

https://developer.tuya.com/en/docs/iot/ztu-module-datasheet?id=Ka45nl4ywgabp

ZTU is embedded with a low-power 32-bit CPU, 1024-KB flash , 64-KB RAM, and rich peripheral resources.

But you have a ZTU module with 512 kilobytes of Flash! I saw this, but then the ZTU modules did not have an iron shielding case. Cheaper option.

4 - what is the impact of this?

The checksum only indicates that some other SDK was used to build the firmware. Most likely outdated.

Typically Tuya's Zigbee firmware comes with BootLoader. The main program downloaded via OTA is then located at address 0x8000. This affects the fw OTA build type.

ZigbeeTlc and ATC_MiThermometer firmware work with any Flash size. And adapted to the update option with or without Bootloader - during OTA the Bootloader will be removed. If the original firmware had a bootloader, then it will not be possible to restore the flashed thermometer with FW ZigbeeTLc by using the original Zigbee OTA file.

TelinkMiFlasher.html checks the checksum during OTA and will refuse to write such a file. FW during OTA also checks the checksum and will refuse to start this FW OTA.

pvvx commented 1 month ago

OTA bin for TelinkMiFlasher.html with adjusted checksum. TY0201-by-TZ3000_bjawzodf_0x10013001_ota.zip

diggit commented 1 month ago

OTA bin for TelinkMiFlasher.html with adjusted checksum. TY0201-by-TZ3000_bjawzodf_0x10013001_ota.zip

My device has Zigbee FW, so I guess TelinkMiFlasher.html is not usable here.

What does this OTA contain?

It also looks like this one will need some HW modifications too. i2c seems to be on pins which can't be switched to i2c mode if I read datasheet correctly. There is footprint for some similar chip like in ZTH01/ZTH02 have, but not populated. To connect sensor and LCD driver to the normal i2c pins, purple connections would have to be added. TY0201_by_TZ3000_bjawzodf_i2c

pvvx commented 1 month ago

First you need to make BLE firmware. You can't debug anything in Zigbee.

GPIO Function
D4 SWM/I2S_SDO/PWM2_N
C1 I2C_SCK/PWM1_N/PWM0/PGA_N0
RST  
C4 PWM2/UART_CTS/PWM0_N/sar_aio<8>
B7 SDM_N1/SPI_DO/UART_RX/lc_comp_ain7/sar_aio7
B1 WM4/UART_TX/ATSEL2/lc_comp_ain1/sar_aio1
VCC  
GND  
B5 SDM_N0/PWM5/lc_comp_ain5/sar_aio5
B4 SDM_P0/PWM4/lc_comp_ain4/sar_aio4
D2 SPI_CN/I2S_LR/PWM3
C3 PWM1/UART_RX/I2C_SCK/XC32K_I/PGA_N1
C2 PWM0/7816_TRX(UART_TX)/I2C_SDA/XC32K_O/PGA_P1
A1 DMIC_CLK/7816_CLK/I2S_CLK
A0 DMIC_DI/PWM0_N/UART_RX
B6 SDM_P1/SPI_DI/UART_RTS/lc_comp_ain<6>/sar_aio<6
PA7 SWS/UART_RTS
C0 I2C_SDA/PWM4_N/UART_RTS/PGA_P0
D7 SPI_CK/I2S_BCK/7816_TRX(UART_TX)
D3 PWM1_N/I2S_SDI/7816_TRX(UART_TX)

I2C_SDA - PC0, PC2 I2C_SCK - PC1, PC3