any ideas about the microcontroller or protocol the tag use?

[mofosyne]

I did a bit of a teardown of the device, but could not find the microcontroller data sheet it uses. How did you work out its communication?

Btw here is the teardown of the iTag PCB . I find no mention of "ST17H25 datasheet" in google for the BLE SoC

[sylvek]

Hi, the only information that i have is the name "Quintic PROXR". your link is very interesting.

[mofosyne]

Your reference BLE tag you used is same in shape as mine?

---

Oh btw, it might be a good idea to use the wiki to record any findings on the gatt profile of various tags. E.g. what each services exist and how to respond to each of em (maybe one of them have the wrong battery address?)

[sylvek]

yes exactly the same… i suppose that the problem is under the android code of your phone :-/ :-/

[mofosyne]

True true. Btw what's your guess about "SWS" pin on the PCB? I deduced PWM1 as the LED, and BZ+ to be for the buzzer.

But I am not sure what SWS stands for. I wonder if its a way to "program" the microcontroller? Or is it serial output? Then again... there is also a possibility that the IC is hardcoded and locked.

[hosek]

Opened mine (http://i.ebayimg.com/images/g/NUQAAOSw3ydV5nNb/s-l500.jpg) same shape, same pcb, but the chip has different labeling: TL SR8266 F512ET32 CK1526 cfapom 1p

[sylvek]

My device contains.. Vcc, God, RX, TX, atm?, in, clk

[sylvek]

[sylvek]

KLJ-1230 for the buzzer Q902t 434NJ

[mofosyne]

Man... You got a really beautiful board. It even has rx and tx. Which is probably the serial port.

sylvek's tag:

VCC = Positive Voltage Source
GND = Ground Voltage
RX = UART receive?
TX = UART transmit?
DT(N?) = ?
IN = Input something?
CLK = Input Clock Signal
RST = reset

Maybe the RST,CLK,IN,DTN is part of a programming interface

Could try soldering to GND, RX, and TX to a serial converter and see what it says

Google search on the IC:

One broken url at eliabieri.com/65 :

my attempt on reverse engineering the cheapest bluetooth ...
eliabieri.com/65
Aug 19, 2015 - Inside I found the TLSR8266 which is produced by TELINK semiconductor. Besides that, theres a small buzzer inside, which can be used to ...

* TLSR8266/TLSR8266F512 

* datasheet in http://www.docin.com/p-878724807.html (can somebody download this and rehost it?)

[mofosyne]

hmmm... do you think we should document this in the wiki perhaps?

[mofosyne]

Oh and btw sylvek, is the packaging for your tag the same as mine? Is the name of the tag the same? Or did it look different?

[sylvek]

Man... You got a really beautiful board. It even has rx and tx. Which is probably the serial port.

you're the first guy to tell me that ^^

[sylvek]

Oh and btw sylvek, is the packaging for your tag the same as mine? Is the name of the tag the same? Or did it look different?

my packaging was exactly the same !

[sylvek]

Could try soldering to GND, RX, and TX to a serial converter and see what it says

i could, i have the serial 3.3V controller and an arduino if necessary

[mofosyne]

yea that would be interesting to see

[sylvek]

;)

Le sam. 7 nov. 2015 à 12:38, mofosyne notifications@github.com a écrit :

Reopened #5 https://github.com/sylvek/itracing2/issues/5.

— Reply to this email directly or view it on GitHub https://github.com/sylvek/itracing2/issues/5#event-457857068.

[hosek]

Today is "singles day" on chienese markets and those tags are ~2$ and itag ~5$ so expect new wave of new requests or in worst case incopatibilities:/ I will add some photos of pcb when the second batch arrives

[sylvek]

i tried yesterday to weld some wire to the tx-rx "pin" … impossible. I'll try it an another day. do you have a link to by some itag? (with paypal support if possible)

[mofosyne]

Have you considered asking these suppliers for images of the PCB?

[mofosyne]

Update: Just recently got another tag of the same shape, but from a different supplier that looked like it had a different PCB inside... it came... but with the same crappy PCB (mcu: ST17H25) that I disassembled before 0.o . Seems like the photo that showed hint of a programming pad is from an older version of the tag.

I have a feeling they got to the volume that they just opted for a factory preprogrammed or perhaps even an ASIC based chip (which is only economical in large volumes). Or just any methods that would allow them to do away with a programming pin pads.

---

but there is some slight change:

The board version is BL-180 when previously it was XTR-001-V1

[sylvek]

do you have a link to buy some iTag? i'm looking for it (needed to develop a version with support of several devices)

[mofosyne]

it was brought from ebay.com.au from a random selection of buyers. But I suspect all these buyers are buying from the same factory. e.g. alibaba or something

search term bluetooth tag

---

Oh about soldering to RX and TX pads in your BLE tag, try using 30awg wires, those are nice for tight soldering attempts. Oh and use some flux too.

[hosek]

Mine pcb

[mofosyne]

hosek, this is your IC's marking

TLSR8266
F5123T32
CK1528
CFAPCm 1P

? Looks to have same pinout as the ST17H25 in the 3 separate tags I opened.

1. First teardown mcu
    ST17H25
    F512ET32
    CK1528
    CFAPOJ 1P

2. Second tag from same store
    ST17H25
    F512ET32
    CK1528
    CFAPOL 1P

3. Third tag from different store
    ST17H25
    F512ET32
    CK1528
    CFAR2W 1P

F512ET32 has 512 and 32, which might mean "Flash 512kb and 32bit cpu" or " Flash 512kb and EEPROM 32kb" something like that. ARM inside? edit: After checking the datasheet in http://www.docin.com/p-878724807.html on page 8. I am convinced it is "Flash 512kb and 32bit cpu"

---

Now that I compaired all these tags. The CK1528 and F412ET32 seems to be pretty constant. But google search turns up nothing...

again I am reminded of this:

One broken url at eliabieri.com/65 :

my attempt on reverse engineering the cheapest bluetooth ...
eliabieri.com/65
Aug 19, 2015 - Inside I found the TLSR8266 which is produced by TELINK semiconductor. Besides that, theres a small buzzer inside, which can be used to ...

and this PDF in http://www.docin.com/p-878724807.html that I cannot download for some reason.

---

For now, I'm pinging http://www.telink-semi.com/site/contact#level-1 for any more info... hopefully they reply in english

[mofosyne]

Does anyone speak chinese here? Can you download the pdf here? http://www.docin.com/p-878724807.html

Anyway these are what sticks out to me:

Pinout at page 71

...

!!!!!! SWS and SWM !!!!! at page 39 !!!!! This looks very very interesting !!!!

Ohhh.... so it means.... Single Wire Master and Single Wire Slave

---

So essentially, it does seem like there is a possibility of programming this... But you need to do it via SWS, using their programming system... Could be an approach if we can somehow emulate the communication. Then the next is what is their compiler etc...

Unless we can get Telelink to be friendlier to us :D ?

Or is this essentially the 1-wire protocol via MAXIM?

---

http://www.telink-semi.com/site/product_detail/50

TLSR8266/TLSR8266F512 (BLE SoC) General Description The TLSR8266/TLSR8266F512 is Telink-developed BLE SoC solution which is fully standard compliant and allows easy connectivity with Bluetooth Smart Ready mobile phones, tablets, laptops. The TLSR8266/TLSR8266F512 supports BLE slave and master mode operation, including broadcast, encryption, connection updates, and channel map updates. The TLSR8266/TLSR8266F512 is designed to offer high integration, ultra-low power application capabilities. It integrates strong 32-bit MCU, BLE/2.4G Radio, 16KB SRAM, 128/256/512KB external FLASH (TLSR8266) or 512KB intrnal FLASH (TLSR8266F512), 14bit ADC with PGA, 6-channel PWM, three quadrature decoders, a hardware keyboard scanner (Keyscan), abundant GPIO interfaces, multi-stage power management module and nearly all the peripherals needed for Bluetooth Low Energy applications development.

Key Features:

• General features ■ 32bit high performance MCU, up to 48MHz ■ Program memory: external 128/256/512KB FLASH (TLSR8266) or internal 512KB FLASH (TLSR8266F512) ■ Data memory: 16KB on-chip SRAM ■ 12M/16MHz&32.768KHz Crystal and 32KHz/32MHz embedded RC oscillator ■ A rich set of I/Os: ◇ TLSR8266: Up to 41/37/22 GPIOs depending on package option; ◇ TLSR8266F512: Up to 35/20 GPIOs depending on package option; ◇ DMIC (Digital Mic); ◇ AMIC (Analog Mic) ◇ Mono-channel Audio output ◇ SPI; ◇ I2C; ◇ UART; ◇ USB with hardware flow control; ◇ Debug Interface. ■ Up to 6 channels of PWM ■ Sensor: ◇ 14bit ADC with PGA ◇ Temperature sensor ■ Three quadrature decoders ■ Operating temperature: ◇ ET versions: -40℃~+85℃ temperature range ◇ AT versions: -40℃~+125℃ temperature range ■ TLSR8266 Package ◇ TLSR8266ET56/TLSR8266AT56, 56-pin QFN 7×7mm ◇ TLSR8266ET48/TLSR8266AT48, 48-pin QFN 7×7mm ◇ TLSR8266ET32/TLSR8266AT32, 32-pin QFN 5×5mm ■ TLSR8266F512 Package ◇ TLSR8266F512ET48/TLSR8266F512AT48, 48-pin QFN 7×7mm ◇ TLSR8266F512ET32/TLSR8266F512AT32, 32-pin QFN 5×5mm
• RF features ■ BLE/2.4GHz RF transceiver embedded. ■ Bluetooth 4.0 Compliant, 1Mbps and 2.4GHz 2Mbps Boost Mode. ■ -92dBm BT4.0 Rx Sensitivity. ■ RF link data rate up to 2Mbps. ■ Tx output power up to +8dBm. ■ Single-pin antenna interface. ■ RSSI monitoring.
• Features of power management module ■ Embedded LDO. ■ Battery monitor: Supports low battery detection. ■ Power supply of 1.9V~3.6V. ■ Multiple stage power management to minimize power consumption ◇ Rx/Tx mode current:13mA ◇ Suspend mode current: 20uA ◇ Deep sleep mode current: 0.7uA

Target Applications:

• Smartphone accessories
• PC and tablet peripherals, including Mouse / Keyboard
• Remote Control and 3D glasses
• Wireless Microphone
• Health monitoring
• Sports and fitness tracking
• Wearable devices

Development tools: A full set of development tools for the BLE SoC are provided, which include EVB, reference design and SDK for customers to perform evaluation, quick application prototyping and firmware development.

---

lol... that devkit is not going to come cheap

[sylvek]

wow great!

mine use a Quantic chip (http://electronics360.globalspec.com/article/4758/nxp-buys-wearable-bluetooth-business)

ref: Q9021 434NJ OOUME

[zoranx]

Telink_TLSR8266F512-datasheet.pdf

[hosek]

Got another batch of tags drom different seller (comes without batteries..great:/) and they have the same pcb as I posted above, so this is probably "most general" type

[mofosyne]

You have my thanks "@zoranx". The next step is to verify if they locked the firmware rom down, and maybe to dump the firmware or something. Writing a new firmware for it would be pretty painful without a toolchain thought.

But yea I agree, at a certain point, they usually settle to one pcb board "@hosek". The same thing happened with those flicker led lights. Started as a music chip hooked directly to an LED, then later on the chip was embedded into the actual LED itself. (Fascinating stuff really. Those optimised ICs are essentially just simple shift register based psudorandom generators. For some reason, they did not implement any true random generator via some form of noise.)

hint: volume is the key :D

[stanislav-brabec]

The original name of the chip, the price, list features and note about 32-bit RISC CPU (without mentioning type), indicates that this chip could be just a modification of ESP8266 that is programmed for BLE radio instead of WiFi radio.

If it is true, it could be programmed using SDK for Xtensa CPU, and toolkit for ESP8266. Just radio images would be different.

[sylvek]

that's sound good :)

[luciocorrea]

@sylvek based on what you said about "Quintic PROXR", I found this: http://en.t-firefly.com/en/firesmart/fireble/download/

It looks like there is an SDK and a git repository for QN9020 BLE chip related development.

Is that useful?

[sylvek]

thank you @luciocorrea !

[sylvek]

you're right (http://wiki.t-firefly.com/index.php/FireBLE/Starter_guide/en)

[sylvek]

• SoC – NXP QN9021 ARM Cortex M0 MCU @ 32MHz with 94KB ROM (protocol stack), 64 KB SRAM, 128KB flash
• Bluetooth – BT 4.0 single mode. Central and peripheral mode with up to 8 simultaneous connections.

awesome !

[sylvek]

instructive http://en.t-firefly.com/en/firesmart/fireble/ my own version uses this chip

[pfalcon]

Ok, so now the question is where to reliably buy a tag with QN9021 chip. @sylvek, so far, you seem to be the only owner of a tag with QN9021. Everyone else got TLSR8266 (some have obfuscated/rebranded markings). The 2 I got are also based on TLSR8266, and the second one I ordered because product page had a different PCB showing thru battery hole, but I got the same TLSR8266.

So, @sylvek, again, please let us know of reliable source to get QN9021-based ones. If you don't know of such, then let me summarize it like: the version you got was a branded one, or an early chinese clone. Shanzhai have now optimized their process and in all crappy cheap tags use crappy cheap chinese chips, so you won't be able to find anything else.

[sylvek]

@pfalcon i'm asking me the same… in fact, my itag is a present. This afternoon i've eaten with my friend who offered me this tag. He bought it on a website that sells different stuffs every days. So it's rellay tricky.. but the package seems to be this one (http://themouse.org/2014/12/19/test-de-themouse-itag-isee-genial-si-vous-perdez-tout-ne-cherchez-plus-vos-cles/)

[sylvek]

found that too: http://guru.multimedia.cx/bluetooth-tracking-devicestagskey-finders/

[sylvek]

if the picture is correct the back of this devices looks like mine http://fr.aliexpress.com/item/5pcs-S1123-iTag-Anti-lost-alarm-Theft-Device-Anti-lost-Self-portrait-for-bluetooth-4-0/32295991777.html?ws_ab_test=searchweb201556_1%2Csearchweb201644_1_10001_10002_10005_10006_10003_10004_62%2Csearchweb201560_1%2Csearchweb1451318400_6148&spm=2114.06010108.3.223.aZgU2E

[pfalcon]

@sylvek : Thanks, here ~ the same in single quantity: http://www.aliexpress.com/item/Wireless-iTag-Self-Portrait-Anti-lost-alarm-Theft-Device-for-bluetooth-4-0-Smartphone-Support-iPhone/32296968392.html

But: last one I ordered was this: http://www.aliexpress.com/item/Hot-Smart-Bluetooth-4-0-Tracer-GPS-Locator-Tag-Alarm-Wallet-Key-Pet-Dog-Tracker-Hot/32438953423.html . Spot that it shows PCB which doesn't yet seem to have appeared on this thread, and there're even few GPIO signals broken out ;-). But, ordering that one, I instead got TLSR8266 one, with usual white silkscreen in battery compartment. But thanks to your another recent link - http://guru.multimedia.cx/bluetooth-tracking-devicestagskey-finders/ - we now know what SoC this recent one has: BK3431 - the PCB shown in blog post shows similar GPIOs broken out, etc.. At least it's ARM, but not even a Cortex-M, it's ARM9.

So, all in all, with Chinese sellers, you cannot be sure that you'll get exactly what's on the picture. The only hint is price - with TLSR8266-based ones went below $2, the one in your and my link are $5-6.

[sylvek]

I'm trying to contact French resellers (who sell the same packages like mine)

[sylvek]

Nice touch... A French reseller took a picture and that seems to be a good one. (but more expensive, around 11€)

[jacksonliam]

Here's my board

st17h25 f512et32 ck1544

Does anyone know if the 'ST' chips are the same as the telink chips? Could be a clone? It looks like they're pin compatible/using the same PCB anyway.

I'll order some more from random sellers (as they're under 2 dollars delivered!) and see what chips I get.

It's a lot of BOM for under $2 if you ask me! 5 part Injection moulded case, coin cell, proper button, radio SoC, crystal, fet, buzzer, diode and a few passives!

I can't see them hitting that price with the QN9020, it's $1.20 in volume.

[sylvek]

http://m.ebay.fr/itm/iTag-Anti-perte-bluetooth-Universel-cle-mobile-valises-voiture-animaux-/262228173326?nav=SEARCH

[verbage]

I just got a new tag with an ST17H26 chip, which is probably a slight revision to the ST17H25 chip folks have already reported. It identifies as an MLE-15 vs. the more common iTag style. It seems to work well with iTracing2, whereas the various iTag-version ones I have are problematic (yes, I realize sylvek said this is for MLE-15 tags...). I'm not sure how to post images here, but I have pics of the device and guts if folks want to see it.

This came from Aliexpress (http://www.aliexpress.com/item/Nut-Mini-Smart-Finder-Bluetooth-Tag-GPS-Tracker-Key-Wallet-Kids-Pet-Dog-Cat-Child-Bag/32579993483.html), and it is currently US$3.23. But identical ones are as cheap as US$2.64 (http://www.aliexpress.com/item/Nut-Mini-Smart-Finder-Bluetooth-Tag-GPS-Tracker-Key-Wallet-Kids-Pet-Dog-Cat-Child-Bag/32559491726.html). There are several storefronts that also sell these, and though they might seem to be separate companies, they all seem to be related to some "YKS" distributor. I have ordered a few more.

I also got a triangular one from the same company, and it has a Beken BK3431 chip inside, and identifies as an iTag device. So I can't even connect to it with iTracing2. Again, I realize sylvek said this is for MLE-15. The URL to this triangular version is http://www.aliexpress.com/item/New-Mini-Triangle-Smart-Tag-Wireless-Bluetooth-4-0-Tracker-Kid-Child-Bag-Wallet-Key-Pet/32579550627.html.

I do note that I never tried the original Chinese iTracing app, and came immediately to iTracing2. Since I have only had iTag-identified devices up to now, things were just not working right with iTracing2. But I just tried the original Chinese iTracing app, and they iTag-based devices work fine. Yeah, that app is a bit quirky, and part of it is related to issues with English, but it seems to deal with iTag-version devices no problem. By the way, it also works with my only MLE-15 device, too.

[sylvek]

@verbage Some users report to me that your triangular device will work too. That's the good news, the bad is that device is more bad ever.

[verbage]

@sylvek, curiously, with the BK3431-based triangular tag, even though it can be seen as an iTag device, I cannot seem to connect to it at all with iTracing2. It just sits there with the spinning ball trying to connect.

I have a handful of teardrop-shaped, ST17H25-based devices (on an LC8266 PCB), and they also identify as iTag devices. Though they are seen by iTracing2, it takes a couple of minutes to sync, and even then, when I try to have the phone set off the buzzer in the tag, sometimes it takes several to many times before it actually happens. Sometimes it never happens. There is an iTracing2 message--I forget exactly what it is--but something to the effect that a serious problem has occurred. Again, I realize your work is for MLE-15 devices, but with the right documentation, problem supporting the iTag devices would be a possibility, too.

If you want a pic of the new ST17H26-based tag I have, let me know, but I am guessing this is probably just a slight revision of the ST17H25 chip.

[verbage]

And by the way, thanks so much for your efforts to support these cheap Chinese tags!

[jacksonliam]

@verbage can you post some pics of the front and back of the Belken board? You can't attach files in the mobile view so use the desktop view or a PC.