In the readme the following is written regarding flash dump size:

To dump the flash contents, use the command below (0x4000 is 256 KiB):
savebin output.bin 0x0 0x4000

But when I run this I end up with a ~16KB file.
Shouldn't the filesize either be 0x40000 or 0x3E800?

@basilfx FYI @mtx512 now also build custom Silabs EmberZNet Zigbee coordinator ZNet EZSP NCP firmware for ICC-A-1

• https://github.com/mtx512/efr32
  • https://github.com/mtx512/efr32/tree/master/icc-a-1

@MattWestb has posted documentation on how-to flash that firmware on Silicon Labs ICC-A-1 extracted from IKEA trådfri

• https://github.com/MattWestb/IKEA-TRADFRI-ICC-A-1-Modul

Hello,

My current situation is that my old tradfri gateway is dying. It has had twice open surgery on my bench.
The other problem is that there is no migration path. Re-pairing everything would be irritating task.

I'm probably going for SMlight's slzb-06 and home assistant, so this could be little bit offtopic.

Everyone is repeating the gospel, migrating without re-pair isn't possible, but no-one isn't really telling the reasons. Is here someone who can give some answers why it wouldn't be possible.

My limited understanding is that with some steps it is possible.

1. Join to the network
2. Learn long and short network names
3. Map the network devices
4. Ask the direct communication keys to all found devices from key store. This may be something where I missed something important.
5. Copy network settings and keys to our new gateway
6. Pull the plug of the old one
7. Turn on the new one.

Is there something I missed? Another protocol on top of the zigbee which makes life hard?

hi

this project on thingiverse https://www.thingiverse.com/thing:3655354 has been much fun to me

it was easy to remove a zigbee module from their light bulbs and then reprogramm it to work as a 5 button remote

but now ikea is slowly replacing their zigbee modules with a new one that for the bulbs concern are far more power hungry and why should ikea bother as they are intended to be always on mains power

and their new 5 button remote do not have a module at all but is one complete pcb and to top it off they now use 2 AAA batteries

that makes it impossible to install it in the danish LK Fuga design, it will simply be to big to sit flush with the other switches

anyone that have started to look in to if the new modules can be reprogrammed to work as a remote and be energy efficient so that it can run on coin cells?

i emagine that the firmware needs to be taken from the new 5 botton remote and changed so that its as efficent as possible

of course the chip on the new module an the new 5 botton remote needs to be the same

and the pcb in the new remote is way to be to be but in a LK switch, from what i have seen online its 2 cm to big in each direction

Have disabled one LED1875R5 without heating the lens with very small and hard flat screwdriver and working well and no cracking in the glass.
I have one LED1737R5 that was falling down and the glass its very broken so i want to change the glass with the LED1875R5. The problem was not getting the power pins losing. In the end I was using one gas heat gun and heating the connectors of the GU10 and trying getting the pins inside getting loose but was needing very mutch heating and the soldering on the PCB was loosing from the pins. Then taking the pins out from the GU10 connectors from inside. Resoldering the pins it's no problem but getting the PCB back in the glass with the pins in the GU10 connectors.
I can see on your photos than you have managed getting the PCB out from the GU10 glass without destroying the glass and PCB.
It's the PCB pins soldered inside the GU10 connector or crimped in place ?
Then I have getting the LED1737R5 out without destroying it making it some more photos and dumping the firmware. and userdata and measuring the PSU voltage to the LEDs
Thanks in advance ! !
Mattias

Hi,

I have a dimmer with an ESP8266 which I would like to replace with the ZigBee module I took out of a Tradfri bulb. Does the Tradfri module output anything via UART? If so, which pins are used for UART?

Any help would be appreciated.

Have you succeded decoding the firmware to the level it is possible to change the minimum low level?

For instance for nightlight for the kids, the lowest level is far too bright.

@basilfx What do you think about also providing or linking to Zigbee router firmware and project links in your repo?

Checkout Ikea Tradfri Zigbee Repeater Umbau project with Zigbee router firmware for IKEA Tradfri ICC-A-1 Modules:

https://forum.smartapfel.de/forum/thread/3820-ikea-tradfri-zigbee-repeater-umbau/

More discussion about IKEA Trådfri module based DIY routers here:

https://community.home-assistant.io/t/sonoff-zbbridge-sonoff-zigbee-bridge-from-itead/187346/88

That idea of that concept might beat the performance of these otherwise popular DIY CC2530/CC2531 based HA 1.2 routers:

https://www.zigbee2mqtt.io/how_tos/how_to_create_a_cc2530_router.html

Especially if use those EFR32MG21/ based IKEA Trådfri Modules that you found in newer IKEA Trådfri products with MGM210L

Hi,

Can I order an dev board? Or do you know an good shop
To create one? I live in the Netherlands.

Greeting Arco

I recently got an Osvalla and am disappointed by its minimum available brightness. I would be interested in knowing how hard it might be to reproduce the FLOALT minumum brightness hack on this device. Soldering and flashing micros isn't such a big deal on my end, but reverse engineering byte-code is a bit out of my league and I would need some hand-holding.

Hello,
its a great, that you can read and write the firmware via jtag. Many thanks for your work.

Do you know, where the serial number is coded? The hardware of warmwhite and whitespektrum Tradfri-Zigbee-module is the same. I have build lightstrip-controllers using the tradfrimodule and LogicLevel MosFETs. The most expensive part is the Tradfri-Bulp, making a whitespectrum controler twice as expensive as a warmwhite only.

So the cheapest way to build multiple whitespectrum controler would be to read the flashmemory from a whitespectrum and flash it to a warmwhite module taken from a cheap GU10 warmwhite. Of course, before flashing you have to change the serial number / mac to avoid confusion in the zigbee network.

The second use of your research is to clone tradfri remotes. The big disadvantage of Tradfri is, that you can only use one remote control for a bulp. If you connect a second one, the first one gets lost.
So if you connect a remote to the bulps of a room, cloning the complete flash (firmware and settings) to another remote will alow to use both remotes for the same lights. So I can use as many remotes in a room as I want. Here of course the serialnumber has to be the same.

Will the cheap jtag adaptor (about 3$ at eBay) do for flashing tradfree? or have i to use something special?

I disassembled one of the repeaters and found an ICC-A-1 inside. I was hoping I could increase the range, by attaching an external antenna, but I'm not sure how one would do that (I have little to no experience with antennas).

I do have a couple of different antennas laying around, though. From good routers and some ESP32 ones, as well as some for LTE routers.

I am willing to sacrifice basically any of these antennas, by trying to attach it to one of my IKEA repeaters. However, to my knowledge, simply adding an antenna won't do anything, because the transmit power is still the same.

I want to get the maximum range possible from one of these. How would I go about doing that?

I just opened a 30W LED dimmer (the larger gray box) and found inside a ICPSLC24-10NA Rev1.0.0 module, which according to your findings would be the 10W LED dimmer. So either the -10NA can also do up to 30W or I got a very "very special" model from my Ikea shop :-)

Hej!

For what it worth I can tell you that this bulb is potted.

I have pictures if your want.

Hi.

Would be possible to patch the motion sensor board to change the polling rate? I would like to make my toilet lights turn off faster.
I heard that to save battery the device sleeps for 3 minutes. I would like to reduce it, even if I need to install another battery.

I have been hacking around trying to convert it to run at 12v. With a 12v input and light load it sort of works. But a log led strip would not turn on. Changing R9 from 270k seems to do the 12v conversion trick, for now I have added a 230k in parallel (making it 124.2k). R9 should ideally be 125k for a 12v conversion.

Looking at the latest 3D rendering on the breakout board for the ZLL module, I notice the antenna is sitting ontop of the PCB. Would it not be more helpfull to move the antenna offboard, as is done with the led drivers? (e.g. have it stick out/no PCB underneath). The only real blockage would be the reset button which in turn could move down a little bit between the pin-headers or to the bottom left where the led also lives.

Further more, would it be a good idea to put through-hole pads underneath the ZLL module? E.g. that way we can either solder the module directly onto the carrier board, or solder pinheaders onto the ZLL module and headers onto the carrier board to make it swapable (or even put pins on the carrier board and 'squeeze' the ZLL module temporarily in between.

Hi Community!
Is there any work going on developing a full custom stack (eg. based on http://zboss.dsr-wireless.com/), a decompiled firmware stack, or otherwise? Would be fantastic to e.g. customize the RCU FW to control two groups of lights, etc (like two on/off remotes in one), etc.. make it control custom projects, etc...
Thanks 😊

Here is the pinout of the 5 button remote.

Here is the pinout of the ON/OFF remote, if you flash its firmware to the module.

Buttons are pushed by pulling the pin the GND with a 487 ohm resistor. Except paring, which is pushed by short to GND.

LED is powered by a 2N7002ET MOSFET. If the Draco module is used, the MOSFET can be omitted.

The pinout of the module when used in the mains outlet:

hi
I recently connected my somfy rts blinds to my smart home. I can now control it through http requests. I got some Ikea smart home products already installed in my home, so I wondered if it is possible to emulate a tradfri blind and connect it to my existing work so that in the end it would be possible to control the somfy blind through the Ikea app. From what I saw in this repo it seemed as this would be possible. I would like to hear your thoughts and suggestions on this, since I have got no clue what I'm doing :). thanks

... can be found here: https://learn.pimoroni.com/tutorial/sandyj/controlling-ikea-tradfri-lights-from-your-pi

Is there any information about the support of the wireless functions (Zigbee for Tradfri, but BLE and others seem to be supported by EFR32MG1 as well) by your efforts (https://github.com/RIOT-OS/RIOT/blob/master/boards/ikea-tradfri/doc.txt) or the RIOT project in general?

Hi,
I just started tinkering with the new Tradfri light bulbs. I bought a lot of the new generation models, extracted the ZigBee modules and integrated them in non-smart devices. Now I would like to change some simple basic attributes (e.g. Name, Power Source, …).

In general my deCONZ / RaspBee can access these, but they are flagged as read only:

How can I find the parts in the firmware that control the write flags? Is it possible to patch an OTAU update binary?
Any help is appreciated. Thanks!

I had a look at your TRÅDRI dev board, and I had a few comments and suggestions that I think would allow the board to be more versatile and more generally useful:

• Redesign the board in such a way that allows it to be plugged into a breadboard if the headers are soldered facing down instead of facing upward.
• Remove the reset button. If you need a reset button for a project, it is easy to add on a breadboard. Removing the button should allow you to shrink the size of the board considerably, allowing it to more easily fit on a breadboard.
• Remove the power LED. It is easy to add a power LED on a breadboard, and having a LED on this board will throw off power measurements.
• Remove the bypass caps. All of the capacitors that are required by the EFR32 datasheet are already integrated into the module.
• In order to be as conservative as possible, remove all of the copper fill directly under the module. Copper fill on the other side of the PCB might be fine as long as it is kept far away from the antenna, but many modules like this explicitly forbid copper fill anywhere under them.
• Leave the antenna hanging off the end of the board, as seen here
• Keep the debug headers. Those are often useful, and having to always hook them up manually on a breadboard would be a pain.
• Shrink the board to be as small as possible, to help make usage with a breadboard more easy.

Hi @basilfx,
I would like to make a commit to your project. I made a teardown of the 30W Trådfri LED driver module. So far I have a bunch of pictures and made some basic research on the components used.

I am not able to create a pull request or upload files. Could you make a branch for me? Thanks

I have a project where I modify a remote control into a wall switch. Right now I harvest the module from a original remote control. But that is both expensive and harder than extraction it from a bulb.

Therefor I would like to reprogram the bulb firmware into a remote control. I have done this over OTA. But the switch only works if the module is directly joined with a bulb. If the module is joined with a gateway, it still appears a bulb.

Therefor I would like to use JTAG to clone a firmware from a remote to a bulb*. But I have zero experience with JTAG. I have borrowed a AVR Dragon, which I don't know how or if it can be used. I consider buying a JLink device.

Which JLink device would you recommend to buy for this purpose?

*There are probably some IDs like ZigBee MAC address that need to be unique.

Link to project (in Danish): http://www.thingiverse.com/thing:3655354

I have question regarding memory sizes for bootloader / data / SimEEPROM - you wrote:
0x00000 - 0x03fff -> Bootloader + recovery image (16 KiB)
0x04000 - 0x????? -> Application data
0x????? - 0x3ffff -> Simulated EEPROM
And I looked on Datasheet for SimEEPROM and there was:

For version 1, the EM35x and Mighty Gecko utilize either 4 kB or 8 kB of upper flash memory to store the simulated EEPROM
For version 2, the simulated EEPROM requires 36 kB of upper flash storage

So depend on used version, we can assume correct memory addresses for different region <- But maybe i'm wrong?
it only takes to determine which version was used in this case -> it is possible to find used version?

I'm looking for that because I want to determine in which memory part Ikea placed model info etc.

I have found some 3D printable objects beloging to the TRADFRI system. maybe one should add a new folder caused things to this repository. Or maybe just a file with a list of things and links to thingiverse or the like.

Here are some already:

https://www.thingiverse.com/thing:2254364 Ikea TRÅDFRI (TRADFRI) remote UK light switch holder

https://www.thingiverse.com/thing:2195340 IKEA - Mandal - Tradfri remote holder + glass holder

https://www.thingiverse.com/thing:3254038 Foot IKEA Tradfri Detector

https://www.thingiverse.com/thing:3594356 Ikea Tradfri motion sensor shelter

IKEA product number: 804.392.28 (unrelased)

Ref.: "Devboard"'s Components' Values/Specs

Dear Bas,

Thanks for all the information and files on TRADFRI-Hacking (Github):
An extremely helpful Package!

I would like to play & explore TRADFRI using your "devboard" schematics
but i did not succeed in finding further information on the components' specifications.
(“Devboard.kicad_pcb”, “Devboard.sch” and their "Devboard bom file.csv” export did not reveal a hint)

May i ask which values you would recommend for the capacitors, resistors, switch?

I hope that you may find a spare second to reply
& look forward to hearing from you!

Best Regards!

Hello,

I have taken the radio module from a Tradfri remote control. Is it possible to play the functions of the RGB bulb on this wireless module by means of the OTA firmware? Or someone has a full dump of the firmware of the RGB bulb?

Additional item E1745 TRADFRI Motion Sensor
Uses same Zigbe board external connection points as other modules, Though later version having same CPU. Zigbe board marked Draco1.0_105°C
Uses:
2 CR2032 batteries for 6 volt operation
E931.96B Infra red motion sensor interface device
LHI 968 – Sensor Motion, Pyroelectric (presumed as no markings)
TCA9535 Low Voltage 16-Bit I2C and SMBus Low-Power I/O Expander (for buttons and LEDs)
3 tactile switches
5 LED's
ZIGBEE Board
EFR32 MG1P132GI Blue Gecko Series 2 Bluetooth® Low Energy (SoC)
I4BEB2 P1J552 EEPROM
TXC Oscillator T384 SMD

PCB 2018-06-05
D-SS-X2-01-A-V2.1

A little different to this module https://github.com/basilfx/TRADFRI-Hacking