Hi everyone,
I’ve just bought a Broadlink RM3 (the newest version at the time of writing) and was disappointed by it not having a temperature sensor like the RM1 or RM2, so I decided to tear it apart (because why not).
I’ve discovered the pinout of the WiFi and processor chip (turned out to be a sleepless night) that appears to be some sort of “ESP8266”, but further investigation is needed.
I just received my Broadlink RM Pro Plus a few days ago and after few days of playing with it, I decided to do more with it, like flashing it with a custom firmware. Wonder if you made any progress with it? Would love to help you with it but I’m still new with this IoT things so, would love to learn more from you.
Unfortunately not, it doesn’t seem to be an ESP or similar. I don’t know how I would compile (or even upload) a firmware for it. It seems to use a Marvell chip. I don’t find a lot if I search for “Marvell chip”. I don’t know which pins I should attach to my PC to flash it, nor which setup I should use software-side.
I appreciate any future research!
EDIT: Curiosity led me to research a little bit more…
Searching for the initial start-up string “Hello World application Started” on Google, I found that Marvell released open-source code, or at least did in the past.
That second page shows a part of a “familiar” code:
    /* Marvell WMSDK hello_world sample; the two headers below are the WMSDK
       headers that declare these calls (added here so the snippet compiles
       against the SDK, they are not in the page the sample was copied from). */
    #include <wmstdio.h>   /* wmstdio_init(), wmprintf(), UART0_ID */
    #include <wm_os.h>     /* os_thread_sleep(), os_msec_to_ticks() */

    int main(void)
    {
        int count = 0;

        /* Initialize console on uart0 */
        wmstdio_init(UART0_ID, 0);
        wmprintf("Hello World application Started\r\n"); /* <-- We saw that in the logs */

        while (1) {
            count++;
            wmprintf("Hello World: iteration %d\r\n", count);
            /* Sleep 5 seconds */
            os_thread_sleep(os_msec_to_ticks(5000));
        }
        return 0;
    }
How does this help us? Not much yet. It’s not the actual code, but it indicates that it has begun with this or similar code.
Searching even more I found that the string “should_probe_wd” leads to a page which has as code header: Copyright 2008-2015, Marvell International Ltd. further indicating that it probably is a Marvell chip.
Without knowing the actual chip model, I can’t do much (discovering jtag[?] pinouts and stuff).
I need to desolder the shield to see what’s underneath. Let’s hope that it’s flashable without lifting the actual chip from the board, because that would be too much for me and 98% of the community.
I’m almost jumping to an easier solution, which is buying an “ESP-12E” chip/board and soldering it on the old chip location (with cables, 'cause crucial pin locations like 3.3V aren’t on the same spot), which isn’t too hard to do.
Advantages?
Doing this allows me to flash it with any already done community project, like ESPHome or others. These mentioned projects wouldn’t run on a Marvell chip, due to different architecture.
Easier available resources. The Marvell chip would probably need JTAG hardware to flash it, which can be expensive.
Probably a lot more.
… Yeah, I’ll probably do this. It’s not worth rewriting every community project for this, I think.
Yeah, I’ve seen this before resorting to flashing the RM Pro+. I just felt that it would be more fun to, like, reverse engineer the RM. But yeah, after seeing you wanna jump to that solution, I think I would probably do the same since it’s easier. Plus, I would literally be on my own if I don’t, which will be very very very hard, in addition to my lack of experience.
Looking back at the project, I wonder if the module would fit in our RM Pro+? The RM1 looks more spacious, don’t you think?
I guess we both came to a conclusion, well, at least for now, till we could work on reverse engineering Broadlink devices again. And is there a way I could contact you? Should I one day find something useful on this topic which would give more advantages than converting it to ESP.
I will definitely reverse engineer it a little bit more once I have a little bit more time, but don’t expect too much. I don’t have a JTAG device and it will probably be necessary (or something similar). I’m not sure yet, take all of this with a grain of salt.
I would only take the ESP-12E chip and put it into the RM Pro, not the entire NodeMCU.
See image below:
Without the entire NodeMCU around it, you will need 3.3V, since the 5V regulator is on the NodeMCU board, but… the Broadlink RM already has regulators and stuff for exactly that voltage, which means that we can use them! We just need to solder on the right locations.
My first image (pinout) will help a lot with this.
Well, you can contact me over here or on my Telegram @Fusseldieb. I also have WhatsApp, but I don’t want to put my number publicly available.
That’s great thanks! When I got my unit (around a year and a half/2 years ago) I just configured the switch integration! Never thought of looking at the sensors!
Today I Learned…
Edit-
It’s getting 18.8°C. Looks like I have an RM2!
I don’t remember seeing any JTAG pinout on the board, so I assume that it needs SWD (hopefully, since I have an ST-Link V2 debugger which hopefully could be used), where we can locate its pinout once we know the exact MCU used.
Ah, of course. Thanks. Would it work like Broadlink? I mean, will we have the option to learn from our appliance’s remote and such? I’ve used Arduino IDE before but never bothered to check the IRremote library before.
My curiosity led me over the border. I came home, turned my solder station on and removed the shield.
350°C on the entire shield, forced it up and it came off with a little bit of effort.
Yes, I’m not the best solderer(?), as I almost ripped the front traces for the shield off, but whatever.
There are 3 test pins, as it seems. For what? I don’t know yet. It’s quite late now, so I’ll stop here.
Wow, any help would be awesome! I don’t know how SWD works, so your help would be appreciated in any way.
If you flash ESPHome on it, you don’t need to fiddle around with programming code anymore, as it already comes with everything you need. You basically just tell ESPHome where (which pin) the IR LEDs are attached and you’re good to go. Learning will also work, since ESPHome fully supports IR receivers, too. It’s an awesome piece of software/firmware overall. The only thing that it doesn’t yet support is RF (that particular chip model), but there are so-called “Custom components”, so I think we could make this work.
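As an added example (not part of the original post, and not one of ESPHome’s own sample configs): an ESPHome configuration for an ESP-12E with an IR transmitter and an IR receiver, the kind of setup described above. The node name and the two GPIO numbers are placeholders to be replaced with whatever pads you actually wire, and the Wi-Fi, API and OTA secrets are assumed to live in ESPHome’s secrets.yaml.

```yaml
esphome:
  name: rm-esp12e        # hypothetical node name

esp8266:
  board: esp12e

wifi:
  ssid: !secret wifi_ssid
  password: !secret wifi_password

logger:

# Native API to Home Assistant with transport encryption;
# the key is assumed to be stored in secrets.yaml.
api:
  encryption:
    key: !secret api_encryption_key

# OTA updates only with a password, so another host on the LAN
# cannot push its own firmware to the device.
ota:
  - platform: esphome
    password: !secret ota_password

# IR LED driver on the pad you wired to the LEDs; GPIO14 is a placeholder.
# 50% duty at the default 38 kHz carrier is what most IR receivers expect.
remote_transmitter:
  pin: GPIO14
  carrier_duty_percent: 50%

# IR receiver/demodulator; most modules idle high, hence inverted.
# GPIO5 is a placeholder.
remote_receiver:
  pin:
    number: GPIO5
    inverted: true
  dump: all              # log every decoded code so a remote can be "learned"

# One replayed code, to show the transmit side. The NEC address and
# command are constructed sample values, not a real remote's codes.
switch:
  - platform: template
    name: "TV Power"
    turn_on_action:
      - remote_transmitter.transmit_nec:
          address: 0x1234
          command: 0x5678
```

With `dump: all`, every code the receiver decodes is written to the ESPHome log, which is how you capture a remote’s codes before putting them into a `switch` or `button`. The `api` encryption key and `ota` password are the two settings worth keeping: without them, any device on the same Wi-Fi can talk to the node or reflash it.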
The datasheet of the Marvell 88MW300 chip is here:
And the pinout extracted from this same PDF mentioned above:
Roughly looking through the text, I noticed that it only has 128KB ROM, which isn’t enough for almost any community project out there, which is quite sad. This further confirms that it’ll probably be better to just replace it with an ESP-12E, which has a whopping 4MB, a lot of community support and all our loved firmwares.
With all that said, is it worth the effort? Even if we succeed in programming it, it’ll hold just barebone stuff (IR, RF, that’s it), which it already does. I can’t see an advantage. Remember: an ESP can do much, much more, is frickin’ cheap and easy to implement into the Broadlink.
From this point on, I think I’ll focus on the ESP implementation, but welcome anyone that wants to build a firmware for the original chip! ← Not sure yet, but I’ll probably do this
EDIT: Just noticed that it also has a FM25Q08A chip, which can hold up to 8MB! Well, now there are two chips that we need to take care about to build something for it.
This seems to get complex (and out of the bounds of my mind) pretty fast.
Looking at the 88MW300 datasheet, it’s a 32-bit ARM Cortex-M4F architecture. The ESP8266 uses a different architecture, so I don’t think using ESPHome is possible. The ESP8266 is based on a different instruction set.
What looks possible is to somehow load ‘Ubuntu Server for ARM.’ From there, you could run a Linux application or Python. Unless it has a BIOS and console interface, you’d have to do some Internet dumpster diving to find out how to load a valid image into the flash memory.
Oh boy. I have just read briefly through the datasheet and found out that it’s using JTAG. To make things worse, for someone like me at least, I found out that the chip has a memory protection unit. You can refer to page 67 of the datasheet. As for the JTAG interface details, it’s on page 63.
What if I want to? Like to control the flashed Broadlink using an app I create. Somewhat like Tasmota, I would say. Sorry if this question sounds dumb. Still in a learning phase.
I’m no expert but from what I understand, SWD was designed to reduce the pins to debug from the 5 that is used in JTAG.
Well, initially I was wondering if I could extract the firmware and open the .bin file to modify it to my liking. Maybe it sounds like I’m deluded or something but if that was impossible, I have nothing to lose since I could just upload a new firmware or probably re-load the firmware. Currently trying that on a nRF51 chip.
Yeah, I totally understand that. But hey, at least we’re getting somewhere. But as for dumping the firmware and to upload new one, I’m pretty sure it’ll take up so much time. And as @pocket mentioned, ESPHome would be impossible to use. Will it be beneficial for the community to go through the hassle when they could just convert it to ESP?
So, converting to an ESP would be easier and faster until there is a good reason to reverse engineer Broadlink (something that would exceed ESPHome’s capabilities maybe?). I personally would choose this path if I could control it with my own apps. BUT I would still gladly help you with reverse engineering the Broadlink if you still want to do this since I have nothing to lose right?
I don’t think that it’ll run on 8MB Flash and 512KB RAM. And even if it did, it would mean building a new firmware just for this particular device. I don’t know if that’s time well spent. I could be wrong, of course.
Exactly my thoughts.
Oh boy… Well, I found some projects that use the Arduino as a XSVF thingy, but I don’t know if it’ll work, neither how.
I assume that dumping the firmware is basically dead considering that.
ESPHome is extremely flexible. If you want to write custom code, you can. The reason why I’m so onto this firmware is because it integrates perfectly with Home Assistant, which is the end goal, I guess.
However, if you want a totally custom-made firmware, you can set up your Arduino IDE (or PlatformIO, the preferred method) for your ESP8266 and program it from scratch. There are a lot of examples and libraries on the Internet on how to read and send IR packages.
The MPU prevents that, from what I know, doesn’t it?
But if you do this once, it erases the original Broadlink one and you’ll end up with an expensive paperweight until you figure out how everything works and write a working firmware for it. WiFi, IR receiver, IR sender, RF chip, … Or you take the other route hahah
If we can offer a readily flashable firmware with everything working, the community will praise us. If it’s broken, they’ll be mad, 'cause the original firmware will be gone forever, and Broadlink isn’t that cheap, so… yeah.
I don’t know if the original firmware supports OTA, maybe?
But whatever, I think all this is far from reality.
I couldn’t think of anything that ESPHome (or the ESP in general) couldn’t do which the Marvell chip could.
As I said, even if we succeed, we would need to build a firmware just for this particular model. Is it worth it? I don’t know.
You definitely can.
Theoretically, someone could even imitate Broadlink’s protocol and make it work with their original app, but I think that’s not so interesting.
The interesting part is to hook up more things to it and use it like a multisensor thing (Humidity, Temperature, Air Quality, IR, RF, etc).
Neither have I, since I’m probably tossing the original chip away.
But what I will do before tossing it away is testing the test pads and documenting them here, if I find out for what they are.
Maybe even uploading something to it (with a lot of help), ultimately erasing the original firmware and deciding the chip’s fate into the bin, since I personally don’t think it’s worth the hassle to program it from scratch, considering the other option which already has everything. But if I manage to get it this far, everyone seeing this thread should have sufficient knowledge to program it, and maybe someone even makes something for it.
Unfortunately, that’s correct. There are not enough memory resources. Even a Pi Zero has access to an SD card. Speed isn’t important for most home automation purposes. Consequently, the clock frequency isn’t all that zippy.
Your board is optimized for cost and compliance with RF regulations, not much else. If you want some fun hacking, however, go for it. You’ll be wiser for the experience.
Well, not really, because the nRF51802 chip came with an MPU as well, and I found out there’s a way that could bypass it. So I figured that there should be a way for us to bypass it too, on this Marvell chip (if we know what we’re doing). That’s why I said “To make things worse, for someone like me at least”, because I don’t have much experience with JTAG. Here’s the reference I used to bypass the nRF51802 MPU
Alright, thanks for the info! Appreciate it so much.
Yeah, your effort would help any hobbyist reading this in the future and hopefully more will come to help out if they’re interested in reverse engineering the Broadlink as well. Right now, I would help you with what I could.
By the way, this is an out-of-topic question but how did you search the China/Chinese website? I bought a Broadlink MS1, which is a Wi-Fi Speaker along with my RM Pro+. Thought I could use it until the customer service said it was only meant for China only. I doubt it because not too long ago, I bought a Bluetooth Door Lock and the seller said the same but I could use it now by pressing a button on the PCB. I have dismantled the MS1 but no luck finding any button on the board except the power, wifi, channels, etc. So, I was hoping you could shed some light and maybe I could find something on the Chinese’s website.
That’s interesting, but out of the bounds of my comprehending (for now).
I really appreciate it. Do you, by any chance, have any solder station so you can desolder the shield and try to flash it? Your help would mean a lot. and I mean, a lot. I don’t have experience in XSVF and JTAG.
But…
If you haven’t any time or solder station, can you give me some instructions on where to put wires on the chip in order to flash it via JTAG? Software used would also help (Windows 10/Ubuntu 19, I have both).
If I understand correctly, it won’t work in your country, right? I don’t know their hardware, nor their site or anything like that.
Well, you could “activate” it using a VPN, maybe. Pick a cheap TP-Link router that supports OpenWRT, install the OpenVPN client on it and route that connection to wireless. If you then connect your Broadlink to the router, it’ll route all your traffic through OpenVPN to another country. Obviously you need an OpenVPN profile too, but that you can find on the internet easily.
Yeah sure, I’d love to, but as of now I don’t think I have the time to try to flash it yet. I still have my nRF51802 ongoing. Maybe I could open the shield and locate the pinouts? Well, hopefully, because I haven’t really seen the board yet, even from your picture. Are you in a rush?
As for the software used, all I could think of is OpenOCD? Because that’s the common software used for reverse engineering (probably because I’ve seen a lot of them are being mentioned in different websites). Are you using dual boot?
Thanks for the info. Will try it. I’ve found a statement from someone saying that Broadlink stopped the support in 2017, so now it’s only applicable in China. But I still don’t understand why some sellers are still selling them outside of China.
I don’t have a lot of time currently, but if you need me to do something, just say, I’ll find the time.
Never heard of it. Interesting. I got a fresh SSD some days ago and I will dualboot Windows with Ubuntu. Right now I have both, but on different systems.
Well, maybe it’s because there is still stock left or because people still search for it and it creates sufficient demand for them to import it. I don’t know.
Alright, appreciate that. Will tell you if I need something. Might desolder the shield soon, as my pentest on the nRF51802 is coming to an end. I’ll try if it’s possible to flash it with the ST-Link v2 debugger and OpenOCD. My only concern is bricking it. And could I still use the device without the shield on?
Yeah, could be. But I think I would just use the VPN trick or maybe just try and flash it. I’ve disassembled the parts and found the chips used so why not.