Reverse-engineering Broadlink RM Pro+ devices

Hi everyone,
I’ve just bought a Broadlink RM3 (the newest version at the time of writing) and was disappointed that it doesn’t have a temperature sensor like the RM1 or RM2, so I decided to tear it apart (because why not).

I’ve discovered the pinout of the WiFi/processor chip (it turned out to be a sleepless night), which appears to be some sort of “ESP8266”, but further investigation is needed.


The image is not well drawn, sorry for that, but it should suffice for now.

The A44632A is a small chip on the mainboard, which is responsible for receiving/transmitting RF signals. The datasheet is here: https://www.silabs.com/documents/public/data-sheets/Si4463-61-60-C.pdf

I’ve made a reddit post also: https://www.reddit.com/r/broadlink/comments/a6y0q7/pinout_of_the_broadlink_rm_pro_rm3/

If someone here has these devices and wants to help investigating & modding, just let me know. I believe together we can make more with these devices :slight_smile:


The UART of this device can be accessed through the G, R and T pins on the mainboard.


G = GND
R = Receive (RX)
T = Transmit (TX)

Baud rate: 115200

It’s quite self explanatory.

The output of some normal operation is the following:

&&i6O|l||vbroadlink Hello World application Started Product Type :10141 V52
Product init done.
Set int cb 0
Set int cb -1
Set int cb 0
Count 1
Product init done.
Application startup success.
firmware version initialization.
app_firmare_start startup success.
task_thread startup success.
,,,,,,,,,,,,,bl2_thread,,,,,,,,,,,,,,,
ssid SSID_Name psk network_key need broad 0
type 3
ssid SSID_Name psk network_key psklen 11, type 5 special 0
[af] network_mgr: network loaded successfully
app_network_status_set to status. 6.....
[af] app_ctrl: Connecting to the loaded network
[af] app_ctrl [sta]: State Change: UNCONFIGURED => NORMAL_INIT
[af] app_ctrl [sta]: State Change: NORMAL_INIT => NORMAL_CONNECTING
[af] network_mgr: network already loaded
[wscan] Channel: 1   Type: Passive 10
[wscan] Channel: 2   Type: Passive 10
[wscan] Channel: 3   Type: Passive 10
[wscan] Channel: 4   Type: Passive 10
[wscan] Channel: 5   Type: Passive 10
[wscan] Channel: 6   Type: Passive 10
[wscan] Channel: 7   Type: Passive 10
[wscan] Channel: 8   Type: Passive 10
[wscan] Channel: 9   Type: Passive 10
[wscan] Channel: 10  Type: Passive 10
[wscan] Channel: 11  Type: Passive 10
[wscan] Channel: 12  Type: Passive 10
[wscan] Channel: 13  Type: Passive 10
[wscan] Channel: 14  Type: Passive 10
[wscan] SSID_Name: Match successful
[net] configuring interface mlan (with DHCP client)
[af] app_ctrl [sta]: State Change: NORMAL_CONNECTING => NORMAL_CONNECTED
The router mac: 2C:30:XX:XX:XX:XX
The router gateway: 192.168.1.1
The module ip: 192.168.1.220
app_network_status_set to status. 7.....
Bl2 dns startup 0 0 0.
should_probe_wd=1
dns cb 10141tcp.broadlink.com.cn 0x20006db8 e0c6ee36 0x00000002
dns cb 10141backup.broadlink.com.cn 0x20006d60 e0c6ee36 0x00000001
dns cb 10141main.broadlink.com.cn 0x20006d08 d50be70d 0x00000000
lzw......Udp connect....try 1
Send RM_SERV_LIST 0xd50be70d
Send RM_SERV_LIST 0xd50be70d
Send RM_SERV_LIST 0xd50be70d
Send RM_SERV_LIST 0xd50be70d
Send RM_SERV_LIST 0xd50be70d
Send RM_SERV_LIST 0xe0c6ee36
Send RM_SERV_LIST 0xe0c6ee36
Send RM_SERV_LIST 0xe0c6ee36
Send RM_SERV_LIST 0xe0c6ee36
Send RM_SERV_LIST 0xe0c6ee36
Udp read.
Send IP d50be70d port 36895.
.............socket_read 31 144 13 231 11 213...... 308
Cloud Count 1
Send IP 38f7720d port 80.
Send RM_SERV_CHECK
Send IP 38f7720d port 8080.
Send RM_SERV_CHECK
Send IP 38f7720d port 8090.
Send RM_SERV_CHECK
Send IP 38f7720d port 1812.
Send RM_SERV_CHECK
Send IP 38f7720d port 16384.
Send RM_SERV_CHECK
Send IP d50be70d port 39455.
.............socket_read 31 154 13 231 11 213...... 308
Send IP d50be70d port 5127.
.............socket_read 7 20 13 231 11 213...... 308
Send IP d50be70d port 20480.
.............socket_read 0 80 13 231 11 213...... 308
Send IP d50be70d port 64.
.............socket_read 64 0 13 231 11 213...... 308
Send IP e0c6ee36 port 5127.
.............socket_read 7 20 54 238 198 224...... 308
Send IP e0c6ee36 port 20480.
.............socket_read 0 80 54 238 198 224...... 308
Send IP e0c6ee36 port 39455.
.............socket_read 31 154 54 238 198 224...... 308
Send IP e0c6ee36 port 36895.
.............socket_read 31 144 54 238 198 224...... 308
Send IP e0c6ee36 port 64.
.............socket_read 64 0 54 238 198 224...... 308
Send IP 38f7720d port 36895.
.............socket_read 31 144 13 114 247 56...... 56
check res ip 38f7720d port 8080.
Ret 56
should_probe_wd=1
ip: 13.114.247.56, port: 8080
.............cloud_read 31 144 13 114 247 56...... 56
------ret = 1app_network_status_set to status. 8.....
Set rtc 2018-12-17 12.55.22
SET SER TIME:2018-12-17 1 12:55:22:
should_probe_wd=1
should_probe_wd=1
feed watch dog!
should_probe_wd=1
should_probe_wd=1
should_probe_wd=1
ip: 13.114.247.56, port: 8080
.............cloud_read 31 144 13 114 247 56...... 56
------ret = 1app_network_status_set to status. 8.....
Set rtc 2018-12-17 12.55.47
should_probe_wd=1
feed watch dog!
should_probe_wd=1
.............socket_read 228 162 192 168 1 5...... 328
------ret = 1aes head id 3
index 2
Checksum d500 d500
msg type 106
 data length 272
print data:
02 00 00 00 26 00 f2 00 13 00 02 4d 62 00 01 26 11 10 11 31 10 10 10 12 0f 12 0f 11 0f 12 0e 12
10 11 10 31 11 10 11 10 10 31 10 11 10 11 10 31 10 31 11 31 10 31 10 32 0e 13 0e 13 0f 11 10 11
10 11 10 10 11 10 10 11 10 10 11 10 10 11 10 10 11 10 10 11 10 11 10 11 0f 12 0f 11 10 11 0e 13
10 10 10 11 10 11 10 10 11 10 10 11 10 11 10 10 10 11 10 11 10 10 11 10 10 32 10 31 10 32 0e 33
10 62 63 00 01 26 11 31 10 10 11 10 10 11 10 10 11 10 10 11 10 10 11 10 10 32 10 11 0f 12 0f 11
0f 33 10 10 10 32 10 10 11 31 10 31 10 31 11 31 10 31 10 32 10 32 0f 32 0e 13 10 10 11 10 11 30
11 31 10 31 10 11 10 11 10 10 10 11 10 11 10 32 0f 32 10 32 0f 11 10 32 10 31 10 11 10 31 10 31
11 10 10 11 10 10 11 10 10 12 0f 11 10 11 0e 33 0f 33 10 31 10 31 11 00 0d 05 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
bl2_seq.status: 0, user_cmd 2
User commands 2
bl2_irda_send. seq_status = 0
frequency       = 38
length  = 242
13 00 02 4d 62 00 01 26 11 10 11 31 10 10 10 12
0f 12 0f 11 0f 12 0e 12 10 11 10 31 11 10 11 10
10 31 10 11 10 11 10 31 10 31 11 31 10 31 10 32
0e 13 0e 13 0f 11 10 11 10 11 10 10 11 10 10 11
10 10 11 10 10 11 10 10 11 10 10 11 10 11 10 11
0f 12 0f 11 10 11 0e 13 10 10 10 11 10 11 10 10
11 10 10 11 10 11 10 10 10 11 10 11 10 10 11 10
10 32 10 31 10 32 0e 33 10 62 63 00 01 26 11 31
10 10 11 10 10 11 10 10 11 10 10 11 10 10 11 10
10 32 10 11 0f 12 0f 11 0f 33 10 10 10 32 10 10
11 31 10 31 10 31 11 31 10 31 10 32 10 32 0f 32
0e 13 10 10 11 10 11 30 11 31 10 31 10 11 10 11
10 10 10 11 10 11 10 32 0f 32 10 32 0f 11 10 32
10 31 10 11 10 31 10 31 11 10 10 11 10 10 11 10
10 12 0f 11 10 11 0e 33 0f 33 10 31 10 31 11 00
0d 05
Send repeat 0 freq 38 freq len 242
print data:
02 00 00 00
aes checksum beb1
Send udp 72
.............socket_read 154 205 192 168 1 5...... 88
------ret = 1aes head id 3
index 2
Checksum beb0 beb0
msg type 106
 data length 32
print data:
01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
bl2_seq.status: 0, user_cmd 1
User commands 1
get_bl2_status.
length: 336
print data:
01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 e6 99 ba e8 83 bd e9 81 a5 e6 8e a7 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
aes checksum c73b
Send udp 392
should_probe_wd=1
.............socket_read 228 162 192 168 1 5...... 328
------ret = 1aes head id 3
index 2
Checksum d502 d502
msg type 106
 data length 272
print data:
02 00 00 00 26 00 f2 00 14 00 02 4c 64 00 01 25 12 0f 12 30 11 0f 12 0f 11 10 11 0f 12 0f 11 10
11 0f 12 30 11 10 11 10 0e 33 10 11 10 11 11 30 11 30 12 30 11 30 11 30 12 0f 12 0f 11 10 11 10
11 10 10 10 10 11 10 11 10 10 12 0f 11 10 11 10 11 0f 12 0f 11 10 11 0f 12 0f 11 10 11 0f 12 0f
11 10 11 10 11 10 10 11 0e 12 10 11 10 11 11 0f 11 10 11 10 11 0f 12 0f 11 30 12 30 11 30 11 30
11 62 63 00 01 26 11 31 10 10 10 11 10 11 11 0f 12 0f 11 10 11 0f 12 0f 11 30 12 0f 11 10 11 30
12 30 11 0f 12 30 0f 12 10 31 11 31 11 30 12 2f 12 30 11 30 12 30 11 30 11 10 11 0f 12 10 10 31
10 32 10 31 11 10 11 0f 12 0f 11 10 11 0f 12 30 11 30 11 30 12 10 10 31 11 10 0e 33 10 11 10 31
12 0f 12 0f 11 0f 12 0f 12 0f 11 0f 12 0f 12 30 11 30 11 31 11 30 12 00 0d 05 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
bl2_seq.status: 0, user_cmd 2
User commands 2
bl2_irda_send. seq_status = 0
frequency       = 38
length  = 242
14 00 02 4c 64 00 01 25 12 0f 12 30 11 0f 12 0f
11 10 11 0f 12 0f 11 10 11 0f 12 30 11 10 11 10
0e 33 10 11 10 11 11 30 11 30 12 30 11 30 11 30
12 0f 12 0f 11 10 11 10 11 10 10 10 10 11 10 11
10 10 12 0f 11 10 11 10 11 0f 12 0f 11 10 11 0f
12 0f 11 10 11 0f 12 0f 11 10 11 10 11 10 10 11
0e 12 10 11 10 11 11 0f 11 10 11 10 11 0f 12 0f
11 30 12 30 11 30 11 30 11 62 63 00 01 26 11 31
10 10 10 11 10 11 11 0f 12 0f 11 10 11 0f 12 0f
11 30 12 0f 11 10 11 30 12 30 11 0f 12 30 0f 12
10 31 11 31 11 30 12 2f 12 30 11 30 12 30 11 30
11 10 11 0f 12 10 10 31 10 32 10 31 11 10 11 0f
12 0f 11 10 11 0f 12 30 11 30 11 30 12 10 10 31
11 10 0e 33 10 11 10 31 12 0f 12 0f 11 0f 12 0f
12 0f 11 0f 12 0f 12 30 11 30 11 31 11 30 12 00
0d 05
Send repeat 0 freq 38 freq len 242
print data:
02 00 00 00
aes checksum beb1
Send udp 72
should_probe_wd=1
should_probe_wd=1
feed watch dog!
ip: 13.114.247.56, port: 8080
.............cloud_read 31 144 13 114 247 56...... 56
------ret = 1app_network_status_set to status. 8.....
Set rtc 2018-12-17 12.56.13
should_probe_wd=1
should_probe_wd=1
should_probe_wd=1
should_probe_wd=1
feed watch dog!
should_probe_wd=1
ip: 13.114.247.56, port: 8080
.............cloud_read 31 144 13 114 247 56...... 56
------ret = 1app_network_status_set to status. 8.....
Set rtc 2018-12-17 12.56.38
should_probe_wd=1
should_probe_wd=1
should_probe_wd=1
feed watch dog!
should_probe_wd=1
should_probe_wd=1
ip: 13.114.247.56, port: 8080
.............cloud_read 31 144 13 114 247 56...... 56
------ret = 1app_network_status_set to status. 8.....
Set rtc 2018-12-17 12.57.3
should_probe_wd=1
should_probe_wd=1
feed watch dog!

While it was logging, some IR signals were sent, too.
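A decoder for what that log shows, as an added example that is not part of the original post or of any Broadlink code. Two things in the dump deserve a practitioner's attention: the console prints the stored SSID and PSK in clear (redacted above as SSID_Name and network_key), so anyone with access to the three UART pads has the Wi-Fi credentials; and the firmware prints every decrypted local-control payload together with the checksum it computes, which is enough to pin down the payload format without touching the AES layer at all. The script below transcribes the logged payloads and checks them against the logged values: the checksum the device prints as "Checksum"/"aes checksum" is 0xBEAF plus the byte sum, modulo 2^16 (an assumption taken from the python-broadlink community documentation, which the four logged values bear out); a send payload is command 2, then type 0x26 (IR), a repeat count and a little-endian length; pulse values are one byte each, with 0x00 escaping a 16-bit big-endian value. The pulse unit of 269/8192 ms, the offset 76 of the device name in the status reply, and all function names are assumptions of this example.

```python
"""Decoder for the Broadlink local-control payloads dumped in the UART log above.

Added example, not code from the original thread.  Field layout, checksum base, pulse
unit and the big-endian escape follow the community documentation of the RM protocol
(python-broadlink) and are assumptions here; the expected values are the ones the device
printed, so the decoder can be checked against the log.
"""
from __future__ import annotations

CHECKSUM_BASE = 0xBEAF  # assumption: checksum = (0xBEAF + sum of payload bytes) mod 2**16
TICK_MS = 269 / 8192    # assumption: one pulse unit is 269/8192 ms, about 32.84 microseconds
IR_TYPE = 0x26          # type byte of the logged send header "26 00 f2 00"
NAME_OFFSET = 76        # observed offset of the UTF-8 name inside the 336-byte status reply


def parse_hex(text: str) -> bytes:
    """Turn a hex dump as the device prints it ("02 00 00 00 ...") into bytes."""
    return bytes.fromhex("".join(text.split()))


# Transcribed from the log: command 2 (send), then type, repeat and little-endian length,
# followed by the 242 data bytes the device echoed under "length  = 242".
SEND_HEADER = parse_hex("02 00 00 00 26 00 f2 00")
IR_FRAME = parse_hex("""
13 00 02 4d 62 00 01 26 11 10 11 31 10 10 10 12 0f 12 0f 11 0f 12 0e 12 10 11 10 31 11 10 11 10
10 31 10 11 10 11 10 31 10 31 11 31 10 31 10 32 0e 13 0e 13 0f 11 10 11 10 11 10 10 11 10 10 11
10 10 11 10 10 11 10 10 11 10 10 11 10 11 10 11 0f 12 0f 11 10 11 0e 13 10 10 10 11 10 11 10 10
11 10 10 11 10 11 10 10 10 11 10 11 10 10 11 10 10 32 10 31 10 32 0e 33 10 62 63 00 01 26 11 31
10 10 11 10 10 11 10 10 11 10 10 11 10 10 11 10 10 32 10 11 0f 12 0f 11 0f 33 10 10 10 32 10 10
11 31 10 31 10 31 11 31 10 31 10 32 10 32 0f 32 0e 13 10 10 11 10 11 30 11 31 10 31 10 11 10 11
10 10 10 11 10 11 10 32 0f 32 10 32 0f 11 10 32 10 31 10 11 10 31 10 31 11 10 10 11 10 10 11 10
10 12 0f 11 10 11 0e 33 0f 33 10 31 10 31 11 00 0d 05
""")
# The device reported "data length 272": header + data, zero-padded to 272 bytes.
SEND_PAYLOAD = SEND_HEADER + IR_FRAME + bytes(272 - len(SEND_HEADER) - len(IR_FRAME))

# Command 1 (status request) as received, and the 336-byte reply the device sent back.
STATUS_REQUEST = parse_hex("01" + " 00" * 31)
STATUS_REPLY = bytearray(336)
STATUS_REPLY[0] = 0x01
STATUS_REPLY[NAME_OFFSET:NAME_OFFSET + 12] = parse_hex("e6 99 ba e8 83 bd e9 81 a5 e6 8e a7")
STATUS_REPLY = bytes(STATUS_REPLY)


def broadlink_checksum(payload: bytes) -> int:
    """The value the device logs as "Checksum"/"aes checksum" for a plaintext payload."""
    return (CHECKSUM_BASE + sum(payload)) & 0xFFFF


def parse_send_payload(payload: bytes) -> dict:
    """Split a command-2 payload into type, repeat count, declared length and pulse data."""
    if len(payload) < 8:
        raise ValueError("payload shorter than the 8-byte header")
    command = int.from_bytes(payload[0:4], "little")
    if command != 2:
        raise ValueError(f"command {command} is not a send-data command")
    kind, repeat = payload[4], payload[5]
    length = int.from_bytes(payload[6:8], "little")
    data = payload[8:8 + length]
    if len(data) != length:  # the length field comes from the network; keep it inside the buffer
        raise ValueError(f"length field {length} exceeds the {len(payload) - 8} data bytes present")
    return {"type": kind, "repeat": repeat, "length": length, "data": data}


def decode_pulses(data: bytes) -> list[int]:
    """Expand the pulse stream: one byte per pulse; 0x00 escapes a 16-bit big-endian value."""
    pulses: list[int] = []
    i = 0
    while i < len(data):
        if data[i] != 0x00:
            pulses.append(data[i])
            i += 1
        elif i + 2 < len(data):
            pulses.append(int.from_bytes(data[i + 1:i + 3], "big"))
            i += 3
        else:
            raise ValueError(f"truncated escape sequence at offset {i}")
    return pulses


def ticks_to_us(ticks: int) -> float:
    """Convert a pulse value to microseconds using the assumed unit."""
    return ticks * TICK_MS * 1000.0


def device_name(status_reply: bytes, offset: int = NAME_OFFSET) -> str:
    """Read the NUL-terminated UTF-8 string the device returns in its status reply."""
    end = status_reply.index(b"\x00", offset)
    return status_reply[offset:end].decode("utf-8")


if __name__ == "__main__":
    for label, payload in (("send ack", SEND_HEADER[:4]), ("status request", STATUS_REQUEST),
                           ("status reply", STATUS_REPLY), ("IR send", SEND_PAYLOAD)):
        print(f"{label:15s} checksum {broadlink_checksum(payload):04x}")
    fields = parse_send_payload(SEND_PAYLOAD)
    pulses = decode_pulses(fields["data"])
    kind = "IR" if fields["type"] == IR_TYPE else f"0x{fields['type']:02x}"
    print(f"{kind} repeat {fields['repeat']} length {fields['length']} -> {len(pulses)} pulses,"
          f" first ones in us: {[round(ticks_to_us(t)) for t in pulses[:6]]}")
    print("device name:", device_name(STATUS_REPLY))
```

The checksum covers the plaintext payload only; the AES key and IV used on the wire never appear in the log and are not modelled here. The length guard in parse_send_payload is there because the length field is attacker-controlled on the LAN: without it an oversized value would silently yield a short read instead of an error. The 12 bytes at offset 76 of the status reply decode as the UTF-8 string 智能遥控 (“smart remote control”), which is the device's default name.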

Hey there!

I just received my Broadlink RM Pro Plus a few days ago and after a few days of playing with it, I decided to do more with it, like flashing it with a custom firmware. Wonder if you made any progress with it? Would love to help you with it but I’m still new with these IoT things, so I would love to learn more from you.

Unfortunately not, it doesn’t seem to be an ESP or similar. I don’t know how I would compile (or even upload) a firmware for it. It seems to use a Marvell chip. I don’t find a lot if I search for “Marvell chip”. I don’t know which pins I should attach to my PC to flash it, nor which setup I should use software-side.

I appreciate any future research!


EDIT: Curiosity led me to research a little bit more…

Searching for the initial starting up string “Hello World application Started” on Google, I found that Marvell released open-source code, or at least in the past.

Their entire GitHub page and repo are now down; it was once at: https://github.com/marvell-iot/marvell-iot.github.io/tree/master/docs/hello-world

Well, there appear to be two more relevant pages that describe how to set everything up(?).
Here: “初探MW302” (“A first look at the MW302”), a CSDN blog post
And here: https://www.coursehero.com/file/p6oo6n8/You-JJGcan-JJGcreate-a-pair-of-files-for-eaJJGch-driver-to-IIFbe-supported/

That second page shows a piece of “familiar” code:

/* WMSDK headers for the console (wmstdio_init, wmprintf) and the OS sleep helpers */
#include <wmstdio.h>
#include <wm_os.h>

int main(void)
{
    int count = 0;
    /* Initialize console on uart0 */
    wmstdio_init(UART0_ID, 0);
    wmprintf("Hello World application Started\r\n"); /* <-- We saw that in the logs */
    while (1) {
        count++;
        wmprintf("Hello World: iteration %d\r\n", count);
        /* Sleep 5 seconds */
        os_thread_sleep(os_msec_to_ticks(5000));
    }
    return 0;
}

How does this help us? Not much yet. It’s not the actual code, but it indicates that it began with this or similar code.

Searching even more, I found that the string “should_probe_wd” leads to a page which has as code header: Copyright 2008-2015, Marvell International Ltd., further indicating that it probably is a Marvell chip.

Without knowing the actual chip model, I can’t do much (discovering jtag[?] pinouts and stuff).

I need to desolder the shield to see what’s underneath. Let’s hope that it’s flashable without lifting the actual chip from the board, because that would be too much for me and 98% of the community.


I’m almost jumping to an easier solution, which is buying an “ESP-12E” chip/board and soldering it on the old chip location (with cables, 'cause crucial pin locations like 3.3V aren’t on the same spot), which isn’t too hard to do.

Advantages?

  • Doing this allows me to flash it with any already done community project, like ESPHome or others. These mentioned projects wouldn’t run on a Marvell chip, due to the different architecture.
  • Easier available resources. The Marvell chip would probably need JTAG hardware to flash it, which can be expensive.
  • Probably a lot more.

… Yeah, I’ll probably do this. It’s not worth rewriting every community project for this, I think.


EDIT:

How convenient!! Heh: Convert Broadlink RM1 to ESP8266 - Hackster.io
Someone did exactly this!

Yeah, I’ve seen this before resorting to flashing the RM Pro+. I just felt that it would be more fun to, like, reverse engineer the RM. But yeah, after seeing you wanna jump to that solution, I think I would probably do the same since it’s easier. Plus, I would literally be on my own if I don’t, which will be very very very hard, in addition to my lack of experience.

Looking back at the project, I wonder if the module would fit in our RM Pro+? The RM1 looks more spacious, don’t you think?

I guess we both came to a conclusion, well, at least for now, till we could work on reverse engineering Broadlink devices again. And is there a way I could contact you? Should I one day find something useful on this topic which would give more advantages than converting it to ESP.

I will definitely reverse engineer it a little bit more once I have a little bit more time, but don’t expect too much. I don’t have a JTAG device and it will probably be necessary (or something similar). I’m not sure yet, take all of this with a grain of salt.

I would only take the ESP-12E chip and put it into the RM Pro, not the entire NodeMCU.
See image below:


ESP-12E

Without the entire NodeMCU around it, you will need 3.3V, since the 5V regulator is on the NodeMCU board, but… the Broadlink RM already has regulators and stuff for exactly that voltage, which means that we can use them! We just need to solder on the right locations.
My first image (pinout) will help a lot with this.

Well, you can reach me over here or on my Telegram @Fusseldieb. I also have WhatsApp, but I don’t want to make my number publicly available.

Hang on a second… My Broadlink has a temperature sensor? Is there a way to pass this through to home assistant???

Yes, the RM1 and RM2 have one and you can integrate it into Home Assistant.

Take a look at the section “Temperature”:

If you integrate it into HA and it reports 0 or something similar, yours is probably an RM3 and doesn’t have one anymore.

That’s great thanks! When I got my unit (around a year and a half/2 years ago) I just configured the switch integration! Never thought of looking at the sensors!
Today I Learned…

Edit-
It’s reporting 18.8 °C. Looks like I have an RM2!


I don’t remember seeing any JTAG pinout on the board, so I assume that it needs SWD (hopefully, since I have an ST-Link V2 debugger which hopefully could be used), where we can locate its pinout once we know the exact MCU used.

Ah, of course. Thanks. Would it work like Broadlink? I mean, will we have the option to learn from our appliance’s remote and such? I’ve used the Arduino IDE before but never bothered to check the IRremote library before.

Alright, Telegram would do.

My curiosity led me over the border. I came home, turned my solder station on and removed the shield.
350°C on the entire shield, forced it up and it came off with a little bit of effort.
Yes, I’m not the best solderer(?), as I almost ripped the front traces for the shield off, but whatever.

Let’s get to the inside:

There are 3 test pins, it seems. For what? I don’t know yet. It’s quite late now, so I’ll stop here.

Wow, any help would be awesome! I don’t know how SWD works, so your help would be appreciated in any way.

If you flash ESPHome on it, you don’t need to fiddle around with programming code anymore, as it already comes with everything you need. You basically just tell ESPHome where (which pin) the IR LEDs are attached and you’re good to go. Learning will work too, since ESPHome fully supports IR receivers. It’s an awesome piece of software/firmware overall. The only thing that it doesn’t yet support is RF (that particular chip model), but there are so-called “Custom components”, so I think we could make this work.


The datasheet of the Marvell 88MW300 chip is here:

And the pinout extracted from this same PDF mentioned above:

Roughly looking through the text, I noticed that it only has 128KB ROM, which isn’t enough for almost any community projects out there, which is quite sad.
This further confirms that it’ll probably be better to just replace it with an ESP-12E, which has a whopping 4MB, a lot of community support and all our loved firmwares :slight_smile:

With all that said, is it worth the effort? Even if we succeed in programming it, it’ll hold just barebones stuff (IR, RF, that’s it), which it already does. I can’t see an advantage.
Remember: an ESP can do much much more, is frickin’ cheap and easy to implement into the Broadlink.

From this point on, I think I’ll focus on the ESP implementation, but welcome anyone that wants to build a firmware for the original chip! ← Not sure yet, but I’ll probably do this


EDIT: Just noticed that it also has a FM25Q08A chip, which can hold up to 8MB! Well, now there are two chips that we need to take care about to build something for it.

This seems to get complex (and out of the bounds of my mind) pretty fast.

Looking at the 88MW300 datasheet, it’s a 32-bit ARM Cortex-M4F architecture. The ESP8266 uses a different architecture, so I don’t think using ESPHome is possible. The ESP8266 is based on a different instruction set.

What looks possible is to somehow load ‘Ubuntu Server for ARM.’ From there, you could run a Linux application or Python. Unless it has a BIOS and console interface, you’d have to do some Internet dumpster diving to find out how to load a valid image into the flash memory.

https://help.ubuntu.com/lts/serverguide/preparing-to-install.html#system-requirements

The bottom line is whether it’s worth the trouble.

Oh boy. I have just read briefly through the datasheet and found out that it’s using JTAG. To make things worse, for someone like me at least, I found out that the chip has a memory protection unit. You can refer to page 67 of the datasheet. As for the JTAG interface details, it is on page 63.

What if I want to? Like to control the flashed Broadlink using an app I create. Somewhat like Tasmota, I would say. Sorry if this question sounds dumb. Still in a learning phase.

I’m no expert but from what I understand, SWD was designed to reduce the pins to debug from the 5 that is used in JTAG.

Well, initially I was wondering if I could extract the firmware and open the .bin file to modify it to my liking. Maybe it sounds like I’m deluded or something but if that was impossible, I have nothing to lose since I could just upload a new firmware or probably re-load the firmware. Currently trying that on a nRF51 chip.

Yeah, I totally understand that. But hey, at least we’re getting somewhere. But as for dumping the firmware and to upload new one, I’m pretty sure it’ll take up so much time. And as @pocket mentioned, ESPHome would be impossible to use. Will it be beneficial for the community to go through the hassle when they could just convert it to ESP?

So, converting to an ESP would be easier and faster until there is a good reason to reverse engineer Broadlink (something that would exceed ESPHome’s capabilities maybe?). I personally would choose this path if I could control it with my own apps. BUT I would still gladly help you with reverse engineering the Broadlink if you still want to do this since I have nothing to lose right?

That’s what I was afraid of.

I don’t think that it’ll run on 8MB Flash and 512KB RAM. And even if it did, it would mean building a new firmware just for this particular device. I don’t know if that’s time well spent. I could be wrong, of course.

Exactly my thoughts.

Oh boy… Well, I found some projects that use the Arduino as an XSVF thingy, but I don’t know if it’ll work, nor how.

I assume that dumping the firmware is basically dead considering that.

ESPHome is extremely flexible. If you want to write custom code, you can. The reason why I’m so onto this firmware is because it integrates perfectly with Home Assistant, which is the end goal, I guess.
However, if you want a totally custom made firmware, you can setup your Arduino IDE (Or PlatformIO - preferred method) to your ESP8266 and program it from scratch. There are a lot of examples and libraries on the Internet on how to read and send IR packages.

The MPU prevents that, from what I know, doesn’t it?

But if you do this once, it erases the original Broadlink one and you’ll end up with an expensive paperweight until you figure out how everything works and write a working firmware for it. Wifi, IR receiver, IR sender, RF chip, … Or you take the other route hahah

If we can offer a readily flashable firmware with everything working, the community will praise us. If it’s broken, they’ll be mad, 'cause the original firmware will be gone forever, and Broadlink isn’t that cheap, so… yeah.
I don’t know if the original firmware supports OTA, maybe?
But whatever, I think all this is far from reality.

I couldn’t think of anything that ESPHome (or the ESP in general) couldn’t do which the Marvell chip could.
As I said, even if we succeed, we would need to build a firmware just for this particular model. Is it worth it? I don’t know.

You definitively can.
Theoretically, someone could even imitate Broadlink’s protocol and make it work with their original app, but I think that’s not so interesting.
The interesting part is to hook up more things to it and use it like a multisensor thing (Humidity, Temperature, Air Quality, IR, RF, etc).

Neither have I, since I’m probably tossing the original chip away.
But what I will do before tossing it away is testing the test pads and documenting them here, if I find out for what they are.
Maybe even uploading something to it (with a lot of help), ultimately erasing the original firmware and deciding the chip’s fate into the bin, since I personally don’t think it’s worth the hassle to program it from scratch, considering the other option which already has everything. But if I manage to get it this far, everyone seeing this thread should have sufficient knowledge to program it and maybe someone even makes something for it.

Thanks to everyone interested into this :slight_smile:

Unfortunately, that’s correct. There are not enough memory resources. Even a Pi Zero has access to a SD card. Speed isn’t important for most home automation purposes. Consequently, the clock frequency isn’t all that zippy.

Your board is optimized for cost and compliance with RF regulations, not much else. If you want some fun hacking, however, go for it. You’ll be wiser for the experience.

Well, not really because nRF51802 chip came with a MPU as well so I found out there’s a way that could bypass it. So I figured that there should be a way for us to bypass it too, on this Marvell chip (if we know what we’re doing). That’s why I said “To make things worse, for someone like me at least”, because I don’t have much experience on JTAG. Here’s the reference I used to bypass the nRF51802 MPU

Alright, thanks for the info! Appreciate it so much.

Yeah, your effort would help any hobbyist reading this in the future and hopefully more will come to help out if they’re interested in reverse engineering the Broadlink as well. Right now, I would help you with what I could.

By the way, this is an off-topic question, but how did you search the China/Chinese website? I bought a Broadlink MS1, which is a Wi-Fi speaker, along with my RM Pro+. Thought I could use it until customer service said it was meant for China only. I doubt it, because not too long ago I bought a Bluetooth door lock and the seller said the same, but I could use it after pressing a button on the PCB. I have dismantled the MS1 but had no luck finding any button on the board except the power, wifi, channels, etc. So, I was hoping you could shed some light and maybe I could find something on the Chinese website.

That’s interesting, but out of the bounds of my comprehension (for now).

I really appreciate it. Do you, by any chance, have any solder station so you can desolder the shield and try to flash it? Your help would mean a lot. and I mean, a lot. I don’t have experience in XSVF and JTAG.

But…

If you don’t have any time or a solder station, can you give me some instructions on where to put wires on the chip in order to flash it via JTAG? The software used would also help (Windows 10/Ubuntu 19, I have both).

If I understand correctly, it won’t work in your country, right? I don’t know their hardware, nor their site or anything like that.
Well, you could “activate” it using a VPN, maybe. Pick a cheap TP-Link router that supports OpenWRT, install the OpenVPN client on it and route that connection to wireless. If you then connect your Broadlink to the router, it’ll route all your traffic through OpenVPN to another country. Obviously you need an OpenVPN profile too, but you can find that on the internet easily.

Yeah sure, I’d love to, but as of now I don’t think I have the time to try to flash it yet. I still have my nRF51802 ongoing. Maybe I could open the shield and locate the pinouts? Well, hopefully, because I haven’t really seen the board yet, even from your picture. Are you in a rush?

As for the software used, all I could think of is OpenOCD? Because that’s the common software used for reverse engineering (probably because I’ve seen a lot of them are being mentioned in different websites). Are you using dual boot?

Thanks for the info. Will try it. I’ve found a statement from someone saying that Broadlink stopped the support in 2017, so now it’s only applicable in China. But I still don’t understand why some sellers are still selling them outside of China.

I don’t have a lot of time currently, but if you need me to do something, just say, I’ll find a time :slight_smile:

Never heard of it. Interesting. I got a fresh SSD some days ago and I will dualboot Windows with Ubuntu. Right now I have both, but on different systems.

Well, maybe it’s because there is still stock left or because people still search for it and it creates sufficient demand for them to import it. I don’t know.

Alright, appreciate that. Will tell you if I need something. Might desolder the shield soon, as my pentest on the nRF51802 is coming to an end. I’ll try whether it’s possible to flash it with an ST-Link v2 debugger and OpenOCD. My only concern is bricking it. And could I still use the device without the shield on?

Yeah, could be. But I think I would just use the VPN trick or maybe just try and flash it. I’ve disassembled the parts and found the chips used so why not.