Using JTAG it’s probably not possible to brick it, due to direct connection. At last resort, you can get a ESP-01 and put it in place. The shield of the chip is not absolutely necessary. From what I know, it’s just to ‘shield’ out additional noise from outside, interferences, etc. I think it’ll work just fine without it.
Alright. Will get back to you once I got something.
2 Likes
Hello.
I have one too, and I wanted to use it as RF receiver/sender, and found out that it’s not always receiving…
And with the stock firmware my RF devices are not detected by broadlink app.
The PCB looks like yours, I want to replace the controller with ESP12 with Tasmota firmware, as I did with RM Mini and it’s perfect.
Do you have any schematics so I can remove the broadlink micro controller and replace with ESP12?
I just don’t know if there is a Tasmosta driver for SI4463 chip…
Anyone have tried that?
Regards!
@Valentino_Stillhardt Hello once again. I’m so sorry for the late reply. Was very busy for Christmas, New Year and Lunar New Year plus my work. So what I’ve got is that I think its possible to connect directly from the Marvell chip through TX and RX (using FTDI USB to Serial Adapter since it’s ESP-ish but I’m not sure whether it’ll work) or SDO and SCLK using a Marvell debugger (maybe a Black Magic Probe would do the trick but I’m not so sure as well). That way, you could flash your own firmware or even extract it, that is if it’s not protected.
As for me, I changed the the chip to an ESP12. I was satisfied with the outcome and I think it’ll be easier if you take this path as well. But if you insist on reverse engineering the Marvell, I’d still try to help you.
@zejulio I replaced one with an ESP12 recently. What schematics are you looking for? And is there a Tasmota firmware for IR blaster like Broadlink? If so, do I just upload the code and ready to use like Sonoff Tasmota?
Hello,
What connections did you made? Can you share some photos?
I have removed the broadlink microcontroller, and now I have a good looking enclosure with a PCB inside :), I want to place the WEMOS/ESP12 doing what broadlink controller was doing but with own firmware, I think tasmota does not have driver for the RF device, I don’t know if ESPHome or other has…
Please share what you have done, it would be very appreciated.
For now I have bought a Sonoff RF Bridge and flashed with tasmota and its working very good, but if I can bring the BL back to life it would be good, since it has a “supposed” better RF IC…
Thanks,
Julio Silva
I can’t send pictures of my connection because it’s really messy so I’ll just share where to connect. Before that, I just wanna make sure that your’s is RM Pro Plus? If it’s not, then the connection might be a little bit different from mine.
Oh, just to tell you beforehand, I can’t share the firmware as requested by the person who helped me because he didn’t want it to be share publicly so I hope you could understand.
No problem, ESPHome or Tasmota should do it just fine.
Okay. So here’s the connection:
ESP12F -> Broadlink
VCC -> 3.3V
GND -> GND
TX -> RX
RX -> TX
RST w/ 10k resistor -> 3.3V
EN w/ 10k resistor -> 3.3V
GPIO15 w/ 10k resistor -> GND
As for the in and out signal and the learn and wifi LED, I think it depends on where your firmware assign the pinout but here’s mine anyway:
GPIO12 -> Blue/Wifi LED
GPIO5 -> IR SIG (OUT)
GPIO4 -> IR SIG (IN)
The GPIO15 was supposed to be wired to the Orange/Learn LED but somehow, it will only work if I connect it to GND thus leaving the Learn LED unconnected.
Maybe you could make a PCB to make it better so it won’t look as messy as mine LOL
3 Likes
Tasmota does not have driver to this RF module…
Did anyone flash a RM Mini with esphome and have it work?
Ahh nevermind, I thought this chip had an esp8266 but it uses a marvel chip. https://www.youtube.com/watch?v=_bgFeeZ3_ks
Ok, lots of information, but loved to know if you can put esphome on my RM pro+ will be the best if I can
We can’t, at least with original hardware afaik. It isn’t based on an Espressif chip.
Unless someone develops a compiler thingy for the Marvel chip, it’s a far fetch. Even then, someone probably would need to rewrite some parts of ESPHome to support the marvel chip.
What did you end up doing to yours?
It’s tossed in a drawer somewhere.
I ended up using an ESP8266 with an infrared LED and put ESPHome on it. It can control IR just fine, is much MUCH cheaper (less than $10 total) and works over 1 year now - flawlessly. No cloud necessary 
It’s so small that it could fit into all my HVAC units. I placed the IR led near the IR led from the HVAC and now I can control them with my phone. No visible wires or anything ahahah
All my HVAC units coincidentally have a 5V rail to power the receiver IR doide (3 pin), so I used it to also power the ESP. Works just fine.
I find this guy, Create Custom IR remote w/ Home Assistant & ESPHome - David Sword… is he the best tutorial.
1 Like
I realize this thread has been quiet for almost a year, but I’m hoping to resurrect some interest. I came across the thread when I decided to stop trying get my horribly unstable RM4 Pro S working properly and decided I need to try and hack it. I don’t however see anyone talking about the RM4 Pro here and my main application is to control an RF-controlled ceiling fan at 315MHz.
Cracking open the case on this model doesn’t appear to be as easy as what I’ve seen of the other versions, there’s two tri-lobe screws hidden under the rubber circle on the bottom. Once you get those out, you need to use a spudger around the clamshell seam and I managed to break four of the eight tabs regardless. Once you have the outer, black shell removed the PCB is mounted inside of whiteish clamshell and the whole thing is fastened to the bottom of the outer shell with one phillips screw. To remove the white shell, you have to fold in some of the IR LEDs in the circular array.
There’s two shield-bearing boards mounted to the main PCB, the larger one looks almost identical to the picture above by @Tombstone but doesn’t have the same markings and the dimensions don’t appear the same. The code e324684 is printed on that one which appears in a few search results as a WiFi module, and used in a generic WiFi connected LED bulb as documented here in a related module-swap project. The backside of the main PCB where this is mounted has eight solder pads exposed: GND, pin6:TX2, pin6:RX2, +3.3V, +5V, pin4:TX0, GND, pin5:RX0.
I can’t identify the smaller board with shield exactly, but it appears to be the FM tx/rx board, one marking is BL3361-I_1VD, though I’m not sure about the characters after the hyphen, they could be I (eye), l (elle) or 1 (one), I haven’t found an exact match but BL3361 is easy to find and appears similar at least. The backside of this one exposes seven solder pads: 433_R1, 433_T1, GND, DBG_DATA, DBG_CLK, DBG_EN, RST_433.
The two problems I’m having are that the device’s WiFi connection is intermittent at best for a few days, then drops off completely until it gets power cycled. When it is online, programming it is an effort in frustration though I have gotten it to control my ceiling fan using both the Broadlink app and using service calls within HA, so the lack of 315MHz being written anywhere on the board should be disregarded as I bought this one expecting it should be able to do both 315MHz and 433MHz though I have nothing 433MHz to test against.
The first thing I’d like to do is connect to a serial interface to see what it is doing as described by @Valentino_Stillhardt bay in Dec '18 but I’m not sure what pads to connect to. Hopefully someone here can use the information provided including the pictures to help get me started. And if anyone else has hacked their RM4 Pro, please share.
Hi, sorry for the late reply.
You’d connect your FTDI to any “GND” and “pin4:TX0” and “pin5:RX0” and that would give you the serial output of the first chip.
By connecting to any “GND” and “pin6:TX2” and “pin6:RX2” you probably get the serial output of the second chip.
And lastly, by connecting to any “GND” and “433_R1” (meaning RX) and “433_T1” (meaning TX) you get the serial output of the 433 chip afaik.
If you don’t know which one to connect to RX and which one to TX of your FTDI adapter, just try 
Cheers
I have a Broadlink RM Pro+ that stopped powering on and have all the equipment need ed to access the board via headers and such. Does anyone have some time to see if this device can be repaired? I have no idea how to check the fusible link or circuit breaker. So far I have tried connecting via ESP home without luck.
Broadlink devices are not ESPHome compatible, so you can’t connect them that way.
If the device stoppee powering up, use my pinout above and measure the VCC (3.3v) to look if it’s getting power. If the chip does, the chip is probably dead or bricked. Sniffing TX RX would probably give you more insight.