The bridge is designed to integrate previous generation protocol with Apple HomeKit, Google Home and Amazon Alexa.
Manufacturer | Thinka | Thinka | 1Home | Freedompro | Atios | Pairot | TSEEM | Home Assistant | Home Assistant |
---|---|---|---|---|---|---|---|---|---|
Device | Thinka for KNX | Thinka for KNX - Pro | 1Home Bridge for KNX | Easykon for KNX | Atios KNX Bridge | Pairot KNX Bridge for Voice control | TSE300 | Home Assistant Yellow | Home Assistant Yellow with PoE |
Price | EUR 739.00 | EUR 789.00 | EUR 799.00 | EUR 730.78 | CHF 249.00 | EUR 495.00 | ? | USD 124.00 | USD 135.00 |
As router | NO | YES | YES | ? | ? | ? | ? | NO | NO |
The Next Generation Protocol | | | | | | | | | |
Additions | Requires KNXnet/IP router e.g. Weinzierl KNX IP Interface 731 or transceiver e.g. NCN5120, NCN5121, NCN5130, Transceiver from Opternus to communicate with KNX BUS via UDP. |
If you don’t set up the correct ESP-IDF configuration, the board won’t boot successfully and keeps throwing exceptions like this:
ESP-ROM:esp32s3-20210327
cp -r espressif_esp32s3_devkitc_1_n8r2 espressif_esp32s3_devkitc_1_n16r8
(Adafruit doesn’t support N16R8, so an ESP32-S3 board with PSRAM is the easiest one to modify)

mpconfigboard.h
- MICROPY_HW_BOARD_NAME: ESP32-S3-DevKitC-1-N8R2 to ESP32-S3-DevKitC-1-N16R8

mpconfigboard.mk
- USB_PRODUCT: ESP32-S3-DevKitC-1-N8R2 to ESP32-S3-DevKitC-1-N16R8
- CIRCUITPY_ESP_FLASH_MODE: dio to qio (DIO to QIO for Flash)
- CIRCUITPY_ESP_FLASH_SIZE: 8MB to 16MB (8MB to 16MB for Flash)

sdkconfig
- CONFIG_SPIRAM_MODE_QUAD=y to CONFIG_SPIRAM_MODE_OCT=y (QUAD to OCTAL for PSRAM)
- CONFIG_SPIRAM_SIZE: 2097152 to 8388608 (2MB to 8MB for PSRAM)

The above configuration is based on the ESP32-S3 documentation; it mainly modifies the flash size and flash mode.
I made a Dockerfile to compile the CircuitPython firmware.
# https://learn.adafruit.com/building-circuitpython/build-circuitpython
Usage:
docker build . -t circuitpython
esptool.py --port /dev/cu.SLAB_USBtoUART --chip esp32s3 --baud 921600 \
You will then see that the storage is already connected via USB, and the REPL is also working fine.
Gianni had already done an excellent job before; I just continued to improve and reduce the size of the whole module, with some minor adjustments.
You can use QRE1113/QRE1114 with analog or digital methods and Arduino codes here.
Normally we use the following connections, but the number of the ESP’s GPIOs is limited: if we have 25 keys to drive, we need 25 GPIOs to read the analog values.
Gianni used the matrix method to reduce the number of GPIOs needed to only 15. Also, only one sensor is powered at a time, which saves more battery power.
We need at least 17 GPIOs, but on the ESP8266 only 8 are available. Although we don’t need to use the BLE for now (of course you can also make it as a Bluetooth speaker!).
We could also use the very popular MCU RP2040, but it has more peripherals than the ESP32-PICO-D4 and I’m not familiar enough with it.
You can also use sensor (QRE1113) + analogue switch (TS3V330) + matrix scanning IC (SX1509, has a powerful keypad engine and use I2C communication), however, this requires long periods of power supply to all sensors.
I tried to analyze all the chip/hardware differences in the same model of mainboard and find out which chips are key for these features. This should theoretically allow a hard-fixed mainboard to use the US firmware and use all features properly.
First of all, the Chinese version of the heatsink is white and the US version is black. It should not be the key to whether GMS can be used, lmao :)
PCB Annotation | Manufacturer Part |
---|---|
J | |
IC1609 | |
J1602 | |
IC3101 |
2.8” Samsung LMS279CC01 VA13071907MP4?
Back Annotation:
The interesting thing is that a portable game console called Miyoo Mini also uses this LCD, but without the touch panel.
Touch IC CY8CTMA301E-48LQXI.
25 PINs, notched on both sides.
ARG IDF_CLONE_BRANCH_OR_TAG=v4.3
Tips should be noted here:
struct file contents to modify main program file, not fixed magic number.
# download
4 commands available:
U: go Up one level
Extract the main program file and the struct file.
You can also see the Python version through the struct file:
$ xxd < struct.pyc
View the head of the main program file:
$ xxd < t.pyc
You can see that the first byte of the main program is e3; therefore, the contents before e3 in the struct file are prepended to the main program file.
It is 12 bytes (160d 0d0a 7079 6930 0101 0000) in the example, not the 8 bytes stated in many old articles. So don’t use a fixed length!!! View your struct file header!!!
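The header fix described above, as an added example that is not code from the original post: it takes the header from the struct file instead of hard-coding a length. The function names are hypothetical, the sample bytes are constructed around the 12-byte header quoted in the post, and the 16-byte case (used by newer Python versions) goes beyond the post's example.

```python
MARSHAL_CODE = 0xE3        # first byte of the main program file, as seen in the post
HEADER_LENGTHS = (16, 12)  # .pyc header sizes to try, longest first


def pyc_header(struct_pyc: bytes) -> bytes:
    """Return the .pyc header of the struct file: the bytes before its code object."""
    if struct_pyc[2:4] != b"\r\n":
        raise ValueError("struct file does not start with a .pyc magic number")
    # Try 16 before 12: with a 12-byte header, offset 16 is the top byte of the
    # module code object's argument count, which is zero, so it cannot match.
    for length in HEADER_LENGTHS:
        if len(struct_pyc) > length and struct_pyc[length] == MARSHAL_CODE:
            return struct_pyc[:length]
    raise ValueError("no code object found at a known header offset")


def repair_main(main_program: bytes, struct_pyc: bytes) -> bytes:
    """Prepend the struct file's header to a header-less main program file."""
    if not main_program or main_program[0] != MARSHAL_CODE:
        raise ValueError("main program does not start with 0xe3; header already present?")
    return pyc_header(struct_pyc) + main_program


if __name__ == "__main__":
    # Constructed sample: the 12-byte header quoted in the post plus dummy bodies.
    header = bytes.fromhex("160d0d0a7079693001010000")
    struct_pyc = header + b"\xe3" + bytes(20)
    main_program = b"\xe3" + bytes(20)
    fixed = repair_main(main_program, struct_pyc)
    print(len(pyc_header(struct_pyc)), fixed[:12].hex())
```
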
pip install uncompyle6
Well done!
Some .DAT files in the directories.
request
308088630000005b401c64006400c005140000640064006400c005140000640014006400c00514000064000101040102
response
09801624000000bb01
xw607_0000_v00.05.0028_20190726.pro.cfg.sig
<dji>
I used nmap to scan its ports and found that 53, 80 and some custom service ports (I confirmed that they are some HTTP services) were open.
SSH and telnet were not open, so I decided to check the web interface.
However, there are only some basic status and network setting pages here.
At that time, the online upgrade function caught my attention, so I decided to sniff the upgrade URL to get the firmware file.
I connected the GL-MiFi to another RT-AC86U router (Internet <-> RT-AC86U <-> GL-MiFi) and ran tcpdump on the RT-AC86U; then, using Wireshark, I got the upgrade host IP.
Then I forwarded all the original traffic to my IP on the RT-AC86U.
iptables -t nat -A PREROUTING -p tcp -m tcp -j DNAT -d ORIGINAL-IP --match multiport --dports 80,443 --to-destination MY-IP
I can see the request URLs now, so I wrote a small Flask app to handle all the URLs and respond to the upgrade request with fake data.
version=10.0
Now I have the URL path of the firmware files, and I downloaded them.
I used binwalk upgrade.bin | head to check the firmware file but got nothing.
Then I dumped it as hex with xxd < upgrade.bin | more; after viewing it, I think it is an encrypted file.
Usually unencrypted firmware files have some features:
- 2705 1956, a U-Boot header
You can view the U-Boot image header code on GitHub
typedef struct image_header {
$ xxd < upgrade_decrypto.bin | more
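A check for the U-Boot header feature mentioned above, as an added example that is not code from the original post: it parses the 64-byte legacy image header (magic 2705 1956) and verifies both CRCs, which an encrypted blob will not pass. The function names and the sample image are constructed for illustration.

```python
import struct
import zlib

UIMAGE_MAGIC = 0x27051956
# Legacy image_header: 7 big-endian uint32, 4 uint8, 32-byte name = 64 bytes
HEADER = struct.Struct(">7I4B32s")


def parse_uimage_header(blob: bytes):
    """Return header fields if blob starts with a valid legacy U-Boot header, else None."""
    if len(blob) < HEADER.size:
        return None
    (magic, hcrc, _time, size, load, entry, dcrc,
     _os, _arch, _type, _comp, name) = HEADER.unpack_from(blob)
    if magic != UIMAGE_MAGIC:
        return None
    # The header CRC is calculated with the header CRC field itself set to zero.
    zeroed = blob[:4] + bytes(4) + blob[8:HEADER.size]
    if zlib.crc32(zeroed) & 0xFFFFFFFF != hcrc:
        return None
    data = blob[HEADER.size:HEADER.size + size]
    return {
        "name": name.rstrip(b"\x00").decode("ascii", "replace"),
        "size": size,
        "load": load,
        "entry": entry,
        "data_crc_ok": zlib.crc32(data) & 0xFFFFFFFF == dcrc,
    }


def build_sample(payload: bytes, name: bytes = b"constructed") -> bytes:
    """Build a constructed image (header + payload) for testing the parser."""
    dcrc = zlib.crc32(payload) & 0xFFFFFFFF
    hdr = HEADER.pack(UIMAGE_MAGIC, 0, 0, len(payload),
                      0x80000000, 0x80000000, dcrc, 5, 5, 2, 0, name)
    hcrc = zlib.crc32(hdr) & 0xFFFFFFFF
    return hdr[:4] + struct.pack(">I", hcrc) + hdr[8:] + payload


if __name__ == "__main__":
    print(parse_uimage_header(build_sample(b"payload" * 4)))
    print(parse_uimage_header(bytes(range(256))))  # no magic: not a plain image
```
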
At the same time, I found an article about firmware encryption, so I think the decryption function may be inside the firmware.
Now I am in trouble.
I decided to tear it down and start with the hardware.
Connect to UART port via USB TTL adapter.
Adapter | Router |
---|---|
GND | GND |
TXD | RXD |
RXD | TXD |
According to the doc, set the speed to 115200.
Now you can read the data in memory.
Or we can try to use shell in normal mode.
After looking at the Lua web files, I found the shell script for the call.
Now I can get the decrypted firmware file and duplicate it onto a new router of the same model!
M0S8C74.
Connect the serial port through USB and send the code (ending with #) to unlock.
5.6.2.45 here.
demo.bin
ZTE F401 is the equipment of Shanghai Telecom enterprise users, we can also use it.
Connect to the HG2821T-U and request http://192.168.1.1/appapi/getstat/000000; you can get the LOID from the response JSON data.
Connect to the ZTE F401 and configure the network manually:
Log in to the web management interface http://192.168.1.1; the username and password are both admin.
Then configure SN, LOID and password as HG2821T-U’s LOID.
If there are some random codes in the input box, don’t delete them; keep them at the end.