Original firmware backup does not work on all Elekstube IPS clocks

Question

Original firmware backup does not work on all Elekstube IPS clocks

neptune2 opened this issue 3 years ago · 7 comments

Firstly - thanks for creating the alternate firmware and documenting all the steps - compiled and worked first time.

I discovered that your original fw-backup-4M.bin does not work on the new EleksTube IPS clock I just received.
Fortunately, I had made a backup of my firmware before uploading new Firmware and my backup firmware does restore correctly.
I checked multiple times with different baud rates - same results.

I'm not sure what is different - all the parts look the same as your documented part numbers.

Please consider adding a Warning for prospective hackers to backup their firmware before uploading new firmware.
Someting similar to:

# backup the firmware from the esp32
esptool --baud 115200 --port COM3 read_flash 0x0 0x400000 my_fw-backup-4M.bin

Answer 1 · 2021-05-22T18:11:04.000Z

Interesting, would you mind sharing your backup? Maybe we can find out what the difference is...

Answer 2 · 2021-05-27T05:21:02.000Z

Sounds like my problem - only I didn't make a backup of mine ;)
@neptune2 would you care to share yours?

Answer 3 · 2021-05-29T02:33:26.000Z

Is this still alive? Since @neptune2 never replied here again I took a dump from my second clock and the binary files indeed differ largely...
fw-backup-jz-4M.zip

Answer 4 · 2021-05-29T04:25:27.000Z

Hi Koshisan, you are welcome to try my binary file and alternative firmware (based on smitty's work). It's at https://github.com/frankcohen/EleksTubeIPSHack. -Frank

Answer 5 · 2021-05-29T04:41:33.000Z

Hi Koshisan, you are welcome to try my binary file and alternative firmware (based on smitty's work). It's at https://github.com/frankcohen/EleksTubeIPSHack. -Frank

I know, I am ksh_osaka in reddit ;) I was just wondering since all other contributors have been silent for a while now...

Answer 6 · 2021-05-29T17:53:38.000Z

Hi Jens @koshisan, I have found how to convert @SmittyHalibut original firmware in this repo to work on my clock!

The discovery is that the MAC address in the firmware must match the factory programmed MAC address in your clock.

Here are the steps (in Windows):

Find the MAC address in your clock:
esptool flash_id
Look for the line that starts MAC:
Replace all 42 instances of the MAC address in your copy of fw-backup-4M.bin.
Note that the 6 MAC bytes in the firmware are in reverse byte order from the MAC: xx:xx:xx:xx:xx:xx format in step 1.
I used WinMerge https://winmerge.org/ to edit the firmware binary with the following steps:

2a. Make a copy of fw-backup-4M.bin (I named it edited_fw-backup-4M.bin)
2b. Open both bin files side-by-side in WinMerge (they should be identical)
2c. Select the edited_fw-backup-4M.bin pane in WinMerge
2d. Edit->Replace <bh:80><bh:93><bh:2f><bh:84><bh:db><bh:e8> with <bh:xx><bh:xx><bh:xx><bh:xx><bh:xx><bh:xx>
     Click Replace all following occurrences (it may report 43 differences - there are actually 42)
     where the xx bytes are replaced with your clock MAC address bytes (reverse order from Step1. format). 
     The last 2-3 bytes should be the same.
2e. Save the edited_fw-backup-4M.bin file

Restore the edited_fw-backup-4M.bin firmware to your clock:
esptool --baud 115200 --port [COM port] write_flash 0x0 edited_fw-backup-4M.bin

Hopefully this also works on your clock.
Please reply with you results. 頑張って

Answer 7 · 2021-09-29T20:19:55.000Z

Thank you @neptune2 for finding this and coming up with the solution. I've updated original-firmware/README.md with your instructions:

https://github.com/SmittyHalibut/EleksTubeHAX/blob/main/original-firmware/README.md

Resolving. :-)