Hacking the IKEA TRÅDFRI

Introduction
Components
Pinout
Flashing using JTAG
Software used
Custom firmware
Isolation
Pictures
Relevant sources
License
Disclaimer

Introduction

The IKEA TRÅDFRI family of products provide you with several lighting solutions that interconnect using ZigBee Light Link.

If we take a simple GU10 light bulb, it contains:

Power supply
LED driver
IKEA TRÅDFRI module

The tiny IKEA TRÅDFRI module is used in many of their products, and is actually a small piece of circuit board with pins exposed. This board uses the energy-efficient Silicon Labs EFR32MG1P132F256GM32 microcontroller (MCU), which is a ARM Cortex M4 with 256 KiB of flash and 32 KiB of memory.

You can take out the board, and hook it up to your own lighting solutions. Or, you can flash it with your own firmware, for other purposes.

To find relevant products, I have compiled a list of IKEA TRÅDFRI products (please help me to update this list).

Components

I have been able to identify the following parts on a IKEA TRÅDFRI module:

Microcontroller: EFR32MG1P132F256GM32
2 Mbit SPI NOR Flash: IS25LQ020B
Crystal: 38.4 MHz

I am very certain that the SPI NOR Flash component is correct. The original firmware contains strings that refer to the exact part number. However, it also contains references to other SPI flash components, so your module may contain another one. The JEDEC ID it responds with is 9d 40 12.

Updated module

In January 2020 I bought the successor of the cheapest Trådfri LED bulb (the LED1837R5) and it contains an updated module (ICC-A-1). It looks like some components have been moved, but all the part numbers look the same. I have included updated pictures in the Pictures section.

The only difference I have found (so far), is that PF3 is no longer an output pin, but used to enable the SPI NOR Flash.

Pinout

The pinout of both modules is very similar.

Marco van Nieuwenhoven has provided a very detailed teardown of the ICC-1 module. He traced most of the copper traces and created a schematics on his website.

Flashing using JTAG

To connect to an external JTAG/SWD debugger, connect as follows:

PF0 -> SWCLK
PF1 -> SWDIO
PF2 -> SWO
RESETn -> RESETn
GND -> GND
VCC -> VCC (3V3)

In my case, I could leave the module in the light bulb, but for flashing I provided my own power supply by hooking it up to the VCC line directly.

I'm working on a small PCB that can host a TRÅDFRI module. You can find it in the pcbs folder.

Software used

You can use software like JLink or OpenOCD to flash the target.

If you use JLink, you can use the command below to connect to the board:

JLink -If SWD -Speed 5000 -Device EFR32MG1PXXXF256

To dump the flash contents, use the command below (0x40000 is 256 KiB):

savebin output.bin 0x0 0x40000

To load a flash from file, use the following command:

loadbin output.bin 0x0
verifybin output.bin 0x0

I have confirmed that you can dump the flash, erase the device and load it again, and the light bulb will still work.

An analysis of the firmware encountered in the GU10 light I bougth can be found in FIRMWARE.md.

Custom firmware

The chip is a normal Cortex M4. You can flash it with anything. As a starting point, you could take a look at this pull request for RIOT-OS. To get started.

I've added some firmwares in the firmwares folder.

As a proof of concept, check out this YouTube video I made. In there, I show how I control the LED connected via a serial console.

Isolation

If you plan to leave the board in-place, and run your own light bulb firmware, never connect external devices (e.g. debugger or serial adapter) to a light bulb that is plugged in. Due to different voltage levels, you could destroy your devices.

If you want to connect an external device, ensure that it is properly isolated (e.g. using a optocoupler).

I have designed a board that you could use to isolate UART signals. You can find it here.