ELV Max! Hardware & Cube firmware

Forum about the home automation suites by ELV etc

Moderator: jrkalf

matthijskooijman
Member
Member
Posts: 62
Joined: Tue Oct 18, 2011 10:07 am

Re: ELV Max! Hardware & Cube firmware

Post by matthijskooijman »

I did a bit more reading on the Atmel chip used.

The debug unit that is included, is really just a serial port optimized for debugging output. The debugging commands that I had hoped to use, aren't actually implemented by the debug unit, but just by the fallback bootloader that lives in ROM (and never gets activated on the cube, unless you do a full flash reset).

Furthermore, it seems that this chip can activate a "security bit" on its internal Flash, preventing all flash programmer operations (until a full reset). Furthermore, a program can set the NTRST bit, which (IIUC) prevents all JTAG / ICE operations on the chip, which would mean the JTAG port is useless to us. At first I was hopeful that ELV wouldn't have used these protection mechanisms, so they can still restore the firmware on a bricked Cube in case a firmware upgrade goes awry, but realizing that they can always to a full Flash reset to get the programming interface working again, makes me pessimistic about this.

In any case, I ordered a simple JTAG interface today (The Bus Pirate), so I'll hope to know more soon (but there's also regular work to do, unfortunately ;-p).
matthijskooijman
Member
Member
Posts: 62
Joined: Tue Oct 18, 2011 10:07 am

Re: ELV Max! Hardware & Cube firmware

Post by matthijskooijman »

I also found the pictures I made of the Cube and Radiator PCBs again, which I now attached to the first post.
Kingsammy
Starting Member
Starting Member
Posts: 17
Joined: Mon Dec 19, 2011 11:10 am

Re: ELV Max! Hardware

Post by Kingsammy »

matthijskooijman wrote: - Neither the article or the schematic offers real insight in what the type of RF unit is used exactly. The name that looks the most like a model name is "TRX868", but I can't find anything with that model name that actually looks like the component itself. ELV doesn't seem to offer the TRX module either.
The TRX868-module of the cube includes a Texas Instruments "CC1100"-Chip, see here: http://www.mikrocontroller.net/topic/244432#2735133
matthijskooijman
Member
Member
Posts: 62
Joined: Tue Oct 18, 2011 10:07 am

Re: ELV Max! Hardware & Cube firmware

Post by matthijskooijman »

Ah, IIRC that module is the same one (or similar) as the one in the CUL module.

As for JTAG, this didn't work out. I got my JTAG adapter (a cheap-and-simple one, the Bus Pirate last week and got it working with a known-good JTAG device (a wireless AP I have here).

Then, I connected the thing to the Cube's JTAG pins, without any luck. The readings I got were very similar to the readings I got with my AP when I forgot to connect the TRST pin, which confirms the suspicion that the Cube has the "Force nTRST low" bit enabled. In theory, there should be a race condition where JTAG is enabled after the power-on and before the application or bootloader sets the force nTRTS register in the debug unit, but I guess it's not feasible to exploit this race condition in practice...

So, I think I've exhausted my options for getting my paws at the firmware inside the device and I'll have to just talk to the cube through ethernet (or get a CUL dongle...).
matthijskooijman
Member
Member
Posts: 62
Joined: Tue Oct 18, 2011 10:07 am

Re: ELV Max! Hardware & Cube firmware

Post by matthijskooijman »

I've taken a closer look at the radiator thermostat hardware, hoping to get and/or modify the firmware in there. No luck so far.

IC3 is a 24C04RP, which is a flash chip. I [url=http://www.utsource.net/ic-datasheet/24 ... 31570.html]found a datasheet for the (probably) similar 24C04A 4K flash chip. It contains 4Kbit == 512bytes and talks over I2c. I was hoping this chip would contain the firmware, but the fact that it is connected over I2c suggests it is just for auxiliary data. Connecting a i2c sniffer (by soldering wires directly to the chip's pins) shows me that about two dozen bytes get read at startup, so that also suggests there is no firmware in there.

A bit more sniffing shows that this flash chip is indeed used to store persistent data. The RF address of the connected cube is stored in bytes 0-2 and the weekly program is stored somewhere in the second half of the flash. A quick look suggests it is not stored in the same format as it is transmitted, but I didn't look more closely.

I suspect the PRG1 pads are connected to some kind of internal flash chip inside the main chip. I haven't figured anything about this programming, except that pin 1 seems to be GND and pin 4 seems to VCC. I was hoping these pins connected to the flash chip IC3, but this didn't seem the case.
Kingsammy
Starting Member
Starting Member
Posts: 17
Joined: Mon Dec 19, 2011 11:10 am

Re: ELV Max! Hardware & Cube firmware

Post by Kingsammy »

matthijskooijman wrote:
I suspect the PRG1 pads are connected to some kind of internal flash chip inside the main chip. I haven't figured anything about this programming, except that pin 1 seems to be GND and pin 4 seems to VCC. I was hoping these pins connected to the flash chip IC3, but this didn't seem the case.
A short view in the schematics of the Radiator Thermostate I will see that

Prg4 is connected VLC1 (Pin 4) of IC2
Prg3 is connected to VLC2 (Pin eight) of IC2
Prg2 is connected to RESETB (Pin 16)of IC2
PrG6 is connected to TEST (Pin 13) of IC2

Hope this will help you.
matthijskooijman
Member
Member
Posts: 62
Joined: Tue Oct 18, 2011 10:07 am

Re: ELV Max! Hardware & Cube firmware

Post by matthijskooijman »

Awesome! I already had the schematic for the cube, but I hadn't realized there was a DIY version of the radiator thermostat as well. Bought it right away, interesting stuff.

Unfortunately, the schematic doesn't list the type of microcontroller used, but by filling in a bunch of pin names into google, I was able to find a taiwanese (or whatever) datasheet from Samsung that matches the pin names exactly (including pin numbers). I'm pretty confident that the chip is indeed a S3F8275X/F8278X/F8274X so that's awesome.

I also found a datasheet in English, it's here (and comprehensive, >300 pages): http://www.samsung.com/global/business/ ... _rev14.pdf

The datasheet also suggests the pins in the programming header are needed to read and write the internal flash, but it doesn't explain how to talk to the flash exactly. Apparently this is somewhat standardized (Samsung) MCU / OTP / MTP serial programming / tool programming mode, but I couldn't find any actual documentation on this (except for a dozen more datasheets for similar microcontrollers that were similarly vague).

Anyone have any clue how this stuff is supposed to work?
matthijskooijman
Member
Member
Posts: 62
Joined: Tue Oct 18, 2011 10:07 am

Re: ELV Max! Hardware & Cube firmware

Post by matthijskooijman »

Thinking, "it never hurts to ask", I sent an e-mail to ELV to see if they could provide any extra documentation about the system. It didn't actually get me anything, as was to be expected of course. I'll share the exchange here, for future reference.
Matthijs wrote: I've been experimenting with your ELV Max! Heating system for a while and am considering to implement it completely in my house. However, I need some way to integrate my central heating boiler into the system, for which I'm planning to build some custom electronics and software. Now I'm wondering if ELV could perhaps release some more documentation or tools to help with something like this. On various internet forums, parts of the ELV Max! protocols and hardware have already been analyzed (which suggests to me that there is a lot of community interest in having a more open system), but there are still a lot of bits missing.

In particular, things that could be helpful would be:
- Documentation about the TCP protocol used by the cube
- Documentation about the RF protocol used by the system
- Information about the algorithm the radiator thermostats use to
decide the valve position
- The exact model number of the microcontroller chip used in the
radiator and wall thermostats
- Source code for the radiator and wall thermostat firmware (this is a
long shot, but I can try, right? :-)
ELV wrote: Regarding your request for forwarding of the data, we must regret to say in this case that we can not provide these.

Our development department wants in coordination with the management due to competition and patent reasons, no publication of any data to finished devices and not fully disclosed journal projects. This applies to private as well as business customers and does not affect you personally. By the technical customer service we can provide only data that have already been published in the ELV- Journal.
Post Reply

Return to “Homematic, FS20, FHT, ESA and ELV”