logo elektroda
logo elektroda
X
logo elektroda
Advanced Search
logo elektroda

Tuya P06 PIR IoT Allwinner/XRadiotech XR809 [XR3] Module and PhoenixMC UART Flash Tool

divadiow 1104 4
ADVERTISEMENT
Reply | New topic
  • #1 21145096
    divadiow
    Level 34  
    Hi. I bought a P06 PIR device from Ali Express expecting it to contain an Allwinner/XRadioTech XR809-based XR3 module, and I wasn't disappointed.

    https://www.aliexpress.com/item/1005006138378704.html fdsmart store
    Image of a WiFi PIR motion sensor available on AliExpress with a 49% discount offer.

    I've since noticed you can get the XR3 module on its own (I'm sure I looked before!): https://www.aliexpress.com/i/1005006923473047.html

    Image of the XR3 Smart Temperature and Humidity Sensor Wi-Fi Cloud module from AliExpress.

    Before I began to look into flashing and analysing this module/device, I familiarised myself with these OpenBeken XR809 articles
    https://www.elektroda.com/rtvforum/topic3806769.html
    https://www.elektroda.com/rtvforum/topic3890640.html

    It seems the PhoenixMC flash burning tool in the XR809 Github is still v2.8.2110e but I see reference to newer versions buried in a couple of places
    https://bbs.16rd.com/forum-qzx-1.html
    https://xradiotech-developer-guide.readthedocs.io/zh/latest/zh_CN/tools/
    https://bbs.aw-ol.com/recent?cid[]=16

    Finally I managed to find v 3.1.21014b in this XR806 Gitee https://gitee.com/moldy-potato-chips/xr806_-ap_mode.

    My first port of call, however, was to capture the UART boot log output. This was achieved by attaching USB-TTL RX to the RXD0 (not TXD0, as expected) of the module. This is the black dupont soldered in this pic. It joins the white where it's connected to USB-TTL RX pin.

    Electronic circuit with connected wires and XR3 module.

    and the module more clearly:
    XR3 module with visible connectors and traces.

    boot log
    Code: Text
    Log in, to see the code


    I need to go out now and I have more to add, including factory fw dump, but for now here are some pics of the device

    Close-up of a circuit board with an XR3 module. Close-up of a circuit board with XR3 module and PIR sensor. XR3 module with a micro USB port inside a device casing. Leaflet with setup instructions for a WiFi motion sensor device. User manual for WiFi PIR Motion Sensor model P06 from AliExpress. Close-up of XR3 module on a circuit board with a PIR sensor. Electronic module with components on a PCB, including XR3 chip and PIR sensor. XR3 module with PIR sensor on a circuit board. XR3 module on a P06 device circuit board with micro USB port and electronic components. Close-up of a circuit board with an XR3 module and a USB connector. XR3 module with a PIR sensor on a PCB. PIR motion sensor P06 with accessories and manual on a carpet. PIR motion sensor box with WiFi and Smart Life labels
    Attachments:
  • ADVERTISEMENT
  • #2 21146063
    divadiow
    Level 34  
    As with other SmartLife devices 6669/udp is open. But I have not got it to respond to any AT commands.

    Looking in PhoenixMC it seems there is a flash erase and read function and so attached is the result of read from 0x0 - 0x1FFFFF (2,097,151 bytes) and 0x0 - 0x200000 (2,097,152 bytes). I thought the end address of 0x1FFFFF would give me the full 2,097,152 bytes but it turns out the following is true

    Code: Text
    Log in, to see the code

    not sure I fully understand. Anyway, attaching both. I've not braved flashing back factory yet to see if it works.

    Screenshot of PhoenixMC showing a comparison of two binary files with different sizes.

    Here is an edited PhoenixMC GUI with English text

    Screenshot of the PhoenixMC application in mass production mode with a table and firmware update options.

    Debug window
    User interface of PhoenixMC tool for flash memory operations.
    Settings/Setup
    Settings window in PhoenixMC software with flash memory configuration options.
    Attachments:
  • ADVERTISEMENT
  • #3 21146083
    divadiow
    Level 34  
    interesting the SDK is v1.3 (Github latest is 1.4) and references some fix for a ~2010 Buffalo router.

    Code: Text
    Log in, to see the code


    Added after 8 [minutes]:

    The PIR sensor is the same BS612 seen in other PIR devices. Including the CBU-based P06 with TuyaMCU. This device does not have an MCU, so all control is handled by the XR3/XR809 module.

    The BS612 is a Senba Sensing Tech component. Datasheet attached.
    Attachments:
  • ADVERTISEMENT
  • #4 21146149
    divadiow
    Level 34  
    I believe the flash memory is by Macronix and is one of these two models

    Code: Text
    Log in, to see the code

    Warning message in phoenixMC_v3.1.21014b about BROM version 1 and flash ID 0x2040150000000000.

    Added after 52 [minutes]:

    and now flashing to OBK with PB02 and PB03 pulled low (grounded). I am powering the device by 5V USB, so I have soldered the GND on the module to a cable that is then made common with the GND on the USB-TTL adaptor, PB02 and PB03.

    Screenshot of PhoenixMC software with file update settings.

    Wi-Fi signal icon with network name OpenXR809_42D7AD9F.

    OpenXR809 is on 192.168.4.1 and client IP issued was 192.168.51.100. I had to set manual IP (192.168.4.2) in the same subnet to be able to get access to OBK GUI.

    User interface for OpenXR809 device at IP address 192.168.4.1.

    I also flashed back to factory and was able to pair again with the Smart Life app.

    Screenshot of PhoenixMC software showing firmware update progress.

    Added after 25 [minutes]:

    and using this info from the boot log

    Code: Text
    Log in, to see the code

    We set this

    Pin configuration interface for XR809 motion sensor

    BUT because there are no drivers enabled in XR809 release, there is no battery driver to run. Also, I'm guessing deep sleep isn't a thing sorted for XR809, so batteries are probably no use here. There's also no LFS for autoexec. Luckily the device can be powered using 5V micro USB. I'll probably unsolder the XR3 for use in ESP universal downloader board anyway.

    When motion is detected channel 1's value changes to 1. After covering up the sensor ~30s later the value will return to 0.

    Screenshot of the OpenXR809 interface with highlighted channel values.

    OBK template
    Code: JSON
    Log in, to see the code

    https://github.com/OpenBekenIOT/webapp/pull/1...mits/beb8ee0a6472d2300947b3c4428cba489aad03c5
  • #5 21460298
    divadiow
    Level 34  
    divadiow wrote:
    OpenXR809 is on 192.168.4.1 and client IP issued was 192.168.51.100. I had to set manual IP (192.168.4.2) in the same subnet to be able to get access to OBK GUI.

    https://github.com/openshwprojects/OpenXR809/pull/8 appears to fix this by changing src/net/udhcp-0.9.8/dhcpd_cfg.h

    Code: C / C++
    Log in, to see the code
Reply | New topic
Report a violation of the law
Popular Topics
ADVERTISEMENT