Making smart devices smarter with Tasmota
Home Rule
Flashing IoT devices with new firmware lets you wield control and keep them out of the cloud.
In the age of robotic vacuums, robotic lawn mowers, and mopping robots, I want to add automation and intelligence to my apartment. Just the act of purchasing a smart socket that has an Android app makes this both an easy and a comfortable solution for people wanting to add a touch of home automation to their living space.
However, I am paranoid enough that when devices are in my network, I want to have full control over them. It bothers me that this new functionality comes with the "additional feature" of these devices calling home to a server somewhere on the Internet. I was optimistic that I could achieve my goal of automation but also keep full control over my own devices.
To achieve this control, I was hoping I could purchase a few smart adapters and find one that I could bend to my will. The good news is that the security on each of these devices was good enough that I wasn't able circumvent it with a playback or man-in-the-middle attack, but I didn't actually have any luck gaining complete control of the devices, so I set out to find a way to modify an existing device to achieve my goals.
Little did I know that this is a fairly active area of development in the open source community. The solution is to flash the devices with new firmware that provides enhanced functionality. I looked into a couple of different solutions under active development. The oldest and presumably most mature firmware solution is Tasmota.
Tasmota
The Tasmota project [1] contains additional functionality to support the MQTT (Message Queuing Telemetry Transport) protocol, so your device can be an MQTT client and publish and receive messages.
The list of main functions supported by Tasmota is pretty impressive:
- Support for the MQTT protocol
- Support for HTTP requests
- Support for most common sensors
- Over-the-air updates
- Belkin Wemo and Philips Hue emulation
- Timers
- Domoticz integration
- ESPTool FTDI programmer/serial programmer
My needs are pretty modest; I simply want to connect the device to my home network. However, in addition to all the other functionality, I get another cool feature for free. Tasmota offers over-the-air (OTA) updates, which means once you have flashed the device, you won't have to unplug, disassemble, flash, and reassemble each time you want to upgrade the firmware, which is priceless for anyone unfamiliar with the technology.
Before using this firmware, you need to have all the necessary tools and materials:
- FTDI serial converter
- Header pins
- Soldering iron and solder
- Firmware
- Low-melting-point solder (optional)
The device I chose to modify was the Sonoff S20 (Figure 1), an extremely friendly device from the perspective of the home do-it-yourselfer. The circuit board is big, is easily accessible, and has been designed so it can be enhanced with connector pins to allow external programming.
Taking apart the Sonoff was refreshingly easy. None of the screws are hidden behind labels, and the case comes apart and can be put together much like playing with legos. No blobs of glue prevent access to any part of it. Inside the case, the printed circuit board (PCB) is also held in place with screws, and it appears the overall design was done to simplify the assembly for multiple markets. The design of the S20 separates the power socket from the circuit board in such a way that plugging in your power cord doesn't put any stress on the PCB or any of its connections. The manufacturer, iTead, must feel pretty confident in their product, because they also made the schematic available on their website [2].
Not only is it easy to disassemble and reassemble the case, the PCB that controls the power socket is ready to be programmed. The only step necessary is to solder on some header pins so you can flash the Sonoff with the new software (Figure 2). Once the headers are soldered to the PCB, you can then use your FTDI adapter male or female header pins, depending on your FTDI adapter and cable setup.
Soldering the header to the board should take just a matter of minutes, but before you proceed, you might want to take some notes. Some people have been reporting that their circuit board already has markings describing what each pin is. That was not the case for my board, although the VCC (power in) pin did have a small arrow pointing to it. This pin is also visibly different from the rest: The through-hole plating on the board has a square outline around the hole. This differentiation, as well as the pinout for the header pins, is clearly marked in Figure 2.
During this project you should keep two important points in mind. The first and most important is to make sure your device is not plugged into the wall, so it is easier to work on the device and the chance of electrocuting yourself or blowing up your laptop is considerably reduced. The second point is that the power from your FTDI connector needs to be 3.3V. Some FTDI adapters use 5V, so if you are not certain how much power your controller uses, look it up online or purchase an inexpensive 3.3V connector for this project.
Getting Your Hands Dirty
The Sonoff, like most smart devices, will be powered by a microcontroller, which is almost as good as a CPU. Albeit a bit slower, it sips energy and, as a friend used to say, they are cheap as potato chips.
The only downside of devices powered by microcontrollers is that the resources are usually somewhat limited, as well. The limiting factor that restricts the size of the firmware and ultimately the functionality is the number of resources available. The Sonoff that I purchased has only 1MB of flash memory, which as small as it sounds, is plenty for controlling the smart socket (see the "Querying Memory Size" box). However, if the firmware occupies more than half of the available memory, OTA updates are no longer possible.
Querying Memory Size
Memory size might become more important in the future, with different devices being manufactured with different memory sizes. Thus, it is important to know how much memory exists in the device for either backing up or determining the maximum size for a firmware image.
This information can be queried from the device itself:
$ sudo ./esptool.py --port /dev/ttyUSB0 flash_id esptool.py v2.6 Serial port /dev/ttyUSB0 Connecting.... Detecting chip type... ESP8266 Chip is ESP8266EX Features: WiFi MAC: 84:f3:eb:b0:6e:07 Uploading stub... Running stub... Stub running... Manufacturer: 5e Device: 4014 Detected flash size: 1MB Hard resetting via RTS pin?
The value (shown in the next-to-the-last line) is normally 1MB for the S20, but it might be different for other hardware (Figures 3 and 4).
The convenience of OTA firmware flashing should not be underestimated. Disassembling a smart socket, flashing the firmware, and reassembling it is not a big deal unless you have 20 of them. The only thing preventing OTA updating is the size of the firmware relative to the size of free memory. A number of other trailblazers on the Internet have already found a solution to this problem, which is to get a larger flash chip to hold the program. This small upgrade only requires a few minutes to desolder the old chip and solder in a new chip.
Although this solution sounds radical, it isn't that much more so than opening up a device and soldering header pins onto it. The PN25F08B that comes with the Sonoff S20 is just a 1MB flash chip that can be replaced with a larger memory chip. The most common replacement seems to be the 4MB Winbond 25Q32FVSIG.
To make the replacement, carefully heat the legs of the chip and remove (Figure 5). This process is easier if you have a hot air gun or, alternatively, some low-melting-point solder wire. The reports I have read said the new memory chip was the same size, so no unusual hacks are necessary (e.g., straightening or bending the pins to odd angles). In my case, the replacement chip was slightly larger (Figure 6), but it still (barely) fit onto the pads.
Installing the Firmware
A compiled copy of just the Tasmota firmware can be downloaded from GitHub [3], or you can download the source code if you want to take a closer look or compile it yourself. I already had a copy of esptool.py
[4] on my laptop. Flashing the firmware is described in full detail in the "Flashing a Device" box. Once you have everything ready to flash the firmware, including the firmware, you are ready to begin.
Flashing a Device
To flash the firmware, the FTDI adapter needs to be connected to the headers on the Sonoff. The connection should be fairly obvious, with just a ground and power connector. The transmit (Tx) and receive (Rx) need to be crossed, as with an Arduino.
Simply connecting the FTDI adapter to the Sonoff is not enough for you to flash firmware or even communicate with the Sonoff. First, the Sonoff needs to be put into a programming mode:
- Wire the FTDI adapter to Sonoff, but do not plug it into the USB port.
- Press and hold the on-board button.
- Plug the FDTI into the computer and wait two or three seconds.
- Release the on-board button.
If your device doesn't have an on-board button, you can also connect GPIO 0 to ground, but in practice, I haven't heard of this being necessary with the S20.
Once the Sonoff is in flash mode, you can run your tool to flash the firmware:
$ sudo ./esptool.py write_flash --flash_mode dout --flash_size 1MB 0x0 sonoff.6.4.1.bin esptool.py v2.6 Found 1 serial ports Serial port /dev/ttyUSB0 Connecting.... Detecting chip type... ESP8266 Chip is ESP8266EX Features: WiFi MAC: 84:f3:eb:b0:6e:07 Uploading stub... Running stub... Stub running... Configuring flash size... Compressed 534032 bytes to 365310... Wrote 534032 bytes (365310 compressed) at 0x00000000 in 32.4 seconds (effective 131.7 kbit/s)... Hash of data verified. Leaving... Hard resetting via RTS pin?
Note that either backing up or flashing the device will bring it out of flash mode. Moreover, the recent Sonoff switches have been shipped with a flash chip (PN25F08B) that requires flashing with ESPTool in DOUT mode.
ESPTool [4] can do more than just flash a device. It can also be used to interrogate information from the device, such as the size of the flash memory, or it can be used to back up the firmware from the device.
If your device has 1MB of memory, then backing up is just a matter of running the command:
sudo ./esptool.py --port /dev/ttyUSB0 read_flash 0 0x100000 flash_contents.bin
It doesn't matter whether ESPTool is being used for reading memory, gathering information, or writing new firmware: The completion of each action will cause the device to leave programming mode.
The original firmware on the Sonoff allows it to be controlled by the eWeLink application from either the Apple App Store or Google Play. Because flashing new firmware will overwrite the existing firmware, you should back up before continuing. If you later change your mind, you can always restore the device to its original state so it can be controlled by the eWeLink app.
Remember that the original firmware is tied to the device and cannot be flashed into another Sonoff device.
Buy this article as PDF
(incl. VAT)