Cloning a Zigbee Light Link Device to a MeshBee

For a while now, I have had this idea to create a hardware interface for custom led lighting which connects to my Philips Hue. Since the Hue device only accepts Zigbee Light Link compliant devices, I did some research on the possibilities of creating my own device. As I am not an electronics engineer, I was looking for components that require minimal knowledge in that field. Arduino is something I am comfortable with, so shields and Arduino like boards where an option. After looking at all sorts of Zigbee and 802.15.4 capable boards, I started looking at the options for making any of these Light Link compliant.

After some research this was my conclusion. To create a custom (Zigbee) Light Link device there are a few options:

  • Cheap parts (TI, Silicon Labs, Atmel, etc..) where you have spend a lot of money on the development environment (IAR) to use the manufacturer provided frameworks
  • The same cheap parts and write the frameworks yourself
  • Somewhat more expensive parts (NXP, Digi) with a free development environment and framework

I choose the latter. With my requirements, two options remained, XBee Pro (Digi) and Mesh Bee (Seeed Studio). As it turned out the XBee does not support the Light Link profile. So, Mesh Bee it is.

MeshBee

Mesh Bee

UartsBeeV5

Uarts Bee v5

I ordered 2 Mesh Bee’s and one UartSBee v5 for programming the Bee’s. The Mesh Bee uses an NXP JN5168 chip for which all the tools and documentation required are available for free on the NXP site. The documentation is also pretty detailed on the general workings of the Zigbee (Pro) stack, the Home Automation (HA) and Light Link (LL) profiles.

This was about 2 months ago, and I have been working on this project (in my spare time) ever since. Although without success, the Bee’s still won’t connect to the Hue, I did find something cool.

At my local hardware store a new brand of smart lights had appeared, Innr. I could not resist and bought a starter pack with 2 bulbs and a bridge. An hour later the zigbees were connected to the Bridge. Still no connection to the Hue, but I figured it was progress. Jeei! To my surprise the Innr bulbs also connected to my Hue. What was going on here, why wouldn’t the Bee’s connect to the Hue (I know now it is probably licence key related).

Curious of the parts used by Innr, I took apart one of their bulbs and discovered it uses the same JN5168 chip as the Bee’s. Proof that the chip is suitable for connecting to the Hue! I also noticed there were some probing points on the board that could be traced back to the JN5168. These points are probably used for programming or testing the device in production, as they are connected to the UART0 port of the JN5168. A while of soldering and multi-metering later:

Innr internals connected

Innr internals connected. left: 3.3v, – top right: ground – red: not connected (1.8v), – blue: UART0 TX, – white: UART0 RX

With all the wires soldered I powered it up and the Hue still recognized it as a dimmable light. The next step was to try and see if it is possible to get some info out of the PCB. To put the JN5168 in programming mode, pin 22, SPIMISO has to be low while booting the device. In the picture above it is the second pin from the left on the bottom of the chip. So while powering the device I made sure the pin was low by connecting it with ground. Started the NXP flash programmer and requested the device config. With success:

Innr device configuration details

Well, that was pretty easy. Lets see what else this flash programmer can do.
A (selection) of the available options:

  • -f –loadflash <filename>
    Load device flash with the given firmware file.
  • -F –dumpflash <filename>
    Dump device flash contents into a file.
  • -e –loadeeprom <filename>
    Load device EEPROM contents from a file.
  • -E –dumpeeprom <filename>
    Dump device EEPROM contents into a file.
  • -r –loadram <filename>
    Load device RAM with the given firmware file, then execute it.
  • -m –mac <MAC Address>
    Set MAC address of device.
  • -k –key
    Display AES key
  • -k –key=<AES Key>
    Set AES key. Specify key as 128 bit hexadecimal string

I was pretty amazed by the possibilities, this allowed me to dump both the flash and EEPROM and maybe upload it to the Mesh Bee’s. Not expecting this to work, I did just that, dumped the flash and EEPROM to a file and uploaded them both to one of the Bee’s. Well, what do you know? It worked, the Hue accepted the Bee’s!

2 XBee's and the Innr PCB with the same firmware

2 XBee’s and the Innr PCB with the same (Innr) firmware

 

5 new devices, 3 of them are the 2 Bee’s and the Innr PCB

I have no idea what this all means and if it is of any use. But, since the Mac address of the JN5168 can be set (once) with the flash programmer, it seems possible to completely clone a device. I can imagine this opens up the possibility of replacing a trusted device with a modified clone to gain access to a private network. Also, the PCB part number (A470S-A7R) is identical to this Leedarson bulb. If the PCB is manufactured by Leedarson, it could be that other products by Leedarson are also cloneable.

For now, I have no intention to continue the project in this direction (I might look into cloning the Innr hub if I find the time) and my goal remains unchanged: To create a Light Link device that connects to my Philips Hue. If there is anyone reading this who could help me achieve this goal, it would be greatly appreciated!

Useful, related links:

 

Update (nov-21-2016)

Last week I succeeded in creating a custom ZLL device (2 actually, RGB and Monochrome). Read all about how you can connect your Mesh Bee to your Hue here: Custom firmware Hue lights.

Author: Peter

Comments

  1. Pingback: Connecting Mesh Bee to Philips Hue |

  2. Hello
    what uart to usb pcb do you use ?
    the red one ?
    may you provide a link to buy one ?

    thank you for sharing your good job

    1. You are best of buying the JN5168 01 module. These are way cheaper and can be orders at Mouser.com. The Seeed Mesh Bees are getting hard to find and very expensive.

    1. I got root of the hue bridge, I see the serial zigbee serial interface in /dev/
      Cheaper then buying a new board when you have these lying around 😉

  3. Hi,
    do i must use the UARTsbee to program the mesh bee? i have a usb to serial TTL with 3.3V.
    If it’s work how i must connect the mesh bee.

    thanks and best regards
    boergim

    1. Sure you can , I’m using an FTDI breakout board (Sparkfun) myself!

      Simply connect it to UART0 (RX to TX and TX to RX) and connect SPIMISO to ground while powering to put it in programming mode.

Leave a Reply

Your email address will not be published. Required fields are marked *