Hacking the Tado (part 3 – Thermostat)

So, parts 1 and 2 showed that the Tado gateway could be debugged and re-purposed. What about the main Thermostat unit? That contains a MSP430F5659 rather than a Tiva. It also has a CC1101 sub-1GHz radio. There’s 2 Panasonic DK series latching relays to switch the heating and hot water – DK1a1b-L2-3V to be precise. Along with that is what I assume to be a switching power supply so it is powered by the mains and a 1.0F supercapacitor – probably to keep it working if this is briefly switched off. Finally there’s a Sensirion SHT21 temperature and humidity sensor – no thermostat would be complete without a temperature sensor! Whilst the MSP430s have an on-board temperature sensor these get heated by the processor itself so aren’t really much use.

Connecting a debugger

wp-1468699428814.jpgWell, just like the gateway, there was a very inviting 12 pin header – this time 0.1″ pitch through hole. It turns out this is a standard 14 pin MSP430 JTAG header with the unused pins 13 and 14 missing. Another result. Adding the header and connecting this up to a MSP-FET was all that was needed. Not the missing pins on the new header (on the RHS). That’s just to remind me to align it properly with the 14 pin ribbon cable.

wp-1468699453123.jpgThe MSP430 is actually on the reverse of the device, but to be honest that’s the only interesting thing there. Want a look anyway? OK then. Here it is.

The first thing I did was use MSP Flasher to verify it could connect to the MSP430 and then dump the sections of the ROM that I might want to put back. There’s MAIN (code), INFO (configuration and calibration), BSL (this was all 0xFFs anyway). I dumped the RAM too just in case. These need to be backed up to separate data files. Apart from one tiny bit of plastic that needs to be trimmed you can even get it back in the case with the header in place. Same with the Gateway.

CC1101, relays, buttons, LEDs

Next I need to work out what pins connect to the peripherals..

 

Hacking the Tado (part 2 – gateway)

Well, in part 1 I worked out that I could connect to the Gateway with a debugger. Now I need to work out a little bit about the board. It’s a 4-layer board, so tracing the signals isn’t that easy. Writing some simple code seemed to be the best way to determine what’s connected to what.

LEDs

The easiest bit. I just toggled all the pins until i found out that the three green LEDs are all on port H. The link LED is bit 5, router is bit 6 and internet is bit 7. All are active high.

Switches

One switch is reset, so not much happening there. I can’t seem to determine what the other is doing yet. It doesn’t appear to be directly connected to a pin and may have circuitry between that and the reset button. I can’t  remember what function it had on the Tado.

CC1101 radio, Ethernet, USB type A jack

Still to come.

Getting started with StellarisWare

I thought the easiest approach to getting somethings going was to try some sample code from StellarisWare – perhaps even some Ethernet code. Unfortunately the examples seem to only cover specific evaluation boards and I seem to hit a hard fault at some point running adapted code. Not getting really anywhere right now.

Hacking the Tado (part 1)

Tado’s v1 connector. This connects the system to your router and Tado’s servers

I’ve been a fan of the Tado smart thermostat for a while. I didn’t quite make it onto the UK beta test, but bought one as they were first available. Way before Nest, Hive and the others. It’s a nice device. It knows when you’re home and what the weather is, so adjusts your heating to be warm by the time you get home.

Of course, I couldn’t resist a peek inside even before I installed it. It was great to find that the internals involved a TI Stellaris ARM microcontroller in one of the three components, MSP430s on the other two, and all three were linked with CC1101 sub-1GHz radios. The developers were also really helpful. When I had problem with my Sky Broadband’s rubbish DNS, they created and remotely deployed firmware for me within 24 hours. They also told me that it used 6LoWPAN (i.e. IPv6 over a mesh network) to communicate between the components.

Fast forward a couple of years and i decided to upgrade my Tado v1 to a v2. Whilst there was some discount of the list price for returning my v1 device, it seemed far more fun to play around with the hardware. I’m going to hack it. Nothing devious or underhand, of course. I’m just going to make use of this nice piece of hardware.

First the connector. This contains a LM3S9997 microcontroller. This has now been superseded by TI’s Tiva range – and Tado now use a STM32 in the v2 connector. However, there’s nothing wrong with this device. It does the job. A bit of snooping showed a couple of unpopulated SMT headers on the top – and similar large pitch versions on the underside. I traced the ICDI (debugging) pins on the LM3S and discover not only that the go to one of these headers, but that it is even in a standard ARM JTAG header format. Result! Thank you Tado. Hardware developers that care! You’ll see my new 10-pin addition in the photo above, along with the still unpopulated 8-pin header.

wp-1468447005484.jpgAll I needed to do was solder on a header and connect an ICDI to it. Unfortunately I couldn’t find the proper debugger – they’re a bit old for what I work with. The newer XDS110 on my CC2650 LaunchPad wouldn’t play with the older LM Flash programmer software. Whilst the really helpful Bluehash over on 43oh.com kindly offered to send me the correct debugger, I decide to see if I could hack something together. A bit of ribbon cable and some iffy soldering and my old Stellaris LaunchPad was called into action. Now I could dump the flash contents – so that I can revert to if needed – and program new firmware.

All I’ve done so far is dump the Tado firmware and take a peek. Nothing too revealing in all those bytes – other than a reference to Contiki 2.6. Whilst I don’t know much about Contiki yet, I know it’s TI’s preferred route to getting 6LoWPAN working to provide an edge router for newer devices like the CC1310 – an ARM microcontroller with a Sub-1GHz radio built in. Anyway, that’s enough for now. We have a vague plan…