Tado’s v1 connector. This connects the system to your router and Tado’s servers
I’ve been a fan of the Tado smart thermostat for a while. I didn’t quite make it onto the UK beta test, but bought one as they were first available. Way before Nest, Hive and the others. It’s a nice device. It knows when you’re home and what the weather is, so adjusts your heating to be warm by the time you get home.
Of course, I couldn’t resist a peek inside even before I installed it. It was great to find that the internals involved a TI Stellaris ARM microcontroller in one of the three components, MSP430s on the other two, and all three were linked with CC1101 sub-1GHz radios. The developers were also really helpful. When I had problem with my Sky Broadband’s rubbish DNS, they created and remotely deployed firmware for me within 24 hours. They also told me that it used 6LoWPAN (i.e. IPv6 over a mesh network) to communicate between the components.
Fast forward a couple of years and i decided to upgrade my Tado v1 to a v2. Whilst there was some discount of the list price for returning my v1 device, it seemed far more fun to play around with the hardware. I’m going to hack it. Nothing devious or underhand, of course. I’m just going to make use of this nice piece of hardware.
First the connector. This contains a LM3S9997 microcontroller. This has now been superseded by TI’s Tiva range – and Tado now use a STM32 in the v2 connector. However, there’s nothing wrong with this device. It does the job. A bit of snooping showed a couple of unpopulated SMT headers on the top – and similar large pitch versions on the underside. I traced the ICDI (debugging) pins on the LM3S and discover not only that the go to one of these headers, but that it is even in a standard ARM JTAG header format. Result! Thank you Tado. Hardware developers that care! You’ll see my new 10-pin addition in the photo above, along with the still unpopulated 8-pin header.
All I needed to do was solder on a header and connect an ICDI to it. Unfortunately I couldn’t find the proper debugger – they’re a bit old for what I work with. The newer XDS110 on my CC2650 LaunchPad wouldn’t play with the older LM Flash programmer software. Whilst the really helpful Bluehash over on 43oh.com kindly offered to send me the correct debugger, I decide to see if I could hack something together. A bit of ribbon cable and some iffy soldering and my old Stellaris LaunchPad was called into action. Now I could dump the flash contents – so that I can revert to if needed – and program new firmware.
All I’ve done so far is dump the Tado firmware and take a peek. Nothing too revealing in all those bytes – other than a reference to Contiki 2.6. Whilst I don’t know much about Contiki yet, I know it’s TI’s preferred route to getting 6LoWPAN working to provide an edge router for newer devices like the CC1310 – an ARM microcontroller with a Sub-1GHz radio built in. Anyway, that’s enough for now. We have a vague plan…
0xFRED 
Hello! Can you help me out with the firmware dump? Would you mind to provide me more detailed steps ?
Thank you!
Sorry – I’ve only just seen this comment!
All you need to dump the firmware is a Stellaris Launchpad. This is a bit from an old one from TI. It’s now been discontinued. Newer versions might like the Tiva Launchpad might work. I’m afraid I can’t send you my firmware as it contains my details. If it was uploaded to anoher device you’d connect to Tado as me.
Unfortunately I didn’t really take the Tado hacking any further. I decided Contiki / 6LoWPAN wasn’t easy to work with.
Hi, TADO is fantastic, the only problem is the “no internet” problem. When it happens the Tado is quite dead, only manual is allowed (no scheduling and no remote). There is a way to use the application (making a fake tado server) so that where you are in home you can use tado normally with scheduling ? I think that Tado communicate with some sort of server,the question is if we can make a local fake server to use offline (no internet) but with the local network.
I still use Tado but have up on hacking it. There is now a v2 and I believe a new v3, so things have changed a fair bit since this post.