Flashing ESP Chips with Open Source Firmware
The ESP family of wifi chips is manufactured by Espressif. The chips are ubiquitous in Chinese manufactured IOT devices. The firmware on many of these devices can be replaced by open source alternatives like Tasmota or Esp Home.
How do you know if a device advertised as being Wifi-enabled is able to be flashed ?
You can try to find reviews but the average reviewer doesn’t flash firmware. In addition, many devices are popping up all the time so that it may be some time before some hacker opens up the device to find out.
Example Teardown To Identify Whether Firmware is Flashable
I was in Aldi’s a few days after Christmas and saw a package of two outlet plugs branded “atomi” and marketed as WiFi-enabled Christmas light timers:
The package was marked down to $12. One was an indoor plug with two 2.4 integrated USB ports as shown above, the second was a heavy duty black outdoor plug:
A quick search revealed that Amazon was selling the inside plug alone as the “Atomi Smart Wifi Plug” for $20.
But is it an ESP Chip and Can It Be Flashed with Tasmota?
The biggest question was were they able to be flashed with Tasmota ? Based on the little known name I guessed these were probably ESP8266 type chips but none of the reviews mention being able to flash the device firmware. A google search did not reveal anybody flashing either of these plugs.
Doing the Research To See If the Device Can Be Flashed
Looking at the back of the package reveals that the plugs are ETL certified for the United States (equivalent to UL approved, good!) with an Intertek Number of 5001673.
There was no FCC ID but the bar code stated it was “13820-Smart Plug Holiday Pack”.
Model Number and FCC ID Brings Some Leads
Going to the Intertek website for ETL Listed Products and typing in “5001673” revealed nothing. But plugging in the model number “13820” produced a couple of listings with the first being by “SHENZHEN FENERGY TECHNOLOGY CO., LTD” conforming to a UL standard.
After some googling to find the FCC ID number, I tried “fcc model AT1217 SHENZHEN FENERGY TECHNOLOGY CO., LTD. – Shenzhen, Guangdong CHINA” and came up with the listing.
Reading the FCC Documentation to Identify the Firmware
Photos and other information confirmed it was the same plug:
There’s also a “Letter of Declaration Model Difference” stating that AT1217 and At1249 models are the same (google reveals that AT1249 is sold at Home Depot also as an Atomi Smart Wifi Plug )
Clicking on the “internal photos” link in the FCC document shows the inside of the plug and reveals this interesting photo:
And another photo of the other side of the chip showing the four contacts required to flash:
Here’s a drawing found online:
Bingo – It’s Flashable !
So I bought the outlets, brought them home and opened up the interior one (removed the four screws on the bottom and wedged open the case). I found the TYW2ES chip but the contacts were oriented down and not exposed:
Exploring Methods to Flash
A quick google of “TYWE2s” shows a tutorial on the Tasmota website flashing an outlet having the same wifi module using the hard wired method. I tried to grind through the bottom of the white outlet with a rotary tool to expose the contacts ( a dangerous and unnecessary [as explained below) step – do NOT do this!):
and to flash it with an FTDI usb/serial tool. But since I didn’t want to take the time of properly soldering the contacts and/or using a jumper, it was an exercise in frustration.
Ah – Wireless Flashing !!
I finally remembered that there were some successful OTA (over the air) methods of flashing these chips, did a google search and found TUYA Convert. I quickly confirmed that the TYWE2S chip is a TUYA and proceeded to flash using the TUYA Convert instructions. Since you need to do this in Linux, I first tried running TUYA Convert in Windows’ WSL but kept getting an error questioning whether my Wifi adapter could be used as an access point. I then ssh’d in to a headless Raspberry Pi I had in the other room and ran the scripts on that machine. I got the same error.
I then found this note on prerequisite steps for a pi, followed those steps, then the main installation steps, and it worked like a charm!
Both outlets were easily flashed within 30 minutes without attaching any wires or having to open the devices!
Configuring Tasmota
The Configure Module in Tasmota should be set as follows to allow the manual switch on the plugs to work:
JAMES J CONRAD
Great writeup, I have a question. I was able to get the outdoor unit flashed and working. The first unit I tried was the indoor unit with the two USB connectors. The process locked up and after about 10 minutes I ctl-c out of the app. It appears that the unit got bricked. I’m guessing at this point the only mitigation is going to cut the unit open and connect via serial, or worse it’s DOA with no hope of repair?
Thanks for the great writeup.
Charlie
Sorry for the long delay in responding. Not sure. I did not have trouble flashing, however, one of mine later did seem to stop working at some point and appeared bricked. I forget exactly what I id to fix it but if memory serves, the light wouldn’t come on and it wouldn’t respond to commands and the ip address didn’t show up. I was able to revive somehow. I think I did it by connecting peer -to-peer using my phone (i.e., connected my phone wifi to the wifi signal from the plug) and giving it the SSID and wifi password so it could connect to my network. I then reflashed it.