OwnerIntroduction
My smart home infrastructure contains several Xiaomi humidity/temperature and door sensors. I’ve used these sensors with the corresponding Xiaomi gateway. The gateway was connected with my BananaPi M2U and Pimatic. But my home is long and tall. One gateway does not cover all rooms and therefore far sensors disappear periodically.
I’ve googled and found I can use Xiaomi sockets (Zigbee edition) like Zigbee routers. This socket is less expensive than a new gateway and it has a smaller size. I’ve purchased tow sockets and used it about a month. This socket has a big problem (from my point of view). It can go into the deep sleep mode and cannot forward data packets from sensors.
I’ve decided to use a CC2530 based development board and build my own router. Aliexpress.com offers some variants. I’ve purchased two samples:
cc2530 board with the debug interface
cc2530 compact board with the external antenna
1. This board will be used in my Zigbee router.
2. This board will be used in BananaPi as a coordinator instead of the CC2531 USB stick. This board has an external antenna and I hope it will work better.
Firmware for Zigbee Coordinator
Z-Stack Home Automation SDK 1.2.2a comes with a precompiled firmware for CC2530 ZNP (Projects\zstack\ZNP\CC253x\bin\CC2530ZNP-SB.hex), but all my attempts to launch it on my samples failed. The gateway software xiaomi-zb2mqtt cannot detect and work with boards through a UART port.
RS232 pins:
P0_2 <=> RS232 RX
P0_3 <=> RS232 TX
P0_4 <=> RS232 CTS
P0_5 <=> RS232 RTS
The precompiled firmware uses hardware flow control wires. If you do not want to use it then you must connect P2_0 (CFG1) to GND.
So I’ve installed the trial version of IAR Embedded Workbench for 8051 (CC2530 is based on this processor architecture) and compiled the “SampleLight” demo application as a coordinator. Yes, of course, it may take some time. Below are my defined symbols:
SECURE=1 TC_LINKKEY_JOIN NV_INIT NV_RESTORE xHOLD_AUTO_START ZTOOL_P1 MT_TASK MT_APP_FUNC MT_SYS_FUNC MT_ZDO_FUNC HAL_LCD=FALSE xLCD_SUPPORTED=DEBUG MULTICAST_ENABLED=FALSE xZCL_READ xZCL_WRITE xZCL_REPORT xZCL_EZMODE xZCL_BASIC xZCL_IDENTIFY xZCL_ON_OFF xZCL_SCENES xZCL_GROUPS xZCL_LEVEL_CTRL xZCL_DIAGNOSTIC FEATURE_SYSTEM_STATS MT_UART_DEFAULT_BAUDRATE=HAL_UART_BR_115200 MT_UART_DEFAULT_OVERFLOW=FALSE HAL_LED=FALSE HAL_SPI=FALSE MT_UTIL_FUNC MT_AF_FUNC MT_SAPI_FUNC MT_SAPI_CB_FUNC MT_ZDO_CB_FUNC MT_ZDO_FUNC MT_SYS_FUNC OSAL_SAPI=FALSE SAPI_CB_FUNC=FALSE xHAL_UART_DMA_RX_MAX=128 MT_TASK_CUSTOM MT_ZDO_MGMT
How to use
Download and flash the firmware.
Baud rate: 115200
Hardware flow control: Disabled
P2_o pin state: ignored
P0_2 <=> UART (RS232) RX
P0_3 <=> UART (RS232) TX
UART port uses the DMA mode.
You may also connect to this port using ZTool.
Firmware for Zigbee Router
I’ve used the source code of the “SampleLight” demo application for my router’s firmware. I did some modifications and improvements:
- Pre-configured manufacturer code for Xiaomi devices.
- Pre-configured security key.
- Led blinking for some states.
- short fast blinks (one per second) – the router is connecting to a network.
- short long blinks (one per 4 seconds) – normal operations.
- three short blinks – the router cannot send a report to a coordinator.
- The router sends the “genOnOff” report to a coordinator every minute (you may configure an interval using the corresponding ZCL command). It works like a keep-alive message.
- The debug version of the firmware sends additionally the “genBinaryValue” report for every neighbor in a network:
1 2 3 4 5 6 7 | { description: '28069/0x00158D0001DE7964', inactiveText: 'PARENT', presentValue: 6, relinquishDefault: 1, minimumOffTime: 0 } |
description – network and MAC address.
inactiveText – device role in a network.
presentValue – RSSI value of the last received packet (rxLqi).
relinquishDefault (optional) – path depth.
minimumOffTime (optional) – number of associated devices.
Defined symbols from the project:
SECURE=1 TC_LINKKEY_JOIN NV_INIT NV_RESTORE xHOLD_AUTO_START ZTOOL_P1 MT_TASK MT_APP_FUNC MT_SYS_FUNC xMT_ZDO_FUNC LCD_SUPPORTED=DEBUG xHAL_LCD=FALSE HAL_SPI=FALSE MULTICAST_ENABLED=FALSE ZCL_READ xZCL_WRITE ZCL_REPORT xZCL_EZMODE ZCL_BASIC xZCL_IDENTIFY ZCL_ON_OFF xZCL_SCENES xZCL_GROUPS xZCL_LEVEL_CTRL xZCL_DIAGNOSTIC ZCL_DISCOVER FEATURE_SYSTEM_STATS MT_UART_DEFAULT_BAUDRATE=HAL_UART_BR_115200 MT_UART_DEFAULT_OVERFLOW=FALSE HAL_LED=TRUE MT_UTIL_FUNC HAL_KEY=TRUE ZSTACK_MANUFACTURER_CODE=4447 BLINK_LEDS DIAG_INFO_REPORT
How to use
1. Download and flash the firmware.
2. Power off/on (restart) the router.
3. Permit joining to a network on your coordinator.
===========================
UPDATE 2018-09-26
1. Allows a router to use all possible channels (the old firmware was used the channel #11). But now, the router will take more time to connect to a coordinator.
2. A router may report link quality for all connected neighbors.
UPDATE 2019-02-04
1. The previous version allowed to join for deleted devices.
2. СС2530 can be re-paired if you power on/power off it three times (power on, wait 2 seconds, power off, repeat this cycle three times).
Owner
Arik
Awesome work! This will greatly help diy zigbee home automation deployments.
I learned about this article from the Koenkk/zigbee2mqtt project.
You seem to be familiar with the inner details of zigbee so I though I would try and ask about an issue that concerns me. The security model of zigbee, and specifically the LinkKeyJoin that we are using with Xiaomi devices, how secure is it? Specifically, can I sniff what is going on there? Can somebody send spoofed commands to my HA network? Is it vulnerable at “join-allowed” times or other times as well?
I tried reading some zigbee materials but was not able to find the information I was looking for. Perhaps you can shed some additional light.
Thanks.
Owner
Hi Arik.
My knowledge is limited, but:
1. Xiaomu devices use a known security key. Therefore everyone (located closely) can monitor your traffic. Also this key can be captured at link-join time (https://www.youtube.com/watch?v=4vG4CVNAm_A). I think Zigbee HA network is not protected in this case.
2. Sending data. A coordinator receives data only from joined devices. If the coordinator has a good firmware it will not receive unwanted data packets. The popular ZNP firmware for CC2531 USB is good enough. Also, in this case a computer or SBC knows about all connected devices and can report about attacks. Note: Zigbee HA allows to send data between devices directly. Therefore security depends on a firmware of each individual device. For example, a device may check a sender poorly.
Arik
I see. Thanks for the additional info. Looks like I will have to make a few experiments with a sniffer.
Can you tell me what are the: pre-configured manufacturer code for Xiaomi devices and the pre-configured security key that you mention above? What method did you use to find these values?
Owner
Manufactured code: 4447
Networks ID (PanID): 0x1a62
Security key: I’ve found in Internet (this is a set 8 bytes)
Turbo T.
Can I use this to control a 12V motor? A motor such as the Dooya DM25DC for blinds.
Owner
No, my firmware cannot control anything.
Chris
I have used your Router firmware file with the external antenna board and it’s working now perfect! With this board as a Zigbee Router I get connection to some Xiaomi devices, that before not worked. Thank you!
One thing I figured out: With the CC-Debugger I had to connect Pin2 (Target Voltage Sense) with VCC to make the programming work.
Owner
Hi,
Thank you for your feedback and comment (I’ve updated one my post with this note)!
Mike Stewart
Hi
I use home assistant (hass.io) on a pi3b with xiaomi zigbee sensors.
I bought 3x cc2531 usb sniffers. My initial plan was to install zigbee2mqtt and have 1x co-ordinator and 2x routers using your router firmware. This would allow me to connect 43 xiaomi devices.
If i wanted to use cc2530 as a zigbee co-ordinator
eg. http://s.click.aliexpress.com/e/f2ZBu3N
How do I attach this co-ordinator to my Pi? or how does it communicate with the Pi?
Thanks
Mike
Owner
I’m using the identical board with my BPi. Connect:
P0_2 < => RS232 RX (note: RPi may have several UARTs on digital pins).
P0_3 < => RS232 TX
GND < => GND
+ connect power to this board.
Mike Stewart
Thanks. I might have to find someone running the cc2530 and a pi with hass.io to find out the pi side of the configuration.
Michael
Hi, thank you very much for this great idea!
It is working with a xiaomi-reed-contact! I tried to use it with an Osram SmartPlug in the cellar room. When I turn on/off the Osram-Plug by hand on the switch, the status is immediately transmitted to FHEM. Without the use of the router it is not working.
But when I press the on/off or toggle button in FHEM there isn‘t any reaction at the SmartPlug in the cellar room (using the router!).
Can you please help me? Is it only working for sensors (one way)?
Thanks Michael
Owner
Hi Michael.
I’m sorry, but I don’t have ideas. I don’t have such device to test it. But the router works with similar Xiaomi Plugs.
Marco
Hi. I’m testing the CC2530 router firmware (all channels version), but it doesn’t show up in my HomeAssistant with zha module (using Elelabs ZigBee USB which is working like a charm connecting Xiaomi door sensors).
How do I check that it’s actually trying to connect? Is the only way to use a CC2531 as a coordinator?
Thank you
Owner
What PanID do you use in your network?
Marco
Mmh… it’s all hardcoded in the homeassistant zha component. Shall I override that with the Xiaomi PanID?
Thanx
Owner
Please, re-download firmware. I’ve changed it tomorrow and the router may connect to a network with any PanId.
Marco
I’m using the 2018-09-26 update: I wasn’t able to change the channel in the Homeassistant component, so when I saw the new firmware I gave it a try.
Did you change anything after that date?
Anyway, do you have an estimate of how long should it take to join now? I tried to permit for 254 seconds, but the Homeassistant debug log does not show any sign of communication at all (only if a Xiaomi sensor sends directly to my Zigbee coordinator)
Owner
Yes, I’ve changed the file. Usually, the pairing process takes up to 60-120 seconds. But you can repeat this.
Marco
Tried your last router firmware: unfortunately, nothing appears in the debug log (after the permit-join for 120s). I tried with a different CC2530 board, just to be sure nothing went wrong, but no results either.
I then set up the IAR workbench and was able to compile the SampleLight project (RouterEB profile) setting just a few channels (11, 15 and 25, ie 0x02008800), plus: your symbols, PanID = 0xFFFF, and Xiaomi security key and it just connected after a few seconds. Any ideas?
For now, it’s working as a router (though need some more time to test it). I would like at least to add the genOnOff report to the code, but I’m not very familiar with the Z-Stack… Any help appreciated 😉
Thank you
Owner
This is strange that my router cannot connect, but it is based on the same sample.
Marco
I would like to debug that, but have very little time.
Do you think that adding leds to the CC2530 board would help? I have the compact board version with antenna.
I’m waiting for a programming cable for the CC2531: may be I can sniff with that?
Thanx
P.S. feel free to contact me via email
KC
Could you share your firmware? I’m having the same issue as you, using the external antenna version.
Marco
Hi KC, please ask PTVO to share my email address with you. I’m not hijacking this post with my firmware. And I’m not supporting it nor sharing sources anyway.
Marco
Hi, I didn’t get any contact from KC: I’m still available for sharing ideas with him.
Owner
I didn’t get any message from KC. Nothing to say you. Sorry.
Jeff
How many ZigBee end devices can one cc2530 coordinator handle?
Owner
The firmware can handle up to 24 devices.
Reiner
Thanks for your great work!
I use the 2530 board with ext. antenna and your firmware router-cc2530-std.hex
Do you support the LED in your FW ? If yes, to which pin must it be connected?
Owner
Hello. The firmware controls leds on the CC2531 board only.
Frans
Is it possible to install the router firmware to a CC2530 + CC2591 board?
Owner
Please, try this:
http://ptvo.info/wp-content/uploads/2018/09/cc2530_cc2591_1.2.2a.44539_firmware.zip
But I didn’t test it myself. It would be great if you let me know how it works.
Frans
I’ve uploaded the firmware (diag) to the cc2530_2591 using the cc-debugger.
I connect a FTDI to VCC, GND. RX to P0_2 and TX to P0_3. But i don’t get any debug information. My zigbee network is already running, but i don’t see the new router.
I’m using this board: https://images-na.ssl-images-amazon.com/images/I/51o1F2Xd6oL.01_SL500_.jpg
Owner
This firmware does not output diagnostic information through the UART port. But you may get some additional information about router’s neighbors on the controller.
Frans
To make the router work, i only need to connect the VCC to 3.3V and the GND to GND(does it matter wich VCC or GND?)
Frans
The Router is working, thank you for building the firmware!
Brisko
Hello Frans,
Can you explain how you managed to get you routers to work?
It seems that I have the same module (I think webee is the real producer, model Z-0002).
I was able to flash this firmware “router-cc2530-cc2591-diag.hex”. But after the successfull flashing procedure the router could not be paired to the existing CC2531 coordinator.
I have connected the 3.3V to pin2 on the 6-pin header and the ground to pin1 on the same header.
Is this correct? Does I have to connect anoter pins to ground (perhaps P0_4, P0_6 or P2_0)?
Hope you can help.
Owner
My router firmware needs 3.3V and GND only. But it is possible your board uses a custom schematic, and the cc2530 chip enables the cc2591 chip with help of another pin (cc2530 control the on/off state of cc2591). It is necessary to check it.
Brisko
I still don’t know if the router is working but meanwhile I think that my real problem is the number of paired devices.
I have one CC2531 USB-Stick as coordinator on my linux-machine and an another CC2531 USB-Stick as a router. This config works.
But I think I have reached the maximum numbers of paired devices because I also can’t connect any additional end device like an aqara temperature/humidity sensor.
I had 28 paired devices and to check if I have reached the end I removed 2 devices. But that had no impact to my problem. I still can not pair any additional device. Neither an end device nor the CC2530 router.
Is it possible that the entry in the list of paired devices in the flash-memory of the CC2531 doesn’t get pruned if I remove a device in zigbee2mqtt? This would explain my problems.
I just wonder why I get no information from zigbee-shepherd telling me that there is a device that could not be paired because of any limitation.
Owner
As I know the stable quantity is about 20 devices. How many routers did you connect to your coordinator?
Zigbee-shepherd receives all notifications from a coordinator. The coordinator does not output any info if it does not accept/allow to connect a device.
Brisko
I took me a heart and have rebuilded the whole zigbee-network. This time I replaced the coordinator CC2531 usb-stick with one of the CC2530+CC2591 connected via TTL-USB adapter.
After deleting of the zigbee2mqtt database and a little problem concerning the RX/TX signal lines (I were so shure that I had connected RX to TX and vice versa TX to RX), I was able to start zigbee2mqtt. Pairing was faster than the first time, not so suprising because it was just an re-pairing of known devices.
After I had paired the sensors near the coordinator I flashed a CC2530+CC2591 with your router-firmware and paired it with the coordinator by connecting only 3.3V and GND!
At the moment I have the coordinator with 2 router and 31 end devices in my zigbee network. I will keep my two CC2531 usb-sticks for later, if I have to extend the coverage area in one special direction.
Thanks a lot for your help!
Best regards
Brisko
Owner
Hi! I glad to know that my work is usable 🙂
Marco
Hi, I have installed a couple of routers with the SampleLight firmware (with little modifications and your symbols definitions) and they are working fine for distant devices.
Now I’m in a situation where even the router has weak signal for the most distant devices, so added a router in cascade, but it seems it’s not picking up the closer router (though if the cascaded one is closer to the coordinator, it works).
Is there anything to tweak in the IAR project to make it work?
Thank you.
Owner
Hi Marco.
Sorry, I cannot help here. I think a router found a better path to your coordinator. It is possible the better path is the shortest path.
Marco
Thank you. Your suggestion hinted me to try with a smaller antenna on the farthest router and it’s working much better. But from time to time the on-off command is failing.
I guess there’s some kind of interference. That router is installed on a 2nd floor and I believe there are neighborhood WiFis transmitting on a close channel.
Will try to set the transmission retries higher.
KC
Hi PTVO, are you able to provide detailed instructions on how to compile the firmware for routers? I’m having the same issues as Marco (CC2530+antenna not connecting), and I’d like to try compiling with his instructions.
Owner
Sorry, I cannot share the sources.
fensoft
Can you please only share the version of zstack you used + the patch file ?
Owner
Sorry, I cannot share my code/changes.
Dr. Apple
I have the same problem, cc2530 with ex antenna will not work as router 🙁 The cc2531 works great als router or as cordi. But the cc2530 don’t work with any fw 🙁 The LED has no function 🙁 What is wrong ?
Owner
There are many places when the problem may exist. I don’t know how to help here.
Rob
Hello, I followed instructions found here https://github.com/Koenkk/zigbee2mqtt/blob/dev/docs/how_tos/how_to_create_a_cc2530_router.md to create a cc2530-based router using your router firmware (thanks!)
I hope the following questions make sense (I’m new to Zigbee things…):
Will the router firmware go into pairing mode every time it is powered up, or will it remember the pairing info and not re-pair after power cycling?
If the former, does that mean “permit_join” needs to be enabled on the host if the router is ever power-cycled, or else the router won’t be able to reconnect to the network?
If the latter, how to force it to re-pair if the previous pairing is no longer correct?
Thanks,
Rob.
ps. You mentioned that you can’t share your code/changes – I’m curious why?
Owner
Hello Rob,
1. You don’t need to re-pair the router after power off. But you need to do it after re-flashing.
2. You should disable permit_join after pairing of all your devices.
3. Re-flash the router.
4. I cannot share my code changes of Z-Stack, because I’m not sure that the TI’s license allows to do it.
Rob
OK, understood. Thanks for your swift reply.
Rob
> The router sends the “genOnOff” report to a coordinator every minute…
What does the “onOff” value in this keep-alive message mean? It appears to become the “state” value in the message that is published by zigbee2mqtt. After I first flashed the router firmware and it paired, the “state” was true, but after a short while it changed to false. Seem to be working fine, I’m just curious. Thanks again, Rob.
Owner
This is the state of green light on CC2531. Usually, CC2530 does not have this LED indicator and therefore this state does not matter for you. But you can still control this state from any high-level application.
Rob
I guessed that if an end device connects via the router, its “link quality” would be for end device to router, but in fact the end device appears to inherit the link quality of the router to coordinator connection…?
I have a Xiaomi Aqara temp/humidity/pressure sensor in my garage. When originally connected direct to the coordinator, the link quality was typically 75-85. I added a cc2530 router < 1m from the sensor in the garage, and reset the sensor so that it re-paired, and then confirmed that it was connected via the router by getting a network map from zigbee2mqtt. The link quality of both the router and the sensor appear to be equal now, hovering around 45-60.
It would be more useful for the end device to report the link quality between it and the router, as this is lost information otherwise.
Quatuor
Is anyone else having issues with CC2531 router firmware that after a power cycle it is open for new zigbee device joins, pretty much keeping the network open.
Is there a setting in firmware to disable it?
Owner
The router re-transmits all data packets to a coordinator and does not analyze it. The coordinator may approve or decline to join request. Or do you mean something else?
Quatuor
I’ve opened an issue at https://github.com/Koenkk/Z-Stack-firmware/issues/30 Let’s continue there. I think there’s more to the router then just forwarding all packets to coordinator.
Rob
Hi, would you be able to make the 2019-02-04 version of the firmware available for CC2530+CC2591 devices, please?
Owner
I’ve added the necessary files to the archive:
http://ptvo.info/wp-content/uploads/2018/09/cc2530_1.2.2a.44539_firmware.zip
Rob
Thanks v. much.
Vikram
Hi, the binaries for router firmware works perfectly. Thanks for that. Could you please shed some info on the changes required in the source for connecting CC2530 (router) to coordinator running HomeAssistant or Zigbee2Mqtt.
Thanks in advance.
Vikram
Hi, Could you please shed some info on the changes required in the source for connecting the router CC2530 to a coordinator running Homeassistant or Zigbee2mqtt.
Thanks in advance.
PS: The binary files work great! Thanks for that
Alex
Hi, would you be able to make the firmware available for CC2530+CC2592 devices (Coordinator), please?
Owner
Please, look here:
https://github.com/Koenkk/Z-Stack-firmware/tree/dev/coordinator/Z-Stack_Home_1.2/max_stability/CC2530_CC2592
Alex
Tried, here result :
08:37:22.39 COM3 UTIL_GET_DEVICE_INFO (0x2700)
08:37:22.39 COM3 UTIL_GET_DEVICE_INFO_RESPONSE (0x6700)
Status: SUCCESS (0x0)
IEEEAddr: 0x00124B001A0C73EC
ShortAddress: 0xFFFE
DeviceType: COORDINATOR, ROUTER, END_DEVICE (0x7)
DeviceState: DEV_HOLD (0x0)
NumAssocDevices: 0x00
AssocDevicesList
Owner
So, you should connect your devices now.
Alex
To connect devices the coordinator has to create network, looks approximately so :
07:53:34.79 COM3 UTIL_GET_DEVICE_INFO_RESPONSE (0x6700)
Status: SUCCESS (0x0)
IEEEAddr: 0x00124B001A0C73EC
ShortAddress: 0x0000
DeviceType: COORDINATOR (0x1)
DeviceState: DEV_ZB_COORD (0x9)
NumAssocDevices: 0x00
AssocDevicesList