Be careful. Harmful / toxic substance are inside the bulb, as mercury, etc.

Angelo, are you sure you’re not thinking of CFLs? I wasn’t aware of LED presenting a mercury hazard

It looks like you didn’t actually get the code read from the device.

All you’ve got is an incrementing data pattern. See it count 00 01 02 03 04? That’s it.

So I would try again to read the code from the chip and then disassemble it.

And There’s no mercury in LED bulbs, so you’re safe.

The converter’s trying to draw too much current, more than your ISP can provide, which is why you couldn’t talk to it in circuit. We see the same problem in the adafruit Ice Tube Clock kit when you attempt to program the ATMega ISP with the tube plugged it. Cut the leads (Vin0 to the buck converter and you might be able to program it in circuit. But since you’ve pulled it it hardly matters at this point.

Oh, and there’s not much toxic substances in an LED, Angelo. It’s not a CFL.

begone mercury scare monger.

also: your disassembly isn’t of the firmware. note that the undisassembled code is just a couple of regular numeric sequences, e.g. 1, 2, 3, 4…

I would say you could not talk to the AVR in circuit because the pins are obviously connected to other components on the PCB. That introduces loads to the pins of the AVR and the programmer, so the signal gets altered, distorted, weakened..

Sometimes it’s possible with a very slow programming speed.

That’s just an incrementing patter. It doesn’t look like the code download worked.

alankilian is right–that ain’t code you have there. I’d be willing to take a look at the real code once/if we get it. For something as simple as a color-cycling bulb, it won’t be very complex.

I’d have to question the value in reverse engineering the code – you’ve got a set of clearly defined inputs and outputs, and it’s easy to infer what is going on in the uP. It’s normally only really necessary to reverse engineer more complex system.

Yup, definitely unsafe. I hear they also contain roentgenium and Darmstadtium, which is probably why they don’t last very long. Oh, and the case is made from asbestos. Better look out for the velociraptors hiding in the box, as well!

You can’t talk to the chip while it was on the board because HV programming isn’t designed to work in-circuit. ISP doesn’t automatically work in circuit either unless the board is properly designed for it. They probably had the attinys pre-programmed before they assembled the boards as is usual in production at this scale.

Can you tell if the reset pin is connected to anything on the board? They may have disabled reset as a rudimentary protection measure or more likely they may have needed to repurpose the pin for another purpose.

The AC->DC converter on the lower part of the board outputs 12V. Undoubtedly the LEDs are driven at 12V by the transistors/FETs on the underside. There is some possibility that the ATtiny is both controlling the LEDs and playing a part in the power supply. Before having a look at the code it would be useful to know something about where the IO pins of the ATTiny are routed.

It probably wouldn’t even be worth trying to wade though the disassembly if the mcu is simply controlling the LEDs. Theres plenty of code out there for that — it would be easier to simply write your own implementation. If it’s playing a part in the power supply though, things are going to be far more complicated.

I don’t have an answer to your first question and an partial answer to the second one.

You can learn a lot form the code in the microcontroller. It can teach you how the device works. Unfortunately, the disassembled code you posted is useless. You used nsisasm, which is a 80×86 disassembler and therefore incapable of understanding avr binary files. Try using an avr disassembler like vAVRdisasm. You’ll see that
the produced code will make more sense.

Once you understand how the code works, you can modify it to suit your needs. You can for example make it to display different color sequences or blinking patters. Those are just some ideas.

If you disable the reset, you cannot use ISP. The device looks like it is protected against reading the code(which is how most micros are in commercial aplications in order to protect duplication). Still, it should be easy to reproduce. Also, get a new bulb and hook up a scope on each of the pins.
Hv programming is not suited for in board and it might even damage other parts of the circuit.
I wish i could find such cheap bulbs… now attiny13 costs more than $2 for one piece.

You need to reverse engineer the schematic.
Use generic component pinouts for LEDs & transistors.
I wouldn’t waste any time on rev.engineering the firmware. 3ch PWM control is not a big deal.

For debugging don’t use live Voltage, inject 12V after the PSU, it will be much safer after that (it might damage the PSU).

After finished that, you can think about controlling the bulb. (NO direct connections!)
Only wireless: IR,RF,sound
Make it IR remote controllable, like the Philips bulbs.

Place many in one room, average the colors of your monitor/screen, then make dynamic ambient light.

That’s all you can do for $2.

Would you please make the binary (or hex) file available to us. Then one of us could feed it into IDA Pro or any other modern analysis tool ;)

Switching buck regulator + some nmos FETs to PWM the LEDs + shunt regulator for the ATTiny. Not terribly efficient, but this is mood lighting and not illumination.

The 270 ohm resistors seem a bit high if they’re limiting LED current, but we don’t know for sure what voltage the buck regulator is generating.

Nice little light for $1.99, wish I had a few to hack on. :)

R4/R5 are feedback resistor divider for buck regulator, which with the feedback voltage of 1.65v from the datasheet gives an output voltage of ~9v.

R7/R8/R9 are the current limiting resistors, which the original post read incorrectly – looks like 18, 22, and 27 ohms. guesstimate 150 mA per LED die? that seems high still, but not ridiculous.

i rember back in the dishnet hackign days on some 301 irds having to cut a trace that was holdign the reset pin of the tsop low to be able to gain read/write access.. i would be intrested to see what the pins on the atiny are tied to.

Awesome to see people hitting up Sector67. I’m gonna have to stop by late December when I’m back up there.

Can read out every page of EEPROM and FLASH even with the bits and fuses set using a buffer/reset trick ^^

If you want I can give you working code for the arduino IDE that uses an HSL colour wheel and then translates the Hue value to RGB and output that as pwm for an RGB led, but its very very easy to do, and there are many examples out there.
Fell free to ask.

Hey Angelo, no worries – I glanced at original post and thought exactly the same as you till I saw the pix of the *plastic* bulb – yep, DUH :)

–

Just looking at looking at CFL circuits for first time- interesting, but a bit Hairy-Scary / incomprehensible for me – (soon as it gets into Coils/Inductors am a bit lost…)

–

Any interesting hacks with CFLs/’CFL bases’ (i.e. sans bulb) out there? I keep getting packs of them sent to me for free from my electricity supplier, but I don’t like the light they give out so they just sit in my cupboard.

http://www.pavouk.org/hw/lamp/en_index.html#electrical_construction

this guy’s gaps are better: http://www.youtube.com/watch?v=9pd1w63gaU4

Looks like a fairly strait forward circuit to me. The LinkSwitch LNK304 universal off-line switch mode controller is a class of devices found a lot in the smaller wall adapters for cell phones and the like. That particular chip can only output about 170mA of total current due to the limitations of the internal switching FET. It probably just provides the board with regulated 5V, based on the requirements of the ATtiny and the fact that I don’t see another voltage regulator. Although it might be possible that D4 is a zener and is being used as a rudimentary regulator for the AVR.

Throw in a few FETs as low side switches to PWM dim the RGB channels of LEDs and you have yourself a mood light!

The Chip is
Vendor Power Integrations (VA)
Category Integrated Circuits (ICs)
Packaging Cut Tape (CT)
Package / Case 8-SMD Gull Wing, 7 Leads
Power (Watts) 12mW
Voltage – Input –
Voltage – Output 700V
Frequency Range 62 ~ 70kHz
Operating Temperature -40°C ~ 150°C
Output Isolation Non-Isolated
Lead Free Status Lead Free
RoHS Status RoHS Compliant
Other Names LNK304GN TL
LNK304GNTL
596 1022 1 ND
59610221ND
596-1022-1

++ Opinion ++
The LED color change is by altering the voltage in cycles and there are three LED Colors (RGB).

The Transistors are being used to cycle the different voltages to the different colors at different times for the effect

@Mike Szczys
To the beste of my knowledge, those leds contain 3 leds each with it’s own anode and cathode, so probably you have the reds in series, the greens in series and the blues in series.
By the looks of it, D6 has all the pins on the left connected together and my guess is that this is the common anode and should be at 9V or how much the psu is giving. The should have used NMOS transistors as this is the easiest way to control a higher voltage than that powering the micro.
Here: http://www.es.co.th/Schemetic/PDF/LNK304-306.PDF at page 4 on top is a typical schematic with the switcher, this should help get the schematic out of the board.

those capacitors without lable are probably nothing special, probably just blocking capacitors and capacitors needed by the swiching converter
if you have a look at the converters datasheet you see that it needs a coil and a diode, too, so that’s probably what they are good for
but where is the rectifier?
TD

oh right, what do you want to achieve by hacking that thing?
you could simply erase the whole chip, i guess this would also erase the lock bits, then you could upload a new programming file to the avr, but what would that be good for? I mean, this is an AVR wired to RGB LEDs, what could you do with that apart from fading through the colors?
TD

bogdan kinda beat me to it there
http://www.es.co.th/Schemetic/PDF/LNK304-306.PDF

first rule of reverse engineering if you can identify the IC’s involved forget the circuit for a moment and RTFM , for something this simple 9/10 times the manufacturer will use something very close to the example circuits , real EE’s dont waste time reinventing the wheel when the designs are put on a plate.

from there its a simple task of logic as to whats happening with the rest of the circuit

its a simple buck converter with a AVR tiny PWMing the led’s.
Pointless reverse engineering the code as its a 3 min code job to recreate.

REverse engineer a led bulb…

Hack a day for N00bs….

Honestly, did the OP even id the chips and then download the documents on it? This is 3rd grade Electronics level stuff…

GOOD GRIEF! WHAT HAPPENED TO MY POST!!! LETS TRY THAT AGAIN!!!!

Fine then! Stop the bickering and get on w/it!

…A Challenge…

I propose making these $2 lights do your bidding. Not just be random. Eh, that’s the hack! Use a common remote to turn them on/off & change color.

So, here’s what I think ya-all should do:

1) Be careful! For all development use a low voltage power source. Not the included switcher!

2) Erase the uP. I agree, it’s not worth reverse engineering the software.

3) Add an Inferred ASK receiver module. These are cheap and common and the output usually suitable for direct connection to the uP.

4) Now then, the magic, the secret sauce: You need to develop PWM code to control the lights of course. But this go around you need to also decode the IrASK code sent out by your common remote control. I would recommend trying to decode the RC5 On and Off first (’cause that’s what I have :)). No no, well, yes, I do have one (well several RC5′s as a matter of fact). No, no, I recommend RC5 *purely* because there have been some very nice write ups here at hackaday.com:
http://hackaday.com/2008/10/30/how-to-usb-remote-control-receiver/

…There now, off you go, remember no high voltages…

An ATTiny13 has 6 I/O lines… are any spare?

If you have two lines spare, you can hook them up as an X10 receiver and turn the unit into an X10 module.

I’ve built ATTint26 X10 driver code that does both send and receive in 300 bytes, so just a receiver would be smaller.

So I bought a set of five led ‘tea-lights’ from home depot it is a color changing led shaped like a tea-light…got them for 5 bucks in the Christmas section. I took it apart and it has the led and they left the leads attached and just soldered wires to them…rgb leds cost a buck or so at rs so this seems to be a good deal…I havent torn it apart enough to see what is controling it…

Here is some code I wrote for an ATTiny13 that uses software-pwm to drive an RGB-led “mood light”:

http://blog.unixbigot.id.au/2009/11/driving-rgb-led-from-microcontroller.html

The light itself uses approximately zero parts. For the mains->5v conversion, grab an old cellphone charger from a flea market.

One thing I would question, is if the chip has security enabled (and I’m just guessing, I’m not an AT kinda person), is what would you read back from it?? Code? Gobbledygook?

Since a lot of companies, when they build something like this, they enable security bits (if available) so people can’t…. do this.

So, what would you expect to read back out of it?

Just a thought.

not a bad deal though, you get a usable chip (I hope) and a couple parts, LED’s etc…

But from the video, I can’t see ANYbody wanting these things. Not unless I ran a whorehouse or something. UGLY!

that’s cool, i hope i can find some of these here in italy, 3 euros would be cheap enough to be a substitute for blinkm’s.

it would be great to get a load of them working together under dmx control. individualy adressable via an arduino and a 1 wire buss.

led pixels for maybe 4 euros each, that’s pretty good. maybe it would be possible to strip them to bare bones and power them from a centralised power supply.

did you find a way to program it on the board?

p.s. ignore the trolls

Oh, is that what anon meant by Ooooh, italics!!

I starting receiving comments by email and didn’t understand the references – dismissing them for some weird inside joke I was not privy to.

It, what ever it was, was unintentional.

Let’s see, some reverse engineering, some hacking…

There, did that work?

Hummm, meep…

Why bother disassembling a code that only think it does to change colors? I mean, how hard could that be to write that code from scratch? Granted it is a good hacking practice but, I disagree that you’d get great ideas from the code.

http://www.hex-rays.com/idapro/idadownfreeware.htm That is the only disassembler anybody ever needs… I’m not sure which processors the free version supports… Unfortuneately the full versions are pretty pricey but give it a look. IDA provides full jump and data access cross references, type inference based on function signatues, etc… It will be more helpful for you than a dead listing if you don’t know the instruction set very well.

[/i]

“oh right, what do you want to achieve by hacking that thing?” @ToykoDrift

You might learn something?

Somehow or other it gets low voltage power for the IC and LED’s – find what and where and you can power it IN there from a bench supply for safer hacking.

If you can disassemble the code then it is sure to teach you something or even provide a laugh.

You could take a new uP, programme it and use this existing LED hardware as an outboard while you develop your own app.

* Rebuilt
a failed CFL with LED’s using HV caps from the CFL as capacitive droppers = night light.

strange….

@Filespace

Yeah, I thought so too.

Thanks for trying!

Oh my. All these folk going “this is trivial why bother reverse engineering it” really don’t get it.

Either you are a hardware and code god, or you only like reading a complete tear down article that spoon feeds all the techno-goodness for high tech devices. Those of us who remember what starting out is like, sit back and watch in amazement. To learn, one should start somewhere sensible – such as a trivial device like this. Remember: the whole point of the exercise is NOT TO CREATE AN RGB MOODLIGHT.The point is to figure out how it ticks, from the ground up. A bonus – a lesson on how to pull code from an attiny, perhaps leading down the fuzzy path of how to extract the code from a “protect fuse” set chip. Huge amount of learning to be had here, even if this device never reveals it’s code….

I had the original bulb like this at Sector67 opened up. I found that I could put a DC voltage into the base and get it to light up – but it only stays blue – won’t color change. Also I found a couple points in the board where I soldered some wires on and can put 6 volts DC in it and it lights up but also only lights up as blue and will not color change. Maybe it needs the AC for something.

I tried a bunch of close em tags to stop italics. No go…

Interesting… some of the &LT and &GT where gobbled. Okay enough experimenting. I suspect the original strings that borked this topic into italics had even more &LT and &GT that were also gobbled. I was thinking that reversing the original may fix this mess, but it would need to replace the chars that were consumed in the borkage.