Help Me Reverse Engineer An LED Light Bulb

[Image: hack LED bulb]

I went to the last monthly meeting of Sector 67, a hackerspace in Madison, WI. One of the things shown off was a color-changing LED light bulb that Menards was clearing out for $1.99. Inside there are two RGB LEDs controlled by an ATtiny13 and powered by an AC/DC buck converter. An ATtiny13 will run you around $1.25 by itself so this price is quite amazing. I grabbed a couple of these bulbs and set to work on them. Join me after the break to see what I’ve got so far.

Update: read a follow-up to this post.

These bulbs use a candelabra base so I grabbed an adapter and tried it out in a lamp. Here’s the result, you can see it stepping through color levels a few times a second:

Video: http://www.youtube.com/watch?v=yRrYp3qRBXc

We’ve seen this in a lot of mood light hacks; I want to get at the hardware and make it do my bidding. First things first: time to crack it open. For some reason I thought that carefully drilling some holes around the base would help me figure out where best to use the Dremel cutting wheel. Unfortunately I immediately drilled through one of the inductor coils. Drat.

[Image: hack sylvania light bulb]

Well, no stopping now. I’m not too worried as I also bought a solid red version of this bulb. I want to see what’s inside, whether it’s the same design with unpopulated components, or the full shebang with different hardware. I assume there’s no microcontroller inside so I’ll steal the inductor from that one later.

I cut off the diffuser and got to the circuit board. Here are some images as well as a cursory list of hardware.

Top:

  • R2 – 1004
  • R3 – 1004
  • R4 – 3001
  • R5 – 1302
  • R10 – 1003
  • D4 – Looks like a zener… perhaps to set down voltage for the tiny13
  • D5 – RGB LED
  • D6 – RGB LED
  • D7 – JF S1J
  • IC5 – ATtiny13
  • C1 – smd without label
  • C7 – smd without label

Bottom:

  • R1 – inline with center conductor of light socket
  • P1 & P2 – Labels for incoming AC power?
  • L1 – 102J CEC
  • L2 – 102J CEC
  • C2 – 50V 22 uF electrolytic
  • C3 – 400V 4.7 uF electrolytic
  • C4 – 400V 4.7 uF electrolytic
  • C5 – 25V 100 uF electrolytic
  • C6 – smd without label
  • D3 – R106 TF
  • R6 – 1201
  • R7 – 1Bx
  • R8 – 270
  • R9 – 270
  • IC1 – NGS (transistor for driving LEDs?)
  • IC2 – NGS (transistor for driving LEDs?)
  • IC3 – NGS (transistor for driving LEDs?)
  • IC4 – LNK304GN AC/DC switching converter

I wanted to see if I could talk to the ATtiny13 so I soldered wires onto the pins and hooked it up to my AVR Dragon programmer. ISP was a no go so I soldered more wire to the remaining connection and gave high voltage programming a shot. That was also a failure. But since I already hosed that inductor I have no issue popping the microprocessor off of the board. Here it is soldered onto some perfboard and inserted in a breadboard:

[Image: hack LED]

I tried ISP again and that was a no-go. But this time around High Voltage Serial Programming worked. I talked to the chip with AVRdude using this command:

avrdude -P usb -p t13 -c dragon_hvsp -v

That polls the chip and reads back the fuse settings. Currently the lfuse is 0x6A, which is the factory default, but the hfuse is 0xFA. After checking the datasheet I see that they’ve disabled the reset function (that’s why ISP doesn’t work) and enabled brownout detection. I dumped the firmware and the EEPROM and that’s where I’m at. Now I need your help.
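The two fuse bytes reported above can be decoded bit by bit; this is an added example, not code from the original post. The bit positions follow the ATtiny13 datasheet fuse tables, and the function and field names are hypothetical.

```python
"""Decode ATtiny13 fuse bytes as reported by avrdude (added example).

AVR fuses are active-low: a bit value of 0 means "programmed".
Bit positions follow the ATtiny13 datasheet fuse tables; check them
against your datasheet revision before relying on the output.
"""

LFUSE_BITS = {7: "SPIEN", 6: "EESAVE", 5: "WDTON", 4: "CKDIV8"}
HFUSE_BITS = {4: "SELFPRGEN", 3: "DWEN", 0: "RSTDISBL"}
CLOCK = {0b00: "external clock", 0b01: "internal 4.8 MHz",
         0b10: "internal 9.6 MHz", 0b11: "internal 128 kHz"}
BOD = {0b11: "disabled", 0b10: "1.8 V", 0b01: "2.7 V", 0b00: "4.3 V"}


def decode_fuses(lfuse, hfuse):
    """Return a dict describing what the two fuse bytes configure."""
    for name, value in (("lfuse", lfuse), ("hfuse", hfuse)):
        if not 0 <= value <= 0xFF:
            raise ValueError(f"{name} must be one byte, got {value!r}")

    def programmed(byte, bit):
        return not (byte >> bit) & 1          # 0 in the fuse = programmed

    info = {n: programmed(lfuse, b) for b, n in LFUSE_BITS.items()}
    info.update({n: programmed(hfuse, b) for b, n in HFUSE_BITS.items()})
    info["clock"] = CLOCK[lfuse & 0b11]           # CKSEL1:0
    info["startup"] = (lfuse >> 2) & 0b11         # SUT1:0, raw value
    info["bod"] = BOD[(hfuse >> 1) & 0b11]        # BODLEVEL1:0
    # In-system (SPI) programming needs SPIEN programmed and a working
    # RESET pin. RSTDISBL or DWEN repurposes that pin, which leaves
    # high-voltage serial programming as the only way back in.
    info["isp_available"] = (info["SPIEN"] and not info["RSTDISBL"]
                             and not info["DWEN"])
    return info


def summarize(lfuse, hfuse):
    """One-line human-readable summary of the decoded fuses."""
    f = decode_fuses(lfuse, hfuse)
    access = "ISP or HVSP" if f["isp_available"] else "HVSP only"
    return (f"clock={f['clock']}, div8={f['CKDIV8']}, bod={f['bod']}, "
            f"reset_disabled={f['RSTDISBL']}, programming={access}")


if __name__ == "__main__":
    print("bulb   :", summarize(0x6A, 0xFA))   # values read from the bulb
    print("factory:", summarize(0x6A, 0xFF))   # datasheet default hfuse
```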

I haven’t done much reverse engineering before this so I’m not sure what to do next. I disassembled the firmware using ‘ndisasm’ but I have no idea what I can learn from it, or even how to read it. I’d love some help answering two questions:

1) Why couldn’t I talk to the chip when it was on the circuit board?

2) What can I learn from the disassembled code?

Update: after running the code through an AVR disassembler it looks like this is just an ascending list of numbers. [Tiago] pointed out in the comments that this is the behavior when the lock bits have been set. It should be possible to reuse the chip by erasing it but I won’t be able to dump the firmware first. Now I’ll focus on figuring out how the board is routed.
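A quick triage for the situation described in the update, as an added example that is not part of the original post: it flattens an Intel HEX dump and measures how much of it is a byte-by-byte counting ramp before anyone spends time in a disassembler. The Intel HEX input format, the "next byte is previous plus one" reading of the ascending pattern, the 0.95 threshold, and all names and sample records are assumptions constructed for illustration.

```python
"""Triage a flash dump: real code, erased flash, or a counting placeholder?"""

# Constructed samples (not from the bulb). Each Intel HEX record is
# :LLAAAATT<data>CC, where CC makes the byte sum zero modulo 256.
SAMPLE_RAMP = """:10000000000102030405060708090A0B0C0D0E0F78
:10001000101112131415161718191A1B1C1D1E1F68
:00000001FF"""
SAMPLE_CODE = """:1000000009C00EC00DC00CC00BC00AC009C008C09A
:00000001FF"""


def parse_ihex(text):
    """Flatten data records into bytes, checking every record checksum."""
    image = {}
    for n, line in enumerate(text.split(), 1):
        if not line.startswith(":"):
            raise ValueError(f"record {n}: missing ':' start code")
        rec = bytes.fromhex(line[1:])
        if len(rec) < 5 or len(rec) != rec[0] + 5:
            raise ValueError(f"record {n}: length field mismatch")
        if sum(rec) & 0xFF:
            raise ValueError(f"record {n}: bad checksum")
        addr, rtype = int.from_bytes(rec[1:3], "big"), rec[3]
        if rtype == 0x01:                     # end-of-file record
            break
        if rtype == 0x00:                     # data record
            for i, value in enumerate(rec[4:-1]):
                image[addr + i] = value
    return bytes(image[a] for a in sorted(image))


def ramp_fraction(data):
    """Share of adjacent byte pairs where next == previous + 1 (mod 256)."""
    if len(data) < 2:
        return 0.0
    hits = sum(((b - a) & 0xFF) == 1 for a, b in zip(data, data[1:]))
    return hits / (len(data) - 1)


def classify(data, threshold=0.95):
    """Label a dump; the threshold is an assumed cut-off, not a datasheet value."""
    if not data:
        return "empty"
    if set(data) == {0xFF}:
        return "erased"
    if ramp_fraction(data) >= threshold:
        return "counting-pattern"
    return "plausible-code"


if __name__ == "__main__":
    for name, sample in (("ramp", SAMPLE_RAMP), ("code", SAMPLE_CODE)):
        print(name, classify(parse_ihex(sample)))
```

A "counting-pattern" result only says the readback is not firmware; it does not tell you which lock-bit mode is set.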

Let me know in the comments.


101 thoughts on “Help Me Reverse Engineer An LED Light Bulb”

  1. The Chip is
    Vendor Power Integrations (VA)
    Category Integrated Circuits (ICs)
    Packaging Cut Tape (CT)
    Package / Case 8-SMD Gull Wing, 7 Leads
    Power (Watts) 12mW
    Voltage – Input –
    Voltage – Output 700V
    Frequency Range 62 ~ 70kHz
    Operating Temperature -40°C ~ 150°C
    Output Isolation Non-Isolated
    Lead Free Status Lead Free
    RoHS Status RoHS Compliant
    Other Names LNK304GN TL
    LNK304GNTL
    596 1022 1 ND
    59610221ND
    596-1022-1

    ++ Opinion ++
    The LED color change is by altering the voltage in cycles and there are three LED Colors (RGB).

    The Transistors are being used to cycle the different voltages to the different colors at different times for the effect

  2. @Mike Szczys
    To the best of my knowledge, those leds contain 3 leds each with its own anode and cathode, so probably you have the reds in series, the greens in series and the blues in series.
    By the looks of it, D6 has all the pins on the left connected together and my guess is that this is the common anode and should be at 9V or how much the psu is giving. They should have used NMOS transistors as this is the easiest way to control a higher voltage than that powering the micro.
    Here: http://www.es.co.th/Schemetic/PDF/LNK304-306.PDF at page 4 on top is a typical schematic with the switcher, this should help get the schematic out of the board.

  3. those capacitors without label are probably nothing special, probably just blocking capacitors and capacitors needed by the switching converter
    if you have a look at the converter’s datasheet you see that it needs a coil and a diode, too, so that’s probably what they are good for
    but where is the rectifier?
    TD

  4. oh right, what do you want to achieve by hacking that thing?
    you could simply erase the whole chip, i guess this would also erase the lock bits, then you could upload a new programming file to the avr, but what would that be good for? I mean, this is an AVR wired to RGB LEDs, what could you do with that apart from fading through the colors?
    TD

  5. bogdan: yeah sorry I didn’t see that
    but there are diodes missing for that layout
    maybe there are some hidden underneath the big capacitors or something…
    but hey, there are D1 to D3 missing anyways, so, look for those OP
    PCB doesn’t look like it would have more than two layers, OP should make a schematics diagram
    TD

  6. bogdan kinda beat me to it there
    http://www.es.co.th/Schemetic/PDF/LNK304-306.PDF

    first rule of reverse engineering if you can identify the IC’s involved forget the circuit for a moment and RTFM, for something this simple 9/10 times the manufacturer will use something very close to the example circuits, real EE’s don’t waste time reinventing the wheel when the designs are put on a plate.

    from there it’s a simple task of logic as to what’s happening with the rest of the circuit

    it’s a simple buck converter with an AVR tiny PWMing the LEDs.
    Pointless reverse engineering the code as it’s a 3 min code job to recreate.

  7. @ToykoDrift: I’m also wondering what the big deal is. The instruction set for this chip is so small you can literally guess the code with little effort.

    This IS after all an LED sequencer circuit..

    confirmed methods with bits and fuse programmed:
    -program after chip clear and reset both EEPROM and FLASH
    -timing attack with watchdog timer with 1-wire hooked and waiting to get dumps

  8. @gmcurrie: Yes, you can remove the circuit board from a CFL and use it to drive a regular linear fluorescent tube, but typically at reduced power. For example, you might only get 15W from a 23W CFL ballast when driving a T8. A few people have successfully used this trick for small planted aquarium lighting fixtures. Also note that CFL ballasts weren’t intended to have replaceable bulbs, and are built as cheaply as possible; so not all will handle a failing bulb gracefully. Some try so hard to drive a failing bulb that they’ll self destruct. In planted aquariums, where bulbs are usually replaced once a year and well before failure, that’s not a big deal; and if a ballast goes out with the bulb, just replace it with another free one. I use CFLs extensively around the house, and collect and examine the ones that burn out, and I’d estimate about 25% of the ballasts die along with the bulbs; the other 75% can be reused.

  9. Reverse engineer an LED bulb…

    Hack a day for N00bs….

    Honestly, did the OP even id the chips and then download the documents on it? This is 3rd grade Electronics level stuff…

  10. GOOD GRIEF! WHAT HAPPENED TO MY POST!!! LETS TRY THAT AGAIN!!!!

    Fine then! Stop the bickering and get on w/it!

    …A Challenge…

    I propose making these $2 lights do your bidding. Not just be random. Eh, that’s the hack! Use a common remote to turn them on/off & change color.

    So, here’s what I think ya-all should do:

    1) Be careful! For all development use a low voltage power source. Not the included switcher!

    2) Erase the uP. I agree, it’s not worth reverse engineering the software.

    3) Add an Infrared ASK receiver module. These are cheap and common and the output usually suitable for direct connection to the uP.

    4) Now then, the magic, the secret sauce: You need to develop PWM code to control the lights of course. But this go around you need to also decode the IrASK code sent out by your common remote control. I would recommend trying to decode the RC5 On and Off first (’cause that’s what I have :)). No no, well, yes, I do have one (well several RC5’s as a matter of fact). No, no, I recommend RC5 *purely* because there have been some very nice write ups here at hackaday.com:
    http://hackaday.com/2008/10/30/how-to-usb-remote-control-receiver/

    …There now, off you go, remember no high voltages…

  11. I have to agree with some of the other comments. To reverse engineer code that pwms an led is a complete waste of time. The code can be written in C WAY easier, 5 mins? I would scavenge parts from these. Then make a light setup, that uses a wall wart. It’s just not worth it to me to “condone” futzing with a board with AC current on it. That’s how potential hackers die trying to do the project.

    Not that a properly competent person shouldn’t play with this, but I could see this going horribly wrong.

  12. An ATTiny13 has 6 I/O lines… are any spare?

    If you have two lines spare, you can hook them up as an X10 receiver and turn the unit into an X10 module.

    I’ve built ATtiny26 X10 driver code that does both send and receive in 300 bytes, so just a receiver would be smaller.

  13. So I bought a set of five led ‘tea-lights’ from home depot it is a color changing led shaped like a tea-light…got them for 5 bucks in the Christmas section. I took it apart and it has the led and they left the leads attached and just soldered wires to them…rgb leds cost a buck or so at rs so this seems to be a good deal…I haven’t torn it apart enough to see what is controlling it…

  14. I agree with the others that this is not rocket science – driving a few LEDs from a small avr is pretty simple stuff.

    This thing definitely has a transformerless power supply, and you need to be careful with that – there are dangerous voltages throughout.

  15. One thing I would question, is if the chip has security enabled (and I’m just guessing, I’m not an AT kinda person), is what would you read back from it?? Code? Gobbledygook?

    Since a lot of companies, when they build something like this, they enable security bits (if available) so people can’t…. do this.

    So, what would you expect to read back out of it?

    Just a thought.

    not a bad deal though, you get a usable chip (I hope) and a couple parts, LED’s etc…

    But from the video, I can’t see ANYbody wanting these things. Not unless I ran a whorehouse or something. UGLY!

  16. If anyone is going to use an oscilloscope on this circuit then make sure you are using an isolation transformer.

    Or better still…don’t use an oscilloscope avoid the risk, the slip of the probe, the sparks, the pain and above all the humiliation! :-) Danger!
    online powered circuitry can get the best of us, I know, I’ve fixed more SMPSs and ‘live’ cctry. than I’ve had hot dinners!

  17. that’s cool, i hope i can find some of these here in italy, 3 euros would be cheap enough to be a substitute for blinkm’s.

    it would be great to get a load of them working together under dmx control. individually addressable via an arduino and a 1 wire bus.

    led pixels for maybe 4 euros each, that’s pretty good. maybe it would be possible to strip them to bare bones and power them from a centralised power supply.

    did you find a way to program it on the board?

    p.s. ignore the trolls

  18. Oh, is that what anon meant by Ooooh, italics!!

    I started receiving comments by email and didn’t understand the references – dismissing them for some weird inside joke I was not privy to.

    It, whatever it was, was unintentional.

    Let’s see, some reverse engineering, some hacking…

    There, did that work?

  19. Why bother disassembling code when the only thing it does is change colors? I mean, how hard could it be to write that code from scratch? Granted it is a good hacking practice but, I disagree that you’d get great ideas from the code.

  20. http://www.hex-rays.com/idapro/idadownfreeware.htm That is the only disassembler anybody ever needs… I’m not sure which processors the free version supports… Unfortunately the full versions are pretty pricey but give it a look. IDA provides full jump and data access cross references, type inference based on function signatures, etc… It will be more helpful for you than a dead listing if you don’t know the instruction set very well.

  21. There isn’t much point in talking about disassemblers as it is clear that the micro is protected against reading. Plus, I think that the purpose of this hacking is to make the lamp do something else, and that requires rewriting the software. And that random blinky thing it normally does is quite simple to do.

  22. [/i]

    “oh right, what do you want to achieve by hacking that thing?” @ToykoDrift

    You might learn something?

    Somehow or other it gets low voltage power for the IC and LED’s – find what and where and you can power it IN there from a bench supply for safer hacking.

    If you can disassemble the code then it is sure to teach you something or even provide a laugh.

    You could take a new uP, programme it and use this existing LED hardware as an outboard while you develop your own app.

    * Rebuilt a failed CFL with LED’s using HV caps from the CFL as capacitive droppers = night light.

  23. Oh my. All these folk going “this is trivial why bother reverse engineering it” really don’t get it.

    Either you are a hardware and code god, or you only like reading a complete tear down article that spoon feeds all the techno-goodness for high tech devices. Those of us who remember what starting out is like, sit back and watch in amazement. To learn, one should start somewhere sensible – such as a trivial device like this. Remember: the whole point of the exercise is NOT TO CREATE AN RGB MOODLIGHT. The point is to figure out how it ticks, from the ground up. A bonus – a lesson on how to pull code from an attiny, perhaps leading down the fuzzy path of how to extract the code from a “protect fuse” set chip. Huge amount of learning to be had here, even if this device never reveals its code….

  24. I had the original bulb like this at Sector67 opened up. I found that I could put a DC voltage into the base and get it to light up – but it only stays blue – won’t color change. Also I found a couple points in the board where I soldered some wires on and can put 6 volts DC in it and it lights up but also only lights up as blue and will not color change. Maybe it needs the AC for something.

  25. Interesting… some of the &LT and &GT were gobbled. Okay enough experimenting. I suspect the original strings that borked this topic into italics had even more &LT and &GT that were also gobbled. I was thinking that reversing the original may fix this mess, but it would need to replace the chars that were consumed in the borkage.

  26. @Rob Wentworth
    Thanks Rob for trying. As the original bor-ka-ger I can clue you in on the gobbling. I had placed 3 less than signs in a row to “highlight” some text. The next paragraph started with the letter “I” followed by a lot of text that all got gobbled. Then came the fateful 3 greater than signs. Actually the next post is almost identical except I surmised what had happened and replaced the greater and less than signs with periods. (But only later I realized the italics directive was propagating to subsequent postings :O!)

    Obviously what we are trying to get around is a filter to prevent entering HTML. What no one has been able to do yet is to pass the forward slash symbol through the filter.

    I suppose it’s time for my weekly try at this:
    1) Take that! <> test
    2) And that! <> test
    3) And that! <<>> test
    4) One more time! <<>> test
