Create our own tracker for $1! #74
Comments
That one looks awesome, $0.35 even quantity 1! Have you ever programmed one of those? |
It's flashable, but it has a very bad deep sleep :( So not good for a tracker |
aww that's a pity, I could not find that in the datasheet indeed |
Cheap keys on ST17H66B are fully mastered (https://pvvx.github.io/iSearching/). BLE OTA is supported in PHY62x2BTHome.html. Dependence of average consumption of a device of type "KEY2" on the BLE advertising interval:
"KEY2" Power: Using Deep-sleep is inconvenient - loading the code and initialization takes up to 100 ms with an average current of 7.15 mA. |
Also while 1,50$ and not 1$ this is quite unbeatable in a DIY solution, cheap plug of my FindMy Video :D |
The ST17H66B is what started this project a couple years ago indeed :) Do you know any online pcb factories that still have them @pvvx ? |
https://aliexpress.ru/item/1005004397030802.html And similar... Support for ST17H66B/PHY62xx operation in "LE Long Range" mode (this is BLE at a range of 500+ meters) has not yet been published in my SDK, but it has been implemented and tested for a long time. If I have time, I will publish such options as well. https://aliexpress.com/wholesale?SearchText=ST17H66 The cheapest chips that can be ordered in our country from official suppliers are chips from WCH. |
It is worth remembering that for beacons like iSearching and similar, the BLE advertising period should be 1 second. But there is not a single SoC that can last 1 year on CR2032 in this mode. CR2450 will work more than 2 years, only due to lower internal resistance (lower voltage drop under 8 mA load). As a result, the price of the chip is completely unimportant if CRxxxx batteries are used. It will cost less than the price of the battery. Another solution is to install a large capacitor in the power supply chain (more than 100 µF). But for a capacitor with a large capacity and low leakage, the price is already equal to or higher than the SoC price :)
When shipped with battery and 1 year of operating time = Impossible goal at the current technological stage of manufacturing cheap SoCs (if you are not in China) :) |
https://www.lcsc.com/product-detail/RF-Transceiver-ICs_PHYPLUS-PHY6222AAQC_C2836482.html
:) :) :) THB2, BTH01 - They can be less than $1.5 each on Aliexpress. In WCH SDK, working with "LE Long Range", "PAwR" (new Bluetooth standards v5.4) is only available for CH32V208. Previously, several WCH LinkW (CH32V208) were purchased on AliExpress for $1.5, including shipping. |
That looks awesome @pvvx ! Very interested in the st17h66 BLE Long Range mode. |
In the "Coded PHY" mode, the PHY chips have problems - the RF part slows down. The delays do not fit the specification. This affects the switching speed of the RF part TX-RX... But FindMy does not use reception. (In the chip, the IRQ from the radio frequency part (mode PHY Coded) arrives with a delay - another error in the PHY62x2/ST17H66 chips. This affects the processing of the BLE connection request. The CPU does not have time to process the request in time, since the IRQ arrives with a delay. But this seems to have been cured...) And where can I find a full description of the format of the data transferred for FindMy? |
Do iDevices still register those broadcasts? I remember reading somewhere that even if an iPhone/iMac is able to do coded phy, it will not report findmy broadcasts sent in this mode. |
I actually do not know of any official documentation of this, although oems can get "Works with Apple FindMy" for their tags so it must be somewhere? |
I don't use Apple devices. None of them suit me in terms of functionality. |
Same :D The FindMy is only reverse engineered as there is no official documentation available |
yup same here too :) although I did buy a mini for testing, which turned out to be useless |
A MAC address with 0xC0 (bits 7 and 6 in "1") in the first byte is a random MAC address. And it should be marked as Random in the BLE advertising data. But there is no mark in the BLE packet flags, if you look at the FindMy "childish writing". |
yeah they are really abusing the mac address to get some extra bytes there |
But they don't put a mark in the flags that it's "Random MAC"? Why then isn't "Extended Advertising" used - the length of the message is in kilobytes...
There are still a lot of questions. |
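Added example, not part of the thread and not any participant's code: a scanner-side check for the points raised in the comments above (the 0xC0 address bits, the absent Flags field, and key bytes carried in the MAC address). The payload layout (Apple company ID 0x004C, type 0x12, length 0x19) is an assumption taken from the publicly reverse-engineered OpenHaystack format, not from this page; the key and both advertisements are constructed sample data.

```python
APPLE_COMPANY_ID = 0x004C      # Bluetooth SIG company identifier for Apple
OF_TYPE, OF_LEN = 0x12, 0x19   # assumed layout: OpenHaystack reverse engineering

def parse_ad(payload: bytes):
    """Split legacy advertising data into (ad_type, data) pairs."""
    out, i = [], 0
    while i < len(payload) and payload[i] != 0:   # zero length = padding
        length = payload[i]
        if i + 1 + length > len(payload):
            raise ValueError("truncated AD structure")
        out.append((payload[i + 1], payload[i + 2:i + 1 + length]))
        i += 1 + length
    return out

def inspect(addr: bytes, payload: bytes) -> dict:
    """addr: 6-byte advertiser address in display order (first byte = MSB)."""
    ads = parse_ad(payload)
    res = {"addr_top_bits_11": (addr[0] & 0xC0) == 0xC0,
           "has_flags_ad": any(t == 0x01 for t, _ in ads),
           "offline_finding": False, "public_key": None}
    for ad_type, data in ads:
        if ad_type != 0xFF or len(data) != 4 + OF_LEN:
            continue
        company = int.from_bytes(data[:2], "little")
        if (company, data[2], data[3]) != (APPLE_COMPANY_ID, OF_TYPE, OF_LEN):
            continue
        body = data[4:]                 # status, key[6:28], key[0] >> 6, hint
        # The address supplies key bytes 0..5; its top two bits travel in body[23].
        first = (addr[0] & 0x3F) | ((body[23] & 0x03) << 6)
        res.update(offline_finding=True, status=body[0],
                   public_key=bytes([first]) + addr[1:6] + body[1:23])
    return res

def constructed_samples():
    """Constructed test data: a fake 28-byte key and two advertisements."""
    key = bytes(range(0x80, 0x9C))
    tag_addr = bytes([key[0] | 0xC0]) + key[1:6]
    tag_adv = (bytes([0x1E, 0xFF, 0x4C, 0x00, OF_TYPE, OF_LEN, 0x00])
               + key[6:28] + bytes([key[0] >> 6, 0x00]))
    other_addr = bytes.fromhex("001122334455")
    other_adv = bytes.fromhex("020106") + bytes([5, 0x09]) + b"TEST"
    return key, (tag_addr, tag_adv), (other_addr, other_adv)

if __name__ == "__main__":
    key, tag, other = constructed_samples()
    for name, (addr, adv) in (("tag", tag), ("other", other)):
        r = inspect(addr, adv)
        print(name, addr.hex(":"), r["offline_finding"], r["has_flags_ad"])
```

The tag sample fills all 31 bytes of a legacy advertisement with one manufacturer-specific structure, which leaves no room for a Flags field; the 28-byte key only fits because six of its bytes ride in the address.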
I was thinking to have something like this built: https://oshwlab.com/biemster/ch592tag |
The ceramic antenna actually is much more expensive than I thought (0.4), exchanging that for a PCB one will result in 30 assembled modules for EUR 40 (which is 1.33 per tag, not bad!) |
There is no button - without it, it is difficult to work with such a sensor. You can't update it, you can't change the key... |
I knew I forgot something! |
This PB-03M module can work in Zigbee too. But there is no Zigbee SDK for it yet. I can't find a Zigbee SDK for the PHY62xx series. |
@natschil was actually able to do a bit of Zigbee as he wrote here: biemster/st17h66_RF#7 |
Sending and receiving RF RAW packets with different types of Phy is not at all interesting. These are the basic functions of any RF SOC and they are available in any SDK, except for Espressif chips. :) Full zigbee router implemented on Phy6222. This means that MATTER can also be programmed. PS: On https://www.elektroda.com/ someone has access to Tuya and posts various SDKs and sources. But there is only WiFi :( |
@atc1441 ATC1441 appears to be a username or handle associated with an individual who is involved in the development or modification of firmware for electronic devices, particularly flash memory tools like the "Transcend RDF5" or similar devices. This person has shared custom firmware and modifications that enable additional features or improve the functionality of these devices. The modifications often include enabling Wi-Fi capabilities, adding support for different types of flash memory, or improving the overall performance of the tools. If you are looking for specific information about ATC1441 or their work, it would be best to refer to forums, GitHub repositories, or other online communities where firmware modifications and electronic device hacking are discussed. :) And DeepSeek takes me for a group of people. 8-) |
I want to solder a battery on the PB-03. Which one is easy to solder 03, 03F or 03M? |
@sonman from the looks of it the F is the easiest to solder on? But you can of course see that with the quickest of internet searches. If you have more detailed questions about which module suits you best it's probably advisable to contact the manufacturer directly (ai-thinker), they are known to respond nicely to developers. For programming you just need a UART, those cheap USB - UART dongles will do fine but you could also use any uart available on a single board computer. Excellent firmware with SDK, code and flasher can be found here: https://github.com/pvvx/THB2 |
https://docs.ai-thinker.com/en/blue_tooth_pb
Since the official PHY website has been in an unclear state for the second year, I copied everything assembled on BLE/Zigbee PHY chips to https://github.com/pvvx/PHY62x2. To work with PHY chips you will need Keil. This IDE requires purchase. ST-Link requires reprogramming to "J-Link OB" to work with SEGGER utilities. And some SEGGER patches so that the reprogrammed ST-Link works with all types of chips. This violates all SEGGER licenses and is only available in "hacker" forums and not in English. Officially it is possible to reprogram ST-Link to work with OpenOCD. But it is a slowdown, etc. :( |
initially i did yes, but for a couple years already i moved to gcc as well, in https://github.com/biemster/st17h66_RF |
It is clear that this is without XIP Flash, power management in sleep and without BLE stack. |
i have a couple of PB03M here - fine to solder, but i think they are all easy to solder (not too small pads).
no, the module itself is soldered on the kit (you must solder the cables or just use some pogopins)
no, it is soldered too. (But i have the same problem and will create a 3D printed programming solution - will post it here when it is finished ;) ) |
The PB-03x has a PHY6252 installed. It does not have a "Reset" signal. But the capacitor is set to 10 μF. And it discharges in a few minutes if you flash a program like FindMy. |
https://aliexpress.ru/item/1005007872523957.html ~$3 Apple FindMy firmware (FullFlash) from FindMy-QMD-v1 (ST17H65B).
UART log:
|
Received modules PB-03M and PB-03M-Kit.
|
as i mentioned before, here is my programmer solution for 3D print and housing with CR2032 holder: STL Files: |
That looks awesome! One minor nitpick, the antenna does not really like all that metal from the cr2032 behind it. If you have range issues with this very neat build you might want to focus on that. But all in all great work! edit: in the next iteration you might just rotate the module 180 to get the antenna out of the metal backplane from the cr2032? |
Thanks @biemster for your great tips. now i rotated 180 degrees, much better dB levels on my mobile. |
Nice work @phoffi, maybe a version for a Module with a CR2045 (holder) would be cool, i bought much of them for the OpenEpaperlink and have some left over at the moment. Your 2032 holder also already exists for 2045 cells. |
What are your experiences with the PB03(m)(f) modules? I've been testing the TB-03F from @atc1441 for a while now and they give a lot of feedback. Lots of feedback with what feels like more accurate results. The error detections are also not more than with other modules. |
does any firmware for these cheap modules support multiple keys/key rotation? |
that is very easy to implement, but due to low demand not done yet. except the nrf51 FakeTags by @dakhnod if i recall correctly |
Yes the nrf51/52 firmwares support key rotation. I am using this on nrf52810 https://github.com/pix/heystack-nrf5x |
@magnets110 currently I'm porting the CH59x firmware to ch32v003fun in cnlohr/ch32fun#534 for use in https://github.com/biemster/qible, when that is done it is really trivial to have key rotation (since it will also rotate between Apple and Google FMD networks). Those modules will be just slightly over $1 each, so if you are looking for cheap those will be the way to go. |
I have a holyiot 21014 nrf52810 ($12) and a Zigbee smart button ($4) with TLSR8253. The nrf52 with 3s advertising frequency and tlsr825 on 2s. The nrf52 gets 3x as many location reports/day as TLSR module and gives better range in my testing |
In this example, the maximum possible transmitter power for nRF is set to +8 dBm. The nRF52 and TLSR825x series chips differ little in characteristics (current consumption). In sleep TLSR825x, for Findmy the current will be 1.3 μA, when transmitting 0 dBm - 7 mA, when transmitting +10 dBm - 25 mA. And let me remind you - the antenna in the modules from Tuya is very poorly made. According to these measurements: seemoo-lab/openhaystack#57 (comment)
As a result, with this approach, you can expect no more than 80 mAh (+25C!) from an average-priced CR2032. And even less from cheap CR2032. |
The nRF52810 supports max +4dBm according to docs. |
nRF52840: -20 to +8 dBm TX power, configurable in 4 dB steps
https://github.com/pix/heystack-nrf5x/blob/master/ble_stack.c#L36 -> powers[] = { 8, 7, 6, 5, 4 } So it's even worse. 16 mA at +4 dBm! Chinese chips are winning. |
nRF52810 +4dBm shows 8mA in the docs. Is that just the radio, excluding other parts? |
Yes Radio transmitting @ 0 dBm output power, 1 Mbps Bluetooth low energy mode, Clock = HFXO 10.5 mA Plus, let's not forget about the DC-DC error in the nRF52 series. :) But the main thing is that all values in nRF documentation are marketing ones. To find out the exact value, you need to carefully read the documentation and check the provided graphs, not the tables. And in tables always look at the footnotes and measurement conditions. They usually differ from those actually used. :) |
Another TLSR8253 is the ebyte E104-BT12LSP. Has anyone tested? $2.35 with choice shipping https://www.aliexpress.com/item/1005007537045339.html $2.12 with free standard shipping https://www.aliexpress.com/item/1005002984811386.html cheaper than the tb-03 modules if you only want a couple |
While it's fun to search the online mall for cheap bluetooth trackers, wait for a month for them to arrive and hope that they contain a flashable chip, let's instead make our own!
The target is very tight: $1 in quantity 100+
I've found a couple candidates already, but definitely would love to see some more suggestions in the comments.
Ideas so far:
https://inplay-tech.com/in100
https://www.akm.com/us/en/products/bluetooth-low-energy-beacon/
by far the cheapest (~$0.2) if we can figure out how to omit the support mcu
also might be difficult to source
https://www.holtek.com/page/vg/BC7161
These are very cost effective (~0.5) and already have a findmy firmware here
https://oshwlab.com/biemster/ch592tag
Have very good support by @atc1441 and @pvvx for example
but seem difficult to source
Another broadcast only chip + mcu, readily available on LCSC
In conclusion I think the CH592 is the prime candidate due to its availability at jlcpcb for example, and low price and passives count. However I would really like to experiment with the TX only AK1595 and BC7161 for example, since they would do only the bare minimum.
Any ideas or suggestions are definitely very welcome, as are suggestions for a good fab house since this will be my first such project!