Extracting firmware of Sonoff ZBMINI (Zigbee relais)
Posted: 13 Dec 2025, 13:18
These days i like to try to hack a ZBMINI from Sonoff (Itead). I've got some of them in my Home Automation but it turned out that they make lot's of trouble in my Zigbee network. Before dumping them i'd like to find out if i could write other firmware onto them, just in case i can turn them into anything better than they are? Before doing so, i'd like to save the current firmware to maybe later flash them back to fabric.
Opening up shows: these old crap (2020) runs on Silicon Labs EFR32MG21A020F768IM32 MCU:
This Chip has a Little Endian Cortex-M33 CPU, having 768 KB of Flash and 64 KB of RAM. We can also finde some JTAG pads here, nicely labled (thank you Itead for that!)
Datasheet: https://www.silabs.com/wireless/zigbee/ ... ?tab=specs
Overview of EFR32MG21 Family: https://www.silabs.com/documents/public ... asheet.pdf
The datasheet shows this chip is Zigbee and Thread capable (nice!), CPU runs at 80 MHz.
Fortunatly, Segger JFlash/JLink supports this MCU directly as "EFR32MG21Axxx768". So i simply try to connect the JTAG pins and try to read.
Opening up shows: these old crap (2020) runs on Silicon Labs EFR32MG21A020F768IM32 MCU:
This Chip has a Little Endian Cortex-M33 CPU, having 768 KB of Flash and 64 KB of RAM. We can also finde some JTAG pads here, nicely labled (thank you Itead for that!)
Datasheet: https://www.silabs.com/wireless/zigbee/ ... ?tab=specs
Overview of EFR32MG21 Family: https://www.silabs.com/documents/public ... asheet.pdf
The datasheet shows this chip is Zigbee and Thread capable (nice!), CPU runs at 80 MHz.
Fortunatly, Segger JFlash/JLink supports this MCU directly as "EFR32MG21Axxx768". So i simply try to connect the JTAG pins and try to read.