Allow IKEA Trådfri E1526 updates to 1.21.31

This is a simple mirror to allow IKEA Trådfri updates to 1.21.31 after, for example a factory reset.

Below you can read a bit on what is going on and how to use it.

Not what you were looking for? Then maybe go visit klondike's personal website.

Background

Somewhere between March 2024 and August 2024, the OTA update file for the IKEA Trådfri Gateway was silently updated, the changes, highlighted below, involved decreasing two bits on the beginning of the file, changing 256 bytes on the area before the ELF header (likely some hash) and finally changing a much larger block at the end of the file. The new file has also one bit less in this block.

The IKEA Trådfri Gateway fetches firmware updates by parsing the file manifest provided at http://fw.ota.homesmart.ikea.net/feed/version_info.json. This JSON file contains details about the software versions, their size (presumably after decompression or some other kind of processing) and where they can be obtained from.

Because the updated firmware file is linked with the same version information by the version_info.json file, Gateways updated to the older file will not try to apply the update. On the other hand, a Gateway that has been factory reset or in some way not updated in a long amount of time, therefore using an older version of the firmware, will still fetch the new file and install it.

Gateway symptoms

After applying the new firmware update, the Gateway will refuse to boot. Instead no lights or a very faint light in the power and Internet will be visible on the device. The IKEA Trådfri Gateway can still be reset back to the original firmware by holding the reset button for long enough until all three lights start blinking and then turn off followed by the power LED turning on. Unfortunately, this fix will only work until the device tries to update its firmware again and applies the broken firmware image.

Solution

Since the gateway uses an unencrypted HTTP request to fetch the OTA manifest file, it is possible to intercept the request and provide a manifest file pointing to the old, working, file version instead. There are various ways to do achieve installing the older version.

A simpleapproach is to just temporarily hijack the DNS resolution so that fw.ota.homesmart.ikea.net resolves to this server, for example by adding a CNAME to klondike.es for that specific domain or just resolving it to its current IP address.

This server contains an updated (as of 3 of August of 2024) version of the OTA file Manifest with the exception that the entry for the IKEA Trådfri Gateway OTA update contains the metadata of the old update that works.

The device's OTA entry also points to http://fw.ota.homesmart.ikea.net/feed/10032198-2.2-TRADFRI-gateway-1.21.31.p.elf.sig.ota.signed which contains the old and working firmware image.

You can easily replicate this behaviour on your own webserver just by just copying these two files and serving them when the IKEA Trådfri Gateway accesses them at the folder feed on the domain fw.ota.homesmart.ikea.net

Hijacking the DNS requests

In order to Hijack the DNS requests you need to configure your network's DNS server to solve fw.ota.homesmart.ikea.net either as a CNAME of klondike.es or to resolve to the same IP address that domain points to. If you prefer to host your own HTTP server you should instead make the domain resolve to it.

To make the changes you will likely need to configure your home router (if it has a DNS server) or host your own resolving server (for example with dnsmasq) that can override the resolution. On OpenWRT for example this can be changed on the Hostnames tab in the DHCP and DNS settings.

With all this in place all you have left to do is factory reset your gateway by pressing the reset button with a clip or SIM removing tool for long enough. If all three lights start blinking and eventually shut off followe by the power LED lightning up, then you have done the factory reset process correctly and can release the button.

Once the update is applied to your gateway, you should make sure you remove the DNS hijacking so that further firmware updates can still be applied correctly!

Unfortunately I don't have the resources to host an external facing DNS server you could configure your router to point to. Hence why you might need to host your own if your router does not contain its own.

Additional data

The older firmware file is available on archive.org. I have also archived the new firmware file there too. Similarly you can also obtain on archive.org the old manifest file and the new manifest file. From which you can see the metadata differences in the stored file. Finally, the differences between the files are provided below.

File differences

The file binary differences can be seen below. I have hihglighted the bytes differing on each group of 16 octets.

< 00000010  08 07 00 00 70 99 0d 00  78 a0 0d 00 0b 00 00 00  |....p...x.......|
> 00000010  08 07 00 00 6f 99 0d 00  77 a0 0d 00 0b 00 00 00  |....o...w.......|

< 000006e0  a6 29 ec 5e d1 8b 97 a0  51 24 58 e2 df 50 8f 2d  |.).^....Q$X..P.-|
> 000006e0  a6 29 ec 5e d1 8b 97 a0  e7 03 1f a8 49 46 c9 a1  |.).^........IF..|
< 000006f0  0f fb 2c 8e 68 b9 26 3f  41 19 15 9f 7a c7 ab 99  |..,.h.&?A...z...|
> 000006f0  b6 8d 79 42 0d 95 dd b3  92 a9 f7 3d 84 55 55 0d  |..yB.......=.UU.|
< 00000700  92 ae c7 e3 48 99 87 31  7f 45 4c 46 01 01 01 00  |....H..1.ELF....|
> 00000700  8a 9f 30 5f 50 e9 e2 e0  7f 45 4c 46 01 01 01 00  |..0_P....ELF....|

< 000da070  45 59 2d 2d 2d 2d 2d 0a  bb 88 71 4a 26 5f 2e 79  |EY-----...qJ&_.y|
> 000da070  45 59 2d 2d 2d 2d 2d 1d  2c 9e 51 69 09 31 88 75  |EY-----.,.Qi.1.u|
< 000da080  f8 1c 2a b1 bb 86 f5 a0  00 9d 8e e2 13 1f 8e 0a  |..*.............|
> 000da080  ef aa 72 08 cd a1 21 34  eb 45 ae 9a 77 38 80 53  |..r...!4.E..w8.S|
< 000da090  91 85 e1 9f 8a 41 97 ff  0a 68 89 84 27 0a 38 1f  |.....A...h..'.8.|
> 000da090  b5 3f a6 6e 35 82 d7 eb  3d 20 ae c6 81 31 ed d3  |.?.n5...= ...1..|
< 000da0a0  ba 7e 0a 13 00 57 3d db  d3 bb a9 df 53 18 1e 76  |.~...W=.....S..v|
> 000da0a0  d4 ae 46 dc 1b 08 04 88  2c 1b 21 d3 24 08 ee f0  |..F.....,.!.$...|
< 000da0b0  63 44 56 d3 a0 e6 ac 88  93 ef 1c a8 b8 1b 44 1b  |cDV...........D.|
> 000da0b0  09 25 47 e0 fd a1 83 b9  20 f2 80 0a c3 85 d3 b7  |.%G..... .......|
< 000da0c0  5a 4a 76 63 dd 11 85 4e  7d 6d 89 cd 60 72 45 35  |ZJvc...N}m..`rE5|
> 000da0c0  34 20 95 bb 4e 1f 07 74  6d dd 2c 5f 0e 19 20 17  |4 ..N..tm.,_.. .|
< 000da0d0  0c 3d 28 67 66 1c 8d 33  d2 69 0e b6 65 46 fa 4e  |.=(gf..3.i..eF.N|
> 000da0d0  f2 8e 1a d1 0a 2c 67 bf  bd 5d d1 bf 71 1e 06 90  |.....,g..]..q...|
< 000da0e0  f9 c5 67 1b 26 59 db 84  e5 82 42 56 c9 26 09 cd  |..g.&Y....BV.&..|
> 000da0e0  a5 a0 2b 9d 18 e3 31 4e  7a 03 b5 f0 7b c6 f8 a1  |..+...1Nz...{...|
< 000da0f0  0d 36 ca 28 56 de 8e 96  36 09 ed a7 ef 3e 5a 11  |.6.(V...6....>Z.|
> 000da0f0  1d 0c d8 5c 81 e9 83 9f  35 8e 5b 8d ce 22 6c 3f  |...\....5.[.."l?|
< 000da100  28 e7 93 86 77 e5 6b 09  08 91 56 04 84 0a b6 21  |(...w.k...V....!|
> 000da100  17 e7 61 12 36 9b d6 02  58 4e f8 55 32 f1 a8 03  |..a.6...XN.U2...|
< 000da110  1d 4b b3 5a 46 3b a7 29  e6 6e d9 7b 30 4e 2f 32  |.K.ZF;.).n.{0N/2|
> 000da110  d1 95 f8 bc 8b 94 73 7d  95 35 f9 b6 37 94 b6 61  |......s}.5..7..a|
< 000da120  59 67 dc 76 69 19 05 12  7d 76 28 0f ae e3 c2 ef  |Yg.vi...}v(.....|
> 000da120  eb 4a ea 16 9a e4 47 6a  99 93 37 9e d6 6d 5d 2c  |.J....Gj..7..m],|
< 000da130  9f e3 67 9b 1d 66 39 17  80 0e 5d ed 09 14 c6 a8  |..g..f9...].....|
> 000da130  a8 7f 6a 7b 2a a6 fd cb  11 c9 09 bc ac 03 a4 f5  |..j{*...........|
< 000da140  c0 c5 a2 37 6b de 9c 56  03 20 c7 29 fc dc ba 71  |...7k..V. .)...q|
> 000da140  68 c4 e4 11 66 f9 fb f6  a0 22 0a 90 74 10 7c cf  |h...f...."..t.|.|
< 000da150  b3 cd e9 e6 84 93 56 aa  f9 41 53 24 54 79 c5 14  |......V..AS$Ty..|
> 000da150  3d de a2 21 19 26 7a e7  c6 34 fd 7f 2b ed a9 8c  |=..!.&z..4..+...|
< 000da160  ba ee 26 56 70 e8 9a dd  8c 6c d8 fd 6f fe eb 96  |..&Vp....l..o...|
> 000da160  81 d0 4d b8 8b c2 db 42  55 3e 54 08 f2 0c 05 57  |..M....BU>T....W|
< 000da170  65 56 1b 0b d4 18 bd 63  2e e1 1e 2f e3 4f 4b cc  |eV.....c.../.OK.|
> 000da170  04 78 6f 41 60 92 76 2b  14 f2 57 08 a5 08 f9 2d  |.xoA`.v+..W....-|
< 000da180  7e 8f 2f 71 52 07 63 e9  fc 7f 12 01 d4 55 b2 6a  |~./qR.c......U.j|
> 000da180  70 e1 9c 8f ac ee 79 55  33 23 ee 3c 6e 80 34 9a  |p.....yU3#.<n.4.|
< 000da190  69 18 55 1f 40 a7 ee 71  e9 6e 37 4b d7 8a 8f bb  |i.U.@..q.n7K....|
> 000da190  48 13 99 ac b9 af 5d e7  51 1c 0f f9 80 fd 39 30  |H.....].Q.....90|
< 000da1a0  e2 3d ae bd 01 57 f6 e1  7d 75 1f 06 38 84 6b 28  |.=...W..}u..8.k(|
> 000da1a0  47 fc cb ac f4 28 d8 a7  27 93 71 b6 36 05 ce 8c  |G....(..'.q.6...|
< 000da1b0  79 4f cb b9 1a 50 8a 70  9f c7 50 b8 a1 7c 8e 51  |yO...P.p..P..|.Q|
> 000da1b0  b1 94 0b 0f c6 f2 f7 2f  26 92 50 1f 73 0f 8c 5f  |......./&.P.s.._|
< 000da1c0  0c 03 9f 3b fb 42 50 7f  40 f3 b5 f5 d7 26 8f b0  |...;.BP.@....&..|
> 000da1c0  e9 93 aa 9a 79 fb fa f5  0b 9d 11 ce 8d 17 ad ea  |....y...........|
< 000da1d0  bd 9c 8d 85 6d b2 51 59  61 ca 6e b7 0b f8 0a 20  |....m.QYa.n.... |
> 000da1d0  c1 bf af 7e 6c a7 16 ab  ee 3e e2 64 48 0d f7 87  |...~l....>.dH...|
< 000da1e0  08 9d ca 5a 09 7b 69 85  80 cc 88 f3 a1 11 05 7d  |...Z.{i........}|
> 000da1e0  a9 94 cd 38 48 fc 9a 3e  f1 1e a3 49 68 f8 3a 0b  |...8H..>...Ih.:.|
< 000da1f0  80 5d 6b 88 48 11 48 ca  cd 4c 41 c5 0d 7f 01 87  |.]k.H.H..LA.....|
> 000da1f0  27 3a 69 57 76 cc 7a 02  c0 3a 6d a4 99 a0 bc 3b  |':iWv.z..:m....;|
< 000da200  00 7e aa 67 3b 26 a4 15  52 c7 1e 8e 30 58 a4 8c  |.~.g;&..R...0X..|
> 000da200  d9 3d 13 c8 4b 85 20 22  25 25 a7 cb 35 72 bb 9a  |.=..K. "%%..5r..|
< 000da210  83 5c 51 ad 92 de 0b ee  26 0d bd dc c4 3d 90 90  |.\Q.....&....=..|
> 000da210  94 b6 80 96 b5 37 02 6a  45 6c d8 c8 22 25 a9 2d  |.....7.jEl.."%.-|
< 000da220  8f eb a4 5c c7 81 d7 cf  f4 c0 fe 55 e0 d2 c8 63  |...\.......U...c|
> 000da220  a2 5c 6f 2d ef df 6f 6a  19 6f ed d6 54 b6 88 37  |.\o-..oj.o..T..7|
< 000da230  4b b1 7a 9b b2 f6 6a ec  7e 74 67 95 f0 7b a9 6e  |K.z...j.~tg..{.n|
> 000da230  0d 98 3a 00 5a 2d bd c9  b9 f2 fa 97 3d 03 40 d4  |..:.Z-......=.@.|
< 000da240  d2 d8 21 e2 4a e8 18 6d  17 e1 aa 7f 47 09 5e cc  |..!.J..m....G.^.|
> 000da240  11 0e a3 5c d0 cb 59 df  90 e3 55 73 9a be c0 a4  |...\..Y...Us....|
< 000da250  87 80 52 5d 84 75 90 07  5b d9 28 6d 54 37 5a 4c  |..R].u..[.(mT7ZL|
> 000da250  4e 83 8b a4 24 88 1a 45  33 9d bb 31 a2 58 8e 45  |N...$..E3..1.X.E|
< 000da260  9b 61 a0 08 3e 6f 2a 58  23 92 39 15 f0 2e e9 01  |.a..>o*X#.9.....|
> 000da260  46 ec 06 8a 02 ce d6 ac  8a 1b 7d 59 14 02 e0 8f  |F.........}Y....|
< 000da270  3a 44 cb 61 dd 16 b1 c3                           |:D.a....|
> 000da270  4a 41 99 19 d3 64 2e                              |JA...d.|
< 000da278
> 000da277

Not what you were looking for? Then maybe go visit klondike's personal website.

This page is ©2024 Francisco Blas (klondike) Izquierdo Riera. The firmware and manifest files remain the copyright of the original authors, likely IKEA of Sweden AB. The modified manifest files and the old firmware update are provided as is with the sole intention of helping users fix their devices and without any warranty nor copyright claims. Any use you make of these files is under your own responsibility and entails resigning any possible claims for damages or any other kind of compensation if they do not work as expected. At the time of this writting I am not affiliated with IKEA in any way nor have been in many years.