Teddycloud CC3235 Newbie HowTo

Actually that’s not the case. There are two ways for volume mounts in Docker:

1. native Docker volumes: - certs:/teddycloud/certs
2. explicitly mounted directories: - /home/xxx/teddy/certs:/teddycloud/certs

In both cases, the data is not lost when you shut down, restart or update the container. Both of them even persist when you delete the container.

In case 1, the Docker daemon will create a dedicated folder for each defined volume inside its own directories. So at the end, this is also a directory on your host system, but owned by docker or root. The default directory for Docker volumes is /var/lib/docker/volumes/ (on Linux). So if you define your docker-compose.yaml like in example 1. , your certificate volume will be created at /var/lib/docker/volumes/teddycloud_certs/_data on your host system. Any files that you copy or move into this directory will be available inside the container (and vice-versa).

So at the end, 1 and 2 are basically the same, the only difference is that in case 1, Docker will take care of creating the folders. Whereas in case 2, the file handling is a little bit more convenient, as this directory might already belong to your user (e.g. pi instead of root).

I suspect that your error is here. Can you please post this step in more detail? Are you sure that you patch the ca.der of Teddycloud (→ result of gencerts.sh) into your dumped firmware?

cc3200tool -if backupCC3235.bin -of cc3235-flash.customca.bin -d cc32xx write_file /home/pi/toniebox/certs/server/ca.der /cert/ca.der

The second last parameter (/home/pi/toniebox/certs/server/ca.der) has to be the Teddy CA, not the Boxine CA that you read from your Toniebox. Here’s a picutre how it has to be at the end, after you flashed your modified firmware onto your Toniebox:

certificates-tonie-teddy1650×884 180 KB

@Martin_Gubin I think I know why. Please put the both domains on your allowlist in Adguard so they dont‘t get blocked!

prod.de.tbs.toys 
rtnl.bxcl.de

THIS! OMG IT WORKED! Thank you so much!

I have no idea why, but I completely removed teddycloud from docker. Then I created the folders
/home/pi/teddycloudfolder/certs/client
and
/home/pi/teddycloudfolder/certs/server

And I added my Toniebox certs to the client folder and the generated ones to server BEFORE creating the teddycloud. Then I created teddycloud with your options:

version: '3'
services:
  teddycloud:
    container_name: teddycloud
    hostname: teddycloud
    image: ghcr.io/toniebox-reverse-engineering/teddycloud:develop
    ports:
      - 80:80 #optional (for the webinterface)
      - 8443:8443 #optional (for the webinterface)
      - 443:443 #Port is needed for the connection for the box, must not be changed!
    volumes:
      - /home/pi/teddycloudfolder/certs:/teddycloud/certs
      - /home/pi/teddycloudfolder/config:/teddycloud/config
      - /home/pi/teddycloudfolder/data/content:/teddycloud/data/content
      - /home/pi/teddycloudfolder/data/library:/teddycloud/data/library
      - /home/pi/teddycloudfolder/data/firmware:/teddycloud/data/firmware
      - /home/pi/teddycloudfolder/data/cache:/teddycloud/data/cache
    restart: unless-stopped

develop branch and latest are working fine. Teddycloud instantly recognized my Toniebox!

…I have no idea why it didnt work the initial way. I was able to copy the client certs from the box without issues, I was even able to activate boxine cloud.
I also extracted the patched firmware and did a diff command with the docker server file and they said they were identical…

Anyways, thank you so much for your support. I really, really appreciate it.

I am getting stuck on reading the original firmware. I am pretty sure I’ve gotten the clamp to sit properly. Is the error below because of the clamp not sitting good (lsusb seemed to work)? Or is my version of flashrom not compatible? One other possibility I could think of is I am using POPOS and sometimes I need to change permission of the USB (I have had to do this when flashing ESP32 before).

sudo flashrom -p ch341a_spi -r backupCC3235.bin
flashrom v1.2 on Linux 6.9.3-76060903-generic (x86_64)
flashrom is free software, get the source code at https://flashrom.org

Using clock_gettime for delay loops (clk_id: 1, resolution: 1ns).
Found Generic flash chip "unknown SPI chip (RDID)" (0 kB, SPI) on ch341a_spi.
===
This flash part has status NOT WORKING for operations: PROBE READ ERASE WRITE
The test status of this chip may have been updated in the latest development
version of flashrom. If you are running the latest development version,
please email a report to flashrom@flashrom.org if any of the above operations
work correctly for you with this flash chip. Please include the flashrom log
file for all operations you tested (see the man page for details), and mention
which mainboard or programmer you tested in the subject line.
Thanks for your help!
Read is not working on this chip. Aborting.

The version of flashrom should be ok. Even in the latest version, the Toniebox chip is shown as “unknown” but it works anyways. I also used v1.2!

In your case, the file size of the flash chip is wrong. It should be 4MB, not 0 kB.

Found Generic flash chip "unknown SPI chip (RDID)" (0 kB, SPI) on ch341a_spi.

So I would assume it’s the clamp not sitting correct. But the error messages are normally different in this case. Very strange.

Yeah not sure whats happening, tried to reseat it mny times. I noticed my rogrammer had a jumper on it. are their any jumpers on your programmer that you are using?

I have similiar problems with the "owl"error after flashing the custom file several times…
After reading the whole discussion i maybe mentioned your Problem:

The TeddyCloud-Server should have a different IP then the AdGuard-Server.
Screenshot DNS Server in FritzBox Settings and in the Adguard Rewrite Rule are both …29

Now to my problem

Believe it or not… in my first flash I had a working Teddycloud Toniebox.
During my vacation, I played around with the box, my network in general and the Teddycloud and unfortunately I got a bit lost… but I can’t figure it out.

My current guess is the AdGuard DNS.

First of all, my setup:
ProxMox server with AdGuard Home, as well as Teddycloud (installed via the helper script : https://community-scripts.github.io/ProxmoxVE/scripts?id=teddycloud

I have now reinstalled everything except AdGuard (Toniebox and Teddycloud). Unfortunately, I get the message “Owl” after flashing. As mentioned, I suspect that the AdGuard Home DNS is the problem.

I noticed that an entry had landed on the AdGuard blocklist:

dns_blocklist1354×498 58.9 KB

I initially released the domain again in the user-defined rules, but then the forwarding to Teddycloud did not work.

I have now adjusted the rule and added important:
(.249 = TonieBox, .62 Teddycloud)
||prod.de.tbs.toys^$dnsrewrite=NOERROR;A;‘192.168.178.62’,client=‘192.168.178.249’$important
||rtnl.bxcl.de^$dnsrewrite=NOERROR;A;‘192.168.178.62’,client=‘192.168.178.249’$important

However, the result is still blocked…

As mentioned, very exciting, as the forwarding used to work perfectly before a week…

I had already extracted the flashed.bin and checked the certificate (which i created with ./generate.sh): it shows teddycloud as name.

Does anyone else have any ideas? What options do I have to exclude AdGuard or the TonieBox in failure analysis?

I’m using Pihole instead of Adguard but I had the same problem at first and can confirm that a blocked rtnl.bxcl.de will lead to error code owl and what makes this problem hard to detect is that the Toniebox sometimes works and sometimes not.

You have to allow (whitelist) this domain globally in Adguard, see here.

@@|rtnl.bxcl.de^$important

In addition to that, you need the dns rewrite rules for your Toniebox. The combination of both should work. What do you mean with “forwarding to Teddycloud did not work”? This is independent from the allowlist.

AdGuard Custom Rule Working:

! TonieCloud unblock
@@|rtnl.bxcl.de^$important
! Umleitung von TonieBox (.249) auf Teddycloud (.62)
||prod.de.tbs.toys^$dnsrewrite=NOERROR;A;192.168.178.62,client=192.168.178.249
||rtnl.bxcl.de^$dnsrewrite=NOERROR;A;192.168.178.62,client=192.168.178.249

@marco79cgn,

first of all thank you for the detailed guide.
Now I am a little bit lost.
my QinHeng Electronics CH341 in EPP/MEM/I2C mode, EPP/I2C adapter is recognised by the pi when no Toniebox platine is connected. But when I unplug the USB Adapter and the connect the platine (proper conected and steady green) the adapter disapears in the list. I tried it with stronger power supply and with 2 Tonieboxes, no change.

I had the exact same problem. I solved it by ordering another programmer and then it worked immediately. I even left the clamp sitting on the board the whole time until the new programmer arrived from Amazon (2 days).

Wow, yes you were right. New Adapter and firmware flashing worked. Used the Adguard Settings but unfortunatelly no connection and codeword “Eule”

#certifcate
can’t upload *.sh - only *.der Files

Great job - after hearing in ony mydealz video that i obviously own the most complicated version this gave me hope. i had teddycloud with proxmox/docker already running on a local mini server. But in order to follow these steps i re-activated an older raspberry-3 again but now i wanted to replace the steps to store the certificate in the teddycloud. i got a file generated: “gencert.sh” - i searched and found a gui possibility where i can upload certificated onto the teddycloud but obviosly only *.der Files are supported. seems that i am stuck now.

can anybody help here?

the gencert.sh file is a file (shell script) which generates the certificates. not a certificate.

I see, thanks - totally missing the basics i don’t get the differences from this how-to here and the"integrated" which is available in the teddy cloud environment - in the telegram group somebody advised me to just follow strictly the integrated version. i did setup an older raspi3 but is there a simple way to just use an old microsoft notebook?? I ordered this online Amazon.de The guide here mentions that the automatic cert generation is not working in case ov my hardware and that i need to generate it by myself and copy it back - this is unclear to me since my steps differ slightly since i don’t need portainer etc because teddycloud is already running inside docker/proxmox on my mini server.

hello, how can i use flashrom under win11? i found this Windows - flashrom but this mentioned shell is not available in my case…

Thank you for your guide!

Do you run teddycloud and pihole on the same machine? If yes how did you manage to give them separate IP-adresses?

Macvlan is the hint you asked for

Hey Everyone,

as I had trouble flashing my cc3235 I want to describe them and also how I got it running.

I have IS25LQ032B flash chip.

The CH341A Programmer has the problem, that the data lines still drive with 5V instead of 3.3V. As I had concerns destroying my chip, I applied a fix to 3.3V 3.3V Fix.

I tested the Programmer without connecting to the flash, and it was correctly recognized by Linux and the both leds behaved okayish and where quite brightly glowing.

Then I attached the SOP8 clamp and put the small pcb into the programmer like described in this post. The battery was disconnected and I put the programmer into the USB port.

The Run LED of the programmer became dimmed down with the flash connected and the programmer was not recognized. Flashrom didn’t detect a programmer anymore.

Then I put in the programmer first and afterwards connected the small PCB to the programmer. The programmer was detected fine but as soon as the PCB was connected it got disconnected from linux. sudo dmesg showed the disconnects quite prominent. I measured the power between VCC of usb programmer and flash cip and it took already 380mA and I assume with the power for the programmer it draw too much for my usb port (Lenovo T480) and disconnected. So I had no luck using this programmer. I had concerns to connect the battery in parallel so i didn’t try that.

I had another CH341A multipurpose USB stick laying around Module CH341A USB UART/I2C/SPI and that one was not drawing too much power with the flash connected. But still, the readout was not possible as the received values where always a bit different. It already got the manufacturer id and device id correct (0x9d & 0x4016) most of the time but SFDP was not detected correctly. (The IS25LQ032B is not supported directly by flashrom but flashrom and this chip supports SFDP, so it is supported that way)
So perhaps it still draws too much power to have something in a state which is not ready to read. So the connection wasn’t stable to get it working reliable.

flashrom -V -p ch341a_spi

Probing for Generic unknown SPI chip (RDID), 0 kB: compare_id: id1 0x9d, id2 0x4016
Added layout entry 00000000 - ffffffff named complete flash
Found Generic flash chip "unknown SPI chip (RDID)" (0 kB, SPI) on ch341a_spi.
Probing for Generic unknown SPI chip (REMS), 0 kB: compare_id: id1 0x9d, id2 0x15
Found Generic flash chip "unknown SPI chip (RDID)" (0 kB, SPI).
===
This flash part has status NOT WORKING for operations: PROBE READ ERASE WRITE
This flash part has status UNTESTED for operations: WP

Until here, I had connected:
Flash / USB Module
Pin1 CE# → CS0
Pin 2 SO → MISO
Pin 3 WP# → VCC 3.3V
Pin 4 GND → GND
Pin 5 SI → MOSI
Pin 6 SCK - > SCK
Pin 7 HOLD# → Not connected
Pin 8 VCC → VCC 3.3V

What I then did changed all to a good:
I disconnected Pin 1 VCC and Pin 3 WP# and put it into the USB port.
The toniebox led does not light now (if it already glows very very lightly, you can skip the next step).
Connect Pin 1 VCC to 3.3V for about 2s (wait for the solid, very bright glow)
Disconnect Pin 1 VCC again
The toniebox led should still glow green but very very dimmed. Look closely.

Probing for Unknown SFDP-capable chip, 0 kB: Parsing JEDEC flash parameter table... done.
Support for SFDP Page with ID 0x9d not implemented, skipping it.
===
SFDP has autodetected a flash chip.
All standard operations (read, verify, erase and write) should work.
Additionally, flashrom supports RPMC commands via SFDP autodetection.
We may add support for more features via SFDP in future.
If you are interested, join us on the mailing list https://flashrom.org/contact.html#mailing-list-1
===
Added layout entry 00000000 - 003fffff named complete flash
Found Unknown flash chip "SFDP-capable chip" (4096 kB, SPI) on ch341a_spi.

Now the data can be read reliable with flashrom!

Last thing is writing, without WP# (Writeprotect) connected to VCC, the write command can not succeed. So just before calling the write command, just connect Pin 3 WP# to VCC and it worked.

My resulting connections:
Flash / USB Module
Pin1 CE# → CS0
Pin 2 SO → MISO
Pin 3 WP# → only connected right before calling the write command
Pin 4 GND → GND
Pin 5 SI → MOSI
Pin 6 SCK - > SCK
Pin 7 HOLD# → Not connected
Pin 8 VCC → NOT CONNECTED (only for 1-2s to get the low glow led state)

The power which comes through the data lines seems to be enough, no other power seems to be needed.

Last but not least, I had a breadboard between USB stick and my clamp and this caused already a unreliable connection. So having as less connections as possible is something you should strive for.

This is the setup which is working for me. I used the small cables to easily connect/disconnect VCC and WP#:

usbmulti1242×709 152 KB

This is how the LED glows in a state which can be reliable used for flashing (in my case):

ledglow713×389 318 KB

And this setup (with and without breadboard) was consuming too much power and I got never a connection:

programmer1255×829 210 KB

I hope it helps someone. Happy flashing!