- 👋 Hi, I’m @banksy-git
One day I'll update this page.
Freeing the Silvercrest (Lidl/Tuya) Smart Home Gateway from the cloud.
Home Page: https://paulbanks.org/projects/lidl-zigbee/
License: GNU General Public License v3.0
Hi,
I have been running the device successfully for over a year now.
A few days ago it stopped working.
I can ping the device, but the configured SSH server port is gone; also, the installed Zigbee server is no longer working.
I reattached the TTL debug cable to log in and see what's going on, but the root password is no longer working.
I reran the commands to get the KEK and the AUSKEY, but it's the same. I saved them with the actual password and port info in my KeePass database.
My guess is that the firmware was updated automatically and they changed the procedure for how the root password is initially set?
I have 3 other spare gateways left I could use. But I want to understand first what's going on.
Any idea? I'm interested in debugging; I could share a terminal within Teams or something similar.
Hello!
It is a nice job you've done, but it requires some more effort to fix the issues.
Currently, after updating to the latest firmware suggested (NCP_UHW_MG1B232_678_PA0-PA1-PB11_PA5-PA4.gbl),
I am having all sorts of trouble running a Zigbee network, and I have a big one (~200 devices), though even in a redundant state (~50 devices - all bulbs) it fails instantly. I am getting the following errors in the log of my HA instance running only the ZHA integration for test purposes:
Logger: homeassistant.components.websocket_api.http.connection
Source: components/zha/light.py:234
Integration: Home Assistant WebSocket API (documentation, issues)
First occurred: 20:11:09 (7 occurrences)
Last logged: 20:12:15
[2771035904] duplicate 2 TSN
[2771035904] duplicate 42 TSN
[2771035904] duplicate 142 TSN
[2771035904] duplicate 150 TSN
[2771035904] duplicate 92 TSN
AssertionError
The above exception was the direct cause of the following exception:
Traceback (most recent call last):
File "/usr/src/homeassistant/homeassistant/components/websocket_api/commands.py", line 136, in handle_call_service
await hass.services.async_call(
File "/usr/src/homeassistant/homeassistant/core.py", line 1455, in async_call
task.result()
File "/usr/src/homeassistant/homeassistant/core.py", line 1490, in _execute_service
await handler.job.target(service_call)
File "/usr/src/homeassistant/homeassistant/helpers/entity_component.py", line 204, in handle_service
await self.hass.helpers.service.entity_service_call(
File "/usr/src/homeassistant/homeassistant/helpers/service.py", line 595, in entity_service_call
future.result() # pop exception if have
File "/usr/src/homeassistant/homeassistant/helpers/entity.py", line 664, in async_request_call
await coro
File "/usr/src/homeassistant/homeassistant/helpers/service.py", line 632, in _handle_entity_call
await result
File "/usr/src/homeassistant/homeassistant/components/light/__init__.py", line 233, in async_handle_light_on_service
await light.async_turn_on(**params)
File "/usr/src/homeassistant/homeassistant/components/zha/light.py", line 546, in async_turn_on
await super().async_turn_on(**kwargs)
File "/usr/src/homeassistant/homeassistant/components/zha/light.py", line 234, in async_turn_on
result = await self._on_off_channel.on()
File "/usr/local/lib/python3.8/site-packages/zigpy/group.py", line 44, in request
res = await self.application.mrequest(
File "/usr/local/lib/python3.8/site-packages/bellows/zigbee/application.py", line 415, in mrequest
with self._pending.new(message_tag) as req:
File "/usr/local/lib/python3.8/site-packages/zigpy/util.py", line 262, in new
raise ControllerException(f"duplicate {sequence} TSN") from AssertionError
zigpy.exceptions.ControllerException: duplicate 242 TSN
Logger: zigpy.device
Source: /usr/local/lib/python3.8/site-packages/zigpy/device.py:127
First occurred: 18:34:21 (10 occurrences)
Last logged: 19:25:31
[0xb057] Failed to discover active endpoints
[0x656e] Failed to discover active endpoints
[0x7fde] Failed to discover active endpoints
[0x96b3] Failed to discover active endpoints
[0xf1a0] Failed to discover active endpoints
Traceback (most recent call last):
File "/usr/local/lib/python3.8/site-packages/zigpy/device.py", line 119, in _initialize
status, _, endpoints = await self.zdo.Active_EP_req(
File "/usr/local/lib/python3.8/site-packages/zigpy/util.py", line 110, in retry
r = await func()
File "/usr/local/lib/python3.8/site-packages/zigpy/device.py", line 214, in request
raise zigpy.exceptions.DeliveryError(
zigpy.exceptions.DeliveryError: [0xad68:0:0x0005]: Message send failure
Logger: homeassistant.components.zha.core.gateway
Source: components/zha/core/gateway.py:157
Integration: Zigbee Home Automation (documentation, issues)
First occurred: 17:17:05 (55 occurrences)
Last logged: 18:28:02
Couldn't start EZSP = Silicon Labs EmberZNet protocol: Elelabs, HUSBZB-1, Telegesis coordinator
Traceback (most recent call last):
File "/usr/local/lib/python3.8/site-packages/serial/urlhandler/protocol_socket.py", line 63, in open
self._socket = socket.create_connection(self.from_url(self.portstr), timeout=POLL_TIMEOUT)
File "/usr/local/lib/python3.8/socket.py", line 808, in create_connection
raise err
File "/usr/local/lib/python3.8/socket.py", line 796, in create_connection
sock.connect(sa)
OSError: [Errno 113] Host is unreachable
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/src/homeassistant/homeassistant/components/zha/core/gateway.py", line 157, in async_initialize
self.application_controller = await app_controller_cls.new(
File "/usr/local/lib/python3.8/site-packages/zigpy/application.py", line 69, in new
await app.startup(auto_form)
File "/usr/local/lib/python3.8/site-packages/bellows/zigbee/application.py", line 108, in startup
self._ezsp = await bellows.ezsp.EZSP.initialize(self.config)
File "/usr/local/lib/python3.8/site-packages/bellows/ezsp/__init__.py", line 78, in initialize
await ezsp.connect()
File "/usr/local/lib/python3.8/site-packages/bellows/ezsp/__init__.py", line 88, in connect
self._gw = await bellows.uart.connect(self._config, self)
File "/usr/local/lib/python3.8/site-packages/bellows/uart.py", line 352, in connect
protocol, connection_done = await thread.run_coroutine_threadsafe(
File "/usr/local/lib/python3.8/site-packages/bellows/uart.py", line 330, in _connect
transport, protocol = await serial_asyncio.create_serial_connection(
File "/usr/local/lib/python3.8/site-packages/serial_asyncio/__init__.py", line 445, in create_serial_connection
serial_instance = serial.serial_for_url(*args, **kwargs)
File "/usr/local/lib/python3.8/site-packages/serial/__init__.py", line 90, in serial_for_url
instance.open()
File "/usr/local/lib/python3.8/site-packages/serial/urlhandler/protocol_socket.py", line 66, in open
raise SerialException("Could not open port {}: {}".format(self.portstr, msg))
serial.serialutil.SerialException: Could not open port socket://192.168.1.149:8888: [Errno 113] Host is unreachable
Often the coordinator just gets stuck and even a hard reboot does not save the situation - I have to delete the configuration and reinstall ZHA from scratch to bring it back to life ... for a little while...
That is the state of events at the present moment...
Hi,
when I hack the gateway using these scripts, can I still use the Tuya mobile app (aka dual mode: local + Tuya cloud)?
Thank you!
Thanks for your time and effort in this project! I have 2 MOES-branded Zigbee bridges that are internally the same as the one you use.
Let's start with the fact that I was able to obtain the root password from bridge number 1 (I will come back to that one in another post). Following the same procedure I'm able to get both KEK/AUSKEY, but when re-using the script to decrypt the root password, I run into a problem:
root# python3 lidl_auskey_decode.py
Enter KEK hex string line>5A5AA5A5 401A4000 8F7B238C 001AD582
Encoded aus-key as hex string line 1>13F436F6 E44A50B4 5AF2F409 7AE9D394
Encoded aus-key as hex string line 2>8E335DD1 C67C31D9 63B3EBD5 2C7C790A
Traceback (most recent call last):
File "lidl_auskey_decode.py", line 64, in <module>
print("Auskey:", auskey.decode("ascii"))
UnicodeDecodeError: 'ascii' codec can't decode byte 0xaa in position 2: ordinal not in range(128)
Any ideas?
Please consider adding automatic network discovery of this so it can be discovered by Home Assistant's ZHA (Zigbee) integration:
Support for Zeroconf network discovery of Tube's ESPHome based Zigbee Gateways was recently added to the ZHA integration:
Note that Home Assistant already has integration support to add Zeroconf and/or SSDP automatic network discovery methods.
After a successful retrieval of the password for Gateway1 (I have 2 of these), I got a login prompt and tried to login with root/password obtained via the serial connection. Don't know what exactly happened next, but currently the gateway seems to loop. I'm still able to retrieve the keys after using .
The loop looks like
Booting...
Booting...
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@
@ chip__no chip__id mfr___id dev___id cap___id size_sft dev_size chipSize
@ 0000000h 0c84018h 00000c8h 0000040h 0000018h 0000000h 0000018h 1000000h
@ blk_size blk__cnt sec_size sec__cnt pageSize page_cnt chip_clk chipName
@ 0010000h 0000100h 0001000h 0001000h 0000100h 0000010h 000004eh GD25Q128
@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
DDR1:32MB
---RealTek(RTL8196E)at 2021.01.21-19:59+0800 v3.4T-pre2 16bit
P0phymode=01, embedded phy
check_image_header return_addr:05010000 bank_offset:00000000
no sys signature at 00010000!
P0phymode=01, embedded phy
SPI flash(GD25Q128) was found at CS0, size 0x1000000
boot+cfg offset=0x0 size=0x20000 erasesize=0x10000
linux offset=0x20000 size=0x1e0000 erasesize=0x10000
rootfs offset=0x200000 size=0x200000 erasesize=0x10000
tuya-label offset=0x400000 size=0x20000 erasesize=0x10000
jffs2-fs offset=0x420000 size=0xbe0000 erasesize=0x10000
5 rtkxxpart partitions found on MTD device flash_bank_1
Creating 5 MTD partitions on "flash_bank_1":
0x000000000000-0x000000020000 : "boot+cfg"
0x000000020000-0x000000200000 : "linux"
0x000000200000-0x000000400000 : "rootfs"
0x000000400000-0x000000420000 : "tuya-label"
0x000000420000-0x000001000000 : "jffs2-fs"
PPP generic driver version 2.4.2
nf_conntrack version 0.5.0 (432 buckets, 1728 max)
ip_tables: (C) 2000-2006 Netfilter Core Team
TCP: cubic registered
NET: Registered protocol family 17
l2tp_core: L2TP core driver, V2.0
8021q: 802.1Q VLAN Support v1.8
Realtek FastPath:v1.03
Probing RTL819X NIC-kenel stack size order[1]...
eth0 added. vid=9 Member port 0x10f...
eth1 added. vid=8 Member port 0x10...
Booting...
I've picked up a cheap ethernet gateway off Aliexpress.
Seems to be the same hardware as the Lidl
Firmware is a lot newer - I've added headers and got to the boot messages so far.
Pressing ESC doesn't seem to get to the bootload prompt.
Any suggestions for next steps?
Booting...
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@
@ chip__no chip__id mfr___id dev___id cap___id size_sft dev_size chipSize
@ 0000000h 0c84018h 00000c8h 0000040h 0000018h 0000000h 0000018h 1000000h
@ blk_size blk__cnt sec_size sec__cnt pageSize page_cnt chip_clk chipName
@ 0010000h 0000100h 0001000h 0001000h 0000100h 0000010h 000004eh GD25Q128
@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
DDR1:32MB
---RealTek(RTL8196E)at 2022.09.02-15:49+0800 v3.4T-pre2 [16bit](380MHz)
P0phymode=01, embedded phy
check_image_header return_addr:05010000 bank_offset:00000000
no sys signature at 00010000!
get uboot flag failed
Jump to image start=0x80c00000...
decompressing kernel:
Uncompressing Linux... done, booting the kernel.
done decompressing kernel.
start address: 0x80003780
Linux version 3.10.90 (huangxh@embed) (gcc version 4.6.4 (Realtek RSDK-4.6.4 Build 2080) ) #5 Fri Sep 2 15:52:57 CST 2022
CPU revision is: 0000cd01
Determined physical RAM map:
memory: 02000000 @ 00000000 (usable)
Zone ranges:
Normal [mem 0x00000000-0x01ffffff]
Movable zone start for each node
Early memory node ranges
node 0: [mem 0x00000000-0x01ffffff]
icache: 16kB/16B, dcache: 8kB/16B, scache: 0kB/0B
Built 1 zonelists in Zone order, mobility grouping on. Total pages: 8128
Kernel command line: console=ttyS0,38400 root=/dev/mtdblock2
PID hash table entries: 128 (order: -3, 512 bytes)
Dentry cache hash table entries: 4096 (order: 2, 16384 bytes)
Inode-cache hash table entries: 2048 (order: 1, 8192 bytes)
Memory: 27344k/32768k available (2763k kernel code, 5424k reserved, 562k data, 192k init, 0k highmem)
SLUB: HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
NR_IRQS:128
console [ttyS0] enabled
Calibrating delay loop... 378.47 BogoMIPS (lpj=1892352)
pid_max: default: 4096 minimum: 301
Mount-cache hash table entries: 512
reg e0=0
reg e1=0
reg e2=0
reg e3=0
reg e4=0
reg e5=0
reg e6=0
reg e7=0
reg f0=0
reg f1=0
reg f2=0
reg f3=0
reg f4=0
reg f5=0
reg f6=0
NET: Registered protocol family 16
bio: create slab <bio-0> at 0
NET: Registered protocol family 2
TCP established hash table entries: 512 (order: 0, 4096 bytes)
TCP bind hash table entries: 512 (order: -1, 2048 bytes)
TCP: Hash tables configured (established 512 bind 512)
TCP: reno registered
UDP hash table entries: 256 (order: 0, 4096 bytes)
UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
NET: Registered protocol family 1
squashfs: version 4.0 (2009/01/31) Phillip Lougher
jffs2: version 2.2. (NAND) © 2001-2006 Red Hat, Inc.
msgmni has been set to 53
Block layer SCSI generic (bsg) driver version 0.4 loaded (major 254)
io scheduler noop registered
io scheduler deadline registered
io scheduler cfq registered (default)
Serial: 8250/16550 driver, 2 ports, IRQ sharing disabled
serial8250: ttyS0 at MMIO 0x18002000 (irq = 9) is a 16550A
serial8250: ttyS1 at MMIO 0x18002100 (irq = 13) is a 16550A
Realtek GPIO Driver for Flash Reload Default
tuya_gpio_init ok, scan expire time:50
SPI INIT
------------------------- Force into Single IO Mode ------------------------
|No chipID Sft chipSize blkSize secSize pageSize sdCk opCk chipName |
| 0 c84018h 0h 1000000h 10000h 10000h 100h 84 0 GD25Q128|
----------------------------------------------------------------------------
SPI flash(GD25Q128) was found at CS0, size 0x1000000
boot+cfg offset=0x0 size=0x20000 erasesize=0x10000
linux offset=0x20000 size=0x1e0000 erasesize=0x10000
rootfs offset=0x200000 size=0x200000 erasesize=0x10000
tuya-label offset=0x400000 size=0x20000 erasesize=0x10000
jffs2-fs offset=0x420000 size=0xbe0000 erasesize=0x10000
5 rtkxxpart partitions found on MTD device flash_bank_1
Creating 5 MTD partitions on "flash_bank_1":
0x000000000000-0x000000020000 : "boot+cfg"
0x000000020000-0x000000200000 : "linux"
0x000000200000-0x000000400000 : "rootfs"
0x000000400000-0x000000420000 : "tuya-label"
0x000000420000-0x000001000000 : "jffs2-fs"
PPP generic driver version 2.4.2
nf_conntrack version 0.5.0 (427 buckets, 1708 max)
ip_tables: (C) 2000-2006 Netfilter Core Team
TCP: cubic registered
NET: Registered protocol family 10
sit: IPv6 over IPv4 tunneling driver
NET: Registered protocol family 17
l2tp_core: L2TP core driver, V2.0
8021q: 802.1Q VLAN Support v1.8
Realtek FastPath:v1.03
Probing RTL819X NIC-kenel stack size order[1]...
eth0 added. vid=9 Member port 0x10f...
eth1 added. vid=8 Member port 0x10...
[peth0] added, mapping to [eth1]...
VFS: Mounted root (squashfs filesystem) readonly on device 31:2.
Freeing unused kernel memory: 192K (80340000 - 80370000)
init started: BusyBox v1.13.4 (2022-09-02 15:48:01 CST)
Set power startcmd read
b8000038: 2794A104 0000000F 00000042 00000018 '▒▒ B
cmd write
Write memory 0xb8000038 dat 0x1794a104: 0x1794a104
Set power end
killall: dropbear: no process killed
Please press Enter to activate this console. udhcpc (v1.13.4) started
Tuya Gateway Application Normal Srart /tuya/tuya_start.sh UserAppRunDir:
set defult run_dir:/tuya
TY_ENV_APP_RUN_DIR=/tuya
Sending discover...
get user cfg file error, load defult cfg file
load platform configure file:/tuya/def.cfg
start.conf is exist
udhcpc (v1.13.4) started
current run dir:/tuya/tuya_user1
tuya_start_children.sh:UserAppRunDir:/tuya JsonFile Path:/tuya/def.cfg [engineer_mode: ]
grep: /var/resolv.conf: No such file or directory
Sending discover...
killall: app_detect.sh: no process killed
killall: tyZ3Gw: no process killed
killall: log_detect.sh: no process killed
killall: process_monitor.sh: no process killed
killall: tyZ3Gw: no process killed
killall: dropbear: no process killed
Sending discover...
cat: can't open '/tuya/eng_mode': No such file or directory
no eng file
Sending discover...
nlRecvFromAppSock sg_netlinkKeyPid:242
nlRecvFromAppSock port link sg_netlinkPid:242
nameserver 8.8.8.8
nameserver 114.114.114.114
Sending discover...
Sending discover...
Sending discover...
First of all: Thanks for this project
Is this project still valid for the newer model of the Lidl Silvercrest Zigbee Gateway, Model HG07132?
I followed your steps on https://paulbanks.org/projects/lidl-zigbee/
I do not get any output in Minicom
Thanks for any tips
The script always gives me the error message.
[rave@satellite Downloads]$ python3 lidl_auskey_decode-new.py
Enter KEK hex string line>80000000: FFFFFFFF FFFFFFFF FFFFFFFFFFFFFFFF
Encoded aus-key as hex string line 1>80000000: FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
Encoded aus-key as hex string line 2>80000010: FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
Traceback (most recent call last):
File "/home/rave/Downloads/lidl_auskey_decode-new.py", line 65, in <module>
print("Auskey:", auskey.decode("ascii"))
^^^^^^^^^^^^^^^^^^^^^^
UnicodeDecodeError: 'ascii' codec can't decode byte 0xec in position 0: ordinal not in range(128)
[rave@satellite Downloads]$
System is Fedora 40 with python3-3.12.3-2.fc40.x86_64
I am also wondering about the output of KEK and AUSKEY in the serial console.
<RealTek>FLR 80000000 401802 16
Flash read from 00401802 to 80000000 with 00000016 bytes ?
(Y)es , (N)o ? --> y
Flash Read Successed!
<RealTek>DW 80000000 4
80000000: FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
<RealTek>
<RealTek>FLR 80000000 402002 32
Flash read from 00402002 to 80000000 with 00000032 bytes ?
(Y)es , (N)o ? --> y
Flash Read Successed!
<RealTek>DW 80000000 8
80000000: FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
80000010: FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
<RealTek>
I post this in public because I think the output is wrong.
Can you please help me get the root password of my Lidl gateway?
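Added example, not part of the original post or of the project's scripts: a pre-check for the lines pasted from the bootloader's DW output. It accepts the optional address column and words fused by copy/paste, and reports when a region reads back as erased NOR flash (all 0xFF), in which case there is no key material to decode. The function names are hypothetical; the sample lines are the ones quoted in the issues on this page.

```python
import re

# Optional "80000000:" address column printed by the bootloader's DW command.
_ADDR_PREFIX = re.compile(r"^\s*[0-9A-Fa-f]{8}:\s*")
LINE_BYTES = 16  # DW prints four 32-bit words per line


class DumpError(ValueError):
    """Raised when a pasted DW line is not exactly 16 bytes of hex."""


def parse_dw_line(line):
    """Return the 16 bytes of one DW line, in the order the digits are printed.

    Assumption: the caller wants the printed order; any byte swapping the
    decoder needs is left to the decoder.
    """
    body = _ADDR_PREFIX.sub("", line.strip())
    digits = re.sub(r"\s+", "", body)  # tolerate words fused by copy/paste
    if not digits or not re.fullmatch(r"[0-9A-Fa-f]+", digits):
        raise DumpError(f"not a hex dump line: {line!r}")
    if len(digits) != LINE_BYTES * 2:
        raise DumpError(
            f"expected {LINE_BYTES * 2} hex digits, got {len(digits)}: {line!r}"
        )
    return bytes.fromhex(digits)


def classify_dump(lines):
    """Classify a flash read as 'erased' (all 0xFF), 'zeroed' or 'data'."""
    data = b"".join(parse_dw_line(line) for line in lines)
    if set(data) == {0xFF}:
        return "erased"
    if set(data) == {0x00}:
        return "zeroed"
    return "data"


def check_inputs(kek_line, auskey_lines):
    """Return a list of problems found before any decoding is attempted."""
    problems = []
    regions = (("KEK", [kek_line], 1), ("AUSKEY", list(auskey_lines), 2))
    for name, lines, want in regions:
        if len(lines) != want:
            problems.append(f"{name}: expected {want} line(s), got {len(lines)}")
            continue
        try:
            state = classify_dump(lines)
        except DumpError as exc:
            problems.append(f"{name}: {exc}")
            continue
        if state != "data":
            problems.append(
                f"{name}: region reads back as {state}; "
                "no key is stored at the address that was read"
            )
    return problems


# Lines quoted in the issues on this page.
KEK_ERASED = "80000000: FFFFFFFF FFFFFFFF FFFFFFFFFFFFFFFF"  # two words fused
AUSKEY_ERASED = [
    "80000000: FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF",
    "80000010: FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF",
]
# Taken from two different posts; paired here only to exercise the parser.
KEK_DATA = "5A5AA5A5 401A4000 8F7B238C 001AD582"
AUSKEY_DATA = [
    "80000000: ECBF6766 4674D1E7 06711FE1 C43E49B7",
    "80000010: FA011E25 563B2EA3 BE57D96F 19E3CFE1",
]

if __name__ == "__main__":
    for problem in check_inputs(KEK_ERASED, AUSKEY_ERASED):
        print(problem)
```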
Pictures of the Tuya TYGWZ-01 / TuyaGo TYGWZ01 and links to the official product page are missing from the project website:
https://paulbanks.org/projects/lidl-zigbee/
I suggest mentioning "Tuya TYGWZ-01 (also known as TuyaGo TYGWZ01)" as well as adding links plus one or a few images:
Product dimensions: 90x90x23mm (Package dimensions: 1000x1000x50mm)
https://go.tuya.com/en/productDetail?code=83jt6kkktau3
https://zigbeealliance.org/zigbee_products/tuya-smart-gateway/
The obvious advantage of the original TYGWZ-01 (non-Lidl/Silvercrest) gateway is its availability outside of Europe.
Such wide availability should benefit all people and projects whose goal is to hack it for purposes other than its intended use.
It is also sold under different rebranded names such as Lonsonho, Moes, BENEXMART, Kstyhome, Moniclern, OWSOO, Zemismart, as well as in combination with Zigbee devices:
https://www.amazon.com/Zigbee-Switch-standard-Control-gateway/dp/B082B2FT6V
https://www.amazon.com/Gateway-Control-Temperature-humidity-gateway/dp/B083PRPYQ8/
https://www.amazon.com/OWSOO-Gateway-Wireless-Control-Compatible/dp/B08YNG15XQ
https://www.amazon.com/Moniclern-Powered-Gateway-Connection-Products/dp/B08HV1BNLG
https://www.amazon.com/Kstyhome-Powered-Gateway-Connection-Products/dp/B08XY37L49/
https://www.amazon.com/OWSOO-Powered-Gateway-Connection-Products/dp/B08768DMJJ/
https://www.amazon.com/OWSOO-Temperature-Humidity-Automation-Security/dp/B0868QJ1NV/
https://www.amazon.com/OWSOO-Temperature-Humidity-Automation-Security/dp/B0868NZHJZ/
As you all probably already know TYGWZ01 is also available in online stores in the European Union and the United Kingdom:
https://www.amazon.de/ZigBee-Gateway-zentraler-Controller-Hub-ZigBee-Ger%C3%A4te/dp/B083584M99/
https://www.amazon.co.uk/Zigbee-Gateway-Central-Controller-Devices/dp/B083584M99/
https://www.amazon.co.uk/TYGWZ-01-Gateway-Central-Controller-Devices/dp/B07N65MXD4/
https://www.amazon.de/BENEXMART-PIR-Sensor-Temperatur-Feuchtigkeitssensor-Combination/dp/B07SCXNG14/
It can of course be ordered from Chinese stores like BangGood, Gearbest, or Aliexpress, but shipping from China is slow now.
https://www.gearbest.com/other-car-gadgets/pp_3008504694819915.html?wid=2000001
https://www.aliexpress.com/item/1005002441359324.html
https://www.aliexpress.com/item/4000071525839.html
https://www.aliexpress.com/item/1005002340919938.html
https://www.aliexpress.com/item/1005002007026244.html
https://www.aliexpress.com/item/1005002341316609.html
https://www.aliexpress.com/item/4001263689776.html
https://www.aliexpress.com/item/4001263868157.html
https://www.aliexpress.com/item/1005002545821613.html
You just have to do a little research before placing an order to really get the Ethernet ("wired") version and not the WiFi version.
When I try to read an attribute (e.g. app_version from Aqara Weather sensor)
I constantly get the following error in Home Assistant log:
Logger: homeassistant.components.websocket_api.http.connection
Source: components/zha/api.py:679
Integration: Home Assistant WebSocket API (documentation, issues)
First occurred: 9:19:53 AM (4 occurrences)
Last logged: 9:26:11 AM
[547770400288] Error handling message: Unknown error
[547681024800] Error handling message: Unknown error
Traceback (most recent call last):
File "/usr/src/homeassistant/homeassistant/components/websocket_api/decorators.py", line 26, in _handle_async_response
await func(hass, connection, msg)
File "/usr/src/homeassistant/homeassistant/components/zha/api.py", line 679, in websocket_read_zigbee_cluster_attributes
success, failure = await cluster.read_attributes(
File "/usr/local/lib/python3.9/site-packages/zigpy/zcl/__init__.py", line 297, in read_attributes
result = await self.read_attributes_raw(to_read, manufacturer=manufacturer)
File "/usr/local/lib/python3.9/site-packages/zigpy/device.py", line 287, in request
raise zigpy.exceptions.DeliveryError(
zigpy.exceptions.DeliveryError: [0x2513:1:0x0000]: Message send failure
Don't know if it is a problem in HA, in ZBGW or what... 😃
I found your website and followed everything to the letter. I managed to get the password, log in, put serialgateway in the /tuya/ dir and execute the script. I get a new tuya_start.original.sh and a new tuya_start.sh. When I use cat to check the new files I think the output is correct:
But: after reboot I can't reach the unit through Home Assistant, and I am still able to SSH to port 2333. So something is not completely working.
Do you have a hint for me to take me to the next and last step?
Thanks!
Hello Sir,
First of all a big thank you!
I managed to get my device unlocked.
I have a plan for my device and need to know if this is possible or can be implemented.
I'm no coder, but I do my best.
I would, if it is possible, also solder an ESP on top to send / receive ESP-Now signals over this device.
Is it possible to send the requests over the hacked device and have them sent over MQTT to my openHAB over my hacked gateway?
I am looking forward to an answer.
Kind regards and Merry Christmas
Mordi
Less of an issue and more of an "advice": Revision 2 of the Lidl gateway (rounded edges) is the "exact same". Its firmware just has SSH disabled. You need to TTL onto the device and start its dropbear SSH server with:
dropbear -p "port"
From there on you are able to ssh into the device with your given root until the next restart.
It's recommended to follow the tutorial part in which you set the ssh port to "always on" and "port 22":
if [ ! -f /tuya/ssh_monitor.original.sh ]; then cp /tuya/ssh_monitor.sh /tuya/ssh_monitor.original.sh; fi
echo "#!/bin/sh" >/tuya/ssh_monitor.sh
ALSO FOR NOOBS LIKE ME;
IF:
Unable to negotiate with "ip.address" "port" : no matching host key type found. Their offer: ssh-rsa,ssh-dss
USE:
ssh -o HostKeyAlgorithms=+ssh-rsa "ip-address" -p "port"
I might have tinkered too far and need to restore the original dump but have no idea on the FLW command for it.
Hoping this unbricks my device after following
https://community.home-assistant.io/t/hacking-the-silvercrest-lidl-tuya-smart-home-gateway/270934/148
FLW 200000 80500000 000E1002
Hi, I just bought the hub for experiments and was passing by this repo to see if the instructions here will still apply to the hub I have.
So I have this version of a gateway:
Examples of aliexpress link:
https://www.aliexpress.com/item/4000452898540.html
https://www.aliexpress.com/item/1005003190609659.html
This is what the mobo looks like:
(it's pretty different, you can note it uses RTL8197FS)
And I've started my experiments.
6 rtkxxpart partitions found on MTD device m25p80
Creating 6 MTD partitions on "m25p80":
0x000000000000-0x000000270000 : "boot+cfg+linux"
0x000000270000-0x000000640000 : "rootfs"
0x000000640000-0x000000b40000 : "app"
0x000000b40000-0x000001040000 : "backup"
0x000001040000-0x000001fe0000 : "data"
0x000001fe0000-0x000002000000 : "factory"
ESC
on the early load steps0000000000000
And that's pretty expected, the partitions\addresses\offsets might be different
python dump_flash.py --serial-port /dev/ttyUSB0 --output-file rootfs.bin --start-addr 0x270000 --end-addr 0x640000
sudo unsquashfs rootfs.bin
Reading a different endian SQUASHFS filesystem on rootfs.bin
Filesystem on rootfs.bin is (0:4), which is a later filesystem version than I support!
Also, the squashfs-tools-ng gets me a rootfs.bin: reading super block: wrong magic value in super bloc
For now I'm thinking that the dumping could have gone wrong and I have a corrupted img.
13. ...
14. I'll try to share if I am able to make more progress
Thanks again for the instructions & scripts
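Added example, not part of the original post or of dump_flash.py: a check of the SquashFS superblock at the start of a dumped partition, which separates a dump that starts at the wrong offset or is truncated from one that is simply in a byte order or version the local unsquashfs does not read. Field offsets follow the SquashFS 4.0 superblock; accepting the big-endian magic is an assumption about vendor images, the function names are hypothetical, and the sample images are constructed.

```python
import struct

SUPERBLOCK_LEN = 96
# SquashFS 4.0 superblock: magic, inodes, mkfs_time, block_size, fragments,
# compression, block_log, flags, no_ids, s_major, s_minor, then eight
# 64-bit fields starting with root_inode and bytes_used.
LAYOUT = "5I6H8Q"
MAGIC = 0x73717368  # "hsqs" on disk when little-endian, "sqsh" when big-endian


def inspect_squashfs(image):
    """Classify a dumped partition by the SquashFS superblock at offset 0."""
    if len(image) < SUPERBLOCK_LEN:
        return {"status": "too-short"}
    order = {b"hsqs": "<", b"sqsh": ">"}.get(image[:4])
    if order is None:
        # A magic found later in the dump suggests a wrong start address.
        hits = [p for p in (image.find(b"hsqs"), image.find(b"sqsh")) if p >= 0]
        return {"status": "no-magic", "magic_found_at": min(hits, default=None)}

    major, minor = struct.unpack_from(order + "HH", image, 28)
    report = {
        "status": "superblock",
        "endian": "little" if order == "<" else "big",
        "version": (major, minor),
        "problems": [],
    }
    if major != 4:
        # Other versions lay the remaining fields out differently.
        report["problems"].append("not a 4.x superblock; other fields not checked")
        return report

    fields = struct.unpack_from(order + LAYOUT, image, 0)
    block_size, block_log, bytes_used = fields[3], fields[6], fields[12]
    if not 12 <= block_log <= 20 or block_size != 1 << block_log:
        report["problems"].append("block_size does not match block_log")
    if bytes_used > len(image):
        report["problems"].append("bytes_used exceeds dump size")
    return report


def build_superblock(order, bytes_used, block_log=17, version=(4, 0)):
    """Constructed sample: a bare 4.0-style superblock with no file data."""
    return struct.pack(
        order + LAYOUT,
        MAGIC, 0, 0, 1 << block_log, 0,          # 5 x u32
        1, block_log, 0, 0, version[0], version[1],  # 6 x u16
        0, bytes_used, 0, 0, 0, 0, 0, 0,          # 8 x u64
    )


# Constructed inputs (not real firmware).
GOOD_LE = build_superblock("<", 4096).ljust(4096, b"\0")
TRUNCATED_BE = build_superblock(">", 0x3D0000).ljust(1024, b"\0")
SHIFTED = b"\xff" * 16 + GOOD_LE   # dump started 16 bytes too early
BLANK = b"\xff" * 4096             # erased flash

if __name__ == "__main__":
    for name, img in (("good", GOOD_LE), ("truncated", TRUNCATED_BE),
                      ("shifted", SHIFTED), ("blank", BLANK)):
        print(name, inspect_squashfs(img))
```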
hi,
I have the following problem with dump_flash.py when executing it through the IDLE shell.
File "xxxxx\dump_flash(1).py", line 57, in <module>
with open(args.output_file,"wb") as fOut:
TypeError: expected str, bytes or os.PathLike object, not NoneType
I have no idea how to solve the problem...
Hello,
Thank you for your very detailed work.
I can confirm that this technique works on the "smarthome silvercrest 2021". 👍
I have some questions about the identification of the addresses where the keys are stored and the identification of the encryption algorithm (AES).
How did you identify the physical addresses?
How did you figure out that the data was encrypted with AES?
Hi,
I just bought my second Lidl gateway that I wanted to root.
I spotted that you reworked your website https://paulbanks.org and now the "using this technique" link is broken, as the "root.html" is a 404.
https://paulbanks.org/projects/lidl-zigbee/root.html
Just as a heads-up
From /tmp (which is deleted after reboot and not saved in the flash).
dd if=/dev/mtd0 of=/tmp/dmtd0.bin
for mtd0 - mtd4
Install tftpd64.464 and configure your eth network.
tftp -l /tmp/dmtd0.bin -r dmtd0.bin -p 192.168.2.10
For dmtd0.bin - dmtd4.bin
The tftp is a BusyBox version and has fewer parameters and doesn't print command errors so well, but it looks to be working OK.
I have 5 bin files that look good, but I have not verified that they are 100% OK.
Would someone like to try verifying that it is working???
ZHA is working great, but my Docker under Windows is doing strange things so I can't test so much.
Great work done!!
Hi Paul,
Amazing project!
I already have a Lidl Silvercrest gateway up and running which I wish to integrate with Home Assistant.
I would appreciate a step-by-step n00b-proof guide.
Thanks
Cheers,
Hello,
After doing all the steps I tried to add a new user, but got a read-only system; then I tried to change the password and got success, but after reboot I cannot log in with the new password or the one that I retrieved from the script.
The gateway appears to work normally but I cannot log in via console or ssh.
Thanks
Hello,
I have a problem assigning any channel other than 25 to the TYGWZ-01 coordinator.
I've used this gateway with my old network on channel 25. Now I am trying to build a new network with it in the neighboring room, while all old devices were deleted from the ZHA configuration for this coordinator, the configuration was deleted also, and the coordinator was moved to a brand new Raspberry Pi.
I just installed a fresh container image for HA and tried to add the coordinator to ZHA. But no matter what I try it keeps assigning channel 25 to it!
How do I make it run on channel 23 then?
My config:
zha:
  zigpy_config:
    network:
      channel: 23 # What channel the radio should try to use.
      channels: [21, 22, 23] # Channel mask
When I run lidl_auskey_decode.py I'm always getting an error message.
I've already tried two different systems.
Encoded aus-key as hex string line 1>80000000: ECBF6766 4674D1E7 06711FE1 C43E49B7
Encoded aus-key as hex string line 2>80000010: FA011E25 563B2EA3 BE57D96F 19E3CFE1
Traceback (most recent call last):
File "/tmp/lidl-gateway-freedom-Release-1.2/scripts/lidl_auskey_decode.py", line 58, in <module>
cipher = AES.new(kek, AES.MODE_ECB)
File "/usr/local/lib/python3.10/dist-packages/Crypto/Cipher/AES.py", line 95, in new
return AESCipher(key, *args, **kwargs)
File "/usr/local/lib/python3.10/dist-packages/Crypto/Cipher/AES.py", line 59, in __init__
blockalgo.BlockAlgo.__init__(self, _AES, key, *args, **kwargs)
File "/usr/local/lib/python3.10/dist-packages/Crypto/Cipher/blockalgo.py", line 141, in __init__
self._cipher = factory.new(key, *args, **kwargs)
SystemError: PY_SSIZE_T_CLEAN macro must be defined for '#' formats
Both systems are running different Ubuntu versions but the result is the same.
I also tried to enter KEK and AUSKEY without the leading 800000x0 or without blanks. It always brings up the same error.
I can see in the code that parameter p = TCP port and can be overridden when loading the application.
I would like to try using the /dev/ttyS0 that is being used as the local console for an IKEA ICC-A-1 module for sniffing Zigbee traffic.
Is it possible for you to implement a parameter like "-S0" for starting Socat using /dev/ttyS0?
I think I can (with not so much Linux compiling experience) download the toolchain and compile a separate binary for it, but then I also must have 2 95% identical versions installed in the ZBGW.
Do you have some good advice for "muting" the log / debug output on the local console as much as possible? Redirecting logs to dev null?
The Zigbee sniffing is never started at boot so that is not a problem (if not getting the NCP in a blocking state because of boot logging), but it's very nice then to have all that I need on J1 for doing good sniffing at full speed, also in large networks.
PS: All EZSP NCP firmware (if not stripped) has a working mode for sniffing Zigbee.
I just purchased a Silvercrest Zigbee GW board rev 1.0.2.7. I successfully gained root access.
The GW is not exposing port 8888 on my network though.
When running the serialgateway on my Silvercrest Zigbee GW board rev 1.0.2.7:
I get this error:
Segmentation fault
Any ideas/tips how to proceed?
Unfortunately I don't know how to build the serialgateway SW myself; I am not advanced enough in Linux nor C++...
Hi there,
great project, thanks!
I am having problems with my recently acquired Moes sensors: https://www.aliexpress.com/item/1005002535901726.html . It seems to be a Tuya device. I have six of them and they all behave the same.
As it appears, the sensor works well on its own if I reset it. I also coupled the sensor to a not-hacked Lidl gateway, and so far no problems.
However, as soon as I couple it to the hacked gateway (which is connected to Home Assistant through ZHA), the sensor starts reporting zeros and eventually goes into some kind of reboot loop. Here's a more detailed sequence of events:
Have you ever experienced a similar problem with this or a different sensor? And can you maybe propose a fix? I really like the sensors but I really do not want to route all my temperature readings through the Tuya cloud...
Thanks for any hint!
never mind
How can I do this operation (and similar operation with TFTP):
- Finally we TFTP'd the newroot.bin file to the device and used the bootloader command FLW to write it to flash.
Please give a step-by-step manual for using TFTP to write images to the device.
Hi,
can someone post the content of the original tuya_start.sh? The if clause got ignored while restoring back to factory and thus it has been overwritten :(
After not being able to connect to port 8888 after a reboot, I tried to start serialgateway manually:
# /bin/sh /tuya/serialgateway
/tuya/serialgateway: line 1: syntax error: "(" unexpected
Could it be that there's an error in the provided prebuilt serialgateway.bin?
First of all, thank you for the article. Just a ticket to warn. I had the bad idea to make an ssh-copy-id ... I'm not going to be able to access ssh anymore :'(
Hi there
I followed the procedure to get the root passwd; however, the passwd I got doesn't work.
Not sure if I missed something.
I did as follows:
So I got stuck here for now.
Can you help?
Hello,
I rooted my LIDL gateway thanks to your great job, but I got a newer version with the HomeKit feature.
The PCB looks the same (TYGWZ1 with TYZS4 module).
The root python script has worked, and I successfully modified ssh server to port 22 and sent serialgateway.bin executable.
Unfortunately I get an error when running your serial gateway.
Do you know if I need to get a newer toolchain to rebuild your software with RSDK-4.6.4 and where to find it?
Best Regards,
Sebastien
# ./serialgateway
Segmentation fault
I grabbed some info from my device:
# cat /proc/version
Linux version 3.10.90 (zhangpc@embed) (gcc version 4.6.4 (Realtek RSDK-4.6.4 Build 2080) ) #1 Thu Jul 29 21:36:28 CST 2021
# cat /proc/cpuinfo
system type : RTL8196E
machine : Unknown
processor : 0
cpu model : 52481
BogoMIPS : 378.47
tlb_entries : 32
mips16 implemented : yes
# ls /dev/
console mtd3 mtdblock11 null sda1 ttyS1
fuse mtd3dro mtdblock2 ppp sda2 ttyp0
misc mtd4 mtdblock3 ptmx sdb ttyp1
mtd0 mtd4dro mtdblock4 pts sdb1 ttyp2
mtd0dro mtd5 mtdblock5 ptyp0 sdb2 ttyp3
mtd1 mtd5dro mtdblock6 ptyp1 sdc urandom
mtd1dro mtdblock0 mtdblock7 ptyp2 sdc1 zero
mtd2 mtdblock1 mtdblock8 random sdc2
mtd2dro mtdblock10 mtdblock9 sda ttyS0
# cat /proc/mtd
dev: size erasesize name
mtd0: 00020000 00010000 "boot+cfg"
mtd1: 001e0000 00010000 "linux"
mtd2: 00200000 00010000 "rootfs"
mtd3: 00020000 00010000 "tuya-label"
mtd4: 00be0000 00010000 "jffs2-fs"
# ls /lib/
ld-uClibc-0.9.33.so libm.so libstdc++.so.6.0.16
ld-uClibc.so libm.so.0 libthread_db-0.9.33.so
ld-uClibc.so.0 libnsl-0.9.33.so libthread_db.so
ld.so.1 libnsl.so libthread_db.so.1
libc.so libnsl.so.0 libuClibc-0.9.33.so
libc.so.0 libpthread-0.9.33.so libuargp-0.9.33.so
libcrypt-0.9.33.so libpthread.so libuargp.so
libcrypt.so libpthread.so.0 libuargp.so.0
libcrypt.so.0 libresolv-0.9.33.so libubacktrace-0.9.33.so
libdl-0.9.33.so libresolv.so libubacktrace.so
libdl.so libresolv.so.0 libubacktrace.so.0
libdl.so.0 librt-0.9.33.so libz.so
libgcc.so librt.so libz.so.1
libgcc_s.so librt.so.0 libz.so.1.2.8
libgcc_s.so.1 libstdc++.so
libm-0.9.33.so libstdc++.so.6
I tried using this procedure with the Aldi Lightway Smart Home gateway, which appears to be the same as the Lidl variant inside. I was able to connect via serial terminal, read the flash sections and generate a root password. But the password is not accepted on the serial terminal or command line.
I will see if I can use the original method of playing with the squashfs to get control of the device. For now, this issue is just for information in case anyone else is thinking of trying it.
From the article to Gaining access to the device
Quote
"3) We replaced the /etc/passwd symlink with a passwd file we created with a known root password."
Question: does the password file to be put in the unsquashfs filesystem structure need to be formatted as a shadow passwd file, or just plain text format like the old-time Linux passwd file? Where should it be located in the file system, i.e. in the root directory, and change the symlink to /etc/passwd?
Quote
"6) Finally we TFTP'd the newroot.bin file to the device and used the bootloader command FLW to write it to flash."
Can you outline the process in the quote (step 6 in the article)?
Currently I have a dump of the device from your dump_flash.py and unsquashfs'd it into my VirtualBox Debian VM.
I got the directory containing all the files from the dumped SquashFS. As I'm not very familiar with the process of flashing the device with TFTP, I need more detail on how to do that on my device.
I got the device but cannot get the root password from the process you mentioned in the article, so the alternative is to reflash it with a modified SquashFS flash image to gain initial access to the device.
I hope this will also help others who fail to get the root password of the device, as I did.
Thanks very much.
I get this message:
Unable to negotiate with 192.168.0.231 port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss