Moes Tuya ZigBee Gateway Support

[dmitriy-sqrt]

Hi, just bought the hub for experiments and was passing by this repo to see if instructions here will still apply for the hub i have.

So i have this version of a gateway:

Examples of aliexpress link:
https://www.aliexpress.com/item/4000452898540.html
https://www.aliexpress.com/item/1005003190609659.html

This is how the mobo looks like:

(its pretty different, you can note it uses RTL8197FS)

And I've started my experiments.

1. Connected the UART FTDI232 to debug pins (ones near the micro usb connector), just RX\TX\GND + power via micro usb. (Although i tried to do 3.3v power only via debug port and it still seemed to work)
   UPD: powering via 5V power pin gave more stability then micro usb power, with usb dumping script got stuck randomly.
2. Took a while to get working serial port connection software, in the end I used Putty on windows.
3. The loading log is a bit different from the one for lidl gateway, full gist is available here
4. Important here that partitions with sizes are different:

6 rtkxxpart partitions found on MTD device m25p80
Creating 6 MTD partitions on "m25p80":
0x000000000000-0x000000270000 : "boot+cfg+linux"
0x000000270000-0x000000640000 : "rootfs"
0x000000640000-0x000000b40000 : "app"
0x000000b40000-0x000001040000 : "backup"
0x000001040000-0x000001fe0000 : "data"
0x000001fe0000-0x000002000000 : "factory"

6. I was able to get to bootloader with hitting ESC on the early load steps
7. Sadly the default passwords (like root\root, tuya123, etc. didnt work for me)
8. Also i wasnt able to get KEK|UASKEY values, as the commands from instruction just returned all 0000000000000. And thats pretty expected, the partitions\addresses\offsets might be different
9. Then i tried to use python flash dumping script (my biggest thanks for the authors!). The command used was:
   python dump_flash.py --serial-port /dev/ttyUSB0 --output-file rootfs.bin --start-addr 0x270000 --end-addr 0x640000
10. Overnight the dumping completed (not sure how long it actually took), the file is ~4megabytes.
11. The step i'm currently stuck with is trying to sudo unsquashfs rootfs.bin.
    Default squashfs version for linux (1:4.4-1) i was using and latest one build from source (4.4 with all compression extensions i could enable) gets me a

Reading a different endian SQUASHFS filesystem on rootfs.bin
Filesystem on rootfs.bin is (0:4), which is a later filesystem version than I support!

Also, the squashfs-tools-ng gets me a rootfs.bin: reading super block: wrong magic value in super bloc

For now i'm thinking that dumping could go wrong and i have a corrupted img.
13. ...
14. I'll try to share if will be able to gain more progress

Thanks again for the instructions & scripts

[MattWestb]

Its looks very nice and 2 EFR32MG21 modules for BT and one for Zigbee so cant loading one RCP firmware on the Zigbee module and you can running BT + Zigbee and Open Thread at the same time over Ethernet :-))

Hope you can getting the root password and looking little more in the Linux tuya is using and how the hardware is configured.

[MattWestb]

The SOC have 3 comports ttys0 = consolle and ttys1 and 2 plus one ch341 that is likely used for Zigbee module or for one extra USB console.

[dmitriy-sqrt]

Sadly for now i cant unpack\unsquashfs dumped partitions. I've tried using unsquashfs version 4.5.1 but get an error for:

Reading a different endian SQUASHFS filesystem on rootfs_v2.bin
FATAL ERROR: Can't find a valid SQUASHFS superblock on rootfs_v2.bin

So its either me dumping in a wrong way, or different unpacking way should be used. I'll attach the dump, in case anyone more experienced wishes to take a look
rootfs_v2.bin.zip

[zalatnaicsongor]

the file had endianness issues, I've fixed it, it can now be extracted. @dmitriy-sqrt
password for the 7z file within the zip:
dmitriy-sqrt

rootfs_v2_le_2.zip