A collection of scripts to flash Tuya IoT devices to alternative firmwares
Branch: master
Clone or download
merlinschumacher Merge pull request #41 from kueblc/fix-40
Added haveged to the installed dependencies
Latest commit a1402c6 Jan 29, 2019
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
files Added sonoff-basic.bin Fixes #16 Jan 26, 2019
scripts Update setup_ap.sh Jan 27, 2019
.gitignore Remove useless json file & updated gitignore Jan 21, 2019
LICENSE Initial Commit Jan 16, 2019
README.md Update README.md Jan 25, 2019
config.txt Initial Commit Jan 16, 2019
install_prereq.sh Added haveged to the installed dependencies Jan 28, 2019
start_flash.sh Update start_flash.sh Jan 28, 2019
stop_flash.sh Initial Commit Jan 16, 2019

README.md

TUYA-CONVERT

A Chinese company named Tuya offers a free-to-brand turnkey smart home solution to anyone. Using their offer is dead-simple, since everything can be done by clicking through the Tuya web page, from choosing your pre-designed products or pre-programmed wifi-modules (mostly ESP8266) to building your own app. In the end, this has resulted in as they claim over 11 000 devices 'made' by over 10 000 vendors using Tuyas firmware and cloud services.

Aside from that, they claim their cloud solution has 'military grade security'. Michael Steigerwald, founder of the German IT security startup VTRUST, was able to disprove this claim and presented his results in the "Smart home - Smart hack" talk at 35C3 in Leipzig: https://media.ccc.de/v/35c3-9723-smart_home_-_smart_hack

In the following days, VTRUST and the German tech magazine c't decided to work together. Since reflashing devices using the ESP8266/85 is widespread among DIY smart home enthusiasts, we wanted to provide an easy way for everyone to free their devices from the cloud without the need for a soldering iron.

Please make sure to visit VTRUST (https://www.vtrust.de/), since the hack is their work.

🚨WARNING🚨

Please be sure that you understand what you're doing before using this software. Flashing an alternative firmware can lead to unexpected behavior and/or render the device unusable, so that it might be permanently damaged (highly unlikely) or require soldering a serial connection to the processor in order to reflash it (likely).

⚠️Be aware that you use this software at your own risk so neither VTRUST nor c't/heise can be held accountable for any damage done or loss of functionality⚠️.

TUYA-CONVERT only provides with the means to backup the original and flash an alternative firmware. Please do not ask for hardware support for your favorite alternative firmware in this repository, rather open an issue in the corresponding repository.

DOCUMENTATION

Since Tuya devices are spread around the world with likely a vast amount of different brand names, please tell the community if you find one! There is a device list in the wiki that you can help extend. Please at least add the device model number, brand name, geographical area where you have bought the device and its flash mode (as seen in the device information). Add the GPIO assignments as well if you have found them to save the developers of alternative firmwares some time.

asciicast

REQUIREMENTS

  • Linux computer with a wifi adapter
  • Secondary wifi device (e.g. smartphone)
  • Dependencies (will be installed by install_prereq): python3, dnsmasq, hostapd, screen, curl, python3-pip, python3-setuptools, python3-wheel, mosquitto, nodejs, npm, paho-mqtt, pyaes, tornado

These scripts were tested in

Any Linux with a Wifi adapter which can act as an Access Point should also work. Please note that we have tested the Raspberry Pi with clean installations only. If you use your Raspberry Pi for anything else, we recommend using another SD card with a clean installation.

PROCEDURE

INSTALLATION

# git clone https://github.com/ct-Open-Source/tuya-convert
# cd tuya-convert
# ./install_prereq.sh

flash loader firmware + backup

# ./start_flash.sh

Follow the instructions in the start_flash script. It will install our flash loader onto the ESP and connect to the access point created by your wifi adapter.

WIFI: vtrust-flash
PASS: flashmeifyoucan
IP: 10.42.42.42

A backup of the original firmware will be created and stored locally

Device information

After the firmware backup procedure, the retrieved device information will be shown. Please make sure to write down your devices flash mode and size! You can show this information again by executing:

# curl http://10.42.42.42

BACKUP only and UNDO

You can use the flash loader to create a backup only. If you want to delete the FLASH loader out of the flash again and go back to the stock software just do following:

# curl http://10.42.42.42/undo

FLASH loader to user2

The FLASH loader only allows flashing the third party firmware, if the loader is running in the userspace user2 starting from 0x81000. This will flash the FLASH loader in user2 if it is not already there. It will destroy your ability to undo and go back to the original firmware

# curl http://10.42.42.42/flash2

FLASH third-party firmware

BE SURE THE FIRMWARE FITS YOUR DEVICE!

  1. Place or link your binary file to ./files/thirdparty.bin.

    Currently a Sonoff-Tasmota v6.4.1 basic build is already included. It will open an WiFi access point named sonoff-XXX.

    Binary requirements:

    • full binary including first-stage bootloader
    • maximum filesize 512KB for first flash
  2. Start flashing process

     # curl http://10.42.42.42/flash3
    

Alternatively you can request a certain file to be requested and flashed by the device:

# curl http://10.42.42.42/flashURL?url=http://10.42.42.1/files/thirdparty.bin