PlusPlugUS working

[steelsparky]

Successfully flashed with v13.1. I had the exact opposite going on as noted in issue #15 w/ the latest release. I have a Plus Plug US according to the box but app name was still wanting PlugUS to not cancel the OTA. Just got these via Amazon this week.

[brad07x]

@steelsparky Do you recall the device template you selected in Step 8 of the guide for autoconfig? I and a few others also experienced this issue, but on our plugs it seems that the something is going wrong with the replacement of the locked bootloader and/or issues with the partition table that create downstream problems with Step 10 in the guide (as described in #22 and as further reported in the comments of #29).

The reason I ask is that I don't seem to remember Plus Plug US being in the devices list for autoconfig. I may have missed it or selected an incompatible one thinking a similar device using the same ESP32-U4WD chip would be good enough, and in fairness this could have led to the issues I had.

I would like to have another go at flashing mgos32-to-tasmota32 to another unmodified/unopened Plus Plug US but before I commit to purchasing wanted to ask about what worked for you so I can have as much info and chances for success as possible.

Since my first plug was stuck at v12.5.0 due to what I outlined in the linked issues above, I ended up opening it to flash via the serial. Even though my end goal was to use mgos32-to-tasmota32 to transition the plug to ESPHome (and I was successful doing so with serial flashing after some challenges), I still had some observations that were interesting/relevant for mgos32-to-tasmota32 that I have included below.

Further Reading - Locked Bootloader, Flash Encryption, and Serial Flashing

For those interested, I was able to open the Plus Plug US breaking the single glued seam on the bottom edge of the device, and separating the halves reasonably cleanly (no damage; I think it could be glued back together and still be solid). The serial pinout for the Plus Plug US module is the same as the Plus Plug UK and outlined here. The module in my plug as reported by Tasmota32 is ESP Chip Id 1798856 (ESP32-U4WDH-D rev.3) and the module PCB is marked US_plug_V0.2.1 and 2022-11-24.

During this process I noticed signs that the locked bootloader did not seem to be replaced in step 8 of the mgos32-to-tasmota32 guide as serial flashing a plaintext image did not work - got invalid header <address> messages and a boot loop after completing the first flash - from my research indicating secure boot/flash encryption was still on.

I ended up having to use esptool to burn the module's eFuse for FLASH_CRYPT_CNT to have an even number of bits to disable encryption and in order for my serial-flashed plaintext image to boot successfully - 1 R/W (0b0000001) to 3 R/W (0b0000011).

There were also a few other interesting eFuse security settings on the module:

...
Config fuses:
WR_DIS (BLOCK0)                                    Efuse write disable mask                           = 128 R/W (0x0080)
RD_DIS (BLOCK0)                                    Disable reading from BlOCK1-3                      = 1 R/W (0x1)
...
Flash fuses:
FLASH_CRYPT_CNT (BLOCK0)                           Flash encryption is enabled if this field has an o = 1 R/W (0b0000001)
                                                   dd number of bits set
FLASH_CRYPT_CONFIG (BLOCK0)                        Flash encryption config (key tweak bits)           = 15 R/W (0xf)
...
Security fuses:
UART_DOWNLOAD_DIS (BLOCK0)                         Disable UART download mode. Valid for ESP32 V3 and = False R/W (0b0)
                                                    newer; only
ABS_DONE_0 (BLOCK0)                                Secure boot V1 is enabled for bootloader image     = False R/W (0b0)
ABS_DONE_1 (BLOCK0)                                Secure boot V2 is enabled for bootloader image     = False R/W (0b0)
DISABLE_DL_ENCRYPT (BLOCK0)                        Disable flash encryption in UART bootloader        = True R/W (0b1)
DISABLE_DL_DECRYPT (BLOCK0)                        Disable flash decryption in UART bootloader        = True R/W (0b1)
KEY_STATUS (BLOCK0)                                Usage of efuse block 3 (reserved)                  = False R/W (0b0)
SECURE_VERSION (BLOCK3)                            Secure version for anti-rollback                   = 0 R/W (0x00000000)
BLOCK1 (BLOCK1)                                    Flash encryption key
   = ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? -/-
BLOCK2 (BLOCK2)                                    Security boot key
   = 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 R/W
BLOCK3 (BLOCK3)                                    Variable Block 3
   = 00 00 00 00 00 00 00 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 R/W

It was interesting that the ABS_DONE_0 & 1 fuses for Secure boot V1/2 is enabled for bootloader image were False but the FLASH_CRYPT_CNT and bootloop with a serial-flashed plaintext image definitely seemed to indicate that Flash encryption was still on.

Hopefully we can work together to figure out where things went wrong. I'd like to help others with Plus Plug US units they want to flash per the guide steps for this project be consistently successful in doing so when they try in the future.

If possible it would also be great to help those with previous issues and stuck on 12.5 resolve them without opening their devices, but at least recovery with a serial flash does work.

I do admit though that it is bummer that Shelly made choices to lock the bootloader and glue the device closed.

[jonmill]

I hit this issue today...any chance folks have found a workaround for how to get out of this broken state?

[brad07x]

@jonmill Unfortunately opening the plug, modifying eFuses as I mentioned above, and a serial flash was the only way I was able to resolve the issue fully. I didn't get a chance to try on a second plug (see reasoning below).

Although Shelly was one of the earlier manufacturers to offer a US smart plug with ESP32 leading to my interest in testing flashing it with Tasmota/ESPHome, now the situation has changed and there seem to be far easier and cost-effective options available.

YMMV but I have had good experiences with athom.tech's ESP32-C3 US Plug V3. They offer pre-flashed versions for both ESPHome and Tasmota, and as of writing a 2-pack is in stock in their US warehouse for just under $30.

I'm all about using a project as an excuse for learning new skills and gaining experience even if it is horribly impractical with regard to time and costs, but with ready-working alternatives that openly post device templates/YAML config files at $15 per plug, continuing down this road with the Shelly Plus Plug US was very hard to justify.

One notable thing about some of the alternative plugs that may be missing is the lack of any certifications. Shelly Plus Plug US mentions ETL certification in the Amazon product listing (at least it did before I had to open the plug's shell to reflash which in my opinion would compromise that), while the Athom ESP32-C3 US Plug V3 mentions no certifications and just a 94-V0 fire-protection rating.

[jonmill]

That makes a ton of sense, thanks for the update! I bought a pack of the athome's and I'll see how those work out. Thanks for your help and info, much appreciated!