Tuya TYGWZ01 Smart Gateway with EZSP 6.7.8.0 ! !

[MattWestb]

TYGWZ01 Smart Gateway is used from all suppliers of tuyya products and is the ethernet version of there Zigbee GW.

Known rebranded LIDL, Pearl.de, Revolt, Elesion and many more.

Inside.

Some user is trying porting OpenWrt to the rtl8196eu chip so its being possible using it as one EZSP 2 ETH bridge.

Would it work on rtl8196eu ? #3 and Add Support for RTL8196E RTL8197D RTL8197F

On of the devs (@xromansx) is active in our projects and have contributing to getting tuya TRVs to working in our systems.

Do some more users / hackers have interest in getting it up and running with OpenWrt and tunneling the comport from the EZSP over ethernet to ZHA ??

I finding it interesting then it being cheap and easy to get in EU and most other countries and dont have the problems with WiFi interference that can killing the ZHA.

I have one GW that is not in use and is only for testing if tuya have released new firmware for my tuya products but im willing exposing for more brutal attacks for getting it working for our purposes .
I dont have and SPI programmer onls SWD /J-Tags programmers but im interesting if some one can helping getting the EEPROM red with easy hardware for getting some start of trying loading one new firmware on it for our purposes

More input of crazy ideas is more than welcome for getting (un)possible things happening ! !

[MattWestb]

The Zigbee module is one Tuya TYZS4 Zigbee Module.
One EFR32MG1B232F256GM48-C0 with , 256 KB flash and 32
KB ram but only : +10 dBm radio.

Can also being upgraded with one better module and getting on OK case and power supply (One module from one new IKEA GU 10 CWS with the new silabs module ?).

[xromansx]

Hi, get one of this https://www.ebay.com/itm/USB-Programmer-CH341A-Series-Burner-Chip-Writer-25-SPI-EEPROM-BIOS-Flash/254676176158?hash=item3b4be20d1e:g:EsQAAOSwK2VfJ8yQ or you can use Arduino to dump SPI, after we can see what's inside...

[MattWestb]

I have ordered the last from Youmile with Sop8 Test Clip so i hopefully dont need burning my fingers and its being delivered on friday or monday (company delivering so not on weekend).

[Hedda]

Some user is trying porting OpenWrt to the rtl8196eu chip so its being possible using it as one EZSP 2 ETH bridge.

Would it work on rtl8196eu ? #3 and Add Support for RTL8196E RTL8197D RTL8197F

Hope those developers are aware of the similar Open Lumi (OpenLumi) project in #644 discussion? Maybe could work together?

https://openlumi.github.io

https://github.com/openlumi

OpenLumi project is also based on OpenWRT, however, it currently targeting Zigbee gateways based on NXP i.MX 6 Series (IMX6).

Summary: @G1K, @devbis, @kirovilya (from the @diyruz organization on GitHub) have hacked Xiaomi Lumi Gateway MIxx01 Zigbee to WiFi bridges (Xiaomi gateways DGNWG05LM and ZHWG11LM) with an OpenWRT based firmware on its NXP IMX6 SoC and ZiGate firmware on its NXP JN516x chips (JN5168 and JN5169 chip), or you can make use your own DIY hardware.

References:

Koenkk/zigbee-herdsman#241

Koenkk/zigbee-herdsman#242

[MattWestb]

I think the Xiaomi GW is having one other WiFi chip then the Tuya is using (RTL8197EU) but if possible installing OpenWRT its no problem installing ser2net and using it as one "Zigbee2Net" device.

[MattWestb]

Its looks like its possible getting root access and starting socat in it !!
Hacking the Silvercrest (Lidl/Tuya) Smart Home Gateway

I have soldering the J1 pins and can booting in the boot loader so tomorrow is trying decrypting the root password for getting in the Linux system :-)))

[MattWestb]

Im being in as root !!!

tuya-linux login: root
Password: 

Tuya Linux version 1.0
Jan  1 12:03:30 login[1004]: root login on 'console'
# 
ls
bin   etc   init  mnt   root  sys   tuya  var
dev   home  lib   proc  sbin  tmp   usr
# 
ls -la
drwxrwxr-x   14 1000     1000          186 Jun 20  2020 .
drwxrwxr-x   14 1000     1000          186 Jun 20  2020 ..
drwxrwxr-x    2 1000     1000         1117 Jun 20  2020 bin
drwxr-xr-x    4 root     0               0 Jan  1 00:00 dev
drwxrwxr-x    4 1000     1000          189 Jun 20  2020 etc
drwxrwxr-x    2 1000     1000           33 Jun 20  2020 home
lrwxrwxrwx    1 1000     1000            8 Jun 20  2020 init -> bin/init
drwxrwxr-x    2 1000     1000          997 Jun 20  2020 lib
drwxrwxr-x    2 1000     1000            3 Jun 20  2020 mnt
dr-xr-xr-x   66 root     0               0 Jan  1 00:00 proc
lrwxrwxrwx    1 1000     1000            9 Jun 20  2020 root -> /var/root
drwxrwxr-x    2 1000     1000            3 Jun 20  2020 sbin
dr-xr-xr-x   11 root     0               0 Jan  1 00:00 sys
lrwxrwxrwx    1 1000     1000            8 Jun 20  2020 tmp -> /var/tmp
drwxr-xr-x    7 root     0               0 Jan  1 00:00 tuya
drwxrwxr-x    3 1000     1000           26 Jun 20  2020 usr
drwxr-xr-x   10 root     0               0 Jan  1 00:00 var
#

[MattWestb]

In Win 10 install python 3.9 in from windows store.
Open one power-shell and install pycryptodome.
python.exe -m pip install pycryptodome

Cutting the spaces from the 3 strings you have getting from readings in the boot loader.
Run the python script and you is getting you beloved password.

Open your terminal to the tasmota ZB.
Hit enter in your terminal and write root and enter and the your new password and enter.

Attached the Python script with extension txt (take the .txt away and you is getting the .py :

TUYAZBGWROOTPW.PY.TxT

[MattWestb]

Hitt ESC then booting and you is landing in the boot loader:

Booting...

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@
@ chip__no chip__id mfr___id dev___id cap___id size_sft dev_size chipSize
@ 0000000h 0c84018h 00000c8h 0000040h 0000018h 0000000h 0000018h 1000000h
@ blk_size blk__cnt sec_size sec__cnt pageSize page_cnt chip_clk chipName
@ 0010000h 0000100h 0001000h 0001000h 0000100h 0000010h 000004eh GD25Q128
@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
DDR1:32MB

---RealTek(RTL8196E)at 2020.06.20-10:26+0800 v3.4T-pre2 [16bit](400MHz)
P0phymode=01, embedded phy
check_image_header  return_addr:05010000 bank_offset:00000000
no sys signature at 00010000!

---Escape booting by user
P0phymode=01, embedded phy

Then by the instruction:

---Ethernet init Okay!
<RealTek>
<RealTek>FLR 80000000 401802 16
Flash read from 00401802 to 80000000 with 00000016 bytes        ?
(Y)es , (N)o ? --> y
Flash Read Successed!
<RealTek>dw 80000000 4
80000000:       11111111        22222222        33333333        44444444
<RealTek>FLR 80000000 402002 32
Flash read from 00402002 to 80000000 with 00000032 bytes        ?
(Y)es , (N)o ? --> y
Flash Read Successed!
<RealTek>dw 80000000 8
80000000:       55555555        66666666        77777777        88888888
80000010:       99999999        AAAAAAAA        BBBBBBBB        CCCCCCCC
<RealTek>   

(With faced strings)

Now cutting the spaces from the 3 strings you have getting from readings in the boot loader:

KEK hex string: 11111111222222223333333344444444

aus-key string line 1: 55555555666666667777777788888888

aus-key string line 2: 99999999AAAAAAAABBBBBBBBCCCCCCCC

Open your power shell and run the python script TUYAZBGWROOTPW.PY and you is getting you beloved password.

PS C:\msys32\home\Mattias> python.exe .\TUYAZBGWROOTPW.PY
Enter KEK hex string line>11111111222222223333333344444444
11111111222222223333333344444444
Encoded aus-key as hex string line 1>55555555666666667777777788888888
55555555666666667777777788888888
Encoded aus-key as hex string line 2>99999999AAAAAAAABBBBBBBBCCCCCCCC
99999999AAAAAAAABBBBBBBBCCCCCCCC
Auskey: b'010101010101010101010101FEDCBA98'
Root password: b'FEDCBA98'
PS C:\msys32\home\Mattias>

Your root password is: FEDCBA98.

Reboot the tuya ZBG and open one terminal.

Hitt enter.
Typing root and hit enter.
Prompt for password.
Typing FEDCBA98 and hit enter.

tuya-linux login: root
Password: 

Tuya Linux version 1.0
Jan  1 12:03:30 login[1004]: root login on 'console'
# 

Next to do is stopping the tuya services and making one socat service for tunneling the EFR32s comport to ZHA.

I think we have getting on better remote EZSP coordinator with Ethernet for ZHA then Sonoff Zigbee Bridge !!!

[MattWestb]

Now you have the root password you can putting it back in the network without serial cable.
Use your favorite SSH program on port 2333 and login as root with your "founded password".
use tail -f /tmp/tuya.log if you like to see wot your tuya ZBG is doing.

[MattWestb]

Interesting thing in the log:

[01-31 15:37:43:840 TUYA Debug][tuya_z3.c:21055] process monitor, g_tyz3Globals.permit:0.
[01-31 15:38:43:870 TUYA Debug][tuya_z3.c:21055] process monitor, g_tyz3Globals.permit:0.
[01-31 15:39:43:900 TUYA Debug][tuya_z3.c:21055] process monitor, g_tyz3Globals.permit:0.
[01-31 15:40:43:940 TUYA Debug][tuya_z3.c:21055] process monitor, g_tyz3Globals.permit:0.
[01-31 15:41:43:970 TUYA Debug][tuya_z3.c:21055] process monitor, g_tyz3Globals.permit:0.

Its must being one reason way tuya is sending permit 0 to the NCP every minute !!!

[MattWestb]

@xromansx I have root access and can see the partitions table then booting and in the dev tree.
I think it wold being possible dumping partitions that you need with DD but im not so sure how to so that in the right way. Can you giving some input how to do it ??
I dont like DD one blank file to to boot loader partition !!!

Partitions from boot log:

 ------------------------- Force into Single IO Mode ------------------------
|No chipID  Sft chipSize blkSize secSize pageSize sdCk opCk      chipName    |
| 0 c84018h  0h 1000000h  10000h  10000h     100h   84    0          GD25Q128|
 ----------------------------------------------------------------------------
SPI flash(GD25Q128) was found at CS0, size 0x1000000
boot+cfg offset=0x0 size=0x20000 erasesize=0x10000
linux offset=0x20000 size=0x1e0000 erasesize=0x10000
rootfs offset=0x200000 size=0x200000 erasesize=0x10000
tuya-label offset=0x400000 size=0x20000 erasesize=0x10000
jffs2-fs offset=0x420000 size=0xbe0000 erasesize=0x10000
5 rtkxxpart partitions found on MTD device flash_bank_1
Creating 5 MTD partitions on "flash_bank_1":
0x000000000000-0x000000020000 : "boot+cfg"
0x000000020000-0x000000200000 : "linux"
0x000000200000-0x000000400000 : "rootfs"
0x000000400000-0x000000420000 : "tuya-label"
0x000000420000-0x000001000000 : "jffs2-fs"

Listing /dev:

# ls /dev
console     mtd3        mtdblock11  null        sda1        ttyS1
fuse        mtd3dro     mtdblock2   ppp         sda2        ttyp0
misc        mtd4        mtdblock3   ptmx        sdb         ttyp1
mtd0        mtd4dro     mtdblock4   pts         sdb1        ttyp2
mtd0dro     mtd5        mtdblock5   ptyp0       sdb2        ttyp3
mtd1        mtd5dro     mtdblock6   ptyp1       sdc         urandom
mtd1dro     mtdblock0   mtdblock7   ptyp2       sdc1        zero
mtd2        mtdblock1   mtdblock8   random      sdc2
mtd2dro     mtdblock10  mtdblock9   sda         ttyS0

# ls -la /dev
drwxr-xr-x    4 root     0               0 Jan  1 00:00 .
drwxrwxr-x   14 1000     1000          186 Jun 20  2020 ..
crw-r--r--    1 root     0          4,  64 Jan  1 12:03 console
crw-r--r--    1 root     0         10, 229 Jan  1 00:00 fuse
drwxr-xr-x    2 root     0               0 Jan  1 00:00 misc
crw-r--r--    1 root     0         90,   0 Jan  1 00:00 mtd0
crw-r--r--    1 root     0         90,   1 Jan  1 00:00 mtd0dro
crw-r--r--    1 root     0         90,   2 Jan  1 00:00 mtd1
crw-r--r--    1 root     0         90,   3 Jan  1 00:00 mtd1dro
crw-r--r--    1 root     0         90,   4 Jan  1 00:00 mtd2
crw-r--r--    1 root     0         90,   5 Jan  1 00:00 mtd2dro
crw-r--r--    1 root     0         90,   6 Jan  1 00:00 mtd3
crw-r--r--    1 root     0         90,   7 Jan  1 00:00 mtd3dro
crw-r--r--    1 root     0         90,   8 Jan  1 00:00 mtd4
crw-r--r--    1 root     0         90,   9 Jan  1 00:00 mtd4dro
crw-r--r--    1 root     0         90,  10 Jan  1 00:00 mtd5
crw-r--r--    1 root     0         90,  11 Jan  1 00:00 mtd5dro
brw-r--r--    1 root     0         31,   0 Jan  1 00:00 mtdblock0
brw-r--r--    1 root     0         31,   1 Jan  1 00:00 mtdblock1
brw-r--r--    1 root     0         31,  10 Jan  1 00:00 mtdblock10
brw-r--r--    1 root     0         31,  11 Jan  1 00:00 mtdblock11
brw-r--r--    1 root     0         31,   2 Jan  1 00:00 mtdblock2
brw-r--r--    1 root     0         31,   3 Jan  1 00:00 mtdblock3
brw-r--r--    1 root     0         31,   4 Jan  1 00:00 mtdblock4
brw-r--r--    1 root     0         31,   5 Jan  1 00:00 mtdblock5
brw-r--r--    1 root     0         31,   6 Jan  1 00:00 mtdblock6
brw-r--r--    1 root     0         31,   7 Jan  1 00:00 mtdblock7
brw-r--r--    1 root     0         31,   8 Jan  1 00:00 mtdblock8
brw-r--r--    1 root     0         31,   9 Jan  1 00:00 mtdblock9
crw-r--r--    1 root     0          1,   3 Jan  1 00:00 null
crw-r--r--    1 root     0        108,   0 Jan  1 00:00 ppp
crw-r--r--    1 root     0          5,   2 Jan  1 00:00 ptmx
drwxr-xr-x    2 root     0               0 Jan  1 00:00 pts
crw-r--r--    1 root     0          2,   0 Jan  1 00:00 ptyp0
crw-r--r--    1 root     0          2,   1 Jan  1 00:00 ptyp1
crw-r--r--    1 root     0          2,   2 Jan  1 00:00 ptyp2
crw-r--r--    1 root     0          1,   8 Jan  1 00:00 random
brw-r--r--    1 root     0          8,   0 Jan  1 00:00 sda
brw-r--r--    1 root     0          8,   1 Jan  1 00:00 sda1
brw-r--r--    1 root     0          8,   2 Jan  1 00:00 sda2
brw-r--r--    1 root     0          8,  16 Jan  1 00:00 sdb
brw-r--r--    1 root     0          8,  17 Jan  1 00:00 sdb1
brw-r--r--    1 root     0          8,  18 Jan  1 00:00 sdb2
brw-r--r--    1 root     0          8,  32 Jan  1 00:00 sdc
brw-r--r--    1 root     0          8,  33 Jan  1 00:00 sdc1
brw-r--r--    1 root     0          8,  34 Jan  1 00:00 sdc2
crw-------    1 root     0          4,  64 Jan  1 13:43 ttyS0
crw-r--r--    1 root     0          4,  65 Jan  1 13:43 ttyS1
crw-r--r--    1 root     0          3,   0 Jan  1 00:00 ttyp0
crw-r--r--    1 root     0          3,   1 Jan  1 00:00 ttyp1
crw-r--r--    1 root     0          3,   2 Jan  1 00:00 ttyp2
crw-r--r--    1 root     0          3,   3 Jan  1 00:00 ttyp3
crw-r--r--    1 root     0          1,   9 Jan  1 00:00 urandom
crw-r--r--    1 root     0          1,   5 Jan  1 00:00 zero
# 

ls in the root:

# 
ls
bin   etc   init  mnt   root  sys   tuya  var
dev   home  lib   proc  sbin  tmp   usr
# 
ls -la
drwxrwxr-x   14 1000     1000          186 Jun 20  2020 .
drwxrwxr-x   14 1000     1000          186 Jun 20  2020 ..
drwxrwxr-x    2 1000     1000         1117 Jun 20  2020 bin
drwxr-xr-x    4 root     0               0 Jan  1 00:00 dev
drwxrwxr-x    4 1000     1000          189 Jun 20  2020 etc
drwxrwxr-x    2 1000     1000           33 Jun 20  2020 home
lrwxrwxrwx    1 1000     1000            8 Jun 20  2020 init -> bin/init
drwxrwxr-x    2 1000     1000          997 Jun 20  2020 lib
drwxrwxr-x    2 1000     1000            3 Jun 20  2020 mnt
dr-xr-xr-x   66 root     0               0 Jan  1 00:00 proc
lrwxrwxrwx    1 1000     1000            9 Jun 20  2020 root -> /var/root
drwxrwxr-x    2 1000     1000            3 Jun 20  2020 sbin
dr-xr-xr-x   11 root     0               0 Jan  1 00:00 sys
lrwxrwxrwx    1 1000     1000            8 Jun 20  2020 tmp -> /var/tmp
drwxr-xr-x    7 root     0               0 Jan  1 00:00 tuya
drwxrwxr-x    3 1000     1000           26 Jun 20  2020 usr
drwxr-xr-x   10 root     0               0 Jan  1 00:00 var
#

ls in /tmp:

# ls
ncp_ver65_1_0_8_flag  pro_mon_file
ota-files             tuya.log
#
# ls -la
drwxr-xr-x    3 root     0               0 Jan  1 14:02 .
drwxr-xr-x   10 root     0               0 Jan  1 00:00 ..
-rw-r--r--    1 root     0               2 Jan  1 00:00 ncp_ver65_1_0_8_flag
drwx------    2 root     0               0 Jan  1 00:00 ota-files
-rw-r--r--    1 root     0               4 Jan  1 14:02 pro_mon_file
-rw-r--r--    1 root     0         2953936 Jan  1 14:02 tuya.log
#  

Here should being safe making temp files (I hope).

[MattWestb]

@xromansx I have dumped MTD 0 - 4 with:

dd if=/dev/mtd0 of=/tmp/dmtd0.bin

And uploading it to my PC with tftpd64 as TFTP server with:

tftp -l /tmp/dmtd0.bin  -r dmtd0.bin -p 192.168.2.10

Its one busybox so its having little limited parameters but i can reading the bootloader but its not saying so much. The linux have decompressing kernel: done decompressing kernel. start address: after the kernel section so its looks being OK.

I have uploaded the boot loader it im my private git and you can downloading if you like (I have sending you one inviting to it).

[MattWestb]

EFR32 Dumped :-))

(gdb) mon sw
Target voltage: 2980mV
Available Targets:
No. Att Driver
 1      EFR32MG1B 232 F256 Mighty Gecko M3/M4
(gdb) at 1
Attaching to Remote target

(gdb) mon efm_info
DI version 1 (silabs remix?) base 0x0fe08000

EFR32MG1B 232 F256 = Mighty Gecko 256kiB flash, 32kiB ram
Device says flash page size is 2048 bytes, we're using 2048 bytes

Radio si0

(gdb) info mem
Using memory regions provided by the target.
Num Enb Low Addr   High Addr  Attrs
0   y   0x00000000 0x00040000 flash blocksize 0x800 nocache
1   y   0x0fe00000 0x0fe00800 flash blocksize 0x800 nocache
2   y   0x0fe10000 0x0fe12800 flash blocksize 0x800 nocache
3   y   0x20000000 0x20008000 rw nocache

(gdb) dump memory TZ01.bin 0x00000000 0x00040000
(gdb) dump memory TZ02.bin 0x0fe00000 0x0fe00800
(gdb) dump memory TZ03.bin 0x00004000 0x00040000
(gdb) dump memory TZ04.bin 0x0fe10000 0x0fe12800

Have normal boot loader but i dont knowing the pins for RX. TX. Force boat loader and the reset in the tuya side.
Reed from flash dunp:

Gecko Bootloader vX.Y.A
1. upload gbl
2. run
3. ebl info

And now running bellows !!

2021-02-02 17:40:06 DEBUG (MainThread) [bellows.ezsp] EZSP Stack Type: 2, Stack Version: 6500, Protocol version: 7
2021-02-02 17:40:07 INFO (MainThread) [bellows.zigbee.application] EZSP Radio manufacturer:
2021-02-02 17:40:07 INFO (MainThread) [bellows.zigbee.application] EZSP Radio board name:
2021-02-02 17:40:07 INFO (MainThread) [bellows.zigbee.application] EmberZNet version: 6.5.0.0 build 188

[MattWestb]

@Adminiuga The module is using HW flow control but its not problems then the socat server is configurated for it and is transparent to ZHA.

I have finding the pad 15 RXD PA1 and pad 16 TXD PA0 but cant pinpointing one boot loader pin.

You have implanting zigpy/bellows#249 but i dont understanding how to using it :-((

Can you explaining how to using it from one ZHA docker installation or implanting it in zha_custom or if its possible executing the command in zha_custom its also OK.

Then i can executing launchStandaloneBootloader() = bootloader in bellows CLI and getting the NCP in boot loader i can stopping (Z)HA and connecting to the socat on the GW (socat is implanted with onlly one connection so bellows shall not running then doing boot loader things) i can upload new firmware to the module with ZOC or Extra PUTTY thru port 8888.

The NCP is running OK (only briefly tested) with the factory firmware but its little old 6.5.0.0 so like finding one method upgrading it in one easy way for users (I can doing it with SWD if needed but its not recommended for "normal" users).

I still dont knowing if tuya have locked the boot loader but its being next step.
The good if they have locking it that the 2 SWD conections is on J1 that is need being populated for doing the rooting and its working with one simple SWD programmer like BMP on one ESP8266.

My target is making it easy upgrading one standard tuya eth Zigbee GW witth first step rooting =done, Serial over Ethernet = done and also upgrading the EZSP on it to one stable version (6.7.X.X).

Advantage with the tuya ZBG is stable Ethernet that is immune from WiFi interference, only need (for the moment) serial-TTL for getting root (no need shouldering but is preferred if possible) and likely firmware updating without SWD (or if needed with one "cheep" probe).
The EFR32 is not so powerful as Sonoff but very likely more stable and more than enough for running one large Zigbee network.

Its easy getting "over the desk" for around 20-30 € all over the world without ordering it from china (I was getting my with one "family pack" with tuya TRV). I was getting it from Germany in 4 days and LIDL was having it for 1.5 mouths in the supermarket (they was taking it sway without sale so i think its returned to the online store for 25 €).

Can you helping bringing little light in the software part to getting the EFR32 in boot loader that im not so good at the software things?

Thanks you for your attention and grate work done with ZHA !!!

Mattias

[walthowd]

You might find the sequence here more readable:

https://github.com/walthowd/husbzb-firmware/blob/2802a527eef0a060875e9f12092e1e005587c323/ncp.py#L284

Look at the init function for your EZSP level to reset the stack, then on to init bootloader with 0x8F -- Or you can just add the line:

exit()

On line 292 of the above ncp.py and it will stop when the NCP is in bootloader mode.

[MattWestb]

The best working is installing HA in one docker container under windows 10. Install ZHA with bellows is installed.
Delete ZHA in HA so the "comport" is not occupied.
Open one CLI in the HA container and using bellows CLI:

/config # bellows -d socket://192.168.2.60:8888 info
[58:8e:81:ff:fe:d5:92:9c]
[0x0000]
[<EmberNetworkStatus.JOINED_NETWORK: 2>]
[<EmberStatus.SUCCESS: 0>, <EmberNodeType.COORDINATOR: 1>, EmberNetworkParameters(extendedPanId=1e:0f:02:81:45:16:0b:80, panId=0xd337, radioTxPower=13, radioChannel=15, joinMethod=<EmberJoinMethod.USE_MAC_ASSOCIATION: 0>, nwkManagerId=0x0000, nwkUpdateId=0, channels=<Channels.ALL_CHANNELS: 134215680>)]
[<EmberStatus.SUCCESS: 0>, EmberCurrentSecurityState(bitmask=<EmberCurrentSecurityBitmask.TRUST_CENTER_USES_HASHED_LINK_KEY|64|32|HAVE_TRUST_CENTER_LINK_KEY|GLOBAL_LINK_KEY: 244>, trustCenterLongAddress=58:8e:81:ff:fe:d5:92:9c)]
Manufacturer:
Board name:
EmberZNet version: 6.5.0.0 build 188

/config # bellows -d socket://192.168.2.60:8888 bootloader
Manufacturer:
Board name:
Current EmberZNet version: 6.5.0.0 build 188
bootloader version: 0x0108, nodePlat: 0x04, nodeMicro: 0x18, nodePhy: 0x0f
bootloader launched successfully

And having one USB-serial on the RX and TX pins on the module i getting somthing i like:

Gecko Bootloader v1.8.0
1. upload gbl
2. run
3. ebl info
BL >

Now im hitting the wall a gen :-((

Normally only hitting 1 and upload one GBL file but the module is not reacting on wot i sending on the pins from the USB-serial converter. I have trying 2 different that is working with my Billy EZSP that have the same bootloader (generation) but the same no reaction.

My theory is that the module is wired for hardware flow control and the bootloader is also configurated for it and bellows dont have any problems with that then the socat is using it on the module side.
But then trying "injecting" on the serial lines the HF is flagging the comport (on the SOC) in waiting state and the module dont lingering on the traffic.

I can flashing one EZSP with SWD but i like finding one way doing it with no extra hardware for normal users.

If bellows CLI was having the possibility sending strings (i only need sending one "1") and also starting xmodem sessions it wold being on easy thing.

I have "patching" husbzb-firmware so its running under windows 10 and python 3.7 but having problems sending all things on the comport but i can reading and setting EZSP protocol OK but i dont getting it working all the way.

Have installing one "port mapper" in windows and can mapping the IP:8888 to one local com port but its only sending and dont getting any thing back from the module.

Do some one have more ideas how getting it working with the hardware flow control without desoldering the module or flashing one new bootloader with SWD ? ?

[Ordspilleren]

I don't know if this will be useful to you, but I looked through the scripts on the device briefly, and the app_upgrade.sh script runs a tool that updates the NCP using a .ota file like this:

if [ -f "/tmp/ota-files/NcpUpgrade.ota" ];then
    /tuya/tuya_user1/debugtool -n
else
    echo "no ncp file"
fi

I think by running debugtool -n, it upgrades the NCP with the .ota file /tmp/ota-files/NcpUpgrade.ota.
Maybe you can upgrade EZSP this way?

[MattWestb]

Sound like on likely working way. Only downloading the GLB and renaming it and before starting the script killing the socat server so it not interfering with the communication to the module.
I trying it tomorrow after finding one test GLB that is working (but perhaps not 100% OK) so i dont need flashing back my backup i have made.
Its still not known if tuya have securing the firmware form being loaded or not (signed and / or encrypted).

And one large thanks for the hint !!!

[MattWestb]

# /tuya/tuya_user1/debugtool

*********************************
Build time: May 15 2020 15:48:16
Support cmd:
    0:   get net info.
    1:   update zigbee coo.
    2:   plugin counters printf.
    3:   set tx radio power.
    4:   start RF test mode.
    5:   stop RF test.
    6:   install code.
    7:   create a specified zigbee network.
    8:   set max deveice cnt.
    q/Q: quit debug.
*********************************

******Input cmd:q
#

[MattWestb]

@puddly I have trying getting the tuya GW updating itself with its "backup OTA file" but i cant verifying if its being done or not but the process is doing "somthing" in some realistic time.

Can you pleas taking on look if its one "real" Silabs OTA file ?

NcpUpgrade.zip
I have zipping it so git hub is accepting it.

For my its looks little strange in the beginning but the end have references to Simplicity studio files.

[puddly]

Parses and validates fine for me. Didn't need any correction to parse either:

$ ipython
In [1]: import pathlib

In [2]: from zigpy.ota.image import parse_ota_image

In [3]: from zigpy.ota.validators import validate_ota_image

In [4]: data = pathlib.Path('~/Downloads/NcpUpgrade.ota').expanduser().read_bytes()

In [5]: image, rest = parse_ota_image(data)

In [6]: rest  # no trailing data
Out[6]: b''

In [7]: image.header
Out[7]: OTAImageHeader(upgrade_file_id=200208670, header_version=256, header_length=56, field_control=<FieldControl.0: 0>, manufacturer_id=1, image_type=1, file_version=65544, stack_version=2, header_string='TYZS4 115200 1.0.8  MFTEST', image_size=194230)

In [8]: validate_ota_image(image)  # it validates and the firmware is parsed properly
Out[8]: <ValidationResult.VALID: 1>

In [9]: image.serialize() == data  # no correction was applied, it serializes to the original file
Out[9]: True

In [10]: pathlib.Path('~/Downloads/NcpUpgrade.bin').expanduser().write_bytes(image.subelements[0].data)  # extract the actual firmware file
Out[10]: 194168

[puddly]

It's a GBL image:

$ git clone https://github.com/dac-gmbh/gbl
$ cd gbl
$ cargo run dump ~/Downloads/NcpUpgrade.bin
    Finished dev [unoptimized + debuginfo] target(s) in 0.37s
     Running `target/debug/gbl dump ~/Downloads/NcpUpgrade.bin`
Gbl {
    enc: NotEncrypted {
        app_info: AppInfo {
            type_: 1,
            version: 0,
            capabilities: 0,
            product_id: 00000000-0000-0000-0000-000000000000,
        },
        sections: [
            ProgramData {
                flash_addr: 16384,
                data: (172 bytes) [60, 4C, 00, 20, D1, D7, 00, 00, 91, BE, 00, 00, 95, BE, 00, 00, A7, 0A, 0A, 01, 00, 42, 00, 00, 04, 18, 0F, AC, 00, 65, BC, 00, ...],
            },
            ProgramData {
                flash_addr: 16896,
                data: (193908 bytes) [60, 4C, 00, 20, D1, D7, 00, 00, 91, BE, 00, 00, 95, BE, 00, 00, 9D, BE, 00, 00, 99, BE, 00, 00, A1, BE, 00, 00, CD, D7, 00, 00, ...],
            },
        ],
    },
    sig: NotSigned,
}

[MattWestb]

Thanks very much then then i can trying with one normal OTA file (GBL) and see if the module is accepting it.
The problems i have not funding any force bootlader pin so if its not communicating OK I must flashing it with SWD then cant sending reboot in bootloader mode.

One more time thanks !!

[MattWestb]

Not encrypted and only signed = JACKPOT !!!!!!!

[MattWestb]

Tested with one EZSP 6.0.3.0 by renaming it to NcpUpgrade.ota tftp to the/tmp/ota-files/NcpUpgrade.ota Stopping the socat server (without stopping ZHA) and extincting /tuya/tuya_user1/debugtool -n
The debugtool is working around one minute and then i getting the command prompt. Startting the socat service and looking in HA log and getting this then ZHA is reconnecting:

2021-02-12 20:34:43 INFO (MainThread) [bellows.zigbee.application] EZSP Radio manufacturer:
2021-02-12 20:34:43 INFO (MainThread) [bellows.zigbee.application] EZSP Radio board name:
2021-02-12 20:34:43 INFO (MainThread) [bellows.zigbee.application] EmberZNet version: 6.5.0.0 build 188

So the debugtool have doing "something" but the version is not degraded in the module = not working :-((
The debug too is not giving any output or logging so not easy knowing wot is done or was going wrong.
So still need getting the comport working with HW flow control in one terminal that that can doing xmodem transfer.
I was not trying one 6.7 or higher because if the debugtoo dont supporting V8 framing i cant getting the module in bootloader mode.

[MattWestb]

Great thanks !!!

The problem with the original socat its blocking the Zigbee module for communicating then hardware pins is being in blocking mode and the original bottloader and NCP is have HW flow control.
Also connecting one USB-TTL serial is being blocking sending to the module with the original socat.

I trying it out if i can recovering my "bricking" with it after writing one request for new firmware and one new bootloader with SW :-)).

I keep you informed of the progress if its positive or negative !!

[MattWestb]

One Australian firmware request is sent from one Swed in Austria with help from Denmark :-)))

[MattWestb]

And now from docker CLI:

/config # bellows -d socket://192.168.2.60:8888 info
[58:8e:81:ff:fe:d5:92:9c]
[0x0000]
[<EmberNetworkStatus.JOINED_NETWORK: 2>]
[<EmberStatus.SUCCESS: 0>, <EmberNodeType.COORDINATOR: 1>, EmberNetworkParameters(extendedPanId=1e:0f:02:81:45:16:0b:80, panId=0xd337, radioTxPower=13, radioChannel=15, joinMethod=<EmberJoinMethod.USE_MAC_ASSOCIATION: 0>, nwkManagerId=0x0000, nwkUpdateId=0, channels=<Channels.ALL_CHANNELS: 134215680>)]
[<EmberStatus.SUCCESS: 0>, EmberCurrentSecurityState(bitmask=<EmberCurrentSecurityBitmask.TRUST_CENTER_USES_HASHED_LINK_KEY|64|32|HAVE_TRUST_CENTER_LINK_KEY|GLOBAL_LINK_KEY: 244>, trustCenterLongAddress=58:8e:81:ff:fe:d5:92:9c)]
Manufacturer:
Board name:
EmberZNet version: 6.7.8.0 build 373
/config #

And ZHA is saying:

2021-02-14 15:29:47 INFO (MainThread) [bellows.zigbee.application] EZSP Radio manufacturer:
2021-02-14 15:29:47 INFO (MainThread) [bellows.zigbee.application] EZSP Radio board name:
2021-02-14 15:29:47 INFO (MainThread) [bellows.zigbee.application] EmberZNet version: 6.7.8.0 build 373

So My tuya ZBGW is not bricked only little degraded to software flow control !!

YIPPPPPY !!!

[MattWestb]

With new Gary EZSP i getting:

2021-02-15 08:29:33 INFO (MainThread) [bellows.zigbee.application] EZSP Radio manufacturer: 
2021-02-15 08:29:33 INFO (MainThread) [bellows.zigbee.application] EZSP Radio board name: 
2021-02-15 08:29:33 INFO (MainThread) [bellows.zigbee.application] EmberZNet version: 6.7.8.0 build 373

Attached firmware if some one is brave :-))
Tuya_ZBGW_NCP678.ZIP

Credit for the firmware: our master firmware cooker Gary and the downloading to @Ordspilleren ! ! !

I was trying flashing back the NcpUpgrade.ota but the bootloader was not liking it but i should trying it one more time so knowing if its possible restoring the Zigbee module without activating the tuya app.
And also interesting wot is the tuya app doing then being activated after the "soft hack".
It can being god if its working normal so i cant doing update of my Revolt TRVs that i was getting in the "family pack".

Edit: Added both HW and SW version of the EZSP 6.7.8.0 in the zip file.

[MattWestb]

I agree with you @Ordspilleren the HW flow control its better then its already in the hardware design of the PCB and its have zero impact of the speed on the lines (that SW can doing some %).
Also is making the communication more stability on the board but on the other side of Socat is ZHA is only using SW flow control but its looks like Socat is manager it OK with HW on one side and SW on the other.

I was little of focus then going thru the hardware pin / pads / ports :-((

You have god eyes and brilliant brain have you finding some hint if tuya have implanting one force bottloader pin / pad / port to the module in the software and hardware ?

I have only finding the 4 comport lines and the "2 | FRC_DCLK | I/O | packet trace interface (PTI) | PB11" that looks going to the SOC but is not making any thing then resting the module.

Most bootloaaders is configurated without flow control then the NCP is using soft or hardware like the USB stick HUSBZB-1 that is using HW and 57k6 in the EZSP firmware and the normal shipped bootloader is without flow control.

As i was saying before the bootloader is not flashing on downloaded firmware if the CRC and header is OK so its only re transmitting the file if its being wrong and the xmodem is also doing checks so its very safe mechanism.

[MattWestb]

Tuya is rolling the network key !!!!

Next NWK key update in 2 days

[Ordspilleren]

How is it initiating the network key update? Will it update the network key even if we only run serialgateway on the device?
Since we have root access, it should be quite simple to disable this behavior.

[MattWestb]

I think the spec is saying first sending the new key (broad or unicast) and waiting before sending "updating network key" that is doing the roiling and updating the network key cuter.

[MattWestb]

Lasse its the tuya app that is trying doing "its things" and its complete disabled then running the Socat.

For information 6.7.0.0 and newer EZSP is not backwards compatible then the frames format (ASH v8) is changed and cant "talking" the old (ASH v7) frame format (exception is the reset and initiating commands).

If the tuya ZBGW is roiling the network key its shall not being any problems going back to ZHA then all devices have (hopefully) getting the new one and its transparent to ZHA.

[Ordspilleren]

Great. So if you only run serialgateway, then the network key update will not take place.
My gateway is only being used for ZHA, so it won't be a problem for me at least.

[MattWestb]

The network key saved in the simulated NVRAM in the flash and its the application that is manager it so if not using the "tuya app" (= disabled then starting the Socat) its only ZHA that can doing it (and very likely loosing all Xiaomi devices) but the devs dont like implanting it then its getting to much problems with "some" devices.

[Ordspilleren]

I have prepared a script to assist in upgrading the firmware: banksy-git/lidl-gateway-freedom#5.
Hopefully it will be useful.

[MattWestb]

I was thinking doing one zip or tar file with Socat, HW and SW and the new startup file and Xmodem and the EZSP firmware downloaded to the /tmp and then extracted in the right directorys and the right rights from the script. More or less one "all in one" package.

[Ordspilleren]

Great find! I have updated the script, and it now works without bellows.

[MattWestb]

Great !!
I must trying it out !!!

[MattWestb]

I was trying converting the dumped bin file from the "app" to one GBL file and i can downloading it but the module is rebooting to the bootloader = cant run the APP.

Was taking one look on Garys git and hi have adding one 6.5.1.0 and its working booting and enabling tuyas "APP". Its writing little things but is not complaining and i can steering my LIDL LED stripes = working.

I shall doing more testing with it and see that it can rebooting and adding and deleting device OK before saying its working 100%.

Perhaps i can catching the network key rolling (by "cating" the log but very unlikely not with on real sniffing).

By the way nice change in the updating script Lasse !!

[MattWestb]

Tuya dont like updating the NCP i think they is only comparing the mayor version of the NCP.

# ./debugtool

*********************************
Build time: May 15 2020 15:48:16
Support cmd:
    0:   get net info.
    1:   update zigbee coo.
    2:   plugin counters printf.
    3:   set tx radio power.
    4:   start RF test mode.
    5:   stop RF test.
    6:   install code.
    7:   create a specified zigbee network.
    8:   set max deveice cnt.
    q/Q: quit debug.
*********************************

******Input cmd:0
rev msg, type: 0x3003.
nodeEuiStr = 588e81fffed5929c.
nodeId = 0x0000.
panId = 0xd337.
channel = 0x0f.
ver = 3.9.3.
netStatus = 0x03.

Bad news for network key rolling is planed before the time is synced so its not being for some years.

[MattWestb]

Updated "upgrade pack" Tuya_ZBGW_NCP_BL_UPG.ZIP with "manual" triggering bootloader method.

3 different GBLs:
NCP_UHW_651.gbl for loading to EZSP 6.5.1.
NCP_UHW_678.gbl for loading to EZSP 6.7.8.
BTL_TZBG.GBL for updating the bootloader to one new with PB11 / module pad 2 thats going to the MCU for forcing booting the bootloader on reset (hardware forced if the EZSP is not running OK).

EZSP 6.5.1:

2021-02-17 15:18:24 INFO (MainThread) [bellows.zigbee.application] EmberZNet version: 6.5.1.0 build 241

EZSP 6.7.8:

2021-02-17 15:11:45 INFO (MainThread) [bellows.zigbee.application] EmberZNet version: 6.7.8.0 build 373

New bootloader:

# cat /dev/ttyS1
▒

R~B▒▒\(▒▒.▒~    B▒▒\(▒▒0Q~      B▒▒\(▒▒0Q~C▒▒▒▒▒~
Gecko Bootloader v1.A.3
1. upload gbl
2. run
3. ebl info
BL >
begin upload
CCCCCCCCCCCCCCCCCCCCCC

I have testing loading booth 6.5.1 and 6.7.8 EZSP with the updated bootloader by software command reboot to bootloader and its works as expected.

If not planing going back to "tuya app" i recommending updating the bootloadder so you always can booting in the bootloader also then EZSP is not running OK and you cant reboot to bootloader by software commands.

I have not testing grounding the PB11 and tipping the reset pad low but it shall working as expected.
If some one like testing doing one script for doing it in the MCU is shall being possible then both the module pad 1 (reset) and 2 (PB11) is going to the MCU.

[pbertra]

So, with this archive, can I?

• upload EZSP 6.7.8 to my TYGWZ1
• update with debugtool
• still have tuya and everything working as before
• rollback to 6.5.0 if I encounter any issue

I don't want to remove tuya for now, just have a more recent FW version for unsupported devices...

[MattWestb]

If you like staying tuya cloud dont hack the ZBGW or only extract the root password !!
Supported devices is mots one thing in the application (tuya ZBGW and its cloud / ZHA / Z2M) but the zigbee module can help with communicating problems for tricky devices but with tuya cloud you cant use the updated firmware on the Zigbee module then tuya cant communicating with it (it have newer serial protocol v8).

I have 2 tuya ZBGW (one LIIDL and one no named) and both hacked and one restored with the EZSP 6.5.1 and its working OK with tuya cloud then i testing tuya devices if they have getting firmware updates.
It shall being possible doing firmware downgrade the same way as upgrade only using the parameters for protocol V8 for getting the module in bootloader mode.

If you is getting problem it can being you must using SWD probe flashing the firmware but i have not hearing users have needing it.

[pbertra]

In fact here the manufacturer of the switch states that to get the power measures, you must have at least 6.7 FW on the gateway...
What's the most recent firmware using the V7 protocol?

[MattWestb]

EZSP 6.6.X if i remember right.
Its possible implanting V8 / V9 using framing for V7 but it must being done in the host system (tuya ZBGW firmware not the Zigbee module) like ZHA have done.

It can being that tuya have rolling out updates for some customers but they have not doing it on all devices (ZBGW) then i have not seen report of it and for Matter they is using one newer hardware version that is certificated for some weeks ago.

[MattWestb]

@Ordspilleren I have some some ideas of using the /dev/ttyS0 for other serial connected hardware (Zigbee sniffing).
I dont knowing if its possible making the Linux stop using it as one local console and and stop it printing status / debug messages on it. But if its possible I wold liking getting one Socat with SW flow control for it ttyS0.

Some ideas if its possible and if its some no goes to implanting it ??

[nagyrobi]

Do we have new firmware for EZSP chip in this unit?

[MattWestb]

I have cooked one six ten for it and have one tuya TBGW running on it but only with few devices for test so its pretty untested but you can try it on own risk.
Its having NVM3, ZGP cluster support and max TC link keys and so on.

[nagyrobi]

Battery drain issue?

[MattWestb]

I have not tested is its helping then i dont have any extreme battery draining in my production system (EZSP 6.7.8.0) and also the test system with all IKEA remotes types i having (was running 6.7.8.0 and now 6.10.0.0),

Fixes in the Zigbee stack #595 (comment).

I have good routers so the remotes can using then and i have blocking sleeping end device using the coordinator as parent and its working great.

[nagyrobi]

How to flash it on TYGWZ01?

[MattWestb]

Normal way if you is downloading the GBL file and with one SWD/J-Link probe if you is using the S37 files.
I have flashing it with one patched script that can rebooting the zigbee module and uploading the firmware but the original guide shall working OK.

[kev-m]

Hello everyone! Thanks for this great project - I'm looking forward to using it.
I've hit one problem - the pre-compiled serialgateway.bin segfaults on my device.
Could it be because of the different SDK versions (or Linux and cLibrary versions)?
I have the following in my boot log:

Linux version 3.10.90 (dingsl@dingsl-pc) (gcc version 4.6.4 (Realtek RSDK-4.6.4 Build 2080) ) #10 Tue Apr 28 14:03:14 CST 2020

whereas the serialgateway Makefile refers to rtl819x/toolchain/rsdk-4.4.7...

[kev-m]

Ah! My mistake! I "copied" the binary using $ cat > serialgateway, but that does not preserve the binary (same, using the ssh command).
I copied it successfully using tftp.

[MattWestb]

Great !!

I was using TFTP for all my file copy to the device and then doing the copy in the terminal from the tem folder to its real location for not getting problems.

So very soon we have one more brave user using it with ZHA or Z2M :-)))

[kev-m]

I'm quite interested in this Lidl device. I see that the RTL8196E SOC has USB support, and that there are test pads connected to the USB_DN and USB_DP pins. I wonder if there is USB storage device support compiled in? Will a flash drive be detected if I solder in a USB connector???

[kev-m]

Staying on topic, though, now that I have tftp'd the GBL binaries to the device, it's not clear to me how to replace the bootloader and firmware on the TYGWZ01.
I have root ssh access and serial access to the device.
What's my next step?

[MattWestb]

You shall (normally) not writing one new bootloader only triggering the bootloader and uploading the updated firmware for the Zigbee module.
Then is in the bootloader you can triggering upload with 1 and then sending it with xmodel.

I dont remember exactly how we was doing it in the device but it was working well with the script posted in pauls git.

[nagyrobi]

Is any of you are you aware of any new EZSP binary for TYGWZ-01?
v6.7.8.0 is rather old, since then there's 6.10 released....
any of these could match?
https://github.com/Elelabs/elelabs-zigbee-ezsp-utility/tree/master/data/EFR32MG13

[MattWestb]

I think i have not written that the original firmware is using SSIM2 and the updated using NVM3 so the firmware is deleting the old information if cant upgrading it to the new standard (I have getting one updating but not working and was needing resetting the zigbee module for getting it working).
In the new firmware is some fixes that can helping but likely if the remotes is having the coordinator as parent and its offline some minutes they is jumping to on new parent and that can triggering the bug in the remotes firmware.
If you have good routers around the remotes you can blocking the coordinator for having direct children with config parameters in HA and is normally working better with IKEA remotes (I was having one E1743 that was fast draining 2 times after firmware update).

I have not testing if the firmware how stable its then i running "Billy EZSP" in my production system and the test ones is restarted oft.

[mihsu81]

So the only solution you found for the fast battery draining was to add the remotes to the routers instead of the TYGWZ01 coordinator?

[MattWestb]

Its can being around up to 10 bugs in the firmware that Silabs have fixing in the last release of there SDK but we is not knowing if IKEA nave implanting some of the fixes then they have one custom version with some extra code / patches.

The work case is the battery dead in 48 hour = if the device is doing OTA firmware updating all the time.

EZSP 6.7.8.0 is fixing many of the old bugs in the coordinator side so its treating the device better and not getting the bugs trigger so easy and for must user its being better.

Some more devs have zero problems with IKEA remotes and i have only seen 2 draining on new battery then changing them and was not doing it at there normal position (remote for bedroom was getting new battery in living room and was jumping to one router in the living room and then putted back to the bed room jumped and drained the battery in one week).

Most user with this problem (but not all) is having one SonOff ZBB and no routers but we have seen all Silabs but is being better with updated firmware (6.7.8.0) but also CornBee and the new is that all TI coordinators is having problem with the last firmware updates in there coordinators.
I think now is the normal problem that the device cant shutting down the external flash (used for OTA storage) that is doing the most problem so its using 5-1 micro Ampere all the time instead of some nano A.

The only thing is getting it working good is having good routers around the device and making them using them and not using the coordinator then its can being of line (like updating HA) and can making end devices jumping to one new parent and getting problems.

Sorry but we have not finding any 100% working solution only IKEA can making one updated firmware with all bugs fixed (and pleas also the lost group binding) can making it working 100%.

But for my its better than Xiaomi sensors that is leaving the network (silent) if they dont like there parent and must being repaired or rejoined but they is working great im my system 2.

So have good routers is the best step for getting them working better but not 100% sure.

[mihsu81]

@MattWestb Thanks for the very in-depth explanation. For me 6.10 made the difference. 16 days now without issues.
Thanks a lot.

[snakesrules94]

Hi all, after a long time in the drawer due to the Ikea battery drain issue, i decided yesterday to givr the 6.10 fw a chance on my lidl/silvercrest gateway after reading all your feedback.
I've tried to update as i did a few month with the 6.7.8 fw and the update script but this time with the 6.10 but no way to upgrade. I always get some timeout error while runing the sx command. I've checked the bootlaoder mode with bellows and it's ok , i' ve also check in terminal and it enters gecko prompt and waiting for file, but no way to upgrade. Is there something i'm missing since all this time to change from 6.7.8 to 6.10 ?
Regards.

[MattWestb]

I have not using @Ordspilleren script but you need using the "V8" parameter then its 6.7.8.0 is using V8 protocol and the original tuya is / was using V7 or its not working.

If you is getting the module in bot loader mode (with bellows) its also possible sending the firmware with one terminal program like ExtraPuTTY or with local SX commands in the box (the script is killing the serialgateway so need reboot if using external terminal program).

[snakesrules94]

Sure , i will report . As @mihsu81 , i've paired the remote using ZHA and one Ikea bulb , for testing purpose . I don't have router right now in my network . what would be the "cheapest" way to get one router ? is there a simple device that could do the job ?

[MattWestb]

Normally lights is OK but the some of the last IKEA 3 gen is not so good then the antenna is very badly shielded with metal but the old outlet is pity good.
Only keep away from OSRAM devices then they is making more bad then good in the netwok.

[snakesrules94]

For now, i have reflashed an old 2531 usb stick with the router FW and added it in the network . I will let the Ikea remote paired to the gateway and see the bat level in a few day , and next test will be to pair the remote to the router instead and start to check again bat level.

[snakesrules94]

This morning, the battery was reported at 100% by ZHA , it tells me 5% 7 hours later :-( ...

[mihsu81]

@MattWestb I gave up on the Lidl Gateway and went for ZigStar LilyZig with CC2652P.
Since you're getting so good at building coordinator firmware for EFR32, would you be able to make a router firmware for the Lidl Gateway? Would be a shame not to reuse it :D

[snakesrules94]

Just for information , this gateway is now sold at 19€ in France and i saw yesterday a new version at Lidl , which looks like more the rounded version in that post : https://github.com/zigpy/zigpy/discussions/650#discussioncomment-669398

[MattWestb]

I think LIDL is trying getting market from IKEA with the price.
The linked ZBGW looks like my first that i running ZHA on.
Hope its the same PCB and chips inside so we can hacking it the normal good working way.

I was baying 2 Stainless steel Styrbar by IKEA in Montpelier then passing by to Spain and they was only 10€ and in Austria they was 20€.

By the way i have putting back the EZSP 6.5.1 on the Zigbee module and copy the original start script and restarting the ZBGW and its have updating the Zigbee module and and the ZBGW firmware and then i must resetting my old account then the token was to old and then all was working OK.
The serialserver and backup of the start scrips is being left in the flash = good and the root access is working OK.

Shall doing little more sniffing of TS004F and then looking more how its reversing back to ZHA.

[MattWestb]

@Ordspilleren and more interested user.
I have getting my "IKEA Billy" up and running with Silabs RCP firmware and Home Assistant Add-on for Silicon Labs Multiprotocol stack and looks working but have only doing one fast test.
I have one tuya MG21 module up and running with Zgbee(d) (EZSP 7.0) and OTBR (formed but no thread devices then i dont have any but shall coming) for some weeks and looks working OK.
The HA integration dont have support for network connected RCP but we can requesting that function if needed.

My question is if some one is interesting in one RCP firmware for tuya ZBGW so can running EZSP 7.0 in "host mode" (not on the chip in the host system) and Open Thread Boarder Router on the same chip and channel ?

The integration and reference design is using hardware flow control and our implementation is doing the same so shall being OK but its best doing testing and having SWD debugger so can recover the module if not working OK.

More feed back pleas !!!

PS: I have trying doing the same firmware for "IKEA Markus" (The new Silabs MG21 module) but i have not getting it working OK.

[MattWestb]

One Billy RCP as leader OTBR with one tuya / LIDL ZS3L module RCP as second OTBR and its having one LIDL E14 RGBWW light on the Zigbee network :-)))

The big Q is what shall i doing with the Thered network then i have not finding any devices and host system for it ???

[MattWestb]

I have Billy RCP up and running on one WeMis D1 Mini clone with ESPHome with serial server running on it and using the new implanted network attached RCP and its working OK.

I need testing if i can doing firmware updates of EZSP and RCP with software commands safely then i can cooking one RCP for tuya ZBGW with hardware flow control and testing aas is being done in Garys firmware we is using in our ZBGWs.

[constapel]

@MattWestb you write in #650 (reply in thread) press de ESC....where can i find the ESC? I am very confussed. I use termite but can seem to get communication with the zwgateway.
"Press ESC"on what? PC with serial addaptor or somewhere else?

[constapel]

i tryed multple solutions but nothing seem to work. 3 different PC's en 3 different USB serial port adapters . I must be doing something wrong because i can not intercept the bootloader with the ESC key I use termite on windows 7 and windows 10 . Pressing ESC on the keyboard at different times intervals on the PC keyboard has no effect whatsoever. I am very frustrated and feel very stupid. I dont understand what i am doing wrong......

[MattWestb]

Your terminal can receiving from the ZBGW = very good !!
Let the box booting and hitting enter and you shall getting one login prompt and can writing root as user and enter and one password plus enter. If you is getting feed bacl all the way is the sending commands from your PC working OK.
If not working its some problems with sending (TX) lines.
Also you need have flow control disabled (= non in most program and not soft or hardware) or the terminal is waitinng for getting one ACK before sending anything and the bootloader is not making that..

[constapel]

I finally succeeded in stoping the boatloader. HOREE.... I now used a fdti233 chip usb controller and i took a Linux Mint machine and installed minicom. ESC aping was very easy now! That DID the TRICK!
Now i am stuck in decoding the root password
when i use [lidl_auskey_decode.py](https://github.com/banksy-git/lidl-gateway-freedom/blob/master/scripts/lidl_auskey_decode.py)
i get an error UnicodeDecodeError: 'ascii' codec can't decode byte 0x9b in position 0: ordinal not in range(128)

When i use TUYAZBGWROOTPW.PY i get
Auskey: b'\xd0\x0e\xb8\xa9\xcd\x8cj.\x84I\xbd\xccl\xaeo\xbd\xb7\x7f82j4\x08\xe3\t\x8c\xf5\xb4\xab\x18\x1c\xac'
Root password: b'\t\x8c\xf5\xb4\xab\x18\x1c\xac'

Can you help me please?

[MattWestb]

You printout looks little different then i was doing it but it was very early in the hacking process.
Look in my post #650 (reply in thread) but the updated script is looking little different but you shall getting the same readings (but different codes) that i was getting from the bootloader.

Great work dune brave user !!!

[constapel]

Is it possible for you to decode my KEK and AUSKEY ?. Is it oke if i send you my 3 lines of code? (may i have other python setting then you?)
Do i understand correctly that there is an updated script of "TUYAZBGWROOTPW.PY"

Thank you very much in your efforts to help me....

[mihsu81]

@MattWestb Would you be able to create a router firmware for the Lidl Smart Gateway?
Thanks in advance.

[MattWestb]

Sorry @mihsu81 i dont have interest doing it then the hardware is not made for that purposes.
If you like trying and have one SWD / J-Tag probe you can using the GSDK and compiling one.
https://github.com/SiliconLabs/gecko_sdk

Information of the module pins and so on you can finding on me git.
https://github.com/MattWestb/EFR32-FW/tree/main/TUYA_ZBGW

I can recommending IKEAs Signal Repeater is working OK if you like having one USB powered device that have being around for long time.
tuya Mini / micro repeater have one OK chip but very bad antenna so not working so good in the reality.

Normally its the best adding some good routers in the network for getting it extended (i using IKEA Power outlets as "back bone"for my production network) so all your end devices can connecting to them and not need for having them connected direct to the coordinator then its normally one very lazy router (its being one normal router but is doing the coordinator things that is higher priority).

[constapel]

Hi MattWesb I would like to ask you if you can decode mt KEK en AUS-KEYS? 80000000:5A5AA5A566666666666666676666666680000000:322BC647E282D563971D448202884A6280000010:C1E46A49C5A821773EA0022AF278257A Is this possible for you. I am stuck and can't seem to get uasable results Thanks Constapel Op dinsdag 10 mei 2022 21:55:57 CEST schreef MattWestb ***@***.***>: You printout looks little different then i was doing it but it was very early in the hacking process. Look in my post #650 (reply in thread) but the updated script is looking little different but you shall getting the same readings (but different codes) that i was getting from the bootloader. Great work dune brave user !!! — Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you commented.Message ID: ***@***.***>

[constapel]

Hoera! i retryed and this time a got different KEK en AUSKEY.
This time i used python 3 on Linux Mint and.........GOT the pasword !!!
Again i i lost now ....How do i proceed.....What do i need to do now?
Thanks!

[MattWestb]

I have trying your keys and getting the same error :(
Then i was testing the keys i was posting and getting the same error :-((((
I have reinstalled my laptop that i was doing the orginal hacking so the system is not 110% the same so i was trying one Lubuntu 22.04, HA container, GIT bash and some more things and all was not working.
Then i was looking on my original keys (not the example that i have posting) and i was trying them and it was working OK on all test i was doing (2 hours later) and is getting the real key.
So my conclusion is it somthing wrong from the commands you was making in the boot loader or com problem with copy the resolute it was giving.

Can you doing the commands in the boot loader for getting the keys one more time and copy all in one block and not line by line so you is not getting any strange things from windows and saving it in on TXT fie. Then testing the script if its working or not with the new made keys and if its not working posting the TXT file (attaching it) and i taking one more look on it.

[MattWestb]

Sorry was missing your lat post the doing dinner :-))
Great then you have getting one real password !!

Only reboot the ZBGW and hitting enter then have booting OK and you is getting on login prompt:

tuya-linux login: root
Password: 

Tuya Linux version 1.0
Jan  1 12:03:30 login[1004]: root login on 'console'
# 

put root as user and enter and the the password you have decode and you shall being inside the tuya Linux.
Then you can start looking around and making one backup of the system if you like.

[constapel]

Hi Matt,
I have been successful in walking through the Hack of the Silvercrest ZG. I think i was also succesfull in upgrading the EZSP Version to 6.7.8.0. But i am not sure. I have no way/script/command to test if these actions where al succesfull. Do you have any help to check/test?
Since i am using Openhab 3.2.0 ( on docker) i can not test the EZSP. I dont understand how to make a binding on OH and can not publish a serial port /dev/ttyzbbrige. I think i came very far, but can not implement the hacked ( properly done?) Zigbee gateway to my favorite system OH.

[MattWestb]

Im dont knowing OH so i cant guiding you with it.
If you is not having HA running you can installing it in one docker container its being easy testing and also reversing / deleting the test setup without braking your OH system.
In HA adding ZHA and putting in ezsp as radio type and socket://192.168.2.60:8888 (with your IP and port to your ZBGW) and 115200 as baudrate. If getting ZHA connected you is getting the version of the firmware in the log.
You can also open one command prompt in the HA container and using bellows with command info for getting information from the coordinator but its little more advanced.

[constapel]

Tribute to Matt!
I installed HA on a docker and after choosing EZSP en socket://gateway.ip:port
I got this !!!!!!
Device info
EZSP = Silicon Labs EmberZNet protocol: Elelabs, HUSBZB-1, Telegesis
by ZHA
Zigbee info
IEEE: xx:xx:xx:xx:xx:xx:xx:xx
Nwk: 0x0000
Device Type: Coordinator
LQI: 255
RSSI: Unknown
Last Seen: 2022-05-13T16:21:42
Power Source: Mains
Quirk: bellows.zigbee.application.EZSPCoordinator

I am happy! Thanks to Matt for all his fantastic support !
Now i can get on in finding the way to integrate under OH. ( but I now kown i have a correctly hacked Lidl Silvercest Zigbee Gateway!
THANKS to Matt

[MattWestb]

THAT IS GREAT !!!

I like brave users that is doing advance things and getting more knowledge :-)))

If you looking in the HA -> Settings -> System -> Logs and clinking on load full log you can see all what was happening then HA was started and one line shall telling the version of the coordinator you is running like this:

2022-05-12 22:17:48 INFO (MainThread) [bellows.zigbee.application] EZSP Radio manufacturer: 
2022-05-12 22:17:48 INFO (MainThread) [bellows.zigbee.application] EZSP Radio board name: 
2022-05-12 22:17:48 INFO (MainThread) [bellows.zigbee.application] EmberZNet version: 6.7.8.0 build 373

And the version of the EmberZNet must being 6.7.0.0 or higher for running other systems then ZHA then they have not implanting the old versions of the protocol but i think you is on 6.7.8.X so shall being OK for Z2M and other systems that is supporting EZSP coordinators.
The tuya ZBGW is original running EZSP 6.5.X.X and is working (but not good) with ZHA and not at all with Z2M and other systems.

And you can trying adding some device in ZHA and see how its working before "converting" all your nice device to OH ;-)

[MattWestb]

tuya have certified one updated version of our ZBGW for Matter !!!
https://csa-iot.org/csa_product/smart-wired-gateway-pro/

If looking on the original LIDL ZBGW its having HW ver 100 https://csa-iot.org/csa_product/lidl-home-gateway-2/ and was getting one firmware upgrade https://csa-iot.org/csa_product/gateway/.

And its the same as the tuya TYGWZ-01 https://csa-iot.org/csa_product/tuya-smart-gateway-3/ and one hardware updated version for Zigbee https://csa-iot.org/csa_product/tuya-smart-gateway/.

So the interesting is some user having one Smart Wired Gateway Pro / THP10-Z-X and can looking in side so we is knowing what hardware tuya have updated and can posting some photos for analyzing ?

I think the Zigbee module is being updated then i have my Billy NCP (EFR32MG1P) running RCP firmware so can using it for OTBR and Zigbeed in HA and it working but Silabs have not fixing the EFR32MG1B in the last GSDK so its not possible compiling one working RCP firmware for it.
Perhaps tuya have fixing the code and is using the original module or then have putting in one ZS3L that is working great with RCP firmware and i have firmware posted in my firmware repo https://github.com/MattWestb/EFR32-FW/tree/main/MG21LD.
I using one LIDL LED stripes controller (RGBWW) that is having one tuya ZS3L flashed with EZSP or OTR firmware.

It also can being they is using the same Zigbee module but have implanting the WiFi coexistent that is documented in the tuya dev docks but is not implemented the hardware if the TYGWZ-01.

So if some user have one Smart Wired Gateway Pro / THP10-Z-X pleas open it and post some good photos so we can taking one no destructive look inside it !!!

[d0np3p3]

Hi Matt, how cam I use the MG21LD in HA?
Flash with programmer RCP
"Addnig one working rcp for the ZS3L.
Pinout is standard tuya so RX = PA06 and TX = PA05.
Use socket://192.168.2.64:9999 (with your HAS IP address) and 115200 baud in the addon."
How do I connect the MG21LD to HA, Via serial?

I got 4 of them, and since i use 2 controllers with 2 led stripes each, i got 2 left...
could i put them in my Lidl Gateway?
Thank for helping

[MattWestb]

I was getting 2 of them and using the LED stripes on one controller so one i have modded.
Pin out of the module you finding here https://developer.tuya.com/en/docs/iot/zs3l?id=K97r37j19f496.
You need 3V3,, GND, RX and TX for communicating with the host but put RTC. CTS and the debug / SWD plus reset t the same time then you can needing them but bootloader pin is nearly never used.
My used pin out you finding here https://github.com/MattWestb/EFR32-FW/tree/main/tuya_ZS3L#tuya-zs3l.
I was starting with flashing bootloasder and then EZSP / NCP for testing that communicating is OK then its easier testing the RCP.
Then having the com working with EZSP you can using https://github.com/NabuCasa/universal-silabs-flasher for flashing RCP / NCP and you can using it also with only bootloader so very good for testing.

Your settings for Silabs Addon looks OK only need adding the network port in the config (9999) so it starts the socat port OK. Before it was problems setting it up if ZHA was not having any working Zigbee network (time outs) but it shall being fixed not but i have not testing it. If timing out load EZSP and adding it in ZHA with normal comport and forming the network. Then take sown ZHA and changing the config (in the HA .config folder) to the addon and starting it and it shall working.

If you getting it working you can putting one in the LIDL ZBGW but i think the pinout is not the same but all can being patched with think cables soldered.

My controller is for the moment running Open Thread Full future device with CLI connected to the OTBRs network for testing the commissioning devices.

Ask more if you need help for getting it working !!

[xsanderlin]

I have this stuff (Smart Wired Gateway Pro / THP10-Z-X)

[MattWestb]

EZSP 6.10.3.0 and RCP 4.2.0.0

Very untested but posted.
EZSP i can getting info with bellows CLI and USF can booting it to bootloader mode.
If getting problem with the RCP you very likely need one SWD proble for doing one erase flash and flashing new bootloader and APP.
https://github.com/MattWestb/EFR32-FW/tree/main/tuya_ZBGW

[dongbh]

Thanks for your hard work and my tygwz-01 works very well. I use " ./firmware_upgrade.sh [gateway_ip] 22 V7 NCP_UHW_MG1B232_678_PA0-PA1-PB11_PA5-PA4.gbl " to upgrade zigbee firmware where V7 is the ezsp version. I want to know if I want to upgrade to 6.10.30, Is there still be V7 or V8? The firmware_upgrade.sh only support V7 and V8. Tks!

[ur5dco]

Hi. How to decrypt password from fullflash? I read fullflash from my ZHUB and unpack it with binwalk. So i get many files and many catalogs jffs2-root and squashfs-root and many files passwd with different contain. Thank you!

[jonny190]

This is a long thread and I've managed to get to the stage of getting root login to the device, I'm just not sure on the next steps to get the device to expose a socket on a port allowing the device to be added in to Zigbee2MQTT

[MattWestb]

Best is using the Pauls guid if its online but the next step is installing the serial server and getting it auto starting be renaming the tuya starting script and maning one that starting the serial server.

[Vendo232]

I`m trying to follow the root password process but when I get the password and try to use it says it is an incorrect password.
my board is Koogeek Tuya Hub TYGWZ_02N.

Also when I try to SSH the server is not responding on port 2333 but 22, then login fails with the password I decrypted. ( I`m using Putty on Windows )

[gunjubas]

This one help me on my Ubuntu.
Try to set options for ssh command:
ssh -oHostKeyAlgorithms=+ssh-dss root@your-ip -p2333