Replies: 37 comments 130 replies
-
The Zigbee module is a Tuya TYZS4 Zigbee module. It can also be upgraded with a better module, and you get an OK case and power supply (a module from a new IKEA GU 10 CWS with the new Silabs module?).
-
Hi, get one of these: https://www.ebay.com/itm/USB-Programmer-CH341A-Series-Burner-Chip-Writer-25-SPI-EEPROM-BIOS-Flash/254676176158?hash=item3b4be20d1e:g:EsQAAOSwK2VfJ8yQ or you can use an Arduino to dump the SPI; after that we can see what's inside...
-
Hope those developers are aware of the similar Open Lumi (OpenLumi) project in the #644 discussion? Maybe they could work together? The OpenLumi project is also based on OpenWRT; however, it is currently targeting Zigbee gateways based on NXP i.MX 6 Series (IMX6). Summary: @G1K, @devbis, @kirovilya (from the @diyruz organization on GitHub) have hacked Xiaomi Lumi Gateway MIxx01 Zigbee to WiFi bridges (Xiaomi gateways DGNWG05LM and ZHWG11LM) with an OpenWRT based firmware on its NXP IMX6 SoC and ZiGate firmware on its NXP JN516x chips (JN5168 and JN5169 chip), or you can make use of your own DIY hardware. References:
-
It looks like it's possible to get root access and start socat in it!! I have soldered the J1 pins and can boot into the boot loader, so tomorrow I am trying to decrypt the root password to get into the Linux system :-)))
-
@xromansx I have root access and can see the partition table when booting and in the dev tree. Partitions from boot log:
Listing /dev:
ls in the root:
ls in /tmp:
Here it should be safe to make temp files (I hope).
-
EFR32 Dumped :-))
It has a normal boot loader but I don't know the pins for RX, TX, force boot loader and the reset on the Tuya side.
And now running bellows!!
-
@Adminiuga The module is using HW flow control but it's not a problem since the socat server is configured for it and is transparent to ZHA. I have found pad 15 RXD PA1 and pad 16 TXD PA0 but can't pinpoint a boot loader pin. You have implemented zigpy/bellows#249 but I don't understand how to use it :-(( Can you explain how to use it from a ZHA docker installation, or implement it in zha_custom, or if it's possible to execute the command in zha_custom that's also OK. Then I can execute

The NCP is running OK (only briefly tested) with the factory firmware, but it's a little old (6.5.0.0), so I'd like to find a method of upgrading it in an easy way for users (I can do it with SWD if needed, but that's not recommended for "normal" users). I still don't know if Tuya has locked the boot loader, but that is the next step.

My target is making it easy to upgrade a standard Tuya Ethernet Zigbee GW, with first step rooting = done, serial over Ethernet = done, and also upgrading the EZSP on it to a stable version (6.7.X.X).

The advantage of the Tuya ZBG is stable Ethernet that is immune to WiFi interference, only needing (for the moment) serial-TTL to get root (no soldering needed, but it is preferred if possible), and likely firmware updating without SWD (or, if needed, with a "cheap" probe). It's easy to get "over the desk" for around 20-30 € all over the world without ordering it from China (I got mine in a "family pack" with Tuya TRV). I got it from Germany in 4 days and LIDL had it for 1.5 months in the supermarket (they took it away without a sale, so I think it was returned to the online store for 25 €).

Can you help bring a little light to the software part of getting the EFR32 into the boot loader, as I'm not so good at the software things? Thank you for your attention and the great work done with ZHA!!! Mattias
-
What works best is installing HA in a docker container under Windows 10. Install ZHA and bellows is installed with it.
And with a USB-serial on the RX and TX pins on the module I get something I like:
Now I'm hitting the wall again :-(( Normally you only hit 1 and upload a GBL file, but the module is not reacting to what I send on the pins from the USB-serial converter. I have tried 2 different ones that work with my Billy EZSP, which has the same bootloader (generation), but the same: no reaction. My theory is that the module is wired for hardware flow control and the bootloader is also configured for it, and bellows doesn't have any problems with that since socat is using it on the module side. I can flash an EZSP with SWD but I'd like to find a way of doing it with no extra hardware for normal users. If the bellows CLI had the possibility of sending strings (I only need to send one "1") and also starting xmodem sessions it would be an easy thing. I have "patched" husbzb-firmware so it's running under Windows 10 and Python 3.7 but have problems sending all things on the COM port; I can read and set the EZSP protocol OK but I don't get it working all the way. I have installed a "port mapper" in Windows and can map the IP:8888 to a local COM port but it's only sending and doesn't get anything back from the module. Does someone have more ideas on how to get it working with the hardware flow control without desoldering the module or flashing a new bootloader with SWD??
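The upload step described in the post above (press 1 in the bootloader menu, then send the GBL file over XMODEM) can be scripted. This is an added example, not code from the thread, bellows or the gateway firmware; it assumes a byte-stream `link` object with `read`/`write` (for instance a socket to the IP:8888 serial bridge) and a receiver that asks for XMODEM-CRC with `C`, and it does not address the hardware flow control question.

```python
import binascii

SOH, EOT, ACK, NAK = 0x01, 0x04, 0x06, 0x15
BLOCK, PAD = 128, 0x1A          # XMODEM block size and SUB padding byte

def xmodem_frames(image: bytes):
    """Yield XMODEM-CRC frames: SOH, seq, ~seq, 128 data bytes, CRC16 big-endian."""
    for off in range(0, len(image), BLOCK):
        data = image[off:off + BLOCK].ljust(BLOCK, bytes([PAD]))
        seq = (off // BLOCK + 1) & 0xFF          # block numbers start at 1 and wrap
        crc = binascii.crc_hqx(data, 0)          # CRC-16/XMODEM (poly 0x1021, init 0)
        yield bytes([SOH, seq, 0xFF - seq]) + data + crc.to_bytes(2, "big")

def _expect(link, wanted: bytes, limit: int = 4096) -> int:
    """Read byte by byte until one of `wanted` arrives, skipping menu text."""
    for _ in range(limit):
        b = link.read(1)
        if not b:
            raise ConnectionError("link closed while waiting for the receiver")
        if b[0] in wanted:
            return b[0]
    raise TimeoutError("receiver never answered")

def send_image(link, image: bytes, retries: int = 5) -> int:
    """Pick menu entry 1, upload `image`, return the number of blocks acknowledged.

    `link` is an assumption of this example: any object with read(n)/write(bytes),
    e.g. socket.create_connection((host, 8888)).makefile("rwb", buffering=0).
    """
    link.write(b"1")                             # menu key named in the post
    _expect(link, b"C")                          # receiver requests CRC mode with 'C'
    sent = 0
    for frame in xmodem_frames(image):
        for _ in range(retries):
            link.write(frame)
            if _expect(link, bytes([ACK, NAK])) == ACK:
                sent += 1
                break
        else:
            link.write(bytes([0x18, 0x18]))      # CAN CAN: abort the transfer
            raise IOError("block rejected %d times" % retries)
    link.write(bytes([EOT]))                     # end of transmission
    _expect(link, bytes([ACK]))
    return sent
```
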
-
-
@puddly I have tried getting the Tuya GW to update itself with its "backup OTA file" but I can't verify whether it is being done or not, but the process is doing "something" in some realistic time. Can you please take a look at whether it's a "real" Silabs OTA file? NcpUpgrade.zip To me it looks a little strange in the beginning but the end has references to Simplicity Studio files.
-
Tested with one EZSP 6.0.3.0 by renaming it to
So the debugtool has done "something" but the version is not downgraded in the module = not working :-((
-
Tuya is rolling the network key !!!!
-
I have prepared a script to assist in upgrading the firmware: banksy-git/lidl-gateway-freedom#5.
-
Updated "upgrade pack" Tuya_ZBGW_NCP_BL_UPG.ZIP with "manual" triggering bootloader method. 3 different GBLs:
I have tested loading both 6.5.1 and 6.7.8 EZSP with the updated bootloader by the software command reboot to bootloader and it works as expected. If not planning on going back to the "tuya app" I recommend updating the bootloader so you can always boot into the bootloader, also when EZSP is not running OK and you can't reboot to the bootloader by software commands. I have not tested grounding PB11 and tipping the reset pad low but it should work as expected.
-
@Ordspilleren I have some ideas of using /dev/ttyS0 for other serial-connected hardware (Zigbee sniffing). Any ideas on whether it's possible and whether there are some no-goes to implementing it??
-
Do we have new firmware for the EZSP chip in this unit?
-
Hello everyone! Thanks for this great project - I'm looking forward to using it.
whereas the serialgateway Makefile refers to
-
Are any of you aware of any new EZSP binary for TYGWZ-01?
-
I have not used @Ordspilleren's script but you need to use the "V8" parameter since 6.7.8.0 is using the V8 protocol and the original Tuya is / was using V7, or it's not working. If you get the module into boot loader mode (with bellows) it's also possible to send the firmware with a terminal program like ExtraPuTTY or with local SX commands in the box (the script is killing the serialgateway so a reboot is needed if using an external terminal program).
-
Just for information, this gateway is now sold at 19€ in France and I saw yesterday a new version at Lidl, which looks more like the rounded version in that post: https://github.com/zigpy/zigpy/discussions/650#discussioncomment-669398
-
@Ordspilleren and more interested users. My question is whether someone is interested in an RCP firmware for the Tuya ZBGW so it can run EZSP 7.0 in "host mode" (not on the chip in the host system) and OpenThread Border Router on the same chip and channel? The integration and reference design is using hardware flow control and our implementation is doing the same so it should be OK, but it's best to do testing and have an SWD debugger so you can recover the module if it's not working OK. More feedback please!!! PS: I have tried doing the same firmware for "IKEA Markus" (the new Silabs MG21 module) but I have not gotten it working OK.
-
@MattWestb you write in #650 (reply in thread) press the ESC... where can I find the ESC? I am very confused. I use Termite but can't seem to get communication with the zwgateway.
-
@MattWestb Would you be able to create a router firmware for the Lidl Smart Gateway?
-
Hi MattWestb
I would like to ask you if you can decode my KEK and AUS-KEYS?
80000000:5A5AA5A566666666666666676666666680000000:322BC647E282D563971D448202884A6280000010:C1E46A49C5A821773EA0022AF278257A
Is this possible for you?
I am stuck and can't seem to get usable results.
Thanks, Constapel

On Tuesday 10 May 2022 21:55:57 CEST, MattWestb ***@***.***> wrote:
Your printout looks a little different than how I was doing it, but it was very early in the hacking process.
Look at my post #650 (reply in thread); the updated script looks a little different but you should get the same readings (but different codes) that I was getting from the bootloader.
Great work done, brave user!!!
-
I have tried your keys and get the same error :( Can you do the commands in the boot loader for getting the keys one more time and copy it all in one block and not line by line, so you don't get any strange things from Windows, and save it in a TXT file. Then test whether the script works or not with the newly made keys, and if it's not working post the TXT file (attach it) and I'll take one more look at it.
-
Tuya has certified an updated version of our ZBGW for Matter!!! Looking at the original LIDL ZBGW, it has HW ver 100 https://csa-iot.org/csa_product/lidl-home-gateway-2/ and got a firmware upgrade https://csa-iot.org/csa_product/gateway/. And it's the same as the Tuya TYGWZ-01 https://csa-iot.org/csa_product/tuya-smart-gateway-3/ and there is a hardware-updated version for Zigbee https://csa-iot.org/csa_product/tuya-smart-gateway/. So the interesting thing is whether some user has a Smart Wired Gateway Pro / THP10-Z-X and can look inside, so we know what hardware Tuya has updated, and can post some photos for analysis? I think the Zigbee module has been updated, since I have my Billy NCP (EFR32MG1P) running RCP firmware so I can use it for OTBR and Zigbeed in HA and it works, but Silabs has not fixed the EFR32MG1B in the last GSDK so it's not possible to compile a working RCP firmware for it. It can also be that they are using the same Zigbee module but have implemented the WiFi coexistence that is documented in the Tuya dev docs but is not implemented in the hardware of the TYGWZ-01. So if some user has a Smart Wired Gateway Pro / THP10-Z-X, please open it and post some good photos so we can take a non-destructive look inside it!!!
-
EZSP 6.10.3.0 and RCP 4.2.0.0
Very untested but posted.
-
Hi. How do I decrypt the password from the fullflash? I read the fullflash from my ZHUB and unpacked it with binwalk. So I get many files and many directories, jffs2-root and squashfs-root, and many passwd files with different contents. Thank you!
-
This is a long thread and I've managed to get to the stage of getting root login to the device; I'm just not sure of the next steps to get the device to expose a socket on a port, allowing the device to be added to Zigbee2MQTT.
-
I'm trying to follow the root password process but when I get the password and try to use it, it says it is an incorrect password. Also when I try to SSH the server is not responding on port 2333 but 22, then login fails with the password I decrypted. (I'm using Putty on Windows.)
-
TYGWZ01 Smart Gateway is used by all suppliers of Tuya products and is the Ethernet version of their Zigbee GW.
Known rebrands: LIDL, Pearl.de, Revolt, Elesion and many more.
Inside.
Some users are trying to port OpenWrt to the rtl8196eu chip so it becomes possible to use it as an EZSP 2 ETH bridge.
Would it work on rtl8196eu ? #3 and Add Support for RTL8196E RTL8197D RTL8197F
One of the devs (@xromansx) is active in our projects and has contributed to getting Tuya TRVs working in our systems.
Do some more users / hackers have an interest in getting it up and running with OpenWrt and tunneling the COM port from the EZSP over Ethernet to ZHA??
I find it interesting since it is cheap and easy to get in the EU and most other countries and doesn't have the problems with WiFi interference that can kill ZHA.
I have one GW that is not in use and is only for testing whether Tuya has released new firmware for my Tuya products, but I'm willing to expose it to more brutal attacks to get it working for our purposes.
I don't have an SPI programmer, only SWD / JTAG programmers, but I'm interested if someone can help get the EEPROM read with easy hardware, to get some start on trying to load a new firmware on it for our purposes.
More input of crazy ideas is more than welcome for getting (un)possible things happening!!