Hacking the Silvercrest (Lidl/Tuya) Smart Home Gateway

bool2 · January 20, 2021, 7:51pm

If I get time, I plan to hack the Tuya / Lidl Smart Home hub to integrate with Home Assistant. Fortunately the device is fairly easy to get into and the ZigBee module might even have an open source SDK available so it might make a nice project for a rainy day. It would be nice to gauge interest in this.

For those interested, I have documented findings so far here:

https://paulbanks.org/projects/lidl-zigbee/

Enjoy!

bool2 · January 24, 2021, 8:24pm

Ok, I have a working integration and it’s not much work at all. It was a fun hack but since there’s not much interest in this I’ll keep the writeup short and sweet as follows.

The Tuya/Lidl hub contains a Zigbee Module that talks the EZSP protocol by Silicon Labs. ZHA directly supports this protocol so it’s a matter of just linking the two up.

Here’s a guide to integration:

https://paulbanks.org/projects/lidl-zigbee/ha.html

Result: Tuya/Lidl Home Hub directly integrated with Home Assistant and no Tuya Cloud. WIN!

Foxxy · January 25, 2021, 9:07am

Thanks for this
Let us see how it compares to Sonoff ZbBridge in terms of Zigbee radio coverage and other usage params.
Both devices are superb in ability to place them in strategic place in house limited only by WiFi coverage and power outlet existence…
Best, JR

blakadder · January 25, 2021, 10:28am

Great project, might be worth to get one just for the tinkering value Maybe install mosquitto on it as well if it can handle it

Simulacra · January 29, 2021, 5:37pm

I have this device on my hand but you didn’t provide much details how I could go further to get root access to the device.

Simulacra · January 29, 2021, 7:53pm

I connected GND, Rx, Tx and plugged to USB
I can see output messages but unable to activate the console.
Tried ESC to get to bootloader, then Enter in the console but unable to get in.

Booting…

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@
@ chip__no chip__id mfr___id dev___id cap___id size_sft dev_size chipSize
@ 0000000h 0c84018h 00000c8h 0000040h 0000018h 0000000h 0000018h 1000000h
@ blk_size blk__cnt sec_size sec__cnt pageSize page_cnt chip_clk chipName
@ 0010000h 0000100h 0001000h 0001000h 0000100h 0000010h 000004eh GD25Q128
@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
DDR1:32MB

—RealTek(RTL8196E)at 2020.04.28-13:58+0800 v3.4T-pre2 16bit
P0phymode=01, embedded phy
check_image_header return_addr:05010000 bank_offset:00000000
no sys signature at 00010000!
P0phymode=01, embedded phy

—Ethernet init Okay!
tuya:start receive production test frame …
Jump to image start=0x80c00000…
decompressing kernel:
Uncompressing Linux… done, booting the kernel.
done decompressing kernel.
start address: 0x80003780
Linux version 3.10.90 (dingsl@dingsl-pc) (gcc version 4.6.4 (Realtek RSDK-4.6.4 Build 2080) ) #10 Tue Apr 28 14:03:14 CST 2020
CPU revision is: 0000cd01

Please press Enter to activate this console. Tuya Gateway Application Normal Srart /tuya/tuya_start.sh UserAppRunDir:
set defult run_dir:/tuya
TY_ENV_APP_RUN_DIR=/tuya
get user cfg file error, load defult cfg file
load platform configure file:/tuya/def.cfg
start.conf is exist
udhcpc (v1.13.4) started
current run dir:/tuya/tuya_user2
tuya_start_children.sh:UserAppRunDir:/tuya JsonFile Path:/tuya/def.cfg
Sending discover…

How could I unlock the keyboard?

P.S. I guess it may be possible UART one of the art connectors is not properly soldered but I can’t see it. It’s too small for me.

bool2 · January 30, 2021, 10:00am

Console RX isn’t locked so sounds like a hardware issue.

Check connections.
Check that your serial port program doesn’t have hardware flow control enabled.

Simulacra · January 30, 2021, 10:46am

Flow control is None
I suspect Rx connector on the board.
I can’t see small details. Tried to resolder it.
If I put out GND and leave Rx and Tx + USB, the Tx still able to send signals. With errors but however. So, Rx is linked.

Simulacra · January 30, 2021, 11:46am

Changed UART/USB connector. Able to see <Realtek prompt now

Simulacra · January 30, 2021, 11:49am

So, As I guess, now I must make a dump of firmware to be able to replace root password. How can I do that?

P.S.
Found some docs here. But still need assistance.
https://openwrt.org/docs/techref/bootloader/realtek

P.P.S. Not sure is it useful

Besides the functions of the gateway networking SDK, the extended functions are as follows:

There are a large number of Zigbee sub-devices on the market, and Tuya Zigbee gateway cannot be compatible with Zigbee sub-devices of all manufacturers. Extended functions allow you to integrate third-party Zigbee sub-devices that are not compatible with the Tuya ecosystem.

Extended functions allow you to develop multi-protocol convergence gateways, such as Zigbee + 443, Zigbee + Z-Wave, and other multi-protocol combinations, and connect non-Zigbee protocol sub-devices to Tuya Cloud.

Extended functions allow you to develop multi-functional gateways to connect to peripherals such as night lights, siren alarms, and achieve multiple smart scenarios with sensors.

bool2 · January 30, 2021, 1:02pm

I made it easier for you.

Simulacra · January 30, 2021, 1:23pm

Cool. I’ll try it as soon as I can.
Thanks a lot!

Simulacra · January 30, 2021, 2:15pm

That looks weird
like b’C\xb6…

bool2 · January 30, 2021, 3:37pm

I think it should be a random string of letters and numbers… but no “\x” in it. On my device, the value is encrypted with an encoded key that comes from the SPI at address 0x401800. On mine the raw key looks like this:

<RealTek>FLR 80000000 401800 18                                   
Flash read from 00401800 to 80000000 with 00000018 bytes	?
(Y)es , (N)o ? --> y                                             
Flash Read Successed!
<RealTek>db 80000000 18 
 [Addr]   .0 .1 .2 .3 .4 .5 .6 .7 .8 .9 .A .B .C .D .E .F
80000000: 10 10 7e 7e 7e 7e 7e 7e 7e 7e 7e 7e 7e 7e 7e 7e     ..~~~~~~~~~~~~~~
80000010: 7e 7e                                               ~~

What does the above show on yours?

Sthope · January 30, 2021, 3:39pm

Script above has incorrect FLR command it says FLR 80000000 402002 32 instead of FLR 80000000 401800 18

bool2 · January 30, 2021, 3:41pm

They’re different things. The key at 0x402002 is itself encrypted with the key at 0x401800. Security through obscurity! The above script assumes your key is 16 “~”'s like it was on my device. If not then there’s a little more work to do!

Sthope · January 30, 2021, 3:46pm

My raw key:

<RealTek>FLR 80000000 401800 18
Flash read from 00401800 to 80000000 with 00000018 bytes        ?
(Y)es , (N)o ? --> y
Flash Read Successed!
<RealTek>db 80000000 18
 [Addr]   .0 .1 .2 .3 .4 .5 .6 .7 .8 .9 .A .B .C .D .E .F
80000000: 10 10 5d 4e 2d 51 39 57 36 72 3f 4e 60 30 66 57     ..]N-Q9W6r?N`0fW
80000010: 54 33                                               T3```

bool2 · January 30, 2021, 3:49pm

Ok, in the script change the “c” in

 AES.new(b"c"

to an exclamation mark “!” and try again.

Sthope · January 30, 2021, 3:50pm

jackpot

Simulacra · January 30, 2021, 4:09pm

<RealTek>FLR 80000000 401800 18
Flash read from 00401800 to 80000000 with 00000018 bytes        ?
(Y)es , (N)o ? --> y
Flash Read Successed!
<RealTek>80000000 18
Unknown command !
<RealTek>db 80000000 18
 [Addr]   .0 .1 .2 .3 .4 .5 .6 .7 .8 .9 .A .B .C .D .E .F
80000000: 10 10 45 30 69 72 69 6f 78 42 39 5a 60 5d 78 36    
80000010: 51 4e                                               QN
<RealTek>

simulacra@DESKTOP-EFF32PG:~$ python3 log.py
Encoded aus-key as hex string line 1>80000000: 10 10 45 30 69 72 69 6f 78 42 39 5a 60 5d 78 36
Encoded aus-key as hex string line 2>80000010: 51 4e
Traceback (most recent call last):
  File "log.py", line 38, in <module>
    auskey = cipher.decrypt(encoded_key)
  File "/usr/lib/python3/dist-packages/Crypto/Cipher/blockalgo.py", line 295, in decrypt
    return self._cipher.decrypt(ciphertext)
ValueError: Input strings must be a multiple of 16 in length
simulacra@DESKTOP-EFF32PG:~$