Hacking the Silvercrest (Lidl/Tuya) Smart Home Gateway

I guess you are referring to this page

It’s just a summary of what you need to do at point 1 and is described further down:

So you just need to execute something like

cat serialgateway.bin | ssh -p2333 [email protected] "cat >/tuya/serialgateway"

Thanks for the answer.
My mistake, I didn’t make the link between point 1 (Install …) and 1) the real program I need to download.
Points 2 and 3 I understood and those were no problem.

But I have still some questions about the execution of:
cat serialgateway.bin | ssh -p2333 [email protected] "cat >/tuya/serialgateway"

Do I need to connect an ethernet cable between my PC and the Lidl box, with the chance that the box contacts the cloud and changes the password, as I have read on this forum?
Do I have to change the IP address of the Lidl box with ifconfig to be in line with my network?

I think I’m missing something about the way this is working.

Some explanation will be appreciated.

I solved it.
This is what I did:

1. via serial console
   a. cp /tuya/ssh_monitor.sh /tuya/ssh_monitor.original.sh
   b. echo "#!/bin/sh" >/tuya/ssh_monitor.sh
   c. reboot
2. removed the WAN cable to be sure there is no internet connection
3. connected ethernet cable from LAN to box
4. changed IP address of box to my LAN
5. cat homeassistant/lidl/serialgateway.bin | ssh -p22 -oHostKeyAlgorithms=+ssh-dss  [email protected] "cat >/tuya/serialgateway"
6. connect to box with ssh -p22 -oHostKeyAlgorithms=+ssh-dss  [email protected]
7. execute the other updates.

Still to:
change the ip address of the box to my LAN permanently.
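An added example, not from any poster in this thread: steps 5 and 6 as a POSIX shell script that feeds the file to ssh by redirection (no cat pipe) and checks the copy by comparing SHA-256 digests on both ends, so a truncated transfer is noticed before the box is rebooted into it. The gateway address is a placeholder for the LAN address given to the box in step 4; "-p22 -oHostKeyAlgorithms=+ssh-dss" are the options from the post, the second being needed because the box's SSH server only offers a DSA host key, which current OpenSSH clients refuse by default. It assumes the box's busybox has sha256sum (substitute md5sum on both sides otherwise).

```shell
#!/bin/sh
# Added example: push a replacement serialgateway to the box and verify it.
# Not part of the thread. GW_HOST is a placeholder for the LAN address you
# assigned to the box in step 4 of the procedure above.
set -eu

GW_HOST="${GW_HOST:-<gateway-ip>}"     # placeholder, replace with your box's address
GW_PORT="${GW_PORT:-22}"               # port used in the post
REMOTE_PATH="/tuya/serialgateway"      # target path from the post
# Host-key option from the post: the box only offers an ssh-dss host key.
SSH_OPTS="-p$GW_PORT -oHostKeyAlgorithms=+ssh-dss"

# Print the SHA-256 digest (hex, first field only) of a local file.
digest_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 -r "$1" | cut -d' ' -f1
    fi
}

# Succeed only when two digest strings are non-empty and identical.
digests_match() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# Copy LOCAL_FILE to REMOTE_PATH on the box by redirection, then compare the
# digest reported by the box with the local one. Assumes the box's busybox
# provides sha256sum; use md5sum on both sides if it does not.
push_serialgateway() {
    local_file="$1"
    want="$(digest_of "$local_file")"
    # shellcheck disable=SC2086  # SSH_OPTS is meant to split into words
    ssh $SSH_OPTS "root@$GW_HOST" "cat >$REMOTE_PATH" <"$local_file"
    # shellcheck disable=SC2086
    got="$(ssh $SSH_OPTS "root@$GW_HOST" "sha256sum $REMOTE_PATH" | cut -d' ' -f1)"
    if digests_match "$want" "$got"; then
        echo "ok: $REMOTE_PATH matches $local_file ($want)"
    else
        echo "MISMATCH: local $want, remote $got" >&2
        return 1
    fi
}

# Usage: GW_HOST=192.168.x.y sh push-serialgateway.sh homeassistant/lidl/serialgateway.bin
if [ "$#" -ge 1 ]; then
    push_serialgateway "$1"
fi
```

Because +ssh-dss is enabled only for these two invocations, the rest of your ssh configuration keeps its defaults; the box's host key is still recorded in known_hosts on first contact, so a later change of key will be flagged like any other host.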

This is a so-called “useless use of cat”. I know you didn’t write it, just wanting to share it.


Which one did you use to get it working? I also don’t get a prompt while pressing ESC several times during boot.
I use an FTDI32 device

Should I be able to use a Tuya smart zigbee actuator in this way too? How to pair a Tuya Smart ZigBee Radiator actuator using a hacked Lidl Silvercrest gateway?

The date command returns a wrong date, presumably because NTP is not being run. As such I think the hack needs to be modified. There is an ntpclient on the device.

# date
Fri Jan  9 21:36:53 UTC 1970
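An added example, not from the thread, of the change suggested here: a POSIX shell fragment that treats any time before a fixed floor as the unset 1970 clock and only then calls the device's ntpclient. The floor epoch (1600000000, September 2020, after the April 2020 firmware build date shown in the boot log further down this thread) and the NTP server name are choices made here, and the ntpclient flags assume the common ntpclient by Larry Doolittle (-s sets the clock, -c is the query count, -h the server); run ntpclient without arguments on the box to confirm its usage. A sane clock matters beyond cosmetics: log timestamps, TLS certificate validity checks and anything that compares times are wrong until it is set.

```shell
#!/bin/sh
# Added example (not from the thread): refuse to trust the box's clock while it
# still reads 1970, and pull the time with the ntpclient binary the post mentions.
# Assumptions: ntpclient takes -s (set clock), -c (count), -h (host); the NTP
# server and CLOCK_FLOOR are values chosen for this example.

NTP_SERVER="${NTP_SERVER:-pool.ntp.org}"   # assumption: any reachable NTP server
# Any time before this epoch (2020-09-13) cannot be right on this device, whose
# firmware was built in April 2020.
CLOCK_FLOOR=1600000000

# Return 0 when EPOCH (seconds since 1970) is at or after CLOCK_FLOOR.
clock_is_sane() {
    epoch="$1"
    case "$epoch" in
        ''|*[!0-9]*) return 1 ;;   # empty or not a number at all
    esac
    [ "$epoch" -ge "$CLOCK_FLOOR" ]
}

# Epoch of the date printed in the post, "Fri Jan  9 21:36:53 UTC 1970":
# 8 full days plus 21:36:53, i.e. 769013 seconds after boot-time zero.
epoch_of_post_output() {
    echo $(( 8*86400 + 21*3600 + 36*60 + 53 ))
}

# Sync only when needed; retry a few times because the WAN may not be up yet
# when the startup script runs.
sync_clock_if_needed() {
    if clock_is_sane "$(date +%s)"; then
        return 0
    fi
    n=0
    while [ "$n" -lt 5 ]; do
        if ntpclient -s -c 1 -h "$NTP_SERVER" >/dev/null 2>&1 \
           && clock_is_sane "$(date +%s)"; then
            return 0
        fi
        n=$((n + 1))
        sleep 10
    done
    echo "clock still not sane after retries; leaving it alone" >&2
    return 1
}
```

Source this from whichever startup script the hack installs on the box and call sync_clock_if_needed after the network is up and before serialgateway starts, so the first log lines already carry a real timestamp.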

Hi! I managed to solder pins on board and get everything set up. Only thing missing is that I can’t get openHAB to see the device. I followed these instructions: Hacking the Lidl Silvercrest ZigBee Gateway: A Step-by-Step Tutorial - Tutorials & Examples - openHAB Community. I used socat and I can see the tty device created and it links to /dev/pts/1 which has correct user/group. I tried with minicom to use that port as openhab user and saw traffic with wireshark so socat works. OpenHAB has these in the logs:
2022-02-23 18:09:44.677 [ERROR] [zigbee.dongle.ember.ZigBeeDongleEzsp] - EZSP Dongle: Unable to open serial port.

I don’t see any traffic with wireshark when openHAB tries so it probably can’t open the port? BTW openhab I’m using is v3.2.0 on AlmaLinux 8.5. Has anyone else seen this problem?

Just in case someone else runs into this. The problem was the permissions of the AlmaLinux /var/run/lock directory. Only root could write locks there. I changed the group of the directory to lock (rpm had already added the openhab user to that group) and gave the group write access. After that I got ONLINE status. Sorry for the noise.
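An added example, not from the thread, for narrowing down the “Unable to open serial port” error before touching socat or the gateway: a POSIX shell probe that tries to take and release a UUCP-style lock file in the lock directory as the calling user. It assumes the serial library openHAB uses creates lock files named LCK..<device> in the lock directory (/var/run/lock on the AlmaLinux box in the post); run it as the openhab user with the name of the link socat creates.

```shell
#!/bin/sh
# Added example (not from the thread): check that the lock directory the serial
# stack needs is usable by the current user. Assumption: lock files are
# UUCP-style, named LCK..<device>, created in LOCK_DIR.

LOCK_DIR="${LOCK_DIR:-/var/run/lock}"   # path from the post on AlmaLinux

# Try to create and remove a lock file for DEVICE (e.g. ttyZigbee) in DIR.
# Returns 0 when the calling user can take the lock, 1 otherwise, with the
# reason on stderr.
probe_lock_dir() {
    dir="$1"
    dev="$2"
    lock="$dir/LCK..$dev"
    if [ ! -d "$dir" ]; then
        echo "no such directory: $dir" >&2
        return 1
    fi
    if [ -e "$lock" ]; then
        # A stale lock from a crashed process looks the same as a held one.
        echo "lock already present: $lock (contents: $(cat "$lock" 2>/dev/null))" >&2
        return 1
    fi
    if ( : >"$lock" ) 2>/dev/null; then
        rm -f "$lock"
        return 0
    fi
    echo "cannot create $lock as $(id -un); check owner/group/mode of $dir:" >&2
    ls -ld "$dir" >&2
    return 1
}

# Usage: sudo -u openhab sh probe-lock.sh ttyZigbee
if [ "$#" -ge 1 ]; then
    if probe_lock_dir "$LOCK_DIR" "$1"; then
        echo "ok: $(id -un) can lock $1 in $LOCK_DIR"
    fi
fi
```

A failure with “cannot create” points at exactly the group/mode problem fixed above; a leftover LCK.. file from an earlier process that died is the other common cause of the same openHAB error.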

Got 2 MOES-like gateways modified… not without a struggle, btw:

  • Advice is to connect your network cable when trying to log in via a serial or ssh connection. The unit will try to retrieve an IP address via DHCPD, which disturbs your login procedure.
  • If your password does not decrypt, make sure to remove the spaces in between. That helped me.

I seem to have an updated debugtool

./debugtool


Build time: Jan 20 2021 15:53:17
Support cmd:
0: get net info.
1: update zigbee coo.
2: plugin counters printf.
3: set tx radio power.
4: start RF test mode.
5: stop RF test.
6: install code.
7: create a specified zigbee network.
8: set max deveice cnt.
9: replace ncp mac.
a: fault replace.
b: get device short addr.
c: ncp recovery.
q/Q: quit debug.


******Input cmd:7

Input channel:
eg(decimal): 11 - 26
22

Input TxPower:
eg(decimal): 0 - 19
19
Set channel :22, TxPower: 19

Maybe no script is needed anymore to update power/channel

But I first left the channel as described

bellows -d socket://192.168.1.29:8888 leave

And when I tried to switch channels via (bellows-venv) installed on a PI4 (not my home assistant machine),

(bellows-venv) root@PI4:~# bellows -d socket://192.168.1.29:8888 form -D /zigbee.db -c 22
Usage: bellows form [OPTIONS]
Try 'bellows form --help' for help.

Error: Invalid value for '-D' / '--database': File '/zigbee.db' does not exist.

root@PI4:~# bellows -d socket://192.168.1.29:8888 scan
Scanning channels 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26
[EmberZigbeeNetwork(channel=11, panId=0x0c84, extendedPanId=cc:cc:cc:cc:aa:a8:cc:84, allowingJoin=<Bool.false: 0>, stackProfile=2, nwkUpdateId=0), 68, -83]
(bellows-venv) root@PI4:~# bellows -d socket://192.168.1.29:8888 info
[5c:02:72:ff:xx:xx:xx:xx]
[0xfffe]
[<EmberNetworkStatus.NO_NETWORK: 0>]
[<EmberStatus.NOT_JOINED: 147>, <EmberNodeType.UNKNOWN_DEVICE: 0>, EmberNetworkParameters(extendedPanId=5f:2a:24:a3:xx:xx:xx:xx, panId=0xffff, radioTxPower=13, radioChannel=20, joinMethod=<EmberJoinMethod.USE_MAC_ASSOCIATION: 0>, nwkManagerId=0x0000, nwkUpdateId=0, channels=<Channels.ALL_CHANNELS: 134215680>)]
[<EmberStatus.NOT_JOINED: 147>, EmberCurrentSecurityState(bitmask=<EmberCurrentSecurityBitmask.32768|8192|4096|1024|256|64|8|GLOBAL_LINK_KEY|DISTRIBUTED_TRUST_CENTER_MODE|HIGH_SECURITY_MODE: 46415>, trustCenterLongAddress=00:09:00:00:00:01:00:00)]
Manufacturer:
Board name:
EmberZNet version: 6.7.8.0 build 373

Any idea what is happening and how this can be resolved?

Don’t forget before creating a new network to create a zigbee.db

touch zigbee.db
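An added example, not from either poster, that folds the two points above (create the database before running bellows form, and keep the channel inside the 11-26 range the debugtool prompt shows) into one POSIX shell wrapper around the bellows commands used in this thread. The socket address is the one from the posts; the bellows CLI is assumed to be on PATH (for example inside the bellows-venv), and the database is kept under the home directory rather than at the filesystem root.

```shell
#!/bin/sh
# Added example (not from the thread): wrapper around the bellows commands used
# above. Creates the database first and refuses an out-of-range channel.
# Assumes bellows is on PATH and the gateway listens at GW_DEV.
set -u

GW_DEV="${GW_DEV:-socket://192.168.1.29:8888}"   # address used in the posts
DB="${DB:-${HOME:-.}/zigbee.db}"                 # assumption: keep the db in $HOME, not /

# Zigbee 2.4 GHz channels are 11-26, the range the debugtool prompt asks for.
valid_channel() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 11 ] && [ "$1" -le 26 ]
}

# bellows form fails with "File ... does not exist" unless the db file exists.
ensure_db() {
    [ -e "$1" ] || : >"$1"
    [ -f "$1" ]
}

# Show neighbouring PANs first (the scan in the post found one on channel 11),
# so a channel already in use nearby can be avoided.
scan_networks() {
    bellows -d "$GW_DEV" scan
}

# Leave any current network, as the post did before forming a new one.
leave_network() {
    bellows -d "$GW_DEV" leave
}

form_network() {
    ch="$1"
    if ! valid_channel "$ch"; then
        echo "channel must be 11-26, got '$ch'" >&2
        return 1
    fi
    if ! ensure_db "$DB"; then
        echo "cannot create $DB" >&2
        return 1
    fi
    bellows -d "$GW_DEV" form -D "$DB" -c "$ch"
}

# Usage: sh bellows-form.sh 22   (scan and leave first if you want to)
if [ "$#" -ge 1 ]; then
    form_network "$1"
fi
```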


@bool2, are you ready for this challenge as well?

Is it possible to use zha and zigbee2mqtt at the same time? Or do you have to first disable the zha and then enable zigbee2mqtt?

Not possible. You have to pick one.

Do you know whether TuYa TV02-Zigbee control via MQTT | Zigbee2MQTT will work in the near future in Home Assistant via the hacked gateway discussed in this topic? It seems like such a waste of time to have to re-pair all devices in a hard-to-reach location.

Hello, I have been reading for a while but couldn’t get a solution to my problem (0 skills in programming).
Yesterday I managed to get the Realtek bootloader, and also got the KEK and AUSKEY. But whenever I put the last line in the Python script, the window just closed every time I pushed the ENTER button.

After that I read somewhere that when you have already connected it to the cloud (before the hack) you can’t just run the script for getting the root password…
So what should I do then?
Is there a good/easy tutorial for newbies/dummies like me?

(for info: I use putty for the serial monitor and the CH340 TTL- USB)

Thanks in advance!

TTY serial working but no joy getting KEK or AUSKEY

I’m pretty sure I’m chatting with the Lidl / Silvercrest gateway OK. If I let it boot, I see this:

Booting...

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@
@ chip__no chip__id mfr___id dev___id cap___id size_sft dev_size chipSize
@ 0000000h 0c84018h 00000c8h 0000040h 0000018h 0000000h 0000018h 1000000h
@ blk_size blk__cnt sec_size sec__cnt pageSize page_cnt chip_clk chipName
@ 0010000h 0000100h 0001000h 0001000h 0000100h 0000010h 000004eh GD25Q128
@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
DDR1:32MB
---RealTek(RTL8196E)at 2020.04.28-13:58+0800 v3.4T-pre2 [16bit](400MHz)
P0phymode=01, embedded phy
check_image_header  return_addr:05010000 bank_offset:00000000
no sys signature at 00010000!
P0phymode=01, embedded phy
---Ethernet init Okay!
tuya:start receive production test frame ...
Jump to image start=0x80c00000...
decompressing kernel:
Uncompressing Linux... done, booting the kernel.
done decompressing kernel.
start address: 0x80003780
Linux version 3.10.90 (dingsl@dingsl-pc) (gcc version 4.6.4 (Realtek RSDK-4.6.4 Build 2080) ) #10 Tue Apr 28 14:03:14 CST 2020
CPU revision is: 0000cd01
Determined physical RAM map:
 memory: 02000000 @ 00000000 (usable)
Zone ranges:
  Normal   [mem 0x00000000-0x01ffffff]
Movable zone start for each node
Early memory node ranges
  node   0: [mem 0x00000000-0x01ffffff]
icache: 16kB/16B, dcache: 8kB/16B, scache: 0kB/0B
Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 8128
Kernel command line:  console=ttyS0,38400 root=/dev/mtdblock2 
PID hash table entries: 128 (order: -3, 512 bytes)
Dentry cache hash table entries: 4096 (order: 2, 16384 bytes)
Inode-cache hash table entries: 2048 (order: 1, 8192 bytes)
Memory: 27700k/32768k available (2479k kernel code, 5068k reserved, 525k data, 192k init, 0k highmem)
SLUB: HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
NR_IRQS:128
console [ttyS0] enabled
Calibrating delay loop... 398.13 BogoMIPS (lpj=1990656)
pid_max: default: 4096 minimum: 301
Mount-cache hash table entries: 512

If I interrupt the bootloader with ESC I see this:

---RealTek(RTL8196E)at 2020.04.28-13:58+0800 v3.4T-pre2 [16bit](400MHz)
P0phymode=01, embedded phy
check_image_header  return_addr:05010000 bank_offset:00000000
no sys signature at 00010000!

---Escape booting by user
P0phymode=01, embedded phy

---Ethernet init Okay!
<RealTek>

When I enter ‘?’ at the prompt I see this:

<RealTek>?
------------------------ COMMAND MODE HELP ------------------------------
HELP (?)                            : Print this help message
DB <Address> <Len>
DW <Address> <Len>
EB <Address> <Value1> <Value2>...
EW <Address> <Value1> <Value2>...
CMP: CMP <dst><src><length>
IPCONFIG:<TargetAddress>
AUTOBURN: 0/1
LOADADDR: <Load Address>
J: Jump to <TargetAddress>
FLR: FLR <dst><src><length>
FLW <dst_ROM_offset><src_RAM_addr><length_Byte> <SPI cnt#>: Write offset-data to SPI from RAM
tftp <memoryaddress> <filename>
MDIOR:  MDIOR <phyid> <reg>
MDIOW:  MDIOW <phyid> <reg> <data>
PHYR: PHYR <PHYID><reg>
PHYW: PHYW <PHYID><reg><data>
PORT1: port 1 patch for FT2
<RealTek>

But when I enter:
FLR 80000000 401802 16
DW 80000000 4

all I get back is the <RealTek> prompt, no other output.

I’m probably making a basic / newbie mistake - but I’d appreciate a nudge in the right direction please?

I recommend everyone trying this hack to use the zigbee2mqtt integration instead of the ZHA (Home Assistant) integration, because it supports more devices. If that is ever changed, I configured my system such that I can quickly switch between the two technologies (it’s literally setting a flag and the configuration is automatically ported over). How sweet is that? :ok_hand:

FLR 80000000 401802 16 does one command, IIRC. And then DW 80000000 4 also does a command. The first command has no output, but just changes the internal state of the device.

I would type one command, press enter and then the other and press enter. That should work. If it doesn’t, I don’t know other than that perhaps you have a newer batch and it doesn’t work anymore or something like that.


Thanks, I did try that - but still no output :confused:


I’m experimenting with my reflashed Zigbee hub. My battery-powered Zigbee devices are being found, but are mostly stored as unknown/unknown manufacturer with no sensors defined. Again, not all, but most of them. Re-discovering these does not improve this. Mains-powered devices are not a problem.

Update: Switched to zigbee2mqtt and my issues are gone.