Hacking the Silvercrest (Lidl/Tuya) Smart Home Gateway

TTY serial working but no joy getting KEK or AUSKEY

I’m pretty sure I’m chatting with the Lidl / Silvercrest gateway OK. If I let it boot, I see this:

Booting...

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@
@ chip__no chip__id mfr___id dev___id cap___id size_sft dev_size chipSize
@ 0000000h 0c84018h 00000c8h 0000040h 0000018h 0000000h 0000018h 1000000h
@ blk_size blk__cnt sec_size sec__cnt pageSize page_cnt chip_clk chipName
@ 0010000h 0000100h 0001000h 0001000h 0000100h 0000010h 000004eh GD25Q128
@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

DDR1:32MB

---RealTek(RTL8196E)at 2020.04.28-13:58+0800 v3.4T-pre2 [16bit](400MHz)

P0phymode=01, embedded phy

check_image_header  return_addr:05010000 bank_offset:00000000

no sys signature at 00010000!

P0phymode=01, embedded phy

---Ethernet init Okay!

tuya:start receive production test frame ...

Jump to image start=0x80c00000...

decompressing kernel:
Uncompressing Linux... done, booting the kernel.
done decompressing kernel.
start address: 0x80003780
Linux version 3.10.90 (dingsl@dingsl-pc) (gcc version 4.6.4 (Realtek RSDK-4.6.4 Build 2080) ) #10 Tue Apr 28 14:03:14 CST 2020
CPU revision is: 0000cd01
Determined physical RAM map:
 memory: 02000000 @ 00000000 (usable)
Zone ranges:
  Normal   [mem 0x00000000-0x01ffffff]
Movable zone start for each node
Early memory node ranges
  node   0: [mem 0x00000000-0x01ffffff]
icache: 16kB/16B, dcache: 8kB/16B, scache: 0kB/0B
Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 8128
Kernel command line:  console=ttyS0,38400 root=/dev/mtdblock2 
PID hash table entries: 128 (order: -3, 512 bytes)
Dentry cache hash table entries: 4096 (order: 2, 16384 bytes)
Inode-cache hash table entries: 2048 (order: 1, 8192 bytes)
Memory: 27700k/32768k available (2479k kernel code, 5068k reserved, 525k data, 192k init, 0k highmem)
SLUB: HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
NR_IRQS:128
console [ttyS0] enabled
Calibrating delay loop... 398.13 BogoMIPS (lpj=1990656)
pid_max: default: 4096 minimum: 301
Mount-cache hash table entries: 512

If I interrupt the bootloader with ESC I see this:

---RealTek(RTL8196E)at 2020.04.28-13:58+0800 v3.4T-pre2 [16bit](400MHz)

P0phymode=01, embedded phy

check_image_header  return_addr:05010000 bank_offset:00000000

no sys signature at 00010000!

---Escape booting by user

P0phymode=01, embedded phy

---Ethernet init Okay!

<RealTek>

When I enter ‘?’ at the prompt I see this:

<RealTek>?

----------------- COMMAND MODE HELP -----------------
HELP (?)				    : Print this help message
DB <Address> <Len>
DW <Address> <Len>
EB <Address> <Value1> <Value2>...
EW <Address> <Value1> <Value2>...
CMP: CMP <dst><src><length>
IPCONFIG:<TargetAddress>
AUTOBURN: 0/1
LOADADDR: <Load Address>
J: Jump to <TargetAddress>
FLR: FLR <dst><src><length>
FLW <dst_ROM_offset><src_RAM_addr><length_Byte> <SPI cnt#>: Write offset-data to SPI from RAM
tftp <memoryaddress> <filename>
MDIOR:  MDIOR <phyid> <reg>
MDIOW:  MDIOW <phyid> <reg> <data>
PHYR: PHYR <PHYID><reg>
PHYW: PHYW <PHYID><reg><data>
PORT1: port 1 patch for FT2
<RealTek>

But when I enter:
FLR 80000000 401802 16
DW 80000000 4

all I get back is the <RealTek> prompt, no other output.

I’m probably making a basic / newbie mistake - but I’d appreciate a nudge in the right direction please?
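A sanity check worth running before poking at the bootloader, added here as an example and not part of the post above: parse the SPI flash banner the RTL8196E loader prints (the `@` table), and confirm that the `FLR` offset and length actually fall inside the chip it reports. The banner text is a constructed copy of the one in the post; treating the `FLR` arguments as hex (as the other arguments on the page are) is an assumption.

```python
import re

# Constructed copy of the "@" flash banner from the boot log above:
# a header row of field names, then a row of 'h'-suffixed hex values (or a name).
BANNER = """\
@ chip__no chip__id mfr___id dev___id cap___id size_sft dev_size chipSize
@ 0000000h 0c84018h 00000c8h 0000040h 0000018h 0000000h 0000018h 1000000h
@ blk_size blk__cnt sec_size sec__cnt pageSize page_cnt chip_clk chipName
@ 0010000h 0000100h 0001000h 0001000h 0000100h 0000010h 000004eh GD25Q128
"""


def parse_flash_banner(text: str) -> dict:
    """Pair each header row with the value row under it; 'nnnnnnnh' cells become ints."""
    rows = [ln[1:].split() for ln in text.splitlines()
            if ln.startswith("@") and ln[1:].strip()]
    info = {}
    for names, values in zip(rows[0::2], rows[1::2]):
        for name, cell in zip(names, values):
            info[name] = int(cell[:-1], 16) if re.fullmatch(r"[0-9a-f]+h", cell) else cell
    # Cross-check: dev_size is log2 of the chip size, so both fields must agree.
    if 1 << info["dev_size"] != info["chipSize"]:
        raise ValueError("banner is inconsistent: dev_size does not match chipSize")
    return info


def locate_flr(info: dict, rom_offset: int, length: int) -> dict:
    """Describe where an FLR <dst> <src> <len> read lands on the reported chip."""
    size = info["chipSize"]
    return {
        "chip": info["chipName"],
        "chip_size": size,
        "in_range": rom_offset + length <= size,
        "block": rom_offset // info["blk_size"],     # 64 KiB erase block index
        "sector": rom_offset // info["sec_size"],    # 4 KiB sector index
        "sector_offset": rom_offset % info["sec_size"],
    }


if __name__ == "__main__":
    flash = parse_flash_banner(BANNER)
    # The command from the post, arguments read as hex (assumption).
    print(locate_flr(flash, 0x401802, 0x16))
```

An out-of-range result would explain an empty read; an in-range one (as here, on a 16 MiB GD25Q128) means the address itself is not the problem and the loader's behaviour needs a closer look.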