Hacking the Silvercrest (Lidl/Tuya) Smart Home Gateway

Hello, I have been reading for a while but couldn't find a solution to my problem (0 skills in programming).
Yesterday I managed to get the Realtek bootloader, and also got the KEK and AUSKEY. But whenever I put the last line in the Python script, the window just closed every time I pressed the ENTER button.

After that I read somewhere that when you have already connected it to the cloud (before the hack) you can't just run the script to get the root password…
So what should I do then?
Is there a good/easy tutorial for newbies/dummies like me?

(For info: I use PuTTY for the serial monitor and a CH340 TTL-USB.)

Thanks in advance!

TTY serial working but no joy getting KEK or AUSKEY

I’m pretty sure I’m chatting with the Lidl / Silvercrest gateway OK. If I let it boot, I see this:

Booting...

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@
@ chip__no chip__id mfr___id dev___id cap___id size_sft dev_size chipSize
@ 0000000h 0c84018h 00000c8h 0000040h 0000018h 0000000h 0000018h 1000000h
@ blk_size blk__cnt sec_size sec__cnt pageSize page_cnt chip_clk chipName
@ 0010000h 0000100h 0001000h 0001000h 0000100h 0000010h 000004eh GD25Q128
@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
DDR1:32MB

---RealTek(RTL8196E)at 2020.04.28-13:58+0800 v3.4T-pre2 [16bit](400MHz)
P0phymode=01, embedded phy
check_image_header  return_addr:05010000 bank_offset:00000000
no sys signature at 00010000!
P0phymode=01, embedded phy

---Ethernet init Okay!

tuya:start receive production test frame ...

Jump to image start=0x80c00000...

decompressing kernel:
Uncompressing Linux... done, booting the kernel.
done decompressing kernel.
start address: 0x80003780
Linux version 3.10.90 (dingsl@dingsl-pc) (gcc version 4.6.4 (Realtek RSDK-4.6.4 Build 2080) ) #10 Tue Apr 28 14:03:14 CST 2020
CPU revision is: 0000cd01
Determined physical RAM map:
 memory: 02000000 @ 00000000 (usable)
Zone ranges:
  Normal   [mem 0x00000000-0x01ffffff]
Movable zone start for each node
Early memory node ranges
  node   0: [mem 0x00000000-0x01ffffff]
icache: 16kB/16B, dcache: 8kB/16B, scache: 0kB/0B
Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 8128
Kernel command line:  console=ttyS0,38400 root=/dev/mtdblock2 
PID hash table entries: 128 (order: -3, 512 bytes)
Dentry cache hash table entries: 4096 (order: 2, 16384 bytes)
Inode-cache hash table entries: 2048 (order: 1, 8192 bytes)
Memory: 27700k/32768k available (2479k kernel code, 5068k reserved, 525k data, 192k init, 0k highmem)
SLUB: HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
NR_IRQS:128
console [ttyS0] enabled
Calibrating delay loop... 398.13 BogoMIPS (lpj=1990656)
pid_max: default: 4096 minimum: 301
Mount-cache hash table entries: 512

If I interrupt the bootloader with ESC I see this:

---RealTek(RTL8196E)at 2020.04.28-13:58+0800 v3.4T-pre2 [16bit](400MHz)
P0phymode=01, embedded phy
check_image_header  return_addr:05010000 bank_offset:00000000
no sys signature at 00010000!

---Escape booting by user
P0phymode=01, embedded phy

---Ethernet init Okay!
<RealTek>

When I enter ‘?’ at the prompt I see this:

<RealTek>?
---------------- COMMAND MODE HELP --------------------------------
HELP (?)				    : Print this help message
DB <Address> <Len>
DW <Address> <Len>
EB <Address> <Value1> <Value2>...
EW <Address> <Value1> <Value2>...
CMP: CMP <dst><src><length>
IPCONFIG:<TargetAddress>
AUTOBURN: 0/1
LOADADDR: <Load Address>
J: Jump to <TargetAddress>
FLR: FLR <dst><src><length>
FLW <dst_ROM_offset><src_RAM_addr><length_Byte> <SPI cnt#>: Write offset-data to SPI from RAM
tftp <memoryaddress> <filename>
MDIOR:  MDIOR <phyid> <reg>
MDIOW:  MDIOW <phyid> <reg> <data>
PHYR: PHYR <PHYID><reg>
PHYW: PHYW <PHYID><reg><data>
PORT1: port 1 patch for FT2
<RealTek>

But when I enter:
FLR 80000000 401802 16
DW 80000000 4

all I get back is the <RealTek> prompt, no other output.

I’m probably making a basic / newbie mistake - but I’d appreciate a nudge in the right direction please?

I recommend everyone trying this hack to use the zigbee2mqtt integration instead of the ZHA (Home Assistant) integration, because it supports more devices. If that is ever changed, I configured my system such that I can quickly switch between the two technologies (it’s literally setting a flag and the configuration is automatically ported over). How sweet is that? :ok_hand:

FLR 80000000 401802 16 does one command, IIRC. And then DW 80000000 4 also does a command. The first command has no output, but just changes the internal state of the device.

I would type one command, press enter and then the other and press enter. That should work. If it doesn’t, I don’t know other than that perhaps you have a newer batch and it doesn’t work anymore or something like that.

1 Like

Thanks, I did try that - but still no output :confused:

1 Like

I'm experimenting with my reflashed Zigbee hub. My battery powered Zigbee devices are being found accordingly but are mainly stored as unknown/unknown manu with no sensors defined. Again, not all, but most of them. Re-discovering these does not improve this. Mains powered devices are not a problem.

Update: Switched to zigbee2mqtt and my issues are gone.

Hey, thanks for the heads up on that problem. I see a similar problem with my hub. I have found that if I put the battery powered devices fairly close by, but not right next to the router, that all is well and the pairing process works ok. I hadn’t noticed that the mains powered devices worked better, but you are right - they can pair from a much bigger distance.

Hi there,
I'm trying to get this Silvercrest hack working but I encounter some problems. Perhaps it's not that difficult, but I cannot get it working properly. I've been trying for a few days without success.
The first part, extracting the AUSKEY and root password, works. I also receive the default IP address (192.168.1.6) of the device.
Then comes the problem with flashing the gateway. First, I'm already stuck at accessing the gateway with an SSH command. I tried doing this with the CMD or Windows PowerShell, but got no response. Also, pinging the IP does not work, and it also does not show as a device in my router. But then I noticed that it says this could only be done with a Linux shell. So I installed a virtual Debian 11 machine on my PC but get the same problem. I only seem to get a "ssh: connect to host 192.168.1.6 port 22: Connection timed out" message.
If anyone can help point me in the right direction I would be thankful.

If you haven't already changed the SSH configuration on the gateway, then you'll have to force the port to connect to:

ssh -p 2333 [email protected]

Then to get back to the original SSH server on port 22:

echo "#!/bin/sh" >/tuya/ssh_monitor.sh

(back up the original file if you want to)

Hey everyone,

I bought the gateway today and want to start hacking it. I got the KEK and other codes from my device. But when I enter them in the Python script I get the following error:

‘ascii’ codec can’t decode byte 0x8e in position 2: ordinal not in range(128)

Anyone could help me with this?

Hello, has anybody tried the new Lidl GW SGWZ 1 A2? Do you know how it differs from the old model? Thank you. P.

Hello, I think I had a similar problem, which happened because I started the script under Python 2. Can you check that you are running the script under Python 3, not Python 2? If you are on a Linux machine you might need to execute python3 instead of python.

Just out of interest, but is there any hardware which is just as good that doesn’t require hacking? The problem with a hacked solution is that the supply chain is somewhat uncertain.

I am very pleased with the hardware, otherwise.

Dear Paul, thanks for your work!
Would it be possible to flash a Tuya firmware on this gateway?
I am asking this because I would like to trace the datapoints of unsupported Tuya zigbee devices and I do not have a Tuya zigbee gateway.
Thank you!

and with 2 coordinators?
1 for zha and the other for zigbee2mqtt?
Is that possible?

If you have 2 Zigbee coordinators then yes.

Note that there will be 2 different Zigbee mesh networks, so powered devices on one network would not be able to relay for endpoint devices on the other network. But yeah, devices from either network would all go into HA.

Are the Xiaomi Aqara devices (contact sensor, temperature, and smartplug) compatible with the hacked version of this device? I have seen people claim that these do not implement Zigbee correctly and that they are incompatible with some coordinators.

I’m not aware that a particular coordinator causes compatibility issues with individual devices, so you should find that they will work if they are supported by the zha integration (as opposed to zigbee2mqtt, which supports devices in a different way to zha).

I don’t have any of those devices myself to be able to tell you how well they work, so I can’t share any experience with you on that.

The hacked devices have the EZSP chip, and the fact that they have been hacked doesn't really make any difference compared to any other EZSP device. However, I have observed that the EZSP implementation seems to have some problems with pairing, especially if the device is battery powered and closer to another router than the coordinator while doing the pairing. Once things are paired, I haven't noticed any further problems caused by the coordinator.

Exactly! I'm glad to hear that I'm not alone with the same issues with pairing battery devices.

Hi,

I just bought a TYGWZ1 from Amazon. I opened it and it's Rev 1.0.2. I can connect to it via serial and I can also stop it in the bootloader. But when I enter the commands I just get FFFFFFFF.

Here’s the complete Output:

Booting...

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@
@ chip__no chip__id mfr___id dev___id cap___id size_sft dev_size chipSize
@ 0000000h 0c84018h 00000c8h 0000040h 0000018h 0000000h 0000018h 1000000h
@ blk_size blk__cnt sec_size sec__cnt pageSize page_cnt chip_clk chipName
@ 0010000h 0000100h 0001000h 0001000h 0000100h 0000010h 000004eh GD25Q128
@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
DDR1:32MB

---RealTek(RTL8196E)at 2019.01.23-17:03+0800 v3.4T-pre2 [16bit](400MHz)
P0phymode=01, embedded phy
check_image_header  return_addr:05010000 bank_offset:00000000
no sys signature at 00010000!

---Escape booting by user
P0phymode=01, embedded phy

---Ethernet init Okay!
<RealTek>LR 80000000 401802 16
Unknown command !
<RealTek> FLR 80000000 401802 16
Unknown command !
<RealTek>FLR 80000000 401802 16
Flash read from 00401802 to 80000000 with 00000016 bytes        ?
(Y)es , (N)o ? --> y
Flash Read Successed!
<RealTek>dw 80000000 4
80000000:       FFFFFFFF        FFFFFFFF        FFFFFFFF        FFFFFFFF
<RealTek>FLR 80000000 402002 32
Flash read from 00402002 to 80000000 with 00000032 bytes        ?
(Y)es , (N)o ? --> y
Flash Read Successed!
<RealTek>dw 80000000 8
80000000:       FFFFFFFF        FFFFFFFF        FFFFFFFF        FFFFFFFF
80000010:       FFFFFFFF        FFFFFFFF        FFFFFFFF        FFFFFFFF
<RealTek>

What am I doing wrong?

Greets
Daniel

2 Likes
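As an added example (not from any post in this thread, nor from the gateway's bootloader or any project the thread refers to): a small Python helper that parses a captured <RealTek> console session like the ones posted above, pulls the FLR confirmation lines and the DW word rows into byte buffers, and reports whether each dumped region reads back as all 0xFF. The session strings below are constructed from the output shown in the thread; the big-endian word order is an assumption about the RTL8196E and does not affect the all-0xFF check.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the <RealTek> console exchange as it appears in the thread,
# read here from a string instead of the live serial port.
SAMPLE_SESSION = """\
<RealTek>FLR 80000000 401802 16
Flash read from 00401802 to 80000000 with 00000016 bytes        ?
(Y)es , (N)o ? --> y
Flash Read Successed!
<RealTek>dw 80000000 4
80000000:       FFFFFFFF        FFFFFFFF        FFFFFFFF        FFFFFFFF
<RealTek>FLR 80000000 402002 32
Flash read from 00402002 to 80000000 with 00000032 bytes        ?
(Y)es , (N)o ? --> y
Flash Read Successed!
<RealTek>dw 80000000 8
80000000:       FFFFFFFF        FFFFFFFF        FFFFFFFF        FFFFFFFF
80000010:       FFFFFFFF        FFFFFFFF        FFFFFFFF        FFFFFFFF
<RealTek>
"""

# Constructed sample with non-blank content, to show the contrast.
SAMPLE_PROGRAMMED = """\
<RealTek>dw 80000000 2
80000000:       DEADBEEF        00000001
<RealTek>
"""

PROMPT = "<RealTek>"
# One DW output row: "<addr>:  <word> <word> ..." with 8 hex digits per field.
DW_ROW = re.compile(r"^([0-9A-Fa-f]{8}):\s+((?:[0-9A-Fa-f]{8}\s*)+)$")
# The confirmation line the bootloader prints for FLR <dst> <src> <len>.
FLR_ROW = re.compile(
    r"^Flash read from ([0-9A-Fa-f]{8}) to ([0-9A-Fa-f]{8}) with ([0-9A-Fa-f]{8}) bytes"
)


def parse_flr_reads(session: str) -> List[Tuple[int, int, int]]:
    """Return (flash_offset, ram_address, length) for every FLR confirmation line."""
    reads = []
    for line in session.splitlines():
        m = FLR_ROW.match(line.strip())
        if m:
            reads.append(tuple(int(g, 16) for g in m.groups()))
    return reads


def join_rows(rows: List[Tuple[int, bytes]]) -> bytes:
    """Concatenate the rows of one DW dump, refusing gaps or overlaps between rows."""
    buf = bytearray()
    expected = None
    for addr, data in sorted(rows):
        if expected is not None and addr != expected:
            raise ValueError(f"row at {addr:08X} is not contiguous with {expected:08X}")
        buf += data
        expected = addr + len(data)
    return bytes(buf)


def parse_dumps(session: str) -> List[bytes]:
    """Split the session at each DW command and return one byte buffer per dump.

    Words are converted big-endian (assumption about the RTL8196E's byte order).
    """
    dumps: List[List[Tuple[int, bytes]]] = []
    current = None
    for raw in session.splitlines():
        line = raw.strip()
        if line.startswith(PROMPT):
            cmd = line[len(PROMPT):].strip().lower()
            current = [] if cmd.startswith("dw ") else None
            if current is not None:
                dumps.append(current)
            continue
        m = DW_ROW.match(line)
        if m and current is not None:
            addr = int(m.group(1), 16)
            data = b"".join(int(w, 16).to_bytes(4, "big") for w in m.group(2).split())
            current.append((addr, data))
    return [join_rows(rows) for rows in dumps]


def is_erased(data: bytes) -> bool:
    """True when every byte reads 0xFF, i.e. the region looks blank rather than programmed."""
    return len(data) > 0 and all(b == 0xFF for b in data)


def summarize(session: str) -> Dict[str, object]:
    """Summarize a captured session: FLR reads, dump sizes, and which dumps are all 0xFF."""
    dumps = parse_dumps(session)
    return {
        "flr_reads": parse_flr_reads(session),
        "dump_sizes": [len(d) for d in dumps],
        "all_erased": [is_erased(d) for d in dumps],
    }


if __name__ == "__main__":
    for name, text in (("erased", SAMPLE_SESSION), ("programmed", SAMPLE_PROGRAMMED)):
        print(name, summarize(text))
```

Feed it the text you saved from PuTTY (or any terminal log of the session); a dump whose `all_erased` entry is True is a region that read back entirely as 0xFF, which is how a blank or unprogrammed flash area presents, so you can tell that case apart from a region that holds real data before spending more time on the same offsets.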