Hacking the Silvercrest (Lidl/Tuya) Smart Home Gateway

Hello
My first Lidl gateway was dead, so I bought another used one. This time I managed to interrupt the boot and enter the busybox!!
But I'm stuck now trying to get the root password!! I run the python script (python 3 installed!) and after entering the "auskey" I get this error message:
"UnicodeDecodeError: 'ascii' codec can't decode byte 0xe6 in position 0: ordinal not in range(128)"
I searched everywhere, including in the 430 messages of this topic, but found nothing!!
I ran the python script on different machines (Debian, Ubuntu with PuTTY and Windows with PowerShell) but I still get this message.
I modified the script: "utf-8" instead of "ascii", without success! It works in Latin-1!! But the characters are useless!
Sorry to bother you with this, but if anyone has any idea I'll take it!!
And sorry for my English!!
Thank you

My mistake, I apologize: I did something wrong when I copy/pasted the instructions!!! I managed to decode the root password!
:innocent: :innocent:

Hello
Does this command sound ok?
#!/bin/sh
Should it not be !/bin/sh?
I took it from the website I follow to hack the LIDL gateway.
Can somebody explain what this command does exactly?
Thanks

Hello
I have the following error in the PuTTY serial communication:
/tuya/tuya_start.sh: line 9: /tuya/serialgateway: Permission denied
Is it linked to
-rw-r--r-- 1 root 0 69485 Jan 1 00:20 serialgateway
Shall I change something with the chmod command on the serialgateway directory?

Hi Paul
Thanks for all the sharing on freeing up this gateway.
I have this value for the serialgateway.bin I downloaded:
4bb59358e6db08192e8aeda3f8d0e646 serialgateway.bin
It does not match the value in the post at all.
Is this value correct … I guess not.
I downloaded the file through WSL.
Thanks for your reply.

I have success with a locked bootloader, with no ESC enabled. I unsoldered the flash memory from the TUYA-ZHUB, read it and saved the full flash to a file using a CH341A programmer. I cut the rootfs from address 0x00200000 with length 0x200000 (to address 0x00400000) using HexEdit and saved it to the file rootfs.bin. Using the instructions from Hacking the Silvercrest (Lidl) Smart Home Gateway - PaulBanks.Org I changed the symlink to a file with a known password and recreated the squashfs. In the hex editor I pasted the new newroot.bin partition at address 0x00200000 of the full flash, reflashed the memory IC, soldered it back to the ZHUB and have root access in the serial terminal. After that I started the internal ssh server with the command /tuya/tuyadropbear -p 22.
Using these instructions Cloud-free integration with Home Assistant - PaulBanks.Org I have a working coordinator and connected it to zigbee2mqtt.

Try chmod +x /tuya/serialgateway

In step 2 on "Cloud-free integration with Home Assistant - PaulBanks.Org" I made a copy-paste error resulting in the loss of the original /tuya/tuya_start.sh on my 2nd edition Lidl gateway (the one with the rounded edges and ESC-enabled bootloader). Can someone please post the content of their /tuya/tuya_start.original.sh (if it does not contain unique identifying data)?

Here is my original /tuya/tuya_start.sh (from a “compatible” device) :smiley:

#!/bin/sh
#Usage: sh tuya_start.sh UserAppRunDir
#=======================================================================
DEFULT_APP_RUN_DIR=/tuya
TY_START_CHILDREN_SHELL=tuya_start_children.sh
def_jsonvalue_NULL="defaultValue"

#echo "Tuya Gateway Application Normal Srart $0 UserAppRunDir:${1} JsonFile Path:${2}"
echo "Tuya Gateway Application Normal Srart $0 UserAppRunDir:${1}"
#set app run dir
app_run_dir=$DEFULT_APP_RUN_DIR

if [ -d "$1" ];then
        app_run_dir=${1%*/}
        echo "set run_dir:${app_run_dir}"
elif [ -n "$TY_ENV_APP_RUN_DIR" ];then
        app_run_dir=$TY_ENV_APP_RUN_DIR
        echo "find old TY_ENV_APP_RUN_DIR:${app_run_dir}"
else
        echo "set defult run_dir:${DEFULT_APP_RUN_DIR}"
fi
export TY_ENV_APP_RUN_DIR=$app_run_dir
LD_LIBRARY_PATH=$app_run_dir:$LD_LIBRARY_PATH
export LD_LIBRARY_PATH
echo "TY_ENV_APP_RUN_DIR=${app_run_dir}"
UserAppRunDir=$app_run_dir
JSON_PARSER_SH=${UserAppRunDir}/json_parser.sh

#load platform configure file
DEFULT_PLATFORM_CFG_FILE=${app_run_dir}/def.cfg
user_cfg_file=$DEFULT_PLATFORM_CFG_FILE
if [ -f "$DEFULT_PLATFORM_CFG_FILE" ];then
        #get user cfg file path
        jsonkey_USER_CFG_FILE="user_cfg_file"
        jsonvalue_USER_CFG_FILE=`sh ${JSON_PARSER_SH} ${DEFULT_PLATFORM_CFG_FILE} ${jsonkey_USER_CFG_FILE} | sed 's/\"//g'`
        if [ "$jsonvalue_USER_CFG_FILE" = "$def_jsonvalue_NULL" ] || [ ! -f "$jsonvalue_USER_CFG_FILE" ] ;then
                echo "get user cfg file error, load defult cfg file"
                user_cfg_file=$DEFULT_PLATFORM_CFG_FILE
        else
                echo "get user cfg file success."
                user_cfg_file=$jsonvalue_USER_CFG_FILE
        fi
else
        echo "defult cfg does not exist."
        exit 0
fi
echo "load platform configure file:${user_cfg_file}"
export TY_ENV_USER_CFG_FILE=$user_cfg_file
#sh $TY_PLATFORM_CFG_PARSER_SHELL $app_run_dir $user_cfg_file
JsonFile=$user_cfg_file

#tmp_dir
jsonkey_USER_TMP_DIR="tmp_dir"
def_jsonvalue_USER_TMP_DIR="/tmp"
jsonvalue_USER_TMP_DIR=`sh ${JSON_PARSER_SH} ${JsonFile} ${jsonkey_USER_TMP_DIR} | sed 's/\"//g'`
if [ "$jsonvalue_USER_TMP_DIR" == "$def_jsonvalue_NULL" ];then
    jsonvalue_USER_TMP_DIR=$def_jsonvalue_USER_TMP_DIR
fi
export TY_ENV_USER_TMP_DIR=${jsonvalue_USER_TMP_DIR%*/}

#platform
jsonkey_PLATFORM="platform"
def_jsonvalue_PLATFORM="RTL8196E"
jsonvalue_PLATFORM=`sh ${JSON_PARSER_SH} ${JsonFile} ${jsonkey_PLATFORM} | sed 's/\"//g'`
if [ "$jsonvalue_PLATFORM" == "$def_jsonvalue_NULL" ];then
    jsonvalue_PLATFORM=$def_jsonvalue_PLATFORM
fi
export TY_ENV_PLATFORM=${jsonvalue_PLATFORM}

#wan_interface
jsonkey_WAN_IF_NAME="wan_interface"
def_jsonvalue_WAN_IF_NAME="eth1"
jsonvalue_WAN_IF_NAME=`sh ${JSON_PARSER_SH} ${JsonFile} ${jsonkey_WAN_IF_NAME} | sed 's/\"//g'`
if [ "$jsonvalue_WAN_IF_NAME" == "$def_jsonvalue_NULL" ];then
    jsonvalue_WAN_IF_NAME=$def_jsonvalue_WAN_IF_NAME
fi
export TY_ENV_WAN_IF_NAME=$jsonvalue_WAN_IF_NAME

app_fold1=${app_run_dir}/tuya_user1
app_fold2=${app_run_dir}/tuya_user2
user_path=${app_fold1}

#restart dhcp
killall -9 udhcpc
echo 4 > /proc/sys/net/ipv4/tcp_syn_retries
killall udhcpc
udhcpc -i ${TY_ENV_WAN_IF_NAME} -s ${app_run_dir}/udhcpc.script -p /var/run/udhcpc0.pid & ## needs to be modified

#create user_tmp dir
if [ ! -d "$TY_ENV_USER_TMP_DIR" ]; then
        mkdir -p "$TY_ENV_USER_TMP_DIR"
fi

default() {
        echo "Into default funtion"
        user_path=$app_fold1
        if [ ! -d $user_path ];then
                echo "Error: no run dir:${user_path}"
                user_path=$app_fold2
                if [ ! -d $user_path ];then
                        echo "Error: no run dir:${user_path}"
                        exit 0
                else
                        echo "tuya_start_dir=${user_path}" > ${app_run_dir}/start.conf
                fi
        else
                echo "tuya_start_dir=${user_path}" > ${app_run_dir}/start.conf
        fi
}

cd $app_run_dir
if [ ! -r "$app_run_dir" ]; then
    echo "dir:${app_run_dir} error"
        exit -1
fi

if [ ! -w "$app_run_dir" ]; then
    echo "dir:${app_run_dir} read only!"
else
        if [ -s start.conf ];then
                echo "start.conf is exist"
                user_path=`cat start.conf | grep tuya_start_dir | cut -d "=" -f 2`
        else
                echo "start.conf is not exist"
                user_path=/tytest123
        fi

        if [ ! -d $user_path ];then
                echo "$user_path is not exist"
                default
        else
                if [ "$user_path" != "$app_fold1" ] && [ "$user_path" != "$app_fold2" ];then
                        echo "$user_path error."
                        default
                fi
        fi
fi

echo "current run dir:$user_path"
cd $user_path
./$TY_START_CHILDREN_SHELL $app_run_dir $user_cfg_file &

@ur5dco,

I’ve mainly followed this part of the blog article: Hacking the Silvercrest (Lidl) Smart Home Gateway - PaulBanks.Org

Since I cannot use the "ESC key trick" I changed the first step by unsoldering the flash ROM and dumping it from the EPROM.

So I mainly:

  • carefully unsoldered (with hot air) the flash EPROM
  • dumped it with my TL866II+ (by selecting the right flash [GD25Q127]) and the right adapter.
  • within the TL866 tool, extracted the rootfs "partition" from offset 0x20000 to 0x400000 to rootfs.bin

Then followed the blog article:

  • under Linux, ran unsquashfs rootfs.bin to extract ALL files from the rootfs
  • replaced the /etc/passwd file
  • recreated the "complete file": mksquashfs squashfs-root newroot.sqfs -comp xz -noappend
  • used the python script (https://paulbanks.org/download/files/lidl-zigbee/rootfs_tool.py) to recalculate the squashfs's header

Then went back to the TL866II tool to update the EPROM:

  • I replaced the "segment" at offset 0x20000 with my new newroot.sqfs file
  • finally, carefully soldered the EPROM back

Hope it helps.
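Added example (not from the blog or from any post in this thread): a small Python helper for the carve-and-splice step described in this post and in the unsoldered-flash post above, with an md5 to compare against md5sum/certutil after any copy (the corruption several posts below ran into). The default 0x200000 offset and length follow the earlier post; the layout of your own dump is an assumption you must verify before writing anything back.

```python
import hashlib
import struct

# Partition layout stated in the earlier post (an assumption: verify it
# against your own dump before writing anything back to the chip).
ROOTFS_OFFSET = 0x200000
ROOTFS_LEN = 0x200000
SQUASHFS_MAGIC = b"hsqs"   # little-endian squashfs superblock magic
ERASED = b"\xff"           # erased NOR flash reads back as 0xFF


def squashfs_bytes_used(image: bytes) -> int:
    """bytes_used field (u64 at offset 40) of a squashfs v4 superblock."""
    return struct.unpack_from("<Q", image, 40)[0]


def carve(flash: bytes, offset: int = ROOTFS_OFFSET, length: int = ROOTFS_LEN) -> bytes:
    """Cut the rootfs partition out of a full flash dump, sanity-checking it."""
    if offset + length > len(flash):
        raise ValueError("partition 0x%x+0x%x runs past the dump" % (offset, length))
    part = flash[offset:offset + length]
    if part[:4] != SQUASHFS_MAGIC:
        raise ValueError("no squashfs superblock at 0x%x" % offset)
    if squashfs_bytes_used(part) > length:
        raise ValueError("superblock claims more bytes than the partition holds")
    return part


def splice(flash: bytes, new_rootfs: bytes, offset: int = ROOTFS_OFFSET,
           length: int = ROOTFS_LEN) -> bytes:
    """Put a rebuilt rootfs into the partition, padded with 0xFF to its full length."""
    if new_rootfs[:4] != SQUASHFS_MAGIC:
        raise ValueError("new image is not a squashfs")
    if len(new_rootfs) > length:
        raise ValueError("new rootfs (%d bytes) does not fit in %d-byte partition"
                         % (len(new_rootfs), length))
    padded = new_rootfs + ERASED * (length - len(new_rootfs))
    return flash[:offset] + padded + flash[offset + length:]


def md5hex(data: bytes) -> str:
    """Same digest md5sum / certutil -hashfile print; compare before and after a copy."""
    return hashlib.md5(data).hexdigest()


def fake_squashfs(size: int) -> bytes:
    """Constructed stand-in image: valid magic and bytes_used, filler body."""
    header = SQUASHFS_MAGIC + b"\0" * 36 + struct.pack("<Q", size) + b"\0" * 48
    return header + b"\x5a" * (size - len(header))
```

Run carve() on the dump first and keep its md5 next to the original rootfs.bin; after splice(), carve() the result again to confirm the new image landed where you expect before reflashing.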


Hey, first of all great work with the tutorial, but I could use a little help. I managed to get the root password, but I can't manage to get files to the gateway. I'm using cmd in Windows with the command posted somewhere above: type .\serialgateway.bin | ssh [email protected] "cat >/tuya/serialgateway". With this I am able to connect to the gateway, it asks for the password and after entering it hits me with sh: can't create /tuya/serialgateway: Text file busy. As a solution I tried it with chmod +x /tuya/serialgateway with reboot and chmod 755 /tuya/serialgateway with reboot, but still get the same message.
I hope that somebody can help me, and thanks in advance.

Hi, thanks for the tutorial.
After hacking, can I access the gateway from the Tuya Smart app, or only locally?

I successfully did it with one gateway and then bought another one. I could not get it (the 2nd gateway) to break the boot sequence. I checked the versions (from the serial output) and they were identical to each other: "2020.04.28-13:58".

I even started trying different keys. I went back to the first gateway and tried to interrupt the boot sequence - it just seemed to work almost the first time. It was now very strange how the second gateway did not work, since it just worked fine for the first one. One thing I noticed was that when I typed into the serial console, some of the characters were garbage. I ended up changing the power supply to the gateway and then the garbage characters went away, but I still struggled to interrupt the boot sequence. What I found was that I just had to try multiple times, holding Esc, or repeatedly fast-pressing Esc until it worked. It seems that, if you are not sending garbage, then it is just a timing thing. I am still not sure what the timing is. I am still not sure why the 2nd gateway is harder than the first one. Maybe I just got lucky with my timing.

Now my problem is that this second unit, once I break the boot sequence and get the Realtek prompt, will not respond to me …

Check CoolTerm’s settings.
Should look like this.
[screenshot: CoolTerm settings]

I have the same problem.

Perhaps I have done something wrong in step 2:

if [ ! -f /tuya/tuya_start.original.sh ]; then cp /tuya/tuya_start.sh /tuya/tuya_start.original.sh; fi

cat >/tuya/tuya_start.sh <<EOF
#!/bin/sh
/tuya/serialgateway &
EOF
chmod 755 /tuya/serialgateway

Is this one line or do I have to enter it in parts?
Do I enter it in the ssh or the TTL connection?
I tried both and I assume it is in ssh; then I get:
“# client_loop: send disconnect: Connection reset”

But after the reboot it still doesn't work.

I checked the file with:
"md5sum /tuya/serialgateway"
and got:
"705ca5a422b2c91b4e98b8f552917704 /tuya/serialgateway"

but I don't know what it should be.
(I do work on Windows 11, don't know if Windows screwed it up?)

(I managed to rename the original file back so it does work in Smart Life again.)
Does anyone have an idea where I went wrong?

OK, I have found it.
Windows screwed up.

If I use my old Linux laptop to copy the file, it works.

"md5sum /tuya/serialgateway"
gave a different output.
(in windows cmd: “certutil -hashfile MD5”)

@Mgeeve, yeah, I had the same problem copying files to and from the gateway using Windows. It would alter the checksum and corrupt the file.

It can be done via Windows CMD via ssh, and I had to use these commands to ensure the hacked file did not get corrupted:

To copy a file to the gateway on port 2333 (default), called serialgateway.bin, and call it just serialgateway (no file extension):

type C:\tmp\serialgateway.bin | ssh -p2333 [email protected] "cat >/tuya/serialgateway"

To copy a file from the gateway on port 2333 (default) called tuya_net_start.sh from directory /tuya to the computer:

ssh -p2333 [email protected] "cat /tuya/tuya_net_start.sh" >tuya_net_start.sh

I see you got it sorted using an old Linux laptop, but if you need to use Windows in the future these might help.

Kal …

Any update for a gateway which can't be interrupted using ESC? I repeated it many times with no luck and I think my device is already bricked. :joy: (can't add the gateway device via the Tuya app)

I have suffered twice from all devices disappearing from zigbee2mqtt. It's very annoying. I think I will try to move to another Zigbee gateway.

Does anyone know if there’s a way to update to the latest version of EZSP?