Hacking the Silvercrest (Lidl/Tuya) Smart Home Gateway

Does anybody use the Lidl Silvercrest gateway with zigbee2mqtt?
I'm failing to configure it.

hah, RTFM to myself

1 Like

Can this hacked unit be used as a bridge/extender? I have a ZHA configuration on a Sonoff ZBDongle-E
which I would rather keep as is, and would like to use this unit as a hub/extender only.

I have exactly the same question about using the Silvercrest as a router/repeater. Would be great if possible.

Hello Guys,
Some time ago I bought a simple Tuya gateway on AliExpress, but I have since switched to Home Assistant. I used a different gateway for HA. Now I have some spare time to play with the old gateway.
My gateway is not the Lidl one. It has the following label on the PCB: DMD2CC-V1.0.
I soldered the J1 pins and tried to get the boot prompt. Unfortunately, without any success. The boot prompt must be disabled or locked. I took a different approach. I read a dump of the SPI flash and wanted to extract the auzkey (authkey) from the tuya-label partition on the flash. Unfortunately, this partition is empty (all space is filled with 0xFF values). Instead, I modified /etc/passwd to get access.
However, I was curious where the AUZKEY is located. It might be useful for people who own a Lidl gateway or any other gateway with an enabled bootloader. They don't need to buy a programmer or do any desoldering/soldering.

I did a little research on the tuyamd executable and successfully extracted (or decoded) the auzkey.
To extract the auzkey you need to:

  • dump the jffs2 partition (using the bootloader or a programmer)
  • extract the jffs2 partition - Jefferson github
  • get two files: config/License.file1 and config/License.key
  • use the following program to decode them:
    decode.txt
    It will give you this output:
    Decrypted data
    b'{"bsn":"XXXX","master_mac":"XXXXXX","auzkey":"XXXXXXXXXXXXX","uuid":"XXXXXXXXXX","prodtest_exit":"true"}\x0f\x0f\x0f\x0f\x0f\x0f\x0f\x0f\x0f\x0f\x0f\x0f\x0f\x0f\x0f'
    A file License.out will also be produced.

Hope it will be helpful for someone.

1 Like
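The decoder script itself (decode.txt) is not on this page, so the example below, which is added here and is not the poster's code, only handles what comes after decryption: the trailing \x0f bytes in the quoted output are PKCS#7 block padding, and the rest is a compact JSON object. The example pads and unpads strictly (so a wrong key or mode is reported instead of silently producing garbage), parses the JSON, and builds a redacted copy for posting in a thread like this one, since the auzkey is the device's cloud credential. All field values are constructed placeholders; the 32-character auzkey length is an assumption, as the post redacts the real values.

```python
import json

BLOCK = 16  # AES block size; the quoted output ends in 15 bytes of 0x0f


def pkcs7_pad(data: bytes, block: int = BLOCK) -> bytes:
    """Append PKCS#7 padding (1..block bytes, each equal to the pad length)."""
    n = block - (len(data) % block)
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes, block: int = BLOCK) -> bytes:
    """Strictly strip PKCS#7 padding; reject anything that does not fit the scheme."""
    if not data or len(data) % block:
        raise ValueError("length is not a multiple of the block size")
    n = data[-1]
    if n < 1 or n > block or data[-n:] != bytes([n]) * n:
        raise ValueError("bad PKCS#7 padding (wrong key/mode or corrupted input)")
    return data[:-n]


def parse_license(decrypted: bytes) -> dict:
    """Turn the raw decrypted buffer into the license dict, checking required keys."""
    obj = json.loads(pkcs7_unpad(decrypted).decode("utf-8"))
    missing = [k for k in ("bsn", "master_mac", "auzkey", "uuid") if k not in obj]
    if missing:
        raise ValueError(f"license JSON is missing {missing}")
    return obj


def redacted(obj: dict) -> dict:
    """Copy safe to paste in a forum: the auzkey is a credential, keep only its length."""
    out = dict(obj)
    if "auzkey" in out:
        out["auzkey"] = f"<redacted, {len(out['auzkey'])} chars>"
    return out


# Constructed sample, shaped like the quoted output (compact JSON + PKCS#7 padding).
SAMPLE_LICENSE = {
    "bsn": "SAMPLE0001",                 # placeholder
    "master_mac": "001122334455",        # placeholder
    "auzkey": "A" * 32,                  # placeholder; 32 chars is an assumption
    "uuid": "uuid0000000000000000",      # placeholder
    "prodtest_exit": "true",
}
SAMPLE_DECRYPTED = pkcs7_pad(
    json.dumps(SAMPLE_LICENSE, separators=(",", ":")).encode("utf-8")
)

if __name__ == "__main__":
    lic = parse_license(SAMPLE_DECRYPTED)
    print(redacted(lic))
```

Note that the unpad check is what turns a wrong key into a clear error: with the wrong AES key the last byte is random and almost never forms valid padding. The AES step itself, if you do need it in Python, is provided by the pycryptodome package, whose import namespace is spelled `Crypto` with a capital C.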

Hi Guys,
I have a way to get prompt if ESC key is not working.
See more at:
https://github.com/parasite85/tuya_dmd2cc_gateway_hack

1 Like

Thanks for your info.
Now I can get to the boot prompt, where ESC doesn't work for me.
But I'm stuck with KEK and AUSKEY, for which I only get "FFFFFFFF".

I'm trying to find a solution, but it seems to be programming for me. :joy:

I had the same problem and resolved it by creating a new zigbee network. I followed the instructions in post #33 and after this it worked.

Please tell me.
I got root and updated the gateway firmware.
I suspect that I failed to flash the gateway. How can I find out the current firmware version?

Hello,
I tried to hack the gateway and successfully uploaded the custom firmware/program (serialgateway.bin) and tried connecting ZHA to it through socket://ipaddress:8888. But it crashes when setting up a connection (both with creating a new network and keeping the existing one). I can see in the serial monitor that the connection is constantly broken by the Zigbee gateway. I followed this tutorial: Cloud-free integration with Home Assistant - PaulBanks.Org and only did that.

I also tried connecting it with Zigbee2Mqtt in a docker container, but that also doesn’t work. I also don’t get clear error messages from that so nothing to point me in the right direction unfortunately.

I am guessing it takes too long to react for my HA instance, so the gateway breaks the connection. But it does it after 5 seconds or so. Then I see a "connect from host IPADDRESS fd=5" and the fd varies between 5 and 6.

Can someone please point me at a solution for this? If any additional information is needed I would gladly provide it!

You must set Baudrate to 115200?

I tried that and it looks like it takes longer, but it still crashes. When I start the serialgateway it says: serialgateway Release-1.2: port 8888, serial=/dev/ttyS1, baud=115200, flow=HW. So I tried connecting to it with socket://ipaddress:8888, baud 115200 and flow control on Hardware in the ZHA settings. Unfortunately it still crashes.

I kind of find the serial=/dev/ttyS1 a weird thing. I am not really sure why, but I am thinking maybe I need to do something with that?

Are you sure the gateway is on the same subnet?
You should use the connection socket://ipaddress:8888, software flow control / 115200 baud rate.
On the gateway terminal connection you can see some logging when serialgateway starts.

Just a tip: dumping is much faster over TFTP. For that:

  • set the host IP to 192.168.1.1
  • connect the gw via UART and Ethernet; the gw address will be 192.168.1.6
  • get into the bootloader prompt
  • enter flr 80000000 <hex flash offset> <hex length>
  • read the file on your host with atftp -g -r test 192.168.1.6

It works because the FLR command automatically exposes the loaded data over TFTP. Offsets and sizes, for your convenience:

dev:    size   erasesize  name         offset
mtd0: 00020000 00010000 "boot+cfg"     0
mtd1: 001e0000 00010000 "linux"        20000
mtd2: 00200000 00010000 "rootfs"       200000
mtd3: 00020000 00010000 "tuya-label"   400000
mtd4: 00be0000 00010000 "jffs2-fs"     420000
1 Like
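Typing the flr offsets by hand is where a dump goes wrong (a transposed hex digit reads the wrong region and nothing complains). The example below, added here and not part of the post above, parses the quoted mtd table, checks that the partitions are erase-block aligned and contiguous with no gaps or overlaps, and prints the flr and atftp commands for each partition. The "test" remote file name and the load address 80000000 come from the post; the `-l <name>.bin` local-file option is atftp's own and is added so successive dumps do not overwrite each other. The 16 MiB total is derived from the table, not stated in the thread.

```python
import re

# Constructed copy of the mtd table quoted in the post above.
MTD_TABLE = """\
dev:    size   erasesize  name         offset
mtd0: 00020000 00010000 "boot+cfg"     0
mtd1: 001e0000 00010000 "linux"        20000
mtd2: 00200000 00010000 "rootfs"       200000
mtd3: 00020000 00010000 "tuya-label"   400000
mtd4: 00be0000 00010000 "jffs2-fs"     420000
"""

LINE_RE = re.compile(
    r'^(mtd\d+):\s+([0-9a-fA-F]+)\s+([0-9a-fA-F]+)\s+"([^"]+)"\s+([0-9a-fA-F]+)\s*$'
)


def parse_mtd(text: str) -> list:
    """Parse /proc/mtd-style lines into dicts; header and blank lines are skipped."""
    parts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        dev, size, erase, name, off = m.groups()
        parts.append({"dev": dev, "name": name, "size": int(size, 16),
                      "erasesize": int(erase, 16), "offset": int(off, 16)})
    return sorted(parts, key=lambda p: p["offset"])


def check_layout(parts: list):
    """Return (problems, total_size): partitions must be aligned and contiguous."""
    problems, expected = [], 0
    for p in parts:
        if p["offset"] != expected:
            problems.append(f'{p["name"]}: starts at {p["offset"]:#x}, expected {expected:#x}')
        if p["offset"] % p["erasesize"] or p["size"] % p["erasesize"]:
            problems.append(f'{p["name"]}: not erase-block aligned')
        expected = p["offset"] + p["size"]
    return problems, expected


def dump_commands(parts: list, load_addr: int = 0x80000000, gw_ip: str = "192.168.1.6") -> dict:
    """Map partition name -> (bootloader command, host command) for a TFTP dump."""
    return {
        p["name"]: (
            f'flr {load_addr:x} {p["offset"]:x} {p["size"]:x}',
            f'atftp -g -r test -l {p["name"]}.bin {gw_ip}',
        )
        for p in parts
    }


if __name__ == "__main__":
    parts = parse_mtd(MTD_TABLE)
    problems, total = check_layout(parts)
    print(f"total flash: {total:#x} ({total // 2**20} MiB); problems: {problems or 'none'}")
    for name, (bl_cmd, host_cmd) in dump_commands(parts).items():
        print(f"{name:12} {bl_cmd:30} {host_cmd}")
```

Running the check against the table confirms the five partitions tile 0x0 to 0x1000000 exactly; if you paste a table from a different board and a gap or overlap shows up, the table, not the flash, is what to doubt first.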

So damn me, the gateway was not working.
I tried everything again after you said the thing about the subnet (it is in a different subnet than ZHA; ZHA/HA is in the Docker subnet and the gateway in the normal network), but something happened and now it is working. Lightbulbs are connecting.

Only the remote is not connecting yet (HG08376), so that will be a search for how to get that working. But this is a step in the right direction already!

This fails for me; I even tried disabling the commands over ssh, logged in on the ssh port, and ran all the commands locally. No fix.

# ls -la
drwxr-xr-x 2 root 0 0 Jan 1 00:02 .
drwxr-xr-x 10 root 0 0 Jan 1 00:00 ..
-rw-r--r-- 1 root 0 9304 Jan 1 00:02 firmware.gbl
-rw-r--r-- 1 root 0 222542 Jan 1 00:02 sx
# chmod +x /tmp/sx
# killall -q serialgateway
# stty -F /dev/ttyS1 115200 cs8 -cstopb -parenb -ixon crtscts raw
# echo -en '\x1A\xC0\x38\xBC\x7E' > /dev/ttyS1
# echo -en '$CONFIGURATION_FRAME' > /dev/ttyS1
# echo -en '\x81\x60\x59\x7E' > /dev/ttyS1
# echo -en '\x7D\x31\x43\x21\x27\x55\x6E\x90\x7E' > /dev/ttyS1
# stty -F /dev/ttyS1 115200 cs8 -cstopb -parenb -ixon -crtscts raw
# echo -e '1' > /dev/ttyS1
# /tmp/sx /tmp/firmware.gbl < /dev/ttyS1 > /dev/ttyS1
Sending /tmp/firmware.gbl, 72 blocks: Give your local XMODEM receive command now.
Xmodem sectors/kbytes sent: 0/ 0kRetry 0: Timeout on sector ACK
Retry 0: Timeout on sector ACK
Retry 0: Timeout on sector ACK
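The byte strings echoed to /dev/ttyS1 in the session above are ASH frames, the UART framing Silicon Labs NCPs use for EZSP: a control byte, an optional payload, a CRC16-CCITT (init 0xFFFF) in big-endian order, byte-stuffing of the reserved values, and a 0x7E flag. When a sequence like this stalls, the first thing to rule out is a frame that was mangled in copy-paste (the thread's own forum software turned the single quotes into curly ones). The example below, added here and not part of the post or of any project mentioned in it, encodes and decodes ASH frames and verifies the CRCs of the three frames quoted above; it also applies ASH's pseudo-random payload mask (seed 0x42, feedback 0xB8) to recover the EZSP bytes from the DATA frame, which are an EZSP frame with ID 0x8F, launchStandaloneBootloader, consistent with the XMODEM transfer that follows. The control-byte layout and the mask generator are from the public ASH specification; nothing else is assumed.

```python
FLAG, ESCAPE, CANCEL = 0x7E, 0x7D, 0x1A
# Bytes that must be escaped inside a frame: flag, escape, XON, XOFF, SUB, CANCEL.
RESERVED = {0x7E, 0x7D, 0x11, 0x13, 0x18, 0x1A}

# The three frames from the session above (constructed copies of the quoted bytes).
RST_FRAME = b"\x1A\xC0\x38\xBC\x7E"
ACK_FRAME = b"\x81\x60\x59\x7E"
LAUNCH_FRAME = b"\x7D\x31\x43\x21\x27\x55\x6E\x90\x7E"


def crc16_ccitt(data: bytes, crc: int = 0xFFFF) -> int:
    """CRC-16/CCITT-FALSE: polynomial 0x1021, initial value 0xFFFF, no reflection."""
    for b in data:
        crc ^= b << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc


def stuff(raw: bytes) -> bytes:
    """Escape reserved bytes as 0x7D followed by the byte XOR 0x20."""
    out = bytearray()
    for b in raw:
        out += bytes([ESCAPE, b ^ 0x20]) if b in RESERVED else bytes([b])
    return bytes(out)


def unstuff(stuffed: bytes) -> bytes:
    out, it = bytearray(), iter(stuffed)
    for b in it:
        out.append(next(it) ^ 0x20 if b == ESCAPE else b)
    return bytes(out)


def ash_encode(control: int, payload: bytes = b"") -> bytes:
    """Build a complete frame: stuffed(control + payload + CRC) + flag."""
    body = bytes([control]) + payload
    return stuff(body + crc16_ccitt(body).to_bytes(2, "big")) + bytes([FLAG])


def ash_decode(frame: bytes):
    """Return (control, payload) or raise ValueError on bad framing or CRC."""
    frame = frame.lstrip(bytes([CANCEL]))  # a leading CANCEL just discards junk before it
    if len(frame) < 4 or frame[-1] != FLAG:
        raise ValueError("missing flag byte or frame too short")
    body = unstuff(frame[:-1])
    if crc16_ccitt(body[:-2]) != int.from_bytes(body[-2:], "big"):
        raise ValueError("CRC mismatch: frame was corrupted (check your quoting)")
    return body[0], body[1:-2]


def descramble(payload: bytes) -> bytes:
    """Undo the XOR mask ASH applies to DATA payloads (rand0=0x42, LFSR feedback 0xB8)."""
    out, r = bytearray(), 0x42
    for b in payload:
        out.append(b ^ r)
        r = (r >> 1) ^ 0xB8 if r & 1 else r >> 1
    return bytes(out)


def describe(control: int) -> str:
    """Decode the ASH control byte into its frame type and sequence fields."""
    if control == 0xC0:
        return "RST"
    if control == 0xC1:
        return "RSTACK"
    if control & 0x80 == 0:
        return f"DATA frmNum={(control >> 4) & 7} reTx={(control >> 3) & 1} ackNum={control & 7}"
    if control & 0xE0 == 0x80:
        return f"ACK ackNum={control & 7}"
    if control & 0xE0 == 0xA0:
        return f"NAK ackNum={control & 7}"
    return f"unknown 0x{control:02x}"


if __name__ == "__main__":
    for name, frame in (("RST", RST_FRAME), ("ACK", ACK_FRAME), ("LAUNCH", LAUNCH_FRAME)):
        ctl, payload = ash_decode(frame)
        print(f"{name}: {describe(ctl)}; EZSP bytes: {descramble(payload).hex() or '-'}")
```

Because `ash_encode` is the inverse of `ash_decode`, you can regenerate the exact byte strings for the echo commands from the control byte and payload, rather than trusting a pasted copy; the CRC in the last frame changes if even one payload byte changes.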

ssh -oHostKeyAlgorithms=+ssh-dss root@yourip

does that work?

Does anyone have the default Zigbee chip firmware to restore the gateway to default and use it with the cloud again?

I can't "extract" the root pw; it always says

Traceback (most recent call last):
File "C:\lidl_auskey_decode.py", line 35, in <module>
from crypto.Cipher import AES
ModuleNotFoundError: No module named 'crypto'

I can't encrypt the key because the script doesn't work... but "crypto" is installed!!