Hacking the Silvercrest (Lidl/Tuya) Smart Home Gateway

In case it helps others… I bought a Tuya TYGWZ-01 for £16 on AliExpress, branded as “LoraTap”, that required some extra steps to get to work for ZHA.

I mainly followed the Blakadder guide here.

First hurdle was that the Realtek bootloader was locked; sending the ESC character at boot did not work. Luckily @parasite85's trick of shorting the flash chip got me into the bootloader.

Next, I couldn’t retrieve the KEK encryption key or AUSKEY using the FLR+DW commands; I was getting FFFFFFFF only. I tried parasite85’s method #1 of dumping the “tuya-label” partition, hoping the AUSKEY was in plaintext, but no luck. The partition was full of 0xFF only.
I finally resorted to his method #4 of dumping the “jffs2-fs” partition with @bool2 (paul banks) dump_flash.sh script:

python dump_flash.py --serial-port COM3 --output-file jffs2.img --start-addr 0x420000 --end-addr 0x1000000

Note: this will take a very VERY long time to complete, but I periodically checked the output file and was able to extract the required files after ~30 mins using:

jefferson jffs2.img -d jeff

Once I had config/License.file1, config/License.file2 and config/License.key, I used parasite85's script to get Licence.out json. The root password is the last 8 characters of AUSKEY.

Third problem: I found the SSH server is not configured properly on this version of the hardware. I found I needed to create a file /tuya/enable_ssh_flag before the /tuya/ssh_monitor.sh script we edit in the guide will run. I also had to add the line dropbear -p 22 -K 300 to ssh_monitor.sh, different from the guide (long story short, dropbear is commented out in initrc). Now the SSH server was up and running on port 22. I could put the case back together and connect remotely.
(Newer versions of OpenSSH needed some extra config if you get Unable to negotiate with ... port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss)

The rest of the guide on zigbee.blakadder.com could be completed without a hitch.

:slight_smile:

3 Likes
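An added example, not part of the original post and not code from parasite85 or bool2: a quick check to run on the still-growing jffs2.img while the dump is in progress, reporting which of the three License files already have a directory entry and at least one complete inode node in the image. It assumes the standard JFFS2 on-flash node layout, tries both byte orders, and ignores node versions and parent directories; the function names and sample nodes are constructed for illustration.

```python
import struct, sys, zlib

WANTED = (b"License.file1", b"License.file2", b"License.key")  # names from the post
MAGIC, DIRENT, INODE = 0x1985, 0xE001, 0xE002                  # JFFS2 on-flash constants

def jffs2_crc(data):
    # JFFS2 CRC-32: zero seed, no final XOR (zlib applies both, so undo them)
    return (zlib.crc32(data, 0xFFFFFFFF) ^ 0xFFFFFFFF) & 0xFFFFFFFF

def scan(image):
    """Map each wanted name seen so far to True once a complete inode node for it exists."""
    names, inodes = {}, set()
    for end in "><":                      # big-endian first, then little-endian
        magic = struct.pack(end + "H", MAGIC)
        pos = image.find(magic)
        while pos != -1:
            head = image[pos:pos + 12]    # magic, nodetype, totlen, hdr_crc
            if len(head) == 12 and struct.unpack(end + "I", head[8:])[0] == jffs2_crc(head[:8]):
                ntype, totlen = struct.unpack(end + "HI", head[2:8])
                if pos + totlen <= len(image):            # node is fully dumped
                    if ntype == DIRENT and totlen >= 40:
                        ino, = struct.unpack_from(end + "I", image, pos + 20)
                        ncrc, = struct.unpack_from(end + "I", image, pos + 36)
                        name = image[pos + 40:pos + 40 + image[pos + 28]]
                        if ncrc == jffs2_crc(name):       # name bytes are intact
                            names[name] = ino
                    elif ntype == INODE:
                        inodes.add(struct.unpack_from(end + "I", image, pos + 12)[0])
            pos = image.find(magic, pos + 2)
    return {n.decode(): names[n] in inodes for n in WANTED if n in names}

def sample_node(ntype, ino, payload, end=">"):
    """Build one constructed node (not real device data) for the demo below."""
    n = len(payload)
    head = struct.pack(end + "HHI", MAGIC, ntype, (40 if ntype == DIRENT else 68) + n)
    head += struct.pack(end + "I", jffs2_crc(head))
    if ntype == DIRENT:                   # pino, version, ino, mctime, nsize, type, unused
        body = head + struct.pack(end + "4I2BH", 1, 1, ino, 0, n, 8, 0)
        return body + struct.pack(end + "2I", jffs2_crc(body), jffs2_crc(payload)) + payload
    body = head + struct.pack(end + "3I2H7I2BH", ino, 1, 0o100644, 0, 0,
                              n, 0, 0, 0, 0, n, n, 0, 0, 0)
    return body + struct.pack(end + "2I", jffs2_crc(payload), jffs2_crc(body)) + payload

SAMPLE = (b"\xff" * 16 + sample_node(DIRENT, 5, b"License.key") + b"\xff"
          + sample_node(INODE, 5, b"constructed") + sample_node(DIRENT, 6, b"License.file1")
          + sample_node(DIRENT, 7, b"License.file2")[:-3])  # last node cut off mid-dump

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    print(scan(data))
```

A True value only means some data for that file has been dumped; a file split across several nodes may still be incomplete, so confirm by extracting with jefferson as in the post.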