Hacking the Silvercrest (Lidl/Tuya) Smart Home Gateway

Yes, I checked in this place. Thanks for the advice.

My remote is paired in ZHA (hack from this topic), not in Zigbee2MQTT. It looks like it is not supported by ZHA for now. I see that ZHA has fewer compatible devices than Zigbee2MQTT. Do you know how often ZHA is updated for new devices? I am considering buying new IKEA Tradfri bulbs, but the newest models are still not compatible with ZHA (according to this site: Database of Zigbee devices compatible with ZHA, Tasmota, Zigbee2MQTT, deCONZ, ZiGate and ioBroker).

I know they are using the same libraries underneath to support devices, so they should be eventually consistent in terms of supported devices; maybe ZHA might be slower, but I'm not sure.

I have one of these and started adding support a while ago. At the time I had an issue which seemed to be in the underlying Tuya library, where the events were not being interpreted correctly. I think 2 of the 4 buttons were working though. I only have one gateway so testing isn’t all that easy, and I haven’t tried with the latest version to see if it works now.

There is an open feature request in the issue tracker at [Device Support Request] LIVARNO LUX/LIDL Remote Control Dimmer (Tuya TS1001 based) · Issue #613 · zigpy/zha-device-handlers · GitHub

Hello @Ordspilleren, I tried using your upgrade script, same as @krosand, and got the same Retry error.

How do I fix this? I tried rerunning it but it hangs:

./firmware_upgrade.sh 192.168.20.4 22 V7 NCP_UHW_MG1B232_678_PA0-PA1-PB11_PA5-PA4.gbl
[email protected]'s password:
[email protected]'s password:
[email protected]'s password:

and ps on the device says:

  177 root      1288 S    sh -c  chmod +x /tmp/sx killall -q serialgateway stty

and it stays there

btw, one thing to add for all new users on a newer OS: add

-oHostKeyAlgorithms=+ssh-rsa

to ssh in order to be able to ssh to gateway.

type .\serialgateway.bin | ssh [email protected] "cat >/tuya/serialgateway"
worked for me.

What do I need to do differently if I have connected to the cloud before attempting this hack?

You won’t be able to use the python script to determine the root password, because it will be modified as soon as you connect to the Tuya cloud.

That means you need to go down the route of connecting to the serial port, dumping current flash via serial, making a modified root image from that and uploading the modified flash image back to the device. I had to go down that route too; there are various comments from me on this thread about that.

Happy hacking!

Do I have to have a tftp server running on 192.168.1.254? The thing is that I already have something else running on that IP (my router (for which I don’t have root)).

I suppose I could also get an extra router merely for doing this hack, but man the cost/benefit ratio is really starting to suck.

No you don’t, sorry that wasn’t clear. You just need to use addresses for the gateway and the computer where you are running tftp to be in the same network range so they can contact each other.

I agree that would not be worth it at all!

I can’t even get a Linux console :pleading_face:. Getting serial connections to work is always a nightmare. Why do these people not just include the screen command to use (AARGGH)?

My USB-TTL converter is connected:

[ 1703.021247] usb 4-1.6: Product: USB2.0-Ser!
[ 1703.021574] ch341 4-1.6:1.0: ch341-uart converter detected
[ 1703.022287] ch341-uart ttyUSB0: break control not supported, using simulated break
[ 1703.022395] usb 4-1.6: ch341-uart converter now attached to ttyUSB0

Script I wrote that should connect to the device, but doesn't. Possibly something is wrong there?

#!/bin/sh
# World read/write on the adapter node; adding your user to the group that
# owns /dev/ttyUSB0 (dialout on Debian-based systems) avoids this.
# screen settings: 38400 baud, 8 data bits, no parity, 1 stop bit, no hang-up on exit.
chmod 666 /dev/ttyUSB0 &&
screen /dev/ttyUSB0 38400,cs8,-parenb,-cstopb,-hupcl

I configured my 5/3.3V TTL such that the jumper is set to the position where the 3.3V is connected. I verified via Google that this is the meaning of “setting a jumper”.

I connected:

  • the RX of the 3.3VTTL to the TX of the Silvercrest
  • the TX of the 3.3VTTL to the RX of the Silvercrest
  • GND of 3.3VTTL to the GND of the Silvercrest

The LAN port of the Silvercrest is free.
I am supplying power to the power port of the Silvercrest.

Finally, perhaps I messed up the soldering of the male header. There are no solder bridges.

Can you please tell me where I most likely (or preferably certainly) messed up?

So, now I got this binary gibberish (after soldering it a bit better), which I think is better than not getting anything: It also seems to have a pattern, so perhaps something is now working? Certainly, not how it should be.

j��N+�kk�kʹ�Ik�_}��[k��o_Nmk�k�jk�k�o�kk��k��Ko�Ok�K�%�j�o�zjo�k��ojoc��{���?��j�ookO�N�o��NJj��[O�o�okk�o�?N��k�k�;��=�kk�j��k�o�o�o_��j[��jooO�j�O�kojk����ZkNo�j�j�k�o�k��k�k��kK��O�{��*!�Zbo��kkcI�oK�oKjo�Ok��ko��K�O/��c�jO�����!�jO�jok���oj���[�bKCb��j�k��ON+jo��o�}�kͭO��J�+/k��o)Zk��Nk�Nk��k�N{�Nkk��Nk��N#�Nb�kN{�Nk�Nk��rNk�Nk��Z��k�k��bN+�Nk�NkNk�Nk��"N+�Nk�k�k��N#�Nkk��Nk�Nk��k�Nk��k�N{�NNk��N#�N+�Nkk��kk�"Nkk�k�Nk�Nk!�k��kk�#�NNk�Nk��Nkk�!�NkNk�Nk�Nk�k��Nk��Nk�Nk�NkNk��NNk��Nk�N+�Nk��k��#�N!�Nk��k�Nk��N��Nk��N�Nk��Nk�Nk�k��N#�N+�Nk�k��N+�Nk�Nk�k�-k��Nk�N+�bNk��Nk�Nb�k��"N+�Nk�k��Nk��Nk�Nk�k��NN+�Nk�k��bN+�Nk0k��k��b+�k��k��N#�Nkk��N#�Nk��kk��+�Nk�Nk��
                                        -k��Nk�Nk�k��k�k��s�N+�Nk��-k��N+�Nk�Nk��NNkNNk��N+�Nk�Nk��NNk�Nk��k��Nk��Nk�N;�b�^-Nk��k�Nk��N+�Nk�Nk��-k���N#�N+�N-k��N+�Nk��"N+�Nk��k��Nk��N�Nk�k��N#�N+�Nk��kNk��k��N{�Nk�Nk�Nk��N#�N+�Nk��k0Nk��k�N+�k��Nk�Nk�Nk��N*��Nk��NkNk��k��N#�NNk�Nk�k��N-k��Nk�k��NNk�k-�Nk��+�Nk�Nk�Nk��Nk�Nk��k�k�k��N#�N+�Nk��-k��Nk��k�N+�Nk��k�N#�Nkk��N#�Nkkk�#�Nk�k��k�Nk�

Update1:
Not sure what I did, but now I got something a bit better:

Please press Enter to activate this console. ^C
Please press Enter to activate this console. 
tuya-linux login: Sending discover...
Sending discover...
Sending discover...

Yes, I already pressed enter…

Update2:
Looks like I can dump the flash. How nice. I suppose the rest will work too then. Thanks for acting like a rubber duck.

Haha, congrats on getting past that stage. I didn’t see anything obvious in your description so thought I’d need to dig out my own notes to check what I did. Glad you found the problem already.

Is the dumped flash file supposed to grow over time, or does it just collect everything in memory and write everything at once? It has been running for 10 minutes and not a single byte has been written. I'd have added some kind of progress indicator that "something" is happening. I will just let it run for an hour, but still.

Update: Hmm, the source code contains all kinds of print() calls, so it’s probably hanging somewhere. Not good.

Getting a console is reproducible and when I type text I also see it appear on my screen, when I press enter something also happens, so communication is working. Dumping flash does not work, however. I think I am stuck for now.

Well, thinking for 30 seconds and I am unstuck. Flash is dumping.

(this only works if you transfer an image starting with a new linux kernel)

What do you mean by this?


The Realtek chip has an option ‘autoburn’ which can be used to receive a tftp image and write it straight to flash memory automatically. However, it only works if you upload an image containing a valid executable kernel. Because we are only uploading a disk image, this option does not work and the image would be rejected without writing to flash.

tftp 172.28.1.6 -m binary -c put newroot.squashfs

Where does this magic IP come from? You set the IP of the device being flashed to 192.168.10.10, right?

So, shouldn’t that then be 192.168.10.10?

However, the box still ends up in the bootloader when power cycled.

Is this still the case if I were to execute this hack? That would defeat its purpose in my case. Sometimes the power grid fails.

Never mind, I got everything to work, but I don’t think the instructions are written for an amateur audience; I write instructions for computers to execute or I don’t write instructions at all. I don’t see the point of “programming people” when I have a computer that can follow millions or sometimes billions of commands per second.

I guess I underestimate how easy it is to get access to such devices once you already have experience with a few of them. Automating all those scripts would really not be such a big deal, but I guess the author just wants people to never forget his name by going through all the pain and useless uses of cat. :joy:

Important for me: When I try to add the device to HomeAssistant via the zha module, it detects the serial port, but it "can't make a connection". No explanation as to why (terrible error messages in general on HomeAssistant).

Specifically, the issue is that it will only let me create serial connections, not socket connections like in Paul's instructions. (Yes, I picked the manual option, but the instructions do not match the version of HomeAssistant I am running (which is core-2021.11.5).)

I also still have a few more questions:

  • Do I need to do something with socat too?
  • Can I use this gateway also just via the network without using the serial port (after the hack itself has been done)?

This is a somewhat nicer script to connect than the one used in various scripts:

I configured the machine named “lidlhacked” in /etc/ssh_config, but you can do so in ~/.ssh/config.

#!/usr/bin/env expect
log_user 0                         ;# hide the login chatter
spawn ssh lidlhacked               ;# host alias defined in the ssh config
expect ord:                        ;# tail end of the "password:" prompt
send "<your password without the angle brackets>\r\n"
expect {#}                         ;# wait for the root shell prompt
puts "#"                           ;# re-print the prompt that log_user 0 swallowed
log_user 1
interact                           ;# hand the session over to the terminal
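The expect script above keeps the password inside the script file. As an added example, not code from this thread, here is a POSIX shell wrapper that instead reads it from a separate file via sshpass -f, refuses to run unless that file is a mode-600 regular file owned by the caller, and applies the ssh-rsa host-key workaround mentioned earlier in the thread to this one connection only. It assumes the same "lidlhacked" alias in the ssh config as the post above and that sshpass is installed; the path under ~/.config/lidl-gateway is a placeholder I chose.

```sh
#!/bin/sh
# Added example, not from the thread: log in to the "lidlhacked" alias from
# the ssh config with sshpass instead of an expect script, so the password
# lives in its own mode-600 file rather than in the script.
# Assumes: sshpass is installed and ~/.ssh/config has a "Host lidlhacked" entry.

# Placeholder path; override with LIDL_SECRET_FILE.
SECRET_FILE="${LIDL_SECRET_FILE:-$HOME/.config/lidl-gateway/password}"

# 0 if $1 is a regular file owned by the caller with no group/other bits set
# (mode 600 or stricter); 1 otherwise. Uses ls -l rather than stat so it also
# works on a busybox userland. Paths containing spaces are not supported.
secret_file_ok() {
    [ -f "$1" ] && [ -O "$1" ] || return 1   # regular file, owned by the caller
    set -- $(ls -ld "$1")        # $1 becomes the mode string, e.g. -rw-------
    case "$1" in
        ????------*) return 0 ;; # characters 5-10 (group+other) are all '-'
        *) return 1 ;;
    esac
}

main() {
    if ! secret_file_ok "$SECRET_FILE"; then
        echo "refusing to use $SECRET_FILE: it must be a regular file you own with mode 600" >&2
        return 1
    fi
    # sshpass -f reads the first line of the file as the password, so the
    # password appears neither on the command line nor in this script.
    # HostKeyAlgorithms=+ssh-rsa is the workaround from earlier in the thread,
    # applied to this connection only rather than to every host.
    exec sshpass -f "$SECRET_FILE" ssh -o HostKeyAlgorithms=+ssh-rsa lidlhacked "$@"
}

# Run only when executed as a script named lidl-ssh.sh, not when sourced.
case "${0##*/}" in lidl-ssh.sh) main "$@" ;; esac
```

Save it as lidl-ssh.sh, put the password on the first line of the secret file, chmod 600 it, and run the script; any extra arguments are passed through to ssh, so `./lidl-ssh.sh ps` runs a single command on the gateway.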

I got the integration to work in a newer version of HomeAssistant.

Long time since I visited this thread. For a few months now running this kit again. The LIDL starter set + motion sensor + schuko smart plug. No problems. They are all in a small studio, have not had to do anything about the network.
Also connected Sonoff door and motion sensors now and doing some limited first automations.

But lost access while trying to get key-based SSH auth to work last year, IIRC. I just get thrown out directly when I log on now. I should have just used sshpass… But the serial socket is fine. Need to get onto the console and see what's up.

No support in ZHA for the remote control yet. So what is the software state? I need some buttons or other tokens to do automations. This remote control has 4, but they don't work. From what I read, I gather I could set up Zigbee2MQTT and actually use the control via HA, instead of pairing it with a bulb directly? I just tried resetting it to another bulb and that did not want to work with three bulbs plugged in.

In HA listen for ‘zha_event’ but the only thing I see is

        "device_event_type": "device_offline"

when I unpair, and after I paired it. And the battery level. Looking at [Device Support Request] LIVARNO LUX/LIDL Remote Control Dimmer doesn’t look like anyone is picking that up.

I like @swedude's script config, have you noticed any connection drops?
My setup has an SSH tunnel additionally; it's run from a tmux window whose session in turn is kept running by systemd

new-window -n 'HA-ZHA tunnel'
send-keys ". ~/.local/etc/profile.d/zha-access.sh;\nwhile true; do echo \"$(date --iso=min) Connecting SSH tunnel...\"; sshpass -e ssh -gNL 8888:*:8888 root@zha || sleep 10; done;\n"

So this all starts automatically. Not seeing any drops, except after a reset. Just added the date. Maybe I should add a persistent log.

Well, nice work everyone, keep it up.

That is better done via autossh or, ideally, a WireGuard tunnel. I am not sure what would be required to get WireGuard to work on the gateway (just cross compilation, I think), but that would be the best solution.
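As an added example that is not from either post, here is a shell supervisor for the port-8888 forward in the tmux loop above that uses autossh as suggested, writes the persistent timestamped log mentioned above, and backs off between quick failures instead of always sleeping 10 seconds. It assumes key-based authentication to root@zha already works and that autossh is installed. The bind address is a parameter: "*" matches the -g in the posted loop and exposes port 8888 to everything on the LAN, while the default 127.0.0.1 keeps the forward reachable only from the host running it.

```sh
#!/bin/sh
# Added example, not from the thread: supervise an ssh port forward from local
# port 8888 to the gateway's port 8888 (the forward in the tmux loop above)
# with autossh, a persistent timestamped log and exponential backoff.
# Assumes: autossh installed, key-based auth to root@zha already set up.

LOG_FILE="${ZHA_TUNNEL_LOG:-$HOME/.local/state/zha-tunnel.log}"
MIN_DELAY=10     # seconds; the fixed sleep in the posted loop
MAX_DELAY=300

# Backoff delay for the n-th consecutive failure: MIN_DELAY * 2^n, capped.
next_delay() {
    d=$MIN_DELAY
    i=0
    while [ "$i" -lt "$1" ] && [ "$d" -lt "$MAX_DELAY" ]; do
        d=$((d * 2))
        i=$((i + 1))
    done
    if [ "$d" -gt "$MAX_DELAY" ]; then d=$MAX_DELAY; fi
    echo "$d"
}

# Append "<UTC ISO-8601 timestamp> <message>" to LOG_FILE and echo it.
log_line() {
    mkdir -p "$(dirname "$LOG_FILE")"
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" | tee -a "$LOG_FILE"
}

# Run one autossh session in the foreground. -M 0 turns off autossh's own
# monitor port; the ServerAlive* keepalives make ssh itself notice a dead
# link, and ExitOnForwardFailure turns a refused forward into a failure
# instead of a silent tunnel without the port. AUTOSSH_GATETIME=0 keeps
# autossh retrying even when the very first connection attempt fails.
run_tunnel() {
    bind=$1
    AUTOSSH_GATETIME=0 autossh -M 0 -N \
        -o ServerAliveInterval=15 -o ServerAliveCountMax=3 \
        -o ExitOnForwardFailure=yes \
        -L "$bind:8888:localhost:8888" root@zha
}

main() {
    bind=${1:-127.0.0.1}   # pass "*" to bind on all interfaces, like -g
    attempt=0
    while :; do
        log_line "starting tunnel on $bind:8888 (attempt $attempt)"
        started=$(date +%s)
        run_tunnel "$bind"
        rc=$?
        # A session that lasted a minute counts as healthy: reset the backoff.
        if [ $(( $(date +%s) - started )) -ge 60 ]; then attempt=0; fi
        delay=$(next_delay "$attempt")
        log_line "tunnel exited with status $rc, retrying in ${delay}s"
        sleep "$delay"
        attempt=$((attempt + 1))
    done
}

# Run only when executed as a script named zha-tunnel.sh, not when sourced.
case "${0##*/}" in zha-tunnel.sh) main "$@" ;; esac
```

Run it as `./zha-tunnel.sh` (or `./zha-tunnel.sh '*'` for the LAN-wide bind) from the tmux window or a systemd service in place of the while loop; the log file then records every restart with its exit status, which is what you want when chasing intermittent drops.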