Just in case someone else runs in to this. Problem was rights of AlmaLinux /var/run/lock directory. Only root could write locks there. I changed group of the directory to lock (rpm already had added openhab user to that group) and gave group write access. After that I got ONLINE-status. Sorry for the noise.
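The permission fix described in that post, turned into a small check (added example, my code, not from the post or any project): it reports the owning group of a lock directory and its write bits, tells you whether a service's group can create locks there, and applies the same least-privilege change as the post (group write, never world write). The path /var/run/lock and the group name lock are taken from the post; the openhab user being a member of that group is the post's assumption, not verified here.

```python
import grp
import os
import stat


def lock_dir_status(path: str) -> dict:
    """Describe ownership and write permissions of a lock directory.

    Returns the owning group name, whether the group may write, whether
    everyone may write (the over-broad chmod 777 shortcut to avoid) and
    whether the sticky bit is set.
    """
    st = os.stat(path)
    try:
        group = grp.getgrgid(st.st_gid).gr_name
    except KeyError:  # gid without an /etc/group entry (containers, NFS)
        group = str(st.st_gid)
    return {
        "group": group,
        "group_writable": bool(st.st_mode & stat.S_IWGRP),
        "world_writable": bool(st.st_mode & stat.S_IWOTH),
        "sticky": bool(st.st_mode & stat.S_ISVTX),
    }


def service_can_lock(path: str, service_group: str) -> bool:
    """True when the service's group can write lock files in `path`
    without the directory being world-writable."""
    info = lock_dir_status(path)
    return (
        info["group"] == service_group
        and info["group_writable"]
        and not info["world_writable"]
    )


def grant_group_write(path: str) -> None:
    """Apply the fix from the post: add g+w and nothing else.

    Changing the owning group (chgrp) needs root and is left to the admin.
    """
    mode = stat.S_IMODE(os.stat(path).st_mode)
    os.chmod(path, mode | stat.S_IWGRP)


if __name__ == "__main__":
    # Assumed path and group from the post; needs read access to stat them.
    print(lock_dir_status("/var/run/lock"))
    print("openhab can lock:", service_can_lock("/var/run/lock", "lock"))
```

Run it before and after the chgrp/chmod to confirm the directory ended up group-writable for lock and not world-writable; if service_can_lock reports False while the status shows world_writable True, the fix was too broad.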
Got 2 MOES-like gateways modified… not without a struggle btw:
- Advice is to connect your network cable when trying to log in via a serial or ssh connection. The unit will try to retrieve an IP address via DHCPD, which disturbs your login procedure.
- If your password does not decrypt, make sure to remove the spaces in between. That helped me.
I seem to have an updated debugtool
./debugtool
Build time: Jan 20 2021 15:53:17
Support cmd:
0: get net info.
1: update zigbee coo.
2: plugin counters printf.
3: set tx radio power.
4: start RF test mode.
5: stop RF test.
6: install code.
7: create a specified zigbee network.
8: set max deveice cnt.
9: replace ncp mac.
a: fault replace.
b: get device short addr.
c: ncp recovery.
q/Q: quit debug.
******Input cmd:7
Input channel:
eg(decimal): 11 - 26
22
Input TxPower:
eg(decimal): 0 - 19
19
Set channel :22, TxPower: 19
Maybe no script needed anymore to update power/channel
But I first left the channel as described
bellows -d socket://192.168.1.29:8888 leave
And when I tried to switch channels via (bellows-venv) installed on a PI4 (not my home assistant machine),
(bellows-venv) root@PI4:~# bellows -d socket://192.168.1.29:8888 form -D /zigbee.db -c 22
Usage: bellows form [OPTIONS]
Try ‘bellows form --help’ for help.
Error: Invalid value for ‘-D’ / ‘--database’: File ‘/zigbee.db’ does not exist.
root@PI4:~# bellows -d socket://192.168.1.29:8888 scan
Scanning channels 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26
[EmberZigbeeNetwork(channel=11, panId=0x0c84, extendedPanId=cc:cc:cc:cc:aa:a8:cc:84, allowingJoin=<Bool.false: 0>, stackProfile=2, nwkUpdateId=0), 68, -83]
(bellows-venv) root@PI4:~# bellows -d socket://192.168.1.29:8888 info
[5c:02:72:ff:xx:xx:xx:xx]
[0xfffe]
[<EmberNetworkStatus.NO_NETWORK: 0>]
[<EmberStatus.NOT_JOINED: 147>, <EmberNodeType.UNKNOWN_DEVICE: 0>, EmberNetworkParameters(extendedPanId=5f:2a:24:a3:xx:xx:xx:xx, panId=0xffff, radioTxPower=13, radioChannel=20, joinMethod=<EmberJoinMethod.USE_MAC_ASSOCIATION: 0>, nwkManagerId=0x0000, nwkUpdateId=0, channels=<Channels.ALL_CHANNELS: 134215680>)]
[<EmberStatus.NOT_JOINED: 147>, EmberCurrentSecurityState(bitmask=<EmberCurrentSecurityBitmask.32768|8192|4096|1024|256|64|8|GLOBAL_LINK_KEY|DISTRIBUTED_TRUST_CENTER_MODE|HIGH_SECURITY_MODE: 46415>, trustCenterLongAddress=00:09:00:00:00:01:00:00)]
Manufacturer:
Board name:
EmberZNet version: 6.7.8.0 build 373
Any idea what is happening and how this can be resolved?
Don't forget to create a zigbee.db before creating a new network:
touch zigbee.db
Is it possible to use zha and zigbee2mqtt at the same time? Or do you have to first disable the zha and then enable zigbee2mqtt?
Not possible. You have to pick one.
Do you know whether TuYa TV02-Zigbee control via MQTT | Zigbee2MQTT will work in the near future in Home Assistant via the hacked gateway discussed in this topic? It seems like such a waste of time to have to repair all devices in a hard to reach location.
Hello, I have been reading for a while but couldn't get a solution to my problem (0 skills in programming).
Yesterday I managed to get the Realtek bootloader, and also got the KEK and AUSKEY. But whenever I put the last line in the python script, the window just closed every time I pushed the ENTER button.
After that I read somewhere that when you have already connected it to the cloud (before the hack) you can't just run the script for getting the root password…
So what should I do then?
Is there a good/easy tutorial for newbies/dummies like me?
(for info: I use putty for the serial monitor and the CH340 TTL- USB)
Thanks in advance!
TTY serial working but no joy getting KEK or AUSKEY
I'm pretty sure I'm chatting with the Lidl / Silvercrest gateway OK. If I let it boot, I see this:
Booting…
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@
@ chip__no chip__id mfr___id dev___id cap___id size_sft dev_size chipSize
@ 0000000h 0c84018h 00000c8h 0000040h 0000018h 0000000h 0000018h 1000000h
@ blk_size blk__cnt sec_size sec__cnt pageSize page_cnt chip_clk chipName
@ 0010000h 0000100h 0001000h 0001000h 0000100h 0000010h 000004eh GD25Q128
@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
DDR1:32MB
RealTek(RTL8196E)at 2020.04.28-13:58+0800 v3.4T-pre2 [16bit](400MHz)
P0phymode=01, embedded phy
check_image_header return_addr:05010000 bank_offset:00000000
no sys signature at 00010000!
P0phymode=01, embedded phy
Ethernet init Okay!
tuya:start receive production test frame …
Jump to image start=0x80c00000…
decompressing kernel:
Uncompressing Linux… done, booting the kernel.
done decompressing kernel.
start address: 0x80003780
Linux version 3.10.90 (dingsl@dingsl-pc) (gcc version 4.6.4 (Realtek RSDK-4.6.4 Build 2080) ) #10 Tue Apr 28 14:03:14 CST 2020
CPU revision is: 0000cd01
Determined physical RAM map:
memory: 02000000 @ 00000000 (usable)
Zone ranges:
Normal [mem 0x00000000-0x01ffffff]
Movable zone start for each node
Early memory node ranges
node 0: [mem 0x00000000-0x01ffffff]
icache: 16kB/16B, dcache: 8kB/16B, scache: 0kB/0B
Built 1 zonelists in Zone order, mobility grouping on. Total pages: 8128
Kernel command line: console=ttyS0,38400 root=/dev/mtdblock2
PID hash table entries: 128 (order: -3, 512 bytes)
Dentry cache hash table entries: 4096 (order: 2, 16384 bytes)
Inode-cache hash table entries: 2048 (order: 1, 8192 bytes)
Memory: 27700k/32768k available (2479k kernel code, 5068k reserved, 525k data, 192k init, 0k highmem)
SLUB: HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
NR_IRQS:128
console [ttyS0] enabled
Calibrating delay loop… 398.13 BogoMIPS (lpj=1990656)
pid_max: default: 4096 minimum: 301
Mount-cache hash table entries: 512
If I interrupt the bootloader with ESC I see this:
RealTek(RTL8196E)at 2020.04.28-13:58+0800 v3.4T-pre2 [16bit](400MHz)
P0phymode=01, embedded phy
check_image_header return_addr:05010000 bank_offset:00000000
no sys signature at 00010000!
Escape booting by user
P0phymode=01, embedded phy
Ethernet init Okay!
<RealTek>
When I enter ‘?’ at the prompt I see this:
<RealTek>?
-------- COMMAND MODE HELP ----------------
HELP (?) : Print this help message
DB <Address> <Len>
DW <Address> <Len>
EB <Address> <Value1> <Value2>…
EW <Address> <Value1> <Value2>…
CMP: CMP <dst><src><length>
IPCONFIG:<TargetAddress>
AUTOBURN: 0/1
LOADADDR: <Load Address>
J: Jump to <TargetAddress>
FLR: FLR <dst><src><length>
FLW <dst_ROM_offset><src_RAM_addr><length_Byte> <SPI cnt#>: Write offset-data to SPI from RAM
tftp <memoryaddress> <filename>
MDIOR: MDIOR <phyid> <reg>
MDIOW: MDIOW <phyid> <reg> <data>
PHYR: PHYR <PHYID><reg>
PHYW: PHYW <PHYID><reg><data>
PORT1: port 1 patch for FT2
<RealTek>
But when I enter:
FLR 80000000 401802 16
DW 80000000 4
all I get back is the <RealTek>
prompt, no other output.
I'm probably making a basic / newbie mistake - but I'd appreciate a nudge in the right direction please?
I recommend everyone trying this hack to use the zigbee2mqtt integration instead of the ZHA (Home Assistant) integration, because it supports more devices. If that is ever changed, I configured my system such that I can quickly switch between the two technologies (it's literally setting a flag and the configuration is automatically ported over). How sweet is that?
FLR 80000000 401802 16
does one command, IIRC. And then DW 80000000 4
also does a command. The first command has no output, but just changes the internal state of the device.
I would type one command, press enter and then the other and press enter. That should work. If it doesn't, I don't know other than that perhaps you have a newer batch and it doesn't work anymore or something like that.
Thanks, I did try that - but still no output
I'm experimenting with my reflashed zigbee hub. My battery powered zigbee devices are being found accordingly but are mainly stored as unknown/unknown manufacturer with no sensors defined. Again, not all, but most of them. Re-discovering these does not improve this. Mains powered devices are not a problem.
Update: Switched to zigbee2mqtt and my issues are gone.
Hey, thanks for the heads up on that problem. I see a similar problem with my hub. I have found that if I put the battery powered devices fairly close by, but not right next to the router, that all is well and the pairing process works ok. I hadn't noticed that the mains powered devices worked better, but you are right - they can pair from a much bigger distance.
Hi there,
I'm trying to get this silvercrest hack working but I encounter some problems. Perhaps it's not that difficult but I cannot get it working properly. I've been trying for a few days without success.
The first part, extracting the Auskey and root password, works. I also receive the default IP address (192.168.1.6) of the device.
Then comes the problem with flashing the gateway. First, I'm already stuck in accessing the gateway with an SSH command. I tried doing this with the CMD or Windows PowerShell, but no response. Also IP PING does not work, and it also does not show as a device in my router. But then I noticed that it says this could only be done with a Linux shell. So I installed a virtual Debian 11 machine on my PC but get the same problem. I only seem to get a "ssh: connect to host 192.168.1.6 port 22: Connection timed out" message.
If anyone can help me point me in the right direction I would be thankful.
If you haven't already changed the ssh configuration on the gateway, then you'll have to force the port to connect to:
ssh -p 2333 [email protected]
Then to get back to the original ssh server on port 22:
echo "#!/bin/sh" >/tuya/ssh_monitor.sh
(backup the original file if you want to)
Hey everyone,
I bought the gateway today and want to start hacking it. I got the kek and other codes from my device. But when I enter them in the python script I get the following error code
'ascii' codec can't decode byte 0x8e in position 2: ordinal not in range(128)
Anyone could help me with this?
Hello, has anybody tried the new Lidl GW SGWZ 1 A2? Do you know how it differs from the old model? Thank you. P.
Hello, I think I had a similar problem which happened because I started the script under Python 2. Can you check that you are running the script under Python 3, not Python 2? If you are on a Linux machine you might need to execute python3 instead of python.
Just out of interest, but is there any hardware which is just as good that doesn't require hacking? The problem with a hacked solution is that the supply chain is somewhat uncertain.
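The 'ascii' codec error quoted a few posts up, together with the Python 2 versus Python 3 answer and the earlier "remove the spaces" tip, comes down to one thing: key material pasted from a serial console is bytes, not text. The following is an added example (my code, not the script the thread refers to) showing how to take a hex string with spaces, keep the result as bytes, and name the exact byte that would blow up an ASCII decode. The sample value is constructed and is not a key from any device.

```python
def parse_hex_key(text: str) -> bytes:
    """Turn a key copied from a serial console into bytes.

    Whitespace is stripped first (the "remove the spaces" tip). The result
    stays bytes: it is key material, so it must never be decoded as text.
    """
    cleaned = "".join(text.split())
    if len(cleaned) % 2:
        raise ValueError(f"odd-length hex string ({len(cleaned)} digits)")
    try:
        return bytes.fromhex(cleaned)
    except ValueError as exc:
        raise ValueError(f"not a hex string: {text!r}") from exc


def explain_ascii_decode_error(data: bytes) -> str:
    """Try the decode that produced the error in the thread and report
    which byte caused it: any byte >= 0x80 fails under the ascii codec."""
    try:
        data.decode("ascii")
    except UnicodeDecodeError as exc:
        bad = exc.object[exc.start]
        return f"byte 0x{bad:02x} at position {exc.start} is not ASCII"
    return "all bytes are ASCII"


if __name__ == "__main__":
    # Constructed sample: position 2 holds 0x8e, the byte from the post.
    sample = "41 42 8e 10 ff"
    key = parse_hex_key(sample)
    print(key.hex())                        # 41428e10ff
    print(explain_ascii_decode_error(key))  # byte 0x8e at position 2 is not ASCII
```

Under Python 2 the same decode raises the same message but from a plain str, which is why running the script with python3 (where bytes and str are distinct) is the first thing to check; the parser above only ever hands bytes onward, so no implicit ASCII decode can happen.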
I am very pleased with the hardware, otherwise.
Dear Paul, thanks for your work!
Would it be possible to flash a Tuya firmware on this gateway?
I am asking this because I would like to trace the datapoints of unsupported Tuya zigbee devices and I do not have a Tuya zigbee gateway.
Thank you!