Hacking the Silvercrest (Lidl/Tuya) Smart Home Gateway

I’d suggest you just forget about using Windows and boot from a Linux LiveCD (or just buy a $100 laptop for your hacking projects) and follow the most commonly used instructions.

If you can see characters appearing and you see the system responding to your input, I’d think that your soldering was done correctly.


Same here.
Thank you Paul

Hi there,
I’m using this hack with ZHA and my devices always offer 100% battery.
Probably in new devices this information is correct, but not in devices running from a year ago.
Is it possible to fix this problem?
BR

This probably depends on the device (or your configuration is broken). I have seen devices reporting other values than 100%.


I connected GND, Rx, Tx and plugged to USB also and get nothing pretty.

No matter the baud rate I set, I cannot get human-readable information.

I’m using PuTTY, also CuteCom and Comm Operator.

On Windows it looks like this…
I have redone all the soldering, still no luck.

Can someone share the adapter they used?

I need some help here…

I got the serial working.
I got the password.

I can log in via root via serial.

But I can’t access the device via port 2333.
The port is not open. Anything I missed to enable the SSH?

This is the Moes version of the gateway. It looks exactly the same.

OK, it is using default port 22.

Now I am stuck: Z2M does not work while ZHA works.

How to check firmware version?

Mine stopped working after the last 3 updates. ZHA does not see it anymore, and, well, it is not an HA thing, for it is no longer approachable via its network address either. Strange, as if there was an update of the firmware being pushed onto it.

Hi, did you manage to stop the boot process and access the password?
I’m in the same situation, except that I’m using Unix (Ubuntu) and minicom.
I know that my connection is working as I can attempt to enter username/password.
I also tried through PuTTY but with no success.

Is it possible that new versions are locked?

Any suggestions?

Hello all,
I read through the very long thread to find an answer to my problem.
After following Paul’s documentation on how to hack the Lidl gateway, I am stuck at the bootloader screen.
The device starts, tries to get a rootfs at the different addresses (but does not find one) and ends up at the prompt:

Booting...

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@
@ chip__no chip__id mfr___id dev___id cap___id size_sft dev_size chipSize
@ 0000000h 0c84018h 00000c8h 0000040h 0000018h 0000000h 0000018h 1000000h
@ blk_size blk__cnt sec_size sec__cnt pageSize page_cnt chip_clk chipName
@ 0010000h 0000100h 0001000h 0001000h 0000100h 0000010h 000004eh GD25Q128
@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
DDR1:32MB

---RealTek(RTL8196E)at 2020.04.28-13:58+0800 v3.4T-pre2 [16bit](400MHz)
P0phymode=01, embedded phy
check_image_header  return_addr:05010000 bank_offset:00000000
no sys signature at 00010000!
no rootfs signature at 00200000!
no rootfs signature at 00210000!
. . . 
no rootfs signature at 003FF000!
no rootfs signature at 00400000!
P0phymode=01, embedded phy

---Ethernet init Okay!
tuya:start receive production test frame ...
P0phymode=01, embedded phy

---Ethernet init Okay!
<RealTek>

The gateway does not obtain an IP address in any way (from DHCP), so I have no chance to use TFTP in any way :frowning:

Is there any solution (I did not yet find one) to regain access and redo the firmware upload? I already built the “new” rootfs.bin file according to Paul’s docu…

Any help would be appreciated and many thanks for this project :wink: !!

@tyjtyj

Hi Justin, did you solve the problem?

I have the same problem.
ZHA is working.
If I remove ZHA and start Z2M in HA, it gives me an error:

Zigbee2MQTT:error 2022-10-21 18:25:11: Exiting...
Zigbee2MQTT:error 2022-10-21 18:25:11: Error: Error while opening socket
    at Socket.<anonymous> (/app/node_modules/zigbee-herdsman/src/adapter/ezsp/driver/uart.ts:146:24)
    at Socket.emit (node:events:539:35)
    at emitErrorNT (node:internal/streams/destroy:157:8)
    at emitErrorCloseNT (node:internal/streams/destroy:122:3)
    at processTicksAndRejections (node:internal/process/task_queues:83:21)

My serial configuration is:

serial:
  port: tcp://192.168.xxx.xxx:8888
  adapter: ezsp

You need to upgrade your ezsp firmware to one supported by zigbee2mqtt, 6.7.8 something.

Nobody had the same issue before?

I have the same problem. I even tried port scanning and unfortunately only 22 (telnet) is open.
When I dump the tuya directory, everything seems to be ok:
Oct 28 2022 serialgateway
Oct 28 2022 serialgateway"
Oct 28 2022 ssh_monitor.original.sh
Oct 28 2022 ssh_monitor.sh
Oct 28 2022 start_record_file
Oct 28 2022 tuya_start.original.sh

(only the changed files)

THX, great work. I wouldn’t have discovered this problem on my own with Windows because I also used PowerShell.

Hi,

Has anyone tried (and hopefully succeeded) with “DMD2CC” (Zigbee Wired Gateway | LAN Zigbee Gateway | Tuya Expo) device? It looks almost exactly the same as the Lidl one and has the same Realtek chip. Here is how the board looks:

I am able to connect to the UART and serial communication works bidirectionally, but the “ESC” key method does not work (tried on Windows with PuTTY and on Linux with minicom) and Linux boots up.

Boot log:

Booting...

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@
@ chip__no chip__id mfr___id dev___id cap___id size_sft dev_size chipSize
@ 0000000h 0c84018h 00000c8h 0000040h 0000018h 0000000h 0000018h 1000000h
@ blk_size blk__cnt sec_size sec__cnt pageSize page_cnt chip_clk chipName
@ 0010000h 0000100h 0001000h 0001000h 0000100h 0000010h 000004eh GD25Q128
@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
DDR1:32MB

---RealTek(RTL8196E)at 2022.03.29-15:59+0800 v3.4T-pre2 [16bit](400MHz)
P0phymode=01, embedded phy
check_image_header  return_addr:05010000 bank_offset:00000000
no sys signature at 00010000!
get uboot flag failed
Jump to image start=0x80c00000...
decompressing kernel:
Uncompressing Linux... done, booting the kernel.
done decompressing kernel.
start address: 0x80003780
Linux version 3.10.90 (wsj@LAPTOP-MO8FQJRA) (gcc version 4.6.4 (Realtek RSDK-4.6.4 Build 2080) ) #8 Tue Mar 29 16:04:50 CST 2022
CPU revision is: 0000cd01
Determined physical RAM map:
 memory: 02000000 @ 00000000 (usable)
Zone ranges:
  Normal   [mem 0x00000000-0x01ffffff]
Movable zone start for each node
Early memory node ranges
  node   0: [mem 0x00000000-0x01ffffff]
icache: 16kB/16B, dcache: 8kB/16B, scache: 0kB/0B
Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 8128
Kernel command line:  console=ttyS0,38400 root=/dev/mtdblock2
PID hash table entries: 128 (order: -3, 512 bytes)
Dentry cache hash table entries: 4096 (order: 2, 16384 bytes)
Inode-cache hash table entries: 2048 (order: 1, 8192 bytes)
Memory: 27344k/32768k available (2763k kernel code, 5424k reserved, 562k data, 192k init, 0k highmem)
SLUB: HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
NR_IRQS:128
console [ttyS0] enabled
Calibrating delay loop... 398.13 BogoMIPS (lpj=1990656)
pid_max: default: 4096 minimum: 301
Mount-cache hash table entries: 512
reg e0=0
reg e1=0
reg e2=0
reg e3=0
reg e4=0
reg e5=0
reg e6=0
reg e7=0
reg f0=0
reg f1=0
reg f2=0
reg f3=0
reg f4=0
reg f5=0
reg f6=0
NET: Registered protocol family 16
bio: create slab <bio-0> at 0
NET: Registered protocol family 2
TCP established hash table entries: 512 (order: 0, 4096 bytes)
TCP bind hash table entries: 512 (order: -1, 2048 bytes)
TCP: Hash tables configured (established 512 bind 512)
TCP: reno registered
UDP hash table entries: 256 (order: 0, 4096 bytes)
UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
NET: Registered protocol family 1
squashfs: version 4.0 (2009/01/31) Phillip Lougher
jffs2: version 2.2. (NAND) © 2001-2006 Red Hat, Inc.
msgmni has been set to 53
Block layer SCSI generic (bsg) driver version 0.4 loaded (major 254)
io scheduler noop registered
io scheduler deadline registered
io scheduler cfq registered (default)
Serial: 8250/16550 driver, 2 ports, IRQ sharing disabled
serial8250: ttyS0 at MMIO 0x18002000 (irq = 9) is a 16550A
serial8250: ttyS1 at MMIO 0x18002100 (irq = 13) is a 16550A
Realtek GPIO Driver for Flash Reload Default
tuya_gpio_init ok, scan expire time:50
SPI INIT
 ------------------------- Force into Single IO Mode ------------------------
|No chipID  Sft chipSize blkSize secSize pageSize sdCk opCk      chipName    |
| 0 c84018h  0h 1000000h  10000h  10000h     100h   84    0          GD25Q128|
 ----------------------------------------------------------------------------
SPI flash(GD25Q128) was found at CS0, size 0x1000000
boot+cfg offset=0x0 size=0x20000 erasesize=0x10000
linux offset=0x20000 size=0x1e0000 erasesize=0x10000
rootfs offset=0x200000 size=0x200000 erasesize=0x10000
tuya-label offset=0x400000 size=0x20000 erasesize=0x10000
jffs2-fs offset=0x420000 size=0xbe0000 erasesize=0x10000
5 rtkxxpart partitions found on MTD device flash_bank_1
Creating 5 MTD partitions on "flash_bank_1":
0x000000000000-0x000000020000 : "boot+cfg"
0x000000020000-0x000000200000 : "linux"
0x000000200000-0x000000400000 : "rootfs"
0x000000400000-0x000000420000 : "tuya-label"
0x000000420000-0x000001000000 : "jffs2-fs"
PPP generic driver version 2.4.2
nf_conntrack version 0.5.0 (427 buckets, 1708 max)
ip_tables: (C) 2000-2006 Netfilter Core Team
TCP: cubic registered
NET: Registered protocol family 10
sit: IPv6 over IPv4 tunneling driver
NET: Registered protocol family 17
l2tp_core: L2TP core driver, V2.0
8021q: 802.1Q VLAN Support v1.8
Realtek FastPath:v1.03

Probing RTL819X NIC-kenel stack size order[1]...
eth0 added. vid=9 Member port 0x10f...
eth1 added. vid=8 Member port 0x10...
[peth0] added, mapping to [eth1]...
VFS: Mounted root (squashfs filesystem) readonly on device 31:2.
Freeing unused kernel memory: 192K (80340000 - 80370000)
init started: BusyBox v1.13.4 (2022-03-29 15:58:30 CST)
Set power startcmd read


b8000038: 2794A104  0000000F    00000042  00000018    '▒▒        B
cmd write
Write memory 0xb8000038 dat 0x1794a104: 0x1794a104
Set power end
killall: dropbear: no process killed
udhcpc (v1.13.4) started
Sending discover...

Please press Enter to activate this console. Tuya Gateway Application Normal Srart /tuya/tuya_start.sh UserAppRunDir:
set defult run_dir:/tuya
TY_ENV_APP_RUN_DIR=/tuya
get user cfg file error, load defult cfg file
load platform configure file:/tuya/def.cfg
start.conf is exist
udhcpc (v1.13.4) started
current run dir:/tuya/tuya_user2
tuya_start_children.sh:UserAppRunDir:/tuya JsonFile Path:/tuya/def.cfg [engineer_mode: ]
grep: /var/resolv.conf: No such file or directory
Sending discover...
killall: app_detect.sh: no process killed
killall: tyZ3Gw: no process killed
killall: log_detect.sh: no process killed
killall: process_monitor.sh: no process killed
killall: tyZ3Gw: no process killed
Sending discover...
1
Sending discover...
nlRecvFromAppSock sg_netlinkKeyPid:243
nlRecvFromAppSock port link sg_netlinkPid:243
nameserver 8.8.8.8
nameserver 114.114.114.114

UPDATE: I got a “proper” Lidl gateway and the whole process went seamlessly. So it seems that the “DMD2CC” variant is somehow secured against interrupting the boot process (at least by ESC key).

Back view:

Hi there,
I’ve bought a TYGWZ1 and created a backup dump (at least I tried). Somehow it seems that something went wrong and I bricked my gateway, because the boot process always stops after the line “start address: 0x80003780”. I assume (I may be wrong) that the flash content is corrupted for the flash jffs2 partition “0x420000 to 0x1000000”. Can anybody post a working flash content of this area?

Regards @all

Using zigbee2mqtt 1.28.x, the gateway isn’t stable. Using zigbee2mqtt 1.25.2 it is. Has anyone else the same issue with an explanation as to why that is the case?