Hacking the Silvercrest (Lidl/Tuya) Smart Home Gateway

Hi

I bought a Tuya Wired Smart Gateway on Aliexpress and am trying to use it with Home Assistant.
After countless tries I don’t know what else to do.
My board has NH-GWZ1 REV 1.0.1 written on it. I’m stuck on getting the root password because I struggle with the serial connection.
I use PuTTY on Win10 and Win11 and tried with two different FTDI adapters. When I connect the FTDI adapter to my PC I can see the COM port. Then I connect PuTTY to this COM port, without the 3.3V attached to the board. When I connect the 3.3V, PuTTY shows a popup with the message that the connection is lost.
When I start the PuTTY connection after I connect 3.3V, I’m always too late, and ESC doesn’t interrupt boot.

Can you give me a hint?

Thanks
philipp

You don’t need to connect the 3.3V at all. You should be able to power the gateway through the USB connector.

There are more details about this stage in this post and the ones nearby in the thread.

Leave the 3.3V open, or your FTDI adapter has to supply all the power for the NH-GWZ1.

This newer version (at least the casing) of the Lidl gateway is now a Black Friday offer for €12,50. Can this one also be hacked with the same method? Or should I see it as a different type? Has anyone tried?

Considering this instead of getting a Sonoff USB type.

Yes, these new Silvercrest / LIDL gateways can be hacked.
I bought 3 units and already hacked one successfully.

3 Likes

Good to know.
I already bought a Sonoff dongle now, but will keep it in mind for the future.
Are there downsides to using the lidl gateway as opposed to the Sonoff dongle? Like stability, range, delay, etc?
And does the fact that it uses the EZSP firmware still make it less compatible/experimental with Zigbee2MQTT as opposed to Z-Stack?

Hi Chris

Thanks a lot for your advice!
Surely this is the way to go. With power over USB, PuTTY doesn’t disconnect after plugging USB out and in. Nevertheless I wasn’t able to interrupt the boot process. I tried all keys: ‘ESC’, Ctrl+], Ctrl+[, Ctrl+4, Ctrl+5…
I always end up with the login screen.

I just started to build up a new instance of HA on a spare Pi and already added the following devices successfully:
TS011F smart Power Outlet
TS0505B RGB GU10 lamp (full control is tested ok)
TS0201 Temp Hygro sensor
TS004F Smart remote button
TS0203 Door switch (with magnet)
TS0501B LED dimmer 12V
TY0202 movement PIR sensor
It looks like LIDL devices as well as Tuya branded devices will work with this gateway.
I used the ZHA integration but also want to try the MQTT integration because it seems that it will support more devices than the ZHA implementation.
In the setup of the TCP socket I had to set 115200 instead of 57600, because 115200 was the message I read on the console when I booted the device.

Can you give some clues how to install MQTT on this hacked gateway?

I try to generate the root password using the py script lidl_auskey_decode but I’m still getting this error:

D:\>python3 lidl_auskey_decode.py
Enter KEK hex string line>5A5AA5A5        401A4000        8F7B238C        001AD582
Encoded aus-key as hex string line 1>EDBFC322        2A58E249        33203EEB        56F3E694
Encoded aus-key as hex string line 2>909F6F16        5FDF34C6        F4CA428E        FF718A59
Traceback (most recent call last):
  File "D:\lidl_auskey_decode.py", line 65, in <module>
    print("Auskey:", auskey.decode("ascii"))
UnicodeDecodeError: 'ascii' codec can't decode byte 0xd1 in position 0: ordinal not in range(128)

I get KEK and AUSkey from putty via this tutorial.
And python runs on the command line (Windows). I try to insert the codes with and without the prefix 80000000/80000010 but still get the same error.
Any idea what’s wrong?

I used the same values as you mentioned and I got exactly the same error.
Are you sure you extracted the right bytes from memory?
I don’t have any FF in my values, maybe there is something wrong with the values you retrieved.

My values

<RealTek>FLR 80000000 401802 16
Flash read from 00401802 to 80000000 with 00000016 bytes        ?
(Y)es , (N)o ? --> Y
Flash Read Successed!
<RealTek>DW 80000000 4
80000000:       3C5D7B2A        4E48517B        2B2A693A        5638334F
<RealTek>FLR 80000000 402002 32
Flash read from 00402002 to 80000000 with 00000032 bytes        ?
(Y)es , (N)o ? --> Y
Flash Read Successed!
<RealTek>DW 80000000 8
80000000:       F2EA7327        26E957E7        B53CAD4B        F03DD8F2
80000010:       BD3A952B        19B19F02        29B48380        3C7CFADF
<RealTek>

C:\Users\Ted\Documents\Zigbee\silvercrest_lidl>python lidl_auskey_decode.py
Enter KEK hex string line>3C5D7B2A        4E48517B        2B2A693A        5638334F
Encoded aus-key as hex string line 1>F2EA7327        26E957E7        B53CAD4B        F03DD8F2
Encoded aus-key as hex string line 2>BD3A952B        19B19F02        29B48380        3C7CFADF
Auskey: v6b0wTjeN3n4OIT2P0sAJ3EAe6ZLSaBg
Root password: e6ZLSaBg
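The reply above points at the real cause: the decode script only fails on `.decode("ascii")` because the bytes fed into it were not the right ones. A quick check of what was copied from the `DW` dump, before running the script, makes that visible. The example below is added here and is not part of the thread or of lidl_auskey_decode.py; it parses the console's `DW` output format, applies a heuristic (an assumption, not a documented property of the script: the working KEK posted above decodes as printable ASCII, the failing one does not), and reproduces the "last 8 characters of the auskey" relationship the output above shows.

```python
import re

# Added example: sanity-check values copied from the RealTek "DW" console
# dump before feeding them to lidl_auskey_decode.py. The line format is the
# one shown in the post above: "<addr>:  <word> <word> <word> <word>".
DW_LINE = re.compile(r"^([0-9A-Fa-f]{8}):\s+((?:[0-9A-Fa-f]{8}\s*)+)$")


def parse_dw_dump(text: str) -> bytes:
    """Turn one or more DW output lines into a byte string.

    Words are concatenated in address order, most significant byte first,
    which is how the console prints them (assumption: no byte swapping).
    Prompts, FLR echo lines and "(Y)es" lines are skipped.
    """
    rows = []
    for line in text.splitlines():
        m = DW_LINE.match(line.strip())
        if not m:
            continue
        addr = int(m.group(1), 16)
        words = m.group(2).split()
        rows.append((addr, b"".join(bytes.fromhex(w) for w in words)))
    rows.sort()
    return b"".join(chunk for _, chunk in rows)


def looks_like_text_key(raw: bytes) -> bool:
    """Heuristic (assumption): a 16-byte KEK made of printable ASCII.

    The working KEK in the reply above satisfies this; a KEK with bytes
    outside printable ASCII most likely came from the wrong flash offset.
    """
    return len(raw) == 16 and all(0x20 <= b < 0x7F for b in raw)


def root_password_from_auskey(auskey: str) -> str:
    """The output above shows the root password as the last 8 auskey characters."""
    if len(auskey) < 8:
        raise ValueError("auskey too short")
    return auskey[-8:]


# Constructed input: the dump lines from the reply above, pasted verbatim.
WORKING_KEK = "80000000:       3C5D7B2A        4E48517B        2B2A693A        5638334F"
WORKING_AUSKEY = """80000000:       F2EA7327        26E957E7        B53CAD4B        F03DD8F2
80000010:       BD3A952B        19B19F02        29B48380        3C7CFADF"""
# The KEK from the failing attempt, re-formatted as a DW line (constructed).
FAILING_KEK = "80000000:       5A5AA5A5        401A4000        8F7B238C        001AD582"

if __name__ == "__main__":
    for label, dump in (("working", WORKING_KEK), ("failing", FAILING_KEK)):
        kek = parse_dw_dump(dump)
        verdict = "plausible" if looks_like_text_key(kek) else "suspicious, re-read flash"
        print(f"{label}: {kek.hex()} -> {verdict}")
    print(len(parse_dw_dump(WORKING_AUSKEY)), "encrypted auskey bytes")
    print("root password:", root_password_from_auskey("v6b0wTjeN3n4OIT2P0sAJ3EAe6ZLSaBg"))
```

Paste the `DW` lines exactly as the console printed them; the parser ignores the `<RealTek>` prompt and the `FLR` confirmation lines, so the whole session excerpt can go in. A "suspicious" verdict on the KEK is the signal to recheck the `FLR` offsets rather than to keep retrying the decode script.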

Hello,

I have a problem moving serialgateway.bin from my Xubuntu laptop onto the device:

cat serialgateway.bin | ssh -p2333 root@192.168.101.144 "cat >/tuya/serialgateway"

Unable to negotiate with 192.168.101.144 port 2333: no matching host key type found. Their offer: ssh-rsa,ssh-dss

With PuTTY I can ssh to the gateway and login with root…

Solved myself:
cat serialgateway.bin | ssh -oHostKeyAlgorithms=+ssh-rsa -p2333 root@[gateway IP address] "cat >/tuya/serialgateway"

Regards Mario
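The "no matching host key type found" message appears because OpenSSH 8.8 and later refuse ssh-rsa host key signatures by default, and ssh-rsa and ssh-dss are the only types the gateway offers. Mario's `-oHostKeyAlgorithms=+ssh-rsa` re-enables it for one command; the stanza below does the same from `~/.ssh/config`, scoped to this single host rather than globally, and records the gateway's host key on first use so that a later mismatch is refused. This is an added example, not part of the post; the alias `tuya-gw` is an assumption and the address is the one from Mario's error message.

```ssh_config
# ~/.ssh/config (added example; the alias and address are assumptions)
Host tuya-gw
    HostName 192.168.101.144
    Port 2333
    User root
    # Re-enable the legacy host key type for this host only.
    HostKeyAlgorithms +ssh-rsa
    # Store the key on first connect, refuse any later change.
    StrictHostKeyChecking accept-new
```

With the stanza in place the copy becomes `cat serialgateway.bin | ssh tuya-gw "cat >/tuya/serialgateway"`, and every other host keeps the client's default, stricter algorithm list.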

Is it possible to hack these new models - I have 2 - as routers for my Zigbee mesh to get better connection values? Thanks in advance.

Yes, already mentioned 8 days ago.
See:
my earlier post

1 Like

I might be doing wrong or missing a vital step as I don’t seem to be able to get into the boot loader of my 2nd gen SilverCrest GW. When I power on the device with my thumb already on the ESC key I only get the following:

Booting...

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@
@ chip__no chip__id mfr___id dev___id cap___id size_sft dev_size chipSize
@ 0000000h 0c84018h 00000c8h 0000040h 0000018h 0000000h 0000018h 1000000h
@ blk_size blk__cnt sec_size sec__cnt pageSize page_cnt chip_clk chipName
@ 0010000h 0000100h 0001000h 0001000h 0000100h 0000010h 000004eh GD25Q128
@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
DDR1:32MB

---RealTek(RTL8196E)at 2021.07.29-21:33+0800 v3.4T-pre2 [16bit](380MHz)
P0phymode=01, embedded phy
check_image_header  return_addr:05010000 bank_offset:00000000
no sys signature at 00010000!
P0phymode=01, embedded phy

---Ethernet init Okay!
tuya:start receive production test frame ...
Jump to image start=0x80c00000...
decompressing kernel:
Uncompressing Linux... done, booting the kernel.
done decompressing kernel.
start address: 0x80003780
Linux version 3.10.90 (zhangpc@embed) (gcc version 4.6.4 (Realtek RSDK-4.6.4 Build 2080) ) #1 Thu Jul 29 21:36:28 CST 2021
CPU revision is: 0000cd01
Determined physical RAM map:
 memory: 02000000 @ 00000000 (usable)
Zone ranges:
  Normal   [mem 0x00000000-0x01ffffff]
Movable zone start for each node
Early memory node ranges
  node   0: [mem 0x00000000-0x01ffffff]
icache: 16kB/16B, dcache: 8kB/16B, scache: 0kB/0B
Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 8128
Kernel command line:  console=ttyS0,38400 root=/dev/mtdblock2
PID hash table entries: 128 (order: -3, 512 bytes)
Dentry cache hash table entries: 4096 (order: 2, 16384 bytes)
Inode-cache hash table entries: 2048 (order: 1, 8192 bytes)
Memory: 27344k/32768k available (2763k kernel code, 5424k reserved, 562k data, 192k init, 0k highmem)
SLUB: HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
NR_IRQS:128
console [ttyS0] enabled
Calibrating delay loop... 378.47 BogoMIPS (lpj=1892352)
pid_max: default: 4096 minimum: 301
Mount-cache hash table entries: 512
reg e0=0
reg e1=0
reg e2=0
reg e3=0
reg e4=0
reg e5=0
reg e6=0
reg e7=0
reg f0=0
reg f1=0
reg f2=0
reg f3=0
reg f4=0
reg f5=0
reg f6=0
NET: Registered protocol family 16
bio: create slab <bio-0> at 0
NET: Registered protocol family 2
TCP established hash table entries: 512 (order: 0, 4096 bytes)
TCP bind hash table entries: 512 (order: -1, 2048 bytes)
TCP: Hash tables configured (established 512 bind 512)
TCP: reno registered
UDP hash table entries: 256 (order: 0, 4096 bytes)
UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
NET: Registered protocol family 1
squashfs: version 4.0 (2009/01/31) Phillip Lougher
jffs2: version 2.2. (NAND) © 2001-2006 Red Hat, Inc.
msgmni has been set to 53
Block layer SCSI generic (bsg) driver version 0.4 loaded (major 254)
io scheduler noop registered
io scheduler deadline registered
io scheduler cfq registered (default)
Serial: 8250/16550 driver, 2 ports, IRQ sharing disabled
serial8250: ttyS0 at MMIO 0x18002000 (irq = 9) is a 16550A
serial8250: ttyS1 at MMIO 0x18002100 (irq = 13) is a 16550A
Realtek GPIO Driver for Flash Reload Default
tuya_gpio_init ok, scan expire time:50
SPI INIT
 ------------------------- Force into Single IO Mode ------------------------
|No chipID  Sft chipSize blkSize secSize pageSize sdCk opCk      chipName    |
| 0 c84018h  0h 1000000h  10000h  10000h     100h   84    0          GD25Q128|
 ----------------------------------------------------------------------------
SPI flash(GD25Q128) was found at CS0, size 0x1000000
boot+cfg offset=0x0 size=0x20000 erasesize=0x10000
linux offset=0x20000 size=0x1e0000 erasesize=0x10000
rootfs offset=0x200000 size=0x200000 erasesize=0x10000
tuya-label offset=0x400000 size=0x20000 erasesize=0x10000
jffs2-fs offset=0x420000 size=0xbe0000 erasesize=0x10000
5 rtkxxpart partitions found on MTD device flash_bank_1
Creating 5 MTD partitions on "flash_bank_1":
0x000000000000-0x000000020000 : "boot+cfg"
0x000000020000-0x000000200000 : "linux"
0x000000200000-0x000000400000 : "rootfs"
0x000000400000-0x000000420000 : "tuya-label"
0x000000420000-0x000001000000 : "jffs2-fs"
PPP generic driver version 2.4.2
nf_conntrack version 0.5.0 (427 buckets, 1708 max)
ip_tables: (C) 2000-2006 Netfilter Core Team
TCP: cubic registered
NET: Registered protocol family 10
sit: IPv6 over IPv4 tunneling driver
NET: Registered protocol family 17
l2tp_core: L2TP core driver, V2.0
8021q: 802.1Q VLAN Support v1.8
Realtek FastPath:v1.03

Probing RTL819X NIC-kenel stack size order[1]...
eth0 added. vid=9 Member port 0x10f...
eth1 added. vid=8 Member port 0x10...
[peth0] added, mapping to [eth1]...
VFS: Mounted root (squashfs filesystem) readonly on device 31:2.
Freeing unused kernel memory: 192K (80340000 - 80370000)
init started: BusyBox v1.13.4 (2021-07-29 21:31:51 CST)
Set power startcmd read


b8000038: 2794A104  0000000F    00000042  00000018    '▒▒        B
cmd write
Write memory 0xb8000038 dat 0x1794a104: 0x1794a104
Set power end
udhcpc (v1.13.4) started
Sending discover...

Please press Enter to activate this console. Tuya Gateway Application Normal Srart /tuya/tuya_start.sh UserAppRunDir:
set defult run_dir:/tuya
TY_ENV_APP_RUN_DIR=/tuya
get user cfg file error, load defult cfg file
load platform configure file:/tuya/def.cfg
start.conf is exist
udhcpc (v1.13.4) started
Normal mode.
current run dir:/tuya/tuya_user1
tuya_start_children.sh:UserAppRunDir:/tuya JsonFile Path:/tuya/def.cfg [engineer_mode: ]
grep: /var/resolv.conf: No such file or directory
Sending discover...
killall: app_detect.sh: no process killed
killall: tyZ3Gw: no process killed
killall: log_detect.sh: no process killed
killall: process_monitor.sh: no process killed
killall: tyZ3Gw: no process killed
Sending discover...
cat: can't open '/tuya/eng_mode': No such file or directory
no eng file
Sending discover...
nameserver 114.114.114.114
Sending discover...
Sending discover...
Sending discover...
nameserver 114.114.114.114
Sending discover...
Sending discover...
Sending discover...
nameserver 114.114.114.114
Sending discover...
Sending discover...
Sending discover...
killall: udhcpc: no process killed
route: SIOCADDRT: File exists
killall: process_monitor.sh: no process killed
killall: tyZ3Gw: no process killed
cat: can't open '/tuya/eng_mode': No such file or directory
nlRecvFromAppSock sg_netlinkKeyPid:417
nlRecvFromAppSock port link sg_netlinkPid:417
Jan  1 00:02:08 mDNSResponder: mDNSResponder (Engineering Build) (Jul 27 2021 20:15:30) starting
Jan  1 00:02:08 mDNSResponder: mDNS_AddDNSServer: Lock not held! mDNS_busy (0) mDNS_reentrancy (0)
Jan  1 00:02:08 mDNSResponder: mDNS_AddDNSServer: Lock not held! mDNS_busy (0) mDNS_reentrancy (0)
Jan  1 00:02:08 mDNSResponder: WARNING: mdnsd continuing as root because user "nobody" does not exist
1970-01-01'T'00:02:09'Z'        Default [com.apple.mfi.HomeKit.Core:AccessoryServer] Version information:
        - ADK Version: 5.1 (dfeceb3a) - compatibility version 8
        - Extensions:
                - HAP over Thread
                - Dynamic memory allocation
        - Platform: Tuya IoTOS
                - Compiler:
                - Version: 2.2.8 (2021_07_29 20_22_42)
                - Available features:
                        - Key-Value store
                        - Accessory setup manager
                        - TCP stream manager
                        - Service discovery
                        - Software Token provider
                        - Wi-Fi Reconfiguration Control
1970-01-01'T'00:02:10'Z'        Default [com.apple.mfi.HomeKit.Core:AccessoryValidation] [0000000000000001 Gateway] An accessory should advertise one of its services as its primary service.
1970-01-01'T'00:02:10'Z'        Error   [com.apple.mfi.HomeKit.Platform:TCPStreamManager] Could not configure TCP User Timeout socket option.

Any pointers to what I might need to additionally do or doing wrong?

Do I need to first install and activate it or can it be hacked straight from the box?
I have not plugged in an Ethernet cable and only connected my CH340 USB serial adapter (at 3.3V) to J1 (RX, TX and GND), using PuTTY and connecting with 38400bps/8/N/1, parity off, flow control none as suggested in the original write up.
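The boot log posted above contains two things worth reading off before touching the device further: the kernel command line confirms the console runs at 38400 (`console=ttyS0,38400`), and the MTD lines give the full flash layout of the GD25Q128. The example below is added here and is not part of the thread: it extracts both from a captured log, checks that the partition table is contiguous and fills the flash, and answers which partition a flash address falls in (the `FLR` offsets 0x401802 and 0x402002 used in the earlier reply land in the partition the log names `tuya-label`). The sample log is a constructed excerpt of the lines posted above.

```python
import re

# Added example: pull the flash layout and console settings out of a captured
# RealTek/Tuya boot log and check the partition table is self-consistent
# before relying on any flash offsets.
PART_RE = re.compile(
    r"^(\S+) offset=0x([0-9a-f]+) size=0x([0-9a-f]+) erasesize=0x([0-9a-f]+)$"
)
FLASH_RE = re.compile(r"SPI flash\((\S+)\) was found at CS\d+, size 0x([0-9a-f]+)")
CONSOLE_RE = re.compile(r"console=(ttyS\d+),(\d+)")


def parse_boot_log(text: str) -> dict:
    """Return chip name, flash size, console device/baud and partition list."""
    info = {"chip": None, "flash_size": None, "console": None, "baud": None,
            "partitions": []}
    for line in text.splitlines():
        line = line.strip()
        if m := FLASH_RE.search(line):
            info["chip"], info["flash_size"] = m.group(1), int(m.group(2), 16)
        elif m := CONSOLE_RE.search(line):
            info["console"], info["baud"] = m.group(1), int(m.group(2))
        elif m := PART_RE.match(line):
            name, off, size, erase = m.groups()
            info["partitions"].append({"name": name, "offset": int(off, 16),
                                       "size": int(size, 16),
                                       "erasesize": int(erase, 16)})
    return info


def check_layout(info: dict) -> list:
    """Return human-readable problems; an empty list means the table is consistent."""
    problems = []
    parts = sorted(info["partitions"], key=lambda p: p["offset"])
    expected = 0
    for p in parts:
        if p["offset"] != expected:
            problems.append(f"{p['name']}: expected start 0x{expected:x}, "
                            f"found 0x{p['offset']:x} (gap or overlap)")
        if p["size"] % p["erasesize"]:
            problems.append(f"{p['name']}: size is not a multiple of the erase size")
        expected = p["offset"] + p["size"]
    if info["flash_size"] is not None and expected != info["flash_size"]:
        problems.append(f"partitions end at 0x{expected:x}, "
                        f"flash is 0x{info['flash_size']:x}")
    return problems


def partition_for(info: dict, addr: int):
    """Name of the partition containing a flash address, or None."""
    for p in info["partitions"]:
        if p["offset"] <= addr < p["offset"] + p["size"]:
            return p["name"]
    return None


# Constructed input: the relevant lines copied from the boot log above.
SAMPLE_LOG = """Kernel command line:  console=ttyS0,38400 root=/dev/mtdblock2
SPI flash(GD25Q128) was found at CS0, size 0x1000000
boot+cfg offset=0x0 size=0x20000 erasesize=0x10000
linux offset=0x20000 size=0x1e0000 erasesize=0x10000
rootfs offset=0x200000 size=0x200000 erasesize=0x10000
tuya-label offset=0x400000 size=0x20000 erasesize=0x10000
jffs2-fs offset=0x420000 size=0xbe0000 erasesize=0x10000
5 rtkxxpart partitions found on MTD device flash_bank_1
"""

if __name__ == "__main__":
    info = parse_boot_log(SAMPLE_LOG)
    print(info["chip"], hex(info["flash_size"]), info["console"], info["baud"])
    for p in info["partitions"]:
        print(f"  {p['name']:<11} 0x{p['offset']:08x} +0x{p['size']:x}")
    print("problems:", check_layout(info) or "none")
    print("0x401802 is in", partition_for(info, 0x401802))
```

Save the PuTTY session to a file and pass its contents to `parse_boot_log`; a non-empty `check_layout` result means the log was truncated or a partition line was mis-copied, and the offsets should not be trusted until the capture is repeated.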

No response to ESC at boot: press enter, if you don’t get a login prompt, your cable has an issue.
My experience was similar with bad cabling: my typing was received wrong 90% of the time before I found that I had rx/tx swapped and mirrored J1.

Did you manage to find a solution for this - seems like I’m stuck with exactly the same issue :frowning:

Keypresses are working as pressing enter gives me a tuya-linux login: prompt, but can’t seem to escape the boot process…

Today I retried. I did not do anything special, but it might have been bad soldering or bad connection indeed. I was able to finally follow the procedures with a simple ESC at the start of the boot sequence of the device.

First connect the USB to TTL adapter to the gateway (only GND, RX, TX) and make sure your TTL adapter is set to 3.3V. (Note: connect TX with RX and RX with TX.)
Check the right COM port on your PC and set up the PuTTY serial line with, for example, COM6 and speed 38400.
You can check in Device Manager (Windows) which COM port is used by the TTL adapter.
Connect the gateway to a router which has no Internet connection; this will stop the discover process of the gateway after booting.
Power up the gateway and watch it booting in your PuTTY session.
Press only the ESC key; booting should be interrupted and you should see the prompt.

Don’t press any other keys, because you might end up at the login prompt.
First you have to extract the root password from memory according to the procedure.
Once you have the root password you can log in as root on the console (PuTTY serial session) after a reboot by power cycle.
After successful login, disable the intrusion timeout by setting up SSH over port 22.
Then you can continue with the procedure.
I already hacked 2 devices without any issues and have 2 spare original gateways in stock.

1 Like

Damn - I was hoping it would be something else, I will try to reflow the solder joints - seems odd that all of my other keypresses seem to register, I can press enter and get the login prompt etc.

Just seems like the ESC key doesn’t interrupt the boot process :frowning: