Hacking the Silvercrest (Lidl/Tuya) Smart Home Gateway

Currently I have hacked / rooted the gateway…

It's running on port 8888, how do I connect this to ZHA?

If I pick a random option and fill in my IP it does not find anything:

Any ideas?

Thank you for sharing your workflow damTed, what's your recommendation for the best "USB to TTL" PCB for now and the near future? This 'hack' will be my first project of its kind, so please bear with me. Thanks in advance.

/m4v3r1ck

Take a look at the bottom of this page, screenshots might be different but I did it yesterday on latest HA and it seems to work:

Just remembered I did one other thing and that is a full update to latest SW with the Lidl Home app, perhaps that is what you need too.

Unfortunately doesn’t appear to work either - I’ve now tried another USB to TTL adaptor, resoldered all of the pins, tried new cables and still can’t get it to abort the boot process :frowning:

Added it to the LIDL App and tried with the Smart Life app too - both show no updates available. For anyone else who is having similar issues, the LIDL app reports:

Wi-Fi Module - 1.18.2
ZigBee Module - 1.0.13

I assume I've somehow got a version with firmware that blocks the technique that's talked about in the tutorials. I've ordered another one in the hope that maybe I can get it to work…

If you use PuTTY, then you need to start a new session up really fast after powering up the device or you will be too late.
It can be really tricky to do this and you cannot make PuTTY stay open during boots, because it will shut down when the port gets inactive on the device end.
A Linux live USB stick will give you access to a Linux version of the serial terminal that stays open and this makes it so much easier.

When I did the reprogramming I did it with PuTTY and a NodeMCU as terminal device.

I used PuTTY, but if you have a serial connection open with your USB converter this was not necessary for me since the serial connection stayed open.

I did not use the reset button (that seems to be for erasing settings AFAICT) but plugged in the USB cable every time.

Sadly even with an installation of Linux Mint and Minicom - I’ve still been unable to interrupt the boot sequence.

So far I've tried multiple operating systems and 2 x USB > TTL converters and I still can't get this one to do anything other than boot and give me the tuya-login: prompt.

For me it worked to use a flat screwdriver to hold down the Esc button and then plug in the power cable to stop boot mode :laughing: I tried several times to plug in the power cable and then push down Esc, but that wasn't fast enough to stop it booting up :thinking:

Does anybody have a hint for me? I can't retrieve the root password. If I follow the guide I have to run the following commands:

FLR 80000000 401802 16
DW 80000000 4

But from the terminal I receive the warning that it isn't available. The device is in the correct mode after hitting ESC when booting.

Read what the monitor says.

Thanks worked perfectly!

You have to type (Y) when it's asking for Yes / No.

Look for the TTL to USB converter based on the CH340 chipset:


If you do the Zigbee ZHA integration in Home Assistant, just follow the procedure and use socket://ipadresgateway:8088 and baudrate: 115200 and use the right radio.
Also make sure the serialgateway file is executable via chmod 755 serialgateway in the /tuya directory.
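A pre-flight check for the setup described in this thread, added here as an example and not code from the thread or from the gateway firmware: it verifies that the serialgateway bridge is listening on 8088 before ZHA is pointed at it, and reads the SSH identification line (standard "SSH-proto-software" banner) on 2333 and 22 so you can confirm dropbear without attempting a login, which keeps you clear of the login penalty timer mentioned later in the thread. GATEWAY_HOST is a placeholder.

```python
"""Post-root sanity checks for the Lidl/Silvercrest gateway (added example)."""
import re
import socket

GATEWAY_HOST = "192.0.2.10"   # placeholder: replace with your gateway's IP
SERIAL_BRIDGE_PORT = 8088     # serialgateway port used by ZHA (socket://host:8088)
SSH_PORTS = (2333, 22)        # stock dropbear port and the recommended replacement

# Every SSH server sends "SSH-<proto>-<software>" first (RFC 4253); no login needed.
BANNER_RE = re.compile(r"^SSH-(?P<proto>[0-9.]+)-(?P<software>\S+)")

def parse_ssh_banner(raw: bytes):
    """Return (protocol, software) from an SSH identification line, else None."""
    m = BANNER_RE.match(raw.decode("ascii", "replace").strip())
    return (m.group("proto"), m.group("software")) if m else None

def probe(host: str, port: int, timeout: float = 2.0) -> dict:
    """Connect once, read up to 128 bytes, and report what the port looks like."""
    result = {"port": port, "open": False, "banner": None, "ssh": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            result["open"] = True
            s.settimeout(timeout)
            try:
                result["banner"] = s.recv(128)
            except socket.timeout:
                pass  # assumption: serialgateway sends nothing until the radio talks
    except OSError:
        return result  # refused / unreachable / no route
    if result["banner"]:
        result["ssh"] = parse_ssh_banner(result["banner"])
    return result

def check_gateway(host: str = GATEWAY_HOST) -> dict:
    """Probe the ZHA bridge port and both SSH ports; warn if dropbear still sits on 2333."""
    report = {p: probe(host, p) for p in (SERIAL_BRIDGE_PORT, *SSH_PORTS)}
    report["warnings"] = []
    if not report[SERIAL_BRIDGE_PORT]["open"]:
        report["warnings"].append("serialgateway not listening on 8088 (chmod 755 and started?)")
    ssh_2333 = report[2333]["ssh"]
    if ssh_2333 and "dropbear" in ssh_2333[1]:
        report["warnings"].append("dropbear still exposed on 2333; move it to port 22")
    return report

if __name__ == "__main__":
    for key, value in check_gateway().items():
        print(key, value)
```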

Does anybody have a clue for me? I've finally retrieved the KEK and AUSKEY. The next step was to boot it with the NIC connected, but my DHCP server wasn't giving any IP lease to the MAC address.

Then I've connected the USB TTL again and I see that the gateway won't boot to the OS anymore without pressing the ESC key.

Booting...

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@
@ chip__no chip__id mfr___id dev___id cap___id size_sft dev_size chipSize
@ 0000000h 0c84018h 00000c8h 0000040h 0000018h 0000000h 0000018h 1000000h
@ blk_size blk__cnt sec_size sec__cnt pageSize page_cnt chip_clk chipName
@ 0010000h 0000100h 0001000h 0001000h 0000100h 0000010h 000004eh GD25Q128
@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
DDR1:32MB

---RealTek(RTL8196E)at 2021.07.29-21:33+0800 v3.4T-pre2 [16bit](400MHz)
P0phymode=01, embedded phy
check_image_header  return_addr:05010000 bank_offset:00000000
no sys signature at 00010000!

---Escape booting by user
P0phymode=01, embedded phy

---Ethernet init Okay!
<RealTek>

You might have made an error when flashing the firmware. A mistyped address can have huge effects here.

I didn't flash the firmware yet, only the steps for retrieving both security keys.

Why do I see this message? It seems you pressed escape during boot!
You don't need to connect the console to login as root.
Let the gateway boot and see on which IP address you can connect with an SSH session on port 2333.
Please take care not to make any mistakes with login, because there is a penalty timer increasing every time you make a login error.
If you are logged in, disable the dropbear server on 2333 and change it to port 22.

And that's the problem, it won't receive a DHCP lease. That's why I've connected the USB TTL again to see what's happening.
It seems that it gets stuck while booting, but I can't find the reason and don't see any errors.