Hacking the Silvercrest (Lidl/Tuya) Smart Home Gateway

Firewall on your client machine?

I hope there is someone who can explain to me how to upgrade the firmware.
I have had the Silvercrest running for some time, but it puzzles me how to commence upgrading the firmware from a Windows computer. Is it done in PuTTY or???
Some help would be appreciated, and if I should upgrade, what is the extra?

You're right, thank you. I had to deactivate my firewall and add a redirect rule on port 69/UDP to the Raspberry on my router. After the upload, everything went as planned. Thank you for your help!!

I am not sure which version the Silvercrest is running, but I did an update to 6.7.8.0.
You can find a good description here:

Make sure you have the Windows Subsystem for Linux up and running on your Windows PC, and from the Terminal app window execute bash to get into the Linux shell.
From there you can get the firmware with wget and flash it to your hacked gateway.
I saw some discussions about higher FW levels, but I don't think it will give better results if you go to higher versions.


But how does this interact with my Silvercrest? I get the feeling this wget is running in my bash or Linux subsystem, and... I see no reference to the IP address nor the SSH of the Silvercrest; that is why I am lost on how to flash it.

I did all that Paul did, and as said it works great; it is just that last step of upgrading the firmware that I seem to miss :slight_smile:

Did you follow the steps described under point 10?
If you downloaded the firmware in bash on your Windows computer, you can try to connect to your gateway first, from the folder you downloaded the firmware to:
ssh root@gatewayipaddress
(now on your gateway:)
mv /tuya/serialgateway /tuya/serialgateway_save
killall serialgateway
exit
Then continue on your PC with the following commands:
./firmware_upgrade.sh <gateway IP address> 22 V7 NCP_UHW_MG1B232_678_PA0-PA1-PB11_PA5-PA4.gbl
Continue on your gateway after the reboot caused by the FW update, to re-enable the serial gateway (after you log in again):
mv /tuya/serialgateway_save /tuya/serialgateway
reboot

During firmware upgrade you need to enter the gateway root password 3 times.
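As an added example (not from this thread or from the guide it links to), the stop / flash / restore sequence above wrapped in one script, so that the serial gateway binary is put back even if the flash step fails or the gateway is still rebooting when the restore is attempted. It assumes firmware_upgrade.sh from the guide is in the current directory, that ssh is on PATH with root login working, and takes the gateway IP and the .gbl filename as placeholders on the command line; each ssh step will still prompt for the gateway root password.

```python
"""Added example (not from the thread or the guide): drive the
stop -> flash -> restore sequence for the Silvercrest gateway, restoring
/tuya/serialgateway even when the flash step fails.

Assumptions (placeholders, not from the page): firmware_upgrade.sh from the
guide sits in the current directory; gateway IP and .gbl filename come from
the command line; ssh is on PATH and root login works. Each ssh/flash step
prompts for the gateway root password.
"""
import os
import subprocess
import sys
import time

FLASH_SCRIPT = "./firmware_upgrade.sh"   # from the guide, assumed to be in cwd
SSH_PORT = 22
VARIANT = "V7"                           # same positional argument as in the steps above


def stop_serialgateway_cmd() -> str:
    """Remote shell line: park the binary so nothing can respawn it, then kill
    the running instance so the UART to the Zigbee module is free for the
    flasher. 'killall' fails when nothing is running, which is fine here."""
    return ("mv /tuya/serialgateway /tuya/serialgateway_save; "
            "killall serialgateway; true")


def restore_serialgateway_cmd() -> str:
    """Remote shell line: put the binary back and reboot so it starts again."""
    return "mv /tuya/serialgateway_save /tuya/serialgateway && reboot"


def ssh_argv(ip: str, remote_cmd: str) -> list:
    return ["ssh", f"root@{ip}", remote_cmd]


def flash_argv(ip: str, fw_path: str) -> list:
    # Same positional arguments as the manual invocation in the steps above.
    return [FLASH_SCRIPT, ip, str(SSH_PORT), VARIANT, fw_path]


def plan(ip: str, fw_path: str) -> list:
    """The three commands in order; used for --dry-run and by the test."""
    return [ssh_argv(ip, stop_serialgateway_cmd()),
            flash_argv(ip, fw_path),
            ssh_argv(ip, restore_serialgateway_cmd())]


def ssh_with_retry(argv: list, attempts: int = 30, delay: float = 5.0) -> bool:
    """The flasher reboots the gateway, so the restore ssh may have to wait
    for sshd to come back before it succeeds."""
    for _ in range(attempts):
        if subprocess.run(argv).returncode == 0:
            return True
        time.sleep(delay)
    return False


def upgrade(ip: str, fw_path: str) -> bool:
    if not os.path.isfile(fw_path):
        raise FileNotFoundError(fw_path)
    if not os.access(FLASH_SCRIPT, os.X_OK):
        raise FileNotFoundError(f"{FLASH_SCRIPT} missing or not executable")
    stop, flash, restore = plan(ip, fw_path)
    subprocess.run(stop, check=True)
    ok = False
    try:
        ok = subprocess.run(flash).returncode == 0
    finally:
        # Always put serialgateway back; otherwise the gateway comes up
        # without its Zigbee bridge after the reboot.
        if not ssh_with_retry(restore):
            print("restore failed; run by hand on the gateway: " + restore[-1],
                  file=sys.stderr)
    return ok


if __name__ == "__main__":
    args = [a for a in sys.argv[1:] if a != "--dry-run"]
    if len(args) != 2:
        sys.exit(f"usage: {sys.argv[0]} <gateway IP> <firmware.gbl> [--dry-run]")
    if "--dry-run" in sys.argv:
        for step in plan(*args):
            print(" ".join(step))
    else:
        sys.exit(0 if upgrade(*args) else 1)
```

Run it with --dry-run first to see the three commands it will issue; the restore step retries ssh for a couple of minutes because the flash script reboots the gateway, which is the point at which a hand-typed restore usually gets lost.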

I am stuck at the same point. I have started thinking they have updated the firmware and closed this door.

My serial is fine. I can see all characters I type, but I never manage to stop the process at booting.

It is not closed, but your serial is connecting too slowly or you are reacting too late.
The break point comes within 1-2 seconds after power is connected, so you will pretty much need to continuously hit ESC right at the time the power is connected.
I have learnt to do it with PuTTY on Windows, but it is an operation with military precision in timing.
In the beginning I had to use an Ubuntu Live USB stick with Minicom, because Minicom does not close the connection on power loss.

First connect your USB-to-TTL adapter and set up a PuTTY serial session at 38400 b/s.
Then you can power up the gateway and you have plenty of time to press the Escape key when you see the gateway booting.
It's not very time critical, but make sure you made the right settings and connections (RX, TX, GND).

Hi. There is no way they haven't closed this back door. For my entire life I have not pressed the ESC button as many times as in the last hour. I still cannot cancel the boot procedure. How is it achievable? Neither Windows PuTTY nor Linux tio stops the boot procedure. I'm using a CP2102 STC 6-pin and it is connected correctly. It's impossible to do it.

Maybe if you have changed the standard keyboard setup of PuTTY.
Mine looks like this.

It is highly unlikely that this feature is closed.
The feature is not a Tuya feature, but a feature of the Realtek chipset used for flashing the firmware.

Chipset on boot is: ---RealTek(RTL8196E)at 2022.06.01-16:29+0800 v3.4T-pre2 16bit
Also the settings should be OK.

I think that instead of banging my head against the wall I will buy a SONOFF USB adapter, model -P, and problem solved.

My flow control is set to XON/XOFF, but I do not think that matters much, and I use a NodeMCU as a serial adapter.

Thanks for the reply. I have given up as I have no idea what is wrong.

Also I don't think it's hardware related, as with the Silicon Labs CP2102 as well as the CH341A in serial mode I have this same problem. So it must be a problem with PuTTY/tio, or the Realtek RTL8196E is locked.
I connected external 3.3 V as well as trying the ESC key combination Ctrl+[. Nothing is working.
Looks like it's not worth the hassle, and it would be easier to buy USB devices and connect them to an Odroid, as you gain no performance by adapting this device to zigbee2mqtt. Less work, same effect. Thanks anyway.
Edit: On boards with the NH-GWZ1 number on them you cannot interrupt the boot procedure. So please watch what you are buying.

Hi, I am stuck at the very same point. Did you succeed? How?

I have already hacked 3 of these gateways and never worried about PuTTY settings (only the serial port and baud rate settings were set).
Log of one of these boots:

Booting...

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@
@ chip__no chip__id mfr___id dev___id cap___id size_sft dev_size chipSize
@ 0000000h 0c84018h 00000c8h 0000040h 0000018h 0000000h 0000018h 1000000h
@ blk_size blk__cnt sec_size sec__cnt pageSize page_cnt chip_clk chipName
@ 0010000h 0000100h 0001000h 0001000h 0000100h 0000010h 000004eh GD25Q128
@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
DDR1:32MB

---RealTek(RTL8196E)at 2021.07.29-21:33+0800 v3.4T-pre2 [16bit](380MHz)
P0phymode=01, embedded phy
check_image_header  return_addr:05010000 bank_offset:00000000
no sys signature at 00010000!

---Escape booting by user
P0phymode=01, embedded phy

---Ethernet init Okay!
<RealTek>FLR 80000000 401802 16
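The timing problem discussed above (the break window opens within 1-2 seconds of power-on, and PuTTY drops the session on power loss) can be taken out of the operator's hands: open the port first, then send ESC continuously until the bootloader answers. The following is an added example, not code from this thread; it assumes pyserial is installed, the adapter shows up as /dev/ttyUSB0 (COMx on Windows), and 38400 8N1 with no flow control as posted above. The marker strings it looks for are taken from the boot log above.

```python
"""Added example, not from the thread: open the UART before powering the
gateway on and send ESC continuously until the RTL8196E bootloader prints
its prompt, so the 1-2 s break window is never missed by hand.

Assumptions: pyserial is installed (pip install pyserial); adapter is
/dev/ttyUSB0 (COMx on Windows); 38400 8N1, no flow control. Marker strings
come from the boot log posted above.
"""
import sys
import time

ESC = b"\x1b"
BANNER = b"---RealTek(RTL8196E)"          # printed by the bootloader itself
ESCAPED = b"---Escape booting by user"    # the break was accepted
PROMPT = b"<RealTek>"                     # bootloader command prompt


def boot_state(seen: bytes) -> str:
    """Classify the console output captured so far:
    'prompt'  - bootloader stopped; FLR etc. can be typed
    'booting' - banner seen, break window open (or already closed)
    'idle'    - nothing recognisable yet (still off, or wrong wiring/baud)"""
    if ESCAPED in seen or PROMPT in seen:
        return "prompt"
    if BANNER in seen:
        return "booting"
    return "idle"


def catch_bootloader(port="/dev/ttyUSB0", baud=38400, timeout=20.0,
                     esc_interval=0.02):
    """Return (True, captured bytes) once the prompt is seen, else (False, bytes)."""
    import serial  # pyserial; imported here so boot_state() works without it

    with serial.Serial(port, baud, bytesize=serial.EIGHTBITS,
                       parity=serial.PARITY_NONE, stopbits=serial.STOPBITS_ONE,
                       timeout=0, xonxoff=False, rtscts=False, dsrdtr=False) as ser:
        print("port open; connect power to the gateway now", file=sys.stderr)
        seen = b""
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            ser.write(ESC)          # keep hammering; harmless before the banner
            ser.flush()
            chunk = ser.read(4096)  # non-blocking read (timeout=0)
            if chunk:
                seen += chunk
                sys.stderr.buffer.write(chunk)   # echo so wiring/baud faults show
            if boot_state(seen) == "prompt":
                return True, seen
            time.sleep(esc_interval)
    return False, seen


if __name__ == "__main__":
    dev = sys.argv[1] if len(sys.argv) > 1 else "/dev/ttyUSB0"
    ok, out = catch_bootloader(dev)
    print()
    if ok:
        print("bootloader prompt reached; attach PuTTY/minicom/tio on the same "
              "port and settings to continue (e.g. the FLR dump)")
    elif boot_state(out) == "booting":
        print("banner seen but break not accepted: check that TX is wired to the "
              "gateway RX and try a shorter esc_interval")
    else:
        print("nothing received: check RX/GND wiring and the 38400 baud setting")
    sys.exit(0 if ok else 1)
```

Start the script, then apply power; the echoed output tells you immediately whether the adapter sees the banner at all (a wiring or baud problem) or sees it but never gets the break accepted (TX not reaching the gateway). The script releases the port once the prompt is reached, so the usual terminal program can be attached for the rest of the procedure.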

Like @hari-bo I use an ESP32 with a WiFi-to-serial program; that was a bit flaky on hitting ESC to get into bootloader mode, but it would work 1 out of 5 times. The console itself worked flawlessly, except I got an "Aborted!" on executing the FLR commands. So instead of using WiFi-to-serial I use UART2 to connect to the Tuya gateway and USB to my computer. RX: GPIO 16 and TX: GPIO 17.

This works flawlessly with 38400 baud 8N1 and all hardware flow control disabled. I have now extracted my root password.

As you can see in your attached picture, mine is from June 2022 and yours from July 2021. So mine is newer and possibly an updated (not modded) version. Also mine is NH-GWZ1 and yours is possibly TY-GWZ1, as there is no other explanation. In my case, two different computers, one with Win 10 and the other with Debian. On both, the Silicon Labs CP2102 as well as the CH341A in serial mode were not able to stop the boot procedure. The only thing left in common is the board. So the conclusion is: those boards are somehow locked, or the instructions are not clear.
Edit:
I even went overkill and connected my FTDI FT2232 developer board, with the same effect. Not able to cancel the boot procedure.

Sorry, but I will not waste another £6 just to find out it's this same problem. As I said, the boards are not equal, and some are locked from modification and some are not. Mine is locked. I'll play with it a few more times, and if not, it's time to move on and buy a Sonoff USB adapter, as everyone recommends them.

My post was not a reply to your problem, but a generic comment on serial connections being flaky and escape being difficult to press on a TYGWZ-01. hari-bo's screenshot of the FLR command being aborted is something I experienced. He used an ESP32 and so do I. If you use an ESP32, use the serial connectivity and not the WiFi; it has timing issues.