Hacking the Silvercrest (Lidl/Tuya) Smart Home Gateway

Hey, first of all great work with the tutorial, but I could use a little help. I managed to get the root password, but I can't manage to get files to the gateway. I'm using cmd in Windows with the command posted somewhere above: type .\serialgateway.bin | ssh [email protected] "cat >/tuya/serialgateway". With this I am able to connect to the gateway, it asks for the password and after entering it hits me with sh: can't create /tuya/serialgateway: Text file busy. As a solution I tried it with chmod +x /tuya/serialgateway with reboot and chmod 755 /tuya/serialgateway with reboot, but still get the same message.
I hope that somebody can help me, and thanks in advance.

Hi, thanks for the tutorial.
After hacking, can I access the gateway from the Tuya Smart app, or only locally?

I successfully did it with one gateway and then bought another one. I could not get it (the 2nd gateway) to break the boot sequence. I checked the versions (from the serial output) and they were identical to each other: "2020.04.28-13:58".

I even started trying different keys. I went back to the first gateway and tried to interrupt the boot sequence; it just seemed to work almost the first time. It was now very strange that the second gateway did not work, since it worked fine for the first one. One thing I noticed was that when I typed into the serial console, some of the characters were garbage. I ended up changing the power supply to the gateway and then the garbage characters went away, but I still struggled to interrupt the boot sequence. What I found was that I just had to try multiple times, holding Esc, or repeatedly fast-pressing Esc until it worked. It seems that, if you are not sending garbage, then it is just a timing thing. I am still not sure what the timing is. I am still not sure why the 2nd gateway is harder than the first one. Maybe I just got lucky with my timing.

Now my problem is that this second unit, once I break the boot sequence and get the Realtek prompt, will not respond to me …

Check CoolTerm's settings.
Should look like this.
[image: CoolTerm settings]

I have the same problem.

Perhaps I have done something wrong in step 2:

if [ ! -f /tuya/tuya_start.original.sh ]; then cp /tuya/tuya_start.sh /tuya/tuya_start.original.sh; fi

cat >/tuya/tuya_start.sh <<EOF
#!/bin/sh
/tuya/serialgateway &
EOF
chmod 755 /tuya/serialgateway

Is this one line, or do I have to enter it in parts?
Do I enter it in the SSH or the TTL connection?
I tried both, and I assume it is in SSH; then I get:
"# client_loop: send disconnect: Connection reset"

But after the reboot it still doesn't work.

I checked the file with:
"md5sum /tuya/serialgateway"
and get:
"705ca5a422b2c91b4e98b8f552917704 /tuya/serialgateway"

but don't know what it should be.
(I do work on Windows 11; don't know if Windows screwed up?)

(I managed to rename the original file back, so it does work in Smart Life again.)
Does anyone have an idea where I went wrong?

OK, I have found it.
Windows screwed up.

If I use my old Linux laptop to copy the file, it works.

"md5sum /tuya/serialgateway"
gave a different output.
(In Windows cmd: "certutil -hashfile MD5")

@Mgeeve, yeah, I had the same problem copying files to and from the gateway using Windows. It would alter the checksum and corrupt the file.

It can be done via Windows CMD via ssh, and I had to use these commands to ensure the hacked file did not get corrupted:

To copy a file to the gateway on port 2333 (default) called serialgateway.bin and call it just serialgateway (no file extension):

type C:\tmp\serialgateway.bin | ssh -p2333 [email protected] "cat >/tuya/serialgateway"

To copy a file from the gateway on port 2333 (default) called tuya_net_start.sh from directory /tuya to the computer:

ssh -p2333 [email protected] "cat /tuya/tuya_net_start.sh" >tuya_net_start.sh

I see you got it sorted using an old Linux laptop, but if you need to use Windows in the future these might help.

Kal …

Any update for a gateway which can't be interrupted by using ESC? I repeated it many times with no luck, and I think my device is already bricked. :joy: (can't add the gateway device via the Tuya app)

I have suffered twice that all devices disappeared from zigbee2mqtt. It's very annoying. I think I will try moving to another Zigbee gateway.

Does anyone know if there’s a way to update to the latest version of EZSP?

I'm currently trying to do this to a NEO branded one (Tuya ZW05B0).

Noob question, but where did you get the passwd file that you used to replace it with?

Cheers.

Hi all,

Currently, what version of EZSP and coordinator are you using with this Silvercrest gateway?
I don't exactly understand how I can know whether a version is compatible with the gateway or not.

The Lidl SilverCrest Zigbee Gateway TYGWZ-01 Zigbee compatibility page tells you to update to 6.7.8.0, which seems a little bit old.

I bought a brand new TYGWZ1 a few days ago, but before soldering wires and connecting the USB TTL for rooting, I excitedly wanted to try it with my ZigBee sensors and the default Lidl app.
It was my mistake =)
The Lidl app updated the firmware on my TYGWZ1 almost instantly, and I couldn't stop it.

My worst expectation was that this process could be unrecoverable and root would no longer be possible.

The next day I soldered wires and connected the USB TTL successfully, but discovered that KEK and AUS were all FFFFFFFF values.
It's a new firmware. I saw that I had broken everything I wanted to try with TYGWZ1.

But…

Thanks to paulbanks.org, I was successful in resolving the FFFFFFFF problem:

In general, I followed these steps:

  1. Dump rootfs.bin over USB TTL
  2. Create newroot.bin with known password

At this point, I was trying to upload over TFTP to the TYGWZ1 with the following:

tftp 192.168.1.6 -m binary -c put newroot.bin

But all I saw in the terminal was a repeated message:

**TFTP Client Upload, File Name: newroot.bin

**TFTP Client Upload, File Name: newroot.bin

**TFTP Client Upload, File Name: newroot.bin

And nothing changed. The upload was interrupted by a timeout.

It was at point 2 that I saw that I had broken everything...)

But I kept trying. And this is what I discovered.

LOADADDR

This command, in general, is needed (I think) to set the address from which the firmware is downloaded by the TYGWZ1 in automatic mode (I believe the app on my Android tablet sends an instruction to the TYGWZ1 to do such a thing).
So I changed it to my IP. I got a message that the new LOADADDR is my IP, but when I ran the TFTP command the address was still 192.168.1.97.

Next, if my TYGWZ1 wants to download from 192.168.1.97, OK, I'll help it do this.

  1. Run the TFTPD server on my Ubuntu laptop with IP 192.168.1.97 and put newroot.bin into the TFTPd server root directory
  2. Type in the serial terminal:
    tftpd 80500000 newroot.bin

And JACKPOT! I got a success message for saving my file in TYGWZ1 memory.

  1. My TYGWZ1 successfully downloaded my newroot.bin and stored it at memory address 80500000
  2. Next, I ran this command in the serial terminal:
    FLR 80500000 20000 001E0000
    and wrote newroot.bin

But after a reboot, I got Debug mode (TERMINAL) again... and again. I made mistakes.
But thanks to @challs Chris Halls, I ran this command and successfully started Linux:

FLR 80500000 20000 001E0000
and then
J 80c00000

Then I successfully logged into the root shell.
My next step was to READ AUZKEY and get the last 8 symbols.
So I ran /tuya/./tuyamtd, read the key and got the value from my original firmware.

Next... I saw that if my new firmware didn't work correctly and I had the password from my original firmware, let's try to revert the changes, upload the original firmware and try to log in with the password I found.

I did all this stuff again: copied rootfs.bin into the TFTPd server root directory, ran tftpd 80500000 rootfs.bin in the serial terminal, waited until the file was uploaded, ran FLR 80500000 20000 001E0000, and wrote the changes.

Then I REBOOTED... Linux started successfully.

And my password is working too.
I am happy! So happy!

Thanks all! It was a great 5 hours of my life spent with lots of manuals, instructions, links, comments, texts, etc. I like it!

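An added example (not code from this thread or from paulbanks.org's scripts), assuming Python 3 on the workstation, that brings together two checks the posts above call for: comparing a copied file against the md5sum line the gateway prints (the Windows cmd corruption problem described earlier) and sanity-checking an image against the FLR length argument and the JFFS2 magic before writing it to flash. The FLR length 001E0000 and the JFFS2 rootfs format are taken from the thread; the flash offset to write at is disputed in later replies, so the script deliberately does not decide it.

```python
"""Constructed pre-flight checks for files sent to the gateway (example only)."""
import hashlib
import struct
from typing import List, Optional

# Length argument of the FLR command quoted in the thread: FLR 80500000 20000 001E0000
FLR_LENGTH = 0x001E0000
# Magic bitmask at the start of every JFFS2 node; the rootfs is JFFS2 per the thread
JFFS2_MAGIC = 0x1985


def md5_hex(data: bytes) -> str:
    """MD5 of the local bytes, in the same hex form `md5sum` prints on the gateway."""
    return hashlib.md5(data).hexdigest()


def matches_gateway_md5sum(data: bytes, md5sum_line: str) -> bool:
    """Compare local bytes against a line like
    '705ca5a422b2c91b4e98b8f552917704  /tuya/serialgateway'.
    A mismatch means the copy (e.g. through Windows cmd) altered the file."""
    parts = md5sum_line.split()
    if not parts or len(parts[0]) != 32:
        raise ValueError("not an md5sum output line: %r" % md5sum_line)
    return parts[0].lower() == md5_hex(data)


def fits_flr_region(data: bytes, length: int = FLR_LENGTH) -> bool:
    """True if the image is non-empty and no larger than the FLR length argument."""
    return 0 < len(data) <= length


def looks_like_jffs2(data: bytes) -> bool:
    """True if the image starts with the JFFS2 magic in either byte order
    (the endianness of the image is not stated in the thread, so accept both)."""
    if len(data) < 2:
        return False
    return JFFS2_MAGIC in struct.unpack("<H", data[:2]) + struct.unpack(">H", data[:2])


def preflight(data: bytes, md5sum_line: Optional[str] = None,
              expect_rootfs: bool = False) -> List[str]:
    """Return the list of problems found; an empty list means every check passed."""
    problems = []
    if md5sum_line is not None and not matches_gateway_md5sum(data, md5sum_line):
        problems.append("local MD5 differs from gateway md5sum: copy was corrupted")
    if not fits_flr_region(data):
        problems.append("image is %d bytes, FLR length is %d" % (len(data), FLR_LENGTH))
    if expect_rootfs and not looks_like_jffs2(data):
        problems.append("no JFFS2 magic at offset 0: not a rootfs image")
    return problems
```

Run preflight on the local file's bytes before the FLR step; a non-empty list is the cue to re-copy or re-check the image rather than write it.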

Hi all,

I also purchased a brand new TYGWZ1 to try this hack with. I've successfully extracted the root password and I'm able to access the device over the serial connection. However, when I try to log in via SSH, I get no response from the device at all. I've tried ports 22 and 2333, but neither works.

Further inspection with Wireshark shows that the device does not respond to my machine's ARP requests. It also doesn't respond to ping requests. I'm completely clueless as to what this could be. Has anyone here encountered similar issues with the SSH connection?

Thanks!

Hello,

I recently got one of these gateways, and the firmware got upgraded once I connected it with the LIDL application. From an nmap scan it looks like there is no longer an ssh server on the board ...
It looks like you can still tftp a new firmware to access the root password, but no ssh access. I am thinking of putting the serialgateway firmware in the rootfs to transfer it into the jffs2 image ...
I haven't had time yet to try this ...

Francois

Francois, I'm having similar issues. I'm eager to hear if this works for you!

Hello,

Oops, I rewrote the Linux kernel instead of the rootfs; the kernel will not boot :slight_smile: The rootfs is at 200000, not 20000.
Can somebody send me the result of

python dump_flash.py --serial-port /dev/ttyUSB0 --output-file linux.bin --start-addr 0x20000 --end-addr 0x200000

The dump_flash.py is from https://paulbanks.org/projects/lidl-zigbee/#gaining-initial-access
or https://github.com/banksy-git/lidl-gateway-freedom/tree/master/scripts

[email protected]

Francois

Did you get any advice for that problem? I have a similar issue. I tried two different USB serial dongles; it does not help.

Hello,

For the people who have problems with ESCaping to the bootloader: for me minicom did not work (maybe I should have disabled the H/W handshake ...), while screen /dev/ttyUSB0 38400 worked right away ...

François

IP configuration belongs in your router, not the firmware.