Hacking the Silvercrest (Lidl/Tuya) Smart Home Gateway

Hi, I’ve successfully extracted the root password, can SSH into the gateway and serialgateway is running.

I’m trying to add the device via ZHA. I can input the socket but I simply get an “Error” (nothing further than that) when trying to create a new radio network formation in the following step.

Here’s debug output where it breaks:

2023-10-09 22:29:01.929 DEBUG (MainThread) [bellows.uart] Data frame: b'232ea1a9062a15b2592a577e'
2023-10-09 22:29:01.930 DEBUG (MainThread) [bellows.uart] Sending: b'83401b7e'
2023-10-09 22:29:01.932 DEBUG (MainThread) [bellows.ezsp.protocol] Application frame received getConfigurationValue: [<EzspStatus.SUCCESS: 0>, 0]
2023-10-09 22:29:01.933 DEBUG (MainThread) [bellows.ezsp] Setting config CONFIG_APPLICATION_ZDO_FLAGS = 3 (old value 0)
2023-10-09 22:29:01.933 DEBUG (MainThread) [bellows.ezsp.protocol] Send command setConfigurationValue: (<EzspConfigId.CONFIG_APPLICATION_ZDO_FLAGS: 42>, <EmberZdoConfigurationFlags.APP_RECEIVES_SUPPORTED_ZDO_REQUESTS|APP_HANDLES_UNSUPPORTED_ZDO_REQUESTS: 3>)
2023-10-09 22:29:01.934 DEBUG (MainThread) [bellows.uart] Sending: b'332f21a9072a3fb1592b867e'
2023-10-09 22:29:01.981 DEBUG (MainThread) [bellows.uart] Data frame: b'342fa1a9072a152e937e'
2023-10-09 22:29:01.982 DEBUG (MainThread) [bellows.uart] Sending: b'8430fc7e'
2023-10-09 22:29:01.982 DEBUG (MainThread) [bellows.ezsp.protocol] Application frame received setConfigurationValue: [<EzspStatus.SUCCESS: 0>]
2023-10-09 22:29:01.983 DEBUG (MainThread) [bellows.ezsp.protocol] Send command getConfigurationValue: (<EzspConfigId.CONFIG_PACKET_BUFFER_COUNT: 1>,)
2023-10-09 22:29:01.984 DEBUG (MainThread) [bellows.uart] Sending: b'442c21a9062a1461d37e'
2023-10-09 22:29:02.033 DEBUG (MainThread) [bellows.uart] Data frame: b'452ca1a9062a15f2590a907e'
2023-10-09 22:29:02.034 DEBUG (MainThread) [bellows.uart] Sending: b'8520dd7e'
2023-10-09 22:29:02.036 DEBUG (MainThread) [bellows.ezsp.protocol] Application frame received getConfigurationValue: [<EzspStatus.SUCCESS: 0>, 64]
2023-10-09 22:29:02.038 DEBUG (MainThread) [bellows.ezsp] Setting config CONFIG_PACKET_BUFFER_COUNT = 255 (old value 64)
2023-10-09 22:29:02.038 DEBUG (MainThread) [bellows.ezsp.protocol] Send command setConfigurationValue: (<EzspConfigId.CONFIG_PACKET_BUFFER_COUNT: 1>, 255)
2023-10-09 22:29:02.039 DEBUG (MainThread) [bellows.uart] Sending: b'552d21a9072a144d5926167e'
2023-10-09 22:29:02.093 DEBUG (MainThread) [bellows.uart] Data frame: b'562da1a9542a1571b47e'
2023-10-09 22:29:02.094 DEBUG (MainThread) [bellows.uart] Sending: b'8610be7e'
2023-10-09 22:29:02.097 DEBUG (MainThread) [bellows.ezsp.protocol] Application frame received version: [0, 0, 0]
2023-10-09 22:29:02.097 ERROR (MainThread) [homeassistant] Error doing job: Fatal error: protocol.data_received() call failed.
Traceback (most recent call last):
  File "/usr/local/lib/python3.11/asyncio/selector_events.py", line 1003, in _read_ready__data_received
    self._protocol.data_received(data)
  File "/usr/local/lib/python3.11/site-packages/bellows/uart.py", line 81, in data_received
    self.frame_received(frame)
  File "/usr/local/lib/python3.11/site-packages/bellows/uart.py", line 108, in frame_received
    self.data_frame_received(data)
  File "/usr/local/lib/python3.11/site-packages/bellows/uart.py", line 129, in data_frame_received
    self._application.frame_received(self._randomize(data[1:-3]))
  File "/usr/local/lib/python3.11/site-packages/bellows/ezsp/__init__.py", line 337, in frame_received
    self._protocol(data)
  File "/usr/local/lib/python3.11/site-packages/bellows/ezsp/protocol.py", line 119, in __call__
    assert expected_id == frame_id
           ^^^^^^^^^^^^^^^^^^^^^^^
AssertionError
2023-10-09 22:29:02.118 DEBUG (MainThread) [bellows.uart] Connection lost: AssertionError()
2023-10-09 22:29:02.120 ERROR (MainThread) [bellows.uart] Lost serial connection: AssertionError()
2023-10-09 22:29:02.120 DEBUG (MainThread) [bellows.ezsp] socket://192.168.2.50:8888 connection lost unexpectedly: 
2023-10-09 22:29:02.121 ERROR (MainThread) [bellows.ezsp] NCP entered failed state. Requesting APP controller restart
2023-10-09 22:29:02.121 DEBUG (MainThread) [bellows.zigbee.application] Received _reset_controller_application frame with ('Serial connection loss: AssertionError()',)
2023-10-09 22:29:02.121 DEBUG (MainThread) [bellows.zigbee.application] Resetting ControllerApplication. Cause: 'Serial connection loss: AssertionError()'

I’ve exhausted my options; if anyone has any ideas how to fix this it’d be appreciated. I’ve gone through every other step available on the guide (including updating the radio firmware); it is simply failing on the last step of creating the radio network.

Output from serialgateway while trying to create the network:

serialgateway Release-1.2: port 8888, serial=/dev/ttyS1, baud=115200, flow=HW
Connect from host 192.168.2.52 fd=5
Closing existing connection
Connect from host 192.168.2.52 fd=5
Closing existing connection
Connect from host 192.168.2.52 fd=5
Closing existing connection
Connect from host 192.168.2.52 fd=5
Closing existing connection

ZHA socket settings: 115200 baud, software flow control. Tried every other combination imaginable.
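The traceback above ends in `assert expected_id == frame_id` inside bellows, and the two frames just before it explain why. What follows is an added decoder (not code from this thread, from bellows, or from PaulBanks' serialgateway) that re-implements just enough of the ASH UART framing (CRC-16/CCITT with init 0xFFFF, 0x7D byte stuffing, and the XOR data randomisation) plus the EZSP v8 frame header to read the hex that bellows prints. Run on the "Sending" and "Data frame" lines for sequence 0x6F from the log, it shows the host sent setConfigurationValue (frame ID 0x0053) and the radio answered that same sequence with frame ID 0x0000, i.e. a version response, which is exactly the mismatch the assertion catches. The frame-ID names are the ones that appear in the log; the two hex strings are copied from it.

```python
"""Decode the ASH frames that bellows prints in its debug log (added example)."""
from binascii import crc_hqx, unhexlify

FLAG, ESCAPE = 0x7E, 0x7D
RESERVED = (0x7E, 0x7D, 0x11, 0x13, 0x18, 0x1A)   # bytes that must be stuffed
RANDOMIZE_START, RANDOMIZE_SEQ = 0x42, 0xB8      # ASH data randomisation LFSR
# EZSP frame IDs (16-bit, EZSP v8 format) that show up in the log above.
FRAME_NAMES = {0x0000: "version", 0x0052: "getConfigurationValue",
               0x0053: "setConfigurationValue"}


def ash_crc(data: bytes) -> int:
    """CRC-16/CCITT (poly 0x1021, init 0xFFFF) over control byte + payload."""
    return crc_hqx(data, 0xFFFF)


def unstuff(frame: bytes) -> bytes:
    """Undo ASH byte stuffing: 0x7D x -> x ^ 0x20."""
    out, i = bytearray(), 0
    while i < len(frame):
        b = frame[i]
        if b == ESCAPE:
            i += 1
            b = frame[i] ^ 0x20
        out.append(b)
        i += 1
    return bytes(out)


def randomize(data: bytes) -> bytes:
    """XOR with the ASH pseudo-random sequence; applying it twice restores the data."""
    rand, out = RANDOMIZE_START, bytearray()
    for c in data:
        out.append(c ^ rand)
        rand = (rand >> 1) ^ RANDOMIZE_SEQ if rand & 1 else rand >> 1
    return bytes(out)


def decode_ash(hexframe: str) -> dict:
    """Parse one logged frame (hex string including the trailing 7e)."""
    raw = unstuff(unhexlify(hexframe))
    assert raw[-1] == FLAG, "frame must end with the 0x7E flag"
    body, crc = raw[:-3], int.from_bytes(raw[-3:-1], "big")
    control = body[0]
    info = {"crc_ok": ash_crc(body) == crc}
    if control & 0x80 == 0:                        # DATA frame: 0b0fffrAAA
        info.update(kind="DATA", frm_num=(control >> 4) & 7,
                    retransmit=bool(control & 0x08), ack_num=control & 7)
        ezsp = randomize(body[1:])
        # EZSP v8 header: sequence, 2-byte frame control, 2-byte frame ID (LE)
        info.update(sequence=ezsp[0], is_response=bool(ezsp[1] & 0x80),
                    frame_id=int.from_bytes(ezsp[3:5], "little"), params=ezsp[5:])
        info["frame_name"] = FRAME_NAMES.get(info["frame_id"], "unknown")
    elif control & 0xF0 == 0x80:                   # ACK: 0b1000nAAA
        info.update(kind="ACK", ack_num=control & 7)
    elif control & 0xF0 == 0xA0:                   # NAK: 0b1010nAAA
        info.update(kind="NAK", ack_num=control & 7)
    else:
        info["kind"] = {0xC0: "RST", 0xC1: "RSTACK", 0xC2: "ERROR"}.get(control, "?")
    return info


def build_ash(control: int, payload: bytes = b"", randomise: bool = True) -> bytes:
    """Encode a frame the way the host does: randomise, append CRC, stuff, flag."""
    body = bytes([control]) + (randomize(payload) if randomise else payload)
    stuffed = bytearray()
    for b in body + ash_crc(body).to_bytes(2, "big"):
        stuffed += bytes([ESCAPE, b ^ 0x20]) if b in RESERVED else bytes([b])
    return bytes(stuffed) + bytes([FLAG])


# Frames copied from the bellows debug log in the post above (EZSP sequence 0x6F).
SENT_SET_CONFIG = "552d21a9072a144d5926167e"
RECEIVED_REPLY = "562da1a9542a1571b47e"


def explain_mismatch(sent_hex: str, reply_hex: str) -> str:
    """State, in one line, whether the reply is the one the host was waiting for."""
    sent, reply = decode_ash(sent_hex), decode_ash(reply_hex)
    if sent["sequence"] != reply["sequence"]:
        return "reply belongs to a different EZSP sequence"
    if sent["frame_id"] == reply["frame_id"]:
        return "reply matches the command"
    return (f"seq 0x{sent['sequence']:02x}: host sent {sent['frame_name']} "
            f"(0x{sent['frame_id']:04x}) but radio answered {reply['frame_name']} "
            f"(0x{reply['frame_id']:04x})")


if __name__ == "__main__":
    for label, hx in (("sent", SENT_SET_CONFIG), ("reply", RECEIVED_REPLY)):
        print(label, decode_ash(hx))
    print(explain_mismatch(SENT_SET_CONFIG, RECEIVED_REPLY))
    print("ASH RST frame:", build_ash(0xC0, randomise=False).hex())
```

Paste any `Data frame:` or `Sending:` hex from a bellows log into `decode_ash` to see the EZSP sequence and frame ID behind it; a response whose frame ID differs from the command queued under the same sequence is what makes bellows drop the connection and reset the controller, as in the log above.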

@borf, I had the same problem initially and (I think) it was fixed by simply deleting the integration and re-adding it. Did you remember to modify the tuya_start.sh script as per the setup instructions?

BTW where did you find the instructions to update the radio firmware?

Yes, the script is modified as serialgateway is running, and ZHA can make the initial connection to the box, but it seems like it returns some data the integration is not expecting.

Hi,

I’ve been trying to hack the Lidl gateway. I read about this hack briefly months ago, but didn’t read all the instructions back then. So when I saw these gateways in Lidl discounted to 7€, I just bought one and came home. Plugged it in to see what it looks like and then came to Paul’s website to read the instructions.

Well, the gateway had updated itself and now I just get FFFF’s when I try to get the KEK key. I followed the instructions in posts around 130-150. I have dumped the firmware successfully using dump_flash.py, all partitions as a matter of fact (boot+cfg, linux, rootfs etc). Then extracted the SquashFS with sudo unsquashfs rootfs.bin. I checked the created folders and, for example, the “tuya” folder is empty. Is this really the case or have I done something wrong? Now I’m afraid to move forward, because I remember something about “/tuya/serialgateway” or “tuya_start.sh” and those are nowhere to be found.

So, could someone confirm to me that the next step, “replacing the /etc/passwd symlink with a passwd file we created” as Paul stated in step 3), is safe to do, and better yet, does someone have all the steps clearly written down for those of us who have ‘accidentally’ updated the gateway?

My integration died suddenly…
While again I am able to ssh into the actual zigbee box, it appears like the zigbee chip is sending some unexpected data.
Could it be that there were some OTA updates? I haven’t really checked whether there is any script running that is responsible for OTA updates of the zigbee chip.
I did go as far as reinstalling the whole HA without any backups, with no success…

UPDATE: Fixed!
The following steps apparently fixed the zigbee module; idk how, but it worked :slight_smile:

  1. Connect to the box via ssh
  2. kill the serial gateway and start the original tuya script
  3. go into the tuya app and add the gateway
  4. add a new random zigbee device
  5. reboot the gateway (it will start PaulB’s serialgateway by default)
  6. Add the zigbee device in HA and select to keep the current network settings
  7. Add your zigbee devices :slight_smile:
1 Like

Both green LEDs are on and the only thing that comes to the console is Booting…
Seems that it’s bricked; is there any way to save it by flashing, or do I throw it away?

I connected today to a gateway that was connected to Lidl for several months and I got no such FFFF. In the meantime it stood unconnected for several weeks in my garage; could it be possible that a capacitor holds the configuration but releases it to the original when fully discharged? I have to crack another one that was connected only a few days before; I’ll keep you posted.

Does anybody use the Lidl Silvercrest gateway with zigbee2mqtt?
I’m failing to configure it.

hah, RTFM to myself

1 Like

Can this hacked unit be used as a bridge/extender? I have ZHA configuration on Sonoff ZBDongle-E
which I would rather keep as is and would like to use this unit as a hub/extender only.

I have exactly the same question about using the Silvercrest as a router/repeater. Would be great if possible.

Hello Guys,
Some time ago I bought a simple Tuya gateway on AliExpress, but I have since switched to Home Assistant. I used a different gateway for HA. Now I’ve got some spare time to play with the old gateway.
My gateway is not the Lidl one. It has the following label on the PCB: DMD2CC-V1.0.
I soldered the J1 pins and tried to get the boot prompt. Unfortunately, without any success. The boot prompt must be disabled or locked. I took a different approach. I read a dump of the SPI flash and I wanted to extract the auzkey (authkey) from the tuya-label partition on the flash. Unfortunately, this partition is empty (all space is filled with 0xFF values). Instead of that I’ve modified /etc/passwd to get access.
However, I was curious where the AUZKEY is located. It might be useful for some people who own the Lidl gateway or any other gateway with an enabled bootloader. They don’t need to buy a programmer and do any desolder/solder stuff.

I did a little research on the tuyamd executable and I have successfully extracted (or decoded) the auzkey.
To extract the auzkey you need to:

  • dump the jffs2 partition (using the bootloader or using a programmer)
  • extract the jffs2 partition - Jefferson github
  • get two files: config/License.file1 and config/License.key
  • Use the following program to decode it:
    decode.txt
    It will give you this output:
    Decrypted data
    b'{"bsn":"XXXX","master_mac":"XXXXXX","auzkey":"XXXXXXXXXXXXX","uuid":"XXXXXXXXXX","prodtest_exit":"true"}\x0f\x0f\x0f\x0f\x0f\x0f\x0f\x0f\x0f\x0f\x0f\x0f\x0f\x0f\x0f'
    Also a file License.out will be produced.

Hope it will be helpful for someone.

1 Like

Hi Guys,
I have a way to get the prompt if the ESC key is not working.
See more at:
https://github.com/parasite85/tuya_dmd2cc_gateway_hack

1 Like

Thanks for your info.
Now I can get to the boot prompt, where ESC didn’t work for me.
But I’m stuck with KEK and AUSKEY, for which I get “FFFFFFFF” only.

I’m trying to find a solution, but it seems to come down to programming for me. :joy:

I had the same problem and resolved it by creating a new zigbee network. I followed the instructions in post #33 and after this it worked.

Please tell me.
I got root and updated the gateway firmware.
I suspect that I failed to flash the gateway. How can I find out the current firmware version?

Hello,
I tried to hack the gateway and successfully uploaded the custom firmware/program (serialgateway.bin) and tried connecting ZHA to it through socket://ipaddress:8888. But it crashes when setting up a connection (both with creating a new network and keeping the existing one). I can see in the serial monitor that the connection is constantly broken by the zigbee gateway. I followed this tutorial: Cloud-free integration with Home Assistant - PaulBanks.Org and only did that.

I also tried connecting it with Zigbee2Mqtt in a docker container, but that also doesn’t work. I also don’t get clear error messages from that so nothing to point me in the right direction unfortunately.

I am guessing it takes too long to react for my HA instances, so the gateway breaks the connection. But it does it after 5 seconds or so. Then I see a “connect from host IPADDRESS fd=5” and the fd varies between 5 and 6.

Can someone please point me at a solution for this? If any additional information is needed I would gladly provide it!

You must set the baud rate to 115200?

I tried that and it looks like it takes longer, but still crashes. When I start the serialgateway it says: serialgateway Release-1.2: port 8888, serial=/dev/ttyS1, baud=115200, flow=HW. So I tried connecting to it with socket://ipaddress:8888, baud 115200 and flow control on Hardware in the ZHA settings. Unfortunately it still crashes.

I kinda find the serial=/dev/ttyS1 a weird thing. I am not really sure why, but I am thinking maybe I need to do something with that?