Hacking the Silvercrest (Lidl/Tuya) Smart Home Gateway

Hi,
I can connect to the gateway.
But after

FLR 80000000 401802 16
DW 80000000 4

the answer is
FLR 80000000 401802 16
Flash read from 00401802 to 80000000 with 00000016 bytes ?
(Y)es , (N)o ? → y
Flash Read Successed!
DW 80000000 4
80000000: FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF

and after the
FLR 80000000 402002 32
Flash read from 00402002 to 80000000 with 00000032 bytes ?
(Y)es , (N)o ? → y
Flash Read Successed!
DW 80000000 8
80000000: FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
80000010: FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF

What is the problem?
Thanx

hi,

I am stuck… I have soldered the wire and can get a USB connection, but I get garbage in it


I try to send a key but nothing is happening, even though the soldering is present…

Thanks in advance for your help :slight_smile:

So nuts… I had plugged my device into a router's USB3 port, then into a power supply: same garbage. Then I tried USB3 from my PC and all was fine…

For those having issues with the ESC input… I just pinned the wire directly on the test node (the gold one above the hole) and it went through.

First time soldering and it was not a great success, but I at least managed to hack my 2 gateways, so: job done!

Thank you so much to the contributors that made it happen.

cheers! :beers: :beers: :beers:

Can someone please dump the firmware for me and upload it somewhere? I’d like to run the Tuya gateway software on a box with the same CPU.

Something bad happened to my device; I think it's fried. I connected 3.3V on the device to 5V on the UART and it stopped working. Does anyone know what needs to be fixed on the board? I can send it to a technician to replace the damaged part if I know what to tell him needs replacement.

Hi Tom,
I am in the same boat - no esc input.
Could you please elaborate on which pin and wire you are referring to?
Thanks in advance!

First, connect RX, TX and GND as in the tutorial.
2nd, open the terminal connection.
3rd, connect 3.3V; the already open terminal will show the output text, then press ESC
and follow the other steps.

Hello @all,

I am interested in going off the cloud with my Silvercrest but wanted to ask some questions.
If I perform this hack, is it still possible to use the Smartlife app? I already have a lot of Zigbee devices and also some WiFi devices that are all connected to Smartlife.

Once I perform the hack, is it possible to revert this action?

If I want to use HA with the silvercrest hub, do I need other hardware or is it possible to run HA on the hub itself? Sorry if these questions are “dumb” but I really could not find information about it on here.

I already got the CH340 TTL adapter and was able to get into the hub. I only still could not get the password :grimacing:

Thank you in advance for clearing these things up!
Semi

These are not affected

Smartlife is TUYA. Not Zigbee. And yes those are not affected.

Is there any value in updating the firmware after I’ve unlocked the hub? I’m afraid to brick the device and wouldn’t try to risk it if it doesn’t bring some meaningful benefits.

BTW thanks to everyone for this thread. I’m still in awe about the technical expertise people have here. Wouldn’t be able to do it without you

In case it helps others… I bought a Tuya TYGWZ-01 for £16 on AliExpress, branded as “LoraTap”, that required some extra steps to get working with ZHA.

I mainly followed the Blakadder guide here.

First hurdle was that the Realtek bootloader was locked: sending the ESC character at boot did not work. Luckily @parasite85's trick of shorting the flash chip got me into the bootloader.

Next, I couldn’t retrieve the KEK encryption key or the AUSKEY using the FLR+DW commands; I was getting FFFFFFFF only. I tried parasite85’s method #1 of dumping the “tuya-label” partition, hoping the AUSKEY was in plaintext, but no luck: the partition was full of 0xFF only.
I finally resorted to his method #4 of dumping the “jffs2-fs” partition with @bool2's (Paul Banks) dump_flash.sh script:

python dump_flash.py --serial-port COM3 --output-file jffs2.img --start-addr 0x420000 --end-addr 0x1000000

Note: this will take a very, VERY long time to complete, but I periodically checked the output file and was able to extract the required files after ~30 mins using:

jefferson jffs2.img -d jeff

Once I had config/License.file1, config/License.file2 and config/License.key, I used parasite85's script to get the Licence.out JSON. The root password is the last 8 characters of the AUSKEY.

Third problem: I found the SSH server is not configured properly on this version of the hardware. I found I needed to create a file /tuya/enable_ssh_flag before the /tuya/ssh_monitor.sh script we edit in the guide will run. I also had to add the line dropbear -p 22 -K 300 to ssh_monitor.sh, different from the guide (long story short, dropbear is commented out in initrc). Now the SSH server was up and running on port 22. I could put the case back together and connect remotely.
(Newer versions of OpenSSH needed some extra config if you get Unable to negotiate with ... port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss)

The rest of the guide on zigbee.blakadder.com could be completed without a hitch.

:slight_smile:
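The first post in this thread and the TYGWZ-01 post above show the same symptom: every FLR+DW read comes back as solid FFFFFFFF. The script below is an added example, not code from the thread and not part of dump_flash.py or parasite85's script. It parses a pasted bootloader transcript, joins the DW lines into a byte buffer, reports when a region is nothing but 0xFF (an erased or unread region, which is what both dumps show) and pulls printable strings out of a region that does hold data. Everything in it is an assumption or a construction: the two transcripts are made up to mirror the thread's output, the AUSKEY value in the second one is invented, and the big-endian word order (BIG_ENDIAN) is a guess about this SoC that should be checked against a known string in a real dump.

```python
import re

# One "DW" dump line: an 8-hex-digit address, a colon, then 32-bit words.
DW_LINE = re.compile(r"^([0-9A-Fa-f]{8}):((?:\s+[0-9A-Fa-f]{8})+)\s*$")

# Assumption: the Realtek SoC in these gateways runs big-endian, so the word
# 0x4155534B holds the bytes "AUSK" in that order. If ASCII in your own dump
# comes out reversed in groups of four, set this to False.
BIG_ENDIAN = True

# Constructed transcript mirroring the all-0xFF reads quoted in the thread.
BLANK_TRANSCRIPT = """\
FLR 80000000 402002 32
Flash read from 00402002 to 80000000 with 00000032 bytes ?
(Y)es , (N)o ? y
Flash Read Successed!
DW 80000000 8
80000000: FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
80000010: FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
"""

# Constructed transcript of a region that does hold data: the label text and
# the key value are invented for this example, not taken from a real device.
LABEL_TRANSCRIPT = """\
DW 80000000 8
80000000: 4155534B 45593D30 31323334 35363738
80000010: 39616263 64656600 00000000 00000000
"""


def parse_dw(transcript: str) -> dict[int, bytes]:
    """Map each DW line's address to its bytes; prompts and echoed commands are skipped."""
    order = "big" if BIG_ENDIAN else "little"
    dump: dict[int, bytes] = {}
    for line in transcript.splitlines():
        m = DW_LINE.match(line.strip())
        if not m:
            continue
        addr = int(m.group(1), 16)
        words = [int(w, 16) for w in m.group(2).split()]
        dump[addr] = b"".join(w.to_bytes(4, order) for w in words)
    return dump


def contiguous_bytes(dump: dict[int, bytes]) -> bytes:
    """Join the lines in address order, refusing a dump with a hole in it."""
    buf = bytearray()
    expected = None
    for addr in sorted(dump):
        if expected is not None and addr != expected:
            raise ValueError(f"gap in dump before {addr:08X}")
        buf += dump[addr]
        expected = addr + len(dump[addr])
    return bytes(buf)


def is_blank(data: bytes) -> bool:
    """Erased SPI/NOR flash and a read that never happened both show as solid 0xFF."""
    return len(data) > 0 and all(b == 0xFF for b in data)


def printable_runs(data: bytes, min_len: int = 4) -> list[str]:
    """Pull ASCII runs out of a region, the quick way to spot a plaintext label."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def describe(transcript: str) -> str:
    """One-line verdict for a pasted transcript, for use from the command line."""
    data = contiguous_bytes(parse_dw(transcript))
    if not data:
        return "no DW lines found"
    if is_blank(data):
        return f"{len(data)} bytes, all 0xFF: region is erased or was not read"
    return f"{len(data)} bytes, strings: {printable_runs(data)}"


if __name__ == "__main__":
    print("blank :", describe(BLANK_TRANSCRIPT))
    print("label :", describe(LABEL_TRANSCRIPT))
```

Paste a real terminal capture into describe() to get the same verdict on your own device. A solid-0xFF answer means the bytes were never copied into RAM or the region really is erased, so the next step is the flash-partition dump route the post above describes rather than more FLR+DW attempts.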