Hacking the Silvercrest (Lidl/Tuya) Smart Home Gateway

Hi,
I can connect to the gateway.
But after

FLR 80000000 401802 16
    DW 80000000 4

this is the answer:
FLR 80000000 401802 16
Flash read from 00401802 to 80000000 with 00000016 bytes ?
(Y)es , (N)o ? → y
Flash Read Successed!
DW 80000000 4
80000000: FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF

and after the
FLR 80000000 402002 32
Flash read from 00402002 to 80000000 with 00000032 bytes ?
(Y)es , (N)o ? → y
Flash Read Successed!
DW 80000000 8
80000000: FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
80000010: FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF

What is the problem?
Thanx

hi,

I am stuck… I have soldered the wire and can get a USB connection, but I get garbage in it.

I try to send the key but nothing is happening, even though the soldering is present…

thx in advance for your help :slight_smile:

So nuts… I had plugged my device into a router's USB3 port, then a power supply, same garbage; then I tried my USB3 from the PC and all fine…

For those having issues with the ESC input… I just pinned the wire directly on the test node (gold one above the hole) and it went through.

First time soldering and it was not a great success, but at least I managed to hack my 2 gateways so: job done!

Thank you so much to the contributors that made it happen.

cheers! :beers: :beers: :beers:

Can someone please dump the firmware for me and upload it somewhere? I’d like to run the Tuya gateway software on a box with the same CPU.

Something bad happened to my device, I think it's fried. I connected 3.3V on the device to 5V on the UART and it stopped working. Does anyone know what needs to be fixed on the board? I can send it to a technician to replace the damaged part if I know what to tell him needs replacement.

Hi Tom,
I am in the same boat - no esc input.
Could you please elaborate which pin and wire are you referring to?
Thanks in advance!

First connect RX, TX and GND as in the tutorial.
2nd open the terminal connection.
3rd connect 3.3V; the already open terminal will show the output text, then press ESC
and follow the other steps.

Hello @all,

I am interested in going off the cloud with my Silvercrest but wanted to ask some questions.
If I perform this hack, is it still possible to use the Smartlife app? I already have a lot of Zigbee devices and also some WiFi devices that are all connected to Smartlife.

Once I perform the hack, is it possible to revert this action?

If I want to use HA with the silvercrest hub, do I need other hardware or is it possible to run HA on the hub itself? Sorry if these questions are “dumb” but I really could not find information about it on here.

I already got the CH340 TTL and was able to get into the hub. Only I still could not get the password :grimacing:

Thank you in advance for clearing these things up!
Semi

These are not affected

Smartlife is TUYA. Not Zigbee. And yes those are not affected.

Is there any value in updating the firmware after I’ve unlocked the hub? I’m afraid to brick the device and wouldn’t try to risk it if it doesn’t bring some meaningful benefits.

BTW thanks to everyone for this thread. I’m still in awe about the technical expertise people have here. Wouldn’t be able to do it without you

In case it helps others… I bought a Tuya TYGWZ-01 for £16 on AliExpress branded as “LoraTap” that required some extra steps to get to work for ZHA.

I mainly followed the Blakadder guide here.

First hurdle was that the Realtek bootloader was locked; sending the ESC character at boot did not work. Luckily @parasite85's trick of shorting the flash chip got me into the bootloader.

Next I couldn't retrieve the KEK encryption key or AUSKEY using the FLR+DW commands, I was getting FFFFFFFF only. I tried parasite85's method #1 of dumping the “tuya-label” partition hoping the AUSKEY was in plaintext, but no luck: the partition was full of 0xFF only.
I finally resorted to his method #4 of dumping the “jffs2-fs” partition with @bool2 (Paul Banks) dump_flash.sh script

python dump_flash.py --serial-port COM3 --output-file jffs2.img --start-addr 0x420000 --end-addr 0x1000000

Note: this will take a very VERY long time to complete, but I periodically checked the output file and was able to extract the required files after ~30 mins using:

jefferson jffs2.img -d jeff

Once I had config/License.file1, config/License.file2 and config/License.key I used parasite85's script to get Licence.out JSON. The root password is the last 8 characters of AUSKEY.

Third problem, I found the SSH server is not configured properly on this version of the hardware. I found I needed to create a file /tuya/enable_ssh_flag before the /tuya/ssh_monitor.sh script we edit in the guide will run. I also had to add the line dropbear -p 22 -K 300 to ssh_monitor.sh, different from the guide (long story short, dropbear is commented out in initrc). Now the SSH server was up and running on port 22. I could put the case back together and connect remotely.
(Newer versions of OpenSSH need some extra config if you get Unable to negotiate with ... port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss)

The rest of the guide on zigbee.blakadder.com could be completed without a hitch.

:slight_smile:

3 Likes

Looks like Zigbee2MQTT is using a new Ember driver that this doesn't support, as it requires EmberZNet firmware 7.4.x (EZSP 13). Is it possible to upgrade the Lidl gateway to this?

Probably not, but the ezsp driver will not be removed from Zigbee2MQTT, it just won't get any upgrades any more.

My bad, didn't see your reply earlier.

So you will see a small gold point above the soldering one. You can try to make it rock and roll as in my try and it should go through :smiley:

Hey guys,

I just tried to hack this unit and am already stuck at the password. I was able to extract the hex from the terminal. I got this unit fresh from Lidl and have never used it with Tuya or anything else.

This is what I get as a result from the script.

gu@gu-virtual-machine:~/Downloads$ python3 lidl_auskey_decode.py
Enter KEK hex string line>80000000: 5A5AA5A5 401A4000 8F7B238C 001AD582
Encoded aus-key as hex string line 1>80000000: 5A5AA5A5 401A4000 8F7B238C 001AD582
Encoded aus-key as hex string line 2>80000010: 001AD080 037AD821 401A2000 8F7B0000
Traceback (most recent call last):
File "/home/gu/Downloads/lidl_auskey_decode.py", line 65, in <module>
print("Auskey:", auskey.decode("ascii"))
UnicodeDecodeError: 'ascii' codec can't decode byte 0x8e in position 2: ordinal not in range(128)

Is it normal that the KEK is the same as the first line of the AUSKEY?
I read the key two times to make sure I did not make any mistake.

Any advice what I could change?

Edit: Nevermind… used a different serial program… Working on the following points now.

1 Like
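Two of the captures in this thread went wrong in ways that can be caught before any decode script is run: the FLR+DW reads that returned only FFFFFFFF (the first post, and the LoraTap post, where the key simply was not at that flash offset), and the paste above in which the KEK line was byte-identical to the first AUSKEY line (a terminal or copy problem, as the poster found). The Python below is an added example, not a script from this thread or from the Blakadder / Paul Banks guides, and it does not decode the AUSKEY. It parses the DW output format shown in the thread (8-hex-digit address, colon, 32-bit words), flags all-0xFF reads, duplicated lines and non-contiguous addresses, and uses the lines pasted in the thread as sample input; the byte order within each word is taken as displayed, which is an assumption.

```python
"""Sanity checks for hex captured from the Realtek bootloader's DW command.

Added example: parses lines such as
    80000000: 5A5AA5A5 401A4000 8F7B238C 001AD582
and reports the capture problems seen in this thread before any decoding
is attempted. It assumes the DW layout shown in the thread and treats the
bytes of each 32-bit word in display order (an assumption, not verified
against the bootloader).
"""
import re

# One DW output line: address, colon, one or more 32-bit hex words.
DW_LINE = re.compile(r"^\s*([0-9A-Fa-f]{8}):((?:\s+[0-9A-Fa-f]{8})+)\s*$")

# Sample lines copied from the thread (the capture that raised UnicodeDecodeError).
SAMPLE_KEK_LINE = "80000000: 5A5AA5A5 401A4000 8F7B238C 001AD582"
SAMPLE_AUS_LINES = [
    "80000000: 5A5AA5A5 401A4000 8F7B238C 001AD582",
    "80000010: 001AD080 037AD821 401A2000 8F7B0000",
]
# Sample line from the first post (a read that returned nothing useful).
SAMPLE_ERASED_LINE = "80000000: FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF"


def parse_dw_line(line):
    """Return (address, data) for one DW output line; raise ValueError otherwise."""
    match = DW_LINE.match(line)
    if not match:
        raise ValueError(f"not a DW output line: {line!r}")
    address = int(match.group(1), 16)
    data = b"".join(bytes.fromhex(word) for word in match.group(2).split())
    return address, data


def is_erased(data):
    """True when every byte is 0xFF: erased flash, or a read at the wrong offset."""
    return len(data) > 0 and all(b == 0xFF for b in data)


def check_capture(kek_line, aus_lines):
    """Run the checks on a pasted capture.

    Returns a list of human-readable findings; an empty list means the
    capture looks plausible enough to hand to a decode script.
    """
    findings = []
    _, kek = parse_dw_line(kek_line)
    aus_parsed = [parse_dw_line(line) for line in aus_lines]
    aus = b"".join(data for _, data in aus_parsed)

    if is_erased(kek):
        findings.append("KEK read is all 0xFF: nothing stored at that offset on "
                        "this unit; dumping the partition is the fallback used above")
    if is_erased(aus):
        findings.append("AUSKEY read is all 0xFF: nothing stored at that offset")

    # A KEK that equals an AUSKEY line means the same terminal line was pasted twice.
    if not is_erased(kek) and any(kek == data for _, data in aus_parsed):
        findings.append("KEK line is byte-identical to an AUSKEY line: "
                        "likely a duplicated paste or terminal echo; recapture")

    # Consecutive DW lines must advance the address by the number of bytes shown.
    for (addr1, data1), (addr2, _) in zip(aus_parsed, aus_parsed[1:]):
        if addr2 != addr1 + len(data1):
            findings.append(f"AUSKEY lines are not contiguous: "
                            f"{addr1:08X} then {addr2:08X}")
    return findings


if __name__ == "__main__":
    for finding in check_capture(SAMPLE_KEK_LINE, SAMPLE_AUS_LINES):
        print("WARN:", finding)
    print("first-post read erased:", is_erased(parse_dw_line(SAMPLE_ERASED_LINE)[1]))
```

Run it against your own capture before decoding; a duplicated-line or all-0xFF finding means the problem is in the serial capture or the flash offset, not in the decode script, which is exactly what the poster above concluded after switching serial programs.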

Is it due to unsupported Zigbee hardware, or because the process to upgrade is complicated?

The Zigbee chip is too old to support the latest SDK.

I screwed something up… has anyone got the original file from the Silvercrest hub: /tuya/tuya_start.sh, the file after backup called /tuya/tuya_start.original.sh?

That file, before changing the firmware. What is the content of the file? Please share.

Hi, is this hub still worth purchasing (7.50€) or is it considered outdated? I am looking to get into Zigbee, so any other suggestions are welcome. Thanks