Hacking the Silvercrest (Lidl/Tuya) Smart Home Gateway

Is it possible to use the built-in microphone in Home Assistant for voice controls?

Hi Francois,

I’m pretty sure I’ve done exactly the same thing. Did you ever get sent the linux.bin file you requested?

It is a bargain price. I have this Silvercrest device myself and it is the third (!) controller in my network, and I doubt this is the right device for someone starting to use Zigbee. It is the controller I trust the least because I had some stability issues.
If you are familiar with using a Linux terminal, it is an option.
You had better buy an off-the-shelf Zigbee router that requires less configuration in HA, like Sonoff or Conbee (deCONZ).

1 Like

I have the same problem here. Same firmware. Can’t make it work. Has anyone succeeded?

I was able to get a prompt using this how-to here (GitHub - parasite85/tuya_dmd2cc_gateway_hack). However, both FLR commands return only FFFFFFFF on all the bytes. Thoughts?

So, it took me a few hours, but I finally managed to hack the Lidl Gateway and make it available in my HA. Initially, I stopped using Lidl stuff as it wasn’t as responsive as IKEA for example. On top of that, the constant connection made with Tuya cloud was annoying me.

I used most of Paul’s guide, but I also found the FFFFFFFF in the KEK and AUSKEY. So then, I pulled the jffs2 filesystem (takes a lot longer than the rootfs) and I could open it with Jefferson Python tools (pretty much the same way the squashfs is opened).
From there, I could open the License files and use decode.py to get the root password.

Relevant links (also for my own administration):
Jefferson tools
git clone GitHub - sviehb/jefferson: JFFS2 filesystem extraction tool

decoding script:

Big thanks to Paul and the other authors who made this possible. I just did it for fun (don’t really need the gateway), but fun it gave!

1 Like

Hello everyone, I changed the password in rootfs, downloaded the firmware, and nothing happens. What’s wrong?

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@
@ chip__no chip__id mfr___id dev___id cap___id size_sft dev_size chipSize
@ 0000000h 0c84018h 00000c8h 0000040h 0000018h 0000000h 0000018h 1000000h
@ blk_size blk__cnt sec_size sec__cnt pageSize page_cnt chip_clk chipName
@ 0010000h 0000100h 0001000h 0001000h 0000100h 0000010h 000004eh GD25Q128
@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
DDR1:32MB

---RealTek(RTL8196E)at 2019.10.28-20:09+0800 v3.4T-pre2 [16bit](380MHz)
P0phymode=01, embedded phy
check_image_header  return_addr:05010000 bank_offset:00000000
no sys signature at 00010000!

---Escape booting by user
P0phymode=01, embedded phy

---Ethernet init Okay!
<Re
<RealTek>AUTOBURN 0
AutoBurning=0
<RealTek>LOADADDR 80500000
Set TFTP Load Addr 0x80500000
<RealTek>
**TFTP Client Upload, File Name: newroot.bin
-
**TFTP Client Upload File Size = 000E1002 Bytes at 80500000

Success!
<RealTek>FLW 200000 80500000 000E1002
Write 0x000e1002 Bytes to SPI flash#1, offset 0x00200000<0xbd200000>, from RAM 0x80500000 to 0x805e1002
(Y)es, (N)o->y
................................................................................                     ................................................................................                     ..................................................................<RealTek>
<RealTek>J 80c00000
---Jump to address=80C00000
decompressing kernel:
Uncompressing Linux... done, booting the kernel.
done decompressing kernel.
start address: 0x80003780
Linux version 3.10.90 (junzi@junzi) (gcc version 4.6.4 (Realtek RSDK-4.6.4 Build 2080) ) #70 Mon Oct 28 20:13:05 CST 2019
CPU revision is: 0000cd01
Determined physical RAM map:
 memory: 02000000 @ 00000000 (usable)
Zone ranges:
  Normal   [mem 0x00000000-0x01ffffff]
Movable zone start for each node
Early memory node ranges
  node   0: [mem 0x00000000-0x01ffffff]
icache: 16kB/16B, dcache: 8kB/16B, scache: 0kB/0B
Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 8128
Kernel command line:  console=ttyS0,38400 root=/dev/mtdblock2
PID hash table entries: 128 (order: -3, 512 bytes)
Dentry cache hash table entries: 4096 (order: 2, 16384 bytes)
Inode-cache hash table entries: 2048 (order: 1, 8192 bytes)
Memory: 27700k/32768k available (2479k kernel code, 5068k reserved, 525k data, 192k init, 0k highmem)
SLUB: HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
NR_IRQS:128
console [ttyS0] enabled
Calibrating delay loop... 378.47 BogoMIPS (lpj=1892352)
pid_max: default: 4096 minimum: 301
Mount-cache hash table entries: 512
reg e0=0
reg e1=0
reg e2=0
reg e3=0
reg e4=0
reg e5=0
reg e6=0
reg e7=0
reg f0=0
reg f1=0
reg f2=0
reg f3=0
reg f4=0
reg f5=0
reg f6=0
NET: Registered protocol family 16
bio: create slab <bio-0> at 0
NET: Registered protocol family 2
TCP established hash table entries: 512 (order: 0, 4096 bytes)
TCP bind hash table entries: 512 (order: -1, 2048 bytes)
TCP: Hash tables configured (established 512 bind 512)
TCP: reno registered
UDP hash table entries: 256 (order: 0, 4096 bytes)
UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
NET: Registered protocol family 1
squashfs: version 4.0 (2009/01/31) Phillip Lougher
jffs2: version 2.2. (NAND) © 2001-2006 Red Hat, Inc.
msgmni has been set to 54
Block layer SCSI generic (bsg) driver version 0.4 loaded (major 254)
io scheduler noop registered
io scheduler deadline registered
io scheduler cfq registered (default)
Serial: 8250/16550 driver, 2 ports, IRQ sharing disabled
serial8250: ttyS0 at MMIO 0x18002000 (irq = 9) is a 16550A
serial8250: ttyS1 at MMIO 0x18002100 (irq = 13) is a 16550A
Realtek GPIO Driver for Flash Reload Default
tuya_gpio_init ok, scan expire time:50
SPI INIT
 ------------------------- Force into Single IO Mode ------------------------
|No chipID  Sft chipSize blkSize secSize pageSize sdCk opCk      chipName    |
| 0 c84018h  0h 1000000h  10000h  10000h     100h   84    0          GD25Q128|
 ----------------------------------------------------------------------------
SPI flash(GD25Q128) was found at CS0, size 0x1000000
boot+cfg offset=0x0 size=0x20000 erasesize=0x10000
linux offset=0x20000 size=0x1e0000 erasesize=0x10000
rootfs offset=0x200000 size=0x200000 erasesize=0x10000
tuya-label offset=0x400000 size=0x20000 erasesize=0x10000
jffs2-fs offset=0x420000 size=0xbe0000 erasesize=0x10000
5 rtkxxpart partitions found on MTD device flash_bank_1
Creating 5 MTD partitions on "flash_bank_1":
0x000000000000-0x000000020000 : "boot+cfg"
0x000000020000-0x000000200000 : "linux"
0x000000200000-0x000000400000 : "rootfs"
0x000000400000-0x000000420000 : "tuya-label"
0x000000420000-0x000001000000 : "jffs2-fs"
PPP generic driver version 2.4.2
nf_conntrack version 0.5.0 (432 buckets, 1728 max)
ip_tables: (C) 2000-2006 Netfilter Core Team
TCP: cubic registered
NET: Registered protocol family 17
l2tp_core: L2TP core driver, V2.0
8021q: 802.1Q VLAN Support v1.8
Realtek FastPath:v1.03

Probing RTL819X NIC-kenel stack size order[1]...
eth0 added. vid=9 Member port 0x10f...
eth1 added. vid=8 Member port 0x10...
[peth0] added, mapping to [eth1]...
VFS: Mounted root (squashfs filesystem) readonly on device 31:2.
Freeing unused kernel memory: 192K (802f0000 - 80320000)
init started: BusyBox v1.13.4 (2019-10-28 20:08:05 CST)
Set power startcmd read


b8000038: 2794A104  0000000F    00000042  00000018    '▒▒        B
cmd write
Write memory 0xb8000038 dat 0x1794a104: 0x1794a104
Set power end
killall: dropbear: no process killed
udhcpc (v1.13.4) started
Sending discover...
Sending select for 192.168.1.193...
Lease of 192.168.1.193 obtained, lease time 600
deleting routers
route: SIOCDELRT: No such process
adding dns 192.168.1.1
adding dns 8.8.8.8
adding dns 1.1.1.1
adding dns 77.88.8.8

Please press Enter to activate this console. Tuya Gateway Application Normal Srart /tuya/tuya_start.sh UserAppRunDir:
set defult run_dir:/tuya
TY_ENV_APP_RUN_DIR=/tuya
get user cfg file error, load defult cfg file
load platform configure file:/tuya/def.cfg
start.conf is exist
udhcpc (v1.13.4) started
current run dir:/tuya/tuya_user1
tuya_start_children.sh:UserAppRunDir:/tuya JsonFile Path:/tuya/def.cfg [engineer_mode: ]
nameserver 8.8.8.8
Sending discover...
Sending select for 192.168.1.193...
Lease of 192.168.1.193 obtained, lease time 600
deleting routers
route: SIOCDELRT: No such process
adding dns 192.168.1.1
adding dns 8.8.8.8
adding dns 1.1.1.1
adding dns 77.88.8.8
nameserver 8.8.8.8
killall: app_detect.sh: no process killed
killall: tyZ3Gw: no process killed
killall: log_detect.sh: no process killed
killall: process_monitor.sh: no process killed
killall: tyZ3Gw: no process killed
cat: can't open '/tuya/eng_mode': No such file or directory
no eng file
nlRecvFromAppSock sg_netlinkKeyPid:257
nlRecvFromAppSock port link sg_netlinkPid:257
chpasswd: an error occurred updating password for root
tuya-linux login: root
Password:
Tuya Linux versi
Please press Enter to activate this console.
tuya-linux login:

Also starting with zigbee. I got this as part of a starter kit (3 rgb bulbs, remote dimmer, bridge for €15).

Have you still been running into stability issues lately? Considering whether I should try to hack it or just try to sell it and get the sonoff dongle. Stability is most important since my gf also needs to use the lights lol.

I’ve flashed some tuya switches and bulbs with Tasmota and esphome so I’m not per sé unfamiliar, but maybe it’s not worth the hassle and potential lack of support in the future.

Yes it works, but I had some issues:

  • The initial troubles of flashing it. The instructions on the internet are great, but it takes time and experience to do.
  • Software interference of ZHA (using the Silvercrest-router) and deConz (using the Conbee-stick) showing devices twice in HA. I never found out what happened. I removed and re-added all those devices.
  • Lights lose connection too frequently.

The Lidl hardware has some more disadvantages:

  • Pairing the Lidl remote control succeeded, but the device was never reliable as it lost its connection quickly.
  • The quality of the light spectrum doesn’t match that of the more expensive bulbs.
  • It’s too easy to get the lights in pairing mode. My partner was unaware of the lights being Zigbee controlled and ‘off’. Angry at not getting light instantly, she flipped an electrical switch three times in quick succession and got the 3 bulbs in ‘disco style’ pairing mode. :persevere:

The bridge itself is pretty stable after all now. I still don’t dare to pair what I consider ‘essential’ lights and sensors to it. So the living room and bedroom are controlled by Ikea Tradfri and Conbee, which have proven to be reliable bridges. It is not just me as a hobbyist who uses Zigbee controlled lighting and can easily fix things; my family expects stable and predictable lighting.

The Silvercrest / Livarno (Lidl) stuff was already quite cheap and I think Lidl is currently dumping their stock. I suspect they will be leaving this market. Their Black Friday offer is about Euro 2,40 for a lamp with E14 socket. This is a real dump price for a Zigbee compatible light bulb.
So I don’t expect any future support or new hardware from Lidl. When the supply of hardware runs out I expect also less interest from the community in maintaining and updating the software.
So you can get it working, but I doubt it will be easy, if possible, to upgrade it.

Thanks for your elaborate response Randy. The Lidl has 50% discount often in the NL on smart-home stuff but you might be right; even the cheapest tuya WiFi lamps on AliExpress or local budget stores are more expensive.

Notwithstanding I did get the starter kit, 2 ceiling lamps and some rgb e14 bulbs because they were just so cheap. I also ordered a sonoff 3.0 usb dongle to pair them with my HA instead of the Lidl bridge, which I’ll try to sell if there’s any market for it. Next lights I’ll shell out a bit more for some better light quality lamps (if you have any tips, most welcome!), since my GF also needs to use the lights and really doesn’t appreciate lights not working :wink:

Is there a newer radio firmware somewhere? I have been following the openHAB tutorial (Hacking the Lidl Silvercrest ZigBee Gateway: A Step-by-Step Tutorial - Tutorials & Examples - openHAB Community), but they only have v8 radio firmware, and zigbee2mqtt wants 13-14.

Hi, please tell me how to get the JFFS2 firmware? I tried using a script, but it doesn’t download the firmware and doesn’t give any errors. Tell me how to download the firmware correctly? Do I need to press ESC when executing the code?

python dump_flash.py --serial-port COM3 --output-file jffs2.img --start-addr 0x420000 --end-addr 0x1000000

Hello, how to execute this script correctly?

Like this:
python dump_flash.py --serial-port /dev/serial0 --output-file jffs2.bin --start-addr 0x420000 --end-addr 0x1000000
But this will take quite some time, the filesystem is much bigger!

Yes, I ran it on both Ubuntu and Windows. A null file named jffs2.img is being created; a day has passed and the file has remained empty. I’m asking if I’m running the command the wrong way? After all, it doesn’t make any mistakes. The loader is not activated by the command and nothing happens; the board is loaded as usual. How should it work? How should it run properly?

I ran it from a Raspberry Pi: connecting the wires will be very easy then.
After I sent the command, you will immediately see the data coming in. It takes a while, but when you have the prompt back there is the bin file.
If a null file is created, then it means the script doesn’t get any data. Check the wiring between your machine and the Tuya device. If you can escape the boot process, do so and wait until it’s done. Then, leave the terminal connection and use the python script to extract the filesystem (only one terminal connection can be made at any time).

1 Like
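The checks discussed in this exchange, as an added Python example that is not part of any poster's message or of dump_flash.py: it derives the dump address range from the MTD partition lines in the kernel log posted earlier in the thread, then classifies a finished dump as empty, short, all-0xFF or plausible. The function names are hypothetical, and the JFFS2 test (node magic 0x1985 at the start of at least one erase block) is a heuristic.

```python
import re

# Constructed sample: the MTD partition lines copied from the kernel log in this thread.
BOOT_LOG = """\
0x000000000000-0x000000020000 : "boot+cfg"
0x000000020000-0x000000200000 : "linux"
0x000000200000-0x000000400000 : "rootfs"
0x000000400000-0x000000420000 : "tuya-label"
0x000000420000-0x000001000000 : "jffs2-fs"
"""

MTD_LINE = re.compile(r'^0x([0-9a-f]+)-0x([0-9a-f]+) : "([^"]+)"', re.M)
ERASE_SIZE = 0x10000                      # erasesize=0x10000 in the same log
JFFS2_MAGIC = (b"\x19\x85", b"\x85\x19")  # 0x1985, big- or little-endian


def partitions(log):
    """Return {name: (start, end)} from the kernel's MTD partition lines."""
    return {m[3]: (int(m[1], 16), int(m[2], 16)) for m in MTD_LINE.finditer(log)}


def dump_args(log, name):
    """Address arguments for dump_flash.py that cover exactly one partition."""
    start, end = partitions(log)[name]
    return f"--start-addr {start:#x} --end-addr {end:#x}"


def check_dump(data, log, name):
    """Classify a dump: 'empty', 'short', 'erased', 'no-jffs2-magic' or 'ok'."""
    start, end = partitions(log)[name]
    if not data:
        return "empty"        # nothing received: wiring, or not at the bootloader prompt
    if len(data) != end - start:
        return "short"        # transfer stopped before the end of the partition
    if data.count(0xFF) == len(data):
        return "erased"       # every byte 0xFF: erased or unread flash
    if name == "jffs2-fs":
        blocks = range(0, len(data), ERASE_SIZE)
        if not any(data[o:o + 2] in JFFS2_MAGIC for o in blocks):
            return "no-jffs2-magic"
    return "ok"


if __name__ == "__main__":
    print(dump_args(BOOT_LOG, "jffs2-fs"))
```

Running the check on the output file before handing it to Jefferson separates a transfer problem (empty or short file) from a filesystem problem.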

I bought the Lidl Silvercrest about 2 years ago, but have only just now hacked it. It was unused before that. I added it to Home Assistant.
I have also bought an Aeotec MultiSensor 6. Should it work with the Silvercrest?
I am trying to add it to Home Assistant but it doesn’t see any device. Next I killed the serialgateway program and restarted it manually on the command line. On the command line I only see the connection with Home Assistant.
On the sensor I have pressed the button once, or pressed and held it a while. Some lights change; I don’t understand what it means.

Where can I get a cross compiler for the Lidl Silvercrest Realtek Linux? If I want to recompile that serial gateway.

You have to open a serial connection first, then reboot it and press ESC during boot. Now you are in the boot loader. Then exit from the serial connection and run that python script. You can’t run python if it is not in the boot loader state.

Please help

I read all the threads here, and although there were already such questions, I did not find the answer.

  • I connected the board to the UART adapter,
  • set the recommended communication parameters,
  • but I cannot stop the bootloader on RealTek.

Is there any way to effectively stop the startup process?

My output:

Booting...

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@
@ chip__no chip__id mfr___id dev___id cap___id size_sft dev_size chipSize
@ 0000000h 0c84018h 00000c8h 0000040h 0000018h 0000000h 0000018h 1000000h
@ blk_size blk__cnt sec_size sec__cnt pageSize page_cnt chip_clk chipName
@ 0010000h 0000100h 0001000h 0001000h 0000100h 0000010h 000004eh GD25Q128
@ 
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
DDR1:32MB
 
---RealTek(RTL8196E)at 2024.07.31-17:51+0800 v3.4T-pre2 [16bit](380MHz)
P0phymode=01, embedded phy
check_image_header  return_addr:05010000 bank_offset:00000000
no sys signature at 00010000!
get uboot flag failed
Jump to image start=0x80c00000...
decompressing kernel:
Uncompressing Linux... done, booting the kernel.
done decompressing kernel.
start address: 0x80003780
Linux version 3.10.90 (lx@LAPTOP-MUK09GQH) (gcc version 4.6.4 (Realtek RSDK-4.6.4 Build 2080) ) #2 Mon Aug 5 10:37:24 CST 2024
CPU revision is: 0000cd01

I can type on the keyboard, entering the login and password, so I assume that RX and TX are connected correctly.

My board is a Tuya from China.

Which serial connection app are you using? Have you changed keyboard settings? Windows, Linux or Mac?