Hacking the Silvercrest (Lidl/Tuya) Smart Home Gateway

Have you followed commands from this tutorial?

I just did and everything works.

but this command doesn’t work:
cat serialgateway.bin | ssh -p2333 [email protected] "cat >/tuya/serialgateway"

This command needs to be executed from a Linux/Mac machine which is able to ssh into the gateway. That’s the reason you need to sort out ssh first

PS when you sort out ssh then it is available at the normal ssh port 22

I am running all from a Linux machine.

I port scan the IP address for open ports with nmap, but the ssh port is not open on port 2333.
That’s why the connection is refused.

I am getting the following error, can anyone help me? Thank you.

lidl_auskey_decode.py:

UnicodeDecodeError: 'ascii' codec can't decode byte 0x9b in position 0: ordinal not in range(128)
I am having the same issue. I have also run nmap against the device and I see the same 2 ports open as you.

Annoyingly, I did have access via SSH but it seemed to hang as I was transferring the serialgateway.bin across. I rebooted the device and I haven’t been able to access it since.

Do you think it is possible that they performed an OTA upgrade and switched off the SSH server?

I still have serial access and I would be really grateful for any pointers.

I’ve just managed to restart the ssh server. Connected via serial, if you run:

cat /tuya/ssh_monitor.sh

you’ll see what looks like a script which puts dropbear to sleep for extended periods of time for each failed login. But at the end there is the command to fire up dropbear again:

/tuya/tuyadropbear -P /var/run/dropbear.tuya.pid -p 2333 -K 300 -T 1

I don’t know enough about these things to know what it does exactly, but I can SSH in again. @daniz - I hope this helps you too.

I have already managed to complete the integration. It has been a difficult and long process, but I will be happy to help if I can.
Thanks to all.

PS: English is not my native language, I am sorry for the inconvenience.

Hi All,

I have been running a flashed Lidl gateway for a few weeks now. It goes offline every now and then (because I’ve set up an automation if the device goes offline). But the main problem is that I can’t change the Lidl E27 and GU10 bulbs’ colours. It shows the colour palette but doesn’t do anything.
I am thinking of reverting back to the factory firmware but I didn’t take a backup (for my sins).
Any ideas how to revert back to the Lidl firmware?

Cheers

Hi, I had the same issue. This is how I solved it:

Hello, I’m trying to use the script above, but Zigbee is unreachable until I change back to the original file from the guide. Can you spot what I am doing wrong?

# remove old file
rm /tuya/tuya_start.sh

# make new file
cat >/tuya/tuya_start.sh <<EOF
#!/bin/sh
while true; do
    pgrep -x serialgateway >/dev/null
    if [[ $? -ne 0 ]] ; then
        echo "Restarting SerialGateway: $(date)" >> /var/log/serialgateway.txt
        /tuya/serialgateway &
    fi
    sleep 30
done &
EOF

# set permissions just in case
chmod 755 /tuya/tuya_start.sh

reboot

It looks like it should work and I just can’t figure it out.

Do I have to make /var/log/serialgateway.txt myself or will it be created?
Or something else? Any and all ideas are welcome.
Thank you!!!

I had the exact same problem.
Just change this line:

cat >/tuya/tuya_start.sh <<EOF

to

cat >/tuya/tuya_start.sh <<‘EOF’

This will prevent bash from evaluating variables in the cat stuff.
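Added example, not part of the original posts: the same watchdog body written with both heredoc forms, so the two resulting files can be compared. With `<<EOF`, the shell that writes the file expands `$?` and `$(date)` on the spot, so the generated script tests a fixed number and logs a fixed timestamp. The function names and temporary files are assumptions for illustration, and `[ ... ]` is used in place of `[[ ... ]]` to keep the sample POSIX.

```shell
#!/bin/sh
# Added example. Writes the same watchdog body with both heredoc forms into
# temporary files (not /tuya/tuya_start.sh) so the results can be compared.

write_unquoted() {   # $1 = output file; <<EOF lets the writing shell expand
    cat >"$1" <<EOF
pgrep -x serialgateway >/dev/null
if [ $? -ne 0 ]; then
    echo "Restarting SerialGateway: $(date)" >> /var/log/serialgateway.txt
fi
EOF
}

write_quoted() {     # $1 = output file; <<'EOF' copies the body verbatim
    cat >"$1" <<'EOF'
pgrep -x serialgateway >/dev/null
if [ $? -ne 0 ]; then
    echo "Restarting SerialGateway: $(date)" >> /var/log/serialgateway.txt
fi
EOF
}

# Succeeds only if the file still contains the literal text $? and $(date).
keeps_literals() {
    grep -qF '$?' "$1" && grep -qF '$(date)' "$1"
}

# Succeeds if the test was frozen into a constant such as: if [ 0 -ne 0 ]
has_constant_test() {
    grep -Eq 'if \[ [0-9]+ -ne 0 \]' "$1"
}

demo() {
    dir=$(mktemp -d)
    write_unquoted "$dir/unquoted.sh"
    write_quoted "$dir/quoted.sh"
    echo "--- <<EOF ---";   cat "$dir/unquoted.sh"
    echo "--- <<'EOF' ---"; cat "$dir/quoted.sh"
    rm -rf "$dir"
}
demo
```

Running `cat /tuya/tuya_start.sh` on the gateway after writing it is the quickest check that `$?` and `$(date)` survived as literal text.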

Thank you, that works!!!
But I don’t know if it’s a copy and paste error: I had to change from ´` to ''.
So if someone does copy and paste, try this:

cat >/tuya/tuya_start.sh <<'EOF'
#!/bin/sh
while true; do
    pgrep -x serialgateway >/dev/null
    if [[ $? -ne 0 ]] ; then
        echo "Restarting SerialGateway: $(date)" >> /var/log/serialgateway.txt
        /tuya/serialgateway &
    fi
    sleep 30
done &
EOF

Again big thank you!!

So I got this idea to monitor the Zigbee connection just to see that it is stable:

sensor:
  - platform: command_line
    name: zigbee connected
    command:  '/bin/bash -c "( netstat -tn |  grep  -c  "192.168.1.133:8888")"'   

And it’s kind of, but not really, working.
It reads 1 when it’s connected, and when it’s not connected I get an error message in the log saying the command failed… and it stays 1.

Command failed: /bin/bash -c "( netstat -tn | grep -c "192.168.1.133:8888")"

When I run it directly in the command line it’s working and I get 1 or 0.

Any ideas why it’s not working? Or any other ideas how to check that it is online?

I think I can see the problem: The exit code of grep will be non zero if the number of lines matched is zero.

Try adding || true to always return a success exit code:

command: '/bin/bash -c "( netstat -tn | grep -c "192.168.1.133:8888" || true)"'

Thank you, that helped a lot.

This is what I ended up with. I added " ESTABLISHED" just to make sure it was connected and not just trying to connect.
If you use this, just make sure that you add or remove enough spaces " " between 8888 and ESTABLISHED so it can get a match; this should be 35 chars long in total.

>>192.168.1.133:8888      ESTABLISHED<<
  - platform: command_line
    name: zigbee connected
    command: /bin/bash -c "( netstat -tn | grep -c '192.168.1.133:8888      ESTABLISHED' || true)"
    scan_interval: 20
    command_timeout: 10
    unit_of_measurement: ' '    

Big thank you for the work you all put into this

Glad to hear it worked!

You could tell grep to match any number of spaces, which would make it slightly more robust:

 \+ESTABLISHED

The space is the character to match
+ says one or more of those characters (‘+’ needs to be escaped if not using extended regular expressions)

In your case that would be:

    command: /bin/bash -c "( netstat -tn | grep -c '192.168.1.133:8888 \+ESTABLISHED' || true)"
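Added example, not part of the original posts: the two points from the replies above (`grep -c` exiting non-zero on a zero count, and matching any run of spaces before ESTABLISHED) combined into one helper. The netstat text is constructed sample output, and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example. The netstat text below is constructed sample output, not
# captured from a real host; 192.168.1.133:8888 is the gateway from the thread.

sample_up='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.1.10:51514      192.168.1.133:8888      ESTABLISHED
tcp        0      0 192.168.1.10:40022      192.168.1.20:22         ESTABLISHED'

sample_connecting='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      1 192.168.1.10:51520      192.168.1.133:8888      SYN_SENT
tcp        0      0 192.168.1.10:40022      192.168.1.20:22         ESTABLISHED'

# Exit status of a plain `grep -c PATTERN` on stdin: the count is printed
# either way, but the status is 1 when the count is 0.
plain_grep_status() {
    grep -c "$1" >/dev/null && echo 0 || echo "$?"
}

# count_established ENDPOINT: reads `netstat -tn` output on stdin and prints
# how many ESTABLISHED connections have ENDPOINT as the foreign (remote)
# address. Always exits 0, so a count of 0 is not reported as a failure.
count_established() {
    # Escape dots so that "." matches only a literal dot in the address.
    pattern=$(printf '%s' "$1" | sed 's/\./\\./g')
    grep -c -E "[[:space:]]${pattern}[[:space:]]+ESTABLISHED" || true
}

demo() {
    printf 'connected:  %s\n' \
        "$(printf '%s\n' "$sample_up" | count_established 192.168.1.133:8888)"
    printf 'connecting: %s\n' \
        "$(printf '%s\n' "$sample_connecting" | count_established 192.168.1.133:8888)"
    printf 'plain grep -c status on zero matches: %s\n' \
        "$(printf '%s\n' "$sample_connecting" | plain_grep_status '192.168.1.133:8888 \+ESTABLISHED')"
}
demo
```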

Hello,
I try and try, but I fail.
I get the same error over and over again when entering the KEK code:
What am I doing wrong?

C:\Users\Milan>lidl_auskey_decode.py
Enter KEK hex string line>      39713448               4B4F666C        367C7943
       526C3A39
Traceback (most recent call last):
  File "C:\Python32\SCRIPTS\lidl_auskey_decode.py", line 54, in <module>
    kek = _decode_kek(_get_bytes(input("Enter KEK hex string line>")))
  File "C:\Python32\SCRIPTS\lidl_auskey_decode.py", line 52, in _get_bytes
    return unhexlify(a[0] if len(a)==1 else a[1])
TypeError: 'str' does not support the buffer interface

Thanks.

Start by removing any superfluous whitespace from the hex string.

I have tried one space, just one space at the start, just at the end of the string, no spaces, but no luck.

The input should be “397134484B4F666C367C7943526C3A39”, no spaces (and no quotes). Seems to get accepted when I try and run the script.

Thank you, on my PC it doesn’t accept the string, so there must be something wrong.
Can you please tell me which program you work with?
I have Python 3.2, and use that script.
Error I get:

(base) C:\Python32>lidl_auskey_decode.py
Enter KEK hex string line>397134484B4F666C367C7943526C3A39
Traceback (most recent call last):
  File "C:\Python32\lidl_auskey_decode.py", line 54, in <module>
    kek = _decode_kek(_get_bytes(input("Enter KEK hex string line>")))
  File "C:\Python32\lidl_auskey_decode.py", line 52, in _get_bytes
    return unhexlify(a[0] if len(a)==1 else a[1])
TypeError: 'str' does not support the buffer interface