EFR32-FW
SUPPORT Request for Tuya RSH-GW-018 DM Zigbee Gateway ZS3L + WBRG1 Gateway
Hello,
First of all I would like to say thank you for your commitment and effort on this!
I recently bought the Tuya Smart Gateway model GW-018 (WiFi + BLE + Zigbee) (https://a.aliexpress.com/_EjwjehJ)
My hope is to use it as an "open" Zigbee gateway bridge, detaching it from the Tuya Cloud.
From the PCB I see the well-known ZS3L plus WiFi+BLE on a separate WBRG1.
Do you have any suggestion? Do you think it is feasible? Thanks! Luca
First, your pictures are private so I can't take a closer look at them. The WiFi/BLE module is the one doing the "Tuya things". https://developer.tuya.com/en/docs/iot/wbrg1-module-datasheet?id=Ka015vo8tfztz The 7-row pads (I think it's marked P3) are for the Zigbee module SWD / debug interface plus the com port for the Tuya things (the last is only likely). P1 looks like one com port for a console, but I can't see it and you must test if you get some output when booting from it.
Hi @MattWestb, thank you for your fast reply. Sorry, but I didn't get what you mean with private picture.. If I understood well, you are suggesting to test if some UART output is present on the P1 pads, since you suspect it is for the console, right? Somehow it seems that the P2 one is directly connected to the ZS3L? Anyway, I'll try both and I'll report here any useful output. Thanks!
The picture is now working so I can take a closer look later (I have seen the same some times before and it takes some time until it is released).
Try to find the Linux console when it's booting; it's very likely on one of the connections. If you find it, the next step is trying to get into bootloader mode of the WiFi module, but first the local console.
PS: the P2 is the first going to the Zigbee module, but the last 3 are going to both and can be used for sorting out something interesting.
Hi, you were right, UART out is on P1 :) Here is the log, but I was not able to interrupt the boot process.. I tried Esc, Enter and all the usual keys. Thanks! Tuya.log
Great, you got the boot log from the WiFi / BT module !!
Bad news is it is not running Linux like the old Eth box was doing.
[01-01 18:12:15 TUYA N][tuya_device.c:139] SDK INFO: < TUYA IOT SDK V:3.1.7 BS:40.00_PT:2.2_LAN:3.4_CAD:1.0.4_CD:1.0.0 >
It's the Tuya IoT SDK / system, so we need to look if the Tuya IoT is hackable or if there is one SDK from the chip that runs a normal Linux.
WBRG1 contains a Realtek RTL8721CSM WiFi+BT with a Cortex CPU.. so it will be a SoC; I think this project could help to write your own system and use it as you like..
https://github.com/ambiot/ambd_sdk
@geduxas Or https://docs.libretiny.eu/
It says RTL8710, not sure if it is a compatible SDK with the 8721 or not.. it could be different products
Hi guys, thanks for your feedback! @MattWestb honestly I was not expecting Linux, but somehow I was expecting a kind of bootloader on it, which seems not accessible (maybe?) via that UART. @geduxas, regarding AmebaD, I cannot find any reference to a Tuya SoC; I believe this is only for the radio chip, correct? In this case, do you have any suggestion for a way forward on it? @mihsu81, this is another very interesting project, but it seems that WBRG1 is in the unsupported board list (even if I see 2 flags on both the WiFi and BT columns? Not clear :( ). Regardless of the alternative compatible SDK, how to flash then? And also this is for the WiFi chip; should I do similar stuff (new firmware) for the ZS3L, right? Really appreciate your interest guys, thank you very much! Luca
@luconedj it's truly nothing to do with Tuya; the chip is made by Realtek and it contains a Cortex CPU, where all the Tuya software is running.
Tuya only packed components from the shelf and made its software. So if you want to untie this device from Tuya, you need to find other software, or write your own.. so SDKs (Software Development Kits) are tool bundles which you require to build and compile your own software..
Take for example other Tuya products which run on ESP chips; they are also WiFi chips with a CPU, and also the same as @mihsu81 mentioned..
@geduxas thank you, got it. At this point I can pick one of the 2, try to write a hello world and then figure out how to tunnel the ZS3L through WiFi, right?
If you can get one ser2net working all shall be OK; it's the only thing that is needed. If not, put in one ESP8266 / 32 and cut the com lines to the Zigbee module, and it shall work as we are doing with ESPHome (some problems with the serial server are still there) or something else on the ESP. The Zigbee module is pretty good (MG21 chip) and can run newer EZSP or RCP / Thread firmware without problems, only a little weak antenna for my taste (compared with the Silabs original that IKEA is using).
Hope we can get one more Tuya GW well hacked !!!!!
Yes, I hope the same! About EZSP, SWD must be used, correct? If so, let me order a Chinese ST-Link V2 from Amazon :)
For ESP only a USB-TTL is needed, but for the ZS3L, if not the bootloader (it shall work), you need to flash a new bootloader on the MG21 chip and you need one SWD that supports MG2X devices (not all do it, as it has extra hardware security).
Hi @MattWestb, thanks. Do you know if this will work? (https://www.amazon.it/gp/product/B0B5WYQ4FT/ref=ppx_yo_dt_b_asin_title_o00_s00?ie=UTF8&th=1) Sorry, the page is in Italian; basically it is the ST-Link V2 clone. Thanks, Luca
It's working 100% on MG1 chips like first and second gen IKEA devices, but likely not on MG2X; some users have got it working but I don't know which firmware and program they were using (I have one original Silabs WSTK, it's one genuine Segger device and it has extra things for Silabs chips in the firmware).
mmm ok, I'll try, 7 euro is affordable and honestly it's a long time that I need one to start playing with STM32 haah. Thanks!
Hello guys!
Got an ST-Link v2 clone and made some progress here.
Using openocd and arm-none-eabi-gdb with the attached configs, I managed to connect to the ZS3L and dump memory (I think hahah):
Here is the log:

```
[luconedj@archlinux ~]$ cat st.cfg
set CPUTAPID 0x6BA02477
adapter driver hla
hla_layout stlink
hla_device_desc "ST-LINK"
hla_vid_pid 0x0483 0x3744 0x0483 0x3748 0x0483 0x374b 0x0483 0x374d 0x0483 0x374e 0x0483 0x374f 0x0483 0x3752 0x0483 0x3753 0x0483 0x3754 0x0483 0x3755 0x0483 0x3757
transport select hla_swd
adapter speed 50
[luconedj@archlinux ~]$ openocd -f st.cfg -f target/efm32.cfg -c "gdb_memory_map disable"
Open On-Chip Debugger 0.12.0
Licensed under GNU GPL v2
For bug reports, read
        http://openocd.org/doc/doxygen/bugs.html
adapter speed: 50 kHz

Info : The selected transport took over low-level target control. The results might differ compared to plain JTAG/SWD
Info : Listening on port 6666 for tcl connections
Info : Listening on port 4444 for telnet connections
Info : clock speed 1000 kHz
Info : STLINK V2J39S7 (API v2) VID:PID 0483:3748
Info : Target voltage: 3.246684
Info : [efm32.cpu] Cortex-M33 r0p3 processor detected
Info : [efm32.cpu] target has 8 breakpoints, 4 watchpoints
Info : starting gdb server for efm32.cpu on 3333
Info : Listening on port 3333 for gdb connections
Info : accepting 'gdb' connection on tcp/3333
[efm32.cpu] halted due to debug-request, current mode: Thread
xPSR: 0x69000000 pc: 0x0000e6a0 msp: 0x2000b4f8
Info : dropped 'gdb' connection
```
On the other terminal with GDB:

```
[luconedj@archlinux ~]$ cat gdb.cfg
target extended-remote 127.0.0.1:3333
set confirm off
monitor halt
info mem
dump memory dump.bin 0x00000000 0x00080000
quit
[luconedj@archlinux ~]$ arm-none-eabi-gdb -x gdb.cfg
GNU gdb (GDB) 14.1
Copyright (C) 2023 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "--host=x86_64-pc-linux-gnu --target=arm-none-eabi".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word".
warning: No executable has been specified and target does not support
determining executable automatically.  Try using the "file" command.
0x0000e6a0 in ?? ()
Using memory regions provided by the target.
There are no memory regions defined.
[Inferior 1 (Remote target) detached]
[luconedj@archlinux ~]$
```
Attached also dump.bin. Analyzing it with a hex editor, it seems quite valid. I also found some strings related to the Gecko bootloader and Ember. dump.bin.zip Any feedback really appreciated!! Thanks guys, Luca
Great work done @luconedj !!! The first 0x0 - 0x3FFFF is the bootloader and then the "APP" is resident at 0x4000 for as long as it needs, and after that is one random block for the NVM file higher in the flash memory. If all is dumped OK it shall be possible to restore the module also after one chip erase. The main flash is good, but some chip information is stored in the area "user data" that can be needed / interesting if Tuya has used it and put something device specific there; we can need it in the future.
Hi @MattWestb, thank you very much for the feedback. Do you know how to extract the user data? Meanwhile I'm still stuck on the WBRG1; I'm not able to find a way to interact with it. If you look at the boot log, you will find this output: [01-01 18:12:15 TUYA N][af-main-host.c:659] >>>Normal UART bootup with FLOWCTRL<<< And exactly at that point there is some kind of fixed pause in the output (like waiting for some interrupt character/pin) and then it continues.. My thought is that due to some HW flow control it is ignoring my button presses. What do you think, any suggestion on the WiFi bastard? Thanks!
https://www.silabs.com/documents/public/data-sheets/efr32mg21-datasheet.pdf
Figure 3.2. EFR32MG21 Memory Map - Core Peripherals and Code Space
You shall have it all.
If I remember, GDB shall detect it and you can list it (at least with MG1P chips) with the info command.
Do one normal dump with start and end address / range, or the name of the memory bank shall work OK like you were doing with the main flash.
Ok cool! To let it work I used this on GDB: -c "gdb_memory_map disable" And in the openocd conf: dump memory dump.bin 0x00000000 0x00080000
So I think I don't have all.. I'll try to repeat the process according to the memory map you shared. I'll let you know, thanks! Luca
Ok, I used this:

```
dump memory flash.bin 0x00000000 0x00100000
dump memory flash_user.bin 0x0fe00000 0x0fe00400
dump memory flash_dev_info.bin 0x0fe08000 0x0fe08400
dump memory flash_chip_config.bin 0x0fe0e000 0x0fe0e400
dump memory flash_reserved_partial.bin 0x0ff00000 0x0ff00400
```

Nothing in user data... This is the binwalk output on flash.bin:

```
DECIMAL       HEXADECIMAL     DESCRIPTION
19276         0x4B4C          Boot section Start 0x57424257 End 0x42703857
```

What about WBRG1? Any idea on this? Thank you so much! Luca
Use the same ST-Link for WBRG1 :)
Only the first two are interesting, as the device info is burned in the factory and we don't have any use for the info stored in the RAM when the processor is running in debug mode.
One IKEA 3rd gen controller with Silabs Commander:
> Use the same ST-Link for WBRG1 :)
Yes.. but how? haah
> Only the first two are interesting, as the device info is burned in the factory and we don't have any use for the info stored in the RAM when the processor is running in debug mode. One IKEA 3rd gen controller with Silabs Commander:

Ok perfect, it makes sense. Thanks!
> Nothing in user data... This is the binwalk output on flash.bin:
>
> DECIMAL HEXADECIMAL DESCRIPTION 19276 0x4B4C Boot section Start 0x57424257 End 0x42703857
From https://www.silabs.com/documents/public/user-guides/ug103-06-fundamentals-bootloading.pdf
On EFR32xG21, the main bootloader resides in main flash: Main bootloader @ 0x0; Application @ 0x4000
And they are using 2 different bootloaders, one for coordinator / CLI apps with X-Modem and one other for devices for OTA updates.
And one good thing to put in the userdata if running EZSP: https://github.com/MattWestb/EFR32-FW/tree/main/Branding_EFR32
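An added example (not code from this issue or the EFR32-FW project) that sanity-checks a dumped flash.bin against the layout quoted above: a Cortex-M vector table should sit at 0x0 (bootloader) and at 0x4000 (application), and the separately dumped user data page can be tested for being still erased. The 1 MB flash size comes from the dump range used above; the 96 KB SRAM window at 0x20000000 is an assumption taken from the EFR32MG21 datasheet, and the sample dump is constructed inline.

```python
"""Check an EFR32MG21 flash dump for the bootloader @ 0x0 / app @ 0x4000 layout.

Added example, not code from the issue or the EFR32-FW project.
Assumptions: 1 MB main flash at 0x0 (the flash.bin dump range), application at
0x4000 (UG103.06), SRAM at 0x20000000 with 96 KB size (MG21 datasheet).
"""
import struct

FLASH_BASE = 0x00000000
FLASH_SIZE = 0x00100000                      # 1 MB, the range dumped to flash.bin
APP_OFFSET = 0x4000                          # application start per UG103.06
SRAM_BASE, SRAM_SIZE = 0x20000000, 0x18000   # assumption: 96 KB MG21 SRAM


def check_vector_table(dump, offset):
    """True if dump[offset:] starts with a plausible Cortex-M vector table.

    Word 0 is the initial MSP: must point into SRAM and be 4-byte aligned.
    Word 1 is the reset handler: Thumb bit set, address inside main flash.
    An erased region (all 0xFF) fails both checks.
    """
    if offset + 8 > len(dump):
        return False
    sp, reset = struct.unpack_from("<II", dump, offset)
    sp_ok = SRAM_BASE <= sp <= SRAM_BASE + SRAM_SIZE and sp % 4 == 0
    reset_ok = (reset & 1) == 1 and FLASH_BASE <= (reset & ~1) < FLASH_BASE + FLASH_SIZE
    return sp_ok and reset_ok


def is_erased(region):
    """True if a dumped region (e.g. flash_user.bin) is all 0xFF, i.e. never written."""
    return len(region) > 0 and all(b == 0xFF for b in region)


def describe(dump, user_data):
    """Summarise the layout checks for a main-flash dump and its user data page."""
    return {
        "bootloader_vector_table": check_vector_table(dump, 0x0),
        "app_vector_table": check_vector_table(dump, APP_OFFSET),
        "user_data_erased": is_erased(user_data),
    }


def constructed_dump():
    """Constructed sample: erased flash with vector tables written at 0x0 and 0x4000."""
    d = bytearray(b"\xff" * (APP_OFFSET + 0x100))
    struct.pack_into("<II", d, 0x0, 0x2000B4F8, 0x0000E6A1)         # constructed bootloader table
    struct.pack_into("<II", d, APP_OFFSET, 0x20004000, 0x00004101)  # constructed app table
    return bytes(d)


if __name__ == "__main__":
    # A real run would read("flash.bin") and read("flash_user.bin") instead.
    print(describe(constructed_dump(), b"\xff" * 0x400))
```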
> Use the same ST-Link for WBRG1 :)
>
> Yes.. but how? haah

As told earlier, it's just a Realtek chip inside.. so you need to find out which pins are exposed on the Tuya board.. I'm almost sure you should find those easily.
Here is the Realtek manual I found: AN0400 Ameba-D Application Note_v3_watermark.pdf
Yes, I saw that application note, but I believe it is not so useful because it is related to the evaluation board.
This should be the pinout of the chip:
Pin 33 and 43.
I tried all the probable combinations on WBRG1 but I think SWD is not exposed because I'm not able to see anything. Moreover, I'm not able to find anything related to SWD for the 8721.
Thanks!
Luca