How to flash WiFi socket without disassembly

Summary:

Tuya is one of the biggest IoT players and runs one of the biggest IoT clouds, used by a huge number of devices. I will show you how to use tuya-convert to simulate this cloud locally and flash alternative firmware onto a device without disassembling it.

Difficulty: Hard

What is tuya-convert

Michael Steigerwald, founder of the German start-up VTRUST, revealed by reverse engineering how the Chinese firm tuya performs remote firmware updates on individual devices. Tuya is currently one of the biggest IoT players and delivers its solution to more than 10,000 manufacturers.

Original tuya cloud

This led Michael to the idea of using the same remote-update mechanism to load his own firmware from the "cloud". In principle, it is a firmware upload without having to disassemble the device, achieved by simulating the tuya cloud locally.

Tuya-convert is a project hosted on GitHub and consists of a set of Python scripts designed to simulate the tuya cloud.

💡 It is fair to note that tuya-convert is definitely not an application with a nice UI, and you may face many technical problems. However, the result, flashing without having to physically dismantle the device, is worth it.

🥁 Keep in mind that unexpected problems can occur during flashing and may leave the device non-functional, in which case you will need to physically disassemble it after all.

Now that we know the goal, let's look at the whole process, which can be divided into these parts:

  • Preparation and installation of tuya-convert
  • Preparation of alternative firmware
  • Flashing alternative firmware by using tuya-convert
  • Final tuning

Preparation and installation of tuya-convert

To install tuya-convert we will need a computer running Linux and ideally a combination of Ethernet plus WiFi or two WiFi interfaces.

The popular Raspberry Pi 3B+ "credit-card sized" computer (available at AliExpress if you don't have one yet) seems ideal. Even older versions without the plus will be sufficient.

Credit-card sized computer Raspberry Pi 3B+

Today I will present a slightly different procedure, using Armbian OS on the NanoPi M4 board (available on AliExpress) manufactured by the Chinese company FriendlyElec. It is the same size as a Raspberry Pi but much more powerful in many respects.

Credit-sized computer NanoPi M4

Operating System Installation – Armbian OS

The installation is quite straightforward and fast, as we can use ready-made disk images for the NanoPi M4.

We currently have two options:

  • Armbian Bionic – includes Ubuntu 18.04
  • Armbian Stretch – includes Debian 9

For our purposes of installing tuya-convert, Debian is a better choice.

However, if you prefer Ubuntu for some reason, you need to resolve one problem:

dnsmasq: failed to create listening socket for port 53: Address already in use

The solution is not complicated. Before running tuya-convert, stop the service that already occupies port 53 (systemd-resolved), because the dnsmasq started by tuya-convert needs that port:

sudo systemctl stop systemd-resolved

Note that while systemd-resolved is stopped the host itself has no DNS resolver; start the service again (sudo systemctl start systemd-resolved) when you are done flashing.

Disk images are available on the Armbian website; download the version you prefer.

To write the image to an SD card, use the Etcher application.

App Etcher for writing an image to an SD card

After booting the system from the SD card, log in as root with the default password 1234; you will then be asked to change it to a password of your own.

Update all packages (apt update && apt upgrade) and enable the ssh service in the armbian-config utility.

Installing the tuya-convert repository

With the basic system ready, we can clone the tuya-convert repository and install the required packages:

git clone https://github.com/ct-Open-Source/tuya-convert
cd tuya-convert
./install_prereq.sh

Installation should end with the following lines:

Successfully built paho-mqtt pyaes tornado
Installing collected packages: paho-mqtt, pyaes, tornado
Successfully installed paho-mqtt-1.4.0 pyaes-1.6.1 tornado-6.0.2
Ready to start upgrade

Now we have tuya-convert ready and we can go for the firmware preparation.

Preparation of alternative firmware

Nowadays there are several alternative firmwares to choose from; today I will focus on two of them, Sonoff-Tasmota and ESPHome.

I chose the BlitzWolf BW-SHP2 WiFi socket (available at AliExpress, Banggood) as the product to flash. It is actually the same product as the Koogeek KLSP1 (AliExpress) or the Gosund SP1, and probably some others.

All three products are physically manufactured in China by tuya and differ only slightly according to the vendors' requirements; the vendors then distribute them under their own brands. And of course they all use the tuya cloud.

Three same WiFi sockets with different brand

The big advantage of the product is the price, approx. $13.

However, the process of preparing the firmware and flashing it via tuya-convert should be very similar regardless of the product; what matters more is the original firmware version.

🥁 It is currently not possible to flash a device that contains original firmware version 1.0.5. Therefore, do not pair the device with the manufacturer's application before you start flashing: it is quite possible that a background update would be performed.

1st option – Sonoff-Tasmota

There is no need for any special preparation for the Sonoff-Tasmota firmware.

The advantage is that a basic Sonoff-Basic build is currently included in the tuya-convert package, so there is no need to download anything else.

The settings for these sockets will be described in the last section of this article.

2nd option – ESPHome

The ESPHome firmware has a different philosophy. Instead of a relatively generic image, we need to compile a product-specific image, so now we have to look at the configuration.

To begin with, I recommend doing something similar to Sonoff-Basic, i.e. a completely basic firmware without any additional functionality.

The following configuration should suffice for the sockets described:

esphome:
  name: blitzwolf01
  platform: ESP8266
  board: esp8285

wifi:
  ssid: '<wifi_name>'
  password: '<wifi_password>'

logger:

web_server:
  port: 80

api:

ota:

Check the configuration in the ESPHome dashboard and use the three-dots icon to compile the firmware. The compiled file has to be transferred to the minicomputer (where tuya-convert is installed) into the tuya-convert/files directory.

We’ll add more functionality in the last chapter.


In a nutshell how to install ESPHome

  • Set up Python 2.7 with pip
  • Install virtualenv – pip install virtualenv
  • Create a virtual environment – virtualenv esphome
  • Activate virtual environment – source esphome/bin/activate
  • Install ESPHome – pip install esphome
  • Run ESPHome dashboard – esphome myhome dashboard
  • Connect to the dashboard via browser – url http://localhost:6052
ESPHome Dashboard

Flashing alternative firmware by using tuya-convert

Finally, here's the chapter where we use tuya-convert to the fullest.

Run the application using ./start_flash.sh; you will see a screen asking you to type yes and confirm with Enter. Once we do this, tuya-convert launches several services:

  • a WiFi access point called vtrust-flash
  • a web server for HTTP/HTTPS communication
  • the Mosquitto MQTT broker for MQTT communication

======================================================
TUYA-CONVERT

https://github.com/ct-Open-Source/tuya-convert
... 
... CAN NOT be held accountable for ANY DAMAGE or LOSS OF FUNCTIONALITY by typing yes + Enter 

yes
======================================================
  Starting AP in a screen
  Stopping any apache web server
  Starting web server in a screen
  Starting Mosquitto in a screen

Potential issue: ImportError: No module named Crypto.Cipher

When I ran tuya-convert after these steps, everything looked fine, but the upload process didn't work. So I looked in the logs and found a message about the missing Crypto.Cipher library. I do not know whether this is specific to Armbian OS, but if you see it, it can be solved by:

apt-get install python3-dev
pip install pycrypto

Two more steps are required now:

  • connect from any WiFi-enabled device to the newly created AP called vtrust-flash; ideally use a cell phone. The network password is flashmeifyoucan. Note that this password is public, so anyone within WiFi range can join the AP while it is running; keep it up only as long as the flashing takes.
  • plug in the device you want to flash and put it into pairing mode; since the device has not been used yet, it should enter this mode automatically. You can recognize it by the fast-blinking blue LED.

💡 A great update for the first step: there is an Arduino project for ESP82xx chipsets that can replace the need to connect a mobile phone to the vtrust-flash AP and makes flashing smoother. If you are interested, have a look on GitHub.

Once these two steps are done, press Enter and the process moves on to the next stage:

======================================================
Starting pairing procedure in screen
RTNETLINK answers: File exists
~/tuya-convert
Waiting for the upgraded device to appear
If this does not work have a look at the '*.log'-files in the 'scripts' subfolder!

You have now reached the most problematic point, at least it was for me. To get a better overview of whether the process is progressing, I suggest connecting to the minicomputer from another console and following the log:

cd tuya-convert/scripts
tail -f smarthack-wifi.log

This log contains all the information about the activity of the newly created WiFi AP, and you are halfway there when the device to be flashed appears in it.

Initially, only the initialization is in the log:

Creating new /etc/dnsmasq.conf...
Writing hostapd config file...
Configuring AP interface...
Applying iptables rules...
Starting DNSMASQ server...
Starting AP on wlan0 in screen terminal...
Configuration file: /etc/hostapd/hostapd.conf
Using interface wlan0 with hwaddr b0:f1:ec:65:xx:xx and ssid "vtrust-flash"
wlan0: interface state UNINITIALIZED->ENABLED
wlan0: AP-ENABLED

Once you connect with your mobile phone, the following should appear in the log:

wlan0: STA f4:31:c3:2b:xx:xx IEEE 802.11: associated
wlan0: AP-STA-CONNECTED f4:31:c3:2b:xx:xx
wlan0: STA f4:31:c3:2b:xx:xx RADIUS: starting accounting session 20CEAEEFCA602DA5
wlan0: STA f4:31:c3:2b:xx:xx WPA: pairwise key handshake completed (RSN)

And finally, when the device to be flashed connects:

wlan0: STA dc:4f:22:fe:xx:xx IEEE 802.11: associated
wlan0: AP-STA-CONNECTED dc:4f:22:fe:xx:xx

💡 If you do not see the device in the log, it is a good idea to stop tuya-convert and start it again. Unfortunately, except for the BlitzWolf, it didn't always work the first time and I really don't understand why.

After the connection is established, the current firmware of the device is automatically backed up, so you can in theory return to the original firmware later. The file is stored in the tuya-convert root directory.

IoT-device is online with ip 10.42.42.42
Fetching firmware backup
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 1024k  100 1024k    0     0  26642      0  0:00:39  0:00:39 --:--:-- 24706
curl: Saved to filename 'firmware-c49c5e.bin'
======================================================
Getting Info from IoT-device
VTRUST-FLASH 1.1
(c) VTRUST GMBH https://www.vtrust.de/35c3/
READ FLASH: http://10.42.42.42/backup
ChipID: c49c5e
MAC: 60:01:94:C4:xx:xx
BootVersion: 4
BootMode: normal
FlashMode: 1M DOUT @ 40MHz
FlashChipId: 144051
FlashChipRealSize: 1024K
Active Userspace: user2 0x81000

======================================================
Please make sure to note the correct SPI flash mode!
Installing an alternative firmware with the wrong flash mode will leave the ESP unable to boot!

Next steps:
1. To go back to the orginal software
   # curl http://10.42.42.42/undo

2. Be sure the conversion software runs in user2
   # curl http://10.42.42.42/flash2

3. Flash a third party firmware to the device
BE SURE THE FIRMWARE FITS THE DEVICE AND USES THE CORRECT FLASH MODE!
MAXIMUM SIZE IS 512KB
put or link it to ./files/thirdparty.bin
A basic build of Sonoff-Tasmota v6.5.0 is already included in this repository.
   # curl http://10.42.42.42/flash3
Alternatively let the device download and flash a file via HTTP:
   # curl http://10.42.42.42/flashURL?url=http://10.42.42.1/files/thirdparty.bin
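Before calling flash3 or flashURL it is worth checking mechanically that the image in files/thirdparty.bin matches what the device has just reported, rather than reading the flash mode by eye. The following Python script is an added example, not part of tuya-convert or of this article's original material: it parses the "Getting Info from IoT-device" block, decodes the first four bytes of the ESP8266 image header (magic 0xE9, segment count, flash mode, flash size/frequency nibbles, in the encoding esptool writes), and flags a mode mismatch or an oversize image as errors and a size or frequency mismatch as warnings. It also checks that a backup file has the full FlashChipRealSize. The device info text and the two tiny firmware blobs embedded below are constructed samples for demonstration.

```python
"""Sanity-check a third-party image against the flash parameters tuya-convert reports."""
import re
import struct
import sys

# Constructed sample of the "Getting Info from IoT-device" block (values taken from the article).
DEVICE_INFO = """\
ChipID: c49c5e
MAC: 60:01:94:C4:xx:xx
BootVersion: 4
BootMode: normal
FlashMode: 1M DOUT @ 40MHz
FlashChipId: 144051
FlashChipRealSize: 1024K
Active Userspace: user2 0x81000
"""

# Encodings of header bytes 2 and 3 of an ESP8266 image (esptool / ROM bootloader convention).
FLASH_MODES = {0: "QIO", 1: "QOUT", 2: "DIO", 3: "DOUT"}
FLASH_SIZES = {0x0: "512K", 0x1: "256K", 0x2: "1M", 0x3: "2M", 0x4: "4M",
               0x5: "2M-c1", 0x6: "4M-c1", 0x8: "8M", 0x9: "16M"}
FLASH_FREQS = {0x0: "40MHz", 0x1: "26MHz", 0x2: "20MHz", 0xF: "80MHz"}
MAX_THIRDPARTY_SIZE = 512 * 1024  # limit printed by tuya-convert

# Constructed 64-byte stand-ins for firmware files; only the header matters for the check.
GOOD_IMAGE = bytes([0xE9, 0x03, 0x03, 0x20]) + b"\x00" * 60  # DOUT, 1M, 40MHz
BAD_IMAGE = bytes([0xE9, 0x03, 0x00, 0x40]) + b"\x00" * 60   # QIO, 4M, 40MHz


def parse_device_info(text):
    """Pull the flash-related fields out of the info block tuya-convert prints."""
    fields = dict(re.findall(r"^([A-Za-z][A-Za-z ]*?):\s*(.+)$", text, re.M))
    m = re.fullmatch(r"(\S+) (\S+) @ (\S+)", fields["FlashMode"].strip())
    if not m:
        raise ValueError("unexpected FlashMode line: %r" % fields["FlashMode"])
    size, mode, freq = m.groups()
    return {"chip_id": fields["ChipID"], "size": size, "mode": mode, "freq": freq,
            "real_size": fields["FlashChipRealSize"]}


def parse_image_header(blob):
    """Decode the first four header bytes of an ESP8266 image."""
    if len(blob) < 4:
        raise ValueError("image too short")
    magic, nseg, mode, size_freq = struct.unpack("<BBBB", blob[:4])
    if magic != 0xE9:
        raise ValueError("not an ESP8266 image: magic byte 0x%02x" % magic)
    return {"segments": nseg,
            "mode": FLASH_MODES.get(mode, "unknown(%d)" % mode),
            "size": FLASH_SIZES.get(size_freq >> 4, "unknown(%d)" % (size_freq >> 4)),
            "freq": FLASH_FREQS.get(size_freq & 0x0F, "unknown(%d)" % (size_freq & 0x0F))}


def check_firmware(blob, info_text):
    """Compare an image with the device report. Errors should block flashing; warnings are advisory."""
    dev = parse_device_info(info_text)
    hdr = parse_image_header(blob)
    errors, warnings = [], []
    if len(blob) > MAX_THIRDPARTY_SIZE:
        errors.append("image is %d bytes, tuya-convert limit is %d" % (len(blob), MAX_THIRDPARTY_SIZE))
    if hdr["mode"] != dev["mode"]:
        # The SPI mode mismatch is the one the tool warns about: the ESP will not boot.
        errors.append("flash mode %s in image, device reports %s" % (hdr["mode"], dev["mode"]))
    if hdr["size"] != dev["size"]:
        warnings.append("flash size %s in image, device reports %s" % (hdr["size"], dev["size"]))
    if hdr["freq"] != dev["freq"]:
        warnings.append("flash frequency %s in image, device reports %s" % (hdr["freq"], dev["freq"]))
    return {"errors": errors, "warnings": warnings}


def check_backup(blob, info_text):
    """A complete backup should be exactly FlashChipRealSize bytes (1024K for this socket)."""
    real = parse_device_info(info_text)["real_size"]
    expected = int(real.rstrip("Kk")) * 1024
    return len(blob) == expected


if __name__ == "__main__":
    # Usage: python check_image.py files/thirdparty.bin [firmware-c49c5e.bin] < device-info.txt
    info = sys.stdin.read()
    with open(sys.argv[1], "rb") as f:
        result = check_firmware(f.read(), info)
    for w in result["warnings"]:
        print("WARNING:", w)
    for e in result["errors"]:
        print("ERROR:", e)
    if len(sys.argv) > 2:
        with open(sys.argv[2], "rb") as f:
            print("backup size matches chip:", check_backup(f.read(), info))
    sys.exit(1 if result["errors"] else 0)
```

Paste the info block tuya-convert printed into a file and feed it on stdin; a non-zero exit status means the image should not be flashed as-is. The size and frequency nibbles rarely stop a device from booting, which is why they are reported as warnings only, while the mode byte is treated as a hard error.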

If you got here, there is one last step: uploading the alternative firmware.

For Sonoff-Tasmota in the basic Sonoff-Basic configuration, enter the command:

curl http://10.42.42.42/flash3

If we want to load the compiled ESPHome firmware instead, we change the files/thirdparty.bin symbolic link so that it no longer points to sonoff-basic.bin but to our firmware file.

Then start the upload process with:

curl http://10.42.42.42/flashURL?url=http://10.42.42.1/files/thirdparty.bin

The screen informs you that the firmware is being loaded, and then the device restarts automatically.

Final tuning

We will show two options again. First for Sonoff-Tasmota and the second for ESPHome.

Sonoff-Tasmota tuning

After flashing, we should see approximately the following welcome screen in the Tasmota web interface:

Sonoff-Tasmota - Sonoff Basic welcome screen

To enable all the features the WiFi socket offers, it is necessary to change the module type in the configuration; for the sockets mentioned here it is Gosund SP1 v23.

After rebooting, we should also see all the information about current and daily consumption.

Sonoff-Tasmota - specific configuration for Gosund SP1

ESPHome tuning

With ESPHome, we should see the device as Online in the dashboard after successful flashing.

Socket is online after successful flashing

We can also check the web interface directly on the device:

ESPHome web interface

To add support for the socket's functions, edit the configuration and add the following lines:

binary_sensor:
  - platform: gpio
    id: button
    pin:
      number: GPIO3
      inverted: True
    on_press:
      - switch.toggle: fakebutton

switch:
  - platform: template
    name: "Blitzwolf SHP2 Switch"
    optimistic: true
    id: fakebutton
    turn_on_action:
    - switch.turn_on: relay
    - light.turn_on: led
    turn_off_action:
    - switch.turn_off: relay
    - light.turn_off: led
  - platform: gpio
    id: relay
    pin: GPIO14

output:
  - platform: esp8266_pwm
    id: pow_blue_led
    pin:
      number: GPIO1
      inverted: True

light:
  - platform: monochromatic
    output: pow_blue_led
    id: led

sensor:
  - platform: wifi_signal
    name: "Blitzwolf SHP2 WiFi Signal"
    update_interval: 60s
  - platform: uptime
    name: "Blitzwolf SHP2 Uptime"
  - platform: hlw8012
    sel_pin:
      number: GPIO12
      inverted: True
    cf_pin: GPIO04
    cf1_pin: GPIO05
    current_resistor: "0.0028"
    voltage_divider: "960"
    current:
      name: "Blitzwolf SHP2 Current"
      unit_of_measurement: A
    voltage:
      name: "Blitzwolf SHP2 Voltage"
      unit_of_measurement: V
    power:
      name: "Blitzwolf SHP2 Power"
      unit_of_measurement: W
      id: power
    change_mode_every: 8
    update_interval: 10s
  - platform: total_daily_energy
    name: "Blitzwolf SHP2 Total Daily Energy"
    power_id: power
    # integrates power (W) over time, so the unit is watt-hours, not watts
    unit_of_measurement: Wh

text_sensor:
  - platform: version
    name: "Blitzwolf SHP2 Firmware version"

status_led:
  pin: GPIO13

time:
  - platform: sntp
    id: my_time

After the restart we can see the individual parameters in the log:

[16:14:58][C][ota:128]:   Address: blitzwolf01.local:8266
[16:15:02][D][time.sntp:077]: Synchronized time: Wed Mar 27 16:15:30 2019
[16:15:13][D][sensor.hlw8012:084]: Got power=19.6W, voltage=240.4V
[16:15:15][D][api:546]: Client 'Home Assistant 0.90.1 (10.2.1.158)' connected successfully!
[16:15:23][D][sensor.hlw8012:084]: Got power=19.8W, voltage=240.2V

If you have any experience with tuya-convert, I'll be happy if you share it in the comments. Useful information will be added directly to the article.
