@ferguson88 do you remember where and when you got these LSPA9 on W600? Is this something new?
bogran wrote:Hi!
I have a WIFIPO120FWT SmartPlug 16A (Nedis) but can't find any teardown for tuya-cloudcutter. Looks like some people have managed to flash BK7231T, but I'm curious which profile is then used? I tested with test_device_exploitable.py and per the comment it is exploitable since it "seems to be 'frozen'".
ferbulous wrote:@p.kaczmarek2
With my scheduled router reboot (close to 5 am daily)
I noticed my N device took longer to reconnect while T reconnects instantly.
Is there a timer event if wifi offline I can use to trigger restart with the script?
p.kaczmarek2 wrote:Can you do an experiment - power off and power on the problematic device manually and see if it also takes so long to connect to WiFi?
//delay script to start after 15 seconds on startup so device can connect to wifi
delay_s 15
//starts event id 01 with 2 minutes, then restarts openbk
alias myboot addRepeatingEventID 01 120 1 restart
//cancel event id 01 timer
alias noboot cancelRepeatingEvent 01
if MQTTState 0 then myboot else noboot
ferbulous wrote:You can choose the correct profile based on the tuya firmware version.
And you can use lightleak to dump the stock firmware bin wirelessly for the pinout details from the json file.
https://github.com/tuya-cloudcutter/lightleak
ferbulous wrote:@bogran the lightleak is optional and you probably won’t need to dump your firmware now that there’s a pinout available on the openbk database.
You’ll just need to run cloudcutter on a pi or any arm board to flash it OTA. If you start getting the ‘A-xxx’ prefix instead of ‘Smartlife-xxx’ after running the script then it can be flashed
Quote: Example: ./run_flash.sh -p avatar-asl04-tv-backlight -f custom_firmware_UG_file.bin
p.kaczmarek2 wrote:this script might need some fixes, but in general, if the "ping watchdog" doesn't work then I am not sure what might be happening. We might need to investigate it a bit more, any possibility of getting a UART log of such a device?
In the worst case I might consider adding some kind of self-logging history to the LittleFS.....
//delay script to start after 15 seconds on startup so device can connect to wifi
delay_s 15
//starts event id 01 with 2 minutes, then restarts openbk
alias myboot addRepeatingEventID 01 120 1 restart
//cancel event id 01 timer
alias noboot cancelRepeatingEvent 01
if MQTTState 0 then myboot else noboot
if MQTTState 1 then noboot else myboot
Info:EVENT:CMD_Alias: the alias you are trying to use is already in use (as an alias or as a command)
Info:EVENT:CMD_Alias: the alias you are trying to use is already in use (as an alias or as a command)
Info:EVENT:CMD_If: second argument always must be 'then', but it's '0'
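The three Info lines above point at two separate problems in the posted script, and what follows is an added example (not code from this thread or from the OpenBeken project) of the same watchdog written so that it loads cleanly. The two "alias ... already in use" lines appear when the script is executed a second time on a running device: each alias line tries to define a name that already exists and the later definition is ignored. The "second argument always must be 'then', but it's '0'" line means if MQTTState 0 then ... was tokenized as MQTTState, 0, then, so if never received a usable condition. The version below drops the if and uses addChangeHandler, which runs a command when a tracked variable changes. It assumes the argument order addRepeatingEventID [IntervalSeconds] [RepeatsOr-1] [UserID] [Command] and addChangeHandler [Variable] [Relation] [Constant] [Command] from the OpenBeken command reference, that MQTTState is one of the variables addChangeHandler tracks, and that the script lives in autoexec.bat so it runs once per boot. The alias names armReboot and disarmReboot are arbitrary.

```text
// Added example, not from this thread: MQTT reconnect watchdog for autoexec.bat
// Assumed argument order (check against your firmware's command reference):
//   addRepeatingEventID [IntervalSeconds] [RepeatsOr-1] [UserID] [Command]
//   addChangeHandler    [Variable] [Relation] [Constant] [Command]

// give WiFi and the MQTT client a chance to come up before arming anything
delay_s 15

// event ID 1: one shot, 120 seconds from now, restarts the device
alias armReboot addRepeatingEventID 120 1 1 restart
// cancel the pending restart with the same ID
alias disarmReboot cancelRepeatingEvent 1

// arm unconditionally at boot: MQTTState is already 0 here, so a change
// handler on "== 0" would never fire on a device that fails to connect
armReboot

// disarm as soon as the broker connection is up, re-arm whenever it drops
addChangeHandler MQTTState == 1 disarmReboot
addChangeHandler MQTTState == 0 armReboot
```

Arming the one-shot restart at boot and cancelling it on the 0 to 1 transition covers both the cold-boot case and later disconnects, and the alias lines are only ever evaluated once per boot, so the "already in use" message does not recur unless the script is re-run from the console. If your build expects the event ID before the interval, reorder the numbers in the armReboot line accordingly before relying on it.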
p.kaczmarek2 wrote:I remember you had very good ideas for scripts, can you take the time and list here what you'd think would be cool to do with scripting?
ferbulous wrote:@bogran I didn't have to specify anything
just run the script ./run_flash.sh
it's gonna ask for the firmware you want to flash (download the firmware to the custom-firmware directory)
then just pick the profile based on your device firmware
1.0.2 - BK7231N / oem_bk7231n_dctrl_switch
> 1.0.2 - BK7231T / bk7231t_common_user_config_ty
1.0.2 - BK7231T / cuco_sw5_bk_common
1.0.2 - BK7231T / oem_bk7231s_control_switch
1.0.2 - BK7231T / oem_bk7231s_light_mix4to5_db_rmd
ferbulous wrote:@bogran yeah, if the current profile doesn’t work, just keep trying the next one. Bring the device closer to rpi so the script can finish the ota
> 1.0.2 - BK7231T / bk7231t_common_user_config_ty
[?] Select the brand of your device: Minoston
> Minoston
> 1.0.2 - BK7231T / cuco_sw5_bk_common
[?] Select the brand of your device: Gosund
> Gosund
> 1.0.2 - BK7231T / oem_bk7231s_control_switch
[?] Select the brand of your device: KOGAN
> KOGAN
> 1.0.2 - BK7231T / oem_bk7231s_light_mix4to5_db_rmd
[?] Select the brand of your device: TreatLife
> TreatLife
[?] Select your custom firmware file: OpenBK7231T_UG_1.15.130.bin
> OpenBK7231T_UG_1.15.130.bin
OpenBK7231T_App-1.15.161/src/httpserver/http_fns.c:// { Setup_Device_NedisWIFIPO120FWT_16A, "Nedis WIFIPO120FWT SmartPlug 16A"},
OpenBK7231T_App-1.14.143/src/httpserver/http_fns.c: { Setup_Device_NedisWIFIPO120FWT_16A, "Nedis WIFIPO120FWT SmartPlug 16A"},
ferbulous wrote:@bogran no, with tuya-cloudcutter, it's all about the firmware version, not the model/brand name of the device. If Gosund/Treatlife etc. is listed, then choose that one
So you've picked all the profiles for 1.0.2 (T) but you're still not getting the 'A-xxx' after running the run_flash script?
Then you might need to consider using lightleak app that can dump your firmware wirelessly.
Once you have the firmware bin, you can request for new profile in cloudcutter github page, so far this only works for T device (haven't had success with N..yet) after I tested it
==> Toggle Tuya device's power off and on again 6 times, with ~1 sec pauses in between, to enable AP mode. Repeat if your device's SSID doesn't show up within ~30 seconds. For smart plugs long press the reset button on the device for about 5 seconds. See https://support.tuya.com/en/help/_detail/K9hut3w10nby8 for more information.
Scanning for known AP SSID prfixes: "A-" "GRID-" "Geeni-" "Globe Suite-" "LDV SMART+-" "Lumary-" "Merkury-" "Nexxt Home-" "SL-CreeLighting-" "SL-FLSNT-" "SmartLife-" "TreatLife-SL-" "UltraPro-" "Woox-" "atomi-smart-" "iHome-"
.
Found access point name: "SmartLife-8555", trying to connect..
Device 'wlan0' successfully activated with 'dfdd78e3-cbd0-4a6d-a6df-86ad10bf14de'.
Connected to access point.
Waiting 1 sec to allow device to set itself up..
Running initial exploit toolchain..
Exploit run, saved device config to!
output=/work/configured-devices/MpM63HRiBZlX.deviceconfig
Saved device config in /work/configured-devices/MpM63HRiBZlX.deviceconfig
==> Turn the device off and on again once. Repeat 6 more times if your device's SSID doesn't show up within ~5 seconds. For smart plugs long press the reset button on the device for about 5 seconds. See https://support.tuya.com/en/help/_detail/K9hut3w10nby8 for more information.
Scanning for known AP SSID prfixes: "A-" "GRID-" "Geeni-" "Globe Suite-" "LDV SMART+-" "Lumary-" "Merkury-" "Nexxt Home-" "SL-CreeLighting-" "SL-FLSNT-" "SmartLife-" "TreatLife-SL-" "UltraPro-" "Woox-" "atomi-smart-" "iHome-"
.
Found access point name: "SmartLife-8555", trying to connect..
Error: Connection activation failed: (53) The Wi-Fi network could not be found.
..
Found access point name: "SmartLife-8555", trying to connect..
Device 'wlan0' successfully activated with 'dfaa33e3-caa1-3b2d-b6bb-46bb11aa22de'.
Connected to access point.
Configured device to connect to 'cloudcutterflash'
Device is connecting to 'cloudcutterflash' access point. Passphrase for the AP is 'abcdabcd' (without ')
Flashing custom firmware ..
==> Wait for 20-30 seconds for the device to connect to 'cloudcutterflash'. This script will then show the firmware upgrade requests sent by the device.
Using WLAN adapter: wlan0
Dec 10 17:39:06 dnsmasq[15]: started, version 2.80 cachesize 150
Dec 10 17:39:06 dnsmasq[15]: compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC loop-detect inotify dumpfile
Dec 10 17:39:06 dnsmasq-dhcp[15]: DHCP, IP range xx.xx.xx.xx -- xx.xx.xx.yy, lease time 12h
Dec 10 17:39:06 dnsmasq-dhcp[15]: DHCP, sockets bound exclusively to interface wlan0
Dec 10 17:39:06 dnsmasq[15]: read /etc/hosts - 8 addresses
Configuration file: /dev/stdin
wlan0: Could not connect to kernel driver
Using interface wlan0 with hwaddr aa:aa:aa:aa:aa:aa and ssid "cloudcutterflash"
wlan0: interface state UNINITIALIZED->ENABLED
wlan0: AP-ENABLED
Dec 10 17:40:07 dnsmasq-dhcp[15]: 2017981830 available DHCP range: xx.xx.xx.xx -- xx.xx.xx.yy
Dec 10 17:40:07 dnsmasq-dhcp[15]: 2017981830 client provides name: wlan0
Dec 10 17:40:10 dnsmasq-dhcp[15]: 2017981830 DHCPDISCOVER(wlan0) bb:bb:bb:bb:bb:bb
Dec 10 17:40:10 dnsmasq-dhcp[15]: 2017981830 tags: wlan0
. . .logs removed. . .
[W 221210 17:40:11 iostream:1404] SSL Error on 12 ('xx.xx.xx.xx', 49153): [SSL: DECRYPTION_FAILED_OR_BAD_RECORD_MAC] decryption failed or bad record mac (_ssl.c:1129)
Using PSK v1 - Received PSK ID version 02
Dark Man wrote:
I would like:
- after pressing the button, the Toggle function to work (setting the pin to BTN_TGL_ALL always activates the maximum brightness), but after turning on the light, it should set the appropriate color and brightness of the CW light,
- on double click, the light to turn off after 60 minutes,
- after holding down the button, to be able to step through the brightness, e.g. 15% 30% 45% 60% 75% 100%
I am able to write something similar in Tasmota, but how do I do it here?
//
// SetButtonTimes [ValLongPress] [ValShortPress] [ValRepeat]
// Each value is times 100ms.
// Defaults:
// SetButtonTimes 10 3 5
// more responsive hold:
SetButtonTimes 10 3 5
// shortcut for command. Repeat time is 10 sec, repeat count is 1
alias add_turnoff_event addRepeatingEvent 10 1 led_enableAll 0
// toggles light state - not needed, done automatically
//addEventHandler OnClick 7 led_enableAll toggle
// exec alias
addEventHandler OnDblClick 7 add_turnoff_event
// turn on and do add_dimmer 5 with bWrapInsteadOfClamp enabled
addEventHandler OnHold 7 backlog led_enableAll 1; add_dimmer 5 1
ferbulous wrote:@bogran any luck with the other profiles?
==> Turn the device off and on again once. Repeat 6 more times if your device's SSID doesn't show up within ~5 seconds. For smart plugs long press the reset button on the device for about 5 seconds. See https://support.tuya.com/en/help/_detail/K9hut3w10nby8 for more information.
Scanning for known AP SSID prfixes: "A-" "GRID-" "Geeni-" "Globe Suite-" "LDV SMART+-" "Lumary-" "Merkury-" "Nexxt Home-" "SL-CreeLighting-" "SL-FLSNT-" "SmartLife-" "TreatLife-SL-" "UltraPro-" "Woox-" "atomi-smart-" "iHome-"
..
Found access point name: "SmartLife-8555", trying to connect..
Error: Connection activation failed: (53) The Wi-Fi network could not be found.
....
Found access point name: "A-8555", trying to connect..
Device 'wlan0' successfully activated with '88ac386c-fd10-463e-a94a-0b6eac7b2eda'.
Connected to access point.
Configured device to connect to 'cloudcutterflash'
Device is connecting to 'cloudcutterflash' access point. Passphrase for the AP is 'abcdabcd' (without ')
Flashing custom firmware ..
==> Wait for 20-30 seconds for the device to connect to 'cloudcutterflash'. This script will then show the firmware upgrade requests sent by the device.
Using WLAN adapter: wlan0
.
. logs removed
.
[I 221211 12:25:41 web:2271] 200 GET /files/OpenBK7231T_UG_1.14.143.bin (xx.xx.xx.xx) 6490.30ms
[DEVICE OTA] Responding to device OTA HTTP request range: bytes=0-445231/445232
Sending firmware update message {"data":{"firmwareType":0},"protocol":15,"t":1670761543} using protocol 2.2
Firmware update messages triggered. Device will download and reset. Exiting in 30 seconds.
bogran wrote:Then it just went dark and not responding to anything. Guess the device is dead/bricked and there's nothing more to do about that ?
ferbulous wrote:
It's not bricked. If it doesn't respond or broadcast the OpenBeken AP, then you could've flashed the wrong firmware for the chip (eg T firmware for an N device and vice versa) and that would require the serial method to reflash it again.
Which profile worked for your device?
ferbulous wrote:@bogran then you’ve successfully flashed openbkt on it
Now you need to configure the pinout, select your device from the web application