logo elektroda
logo elektroda
X
logo elektroda
Advanced Search
logo elektroda

Avatto SWT60 Smart Watering Timer: Teardown, Constant Restarts and Firmware Analysis

Cramp1017 1608 19
ADVERTISEMENT
Reply | New topic
  • #1 21147933
    Cramp1017
    Level 4  
    Hi,
    I have bought an Avatto SWT60 Smart Watering Timer Irrigation timer.

    I paired it to the SmartLife app, and extracted the local key from my Tuya cloud project. However, the device constantly restarts with a hardware watchdog reset reason, and it is only controllable via wifi for mere seconds before each restart (so 2-3 seconds in every 2-3 minutes). The manufacturer didn't look into the issue, they simply refunded me instead of fixing the problem. I'd like to make use of the device, hence I'm considering using OpenBeken.

    Has anyone ever encountered this device? Is it using a dedicated microcontroller + a tuya board, or using the tuya board as the brain?

    Attached is a picture of the available test pads.

    Avatto SWT60 smart irrigation timer held in hand. Image of the interior of the Avatto SWT60 smart irrigation timer with visible test pads.

    I'd like to contribute to the development of OpenBeken by dumping the firmware, and maybe trying to analyze whatever's in the firmware. I have a logic analyzer, oscilloscope, multimeter, so all the tools needed to get information that is required to analyze this product.
  • ADVERTISEMENT
  • #2 21147957
    p.kaczmarek2
    Moderator Smart Home
    Sure, let's get this supported together. Just... how do you know it gets restarted because of the watchdog? Tuya logs?

    This is most likely a TuyaMCU device, so this guide applies:
    https://www.elektroda.com/rtvforum/topic4038151.html
    Helpful post? Buy me a coffee.
  • #3 21147996
    Cramp1017
    Level 4  
    >>21147957
    Okay, so I poked around with my multimeter (will poke around with an oscilloscope & logic analyzer tomorrow), the 5 pin port looked very interesting.
    Pin1: 3V3
    Pin2, 3: Pulled low
    Pin4: GND
    Pin5: Pulled high

    How could I identify with a logic analyzer which port is TX? I guess I should get some output at boot, correct?

    With regards to the watchdog, see the following (unfortunately Mandarin since I made the screenshot for the manufacturer) screenshot:
    Screenshot of device log with hardware watchdog reset errors in Mandarin.
    The error reason is 'hardware watchdog reset' and it happens in jittery, but periodical manner.
  • #4 21148045
    divadiow
    Level 34  
    what does the inside look like? please post pictures.
  • #5 21148498
    Cramp1017
    Level 4  
    >>21148045
    I tried taking it apart, unfortunately the internal screws are covered with silicone and they are not accessible, only by destroying the water seal.

    Added after 39 [minutes]:

    >>21148498
    Given I got refunded for it and I had no use for it without wifi, in the name of science I sacrificed the poor thing. (Ignore the mosfet that got destroyed in the process :D)
    Close-up of a circuit board with an Allwinner XR806 chip. Close-up of a motherboard with visible electronic components and UART test points. Close-up of a circuit board with visible components and markings. Close-up of a printed circuit board showing test points UART2_RX, UART2_TX, and GND, with a PS_3V3 marking. Motherboard with various electronic components, including an Allwinner XR806 SoC chip.

    It has an Allwinner XR806 SoC, and the most of the UART test points are not accessible without breaking the device.
  • ADVERTISEMENT
  • #6 21148584
    divadiow
    Level 34  
    ooh! an XR806. I've been angling to get to one to try the XR809 build on, though the XR806 does have a different SDK I think.

    Interesting.

    That BAT32G127 MCU is also seen in this https://www.elektroda.com/rtvforum/topic4064181.html

    One or more of those RX/TX pads must be good for boot log capture and then maybe firmware dump? Assuming you can get it into uart download mode.

    Added after 38 [minutes]:

    looks like only PB02 needs to be pulled low to get XR806 into download mode, as opposed to PB02 and PB03 on XR809
  • #7 21148686
    p.kaczmarek2
    Moderator Smart Home
    If this is TuyaMCU, you can still swap XR806 to ESP or to Beken and still use this device. What is the damaged MOSFET 7002K responsible for?
    Helpful post? Buy me a coffee.
  • ADVERTISEMENT
  • #8 21148689
    Cramp1017
    Level 4  
    >>21148686
    What is the damaged MOSFET 7002K responsible for?
    Turning on the valve :D

    It's not waterproof anymore, so it's more or less useless :(
  • #9 21148707
    divadiow
    Level 34  
    a good candidate for XR806 OBK support testing ;)
  • #10 21148711
    Cramp1017
    Level 4  
    >>21148707
    Okay, I can get boot logs on UART2, can reset the tuya chip by pulling NRST low. But I just cannot get it to go to download mode (https://www.elektroda.com/rtvforum/topic4063735.html - phoenixMC_v3.1.21014b.exe), there's nothing on UART0/1/2 when I pull PB02 low.
  • #13 21148767
    Cramp1017
    Level 4  
    >>21148718>>21148713
    I managed to get the board into bootloader mode and connect with the older PhoenixMC. I can dump the memory perfectly, but unfortunately the flash dump is all zeros :(
  • #14 21148871
    p.kaczmarek2
    Moderator Smart Home
    This reminds me of a flash protection, but I don't know if XR806 has this feature. Maybe we need to read more. Alternatively, we can just give up making backup and just try to flash it. Is XR809 firmware compatible with XR806? Or do we have to compile OpenXR809 app with another SDK?
    Helpful post? Buy me a coffee.
  • #16 21148886
    p.kaczmarek2
    Moderator Smart Home
    Is it totally dead? Maybe it would be possible to still capture some TuyaMCU traffic first?
    Helpful post? Buy me a coffee.
  • #17 21148887
    Cramp1017
    Level 4  
    >>21148886
    It's not totally dead, just the screen broke (and of course the water sealing) while I forced it apart. It was fully potted with silicone.
  • ADVERTISEMENT
  • #19 21431244
    divadiow
    Level 34  
    Hi @Cramp1017 do you still have this device?
  • #20 21441811
    divadiow
    Level 34  
    using the pk jbgpnksjxnlpdf9 found in the Tuya config file posted above, we can determine the following from Tuya

    Code: Text
    Log in, to see the code


    interesting is the update and upgrade responses

    Code: Text
    Log in, to see the code


    Code: Text
    Log in, to see the code


    those URLs give us a 2 unique files
    keyryxypduts8upx-1.0.4-1.0.0-1722682007418 and 172119857176074bd1f38.bin the smaller of the two, 145kb, being some kind of differential.
    Code: Text
    Log in, to see the code


    The larger, 1,167,192 bytes, is the OTA update. So now we have an OTA file to use for reference purposes.

    The files will land here eventually https://github.com/openshwprojects/FlashDumps/tree/main/IoT/XR806
Reply | New topic
Report a violation of the law

Topic summary

The discussion revolves around the Avatto SWT60 Smart Watering Timer, which experiences constant restarts due to a hardware watchdog reset. The user, after pairing the device with the SmartLife app and extracting the local key from Tuya, seeks to utilize OpenBeken for firmware analysis and development. Various contributors provide insights into the device's internal components, including the Allwinner XR806 SoC and the BAT32G127 MCU. They discuss methods for accessing UART test points, capturing boot logs, and the challenges faced in dumping firmware, which appears to be protected. The conversation also touches on the potential for replacing the XR806 with an ESP or Beken chip and the implications of a damaged MOSFET responsible for valve operation. The user ultimately sacrifices the device for scientific exploration, despite its compromised waterproofing.
Summary generated by the language model.
Popular Topics
ADVERTISEMENT