Eswin ECR6600 flashing guide, datasheet, pinout, 100% local setup, Home Assistant

insmod wrote:

I just changed 1.0.22 to 1.0.23 and it started to download another archive
Inside it is folder named eswin_ecr6600_1.0.23_temp

oh cool. it's not listed here, so, dunno



We could get all the BK, XR806 etc TuyaOS SDKs too..

>>21481466 Is there any for TR6260?
I'm also getting 1.0.0, but it's more than 3 times the size
It contains unpacked toolchain, that's the reason for the size.
It also contains uboot and stub source

insmod wrote:

Is there any for TR6260?

sadly no, not in GUI

Here's a list of some from Sep 2023, so later can probably be guessed



Added after 29 [minutes]:

p.kaczmarek2 wrote:

I see, used SDK is nds32le-elf-mculib-v3s.tar.gz, but now it seems that we would need to compile Ghidra from source...

Did you go down this route?

I haven't tried it yet, but if you have some time we can try it together.

The only interesting thing I've found is that Ghidra can currently load BK7231 libtuya_iot.a as is, so if we need a reference...

Added after 9 [minutes]:

It seems that "tuya_storge" is actually just calling "Simple Flash App", as in "sf". At least on Beken.


Added after 4 [minutes]:


__sf_protected_block_init is the function that reads first block (on Beken, at least), and it works for us on ECR

Added after 24 [minutes]:

sf_hand_s structure
https://github.com/search?q=sf_hand_s&type=code

Added after 57 [seconds]:

https://github.com/openshwprojects/OpenRTL871.../tuya_base/kv_storge/flash/simple_flash.h#L93

divadiow wrote:

Here's a list of some from Sep 2023, so later can probably be guessed

also. these are easy enough to get from Tuya Wind IDE in VS Code but must be done on Linux
-Sign-up for Tuya developer account https://developer.tuya.com/
-Install Tuya Wind IDE extension in VS Code

-Sign into Tuya Wind as developer account

-filter in Resource Center according to requirements


I choose to save somewhere custom

then the link to main zip is in the SDKInformation.json file, by which point you've downloaded it anyway and have it unzipped


Added after 2 [minutes]:

VSC on Windows just says get Linux



Added after 3 [minutes]:

p.kaczmarek2 wrote:

I haven't tried it yet, but if you have some time we can try it together.

could...do..
I sense people around me irl will try to pull me away from computer today though.

Added after 19 [minutes]:

insmod wrote:

It also contains uboot and stub source

what possibilities does this open up?

Added after 16 [minutes]:

divadiow wrote:

could...do..
I sense people around me irl will try to pull me away from computer today though.

im trying build of https://github.com/osy/ghidra/tree/tim/add_nds32_processor now

Added after 43 [minutes]:

divadiow wrote:

I believe this is because TuyaOS3 has changed the way config is stored. It needs working out and a new config extractor made I guess. A few OS3 firmwares are about, including all Tuya LNs so far

this whole config extraction issue ties in with this I believe. I think any TuyaOS3 (3.3+ maybe?) has this new way of storing config, on any platform. eg BK-N Tuya_3Phase_Power_Meter_PC321-W-TY_(schemaID-ey2r2s)_key83r5jq9qqeaxt_TuyaMCU_CBU_3.1.28.bin = failed to extract keys

Does Tuya_3Phase_Power_Meter_PC321-W-TY_(schemaID-ey2r2s)_key83r5jq9qqeaxt_TuyaMCU_CBU_3.1.28.bin also fail at second block? I'll try.

Added after 3 [minutes]:

No, it has correct CRCs on along all blocks. It's a different fault scenario.

p.kaczmarek2 wrote:

No, it has correct CRCs on along all blocks. It's a different fault scenario.

hmm ok ok. to which failure point do any of the LNs align?

Added after 1 [minutes]:

divadiow wrote:

im trying build of https://github.com/osy/ghidra/tree/tim/add_nds32_processor now

Jsondoclet dependency issues. trying to sort. might switch to linux/fresh machine

LN882H dumps are the same like PC321. It decrypts all blocks without CRC errors.

The underlined checks are only failing for ECR6600 configs:


I can get this from LN882H:


Added after 27 [minutes]:




Google for: aes128_ecb_decode_raw
https://www.tuyaos.com/viewtopic.php?t=2885

Quote:

Module: WBR1D, tuyaos: 3.3.4.
Decryption error using aes128_ecb_decode_raw decryption interface in aes_inf.h header file. The decrypted data is incorrect. Please help me look at the same data. The encryption is successful, but the decryption cannot be done with the same key. The following is a code snippet.

Code: text Expand Select all Copy to clipboard

BYTE_T data1[] ="b4046667e3c549673aa75369b605f342";
		BYTE_T datakey1[] ="6r4mq0ptoan2wf70";
		//UINT32_T outlen1 = 0;
		BYTE_T  outdata1[33] = {0};

	aes128_ecb_decode_raw(data1, strlen(data1), outdata1, datakey1);

		TAL_PR_INFO("data1;%s", data1);
		TAL_PR_INFO("strlen(data1);%d", strlen(data1));
		TAL_PR_INFO("outdata1;%s", outdata1);
		TAL_PR_INFO("strlen(outdata1);%d", strlen(outdata1));
		TAL_PR_INFO("datakey1;%s", datakey1);
	TAL_PR_DEBUG("AES_DE2: ");
        memset(dataget,0,32);
	for (int j = 0; j < strlen(outdata1); j++) {
        memset(cat,0,8);
        sprintf(cat,"%02x",outdata1[j]);
        strcat(dataget,cat);
	}
		TAL_PR_INFO("dedataget;%s", dataget);
	aes_free_data(outdata1);

The following is the log content

Code: text Expand Select all Copy to clipboard

[2024-03-06 08:27:34.144]# RECV ASCII>
 I][tuya_app_main.c:268] data1;b4046667e3c549673aa75369b605f342

[01-01 08:00:03 TUYA I][tuya_app_main.c:269] strlen(data1);32

[01-01 08:00:03 TUYA I][tuya_app_main.c:270] outdata1;?

[01-01 08:00:03 TUYA I][tuya_app_main.c:271] strlen(outdata1);2

[01-01 08:00:03 TUYA I][tuya_app_main.c:272] datakey1;6r4mq0ptoan2wf70

[01-01 08:00:03 TUYA D][tuya_app_main.c:273] AES_DE2: 

[01-01 08:00:03 TUYA I][tuya_app_main.c:280] dedataget;9231

Added after 2 [minutes]:





Added after 3 [minutes]:

https://github.com/tuya/TuyaOpen/blob/3f4ed7f...86bf/src/tal_security/src/tal_symmetry.c#L270

divadiow wrote:

divadiow wrote:

im trying build of https://github.com/osy/ghidra/tree/tim/add_nds32_processor now

done. for Linux



https://1drv.ms/u/c/88c85548b4baddc3/ESkfHPehxD9Kmd1EaIPDx-MBi6XzRDStAPCAsDwZ_f0VTg?e=Up0e78

Added after 3 [minutes]:

p.kaczmarek2 wrote:

I can get this from LN882H:

p.kaczmarek2 wrote:

LN882H dumps are the same like PC321. It decrypts all blocks without CRC errors.

oh cool. potential for Easy Flasher extraction for other platforms

Good job, so are you able to open ECR6600 binary now?

To sum up - there are currently two issues with keys extraction.
Issue 1 - as discussed here, ECR6600 seems to have different secondary key
Issue 2 - our json extraction is "naive" and it produces partially messed up JSON, as you probably saw many times.

For now, we're focusing on issue 1 - ECR6600 keys. Later we could also look into issue 2, try to transcribe the KV logic partition into our flasher so JSON is reconstructed correctly.

p.kaczmarek2 wrote:

Good job, so are you able to open ECR6600 binary now?

hmm. I don't know Ghidra. not got far

If you click on a function, are you actually able to view disassembly with that?

>>21483399

So it works, nice.... very good job

Well, if you want to try going futher, then next step probably is to search string references for that "key" message you've found yourself in the boot log, and then check where is the function that prints it.

You can also share your Ghidra binary now here, I could try doing it as well, which Linux do I need? Well I will have to set a VM.

divadiow wrote:

https://1drv.ms/u/c/88c85548b4baddc3/ESkfHPehxD9Kmd1EaIPDx-MBi6XzRDStAPCAsDwZ_f0VTg?e=Up0e78

here. file is too big to upload as attachment actually not true, attached

I'm using Ubuntu 24.04.1

anything interesting?


keyge8wsy99n5pr7, HHRRQbyemofrtytf don't show any results for me and aes128_ecb_decode_raw only has


your previous screenshots had more

I'm barely at "downloading Ubuntu LTS stage", but I will try to use what you've compiled.

I don't know Ghidra well, I remember playing with IDA PRO back in school, but Ghidra is relatively new to me. Still, here is how I would start - we need to find the SF/keyvars functions in the flash. They won't be labelled like I shown in decompiled Tuya library, they will have no names, but if you look here (my old screenshot from tuya lib):

You can see that sf_protected_block_init is referencing 0x13579753 constant, so it should be possible to look for that constant with search and then find the function as well.
Alternatively, you can also try looking for the string references, for example for the "key data is not matched" on my screenshot above. If you find this string in Ghidra, and do "find functions referencing this data", you may find sf_protected_block_init (of course, under FUNC_xyz name, as it has no label)

not been able to get any references found for anything so far

eg the one you mention

Here's a brief tutorial on how I do it.
1. Click search:

2. Choose "Memory":

3. Enter 0x13579753 and search:

Yes. Cheers, I did do a memory search in the course of things but later hit a wall and haven't progressed further yet.

Added after 32 [minutes]:

what was your base address btw?

My sample was made on tuya_iot library from BK7231 SDK. The one with function names, not the flash dump.

I've tried your compiled Ghidra on Ubuntu and it seems I'm stuck.

Look:

Font blinks and only like 1% of text is visible...
I've tried so far:
https://github.com/NationalSecurityAgency/ghidra/issues/212

I'm on:

p.kaczmarek2 wrote:

My sample was made on tuya_iot library from BK7231 SDK. The one with function names, not the flash dump.

ah yes, of course.

p.kaczmarek2 wrote:

Font blinks and only like 1% of text is visible...

oh. hmm. um. I RDP into my Ubuntu, could try that rather VM console (assuming that's how you're viewing it)

It's a virtual machine

Windows

im still fiddling

Nice, how did you manage to compile it? I'll check this out once I get some free time. Hopefully today.

p.kaczmarek2 wrote:

Nice, how did you manage to compile it?

Ghidra? The main culprit was this https://github.com/NationalSecurityAgency/ghidra/pull/6610 so overwrote those two affected files

It seems we indeed need to figure out a way to get proper addressing, base address and flash start. I've tried to use the partition table from the start of the file (0x9000), but no luck yet.

giving these a spin

https://github.com/8051Enthusiast/allyourbase
https://github.com/soyersoyer/basefind2

I've tried the first one you gave and it seems correct?


Added after 2 [minutes]:

but not all match?