Good news: >>21655761 I was able to use a Chinese converted ST-LINK V2 to JLINK and a custom version of OpenOCD to back up and restore the firmware on the ZS3L, and then proceeded with installing the new bootloader.
Good news and bad news.
Good news: flashing the new bootloader did NOT brick the device and still booted the stock firmware. This is where I started to get suspicious. If the new bootloader also boots the stock firmware, then it's unlikely to be the cause of other firmware not booting.
Anyways, I proceeded to flash again 8.2.0.0
Bad news: After flashing, the firmware still did not work
Nothing, nada ....
I then flashed a couple more like zs3l_ncp-uart-hw_EmberZNet8.0.1.0.gbl, zs3l_zigbee_ncp_8.1.1.0_115200.gbl, G01-pro-ncp-uart-hw_4.gbl .... but they all did the same, nothing..... tested with bellows and Z2M and ZHA
I then reverted to my backup and am back on stock
There must be something stored in the flash or some other spot on the ZS3L preventing non-stock firmware from booting or making them crash, but I am too scared to go and erase the entire flash; maybe it's not in the flash, and then I'll brick it completely.
Hopefully, these experiments and write-up help someone else, and maybe they come up with a solution.
Maybe the secure boot hash/key is stored somewhere else, see if I can read more about it
Sadly, st-link to j-link is not allowed to operate with anything but stm32 in standard segger applications, and any other that uses jlinkarm.dll
Unfortunately, simplicity commander uses it too. Meaning you would have to either buy a j-link probe, or search for some patched jlinkarm.dll that works with non-stm32 chips. I initially tried that too, but it didn't work for me.
You can ask for help in https://github.com/darkxst/silabs-firmware-builder as my firmware is built as a fork of this repository.
>>21680501 There was something similar to your situation: https://github.com/darkxst/silabs-firmware-builder/issues/84. The gbl file in there might not work for you (or if it works, you would have to reboot to bootloader manually (via pin), since UART pins are different).
Perhaps you can do full flash erase via OpenOCD?
>>21686233 Thanks, I have just tried the init file, and there are a couple of specific .gbl files for the CPU that the ZS3L uses, but I had no luck after erasing the flash.
I eventually got to JLINK the chip, making an interesting discovery, but I had no joy running a newer version.
1) I first tried the command-line Simplicity Commander to unlock the chip, just in case it was the problem. Chip unlocked, but newer firmware did not work
2) This was very interesting as the chip is marked ZS3L, but the identification gave MGM210L022JNF2 with 1024kB flash instead of an EFR32 with 768kB. Does Tuya have a newer version of the ZS3L, and that's why the firmware doesn't run?
3) I was able to wipe the chip, just in case. I then flashed a new bootloader and firmware, but no go to running it
4) I then flashed back the stock firmware backup, and it works. So I trust the JLINK is working correctly.
I wonder if someone can create a custom .gbl file for this chip, if it indeed is the problem.
>>21693329 "Everything is working fine with the MGM210L022JNF firmware '8.2.0.0 build 191' for the ZS3L on the Tuya MOES gateway - NH-THP01-ZB using Z2M."
Tuya MOES gateway - NH-THP01-ZB
Teardown pictures of the device: The device has 4 small screws hidden under the rubber feet
Device top view:
Device back view:
Device PCB view:
Board pinout to flash WBRG1, need to solder lines as there are no headers on the board:
Follow the bootloader procedure with the resistor to put WBRG1 into bootloader mode and load OpenBeken for RTL8720D UART file using the Imagetool.
firmware-b...115200.zip (1.26 MB)
OpenBeken pin configuration:
autoexec.bat
The Zigbee chip can be reset by toggling "Zigbee reset"; handy when the Zigbee chip stops working and you need to remotely reset it.
Force the bootloader to load new firmware by toggling "Zigbee bootloader" followed by a "Zigbee reset" loader; this is helpful when the firmware becomes unresponsive e.g., when you load the incorrect chip firmware.
Any luck with this? Asking because I am about to go full in on changing everything in my apartment to "smart house" it and this would be somewhat more elegant than the separate BT proxy device.
>>21702763 Nothing yet, though my idea evolved a little.
Just get advertisement packets, publish them to MQTT and via HA automation pass them to "Passive BLE monitor" addon
>>21871429 Thanks for the quick reply. I will try again with the Log-RX and Log-TX. Is there a way to flash via Linux as well? I'm trying to minimize Windows usage.
Edit: I read that it could be run using Mono, I will try that.
>>21871479 What steps have you taken exactly?
I have the same gateway as you, and I did it that way:
1. Solder wires to LOG-TX/RX, GND and connect them to UART adapter
2. Connect LOG-TX to GND
3. Power it via USB Type-C
4. Disconnect LOG-TX from GND
If done correctly, it should start spamming NAK symbol (ASCII 0x15) at 115200 baud
After that, flash read/write can be performed.
>>21871513 After disabling Windows Smart App Control, I could run it, and it did work! Finally, thanks for your help. Don't know why it didn't work with Linux.
Added after 6 [minutes]:
>>21871513 Windows 11 seems to block any executables that are not signed correctly if Smart App Control is active.
Added after 1 [hours] 51 [minutes]:
>>21871522 Update: the gateway is up and running with zs3l_zigbee_ncp_8.2.0.0_115200.gbl
Will there be an 8.2.2 as well? I have that on my Sonoff Dongle-E.
Added after 4 [minutes]:
insmod wrote:
Also, in last OBK versions minimal BT Proxy support was added
Where can I get info on that? I have two more of those gateways, I'd like to try BT as well.
And maybe one with OT_RCP firmware? Even if OTBR discourages thread over wifi or ethernet.
In HA, connect it as an ESPHome device. No api key or password required.
Connections aren't supported. Only scanning is. Passive by default, to enable active scan - BTSetScanMode 1
Attachments:
firmware-build-zs3l_zigbee_ncp_8.2.2.0_115200.zip(1.29 MB)
firmware-build-zs3l_openthread_rcp_2.7.2.0_GitHub-fb0446f53_gsdk_2025.6.2_460800.zip(1.1 MB)
>>21871543 Ok, next gateway flashed, with Zigbee NCP 8.2.2. Tried Bluetooth as well (before upgrading the ZS3L firmware). Can Bluetooth be used concurrently with Zigbee or Thread? After registering the device as ESPHome in HA, HA immediately suggested an upgrade of ESPHome, would that even work?
>>21872393 I haven't tried it concurrently, but it should. If there are problems, ble window and interval can be reduced (on RTL it's concurrent by default - window=interval). Command is BTSetWindowInterval, first argument - window, second - interval. Values in ms.
For example - 150ms interval, 50ms window. That way 33% of time it scans, 66% idle or wifi communication.
>>21872452 Yesterday, I deployed the first gateway, runs fine with 6 devices at my mother's home.
Today, I noticed there is a new release, so I tried to update my freshly flashed third gateway with the latest OTA build (https://github.com/openshwprojects/OpenBK7231T_App/releases/download/1.18.281/OpenRTL8720D_1.18.281_ota.img). Can't get it to work, it logs the following error:
Info:OTA:Current firmware index is 1
Error:OTA:Get OTA header failed
Error:OTA:OTA failed
Thanks for the fix @insmod! I'm curious: was it really a Firefox issue or was Firefox only revealing the issue?
At least for the OTA related issues with LN882H and W800 it was just showing the original code didn't expect fast and "filled" (valid) HTTP packets but relied on Chrome(ium)-based browsers' behavior, which IIRC seems to be slower and not putting e.g. header and load into one TCP packet.
I forgot about request->bodystart/request->bodylen, and used request->received, which contains HTTP headers and could contain part of the body.
I came across this issue when doing mDNS for RTL, do you mind looking into that and enabling it on RTL as I have skipped that for that OTA problem reason.
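The OTA failure discussed in the posts above, reduced to a minimal illustration. This is an added example, not OpenBeken's code: the struct reuses the field names mentioned in the post (received, bodystart, bodylen), but its layout, the "OTA1" magic, the /ota path and the sample request are all constructed assumptions.

```c
#include <string.h>

/* Hypothetical request view: field names follow the post, layout is assumed. */
typedef struct {
    const char *received;    /* raw first segment: headers plus maybe body */
    size_t      receivedLen;
    const char *bodystart;   /* first byte after the blank line, or NULL */
    size_t      bodylen;     /* body bytes that arrived with the headers */
} http_req_t;

#define OTA_MAGIC "OTA1"     /* constructed image magic, not a real format */

/* Constructed sample: headers and first image bytes in one TCP segment. */
static const char SAMPLE[] =
    "POST /ota HTTP/1.1\r\nContent-Length: 8\r\n\r\nOTA1\x01\x02\x03\x04";

/* Find the header terminator and record how much body came with it. */
int split_request(http_req_t *r) {
    r->bodystart = NULL; r->bodylen = 0;
    for (size_t i = 0; i + 4 <= r->receivedLen; i++) {
        if (memcmp(r->received + i, "\r\n\r\n", 4) == 0) {
            r->bodystart = r->received + i + 4;
            r->bodylen = r->receivedLen - (i + 4);
            return 0;
        }
    }
    return -1;               /* headers incomplete */
}

/* An image chunk is acceptable only if it starts with the expected magic. */
int ota_header_ok(const char *buf, size_t len) {
    return len >= 4 && memcmp(buf, OTA_MAGIC, 4) == 0;
}

/* Before: everything received is treated as image data, so the header
   check runs against "POST ..." and fails. Returns 1 if accepted, else 0. */
int ota_begin_buggy(const http_req_t *r) {
    return ota_header_ok(r->received, r->receivedLen);
}

/* After: only bytes past the blank line count. 1 = ok, 0 = wait, -1 = reject. */
int ota_begin_fixed(http_req_t *r) {
    if (split_request(r) != 0) return -1;
    if (r->bodylen < 4) return 0;   /* body not here yet, keep reading */
    return ota_header_ok(r->bodystart, r->bodylen) ? 1 : -1;
}

int main(void) {
    http_req_t r = { SAMPLE, sizeof(SAMPLE) - 1, NULL, 0 };
    return (ota_begin_buggy(&r) == 0 && ota_begin_fixed(&r) == 1) ? 0 : 1;
}
```

A client that sends headers and body in separate segments reaches the "wait" branch; one that packs them together reaches the header check straight away. That matches the difference between browsers described in the thread.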
✨ The discussion focuses on converting the Smart Gateway model RSH-GW006 to run OpenBeken (OBK) firmware, aiming to centralize tools, files, setup instructions, and integration guidance. The device teardown reveals four hidden screws and detailed board pinouts and schematics. Firmware for the WBRG1 module is based on OpenRTL8720D, with stable operation reported. The ZS3L module firmware is built with hardware flow offload and can be updated via TCP, though flashing can be sporadic and sometimes requires bootloader mode activation by pulling specific pins high. Universal-silabs-flasher is the primary tool used for flashing ZS3L firmware, supporting both UART and socket connections. Various firmware versions (8.0.2.0, 8.1.1.0, 8.2.0.0, and stock Tuya 6.5.5.0) were tested, with 8.2.0.0 and a specific build for MGM210L022JNF silicon identified as stable and fully functional for the ZS3L on the Tuya MOES NH-THP01-ZB gateway. Challenges include bootloader detection issues, secure boot possibly blocking custom firmware, and hardware differences in ZS3L variants. J-Link and ST-LINK V2 probes with custom OpenOCD were used for chip unlocking, backup, and flashing, as standard Segger tools are limited to STM32 devices. ESP32-S3 and C3 modules were tested for Bluetooth proxy functionality, with temperature and frequency tuning discussed. Bluetooth support in OBK is limited, with ongoing efforts to add BTHome support. The thread includes detailed logs, flashing commands, and troubleshooting steps to aid in successful firmware conversion and integration with Zigbee2MQTT (Z2M) and Home Assistant (HA). Generated by the language model.
TL;DR: Convert the Smart Gateway RSH-GW006 to OBK on the WBRG1 and bridge its ZS3L Zigbee over TCP. 1 month uptime reported; "Stable, I've got a month uptime." Flash with Ameba Image Tool, integrate ZHA at tcp://:8888, and update ZS3L via universal‑silabs‑flasher. [Elektroda, insmod, post #21588192]
Why it matters: You reclaim a Tuya gateway for local control with Home Assistant or Zigbee2MQTT, no cloud required.
Zigbee2MQTT: ZS3L 8.2.0.0 needs latest-dev (EZSP v17); 8.1.1.0 works on stable. [Elektroda, insmod, post #21589890]
What hardware is inside the RSH-GW006, and where does OBK run?
The gateway houses a WBRG1 (Realtek RTL8720D/AmebaD) Wi‑Fi SoC and a Silicon Labs ZS3L Zigbee NCP. OBK (OpenRTL8720D) runs on the WBRG1, while the ZS3L stays as the Zigbee radio exposed over a TCP‑to‑UART bridge. [Elektroda, DeDaMrAz, post #21588187]
How do I open the RSH-GW006 case without damage?
Flip the unit and peel the four rubber feet. Remove the four small screws hidden beneath them. Lift the lid carefully to avoid stressing internal cables. This exposes the WBRG1 and ZS3L modules for UART and J‑Link access. [Elektroda, DeDaMrAz, post #21588187]
How do I put the WBRG1 into bootloader (download) mode?
Follow this 3‑step sequence:
Connect UART (GND, 3V3, RX, TX) to P1 and pull ENABLE to GND.
How can I back up the original WBRG1 firmware safely?
Enter download mode, then run rtltool.py to read full flash, e.g., py -3.12 rtltool.py -p COMx -b1000000 rf 0 0x8000000 ff.bin. Adjust Python version with python -V and tweak baud (up to 1,500,000). Expect ff.bin ≈ 8Mb. Use COMx on Windows or /dev/tty* on Linux. [Elektroda, DeDaMrAz, post #21588187]
How do I flash OBK onto the WBRG1 with Ameba Image Tool?
Open Ameba-ImageTool v2.3.2, load the latest RTL8720D UART build into the first field, and do not change other options. Put WBRG1 into bootloader, click Download, then reboot. The device should broadcast an OBK AP; connect and configure at 192.168.4.1. [Elektroda, DeDaMrAz, post #21588187]
What OBK pin roles should I set for LEDs and the button?
Use these roles: pin 25 = LED;1, pin 54 = WifiLED;0, pin 55 = Btn_n;0. Apply via OBK’s pin configuration. This maps the status LED, Wi‑Fi LED, and the front button to expected behaviors. [Elektroda, DeDaMrAz, post #21588187]
How do I expose Zigbee over TCP and add it in Home Assistant (ZHA)?
In OBK autoexec.bat, start the TCP‑UART bridge: startdriver uarttcp 115200 512 1 1, label the channel, hide it, and set type OpenClosed_Inv. In Home Assistant, add ZHA and select tcp://:8888 as the port. Enable Hardware flow control only if you flashed the latest ZS3L FW. [Elektroda, DeDaMrAz, post #21588187]
How do I flash or update the ZS3L Zigbee firmware over TCP?
Use universal‑silabs‑flasher from your PC: universal-silabs-flasher --device socket://:8888 flash --firmware zs3l_zigbeencp_115200.gbl. It detects EZSP and Gecko bootloader, then writes the GBL image. You can downgrade with --allow-downgrades. Example upgrades to 8.2.0.0 and downgrades to 8.1.1.0 were successful. [Elektroda, insmod, post #21589890]
Which ZS3L firmware version should I use with Zigbee2MQTT today?
Use 8.1.1.0 with stable Zigbee2MQTT. Version 8.2.0.0 requires the latest‑dev container because it uses EZSP protocol v17. As one tester noted, “8.1.1.0 works.” You can switch with universal‑silabs‑flasher as needed. [Elektroda, insmod, post #21589890]
Zigbee2MQTT fails after upgrading to ZS3L 8.2.0.0—what’s the fix?
You may see: “Adapter EZSP protocol version (17) is not supported by Host [13‑16].” Run the latest‑dev Zigbee2MQTT (dev branch supports EZSP v17), or downgrade the NCP to 8.1.1.0 using universal‑silabs‑flasher with --allow-downgrades. This restores stable connectivity. [Elektroda, insmod, post #21589890]
Can I flash the ZS3L over UART directly?
Direct UART flashing proved unreliable here. The author tried multiple tool combinations without success. Recommended methods are J‑Link with Simplicity Commander or universal‑silabs‑flasher over the OBK TCP bridge on port 8888. [Elektroda, DeDaMrAz, post #21588187]
My USB‑UART struggles at 1,500,000 bps. What should I do?
Lower the baud rate and retry. Edit the script’s -b value and test alternatives like 921600 or 1000000. Confirm your Python version (python -V) and call the correct interpreter (e.g., py -3.12). Use quality cables and a reliable adapter. [Elektroda, DeDaMrAz, post #21588187]
Does Bluetooth work on this gateway under OBK?
Not currently. A UART‑to‑Linux BT attempt required kernel patches and still failed to function; bluetoothctl saw nothing. The developer mentioned exploring BTHome support in OBK later. “It didn’t work” summarizes current status. [Elektroda, insmod, post #21588894]
Can I update the ZS3L while the gateway still runs stock Tuya firmware?
Yes. universal‑silabs‑flasher can talk to the stock NCP. However, very old stock may not work with the ember driver in Zigbee2MQTT. Plan to update NCP firmware after migrating WBRG1 to OBK for best compatibility. [Elektroda, insmod, post #21588402]
What extra universal‑silabs‑flasher flags are useful but hidden from --help?
Useful flags include --allow-cross-flashing, --allow-downgrades, --ensure-exact-version, and --force. These control cross‑flashes, downgrades, strict versioning, or skipping safeguards. They are handy when aligning NCP firmware with your Zigbee stack or rolling back from an incompatible build. [Elektroda, DeDaMrAz, post #21590140]
Should I always flash the newest ZS3L firmware?
No. Match firmware to your Zigbee stack support level. As the maintainer noted, “Newer does not mean better.” Prefer 8.1.1.0 for broad compatibility now, or move to 8.2.0.0 if your Zigbee2MQTT build supports EZSP v17. [Elektroda, insmod, post #21588567]