Smart Gateway RSH-GW006 to OBK Conversion: Tools, Files, Setup, and Integration Guide

DeDaMrAz 4740 43

#31 21655761 07 Sep 2025 13:46

insmod insmod

Level 30

Helpful post? (0)

Post #31
21655761 07 Sep 2025 13:46

The only other thing i can suggest is updating the bootloader.
I didn't attempt it, so i don't know if it even works.
But if it doesn't, then recovery is only possible via j-link/st-link.
https://github.com/NonPIayerCharacter/silabs-...actions/runs/15886210949/artifacts/3404884556
ADVERTISEMENT
#32 21656030 07 Sep 2025 19:04

diepeterpan diepeterpan

Level 8

Helpful post? (0)

Post #32
21656030 07 Sep 2025 19:04

I will attempt to flash the bootloader once I have a proper J-Link device (I am struggling to get one at the moment).

Maybe secure boot is enabled by the Tuya bootloader. I suppose it's worth a try since all other avenues are exhausted.

https://www.silabs.com/documents/public/user-guides/ug266-gecko-bootloader-user-guide.pdf

Code: Text
Log in, to see the code

Maybe the custom firmware GBLs don't pass signature verification.
ADVERTISEMENT
#33 21658955 10 Sep 2025 15:03

diepeterpan diepeterpan

Level 8

Helpful post? (0)

Post #33
21658955 10 Sep 2025 15:03

Good news: >>21655761
I was able to use a Chinese converted ST-LINK V2 to JLINK Link and a custom version of OpenOCD Link to backup and restore the firmware on the ZS3L, and then proceeded with installing the new bootloader.

Code: Bash
Log in, to see the code

Code: Bash
Log in, to see the code

Good news and bad news.

Good news: flashing the new bootloader did NOT brick the device and still booted the stock firmware. This is where I started to get suspicious. If the new bootloader also boots the stock firmware, then it's unlikely to be the cause of other firmware not booting.

Anyways, I proceeded to flash again 8.2.0.0

Code: Bash
Log in, to see the code

Bad news: After flashing, the firmware still did not work

Code: Bash
Log in, to see the code

Nothing, nada ....

I then flashed a couple more like zs3l_ncp-uart-hw_EmberZNet8.0.1.0.gbl, zs3l_zigbee_ncp_8.1.1.0_115200.gbl, G01-pro-ncp-uart-hw_4.gbl .... but they all did the same, nothing..... tested with bellows and Z2M and ZHA

I then reverted to my backup and am back on stock

Code: Bash
Log in, to see the code

There must be something stored in the flash or some other spot on the ZS3L preventing non-stock firmware from booting or making them crash, but I am too scared to go and erase the entire flash; maybe it's not in the flash, and then I'll brick it completely.

Hopefully, these experiments and write-up help someone else, and maybe they come up with a solution.

Maybe the secure boot hash/key is stored somewhere else, see if I can read more about it]Link
#34 21676976 10 Sep 2025 15:18

insmod insmod

Level 30

Helpful post? (0)

Post #34
21676976 10 Sep 2025 15:18

Sadly, st-link to j-link is not allowed to operate with anything but stm32 in standard segger applications, and any other that uses jlinkarm.dll
Unfortunately, simplicity commander uses it too. Meaning you would have to either buy a j-link probe, or search for some patched jlinkarm.dll that works with non-stm32 chips. I initially tried that too, but it didn't work for me.
You can ask for help in https://github.com/darkxst/silabs-firmware-builder as my firmware is built as a fork of this repository.
#35 21680501 10 Sep 2025 15:21

diepeterpan diepeterpan

Level 8

Helpful post? (0)

Post #35
21680501 10 Sep 2025 15:21

>>21676976

I managed to work with it using the custom OpenOCD as a workaround.
ADVERTISEMENT
#36 21686233 10 Sep 2025 15:42

insmod insmod

Level 30

Helpful post? (0)

Post #36
21686233 10 Sep 2025 15:42

>>21680501
There was something similar to your situation: https://github.com/darkxst/silabs-firmware-builder/issues/84
gbl file in there might not work for you (or if it works, you would have to reboot to bootloader manually (via pin), since UART pins are different).
Perhaps you can do full flash erase via OpenOCD?
ADVERTISEMENT
#37 21686371 10 Sep 2025 18:28

diepeterpan diepeterpan

Level 8

Helpful post? (0)

Post #37
21686371 10 Sep 2025 18:28

>>21686233 Thanks, I have just tried the init file, and there are a couple of specific .gbl files for the CPU that the ZS3L uses, but I had no luck after erasing the flash.

Link

I flashed the new bootloader 3.1.0
Code: Bash
Log in, to see the code

Then, with the new bootloader, I erased the storage
Code: Bash
Log in, to see the code

The flashed e.g. 8.0.2, tried various, but it did not work after flashing
Code: Bash
Log in, to see the code

Then, with the new bootloader flashed, the stock firmware worked again
Code: Bash
Log in, to see the code

It just does not make sense, somewhere something is wrong.....

Anyway, let's see if somebody else has experienced similar and maybe come up with a new way to fix it.
#38 21686394 10 Sep 2025 18:47

insmod insmod

Level 30

Helpful post? (0)

Post #38
21686394 10 Sep 2025 18:47

Try first app_clear, then nvm3_clear, power cycle, then 8.2.0
Anyway, what exactly was the problem with flash erase with openocd?
#39 21693229 17 Sep 2025 23:49

diepeterpan diepeterpan

Level 8

Helpful post? (0)

Post #39
21693229 17 Sep 2025 23:49

I eventually got to JLINK the chip, making an interesting discovery, but I had no joy running a newer version.

1) I first tried the command-line Simplicity Commander to unlock the chip, just in case it was the problem. Chip unlocked, but newer firmware did not work

2) This was very interesting as the chip is marked ZS3L, but the identification gave MGM210L022JNF2 with 1024kB flash instead of an EFR32 with 768kB. Does Tuya have a newer version of the ZS3L, and that's why the firmware doesn't run?

3) I was able to wipe the chip, just in case. I then flashed a new bootloader and firmware, but no go to running it

4) I then flashed back the stock firmware backup, and it works. So I trust the JLINK is working correctly.

I wonder if someone can create a custom .gbl file for this chip, if it indeed is the problem.
#40 21693266 18 Sep 2025 04:59

insmod insmod

Level 30

Helpful post? (0)

Post #40
21693266 18 Sep 2025 04:59

>>21693229
Build for 1024 flash 96 ram
https://github.com/NonPIayerCharacter/silabs-firmware-builder/actions/runs/17816582309
And MGM210L022JNF (without 2)
https://github.com/NonPIayerCharacter/silabs-firmware-builder/actions/runs/17817962778

I suggest you try 1024 build first.
#41 21693329 18 Sep 2025 08:19

diepeterpan diepeterpan

Level 8

Helpful post? (0)

Post #41
21693329 18 Sep 2025 08:19

>>21693266
Tested both, but only one worked.

You are a genius, so apparently, there are different ZS3L's out there!

"And MGM210L022JNF (without 2)" <= worked!!!!

I will add some devices to it in Zigbee2MQTT and let it run for a day or so, and provide feedback again. A BIG thanks again!!!!!

Code: Bash
Log in, to see the code
#42 21694269 19 Sep 2025 08:06

diepeterpan diepeterpan

Level 8

Helpful post? (0)

Post #42
21694269 19 Sep 2025 08:06

>>21693329
"Everything is working fine with the MGM210L022JNF firmware '8.2.0.0 build 191' for the ZS3L on the Tuya MOES gateway - NH-THP01-ZB using Z2M."

Tuya MOES gateway - NH-THP01-ZB

Teardown pictures of the device:
The device has 4 small screws hidden under the rubber feet

Device top view:

Device back view:

Device PCB view:

Board pinout to flash WRBG1, need to solder lines as there are no headers on the board:
Follow the bootloader procedure with the resistor to put WRBG1 into bootloader mode and load OpenBeken for RTL8720D UART file using the Imagetool.

To load firmware for the ZS3L:
Use the following firmware and universal-silabes-flasher that can be found here - https://github.com/NabuCasa/universal-silabs-flasher
Code: Bash
Log in, to see the code

My version of the device has a ZS3L using the MGM210L022JNF chip and needs the firmware at https://github.com/NonPIayerCharacter/silabs-firmware-builder/actions/runs/17817962778 ; if you are unsure of what type of ZS3L your device has, you have to use JLINK and Simplicity Commander to identify it.

firmware-b...115200.zip Download(1.26 MB)

OpenBeken pin configuration:
Code: Text
Log in, to see the code

autoexec.bat
Code: Text
Log in, to see the code

The Zigbee chip can be reset by toggling "Zigbee reset"; handy when the Zigbee chip stops working and you need to remotely reset it.

Force the bootloader to load new firmware by toggling "Zigbee bootloader" followed by a "Zigbee reset" loader; this is helpful when the firmware becomes unresponsive e.g., when you load the incorrect chip firmware.

Zigbee2MQTT config:
Code: Text
Log in, to see the code
#43 21702763 28 Sep 2025 00:34

DeDaMrAz DeDaMrAz

Level 21

Topic author Helpful post? (0)

Post #43
21702763 28 Sep 2025 00:34

insmod wrote:
I will later try to add support for BTHome in OBK

@insmod

Any luck with this? Asking because I am about to go full in on changing everything in my apartment to "smart house" it and this would be somewhat more elegant than the separate BT proxy device.

If you like my work, support me at: https://paypal.me/openshwprojects
Helpful post

#44 21702818 28 Sep 2025 08:02

insmod insmod

Level 30

Helpful post? (+1)

Helpful post
Post #44
21702818 28 Sep 2025 08:02

>>21702763
Nothing yet, though my idea evolved a little.
Just get advertisements packets, publish them to mqtt and via HA automation pass them to "Passive BLE monitor" addon
Create an account, log in here. You will receive points by participating in discussions.
Join this discussion.

Install Elektroda application

Topic summary

The discussion focuses on converting the Smart Gateway model RSH-GW006 to run OpenBeken (OBK) firmware, aiming to centralize tools, files, setup instructions, and integration guidance. The device teardown reveals four hidden screws and detailed board pinouts and schematics. Firmware for the WBRG1 module is based on OpenRTL8720D, with stable operation reported. The ZS3L module firmware is built with hardware flow offload and can be updated via TCP, though flashing can be sporadic and sometimes requires bootloader mode activation by pulling specific pins high. Universal-silabs-flasher is the primary tool used for flashing ZS3L firmware, supporting both UART and socket connections. Various firmware versions (8.0.2.0, 8.1.1.0, 8.2.0.0, and stock Tuya 6.5.5.0) were tested, with 8.2.0.0 and a specific build for MGM210L022JNF silicon identified as stable and fully functional for the ZS3L on the Tuya MOES NH-THP01-ZB gateway. Challenges include bootloader detection issues, secure boot possibly blocking custom firmware, and hardware differences in ZS3L variants. J-Link and ST-LINK V2 probes with custom OpenOCD were used for chip unlocking, backup, and flashing, as standard Segger tools are limited to STM32 devices. ESP32-S3 and C3 modules were tested for Bluetooth proxy functionality, with temperature and frequency tuning discussed. Bluetooth support in OBK is limited, with ongoing efforts to add BTHome support. The thread includes detailed logs, flashing commands, and troubleshooting steps to aid in successful firmware conversion and integration with Zigbee2MQTT (Z2M) and Home Assistant (HA).
Summary generated by the language model.

FAQ

TL;DR: Convert the Smart Gateway RSH-GW006 to OBK on the WBRG1 and bridge its ZS3L Zigbee over TCP. 1 month uptime reported; "Stable, I've got a month uptime." Flash with Ameba Image Tool, integrate ZHA at tcp://:8888, and update ZS3L via universal‑silabs‑flasher. [Elektroda, insmod, post #21588192] Why it matters: You reclaim a Tuya gateway for local control with Home Assistant or Zigbee2MQTT, no cloud required.

Quick Facts

- Platform: WBRG1 (Realtek RTL8720D/AmebaD) runs OBK; ZS3L is the Zigbee NCP exposed over TCP. [Elektroda, DeDaMrAz, post #21588187]
- Bootloader entry: ENABLE to GND, LogTX to GND via 2.2–4.7 kΩ, then release ENABLE and remove the resistor. [Elektroda, DeDaMrAz, post #21588187]
- Full backup: rtltool.py reads flash to ff.bin; expected size is 8Mb after completion. [Elektroda, DeDaMrAz, post #21588187]
- HA ZHA setup: Add integration using tcp://<OBK_IP>:8888; enable Hardware flow control only with latest ZS3L FW. [Elektroda, DeDaMrAz, post #21588187]
- Zigbee2MQTT: ZS3L 8.2.0.0 needs latest-dev (EZSP v17); 8.1.1.0 works on stable. [Elektroda, insmod, #21589890

What hardware is inside the RSH-GW006, and where does OBK run?

The gateway houses a WBRG1 (Realtek RTL8720D/AmebaD) Wi‑Fi SoC and a Silicon Labs ZS3L Zigbee NCP. OBK (OpenRTL8720D) runs on the WBRG1, while the ZS3L stays as the Zigbee radio exposed over a TCP‑to‑UART bridge. [Elektroda, DeDaMrAz, post #21588187]

How do I open the RSH-GW006 case without damage?

Flip the unit and peel the four rubber feet. Remove the four small screws hidden beneath them. Lift the lid carefully to avoid stressing internal cables. This exposes the WBRG1 and ZS3L modules for UART and J‑Link access. [Elektroda, DeDaMrAz, post #21588187]

How do I put the WBRG1 into bootloader (download) mode?

Follow this 3‑step sequence:

Connect UART (GND, 3V3, RX, TX) to P1 and pull ENABLE to GND.
Pull LogTX to GND via a 2.2–4.7 kΩ resistor.
Release ENABLE, then remove the resistor from LogTX; the module is in bootloader mode. [Elektroda, DeDaMrAz, post #21588187]

How can I back up the original WBRG1 firmware safely?

Enter download mode, then run rtltool.py to read full flash, e.g., py -3.12 rtltool.py -p COMx -b1000000 rf 0 0x8000000 ff.bin. Adjust Python version with python -V and tweak baud (up to 1,500,000). Expect ff.bin ≈ 8Mb. Use COMx on Windows or /dev/tty* on Linux. [Elektroda, DeDaMrAz, post #21588187]

How do I flash OBK onto the WBRG1 with Ameba Image Tool?

Open Ameba-ImageTool v2.3.2, load the latest RTL8720D UART build into the first field, and do not change other options. Put WBRG1 into bootloader, click Download, then reboot. The device should broadcast an OBK AP; connect and configure at 192.168.4.1. [Elektroda, DeDaMrAz, post #21588187]

What OBK pin roles should I set for LEDs and the button?

Use these roles: pin 25 = LED;1, pin 54 = WifiLED;0, pin 55 = Btn_n;0. Apply via OBK’s pin configuration. This maps the status LED, Wi‑Fi LED, and the front button to expected behaviors. [Elektroda, DeDaMrAz, post #21588187]

How do I expose Zigbee over TCP and add it in Home Assistant (ZHA)?

In OBK autoexec.bat, start the TCP‑UART bridge: startdriver uarttcp 115200 512 1 1, label the channel, hide it, and set type OpenClosed_Inv. In Home Assistant, add ZHA and select tcp://:8888 as the port. Enable Hardware flow control only if you flashed the latest ZS3L FW. [Elektroda, DeDaMrAz, post #21588187]

How do I flash or update the ZS3L Zigbee firmware over TCP?

Use universal‑silabs‑flasher from your PC: universal-silabs-flasher --device socket://:8888 flash --firmware zs3l_zigbeencp_115200.gbl. It detects EZSP and Gecko bootloader, then writes the GBL image. You can downgrade with --allow-downgrades. Example upgrades to 8.2.0.0 and downgrades to 8.1.1.0 were successful. [Elektroda, insmod, post #21589890]

Which ZS3L firmware version should I use with Zigbee2MQTT today?

Use 8.1.1.0 with stable Zigbee2MQTT. Version 8.2.0.0 requires the latest‑dev container because it uses EZSP protocol v17. As one tester noted, “8.1.1.0 works.” You can switch with universal‑silabs‑flasher as needed. [Elektroda, insmod, post #21589890]

Zigbee2MQTT fails after upgrading to ZS3L 8.2.0.0—what’s the fix?

You may see: “Adapter EZSP protocol version (17) is not supported by Host [13‑16].” Run the latest‑dev Zigbee2MQTT (dev branch supports EZSP v17), or downgrade the NCP to 8.1.1.0 using universal‑silabs‑flasher with --allow-downgrades. This restores stable connectivity. [Elektroda, insmod, post #21589890]

Can I flash the ZS3L over UART directly?

Direct UART flashing proved unreliable here. The author tried multiple tool combinations without success. Recommended methods are J‑Link with Simplicity Commander or universal‑silabs‑flasher over the OBK TCP bridge on port 8888. [Elektroda, DeDaMrAz, post #21588187]

My USB‑UART struggles at 1,500,000 bps. What should I do?

Lower the baud rate and retry. Edit the script’s -b value and test alternatives like 921600 or 1000000. Confirm your Python version (python -V) and call the correct interpreter (e.g., py -3.12). Use quality cables and a reliable adapter. [Elektroda, DeDaMrAz, post #21588187]

Does Bluetooth work on this gateway under OBK?

Not currently. A UART‑to‑Linux BT attempt required kernel patches and still failed to function; bluetoothctl saw nothing. The developer mentioned exploring BTHome support in OBK later. “It didn’t work” summarizes current status. [Elektroda, insmod, post #21588894]

Can I update the ZS3L while the gateway still runs stock Tuya firmware?

Yes. universal‑silabs‑flasher can talk to the stock NCP. However, very old stock may not work with the ember driver in Zigbee2MQTT. Plan to update NCP firmware after migrating WBRG1 to OBK for best compatibility. [Elektroda, insmod, post #21588402]

What extra universal‑silabs‑flasher flags are useful but hidden from --help?

Useful flags include --allow-cross-flashing, --allow-downgrades, --ensure-exact-version, and --force. These control cross‑flashes, downgrades, strict versioning, or skipping safeguards. They are handy when aligning NCP firmware with your Zigbee stack or rolling back from an incompatible build. [Elektroda, DeDaMrAz, post #21590140]

Should I always flash the newest ZS3L firmware?

No. Match firmware to your Zigbee stack support level. As the maintainer noted, “Newer does not mean better.” Prefer 8.1.1.0 for broad compatibility now, or move to 8.2.0.0 if your Zigbee2MQTT build supports EZSP v17. [Elektroda, insmod, post #21588567]