Smart Gateway RSH-GW006 to OBK Conversion: Tools, Files, Setup, and Integration Guide

DeDaMrAz 1818 40

#31 21655761 07 Sep 2025 13:46

insmod insmod

Level 27

Helpful post? (0)

Post #31
21655761 07 Sep 2025 13:46

The only other thing i can suggest is updating the bootloader.
I didn't attempt it, so i don't know if it even works.
But if it doesn't, then recovery is only possible via j-link/st-link.
https://github.com/NonPIayerCharacter/silabs-...actions/runs/15886210949/artifacts/3404884556
ADVERTISEMENT
#32 21656030 07 Sep 2025 19:04

diepeterpan diepeterpan

Level 8

Helpful post? (0)

Post #32
21656030 07 Sep 2025 19:04

I will attempt to flash the bootloader once I have a proper J-Link device (I am struggling to get one at the moment).

Maybe secure boot is enabled by the Tuya bootloader. I suppose it's worth a try since all other avenues are exhausted.

https://www.silabs.com/documents/public/user-guides/ug266-gecko-bootloader-user-guide.pdf

Code: Text
Log in, to see the code

Maybe the custom firmware GBLs don't pass signature verification.
#33 21658955 10 Sep 2025 15:03

diepeterpan diepeterpan

Level 8

Helpful post? (0)

Post #33
21658955 10 Sep 2025 15:03

Good news: >>21655761
I was able to use a Chinese converted ST-LINK V2 to JLINK Link and a custom version of OpenOCD Link to backup and restore the firmware on the ZS3L, and then proceeded with installing the new bootloader.

Code: Bash
Log in, to see the code

Code: Bash
Log in, to see the code

Good news and bad news.

Good news: flashing the new bootloader did NOT brick the device and still booted the stock firmware. This is where I started to get suspicious. If the new bootloader also boots the stock firmware, then it's unlikely to be the cause of other firmware not booting.

Anyways, I proceeded to flash again 8.2.0.0

Code: Bash
Log in, to see the code

Bad news: After flashing, the firmware still did not work

Code: Bash
Log in, to see the code

Nothing, nada ....

I then flashed a couple more like zs3l_ncp-uart-hw_EmberZNet8.0.1.0.gbl, zs3l_zigbee_ncp_8.1.1.0_115200.gbl, G01-pro-ncp-uart-hw_4.gbl .... but they all did the same, nothing..... tested with bellows and Z2M and ZHA

I then reverted to my backup and am back on stock

Code: Bash
Log in, to see the code

There must be something stored in the flash or some other spot on the ZS3L preventing non-stock firmware from booting or making them crash, but I am too scared to go and erase the entire flash; maybe it's not in the flash, and then I'll brick it completely.

Hopefully, these experiments and write-up help someone else, and maybe they come up with a solution.

Maybe the secure boot hash/key is stored somewhere else, see if I can read more about it]Link
ADVERTISEMENT
#34 21676976 10 Sep 2025 15:18

insmod insmod

Level 27

Helpful post? (0)

Post #34
21676976 10 Sep 2025 15:18

Sadly, st-link to j-link is not allowed to operate with anything but stm32 in standard segger applications, and any other that uses jlinkarm.dll
Unfortunately, simplicity commander uses it too. Meaning you would have to either buy a j-link probe, or search for some patched jlinkarm.dll that works with non-stm32 chips. I initially tried that too, but it didn't work for me.
You can ask for help in https://github.com/darkxst/silabs-firmware-builder as my firmware is built as a fork of this repository.
#35 21680501 10 Sep 2025 15:21

diepeterpan diepeterpan

Level 8

Helpful post? (0)

Post #35
21680501 10 Sep 2025 15:21

>>21676976

I managed to work with it using the custom OpenOCD as a workaround.
#36 21686233 10 Sep 2025 15:42

insmod insmod

Level 27

Helpful post? (0)

Post #36
21686233 10 Sep 2025 15:42

>>21680501
There was something similar to your situation: https://github.com/darkxst/silabs-firmware-builder/issues/84
gbl file in there might not work for you (or if it works, you would have to reboot to bootloader manually (via pin), since UART pins are different).
Perhaps you can do full flash erase via OpenOCD?
#37 21686371 10 Sep 2025 18:28

diepeterpan diepeterpan

Level 8

Helpful post? (0)

Post #37
21686371 10 Sep 2025 18:28

>>21686233 Thanks, I have just tried the init file, and there are a couple of specific .gbl files for the CPU that the ZS3L uses, but I had no luck after erasing the flash.

Link

I flashed the new bootloader 3.1.0
Code: Bash
Log in, to see the code

Then, with the new bootloader, I erased the storage
Code: Bash
Log in, to see the code

The flashed e.g. 8.0.2, tried various, but it did not work after flashing
Code: Bash
Log in, to see the code

Then, with the new bootloader flashed, the stock firmware worked again
Code: Bash
Log in, to see the code

It just does not make sense, somewhere something is wrong.....

Anyway, let's see if somebody else has experienced similar and maybe come up with a new way to fix it.
ADVERTISEMENT
#38 21686394 10 Sep 2025 18:47

insmod insmod

Level 27

Helpful post? (0)

Post #38
21686394 10 Sep 2025 18:47

Try first app_clear, then nvm3_clear, power cycle, then 8.2.0
Anyway, what exactly was the problem with flash erase with openocd?
ADVERTISEMENT
#39 21693229 17 Sep 2025 23:49

diepeterpan diepeterpan

Level 8

Helpful post? (0)

Post #39
21693229 17 Sep 2025 23:49

I eventually got to JLINK the chip, making an interesting discovery, but I had no joy running a newer version.

1) I first tried the command-line Simplicity Commander to unlock the chip, just in case it was the problem. Chip unlocked, but newer firmware did not work

2) This was very interesting as the chip is marked ZS3L, but the identification gave MGM210L022JNF2 with 1024kB flash instead of an EFR32 with 768kB. Does Tuya have a newer version of the ZS3L, and that's why the firmware doesn't run?

3) I was able to wipe the chip, just in case. I then flashed a new bootloader and firmware, but no go to running it

4) I then flashed back the stock firmware backup, and it works. So I trust the JLINK is working correctly.

I wonder if someone can create a custom .gbl file for this chip, if it indeed is the problem.
#40 21693266 18 Sep 2025 04:59

insmod insmod

Level 27

Helpful post? (0)

Post #40
21693266 18 Sep 2025 04:59

>>21693229
Build for 1024 flash 96 ram
https://github.com/NonPIayerCharacter/silabs-firmware-builder/actions/runs/17816582309
And MGM210L022JNF (without 2)
https://github.com/NonPIayerCharacter/silabs-firmware-builder/actions/runs/17817962778

I suggest you try 1024 build first.
#41 21693329 18 Sep 2025 08:19

diepeterpan diepeterpan

Level 8

Helpful post? (0)

Post #41
21693329 18 Sep 2025 08:19

>>21693266
Tested both, but only one worked.

You are a genius, so apparently, there are different ZS3L's out there!

"And MGM210L022JNF (without 2)" <= worked!!!!

I will add some devices to it in Zigbee2MQTT and let it run for a day or so, and provide feedback again. A BIG thanks again!!!!!

Code: Bash
Log in, to see the code
Create an account, log in here. You will receive points by participating in discussions.
Join this discussion.

Install Elektroda application

FAQ

TL;DR: Convert the Smart Gateway RSH-GW006 to OBK on the WBRG1 and bridge its ZS3L Zigbee over TCP. 1 month uptime reported; "Stable, I've got a month uptime." Flash with Ameba Image Tool, integrate ZHA at tcp://:8888, and update ZS3L via universal‑silabs‑flasher. [Elektroda, insmod, post #21588192] Why it matters: You reclaim a Tuya gateway for local control with Home Assistant or Zigbee2MQTT, no cloud required.

Quick Facts

- Platform: WBRG1 (Realtek RTL8720D/AmebaD) runs OBK; ZS3L is the Zigbee NCP exposed over TCP. [Elektroda, DeDaMrAz, post #21588187]
- Bootloader entry: ENABLE to GND, LogTX to GND via 2.2–4.7 kΩ, then release ENABLE and remove the resistor. [Elektroda, DeDaMrAz, post #21588187]
- Full backup: rtltool.py reads flash to ff.bin; expected size is 8Mb after completion. [Elektroda, DeDaMrAz, post #21588187]
- HA ZHA setup: Add integration using tcp://<OBK_IP>:8888; enable Hardware flow control only with latest ZS3L FW. [Elektroda, DeDaMrAz, post #21588187]
- Zigbee2MQTT: ZS3L 8.2.0.0 needs latest-dev (EZSP v17); 8.1.1.0 works on stable. [Elektroda, insmod, #21589890

What hardware is inside the RSH-GW006, and where does OBK run?

The gateway houses a WBRG1 (Realtek RTL8720D/AmebaD) Wi‑Fi SoC and a Silicon Labs ZS3L Zigbee NCP. OBK (OpenRTL8720D) runs on the WBRG1, while the ZS3L stays as the Zigbee radio exposed over a TCP‑to‑UART bridge. [Elektroda, DeDaMrAz, post #21588187]

How do I open the RSH-GW006 case without damage?

Flip the unit and peel the four rubber feet. Remove the four small screws hidden beneath them. Lift the lid carefully to avoid stressing internal cables. This exposes the WBRG1 and ZS3L modules for UART and J‑Link access. [Elektroda, DeDaMrAz, post #21588187]

How do I put the WBRG1 into bootloader (download) mode?

Follow this 3‑step sequence:

Connect UART (GND, 3V3, RX, TX) to P1 and pull ENABLE to GND.
Pull LogTX to GND via a 2.2–4.7 kΩ resistor.
Release ENABLE, then remove the resistor from LogTX; the module is in bootloader mode. [Elektroda, DeDaMrAz, post #21588187]

How can I back up the original WBRG1 firmware safely?

Enter download mode, then run rtltool.py to read full flash, e.g., py -3.12 rtltool.py -p COMx -b1000000 rf 0 0x8000000 ff.bin. Adjust Python version with python -V and tweak baud (up to 1,500,000). Expect ff.bin ≈ 8Mb. Use COMx on Windows or /dev/tty* on Linux. [Elektroda, DeDaMrAz, post #21588187]

How do I flash OBK onto the WBRG1 with Ameba Image Tool?

Open Ameba-ImageTool v2.3.2, load the latest RTL8720D UART build into the first field, and do not change other options. Put WBRG1 into bootloader, click Download, then reboot. The device should broadcast an OBK AP; connect and configure at 192.168.4.1. [Elektroda, DeDaMrAz, post #21588187]

What OBK pin roles should I set for LEDs and the button?

Use these roles: pin 25 = LED;1, pin 54 = WifiLED;0, pin 55 = Btn_n;0. Apply via OBK’s pin configuration. This maps the status LED, Wi‑Fi LED, and the front button to expected behaviors. [Elektroda, DeDaMrAz, post #21588187]

How do I expose Zigbee over TCP and add it in Home Assistant (ZHA)?

In OBK autoexec.bat, start the TCP‑UART bridge: startdriver uarttcp 115200 512 1 1, label the channel, hide it, and set type OpenClosed_Inv. In Home Assistant, add ZHA and select tcp://:8888 as the port. Enable Hardware flow control only if you flashed the latest ZS3L FW. [Elektroda, DeDaMrAz, post #21588187]

How do I flash or update the ZS3L Zigbee firmware over TCP?

Use universal‑silabs‑flasher from your PC: universal-silabs-flasher --device socket://:8888 flash --firmware zs3l_zigbeencp_115200.gbl. It detects EZSP and Gecko bootloader, then writes the GBL image. You can downgrade with --allow-downgrades. Example upgrades to 8.2.0.0 and downgrades to 8.1.1.0 were successful. [Elektroda, insmod, post #21589890]

Which ZS3L firmware version should I use with Zigbee2MQTT today?

Use 8.1.1.0 with stable Zigbee2MQTT. Version 8.2.0.0 requires the latest‑dev container because it uses EZSP protocol v17. As one tester noted, “8.1.1.0 works.” You can switch with universal‑silabs‑flasher as needed. [Elektroda, insmod, post #21589890]

Zigbee2MQTT fails after upgrading to ZS3L 8.2.0.0—what’s the fix?

You may see: “Adapter EZSP protocol version (17) is not supported by Host [13‑16].” Run the latest‑dev Zigbee2MQTT (dev branch supports EZSP v17), or downgrade the NCP to 8.1.1.0 using universal‑silabs‑flasher with --allow-downgrades. This restores stable connectivity. [Elektroda, insmod, post #21589890]

Can I flash the ZS3L over UART directly?

Direct UART flashing proved unreliable here. The author tried multiple tool combinations without success. Recommended methods are J‑Link with Simplicity Commander or universal‑silabs‑flasher over the OBK TCP bridge on port 8888. [Elektroda, DeDaMrAz, post #21588187]

My USB‑UART struggles at 1,500,000 bps. What should I do?

Lower the baud rate and retry. Edit the script’s -b value and test alternatives like 921600 or 1000000. Confirm your Python version (python -V) and call the correct interpreter (e.g., py -3.12). Use quality cables and a reliable adapter. [Elektroda, DeDaMrAz, post #21588187]

Does Bluetooth work on this gateway under OBK?

Not currently. A UART‑to‑Linux BT attempt required kernel patches and still failed to function; bluetoothctl saw nothing. The developer mentioned exploring BTHome support in OBK later. “It didn’t work” summarizes current status. [Elektroda, insmod, post #21588894]

Can I update the ZS3L while the gateway still runs stock Tuya firmware?

Yes. universal‑silabs‑flasher can talk to the stock NCP. However, very old stock may not work with the ember driver in Zigbee2MQTT. Plan to update NCP firmware after migrating WBRG1 to OBK for best compatibility. [Elektroda, insmod, post #21588402]

What extra universal‑silabs‑flasher flags are useful but hidden from --help?

Useful flags include --allow-cross-flashing, --allow-downgrades, --ensure-exact-version, and --force. These control cross‑flashes, downgrades, strict versioning, or skipping safeguards. They are handy when aligning NCP firmware with your Zigbee stack or rolling back from an incompatible build. [Elektroda, DeDaMrAz, post #21590140]

Should I always flash the newest ZS3L firmware?

No. Match firmware to your Zigbee stack support level. As the maintainer noted, “Newer does not mean better.” Prefer 8.1.1.0 for broad compatibility now, or move to 8.2.0.0 if your Zigbee2MQTT build supports EZSP v17. [Elektroda, insmod, post #21588567]