ct-Open-Source / tuya-convert

A collection of scripts to flash Tuya IoT devices to alternative firmwares
MIT License

KMC 70011 stuck in a loop fetching intermediate firmware #1059

Closed a1k0n closed 2 years ago

a1k0n commented 2 years ago

Stock KMC 70011. Seems to come up just fine on the access point, but after that, web.log just continuously repeats this about every 15 seconds, as it attempts to fetch upgrade.bin (strangely, it does it with two Accept-Ranges GETs rather than the HEAD/GET that I see elsewhere):

[I 220814 00:11:39 web:2271] 200 POST /gw.json?a=tuya.device.upgrade.silent.get&gwId=50886654807d3a479f9b&t=30&v=4.1&sign=394f2d19d76184c77b1364d9933f5b3f (10.42.42.21) 5.63ms

POST /gw.json?a=s.gw.upgrade.updatestatus&gwId=50886654807d3a479f9b&t=1660432299&sign=ec32c41b6d53ab012caa8759a96a5901
Host: 10.42.42.1
Ty-Ua: HW
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 69

payload {"upgradeStatus":2}
Answer s.gw.upgrade.updatestatus
reply {"t":1660432299,"e":false,"success":true}
[I 220814 00:11:39 web:2271] 200 POST /gw.json?a=s.gw.upgrade.updatestatus&gwId=50886654807d3a479f9b&t=1660432299&sign=ec32c41b6d53ab012caa8759a96a5901 (10.42.42.21) 3.93ms
[I 220814 00:11:41 web:2271] 206 GET /files/upgrade.bin (10.42.42.21) 19.68ms
[I 220814 00:11:55 web:2271] 206 GET /files/upgrade.bin (10.42.42.21) 14525.15ms

POST /gw.json?a=tuya.device.upgrade.silent.get&gwId=50886654807d3a479f9b&t=30&v=4.1&sign=394f2d19d76184c77b1364d9933f5b3f
Host: 10.42.42.1
Ty-Ua: HW
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 37

payload {"subId":null}
Answer tuya.device.upgrade.get
reply {"t":1660432332,"e":false,"success":true,"result":{"auto":true,"type":0,"size":"505867","version":"9.0.0","url":"http://10.42.42.1/files/upgrade.bin","md5":"9aeeb1f7b6dacb6f251445aac49181a9"}}
[I 220814 00:12:12 web:2271] 200 POST /gw.json?a=tuya.device.upgrade.silent.get&gwId=50886654807d3a479f9b&t=30&v=4.1&sign=394f2d19d76184c77b1364d9933f5b3f (10.42.42.21) 5.75ms

POST /gw.json?a=s.gw.upgrade.updatestatus&gwId=50886654807d3a479f9b&t=1660432332&sign=6c0878292158af6f1d595dbde885b5e0
Host: 10.42.42.1
Ty-Ua: HW
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 69

payload {"upgradeStatus":2}
Answer s.gw.upgrade.updatestatus
reply {"t":1660432332,"e":false,"success":true}
[I 220814 00:12:12 web:2271] 200 POST /gw.json?a=s.gw.upgrade.updatestatus&gwId=50886654807d3a479f9b&t=1660432332&sign=6c0878292158af6f1d595dbde885b5e0 (10.42.42.21) 4.38ms
[I 220814 00:12:13 web:2271] 206 GET /files/upgrade.bin (10.42.42.21) 18.91ms
[I 220814 00:12:21 web:2271] 206 GET /files/upgrade.bin (10.42.42.21) 7139.15ms

The device is effectively bricked (can't connect with stock app) but it isn't running the intermediate firmware either, because then it'd come up on 10.42.42.42, right? It also appears to be in a boot loop -- if I manually turn on the relay, it turns itself off after a little, and it disconnects/reconnects to the AP every 15 seconds or so.

udp.log:

10.42.42.21 {"ip":"10.42.42.21","gwId":"50886654807d3a479f9b","active":2,"ability":0,"mode":0,"encrypt":true,"productKey":"4mbgrfotyNzMxDAv","version":"3.1"}

relevant mqtt.log:

1660421162: New connection from 127.0.0.1:55049 on port 1883.
1660421162: New client connected from 127.0.0.1:55049 as auto-B2B4275C-676D-78B0-1503-557F414CDBCF (p2, c1, k60).
1660421162: No will message specified.
1660421162: Sending CONNACK to auto-B2B4275C-676D-78B0-1503-557F414CDBCF (0, 0)
1660421162: Received PUBLISH from auto-B2B4275C-676D-78B0-1503-557F414CDBCF (d0, q0, r0, m0, 'smart/device/in/46376063807d3a47e5f4', ... (147 bytes))
1660421162: Received DISCONNECT from auto-B2B4275C-676D-78B0-1503-557F414CDBCF
1660421162: Client auto-B2B4275C-676D-78B0-1503-557F414CDBCF disconnected.

only complaints about no shared cipher (probably my phone) in psk.log.

wifi.log has

wlan0: AP-STA-DISCONNECTED 80:7d:3a:47:9f:9b
wlan0: AP-STA-CONNECTED 80:7d:3a:47:9f:9b
wlan0: AP-STA-DISCONNECTED 80:7d:3a:47:9f:9b
wlan0: AP-STA-CONNECTED 80:7d:3a:47:9f:9b

for each reboot.

a1k0n commented 2 years ago

This is super weird. It asks for bytes 0-63, then bytes 253815-505866/505867 of upgrade.bin in the two requests.
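The web.log excerpt above shows the pattern that marks a device stuck in this state: the same gwId issues `tuya.device.upgrade.silent.get`, reports `updatestatus`, performs two partial (206) fetches of upgrade.bin, and then starts over instead of rebooting into the intermediate firmware. The following is an added diagnostic script, not part of tuya-convert or of this issue; it parses tornado-style web.log lines (the sample below is constructed from the lines quoted in this thread), groups them into upgrade cycles per client and flags a repeating fetch loop. The function names and the "two or more cycles from the same client, none followed by anything other than partial GETs" rule are this script's own assumptions, not tuya-convert behaviour.

```python
import re
from datetime import datetime
from urllib.parse import urlparse, parse_qs

# Constructed sample: the web.log lines quoted in this issue, in order.
WEB_LOG = """\
[I 220814 00:11:39 web:2271] 200 POST /gw.json?a=tuya.device.upgrade.silent.get&gwId=50886654807d3a479f9b&t=30&v=4.1&sign=394f2d19d76184c77b1364d9933f5b3f (10.42.42.21) 5.63ms
[I 220814 00:11:39 web:2271] 200 POST /gw.json?a=s.gw.upgrade.updatestatus&gwId=50886654807d3a479f9b&t=1660432299&sign=ec32c41b6d53ab012caa8759a96a5901 (10.42.42.21) 3.93ms
[I 220814 00:11:41 web:2271] 206 GET /files/upgrade.bin (10.42.42.21) 19.68ms
[I 220814 00:11:55 web:2271] 206 GET /files/upgrade.bin (10.42.42.21) 14525.15ms
[I 220814 00:12:12 web:2271] 200 POST /gw.json?a=tuya.device.upgrade.silent.get&gwId=50886654807d3a479f9b&t=30&v=4.1&sign=394f2d19d76184c77b1364d9933f5b3f (10.42.42.21) 5.75ms
[I 220814 00:12:12 web:2271] 200 POST /gw.json?a=s.gw.upgrade.updatestatus&gwId=50886654807d3a479f9b&t=1660432332&sign=6c0878292158af6f1d595dbde885b5e0 (10.42.42.21) 4.38ms
[I 220814 00:12:13 web:2271] 206 GET /files/upgrade.bin (10.42.42.21) 18.91ms
[I 220814 00:12:21 web:2271] 206 GET /files/upgrade.bin (10.42.42.21) 7139.15ms
"""

# tornado access-log shape used by tuya-convert's web server:
# [I YYMMDD HH:MM:SS web:LINE] STATUS METHOD PATH (CLIENT) DURATIONms
LINE_RE = re.compile(
    r"^\[I (?P<date>\d{6}) (?P<time>\d{2}:\d{2}:\d{2}) web:\d+\] "
    r"(?P<status>\d{3}) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"\((?P<client>[\d.]+)\) (?P<ms>[\d.]+)ms$"
)


def parse_web_log(text):
    """Turn web.log lines into dicts; lines that are not access-log entries are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        url = urlparse(m["path"])
        qs = parse_qs(url.query)
        events.append({
            "ts": datetime.strptime(m["date"] + m["time"], "%y%m%d%H:%M:%S"),
            "status": int(m["status"]),
            "method": m["method"],
            "path": url.path,
            "action": qs.get("a", [None])[0],     # gw.json API action, if any
            "gwId": qs.get("gwId", [None])[0],
            "client": m["client"],
        })
    return events


def find_upgrade_cycles(events):
    """One cycle per silent.get POST: the firmware GETs that follow it until the next one."""
    cycles = []
    current = None
    for e in events:
        if e["action"] == "tuya.device.upgrade.silent.get":
            if current is not None:
                cycles.append(current)
            current = {"start": e["ts"], "client": e["client"],
                       "gwId": e["gwId"], "gets": []}
        elif current is not None and e["method"] == "GET" and e["path"] == "/files/upgrade.bin":
            current["gets"].append(e["status"])
    if current is not None:
        cycles.append(current)
    return cycles


def diagnose(text, min_cycles=2):
    """Flag a device that keeps re-requesting the intermediate firmware.

    A healthy flash fetches upgrade.bin once and the device then reboots into
    the new firmware, so a second silent.get from the same client means the
    flash did not take (assumption made by this script).
    """
    cycles = find_upgrade_cycles(parse_web_log(text))
    intervals = [(b["start"] - a["start"]).total_seconds()
                 for a, b in zip(cycles, cycles[1:])]
    same_client = len({c["client"] for c in cycles}) == 1
    only_partial = all(c["gets"] and all(s == 206 for s in c["gets"]) for c in cycles)
    return {
        "gwId": cycles[0]["gwId"] if cycles else None,
        "cycles": len(cycles),
        "interval_s": intervals,
        "partial_gets_per_cycle": [len(c["gets"]) for c in cycles],
        "stuck_in_loop": len(cycles) >= min_cycles and same_client and only_partial,
    }


if __name__ == "__main__":
    print(diagnose(WEB_LOG))
```

Run it against a real `scripts/web.log` by reading the file into `diagnose()`. A result with `stuck_in_loop` true and a roughly constant `interval_s` is the web-side signature of the reboot cycle a1k0n saw on wifi.log; the interval itself comes from the timestamps, so it reflects how long the device spends crashing and reconnecting rather than any server-side timeout.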

a1k0n commented 2 years ago

Hooked up a serial terminal at 74480 baud, seems the firmware doesn't boot or it crashes before flashing it. Hm.
[notice]smart_wf_frame.c:3721 firmware self detect upgrade start...
[notice]smart_wf_frame.c:3736 fw_url:http://10.42.42.1/files/upgrade.bin
[notice]smart_wf_frame.c:3737 fw_md5:9aeeb1f7b6dacb6f251445aac49181a9
[notice]smart_wf_frame.c:3738 serv_sw_ver:9.0.0
[notice]smart_wf_frame.c:3754 serv_sw_ver:90000 sw_ver:10004
[notice]smart_wf_frame.c:978 smt_frm_cntl.fw_ug.tp:1
[notice]mqtt_client.c:484 DNS START 08-17 16:35:58
[notice]mqtt_client.c:515 who_fir:0 ip:10.42.42.1
[notice]mqtt_client.c:525 DNS END 08-17 16:35:58
[notice]mqtt_client.c:531 MQTT CONN START 08-17 16:35:58
[err]mqtt_client.c:536 op_ret:42.errno:0
[notice]mqtt_client.c:531 MQTT CONN START 08-17 16:35:59
[err]mqtt_client.c:536 op_ret:42.errno:0
Fatal exception (20):
epc1=0x00000000
epc2=0x00000000
epc3=0x4000e1ee
epcvaddr=0x00000000
depc=0x00000000
rtn_add=0x402536bc^M<FA>"@<8A>R^EdP151<EB>mt%<C4><D2>W<8C>@<C9>y.)Q*^A<EB>L8<C1>^@<CA>I
T1^Q    )D<D0>5<C3>     5Y*^E^B<FC>NZA<EE>^@    i<ED>~<D8>      <C8><DE>T1R<97>
1^Q@<CA>|^]u
5Y
9       <F8>NzA<EE>^@   i<CD>~v <C8><DE>tR<97>*5@<EA>|^YE*5Y
9       <F8>NzA<EC>^@)I<CD>~1r  <B8><F2><A7>^H1<8A>^B^X^A-^G<C9>y.=<84><D2>y^K^U<D2>8!! J^U!^A5^Y       a"@h<E2>^E      Q
^A^A!^U1eN<88>h<C2>^E^MI-AEa
-)<84>X1%Z^Gn^U^H<DA>EM^A<C8> <E9>^P<B7>^HVAnV<9B>^H<D0>!"<FC>OS SDK ver: 1.4.2(78f3caf) compiled @ Oct 23 2017 13:45:35
phy v[notice]user_main.c:294 SDK version:1.4.2(78f3caf)
[notice]user_main.c:298 fireware info name:esp_kt_kmc_dltj version:1.0.4
[notice]user_main.c:301 tuya sdk compiled at May 12 2018 15:21:21
[notice]user_main.c:303 BV:5.28 PV:2.1 LPV:3.1
reset reason: 2
Fatal exception (20):
epc1=0x00000000, epc2=0x00000000, epc3=0x40240d19, excvaddr=0x00000000,depc=0x00000000
mode : softAP(82:7d:3a:47:9f:9b)
dhcp server start:(ip:192.168.4.1,mask:255.255.255.0,gw:192.168.4.1)
add if1
bcn 100
[notice]gw_intf.c:240 Authorization success
bcn 0
del if1
usl
mode : sta(80:7d:3a:47:9f:9b)

a1k0n commented 2 years ago

Since I went to the trouble to wire up serial, I ended up just reflashing it that way, but it's a bummer that the OTA method didn't work. Could be the result of a firmware update via the KMC app. Closing for now; doesn't look like anyone else has run into this exact crash and I don't feel like reverse engineering the stock firmware to debug. Sorry if someone else runs into this later; you'll have to open it up and solder some wires.