ct-Open-Source / tuya-convert

A collection of scripts to flash Tuya IoT devices to alternative firmwares
MIT License

Gosund WP3 Endless ........... Won't Flash #199

Closed cheechie closed 5 years ago

cheechie commented 5 years ago

Just purchased a Gosund model WP3. It has the 1.0.5 firmware https://www.amazon.com/Assistant-Required-Enabled-Control-Gosund/dp/B072ZX8RTZ

I have tried flashing with both Kali Linux in Virtual Box and with a Raspberry Pi B3.
When I put the plug into pairing mode and then press enter to flash, the plug stops blinking fast but it never programs. In both cases I get the exact same error.

Waiting for the upgraded device to appear If this does not work have a look at the '*.log'-files in the 'scripts' subfolder! ........................................................................................................

Here are my logs.

smarthack-wifi.log

^Cwlan0: interface state ENABLED->DISABLED wlan0: AP-STA-DISCONNECTED 60:01:94:c8:bd:3b wlan0: AP-STA-DISCONNECTED c8:38:90:13:35:bf wlan0: AP-DISABLED wlan0: CTRL-EVENT-TERMINATING nl80211: deinit ifname=wlan0 disabled_11b_rates=0 Backing up NetworkManager.cfg... Restarting NetworkManager... Backing up /etc/dnsmasq.conf... Writing dnsmasq config file... Creating new /etc/dnsmasq.conf... Writing hostapd config file... Configuring AP interface... Applying iptables rules... Starting DNSMASQ server... Starting AP on wlan0 in screen terminal... Configuration file: /etc/hostapd/hostapd.conf Using interface wlan0 with hwaddr d8:3d:4c:94:35:f5 and ssid "vtrust-flash" wlan0: interface state UNINITIALIZED->ENABLED wlan0: AP-ENABLED wlan0: STA c8:38:90:13:35:bf IEEE 802.11: authenticated wlan0: STA c8:38:90:13:35:bf IEEE 802.11: associated (aid 1) wlan0: AP-STA-CONNECTED c8:38:70:13:35:df wlan0: STA c8:38:90:13:35:bf RADIUS: starting accounting session 44D22CF0B138FFAC wlan0: STA c8:38:90:13:35:bf WPA: pairwise key handshake completed (RSN) wlan0: STA 60:01:94:c8:bd:3b IEEE 802.11: authenticated wlan0: STA 60:01:94:c8:bd:3b IEEE 802.11: associated (aid 2) wlan0: AP-STA-CONNECTED 60:01:94:c8:bd:3b wlan0: STA 60:01:94:c8:bd:3b RADIUS: starting accounting session CB46AEC709694B4F wlan0: STA 60:01:94:c8:bd:3b WPA: pairwise key handshake completed (RSN) wlan0: AP-STA-DISCONNECTED 60:01:94:c9:bd:3a wlan0: STA 60:01:94:c8:bd:3b IEEE 802.11: disassociated wlan0: STA 60:01:94:c8:bd:3b IEEE 802.11: disassociated wlan0: STA 60:01:94:c8:bd:3b IEEE 802.11: disassociated wlan0: STA 60:01:94:c8:bd:3b IEEE 802.11: disassociated wlan0: STA 60:01:94:c8:bd:3b IEEE 802.11: disassociated wlan0: STA 60:01:94:c8:bd:3b IEEE 802.11: disassociated wlan0: STA 60:01:94:c8:bd:3b IEEE 802.11: deauthenticated due to inactivity (timer DEAUTH/REMOVE) wlan0: STA 60:01:94:c8:bd:3b IEEE 802.11: authenticated wlan0: STA 60:01:94:c8:bd:3b IEEE 802.11: associated (aid 2) wlan0: AP-STA-CONNECTED 60:01:94:c8:bd:3b 
wlan0: STA 60:01:94:c8:bd:3b RADIUS: starting accounting session 31D0DEBEC5B93FA6 wlan0: STA 60:01:94:c8:bd:3b WPA: pairwise key handshake completed (RSN) wlan0: AP-STA-DISCONNECTED60:01:94:c8:bd:3b wlan0: STA 60:01:94:c8:bd:3b IEEE 802.11: authenticated wlan0: STA 60:01:94:c8:bd:3b IEEE 802.11: associated (aid 2) wlan0: AP-STA-CONNECTED 60:01:94:c8:bd:3b wlan0: STA 60:01:94:c8:bd:3b RADIUS: starting accounting session 31D0DEBEC5B93FA6 wlan0: STA 60:01:94:c8:bd:3b WPA: pairwise key handshake completed (RSN) wlan0: AP-STA-DISCONNECTED 60:01:94:c8:bd:3b wlan0: STA 60:01:94:c8:bd:3b IEEE 802.11: disassociated wlan0: STA 60:01:94:c8:bd:3b IEEE 802.11: disassociated wlan0: STA 60:01:94:c8:bd:3b IEEE 802.11: disassociated wlan0: STA 60:01:94:c8:bd:3b IEEE 802.11: disassociated wlan0: STA 60:01:94:c8:bd:3b IEEE 802.11: disassociated wlan0: STA 60:01:94:c8:bd:3b IEEE 802.11: disassociated wlan0: STA 60:01:94:c8:bd:3b IEEE 802.11: disassociated wlan0: STA 60:01:94:c8:bd:3b IEEE 802.11: deauthenticated due to inactivity (timer DEAUTH/REMOVE)

smarthack-web.log

^CTraceback (most recent call last): File "./fake-registration-server.py", line 129, in main() File "./fake-registration-server.py", line 125, in main tornado.ioloop.IOLoop.current().start() File "/usr/lib/python3/dist-packages/tornado/platform/asyncio.py", line 132, in start self.asyncio_loop.run_forever() File "/usr/lib/python3.6/asyncio/base_events.py", line 438, in run_forever self._run_once() File "/usr/lib/python3.6/asyncio/base_events.py", line 1415, in _run_once event_list = self._selector.select(timeout) File "/usr/lib/python3.6/selectors.py", line 445, in select fd_event_list = self._epoll.poll(timeout, max_ev) KeyboardInterrupt Listening on port 80 [I 190520 10:22:01 web:2162] 200 GET / (10.42.42.24) 0.93ms [W 190520 10:22:01 web:2162] 404 GET /favicon.ico (10.42.42.24) 2.73ms

kueblc commented 5 years ago

@TimelessNL

@kueblc In #249 you mentioned that if the device does not send HTTP GET requests it may have the patched firmware. But are there any other signs?

The first evidence will be that it makes HTTPS requests instead of HTTP. If using tuya-convert this will be the only clue, as it will not successfully complete registration. If the device registers to the cloud, it will start periodically broadcasting a message over UDP port 6667, but again this never happens when using tuya-convert.

nor is it accessible on its 10.42.42.42 static address

This will only happen if the device flashes the intermediate firmware. That address is taken by the intermediate firmware to indicate to the flashing script that we've successfully gained control of the device. The stock firmware will never take this address as it's outside the DHCP range.

if you apply power 4 times it actually starts its own little AP called SmartLife-XXXX where the X's are replaced by the last 4 characters of its MAC address

This is AP config, as opposed to EZ config. tuya-convert operates on EZ config only.
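The signs listed above (did the device associate with the AP, did plain HTTP requests reach the fake registration server, or did it join and then go quiet) can be read straight out of smarthack-wifi.log and smarthack-web.log. The following is an added example, not part of tuya-convert: it parses constructed sample lines in the hostapd and tornado formats shown earlier in this issue and returns a verdict. The "browser path" heuristic (that a request for `/` or `/favicon.ico` comes from a phone browser rather than a Tuya device) and all MACs and IPs in the samples are assumptions made for the example.

```python
"""Triage of tuya-convert logs for the signs discussed in this thread.

Added example, not part of tuya-convert: it reads the hostapd output that
ends up in smarthack-wifi.log and the tornado access log that ends up in
smarthack-web.log and answers three questions:
  1. did any station (the plug/bulb, or a phone) associate with the AP?
  2. did plain HTTP requests reach the fake registration server?
  3. were those requests from a device, or just from a phone browser?
"""
import re

# hostapd prints one of these when a station completes association.
AP_CONNECTED = re.compile(r"AP-STA-CONNECTED ?([0-9a-f]{2}(?::[0-9a-f]{2}){5})", re.I)
# hostapd prints this when a station is deauthenticated for inactivity.
AP_INACTIVE = re.compile(
    r"STA ([0-9a-f]{2}(?::[0-9a-f]{2}){5}) IEEE 802\.11: deauthenticated due to inactivity", re.I)
# tornado access-log line, e.g. "[I 190520 10:22:01 web:2162] 200 GET / (10.42.42.24) 0.93ms"
HTTP_REQUEST = re.compile(r"\b(\d{3}) (GET|POST) (\S+) \((\d+\.\d+\.\d+\.\d+)\)")

# Heuristic (assumption): "/" and "/favicon.ico" are what a phone browser
# fetches when someone opens the page; a Tuya device does not ask for a favicon.
BROWSER_PATHS = {"/", "/favicon.ico"}


def parse_wifi_log(text):
    """Return (MACs that associated, MACs later dropped for inactivity)."""
    connected = {m.lower() for m in AP_CONNECTED.findall(text)}
    dropped = {m.lower() for m in AP_INACTIVE.findall(text)}
    return connected, dropped


def parse_web_log(text):
    """Return (status, method, path, client_ip) for every access-log line."""
    return [(int(s), m, p, ip) for s, m, p, ip in HTTP_REQUEST.findall(text)]


def triage(wifi_text, web_text):
    """Classify a flashing attempt from the two logs."""
    connected, dropped = parse_wifi_log(wifi_text)
    requests = parse_web_log(web_text)
    device_requests = [r for r in requests if r[2] not in BROWSER_PATHS]
    if not connected:
        verdict = "no-association"  # nothing joined vtrust-flash: check EZ pairing mode
    elif device_requests:
        verdict = "http-seen"       # plain HTTP reached the fake server, as tuya-convert needs
    else:
        verdict = "no-http"         # joined but no device HTTP: HTTPS-only firmware or a DNS problem
    return {
        "stations": connected,
        "dropped": dropped,
        "requests": requests,
        "device_requests": device_requests,
        "verdict": verdict,
    }


# Constructed sample lines in the format seen in this thread; MACs and IPs are made up.
WIFI_SAMPLE = """\
wlan0: AP-ENABLED
wlan0: STA aa:bb:cc:dd:ee:01 IEEE 802.11: associated (aid 1)
wlan0: AP-STA-CONNECTED aa:bb:cc:dd:ee:01
wlan0: STA aa:bb:cc:dd:ee:01 WPA: pairwise key handshake completed (RSN)
wlan0: AP-STA-CONNECTED aa:bb:cc:dd:ee:02
wlan0: STA aa:bb:cc:dd:ee:02 IEEE 802.11: disassociated
wlan0: STA aa:bb:cc:dd:ee:02 IEEE 802.11: deauthenticated due to inactivity (timer DEAUTH/REMOVE)
"""
WEB_SAMPLE = """\
Listening on port 80
[I 190520 10:22:01 web:2162] 200 GET / (10.42.42.24) 0.93ms
[W 190520 10:22:01 web:2162] 404 GET /favicon.ico (10.42.42.24) 2.73ms
"""

if __name__ == "__main__":
    result = triage(WIFI_SAMPLE, WEB_SAMPLE)
    print("stations:", sorted(result["stations"]))
    print("dropped for inactivity:", sorted(result["dropped"]))
    print("device HTTP requests:", result["device_requests"])
    print("verdict:", result["verdict"])
```

On the sample the verdict is `no-http`: a station joined and one was dropped for inactivity, but the only HTTP traffic is a browser fetching `/` and a favicon. That matches the pattern described in this thread for devices that talk HTTPS only, though a dnsmasq or DNS problem on the host produces the same picture, so it is a prompt to look further rather than proof of patched firmware.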

henkiejan1 commented 5 years ago

@kueblc In #249 you mentioned that if the device does not send HTTP GET requests it may have the patched firmware. But are there any other signs?

I bought myself some LSC Smart Connect bulbs sold by Action, for example this E14 bulb, which is based around the ESP8285 and SM2135E. When running ./start_flash.sh it does indeed connect to the AP after the initial smart-config procedure. But neither does it request a DHCP lease nor is it accessible on its 10.42.42.42 static address. Or is there any knowledge of whether they completely changed the IP address?

Unfortunately opening the bulb is a one-way trip, as seen in the picture below, and even after opening the TX/RX pins are not easily accessible.

EDIT: Never mind, after trying an Ubuntu 16.04 install the Tuya device did indeed request a DHCP address. No idea why it didn't on 18.04, even while my phone did get a DHCP lease...

Did you have any progress with this? I have bought a socket, but when I start to flash I only get dots on the screen. The LED on the socket flashes quickly and I connect my smartphone to the vtrust SSID. Should I delete the device from the LSC app? How did you check that the device gets an IP?

TimelessNL commented 5 years ago

Yeah, those are the signs. Those dots don't actually mean much. The background process like WiFi smartconfig does its job and gets the bulb to connect to the WiFi hotspot. But that's all; then it's sending HTTPS requests that cannot be intercepted (yet). I took a brief look at the source code from Tuya but did not find anything interesting just yet.

Those LSC bulbs are produced past 04-2019, so they contain the fix already. And even if they were OTA-able, only the filament-style bulbs are worth the effort, since they don't use the unknown I2C chip to drive the LEDs like the RGBWW do.

henkiejan1 commented 5 years ago

I had first bought the socket, PIR sensor and a remote control (never seen a remote control with a WiFi chip; it's a Realtek one). But I also upgraded the socket with the latest firmware, so I think I could never flash it.

TimelessNL commented 5 years ago

@henkiejan1 please visit this forum; it will give you some more information about these LSC products. If you don't speak German you could use Google Translate.

idxman01 commented 5 years ago

It sounds like this is related to firmware, but in case it helps:

I flashed a Gosund WP3 this week loaded with 1.04. All 3 were previously connected to the Tuya app instead of Smart Life or the new Gosund app. Thankfully it didn't upgrade firmware.

It wasn't smooth and I had to restart it several times... I mainly needed to stop and disable systemd-resolved, several other services, kill previous SCREEN processes and run the following bits from scripts/setup_ap.sh which were left hanging...

I'm about to flash the other two and will send any other quirks that crop up.

Manual cleanup:

if test -d /etc/NetworkManager; then
        sudo rm /etc/NetworkManager/NetworkManager.conf > /dev/null 2>&1
        sudo mv /etc/NetworkManager/NetworkManager.conf.backup /etc/NetworkManager/NetworkManager.conf
        sudo service network-manager restart
fi
sudo /etc/init.d/dnsmasq stop > /dev/null 2>&1
sudo pkill dnsmasq
sudo rm /etc/dnsmasq.conf > /dev/null 2>&1
sudo mv /etc/dnsmasq.conf.backup /etc/dnsmasq.conf > /dev/null 2>&1
sudo rm /etc/dnsmasq.hosts > /dev/null 2>&1
sudo iptables --flush
sudo iptables --flush -t nat
sudo iptables --delete-chain
sudo iptables --table nat --delete-chain

kueblc commented 5 years ago

Happy to share that support for HTTPS firmware is in the works #279

codefaux commented 4 years ago

I know this is (partially) irrelevant, but I wanted to mention that I just the other day (~May 20 2020) ordered a four-pack of WP3 switches from Amazon ( https://www.amazon.com/Gosund-Compatible-Required-appliances-Certified/dp/B079MFTYMV/ )

Straight out of the box I installed tuya-convert (git pull xyz etc.) and could not flash any of the four UNTIL applying the fix mentioned here by user @jfractalj:

Yeah, the vtrust-flash network doesn't route out to the internet. They are routing out through their mobile networks to get there. For me, the process did not work because dnsmasq wasn't working properly. I had a conflict with systemd-resolved. I fixed it by running: sudo systemctl stop systemd-resolved I then reran the scripts. The process then completed. This also worked with a plug that has been connected to the app.

After the fix, it worked on both units I tested, BUT it was unable to pull the full firmware due to a VERY VERY slow download kicking a timeout (after three runs through the script; each time, it reached ~50% in spits and spurts of a few hundred bytes at a time) -- after which I finally gave up and told it to flash Tasmota, but I do not have the original binary backed up anymore. (I don't care; if aftermarket firmware doesn't run it's not getting used.)

From there it seems to have worked fine. I have four in the box; I'll flash two now, if anyone can tell me how to safely check which firmware version they're on I'll do that next.
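The fix quoted above and idxman01's earlier comment both come down to the same thing: a service already on the host (systemd-resolved on 127.0.0.53:53) holds a port that dnsmasq needs, so DHCP/DNS for vtrust-flash never works and the run stalls on dots. The following added example, which is not part of tuya-convert, is a pre-flight check that parses `ss -lntup` output and reports any foreign listener on the ports the thread's services use: 53 and 67 for dnsmasq, 80 for the fake registration server ("Listening on port 80" in smarthack-web.log). The sample output, PIDs and process names are constructed; `check_live_system()` runs the real `ss` on the current host.

```python
"""Pre-flight check for the port conflicts described in this thread.

Added example, not part of tuya-convert. Before start_flash.sh is run, the
services it starts need their ports free: dnsmasq (DNS on 53, DHCP on 67)
and the fake registration server (port 80). systemd-resolved holding
127.0.0.53:53 is the conflict reported above. This script parses the output
of `ss -lntup` (a constructed sample is below) and reports who is already
listening on those ports.
"""
import re
import subprocess

REQUIRED_PORTS = {53: "dnsmasq (DNS)", 67: "dnsmasq (DHCP)", 80: "fake-registration-server"}

# One row of `ss -lntup`: proto, state, recv-q, send-q, local addr:port, peer, process info.
SS_ROW = re.compile(r"^(udp|tcp)\s+\S+\s+\d+\s+\d+\s+(\S+?):(\d+)\s+\S+\s*(.*)$")
PROC_NAME = re.compile(r'\("([^"]+)"')  # first name inside users:(("name",pid=...,fd=...))


def parse_listeners(ss_output):
    """Return a list of (proto, port, process-name-or-None) from ss output."""
    listeners = []
    for line in ss_output.splitlines():
        m = SS_ROW.match(line.strip())
        if not m:
            continue  # header line or a row in a layout we do not understand
        proto, _addr, port, proc_field = m.groups()
        name = PROC_NAME.search(proc_field)
        listeners.append((proto, int(port), name.group(1) if name else None))
    return listeners


def find_conflicts(listeners, ours=("dnsmasq",)):
    """Map each required port to the foreign listeners already occupying it.

    Processes in `ours` are ignored so that a dnsmasq left over from an
    earlier run is not reported (setup_ap.sh cleans that up itself).
    """
    conflicts = {}
    for proto, port, name in listeners:
        if port in REQUIRED_PORTS and name not in ours:
            conflicts.setdefault(port, []).append((proto, name))
    return conflicts


def check_live_system():
    """Run `ss -lntup` on this host and print the conflicts found."""
    out = subprocess.run(["ss", "-lntup"], capture_output=True, text=True, check=True).stdout
    conflicts = find_conflicts(parse_listeners(out))
    for port, who in sorted(conflicts.items()):
        print(f"port {port} needed by {REQUIRED_PORTS[port]} is held by {who}")
    return conflicts


# Constructed sample in the layout `ss -lntup` prints; PIDs and names are made up.
SS_SAMPLE = """\
Netid State  Recv-Q Send-Q Local Address:Port   Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.53%lo:53      0.0.0.0:*         users:(("systemd-resolve",pid=512,fd=12))
udp   UNCONN 0      0          0.0.0.0:68        0.0.0.0:*         users:(("dhclient",pid=640,fd=6))
tcp   LISTEN 0      128    127.0.0.53%lo:53      0.0.0.0:*         users:(("systemd-resolve",pid=512,fd=13))
tcp   LISTEN 0      511            *:80              *:*           users:(("apache2",pid=900,fd=4))
tcp   LISTEN 0      128            [::]:22          [::]:*         users:(("sshd",pid=700,fd=3))
"""

if __name__ == "__main__":
    for port, who in sorted(find_conflicts(parse_listeners(SS_SAMPLE)).items()):
        print(f"port {port} needed by {REQUIRED_PORTS[port]} is held by {who}")
```

On the sample it reports systemd-resolve on 53 (udp and tcp) and apache2 on 80; sshd on 22 and dhclient on 68 are ignored because those ports are not needed. Running `check_live_system()` before start_flash.sh tells you whether the `sudo systemctl stop systemd-resolved` step from the quoted fix, or stopping some other service, is needed on this host.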

ikidd commented 3 years ago

Tried flashing 2 of these recently purchased, was unsuccessful. Taking it apart, the ESP chip on it is labelled "20.09.18" and is likely updated to remove tuya-convert vulnerability. Will try hardwire flash next based on https://vmallet.com/2020/07/gosund-wp3-smart-plug-teardown-and-schematic/ wiring diagram.

bcwhite-code commented 3 years ago

I just got some from Amazon since they worked so well for me when I bought them a few months back. Now it looks like they are also protected from conversion.

Can someone confirm whether being connected to vtrust-flash SHOULD or SHOULD NOT have internet access? My Android says "no internet". I'm pretty sure that was also the case a few months back when everything was working, but I'm not certain.

I take it from all this that these units are now useless for me in this regard. Are there any brand plugs known to still be convertible?

Update: I had ordered two boxes of four Gosund WP3 from Amazon. One box would convert ("no internet" was not a problem) while the other box would not.

kueblc commented 3 years ago

@bcwhite0 you are correct, there should not be internet access on vtrust-flash.

codefaux commented 3 years ago

@bcwhite0 If you're confident with a hardware flasher, they're pretty easy to disassemble and flash that way. You can also pick up a flasher for under $30 on Amazon, but then you'll need some talent with soldering. Unfortunately, "known to work" is rough since the only reason it works in the first place is (unless I'm mistaken - someone correct me?) due to a mistake in Tuya's security safeguards. It's an unsupported modification, so they don't really provide the information (software and/or bootloader version) that the community would need to identify it, all we really have is sometimes knowing the unit's overall age.

Unfortunately, more and more are likely to refuse "conversion" over time, until/unless a new option is found. The hardware flash is the most reliable method.

bcwhite-code commented 3 years ago

I have manually flashed devices in the past but it's a real PITA. I've done enough hacking in my life. Now I just want things to work. :-)

I agree that this could be viewed as a security fix on Tuya's part -- a way to prevent middlemen from replacing the firmware before delivery of the physical unit to the final recipient. Which is precisely why I want to replace the firmware with something I know.

There are a few companies I trust to write good, secure firmware and maintain it to keep being secure: Google, Amazon, and Microsoft. Outside of them, no dice. I have a completely separate WiFi SSID for IOT units in general.

In the future I'll have to buy Zigbee or Zwave units.

idxman01 commented 3 years ago

@bcwhite0 Are you using the latest version? They have worked around Tuya trying to prevent flashing a few times. Though I thought I also heard they were moving to a Realtek-based chip, which will make Tasmota useless. Maybe your 2nd box had a new chipset?

It's a shame; the WP3 is my go-to smart switch for flashing and I've ordered a number of boxes.

bcwhite-code commented 3 years ago

I'm at tuya-convert 2.4.4 which appears to be the latest. A "git pull" didn't show anything.

I have some Teckin SP10 devices that have moved to Realtek parts, which is why I originally went looking for other vendors. I couldn't find any difference in the markings between working/non-working, so I suspect it's just a firmware change. I'll probably just give the "new" box away as a gift.

Maybe you'll get lucky and get the older model with your order.

If somebody wanted to make a business of it, Tuya could probably be contracted to build models specifically for home-flashing. They'd just come with the "intermediate bootloader" installed instead of the standard Tuya firmware. I can't see why they would care.

0xDigest commented 3 years ago

I made a 3D-printable jig for this model to flash without having to de-solder the ESP. I'm still working on the best way to open the case without destroying it. Honestly, it's kinda hackish and not the best option, but I'm willing to share if anyone's interested.

codefaux commented 3 years ago

@0xDigest - I've had moderate success with strategically vice-squeezing the shells of ultrasonically welded items such as these, especially if they're cold. A 3D printed brace approximately the diameter of the object used as a vice jaw could probably be used more accurately.

@bcwhite0 - I'd imagine it would be quite easy to convince anyone along the supply chain to drop them in a box bootstrapped but open, it's just not likely to be worth it to them in a batch size small enough to be attainable. I can't help but wonder what batch size it would take, though...

CaptClaude commented 3 years ago

@0xDigest I would be interested in seeing your flashing adapter. I have a bunch of Pogo Pins just looking for something to connect to.

ikidd commented 3 years ago

I too would like a link to the STL of this, tyvm.

dirtybirthdaycake commented 3 years ago

I would appreciate the STL as well.

I had excellent success opening the Gosund WP3 with a pair of pliers and some junk mail, squeezing and rotating the unit until I heard a crack. The case came apart with very minimal scratches.

ikidd commented 3 years ago


I made a 3d printable jig for this model to flash without having to de-solder the esp. I'm still working on the best way to open the case without destroying it. Honestly, it's kinda hackish and not the best option, but I'm willing to share if anyone's interested.

Pinging @0xDigest

0xDigest commented 3 years ago

Sorry, I didn't anticipate much demand and haven't had a chance to put together the guide to support the STL. I'll post pictures soon.

Until then, some notes:

https://www.thingiverse.com/thing:4711879

ikidd commented 3 years ago

Sorry, I didn't anticipate much demand and haven't had a chance to put together the guide to support the STL. I'll post pictures soon.

TYVM for posting.

glitch2500 commented 3 years ago

@0xDigest - Did you happen to put together that wiring diagram? I'm struggling getting the wires to keep contact when using the jig. And as for grounding the IO0 pin, I'm still fighting with options to do that reliably as well. Any thoughts? I tried stranded wire wrapped around the groove. I even tried some solid copper wire (telecom). Still fiddling, but any thoughts would be appreciated. And thanks for coming up with the jig! It's pretty cool! Without it, it would be an even bigger struggle.

Thank you much!

dirtybirthdaycake commented 3 years ago

@glitch2500 I am not the original designer of the adapter but I did get it to work and did manage to flash four WP3 units. I wrote up my process here: https://imgur.com/a/YArpvLa

glitch2500 commented 3 years ago

@junghandy Thank you! That is a bit of help. I had the jig rotated 180 degrees with the curve coming down around the outside of the case vs over top of the chip. Thank you much for the photos!

0xDigest commented 3 years ago

@junghandy nice writeup - I couldn't have done it better. Sorry for not following up. -- Only thing I would add looking at your pictures is that the jig will clip over the chip, but that may be why I am seeing breakage. @glitch2500 as for grounding, I used the same process as @junghandy - I poked at the pad on the back of the chip with a grounded jumper cable with a pin inserted.