ct-Open-Source / tuya-convert

A collection of scripts to flash Tuya IoT devices to alternative firmwares
MIT License

New PSK format #483

Open countcobolt opened 4 years ago

countcobolt commented 4 years ago

Hi all

I am trying to flash a BSD34 smart socket. I have downloaded the latest tuya master built using git. Working on an RPI 3B. I can connect the socket using the normal Smart Life app. I did this after I absolutely could not manage to flash it at first (still can't). Decided to dive a bit deeper into it today and found this:

In smarthack-psk.log I have a ton of entries as following

new client on port 443 from 10.42.42.20:53000
ID: 0242416f68626d64366147393149465231509241f729c9f0af3aa41e355b7cbeb1ece63da6ff54b74f271af0ef044466e6
PSK: d9488a1b4524ae3e31acd0342e6d0b2eedbb5d55e957a9a51073b95e36ab1c5c
('could not establish sslpsk socket:', SSLError(1, u'[SSL: DECRYPTION_FAILED_OR_BAD_RECORD_MAC] decryption failed or bad record mac (_ssl.c:727)'))
new client on port 443 from 10.42.42.20:5371
ID: 0242416f68626d64366147393149465231509241f729c9f0af3aa41e355b7cbeb1ece63da6ff54b74f271af0ef044466e6
PSK: d9488a1b4524ae3e31acd0342e6d0b2eedbb5d55e957a9a51073b95e36ab1c5c
('could not establish sslpsk socket:', SSLError(1, u'[SSL: DECRYPTION_FAILED_OR_BAD_RECORD_MAC] decryption failed or bad record mac (_ssl.c:727)'))

My smartphone and device are actually connecting to the access point. In smarthack-wifi.log you see

wlan0: AP-STA-DISCONNECTED ac:57:75:99:f2:9f
wlan0: AP-STA-CONNECTED ac:57:75:99:f2:9f
wlan0: AP-STA-CONNECTED c4:4f:33:bc:10:c6
wlan0: AP-STA-DISCONNECTED ac:57:75:99:f2:9f
wlan0: AP-STA-CONNECTED ac:57:75:99:f2:9f
wlan0: AP-STA-DISCONNECTED ac:57:75:99:f2:9f
wlan0: AP-STA-CONNECTED ac:57:75:99:f2:9f

The AC mac is my smartphone, while the C4 is the actual device I am trying to flash.

The mqtt log remains quite virgin

1578041479: mosquitto version 1.5.7 starting
1578041479: Using default config.
1578041479: Opening ipv4 listen socket on port 1883.
1578041479: Opening ipv6 listen socket on port 1883.

as does the UDP log

Listening for Tuya broadcast on UDP 6666
Listening for encrypted Tuya broadcast on UDP 6667

Smarthack-web.log does not give me more either Listening on 10.42.42.1:80

I have browsed and googled for hours now and mostly I find that this might be due to not using the ESP8x chip. Yet funnily enough, when I simply configure them using the Smart Life app, I see them in my network as ESP_some_ref_number. And it does get an IP address.

The socket looks like this

Any clues on why the SSL error shows up? Using openssl 1.1.1d / Python 2.7.16 and 3.7.3

Kind regards Steve
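
The psk log above can be triaged mechanically. As an added example (not tuya-convert's own code), here is a small parser for smarthack-psk.log entries in both the multi-line form posted here and the one-line form with a Prefix field that appears later in the thread; it groups handshake attempts by PSK identity and splits each identity into a leading byte, a 16-byte text prefix and a 32-byte remainder (that split is an observation from the posted IDs, not a Tuya specification). The sample log is constructed.

```python
"""Triage helper for tuya-convert's smarthack-psk.log (added example, not project code).
Handles the multi-line (Python 2) layout and the one-line layout with a 'Prefix:' field."""
import re
from dataclasses import dataclass

NEW_CLIENT = re.compile(r"new client on port (\d+) from ([\d.]+):(\d+)")
ID_LINE = re.compile(r"\bID: ([0-9a-fA-F]+)")
PSK_LINE = re.compile(r"\bPSK: ([0-9a-fA-F]+)")
ERR_LINE = re.compile(r"could not establish sslpsk socket.*?\[SSL: ([A-Z_]+)\]")


@dataclass
class Attempt:
    client: str               # ip:port of the connecting device
    identity: bytes = b""     # raw PSK identity the device sent in the handshake
    psk_hex: str = ""         # the PSK tuya-convert derived from that identity
    ssl_error: str = ""       # OpenSSL reason code; empty if no failure was logged

    # Layout observed in the IDs logged in this thread (an assumption, not a Tuya
    # specification): 1 leading byte, 16 text bytes, then 32 hash-sized bytes.
    def prefix_text(self) -> str:
        return self.identity[1:17].decode("ascii", errors="replace")

    def tail(self) -> bytes:
        return self.identity[17:]


def parse_psk_log(text: str) -> list:
    """One Attempt per 'new client' line; ID/PSK/error may follow on the same
    line or on the next lines."""
    attempts, cur = [], None
    for line in text.splitlines():
        if m := NEW_CLIENT.search(line):
            cur = Attempt(client=f"{m.group(2)}:{m.group(3)}")
            attempts.append(cur)
        if cur is None:
            continue
        if (m := ID_LINE.search(line)) and len(m.group(1)) % 2 == 0:
            cur.identity = bytes.fromhex(m.group(1))
        if m := PSK_LINE.search(line):
            cur.psk_hex = m.group(1).lower()
        if m := ERR_LINE.search(line):
            cur.ssl_error = m.group(1)
    return attempts


def summarise(attempts: list) -> dict:
    """Group attempts by identity hex; an entry that never sent an ID groups under ''."""
    out = {}
    for a in attempts:
        s = out.setdefault(a.identity.hex(), {
            "attempts": 0, "failures": 0, "errors": set(), "clients": set(),
            "prefix": a.prefix_text(), "tail_len": len(a.tail())})
        s["attempts"] += 1
        s["clients"].add(a.client.rsplit(":", 1)[0])
        if a.ssl_error:
            s["failures"] += 1
            s["errors"].add(a.ssl_error)
    return out


# Constructed sample shaped like the entries posted in this thread; hash and PSK
# bytes are made up, only the line formats and error strings match the real log.
OLD_STYLE_ID = "02" + b"BAohbmd6aG91IFR1".hex() + "a1" * 32   # readable text prefix
NEW_STYLE_ID = "02" + "3f" * 16 + "b2" * 32                  # all-'?' prefix (TB95 style)
PSK_A, PSK_B = "c3" * 32, "d4" * 32
SAMPLE_LOG = f"""\
new client on port 443 from 10.42.42.20:53000
ID: {OLD_STYLE_ID}
PSK: {PSK_A}
('could not establish sslpsk socket:', SSLError(1, u'[SSL: DECRYPTION_FAILED_OR_BAD_RECORD_MAC] decryption failed or bad record mac (_ssl.c:727)'))
new client on port 443 from 10.42.42.20:5371
ID: {OLD_STYLE_ID}
PSK: {PSK_A}
('could not establish sslpsk socket:', SSLError(1, u'[SSL: DECRYPTION_FAILED_OR_BAD_RECORD_MAC] decryption failed or bad record mac (_ssl.c:727)'))
new client on port 443 from 10.42.42.17:34775 ID: {NEW_STYLE_ID} Prefix: b'????????????????' PSK: {PSK_B} could not establish sslpsk socket: [SSL: DECRYPTION_FAILED_OR_BAD_RECORD_MAC] decryption failed or bad record mac (_ssl.c:1056)
new client on port 443 from 10.42.42.26:34096 ('could not establish sslpsk socket:', SSLError(1, u'[SSL: NO_SHARED_CIPHER] no shared cipher (_ssl.c:727)'))
"""
```

Run `summarise(parse_psk_log(open("smarthack-psk.log").read()))` against a real log to see, per identity, how many attempts failed and whether the prefix is readable text or all '?'.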

Woodpeckercz commented 4 years ago

How did you manage to open the devices up to flash them? They look pretty impenetrable!

Pushed a screwdriver into the grounding pin hole and pushed until the weld gave in, nothing broke, I only had to use a tiny bit of superglue to make sure the cover didn't come off when pulling the plug out of the socket. I also had to desolder the L N terminals to access the bottom of the PCB for programming the ESP8285. I can post pictures if needed.

Tallboy22 commented 4 years ago

Pictures would be great if you could post some. Been a while since I've done any fine soldering, so slightly apprehensive about opening it up..

leifclaesson commented 4 years ago

Wow, buying tuya gear now is really hit and miss. Received four MALITAI Smart WiFi 9W RGBCCT E27 bulbs today. Three of them worked perfectly with tuya convert. The fourth one would not enter fast flashing mode, until I finally toggled the bulb on and off around 10 times... and then, it turned out to be blocked! I'll bet they pulled four bulbs off the shelf, helpfully tested one by pairing it, at which point it got updated.

I solved that one with a soldering iron -- not the easiest tasmota conversion ever, but... yeah. you know.

CHAZICLE commented 4 years ago

now the identity is a hash of the device's id and MAC address

@iracigt I'm not certain yet but it looks like you can use the Smart Life app to pair the device and get the prod_idx. I found it under "Device Information" as the first 8 characters of the "Virtual ID" string and it seems to match the prod_idx I found in the json blob. Can anyone else confirm this?

Also it looks like the prod_idx happens to be identical for the particular set of 6 BSD29s that I bought. I'll take a closer look when I have some more time but is that all we need to flash the firmware?

akaBaib commented 4 years ago

@CHAZICLE I have checked my BSD34, the Virtual ID is 83203175d8f15bd49015. Version of WI-FI module is 1.1.4. But I have no idea how to check the prod_idx "in the json blob" :(

kueblc commented 4 years ago

I'll take a closer look when I have some more time but is that all we need to flash the firmware?

No, it's a bit more complicated than that. The missing part is how to compute the PSK from the PSK identity, if that is possible with the information we have.

As @iracigt has said, the prod_idx is used to compute the PSK identity. This is handed to the server by the client during the handshake, so it is not secret information.

prod_idx is not secret information either, it is the first part of the gwId as you have noticed, @CHAZICLE. In fact the gwId is what is being hashed here, which is prod_idx + mac.

The point is that the previous implementation did leak secret information through the PSK identity, which we could use to compute the PSK. Now that it does not, our job is harder.

In order to solve this, we will need samples of actual communications between the client (smart device) and the server (Tuya cloud), along with a copy of that device's firmware. If anyone is able to provide both we may be able to crack this.

One possible procedure to accomplish this would be:

  1. Start with a new device
  2. Create a bridged hotspot using create_ap
  3. Start recording the network interface with tcpdump or WireShark
  4. Connect smart phone
  5. Use the vendor app to connect the smart device to the hotspot
  6. Disconnect and stop recording
  7. Open the device and read the firmware over serial using esptool.py

delneet commented 4 years ago

🙋🏻‍♂️ I just received two of the smart plugs described in the start post (the EU version) BSD34. After trying and googling for 4 days I just came across this post after discovering the DECRYPTION_FAILED_OR_BAD_RECORD_MAC error in the smarthack-psk.log file. This is a hard to find GH issue.

I'd love to help if someone can take me through the steps. I'm a (ruby) developer, have the tools (pi's, macbook, kali linux, soldering iron, arduino flash thingy), but not the know how to take the steps mentioned above.

I have one that's already linked with the Smart Life app and one that is still virgin (except for the tuya-convert attempts). Just don't know which is which anymore.

So long story short. What do I do.

edit:

Secondly, wondering how to enable the power metering ==> Sorry, noticed it doesn't have that feature... Stupid me

The app does provide these features with the bsd34...

leifclaesson commented 4 years ago

@kueblc, there are yet several tuya devices heading here by mail. I'm sure at least one of them will be blocked, and if so I will attempt to capture the traffic and the binary as you described above. I don't actually know when I'll get a blocked device next (I beat all previous ones into submission with my soldering iron) so if someone beats me to it, that works too.

kueblc commented 4 years ago

@delneet

  1. Install create_ap
    git clone https://github.com/oblique/create_ap
    cd create_ap
    sudo make install
    cd ..
  2. Setup a pass through AP (assuming your interface is wlan0)
    sudo create_ap wlan0 wlan0 MyAccessPoint MyPassPhrase
  3. Start recording
    tcpdump -i wlan0 -w capture.pcap
  4. Connect your phone to MyAccessPoint (or whatever you decide to call it)
  5. Use the app (SmartLife or vendor branded app) to pair the device
  6. Wait for registration to complete
  7. Disconnect the device
  8. Go back to tcpdump and press Ctrl + C
  9. Disassemble the device and connect to the serial port of the ESP
  10. Download the firmware using esptool
    esptool.py read_flash 0 0x100000 firmware.bin
  11. Upload both capture.pcap and firmware.bin

@leifclaesson great to hear, thank you for your contributions

CHAZICLE commented 4 years ago

The missing part is how to compute the PSK from the PSK identity, if that is possible with the information we have.

Oh damn. so THAT changed? Well here's my pcap and firmware: module1.zip

I'll have another one ready soon. Happy decrypting!

leifclaesson commented 4 years ago

Wouldn't you know it -- eight tuya-based ceiling lights arrived yesterday, and all eight worked perfectly with tuya convert. Maybe this is the trick to make sure any device you receive has older firmware -- hope for them to be blocked!


masterflai commented 4 years ago

🙋🏻‍♂️ I just received two of the smart plugs described in the start post (the EU version) BSD34. After trying and googling for 4 days I just came across this post after discovering the DECRYPTION_FAILED_OR_BAD_RECORD_MAC error in the smarthack-psk.log file. This is a hard to find GH issue.

I'd love to help if someone can take me through the steps. I'm a (ruby) developer, have the tools (pi's, macbook, kali linux, soldering iron, arduino flash thingy), but not the know how to take the steps mentioned above.

I have one that's already linked with the Smart Life app and one that is still virgin (except for the tuya-convert attempts). Just don't know which is which anymore.

So long story short. What do I do.

edit:

Secondly, wondering how to enable the power metering ==> Sorry, noticed it doesn't have that feature... Stupid me

The app does provide these features with the bsd34...

There is a new BSD34 device on the market with power metering.

I called it "BSD34-1 16A Modul" in the Tasmota database, but it seems that my entry still isn't visible there.

You can use the power metering with the following template.

{"NAME":"BSD34-1 16A","GPIO":[0,53,0,131,134,132,0,0,21,17,52,0,0],"FLAG":0,"BASE":18}

The new device has a 16A fuse instead of 10A and power metering. At the socket you won't find a difference. I opened the device to flash it and figured out that there are two LEDs (red/blue).

With the original firmware it is possible to have red, blue and a purple combination of them. My template uses this purple color. You will find the LEDs at GPIO1 (LED2) and GPIO14 (LED1). You can use the normal or the inverted variant (LED1 vs. LED1i). I didn't spend so much time to figure out the correct color combination as it is in the original firmware.

Please feel free to use this template.


akaBaib commented 4 years ago

@masterflai Thanks for sharing! Working great!

delneet commented 4 years ago

I might have bricked them with tuya-convert. They won't connect with the SmartLife app anymore 😧 They just stop (fast) blinking after a second or two and don't respond.

kueblc commented 4 years ago

@delneet it is unlikely to be bricked, please open a new issue if you need help resolving.

I'd like to ask us to keep off topic discussion to a minimum to make collaboration and information sharing about this particular issue easier. The purpose of this issue will be collecting our findings and data until we hopefully find a workaround for the new PSK format.

leifclaesson commented 4 years ago

I got three identical downlights today -- all blocked! Will try to dump them tomorrow.

leifclaesson commented 4 years ago

Okay, severe case of cranial rectitis here. Good thing I had three devices, because I paired the first two into my main network, not the one I was capturing packets on! I thought I was smart to leave my phone on the main network so only the communication to/from the bulb would be logged, and then completely overlooked the fact that it didn't ask for my (previously saved, obviously) wifi password but just went ahead and paired it... Durrrr....

Anyway, at least I realized it before the third one. Real shame about the other two though. @kueblc, is it helpful to have more captures? I did actually save the pre-tuya-integration firmware for all three devices separately, so if it's useful I could re-flash the original firmware and attempt this again.

Here's before/after binaries and the capture (of the third device). tuya_pairing.zip

leifclaesson commented 4 years ago

Okay, I hate to leave stones unturned, and I was bored, so I did it. Here are the before/after and captures of three identical devices. It's the 3.5" RGBCW downlight with the recessed diffuser and orange arms -- different from for example the Zemismart downlights which has a flush diffuser and black arms.

Let me know if I can help any other way. Thanks for the great work with Tuya Convert, @kueblc and everyone else in the community.

dinhchinh82 commented 4 years ago

@delneet

  1. Install create_ap
    git clone https://github.com/oblique/create_ap
    cd create_ap
    sudo make install
    cd ..
  2. Setup a pass through AP (assuming your interface is wlan0)
    sudo create_ap wlan0 wlan0 MyAccessPoint MyPassPhrase
  3. Start recording
    tcpdump -i wlan0 -w capture.pcap
  4. Connect your phone to MyAccessPoint (or whatever you decide to call it)
  5. Use the app (SmartLife or vendor branded app) to pair the device
  6. Wait for registration to complete
  7. Disconnect the device
  8. Go back to tcpdump and press Ctrl + C
  9. Disassemble the device and connect to the serial port of the ESP
  10. Download the firmware using esptool
    esptool.py read_flash 0 0x100000 firmware.bin
  11. Upload both capture.pcap and firmware.bin

@leifclaesson great to hear, thank you for your contributions

@kueblc I have a new Tuya IR which could not OTA because of this issue. If you need the information above to debug, I will make it for you.

Thank you.

adridb commented 4 years ago

Same Problem here with TB95 bulb.

new client on port 443 from 10.42.42.17:34775
ID: 023f3f3f3f3f3f3f3f3f3f3f3f3f3f3f3ff34d434ebeb1d22b0a8a672b34f45e8d1d6da8d7d7087ae47e82c7e4010e0d28
Prefix: b'????????????????'
PSK: 42b1cbd08045d6d93a41749c666df553c6738c9b8b977265b2d90631e9d10ca0
could not establish sslpsk socket: [SSL: DECRYPTION_FAILED_OR_BAD_RECORD_MAC] decryption failed or bad record mac (_ssl.c:1056)

zombielinux commented 4 years ago

I have the same problem with a bunch of E12 RGB bulbs. I've opened one of them up and it unfortunately appears nearly impossible to solder a wire to GPIO0 to facilitate an offline flash. I'll fiddle with it though.

Let me know if you want me to test with what I've got, I've got 14 bulbs I can get captures and bins for.

bottle12 commented 4 years ago

same here with a loratap sc500w curtain switch

new client on port 443 from 10.42.42.24:26773
ID: 0242416f68626d64366147393149465231293a51d5543cb4717d4d645a9ef23f3f2d71437225 3b0bed72c16a89f4b06db9
PSK: 42df0b16a88c3f4ea40087c8f31cf95406b7dc9eece251f1c880cfe44a3b88d4
could not establish sslpsk socket: [SSL: DECRYPTION_FAILED_OR_BAD_RECORD_MAC] decryption failed or bad record mac (_ssl.c:1056)

wlan0: AP-STA-DISCONNECTED d8:bf:c0:e6:e4:58
wlan0: AP-STA-CONNECTED d8:bf:c0:e6:e4:58

borisneubert commented 4 years ago

same here with a loratap sc500w curtain switch

I join this. The SC500W-v2 shutter switch resists flashing for me and other people as well (FHEM forum).

Procedure:

orrpan commented 4 years ago

Same on Deltaco SH-P01E (another manufacturer's version of the Gosund SP1)

atus42 commented 4 years ago

Can someone please help me on manual flashing? I was able to solder 3.3, tx, rx, gnd.

If I'm correct they are in the order 3.3; ; RX ; TX; GND; on the 'upper' row.

I watched all the attached photos, and didn't see how you managed to solder gpio0, and no one mentioned the 'en' pin. As far as I know, gpio0 should be pulled low (gnd) and 'en' should be pulled high for a successful flash.

I use an usb->serial converter, and HA's esphome plugin to flash.

On @countcobolt's comment at Jan 4, I see 3.3; ?? ; RX ; TX soldered (black;white;grey;purple), but no gnd.

Edit: Offtopic, but wanted to correct my error to prevent someone making the same mistake. I determined the pins by measuring the resistance between the circles on the panel and the soldered legs. My mistake was that I thought the G marked circle is the ground, but it is not. It is at the upper left corner, and indeed it is the ?? marked leg. So to make a manual flash, you need to solder the first four legs (from top left): 3.3; GND; RX; TX. The gpio0 is the oo marked circle next to 'RX' and below 'R'. I didn't even try to solder it, but I was able to hold a pin to it while powering the ESP, so it entered flashing mode.

Good luck for converting.

deemonrider commented 4 years ago

Same with Gosund 800l bulbs :/

joebusch67 commented 4 years ago

Is it possible that we get a solution for this problem in the near future? What can I do?

dogggonit commented 4 years ago

Could not flash Merkury MI-EW003-999W LED Light strip. Ended up using Tasmotizer. The logs show some sort of decryption error? I made a backup of the firmware if you would like me to send it to you.

Logs: smarthack-psk.log smarthack-udp.log smarthack-web.log smarthack-wifi.log smarthack-mqtt.log

dogggonit commented 4 years ago

I also have a Magic Home backup if you'd like that too. I can't remember if I even tried tuya-convert on it or not, I just soldered to it.

rickq commented 4 years ago

Has anybody got BSD34 without HLW8012?

image

ortegafernando commented 4 years ago

Hi @kueblc , I think will be a good idea to change this post title to:

"new psk format. Device did not appear with the intermediate firmware"

That way maybe more people could find it and not open new issues (like me and others)

ThePirat91 commented 4 years ago

Hello, I have the same problem with LoraTap SC511WSC Curtain Switch. The flashing stuck at "Resending SmartConfig Packets" and no intermediate firmware at all....

kinselp commented 4 years ago

Have the same problem with a DETA Quad Smart Switch (6904HA). Have successfully flashed single and dual gang switches, but the quad gang has the same failure as above (resending packets...). Now having a hard time flashing via serial as well. Not my night!

smarthack-udp.log smarthack-web.log smarthack-psk.log smarthack-wifi.log smarthack-mqtt.log

k0rtina commented 4 years ago

Have the same problem with a DETA Quad Smart Switch (6904HA). Have successfully flashed single and dual gang switches, but the quad gang has the same failure as above (resending packets...). Now having a hard time flashing via serial as well. Not my night!

smarthack-udp.log smarthack-web.log smarthack-psk.log smarthack-wifi.log smarthack-mqtt.log

I have the same issue with the DETA Triple Smart Switch (this is my first attempt at tuya convert)

dbquintao commented 4 years ago

Hi!!

The same issue with a Tuya smart plug (Brazilian version). If any logs are required, please let me know.

LaurentCoignot commented 4 years ago

No help to provide, but one more device that fails: Etersky [aka Maxcio] curtain switch (WS-CS01) in Smart Life 1.0.6

new client on port 443 from 10.42.42.26:34096
('could not establish sslpsk socket:', SSLError(1, u'[SSL: NO_SHARED_CIPHER] no shared cipher (_ssl.c:727)'))

I used the development branch on GitHub to collect this log.

rbswift commented 4 years ago

I seem to be having the same problem with Arlec GLD060HA lamp/bulb in Australia (Bunnings)

ronytomen commented 4 years ago

I have cracked open the Teckin SB50 bulb, but can someone guide me on how to backup the firmware in a way that will help here? As soon as I figure out the connection pads to use for programming, I will pull the currently problematic firmware.

As in the utility or format of the firmware backup?

kinselp commented 4 years ago

Tasmotizer allows for a backup of standard firmware.

tomrk-esteam8 commented 4 years ago

Hi, I have bought lately (Amazon Germany) an SP112 plug. It seems to be the same issue as described above. I flashed an SP1 successfully yesterday, and I am surprised that it does not work with the SP112 (both bought at the same time).

smarthack-mqtt.log smarthack-psk.log smarthack-udp.log smarthack-web.log smarthack-wifi.log

As @rbswift mentioned, I would also flash them in old way maybe and backup firmware. Where can I find instructions how to back up the firmware - connections to the main board and tools I found already in some other article to know, how to flash.

Thanks in advance.

atus42 commented 4 years ago

@tomrar1290 Making a backup is simple, if you soldered, and can flash a new image. It was mentioned earlier in this thread: Get: https://github.com/espressif/esptool Issue command: esptool.py read_flash 0 0x100000 firmware-backup.bin

Cheatha commented 4 years ago

I bought an AOFO Smart Power Strip (ZLD-44EU-W) with 4 sockets and 4 USB ports. Unfortunately it was shipped with a new firmware, smarthack-psk.log shows the DECRYPTION_FAILED_OR_BAD_RECORD_MAC errors. Would it help anyone to get a dump of the installed firmware? It's a hassle to flash it via USB because it has to be disassembled completely.

nickshew commented 4 years ago

Have the same problem with a DETA Quad Smart Switch (6904HA). Have successfully flashed single and dual gang switches, but the quad gang has the same failure as above (resending packets...). Now having a hard time flashing via serial as well. Not my night!

smarthack-udp.log smarthack-web.log smarthack-psk.log smarthack-wifi.log smarthack-mqtt.log

Same here. The switch drops out of pairing mode with Tuya. Tried a serial flash but couldn't get it into flash mode. Did you have any luck getting it flashed?

4Sayken commented 4 years ago

Hi, Adding another one to the list, Arlec PC399HA, Australia, Bunnings.

nickshew commented 4 years ago

Have the same problem with a DETA Quad Smart Switch (6904HA). Have successfully flashed single and dual gang switches, but the quad gang has the same failure as above (resending packets...). Now having a hard time flashing via serial as well. Not my night! smarthack-udp.log smarthack-web.log smarthack-psk.log smarthack-wifi.log smarthack-mqtt.log

Same here. The switch drops out of pairing mode with Tuya. Tried a serial flash but couldn't get it into flash mode. Did you have any luck getting it flashed?

OK, I got it going. I had forgotten to pull up the enable pin. Once I did that the ESP programmed as usual. Some further experimenting got the 4 way set up as follows: {"NAME":"DETA 4G Switch","GPIO":[0,0,0,20,18,21,0,0,24,19,22,23,17],"FLAG":0,"BASE":18}


A bit of a pita, but I'll see if it behaves over the next few days.

Jan003 commented 4 years ago

I bought an AOFO Smart Power Strip (ZLD-44EU-W) with 4 sockets and 4 USB ports. Unfortunately it was shipped with a new firmware, smarthack-psk.log shows the DECRYPTION_FAILED_OR_BAD_RECORD_MAC errors. Would it help anyone to get a dump of the installed firmware? It's a hassle to flash it via USB because it has to be disassembled completely.

I bought the exact same model. Is it enough to loosen the 6 screws on the back? Or do I have to disassemble it even further?

LaurentCoignot commented 4 years ago

As a hint, I noticed that Smart Life has rolled out a new release of their app. In the pairing steps, there now is a step to connect to a hotspot generated by the device (called SmartLife_xxxx or SL_xxxx). Don't know if this can help the process to hack this new firmware.

joshgarde commented 4 years ago

@LaurentCoignot I think that's related to the "slow pairing" mode. This tool exploits the "fast pairing" mode where joining the device's AP is not required

Cheatha commented 4 years ago

I bought an AOFO Smart Power Strip (ZLD-44EU-W) with 4 sockets and 4 USB ports. Unfortunately it was shipped with a new firmware, smarthack-psk.log shows the DECRYPTION_FAILED_OR_BAD_RECORD_MAC errors. Would it help anyone to get a dump of the installed firmware? It's a hassle to flash it via USB because it has to be disassembled completely.

I bought the exact same model. Is it enough to loosen the 6 screws on the back? Or do I have to disassemble it even further?

No, you have to disassemble it completely.

RawSlugs commented 4 years ago

I have cracked open the Teckin SB50 bulb, but can someone guide me on how to backup the firmware in a way that will help here? As soon as I figure out the connection pads to use for programming, I will pull the currently problematic firmware.

I have a SB50 as well, running latest firmware from tuya. What do I need to get this flashed?