ct-Open-Source / tuya-convert

A collection of scripts to flash Tuya IoT devices to alternative firmwares
MIT License

TW-02-based (WinnerMicro W600-based) smart socket #572

Closed reivilibre closed 4 years ago

reivilibre commented 4 years ago

I have a Tuya-based smart socket which unfortunately turned out not to be ESP8266-based (woops, I didn't realise they existed and so didn't pay much attention when ordering).

I cracked it open.

Turns out it is based on an ESP-alike 'TW-02' module which uses the ARM-based W600. W600 seems to have MicroPython ports and so on — I believe it should be possible to find/make firmware images for it if it comes to it.

So my question now would be — can we get tuya-convert to flash it?

I don't see anything in the code that would fundamentally stop an attempt to flash an ESP image to a non-ESP board, though warnings are produced.

However, it seems to me that the same API call is being made again and again — see logs, it feels as though it isn't progressing and even if I had a W600-compatible firmware image, it wouldn't get around to using it.

I have never seen tuya-convert against an ESP device and don't know where to start with this endeavour – if it is at all possible.

Do you have any more insight?

smarthack-mqtt.log smarthack-psk.log smarthack-udp.log smarthack-wifi.log smarthack-web.log

kueblc commented 4 years ago

Unfortunately I do not foresee this being supported anytime soon. The hack only works with ESP based hardware with compatible Tuya firmware.

There is nothing in the code stopping tuya-convert from continuing the hack -- it simply does not work with non ESP devices. This happens to be a Good Thing since uploading ESP firmware to a non ESP device would have a high chance of bricking the device.

Warnings were added to help users understand why tuya-convert is not working for any given device. They do not alter the program control flow.

I do not have any of these WinnerMicro based devices or I might try to develop a hack for them too. It would also obviously need an alternative firmware as you mentioned, and I'm not familiar with any mature projects attempting to do this.

If the situation changes I would be happy to revisit this. Closing as addressed, but comments left open for any new developments.

reivilibre commented 4 years ago

My confusion is: what specifically makes this hack only work for ESP devices?

My understanding is that the hack 'just' tricks the device into performing an OTA firmware upgrade with an image of our choosing; if I have misunderstood or underestimated the effort you have made, I'm sorry :).

If you are interested enough and it is just a matter of having a device, I could be happy to send you one… (though it is a UK socket which may be totally useless to you depending on where you live!)

In any case, I have one cracked open (the other will follow if I meet any success) on my desk now and, when I get a real 3.3V USB serial converter (my current one killed a Sonoff as the logic level emitted is still 5V in 3.3V mode :man_facepalming:!), I will see if I can reach any kind of bootloader to reflash it.

I notice it doesn't react to button presses for ~5 seconds after plugging in, maybe there is a bootloader giving a chance to flash there.

If I can get that far, I will try and create a basic W600 firmware which is Tasmota-like.

Pardon my manners, I forgot to thank you for this project in my prior post :). All the best.

kueblc commented 4 years ago

> My confusion is: what specifically makes this hack only work for ESP devices?

This is a great question and I would be thrilled if you find any answers. Tuya has separate SDKs for each of their supported platforms. This project was built by reverse engineering the upgrade process for ESP devices, which apparently must be different for other devices/SDKs or else it should work for them too. Without access to other devices like this, we can't know what they do differently.

Another point is the accessibility of the ESP8266. The SDK is mature, hardware cheap, and alternative firmware projects thriving. It was, and still is in many places, the dominant microcontroller powering IoT.

> If you are interested enough and it is just a matter of having a device, I could be happy to send you one… (though it is a UK socket which may be totally useless to you depending on where you live!)

Thank you, kind of you to offer, I am in the US though.

> If I can get that far, I will try and create a basic W600 firmware which is Tasmota-like.

I am looking forward to hearing your progress. If you develop a hack for this platform too I would gladly accept a PR. We'll need some way of making sure only compatible binaries are sent if we start supporting multiple platforms.

TRSx80 commented 4 years ago

Hai guise,

I found this thread by way of adventure I outlined in post linked immediately above this one.

Turns out I also have the TW-02 module.

@kueblc,

I am in US and would be happy to send you one (or more) as I had originally bought a set of 4.

Let me know what you think!

Cheers!

TRSx80 commented 4 years ago

@reivilibre,

There is https://w600.chip.haus which I learned about in my earlier post where I first learned about this device.

I never even so much as flashed Tasmota yet, but I suppose there might be enough information over at that site for a noob like me to begin poking around, at least...

I will share whatever I find, of course.

kueblc commented 4 years ago

I'm curious if you're able to get an alternative firmware running on the W600, such as MicroPython

TRSx80 commented 4 years ago

Well, I am low (maybe approaching medium by now?) level wizard, with some tools and free time, so certainly willing to give it a shot.

I already started doing some research on the Internet, but any pointers to info on how to get started would be appreciated (save me a little time maybe).

EDIT: Link literally has "getting started" in it. Doh! :laughing:

TRSx80 commented 4 years ago

I see w600tool only looks like it uploads firmware. My first thought is to try and dump the existing firmware...

I mean, I have 4 of them, but still...

reivilibre commented 4 years ago

Sorry for not keeping you updated, but yes I did manage to get MicroPython running on the W600 in a TW-02 round smart socket.

It has VCC, GND, TX, RX pins clearly marked (and findable on a pinout sheet, I can fetch for you if you'd like).

In my case, I had to desolder the tabs attached to the male (plug) end of the smart socket to get access to the pins of the TW-02 (don't know how similar the US variant looks).

The RST pin of the TW-02, which I found absolutely necessary to touch to GND when trying to flash with w600tool, was quite hard to get to, but I could poke it with the male end of a DuPont connector as and when needed, which was good enough for me.

On my model, the push button switch is shared with the (RX?) pin of the TW-02 and so it is inconvenient, but I'm still working on it as and when I have time.

Hope this may be useful to you, if you have questions let me know, @TRSx80 .

P.S. Make sure you use a 3v3 USB-UART adapter (if applicable), and beware there are some where the logic level is not 3.3V even if you switch to 3.3V — so 'Thou shalt measure voltages' applies here; measure the voltage TX-GND before you plug it in...

TRSx80 commented 4 years ago

> VCC, GND, TX, RX pins clearly marked

Yes they are clearly marked on mine as well (can be seen in teardown link above).

Thanks a lot for the other tips! Sure to save me some time...

So, what can we do once we get MicroPython working? Whatever we want? Sorry if that's a dumb question, this is all new to me here.

I still think the first thing we should be doing is to dump the existing firmware, no?

TRSx80 commented 4 years ago

@reivilibre must be better at soldering than me. I ended up desoldering the pads on the main board while trying to attach wires to them. :cry:

So I just desoldered the entire module and then it was easier to get some wires onto it.

Got the following serial output (not much):

[01-01 00:00:10 TUYA Notice][tuya_device.c:694] free_mem_size:89888
[01-01 00:00:20 TUYA Notice][tuya_device.c:694] free_mem_size:89888
[01-01 00:00:30 TUYA Notice][tuya_device.c:694] free_mem_size:89888
[01-01 00:00:40 TUYA Notice][tuya_device.c:694] free_mem_size:89888
[01-01 00:00:50 TUYA Notice][tuya_device.c:694] free_mem_size:89888
[01-01 00:01:00 TUYA Notice][tuya_device.c:694] free_mem_size:89888
[01-01 00:01:10 TUYA Notice][tuya_device.c:694] free_mem_size:89888

< TUYA IOT SDK V:2.0.0 BS:30.01_PT:2.2_LAN:3.3_CAD:1.0.1_CD:1.0.0 >
[FW]: TC0025_TW02_PLUG_L1_P0 | [HW]: TW-02 V2.0 | [SW]: V1.4.0 (Nov 18 2019 08:48:17) | [PID]: nqvhejakb112obkn
[01-01 00:00:00 TUYA Notice][hw_table.c:532] wifi status is :0
[01-01 00:00:04 TUYA Notice][tuya_main.c:143] wf_assign_ap_scan failed(-606)
[01-01 00:00:04 TUYA Notice][gw_intf.c:2270] gw_cntl.gw_wsm.stat:1
[01-01 00:00:04 TUYA Info][wifi_hwl.c:1261] Low Power Mode
[01-01 00:00:05 TUYA Notice][hw_table.c:532] wifi status is :0
[01-01 00:00:14 TUYA Notice][tuya_device.c:694] free_mem_size:89904
[01-01 00:00:24 TUYA Notice][tuya_device.c:694] free_mem_size:89904
[01-01 00:00:34 TUYA Notice][tuya_device.c:694] free_mem_size:89904
[01-01 00:00:44 TUYA Notice][tuya_device.c:694] free_mem_size:89904
[01-01 00:00:54 TUYA Notice][tuya_device.c:694] free_mem_size:89904

Gap in middle there is where I jumped RST to GND to reset it and get logs from the beginning. Serial runs at 115200 apparently (lucky guess, same as I had last set pio device monitor for).

Because you basically have to cut into the case in order to get at the headers, what I am thinking I will do will be to try and sandbox them using Mock Tuya Cloud and just leave the stock firmware alone.

I do still have this one module out though, willing to keep playing around with this one...

reivilibre commented 4 years ago

I don't know how to dump the current firmware (I don't know if it is allowed by the bootloader, which afaict is called 'secboot' which sounds like they may have gone for 'secure').

My current approach is to write some MicroPython code to connect to an MQTT server and drive the relay that way (it's really easy to do as it's just flicking a GPIO).

I'll be happy to share code once it's ready — no guarantees on when this would be, though, sorry.

TRSx80 commented 4 years ago

Yeah, shouldn't be too hard to figure out, as you say just flicking a GPIO. Might help others though, no rush from my end. For me this was all just for fun / exploration / science / advancing the state of the art, if you will...

I don't know how your plugs are laid out across the pond (I have seen some pics, not sure if yours is same) but in order to get at the relevant pins on the US model, you basically need to cut the back of the case. Maybe someone else is better at disassembly than me though (I posted a lot of pics in my disassembly thread if anyone has ideas).

But for me, trying to get my other (3) units working, due to having to cut the case I think I will give up on flashing alternative firmware for now, and instead try and sandbox them using something like tuyapi or maybe Mock Tuya Cloud, etc. plus maybe some firewall rules, separate subnet, or whatever, and just try to use them in containment, but with stock firmware.

Thrasher2020 commented 4 years ago

I've got two of these - I did wonder why they wouldn't flash. Opened them up to find the TW-02 V2 board :(

TRSx80 commented 4 years ago

@Thrasher2020,

> Opened them up

I hope you did the non-destructive way as shown at the end of my teardown thread, unlike me who sacrificed a module on the altar of science, so that others could be spared the same fate! :smile:

johanson commented 4 years ago

> @Thrasher2020,
>
> > Opened them up
>
> I hope you did the non-destructive way as shown at the end of my teardown thread, unlike me who sacrificed a module on the altar of science, so that others could be spared the same fate!

The EU/Schuko ones are glued as well but (probably because of the shape) it's possible to open them leaving them in semi-ok condition :) Mine's TW-02 V2 as well, looks like some older models were ESP8266 based, hence people reporting successfully flashing them.

TRSx80 commented 4 years ago

> I'm curious if you're able to get an alternative firmware running on the W600, such as MicroPython

@kueblc,

As I was sitting on the throne this morning, I had a thought. If we are able to get some MicroPython based firmware working, then this opens up the possibility for eventually possibly doing FOTA update with tuya-convert? With our newly developed firmware? Is this what you were hinting at further up thread?

At that point, as you said earlier I think, it would become necessary to add some checks to make sure which device we are dealing with, but I suppose that is a tangential discussion to the main issue here. But on this point, I would bring attention to the following serial output I posted back up thread here:

[FW]: TC0025_TW02_PLUG_L1_P0 | [HW]: TW-02 V2.0 | [SW]: V1.4.0 (Nov 18 2019 08:48:17) | [PID]: blablabla

Note the [HW]: TW-02 V2.0 part above. Of course Tuya would need to also send the hardware info somehow, or they themselves could also brick the device during an update. This is serial output, but they must be sending similar information over the air.

I don't know how well you guys have figured that part out, but I am willing to set up Wireshark and capture packets or whatever is needed to move this forward.

When I removed the module before, I already had soldered on a header pin interface, at first to do serial capture, but also to ease any further development efforts:

IMG_20200702_121024_DRO

I guess what I realized, if there is possibly a way to update the firmware in a non invasive way, I am again interested. I had discounted the possibility before only because it seemed you would need to destroy the case in order to reach the relevant pins. But maybe there is another way...
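The platform check raised in this thread (kueblc's "only compatible binaries are sent" and the `[HW]` banner field TRSx80 points to), as an added example that is not part of any post here and not tuya-convert code. It assumes the boot banner is available as text; the `TYWE3S` table entry, the ESP banner and the image bytes are constructed for illustration, and the TW-02 banner is the one posted above.

```python
"""Fail-closed platform gate for firmware images (added example)."""
import re
from typing import NamedTuple, Optional, Tuple

# Module name -> SoC family. TW-02 -> W600 comes from this thread; the
# TYWE3S entry is an assumption added so the example has an ESP8266 case.
MODULE_FAMILY = {"TW-02": "w600", "TYWE3S": "esp8266"}

ESP_IMAGE_MAGIC = 0xE9  # first byte of an ESP8266 firmware image header

BANNER_RE = re.compile(
    r"\[FW\]:\s*(?P<fw>\S+)\s*\|\s*\[HW\]:\s*(?P<hw>[^|]+?)\s*\|\s*"
    r"\[SW\]:\s*(?P<sw>[^|]+?)\s*\|\s*\[PID\]:\s*(?P<pid>\S+)"
)


class Banner(NamedTuple):
    fw: str
    hw: str
    sw: str
    pid: str


def parse_banner(log_text: str) -> Optional[Banner]:
    """Return the first Tuya boot banner found in serial output, or None."""
    m = BANNER_RE.search(log_text)
    return Banner(**m.groupdict()) if m else None


def module_family(hw: str) -> Optional[str]:
    """Map the [HW] field (e.g. 'TW-02 V2.0') to a SoC family, or None."""
    return MODULE_FAMILY.get(hw.split()[0].upper())


def image_family(image: bytes) -> Optional[str]:
    """Identify the image format; only the ESP8266 magic byte is known here."""
    if image[:1] == bytes([ESP_IMAGE_MAGIC]):
        return "esp8266"
    return None  # the W600 image layout is not described in the thread


def may_flash(log_text: str, image: bytes) -> Tuple[bool, str]:
    """Allow a flash only when device and image families are known and equal."""
    banner = parse_banner(log_text)
    if banner is None:
        return False, "no boot banner seen; device platform unknown"
    dev = module_family(banner.hw)
    if dev is None:
        return False, f"unrecognised module {banner.hw!r}"
    img = image_family(image)
    if img is None:
        return False, "unrecognised image format"
    if dev != img:
        return False, f"{img} image refused for {dev} module {banner.hw!r}"
    return True, f"{img} image matches module {banner.hw!r}"


# Banner as posted earlier in this thread.
TW02_LOG = (
    "< TUYA IOT SDK V:2.0.0 BS:30.01_PT:2.2_LAN:3.3_CAD:1.0.1_CD:1.0.0 >\n"
    "[FW]: TC0025_TW02_PLUG_L1_P0 | [HW]: TW-02 V2.0 | [SW]: V1.4.0 "
    "(Nov 18 2019 08:48:17) | [PID]: nqvhejakb112obkn\n"
)
# Constructed banner and constructed image stub, for illustration only.
ESP_LOG = "[FW]: EXAMPLE_PLUG | [HW]: TYWE3S V1.0 | [SW]: V1.0.0 | [PID]: examplepid\n"
ESP_IMAGE = bytes([ESP_IMAGE_MAGIC, 0x01, 0x02, 0x40]) + b"\x00" * 12

if __name__ == "__main__":
    for name, log in (("TW-02", TW02_LOG), ("constructed ESP", ESP_LOG)):
        print(name, "->", may_flash(log, ESP_IMAGE))
```
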

kenthinson commented 4 years ago

more info https://fccid.io/2ASQV-TW-02/User-Manual/User-manual-4211029.pdf

p0ns commented 4 years ago

https://docs.w600.fun/?p=product/tw-02.md https://docs.w600.fun/?p=arduino/start.md

seems like it supports Arduino

ceaswaran commented 4 years ago

Has anyone explored the possibility of replacing TW-02 with ESP01 or any other esp8266 board so we can tuyaconvert/tasmotize this?

guilfer-dev commented 4 years ago

http://www.winnermicro.com/en/html/1/156/158/497.html

I found this. But the effort to crack it is not worthy, in my opinion. Maybe the suggestion from @ceaswaran is better, but at this point I already gave up on this topic

ceaswaran commented 4 years ago

Managed to remove the TW02 module & Soldered Wemos D1 Mini I was able to map the Pins & Get all parameters working . Even the Power Monitoring works great. image image

TRSx80 commented 4 years ago

> But the effort to crack it is not worthy, in my opinion.

In the case of my particular device (already mentioned up thread), I agree, as I don't even see how you could physically get at the leads without destroying the nice small form factor of the physical device, which would totally defeat the purpose IMO.

However, something else I said up thread seems to (so far) be overlooked:

> > I'm curious if you're able to get an alternative firmware running on the W600, such as MicroPython
>
> @kueblc,
>
> [...] I had a thought. If we are able to get some MicroPython based firmware working, then this opens up the possibility for eventually possibly doing FOTA update with tuya-convert? With our newly developed firmware? Is this what you were hinting at further up thread?

I think this should be the way forward, as (after initial development) could potentially be used to flash devices over the air. And thus not destroying the (nice, compact, neat) physical form factor in the process.

Unless I am misunderstanding something?

guilfer-dev commented 4 years ago

I was able to do the same. Here is the GPIOS I used: Tasmota - ZBR

(I had problems using this model, some components were inverted https://templates.blakadder.com/ZBR-001.html)

I used a ESP12F and followed the instructions from this guy: https://www.youtube.com/watch?v=37KlzYhJaQs

Also the instructions from Tasmota itself: https://tasmota.github.io/docs/Getting-Started/

Hope it can help someone

lroubinov commented 4 years ago

@sigma-guilhfer or @ceaswaran can you explain which pin you soldered to the wemos d1 in the picture attached it's hard to follow TX on board not soldered? Where you soldered the on board RX in the WEMOS? GND on board not soldered?

thank you

ceaswaran commented 4 years ago

> @sigma-guilhfer or @ceaswaran can you explain which pin you soldered to the wemos d1 in the picture attached it's hard to follow TX on board not soldered? Where you soldered the on board RX in the WEMOS? GND on board not soldered?
>
> thank you

This is what I did.

Step 1. Flashed D1 mini with Tasmota & changed it to the generic module.

Step 2. With socket disconnected from mains power!!! Put the multimeter in continuity mode & probed the pins that lead to the TW-02 pads. Example: probing pin of BL0937 (CF) & pads of microcontroller one by one, whichever beeps I noted it as CF. Similarly all.

Basically u need the following 6 GPIO for this plug to work.

  1. Switch/button
  2. Relay
  3. Led
  4. Power monitoring 3 pins (Sel, CF, CF1)

Step 3. Soldered those noted pads with suitable input/output pins on wemos d1.

lroubinov commented 4 years ago

Thx for the reply. I have the same device as you; can you save me some time and tell me exactly which pin on the tw-02 you connected to the wemos d1?

guilfer-dev commented 4 years ago

image

I don't know which one would be connected on the TW, I don't have them anymore, also I didn't use RX. This is the best photo I took when I did this. For u to reset you need to press the button for 40sec.

Edit: Try to make it with shorter wires than I did, the ESP module is far bigger than the TW-02

Edit2: Image change

lroubinov commented 4 years ago

thx a lot

lroubinov commented 4 years ago

@sigma-guilhfer according to the picture you connect something to gpio15 but in tasmota you didn't set anything to gpio15, am I missing something?

guilfer-dev commented 4 years ago

> @sigma-guilhfer according to the picture you connect something to gpio15 but in tasmota you didn't set anything to gpio15, am I missing something?

Sorry, I uploaded the wrong image. Please, see my edited answer

lroubinov commented 4 years ago

> > @sigma-guilhfer according to the picture you connect something to gpio15 but in tasmota you didn't set anything to gpio15, am I missing something?
>
> Sorry, I uploaded the wrong image. Please, see my edited answer

That seems complicated... what are all those resistors for? According to @ceaswaran's picture he connected them all straight to the wemos. Is it because you use esp12f?

guilfer-dev commented 4 years ago

I opened my device and this is how it is wired:

Left side

Right side:

I don't think that the resistors are necessary, it's only to protect the gpio, but you need to follow the instructions from the vendor for it to work: https://docs.ai-thinker.com/_media/esp8266/docs/esp-12f_product_specification_en.pdf (page 8)

It all depends on the module you are using, for the wemos I think they wired it already on the module.

lroubinov commented 4 years ago

thank you

lroubinov commented 4 years ago

I soldered everything; the relay, button and led are working fine but I can't get power monitoring reading... any idea?

ceaswaran commented 4 years ago

For PM make sure u mapped the BL0937 pins correctly. (Ensure using multimeter continuity mode.) Since BL0937 is a clone of HLW8012 u can ref below pic, try tapping pin 6, 7, 8. Ref: https://user-images.githubusercontent.com/36055354/38105799-4a922bf2-338d-11e8-884c-d8e40ff15833.jpg

guilfer-dev commented 4 years ago

Also make sure how your circuit works, the letter "i" stands for inverted (high/low), I had to invert most of the components logically for it to work, try to re-invert it.

After that, you must calibrate the sensor into the console on the device webpage or through mqtt. To do so, grab a multimeter and look at Tasmota web site.

ceaswaran commented 4 years ago

Yes in my experience of using PM plugs all are SELi Only. :)

lroubinov commented 4 years ago

Thanks, I figured out my problem: it seems like one of the wires was disconnected in the middle. Thank you all for the help

M-Ahmad-Naeem commented 4 years ago

> Managed to remove the TW02 module & Soldered Wemos D1 Mini I was able to map the Pins & Get all parameters working . Even the Power Monitoring works great. image image

@ceaswaran

I am trying to do the same thing, I am actually here, can you please tell how did you manage to read all the parameters?

ceaswaran commented 4 years ago

> For PM make sure u mapped the BL0937 pins correctly. (Ensure using multimeter continuity mode.) Since BL0937 is a clone of HLW8012 u can ref below pic, try tapping pin 6, 7, 8. Ref: https://user-images.githubusercontent.com/36055354/38105799-4a922bf2-338d-11e8-884c-d8e40ff15833.jpg

@M-Ahmad-Naeem I hope you are looking for the above explanation, hope it helps

M-Ahmad-Naeem commented 4 years ago

> > For PM make sure u mapped the BL0937 pins correctly. (Ensure using multimeter continuity mode.) Since BL0937 is a clone of HLW8012 u can ref below pic, try tapping pin 6, 7, 8. Ref: https://user-images.githubusercontent.com/36055354/38105799-4a922bf2-338d-11e8-884c-d8e40ff15833.jpg
>
> @M-Ahmad-Naeem I hope you are looking for the above explanation, hope it helps

@ceaswaran I am asking, from picture I can see you have set the module to be generic "Generic Module". Please let me know what pins you have configured and how you configured these pins. Sorry for such a basic question!!

ceaswaran commented 4 years ago

> > > For PM make sure u mapped the BL0937 pins correctly. (Ensure using multimeter continuity mode.) Since BL0937 is a clone of HLW8012 u can ref below pic, try tapping pin 6, 7, 8. Ref: https://user-images.githubusercontent.com/36055354/38105799-4a922bf2-338d-11e8-884c-d8e40ff15833.jpg
>
> > @M-Ahmad-Naeem I hope you are looking for the above explanation, hope it helps
>
> @ceaswaran I am asking, from picture I can see you have set the module to be generic "Generic Module". Please let me know what pins you have configured and how you configured these pins. Sorry for such a basic question!!

Configuring pins on ESP8266/Wemos D1 mini is an individual's choice. U can configure based on whatever u feel ok. But figuring out the TW-02 GPIO is thru multimeter continuity mode.

Hope u got it. Anyways, pasting my Tasmota config below:

{"NAME":"TW02 TO ESP8266 PM","GPIO":[255,255,17,255,132,134,255,255,57,131,21,255,255],"FLAG":15,"BASE":18}

image

M-Ahmad-Naeem commented 4 years ago

> Configuring pins on ESP8266/Wemos D1 mini is an individual's choice. U can configure based on whatever u feel ok. But figuring out the TW-02 GPIO is thru multimeter continuity mode.
>
> Hope u got it. Anyways, pasting my Tasmota config below:
>
> {"NAME":"TW02 TO ESP8266 PM","GPIO":[255,255,17,255,132,134,255,255,57,131,21,255,255],"FLAG":15,"BASE":18}
>
> image

Thank you so much, I will try and come back if I face any problem.

qntris commented 4 years ago

Hi folks,

I am also trying to replace the TW-02 with a D1 mini, however I have two questions:

  1. Although I can see the tracks (visible on the first picture below) going from the Sel,CF and CF1 pins of the BL0937 chip to the pins of the TW-02 board, when I probe them with continuity mode on my multimeter, I don't get any sound. Why would that be? The multimeter is not faulty. Judging by the tracks it seems that the connections are exactly as per @sigma-guilhfer 's post, with the little difference that on the right side (it is inverted on the picture so it is on the left) I don't have 4 but 5 pins (see the 3rd picture below).

  2. Do you remove the TW-02 module, cut it or you directly solder the D1 mini to the existing pins on the wifi socket board and the TW-02? It seems that if the TW-02 is desoldered, there wouldn't be enough surface for soldering the cables from the D1 mini.

Below is the wifi switch that I have:

IMG_1759 IMG_1757 IMG_1758

tarontop commented 4 years ago

They seem to sell modules of esp8266 https://pt.aliexpress.com/store/5790427

Hendrikdenhond commented 4 years ago

Hi Folks,

I solved the Tuya problem by removing the old chip and inserting an ESP 12-E chip.

My plug is an Elivco european plug.

I first flashed an esp12-E with the tasmota and configured the GPIO pin. tasmota GPIO

I soldered wires on the esp12-E chip for all needed GPIO pins, 3.3V and Ground. Soldered a bridge between the enable pin and 3.3V, and soldered a bridge between GPIO15 and GND.

20201019_094604_resized

Then I removed the wifi board from the plug and identified the contacts; my plug was laid out as in the picture below.

20201019_095140_Named

After this I soldered the wires from the esp to the plug.

20201019_100007_resized

Then installed the circuit board back into the plug.

20201019_103223_resized

I insulated the esp board with some electrician's tape so that the board cannot touch any of the exposed parts of the circuit board. I installed the esp board roughly in the same place as the old wifi board and closed the plug.

20201018_155058_resized

I closed the plug with a little bit of hot glue, and a working tasmota smart plug with power reading was born...

tasmota plug

Hope this helps some of you guys.

enny1170 commented 4 years ago

Nice, can you please add some info on how to disassemble this plug?

Hendrikdenhond commented 4 years ago

> Nice, can you please add some info on how to disassemble this plug?

Jam a screwdriver in between... and gently open the plug

blackest commented 4 years ago

Hi, I just opened up a jesled led strip controller 4 wire from Amazon. It runs on 24 volts with a UK plug built in. The cover has 5 recesses and squeezing from the cord end I was able to get them to release with no damage just using a fingernail. The chip inside is marked TW-02 V2.0 and has a metal shield over the IC. On 1 side I read 3v3, gnd, rx, tx, pb16, pb15. tx does not have a pad. Unfortunately the main board is glued in with some kind of white resin liberally applied to 2 corners with board components partly covered. It looks impossible to remove without doing damage. So not recommended

https://fccid.io/2ASQV-TW-02/User-Manual/User-manual-4211029.pdf

image