ct-Open-Source / tuya-convert

A collection of scripts to flash Tuya IoT devices to alternative firmwares
MIT License
4.58k stars 497 forks

Gosund Sp111 3450W Vtrust-recovery no pairing mode #625

Open pinkie16 opened 4 years ago

pinkie16 commented 4 years ago

Hi, I tried to flash my Gosund Sp111 3450W, it failed, and now I have a vtrust-recovery open but can't connect to it or reflash it because it can't bring them back into pairing mode. curl http://10.42.42.42/undo doesn't help; it says the whole time that it can't find the device when I try to flash.

kueblc commented 4 years ago

Connect to the vtrust-recovery access point with your phone or computer and you can then issue curl or use a web browser to access http://10.42.42.42/undo

pinkie16 commented 4 years ago

Tried that in multiple ways, connected to both of the vtrust with different phones, tried it with curl and also with the web browser.

[Images: Raspberry Flash 1, Raspberry Flash 2, Raspberry Flash 3]

kueblc commented 4 years ago

I'm not sure I understand, since the images you posted are of the tuya-convert script.

You need to connect to the vtrust-recovery AP, and with that same device, issue curl http://10.42.42.42/undo or open that URL with a web browser, again from the same device connected to vtrust-recovery. This does not involve start_flash.sh.

mweinelt commented 4 years ago

I had the same problem with two SP111 I got delivered mid-June. They would flash the intermediate firmware, show up with the vtrust-recovery SSID, I could even download the tasmota.bin from it, but as soon as you'd ask it to flash something it would crap itself.

Verified this via serial flash, where both devices I tested just stopped flashing at 15%. I'm sending those back.

mweinelt commented 4 years ago

Got a new batch of SP111 and retried flashing them. The intermediate firmware gets flashed, the backup is made. It then fails to flash a new firmware.

$ docker-compose exec tuya start
tuya-convert v2.4.4
======================================================
TUYA-CONVERT

https://github.com/ct-Open-Source/tuya-convert
TUYA-CONVERT was developed by Michael Steigerwald from the IT security company VTRUST (https://www.vtrust.de/) in collaboration with the techjournalists Merlin Schumacher, Pina Merkert, Andrijan Moecker and Jan Mahn at c't Magazine. (https://www.ct.de/)

======================================================
PLEASE READ THIS CAREFULLY!
======================================================
TUYA-CONVERT creates a fake update server environment for ESP8266/85 based tuya devices. It enables you to backup your devices firmware and upload an alternative one (e.g. ESPEasy, Tasmota, Espurna) without the need to open the device and solder a serial connection (OTA, Over-the-air).
Please make sure that you understand the consequences of flashing an alternative firmware, since you might lose functionality!

Flashing an alternative firmware can cause unexpected device behavior and/or render the device unusable. Be aware that you do use this software at YOUR OWN RISK! Please acknowledge that VTRUST and c't Magazine (or Heise Medien GmbH & Co. KG) CAN NOT be held accountable for ANY DAMAGE or LOSS OF FUNCTIONALITY by typing yes + Enter

yes
Checking for network interface wlp8s0... Found.
Checking UDP port 53... Available.
Checking UDP port 67... Available.
Checking TCP port 80... Available.
Checking TCP port 443... Available.
Checking UDP port 6666... Available.
Checking UDP port 6667... Available.
Checking TCP port 1883... Available.
Checking TCP port 8886... Available.
======================================================
  Starting AP in a screen...
  Starting web server in a screen
  Starting Mosquitto in a screen
  Starting PSK frontend in a screen
  Starting Tuya Discovery in a screen

======================================================

IMPORTANT
1. Connect any other device (a smartphone or something) to the WIFI vtrust-flash
   This step is IMPORTANT otherwise the smartconfig may not work!
2. Put your IoT device in autoconfig/smartconfig/pairing mode (LED will blink fast). This is usually done by pressing and holding the primary button of the device
   Make sure nothing else is plugged into your IoT device while attempting to flash.
3. Press ENTER to continue

======================================================
Starting smart config pairing procedure
Waiting for the device to install the intermediate firmware
Put device in EZ config mode (blinking fast)
Sending SSID                  vtrust-flash
Sending wifiPassword          
Sending token                 00000000
Sending secret                0101
................
SmartConfig complete.
Resending SmartConfig Packets
....../start_flash.sh: line 135:   326 Terminated              ./smartconfig/main.py
............................................................................................
IoT-device is online with ip 10.42.42.42
Fetching firmware backup
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 1024k  100 1024k    0     0   105k      0  0:00:09  0:00:09 --:--:-- 32687
curl: Saved to filename 'firmware-208393.bin'
======================================================
Getting Info from IoT-device
VTRUST-FLASH 1.5
(c) VTRUST GMBH https://www.vtrust.de/35c3/
READ FLASH: http://10.42.42.42/backup
ChipID: 208393
MAC: 24:62:AB:20:83:93
BootVersion: 7
BootMode: normal
FlashMode: 1M DOUT @ 40MHz
FlashChipId: 144051
FlashChipRealSize: 1024K
Active Userspace: user2 0x81000
======================================================
Ready to flash third party firmware!

For your convenience, the following firmware images are already included in this repository:
  Tasmota v8.1.0.2 (wifiman)
  ESPurna 1.13.5 (base)

You can also provide your own image by placing it in the /files directory
Please ensure the firmware fits the device and includes the bootloader
MAXIMUM SIZE IS 512KB

Available options:
  0) return to stock
  1) flash espurna.bin
  2) flash tasmota.bin
  q) quit; do nothing
Please select 0-2: 2
Are you sure you want to flash tasmota.bin? This is the point of no return [y/N] y
Attempting to flash tasmota.bin, this may take a few seconds...
Could not reach the device!

Do you want to try something else? [y/N] y

Available options:
  0) return to stock
  1) flash espurna.bin
  2) flash tasmota.bin
  q) quit; do nothing
Please select 0-2: y
Invalid selection, please select 0-2: 2
Are you sure you want to flash tasmota.bin? This is the point of no return [y/N] y
Attempting to flash tasmota.bin, this may take a few seconds...
[....]

Behind the scenes I ran tcpdump, at least for the "flash my third party firmware" part, which is where we see that it goes unreachable after being asked to flash tasmota. I did verify reachability via ICMP echo requests before asking tuya-convert to flash tasmota.

04:17:31.176074 ARP, Request who-has 10.42.42.42 tell 10.42.42.1, length 28
04:17:31.178032 ARP, Reply 10.42.42.42 is-at 24:62:ab:20:83:93, length 28
04:17:35.386167 IP 10.42.42.1 > 10.42.42.42: ICMP echo request, id 120, seq 1, length 64
04:17:35.388513 IP 10.42.42.42 > 10.42.42.1: ICMP echo reply, id 120, seq 1, length 64
04:17:36.387038 IP 10.42.42.1 > 10.42.42.42: ICMP echo request, id 120, seq 2, length 64
04:17:36.414957 IP 10.42.42.42 > 10.42.42.1: ICMP echo reply, id 120, seq 2, length 64
04:17:39.621427 IP 10.42.42.1.44226 > 10.42.42.42.80: Flags [S], seq 2693066599, win 64480, options [mss 1240,sackOK,TS val 761391714 ecr 0,nop,wscale 7], length 0
04:17:39.681773 IP 10.42.42.42.80 > 10.42.42.1.44226: Flags [S.], seq 6512, ack 2693066600, win 5840, options [mss 1460], length 0
04:17:39.681849 IP 10.42.42.1.44226 > 10.42.42.42.80: Flags [.], ack 1, win 64480, length 0
04:17:39.681943 IP 10.42.42.1.44226 > 10.42.42.42.80: Flags [P.], seq 1:121, ack 1, win 64480, length 120: HTTP: GET /flash?url=http://10.42.42.1/files/tasmota.bin HTTP/1.1
04:17:39.688736 IP 10.42.42.42.31971 > 10.42.42.1.80: Flags [S], seq 6513, win 5840, options [mss 1460], length 0
04:17:39.688806 IP 10.42.42.1.80 > 10.42.42.42.31971: Flags [S.], seq 4223798145, ack 6514, win 64480, options [mss 1240], length 0
04:17:39.690664 IP 10.42.42.42.31971 > 10.42.42.1.80: Flags [.], ack 1, win 5840, length 0
04:17:39.691781 IP 10.42.42.42.31971 > 10.42.42.1.80: Flags [P.], seq 1:155, ack 1, win 5840, length 154: HTTP: GET /files/tasmota.bin HTTP/1.1
04:17:39.691825 IP 10.42.42.1.80 > 10.42.42.42.31971: Flags [.], ack 155, win 64326, length 0
04:17:39.696957 IP 10.42.42.1.80 > 10.42.42.42.31971: Flags [P.], seq 1:2481, ack 155, win 64326, length 2480: HTTP: HTTP/1.1 200 OK
04:17:39.697039 IP 10.42.42.1.80 > 10.42.42.42.31971: Flags [P.], seq 2481:4961, ack 155, win 64326, length 2480: HTTP
04:17:39.720640 IP 10.42.42.42.31971 > 10.42.42.1.80: Flags [.], ack 2481, win 3360, length 0
04:17:39.727096 IP 10.42.42.42.31971 > 10.42.42.1.80: Flags [.], ack 4961, win 880, length 0
04:17:39.744778 IP 10.42.42.42.31971 > 10.42.42.1.80: Flags [.], ack 4961, win 3360, length 0
04:17:39.744823 IP 10.42.42.1.80 > 10.42.42.42.31971: Flags [P.], seq 4961:7441, ack 155, win 64326, length 2480: HTTP
04:17:39.757100 IP 10.42.42.42.31971 > 10.42.42.1.80: Flags [.], ack 7441, win 2120, length 0
04:17:39.757151 IP 10.42.42.1.80 > 10.42.42.42.31971: Flags [P.], seq 7441:9561, ack 155, win 64326, length 2120: HTTP
04:17:39.885085 IP 10.42.42.42.31971 > 10.42.42.1.80: Flags [.], ack 8681, win 3360, length 0
04:17:39.885143 IP 10.42.42.1.80 > 10.42.42.42.31971: Flags [P.], seq 9561:9921, ack 155, win 64326, length 360: HTTP
04:17:39.885182 IP 10.42.42.1.80 > 10.42.42.42.31971: Flags [.], seq 9921:11161, ack 155, win 64326, length 1240: HTTP
04:17:39.885302 IP 10.42.42.42.80 > 10.42.42.1.44226: Flags [.], ack 121, win 5720, length 0
04:17:39.888243 IP 10.42.42.42.31971 > 10.42.42.1.80: Flags [.], ack 9921, win 3360, length 0
04:17:39.888289 IP 10.42.42.1.80 > 10.42.42.42.31971: Flags [.], seq 11161:12401, ack 155, win 64326, length 1240: HTTP
04:17:39.893713 IP 10.42.42.42.31971 > 10.42.42.1.80: Flags [.], ack 12401, win 880, length 0
04:17:40.144079 IP 10.42.42.1.80 > 10.42.42.42.31971: Flags [P.], seq 12401:13281, ack 155, win 64326, length 880: HTTP
04:17:40.400083 IP 10.42.42.1.80 > 10.42.42.42.31971: Flags [P.], seq 12401:13281, ack 155, win 64326, length 880: HTTP
04:17:40.904087 IP 10.42.42.1.80 > 10.42.42.42.31971: Flags [P.], seq 12401:13281, ack 155, win 64326, length 880: HTTP
04:17:41.928040 IP 10.42.42.1.80 > 10.42.42.42.31971: Flags [P.], seq 12401:13281, ack 155, win 64326, length 880: HTTP
04:17:43.976063 IP 10.42.42.1.80 > 10.42.42.42.31971: Flags [P.], seq 12401:13281, ack 155, win 64326, length 880: HTTP
04:17:44.243894 IP 10.42.42.1 > 10.42.42.42: ICMP echo request, id 121, seq 1, length 64
04:17:48.008058 IP 10.42.42.1.80 > 10.42.42.42.31971: Flags [P.], seq 12401:13281, ack 155, win 64326, length 880: HTTP
04:17:56.264094 IP 10.42.42.1.80 > 10.42.42.42.31971: Flags [P.], seq 12401:13281, ack 155, win 64326, length 880: HTTP
04:18:06.789923 ARP, Reply 10.42.42.19 is-at 52:77:ab:96:99:0a, length 28
04:18:12.649096 IP 10.42.42.1.80 > 10.42.42.42.31971: Flags [P.], seq 12401:13281, ack 155, win 64326, length 880: HTTP
04:18:25.960033 IP 10.42.42.1.80 > 10.42.42.42.20279: Flags [P.], seq 12401:13281, ack 155, win 64326, length 880: HTTP
04:18:31.080043 ARP, Request who-has 10.42.42.42 tell 10.42.42.1, length 28
04:18:32.104071 ARP, Request who-has 10.42.42.42 tell 10.42.42.1, length 28
04:18:33.128042 ARP, Request who-has 10.42.42.42 tell 10.42.42.1, length 28
04:18:42.344050 ARP, Request who-has 10.42.42.42 tell 10.42.42.1, length 28
04:18:43.368037 ARP, Request who-has 10.42.42.42 tell 10.42.42.1, length 28
04:18:44.392034 ARP, Request who-has 10.42.42.42 tell 10.42.42.1, length 28
04:19:06.803847 ARP, Reply 10.42.42.19 is-at 52:77:ab:96:99:0a, length 28
04:19:16.649069 ARP, Request who-has 10.42.42.42 tell 10.42.42.1, length 28
04:19:17.672045 ARP, Request who-has 10.42.42.42 tell 10.42.42.1, length 28
04:19:18.696008 ARP, Request who-has 10.42.42.42 tell 10.42.42.1, length 28
04:19:43.784040 ARP, Request who-has 10.42.42.42 tell 10.42.42.1, length 28
04:19:44.808062 ARP, Request who-has 10.42.42.42 tell 10.42.42.1, length 28
04:19:45.832043 ARP, Request who-has 10.42.42.42 tell 10.42.42.1, length 28
04:19:48.904047 ARP, Request who-has 10.42.42.42 tell 10.42.42.1, length 28
04:19:49.928008 ARP, Request who-has 10.42.42.42 tell 10.42.42.1, length 28
04:19:50.952016 ARP, Request who-has 10.42.42.42 tell 10.42.42.1, length 28
[...]

So let's reconnect the device and continue without tuya-convert and reset using curl.

❯ ping 10.42.42.42
PING 10.42.42.42 (10.42.42.42) 56(84) bytes of data.
64 bytes from 10.42.42.42: icmp_seq=1 ttl=128 time=116 ms
^C
--- 10.42.42.42 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 116.243/116.243/116.243/0.000 ms
❯ nmcli
❯ curl 10.42.42.42/undo -v
*   Trying 10.42.42.42:80...
* Connected to 10.42.42.42 (10.42.42.42) port 80 (#0)
> GET /undo HTTP/1.1
> Host: 10.42.42.42
> User-Agent: curl/7.70.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Content-Type: text/plain
< Content-Length: 27
< Connection: close
< Access-Control-Allow-Origin: *
< 
Rebooting into userspace 1
* Closing connection 0

After 10 minutes I disconnected and reconnected the SP111, the LED ring stays blue, so it's not on the intermediate firmware anymore. Unfortunately I don't seem to be able to bring it back into pairing mode again. The first press seems to toggle the relay, further presses do nothing. I'm not familiar with the stock firmware, but this feels wrong.

Tried tuya-convert again, but it doesn't find the device. So I guess it will be UART next.
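
The point where the device goes silent in the tcpdump capture above can be located mechanically. The following is an added example, not part of the original comment or of tuya-convert: it parses tcpdump text output and reports the last offset of tasmota.bin the device acknowledged, how often the host retransmitted the next segment, and how many ARP requests went unanswered. The function name `find_stall` and its parameters are assumptions; the sample lines are an excerpt of the capture posted above.

```python
import re

# Excerpt of the capture posted above: 10.42.42.1 is the flashing host serving
# tasmota.bin on port 80, 10.42.42.42 is the plug on the intermediate firmware.
CAPTURE = """\
04:17:39.888289 IP 10.42.42.1.80 > 10.42.42.42.31971: Flags [.], seq 11161:12401, ack 155, win 64326, length 1240: HTTP
04:17:39.893713 IP 10.42.42.42.31971 > 10.42.42.1.80: Flags [.], ack 12401, win 880, length 0
04:17:40.144079 IP 10.42.42.1.80 > 10.42.42.42.31971: Flags [P.], seq 12401:13281, ack 155, win 64326, length 880: HTTP
04:17:40.400083 IP 10.42.42.1.80 > 10.42.42.42.31971: Flags [P.], seq 12401:13281, ack 155, win 64326, length 880: HTTP
04:17:40.904087 IP 10.42.42.1.80 > 10.42.42.42.31971: Flags [P.], seq 12401:13281, ack 155, win 64326, length 880: HTTP
04:17:41.928040 IP 10.42.42.1.80 > 10.42.42.42.31971: Flags [P.], seq 12401:13281, ack 155, win 64326, length 880: HTTP
04:17:43.976063 IP 10.42.42.1.80 > 10.42.42.42.31971: Flags [P.], seq 12401:13281, ack 155, win 64326, length 880: HTTP
04:18:31.080043 ARP, Request who-has 10.42.42.42 tell 10.42.42.1, length 28
04:18:32.104071 ARP, Request who-has 10.42.42.42 tell 10.42.42.1, length 28
04:18:33.128042 ARP, Request who-has 10.42.42.42 tell 10.42.42.1, length 28
"""

SEG = re.compile(r"^(\d+):(\d+):([\d.]+) IP (\S+)\.(\d+) > (\S+)\.(\d+): "
                 r"Flags \[[^\]]*\],(?: seq (\d+):(\d+),)? ack (\d+)")

def find_stall(text, server="10.42.42.1", device="10.42.42.42"):
    """Locate where the device stopped acknowledging the firmware download."""
    sends = {}            # (start, end) -> timestamps at which the server sent it
    last_ack = 0          # highest offset acknowledged by the device
    arp_unanswered = 0    # ARP requests for the device since its last reply
    for line in text.splitlines():
        if f"who-has {device} tell" in line:
            arp_unanswered += 1
        elif f"ARP, Reply {device} is-at" in line:
            arp_unanswered = 0
        m = SEG.match(line)
        if not m:
            continue
        h, mi, s, src, sport, dst, dport, start, end, ack = m.groups()
        ts = int(h) * 3600 + int(mi) * 60 + float(s)
        if src == server and sport == "80" and start:
            sends.setdefault((int(start), int(end)), []).append(ts)
        elif src == device and dport == "80":
            last_ack = max(last_ack, int(ack))
    # The stalled segment is the one starting at the last acknowledged offset.
    stalled = next((k for k in sends if k[0] == last_ack), None)
    times = sends.get(stalled, [])
    gaps = [round(b - a, 3) for a, b in zip(times, times[1:])]
    return {"last_ack": last_ack, "stalled_segment": stalled,
            "retransmissions": max(len(times) - 1, 0),
            "backoff_gaps_s": gaps, "arp_unanswered": arp_unanswered}

if __name__ == "__main__":
    print(find_stall(CAPTURE))
```

On this excerpt the retransmission gaps roughly double each time, which is the host's TCP retransmission timer backing off against a peer that never answers again after offset 12401.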

mweinelt commented 4 years ago

Flashing via UART is stuck again at 15%. What is wrong with these devices? :cry: This behaviour is reproducible, even with lower baud rates (115200, 38400, 19200, 9600).

# esptool.py --before default_reset --after hard_reset --baud 460800 --chip esp8266 --port /dev/ttyUSB0 write_flash 0x0 devices/gosund_sp111/208393/.pioenvs/208393/firmware.bin
esptool.py v2.7
Serial port /dev/ttyUSB0
Connecting....
Chip is ESP8285
Features: WiFi, Embedded Flash
Crystal is 26MHz
MAC: 24:62:ab:20:83:93
Uploading stub...
Running stub...
Stub running...
Changing baud rate to 460800
Changed.
Configuring flash size...
Auto-detected Flash size: 1MB
Compressed 477488 bytes to 323061...
Writing at 0x00008000... (15 %)
A fatal error occurred: Timed out waiting for packet header
INFO Upload with baud rate 460800 failed. Trying again with baud rate 115200.
INFO Running:  esptool.py --before default_reset --after hard_reset --baud 115200 --chip esp8266 --port /dev/ttyUSB0 write_flash 0x0 devices/gosund_sp111/208393/.pioenvs/208393/firmware.bin
esptool.py v2.7
Serial port /dev/ttyUSB0
Connecting........_____....._____....._____....._____....._____....._____....._____

A fatal error occurred: Failed to connect to ESP8266: Timed out waiting for packet header