Tuya -> Tasmota/ESPHome -> HomeAssistant and beyond

[deftdawg]

Picked up a pack of these last week, I'm impressed they are 15A and CSA marked for $20 CAD...

Have you had a chance to open one yet? Most of these devices seem to be tuya / Esp based controlled, I'm curious if this is as well. Would be good to get some picks of the board chips, pins, and general layout to see if it's already been converted by someone else under a different brand name.

I did grab the APK and unzip it: com.homedepot.sp1_131_apkplz.net.apk

App is written in Javascript, there are a ton of different devices in /assets and build.zip seems to contain the whole app, though it's been run through webpack.

Pasted com.homedepot.sp1_131_apkplz.net.apk/assets/static/js/wifi-devices.2dbbbda4.chunk.js into https://lelinhtinh.github.io/de4js/ and there are references to port 6666 and 6667 on 255.255.255.255 ... though the code is still impossible to read.

Anyway, I'd love to get these running on ESPHome or Tasmota so I can control them directly via HomeAssistant.

[gknepper]

Hi @deftdawg , Actually I opened one already. The images are in images folder. It runs on a RTL8710BX chipset, not on a ESP82XX. So the device it's not compatible with Tasmota which runs only on ESP8266 or ESP8285 chipsets. I sniffed the packages that this device receives and it's all MQTT packages. (with SSL). so it's a remote MQTT subscription that controls the relay.

The board has 4 pins marked as GND/+3V3/RX/TX where I want to try to get a firmware dump. ( some soldering job is needed and I don't have a soldering iron available ) but it's an alternative to understand the working of this device.

[deftdawg]

Ah yes, I started looking into this and it seems starting with Teckin sp22 plugs many manufactures have started switching to Realtek Arm chips.

There are some indications that these can be programmed like Ardunios

• Ameba Writer, easy programming interface for RTL8710 on Arduino IDE & Ameba Writer
• platformio-realtek-rtl8710b - PlatformIO development system platform for realtek microcontrollers.

Here are some other links I found:

• tuya_iot_sdk_for_RTL8710BN - OTA
• Tuya WR2 Developer Datasheet
• Hackaday: RTL8710 easy programming by Arduino IDE
• Some SDK by pvvx

BTW, Is there a non-destructive way to get it out of the casing? It looks like there's a seam along the back, is it clipped only or glued as well?

[gknepper]

Probably, I manage to open with a minimal damage on the case. I don't have but this tool can probably solve the issue:

https://www.amazon.ca/iFixit-Jimmy-Electronics-Opening-Tool/dp/B00NCFIVH4

It's only 4 clips but the way they did make it hard. I'll include some images later on.

[deftdawg]

It's only 4 clips but the way they did make it hard. I'll include some images later on.

Yeah some pics of the inside of the shell (or what's left of it 🤣) would be great. Maybe can get it open with a putty knife or something...

[deftdawg]

Not sure if it's useful, but seems to be a Russian firmware building site for RTL8710n here... https://wifi-iot.com/p/rtl87xx/

Login is demo/demo

Most of the features (red) appear to require payment.

[gknepper]

I would say worth a try, but without a better understanding on the firmware dump/written process it's quite a leap. I still don't know if an ameba writer is needed or only a serial connection can get the job done.

[deftdawg]

I'm also unsure... There is a discussion here: https://github.com/arendst/Tasmota/discussions/9262

Someone drops a link Ameba ARDUINO: Getting Started with RTL8710, but appears to be an official SDK board or something.

[gknepper]

@deftdawg I upload some photos of the case opened and my concerns about the way they create some sort of groove in the plastic.

[funroompc]

Best of luck guys. I’m following this :)

[gmcmicken]

I sniffed the packages that this device receives and it's all MQTT packages. (with SSL). so it's a remote MQTT subscription that controls the relay.

@gknepper How far did you get in capturing the mqtt packets, could you read the contents, is it a known certificate?

[gknepper]

@gmcmicken We are in the same page pretty much. It's a proprietary certificate for sure. I was trying to dump the RTL8710BX image and with some luck open and check the contents to find the cert. Some soldering is needed and I haven't done so far.

[gmcmicken]

@gknepper I found the keypair, it was in the apk in a keystore file (.bks) and I guessed the password. 👍

leedarson-keypair.zip

[gknepper]

@gmcmicken Sweet!

[gmcmicken]

I tried packet capturing tonight, but my wifi card doesn't support monitor mode. I then tried to capture on my android device while using the app to configure the smart plug but the app failed to start when the capture was running (an android vpn issue I guess?) I'll try again though.

[gknepper]

I tried using rpcapd inside my router but I wasn't able to open the packages. I think I'm doing something wrong on wireshark on TLS settings. For now my only findings was the MQTT gateway: azuremqtt.arnoo.com which leads us to the probable manufacturer of this Arnoo app. https://www.arnoo.com/

[gmcmicken]

It's possible the keypair I found is only for the intial setup during the stage where the switch is broadcasting an unsecured wifi and the app connects directly to it. It's also possible the keypair is for some other device supported by that app. I think we should be able to see the fingerprint (?) in the tls handshake though to be sure.

[GSzabados]

I know this is not the same device, but some hint where to look for some ideas...

https://www.reddit.com/r/homeautomation/comments/j5kb2o/hacking_a_7_zigbee_mqtt_hub_that_comes_with_two/

[bluesky-ca]

FCC info for the company making the reference design: https://fccid.io/2AB2Q, and this specific plug https://fccid.io/2AB2QHPPA11SWB has anybody been able to find more info on local control ?

[sree-86]

Any update on this?

[eastpole]

At long last I think some cool people got traction on this problem. https://github.com/libretiny-eu/libretiny

This project is enabling the creation of firmware that can be run on non-ESP32 IoT platforms including the relevant one here, the RTL8710BX. I really did not want to get tangled up with Ameba if I could help it -- this looks more likely to work for me.

[bluesky-ca]

I wonder if anybody has actually managed to flush a plug using that code - the project does look interesting.

For a while now I have been using the Sonoff S31 plugs with tasmota, but there is a big price difference between the HomeDepot and the Sonoff ( including the lite version without power monitoring ).
I did some hacking at the plug while back using ssl proxy but was not able to obtain local control - was using an older rooted phone, but have seen videos using the Android emulator making the process a bit simpler.

I believe HD still sells those plugs at a good price, so it would be great to have a low cost, easy to purchase option with local control ( checked the HD page and they still do sell them ).

[ESurge]

TLDR: I have this switch working with ESPHome. You will need to...

• solder some wires to TX0, RX0, and GND
• manually compile/download the OTA1/OTA2 files using ESPHome
• use rtltool.py for flashing OTA1/OTA2 (instructions below)
• use the YAML code (below) for ESPHome or use the following pin assignments
  • Button: PA22
  • Relay: PA00
  • Green LED: PA05
  • Red LED: PA14

  • LibreTiny Module: BW12

    I bought a three pack of switches on sale at Home Depot. At the time, there wasn't any information for the RTL8710 so I converted two switches with ESP8266 chips for an almost drop-in replacement. Flashed Tasmota on them and went on my way.

I had one switch remaining and until recently was just put aside. I was about to convert it, but I found out that the LibreTiny/ESPHome project exists which has made progress with RTL8710 chips.

LibreTiny mentions how to get a module setup in ESPHome, and then to use the ltchiptool for flashing. The ltchiptool helped me figure out that these SP1 boards have 2MB of flash. Using a generic rtl8710bx module configuration and no GPIO settings, I compiled a firmware. Sadly, my attempts to flash a UF2 firmware file caused ltchiptool to crash or not write to the chip.

I found another tool called rtltool.py. This tool plus the ability to manually download the OTA1/OTA2 files allowed me to flash the board. After this success, I manually figured out which pin assignment was associated to the components which I had previously reversed engineered from converting my other boards over to ESP8266.

Notes:

• I'm new to ESPHome and figured this out in the last day and a half, so this might not be the best but it's working for me.
• I can't use ESPHome to flash updates. I'm not sure how to get this working if at all.
• rtltool.py requires Python 2.7 to work
• When modifying the commands listed below, make sure to change the USB to Serial device port, and also ensure you get the flash addresses correct.
• I noticed that the SP1 doesn't always connect to wifi. I'm not sure if this is a consequence of using the BW12 LibreTiny module or maybe my wireless connection is spotty.

To flash the RTL8710BX chip: Manually download the OTA1/OTA2 bin files from ESPHome before proceeding.

• I used a power bar/strip with a on/off switch
• With the power bar off, plug in the SP1
  • The top cover was off, exposing the board
  • This is dangerous so proceed with caution!
  • Edit: You can do this more safely instead of connecting to power, use an external 3.3V source and connect it to the 3.3V pin on the back of the board.
• On the USB to Serial device:
  • Connect RX0 to TX
  • Connect GND to GND
  • Connect TX0 to GND
    • This is required to bring the RTL8710BX into Download Mode
• Power on the SP1
• Change the TX0 pin over to RX on the USB to Serial device
• In a command terminal:
  • Ensure the OTA1/OTA2 bin files are in the current working directory otherwise you'll need to specify the exact location
  • Modify and run the following command to write to OTA1:
    • python rtltool.py -p <USB_to_Serial_Port> wf 0xb000 name_of_device_0x00B000.bin
  • Modify and run the following command to write to OTA2:
    • python rtltool.py -p <USB_to_Serial_Port> wf 0x80000 name_of_device_0x080000.bin
• After flashing, power off the SP1, and then power on again
• You should now have ESPHome flashed to the SP1

YAML:

esphome:
  name: name_of_device
  friendly_name: "Name of Device"

rtl87xx:
  board: bw12

# Enable Home Assistant API
api:
  encryption:
    key: "keyhere"

ota:
  password: "ota_pass"

wifi:
  ssid: !secret wifi_ssid
  password: !secret wifi_password

binary_sensor:
  - platform: gpio
    pin:
      number: PA22
      mode:
        input: true
        pullup: false
      inverted: true
    name: "Button"
    on_press:
      - then:
        - switch.toggle: relay
    disabled_by_default: true

switch:
  - platform: gpio
    name: "Relay"
    pin: PA00
    id: relay
    on_turn_on:
      - then:
        - output.turn_on: green_led
    on_turn_off:
      - then:
        - output.turn_off: green_led

status_led:
  pin:
    number: PA14
    inverted: false

output:
  id: green_led
  platform: gpio
  pin: PA05

Some images:

[bluesky-ca]

Thanks for the info. Would be interesting if one could flash the plug over the air without having to crack it open. Even without that being able to flash it with ESPHome is great progress - would love to see Tasmota but I don't believe they are doing devices outside of ESP chips. I guess it is the time to cut them open :-)

[ESurge]

Ideally that would be best (flashing without having to tear apart the case). Perhaps when more research into how the original firmware operates is done but until then, I'll take what I can get.

I found a way to connect 3.3V and GND without having to take the screws out. The empty capacitor spot by the square cutout has GND (white striped/shaded section), and 3.3V (blank section) pins.

Image attached.

[ESurge]

Grabbed a few more 3pk boxes from Home Depot since they were on clearance.

When flashing one of these new devices, the button (PA22) didn't work with the ESPHome YAML I posted above. To fix this, I had to enable the internal pullup resistor.

Regarding the button (PA22) pullup resistor, I've seen a mixed result; detailed below.

Mostly I've been flashing with the pullup set to false. This is because when I was first experimenting to get the correct pins and settings for the YAML, I noticed the button wouldn't work unless the pullup was set to false.

After flashing a few of these, I ran into the device first mentioned above where the pullup needed to be set to true and didn't work otherwise.

I also tested some devices by leaving the pullup set to true. This worked on some devices but not others. Strange.