guino / Merkury720

Root and Customization for Merkury 720P and similar cameras

Tuya doorbell V1.3.8 #11

Closed Zeunas closed 3 years ago

Zeunas commented 3 years ago

Hi,

Would it ever be possible for this to work on older firmwares? I have a Tuya doorbell which obviously works via cloud, no local connection, with Main Module firmware V1.3.8 / MCU Module V1.3.8 - It has no new updates available and it's been like this since I bought it a couple of years ago.

Link to the doorbell here

I can easily open it if you need to see what is inside. I'm just afraid that trying the bootloader for versions above mine might brick the doorbell.

Just wanted to see if there's any flash of hope of ever getting it to at least send me snapshots on motion, without the need of going to the app.

Thanks!

Note: I did try this: http://admin:056565099@IP/devices/deviceinfo but does nothing.

guino commented 3 years ago

@Zeunas did you try creating a ppsFactoryTool.txt file as indicated in https://github.com/guino/Merkury720 to see if it would allow the http://admin:056565099@ip/devices/deviceinfo link to work?

I have not seen any firmware before 2.7.x so I have no idea if it’s similar in any way to 2.7.x. Chances are the bootloader may not even be protected so you could potentially gain root access directly using the serial port and we could modify it that way.

Without the device the only way I can help is if you are willing to open it, take some pictures and then connect/solder onto the serial port so we can get some information from it and try a few commands. This would require having a ttl-usb or ttl-serial adapter and soldering iron along with some wiring to connect to it (plus your time/commitment to work on it). Another possible solution would be to use a hardware programmer to read the flash which would require opening and possibly removing the flash chip to read/program.

If you don’t have the required equipment or skills the only way I could help is if I had the device (which I don’t).

Zeunas commented 3 years ago

@guino thank you for coming back so promptly. Tried the ppsFactoryTool.txt procedure but it didn't work - Tried the URL with both ports (80 and 8090), to no avail.

I did end up trying the hack and even though it didn't work at all, I've noticed when the doorbell boots (with all the mmc files and busybox file in the SD card) the light stays on, it connects to my router but I lose access to it via app (it shows Offline) - Not sure if it gives you any hints?

I have opened the camera up but I have zero skills with soldering / using ttl-usb/serial, etc. So I think I'll just leave you with the pictures here just for the record and will leave it at that. Don't really have great hopes of being able to flash it but thought I could give it a go.

Image 2021-05-27 at 21 47 39 Image 2021-05-27 at 21 47 40 Image 2021-05-27 at 21 47 41

guino commented 3 years ago

@Zeunas your flash chip is the black 8-pin chip on the top-left of the last picture. If I had to guess the serial port is the 4 silver oval/rectangular pins on the top right. If you have no soldering skills I won't recommend you try anything because your serial port would require both soldering to the pins mentioned AND having a ttl-usb or ttl-serial adapter. If you were to use a hardware programmer you would likely have to remove the chip on the top-left which is harder than using the serial port unless you have the right tools. So unless you know someone with the tools or skills to do it I would leave it alone or you will most likely damage the board.

If the hack had any effect at all (even if it is not good) then something worked to some extent. Did you check if it created a /home directory or anything new in the SD card? I assume that removing the SD card allowed the device to boot normally?

Without having the device myself there's not much I can do (even if you dismantled the device a little more). With the device in hands I can definitely read/modify the flash directly with the hardware programmer and there's a chance the hardware programmer is the only solution but I can't say anything for sure unless I had the device (so I could hook up the serial port and/or read the flash with my programmer). You may be better off selling this device and putting that money towards a device that has built-in mjpeg/RTSP (or at least a device that you know can be hacked).

Zeunas commented 3 years ago

Yes, I suppose it worked to some extent indeed but no, unfortunately it didn't create any additional files/folders.

Like you said, I'm better off selling it and buying a hackable device or one with built-in mjpeg/rtsp.

Thank you for your assistance though, much appreciated!