search

seaky / nspanel_pro_roottool_apk

27 stars 0 forks source link

Switch between Zigbee Coordinator or Repeater mode #3

Open svanrossem opened 6 months ago

svanrossem commented 6 months ago

I'm collecting info about the Coordinator and Repeater mode for the builtin Zigbee module.

My NSPanel Pro was root activated since version v1.5.6. To switch between the two modes you need v2.2.0 or higher. To archieve this, you'll need to update it, we'll use adb.

adb install nspanel-pro-roottools-1.0-release.apk
curl -L https://global-otadl2bsy.coolkit.cc/nspanel-pro/rom/25/CoolKit_Sonoff_480P_20231109_2.2.0-ota.zip --output system_update.zip
adb push system_update.zip /storage/emulated/0/

On the NSPanel Pro open the app and update it :rocket:. After a reboot the tool will tell you you're running v2.2.0.

Open the eWeLink app on you're smartphone, scan the QR-code and click ‘Device Settings–Pilot Features–Zigbee Mode’ to switch between the Coordinator and Repeater mode.

svanrossem commented 6 months ago

It looks like communication between the app on the NSPanel Pro and the builtin Zigbee module is done via MQTT.

px30_evb:/vendor/bin/siliconlabs_host

px30_evb:/ # ls -lh /vendor/bin/siliconlabs_host         
Readme.txt       libcrypto.so.1.1  libssl.so.1.1 mosquitto.conf     mosquitto_pub zgateway
factory_shell.sh libfreezgb.so     mosquitto     mosquitto.password mosquitto_sub
guard_process.sh libmosquitto.so.1 mosquitto.acl mosquitto_passwd   run.sh
px30_evb:/vendor/bin/siliconlabs_host # cat factory_shell.sh                                             
#!/bin/sh

export LD_LIBRARY_PATH=/vendor/bin/siliconlabs_host/:${LD_LIBRARY_PATH}

cp -r /vendor/bin/siliconlabs_host/libmosquitto.so.1 /vendor/lib
cp -r /vendor/bin/siliconlabs_host/libcrypto.so.1.1 /vendor/lib
cp -r /vendor/bin/siliconlabs_host/libssl.so.1.1 /vendor/lib
cp -r /vendor/bin/siliconlabs_host/mosquitto_pub /system/bin
cp -r /vendor/bin/siliconlabs_host/mosquitto_sub /system/bin

/vendor/bin/siliconlabs_host/mosquitto_pub -t "gw/factoryTest" -q 2 -m "{\"commands\":\"FactoryTest\"}" -i factory_Test

res=$(/vendor/bin/siliconlabs_host/mosquitto_sub -h "localhost" -t "gw/factoryTest" -i factory_Test -C 1)
echo "$res"

exit 0
px30_evb:/vendor/bin/siliconlabs_host # cat guard_process.sh                                             
#!/bin/bash

echo "-------------Zigbee guard_process run-------------------------"

export LD_LIBRARY_PATH=/vendor/bin/siliconlabs_host/:${LD_LIBRARY_PATH}
echo ${LD_LIBRARY_PATH}

Z3GatewayHost_sonoff_go() {
    echo "do Z3GatewayHost_sonoff_go"

    killall zgateway
    sleep 1

    # killall mosquitto
    # sleep 1

    echo $(pwd)
    cd /vendor/bin/siliconlabs_host/
    echo $(pwd)

    # sleep 1
    # /vendor/bin/siliconlabs_host/mosquitto -c /vendor/bin/siliconlabs_host/mosquitto.conf &

    sleep 3

    #在终端打印整个运行日志
    /vendor/bin/siliconlabs_host/zgateway &
}

check() {
    echo "do check"

    local Z3GatewayHost_sonoffNum=`ps -A | grep -w 'zgateway' | grep -v "grep" | wc -l`
    # local mosquittoNum=`ps -A | grep -w 'mosquitto' | grep -v "grep" | wc -l`

    echo "Z3GatewayHost_sonoffNum:"${Z3GatewayHost_sonoffNum}

    if [ ${Z3GatewayHost_sonoffNum} -ne 1 ]; then
        echo "Z3GatewayHost_sonoffNum restart `date +"%Y-%m-%d %H:%M:%S"`" >> /data/vendor/siliconlabs_host/zgatewayStatus

        Z3GatewayHost_sonoff_go
    fi

}

while true
do
    sleep 60
    check
done
px30_evb:/vendor/bin/siliconlabs_host # cat run.sh                                                       
#!/bin/bash

echo "-------------Zigbee Host run-------------------------"
LOCAL_TIME=$(date +"%Y-%m-%d %H:%M:%S")
echo $LOCAL_TIME 'Zigbee Host, start' > /vendor/run.log 

export LD_LIBRARY_PATH=/vendor/bin/siliconlabs_host/:${LD_LIBRARY_PATH}
echo ${LD_LIBRARY_PATH}

#检查是否需要拷贝
if [ ! -d "/data/vendor/siliconlabs_host" ]; then
    echo "cp oem..."
    mkdir /data/vendor/siliconlabs_host
    chmod 777 /data/vendor/siliconlabs_host
    echo $LOCAL_TIME 'Zigbee Host, start' > /data/vendor/run.log
    # cp -r /vendor/bin/siliconlabs_host/* /oem/siliconlabs_host/
else
    echo "file exist"
fi 

# sleep 1
# echo "copy libfreezgb.so"
# cp -r /vendor/bin/siliconlabs_host/libfreezgb.so /vendor/lib
# cp -r /vendor/bin/siliconlabs_host/libfreezgb.so /system/lib
# echo "copy libfreezgb.so"
# cp -r /vendor/bin/siliconlabs_host/libmosquitto.so.1 /vendor/lib
# cp -r /vendor/bin/siliconlabs_host/libmosquitto.so.1 /system/lib

# sleep 1

killall zgateway
# sleep 1
killall guard_process
killall mosquitto
sleep 1

echo $(pwd)
cd /vendor/bin/siliconlabs_host/
echo $(pwd)

#需要先启动MQTT 服务
/vendor/bin/siliconlabs_host/mosquitto -c /vendor/bin/siliconlabs_host/mosquitto.conf &

sleep 3

#在终端打印整个运行日志
/vendor/bin/siliconlabs_host/zgateway &

sh /vendor/bin/siliconlabs_host/guard_process.sh &
svanrossem commented 6 months ago

This tells we're be able ro run mosquito pub and sub commands e.g.

export LD_LIBRARY_PATH=/vendor/bin/siliconlabs_host/:${LD_LIBRARY_PATH}
/vendor/bin/siliconlabs_host/mosquitto_sub -v -h 127.0.0.1 -t "#" -i debug
export LD_LIBRARY_PATH=/vendor/bin/siliconlabs_host/:${LD_LIBRARY_PATH}
/vendor/bin/siliconlabs_host/mosquitto_pub -t "gw/factoryTest" -q 2 -m "{\"commands\":\"FactoryTest\"}" -i debug
svanrossem commented 6 months ago

I've modified mosquitto.conf to log *

mount -o remount,rw /vendor
busybox vi /vendor/bin/siliconlabs_host/mosquitto.conf
per_listener_settings false
allow_zero_length_clientid false
check_retain_source false
max_inflight_messages 20
max_keepalive 60
persistent_client_expiration 1w
retain_available true
sys_interval 3600
#listener 1883 127.0.0.1
listener 1883

persistence false

user root

allow_anonymous true
#password_file /oem/siliconlabs_host/mosquitto.password
#acl_file /oem/siliconlabs_host/mosquitto.acl

log_dest file /data/vendor/siliconlabs_host/mosquitto.log
log_type all
connection_messages true
log_timestamp true
log_timestamp_format %Y-%m-%dT%H:%M:%S
sys_interval 10

And a clean logfile (switched to Repeater mode)

px30_evb:/ # cat /data/vendor/siliconlabs_host/mosquitto.log                                             
2024-01-03T23:46:21: mosquitto version 2.0.8 starting
2024-01-03T23:46:21: Config loaded from /vendor/bin/siliconlabs_host/mosquitto.conf.
2024-01-03T23:46:21: Opening ipv6 listen socket on port 1883.
2024-01-03T23:46:21: Opening ipv4 listen socket on port 1883.
2024-01-03T23:46:21: mosquitto version 2.0.8 running
2024-01-03T23:46:24: New connection from 127.0.0.1:59082 on port 1883.
2024-01-03T23:46:24: New client connected from 127.0.0.1:59082 as zigbee (p5, c1, k60, u'zigbee').
2024-01-03T23:46:24: Will message specified (48 bytes) (r1, q2).
2024-01-03T23:46:24:    zigbee/system/availability
2024-01-03T23:46:24: Sending CONNACK to zigbee (0, 0)
2024-01-03T23:46:24: Received SUBSCRIBE from zigbee
2024-01-03T23:46:24:    zigbee/system/network-role/switch (QoS 2)
2024-01-03T23:46:24: zigbee 2 zigbee/system/network-role/switch
2024-01-03T23:46:24: Sending SUBACK to zigbee
2024-01-03T23:46:24: Received SUBSCRIBE from zigbee
2024-01-03T23:46:24:    zigbee/system/unpair (QoS 2)
2024-01-03T23:46:24: zigbee 2 zigbee/system/unpair
2024-01-03T23:46:24: Sending SUBACK to zigbee
2024-01-03T23:46:24: Received SUBSCRIBE from zigbee
2024-01-03T23:46:24:    zigbee/system/pair (QoS 2)
2024-01-03T23:46:24: zigbee 2 zigbee/system/pair
2024-01-03T23:46:24: Sending SUBACK to zigbee
2024-01-03T23:46:24: Received SUBSCRIBE from zigbee
2024-01-03T23:46:24:    zigbee/system/discover (QoS 2)
2024-01-03T23:46:24: zigbee 2 zigbee/system/discover
2024-01-03T23:46:24: Sending SUBACK to zigbee
2024-01-03T23:46:24: Received SUBSCRIBE from zigbee
2024-01-03T23:46:24:    zigbee/system/transmit-power-update (QoS 2)
2024-01-03T23:46:24: zigbee 2 zigbee/system/transmit-power-update
2024-01-03T23:46:24: Sending SUBACK to zigbee
2024-01-03T23:46:24: Received SUBSCRIBE from zigbee
2024-01-03T23:46:24:    zigbee/device/+/update/# (QoS 2)
2024-01-03T23:46:24: zigbee 2 zigbee/device/+/update/#
2024-01-03T23:46:24: Sending SUBACK to zigbee
2024-01-03T23:46:24: Received SUBSCRIBE from zigbee
2024-01-03T23:46:24:    zigbee/device/+/delete (QoS 2)
2024-01-03T23:46:24: zigbee 2 zigbee/device/+/delete
2024-01-03T23:46:24: Sending SUBACK to zigbee
2024-01-03T23:46:24: Received SUBSCRIBE from zigbee
2024-01-03T23:46:24:    hardware/button/factory-reset/updated/press (QoS 2)
2024-01-03T23:46:24: zigbee 2 hardware/button/factory-reset/updated/press
2024-01-03T23:46:24: Sending SUBACK to zigbee
2024-01-03T23:46:24: Received SUBSCRIBE from zigbee
2024-01-03T23:46:24:    gw/factoryTest (QoS 2)
2024-01-03T23:46:24: zigbee 2 gw/factoryTest
2024-01-03T23:46:24: Sending SUBACK to zigbee
2024-01-03T23:46:24: Received SUBSCRIBE from zigbee
2024-01-03T23:46:24:    zigbee/device/+/firmware-update (QoS 2)
2024-01-03T23:46:24: zigbee 2 zigbee/device/+/firmware-update
2024-01-03T23:46:24: Sending SUBACK to zigbee
2024-01-03T23:46:24: Received SUBSCRIBE from zigbee
2024-01-03T23:46:24:    zigbee/device/+/configure/# (QoS 2)
2024-01-03T23:46:24: zigbee 2 zigbee/device/+/configure/#
2024-01-03T23:46:24: Sending SUBACK to zigbee
2024-01-03T23:46:24: Received SUBSCRIBE from zigbee
2024-01-03T23:46:24:    zigbee/device/+/read/# (QoS 2)
2024-01-03T23:46:24: zigbee 2 zigbee/device/+/read/#
2024-01-03T23:46:24: Sending SUBACK to zigbee
2024-01-03T23:46:29: Received PUBLISH from zigbee (d0, q0, r1, m0, 'zigbee/system/availability', ... (43 bytes))
2024-01-03T23:46:29: Received PUBLISH from zigbee (d0, q0, r1, m0, 'zigbee/system/transmit-power-updated', ... (19 bytes))
2024-01-03T23:46:29: Received PUBLISH from zigbee (d0, q0, r1, m0, 'zigbee/system/network-role/information', ... (19 bytes))
2024-01-04T02:19:10: New connection from 127.0.0.1:59086 on port 1883.
2024-01-04T02:19:10: New client connected from 127.0.0.1:59086 as CKMQTTClientID_1 (p5, c1, k60, u'app_dev_1').
2024-01-04T02:19:10: No will message specified.
2024-01-04T02:19:10: Sending CONNACK to CKMQTTClientID_1 (0, 0)
2024-01-04T02:19:10: Received SUBSCRIBE from CKMQTTClientID_1
2024-01-04T02:19:10:    zigbee/system/availability (QoS 2)
2024-01-04T02:19:10: CKMQTTClientID_1 2 zigbee/system/availability
2024-01-04T02:19:10: Sending SUBACK to CKMQTTClientID_1
2024-01-04T02:19:10: Sending PUBLISH to CKMQTTClientID_1 (d0, q0, r1, m0, 'zigbee/system/availability', ... (43 bytes))
2024-01-04T02:19:10: Received SUBSCRIBE from CKMQTTClientID_1
2024-01-04T02:19:10:    zigbee/system/discovering (QoS 2)
2024-01-04T02:19:10: CKMQTTClientID_1 2 zigbee/system/discovering
2024-01-04T02:19:10: Sending SUBACK to CKMQTTClientID_1
2024-01-04T02:19:10: Received SUBSCRIBE from CKMQTTClientID_1
2024-01-04T02:19:10:    zigbee/system/discovered (QoS 2)
2024-01-04T02:19:10: CKMQTTClientID_1 2 zigbee/system/discovered
2024-01-04T02:19:10: Sending SUBACK to CKMQTTClientID_1
2024-01-04T02:19:10: Received SUBSCRIBE from CKMQTTClientID_1
2024-01-04T02:19:10:    zigbee/device/+/information (QoS 2)
2024-01-04T02:19:10: CKMQTTClientID_1 2 zigbee/device/+/information
2024-01-04T02:19:10: Sending SUBACK to CKMQTTClientID_1
2024-01-04T02:19:10: Received SUBSCRIBE from CKMQTTClientID_1
2024-01-04T02:19:10:    zigbee/device/+/availability (QoS 2)
2024-01-04T02:19:10: CKMQTTClientID_1 2 zigbee/device/+/availability
2024-01-04T02:19:10: Sending SUBACK to CKMQTTClientID_1
2024-01-04T02:19:10: Received SUBSCRIBE from CKMQTTClientID_1
2024-01-04T02:19:10:    zigbee/device/+/update-result/# (QoS 2)
2024-01-04T02:19:10: CKMQTTClientID_1 2 zigbee/device/+/update-result/#
2024-01-04T02:19:10: Sending SUBACK to CKMQTTClientID_1
2024-01-04T02:19:10: Received SUBSCRIBE from CKMQTTClientID_1
2024-01-04T02:19:10:    zigbee/device/+/updated/# (QoS 2)
2024-01-04T02:19:10: CKMQTTClientID_1 2 zigbee/device/+/updated/#
2024-01-04T02:19:10: Sending SUBACK to CKMQTTClientID_1
2024-01-04T02:19:10: Received SUBSCRIBE from CKMQTTClientID_1
2024-01-04T02:19:10:    zigbee/device/+/deleted (QoS 2)
2024-01-04T02:19:10: CKMQTTClientID_1 2 zigbee/device/+/deleted
2024-01-04T02:19:10: Sending SUBACK to CKMQTTClientID_1
2024-01-04T02:19:10: Received SUBSCRIBE from CKMQTTClientID_1
2024-01-04T02:19:10:    zigbee/device/+/firmware-updating (QoS 2)
2024-01-04T02:19:10: CKMQTTClientID_1 2 zigbee/device/+/firmware-updating
2024-01-04T02:19:10: Sending SUBACK to CKMQTTClientID_1
2024-01-04T02:19:10: Received SUBSCRIBE from CKMQTTClientID_1
2024-01-04T02:19:10:    zigbee/device/+/firmware-updated (QoS 2)
2024-01-04T02:19:10: CKMQTTClientID_1 2 zigbee/device/+/firmware-updated
2024-01-04T02:19:10: Sending SUBACK to CKMQTTClientID_1
2024-01-04T02:19:10: Received SUBSCRIBE from CKMQTTClientID_1
2024-01-04T02:19:10:    zigbee/device/+/configure-result/# (QoS 2)
2024-01-04T02:19:10: CKMQTTClientID_1 2 zigbee/device/+/configure-result/#
2024-01-04T02:19:10: Sending SUBACK to CKMQTTClientID_1
2024-01-04T02:19:10: Received SUBSCRIBE from CKMQTTClientID_1
2024-01-04T02:19:10:    zigbee/device/+/read-result/# (QoS 2)
2024-01-04T02:19:10: CKMQTTClientID_1 2 zigbee/device/+/read-result/#
2024-01-04T02:19:10: Sending SUBACK to CKMQTTClientID_1
2024-01-04T02:19:10: Received SUBSCRIBE from CKMQTTClientID_1
2024-01-04T02:19:10:    zigbee/system/transmit-power-updated (QoS 2)
2024-01-04T02:19:10: CKMQTTClientID_1 2 zigbee/system/transmit-power-updated
2024-01-04T02:19:10: Sending SUBACK to CKMQTTClientID_1
2024-01-04T02:19:10: Sending PUBLISH to CKMQTTClientID_1 (d0, q0, r1, m0, 'zigbee/system/transmit-power-updated', ... (19 bytes))
2024-01-04T02:19:10: Received SUBSCRIBE from CKMQTTClientID_1
2024-01-04T02:19:10:    zigbee/system/network-role/information (QoS 2)
2024-01-04T02:19:10: CKMQTTClientID_1 2 zigbee/system/network-role/information
2024-01-04T02:19:10: Sending SUBACK to CKMQTTClientID_1
2024-01-04T02:19:10: Sending PUBLISH to CKMQTTClientID_1 (d0, q0, r1, m0, 'zigbee/system/network-role/information', ... (19 bytes))
2024-01-04T02:19:10: Received SUBSCRIBE from CKMQTTClientID_1
2024-01-04T02:19:10:    zigbee/system/pairing (QoS 2)
2024-01-04T02:19:10: CKMQTTClientID_1 2 zigbee/system/pairing
2024-01-04T02:19:10: Sending SUBACK to CKMQTTClientID_1
2024-01-04T02:19:10: Received SUBSCRIBE from CKMQTTClientID_1
2024-01-04T02:19:10:    zigbee/system/paired (QoS 2)
2024-01-04T02:19:10: CKMQTTClientID_1 2 zigbee/system/paired
2024-01-04T02:19:10: Sending SUBACK to CKMQTTClientID_1
2024-01-04T02:19:10: Received SUBSCRIBE from CKMQTTClientID_1
2024-01-04T02:19:10:    zigbee/system/pair-information (QoS 2)
2024-01-04T02:19:10: CKMQTTClientID_1 2 zigbee/system/pair-information
2024-01-04T02:19:10: Sending SUBACK to CKMQTTClientID_1
2024-01-04T02:19:10: Received SUBSCRIBE from CKMQTTClientID_1
2024-01-04T02:19:10:    zigbee/system/unpaired (QoS 2)
2024-01-04T02:19:10: CKMQTTClientID_1 2 zigbee/system/unpaired
2024-01-04T02:19:10: Sending SUBACK to CKMQTTClientID_1

It looks like New client connected from 127.0.0.1:59086 as CKMQTTClientID_1 (p5, c1, k60, u'app_dev_1'). CKMQTTClientID_1 is identified as the eWelink app.

svanrossem commented 6 months ago

I thought it was maybe something special in config files in /vendor/bin/siliconlabs_host/ so i've pulled the directories in both scenarios, switching between Coordinator and Repeater mode in the eWelink app. adb pull /vendor/bin/siliconlabs_host repeater Switch to Coordinator mode in the app.

adb pull /vendor/bin/siliconlabs_host coordinator

And check if there are differences...

diff coordinator repeater

No differences :(

seaky commented 6 months ago

Thank you for the detailed info! I'll check it. Btw I opened a discussion (forum) here on github so with your retroactive permission I'll put it somehow there because it is very usefull!

regards, Robert

svanrossem commented 6 months ago

Trying to check differences in the android APK.

px30_evb:/ $ pm list packages | grep eWeLinkControlPanel                                                 
package:com.eWeLinkControlPanel
px30_evb:/ $ pm path com.eWeLinkControlPanel                                                             
package:/system/app/kz_app/kz_app.apk

adb pull /system/app/kz_app/kz_app.apk

I've pulled kz_app.apk from both scenarios, Coordinator mode and Repeater mode. After switching between modes in the eWelinkApp the app on the NSPanel Pro resets itself. Is there any difference?

sha256sum coo/kz_app.apk rep/kz_app.apk | sha256sum --check
coo/kz_app.apk: OK
rep/kz_app.apk: OK

Sadly, no!

svanrossem commented 6 months ago

I've unzipped the kz_app.apk app and decompiled classesX.dex

unzip kz_app.apk
for x in classes classes2 classes3; do enjarify ${x}.dex -o ${x}.jar; done

Inspecting classes.jar, classes2.jar and classes3.jar with JD-GUI for any clue.

svanrossem commented 6 months ago

I've searched in the wrong direction. It looks like the compiled ELF file zateway is doing all the work.

By inspecting zateway I've found two functions, I'll try to extract both for further progress.

adb pull /vendor/bin/siliconlabs_host/zgateway
strings zgateway | grep start_mqtt
start_mqtt_router
start_mqtt_coor
svanrossem commented 6 months ago

I've unzipped the kz_app.apk app and decompiled classesX.dex

unzip kz_app.apk
for x in classes classes2 classes3; do enjarify ${x}.dex -o ${x}.jar; done

Inspecting classes.jar, classes2.jar and classes3.jar with JD-GUI for any clue.

In com.eWeLinkControlPanel.MQTT.CKMQTTService$1 there was some interesting information.

class CKMQTTService$1 implements Runnable {
  public void run() {
    MemoryPersistence memoryPersistence = new MemoryPersistence();
    this();
    String str1 = "app_dev_1";
    String str2 = "12345678";
    try {
      MqttConnectionOptions mqttConnectionOptions = new MqttConnectionOptions();
      this();
      byte b = 1;
      mqttConnectionOptions.setCleanStart(b);
      long l = 0L;
      Long long_ = Long.valueOf(l);
      mqttConnectionOptions.setSessionExpiryInterval(long_);
      b = 60;
      mqttConnectionOptions.setKeepAliveInterval(b);
      mqttConnectionOptions.setUserName(str1);
      byte[] arrayOfByte = str2.getBytes();
      mqttConnectionOptions.setPassword(arrayOfByte);
      MqttAsyncClient mqttAsyncClient = new MqttAsyncClient();
      str2 = host;
      String str6 = clientId;
      this(str2, str6, (MqttClientPersistence)memoryPersistence);
      CKMQTTService$1$1 cKMQTTService$1$1 = new CKMQTTService$1$1();
      this(this);
      mqttAsyncClient.setCallback(cKMQTTService$1$1);
      String str4 = CKMQTTService.TAG;
      StringBuilder stringBuilder = new StringBuilder();
      this();
      str6 = "Connecting to broker:";
      stringBuilder = stringBuilder.append(str6);
      str6 = host;
      stringBuilder = stringBuilder.append(str6);
      String str5 = stringBuilder.toString();
      Log.i(str4, str5);
      IMqttToken iMqttToken = mqttAsyncClient.connect(mqttConnectionOptions);
      iMqttToken.waitForCompletion();
      String str3 = CKMQTTService.TAG;
      str5 = "mqtt is Connected";
      Log.i(str3, str5);
      CKMQTTService cKMQTTService = CKMQTTService.this;
      HashMap<String, MqttAsyncClient> hashMap = CKMQTTService.access$100(cKMQTTService);
      str5 = clientId;
      hashMap.put(str5, mqttAsyncClient);
    } catch (MqttException mqttException) {
      str1 = CKMQTTService.TAG;
      StringBuilder stringBuilder5 = new StringBuilder();
      this();
      stringBuilder5 = stringBuilder5.append("reason ");
      int i = mqttException.getReasonCode();
      String str7 = stringBuilder5.append(i).toString();
      Log.i(str1, str7);
      str1 = CKMQTTService.TAG;
      StringBuilder stringBuilder4 = new StringBuilder();
      this();
      stringBuilder4 = stringBuilder4.append("msg ");
      String str9 = mqttException.getMessage();
      String str6 = stringBuilder4.append(str9).toString();
      Log.i(str1, str6);
      str1 = CKMQTTService.TAG;
      StringBuilder stringBuilder3 = new StringBuilder();
      this();
      stringBuilder3 = stringBuilder3.append("loc ");
      str9 = mqttException.getLocalizedMessage();
      String str5 = stringBuilder3.append(str9).toString();
      Log.i(str1, str5);
      str1 = CKMQTTService.TAG;
      StringBuilder stringBuilder2 = new StringBuilder();
      this();
      stringBuilder2 = stringBuilder2.append("cause ");
      Throwable throwable = mqttException.getCause();
      String str4 = stringBuilder2.append(throwable).toString();
      Log.i(str1, str4);
      str1 = CKMQTTService.TAG;
      StringBuilder stringBuilder1 = new StringBuilder();
      this();
      String str8 = "excep ";
      String str3 = stringBuilder1.append(str8).append(mqttException).toString();
      Log.i(str1, str3);
      mqttException.printStackTrace();
    } 
  }
}
svanrossem commented 6 months ago

When starting zgateway it gives the following log.

px30_evb:/vendor/bin/siliconlabs_host # ./zgateway                                                       
#---Firmware compile time:Nov  1 2023 02:00:51  Firmware version:1.2.2---
{"modle":"ZBMINI-L","wait_flag":0}

{"modle":"S40LITE","wait_flag":0}

{"modle":"ZBCurtain","wait_flag":0}

{"modle":"ZBMINIL2","wait_flag":0}

{"modle":"CK-BL702-MWS-01(7016)","wait_flag":0}

{"modle":"CK-MG22-ROUTER-01(7018)","wait_flag":0}

{"modle":"CK-BL702-ROUTER-01(7018)","wait_flag":0}

{"modle":"SNZB-01P","wait_flag":1}

{"modle":"SNZB-02P","wait_flag":1}

{"modle":"SNZB-02D","wait_flag":1}

{"modle":"SNZB-04P","wait_flag":1}

{"modle":"SNZB-03P","wait_flag":1}

{"modle":"CK-BL702-SWP-01(7020)","wait_flag":0}

{"modle":"CK-BL702-SWP-01(7021)","wait_flag":0}

{"modle":"CK-BL702-SWP-01(7022)","wait_flag":0}

{"modle":"TRVZB","wait_flag":0}

{"modle":"CK-MG22-TRVZB-01","wait_flag":0}

{"modle":"SNZB-06P","wait_flag":0}

{"modle":"CK-MG22-TRVZB-01(7017)","wait_flag":0}

#uart_index:/dev/ttyS5
#workpath:/data/vendor/siliconlabs_host
#baudrate:115200
[host_open_handle] <159>: host open type : 2
[host_open_handle] <207>: path : /data/vendor/siliconlabs_host
[host_open_handle] <217>: port : /dev/ttyS5, baudrate : 115200 
[host_open_handle] <249>: ncp_argv 0PPPPP[mqtt_client_init] <374>: ------------mqtt client init---------------

[host_callback_thread] <126>: thread start ...
./Z3GatewayHost
-n1
-p/dev/ttyS5
-b115200
[mqtt_client_init] <384>: mosquitto_sub version running on libmosquitto 2.0.8.

----------message list init--------------
zcl open rev:0  
[startmain] <87>: devinfo path : /data/vendor/siliconlabs_host
[recv_message_queue_init] <58>: ----------recv message list init--------------

the workdir is /data/vendor/siliconlabs_host
[sonoff_gw_start] <1737>:  sonoff_gw_start 
Reset info: 11 (SOFTWARE)
Delaying 1 seconds
Setting up serial port
Error: Timeout occurred waiting for read data.
ncp in app we can init 
ezsp ver 0x08 stack type 0x02 stack ver. [6.10.1 GA build 216]
Ezsp Config: set security level to 0x0005:Success: set
Ezsp Config: set address table size to 0x0002:Success: set
Ezsp Config: set TC addr cache to 0x0002:Success: set
Ezsp Config: set stack profile to 0x0002:Success: set
Ezsp Config: set MAC indirect TX timeout to 0x1E00:Success: set
Ezsp Config: set max hops to 0x001E:Success: set
Ezsp Config: set tx power mode to 0x8000:Success: set
Ezsp Config: set supported networks to 0x0001:Success: set
Ezsp Value : set end device keep alive support mode to 0x00000003:Success: set
Ezsp Policy: set binding modify to "allow for valid endpoints & clusters only":Success: set
Ezsp Policy: set message content in msgSent to "return":Success: set
Ezsp Value : set maximum incoming transfer size to 0x00000052:Success: set
Ezsp Value : set maximum outgoing transfer size to 0x00000052:Success: set
--------------cca Threshold 0xf4b5
Ezsp Config: set binding table size to 0x0010:Success: set
Ezsp Config: set key table size to 0x0004:Success: set
Ezsp Config: set max end device children to 0x0020:Success: set
Ezsp Config: set aps unicast message count to 0x000A:Success: set
Ezsp Config: set broadcast table size to 0x000F:Success: set
Ezsp Config: set neighbor table size to 0x0010:Success: set
NCP supports maxing out packet buffers
Ezsp Config: set packet buffers to 253
Ezsp Config: set end device poll timeout to 0x0008:Success: set
Ezsp Config: set zll group addresses to 0x0000:Success: set
Ezsp Config: set zll rssi threshold to 0xFFD8:Success: set
Ezsp Config: set transient key timeout to 0x00B4:Success: set
Ezsp Endpoint 1 added, profile 0x0104, in clusters: 2, out clusters 2
534
Error: Could not create default directory '/data/vendor/siliconlabs_host/ota-files': File exists
check and create network the roleTypeis 0 and the nodeid is 65534
---------------network start success----------
[publish_sys_availability] <534>: pub string: {"online":true,"reason":"zigbee app start"}

mosquitto publish Error Code: 4  The client is not currently connected.
[publish_updated_transmit_power] <4073>: reqClientId:[zigbee]reqSequence[1704548047143]

[publish_updated_transmit_power] <4074>: pub string: {"transmitPower":9}
seaky commented 6 months ago

Trying to check differences in the android APK.

px30_evb:/ $ pm list packages | grep eWeLinkControlPanel                                                 
package:com.eWeLinkControlPanel
px30_evb:/ $ pm path com.eWeLinkControlPanel                                                             
package:/system/app/kz_app/kz_app.apk

adb pull /system/app/kz_app/kz_app.apk

I've pulled kz_app.apk from both scenarios, Coordinator mode and Repeater mode. After switching between modes in the eWelinkApp the app on the NSPanel Pro resets itself. Is there any difference?

sha256sum coo/kz_app.apk rep/kz_app.apk | sha256sum --check
coo/kz_app.apk: OK
rep/kz_app.apk: OK

Sadly, no!

It will be allways the same the apk does not store states /data/user/0/ stores the states

seaky commented 6 months ago

zgateway

NSPanel Pro uses the standard siliconlabs z3 gateway you can build it with https://www.silabs.com/developers/simplicity-studio

as I remeber the code is freely available.

svanrossem commented 6 months ago

So, I've finally found the solution!

I've removed all bloated applications from the NSPanel Pro and installed a few custom scripts. Switching to Coordinator mode without the eWelink smartphone app and start pairing mode is all done by shell scripts. It's in early stage, I'll try to make the scripts cleaner and adding checks in a few days.

You could test it by adding all scripts below.

Enable root adb shell and start a shell! adb root adb shell

px30_evb:/ # mount -o remount,rw /vendor
px30_evb:/ # cd /vendor/bin/siliconlabs_host                                                             
px30_evb:/vendor/bin/siliconlabs_host #

mod-debloat_nspanelpro.sh

#!/system/bin/busybox bash

echo "NSPanel Pro apps debloater!"
echo

# https://blakadder.com/nspanel-pro-secrets/#debloat-apps
for a in "com.eWeLinkControlPanel" \
         "com.eWeLinkNSPro.dev" \
         "com.rockchip.devicetest" \
         "android.rockchip.update.service" \
         "com.android.gl2jni" \
         "com.smatek.test" \
         "android.rk.RockVideoPlayer" \
         "acr.browser.barebones" \
         "org.chromium.webview_shell" \
         "com.android.music" \
         "com.android.nfc" \
         "com.DeviceTest" \
         "com.cghs.stresstest"
do
  echo Removing ${a}
  pm uninstall --user 0 ${a}
done

mod-mqtt_listen.sh

#!/system/bin/busybox bash

export LD_LIBRARY_PATH=/vendor/bin/siliconlabs_host/:${LD_LIBRARY_PATH}

/vendor/bin/siliconlabs_host/mosquitto_sub -v -h 127.0.0.1 -t "#" -i debug

mod-set_zigbee_coordinator_mode.sh

#!/system/bin/busybox bash

export LD_LIBRARY_PATH=/vendor/bin/siliconlabs_host/:${LD_LIBRARY_PATH}

/vendor/bin/siliconlabs_host/mosquitto_pub -t 'zigbee/system/network-role/switch' -q 0 -m '{"role":"Coordinator"}' -i whoami -D PUBLISH user-property reqClientId whoami

echo "Switch to Zigbee coordinator mode, rebooting..."
reboot

mod-set_zigbee_repeater_mode.sh

#!/system/bin/busybox bash

export LD_LIBRARY_PATH=/vendor/bin/siliconlabs_host/:${LD_LIBRARY_PATH}

/vendor/bin/siliconlabs_host/mosquitto_pub -t 'zigbee/system/network-role/switch' -q 0 -m '{"role":"Repeater"}' -i whoami -D PUBLISH user-property reqClientId whoami

echo "Switch to Zigbee repeater mode, rebooting..."
reboot

mod-zigbee_repeater_pairing_mode.sh

#!/system/bin/busybox bash

export LD_LIBRARY_PATH=/vendor/bin/siliconlabs_host/:${LD_LIBRARY_PATH}

echo "Start Zigbee repeater pair mode!"

/vendor/bin/siliconlabs_host/mosquitto_pub -t 'zigbee/system/pair' -q 0 -m '{"pair":true}' -i whoami -D PUBLISH user-property reqClientId whoami -D PUBLISH payload-format-indicator 1 -D PUBLISH user-property reqSequence 1337

echo "Wait for 180sec"
sleep 180
echo "Done!
px30_evb:/vendor/bin/siliconlabs_host # chmod +x mod-* -v                                                
chmod 'mod-debloat_nspanelpro.sh' to 100777
chmod 'mod-mqtt_listen.sh' to 100777
chmod 'mod-set_zigbee_coordinator_mode.sh' to 100777
chmod 'mod-set_zigbee_repeater_mode.sh' to 100777
chmod 'mod-zigbee_repeater_pairing_mode.sh' to 100777

From now on you could switch between modes and start pair mode.

If you wish to debug things, you could log the output of zgateway by patching line 49 in run.sh

/vendor/bin/siliconlabs_host/zgateway >> /data/vendor/siliconlabs_host/zgateway.txt &
svanrossem commented 6 months ago

So, I've finally found the solution!

I've removed all bloated applications from the NSPanel Pro and installed a few custom scripts. Switching to Coordinator mode without the eWelink smartphone app and start pairing mode is all done by shell scripts. It's in early stage, I'll try to make the scripts cleaner and adding checks in a few days.

You could test it by adding all scripts below.

Enable root adb shell and start a shell! adb root adb shell

px30_evb:/ # mount -o remount,rw /vendor
px30_evb:/ # cd /vendor/bin/siliconlabs_host                                                             
px30_evb:/vendor/bin/siliconlabs_host #

mod-debloat_nspanelpro.sh

#!/system/bin/busybox bash

echo "NSPanel Pro apps debloater!"
echo

# https://blakadder.com/nspanel-pro-secrets/#debloat-apps
for a in "com.eWeLinkControlPanel" \
         "com.eWeLinkNSPro.dev" \
         "com.rockchip.devicetest" \
         "android.rockchip.update.service" \
         "com.android.gl2jni" \
         "com.smatek.test" \
         "android.rk.RockVideoPlayer" \
         "acr.browser.barebones" \
         "org.chromium.webview_shell" \
         "com.android.music" \
         "com.android.nfc" \
         "com.DeviceTest" \
         "com.cghs.stresstest"
do
  echo Removing ${a}
  pm uninstall --user 0 ${a}
done

mod-mqtt_listen.sh

#!/system/bin/busybox bash

export LD_LIBRARY_PATH=/vendor/bin/siliconlabs_host/:${LD_LIBRARY_PATH}

/vendor/bin/siliconlabs_host/mosquitto_sub -v -h 127.0.0.1 -t "#" -i debug

mod-set_zigbee_coordinator_mode.sh

#!/system/bin/busybox bash

export LD_LIBRARY_PATH=/vendor/bin/siliconlabs_host/:${LD_LIBRARY_PATH}

/vendor/bin/siliconlabs_host/mosquitto_pub -t 'zigbee/system/network-role/switch' -q 0 -m '{"role":"Coordinator"}' -i whoami -D PUBLISH user-property reqClientId whoami

echo "Switch to Zigbee coordinator mode, rebooting..."
reboot

mod-set_zigbee_repeater_mode.sh

#!/system/bin/busybox bash

export LD_LIBRARY_PATH=/vendor/bin/siliconlabs_host/:${LD_LIBRARY_PATH}

/vendor/bin/siliconlabs_host/mosquitto_pub -t 'zigbee/system/network-role/switch' -q 0 -m '{"role":"Repeater"}' -i whoami -D PUBLISH user-property reqClientId whoami

echo "Switch to Zigbee repeater mode, rebooting..."
reboot

mod-zigbee_repeater_pairing_mode.sh

#!/system/bin/busybox bash

export LD_LIBRARY_PATH=/vendor/bin/siliconlabs_host/:${LD_LIBRARY_PATH}

echo "Start Zigbee repeater pair mode!"

/vendor/bin/siliconlabs_host/mosquitto_pub -t 'zigbee/system/pair' -q 0 -m '{"pair":true}' -i whoami -D PUBLISH user-property reqClientId whoami -D PUBLISH payload-format-indicator 1 -D PUBLISH user-property reqSequence 1337

echo "Wait for 180sec"
sleep 180
echo "Done!"
px30_evb:/vendor/bin/siliconlabs_host # chmod +x mod-* -v                                                
chmod 'mod-debloat_nspanelpro.sh' to 100777
chmod 'mod-mqtt_listen.sh' to 100777
chmod 'mod-set_zigbee_coordinator_mode.sh' to 100777
chmod 'mod-set_zigbee_repeater_mode.sh' to 100777
chmod 'mod-zigbee_repeater_pairing_mode.sh' to 100777

From now on you could switch between modes and start pair mode.

If you wish to debug things, you could log the output of zgateway by patching line 49 in run.sh

/vendor/bin/siliconlabs_host/zgateway >> /data/vendor/siliconlabs_host/zgateway.txt &

@seaky could you try above on a firmware below v2.2.0?

seaky commented 5 months ago

Thx for the info, I'm gonna try I have some 1.4, 1.5 devices.

svanrossem commented 5 months ago

I've added all scripts in https://gitlab.com/svanrossem/sonoff-nspanelpro-scripts, sorry I'm a Gitlab user...

As an extra I've also added Zigbee turbo mode :rocket: .

@seaky when you're done with testing it is maybe an idea to add a extra screen in nspanel_pro_tools or something with those extra's.

rb0135 commented 5 months ago

Hi @svanrossem I went through your scripts and it seems to have worked perfect. I was able to put it into Repeater Mode and was able to pair it with the Zigbee Controller I have in Home Assistant.

I did get ehis error after the 180secs was up when pairing: /vendor/bin/siliconlabs_host/mod-set_zigbee_repeater_pairing_mode.sh: line 11: syntax error: unterminated quoted string

I noticed in your script, line 11 you missed the double-quote (") at the end of the echo "Done" line: echo "Wait for 180sec" sleep 180 echo "Done!

ozumado commented 5 months ago

I have tried this with 1.6.0 without any success, but once I updated to 2.2.0 it worked on the first try. Successfully paired to zigbee2mqtt as repeater.

seaky commented 5 months ago

I've just checked the fw1.6 and I compared to 2.2.0 and the zgetway indeed upgraded significantly. But I assumed that I can incorporte the zigbee binaries of 2.2.0 into nspanel tools app after I finished the v2.1

bobzer commented 5 months ago

once it's connected as a repeater, does it exposed stuff ? I enabled adb : is it risky to updated from 1.7 to 2.2 ?

svanrossem commented 5 months ago

once it's connected as a repeater, does it exposed stuff ? I enabled adb : is it risky to updated from 1.7 to 2.2 ?

If you've already rooted your device it is safe to upgrade to 2.2 using @seaky's tools. @seaky also reported to backport the Zigbee binaries https://github.com/seaky/nspanel_pro_roottool_apk/issues/3#issuecomment-1913643105.

seaky commented 4 months ago

once it's connected as a repeater, does it exposed stuff ? I enabled adb : is it risky to updated from 1.7 to 2.2 ?

If you've already rooted your device it is safe to upgrade to 2.2 using @seaky's tools. @seaky also reported to backport the Zigbee binaries #3 (comment).

i'm just wanted to inform you I started to incorporate this into my app. If I have a working copy would be great to share with you for testing. Could you contact with me at seaky77(the big G's proprietary email system)

CFenner commented 4 months ago

I used this to update my old 1.4 panel to have Zigbee router mode enabled now, thank you!

percy10442 commented 4 months ago

I used mod-debloat_npanelpro.sh, but the display became blank. Is there any way to help?

seaky commented 4 months ago

I used mod-debloat_npanelpro.sh, but the display became blank. Is there any way to help?

That is normal, u removed all app which prevents the deep sleep. So your device went to deepsleep. Just restart it and set display time to never or install other apps which is able to wake up the device.

EnergieZ commented 3 months ago

Hi all, Their is a new version 3.0 :) My nspanel pro is up to date (3.0).

If i configure zigbee as router, can i connect zigbee2mqtt with out rooting ? If yes, do you know wich port is expose and if their is any user/password ? Thank you for your help (I'm new to zigbee protocols).

seaky commented 3 months ago

Hi,

Internal mosquito port is 1889 username: user password: user123

EnergieZ commented 3 months ago

Do I need to root or install something ? Triing to configure zigbee2mqtt with, and still having error can't connect.

Cool you provide a configuration.yaml of zigbee2mqtt ? Thank's for your help

svanrossem commented 2 months ago

once it's connected as a repeater, does it exposed stuff ? I enabled adb : is it risky to updated from 1.7 to 2.2 ?

If you've already rooted your device it is safe to upgrade to 2.2 using @seaky's tools. @seaky also reported to backport the Zigbee binaries #3 (comment).

i'm just wanted to inform you I started to incorporate this into my app. If I have a working copy would be great to share with you for testing. Could you contact with me at seaky77(the big G's proprietary email system)

@seaky I've tried contacting you without any response, are you still working on this?

maodun96 commented 1 month ago

一旦它作为中继器连接,它会暴露东西吗?我启用了 adb :从 1.7 更新到 2.2 有风险吗?

如果你已经 root 了你的设备,可以安全地升级到 2.2,使用@seaky的工具。@seaky还报告了反向移植 Zigbee 二进制文件#3 (评论)

hello @svanrossem

Could you please let me know if the chip model of your NSPanel Pro is EFR32MG13p, and what is the version of it?

I have some S6 smart panels, and their mainboard is very similar to the NSPanel Pro, produced by the same manufacturer. I want to know if in the future updates of the nspanel_pro_tools, my smart panels will be able to have the related zigbee functionality. The zigbee chip on mine is printed as: EFR32MG13

Through the elelabs-zigbee-ezsp-utility, I found the status of my chip:

~/elelabs-zigbee-ezsp-utility $ python3 Elelabs_EzspFwUtility.py probe -p /dev/ttyS5 2024/05/31 16:34:27 Elelabs_EzspFwUtility: Generic Zigbee EZSP adapter detected: 2024/05/31 16:34:27 Elelabs_EzspFwUtility: Firmware: 6.5.5-176 2024/05/31 16:34:27 Elelabs_EzspFwUtility: EZSP v7

After flashing the NSPanel Pro OTA 3.0 upgrade package, these parameters have not changed.

Thank you.