tuya-cloudcutter / lightleak

Firmware version-agnostic PoC exploit for smart devices

TreatLife SK50 Smart Plug - Can't Receive Packets #4

Open IeSTrErCHiAlIoLf opened 1 year ago

IeSTrErCHiAlIoLf commented 1 year ago

Hello. When trying to grab a dump from a TreatLife SK50 plug, I get a "Can't receive packets" error. I added the plug to SmartLife and can see it's on 1.0.6 firmware. Are there other steps I can try? It has a WB2S chip, at least the one I cracked open did.

[Screenshot attached: Cloudcutter]

kuba2k2 commented 1 year ago

Did you run the process with "unconfigured" state?

IeSTrErCHiAlIoLf commented 1 year ago

Yes I did

kuba2k2 commented 1 year ago

Okay, do the following:

IeSTrErCHiAlIoLf commented 1 year ago

I followed these steps exactly and tried multiple times to be certain. No errors were seen at all, green check marks all the way along.

The device does not keep blinking forever; it stops blinking after a couple of minutes. After waiting several minutes, once the device has already stopped blinking, clicking "read flash" gives that same "couldn't receive packets" error, as expected.

kuba2k2 commented 1 year ago

This can only mean that 1.0.6 firmware is built with a newer, post-disclosure SDK, which means it's patched and not exploitable by either Lightleak or Cloudcutter. We haven't seen any patched firmware yet, so if you could dump this device by UART, it would be highly appreciated.

IeSTrErCHiAlIoLf commented 1 year ago

That is odd; these devices are pretty old. I got them in August of 2020.

kuba2k2 commented 1 year ago

Did they get any firmware OTA update? Or were they at 1.0.6 from the factory?

IeSTrErCHiAlIoLf commented 1 year ago

I did not update any firmware. That was the version number as soon as they were connected. Unless there was a very fast silent update somewhere behind the scenes or something, but it was only connected to the smart life app for a minute or two in order to get the version number.

IeSTrErCHiAlIoLf commented 1 year ago

[Screenshot attached: Settings]

I was hoping this was a good sign, it definitely seemed to connect to the device, but no dice

kuba2k2 commented 1 year ago

If it doesn't disable AP timeout and the device stops blinking, it means the exploit doesn't run. Usually, when the exploit doesn't run, the device freezes or reboots instantly. In your case, it looks just as if the device ignored all exploit packets completely.

IeSTrErCHiAlIoLf commented 1 year ago

I am not sure if you want another issue opened, or just comments here, but the exact same behavior is happening on some TreatLife SL20s now. I pulled a couple out of production and tried to flash them using cloudcutter the same as I had last week on other matching bulbs. That failed, and I got the "profile you selected did not result in a successful exploit." error. So I tried to grab a bin using lightleak, and am having the exact same behavior.

These bulbs seem to be on V3.3.35

Cossid commented 1 year ago

3.3.35 indicates they might actually be ESP as opposed to Beken.

You can verify by putting them in AP mode, getting the BSSID (MAC address) and doing a lookup. If it comes up as "Tuya Smart Inc", it is likely Beken. If it comes up as not found, subtract hex 0x2 from the first octet, and it will probably come up as Espressif Inc.
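The OUI check described in the comment above, as an added example that is not part of this thread or of the lightleak project: it derives the lookup candidates for an AP-mode BSSID (the raw OUI, then the OUI with the locally-administered bit 0x02 cleared from the first octet, which is what "subtract 0x2" does when that bit is set) and matches them against an OUI table. The table here is a constructed one-entry sample (5C:CF:7F is an Espressif OUI); for real use substitute the IEEE OUI registry.

```python
"""Derive OUI lookup candidates for a device's AP-mode BSSID.

Some SoftAP implementations set the locally-administered bit (0x02 in the
first octet) on their AP MAC, so a registry lookup on the raw BSSID misses.
Clearing that bit recovers the manufacturer-assigned OUI.
"""
import re

LOCALLY_ADMINISTERED = 0x02

# Constructed sample table (assumption). Replace with the IEEE OUI registry.
SAMPLE_OUI_TABLE = {
    "5C:CF:7F": "Espressif Inc",  # Espressif OUI commonly seen on ESP8266
}


def parse_mac(mac):
    """Parse 'aa:bb:cc:dd:ee:ff' or 'aa-bb-cc-dd-ee-ff' into six ints."""
    parts = re.split(r"[:\-]", mac.strip())
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9A-Fa-f]{2}", p) for p in parts):
        raise ValueError("not a MAC address: %r" % mac)
    return [int(p, 16) for p in parts]


def oui(octets):
    """Format the first three octets as an upper-case OUI string."""
    return ":".join("%02X" % o for o in octets[:3])


def oui_candidates(bssid):
    """OUIs to look up, in order: raw, then with the local bit cleared."""
    octets = parse_mac(bssid)
    candidates = [oui(octets)]
    if octets[0] & LOCALLY_ADMINISTERED:
        # Clearing the bit is the same as subtracting 0x2 when it is set.
        cleared = [octets[0] & ~LOCALLY_ADMINISTERED] + octets[1:3]
        candidates.append(oui(cleared))
    return candidates


def identify_vendor(bssid, table=SAMPLE_OUI_TABLE):
    """Return (matched_oui, vendor) for the first candidate found, else None."""
    for cand in oui_candidates(bssid):
        if cand in table:
            return cand, table[cand]
    return None
```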

IeSTrErCHiAlIoLf commented 1 year ago

Vendor not found in either case.

IeSTrErCHiAlIoLf commented 1 year ago

If it helps at all, I added a system dump of the SK50 here pulled using BK7231Flasher