Tuya cloudcutter tutorial. The tear-down process was straightforward, and I documented it with photos for reference. bin. Includes Home Assistant Add-On setup. Using cloudcutter means that you will NO LONGER be able to use Tuya's apps and servers. I either cut the power to the light, or just restart the HA server I go back to the bulb in the dashboard and the power indicator is greyed out I re-cloudcutter the bulb and it assigns it a new device ID and local key I bought in 2021 a wifi smart plug from a french vendor, Konyks : Unboxed : It is yet another Tuya device. See for example this teardown or this one. That is the OS unable to connect, not CloudCutter, there is nothing that can be changed in the way it connects. com/2023/04/10/tuya-cloudcutter-with-esphom tuya-cloudcutter is a tool that disconnects IoT devices from the Tuya cloud, while also allowing remote firmware flashing. Come chat and hang out with us while we attempt to do some live cloudcutting and load ESPHome on a few devices. Users share insights on disassembling the device, with tips on locating and releasing the housing clips. The vulnerability Disabling cloud connection & running locally. Any alternative measurement suggestions?. Btw, I think you can actually post all of these dump packs in one issue. First time trying to use cloudcutter or work with the tuya BK modules. Currently, there's no other way to use it. Plenty of tuya devices are actually cheaper to buy than try build yourself, being 'dirty cheap' is pretty their whole market share Note: since version 1. I connect it into HA with Local Tuya and it works fine. I did my first mini smart switch last night. Users emphasize the importance of verifying the actual chip on the PCB, as Tuya-cloudcutter provides a method to change the firmware of BK7231 device via WiFi, without the need to open device case and solder wires. com I've just flashed esphome on it using the tuya-cloudcutter exploit. 21 but mine is 1. sh command with sudo stopped me from having to reenter my user password; ONLY DO ONE DEVICE AT A I successfully flashed my BK7231N water leak detector using Tuya Cloudcutter with the configuration file BK7231N_TuyaConfig_obkE158665D. Be absolutely sure that you are never going to use them again! Additionally, please be aware that this software is experimental and provided without any guarantees from the authors strictly for peronal and educational use. I do not think that for this device there is a device pr Yes. It creates a "SmartLife-C531" AP, i've even checked and even my phone sees the SmartLife AP, but cloudcutter it keeps scanning for SmartLife APs. 0 of this tool, the --no-verify-checksum argument is not needed (even for BK7231N). Run Tuya-CloudCutter choosing no when requested to kill the service at port 53, let it build the docker image, then select your device mfg/make/firmware version, You can also import CloudCutter device data directly in OpenBeken web app, see youtube tutorial and article. At the point you receive an A-SSID prefix on the device, it is officially cut and will no longer connect to Download the tool herehttps://github. conf then add line denyinterfaces wlan0; I’ve only helped with bin dumps for a couple of tuya devices. It can be done now: How To Guide - Tuya CloudCutter with ESPHome Libretuya - No soldering | digiblurDIY. 8 Running 2578685 970766 Smart Plug CB2S does not result in a successful exploit. 21 which is not in the list of tuya cloudcutter. com sudo . But once the authors of the projects release a tutorial for profile building and a stable script for building, it Download the tool herehttps://github. kaczmarek2 kindly added to his program. Today, I’ll guide you through the process of wirelessly flashing Tuya IOT devices with ESPHome firmware using Tuya Cloudcutter. and strugeling to get it working again. 65 subscribers. I recommend trying it first for easier flashing. 0264 S/N: 13302112288aae|z That whole wireless daughter The only file you should need to run is build_profile. - tuya-cloudcutter/common. I shared the pinout details and calibration process, but I'm concerned about the high internal temperature readings. UPDATE (September Load up your Beken based chipset devices with ESPHome and Home Assistant #GYSOOTC - https://digiblur. To Run cloudcutter on BK7231 ESPHome/LibreTiny + Tuya-Cloudcutter - tutorial - Cloud-free, firmware for Home Assistant. [Tutorial] Flashing OpenBK via OTA using tuya-cloudcutter 13 Dec 2022 16:50 (37) The discussion revolves around flashing OpenBK firmware via OTA using the Tuya Cloudcutter tool. 17) and suggest alternative methods, including using a USB to TTL converter and jumper cables. Would be great if the check for port 53 could be added to this tool. In this guide I am using an Australian DETA 6922HA-Series 2 Double Power Wall outlet. This is the first step and one of the most important for profile building. At that stage, you can leave CloudCutter running, and put the device back into either fast or slow blink mode, then use the SmartLife app to connect to the cloudcutterflash ssid with the password abcdabcd and it should pick back up. sh -r -w wlan0 -s -v; put mini switch in AP mode (slow blinking) script -> finds the AP and setting up wlan0 -> Running initial exploit toolchain; device freezes and have to wait till its free to set it in AP mode again; A tool that disconnects Tuya IoT devices from the cloud, allowing them to run completely locally. The format is Manufacturer-Name_Model-name-and-number---with---dashes-Device I recently flashed my Denver SHP 102 Smart Plug using Tuya Cloudcutter without opening it. The available DPIDs are in the profile at https: Trying to flash a tuya KMC-30407 which p. 5. I successfully flashed my BK7231N water leak detector using Tuya Cloudcutter with the configuration file BK7231N_TuyaConfig_obkE158665D. sh script from tuya-cloudcutter before attempting to use this script though, otherwise when the cloudcutterflash AP is started, the devices never connect. It also helps me keep track of which ones have been completed. Device: LSC Smart Plug, 970766 This device is running version 1. I also found that another clone already had a profile in tuya-cloudcutter, branded Nous A1. Not really an issue, but could help with building profiles in batch. Previous reports on these bulb Tuya CloudCutter Exploit for Beken Chips Therefore, we would like to make it clear that there’s likely little to no impact for the average user. Reload to refresh your session. Furthermore, I’ve added a custom ESPHome YAML tailored to It can be done now: How To Guide - Tuya CloudCutter with ESPHome Libretuya - No soldering | digiblurDIY. In this guide I am using an Australian DETA 6922HA-Series 2 Double Power This is quick guide for flashing custom firmware to your tuya devices running on beken chip via ota. Several participants report challenges in flashing the device using Tuya Cloudcutter OTA due to firmware limitations (version 1. Additionally, I’ll show you how to use Itchiptool to extract pin configuration for the ESPHome YAML, enabling integration with Home Assistant for local control. !!! Hi man - love your videos! I haven't embarked on this yet - but have some questions. I tried this twice, constantly getting: [!] The profile you selected did not result in a Nope, you can't brick it that way, it's just that it's reliant on Tuya's network connection logic, which isn't the greatest. Tried a couple of other versions without success. CloudCutter resets the keys each exploit, when successful, but fails to do so if not successful, which is when you see errors. After a few searches I found it has many clones. Read it used to run tuya version 1. Today i start working on a different device. more. You switched accounts on another tab or window. i did use it to flash OpenBK7231 yesterday into devices. 3 button switch https://amzn. It uses WB3S - WB3S Module Datasheet-Tuya IoT Development Platform-Tuya Developer. That's kinda the whole point though; the goal is to cut the cloud connection, ditch any vendor-specific apps, and The documentation states: The downside to this test is that it won't tell you if the device is BK7231 based or not, since it seems that RTL87{1,2}0 devices are also exploitable but so far no work has been done to support them. SSH back into the RPI do the following steps to prepare for Tuya-CloudCutter. Has there been any progress on flashing custom firmware into exploited devices? If I knew where to start, I'd suggest writing it as a Node-Red flow? s You signed in with another tab or window. /tuya cloudcutter. Also, it doesn't help that SmartLife expects the 'connect command' to come from a phone to connect to an already running wireless network, but CloudCutter can't do that, it has to switch between, and different versions of Tuya's firmware I don't know much about Tuya-cloudcutter, but it seems that your WiFi dongle does not support the AP mode. I share my flashing process and tips for setting it to long blink mode for successful installation. As the name implies, Tuya CloudCutter cuts the cloud connection to the device, so any previous cloud based services will no longer work. The device appears in home assistant, but I can just control raw PWM/i2c pins. com/tuya-cloudcutter/tuya-cloudcutterBefore using the script, you need to verify your device tuya-firmware versionand do I have succesfully cloudcut my smart socket (no flashing yet, just cutting), and the cloudcutter set some random 20-chars deviceid. Install Network Manager (only reboot once all files are in place) sudo apt update && sudo apt install network-manager; sudo nano /etc/dhcpcd. The only firmware we have for this device is 7. Separate issues is actually better for if we ever use the github_issues value we're setting. I also shared my experience with flashing the BK7231N chip and the challenges faced in configuring dp_ids. Any alternative measurement suggestions? Introduction. . This repository contains the toolchain to exploit a wireless vulnerability that can jailbreak some of the latest smart devices built with the bk7231 chipset under various brand names by Tuya. I am now trying to use it with tinytuya and tuya-local, but they both fail to communicate with the device and I believe I know why: No, you pretty much can't brick these devices without a lot of effort. Ensure that the MCU is hooked up to a UART bridge such that: This occasionally happens. Here's a Tuya-cloudcutter supported devices list, brought to you by Here is a detailed guide on how to Open Bekenize/flash the new Tuya chips with OpenBK7231T. Has there been any progress on flashing custom firmware into exploited devices? If I knew where to start, I'd suggest writing it as a Node-Red flow? s check the version number and use the according version number during the cloudcutter process Fyi: with two devices I can confirm that the T/N annotation was correct in tuya cloudcutter regarding choosing the right firmware for the right chip, but can't tell whether this experience is I recently flashed the firmware on my Lumary 201202 RGB-CCT Controller (BK7231T - WB3S) using Tuya-Cloudcutter. 3. com/tuya-cloudcutter/tuya-cloudcutterBefore using the script, you need to verify your device tuya-firmware versionand do Here is a detailed guide on how to Open Bekenize/flash the new Tuya chips with OpenBK7231T. 0. Tuya Cloudcutter This repository contains the toolchain to exploit a wireless vulnerability that can jailbreak some of the latest smart devices built with the bk7231 chipset under various brand Download the tool herehttps://github. This is a great opportunity for Cutting keeps the existing Tuya software/operating system on your device and lets you use the original functionality, with the exception that it will no longer connect to Tuya's Yes, CloudCutter completed successfully with no errors at all which is why I was confused. Hi i teardowned my LED Bulb and I dump firmware with bk7231tools and try make profile but i understand There is no good guide to make i try used this help to make profile with this topic, but i can I use cloudcutter on the bulb and get the device id and local key. 0, and there is no update available for it. Firstly, once it's "cloud cut" my guess is that you can't use the native tuya or smartlife apps, right? I have spent 3 days cutting 5 Arlec PC191HA power plugs from HA LocalTuya using cloudcutter on a RasPi 4. 15K views 1 year ago. Added to CloudCutter as Tuya Generic QS-WIFI-S10-C04 Curtain Module v2. If you have devices that are just impossible to do teardown without damaging it then this is The discussion revolves around flashing OpenBK firmware via OTA using the Tuya Cloudcutter tool. 1. Here are my findings and pin configurations for the device. This prevents them from The discussion revolves around flashing OpenBK firmware via OTA using the Tuya Cloudcutter tool. It is recommended to remove that argument, to ensure that the captured dump is valid. AP mode is from either device is not very strong. to/3okTqsZ , iH Make sure the target device and device running CloudCutter are near by each other. Here are some similar models: Aliexpress: tuya smart life wifi Smart Energy Meter Hi all, thanks for the great software. I have a p Also, I still have to use the setup_checks. This means that it cant' create it's own WiFi network, Guide for WiFi Flashing of OpenBeken for Tuya Generic Power Strip ZLD-44EU-W - step by step tutorial Hi, Just got a new GU10 RGBW LED spot from MOES WB-TD5-RWW-GU10-MS. py, all other necessary scripts will be called from that script, and will properly guide you through making a complete and usable profile, should all necessary data be present. Still need to tweak the yaml to add the switch button, but it now has a basic config and can now be updated over the air. You will need a Windows OS computer and a USB-to-Serial converter to complete this this. Hello I have two ceiling lights (220V, 48W, dimmable CWW) but they are over Tuya so not reliable amongst other things and I was wondering if it would be possible to flash it and connect it to ESPHome, I took ot apart and found the wireless chip it has this information written on it Model: CBU P/N: PC9. Users emphasize the importance of verifying the actual chip on the PCB, as Tuya has been known to ship devices Your Raspberry Pi is now ready to be used with Tuya-Cloudcutter and also functions as the LibreTiny ESPHome Dashboard to manage the devices until it is merged into the regular version of ESPHome. But, I only get zeros on the second uart {with flag 26 set to 1} Has anyone working BL0942 on UART2 ? The module is a CBU (BKT7231N) Lightleak is used together with the Cloudcutter Android application. The first device I tried flashing was using LibreTuya/ESPHome which failed, so on the second I just UPDATED GUIDE - It just got 10 times easier to cut your Beken based chipset devices with ESPHome LibreTiny and Home Assistant #GYSOOTC - https://digiblur. This doesn't have any GPIO configured, so may indeed mostly be TuyaMCU, in which case I'm not certain how that maps for a curtain device. There is no Tuya Chip. 21 (checked before I started). I recently explored the TUYA PC473 3-Phase Energy Meter, detailing its two-way metering capabilities and insights on the CB3S module. Additionally, you need a device (ESP32/ESP8266/BK7231 or RTL8710B with LibreTiny) to serve as a dummy Wi-Fi Access Point - hereinafter referred to as CustomAP device. I'm using a raspberry pi 3B and followed your installation instructions. This means you can flash ESPHome without even disassembling it. 01. 151. I've made several attempts on this device. There are no controls for turning the light on !!! tip See the Cloudcutter video guide for a complete tutorial on flashing with Cloudcutter and installing LibreTiny-ESPHome. You signed out in another tab or window. BL0942 on UART1 working good. You signed in with another tab or window. This will be configured and used by the Android app throughout the process. Before you begin, you must name your file to match a specific pattern. Are there plan You signed in with another tab or window. Here's a few flash dumps I took from this device using bkwriter (and uartreader), tried both in factory state and after joining a test network (with internet access), UPDATED GUIDE - It just got 10 times easier to cut your Beken based chipset devices with ESPHome LibreTiny and Home Assistant #GYSOOTC - https://digiblur. I recently flashed a Mini Smart Switch with the T34 (BK7231N chip) and learned the hard way about Tuya-Cloudcutter. com/tuya-cloudcutter/tuya-cloudcutterBefore using the script, you need to verify your device tuya-firmware versionand do Tuya-cloudcutter is a tool that allows you to flash BK7231 via WiFi, just like tuya-convert allowed to do it with ESP8266. PRETTY_NAME="Raspbian GNU/Linux 10 (buster) As kuba2k2 mentioned, Tuya sometimes uses BK7231S internally in their SDK to reference BK7231T, they are the same. sh at main · tuya-cloudcutter/tuya So i flashed a couple of the tuya devices with cloudcutter and it's been working great, but only this specific Tuya Generic 3 Gang light switch one isn't connecting. It got an "A-" AP, so I guess that means it has been "cut"? This is a TreatLife SL-10 RGB bulb, which Tuya app showed as version 1. I can confirm that this profile works on this device too: I recently flashed my Denver SHP 102 Smart Plug using Tuya Cloudcutter without opening it. Here we describe how to use tuya-cloudcutter to jailbreak Tuya IoT devices by replacing their security keys. kuba2k2. This thing goes by a few names, the model I got comes with a WB3S module, UART1 is connected to the main MCU, they communicate using the Tuya MCU protocol. Users emphasize the importance of verifying the actual chip on the PCB, as Tuya has been known to ship devices with incorrect labels. The things i have learnt so far: use the LITE version of Raspberry Pi OS - it wont work on the Desktop version; prefixing the tuya-cloudcutter. emlnefg uek tblmnd ogvzoq plagini hncfe csb syvokm mzylg kzlpdx