AP config #966

Open: wants to merge 1 commit into base: development

kueblc
Collaborator

@kueblc kueblc commented Jul 28, 2021

This allows a Tuya device to pair with the tuya-convert AP without using EZ config
Device must first be in AP config mode "slow blink" vs the EZ config "fast blink"
Once connected to the IoT device's AP, running ./apconfig.py will bind the device to tuya-convert
./start_flash.sh can then be executed as normal, skipping the pairing process

@dachshund-digital

Cool, looking forward to it!

@AdriaanDeVos

Using this script helped me from:
No ESP82xx based devices connected according to your wifi log.
to
An ESP82xx based device connected according to your wifi log.
👍

@tauno

tauno commented Dec 11, 2021

Attempting to test this out but unclear on the steps. Is this correct?

  1. Put device in AP config mode (slow blink)
  2. On the tuya-convert machine, connect to the device AP
  3. Run apconfig.py
  4. Run start_flash.py

Do you need to modify start_flash to skip the pairing step?

@darkmattercoder

@kueblc I am a bit lost, too. The apconfig gives me some long number Sending 000055aa00000000000000010000003e7b2273736964223a227674727573742d666c617368222c22706173737764223a22222c22746f6b656e223a223030303030303030227d726cfc610000aa55

and nothing else. The start_flash.sh script then seems to still want to start the ap and cannot find any devices

@jonasbark

Thank you @kueblc - it works very well!

@jonasbark

if anyone stumbles upon this: the token needs to be the combination of the region (e.g. EU) + token + secret, as described in https://github.com/ct-Open-Source/tuya-convert/blob/master/scripts/smartconfig/smartconfig.py#L47
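
The "long number" that apconfig.py prints, quoted earlier in this thread, is a framed message whose body carries the ssid, passwd and token fields discussed here. The following is an added example, not code from this pull request or from any commenter: it decodes that exact frame. The field layout is inferred from the quoted bytes, and checking the trailer with zlib CRC-32 is an assumption.

```python
import json
import struct
import zlib

# Frame copied verbatim from the "Sending ..." line quoted in this thread.
PAGE_FRAME_HEX = (
    "000055aa00000000000000010000003e"
    "7b2273736964223a227674727573742d666c617368222c22706173737764223a22222c"
    "22746f6b656e223a223030303030303030227d"
    "726cfc610000aa55"
)

PREFIX = 0x000055AA
SUFFIX = 0x0000AA55
HEADER = struct.Struct(">IIII")  # prefix, sequence, command, length (inferred layout)
TRAILER = struct.Struct(">II")   # checksum, suffix (inferred layout)


def parse_frame(data: bytes) -> dict:
    """Split one datagram into header fields, body and trailer.

    Raises ValueError when the markers or the length field are inconsistent.
    """
    if len(data) < HEADER.size + TRAILER.size:
        raise ValueError("frame too short")
    prefix, seq, cmd, length = HEADER.unpack_from(data, 0)
    if prefix != PREFIX:
        raise ValueError("bad prefix")
    # In the quoted frame the length field counts body + checksum + suffix.
    if length < TRAILER.size or HEADER.size + length != len(data):
        raise ValueError("length field does not match datagram size")
    checksum, suffix = TRAILER.unpack_from(data, len(data) - TRAILER.size)
    if suffix != SUFFIX:
        raise ValueError("bad suffix")
    body = data[HEADER.size:-TRAILER.size]
    # Assumption: the checksum is zlib CRC-32 over header + body. A False
    # here may mean a different algorithm, not a corrupted frame.
    crc_ok = (zlib.crc32(data[:-TRAILER.size]) & 0xFFFFFFFF) == checksum
    return {
        "seq": seq,
        "cmd": cmd,
        "length": length,
        "body": body,
        "checksum": checksum,
        "crc32_matches": crc_ok,
    }


def decode_ap_config(frame: dict):
    """Return the body as a dict when it is plain JSON, else None.

    Bodies that are not readable JSON (for example encrypted ones) give None.
    """
    try:
        cfg = json.loads(frame["body"].decode("utf-8"))
    except ValueError:  # covers UnicodeDecodeError and JSONDecodeError
        return None
    return cfg if isinstance(cfg, dict) else None


def summarize(data: bytes) -> dict:
    """Report what an observer of the datagram can read without any key."""
    frame = parse_frame(data)
    cfg = decode_ap_config(frame)
    return {
        "cmd": frame["cmd"],
        "body_is_plain_json": cfg is not None,
        "ssid": cfg.get("ssid") if cfg else None,
        "passwd_is_empty": (cfg.get("passwd") == "") if cfg else None,
        "token": cfg.get("token") if cfg else None,
        "crc32_matches": frame["crc32_matches"],
    }


if __name__ == "__main__":
    for key, value in summarize(bytes.fromhex(PAGE_FRAME_HEX)).items():
        print(f"{key}: {value}")
```

The body of this frame is unencrypted JSON, so the SSID, Wi-Fi password field and token are readable by anything that receives the datagram.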

@Hervshahn

Hello @kueblc and all,

I ran into the same problem as @darkmattercoder.

Do I have to modify the Defaults section of the script apconfig.py, like replacing SSID "vtrust-flash" with the SSID of my Gosund device?

Also would I have to change the BIND ADDRESS and what should be entered here?

@MacSass

MacSass commented May 23, 2022

Yes - this sounds very interesting and might help to solve my issue, but would really be great if @kueblc could provide some more info / background on the steps required, because I also do not understand the full procedure ...

  • Do we need to make changes to the existing scripts?
  • Do we need to make modifications to your additional script?
  • What about the remark about the needed token? Is this required? Where?
  • How can your script bind the device to tuya-convert before starting start_flash.py, as the vtrust-flash AP is not running yet?

I'm a bit lost and your help would really be appreciated as I'm hopeful to be able to flash my last devices with that method finally ... thanks!

@Hervshahn

Looks like unfortunately the developer is not actively monitoring this space anymore :-(

@kueblc
Collaborator Author

kueblc commented May 28, 2022

No additional script or config modifications should be necessary. @tauno has the correct procedure.

  1. Put device in AP config mode (slow blink)
  2. On the tuya-convert machine, connect to the device AP
  3. Run apconfig.py
  4. Run start_flash.py

At the point where start_flash asks you to put the device into EZ config mode and press enter, you can just press enter, as the device has already been configured with AP config.

The purpose of the apconfig.py script is to configure the IoT device over its own AP. After running the script, the device will store the network config and stop broadcasting its own network. It will then repeatedly attempt to connect to vtrust-flash. At this point, running the start_flash script as normal will create the vtrust-flash network and allow you to proceed with flashing.

Please let me know if there is anything else I can clarify.

@kueblc
Collaborator Author

kueblc commented May 28, 2022

I should also note that connecting a third device is not necessary, since that is only to facilitate EZ config.

@MacSass

MacSass commented May 29, 2022

thanks a lot @kueblc for the clarification.
I will try that today or tomorrow and report back. That would be a nice enhancement to make everything more "robust".

@MacSass

MacSass commented May 30, 2022

Wow @kueblc !!!
I had 5 plugs of which I could only flash two with default tuya-convert, three obviously identical ones always had the issue that they would not connect back to the vtrust-flash AP.
I tried all the workarounds and issues I could find (different name of network service, etc.) - nothing worked. In the end I even broke one open and serial flashed it ...

Yesterday I tried apconfig.py and "bingo" - it worked right away for my remaining two devices (the second on first run of start_flash showed a timeout within 1s, re-running it worked perfectly).

For me this method of connecting "manually" and using apconfig.py seems much more robust than the "automatic" way and should be integrated into tuya-convert.

Thanks @kueblc for making your work available to us!

@Hervshahn

Thanks a lot, this is great feedback! I had flashed my two devices meanwhile using a USB-TTL adapter but will use apconfig.py for the next couple of devices as well

@kueblc
Collaborator Author

kueblc commented May 30, 2022

Thanks for reporting back @MacSass, I'm very happy to hear it worked well for you

@chaudhryfaisal

hi everyone, I ordered following from Amazon and I am not able to get it to flash.

  1. Press and hold the power button, light start to blink
  2. I don't see any AP to connect to so assume plug is not creating any AP so not able to run appconfig.py
  3. ran ./start_flash.sh but with no success

I wouldn't mind opening them to flash but it seems like there is no way to open this either

Any suggestions ?

@MacSass

MacSass commented Jun 3, 2022

Make sure you have your device on „slow blinking“, only then you get an AP to show …

I need to hold the button for my device, then it goes to fast blink, then I need to hold button again until it changes to slow blinking…

@chaudhryfaisal

here is videos of what it does https://www.veed.io/view/5877f0b6-85c2-4064-86ab-45a97e5bcbc0

as soon I let the button go it reboots and starts blinking fast. I never see additional AP created
I only have vtrust-flash which is created by running ./start_flash.sh

@MacSass

MacSass commented Jun 7, 2022

Hmm, as per https://support.tuya.com/en/help/_detail/K9hut3w10nby8 doing a second "hold button" when device is blinking fast should take you to the "led blinking slow" = AP mode.
That worked for me - I don't have any unflashed devices anymore right now - so I'm afraid I can't help.
When I had gotten my devices in slow blink AP mode, I could see the wifi on my mobile (I think the name was including something like "smart device" or so ...)

@montyx99

montyx99 commented Aug 13, 2022

When I run the apconfig.py my gosound sp1 device is turning OFF. What can cause this issue? Thanks

@floxboy

floxboy commented Sep 5, 2022

where can i get appconfig.py? I don't see it in tuya-convert folders

@kesselborn

> where can i get appconfig.py? I don't see it in tuya-convert folders

this pull request is not merged yet, you need to use the version from https://github.com/kueblc/tuya-convert/tree/ap-config

@kueblc
Collaborator Author

kueblc commented Sep 13, 2022

> When I run the apconfig.py my gosound sp1 device is turning OFF. What can cause this issue? Thanks

@montyx99 it will appear to "turn off" once it has successfully paired.

@preese

preese commented Mar 5, 2023

Might this thread still be alive, even after the commit?

I've tried this approach with several TopGreener TGWF115PQM plugs. No luck. (Yes the dreaded 4 pack from Amazon)

My experience is that I get the plug in AP mode and the host gets a 192.168.175.100/24 wlan address, from the plug.
I run the apconfig.py script and the long number shows on the screen but no change to the wlan IP, yet.
Next, I run start_flash.sh, and shortly hit Enter, it gives out a 10.42.42.1/24 address for the wlan now.
But the dance starts and continues with the Resending refrain.
Eventually, I'm left with a wlan ip in the ever popular space of 169.254.148.1/16.

Seems the formerly solid tuya-convert wins of the TopGreener plugs no longer work for us hobbyists even after the VERY helpful work on the general issue by kueblc!

@kueblc
Collaborator Author

kueblc commented Mar 7, 2023

@preese could you share your logs? I'm curious if the AP config succeeded and then failed at the provision stage.

@preese

preese commented Mar 7, 2023

Here is the log. I'm using a RPI4 with fresh build from RPI Imager, 64bit and then tuya-convert+apconfig.py. This is a fresh trial today, with the same results. I have logs from before this point in time but thought this covers the issue. Let me know if earlier logs would help.

Failed-apconfig-tuyaconvert-TopGreenerplug.txt

@kueblc
Collaborator Author

kueblc commented Mar 8, 2023

@preese have you retained the logs from the tuya-convert directory? smarthack-web.log may be of particular interest.

Recent reports have suggested that newer releases of RPi OS are not working as intended. You may want to try an older release (Buster). I have not been able to verify this myself.

@preese

preese commented Mar 8, 2023

Not much progress. I did go back to a RPI OS based on Buster, and ran through all the steps a few times with similar results as before.

A few tech points to be clear on.

  1. I have the RPI on an enet connection and am using its WiFi for these tests while still logged in via enet.
  2. When start-flash starts up, it asks to terminate dnsmasq service, I assume should be answered with 'Y'
  3. Similarly, it wants to stop mosquitto, again I assume 'y'.
  4. No ufw found
  5. I never manually connect my phone to the vtrust-flash SSID.
  6. I turned BlueTooth off to try to minimize the logs.

In general is it better to run it on separate hardware, RPI, or use the more standard Docker version with small tweaks to config.txt file?

Thanks for your persistence in looking into the issue! Sent you some Coffee!

Large log file and concatenated smarthack-xx files below:
RPI-Buster-TuyaCon-logs-fail.txt

all-smarthack-logs.txt

@kueblc
Collaborator Author

kueblc commented Mar 9, 2023

Hi @preese, thank you very much for the coffee!

Your process looks absolutely fine to me. Connecting over ethernet is the way to go in your setup. We stop dnsmasq and mosquitto to free up the ports for our own configuration. You will not need to connect your phone if using AP config. Keeping other wireless radios off for clean logs is a great idea.

As far as whether to use your own hardware, a RPi, or Docker is mostly a matter of preference. I personally run this directly on a standard laptop running an Ubuntu based distro. I don't have an RPi available and the Docker version was a community addition.

From your logs it seems the process is failing between the AP config and the server provisioning. I do not see any attempts from the device to connect to your AP or the web server.

After you put the device into slow blink mode, you were able to connect to its AP, so we can affirm that it does permit AP config. Does the device "click" or make any other observable changes when the AP config script is run?

It might be that this device is not an ESP82xx (we can check the MAC address). Or it could be that the firmware has been patched to prohibit aspects related to tuya-convert, like its SSID or password (we could try tweaking these).

EDIT: Unfortunately it looks like it may be likely that this device is not an ESP82xx. You may have gotten lucky with an old batch, so it is still worth checking the MAC address you get when connecting to the device or opening the device to inspect the chipset.

@preese

preese commented Mar 9, 2023

@kueblc I think you've hit the nail on the head, or is it put the last nail in the coffin! One MACADDR from the new set of four is 38:1f:8d:9f:4a:02. In my google searches this doesn't seem to be in any of the ESP82xx MAC ranges. Plus your link to the blakadder page suggests similar info about these TopGreener plugs. Let's call this one done.

I do appreciate your work on the project and in this particular question specifically.

In broader searching, I've run across this site: https://cloudfree.shop/ They offer several openHAB/HomeAssistant type device options pre-loaded with Tasmota. Including their own 15A plug, as well as Sonoff's S31 plug. Their prices are slightly higher than Amazon and no free shipping. However, just being able to directly use the device rather than poke around for a number of hours seems to offset the higher price. Shipping can be first class USPS, which comes pretty fast and was modest in cost, $5 for four plugs.

@kueblc
Collaborator Author

kueblc commented Mar 9, 2023

Bummer, sorry to hear these plugs can't be cut off the cloud! Glad to help diagnose anyway and I appreciate your support and kind words.

A while back I had considered trying to set up my own shop of cloudless IoT back when that was unheard of, glad to see there are more options popping up. Like you say, it might be worth a marginal cost for the convenience and security of getting exactly what you're looking for. I might still consider it if there's demand / room for competition. Wouldn't want there to be any (appearance of) conflict of interest with this project though!

@bugsyb

bugsyb commented Jul 4, 2024

Hi All and special thanks to all behind the tuya-convert and @kueblc .

This is about the new Gosund SP111 marked as 3680W which are resistant to standard tuya-convert.
Trying with your ap-config, I've noticed that it prompts the plug to try to connect to my IP (.3):

19:38:45.981668 IP 192.168.175.3.40724 > 255.255.255.255.6669: UDP, length 78
19:38:56.470147 IP 192.168.175.1.49154 > 192.168.175.3.6667: UDP, length 108
19:38:57.475243 IP 192.168.175.1.49154 > 192.168.175.3.6667: UDP, length 108
19:38:58.481261 IP 192.168.175.1.49154 > 192.168.175.3.6667: UDP, length 108
19:38:59.489613 IP 192.168.175.1.49154 > 192.168.175.3.6667: UDP, length 108

And it does it at least a couple of times after running ap-config.py.

It does not stop its own AP and it does not try to connect to our AP.

I can take a dump of its firmware if needed, as if I'm not successful with tuya-convert I will then program via serial.

Full dump of these packets:

@bugsyb

bugsyb commented Jul 4, 2024

Additional interesting finding, as by accident, I left tuya_discovery.py running, a bit modded, to not ignore same IP again and dumping json data package.
This did spit out below:
Legend:

  • 192.168.175.1 - is the IP of Tuya SmartAP-...
  • 192.168.12.26 - that subnet and IP was never configured at my end though it was dumped most likely when adding Tuya plug from Tuya/Gosund app keeping plug in the very same AP mode and pre-configured with ap-config.py. Not sure how, but hope it helps somehow. After further investigation it seems it is the device running Tuya app, which sent these packets - hopefully this helps.
192.168.175.1 
192.168.12.26 {"ip":"192.168.12.26","gwId":"7550104234987af918a2","active":2,"ability":0,"mode":0,"encrypt":true,"productKey":"37mnhia3pojleqfh","version":"3.3"}
{'ip': '192.168.12.26', 'gwId': '7550104234987af918a2', 'active': 2, 'ability': 0, 'mode': 0, 'encrypt': True, 'productKey': '37mnhia3pojleqfh', 'version': '3.3'}

I have full packet captures if required from the made-up Access Point which was given as the one to which the Gosund was to connect.
