From f025a0062d17663dbbb94ae39d88a00f227a4de3 Mon Sep 17 00:00:00 2001 From: Eyal <109809+eyal0@users.noreply.github.com> Date: Sun, 29 Jun 2025 18:02:40 -0600 Subject: [PATCH] Improve the documentation about how to enter AP mode. (#815) This unifies the instructions so that they will be consistent and correct across the various tools and docs. --- INSTRUCTIONS.md | 4 +++- common_run.sh | 2 +- proof-of-concept/test_device_exploitable.py | 7 +++++-- 3 files changed, 9 insertions(+), 4 deletions(-) diff --git a/INSTRUCTIONS.md b/INSTRUCTIONS.md index 4ac16da..b944c3a 100644 --- a/INSTRUCTIONS.md +++ b/INSTRUCTIONS.md 
@@ -31,7 +31,9 @@ Knowing this, you can run `sudo ./tuya-cloudcutter.sh` without any parameters. T * You can specify the device profile name using `-p my-device-name`; otherwise an interactive menu will be shown. * **If your SSID and/or password have special characters like $ ! or @, make sure to pass them with ' characters, e.g. 'P@$$W0rD!'. If it has the ' character then also make sure to escape that, with bash that'd be `'P@$$W0rD!'"'"' 1234'` to use the password `P@$$W0rD!' 1234`** **Optionally run with parameter -r to reset NetworkManager connections, which may help with some wifi adaptors ( sudo ./tuya-cloudcutter.sh -r -s )** * If you wish to set a custom deviceid or localkey, prepend these parameters like so: `sudo ./tuya-cloudcutter.sh -d 20characterdeviceid -l 16characterlocalkey -s `, Note, localtuya in homeassistant currently requires unique deviceid to work. -* When instructed, put your Tuya device in _AP Mode_ by toggling it off and on again 6 times, with around 1 second in between each toggle. If it's a light bulb, it will blink _slowly_. If it blinks _quickly_, power cycle it 3 more times. +* When instructed, put your Tuya device in _AP Mode_. This can usually be accomplished by either: + * Toggling it off and on again 6 times, with around 1 second in between each toggle. If it's a light bulb, it will blink _slowly_. If it blinks _quickly_, power cycle it 3 more times. + * Long pressing the power/reset button on the device until it starts fast-blinking, then releasing, and then holding the power/reset button again until the device starts slow-blinking. * The script will automatically connect to your light (assuming it creates a "SmartLife-*" SSID. If not, let us know.) and run the exploit that replaces the security keys (now it can't connect to the cloud anymore) * The exploit freezes the light. 
It will reboot back into AP mode if left alone, and you can speed this up by power cycling it yourself one time * The script will start up an access point of its own called "cloudcutterflash", using your WiFi adapter diff --git a/common_run.sh b/common_run.sh index ee4b908..c8e55e5 100755 --- a/common_run.sh +++ b/common_run.sh @@ -66,7 +66,7 @@ else echo "================================================================================" echo "Place your device in AP (slow blink) mode. This can usually be accomplished by either:" echo "Power cycling off/on - 3 times and wait for the device to fast-blink, then repeat 3 more times. Some devices need 4 or 5 times on each side of the pause" - echo "Long press the power/reset button on the device until it starts fast-blinking, then releasing, and then holding the power/reset button again until the device starts slow-blinking." + echo "Long press the power/reset button on the device until it starts fast-blinking, then release, and then hold the power/reset button again until the device starts slow-blinking." echo "See https://support.tuya.com/en/help/_detail/K9hut3w10nby8 for more information." echo "================================================================================" echo "" diff --git a/proof-of-concept/test_device_exploitable.py b/proof-of-concept/test_device_exploitable.py index ed1e630..3e06ff4 100644 --- a/proof-of-concept/test_device_exploitable.py +++ b/proof-of-concept/test_device_exploitable.py 
@@ -49,7 +49,10 @@ def check_valid_payload(value): print("This script will attempt to help you lower the chances of prying open a device that won't be exploitable") print("However, it's not 100% foolproof either, there are more devices that are vulnerable which are not based on") print("the BK7231 chipset. So, please take that into account.") -print('Before continuing, please set your device in AP mode first. This usually takes 6 power cycles off and on with ~1 sec between each.') +print('Before continuing, please set your device in AP mode first. This can usually be accomplished by either:') +print(' - 3 power cycles off and on with ~1 sec between each, wait for the device to fast-blink, then repeat 3 more power cycles') +print(' - Long press the power/reset button on the device until it starts fast-blinking, then release, and then hold the power/reset button again until the device starts slow-blinking.') + answer = input('Is your device now in AP mode? (yes/no) [default: no]: ').lower() if not 'y' in answer: @@ -69,4 +72,4 @@ for _ in range(5): time.sleep(0.200) print("Exploit payload sent! If the device has an LED and now seems to be 'frozen', it's likely exploitable.") -print("Leave it be for ~60 seconds, if its WiFi AP stops showing up then it reboots and 'unfreezes' by itself, then it's almost definitely exploitable.") \ No newline at end of file +print("Leave it be for ~60 seconds, if its WiFi AP stops showing up then it reboots and 'unfreezes' by itself, then it's almost definitely exploitable.")
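Review bot: in the INSTRUCTIONS.md hunk, the new power-cycle sub-bullet still describes the procedure differently from the other two files touched by this patch, so the unification the commit message promises is incomplete. Here it reads "6 times, with around 1 second in between each toggle ... If it blinks _quickly_, power cycle it 3 more times", while common_run.sh says "3 times and wait for the device to fast-blink, then repeat 3 more times" and test_device_exploitable.py says "3 power cycles off and on ... wait for the device to fast-blink, then repeat 3 more power cycles". Pick one wording and use it in all three places, and consider carrying the "Some devices need 4 or 5 times on each side of the pause" caveat from common_run.sh over to INSTRUCTIONS.md as well.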
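Review bot: in the common_run.sh hunk, the grammar fix to the long-press line leaves the two alternatives under "This can usually be accomplished by either:" in non-parallel form: the first line still reads "Power cycling off/on - 3 times and wait for the device to fast-blink", while the corrected second line is now imperative ("Long press ... then release, and then hold"). Since this block is being edited anyway, rewording the first line to match ("Power cycle off/on 3 times, wait for the device to fast-blink, then repeat 3 more times. Some devices need 4 or 5 times on each side of the pause") and prefixing both lines with " - " so they read as the two options would make the prompt clearer.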
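Review bot: in the first test_device_exploitable.py hunk, the new AP-mode instructions omit two things the equivalent block in common_run.sh has: the caveat that "Some devices need 4 or 5 times on each side of the pause" and the pointer to https://support.tuya.com/en/help/_detail/K9hut3w10nby8, so a user running the proof-of-concept script directly gets less guidance than one running the main script. Adding a third print with the link and the caveat would keep the two in step. Minor: the added lines use single-quoted strings while the surrounding prints use double quotes, and the unchanged context line `if not 'y' in answer:` would be more idiomatic as `if 'y' not in answer:`.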
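Review bot: in the last test_device_exploitable.py hunk only the missing trailing newline changes, which is a correct fix, but the sentence itself is a run-on ("Leave it be for ~60 seconds, if its WiFi AP stops showing up then it reboots and 'unfreezes' by itself, then it's almost definitely exploitable.") and, since the line is being rewritten anyway, splitting it would cost nothing, e.g. "Leave it be for ~60 seconds. If its WiFi AP stops showing up, the device rebooted and 'unfroze' by itself, and it's almost definitely exploitable."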