mirror of
https://github.com/tuya-cloudcutter/tuya-cloudcutter.git
synced 2026-02-19 21:51:18 +01:00
b28723ae61
* Initial RTL8720CF support * Fix RTL8720CF_OTA file validation. * be a bit more robust on chip string matching * Really rough refactor of haxomatic for RTL8720CF, not complete. * Update RTL8720CF 2.3.0 haxomatic hex match strings * Remove length validation from authkey/uuid so it can work with both Tuya and CloudCutter generated keys. * Fix bk7231 string detection Add second RTL8720CF 2.3.0 profile * Refactor haxomatic to be more modular and maintainable. * haxomatic - minor cleanup * profile-building - Pull PSK when pulling schema. * Haxomatic - Search all binaries for patch patterns. Update known RTL8720CF match pattern identifiers. * Change network to custom 10.204.0.1/24 network (204 = 0xCC) Send multiple DNS servers, which may help devices that hang after DHCP Spend less time sending wifi connect requests so AP can start listening sooner. * Update exploit for new offsets. * Haxomatic - Add 1.0.x SDK * Update haxomatic for newer found patterns. * Minor tweaks * Updates to profile-building * Add storage parsing to extract_rtl8720cf * Switch to bk7231tools to extract rtl8720cf storage to remove an unneeded dependency. * remove debug code * Add special case for sdk identification for single build missing standard string. * Find swv before device_class, as we may want to search directly after it. * Update comments, seek entire bin for storage. * Add missing new address in profile. Add ability to process inactive OTA app. * Update documentation. * fix typo. * Fix a type in beken extract. * Add haxomatic pattern for oddball BK7231N 2.3.1 SDK. * Haxomatic - Add RTL8720CF 2.3.1 SDK pattern. * Fix copy/paste typo * profile-building - proceess_app - add more device class match strings. * one more * profile-building - better log SDK data * Add a special thanks section. * fix typo * Clean up documentation. * documentation - use numbered lists. * process_app - add another device class identifier.
73 lines
5.9 KiB
Markdown
73 lines
5.9 KiB
Markdown
# Instructions
|
||
|
||
## Disabling cloud connection & running locally
|
||
|
||
Here we describe how to use Tuya CloudCutter to jailbreak Tuya IoT devices by replacing their security keys. This prevents them from communicating with Tuya cloud servers, and allows you to control them via your local network instead.
|
||
|
||
### 🚨 ⚠️ WARNING⚠️ 🚨
|
||
|
||
**Using Tuya CloudCutter means that you will NO LONGER be able to use Tuya's apps and servers. Be absolutely sure that you are never going to use them again!**
|
||
|
||
### Prerequisites
|
||
|
||
- A laptop or computer with a WiFi adapter
|
||
- Running (non-virtualized) Ubuntu (other distributions with NetworkManager might also work, untested. VMs might work if you passthrough WiFi adapter.)
|
||
- Docker should be installed, and your user should be part of the "docker" group (reboot if you've just installed Docker, to reload the user groups.)
|
||
|
||
**Note**: the script mentioned below can also be run in interactive mode, i.e. without any parameters, in which the user will be asked to choose one of available options.
|
||
|
||
### Finding your device
|
||
|
||
Find the device you have in the [list of available devices](https://github.com/tuya-cloudcutter/tuya-cloudcutter.github.io/tree/master/devices). Note the device name, i.e. a lowercase, alphanumeric string like `avatar-asl04-tv-backlight` (without the .json extension).
|
||
|
||
If you don't know the exact device model, or your device does not have any available profile, you can choose the device by firmware version:
|
||
|
||
1. open the Tuya Smart/SmartLife app
|
||
2. click on the device (even if it's offline)
|
||
3. press the "edit" pencil (top-right corner)
|
||
4. choose "Device Update"
|
||
5. note the "Main Module" version number
|
||
|
||
Knowing this, you can run `sudo ./tuya-cloudcutter.sh` without any parameters. Then, use the `By firmware version and name` option and choose the version you found.
|
||
|
||
### Running the toolchain
|
||
|
||
1. Download or git clone this repository
|
||
2. Open a terminal and `cd` into the repository to make it your working directory
|
||
3. Run `sudo ./tuya-cloudcutter.sh -s <SSID> <SSID password>`, where SSID/password is the name of the access point you want the Tuya device to join.
|
||
|
||
- You can specify the device profile name using `-p my-device-name`; otherwise an interactive menu will be shown.
|
||
- **If your SSID and/or password have special characters like $ ! or @, make sure to pass them with ' characters, e.g. 'P@$$W0rD!'. If it has the ' character then also make sure to escape that, with bash that'd be `'P@$$W0rD!'"'"' 1234'` to use the password `P@$$W0rD!' 1234`** **Optionally run with parameter -r to reset NetworkManager connections, which may help with some wifi adaptors ( sudo ./tuya-cloudcutter.sh -r -s <SSID> <SSID password> )**
|
||
- If you wish to set a custom deviceid or localkey, prepend these parameters like so: `sudo ./tuya-cloudcutter.sh -d 20characterdeviceid -l 16characterlocalkey -s <SSID> <SSID password>`, Note, localtuya in homeassistant currently requires unique deviceid to work.
|
||
|
||
4. When instructed, put your Tuya device in _AP Mode_. This can usually be accomplished by either:
|
||
|
||
- Toggling it off and on again 6 times, with around 1 second in between each toggle. If it's a light bulb, it will blink _slowly_. If it blinks _quickly_, power cycle it 3 more times.
|
||
- Long pressing the power/reset button on the device until it starts fast-blinking, then releasing, and then holding the power/reset button again until the device starts slow-blinking.
|
||
|
||
5. The script will automatically connect to your light (assuming it creates a "SmartLife-*" SSID. If not, let us know.) and run the exploit that replaces the security keys (now it can't connect to the cloud anymore)
|
||
6. The exploit freezes the light. It will reboot back into AP mode if left alone, and you can speed this up by power cycling it yourself one time
|
||
7. The script will start up an access point of its own called "cloudcutterflash", using your WiFi adapter
|
||
8. Turn the device off and on again once. It will enter AP mode again. If it doesn't, power cycle it 6 times to enter AP mode. The script will now make the device connect to our "cloudcutterflash" AP.
|
||
9. Once the device connects (can take up to a minute), the script will set up your device's local access keys, and configure it to join the SSID you passed as an argument to the script
|
||
10. You should see the activation requests show up in the terminal as cloudcutter configures the device
|
||
11. **Note:** If you don't see anything show up for longer than 2 minutes, power cycle the device to enter AP mode again and use one of the "SmartLife" compatible apps to instruct the device to connect to the "cloudcutterflash" AP. The password for that AP is "abcdabcd" (without the " characters).
|
||
12. Your Tuya device should now be completely cut off from the cloud, and be locally controllable on your network using e.g. `tinytuya`
|
||
13. The randomly generated keys you need to connect to your device can be found in the `configured-devices` folder
|
||
14. Enjoy!
|
||
|
||
-------
|
||
|
||
## Flashing custom firmware
|
||
|
||
1. Copy your new firmware .bin file (UG or UF2 files only!) to ./custom-firmware
|
||
2. Find your device name, as instructed in the steps above.
|
||
3. Run `sudo ./tuya-cloudcutter.sh`. You can specify device profile name and firmware file using `-p` and `-f`, respectively (this is optional). Example: `sudo ./tuya-cloudcutter.sh -p avatar-asl04-tv-backlight -f custom_firmware_file.bin`
|
||
4. Follow the instructions from the script to turn off/on your device 6 times during 2 steps (similar to the steps above)
|
||
5. If all goes well, your device is now running your custom firmware, enjoy!
|
||
|
||
### Custom firmware options
|
||
|
||
Some common 3rd party firmware files have been included by default. See [custom-firmware](https://github.com/tuya-cloudcutter/tuya-cloudcutter/tree/main/custom-firmware) for further information.
|
||
For user-supplied custom options, please see the [wiki](https://github.com/tuya-cloudcutter/tuya-cloudcutter/wiki/FAQ#what-custom-firmware-options-are-available) for information about available 3rd party firmware.
|