WB2S wifi plug - Error Couldn't receive packets from device

[deltamelter]

Poundland Ultrabrite UK Smart Wifi Plug 20J ST3 (WB2S)
Got the device open but the wifi board labelled WB2S is very close to some capacitors so I only have access to one side.
tried lightleak setup and 2 profiles get further than instant error. the one labelled LightLeak BK7231T and one of the N profiles marked XOR JTAG. Both go through the connection process and report exploitable success and go to the dump screen, but this just spins a while then says " Error Couldn't receive packets from device"

[deltamelter]

The opened device has stopped responding to ping since I tried the N (XOR JTAG) profile so I hope I haven't stuffed it up. if I manage to get at the rx1 and tx1 pins would I be able to dump the firmware with a CH340 USB serial device? 3.3v? does it have to be powered separately?

[kuba2k2]

The board is WB2S, so the only Lightleak profile that could work is BK7231T (that's the chip inside).

You can't really break anything with Lightleak, so I'm not sure what's that ping issue about. Maybe it just needs a reboot, or maybe the app is acting up.

If you connect RX1 and TX1, yes, you can dump the firmware. Here's a guide for dumping firmware.

It should be powered separately, using a regulated 3.3V power supply (connecting the GND lead as well, of course). DO NOT operate it while connected to mains! You risk damaging the device, the adapter, your computer and yourself.

[deltamelter]

So is there no chance of getting lightleak to work as is? will a dump of the firmware get me closer to wirelessly flashing the other unopened device?
The rx1 and tx1 are on the back side of the board up against some capacitors and the WB2S board it pushed down through the main board and I can't easily get to the other side because of construction.

[Cossid]

Did you try finding out what firmware version your device has to see if there are possibly other devices with a compatible firmware?
https://github.com/tuya-cloudcutter/tuya-cloudcutter/wiki/FAQ#how-do-i-find-out-what-firmware-version-my-device-has

[deltamelter]

Did you try finding out what firmware version your device has to see if there are possibly other devices with a compatible firmware? https://github.com/tuya-cloudcutter/tuya-cloudcutter/wiki/FAQ#how-do-i-find-out-what-firmware-version-my-device-has

That's exactly what I'm trying to find out with lightleak.
I never used the ultrabrite (tuya) app to avoid updating to a patched version. I have since tried, but didn't seem to connect
And then just now tried the app (while replying) and it has worked.... tells me V1.0.7 for both
Smart 1Way Adaptor

[Cossid]

Read the last paragraph of that FAQ entry. There are 2 BK7231T 1.0.7 firmware profiles related to plugs/switches you can try, you should try one device from each (unless the first one works). If you cut and it works, you might not have functionality (profile works, but schema doesn't), but you can flash without issue (flashing doesn't need a schema match).

[deltamelter]

Read the last paragraph of that FAQ entry. There are 2 BK7231T 1.0.7 firmware profiles related to plugs/switches you can try, you should try one device from each (unless the first one works). If you cut and it works, you might not have functionality (profile works, but schema doesn't), but you can flash without issue (flashing doesn't need a schema match).

OK, it wasn't clear to me tho. I can cut as many times as needed, but can still flash afterwards? but flash is not reversible. Right?
So so find a profile where cut works, then use that for full flash...
Thanks will try. Will have to remove the device from the app first tho right?

[Cossid]

That is correct, you can cut as many times as you like (until you flash), but you can only flash once (via cloudcutter). You do not need to remove it from the app, that is only a requirement for LightLeak, not CloudCutter.

[deltamelter]

So cloudcutter worked without issues, I don't yet have a way to use without the tuya app but as it is a simple on/off plug without sensors as far as I am aware. should be good to just flash using version 1.0.7 and tuya generic like I chose in cut?

[Cossid]

Correct. Then you can use Kickstart & ltchiptool (in combination with kickstart) to get a working base config.

[deltamelter]

openbeken can be flashed direct and then configured after? or is that also a 2 step config then flash confugred image?

[Cossid]

Yes, OpenBeken can be configured after flashing, but you'll have to refer to their tools/documentation on how to find that configuration.

[deltamelter]

I have mainly tasmota already and so openbeken looks familiar.
I would have liked to dump the firmware but there is just no access to the pins without destroying the plug. Is there any chance of getting lightleak to work before I flash?

[Cossid]

Not really. Once you use CloudCutter, there is only a small chance we can full support the device with full schema verification (it needs to have been activated on Smart Life at some point and not wiped, which your case probably meets). At that point a full backup would also be of a cut device, but sometimes we can piece it together if you A) tell use which profile you used to cut it, and B) are able to dump and upload the storage sections (something Kickstarter can do, and I think there is something in OpenBeken that can as well, I just don't know what).

[deltamelter]

I have a second unopened device which as far as I knew was the same chip as they were both from the same shelf in the same store and have the same label, wording a and numbers but in the tuya app this one reports as v1.1.1 and looking at the mac address (50:02:91) it says Espressif Inc. so no wonder lightleak didn't work with that
Probably TYWE2S so have to see if tuya-convert still works

[deltamelter]

Not really. Once you use CloudCutter, there is only a small chance we can full support the device with full schema verification (it needs to have been activated on Smart Life at some point and not wiped, which your case probably meets). At that point a full backup would also be of a cut device, but sometimes we can piece it together if you A) tell use which profile you used to cut it, and B) are able to dump and upload the storage sections (something Kickstarter can do, and I think there is something in OpenBeken that can as well, I just don't know what).

I cut using oem-bk7231s-rnd-switch-1.0.7-sdk-2.0.0-30.06.json because it was the 1 of 2 profiles that matched 1.0.7 vervsion number from tuya app. cut completed ok, but I couldn't tell what function it had. I went ahead and flashed openbeken, choosing the same profile.
Is this a good profile I don't know... but the default features (pins) were all wrong. Openbeken also had a backup of the "original" image and the button and LED were working again, but the relay doesn't. Used GPIOfinder too to "prod" each pin and confirmed the LED outputs and the button input, but still no relay. At this point don't know if it's just a failing hardware (relay) or incorrect profile to cut with or something just "blown" by too much "prodding"

How can I choose a better profile? is the dump I have from the "original" firmware (lightleaked, tuya-cc cut, tuya-cc flashed) (and containing 2 sets of wifi creds) any good to tell me which profile to use? I have another WB2S plug of the same brand and want to use the "correct" profile this time.

Itchiptool seems to understand all of the backup firmware better than bk7231flasher. What do these version details represent?

    "swv": "1.0.7",
    "bv": "30.06",
    "pv": "2.2",
    "lpv": "3.3",
    "cadv": "1.0.2",
    "cdv": "1.0.0",
    "dev_swv": "1.0.7",
    "jv": "1.0.9",

Are these from the "original" original firmware or from the profile I chose to for the cut (and flash)?
Can this backup be used to make a better lightleak profile to extract from a new WB2S plug? Do I need to pair that with tuya first to get version? Can I make a better tuya-cloudcutter profile from this existing backup for use with the new plug?

[kuba2k2]

1. If a Cloudcutter profile worked for flashing, that is the correct profile - there's no "better" one. Pin configuration in 3rd party firmware is not related to the cloudcutter profile that worked.
2. Same about the dumps; the fact that a working profile exists, means that we already had this particular 1.0.7 firmware dumped previously, from a different device.
3. Your dump (storage data in particular) would only be useful for creating a matching device profile for cloudcutter (which only matters for "detach" mode, not for flashing).
4. You say that ltchiptool understands backup firmware dump, where did you get the dump? I thought Lightleak didn't work in the end.
5. The version numbers are usually the same across all firmwares. Svw and dev_swv are versions of your particular firmware. BV is "baseline" version, PV is protocol version, LPV is LAN protocol version, CDV and CADV i have no idea, JV is JSON version. These are not meaningful for a typical user.
6. Making Lightleak profiles... well, all profiles that could be made already exist. Whether they work or not, is simply dependant on the particular build of the firmware. There can be different SDK configuration that makes Lightleak impossible to use on a specific build. Testing for that requires disassembling the code, and even hooking it up with JTAG in some edge cases.

[deltamelter]

3. Your dump (storage data in particular) would only be useful for creating a matching device profile for cloudcutter (which only matters for "detach" mode, not for flashing).

OK, so cutting made the profile.json, device.json and combined.json which are totally based on the cutting profile I chose.
After I flashed a FW to the device, it had no LEDs configured and the button wasn't responding, I have assumed that this default schema came from this. After prodding pins and importing the old config, everything worked except for the relay. I have assumed that this has somehow become misconfigured, as I am sure the relay was clicking away before I did anything with tuya-cc.

4. You say that ltchiptool understands backup firmware dump, where did you get the dump? I thought Lightleak didn't work in the end.

Openbeken has the ability to dump the 2MB and tuya_config portions of the backed up fw in its web app.

6. Making Lightleak profiles... well, all profiles that could be made already exist. Whether they work or not, is simply dependant on the particular build of the firmware. There can be different SDK configuration that makes Lightleak impossible to use on a specific build. Testing for that requires disassembling the code, and even hooking it up with JTAG in some edge cases.

In the android app, only the "lightleak" profiles at the top work, none of the "classic" ones do anything. I mean is there anything in my dump that can help to make one of these profiles that gets as far as dumping FW?
If not, I will just pair up to the tuya app and get version numbers (probably the same, but I've already seen 2 different versions of TYWE2S and a WB2S bought from the same store and I wouldn't be surprised if this 2nd WB2S is different again) remove the pairing and tuya-cc flash without cutting first (unless this is a different version after all).

Thanks for the help and answers.

[deltamelter]

Managed to get a bent pin header through the tiny gap under and behind the WB2S board and pressed them against the 3v3,gnd, tx and rx long enough to get a full flash dump from the new un-configured device.
It reports the same version and and pins layout as the backup dump of the previous device.
I can share this dump if it is of use to you. but otherwise you can close this issue if you want as I don't need lightleak any more.

[kuba2k2]

You can submit the dump to cloudcutter issues page. Cossid will know what to do :)

As for this issue, I'll probably keep it open, just so that people know that lightleak has issues 😄