Cloudcutter Lightleak

This is a somewhat universal way of exploiting a vulnerability in Tuya Smart IoT products. Ideally, it doesn't require having firmware dumps (or "device profiles") beforehand.

A detailed writeup about how this works will probably be here at some point.

How to use it

Lightleak is used together with the Cloudcutter Android application. Currently, there's no other way to use it.

Additionally, you need a device (ESP32/ESP8266/BK7231 or RTL8710B with LibreTiny) to serve as a dummy Wi-Fi Access Point, hereinafter referred to as the CustomAP device. This will be configured and used by the Android app throughout the process. The platformio-custom-ap directory contains a PlatformIO project that can be compiled for any of the platforms mentioned above. You need to download this code, build it, and upload it to your device of choice.

Plug in the CustomAP device and make sure it works (a LightleakIdle Wi-Fi network should be available - scan with your smartphone or laptop). Do not connect to the network manually.

Important: if the target device was used before, or paired to any Wi-Fi network using the official app (Tuya Smart/SmartLife):

  • Open the Tuya app.
  • Choose the target device in the app (make sure it's online).
  • Click the pencil icon in the top-right corner.
  • Choose Remove Device and click Disconnect and wipe data.
  • The device should start blinking quickly and disappear from the official app.

  • Install the app.
  • Go to App Info (Android settings), choose Permissions and grant the Location permission (it's required for Wi-Fi connecting and scanning). The app won't ask for it yet, so you have to grant it manually.
  • Before running the process, ensure you have both Wi-Fi and Location enabled (otherwise it'll just fail silently, waiting forever and timing out).
  • Open the app. Select one of the Lightleak profiles (depending on the CPU of your device). If you don't know the CPU you have, you can try all the profiles, one by one. Trying an incompatible profile will not brick the device; it will just freeze and reboot after ~60 seconds.
  • Read the message about choosing device state.
    • If it's the first time exploiting a particular device, choose Unconfigured. Other options are too hard to explain here, so just don't use them please.
  • It will first connect to and configure the CustomAP device.
  • Note 1: Android (10+) will probably ask you when first connecting to a network. There will be a dialog message with the network name. You can just click the name or press Connect.
  • Note 2: if the entire process fails at any point, please reset the CustomAP device before trying it again.
  • Look carefully at the message window at the bottom, and do what it says. It will tell you when it's time to reboot the target device into AP mode.
  • If the process completes successfully, another window will open. Currently, it allows you to dump flash contents of the device.
  • Pressing Read flash should download the entire 2 MiB of flash, saving it to the directory of choice. It should take around 30-40 seconds.
  • What to do next:

Contributors

cossid, dg98, kuba2k2, mihsu81, ryan-ronnander, tingox

lightleak's Issues

Nedis SmartLife Smart Plug: Couldn't receive packets from the device

The device is a Nedis Smart Plug WIFIP110FWT.
When connected to the Tuya app, both main and MCU versions are reported as 1.0.0. Opening the device revealed the chip is a BK7231N, but the existing cloudcutter profiles for this combination did not seem to do the trick. So I thought I'd dump the firmware and create a profile for this particular device. After using the Tuya app, I disconnected and wiped the device in the app, so it should be good to go. The CustomAP I'm using is an esp8266-based NodeMCU.

Dumping the flash with Lightleak fails and does not seem to receive any packets from the plug. I can get to the flash dump screen after selecting unconfigured device, all actions are successful. Device exits AP mode and the app connects successfully to it after reboot to AP mode. I used the BK7231N - Variant 1 (Standard) profile: other N-profiles did not seem to exploit correctly and froze the plug, so at least something is happening.

Let me know if you need more information. Disassembling the device enough to get a dump needs a bit more prying but I'll do that if needed.
log_lightleak.txt
log_exploit.txt

TreatLife SK50 Smart Plug - Can't Receive Packets

Hello,
When trying to grab a dump from a TreatLife SK50 plug, I get a "Can't receive packets" error
I added the plug to SmartLife and can see it's on 1.0.6 firmware.
Are there other steps I can try?
It has a WB2S chip, at least the one I cracked open did.


Couldn't receive packages from the device

Hi,

I keep getting the error "Couldn't receive packages from the device" while trying to read the flash from a bulb.
Tried selecting BK7231N - Variant 1 (Standard), BK7231N - Variant 1 (XOR) and BK7231N - Variant JTAG (XOR), but they all give the same error.

-- UPDATE--

I opened one of the bulbs and it's using a WB2L chip. From what I found online, the WB2L is a BK7231T chip; selecting the BK7231T profile just gives me a "The device doesn't respond to ping requests" error.

Moes MS-105 1 Gang 1/2 Way Dimmer Switch Module: Couldn't receive packets from the device

Device details are here: tuya-cloudcutter/tuya-cloudcutter#233

Got a chance to work on this device again today. I'm using the Lightleak BK7231N Variant JTAG (XOR) profile and it successfully performs the exploit, but I get an error when I try to dump the firmware. Tried 2 different switches (one that was added to Tuya, one that was new in box) and got the same error on both. Used the newest version of Lightleak, 0.6.1.

Compiling PlatformIO project

"The platformio-custom-ap directory contains a PlatformIO project that can be compiled on any of the platforms mentioned above. You need to download this code, build it, and upload to your device of choice."

I'm confused on how to do this exactly.

customap platformio build failed with esp32, others work fine.

Processing esp32 (platform: espressif32; board: esp32dev; framework: arduino)
----------------------------------------------------------------------------------------------------
Verbose mode can be enabled via -v, --verbose option
CONFIGURATION: https://docs.platformio.org/page/boards/espressif32/esp32dev.html
PLATFORM: Espressif 32 (5.3.0) > Espressif ESP32 Dev Module
HARDWARE: ESP32 240MHz, 320KB RAM, 4MB Flash
DEBUG: Current (cmsis-dap) External (cmsis-dap, esp-bridge, esp-prog, iot-bus-jtag, jlink, minimodule, olimex-arm-usb-ocd, olimex-arm-usb-ocd-h, olimex-arm-usb-tiny-h, olimex-jtag-tiny, tumpa)
PACKAGES:
 - framework-arduinoespressif32 @ 3.20006.221224 (2.0.6)
 - tool-esptoolpy @ 1.40400.0 (4.4.0)
 - toolchain-xtensa-esp32 @ 8.4.0+2021r2-patch5
LDF: Library Dependency Finder -> https://bit.ly/configure-pio-ldf
LDF Modes: Finder ~ chain, Compatibility ~ soft
Found 34 compatible libraries
Scanning dependencies...
Dependency Graph
|-- CRC32 @ 2.0.0
|-- WiFi @ 2.0.0
Building in release mode
Compiling .pio\build\esp32\src\customap.cpp.o
Archiving .pio\build\esp32\lib77d\libCRC32.a
Compiling .pio\build\esp32\lib961\WiFi\WiFiClient.cpp.o
Compiling .pio\build\esp32\lib961\WiFi\WiFiGeneric.cpp.o
Compiling .pio\build\esp32\lib961\WiFi\WiFiMulti.cpp.o
src/customap.cpp: In function 'void setup()':
src/customap.cpp:15:63: error: no matching function for call to 'WiFiClass::onEvent(void (&)(arduino_event_id_t), system_event_id_t)'
  WiFi.onEvent(onStationConnected, SYSTEM_EVENT_AP_STACONNECTED);
                                                               ^
In file included from .platformio/packages/framework-arduinoespressif32/libraries/WiFi/src/WiFiSTA.h:28,
                 from .platformio/packages/framework-arduinoespressif32/libraries/WiFi/src/WiFi.h:32,
                 from include/customap.h:11,
                 from src/customap.cpp:1:
.platformio/packages/framework-arduinoespressif32/libraries/WiFi/src/WiFiGeneric.h:159:21: note: candidate: 'wifi_event_id_t WiFiGenericClass::onEvent(WiFiEventCb, arduino_event_id_t)'
  wifi_event_id_t onEvent(WiFiEventCb cbEvent, arduino_event_id_t event = ARDUINO_EVENT_MAX);
                  ^~~~~~~
.platformio/packages/framework-arduinoespressif32/libraries/WiFi/src/WiFiGeneric.h:159:21: note: no known conversion for argument 2 from 'system_event_id_t' to 'arduino_event_id_t'
.platformio/packages/framework-arduinoespressif32/libraries/WiFi/src/WiFiGeneric.h:160:21: note: candidate: 'wifi_event_id_t WiFiGenericClass::onEvent(WiFiEventFuncCb, arduino_event_id_t)'
  wifi_event_id_t onEvent(WiFiEventFuncCb cbEvent, arduino_event_id_t event = ARDUINO_EVENT_MAX);
                  ^~~~~~~
.platformio/packages/framework-arduinoespressif32/libraries/WiFi/src/WiFiGeneric.h:160:21: note: no known conversion for argument 1 from 'void(arduino_event_id_t)' to 'WiFiEventFuncCb' {aka 'std::function<void(arduino_event_id_t, arduino_event_info_t)>'}
.platformio/packages/framework-arduinoespressif32/libraries/WiFi/src/WiFiGeneric.h:161:21: note: candidate: 'wifi_event_id_t WiFiGenericClass::onEvent(WiFiEventSysCb, arduino_event_id_t)'
  wifi_event_id_t onEvent(WiFiEventSysCb cbEvent, arduino_event_id_t event = ARDUINO_EVENT_MAX);
                  ^~~~~~~
.platformio/packages/framework-arduinoespressif32/libraries/WiFi/src/WiFiGeneric.h:161:21: note: no known conversion for argument 2 from 'system_event_id_t' to 'arduino_event_id_t'
*** [.pio\build\esp32\src\customap.cpp.o] Error 1
========================================== [FAILED] Took 8.43 seconds ==========================================

[feature request] search function

The number of profiles and general items is getting rather long.

Request for a search function and this thing is about perfect!

Good job everyone!

Dump not found in android fs

So, managed to complete the steps and am searching for the dump to upload.
Unfortunately the app does not create its directory in /data (or any place of that matter).
Also the my dumps tab does not work, probably because of that.
Checked if the app requested additional permissions, but it did not.

Any ideas?

Couldn't receive packets (was: The device does not respond to ping requests (which device is the app talking about?))

Trying to dump flash.
Have Sonoff SV that I flashed with the custom ap, the wifi network is visible.

The Android app says the device is not responding...
Is the custom AP not OK? Or is the device I am trying to exploit not answering?

Do the instructions miss a part where I somehow connect the victim device manually to the custom ap or would that come later? I cannot understand/find out when and how to do that.
What am I doing wrong :P


Add support for esp32-s2

It would be nice if you can add support to it since it was a lot cheaper than esp8266 and esp32, at least here in my place.

It's funny that the esp32-s2 is cheaper now compared to back then with the esp8266, which only cost 2 bucks; now it costs around 8 bucks and the esp32-s2 only costs around 2 bucks.

Error Dumping firmware

thanks for making such a great tool!

I go through the entire process and receive a notification that the device is exploitable. When I choose "dump firmware" the screen changes and there is a rolling circle on the screen. After about 5 minutes of no change, I connect to the phone and traverse to the device directory and see that the dump file is 0 bytes. There is a JSON file in there as well.

any logs or advice on what to do?

WB2S wifi plug - Error Couldn't receive packets from device

Poundland Ultrabrite UK Smart Wifi Plug 20J ST3 (WB2S)
Got the device open, but the wifi board labelled WB2S is very close to some capacitors, so I only have access to one side.
Tried the lightleak setup and 2 profiles get further than an instant error: the one labelled LightLeak BK7231T and one of the N profiles marked XOR JTAG. Both go through the connection process, report exploitable success and go to the dump screen, but this just spins a while then says "Error Couldn't receive packets from device".

Feit BR30/RGBW/CA/AG - Device doesn't respond to packets, but device is confirmed exploitable.

Issue:

Trying to run lightleak, but receive error "device doesn't respond to packets" after the exploit payload is sent for all profiles.

I have 8 of these bulbs, and have so far been able to run cloudcutter with a similar profile to flash the OpenBK app without issue, but I would like to get the dump so that I can share with the community.

I would try the UART method, but don't believe I can do so without destroying the bulb.

I am using a Wemos D1 Mini as my Custom AP device.

Thoughts?

Elvica LSPA9 support

Hello, I have a pair of cheap Elivca LSPA9 smart plugs that seem to be based on the BK7231S. I tried to install the app, but I saw only T and S versions of the chip; I tried the first 10 profiles, but the app seems stuck at Wait for CustomerAP termination and then gives an error "Timed out while scanning for SSID "LightleadIdle"". What can I do?
Thanks!

Does this still work?

I see a release in 2023. The readme has a link that says Tuya patched the vulnerability.

Does this still work on all firmware? Or only those unpatched firmware?

Thank you.

Error: Couldn't receive packets from the device

I am Running Lightleak, trying to get a flash dump for my LSC Smart Power Plug 970761.1 (tuya-cloudcutter/tuya-cloudcutter#607)

Possibly related to #15 .

The chip inside is probably a WB2S, based on ARM Cortex M4.

Both the BK7231N - Type 1 / Addr 1 (XOR) and BK7231T profiles will run all the steps but fail when trying to read flash, getting "Couldn't receive packets from the device".

Couldn't receive packets

Greetings!

I encountered the same "Couldn't receive packets, TODO describe this better" error as other people. Is there a way for me to help solve this, even if it's just for my specific device?

I entered the "cloudcutter community" only yesterday, so I might have overlooked something. I did follow the steps though, and the device seems to be exploitable.

I inspected the logs and didn't find anything interesting, but if anyone wants me to post them, I will.

Thanks in advance!

platformIO and esp32

Executing task: platformio run --environment esp32 

Processing esp32 (platform: espressif32; board: esp32dev; framework: arduino)
-----------------------------------------------------------------------------------------------------------------------------------------------------
Verbose mode can be enabled via `-v, --verbose` option
CONFIGURATION: https://docs.platformio.org/page/boards/espressif32/esp32dev.html
PLATFORM: Espressif 32 (3.5.0) > Espressif ESP32 Dev Module
HARDWARE: ESP32 240MHz, 320KB RAM, 4MB Flash
DEBUG: Current (esp-prog) External (esp-prog, iot-bus-jtag, jlink, minimodule, olimex-arm-usb-ocd, olimex-arm-usb-ocd-h, olimex-arm-usb-tiny-h, olimex-jtag-tiny, tumpa)
PACKAGES: 
 - framework-arduinoespressif32 @ 3.10006.210326 (1.0.6) 
 - tool-esptoolpy @ 1.30100.210531 (3.1.0) 
 - toolchain-xtensa32 @ 2.50200.97 (5.2.0)
LDF: Library Dependency Finder -> https://bit.ly/configure-pio-ldf
LDF Modes: Finder ~ chain, Compatibility ~ soft
Found 29 compatible libraries
Scanning dependencies...
Dependency Graph
|-- CRC32 @ 2.0.0
|-- WiFi @ 1.0
Building in release mode
Compiling .pio/build/esp32/src/customap.cpp.o
Generating partitions .pio/build/esp32/partitions.bin
Compiling .pio/build/esp32/libaa3/CRC32/CRC32.cpp.o
Compiling .pio/build/esp32/lib375/WiFi/ETH.cpp.o
Compiling .pio/build/esp32/lib375/WiFi/WiFi.cpp.o
Compiling .pio/build/esp32/lib375/WiFi/WiFiAP.cpp.o
Compiling .pio/build/esp32/lib375/WiFi/WiFiClient.cpp.o
Compiling .pio/build/esp32/lib375/WiFi/WiFiGeneric.cpp.o
Compiling .pio/build/esp32/lib375/WiFi/WiFiMulti.cpp.o
Compiling .pio/build/esp32/lib375/WiFi/WiFiSTA.cpp.o
Compiling .pio/build/esp32/lib375/WiFi/WiFiScan.cpp.o
src/customap.cpp: In function 'void setup()':
src/customap.cpp:19:35: error: 'ARDUINO_EVENT_WIFI_AP_STACONNECTED' was not declared in this scope
  WiFi.onEvent(onStationConnected, ARDUINO_EVENT_WIFI_AP_STACONNECTED);
                                   ^
*** [.pio/build/esp32/src/customap.cpp.o] Error 1
============================================================ [FAILED] Took 1.88 seconds ============================================================

Environment    Status    Duration
-------------  --------  ------------
esp32          FAILED    00:00:01.877
======================================================= 1 failed, 0 succeeded in 00:00:01.877 =======================================================

Haven't touched the platformio.ini, and I see the arduino framework is already in the [env] block, so unsure why it's complaining at build.
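The two failing builds above are the same mismatch seen from both sides: platform espressif32 3.5.0 ships arduino-esp32 core 1.0.6, where the AP event is SYSTEM_EVENT_AP_STACONNECTED, while espressif32 5.3.0 ships core 2.0.6, where it was renamed ARDUINO_EVENT_WIFI_AP_STACONNECTED and the callback types changed. The following added example (not the project's platformio-custom-ap code) is a minimal sketch that brings up the LightleakIdle access point described in the README and registers the station-connected handler in a way that compiles on both cores; it assumes the ESP_ARDUINO_VERSION_MAJOR macro that core 2.x defines through Arduino.h, and the handler body is illustrative.

```arduino
// Added example, not the project's own firmware: version-portable soft-AP
// sketch for arduino-esp32 1.0.x and 2.x (assumption: core 2.x defines
// ESP_ARDUINO_VERSION_MAJOR via Arduino.h; core 1.0.x does not define it).
#include <Arduino.h>
#include <WiFi.h>

static const char *kIdleSsid = "LightleakIdle";  // SSID named in the README

#if defined(ESP_ARDUINO_VERSION_MAJOR) && ESP_ARDUINO_VERSION_MAJOR >= 2
// Core 2.x: events are arduino_event_id_t / arduino_event_info_t and the
// AP station-connected value is ARDUINO_EVENT_WIFI_AP_STACONNECTED.
typedef arduino_event_id_t   ap_event_id_t;
typedef arduino_event_info_t ap_event_info_t;
#define AP_STA_CONNECTED_EVENT ARDUINO_EVENT_WIFI_AP_STACONNECTED
#else
// Core 1.0.x: the ESP-IDF legacy names system_event_id_t / system_event_info_t
// and SYSTEM_EVENT_AP_STACONNECTED are the only ones available.
typedef system_event_id_t   ap_event_id_t;
typedef system_event_info_t ap_event_info_t;
#define AP_STA_CONNECTED_EVENT SYSTEM_EVENT_AP_STACONNECTED
#endif

static volatile uint32_t g_stationCount = 0;

// Two-argument handler: on both cores this matches the std::function-based
// WiFiEventFuncCb overload of WiFi.onEvent(), so no other overload is
// considered and the build does not hit the "no matching function" error.
static void onStationConnected(ap_event_id_t event, ap_event_info_t info) {
  (void)info;  // illustrative handler: only counts associations
  if (event != AP_STA_CONNECTED_EVENT) {
    return;
  }
  g_stationCount++;
  Serial.printf("station joined %s (total %u)\n", kIdleSsid,
                (unsigned)g_stationCount);
}

void setup() {
  Serial.begin(115200);
  WiFi.mode(WIFI_AP);
  // Register the handler before starting the AP so the first association
  // is not missed.
  WiFi.onEvent(onStationConnected, AP_STA_CONNECTED_EVENT);
  if (!WiFi.softAP(kIdleSsid)) {  // open network, as the README describes
    Serial.println("softAP() failed");
    return;
  }
  Serial.print("AP up, IP ");
  Serial.println(WiFi.softAPIP());
}

void loop() {
  delay(1000);
}
```

Upgrading the espressif32 platform so that core 2.x is used is the simpler fix for the second report; the guard above is only needed if both platform versions must build the same source.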
