Last year, I wrote about a tool called ‘tuya-convert’ which exploits a vulnerability in ESP-based Tuya devices to install custom firmware such as Tasmota. But not all Tuya devices use ESP chips, and that’s where tuya-cloudcutter comes in.
I have one such device, an ‘S11’ RF and IR bridge (pictured above) that I picked up cheaply from AliExpress last year. Instead of one of Espressif’s ESP chips, it comes with a Beken BK7231N chip. Having disassembled its case, I also didn’t find any obvious pins for the UART bus. So I was relieved to come across tuya-cloudcutter, as it doesn’t require any soldering or disassembly. tuya-cloudcutter should work with any devices that use the BK7231T and BK7231N chips.
Like tuya-convert, tuya-cloudcutter exploits a vulnerability. This was responsibly disclosed to Tuya (the bug bounty was donated to charity), and newer devices are shipped without this vulnerability. However, there’s no firmware update for my S11 device to fix the issue, which is perhaps poor from a security perspective but suits my needs right now.
Running tuya-cloudcutter on a Raspberry Pi
You’ll need to run tuya-cloudcutter on a Linux device, and a Raspberry Pi is perfect for this. Indeed, there’s a detailed tutorial to follow. You’ll need Python, Docker, Git and NetworkManager installed and enabled, and there are a couple of configuration files to edit before you start. Everything is done using a command prompt, so you could do it over SSH using a Windows machine with PuTTY if you wanted to.
A note: I first tried this on my nine-year-old’s Raspberry Pi 400, and it didn’t work, whereas it did on my Raspberry Pi 4. I believe it was an issue with the specific Wi-Fi adaptor in the Raspberry Pi 400.
You may find that it’s easier to have the device already set up in the Tuya or Smart Life app, as you’ll be able to find the existing firmware version. You’ll need this when running the tuya-cloudcutter tool.
Detaching and flashing
tuya-cloudcutter offers two modes:
- Detach – this leaves the Tuya firmware intact on the device, but detaches it from the Tuya cloud. You can then use the LocalTuya or TuyaLocal custom Home Assistant integrations from HACS to control your device, but the official Tuya and Smart Life apps won’t work anymore.
- Flash – this also flashes new firmware onto the device.
In terms of firmware choices, by default you get:
- OpenBeken – a Tasmota-like firmware where you can configure the device
- ESPHome Kickstart – a minimal version of ESPHome, which can be updated later.
You can also add your own firmware, although be careful as you may brick your device if the firmware isn’t configured correctly.
If you choose to flash new firmware, then when the tool has run correctly, you’ll see a new Wi-Fi network appear for you to connect to. The Hotspot login page should open automatically, but if not, go to http://192.168.4.1/ to proceed. You can then configure the firmware to connect to your Wi-Fi network.
Switching firmware later
For my device, I tried OpenBeken first, but found that it wasn’t able to use the RF capabilities of the device. Instead, I built an ESPHome configuration using the tuya_rf custom component, and flashed that using OpenBeken’s OTA firmware updater. This works because once you’ve used tuya-cloudcutter to install new firmware on a device, you don’t need to use it again – you can switch from OpenBeken to ESPHome and vice versa quite easily.
Also, if you read yesterday’s post about the Sonoff RF Bridge, no, this RF bridge didn’t work with my doorbell either.