Jailbreaking the MOES Zigbee Gateway
Introduction
The MOES Zigbee Gateway is a Tuya-based device commonly used to bridge Zigbee devices with cloud services. However, many users seek local control to reduce latency, increase privacy, and gain integration flexibility with platforms like Home Assistant. This guide documents the process of jailbreaking the MOES gateway to unlock root access and bypass cloud restrictions.
Disclaimer
Warning: Jailbreaking your gateway will void any warranties and carries the risk of rendering the device non-functional. Proceed at your own risk and make full backups before making any changes.
Device Overview
- Processor: SSD202D (dual-core Cortex-A7 SoC)
- RAM: 128 MB
- Storage Layout (MTD):
root@SmartGateway:~# cat /proc/mtd
dev: size erasesize name
mtd0: 003c0000 00020000 "UBOOT"
mtd1: 00300000 00020000 "KERNEL0"
mtd2: 01200000 00020000 "ROOTFS0"
mtd3: 01000000 00020000 "USER0"
mtd4: 00200000 00020000 "FACTORY"
mtd5: 00300000 00020000 "KERNEL1"
mtd6: 01200000 00020000 "ROOTFS1"
mtd7: 01000000 00020000 "USER1"
mtd8: 02380000 00020000 "DATA"
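The listing above gives only sizes, while the Initial Flashing section later needs the address of the USER0 partition. As an added example (not part of the original page or of sigma-tools), the script below parses that output and computes each partition's start offset, assuming the partitions sit back to back in /proc/mtd order; that assumption must be confirmed against the partition table printed on the UART console at boot before anything is written to flash.

```python
import re

# /proc/mtd listing copied from the page's Device Overview section.
PROC_MTD = """dev: size erasesize name
mtd0: 003c0000 00020000 "UBOOT"
mtd1: 00300000 00020000 "KERNEL0"
mtd2: 01200000 00020000 "ROOTFS0"
mtd3: 01000000 00020000 "USER0"
mtd4: 00200000 00020000 "FACTORY"
mtd5: 00300000 00020000 "KERNEL1"
mtd6: 01200000 00020000 "ROOTFS1"
mtd7: 01000000 00020000 "USER1"
mtd8: 02380000 00020000 "DATA"
"""

# One /proc/mtd row: device, size (hex), erase block size (hex), quoted name.
MTD_ROW = re.compile(r'^(mtd\d+):\s+([0-9a-f]+)\s+([0-9a-f]+)\s+"([^"]*)"$', re.I)

def parse_proc_mtd(text):
    """Return [(dev, size, erasesize, name)] with the hex sizes as ints."""
    rows = []
    for line in text.splitlines():
        m = MTD_ROW.match(line.strip())
        if m:  # the "dev: size erasesize name" header line does not match
            dev, size, erase, name = m.groups()
            rows.append((dev, int(size, 16), int(erase, 16), name))
    return rows

def partition_layout(rows):
    """Map name -> {dev, offset, size, blocks}, assuming partitions sit back to
    back in /proc/mtd order. That is an assumption: /proc/mtd prints no offsets,
    so cross-check against the partition table on the UART console at boot."""
    layout, offset = {}, 0
    for dev, size, erase, name in rows:
        if size % erase:
            raise ValueError(f"{name}: size is not a whole number of erase blocks")
        layout[name] = {"dev": dev, "offset": offset, "size": size, "blocks": size // erase}
        offset += size
    return layout

def image_fits(layout, name, image_len):
    """True if an image of image_len bytes fits the named partition; anything
    larger would spill into the following partition when written to flash."""
    return 0 < image_len <= layout[name]["size"]

if __name__ == "__main__":
    layout = partition_layout(parse_proc_mtd(PROC_MTD))
    for name, p in layout.items():
        print(f"{p['dev']:5} {name:8} offset=0x{p['offset']:08x} "
              f"size=0x{p['size']:08x} ({p['blocks']} erase blocks)")
```

Running `image_fits` on the length of your user0.img before flashing catches an image that is larger than the 16 MiB USER0 slot.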
Tools & Preparation
Hardware
- CH341A programmer for dumping NAND flash
Software
- snander-mstar — for NAND dumping and flashing
- sigma-tools — jailbreak and custom firmware tools
Tip: Always make a full NAND backup before modifying anything. This allows you to recover if something goes wrong.
Finding Access Points
- Locate UART pads on the PCB (shared with I2C)
- Common baud rate: 115200
- Observe boot logs using a serial terminal.
Exploitation / Root Access
Tuya gateways use a base firmware and an encrypted USER0 partition provided by manufacturers. This USER0 partition contains cloud integration code and custom logic. The jailbreak process replaces this encrypted USER0 partition with a custom version, encrypted with the same key, allowing execution of custom code and bypassing the Tuya cloud entirely.
Steps to Jailbreak
You have two main options to jailbreak your device. Choose one:
Option 1: Use a Prebuilt USER0 Partition (Recommended for most users)
This is the quickest and simplest method.
- Download the Prebuilt Image:
  - Download the user0.img from the sigma-tools releases page.
- Proceed to Initial Flashing:
  - Once downloaded, skip to the “Initial Flashing” section below.
Option 2: Build the USER0 Partition from Scratch (Advanced users)
This path offers full control and customization but requires more technical steps.
- Obtain the Partition Key:
  - Dump the NAND flash using snander-mstar.
  - Parse and extract the U-Boot environment with nand_parser.
  - Extract the AES key from the U-Boot image.
  - Use env_decoder to decrypt the partition key.
- Build a Custom USER0 Partition:
  - Set PARTITION_KEY in work/device.mk.
  - Run make.
  - This produces a user0.img file.
- Proceed to Initial Flashing:
  - With your custom user0.img ready, continue to the “Initial Flashing” section below.
Initial Flashing (Required for both options)
This step is necessary whether you chose Option 1 or Option 2.
- Prepare for Flashing:
  - By default, device access is limited, so flashing is only possible with the snander-mstar tool.
  - You need to find the address of the USER0 partition. You can typically find this by watching the Linux boot process (via UART) and noting the partition table.
- Flash the Image:
  TODO(mb): add flash command here (using snander-mstar and your user0.img)
- Reboot and Verify:
  - After flashing, reboot the device and watch the boot process via UART.
  - If successful, the device should obtain an IP address via DHCP and start an SSH server.
  - You can then log in as user root with the password defined in sigma-tools/alt_app/startup.sh.
- Note on Future Updates: Once you have SSH access, subsequent updates to your custom firmware can be applied directly over SSH, without needing to repeat the NAND flashing process.
Modifications
The jailbreak process uses a startup.sh script as the entry point for modifications. You can include your own changes there and generate an updated partition image.
A simple web interface is hosted on the device at port 80.
Integration & Use
Once jailbroken, the gateway can be used with:
- Home Assistant
- ZHA: Add integration using socket://{IP}:1234
- No cloud dependency
- Works locally on LAN
Status: Tested with 15 Zigbee devices; stable performance and no disconnects over several weeks of use.
Recovery & Failsafe
If the device becomes unresponsive or fails to boot:
- Connect NAND programmer
- Flash your previously saved NAND backup using snander-mstar
- Reboot and test UART output