Tuya Wi-Fi Temperature & Humidity Sensor
Tuya Wi-Fi Temperature and Humidity Sensor.
Links
tuya-cloudcutter, LibreTiny, OpenBeken IoT devices teardowns database, Tuya Wifi Smart Temperature Humidity Sensor
History
2025-10-07: try a proof
tingo@z30b:~/work/projects/2025/20251007_tuya_wifi_temp_and_hum_sensor_th06/tuya-cloudcutter$ python3 proof-of-concept/test_device_exploitable.py
This script will attempt to help you lower the chances of prying open a device that won't be exploitable
However, it's not 100% foolproof either, there are more devices that are vulnerable which are not based on the BK7231 chipset.
So, please take that into account.
Before continuing, please set your device in AP mode first. This can usually be accomplished by either:
- 3 power cycles off and on with ~1 sec between each, wait for the device to fast-blink, then repeat 3 more power cycles
- Long press the power/reset button on the device until it starts fast-blinking, then release, and then hold the power/reset button again until the device starts slow-blinking.
Is your device now in AP mode? (yes/no) [default: no]: yes
Please connect to the device's AP then hit enter to continue.
Exploit payload sent!
If the device has an LED and now seems to be 'frozen', it's likely exploitable.
Leave it be for ~60 seconds, if its WiFi AP stops showing up then it reboots and 'unfreezes' by itself, then it's almost definitely exploitable.
it did freeze and reboot after about 60 seconds.
2025-10-07: try to run tuya-cloudcutter on it
tingo@z30b:~/work/projects/2025/20251007_tuya_wifi_temp_and_hum_sensor_th06/tuya-cloudcutter$ ./tuya-cloudcutter.sh
Building cloudcutter docker image
[+] Building 101.2s (13/13) FINISHED docker:default
 => [internal] load build definition from Dockerfile 0.0s
 => => transferring dockerfile: 465B 0.0s
 => [internal] load metadata for docker.io/library/python:3.9.18-slim-bullseye 2.2s
 => [internal] load .dockerignore 0.0s
 => => transferring context: 2B 0.0s
 => [base 1/2] FROM docker.io/library/python:3.9.18-slim-bullseye@sha256:9ac27d4ecadc3ef02f980a8e2b37c7e8cdbf24039c5eddd9f98aff00d23b9e03 12.9s
 => => resolve docker.io/library/python:3.9.18-slim-bullseye@sha256:9ac27d4ecadc3ef02f980a8e2b37c7e8cdbf24039c5eddd9f98aff00d23b9e03 0.0s
 => => sha256:a7ce18212da88560af0de25f7a930fef41e9c812d022e1c22921b141c8e21ba2 11.05MB / 11.05MB 8.1s
 => => sha256:9ac27d4ecadc3ef02f980a8e2b37c7e8cdbf24039c5eddd9f98aff00d23b9e03 1.86kB / 1.86kB 0.0s
 => => sha256:a0222b9c4a9075f89f498f067f39f7a6e5fc14c2c87ebeea72bbb68fe69d6b97 1.37kB / 1.37kB 0.0s
 => => sha256:d694778260c16966493dade9a0595a510312f9ec30e3a5ed6d370af5e35643e1 6.92kB / 6.92kB 0.0s
 => => sha256:c0edef2937fa3b888b0cc3f9f5a4db00a1be6f297be5f057a77d738f91e675a0 31.42MB / 31.42MB 10.2s
 => => sha256:29ff364e54a5ec5ba946a5f20c50a8bcb5b8e25fca65999d411230bbc8c201c6 1.08MB / 1.08MB 1.9s
 => => sha256:ebe0cb710295e600c2aeed542399e01fb57e2139de3eedf3470b46d05fd835ec 243B / 243B 2.8s
 => => sha256:b0ab41d7c4e45eeac92c48f7fb5e5c7a35d16a2a8bda10ef2dc52a2273f89d9c 3.14MB / 3.14MB 5.8s
 => => extracting sha256:c0edef2937fa3b888b0cc3f9f5a4db00a1be6f297be5f057a77d738f91e675a0 1.5s
 => => extracting sha256:29ff364e54a5ec5ba946a5f20c50a8bcb5b8e25fca65999d411230bbc8c201c6 0.1s
 => => extracting sha256:a7ce18212da88560af0de25f7a930fef41e9c812d022e1c22921b141c8e21ba2 0.5s
 => => extracting sha256:ebe0cb710295e600c2aeed542399e01fb57e2139de3eedf3470b46d05fd835ec 0.0s
 => => extracting sha256:b0ab41d7c4e45eeac92c48f7fb5e5c7a35d16a2a8bda10ef2dc52a2273f89d9c 0.2s
 => [internal] load build context 0.0s
 => => transferring context: 851.54kB 0.0s
 => [base 2/2] RUN apt-get -qq update && apt-get install -qy --no-install-recommends git hostapd rfkill dnsmasq build-essential libssl-dev 45.1s
 => [python-deps 1/4] RUN pip install --upgrade pipenv 11.0s
 => [python-deps 2/4] COPY src/Pipfile /src/ 0.0s
 => [python-deps 3/4] COPY src/Pipfile.lock /src/ 0.0s
 => [python-deps 4/4] RUN cd /src && PIPENV_VENV_IN_PROJECT=1 pipenv install --deploy 26.0s
 => [cloudcutter 1/2] COPY src /src 0.0s
 => [cloudcutter 2/2] WORKDIR /src 0.0s
 => exporting to image 3.5s
 => => exporting layers 3.4s
 => => writing image sha256:e71b9792015869f4974edf854bf24849d73fa8707396fc8c6791feeaea9c1833 0.0s
 => => naming to docker.io/library/cloudcutter 0.0s
Successfully built docker image
1) Detach from the cloud and run Tuya firmware locally
2) Flash 3rd Party Firmware
[?] Select your desired operation [1/2]: 2
Loading options, please wait...
[?] How do you want to choose the device?: By manufacturer/device name
 ► By manufacturer/device name
   By firmware version and name
   From device-profiles (i.e. custom profile)
[?] Select the article number of your device: Temperature and Humidity Sensor v1.1.17
   SWWFD1C412 RGBCT Downlight
   Temperature and Humidity Sensor CHT8315 v1.1.27
   Temperature and Humidity Sensor LED Display v1.0.4
   Temperature and Humidity Sensor v1.0.10
   Temperature and Humidity Sensor v1.0.5
   Temperature and Humidity Sensor v1.1.11
 ► Temperature and Humidity Sensor v1.1.17
   Temperature and Humidity with Display and Probe v1.2.7
   TH08 Temperature and Humdity Sensor v1.0.0
   Touch Switch v1.0.4
   TuyaMCU Temperature and Humidity Sensor v2.1.8
   TY-02-1CH Dimmer
   TY-02-1CH LED Strip
[?] Select the firmware version and name: 1.1.17 - BK7231N / oem_bk7231n_temp_hum_sensor
 ► 1.1.17 - BK7231N / oem_bk7231n_temp_hum_sensor
Checking TCP port 8886... Available.
Detected app armour
This has been known to block hostapd, which is required to complete the exploit
Do you wish to stop the app armour service? [y/N] y
Unloading AppArmor profiles
AppArmour has been turned off. You will need to manually restart it or reboot your OS for it to turn back on.
Safety checks complete.
[?] Select your custom firmware file for BK7231N chip: ESPHome-Kickstart-v23.08.29_bk7231n_app.ota.ug.bin
 ► ESPHome-Kickstart-v23.08.29_bk7231n_app.ota.ug.bin
   OpenBeken-v1.18.130_bk7231n.ug.bin
================================================================================
Place your device in AP (slow blink) mode. This can usually be accomplished by either:
Power cycling off/on - 3 times and wait for the device to fast-blink, then repeat 3 more times. Some devices need 4 or 5 times on each side of the pause
Long press the power/reset button on the device until it starts fast-blinking, then release, and then hold the power/reset button again until the device starts slow-blinking.
See https://support.tuya.com/en/help/_detail/K9hut3w10nby8 for more information.
================================================================================
Scanning for open Tuya SmartLife AP
......
Found access point name: "SmartLife-F4D0", trying to connect...
Device 'wlp2s0' successfully activated with '5389b2d5-6ee3-4c91-88ac-71364ebbdd61'.
.
Found access point name: "SmartLife-F4D0", trying to connect...
Device 'wlp2s0' successfully activated with '5389b2d5-6ee3-4c91-88ac-71364ebbdd61'.
Connected to access point.
Waiting 1 sec to allow device to set itself up...
Running initial exploit toolchain...
Exploit run, saved device config too!
output=/work/configured-devices/qir9FQ1twLas.deviceconfig
Saved device config in /work/configured-devices/qir9FQ1twLas.deviceconfig
================================================================================
Power cycle and place your device in AP (slow blink) mode again.
This can usually be accomplished by either:
Power cycling off/on - 3 times and wait for the device to fast-blink, then repeat 3 more times. Some devices need 4 or 5 times on each side of the pause
Long press the power/reset button on the device until it starts fast-blinking, then releasing, and then holding the power/reset button again until the device starts slow-blinking.
See https://support.tuya.com/en/help/_detail/K9hut3w10nby8 for more information.
================================================================================
Failed to start NetworkManager.service: Connection timed out
See system logs and 'systemctl status NetworkManager.service' for details.
Scanning for open Tuya SmartLife AP
.....
Found access point name: "SmartLife-F4D0", trying to connect...
Device 'wlp2s0' successfully activated with '5389b2d5-6ee3-4c91-88ac-71364ebbdd61'.
Connected to access point.
================================================================================
[!] The profile you selected did not result in a successful exploit.
================================================================================
2025-10-07: the Tuya app on my smartphone finds the device once it is in pairing mode (long press on reset button until the LED blinks rapidly) and says that it is a "TH06". The device information in the app tells me that the MAC address is 80:64:7c:d4:f4:d0. This matches what I find for an IP address in my DHCP server database:
lease 10.1.150.3 {
  starts 2 2025/10/07 18:16:54;
  ends 3 2025/10/08 06:16:54;
  cltt 2 2025/10/07 18:16:54;
  binding state active;
  next binding state free;
  rewind binding state free;
  hardware ethernet 80:64:7c:d4:f4:d0;
  client-hostname "wlan0";
}
the hostname is a bit weird, but so what.
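Added example (not part of the original notes or of tuya-cloudcutter): a small Python parser for the lease format quoted above, used to look up the active lease for the MAC address the Tuya app reports. The check that the AP name "SmartLife-F4D0" ends in the last two MAC octets is an observation from the values on this page, not a documented rule; the 10.1.150.2 lease and all function names are constructed for the example.

```python
import re

# Second lease is the one quoted on this page; the first is constructed
# to show that a non-active lease is ignored.
SAMPLE_LEASES = '''
lease 10.1.150.2 {
  binding state free;
  hardware ethernet 00:11:22:33:44:55;
}
lease 10.1.150.3 {
  starts 2 2025/10/07 18:16:54;
  ends 3 2025/10/08 06:16:54;
  cltt 2 2025/10/07 18:16:54;
  binding state active;
  next binding state free;
  rewind binding state free;
  hardware ethernet 80:64:7c:d4:f4:d0;
  client-hostname "wlan0";
}
'''

LEASE_RE = re.compile(r'lease\s+(\S+)\s*\{(.*?)\}', re.S)

def parse_leases(text):
    """Return one dict per lease block: ip, mac, state, hostname."""
    leases = []
    for ip, body in LEASE_RE.findall(text):
        rec = {'ip': ip, 'mac': None, 'state': None, 'hostname': None}
        for stmt in body.split(';'):
            words = stmt.split()
            if words[:2] == ['hardware', 'ethernet']:
                rec['mac'] = words[2].lower()
            elif words[:2] == ['binding', 'state']:  # not "next"/"rewind"
                rec['state'] = words[2]
            elif words[:1] == ['client-hostname']:
                rec['hostname'] = stmt.split('"')[1]
        leases.append(rec)
    return leases

def find_device(text, mac):
    """Active leases for a MAC. dhcpd.leases is append-only, so the
    last block written for an address is the current one."""
    current = {l['ip']: l for l in parse_leases(text)}
    return [l for l in current.values()
            if l['mac'] == mac.lower() and l['state'] == 'active']

def ssid_matches_mac(ssid, mac):
    """True if the SSID's hex suffix equals the last two MAC octets."""
    return ssid.rsplit('-', 1)[-1].lower() == ''.join(mac.lower().split(':')[-2:])
```
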
2025-10-07: I created this page.