This repository contains the toolchain to exploit a wireless vulnerability that can jailbreak some of the latest smart devices sold under various brand names and built on Tuya's Beken BK7231 (BK7231T, BK7231N) or Realtek RTL8720CF chipsets. The vulnerability and the exploitation tooling were identified and created by Khaled Nassar and Tom Clement with support from Jilles Groenendijk.
Our tool disconnects Tuya devices from the cloud, allowing them to run completely locally. Additionally, it can be used to flash custom firmware to devices over-the-air.
ℹ️ Do you like this tool? Please consider giving it a star on Github so it reaches more people. ✨
Using Tuya CloudCutter means that you will NO LONGER be able to use Tuya's apps and servers. Be absolutely sure that you are never going to use them again!
Additionally, please be aware that this software is experimental and provided without any guarantees from the authors, strictly for personal and educational use. If you use it anyway, you agree that:
If you're curious about the vulnerability and how the exploit chain works, here's the detailed writeup and the proof of concept script.
-r parameter if you continue to have issues.

Check out the usage instructions for info about flashing custom firmware and local cloud-less usage (detaching). There are also some host-specific instructions for setups on devices like a Raspberry Pi.
Please see the FAQ section of the wiki for the most up-to-date questions and answers. It covers many things like how to get your device into pairing mode and how to find more information about your device (such as the firmware currently installed), and it expands as new questions are asked and answered. Additionally, you may want to search the existing issues before opening a new one.
Tuya patched their SDK as of February 2022. Any device whose firmware was compiled against a patched SDK is not exploitable over-the-air, but you can still apply 3rd-party firmware via serial. For a list of known patched firmware/devices, see the known patched firmware wiki page.
We'd be happy to receive your contributions! One way to contribute if you already know your way around some binary exploitation or would like to get your hands into it is by building device profiles to support more exploitable devices. Check out the detailed writeup for the information about the vulnerability and exploit chain.
Additional work on expanding the Lightleak project, which can dump firmware from unexploited devices, could use attention, as could extending it to flash firmware, similar to regular CloudCutter. A port to bash/Linux may also be useful.
You can also contribute device dumps by opening an issue with your device dump attached, but be aware if your device was already onboarded on your WiFi AP:

Remove Device and click Disconnect and wipe data.

Flash dumps of devices that have never been joined to Smart Life (or were disconnected with a data wipe) are now generally acceptable. In order to not potentially leak personal information, that may be the preferred way.
Tools to dump flash from devices:
Note: other tools, such as hid_download_py or BkWriter, create incomplete dumps, or have data out-of-order which makes processing more difficult. Please use the tools outlined above instead.
```
bk7231tools read_flash -d COM5 device-make-and-model.bin
```

Note: the -s and -c parameters are not needed (additionally, -c is deprecated in favor of -l/--length <bytes>). The program now reads the entire flash contents by default.

Additionally, device profiles require a proper Datapoint ID (DPID) schema for local configuration with stock firmware. The schema can be pulled directly from flash on a device (the config region starts at 0x1EF000 on BK7231 devices) if the device has been configured to communicate with Tuya servers at least once, or through the profile-builder scripts with the aid of an active Smart Life account. The profile builder's pull-schema.py script will walk you through the process. If you are not comfortable with this, just submit the full 2 MiB bin in an issue and a schema will be pulled and added.
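Before attaching a dump to an issue, it is worth checking that the file is a complete 2 MiB image and looking at what the config region actually contains, since that is where a device that has been onboarded stores data that may be personal. The following script is an added example, not part of the Tuya CloudCutter or bk7231tools code. It relies only on two facts stated above (a full dump is 2 MiB; the config region starts at 0x1EF000 on BK7231 devices); the assumption that the region runs to the end of flash, the minimum string length, and the fake config bytes used as sample input are constructed here and are not a real Tuya config layout.

```python
"""Sanity-check a BK7231 flash dump before attaching it to an issue.

Added example, not part of the Tuya CloudCutter tooling. Known facts
used: a full dump is 2 MiB and the config region starts at 0x1EF000.
The region end (end of flash) and the string-scan heuristic are
assumptions made for this example.
"""
import re
from typing import Dict, List

FLASH_SIZE = 2 * 1024 * 1024   # full BK7231 flash image, per the README
CONFIG_START = 0x1EF000        # config region start on BK7231, per the README
CONFIG_END = FLASH_SIZE        # assumption: region runs to the end of flash
MIN_STRING_LEN = 6             # assumption: shorter printable runs are noise

# Runs of printable ASCII (0x20-0x7E) at least MIN_STRING_LEN bytes long.
_PRINTABLE = re.compile(rb"[ -~]{%d,}" % MIN_STRING_LEN)


def is_erased(region: bytes) -> bool:
    """Flash that was never written reads back as all 0xFF."""
    return region == b"\xFF" * len(region)


def printable_strings(region: bytes) -> List[str]:
    """Return printable ASCII runs so a human can look for an SSID or PSK."""
    return [m.group().decode("ascii") for m in _PRINTABLE.finditer(region)]


def check_dump(image: bytes) -> Dict[str, object]:
    """Report whether the image is full size, whether the config region
    holds data (i.e. the device was onboarded at least once), and which
    printable strings that region contains."""
    report: Dict[str, object] = {
        "size_ok": len(image) == FLASH_SIZE,
        "config_present": False,
        "strings": [],
    }
    if len(image) < CONFIG_END:
        # Truncated dump (e.g. from a tool that stops early): the config
        # region is not fully present, so nothing more can be said.
        return report
    region = image[CONFIG_START:CONFIG_END]
    report["config_present"] = not is_erased(region)
    if report["config_present"]:
        report["strings"] = printable_strings(region)
    return report


def make_sample_dump(configured: bool) -> bytes:
    """Constructed test image: blank flash, optionally with fake config bytes.
    The placeholder SSID/PSK values are invented for this example."""
    image = bytearray(b"\xFF" * FLASH_SIZE)
    if configured:
        fake = (b"\x00\x10ssid=ExampleHomeWiFi\x00"
                b"psk=correct-horse-battery\x00\xFF")
        image[CONFIG_START:CONFIG_START + len(fake)] = fake
    return bytes(image)


if __name__ == "__main__":
    for label, dump in (("blank", make_sample_dump(False)),
                        ("configured", make_sample_dump(True))):
        result = check_dump(dump)
        print("%s: size_ok=%s config_present=%s"
              % (label, result["size_ok"], result["config_present"]))
        for s in result["strings"]:
            print("  string:", s)
```

Run it against a real dump by replacing the constructed images with `open("device-make-and-model.bin", "rb").read()`. A report with `config_present` False means the device was never onboarded (or was wiped), which is the kind of dump the paragraph above calls generally acceptable; if strings that look like your SSID or password appear, wipe the device first as described above before sharing the file.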
If you'd like to check whether a device is exploitable before prying it open, you can lower the chance of opening a non-exploitable device by trying this test script first. The downside of this test is that it won't tell you whether the device is BK7231, RTL8720CF, or based on some other chipset.
A big thank you to all who have provided meaningful contributions to the success of the Tuya CloudCutter project. Those include, but are not limited to:
and many other contributors (and here) over the years!