The root password is set to the last 8 characters of AUSKEY which is some kind of identifier for the cloud services. The AUSKEY is stored, encrypted, in the SPI flash. (in the "tuya-label" partition.) The decryption key is also stored here so it is possible to recover the AUSKEY and thus also the root password for the device.
Getting the root password comprises three steps. 1. Accessing the bootloader. 2. Using it to read the raw encoded values from the flash. 3. Decoding the values.
To get the required values, you need to have attached a TTY3v3 serial port to the J1 connector on the board. The serial port parameters are 38400 baud, 8, N, 1 and no flow control. (If you find you can't type, check flow control is turned off.)
Power cycle the device whilst at the same time pressing the ESC key on the serial console. You should interrupt the boot process and end up at the RealTek bootloader prompt.
Press ENTER to get a fresh prompt.
It should look something like this:
---RealTek(RTL8196E)at 2020.04.28-13:58+0800 v3.4T-pre2 [16bit](400MHz) P0phymode=01, embedded phy check_image_header return_addr:05010000 bank_offset:00000000 no sys signature at 00010000! ---Escape booting by user P0phymode=01, embedded phy ---Ethernet init Okay! <Real <RealTek>
The AUSKEY is itself encrypted by another key that we'll call the KEK. To read the KEK, type the following commands into the bootloader. The first command reads the value from flash into RAM. The next one displays the contents.
FLR 80000000 401802 16 DW 80000000 4
Make a note of the single line of output. This is your KEK.
Use the following commands
FLR 80000000 402002 32 DW 80000000 8
Make a note of the two lines of output. They are your encrypted AUSKEY.
The script linked below can be used to decode the AUSKEY and root password.
Start the python script and, when prompted, paste the lines obtained above to reveal your auskey and root password.
Example decode run :