Notes on NEO Tuya Zigbee HomeKit Hub

Until recently Zemismart ZMHK-01 was the only Zigbee hub with Apple HomeKit integration. Now there is also NEO NAS-ZW05B0 Zigbee hub (affiliate link) with a HomeKit integration produced by Shenzhen NEO Electronic for around $25 with pretty much the same components. Note that only the wired version (with RJ45 ethernet connections instead of wi-fi) appears to have the HomeKit support!

How to open NEO NAS-ZW05B0 Tuya Zigbee HomeKit hub
Use a pry tool to push open the four corners around the hub.

It is based on the Tuya TYZS4-IPEX module for the Zigbee connectivity and Realtek RTL8196E controller for the USB and ethernet functionality similar to the Zemismart ZMHK-01 hub I reviewed earlier and the Lidl Silvercrest Zigbee hub.

NEO NAS-ZW05B0 Zigbee HomeKit Hub with Tuya TYZS4-IPEX radio controller
NEO NAS-ZW05B0 Zigbee HomeKit Hub with Tuya TYZS4-IPEX radio and GD25Q127CSIG flash.

Considering the shared components, it should be possible to get root access to the device by connecting directly to that UART pins on the PCB (see below) but the bootloader on this device RealTek(RTL8196E) at 2022.01.10-18:12+0800 v3.4T-pre2 doesn’t support the ESC key sequence for entering the boot options as described by this open issue.

The pins at the bottom-left of the PCB (J1) are:

  • Pin 1 (square): 3.3V
  • Pin 2: GND
  • Pin 3: RTL8196E U0_TX (B0)
  • Pin 4: RTL8196E U0_RX (A7)
  • Pin 5: Tuya TYZS4-IPEX SWDIO
  • Pin 6: Tuya TYZS4-IPEX SWCLK

Connecting just the GND, TX and RX pins I was able to read the boot logs:


@ chip__no chip__id mfr___id dev___id cap___id size_sft dev_size chipSize
@ 0000000h 0c84018h 00000c8h 0000040h 0000018h 0000000h 0000018h 1000000h
@ blk_size blk__cnt sec_size sec__cnt pageSize page_cnt chip_clk chipName
@ 0010000h 0000100h 0001000h 0001000h 0000100h 0000010h 000004eh GD25Q128
---RealTek(RTL8196E)at 2022.01.10-18:12+0800 v3.4T-pre2 [16bit](400MHz)
P0phymode=01, embedded phy
check_image_header  return_addr:05010000 bank_offset:00000000
no sys signature at 00010000!
P0phymode=01, embedded phy
---Ethernet init Okay!
tuya:start receive production test frame ...
Jump to image start=0x80c00000...
decompressing kernel:
Uncompressing Linux... done, booting the kernel.
done decompressing kernel.
start address: 0x80003780
Linux version 3.10.90 (root@WorkPC) (gcc version 4.6.4 (Realtek RSDK-4.6.4 Build 2080) ) #1 Mon Jan 10 18:14:44 CST 2022
CPU revision is: 0000cd01
Determined physical RAM map:
 memory: 02000000 @ 00000000 (usable)
Zone ranges:
  Normal   [mem 0x00000000-0x01ffffff]
Movable zone start for each node
Early memory node ranges
  node   0: [mem 0x00000000-0x01ffffff]
icache: 16kB/16B, dcache: 8kB/16B, scache: 0kB/0B
Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 8128
Kernel command line:  console=ttyS0,38400 root=/dev/mtdblock2 
PID hash table entries: 128 (order: -3, 512 bytes)
Dentry cache hash table entries: 4096 (order: 2, 16384 bytes)
Inode-cache hash table entries: 2048 (order: 1, 8192 bytes)
Memory: 27344k/32768k available (2763k kernel code, 5424k reserved, 562k data, 192k init, 0k highmem)
SLUB: HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
console [ttyS0] enabled
Calibrating delay loop... 398.13 BogoMIPS (lpj=1990656)
pid_max: default: 4096 minimum: 301
Mount-cache hash table entries: 512
reg e0=0
reg e1=0
reg e2=0
reg e3=0
reg e4=0
reg e5=0
reg e6=0
reg e7=0
reg f0=0
reg f1=0
reg f2=0
reg f3=0
reg f4=0
reg f5=0
reg f6=0
NET: Registered protocol family 16
bio: create slab <bio-0> at 0
NET: Registered protocol family 2
TCP established hash table entries: 512 (order: 0, 4096 bytes)
TCP bind hash table entries: 512 (order: -1, 2048 bytes)
TCP: Hash tables configured (established 512 bind 512)
TCP: reno registered
UDP hash table entries: 256 (order: 0, 4096 bytes)
UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
NET: Registered protocol family 1
squashfs: version 4.0 (2009/01/31) Phillip Lougher
jffs2: version 2.2. (NAND) © 2001-2006 Red Hat, Inc.
msgmni has been set to 53
Block layer SCSI generic (bsg) driver version 0.4 loaded (major 254)
io scheduler noop registered
io scheduler deadline registered
io scheduler cfq registered (default)
Serial: 8250/16550 driver, 2 ports, IRQ sharing disabled
serial8250: ttyS0 at MMIO 0x18002000 (irq = 9) is a 16550A
serial8250: ttyS1 at MMIO 0x18002100 (irq = 13) is a 16550A
Realtek GPIO Driver for Flash Reload Default
tuya_gpio_init ok, scan expire time:50
 ------------------------- Force into Single IO Mode ------------------------ 
|No chipID  Sft chipSize blkSize secSize pageSize sdCk opCk      chipName    |
| 0 c84018h  0h 1000000h  10000h  10000h     100h   84    0          GD25Q128|
SPI flash(GD25Q128) was found at CS0, size 0x1000000
boot+cfg offset=0x0 size=0x20000 erasesize=0x10000
linux offset=0x20000 size=0x1e0000 erasesize=0x10000
rootfs offset=0x200000 size=0x200000 erasesize=0x10000
tuya-label offset=0x400000 size=0x20000 erasesize=0x10000
jffs2-fs offset=0x420000 size=0xbe0000 erasesize=0x10000
5 rtkxxpart partitions found on MTD device flash_bank_1
Creating 5 MTD partitions on "flash_bank_1":
0x000000000000-0x000000020000 : "boot+cfg"
0x000000020000-0x000000200000 : "linux"
0x000000200000-0x000000400000 : "rootfs"
0x000000400000-0x000000420000 : "tuya-label"
0x000000420000-0x000001000000 : "jffs2-fs"
PPP generic driver version 2.4.2
nf_conntrack version 0.5.0 (427 buckets, 1708 max)
ip_tables: (C) 2000-2006 Netfilter Core Team
TCP: cubic registered
NET: Registered protocol family 10
sit: IPv6 over IPv4 tunneling driver
NET: Registered protocol family 17
l2tp_core: L2TP core driver, V2.0
8021q: 802.1Q VLAN Support v1.8
Realtek FastPath:v1.03
Probing RTL819X NIC-kenel stack size order[1]...
eth0 added. vid=9 Member port 0x10f...
eth1 added. vid=8 Member port 0x10...
[peth0] added, mapping to [eth1]...
VFS: Mounted root (squashfs filesystem) readonly on device 31:2.
Freeing unused kernel memory: 192K (80340000 - 80370000)
init started: BusyBox v1.13.4 (2022-01-10 18:11:37 CST)
Set power startcmd read
b8000038: 2794A104  0000000F    00000042  00000018    '��        B    
cmd write
Write memory 0xb8000038 dat 0x1794a104: 0x1794a104
Set power end
udhcpc (v1.13.4) started
Sending discover...
Please press Enter to activate this console. Tuya Gateway Application Normal Srart /tuya/ UserAppRunDir:
set defult run_dir:/tuya
get user cfg file error, load defult cfg file
load platform configure file:/tuya/def.cfg
start.conf is exist
udhcpc (v1.13.4) started
Normal mode.
current run dir:/tuya/tuya_user1
grep: /var/resolv.conf: No such file or directory JsonFile Path:/tuya/def.cfg [engineer_mode: ]
Sending discover...
killall: no process killed
killall: tyZ3Gw: no process killed
killall: no process killed
killall: no process killed
killall: tyZ3Gw: no process killed
Sending discover...
cat: can't open '/tuya/eng_mode_upg': No such file or directory
cat: can't open '/tmp/eng_mode': No such file or directory
no eng file
Sending discover...
nlRecvFromAppSock sg_netlinkKeyPid:239
nlRecvFromAppSock port link sg_netlinkPid:239
umw send to error.: Socket operation on non-socket
Jan  1 00:00:38 mDNSResponder: mDNSResponder (Engineering Build) (Jul 27 2021 20:15:30) starting
Jan  1 00:00:38 mDNSResponder: mDNS_AddDNSServer: Lock not held! mDNS_busy (0) mDNS_reentrancy (0)
Jan  1 00:00:38 mDNSResponder: mDNS_AddDNSServer: Lock not held! mDNS_busy (0) mDNS_reentrancy (0)
Jan  1 00:00:38 mDNSResponder: WARNING: mdnsd continuing as root because user "nobody" does not exist
Sending discover...

1 Comment

  1. Semyon says:

    Hello from neighboring Estonia!

    I would like to make my light at home smart using Zigbee relays, but I cannot choose between Zemismart and Neo hubs. Which one could you recommend more? Neo is much cheaper, but Zemismart has relays that I need.

    Their relays are perfect for me for a few reasons: they does not require Neutral, they support 2 gang switches and they support two-way switches.

    Also, I’m a HomeKit user. So, maybe you can recommend me any other/cheaper solution (hub + relays) instead of Zemismart?

    Thank you!

Leave a Reply