Lumi Aqara Gateway Root

Vladimir Dronnikov edited this page Jun 30, 2019 · 3 revisions

Warning: For this you need to open the device. Make sure that you never touch the power supply, as it is connected directly to mains (110V/220V).

Warning: So far this works only for the versions without HomeKit (lumi.gateway.miXX01). The Aqara HomeKit versions (lumi.gateway.aqhm0X) have a different firmware that requires additional steps.

Warning: Be careful what you do, as there is no fallback or recovery method.

  1. Open the device. Be careful when removing the screws, as the plastic inside breaks easily (it is advised to loosen all screws equally to avoid that).

  2. Connect your serial adapter to GND, TX and RX (see Pinout of Aqara Gateways). Do not connect VCC/3.3V.

  3. Set up your serial port at 115200 baud with flow control off!

  4. Power on the gateway. As soon as you see any output, press "Enter" several times to drop into the U-Boot shell.

  5. setenv bootargs 'console=ttymxc0,115200 ubi.mtd=3 root=ubi0:rootfs rootfstype=ubifs cma=96M mtdparts=gpmi-nand:3m(boot),7m(kernel),1m(dtb),-(rootfs) rw single init=/bin/bash'

  6. As soon as you see the prompt, paste this command line: "mv /etc/rc5.d/K10dropbear /etc/rc5.d/S99dropbear". You have only a few seconds until the watchdog resets the gateway.

  7. Repeat steps 2-5.

  8. Set the root password using the command "passwd". Again, you have only a few seconds until the watchdog kicks in.

  9. You should be able to SSH to the gateway

  10. Secure SSH

  • on your host
ssh-keygen -t rsa -f ~/.ssh/mihome
ssh-copy-id -i ~/.ssh/mihome gateway
  • on gateway
chown -R root:root /home/root
chmod 755 /home/root
# disable password logins
vi /etc/default/dropbear # edit so that DROPBEAR_EXTRA_ARGS="-m -s -g"
passwd -d root # delete the root password (leaves it empty; SSH password logins are already disabled by -s -g)
reboot
  11. A hackish way to snoop messages
  • create /lumi/app/miio/hack.sh with the following content:
strace -f -v -s1024 -yy -e trace=recv -p `pgrep -f 'miio_client -l 0 -d /lumi/conf'` 2>&1 \
  | stdbuf -o0 sed -nr 's/^.+<TCP:\[127\.0\.0\.1:54322->.+]>, "(.+)", .+$/\1/p' | stdbuf -o0 sed -r 's/\}\{/}\n{/g;s/\\"/"/g'
  • To forward to YOUR-HOST YOUR-PORT run on the gateway
sh /lumi/app/miio/hack.sh | while read -r s; do echo "$s" | nc YOUR-HOST YOUR-PORT ; done
  • To pull messages run on your host
ssh root@gateway sh /lumi/app/miio/hack.sh
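
A host-side alternative to the two sed stages, added here as an example (not part of the original page or the gateway firmware): it parses raw strace output, undoes strace's string escaping, and splits concatenated JSON messages with a real JSON decoder. The function names are hypothetical, the sample lines are constructed, and the line layout is assumed to be the one the sed expression above matches.

```python
import json
import re

# Same anchor as the sed filter: recv() on the local 127.0.0.1:54322 socket.
RECV_RE = re.compile(r'<TCP:\[127\.0\.0\.1:54322->[^\]]+\]>, "(.*)"(?:\.\.\.)?, \d+')
ESCAPE_RE = re.compile(r'\\([0-7]{1,3}|.)')
SIMPLE = {"n": "\n", "r": "\r", "t": "\t", "v": "\v", "f": "\f"}

def unescape(s):
    """Undo strace's C-style string escaping (quotes, backslashes, octal bytes)."""
    def repl(m):
        tok = m.group(1)
        if tok[0] in "01234567":
            return chr(int(tok, 8) & 0xFF)
        return SIMPLE.get(tok, tok)  # escaped quote/backslash fall through as-is
    raw = ESCAPE_RE.sub(repl, s)
    return raw.encode("latin-1", "replace").decode("utf-8", "replace")

def split_json(payload):
    """Split back-to-back JSON objects; a '}{' inside a string value is left alone."""
    dec, pos, out = json.JSONDecoder(), 0, []
    while pos < len(payload):
        if payload[pos].isspace():
            pos += 1
            continue
        try:
            obj, pos = dec.raw_decode(payload, pos)
        except json.JSONDecodeError:
            break  # cut off by the strace -s limit, or not JSON: keep what parsed
        out.append(obj)
    return out

def parse_strace(lines):
    """Return every JSON message found in recv() lines for the traced socket."""
    msgs = []
    for line in lines:
        m = RECV_RE.search(line)
        if m:
            msgs.extend(split_json(unescape(m.group(1))))
    return msgs

# Constructed sample lines (not captured from a real gateway; method names are made up).
SAMPLE = [
    r'[pid   801] recv(9<TCP:[127.0.0.1:54322->127.0.0.1:40112]>, "{\"id\":1,\"method\":\"example_a\",\"params\":{\"note\":\"a}{b\"}}{\"id\":2,\"result\":[\"ok\"]}", 1024, 0) = 85',
    r'[pid   801] recv(7<TCP:[127.0.0.1:40000->127.0.0.1:9000]>, "{\"id\":99}", 1024, 0) = 9',
    r'[pid   801] recv(9<TCP:[127.0.0.1:54322->127.0.0.1:40112]>, "{\"id\":3,\"method\":\"example_b\"}\n", 1024, 0) = 30',
]

if __name__ == "__main__":
    for msg in parse_strace(SAMPLE):
        print(json.dumps(msg))
```
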

Enjoy!