Hi there!
Hi,
The Aqara Camera Gateway (https://github.com/dgiese/dustcloud-documentation/tree/master/lumi.camera.aq1) uses the same protocol as all other Miio/Miija enabled devices. It behaves like a normal Gateway, except it has additional commands regarding the camera stuff.
Hello guys,
this might be a bit off topic, but:
I want to buy a new xiaomi gateway. Where is the best place to buy it… and what do I have to do to set it up and don’t mess up stuff?
I checked for a shop selling the Mijia, not the Aqara version.
Also I read that I should use an old version of the Mi Home App. And that the stock FW have to be at a certain low level.
I bought my unit on banggood, my friend on the gearbest. The question is not “where” but “when”. You should wait for discounts or sales ;).
Ok, it’s easy to distinguish them. Better buy mijia (in my opinion).
It is not mandatory to sick to stock version. Currently, I’ve the latest version of mi home app on my phone and the latest firmware on the gateway. IMPORTANT: enable development options and “additional communication” before updating the gateway firmware or you will have to disassemble the device and solder things.
If you are afraid of soldering, stay on the default firmware.
I have an UART adapter and a soldering iron if I mess stuff up 
So I don’t have to download an old version apk, just go with the recent one and turn in dev mode?
Wow Thanks ! This is the solution !
But sadly some of us aren’t really good at electronic. I clearly prefer the dev.
Thanks for the complete solution.
As far as i know the topic, you should be fine.
Hi,
has anybody tried to downgrade/install firmware via miiocli? All i can achieve is an error and no incoming queries on my http server.
miiocli device --ip 192.168.0.101 --token xxxx raw_command miIO.ota '{"app_url":"http://192.168.0.102/063df95bd538a9cfa22c7c86642cf11e_upd_lumi.gateway.v3.bin","file_md5":"063df95bd538a9cfa22c7c86642cf11e","install":"1","proc":"dnld install","mode":"normal"}'
Running command raw_command
Error: {'code': -5000, 'message': 'invalied'}
miIO.info does work:
miiocli device --ip 192.168.0.101 --token xxxx raw_command miIO.info
Running command raw_command
{'life': 1184, 'cfg_time': 0, 'token': 'xxxx', 'mac': '78:11:DC:xxxx', 'fw_ver': '1.4.1_161', 'hw_ver': 'MW300', 'model': 'lumi.gateway.v3', 'mcu_fw_ver': '0158', [..]}
Is a public ip/specific hostname required for ota?
PS: I tried this in unprovisioned and provisioned mode with internet access and without.
I tried, but without success. I did not spend too much time on this attack vector.
I also thought to create fake xiaomi http server (via the fake local-dns server or iptables rules) and serve the old firmware with the server. Then wait for the new official firmware from xiaomi. Turn on my spoofed server and run the upgrade from the android/ios app. Unfortunately, I did not have enough time to configure and prepare the entire attack.
Hi,
Just to confirm the method from @rsx2007 worked like a charm, my 1st gateway has now its ports 4321/9898 opened.
Thank you ! and thanks to “ds2003”
Hi. I can’t read or send any commands to the gateway.
Here are my steps:
In the Putty window I now sporadically see some cryptical characters showing up, but nothing like “You will see all messages of gateway.” Also sending a command does not do anything.
Does anyone have an idea what I’m doing wrong? Thanks a lot
Hi @D1rk,
Speed should be 115200 bauds, I’ve figured it out by trying different speed and with 115200 you will see some readable characters ie : a boot sequence like this
mi_i2s_init ok I2S_IRQn= 11
player starting......
SetFreq 44100
mi_i2s_set_freq 44.1KHz
gpio stat:1
audio mixer init done
find 0 channels on flash,temp_play=0
find_list = -1
dac_freq_set_ = 44100 , 44100
Creat Thread mi_ipc_looper
not sure about the other config (data bits, stop … ) as I used the a mac os terminal with the ‘screen’ command, so should be the defaults :
screen /dev/cu.usbserial-***** 115200Yes speed is 115200.
Other params by default in putty.
But you should see mesage without connected TX from UART.
Hi @D1rk.
my working settings in Putty were: Speed 115200, Data bits 8, Stop bits 1, Parity None, Flow control XON/XOFF
Hope this helps.
Kindest regards,
Christian…
Flow control can be also completely off.
Btw: I am not sure if the old trick with the firmware updates MITM from my Defcon Talk still works or if they patched the MD5 checksum check…
Hi guys. Thanks a lot for your help. Christian’s settings did work and the Hub was discovered in OH after waiting for a few minutes. Now I will disconnect it from the manufacturer cloud so that they cannot make any unwanted changes In the next days I will try to connect some additional sensors.
Hello all together,
does anybody know if this serial command psm-set works with the Camera-Hub too ?
Greetings Matthias
Is this for sure ? I have 2 gateway both with round text and both dev mode enable, first one is lock (port 9898 not open) but I’ve enable dev mode after firmware updates. Second is not lock, I currently use it with my openhab but I’m afraid to make firmware updates. (I need to do updates because Aqara cube doesn’t work fine). Is it confirmed that I can make updates on this one ? Is anyone here have done the firmware updates after enabling dev mode on this version of the gateway and still have the port 9898 open ?
Thanks for your reply guys.
No.