[SOLVED] Openhab2 - Xiaomi Mi Gateway - does not respond

Ok, I managed to find UART RX/TX on lumi.gateway EU version – the one pictured by @jsiemins and @F_C . I also made connection to the gateway successfully!

The problem is after booting we’re getting into factory testing mode, which can be exited, but then it asks about password to access the OS.

Here is complete boot snapshot:

U-Boot 2016.03 (Nov 07 2017 - 20:11:55 +0800) 

CPU:   Freescale i.MX6ULL rev1.1 528 MHz (running at 396 MHz)
CPU:   Commercial temperature grade (0C to 95C) at 39C
Reset cause: POR
Board: Lumi international Gateway
I2C:   ready
DRAM:  256 MiB
NAND:  256 MiB
MMC:   FSL_SDHC: 0, FSL_SDHC: 1
*** Warning - bad CRC, using default environment

Display: TFT43AB (480x272)
Video: LCDIF@0x21c8000 is fused, disable it
In:    serial
Out:   serial
Err:   serial
Net:   Ethernet@0x20b4000 is fused, disable it
Board Net Initialization Failed
No ethernet found.

## Enter main_loop() Now##
Normal Boot
Hit any key to stop autoboot:  0 

NAND read: device 0 offset 0x300000, size 0x700000
 7340032 bytes read: OK

NAND read: device 0 offset 0xa00000, size 0x100000
 1048576 bytes read: OK
Kernel image @ 0x80800000 [ 0x000000 - 0x617290 ]
## Flattened Device Tree blob at 83000000
   Booting using the fdt blob at 0x83000000
   Using Device Tree in place at 83000000, end 8300c0e1
Modify /soc/aips-bus@02000000/tsc@02040000:status disabled
Modify /soc/aips-bus@02000000/can@02090000:status disabled
Modify /soc/aips-bus@02000000/can@02094000:status disabled
Modify /soc/aips-bus@02100000/lcdif@021c8000:status disabled
Modify /soc/aips-bus@02100000/pxp@021cc000:status disabled
Modify /soc/aips-bus@02100000/csi@021c4000:status disabled
Modify /soc/aips-bus@02000000/ethernet@020b4000:status disabled
Modify /soc/aips-bus@02100000/usb@02184200:status disabled
Modify /soc/aips-bus@02000000/spba-bus@02000000/sai@0202c000:status disabled
Modify /soc/aips-bus@02000000/spba-bus@02000000/sai@02030000:status disabled
Modify /soc/aips-bus@02100000/serial@021f4000:status disabled
Modify /soc/aips-bus@02100000/serial@021fc000:status disabled
Modify /soc/aips-bus@02000000/spba-bus@02000000/serial@02018000:status disabled
Modify /soc/aips-bus@02000000/pwm@020f0000:status disabled
Modify /soc/aips-bus@02000000/pwm@020f4000:status disabled
Modify /soc/aips-bus@02000000/pwm@020f8000:status disabled
Modify /soc/aips-bus@02000000/pwm@020fc000:status disabled
Modify /soc/aips-bus@02000000/spba-bus@02000000/ecspi@02010000:status disabled
Modify /soc/aips-bus@02000000/spba-bus@02000000/ecspi@02014000:status disabled
Modify /soc/aips-bus@02100000/i2c@021a8000:status disabled
Modify /soc/aips-bus@02100000/i2c@021f8000:status disabled
Modify /soc/aips-bus@02000000/gpt@020e8000:status disabled
Modify /soc/aips-bus@02000000/epit@020d4000:status disabled
ft_system_setup for mx6
No PMIC found!

Starting kernel ...

[    0.000000] Booting Linux on physical CPU 0x0
[    0.000000] Linux version 4.1.15+gb63f3f5 (chenlong@gitlab) (gcc version 5.3.0 (GCC) ) #37 SMP PREEMPT Tue Jun 19 15:28:38 CST 2018
[    0.000000] CPU: ARMv7 Processor [410fc075] revision 5 (ARMv7), cr=10c53c7d
[    0.000000] CPU: PIPT / VIPT nonaliasing data cache, VIPT aliasing instruction cache
[    0.000000] Machine model: Freescale i.MX6 ULL 14x14 EVK Board
[    0.000000] Reserved memory: failed to allocate memory for node 'linux,cma'
[    0.000000] cma: Reserved 96 MiB at 0x8a000000
[    0.000000] Memory policy: Data cache writealloc
[    0.000000] PERCPU: Embedded 12 pages/cpu @89da3000 s16908 r8192 d24052 u49152
[    0.000000] Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 65024
[    0.000000] Kernel command line: console=ttymxc0,115200 ubi.mtd=3 root=ubi0:rootfs rootfstype=ubifs cma=96M mtdparts=gpmi-nand:3m(boot),7m(kernel),1m(dtb),-(rootfs) 
[    0.000000] PID hash table entries: 1024 (order: 0, 4096 bytes)
[    0.000000] Dentry cache hash table entries: 32768 (order: 5, 131072 bytes)
[    0.000000] Inode-cache hash table entries: 16384 (order: 4, 65536 bytes)
[    0.000000] Memory: 148920K/262144K available (8035K kernel code, 423K rwdata, 2812K rodata, 540K init, 426K bss, 14920K reserved, 98304K cma-reserved, 0K highmem)
[    0.000000] Virtual kernel memory layout:
[    0.000000]     vector  : 0xffff0000 - 0xffff1000   (   4 kB)
[    0.000000]     fixmap  : 0xffc00000 - 0xfff00000   (3072 kB)
[    0.000000]     vmalloc : 0x90800000 - 0xff000000   (1768 MB)
[    0.000000]     lowmem  : 0x80000000 - 0x90000000   ( 256 MB)
[    0.000000]     pkmap   : 0x7fe00000 - 0x80000000   (   2 MB)
[    0.000000]     modules : 0x7f000000 - 0x7fe00000   (  14 MB)
[    0.000000]       .text : 0x80008000 - 0x80aa01f8   (10849 kB)
[    0.000000]       .init : 0x80aa1000 - 0x80b28000   ( 540 kB)
[    0.000000]       .data : 0x80b28000 - 0x80b91fa0   ( 424 kB)
[    0.000000]        .bss : 0x80b94000 - 0x80bfeb5c   ( 427 kB)
[    0.000000] SLUB: HWalign=64, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
[    0.000000] Preemptible hierarchical RCU implementation.
[    0.000000]  Additional per-CPU info printed with stalls.
[    0.000000]  RCU restricting CPUs from NR_CPUS=4 to nr_cpu_ids=1.
[    0.000000] RCU: Adjusting geometry for rcu_fanout_leaf=16, nr_cpu_ids=1
[    0.000000] NR_IRQS:16 nr_irqs:16 16
[    0.000000] mxc_clocksource_init 24000000
[    0.000000] Switching to timer-based delay loop, resolution 41ns
[    0.000016] sched_clock: 32 bits at 24MHz, resolution 41ns, wraps every 89478484971ns
[    0.000055] clocksource mxc_timer1: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 79635851949 ns
[    0.002576] Console: colour dummy device 80x30
[    0.002617] Calibrating delay loop (skipped), value calculated using timer frequency.. 48.00 BogoMIPS (lpj=240000)
[    0.002651] pid_max: default: 32768 minimum: 301
[    0.002871] Mount-cache hash table entries: 1024 (order: 0, 4096 bytes)
[    0.002902] Mountpoint-cache hash table entries: 1024 (order: 0, 4096 bytes)
[    0.004249] CPU: Testing write buffer coherency: ok
[    0.004743] /cpus/cpu@0 missing clock-frequency property
[    0.004784] CPU0: thread -1, cpu 0, socket 0, mpidr 80000000
[    0.004894] Setting up static identity map for 0x80008280 - 0x800082d8
[    0.041169] Brought up 1 CPUs
[    0.041209] SMP: Total of 1 processors activated (48.00 BogoMIPS).
[    0.041229] CPU: All CPU(s) started in SVC mode.
[    0.042328] devtmpfs: initialized
[    0.063995] VFP support v0.3: implementor 41 architecture 2 part 30 variant 7 rev 5
[    0.064876] clocksource jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604462750000 ns
[    0.072728] pinctrl core: initialized pinctrl subsystem
[    0.075402] NET: Registered protocol family 16
[    0.093456] DMA: preallocated 256 KiB pool for atomic coherent allocations
[    0.120891] cpuidle: using governor ladder
[    0.150945] cpuidle: using governor menu
[    0.193816] hw-breakpoint: found 5 (+1 reserved) breakpoint and 4 watchpoint registers.
[    0.193852] hw-breakpoint: maximum watchpoint size is 8 bytes.
[    0.197045] imx6ul-pinctrl 20e0000.iomuxc: Invalid fsl,pins property in node /soc/aips-bus@02000000/iomuxc@020e0000/imx6ul-evk/hoggrp-1
[    0.197751] imx6ul-pinctrl 20e0000.iomuxc: initialized IMX pinctrl driver
[    0.198424] imx6ul-pinctrl 2290000.iomuxc-snvs: initialized IMX pinctrl driver
[    0.258291] mxs-dma 1804000.dma-apbh: initialized
[    0.264946] SCSI subsystem initialized
[    0.266389] usbcore: registered new interface driver usbfs
[    0.266580] usbcore: registered new interface driver hub
[    0.266808] usbcore: registered new device driver usb
[    0.269337] i2c i2c-0: IMX I2C adapter registered
[    0.269384] i2c i2c-0: can't use DMA
[    0.270959] i2c i2c-1: IMX I2C adapter registered
[    0.271000] i2c i2c-1: can't use DMA
[    0.271306] Linux video capture interface: v2.00
[    0.271540] pps_core: LinuxPPS API ver. 1 registered
[    0.271564] pps_core: Software ver. 5.3.6 - Copyright 2005-2007 Rodolfo Giometti <giometti@linux.it>
[    0.271838] PTP clock support registered
[    0.274555] MIPI CSI2 driver module loaded
[    0.275251] Advanced Linux Sound Architecture Driver Initialized.
[    0.277394] Bluetooth: Core ver 2.20
[    0.277520] NET: Registered protocol family 31
[    0.277541] Bluetooth: HCI device and connection manager initialized
[    0.277581] Bluetooth: HCI socket layer initialized
[    0.277614] Bluetooth: L2CAP socket layer initialized
[    0.277697] Bluetooth: SCO socket layer initialized
[    0.279816] Switched to clocksource mxc_timer1
[    0.306527] NET: Registered protocol family 2
[    0.308171] TCP established hash table entries: 2048 (order: 1, 8192 bytes)
[    0.308275] TCP bind hash table entries: 2048 (order: 2, 16384 bytes)
[    0.308368] TCP: Hash tables configured (established 2048 bind 2048)
[    0.308505] UDP hash table entries: 256 (order: 1, 8192 bytes)
[    0.308565] UDP-Lite hash table entries: 256 (order: 1, 8192 bytes)
[    0.308988] NET: Registered protocol family 1
[    0.312418] imx rpmsg driver is registered.
[    0.315091] Bus freq driver module loaded
[    0.317442] futex hash table entries: 256 (order: 2, 16384 bytes)
[    0.335580] VFS: Disk quotas dquot_6.6.0
[    0.336041] VFS: Dquot-cache hash table entries: 1024 (order 0, 4096 bytes)
[    0.340311] jffs2: version 2.2. (NAND) © 2001-2006 Red Hat, Inc.
[    0.342101] fuse init (API version 7.23)
[    0.353298] io scheduler noop registered
[    0.353346] io scheduler deadline registered
[    0.353881] io scheduler cfq registered (default)
[    0.354905] imx-weim 21b8000.weim: Driver registered.
[    0.359458] lumi_r supply power not found, using dummy regulator
[    0.361643] lumi_b supply power not found, using dummy regulator
[    0.363409] lumi_g supply power not found, using dummy regulator
[    0.365696] MIPI DSI driver module loaded
[    0.366140] MIPI DSI driver module loaded
[    0.371933] imx-sdma 20ec000.sdma: no event needs to be remapped
[    0.372150] imx-sdma 20ec000.sdma: loaded firmware 3.3
[    0.380061] imx-sdma 20ec000.sdma: initialized
[    0.382144] 2020000.serial: ttymxc0 at MMIO 0x2020000 (irq = 19, base_baud = 5000000) is a IMX
[    1.031395] console [ttymxc0] enabled
[    1.036929] 21e8000.serial: ttymxc1 at MMIO 0x21e8000 (irq = 217, base_baud = 5000000) is a IMX
[    1.082853] imx-rng 2284000.rngb: iMX RNG Registered.
[    1.088576] imx sema4 driver is registered.
[    1.093064] [drm] Initialized drm 1.1.0 20060810
[    1.099023] [drm] Initialized vivante 1.0.0 20120216 on minor 0
[    1.131970] brd: module loaded
[    1.148912] loop: module loaded
[    1.152884] pn54x_dev_init-->lumi
[    1.156403] pn54x_probe
[    1.158923] pn544 1-0028: FIRM GPIO <OPTIONAL> error getting from OF node
[    1.165915] pn544 1-0028: CLKREQ GPIO <OPTIONAL> error getting from OF node
[    1.172985] 1-0028 supply nxp,pn54x-pvdd not found, using dummy regulator
[    1.180005] 1-0028 supply nxp,pn54x-vbat not found, using dummy regulator
[    1.186952] 1-0028 supply nxp,pn54x-pmuvcc not found, using dummy regulator
[    1.194109] 1-0028 supply nxp,pn54x-sevdd not found, using dummy regulator
[    1.201164] pn54x_probe: request irq_gpio 7
[    1.205391] pn54x_probe: request ven_gpio 3
[    1.210086] pn54x_probe : requesting IRQ 35
[    1.229557] nand: device found, Manufacturer ID: 0x2c, Chip ID: 0xda
[    1.236052] nand: Micron MT29F2G08ABAEAWP
[    1.240149] nand: 256 MiB, SLC, erase size: 128 KiB, page size: 2048, OOB size: 64
[    1.248534] gpmi-nand 1806000.gpmi-nand: enable the asynchronous EDO mode 5
[    1.256011] Bad block table found at page 131008, version 0x01
[    1.262160] Bad block table found at page 130944, version 0x01
[    1.268397] 4 cmdlinepart partitions found on MTD device gpmi-nand
[    1.274685] Creating 4 MTD partitions on "gpmi-nand":
[    1.279830] 0x000000000000-0x000000300000 : "boot"
[    1.287270] 0x000000300000-0x000000a00000 : "kernel"
[    1.294799] 0x000000a00000-0x000000b00000 : "dtb"
[    1.302051] 0x000000b00000-0x000010000000 : "rootfs"
[    1.310458] gpmi-nand 1806000.gpmi-nand: driver registered.
[    1.322448] ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
[    1.329052] ehci-mxc: Freescale On-Chip EHCI Host driver
[    1.334959] usbcore: registered new interface driver usb-storage
[    1.341269] usbcore: registered new interface driver usb_ehset_test
[    1.350183] 2184800.usbmisc supply vbus-wakeup not found, using dummy regulator
[    1.359244] 2184000.usb supply vbus not found, using dummy regulator
[    1.373860] mousedev: PS/2 mouse device common for all mice
[    1.381584] input: 20cc000.snvs:snvs-powerkey as /devices/platform/soc/2000000.aips-bus/20cc000.snvs/20cc000.snvs:snvs-powerkey/input/input0
[    1.399350] snvs_rtc 20cc000.snvs:snvs-rtc-lp: rtc core: registered 20cc000.snvs:snvs-r as rtc0
[    1.408562] i2c /dev entries driver
[    1.414997] IR NEC protocol handler initialized
[    1.419596] IR RC5(x/sz) protocol handler initialized
[    1.424788] IR RC6 protocol handler initialized
[    1.429372] IR JVC protocol handler initialized
[    1.433996] IR Sony protocol handler initialized
[    1.438658] IR SANYO protocol handler initialized
[    1.443449] IR Sharp protocol handler initialized
[    1.448203] IR MCE Keyboard/mouse protocol handler initialized
[    1.454124] IR XMP protocol handler initialized
[    1.464955] imx2-wdt 20bc000.wdog: use WDOG_B to reboot.
[    1.471366] imx2-wdt 20bc000.wdog: timeout 60 sec (nowayout=0)
[    1.478625] sdhci: Secure Digital Host Controller Interface driver
[    1.484961] sdhci: Copyright(c) Pierre Ossman
[    1.489378] sdhci-pltfm: SDHCI platform and OF driver helper
[    1.496842] /soc/aips-bus@02100000/usdhc@02190000: voltage-ranges unspecified
[    1.504130] sdhci-esdhc-imx 2190000.usdhc: could not get ultra high speed state, work on normal mode
[    1.514730] sdhci-esdhc-imx 2190000.usdhc: No vmmc regulator found
[    1.521028] sdhci-esdhc-imx 2190000.usdhc: No vqmmc regulator found
[    1.570060] mmc0: SDHCI controller on 2190000.usdhc [2190000.usdhc] using ADMA
[    1.604211] usbcore: registered new interface driver usbhid
[    1.610176] usbhid: USB HID core driver
[    1.614845] vf610-adc 2198000.adc: Debug vf610_adc_proble()
[    1.621166] 2198000.adc supply vref not found, using dummy regulator
[    1.627844] vf610-adc 2198000.adc: Debug[0] channels[2]
[    1.643496] wm8524_i2c_probe: 
[    1.650025] mmc0: new high speed SDIO card at address 0001
[    1.656475] wm8960 1-001a: Failed to issue reset
[    1.661537] wm8960: probe of 1-001a failed with error -5
[    1.670218] fsl-asrc 2034000.asrc: driver registered
[    1.683059] imx_wm8524_probe: 
[    1.686751] wm8524_probe: 
[    1.690973] imx-wm8524 sound2: wm8524-hifi <-> 2028000.sai mapping ok
[    1.698867] imx-wm8524 sound2: snd-soc-dummy-dai <-> 2034000.asrc mapping ok
[    1.706468] imx-wm8524 sound2: wm8524-hifi <-> 2028000.sai mapping ok
[    1.720174] NET: Registered protocol family 26
[    1.726819] NET: Registered protocol family 10
[    1.733626] sit: IPv6 over IPv4 tunneling driver
[    1.740329] NET: Registered protocol family 17
[    1.745151] Bluetooth: RFCOMM TTY layer initialized
[    1.750308] Bluetooth: RFCOMM socket layer initialized
[    1.755527] Bluetooth: RFCOMM ver 1.11
[    1.759345] Bluetooth: BNEP (Ethernet Emulation) ver 1.3
[    1.764758] Bluetooth: BNEP filters: protocol multicast
[    1.770082] Bluetooth: BNEP socket layer initialized
[    1.775095] Bluetooth: HIDP (Human Interface Emulation) ver 1.2
[    1.781109] Bluetooth: HIDP socket layer initialized
[    1.786121] 8021q: 802.1Q VLAN Support v1.8
[    1.790437] lib80211: common routines for IEEE802.11 drivers
[    1.796331] Key type dns_resolver registered
[    1.802586] cpu cpu0: dev_pm_opp_get_opp_count: device OPP not found (-19)
[    1.837399] ubi0: attaching mtd3
[    2.168158] random: nonblocking pool is initialized
[    2.525547] ubi0: scanning is finished
[    2.543900] ubi0: attached mtd3 (name "rootfs", size 245 MiB)
[    2.549703] ubi0: PEB size: 131072 bytes (128 KiB), LEB size: 126976 bytes
[    2.556735] ubi0: min./max. I/O unit sizes: 2048/2048, sub-page size 2048
[    2.563959] ubi0: VID header offset: 2048 (aligned 2048), data offset: 4096
[    2.571008] ubi0: good PEBs: 1956, bad PEBs: 4, corrupted PEBs: 0
[    2.577126] ubi0: user volume: 1, internal volumes: 1, max. volumes count: 128
[    2.584479] ubi0: max/mean erase counter: 8/1, WL threshold: 4096, image sequence number: 1813099077
[    2.593678] ubi0: available PEBs: 0, total reserved PEBs: 1956, PEBs reserved for bad PEB handling: 36
[    2.603059] ubi0: background thread "ubi_bgt0d" started, PID 73
[    2.609050] dhd_module_init in
[    2.613906] input: regulators:gpio-keys as /devices/platform/regulators/regulators:gpio-keys/input/input1
[    2.624240] snvs_rtc 20cc000.snvs:snvs-rtc-lp: setting system clock to 1970-01-01 00:11:40 UTC (700)
[    2.654574] gpio_dvfs: disabling
[    2.657853] vref-3v3: disabling
[    2.661122] can-3v3: disabling
[    2.664553] ALSA device list:
[    2.667544]   #0: wm8524-audio
[    2.692163] UBIFS (ubi0:0): recovery needed
[    2.730261] UBIFS (ubi0:0): recovery deferred
[    2.734814] UBIFS (ubi0:0): UBIFS: mounted UBI device 0, volume 0, name "rootfs", R/O mode
[    2.743266] UBIFS (ubi0:0): LEB size: 126976 bytes (124 KiB), min./max. I/O unit sizes: 2048 bytes/2048 bytes
[    2.753255] UBIFS (ubi0:0): FS size: 241635328 bytes (230 MiB, 1903 LEBs), journal size 12062720 bytes (11 MiB, 95 LEBs)
[    2.764175] UBIFS (ubi0:0): reserved for root: 4952683 bytes (4836 KiB)
[    2.770926] UBIFS (ubi0:0): media format: w4/r0 (latest is w4/r0), UUID AD7DD6E8-1329-4760-93D9-E1A4D3A2465D, small LPT model
[    2.783076] VFS: Mounted root (ubifs filesystem) readonly on device 0:14.
[    2.790952] devtmpfs: mounted
[    2.795054] Freeing unused kernel memory: 540K (80aa1000 - 80b28000)
INIT: version 2.88 booting
Starting udev
[    3.875137] udevd[105]: starting version 3.1.5
[    4.380347] UBIFS (ubi0:0): completing deferred recovery
[    4.429536] UBIFS (ubi0:0): background thread "ubifs_bgt0_0" started, PID 129
[    4.441919] UBIFS (ubi0:0): deferred recovery completed
INIT: Entering runlevel: 5
Configuring network interfaces... eth0: ERROR while getting interface flags: No such device
Running local boot scripts (/etc/rc.local)[    7.739683] RTL871X: module init start
[    7.747651] RTL871X: rtl8723bs v4.4.2_17831.20160519_BTCOEX20151223-654a
[    7.754687] RTL871X: build time: Mar 29 2017 03:05:03
[    7.759763] RTL871X: rtl8723bs BT-Coex version = BTCOEX20151223-654a
[    7.775264] RTL871X: rtw_hal_config_rftype RF_Type is 3 TotalTxPath is 1 
[    7.782169] RTL871X: Chip Version Info: CHIP_8723B_Normal_Chip_TSMC_F_CUT_1T1R_RomVer(0)
[    7.793764] RTL871X: SetHwReg8723B: bMacPwrCtrlOn=1
[    7.799470] RTL871X: PowerOnCheck: val_mix:0x0000063f, res:0x0000063f
[    7.805982] RTL871X: PowerOnCheck: 0x100 the result of cmd52 and cmd53 is the same.
[    7.813840] RTL871X: PowerOnCheck: 0x1B8 test Pass.
[    7.819359] RTL871X: ReadAdapterInfo8723BS, 0x4e=0xe2
[    7.824620] RTL871X: EEPROM type is E-FUSE
[    7.829414] RTL871X: hal_EfuseSwitchToBank: Efuse switch bank to 0
[    7.910866] RTL871X: hal_ReadEFuse_WiFi: data end at address=0xad
[    7.916985] RTL871X: Efuse Realmap:
[    7.920524] 
[    7.922032] 29 81 03 7C 51 08 28 00 62 07 0D 45 10 02 00 00 
[    7.927968] 2B 2B 2B 2B 2B 2B 2D 2D 2D 2D 2D E0 FF FF FF FF 
[    7.933938] FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
[    7.939900] FF FF FF FF FF FF FF FF FF FF 2D 2D 2D 2D 2D 2D 
[    7.945834] 2D 2D 2D 2D 2D E0 FF FF FF FF FF FF FF FF FF FF 
[    7.951802] FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
[    7.957735] FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
[    7.963767] FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
[    7.969700] FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
[    7.975719] FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
[    7.981689] FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
[    7.987622] FF FF FF FF FF FF FF FF 20 23 1C 00 00 00 FF FF 
[    7.993590] FF 29 20 11 00 00 00 FF 00 FF 12 FF FF FF FF FF 
[    7.999521] 3E 10 01 02 23 00 00 FF 20 04 4C 02 23 B7 21 02 
[    8.005485] 0C 00 22 04 00 08 00 32 FF 21 02 0C 00 22 2A 01 
[    8.011448] 01 00 00 00 00 00 00 00 00 00 00 00 02 00 FF FF 
[    8.017377] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
[    8.023333] 00 EB 00 6E 01 00 00 00 00 FF 58 B3 FC 71 E3 04 
[    8.029264] FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
[    8.035223] FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
[    8.041185] FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
[    8.047118] FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
[    8.053120] FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
[    8.059054] FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
[    8.065079] FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
[    8.071048] FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
[    8.076980] FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
[    8.082946] FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
[    8.088878] FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
[    8.094840] FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
[    8.100799] FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
[    8.106732] FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
[    8.120782] RTL871X: Hal_EfuseParseBTCoexistInfo_8723B: Enable BT-coex, ant_num=1
[    8.128294] RTL871X: hal_com_config_channel_plan chplan:0x20
[    8.134822] RTL871X: Hal_EfuseParsePackageType_8723B phy efuse read 0x1FB =fc 
[    8.142249] RTL871X: PackageType = 0x4
[    8.146017] RTL871X: Hal_EfuseParseVoltage_8723B hwinfo[EEPROM_Voltage_ADDR_8723B] =62 
[    8.154135] RTL871X: Hal_EfuseParseVoltage_8723B pHalData->adjuseVoltageVal =6 
[    8.161496] RTL871X: AutoloadFail =0,
[    8.165509] RTL871X: pHalData->EEPROMRFGainVal=33
[    8.170276] RTL871X: EEPRORFGainOffset = 0x29
[    8.175803] RTL871X: SetHwReg8723B: bMacPwrCtrlOn=0
[    8.181748] RTL871X: rtw_hal_read_chip_info in 390 ms
[    8.187099] RTL871X: init_channel_set((null)) ChannelPlan ID:0x20, ch num:13
[    8.195421] RTL871X: rtw_alloc_macid((null)) if1, hwaddr:ff:ff:ff:ff:ff:ff macid:1
[    8.203190] RTL871X: Init_ODM_ComInfo_8723b(): fab_ver=0 cut_ver=0
[    8.209413] RTL871X: rtw_macaddr_cfg mac addr:58:b3:fc:71:e3:04
[    8.215731] RTL871X: bDriverStopped:True, bSurpriseRemoved:False, bup:0, hw_init_completed:0
[    8.224331] RTL871X: rtw_wiphy_alloc(phy0)
[    8.228450] RTL871X: rtw_wdev_alloc(padapter=90d39000)
[    8.233663] RTL871X: rtw_wiphy_register(phy0)
[    8.238036] RTL871X: Register RTW cfg80211 vendor cmd(0x67) interface 
[    8.248770] RTL871X: rtw_ndev_init(wlan0) if1 mac_addr=58:b3:fc:71:e3:04
[    8.281940] RTL871X: module init ret=0
====================================
========== start mi=================
====================================
fac_test bulid time:06:57:28 Aug 31 2018
gobal_cmd_list size 3204
Input cmd:

When I enter help:

help
    --Print help.
ver
    --Get fireware version.
LED01
    --LED RED ON.
LED11
    --LED Green ON.
LED21
    --LED BLUE ON.
LED3
    --LED white ON.
LED00
    --LED OFF.
LUMEN
    --Return illumination value.
speaker
    --Play 1khz sinusoidal sound.
key
    --Test key.
m_play
    --Play music.Usage : m_play name volume.
test_mfi
    --Test the mfi chip.
cmd_chk_zig
    --Test the zigbee chip communication, return zigbee chip firmware version
join
    --Zigbee join.
remove
    --remove device.
get_zig_temp
    --Get zigbee temperature.
cali_temp
    --Cal zigbee temperature.
test_zig_rf
    --Test zigbee rf.
test_ota
    --Test zigbee ota.
devices
    --Show the device in zigbee.
wifi_mac
    --Return wifi mac.
wifi
    --Return wifi rssi.
set_wifi_mac
    --set wifi mac for realtek modual.
set_wifi_modual
    --set wifi modual.
set_sn
    --Set soft version,usage:set_sn 123456.
get_sn
    --Get soft version.
set_hd_ver
    --Set hardware version,usage:set_hd_ver 123.
get_hd_ver
    --Get hardware version.
setup_code
    --Set homekit setup code.
set_language
    --Set homekit language.
set_hk_model
    --Set homekit model.
get_setup_code
    --get homekit setup code.
set_did
    --set mi did key mac model.
get_did
    --get mi did key mac model.
nfc_poll
    --NFC polling.
exit_factory
    --Exit test.
test_ok
    --Create the test ok file and exit test.
test_pcba
    --PCBA Test.
get_result
    --Get PCBA Test result.
reboot
    --Reboot.

get_did is quite interesting because it responds with:

did=...
key=...
mac=...
vendor=lumi
model=lumi.gateway.mieu01

exit_factory and we get to:

Exit test...
OK
.
umount: /mnt/.psplash: not mounted

Freescale i.MX Release Distro 4.1.15-2.0.0 imx6ull14x14evk /dev/ttymxc0

imx6ull14x14evk login:

And I’m stuck. root:root isn’t working. I tried some combinations but without success.

Any ideas?

Update:

  1. I managed to get to bootloader.
  2. I managed to change root password.
  3. I managed to get into the OS! Success!

Now: there’s no psm-... commands in it!

Update 2:

netstat -tlpun
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:54322         0.0.0.0:*               LISTEN      377/miio_client 
tcp        0      0 127.0.0.1:54323         0.0.0.0:*               LISTEN      377/miio_client 
udp        0      0 0.0.0.0:10008           0.0.0.0:*                           11982/gw        
udp        0      0 0.0.0.0:54321           0.0.0.0:*                           377/miio_client 
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           377/miio_client

Finally I can make it reopen port 9898.

My gateway is CHINA version. I don”t think other region version can open lan control.

cadavre seems you have exactly same gateway version as mine and definitely you are few steps ahead of me. Could you please share info which are RX/TX pins (please upload some photo if possible)?

@Pawel_Kowalski fairly simple:

I never know how to describe RX/TX so it might be otherwise. :stuck_out_tongue:

There are two ways of connecting:

To get to bootloader:

  1. Solder GND, RX and TX.
  2. Attach GND, RX and TX to UART 3.3V.
  3. You can connect all three pins, but do not connect UART to USB yet.
  4. Plug Gateway to AC.
  5. Plug UART to USB. Baudrate is 115200, 8-1, no parity and no flow control.
  6. Press enter and you’ll see a prompt from HUSH shell of bootloader.
  7. You can play here to reset root password. Look below.

To get into boot process:
1-2. As above, if haven’t done already.
3. Connect all three ping to UART and connect UART to USB.
4. Baudrate is 115200, 8-1, no parity and no flow control.
5. Plug Gateway to AC.
6. You’ll get into boot process finishing with starting mi.
7. You’ll end up in fac_test (factory test tool) that is launched at the very end of booting process (in /etc/rc.local).
8. You can exit this mode with exit_factory.
9. You’ll end up with login prompt into device and unknown root password.

To reset root password:

  1. Boot into bootloader.
  2. Enter printenv command.
  3. Find bootargs=... and copy all after bootargs= – for me it was “console=…”.
  4. Open notepad.
  5. Enter text: setenv bootargs '
  6. Paste copied text.
  7. Enter text: single rw init=/bin/bash' (whitespace before “single”!).
  8. You’ll end up with smth like setenv bootargs 'console=... someparams single rw init=/bin/bash'.
  9. Press enter. No message should show up. If anything shows – you copied smth wrong (watch out for quotes and whitespaces).
  10. Now you’re done for single-user root booting.
  11. Before you enter boot command to boot with new bootargs – prepare that you’ll have around 5s to change the root password. I don’t know why, but my prompt freezes after 5s.. You must set password that is at least long for 8 chars and contains alpfanumeric signs. Prepare password in notepad and copy it into clipboard – you’ll just paste it twice fast.
  12. Enter boot. Press enter.
  13. Now boot process will start and you’ll end up in bash# prompt.
  14. Now you have 5s.
  15. Enter passwd, press enter.
  16. Paste twice password from clipboard.
  17. You’ll end up with “root password changed”.
  18. Success!
  19. Now simply turn off AC, plug UART into USB so it will follow boot process instead of going into bootloader, turn on AC again.
  20. Wait for boot process to end, exit factory mode.
  21. In login prompt enter root and your password from notepad/clipboard.

Now you have root access to your gateway’s Linux.

What I’ve found so far:

  1. This gateway looks like supporting HomeKit – check two different /etc/rc.local.* – one for mi and one for homekit.
  2. In default “mi” mode – there are two main processes running:
    • miio_client – responsible for communication with Mi Cloud. (/lumi/app/miio)
    • miio_client_helper_nomqtt.sh – miio_client helper that uses miio_recv_line and miio_send_line to mock communication between gateway and miio_client.
    • gw – gateway binary to communicate with sensor devices.
  3. This one is interesting – you can launch SSH server on your gateway. :slight_smile: In rc.local you just need to add dropbear -p 22 just before fac_test. After this is removed my soldered pins and use gateway via SSH on port 22.

Finally

$ netstat -ulptn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:54322         0.0.0.0:*               LISTEN      368/miio_client 
tcp        0      0 127.0.0.1:54323         0.0.0.0:*               LISTEN      368/miio_client 
udp        0      0 0.0.0.0:10008           0.0.0.0:*                           5632/gw         
udp        0      0 0.0.0.0:54321           0.0.0.0:*                           368/miio_client 
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           368/miio_client

This actually shows that in case of Mija Gateway EU it’s not about “opening the ports”, because there are no actual multicast services working in the background. Nothing listens on 4321, 9898 etc.

3 Likes

It should be connected to the power.

It should not be connected to FTDI power – no 3.3V and no 5V. Only RX/TX/GND.

But it must be connected to the regular 230V, so plug it into cord with switch – it will ease up the process, because you’ll on/off a lot! :wink:

Thanks for the topic, I’ve also couldn’t add the gateway to the OH with only the MI Home app. I’ve just followed the instructions, and successfully set the port to open. Just a notice, you have to reboot the gateway for the changes to taking effect. After the reboot, the gateway discovered and added to the OH inbox immediately.

I have round text. Version 167 of the firmware. Is not auto discovered. Is there a software solution to the problem?

Hello everybody,

first of all, sorry for my simple English, that is not one of my favourites. :wink:

I have already run two Xiaomi MI V2 Gateways (lumi-gateway-v3) in my OH2 system. Everything works fine. I bought them last year, run them for some month only with MI Home App and setup OH2 last month. Both have actual firmware (167) and square text (ST). Auto discovery works fine and I activate the developer network settings first I setup the OH system.

I bought two more gateways and I tried to include them yesterday in my OH system. The first one I setup as described in the OH manual with firmware update as first step after including in MI Home App (->167). No auto discovery in OH! The second gateway I did not update the firmware, also no auto discovery in OH. Both are with round text (RT).

I spend the whole day yesterday to keep them running in OH without any success. I changed a lot of network configuration, install a new OH on a second computer… all the tips I read in the web… nothing helps.

Until I found this solution. My technical skills are similar to my English - I don’t know much about UART. And I am affright to destroy more then to repair it :slight_smile:

But I tried the way with the second gateway: first enable the developer network and after that update the firmware. IT WORKS!!! Without any UART and the things I only understand half. Directly after firmware update auto discovery works.

So, I have two new gateways with round text:

  1. Gateway: setup in MI Home App -> Firmware Update -> Open Developer Network -> no auto discovery in OH :face_with_symbols_over_mouth:

  2. Gateway: setup in MI Home App -> Open Developer Network -> no auto discovery in OH :face_with_symbols_over_mouth: -> Firmware Update (->167) -> auto discovery in OH :partying_face:

So, I have still one gateway which don’t work. I wait until the next firmware update, maybe I can “repair” it on this way?!?

Somebody has to change the sequence in the binding description/manual. If you first open the developer network and update the firmware after this step it seems to solve the problem.

Thanks for this thread, it was very helpful for me, even if I cannot implement the technical solution.

Sebastian

Update: 11.07.2019:
I wait some month for a firmware update of the gateway, hopes that will open the port. Due to the reason it takes a long time I buy a new one and follow my second way. It doesn’t work again, port is closed no discovery in OH. Also the firmware update dose not open the port as I hoped :face_with_symbols_over_mouth:

I have no experience with UART or soldering, but I bought a UART, some cabels and I found a 40 year old soldering iron from my childhood and I follow the instructions post 114. It works now :partying_face:, this is the right way to do it. Very helpful for me was also the spanish You-Tube Video - I don’t understand spanish but it was very helpful to follow the steps. Only the information displayed in putty was completely different. I only want to share the video to the community and I want to correct my statement above - they way discribed worked once but is not a solution at all.

I added a PR to recommend enabling the developer mode prior to updating the firmware. Hopefully I did that correctly.

Hi, Thanks for all the info on this thread. I tried to connect an Aqara gateway and found no way to enable the developer mode. Has anybody tried the procedure with the UART on an Aqara gateway?

I tried it.
I activated SSH / dropbear (@cadavre after a first /etc/init.d/dropbear start / stop).

Disclaimer: I’m new to Xiaomi miio stuff.
It looks like the “gw” binary (made by aqara/lumi) is just connecting to miio_client (to me, it looks like it’s the normal way to integrate into the Mi Ecosystem) and exposes a “miio like” interface on port 10008. I tried to connect to this port using the device token and key (present in /lumi/conf/device.conf) without any luck.
However I stopped looking for a way to connect to this port as I used strace (yes there is strace on this beast!).
strace -s 1500 -f -p will show you that “gw” is continuously exchanging unencrypted messages with miio_client AND pushing events! (grep on recv or send)
If I’m right and the port 10008 is just a “miio like” access, then it won’t push any event -> need to poll.

Thus, I decided to replace the “miio_client” and made a modified version of miio_client (see: https://github.com/dgiese/dustcloud/tree/master/devices/xiaomi.vacuum/miio_client_os).
The ARM binary is available here: https://ufile.io/3drwy5uc
To use it, just copy it to /tmp/ using ssh/scp and then launch: killall miio_client && /tmp/miio_client

It will replace the original Xiaomi miio client and launch this one. This “miio_client” will accept the connection from gw binary and answer to “local.*” requests. It acts like a relay.
(It should be possible to make an ota update with it, see dustcloud. If you need a .bin file there is one in /home/root/fac)

You will now be able to connect to UDP port 54321 (nc -u 54321) and all messages from “gw” will be sent to you. (except local ones which will only display in your ssh session)
You can also directly send commands to the gateway by entering a method (ie: {“id”:132,“method”:“get_arming”}).

Hi @rothm .

I have the Aqara Gateway, the one that has rouded text in the back, and says Aqara at front in the middle of the circle. I believe you have the same one. Please correct me if I’m wrong.

What would this replacement of the miio_client binary would allow us to do.
I get what you say about communicating with the gateway, but this binding would still be useless. Right?
Thanks

The protocol used between miio_client and gw binaries is a Mi one as far as I know.
(I own a mieu01)
So, using the miio_client I posted, you would need a binding talking the local miio protocol…

However, in the gw binary, there are these strings which look like Aqara local API:
{“cmd”:“read”,“model”:"%s",“sid”:"%llx",“short_id”:"%d",“token”:"%d",“data”:"{%s}"}
{“cmd”:“write”,“model”:"%s",“sid”:"%llx",“short_id”:"%d",“token”:"%d",“data”:"{%s}"}
{“cmd”:“subdevice_ota”,“model”:"%s",“sid”:"%llx",“ota_status”:"%d",“current_version”:"%d"}
{“cmd”:“subdevice_ota”,“model”:"%s",“sid”:"%llx",“ota_status”:"%d"}
{“cmd”:“report”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{"%s":"%s"}"}
{“cmd”:“report”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{"%s":"%d"}"}
{“cmd”:“report”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{"%s":“rotate”,“degree”:"%g",“time”:"%d"}"}
{“cmd”:“report”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{"%s":"%g"}"}
{“cmd”:“report_unknow_device”,“model”:“unknown device”,“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{“status”:"%d"}"}
{“cmd”:“report”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"%s"}
{“cmd”:“remove_device”,“sid”:"%llx",“token”:"%d",“short_id”:0,“model”:"%s",“data”:"" }
{“cmd”:“dongle_info”,“info_type”:"%x",“token”:"%d",“data”:"{“status”:"%d", “ResultListSize”:"%d", “EnergyDetectChannel”:"%d", “EnergyValue”:"%d"}"}
{“cmd”:“dongle_info”,“info_type”:"%x",“token”:"%d",“data_len”:"%d",“data”:"%s"}
{“cmd”:“zigbee_join”,“model”:"%s",“sid”:"%llx",“token”:"%d",“short_id”:%d,“data”:""}
{“cmd”:“zigbee_join”,“model”:"%s",“sid”:"%llx",“token”:"%d",“short_id”:%d,“join_version”:"%d",“data”:""}
{“cmd”:“update_device”,“sid”:"%llx",“token”:"%d",“short_id”:%d,“data”:"{“status”:“announce”}"}
{“cmd”:“model_id_report”,“model”:"%s",“sid”:"%llx",“token”:"%d",“short_id”:%d,“data”:""}
{“cmd”:“heartbeat”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{“battery”:"%d", “voltage”:"%d", “lqi”:"%d", “pv_state”:"%d", “cur_state”:"%d", “pre_state”:"%d", “power_tx”:"%d", “CCA”:"%d", “send_all_cnt”:"%d", “send_fail_cnt”:"%d", “resend_sucess_cnt”:"%d", “resend_sucess_avg_cnt”:"%d", “reset_cnt”:"%d", “chip_temperature”:"%d"}"}
{“cmd”:“heartbeat”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{“voltage”:"%d", “battery”:"%d"}"}
{“cmd”:“heartbeat”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{“lqi”:"%d", “chip_temperature”:"%d", “reset_cnt”:"%d", “fw_ver”:"%d", “hw_ver”:"%d", “status”:"%d", “power_consumed”:"%g", “load_voltage”:"%d", “power”:"%g"}"}
{“cmd”:“heartbeat”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{“version”:"%d.%d.%d", “status”:"%s", “power_consumed”:"%g", “load_voltage”:"%d", “power”:"%g"}"}
{“cmd”:“heartbeat”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{“lqi”:"%d", “chip_temperature”:"%d", “reset_cnt”:"%d", “fw_ver”:"%d", “hw_ver”:"%d", “curtain_level”:"%d"}"}
{“cmd”:“heartbeat”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{“version”:"%d.%d.%d", “curtain_level”:"%d"}"}
{“cmd”:“heartbeat”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{“lqi”:"%d", “chip_temperature”:"%d", “reset_cnt”:"%d", “fw_ver”:"%d", “hw_ver”:"%d", “channel_0”:"%d", “channel_1”:"%d", “power_consumed”:"%g", “load_voltage”:"%d", “power”:"%g", “power_factor”:"%d", “load_current”:"%g", “load_s0”:"%d", “load_s1”:"%d"}"}
{“cmd”:“heartbeat”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{“version”:"%d.%d.%d", “channel_0”:"%s", “channel_1”:"%s", “power_consumed”:"%g", “load_voltage”:"%d", “power”:"%g"}"}
{“cmd”:“heartbeat”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{“lqi”:"%d", “chip_temperature”:"%d", “reset_cnt”:"%d", “fw_ver”:"%d", “hw_ver”:"%d",“energy_0”:"%g",“energy_1”:"%g",“energy_2”:"%g",“energy_3”:"%g",“load_power_0”:"%g",“load_power_1”:"%g",“load_power_2”:"%g",“load_power_3”:"%g"}"}
{“cmd”:“heartbeat”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{“lqi”:"%d", “chip_temperature”:"%d", “reset_cnt”:"%d", “fw_ver”:"%d", “hw_ver”:"%d", “channel_0”:"%d", “channel_1”:"%d", “power_consumed”:"%g", “load_voltage”:"%d", “power”:"%g"}"}
{“cmd”:“heartbeat”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{“lqi”:"%d", “chip_temperature”:"%d", “reset_cnt”:"%d", “fw_ver”:"%d", “hw_ver”:"%d", “channel_0”:"%d", “power_consumed”:"%g", “load_voltage”:"%d", “power”:"%g"}"}
{“cmd”:“heartbeat”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{“version”:"%d.%d.%d", “channel_0”:"%s", “power_consumed”:"%g", “load_voltage”:"%d", “power”:"%g"}"}
{“cmd”:“heartbeat”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{“lqi”:"%d", “voltage”:"%d", “pre_state”:"%d", “cur_state”:"%d", “power_tx”:"%d", “CCA”:"%d", “reset_cnt”:"%d", “send_all_cnt”:"%d", “send_fail_cnt”:"%d", “send_retry_cnt”:"%d", “parent”:"%x", “temperature”:"%d", “humidity”:"%d", “battery”:"%d"}"}
{“cmd”:“heartbeat”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{“lqi”:"%d", “voltage”:"%d", “pre_state”:"%d", “cur_state”:"%d", “power_tx”:"%d", “CCA”:"%d", “reset_cnt”:"%d", “send_all_cnt”:"%d", “send_fail_cnt”:"%d", “send_retry_cnt”:"%d", “parent”:"%x", “temperature”:"%d", “humidity”:"%d", “pressure”:"%d", “battery”:"%d"}"}
{“cmd”:“heartbeat”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{“voltage”:"%d", “temperature”:"%d", “humidity”:"%d"}"}
{“cmd”:“heartbeat”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{“voltage”:"%d", “temperature”:"%d", “humidity”:"%d", “pressure”:"%d"}"}
{“cmd”:“heartbeat”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{“lqi”:"%d", “voltage”:"%d", “chip_temperature”:"%d", “pre_state”:"%d", “cur_state”:"%d", “power_tx”:"%d", “CCA”:"%d", “reset_cnt”:"%d", “send_all_cnt”:"%d", “send_fail_cnt”:"%d", “send_retry_cnt”:"%d", “parent”:"%x", “invalid_count”:"%d", “wakeup_num”:"%d", “disturbance_num”:"%d", “param_version”:"%d", “battery”:"%d"}"}
{“cmd”:“heartbeat”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{“voltage”:"%d"}"}
{“cmd”:“heartbeat”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{“lqi”:"%d", “voltage”:"%d", “chip_temperature”:"%d", “reset_cnt”:"%d", “parent”:"%x", “fw_ver”:"%d", “hw_ver”:"%d", “battery”:"%d", “fing_remain_num”:"%d", “card_remain_num”:"%d", “psw_remain_num”:"%d", “open_lock_times”:"%d", “tongue_state”:"%d"}"}
{“cmd”:“heartbeat”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{ “voltage”:"%d", “fw_ver”:"%d", “hw_ver”:"%d", “battery”:"%d"}"}
{“cmd”:“heartbeat”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{“lqi”:"%d", “chip_temperature”:"%d", “reset_cnt”:"%d", “fw_ver”:"%d", “hw_ver”:"%d", “parent”:"%x", “channel_0”:"%d", “load_s0”:"%d", “power”:"%d"}"}
{“cmd”:“heartbeat”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{“version”:"%d.%d.%d", “channel_0”:"%s"}"}
{“cmd”:“heartbeat”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{“lqi”:"%d", “chip_temperature”:"%d", “reset_cnt”:"%d", “fw_ver”:"%d", “hw_ver”:"%d", “parent”:"%x", “channel_0”:"%d", “channel_1”:"%d", “load_s0”:"%d", “load_s1”:"%d", “power”:"%d"}"}
{“cmd”:“heartbeat”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{“version”:"%d.%d.%d", “channel_0”:"%s", “channel_1”:"%s"}"}
{“cmd”:“heartbeat”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{“lqi”:"%d", “voltage”:"%d", “chip_temperature”:"%d", “pre_state”:"%d", “cur_state”:"%d", “power_tx”:"%d", “CCA”:"%d", “reset_cnt”:"%d", “send_all_cnt”:"%d", “send_fail_cnt”:"%d", “send_retry_cnt”:"%d", “parent”:"%x", “battery”:"%d"}"}
{“cmd”:“heartbeat”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{“lqi”:"%d", “voltage”:"%d", “chip_temperature”:"%d", “pre_state”:"%d", “cur_state”:"%d", “power_tx”:"%d", “CCA”:"%d", “reset_cnt”:"%d", “send_all_cnt”:"%d", “send_fail_cnt”:"%d", “send_retry_cnt”:"%d", “parent”:"%x", “battery”:"%d", “lux”:"%d"}"}
{“cmd”:“heartbeat”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{“voltage”:"%d",“lux”:"%d"}"}
{“cmd”:“heartbeat”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{“lqi”:"%d", “voltage”:"%d", “chip_temperature”:"%d", “pre_state”:"%d", “cur_state”:"%d", “power_tx”:"%d", “CCA”:"%d", “reset_cnt”:"%d", “send_all_cnt”:"%d", “send_fail_cnt”:"%d", “send_retry_cnt”:"%d", “parent”:"%x", “battery”:"%d", “status”:"%s"}"}
{“cmd”:“heartbeat”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{“lqi”:"%d", “voltage”:"%d", “chip_temperature”:"%d", “pre_state”:"%d", “cur_state”:"%d", “power_tx”:"%d", “CCA”:"%d", “reset_cnt”:"%d", “send_all_cnt”:"%d", “send_fail_cnt”:"%d", “send_retry_cnt”:"%d", “parent”:"%x", “battery”:"%d", “fw_ver”:"%d", “hw_ver”:"%d", “wakeup_num”:"%d", “disturbance_num”:"%d"}"}
{“cmd”:“heartbeat”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{“lqi”:"%d", “chip_temperature”:"%d", “reset_cnt”:"%d", “fw_ver”:"%d", “hw_ver”:"%d", “parent”:"%x", “density”:"%d", “voltage”:"%d", “alarm”:"%d", “sensor_info”:"%d" }"}
{“cmd”:“heartbeat”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{“density”:"%g", “voltage”:"%d"}"}
{“cmd”:“heartbeat”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{“lqi”:"%d", “chip_temperature”:"%d", “reset_cnt”:"%d", “fw_ver”:"%d", “hw_ver”:"%d", “density”:"%d", “sensor_info”:"%d", “alarm”:"%d"}"}
{“cmd”:“heartbeat”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{“density”:"%g", “alarm”:"%d"}"}
{“cmd”:“heartbeat”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{“voltage”:"%d", “status”:"%s"}"}
{“cmd”:“heartbeat”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{“lqi”:"%d", “chip_temperature”:"%d", “reset_cnt”:"%d", “fw_ver”:"%d", “hw_ver”:"%d", “parent”:"%x", “power_status”:"%d", “light_level”:"%d", “colour_temperature”:"%d"}"}
{“cmd”:“heartbeat”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{“lqi”:"%d", “voltage”:"%d", “chip_temperature”:"%d",“pre_state”:"%d", “cur_state”:"%d", “power_tx”:"%d",“CCA”:"%d",“reset_cnt”:"%d",“send_all_cnt”:"%d",“send_fail_cnt”:"%d",“send_retry_cnt”:"%d",“parent”:"%x",“wakeup_num”:"%d",“disturbance_num”:"%d",“coordination”:"%lld"}"}
{“cmd”:“heartbeat”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{“lqi”:"%d", “chip_temperature”:"%d", “reset_cnt”:"%d", “fw_ver”:"%d", “hw_ver”:"%d", “red”:"%d", “green”:"%d", “blue”:"%d"}"}
{“cmd”:“heartbeat”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{“red”:"%d", “green”:"%d", “blue”:"%d"}"}
{“cmd”:“heartbeat”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{“lqi”:"%d", “chip_temperature”:"%d", “reset_cnt”:"%d", “fw_ver”:"%d", “hw_ver”:"%d",“ac_state”:"%d",“bindhtaddr”:"%d"}"}
{“cmd”:“heartbeat”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{“fw_ver”:"%d", “hw_ver”:"%d",“ac_state”:"%d"}"}
{“cmd”:“heartbeat”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{“lqi”:"%d", “chip_temperature”:"%d", “reset_cnt”:"%d", “fw_ver”:"%d", “hw_ver”:"%d",“ac_state”:"%d",“bindhtaddr”:"%d",“co2”:"%d",“temp_humi_src”:"%d"}"}
{“cmd”:“heartbeat”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{“fw_ver”:"%d", “hw_ver”:"%d",“ac_state”:"%d",“temp_humi_src”:"%d"}"}
{“cmd”:“heartbeat”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{“lqi”:"%d", “chip_temperature”:"%d", “reset_cnt”:"%d", “fw_ver”:"%d", “hw_ver”:"%d"}"}
{“cmd”:“heartbeat”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{“fw_ver”:"%d", “hw_ver”:"%d"}"}
{“cmd”:“report”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{“encrypt_state”:"%d"}"}
{“cmd”:“report”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{"%s":"%d","%s":"%d"}"}
{“cmd”:“report”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{"%s":"%d","%s":"%s"
{“cmd”:“report”,“model”:“rgbw_light”,“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{“hue”:"%d",“saturation”:"%d",“color_temperature”:"%d",“x”:"%d",“y”:"%d"}"}
{“cmd”:“report”,“model”:“light.aqcn02”,“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{“color_temperature”:"%d"}"}
{“cmd”:“report”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{“red”:"%d",“green”:"%d",“blue”:"%d"}"}
{“cmd”:“report”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{"%s":"%s",“source”:"%d"}"}
{“cmd”:“report”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{"%s":"%d",“source”:"%d"}"}
{“cmd”:“report”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{"%s":"%014llx"}"}
{“cmd”:“report”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{"%s":"%lld"}"}
{“cmd”:“report”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d", “data”:"{“sensitve_level”:"%s", “version”:"%s", “noise”:"%s", “alarm”:"%d", “simulate_alarm”:"%s"}"}
{“cmd”:“report”,“model”:“dongle”,“token”:"%d",“data”:"{“rf_test”:“complete”}"}
{“cmd”:“report”,“model”:“switch”,“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{“status”:“long_click_press”}"}

I’m also providing the methods that can be invoked using through the miio_client local protocol:
change_router
miIO.config_router
get_prop
start_zigbee_join
get_zigbee_channel
toggle_plug
toggle_ctrl_neutral
send_data_frame
miIO.xset
miIO.xdel
get_lumi_bind
update_neighbor_token
play_alarm_clock
list_music
miIO.ota
miIO.reboot
miIO.restore
local.time
miIO.get_ota_state
miIO.get_ota_progress
welcome
delete_user_music
download_user_music
toggle_light
set_corridor_light
get_corridor_light
set_corridor_on_time
get_corridor_on_time
set_rgb
set_night_light_rgb
get_night_light_rgb
get_rgb
get_clock_volume
set_mute
get_mute
set_clock_volume
get_download_progress
local.status
get_arming
get_doorbell_push
get_arm_wait_time
get_arming_time
get_gateway_volume
get_doorbell_volume
get_alarming_volume
set_arming
set_doorbell_push
set_arm_wait_time
set_gateway_volume
set_doorbell_volume
set_alarming_volume
set_sound_playing
toggle_device
set_curtain_level
get_music_info
set_default_music
play_music_new
dis_alarm
get_prop_plug
get_prop_ctrl_neutral
get_prop_sensor_ht
get_device_prop
set_device_prop
get_device_prop_exp
linkage_alarm
miIO.info
ctrl_device_prop

(sorry for this very long post)

Hi guys,

I just got my new Aqara gateway v3 and was a bit disappointed, that the developer mode isn’t that easy accessible anymore as in the former versions of to the Aqara gateway or the gateway.

I wasn’t able to get the dev mode/key out of the current iOS app nor the current android app (Unfortunately I did not read to not update the hub firmware before running into the problems).

But I could connect the hub to my Wi-Fi and got SSH access by the soldering as described by @cadavre (thanks!).

Next I tried the new client of @rothm. But that didn’t open up any UDP port :frowning:

Did someone managed to read out the dev key by SSH and did someone managed to open up the UDP port by SSH?

With the miio_client I posted, the port used is still the same as the “standard” miio port.
Just launch this command: nc -u [ip of your gateway] 54321
Then just type ENTER once to get messages sent by the “gw” binary.

I have now a working MQTT implementation (python3) of a client which connects to this “miio_client” and allows to get events and send commands to the mieu01 gateway.
I can send it to you by PM.

Hi Roth, are you planning to build a binding for it?
How is it working through mqtt, is it reliable or worth it?

I would also be interested in having this implementation, even colaborating with ir if you have it uploaded to github.

At this time, I don’t plan to spend a lot of time on it. My aim is/was just to integrate the gateway with my setup. (that’s why I post as much information as possible here, for someone to pick up)

It looks like issuing a MIIO command (using the token provided in a debug version of the MiHome App for instance) to the gateway would allow a customized OTA package to be processed. The package is just a “tar file” with a script and binaries to apply on top of the current firmware.
So, if this is possible, then:

  • either add a script to /etc/rc.local to replace miio_client on startup
  • or turn the gateway into a HomeKit one
  • enable SSH access by launching “/etc/init.d/dropbear start” and setting a default password
    -> If someone is willing to test it with his own gateway (and possibly brick it) I can send the files needed (“rc.local” file to patch and the .bin / OTA package) or I can try to create such a custom OTA

As it looks like it is possible to run the HomeKit client on the mieu01 (binaries are present on the gateway), it might be a simpler way to go.

Concerning the current MQTT implementation, it has been running for the last 5 days without any issue. It’s fast. You can arm/unarm the gateway, turn on/off the light, get events from sensors, …
To me, it looks like it would be a good way to go as it uses the “internal protocol” used by Xiaomi to talk between “miio_client” (which then talk to the Xiaomi cloud) and an agent (“gw” binary is an agent). So developing a binding would be useful for other Mi products. But it would take more time than going directly for HomeKit.

So finally, I might put my stuff on github in a few days. But for it to be valuable, someone would have to create a custom OTA package (because going through soldering takes time…)

-> So it looks like getting a custom OTA package to root the gateway is the most important task

2 Likes