cadavre seems you have exactly same gateway version as mine and definitely you are few steps ahead of me. Could you please share info which are RX/TX pins (please upload some photo if possible)?
@Pawel_Kowalski fairly simple:
I never know how to describe RX/TX so it might be otherwise. 
There are two ways of connecting:
To get to bootloader:
- Solder GND, RX and TX.
- Attach GND, RX and TX to UART 3.3V.
- You can connect all three pins, but do not connect UART to USB yet.
- Plug Gateway to AC.
- Plug UART to USB. Baudrate is 115200, 8-1, no parity and no flow control.
- Press enter and you’ll see a prompt from HUSH shell of bootloader.
- You can play here to reset root password. Look below.
To get into boot process:
1-2. As above, if haven’t done already.
3. Connect all three ping to UART and connect UART to USB.
4. Baudrate is 115200, 8-1, no parity and no flow control.
5. Plug Gateway to AC.
6. You’ll get into boot process finishing with starting mi.
7. You’ll end up in fac_test (factory test tool) that is launched at the very end of booting process (in /etc/rc.local).
8. You can exit this mode with exit_factory.
9. You’ll end up with login prompt into device and unknown root password.
To reset root password:
- Boot into bootloader.
- Enter
printenvcommand. - Find
bootargs=...and copy all afterbootargs=– for me it was “console=…”. - Open notepad.
- Enter text:
setenv bootargs ' - Paste copied text.
- Enter text:
single rw init=/bin/bash'(whitespace before “single”!). - You’ll end up with smth like
setenv bootargs 'console=... someparams single rw init=/bin/bash'. - Press enter. No message should show up. If anything shows – you copied smth wrong (watch out for quotes and whitespaces).
- Now you’re done for single-user root booting.
-
Before you enter
bootcommand to boot with new bootargs – prepare that you’ll have around 5s to change the root password. I don’t know why, but my prompt freezes after 5s.. You must set password that is at least long for 8 chars and contains alpfanumeric signs. Prepare password in notepad and copy it into clipboard – you’ll just paste it twice fast. - Enter
boot. Press enter. - Now boot process will start and you’ll end up in
bash#prompt. - Now you have 5s.
- Enter
passwd, press enter. - Paste twice password from clipboard.
- You’ll end up with “root password changed”.
- Success!
- Now simply turn off AC, plug UART into USB so it will follow boot process instead of going into bootloader, turn on AC again.
- Wait for boot process to end, exit factory mode.
- In login prompt enter
rootand your password from notepad/clipboard.
Now you have root access to your gateway’s Linux.
What I’ve found so far:
- This gateway looks like supporting HomeKit – check two different
/etc/rc.local.*– one for mi and one for homekit. - In default “mi” mode – there are two main processes running:
- miio_client – responsible for communication with Mi Cloud. (
/lumi/app/miio) - miio_client_helper_nomqtt.sh – miio_client helper that uses
miio_recv_lineandmiio_send_lineto mock communication between gateway and miio_client. - gw – gateway binary to communicate with sensor devices.
- miio_client – responsible for communication with Mi Cloud. (
- This one is interesting – you can launch SSH server on your gateway.
In rc.localyou just need to adddropbear -p 22just beforefac_test. After this is removed my soldered pins and use gateway via SSH on port 22.
Finally
$ netstat -ulptn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:54322 0.0.0.0:* LISTEN 368/miio_client
tcp 0 0 127.0.0.1:54323 0.0.0.0:* LISTEN 368/miio_client
udp 0 0 0.0.0.0:10008 0.0.0.0:* 5632/gw
udp 0 0 0.0.0.0:54321 0.0.0.0:* 368/miio_client
udp 0 0 0.0.0.0:5353 0.0.0.0:* 368/miio_client
This actually shows that in case of Mija Gateway EU it’s not about “opening the ports”, because there are no actual multicast services working in the background. Nothing listens on 4321, 9898 etc.
It should be connected to the power.
It should not be connected to FTDI power – no 3.3V and no 5V. Only RX/TX/GND.
But it must be connected to the regular 230V, so plug it into cord with switch – it will ease up the process, because you’ll on/off a lot! 
Thanks for the topic, I’ve also couldn’t add the gateway to the OH with only the MI Home app. I’ve just followed the instructions, and successfully set the port to open. Just a notice, you have to reboot the gateway for the changes to taking effect. After the reboot, the gateway discovered and added to the OH inbox immediately.
I have round text. Version 167 of the firmware. Is not auto discovered. Is there a software solution to the problem?
Hello everybody,
first of all, sorry for my simple English, that is not one of my favourites. 
I have already run two Xiaomi MI V2 Gateways (lumi-gateway-v3) in my OH2 system. Everything works fine. I bought them last year, run them for some month only with MI Home App and setup OH2 last month. Both have actual firmware (167) and square text (ST). Auto discovery works fine and I activate the developer network settings first I setup the OH system.
I bought two more gateways and I tried to include them yesterday in my OH system. The first one I setup as described in the OH manual with firmware update as first step after including in MI Home App (->167). No auto discovery in OH! The second gateway I did not update the firmware, also no auto discovery in OH. Both are with round text (RT).
I spend the whole day yesterday to keep them running in OH without any success. I changed a lot of network configuration, install a new OH on a second computer… all the tips I read in the web… nothing helps.
Until I found this solution. My technical skills are similar to my English - I don’t know much about UART. And I am affright to destroy more then to repair it
But I tried the way with the second gateway: first enable the developer network and after that update the firmware. IT WORKS!!! Without any UART and the things I only understand half. Directly after firmware update auto discovery works.
So, I have two new gateways with round text:
-
Gateway: setup in MI Home App -> Firmware Update -> Open Developer Network -> no auto discovery in OH
-
Gateway: setup in MI Home App -> Open Developer Network -> no auto discovery in OH
-> Firmware Update (->167) -> auto discovery in OH 
So, I have still one gateway which don’t work. I wait until the next firmware update, maybe I can “repair” it on this way?!?
Somebody has to change the sequence in the binding description/manual. If you first open the developer network and update the firmware after this step it seems to solve the problem.
Thanks for this thread, it was very helpful for me, even if I cannot implement the technical solution.
Sebastian
Update: 11.07.2019:
I wait some month for a firmware update of the gateway, hopes that will open the port. Due to the reason it takes a long time I buy a new one and follow my second way. It doesn’t work again, port is closed no discovery in OH. Also the firmware update dose not open the port as I hoped
I have no experience with UART or soldering, but I bought a UART, some cabels and I found a 40 year old soldering iron from my childhood and I follow the instructions post 114. It works now , this is the right way to do it. Very helpful for me was also the spanish You-Tube Video - I don’t understand spanish but it was very helpful to follow the steps. Only the information displayed in putty was completely different. I only want to share the video to the community and I want to correct my statement above - they way discribed worked once but is not a solution at all.
I added a PR to recommend enabling the developer mode prior to updating the firmware. Hopefully I did that correctly.
Hi, Thanks for all the info on this thread. I tried to connect an Aqara gateway and found no way to enable the developer mode. Has anybody tried the procedure with the UART on an Aqara gateway?
I tried it.
I activated SSH / dropbear (@cadavre after a first /etc/init.d/dropbear start / stop).
Disclaimer: I’m new to Xiaomi miio stuff.
It looks like the “gw” binary (made by aqara/lumi) is just connecting to miio_client (to me, it looks like it’s the normal way to integrate into the Mi Ecosystem) and exposes a “miio like” interface on port 10008. I tried to connect to this port using the device token and key (present in /lumi/conf/device.conf) without any luck.
However I stopped looking for a way to connect to this port as I used strace (yes there is strace on this beast!).
strace -s 1500 -f -p will show you that “gw” is continuously exchanging unencrypted messages with miio_client AND pushing events! (grep on recv or send)
If I’m right and the port 10008 is just a “miio like” access, then it won’t push any event -> need to poll.
Thus, I decided to replace the “miio_client” and made a modified version of miio_client (see: https://github.com/dgiese/dustcloud/tree/master/devices/xiaomi.vacuum/miio_client_os).
The ARM binary is available here: https://ufile.io/3drwy5uc
To use it, just copy it to /tmp/ using ssh/scp and then launch: killall miio_client && /tmp/miio_client
It will replace the original Xiaomi miio client and launch this one. This “miio_client” will accept the connection from gw binary and answer to “local.*” requests. It acts like a relay.
(It should be possible to make an ota update with it, see dustcloud. If you need a .bin file there is one in /home/root/fac)
You will now be able to connect to UDP port 54321 (nc -u 54321) and all messages from “gw” will be sent to you. (except local ones which will only display in your ssh session)
You can also directly send commands to the gateway by entering a method (ie: {“id”:132,“method”:“get_arming”}).
Hi @rothm .
I have the Aqara Gateway, the one that has rouded text in the back, and says Aqara at front in the middle of the circle. I believe you have the same one. Please correct me if I’m wrong.
What would this replacement of the miio_client binary would allow us to do.
I get what you say about communicating with the gateway, but this binding would still be useless. Right?
Thanks
The protocol used between miio_client and gw binaries is a Mi one as far as I know.
(I own a mieu01)
So, using the miio_client I posted, you would need a binding talking the local miio protocol…
However, in the gw binary, there are these strings which look like Aqara local API:
{“cmd”:“read”,“model”:"%s",“sid”:"%llx",“short_id”:"%d",“token”:"%d",“data”:"{%s}"}
{“cmd”:“write”,“model”:"%s",“sid”:"%llx",“short_id”:"%d",“token”:"%d",“data”:"{%s}"}
{“cmd”:“subdevice_ota”,“model”:"%s",“sid”:"%llx",“ota_status”:"%d",“current_version”:"%d"}
{“cmd”:“subdevice_ota”,“model”:"%s",“sid”:"%llx",“ota_status”:"%d"}
{“cmd”:“report”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{"%s":"%s"}"}
{“cmd”:“report”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{"%s":"%d"}"}
{“cmd”:“report”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{"%s":“rotate”,“degree”:"%g",“time”:"%d"}"}
{“cmd”:“report”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{"%s":"%g"}"}
{“cmd”:“report_unknow_device”,“model”:“unknown device”,“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{“status”:"%d"}"}
{“cmd”:“report”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"%s"}
{“cmd”:“remove_device”,“sid”:"%llx",“token”:"%d",“short_id”:0,“model”:"%s",“data”:"" }
{“cmd”:“dongle_info”,“info_type”:"%x",“token”:"%d",“data”:"{“status”:"%d", “ResultListSize”:"%d", “EnergyDetectChannel”:"%d", “EnergyValue”:"%d"}"}
{“cmd”:“dongle_info”,“info_type”:"%x",“token”:"%d",“data_len”:"%d",“data”:"%s"}
{“cmd”:“zigbee_join”,“model”:"%s",“sid”:"%llx",“token”:"%d",“short_id”:%d,“data”:""}
{“cmd”:“zigbee_join”,“model”:"%s",“sid”:"%llx",“token”:"%d",“short_id”:%d,“join_version”:"%d",“data”:""}
{“cmd”:“update_device”,“sid”:"%llx",“token”:"%d",“short_id”:%d,“data”:"{“status”:“announce”}"}
{“cmd”:“model_id_report”,“model”:"%s",“sid”:"%llx",“token”:"%d",“short_id”:%d,“data”:""}
{“cmd”:“heartbeat”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{“battery”:"%d", “voltage”:"%d", “lqi”:"%d", “pv_state”:"%d", “cur_state”:"%d", “pre_state”:"%d", “power_tx”:"%d", “CCA”:"%d", “send_all_cnt”:"%d", “send_fail_cnt”:"%d", “resend_sucess_cnt”:"%d", “resend_sucess_avg_cnt”:"%d", “reset_cnt”:"%d", “chip_temperature”:"%d"}"}
{“cmd”:“heartbeat”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{“voltage”:"%d", “battery”:"%d"}"}
{“cmd”:“heartbeat”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{“lqi”:"%d", “chip_temperature”:"%d", “reset_cnt”:"%d", “fw_ver”:"%d", “hw_ver”:"%d", “status”:"%d", “power_consumed”:"%g", “load_voltage”:"%d", “power”:"%g"}"}
{“cmd”:“heartbeat”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{“version”:"%d.%d.%d", “status”:"%s", “power_consumed”:"%g", “load_voltage”:"%d", “power”:"%g"}"}
{“cmd”:“heartbeat”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{“lqi”:"%d", “chip_temperature”:"%d", “reset_cnt”:"%d", “fw_ver”:"%d", “hw_ver”:"%d", “curtain_level”:"%d"}"}
{“cmd”:“heartbeat”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{“version”:"%d.%d.%d", “curtain_level”:"%d"}"}
{“cmd”:“heartbeat”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{“lqi”:"%d", “chip_temperature”:"%d", “reset_cnt”:"%d", “fw_ver”:"%d", “hw_ver”:"%d", “channel_0”:"%d", “channel_1”:"%d", “power_consumed”:"%g", “load_voltage”:"%d", “power”:"%g", “power_factor”:"%d", “load_current”:"%g", “load_s0”:"%d", “load_s1”:"%d"}"}
{“cmd”:“heartbeat”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{“version”:"%d.%d.%d", “channel_0”:"%s", “channel_1”:"%s", “power_consumed”:"%g", “load_voltage”:"%d", “power”:"%g"}"}
{“cmd”:“heartbeat”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{“lqi”:"%d", “chip_temperature”:"%d", “reset_cnt”:"%d", “fw_ver”:"%d", “hw_ver”:"%d",“energy_0”:"%g",“energy_1”:"%g",“energy_2”:"%g",“energy_3”:"%g",“load_power_0”:"%g",“load_power_1”:"%g",“load_power_2”:"%g",“load_power_3”:"%g"}"}
{“cmd”:“heartbeat”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{“lqi”:"%d", “chip_temperature”:"%d", “reset_cnt”:"%d", “fw_ver”:"%d", “hw_ver”:"%d", “channel_0”:"%d", “channel_1”:"%d", “power_consumed”:"%g", “load_voltage”:"%d", “power”:"%g"}"}
{“cmd”:“heartbeat”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{“lqi”:"%d", “chip_temperature”:"%d", “reset_cnt”:"%d", “fw_ver”:"%d", “hw_ver”:"%d", “channel_0”:"%d", “power_consumed”:"%g", “load_voltage”:"%d", “power”:"%g"}"}
{“cmd”:“heartbeat”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{“version”:"%d.%d.%d", “channel_0”:"%s", “power_consumed”:"%g", “load_voltage”:"%d", “power”:"%g"}"}
{“cmd”:“heartbeat”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{“lqi”:"%d", “voltage”:"%d", “pre_state”:"%d", “cur_state”:"%d", “power_tx”:"%d", “CCA”:"%d", “reset_cnt”:"%d", “send_all_cnt”:"%d", “send_fail_cnt”:"%d", “send_retry_cnt”:"%d", “parent”:"%x", “temperature”:"%d", “humidity”:"%d", “battery”:"%d"}"}
{“cmd”:“heartbeat”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{“lqi”:"%d", “voltage”:"%d", “pre_state”:"%d", “cur_state”:"%d", “power_tx”:"%d", “CCA”:"%d", “reset_cnt”:"%d", “send_all_cnt”:"%d", “send_fail_cnt”:"%d", “send_retry_cnt”:"%d", “parent”:"%x", “temperature”:"%d", “humidity”:"%d", “pressure”:"%d", “battery”:"%d"}"}
{“cmd”:“heartbeat”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{“voltage”:"%d", “temperature”:"%d", “humidity”:"%d"}"}
{“cmd”:“heartbeat”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{“voltage”:"%d", “temperature”:"%d", “humidity”:"%d", “pressure”:"%d"}"}
{“cmd”:“heartbeat”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{“lqi”:"%d", “voltage”:"%d", “chip_temperature”:"%d", “pre_state”:"%d", “cur_state”:"%d", “power_tx”:"%d", “CCA”:"%d", “reset_cnt”:"%d", “send_all_cnt”:"%d", “send_fail_cnt”:"%d", “send_retry_cnt”:"%d", “parent”:"%x", “invalid_count”:"%d", “wakeup_num”:"%d", “disturbance_num”:"%d", “param_version”:"%d", “battery”:"%d"}"}
{“cmd”:“heartbeat”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{“voltage”:"%d"}"}
{“cmd”:“heartbeat”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{“lqi”:"%d", “voltage”:"%d", “chip_temperature”:"%d", “reset_cnt”:"%d", “parent”:"%x", “fw_ver”:"%d", “hw_ver”:"%d", “battery”:"%d", “fing_remain_num”:"%d", “card_remain_num”:"%d", “psw_remain_num”:"%d", “open_lock_times”:"%d", “tongue_state”:"%d"}"}
{“cmd”:“heartbeat”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{ “voltage”:"%d", “fw_ver”:"%d", “hw_ver”:"%d", “battery”:"%d"}"}
{“cmd”:“heartbeat”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{“lqi”:"%d", “chip_temperature”:"%d", “reset_cnt”:"%d", “fw_ver”:"%d", “hw_ver”:"%d", “parent”:"%x", “channel_0”:"%d", “load_s0”:"%d", “power”:"%d"}"}
{“cmd”:“heartbeat”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{“version”:"%d.%d.%d", “channel_0”:"%s"}"}
{“cmd”:“heartbeat”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{“lqi”:"%d", “chip_temperature”:"%d", “reset_cnt”:"%d", “fw_ver”:"%d", “hw_ver”:"%d", “parent”:"%x", “channel_0”:"%d", “channel_1”:"%d", “load_s0”:"%d", “load_s1”:"%d", “power”:"%d"}"}
{“cmd”:“heartbeat”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{“version”:"%d.%d.%d", “channel_0”:"%s", “channel_1”:"%s"}"}
{“cmd”:“heartbeat”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{“lqi”:"%d", “voltage”:"%d", “chip_temperature”:"%d", “pre_state”:"%d", “cur_state”:"%d", “power_tx”:"%d", “CCA”:"%d", “reset_cnt”:"%d", “send_all_cnt”:"%d", “send_fail_cnt”:"%d", “send_retry_cnt”:"%d", “parent”:"%x", “battery”:"%d"}"}
{“cmd”:“heartbeat”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{“lqi”:"%d", “voltage”:"%d", “chip_temperature”:"%d", “pre_state”:"%d", “cur_state”:"%d", “power_tx”:"%d", “CCA”:"%d", “reset_cnt”:"%d", “send_all_cnt”:"%d", “send_fail_cnt”:"%d", “send_retry_cnt”:"%d", “parent”:"%x", “battery”:"%d", “lux”:"%d"}"}
{“cmd”:“heartbeat”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{“voltage”:"%d",“lux”:"%d"}"}
{“cmd”:“heartbeat”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{“lqi”:"%d", “voltage”:"%d", “chip_temperature”:"%d", “pre_state”:"%d", “cur_state”:"%d", “power_tx”:"%d", “CCA”:"%d", “reset_cnt”:"%d", “send_all_cnt”:"%d", “send_fail_cnt”:"%d", “send_retry_cnt”:"%d", “parent”:"%x", “battery”:"%d", “status”:"%s"}"}
{“cmd”:“heartbeat”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{“lqi”:"%d", “voltage”:"%d", “chip_temperature”:"%d", “pre_state”:"%d", “cur_state”:"%d", “power_tx”:"%d", “CCA”:"%d", “reset_cnt”:"%d", “send_all_cnt”:"%d", “send_fail_cnt”:"%d", “send_retry_cnt”:"%d", “parent”:"%x", “battery”:"%d", “fw_ver”:"%d", “hw_ver”:"%d", “wakeup_num”:"%d", “disturbance_num”:"%d"}"}
{“cmd”:“heartbeat”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{“lqi”:"%d", “chip_temperature”:"%d", “reset_cnt”:"%d", “fw_ver”:"%d", “hw_ver”:"%d", “parent”:"%x", “density”:"%d", “voltage”:"%d", “alarm”:"%d", “sensor_info”:"%d" }"}
{“cmd”:“heartbeat”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{“density”:"%g", “voltage”:"%d"}"}
{“cmd”:“heartbeat”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{“lqi”:"%d", “chip_temperature”:"%d", “reset_cnt”:"%d", “fw_ver”:"%d", “hw_ver”:"%d", “density”:"%d", “sensor_info”:"%d", “alarm”:"%d"}"}
{“cmd”:“heartbeat”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{“density”:"%g", “alarm”:"%d"}"}
{“cmd”:“heartbeat”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{“voltage”:"%d", “status”:"%s"}"}
{“cmd”:“heartbeat”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{“lqi”:"%d", “chip_temperature”:"%d", “reset_cnt”:"%d", “fw_ver”:"%d", “hw_ver”:"%d", “parent”:"%x", “power_status”:"%d", “light_level”:"%d", “colour_temperature”:"%d"}"}
{“cmd”:“heartbeat”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{“lqi”:"%d", “voltage”:"%d", “chip_temperature”:"%d",“pre_state”:"%d", “cur_state”:"%d", “power_tx”:"%d",“CCA”:"%d",“reset_cnt”:"%d",“send_all_cnt”:"%d",“send_fail_cnt”:"%d",“send_retry_cnt”:"%d",“parent”:"%x",“wakeup_num”:"%d",“disturbance_num”:"%d",“coordination”:"%lld"}"}
{“cmd”:“heartbeat”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{“lqi”:"%d", “chip_temperature”:"%d", “reset_cnt”:"%d", “fw_ver”:"%d", “hw_ver”:"%d", “red”:"%d", “green”:"%d", “blue”:"%d"}"}
{“cmd”:“heartbeat”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{“red”:"%d", “green”:"%d", “blue”:"%d"}"}
{“cmd”:“heartbeat”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{“lqi”:"%d", “chip_temperature”:"%d", “reset_cnt”:"%d", “fw_ver”:"%d", “hw_ver”:"%d",“ac_state”:"%d",“bindhtaddr”:"%d"}"}
{“cmd”:“heartbeat”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{“fw_ver”:"%d", “hw_ver”:"%d",“ac_state”:"%d"}"}
{“cmd”:“heartbeat”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{“lqi”:"%d", “chip_temperature”:"%d", “reset_cnt”:"%d", “fw_ver”:"%d", “hw_ver”:"%d",“ac_state”:"%d",“bindhtaddr”:"%d",“co2”:"%d",“temp_humi_src”:"%d"}"}
{“cmd”:“heartbeat”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{“fw_ver”:"%d", “hw_ver”:"%d",“ac_state”:"%d",“temp_humi_src”:"%d"}"}
{“cmd”:“heartbeat”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{“lqi”:"%d", “chip_temperature”:"%d", “reset_cnt”:"%d", “fw_ver”:"%d", “hw_ver”:"%d"}"}
{“cmd”:“heartbeat”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{“fw_ver”:"%d", “hw_ver”:"%d"}"}
{“cmd”:“report”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{“encrypt_state”:"%d"}"}
{“cmd”:“report”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{"%s":"%d","%s":"%d"}"}
{“cmd”:“report”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{"%s":"%d","%s":"%s"
{“cmd”:“report”,“model”:“rgbw_light”,“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{“hue”:"%d",“saturation”:"%d",“color_temperature”:"%d",“x”:"%d",“y”:"%d"}"}
{“cmd”:“report”,“model”:“light.aqcn02”,“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{“color_temperature”:"%d"}"}
{“cmd”:“report”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{“red”:"%d",“green”:"%d",“blue”:"%d"}"}
{“cmd”:“report”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{"%s":"%s",“source”:"%d"}"}
{“cmd”:“report”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{"%s":"%d",“source”:"%d"}"}
{“cmd”:“report”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{"%s":"%014llx"}"}
{“cmd”:“report”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{"%s":"%lld"}"}
{“cmd”:“report”,“model”:"%s",“sid”:"%llx",“short_id”:%d,“token”:"%d", “data”:"{“sensitve_level”:"%s", “version”:"%s", “noise”:"%s", “alarm”:"%d", “simulate_alarm”:"%s"}"}
{“cmd”:“report”,“model”:“dongle”,“token”:"%d",“data”:"{“rf_test”:“complete”}"}
{“cmd”:“report”,“model”:“switch”,“sid”:"%llx",“short_id”:%d,“token”:"%d",“data”:"{“status”:“long_click_press”}"}
I’m also providing the methods that can be invoked using through the miio_client local protocol:
change_router
miIO.config_router
get_prop
start_zigbee_join
get_zigbee_channel
toggle_plug
toggle_ctrl_neutral
send_data_frame
miIO.xset
miIO.xdel
get_lumi_bind
update_neighbor_token
play_alarm_clock
list_music
miIO.ota
miIO.reboot
miIO.restore
local.time
miIO.get_ota_state
miIO.get_ota_progress
welcome
delete_user_music
download_user_music
toggle_light
set_corridor_light
get_corridor_light
set_corridor_on_time
get_corridor_on_time
set_rgb
set_night_light_rgb
get_night_light_rgb
get_rgb
get_clock_volume
set_mute
get_mute
set_clock_volume
get_download_progress
local.status
get_arming
get_doorbell_push
get_arm_wait_time
get_arming_time
get_gateway_volume
get_doorbell_volume
get_alarming_volume
set_arming
set_doorbell_push
set_arm_wait_time
set_gateway_volume
set_doorbell_volume
set_alarming_volume
set_sound_playing
toggle_device
set_curtain_level
get_music_info
set_default_music
play_music_new
dis_alarm
get_prop_plug
get_prop_ctrl_neutral
get_prop_sensor_ht
get_device_prop
set_device_prop
get_device_prop_exp
linkage_alarm
miIO.info
ctrl_device_prop
(sorry for this very long post)
Hi guys,
I just got my new Aqara gateway v3 and was a bit disappointed, that the developer mode isn’t that easy accessible anymore as in the former versions of to the Aqara gateway or the gateway.
I wasn’t able to get the dev mode/key out of the current iOS app nor the current android app (Unfortunately I did not read to not update the hub firmware before running into the problems).
But I could connect the hub to my Wi-Fi and got SSH access by the soldering as described by @cadavre (thanks!).
Next I tried the new client of @rothm. But that didn’t open up any UDP port 
Did someone managed to read out the dev key by SSH and did someone managed to open up the UDP port by SSH?
With the miio_client I posted, the port used is still the same as the “standard” miio port.
Just launch this command: nc -u [ip of your gateway] 54321
Then just type ENTER once to get messages sent by the “gw” binary.
I have now a working MQTT implementation (python3) of a client which connects to this “miio_client” and allows to get events and send commands to the mieu01 gateway.
I can send it to you by PM.
Hi Roth, are you planning to build a binding for it?
How is it working through mqtt, is it reliable or worth it?
I would also be interested in having this implementation, even colaborating with ir if you have it uploaded to github.
At this time, I don’t plan to spend a lot of time on it. My aim is/was just to integrate the gateway with my setup. (that’s why I post as much information as possible here, for someone to pick up)
It looks like issuing a MIIO command (using the token provided in a debug version of the MiHome App for instance) to the gateway would allow a customized OTA package to be processed. The package is just a “tar file” with a script and binaries to apply on top of the current firmware.
So, if this is possible, then:
- either add a script to /etc/rc.local to replace miio_client on startup
- or turn the gateway into a HomeKit one
- enable SSH access by launching “/etc/init.d/dropbear start” and setting a default password
-> If someone is willing to test it with his own gateway (and possibly brick it) I can send the files needed (“rc.local” file to patch and the .bin / OTA package) or I can try to create such a custom OTA
As it looks like it is possible to run the HomeKit client on the mieu01 (binaries are present on the gateway), it might be a simpler way to go.
Concerning the current MQTT implementation, it has been running for the last 5 days without any issue. It’s fast. You can arm/unarm the gateway, turn on/off the light, get events from sensors, …
To me, it looks like it would be a good way to go as it uses the “internal protocol” used by Xiaomi to talk between “miio_client” (which then talk to the Xiaomi cloud) and an agent (“gw” binary is an agent). So developing a binding would be useful for other Mi products. But it would take more time than going directly for HomeKit.
So finally, I might put my stuff on github in a few days. But for it to be valuable, someone would have to create a custom OTA package (because going through soldering takes time…)
-> So it looks like getting a custom OTA package to root the gateway is the most important task
Hi all,
I have a different issue here. I see in nmap that port 9898 is open on the gateway but the gateway shows up as offline in paperUI which means all sensors are offline too.
The gateway shows up as online in the mihome app and I’ve even tried resetting it. There’s no firewall on the OH machine.
On the router I’ve run packet monitoring and I see it phoning to some unknown IP address:
| IP 120.92.67.6.8053 > Gateway_IP.54321: UDP, length 32 |
|---|
| IP Gateway_IP.4321 > 224.0.0.50.9898: UDP, length 135 |
| ARP, Request who-has Gateway_IP tell ROUTER_IP, length 28 |
Also tons of cache flush:
| Gateway_IP.5353 > 224.0.0.251.5353 |
|---|
When I check traffic from OH, I see lots of this although I’m not sure which miio device it’s checking for this:
| IP OH_Machine.5353 > 224.0.0.251.5353: 0 [2a] PTR (QM)? _miio._udp.local. (123) |
|---|
Gateway is running 1.41.1_164 and keeps bugging me to update
Thanks!
Here is a repo with the tools I developed:
https://github.com/roth-m/miioclient-mqtt
If someone finds a way to get the “lummod_gw.bin” (firmware-mod directory) to be processed as an OTA package, it would be cool!