[SOLVED] Openhab2 - Xiaomi Mi Gateway - does not respond

I bought my unit on banggood, my friend on the gearbest. The question is not “where” but “when”. You should wait for discounts or sales ;).

Ok, it’s easy to distinguish them. Better buy mijia (in my opinion).

It is not mandatory to stick to the stock version. Currently, I have the latest version of the Mi Home app on my phone and the latest firmware on the gateway. IMPORTANT: enable development options and “additional communication” before updating the gateway firmware or you will have to disassemble the device and solder things.
If you are afraid of soldering, stay on the default firmware.


I have an UART adapter and a soldering iron if I mess stuff up :wink:

So I don’t have to download an old version of the apk, just go with the recent one and turn on dev mode?

Wow Thanks ! This is the solution !

But sadly some of us aren’t really good at electronics. I clearly prefer the dev.

Thanks for the complete solution.


Stupid question: Do you not need a password from the app?

As far as I know the topic, you should be fine.

Hi,

has anybody tried to downgrade/install firmware via miiocli? All I can achieve is an error and no incoming queries on my HTTP server.

miiocli device --ip 192.168.0.101 --token xxxx raw_command miIO.ota '{"app_url":"http://192.168.0.102/063df95bd538a9cfa22c7c86642cf11e_upd_lumi.gateway.v3.bin","file_md5":"063df95bd538a9cfa22c7c86642cf11e","install":"1","proc":"dnld install","mode":"normal"}'
Running command raw_command
Error: {'code': -5000, 'message': 'invalied'}

miIO.info does work:

miiocli device --ip 192.168.0.101 --token xxxx raw_command miIO.info
Running command raw_command
{'life': 1184, 'cfg_time': 0, 'token': 'xxxx', 'mac': '78:11:DC:xxxx', 'fw_ver': '1.4.1_161', 'hw_ver': 'MW300', 'model': 'lumi.gateway.v3', 'mcu_fw_ver': '0158', [..]}

Is a public ip/specific hostname required for ota?

PS: I tried this in unprovisioned and provisioned mode with internet access and without.

I tried, but without success. I did not spend too much time on this attack vector.

I also thought about creating a fake Xiaomi HTTP server (via a fake local DNS server or iptables rules) and serving the old firmware with that server. Then wait for the new official firmware from Xiaomi, turn on my spoofed server and run the upgrade from the Android/iOS app. Unfortunately, I did not have enough time to configure and prepare the entire attack.

Hi,

Just to confirm the method from @rsx2007 worked like a charm, my 1st gateway has now its ports 4321/9898 opened.

Thank you ! and thanks to “ds2003”
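
A quick way to check what the posts here call port 9898 being open or locked, as an added example that is not from any poster: it sends the gateway's LAN-protocol `get_id_list` request over UDP and waits for a `get_id_list_ack`. The message names are an assumption taken from the gateway's LAN protocol (they are not quoted in this thread); `probe_gateway`, `parse_ack` and the default IP are illustrative.

```python
import json
import socket
import sys

GATEWAY_PORT = 9898  # UDP command port mentioned in the thread


def parse_ack(datagram: bytes) -> dict:
    """Decode a get_id_list_ack reply; raise ValueError for anything else."""
    try:
        msg = json.loads(datagram.decode("utf-8"))
    except UnicodeDecodeError as exc:
        raise ValueError("reply is not UTF-8 JSON") from exc
    if not isinstance(msg, dict) or msg.get("cmd") != "get_id_list_ack":
        raise ValueError(f"unexpected reply: {msg!r}")
    # Assumed format: "data" is itself a JSON-encoded list of sub-device ids.
    return {"sid": msg.get("sid"), "children": json.loads(msg.get("data", "[]"))}


def probe_gateway(ip, port=GATEWAY_PORT, timeout=2.0, tries=3):
    """Return the parsed ack if the LAN API answers, or None if it stays silent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        for _ in range(tries):
            try:
                sock.sendto(b'{"cmd":"get_id_list"}', (ip, port))
                data, addr = sock.recvfrom(4096)
            except OSError:
                continue  # timeout or ICMP error: closed, filtered or lost
            if addr[0] != ip:
                continue  # ignore datagrams from other hosts
            try:
                return parse_ack(data)
            except (ValueError, TypeError):
                continue  # something else is listening on that port
    return None


if __name__ == "__main__":
    # Default address is only a sample; pass the gateway's IP as argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.0.101"
    result = probe_gateway(target)
    if result is None:
        print(f"{target}: no answer on UDP {GATEWAY_PORT}, LAN API looks disabled")
    else:
        print(f"{target}: LAN API open, gateway sid={result['sid']}, "
              f"{len(result['children'])} sub-devices")
```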

Hi. I can’t read or send any commands to the gateway.

Here are my steps:

  1. Connect USB-TTL Serial Module FT232RL GND to GND on Gateway and RX from UART to TX on Gateway
  2. Plug in USB Module to PC --> red light in corner of module turns on
  3. Turn on Gateway --> flashes blue for a few seconds, then turns off
  4. In Putty, select COM3 (Speed 9600, Data bits 8, Stop bits 1, Parity None, Flow control None) --> Open
  5. Connect TX from UART to RX on Gateway. No additional LED turns on on the UART

In the Putty window I now sporadically see some cryptic characters showing up, but nothing like “You will see all messages of gateway.” Also sending a command does not do anything.

Does anyone have an idea what I’m doing wrong? Thanks a lot


Hi @D1rk,
Speed should be 115200 baud. I figured it out by trying different speeds, and with 115200 you will see some readable characters, i.e. a boot sequence like this:

mi_i2s_init ok I2S_IRQn= 11
                       player starting......
SetFreq 44100
mi_i2s_set_freq 44.1KHz
                   gpio stat:1
audio mixer init done
                  find 0 channels on flash,temp_play=0
find_list = -1
dac_freq_set_ = 44100 , 44100
Creat Thread mi_ipc_looper

Not sure about the other config (data bits, stop …), as I used a macOS terminal with the ‘screen’ command, so they should be the defaults:

 screen /dev/cu.usbserial-***** 115200

Yes speed is 115200.
Other params by default in putty.
But you should see messages even without TX from the UART connected.

Hi @D1rk.

my working settings in Putty were: Speed 115200, Data bits 8, Stop bits 1, Parity None, Flow control XON/XOFF

Hope this helps.

Kindest regards,
Christian…

Flow control can be also completely off.
Btw: I am not sure if the old trick with the firmware updates MITM from my Defcon Talk still works or if they patched the MD5 checksum check…

Hi guys. Thanks a lot for your help. Christian’s settings did work and the Hub was discovered in OH after waiting for a few minutes. Now I will disconnect it from the manufacturer cloud so that they cannot make any unwanted changes :wink: In the next days I will try to connect some additional sensors.

Hello all together,
does anybody know if this serial command psm-set works with the Camera-Hub too ?

Greetings Matthias

Is this for sure? I have 2 gateways, both with round text and both with dev mode enabled. The first one is locked (port 9898 not open), but I enabled dev mode after the firmware updates. The second is not locked; I currently use it with my openHAB, but I’m afraid to do firmware updates. (I need to do updates because the Aqara cube doesn’t work well.) Is it confirmed that I can do updates on this one? Has anyone here done the firmware updates after enabling dev mode on this version of the gateway and still has port 9898 open?

Thanks for your reply guys.

No.

No

Just updated to 1.4.1_164.0158, and still drops connection after less than an hour.

Same Gateway appears to work fine in Domoticz…so far

Update: the same thing happens in HA and Domoticz, it drops the connection after about 15 mins.

I have a question, sorry for my bad English.

I see the log from the gateway in PuTTY and then I send the command psm-set network.open_pf 3 several times

and then I send psm-get network.open_pf and PuTTY says:

psm-set network.open_pf

[psm] Usage: psm-set
[psm] Error: invalid number of arguments

What is the problem?

Don’t type this command by hand, try to copy-paste and confirm by “enter”, several times.