Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
soft_hack.md

Soft hack to open telnet

You need gateway 3(mgl03) connected to MiHome. And also ip and gateway token.

1 way (recommended)

Via XiaomiGateway3 component.

You must input in the 'Open Telnet command' field(as it is without changing anything):

{"method":"set_ip_info","params":{"ssid":"\"\"","pswd":"123123 ; passwd -d admin ; echo enable > /sys/class/tty/tty/enable; telnetd"}}

2 way (recommended if not using Home Assistant)

php-miio (https://github.com/skysilver-lab/php-miio)

You may need to change id.

php miio-cli.php --ip GW_IP --token GW_TOKEN --sendcmd '{"id":123,"method":"set_ip_info","params":{"ssid":"\"\"","pswd":"123123 ; passwd -d admin ; echo enable > /sys/class/tty/tty/enable; telnetd"}}'

3 way (maybe problem with sequence id)

python-miio (https://github.com/rytilahti/python-miio)

miiocli device --ip GW_IP --token GW_TOKEN raw_command set_ip_info '{"ssid":"\"\"","pswd":"123123 ; passwd -d admin ; echo enable > /sys/class/tty/tty/enable; telnetd"}'

Login: admin

Password is empty

After opening telnet, it is better to install custom firmware (only for Xiaomi Gateway 3 mgl03).

Read here: https://github.com/zvldz/mgl03_fw/tree/main/firmware#the-easy-way

Open telnet command should also work with:

  • lumi.gateway.mgl03 - Mi Smart Home Hub
  • lumi.gateway.acn01 - Aqara Hub M1S CN
  • lumi.gateway.aeu01 - Aqara Hub M1S EU
  • lumi.aircondition.acn05 - Aqara Air Conditioning Controller P3
  • lumi.gateway.sacn01 - Smart USB Wall Outlet Hub

Aqara Hub E1 (ZHWG16LM usb stick)

You need gateway E1 connected to MiHome. And also ip and gateway token.

1 way (recommended)

Via XiaomiGateway3 component, version 2+.

You must input in the 'Open Telnet command' field(as it is without changing anything):

{"method":"set_ip_info","params":{"ssid":"\"\"","pswd":"123123 ; /bin/riu_w 101e 53 3012; telnetd"}}

2 way (recommended if not using Home Assistant)

php-miio (https://github.com/skysilver-lab/php-miio)

You may need to change id.

php miio-cli.php --ip GW_IP --token GW_TOKEN --sendcmd '{"id":123,"method":"set_ip_info","params":{"ssid":"\"\"","pswd":"123123 ; /bin/riu_w 101e 53 3012; telnetd"}}'

3 way (maybe problem with sequence id)

python-miio (https://github.com/rytilahti/python-miio)

miiocli device --ip GW_IP --token GW_TOKEN raw_command set_ip_info '{"ssid":"\"\"","pswd":"123123 ;  /bin/riu_w 101e 53 3012 ; telnetd"}'

Login: root

Password is empty

I am not author, I just tested and improved and published.

Enable telnet on Aqara G3 hub

@mikeinblue
Copy link

mikeinblue commented Oct 15, 2021

But I tried this a day later,still this error.Also I never enable telnet successful.

@mikeinblue
Copy link

mikeinblue commented Oct 15, 2021

And this miiocli command worked.

image

@mikeinblue
Copy link

mikeinblue commented Oct 15, 2021

BAFE70C7-652F-4355-B650-A97D5CBF8B50
887313E6-025D-4325-97A5-F9564AA6BF98

finally, I get it done with Ubuntu!!

@mikeinblue
Copy link

mikeinblue commented Oct 16, 2021

I cahnged cmd to run this command ,IT IS OK

how did you change command ? it might still be useful to someone.

I changed cmd instead Powershell in win10. But it is useless.

@niceboygithub
Copy link

niceboygithub commented Nov 5, 2021

For Aqara M1S 2022,

php miio-cli.php --ip GW_IP --token GW_TOKEN --sendcmd '{"id":123,"method":"set_ip_info","params":{"ssid":"\"\"","pswd":"123123 ; passwd -d root ; /bin/riu_w 101e 53 3012; telnetd"}}'

@mikeinblue
Copy link

mikeinblue commented Nov 5, 2021

For Aqara M1S 2022,

php miio-cli.php --ip GW_IP --token GW_TOKEN --sendcmd '{"id":123,"method":"set_ip_info","params":{"ssid":"\"\"","pswd":"123123 ; passwd -d root ; /bin/riu_w 101e 53 3012; telnetd"}}'

good news

@xnadalpi
Copy link

xnadalpi commented Nov 29, 2021

I'm using the 3 way and always receive "user ack tmeout". Please help me.

miiocli device --ip 192.168.xxx.xxx --token yyyyyyyyyyyyy info
Model: lumi.gateway.mgl03
Hardware version: Linux
Firmware version: 1.5.0_0102

miiocli device --ip 192.168.xxx.xxx --token yyyyyyyyyyyyy raw_command set_ip_info '{"ssid":"""","pswd":"123123 ; passwd -d admin ; echo enable > /sys/class/tty/tty/enable; telnetd"}'
Running command raw_command
Error: {'code': -9999, 'message': 'user ack timeout'}

@zvldz
Copy link
Author

zvldz commented Nov 29, 2021

I'm using the 3 way and always receive "user ack tmeout". Please help me.
you may have run some of the commands more than once.
python miio does not know how to change the id, you have to pause between commands

@xnadalpi
Copy link

xnadalpi commented Nov 30, 2021

How must I pause between commands?
I'm only executing this: miiocli device --ip 192.168.xxx.xxx --token yyyyyyyyyyyyy raw_command set_ip_info '{"ssid":"""","pswd":"123123 ; passwd -d admin ; echo enable > /sys/class/tty/tty/enable; telnetd"}'

@xnadalpi
Copy link

xnadalpi commented Dec 1, 2021

In the instruction should I indicate the ssid and the pswd of the wifi? Or should I execute the statement as is?

That's the debug info output:
DEBUG:miio.miioprotocol:Discovered 185be15b with ts: 1970-01-01 12:08:29, token: b'ffffffffffffffffffffffffffffffff'
DEBUG:miio.miioprotocol:192.168.1.130:54321 >>: {'id': 1, 'method': 'set_ip_info', 'params': '{ssid:"",pswd:123123 ; passwd -d admin ; echo enable > /sys/class/tty/tty/enable; telnetd}'}
DEBUG:miio.miioprotocol:192.168.1.130:54321 (ts: 1970-01-01 12:08:33, id: 1) << {'id': 1, 'error': {'code': -9999, 'message': 'user ack timeout'}, 'exe_time': 4070}
DEBUG:miio.click_common:Exception: {'code': -9999, 'message': 'user ack timeout'}

@zvldz
Copy link
Author

zvldz commented Dec 1, 2021

In the instruction should I indicate the ssid and the pswd of the wifi? Or should I execute the statement as is?

Yes, execute the statement as is.
without changing anything

@xnadalpi
Copy link

xnadalpi commented Dec 2, 2021

How must I pause between commands?
Thank you

@zvldz
Copy link
Author

zvldz commented Dec 2, 2021

How must I pause between commands?

wait ~30 sec before executing the next command ))

@xnadalpi
Copy link

xnadalpi commented Dec 3, 2021

Sorry. This trick does not run. I'm waiting hours before execute the instruccion.

@zvldz
Copy link
Author

zvldz commented Dec 3, 2021

gateway must be connected to the MiHome.
Is your gateway connected?

@xnadalpi
Copy link

xnadalpi commented Dec 3, 2021

yes, connected.

@Wh1terat
Copy link

Wh1terat commented Dec 19, 2021

Aqara G3 Hub (lumi.camera.gwpagl01)
https://github.com/Wh1terat/aQRootG3

@niceboygithub
Copy link

niceboygithub commented Dec 19, 2021

@Wh1terat You are genius! Thanks! rtsp als works

@ahit976
Copy link

ahit976 commented Dec 28, 2021

i used the way3 to enable the telnet on M1S(CN version, firmware 3.3.4-0005)
after run the cli, [ok] is as shown
but in telnet, login with "user : admin ,passwrd: ", then it shown login incorrect.

ah@ubuntu:~/python-miio/miio$ python3 cli.py device --ip 192.168.1.40 --token 6d859 raw_command set_ip_info '{"ssid":"""","pswd":"123123 ; passwd -d admin ; echo enable > /sys/class/tty/tty/enable; telnetd"}'
Running command raw_command
['ok']

telnet with M1S
Aqara-Hub-M1S-4284 login: admin
Password: [leave it as empty]
Login incorrect
Aqara-Hub-M1S-4284 login:
...

what should i do?
i have communicated with lumi's surpport service, they said the telnet's password is a set of random strings.(maybe the new version is)

it was resolved.

--
m1s 2022, user is root, passwd is [empty]
python3 cli.py device --ip 192.168.1.40 --token 6d859 raw_command set_ip_info '{"ssid":"""","pswd":"123123 ; passwd -d root ; echo enable > /sys/class/tty/tty/enable; telnetd"}'
unfortunately,niceboy has made a reply to M1S 2022, AQARA GATEWAY wont surpport M1S 2022. That is mean that M1S 2022 cannot integrated to HA.
many thanks to @niceboygithub

@GuidoKuo
Copy link

GuidoKuo commented Feb 9, 2022

Aqara M1S 2022 cannot integrated to HA?
I have already use php and miio-cli way,always failure.
what should i do?
i don't want to use reverse access way.

@zvldz
Copy link
Author

zvldz commented Feb 9, 2022

Aqara M1S 2022 cannot integrated to HA?

I don't know.
look here https://github.com/niceboygithub/AqaraGateway

@Haldyz
Copy link

Haldyz commented Mar 7, 2022

hi. thx for the guide. i have telnet access to my GW, but I would like to access also the sdcard via telnet/ssh. is there any way to do that?

@xquyan
Copy link

xquyan commented Mar 30, 2022

1 way and 3 way not working on lumi.aircondition.acn05 firmware 4.0.1_0001, result says

ERROR:miio.miioprotocol:Got error when receiving: timed out
Error: No response from the device

what can I do?

@alirezadigi
Copy link

alirezadigi commented Apr 16, 2022

same problem like @xquyan

@xquyan wrong token was the problem ...

@xquyan
Copy link

xquyan commented Apr 16, 2022

same problem like @xquyan

@xquyan wrong token was the problem ...

My problem turned out to be a python problem, tried on another device that can run python properly and it worked out. Couldn't figure out what's wrong with my python install tho

@kingwap99
Copy link

kingwap99 commented May 3, 2022

For Aqara M1S 2022,

php miio-cli.php --ip GW_IP --token GW_TOKEN --sendcmd '{"id":123,"method":"set_ip_info","params":{"ssid":"\"\"","pswd":"123123 ; passwd -d root ; /bin/riu_w 101e 53 3012; telnetd"}}'

thanks, it worked, but why this script cannot work well

Flash M1S Custom firmware method
cd /tmp && wget -O /tmp/curl "http://master.dl.sourceforge.net/project/mgl03/bin/curl?viasf=1" && chmod a+x /tmp/curl
/tmp/curl -s -k -L -o /tmp/m1s_update.sh https://raw.githubusercontent.com/niceboygithub/AqaraM1SM2fw/main/modified/M1S/m1s_update.sh
chmod a+x /tmp/m1s_update.sh && /tmp/m1s_update.sh

/tmp/curl: line 1: syntax error: unexpected "("

@zvldz
Copy link
Author

zvldz commented May 3, 2022

thanks, it worked, but why this script cannot work well

mgl03 and m1s have different processor architectures, so on m1s do not work binaries used for mgl03

@vinter-wu
Copy link

vinter-wu commented May 9, 2022

What is the reason?
PS C:\Users\Administrator\Desktop\python-miio-master> miiocli device --ip 192.168.2.174 --token 455155476f71697552 raw_command set_ip_info '{"ssid":"""","pswd":"123123 ; passwd -d admin ; echo enable > /sys/class/tty/tty/enable; telnetd"}'
Traceback (most recent call last):
File "C:\Users\Administrator\AppData\Local\pypoetry\Cache\virtualenvs\python-miio-6Z4gUOLp-py3.8\Scripts\miiocli", line 5, in
create_cli()
File "C:\Users\Administrator\Desktop\python-miio-master\miio\cli.py", line 63, in create_cli
return cli(auto_envvar_prefix="MIIO")
File "C:\Users\Administrator\Desktop\python-miio-master\miio\click_common.py", line 51, in call
return self.main(*args, **kwargs)
File "C:\Users\Administrator\AppData\Local\pypoetry\Cache\virtualenvs\python-miio-6Z4gUOLp-py3.8\lib\site-packages\click\core.py", line 1055, in main
rv = self.invoke(ctx)
File "C:\Users\Administrator\AppData\Local\pypoetry\Cache\virtualenvs\python-miio-6Z4gUOLp-py3.8\lib\site-packages\click\core.py", line 1657, in invoke
return _process_result(sub_ctx.command.invoke(sub_ctx))
File "C:\Users\Administrator\AppData\Local\pypoetry\Cache\virtualenvs\python-miio-6Z4gUOLp-py3.8\lib\site-packages\click\core.py", line 1655, in invoke
sub_ctx = cmd.make_context(cmd_name, args, parent=ctx)
File "C:\Users\Administrator\AppData\Local\pypoetry\Cache\virtualenvs\python-miio-6Z4gUOLp-py3.8\lib\site-packages\click\core.py", line 920, in make_context
self.parse_args(ctx, args)
File "C:\Users\Administrator\AppData\Local\pypoetry\Cache\virtualenvs\python-miio-6Z4gUOLp-py3.8\lib\site-packages\click\core.py", line 1378, in parse_args
value, args = param.handle_parse_result(ctx, opts, args)
File "C:\Users\Administrator\AppData\Local\pypoetry\Cache\virtualenvs\python-miio-6Z4gUOLp-py3.8\lib\site-packages\click\core.py", line 2360, in handle_parse_result
value = self.process_value(ctx, value)
File "C:\Users\Administrator\AppData\Local\pypoetry\Cache\virtualenvs\python-miio-6Z4gUOLp-py3.8\lib\site-packages\click\core.py", line 2316, in process_value
value = self.type_cast_value(ctx, value)
File "C:\Users\Administrator\AppData\Local\pypoetry\Cache\virtualenvs\python-miio-6Z4gUOLp-py3.8\lib\site-packages\click\core.py", line 2304, in type_cast_value
return convert(value)
File "C:\Users\Administrator\AppData\Local\pypoetry\Cache\virtualenvs\python-miio-6Z4gUOLp-py3.8\lib\site-packages\click\types.py", line 82, in call
return self.convert(value, param, ctx)
File "C:\Users\Administrator\Desktop\python-miio-master\miio\click_common.py", line 99, in convert
return ast.literal_eval(value)
File "c:\users\administrator\appdata\local\programs\python\python38-32\lib\ast.py", line 59, in literal_eval
node_or_string = parse(node_or_string, mode='eval')
File "c:\users\administrator\appdata\local\programs\python\python38-32\lib\ast.py", line 47, in parse
return compile(source, filename, mode, flags,
File "", line 1
{ssid:"",pswd:123123 ; passwd -d admin ; echo enable > /sys/class/tty/tty/enable; telnetd}
^
SyntaxError: invalid syntax
PS C:\Users\Administrator\Desktop\python-miio-master> miiocli device --ip 192.168.2.174 --token 45515547626143726f5a736f71697552 info
Model: lumi.gateway.acn01
Hardware version: Linux
Firmware version: 4.0.1_0026

@brainb203
Copy link

brainb203 commented May 18, 2022

SyntaxError: invalid decimal literal
image

can any body help?

@aminhusni
Copy link

aminhusni commented Jun 30, 2022

Anybody has an idea on how do I set or change password for Telnet?
Feels insecure when there is no password at all.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment