@zvldz
Last active April 18, 2024 00:46
soft_hack.md

Soft hack to open telnet

You need a Gateway 3 (mgl03) connected to Mi Home, plus the gateway's IP address and token.

Method 1 (recommended)

Via the XiaomiGateway3 component.

Enter the following in the 'Open Telnet command' field exactly as shown, without changing anything:

{"method":"set_ip_info","params":{"ssid":"\"\"","pswd":"123123 ; passwd -d admin ; echo enable > /sys/class/tty/tty/enable; telnetd"}}

Method 2 (recommended if not using Home Assistant)

php-miio (https://github.com/skysilver-lab/php-miio)

You may need to change the id.

php miio-cli.php --ip GW_IP --token GW_TOKEN --sendcmd '{"id":123,"method":"set_ip_info","params":{"ssid":"\"\"","pswd":"123123 ; passwd -d admin ; echo enable > /sys/class/tty/tty/enable; telnetd"}}'

Method 3 (may have a problem with the sequence id)

python-miio (https://github.com/rytilahti/python-miio)

miiocli device --ip GW_IP --token GW_TOKEN raw_command set_ip_info '{"ssid":"\"\"","pswd":"123123 ; passwd -d admin ; echo enable > /sys/class/tty/tty/enable; telnetd"}'

Login: admin

Password is empty

After opening telnet, it is better to install custom firmware (only for Xiaomi Gateway 3 mgl03).

Read here: https://github.com/zvldz/mgl03_fw/tree/main/firmware#the-easy-way

The open telnet command should also work with:

  • lumi.gateway.mgl03 - Mi Smart Home Hub
  • lumi.gateway.acn01 - Aqara Hub M1S CN
  • lumi.gateway.aeu01 - Aqara Hub M1S EU
  • lumi.aircondition.acn05 - Aqara Air Conditioning Controller P3
  • lumi.gateway.sacn01 - Smart USB Wall Outlet Hub

Aqara Hub E1 (ZHWG16LM usb stick)

You need a Gateway E1 connected to Mi Home, plus the gateway's IP address and token.

Method 1 (recommended)

Via the XiaomiGateway3 component, version 2+.

Enter the following in the 'Open Telnet command' field exactly as shown, without changing anything:

{"method":"set_ip_info","params":{"ssid":"\"\"","pswd":"123123 ; /bin/riu_w 101e 53 3012; telnetd"}}

Method 2 (recommended if not using Home Assistant)

php-miio (https://github.com/skysilver-lab/php-miio)

You may need to change the id.

php miio-cli.php --ip GW_IP --token GW_TOKEN --sendcmd '{"id":123,"method":"set_ip_info","params":{"ssid":"\"\"","pswd":"123123 ; /bin/riu_w 101e 53 3012; telnetd"}}'

Method 3 (may have a problem with the sequence id)

python-miio (https://github.com/rytilahti/python-miio)

miiocli device --ip GW_IP --token GW_TOKEN raw_command set_ip_info '{"ssid":"\"\"","pswd":"123123 ;  /bin/riu_w 101e 53 3012 ; telnetd"}'

Login: root

Password is empty
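A defender's view of the commands above, as an added example that is not part of the original gist: both payloads put shell separators inside the `pswd` Wi-Fi field of `set_ip_info`, so the same pattern can be flagged in python-miio debug logs or in any integration that sees the decoded request. The regex heuristic, function names and sample log lines are assumptions constructed here, and a legitimate passphrase containing `;` would also match.

```python
import ast
import re

# Outbound request lines as python-miio prints them in debug mode.
REQ_RE = re.compile(r"DEBUG:miio\.miioprotocol:(\S+?):\d+ >>: (\{.*\})\s*$")
# Characters a POSIX shell treats as separators or command substitution.
SHELL_META_RE = re.compile(r"[;|&`\n]|\$\(")


def findings_for(request):
    """Return [(field, matched_text)] for suspicious set_ip_info parameters."""
    if not isinstance(request, dict) or request.get("method") != "set_ip_info":
        return []
    params = request.get("params")
    # params is normally a dict; some clients collapse it into one string.
    fields = params if isinstance(params, dict) else {"params": params}
    hits = []
    for field, value in fields.items():
        match = SHELL_META_RE.search(str(value))
        if match:
            hits.append((field, match.group(0)))
    return hits


def scan_log(lines):
    """Return [(device_ip, request_id, findings)] for flagged requests."""
    alerts = []
    for line in lines:
        found = REQ_RE.search(line)
        if not found:
            continue
        try:
            request = ast.literal_eval(found.group(2))  # dict repr, not JSON
        except (ValueError, SyntaxError):
            continue
        hits = findings_for(request)
        if hits:
            alerts.append((found.group(1), request.get("id"), hits))
    return alerts

# Constructed sample lines (documentation IP), shaped like python-miio debug output.
SAMPLE_LOG = [
    "DEBUG:miio.miioprotocol:192.0.2.10:54321 >>: {'id': 1, 'method': 'miIO.info', 'params': []}",
    "DEBUG:miio.miioprotocol:192.0.2.10:54321 >>: {'id': 2, 'method': 'set_ip_info', 'params': {'ssid': 'HomeNet', 'pswd': 'correct horse battery'}}",
    "DEBUG:miio.miioprotocol:192.0.2.10:54321 >>: {'id': 3, 'method': 'set_ip_info', 'params': {'ssid': '\"\"', 'pswd': '123123 ; telnetd'}}",
    "DEBUG:miio.miioprotocol:192.0.2.10:54321 >>: {'id': 4, 'method': 'set_ip_info', 'params': '{ssid:\"\",pswd:123123 ; telnetd}'}",
]
if __name__ == "__main__":
    print(scan_log(SAMPLE_LOG))
```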

I am not the author; I just tested, improved and published it.

Enable telnet on Aqara G3 hub

@xorxorxorxor

Error Information

Error: No response from the device

Device Information

Model: lumi.gateway.acn01
Hardware version: Linux
Firmware version: 4.0.1_0002

How does it happen?

  1. Use miiocli to open telnetd.
    miiocli -d device --ip 192.168.2.105 --token TOKEN raw_command set_ip_info '{"ssid":"\"\"","pswd":"123123 ; passwd -d admin ; echo enable > /sys/class/tty/tty/enable; telnetd"}'

  2. The result is below:

    INFO:miio.cli:Debug mode active
    Running command raw_command
    DEBUG:miio.click_common:Unknown model, trying autodetection. None None
    DEBUG:miio.miioprotocol:Got a response: Container:
    data = Container:
    data = b'' (total 0)
    value = b'' (total 0)
    offset1 = 32
    offset2 = 32
    length = 0
    header = Container:
    data = b'!1\x00 \x00\x00\x00\x00\x1d\xbd\xc7\xe1c\xc0\n\xbd' (total 16)
    value = Container:
    length = 32
    unknown = 0
    device_id = unhexlify('1dbdc7e1')
    ts = 2023-01-12 13:27:25
    offset1 = 0
    offset2 = 16
    length = 16
    checksum = b'\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff' (total 16)
    DEBUG:miio.miioprotocol:Discovered 1dbdc7e1 with ts: 2023-01-12 13:27:25, token: b'ffffffffffffffffffffffffffffffff'
    DEBUG:miio.miioprotocol:192.168.2.105:54321 >>: {'id': 1, 'method': 'miIO.info', 'params': []}
    DEBUG:miio.miioprotocol:Retrying with incremented id, retries left: 3
    DEBUG:miio.miioprotocol:Got a response: Container:
    data = Container:
    data = b'' (total 0)
    value = b'' (total 0)
    offset1 = 32
    offset2 = 32
    length = 0
    header = Container:
    data = b'!1\x00 \x00\x00\x00\x00\x1d\xbd\xc7\xe1c\xc0\n\xc2' (total 16)
    value = Container:
    length = 32
    unknown = 0
    device_id = unhexlify('1dbdc7e1')
    ts = 2023-01-12 13:27:30
    offset1 = 0
    offset2 = 16
    length = 16
    checksum = b'\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff' (total 16)
    DEBUG:miio.miioprotocol:Discovered 1dbdc7e1 with ts: 2023-01-12 13:27:30, token: b'ffffffffffffffffffffffffffffffff'
    DEBUG:miio.miioprotocol:192.168.2.105:54321 >>: {'id': 102, 'method': 'miIO.info', 'params': []}
    DEBUG:miio.miioprotocol:Retrying with incremented id, retries left: 2
    DEBUG:miio.miioprotocol:Got a response: Container:
    data = Container:
    data = b'' (total 0)
    value = b'' (total 0)
    offset1 = 32
    offset2 = 32
    length = 0
    header = Container:
    data = b'!1\x00 \x00\x00\x00\x00\x1d\xbd\xc7\xe1c\xc0\n\xc7' (total 16)
    value = Container:
    length = 32
    unknown = 0
    device_id = unhexlify('1dbdc7e1')
    ts = 2023-01-12 13:27:35
    offset1 = 0
    offset2 = 16
    length = 16
    checksum = b'\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff' (total 16)
    DEBUG:miio.miioprotocol:Discovered 1dbdc7e1 with ts: 2023-01-12 13:27:35, token: b'ffffffffffffffffffffffffffffffff'
    DEBUG:miio.miioprotocol:192.168.2.105:54321 >>: {'id': 203, 'method': 'miIO.info', 'params': []}
    DEBUG:miio.miioprotocol:192.168.2.105:54321 (ts: 2023-01-12 13:27:35, id: 203) << {'partner_id': '', 'id': 203, 'code': 0, 'message': 'ok', 'result': {'hw_ver': 'Linux', 'fw_ver': '4.0.1_0002', 'mcu_fw_ver': '0616', 'ap': {'ssid': 'TP-LINK_774A', 'bssid': '60:45:3b:68:4a:93', 'rssi': '-32', 'freq': '2432'}, 'netif': {'localIp': '192.168.2.105', 'mask': '255.255.255.0', 'gw': '192.168.2.1'}, 'model': 'lumi.gateway.acn01', 'mac': '54:EF:43:40:D5:13', 'token': 'TOKEN', 'life': 4473}}
    DEBUG:miio.device:Detected model lumi.gateway.acn01
    DEBUG:miio.miioprotocol:192.168.2.105:54321 >>: {'id': 204, 'method': 'set_ip_info', 'params': '{ssid:"",pswd:123123 ; passwd -d admin ; echo enable > /sys/class/tty/tty/enable; telnetd}'}
    DEBUG:miio.miioprotocol:Retrying with incremented id, retries left: 3
    DEBUG:miio.miioprotocol:Got a response: Container:
    data = Container:
    data = b'' (total 0)
    value = b'' (total 0)
    offset1 = 32
    offset2 = 32
    length = 0
    header = Container:
    data = b'!1\x00 \x00\x00\x00\x00\x1d\xbd\xc7\xe1c\xc0\n\xcc' (total 16)
    value = Container:
    length = 32
    unknown = 0
    device_id = unhexlify('1dbdc7e1')
    ts = 2023-01-12 13:27:40
    offset1 = 0
    offset2 = 16
    length = 16
    checksum = b'\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff' (total 16)
    DEBUG:miio.miioprotocol:Discovered 1dbdc7e1 with ts: 2023-01-12 13:27:40, token: b'ffffffffffffffffffffffffffffffff'
    DEBUG:miio.miioprotocol:192.168.2.105:54321 >>: {'id': 305, 'method': 'set_ip_info', 'params': '{ssid:"",pswd:123123 ; passwd -d admin ; echo enable > /sys/class/tty/tty/enable; telnetd}'}
    DEBUG:miio.miioprotocol:Retrying with incremented id, retries left: 2
    DEBUG:miio.miioprotocol:Got a response: Container:
    data = Container:
    data = b'' (total 0)
    value = b'' (total 0)
    offset1 = 32
    offset2 = 32
    length = 0
    header = Container:
    data = b'!1\x00 \x00\x00\x00\x00\x1d\xbd\xc7\xe1c\xc0\n\xd1' (total 16)
    value = Container:
    length = 32
    unknown = 0
    device_id = unhexlify('1dbdc7e1')
    ts = 2023-01-12 13:27:45
    offset1 = 0
    offset2 = 16
    length = 16
    checksum = b'\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff' (total 16)
    DEBUG:miio.miioprotocol:Discovered 1dbdc7e1 with ts: 2023-01-12 13:27:45, token: b'ffffffffffffffffffffffffffffffff'
    DEBUG:miio.miioprotocol:192.168.2.105:54321 >>: {'id': 406, 'method': 'set_ip_info', 'params': '{ssid:"",pswd:123123 ; passwd -d admin ; echo enable > /sys/class/tty/tty/enable; telnetd}'}
    DEBUG:miio.miioprotocol:Retrying with incremented id, retries left: 1
    DEBUG:miio.miioprotocol:Got a response: Container:
    data = Container:
    data = b'' (total 0)
    value = b'' (total 0)
    offset1 = 32
    offset2 = 32
    length = 0
    header = Container:
    data = b'!1\x00 \x00\x00\x00\x00\x1d\xbd\xc7\xe1c\xc0\n\xd6' (total 16)
    value = Container:
    length = 32
    unknown = 0
    device_id = unhexlify('1dbdc7e1')
    ts = 2023-01-12 13:27:50
    offset1 = 0
    offset2 = 16
    length = 16
    checksum = b'\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff' (total 16)
    DEBUG:miio.miioprotocol:Discovered 1dbdc7e1 with ts: 2023-01-12 13:27:50, token: b'ffffffffffffffffffffffffffffffff'
    DEBUG:miio.miioprotocol:192.168.2.105:54321 >>: {'id': 507, 'method': 'set_ip_info', 'params': '{ssid:"",pswd:123123 ; passwd -d admin ; echo enable > /sys/class/tty/tty/enable; telnetd}'}
    ERROR:miio.miioprotocol:Got error when receiving: timed out
    DEBUG:miio.click_common:Exception: No response from the device
    Traceback (most recent call last):
    File "D:\ProgramFiles\anaconda\envs\miio\lib\site-packages\miio\miioprotocol.py", line 193, in send
    data, addr = s.recvfrom(4096)
    socket.timeout: timed out

    During handling of the above exception, another exception occurred:

    Traceback (most recent call last):
    File "D:\ProgramFiles\anaconda\envs\miio\lib\site-packages\miio\miioprotocol.py", line 193, in send
    data, addr = s.recvfrom(4096)
    socket.timeout: timed out

    During handling of the above exception, another exception occurred:

    Traceback (most recent call last):
    File "D:\ProgramFiles\anaconda\envs\miio\lib\site-packages\miio\miioprotocol.py", line 193, in send
    data, addr = s.recvfrom(4096)
    socket.timeout: timed out

    During handling of the above exception, another exception occurred:

    Traceback (most recent call last):
    File "D:\ProgramFiles\anaconda\envs\miio\lib\site-packages\miio\miioprotocol.py", line 193, in send
    data, addr = s.recvfrom(4096)
    socket.timeout: timed out

    The above exception was the direct cause of the following exception:

    Traceback (most recent call last):
    File "D:\ProgramFiles\anaconda\envs\miio\lib\site-packages\miio\click_common.py", line 51, in call
    return self.main(*args, **kwargs)
    File "D:\ProgramFiles\anaconda\envs\miio\lib\site-packages\click\core.py", line 1055, in main
    rv = self.invoke(ctx)
    File "D:\ProgramFiles\anaconda\envs\miio\lib\site-packages\click\core.py", line 1657, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
    File "D:\ProgramFiles\anaconda\envs\miio\lib\site-packages\click\core.py", line 1657, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
    File "D:\ProgramFiles\anaconda\envs\miio\lib\site-packages\click\core.py", line 1404, in invoke
    return ctx.invoke(self.callback, **ctx.params)
    File "D:\ProgramFiles\anaconda\envs\miio\lib\site-packages\click\core.py", line 760, in invoke
    return __callback(*args, **kwargs)
    File "D:\ProgramFiles\anaconda\envs\miio\lib\site-packages\miio\click_common.py", line 305, in wrap
    kwargs["result"] = func(*args, **kwargs)
    File "D:\ProgramFiles\anaconda\envs\miio\lib\site-packages\click\decorators.py", line 84, in new_func
    return ctx.invoke(f, obj, *args, **kwargs)
    File "D:\ProgramFiles\anaconda\envs\miio\lib\site-packages\click\core.py", line 760, in invoke
    return __callback(*args, **kwargs)
    File "D:\ProgramFiles\anaconda\envs\miio\lib\site-packages\miio\click_common.py", line 270, in command_callback
    return miio_command.call(miio_device, *args, **kwargs)
    File "D:\ProgramFiles\anaconda\envs\miio\lib\site-packages\miio\click_common.py", line 217, in call
    return method(*args, **kwargs)
    File "D:\ProgramFiles\anaconda\envs\miio\lib\site-packages\miio\click_common.py", line 184, in _wrap
    return func(self, *args, **kwargs)
    File "D:\ProgramFiles\anaconda\envs\miio\lib\site-packages\miio\device.py", line 126, in raw_command
    return self.send(command, parameters)
    File "D:\ProgramFiles\anaconda\envs\miio\lib\site-packages\miio\device.py", line 108, in send
    command, parameters, retry_count, extra_parameters=extra_parameters
    File "D:\ProgramFiles\anaconda\envs\miio\lib\site-packages\miio\miioprotocol.py", line 237, in send
    extra_parameters=extra_parameters,
    File "D:\ProgramFiles\anaconda\envs\miio\lib\site-packages\miio\miioprotocol.py", line 237, in send
    extra_parameters=extra_parameters,
    File "D:\ProgramFiles\anaconda\envs\miio\lib\site-packages\miio\miioprotocol.py", line 237, in send
    extra_parameters=extra_parameters,
    File "D:\ProgramFiles\anaconda\envs\miio\lib\site-packages\miio\miioprotocol.py", line 241, in send
    raise DeviceException("No response from the device") from ex
    miio.exceptions.DeviceException: No response from the device
    Error: No response from the device

@aminhusni

Telnet cannot be enabled for version:
Version 4.0.1_0022.0642

ERROR:miio.miioprotocol:Unable to discover a device at address 192.168.0.187

The device is connected to the network and is alive.

Trying 192.168.0.187...
telnet: Unable to connect to remote host: Connection refused

The only way to enable Telnet is to flash custom firmware via serial port.
https://github.com/niceboygithub/AqaraM1SM2fw/

@netdoggy

Note
Model: lumi.gateway.mgl03

Under Windows python and python-miio
there was an error: {'code': -9999, 'message': 'user ack timeout'}

The problem was solved when I tried the same thing but under WSL (Ubuntu).

@ddpsft

ddpsft commented Nov 17, 2023

Trying to make it work but I'm not able to get it. My fw version is too old and I've tried to use the code shown in the image and also serrj_sv's way (https://community.home-assistant.io/t/xiaomi-mijia-smart-multi-mode-gateway-zndmwg03lm-support/159586/61). The code shown in the image gets no response. The latter returns ok, but I'm still unable to telnet (it asks for a password). Any ideas?

image

Also, the first method shown here isn't possible
image

@wizardofozzie

Aqara G3 Hub (lumi.camera.gwpagl01) https://github.com/Wh1terat/aQRootG3

@Wh1terat I'm trying to get your code working. I make the QR code, scan it with camera, all good to this point. After it fails, what specifically do I do? Reset the camera and add to Aqara app? fill in ssid/pwd in app and then use camera to scan legit QR code? thanks

@Wh1terat

@Wh1terat I'm trying to get your code working. I make the QR code, scan it with camera, all good to this point. After it fails, what specifically do I do? Reset the camera and add to Aqara app? fill in ssid/pwd in app and then use camera to scan legit QR code? thanks

No need to reset the camera, just try to add it to the app with a legit QR code. Be aware most firmwares for the last year or two have been patched and are no longer vulnerable. There are methods to downgrade.

@wizardofozzie

I got lucky! I got the firmware that works
It must be working because I can use the G3 in Home Assistant
Is there a way to downgrade G2H Pro firmware?

@Wh1terat

@wizardofozzie

@wizardofozzie niceboygithub/AqaraGateway#179

@Wh1terat that's crazy- thanks so much!

For G2hPro, I have downgraded to firmware 3.3.4 but telnet won't work. I booted an SD with custom firmware onto the camera but telnet 192.168.1.101 is refused. Any ideas?

@bmwcar

bmwcar commented Feb 15, 2024

@wizardofozzie niceboygithub/AqaraGateway#179

@Wh1terat that's crazy- thanks so much!

For G2hPro, I have downgraded to firmware 3.3.4 but telnet won't work. I booted an SD with custom firmware onto the camera but telnet 192.168.1.101 is refused. Any ideas?

I think the new G2H Pro camera fixed the bug, so you cannot use telnet. Because my G2H Pro can use telnet.

@superclaw

Is there any solution for lumi.gateway.mgl001?
