Skip to content

Instantly share code, notes, and snippets.

@zvldz

zvldz/soft_hack.md

Last active April 18, 2024 00:46
Show Gist options
  • Save zvldz/1bd6b21539f84339c218f9427e022709 to your computer and use it in GitHub Desktop.
Save zvldz/1bd6b21539f84339c218f9427e022709 to your computer and use it in GitHub Desktop.
Download ZIP
soft_hack.md
Raw
soft_hack.md

Soft hack to open telnet

You need gateway 3(mgl03) connected to MiHome. And also ip and gateway token.

1 way (recommended)

Via XiaomiGateway3 component.

You must input in the 'Open Telnet command' field(as it is without changing anything):

{"method":"set_ip_info","params":{"ssid":"\"\"","pswd":"123123 ; passwd -d admin ; echo enable > /sys/class/tty/tty/enable; telnetd"}}

2 way (recommended if not using Home Assistant)

php-miio (https://github.com/skysilver-lab/php-miio)

You may need to change id.

php miio-cli.php --ip GW_IP --token GW_TOKEN --sendcmd '{"id":123,"method":"set_ip_info","params":{"ssid":"\"\"","pswd":"123123 ; passwd -d admin ; echo enable > /sys/class/tty/tty/enable; telnetd"}}'

3 way (maybe problem with sequence id)

python-miio (https://github.com/rytilahti/python-miio)

miiocli device --ip GW_IP --token GW_TOKEN raw_command set_ip_info '{"ssid":"\"\"","pswd":"123123 ; passwd -d admin ; echo enable > /sys/class/tty/tty/enable; telnetd"}'

Login: admin

Password is empty

After opening telnet, it is better to install custom firmware (only for Xiaomi Gateway 3 mgl03).

Read here: https://github.com/zvldz/mgl03_fw/tree/main/firmware#the-easy-way

Open telnet command should also work with:

  • lumi.gateway.mgl03 - Mi Smart Home Hub
  • lumi.gateway.acn01 - Aqara Hub M1S CN
  • lumi.gateway.aeu01 - Aqara Hub M1S EU
  • lumi.aircondition.acn05 - Aqara Air Conditioning Controller P3
  • lumi.gateway.sacn01 - Smart USB Wall Outlet Hub

Aqara Hub E1 (ZHWG16LM usb stick)

You need gateway E1 connected to MiHome. And also ip and gateway token.

1 way (recommended)

Via XiaomiGateway3 component, version 2+.

You must input in the 'Open Telnet command' field(as it is without changing anything):

{"method":"set_ip_info","params":{"ssid":"\"\"","pswd":"123123 ; /bin/riu_w 101e 53 3012; telnetd"}}

2 way (recommended if not using Home Assistant)

php-miio (https://github.com/skysilver-lab/php-miio)

You may need to change id.

php miio-cli.php --ip GW_IP --token GW_TOKEN --sendcmd '{"id":123,"method":"set_ip_info","params":{"ssid":"\"\"","pswd":"123123 ; /bin/riu_w 101e 53 3012; telnetd"}}'

3 way (maybe problem with sequence id)

python-miio (https://github.com/rytilahti/python-miio)

miiocli device --ip GW_IP --token GW_TOKEN raw_command set_ip_info '{"ssid":"\"\"","pswd":"123123 ;  /bin/riu_w 101e 53 3012 ; telnetd"}'

Login: root

Password is empty

I am not author, I just tested and improved and published.

Enable telnet on Aqara G3 hub

@netdoggy
Copy link

Note
Model: lumi.gateway.mgl03

Under Windows python and python-miio
there I was an error: {'code': -9999, 'message': 'user ack timeout'}

The problem was solved when I tried the same thing but under WSL(Ubuntu)

@ddpsft
Copy link

ddpsft commented Nov 17, 2023

Trying to make it work but I'm not able to get it. My fw version is to old and I've tried to use the code shown in the image and also serrj_sv's way (https://community.home-assistant.io/t/xiaomi-mijia-smart-multi-mode-gateway-zndmwg03lm-support/159586/61). The code shown in the image get no response. The later returns ok, but still unable to telnet (asks for password). Any ideas?

image

Also, the first method shown here isn't possible
image

@wizardofozzie
Copy link

Aqara G3 Hub (lumi.camera.gwpagl01) https://github.com/Wh1terat/aQRootG3

@Wh1terat I'm trying to get your code working. I make the QR code, scan it with camera, all good to this point. After it fails, what specifically do I do? Reset the camera and add to Aqara app? fill in ssid/pwd in app and then use camera to scan legit QR code? thanks

@Wh1terat
Copy link

@Wh1terat I'm trying to get your code working. I make the QR code, scan it with camera, all good to this point. After it fails, what specifically do I do? Reset the camera and add to Aqara app? fill in ssid/pwd in app and then use camera to scan legit QR code? thanks

No need to reset the camera, just try to add it to the app with a legit QR code. Be aware most firmwares for the last year or two have been patched and are no longer vulnerable. There are methods to downgrade.

@wizardofozzie
Copy link

I got lucky! I got the firmware that works
It must be working because I can use the G3 in Home Assistant
Is there a way to downgrade G2H Pro firmware?

@Wh1terat
Copy link

@wizardofozzie niceboygithub/AqaraGateway#179

@wizardofozzie
Copy link

@wizardofozzie niceboygithub/AqaraGateway#179

@Wh1terat that's crazy- thanks so much!

For G2hPro, I have downgraded to firmware 3.3.4 but telnet won't work. I booted an SD with custom firmware onto the camera but telnet 192.168.1.101 is refused. Any ideas?

@bmwcar
Copy link

bmwcar commented Feb 15, 2024

@wizardofozzie niceboygithub/AqaraGateway#179

@Wh1terat that's crazy- thanks so much!

For G2hPro, I have downgraded to firmware 3.3.4 but telnet won't work. I booted an SD with custom firmware onto the camera but telnet 192.168.1.101 is refused. Any ideas?

i think the new g2h pro camera fix the bug ,so you can not use telnet. Because my g2h pro can use telnet.

@superclaw
Copy link

Is there any solution for lumi.gateway.mgl001?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment