Xiaomi Zigbee Gateway HackIn this article I want to share with you my best practices and successes in parsing Xiaomi gateway (Version with euro plug with I take.ru). I’ll tell you how to install alternative software on it, how to restore a gateway with a wiped software and even revive a gateway with a wiped u-boot.--------- LOTS OF PICTURES -------------
First of all, I will tell you how to connect to the gateway board and get the root.First, some details about the gateway.This article discusses the version of the gateway built on the imx6ull processor .Some technical specifications of the board:- Wifi RTL8723BS - the driver from it for some reason is loaded separately.
- CPU IMX6ULL
- RAM 256 mb
- ROM 256 mb
- ZIgbee module based on JN5169.
On the board, service dimes, P2 and P4 are displayed. Ideally, they are made under the pogopins, but they are easier to solder to.P2 is Wart 0 of the processor where all the service information is displayed, the uboot bootlog and system management, you can use any usb-uart adapter.P4 - USB OTG, which is used to upload firmware to nand. (As a full-fledged OTG, until the end I could not start it, when connected, the device is detected, but apparently something else is missing).
The Chinese usb adapter board is ideally suited to the nicknames P4.
After everything is soldered and connected, you first need to get root.I did according to this instruction (link to the manual), but with a little clarification after point 5, you need to type the boot commandotherwise, the system sits and waits for a command, the instructions were probably written with the hope that everyone understands Linux.For some reason, the SSH server did not turn on according to instructions and was turned on only by manually starting the command to start /etc/init.d/dropbear start.The next step, after receiving the root, I copied the contents of the system using WinScp (we select SCP mode when creating the connection).Further on good, you need to backup the full system, in case the experiments lead to sad consequences (as I did, but I didn’t backup). Theflash memory of the gateway is divided into 4 sections.
As it turned out, there is not a lot of free space either, while in memory there are a lot of different duplicate files.
After playing for a couple of hours, I changed something in the software and the gateway stopped loading :)Now, let's figure out how to revive this piece of iron and fill anything with it.
Perform actions only if you have a brick!The Imx6ULL processor contains all information in an open form, all data boards and reference manuals are available on the manufacturer’s website after registration.U-boot was still loading at me ... But while I was trying to recover, I accidentally copied an extra command and completely wiped the nand. And u-boot, as it turned out, was in Nanda. And he got a brick.The processor supports various boot modes. In the reference manual, they are all described.
The development boards usually have switches, but there is nothing like that. The datasheet describes what kind of processor dimes it is.
And then the Chinese made a very nice gift too. They brought them to a very convenient place and almost signed them)On the board next to the processor, two resistors are soldered, where boot-mode pins just fit.
These two resistors are just switches of boot modes, by default it is set to nand, but by moving each of them to the side we get the serial boot mode.I transferred my gateway to the serial boot mode, in some way this mode is more convenient to test various firmware.To upload the firmware, a proprietary utility from NXP mfgtools is used. The only thing in it is to prepare a profile for the processor.Download mfgtools. The archive is already prepared version with all the necessary settings.We connect the gateway via USB. In serial boot mode, the gateway will try to download the firmware via the USB interface and a new HID device will appear on the computer.Mfgtools, in turn, will inform you that it sees a new device.
Sometimes the computer does not see it, with what it is connected I can not say.After the utility saw it, click Start, and the process of downloading the firmware will begin.The utility will format the nand, flood the new ubut, kernel, dtb and rootfs. The rootfs in the archive was compiled by a friend Aleksandr Faronov, he put together a clean Linux build on Yocto. The U-boot, Kernel, DTB sections were pulled out of the gateway's native firmware.In this Linux assembly, only a clean system will boot, there will be nothing more (zigby also does not work yet ).After the utility works in my case, the gateway will not do anything and load, too, because as we recall the processor in the serial boot mode.Therefore, he needs to be given a bootable U-boot image. In the archive with mfgtools there is an additional uuu utility that loads U-boot into the board's Ram, let's go to the folder containing it.We close mfgtools and reconnect the gateway with a new one, the HID device should be detected again, then we execute the command.uuu u-boot-small.imx
The board will start loading, but since it doesn’t have env, it will get up after loading U-boot. In the gateway console, we execute two commands, we register ENV for loading.setenv bootargs 'console=ttymxc0,115200 ubi.mtd=3 root=ubi0:rootfs rootfstype=ubifs cma=96M mtdparts=gpmi-nand:3m(boot),7m(kernel),1m(dtb),-(rootfs)'
and start the boot boot , the gateway starts loading from nanda and from the firmware that we uploaded.
By and large, that’s all. In mfgtools in the \ Profiles \ Linux \ OS Firmware \ files folder all the firmware files are located, replacing which you can load any compatible system. I tried downloading openwrt.
The system is loading, but I still have not figured out how to slip the right core, and where to get it.I hope by joint efforts we will still bring this gateway to its logical conclusion)Backup of the gateway directories . Telegram for discussion .