Lumi Aqara Camera root - dgiese/dustcloud GitHub Wiki
This is a DRAFT and incomplete!
Learn why this works here: https://www.youtube.com/watch?v=DHsqb2poGII or http://dontvacuum.me/talks/DEFCON26/DEFCON26-Having_fun_with_IoT-Xiaomi.html
Prewarnings
- This how-to is highly experimental and dangerous.
- While there are two copies of the app partition (mtdblock4/mtdblock5), there is only one copy of the system partition (mtdblock3).
- Flashing mtdblock3 while the camera is running is dangerous and will likely brick your device.
- Whatever you do, the images you flash must not exceed the sizes of the target partitions, or else your device will be bricked.
- After logging in, make copies of your partitions.
If firmware older than October 2018 (without opening the device)
- Reset Wifi credentials (by pressing the reset button)
- telnet to the camera (default IP 192.168.1.1) and log in with root:lumi-201 [this password is hardcoded in the system partition]
- [ you have root now, right? stop reading ;) ]
- continue with the rooting section below
If firmware newer than October 2018 (requires opening the device)
- Connect to the serial port of the device (pinout: https://github.com/dgiese/dustcloud-documentation/blob/master/lumi.camera.aq1/photos/IMG_20180320_204425.jpg)
- The updated firmware versions kill telnetd after loading the app, so you will not have telnet access
- If you are quick, you can log in using root:lumi-201; if you wait too long or if the device has already booted, use root:6SmvyB2n
- continue with the rooting section below
Rooting (general approach)
- extract the information from /lumi/conf/device.conf (this file contains your DID, key, MAC and the P2P ID used for the camera stream)
- insert an SD card
- back up all your partitions (mtdblock0 to mtdblock6) by using dd to copy them to the SD card
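The backup step above, written out as a script. This is an added example and not part of the dustcloud wiki: it copies each of mtdblock0 to mtdblock6 to the SD card with dd, keeps a copy of /proc/mtd next to the dumps (the kernel's partition table, which gives the exact partition sizes needed for the size warnings above), and checks that every dump has the size /proc/mtd reports for it. The mount point /mnt for the SD card is an assumption taken from the wiki's later flashcp commands; sha256sum being present in the camera's BusyBox is also an assumption.

```shell
#!/bin/sh
# Added example (not from the dustcloud wiki): back up all MTD partitions of the
# camera to the SD card and verify each dump against /proc/mtd.
# Assumptions: SD card mounted at /mnt, /dev/mtdblock0..6 and /proc/mtd present,
# dd and sha256sum available in the camera's BusyBox.

# Size in bytes of one MTD partition, read from a /proc/mtd-style table.
# $1 = partition name such as mtd3, $2 = path of the table (default /proc/mtd).
# Example line in /proc/mtd:  mtd3: 00200000 00010000 "name"  (sizes are hex)
mtd_size_bytes() {
    _hex=$(awk -v want="$1:" '$1 == want { print $2 }' "${2:-/proc/mtd}")
    [ -n "$_hex" ] || return 1
    echo $(( 0x$_hex ))
}

# Return 0 if dump file $1 is exactly as large as partition $2 (table in $3).
verify_dump() {
    _want=$(mtd_size_bytes "$2" "$3") || { echo "unknown partition $2" >&2; return 1; }
    _have=$(( $(wc -c < "$1") ))
    if [ "$_have" -ne "$_want" ]; then
        echo "$1: $_have bytes, but $2 is $_want bytes" >&2
        return 1
    fi
}

# Dump mtdblock0..6 to $1 (default /mnt/backup), keep /proc/mtd and checksums.
backup_partitions() {
    _dest=${1:-/mnt/backup}
    mkdir -p "$_dest" || return 1
    cp /proc/mtd "$_dest/proc_mtd.txt" || return 1
    for _n in 0 1 2 3 4 5 6; do
        dd if="/dev/mtdblock$_n" of="$_dest/mtdblock$_n" bs=64k 2>/dev/null || return 1
        verify_dump "$_dest/mtdblock$_n" "mtd$_n" "$_dest/proc_mtd.txt" || return 1
    done
    ( cd "$_dest" && sha256sum mtdblock* > SHA256SUMS )
}

# On the camera, run:  backup_partitions /mnt/backup
```

Keep the SHA256SUMS file with the dumps: after a failed flash, comparing a re-read partition against it tells you whether the copy on the SD card is still the one to restore.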
Rooting (using mtd3)
- This method gives you the most freedom and survives updates, but it is dangerous (as you have only one copy)
- You can use my prebuilt version of the partition from here
- OR: You can build your own version (skip this if you use my version)
- (This assumes that you have the backup of your partition on your computer)
unsquashfs mtdblock3
(do your modifications, e.g. patching /etc/passwd, /lumi/lumi_rum.sh or soundfiles)
mksquashfs squashfs-root/ mtdblock3dustcloud -force-uid 1000 -force-gid 1000 -comp xz
(make sure that the maximum partition size is not exceeded)
- run "flashcp /mnt/mtdblock3dustcloud /dev/mtd3" (this will likely brick your device at this point)
Rooting (using mtd4/mtd5)
- This method is safer, but does not survive updates
- You can build your own version (skip this if you use my version)
- (This assumes that you have the backup of your partition on your computer)
unsquashfs mtdblock4
(do your modifications, e.g. patching lumi_app.sh)
mksquashfs squashfs-root/ mtdblock4new -force-uid 1000 -force-gid 1000 -comp xz
(make sure that the maximum partition size is not exceeded)
- run "flashcp /mnt/mtdblock4new /dev/mtd5"
- run "flashcp /mnt/mtdblock4new /dev/mtd4"
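Both the mtd3 and the mtd4/mtd5 procedures above hinge on the rebuilt squashfs image not exceeding the partition it is written to. The following added example (not from the dustcloud wiki) makes that check explicit: it reads the partition size from /proc/mtd on the camera and refuses to call flashcp when the image is too large. The image and partition names are the wiki's; the existence of flashcp on the device is taken from the wiki, and everything else is an assumption.

```shell
#!/bin/sh
# Added example (not from the dustcloud wiki): refuse to flash a squashfs image
# that is larger than its target MTD partition, the bricking condition the wiki
# warns about. Assumes /proc/mtd on the camera and the flashcp used in the wiki.

# Size in bytes of one MTD partition from a /proc/mtd-style table (hex column 2).
mtd_size_bytes() {
    _hex=$(awk -v want="$1:" '$1 == want { print $2 }' "${2:-/proc/mtd}")
    [ -n "$_hex" ] || return 1
    echo $(( 0x$_hex ))
}

# image_fits <image> <mtdN> [table]: prints the spare bytes and returns 0 if the
# image fits, otherwise prints why it does not and returns 1.
image_fits() {
    _part=$(mtd_size_bytes "$2" "${3:-/proc/mtd}") || { echo "no such partition: $2" >&2; return 1; }
    _img=$(( $(wc -c < "$1") ))
    if [ "$_img" -gt "$_part" ]; then
        echo "REFUSE: $1 is $_img bytes, $2 holds $_part (over by $(( _img - _part )))" >&2
        return 1
    fi
    echo $(( _part - _img ))
}

# safe_flash <image> <mtdN>: size check first, flashcp only if it passes.
safe_flash() {
    _spare=$(image_fits "$1" "$2") || return 1
    echo "$1 fits in $2 with $_spare bytes to spare, flashing"
    flashcp "$1" "/dev/$2"
}

# Usage on the camera, in the wiki's order for the app partition copies:
#   safe_flash /mnt/mtdblock4new mtd5 && safe_flash /mnt/mtdblock4new mtd4
# and for the single system partition (still dangerous, see the warnings above):
#   safe_flash /mnt/mtdblock3dustcloud mtd3
```

Because mtd4 and mtd5 are two copies of the same app partition, flashing one copy at a time, as the wiki does, keeps the other copy intact if the first write fails; the size check matters most for mtd3, where no second copy exists.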
Rooting / Recovering from messed up mtd3 (via SPI flash)
- This method is necessary in case you experienced a crash while flashing or something else went wrong. You need an SPI reader (e.g. a Raspberry Pi with flashrom; see here how) and need to unsolder the SPI flash chip.
- Dump (if not already done) the whole SPI flash
sudo flashrom -p linux_spi:dev=/dev/spidev0.0 -r dump.rom
- Create a working mtd3 partition (see above)
- Patch the SPI flash image (here called dump_fixed.rom) with your patched copy of mtd3 (here called mtdblock3cod)
dd if=mtdblock3cod of=dump_fixed.rom bs=1 seek=2228224 conv=notrunc
- Write new image to SPI flash
sudo flashrom -p linux_spi:dev=/dev/spidev0.0 -w dump_fixed.rom
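The dd step above writes the rebuilt mtd3 into the SPI dump at byte offset 2228224 (0x220000) with conv=notrunc, so the rest of the dump is kept. Before handing the result to flashrom -w it is worth checking that exactly that happened. The following is an added example, not part of the dustcloud wiki: it performs the wiki's dd on a copy of the dump, refuses if the image is larger than the partition or the window runs past the end of the dump, and then verifies that the window holds the image and that every byte outside the written bytes is unchanged. The partition size is not on the page and must be supplied (take it from /proc/mtd on the camera); the small sizes in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the dustcloud wiki): patch a full SPI flash dump with a
# rebuilt mtd3 image and verify the result before flashrom -w.
# patch_spi_dump <dump.rom> <mtd3 image> <out.rom> [offset] <partition size>

MTD3_OFFSET=2228224   # from the wiki's dd command (bs=1 seek=2228224 = 0x220000)

# Check that out.rom equals dump.rom everywhere except where the image was
# written, and that the window now holds the image byte for byte.
verify_patch() {
    _dump=$1; _img=$2; _out=$3; _off=$4
    _isize=$(( $(wc -c < "$_img") ))
    _dsize=$(( $(wc -c < "$_dump") ))
    _tmp=$(mktemp)
    _ok=0
    [ $(( $(wc -c < "$_out") )) -eq "$_dsize" ] || _ok=1
    # Window content: the image.
    tail -c +$(( _off + 1 )) "$_out" | head -c "$_isize" | cmp -s - "$_img" || _ok=1
    # Bytes before the window: unchanged.
    head -c "$_off" "$_dump" > "$_tmp"
    head -c "$_off" "$_out" | cmp -s - "$_tmp" || _ok=1
    # Bytes after the image (including the rest of the partition): unchanged.
    tail -c +$(( _off + _isize + 1 )) "$_dump" > "$_tmp"
    tail -c +$(( _off + _isize + 1 )) "$_out" | cmp -s - "$_tmp" || _ok=1
    rm -f "$_tmp"
    [ "$_ok" -eq 0 ] || echo "verification FAILED for $_out" >&2
    return "$_ok"
}

patch_spi_dump() {
    _dump=$1; _img=$2; _out=$3
    _off=${4:-$MTD3_OFFSET}
    _psize=${5:?partition size in bytes required}
    _isize=$(( $(wc -c < "$_img") ))
    _dsize=$(( $(wc -c < "$_dump") ))
    if [ "$_isize" -gt "$_psize" ]; then
        echo "REFUSE: image is $_isize bytes, partition holds $_psize" >&2
        return 1
    fi
    if [ $(( _off + _psize )) -gt "$_dsize" ]; then
        echo "REFUSE: partition window ends past the $_dsize-byte dump" >&2
        return 1
    fi
    cp "$_dump" "$_out" || return 1
    # The wiki's operation, applied to the copy; conv=notrunc keeps the rest.
    dd if="$_img" of="$_out" bs=1 seek="$_off" conv=notrunc 2>/dev/null || return 1
    verify_patch "$_dump" "$_img" "$_out" "$_off"
}

# Usage on the PC with the wiki's file names (mtd3 size from the camera's /proc/mtd):
#   patch_spi_dump dump.rom mtdblock3cod dump_fixed.rom 2228224 <mtd3 size in bytes>
```

A squashfs image smaller than the partition leaves the old bytes after its end in place; squashfs ignores trailing data, so that is harmless, and the verification above deliberately checks that those bytes are still the original ones rather than something else.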