atc1441 / ATC_MiThermometer

Custom firmware for the Xiaomi Thermometer LYWSD03MMC and Telink Flasher via USB to Serial converter

Xiaomi has released new 2.1.1 firmware #298

Open micturkey opened 1 year ago

micturkey commented 1 year ago

[image]

It seems that the way to update firmware using Telink Flasher has been forbidden.

atc1441 commented 1 year ago

Thank you for the hint. That really reads like they closed it

pvvx commented 1 year ago

Not closed, but they changed the "activation" and changed the "advertising interval" to 2100 ms.

"Login" works with known keys. OTA also works. Set "Mi Token" and "Mi Bind Key" and press "Login":

[image]

A piece of the activation log (sniffer + MiHome). "Sent Read Request, Handle: 0x00xx" is abbreviated as "Send enc_XX"; "Rcvd Read Response, Handle: 0x00xx" as "Rcvd enc_XX".

// > Checking for transmission with MTU size
Send enc_10: a4 // Test MTU
Rcvd enc_19: 000004000612 // ?
Send enc_19: 000005000612
Rcvd enc_19: 0000040112121212121212121212121212121212
Send enc_19: 0000050112121212121212121212121212121212
// > Get Device id
Send enc_10: a2000000 // SYS_DEV_INFO_GET
Rcvd enc_19: 000000000200 // ?, 2 blks
Send enc_19: 00000101
Rcvd enc_19: 01000200000000626c742e362e316667336a736f
Rcvd enc_19: 0200726f73673030
Send enc_19: 00000100 // ACK
// ????
Send enc_10: 15000000 // REG_START_WO_PKI
Send enc_19: 000000030400 // ECC_PUBKEY?, 4 blks
Rcvd enc_19: 00000101
Send enc_19: 01003b412a2b060a1d7da21033ff4e584bf4f8f3
Send enc_19: 02001a9dee5c4dc95e198c4bc3be5953d6babfdb
Send enc_19: 0300415a9eda4e42ac53e864d1ebd6c9b4616ce5
Send enc_19: 04004c9f1e094e30fc77ce51 // 18*3+10=64 bytes
Rcvd enc_19: 00000100 // ACK
Rcvd enc_19: 000000030400 // ECC_PUBKEY?, 4 blks
Send enc_19: 00000101
Rcvd enc_19: 010025c4faa9e119108b3133915e663ee3d4d0fb
Rcvd enc_19: 02009ada216d9d91928725dea0bb88f44639f8a1
Rcvd enc_19: 0300bb69a33f849bdbb0c2be2b8910271244c5dd
Rcvd enc_19: 04006bc5edefc593dc2d8557 // 18*3+10=64 bytes
Send enc_19: 00000100 // ACK

Send enc_10: 13000000 // REG_VERIFY_SUCC
Send enc_19: 000000000600   // DEV_SHARE_INFO?, 6 blks
Rcvd enc_19: 00000101
Send enc_19: 01001904e3c44b8ab77b3e2f9b7371b4606d9a8a
Send enc_19: 0200e7c71cc8bc712b7d080af2153d8638b7701e
Send enc_19: 0300ab70d36fceb296c3f8805d4073216e542f93
Send enc_19: 0400523da93c45061966487db32dd32936159b3e
Send enc_19: 05006739aa0281d368eac3205bc87d419ebc838e
Send enc_19: 06007457 // 18*5+2=92 bytes
Rcvd enc_19: 00000100 // ACK

Send enc_19: 000000071600 // SERVER_CERT?, 22 blks 
Rcvd enc_19: 00000101
// send certificate: https://github.com/Ai-Thinker-Open/Telink_SIG_Mesh/blob/master/example/AT_Ali_Mesh/mesh/mi_api/certi/cryptography/mi_crypto.c#L46
Send enc_19: 0100308201773082011ea003020102020101300a
Send enc_19: 020006082a8648ce3d0403023022311330110603
Send enc_19: 030055040a130a4d696a696120526f6f74310b30
Send enc_19: 04000906035504061302434e3020170d31363131
Send enc_19: 050032333038323032355a180f32303636313131 
Send enc_19: 0600313038323032355a30233114301206035504
Send enc_19: 07000a0c0b4d696a696120436c6f7564310b3009
Send enc_19: 080006035504061302434e3059301306072a8648
Send enc_19: 0900ce3d020106082a8648ce3d03010703420004
Send enc_19: 0a00a752ecd44b6b3b17abc34f8300c6320f2e4c
Send enc_19: 0b00bec57a51034b5ecadf7347d745df8c3dbcfa
Send enc_19: 0c00aedb67b04cace5aff798182e43c5a444b627
Send enc_19: 0d00c2d7f361629d3f914802a3423040301f0603
Send enc_19: 0e00551d2304183016801496b7a27c39b1b96633
Send enc_19: 0f00a9f8d109b20060c8e6c511301d0603551d0e
Send enc_19: 1000041604145a29bffb2fb7500ce9c420f23d89
Send enc_19: 11009b6fe0803293300a06082a8648ce3d040302
Send enc_19: 1200034700304402205eb096d630f92f092ae39d
Send enc_19: 13001356f836c529697a355d765f4eccce785b89
Send enc_19: 14009a6d1602207e206b22aa04e6dee818c7d4c4
Send enc_19: 150080e5fabd99074bdecf45346e37f1cffd8646
Send enc_19: 160090 // 18*22+1=397 bytes
Rcvd enc_19: 00000100 // ACK
Rcvd enc_10: 11000000 // REG_SUCCESS
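
Added example (not part of pvvx's post or the project's code): the transfers in the log above are chunked over the enc_19 handle, so the Python below reassembles three of them (the device-info reply, the device's 64-byte public key, and the 22-block certificate the phone sends) and walks the certificate's DER with a minimal TLV parser. The frame layout it assumes (LE16 sequence number, a 6-byte header announcing op and block count, 4-byte ready/ACK frames, 18 payload bytes per full block) and the 5-byte prefix it skips before the device name are inferred from the log, not taken from any Mi specification. Reassembled, the certificate is 379 bytes, which matches its own outer DER length (0x0177 plus 4 header bytes): serial 1, issued by O=Mijia Root to O=Mijia Cloud, ECDSA with SHA-256 over a P-256 key, valid 2016-11-23 to 2066-11-11. A certificate chained to a vendor root is the kind of artefact a device checks against a root public key baked into its firmware, which fits the activation having become certificate-based.

```python
"""Reassemble the fragmented "enc_19" block transfers from the activation log
above and decode them.  Added example, not project code: frame-field meanings
are inferred from the log and are assumptions, not a documented Mi format."""

# Transcribed from the sniffer excerpt ("S" = Send, phone -> device; "R" = Rcvd,
# device -> phone).  Three transfers are kept: the device-info reply, the
# device's raw public key, and the certificate the phone pushes to the device.
LOG = (
    "R 000000000200", "S 00000101",
    "R 01000200000000626c742e362e316667336a736f", "R 0200726f73673030", "S 00000100",
    "R 000000030400", "S 00000101",
    "R 010025c4faa9e119108b3133915e663ee3d4d0fb", "R 02009ada216d9d91928725dea0bb88f44639f8a1",
    "R 0300bb69a33f849bdbb0c2be2b8910271244c5dd", "R 04006bc5edefc593dc2d8557", "S 00000100",
    "S 000000071600", "R 00000101",
    "S 0100308201773082011ea003020102020101300a", "S 020006082a8648ce3d0403023022311330110603",
    "S 030055040a130a4d696a696120526f6f74310b30", "S 04000906035504061302434e3020170d31363131",
    "S 050032333038323032355a180f32303636313131", "S 0600313038323032355a30233114301206035504",
    "S 07000a0c0b4d696a696120436c6f7564310b3009", "S 080006035504061302434e3059301306072a8648",
    "S 0900ce3d020106082a8648ce3d03010703420004", "S 0a00a752ecd44b6b3b17abc34f8300c6320f2e4c",
    "S 0b00bec57a51034b5ecadf7347d745df8c3dbcfa", "S 0c00aedb67b04cace5aff798182e43c5a444b627",
    "S 0d00c2d7f361629d3f914802a3423040301f0603", "S 0e00551d2304183016801496b7a27c39b1b96633",
    "S 0f00a9f8d109b20060c8e6c511301d0603551d0e", "S 1000041604145a29bffb2fb7500ce9c420f23d89",
    "S 11009b6fe0803293300a06082a8648ce3d040302", "S 1200034700304402205eb096d630f92f092ae39d",
    "S 13001356f836c529697a355d765f4eccce785b89", "S 14009a6d1602207e206b22aa04e6dee818c7d4c4",
    "S 150080e5fabd99074bdecf45346e37f1cffd8646", "S 160090", "R 00000100",
)

def reassemble(log):
    """Yield (direction, op, payload) for each completed block transfer.
    Assumed layout: LE16 sequence number, then payload.  seq 0 = control:
    a 6-byte frame with byte[2] == 0 announces a transfer (byte[3] = op,
    LE16 at [4:6] = block count); 4-byte frames are the ready/ACK handshake."""
    pending = {}
    for entry in log:
        direction, hexdata = entry.split()
        frame = bytes.fromhex(hexdata)
        seq = int.from_bytes(frame[:2], "little")
        if seq == 0:
            if len(frame) == 6 and frame[2] == 0:
                pending[direction] = (frame[3], int.from_bytes(frame[4:6], "little"), {})
            continue
        op, nblk, chunks = pending[direction]
        chunks[seq] = frame[2:]                  # 18 payload bytes per full block
        if len(chunks) == nblk:
            del pending[direction]
            yield direction, op, b"".join(chunks[i] for i in range(1, nblk + 1))

def der_tlvs(buf):
    """Walk a DER buffer, yielding (tag, value) for each element at this level."""
    i = 0
    while i < len(buf):
        tag, n = buf[i], buf[i + 1]
        i += 2
        if n & 0x80:                             # long form: low bits = number of length bytes
            k = n & 0x7F
            n, i = int.from_bytes(buf[i:i + k], "big"), i + k
        yield tag, buf[i:i + n]
        i += n

ATTR = {b"\x55\x04\x0a": "O", b"\x55\x04\x06": "C", b"\x55\x04\x03": "CN"}

def parse_name(der_name):
    """X.501 Name -> {attr: value}; every RDN here is a SET of one {OID, string}."""
    out = {}
    for _, rdn in der_tlvs(der_name):
        for _, atv in der_tlvs(rdn):
            oid, val = [v for _, v in der_tlvs(atv)]
            out[ATTR.get(oid, oid.hex())] = val.decode("ascii")
    return out

def parse_cert(der):
    """Extract the fields worth checking from an X.509 v3 certificate."""
    (_, cert), = der_tlvs(der)
    tbs, sig_alg, sig = [v for _, v in der_tlvs(cert)]
    f = list(der_tlvs(tbs))  # version, serial, alg, issuer, validity, subject, SPKI, extensions
    not_before, not_after = [v.decode("ascii") for _, v in der_tlvs(f[4][1])]
    _, spk = list(der_tlvs(f[6][1]))[1]          # BIT STRING: unused-bits byte, 0x04, X, Y
    (_, rs), = der_tlvs(sig[1:])                 # SEQUENCE { r INTEGER, s INTEGER }
    r, s = [int.from_bytes(v, "big") for _, v in der_tlvs(rs)]
    return {
        "serial": int.from_bytes(f[1][1], "big"),
        "ecdsa_sha256": sig_alg == bytes.fromhex("06082a8648ce3d040302"),
        "issuer": parse_name(f[3][1]), "subject": parse_name(f[5][1]),
        "not_before": not_before, "not_after": not_after,
        "pubkey": spk[2:], "sig_rs": (r, s),
    }

def decode_log(log=LOG):
    """Attach a meaning to each reassembled transfer (op numbers as seen in the log)."""
    out = {}
    for direction, op, payload in reassemble(log):
        if (direction, op) == ("R", 0):
            # 5-byte prefix (meaning not shown on the page, assumption), then ASCII device name
            out["device_name"] = payload[5:].decode("ascii")
        elif (direction, op) == ("R", 3):
            out["device_pubkey"] = payload                     # 64 bytes: raw P-256 X||Y
        elif (direction, op) == ("S", 7):
            out["cert_len"], out["cert"] = len(payload), parse_cert(payload)
    return out
```

Only the standard library is used, so it runs offline. `decode_log()` returns a dict; both `pubkey` fields are raw X||Y coordinates without the 0x04 prefix, so prepend it before handing them to a library that expects SEC1 point encoding.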
atc1441 commented 1 year ago

Thanks Victor. So the activation part is not cracked right now, and you currently need to get the set key first from the app etc. to OTA?

I would expect them to sign the activation on the server side with an unknown private key, but let's hope not.

thazro commented 1 year ago

Can I downgrade via UART? With the correct key/token I cannot downgrade or change the FW. Even if login is correct and OTA seems to work, it doesn't.

pvvx commented 1 year ago

I haven't clarified the whole process yet. There is an assumption that the OTA firmware is signed with an additional key. The "OTA" procedure itself always works, but at the end the "OTA" code itself may not be included. Previously, for some variants of thermometers, the signature was the correct "CRC" of the OTA code.

It is quite possible that because of these "security worries" Xiaomi has changed the activation and "OTA": https://francozappa.github.io/publication/2023/espoofer/

[image]

PS: I can't clarify because I adhere to the "user agreement" in "MiHome". It forbids viewing their code and other manipulations of it. And no one wants to publish the binary file of the new official firmware for public access :)

maltiboi commented 1 year ago

Is this going to get fixed, please? Thank you.

Tim-The-Woodsman commented 1 year ago

And I just updated the firmware without checking in here 😞

wwnkrull commented 1 year ago

I've made the same mistake by updating to the latest firmware. Hope this will be fixed soon. Thanks guys for all the hard work!

PerssonNiklas commented 1 year ago

So for those of us who updated to the latest firmware, is there any way to downgrade when the flasher does not connect due to being on unsupported firmware? Catch 22 situation!

igorlesiv commented 1 year ago

I also can't flash on version 2.1.1_0159; please let me know if it is possible or not. Thanks!

pvvx commented 1 year ago

At the moment, you can only write another firmware using a hardware programmer.

PerssonNiklas commented 1 year ago

> At the moment, you can only write another firmware using a hardware programmer.

How would I go about doing that?

kri5to commented 1 year ago

Damn, got it with the new firmware, so I can't install the custom one either :( Is there hope to get the upgrade soon?

pvvx commented 1 year ago

A hint may appear when a new version is released, when it becomes possible to upgrade version 2.1.1_0159 in Mi Home to the next one.

VonalOrdu commented 1 year ago

To go back to the old version (Original_OTA_Xiaomi_LYWSD03MMC_v1.0.0_0130.bin), you must remove your temperature sensor and connect it with the cables following the steps below. This is how I solved my problem. I'm sorry for my bad English.

  1. Download https://github.com/pvvx/ATC_MiThermometer/blob/master/Original_OTA_Xiaomi_LYWSD03MMC_v1.0.0_0130.bin
  2. Open https://pvvx.github.io/ATC_MiThermometer/USBCOMFlashTx.html
  3. [image]
  4. [image]
  5. File select Original_OTA_Xiaomi_LYWSD03MMC_v1.0.0_0130.bin
  6. Write to flash

pvvx commented 1 year ago

@VonalOrdu

  1. The contact on the PCB marked as "reset" is not an RST signal for the TLSR825x SoC!
  2. https://pvvx.github.io/ATC_MiThermometer/USBCOMFlashTx.html does not use the RX pin; the resistor and RX connection are not needed!
VonalOrdu commented 1 year ago

> @VonalOrdu
>
> 1. The contact on the PCB marked as "reset" is not an RST signal for the TLSR825x SoC!
> 2. https://pvvx.github.io/ATC_MiThermometer/USBCOMFlashTx.html does not use the RX pin; the resistor and RX connection are not needed!

I have no idea about this. I succeeded by doing this. Maybe it will work if you do as you say. I used the suggestion below.

https://github.com/atc1441/ATC_MiThermometer/blob/master/Mi_SWS_Connection.jpg

[image]

pvvx commented 1 year ago

The very name of the utility describes: TLSR825x USB-COM Flash Writer v0.4 (TX-SWS only!) :)

The picture is from another version of the programmer - https://github.com/pvvx/TlsrComSwireWriter - does not work on FTDI chips!

Comment edited: Fixed a link error.

VonalOrdu commented 1 year ago

> The very name of the utility describes: TLSR825x USB-COM Flash Writer v0.4 (TX-SWS only!) :)
>
> The picture is from another version of the programmer - https://github.com/pvvx/TlsrComProg825x - does not work on FTDI chips!

[image]

Are you saying that this is enough for me?

pvvx commented 1 year ago

> Are you saying that this is enough for me?

Yes

VonalOrdu commented 1 year ago

> > Are you saying that this is enough for me?
>
> Yes

python.exe TLSR825xComFlasher.py -p COM3 -t 70 wf 0 Original_full_flash_Xiaomi_LYWSD03MMC.bin

Why didn't this method work? It was giving the error "Chip sleep? -> Use reset chip (RTS-RST): see option --tact".

https://pvvx.github.io/ATC_MiThermometer/USBCOMFlashTx.html

This method worked. Thank you very much for your sharing.

pvvx commented 1 year ago

> Why didn't this method work?

https://github.com/pvvx/TlsrComSwireWriter does not work on FTDI chips! (Only Chinese USB-COM chips.)

On FTDI chips, reception is performed by checking bitwise synchronization, with bad characters removed from the buffer and an error generated, which does not allow emulating "Telink SWire".

https://github.com/pvvx/TlsrComProg825x - this programmer uses a loader that switches to working with the RX and TX UART pins of the chip. It takes a lot of wires...

https://github.com/pvvx/ATC_MiThermometer#the-usb-com-adapter-writes-the-firmware-in-explorer-web-version

[image]

ceinmart commented 1 year ago

Hi, I just made the same mistake as everyone here. I bought two of these sensors and was planning to flash them and use them with a BLE tracker on my Home Assistant. However, curious to see how it works originally, I did the firmware upgrade when I added it to the MiHome app... stupid curiosity...

So, after sharing my disgrace...

How hard is it to get one of these USB-COM boards and use it to downgrade? Any link from AliExpress? I'm a little confused about which board is compatible, which link should be used to do the downgrade, and what the right way of wiring is. Please, can anyone share where to buy this USB-COM adapter and a step-by-step guide to downgrade the firmware?

thazro commented 1 year ago

> Hi, I just made the same mistake as everyone here. I bought two of these sensors and was planning to flash them and use them with a BLE tracker on my Home Assistant. However, curious to see how it works originally, I did the firmware upgrade when I added it to the MiHome app... stupid curiosity...
>
> So, after sharing my disgrace...
>
> How hard is it to get one of these USB-COM boards and use it to downgrade? Any link from AliExpress? I'm a little confused about which board is compatible, which link should be used to do the downgrade, and what the right way of wiring is. Please, can anyone share where to buy this USB-COM adapter and a step-by-step guide to downgrade the firmware?

Hi. Downgraded using this CH340 USB to TTL RS232 converter: https://www.aliexpress.com/item/32354359382.html?gatewayAdapt=glo2isr

  1. Solder P14 on the thermometer to TXD
  2. Solder GND to GND
  3. Solder + to 3.3V

Flash using: https://pvvx.github.io/ATC_MiThermometer/USBCOMFlashTx.html

kimol88 commented 12 months ago

Maybe I couldn't do it differently, but flashing via the site only works on a Windows machine. On a MacBook I bricked it by flashing. On a Windows machine I recovered the firmware without problems :)

ceinmart commented 12 months ago

> Hi. Downgraded using this CH340 USB to TTL RS232 converter: https://www.aliexpress.com/item/32354359382.html?gatewayAdapt=glo2isr
>
>   1. Solder P14 on the thermometer to TXD
>   2. Solder GND to GND
>   3. Solder + to 3.3V
>
> Flash using: https://pvvx.github.io/ATC_MiThermometer/USBCOMFlashTx.html

Hi guys, just giving feedback: I just flashed and downgraded my sensor successfully!!!

However, I didn't use the board referenced by @thazro; I got an FTDI 232 from a friend and followed the steps given by @thazro.

I did the downgrade of my firmware from v2 to v1 and then flashed it with the custom firmware v4.5 successfully!! Very, very happy :) Thanks all for the support. Now, let's try to set it up on my Home Assistant using an ESP32 as a BLE tracker...

[images]

vdende commented 12 months ago

I'm not that familiar with soldering and boards, so I decided to buy a new one from Ali, from the same shop as my previous one. It was shipped very fast and fortunately the firmware version of the new device was still on v1.0. So for this one I was able to flash it with the custom v4.5, set it to BTHome and configured it in HomeAssistant.

adamb94 commented 11 months ago

Is there any expected date when firmware 2.1.1 will be supported by Telink Mi Flasher? I was not able to downgrade via serial.

pvvx commented 11 months ago

So far no one is doing this or it is unknown. I'm waiting for the next version to come out. This will make it possible to understand how to update version 2.1.1.

Disassembling or otherwise viewing codes from Xiaomi is prohibited in the MiHome user agreement. For this reason, other methods that are not prohibited will be used. And this requires the next new version of OTA from MiHome.

atc1441 commented 11 months ago

While I don't know 100%, I am very sure they added signing to the update, which cannot be bypassed without an exploit.

So OTA is unlikely.

Just my assumption.

pvvx commented 11 months ago

> While I don't know 100%, I am very sure they added signing to the update, which cannot be bypassed without an exploit.

They could also add key reading to their cloud for a registered user. Tuya BLE has had all this for a long time, but no one is interested...

atc1441 commented 11 months ago

> Disassembling or otherwise viewing codes from Xiaomi is prohibited in the MiHome user agreement. For this reason, other methods that are not prohibited will be used. And this requires the next new version of OTA from MiHome.

I never agreed to anything like that, so no problem with disassembly ^^

pvvx commented 11 months ago

Using information from open sources is not prohibited... -> Need a publication :)

rmappleby commented 11 months ago

I have also never installed MiHome (or anything else from Xiaomi), and so am not subject to any of their terms and conditions. I assume @atc1441 will provide the information that is needed far more effectively than I can, but if not give me a nudge.

rezmus commented 11 months ago

It looks like they are now using signed OTA. The same protection has been there since 2020 for some WiFi devices (robots, cams, hubs), but this is the first time I see it for BLE.

https://pastebin.com/raw/5AR7JNVp

atc1441 commented 11 months ago

Yep, that's a signed OTA :(

rmappleby commented 11 months ago

But there's still nothing to stop us flashing your custom firmware using wires and an FTDI converter, I assume?

atc1441 commented 11 months ago

@rmappleby yes, the SoC can always be flashed via wires

pvvx commented 11 months ago

Original_OTA_SJWS01LM_1.1.1_0018.bin

-----BEGIN CERTIFICATE-----
MIIBhTCCASugAwIBAgIBAjAKBggqhkjOPQQDAjAiMRMwEQYDVQQKEwpNaWppYSBS
b290MQswCQYDVQQGEwJDTjAgFw0xODAxMTgwMjE5MTVaGA8yMDY4MDEwNjAyMTkx
NVowIjETMBEGA1UECgwKTWlqaWEgT3BlbjELMAkGA1UEBhMCQ04wWTATBgcqhkjO
PQIBBggqhkjOPQMBBwNCAASTPDXoepwRzEV0nVioPiILRzjKTNZo1dUSzutyn8op
V4NaQDmCwtdvGGz/UzWEqEdlgVuncnG8S8de1mVxZhzIo1AwTjAfBgNVHSMEGDAW
gBSWt6J8ObG5ZjOp+NEJsgBgyObFETAdBgNVHQ4EFgQU6ik3eeFQQohlpo7V0Ehr
wLBT+GUwDAYDVR0TBAUwAwEB/zAKBggqhkjOPQQDAgNIADBFAiEAnQyFwFhYV/Zm
n5OY0H4FG7qVarqVUMrXiNCg/cIif+ACIEW1J06zPTYNLe9SqIIaFiCBMTtvPUvM
JJHkc890sLAY
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBlzCCAT2gAwIBAgIGAXRoWA0NMAoGCCqGSM49BAMCMCIxEzARBgNVBAoMCk1p
amlhIE9wZW4xCzAJBgNVBAYTAkNOMCAXDTIwMDkwNzExMzM1NVoYDzIxMjAwODE0
MTEzMzU1WjAcMQswCQYDVQQGEwJDTjENMAsGA1UEChMEY2VydDBZMBMGByqGSM49
AgEGCCqGSM49AwEHA0IABF1W2an4g7STG3WAPEo5GyADHqIG+78VehOcVKnj/My3
krQf6jJ6tpE9krOvI5djAi18rGbfLK5xmLRB3p6ybM6jYzBhMA4GA1UdDwEB/wQE
AwIFoDATBgNVHSUEDDAKBggrBgEFBQcDATAMBgNVHRMBAf8EAjAAMB8GA1UdIwQY
MBaAFOopN3nhUEKIZaaO1dBIa8CwU/hlMAsGA1UdEQQEMAKCADAKBggqhkjOPQQD
AgNIADBFAiAY0qwBcD9Tse8VayhUjFyMFeNOD3/4pozRP7WygCJYRgIhAMac6yq2
vh54uDyirfDu3YvLCyISIvkO1wW0ytsj2Xkp
-----END CERTIFICATE-----

And mi_api/certi/cryptography/mi_crypto.c ... https://github.com/Ai-Thinker-Open/Telink_SIG_Mesh/blob/master/example/SFS_Ali_Mesh/mesh/mi_api/certi/gatt_dfu/mible_dfu_auth.c

pvvx commented 11 months ago

> https://pastebin.com/raw/5AR7JNVp

0b55e3f04bd1d0f0fcf3b34389514ac1_upd_miaomiaoce.sensor_ht.t2.bin -> [image]

    uint8_t magic[] = {0x47, 0x26, 0x56, 0x82, 0x41, 0x54, 0x4F, 0x46,
                       0x54, 0xEF, 0x49, 0x4D, 0x00, 0x00, 0x00, 0x00};

https://github.com/Ai-Thinker-Open/Telink_SIG_Mesh/blob/master/example/SFS_Ali_Mesh/mesh/mi_api/certi/gatt_dfu/mible_dfu_auth.c#L220C1-L221

signed_001f1cd2ac16030abc7c8c53f62993c0_upd_miaomiaoce.sensor_ht.t2.bin -> At the end of this file there is some kind of certificate... Same as file SJWS01LM_1.1.1_0018.bin.

volodymyr-koval-vitech commented 11 months ago

Using the instructions from @thazro with a CH340C I've successfully downgraded the firmware, but only under Windows, as @kimol88 mentioned. Take this into consideration. Who knows what the issue can be under Mac?

pvvx commented 11 months ago

> Who knows what the issue can be under Mac?

None of the developers of alternative firmware work on Mac.

besanur commented 11 months ago

What did I do wrong when flashing? Nothing is shown on the display after I used https://pvvx.github.io/ATC_MiThermometer/USBCOMFlashTx.html to flash.

My connection from the UART-TTL USB adapter to the thermostat was like this: TX -> P14, GND -> GND, 3V3 -> V+

I tried several times to flash the original firmware, but also the Zigbee version. "Erase all Flash" didn't help either.

volodymyr-koval-vitech commented 11 months ago

I had similar symptoms when I tried to flash on Mac. Which OS are you using to flash?

besanur commented 11 months ago

> I had similar symptoms when I tried to flash on Mac. Which OS are you using to flash?

I am using macOS; I have tried it on a Windows VM with no success. I'll try it with a Windows computer.

volodymyr-koval-vitech commented 11 months ago

MacOS doesn't work. I've successfully flashed from Windows run under Parallels Desktop.

besanur commented 11 months ago

> MacOS doesn't work. I've successfully flashed from Windows run under Parallels Desktop.

Can you please tell me how you wired it? Like me? TX -> P14, GND -> GND, 3V3 -> V+

TX without a resistor?

pvvx commented 11 months ago

Programmers attempting to emulate the Telink SWire hardware protocol on a UART chip:

The USBCOMFlashTx.html program does not require any resistors. https://github.com/pvvx/ATC_MiThermometer#the-usb-com-adapter-writes-the-firmware-in-explorer-web-version

This programmer has no feedback: it does not read or receive any information about what is happening.

Other programs must be used as described: https://github.com/pvvx/TlsrComSwireWriter, https://github.com/pvvx/TlsrComProg825x (programmer with a transition to a UART connection). Chinese clone copy of the programmer https://github.com/pvvx/TlsrComProg825x from Ai-Thinker.

Complete programmer, with a hardware implementation of Telink SWire: https://github.com/pvvx/TLSRPGM

Telink BDT https://aliexpress.com/item/1005003712968248.html

pvvx commented 11 months ago

> Can you please tell me how you wired it? Like me?

https://github.com/pvvx/ATC_MiThermometer#the-usb-com-adapter-writes-the-firmware-in-explorer-web-version

USBCOMFlashTx.html: the USB-COM adapter writes the firmware in explorer (web version). Connect only the TX-SWS and GND wires.

[image]

In difficult cases, when the chip contains unknown FW, it is necessary to use a chip reset or the power supply during "activation".

[image]

At the same time, take into account that the chip can be powered from the TX output.

This is solved by connecting TX and +Vbat during "activation".

besanur commented 11 months ago

> > Can you please tell me how you wired it? Like me?
>
> https://github.com/pvvx/ATC_MiThermometer#the-usb-com-adapter-writes-the-firmware-in-explorer-web-version
>
> USBCOMFlashTx.html: the USB-COM adapter writes the firmware in explorer (web version). Connect only the TX-SWS and GND wires.
>
> [image]
>
> In difficult cases, when the chip contains unknown FW, it is necessary to use a chip reset or the power supply during "activation".
>
> [image]
>
> At the same time, take into account that the chip can be powered from the TX output.
>
> This is solved by connecting TX and +Vbat during "activation".

GND and TX-SWS only, and not 3.3V?