dgiese / dustcloud

Xiaomi Smart Home Device Reverse Engineering and Hacking
GNU General Public License v3.0

Gen 3 (T6) Root #213

Closed Nixon506E closed 2 years ago

Nixon506E commented 5 years ago

Just got a T6 and was hoping to help get the T6 verified as rootable. I believe the first step would be getting a copy of the latest firmware, but I am not sure where to look without connecting the vacuum to the internet and reading its request URLs. Any suggestions?

dgiese commented 5 years ago

Rockrobo changed the encryption of the firmware and sound files and some of the update process. As I don't have a T6, I cannot really help. So it's not rootable at the moment.

Nixon506E commented 5 years ago

Any suggestions on what would be a good next step, considering I do have one? Hoping to help the community if I can.

fvollmer commented 5 years ago

You may find https://dgiese.scripts.mit.edu/talks/34c3-2017/34c3.html interesting. IIRC the initial rooting was done by shorting pins with aluminium foil. So a pretty invasive method.

Nixon506E commented 5 years ago

I have seen @dgiese's talk on this, but it seems like the encryption key was kind of just stumbled upon? Not really looking to dump the entire flash of my device, especially if it might not have the same passwords in plaintext as before.

fvollmer commented 5 years ago

I'm sure @dgiese can answer this better, but I think the encryption key was found by analyzing the flash dump (which wasn't encrypted).

Nixon506E commented 5 years ago

@fvollmer yes it was, but it was stored on the operating system in plain text and was being used as a password for something else. Seems like it just happened to be the same for the OTA encryption as well.

dgiese commented 5 years ago

Yeah, back then I extracted it by reverse engineering the binaries (it's not stored in plaintext). However, I think they learned from their mistakes and are doing things differently now. My usual approach would be to open the device, de-solder the MMC, and dump it. That has of course the risk that you end up with a bricked device... at least if you are not familiar with BGA chips. But that's purely speculation, as I don't have the device. Time will show. I mean, it took 1.5 years for Gen1 until someone, me, published the stuff. Guess for T6 it will be a little bit faster, but still someone needs to sacrifice his/her device.

Nixon506E commented 5 years ago

Gotcha, not sure I am the right person to reverse engineer a password out of the new binary. I got a T6 pretty easily, so they are obviously becoming more available. @dgiese, so you don't suggest we try to grab the flash through the USB port and FEL mode anymore? Hoping to not need to modify any hardware if I can get around it.

dgiese commented 5 years ago

Honestly, no idea. If you disassemble it, take some pictures of the hardware. I would like to take a look at it.

zvldz commented 5 years ago

Does anyone have a link to the encrypted firmware?

dgiese commented 5 years ago

Maybe I know someone. But that's a discussion which we should not have publicly yet. That's more of a thing I would discuss in Telegram or Slack or something.

MickL commented 5 years ago

The T6 is now officially available in the EU known as the S6. It launched in Germany, France and Spain for now. Would really really appreciate rooting this device!

Is there any news on this? You might also rename this issue from T6 to T6/S6, as I assume the devices are the same.

I am thinking of buying one. If I do so, is there any possibility of supporting you? I see you are also from Germany. They are available at Alternate and Cyberport at least.

dgiese commented 5 years ago

Unfortunately, they started to sign all firmware files and sound packages. CCrypt is not used anymore. In addition, they changed a lot of other things. One thing which is especially nasty is the fact that now the region is set in a signed config file, which is bound to the CPU ID of the device. So there is no trivial way to change the region (T6 -> S6). Also, there is no simple way to root the device like v1 or S5. Beware: some of the nasty stuff seems to be backported to S5 models produced after March 2019. See my Twitter comment for that.

If you are interested in working on the t6/s6 firmware, drop me a message.

MickL commented 5 years ago

Thanks for the update! Sounds bad so far, but if the Nintendo Switch is hackable, I have a lot of hope! I ordered the S5 and hope it is not affected by the March update as you said.

Please tell us how we can support you. Donations, Patreon, etc. I want to help where i can.

dgiese commented 5 years ago

A root of the S6/T6 and even of the M1S is possible. However, it is not as easy as the existing method for the Mi Vacuum Robot (aka Gen1 aka v1) or Roborock S5x (aka Gen2), especially as it requires opening the device at the moment. I am exploring a different approach with some other people at the moment; however, if you want to have an easily rootable device, you should stay away from the S6/T6 and the M1S in particular (as the M1S uses a completely different platform). The only difference between S5 and S6 seems to be a different brush and an additional sensor for the water tank. More information can be found here: https://www.roboter-forum.com/index.php?thread/35506-hack-des-roborock-s6-t6-planung-ger%C3%A4tekauf-fortschritte/&postID=474142#post474142

For S5: If you buy a global model, you should have no problems with the geoblocking. Also, if you use only Valetudo, you should be OK even with the Chinese model. The geoblocking is only in effect in combination with the Mi Home app + cloud.

I am always happy about support for the procurement of new devices (as potential alternatives to v1 and S5). I did a fundraiser for the T6 which went okayish. At the moment I am also looking at other vendors. If you have too much $$$, then drop me an email (dgi[at]mit.edu) and we will find a way ;)

kiekerjan commented 5 years ago

> Beware: some of the nasty stuff seems to be backported to S5 models produced after March 2019.

Which nasty stuff do you mean? Does the newer s50 not accept the rooted firmware?

dgiese commented 5 years ago

They backported the geoblocking mechanism of the T6 to the newer S5. I can't really tell how exactly it is implemented on the newer S5, as I don't have one.

apll64 commented 5 years ago

@dgiese Any chance you could provide some insight to the method you are referring to in your comment https://github.com/dgiese/dustcloud/issues/213#issuecomment-505842643? I am currently thinking about buying a S6/T6 and would not mind opening the device. However, I need to be sure it is indeed rootable. I would prefer the S6/T6 because it supposedly charges quicker and makes a little less noise.

breichldomico commented 4 years ago

> @dgiese Any chance you could provide some insight to the method you are referring to in your comment #213 (comment)? I am currently thinking about buying a S6/T6 and would not mind opening the device. However, I need to be sure it is indeed rootable. I would prefer the S6/T6 because it supposedly charges quicker and makes a little less noise.

I already own an S6 and would not mind opening the device if there is a way to get Valetudo on the device. If you could provide some hints it would be awesome! ;)

dgiese commented 4 years ago

It is now supported; however, you need to disassemble the device :( I did not find a trivial way to root the device without disassembling. All options require some amount of it... See my message here with the links to the tutorials: https://twitter.com/dgi_DE/status/1277223172862029824

dgiese commented 4 years ago

As a sidenote: The current image builder is not compatible with the S6/T6 due to the different firmware package format.

scholdan commented 4 years ago

Hello, do you think this will work with the S5 Max also? I added pictures in #252.

jwveldhuis commented 4 years ago

@dgiese would this work with the Roborock S4 too?

dgiese commented 4 years ago

S5 Max is different. S4 might work... do you have one? Then contact me ;) Btw: I created an overview of the hardware to give you an idea: https://dontvacuum.me/robotinfo/

jwveldhuis commented 4 years ago

@dgiese yes I have an S4, will send you an email.

daihashi commented 4 years ago

> S5 Max is different. S4 might work... do you have one? Then contact me ;) Btw: I created an overview of the hardware to give you an idea: https://dontvacuum.me/robotinfo/

The S4 is the model I disassembled and sent you pictures of at the beginning of January. Not sure if you were ever able to look at the pictures I sent you. I sent a follow-up email on March 18th, but I suspect you are very busy with other projects and may not have seen it.

The email conversation in question was to your @seemoo.xx-xxxxxxxxx.de email address.

dgiese commented 4 years ago

Oh, sorry about that. I will check it. March was a very busy month due to a competition and c'na. If you have some time, we could run a quick beta test for the root and valetudo. Can you ping me again?

Update: I had 2800 unread emails, so it got lost. We tested an S4 for rooting and ran into some issues which we are fixing right now.

xsasx commented 4 years ago

Does it mean that a 1S is now also rootable?

cbergmann commented 4 years ago

@dgiese I just got my S5 Max. Is there a Rooting method available? I don't have a big issue with opening the device. BGA soldering is another story.

dgiese commented 4 years ago

Soon (TM). Ping me if you really need to root the device. At the moment we are still working on the tooling and fixing the bugs.

cbergmann commented 4 years ago

Hi, thanks for the update and the work. I got it connected to my Home Assistant, and that was the first goal. Disconnecting it from the cloud would be a nice add-on but is not time-critical. If I can help somehow (e.g. beta-testing tools or procedures), don't hesitate to contact me. You can also reach me via mail (dustcloud[at]cbergmann.net) in English or German.

bb12489 commented 4 years ago

Watching this thread with great enthusiasm! I'm hoping to pick up an S5 Max soon and would love to root it.

jgladch commented 4 years ago

Subscribing for updates - looking forward to rooting my S5 Max 👍 Thank you for the work

dgiese commented 4 years ago

The S5 Max video and tooling are delayed as my device is bricked :( This happened while I was testing the tools and methods (so that you guys don't brick your devices). There is a chance that the NAND flash is faulty... and I obviously cannot really send it in for warranty ;) It will take me some time to repair it.

jaantaponen commented 4 years ago

@dgiese Could we donate somewhere/somehow to help you get a new one?🤔

dgiese commented 4 years ago

I hope that I don't need to buy a new one. I hope that at some point I have some free financial resources to just buy the PCB. If you really have too much $$$, you can ping me via mail ;) But don't worry. Eventually I'll find a solution.

Miph120 commented 4 years ago

@dgiese Just got an S5 Max as well. Let me know if there's anything I can do to assist. Thanks!

Trilis29 commented 4 years ago

Waiting also 👍

pit34 commented 4 years ago

Got an S5 Max too. Waiting and can help too.

DrDragonKiller commented 4 years ago

Will the root require a certain firmware? Or are we free to upgrade to the latest one? (Asking as there are Nintendo Switch Roots that don't work anymore on newer firmwares) :wink:

dgiese commented 4 years ago

So I ordered a new board and it technically arrived a week ago. However, the package got lost somewhere in the university mail center (there are a lot of packages due to the new undergrads moving in). So I need to wait until they find it :(

dgiese commented 4 years ago

> Will the root require a certain firmware? Or are we free to upgrade to the latest one? (Asking as there are Nintendo Switch Roots that don't work anymore on newer firmwares) 😉

As far as I can tell, all firmwares for the T6 are rootable. However, newer versions are a little bit more tricky. So far one can always factory reset to an older version.

annabarnes1138 commented 4 years ago

ooohh ooohh me too! S5 Max root please! :)

dgiese commented 4 years ago

Contact me over Telegram if you dare to test-drive the S5 Max root. I fixed my S5 Max again and created a PhoenixSuit image in case that happens to me again ;)

annabarnes1138 commented 4 years ago

@dgiese has anyone taken you up on your offer? I don't really want to be the first... lol

cbergmann commented 4 years ago

I would be interested depending on how risky/technical the process is.

andreas-bulling commented 4 years ago

me too

scholdan commented 4 years ago

Me too!

pit34 commented 4 years ago

Me too

jberg-netik commented 4 years ago

Is there any chance/possibility that in the distant future it will be possible to root the S5 Max / gen3 without having to tamper with the hardware?

Has the installation of the sound packages been fundamentally changed or is only the encryption different? If the latter is the case: Do you already know which encryption and which key was used?

btw: Thank you for your commitment, your effort and your ambition! 👍💘 @dgiese