niceboygithub / AqaraM1SM2fw

Aqara Gateway M1S (ZHWG15LM) , P3(KTBL12LM), H1(QBCZWG11LM), M2 (ZHWG12LM) Firmwares

ZNDMWG04LM does not reset password #116

Open dmitkam opened 1 month ago

dmitkam commented 1 month ago

ZNDMWG04LM does not reset password, firmware 1.0.7_0019

== Gateway Global Tool version:20240218==

Power ON Gateway NOW!<<

IPL gdf99011 D-17 HW Reset 01481480 00000000 Resume? N, addr 00000000 miupll_233MHz SPI 54M 128MB BIST0_0001-OK SPI 54M [BBT] Found table @ 0x00020000

Checksum OK

IPL_CUST gdf99011 Export ENV 1

U-Boot 2015.01 (Sep 22 2022 - 15:39:48)

Version: P3g1fd806f I2C: ready DRAM: WARNING: Caches not enabled SPINAND_I: [FLASH] Found SNI in block 0. [FLASH] dev_id = 0xee [FLASH] mfr_id = 0xa1, dev_id= 0xe4 id_len = 0x2 [SPINAND] RFC ues command 0x6b with 0x08 dummy clock. [SPINAND] Program load with command 0x32. [SPINAND] Random load with command 0x34. [FLASH] Unlock all block. [FLASH] Use BDMA. 128 MiB MMC: MStar SD/MMC: 0 ENV: offset = 0x480000 size = 0x40000 ENV1: offset = 0x4c0000 size = 0x40000 In: serial Out: serial Err: serial Net: No ethernet found. clk=12M, u16Div=0 u32Duty=0x2cf u32Period=0x4af [halPWMPadSet][107] (pwmId, padId) = (1, 5) clk=12M, u16Div=0 u32Duty=0x4af u32Period=0x4af [halPWMPadSet][107] (pwmId, padId) = (2, 6) clk=12M, u16Div=0 u32Duty=0x4af u32Period=0x4af [halPWMPadSet][107] (pwmId, padId) = (3, 7) gpio debug MHal_GPIO_Pad_Set: pin=43 gpio[43] is 1 gpio debug MHal_GPIO_Pad_Set: pin=44 gpio[44] is 1 gpio debug MHal_GPIO_Pad_Set: pin=59 gpio[59] is 0 gpio debug MHal_GPIO_Pad_Set: pin=62 gpio[62] is 1 gpio debug MHal_GPIO_Pad_Set: pin=63 gpio[63] is 0 gpio debug MHal_GPIO_Pad_Set: pin=61 gpio[61] is 1 gpio debug MHal_GPIO_Pad_Set: pin=60 gpio[60] is 1 gpio debug MHal_GPIO_Pad_Set: pin=44 gpio[44] is 0 gpio debug MHal_GPIO_Pad_Set: pin=63 gpio[63] is 1 gpio debug MHal_GPIO_Pad_Set: pin=59 gpio[59] is 1 gpio debug MHal_GPIO_Pad_Set: pin=60 gpio[60] is 0 SigmaStar # SigmaStar # SigmaStar # SigmaStar # SigmaStar # SigmaStar # SigmaStar # SigmaStar # SigmaStar # SigmaStar # printenv bootargs bootargs=root=/dev/mtdblock7 rootfstype=squashfs ro init=/linuxrc LX_MEM=0x7FE00 NV),256k(ENV1),128k(KEY_CUST),5m(KERNEL),5m(KERNEL_BAK),16m(rootfs),16m(rootfs_b SigmaStar # setenv bootargs root=/dev/mtdblock7 rootfstype=squashfs ro init=/bin 664k(BOOT1),256k(ENV),256k(ENV1),128k(KEY_CUST),5m(KERNEL),5m(KERNEL_BAK),16m(ro SigmaStar # run bootcmd

NAND read: device 0 offset 0x520000, size 0x500000 Time:558574 us, speed:9386 KB/s 5242880 bytes read: OK incorrect device type in MISC incorrect device type in LOGO

Booting kernel from Legacy Image at 22000000 ...

Image Name: MVX4##P3##g294517324KL_LX409##[B Image Type: ARM Linux Kernel Image (lzma compressed) Data Size: 2188580 Bytes = 2.1 MiB Load Address: 20008000 Entry Point: 20008000 Verifying Checksum ... OK -usb_stop(USB_PORT0) -usb_stop(USB_PORT2) Uncompressing Kernel Image ... [XZ] !!!reserved 0x21000000 length=0x 1000000 for xz!! XZ: uncompressed size=0x46b000, ret=7 OK atags:0x20000000

Starting kernel ...

early_atags_to_fdt() success Booting Linux on physical CPU 0x0 Linux version 4.9.84 (luobo@embedded-compile20) (gcc version 9.1.0 (GCC) ) #12 S CPU: ARMv7 Processor [410fc075] revision 5 (ARMv7), cr=50c5387d CPU: div instructions available: patching division code CPU: PIPT / VIPT nonaliasing data cache, VIPT aliasing instruction cache early_atags_to_fdt() success OF: fdt:Machine model: PIONEER3 SSC020A-S01A-S [ERR] LX_MEM, LX_MEM2, LX_MEM3 not 1MB aligned LXmem is 0x7fe0000 PHYS_OFFSET is 0x20000000 Add mem start 0x20000000 size 0x7fe0000!!!!

LX_MEM = 0x20000000, 0x7fe0000 LX_MEM2 = 0x0, 0x0 LX_MEM3 = 0x0, 0x0 EMAC_LEN= 0x0 DRAM_LEN= 0x0 deal_with_reserved_mmap memblock_reserve success mmap_reserved_config[0].reserve 0x27c00000

deal_with_reserve_mma_heap memblock_reserve success mma_config[0].reserved_start 0x27700000

cma: Reserved 2 MiB at 0x27400000 Memory policy: Data cache writealloc percpu: Embedded 14 pages/cpu @c7f9c000 s25688 r8192 d23464 u57344 Built 1 zonelists in Zone order, mobility grouping on. Total pages: 32480 Kernel command line: root=/dev/mtdblock7 rootfstype=squashfs ro init=/bin/sh LX_ OT1),256k(ENV),256k(ENV1),128k(KEY_CUST),5m(KERNEL),5m(KERNEL_BAK),16m(rootfs),1 PID hash table entries: 512 (order: -1, 2048 bytes) Dentry cache hash table entries: 16384 (order: 4, 65536 bytes) Inode-cache hash table entries: 8192 (order: 3, 32768 bytes) Memory: 114592K/130944K available (2616K kernel code, 239K rwdata, 1336K rodata, Virtual kernel memory layout: vector : 0xffff0000 - 0xffff1000 ( 4 kB) fixmap : 0xffc00000 - 0xfff00000 (3072 kB) vmalloc : 0xc8000000 - 0xff800000 ( 888 MB) lowmem : 0xc0000000 - 0xc7fe0000 ( 127 MB) modules : 0xbf800000 - 0xc0000000 ( 8 MB) .text : 0xc0008000 - 0xc02964f4 (2618 kB) .init : 0xc040a000 - 0xc0436000 ( 176 kB) .data : 0xc0436000 - 0xc0471c90 ( 240 kB) .bss : 0xc0473000 - 0xc04a02f0 ( 181 kB) SLUB: HWalign=64, Order=0-3, MinObjects=0, CPUs=2, Nodes=1 Preemptible hierarchical RCU implementation. Build-time adjustment of leaf fanout to 32. RCU restricting CPUs from NR_CPUS=4 to nr_cpu_ids=2. RCU: Adjusting geometry for rcu_fanout_leaf=32, nr_cpu_ids=2 NR_IRQS:16 nr_irqs:16 16 ms_init_main_intc: np->name=ms_main_intc, parent=gic ms_init_pm_intc: np->name=ms_pm_intc, parent=ms_main_intc ss_init_gpi_intc: np->name=ms_gpi_intc, parent=ms_main_intc Find CLK_cpupll_clk, hook ms_cpuclk_ops arm_arch_timer: Architected cp15 timer(s) running at 6.00MHz (virt). clocksource: arch_sys_counter: mask: 0xffffffffffffff max_cycles: 0x1623fa770, m sched_clock: 56 bits at 6MHz, resolution 166ns, wraps every 4398046511055ns Switching to timer-based delay loop, resolution 166ns Console: colour dummy device 80x30 console [ttyS0] enabled Calibrating delay loop (skipped), value calculated using timer frequency.. 
12.00 pid_max: default: 4096 minimum: 301 Mount-cache hash table entries: 1024 (order: 0, 4096 bytes) Mountpoint-cache hash table entries: 1024 (order: 0, 4096 bytes) CPU: Testing write buffer coherency: ok CPU0: update cpu_capacity 1024 CPU0: thread -1, cpu 0, socket 0, mpidr 80000000 Setting up static identity map for 0x20008280 - 0x200082cc CPU1: update cpu_capacity 1024 CPU1: thread -1, cpu 1, socket 0, mpidr 80000001 Brought up 2 CPUs SMP: Total of 2 processors activated (24.00 BogoMIPS). CPU: All CPU(s) started in SVC mode. devtmpfs: initialized VFP support v0.3: implementor 41 architecture 2 part 30 variant 7 rev 5 clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 1911 futex hash table entries: 16 (order: -2, 1024 bytes) NET: Registered protocol family 16 DMA: preallocated 256 KiB pool for atomic coherent allocations

Version : MVX4##P3##g294517324KL_LX409##[BR:release]#XVM

GPIO: probe endhw-breakpoint: found 5 (+1 reserved) breakpoint and 4 watchpoint hw-breakpoint: maximum watchpoint size is 8 bytes. SCSI subsystem initialized [DrvPWMDutyQE0 L1064] grp:0 x0(0) [DrvPWMDutyQE0 L1064] grp:0 x0(0) [DrvPWMDutyQE0 L1064] grp:0 x0(0) [DrvPWMDutyQE0 L1064] grp:0 x0(0) [NOTICE]pwm-isr(58) success. If not i6e or i6b0, pls confirm it on .dtsi clocksource: Switched to clocksource arch_sys_counter NET: Registered protocol family 2 TCP established hash table entries: 1024 (order: 0, 4096 bytes) TCP bind hash table entries: 1024 (order: 2, 20480 bytes) TCP: Hash tables configured (established 1024 bind 1024) UDP hash table entries: 128 (order: 0, 6144 bytes) UDP-Lite hash table entries: 128 (order: 0, 6144 bytes) NET: Registered protocol family 1 hw perfevents: enabled with armv7_cortex_a7 PMU driver, 5 counters available workingset: timestamp_bits=30 max_order=15 bucket_order=0 squashfs: version 4.0 (2009/01/31) Phillip Lougher jffs2: version 2.2. ТЉ 2001-2006 Red Hat, Inc. fuse init (API version 7.26) io scheduler noop registered io scheduler deadline registered (default) libphy: Fixed MDIO Bus: probed mousedev: PS/2 mouse device common for all mice =======gpio_free(43 & 44);==for ti_zb====== lumi_btn_probe key=42!! 
[ss_gpi_intc_domain_alloc] hw:42 -> v:62 input: main-key as /devices/virtual/input/input0 i2c /dev entries driver 1f221000.uart0: ttyS0 at MMIO 0x0 (irq = 33, base_baud = 10800000) is a unknown 1f221200.uart1: ttyS1 at MMIO 0x0 (irq = 34, base_baud = 10800000) is a unknown 1f220400.uart2: ttyS2 at MMIO 0x0 (irq = 35, base_baud = 10800000) is a unknown [MHal_GPIO_Check_PE] set gpio85 PE MSYS: DMEM request: [emac0_buff]:0x00000812 MSYS: DMEM request: [emac0_buff]:0x00000812 success, CPU phy:@0x27440000, virt:@ libphy: mdio: probed mdio_bus mdio-bus@emac0: /soc/emac0/mdio-bus/ethernet-phy@0 has invalid PHY addr mdio_bus mdio-bus@emac0: scan phy ethernet-phy at address 0 mdio_bus mdio-bus@emac0: scan phy ethernet-phy at address 1 mdio_bus mdio-bus@emac0: scan phy ethernet-phy at address 2 mdio_bus mdio-bus@emac0: scan phy ethernet-phy at address 3 mdio_bus mdio-bus@emac0: scan phy ethernet-phy at address 4 mdio_bus mdio-bus@emac0: scan phy ethernet-phy at address 5 mdio_bus mdio-bus@emac0: scan phy ethernet-phy at address 6 mdio_bus mdio-bus@emac0: scan phy ethernet-phy at address 7 mdio_bus mdio-bus@emac0: scan phy ethernet-phy at address 8 mdio_bus mdio-bus@emac0: scan phy ethernet-phy at address 9 mdio_bus mdio-bus@emac0: scan phy ethernet-phy at address 10 mdio_bus mdio-bus@emac0: scan phy ethernet-phy at address 11 mdio_bus mdio-bus@emac0: scan phy ethernet-phy at address 12 mdio_bus mdio-bus@emac0: scan phy ethernet-phy at address 13 mdio_bus mdio-bus@emac0: scan phy ethernet-phy at address 14 mdio_bus mdio-bus@emac0: scan phy ethernet-phy at address 15 mdio_bus mdio-bus@emac0: scan phy ethernet-phy at address 16 mdio_bus mdio-bus@emac0: scan phy ethernet-phy at address 17 mdio_bus mdio-bus@emac0: scan phy ethernet-phy at address 18 mdio_bus mdio-bus@emac0: scan phy ethernet-phy at address 19 mdio_bus mdio-bus@emac0: scan phy ethernet-phy at address 20 mdio_bus mdio-bus@emac0: scan phy ethernet-phy at address 21 mdio_bus mdio-bus@emac0: scan phy ethernet-phy at 
address 22 mdio_bus mdio-bus@emac0: scan phy ethernet-phy at address 23 mdio_bus mdio-bus@emac0: scan phy ethernet-phy at address 24 mdio_bus mdio-bus@emac0: scan phy ethernet-phy at address 25 mdio_bus mdio-bus@emac0: scan phy ethernet-phy at address 26 mdio_bus mdio-bus@emac0: scan phy ethernet-phy at address 27 mdio_bus mdio-bus@emac0: scan phy ethernet-phy at address 28 mdio_bus mdio-bus@emac0: scan phy ethernet-phy at address 29 mdio_bus mdio-bus@emac0: scan phy ethernet-phy at address 30 mdio_bus mdio-bus@emac0: scan phy ethernet-phy at address 31 [emac_phy_connect][3534] connected mac emac0 to PHY at mdio-bus@emac0:00 [uid=11 [ms_cpufreq_init] Current clk=799999872 [FLASH] Found SNI in block 0. [FLASH] dev_id = 0xee MSYS: DMEM request: [BDMA]:0x00000840 MSYS: DMEM request: [BDMA]:0x00000840 success, CPU phy:@0x27441000, virt:@0xC744 [FLASH] mfr_id = 0xa1, dev_id= 0xe4 id_len = 0x2 [SPINAND] RFC ues command 0x6b with 0x08 dummy clock. [SPINAND] Program load with command 0x32. [SPINAND] Random load with command 0x34. [FLASH] Use BDMA. nand: device found, Manufacturer ID: 0xa1, Chip ID: 0xe4 nand: 128 MiB, MLC, erase size: 128 KiB, page size: 2048, OOB size: 64 12 cmdlinepart partitions found on MTD device nand0 Creating 12 MTD partitions on "nand0": 0x000000140000-0x0000002e0000 : "BOOT0" 0x0000002e0000-0x000000480000 : "BOOT1" 0x000000480000-0x0000004c0000 : "ENV" 0x0000004c0000-0x000000500000 : "ENV1" 0x000000500000-0x000000520000 : "KEY_CUST" 0x000000520000-0x000000a20000 : "KERNEL" 0x000000a20000-0x000000f20000 : "KERNEL_BAK" 0x000000f20000-0x000001f20000 : "rootfs" 0x000001f20000-0x000002f20000 : "rootfs_bak" 0x000002f20000-0x000003020000 : "factory" 0x000003020000-0x000004420000 : "RES" 0x000004420000-0x000008000000 : "UBI" [wakeup source] HW gate_xtal:0 SourceNum:1 [wakeup source] WakeupSource:61

[ss_gpi_intc_domain_alloc] hw:61 -> v:63 [ss_gpi_irq_set_wake] hw:61 enable? 1 nf_conntrack version 0.5.0 (2048 buckets, 8192 max) ip_tables: (C) 2000-2006 Netfilter Core Team NET: Registered protocol family 10 sit: IPv6, IPv4 and MPLS over IPv4 tunneling driver NET: Registered protocol family 17 [mstar_pm_init] resume_pbase=0x200114F5, suspend_imi_vbase=0xC8057000 ThumbEE CPU extension supported. Registering SWP/SWPB emulation handler VFS: Mounted root (squashfs filesystem) readonly on device 31:7. devtmpfs: mounted This architecture does not have kernel memory protection. [emac_phy_link_adjust] EMAC Link Down /bin/sh: can't access tty; job control turned off / # mount -t ramfs ramfs /var; mkdir /var/tmp / # cp /etc/init.d/rcS /var/tmp/rcS / # sed -i 's/fw_manager.srandom: fast init done h -r/echo skip/g' /var/tmp/rcS sed -i 's/${CUSTOM_POST_INIT} &/echo skip/g' /var/tmp/rcS / # sed -i 's/${CUSTOM_POST_INIT} &/echo skip/g' /var/tmp/rcS / # /var/tmp/rcS passwd -d root net.core.rmem_default = 163840 net.core.rmem_max = 163840 net.core.wmem_default = 524288 net.core.wmem_max = 1048576 net.ipv4.tcp_mem = 924 1232 1848 net.ipv4.tcp_rmem = 4096 87380 325120 net.ipv4.tcp_wmem = 4096 131072 393216 mount: mounting none on /sys failed: Device or resource busy mount: mounting none on /sys/kernel/debug failed: Device or resource busy Mstar_ehc_init version:20180309 Sstar-ehci-1 H.W init Titania3_series_start_ehc start [USB] config miu select [70] [e8] [ef] [ef] [USB] enable miu lower bound address subtraction [USB] init squelch level 0x2 BC disable ==20180309==> hub_port_init 1 #0 Plug in USB Port1 Gateway token in ASCII (use xxd -p to convert to 32 characters hexadecimal strin

cat /data/miio/device.token

_import_default_cfg, /etc/ssw105at-wifi.cfg

sstar1xxx_hci_init() start sstar1xxx_dev_probe(): SSW105AT device "SSW105AT" found ! SSTAR1XXX HCI TX Task started. MAC address from e-fuse EFUSE configuration Read efuse chip identity[105a0000] r_calbration_result- 0 sar_result- 0 crystal_frequency_offset- a1 tx_power_index_1- 72 tx_power_index_2- d9 MAC address - 14:c9:cf:10:8a:b0 rate_table_1- 70 rate_table_2- 0 flash_file /tmp/flash.bin not found str_table = sstar105at_if_chk_mac2: is not need to check MAC addres 2 for this model sstar105at_adj_config: clear hci rx aggregation setting sstar105at_adj_config: clear hci tx aggregation setting sstar105at_adj_config: clear hw beacon sstar105at_adj_config: not support external PA for this chip ht40 rate gain value 0 SSTAR1XXX RX Task started. sstar1xxx_usb_rx_task: nr_recvbuff=5 wait 0 ms for usb rom code ready [Isp_Driver_Init] [s32CurClkIdx] = 2 [ISP] Request IRQ: 51, 87 [IspMid_Driver_Init] ispsclttl:0 [CSI] probe vif driver probe Create device file. vif_ints,0 jpe driver probed [DRV_DIVP_PROC_Init] AudioProcInit 299 module [sys] init MI_SYSCFG_SetupMmapLoader default_config_path:/config/config_tool, argv1:/config config...... cmdpath:/config/config_tool, argv0:/config/load_config config...... cmdpath:/config/config_tool, argv1:/misc/config.ini config...... cmdpath:/config/config_tool, argv2:/misc/PQConfig.ini config...... cmdpath:/config/config_tool, argv3:(null) mi_sys_mma_allocator_create success, heap_base_addr=20000000 length=20000 module [ao] init module [ai] init ubiattach /dev/ubi_ctrl -m 10 -d 0 UBI device number 0, total 160 LEBs (20316160 bytes, 19.4 MiB), available 0 LEBs ubiattach /dev/ubi_ctrl -m 11 -d 1 chan change ch 6, type 1, off_chan 0 INIT SSTAR CONTROL GENERIC NETLINK MODULE UBI device number 1, total 479 LEBs (60821504 bytes, 58.0 MiB), available 0 LEBs [WatchDogInit 15] init watch dog, timeout:30s skip / # passwd -d root passwd: unknown uid 0 / # / # cat /data/miio/device.token WLv59RA0Lwk5x7UH / # Gateway Info:

cat /data/miio/device.conf
did=499480362
key=kWHyh7Yh1IovFjhn
mac=54:EF:44:48:60:A9
vendor=lumi
model=lumi.gateway.mgl001
/ #
/ # reboot
/ #

niceboygithub commented 1 month ago

You got the key; that is enough for XG3.

dmitkam commented 1 month ago

Telnet is closed. Custom component for control Xiaomi Multimode Gateway (aka Gateway 3), Xiaomi Multimode Gateway 2, Aqara Hub E1 - https://github.com/AlexxIT/XiaomiGateway3 - can't connect. You can't telnet via PuTTY.

niceboygithub commented 1 month ago

The telnet will be enabled by XG3 via token and key.

dmitkam commented 1 month ago

Apparently the root user is missing. )

niceboygithub commented 1 month ago

mgl001 uses root as the user.

dmitkam commented 1 month ago

If the key and token are present, telnet will not open. The creator of the XiaomiGateway3 integration assumes that there is no root user.

niceboygithub commented 1 month ago

The "root" user was NOT removed in every firmware till now.