
Lumi Aqara Camera root

Dennis Giese edited this page Feb 16, 2019 · 4 revisions

This is a DRAFT and incomplete!

Learn why this works here: https://www.youtube.com/watch?v=DHsqb2poGII or http://dontvacuum.me/talks/DEFCON26/DEFCON26-Having_fun_with_IoT-Xiaomi.html

Warnings

  1. This howto is highly experimental and dangerous.
  2. While there are two copies of the app partition (mtdblock4/mtdblock5), there is only one copy of the system partition (mtdblock3).
  3. Flashing mtdblock3 while the camera is running is dangerous and will likely brick your device.
  4. Whatever you do, your partition images must not exceed these sizes, or your device will be bricked.
  5. After logging in, make copies of your partitions first.

If the firmware is older than October 2018 (no need to open the device)

  1. Reset the Wifi credentials (by pressing the reset button).
  2. telnet to the camera (default IP 192.168.1.1) and log in with root:lumi-201 [this password is hardcoded in the system partition].
  3. [You have root now, right? Stop reading ;)]
  4. Continue with the rooting sections below.

If the firmware is newer than October 2018 (requires opening the device)

  1. Connect to the serial port of the device [pinout].
  2. The updated versions kill telnetd after loading the app, so you will not have telnet access.
  3. If you are quick, you can log in using root:lumi-201; if you wait too long, or if the device has already finished booting, use root:6SmvyB2n.
  4. Continue with the rooting sections below.

Rooting (general approach)

  1. Extract the information from /lumi/conf/device.conf (this file contains your DID, Key, MAC and the P2P ID used for the camera stream).
  2. Insert an SD card.
  3. Back up all your partitions (mtdblock0 to mtdblock6) with dd to the SD card.

Rooting (using mtd3)

  1. This method gives you the most freedom and survives updates, but it is dangerous (you have only one copy of the system partition).
  2. You can use my prebuilt version of the partition from here.
  3. OR: you can build your own version (skip this if you use my version).
    • This assumes that you have the backup of your partition on your computer:
      unsquashfs mtdblock3
      (do your modifications, e.g. patching /etc/passwd, /lumi/lumi_rum.sh or the sound files)
      mksquashfs squashfs-root/ mtdblock3dustcloud -force-uid 1000 -force-gid 1000 -comp xz
      (make sure that the maximum partition size is not exceeded)
  4. Run "flashcp /mnt/mtdblock3dustcloud /dev/mtd3" (this will likely brick your device at this point).

Rooting (using mtd4/mtd5)

  1. This method is safer, but it does not survive updates.
  2. You can build your own version (skip this if you use my version).
    • This assumes that you have the backup of your partition on your computer:
      unsquashfs mtdblock4
      (do your modifications, e.g. patching lumi_app.sh)
      mksquashfs squashfs-root/ mtdblock4new -force-uid 1000 -force-gid 1000 -comp xz
      (make sure that the maximum partition size is not exceeded)
  3. Run "flashcp /mnt/mtdblock4new /dev/mtd5".
  4. Run "flashcp /mnt/mtdblock4new /dev/mtd4".
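Added example, not code from the Dustcloud wiki: a small POSIX shell helper for the two safety steps that both rooting variants rely on, backing up every mtdblock partition to the SD card (with a length check against /proc/mtd and a checksum), and refusing an image that is larger than its target partition before you run the flashcp step above. The real partition sizes are read from /proc/mtd on the camera (the page does not list them); the partition names and sizes in the comments and in the test are constructed placeholders, the SD card mount point /mnt and the BusyBox sha256sum applet are assumptions.

```shell
#!/bin/sh
# Added helper, not from the Dustcloud wiki. Reads partition sizes from
# /proc/mtd, which looks like this (sizes here are constructed placeholders,
# not the real Aqara layout):
#   dev:    size   erasesize  name
#   mtd0: 00040000 00010000 "u-boot"
#   mtd3: 00400000 00010000 "system"

# mtd_size_bytes <mtdN> [table]: print the partition size in bytes, or fail if
# the device is not listed. "table" defaults to /proc/mtd and is a parameter
# only so the function can be exercised against a saved copy of the table.
mtd_size_bytes() {
    local dev="$1" table="${2:-/proc/mtd}" hex
    hex=$(awk -v d="$dev:" '$1 == d { print $2 }' "$table")
    [ -n "$hex" ] || { echo "$dev not found in $table" >&2; return 1; }
    echo $((0x$hex))
}

# image_fits <image> <mtdN> [table]: succeed only if the image is no larger
# than the partition. Run this before every flashcp; an oversized image is
# exactly the brick the warnings at the top of the page describe.
image_fits() {
    local img="$1" dev="$2" table="${3:-/proc/mtd}" limit actual
    limit=$(mtd_size_bytes "$dev" "$table") || return 2
    actual=$(wc -c < "$img" | tr -d ' ')
    if [ "$actual" -le "$limit" ]; then
        echo "ok: $img is $actual of $limit bytes allowed on $dev"
    else
        echo "REFUSE: $img is $actual bytes, $dev holds only $limit" >&2
        return 1
    fi
}

# backup_partitions <dest_dir> [table]: dd every mtdblock device listed in the
# table to dest_dir, verify the dump length against /proc/mtd and record a
# checksum so the copy can be verified later (assumes BusyBox sha256sum).
backup_partitions() {
    local dest="$1" table="${2:-/proc/mtd}" dev n size
    mkdir -p "$dest" || return 1
    for dev in $(awk '/^mtd[0-9]+:/ { sub(":", "", $1); print $1 }' "$table"); do
        n=${dev#mtd}
        size=$(mtd_size_bytes "$dev" "$table") || return 1
        dd if="/dev/mtdblock$n" of="$dest/mtdblock$n" bs=65536 2>/dev/null || return 1
        [ "$(wc -c < "$dest/mtdblock$n" | tr -d ' ')" -eq "$size" ] \
            || { echo "short dump of $dev" >&2; return 1; }
        sha256sum "$dest/mtdblock$n" >> "$dest/SHA256SUMS"
        echo "saved $dev ($size bytes) to $dest/mtdblock$n"
    done
}

# Command-line entry point; with no arguments only the usage line is printed.
#   ./mtdcheck.sh backup /mnt/backup          (step 3 of the general approach)
#   ./mtdcheck.sh check /mnt/mtdblock4new mtd4 (before the flashcp steps)
case "${1:-}" in
    backup) backup_partitions "${2:-/mnt/backup}" ;;
    check)  image_fits "$2" "$3" ;;
    *)      echo "usage: $0 backup [dest_dir] | check <image> <mtdN>" ;;
esac
```

The check compares the rebuilt squashfs against the size of the mtd device you are about to write, so run it once per target (mtd3, or mtd4 and mtd5) with the image name from the mksquashfs step; the backup writes one file per mtdblock plus a SHA256SUMS list that sha256sum -c can verify later.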