
Comments (31)

aprosvetova commented on May 25, 2024

Ta-da
https://github.com/aprosvetova/xiaomi-kettle

from miflora-mqtt-daemon.

gsprod commented on May 25, 2024

@drndos, @aprosvetova, any luck with your research? Any progress? Could you share what has been done so far?
Thanks, GS.


drndos commented on May 25, 2024

Hey guys, I made HA integration here: https://github.com/drndos/mikettle-ha
No integration for controlling the kettle for now though.


tremez commented on May 25, 2024

Great! Thank you!
Good job!


aprosvetova commented on May 25, 2024

@beikeland nothing interesting at the moment. There are two ways to update the firmware on QN902x:

  1. OTA Bluetooth update
  2. Connecting to the MCU pins

First way requires us to pack and encrypt the firmware with special qotapack.exe utility and we need to know the 16-byte key Xiaomi used for their kettles.
We also need to obtain the official firmware before modifying it, of course. I've succeeded in sniffing the traffic and getting the OTA firmware file, but it's encrypted, as I said.
Steps are:

  1. guess the key
  2. decrypt firmware (how? Quintic provides us with encrypting software only)
  3. patch it
  4. encrypt it back with the same key
  5. upload via BLE

Second way is to connect to MCU pins directly so that we can dump an unencrypted firmware, then we can get the key from it and start from step 3 with OTA way.
But I didn’t disassemble my kettle and I guess the MCU is in protected mode.

If anyone knows or learns how to dump Quintic QN902x firmware, let’s talk.


tremez commented on May 25, 2024

I have debugged it a bit, and it is possible to get data from the Kettle. Unfortunately it requires some kind of authentication, and does not provide any data without authentication.

Anyone have experience with MiHome devices authentication ?


ThomDietrich commented on May 25, 2024

I've not used it so far but there is an openHAB binding for MiHome specifically. Check it out!


drndos commented on May 25, 2024

Ta-da
https://github.com/aprosvetova/xiaomi-kettle

Hello, we don't need perfect code 😄 , just working code, we can perfect it later. Could you please release the code? Thank you.


aprosvetova commented on May 25, 2024

@drndos, maybe later. Still need to refactor some things.


beikeland commented on May 25, 2024

Ta-da

This is awesome, sad to see the limitation of having to physically press a button is still a thing. Is there any work out there for a custom firmware? My searches turn up nothing.


beikeland commented on May 25, 2024

Thanks for the insight! Disassembly done; base contains power supply, relay and buzzer, temperature sensor.

Inside handle (under touch buttons) there is a small board with 2x 3pin connections to the base.
(presumably power and relay + temperature and buzzer). Everything is encapsulated in clear silicone, some test points visible under the silicone. Reverse side is all plastic casing filled with silicone.

Will follow up if I get to removing the silicone. As the DT-06(?) module in the picture below indicates, a wifi version may be easier if the supply in the base can handle the load.

[image]

Follow-up: not too bad to remove the board from the plastic casing. Pull off the cast silicone gasket, gently pry under the headers until the board pops out. Silicone on top of the chips dissolved in acetone to make them legible.

U2 MCU QN9022 (11w2 8xef)
U3 Touch controller TS02NC
U1 SMP? I4BEB1 P1H014
[image]


aprosvetova commented on May 25, 2024

@beikeland of course it'd be easier to replace the MCU with an ESP32 or something like that, because you'd have full access to the firmware, but my goal was to hack the original kettle :D


drndos commented on May 25, 2024

@beikeland

Replacing the Bluetooth module with a Wi-Fi one would quite possibly, due to the size difference, destroy the clean aesthetics of the device. It seems like the PCB of the Mi Kettle is fully custom.


drndos commented on May 25, 2024

@aprosvetova Guys in dustcloud https://github.com/dgiese/dustcloud managed to hack firmware for xiaomi vacuum, maybe worth the research whether there is anything in common. Also some guy hacked miband https://medium.com/machine-learning-world/how-i-hacked-xiaomi-miband-2-to-control-it-from-linux-a5bd2f36d3ad His tutorial seems very similar to yours. Maybe someone hacked firmware for miband and the procedure would be similar. I have managed to read stuff (not write) with his instructions and some BLE sniffing.


beikeland commented on May 25, 2024

Completely get that @aprosvetova, and there are likely a lot of people who would be very grateful. I figured I'd look into physical access in the off chance the chip was not locked for reading.

Getting to the board is simple. Three screws on the base (one under the barcode). To release the bezel on the handle, I depressed the locking tab inside and gently pried the gap that formed on the outside; the rest is snap fit, and one screw secures the board assembly.

@drndos There is ample room for at least an ESP8285 solution, quite possibly an ESP32 module as well. It would likely require a custom PCB to deal with the touch interface; but if there is no progress on the firmware I'll pursue that in the future. For now it's just additional information.


aprosvetova commented on May 25, 2024

@drndos yea thanks, but they are completely different. Different chips, different communication ways, etc


drndos commented on May 25, 2024

@aprosvetova If we manage to physically extract the MCU and connect to its debug ports, we have two options: either it is unprotected and ezpz, or, most probably, locked. Do you have any experience in dumping a protected program from an MCU? I tried some cold boot stepping with STM32; I am not sure if it would apply here. What would you suggest?


aprosvetova commented on May 25, 2024

@drndos oh, I'm more softwareish, I just have a little experience in microcontrollers. So if you dump the fw, I'll be able to patch it, encrypt and pack it as a Quintic OTA update and write some software to let us upload this update to the kettle.


drndos commented on May 25, 2024

I am reading through documentation on the MCU and it seems that flash is encrypted. But I see that the program is being loaded to SRAM on start, and I expect it to be unencrypted there. I know it is slightly different, but the logic might be viable: https://www.aisec.fraunhofer.de/en/FirmwareProtection.html
It seems like a long shot though; I don't have pirateswd on me, nor do I have the means to do the precise power switching with my Arduino. Do any of you have pirateswd?


drndos commented on May 25, 2024

Also I have extracted "fc502ce05f9bebf032e9f32884390b23_upd_yunmi.kettle.v2.bin" from "\Internal shared storage\Android\data\com.xiaomi.smarthome\cache\ble". Is that the encrypted firmware?


aprosvetova commented on May 25, 2024

Yes, it is, @drndos. I had a different hash, maybe because of a different version. Here's my bin:
fw.bin.zip


drndos commented on May 25, 2024

@aprosvetova Thanks, I found these parts are exactly the same:
0000-0001
0022-0052
0082-0091
00B2-00C1
00F2-0341
0352-03C1
Nothing more so far :/

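The range list above was produced by hand. The script below is an added example (not code from this thread or from any of the linked projects) that automates the same comparison: it reports the inclusive offset ranges where two images are byte-identical, in the same XXXX-YYYY notation used above, and then estimates the Shannon entropy of each shared and differing region. Shared, low-entropy regions are candidates for an unencrypted header or padding; a differing region near 8 bits/byte is what a well-encrypted body looks like. The two sample images are constructed (an invented 8-byte header, bodies that differ at every byte, 16 bytes of zero padding); the 7.0 bits/byte threshold is a heuristic assumption, not anything the thread states.

```python
"""Byte-level comparison of two firmware images plus per-region entropy.

Added example, not code from the thread. Sample images are constructed.
"""
import math
from typing import List, Tuple

Range = Tuple[int, int]


def common_ranges(a: bytes, b: bytes) -> List[Range]:
    """Inclusive (start, end) offsets at which a and b hold the same byte.

    Only the common prefix length is compared: bytes present in just one
    image cannot be identical to anything in the other.
    """
    ranges: List[Range] = []
    start = None
    n = min(len(a), len(b))
    for i in range(n):
        if a[i] == b[i]:
            if start is None:
                start = i
        elif start is not None:
            ranges.append((start, i - 1))
            start = None
    if start is not None:
        ranges.append((start, n - 1))
    return ranges


def differing_ranges(a: bytes, b: bytes) -> List[Range]:
    """Complement of common_ranges over the compared prefix."""
    n = min(len(a), len(b))
    out: List[Range] = []
    pos = 0
    for s, e in common_ranges(a, b):
        if s > pos:
            out.append((pos, s - 1))
        pos = e + 1
    if pos < n:
        out.append((pos, n - 1))
    return out


def format_ranges(ranges: List[Range]) -> List[str]:
    """Render ranges as 'XXXX-YYYY' hex strings, the notation used in the thread."""
    return ["%04X-%04X" % (s, e) for s, e in ranges]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    counts = [0] * 256
    for x in data:
        counts[x] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def report(a: bytes, b: bytes, encrypted_threshold: float = 7.0) -> List[dict]:
    """One row per region: offsets, shared or not, entropy in image a, verdict.

    encrypted_threshold is a heuristic assumption: ciphertext approaches
    8 bits/byte, while headers and padding sit far below that.
    """
    regions = [(s, e, True) for s, e in common_ranges(a, b)]
    regions += [(s, e, False) for s, e in differing_ranges(a, b)]
    regions.sort()
    rows = []
    for s, e, shared in regions:
        ent = shannon_entropy(a[s:e + 1])
        rows.append({
            "range": "%04X-%04X" % (s, e),
            "shared": shared,
            "entropy": round(ent, 3),
            "likely_ciphertext": ent >= encrypted_threshold,
        })
    return rows


def build_samples() -> Tuple[bytes, bytes]:
    """Two constructed images sharing an invented header and zero padding,
    with bodies that differ at every byte and have maximal entropy."""
    header = bytes.fromhex("514f544100010000")  # constructed, not the real header
    body_a = bytes(range(256))
    body_b = bytes((x + 1) % 256 for x in range(256))
    padding = bytes(16)
    return header + body_a + padding, header + body_b + padding


if __name__ == "__main__":
    img_a, img_b = build_samples()
    print("identical:", format_ranges(common_ranges(img_a, img_b)))
    for row in report(img_a, img_b):
        print(row)
```

To run it on real dumps, replace build_samples() with two open(path, "rb").read() calls. A shared region that also has low entropy is the part worth reading first; a shared region with high entropy would instead suggest identical ciphertext, which only happens if both the key and the plaintext at that offset are the same in both versions.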

aprosvetova commented on May 25, 2024

We'd better go that MCU extraction way. I'm sure there is nothing interesting in these encrypted firmwares :(


the4anoni commented on May 25, 2024

Anybody know how I can convert the European version of the kettle to Chinese so I can pair it with the China Mainland server?


Mattrees007 commented on May 25, 2024

@TheAnoni just wondering if you were able to convert your European kettle to Chinese?


the4anoni commented on May 25, 2024

@TheAnoni just wondering if you were able to convert your European kettle to Chinese?

Not yet, we need to wait for devs :(


cRaZy-bisCuiT commented on May 25, 2024

Any news about the topic? :)


cRaZy-bisCuiT commented on May 25, 2024

Hey guys, I made HA integration here: https://github.com/drndos/mikettle-ha
No integration for controlling the kettle for now though.

But when I follow your links and end up at the BLE protocol, it seems like this in general is possible? Setting at least the heat-up temperature would be very nice and all I need. :)


johnpwhite commented on May 25, 2024

Anybody know how I can convert the European version of the kettle to Chinese so I can pair it with the China Mainland server?

I'm keen to switch from China to Australia, did you find a solution?


ramikg commented on May 25, 2024

2. decrypt firmware (how? Quintic provides us with encrypting software only)

Decryption is possible using qotaunpack (given the key, of course).


zackoch commented on May 25, 2024

Yahtzee hotsauce
https://github.com/aleaksah/qn902x-dump

