Xiaomi Mijia Smart Multi-Mode Gateway (ZNDMWG03LM) support

serrj-sv · June 14, 2020, 1:16pm

!!WARNING!!
For unknown reasons this instruction will lead to bootloop in most cases!! I could not figure the reason for this. Don’t follow unless you’re familiar with SPI flasing, etc…

Modifying filesystem:

First thing you MUST do once you got root access is to BACKUP EVERYTHING.

Check MTD table:

# cat /proc/mtd
dev:    size   erasesize  name
mtd0: 000a0000 00020000 "bootloader"
mtd1: 00020000 00020000 "boot_info"
mtd2: 00020000 00020000 "factory"
mtd3: 00020000 00020000 "mtd_oops"
mtd4: 00100000 00020000 "bbt"
mtd5: 00300000 00020000 "linux_1"
mtd6: 01900000 00020000 "rootfs_1"
mtd7: 00300000 00020000 "linux_2"
mtd8: 01900000 00020000 "rootfs_2"
mtd9: 00100000 00020000 "homekit"
mtd10: 03820000 00020000 "AppData"

Copy EACH partition somewhere:
run on your linux device:

nc -l  -p 2222 | dd of=mtd0(1,2,3...)

run on Mi Gateway:

dd if=/dev/mtd0(1,2,3...) | nc linux_device_ip 2222

Check your boot configuration:

# boot_ctrl show
vernum: 0
bversion: 1.0.2.005
kernel: 0 0
rootfs: 0 0
kernel_0: 0 c8cf 2157572
kernel_1: 3 e87e 2126852
rootfs_0: 0 62c6 8552452
rootfs_1: 0 a40a 7704580
root_sum_check: off
priv_mode: on

If your “kernel” and “rootfs” has “0 0” it means your active kernel is kernel_0 and active root_fs is rootfs_0. If “kernel” and “rootfs” are “1 1” then your active kernel is kernel_1 and active root_fs is rootfs_1.
Do NOT make any modifications to kernel! Contrary to rootfs, kernel’s checksum is checking at every boot!
4. On your linux machine, unpack your ACTIVE root filesystem (rootfs_0 or rootfs_1):

sudo unsquashfs mtd6.bin

always run unsqashfs with root priveleges, because filesystem comtails “special” files wich cannot be accessed by normal user
5. “cd” to “squashfs-root” and make your changes. I did following:

Delete bin/tty0_disable. This app disables internal console for embedded UART0. You don’t need it

rm bin/tty0_disable
touch bin/tty0_disable
chmod +x bin/tty0_disable

edit etc/init.d/rcS and add “telnetd” line somewhere after network interfaces configuration block.
edit usr/app/bin/startup.sh and remove/comment out following line:

echo disable > /sys/class/tty/tty/enable

add following at the end of usr/app/bin/startup.sh, before “exit 0”:

/data/post_startup.sh

/data partition is writable, so so will not have to recompile rootfs next time when you want to run something on boot.
5. edit etc/mosquitto/mosquitto.conf and remove/comment out “listen 127.0.0.1”. Or (as I did), make a symlink of this file to /data partition.
6. When you ready with modifications, compile filesystem:

sudo mksquashfs squashfs-root/ livefs.squashfs -noappend -always-use-fragments -no-xattrs -comp xz

-no-xattrs and -comp xz are most important options. do NOT change them!
7. upload modified partition to gateway using netcat and dd to some temp location, but NOT to mtd device directly! for example to /var/tmp
8. using dd, copy partition to corresponding block device:
-if active rootfs is 0:

dd if=/var/tmp/new_rootfs of=/dev/mtdblock6

-if active rootfs is 1:

dd if=/var/tmp/new_rootfs of=/dev/mtdblock8

Wait few minutes after you finish. Do not reboot yet! You need to check if everything is ok. Dump again active rootfs (/dev/mtd6 or /dev/mtd8) and check if it has a data inside. If dump is empty - repeat steps 7-8-9!
Important:
-use /dev/mtdX to READ data
-use /dev/mtdbockX to WRITE data
REBOOT!

francisp · June 14, 2020, 3:34pm

Does that mean you can bridge the gateway’s mosquitto to your local mqtt broker, and control using mqtt ?

serrj-sv · June 14, 2020, 5:41pm

The gateway’s internal mqtt messaging format is not suitable for HA OOTB: all communications goes via same topic. So it makes no sense to bridge brokers. You need “something” between gateway’s broker and HA. NodeRed is good candidate, but maybe there is more sophisticated approach. I’m not specialist here, just learning

francisp · June 14, 2020, 5:47pm

Thanks for the information.

neldoreth · June 15, 2020, 10:43pm

User and password for telnet service ?

serrj-sv · June 16, 2020, 1:47am

it is in my original post:

neldoreth · June 16, 2020, 1:38pm

Sorry, my fault.

And the last custion. There is any possibility to do this from inside hub with telnet: network.open_pf = 3

serrj-sv · June 16, 2020, 2:02pm

Nope. There is no such command. This gateway don’t have easy/native integration with HomeAssistant (yet), but have big potential to have one.

neldoreth · June 16, 2020, 2:05pm

Then we wait. Thanks for all.

starkillerOG · June 20, 2020, 8:28am

@serrj-sv I have been working on a new homeassistant integration for xiaomi miio gateways (xiaomi miio) it is already in the latest HomeAssistant release and schould probably auto-detect this gateway ZNDMWG03LM.

I just created a PR to include your “enable_telnet_service” command to the python-miio library: https://github.com/rytilahti/python-miio/pull/734/files

Do you know more commands for the ZNDMWG03LM gateway?
Is there an easy way to get the zigbee device list from the telnet interface (some gateway models do not support the "get_device_prop", ["lumi.0", "device_list"] command)?

starkillerOG · June 20, 2020, 8:31am

@serrj-sv do you know if

{"id":0,"method":"disable_telnet_service", "params":[]}

is also a valid command?

serrj-sv · June 22, 2020, 1:00pm

I highly doubt so. This gateway works completely differently from previous ones. It uses MQTT internally and I honestly see no reason to use extra vendor layer (miio) to communicate with the gateway.

I didn’t inspect thoroughly because all functionality I needed were already provided by mqtt. There is no “psm-set” command for sure and no way to open port 9898 but as I said I see no reason for it. It would be better to make new integration for this particular model using mqtt.

I’m not familiar with miio protocol, so have no idea. Probably there is a way to get this information via mqtt.
You can see cannected devices here:

# cat /data/zigbee/device.info 
{"devInfo":[{"mac":"0x158d000363aab9","shortId":"0x2527","manuCode":"0x115f","model":"lumi.sensor_switch","did":"lumi.158d000363aab9","devType":0,"appVer":10,"hardVer":0,"devID":0,"status":0,"model_ver":0}]}

why on earth someone would need such a command?

davidrobertsen · July 5, 2020, 10:09am

Ok, i have enablet telnet. Now i want to integrate with openhab, but i don’t understand node-red yet. Do I have to write it myself or have someone made the Mija v3 gateway integration in node-red?

> telnet 192.168.10.195
> Trying 192.168.10.195...
> Connected to 192.168.10.195.
> Escape character is '^]'.
> 
> rlxlinux login: admin
> Lumi Linux version 3.0
>   _               _    _  _
>  | |             |_|  | ||_|
>  | | _  _  _____  _   | | _ ____  _   _  _  _
>  | || || ||     \| |  | || |  _ \| | | |\ \/ /
>  | || || || | | || |  | || | | | | |_| |/    \
>  |_|\____||_|_|_||_|  |_||_|_| |_|\____|\_/\_/
> 
> For further information check:
> https://www.aqara.com
> 
> 
> BusyBox v1.22.1 (2020-03-19 12:38:22 CST) built-in shell (ash)
> Enter 'help' for a list of built-in commands.`

Antoni_Czaplicki · July 6, 2020, 7:27am

After using the cat /data/miio/device.conf command, information with the same key as in previous versions of the gate pops up. Perhaps there is an option to use older integration.

# cat device.conf
did=332674158
key=BZLvRHKyG74y6O29
mac=64:**:**:**:C3:81
vendor=lumi
model=lumi.gateway.mgl03

and after cat /data/miio/device.token

# cat device.token
I29mD3cpIofKFoml

after # /data/cat /config/lumi.conf

# cat lumi.conf
eth=54:EF:44:03:A3:CA
temperature=27
language=ch
lumikey=gYbfKh6SqCNnwJKS

In addition, you can view information about connected devices

# cat /data/hw_setting/zigbee_gw.db
unqlite▒|'▒
           hash▒x-▒▒#▒▒▒>YBdev_list["lumi.158d000407ecd3"]v&
lumi.158d000407ecd3.mac158d000407ecd3▒1▒UElumi.158d000407ecd3.modellumi.remote.b286acn01

▒j
  lumi.158d000407ecd3.version1.2▒▒▒▒lumi.158d000407ecd3.prop{"props":{"CCA":1,"battery":95,"chip_temperature":30,"cur_state":3,"lqi":0,"power_tx":10,"pre_state":4,"pv_state":0,"reset_cnt":25,"send_all_cnt":7,"send_fail_cnt":3,"send_retry_cnt":0,"voltage":3025}}▒▒▒lumi.158d000407ecd3.prop{"props":{"CCA":1,"battery":95,"chip_temperature":30,"cur_state":3,"lqi":0,"power_tx":10,"pre_state":4,"pv_state":0,"reset_cnt":25,"send_all_cnt":1,"send_fail_cnt":0,"send_retry_cnt":0,"voltage":3025}}}:▒▒%▒▒lumi.158d000407ecd3.prop{"props":{"CCA":1,"battery":70,"chip_temperature":31,"cur_state":3,"lqi":0,"power_tx":10,"pre_state":4,"pv_state":0,"reset_cnt":25,"send_all_cnt":1,"send_fail_cnt":0,"send_retry_cnt":0,"voltage":3025}}}

devils73 · July 16, 2020, 1:46am

I am new to HA. I have added the gateway to integration of Xiaomi Miio. The api token should be correct. It is able to detect the model lumi.gateway.mgl03-Linux and the firmware version 1.4.6_0030. However, the sub-devices paired to this gateway are not able to detected. Any idea? Thanks!

AVZhuiko · July 16, 2020, 7:47am

I have the same issue.

devils73 · July 16, 2020, 8:36am

The only detected device is Xiaomi Gateway Alarm, but there is error “Got exception while fetching the state: No response from the device”

davidrobertsen · July 16, 2020, 8:07pm

I get the same when I add via miio, but i guess there is another binding for the gateway?

I guess the binding should be “Xiaomi Mi Smart Home Bridge,” but then the 9898 port needs to be opened. And then we need to telnet via the solder point inside the gateway…

devils73 · July 16, 2020, 11:34pm

You mean I should open the port 9898 in the gateway ? I can telnet to the gateway, but how to retrieve the binding ?

NikolayK · July 17, 2020, 9:53am

Same Q. php miio-cli.php --ip $ip --token $token --sendcmd ‘{“id”:0,“method”:“enable_telnet_service”, “params”:[]}’ doesn’t work anymore. No response from device