ThomDietrich/miflora-mqtt-daemon

Mi Kettle - Maybe we can also find a way to get data from the MiKettle

Opened this issue · 31 comments

# Now MiKettle gets detected! (Xiaomi water kettle)

Hey, today I had to fix something on the MQTT daemon and suddenly my MiKettle was detected as a Bluetooth device while running "lescan".

I tried to connect, but the MAC is restricted via:

```python
if not re.match("C4:7C:8D:[0-9A-F]{2}:[0-9A-F]{2}:[0-9A-F]{2}", mac):
```

so that did not work.
The kettle uses Bluetooth as well and probably works similarly to the flora sensors, so at least the water temperature should be possible to fetch, right?
Any idea how to check whether this could also work?

[Screenshot 2018-02-09 22:29:09]
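The daemon's prefix check above is what rejects the kettle. The following is an added example, not code from miflora-mqtt-daemon or from anyone in this thread: it parses constructed `hcitool lescan`-style lines and applies both the daemon's original Flora regex and a generalised OUI allowlist, so you can see which addresses each one accepts. The kettle's address below is a made-up placeholder, not the device's real OUI.

```python
"""Filter BLE scan results by vendor OUI prefix.

Added example, not code from miflora-mqtt-daemon or the thread: it parses
constructed `hcitool lescan`-style lines and applies two checks, the daemon's
original Xiaomi Flora prefix regex quoted in the thread and a generalised
OUI allowlist. The kettle address below is a made-up placeholder, not the
real device's OUI.
"""
import re

# The daemon's check as quoted in the thread: only the Flora OUI C4:7C:8D passes.
FLORA_REGEX = re.compile(r"C4:7C:8D:[0-9A-F]{2}:[0-9A-F]{2}:[0-9A-F]{2}")

# Generic MAC syntax, any case; used only to validate parsed scan lines.
MAC_SYNTAX = re.compile(r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}")

# Constructed sample in the "<MAC> <name>" layout hcitool lescan prints.
# The MiKettle line is a placeholder address, not the real OUI.
SAMPLE_LESCAN = """\
LE Scan ...
C4:7C:8D:12:34:56 Flower care
c4:7c:8d:ab:cd:ef (unknown)
00:11:22:33:44:55 MiKettle
"""


def parse_lescan(text):
    """Return (mac, name) pairs for every line that starts with a MAC address."""
    devices = []
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and MAC_SYNTAX.fullmatch(parts[0]):
            devices.append((parts[0], parts[1]))
    return devices


def daemon_accepts(mac):
    """The original check: re.match anchors at the start only and is case-sensitive,
    so a lowercase address from another tool is rejected even with the right OUI."""
    return FLORA_REGEX.match(mac) is not None


def allowlist_accepts(mac, allowed_ouis):
    """Generalised check: normalise case and compare the first three octets
    against an explicit set of vendor prefixes."""
    oui = mac.upper()[:8]
    return oui in {o.upper() for o in allowed_ouis}


def classify(text, allowed_ouis=("C4:7C:8D",)):
    """Map each scanned MAC to (name, accepted_by_daemon, accepted_by_allowlist)."""
    return {
        mac: (name, daemon_accepts(mac), allowlist_accepts(mac, allowed_ouis))
        for mac, name in parse_lescan(text)
    }


if __name__ == "__main__":
    for mac, (name, daemon_ok, list_ok) in classify(SAMPLE_LESCAN).items():
        print(f"{mac}  {name!r:<15} daemon={daemon_ok!s:<5} allowlist={list_ok}")
```

Running it shows the daemon regex accepting only the uppercase Flora address, while the allowlist also accepts the lowercase one; adding the kettle's real OUI to `allowed_ouis` is all that would be needed to let it through the filter (talking to it is a separate problem, as the rest of the thread shows).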

I have debugged it a bit, and it is possible to get data from the Kettle. Unfortunately it requires some kind of authentication, and does not provide any data without authentication.

Does anyone have experience with MiHome device authentication?

I've not used it so far but there is an openHAB binding for MiHome specifically. Check it out!

Great! Thank you!
Well done!

Ta-da
https://github.com/aprosvetova/xiaomi-kettle

Hello, we don't need perfect code 😄, just working code; we can perfect it later. Could you please release the code? Thank you.

@drndos, maybe later. Still need to refactor some things.

Ta-da

This is awesome, sad to see the limitation of having to physically press a button is still a thing. Is there any work out there on a custom firmware? My searches turn up nothing.

@beikeland nothing interesting at the moment. There are two ways to update the firmware on QN902x:

  1. OTA Bluetooth update
  2. Connecting to the MCU pins

The first way requires us to pack and encrypt the firmware with the special qotapack.exe utility, and we need to know the 16-byte key Xiaomi used for their kettles.
We also need to obtain the official firmware before modifying it, of course. I've succeeded in sniffing the traffic and getting the OTA firmware file, but it's encrypted, as I said.
Steps are:

  1. guess the key
  2. decrypt firmware (how? Quintic provides us with encrypting software only)
  3. patch it
  4. encrypt it back with the same key
  5. upload via BLE

The second way is to connect to the MCU pins directly so that we can dump an unencrypted firmware; then we can get the key from it and start from step 3 of the OTA way.
But I didn't disassemble my kettle, and I guess the MCU is in protected mode.

If anyone knows or learns how to dump Quintic QN902x firmware, let’s talk.

Thanks for the insight! Disassembly done; the base contains the power supply, relay, buzzer and temperature sensor.

Inside the handle (under the touch buttons) there is a small board with 2x 3-pin connections to the base
(presumably power and relay + temperature and buzzer). Everything is encapsulated in clear silicone, with some test points visible under the silicone. The reverse side is all plastic casing filled with silicone.

Will follow up if I get to removing the silicone. As the DT-06(?) module in the picture below indicates, a Wi-Fi version may be easier if the supply in the base can handle the load.


Follow-up: not too bad to remove the board from the plastic casing. Pull off the cast silicone gasket, gently pry under the headers until the board pops out. The silicone on top of the chips dissolved in acetone to make them legible.

U2 MCU QN9022 (11w2 8xef)
U3 Touch controller TS02NC
U1 SMP? I4BEB1 P1H014

@beikeland Of course it'd be easier to replace the MCU with an ESP32 or something like that, because you'd have full access to the firmware, but my goal was to hack the original kettle :D

@beikeland

Replacing the Bluetooth module with a Wi-Fi one would, due to the size difference, quite possibly destroy the clean aesthetics of the device. It seems like the PCB of the Mi Kettle is fully custom.

@aprosvetova The guys at dustcloud https://github.com/dgiese/dustcloud managed to hack the firmware for the Xiaomi vacuum; maybe it's worth researching whether there is anything in common. Also some guy hacked the Mi Band: https://medium.com/machine-learning-world/how-i-hacked-xiaomi-miband-2-to-control-it-from-linux-a5bd2f36d3ad His tutorial seems very similar to yours. Maybe someone hacked the firmware for the Mi Band and the procedure would be similar. I have managed to read stuff (not write) with his instructions and some BLE sniffing.

Completely get that @aprosvetova, and there are likely a lot of people who would be very grateful. I figured I'd look into physical access on the off chance the chip was not locked for reading.

Getting to the board is simple. Three screws on the base (one under the barcode). To release the bezel on the handle, I depressed the locking tab inside and gently pried the gap that formed on the outside; the rest is snap fit, plus one screw securing the board assembly.

@drndos There is ample room for at least an ESP8285 solution, quite possibly an ESP32 module as well. It would likely require a custom PCB to deal with the touch interface, but if there is no progress on the firmware I'll pursue that in the future. For now it's just additional information.

@drndos Yeah, thanks, but they are completely different. Different chips, different communication ways, etc.

@aprosvetova If we manage to physically extract the MCU and connect to its debug ports, we have two options: either it is unprotected and easy, or, most probably, locked. Do you have any experience in dumping a protected program from an MCU? I tried some cold boot stepping with an STM32; I am not sure if it would apply here. What would you suggest?

@drndos Oh, I'm more software-ish; I have just a little experience with microcontrollers. So if you dump the firmware, I'll be able to patch it, encrypt and pack it as a Quintic OTA update, and write some software to let us upload this update to the kettle.

I am reading through the documentation on the MCU and it seems that the flash is encrypted. But I see that the program is loaded into SRAM at start, and I expect it to be unencrypted there. I know it is slightly different, but the logic might be viable: https://www.aisec.fraunhofer.de/en/FirmwareProtection.html
It seems like a long shot though; I don't have a pirateswd on me, nor do I have the means to do the precise power switching with my Arduino. Do any of you have a pirateswd?

Also, I have extracted "fc502ce05f9bebf032e9f32884390b23_upd_yunmi.kettle.v2.bin" from "\Internal shared storage\Android\data\com.xiaomi.smarthome\cache\ble". Is that the encrypted firmware?

Yes, it is, @drndos. I had a different hash, maybe because of a different version. Here's my bin:
fw.bin.zip

@aprosvetova Thanks. I found these parts are exactly the same:
0000-0001
0022-0052
0082-0091
00B2-00C1
00F2-0341
0352-03C1
Nothing more so far :/
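A lock-step byte comparison is how an offset list like the one above is produced. The block below is an added example, not code from the thread or the daemon: it walks two images in parallel, reports runs of equal bytes as inclusive hex ranges in the same form as the list above, and includes a file-based helper for comparing two real `.bin` files. The two images it builds are constructed for the example (a shared magic, a differing version field, a shared header block, then bodies that differ at every byte); nothing is claimed about the layout of the real Yunmi OTA files. Identical runs across two independently encrypted images usually point at unencrypted headers or at structure the cipher mode leaks.

```python
"""Report byte ranges that are identical at the same offset in two firmware images.

Added example, not code from the thread or the daemon. The sample images are
constructed; their layout is invented for the example and says nothing about
the real Yunmi kettle OTA files.
"""
from __future__ import annotations

from pathlib import Path


def identical_ranges(a: bytes, b: bytes, min_len: int = 1) -> list[tuple[int, int]]:
    """Inclusive (start, end) offsets where a[i] == b[i] for at least min_len bytes in a row.
    Only the overlapping prefix is compared; a length difference is never a match."""
    ranges = []
    start = None
    n = min(len(a), len(b))
    for i in range(n + 1):
        same = i < n and a[i] == b[i]
        if same and start is None:
            start = i
        elif not same and start is not None:
            if i - start >= min_len:
                ranges.append((start, i - 1))
            start = None
    return ranges


def format_ranges(ranges, width: int = 4) -> list[str]:
    """Render ranges in the thread's 'XXXX-YYYY' hex form."""
    return [f"{s:0{width}X}-{e:0{width}X}" for s, e in ranges]


def build_sample_images() -> tuple[bytes, bytes]:
    """Constructed pair of images; the layout is invented for this example."""
    magic = b"\x51\x55"                      # offsets 0x0000-0x0001: shared
    ver_a, ver_b = b"\x01\x02", b"\x03\x04"  # offsets 0x0002-0x0003: differ
    header = bytes(range(0x10, 0x40))        # offsets 0x0004-0x0033: shared
    body_a = bytes((i * 7) & 0xFF for i in range(0x100))       # 0x0034-0x0133
    body_b = bytes((i * 11 + 3) & 0xFF for i in range(0x100))  # differs at every byte
    return magic + ver_a + header + body_a, magic + ver_b + header + body_b


def compare_files(path_a: str, path_b: str, min_len: int = 1) -> list[str]:
    """Compare two on-disk images, e.g. two versions of the OTA .bin."""
    a = Path(path_a).read_bytes()
    b = Path(path_b).read_bytes()
    return format_ranges(identical_ranges(a, b, min_len))


if __name__ == "__main__":
    a, b = build_sample_images()
    for r in format_ranges(identical_ranges(a, b)):
        print(r)
```

On the constructed pair this prints `0000-0001` and `0004-0033`; raising `min_len` filters out the short coincidental matches that appear between two random-looking ciphertexts, which is worth doing before reading anything into a list like the one above.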

We'd better go that MCU extraction way. I'm sure there is nothing interesting in these encrypted firmwares :(

Anybody know how I can convert a European version of the kettle to Chinese so I can pair it with the China Mainland server?

@drndos, @aprosvetova, any luck with your research? Any progress? Could you share what has been done so far?
thanks, GS.

@TheAnoni just wondering if you were able to convert your European kettle to Chinese?

Not yet, we need to wait for devs :(

Any news about the topic? :)

Hey guys, I made HA integration here: https://github.com/drndos/mikettle-ha
No integration for controlling the kettle for now though.

But when I follow your links and end up at the BLE protocol, it seems like this is possible in general? Setting at least the heat-up temperature would be very nice and is all I need. :)

> Anybody know how I can convert a European version of the kettle to Chinese so I can pair it with the China Mainland server?

I'm keen to switch from China to Australia, did you find a solution?

> 2. decrypt firmware (how? Quintic provides us with encrypting software only)

Decryption is possible using qotaunpack (given the key, of course).