Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ZNDMWG04LM does not reset password #116

Open
dmitkam opened this issue Sep 22, 2024 · 7 comments
Open

ZNDMWG04LM does not reset password #116

dmitkam opened this issue Sep 22, 2024 · 7 comments

Comments

@dmitkam
Copy link

dmitkam commented Sep 22, 2024

ZNDMWG04LM does not reset password firmware 1.0.7_0019

== Gateway Global Tool version:20240218==

Power ON Gateway NOW!<<

IPL gdf99011
D-17
HW Reset
01481480 00000000
Resume? N, addr 00000000
miupll_233MHz
SPI 54M
128MB
BIST0_0001-OK
SPI 54M
[BBT] Found table @ 0x00020000

Checksum OK

IPL_CUST gdf99011
Export ENV 1

U-Boot 2015.01 (Sep 22 2022 - 15:39:48)

Version: P3g1fd806f
I2C: ready
DRAM:
WARNING: Caches not enabled
SPINAND_I: [FLASH] Found SNI in block 0.
[FLASH] dev_id = 0xee
[FLASH] mfr_id = 0xa1, dev_id= 0xe4 id_len = 0x2
[SPINAND] RFC ues command 0x6b with 0x08 dummy clock.
[SPINAND] Program load with command 0x32.
[SPINAND] Random load with command 0x34.
[FLASH] Unlock all block.
[FLASH] Use BDMA.
128 MiB
MMC: MStar SD/MMC: 0
ENV: offset = 0x480000 size = 0x40000
ENV1: offset = 0x4c0000 size = 0x40000
In: serial
Out: serial
Err: serial
Net: No ethernet found.
clk=12M, u16Div=0 u32Duty=0x2cf u32Period=0x4af
[halPWMPadSet][107] (pwmId, padId) = (1, 5)
clk=12M, u16Div=0 u32Duty=0x4af u32Period=0x4af
[halPWMPadSet][107] (pwmId, padId) = (2, 6)
clk=12M, u16Div=0 u32Duty=0x4af u32Period=0x4af
[halPWMPadSet][107] (pwmId, padId) = (3, 7)
gpio debug MHal_GPIO_Pad_Set: pin=43
gpio[43] is 1
gpio debug MHal_GPIO_Pad_Set: pin=44
gpio[44] is 1
gpio debug MHal_GPIO_Pad_Set: pin=59
gpio[59] is 0
gpio debug MHal_GPIO_Pad_Set: pin=62
gpio[62] is 1
gpio debug MHal_GPIO_Pad_Set: pin=63
gpio[63] is 0
gpio debug MHal_GPIO_Pad_Set: pin=61
gpio[61] is 1
gpio debug MHal_GPIO_Pad_Set: pin=60
gpio[60] is 1
gpio debug MHal_GPIO_Pad_Set: pin=44
gpio[44] is 0
gpio debug MHal_GPIO_Pad_Set: pin=63
gpio[63] is 1
gpio debug MHal_GPIO_Pad_Set: pin=59
gpio[59] is 1
gpio debug MHal_GPIO_Pad_Set: pin=60
gpio[60] is 0
SigmaStar #
SigmaStar #
SigmaStar #
SigmaStar #
SigmaStar #
SigmaStar #
SigmaStar #
SigmaStar #
SigmaStar #
SigmaStar # printenv bootargs
bootargs=root=/dev/mtdblock7 rootfstype=squashfs ro init=/linuxrc LX_MEM=0x7FE00 NV),256k(ENV1),128k(KEY_CUST),5m(KERNEL),5m(KERNEL_BAK),16m(rootfs),16m(rootfs_b
SigmaStar # setenv bootargs root=/dev/mtdblock7 rootfstype=squashfs ro init=/bin 664k(BOOT1),256k(ENV),256k(ENV1),128k(KEY_CUST),5m(KERNEL),5m(KERNEL_BAK),16m(ro
SigmaStar # run bootcmd

NAND read: device 0 offset 0x520000, size 0x500000
Time:558574 us, speed:9386 KB/s
5242880 bytes read: OK
incorrect device type in MISC
incorrect device type in LOGO

Booting kernel from Legacy Image at 22000000 ...

Image Name: MVX4##P3##g294517324KL_LX409##[B
Image Type: ARM Linux Kernel Image (lzma compressed)
Data Size: 2188580 Bytes = 2.1 MiB
Load Address: 20008000
Entry Point: 20008000
Verifying Checksum ... OK
-usb_stop(USB_PORT0)
-usb_stop(USB_PORT2)
Uncompressing Kernel Image ...
[XZ] !!!reserved 0x21000000 length=0x 1000000 for xz!!
XZ: uncompressed size=0x46b000, ret=7
OK
atags:0x20000000

Starting kernel ...

early_atags_to_fdt() success
Booting Linux on physical CPU 0x0
Linux version 4.9.84 (luobo@embedded-compile20) (gcc version 9.1.0 (GCC) ) #12 S
CPU: ARMv7 Processor [410fc075] revision 5 (ARMv7), cr=50c5387d
CPU: div instructions available: patching division code
CPU: PIPT / VIPT nonaliasing data cache, VIPT aliasing instruction cache
early_atags_to_fdt() success
OF: fdt:Machine model: PIONEER3 SSC020A-S01A-S
[ERR] LX_MEM, LX_MEM2, LX_MEM3 not 1MB aligned
LXmem is 0x7fe0000 PHYS_OFFSET is 0x20000000
Add mem start 0x20000000 size 0x7fe0000!!!!

LX_MEM = 0x20000000, 0x7fe0000
LX_MEM2 = 0x0, 0x0
LX_MEM3 = 0x0, 0x0
EMAC_LEN= 0x0
DRAM_LEN= 0x0
deal_with_reserved_mmap memblock_reserve success mmap_reserved_config[0].reserve
0x27c00000

deal_with_reserve_mma_heap memblock_reserve success mma_config[0].reserved_start
0x27700000

cma: Reserved 2 MiB at 0x27400000
Memory policy: Data cache writealloc
percpu: Embedded 14 pages/cpu @c7f9c000 s25688 r8192 d23464 u57344
Built 1 zonelists in Zone order, mobility grouping on. Total pages: 32480
Kernel command line: root=/dev/mtdblock7 rootfstype=squashfs ro init=/bin/sh LX_ OT1),256k(ENV),256k(ENV1),128k(KEY_CUST),5m(KERNEL),5m(KERNEL_BAK),16m(rootfs),1
PID hash table entries: 512 (order: -1, 2048 bytes)
Dentry cache hash table entries: 16384 (order: 4, 65536 bytes)
Inode-cache hash table entries: 8192 (order: 3, 32768 bytes)
Memory: 114592K/130944K available (2616K kernel code, 239K rwdata, 1336K rodata,
Virtual kernel memory layout:
vector : 0xffff0000 - 0xffff1000 ( 4 kB)
fixmap : 0xffc00000 - 0xfff00000 (3072 kB)
vmalloc : 0xc8000000 - 0xff800000 ( 888 MB)
lowmem : 0xc0000000 - 0xc7fe0000 ( 127 MB)
modules : 0xbf800000 - 0xc0000000 ( 8 MB)
.text : 0xc0008000 - 0xc02964f4 (2618 kB)
.init : 0xc040a000 - 0xc0436000 ( 176 kB)
.data : 0xc0436000 - 0xc0471c90 ( 240 kB)
.bss : 0xc0473000 - 0xc04a02f0 ( 181 kB)
SLUB: HWalign=64, Order=0-3, MinObjects=0, CPUs=2, Nodes=1
Preemptible hierarchical RCU implementation.
Build-time adjustment of leaf fanout to 32.
RCU restricting CPUs from NR_CPUS=4 to nr_cpu_ids=2.
RCU: Adjusting geometry for rcu_fanout_leaf=32, nr_cpu_ids=2
NR_IRQS:16 nr_irqs:16 16
ms_init_main_intc: np->name=ms_main_intc, parent=gic
ms_init_pm_intc: np->name=ms_pm_intc, parent=ms_main_intc
ss_init_gpi_intc: np->name=ms_gpi_intc, parent=ms_main_intc
Find CLK_cpupll_clk, hook ms_cpuclk_ops
arm_arch_timer: Architected cp15 timer(s) running at 6.00MHz (virt).
clocksource: arch_sys_counter: mask: 0xffffffffffffff max_cycles: 0x1623fa770, m
sched_clock: 56 bits at 6MHz, resolution 166ns, wraps every 4398046511055ns
Switching to timer-based delay loop, resolution 166ns
Console: colour dummy device 80x30
console [ttyS0] enabled
Calibrating delay loop (skipped), value calculated using timer frequency.. 12.00
pid_max: default: 4096 minimum: 301
Mount-cache hash table entries: 1024 (order: 0, 4096 bytes)
Mountpoint-cache hash table entries: 1024 (order: 0, 4096 bytes)
CPU: Testing write buffer coherency: ok
CPU0: update cpu_capacity 1024
CPU0: thread -1, cpu 0, socket 0, mpidr 80000000
Setting up static identity map for 0x20008280 - 0x200082cc
CPU1: update cpu_capacity 1024
CPU1: thread -1, cpu 1, socket 0, mpidr 80000001
Brought up 2 CPUs
SMP: Total of 2 processors activated (24.00 BogoMIPS).
CPU: All CPU(s) started in SVC mode.
devtmpfs: initialized
VFP support v0.3: implementor 41 architecture 2 part 30 variant 7 rev 5
clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 1911
futex hash table entries: 16 (order: -2, 1024 bytes)
NET: Registered protocol family 16
DMA: preallocated 256 KiB pool for atomic coherent allocations

Version : MVX4##P3##g294517324KL_LX409##[BR:release]#XVM

GPIO: probe endhw-breakpoint: found 5 (+1 reserved) breakpoint and 4 watchpoint
hw-breakpoint: maximum watchpoint size is 8 bytes.
SCSI subsystem initialized
[DrvPWMDutyQE0 L1064] grp:0 x0(0)
[DrvPWMDutyQE0 L1064] grp:0 x0(0)
[DrvPWMDutyQE0 L1064] grp:0 x0(0)
[DrvPWMDutyQE0 L1064] grp:0 x0(0)
[NOTICE]pwm-isr(58) success. If not i6e or i6b0, pls confirm it on .dtsi
clocksource: Switched to clocksource arch_sys_counter
NET: Registered protocol family 2
TCP established hash table entries: 1024 (order: 0, 4096 bytes)
TCP bind hash table entries: 1024 (order: 2, 20480 bytes)
TCP: Hash tables configured (established 1024 bind 1024)
UDP hash table entries: 128 (order: 0, 6144 bytes)
UDP-Lite hash table entries: 128 (order: 0, 6144 bytes)
NET: Registered protocol family 1
hw perfevents: enabled with armv7_cortex_a7 PMU driver, 5 counters available
workingset: timestamp_bits=30 max_order=15 bucket_order=0
squashfs: version 4.0 (2009/01/31) Phillip Lougher
jffs2: version 2.2. ТЉ 2001-2006 Red Hat, Inc.
fuse init (API version 7.26)
io scheduler noop registered
io scheduler deadline registered (default)
libphy: Fixed MDIO Bus: probed
mousedev: PS/2 mouse device common for all mice
=======gpio_free(43 & 44);==for ti_zb======
lumi_btn_probe key=42!!
[ss_gpi_intc_domain_alloc] hw:42 -> v:62
input: main-key as /devices/virtual/input/input0
i2c /dev entries driver
1f221000.uart0: ttyS0 at MMIO 0x0 (irq = 33, base_baud = 10800000) is a unknown
1f221200.uart1: ttyS1 at MMIO 0x0 (irq = 34, base_baud = 10800000) is a unknown
1f220400.uart2: ttyS2 at MMIO 0x0 (irq = 35, base_baud = 10800000) is a unknown
[MHal_GPIO_Check_PE] set gpio85 PE
MSYS: DMEM request: [emac0_buff]:0x00000812
MSYS: DMEM request: [emac0_buff]:0x00000812 success, CPU phy:@0x27440000, virt:@
libphy: mdio: probed
mdio_bus mdio-bus@emac0: /soc/emac0/mdio-bus/ethernet-phy@0 has invalid PHY addr
mdio_bus mdio-bus@emac0: scan phy ethernet-phy at address 0
mdio_bus mdio-bus@emac0: scan phy ethernet-phy at address 1
mdio_bus mdio-bus@emac0: scan phy ethernet-phy at address 2
mdio_bus mdio-bus@emac0: scan phy ethernet-phy at address 3
mdio_bus mdio-bus@emac0: scan phy ethernet-phy at address 4
mdio_bus mdio-bus@emac0: scan phy ethernet-phy at address 5
mdio_bus mdio-bus@emac0: scan phy ethernet-phy at address 6
mdio_bus mdio-bus@emac0: scan phy ethernet-phy at address 7
mdio_bus mdio-bus@emac0: scan phy ethernet-phy at address 8
mdio_bus mdio-bus@emac0: scan phy ethernet-phy at address 9
mdio_bus mdio-bus@emac0: scan phy ethernet-phy at address 10
mdio_bus mdio-bus@emac0: scan phy ethernet-phy at address 11
mdio_bus mdio-bus@emac0: scan phy ethernet-phy at address 12
mdio_bus mdio-bus@emac0: scan phy ethernet-phy at address 13
mdio_bus mdio-bus@emac0: scan phy ethernet-phy at address 14
mdio_bus mdio-bus@emac0: scan phy ethernet-phy at address 15
mdio_bus mdio-bus@emac0: scan phy ethernet-phy at address 16
mdio_bus mdio-bus@emac0: scan phy ethernet-phy at address 17
mdio_bus mdio-bus@emac0: scan phy ethernet-phy at address 18
mdio_bus mdio-bus@emac0: scan phy ethernet-phy at address 19
mdio_bus mdio-bus@emac0: scan phy ethernet-phy at address 20
mdio_bus mdio-bus@emac0: scan phy ethernet-phy at address 21
mdio_bus mdio-bus@emac0: scan phy ethernet-phy at address 22
mdio_bus mdio-bus@emac0: scan phy ethernet-phy at address 23
mdio_bus mdio-bus@emac0: scan phy ethernet-phy at address 24
mdio_bus mdio-bus@emac0: scan phy ethernet-phy at address 25
mdio_bus mdio-bus@emac0: scan phy ethernet-phy at address 26
mdio_bus mdio-bus@emac0: scan phy ethernet-phy at address 27
mdio_bus mdio-bus@emac0: scan phy ethernet-phy at address 28
mdio_bus mdio-bus@emac0: scan phy ethernet-phy at address 29
mdio_bus mdio-bus@emac0: scan phy ethernet-phy at address 30
mdio_bus mdio-bus@emac0: scan phy ethernet-phy at address 31
[emac_phy_connect][3534] connected mac emac0 to PHY at mdio-bus@emac0:00 [uid=11
[ms_cpufreq_init] Current clk=799999872
[FLASH] Found SNI in block 0.
[FLASH] dev_id = 0xee
MSYS: DMEM request: [BDMA]:0x00000840
MSYS: DMEM request: [BDMA]:0x00000840 success, CPU phy:@0x27441000, virt:@0xC744
[FLASH] mfr_id = 0xa1, dev_id= 0xe4 id_len = 0x2
[SPINAND] RFC ues command 0x6b with 0x08 dummy clock.
[SPINAND] Program load with command 0x32.
[SPINAND] Random load with command 0x34.
[FLASH] Use BDMA.
nand: device found, Manufacturer ID: 0xa1, Chip ID: 0xe4
nand: 128 MiB, MLC, erase size: 128 KiB, page size: 2048, OOB size: 64
12 cmdlinepart partitions found on MTD device nand0
Creating 12 MTD partitions on "nand0":
0x000000140000-0x0000002e0000 : "BOOT0"
0x0000002e0000-0x000000480000 : "BOOT1"
0x000000480000-0x0000004c0000 : "ENV"
0x0000004c0000-0x000000500000 : "ENV1"
0x000000500000-0x000000520000 : "KEY_CUST"
0x000000520000-0x000000a20000 : "KERNEL"
0x000000a20000-0x000000f20000 : "KERNEL_BAK"
0x000000f20000-0x000001f20000 : "rootfs"
0x000001f20000-0x000002f20000 : "rootfs_bak"
0x000002f20000-0x000003020000 : "factory"
0x000003020000-0x000004420000 : "RES"
0x000004420000-0x000008000000 : "UBI"
[wakeup source] HW gate_xtal:0 SourceNum:1
[wakeup source] WakeupSource:61

[ss_gpi_intc_domain_alloc] hw:61 -> v:63
[ss_gpi_irq_set_wake] hw:61 enable? 1
nf_conntrack version 0.5.0 (2048 buckets, 8192 max)
ip_tables: (C) 2000-2006 Netfilter Core Team
NET: Registered protocol family 10
sit: IPv6, IPv4 and MPLS over IPv4 tunneling driver
NET: Registered protocol family 17
[mstar_pm_init] resume_pbase=0x200114F5, suspend_imi_vbase=0xC8057000
ThumbEE CPU extension supported.
Registering SWP/SWPB emulation handler
VFS: Mounted root (squashfs filesystem) readonly on device 31:7.
devtmpfs: mounted
This architecture does not have kernel memory protection.
[emac_phy_link_adjust] EMAC Link Down
/bin/sh: can't access tty; job control turned off
/ # mount -t ramfs ramfs /var; mkdir /var/tmp
/ # cp /etc/init.d/rcS /var/tmp/rcS
/ # sed -i 's/fw_manager.srandom: fast init done
h -r/echo skip/g' /var/tmp/rcS
sed -i 's/${CUSTOM_POST_INIT} &/echo skip/g' /var/tmp/rcS
/ # sed -i 's/${CUSTOM_POST_INIT} &/echo skip/g' /var/tmp/rcS
/ # /var/tmp/rcS
passwd -d root
net.core.rmem_default = 163840
net.core.rmem_max = 163840
net.core.wmem_default = 524288
net.core.wmem_max = 1048576
net.ipv4.tcp_mem = 924 1232 1848
net.ipv4.tcp_rmem = 4096 87380 325120
net.ipv4.tcp_wmem = 4096 131072 393216
mount: mounting none on /sys failed: Device or resource busy
mount: mounting none on /sys/kernel/debug failed: Device or resource busy
Mstar_ehc_init version:20180309
Sstar-ehci-1 H.W init
Titania3_series_start_ehc start
[USB] config miu select [70] [e8] [ef] [ef]
[USB] enable miu lower bound address subtraction
[USB] init squelch level 0x2
BC disable
==20180309==> hub_port_init 1 #0
Plug in USB Port1
Gateway token in ASCII (use xxd -p to convert to 32 characters hexadecimal strin

cat /data/miio/device.token

*** _import_default_cfg, /etc/ssw105at-wifi.cfg ***

sstar1xxx_hci_init() start
sstar1xxx_dev_probe(): SSW105AT device "SSW105AT" found !
SSTAR1XXX HCI TX Task started.
MAC address from e-fuse
EFUSE configuration
Read efuse chip identity[105a0000]
r_calbration_result- 0
sar_result- 0
crystal_frequency_offset- a1
tx_power_index_1- 72
tx_power_index_2- d9
MAC address - 14:c9:cf:10:8a:b0
rate_table_1- 70
rate_table_2- 0
flash_file /tmp/flash.bin not found
str_table =
sstar105at_if_chk_mac2: is not need to check MAC addres 2 for this model
sstar105at_adj_config: clear hci rx aggregation setting
sstar105at_adj_config: clear hci tx aggregation setting
sstar105at_adj_config: clear hw beacon
sstar105at_adj_config: not support external PA for this chip
ht40 rate gain value 0
SSTAR1XXX RX Task started.
sstar1xxx_usb_rx_task: nr_recvbuff=5
wait 0 ms for usb rom code ready
[Isp_Driver_Init]
[s32CurClkIdx] = 2
[ISP] Request IRQ: 51, 87
[IspMid_Driver_Init]
ispsclttl:0
[CSI] probe
vif driver probe
Create device file. vif_ints,0
jpe driver probed
[DRV_DIVP_PROC_Init]
AudioProcInit 299
module [sys] init
MI_SYSCFG_SetupMmapLoader default_config_path:/config/config_tool, argv1:/config
config...... cmdpath:/config/config_tool, argv0:/config/load_config
config...... cmdpath:/config/config_tool, argv1:/misc/config.ini
config...... cmdpath:/config/config_tool, argv2:/misc/PQConfig.ini
config...... cmdpath:/config/config_tool, argv3:(null)
mi_sys_mma_allocator_create success, heap_base_addr=20000000 length=20000
module [ao] init
module [ai] init
ubiattach /dev/ubi_ctrl -m 10 -d 0
UBI device number 0, total 160 LEBs (20316160 bytes, 19.4 MiB), available 0 LEBs
ubiattach /dev/ubi_ctrl -m 11 -d 1
chan change ch 6, type 1, off_chan 0
INIT SSTAR CONTROL GENERIC NETLINK MODULE
UBI device number 1, total 479 LEBs (60821504 bytes, 58.0 MiB), available 0 LEBs
[WatchDogInit 15] init watch dog, timeout:30s
skip
/ # passwd -d root
passwd: unknown uid 0
/ #
/ # cat /data/miio/device.token
WLv59RA0Lwk5x7UH
/ # Gateway Info:

cat /data/miio/device.conf
did=499480362
key=kWHyh7Yh1IovFjhn
mac=54:EF:44:48:60:A9
vendor=lumi
model=lumi.gateway.mgl001
/ #
/ # reboot
/ #

@niceboygithub
Copy link
Owner

You got key, that is enough for XG3

@dmitkam
Copy link
Author

dmitkam commented Sep 22, 2024

Telnet is closed. Custom component for control Xiaomi Multimode Gateway (aka Gateway 3), Xiaomi Multimode Gateway 2, Aqara Hub E1 - https://github.com/AlexxIT/XiaomiGateway3 - can't connect. You can't telnet via PuTTY.

@niceboygithub
Copy link
Owner

The telnet will be enabled by XG3 via token and key.

@dmitkam
Copy link
Author

dmitkam commented Sep 28, 2024

Apparently the root user is missing. )

@niceboygithub
Copy link
Owner

mgl001 use root as user.

@dmitkam
Copy link
Author

dmitkam commented Sep 28, 2024

If the key and Token are present, telnet will not open. The creator of the XiaomiGateway3 integration assumes that there is no root user.

@niceboygithub
Copy link
Owner

The "root" user was NOT removed in every firmware till now.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants