Rooting Xioami MJSTG1 #325
Comments
|
Here are some images of the robot:
Main board (has lots of tests points):
The connectors in the corners without soldered components look like USB:
The ESP32 is attached to the mainboard through the keyboard board:
Some pics of the robot as a whole:
|
|
@dgiese any ideas? |
|
@phodina I think this uses the ESP32 as the CPU not only for bluetooth and wifi. Try to play with that pcb, maybe a serial output will give out some hints. |
|
@xedsvg you mean there's actually no beefy processor running Linux but just tiny microcontroller like ESP32 running some RTOS or baremetal handling all the main tasks while the chip on the mainboard AM308S handles all the IO? |
|
Don't take my word for it but that's my guess. Linux would bloat the ESP32. You may be able to reverse engineer something from it tho. |
|
The ESP32 is only doing WIFI/cloud communication. The robot also works with the ESP32 removed. |
|
@xedsvg was able to extract the flash from the ESP32. no protection used. dump is readable. |
|
protocol is simple text protocol using commands like: get_properties and action |
|
I installed esphome on the ESP32 and am able to control it with it :-) |
|
On the keyboard PCB there's debug port J1 which is exposed on the top of the robot if a plastic cover is removed. I haven't looked at the pinout though. |
|
Nice @philhug, haven't had the time. I disassembled the device but didn't do into the pins. Could you post the link to the firmware dump from the ESP32? I can I also dump mine and we can compare the differences. |
|
I've been looking into routers/modems capable running OpenWrt. I can divert the attention to ESP32. And to make the robot be controlled by the commandes recived by the Wifi/Bluetooth. It's dirt cheap and would open new world of IoT devices. |
|
@phodina I have it working as far to send commands to the robot to start/stop/dock get_properties,... |
|
Looking into this robot, could be interesting to replace the ESP32 with something like an Orange Pi Zero or similar board and install there Valetudo. |
|
@daniel-dona no need to replace it, just flash esphome on it. |
|
Btw: there is also a debug port on the top side. I didn't look at the pinout yet, but I'd assume you could even flash it without disassembling it, like you have to do no. |
|
Valetudo does not run on ESP32, is a Node.js based tool/interface, too heavy for that SoC. https://github.com/Hypfer/Valetudo |
|
I know, that's why I suggest to use esphome for the esp32. |
|
Sure, but ESPhome is more like an interfacing software, Valetudo is an integrated dashboard... they can even integrate if Valetudo is installed outside the robot. |
|
Some more information about this robot. The main chip is this one http://en.amicro.com.cn/?product/chip/master/1675.html Looks like a purpose build SoC for vacuum cleaning robots with a custom SDK/RTOS (http://en.amicro.com.cn/?platform/open/), no Linux or something similar. Only 64 KB or SRAM anyway... The debug port on the top looks like it's only an UART connection for debuging this Amicro AM380S chip. Nothing interesting but I logged it here: https://github.com/daniel-dona/xiaomi_MJSTG1_hacking/blob/main/main_bootlog.txt |
|
Thanks for the log+finding the SoC. The main thing I am missing at the moment are the commands for the map. Start/stop/dock are easy. |
|
@daniel-dona I just looked at your dumps (ipc dump is what I am interested in) can you do a dump that contains some map updates during cleaning? |
I don't think so, the robot was just in my desk during the capture, but I will try to capture a whole cleaning session. Anyway I'm not sure the map is used for anything more than eye-candy in the Xiaomi App... no LiDAR or V/SLAM in this robot, so is more like the log of all the bumps with things around the house than something that is used during the cleaning session. |
Yeah, but it still builds some kind of map that resembles the room. |
That is because I captured only one line at a time, TX from the SoC or TX from the ESP32. I only have a cheap UART to USB adapter in hand currently :/ |
|
HI! |
|
@Petro0872 If you can write the flash you should also be able to dump it yourself. |
|
The original flash is break. I replace it with a new spi flash and now i need a dump to write a new flash.
|
Hi,
I've got question if somebody tried to root the Xioami Robot Vacuum Mop Essential?
As I do own one I disassembled the cleaner and looked inside. Here are my observations:
There is custom processor AM308S which I do not recognize and even google has not returned anything useful. Without some datasheet is hard to guess the pinout of the chip (without reverseengineering the board). There is no STM32 for driving the peripherals. Just the main SoC and Winbond nonvolatile memory.
When I disconnected the mainboard R1_MainBoard_V1.4 (2019-12-27) I can see a lot of test points on the back of it. Though I have no Idea which is the UART or even if it's enabled.
There is also attached ESP-WROOM-32D for bluetooth and wifi.
This model does not have LIDAR nor up facing camera and relies only on infrared sensors. This makes is really affordable.
The
python-miiois able to recognize this device as the class is already implementedhttps://github.com/rytilahti/python-miio/blob/master/miio/integrations/vacuum/mijia/g1vacuum.py
There is no USB in the battery bay compartment so no real way to interact e.g. https://github.com/rumpeltux/viomi-rooting
So what should be the next steps to root this device?
Also any idea where to get the OTA firmware so that it could be analyzed (SoC architecture, security features ...)
The text was updated successfully, but these errors were encountered: