Xiaoai Speaker Play - L05B

[danielk117]

Hi,
I just bought a "Xiaoai Speaker Play", but i seems to be a new revision. 😞

The model number (l05b) is different from the one in the readme (lx05).
I found a TX0/RX0 and TX2/RX2. Any idea where i can get GND?

[duhow]

Can't find it either. Try removing the 4 button rubber pad?
Also try to follow connectivity on TP43 as it seems to be power ground?

[duhow]

@danielk117 any luck?

[danielk117]

Unfortunately, I have not found the time for a deeper research. ☹️

Removed the rubber. There is a protection or a adhesive layer now. Doesn‘t look like there is a GND under it.

You’re right, TP43 seems to be the power ground. I cant use it directly right?

[duhow]

You should be able to use TP43 directly.
Also if you have a multimeter, you can try to find contact with any other point without powering the speaker, in order to identify any other GND.

[danielk117]

Also if you have a multimeter, you can try to find contact with any other point without powering the speaker, in order to identify any other GND.

Good idea. TP7 (next to TX0/RX0) and the screw holes seems to be ground.

I soldered my adapter to TP7, TX0 and RX0. Which baudrate (or other settings) should work?

I only got this:

[duhow]

Default baud rate is 115200 8n1. Also ensure to disable hardware flow control.
This garbage output may be cause due to GND missing contact.

[danielk117]

nope, but 921600 8n1 seems to be working 👍
output_2021-12-14_09-08-28.log

how to interrupt this and get a logon?

[duhow]

NuttX? This doesn't seem to be it. Try with TX2/RX2 .
Do you have the Speaker with digital clock?

[danielk117]

no, its the one without the clock, but i think they have simular model numbers (l05b and l05c, https://home.miot-spec.com/s/wifispeaker) and could have simular hardware.

connected TX2/RX2 now, but I didn't get any output. not even garbage output. 😞

[danielk117]

I've done some quick research about xiaomi and NuttX... https://www.gizmochina.com/2020/11/05/xiaomi-launches-a-new-iot-software-platform-xiaomi-vela-based-on-nuttx-os/

[danielk117]

switching back to TX0/RX0... It's already running a shell (NuttShell) and no login is needed

for example

free
             total       used       free    largest  nused  nfree
Umem:      6957696    1680368    5277328    5175360   4887     22

df -h
  Filesystem    Size      Used  Available Mounted on
  binfs           0B        0B         0B /bin
  littlefs        7M      468K      6700K /data
  romfs        1072K     1072K         0B /etc
  procfs          0B        0B         0B /proc
  tmpfs           1K        0B         1K /tmp

env
PWD=/
ALSA_CONFIG_PATH=/data/etc/alsaALSA_CONFIG_DIR=/data/etc/
SN=31834/B1VD98309
WMAC=5C:02:14:54:77:06
BMAC=5C:02:14:54:77:07
DID=504390216
KEY=##############
UID=0000000000000001
IMEI=000000000000000
TZ=Asia/Shanghai

ap> ps
  PID GROUP PRI POLICY   TYPE    NPX STATE    EVENT     SIGMASK   STACK   USED  FILLED    CPU COMMAND
    0     0   0 FIFO     Kthread N-- Ready              00000000 003052 001044  34.2%   76.0% Idle Task
    1     1 253 RR       Kthread --- Waiting  Semaphore 00000000 003044 001296  42.5%    0.0% hpwork 0x20120f3c
    2     2 253 RR       Kthread --- Waiting  Semaphore 00000000 003044 001296  42.5%    0.0% hpwork 0x20120f3c
    3     3 253 RR       Kthread --- Waiting  Semaphore 00000000 003044 001296  42.5%    0.0% hpwork 0x20120f3c
    4     4 110 RR       Kthread --- Waiting  Semaphore 00000000 008164 002256  27.6%    0.0% lpwork 0x20120f30
    5     5 110 RR       Kthread --- Waiting  Semaphore 00000000 008164 001232  15.0%    0.0% lpwork 0x20120f30
    6     6 110 RR       Kthread --- Waiting  Semaphore 00000000 008164 000896  10.9%    0.0% lpwork 0x20120f30
    8     8 101 RR       Kthread --- Waiting  Semaphore 00000000 004060 001896  46.6%    0.0% bes_main  0x34010a04
    9     9 252 RR       Kthread --- Waiting  MQ empty  00000000 006108 000528   8.6%    0.0% app_thread  0x3400fcd8
   10    10 253 RR       Kthread --- Waiting  Semaphore 00000000 008124 000856  10.5%    1.1% audio_flinger  0x20045ca8
   11    11 100 RR       Kthread --- Waiting  Signal    00000000 003028 000720  23.7%    0.0% apps_recover  0x3400fcf8
   12    12 252 RR       Kthread --- Waiting  MQ empty  00000000 010180 000944   9.2%    0.0% net_wq  0x200480c0
   13    13 252 RR       Kthread --- Waiting  MQ empty  00000000 008132 000520   6.3%    0.0% net_tasklet  0x20048088
   14    14 252 RR       Kthread --- Waiting  Semaphore 00000000 004036 001104  27.3%    0.0% cw1200_bh  0x20048174
   15    15 224 RR       Kthread --- Waiting  Semaphore 00000000 004060 001400  34.4%    0.0% rptun audio 0x2014b8c0
   16    16 100 RR       Task    --- Waiting  Semaphore 00000000 004060 002536  62.4%    0.0% rc_raw_event_thx 0x2014d5e0
   17    17 100 RR       Task    --- Waiting  Signal    00000000 004084 001848  45.2%    0.0% init
   18    16 100 RR       pthread --- Waiting  Semaphore 00000000 016388 000448   2.7%    0.0% custom_ditective_speech_log_0 0x20135560
   19    17 100 RR       pthread --- Waiting  Semaphore 00000000 016388 000680   4.1%    0.0% custom_ditective_speech_log_1 0x20155a20
   20    20 100 RR       Task    --- Waiting  Semaphore 00000000 004084 002408  58.9%    0.0% kvdbd
   22    22 252 RR       Task    --- Waiting  Semaphore 00000000 004060 001016  25.0%    1.1% rpmsg-uorb-audio 0x341ac9f0
   23    23 232 RR       Task    --- Waiting  Semaphore 00000000 006132 001904  31.0%    0.0% usrsock
   24    24 100 RR       Task    --- Waiting  Signal    00000000 004076 002844  69.7%    0.0% mico_fluorided
   25    24 100 RR       pthread --- Waiting  Semaphore 00000000 010244 006640  64.8%    0.0% bt_stack_manager_thread 0x341b3cc0
   26    24 246 FIFO     pthread --- Waiting  Semaphore 00000000 002052 000376  18.3%    0.0% alarm_deprecated 0
   27    24 246 FIFO     pthread --- Waiting  Semaphore 00000000 004100 001544  37.6%    0.0% alarm_default_ca 0x341bca28
   29    24 246 FIFO     pthread --- Waiting  Semaphore 00000000 004100 001912  46.6%    0.0% alarm_dispatcher 0x341bca28
   30    24 100 RR       pthread --- Waiting  Semaphore 00000000 004100 002276  55.5%    0.0% bt_jni_thread 0x341b9510
   32    24 246 FIFO     pthread --- Waiting  Semaphore 00000000 004100 002276  55.5%    0.0% bt_hci_thread 0x341c6220
   33    24 246 FIFO     pthread --- Waiting  Semaphore 00000000 004100 001096  26.7%    0.0% bt_rx_thread 0
   34    24 246 FIFO     pthread --- Waiting  Semaphore 00000000 012804 009008  70.3%    0.0% bt_main_thread 0x341cc110
   35    24 246 FIFO     pthread --- Waiting  Semaphore 00000000 008196 002276  27.7%    0.0% bt_a2dp_sink_worker_thread 0x341c4bc0
   36    36 101 RR       Kthread --- Waiting  MQ empty  00000000 004060 000880  21.6%    0.0% wifi_event  0x340108d8
   37    37 252 RR       Kthread --- Waiting  MQ empty  00000000 004052 000608  15.0%    0.0% bes_netdev_wq
   38    38 100 RR       Kthread --- Waiting  Signal    00000000 004052 000680  16.7%    0.0% trans_stat_task  0x340108b8
   39    39 100 RR       Kthread --- Waiting  Signal    00000000 003036 000856  28.1%    1.1% temp_main  0x340109e4
   41    41 100 RR       Task    --- Waiting  Semaphore 00000000 008156 002360  28.9%    0.0% miio_client -n 128
   42    41 100 RR       pthread --- Waiting  MQ empty  00000000 004100 000560  13.6%    0.0% httpc_task 0x341de980
   43    41 100 RR       pthread --- Waiting  Semaphore 00000000 006148 001240  20.1%    0.0% otu_task 0x341dc77c
   44    44 100 RR       Task    --- Waiting  Semaphore 00000000 040940 002096   5.1%    0.0% mico_iot
   45    41 100 RR       pthread --- Waiting  MQ empty  00000000 004100 000792  19.3%    0.0% ots_task 0x341dcf70
   46    41 100 RR       pthread --- Waiting  MQ empty  00000000 006148 000784  12.7%    0.0% mi_otn 0x341dc730
   47    41 100 RR       pthread --- Waiting  MQ empty  00000000 010244 001648  16.0%    0.0% netMonitorTask 0x3407bbf8
   48    48 100 RR       Task    --- Waiting  Signal    00000000 014316 004168  29.1%    0.0% mediaserver
   49    48 100 RR       pthread --- Waiting  Semaphore 00002000 010244 001136  11.0%    0.0% nngepoll 0x3406c57c
   50    48 100 RR       pthread --- Waiting  Semaphore 00002000 010244 001208  11.7%    0.0% nngtaskq 0x341f3a84
   51    51 100 RR       Task    --- Waiting  Signal    00000000 004076 000976  23.9%    0.0% mico_aivs
   52    48 100 RR       pthread --- Waiting  Semaphore 00002000 010244 001520  14.8%    0.0% nngtaskq 0x341f3ac0
   53    51 100 RR       pthread --- Waiting  Semaphore 00000000 016388 000448   2.7%    0.0% aiutil 0x342012d0
   54    48 100 RR       pthread --- Waiting  Semaphore 00002000 010244 001080  10.5%    0.0% nngreap 0x3406c3d8
   55    55 100 RR       Task    --- Waiting  Signal    00000000 020460 001600   7.8%    0.0% mico_alarm
   56    48 100 RR       pthread --- Waiting  Semaphore 00002000 010244 000864   8.4%    0.0% nngtimer 0x3406c4f8
   57    48 100 RR       pthread --- Waiting  Semaphore 00002000 010244 000872   8.5%    0.0% nngaio 0x3406c448
   58    58 100 RR       Task    --- Waiting  Signal    00000000 008180 001176  14.3%    0.0% micoams
   59    48 100 RR       pthread --- Waiting  Semaphore 00000000 016388 000448   2.7%    0.0% mMicStPuber 0x34216560
   60    51 230 RR       pthread --- Waiting  Semaphore 00000000 006148 000928  15.0%    0.0% speech 0x342229a0
   61    51 100 RR       pthread --- Waiting  Semaphore 00000000 016388 000448   2.7%    0.0% speechDown 0x34227d00
   62    62 100 RR       Task    --- Waiting  Signal    00000000ore 00000000 016388 000448   2.7%    0.0% aiutil 0x342012d0
   54    48 100 RR       pthread --- Waiting  Semaphore 00002000 010244 001080  10.5%    0.0% nngreap 0x3406c3d8
   55    55 100 RR       Task    --- Waiting  Signal    00000000 020460 001600   7.8%    0.0% mico_alarm
   56    48 100 RR       pthread --- Waiting  Semaphore 00002000 010244 000864   8.4%    0.0% nngtimer 0x3406c4f8
   57    48 100 RR       pthread --- Waiting  Semaphore 00002000 010244 000872   8.5%    0.0% nngaio 0x3406c448
   58    58 100 RR       Task    --- Waiting  Signal    00000000 008180 001176  14.3%    0.0% micoams
   59    48 100 RR       pthread --- Waiting  Semaphore 00000000 016388 000448   2.7%    0.0% mMicStPuber 0x34216560
   60    51 230 RR       pthread --- Waiting  Semaphore 00000000 006148 000928  15.0%    0.0% speech 0x342229a0
   61    51 100 RR       pthread --- Waiting  Semaphore 00000000 016388 000448   2.7%    0.0% speechDown 0x34227d00
   62    62 100 RR       Task    --- Waiting  Signal    00000000 008172 001072  13.1%    0.0% micoplayer
   63    58 180 RR       pthread --- Waiting  Signal    00000000 016388 001792  10.9%    3.4% mico_led 0x34227310
   64    58 100 RR       pthread --- Waiting  Semaphore 00000000 016388 000448   2.7%    0.0% mico_touchpad_timer 0x34235df0
   65    65 100 RR       Task    --- Waiting  Semaphore 00000000 006116 001656  27.0%    0.0% mible_mesh_common_bt
   66    58 200 RR       pthread --- Waiting  Signal    00000000 010244 000880   8.5%    0.0% mico_touchpad 0x34235d4c
   67    67 227 FIFO     Kthread --- Waiting  Semaphore 00000000 001988 000776  39.0%    0.0% BT TX  0x341f09c0
   68    68 228 FIFO     Kthread --- Waiting  Semaphore 00000000 004036 000568  14.0%    0.0% BT RX  0x341f09c0
   69    69 230 FIFO     Kthread --- Waiting  Semaphore 00000000 001988 000424  21.3%    0.0% BT ECC  0x341f09c0
   70    70 228 FIFO     Kthread --- Waiting  Semaphore 00000000 004032 000776  19.2%    0.0% BT Driver  0x341f09c0
   72    65 100 RR       pthread --- Waiting  Semaphore 00000000 006148 000800  13.0%    0.0% mible_timer 0
   73    24 246 FIFO     pthread --- Waiting  Semaphore 00000000 006148 001112  18.0%    0.0% uipc-main 0x341d2cd0
   74    65 100 RR       pthread --- Waiting  Semaphore 00000000 008196 002360  28.7%    0.0% rpc_consume 0x3423bd10
   75    65 100 RR       pthread --- Waiting  Semaphore 00000000 008196 001168  14.2%    0.0% ble_gateway 0
   76    48 245 RR       pthread --- Waiting  Semaphore 00000000 081924 003920   4.7%   16.3% media_graph 0x34216030
   77    48 244 RR       pthread --- Waiting  Semaphore 00002000 061444 000592   0.9%    0.0% media_src_movie 0x34255630
   78    48 244 RR       pthread --- Waiting  Semaphore 00002000 061444 016304  26.5%    0.0% media_src_movie 0x34255e80
   79    48 244 RR       pthread --- Waiting  Semaphore 00002000 061444 005220   8.4%    0.0% media_src_movie 0x34256b40
   80    62 100 RR       pthread --- Waiting  Semaphore 00000000 016388 000448   2.7%    0.0% player_server 0x3422e6e0
   81    55 100 RR       pthread --- Waiting  Semaphore 00000000 016388 000448   2.7%    0.0% mico_alarm_timer 0x342d69e0
   82    44 100 RR       pthread --- Ready              00000000 016388 001680  10.2%    0.0% miot_helper 0x3429d720
   83    44 100 RR       pthread --- Waiting  Signal    00000000 006148 001608  26.1%    0.0% nightmode 0
   84    44 150 RR       pthread --- Waiting  Semaphore 00000000 016388 000536   3.2%    0.0% mico_iot_event 0x341ecbb0
   85    58 100 RR       pthread --- Waiting  Semaphore 00000000 006148 001152  18.7%    0.0% event_manager 0x3421b85c
   86    86 100 RR       Task    --- Running            00000000 002036 001552  76.2%    3.9% nsh

[duhow]

As per output, applications seem to run directly in there...

If we're unable to get a Linux console, this may mean mean the board is using a microcontroller instead of ARM computer. Hence this wouldn't be supported here.

Unless there's another computer that can reach internally from here - like another serial port?

[danielk117]

As per output, applications seem to run directly in there...

Yes, it seems to be the new way Xiaomi is making the firmware for this device.

I was able to set a wifi connection:

ifdown wlan0
ifup wlan0
wapi psk wlan0 PASSWORD 1
wapi essid wlan0 SSID 1
renew wlan0

and turning on telnet, by simply start the daemon:

telnetd

I browsed the whole filesystem (as NuttX/NuttShell hat all basic linux dir/file commands), but there isn't any file showing me the architecture of the chip. But I think I can confirm, that all the "magic" is done here: There are bluetooth, player or alarm daemons and I found config files for STT/TTS.

If we're unable to get a Linux console, this may mean mean the board is using a microcontroller instead of ARM computer. Hence this wouldn't be supported here.

Unless there's another computer that can reach internally from here - like another serial port?

https://www.gizmochina.com/2020/11/05/xiaomi-launches-a-new-iot-software-platform-xiaomi-vela-based-on-nuttx-os/

As my previous links show, wants Xaiomi using NuttX for all of his devices. I think they just started now with these speakers.
I don't know why they should run any different OS, as they new NuttX seems to do anything.

So yes, in this state your patches can't be used anymore. You could update your README, that the new "Speaker Play" doesn't work anymore. 😃

The board

I removed the metal housing, the rubbers and thermal paste from all chips. There are 4 "real" chips I can see:

• BES2300 (Bluetooth 5.0 Chip: https://airreps.info/files/datasheets/BES2300-IH_Datasheet_v0.25.pdf)
• ??? (? -> Next to the BES2300, I only can read "T1G" or "T1C"... I don't know what this could be)
• ESMT AD52580 (Audio Amplifier Chip: http://www.datasheet39.com/PDF/826755/AD52580-datasheet.html)
• JWH6J (? -> I only found it on AliExpress, which refers to a JW5052: https://www.joulwatt.com/en/proinfo_3407.html)

I don't which chip does the magic and is running the NuttX... 😞

And now?

When I bought the device, I was aware that I might not be able to hack it. My plan B was to remove the board and put a Pi Zero with a ReSpeaker 2-Mic in it. So just using the speaker and the housing, to build a real open source and good looking smart speaker. 😆

[duhow]

Just sad news... Anyway, thanks a lot for the investigation!
I'll close this issue as there's not much to do at the moment, but feel free to continue adding any investigation details you may find, I'll keep looking for it :)

[danielk117]

@duhow what do you think, is the "Xiaoai Speaker Pro" still the old hackable one? https://www.aliexpress.com/item/1005002212462596.html
if yes, would you recommend it? 😄

[duhow]

Yep, that one should be LX06 and with old firmware versions should be easy to get in.
If need any help with it open a new issue.

[Eric9453]

nope, but 921600 8n1 seems to be working 👍 output_2021-12-14_09-08-28.log

how to interrupt this and get a logon?

did you find the way to interrupt this and get a login?

seems that you find the way to get into the shell.

does there any key needs to press during startup? thank you.

[danielk117]

Connect your adapter to TX0/RX0. There is no login needed. Just press Enter when all boot stuff is done and you will get a shell.

[Eric9453]

l05c,

Tnahks for your reply.
I tried but it's still rolling and rollong. Nonstop rolling...