Rooting Xioami MJSTG1 about dustcloud HOT 28 OPEN

Btw: there is also a debug port on the top side. I didn't look at the pinout yet, but I'd assume you could even flash it without disassembling it, like you have to do no.

from dustcloud.

Here are some images of the robot:

Main board (has lots of tests points):

The connectors in the corners without soldered components look like USB:

The ESP32 is attached to the mainboard through the keyboard board:

Some pics of the robot as a whole:

from dustcloud.

@dgiese any ideas?

from dustcloud.

@phodina I think this uses the ESP32 as the CPU not only for bluetooth and wifi. Try to play with that pcb, maybe a serial output will give out some hints.

from dustcloud.

@xedsvg you mean there's actually no beefy processor running Linux but just tiny microcontroller like ESP32 running some RTOS or baremetal handling all the main tasks while the chip on the mainboard AM308S handles all the IO?

from dustcloud.

Don't take my word for it but that's my guess.

Linux would bloat the ESP32. You may be able to reverse engineer something from it tho.
If I were you, I would poke all the uart pins and see what's the deal between the AM308S and the ESP.
If you are lucky you might get some uart comunication and expand on that.
If that's not the case, see if you can dump the ESP. If it's encrypted use a power glitch.
If you can dump the firmware, search for strings inside of it, you may get the mqtt credentials. I would set up a mqtt proxy (IOXI) and replace them with the local proxy and see what's sending back.

from dustcloud.

The ESP32 is only doing WIFI/cloud communication. The robot also works with the ESP32 removed.

from dustcloud.

@xedsvg was able to extract the flash from the ESP32. no protection used. dump is readable.
ESP32 communicates with xiaomi cloud over tls-based protocol authenticating with device-specific keys. (derived from hardware, mac address?, fuses..?)
still need to find out what is sent over the UART between ESP and AM308S

from dustcloud.

protocol is simple text protocol using commands like: get_properties and action

from dustcloud.

I installed esphome on the ESP32 and am able to control it with it :-)

from dustcloud.

On the keyboard PCB there's debug port J1 which is exposed on the top of the robot if a plastic cover is removed. I haven't looked at the pinout though.

from dustcloud.

Nice @philhug, haven't had the time. I disassembled the device but didn't do into the pins.

Could you post the link to the firmware dump from the ESP32? I can I also dump mine and we can compare the differences.

from dustcloud.

I've been looking into routers/modems capable running OpenWrt. I can divert the attention to ESP32. And to make the robot be controlled by the commandes recived by the Wifi/Bluetooth. It's dirt cheap and would open new world of IoT devices.

from dustcloud.

@phodina I have it working as far to send commands to the robot to start/stop/dock get_properties,...
the only real thing I'm missing is the map.

from dustcloud.

Looking into this robot, could be interesting to replace the ESP32 with something like an Orange Pi Zero or similar board and install there Valetudo.

from dustcloud.

@daniel-dona no need to replace it, just flash esphome on it.

from dustcloud.

Valetudo does not run on ESP32, is a Node.js based tool/interface, too heavy for that SoC. https://github.com/Hypfer/Valetudo

from dustcloud.

I know, that's why I suggest to use esphome for the esp32.

from dustcloud.

Sure, but ESPhome is more like an interfacing software, Valetudo is an integrated dashboard... they can even integrate if Valetudo is installed outside the robot.

from dustcloud.

Some more information about this robot. The main chip is this one http://en.amicro.com.cn/?product/chip/master/1675.html

Looks like a purpose build SoC for vacuum cleaning robots with a custom SDK/RTOS (http://en.amicro.com.cn/?platform/open/), no Linux or something similar. Only 64 KB or SRAM anyway...

The debug port on the top looks like it's only an UART connection for debuging this Amicro AM380S chip. Nothing interesting but I logged it here: https://github.com/daniel-dona/xiaomi_MJSTG1_hacking/blob/main/main_bootlog.txt

from dustcloud.

Thanks for the log+finding the SoC.
I'm using the ESP32 mostly as an UART over Wifi bridge, so it would also be possible to run Valetudo externally.

The main thing I am missing at the moment are the commands for the map. Start/stop/dock are easy.

from dustcloud.

@daniel-dona I just looked at your dumps (ipc dump is what I am interested in) can you do a dump that contains some map updates during cleaning?
I replaced the firmware too early :-)))

from dustcloud.

@daniel-dona I just looked at your dumps (ipc dump is what I am interested in) can you do a dump that contains some map updates during cleaning? I replaced the firmware too early :-)))

I don't think so, the robot was just in my desk during the capture, but I will try to capture a whole cleaning session. Anyway I'm not sure the map is used for anything more than eye-candy in the Xiaomi App... no LiDAR or V/SLAM in this robot, so is more like the log of all the bumps with things around the house than something that is used during the cleaning session.

from dustcloud.

I don't think so, the robot was just in my desk during the capture, but I will try to capture a whole cleaning session. Anyway I'm not sure the map is used for anything more than eye-candy in the Xiaomi App... no LiDAR or V/SLAM in this robot, so is more like the log of all the bumps with things around the house than something that is used during the cleaning session.

Yeah, but it still builds some kind of map that resembles the room.
Also the reads/writes are somehow buffered in your log, so the commands are not in the correct order.
it should look like this:

> get_down
< down none
> get_down
< down ...

from dustcloud.

I don't think so, the robot was just in my desk during the capture, but I will try to capture a whole cleaning session. Anyway I'm not sure the map is used for anything more than eye-candy in the Xiaomi App... no LiDAR or V/SLAM in this robot, so is more like the log of all the bumps with things around the house than something that is used during the cleaning session.

Yeah, but it still builds some kind of map that resembles the room. Also the reads/writes are somehow buffered in your log, so the commands are not in the correct order. it should look like this:

> get_down
< down none
> get_down
< down ...

That is because I captured only one line at a time, TX from the SoC or TX from the ESP32. I only have a cheap UART to USB adapter in hand currently :/

from dustcloud.

HI!
Do you have a firmware for ESP32 or dump? I need a dump to write flash.

from dustcloud.

@Petro0872 If you can write the flash you should also be able to dump it yourself.
What's the issue?

from dustcloud.

from dustcloud.