Xiaomi has released new 2.1.1 firmware

[micturkey]

It seems that the way to update firmware using telink flasher has been forbidden.

[atc1441]

Thank you for the hint.
That really reads like they closed it

[pvvx]

Not closed, but changed the "activation". + Changed the "advertising interval" to 2100 ms
"Login", works with known keys. OTA also works.
Set "Mi Token", "Mi Bind Key" and press "Login":

A piece of the activation log (sniffer + MiHome):
"Sent Read Request, Handle: 0x00xx" abbreviated as "Send enc_XX".
"Rcvd Read Response, Handle: 0x00xx" abbreviated as "Rcvd enc_XX".

// > Checking for transmission with MTU size
Send enc_10: a4 // Test MTU
Rcvd enc_19: 000004000612 // ?
Send enc_19: 000005000612
Rcvd enc_19: 0000040112121212121212121212121212121212
Send enc_19: 0000050112121212121212121212121212121212
// > Get Device id
Send enc_10: a2000000 // SYS_DEV_INFO_GET
Rcvd enc_19: 000000000200 // ?, 2 blks
Send enc_19: 00000101
Rcvd enc_19: 01000200000000626c742e362e316667336a736f
Rcvd enc_19: 0200726f73673030
Send enc_19: 00000100 // ACK
// ????
Send enc_10: 15000000 // REG_START_WO_PKI
Send enc_19: 000000030400 // ECC_PUBKEY?, 4 blks
Rcvd enc_19: 00000101
Send enc_19: 01003b412a2b060a1d7da21033ff4e584bf4f8f3
Send enc_19: 02001a9dee5c4dc95e198c4bc3be5953d6babfdb
Send enc_19: 0300415a9eda4e42ac53e864d1ebd6c9b4616ce5
Send enc_19: 04004c9f1e094e30fc77ce51 // 18*3+10=64 bytes
Rcvd enc_19: 00000100 // ACK
Rcvd enc_19: 000000030400 // ECC_PUBKEY?, 4 blks
Send enc_19: 00000101
Rcvd enc_19: 010025c4faa9e119108b3133915e663ee3d4d0fb
Rcvd enc_19: 02009ada216d9d91928725dea0bb88f44639f8a1
Rcvd enc_19: 0300bb69a33f849bdbb0c2be2b8910271244c5dd
Rcvd enc_19: 04006bc5edefc593dc2d8557 // 18*3+10=64 bytes
Send enc_19: 00000100 // ACK

Send enc_10: 13000000 // REG_VERIFY_SUCC
Send enc_19: 000000000600   // DEV_SHARE_INFO?, 6 blks
Rcvd enc_19: 00000101
Send enc_19: 01001904e3c44b8ab77b3e2f9b7371b4606d9a8a
Send enc_19: 0200e7c71cc8bc712b7d080af2153d8638b7701e
Send enc_19: 0300ab70d36fceb296c3f8805d4073216e542f93
Send enc_19: 0400523da93c45061966487db32dd32936159b3e
Send enc_19: 05006739aa0281d368eac3205bc87d419ebc838e
Send enc_19: 06007457 // 18*5+2=92 bytes
Rcvd enc_19: 00000100 // ACK

Send enc_19: 000000071600 // SERVER_CERT?, 22 blks 
Rcvd enc_19: 00000101
// send certificate: https://github.com/Ai-Thinker-Open/Telink_SIG_Mesh/blob/master/example/AT_Ali_Mesh/mesh/mi_api/certi/cryptography/mi_crypto.c#L46
Send enc_19: 0100308201773082011ea003020102020101300a
Send enc_19: 020006082a8648ce3d0403023022311330110603
Send enc_19: 030055040a130a4d696a696120526f6f74310b30
Send enc_19: 04000906035504061302434e3020170d31363131
Send enc_19: 050032333038323032355a180f32303636313131 
Send enc_19: 0600313038323032355a30233114301206035504
Send enc_19: 07000a0c0b4d696a696120436c6f7564310b3009
Send enc_19: 080006035504061302434e3059301306072a8648
Send enc_19: 0900ce3d020106082a8648ce3d03010703420004
Send enc_19: 0a00a752ecd44b6b3b17abc34f8300c6320f2e4c
Send enc_19: 0b00bec57a51034b5ecadf7347d745df8c3dbcfa
Send enc_19: 0c00aedb67b04cace5aff798182e43c5a444b627
Send enc_19: 0d00c2d7f361629d3f914802a3423040301f0603
Send enc_19: 0e00551d2304183016801496b7a27c39b1b96633
Send enc_19: 0f00a9f8d109b20060c8e6c511301d0603551d0e
Send enc_19: 1000041604145a29bffb2fb7500ce9c420f23d89
Send enc_19: 11009b6fe0803293300a06082a8648ce3d040302
Send enc_19: 1200034700304402205eb096d630f92f092ae39d
Send enc_19: 13001356f836c529697a355d765f4eccce785b89
Send enc_19: 14009a6d1602207e206b22aa04e6dee818c7d4c4
Send enc_19: 150080e5fabd99074bdecf45346e37f1cffd8646
Send enc_19: 160090 // 18*22+1=397 bytes
Rcvd enc_19: 00000100 // ACK
Rcvd enc_10: 11000000 // REG_SUCCESS

[atc1441]

Thanks Victor,
So the activation part is not cracked right now, and you need to currently get the set key first from the app etc. to OTA ?

I would expect them to sign the activation on the server side with an unknown private key but lets hope not

[thazro]

Can i downgrade via Uart? With correct key/token cannot downgrade or change fw. Even if login is correct and OTA seems to work, it doesn't .

[pvvx]

I haven't clarified the whole process yet.
There is an assumption that the OTA firmware is signed with an additional key.
The "OTA" procedure itself always works, but at the end the "OTA" code itself may not be included. Previously, for some variants of thermometers, the signature was the correct "CRC" of the OTA code.

It is quite possible that because of these "security worries" Xiaomi has changed the activation and "OTA":
https://francozappa.github.io/publication/2023/espoofer/

PS: I can't clarify because I adhere to the "user agreement" in "MiHome". It is forbidden to view their code and other manipulations with it. And no one wants to publish the binary file of the new official firmware for public access :)

[maltiboi]

is this going to get fixed please? thank you

[Tim-The-Woodsman]

And I just updated the firmware without checking in here 😞

[wwnkrull]

I've made the same mistake by updating to the latest firmware. Hope this will be fixed soon.
Thanks guys for all the hard work!

[PerssonNiklas]

So for those of us who updated to the latest firmware, is there any way to downgrade when the flasher does not connect due to being on unsupported firmware? Catch 22 situation!

[igorlesiv]

I also can't flat on 2.1.1_0159 version, let me know please it if possible or not. Thanks!

[pvvx]

At the moment, you can only write another firmware using a hardware programmer.

[PerssonNiklas]

At the moment, you can only write another firmware using a hardware programmer.

How would I go about doing that?

[kri5to]

damn, got it with the new firmware so cant install the custom also :(
Is there a hope to get the upgrade soon ?

[pvvx]

A hint may occur when a new version is released. When it will be possible to upgrade version 2.1.1_0159 in Mi Home to the next one.

[VonalOrdu]

To go back to the old version (Original_OTA_Xiaomi_LYWSD03MMC_v1.0.0_0130.bin );
To do this, you must remove your temperature sensor and connect it with the cables by following the steps below.
This is how I solved my problem.
I'm sorry for my bad english.

1. https://github.com/pvvx/ATC_MiThermometer/blob/master/Original_OTA_Xiaomi_LYWSD03MMC_v1.0.0_0130.bin download
2. https://pvvx.github.io/ATC_MiThermometer/USBCOMFlashTx.html
3. 
4. 
5. File select Original_OTA_Xiaomi_LYWSD03MMC_v1.0.0_0130.bin
6. Write to flash

[pvvx]

@VonalOrdu

1. The contact on the PCB marked as "reset" is not an RST signal for the TLSR825x SoC !
2. https://pvvx.github.io/ATC_MiThermometer/USBCOMFlashTx.html - does not use RX pin, resistor and connection RX is not needed !

[VonalOrdu]

@VonalOrdu

1. The contact on the PCB marked as "reset" is not an RST signal for the TLSR825x SoC !
2. https://pvvx.github.io/ATC_MiThermometer/USBCOMFlashTx.html - does not use RX pin, resistor and connection RX is not needed !

I have no idea about this.
I succeeded by doing this.
Maybe it will happen if you do as you say.
I used the suggestion below.

https://github.com/atc1441/ATC_MiThermometer/blob/master/Mi_SWS_Connection.jpg

[pvvx]

The very name of the utility describes: TLSR825x USB-COM Flash Writer v0.4 (TX-SWS only!) :)

The picture is from another version of the programmer - https://github.com/pvvx/TlsrComSwireWriter - does not work on FTDI chips!

Comment edited: Fixed a link error.

[VonalOrdu]

The very name of the utility describes: TLSR825x USB-COM Flash Writer v0.4 (TX-SWS only!) :)

The picture is from another version of the programmer - https://github.com/pvvx/TlsrComProg825x - does not work on FTDI chips!

Are you saying that I am enough like this?

[pvvx]

Are you saying that I am enough like this?

Yes

[VonalOrdu]

Are you saying that I am enough like this?

Yes

python.exe TLSR825xComFlasher.py -p COM3 -t 70 wf 0 Original_full_flash_Xiaomi_LYWSD03MMC.bin

Why didn't this method work?
"Chip sleep? -> Use reset chip (RTS-RST): see option --tact"
It was giving error.

https://pvvx.github.io/ATC_MiThermometer/USBCOMFlashTx.html

This method worked. Thank you very much for your sharing.

[pvvx]

Why didn't this method work?

https://github.com/pvvx/TlsrComSwireWriter - does not work on FTDI chips! (Only Chinese USB-COM chips)

On FTDI chips, reception is performed by checking bitwise synchronization with the removal of bad characters from the buffer with error generation, which does not allow emulating "Telink Swire".

https://github.com/pvvx/TlsrComProg825x - this programmer uses a loader that switches to work with the RX and TX chip UART pins.
It takes a lot of wires...

---

https://github.com/pvvx/ATC_MiThermometer#the-usb-com-adapter-writes-the-firmware-in-explorer-web-version

[ceinmart]

Hi,
I just made the same mistake as everyone here.
I bought two of these sensors and was planning to flash them and use them with a BLE Tracker on my Home Assistant.
However, curious to see how it works originally I did the firmware upgrade when added to mihome app.... stupid curious...

So, after sharing my disgrace...

How hard is to get one of this USB-COM board and use it to downgrade? any link from Aliexpress?
I get little confused about which board is compatible, which link should be used to do the downgrade, how is the right way to wiring...
Please, can anyone share where to buy this USB-COM and a step-by-step how to downgrade the firmware ?

[thazro]

Hi, I just made the same mistake as everyone here. I bought two of these sensors and was planning to flash them and use them with a BLE Tracker on my Home Assistant. However, curious to see how it works originally I did the firmware upgrade when added to mihome app.... stupid curious...

So, after sharing my disgrace...

How hard is to get one of this USB-COM board and use it to downgrade? any link from Aliexpress? I get little confused about which board is compatible, which link should be used to do the downgrade, how is the right way to wiring... Please, can anyone share where to buy this USB-COM and a step-by-step how to downgrade the firmware ?

Hi. Downgraded using this ch340 usb to ttl rs232 converter:
https://www.aliexpress.com/item/32354359382.html?gatewayAdapt=glo2isr
Solder p14 on thermometer to txd
Solder Gnd to gnd
Solder + to 3.3V
Flash using:
https://pvvx.github.io/ATC_MiThermometer/USBCOMFlashTx.html

[kimol88]

Maybe I can't differently, but flash by site only works on Windows "machine". On MacBook I bricked by flash. On Windows "machine" I recovery firmware without problems :)

[ceinmart]

Hi. Downgraded using this ch340 usb to ttl rs232 converter: https://www.aliexpress.com/item/32354359382.html?gatewayAdapt=glo2isr Solder p14 on thermometer to txd Solder Gnd to gnd Solder + to 3.3V Flash using: https://pvvx.github.io/ATC_MiThermometer/USBCOMFlashTx.html

Hi Guys,
Just giving an feedback, I just flashed and downgraded my sensor successfully!!!

However I didn't used the board referenced by @tharzo, I got with a Friend the FTDI 232 and followed the steps passed by tarzho.

I did the downgrade of my firmware from v2 to v1 and then flashed it with the custom firmware v4.5 successfully!!
Very , very happy :)
Thanks all for the support.
Now , let's try to setup it on my Home Assistant using a ESP32 as BLE Tracker...

[vdende]

I'm not that familiar with soldering and boards, so I decided to buy a new one from Ali, from the same shop as my previous one. It was shipped very fast and fortunately the firmware version of the new device was still on v1.0.
So for this one I was able to flash it with the custom v4.5, set it to BTHome and configured it in HomeAssistant.

[adamb94]

Is there any expected date when soft 2.1.1 will be supported by Telink Mi Flasher? I was not able to downgrade by Serial

[pvvx]

So far no one is doing this or it is unknown.
I'm waiting for the next version to come out.
This will make it possible to understand how to update version 2.1.1.

Disassembling or otherwise viewing codes from Xiaomi is prohibited in the MiHome user agreement. For this reason, other methods that are not prohibited will be used. And this requires the next new version of OTA from MiHome.

[1eretoile]

j'ai essayé connecté
gnd a gnd
txd a P14
3v3 a v+

mais après quand je rallume le thermomètre plus rien a l'écran

[perfect-deform]

Guys, just successfully downgraded using ch340g (no jumper, or resistor. just 2 wires).
Connected

• gnd to gnd
• tx to P14
• with battery inserted.
  
  
  

UPD
works with v1.4
tried v1.5 - failed

UPD 2
nope, flashed rev 1.5 the same way
tried to flash with OTA 1.0.0_0130 straightaway. But worked the same way, after first try - blank screen, after second - flashed ok

Step-by-step

1. Connect gnd under battery, tx to p14 and insert battery
2. Choose 460800 and Atime: 3sec
3. Flash OTA 1.0.0_0130
4. DO NOT MOVE :) DO NOT DISCONNECT ANYTHING!
5. Change baud to 115200
6. Flash the same firmware again
7. Now your device is dead
8. Disconnect everything (ch340g too)
9. Update page
10. Connect everything the same way
11. Choose 460800 and Atime: 3sec
12. Flash OTA 1.0.0_0130
13. ...
14. PROFIT

[uncompteabcd]

do your "Step-by-step" work for rev 1.5 ?

Guys, just successfully downgraded using ch340g (no jumper, or resistor. just 2 wires). Connected

* gnd to gnd

* tx to P14

* with battery inserted.
  ![image](https://private-user-images.githubusercontent.com/60361408/319551166-7180b4ba-4498-4d20-9e96-727306fef7b0.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3MTI1OTkxMDYsIm5iZiI6MTcxMjU5ODgwNiwicGF0aCI6Ii82MDM2MTQwOC8zMTk1NTExNjYtNzE4MGI0YmEtNDQ5OC00ZDIwLTllOTYtNzI3MzA2ZmVmN2IwLnBuZz9YLUFtei1BbGdvcml0aG09QVdTNC1ITUFDLVNIQTI1NiZYLUFtei1DcmVkZW50aWFsPUFLSUFWQ09EWUxTQTUzUFFLNFpBJTJGMjAyNDA0MDglMkZ1cy1lYXN0LTElMkZzMyUyRmF3czRfcmVxdWVzdCZYLUFtei1EYXRlPTIwMjQwNDA4VDE3NTMyNlomWC1BbXotRXhwaXJlcz0zMDAmWC1BbXotU2lnbmF0dXJlPWFkYWY4ODRkYzE5YmM2MjBmYzNiY2MxM2E2MWYwMmU5ODg1ZmVlOTMyZTc3ZWJhN2M5YTc4NWU4MWI2ZDQyZTAmWC1BbXotU2lnbmVkSGVhZGVycz1ob3N0JmFjdG9yX2lkPTAma2V5X2lkPTAmcmVwb19pZD0wIn0.il3nMfTJHI3U6_3oMnQvtJi0CI8vQQg5nASMS5muvxI)
  ![image](https://private-user-images.githubusercontent.com/60361408/319550527-f57c381b-d2e1-498a-9ae6-e715a90e329f.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3MTI1OTkxMDYsIm5iZiI6MTcxMjU5ODgwNiwicGF0aCI6Ii82MDM2MTQwOC8zMTk1NTA1MjctZjU3YzM4MWItZDJlMS00OThhLTlhZTYtZTcxNWE5MGUzMjlmLnBuZz9YLUFtei1BbGdvcml0aG09QVdTNC1ITUFDLVNIQTI1NiZYLUFtei1DcmVkZW50aWFsPUFLSUFWQ09EWUxTQTUzUFFLNFpBJTJGMjAyNDA0MDglMkZ1cy1lYXN0LTElMkZzMyUyRmF3czRfcmVxdWVzdCZYLUFtei1EYXRlPTIwMjQwNDA4VDE3NTMyNlomWC1BbXotRXhwaXJlcz0zMDAmWC1BbXotU2lnbmF0dXJlPWFmYzgwYWRiN2NmZGNkOGM2NmI2NTY4MzU4ZmZlMjNlY2ZiYWMxOGRkN2Q1Yjk3MGJiNjkwMzFiNTQ3NThhMjYmWC1BbXotU2lnbmVkSGVhZGVycz1ob3N0JmFjdG9yX2lkPTAma2V5X2lkPTAmcmVwb19pZD0wIn0.x0rh1iBo7yOa8HGiU03E3SU0IuY1mXNbAsfA4fQw7mY)
  ![image](https://private-user-images.githubusercontent.com/60361408/319550282-18cea4f3-c728-404d-a580-a68567a2f959.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3MTI1OTkxMDYsIm5iZiI6MTcxMjU5ODgwNiwicGF0aCI6Ii82MDM2MTQwOC8zMTk1NTAyODItMThjZWE0ZjMtYzcyOC00MDRkLWE1ODAtYTY4NTY3YTJmOTU5LnBuZz9YLUFtei1BbGdvcml0aG09QVdTNC1ITUFDLVNIQTI1NiZYLUFtei1DcmVkZW50aWFsPUFLSUFWQ09EWUxTQTUzUFFLNFpBJTJGMjAyNDA0MDglMkZ1cy1lYXN0LTElMkZzMyUyRmF3czRfcmVxdWVzdCZYLUFtei1EYXRlPTIwMjQwNDA4VDE3NTMyNlomWC1BbXotRXhwaXJlcz0zMDAmWC1BbXotU2lnbmF0dXJlPWM5YTYwYzM1YTdiOWY4YTk3ZDZlYzE5YTg4Mzc1YjZhMWIwZTc4MTdlZTg2NWYyOTZkZjI2ODdmOGJhMzNiZTImWC1BbXotU2lnbmVkSGVhZGVycz1ob3N0JmFjdG9yX2lkPTAma2V5X2lkPTAmcmVwb19pZD0wIn0.D0DeVlFGcy97eA7MgRLN3Dz4EHk7FYkOfJylaXKex78)

UPD works with v1.4 tried v1.5 - failed

UPD 2 nope, flashed rev 1.5 the same way tried to flash with OTA 1.0.0_0130 straightaway. But worked the same way, after first try - blank screen, after second - flashed ok

Step-by-step

1. Connect gnd under battery, tx to p14 and insert battery

2. Choose 460800 and Atime: 3sec

3. Flash OTA 1.0.0_0130

4. DO NOT MOVE :) DO NOT DISCONNECT ANYTHING!

5. Change baud to 115200

6. Flash the same firmware again

7. Now your device is dead

8. Disconnect everything (ch340g too)

9. Update page

10. Connect everything the same way

11. Choose 460800 and Atime: 3sec

12. Flash OTA 1.0.0_0130

13. ...

14. PROFIT

[perfect-deform]

do your "Step-by-step" work for rev 1.5 ?

Yep. Downgraded one 1.4 and four 1.5 devices

[uncompteabcd]

do your "Step-by-step" work for rev 1.5 ?

Yep. Downgraded one 1.4 and four 1.5 devices

Had no luck on macOS.
But Linux Ubuntu 22.04.4 LTS with CH340G driver from driver, USB flasher from Aliexpress and Original_OTA_Xiaomi_LYWSD03MMC_v1.0.0_0130.bin
worked for me (hardware v1.5, gnd, 3,3v, pin 14).
only flashing on time at 460800 and Atime: 3sec.
driver CH340G install on Linux tutorial
had to add sudo usermod -a -G dialout <USER> (logout or reboot) for the flasher on Chrome to open /dev/ttyUSB0 (ch340)

[mrzocker88]

Guys, just successfully downgraded using ch340g (no jumper, or resistor. just 2 wires). Connected

• gnd to gnd
• tx to P14
• with battery inserted.
  
  
  

UPD works with v1.4 tried v1.5 - failed

UPD 2 nope, flashed rev 1.5 the same way tried to flash with OTA 1.0.0_0130 straightaway. But worked the same way, after first try - blank screen, after second - flashed ok

Step-by-step

1. Connect gnd under battery, tx to p14 and insert battery
2. Choose 460800 and Atime: 3sec
3. Flash OTA 1.0.0_0130
4. DO NOT MOVE :) DO NOT DISCONNECT ANYTHING!
5. Change baud to 115200
6. Flash the same firmware again
7. Now your device is dead
8. Disconnect everything (ch340g too)
9. Update page
10. Connect everything the same way
11. Choose 460800 and Atime: 3sec
12. Flash OTA 1.0.0_0130
13. ...
14. PROFIT

Awesome! Thank you very much! Works well.

Edit:
Hardware version 1.4

Edit2:
14 thermometer all version 1.4 working well :)
Next Mod is to use two AA battery to power them for ever...

[rucknapucknavitz]

Amazing, I received 10 unicorns today - hardware B1.5 and still on the 1.0.0_0130 firmware. Sticker on the box suggests 2024.01 manufacture date. They’re still out there, I guess! I was prepared to go this route - thanks for all the tips above.

[citizenjc]

Hello, just in case someone is attempting flash the firmware with a ESP8266/ESP32, some feedback:

1. Shorting EN and GROUND is absolutely the way
2. For two days I wasn't able to get any data to pass to the chip, until I tested the python flasher and saw the error about "Chip sleep? RTS-RST", which made me search more deeply and find out I needed to short the RESET pin (or just press the RESET button) during activation.
3. I attempted a read from the python flasher, timing the reset, with 5 seconds delay, and it worked!
4. Then with the web flasher and 8 seconds wait I flashed it successfully, by pressing reset on esp8266 1 or 2 seconds after flash started.
5. I did this using the schematic with resistor with both TX and RX connected to pin14 and it worked, but i'm pretty sure it's not related to that. In any case, if you can't do it, try that

[GaryJS3]

My pack of LYWSD03MMC came brand new with 2.11 installed, date code 2023.11. However, it is pretty easy to resolve, I saw some people flashing older OG firmware a few times then doing the custom OTA... not sure why. But I am able to just use a CH340 (worth just picking it up, 5 Pack for $10 USD on Amazon 2Day) and flash the ATC_v47.bin firmware directly, works first time (3 sensors done so far). I found just the 3 pins (3V, GND, P14) were all that I needed, I used clips on the 3V and GND since you can directly go to the battery leads, but I ended up soldering P14 since that was easier and less annoying then trying to keep it perfectly held on by hand. Flashed using the web flasher.

In case someone just wants to flash a 2.1.1 sensor with the custom PVVX firmware, this is what I did:

1. Open up the sensor, I just took off the back to expose the entire board.
2. Connect 3V and GND to the battery terminals
3. Solder or hold your CH340's TX pin to the P14 test pad.
4. Go to the web flasher
5. Open your comm port
6. Select your custom firmware, in my case; ATC_v47.bin
7. Flash it with default settings
8. Connect to it with the web flasher: ATC1441 or PVVX
   

Extra details:
I set them up with minimal issue in Home Assistant when setting the protocol to PVVX (Custom) and using an ESP32 with OpenMQTTGateway.

[littlesmithsro]

Hello, just in case someone is attempting flash the firmware with a ESP8266/ESP32, some feedback:

1. Shorting EN and GROUND is absolutely the way
2. For two days I wasn't able to get any data to pass to the chip, until I tested the python flasher and saw the error about "Chip sleep? RTS-RST", which made me search more deeply and find out I needed to short the RESET pin (or just press the RESET button) during activation.
3. I attempted a read from the python flasher, timing the reset, with 5 seconds delay, and it worked!
4. Then with the web flasher and 8 seconds wait I flashed it successfully, by pressing reset on esp8266 1 or 2 seconds after flash started.
5. I did this using the schematic with resistor with both TX and RX connected to pin14 and it worked, but i'm pretty sure it's not related to that. In any case, if you can't do it, try that

Hi, can you elaborate how to connect and flash esp32 to sensor? Thank you

[citizenjc]

Hello, just in case someone is attempting flash the firmware with a ESP8266/ESP32, some feedback:

1. Shorting EN and GROUND is absolutely the way
2. For two days I wasn't able to get any data to pass to the chip, until I tested the python flasher and saw the error about "Chip sleep? RTS-RST", which made me search more deeply and find out I needed to short the RESET pin (or just press the RESET button) during activation.
3. I attempted a read from the python flasher, timing the reset, with 5 seconds delay, and it worked!
4. Then with the web flasher and 8 seconds wait I flashed it successfully, by pressing reset on esp8266 1 or 2 seconds after flash started.
5. I did this using the schematic with resistor with both TX and RX connected to pin14 and it worked, but i'm pretty sure it's not related to that. In any case, if you can't do it, try that

Hi, can you elaborate how to connect and flash esp32 to sensor? Thank you

Not much else I can say really, short esp pins EN to a GND, TX to pin 14, connect via USB, web flasher, trial and error. Unless you have some specific doubt?

[mucden]

Hi, I just made the same mistake as everyone here. I bought two of these sensors and was planning to flash them and use them with a BLE Tracker on my Home Assistant. However, curious to see how it works originally I did the firmware upgrade when added to mihome app.... stupid curious...
So, after sharing my disgrace...
How hard is to get one of this USB-COM board and use it to downgrade? any link from Aliexpress? I get little confused about which board is compatible, which link should be used to do the downgrade, how is the right way to wiring... Please, can anyone share where to buy this USB-COM and a step-by-step how to downgrade the firmware ?

Hi. Downgraded using this ch340 usb to ttl rs232 converter: https://www.aliexpress.com/item/32354359382.html?gatewayAdapt=glo2isr Solder p14 on thermometer to txd Solder Gnd to gnd Solder + to 3.3V Flash using: https://pvvx.github.io/ATC_MiThermometer/USBCOMFlashTx.html

This method has worked for me with B1.4, thank you.
I've used this fellow:

[flexisss]

This method has worked for me with B1.4, thank you.
I've used this fellow:
This method also worked on HW V1.5, SW 2.1.1
Today I downgraded the version and updated it to firmware that supports ZIGBEE

[praneeth03]

Maybe I can't differently, but flash by site only works on Windows "machine". On MacBook I bricked by flash. On Windows "machine" I recovery firmware without problems :)

Can confirm this - flashing (atleast via web) bricks the device on MacOS (it works perfectly on Windows). Also like @pvvx mentioned only 3 wires are needed for flashing - Gnd to Gnd, Vcc to 3.3v and P14 to TX on serial adapter. Like someone else mentioned, I was able to pull this off without soldering but I had all types of dupoint connectors at my disposal.

In hindsight this was easy enough to do (thanks to @pvvx @atc1441 and others), but the fact that it didn't work on Macbook made me spend a few hours trying to figure this out (somethings are just weird on Macs).

[js4jiang5]

Maybe I can't differently, but flash by site only works on Windows "machine". On MacBook I bricked by flash. On Windows "machine" I recovery firmware without problems :)

Can confirm this - flashing (atleast via web) bricks the device on MacOS (it works perfectly on Windows). Also like @pvvx mentioned only 3 wires are needed for flashing - Gnd to Gnd, Vcc to 3.3v and P14 to TX on serial adapter. Like someone else mentioned, I was able to pull this off without soldering but I had all types of dupoint connectors at my disposal.

In hindsight this was easy enough to do (thanks to @pvvx @atc1441 and others), but the fact that it didn't work on Macbook made me spend a few hours trying to figure this out (somethings are just weird on Macs).

I was waiting for @pvvx to release the version that support 2.1.1 devices, but it's been 9 months, I guess it's not possible. Therefore I decided to do it myself with ESPHome last month. Add AES decrypt function to extract the temperature, humidity and battery level from advertised data, then use MQTT to send the info back to HA. It works well, but the downside is the data update period is as long as 10 minutes. Well, from another point of view the battery will last longer, not bad at all. At least I don't have to flash with wire.

[pvvx]

Add AES decrypt function to extract the temperature, humidity and battery level from advertised data, then use MQTT to send the info back to HA

https://www.home-assistant.io/integrations/xiaomi_ble

It works well, but the downside is the data update period is as long as 10 minutes.

The thermometer with Xiaomi firmware still transmits every 1.6 or 2 seconds, but not temperature and humidity data, but registration information.

I was waiting for @pvvx to release the version that support 2.1.1 devices, but it's been 9 months,

As described, I’m waiting for a new version to scan the new authorization protocol. MiHome's user agreement prohibits code reverse engineering.

[hashier]

scan the new authorization protocol

Will this be done with sniffing the bluetooth traffic in wireshark or what is the way to do this?

[pvvx]

Will this be done with sniffing the bluetooth traffic in wireshark or what is the way to do this?

Yes, in Wireshark, as version 2.1.1_0159 will update...

[henkiejan1]

Small reminder for people who have problems with flash on TLSR825x USB-COM Flash Writer tool wit. h a CH340 adapter: there are some serial to USB adapters where the TX pin is labled RX on the adapter. So you need to connect the RX pin of some of this adapters to P14. The Robotdyn USB to TTL UART is one of these. It works perfect is you just change the pin.

[hashier]

Looking at the datasheet for CH340 it states:

CH340 chip supports 5V and 3.3V power voltage. When using 5V source power, the VCC pin input 5V
power and the V3 pin should connect with decoupling 0.1uF capacitor. When using 3.3V power voltage,
connects V3 with VCC, both input 3.3V power voltage, and the other circuit voltage which connected with
CH340 cannot exceed 3.3V.

I'm not fully sure I understand this paragraph fully. It talks about 5V source power, since the chip is powered over USB this would be true or am I misunderstanding how to read "source power" and they mean if the 5V pin is used to source power from?

I'm slightly confident it means I should short VCC and 3V3.

[TioBundy]

My pack of LYWSD03MMC came brand new with 2.11 installed, date code 2023.11. However, it is pretty easy to resolve, I saw some people flashing older OG firmware a few times then doing the custom OTA... not sure why. But I am able to just use a CH340 (worth just picking it up, 5 Pack for $10 USD on Amazon 2Day) and flash the ATC_v47.bin firmware directly, works first time (3 sensors done so far). I found just the 3 pins (3V, GND, P14) were all that I needed, I used clips on the 3V and GND since you can directly go to the battery leads, but I ended up soldering P14 since that was easier and less annoying then trying to keep it perfectly held on by hand. Flashed using the web flasher.

In case someone just wants to flash a 2.1.1 sensor with the custom PVVX firmware, this is what I did:

1. Open up the sensor, I just took off the back to expose the entire board.
2. Connect 3V and GND to the battery terminals
3. Solder or hold your CH340's TX pin to the P14 test pad.
4. Go to the web flasher
5. Open your comm port
6. Select your custom firmware, in my case; ATC_v47.bin
7. Flash it with default settings
8. Connect to it with the web flasher: ATC1441 or PVVX
   

Extra details: I set them up with minimal issue in Home Assistant when setting the protocol to PVVX (Custom) and using an ESP32 with OpenMQTTGateway.

Thanks Bro!, this work for me

[Rafals87]

Hi,
I used LYWSD03MMC sensors to read humidity and temperature using the script "https://github.com/JsBergbau/MiTemperature2". Unfortunately, I updated the firmware to 2.1.1_0159 and since then my script has lost connectivity. Is there any way to fix it or the only option is to change the firmware via UART.

I tried to change the firmware via UART, but unfortunately the attempt was unsuccessful. The sensor is dead (dark screen). While fighting it, I switched the jumper on the programmer to 5volt. Could I have damaged it? I use FTDI FT232RL but I also ordered and am waiting for CH340G. Maybe further attempts will bring some results.

[pvvx]

While fighting it, I switched the jumper on the programmer to 5volt. Could I have damaged it?

If you didn’t connect more than 3.6V to the power (battery) terminals, then nothing should have damaged.

[Rafals87]

Hello, unfortunately I damaged the first sensor by powering it with 5 volts. However, in the other two I managed to change the software with the CH340G device without any problems.

[Write]

Flashing works perfectly, indeed flashing on macOS brick the device (ie: nothing on screen), but it can be re-flashed again on Windows just fine.

[Auksland]

Hi everyone. I tried to flash my temperature device without success. I bought sensors 1 month ago from Xiaomi european store.

I read the whole thread carefully but i can't figure out what i am doing wrong. I am using Arduino UNO to transfer data to my sensor and here are my settings :

GND <-> GND
TX <-> Pin 14

Baudrate : 460800
Activation time : 3 seconds.

I plug TX pin while the activation time.
I hooked a scope and i see the frames going from 5V (idle) to 0V on the TX pin.

I also tried resetting RST to GND on the device during activation time.

Every attempt, i can reconnect to my sensor with Xiaomi Home by Bluetooth connexion and the version remains 2.1.1_0159.

Any help ? ;)

[pvvx]

I plug TX pin while the activation time. I hooked a scope and i see the frames going from 5V (idle) to 0V on the TX pin.

5V will kill the chip.
Requires USB-UART adapter with 3.3V outputs.

[Auksland]

Ok, i may assume i fried my device 😅 let me try again...

[Auksland]

Hi, I tried to flash with another sensor. this time I added a voltage divider to my pin 14 in order to limit the voltage to 3.3V.
Yet, when i go back to my Xiaomi Home, i still have version 2.1.1... I tried restarting the device as well, nothing changes :(