- author: @danielk117
This instruction is for a new LX06, bought in late 2021. Xiaomi did some things to make it hard to get access. Just the serial connection isn't working me. So I have found an another solution using the micro usb port on the board. A serial connection is helpful but not needed!
The latest revision of the speaker has some different chips on its board (i.e. wifi). So in my case the speaker doesn't work properbly when using an older firmware (before 1.74.x). Furthermore an older firmware doesn't remove the new magic password generation for root. So I'm using a 1.74.10 for the follwing steps.
I'm using the Windows versions of the "Amlogic Flash Tool" and the "WorldCup" driver. There are some sources on the internet. I was using the latest version (6.0.0) downloaded from https://androidmtk.com/download-amlogic-flash-tool.
-
download "Amlogic Flash Tool" and unzip
-
install the "WorldCup" driver from
drivers
folder of the zip -
open the speaker (loosen the 6 screws under the rubber at the bottom, put the cap off and take the 2 cables out of the holder)
-
try to push the inner part upwards until you see the board (be careful, as the power and aux jacks are still screwed to the case)
-
connect a cable to the micro usb and your computer
-
(only for first run after installing the driver) power on -> windows recognize the devices and starts a service, which seems to be needed for using the update tool -> power speaker off
-
power on -> when windows plays a sound (or ~ 2 seconds after power on) -> run
update.exe identify
(update tool is inside thebin
folder of the dowloaded zip)- you should see a message like this...
update.exe identify
AmlUsbIdentifyHost
This firmware version is 0-7-0-16-0-0-0-0
- if you don't see this message then you wasn't successful and you need to try it again (power on -> wait -> run update identify)
- (optional, but recommended) restore uboot access
- when using serial connection, you aren't able the interrupt the autoboot of uboot. this is caused by the bootdelay which is setted to 0.
- I setted it to 30, because in my case, this aren't 30 seconds -> it counts really fast, so 30 are aproxomittly 3-4 seconds.
> update.exe bulkcmd "setenv bootdelay 30"
AmlUsbBulkCmd[setenv bootdelay 30]
> update.exe bulkcmd "saveenv"
AmlUsbBulkCmd[setenv bootdelay 30]
- dump partitions (for backup)
- the update tool doesn't show any output from the speaker, so without serial connection,
we dont see stdout/stderr and we can't get the real size of the partitions.
so we assume a size of 1GB (1073741824 Bytes -> 0x40000000)
- the dump stops at the real end of the partition
- if you have a serial connection, then run
mtdparts
and calculate the real sizes
- the last argument of
update.exe mread
is the path on your local machine - run this for
boot0
,system0
anddata
:
- the update tool doesn't show any output from the speaker, so without serial connection,
we dont see stdout/stderr and we can't get the real size of the partitions.
so we assume a size of 1GB (1073741824 Bytes -> 0x40000000)
> update.exe mread store boot0 normal 0x40000000 boot0.dump
AmlUsbBulkCmd[upload store boot1 normal 0x40000000]
Want read 65536 bytes, actual len 0
AmlReadMedia failed
ERR: ReadMediaFile failed!
> update.exe mread store system0 normal 0x40000000 system0.dump
AmlUsbBulkCmd[upload store system0 normal 0x40000000]
Want read 65536 bytes, actual len 0
AmlReadMedia failed
ERR: ReadMediaFile failed!
> update.exe mread store data normal 0x40000000 data.dump
AmlUsbBulkCmd[upload store data normal 0x40000000]
Want read 65536 bytes, actual len 0
AmlReadMedia failed
ERR: ReadMediaFile failed!
- restart speaker and set it up using the Xiaomi Home app
(wifi access -> for me, only the official app is able to set all the config files correct, otherwise you need to it over serial connection)
- choose speaker -> Speaker Pro -> enter wifi credentials -> connect to local AP from Speaker
xiaomi-wifispealer-lx06...
- turn off the speaker when setting in the app is done
- choose speaker -> Speaker Pro -> enter wifi credentials -> connect to local AP from Speaker
- create a img file using
binwalk
- follow the main instructions from the readme
- build the docker and install packages
- extract and patch (edit the
squashfs-root/etc/shadow
file before building an image, otherwise you need calculate your root password using the serial number...) - build a firmware
- flash it
option b: the manual way (credits goes to http://javabin.cn/2021/xiaoai_fm.html)
- download http://cdn.cnbj1.fds.api.mi-img.com/xiaoqiang/rom/lx06/mico_firmware_9c712_1.74.10.bin
binwalk -e mico_firmware_9c712_1.74.10.bin
unsquashfs -dest unsquashed_image m5.img
- (optional) modify
unsquashed_image/etc/inittab
file and changettyS0::askfirst:/bin/login
tottyS0::askfirst:/bin/ash --login
to restore root access without password over serial connection - set a new root password in
unsquashed_image/etc/shadow
- generate the hash of a password using
openssl passwd -1 -salt 'N0Iz0LLs' 'mysuperpassword'
->$1$N0Iz0LLs$8bU0h3Y9Imcgs4r.Kca0C1
- replace the hash between the first two colons ->
root:$1$N0Iz0LLs$8bU0h3Y9Imcgs4r.Kca0C1:18128:0:99999:7:::
- generate the hash of a password using
- modify
unsquashed_image/etc/rc.local
and add[ -d /data/dropbear ] || mkdir /data/dropbear [ -s /data/dropbear/rsa.key ] || dropbearkey -t rsa -s 1024 -f /data/dropbear/rsa.key &> /dev/null /usr/sbin/dropbear -E -P /var/run/dropbear.pid -r /data/dropbear/rsa.key > /tmp/ssh.log
- remove or comment out the line
* 3 * * * /bin/ota slient # check ota
inunsquashed_image/etc/crontabs/root
to deativate the OTA update - build an image using
mksquashfs unsquashed_image my_prepared_image.img -b 131072 -comp xz -no-xattrs
my_prepared_image.img
should be ready for flashing
-
power on -> when windows plays a sound (or 2 seconds after power on) -> run
update.exe identify
-
for me,
boot1
andsystem1
are empty on a new speaker, so i flashed myboot0
dump toboot1
...
> update.exe partition boot1 boot0.dump
file size is 0x600000
AmlUsbTplCmd = download store boot1 normal 0x600000 rettemp = 1 buffer = download store boot1 normal 0x600000
AmlUsbReadStatus retusb = 1
Downloading....
[update]:Cost time 1Sec
[update]:Transfer size 0x600000B(6MB)
AmlUsbBulkCmd[download get_status]
[update]:mwrite success
- ... and the prepared image to
system1
andsystem0
> update.exe partition system1 my_prepared_image.img
file size is 0x23bf000
AmlUsbTplCmd = download store system1 normal 0x23bf000 rettemp = 1 buffer = download store system1 normal 0x23bf000
AmlUsbReadStatus retusb = 1
Downloading....
[update]:Cost time 11Sec
[update]:Transfer size 0x23bf000B(35MB)
AmlUsbBulkCmd[download get_status]
[update]:mwrite success
> update.exe partition system0 my_prepared_image.img
file size is 0x23bf000
AmlUsbTplCmd = download store system0 normal 0x23bf000 rettemp = 1 buffer = download store system0 normal 0x23bf000
AmlUsbReadStatus retusb = 1
Downloading....
[update]:Cost time 10Sec
[update]:Transfer size 0x23bf000B(35MB)
AmlUsbBulkCmd[download get_status]
[update]:mwrite success
-
(optional) if you want to get the factory installed firmware from the speaker and patch it (because the factory installed version might be newer, than the one we try to flash), then...
- skip flashing the
system0
- change active partion to
boot1
(set/usr/bin/fw_env -s boot_part boot1
) - restart speaker, search it in your network and try connect to ssh (using root and the password you prepared in the image)
- get an copy of
mtd4
, i.e. bydd if=/dev/mtd4 of=/tmp/system0.img
andscp
for transfering to your computer - repeat all steps from create/prepare image -> option a
- skip flashing the
-
restart speaker, search it in your network and try connect to ssh (using root and the password you prepared in the image)
_____ _ __ __ __ ___ ___
| ||_| ___ ___ | | | | || || _|
| | | || || _|| . | | |__ |- -|| | || . |
|_|_|_||_||___||___| |_____||__|__||___||___|
------------------------------------------------
ROM Type:release / Ver:1.74.10
------------------------------------------------
root@LX06-0239:~#
-
remove usb cable and reassemble your speaker
-
done 😄