Gen 3 (T6) Root #213
Rockrobo changed the encryption of the firmware + sound files and some of the update process. As I don't have a T6, I cannot really help. So it's at the moment not rootable.
Any suggestions on what would be a good next step, considering I do have one? Hoping to help the community if I can.
You may find https://dgiese.scripts.mit.edu/talks/34c3-2017/34c3.html interesting. IIRC the initial rooting was done by shorting pins with aluminium foil. So a pretty invasive method.
I have seen @dgiese's talk on this, but it seems like the encryption key was kind of just stumbled upon? Not really looking to dump the entire flash of my device, especially if it might not have the same passwords in plaintext as before.
I'm sure @dgiese can answer this better, but I think the encryption key was found by analyzing the flash dump (which wasn't encrypted).
@fvollmer yes, it was, but it was stored on the operating system in plain text and was being used as a password for something else; it seems like it just happened to be the same for the OTA encryption as well.
Yeah, back then I extracted it by reverse engineering the binaries (it's not stored in plaintext). However, I think they learned from their mistakes and are doing things differently now. My usual approach would be to open the device, de-solder the MMC, and dump it. That has of course the risk that you end up with a bricked device... at least if you are not familiar with BGA chips. But that's purely speculation, as I don't have the device. Time will show. I mean, it took 1.5 years for Gen1 until someone (me) published the stuff. Guess for T6 it will be a little bit faster, but still someone needs to sacrifice his/her device.
Gotcha, not sure I am the right person to reverse engineer a password out of the new binary. I got a T6 pretty easily, so they are obviously becoming more available. @dgiese, so you don't suggest we try to grab the flash through the USB port and FEL mode anymore? Hoping to not need to modify any hardware if I can get around it.
Honestly, no idea. If you disassembled it, make some pictures of the hardware. I would like to take a look at it.
Does anyone have a link to the encrypted firmware?
Maybe I know someone. But that's a discussion which we should not have publicly yet. That's more of a thing I would discuss in Telegram or Slack or something.
The T6 is now officially available in the EU, known as the S6. It launched in Germany, France and Spain for now. Would really, really appreciate rooting this device! Is there any news on this? You might also rename this issue from I am thinking of buying one. If I do so, is there any possibility of supporting you? I see you are also from Germany. They are available at Alternate and Cyberport at least.
Unfortunately they started to sign all firmware files and sound packages. CCrypt is not used anymore. In addition they changed a lot of other things. One thing which is especially nasty is the fact that now the region is set in a signed config file, which is bound to the CPU ID of the device. So there is no trivial way to change the region (t6->s6). Also there is no simple way to root the device like v1 or s5. Beware: some of the nasty stuff seems to be backported to s5 models produced after March 2019. See my Twitter comment for that. If you are interested in working on the t6/s6 firmware, drop me a message.
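To make the mechanism in the comment above concrete, here is an added Go model (not Roborock's code, and not their actual file format, which is not described on this page) of a region config that is both vendor-signed and bound to a device identifier. The key pair, the JSON layout, the `cpuid-...` values and the function names are all assumptions made for the illustration; what it shows is why, with such a scheme, neither editing the region field nor copying a valid file from another unit gets past the device-side check.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// RegionConfig is a hypothetical signed payload: the vendor signs the region
// together with the CPU ID of the unit the config was issued for.
type RegionConfig struct {
	CPUID  string `json:"cpuid"`
	Region string `json:"region"`
}

// SignedConfig is the payload plus the vendor's Ed25519 signature over it.
type SignedConfig struct {
	Payload   []byte `json:"payload"`
	Signature []byte `json:"signature"`
}

// NewVendorKeys stands in for the vendor's signing key pair. Only the public
// half would be baked into the firmware; the private half stays with the vendor.
func NewVendorKeys() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignConfig models the vendor side: serialize the config and sign the bytes.
func SignConfig(priv ed25519.PrivateKey, cfg RegionConfig) (SignedConfig, error) {
	payload, err := json.Marshal(cfg)
	if err != nil {
		return SignedConfig{}, err
	}
	return SignedConfig{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// VerifyConfig models the device side. Two independent checks must pass:
// the signature under the vendor public key, and the CPU ID inside the signed
// payload matching the device's own. Either failure rejects the config.
func VerifyConfig(pub ed25519.PublicKey, localCPUID string, sc SignedConfig) (RegionConfig, error) {
	if !ed25519.Verify(pub, sc.Payload, sc.Signature) {
		return RegionConfig{}, errors.New("config signature invalid")
	}
	var cfg RegionConfig
	if err := json.Unmarshal(sc.Payload, &cfg); err != nil {
		return RegionConfig{}, err
	}
	if cfg.CPUID != localCPUID {
		return RegionConfig{}, fmt.Errorf("config bound to cpuid %q, this device is %q", cfg.CPUID, localCPUID)
	}
	return cfg, nil
}

// TamperRegion edits the region inside an already-signed payload while keeping
// the old signature, i.e. what an edit without the private key looks like.
func TamperRegion(sc SignedConfig, region string) SignedConfig {
	var cfg RegionConfig
	_ = json.Unmarshal(sc.Payload, &cfg)
	cfg.Region = region
	payload, _ := json.Marshal(cfg)
	return SignedConfig{Payload: payload, Signature: sc.Signature}
}

func main() {
	pub, priv, err := NewVendorKeys()
	if err != nil {
		panic(err)
	}
	// Constructed sample: a config issued for device "cpuid-aaaa-0001", region "cn".
	signed, _ := SignConfig(priv, RegionConfig{CPUID: "cpuid-aaaa-0001", Region: "cn"})

	_, err = VerifyConfig(pub, "cpuid-aaaa-0001", signed)
	fmt.Println("own device, untouched file:", err) // accepted (nil)
	_, err = VerifyConfig(pub, "cpuid-aaaa-0001", TamperRegion(signed, "de"))
	fmt.Println("region edited:", err) // signature invalid
	_, err = VerifyConfig(pub, "cpuid-bbbb-0002", signed)
	fmt.Println("file copied to other unit:", err) // cpuid mismatch
}
```

The order of the checks matters for a real implementation: verify the signature before parsing the payload, so that untrusted bytes never reach the JSON parser.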
Thanks for the update! Sounds bad so far, but if the Nintendo Switch is hackable I have a lot of hope! I ordered the S5 and hope it is not affected by the March update as you said. Please tell us how we can support you. Donations, Patreon, etc. I want to help where I can.
A root of the S6/T6 and even of the M1S is possible. However, it is not as easy as the existing method for the Mi Vacuum Robot (aka Gen1 aka v1) or Roborock S5x (aka Gen2), especially as it requires opening the device at the moment. I am exploring a different approach with some other people at the moment; however, if you want to have an easily rootable device, you should stay away from S6/T6 and M1S in particular (as M1S uses a completely different platform). The only difference between S5 and S6 seems to be a different brush and an additional sensor for the water tank. More information can be found here: https://www.roboter-forum.com/index.php?thread/35506-hack-des-roborock-s6-t6-planung-ger%C3%A4tekauf-fortschritte/&postID=474142#post474142 For S5: if you buy a global model, you should have no problems with the geoblocking. Also, if you use only Valetudo, you should be OK even with the Chinese model. The geoblocking is only in effect in combination with the Mi Home app + cloud. I am always happy about support for the procurement of new devices (as potential alternatives to v1 and s5). I did a fundraiser for the T6 which went okayish. At the moment I am also looking at other vendors. If you have too much $$$, then drop me an email (dgi[at]mit.edu) and we will find a way ;)
Which nasty stuff do you mean? Does the newer s50 not accept the rooted firmware?
They backported the geoblocking mechanism of the T6 to newer S5. I can't really tell how it is exactly implemented on the newer S5, as I don't have one.
@dgiese Any chance you could provide some insight into the method you are referring to in your comment #213 (comment)? I am currently thinking about buying an S6/T6 and would not mind opening the device. However, I need to be sure it is indeed rootable. I would prefer the S6/T6 because it supposedly charges quicker and makes a little less noise.
I already own an S6 and would not mind opening the device if there is a way to get Valetudo on the device. If you could provide some hints, it would be awesome! ;)
It is now supported; however, you need to disassemble the devices :( I did not find a trivial way to root the device without disassembling. All options require some amount of it...
As a side note: the current image builder is not compatible with the S6/T6 due to the different firmware package format.
Hello, do you think this will work with the S5 Max also? I added pictures in #252.
@dgiese would this work with the Roborock S4 too?
S5 Max is different. S4 might work... do you have one? Then contact me ;)
@dgiese yes, I have an S4, will send you an email.
The S4 is the model I disassembled and sent you pictures of at the beginning of January. Not sure if you were ever able to look at the pictures I sent you. I sent a follow-up email on March 18th, but I suspect you are very busy with other projects and may not have seen it. The email conversation in question was to your @seemoo.xx-xxxxxxxxx.de email address.
Is there any way to install a custom voice package without rooting the Roborock S5 Max? (I don't want to disassemble it.)
Hi @andreas-bulling, thanks, this is really helpful.
@napopa - Check picture 14. Reference: https://www.youtube.com/watch?v=r_04K5SPEXI
@hunterOO1 - After I gained root on my S5M, I discovered that the filesystem is squashfs and mostly read-only. This limits most mods from working correctly. Edit: See issue 14 on Roborock Oucher.
Is there any disassembly guide for the S5 Max? I just found a YT video for the S6/T6 version, but I don't know if this is valid -> https://www.youtube.com/watch?v=r_04K5SPEXI
@smtdev Here is a good one: https://www.youtube.com/watch?v=0vLa4-iikzM
@urholaukkarinen thanks! I'll check it now.
Hello
Nothing is wrong. S5M is squashfs, and therefore not really editable.
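For anyone checking what the comments above about the S5M mean in practice: a read-only squashfs image can be recognized from its superblock before trying to modify anything. The added Go example below (not from this thread or from any Roborock or Valetudo tooling) locates a SquashFS v4 superblock inside a raw dump and decodes its header fields; the sample image is constructed inline (512 bytes of erased-flash padding followed by a hand-built superblock), and the helper names are my own.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	squashfsMagic  = 0x73717368 // little-endian "hsqs"
	superblockSize = 96         // SquashFS v4 superblock length in bytes
)

// Superblock holds the v4 header fields that follow the 4-byte magic.
// The six 64-bit table offsets after BytesUsed are not needed here and are skipped.
type Superblock struct {
	InodeCount   uint32
	ModTime      uint32
	BlockSize    uint32
	FragCount    uint32
	Compressor   uint16
	BlockLog     uint16
	Flags        uint16
	IDCount      uint16
	VersionMajor uint16
	VersionMinor uint16
	RootInode    uint64
	BytesUsed    uint64
}

var compressorNames = map[uint16]string{1: "gzip", 2: "lzma", 3: "lzo", 4: "xz", 5: "lz4", 6: "zstd"}

// CompressorName maps the numeric compressor id to its name ("unknown" otherwise).
func CompressorName(id uint16) string {
	if n, ok := compressorNames[id]; ok {
		return n
	}
	return "unknown"
}

// FindSquashfs returns the offset of the first "hsqs" magic in img, or -1.
func FindSquashfs(img []byte) int {
	return bytes.Index(img, []byte("hsqs"))
}

// ParseSuperblock decodes the superblock at the start of sb and sanity-checks
// the fields that a corrupted or mis-detected header would get wrong.
func ParseSuperblock(sb []byte) (*Superblock, error) {
	if len(sb) < superblockSize {
		return nil, errors.New("short superblock")
	}
	r := bytes.NewReader(sb)
	var magic uint32
	if err := binary.Read(r, binary.LittleEndian, &magic); err != nil {
		return nil, err
	}
	if magic != squashfsMagic {
		return nil, fmt.Errorf("bad magic 0x%08x", magic)
	}
	var s Superblock
	if err := binary.Read(r, binary.LittleEndian, &s); err != nil {
		return nil, err
	}
	if s.VersionMajor != 4 {
		return nil, fmt.Errorf("unsupported squashfs version %d.%d", s.VersionMajor, s.VersionMinor)
	}
	if s.BlockLog > 20 || uint32(1)<<s.BlockLog != s.BlockSize {
		return nil, fmt.Errorf("block_size %d does not match block_log %d", s.BlockSize, s.BlockLog)
	}
	return &s, nil
}

// BuildSampleImage constructs a fake dump: 0xFF padding, then one v4 superblock.
// All values are made up for the demonstration.
func BuildSampleImage() []byte {
	var buf bytes.Buffer
	buf.Write(bytes.Repeat([]byte{0xFF}, 512))
	binary.Write(&buf, binary.LittleEndian, uint32(squashfsMagic))
	binary.Write(&buf, binary.LittleEndian, Superblock{
		InodeCount: 1234, ModTime: 1585699200, BlockSize: 131072, FragCount: 40,
		Compressor: 4, BlockLog: 17, Flags: 0x00C0, IDCount: 1,
		VersionMajor: 4, VersionMinor: 0, RootInode: 0x1234_0000_0020, BytesUsed: 52428800,
	})
	binary.Write(&buf, binary.LittleEndian, make([]uint64, 6)) // table offsets, unused here
	return buf.Bytes()
}

func main() {
	img := BuildSampleImage()
	off := FindSquashfs(img)
	sb, err := ParseSuperblock(img[off:])
	if err != nil {
		panic(err)
	}
	fmt.Printf("squashfs at offset %d: %s, block %d, %d inodes, %d bytes used\n",
		off, CompressorName(sb.Compressor), sb.BlockSize, sb.InodeCount, sb.BytesUsed)
}
```

On a real dump the same scan would be run over the whole flash image; the `BytesUsed` field tells you how far the read-only filesystem extends, which is the span that cannot simply be edited in place.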
Hi everybody, I've got an S5 Max 2020 variant. I followed the instructions step by step to root the device. Thanks in advance.
I would double-check your COM/serial port settings. https://youtu.be/r_04K5SPEXI?t=594
@mazak-ui what does squashfs mean? Is it still a usable modification?
See: #213 (comment) or the S-FS wiki
OK, I get what squashfs is, and I read your post and the linked issues. I rather meant: does it make sense to flash dustcloud currently on those devices (and possibly Valetudo), or will this not work correctly anyway?
@x29a - Oh, got it! I may go back to stock FW because of the current limitations. Besides the fun process of learning how to solder and use USB serial adapters, I haven't had much luck in integrating with Home Assistant and the associated mods it brings. Still grateful that the capability exists and for the efforts of those involved.
Hi guys,
I've successfully rooted an S5 Max recently using these instructions. But today I'm trying with a second device and can only get partial junk at the serial terminal. I'm using all the same settings that worked before. Anyone know what might be the problem? I tried swapping out the USB/serial adapter and replaced the wiring, none of which fixed it. Pressing 's' regardless does not seem to work.
Turns out the USB port I was using for the micro USB/ground wasn't working. So now I have clean output. Pressing 's' still doesn't work and I end up at Edit: I remembered I was using PuTTY last time, not Termite. Now 's' works. But perhaps someone else can learn from my idiocy :)
I also had to try a few times - make sure you keep pressing from the very beginning.
Thanks to this thread I was able to jailbreak my device in four hours of work. Thanks everyone! Resources used:
Hi again. Now that I've rooted two S5Ms, I'm keen to upgrade to the latest Valetudo optimised for low memory. I've tried asking on their GitHub for the process but got no reply. I was wondering if anyone here has managed it?
See my comment above #213 (comment)
Hi, hope someone can help me here. I'm trying to root the S5 Max, but can't seem to get to the console. I disassembled it and soldered some wires to the pins. When I start the S5 Max I can see the boot process in the PuTTY console, but I can't for the life of me get it to stop the autoboot and get to a console. No matter if I press from the beginning or at any other time, it just continues booting. Edit: I should note, I saw the "nand block 6 is bad", "** Bad device mmc 2 **", "filled invalid page(0,30,0)..." things in the boot, but for some reason my S5 Max isn't really bothered by it; at least with the Roborock app it still works flawlessly, and I even performed a minor firmware upgrade earlier to test.
Is there potentially a way to avoid disassembly by creating a web server that mirrors the update path that the vacuum is looking for and redirecting DNS? Basically hosting the rooted firmware for the vacuum to install, similar to the push method but in a pull method. Just curious if that's already been ruled out or not.
I might be wrong, but I think we have to go the disassembly route so we can bypass some crypto checks done during the update process that we currently can't get around.
Good day, just checking to see if you managed to root your S5e yet. I am stuck in the same position, with working UART access (and commands like "2" working) but "s" being ignored by the robot. Would love to solve this.
Same issue here. I've now tried minicom, picocom, screen, Serial.app on macOS, and PuTTY on Windows with two different USB-TTL adapters, and nothing is happening when I hold "s" during boot. I also get the same "** Bad device mmc 2 ** unable to open file ./rockrobo/dram.size" error: https://pastebin.com/raw/FVzjMMzi Anyone got any ideas? FEL mode, is that an option to get a shell?
For reference: for all NAND-based Roborock robots (S5 Max, S4 Max, S6 Pure, S7, ...) you can use the FEL rooting method. You need to build a FEL firmware in builder.dontvacuum.me. The exact steps to install it are here: https://builder.dontvacuum.me/howtos/nand/fel/_howto.html
Just got a T6 and was hoping to help get the T6 verified as rootable. I believe the first step would be getting a copy of the latest firmware but am not sure where to look without connecting the vacuum to the internet and reading its request urls. Any suggestions?