Back in 2020, we first brought you word of the Xiaomi LYWSD03MMC — a Bluetooth Low Energy (BLE) temperature and humidity sensor that could be had from the usual sources for just a few dollars each. Capable of being powered by a single CR2032 battery for up to a year, the devices looked extremely promising for DIY smart home projects. There was only one problem, you needed to use Xiaomi’s app to read the data off of the things.
Enter [Aaron Christophel], who created an open source firmware for these units that could easily be flashed using a web-based tool from a smartphone in BLE range and opened up all sorts of advanced features. The firmware started getting popular, and a community developed around it. Everyone was happy. So naturally, years later, Xiaomi wants to put a stop to it.
The good news is, [Aaron] and [pvvx] (who has worked on expanding the original custom firmware and bringing it to more devices) have found a workaround that opens the devices back up. But the writing is on the wall, and there’s no telling how long it will be until Xiaomi makes another attempt to squash this project.
We can’t imagine why the company is upset about an extremely popular replacement firmware for their hardware. Unquestionably, Xiaomi has sold more of these sensors thanks to the work of [Aaron] and [pvvx]. This author happens to have over a dozen of them all over the house, spitting out data in a refreshingly simple to parse format. Then again, the fact that you could use the devices without going through their software ecosystem probably means they lose out on the chance to sell your data to the highest bidder…so there’s that.
The duo aren’t releasing any information on how their new exploit works, which will hopefully buy them some time before Xiaomi figures out how to patch it. In the short video below, [Aaron] shows the modified installation process that works on the newer official firmware. Unfortunately you now have to connect each unit up to the Xiaomi app before you can wipe it and install the open firmware, but it’s still better than the alternative.
It’s not better than supporting the myriad of open source climate monitoring options available.
If you’re aware of a similar sensor for $5 that comes with an open source firmware from the factory, I’m sure we’d all love to hear about it.
This strange love for some brand names play a dirty trick with you :)
Look for much cheaper $1 clones. Basically they have firmware from BT SoC SDK examples with minor, if any, changes, so if SDK is leaked (with high probability you will find it on csdn.net) or released, clones firmware is de-facto opensource.
For similar thermometers SDK look for https://github.com/pvvx/PHY62x2 (original) or GCC port https://github.com/AloyseTech/PHY6202_GCC
Clone makers don’t care about modifications and even often don’t protect SoC flash from reading.
So, it is pretty logical to support clone-makers, not that arrogant brands who whant not only sell you brand name, but also profit from selling your private data stolen via all that apps and cloud services.
Nearly any BT device with some sensor and battery could be reflashed to be such BT thermometer.
There are tons of leaked/released SDKs for BT chips. From haughty CSR102x BLE to something like 10 cent JL or Beken or whatever ICs. Many cheap BLE SoC’s are just 8051 or Cortex-M0 with BLE baseband, so pretty easy to utilise for your own purposes. Just do it.
Leaked source != Open source.
I have zero brand loyalty.
I will not install/activate their software, even if it only happens one just to break out of their ecosystem.
But you are delusional if you really believe that the poor knockoffs are any competition for the “real” ones.
The real ones are so cost optimized at this point, likely subsidized by data sales, that you literally cannot build one at at wholesale for less money.
I have paid $1.50-$2.50 for each of mine and have bought many dozens over the years.
I quite literally give them away after flashing them, and even have a label sticker layout with instructions on how to flash them that I stick to the back.
I have a drawer with over a dozen unopened ones right now.
Exactly as the article says.
Only reason I bought these.
Lock me out, lose me forever.
But piss me off and I’ll find a way around your DRM.
Props to Aaron and pvvx
You should see about making your efforts a CVE if that’s possible:
“It’s about sending a message”
Thing is Bob, these things are so cheap, I wouldn’t be surprised if they’re being sold around the same price it costs to make and sell them. They probably adapted this stratedgy to get people into their eco-system and you (and me) aren’t the people they want buying them anyway.
They’re upset because they don’t make their money from selling the thermometers; they make it from harvesting your data.
I want it too!
The alternative is to connect an uart adapter and reprogram the damn thing directly. I’m not sure if that’s so much more troublesome than installing the Xiaomi crapp.
UART ftmfw.
That’s not the case specific to IoT stuff, really. Take a look f.e. at WhatsApp and third-party clients. A story that deserve a whole book with no happy end and with authors persecutions and Github betrayal. The only remaining yowsup thing is more dead than alive now.
“We can’t imagine why the company is upset about an extremely popular replacement firmware for their hardware. Unquestionably, Xiaomi has sold more of these sensors thanks to the work of [Aaron] and [pvvx].”
I can’t imagine either. Is the data they collect really worth that much? Wishing these companies would wake up and smell the opportunities. Just look at the Raspberry Pi Foundation and their success.
They very well may sell the hardware at cost or even a slight loss so they can sell more for the data they can collect via the app. That would make this project worthwhile for them to stop, unfortunately
Welcome to the future, where the purpose of a temperature and humidity sensor is not to tell users what the temperature and humidity is. Rather the purpose is to leech private information off of the user.
That is very very very unlikely. You can DIY a board like that for about 5$. Cheap ESP32 C3 supermini board: 2$, humidity/temp sensor: 1$, display: 1$, everything including shipping. 3D printed enclosure: 5ct. And all that crap that you wouldn’t need in a custom PCB, like a USB-C connector… and in singles quantity. Xiaomi likely pays less then 2$ for each unit.
Success in what? Success in pushing proprietary hardware with proprietary supervisor as “opensource SBC”? How is that project of reverse-engineering RPi GPU firmware and other stuff going? Or, may be, broadcom already declassified full datasheets for one of RPi SoC’s?
Or let’s recall Android. Do you remember, how everybody was excited, when Google announced Linux-based OS for smartphones? “Yeah! we will be able to install Debian on our smartphones!”. And how this turned out, eventually – proprietary, user surveiling devices without any possibility to get them fully working and useable under Linux, thanks to tons of proprietary Android-specific blobs and “commercial secrets” around everything . It was a huge spit in the face of opensource community. Much bigger than that first tivoized Motorola “Linux” smartphones.
Or let’s take a look at IP cameras. Nearly all of them running Linux inside, but you will not find standard Linux v4l interface there, to install something your own. All things, from sensor interaction and video encoding to mandatory telemetry leaks and cloud stuff done in a giant proprietary binary blob – “superapp” or “superserver” running on top of Linux kernel. And you will be instantly banned and persecuted on all more or less public platforms if you dare to publish reverse engineered or extracted from NDA SDK sources that will allow somebody to get rid of all that surveillance things, vendor backdoors and cloud stuff from IP-camera firmware.
So, you see – ” Wishing these companies would wake up and smell the opportunities.”. Companies already did that. They wake up, stole opensource projects and restricted users rights heavily with adding proprietary blobs and hiding behind patents, GPL flaws and marketing lies. That was the opportunity they smelled, and then exploited heavily and successfully, without any serious backlash from opensource community.
Companies successfully parasitizing on opensource community and none is even thinking about fair business with opensource. Literally none of them. There is no any modern SoC with full documentation that will make creation of opensource distribution where everything will work with opensource code possible. WiFi, GPU, NFC, 2G/3G/4G/5G and other peripherals will always be NDA’d and classified.
Things will get much worse in the future. Because people, even those at HaD continue to buy all that proprietary things, and even more – propagandize the use of all that cloud, SaaS, vendor-locked, tivoized and blobbed stuff. And even condemn those rare attempts to hack and opensource, say, WiFi baseband firmware because “rEGulaTionS!!!”. I find all that extremely dusgusting and sad.
Don’t praise the Raspberry Pi Foundation, their hardware explicitly enables this vendor lock-in / keep-the-user-out-of-their-own-hardware DRM with the RP2350.
The ability to OPT in to using some security features doesn’t negate the generally open and hacker friendly approach of the company. If anything those features are good for us too, as there are plenty of reasons you’d potentially find it useful to have that ‘security’ on your own projects…
It uses an app on your phone. The average user will grant the app whatever permissions it wants. So, it can collect much more than just the sensor data.
Which is why
I keep old phones for throw away purposes
We have android emulators
It’s terrible. Utterly terrible.
But wars are won this way.
Which is why
I keep old phones for throw away purposes
We have android emulators
It’s terrible. Utterly terrible.
But wars are won this way.
Based on Tom Nardi’s post https://hackaday.com/2024/12/21/custom-firmware-for-even-cheaper-bluetooth-thermometers/, I purchased a few of the Xiaomi sensors and but unable to upgrade (new version was sent). Reordered again, but specifically ordered sensor that matched the upgradable version. Yesterday received latest version, not the upgradeable version pictured (version 2.1.1_0159 with the signed OTA).
Haven’t tried yet, Home Assistant has a post about ‘Mijia LYWSD03MMC’ dated Dec 2024 that describes a method to update the newer version of the firmware.
You know I read on an article like this, and I’m on two sides about it. One, yeah, having open devices is nice for customization and open source feature enhancement.
On the other hand, the method used to flash the custom firmware is itself technically a security vulnerability flaw, and good on Xiaomi for actually patching their software on such an insignificant IoT device..
Exactly. Security to keep the bad guys out vs security to keep me out (of my own devices) is a tricky problem, especially with devices like this that have no interface to speak of.
What are the “bad guys” going to do with your thermometer? Tell you the wrong temperature?
https://www.entrepreneur.com/business-news/a-casino-gets-hacked-through-a-fish-tank-thermometer/368943
ugh – if your fishtank IoT thermometer isn’t separated on the network level it’s your own damn fault.
It’s not like a casino would treat their indoor WiFi for guests as an internal network… (would they?)
That is a startling lack of imagination – anything on your network is already inside one bubble of trust and can potentially be remotely used to exploit the unpatched and in some cases unpatchable (for not every vulnerability is a bug, just a gotcha if you don’t setup paranoid enough) security vulnerabilities on anything else. And in the case of Wireless devices it can also be used simply to cause trouble to other devices in the vicinity preventing them from staying connected etc. More annoyance than danger in most cases there, but still.
Just because its supposed to be a thermometer doesn’t limit it very much in risks. it is a less dangerous than some sensor type. A thermometer is of little use deciding if your house is empty or worth robbing compared to the human presence sensors or camera you might have and of little value to spoof. But the brain behind that thermometer/camera is effectively just another computer with the only limit on how evil it can be being the hardness of your other systems and the onboard software, and processing limits to do those nefarious deeds while also safely pretending to be the networked CO2 sensor or Bluetooth thermometer.
…but it is BT not Wifi. How could it possibly be any risk at all?
In this case as it seems it can only be used with a specific app that is by far the biggest threat vector, as the only thing keeping that app from turning your powerful, connected device, holding all your life’s worth of secrets* into a nightmare in almost unlimited ways is the app store’s malicious app filters and the limited sandboxing and security of the phone OS – which even if you assume is 100% flawless and the app really can never exploit a bug/flaw. Then there is still just demanding permissions it doesn’t actually need to harvest all that lovely data it has no reason to access…
But BT is not bug free or bullet proof – look through HAD for Bluetooth hacking and you’ll see plenty of examples of benign breaking of the supposed security of BT in the name of reverse engineering, but what can be used for good… And with some creatively I’ve no doubt there are many more malicious things you can do with a device that functionally appears to be only a BT device but actually is rather more malicious in similar vein to a rubber ducky (including just giving it WiFi and having the app pass the SSID etc – after all you have to use their app and nobody is paranoid enough to filter the things trying to connect to their WiFi enough to catch that extra device they can’t identify quickly if at all (and that is assuming it doesn’t get really clever and spoof a Mac address – it might for instance pretend to actually be your smartphone, and only when the BT link suggests you have been out of the house!)).
*most folks seem to live entirely off their one smart phone, with every single secret stored on the device.
Maybe we should build our own open-source version?
That’s almost already a thing. I’m not sure that there’s a fully organized project with a case & components purchase links & code all in one place, but for people who already DIY their IoT devices, it’s trivial to put together. I think the real value of this device is that you get a fully assembled one for not much more than the cost of the components.
Personally, I’ve got many similar self-built units around my house, but it’s honestly pretty time consuming each time I want another one, despite having only a few components. (I’m still anxious to try these…I went to order one after the last article about them was posted, but then researched and found that getting a definitely-flashable one was going to be tricky.)
Best part is that ideally a good open-source design will be cheap to make and we’ll see many of the retailers/manufacturers in China pumping them out and driving prices down similar to the big named ones from China.
It’s like the Tuya devices. Early ones could be flashed, thus leading to the development of Tasmota. Later ones, no.
Later ones can be flashed too! With OpenBeken [0], it can even be done via WiFi with tuya-cloudcutter (in my experience, it requires some trial and error, but you can surely finally get it done)
[0] https://github.com/openshwprojects/OpenBK7231T_App
[1] https://github.com/tuya-cloudcutter/tuya-cloudcutter
I suspect they are making more money out of “the chance to sell your data” than they are on the hardware – which they not only have to make, but store, ship, etc etc.
Much easier to make you the product and sell your data to someone..
Hey Tom! Long time no hear. Message me please? Looks like you’ve been busy.
How much is a few dollars each? I read that you can build your own for 5 bucks. I don’t even want the teno sensor…I just want to plug the bluetooth into a meshtastic and use it as a plug and play extra screen for a meshtastic node to have another messaging screen somewhere near the meshtastic …to show messages for various purposes …also just to connect t to a phone or place on a rifle would be fun for fosscad as maybe a bullet counter that uses accelerometer etc