
Aqara G5 Pro (PoE) bricked, stuck yellow/purple, only telnet open. Anyone know default creds or have OTA firmware?

Open RevoGap opened this issue 5 months ago • 21 comments

I have an Aqara Camera Hub G5 Pro (PoE) that seems to have bricked itself after a reset.

When powering up it goes solid yellow, then black, then solid purple. It never reaches the flashing yellow pairing mode. If I hold reset it goes into siren/floodlight toggle mode, but the app and Apple Home can’t see it.

The device still picks up an IP on my LAN. Nmap shows only port 23 open with BusyBox telnetd. The telnet banner gives “Camera-Hub-G5Pro-xxxx login:” but none of the common credentials work (root/admin/app/debug with blank, admin, 1234, aqara, MAC suffix, etc). No CoAP or miIO ports are open, just 5353/udp for zeroconf. mDNS briefly advertises _aqara-setup and _aqara but never publishes a proper instance name.

So far telnet is the only thing alive, but without a password it goes nowhere.

Has anyone managed to get into telnet on a G5 Pro, or knows the default login? Has anyone grabbed an OTA firmware file from Aqara Home app updates? If the file is not device-bound, it might be possible to use it to revive the G5.

I have a replacement on the way, but I’d like to try and recover this one for testing and research. Happy to share more logs or details if it helps!

RevoGap avatar Aug 23 '25 05:08 RevoGap

The root password was generated on the production line, and each device has a different password.

The generated script is generated_pswd.sh

```
===unique_id:%s,mac:%s,dac_crt_md5:%s
generate_pswd.sh unique_id mac dac_crt_md5

agetprop persist.sys.magicpair_id
agetprop persist.sys.miio_mac
agetprop persist.sys.dac_crt | md5sum
```

I disassembled the G5 Pro and wired out the UART to clear the root password.

You can use the python-aiot script to get the OTA firmware.

https://github.com/niceboygithub/python-aiot/tree/master


```
python cli.py ota-firmware
```

niceboygithub avatar Aug 23 '25 07:08 niceboygithub

Thanks for the quick reply and for sharing! I tried running the python-aiot script on macOS with both Python 3.13 and 3.11, but whenever I run the cloud command with my account it just returns:

```
load ./aiot_login.json failed
encrypt password failed
```

So I don’t think I can actually pull the OTA firmwares until my replacement G5 Pro arrives and is online in my account. Was planning to use Proxyman to catch it. You mentioned that you disassembled your unit further and cleared the root password over UART. I did open mine from the back but couldn’t get the inside loose after finding 4 deep Phillips screws, not even with pliers and a lot of force. How did you get it out?

I do have a DSD TECH SH-U09C2 USB-to-TTL adapter, plus a Tag-Connect TC2070 cable with Dupont wires. Would you be able to share what adapter/settings you used (baud rate etc.) and what you did once you got console access to clear the password? Was it obvious which pins to connect where? Also, do you think having the new device online later could somehow help me recover the bricked one (e.g. by grabbing its firmware and reusing it)?

Really appreciate your time and patience. It’s a learning process for me, so any details would help a lot.

RevoGap avatar Aug 24 '25 06:08 RevoGap

I’ve been trying on two different Macs with multiple Python versions, but I keep running into the same “encrypt password failed” error in python-aiot, even after patching cloud.py. At this point I can’t seem to pull the OTA myself.

Would it be possible for you to share the direct OTA URL or the firmware file for the Aqara Camera Hub G5 Pro PoE (EU region)? That way I can at least get the correct blob and work on restoring my bricked unit.

Really appreciate the time you’ve already spent pointing me in the right direction. Still working on disassembling the camera so that I can reach the pins on the board.

RevoGap avatar Aug 25 '25 08:08 RevoGap

Check the file access rights of iTerm or Terminal.

niceboygithub avatar Aug 25 '25 12:08 niceboygithub

image

The Tx and Rx of UART are as the picture above.

niceboygithub avatar Aug 25 '25 12:08 niceboygithub

Thank you so much man!! Trying this as soon as I get home. Did you have difficulty getting it out? The 4 inner screws were the only ones? Couldn’t see any more keeping it lodged in.

RevoGap avatar Aug 25 '25 12:08 RevoGap

You need to open the front cover first.

niceboygithub avatar Aug 25 '25 14:08 niceboygithub

Just to follow up: I double-checked my macOS permissions and Terminal already had Full Disk Access, so unfortunately the encrypt password failed issue isn’t related to file access. I’ve tried on two Macs and different Python versions, but the script still fails at the same step.

Since I can’t capture the OTA URL anymore and the tool isn’t working for me, would you be able to share the direct OTA URL or the .bin file for the G5 Pro PoE (EU region)? That would let me finally try flashing the bricked unit.

After a lot (!) of prying, I was able to remove the front pane of glass, but it didn't reveal any screw holes underneath, so I have not been able to open the front cover. I think I've messed up the entire unit in doing so. I have absolutely no idea how you got that off: there is no way anything like a Stanley knife will fit between the casing and the front cover.

Really appreciate all the help you’ve given so far!

RevoGap avatar Aug 25 '25 19:08 RevoGap

Image

If you did not get any info about OTA, that means there is no OTA under your Aqara account.

niceboygithub avatar Aug 26 '25 01:08 niceboygithub

Thanks for sharing the output. I tried what you suggested, but I’m still hitting encrypt password failed on both Macs so I can’t pull the OTA myself.

On the hardware side, I still haven’t been able to pry off the front cover. I’ve already damaged the inside front edges quite substantially and have no idea how much more risk I should take on that: any tips? If it helps, I can share photos of how far I got so it’s documented for others attempting the same.

At this point what I still really need is either the direct OTA URL or the .bin for the G5 Pro PoE (EU), since without it I can’t proceed further. You shared one for a Lumi switch so I'm guessing you can't currently grab it either, but please let me know if you do! Still have hope of being able to salvage it with your Repo!

RevoGap avatar Aug 26 '25 05:08 RevoGap

image

It is not easy to open the G5 Pro. If you force it open, the waterproofing may not work anymore.

niceboygithub avatar Aug 26 '25 05:08 niceboygithub

image Welp

RevoGap avatar Aug 26 '25 05:08 RevoGap

> Thanks for sharing the output. I tried what you suggested, but I’m still hitting encrypt password failed on both Macs so I can’t pull the OTA myself.

From the picture I uploaded, you can see that the python-aiot script is working. Please check your env, or switch to using it on Windows. And check that "lumiunited.cer" exists alongside the script.

> At this point what I still really need is either the direct OTA URL or the .bin for the G5 Pro PoE (EU), since without it I can’t proceed further. You shared one for a Lumi switch so I'm guessing you can't currently grab it either, but please let me know if you do! Still have hope of being able to salvage it with your Repo!

My G5 Pro is using the latest version, so I cannot get any OTA now.

niceboygithub avatar Aug 26 '25 05:08 niceboygithub

Thanks for clarifying, that makes sense now. I realize the reason I can’t get the G5 Pro firmware isn’t just my setup, but also because there’s no OTA being served at the moment, not an issue with the repo or anything. I also tried again in a Windows 10 Parallels environment to rule out macOS issues, but got the same result.

If you ever manage to grab the OTA URL or .bin for the G5 Pro PoE (EU) from a future update, I’d be very grateful if you could share it. In the meantime, I’ll wait until Aqara pushes a new build and try capturing it then.

Really appreciate all your patience and help so far. I'll keep at it with the front cover, but have already broken the tips of 5 Stanley knife blades and broke my thin Hoto disassembly prying tool, so taking a break for a little while.

RevoGap avatar Aug 26 '25 06:08 RevoGap

I managed to get the front cover off. It was indeed not easy. My circuit board, although not the exact same, seems relatively similar with the pads you annotated in the same spot.

Image

I managed to get stable UART output on my G5 Pro PoE and captured the full boot log (attached). U-Boot is clearly present, but unlike your case I never see a “Hit any key” or autoboot prompt, so I can’t interrupt it. I’ve tried spamming space/break via script and manually in minicom, but it always boots straight through.

Do you know if Aqara disabled the autoboot break on later builds, or if there’s another way you used to get into the bootloader? Any tips would be really appreciated!

g5pro_bootlog.txt

P.S. I was able to capture the OTA firmware file via a proxy setup, so I already have the correct .bin for this model/region. At this point the only thing stopping me is figuring out how to actually flash it, since without access to U-Boot I don’t see a way in.

RevoGap avatar Sep 05 '25 20:09 RevoGap

> U-Boot is clearly present, but unlike your case I never see a “Hit any key” or autoboot prompt, so I can’t interrupt it.

Try to keep pressing "Enter" while U-Boot boots up.

niceboygithub avatar Sep 06 '25 00:09 niceboygithub

I did try that, both manually pressing enter and also with a script that spams enter during boot in case I was not fast enough. I have repeated the process many times and also tested with other keys and key combinations (Ctrl+A, Esc+Z, Spacebar), but nothing ever stops the boot. At this point I have probably rebooted a hundred times without getting U-Boot to halt.

The UART wiring and baud rate should be correct, since I am consistently getting clean boot logs in Minicom. Do you think Aqara may have disabled autoboot break on newer firmware or hardware revisions, or is there another method to trigger it?

RevoGap avatar Sep 06 '25 00:09 RevoGap

In some Lumi products after production, the 'Enter' interrupt was removed.

There is another method to interrupt U-Boot, but it is RISKY. It may cause the factory data to be lost, and the device then cannot be provisioned to Aqara's cloud. You can short the pin between the SoC and the Flash while U-Boot tries to read the kernel from Flash. These pins were shown in red in the picture that I uploaded.

niceboygithub avatar Sep 06 '25 01:09 niceboygithub

You sir, are a wizard. After following your advice, I was able to glitch into U-Boot and get to the SigmaStar # prompt (see attached log). That part worked, but I then ran into another problem: I wasn’t able to send any input. Everything was read-only.

To troubleshoot, I tried resoldering the UART pads to see if one of the connections was bad, but in the process both the RX and GND pads lifted off the board... The TX pad is still intact.

Do you have any pointers on where to pick up alternative solder points for RX and GND on this board revision, or whether there’s another way you’d recommend proceeding from here?

Thanks a lot for your time and help — getting into U-Boot was already a big step forward, but I’m stuck again now.

g5pro_bootlog success?.txt

RevoGap avatar Sep 06 '25 03:09 RevoGap

Another pin is in the SoC, and it is very, very difficult to touch.

niceboygithub avatar Sep 06 '25 04:09 niceboygithub

I see. GND would be fine on one of the exposed screw holes, but RX is the real issue, since I can’t solder to one of the chip’s super-small contact points. I don't have the tools or quite frankly the skills, since this was my first soldering job. If there really aren’t any alternative RX pads or vias, it is probably game over.

Thanks a lot for all your help man: hopefully this thread will still be useful to others in the future.

RevoGap avatar Sep 06 '25 04:09 RevoGap