Recovering the root password of a Xiaomi vacuum robot

I got myself a Xiaomi vacuum robot a while ago. Being the kind of person I am, I opened it up almost immediately (and then bricked it). I’ll write a more detailed post on this soonish, but I figure I’d rather get the information out now so that people who are stuck in the same situation can find it.

Long story short, I managed to recover it, but for some reason it wouldn’t connect to my Wi-Fi anymore, nor open up an access point for initial provisioning, so it can only be controlled using its buttons, which isn’t that pleasant. To debug that, I wanted to get access to the underlying Linux system via the serial console, which can be reached via some test points on the PCB (check the documentation by the Dustcloud people on where to find them).

Alas, while the root password defaults to “rockrobo”, it gets replaced with a device-specific one during the update process. I wanted to replicate the method the Dustcloud people used to read and modify the flash to reset it, but they were unwilling to supply me with the images they used, so I had to redo the work. I’m documenting this here so you don’t have to.

Take the (haphazardly, sorry) patched U-Boot from here and either build it yourself or use the precompiled u-boot-sunxi-with-spl.bin file. Get yourself a current version of the sunxi-tools (I used commit 5c1971040c6c44caefb98e371bfca9e18d511da9). Plug yourself into the USB port in the rear of the robot and then power-cycle the robot while shorting the data lines towards the eMMC using some tinfoil, as described in the Dustcloud PDF. It might take a few tries, but eventually a device such as

Bus 001 Device 087: ID 1f3a:efe8 Onda (unverified) V972 tablet in flashing mode

should appear on your system. Run sunxi-fel uboot /path/to/u-boot-sunxi-with-spl.bin, and a U-Boot prompt should appear on the serial console (115200n8). You can then explore the file systems with ext4ls and ext4load using a dev-id of 1.

The seed for the root password is contained in the vinda file (as far as I can tell at the moment, it cannot be derived from other, more easily accessible data). You can dump it as follows:

mmc rescan
ext4load mmc 1:6 0x43200000 vinda
md 0x43200000

You should get a 16-character ASCII string such as CDSQ[VBQ][VP[VPV. The root password is derived from this by XORing each character with 0x37. Calculate this with the language of your choice, for example Perl:

$ perl -e 'print(join("", (map { chr(ord($_) ^ 0x37) } split(//, $ARGV[0]))), "\n");' 'CDSQ[VBQ][VP[VPV'

This is your root password.
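As an added example (my own code, not from the original post or from the Dustcloud project), here is the same derivation in Python, but starting from the raw text of the U-Boot md dump rather than from a hand-transcribed string. It decodes the hex words instead of trusting the ASCII column on the right, because md prints every non-printable byte as a dot, which would silently corrupt a seed that is not pure printable ASCII. The sample dump is constructed by hand from the string quoted above, laid out the way U-Boot’s print_buffer() formats it (address, four little-endian 32-bit words, ASCII column); the printable-ASCII sanity check on the result is my own assumption about what a valid password looks like.

```python
import re

# Constructed sample of what `md 0x43200000` prints after
# `ext4load mmc 1:6 0x43200000 vinda`. Layout follows U-Boot's print_buffer();
# the 16 seed bytes are the example string from the post, the second row is
# just whatever happened to be in RAM after the file (zeros here).
SAMPLE_MD_OUTPUT = """\
=> md 0x43200000
43200000: 51534443 5142565b 50565b5d 5650565b    CDSQ[VBQ][VP[VPV
43200010: 00000000 00000000 00000000 00000000    ................
"""

# One dump row: 8-hex-digit address, colon, one to four 8-hex-digit words.
MD_ROW = re.compile(r"^([0-9a-fA-F]{8}):((?:\s[0-9a-fA-F]{8}){1,4})")

VINDA_LENGTH = 16   # the seed is 16 bytes; md dumps 64 by default


def parse_md_dump(text, length=VINDA_LENGTH):
    """Recover the first `length` raw bytes from a U-Boot `md` hex dump.

    The hex words are decoded rather than the ASCII column, since `md`
    replaces non-printable bytes with '.'. The SoC in the robot is a
    little-endian ARM, so each 32-bit word is unpacked little-endian.
    """
    data = bytearray()
    for line in text.splitlines():
        m = MD_ROW.match(line)
        if not m:
            continue  # prompt lines, echoed commands, anything not a dump row
        for word in m.group(2).split():
            data += int(word, 16).to_bytes(4, "little")
        if len(data) >= length:
            break
    if len(data) < length:
        raise ValueError("dump contains only %d bytes, need %d" % (len(data), length))
    return bytes(data[:length])


def derive_root_password(vinda, key=0x37):
    """XOR every seed byte with the key (0x37 on this firmware, as in the post)."""
    derived = bytes(b ^ key for b in vinda)
    # Assumption: a valid password is printable ASCII. Anything else almost
    # certainly means the wrong 16 bytes were dumped (wrong partition or
    # address), so fail loudly instead of handing back garbage.
    if not all(0x20 <= c < 0x7F for c in derived):
        raise ValueError("derived password is not printable ASCII; wrong dump?")
    return derived.decode("ascii")


def password_from_md_dump(text):
    """Convenience wrapper: paste the md output, get the root password."""
    return derive_root_password(parse_md_dump(text))


if __name__ == "__main__":
    # Paste your own md output in place of the constructed sample.
    print(password_from_md_dump(SAMPLE_MD_OUTPUT))
```

Because XOR with a constant is its own inverse, derive_root_password() applied to the password string gives the vinda contents back, which is a handy check if you ever need to confirm that a password you were given actually belongs to the seed on a particular device.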

More on fun with this platform at a later date.