Valetudo

Valetudo aims to be a vendor-agnostic abstraction and cloud replacement for vacuum robots which started as a standalone binary on rooted roborock vacuums.

View the Project on GitHub Hypfer/Valetudo

General

Newcomer Guide Early 2021 Supported Robots Capabilities Overview Rooting instructions Upgrading

Installation

Roborock OTA Viomi

Companion Apps

Valeronoi Lovelace Valetudo Map Card I can't believe it's not Valetudo node-red-contrib-valetudo Fun & Games Other Noteworthy Projects

Integrations

MQTT Home Assistant Node-RED openHAB

Misc

FAQ Frequently requested features Roborock, Files to backup Troubleshooting

Development

Building and Modifying Valetudo Valetudo core concepts MQTT

Knowledge Base

Supported Roborock Devices Supported Viomi Devices Supported Dreame Devices

Rooting instructions

This page contains an incomplete overview of installation instructions for various robots

Roborock

For more information, simply click on the link if there is one. Overall, things got harder as time went by.

OTA

The Over-the-Air[-Update] rooting method is the easiest one requiring no disassembly nor attaching any cables. However, since Xiaomi disabled local OTA in newer versions of the miio_client (> 3.3.9), you might need to downgrade your firmware by factory resetting your robot.

Unfortunately, robots made after 2020-03 come with a non-local-OTA capable recovery firmware version so for those robots you will need to follow the instructions below.

This works by using the official OTA update mechanism to push a customized (rooted + valetudo) firmware image to the robot. It will happily accept that, because they aren’t signed. For more information, check out the talk Unleash your smart-home devices: Vacuum Cleaning Robot Hacking.

The procedure is documented here: https://valetudo.cloud/pages/installation/roborock-ota.html

This method applies to the following robots:

Vinda

The vinda file method unfortunately requires full disassembly of the robot as well as soldering some wires which will void your warranty.

In short, there’s a file called vinda which contains the root password XOR’d with 0x37. By dropping into the u-boot shell, you can use the ext4load u-boot command usually used for loading a kernel to load that file into memory and therefore read out the root password.

Then, you simply use an interactive shell via UART to achieve persistence.

Dennis made two videos explaining both disassembly as well as the actual root procedure. They can be found here: https://www.youtube.com/playlist?list=PL9PoaNtZCJRZc61c792VCr_I6jQK_IdSb

This method applies to the following robots:

Don’t be confused by the Video not mentioning your particular robot model. It’s the same procedure for all robots listed here.

Also, your robot might come with a newer firmware which doesn’t feature a vinda file. In that case, you’ll need to follow the instructions below.

Init override

Since there’s no vinda file on these robots/firmwares, the approach here is to drop into the u-boot shell and edit the kernel commandline so that init becomes /bin/sh which also gives you a rootshell, but requires you to quickly do some initializing, because otherwise the hardware watchdog will reboot the robot.

Furthermore, due to limited storage, the new firmware is actually streamed onto the device.

The disassembly process plus the testpoints used are the same as the vinda method above so make sure to watch those videos before attempting this.

The procedure is documented here: https://builder.dontvacuum.me/s5e-cheatsheet.txt

This method applies to the following robots:

Dreame

Dreame rooting is currently possible for

It has been released with Dennis Giese’s DEF CON 29 Talk Robots with lasers and cameras but no security Liberating your vacuum. For more information, head over to the Dustbuilder.

It is also recommended to join the Dreame Robot Vacuum Telegram Usergroup for rooting support etc.

Reset-Button UART

Dreame is aware of this and might patch it in newer firmwares. Therefore, don’t update your robot

There are other ways to root as well, however this one is very easy and very reliable so use that if you can. What we’re doing is basically just injecting a custom OTA update including hooks for valetudo, and sshd etc.

To do this, you’ll only need a pry tool, and a 3.3V USB UART Adapter (Like CP2102 or Pl2303) as well as basic linux knowledge.

Pressing the Wi-Fi Reset Button under the Lid for less than 3s will spawn a shell on the UART that is available via the Debug Port that can be found below the plastic cover.

How to open a Dreame

When opening the robot, take it slow, this is probably the hardest step.

Once you have the cover open, connect your USB UART adapters as following, TX(adapter) -> RX(robot), RX(adapter) -> TX(Robot), GND -> GND and plug it into your laptop. Make sure your device is docked since this will be needed in the next step.

Dreame Debug Connector

Now you have to open a serial connection from your laptop to the device, this can be done with putty or through a tool like screen with the following command: screen /dev/ttyUSB0 115200,ixoff.

When connected, you can log in as root. To calculate the password use the full serial number of your robot, which can be seen on the sticker below the dustbin. Not the one on the bottom of the robot nor the one on the packaging. There is a sticker below the dustbin. You’ll have to take out the dustbin and look below it into the now empty space.

To get the password, enter the full SN all uppercase into this command echo -n "P20290000US00000ZM" | md5sum | base64 or use the following Calculator

When logged in, build a patched firmware image for manual installation via the dustbuilder, download it on your laptop, spin up a temporary webserver (e.g. by using python3 -m http.server) in the directory where you downloaded your firmware image to, connect the laptop to the robots Wi-Fi access point and download the firmware image to the robot via e.g. wget http://<your-laptop-ip>/dreame.vacuum.p2028_fw.tar.gz.

Verify the md5 hash is correct by running md5sum dreame.vacuum.p2028_fw.tar.gz and comparing it to the md5 hash dustbuilder provides.

Then, untar tar -xvzf dreame.vacuum.p2028_fw.tar.gz it and execute the ./install.sh script. Note that the robot needs to be docked during that. The robot will then reboot and greet you with a shell mentioning the dustbuilder in the MOTD.

Switch to the tmp folder cd /tmp and repeat the previous steps (from wget to install.sh) to also install the firmware on the second partition which you are now booted to.

After that, check out the /misc/how_to_modify.txt, copy the _root_postboot.sh.tpl to /data (cp /misc/_root_postboot.sh.tpl /data/_root_postboot.sh), make it executable (chmod +x /data/_root_postboot.sh), put a matching Valetudo binary for your robot in /data (same webserver wget thing as above), call it valetudo and make that executable (chmod +x valetudo).

To select the correct Valetudo binary for your robot, refer to this list:

Reboot, connect to the robots Wi-Fi AP again, open up a browser, point it to http://192.168.5.1 and then set up Wi-Fi via Valetudo. Don’t be confused by the UI not loading the state. The robot needs to be provisioned (connected to a Wi-Fi) for that to work.

You now have a rooted Dreame vacuum robot running Valetudo.

It is recommended to now back up your calibration and identity data. One way of doing that is by creating a tar like so: cd / ; tar cvf /tmp/backup.tar /mnt/private/ /mnt/misc/ and then using scp root@<robot-ip>:/tmp/backup.tar . to copy it to a safe location that isn’t the robot.

Viomi

3irobotix is the manufacturer of vacuum robots sold under various brand names including

For now, only one vacuum robot is supported (WIP):

To install Valetudo on your Viomi V7, follow the instructions found here.

We’re currently looking into the possibility of reflashing other brands to Viomi so that they work with Valetudo without any additional code.