Note
The tools in this repository are not feature-complete and are not intended to be. For more comprehensive libraries, check out meross-iot and meross_lan.
This repository is built upon research and tools from the following excellent projects:
- Meross – Initial access
- meross-iot – Detailed protocol reference
- ltchiptool – Flash structure details
- Ameba-AIoT – Chip documentation
This repository contains tools and additional information regarding hidden functionalities:
- Tools & Examples
- Device & Chip Deep Dive (or: how to brick and unbrick your device)
- Teardown & Pinout
Most important conclusions:
- Meross uses no encryption in its firmware or within the flash, meaning all secrets stored there can be easily extracted as plain text.
- The serial shell includes special commands that, if used incorrectly, may brick your device.
- Using the Cloud API, it is possible to register dummy devices, which can then be used to retrieve the firmware image.
- It is possible to register devices using the Cloud API without providing internal network data (see Tools - Device Linking).
This repository and its associated tools are not affiliated with, endorsed by, or connected to Meross or any of its parent companies. The tools and research presented here are for educational and informational purposes only. Use them at your own risk. The author(s) of this repository do not take responsibility for any damage, data loss, or other issues caused by using the tools provided.
Distributed under the MIT License. See LICENSE for more information.