Zigbeeifying Xiaomi LYWSD03MMC temperature sensors

I asked for recommendations for good Zigbee temperature sensors, and lots of people recommended the Xiaomi LYWSD03MMC (which is Bluetooth rather than Zigbee, but can be flashed with custom Zigbee firmware).  I ordered a couple from AliExpress (https://www.aliexpress.com/item/4001209595851.html), which appear to have been dispatched from a UK warehouse and arrived very quickly.

I had some problems installing the new firmware, so this post is documenting the process.

These sensors came with a fairly new firmware, which unfortunately complicates the over-the-air firmware update process.  They must first be associated with the Xiaomi app and then the keys extracted.

1. Install the Xiaomi Android app, create an account and pair the sensors over Bluetooth.
2. Download the Xiaomi token extractor Python script (https://github.com/PiotrMachowski/Xiaomi-cloud-tokens-extractor) and execute it.  This will output some info for each device.  I had a lot of trouble with this because it kept telling me I needed to do 2-factor authentication, but that never worked.  Eventually after a lot of Googling, I tried setting a name for my home and a nickname for my user, and the 2-factor auth problems went away.  I'm not sure specifically what fixed the problem.  Beware: I came across a blog post suggesting that you can extract the "ssecurity" and "serviceToken" values from your HTTPS traffic and bodge them into the Python script - doing this appeared to make the login succeed, but the app would always tell me "No homes found for server" for each of the servers that it tried.  In the end I didn't need to bodge those values into the Python script.
3. Go to https://pvvx.github.io/ATC_MiThermometer/TelinkMiFlasher.html - I did this in Chrome from my phone because my workstation has a very old Bluetooth adaptor which didn't want to talk to the temperature sensors.
4. Click "Connect".
5. Wait while it finds devices to pair with, select the appropriate temperature sensor and click "Pair".
6. Once connected, copy and paste some of the values from the token extractor:
   ID -> Device known id
   TOKEN -> Mi Token
   BLE KEY -> Mi Bind Key
   (I found running KDE Connect very useful since it allowed me to copy into the clipboard on my workstation and then paste them on my phone).
7. Click "Login" and the status bar on the page should show "Login successful".
8. Press the "Original_OTA_Xiaomi...." button.  Flashing the original firmware is apparently the recommended thing to do before any custom firmwares, to make sure you're starting from a known firmware version.
9. Press "Start flashing" and wait.  The status bar will show the status of the update - it will take a couple of minutes.
10. Once flashing is complete, press "Reconnect" and wait until it has reconnected.
11. Copy and paste the same values from the token extractor again.
12. Click "Login" again.
13. This time, select "Custom Firmware: ATC_...".
14. Press "Start flashing" and wait again.
15. Once flashing is complete, press "Reconnect" and wait until it has reconnected.
16. This time, we don't need the info from the token extractor.  Select the Zigbee firmware and click "Start flashing".  The device will show dashed lines on the screen while you wait for the update to complete.
    
17. When complete, the device will briefly display "oo o" and then go back to showing temperature and humidity as normal.
18. Put the Zigbee bridge (in my case, Zigbee2MQTT) into pairing mode and wait for it to pair.  I needed to bring the temperature sensor close to the coordinator - it wouldn't pair to the nearest smart plug for whatever reason.

I'm now going to spend a few days evaluating these sensors, and if they work well I'll get a bunch of them.

Moving home with pets

We've recently moved house, and have needed to do an outrageous number of address updates and things like banks, insurers, etc.

Pets like cats and dogs should be microchipped, so if they get lost someone can hopefully scan them, look up the pet on a database and contact the owner.  There are a number of database operators, and Echo (our cat) is registered with Identibase.  As far as I understand, these database operators get paid a fee at registration time which covers the cost of running the database for the life of the pet.  Identibase also offers a few subscription services for an annual fee, which I'm not really interested in.

What came as a surprise to me is that Identibase don't allow you to update any of your personal details, such as your address, unless you have subscribed to one of their additional services (for a fee).  This seems a bit outrageous - the whole point of these national databases is to accurately identify a pet's owner, and they are actively putting blocks in the way of keeping their database up to date.  Some Googling shows that other providers are also charging for address updates.

In the grand scheme of things, a few quid at a time when you're spending thousands to move house isn't a lot, but also: it's a few extra quid that you'd prefer not to spend, at a time when you've already spent thousands!

Luckily, this is where knowing your rights pays off: your address is your "personal data", and is therefore covered by the United Kingdom General Data Protection Regulation (GDPR) and the Data Protection Act.  Article 16 of the UK GDPR provides data subjects (i.e. you) with a "right to rectification": if some of your personal data is inaccurate or out of date, you can tell the data controller (in this case, Identicare Limited) and, by law, they have to correct it.  What's more, Article 12(5) says they have to do this free of charge, and per Article 12(3), "without undue delay and in any event within one month".

So, I emailed their data protection officer (privacy@identibase.co.uk), asking for them to update my address, citing the above legislation.  I had already sent my request to their customer service address, which had been ignored, but it was actioned within a day of sending it to their privacy address.

The same legislation applies to all of the database operating companies, so there's no reason why you shouldn't be able to use this method to avoid the fees that any of them charge for personal data updates.