Filipowicz251/mijia-1080P-hacks

[TASK] RTSP support

Closed this issue · 46 comments

in reference to open items mentioned in #1

  1. choose a suitable rtsp-server from the known implementations
    We have to figure out how the data is streamed right now. It would be a waste of resources to do a double-capture.
    Also interesting would be dss and v4l2rtspserver ?

  2. cross-compile chosen rtsp-server

How should we split this work?
I would look up the current streaming today in the evening.

Did you take a look at how it was done in other Xiaomi camera hacks? I was going to take a look when I get my hands on the SDK...

wzpyh commented

The official site has released a new firmware using a u-boot img file to upgrade the firmware; not sure if this info will help the hack of this camera.

It is actually using a file named tf_recovery.img and I have uploaded the file here (downloaded from the official site and uploaded):

https://ufile.io/t1e1t

@wzpyh could you include the source of the file? Thanks

@willthrom I'd say from here : http://en.miui.com/thread-525318-1-1.html

Edit : Or the Chinese original forum linked in the thread : http://bbs.xiaomi.cn/t-13385327

But that is from February.... so I am asking if there is any other place with the latest firmware....

Is there a way to get information where the camera or the mihome-app gathers the firmware file when attempting an update of the camera firmware?

My bad, I didn't realize the post was that old considering people are still asking for help up to August in the last pages :|. We need an insider from Mainland to help us find all those files!

@papplampe1
analyzing the network.. but pretty sure it is from ot.io.mi.com or ott.io.mi.com

@wzpyh where did you get the new "tf_recovery.img"? It's not intended to be used with the Mijia 1080p.

If the camera buffer is "pure" H264, we might want to consider the GStreamer framework to have an mp4 or webm stream over HTTP (or RTSP over HTTP maybe?). Anyway I'll probably look into this myself when RTSP is up and running as it's specific for my needs :)

wzpyh commented

@snoerenberg sorry, yep, this can only be used for 720p I think; this file was released in August in the Chinese forum. As I don't have any experience with u-boot files, I think there may be a way to extract files from u-boot?

@wzpyh look at my closed thread. There are all files unpacked. You can also use just binwalk -e on the recovery file.

Within my extract you can also find a way to get root on the system I think. There is some secret string Blabla which must be present on the cam.

Hi everyone, I'm trying to get an RTSP server running on the 720p version as well. For now I have telnet access to the running cam, read through all the scripts and logs and decompiled some of the binaries. But I'm stuck now. @willthrom from the decompiled binaries I can confirm it tries to connect to ot.io.mi.com or ott.io.mi.com.

@brtwrs the URL can be seen in the logs, in the mi client log (easier than the binaries).
Regarding the 720p, be careful with whatever is produced in this project, because it might not be compatible at all. (The toolchain could use a different link library.) Have you checked the CPU?
You can check the linking library using the Unix command "file".
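The check suggested above with `file`, as an added example (not code from this thread or the project): a small Python parser that reads the CPU type from the ELF header and the dynamic loader from the PT_INTERP segment, which together decide whether a cross-compiled binary can start on the camera. The sample ELF bytes and the loader paths used with it are constructed for illustration.

```python
import struct

PT_INTERP = 3  # program header type that names the dynamic loader
MACHINES = {3: "x86", 8: "MIPS", 40: "ARM", 62: "x86-64", 183: "AArch64"}

def elf_summary(data: bytes) -> dict:
    """Return CPU, word size and requested dynamic loader of an ELF image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2                       # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    end = "<" if data[5] == 1 else ">"        # EI_DATA: 1 = little-endian
    machine, = struct.unpack_from(end + "H", data, 18)
    word = "Q" if is64 else "I"
    phoff, = struct.unpack_from(end + word, data, 32 if is64 else 28)
    phentsize, phnum = struct.unpack_from(end + "HH", data, 54 if is64 else 42)
    interp = None
    for i in range(phnum):
        base = phoff + i * phentsize
        p_type, = struct.unpack_from(end + "I", data, base)
        if p_type == PT_INTERP:
            off, = struct.unpack_from(end + word, data, base + (8 if is64 else 4))
            size, = struct.unpack_from(end + word, data, base + (32 if is64 else 16))
            interp = data[off:off + size].rstrip(b"\0").decode()
    return {"machine": MACHINES.get(machine, hex(machine)),
            "bits": 64 if is64 else 32, "interp": interp}

def can_start(summary: dict, cpu: str, loaders_on_device: set) -> bool:
    """A binary starts only if the CPU matches and its loader exists on the
    target (no PT_INTERP at all is treated as statically linked)."""
    if summary["machine"] != cpu:
        return False
    return summary["interp"] is None or summary["interp"] in loaders_on_device

def make_sample(interp: bytes = b"") -> bytes:
    """Constructed 32-bit little-endian ARM ELF, optionally with PT_INTERP."""
    ident = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)
    hdr = ident + struct.pack("<HHIIIIIHHHHHH", 2, 40, 1, 0, 52, 0, 0,
                              52, 32, 1 if interp else 0, 0, 0, 0)
    if not interp:
        return hdr
    size = len(interp) + 1
    phdr = struct.pack("<8I", PT_INTERP, 84, 0, 0, size, size, 4, 1)
    return hdr + phdr + interp + b"\0"

if __name__ == "__main__":
    device = {"/lib/ld-uClibc.so.0"}          # assumed loader on a uClibc rootfs
    for name, img in (("dynamic", make_sample(b"/lib/ld-linux.so.3")),
                      ("static", make_sample())):
        info = elf_summary(img)
        print(name, info, "starts:", can_start(info, "ARM", device))
```

On a real build, pass the bytes of the compiled binary to `elf_summary` and the loader paths found under `/lib` on the camera to `can_start`.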

Thanks for your reply. I got it working! I couldn't find the SDK for the 720p version so I tried the SDK from the readme, compiled the rtspd from there, copied it to the sdcard and was able to run it. I now have a working rtsp stream :) Now I only need to control the tilt/pan. Any ideas?

@brtwrs that means the CPU is compatible with the SDK however you need to take a look to the instructions (API) and check if there is any function to control the motors. After that you can create a small program to operate it remotely.

Is your streaming at the same time as Xiaomi?
Could you provide the makefile you used? And from where did you download the source code of the rtspd? From the SDK? I am currently worried about security connectivity.

I was thinking of https://github.com/GStreamer/gst-rtsp-server but they state it is not meant to be used with public connections because of the lack of a security audit.

Yes it can stream at the same time but I noticed a lot of frame errors and the stream was very slow. So I killed the miio_avstreamer process and the rtsp stream was way better, but the xiaomi stream stopped working obviously (I don't use it).
I used the code and makefile from the SDK (GM8136 SDK release v1.0/Software/Embedded_Linux/source/gm_graph/product/GM8136_1MP/samples). I did change the makefile a bit: added the cross-compile prefix and made it build static:

```makefile
GMLIB=../../../gm_lib
# Cross-compiler prefix added for building on the host
CROSS_COMPILE=arm-linux-gnueabi-

ifeq ($(shell find $(GMLIB)/../ -name gmlib.mak),)
sinclude /usr/src/arm-linux-3.3/linux-3.3-fa/cross_compiler_def
else
sinclude $(GMLIB)/gmlib.mak
endif

# Pick the RTSP library that matches the toolchain's C library
uclibc=$(shell echo $(CROSS_COMPILE)|grep uclib)
ifeq ($(uclibc),)
LIBRTSP=librtsp_glibc.a
else
LIBRTSP=librtsp.a
endif

CC=$(CROSS_COMPILE)gcc
CPP=$(CC) -E
LD=$(CROSS_COMPILE)ld
AS=$(CROSS_COMPILE)as
MAKE=make
PROGS=rtspd

LDFLAGS += -L$(GMLIB)/lib -lpthread -lm -lrt -lgm
#CFLAGS += -I$(GMLIB)/inc
# -static added so the binary does not depend on the camera's shared libraries
CFLAGS += -Wall -I$(GMLIB)/inc -static

TARGETS := $(PROGS)

.PHONY: $(TARGETS)

all: $(TARGETS)

# Recipe lines must start with a tab
$(TARGETS): %: %.c Makefile $(GMLIB)/inc/gmlib.h
	$(CC) $(CFLAGS) $< $(LIBRTSP) $(LDFLAGS) -o $@

clean:
	rm -f $(TARGETS)
```

I'm planning to kill all the xiaomi stuff when I have the motor controls and IR LEDs figured out.

You can remove all the dependencies on gm (that is the API), although you will need them for the motors. If you have strace in the camera you can check what calls MIUI makes to the library to manage the motors :).

I didn't link uclib statically because it might change between versions (firmware upgrade) and require a recompile. What RTSP are you using? GM8136_1MP has a 4MP version and so on.

@brtwrs By the way... in that 720p camera, how did you get access to it? I haven't seen the firmware for that camera so I don't know if you had to use the same "way" with the signing and valhalla.sh or you had telnet by default.

So you're saying gm also had the motor drivers somewhere?
First I tried to compile it without the static parameter, but wasn't able to run the rtspd without it. I use the GM8136_1MP because 720p is 1MP. For the 1080p version you need the 2MP one I think.
I took it apart and found the RX and TX pins. First I only got the U-Boot output and nothing more. After a good look at the U-Boot env variables I found out the console argument of the kernel was directed to /dev/null. After pointing it to /dev/ttyS0 I got full root access to the camera. I found out it had a telnet server already installed but never started. So I just enabled the telnet startup script ;p Never did anything with signing.

Thanks, that is what I thought. The 1080 doesn't have telnet installed.
So you changed the startup script and saved it? Is that init script in the JFFS2 partition? Did you modify it directly there?
In the 1080 the Init scripts are in the Squashfs so we cannot change them.

The signing is to allow users without soldering skills to install the tools produced in this and other Camera Modding Projects.

On the 720p version a bunch of startup scripts and files are stored on a mounted partition:
/dev/mtdblock3 2.9M 1.2M 1.7M 41% /mnt/data
Looks like some flash somewhere on the board. This part of the file system is writable and keeps intact after a reboot.
A sd-card only solution would be perfect indeed.

@brtwrs run the command "mount" so you can tell what kind of partition is /mnt/data (but I am 99.9999% sure it is JFFS2).

What you can do to jump to the sd-card is to copy /dev/mtdblock3 to /sdcard and then mount /sdcard in /mnt/data :)
I would do that in an init script, whatever is being used in your camera (if any).

@brtwrs have a look at the recovery image of the 720p with binwalk. There seems to be a similar hack possible only with SD Card. http://www43.zippyshare.com/v/NgfFX5ry/file.html <- new image folder

... Maybe not ... the "sdtest" is never called/used... and the privkey is missing in ft folder.

Look what I've got. I sniffed the traffic during an update and got the URL for the Version 3.3.9_0129 update file:

http://awssgp0-cdn.fds.api.xiaomi.com/default/0870c0254e9cd40a5e4cac2265c46e87_upd_mijia.camera.v1.bin?GalaxyAccessKeyId=5721718224520&Expires=1511835126000&Signature=YI6MRwNnCm7+bdjjqwND8bxpj5s=&uniqRequestId=89427518

As this link might expire soon, I made a safe copy of it:
Download from MEGA.nz
Download from Dropbox

and here it is extracted for your convenience:
Download from Dropbox

That's all I can contribute as I am not a Linux or embedded/IoT skilled guy. Hope this helps someone!

@papplampe1 thanks!

As you "like" to play with the sniffer, it would be handy to know how the configuration from the cloud is being sent, and how the camera notifies the movement detection. Just in case we can create an app to do the same.

The config used is easy to "customize" as it is being saved in a file inside the camera, but I would like to know if we can reuse whatever xiaomi has developed...

@willthrom
I'll try. Can you give me a hint what to look for? Do you have a file name? When does it fetch the config? On every boot?

@papplampe1 can you provide the URL of the latest Firmware... _139...

@willthrom Yes I will try right now

China

Sorry, not able to get the link like the last time. I had to update the mi home app to get the new FW in the first place. Seems like they changed something in the way the device gets the firmware as well.

np, just let me know whenever you have time.

Just to make sure: You know you can apply tf_recovery.img to SD card, this will set you back to a 3.3.6 FW. Then you can change the server of your mi home app to something else but China Mainland, and then you are offered to update to 3.3.9_0129 which might work again with your script.

@papplampe1 I could try that but I am more interested in knowing what is in 0139. I need to figure out a way to download the images to the SDCARD from the camera before applying the patch.

Which tf_recovery.img do you mean? I currently have 2 but I don't know their source.

This is the recovery I am using to get back to 3.3.6 (to try again and again to capture how the heck the camera is updating):
http://en.miui.com/thread-525318-1-1.html (Alternative Mirror on Google Drive)

I will continue trying to get the 0139 :-)

Thanks. I will add some more debug in the script...

@papplampe1 Is that firmware for the 1080p? According to the picture it looks like it, but mine is now blinking blue and not yellow.... I will leave it there for 10 min and see what happens...

My model I am using this tf_recovery.img on: SXJ01ZM (at Gearbest)

Same as mine... what does the LED do when it is writing the firmware? And when it has finished?

Mine is blinking blue...

I put the tf_recovery.img in the root of the sd card. Put the card in. Power the camera up. It then should start rapidly blinking orange (writing image). After some time solid orange (booting). And then it should slowly blink orange to indicate it is ready for being discovered by the app. Try the reset for over 5 seconds. Maybe it somehow remembered something pre-recovery...

I checked again. After putting in the sd card with recovery:
power on -> solid orange for a few seconds -> slow orange blinking while the image is applied for a minute or so -> 2 seconds rapid orange blinking -> booting while solid orange -> after booting it might blink blue and then solid blue; that's when it did remember some wifi settings or gets those settings from the cloud. If not connected to wifi prior to recovery it should rapidly blink orange and say something in Chinese that it is ready to connect now.

@kollaesch how are you doing with the RTSP server ? :)

Well. I compiled a light version of rtspd. I will prepare a release with that. It is quite bad quality but it works...

Hi, I am looking for RTSP for the Xiaomi Mijia 1080P camera. Is this topic for this camera and how to do it? http://nambor.com/wp-content/uploads/2017/03/Full-Review-of-Xiaomi-mijia-1080P-Smart-IP-Camera.png

Yep. This project is for the camera you linked.

Take a look at the Releases. The RTSP support is still alpha.

I am closing this issue as RTSP has been added (and this thread has gotten too big already).

I will create another one with the new RTSP proposal where I expect some other developer to work on it