Hack for the new camera - mijia v3 / Basic 1080p
vitoo opened this issue · 121 comments
I'm also very interested by this topic. I can't get an old version anymore.
Same problem for me.
Impossible to downgrade firmware on my mijia with white back.
Thx for help :-)
see EliasKotlyar/Xiaomi-Dafang-Hacks#624
they are still trying
It may take months 😃
It's a cheap camera, many hackers will try it
You can downgrade the cam with https://github.com/EliasKotlyar/Xiaomi-Dafang-Hacks/files/2320611/tf_recovery.for.SXJ02ZM.All.White.Xiaomi.1080P.smart.cam.zip and these files on root of sd card https://github.com/Filipowicz251/mijia-1080P-hacks/releases/download/0.8.7/release0.8.7.zip
... but there was no SSH server launched or anything like that ... I don't know what happened or what to do
@Snotmann the 0.8.7 was released in March, so I don't think it will work with the all new full white camera
@Snotmann @seewaldjan it will not work, basically because the recovery of the V3 is already patched against the security flaws I found a year ago.
What you could do is to try to use the tf_recovery from the V2 and check if the camera starts.
The camera sensor might not work, BUT if you can go to the Mi App and upgrade the camera from there to whatever version is the latest for the V3, then there is a possibility we can hack that camera too.
Forget it... it seems the architecture is different. I need to take a look, but it seems so:

V3:

```
DECIMAL    HEXADECIMAL  DESCRIPTION
0          0x0          uImage header, header size: 64 bytes, header CRC: 0x3E8652CA, created: 2018-06-30 07:40:51, image size: 2240049 bytes, Data Address: 0x80010000, Entry Point: 0x80380060, data CRC: 0x6BAB1A28, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: gzip, image name: "Linux-3.10.14"
64         0x40         gzip compressed data, maximum compression, from Unix, NULL date (1970-01-01 00:00:00)
2621440    0x280000     Squashfs filesystem, little endian, version 4.0, compression:xz, size: 4484222 bytes, 1916 inodes, blocksize: 131072 bytes, created: 2018-06-30 07:42:42
9895936    0x970000     JFFS2 filesystem, little endian
```

V2:

```
DECIMAL    HEXADECIMAL  DESCRIPTION
0          0x0          uImage header, header size: 64 bytes, header CRC: 0xF8DB532E, created: 2017-08-03 05:49:01, image size: 1909344 bytes, Data Address: 0x8000, Entry Point: 0x8000, data CRC: 0x4A5C7510, OS: Linux, CPU: ARM, image type: OS Kernel Image, compression type: none, image name: "Linux-3.3.0"
18164      0x46F4       gzip compressed data, maximum compression, from Unix, NULL date (1970-01-01 00:00:00)
2752512    0x2A0000     Squashfs filesystem, little endian, version 4.0, compression:xz, size: 8932790 bytes, 1304 inodes, blocksize: 131072 bytes, created: 2017-08-03 05:51:01
13238272   0xCA0000     JFFS2 filesystem, little endian
```
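The binwalk listings above are produced by reading the 64-byte legacy U-Boot image header at offset 0 and checking its two CRC32 fields. The following is an added example (not code from this thread or from openfang) that parses and rebuilds such a header so you can verify a dumped kernel yourself and scan a whole flash dump for valid headers. The only protection these CRCs give is corruption detection; a header with matching CRCs says nothing about who produced the image, which is why the signature check in the recovery script (discussed further down in this thread) is the part that actually blocks modified firmware. The sample payload in the test is constructed; the MIPS addresses used there are the V3 values from the listing.

```python
import struct
import zlib

# Layout of the 64-byte legacy U-Boot image header (u-boot include/image.h):
# magic, header CRC, timestamp, data size, load address, entry point,
# data CRC, OS, architecture, image type, compression, 32-byte name.
UIMAGE_MAGIC = 0x27051956
HEADER_LEN = 64
HEADER_FMT = ">7I4B32s"

IH_OS = {5: "Linux"}
IH_ARCH = {2: "ARM", 5: "MIPS"}
IH_TYPE = {2: "OS Kernel Image"}
IH_COMP = {0: "none", 1: "gzip", 2: "bzip2", 3: "lzma"}


def _crc32(data: bytes) -> int:
    return zlib.crc32(data) & 0xFFFFFFFF


def build_uimage(payload: bytes, name: str, arch: int, comp: int,
                 load: int, entry: int, timestamp: int = 0) -> bytes:
    """Wrap payload in a legacy uImage header with correct header and data CRCs."""
    dcrc = _crc32(payload)
    fields = [UIMAGE_MAGIC, 0, timestamp, len(payload), load, entry, dcrc,
              5, arch, 2, comp, name.encode()[:32].ljust(32, b"\0")]
    header = struct.pack(HEADER_FMT, *fields)
    # The header CRC is computed over the header with the CRC field itself zeroed.
    fields[1] = _crc32(header)
    return struct.pack(HEADER_FMT, *fields) + payload


def parse_uimage(blob: bytes, offset: int = 0) -> dict:
    """Parse the header at `offset` and verify both CRCs; the fields mirror what binwalk prints."""
    hdr = blob[offset:offset + HEADER_LEN]
    if len(hdr) < HEADER_LEN:
        raise ValueError("truncated header")
    (magic, hcrc, ts, size, load, entry, dcrc,
     os_, arch, typ, comp, name) = struct.unpack(HEADER_FMT, hdr)
    if magic != UIMAGE_MAGIC:
        raise ValueError("no uImage magic at offset 0x%x" % offset)
    hcrc_ok = _crc32(hdr[:4] + b"\0\0\0\0" + hdr[8:]) == hcrc
    data = blob[offset + HEADER_LEN:offset + HEADER_LEN + size]
    dcrc_ok = (len(data) == size) and (_crc32(data) == dcrc)
    return {
        "name": name.rstrip(b"\0").decode(errors="replace"),
        "created": ts,
        "os": IH_OS.get(os_, os_),
        "arch": IH_ARCH.get(arch, arch),
        "type": IH_TYPE.get(typ, typ),
        "compression": IH_COMP.get(comp, comp),
        "size": size,
        "load": load,
        "entry": entry,
        "header_crc_ok": hcrc_ok,
        "data_crc_ok": dcrc_ok,
    }


def find_uimages(blob: bytes) -> list:
    """Scan a flash dump for the uImage magic; keep only headers whose header CRC checks out."""
    magic = struct.pack(">I", UIMAGE_MAGIC)
    hits = []
    pos = blob.find(magic)
    while pos != -1:
        try:
            info = parse_uimage(blob, pos)
            if info["header_crc_ok"]:
                hits.append((pos, info))
        except ValueError:
            pass
        pos = blob.find(magic, pos + 1)
    return hits


if __name__ == "__main__":
    # Constructed sample: a fake kernel wrapped with the V3's MIPS addresses from the listing.
    sample = build_uimage(bytes(range(256)) * 40, "Linux-3.10.14", 5, 1,
                          0x80010000, 0x80380060, 1530344451)
    for off, info in find_uimages(b"\xff" * 0x1000 + sample):
        print("0x%x" % off, info)
```

Run it against a real dump with `find_uimages(open("dump.bin", "rb").read())`; a header whose `data_crc_ok` is False but `header_crc_ok` is True is the usual sign of a truncated or partially flashed image rather than a wrong offset.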
hello Any news ? the V3 is still no hackable to get a rtsp flow or to view the camera with a computer ?
Also hoping for updates. Hope there is something I can do to help
Has anyone tried this approach on these V3 cameras?
Not tried, but I don't really understand how to make it work on a MacBook?
The v3 contains validation based on RSA:

```sh
try_ft_mode()
{
    # Only consider "ft mode" if both the payload zip and the secret.bin blob exist on the SD card
    if [ -f $ft_files_zip ] && [ -f $sd_mountdir/ft/secret.bin ];then
        mkdir -p $ft_running_dir
        # Decrypt secret.bin with the device's secure key; the plaintext is an md5sum manifest
        $ft_decrypt $sd_mountdir/ft/secret.bin $ft_running_dir/md5.sum $ft_securekey_file
        # The zip is only unpacked and used if every file in the manifest matches (-s: silent)
        if md5sum -cs $ft_running_dir/md5.sum;then
            unzip $ft_files_zip -q -d $ft_running_dir
            chmod -R 755 $ft_running_dir
            ft_mode=$(cat /proc/ft_mode)
            if [ "$ft_mode" == "" ];then
                ft_mode=0
            fi
            return $?
        else
            echo "check fail"
        fi
    else
        echo "ignore ft mode"
    fi
    return 1
}
```
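What makes the gate above hard to bypass is not the md5 check itself but where `md5.sum` comes from: it is the decryption of `secret.bin` under a key only the vendor can produce, so anyone can write the SD card but nobody without that key can make `secret.bin` decrypt to a manifest that matches their own zip. The following is an added example (not code from this thread or from the camera firmware) that models the `md5sum -cs` half of the gate in Python: it parses manifest lines in md5sum's format, verifies the listed files, returns exactly the pass/fail that the shell `if` sees, and shows the check failing after a one-byte change to the constructed zip stand-in. The file names and the temp directory are assumptions for the demo.

```python
import hashlib
import os
import re
import tempfile

# One line of md5sum output: 32 hex digits, a space, then ' ' (text) or '*' (binary), then the name.
_MANIFEST_LINE = re.compile(r"^([0-9a-fA-F]{32}) [ *](.+)$")


def parse_md5sum_manifest(text: str) -> list:
    """Parse `md5sum -c` style lines into (digest, filename) pairs; reject anything malformed."""
    entries = []
    for raw in text.splitlines():
        line = raw.rstrip("\r")
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _MANIFEST_LINE.match(line)
        if m is None:
            raise ValueError("malformed manifest line: %r" % raw)
        entries.append((m.group(1).lower(), m.group(2)))
    return entries


def md5_of_file(path: str) -> str:
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_manifest(text: str, root: str) -> dict:
    """Per-file result, like `md5sum -c`; a missing file counts as a failure, not a skip."""
    results = {}
    for digest, name in parse_md5sum_manifest(text):
        path = os.path.join(root, name)
        results[name] = os.path.isfile(path) and md5_of_file(path) == digest
    return results


def ft_gate(manifest_text: str, root: str) -> bool:
    """Exit status of `md5sum -cs`: True only if the manifest is non-empty and every entry matches."""
    try:
        results = check_manifest(manifest_text, root)
    except ValueError:
        return False
    return bool(results) and all(results.values())


def run_demo() -> tuple:
    """Constructed sample: a manifest over a fake ft.zip, checked before and after tampering."""
    root = tempfile.mkdtemp()
    zip_path = os.path.join(root, "ft.zip")
    with open(zip_path, "wb") as f:
        f.write(b"PK\x03\x04" + bytes(range(256)) * 8)  # constructed stand-in for the zip
    manifest = "%s *%s\n" % (md5_of_file(zip_path), "ft.zip")
    before = ft_gate(manifest, root)
    with open(zip_path, "r+b") as f:
        f.seek(100)
        f.write(b"\x00")  # one-byte change, as swapping payload contents would cause
    after = ft_gate(manifest, root)
    return before, after


if __name__ == "__main__":
    print("gate before/after tampering:", run_demo())
```

The point for anyone trying to re-use the old 0.8.7 SD-card hack on a V3: regenerating `md5.sum` for your own zip is trivial, but the script never reads a plaintext `md5.sum` from the card, only the one it decrypts itself, so the check is only as weak as the key handling in `$ft_decrypt` and `$ft_securekey_file`.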
Hi, I tried this tf_recovery.img with the hack https://github.com/Filipowicz251/mijia-1080P-hacks. The tf_recovery seems to work because the camera downgrades (3.4.4_0039), but the tools are not installed. Impossible to connect using SSH. I can update to 3.4.5_0046 with Mi Home, but impossible to activate RTSP.
If anybody has an idea :-)
> Has anyone tried this approach on these V3 cameras?

This doesn't work unfortunately; the camera doesn't respond to the "get_ipcprop" command that's needed to get the stream running.
any news on this?
I want RTSP and I don't want any cloud service. Looks like I have a camera for sale now ... it speaks Chinese, does not allow you to set your own country and is useless without the cloud service, where God knows who is watching your streams. Thanks a lot, it's for sale.
Same here. Hack does not work with the new model. I’m not leaving it on cloud service because the camera is in my living room. Wanted to use it to watch the dogs, but the idea of someone else watching my family is enough to leave it unplugged. Shame Xiaomi does not add local support.
For reference, i have the snowman version with white back, 1080p PTZ.
Is there any news?
It is working with openfang; check it out in openfang. A modified bootloader was compiled for this purpose, but we need to open the camera and program it manually. We will check if we can bypass some protection to upload the new firmware.
I have no problem programming the camera via serial.
Two questions:
- Do you have some pictures of how to open the camera without breaking it, please?
- Could you please paste here a link to a file to be programmed into the camera?
Thanks
Any news?
I opened mine today. How do I connect it to the PC? Via a USB-to-UART adapter? What are the pinouts?
I found this manual:
https://www.winbond.com/resource-files/w25q128jv%20revf%2003272018%20plus.pdf
Please check more information at EliasKotlyar/Xiaomi-Dafang-Hacks#624 (comment)
> It is working with openfang; check it out in openfang. A modified bootloader was compiled for this purpose, but we need to open the camera and program it manually. We will check if we can bypass some protection to upload the new firmware.

@anmaped can you explain how to make it work with openfang?
@axlerose I have written the new bootloader directly to the flash. As soon as I have the device again I will check if we can upload the new bootloader in another way.
Can you explain how to flash directly to the flash chip?
@axlerose You have to use a programmer like the CH341, but you have to remove the chip from the PCB first and then use a SOIC test clip for flashing it.
@anmaped I've got the removed chip in the programmer. Now I should flash it with the u-boot-lzo-with-spl.bin file and that's it?
@anmaped Could you provide me a link to the right programmer? Mine doesn't really list the correct Winbond chip. I already got all the needed components.
I'd write the stuff down and upload some pictures for other people who want to do the same thing.
I made an initial backup, then tried to flash the custom bootloader, which flashed successfully. After re-soldering the flash, the cam is dead.
I tried restoring the original backup, without luck. It looks like something went really wrong, but I have no idea what.
My flash is detected as W25Q128BV instead of W25Q128JVSQ. Is this wrong?
Here's a screen: http://i.epvpimg.com/C3SZeab.png
Thanks a lot in advance
Hello, with a Mijia 1080p white back I successfully uploaded your last bootloader (dump file from your previous message). I opened the camera and used a CH341 programmer with a clamp to flash the chip. Before writing your dump file, I erased the chip and then wrote the dump file.
Then I built an SD card with 2 partitions and wrote the image rootfs.ext2 into the first partition. I can mount this one and see the Linux tree. So the SD card seems to be correctly prepared.
But it is not working, or at least I still don't get any SSH access to the camera. The SD card is plugged in. It works as if I had not done anything. The camera works correctly with the Mi Home app.
Any idea what could be wrong? Thank you.
@llimz Are you able to compile the last version of openfang? I will do a release of the unified firmware this week. I'm just unifying some things (mainly video settings), but the current dev version is working well with the camera if you try to compile it.
You just have to use the u-boot-lzo-with-spl_t20_64M.bin bootloader.
Yes, I compiled the last dev version from your git repository successfully this morning. These are the files generated as a result:
After compiling your code, I built the SD card with the last rootfs.ext2 file on the first partition, formatted the second partition as FAT32 and put my wpa_supplicant.conf file into it (there is only this file on the second partition). I put the SD card into the camera and powered on the camera. The LED blinks orange and blue for a few seconds, then it only blinks orange. I assume that the network connection to my WiFi is not made.
This is my wpa_supplicant.conf file below. It is the same file I'm using on some Raspberry Pis. Maybe the format is not correct for the camera?
```
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
country=FR
update_config=1
network={
    ssid="NETGEAR91"
    psk="***"
    priority=3
}
network={
    ssid="Linksys00758"
    psk="---"
    priority=2
}
network={
    ssid="Zyxel"
    psk="***"
    priority=1
}
```
Any other idea? Thank you.
@llimz Great! You only have to format the second partition as exFAT. I didn't add support for FAT32 due to the lack of wear-leveling.
Could you try this wpa_supplicant.conf file?

```
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=0
ap_scan=1
network={
    ssid="<SSID>"
    # Uncomment to connect to Hidden SSIDs
    #scan_ssid=1
    key_mgmt=WPA-PSK
    pairwise=CCMP TKIP
    group=CCMP TKIP WEP104 WEP40
    psk="<PASSWORD>"
    priority=2
}
```
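Both configs above put the WiFi passphrase in clear text on an SD card that sits in a camera anyone can pull out. wpa_supplicant also accepts the 256-bit PSK as 64 hex digits (`psk=<hex>`, no quotes), which is what `wpa_passphrase` prints; the PSK still joins the network, but it no longer reveals a passphrase that may be reused elsewhere. The following is an added example (not code from this thread or from openfang) that derives the PSK the way IEEE 802.11i specifies (PBKDF2-HMAC-SHA1, 4096 rounds, SSID as salt) and renders a config in the layout anmaped posted, switching to wpa_supplicant's raw-hex SSID form when the SSID contains characters that cannot sit safely inside quotes. It assumes the camera's wpa_supplicant build accepts the standard hex PSK form; the SSIDs and passphrases in the test are constructed.

```python
import hashlib
import string

# Characters safe inside a quoted ssid="..." value: printable, minus quote, backslash and control/whitespace other than space.
_QUOTE_SAFE = set(string.printable) - set("\"\\\r\n\t\x0b\x0c")


def wpa_psk(ssid: str, passphrase: str) -> str:
    """PBKDF2-HMAC-SHA1, 4096 iterations, 32 bytes, salted with the SSID (IEEE 802.11i, H.4)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8..63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32).hex()


def ssid_field(ssid: str) -> str:
    """Quoted form when it cannot be misparsed, otherwise wpa_supplicant's raw-hex form."""
    if ssid and all(c in _QUOTE_SAFE for c in ssid):
        return 'ssid="%s"' % ssid
    return "ssid=" + ssid.encode("utf-8").hex()


def network_block(ssid: str, passphrase: str, priority: int = 0, hidden: bool = False) -> str:
    lines = ["network={", "    " + ssid_field(ssid)]
    if hidden:
        lines.append("    scan_ssid=1")  # needed for hidden SSIDs, as the posted config notes
    lines += ["    key_mgmt=WPA-PSK",
              "    psk=" + wpa_psk(ssid, passphrase),  # hex PSK: the passphrase never reaches the card
              "    priority=%d" % priority,
              "}"]
    return "\n".join(lines)


def render_wpa_supplicant(networks: list) -> str:
    """Full config: the header from the thread plus one block per (ssid, passphrase, priority)."""
    head = ["ctrl_interface=/var/run/wpa_supplicant", "ctrl_interface_group=0", "ap_scan=1", ""]
    blocks = [network_block(s, p, prio) for s, p, prio in networks]
    return "\n".join(head + blocks) + "\n"


if __name__ == "__main__":
    # Constructed sample networks; write the output to wpa_supplicant.conf on the exFAT partition.
    print(render_wpa_supplicant([("NETGEAR91", "correct horse battery", 3),
                                 ("Linksys00758", "another passphrase", 2)]))
```

The hex PSK is still a network secret (whoever has it can join), so this is a containment measure, not a substitute for using a dedicated IoT SSID for the camera.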
Not working. I tried to check if the wpa_supplicant.conf file is correctly used and I saw that this file is copied into the /etc directory of the SD card. So I assume that the boot process and scripts are running correctly when powering on the camera.
Are there any log files I can check, written somewhere on the SD card, to find out where the problem could be? Or can you see something else to check/try? Thank you.
Sorry to jump in, but I just want to know if it is a prerequisite to program the custom bootloader from @anmaped in order to flash openfang on the camera; I am really missing the RTSP stream. Mi Home is very unstable for me.
@llimz Strange! Are you using the compiled bootloader? If the file was replaced, it means that the init scripts are running.
You could add the command `dmesg > /var/log/mycurrent.log` to the init script file S01logging to dump the dmesg output to a file.
@jesperrix Yes, it only works with the new bootloader.
@anmaped Actually, I just found out that it is working! Yes, I'm using the compiled bootloader. I still have the blinking orange LED BUT I can reach the IP cam with SSH. The remaining problem is that the IP address and the MAC address change every time I power the camera down/up... I will open a new thread in your GitHub project after some investigation here to see why I had this behaviour. Many thanks for your help!
@jesperrix I bought a chip programmer with a clamp on AliExpress. No need to unsolder the chip to program it! https://fr.aliexpress.com/item/EEPROM-Flash-BIOS-USB-programmeur-SICO8-adaptateur-sop8-clip-avec-c-ble-1-8-Vadapter-CH341/32922583416.html?spm=a2g0s.9042311.0.0.2f4d6c37r5IcYL
OK, flashed the chip with anmaped's bin file and the camera came back to life.
Now, I cannot flash the bootloader onto the chip without getting the error message:

```
Write ok! Try to verify... Read started!
Error while writing. Check your device. May be it need to be erased.
```

@llimz could you make me a dump of your flash chip which already includes the bootloader? I'm having trouble getting the bootloader into my dump/chip without screwing it up.
I would be very thankful if you could send me a dump which I "just" need to get onto my Mijia, like I did with the dump file of anmaped.
Thanks
@therosss You just need the bootloader bin and nothing else. Try to erase the nand/nor before.
@anmaped Sure :)
I can take care of a little guide.
Pictures will follow later on.
I desoldered only 1 leg of the SOP and it was enough to be able to program it.
I'll try erasing the chip and then applying the bootloader binary only (which is only about 200 kB), which I got from the latest release from 2 months ago.
@therosss What pin? The reset line? This bootloader will not work; I will provide you with the new binary.
@anmaped Preferably pin 8, VCC, as anything else might power up the rest of the board through the SOP chip (something which happens if you don't desolder anything off the board).
I'm still struggling with the bootloader flashing, as my camera dies when I flash it.
As soon as I get that done, I will buy another camera and do a whole tutorial, from disassembling the camera to installing the CH341A programmer on a clean Linux VM, up to flashing the SOP and preparing the SD card including the WiFi credentials file. But I need to get this sorted out first before I write a guide which might not work properly.
I can provide the last bootloader I compiled on a public URL. But @anmaped, you may prefer to publish first on the release page of your GitHub repo?
@anmaped uploaded me a bootloader in his issues thread. But as said above, after erasing the SOP and then flashing the bootloader binary onto it, the camera acts like it's dead.
- Desoldered a pin.
- used `./ch341prog -e` to erase the SOP
- used `./ch341prog -w u-boot-lzo-with-spl_t20_64M.bin` to write the bootloader

Console output:

```
Device reported its revision [4.03]
Manufacturer ID: ef
Memory Type: 4018
No CFI structure found, trying to get capacity from device ID. Set manually if detection fails.
Capacity: 18
Chip capacity is 16777216 bytes
File Size is [215873]
Write started!
Write ok! Try to verify... Read started!
Write completed successfully.
All done.
```

SDs are already prepared.
But not even a LED blinks, the cam is dead. When re-flashing the untouched dump from anmaped, the cam works again (yet without any bootloader installed).
Might it be because my SOP is a 128M one instead of a 64M one?
I'm kinda lost here :/
I did not have to unsolder any pin for programming the camera here. I only had to unplug the board from the IR LED and MIC (the front panel).
Here are the 2 bootloaders I compiled on the 2nd of February (64 and 128 MB):
u-boot-lzo-with-spl_t20_64M.bin.zip
u-boot-lzo-with-spl_t20_128M.bin.zip
Thanks for the input @llimz
I took all wires out and even unplugged the lens module from the board, still no way to program the SOP while it is soldered on the board :( Kind of annoying having to de-solder 1 pin each time I want to flash the SOP.
Anyway, the bootloader does its thing.
anmaped gave me a compiled rootfs image and the cam is now booting up properly.
Just having issues with the web UI not working properly, IR lights or any kind of lights not working and so on, but that's not surprising, having in mind that the image was previously for another camera :)
I'll order another cam and make the tutorial for it.
Might take 1-2 weeks until it's done properly.
Cheers
I'm using the 64MB version. The file is too big. I put it on WeTransfer: https://we.tl/t-h6XYvLRvH8
Thanks @llimz
I'm in the process of ordering a new cam to make a full guide for the process.
Great work @therosss
Have fun reading this everyone: https://dgiese.scripts.mit.edu/talks/DEFCON26/DEFCON26-Having_fun_with_IoT-Xiaomi.pdf
I have an SXJ02ZM, version 3.4.5_0046, with white back.
Can I integrate it with Home Assistant, and how? So many discussions but no positive answer :(
I did not get my hands on a new cam yet, but I am still trying to, so I can make the promised guide for you guys!
The cam is on its way, but it can take 2 more weeks until it arrives from China.
I will do a complete guide then.
@anmaped could you prepare a release on your repo by then?
I'd like to avoid the compilation for now :)
@perrykipkerrie yes, you should order one as you will need it. You will also have to desolder 1 leg of the SOP.
Some people say they can program the SOP without having to desolder anything, but in my case that didn't work out.
@anmaped
Ready for a release?
I just received the cam and will take care of a guide in 2 days.
What about SXJ02ZM and RTSP?
Works :)
> Works :)

How can I use RTSP? I wrote the release0.8.7 folder with configs to the flash, but RTSP does not work.
Your cam is not compatible with this Release.
You have to Flash the bootloader of Openfang from @anmaped
This involves soldering and SOP flashing.
I will release a guide shortly after I get a compiled release. You will have to buy additional hardware to flash your camera.
> Your cam is not compatible with this release.
> You have to flash the bootloader of openfang from @anmaped.
> This involves soldering and SOP flashing.
> I will release a guide shortly after I get a compiled release. You will have to buy additional hardware to flash your camera.

What hardware do I need to buy?
What about the support of "Original Xiaomi Mijia Smart Camera 1080P 130 Wide Angle 2.4GHz" with CMIIT ID 2018DP2586?
@therosss Could you use this image as an example: https://we.tl/t-eouUKOh9Hb ? I would like to include your guide in the new settings of the new release.
Something like we have for wyzecp1: https://github.com/anmaped/openfang/blob/master/doc/wyzecp1_instructions.md
A. Hack (the reason why we are writing in this repository)
B. Openfang installation instructions
Hi,
Where can I find the guide to add RTSP on this camera? (https://m.joybuy.com/600356031.html) (seems linked to the description but not the colour)
@anmaped will do so this weekend.
@anthosz that is the Mijia 1080p V3 (usually cheaper to get). To add RTSP on it, you need to hack it a little bit. You need to get the openfang bootloader from anmaped onto the cam. Unfortunately this can only be achieved by using a programmer to flash the openfang bootloader into the SOP.
This repo of mijia-1080P-hacks is outdated and abandoned. You need to go to the openfang repo.
So far, so almost good....
I'm doing the guide and went quite far.
Yet I seem to have a problem with your image @anmaped.
The second partition shall be exFAT, I presume, like on the other ones.
The cam boots, does some blinks, and then stays at orange with very short purple blinking once in a while.
After each boot, the cam re-writes the "default" wpa_supplicant.conf in /etc.
It looks like the cam can't read my wpa_supplicant.conf from the other partition and therefore does not connect to any network :(
Just use the openfang access point to configure the wireless network!
Ah riiiight
Just saw it was launching an AP.
When connecting to it, I can SSH into it.
Unfortunately I can't sudo as admin in order to edit the wpa_supplicant.conf.
I can't see any info in your documentation @anmaped.
If you would guide me real quick, I'd be thankful to add this to the guide.
Maybe I just need the user and password of the root account.
Edit..
I was able to sudo into root after all.
After editing the wpa_supplicant.conf and rebooting the cam, it still does not connect to the network.
Any hint?
If you are connected to the camera AP, just open a web browser to the access point IP address. Log in with admin/admin and go to the settings/wireless tab to set up the WiFi connection.
With my camera, the IP address to use is 192.168.14.1 when connected to the AP.
Edit 2 ...
There was no lighttpd service running, as /etc/ssl/lighttpd.pem is empty.
I disabled the rewrite rule and took all the HTTPS stuff out of lighttpd, and it booted. After that I was able to change the wireless settings and got the cam into my network now.
This clearly is a bug in the current release.
I guess I will not include this in my tutorial, as this might be fixed by @anmaped in the next release.
BTW, is there any Discord channel or something else where we can discuss this? We're using an issue thread of a repo which isn't even OpenFang :D
It's not a bug. You have to use the web UI to configure the model and wireless network.
Use the openfang gitter channel.
@therosss Is there anything new about the guide / tutorial, or where can I support?
Here's the guide, @jannodeluxe @anthosz @perrykipkerrie @axlerose. No need for anything at the moment. Feel free to let me know if anything is wrong.
https://github.com/therosss/openfang/blob/master/doc/SXJ02ZM/SXJ02ZM_instructions.md
@therosss thank you very very much; I'm waiting for the programmer and then I'll try your guide.
Good job with the documentation, @therosss
And thanks @anmaped for making openfang available for this camera version.
@therosss just a note: the command I had to use to start lighttpd after generating the certificates was:

```
./S50lighttpd start
```

Edit: Also, for whatever reason the generated key kept getting deleted. I realized it's from these lines in S02factory:

```
# restore the SSL certifcate
nvram get rtdev certificate > "/etc/ssl/lighttpd.pem"
```

I tried saving the generated key in nvram via `nvram set rtdev certificate "$(cat /etc/ssl/lighttpd.pem)"`, but that didn't persist across reboots for whatever reason.
I decided to comment out the above line in S02factory for things to work well after reboots.
Also I didn't need to de-solder any pin for the programmer to work 😄
Hey John,
Thanks for the input. You are right, it was S50 :)
Anyway, the bug is fixed in the last commit, and you don't need to do those steps anymore.
Please check the original repo from anmaped to see the latest changes.
Feel free to join the conversation over gitter.
We need more people to get involved into this project :)
I'd like to see an integration into dustcloud, for example ;)
I already heard from someone around that he didn't have to desolder anything; lucky you. It never worked like that with my devices.
I could eventually add this to the documentation, but I guess most people will run into the same problem as I did.
Can anyone provide me a new link to u-boot-lzo-with-spl_t20_64M.bin? The shared links above are expired.
Never mind, I managed to compile the .bin using the Docker container. Thanks for the work!
Hi,
I'm interested in the RTSP protocol; is it possible with the openfang firmware?
Thanks very much, and excuse me for my level of English.
Hello, would someone have a link to u-boot-lzo-with-spl_t20_64M.bin?
After reprogramming, the LED no longer lights up. The file is only 236 kB while the original file is 16 MB.
Does the rest of the memory have to be at FF?
@mrhang22 The same happened to me; after that I compiled the last version and it works now.
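The questions about chip size and the rest of the chip being FF come up twice in this thread: the `ch341prog` output further up (manufacturer `ef`, memory type `40`, capacity `18`) and the 236 kB-bootloader-versus-16 MB-dump question just above. The following is an added example (not code from this thread, openfang or ch341prog) that decodes a JEDEC ID the way the programmer does (capacity byte is a power of two, so `0x18` is 2^24 = 16 MiB, i.e. the 128 Mbit of a W25Q128 whatever its suffix), pads a short bootloader to a full-chip image with 0xFF (the erased state of NOR flash, so the padding is equivalent to leaving those sectors erased), and compares a read-back dump against what was written so a "write ok / verify failed" result can be diagnosed by offset instead of by guessing. The sample bootloader and dump are constructed.

```python
# Manufacturer byte of the JEDEC ID (first byte returned by the SPI RDID / 0x9F command).
JEDEC_MANUFACTURERS = {
    0xEF: "Winbond",
    0xC2: "Macronix",
    0x20: "Micron/ST",
    0x01: "Spansion/Cypress",
    0x1F: "Atmel/Adesto",
}


def decode_jedec_id(jedec: bytes) -> dict:
    """Decode the 3-byte ID: manufacturer, memory type, and capacity as a power of two."""
    if len(jedec) != 3:
        raise ValueError("expected 3 ID bytes")
    mfr, mtype, cap = jedec
    # 0x10..0x21 covers 512 Kbit .. 16 Gbit; 00 00 00 or ff ff ff means the clip is not making contact.
    if not 0x10 <= cap <= 0x21:
        raise ValueError("implausible capacity byte 0x%02x (bad read?)" % cap)
    return {
        "manufacturer": JEDEC_MANUFACTURERS.get(mfr, "unknown (0x%02x)" % mfr),
        "memory_type": mtype,
        "capacity_bytes": 1 << cap,
    }


def pad_to_chip(image: bytes, capacity: int) -> bytes:
    """Pad a short image (e.g. a ~236 kB bootloader) with 0xFF to a full-chip file."""
    if len(image) > capacity:
        raise ValueError("image (%d bytes) larger than chip (%d bytes)" % (len(image), capacity))
    return image + b"\xff" * (capacity - len(image))


def first_mismatch(dump: bytes, expected: bytes) -> int:
    """Offset of the first byte where dump differs from expected, or -1 if expected is fully present."""
    if len(dump) < len(expected):
        return len(dump)
    for off, (a, b) in enumerate(zip(dump, expected)):
        if a != b:
            return off
    return -1


def erased_blocks(blob: bytes, block: int = 4096) -> int:
    """Number of fully erased (all 0xFF) blocks; 4 KiB is the sector size of these parts."""
    ff = b"\xff" * block
    return sum(1 for off in range(0, len(blob), block) if blob[off:off + block] == ff)


def analyze_dump(dump: bytes, expected_capacity: int, bootloader: bytes = None) -> dict:
    """Sanity-check a read-back dump: size, erased state, and whether the bootloader landed intact."""
    report = {
        "size_ok": len(dump) == expected_capacity,
        "all_ff": dump == b"\xff" * len(dump),
        "all_00": dump == b"\x00" * len(dump),
        "erased_blocks": erased_blocks(dump),
    }
    if bootloader is not None:
        report["first_mismatch"] = first_mismatch(dump, bootloader)
        report["bootloader_matches"] = report["first_mismatch"] == -1
    return report


if __name__ == "__main__":
    # Constructed sample: a fake 1 KiB bootloader written to an erased 1 MiB chip.
    boot = bytes(range(256)) * 4
    chip = decode_jedec_id(bytes.fromhex("ef4018"))
    print(chip)
    dump = pad_to_chip(boot, 1 << 20)
    print(analyze_dump(dump, 1 << 20, boot))
```

With a real read-back (`ch341prog -r dump.bin`), `analyze_dump(open("dump.bin","rb").read(), 16777216, open("u-boot-lzo-with-spl_t20_64M.bin","rb").read())` tells you whether the bootloader bytes are actually on the chip; `all_ff` or `all_00` on a read after a write almost always means a clip contact problem or the board being back-powered through the chip, not a bad image.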
Here you go, the bin and the rootfs: https://mega.nz/#F!0xtVSayS!DxZawSANY2IIXhypJG_UJQ
So following the guide will be enough to get this done?
@mgx0 yes, I can confirm it works, but I think it needs some changes:
- I didn't need to de-solder anything; just using the clamp was enough to flash.
- The guide says to go to the releases page and flash the last version, but that one (rc5) isn't working with this camera; you have to compile it yourself or use the files I shared above.
Could somebody make a guide on how to flash the chip with a Raspberry Pi?
@pablo-tx perfect, thanks. I'm waiting for my programmer to arrive and then I'll do it. I'll post my results here. Good job, folks!
@pablo-tx this is a random thing with desoldering a leg or not. I had a few cams and I had to desolder the VCC leg. Regarding the release, I was hoping that @anmaped would release an RC for people to get started, at least to be able to flash their ICs. This didn't happen yet.
Feel free to push a guide refinement about this :)