EliasKotlyar / Xiaomi-Dafang-Hacks


Wyze Cam Pan units shipping with broken bootloader #1563

Closed agent86ix closed 3 years ago

agent86ix commented 3 years ago

Description

I recently purchased 2 new Wyze Cam Pan units from a major US retailer. I attempted to install Dafang Hacks on them, but failed. I went through the typical troubleshooting steps with no luck. I then tried stock Wyze firmware - direct from their download site - and this also failed. No matter what firmware I put on the card, the camera refuses to flash it.

I found this thread on the Wyze forums with people mentioning similar issues trying to swap the stock firmware with the RTSP build - https://forums.wyzecam.com/t/cant-flash-firmware-to-cam-pan/95238

The impacted models appear to contain code "F00" in the QR code on the back of the unit (and on the back of the box).

Note that flashing via the app works fine.

What did you do to debug the issue

After consulting with others on the Gitter channel (thanks @tachang), I decided to open one of the cameras and solder serial headers on. According to the serial logs (see below) the bootloader is attempting to flash the firmware, and finds the card/partition/binary just fine, but fails to write the flash.

It also appears that the routine for writing a new binary is called regardless of whether or not the "SETUP" button is held during startup.

Evidence

With demo.bin from an official Wyze release and SETUP button held the serial output looks like:

Hit any key to stop autoboot:  1  0 
jiabo_do_auto_update!!!!!!!!!!!!!!!!!!!!!!!!
gpio_request lable = sdupgrade gpio = 46
setup_button set long!!!!!!!!!!!!!!!!!!!
Interface:  MMC
  Device 0: Vendor: Man 000002 Snr 00351a00 Rev: 9.12 Prod: SA02G
            Type: Removable Hard Disk
            Capacity: 1946.0 MB = 1.9 GB (3985408 x 512)
Filesystem: FAT32 "NO NAME    "
the id code = 1c7018
unsupport ID is if the id not be 0x00,the flash is ok for burner
the manufacturer 1c
SF: Detected FM25Q64

reading demo.bin
reading demo.bin
jiabo_au_check_cksum_valid!!!!!!!!!!!!!!!!!!!!!!!!
jiabo_idx=4
misc_init_r before change the blue_gpio
gpio_request lable = blue_gpio gpio = 39
misc_init_r after gpio_request the blue_gpio ret is 39
misc_init_r after change the blue_gpio ret is 0
jiabo_start=40000,jiabo_len=a90000
flash erase...
len plus offset more than flash size!
sfc erase error
SPI flash sector erase failed
the id code = 1c7018
unsupport ID is if the id not be 0x00,the flash is ok for burner
the manufacturer 1c
SF: Detected FM25Q64

--->probe spend 12 ms
SF: 2621440 bytes @ 0x40000 Read: OK
--->read spend 381 ms
## Booting kernel from Legacy Image at 80600000 ...

Same demo.bin, but SETUP button NOT held during boot:

Hit any key to stop autoboot:  0
jiabo_do_auto_update!!!!!!!!!!!!!!!!!!!!!!!!
gpio_request lable = sdupgrade gpio = 46
the id code = 1c7018
unsupport ID is if the id not be 0x00,the flash is ok for burner
the manufacturer 1c
SF: Detected FM25Q64

jiabo_update_to_flash!!!!!!!!!!!!!!!!!!!!!!!!
jiabo_au_do_update!!!!!!!!!!!!!!!!!!!!!!!!
start=0
start=40000
len=40000
flash check read...
FWGRADEUP=kernel+drivers!!!!!!!!!!!!!
back flash read...
kenral flash erase...
drivers flash erase...
kernel flash write...
drivers flash write...
flag flash earse...
len plus offset more than flash size!
sfc erase error
SPI flash sector erase failed
the id code = 1c7018
unsupport ID is if the id not be 0x00,the flash is ok for burner
the manufacturer 1c
SF: Detected FM25Q64

Erasing SPI flash...addr align as 10000 !
sfc erase error
the id code = 1c7018
unsupport ID is if the id not be 0x00,the flash is ok for burner
the manufacturer 1c
SF: Detected FM25Q64

--->probe spend 12 ms
SF: 2621440 bytes @ 0x40000 Read: OK
--->read spend 381 ms
## Booting kernel from Legacy Image at 80600000 ...

Contribute Back

What I'd like to solve is:
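An added example (not part of the original issue or of the project's code): a small Python triage of the first serial log above, extracting the update range the bootloader prints and checking it against a flash size you supply. The function name `triage`, the reading of `jiabo_start`/`jiabo_len` as unprefixed hex, and the 8 MiB and 16 MiB candidate sizes are assumptions; the issue does not state the chip's capacity.

```python
import re

# Constructed sample: lines copied from the first serial log in the post above.
SAMPLE_LOG = """\
SF: Detected FM25Q64
jiabo_start=40000,jiabo_len=a90000
flash erase...
len plus offset more than flash size!
sfc erase error
SPI flash sector erase failed
"""

# Assumption: both values are printed as hex without a 0x prefix.
RANGE_RE = re.compile(r"jiabo_start=([0-9a-fA-F]+),jiabo_len=([0-9a-fA-F]+)")
CHIP_RE = re.compile(r"SF: Detected (\S+)")
FAILURE_MARKERS = (
    "len plus offset more than flash size!",
    "sfc erase error",
    "SPI flash sector erase failed",
)


def triage(log_text, flash_size):
    """Summarise the update attempt in a bootloader serial log.

    flash_size is the capacity in bytes the caller believes the
    bootloader is working with (an assumption, not read from the log).
    """
    report = {"chip": None, "start": None, "length": None,
              "end": None, "fits": None, "failures": []}
    for raw in log_text.splitlines():
        line = raw.strip()
        chip = CHIP_RE.search(line)
        if chip and report["chip"] is None:
            report["chip"] = chip.group(1)
        rng = RANGE_RE.search(line)
        if rng:
            start, length = int(rng.group(1), 16), int(rng.group(2), 16)
            report.update(start=start, length=length, end=start + length,
                          fits=start + length <= flash_size)
        if line in FAILURE_MARKERS:
            report["failures"].append(line)
    return report


if __name__ == "__main__":
    for size_mib in (8, 16):  # assumed candidate capacities
        r = triage(SAMPLE_LOG, size_mib * 1024 * 1024)
        print(f"{size_mib} MiB: end=0x{r['end']:x} fits={r['fits']} "
              f"failures={len(r['failures'])}")
```
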

xVadr commented 3 years ago

I have the exact same problem with a Wyze Cam Pan, same code "FOO". I found the same forum entry, but I have not tried the headers. Looking for other options, I found this tool: https://github.com/HclX/WyzeUpdater

which tries to emulate the Wyze App and pushes any arbitrary firmware to the cam. I see the cam going through a flash cycle (by cycle in the LED) and then reboot, the same as in the many, many attempts I did with many SD cards. Still nothing, but at least it removed the uncertainty about the SD, format/partition, etc.

Since his tool emulates the App, and the App did push a firmware for me initially (before I knew better), I think there may be an improvement/mod that can be done to this tool to make it work successfully even for these broken-boot-loader Pans. At least it should help speed up your tests and/or maybe @HclX himself could help us diagnose further.

agent86ix commented 3 years ago

@flxCarlosA thanks for the pointer! I'm looking into using that tool. I also encountered an issue trying to update. I captured a serial log and posted it as https://github.com/HclX/WyzeUpdater/issues/2

agent86ix commented 3 years ago

@flxCarlosA if you're feeling brave: https://github.com/agent86ix/wyze-cam-pan-sd-flash-fix

I've tested it on both of my F00 Pans and both were able to go through the process successfully. After the fix was applied, I could use the SD card flashing routine like a "normal" Pan.

xVadr commented 3 years ago

Thanks a lot @agent86ix and @HclX, I'm so happy I came across the WyzeUpdater and then this post and now thanks to both of you I could finally update my Wyze Pan after 2 months of frustration.

agent86ix commented 3 years ago

@flxCarlosA Fantastic! If you're feeling generous, maybe post in the Wyze forum thread to let them know about the fix? I'd do it, but I don't want to go be self-promotional over there.

stale[bot] commented 3 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.