EliasKotlyar / Xiaomi-Dafang-Hacks


Can't install CFW on Dafang 2017DP3894 on 5.5.1.353 #669

Closed DanielePetrarolo closed 3 years ago

DanielePetrarolo commented 5 years ago

Hello everyone

I really can't install the CFW on my dafang DF3 1080p. I tried everything. Download cfw from 1.0 to 1.3, put on microsd, hold setup button then powered and release at different times. I tried 2 different microsd from Lexar: one is 16GB the other is 8GB. Every time I try to flash, the camera starts to spin in just 20 seconds, and when I test the blue shining led, I don't get it. Also, passing the steps above gives me no result. The camera always uses the original firmware. On MiHome the camera is on firmware 5.5.1.353.

Can you give me some advice?

Maybe my DaFang is a new version? I have bought it some weeks ago.

DanielePetrarolo commented 5 years ago

Me too tried to downgrade: no success. I think the problem is the same: on 353, every demo.bin must be lighter than the ones published now. At the moment, every dafang on 353 can't be hacked or downgraded.

Shaker1978 commented 5 years ago

Sorry, if I can't be bothered to read everything.

I was having problems, too. The blue light just won't come on. I was using a 1GB microSD card at first. I HAD TO use a 64MB card to finally flash the hacked FW. Don't try a small partition, try a microSD card < 1GB, maybe only 64, like me.

TimvdEijnden commented 5 years ago

@sanjeewasam @Shaker1978 Can you both confirm that you successfully downgraded using a microSD card?

M203 commented 5 years ago

Also, please verify that you downgraded from the fw in question, i.e. 5.5.1.353. It didn't work for me.

nicolas-fricke commented 5 years ago

Just to chime in, I am experiencing the exact same issues with an older FW version: 5.5.1.285.

I've tried four different micro SD cards (2GB, 8GB, two different 32GB). But the Dafang cam just jumps into the normal startup sequence. I've ensured via terminal that there are no files other than the demo.bin on the card and that this has the correct checksum. I've also tried smaller partitions (both FAT16 and FAT32), without success. The startup sequence is always the same @DanielePetrarolo described here. I also kept it "flashing" for much longer (~15 min), but without any difference. And when I re-insert the SD card into my computer, I then have record and time_lapse folders, the first one holding videos from right after the calibration phase.

I also tried other versions of the CFW firmware, as well as downgrading to an even older firmware, all with the exact same outcome: The cam just won't flash from any SD card.

In the next days I'll try getting some more info via the serial connection. Please tell me if there's something specific I should check. Looking forward to getting this fixed :)

Specs: Xiaomi Dafang camera, CMIIT ID: 2017DP3894, Firmware Version: 5.5.1.285, Serial Number: DF3-00402***, purchased from here.

nicolas-fricke commented 5 years ago

Small update from my side, sadly with no good news. I have successfully installed & connected the serial port and eventually managed to downgrade to the 5.5.1.200 firmware from this repository using the dd commands from @jplh42's comment. But even after a (seemingly) successful downgrade to the 200 firmware, I still cannot flash the CFW firmware due to the "len plus offset more than flash size!" error.

Here's the log output I get via the serial port: cfw_flash.log

Similarly to the size issues we're getting in the regular shell, interrupting the startup sequence to get to the isvp_t20 shell and trying to flash it that way causes the same issues:

isvp_t20# fatload mmc 0:1 0x80600000 demo.bin 0xa8ffc0 0x40
reading demo.bin
11075520 bytes read in 672 ms (15.7 MiB/s)
isvp_t20# sf probe
the id code = 1c7018
unsupport ID is if the id not be 0x00,the flash is ok for burner
the manufacturer 1c
SF: Detected FM25Q64

--->probe spend 11 ms
isvp_t20# sf update 0x80600000 0x40000 0xa90000
ERROR: attempting update past flash size (0x800000)
--->update spend 5 ms
isvp_t20# 

Just a few pointers if others try to follow this process, too:

If anyone has other ideas on what might work, I'd be more than happy try them :)

hansaya commented 5 years ago

Any updates on putting the firmware on a diet or a way to properly downgrade?

moritzj29 commented 5 years ago

@nicolas-fricke have you tried installing the custom firmware using the dd commands for the single elements of the firmware or did you try flashing via SD card after downgrading? as far as I understand, flashing the CFW using dd commands should be possible? Until now I had no time/ambitions to try the serial connection for myself :D

magunz commented 5 years ago

Any update with that? I suggest to put a note on the Project main PAGE to inform the people about this problem!! I have spent hours in trying to install the CFW in my new Xiaofang. ATM the Xiaofang (T20) with the latest firmware (or if updated to it) ARE NOT SUPPORTED!!! SO it's fair to inform people before they buy the camera, or before they update the camera. https://github.com/magunz/Xiaomi-Dafang-Hacks/blob/ed888cff9001fcf80ecb796e2c614ff741eed895/README.md Thank you!!

magunz commented 5 years ago

Sorry about the typos in my commit (above), feel free to change it

hansaya commented 5 years ago

same applies for Wyzecam Pan camera as well

corvy commented 5 years ago

No one found any workarounds here? Downgrading or other?

magunz commented 5 years ago

Sorry Guys to insist.. Can you please upgrade the project main page specifying some model ARE NOT SUPPORTED ANYMORE with the latest firmware or if upgraded. THERE IS PEOPLE LIKE ME WHO BOUGHT CAMERAS JUST BECAUSE that page says are supported. It cost nothing to change it and it's fair. What do you think?

jmtatsch commented 5 years ago

@magunz I think you have pretty high expectations for a little project called dafang hacks maintained by some people in their free time. I suggest you stop shouting around immediately and start learning how to do a proper pull request on GitHub. If you manage to collect proper data on which versions didn't work on which camera models and for which users I may choose to merge it.

jmtatsch commented 5 years ago

@nicolas-fricke can you please attempt to create a new cfw based on 5.5.1.353

magunz commented 5 years ago

@nicolas-fricke I have committed the changes here a week ago https://github.com/magunz/Xiaomi-Dafang-Hacks/blob/ed888cff9001fcf80ecb796e2c614ff741eed895/README.md Hey I am trying to help here informing people in the real status of the project.. Do you agree with that? Reporting issues, updating status, and documenting is an important part of contributing. So my changes to the README.md file have been committed.. So what i did wrong?

hellad commented 5 years ago

Let me add the information about problem with Dafang camera latest firmware 5.5.1.391.

I have not seen this thread before and was sure I can do experiments with my Dafang camera freely. I successfully hacked the camera and played with it a few days. Then I upgraded firmware to the latest original version from 5.5.1.287 to 5.5.1.391 from Xiaomi. That was a big fault! After that the camera did not recognise microSD cards at all. Only usb flash can be used to record video. If I'm not mistaken, now the only way to hack/downgrade the camera is to use the dd commands from @jplh42's comment. Thus, I'd like to support the efforts of @magunz and appeal to make changes on the main page of this project. Users should not upgrade original firmware!!! (at least till the moment the new solution will be found).

EliasKotlyar commented 5 years ago

Hello everyone,

Can someone summarize what is the exact problem? Can someone provide a dump of the latest firmware(5.5.1.391)? I suppose that they are providing somehow a new updated bootloader in the latest firmware. We can try to bypass it somehow, but need some more investigation.

Also I have edited the main page to warn new users.

Ok, after a short investigation, I think I know what happened. Here is the code for the error which appears when you try to flash a new memory:

isvp_t20# sf update 0x80600000 0x40000 0xa90000
ERROR: attempting update past flash size (0x800000)

https://github.com/Dafang-Hacks/uboot/blob/a1d19316522425d61035a9e897e9d8b0424b7f74/common/cmd_sf.c#L255

It appears that the maximal flash size which can be flashed is only 0x800000 in this type of bootloader. In comparison, here is a positive flash log: https://github.com/EliasKotlyar/Xiaomi-Dafang-Hacks/blob/master/information/flashlog.md

Greetings Elias

EliasKotlyar commented 5 years ago

Can someone with this error try to create a smaller firmware package without the appfs/driver? Just uncomment these variables in the packer script. I suppose that it could be used for flashing.

hansaya commented 5 years ago

I created a new image without appfs but same issue as before.

reading demo.bin
reading demo.bin
jiabo_au_check_cksum_valid!!!!!!!!!!!!!!!!!!!!!!!!
jiabo_idx=4
misc_init_r before change the blue_gpio
gpio_request lable = blue_gpio gpio = 39
misc_init_r after gpio_request the blue_gpio ret is 39
misc_init_r after change the blue_gpio ret is 0
jiabo_start=40000,jiabo_len=a90000
flash erase...
len plus offset more than flash size!
sfc erase error
SPI flash sector erase failed
the id code = 1c7018
unsupport ID is if the id not be 0x00,the flash is ok for burner
the manufacturer 1c
SF: Detected FM25Q64

After removing appfs, firmware_hacked.bin went down to 6225984 bytes from 11075648 bytes. I used wyzecam pan to test it.
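An added example (not part of the thread or of the project's code) that replays the range check behind both error messages, using the offsets, lengths and file sizes quoted in the comments above. The function names and the 0x40-byte header length are assumptions; the sample log is constructed from lines posted in this thread.

```python
import re

# Constructed sample: console lines copied from the two logs quoted in this thread.
SAMPLE_LOG = """\
isvp_t20# sf update 0x80600000 0x40000 0xa90000
ERROR: attempting update past flash size (0x800000)
jiabo_start=40000,jiabo_len=a90000
len plus offset more than flash size!
"""

# Assumption: demo.bin is a 0x40-byte header followed by the payload
# (the fatload command in the thread starts reading at position 0x40).
HEADER_LEN = 0x40

SF_UPDATE = re.compile(r"sf update\s+(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+(0x[0-9a-f]+)", re.I)
JIABO = re.compile(r"jiabo_start=([0-9a-f]+),jiabo_len=([0-9a-f]+)", re.I)
FLASH_SIZE = re.compile(r"past flash size \((0x[0-9a-f]+)\)", re.I)


def check_range(offset, length, flash_size):
    """Return (fits, end, overrun) for writing `length` bytes at `offset`."""
    if offset < 0 or length <= 0 or flash_size <= 0:
        raise ValueError("invalid offset, length or flash size")
    end = offset + length
    return end <= flash_size, end, max(0, end - flash_size)


def analyse(log):
    """Test every offset/length pair in a console log against the reported flash size."""
    m = FLASH_SIZE.search(log)
    if not m:
        raise ValueError("no flash size reported in log")
    flash_size = int(m.group(1), 16)
    findings = []
    for m in SF_UPDATE.finditer(log):
        # Arguments are: RAM address, flash offset, length.
        off, length = int(m.group(2), 16), int(m.group(3), 16)
        findings.append(("sf update", off, length) + check_range(off, length, flash_size))
    for m in JIABO.finditer(log):
        # The SD-card update path prints hex values without a 0x prefix.
        off, length = int(m.group(1), 16), int(m.group(2), 16)
        findings.append(("sd update", off, length) + check_range(off, length, flash_size))
    return flash_size, findings


def payload_fits(file_size, offset, flash_size):
    """Would the payload of a demo.bin of `file_size` bytes fit at `offset`?"""
    return check_range(offset, file_size - HEADER_LEN, flash_size)


if __name__ == "__main__":
    size, rows = analyse(SAMPLE_LOG)
    for src, off, length, fits, end, over in rows:
        print(f"{src}: 0x{off:x}+0x{length:x} ends at 0x{end:x}, fits={fits}, overrun=0x{over:x}")
    for name, fsize in (("full image", 11075648), ("without appfs", 6225984)):
        fits, end, over = payload_fits(fsize, 0x40000, size)
        print(f"{name}: ends at 0x{end:x}, fits={fits}")
```

By this arithmetic the 6225984-byte image would end at 0x630000, inside the reported 0x800000, yet the log posted with it still shows jiabo_len=a90000.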

EliasKotlyar commented 5 years ago

Can someone dump the new bootloader and provide it here? I would install it on my camera and try to investigate the issue.

Greetings Elias

hansaya commented 5 years ago

do you have any documentation on how can I go about doing this? I have the serial line hooked up and I can interrupt the booting sequence to get into uboot.

hansaya commented 5 years ago

I managed to dump the memory from 0x000000000000 to 40000 using md.b 0x000000000000 40000

I hope this is what you want and I'm really new to Uboot :) putty.log

EliasKotlyar commented 5 years ago

You can use the following Tutorial: https://github.com/EliasKotlyar/Xiaomi-Dafang-Hacks/blob/master/hacks/firmware-dump.md

hansaya commented 5 years ago

I saw that but I'm having issues logging in with root ismart12 password. However i was able to get a root shell from uboot but then i couldn't change password without passwrd and could not get it to dump the firmware. Unless I'm missing something. Is there a difference between normal boot vs manually boot?

hellad commented 5 years ago

Can somebody tell me what codepage is used by the camera (or terminal) while booting to display all that diagnostic information? I disassembled my camera with the latest firmware (5.5.1.391), connected a usb-to-serial ftdi adapter to a Raspberry and tried to see picocom output. Unfortunately it looked like an unreadable set of characters (like wrong baud rate or coding applied). Part of that output to illustrate:

pi@hassbian:~/test $ sudo picocom -b 115200 /dev/ttyUSB0
picocom v3.2a

port is : /dev/ttyUSB0
flowcontrol : none
baudrate is : 115200
parity is : none
databits are : 8
stopbits are : 1
escape is : C-a
local echo is : no
noinit is : no
noreset is : no
hangup is : no
nolock is : no
send_cmd is : sz -vv
receive_cmd is : rz -vv -E
imap is :
omap is :
emap is : crcrlf,delbs,
logfile is : none
initstring : none
exit_after is : not set
exit is : no

Type [C-a] [C-h] to see available commands Terminal ready ▒֪J▒BB.~▒▒▒~6>:2F>"~^▒jr~6:~6>:"~J~:..22Z▒▒▒ɒ(K$K▒1f2eyy=p▒&Ғ▒R%r▒▒S▒&▒▒▒▒▒▒▒O▒=▒▒ɒ(N&L4▒▒2▒S▒▒▒▒▒▒ɒ(N&L4▒▒▒2▒S▒s▒▒▒▒ɒ(N&L4▒▒▒2▒S▒s▒▒▒▒ɒ(N&L4N▒ɑS▒▒▒▒▒▒ɒ(N&L4▒3▒ɑS擦O▒=02R&f▒3▒▒S▒▒▒r▒▒S▒▒▒r▒▒S▒ӦO▒=r>>r6~Z2~>6.>.>>▒▒▒^▒K▒▒▒▒▒▒▒▒&▒▒L▒▒R▒▒▒&a▒33▒▒S▒▒▒r▒▒S▒▒▒r▒▒S▒ӦO▒=r>>r6~Z2~>6z>.>>▒▒▒^▒K▒^▒▒%▒▒▒&▒▒&▒▒▒R▒▒▒&ae▒3▒▒S▒▒▒r▒▒S▒▒▒r▒▒S▒ӦO▒=r>>r6~Z2~>26>.>>▒▒▒^▒K▒/e▒%▒▒▒&f▒▒▒▒R▒֐▒▒▒▒▒▒▒▒v▒▒V▒▒O▒t:

I changed baud rates, connected the adapter to a Windows PC and tried several code pages in the MobaXterm program but without any luck. All symbols were displayed during the first 1 or 2 seconds. Is this ok?

I'd like to make firmware dump but don't realize yet how to achieve boot prompt and issue commands. Thus any explanations are appreciated.

hansaya commented 5 years ago

I was able to use PuTTY with default settings and 115200 baud rate. Make sure your adapter is compatible with 3.3v logic level and the tx pin is connected to rx and vice versa.

EliasKotlyar commented 5 years ago

@hansaya : what kind of issues do you have with logging in? is it about the whole display is spammed?

hansaya commented 5 years ago

No, it says incorrect login. I do get my screen spammed but i was able to type the user/pass fast

hellad commented 5 years ago

@hansaya I checked several times that the TX pin (middle one on picture) is connected to RX on the adapter. I also used another aten uc-232a adapter with the same unreadable text on screen. It's difficult to say surely whether my adapters support 3.3v logic level or not. As a tradeoff I can try to use one of my esp8266 boards to read serial. They should support 3.3v level I suppose.

stainlessray commented 5 years ago

> @magunz I think you have pretty high expectations for a little project called dafang hacks maintained by some people in their free time. I suggest you stop shouting around immediately and start learning how to do a proper pull request on GitHub. If you manage to collect proper data on which versions didn't work on which camera models and for which users I may choose to merge it.

This is as useless a comment as I've seen on this forum. Why so defensive? The request was well intentioned. People (myself included) make purchase decisions based on the documentation. The page is updated now which was needed. The request was not laced with any undue "expectations" as you put it.

hansaya commented 5 years ago

@hellad If you think you got the correct wires hooked up then you might have ground loop problem or signal integrity problems. Maybe shorten the wire lengths and double check the ground wire. Other thing, which camera do you own?

hmrac commented 5 years ago

Hi ppl how can i change the password and login?

peterhoeg commented 5 years ago

@hmrac, please open a new issue for questions unrelated to this issue.

hellad commented 5 years ago

@hansaya

> Other thing, which camera do you own?

I've got Xiaomi Dafang PTZ 1080P camera

hansaya commented 5 years ago

@hellad I have the same camera but from Wyze so your serial connection should work. Make sure you connected to the correct pin header with good cables.

jplh42 commented 5 years ago

@hellad, did you also connect the GND ? TX and RX only are not enough.


hellad commented 5 years ago

@jplh42 Certainly I used a 3-wire connection with RX/TX crossed. @hansaya I hoped to see boot diagnostic information easily but that did not happen. I guess it could be due to the latest firmware version, or should this part of system behaviour remain unchanged (and the problem is with my usb-to-serial cables)? By the way I've ordered an FTDI FT232RL USB To TTL Serial IC Adapter Converter Module with 3.3/5v switch. Hope it will help.

arkhub commented 5 years ago

I don't know if this can be any help, I also have the 5.5.1.391 but before updating to the latest firmware I had already installed the open source bootloader (I'd like to use the 1080p and ext3 partition) and went back to using the mi-home for a while. After reading this I've tried using the hack again (the main fat32) and the web, rtsp streaming, etc. are still functioning as normal (that's a relief). Maybe because I already use the open source bootloader?

EliasKotlyar commented 5 years ago

@arkhub : I suppose that the overriding of the old bootloader with the new bootloader happens through some routine in the old bootloader itself. So if you are using the open source bootloader, it won't be overwritten because it doesn't support that feature.

Kolin314 commented 5 years ago

I have a Wyze Pan with firmware version 4.10.0.222 but everything here is referring to the Dafang 5.5.1.353. I'm trying to find my way to the correct thread that will help me to load CFW on my Wyze Pan. There are comments here that refer to the Pan but still the FW version is not what I have.

EliasKotlyar commented 5 years ago

Hello everyone,

I have captured an update log of my Dafang. It confirms that the update-package includes a new bootloader. I am still lacking a binary of it, but I hope that I can get it sooner or later. For reference here is my update log: Update.txt

My bootloader was not overwritten with the new version, but I suppose that it has something to do with the custom bootloader which I flashed to my camera. They should use some MD5-Checks and update the old bootloader into a new one. So I would advise everyone with the hack installed to upgrade their bootloader to the open source variant. For people with newer dafangs, there is still the possibility to flash the hack using a serial connection. I hope we will find a solution for this new bootloader soon.

EliasKotlyar commented 5 years ago

Hello everyone,

I have investigated the update-process, and it really includes a new bootloader.

Here is an archive with the update, and the Update Log #2: update2.txt

Here is the received update file: 929f6e91d055e7f96a33d1f6daa5cd3e_upd_isa.camera.df3.bin.tar.gz

Extract the binary file with tar, to view its content. It includes a newer Bootloader Version: U-Boot 2013.07-gdce8f63-dirty (Nov 18 2018 - 21:09:33)

The old Bootloader (included in 5.5.1.200 Firmware) was: U-Boot 2013.07 (Jul 28 2017 - 17:10:01)

However, the bootloader is still capable of the flashing of the CFW. I have successfully installed the Dafang-Hacks CFW with the help of it.

Can someone please dump the "problematic bootloader" for investigation?

nbarrientos commented 5 years ago

For those who might have recently bought a Dafang and are unsure if the hack would work, mine was shipped on Nov 12 and came with this bootloader:

U-Boot 2013.07 (Dec 21 2017 - 18:44:33)

I know this does not help those with a problematic one but I thought it'd be useful to add another data point to the thread.

hellad commented 5 years ago

Meanwhile I can add that one more new version of firmware became available for the Dafang 1080P camera. Since my camera is quite useless at the moment I decided to do the upgrade to 5.5.1.418. Nothing changed. The camera still does not recognize usb flash and microsd cards. Only the MiHome application can be used in my case.

EliasKotlyar commented 5 years ago

I suppose that Xiaomi accidentally rolled out a new "broken" bootloader version, which has a bug which prevents it from accepting flash files. However they haven't rolled out the newer "bootloader" (which I have dumped), which does not have this bug. It may be rolled out in newer firmware versions.

a0n commented 5 years ago

Is this a Dafang specific Issue or does this bootloader update affect all types of Supported Cameras?

gdgeist commented 5 years ago

4.9.2.52 won't install bootloader

> I have a Wyze Pan with firmware version 4.10.0.222 but everything here is referring to the Dafang 5.5.1.353. I'm trying to find my way to the correct thread that will help me to load CFW on my Wyze Pan. There are comments here that refer to the Pan but still the FW version is not what I have.

WYZE Cam v2 4.9.2.52 and won't load cfw.bin flash to bootloader.

blueacidic commented 5 years ago

Currently in 5.5.1.418

Didn't manage to flash cfw either