Filipowicz251 / mijia-1080P-hacks


Creating initial hack #1

Closed Filipowicz251 closed 7 years ago

Filipowicz251 commented 7 years ago

Hi.

I'm creating a new topic where we can discuss creating a hack for the Xiaomi Mijia 1080P Smart IP Camera (not Fang, not 360)

andreq commented 7 years ago

+1 I'll see what I can do when I receive my camera

sendorm commented 7 years ago

I am willing to give it a test also. Thanks

tobbegutt commented 7 years ago

Thank you all for the help. I'm sure a lot of people will benefit from this

kollaesch commented 7 years ago

boot-uart-log can be reviewed at pastebin

Pictures follow tomorrow.

I repeat it here:

So, guys - thanks for all the previous hints! - I can confirm ... It's alive ;)

Referring to the last picture in snoerenberg's post @fang: the top right connection points are responding to TX, RX (in that order from left to right). Pictures and boot-uart-log follow.

snoerenberg commented 7 years ago

@kollaesch nice 👍

Can you "write" also something into console?

kollaesch commented 7 years ago

@snoerenberg Sry for not mentioning: Yes, I can type. But no response from the system. (If I removed the cable from TX - typing was not working) So RX and TX are working.

What would be the next steps?

snoerenberg commented 7 years ago

@kollaesch I wanted to copy the binaries from the cam to the SD card. But without response from the serial console it will not work.

On the xiaofang cam there were scripts which start a particular file on the SD card if inserted and present. I wanted to check if there is such an easy way to get root and to dig deeper into it.

Other way I want to try:

And so on 😉

itanczos commented 7 years ago

Great news! Looking forward to the developments! I am willing to give it a test also. Thanks

snoerenberg commented 7 years ago

@kollaesch can you interrupt the boot process? Press any key before the Linux kernel is loaded. Maybe we can use U-Boot functionality to dump the actual firmware.

From your UART boot log it should be possible: Hit any key to stop autoboot: 0

This could be a starter: https://reverseengineering.stackexchange.com/questions/6300/extracting-a-firmware-image-via-u-boot https://www.google.com/search?q=u-boot+dump+firmware

kollaesch commented 7 years ago

@snoerenberg Cool! I missed that. I'll check in approx. 2 hours and let you know.

snoerenberg commented 7 years ago

@kollaesch @itanczos sad that mine is still in transit ... maybe we find a hack until it's delivered ;)

andreq commented 7 years ago

@snoerenberg Same here! I'm following all those nice findings real close! Mine is sitting somewhere between China and Canada.

itanczos commented 7 years ago

Mine is already on the table. :)

kollaesch commented 7 years ago

Update: Diff from boot with pressed 'any' key ;) So this still means no active terminal via USB-UART. Also we're looking for 'tf_recovery.img'.

-Card did not respond to voltage select!
-** Bad device mmc 0 **
-there's no sdcard, ignore dfu
+read file start
+reading tf_recovery.img
+** Unable to read file tf_recovery.img **
+read file size -1
+data check start
+Invalid data len
+data check NG
 Hit any key to stop autoboot:  0
 SF: Got idcodes
00000000: c8 40 18 c8    .@..

itanczos commented 7 years ago

If I remember correctly, CTRL + C had to be pressed to interrupt on another model. Did you try?

kollaesch commented 7 years ago

Also one possible correction from my side regarding the two pins near the SoC: (I wrote the names of the USB-UART pins that have to be connected to those pins on the cam)

kollaesch commented 7 years ago

"If I remember correctly, CTRL + C had to be pressed to interrupt on another model." (from @itanczos)

That did it ... I only have two hands, so I had to use my new 'helping hand'. I'm in the DFU console.

GM # help
?       - alias for 'help'
boot    - boot default, i.e., run 'bootcmd'
bootd   - boot default, i.e., run 'bootcmd'
bootlogo- show lcd bootlogo
bootm   - boot application image from memory
bootp   - boot image via network using BOOTP/TFTP protocol
chpart  - change active partition
cmp     - memory compare
cp      - memory copy
crc32   - checksum calculation
dcache  - enable or disable data cache
env     - environment handling commands
erase   - erase FLASH memory
fatinfo - print information about filesystem
fatload - load binary file from a dos filesystem
fatls   - list files in a directory (default /)
flinfo  - print FLASH memory information
fwupd   - firmware upgrade from usb device for specified filename
go      - start application at address 'addr'
help    - print command description/usage
i2c     - I2C sub-system
icache  - enable or disable instruction cache
l2cache_test- Perform test of L2 cache
md      - memory display
memtester- memory tester
mii     - MII utility commands
mm      - memory modify (auto-incrementing address)
mmc     - MMC sub system
mmcinfo - display MMC info
mtdparts- define flash/nand partitions
mtest   - simple RAM read/write test
mw      - memory write (fill)
nm      - memory modify (constant address)
ping    - send ICMP ECHO_REQUEST to network host
printenv- print environment variables
protect - enable or disable FLASH write protection
reset   - Perform RESET of the CPU
run     - run commands in an environment variable
saveenv - save environment variables to persistent storage
setenv  - set environment variables
sf      - SPI flash sub-system
sspi    - SPI utility command
tftpboot- boot image via network using TFTP protocol
usb     - USB sub-system
usbboot - boot from USB device
version - print monitor, compiler and linker version

itanczos commented 7 years ago

Temporarily change the kernel boot command. Instructions: https://www.youtube.com/watch?v=fBjKTfWN4TI&t=150s

snoerenberg commented 7 years ago

@itanczos to enable writable serial console on Linux?

@kollaesch great! Maybe you can try some "read only" methods (fatinfo, fatls, flinfo, mi!?, printenv)?

itanczos commented 7 years ago

@snoerenberg this temporarily!

kollaesch commented 7 years ago

In the meantime I'm struggling with tcpdump. I limited the download traffic and tried to run the firmware update. Dumping cam and iPhone didn't give me any results so far :( Ideas?

tcpdump host cam1 -s 65535 -w tcpdump_mijia.log

snoerenberg commented 7 years ago

@kollaesch hmm I have not used tcpdump yet. Could you see any traffic from the cam? I think the iPhone does not send anything interesting. Maybe you can start the firmware update through LTE and then look at the traffic on your home network.

@itanczos I just wanted to make sure that I got it right (could not yet have a look at the YouTube link).

In wireshark I used some predefined HTTP Requests view. Can you see UDP traffic from the cam?

kollaesch commented 7 years ago

I soldered cables to the pins to have a hand free ... now stopping the boot will be easy.

results:

GM # printenv
auimg0=u-boot_spi.bin
auimg1=uImage_8136
auimg2=rootfs-cpio_8136.squashfs.img
auimg3=mtd.img
auimgaio=flash.img
auimgbot=nsboot.bin
autoupdate=no
baudrate=115200
bootcmd=sf probe 0:0;run lm;bootm 0x2000000
bootdelay=3
cmd1=mem=64M gmmem=30M console=ttyS0,115200 user_debug=31 init=/squashfs_init root=/dev/mtdblock2 rootfstype=squashfs
cmd2=mem=128M gmmem=90M console=ttyS0,115200 user_debug=31 init=/squashfs_init root=/dev/mtdblock2 rootfstype=squashfs
cmd3=mem=256M gmmem=190M console=ttyS0,115200 user_debug=31 init=/squashfs_init root=/dev/mtdblock2 rootfstype=squashfs
cmd4=mem=512M gmmem=432M console=ttyS0,115200 user_debug=31 init=/squashfs_init root=/dev/mtdblock2 rootfstype=squashfs
ethact=eth0
ethaddr=XX:XX:XX:XX:XX:XX
gatewayip=10.0.1.51
ipaddr=10.0.1.52
lm=sf read 0x02000000 z
netmask=255.0.0.0
serverip=10.0.1.51
stderr=serial
stdin=serial
stdout=serial
verify=no

Environment size: 933/65532 bytes

kollaesch commented 7 years ago

Well, setting the boot-

GM # setenv cmd4 mem=512M gmmem=432M console=ttyS0,115200 user_debug=31 init=/squashfs_init root=/dev/mtdblock2 rootfstype=squashfs single
GM # printenv cmd4
cmd4=mem=512M gmmem=432M console=ttyS0,115200 user_debug=31 init=/squashfs_init root=/dev/mtdblock2 rootfstype=squashfs single
GM # saveenv
Saving Environment to SPI Flash...
SF: Got idcodes
00000000: c8 40 18 c8    .@..
SF: Detected GD25Q128c with page size 64 KiB, total 16 MiB
flash is 3byte mode
Erasing SPI flash...Erase command 64K
Writing to SPI flash...done
GM #

Brings me/us to...

mode 3
SPI NOR ID code:0xc8 0x40 0x18
SPI jump setting is 3 bytes mode
Boot image offset: 0x10000. size: 0x50000. Booting Image .....

U-Boot 2013.01 (Mar 02 2017 - 10:54:30)

I2C:   ready
DRAM:  64 MiB
data abort

    MAYBE you should read doc/README.arm-unaligned-accesses

pc : [<0000010c>]      lr : [<03f6d4fc>]
sp : 03e5cf50  ip : 02000f80     fp : 00000000
r10: 00041714  r9 : 03f6d000     r8 : 03e5cf60
r7 : 00000067  r6 : 03f6d000     r5 : 03e5cf60  r4 : 03e5cf50
r3 : 00041714  r2 : 00040004     r1 : 753d3067  r0 : 71604561
Flags: nzCv  IRQs off  FIQs off  Mode SVC_32
Resetting CPU ...

resetting ...

Ideas for reviving?

snoerenberg commented 7 years ago

@kollaesch I've no experience with changing Linux startup commands.

You tried to set it to the initial state (nothing changed, just stored again) and it fails now to boot?

snoerenberg commented 7 years ago

doc/README.arm-unaligned-accesses Is within the SDK ... no clue

kollaesch commented 7 years ago

Fails to boot. "doc/README.arm-unaligned-accesses is within the SDK ... no clue": that message is from U-Boot. So basically it 'freezes' right after it starts. I hope waiting over the weekend helps. (ROM reset?)

I opened up my second new cam. But didn't have any luck with wireshark or tcpdump yet. I'm continuing on Monday.

itanczos commented 7 years ago

Why was cmd4 modified? As far as I saw, there isn't 512MB of memory in the camera. I think cmd1 should be modified! Or maybe bootcmd?

kollaesch commented 7 years ago

I modified all cmd's ... I prepared the 2nd cam ... wish me luck ;)

kollaesch commented 7 years ago

AVOID saveenv for now!!

Nailed it by:
1) connecting the UART by RX, TX as described before.
2) picocom -b 115200 /dev/tty.usbserial-XXXX
3) connecting the power to the cam
4) immediately holding Ctrl+C
5) entering the setenv line:

setenv cmd2 mem=128M gmmem=90M console=ttyS0,115200 user_debug=31 init=/squashfs_init root=/dev/mtdblock2 rootfstype=squashfs single

6) then entering boot into the console to start the boot process:

boot

Result:

[    1.090000] mmc1: new high speed SDIO card at address 0001
# ls
bin      etc      lib      linuxrc  mnt      proc     run      sys      usr
dev      gm       lib32    media    opt      root     sbin     tmp      var
#

theDoc5655 commented 7 years ago

Serious progress here 🥇

itanczos commented 7 years ago

Good News! 👍

snoerenberg commented 7 years ago

@kollaesch great 👍 try to copy as much as possible to a mounted SD card? Then upload it to zippyshare or something :)

My cam will be delivered tomorrow. Got the notification from Hermes (Germany) some minutes ago.

kollaesch commented 7 years ago

I tar-ed the whole system. (265MB) Particular interests?

snoerenberg commented 7 years ago

For the XiaoFang cam there were some scripts which executed snx_autorun.sh. Something similar to this would be great.

Is telnetd installed?

Could you copy the rtspd from SDK to cam and start it? Before you would have to kill the Xiaomi/Mii apps for sure.

kollaesch commented 7 years ago

Is telnetd installed?

# busybox telnetd
telnetd: applet not found

Is also not to be found in /bin and /usr/bin.

kollaesch commented 7 years ago

"Could you copy the rtspd from SDK to cam and start it?" @snoerenberg You mean copy it precompiled?

willthrom commented 7 years ago

@kollaesch what happened to the first camera after you modified the env? Can't you stop the booting and change it again?

willthrom commented 7 years ago

And from my complete ignorance... why did you save a change without testing it first? I mean, without running saveenv the changes are in memory... why did you need to save them?
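A pre-flight check for two points raised in this thread, itanczos's observation that cmd4's mem=512M cannot match a board whose U-Boot banner reports 64 MiB, and willthrom's point that setenv changes live only in RAM until saveenv writes them to flash. This is an added Python example, not code from this thread or from the mijia-1080P-hacks project. It assumes a printenv dump and the U-Boot DRAM banner line were captured over the serial console as text; the samples embedded below are constructed from the values posted above, and all function names are this example's own.

```python
import re

# Constructed sample input: a printenv dump built from the values posted in this
# thread (the MAC address is left masked, as the poster had it).
BASELINE_PRINTENV = """\
baudrate=115200
bootcmd=sf probe 0:0;run lm;bootm 0x2000000
bootdelay=3
cmd1=mem=64M gmmem=30M console=ttyS0,115200 user_debug=31 init=/squashfs_init root=/dev/mtdblock2 rootfstype=squashfs
cmd2=mem=128M gmmem=90M console=ttyS0,115200 user_debug=31 init=/squashfs_init root=/dev/mtdblock2 rootfstype=squashfs
cmd4=mem=512M gmmem=432M console=ttyS0,115200 user_debug=31 init=/squashfs_init root=/dev/mtdblock2 rootfstype=squashfs
ethaddr=XX:XX:XX:XX:XX:XX
lm=sf read 0x02000000 z
verify=no

Environment size: 933/65532 bytes
"""

# Constructed: the same dump after the in-RAM `setenv cmd2 ... single` from the
# thread; the replace appends " single" to the cmd2 line (the line before cmd4).
MODIFIED_PRINTENV = BASELINE_PRINTENV.replace(
    "rootfstype=squashfs\ncmd4=", "rootfstype=squashfs single\ncmd4=")

# Constructed: U-Boot banner lines as posted in the thread; only DRAM: is needed.
BOOT_LOG = """\
U-Boot 2013.01 (Mar 02 2017 - 10:54:30)

I2C:   ready
DRAM:  64 MiB
"""

_SIZE = re.compile(r"(\d+)\s*([KMG])(?:i?B)?", re.IGNORECASE)


def to_mib(text):
    """Convert sizes such as '64M', '512M', '64 MiB' or '1G' to MiB."""
    m = _SIZE.search(text)
    if not m:
        raise ValueError("unrecognised size: %r" % text)
    factor = {"K": 1 / 1024, "M": 1, "G": 1024}[m.group(2).upper()]
    return int(m.group(1)) * factor


def parse_printenv(text):
    """Parse `printenv` output into a dict; the 'Environment size' line is skipped."""
    env = {}
    for line in text.splitlines():
        if "=" not in line or line.startswith("Environment size"):
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip()
    return env


def diff_env(baseline, current):
    """Variables whose value differs: {name: (old, new)}, None when absent on a side.
    Run against a saved baseline before any `saveenv`, so the exact change that
    would be written to flash is visible first."""
    names = set(baseline) | set(current)
    return {n: (baseline.get(n), current.get(n))
            for n in sorted(names) if baseline.get(n) != current.get(n)}


def detected_dram_mib(boot_log):
    """Pull the detected RAM size out of the U-Boot 'DRAM:' banner line."""
    for line in boot_log.splitlines():
        if line.startswith("DRAM:"):
            return to_mib(line[len("DRAM:"):])
    raise ValueError("no DRAM: line in boot log")


def check_mem_args(env, dram_mib):
    """Compare the mem= argument of every cmdN kernel command line with detected RAM.
    Returns {name: (mem_mib, fits)}; fits is False when mem= exceeds physical DRAM."""
    report = {}
    for name in sorted(n for n in env if re.fullmatch(r"cmd\d+", n)):
        m = re.search(r"\bmem=(\S+)", env[name])  # \b keeps gmmem= from matching
        if m:
            mem_mib = to_mib(m.group(1))
            report[name] = (mem_mib, mem_mib <= dram_mib)
    return report


def preflight(baseline_text, current_text, boot_log):
    """Summary to read before deciding whether an environment change may be persisted."""
    base, cur = parse_printenv(baseline_text), parse_printenv(current_text)
    return {"changed": diff_env(base, cur),
            "mem_check": check_mem_args(cur, detected_dram_mib(boot_log))}


if __name__ == "__main__":
    result = preflight(BASELINE_PRINTENV, MODIFIED_PRINTENV, BOOT_LOG)
    for name, (old, new) in result["changed"].items():
        print("changed: %s\n  old: %s\n  new: %s" % (name, old, new))
    for name, (mem, fits) in result["mem_check"].items():
        print("%s: mem=%gM %s" % (name, mem, "fits" if fits else "EXCEEDS detected DRAM"))
```

Diffing the current dump against a saved baseline shows exactly which variables a saveenv would persist, and the mem check flags a command line that asks the kernel for more RAM than the board reports. Neither replaces testing the change in RAM first by running boot without saveenv, which is the lesson this thread arrived at.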

kollaesch commented 7 years ago

@willthrom 1) no I can't stop it from booting. 2) I relied on/trusted the shared Youtube-video that said: "saveenv" => lesson learned...

willthrom commented 7 years ago

@kollaesch http://www.denx.de/wiki/publish/DULG/to-delete/UBootCmdGroupEnvironment.html for the future.. :)

According to some doc you might have to reset the board.. but I don't know anything about that.. yet

willthrom commented 7 years ago

@itanczos that video doesn't seem to do TEMPORAL changes... unless you mean a change to be removed later in the near future XDDD

kollaesch commented 7 years ago

I tried several ways of resetting my 'frozen' cam. 1) As the boot text indicated by 'Resetting CPU ...' and 'resetting ...' - I just waited a couple of minutes. => no change 2) I played around with resetting by the 'reset' button on the side. So far no luck.

Option 3) read out the U-Boot data addresses from cam2 and write them (by tftp?) or UART to cam1. Any suggestions on that? (I have no experience here.)

willthrom commented 7 years ago

@kollaesch so that camera is just resetting all the time? Or just freezing on every power up...?

I have no experience with those commands but I am trying to find the purpose of the cmd and why you cannot stop the boot process now.

Could you upload the boot log from the working camera and from the not-working camera? I would like to compare them.

willthrom commented 7 years ago

@kollaesch just reading about uploading U-Boot.... someone might know if this HW has a BDM or JTAG interface..... which are used to load U-Boot in "clean/new" boards...

kollaesch commented 7 years ago

Basically, if you compare this and that - you will have everything you need. The boot message on the frozen one is that short. :/ Thanks for looking into that! @willthrom 🥇

kollaesch commented 7 years ago

@willthrom regarding the BDM / JTAG: based on the listed chip "GD25Q128C" I found this here. It's also referred to as "GigaDevice". It's also listed in their boot logs. According to the 1st link that router board has JTAG. The 2nd link points out a couple of things regarding tftp and serial console. But whether this is all helpful, I don't know (yet).

I found other sources, but their boot fails much later, unfortunately.

willthrom commented 7 years ago

Well... TFTP can be used to load a new U-Boot image but for that you need a working U-Boot, which you don't have. JTAG / BDM are interfaces to directly write a new U-Boot to the memory (I am not an expert on this though).

I am focused now on how to restore whatever is corrupted....

willthrom commented 7 years ago

@kollaesch

You are getting a DATA ABORT but I cannot find anyone (yet) getting that message BEFORE loading the kernel (edit: I found it, but you haven't changed anything in U-Boot, only the cmd for the kernel, as far as I know).... You should see that message after the:

Hit any key to stop autoboot.

Could you try to check again the boot log from the broken one? Maybe you missed/lost some data coming from the UART interface....

willthrom commented 7 years ago

I am lost with that DATA ABORT.. it is like the U-BOOT image is corrupted but no idea why or how http://www.linuxjournal.com/files/linuxjournal.com/ufiles/imagecache/large-550px-centered/u1002061/11551f1_0.jpg

I still think you missed some logs dumped to the terminal... :) Hopefully someone here can correct/amend all that I have said (from my 2 hours reading U-Boot documentation)