Filipowicz251 / mijia-1080P-hacks


Latest upgrade (0147) breaks the hack.. #29

Closed niladam closed 6 years ago

niladam commented 6 years ago

Hello,

It appears that no matter what I try, upgrading to 0147 breaks the hack. No SSH, and no other services running either (using the default midgard.ini).

The latest upgrade appears to be:

https://cdn.fds-ssl.api.xiaomi.com/miio_fw/356163bfddcfbf236804f90619553fdf_upd_mijia.camera.v1.bin?GalaxyAccessKeyId=5721718224520&Expires=1520091698000&Signature=CNQgzyUXhZN6TJwE3WAR9E4aKvQ=&uniqRequestId=67698601

willthrom commented 6 years ago

I haven't tried it myself to see if it is still working because I am not currently using it. However, I checked the firmware image and it seems OK.

Start the process again from the flashing, and upload the log somewhere so I can take a look. (For myself, going back to 0.99 is a pain because the camera cannot find my wifi router in that version, and I have had to set up an access point with the mobile.)

willthrom commented 6 years ago

I checked again and version 147 is exactly the same as 146 (which was working with the tools) except for the Xiaomi streamer and NAS.

So the tools should work without any problem. It is true that sometimes, for an unknown reason, the tools get stuck in the upgrading process, but normally starting the process again from 099 resolves the issue.

niladam commented 6 years ago

I tried this multiple times. Everything goes well. Flash .99, can SSH. Triple reboots. Flash latest (currently 8 as per the releases page), SSH works, triple reboots. Everything works.

Upgrade to latest version. No more ssh.

The reboots are made using ssh AND unplugging the cable.

Do I need to go through the re-pair process every time?

willthrom commented 6 years ago

Upload the logs from the log folder so we can take a look.

willthrom commented 6 years ago

When upgrading, do not change the original midgard.ini file.

niladam commented 6 years ago

@willthrom - I haven't changed anything. The procedure that I followed is:

  1. Reset the camera, unplugging it;
  2. Put the SD card in my card reader (I'm on macOS);
  3. Copy the CONTENTS of release0.3_338.zip to the root of the SD card.
  4. Plug the SD card into the camera.
  5. Pair it.

Here, I already have SSH access. The only change I'm making is the root password.

  6. Reboot 3 times (once via SSH, 2 times via UNPLUG);
  7. After making sure SSH is still active after the reboots, I proceed to step 8.
  8. Unplug the camera, unplug the SD card, placing it into my card reader.
  9. Copy the contents of the latest release (0.8) to the SD card (again, the only change is the root password).
  10. Plug in the camera. SSH is still active; repeat step 6.

At this moment, the camera is still paired with my Mihome application.

I proceed to the UPDATE using MiHome.

SSH is no longer active.

The only thing I can actually think of is the fact that I am NOT resetting the camera between copying the contents.

niladam commented 6 years ago

Alright -- so I attempted a NEW fresh reinstall, and I still cannot keep the hack.

I have attached the logs. Any hints/ideas?

Archive.zip

willthrom commented 6 years ago

@niladam

In your case I can see this:

Jan 1 08:00:27 kernel: [ 27.710000] FAT-fs (mmcblk0p1): error, clusters badly computed (11 != 10)
Jan 1 08:00:27 kernel: [ 27.710000] FAT-fs (mmcblk0p1): Filesystem has been set read-only

That is the SD card going wrong for some reason. You might need to format the SD card using the Xiaomi MiHome apk.

For some reason I cannot see the upgrading process in your logs under the MTBF log folder.

niladam commented 6 years ago

Truth is, both cards were formatted using macOS' Disk Utility and/or diskutil.

I've just formatted the SD card using the MiHome app, and I'm trying again.

willthrom commented 6 years ago

I might upgrade mine from the beginning again, but it would be much easier if someone could connect to the camera using USB/serial.

niladam commented 6 years ago

I'm using a USB cable to connect to the camera. Sadly, not a serial one.

I'm just running the FW update now; hopefully this time it'll work and I'll be able to pinpoint this to the formatting of the SD card.

I'll update as I have more news.

willthrom commented 6 years ago

@niladam but you get logs from the camera at boot time from the USB interface, right? I mean, did you open the camera and solder the TX/RX pins? Or do you just mean you are connecting the camera to your computer via USB, but only for charging?

niladam commented 6 years ago

No, I'm not opening the camera at all. My electronics skill is probably -5 or something. I just removed/added the SD card.

It didn't work.

And now that you mention it, was I supposed to solder the camera?

willthrom commented 6 years ago

No, only to do some debugging. That is fine, I will find someone.

niladam commented 6 years ago

Darn, again -- it didn't work.

Here's the latest batch of logs. I have no idea why you can't find any upgrade logs.

Archive.zip

willthrom commented 6 years ago

I can see in your logs at least the firmware download and the flashing process; however, I don't know why the PRE and POST OTA scripts are not being called. Without them the tools will not work after upgrading.

willthrom commented 6 years ago

I updated mine and the same thing happened. It seems Xiaomi is commanding from the server somehow not to call the PRE and POST OTA scripts.

The only solution for this is to start creating releases manually, copying the binaries from the firmware. A lot of work I am not going to maintain.

niladam commented 6 years ago

Another idea is to spoof the URL. Basically, if you can provide me with the working binary (139?) I can set up a hosting account answering to the requested URL. I could then make sure to redirect to the new IP, bypassing the CC?

willthrom commented 6 years ago

I think it is not a problem of what is in the camera or what is coming, but of the command the Xiaomi server sends when upgrading.

Before the 146 version, the OTA binary (in the .99) normally executed one script before running the OTA, and another after the OTA:

/mnt/data/miio_ota/pre-ota.sh
/mnt/data/miio_ota/post-ota.sh

For some reason, when the server asks to upgrade the camera, these scripts are not called, so I cannot customize them.

The binaries are the same, as we are still in the 99 version before the upgrading, so the only option is that the command to upgrade the camera from the server is different. And I cannot do anything about that.

niladam commented 6 years ago

Well, if we could identify WHEN or WHERE the command happens, we could probably figure out a way to disable that -- wouldn't we?

willthrom commented 6 years ago

Well, no idea. It is very weird that Xiaomi has changed how they command the upgrade, but so far it is the only explanation I have.

niladam commented 6 years ago

Well, are we sure that the post and pre scripts are still there after the flashing? Any way I could know that? Or find out?

willthrom commented 6 years ago

It doesn't matter if they are not there after the upgrade, but during the upgrade.

I know they are there because the tools created them. The problem is they are not being called for some reason. I haven't found why yet.

When the camera is going to upgrade, pre-ota.sh is called, and post-ota.sh after the upgrade. Neither of them is being called when upgrading now.

niladam commented 6 years ago

Can you provide me with the steps the hack takes so that I can attempt to debug it myself?

willthrom commented 6 years ago

The tools have two different parts:

The boot script is valhalla.sh; take a look at that. The prevention of the OTA security is done with tools/post-ota.sh and inject.sh.

NeoAcheron commented 6 years ago

Hi everyone,

I can confirm niladam's camera behaviour with 3.3.10_0147.

Once updated, it seems that the hack no longer takes effect. A strange behaviour is that the indicator LED gets stuck on orange and no longer does the blue/orange flash sequence, nor ever goes to blue. If you use the Xiaomi app to switch the light off and on again, the light goes to blue!

I'll investigate further to see what I can find.

zadman7 commented 6 years ago

HenkBezuidenhout: Happened to me too, and this is the reason I came here for help. The camera worked fine a week ago, and after the last firmware update it does not connect and no reset is possible. Waiting for any kind of solution.

padmanek commented 6 years ago

Seems like it's game over for this camera for now.

willthrom commented 6 years ago

Yep, the tools stop working after any new update because Xiaomi changed the update process somehow. When I have some free time after Christmas I will make a special version not using OTA but manual updates.

For now you can stick with version 99 and the tools.

ferdydek commented 6 years ago

I'm not sure why mine works. I actually re-flashed to 99 and repeated the entire process, and I'm using the 147 version with SSH access and I'm running the experimental webserver.

# cat /mnt/media/mmcblk0p1/log-197001010800.log
Running Customm Script v1.7

Configuration:
  CLOUD_DISABLED=0
  CLOUD_STREAMING_DISABLED=0
  RTSP_ENABLED=0
  CONFIG_LINE=-b4098 -f20 -w1920 -h1080 -m1
  SSH_ROOT_PASS=qwerty123456
  DISABLED_OTA=0
  HTTP_ENABLED=0
  SAMBA_ENABLED=0
os-version
NAME=Buildroot
VERSION=2016.02-git-00743-g1a39fe8-dirty
ID=buildroot
VERSION_ID=2016.02-git
PRETTY_NAME="Buildroot 2016.02-git"
XIAOMI_VERSION=3.3.10_0147
XIAOMI_BUILDNO=432
 Staring SSH Server
 Getting root access
Changing password for root
New password:
Retype password:
Password for root changed by root

...Starting dropbear...
[198] Jan 01 08:00:09 Running in background

...Changing Language to English...
...Adding Protecction to Change of Keys...

Script Ends. Ok
[837] Dec 23 23:13:05 Child connection from 192.168.2.130:51351
[837] Dec 23 23:13:05 Password auth succeeded for 'root' from 192.168.2.130:51351
[198] Dec 23 23:13:42 Early exit: Terminated by signal
[837] Dec 23 23:13:42 Exit (root): Terminated by signal
[837] Dec 23 23:13:42 wtmp_write: problem writing /var/log/wtmp: No such file or directory

I have noticed that the hack works well only when both the log-1... files are present, so it has something to do with the correction of times made between 99 and 147 (they are created at different stages of "hacking"):

-rwxrwxrwx    1 root     root        1.0K Dec 23 23:44 log-197001010000.log
-rwxrwxrwx    1 root     root        1.0K Dec 23 23:13 log-197001010800.log

willthrom commented 6 years ago

Check the log folder. In the MTBF log you should see the inject script being called. If it is not, then the upgrade will remove the tools.

ferdydek commented 6 years ago

Yup, it's here. It's, I think, the 3rd time I went through this process and I never had the same issues as @niladam describes.

# ls -lha /mnt/media/mmcblk0p1/log/MTBF/
total 1304
drwxrwxrwx    2 root     root        8.0K Jan  1  1980 .
drwxrwxrwx    3 root     root        8.0K Dec 24 21:55 ..
-rwxrwxrwx    1 root     root        1.3M Dec 24 21:55 MTBF_log

ferdydek commented 6 years ago

What I have done each of these times is to go through the entire process of reverting to _099, applying the hack, rebooting and then applying the firmware update. I also take my time; considering that some things in the busybox run on a 1 or 5 min cron, I always take my time between actions and changes. @niladam, try again please and really take your time; follow the https://github.com/Filipowicz251/mijia-1080P-hacks/wiki/Issues-installing-and-keeping-the-hack wiki.

Also @niladam, try this:

  1. Format the SD card as FAT32. Make sure it's less than 64GB.
  2. From release0.3_338.zip extract only tf_recovery.img.bak to the SD card.
  3. Rename the tf_recovery.img.bak on the SD card to tf_recovery.img.
  4. Insert the SD card into the camera, and wait for it to reboot (you will hear a click from the nightmode relay), then give it 3 minutes, not less.
  5. Pair with your WiFi.

Now your WiFi details are saved in the flash of the camera and will not be affected by firmware changes unless you factory reset the device. Now let's do the same process with a little twist:

  6. Take the SD card out, and on your computer rename the tf_recovery.img.bak on the SD card to tf_recovery.img again.
  7. From release0.8.zip extract everything to the SD card.
  8. Copy-paste the ft folder so there is a backup of that folder directly on the SD card.
  9. Insert the SD card into the camera, and wait for it to reboot (you will hear a click from the nightmode relay) and give it 3 minutes.
  10. Connect to the camera via SSH.
  11. In the SSH client check the content of the SD card with ls -l /mnt/media/mmcblk0p1/
  12.1. If you don't see the folder ft, rename the copy you created before (step 8) back to ft.
  12.2. If the ft folder is there, we should be good to go.
  12.3. Wait 5 minutes.
  13. Still in the SSH client, perform a reboot. Again wait for the click before you proceed.
  14. In your MiHome app go to the usual firmware update and start the update. Xiaomi fixed the feedback process, so you should see update progress on your phone. Anyway, the camera will slowly blink orange till the process is completed.
  15. At the end of the upgrade process you should see the camera blink a few times orange-blue; this is the hack applying again.
  16. Wait 3 minutes and test SSH access again.

If you get stuck at any point of this, please comment back with what the errors were, what you saw, what the behavior of the camera was, etc.
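A preflight check that a user could run over SSH between steps 11 and 13 above, added here as an example and not part of the mijia-1080P-hacks tools. It checks the conditions this thread identifies before the MiHome update is started: no FAT-fs errors on the card (the symptom in niladam's logs), the ft folder and the MTBF log present on the card, and the pre-ota.sh/post-ota.sh hooks present and executable (the permissions guess raised later in the thread). The mount point and the OTA directory are the paths quoted in the thread; that the hooks need the executable bit is an assumption.

```shell
#!/bin/sh
# Added example, not part of the mijia-1080P-hacks tools. Run as: sh preflight.sh run
# Paths below are the ones quoted in this issue; adjust via SD= / OTA_DIR= if yours differ.
SD="${SD:-/mnt/media/mmcblk0p1}"          # SD card mount point
OTA_DIR="${OTA_DIR:-/mnt/data/miio_ota}"  # where the tools place pre-ota.sh / post-ota.sh

# Count FAT-fs error lines in kernel log text read from stdin
# (e.g. "FAT-fs (mmcblk0p1): error, clusters badly computed (11 != 10)").
count_fat_errors() {
    grep -c 'FAT-fs (mmcblk0p1): error' || true   # grep exits 1 on zero matches
}

# Verify the SD card still carries the tools: the ft folder and the MTBF log
# (the log where the inject script should show up). Returns non-zero on a problem.
check_sd_layout() {
    root="$1"; rc=0
    [ -d "$root/ft" ] || { echo "MISSING: $root/ft (restore it from your backup copy)"; rc=1; }
    [ -f "$root/log/MTBF/MTBF_log" ] || { echo "MISSING: $root/log/MTBF/MTBF_log"; rc=1; }
    return $rc
}

# Verify both OTA hook scripts exist and are executable (assumption: the OTA
# binary needs the x bit to run them). Returns non-zero on a problem.
check_ota_hooks() {
    dir="$1"; rc=0
    for s in pre-ota.sh post-ota.sh; do
        if [ ! -f "$dir/$s" ]; then
            echo "MISSING: $dir/$s"; rc=1
        elif [ ! -x "$dir/$s" ]; then
            echo "NOT EXECUTABLE: $dir/$s (try: chmod +x $dir/$s)"; rc=1
        fi
    done
    return $rc
}

# Run all checks; only print the go-ahead when every check passes.
preflight() {
    rc=0
    n=$(dmesg 2>/dev/null | count_fat_errors)
    [ "$n" -eq 0 ] || { echo "SD card: $n FAT-fs error(s) in dmesg; reformat the card with the MiHome app first"; rc=1; }
    check_sd_layout "$SD" || rc=1
    check_ota_hooks "$OTA_DIR" || rc=1
    [ $rc -eq 0 ] && echo "preflight OK: reboot from SSH, wait for the relay click, then start the MiHome update"
    return $rc
}

[ "${1:-}" = run ] && preflight
```

The functions only inspect files and dmesg; they change nothing on the camera, so the script can be re-run after each corrective step until it reports OK.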

Alacika commented 6 years ago

I did it as described by @ferdydek, and it works fine! Firmware version is now 3.3.10_0147 and I have an SSH connection. Thank you very much and sorry for my poor English! :-)

ferdydek commented 6 years ago

@Alacika glad this helped. @niladam so now we only need to check if this works for you, and then we can start figuring out what to improve in the next release.

v-thomp4 commented 6 years ago

After the firmware update, no SSH, camera still orange.

Alacika commented 6 years ago

I think 13. (reboot from SSH) is a very important step. The first time, I did not do a reboot, just pulled it out of the socket and plugged it back in. SSH was lost after the firmware update. The second time I did reboot from the SSH command line, and SSH access works after the firmware update. (Sorry for my poor English!)

ferdydek commented 6 years ago

@thomph can you upload the logs from the SD card somewhere, please? @Alacika nice feedback. I will actually try to "break" my install to spot which process does not complete. Maybe the weekend will be less busy :)

willthrom commented 6 years ago

I guess it might be the permissions of the OTA scripts. Whenever I have some free time I will take a look again.

For the time being I am closing this issue, as it seems that following @ferdydek's very well documented steps the process works.

niladam commented 6 years ago

@ferdydek I'll attempt this later today -- however, nothing seems different from what I initially attempted. The problem is, I am now on 3.3.1_0154 -- so hopefully it'll work.

@willthrom - I suggest you leave this open, as people coming to the issues screen might be able to see this first-hand (by default, closed issues are invisible -- you need to search/filter for them).

santiacho commented 5 years ago

I'm having problems re-pairing the camera to the Mi Home app; my reset button stopped working (some time before the hack). It seems to be a hardware problem.

Does anybody know how I could reset the camera via a script and/or command?

I need to delete the previous wifi settings and start again, but I do not know what else to try.

Thanks.