Filipowicz251 / mijia-1080P-hacks


Hack for the new camera - mijia v3 / Basic 1080p #55

Open vitoo opened 5 years ago

vitoo commented 5 years ago

Hello,

Here is a new Xiaomi camera; it's called Mijia 1080P Basic / Mijia V3. It has a white back.


How can we build a firmware compatible with this camera? Is it hard?

Thanks for your help

llimz commented 5 years ago

I'm also very interested in this topic. I can't get an old version anymore.

gbarral commented 5 years ago

Same problem for me. Impossible to downgrade firmware on my mijia with white back.

Thx for help :-)

jnsw commented 5 years ago

see https://github.com/EliasKotlyar/Xiaomi-Dafang-Hacks/issues/624

they are still trying

vitoo commented 5 years ago

It may take months :smiley:

It's a cheap camera, many hackers will try it.

jnsw commented 5 years ago

@vitoo hopefully 😃

Snotmann commented 5 years ago

You can downgrade the cam with https://github.com/EliasKotlyar/Xiaomi-Dafang-Hacks/files/2320611/tf_recovery.for.SXJ02ZM.All.White.Xiaomi.1080P.smart.cam.zip and these files on root of sd card https://github.com/Filipowicz251/mijia-1080P-hacks/releases/download/0.8.7/release0.8.7.zip

... but there was no SSH server launched or something like that ... don't know what happened or what to do

jnsw commented 5 years ago

@Snotmann the 0.8.7 was released in March, so I don't think it will work with the all new full white camera

willthrom commented 5 years ago

@Snotmann @seewaldjan it will not work, basically because the recovery of the V3 is already patched against the security flaws I found a year ago.

What you could do is try to use the tf_recovery from the V2 and check if the camera starts.

The camera sensor might not work BUT if you can go to Mi App and upgrade the camera from there to whatever version is the latest for the V3, then there is a possibility we can hack that camera too.

willthrom commented 5 years ago

Forget it... it seems the architecture is different.. I need to take a look but it seems so:

V3:

```
DECIMAL       HEXADECIMAL     DESCRIPTION
0             0x0             uImage header, header size: 64 bytes, header CRC: 0x3E8652CA, created: 2018-06-30 07:40:51, image size: 2240049 bytes, Data Address: 0x80010000, Entry Point: 0x80380060, data CRC: 0x6BAB1A28, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: gzip, image name: "Linux-3.10.14"
64            0x40            gzip compressed data, maximum compression, from Unix, NULL date (1970-01-01 00:00:00)
2621440       0x280000        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 4484222 bytes, 1916 inodes, blocksize: 131072 bytes, created: 2018-06-30 07:42:42
9895936       0x970000        JFFS2 filesystem, little endian
```

V2:

```
DECIMAL       HEXADECIMAL     DESCRIPTION
0             0x0             uImage header, header size: 64 bytes, header CRC: 0xF8DB532E, created: 2017-08-03 05:49:01, image size: 1909344 bytes, Data Address: 0x8000, Entry Point: 0x8000, data CRC: 0x4A5C7510, OS: Linux, CPU: ARM, image type: OS Kernel Image, compression type: none, image name: "Linux-3.3.0"
18164         0x46F4          gzip compressed data, maximum compression, from Unix, NULL date (1970-01-01 00:00:00)
2752512       0x2A0000        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 8932790 bytes, 1304 inodes, blocksize: 131072 bytes, created: 2017-08-03 05:51:01
13238272      0xCA0000        JFFS2 filesystem, little endian
```
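As an added illustration (not code from this thread or the project), the MIPS-vs-ARM difference above is read straight from the 64-byte legacy U-Boot uImage header that binwalk decoded. The headers below are constructed to carry the field values from the two listings (timestamps are not reproduced, and the header CRCs are computed rather than copied), and the parser verifies the header CRC so that a truncated or tampered header is flagged before its fields are trusted.

```python
import struct
import zlib

# Legacy U-Boot "uImage" header: 64 bytes, all fields big-endian.
IH_MAGIC = 0x27051956
IH_FMT = ">IIIIIIIBBBB32s"   # magic, hcrc, time, size, load, ep, dcrc, os, arch, type, comp, name
IH_OS = {5: "Linux"}
IH_ARCH = {2: "ARM", 5: "MIPS"}
IH_TYPE = {2: "OS Kernel Image"}
IH_COMP = {0: "none", 1: "gzip"}


def build_uimage_header(size, load, ep, dcrc, arch, comp, name, time=0):
    """Assemble a Linux kernel uImage header and fill in ih_hcrc
    (CRC32 over the whole header with the hcrc field zeroed)."""
    body = struct.pack(IH_FMT, IH_MAGIC, 0, time, size, load, ep, dcrc,
                       5, arch, 2, comp, name.encode())
    hcrc = zlib.crc32(body) & 0xFFFFFFFF
    return body[:4] + struct.pack(">I", hcrc) + body[8:]


def parse_uimage_header(blob):
    """Decode the header at the start of blob; None if too short or no magic."""
    if len(blob) < 64:
        return None
    f = struct.unpack(IH_FMT, bytes(blob[:64]))
    if f[0] != IH_MAGIC:
        return None
    zeroed = bytes(blob[:4]) + b"\x00" * 4 + bytes(blob[8:64])
    return {
        "header_crc_ok": (zlib.crc32(zeroed) & 0xFFFFFFFF) == f[1],
        "size": f[3], "load": f[4], "entry": f[5], "data_crc": f[6],
        "os": IH_OS.get(f[7], "unknown(%d)" % f[7]),
        "arch": IH_ARCH.get(f[8], "unknown(%d)" % f[8]),
        "type": IH_TYPE.get(f[9], "unknown(%d)" % f[9]),
        "comp": IH_COMP.get(f[10], "unknown(%d)" % f[10]),
        "name": f[11].rstrip(b"\x00").decode("ascii", "replace"),
    }


# Constructed sample headers with the values binwalk printed for the V3 and V2
# kernels (size, load/entry address, data CRC, CPU, compression, image name).
V3_HEADER = build_uimage_header(2240049, 0x80010000, 0x80380060, 0x6BAB1A28, 5, 1, "Linux-3.10.14")
V2_HEADER = build_uimage_header(1909344, 0x8000, 0x8000, 0x4A5C7510, 2, 0, "Linux-3.3.0")


def same_kernel_architecture(a, b):
    """True only when both headers parse, pass the CRC check and name the same CPU."""
    pa, pb = parse_uimage_header(a), parse_uimage_header(b)
    return bool(pa and pb and pa["header_crc_ok"] and pb["header_crc_ok"]
                and pa["arch"] == pb["arch"])
```

Running `same_kernel_architecture(V3_HEADER, V2_HEADER)` returns False, which is the reason a V2 recovery image cannot simply be booted on the V3.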

gregou2007 commented 5 years ago

Hello, any news? Is the V3 still not hackable to get an RTSP stream or to view the camera with a computer?

jaaperror commented 5 years ago

Also hoping for updates. Hope there is something I can do to help

liaanvdm commented 5 years ago

Has anyone tried this approach on these V3 cameras?

https://github.com/miguelangel-nubla/videoP2Proxy

gregou2007 commented 5 years ago

Not tried, but I don't really understand how to make it work on a MacBook?

hmajed commented 5 years ago

The V3 contains validation based on RSA:

```sh
try_ft_mode()
{
    # Only enter "ft mode" when both the zip and the secret blob are on the SD card
    if [ -f $ft_files_zip ] && [ -f $sd_mountdir/ft/secret.bin ];then
        mkdir -p $ft_running_dir
        # Decrypt secret.bin with the secure key to obtain the expected md5 list
        $ft_decrypt $sd_mountdir/ft/secret.bin $ft_running_dir/md5.sum $ft_securekey_file
        if md5sum -cs $ft_running_dir/md5.sum;then
            unzip $ft_files_zip -q -d $ft_running_dir
            chmod -R 755 $ft_running_dir
            ft_mode=$(cat /proc/ft_mode)
            if [ "$ft_mode" == "" ];then
                ft_mode=0
            fi
            $ft_running_dir/ft_boot.sh ${ft_mode} ${ft_running_dir}
            return $?
        else
            echo "check fail"
        fi
    else
        echo "ignore ft mode"
    fi
    return 1
}
```

gbarral commented 5 years ago

Hi, I tried this tf_recovery.img with the hack https://github.com/Filipowicz251/mijia-1080P-hacks. The tf_recovery seems to work because the camera downgrades (3.4.4_0039), but the tools are not installed. Impossible to connect using SSH. I can update to 3.4.5_0046 with Mi Home but impossible to activate RTSP.

If anybody has an idea :-)

joelhaasnoot commented 5 years ago

> Has anyone tried this approach on these V3 cameras?
>
> https://github.com/miguelangel-nubla/videoP2Proxy

This doesn't work unfortunately, the camera doesn't respond to the "get_ipcprop" command that's needed to get the stream running.

mgx0 commented 5 years ago

any news on this?

Sender76 commented 5 years ago

Hello! So you are saying that none of the methods work, and the Mijia 1080 camera can only be viewed remotely with the MiHome application??? 😕

Thu, 6 Dec 2018 at 20:05, Thach Nguyen notifications@github.com:

> any news on this?
>
> Maybe no. Any idea where to start with this camera, trying to flash other fw won't work.

Sender76 commented 5 years ago

I cannot understand one thing: how can I hack this seemingly simple camera ... (((

Thursday, 6 December 2018, 23:09 +0300 from notifications@github.com:

> Yes, it works with Mi Home. Set Region to Mainland China, start pairing to any 2.4GHz wifi and it should work.

mgx0 commented 5 years ago

I want RTSP and I don't want any cloud service. Looks like I have a camera for sale now ... it speaks Chinese, does not allow you to set your own country and is useless without a cloud service where god knows who is watching your streams. Thanks a lot, it's for sale.

Knuppel1983 commented 5 years ago

Same here. Hack does not work with the new model. I’m not leaving it on cloud service because the camera is in my living room. Wanted to use it to watch the dogs, but the idea of someone else watching my family is enough to leave it unplugged. Shame Xiaomi does not add local support.

Knuppel1983 commented 5 years ago

For reference, I have the snowman version with white back, 1080p PTZ.

Sender76 commented 5 years ago

I would be very grateful if you would share!!!

07.12.2018, 13:48, "Knuppel1983" notifications@github.com:

> For reference, I have the snowman version with white back, 1080p PTZ.

axlerose commented 5 years ago

Is there any news?

anmaped commented 5 years ago

It is working with openfang; check it out in openfang. A modified bootloader was compiled for this purpose but we need to open the camera and program it manually. We will check if we can surpass some protection to upload the new firmware.

mgx0 commented 5 years ago

I have no problem to program the camera via serial

two questions:

thanks

axlerose commented 5 years ago

any news?

marcotuna commented 5 years ago

I opened mine today. How to connect to the PC? Via a USB to UART? What are the pinouts?



I found this manual: https://www.winbond.com/resource-files/w25q128jv%20revf%2003272018%20plus.pdf

anmaped commented 5 years ago

Please check more information at https://github.com/EliasKotlyar/Xiaomi-Dafang-Hacks/issues/624#issuecomment-451488962

axlerose commented 5 years ago

> It is working with openfang; check it out in openfang. A modified bootloader was compiled for this purpose but we need to open the camera and program it manually. We will check if we can surpass some protection to upload the new firmware.

@anmaped can you explain how to make it work with openfang?

anmaped commented 5 years ago

@axlerose I have written the new bootloader directly to the flash. As soon as I have the device again I will check if we can upload the new bootloader in another way.

axlerose commented 5 years ago

Can you explain how to write directly to the flash?

anmaped commented 5 years ago

@axlerose You have to use a programmer like the CH341, but you have to remove the chip from the PCB first and then use a SOIC test clip for flashing it.

linkiln commented 5 years ago

@anmaped I've got the removed chip in the programmer. Now I should flash it with the u-boot-lzo-with-spl.bin file and that's it?

therosss commented 5 years ago

@anmaped Could you provide me a link to the right programmer? Mine doesn't really list the correct Winbond chip. I already got all the needed components. I'd write the stuff down and upload some pictures for other people who want to do the same thing.

I made an initial backup, then tried to flash the custom bootloader, which flashed successfully. After re-soldering the flash, the cam is dead. I tried restoring the original backup, without luck. It looks like something went really wrong, but I have no idea what. My flash is detected as W25Q128BV instead of W25Q128JVSQ. Is this wrong? Here's a screen: http://i.epvpimg.com/C3SZeab.png

Thx a lot in advance

anmaped commented 5 years ago

@therosss I will upload a new bootloader soon. I have changed some pinouts in the current bootloader version but I didn't get enough time to test it well.

You can try my dump and use the ch341prog. It should work well. I also detected that the windows programmer is not reliable enough.

llimz commented 5 years ago

Hello, with a Mijia 1080p white back I successfully uploaded your last bootloader (dump file from your previous message). I opened the camera and used a CH341 programmer with a clamp to flash the chip. Before writing your dump file, I erased the chip and then wrote the dump file.

Then I built an SD card with 2 partitions and wrote the image rootfs.ext2 into the first partition. I can mount this one and see the Linux tree. So the SD card seems to be correctly prepared.

But it is not working or at least I still don't get any SSH access to the camera. The SD card is plugged in. It is working as if I did not do something. The camera works correctly with the mi home app.

Any idea what could be wrong? Thank you.

anmaped commented 5 years ago

@llimz Are you able to compile the last version of openfang? I will do a release of the unified firmware this week. I'm just unifying some things (mainly video settings), but the current dev version is working well with the camera if you try to compile it.

You just have to use the u-boot-lzo-with-spl_t20_64M.bin bootloader.

llimz commented 5 years ago

Yes, I compiled successfully the last dev version from your git repository this morning. These are the files I get as a result:

After compiling your code, I built the SD card with the last rootfs.ext2 file on the first partition, and formatted the second partition as FAT32 and put my wpa_supplicant.conf file into it (there is only this file on the second partition). I put the SD card into the camera and power on the camera. The LED is blinking orange and blue for a few seconds, then it is only blinking orange. I assume that the network connection to my wifi is not done.

This is my wpa_supplicant.conf file below. It is the same file I'm using on some Raspberry Pis. Maybe the format is not correct for the camera?

```
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
country=FR
update_config=1

network={
    ssid="NETGEAR91"
    psk="***"
    priority=3
}

network={
    ssid="Linksys00758"
    psk="---"
    priority=2
}

network={
    ssid="Zyxel"
    psk="***"
    priority=1
}
```

Any other idea? Thank you.

anmaped commented 5 years ago

@llimz Great! You only have to format the second partition in exfat. I didn't add support for fat32 due to the lack of wear-leveling.

llimz commented 5 years ago

Sorry, it is still the same.. LED blinking orange. I formatted the second partition with the command line

```
mkfs.exfat /dev/sdc2
```

These are the partitions on my SD card:

anmaped commented 5 years ago

Could you try this wpa_supplicant.conf file ?

```
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=0
ap_scan=1

network={
        ssid="<SSID>"
        # Uncomment to connect to Hidden SSIDs
        #scan_ssid=1
        key_mgmt=WPA-PSK
        pairwise=CCMP TKIP
        group=CCMP TKIP WEP104 WEP40
        psk="<PASSWORD>"
        priority=2
}
```

llimz commented 5 years ago

Not working. I tried to check if the wpa_supplicant.conf file is correctly used and I saw that this file is copied in the /etc directory of the SD card. So I assume that the boot process and scripts are running correctly when powering the camera.

Are there any log files written somewhere on the SD card I can check to find out where the problem could be? Or can you see something else to check/try? Thank you.

jesperrix commented 5 years ago

Sorry to jump in, but I just want to know if it is a prerequisite to program the custom bootloader from @anmaped in order to flash openfang on the camera. I am really missing the RTSP stream. Mi Home is very unstable for me.

anmaped commented 5 years ago

@llimz Strange! Are you using the compiled bootloader? If the file was replaced, it means that the init scripts are running.

You could add the command `dmesg > /var/log/mycurrent.log` to the init script file S01logging to dump the dmesg output to a file.

@jesperrix Yes, it only works with the new bootloader.

llimz commented 5 years ago

@anmaped Actually, I just found out that it is working! Yes, I'm using the compiled bootloader. I still have the blinking orange LED BUT I can reach the IP cam with SSH. The remaining problem is that the IP address and the MAC address are changing every time I power the camera down/up... I will open a new thread in your GitHub project after some investigations here to see why I had this behaviour. Many thanks for your help!

@jesperrix I bought a chip programmer with a clamp on AliExpress. No need to unsolder the chip to program it! https://fr.aliexpress.com/item/EEPROM-Flash-BIOS-USB-programmeur-SICO8-adaptateur-sop8-clip-avec-c-ble-1-8-Vadapter-CH341/32922583416.html?spm=a2g0s.9042311.0.0.2f4d6c37r5IcYL

anmaped commented 5 years ago

@llimz Yes. I will fix it!

therosss commented 5 years ago

Ok, flashed the chip with anmaped's bin file and the camera came back to life. Now, I cannot flash the bootloader onto the chip without getting the error message:

```
Write ok! Try to verify... Read started!
Error while writing. Check your device. May be it need to be erased.
```

@llimz could you make me a dump of your flash chip which already includes the bootloader? I'm having trouble getting the bootloader into my dump/chip without screwing it up. I would be very thankful if you could send me a dump which I "just" need to get onto my Mijia, like I did with the dump file of anmaped. Thx

anmaped commented 5 years ago

@therosss You just need the bootloader bin and nothing else. Try to erase the nand/nor before.

anmaped commented 5 years ago

@llimz and @therosss Could someone do a small tutorial on how to flash bootloaders on T20 SoCs using the CH34a? Thanks in advance.