Hack for the new camera - mijia v3 / Basic 1080p

[vitoo]

Hello,

here is a new xiaomi camera it's called mijia-1080P basic / mijia V3. It had a white back.

How can we build a firmware compatible for this camera ? Is it hard ?

Thanks for your help

[therosss]

@anmaped Sure :) I can take care of a little guide. Pictures will follow later on. I desoldered only 1 leg of the SOP and it was enough to be able to program it. I'll try erasing the chip and then applying the bootloader binary only (which is only about 200kb) which I got from the latest release from 2 months ago.

[anmaped]

@therosss What pin? reset line? This bootloader will not work, I will provide you with the new binary.

[therosss]

@anmaped Preferably Pin 8, VCC, as anything else might power-up the rest of the board through the SOP Chip (something which happens if you don't desolder anything off the board). I'm still struggling with the bootloader flashing as my camera dies when I flash it. As soon as I get that done, I will buy another camera, and do a whole tutorial from disassembling the camera, to installing the c34a programmer on a clean linux VM up to flashing the SOP and preparing the SD-Card including the wifi-credentials-file. But I need to get this sorted out first before I write a guide which might not work properly

[llimz]

I can provide on a public URL the last bootloader I compiled. But @anmaped, you may prefer to publish first on your release page on your github repo?

[therosss]

@llimz

@anmaped uploaded me a bootloader in his issues thread. But as said above, after erasing thee SOP and then flashing the bootloader binary onto it, the camera acts like it's dead.

• Desoldered a pin.
• used "./ch341prog -e" to erease the SOP
• used "./ch341prog -w u-boot-lzo-with-spl_t20_64M.bin" to write the bootloader Console output:

Device reported its revision [4.03]
Manufacturer ID: ef
Memory Type: 4018
No CFI structure found, trying to get capacity from device ID. Set manually if detection fails.
Capacity: 18
Chip capacity is 16777216 bytes
File Size is [215873]
Write started!

Write ok! Try to verify... Read started!

Write completed successfully. 

All done. 

SDs are already prepared. But not even a LED blinks - the cam is dead. When re-flashing the untouched dump from anamped, the cam works again (yet without any bootloader installed)

Might be because my SOP is a 128m one instead of a 64m one? I'm kinda lost here :/

[llimz]

I did not have to unsolder any pin for progamming the camera here. I only had to unplugged the board from the IR led and MIC (the front panel).

Here are the 2 bootloaders I compiled the 2nd of February (64 and 128MB) u-boot-lzo-with-spl_t20_64M.bin.zip u-boot-lzo-with-spl_t20_128M.bin.zip

[therosss]

Thanks for the input @llimz I took all wires out and even unplugged the lens module off the board - still no way to program the SOP while it is soldered on the board :( Kind of annoying having to de-solder 1 pin each time I want to flash the SOP.

Anyway, the bootloader does its thing. anmaped gave me a compiled rootfs-image and the cam is now booting up properly.

Just having issues with the web UI not working properly, IR-Lights or any kind of lights not working and so on, but that's not surprising, having in mind that the image was previously for another camera :)

I'll order another cam and make the tutorial for it. Might take 1-2 weeks until it's done properly.

Cheers

[llimz]

I'm using the 64MB version. The file is too big. I put it on wetransfer https://we.tl/t-h6XYvLRvH8

[therosss]

Thanks @llimz I'm in the process of ordering a new cam to make a full guide for the process.

[thachnb85]

Great work @therosss Have fun reading this everyone: https://dgiese.scripts.mit.edu/talks/DEFCON26/DEFCON26-Having_fun_with_IoT-Xiaomi.pdf

[axlerose]

Many thank @therosss please share to us the guide when it was complete

[EvgenPavlyuchek]

i have SXJ02ZM version 3.4.5_0046 with white back can i integrate it with home assistant ? and how ? so many discussions but not positive answer (

[therosss]

Ich did not get my hands on a new cam yet, but I am still trying to so I can make the promised guide for you Guys!

[therosss]

Cam is on it's way, but it can take 2 more weeks until it arrives from china. I will do a complete guide then.

@anmaped could you prepare a release on your repo by then? I'd avoid the compilation by now :)

[anmaped]

@therosss Sure! We'll release the first version of openfang - openfang01.

[perrykipkerrie]

First, thank you all for your hard work on this subject.

@therosss I'm looking forward to follow your guide. I'm having one question, when the guide is ready, do I need a CH341 programmer with clamp like @llimz told? If so, I will order one already and hopefully it will arrive in time.

[therosss]

@perrykipkerrie yes, You should order one as you will need it. You will also have to desolder 1 leg of the SOP. Some people say they can program the SOP without having to desolder anything, but in my case that didn't work out.

[therosss]

@anmaped Ready for a release? I just received the cam and I would take care about a guide in 2 days

[vladviolentiy]

What about SXJ02ZM and RTSP?

[therosss]

Works :)

[vladviolentiy]

Works :)

How i can use RTSP? i write to flash folder release0.8.7 with configs but RTSP not work

[therosss]

Your cam is not compatible with this Release. You have to Flash the bootloader of Openfang from @anmaped This involves soldering and SOP flashing. I will release a guide shortly after I get a compiled release. You will have to buy additional hardware to flash your camera

[vladviolentiy]

Your cam is not compatible with this Release. You have to Flash the bootloader of Openfang from @anmaped This involves soldering and SOP flashing. I will release a guide shortly after I get a compiled release. You will have to buy additional hardware to flash your camera

what hardware i need buy?

[jannodeluxe]

Waht about the support of "Original Xiaomi Mijia Smart Camera 1080P 130 Wide Angle 2.4GHz" with CMIIT ID 2018DP2586?

[anmaped]

@therosss Could you use this image as example https://we.tl/t-eouUKOh9Hb ? I would like to include your guide in the new settings of the new release.

Something like we have for wyzecp1 https://github.com/anmaped/openfang/blob/master/doc/wyzecp1_instructions.md

A. Hack (the reason why we are writing in this repository) B. Openfang Installation instructions

[anthosz]

Hi,

Where I can find the guide to add rtsp on this camera? (https://m.joybuy.com/600356031.html) (seems linked to the description but not the color)

[therosss]

@anmaped will do so this weekend. @anthosz that is the mijia 1080p v3 (usually cheaper to get). To add RTSP on it, you need to hack it a little bit. You need to get the openfang bootloader from anmaped on the cam. Unfortunately this can only be achieved by using a programmer to flash the openfang bootloader into the SOP. This repo of mijia-1080-hacks is outdated and left alone. You need to get to the openfang repo

[therosss]

So far, so almost good.... I'm doing the guide and went quite far.

Yet I seem to have a problem with your image @anmaped The second partition shall be exFat i Presume, like on the other ones. the cam boots, does some blinks, and then stays at orange with very short purplpe blinking once in a while. After each boot, the cam re-writes the "default" wpa_supplicant.conf in /etc It looks like the cam can't read my wpa_supplicant.conf from the other partition and therefore does not connect to any network :(

[anmaped]

Just use the openfang acess point to configure the wireless network!

[therosss]

Ah riiiight Just saw it was launching an AP. When connecting to it, I can ssh to it. Unfortunately I can't sudo Admin in order to edit the wpa_supplicant.conf I can't See any info in your documentation @anmaped

If you would guide me real quick, I'd be thankful to add this in the guide. Maybe I just need the user and password of the root account.

[therosss]

Edit..

Ich was able to sudo into root after all. After editing the wpa_supplicant.conf and rebboting the Cam, it still does not connect to the network. Any hint?

[llimz]

If you are connected to the camera AP, just open a webbrowser to the access point ip address. Log in with admin/admin and go to the settings/wireless tab to setup the wifi connection.

With my camera, the IP address to use is 192.168.14.1 when connected to the AP.

[therosss]

edit 2 ... There was no lighttpd service running, as the /etc/ssl/lighttpd.pem is empty. I disabled the rewrite-rule and took all the https stuff out of lighthttpd, and it booted. after that I was able to change the wireless settings and got the cam in my network now.

This clearly is bug of the current release. I guess I will not include this in my tutorial, as this might be fixed by @anmaped in the next release.

BTW, is there any discord channel or something else where we can discuss this? We're using an issue thread of a repo, which isn't even OpenFang :D

[anmaped]

It's not a bug. You have to use the web ui to configure the model and wireless network.

Use openfang gitter channel.

[jannodeluxe]

@therosss Is there anything new about the guide / tutorial or where I can support?

[therosss]

Here's the guide, @jannodeluxe @anthosz @perrykipkerrie @axlerose . No need of anything at the moment. Feel free to let me know if anythign is wrong.

https://github.com/therosss/openfang/blob/master/doc/SXJ02ZM/SXJ02ZM_instructions.md

[axlerose]

@therosss thank you very very much i'm waiting for the programmer and then i try your guide

[JohnRev]

Good job with the documentation, @therosss And thanks @anmaped for making openfang available for this camera version.

@therosss just a note: the command I had to use to start lighttpd after generating the certificates was: ./S50lighttpd start

Edit: Also, for whatever reason the generated key kept getting deleted. I realized it's from these lines in S02factory:

# restore the SSL certifcate
nvram get rtdev certificate > "/etc/ssl/lighttpd.pem"

I tried saving the generated key in nvram via nvram set rtdev certificate "$(cat /etc/ssl/lighttpd.pem)" but that didn't persist across reboots for whatever reason. I decided to comment out the above line in S02factory for things to work well after reboots.

Also I didn't need to de-solder any pin for the programmer to work :smile:

[therosss]

Hey John. Thanks for the input. You are right- it was S50 :) Anyway, the bug is fixed in the last commit, and you don't need to do those steps anymore. Please Check the original repo from anmaped to see the latest changes.

Feel free to join the conversation over gitter. We need more people to get involved into this project :)

I'd like to see an Integration into dustcloud for example ;)

I already heard from someone around that he didn't have to desolder anything - lucky you. It never worked like that with my devices. I could eventually add this to the documentation, but I guess most of the people will run into the same problem as I did.

[jesperrix]

Anyone who can provide me a new link to u-boot-lzo-with-spl_t20_64M.bin? The shared links above are expired.

Never mind, i managed to compile the .bin using the Docker container. Thanks for the work!

[fmsduran]

Hi, I interested in rtsp protocol, then with the openfang firmware is possible? Thanks very much, and excuseme for my level of English

[mrhang22]

Hello what would someone have a link to u-boot-lzo-with-spl_t20_64M.bin ?

[therosss]

here you go @mrhang22 and @jesperrix https://megaupload.nz/W2IaSdU8mb/u-boot-lzo-with-spl_t20_64M_bin

[mrhang22]

After reprogramming the LED no longer lights up. The file is only 236kB while the original file is 16MB.

The end of the memory must be at FF?

[pablo-tx]

@mrhang22 The same happened to me, after that I've compiled the last version and it works now.

Here you go, the bin and the rootfs: https://mega.nz/#F!0xtVSayS!DxZawSANY2IIXhypJG_UJQ

[mgx0]

So following the guide will be enough to ge this done?

[pablo-tx]

@mgx0 yes, i can confirm it works, but i think it needs some changes:

1. I didn't need to de-solder anything, just using the clamp was enough to flash.
2. The guide says to go to releases page and flash the last version, but that one (rc5) isn't working with this camera, you have to compile yourself or use the files I shared above.

[pcmester]

Could somebody make a guide how to flash the chip with a Raspberry Pi?

[mgx0]

@pablo-tx perfect, thanks. I'm waiting for my programmer to arrive and then I'll do it. I'll post my results here. Good job folks!

[therosss]

@pablo-tx this is a random thing with desoldering a leg or not. I had a few cams and I had to desolder the vcc leg. Regarding the release, I was hoping that @anmaped would release a rc for people to get started at least to be able to flash their ICs. This didn't happen yet.

Feel free to push a guide refinement about this :)