Filipowicz251 / mijia-1080P-hacks


New firmware disabled SDCARD access #7

Closed willthrom closed 6 years ago

willthrom commented 6 years ago

Hi,

Can anyone with UART access get me a copy of the new firmware [3.3.9_0139]? It looks like they have changed something and my valhalla.sh scripts are not being loaded...

Thanks.

snoerenberg commented 6 years ago

New FW:

NAME=Buildroot
VERSION=2016.02-git-00683-g432c038-dirty
ID=buildroot
VERSION_ID=2016.02-git
PRETTY_NAME="Buildroot 2016.02-git"
XIAOMI_VERSION=3.3.9_0139
XIAOMI_BUILDNO=414 

https://cdn.fds-ssl.api.xiaomi.com/miio_fw/5529fa82e3eb8659f17723922accb56b_upd_mijia.camera.v1.bin?GalaxyAccessKeyId=5721718224520&Expires=1514045709000&Signature=S+ngZH8VZNGY4zGswTDgW6GypxM=&uniqRequestId=98629710

http://www106.zippyshare.com/v/1HR9M7cX/file.html

snoerenberg commented 6 years ago

They replaced the private key in /ft/prikey.pem with the public key. (like it is correct 😄)

willthrom commented 6 years ago

@snoerenberg that makes more sense but now we need to find another place.. Although I am not sure it will be possible...

papplampe1 commented 6 years ago

@snoerenberg How did you get that link? In wireshark it looked like an SSL connection was established to download that firmware, that's why I could not see that link in plain text. Please share your wisdom :-)

willthrom commented 6 years ago

@snoerenberg we will have to stick with 137 and then apply patches manually if we want to continue with the SDCARD access, as we don't know now what Private Key they are using... :(

snoerenberg commented 6 years ago

@papplampe1 at first I wanted to start the camera in normal mode with a UART shell ... wasn't able to get it running :) ... miio_ota should write it as a debug log

echo 8 > /proc/sys/kernel/printk
tail log with tail -f /var/log/messages

then I remembered that the whole communication was somehow on the SD card, but I already got the DL link in the following way:

  1. attach UART
  2. copy revision 0.2 to SD card
  3. start camera
  4. start update of camera through Mi App on the phone
  5. look at terminal on PC (UART)
  6. unplug camera when it started to download the firmware (blinking LED)

from log:

Jan  1 01:00:55 miio_ota: handle_light_state() Blue: flashMode = 0, brightness = 0
Jan  1 01:00:55 miio_ota: handle_light_state() Red: flashMode = 1, brightness = 50
Jan  1 01:00:55 miio_ota: [INFO] will do ota, the ota parameters is 
Jan  1 01:00:55 miio_ota: [INFO] firmware_url      ====>: https://cdn.fds-ssl.api.xiaomi.com/miio_fw/5529fa82e3eb8659f17723922accb56b_upd_mijia.camera.v1.bin?GalaxyAccessKeyId=5721718224520&Expires=1514045709000&Signature=S+ngZH8VZNGY4zGswTDgW6GypxM=&uniqRequestId=98629710 
Jan  1 01:00:55 miio_ota: [INFO] md5               ====>: 5529fa82e3eb8659f17723922accb56b 

willthrom commented 6 years ago

Or.. modify the file after.ota.sh... And change the keys in the jffs2 :)

snoerenberg commented 6 years ago

@willthrom yes that's right ... a downgrade is then necessary

snoerenberg commented 6 years ago

@willthrom then we need to resign the header of the upd file ... but I think it is written in the SDK how to do this

willthrom commented 6 years ago

It will depend on when the post-ota.sh is being executed :P.. I might be able to rewrite post-ota.sh to restore the original key.

I will try to do that as soon as I restore to the 3.3.6 version and upgrade again.

willthrom commented 6 years ago

I did the recovery with the tf_recovery.img but now I am not able to connect to any server.. no idea why.

For some servers I managed to get the camera to connect, as the blue light stops flashing, but the mobile application doesn't connect.... I might have to find the previous version, as I updated the mobile app.

willthrom commented 6 years ago

Forget about that.. it seems my router got tired of the camera connecting and is rejecting the requests. With an external (Mobile Data) connection it works :)

willthrom commented 6 years ago

By the way.... if you have an SD card and the MTBF mode, a log is created printing out the URL as well..

Sep 25 03:58:02 miio_ota: [INFO] firmware_url      ====>: https://cdn.fds-ssl.api.xiaomi.com/miio_fw/5529fa82e3eb8659f17723922accb56b_upd_mijia.camera.v1.bin?GalaxyAccessKeyId=5721718224520&Expires=1514059082000&Signature=L7iMnJwFGS0s45F24B6bzsPKnS4=&uniqRequestId=97877492 
Sep 25 03:58:02 miio_ota: [INFO] md5               ====>: 5529fa82e3eb8659f17723922accb56b 
Sep 25 03:58:02 miio_ota: [DEBUG] report progress: {"id":1751709383,"method":"props","params":{"ota_state":"downloading"}}
Sep 25 03:58:02 miio_ota: [DEBUG] report progress: {"id":2024761823,"method":"props","params":{"ota_progress":0}}
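As an added example (not code from the thread or from the project), here is the log analysis the two comments above describe: pull firmware_url, md5 and the progress reports out of miio_ota lines, and check a saved image against the md5 the camera logged before downloading, so a corrupted or altered download is noticed. The sample lines are the MTBF-mode lines quoted above; the function names are my own.

```python
import hashlib
import json
import re

# Constructed sample: the four miio_ota lines quoted from the MTBF-mode SD card
# log in the thread (copied from the page, not captured here).
SAMPLE_LOG = """\
Sep 25 03:58:02 miio_ota: [INFO] firmware_url      ====>: https://cdn.fds-ssl.api.xiaomi.com/miio_fw/5529fa82e3eb8659f17723922accb56b_upd_mijia.camera.v1.bin?GalaxyAccessKeyId=5721718224520&Expires=1514059082000&Signature=L7iMnJwFGS0s45F24B6bzsPKnS4=&uniqRequestId=97877492 
Sep 25 03:58:02 miio_ota: [INFO] md5               ====>: 5529fa82e3eb8659f17723922accb56b 
Sep 25 03:58:02 miio_ota: [DEBUG] report progress: {"id":1751709383,"method":"props","params":{"ota_state":"downloading"}}
Sep 25 03:58:02 miio_ota: [DEBUG] report progress: {"id":2024761823,"method":"props","params":{"ota_progress":0}}
"""

URL_RE = re.compile(r"firmware_url\s+====>:\s*(\S+)")
MD5_RE = re.compile(r"\bmd5\s+====>:\s*([0-9a-fA-F]{32})")
PROGRESS_RE = re.compile(r"report progress: (\{.*\})\s*$")
# The object name on the CDN starts with the 32-hex md5 of the image file.
URL_MD5_RE = re.compile(r"/([0-9a-fA-F]{32})_upd_")


def parse_ota_log(text):
    """Pull the OTA parameters and progress reports out of miio_ota lines."""
    result = {"firmware_url": None, "md5": None, "progress": []}
    for line in text.splitlines():
        if "miio_ota:" not in line:
            continue  # other daemons also write to /var/log/messages
        m = URL_RE.search(line)
        if m:
            result["firmware_url"] = m.group(1)
            continue
        m = MD5_RE.search(line)
        if m:
            result["md5"] = m.group(1).lower()
            continue
        m = PROGRESS_RE.search(line)
        if m:
            result["progress"].append(json.loads(m.group(1))["params"])
    return result


def url_md5(url):
    """md5 embedded in the CDN object name, or None if the URL has another shape."""
    m = URL_MD5_RE.search(url)
    return m.group(1).lower() if m else None


def image_matches(image_bytes, expected_md5):
    """Compare a saved image with the md5 the camera logged before the download."""
    return hashlib.md5(image_bytes).hexdigest() == expected_md5.lower()
```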

willthrom commented 6 years ago

I managed to inject post-OTA code to be executed after the firmware has been upgraded, and it seems to be executed, but I might have made some mistake because it didn't work. I think it is because I need to mount the partition again.

Anyway.. it looks good

willthrom commented 6 years ago

I am having some issues with injecting the changes because I don't know what the OTA binary is really doing.... If I try to change the jffs partition, the commands work but I get a kernel error in dmesg.

jffs2_get_inode_nodes: Node header CRC failed at

I see the OTA saves the partitions one by one but I don't know how it writes them... or if I can get those new writes mounted ....

willthrom commented 6 years ago

I finally found a way to inject whatever I want into the JFFS2 partition when performing an OTA. Back to business.. although I was expecting some other people to be compiling the streamers.

I will upload a release tomorrow to work from upgrade < 339. People already there will have to install the recovery 009 and update from there.

niladam commented 6 years ago

Hey @willthrom any news on this ?

willthrom commented 6 years ago

That was resolved a long time ago...

niladam commented 6 years ago

Actually I was referring to your jffs2 discovery. Had the feeling this relates to my other issue, #29 :)