HclX / WyzeHacks

Hacks I discovered allowing Wyze camera owners to do customizations
MIT License
810 stars 75 forks source link

Request for USB Ethernet driver? #62

Open ryny24 opened 3 years ago

ryny24 commented 3 years ago

I just found this WyzeHacks and I can't wait to try it.

Would it be possible to add ethernet (USB) support to the WyzeCam? For locations that don't have Wifi. Just a thought!

Keep up the good work!

gtxaspec commented 3 years ago

I was just thinking of this before bed last night, lol.

Reading the source to dafang, you need to compile usb-net support for the kernel and probably an asix ethernet device driver, as modules.

Can these be used from the dafang source? Hmm

gtxaspec commented 3 years ago

Download:

https://github.com/EliasKotlyar/Xiaomi-Dafang-Hacks/blob/master/firmware_mod/driver/usbnet.ko https://github.com/EliasKotlyar/Xiaomi-Dafang-Hacks/blob/master/firmware_mod/driver/asix.ko

copy these onto the camera somehow (you could have a custom script do this probably), then run the commands (example):

cd /tmp insmod usbnet.ko (this must be done first, or you will get "unknown symbol" errors when loading asix.ko) insmod asix.ko

then plug in your usb to ethernet adapter:

[44726.370013] usbcore: registered new interface driver asix [45015.713488] usb 1-1: new high-speed USB device number 2 using dwc2 [45016.558155] asix 1-1:1.0 eth0: register 'asix' at usb-dwc2-1, ASIX AX88772B USB 2.0 Ethernet, xx:xx:xx:xx:xx

then configure eth0 using udhcpc or use ifconfig to set a static ip etc.

report back if it works for you...

now the real kicker is, lets do this for the v3 =D

ryny24 commented 3 years ago

NO WAY! No way! I can't wait to try this. Thank you!

gtxaspec commented 3 years ago

remember, you'll need an ASIX based ethernet adapter; with a specific model ASIX chipset

ref https://github.com/EliasKotlyar/Xiaomi-Dafang-Hacks/pull/536 https://cateee.net/lkddb/web-lkddb/USB_NET_AX8817X.html

gtxaspec commented 3 years ago

looks like the V3 cam has these modules built in to the kernel. using a pass through USB otg cable, it works.

cable: https://www.amazon.com/gp/product/B07QGZK4FF

ryny24 commented 3 years ago

Wow, that's great! Sadly I don't have any of pass-thru cables but they are on the way now! I have several V2 on NYC roof tops with a great view. I'll get some swapped out to V3 with ethernet. I'll share the feed if you want it :)

I'm still trying the above driver on my V2 & PAN but I've been unable to get telnet to accept. Probably hasn't installed WyzeHacks correctly. Still trying!

ryny24 commented 3 years ago

FYI - the cheap white $3 dongles off eBay from China do not work. Will confirm where to buy when I get one that works.

[root@v2_camera:ryan]# lsusb Bus 001 Device 003: ID 0fe6:9700

gtxaspec commented 3 years ago

this would work https://www.amazon.com/USB-RJ45-LAN-Ethernet-Converter/dp/B0863YJB8W

ryny24 commented 3 years ago

Great! on it's way. Thank you.

ryny24 commented 3 years ago

My USB dongle arrived today, and you are correct. The V3 already has the drivers for it. I created a custom script to UP eth0 and start dhcp. This works, I get an IP and can telnet into the camera over ethernet. Unfortunately, when Wifi is dropped, I also lose ethernet (ping & telnet). This is probably because the route table has the same subnet for wlan0 and eth0. Maybe wlan0 hasn't dropped yet, and the packets are still going out wlan0.

So I decided to keep Wifi off and reboot, it should bring up eth0 without wlan0 ever creating the duplicate subnet. Unfortunately, ping never starts for the ethernet IP, but I think this is due to the wait_wlan() function performed on startup. It's waiting for wifi, and thus, never runs my custom script.

I tried to modify wait_wlan() in main.sh to exit early without actually checking for wifi, but because the V3 has a read only file system, my changes are not saved on reboot.

CUSTOM_SCRIPT='/configs/eth0.sh'

/configs/eth0.sh ifconfig eth0 up udhcpc -i eth0 -p /var/run/udhcpc_eth0.pid -b

ryny24 commented 3 years ago

I was able to get the camera to ping over ethernet on bootup. I had to modify a little in main.sh. Telnet is still connection refused, so I guess WyzeHacks is not finishing. And the Camera doesn't come online until Wifi is connected. But, it's progress.

I have created a 'fork'. It's my first fork, but it looks like I did it right. https://github.com/ryny24/WyzeHacks

thompatry commented 3 years ago

Can you disable WiFi and force all the traffic to go through Ethernet? Just a thought to try. I am going to try to implement this on the v2.

ryny24 commented 3 years ago

How would you disable Wifi? Here is where I think the problem is, the boot log shows the camera waiting at this spot:

[netService:1199]war: wpa_state=DISCONNECTED wiif disconnect [0211 19:50:27.993][A][iCam]shellcall.c:548 cmd:[wpa_cli -p /var/run/wpa_supplicant -i wlan0 STATUS | grep wpa_state] [0211 19:50:28.004][A][iCam]shellcall.c:553 msgque ret:[wpa_state=SCANNING ]

I did manage to get Video and telnet working over ethernet with Wifi disabled by doing "ifconfig wlan0 down", but this was only after it booted up with Wifi.

thompatry commented 3 years ago

Could you put it in the script to do ifdown on the wlan?

ryny24 commented 3 years ago

I will try. I'm not sure it will satisfy the wpa_cli, but it's worth a shot. I'll try tomorrow.

MelonSmasher commented 3 years ago

The ethernet adapter that your using uses the USB A port not the microUSB port? If so I'll purchase one to help, just want to make sure I get the right adapter. I bought one of these hoping I could get power and ethernet working through just the micro USB port. No luck. I'm hoping you get it working and I can pair the setup with one of these.

gtxaspec commented 3 years ago

use this with a v3:

https://www.amazon.com/gp/product/B07QGZK4FF

MelonSmasher commented 3 years ago

So my parts came in today and I'm having some success on the V2 camera.

Here's my hardware:

Image

I'm attempting to get everything working manually before I try to script anything. Here's where I'm at:

usbnet.ko and asix.ko are on my NAS in the emulated SD card folder. I have them there for testing until I figure out a better place to put them. I was thinking about eventually splicing them into the official RTSP firmware.

I run the following:

[root@WyzeCam]# insmod usbnet.ko
[root@WyzeCam]# insmod asix.ko
[root@WyzeCam]# ifconfig eth0 up

As expected I'm able to see the device in ifconfig:

[root@WyzeCam]# ifconfig
eth0      Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX:XX
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:1038 (1.0 KiB)

However I run into a roadblock with DHCP. The device never gets a DHCP address. I get the following when I try to request a lease:

[root@WyzeCam]# udhcpc -i eth0 -p /var/run/udhcpc_eth0.pid -b
udhcpc (v1.22.1) started
Sending discover...
Sending discover...
Sending discover...
No lease, forking to background

If I manually assign an IP address I'm able to ping it from another machine and telnet into that address.

[root@WyzeCam]# ifconfig eth0 192.168.0.28
[root@WyzeCam]# ifconfig
eth0      Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX:XX
          inet addr:192.168.0.28  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

Any ideas what I'm doing wrong for DHCP to work?

Scratch the DHCP issue above. The switch I was using had link aggregation enabled on the ports I was using. As soon as I disabled link aggregation DHCP worked.

MelonSmasher commented 3 years ago

Could you put it in the script to do ifdown on the wlan?

When I try that with a working ethernet connection everything works for a few minutes. After a minute or two the camera reboots. Seems like something is checking that the camera is connected to wireless and reboots the camera if it's not.

ryny24 commented 3 years ago

The boot log shows that Wyze is waiting for wpa_cli to return "COMPLETED". Wyze does not finish booting until this. Until Wifi is available and connected, wpa_cli will return "SCANNING, ASSOCIATING or DISCONNECTED".

Unfortunately, we can't modify the wpa_cli since the file system is read only (V3 at least). very depressing.

[exec-assis:386]: (no.100000) popen  ret:[wpa_state=SCANNING  
wpa_state=ASSOCIATING                                              
wpa_state=DISCONNECTED

[root@ETH-TEST-3:tmp]# printf '#!/bin/sh\necho "wpa_state=COMPLETED"\n' > /bin/wpa_cli 
-sh: can't create /bin/wpa_cli: Read-only file system

I'll keep trying.

MelonSmasher commented 3 years ago

@ryny24 I've been messing around with making a custom firmware based on this video. I've been able to modify files on the firmware and flash it and then apply WyzeHacks on top with success. wpa_cli is on the JFFS2 block within the firmware. I've been able to unpack the JFFS2 system using sviehb/jefferson however I'm not sure how to repack the JFFS2 system after making changes. It's been fairly trivial to make changes to the squashfs systems.

My thinkings is we may need to modify the stock firmware using the methods described in that video. Flash the modded firmware, then apply WyzeHacks on top. The mods to the firmware would include the kernel modules for USB ethernet and automatic detection of the USB ethernet adapter to choose and provision either Wifi or Ethernet.

ryny24 commented 3 years ago

@MelonSmasher wow, he makes that look so simple lol. The only problem is, keeping wpa_cli functional when ETHERNET is not enabled in the config. Maybe we can create wpa_cli a link to another file system that we can modify. I will give it a try.

ryny24 commented 3 years ago

Doing a binwalk on the Wyze firmware file shows the same as the video. Multiple volumes including Squashfs. However, the firmware.bin which WyzeHacks sends is only a tar file. I think it's only sending the hacked scripts needed and not the firmware itself. Good idea actually. But, that will make it a bit more complicated to fix wpa_cli.


DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             POSIX tar archive (GNU)
MelonSmasher commented 3 years ago

I made a tool that unpacks and repacks the firmware. It mounts the JFFS2 image read/write so that changes can be made. I've only tried on the Cam V2 firmware. Here's a link if your interested: MelonSmasher/WyzeFirmwareTool

MelonSmasher commented 3 years ago

@ryny24 I have been able to modify the JFFS2 file system with some success. What would you do to wpa_cli if you could modify it?

I've tried renaming both wpa_cli and wpa_supplicant to wpa_cli.disabled and wpa_supplicant.disabled. When I do that it does not connect to wireless, but unfortunatly the Wyze app does not see the camera as online even though it has a connection via eth0. I'm assuming that icamera it checking for a connection on wlan0 or something.

MelonSmasher commented 3 years ago

While not ideal, I found that killing wpa_supplicant after the camera has been running for a while allows the camera to stay up and running with no wifi connection forcing all traffic over eth0. I generated some Wyze Cam v2 firmware images using my WyzeFirmwareTool. I've noticed that when wpa_supplicant is dead without the hacks in this repo the camera stays up and running. However when the hacks are enabled the camera reboots within a minute or two of wpa_supplicant being killed off.

Below are 4 different firmware images I generated for the cam v2. Two are based off the latest firmware from Wyze and two are based off of the RTSP firmware from Wyze. Two of them will kill wpa_supplicant after boot to force the connection over eth0 and the other two leave wpa_supplicant alone but do enable the ethernet adapter.

If I can't get the camera to stop rebooting, I may just work in the NFS mods from this repo into my firmware generator tool.

MelonSmasher/WyzeFirmwareTool/releases

gtxaspec commented 3 years ago

didn't @HclX add a subroutine to reboot if wifi is lost? I forgot, I may be wrong, I'll check the source.

MelonSmasher commented 3 years ago

Something else to note, here is that even with both wifi and eth0 enabled, traffic seems to be going over the ethernet adapter. While probably not the best way to measure this, but when I open the Wyze and look at the camera the ethernet adapter goes from a steady light to flashing continuously. I'm wondering if it's even worth killing the wifi connection.

gtxaspec commented 3 years ago

you're saying that the camera works even with no wifi to initially connect? I think some folks want to use this in areas with no wifi

MelonSmasher commented 3 years ago

I don't think it will work as is for those who have no wifi. I'll try to explain what I've observed thus far better, but they all require an wifi connection in some capacity.

Ethernet and Wireless enabled:

Ethernet only:

gtxaspec commented 3 years ago

"Requires wireless during boot for Wyze software to initialize. If wifi is killed to early something never fully starts and the Wyze app shows the camera as offline, even though it has network via eth0." this is what @ryny24 is talking about. theres a program that runs and checks the output of wpa_cli. if it sees the right text output from the program, it proceeds.

feed that "wpa_state=COMPLETED" and you don't need wifi.

try replacing "/bin/wpa_cli" with an ash script that just echo's "wpa_state=COMPLETED"

MelonSmasher commented 3 years ago

so in theory replacing wpa_cli with a shell script that just echos "wpa_state=COMPLETED" should do the trick.

gtxaspec commented 3 years ago

yes, the programs that the wyze cams run that monitors various states and variables are pretty rudimentary and mostly monitor the console output of various system utilities.

MelonSmasher commented 3 years ago

I replaced wpa_cli with:

#!/bin/sh

echo 'wpa_state=COMPLETED'

Unfortunately the Wyze app sees the camera as offline and the back light flashes between yellow and blue, it never seems to fully initialize.

gtxaspec commented 3 years ago

we will have to analyze the logs, maybe there are some other strings that must be echo'd in sequence...

gtxaspec commented 3 years ago

https://pastebin.com/D68Sy61F

MelonSmasher commented 3 years ago

@gtxaspec Thanks for the logs. I got it working! I replaced the following files with shell scripts:

There are also two scripts that are started from the init scripts in /system/init:

Below is a firmware image for the Wyze Cam v2 that will enable the USB ethernet adapter, disable wireless, and enables telnet. I haven't tried the hacks from this repo yet, but fingers are crossed that they work with it.

MelonSmasher/WyzeFirmwareTool/releases

MelonSmasher commented 3 years ago

I've installed the hack on top of the custom firmware. The camera is up and running and the hacks installed. However my NFS server is not mounting. I'll keep monitoring it for any other issues see if I can see whats going on with NFS. Other than that, things seems ok, my password changed, and the hostname was set correctly.

MelonSmasher commented 3 years ago

I tried to manually run /configs/wyze_hack.sh from a telnet session and now I can't get the camera to boot :(. Stuck on a solid orange light after multiple attempts to flash the modded and stock firmware. I might have bricked it some how? Anyway just posting that to warn others that the firmware I made and that script do not like each other.

gtxaspec commented 3 years ago

just reflash the stock firmware via SD card and start over. these cameras (v2) are hard to brick

MelonSmasher commented 3 years ago

Yeah I tried that, after getting the blue light when holding the reset button with the firmware on the SD card the camera clicks once and sits on a solid orange light.

gtxaspec commented 3 years ago

sd card inserted, you are holding down setup, with usb unplugged, keep holding, then plug USB in, keep holding 10-15 seconds? that should be the bootloader sequence

MelonSmasher commented 3 years ago

Yup, thats what I'm doing. It's been the process for flashing the modded firmware I made as well. Of course I'm doing it with the stock firmware this time, but it should be the same. I guess don't play with fire if you don't want to get burned lol. Not a big deal, I'll get another one, kinda the cost of doing business.

gtxaspec commented 3 years ago

have you tried to factory reset the unit? not flashing the firmware, but triggering the unit to wipe configs...now I recall I had a similar situation as you with modded firmware, since flashing firmware doesn't wipe the camera.

MelonSmasher commented 3 years ago

How do you do that?

gtxaspec commented 3 years ago

https://wyzelabs.zendesk.com/hc/en-us/articles/360031484511-How-to-factory-reset-your-Wyze-Cam-v1-v2-or-Pan

may take a few tries, it always does for me.

MelonSmasher commented 3 years ago

Unfortunately no luck with that either :(

MelonSmasher commented 3 years ago

I just ordered a new camera, until it arrives I'm not going to be able to move this along any further. The firmware itself did not brick the device and neither did applying WyzeHacks to it. It all went downhill when I ran /configs/wyze_hack.sh from a telnet session. I'll be happy to help from the sidelines to figure out why NFS does not work with the modified firmware, but I won't be able to test directly.

gtxaspec commented 3 years ago

I will duplicate what you did, which firmware file did you do? if I brick my unit, I can hook up to serial port to see what's going on.

MelonSmasher commented 3 years ago

Awesome, I was on this firmware here:

https://github.com/MelonSmasher/WyzeFirmwareTool/releases/download/4.28.4.49-rtsp/cam_v2_usb-eth_no-wlan_demo_v2_rtsp_4.28.4.49_1614819324.zip

Just a heads up, I've been uninstalling WyzeHacks before flashing, then re-installing. Not sure if thats required, but it seemed like the cleanest way. That firmware has wireless disabled so you'll need to connect it to ethernet with and asix USB ethernet adapter.

You can also generate the firmware from this tool I made: MelonSmasher/WyzeFirmwareTool

sudo ./wyzefwtool -r -t -d