ghoost82 / mijia-720p-hack

Xiaomi Mijia-720P camera hack

Support for Mijia 360 1080p? #10

Open pronsta opened 6 years ago

pronsta commented 6 years ago

Hi,

Will this hack work with the 1080p version?

Thanks

telmomarques commented 5 years ago

I was able to get to a serial console, it has access to U-boot and a Linux shell. As far as I can tell the shell is not restricted (in terms of permissions), and I was also able to run busybox from the SD Card.

I still didn't find where we can grab a stream to feed an RTSP server.

I'm currently working on a way of running code on startup that doesn't require tearing down the camera (through the SD card).

I'll be sure to share with you as soon as I have something you can try. I'm not used to embedded systems, so this might take a few days...

Theliel commented 5 years ago

Hi guys,

Again, my time is very limited. I have no problem with sharing any information, but for responsibility's sake I have not published anything until I'm sure I do not break the cameras.

@telmomarques I have already told you the "problem" with gaining shell access from the SD card. A script can be executed, but we need:

- The script must be compressed and stored, no problem here.
- MD5 of the compressed file, good too, and copy it in a new file called md5sum.dat.
- SIGN md5sum.dat with the private key that we don't have :), so that is the problem.

The firmware can check the signature with the public key inside the firmware, so only the private key from Xiaomi can sign the MD5 correctly.

arnoakavdb commented 5 years ago

This camera is now available in Google home (just for information)

kir4h commented 5 years ago

Looking forward to RTSP server :) Camera seems really good for the price, but I have two main issues:

  • Cloud-only approach, where I can only access it through their servers (there is also a p2p connection mode from what I read, but it doesn't come handy). Triggers privacy flags.
  • Motion detection lacks configuration in terms of the duration of the recording. I end up having always 9 seconds fragments (if there is a way to configure this I haven't found it)

If you put an SD-card, it will unlock the copy to a windows share and records are longer than the free cloud records.

Thanks! I already have an SD card, so I thought records were directly stored in the SD card itself and not in the cloud. I will try your suggestion of setting up a windows share instead :)

diegocesaretti commented 5 years ago


This camera is now available in Google home (just for information)

The 1080p 360 camera? (jtsxj01cm) what server did u use in mihome app?

arnoakavdb commented 5 years ago

Mi Home mainland China and the camera is the mjsxj02cm

telmomarques commented 5 years ago

I've found a way of running scripts from the SD Card, I've uploaded the "hack" to this repo: https://github.com/telmomarques/xiaomi-360-1080p-hacks

Please note few things:

  1. This is for the MJSXJ02CM camera only! Please confirm you camera model.

  2. This does not provide anything that is "consumer-ready" yet!

  3. Only telnet access for now, but that will hopefully enable people with more knowledge than me to setup an RTSP server (I still didn't find the stream to attach the RTSP server...)

  4. The repo is still very basic. but I'll add additional information in the next days. This was a first for me, I've learned a lot and want to share everything I can.

GuyKh commented 5 years ago

This camera is now available in Google home (just for information)

Can confirm. Using server: mainland China. Had to unlink and link Mi Home again, but now it's working.

What can you do with it though? Other than streaming it to your chromecast?

arnoakavdb commented 5 years ago

This camera is now available in Google home (just for information)

Can confirm. Using server: mainland China. Had to unlink and link Mi Home again, but now it's working.

What can you do with it though? Other than streaming it to your chromecast?

Nothing at the moment, I think; maybe move the camera, but I didn't really test it at this time.

diegocesaretti commented 5 years ago

It seems that I have the JTSXJ01CM model, which seems to be the same thing but apparently isn't. It's not working with Google Home at the moment, what a shame. Maybe forcing the mjsxj02cm firmware somehow could make it work(?); I suspect it has the same innards.

telmomarques commented 5 years ago

maybe forcing the mjsxj02cm firmware somehow could make it work(?), I suspect it has the same innards

According to a Google search the JTSXJ01CM's SoC is an Ambarella S2Lm. Not the same as MJSXJ02CM, unfortunately.

GuyKh commented 5 years ago

This camera is now available in Google home (just for information)

Can confirm. Using server: mainland China. Had to unlink and link Mi Home again, but now it's working. What can you do with it though? Other than streaming it to your chromecast?

Nothing at the moment, I think; maybe move the camera, but I didn't really test it at this time.

Based on this - it seems that you can just stream the camera

adi32k commented 5 years ago

For what software version of the camera MJSXJ02CM the hack works?

telmomarques commented 5 years ago

For what software version of the camera MJSXJ02CM the hack works?

Right now only tested on 3.4.2_0062 (it's the tf_recovery.img mentioned here https://en.miui.com/thread-3547398-1-1.html)

At this point I don't know if it works on newer versions of the firmware, will eventually test it.

Theliel commented 5 years ago

I answered it a long time ago. This access is ONLY AVAILABLE in the factory firmware; in any other version, the procedure that I explained previously is required.

The problem is that it is necessary to sign the md5 hash of the script, and that requires the private key, which obviously we do not have.

One possible option would be to replace the private key with another generated pair in the binary itself, but this would imply creating different binaries in each update. Another option would be to try to overwrite the private key (this is what I am working on) when the update is started / terminated, even if it implies starting from the factory version.

telmomarques commented 5 years ago

One possible option would be to replace the private key with another generated pair in the binary itself

The u-boot flashing procedure verifies a signature in the firmware, using libsodium. To flash a modified firmware we would also need to sign it.

This is a log of me trying to flash a modified firmware:

read file start
reading tf_recovery.img
read len = 0, actlen = 16318544
data check start
Verifying singature using libsodium
Hashing 1048576 bytes, 0 %
Hashing 1048576 bytes, 6 %
Hashing 1048576 bytes, 12 %
Hashing 1048576 bytes, 19 %
Hashing 1048576 bytes, 25 %
Hashing 1048576 bytes, 32 %
Hashing 1048576 bytes, 38 %
Hashing 1048576 bytes, 44 %
Hashing 1048576 bytes, 51 %
Hashing 1048576 bytes, 57 %
Hashing 1048576 bytes, 64 %
Hashing 1048576 bytes, 70 %
Hashing 1048576 bytes, 77 %
Hashing 1048576 bytes, 83 %
Hashing 1048576 bytes, 89 %
Hashing 589824 bytes, 96 %
Final...Failed

Maybe there's a way of working around this without replacing the boot loader?

It is possible to apply this access ONLY AVAILABLE in the factory firmware

That might be the case (I still haven't confirmed for myself), but since we can work on something using 3.4.2_0062, and downgrading is a very simple procedure, no need to sit still.
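The two checks discussed in this thread, Theliel's signed md5sum.dat for SD-card scripts and the bootloader's chunked hash-then-verify of tf_recovery.img with libsodium, share one shape: a digest of the blob, a signature over that digest, and a public key baked into the firmware. The Go program below is an added illustration of that shape and is not code from the camera or from any repository linked here; the Ed25519 scheme, the SHA-512 digest and the generated key pair are assumptions standing in for whatever the device actually uses.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha512"
	"fmt"
)

// chunkSize mirrors the 1048576-byte steps in the bootloader log above.
const chunkSize = 1048576

// digestImage hashes an image in fixed-size chunks, the way the bootloader
// log reports progress, and returns the final digest. SHA-512 is an
// assumption; the thread does not say which hash the device uses.
func digestImage(img []byte) []byte {
	h := sha512.New()
	for off := 0; off < len(img); off += chunkSize {
		end := off + chunkSize
		if end > len(img) {
			end = len(img)
		}
		h.Write(img[off:end])
	}
	return h.Sum(nil)
}

// VerifyImage models the firmware-side check: the signature over the
// image digest must verify under the public key stored in the firmware.
func VerifyImage(pub ed25519.PublicKey, img, sig []byte) bool {
	return ed25519.Verify(pub, digestImage(img), sig)
}

// SignImage is the step only the vendor can perform, since it needs the
// private key that the thread notes nobody else has.
func SignImage(priv ed25519.PrivateKey, img []byte) []byte {
	return ed25519.Sign(priv, digestImage(img))
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // stands in for the vendor key pair
	img := make([]byte, 3*chunkSize+4096)            // constructed stand-in for a firmware image
	sig := SignImage(priv, img)
	fmt.Println("vendor-signed image verifies:", VerifyImage(pub, img, sig))
	img[chunkSize+7] ^= 0x01 // a single changed byte, as in a modified image
	fmt.Println("modified image verifies:     ", VerifyImage(pub, img, sig))
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader) // a key pair the vendor never trusted
	fmt.Println("signed with another key:     ", VerifyImage(pub, img, SignImage(otherPriv, img)))
}
```

The second and third cases end in the same "Final...Failed" outcome the log shows: a changed image or a signature from any key other than the vendor's fails the check, which is why replacing the key pair would itself require re-signing every update.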

jaytxrx commented 5 years ago

The u-boot flashing procedure verifies a signature in the firmware, using libsodium. To flash a modified firmware we would also need to sign it.

I see some keys for mstar controller in the below repo. Will it help? https://github.com/dipcore/mstar-bin-tool

telmomarques commented 5 years ago

It is possible to apply this access ONLY AVAILABLE in the factory firmware That might be the case (I still haven't confirmed for myself)

Confirmed, exploit works in 3.4.2_0062 only.

I see some keys for mstar controller in the below repo. Will it help?

Thank you very much for the link! I've taken a look but this is really out of my knowledge scope. To follow this lead I'd have to study packing, unpacking and signing the firmware in more detail; but right now I'm more interested in getting an RTSP server up and running. Maybe in the future I'll look into it.

As a side note, because I don't want to spam this repo (this repo is not related to MJSXJ02CM camera) I've opened an issue on https://github.com/telmomarques/xiaomi-360-1080p-hacks/issues/7 You're all welcome to follow me there, if you wish to!

long2ice commented 5 years ago

hello,any news?

j0se commented 5 years ago

@telmomarques the serial port is in the TP, TN, TXO and RXO pads? How did you get that?

telmomarques commented 5 years ago

@j0se serial is TX0 and RX0 pads.

Steps:

  1. Get a USB FTDI adapter
  2. Connect TX0 (camera) to RX (USB FTDI)
  3. Connect RX0 (camera) to TX (USB FTDI)
  4. Connect USB UART to computer
  5. Download putty and open the COM port registered by the USB FTDI device
  6. Connect the camera to the USB power cable; you should see the boot log in putty

If you press any key during boot you will enter uboot prompt, if you do nothing you'll be dropped to a linux shell. If you just want to get to the linux shell check my repository, there's a way of getting there through telnet, without opening the camera.

DarkDenis commented 5 years ago

Hello @Theliel, maybe you have good news about the camera Mijia 360 1080p (MJSXJ02CM)? Did you manage to finally hack it and configure the RTSP server? I'm waiting for your message about hacking it, so I can add the camera to HomeKit.

iShortOne commented 5 years ago

Hi! Any news?

vladimirovsan commented 5 years ago

Did you manage to finally hack it and configured the rtsp server ?

telmomarques commented 5 years ago

Here's a link for the MStar SDK (MSC313 and MSC316): MStar MSC3XX SDK.zip

This is for the 360º 1080P camera!

Some notes:

Download at your own risk. The only thing I added was the english translation of the docs.

The OS provided on the camera by Xiaomi is heavily modified (relative to the SDK). Binaries compiled with the SDK don't play along with the camera's shared libraries.

Finally, I'm sharing this here because I figured this issue might have greater visibility than my repo. If someone is looking they may end up here first.

fifteenhex commented 5 years ago

FWIW The SDK (assuming it's the same one I got from taobao) you have doesn't actually seem to match most of the MSC313E cameras that are in the wild. The SDK is for the "infinity 1" platform but the MSC313E according to all of the IPL blobs and kernels I have seen is called "infinity 3". The SDK does reference the infinity 3 but it doesn't have the IPL blobs for it.

I ported a mainline kernel to the MSC313E based on what I found in that SDK so the hardware is at least very similar but I wouldn't try too hard to make what is in the SDK match up with what you see in actual firmware images.

DanielGBullido commented 5 years ago

hello, in what state is the integration for mijia 360? I read many different answers but I do not know if there is a real solution

ddamianus commented 5 years ago

Status?

telmomarques commented 5 years ago

There's currently a very, very experimental solution to provide RTSP on the xiaomi 360 camera. Anyone interested please feel free to check out my repo or join us on telegram: https://t.me/mijav4RTSP

I'm going to stop posting updates on this issue, because this repo is for a different camera and I don't want to spam it :)

jaymindabhi commented 4 years ago

I don't have an MJSXJ02CM yet, but I already have some interesting stuff...

Platform: MSC313E
Sensor: SC2235

The bad news:

MJSXJ02CM uses an Android-based firmware and a different platform; the new camera uses ARM MStar. The old SD card entry point is useless now, although the partition layout is similar. The MJSXJ01CM hack won't work.

Telnet/SSH is disabled and no binary is present.

The good news:

At a preliminary glance, we will have much easier script execution at boot time. With script execution, we should be able to do the rest.

My next steps, once my camera arrives:

  1. Check if I can confirm all this
  2. Check if ADB is working, maybe another easy shell access
  3. Check script execution at boot time

If it works:

  4. Cross-compile tools to work with the new platform
  5. We can reuse/adapt the MJSXJ01CM scripts

@Theliel

Hi Theliel, I need your help regarding the MSC313E chip. Can you please share with me the MSC313E datasheet and other necessary details?

I am a newbie to the MSC313E and have started to understand initial-level details. I didn't find any useful information on the internet.

It will be much appreciated if you share any useful details of the MSC313E, i.e. links, docs, SDK details, etc.

Regards, Jaymin

fifteenhex commented 4 years ago

It will be much appreciated, if you share anything useful details of MSC313E, i.e. link

http://linux-chenxing.org/ https://github.com/breadbee/breadbee

telmomarques commented 4 years ago

Hi @jaymindabhi!

There's already an exploit for MJSXJ02CM, if you want to check it out: https://github.com/telmomarques/xiaomi-360-1080p-hacks

You can also join the telegram group, you can find the link in the issues of that repo! We're currently working on a RTSP prototype.

Lots of info also in the sdk: https://github.com/ghoost82/mijia-720p-hack/issues/10#issuecomment-478371474

jaymindabhi commented 4 years ago

It will be much appreciated, if you share anything useful details of MSC313E, i.e. link

http://linux-chenxing.org/ https://github.com/breadbee/breadbee

Thanks @fifteenhex for sharing the links.

jaymindabhi commented 4 years ago

Hi @jaymindabhi!

There's already an exploit for MJSXJ02CM, if you want to check it out: https://github.com/telmomarques/xiaomi-360-1080p-hacks

You can also join the telegram group, you can find the link in the issues of that repo! We're currently working on a RTSP prototype.

Lots of info also in the sdk: #10 (comment)

Hi @telmomarques ,

Thank you for sharing the worthy information, it will be much helpful for me.

corncholio commented 4 years ago

I have a camera with this code: cmsxj03c. After plugging in the USB cable the light is yellow and constant. I cannot do anything with the camera; it is not responding to the reset button. Is there any possibility to make it run?

OUARZA commented 4 years ago

Hello, which patch can crack this camera?

https://a.aliexpress.com/sPntZn3P5

Shevbo commented 4 years ago

Is there any hope to launch RTSP on MJSXJ05CM?

Drgonz017 commented 4 years ago

Where can I find the hack with RTSP for MJSXJ02CM?

Can you help me please?

telmomarques commented 4 years ago

Where can I find the hack with RTSP for MJSXJ02CM?

Can you help me please?

https://github.com/ghoost82/mijia-720p-hack/issues/10#issuecomment-549752233

RTSP is in closed beta, will be released to the public shortly.

Drgonz017 commented 4 years ago

That sounds great, thank you very much.

muammercakir commented 4 years ago

Where can I find the hack with RTSP for MJSXJ02CM? Can you help me please?

#10 (comment)

RTSP is in closed beta, will be released to the public shortly.

Hey @telmomarques , any updates here?

telmomarques commented 4 years ago

@muammercakir

https://github.com/ghoost82/mijia-720p-hack/issues/10#issuecomment-549752233

Abbadon89 commented 3 years ago

Is there any hope to launch RTSP on MJSXJ05CM?

Bump?

festum commented 8 months ago

Bump. Any update?