mcchas / g2h-camera-mods

Modifying the G2H camera with rtsp, security and not to call home
MIT License

[Off Topic - Need Advice] Reset Firmware: Unable to Pair G2H to Homekit #35

Open ashwindz opened 2 years ago

ashwindz commented 2 years ago

Hello - I understand this is Off Topic but would really appreciate some help. Newbie Alert.

I got this camera about a month back. About 2 weeks back, this camera dropped off the network. I could not bring it back online so I removed it from homekit hoping I could pair it again.

But, try as I might with multiple resets, it just keeps looping through "ready to connect. please open the aqara home app" and does not get paired on Homekit. Same goes with the Aqara app - it just won't add the camera (QR scan fails).

My presumption is that the firmware is corrupt. Is there a way to reset the firmware in some way or load the default firmware from SD Card? Totally out of ideas and open to any suggestion! Thanks.

PS: Wifi is 2Ghz only and has no underscores.

mcchas commented 2 years ago

If you have used this mod the Aqara app won't work unless you reverse all the changes the script does. Make sure you're not using a hidden SSID, I hear switching to CN version in the app can help too.

I had issues with mine around the same time with Homekit, I'd get 'Not Responding' in homekit or after a reboot the camera would respond but only briefly. I could see in the logs there was an error relating to communication with the Apple MFI chip. I was able to resolve this issue by updating to the latest version, by replacing the /local/app.tar.xz (more specifically just the camera binary within this tar) with that from the v2.2.3 firmware.

ashwindz commented 2 years ago

@mcchas Thank you for the suggestions. At this point, I am not sure if the script was executed on the camera.

> by updating to the latest version, by replacing the /local/app.tar.xz (more specifically just the camera binary within this tar) with that from the v2.2.3 firmware.

How do I go about this? Via Telnet? Should I hook up FTDI to a USB cable to do this?

ashwindz commented 2 years ago

> by updating to the latest version, by replacing the /local/app.tar.xz (more specifically just the camera binary within this tar) with that from the v2.2.3 firmware

Also, where can I find this @mcchas?

mcchas commented 2 years ago

A sure-fire way in would be to use a serial cable, especially if it won't connect to wifi and the firmware has been patched to prevent it calling home. It just takes a 3.3v serial adapter like an FTDI and an old usb cable to butcher. The firmware can be taken from Aqara but I think someone has also published them on GitHub.

ashwindz commented 2 years ago

@mcchas thank you. I will definitely try to rig up the cable. I think the wiring is somewhere on this repo.

I will get the firmware from Aqara. What should I do once I have these? telnet and replace a file within /local/app.tar.xz ?

PS: is there a non-sure-fire easier way I can try before this?

mcchas commented 2 years ago

The serial console method is going to give you immediate feedback.

Another way might be to modify the hostname script to correct the wifi config files (with trial and error).. or modify it to create a new wpasupplicant.conf and start an access point or attempt to directly connect to your wifi.

You could try inject other commands to copy /var/log/* to your SD card to try see what's going on.

These are your only ways in (sd card and serial) if wifi is broken.

mcchas commented 2 years ago

To copy the files over once you have networking, you can use nc (netcat). Plenty of examples online for that, wget might be available but it's usually a version that won't support HTTPS

mcchas commented 2 years ago

Lastly you don't have to update the firmware this way, you could restore the original config files and the Aqara app should work again.

ashwindz commented 2 years ago

> Lastly you don't have to update the firmware this way, you could restore the original config files and the Aqara app should work again.

Thank you so much for all the advice. This is exactly what I wanted to see if it is possible - use hostname to push in the original config files or set the wifi information!

How can I modify the hostname script to push config files - and WHERE can I find these config files?

I really appreciate these suggestions - thank you!

ashwindz commented 2 years ago

@mcchas I just tried hostname with cp -f /var/log/* /mnt/sdcard/

Nothing came up after boot. I guess whatever loads hostname is broken :(

mcchas commented 2 years ago

@ashwindz may be time to try the serial console. You can substitute an FTDI adapter with a Raspberry Pi or similar if you have that handy.

ashwindz commented 2 years ago

I agree - tried to dodge it unnecessarily :)

I do have an FTDI adapter @mcchas - will try it hopefully this weekend.

Thank you very much for all the advice. Will connect again when I have it all hooked up!

ashwindz commented 2 years ago

@mcchas how do I wire up the FTDI to the USB wires? I was not able to understand from the Readme and the wiring diagram I see on https://github.com/mcchas/g2h-camera-mods/issues/2 seems to be for USB2UART?

I can guess the Rx/Tx connect to the Ds but not sure about power.

ashwindz commented 2 years ago

Or instructions around using an rpi is also fine - I do have one somewhere

mcchas commented 2 years ago

@ashwindz there is an example in this issue: https://github.com/mcchas/g2h-camera-mods/issues/2#issuecomment-811557644

ashwindz commented 2 years ago

@mcchas - I thought a UART connection was different from FTDI. Thanks - will try this!

On the FTDI I see connections to 3.3V, GND and TX / Rx - I need BOTH Tx and Rx to be connected to Green on the USB?

mcchas commented 2 years ago

@ashwindz FTDI is a device used to talk UART over USB. Connect the wires as in the diagram - USB data wires (green and white??) are used for UART tx/rx and power wires (red and ...?) are used to power the camera. Best to confirm which colours are what with a google search before applying power!

ashwindz commented 2 years ago

@mcchas I am trying to connect as below:

- USB Green from Camera - RX FTDI
- USB White from Camera - TX FTDI
- USB Black (GND) from Power - To Camera and GND of FTDI
- USB Red from Power - To Camera

With this, I see some characters printing on screen when the camera powers up using

screen /dev/tty.usbserial-00000000 9600

but not getting a prompt of any sort. Am I doing this right? (Obviously not!)

mcchas commented 2 years ago

@ashwindz that's a good sign that you see some characters on boot. Try changing the baud rate to 115200

ashwindz commented 2 years ago

Great! Now it's in English :)

Gets stuck on this line here: ERROR: in ms_i2c_xfer_write: Send Start error

Log is attached - pl let me know if you have any suggestions @mcchas error.txt

ashwindz commented 2 years ago

A fuller log is here - right from the start - pl ignore previous @mcchas 2022-01-23 16-51-16 FT232R USB UART.txt

mcchas commented 2 years ago

If you hit the enter key do you get a login prompt? You might be able to log in with root/password

mcchas commented 2 years ago

If not, you can see it's starting the camera program which means it will execute a hostname file from the sdcard. Make sure your sdcard is formatted as FAT32.

ashwindz commented 2 years ago

No - when I hit enter, it keeps spewing the ERROR: in ms_i2c_xfer_write: Send Start error line repeatedly. I can see a newline but no prompt or change happens.

I can't see it starting the camera program - but the logs do show a line below - not sure what this means

Camera-Hub-G2H login: 19700101 05:00:12.896 NOTICE monitor 322: stop process /tmp/out/mosquitto...

mcchas commented 2 years ago

It might just be spamming you with kernel logs. Try blindly entering 'root' then enter followed by 'password' and enter. Then you could run 'killall -9' with the name of the process that is printing those logs, however the watchdog may reboot the device or restart that service.

ashwindz commented 2 years ago

I tried entering root. I see "Password" but nothing happens when I enter 'password' - I just see the same stuff scrolling past

[   24.400394] ERROR: in ms_i2c_xfer_write: Send Start error 
[   24.443029] ERROR: in ms_i2c_xfer_write: Send Start error 

Password: [   24.486847] ERROR: in ms_i2c_xfer_write: Send Start error 
[   24.551407] ERROR: in ms_i2c_xfer_write: Send Start error 
[   24.594520] ERROR: in ms_i2c_xfer_write: Send Start error 
[   24.636073] ERROR: in ms_i2c_xfer_write: Send Start error 
[   24.683889] ERROR: in ms_i2c_xfer_write: Send Start error 
[   24.723433] ERROR: in ms_i2c_xfer_write: Send Start error

mcchas commented 2 years ago

If that worked, the text won't stop scrolling, but you should get a command prompt (#). From there you can try kill whatever is printing all those logs.

ashwindz commented 2 years ago

Thank you so much @mcchas - was able to login with the password root and 09qjuS@3 (which was on another issue)

I see the logs below - but I could not find what is spewing those logs

PID USER VSZ STAT COMMAND
1 root 1684 S {linuxrc} init
2 root 0 SW [kthreadd]
3 root 0 SW [ksoftirqd/0]
4 root 0 SW [kworker/0:0]
5 root 0 SW< [kworker/0:0H]
6 root 0 SW [kworker/u2:0]
7 root 0 SW [rcu_preempt]
8 root 0 SW [rcu_sched]
9 root 0 SW [rcu_bh]
10 root 0 SW [watchdog/0]
11 root 0 SW< [khelper]
12 root 0 SW< [netns]
13 root 0 SW< [writeback]
14 root 0 SW< [crypto]
15 root 0 SW< [bioset]
16 root 0 SW< [kblockd]
17 root 0 SW [kworker/0:1]
18 root 0 SW< [cfg80211]
19 root 0 SW< [rpciod]
20 root 0 SW [kswapd0]
21 root 0 SW [fsnotify_mark]
22 root 0 SW< [nfsiod]
36 root 0 SW [kworker/u2:1]
37 root 0 SW< [SCLDAZA_THREAD]
38 root 0 SW [VIPDazaTask]
41 root 0 SW< [ipv6_addrconf]
42 root 0 SW< [deferwq]
43 root 0 SW [kworker/u2:2]
47 root 460 S /minit
48 root 476 S /sbin/ueventd
49 root 1684 S /bin/sh /etc/init.d/rcS
55 root 0 SWN [jffs2_gcd_mtd3]
57 root 0 SWN [jffs2_gcd_mtd4]
79 root 2912 S hotplug
82 root 0 SWN [jffs2_gcd_mtd6]
90 nobody 1976 S mdnsd
96 root 4224 S monitor -C /etc/normal.xml
101 root 1688 S -sh
117 root 2912 S /local/bin/property_service -i /etc/build.prop -p /mnt/config/prop.dat
118 root 2048 S /tmp/out/mosquitto
119 root 2988 S /tmp/out/ha_agent
120 root 7936 S /tmp/out/proxy_server -D
137 root 11304 S /tmp/out/ha_master -a /lib/libha_auto.so -g /lib/libha_energy.so -G /mnt/config
145 root 3544 S /tmp/out/zigbee_agent -f /etc/zigbeeAgent.conf
149 root 4244 S /tmp/out/ha_driven -d /mnt/config/ha_driven
177 root 0 SW [kworker/u2:3]
276 root 0 SW [kworker/u2:4]
382 root 0 SW [kworker/0:2]
531 root 82428 S /tmp/out/camera -M
620 root 1688 R ps w

I tried to kill /tmp/out/camera -M but that just restarted the camera as you said.

PS: I am really glad to get this far! Thank you so much!

mcchas commented 2 years ago

Nice! If the password was never updated then I'd say this hack may have failed on your camera - as it should have changed it to 'password'.

You can update /etc/normal.xml (?) and stop all these spamming services from starting or rebooting if they are stopped. Then your console should be usable.. There is reference to this file in the hostname script. You could use an SD card and copy the modified file to make your life easier.

ashwindz commented 2 years ago

@mcchas - some good progress now - thanks to you!

I have a flickering blue light and clean login :)

I added a factory.ini to the sdcard. This got copied over I think. Now there is a flickering blue light but no errors on the serial console. Able to login with no issues.

How do I proceed with resetting it now?

ashwindz commented 2 years ago

Unfortunately got a bit too experimental and lost the prompt completely.

Flashed this mod to see if it now fixes the network. But now unable to see the login prompt. Trying to recover it again. Tried resetting but it does not restore the earlier state. Tried booting with factory.ini on SDCARD - that too does not show the login prompt.

ashwindz commented 2 years ago

> If not, you can see it's starting the camera program which means it will execute a hostname file from the sdcard. Make sure your sdcard is formatted as FAT32.

I think it is stuck here for some reason. I don't see a login prompt. Is there anything else I can try @mcchas?

mcchas commented 2 years ago

That's no good. What output do you get on the console now? Can you use some test commands in a hostname file?

ashwindz commented 2 years ago

@mcchas I do think hostname is getting executed. I tried with this:

#!/bin/sh
passwd -d root
echo WITH_TELNET=y >> /etc/.config
cp -f /etc/factory.xml /etc/normal.xml
cp -f /var/log/* /mnt/sdcard/
echo "hostname fix"

While I see that the log directory is created, the log files themselves are empty and I don't see a telnet prompt

mcchas commented 2 years ago

I wouldn't rely on that file starting telnetd. Can you start telnetd directly from the hostname file?

ashwindz commented 2 years ago

I tried this:

#!/bin/sh
test -f /etc/init.d/S91telnetd || cat << EOF > /etc/init.d/S91telnetd
#!/bin/sh
telnetd
# uncomment for no password
# telnetd -l /bin/sh
homekit_ntp au.pool.ntp.org
EOF
chmod 755 /etc/init.d/S91telnetd

I did see a line in the logs after this which said:

'/dev/stdin' -> '/proc/self/fd/0'
[RCS]: /etc/init.d/S90app
Can't find upgrade file
mDNSResponder: mDNSResponder (Engineering Build) (May 27 2019 12:17:34) starting
mDNSResponder: mDNS_AddDNSServer: Lock not held! mDNS_busy (0) mDNS_reentrancy (0)
mDNSResponder: mDNSPlatformSourceAddrForDest: connect 1.1.1.1 failed errno 101 (Network is unreachable)
**[RCS]: /etc/init.d/S91telnetd**

But I am still not able to see a login prompt.

mcchas commented 2 years ago

Apologies, without a network telnet is not very useful. If you are not getting a login prompt you could try run getty (with the same arguments as in /etc/inittab) from the hostname file which could start this.

ashwindz commented 2 years ago

@mcchas is there anywhere I can find the default files? I tried to copy over the inittab via hostname. It copied the file but like log files it was 0 bytes.

mcchas commented 2 years ago

What could be happening is the rcS script is blocked and never starts getty, perhaps have a hostname script just start this using this command /sbin/getty -L ttyS0 115200 vt100.

It's possible the filesystem is not syncing which is why your files are empty, you can run sync to overcome that
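
Added example, not part of the thread or of the repository: a hostname script that applies the two suggestions in the comment above (start getty by hand, run sync after copying) and records source and copied sizes so a truncated copy shows up in a manifest. The `diag` output directory, the function names, and the `$0` check that the file is run under the name `hostname` are assumptions; the paths and the getty arguments are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example (not the project's script). Paths come from the thread:
# /mnt/sdcard, /var/log, /etc/inittab, /sbin/getty on ttyS0 at 115200 baud.

# Size of a regular file in bytes; 0 if it is missing or not a regular file.
fsize() {
    if [ -f "$1" ]; then wc -c < "$1" | tr -d ' '; else echo 0; fi
}

# Copy every regular file in SRC to DEST and write DEST/manifest.txt as
# "<source bytes> <copied bytes> <name>". Returns 1 when any copy does not
# match its source size (the 0-byte symptom seen in the thread), 2 when DEST
# cannot be created.
collect_diag() {
    src=$1; dest=$2; rc=0
    mkdir -p "$dest" || return 2
    : > "$dest/manifest.txt"
    for f in "$src"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        cp -f "$f" "$dest/$name" 2>/dev/null || true
        want=$(fsize "$f")
        got=$(fsize "$dest/$name")
        [ "$want" = "$got" ] || rc=1
        echo "$want $got $name" >> "$dest/manifest.txt"
    done
    sync    # flush to the card before power is pulled
    return $rc
}

# Start a login prompt on the serial console if rcS never reached getty.
start_console() {
    [ -x /sbin/getty ] || return 1
    ps | grep -q '[g]etty' && return 0      # already running
    /sbin/getty -L ttyS0 115200 vt100 &     # background so boot continues
}

main() {
    out=/mnt/sdcard/diag                    # assumed output directory
    collect_diag /var/log "$out/log" || echo "log copy incomplete" > "$out/WARN.txt"
    cp -f /etc/inittab "$out/inittab" 2>/dev/null
    ps w > "$out/ps.txt" 2>&1
    sync
    start_console
}

# Assumption: the camera runs this file under the name "hostname"; anywhere
# else the functions are only defined, nothing is executed.
case "$0" in
    */hostname|hostname) main ;;
esac
```

The manifest makes it possible to tell a file that was empty on the camera from a copy that never reached the card.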

ashwindz commented 2 years ago

@mcchas - can't say how thankful I am but /sbin/getty -L ttyS0 115200 vt100 fixed it. I am able to now login!

How can I make this persist? And how do I proceed now?

ashwindz commented 2 years ago

PS: password was "password" so the hostname script got executed for the mod from my experiment here

ashwindz commented 2 years ago

> I had issues with mine around the same time with Homekit, I'd get 'Not Responding' in homekit or after a reboot the camera would respond but only briefly. I could see in the logs there was an error relating to communication with the Apple MFI chip. I was able to resolve this issue by updating to the latest version, by replacing the /local/app.tar.xz (more specifically just the camera binary within this tar) with that from the v2.2.3 firmware.

I tried to do this but unfortunately looks like I picked the wrong camera file from v2.2.1! - now the boot is stuck in the part:

19700101 05:00:14.423 NOTICE   monitor 348: ========== start all process ==========
19700101 05:00:14.423 NOTICE   monitor 351: start process /local/bin/property_service...
19700101 05:00:14.931 NOTICE   monitor 351: start process /tmp/out/mosquitto...
19700101 05:00:14.931 WARN     monitor 355: process[/tmp/out/mosquitto] not exist
19700101 05:00:15.431 NOTICE   monitor 351: start process /tmp/out/ha_agent...
19700101 05:00:15.431 WARN     monitor 355: process[/tmp/out/ha_agent] not exist
19700101 05:00:15.931 NOTICE   monitor 351: start process /tmp/out/proxy_server...
19700101 05:00:15.931 WARN     monitor 355: process[/tmp/out/proxy_server] not exist
19700101 05:00:16.432 NOTICE   monitor 351: start process /tmp/out/camera...
19700101 05:00:16.432 WARN     monitor 355: process[/tmp/out/camera] not exist
19700101 05:00:16.932 NOTICE   monitor 351: start process /tmp/out/ha_master...
19700101 05:00:16.932 WARN     monitor 355: process[/tmp/out/ha_master] not exist
19700101 05:00:17.432 NOTICE   monitor 351: start process /tmp/out/zigbee_agent...
19700101 05:00:17.432 WARN     monitor 355: process[/tmp/out/zigbee_agent] not exist
19700101 05:00:17.932 NOTICE   monitor 351: start process /tmp/out/ha_driven...
19700101 05:00:17.932 WARN     monitor 355: process[/tmp/out/ha_driven] not exist

I do have a backup of the old app.tar.xz - how can I update it or a clean version of 2.2.3?

PS: sorry about being such a bother @mcchas - I really am thankful for your patience!

ashwindz commented 2 years ago

It does look like hostname is getting executed though. Command to copy over log files creates the directory, but with no files.

mcchas commented 2 years ago

What did you want to do with the camera? If you want to add it to HomeKit then you shouldn't have to make any changes. There is some commented script in the hostname file that helped me join wifi networks that failed to join automatically.

mcchas commented 2 years ago

You can also manually join wifi networks the same way you would with any other Linux machine.

ashwindz commented 2 years ago

> What did you want to do with the camera? If you want to add it to HomeKit then you shouldn't have to make any changes. There is some commented script in the hostname file that helped me join wifi networks that failed to join automatically.

I want to add it to Homekit.

But right now, I am stuck with a possibly corrupt app.tar.xz which is blocking the camera from booting completely. Not seeing telnet either.

I need to know where I can find 2.2.3 files and how I can copy this over to /local/ using hostname

ashwindz commented 2 years ago

Once this is resolved, I will try to use the commented section in the hostname script to connect it to wifi

ashwindz commented 2 years ago

> It does look like hostname is getting executed though. Command to copy over log files creates the directory, but with no files.

I need to correct this. I don't think hostname is getting executed any longer :(

I tried a couple of copies:

#!/bin/sh
cp -f /var/log/* /mnt/sdcard/
cp -f /etc/inittab /mnt/sdcard/
sync 

Nothing shows up on /mnt/sdcard

The full log of a session is also attached. Have I irretrievably broken the camera? :(

FullLogFailedBoot.txt

ashwindz commented 2 years ago

Realised what got messed up. I guess app.tar.xz loads camera which in turn loads the hostname script and when I messed up the app.tar.xz this stopped loading. I guess it's broke for good without getting into the SPI flash ROM - which is probably beyond my skills and I sure don't want to trouble @mcchas any more!

Thank you @mcchas for all the help - sorry I messed up bad. Felt really close to reviving it at times but it was not to be.

mcchas commented 2 years ago

@ashwindz that's a shame, it's inspired me to put a larger disclaimer in the readme!

Don't give up - there will be other ways in. I see a script that tries to update the app.tar.gz but this may not work. You can try copy https://github.com/niceboygithub/AqaraCameraHubfw/raw/main/G2H/2.1.1_0002.0515_ota/ota.bin to your sdcard as it tries to copy this from /mnt/sdcard/ota.bin. There is also mention of updating via tftp using a USB ethernet adapter, one would have to find the real USB pins on the inside of the device to get that working..