mcchas / g2h-camera-mods

Modifying the G2H camera with rtsp, security and not to call home
MIT License

[Off Topic - Need Advice] Reset Firmware: Unable to Pair G2H to Homekit #35

Open ashwindz opened 2 years ago

ashwindz commented 2 years ago

Hello - I understand this is Off Topic but would really appreciate some help. Newbie Alert.

I got this camera about a month back. About 2 weeks back, this camera dropped off the network. I could not bring it back online so I removed it from homekit hoping I could pair it again.

But, try as I might with multiple resets, it just loops through "ready to connect. please open the aqara home app" and does not get paired on HomeKit. Same goes with the Aqara app - it just won't add the camera (QR scan fails).

My presumption is that the firmware is corrupt. Is there a way to reset the firmware in some way or load the default firmware from SD Card? Totally out of ideas and open to any suggestion! Thanks.

PS: WiFi is 2GHz only and has no underscores.

ashwindz commented 2 years ago

Thank you for not giving up on me @mcchas

I tried to boot with the ota.bin you specified on /mnt/sdcard but that did not change things. It was stuck at the same spot as earlier.

as it tries to copy this from /mnt/sdcard/ota.bin.

Is there a specific time at which I need to do something? I just booted with the file...

ashwindz commented 2 years ago

Also, should I consider the SPI flash route? What would the process be if I were to go this route?

Would I need SOIC 8 / SOP8 Clip, an rpi and a breadboard?

mcchas commented 2 years ago

@ashwindz that is an easier route and should work no matter what you do to the file system. If you already have a Raspberry Pi (or programmable MCU with SPI) you just need a SOIC clip; they are available on eBay for a few dollars. I didn't have much success programming while the chip is still on the PCB but you might have more luck, otherwise you will need a soldering iron to remove it...

The other way is to go through the firmware and find another way in, which likely is possible but would take an unknown amount of time and could potentially not yield anything. The flash method is almost guaranteed to work.

ashwindz commented 2 years ago

Thanks @mcchas

you just need a SOIC clip, they are available on eBay for a few dollars.

I presume this is SOIC 8? I found one site which sells this but it may take 2-3 days to get to me. Will order it.

(or programable MCU with SPI)

Would the CH341A 24 25 Series EEPROM Flash BIOS USB Programmer work? Again, this is available locally and I should get it in 2-3 days.

The other way is to go through the firmware

While I wait for the SOIC clip and programmer - is there anything else you can suggest I try?

mcchas commented 2 years ago

Looks like it should work - https://www.win-raid.com/t4287f16-GUIDE-The-Beginners-Guide-to-Using-a-CH-A-SPI-Programmer-Flasher-With-Pictures.html

ashwindz commented 2 years ago

OK - ordered an EZP2019 instead @mcchas - should be with me next week!

I guess I need to use a Raspberry Pi anyway to flash it. I use OSX and I presume these devices won't be supported. Would it work with a VM?

mcchas commented 2 years ago

Great! I see flashrom is available from brew on OSX and that's all I used.

ashwindz commented 2 years ago

@mcchas - once I get the programmer, what should I do? I understand that as a first step, I can extract the bin and keep it as a backup. But what after that?

ashwindz commented 2 years ago

@mcchas - once I get the programmer, what should I do? I understand that as a first step, I can extract the bin and keep it as a backup. But what after that?

@mcchas could you please advise? Thanks!

mcchas commented 2 years ago

@mcchas could you please advise? Thanks!

I imagine you're going to need to extract a full image from the flash, validate the data integrity (i.e. doubly ensure it's a verbatim copy). From there you can use tools to extract the root file system (like binwalk), change whatever you like (the file that was destroyed earlier) and repack the filesystem (squashfs?) and back to an image to write back to the flash device. A good step may be to update Uboot to enable interactive mode so a hardware programmer is not needed if the OS has issues again.

ashwindz commented 2 years ago

Ok! That sounds like quite an interesting ride! Will muster some courage and get to it in the next couple of days.

From there you can use tools to extract the root file system (like binwalk), change whatever you like (the file that was destroyed earlier)

I do have the old file, but rebuilding to the previous version would just land me where I started. How can I resolve / reset fully?

update Uboot to enable interactive mode

is this a config parameter or do I need to find/ build a UBoot binary which supports this?

Thanks again @mcchas

ashwindz commented 2 years ago

Hello @mcchas - need some guidance again!

I finally got everything rigged and managed to dump the firmware from the camera. I did 2 copies to check the diff to make sure I got it all. I then tried

binwalk -e read01.bin

It took a while but I ended with a HUGE bunch of files which were like 1017FA8.xz 4F8730 50BF34 522AA4 538C70 58E62C.zlib 5A5114.zlib 5BED54 5D6138 5E896C.zlib

I tried with binwalk -e -y jffs2 read01.bin, but this yielded just one file, 4F04F8.jffs2.

Can you help? I am not sure what I am doing wrong.

mcchas commented 2 years ago

hey @ashwindz

Were you able to read the flash without removing the chip?

Repacking the firmware might be tricky. It might be easiest to just write the original vulnerable firmware image back on this flash device and start again.

The image would have to come from a known good flash. Do you have another working camera to take this from?

ashwindz commented 2 years ago

Were you able to read the flash without removing the chip?

Yes @mcchas - I think I was. I did it twice and did a diff between the 2 to check.

The image would have to come from a known good flash. Do you have another working camera to take this from?

Unfortunately - no :( Can you please help? Is this usable?

mcchas commented 2 years ago

That's good, it didn't work for me... but my wiring was a bit shaky.

Those files are not a complete image... send me a handle and I might be able to help with a file via DM.

mcchas commented 2 years ago

I just noticed it bounced. Size too large. I can try to split the file or use something else?

mcchas commented 2 years ago

I have not tested but imagine it is a full image of the camera including the bootloader. I would try writing the entire 32MB image to the SPI flash - keep in mind it must be ungzipped first.

ashwindz commented 2 years ago

Thank you very much @mcchas - will try to push this in. Much appreciate all your help!

it is a full image of the camera including the bootloader.

I meant to ask if uboot is set to be interactive, as you asked me to do here.

ashwindz commented 2 years ago

Hello @mcchas - I tried to write the image after gunzipping. I ran into the error below

Image size (33554433 B) doesn't match the flash chip's size (33554432 B)!

Can you please advise?

mcchas commented 2 years ago

Hello @mcchas - I tried to write the image after gunzipping. I ran into the error below

Image size (33554433 B) doesn't match the flash chip's size (33554432 B)!

Can you please advise?

Looks like it's 1 byte too long. Use something like dd to strip that unexpected byte from the end of the file.

mcchas commented 2 years ago

@ashwindz I used VIM to remove my SSID from the image and it added an EOL character to the file. If stripping off the last byte does not work, send me the Dropbox invite again and I'll upload a new file.
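The two checks the thread relies on, as an added example that is not code from the thread or the project: confirming that two SPI dumps are byte-identical, and cutting an image that is one byte longer than the chip (the 33554433 vs 33554432 mismatch flashrom reported) back to the exact chip size before writing it. The flashrom invocation assumes a CH341A-class programmer and is reference only; the self-check runs on constructed 16/17-byte files.

```shell
#!/bin/sh
# Added example (not from the thread): check that two SPI dumps agree and trim
# an image that is one byte longer than the chip, the flashrom error above.
set -eu

CHIP_BYTES=33554432   # 32 MiB, the chip size flashrom reported in the thread

# Reference only, not run here: dump the chip twice and compare the dumps.
# Assumes a CH341A-class programmer; adjust -p for your hardware.
dump_twice() {
    flashrom -p ch341a_spi -r read01.bin
    flashrom -p ch341a_spi -r read02.bin
    dumps_match read01.bin read02.bin && sha256sum read01.bin
}

# Exit 0 when the two files are byte-identical, 1 otherwise.
dumps_match() {
    cmp -s "$1" "$2"
}

# Write exactly $3 bytes of $1 to $2, discarding anything past that
# (e.g. the newline an editor appended). Fails if the source is too short.
# head -c does what "dd bs=1 count=N" would, but fast and on macOS too.
trim_to_chip() {
    src=$1 dst=$2 size=$3
    actual=$(wc -c < "$src" | tr -d ' ')
    if [ "$actual" -lt "$size" ]; then
        echo "image is $actual B, shorter than the chip ($size B)" >&2
        return 1
    fi
    head -c "$size" "$src" > "$dst"
    [ "$(wc -c < "$dst" | tr -d ' ')" -eq "$size" ]
}

# Self-check on constructed data: a 16-byte "chip" image and a 17-byte copy
# with a trailing newline, mirroring the one-byte-too-long image above.
demo() {
    d=$(mktemp -d)
    printf 'ABCDEFGHIJKLMNOP'   > "$d/good.bin"     # 16 bytes, the real content
    printf 'ABCDEFGHIJKLMNOP\n' > "$d/edited.bin"   # 17 bytes, one too many
    dumps_match "$d/good.bin" "$d/good.bin"
    ! dumps_match "$d/good.bin" "$d/edited.bin"
    trim_to_chip "$d/edited.bin" "$d/fixed.bin" 16
    dumps_match "$d/fixed.bin" "$d/good.bin"      # trimmed copy now matches
    rm -rf "$d"
}

demo && echo "trim check passed"
```

For the real image the call is `trim_to_chip read01.bin fixed.bin "$CHIP_BYTES"`; verify the trimmed file with `dumps_match` against a second dump before writing it back.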

ashwindz commented 2 years ago

@mcchas I did strip it with dd but had trouble flashing it because of the contact with the clip

I would of course trust what you did better than what I did - so if you can re-upload it will be very helpful! The dropbox link is open again

ashwindz commented 2 years ago

@mcchas I think the stripped firmware flashed successfully (I hear prompts in Chinese - my original firmware used to be English). Thank you!

I am back now at square 1. Unable to pair it to homekit :)

Haven't yet checked the logs - need to fish out my cable again :)

mcchas commented 2 years ago

That's great! You can use the cable and configure WiFi or whatever else you need, as you have the root password. With this Chinese firmware you can switch it to English fairly easily - one of the other issues covers that and the readme has a workaround there also.

jarekmodra commented 2 years ago

Hi, I have identified that the camera loses the default gateway settings.

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.1.254   0.0.0.0         UG    0      0        0 wlan0
192.168.1.0     *               255.255.255.0   U     0      0        0 wlan0

After powering up the camera and waiting a few minutes, it loses the default route. I can add the route using "route add default gw 192.168.1.254", but again after a few minutes it goes away.

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     *               255.255.255.0   U     0      0        0 wlan0

Does anyone else have this problem with firmware version 2.2.5?

jarekmodra commented 2 years ago

The camera was on a secure IoT WLAN SSID that blocks ICMP. Found this error in /tmp/log/camera.0:

19700101 20:51:15.865 ERROR camera_tmp 837: !!! ping gateway[192.168.1.254] timeout, need restart wlan0 !!!

After enabling inbound ICMP (ping) to the interface of the router, the error stopped and the default route was no longer being deleted from the routing table. Hope this helps.
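A small diagnostic for the behaviour jarekmodra describes, added here as an example and not part of the thread: the firmware's watchdog pings the gateway, and when the router silently drops ICMP it restarts wlan0 and the default route disappears. The functions below check a `route` listing for a default route and pull the gateway address and timeout count out of the camera log; the sample routing tables and log lines are constructed to match the output quoted above, and `check_live` is reference only for running on the camera itself.

```shell
#!/bin/sh
# Added example (not from the thread): detect the watchdog route loss from the
# camera's own routing table and /tmp/log/camera.0 output.
set -eu

# Constructed samples modelled on the output quoted in the thread.
ROUTE_OK='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.1.254   0.0.0.0         UG    0      0        0 wlan0
192.168.1.0     *               255.255.255.0   U     0      0        0 wlan0'
ROUTE_LOST='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     *               255.255.255.0   U     0      0        0 wlan0'
CAMLOG='19700101 20:51:15.865 ERROR camera_tmp 837: !!! ping gateway[192.168.1.254] timeout, need restart wlan0 !!!
19700101 20:51:16.001 INFO  camera_tmp 837: wlan0 up
19700101 20:53:40.102 ERROR camera_tmp 837: !!! ping gateway[192.168.1.254] timeout, need restart wlan0 !!!'

# Exit 0 if the given `route` output contains a default route, 1 otherwise.
has_default_route() {
    printf '%s\n' "$1" | awk '$1 == "default" { found = 1 } END { exit !found }'
}

# Number of gateway-ping timeouts (each one precedes a wlan0 restart).
count_gateway_timeouts() {
    printf '%s\n' "$1" | awk '/ping gateway\[.*\] timeout/ { n++ } END { print n + 0 }'
}

# The gateway address the firmware is pinging, taken from the first error line.
gateway_from_log() {
    printf '%s\n' "$1" | sed -n 's/.*ping gateway\[\([^]]*\)].*/\1/p' | head -n 1
}

# Reference only (needs the camera's shell): if the gateway does not answer
# ICMP here, the watchdog will keep restarting wlan0 and dropping the route,
# so the fix is on the router (allow ping to its LAN interface), not the camera.
check_live() {
    gw=$(route | awk '$1 == "default" { print $2; exit }')
    ping -c 3 "$gw" >/dev/null 2>&1 ||
        echo "gateway $gw does not answer ICMP; expect wlan0 restarts" >&2
}

# Report on the constructed samples.
report() {
    gw=$(gateway_from_log "$CAMLOG"); n=$(count_gateway_timeouts "$CAMLOG")
    if has_default_route "$ROUTE_LOST"; then echo "default route present"
    else echo "default route missing; $n gateway-ping timeouts for $gw in log"; fi
}
report
```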