Only mainland China: how to unlock camera for EU?

[walterkaos]

Dear users, I bought a Xiaofang camera without paying attention to the country. Now, my camera can only operate from China IP when connected. Since I want use the camera from Europe, this is banned! How can I update firmware unlocking region ban?

[jak0lantash]

I have the same issue

[gmruiz]

the same for me! Please, hack for this.

[milesburton]

On all but one of mine, you can still install the chinese setup app. Go through the setup process and install the mod via TF card.

Dont worry too much if it says "mainlaind china only" or some such

[samtap]

New camera's are blocked from using mi home cloud outside China. You can still use the app to connect the camera to wifi and then apply the hacks by inserting sd-card and using the status web-page. I've got one of these new cams and confirmed this works, also with the latest 3,0,4,9 firmware.

Please report here if you have a different experience. Include mi home version, iOS/Android, firmware version and camera model (pinhole or lever reset button)

[jak0lantash]

Applying the hack worked flawlessly for me after initial setup on 3.0.4.9 via mi home, despite the camera being geoblocked ("only used in mainland china") by Xiaomi.

[sfornengo]

It seems there is a hack for the same problem on an other Xiaomi camera: https://diy.2pmc.net/solved-xiaomi-xiao-yi-ant-home-camera-can-used-china/ Is someone able to transpose to XiaoFang ?

[milesburton]

Good spot, I'll look into this when I get a chance

On Tue, May 16, 2017, 21:06 sfornengo notifications@github.com wrote:

It seems there is a hack for the same problem on an other Xiaomi camera: https://diy.2pmc.net/solved-xiaomi-xiao-yi-ant-home-camera-can-used-china/ Is someone able to transpose to XiaoFang ?

— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/samtap/fang-hacks/issues/123#issuecomment-301899668, or mute the thread https://github.com/notifications/unsubscribe-auth/ABJjszNcFykNXNAfS8JCV9U24vqg0BGlks5r6gGygaJpZM4NZupr .

-- Regards, Miles Burton

[ChavezD]

So for me i was able to use the mi home app (4.0.11, android) with my new camera (MAC 34:xx...+QR on bottom+button instead of this needle push thing there), but im still on FW 3.0.3.56. Does this "workaround" still work if i update the camera to 3.0.4.9?

However I'm going to flash the hack this evening, the Mi Home app isn't that great imho.

[wahaha2017]

I hacked the camera and got the log.txt. when I used the usa vpn it didn't work, "mainland china only", log is wahaha.txt; when I used the china local net it worked, log is chinangb.txt. I can't find the differences between them.

wahaha.txt chinangb.txt

[wahaha2017]

Connect Server g_stTutkUserServerInfo.nLoginFlag = 0XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX nLoginRet -10 <><><><><><><><><><><><><><><><><><><><><><><><>88888888888888888888:TUTK LOGIN ER UNLICENSE

how can fake the response ???

[samtap]

I don't really have any interest in circumventing the region check, the goal of this project is to create an open-source alternative firmware that doesn't require any of the Xiaomi stuff.

But for those interested to hack the region block:

• It appears the old version is accepted regardless of cam firmware and mi home version. These can be recognized by not having a QR code on the base. The wifi chip is sourced from some Shenzen supplier and the MAC address does not match the MAC address in device.conf (28:XX...) used for identification with cloud services.
• The new version has a wifi chip from Xiaomi with MAC address that matches the one set in device.conf (34:XX...). Now the interesting bit: device.conf does not exist on a virgin camera. It is created by iCamera when it starts, way before a wifi connection is up or Mi Home is involved. (iCamera is the executable running on the cam doing all the work). Ergo: If you can make a new cam appear like an old cam, by providing a device.conf with a 28:XX MAC, it will be accepted by Mi Home.
• The MAC address on wlan0 is set by iCamera when it starts so spoofing it before it starts is useless (i.e. run 'strings iCamera |grep ifconfig'). I believe from that point forward, the MAC address is stored in memory of iCamera, spoofing after it starts has no effect (wifi works fine with a different mac, device.conf still contains 34: MAC).
• Each time you press the setup button (required for pairing with Mi Home), device.conf is rewritten in case you messed with it. It writes the 34 MAC regardless of the MAC used by wlan0 at that time. A device.token is written when Mi Home starts the pairing process, it is different each time. When making device.conf inaccessible, iCamera enters an infinite loop and doesn't proceed with pairing. Messing with it too much during pairing simply causes the pairing process in Mi Home to timeout and you have to start from scratch. Ergo: iCamera has a way to retrieve the MAC address which is not simply reading ifconfig HWaddr. It is also unlikely stored in some kind of file as that would require them to flash each cam with a different file as they are produced, possible but unlikely (and I could find no evidence of such file). It is not provided by Mi Home or cloud services either since it's used to configure wlan0 before any pairing is initiated.
• Interestingly, the MAC is stored in the 'serial' field of the USB device descriptors provided by the wifi chip. And iCamera happens to link with libusb....! I can't think of any other reason they would need libusb besides doing accessing the wifi device. I've added some debug probes in libusb in the most likely places: functions that return the serial descriptor. Those didn't get hit. But there're still many other calls that are more low-level and could equally be used to retrieve the serial.

Conclusion: If somebody would build a custom libusb that rewrites the serial in case it starts with 34 before returning it to caller, it might trick iCamera into thinking it is running on a old cam.

[wahaha2017]

how can I get the the open-source alternative firmware now?

[idostern]

Same here.

[nykoo]

same :( Cam FW 3.0.3.56 and iOS 3.17.0 Mi app

[idaadi]

@samtap wouldn't it work to hard code the Mac directly in the Driver for rtl8188E , recompile it for arm and replace the original one ? do you think the 28..... mac address needs to be the actual mac of a Camera they produced( they have a DB with all their own macs ) or not ? How could the community motivate you to circumvent the geo block ? Regards

[samtap]

I'm not interested in using the Xiaomi cloud stuff, there're many other things that need to get done... Since my previous post I noticed the mac is also stored in nvram so that may also play a role. I don't think the wifi driver is involved since I was able to spoof it and not get around the region block, and the older version has a 'fake' mac that doesn't match the hw mac but is used to identify with xiaomi cloud. I don't think they have a db with blocked mac, it's the mi home app that accepts or rejects the cam. If you use an older version of the app and block location services the cam is accepted (or, that's what I've been told).

[santianton]

I have three cameras with MAC 34 and none of them works with the fang-hacks...

[walterkaos]

Guys, me too. There's no solution. I have sent back the product to chinese online shop in order to be refunded.

[zg2302vi]

There is EU solution https://www.ismartalarm.com/devices/cameras/spot/isa00013.html Only caveat is it costs 2x > https://www.leroymerlin.fr/v3/p/produits/camera-connectee-ismartalarm-e1500580033 Bought one discounted for 49 eur

[carloslebreiro]

Is it possible to "export" the firmware of that camera? It would be great if we could upgrade the firmware of our xiaofang to the ismartalarm original firmware

[TweedleMB]

My configuration is Camera (MAC start with 34) firmware 3.0.3.56 downgradet from this maual - https://github.com/samtap/fang-hacks/wiki/HowTo:-Flash-original-Xiaomi-firmware-from-sdcard-(factory-reset)#via-sdcard

Android Mi Home - version 4.0.11 :) from this link www.apkmirror.com/apk/xiaomi-inc/mihome/mihome-4-0-11-release/mihome-4-0-11-android-apk-download/

everything works.

[Damadgeruk]

The above worked for me, 3.0.3.56 showing, getting video on mi home 4.0.11 tho motion sensing is patchy. Blue led flashing.

[Jumpertrekker]

@TweeldeMB I have the same configuration but the app sees the the camera only if on the same wifi. Over 3g the app doesn't see the cam. Is it the same for you? Does anyone know what tcp/udp port uses the camera? Maybe I just need to better setup my router. Thanks!

[mp3llll]

@TweedleMB and that work fine via HOME app also via 3G?

[Damadgeruk]

Works over mobile data for me on Mi Home app.

[ktanrtp]

@TweedleMB and @Damadgeruk , I have installed 4.0.11 Mi Home App and my cam's firmware is 3.0.3.56 with hacks applied. I can do rtsp streaming. But I still cannot connect to my camera using MiHome App, even after disabling "stop-cloud" and "rtsp-server" services by following FAQ. The app is stuck at "Connecting (1/3)"

Are you saying that you are using the 4.0.11 Mi Home and 3.0.3.56 smoothly without applying the fang-hacks?

Thanks

[J450NC]

Be gentle first post, and not a programmer, I have three of these camera's 3x MAC code 34 ** . They all behave differently ! The first doesn't have a press button for the reset - it has a hole - this works with the MiHome app and I even managed to upgrade to 3.2.0.30 with no dreaded 'only works in China error' - still working no errors. The second has a push button for the reset and I upgraded the software believing from my previous experience with the first camera this would be ok - I got the dreaded 'only works in China error' That brought me here to this thread and website - although I do not profess to be a programmer I can follow the SD format protocols and writing image files or working out what goes in a root directory etc. I created a downgrade microSD card to 3.0.3.56 and flashed the second camera. It now has 3.0.3.56 firmware but still reports 'only works in China error' and has the option to upgrade to 3.2.0.30 in the firmware update section. It took several attempts but I think the key is the duration of holding the reset button after reapplying power as mentioned above. The third camera also has MAC code 34 ***** but I have never upgraded the firmware when prompted and this one works with the MiHome app with no errors.

Summary: Camera 1 - earlier vrs no button to reset (has a hole) MAC code 34 - currently 3.2.0.30 - working Camera 2 later vrs button reset MAC code 34 - currently upgraded to 3.2.0.30 then flashed to 3.0.3.56 - it has region code error Camera 3 later vrs button reset MAC code 34 never upgraded - currently 3.0.3.56 - working

My question/s are: Is the second camera now flashed to a point where the China region error cannot be removed ? If I use the fang hack would the MiHome app stop its remote functionality - appreciate that is the whole point to not use MI server to bounce/stream data - I'm looking at converting all three ultimately but want to try to recover camera number 2 so that if I want to revert to 'factory settings' I have the knowledge how to. I am using IOS vrs of MiHome 3.19.0 set to mainland China

With the different permutations I have it is quite easy to see why members are having difficulty as I have three cameras all behaving differently all with MAC code beginning 34 *****

Has anyone had any success in the email link when you get the 'China Region Error' Can anyone translate what this page is saying ? It 'appears' to request you take a photo of the base of the unit and email that to an address to request international use, has anyone tried this ?

My experience, so far, is that once the firmware upgrade is applied, although the downgrade can be applied the region error is retained ( see my comments above re camera 2 and camera three differences) I will try flashing camera 2 a few more times to see if it can be returned to factory settings and post my findings.

[munineo]

Hi all dudes!

I'm trying to downgrade my xiaofang cam, but I don't know how time must press the button to know when it is flashing the firmware... Is there and led colour blink to detect that it is flashing or how to know when it is rebooting after flashing?

[J450NC]

To Downgrade - Start camera, wait, scan with app to pair to wifi, wait, when nothing new is happening insert SD card and hold button down .... keep holding it down, voice says something in Chinese, keep holding button down, when she's finished speaking wait until the orange light stays on then let go of the button BUT DO NOTHING ELSE at this point leave the power on and WAIT once it is doing nothing new remove SD card and cycle the power. That's how I have been flashing mine to revert to lower firmware.

[munineo]

Thx @J450NC downgrade done and cam with 34 MAC visible from Mi Home

[Jumpertrekker]

Hi, and are you able also to access to the stream by app via 3g.

Thank you.

Il 20 lug 2017 5:21 PM, "munineo" notifications@github.com ha scritto:

Thx @J450NC https://github.com/j450nc downgrade done and cam with 34 MAC visible from Mi Home

— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/samtap/fang-hacks/issues/123#issuecomment-316737688, or mute the thread https://github.com/notifications/unsubscribe-auth/Acxd1rqj-blXAxk1oLtv1Me0IVTLIcUvks5sP3B8gaJpZM4NZupr .

[munineo]

No I can't over 3G @Jumpertrekker

[J450NC]

OK, I've tried discussion/email follow up with MiHome pop-up email for region error, here's the reply:

亲爱的用户： 非常抱歉，您的申请未通过审核。 如果您依然希望在大陆地区之外使用小方，请严格按照要求提供正确的资料。 请提供在小米官网/小米商城/小米天猫旗舰店/小米京东旗舰店等正规官方渠道购买的带有订单号的截图； 小方底部的MAC地址拍照示意图。 感谢您对小方智能摄像机的理解与支持。

Dear customers, We appreciate your business. Unfortunately, your device unlock request was not been approved. However, you still can use your Spot in Mainland China. If you still want to unlock your Spot and use it outside of Mainland China, please follow the Device Unlock Guide resubmit you request.
Please provide the purchase records of MI.com、JD、MI Tmall or others formal official store. Image of bar code. Thank you for choosing our products. .................................................................................................................................................

Needless to say I purchased from a cheaper alternative source, I've tried reapplying with bill of sale barcode photo etc but not holding out much hope. So fanghack is probably the only way to go unless someone can bypass the region / mac 34 lock out or able to achieve a 'true' factory reset as this appears to work for both the app and the hack (so long as you don't update the firmware)

[munineo]

They give me same answer... Bought at Gearbeast... I've other one without 34 MAC address and the newest with 34 MAC in which I must downgrade it to see on Mi Home.

[ojgolan]

did any1 try to flash the xiaomi xiaofang with the ismart spot firmware? Since there are too many similarities (even the root password is ismart12) did anyone manage to set this up? As this may be the way to clear this crap of the limitation with the global branding.

[snoerenberg]

Hi, is someone having the ismart spot firmware or the actual xiaofang firmware version 3.2.0.30 as binary? I already had a look with IDA Disassembler into the flashing part (1st part of binary) and I would like to ask if someone tried such a "cross-flash" and if there is any problem or error message.

So I would be able to change the existent ismart firmware to be flashable on xiaofang as well. I think there will be some model_id check which must be patched.

[ojgolan]

@snoerenberg If you manage to do this, this will be superb. Both cameras look the same, expect the ismart is supposed to be 720p and has 4 IRs instead of 2. It also costs 4 times the amount of the Xiaomi Xiaofang...

[munineo]

The spot with MAC starts with 34 doesn't work right with MiHome apk... not always connects when I try to access it on the same WIFI, thats a pitty. Hope you've got good news with your effords

[RylicR]

Hi guys, I tried everything to downgrade my XiaoFang but nothing work... I really don't know what to do. Someone can explain more precisely what exactly to do? I tried :

• Turn off, put card, hold button, Turn on, the light is orange fix, then i listen the "dudumdudum xabanheyhey" and light blink, then light turn off, i unhold button, 30 sec after light is blinking. Then when i connect, stil not downgrade.
• J450NC solution : i turn on, clic on button to have "dudumdudum xabanheyhey", connect to MiHome, light turn Blinking blue, insert the SD card, listening "klink klink", hold button and this done the usually "dudumdudum xabanheyhey", still hold then light turn fix orange... For 30sec then blanking again as usually... After connection it's stil the same FW... I really don't know what to do... Please help, explain what to do and what could happened :( TY

[J450NC]

Pair as normal - scan barcode. (This is no different to manufacturers instruction) Put in SD card and hold button in - voice says something - don't let go yet You should only have a constant yellow/orange light on - constantly on. Now you can let go - wait until nothing new is happening. Take out SD card. Cycle the power. If it is still not a lower firmware your SD card probably isn't set up correctly.

UPDATE: Now another of my cameras has China mainland only msg. I think any use of the MiHome app will soon be closed out for us Euro users - only solution will be a different firmware apk hack for the MiHome - region in MiHome App is set to 'Never' allowed location access but there is a default there and all update info on app page says to use location which should include 'locale region' - fanghack will be only option. Does anyone know how to fake a location in iOS - might be another option for those that want to use MiHome. Has anyone tried a location spoofer on iOS with a jail broken device ? Please post reply.

[ilkdostun]

I had the same problem before. I have a camera with Mac-adress starring with 34 (the one with the plastic reset button). I got it to work using the Mi Home app version 4.0.8 (you can download it on Google if you search for Mi Home 4.0.8 apk). Install the app and then unselect "update plug-ins", set region to "Mainland China" and change language to English. DO NOT UPDATE CAMERA OR APP.

When this is done you have to reset the camera to the firmware version 3.0.3.56. You can do this by holding in the plastic setup button for 12-15 seconds. The status-led will tur off or solid orange. Wait until the led starts flashing orange. Now the camera is reset to the firmware it came with.

Do the setup as usual and make all the steps on the screen.

When you are done, after a while, the camera status-led will start blinking blue. Now the camera will work on WiFi LAN only. Unplug the camera and leave it unplugged over night. plug the camera back in and wait for a couple of minutes and the status-led will turn solid blue. This means that the camera is connectet to the cloud server and now can be accessed via your phones 4g/3g or on a different WiFi than the cameras.

I don't know why you will have to wait over night for the camera to start working via cloud (4g/3g). But that's how it is.. I have tried this with 3 cameras and it works on all of them.

I hope i helped someone!

[devilweb77]

The reset the camera to the firmware version 3.0.3.56 holding in the plastic setup button for 12-15 seconds doesn't work. I still have firmware 3.2...

[J450NC]

Use the SD slot with 3.0.3.56 software on it to downgrade then.

[adrianmihalko]

Guys, is there any hostname/address which blocks firmware upgrade checks?

[Jumpertrekker]

@ilkdostun I'm almost there... I can access to some functions also from 3g but still no streaming. Do you also get the streming to work on 3g?

Il 07 ago 2017 8:17 AM, "ilkdostun" notifications@github.com ha scritto:

I had the same problem before. I have a camera with Mac-adress starring with 34 (the one with the plastic reset button). I got it to work using the Mi Home app version 4.0.8 (you can download it on Google if you search for Mi Home 4.0.8 apk). Install the app and then unselect "update plug-ins", set region to "Mainland China" and change language to English. DO NOT UPDATE CAMERA OR APP.

When this is done you have to reset the camera to the firmware version 3.0.3.56. You can do this by holding in the plastic setup button for 12-15 seconds. The status-led will tur off or solid orange. Wait until the led starts flashing orange. Now the camera is reset to the firmware it came with.

Do the setup as usual and make all the steps on the screen.

When you are done, after a while, the camera status-led will start blinking blue. Now the camera will work on WiFi LAN only. Unplug the camera and leave it unplugged over night. plug the camera back in and wait for a couple of minutes and the status-led will turn solid blue. This means that the camera is connectet to the cloud server and now can be accessed via your phones 4g/3g or on a different WiFi than the cameras.

I don't know why you will have to wait over night for the camera to start working via cloud (4g/3g). But that's how it is.. I have tried this with 3 cameras and it works on all of them.

I hope i helped someone!

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/samtap/fang-hacks/issues/123#issuecomment-320578055, or mute the thread https://github.com/notifications/unsubscribe-auth/Acxd1mxFXSxptSgnxwWo7kApCpRjTH1Bks5sVqvpgaJpZM4NZupr .

[schmurtzm]

Hi, For information, I've got the right version for IOS.

On Android you can use the version 4.0.11 (but that you already know). On IOS you can use versions 3.11 and 3.12 only. Inferior versions (3.10) does not have the XiaoFang in the device list and superior versions (3.13) have the lock to mainland china.

To get the right version on IOS it's not easy :

• you're jailbroken : install "App Admin" from cydia, go to app store and chose version 3.12 of Mi Home
• you're not jailbroken, follow one of these tutorial (not easy) : This one, other one and video. After that backup the .ipa file with itunes to be able to restore it later.

[Willian-Zhang]

To Downgrade - Start camera, wait, scan with app to pair to wifi, wait, when nothing new is happening insert SD card and hold button down .... keep holding it down, voice says something in Chinese, keep holding button down, when she's finished speaking wait until the orange light stays on then let go of the button BUT DO NOTHING ELSE at this point leave the power on and WAIT once it is doing nothing new remove SD card and cycle the power. That's how I have been flashing mine to revert to lower firmware.

The downgrade guide in wiki didn't work, this worked for me

[Resabiao]

The guide I followed: https://www.andryou.com/2017/07/11/setting-xiaomi-xiaofang-security-camera/. Resulting: When sd card keep inserted, blue light fix, hacks (rtsp) working , mi home 4.0.8 not getting image from camera ( lan neither 4g). Camera firmware: 3.0.3.56. SD card out (and re start): on lan, mi home fully functional. On 4g no video stream, no connection and getting some alerts from movement detection, but downloading video error. Thinking on sending this time consuming piece of trash to hell....

[Andreaux]

Does anyone know if the form (link in the error message page) where you could send in a proof of purchase and a photo of the mac address of the camera to have it unlocked for international use works? I can't read chinese so I can't tell, but I presume it's meant to be that... Anyone?

[Andreaux]

On the other hand, does anyone know how it would be possible to spoof the mac address of a camera to change it to something not beginning with 34 or so...?