samtap / fang-hacks

Collection of modifications for the XiaoFang WiFi Camera
New firmware: 3.2.0.30 #185

Open spxak1 opened 7 years ago

spxak1 commented 7 years ago

Hi all, both my cameras were updated to newest firmware 3.2.0.30 and both now fail to see the SD card. I have tried formatting, new cards, different sizes, to no avail. As if the firmware disabled the SD slot. It also reset the time zone. As such I am back to stock and most annoyingly without the ability to record anything on the SD cards.

Anyone else affected?

zhernovskyi commented 7 years ago

I can confirm that hack can't be installed on 3.2.0.30 out of the box. After inserting card with hacks I can hear dang-dang sound, can access http://device-ip/cgi-bin/hello.cgi and can't access http://device-ip/cgi-bin/status - error 404. But if I try http://device-ip/cgi-bin/hello.cgi?name=record, I can see listing of record directory of my SD card. So, for unknown circumstances snx_autorun won't run or runs incorrectly. The LED is blinking blue and never becomes solid blue.

The only way is to downgrade to 3.0.3.56 according to wiki. After that, hacks installed and work without any problem on 3.0.3.56. After that, you can upgrade cam to 3.2.0.30 and hacks will still be working fine.

snoerenberg commented 7 years ago

Hi, I captured the firmware download of the actual 3.2.0.30. So when someone wants to have a look into it: http://www5.zippyshare.com/v/x4gK3Yhp/file.html

There you can see that the whole "hotplug" functionality and autorun behaviour is removed. Within the "hello.cgi" you can see the new parameters like "name=..." in IDA Disassembler.

FolderComp between 3.0.3.56 and 3.2.0.30: treecomp

pierangelof commented 7 years ago

Hi Aleksandr, I have tried to downgrade my camera following the WIKI but without success. Please, could you clarify a couple of things?

Thanks a lot for your help.

zhernovskyi commented 7 years ago

I've used a card that previously was written within latest fanghack image over dd. So the first partition is FAT32 and I've done all the things as mentioned on wiki. The card is 2Gb microSD.

samtap commented 7 years ago

@snoerenberg How did you extract the img file? I've upgraded multiple cams and all still have hotplug functionality.

pierangelof commented 7 years ago

Just to be sure: what have you placed in the root of the sd-card: the entire directory _12c424a07178dceedb4b05130f736757_upd_isa.camera.isc5.bin.extracted or only the files content in it?

Thanks for your help

zhernovskyi commented 7 years ago

@pierangelof Only content of folder and rename 0.elf to FIRMWARE_660R.bin

pierangelof commented 7 years ago

Thanks a lot but most probably I do some mistake and it does not work.

I really do not understand where is my mistake.

zhernovskyi commented 7 years ago

@pierangelof

  1. Hold setup button
  2. Power on camera(put in power cable)
  3. Do not release setup button for 10-15 seconds. I'm not sure, maybe you can hold it 5 second or should hold more than 15 sec, you should try )

pierangelof commented 7 years ago

How have you understood that the camera was writing the firmware? I have held the button very long (more than 15 secs), the camera restarted, the yellow LED was fixed and then blinking but at the end the firmware was not changed :(

zhernovskyi commented 7 years ago

@pierangelof Have no idea how to understand is the process of writing fw started or not )

pierangelof commented 7 years ago

Anyway, thank you very much for your support, very much appreciated.

zhernovskyi commented 7 years ago

@pierangelof You are welcome.

snoerenberg commented 7 years ago

@samtap

  1. use "binwalk -e 96e2644d3fdada10cf54ad88b62d01fe_upd_isa.camera.isc5.bin" to extract the cramfs image -> https://github.com/devttys0/binwalk -> you can even try to use "binwalk -e -M 96e2644d3fdada10cf54ad88b62d01fe_upd_isa.camera.isc5.bin" or go to step 2
  2. 2EE298.cramfs can be extracted with 7z or with binwalk as well -> easiest way is to use binwalk on linux and the "cramfsck" extractor or binwalk on windows and 7z

bublikOff commented 7 years ago

@pierangelof I had the same problem ... did not have success by downgrading firmware using SD card method. And only using serial connection I was able to downgrade it

pierangelof commented 7 years ago

@bublikOff I think that I am able to connect the camera through the serial port but I do not know how to perform the downgrade (from the bootloader I assume). Could you help me?

bublikOff commented 7 years ago

@pierangelof Just recently I was finally able to downgrade its firmware

  1. TTL to USB adapter is needed
  2. Extracted 3.0.3.56 firmware on USB root
  3. I've connected USB power adapter to camera
  4. Then connected TTL to USB adapter to camera contacts (RX, TX and GND only) ... 3.3v contact is not needed as camera already has enough power from USB adapter
  5. And just continue with Wiki instructions ... logging in with root and etc ...

pierangelof commented 7 years ago

@bublikOff Thanks a lot. I was able to open a serial console and it seems that the problem is that the camera cannot read the sd-card. I have tried with different cards but the result is always the same: the kernel sees that the card is inserted but is not able to find the partitions.

You wrote: "Extracted 3.0.3.56 firmware on USB root" do you mean that you have used an usb-stick?

louis-lau commented 7 years ago

I think he meant to say SD card root, doesn't make sense otherwise.

bublikOff commented 7 years ago

@louis-lau oh yee .. sorry ... SD card root

samtap commented 7 years ago

@snoerenberg Thanks, looks like a very useful tool. The cramfs section you refer to is only the read-only root file-system. The /etc folder is flashed to a different mtdblock and is mounted r/w, likely one of the LZMA compressed sections in the firmware file. Did you include those in your tree compare?

snoerenberg commented 7 years ago

@samtap seems that's only partially within the /etc folder. In the cramfs is only:

/etc/hotplug/sdcard
/etc/hotplug/udisk
/etc/mdec.conf

Where the rest comes from I do not know right now. For which files you are looking for?

In the tree compare was only the cramfs section.

snoerenberg commented 7 years ago

@samtap I think you are searching for the contents in /root/etc_default This folder was in the comparison as well.

samtap commented 7 years ago

@snoerenberg No, I'm searching for the contents of the other mtdblocks. Because I doubt your statement regarding removal of hotplug. Binwalk is unable to extract them unfortunately, so I have no proof :(.

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             ELF, 32-bit LSB executable, ARM, version 1 (SYSV)
34376         0x8648          uImage header, header size: 64 bytes, header CRC: 0xD172, created: 2017-06-30 09:02:42, image size: 3038112 bytes, Data Address: 0x8000, Entry Point: 0x8040, data CRC: 0x10D5, OS: Linux, CPU: ARM, image type: OS Kernel Image, compression type: none, image name: "Linux-2.6.35.12"
34440         0x8688          Linux kernel ARM boot executable zImage (little-endian)
40184         0x9CF8          LZO compressed data
40512         0x9E40          LZO compressed data
1654243       0x193DE3        mcrypt 2.5 encrypted data, algorithm: "\", keysize: 637 bytes, mode: "F",
2294168       0x230198        Cisco IOS microcode, for ""
2481618       0x25DDD2        LZMA compressed data, properties: 0x5D, dictionary size: 2097152 bytes, uncompressed size: 5587956330468999371 bytes
3072664       0x2EE298        CramFS filesystem, little endian, size: 7192576, version 2, sorted_dirs, CRC 0x9DCF7318, edition 0, 3742 blocks, 426 files
10265920      0x9CA540        Unix path: /home/yangdi_xu/git.t/st58600/toolchain/buildroot-2011.02/src/output/toolchain/gcc-4.5.2/libgcc/../gcc/config/arm/lib1funcs.asm
10267824      0x9CACB0        LZMA compressed data, properties: 0x8B, dictionary size: 16777216 bytes, uncompressed size: 4323455642326007808 bytes
10270157      0x9CB5CD        LZMA compressed data, properties: 0x93, dictionary size: 1048576 bytes, uncompressed size: 166633220608229376 bytes
10270413      0x9CB6CD        LZMA compressed data, properties: 0x93, dictionary size: 2097152 bytes, uncompressed size: 211387741904175104 bytes
10270493      0x9CB71D        LZMA compressed data, properties: 0x93, dictionary size: 1048576 bytes, uncompressed size: 226024440694177792 bytes

The uncompressed size is obviously wrong and the 7z/lzo files extracted by binwalk aren't actually archives that can be extracted.
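
The "uncompressed size is obviously wrong" observation can be checked mechanically before trusting a scanner hit. The following is an added example, not code from this thread or from fang-hacks: it decodes the 13-byte LZMA header at a candidate offset, rejects implausible fields, then tries a short trial decode. The 4 GiB size bound, the function names and the sample blob are assumptions made for the illustration; the bogus header reuses the values from the 0x25DDD2 row above.

```python
import lzma
import struct

UNKNOWN_SIZE = 0xFFFFFFFFFFFFFFFF  # header marker for "size not stored"
MAX_PLAUSIBLE = 1 << 32            # assumption: no section of a camera image unpacks to >4 GiB
HEADER_LEN = 13


def parse_header(blob, offset):
    """Return (props, dict_size, uncompressed_size) from an LZMA 'alone' header."""
    return struct.unpack_from("<BIQ", blob, offset)


def lc_lp_pb(props):
    """Split the properties byte, which encodes (pb * 5 + lp) * 9 + lc."""
    lc = props % 9
    lp = (props // 9) % 5
    pb = props // 45
    return lc, lp, pb


def check_candidate(blob, offset, probe=4096):
    """Return (is_real_stream, reason) for a candidate LZMA offset."""
    if offset + HEADER_LEN > len(blob):
        return False, "truncated header"
    props, dict_size, size = parse_header(blob, offset)
    if props >= 225:  # lc <= 8, lp <= 4, pb <= 4
        return False, "invalid properties byte 0x%02X" % props
    if size != UNKNOWN_SIZE and size > MAX_PLAUSIBLE:
        return False, "implausible uncompressed size %d" % size
    try:
        # Decode only a small prefix; a real stream yields data immediately.
        out = lzma.LZMADecompressor(format=lzma.FORMAT_ALONE).decompress(
            blob[offset:], max_length=probe)
    except lzma.LZMAError as exc:
        return False, "decoder rejected data: %s" % exc
    if not out:
        return False, "decoder produced no output"
    return True, "decoded %d bytes" % len(out)


def build_sample():
    """Constructed test blob: one bogus header and one genuine stream."""
    payload = b"hotplug sample line\n" * 400
    genuine = lzma.compress(payload, format=lzma.FORMAT_ALONE)
    # Header fields copied from the 0x25DDD2 row of the scan output above.
    bogus = struct.pack("<BIQ", 0x5D, 2097152, 5587956330468999371)
    bogus += bytes(range(64))  # constructed filler standing in for kernel bytes
    blob = b"\x00" * 32 + bogus + b"\x00" * 16 + genuine
    return blob, 32, 32 + len(bogus) + 16, payload


if __name__ == "__main__":
    blob, bogus_off, good_off, _ = build_sample()
    for off in (bogus_off, good_off):
        print(hex(off), lc_lp_pb(parse_header(blob, off)[0]),
              check_candidate(blob, off))
```

All five LZMA rows in the scan output carry a valid properties byte and dictionary size, so the declared size is the field that gives them away.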

pierangelof commented 7 years ago

@bublikOff, @zhernovskiy: thank you again for your help.

As the SD-slot appears to be broken, I have transferred the firmware through http and I was finally able to downgrade the camera. Anyway, since I cannot use an SD-card, I cannot also use the hack.

I am thinking about the possibility to permanently copy the hack in the EPROM of the camera (if the space is sufficient). Does anybody know how to permanently write the files and the correspondent conf files in the camera?

xwarior2017 commented 7 years ago

@samtap

I want to keep using autorecord when device is on, is it possible?

thecrazyfarang commented 7 years ago

Hello there,

I am on fw 3.2.0.30 and I have one of those new cameras with the switch and mac qr code underneath the camera. I have installed fang hacks on the sd card and I can hear the hammer beeping twice which should mean that hack was successful but I'm unable to access the hack page. I get a 404 error like many of the peeps here. The hello.cgi page comes up blank.

I followed the instructions several times to downgrade, each time trying to tweak it a bit hopefully to make it work but still no luck. I believe my problem is I don't have a root folder on the sd card. I have the bootstrap and the other .sh file together with the downgrade files and folders but they are not into a root folder (I hope this makes sense). I think this is the reason why the downgrade is not working for me. Do you guys have any suggestions as this thing is driving me crazy?

xwarior2017 commented 7 years ago

@thecrazyfarang

root = bootstrap folder and snx_autorun.sh directory

thecrazyfarang commented 7 years ago

I tried multiple times but still no success. When I flash the fang hacks image file, I only get a bootstrap folder and the snx_autorun.sh file. I don't get the structured folders as per this guide: https://www.andryou.com/2017/07/11/setting-xiaomi-xiaofang-security-camera/ . I feel like throwing this piece of garbage in the sea, damn Xiaomi and their region block. Really don't understand the reasoning behind it.

wolverinevn commented 7 years ago

Guys, any luck with SD card?

PR0r commented 7 years ago

I've just had my camera arrive and it's prompted to update the firmware. I've noticed an update to this git a few days ago, has this helped with getting this working on the latest firmware?

fubar2 commented 7 years ago

For the record, firmware 3.2.0.30, which I unfortunately have on a new (qr/mac34) arrival is poorly tested rubbish I'd say. If you visit hello.cgi (I have no recordings), there's a blank page but the source shows the html is trivially invalid and thus broken - there are two <body> tags instead of the last one being a close body tag. Ugh. Worse, it seems able to mount (ding,ding and the sd card shows as mounted in the app) a freshly formatted sd card but won't recognise (no dings and no SD card showing in the app) anything I've written fanghacks.img or an older version of the firmware to downgrade to. Sigh. The joys of being a xiaomi crap software beta tester... Pity - the camera works fine and I'd love to get fanghacks going so I can avoid their execrable cloudy software.

<html>
<head><title>CGI Output</title></head>
<body>
<h2></h2>
<body>
</html>

samtap commented 7 years ago

Maybe there's a difference between an upgraded cam (like mine) or one that was shipped with V3.2.0.30? I don't have any of those so I can't test :(. I could give instructions if anyone is interested + has some linux cli skills. Really curious to figure out what the deal is with V3.2.0.30 as I'm planning a new release and would want it to work on all devices...

julianbb1 commented 7 years ago

@samtap I received my camera end of July (was shipped the 3rd of July) and it came with a firmware lower than 3.2.0.30 (I don't remember the version). I was having problems with the MiHome app and decided to upgrade the firmware to 3.2.0.30 (I didn't know about using older MiHome to make it work). I tried to downgrade via SDCard and it never worked (I tried different cards, Windows, Linux,..). My camera is mac34 with plastic reset button. I tried to use your hack and I have the same situation that fubar2 has. The only difference is that my SDCard mounts (I can find camera recordings on it) on both the cases: FangHacks img or normally formatted one.

fubar2 commented 7 years ago

@samtap @julianbb1
The files and procedure suggested by tibiro on discus to use the method at https://www.andryou.com/2017/07/11/setting-xiaomi-xiaofang-security-camera/ worked for me to downgrade from 3.2.0.30 to 3.0.3.56. Then I was able to apply fanghacks without problems as long as I didn't use the img file from here - I had to build and fill the partitions manually to get the camera to ding when the card was inserted.

samtap commented 7 years ago

I was finally able to investigate a cam with 3.2.0.30 using serial console, and Xiaomi definitely patched the hole! The sdcard script is changed and no longer runs snx_autorun.sh. The root password is also changed. Why this didn't happen on my other cams that were also updated, I have no idea. So downgrading is required after all :(.

To downgrade you have to place the FIRMWARE_660R.bin file in a fat partition on the sdcard. You can simply use the fang-hacks image and place it next to the bootstrap folder. Then press down the reset button and keep it pressed while plugging in the cable to power the device. It takes about 5 seconds before the flashing starts and you can release the button. The led will be orange during the flash.

julianbb1 commented 7 years ago

I was finally able to downgrade the camera. In the past, I tried the downgrade procedure on 2 different SDCards (4GB Chinese - 32GB Kingston). Today I decided to try with another SDCard I have (a 16GB Kingston) and It simply worked with the same procedure I have tried so many times on the other SDCards (https://www.andryou.com/2017/07/11/setting-xiaomi-xiaofang-security-camera/):

thecrazyfarang commented 7 years ago

I managed to grab hold of a 2GB card and managed to downgrade the firmware so the problem was my 32GB Toshiba TF card. Looks like somehow the downgrade does not work on certain cards.

Now I have another issue, when applying the hacks I'm getting the following error: No 'data' directory found in /media/mmcblk0p2! . I guess it's the same Toshiba card that is causing the issues, will see if I can get the same error with the other card but for now just wanted to report that the downgrade works, it's a bit hit and miss though with the cards used.

SpoKeys commented 6 years ago

Having a look over:

/etc/miio # ls
device.conf device.token wifi.conf
/etc/miio # cat device.conf
vendor=isa
model=isa.camera.isc5
mac=34:CE:00:D5:A5:0A
did=58535979
key=9FJhtuEPbBVofq9Y
/etc/miio #

It may be possible to change the MAC from here? Can anyone that is having a working camera, in any region, provide the details they have?

SpoKeys commented 6 years ago

I can confirm that is not possible to change the MAC from /etc/miio # cat device.conf

Swaktor commented 6 years ago

DOWNGRADING to 3.0.3.56 from 3.2.0.30 And Installing Fang Hack without Error 404. !! Solution !!

I found this Tutorial Custom firmware in English Language. https://www.youtube.com/watch?v=mpzPWYONWZA

I just put this .bin File on my FAT32 formatted 16GB MicroSD Card with only 1 Volume / Partition and downgraded it as it is shown in the Video.

After downgrade, connect your XF Camera with the MiHome App 4.0.11 or 4.0.11 to the Wifi- I prefer using .11

Then I deleted the .bin File and copied the Fang hack Master File into your root folder of the MicroSD Card. Get it here and download the zip File : https://github.com/samtap/fang-hacks

Insert the MicroSD card while your XF Cam is Connected to the WiFi and then type http://camera.ip.address.here/cgi-bin/status. That's it ! For me there was no Error 404 and I was able to check the http://camera.ip.address.here/cgi-bin/hello.cgi

DejayRezme commented 6 years ago

Thank you @Swaktor it worked for me too! I successfully downgraded to 3.0.3.56. But it's still not working with MiHome 4.0.11. Don't really care about that though.

Not sure what to do now. Is the Yk Handler firmware supposed to already contain the fang hack?

I wrote the fanghacks_v0.2.0.img to the sd card, inserted it, heard the clank clank but wasn't able to connect to hello or status.cgi. The camera stopped connecting after I tried to access the camera with mihome and didn't reconnect to the wifi anymore (blinked orange). Then I have to delete and add it again with MiHome. Now it blinks blue. But still no luck getting http access. I don't get a 404 error, just "This site can’t be reached" even though it's listed on my router. Should ping work?

I've never even seen my camera show a solid blue light. I did see it switching between blue and orange once. After boot mine blinks orange, then alternates blue/orange, then blinks blue. It turns on the red LEDs in front depending on lighting conditions (I guess those are IR leds?)

All this is extremely confusing :) So I figure this camera is basically a linux computer, and inserting the sdcard creates an overlay to the existing file system. Do I need to keep the SD card in after I hacked it the first time? Can I boot with the SD card in or not? Could I connect if I removed any password for my wifi? Could someone make a web page generating the picture to scan to connect the camera to wifi, therefor bypassing the need for the mifi app altogether? Questions over questions :)

raphaelcmelo commented 6 years ago

How can I back up the current configuration of my camera if the downgrade goes wrong or I do not like of it? I mean, go back the way it was before switching things. The way it is, at least I have the Video Records to see when there is any movement detection. Thanks

samtap commented 6 years ago

@raphaelcmelo Ask Xiaomi support? It's their firmware and settings you're asking about, as far as I know there's no backup/restore in mi home.

raphaelcmelo commented 6 years ago

@samtap I mean the factory config of cam, because I'm thinking in downgrade my 3.2.0.30 to 3.0.3.56 and apply the hack, I'm afraid that doing that the Mi Home app stops working (I use a lot of its motion alerts). By applying the hack does the Mi Home still work normally?

samtap commented 6 years ago

Yes.

pharmasian commented 6 years ago

Hi. I've used Win32diskimage to create the SDcard but I don't see any folder/partition named "mmcblk0p1"... Is it normal?

And it's weird coz theres are some recordings clips in the folder [record]...

pharmasian commented 6 years ago

@julianbb1 Do you have the new version of the XF (MAC 34...) ?

tb205gti commented 6 years ago

Does anybody have the 3.0.x firmware - it seems it has been taken down from all sites.

samtap commented 6 years ago

It's still here: https://github.com/samtap/fang-hacks/wiki/HowTo:-Flash-original-Xiaomi-firmware-from-sdcard-(factory-reset)