shadow-1 / yi-hack-v3

Alternative Firmware for Xiaomi Cameras based on Hi3518e Chipset
GNU General Public License v3.0

Yi 1080p Outdoor EUR support #228

Open fedyfausto opened 6 years ago

fedyfausto commented 6 years ago

Hello guys! I have a Yi 1080p outdoor EUR version and I'm wondering if I can help you to support this camera. Can I give you some information?

fedyfausto commented 5 years ago

Hello guys! Forgive me for my disappearance :D In the next days I'll try to fix the rtsp server (if I can). Anyway, in which way could we use the ftp to access the stream?

quenrice commented 5 years ago

Guys,

I followed the tasks mentioned and everything was working, I was on a 2017 firmware (out of the box)

And then, I wanted to try an upgrade to the latest firmware (3.0.0.0D_201809111054)... Bad idea, it seems they countered the hack because now it doesn't work. I retried an upgrade from the rootfs_h30 and home_h30 but no telnet possible...

EpicLPer commented 5 years ago

I just updated to the latest firmware, I hope this won't break anything...

mikfaina commented 5 years ago

But with the hack, I'm still able to view cameras from YI Home app?

arizzi commented 5 years ago

@EpicLPer I have also updated to fw 3.0.0.0D_201809111054 and it seems the hack is not working. Has anyone successfully hacked it with 3.0.0.0D?

EpicLPer commented 5 years ago

I haven't tried since people keep saying that the RTSP stream keeps crashing.

arizzi commented 5 years ago

I managed, it seems to work also with 3.0.0.0D reverting it to B+mods. I noticed that rtsp2301_watch.sh is actually a github webpage download instead of the actual file content that I guess was meant to be https://github.com/xmflsct/yi-hack-1080p/blob/master/sd/test/app/rtsp2301_watch.sh

EpicLPer commented 5 years ago

Lol what, seriously

How did you exactly go about to hack the Outdoor 1080p, is it the same as any other camera described in the readme?

gabrielegirardi commented 5 years ago

Hi, I did the whole procedure and the camera works. The problem is that the stream rtsp://192.168.0.13:554/ch0_0.h264 crashes very often, while both the app and the Windows program work. Inside the FIX folder the files are not "rtsp2302, rtsp2302.sh" but "rtsp2303, rtsp2303.sh"; are these OK?

evanfloden commented 5 years ago

I think the newer original firmware is stopping the yi-hack-v3 from working.

I am using model YHS.3017 and have tried most things. I've used this hack before on other cameras with no problem.

@gabrielegirardi & @arizzi Any ideas where we can find the 3.0.0.0B versions of the original firmware?

On the download page I only get 3.0.0.0D.

I think the file should be something like: 3.0.0.0B_201712111936

Edit: figured out the naming scheme of the download site.

Will now try get the old firmware on if I can unbrick my camera somehow.

http://download.us.xiaoyi.com/yifirmware/smarthomecam/familymonitor-h30/3.0.0.0B_201712111936home_h30m

Edit 2: I'm stuck on yellow light so unable to test 3.0.0.0B firmware. Any reset hints would be great.

Edit3: I'm thoroughly bricked (3rd time) but this time I can't seem to get it working.

> it seems to work also with 3.0.0.0D reverting it to B+mods.

What does this mean BTW?

mvklingeren commented 5 years ago

The unbrick guide for your: Yi Home Outdoor 1080p 👍

@evanfloden I had the same issue, to unbrick a 3.0.0xyz.. device

To fix it, add these 2 files to an sdcard: https://mega.nz/#F!s9wVzZQZ!k6F3p8HcWCoWl-jla2Cxpw the files in this zip are the 3.0.0B release, this is the only way you're gonna get it to work again (2.x files, like from the 'recovery' folder provided by shadow-1 do not work)

1) reboot cam, check if the lights blink (amber/blue) until it's done, wait a min after it burns solid

2) then turn it off, take the card out, add a wpa_supplicant.conf and remove the other files from sd

keep it turned on from now, until last step

3) telnet into the device (use a network scanner to find the ip on your network if needed) telnet: root, no password.

4) copy the content from this zip: https://mega.nz/#!9Fw0iYjZ!UmJ81DohmUpC1UetOW6JRvjR0ioHerm2qmh91XR1BGs (directory 'fix') to the sdcard. Put the sd back into the camera:

    mount /dev/mmcblk0p1 /tmp/sd
    cd /tmp/sd
    cp rtsp2303.sh /home/app/
    cp libstdc++.so.6 /home/app/
    cp init.sh /home/app/

remove the sdcard, and reboot the device (unplug, plug : )

happy camming with the Yi, big thanks to fedyfausto

(in case the links in this post stop working -> i got a backup, just let me know)

gabrielegirardi commented 5 years ago

Thanks to all, I had already found this solution and the 5 cameras work well with both the App, PC and Home Assistant, the procedure you described is fine I guarantee, but if I do the update of the signature from 3.0.0B to the 3.0.0D, still work? has anyone tried?

mvklingeren commented 5 years ago

Do not update to 3.0.0D, your setup will stop working.

And then you can fix it again with above guide ;-)

EpicLPer commented 5 years ago

So is the RTSP stream working on the hack without any problems?

fedyfausto commented 5 years ago

Unfortunately my fix will crash the rtsp client after some seconds... :( sorry guys, I did not find solutions for now

mvklingeren commented 5 years ago

Which RTSP client? I guess VLC... but is this the case with all clients? Because I was able to watch the rtsp stream from Android for a few minutes

gabrielegirardi commented 5 years ago

It depends, sometimes you can see the video playback for several minutes, sometimes it stops immediately. Someone knows how to do continuous recording in an HD, I can from the App to record on the phone, while from the HI HOME program of the PC I can only record one camera at a time and with PC on.

mvklingeren commented 5 years ago

i hope this will help us too with the partially broken RTSP then.. https://github.com/shadow-1/yi-hack-v3/issues/241

TheCrypt0 commented 5 years ago

Hi everyone, I'm currently working on yi-hack-v4 which will feature a working RTSP server for the cameras. The errors that vlc shows in @fedyfausto's post (hey, I'm Italian too!) are caused by the circular buffer not being parsed and read properly. Especially this error, "main warning: picture is too late to be displayed (missing 9984 ms)", means that the stream is not consistent and the h264 frames are not correctly ordered. That makes sense because of the nature of the buffer.

To overcome this problem I created a daemon called viewd which scans the circular buffer every 50ms to know exactly where the current head offset is. This offset is then used by the RTSP server to move its reading pointer to the correct position. (More details here: https://github.com/shadow-1/yi-hack-v3/issues/126#issuecomment-449659465)


Support on the outdoor camera? Great! It would be cool if you could provide a dump of the stock partitions home and rootfs. I'm planning to support it natively from the first releases of the new hack:

  • I spent the last week writing scripts and gathering information about the process of creating and packing a custom firmware.
  • The process is now almost straightforward with just a few scripts to call that will:
    1. Fetch all the submodules required (like proxychains, busybox, etc.)
    2. Unpack the original rootfs_XXX and home_XXX images to create a suitable base sysroot to work with.
    3. Init each submodule and patch it with the required configs or anything else needed.
    4. Compile each submodule and copy the "result" (executable, library or else) to the build directory.
    5. Combine the sysroot, the static files (like rootfs/etc/ configurations) and the build files into a final folder
    6. Pack the folder into a jffs2 filesystem and then into a flashable rootfs_XXX and home_XXX images.
    7. Flash the images onto the camera.
  • The scripts are in a beta stage but the process works fine. The time required from cloning the repo to have a ready-to-flash custom firmware is around ~5 minutes (depending on the processing power).

More info here: [yi-hack-v4] Support and continue the development

Ciao!

EpicLPer commented 5 years ago

@TheCrypt0 I could provide a dump if only I knew how to do that 🤔 I guess I'd have to take the camera apart then.

EpicLPer commented 5 years ago

Maybe a stupid question but would a MJPEG stream with separate audio and talk function be easier and more reliable to implement than the RTSP stream?

TheCrypt0 commented 5 years ago

Hi @EpicLPer, yes, to provide a dump you'll need to take the camera apart and then use a USB to serial TTL adapter to issue a couple of commands.

To solve the problem of the streaming server we need to access a video capture in some way:

  1. Option one: direct access to the image sensor. This would be easier, there are a couple of samples in the SDK that implement some kind of streaming. However, all the app and cloud functions wouldn't work.
  2. Option two: access the circular buffer /tmp/view. This, in my opinion, is the right path to follow. It's not invasive and allows all the app/cloud functions to keep working. But this approach is a bit tricky, because we don't know the buffer's head, size and offset. That's why I created viewd, which allowed me to create an almost working RTSP server from @andy2301's rtsp2303. (tested on Yi Dome 720p)

Greetings

EpicLPer commented 5 years ago

@TheCrypt0 tbh I wouldn't mind the cloud (((sh*t))) being broken for me since I don't want to use their sss...ucking app anyways. But I do know some people want to keep using it :)

I'm not sure how hard the Outdoor 1080p is to take apart but I do have a TTL to USB converter, just recently flashed a new firmware on a Smartplug so I happen to have one now :) As mentioned in the earlier other Issue you could add me on Discord and I'd be glad for your help so I can dump the firmware if possible.

EpicLPer commented 5 years ago

Is there any way to escape the running script on the latest 3.0.0.0D firmware? I'm now at the point where I got a serial connection and can see the console output and everything but I can't stop the initial script from running. Maybe they patched that?

mvklingeren commented 5 years ago

@TheCrypt0 great job so far; I totally agree with using the circular buffer - keeping access to all Yi features + RTSP is way to go..

shadow-1 commented 5 years ago

@EpicLPer If all fails, I may be able to dump the firmware the other way around.

One person here sent me firmware dump of the Home partition for the Yi 1080p Outdoor camera. Perhaps examining this firmware will allow us to find a backdoor to running a script off the microSD card. This used to be a common feature on Xiaomi firmware until it started getting exploited.

Or I can slightly modify that firmware to allow to run a script off the microSD card and we can get a clean dump of the rootfs partition that way.

Just thinking out loud.

EpicLPer commented 5 years ago

@shadow-1 That'd be great! I saw that you can download the home partition from the official Xiaomi page so maybe that's the one.

You could join the Discord Server @TheCrypt0 posted in the other issue and we could take a look live without having to write a comment each time if you want :)

TheCrypt0 commented 5 years ago

Discord Server

I've just created a Discord server with a couple of channels. Invite link.


I'm posting this here too, in case someone wants to join and have easier direct communication. The main information/discoveries about the cam will be posted on the issue too.

shadow-1 commented 5 years ago

@EpicLPer No no, this is a binary dump (same as my custom firmware). This is not available from Xiaomi. Xiaomi updates are encrypted archives which replace some files on the Home partition. It is not what I call a 'firmware' at all since it literally extracts the encrypted archive to ram disk and copies/replaces some files from ram disk to flash memory.

I have no idea how he got the binary firmware file. However it is only for the Home partition and not for the rootfs.

TheCrypt0 commented 5 years ago

@shadow-1

I was thinking to make a rootfs with an init.d script to dump the other partitions. IIRC @fedyfausto has managed to flash a renamed firmware image to the outdoor camera, even if it was the wrong version.

We would lose the original rootfs, but we could modify the dumped home partition to make a dump of the rootfs on another unmodified camera.

shadow-1 commented 5 years ago

@TheCrypt0 That would work as well.

However I already have a home partition. Just need to check it out.

kolotiloff commented 5 years ago

> Edit3: I'm thoroughly bricked (3rd time) but this time I can't seem to get it working.

@evanfloden, Could you make it work? I also have a brick.

shadow-1 commented 5 years ago

@kolotiloff I think we are close to developing a recovery firmware to return the Yi 1080p Outdoor back to stock. I have a home partition backup which I will modify to allow us to backup the rootfs partition from an unmodified camera.

After this, I will be able to create proper recovery images that will be able to restore the firmware back to stock. Then all sorts of experimental developments can occur without risk of bricking the camera.

EpicLPer commented 5 years ago

@shadow-1 If you need a completely stock Outdoor Camera for firmware dumping I have one ;)

kolotiloff commented 5 years ago

I did everything according to the instructions and managed to connect the camera, but only in the Chinese version of Yi Home for iOS. When I tried to look at the picture from the camera, it gave errors, rebooted the camera and it again started saying that it was for use only in China (this is when connected to the Chinese version of Yi Home for iOS). I tried to repeat everything according to the instructions anew, but as a result a brick with a constant yellow light. It comes back to life after updating with the latest firmware 3.0.0.0D, but after that I can't get it to flash back to 3.0.0.0B.

TheCrypt0 commented 5 years ago

@shadow-1 @EpicLPer @kolotiloff

I was trying to create a custom upgrade image (similar to the ones posted here). This would allow us to inject a script to make the dump, however it seems like the update is encrypted with a private key (at least the first n bytes of the 7z file).

The two phases encryption is something like that:

  1. The update files are encrypted in a 7zip file protected with a password.
  2. The password, the version, a checksum and the first N bytes of the 7zip files are then RSA encrypted another time with a private key.

If all the 7z part wasn't RSA encrypted, we could easily create a custom dump-update.

@shadow-1 could you upload the stock recovery home_h30 here or on Discord? Thanks

Greetings

EpicLPer commented 5 years ago

I wonder how hard it would be to bruteforce that encryption.

TheCrypt0 commented 5 years ago

Apparently:

5.95×10^211 years. (using every atom present in the universe as a CPU)

How much computing resource is required to brute-force RSA?

EpicLPer commented 5 years ago

> Apparently:
>
> 5.95×10^211 years.
>
> How much computing resource is required to brute-force RSA?

Fffff......

shadow-1 commented 5 years ago

@TheCrypt0 It is not that hard to unpack the official Xiaomi updates. I have done it many times. I never bothered about repacking them with modifications. This would be quite difficult.

In fact if you go to my Box account. Under Official Firmware, you will see a collection of Xiaomi updates for various cameras. Both the original and unpacked versions in ZIP format. Link: https://app.box.com/s/cibs7n1mgvhqaqjlidtveegu1uajt5yr

It is correct that you cannot brute force the encryption. It is not practical.

shadow-1 commented 5 years ago

@kolotiloff Unfortunately the Xiaomi updates disallow downgrading. I guess your only option for now is to wait until we develop a working recovery image.

EpicLPer commented 5 years ago

@shadow-1 But I was able to downgrade my 3.0.0.0D firmware to 3.0.0.0B on the Outdoor 1080p and it also showed up as 3.0.0.0B in the app. After that I was able to initiate an update via the app.

TheCrypt0 commented 5 years ago

@shadow-1 Yes, I've unpacked the firmware update many times too, I was wondering how to repack it.

I can't find the home_h30 in your box account, maybe it is in a specific directory? I searched in yi-hack-v3/recovery

shadow-1 commented 5 years ago

@TheCrypt0 Like I said, I need to do some checks on the file I have. I have not hosted it yet.

@EpicLPer Unusual, all the Xiaomi updates I have come across for the other cameras disallow downgrading.

EpicLPer commented 5 years ago

> @TheCrypt0 Like I said, I need to do some checks on the file I have. I have not hosted it yet.
>
> @EpicLPer Unusual, all the Xiaomi updates I have come across for the other cameras disallow downgrading.

Not kidding tho, here. Clearly shows 3.0.0.0B even tho I had 3.0.0.0D previously on it, as stated many times via issue comments and @TheCrypt0 can confirm this too :) I took this screenshot back when I was about to upgrade it again.

kolotiloff commented 5 years ago

The first time it turned out to go through all the steps of the instruction and connected via Telnet. Now I can not repeat everything according to the instructions.

The camera is flashed only with another version (I take https://github.com/shadow-1/yi-hack-v3/releases here and rename home_h20 as home_h30). I upload wpa_supplicant.conf file, but the camera does not connect to WiFi. Then I take the files here https://mega.nz/#F!s9wVzZQZ!k6F3p8HcWCoWl-jla2Cxpw, I upload the file wpa_supplicant.conf, but the camera also does not connect to WiFi. As a result, a brick.

You have to take 3.0.0.0D and the camera comes to life. But with 3.0.0.0D it is not possible to flash using files with Mega. I take files from yi-hack-v3 and flash it. And so in a circle ... To no avail.

Why for the first time managed to connect the camera to WiFi via wpa_supplicant.conf?

mvklingeren commented 5 years ago

After flashing 3.0.0B you should hear the voice from your camera: ready to scan QR code, otherwise it did not succeed.

When you hear that, only then add the wpa_supplicant.conf and telnet into it, and copy the files I mentioned in my previous post.

kolotiloff commented 5 years ago

> After flashing 3.0.0B

But after 3.0.0D, the camera does not want to flash on 3.0.0B. It is necessary to take the files here yi-hack-v3 and flash, and only then your files that are specified above, but after all these actions, a brick is obtained and the camera is silent. It remains only to go again to 3.0.0D.

drlarsen77 commented 5 years ago

@shadow-1 @EpicLPer On my 1080P Dome I was also able to downgrade. I noticed the version check looks like this:

if [ $newver != $curver ]; then

Of course, a restriction could also exist in the updater binary, but I think at least on some devices it only cares that your version is different (greater or lower).
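
The comparison quoted above accepts any version that differs from the installed one, which is why an older image is installed as readily as a newer one. The following is an added example, not code from the Xiaomi firmware or from yi-hack-v3: it sets that check beside an anti-rollback comparison, and the function names and the assumed ordering of the version fields (dotted release, revision letter, build stamp) are hypothetical.

```shell
#!/bin/sh
# Added example. Version strings follow the form quoted in this thread,
# e.g. 3.0.0.0D_201809111054 (dotted release + revision letter + build stamp).
# The field layout and its ordering are assumptions made for this example.

# The comparison quoted above: anything that merely differs is accepted,
# so an older image passes just as a newer one does.
weak_allows() {
    [ "$1" != "$2" ]
}

# Print a fixed-width key that sorts in release order; fail on malformed input.
version_key() {
    case "$1" in
        "" | *[!0-9A-Z._]*) return 1 ;;   # empty, or characters outside the format
    esac
    printf '%s\n' "$1" |
        LC_ALL=C grep -Eqx '([0-9]{1,4}\.){3}[0-9]{1,4}[A-Z]_[0-9]{12}' || return 1
    printf '%s\n' "$1" | awk -F'[._]' '{
        n = length($4)
        printf "%04d%04d%04d%04d%s%s\n", $1, $2, $3,
               substr($4, 1, n - 1), substr($4, n), $5
    }'
}

# Anti-rollback form: accept only a well-formed, strictly newer version.
# Returns 0 = install, 1 = same or older, 2 = unparseable version string.
strict_allows() {
    newkey=$(version_key "$1") || return 2
    curkey=$(version_key "$2") || return 2
    # The "K" prefix forces expr to compare the keys as strings.
    LC_ALL=C expr "K$newkey" \> "K$curkey" >/dev/null || return 1
}

# Constructed check using the two version strings mentioned in the thread.
report() {
    cur=3.0.0.0D_201809111054
    new=3.0.0.0B_201712111936
    weak_allows "$new" "$cur" && echo "weak check:   $cur -> $new accepted"
    strict_allows "$new" "$cur" || echo "strict check: $cur -> $new refused (rc=$?)"
}
report
```

A shell-level comparison like this only helps if the version string it reads is taken from the authenticated part of the update package, and, as the comment above notes, the updater binary may apply its own restriction as well.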

mvklingeren commented 5 years ago

@kolotiloff you might need to flash yi-hack-v3 first, but after flashing 3.0.0B, it must work

I went that route, and I'm on 3.0.0B and it's working fine.

-edit: and I've seen that yellow light for some time too ;-)