shadow-1 / yi-hack-v3

Alternative Firmware for Xiaomi Cameras based on Hi3518e Chipset
GNU General Public License v3.0

Is there any plan for Chinese version of YI Outdoor Camera? #82

Open HuipengRen opened 6 years ago

HuipengRen commented 6 years ago

Or is there any way to do it by myself based on this project? I bought one two weeks ago, but I just found that I can not use it in the US unfortunately.

shadow-1 commented 6 years ago

@HuipengRen This is a very interesting camera which I would like to support. However as I don't have this camera, I don't think I will be able to develop custom firmware for it yet.

I can guide you through a few basic steps to confirm whether the Yi Outdoor camera is similar to the other cameras I currently support. If it is very similar to the Yi Home or Yi Dome cameras, I should be able to support it without too many issues, even if I don't have the camera.

Unfortunately the only way to confirm this is to get access to the camera's serial interface, which requires the camera to be opened up along with some soldering. If you are willing to do this, I may be able to help.

javier26 commented 6 years ago

I am willing to help. I have the "YI Outdoor Security Camera, Cloud Cam Wireless IP" as described on amazon and sold to US customers.

shadow-1 commented 6 years ago

@javier26 That is great. The first thing that you need to do is get access to the console of the camera. All the Xiaomi cameras I have seen have a serial port connection on the main board.

Older versions of the camera had a connector whilst newer ones only have pads which can be soldered.

Once you have the serial port connection soldered, you will need to use a USB-Serial converter to access the console.

You can use this YouTube video as a go by. It is for the original Yi Home and not the Yi Outdoor 1080p. Hopefully it isn't much different. https://www.youtube.com/watch?v=3e8jXuxiRzY

When you manage to open your camera to get access to the main board. Can you post some high resolution photos of the internals here? I'm sure it will be helpful to others.

javier26 commented 6 years ago

I have no idea how to open this thing. There are no visible screws apart from the ones that hold the microSD slot door closed.
I tried to pry it open from the front with a little pressure but it wouldn't give. I'll keep trying.

HuipengRen commented 6 years ago

I actually unlocked the region lock without opening the camera a couple of weeks ago.

javier26 commented 6 years ago

Are you able to enable rtsp on it and remove the cloud recording, and all the good stuff?

HuipengRen commented 6 years ago

No, it only unlocked the region lock, so basically:

  1. Set up a DNS server with dnsmasq on your laptop, and configure "api.xiaoyi.com" to map to your laptop IP.
  2. Log in to your wifi router and change the DNS server to your new DNS server (your laptop IP).
  3. Set up a custom transparent HTTP proxy on your laptop, which will forward all "api.xiaoyi.com" traffic to another HTTP proxy in Mainland China. I could not configure squid or any other HTTP proxy to do it correctly, so I just wrote a very simple one.
  4. You will need to set up the above again when the camera restarts.

HuipengRen commented 6 years ago

To unlock the region lock, I think you can also simply do SSH port forwarding for ports 80/443 to an instance at a cloud provider in China (like aliyun or mtyun) after redirecting your DNS server.

HuipengRen commented 6 years ago

I can share the simple transparent http proxy if anyone needs it.

shadow-1 commented 6 years ago

@HuipengRen This is almost the same method my custom firmware uses to bypass the region lock. The main difference of course is that the firmware implements everything on the camera. No need for special routers or converting a spare computer into a transparent proxy server.

@javier26 Unfortunately, to develop a custom firmware we need to find a way to open the camera. I guess it is much more difficult to open because it is dustproof and waterproof.

chenkok commented 6 years ago

@shadow-1 So, basically if you have physical access to the Yi Outdoor cam then you'll be able to make a custom firmware, right? Then we'll be able to just flash the cam using a memory card? I bought a few a while ago for my dad without knowing it has a region lock. So, I might be able to give you one for testing. Is that ok with you?

shadow-1 commented 6 years ago

@chenkok With physical access to the camera, we can do investigations within the embedded operating system and determine what needs to be done to hack the firmware.

This particular custom firmware (yi-hack-v3) is specific to Xiaomi cameras based on the HiSilicon Hi3518e chipset. If the Yi Outdoor is also based on a HiSilicon chipset, there is a good chance that this firmware can be adapted to provide Yi Outdoor 1080p support without a lot of modification. However if the Yi Outdoor camera is based on a different chipset, a completely different hack will need to be developed, potentially with a different way of applying firmware updates (if at all possible) and potentially a different method of hacking the firmware.

You never know with Xiaomi. For example, the Yi Home 2 camera, despite the similar product name, similar look and feel, it is a completely different camera to the original Yi Home series of cameras. The Yi Home is based on the HiSilicon Hi3518e chipset whilst the Yi Home 2 is based on the Ambarella S2LM chipset. A completely different firmware was developed to hack the Yi Home 2 camera because it is based on a different chip.

I am happy to have a look at the Yi Outdoor for testing purposes. However only after investigation and testing can we find out what needs to be done to hack the firmware. There is also a chance that it cannot be done easily.

chenkok commented 6 years ago

@shadow-1 Can you provide your address, will go get a quote from courier service.

ykhandler commented 6 years ago

Interesting...

shadow-1 commented 6 years ago

@chenkok Can you provide me with an email address or a way I can send you my address privately?

However you can get a quote from your courier company to send to Melbourne, Australia. It should be exactly the same cost to send a parcel anywhere within Melbourne.

earth2004 commented 6 years ago

@shadow-1 Just received my Chinese version Yi Outdoor camera today and couldn't get it to work because of the region lock, and I came across this page. I live in Melbourne and am willing to send you one for testing. Kindly email me at liuwenzheng2004@gmail.com and thank you in advance!

earth2004 commented 6 years ago

@HuipengRen Can you share the transparent http proxy to liuwenzheng2004@gmail.com please?

HuipengRen commented 6 years ago

@earth2004 @mugennam I just put it here, https://github.com/HuipengRen/yihttptunnel

shadow-1 commented 6 years ago

@earth2004 I just sent you an email. Let me know if you are willing to send me a Yi Outdoor 1080p for development purposes.

milanzelenka commented 6 years ago

I would like to contribute to discovering the YI Outdoor via serial, but it looks impossible to open (dismount) the camera without losing its water resistance... :-(

There are no screws (only for the sdcard cover), no hidden screws (under the back-side label). I tried to unfold the join on the perimeter in front, but without success. If you have any idea how to dismount it, please share it...

These YI cameras without this custom (hacked) firmware are just a toy...

jasperpants commented 6 years ago

I'd like to contribute as well. I took a look at the camera when I received it and I think you'd basically have to destroy the case to get in to it. Maybe if there is enough of us chipping in $10 each we can get a sacrificial one to shadow-1.

Koenkk commented 6 years ago

I'm also willing to donate a few $.

@shadow-1 maybe you can start some fund raising for this so you can buy one yourself? (I'm not familiar with this but something like: https://gogetfunding.com/). This will also save on shipping costs because you can get it directly from store.

ultimacarlos commented 6 years ago

I bought the cam without knowing the region block. Have been searching the net on how to open the case and this is the best info I found thus far. https://fccid.io/2AFIB-YHS3017/Internal-Photos/Int-Photos-3558245. Hope this will help to develop the hack for it. Thanks.

deviant77 commented 6 years ago

Looking at those photos, it's obvious that the black cover first needs to be removed to take apart the camera. It looks like the black cover is simply glued in place. You could try heating the edge of the black cover with a heat gun or hair dryer and try to pry and lift it off. Once the black cover is off, the rest looks easy!

ultimacarlos commented 6 years ago

@JustinTrouble You're right. The black cover is glued on the circumference. It can be pried off easily by poking a thin object into the top hole. Be cautious not to push all the way in as there's a film behind the small hole for the light sensor, I guess. Just stick it in enough for prying. Next, you will need a slim and long screwdriver to take off the 4 screws that hold the whole assembly.

milanzelenka commented 6 years ago

I successfully opened camera (thanks to @ultimacarlos for link). I used hair dryer and small screwdriver (in the sensor hole) to release front glass...

TTL connected, serial established on speed 115200 8N1. I've captured boot log of original firmware. here: https://pastebin.com/C9AcUJHi

What can I try? Is there any interactive shell to gather some diagnostic data?

milanzelenka commented 6 years ago

Another bootlog with camera powered from original USB cable and adapter (not from UART): https://pastebin.com/DepPb3D8

At the end of bootlog camera was successfully connected to wifi.

jasperpants commented 6 years ago

@milanzelenka were you able to interrupt uboot at all? The youtube video @shadow-1 linked to on Dec-6th starts getting interesting around the 13 minute mark where he changes the boot args and eventually gets root on the camera.

milanzelenka commented 6 years ago

@jasperpants Ctrl-C (or any other key/s) does not work :-( It looks like there is a bootloader timeout set to 0 sec and it's impossible to break it. The kernel starts booting as soon as the UBOOT message is shown.

### UBOOT:test pin high! ###
Hit any key to stop autoboot:  0

What could be interesting is mentioned "test pin". I don't know what it is, maybe some pin on main board which is needed to connect to GND or VCC? I don't see any pin labeled with TEST :-( I'll keep trying...

tiong0526 commented 6 years ago

Has any expert here managed to develop a custom firmware for the outdoor camera?? I bought 2 units and didn't know it was locked for mainland China use only. Many thanks in advance.

HuipengRen commented 6 years ago

54.84.30.91 This is my own DNS server (and transparent HTTP proxy), which is working well for my camera. If you want to have a try you can simply specify the dns server with this IP on your wifi router. Note, I can not guarantee any reliability since it's just a single instance on Amazon EC2.

milanzelenka commented 6 years ago

I've just investigated a little bit about the Yi Outdoor camera and custom firmware. The problem is mainly the u-boot bootloader timeout set to 0. The only way to change it is to rewrite it directly into the env_y30 image and flash it via sdcard. BUT where to get the original env_y30 image?

  1. Directly from flash via some usb programmer, but I don't have any experience with it. Do you?

  2. From the original Yi firmware image downloaded from the Yi support page. Here is a very well described procedure from @shadow-1 to unpack/decode the original firmware to get partition images, but in step 4 we need to investigate more how the rsa_pub_dec script works.

  3. Build the env_y30 image from scratch and flash it. Without backup. Yes, it's crazy, it's a fast way to hell...

Do you have any idea? Any experience with reading flash directly via a USB programmer?
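The bootdelay rewrite described above (option 3, or applied to an image obtained via option 1 or 2) can be done offline once an env image exists. As an added example that is not code from this thread or from yi-hack-v3, the Python below reads and rewrites the standard U-Boot environment layout (4-byte CRC32 over the data area, NUL-separated KEY=VALUE entries terminated by a double NUL, zero padding) while keeping the partition size unchanged. It assumes env_y30 uses that plain layout with a little-endian CRC (the Hi3518e is little-endian ARM) and no redundant-env flag byte, and it runs on a constructed sample rather than a real dump; a CRC mismatch on the real partition means the layout assumption is wrong and nothing should be flashed.

```python
import struct
import zlib

HDR_LEN = 4  # plain layout: CRC32 only; a redundant env would add a 1-byte flags field


def parse_env(img: bytes):
    """Return (crc_ok, entries) for a U-Boot environment image.

    Layout assumed (see lead-in): little-endian CRC32 over everything after the
    header, then "KEY=VALUE\\0" entries ending with an extra NUL, then zero padding.
    """
    stored_crc = struct.unpack("<I", img[:HDR_LEN])[0]
    data = img[HDR_LEN:]
    crc_ok = (zlib.crc32(data) & 0xFFFFFFFF) == stored_crc
    entries = {}
    for raw in data.split(b"\0"):
        if not raw:  # empty field marks the terminating double NUL
            break
        key, _, value = raw.partition(b"=")
        entries[key.decode("ascii")] = value.decode("ascii")
    return crc_ok, entries


def build_env(entries: dict, size: int) -> bytes:
    """Serialise entries into an image of exactly `size` bytes with a valid CRC."""
    body = b"".join(f"{k}={v}".encode("ascii") + b"\0" for k, v in entries.items()) + b"\0"
    room = size - HDR_LEN
    if len(body) > room:
        raise ValueError(f"environment needs {len(body)} bytes, partition holds {room}")
    data = body.ljust(room, b"\0")  # CRC covers the padding too
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF) + data


def set_bootdelay(img: bytes, seconds: int) -> bytes:
    """Rewrite `bootdelay` in a backed-up env image, preserving size and other keys."""
    crc_ok, entries = parse_env(img)
    if not crc_ok:
        raise ValueError("CRC mismatch: not a plain U-Boot env image, or a different layout")
    entries["bootdelay"] = str(seconds)
    return build_env(entries, len(img))


def make_sample_env(size: int = 0x1000) -> bytes:
    """Constructed stand-in for env_y30 (not a real dump): timeout 0, 115200 baud.

    The bootcmd value is a placeholder, not the camera's real boot command.
    """
    return build_env({"bootdelay": "0", "baudrate": "115200",
                      "bootcmd": "run loadkernel"}, size)


if __name__ == "__main__":
    original = make_sample_env()
    patched = set_bootdelay(original, 3)
    print(parse_env(original)[1]["bootdelay"], "->", parse_env(patched)[1]["bootdelay"])
```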

ultimacarlos commented 6 years ago

@milanzelenka would the 2nd method in this link help? http://processors.wiki.ti.com/index.php/Change_U-Boot_bootdelay_setting

shadow-1 commented 6 years ago

@milanzelenka I have been away for a little while and I am starting to catch up. Based on your log files, the Yi Outdoor camera is indeed almost identical to the other cameras I currently support.

I should be able to create a version of yi-hack-v3 which is compatible with the Yi Outdoor with a bit of help from you, as you have access to the camera via the serial port.

Can you post the boot log with a microSD card inserted (it might need to be formatted to FAT32)? The boot log should tell me what the filenames need to be for the custom firmware files to flash successfully. This information only appears if the camera is booted with a formatted microSD card inserted.

Can you post the output from the following command:

cat /proc/cpuinfo

This should confirm exactly what processor is running on the camera. This will tell me which compiler I should use when compiling custom software for the camera.

The most important thing you can do is backup the partitions on your camera. This will allow me to create Recovery images so that it will be possible to go back to stock firmware after experimenting with the camera. In addition, it forms the basis for my custom firmware images.

I start with an unmodified image, then alter it to add the additional features and programs. This allows me to create a firmware image which extends the functionality of the camera whilst still allowing the official Xiaomi smartphone app to work.

To back up the camera's partitions to the microSD card, execute the following commands:

dd if=/dev/mtd0 of=/tmp/sd/mtd0
dd if=/dev/mtd1 of=/tmp/sd/mtd1
dd if=/dev/mtd2 of=/tmp/sd/mtd2
dd if=/dev/mtd3 of=/tmp/sd/mtd3
dd if=/dev/mtd4 of=/tmp/sd/mtd4
dd if=/dev/mtd5 of=/tmp/sd/mtd5
dd if=/dev/mtd6 of=/tmp/sd/mtd6
dd if=/dev/mtd7 of=/tmp/sd/mtd7

This assumes that the microSD card is mounted to /tmp/sd like the other cameras I support.

When you post the partition files (mtd0 to mtd7), I can start work with creating a version of yi-hack-v3 which is compatible with the Yi Outdoor camera.

milanzelenka commented 6 years ago

@shadow-1 Great! Thanks...

Here is boot log with clean SD card inserted: https://pastebin.com/T1TZ1vpp

The problem is there is no way to enter commands. The shell is not executed at the end of system start. I can't break into uboot to change kernel params (because of the 0 timeout). I tried Ctrl-C in combination with the reset button, etc..

shadow-1 commented 6 years ago

@milanzelenka For all the other Yi cameras I played around with, there is no need to login to the camera to access shell. All I ever needed to do is press Enter a few times to see the command line interface prompt. However the Xiaomi programs would constantly write to stdout which makes it very difficult to type commands or read the output from commands.

I had a quick look at your log file and it appears you have already tried pressing Enter a few times, pressing Ctrl-C etc and nothing happened. We might have to backup the partitions on the camera via startup script rather than via shell.

milanzelenka commented 6 years ago

@shadow-1 yes, it seems that the shell is really not started after init... :-( The same behavior if the camera is connected to wifi and after a factory reset.

The RX cable seems to work, because if I disconnect RX, I can't write (I don't see anything written on the console).

You mentioned some startup scripts? What is it?

shadow-1 commented 6 years ago

@milanzelenka What I will do is examine the firmware and see if the camera executes a script from the microSD card.

What I have found is that most Xiaomi cameras execute a script from the microSD card upon bootup (when on stock firmware). However quite often this functionality is disabled during future firmware updates.

If this is the case for the Yi Outdoor, we may be able to back up the partitions without access to the console via serial port.

Your bootup log confirms the filenames required to flash the firmware.

milanzelenka commented 6 years ago

@shadow-1 I had only one old sdcard (2GB) and the camera didn't mount it: checkdisk.c(main-387)[00:00:03.260]:ERROR! TF card space is too small: 1876 MB

Today I bought new 16GB microSD card and now SD is mounted:

checkdisk.c(do_fat_check-140)[00:00:04.259]:Mount sd ok.
checkdisk.c(check_partion_vfat-156)[00:00:04.259]:TF Card check finished.

I tried to make some shell script and copy it to sdcard as /factory_test.sh, /test/factory_test.sh, equip_test.sh, /test/equip_test.sh, etc... but nothing happened. :-(

According to log:

/home/app/init.sh: line 10: /home/app/script/factory_test.sh: not found

It seems that /home/app/script/factory_test.sh, which calls factory_test.sh on the SDcard, is deleted.

When I press the button under SDcard slot, console shows this message:

[CPLD_PERIPH] factory test!

...but nothing will happen.

Are there any other possibilities to back up the partitions? Thanks...

milanzelenka commented 6 years ago

  1. Maybe we could create a completely new HOME partition (from scratch or from another model of camera) which has a modified /home/app/init.sh to start the shell.

  2. Then we would make a backup of the other partitions (except /home).

  3. With this backup, it would be easy to make a modified ENV partition to change the u-boot timeout.

  4. Someone else with the same camera flashes this new ENV partition and makes a backup of HOME.

Result: We have complete backup of this camera model for future development...

@shadow-1 what do you think about this procedure? Are you willing to help me create home partition?

mcafici commented 6 years ago

Hi, I have a "Yi outdoor", and I'm very interested in your work to enable the RTSP server. Do you have any news?

chenkok commented 6 years ago

@shadow-1 hi, my addy is chenkok.chong@gmail.com

neversleepnight commented 6 years ago

Hi, bought a pair and realized its region locked to China. Have we figured out any way to flash the firmware or remove the region lock at all?

RaulSe89 commented 6 years ago

I have 3 Yi outdoor cams and would like to use them with RTSP. I am also very interested in this update.

steven-shi commented 6 years ago

@neversleepnight at the moment, I can only use a proxy to make it run but cannot flash the custom firmware

mikfaina commented 6 years ago

@milanzelenka @shadow-1 any news?

dylangerdaly commented 6 years ago

Well, I'm late to the party! Being bored I've ordered 2 of these devices, let's get RTSP on this thing.

It looks like in the FCC picture there's an 8-pin SOIC flash chip, looks like it could be Winbond? I'll hook this badboy up to my RPi and see if I can dump the entire flash, perhaps we can append init=/bin/sh to the CMDLINE and get a shell over UART (provided there's no Secure Boot / code signing)

Let's get into the firmware and see if [CPLD_PERIPH] factory test! is doing anything silly (Like running scripts on the SD Card)

[Edited] Anyone have a link to the firmware? Would save me REing the Yi APK. Firmware: https://www.yitechnology.com/firmware/index/class/home

dylangerdaly commented 6 years ago

Gah, they've encrypted the firmware, they really don't want people messing around in here

00000000  33 2e 30 2e 30 2e 30 42  5f 32 30 31 37 31 32 31  |3.0.0.0B_2017121|
00000010  31 31 39 33 36 0a 73 aa  1f 9a fe ea 17 76 78 d6  |11936.s......vx.|
00000020  ac a8 f1 a5 61 18 8f 66  b8 3b 9a 57 c6 ce cd c0  |....a..f.;.W....|
00000030  e0 bb 4c 9f 39 64 32 eb  e2 c1 b1 72 12 8f e1 32  |..L.9d2....r...2|
...

No useful strings, binwalk comes up empty.

dylangerdaly commented 6 years ago

According to the APK, it connects to the Camera on 192.168.0.1:4444

        private void b() {
            Message v3;
            this.b = new Socket();
            try {
                this.b.connect(new InetSocketAddress("192.168.0.1", 0xD05), 3000);  // Open Socket on 192.168.0.1:3333
                OutputStream v0_1 = this.b.getOutputStream();
                InputStream v1 = this.b.getInputStream();
                this.b.setSoTimeout(10000);
                this.l = new InputStreamReader(v1, "UTF-8");
                this.k = new BufferedReader(this.l);
                this.m = new OutputStreamWriter(v0_1, "UTF-8");
                this.j = new BufferedWriter(this.m);
                this.j.write("{\"method\": \"dev_type_req\"}\r\n");
                this.j.flush();
                this.c = this.k.readLine();
                this.c = this.c.trim();
                AntsLog.d("UpdateFirmwareTcpService", "receive step 0 ThreadTcpMsg = " + this.c);
                this.d = new com.ants360.yicamera.bean.b.b(this.c);
                int v2 = this.d.c();
                AntsLog.d("UpdateFirmwareTcpService", "receive Method = " + this.d.b() + " DevType=" + v2);
                if(v2 == -1) {
                    goto label_197;
                }

                UpdateFirmwareTcpService.a(this.a, this.a.a("", "") + "/update");
                AntsLog.d("UpdateFirmwareTcpService", "filePath=" + this.g);
                UpdateFirmwareTcpService.a(this.a, this.a(new File(this.g), this.a.a("", "") + "/update", v2));
                this.f = UpdateFirmwareTcpService.e(this.a).a();
                this.i = p.a(new File(UpdateFirmwareTcpService.e(this.a).b()));
                this.h = String.format("{\"method\": \"file_size_check_req\", \"file_size\": %d,\"file_md5\":\"%s\"}", Long.valueOf(this.f), this.i);
                AntsLog.d("UpdateFirmwareTcpService", "reqFileSizeCheck=" + this.h);
...

Looks like the Application sends a zip to the device in order to update it, I'm getting the device tomorrow, so hopefully they haven't encrypted this firmware.

It's possible to force the app into 'firmware updating mode' via am start

am start -n com.ants360.yicamera.international/com.ants360.yicamera.activity.user.UserBrushUpdateFirmwareActivity

I think we might be able to use the activity above to load modified firmware onto the device:

05-07 20:49:45.757 12189 12189 D UpdateFirmwareTcpService: onCreate
05-07 20:49:45.757 12189 12189 D UpdateFirmwareTcpService: onBind filePath=
05-07 20:49:45.794 12189 13502 D UpdateFirmwareTcpService: interruptTcpQuery name =Thread-75
05-07 20:49:45.794 12189 13502 D UpdateFirmwareTcpService: ThreadTcpQuery initialize
05-07 20:49:48.804 12189 13502 D UpdateFirmwareTcpService: SocketTimeoutException =failed to connect to /192.168.0.1 (port 3333) from /192.168.35.38 (port 37690) after 3000ms

It's 100% trying to connect to 192.168.0.1:3333 or 4444

Can anyone see if the device has a 2nd IP @ 192.168.0.1?