shadow-1 / yi-hack-v3

Alternative Firmware for Xiaomi Cameras based on Hi3518e Chipset
GNU General Public License v3.0

Is there any plan for Chinese version of YI Outdoor Camera? #82

Open HuipengRen opened 6 years ago

dylangerdaly commented 6 years ago

If it is listening on 192.168.0.1:3333 you should be able to start POSTing JSON stuff at it.

batrarobin commented 6 years ago

There might be some useful info in this thread with regard to extracting encrypted firmware image: https://github.com/shadow-1/yi-hack-v3/issues/23

dylangerdaly commented 6 years ago

It looks like he's extracting a jffs2 image; however, the firmware for this device appears to be encrypted. I'm waiting on my gear to arrive so I can extract the firmware directly from the SPI Flash (MX25L12835F).

Once there, we can trawl thru binaries and see what they're doing, maybe executing something on a flash card.

dylangerdaly commented 6 years ago

I can confirm it's 100% encrypted firmware

...
1+0 records in
1+0 records out
22 bytes (22B) copied, 0.001782 seconds, 12.1KB/s
Hisilicon Media Memory Zone Manager
Load hi_cipher.ko success.
1+0 records in
1+0 records out
22 bytes (22B) copied, 0.000359 seconds, 59.8KB/s
83017+1 records in
83017+1 records out
1826384 bytes (1.7MB) copied, 1.761122 seconds, 1012.8KB/s
1+0 records in
1+0 records out
1344 bytes (1.3KB) copied, 0.000397 seconds, 3.2MB/s
1357+1 records in
1357+1 records out
1825040 bytes (1.7MB) copied, 0.058107 seconds, 30.0MB/s
encrypt file is enc_key, and save decrypt file to dec_enc_key

prepare: open read and write files
crypt start
update
27666+1 records in
27666+1 records out
1825998 bytes (1.7MB) copied, 0.577843 seconds, 3.0MB/s
1+0 records in
1+0 records out
33 bytes (33B) copied, 0.000348 seconds, 92.6KB/s
1+0 records in
1+0 records out
33 bytes (33B) copied, 0.000359 seconds, 89.8KB/s
1+0 records in
1+0 records out
22 bytes (22B) copied, 0.000348 seconds, 61.7KB/s
is not
is not
update new file home/homever
/tmp/update
...

Monitoring UART while upgrading firmware.

dylangerdaly commented 6 years ago

@shadow-1 are you compiling the kernel as well as the new jefferson file system? Or just a new file system?

There are 2 ways the device is using the SD Card

Way 1

The device is using the SD Card as a method to upgrade the firmware

...
checkdisk

umount -l /tmp/sd
mount /dev/mmcblk0p1 /tmp/sd
#rm /tmp/sd/record/*.tmp
rm /tmp/sd/*.REC
find /tmp/sd/record -name "*.tmp" -exec rm {} \;

if [ -f /tmp/sd/home_h30m ]; then
    himm 0x2013002c 0
    dd if=/tmp/sd/home_h30m of=/tmp/newver bs=22 count=1
    newver=$(cat /tmp/newver)
    curver=$(cat /home/homever)
    if [ $newver != $curver ]; then
        insmod /home/base/mmz.ko mmz=anonymous,0,0x82200000,30M anony=1 || report_error
        insmod /home/base/hi_cipher.ko
        mkdir /tmp/update
        cp -rf /home/base/tools/extpkg.sh /tmp/update/extpkg.sh
        /tmp/update/extpkg.sh /tmp/sd/home_h30m
        rm /tmp/update -rf
        echo "update finish"
        reboot
    fi
fi
...

Way 2

The device is checking for wpa_factory_test.conf

...
  if ( !access("/tmp/sd/wpa_factory_test.conf", 0) )
  {
    memset(&s, 0, 0x200u);
    *(_DWORD *)(dword_1C2A8 + 1272) = 0;
    snprintf(&s, 0x200u, "cp %s /tmp/wpa_supplicant.conf", "/tmp/sd/wpa_factory_test.conf", v37);
    system_cmd(&s);
  }
...

With UBoot it should be possible to byte patch the countdown to something hard coded however I don't see this as a proper fix, people shouldn't need anything more than UART.

...
  v1 = sub_8081452C((int)&unk_8082C29C, &unk_80827A46);
  sub_808153F8(v1);
  v2 = (_BYTE *)sub_808145A0(0x8082CAD5);
  v4 = (int)v2;
  if ( v2 )
    v4 = sub_8081C704(v2, 0, 10, v3);
  v5 = sub_808145A0(0x8082A2DE);
  v6 = v5;
  if ( v5 )
    v6 = 1;
  if ( v4 < 0 )
    v6 = 0;
  v7 = v5;
  if ( v6 )
  {
    print_uart("Hit any key to stop autoboot: %2d ", v4);
    if ( sub_80815B00() )
    {
      v9 = sub_80815ADC();
      print_uart((const char *)&unk_8082CB02, v9);
      sub_80815B54(-2138911993);
      v8 = v9 == 33;
    }
...

dylangerdaly commented 6 years ago

FYI, this is uboot code for the specific chip set running on the camera, hypothetically, we should be able to compile this and replace it on the camera.

https://github.com/49handyman/u-boot-hi3518ev200

dylangerdaly commented 6 years ago

Update - It works!

It works!

Using an RPi, I was able to replace the old jffs2 file system with @shadow-1's hacked version and it appears to be working correctly.

root@192.168.35.70's password: 
Welcome to HiLinux.
~ # id
-sh: id: not found
~ # echo lol
lol
~ # ls
~ # cd /ls
-sh: cd: can't cd to /ls
~ # cd /
/ # ls
bin      dev      etc      home     lib      linuxrc  mnt      proc     root     sbin     sdcard   sys      tmp      usr      var
/ # ps
PID   USER     TIME   COMMAND
    1 root       0:00 init
    2 root       0:00 [kthreadd]
    3 root       0:00 [ksoftirqd/0]
    4 root       0:00 [kworker/0:0]
    5 root       0:00 [kworker/u:0]
    6 root       0:00 [khelper]
    7 root       0:00 [kworker/u:1]
   88 root       0:00 [sync_supers]
   90 root       0:00 [bdi-default]
   91 root       0:00 [kintegrityd]
   93 root       0:00 [kblockd]
  103 root       0:00 [khubd]
  105 root       0:00 [kusbotg]
  199 root       0:00 [kswapd0]
  251 root       0:00 [fsnotify_mark]
  264 root       0:00 [crypto]
  316 root       0:00 [romblock0]
  319 root       0:00 [mtdblock0]
  324 root       0:00 [romblock1]
  327 root       0:00 [mtdblock1]
  332 root       0:00 [romblock2]
  335 root       0:00 [mtdblock2]
  340 root       0:00 [romblock3]
  343 root       0:00 [mtdblock3]
  348 root       0:00 [romblock4]
  351 root       0:00 [mtdblock4]
  356 root       0:00 [romblock5]
  359 root       0:00 [mtdblock5]
  364 root       0:00 [romblock6]
  367 root       0:00 [mtdblock6]
  372 root       0:00 [romblock7]
  375 root       0:00 [mtdblock7]
  398 root       0:00 [cfinteractive]
  403 root       0:00 [kworker/0:1]
  412 root       0:00 [deferwq]
  413 root       0:00 [jffs2_gcd_mtd4]
  427 root       0:00 udevd --daemon
  431 root       0:00 udevd --daemon
  484 root       0:00 udevd --daemon
  660 root       0:01 [jffs2_gcd_mtd5]
  743 root       0:10 [RtmpTimerTask]
  744 root       0:01 [RtmpMlmeTask]
  745 root       0:00 [RtmpCmdQTask]
  746 root       0:00 [RtmpWscTask]
  749 root       0:00 ./log_server
  750 root       0:03 ./dispatch
  928 root       4:44 ./rmm
  939 root       0:00 ./mp4record
  942 root       0:00 ./oss
  943 root       0:00 ./watch_process
  953 root       0:00 [hidog]
  987 root       0:00 lwsws -D
  988 root       0:00 lwsws -D
 1005 root       0:00 pure-ftpd (SERVER)
 1022 root       0:00 dropbear -R
 1049 root       0:00 /home/base/tools/wpa_supplicant -c/tmp/wpa_supplicant.conf -g/var/run/wpa_supplicant-global -iwlan0 -B
 1094 root       0:00 ./arp_test
 1099 root       0:00 /sbin/udhcpc -i wlan0 -b -s /home/app/script/default.script -x hostname yi-hack-v3
 1139 root       0:00 ./cloud
 1141 root       0:10 ./p2p_tnp
 1949 root       0:01 dropbear -R
 1967 root       0:00 -sh
 1975 root       0:00 [flush-mtd-unmap]
 2658 root       0:00 ps

Even more interestingly, it remembered my NV Data, so it connected to my WiFi and even shows up in the App.

Looks like the camera itself works perfectly, I'll update in the coming days!

It looks like the Yi 1080p Home is using the exact same SoC, meaning all of the pinout for the camera, LEDs etc. are the exact same. This is why it's working.

fredyagu commented 6 years ago

Hi, @dylangerdaly , what is RPi? Can you make a tutorial how to do it?

dylangerdaly commented 6 years ago

@shadow-1 I do appear to be having issues with rootfs tho, it will randomly get stuck at boot

            _ _ _ _ _ _ _ _ _ _ _ _
            \  _  _   _  _ _ ___
            / /__/ \ |_/
           / __   /  -  _ ___
          / /  / /  / /
  _ _ _ _/ /  /  \_/  \_ ______
___________\___\__________________

[RCS]: /etc/init.d/S00devs
[RCS]: /etc/init.d/S01udev
usb 1-1: new high-speed USB device number 2 using hiusb-ehci
himci: mmc1: valid phase shift [5, 3] Final Phase 0
mmc1: new ultra high speed SDR104 SDHC card at address 0007
mmcblk0: mmc1:0007 SD32G 29.1 GiB 
Not recognise ACTION:change
 mmcblk0: p1
usbdev11 -> /dev/usbdev1.2
rm: can't remove '/sbin/reboot': No such file or directory
exFAT: Version 1.2.9
vm.dirty_background_ratio = 2
vm.dirty_ratio = 2
vm.dirty_writeback_centisecs = 100
vm.dirty_expire_centisecs = 500
fs.mqueue.msg_max = 256

And it doesn't seem to continue on, but then other times it will

dylangerdaly commented 6 years ago

@shadow-1 did you remove RTSP Server? The cloud and cloud-api binaries look so much like backdoored malware; my goal is to turn this device into a dumb RTSP Streamer Cam

dylangerdaly commented 6 years ago

@fredyagu you'll need a RPi3 and a SOIC8 clip, then you'll need to tear the device down, trying to see if we can maybe mess around with the updater.

But I'm 2 Piña Coladas in 🍸, tomorrow I'll see if it's possible to mess with the updater (Create an OTA that doesn't care about encryption / isn't encrypted)

@shadow-1 seems to be software related, creating my own jffs2 images is successful

After resoldering

[+] Launching Dropbear...
dropbear: can't load library 'libutil.so.0'

Absolutely Sucks...

At least I had it execute off the SD-Card

echo "[+] Launching Dropbear..."
dropbear -R

# If Dropbear Doesn't Work, have a 2nd way in
if [ -f /tmp/sd/fuck_sakes.sh ]; then
    echo "[!] Fuck Sakes Detected... Running Script on SD-Card..."
    export LD_LIBRARY_PATH=/tmp/sd/lib:$LD_LIBRARY_PATH
    export PATH=/tmp/sd/bin:$PATH
    /tmp/sd/fuck_sakes.sh
fi

dylangerdaly commented 6 years ago

Lol okay, I'm an idiot

On the SD-Card:

System startup
=========1
hello, open console

 do_auto_sd_update: detect flash size: 0x1000000, gsdexist=1 
Interface:  MMC
  Device 0: Vendor: Man 275048 Snr 01ce14b1 Rev: 3.0 Prod: SD32G
            Type: Removable Hard Disk
            Capacity: 29800.0 MB = 29.1 GB (61030400 x 512)
Partition 1: Filesystem: FAT32 "NO NAME    "
      190   fuck_sakes.sh 
            lib/
            record/
            bin/
   962448   rootfs_h30 
    41472   log_first_login.tar.gz 
    36864   log_wifi_connected.tar.gz 
  7696000   home_h30 

5 file(s), 3 dir(s)

1: fuck_sakes.sh!
2: rootfs_h30!
 find index 4: rootfs_h30 

3: log_first_login.tar.gz!
4: log_wifi_connected.tar.gz!
5: home_h30!
 find index 5: home_h30 

u-boot_h30 not found!

env_h30 not found!

conf_h30 not found!

kernel_h30 not found!
reading rootfs_h30

magic 0x27051956 0x27051956 
arch 0x2 0x2 
size 0xeaf50 0x40 
type 0x7 0x2 
crc 0xffe70a37 
name 0.1.5-hi3518-rootfs 
idx4: old : 59a7a584, new : 5a3f82a0
reading rootfs_h30
update finished, calc crc star...
Erase env area success!
reading home_h30

magic 0x27051956 0x27051956 
arch 0x2 0x2 
size 0x756e40 0x40 
type 0x7 0x2 
crc 0xbb15f81f 
name 0.1.5-hi3518-home 
idx5: old : 59e02d01, new : 5a3f82af
reading home_h30

It's possible to load @shadow-1's images just by renaming home_y20 to home_h30 and rootfs_y20 to rootfs_h30

No need to open the device up
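The `magic`, `arch`, `size`, `type`, `crc` and `name` lines in the update log above are the fields of a legacy U-Boot uImage header, which carries CRC32 checksums but no signature. The following parser is an added example, not code from the thread or the project; it assumes the standard 0x40-byte big-endian header layout, which fits the log (0xeaf50 + 0x40 is the 962448-byte `rootfs_h30` in the listing), and its function names and sample image are constructed for illustration.

```python
import struct
import zlib
from dataclasses import dataclass

IH_MAGIC = 0x27051956                  # "magic 0x27051956" in the log
HEADER = struct.Struct(">7I4B32s")     # big-endian, 0x40 bytes in total
IH_ARCH = {2: "ARM"}                   # "arch 0x2"
IH_TYPE = {2: "kernel", 7: "filesystem"}   # first "type" column is 0x7


@dataclass
class UImageHeader:
    magic: int
    hcrc: int
    time: int
    size: int
    load: int
    ep: int
    dcrc: int
    os: int
    arch: int
    type: int
    comp: int
    name: str


def parse_header(blob: bytes) -> UImageHeader:
    if len(blob) < HEADER.size:
        raise ValueError("file is shorter than the 0x40-byte header")
    *fields, raw_name = HEADER.unpack_from(blob)
    name = raw_name.split(b"\0", 1)[0].decode("ascii", "replace")
    return UImageHeader(*fields, name)


def check_image(blob: bytes) -> list:
    """Return the problems found; an empty list means every check passed."""
    try:
        hdr = parse_header(blob)
    except ValueError as exc:
        return [str(exc)]
    if hdr.magic != IH_MAGIC:
        return ["bad magic 0x%08x" % hdr.magic]
    problems = []
    # The header CRC covers the 64 header bytes with the hcrc field zeroed.
    zeroed = blob[:4] + b"\0" * 4 + blob[8:HEADER.size]
    if zlib.crc32(zeroed) != hdr.hcrc:
        problems.append("header CRC mismatch")
    payload = blob[HEADER.size:]
    if len(payload) != hdr.size:
        problems.append("size field 0x%x != payload length 0x%x"
                        % (hdr.size, len(payload)))
    elif zlib.crc32(payload) != hdr.dcrc:
        problems.append("data CRC mismatch")
    return problems


def build_sample(payload: bytes, name: str, timestamp: int) -> bytes:
    """Constructed test image, not real firmware: OS 5 (Linux), ARM, filesystem."""
    def pack(hcrc: int) -> bytes:
        return HEADER.pack(IH_MAGIC, hcrc, timestamp, len(payload), 0, 0,
                           zlib.crc32(payload), 5, 2, 7, 0, name.encode("ascii"))
    return pack(zlib.crc32(pack(0))) + payload


if __name__ == "__main__":
    # Timestamp reuses the "new :" value from the log; reading that value as
    # the header timestamp is an assumption.
    image = build_sample(bytes(range(64)), "0.1.5-hi3518-rootfs", 0x5A3F82A0)
    hdr = parse_header(image)
    print(hdr.name, IH_ARCH.get(hdr.arch), IH_TYPE.get(hdr.type), hex(hdr.size))
    print(check_image(image) or "all checks passed")
```

The checks catch corruption only: nothing in this header identifies who built the image or which model it targets.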

dylangerdaly commented 6 years ago

I wouldn't recommend doing this yet as we're stopping randomly at boot, once fixed, supporting the 1080p camera will be ezpz!

hiwing15 commented 6 years ago

@dylangerdaly Keep up the great work! I also bought a few yi outdoor cameras only to find they were region locked to China! I’m hoping the hacked version will allow for region unlocking. Thanks again guys

mikfaina commented 6 years ago

Thanks @dylangerdaly for your work. I'll keep following this thread. @shadow-1 seems missing in action?

dylangerdaly commented 6 years ago

What were you guys after? Just being able to use it in China? I can't really debug / test because I don't have a Chinese Version, if the firmware is the same, then I'd say that flag would be somewhere in NV RAM (Where the WiFi Credentials, MAC Address and Yi Device Keys Live)

Or they're being smart about it and locking a device key to a region on the server side.

dispatch.c(main-4529)[00:01:56.664]:hw_type(2)

dispatch.c(get_config-1123)[00:01:59.237]:got sn(xxx)

dispatch.c(get_config-1124)[00:01:59.239]:got pwd(xxx)

dispatch.c(get_config-1125)[00:01:59.241]:got ssid(xxx)

dispatch.c(get_config-1126)[00:01:59.242]:got tnp_init_string(xxx)

dispatch.c(choose_server-623)[00:01:59.362]:in choose_server, region_id = 17, api_server = https://api.us.xiaoyi.com, sname = familymonitor-h30, dlproto = mius

dispatch.c(choose_server-623)[00:01:59.365]:in choose_server, region_id = 16, api_server = https://api.eu.xiaoyi.com, sname = familymonitor-h30, dlproto = mieu

Notice the Region ID

I'm currently fighting with rtsp2301 trying to get RTSP Enabled on this, looks like dispatch and rmm are required to be up.

Right now I'm at a point where all Xiaomi spyware binaries are no longer booting up and I have telnet

→ telnet 192.168.35.70                                                                                                                                                                      
Trying 192.168.35.70...
Connected to 192.168.35.70.
Escape character is '^]'.

(none) login: root
Password: 
Welcome to HiLinux.
~ # 
~ # ops
-sh: ops: not found
~ # ps
PID   USER     TIME   COMMAND
-- snip --
  784 root       0:00 /home/base/tools/wpa_supplicant -c/tmp/wpa_supplicant.conf -g/var/run/wpa_supplicant-global -iwlan0 -B
  804 root       0:00 /sbin/udhcpc -i wlan0 -b -s /home/app/script/default.script
  971 root       0:00 [flush-mtd-unmap]
  975 root       0:00 busybox telnetd
  979 root       0:00 [hidog]
 1003 root       0:00 -sh
 1004 root       0:00 ps

dylangerdaly commented 6 years ago

Dispatch

Responsible for:

FD List:

dr-x------    2 root     root             0 Jan 19 06:41 .
dr-xr-xr-x    7 root     root             0 Jan  1  1970 ..
lrwx------    1 root     root            64 Jan 19 06:41 0 -> /dev/pts/0
lrwx------    1 root     root            64 Jan 19 06:41 1 -> /dev/pts/0
lrwx------    1 root     root            64 Jan 19 06:41 10 -> /tmp/mmap.info
lrwx------    1 root     root            64 Jan 19 06:41 11 -> socket:[1008]
lrwx------    1 root     root            64 Jan 19 06:41 12 -> /dev/cpld_periph
lrwx------    1 root     root            64 Jan 19 06:41 13 -> /dev/ssp
lrwx------    1 root     root            64 Jan 19 06:41 2 -> /dev/pts/0
lrwx------    1 root     root            64 Jan 19 06:41 3 -> /ipc_dispatch
lrwx------    1 root     root            64 Jan 19 06:41 4 -> /ipc_rmm
lrwx------    1 root     root            64 Jan 19 06:41 5 -> /ipc_cloud
lrwx------    1 root     root            64 Jan 19 06:41 6 -> /ipc_p2p
lrwx------    1 root     root            64 Jan 19 06:41 7 -> /ipc_rcd
lrwx------    1 root     root            64 Jan 19 06:41 8 -> /ipc_rtmp
lrwx------    1 root     root            64 Jan 19 06:41 9 -> /ipc_dispatch_worker

RMM

Responsible for:

FD List:

lrwx------    1 root     root            64 May 15 12:01 0 -> /dev/pts/0
lrwx------    1 root     root            64 May 15 12:01 1 -> /dev/pts/0
lrwx------    1 root     root            64 May 15 12:01 10 -> /dev/ai
lrwx------    1 root     root            64 May 15 12:01 11 -> /dev/mem
lrwx------    1 root     root            64 May 15 12:01 12 -> /dev/aenc
lrwx------    1 root     root            64 May 15 12:01 13 -> /dev/mmz_userdev
lrwx------    1 root     root            64 May 15 12:01 14 -> /dev/ao
lrwx------    1 root     root            64 May 15 12:01 15 -> /dev/adec
lr-x------    1 root     root            64 May 15 12:01 16 -> /dev/isp_dev
lr-x------    1 root     root            64 May 15 12:01 17 -> /dev/isp_dev
lrwx------    1 root     root            64 May 15 12:01 18 -> /dev/i2c-0
lr-x------    1 root     root            64 May 15 12:01 19 -> /dev/vi
lrwx------    1 root     root            64 May 15 12:01 2 -> /dev/pts/0
lr-x------    1 root     root            64 May 15 12:01 20 -> /dev/vi
lr-x------    1 root     root            64 May 15 12:01 21 -> /dev/vpss
lr-x------    1 root     root            64 May 15 12:01 22 -> /dev/vpss
lr-x------    1 root     root            64 May 15 12:01 23 -> /dev/vpss
lr-x------    1 root     root            64 May 15 12:01 24 -> /dev/vpss
lrwx------    1 root     root            64 May 15 12:01 25 -> /dev/venc
lrwx------    1 root     root            64 May 15 12:01 26 -> /dev/venc
lrwx------    1 root     root            64 May 15 12:01 27 -> /dev/venc
lrwx------    1 root     root            64 May 15 12:01 28 -> /dev/venc
lrwx------    1 root     root            64 May 15 12:01 29 -> /dev/venc
lrwx------    1 root     root            64 May 15 12:01 3 -> /ipc_dispatch
lr-x------    1 root     root            64 May 15 12:01 30 -> /dev/rgn
lrwx------    1 root     root            64 May 15 12:01 4 -> /ipc_rmm
lrwx------    1 root     root            64 May 15 12:01 5 -> /dev/cpld_periph
lrwx------    1 root     root            64 May 15 12:01 6 -> /dev/ssp
lrwx------    1 root     root            64 May 15 12:01 7 -> /dev/vb
lrwx------    1 root     root            64 May 15 12:01 8 -> socket:[1153]
lrwx------    1 root     root            64 May 15 12:01 9 -> /dev/sys

dylangerdaly commented 6 years ago

Anyone have a gdbserver compiled that runs on this chipset?

sachin427 commented 6 years ago

@dylangerdaly I don't know about others but I would like to use the Chinese version camera outside of China, on the english version of the app.

hiwing15 commented 6 years ago

As I bought these cameras directly from china, I'm hoping to use them outside of China too. I tried them only to be greeted with the message " this camera can only be used in china"

batrarobin commented 6 years ago

Once you have extracted the original firmware, incorporating @shadow-1 's Proxychains-ng (Region unblock) shouldn't be too hard. He has provided the step by step procedure here:

https://github.com/shadow-1/yi-hack-v3/issues/23

dylangerdaly commented 6 years ago

There's also a DID (Serial Number like thing), from the DID dispatch chooses what server you connect to (US, EU or China), it may be possible to just change the DID, or patch dispatch to always choose EU or US.

int __fastcall judge_did(int a1, int a2)
{
  int v2; // r3
  signed int v3; // r7
  int v4; // r6
  int v5; // r5
  int v6; // r0
  int v7; // r3
  int v9; // r3
  int v10; // r3
  int v11; // r3
  int v12; // r3
...
  v6 = choose_langue_by_local_did();
  v7 = dword_1C2A8;
  *(_DWORD *)(v5 + 8) = v6;
  *(_DWORD *)(v7 + 1056) = v3;
  return choose_server(v4);
}

int __fastcall choose_server(int a1)
{
  int v1; // r8
  int v3; // r0
  int v4; // r1
  int v5; // r2
  int v6; // r3
  const char *v7; // r4
  int v8; // r0
  int v9; // r1
  char v10; // [sp+10h] [bp-120h]
  int v11; // [sp+14h] [bp-11Ch]
  int v12; // [sp+18h] [bp-118h]
  int v13; // [sp+1Ch] [bp-114h]
  __int16 v14; // [sp+20h] [bp-110h]
  int v15; // [sp+50h] [bp-E0h]
  char v16; // [sp+54h] [bp-DCh]
  char s; // [sp+90h] [bp-A0h]

  v1 = a1;
  memset(&s, 0, 0x80u);
  memset(&v10, 0, 0x40u);
  memset(&v15, 0, 0x40u);
  switch ( v1 )
  {
    case 2:
      strcpy(&s, "http://familymonitor-interface-test.mi-ae.com.sg");
      strcpy(&v10, "familymonitor-h30");
      v15 = 7567201;
      break;
    case 3:
    case 4:
    case 5:
    case 6:
    case 7:
    case 8:
    case 9:
      strcpy(&s, "https://api.xiaoyi.com.tw");
      strcpy(&v10, "familymonitor-h30");
      v15 = 7567201;
      break;
    case 10:
    case 11:
    case 12:
    case 13:
    case 14:
    case 15:
    case 16:
      strcpy(&s, "https://api.eu.xiaoyi.com");
      v7 = "mieu";
      v3 = *(_DWORD *)"familymonitor-h30";
      v4 = *(_DWORD *)"lymonitor-h30";
      v5 = *(_DWORD *)"nitor-h30";
      v6 = *(_DWORD *)"r-h30";
      goto LABEL_6;
    case 17:
      strcpy(&s, "https://api.us.xiaoyi.com");
      v3 = *(_DWORD *)"familymonitor-h30";
      v4 = *(_DWORD *)"lymonitor-h30";
      v5 = *(_DWORD *)"nitor-h30";
      v6 = *(_DWORD *)"r-h30";
      v7 = "mius";
LABEL_6:
      *(_DWORD *)&v10 = v3;
      v11 = v4;
      v12 = v5;
      v13 = v6;
      v8 = *(_DWORD *)v7;
      v9 = *((_DWORD *)v7 + 1);
      strcpy((char *)&v14, "0");
      v15 = v8;
      v16 = v9;
      break;
    default:
      strcpy(&s, "https://api.xiaoyi.com");
      strcpy(&v10, "familymonitor-h30");
      strcpy((char *)&v15, "micn");
      break;
  }
  dump_string((unsigned int)&unk_11D84);
  memset((void *)(dword_1C2A8 + 12), 0, 0x80u);
  memset((void *)(dword_1C2A8 + 268), 0, 0x40u);
  memset((void *)(dword_1C2A8 + 332), 0, 0x40u);
  snprintf((char *)(dword_1C2A8 + 12), 0x80u, (const char *)&unk_11D28, &s, v1, &s, &v10, &v15);
  snprintf((char *)(dword_1C2A8 + 268), 0x40u, (const char *)&unk_11D28, &v10);
  return snprintf((char *)(dword_1C2A8 + 332), 0x40u, (const char *)&unk_11D28, &v15);
}

It wouldn't be hard to patch the function judge_did() to call choose_server() with a static switch.
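For auditing which cloud endpoint a camera selects, the `choose_server()` switch above can be cross-checked against the `dispatch.c(choose_server-623)` log lines. This is an added example, not code from the thread or the project: the function names are hypothetical, the first two sample lines are the ones quoted earlier in the thread and the third is constructed, and the table is transcribed from the decompiled switch, including the constant 7567201, which is the little-endian encoding of the string "aws".

```python
import re
from urllib.parse import urlsplit

# Log format as printed by dispatch.c(choose_server-623) in the thread.
LINE = re.compile(
    r"choose_server-\d+\)\[[\d:.]+\]:in choose_server, "
    r"region_id = (?P<region>\d+), api_server = (?P<api>\S+), "
    r"sname = (?P<sname>[^,\s]+), dlproto = (?P<dlproto>\w+)")


def decode_dword(value: int) -> str:
    """The decompiler shows short strings as little-endian integers."""
    return value.to_bytes(4, "little").rstrip(b"\0").decode("ascii")


# (first region_id, last region_id, api_server, dlproto) per switch case.
SWITCH = [
    (2, 2, "http://familymonitor-interface-test.mi-ae.com.sg",
     decode_dword(7567201)),
    (3, 9, "https://api.xiaoyi.com.tw", decode_dword(7567201)),
    (10, 16, "https://api.eu.xiaoyi.com", "mieu"),
    (17, 17, "https://api.us.xiaoyi.com", "mius"),
]
DEFAULT = ("https://api.xiaoyi.com", "micn")   # the switch's default branch


def expected(region_id: int):
    """Return (api_server, dlproto) the decompiled switch yields."""
    for first, last, api, dlproto in SWITCH:
        if first <= region_id <= last:
            return api, dlproto
    return DEFAULT


def audit(log_text: str) -> list:
    """One finding per choose_server line: host, TLS use, match with switch."""
    findings = []
    for m in LINE.finditer(log_text):
        region = int(m["region"])
        url = urlsplit(m["api"])
        findings.append({
            "region_id": region,
            "host": url.hostname,
            "tls": url.scheme == "https",
            "matches_switch": (m["api"], m["dlproto"]) == expected(region),
        })
    return findings


def egress_hosts(findings: list) -> list:
    """Hosts to cover in firewall or DNS policy for this device."""
    return sorted({f["host"] for f in findings})


SAMPLE_LOG = """\
dispatch.c(choose_server-623)[00:01:59.362]:in choose_server, region_id = 17, api_server = https://api.us.xiaoyi.com, sname = familymonitor-h30, dlproto = mius
dispatch.c(choose_server-623)[00:01:59.365]:in choose_server, region_id = 16, api_server = https://api.eu.xiaoyi.com, sname = familymonitor-h30, dlproto = mieu
dispatch.c(choose_server-623)[00:02:10.000]:in choose_server, region_id = 2, api_server = http://familymonitor-interface-test.mi-ae.com.sg, sname = familymonitor-h30, dlproto = aws
"""  # third line is constructed to exercise case 2 of the switch

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
    print(egress_hosts(audit(SAMPLE_LOG)))
```

The `tls` flag is false for the case 2 test endpoint because the decompiled string uses `http://` rather than `https://`.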

milanzelenka commented 6 years ago

@dylangerdaly Thanks for the interesting and useful info. I have the European version of the Yi outdoor cam, but without RTSP it is an absolutely useless toy...

I flashed @shadow-1's version home and rootfs by renaming _y20 to _h30. Boot sometimes freezes after "fs.mqueue.msg_max = 256", sometimes boots up successfully... Do you have any idea why?

            \  _  _   _  _ _ ___
            / /__/ \ |_/
           / __   /  -  _ ___
          / /  / /  / /
  _ _ _ _/ /  /  \_/  \_ ______
___________\___\__________________

[RCS]: /etc/init.d/S00devs
[RCS]: /etc/init.d/S01udev
usb 1-1: new high-speed USB device number 2 using hiusb-ehci
Not recognise ACTION:change
usbdev11 -> /dev/usbdev1.2
rm: can't remove '/sbin/reboot': No such file or directory
exFAT: Version 1.2.9
vm.dirty_background_ratio = 2
vm.dirty_ratio = 2
vm.dirty_writeback_centisecs = 100
vm.dirty_expire_centisecs = 500
fs.mqueue.msg_max = 256

dylangerdaly commented 6 years ago

Yeah this is due to a bug somewhere in @shadow-1's image, try this:

I have images that boot without Yi Applications and give you a Telnet Shell, did you want this?

milanzelenka commented 6 years ago

@dylangerdaly yes! Where can I get these images without yi app? ;-)

dylangerdaly commented 6 years ago

I've hardcoded my wpa_supplicant, let me cp it from the SD Card instead and I'll upload here, gimme 5

feyen commented 6 years ago

Thanks everyone for the hard work. So since firmware is encrypted, there is not much we can do right now to get the outdoor version camera working region-free, correct? I asked because I am just about to purchase a few in two weeks...

dylangerdaly commented 6 years ago

No, I did a chip off attack a few days ago, have firmware, there's essentially no change to firmware however. It depends what you're looking for, we're trying to get RTSP going currently but I have no idea how long that could take.

feyen commented 6 years ago

I actually don't mind using xiaoyi's app. All I want is to use this camera as is in its original function but in Canada. I am going to buy a few from China. So with the current progress, will I be able to flash and get it to work in Canada?

dylangerdaly commented 6 years ago

@milanzelenka try this https://mega.nz/#F!s9wVzZQZ!k6F3p8HcWCoWl-jla2Cxpw

It's getting wpa_supplicant.conf from the root of the SD Card

@feyen If you want, you can be a test, buy one and I'll try byte patch it, no promises tho

milanzelenka commented 6 years ago

@dylangerdaly great! Thanks a lot!

feyen commented 6 years ago

@dylangerdaly thanks, I will post here once I get them. But I am sure lots of users would like to test it out too if you can post the steps here openly to let them try.

hiwing15 commented 6 years ago

@dylangerdaly Yes, I have a few of the Chinese versions of the camera and happy to test too. If you could post step-by-step I'd gladly give it a test.

Thanks a lot

sachin427 commented 6 years ago

@feyen Is the xiaoyi app the Chinese version of the Yi Home app? If so, how do you plan on bypassing the phone number verification they require to setup an account? The Chinese version of the app will not send a verification code to a Canadian number.

mugennam commented 6 years ago

@feyen I just managed to get my china version of the yi outdoor to work. You need to download the china version of the YI app and go into your router and change the DNS to 54.84.30.91.

sachin427 commented 6 years ago

@mugennam Are you using the Chinese version of the Yi Home app, or the one from Play Store?

feyen commented 6 years ago

@sachin427
What I was hoping was that the custom firmware changes the region check to any region you want, no? Then you can download the non-Chinese version of the app to use it.

mugennam commented 6 years ago

@sachin427 http://app.xiaomi.com/details?id=com.ants360.yicamera

I got this redirect link from scanning the barcode on the back of the camera when using the Yi home app from the play store

feyen commented 6 years ago

@dylangerdaly I know someone that has a Canadian (probably international all the same) version of the camera. Do you think we can dump the firmware from that one to flash to the China version of the camera?

sachin427 commented 6 years ago

@mugennam How did you sign up for an account using an international phone number? The Chinese version of the app won't send out a verification code to me.

mugennam commented 6 years ago

@sachin427 make a mi home account with your email and use that to sign in

sachin427 commented 6 years ago

@mugennam interesting—I'll give that a shot. Do you just change the DNS server in your router, or have to use the yihttptunnel instructions provided by @HuipengRen ?

mugennam commented 6 years ago

@sachin427 yep just went into the router settings and changed it there. However it may not be stable cuz when I put in the memory card the camera started to tell me that I was out of region after. Reset the camera again and added another Chinese DNS. Seeing if this is better.

dylangerdaly commented 6 years ago

😟 remember guys, setting your DNS address to some strange Amazon IP isn't great.

sachin427 commented 6 years ago

I think I'm just going to give in and buy the right camera for my region. Had I known there were two versions, I would've never bought the Chinese version to begin with. Thanks for all your responses. Keep up the great work @dylangerdaly

milanzelenka commented 6 years ago

@dylangerdaly Maybe I've just discovered the wheel, but only for info... When I manually start these apps: dispatch, rmm, cloud and p2p_tnp (in this order), all original functions of the camera work well. I can connect with the original mobile app, etc...

RTSP does not work.

/home/app # ./rtsp2301
size of 2RTSP server START
Streaming URL: rtsp://192.168.18.110:554/ch0_0.h264
listen for client connecting...
enSize=16, u32BlkSize=1491840
=============SAMPLE_COMM_VI_SetMipiAttr enWDRMode: 0
[Func]:HI_MPI_ISP_MemInit [Line]:144 [Info]:ISP[0] get Mem info failed!
SAMPLE_COMM_ISP_Init: HI_MPI_ISP_Init failed!
[SAMPLE_COMM_VI_StartIspAndVi]-2087: SAMPLE_COMM_VI_StartIspAndVi: Sensor init failed!
[SAMPLE_VENC_1080P_CLASSIC_RTSP]-304: start vi failed!

RTSP is listening, but nothing is streamed.

dylangerdaly commented 6 years ago

Yeah so this is where I'm currently at, I feel like it should be an easy thing to get going

For reference, you only need dispatch and rmm running, p2p_tnp and cloud will contact Yi's Servers, you just need the shared memory stuff up as well as rmm's init stuff.

@sachin427 good idea, can't go wrong there

ccorderor commented 6 years ago

Hey guys, if there's anything I can help with, just ask. Just received an unlocked camera, not useful without rtsp...

mugennam commented 6 years ago

they must be aware of this thread. having issues connecting with the DNS. prolly going to need to wait until you guys can crack the firmware

HuipengRen commented 6 years ago

The server died two days ago somehow, just restarted it, it should be working now.