MJSXJ14CM camera firmware dump

[Regressor]

I got a Xiaomi C200 camera (MJSXJ14CM) opened it and downloaded a dump from 25vq128 spi nand. It looks like they hardened factory mode. Now it looks like this:

        if [ -f "${MANUFA_DAT}" ];
        then
                rm -rf /tmp/manu_test
                rm -rf ${TMP_BIN}
                rm -rf ${TMP_DAT}
                cp ${MANUFA_BIN} /tmp/
                cp ${MANUFA_DAT} /tmp/
                cd /tmp/
                if [ $RSA_TYPE -eq 1 ];then
                        imi_echo "==============rsa:openssl================="
                        rm -fr md5sum1.txt
                        openssl rsautl -verify -in "${TMP_DAT}" -inkey /mnt/data/data/cfg/public-key.pem -pubin -out md5sum1.txt
                        fact_md5=`md5sum -c md5sum1.txt`
                        if [ "${fact_md5}" = "manu.bin: OK" ] ; then
                                imi_echo "md5 ok"
                                rm -fr ${TMP_BIN}
                                tar -xf "${MANUFA_BIN}" -C /tmp/
                                cd /tmp/manu_test/
                                chmod -R 755 *
                                if [ -f "/tmp/manu_test/manu.sh" ]; then
                                        /tmp/manu_test/manu.sh
                                        if [ $? -ne 0 ]; then
                                                return 1
                                        else
                                                return 0
                                        fi
                                else
                                        return 1
                                fi
                        else
                                imi_echo "md5 fail"
                        fi

So it checks rsa sig before running manu.sh :( I'll try to replace key inside squashfs and check if this helps... Attached dump .bin file (renamed to log)

Xiaomi_c200_dump.log

[Duoslow]

any update ?

[Regressor]

I desoldered flash, downloaded firmware, changed script, uploaded changed firmware and now it allow to run any script. Also I disabled OTA in firmware to prevent firmware update

[faZam-dev]

@Regressor i saw you desoldered flash etc... Apparently you have more experience about flash chip. So i would like to know if my camera is KO or not because after i tested to hack the camera to add rtsp now it startn't. it is impossible to access at the uboot part i think i corrupted the boot part of flash because i have in uart this :

IPL g2cd6de2 D-01 64MB BIST0_0001-OK Load IPL_CUST from NOR offset:00010000 IPL_CUST header failed! Disable MMU and D-cache [HALT]

[danielopereira]

Hello @Regressor, could you share the files you used to flash it? Also if you could give us an help on how to do it, it would be really appreciated, i have same camera, and i would like to integrate it on HA. Thanks

[Regressor]

@Regressor i saw you desoldered flash etc... Apparently you have more experience about flash chip. So i would like to know if my camera is KO or not because after i tested to hack the camera to add rtsp now it startn't. it is impossible to access at the uboot part i think i corrupted the boot part of flash because i have in uart this :

IPL g2cd6de2 D-01 64MB BIST0_0001-OK Load IPL_CUST from NOR offset:00010000 IPL_CUST header failed! Disable MMU and D-cache [HALT]

If you have same camera model just desolder chip and flash Xiaomi_c200_dump.log.

[Regressor]

Hello @Regressor, could you share the files you used to flash it? Also if you could give us an help on how to do it, it would be really appreciated, i have same camera, and i would like to integrate it on HA. Thanks

Currently I stuck on compiling rtsp/drive applications. There was a lack of free time because of work so it stays without any movement for a month or so.

[tovy14]

Hi @Regressor did you get the time to make a how to? I think everyone would appreciate it