telmomarques / xiaomi-360-1080p-hacks

Hacks for the Xiaomi Mi 360 1080p camera (MJSXJ02CM).

Compatibility with Mijia 1080p MJSXJ05CM ? #18

Open Jayah59 opened 4 years ago

Jayah59 commented 4 years ago

Hi !

Is this compatible? I tried downloading tf_recovery.bin to the SD card and flashing, but it did not work and, worse, I think my camera is bricked...

The amber LED is not blinking, it is permanently on, and the camera does not move. Same observation without the SD card.


crckmc commented 4 years ago

Looks like you found out it isn't compatible :)

Try to find the recovery image for your camera type. U-Boot is not overwritten, so it should still be working.

Jayah59 commented 4 years ago

> Looks like you found out it isn't compatible :)
>
> Try to find the recovery image for your camera type. U-Boot is not overwritten, so it should still be working.

Yes indeed 😅

I'm trying to find a recovery image but I'm struggling. I opened a post on the Xiaomi forum, I hope someone can help me (https://c.mi.com/thread-2609368-1-0.html).

I started to disassemble the camera to connect a serial port. As soon as possible, I will solder the serial port and I will post the result.

Thx

Jayah59 commented 4 years ago

Maybe we would like the ARM chip :)

[image: 20191115_224223]

none815 commented 4 years ago

A firmware hack is possible, but requires some tools:

  • CH341A flash programmer
  • SOIC8 clip and some dupont wires
  • Complete device teardown

Basic steps are:

  • Create a flash backup: flashrom -p ch341a_spi -r backup.bin
  • Download the firmware and put it into the same folder.
  • Run this script to patch the backup:
#!/bin/bash
# extract firmware
mkdir -p files
dd if=tf_recovery.img of=files/kernel.bin bs=1 count=2097152
dd if=tf_recovery.img of=files/rootfs.bin bs=1 count=7733248 skip=2097152
dd if=tf_recovery.img of=files/data.bin bs=1 count=6488064 skip=9830400
dd if=backup.bin of=files/vendor.bin bs=1 count=131072 skip=16646144

# patch jffs2 partition
sudo modprobe mtdblock
sudo modprobe mtdram total_size=6336
sudo dd if=files/data.bin of=/dev/mtdblock0 bs=1
mkdir mount
sudo mount -t jffs2 /dev/mtdblock0 mount
echo '#!/bin/sh' | sudo tee -a mount/bin/log_diag_platform.sh
echo '/mnt/sdcard/override.sh' | sudo tee -a mount/bin/log_diag_platform.sh
sudo chmod 755 mount/bin/log_diag_platform.sh
sudo umount mount
rmdir mount
sudo dd if=/dev/mtdblock0 of=files/data.bin bs=1

# update flash backup
mkdir -p out
cp backup.bin -f out/flash.bin
dd if=files/kernel.bin of=out/flash.bin bs=1 count=2097152 seek=327680
dd if=files/rootfs.bin of=out/flash.bin bs=1 count=7733248 seek=2424832
dd if=files/data.bin of=out/flash.bin bs=1 count=6488064 seek=10158080
dd if=files/vendor.bin of=out/flash.bin bs=1 count=131072 seek=16646144
  • Re-flash the modified backup: flashrom -p ch341a_spi -w out/flash.bin
  • Prepare the sdcard script:

/sdcard/override.sh

#!/bin/sh
main() {
  # start telnet
  /mnt/sdcard/busybox telnetd
}

if [ ! -f /tmp/.override ]; then
 touch /tmp/.override
 main
fi
  • Press the reset button (briefly) on the camera to launch the override script.
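The following is an added example, not code from this thread or from the xiaomi-360-1080p-hacks project. It reproduces the carve/splice arithmetic of the dd commands in none815's instructions (same byte offsets and lengths) as a checked routine, so the image can be verified before flashrom writes it: the output must be exactly 16 MiB (the EN25QH128 reported later in this thread), and the U-Boot region (0x000000-0x050000, which the procedure never rewrites) and the vendor partition must be byte-identical to backup.bin. The function names (build_flash, verify_flash, changed_regions, make_sample_images) are mine, and the sample images are constructed stand-ins, not real firmware.

```python
"""Checked equivalent of the 'extract firmware' / 'update flash backup' dd steps.
Added example; not the project's code. Offsets come from the dd commands."""
import os

FLASH_SIZE = 16 * 1024 * 1024
# flash layout: (offset, length) in bytes, taken from the dd seek/count values
UBOOT  = (0,        327680)     # 0x050000 bytes; left untouched by the procedure
KERNEL = (327680,   2097152)
ROOTFS = (2424832,  7733248)
DATA   = (10158080, 6488064)    # JFFS2 partition, the one that gets patched
VENDOR = (16646144, 131072)     # always taken from the backup, never from the image
# tf_recovery.img is kernel | rootfs | data back to back (dd skip values)
IMG_KERNEL, IMG_ROOTFS, IMG_DATA = 0, 2097152, 9830400


def carve(blob, offset, length):
    """Slice a region and refuse short reads (a truncated image would otherwise
    silently produce a short partition)."""
    part = blob[offset:offset + length]
    if len(part) != length:
        raise ValueError(f"short read at {offset:#x}: {len(part)} < {length}")
    return part


def build_flash(backup, recovery, patched_data=None):
    """Return the new 16 MiB image: backup with kernel/rootfs/data overlaid from
    tf_recovery.img (or from the patched data.bin, if given)."""
    if len(backup) != FLASH_SIZE:
        raise ValueError(f"backup is {len(backup)} bytes, expected {FLASH_SIZE}")
    data = patched_data if patched_data is not None else carve(recovery, IMG_DATA, DATA[1])
    if len(data) != DATA[1]:
        raise ValueError("patched data.bin must be exactly the partition size")
    img = bytearray(backup)   # starting from the backup keeps U-Boot and vendor
    for (off, length), part in ((KERNEL, carve(recovery, IMG_KERNEL, KERNEL[1])),
                                (ROOTFS, carve(recovery, IMG_ROOTFS, ROOTFS[1])),
                                (DATA, data)):
        img[off:off + length] = part
    return bytes(img)


def verify_flash(backup, image):
    """Checks to run before 'flashrom -w': size, U-Boot and vendor unchanged.
    Returns a list of problems; an empty list means the image is consistent."""
    problems = []
    if len(image) != FLASH_SIZE:
        problems.append(f"image size {len(image)} != {FLASH_SIZE}")
        return problems
    for name, (off, length) in (("U-Boot", UBOOT), ("vendor", VENDOR)):
        if image[off:off + length] != backup[off:off + length]:
            problems.append(f"{name} region at {off:#x} differs from backup")
    return problems


def changed_regions(backup, image, block=4096):
    """Offsets of 4 KiB blocks that differ between backup and image, to confirm
    that only the kernel/rootfs/data windows were touched."""
    return [i * block for i in range(len(backup) // block)
            if backup[i * block:(i + 1) * block] != image[i * block:(i + 1) * block]]


def make_sample_images():
    """Constructed stand-ins: a zero-filled 'backup' and random 'recovery image'."""
    backup = bytes(FLASH_SIZE)
    recovery = os.urandom(IMG_DATA + DATA[1])   # 16318464 bytes, like the dd totals
    return backup, recovery


if __name__ == "__main__":
    backup, recovery = make_sample_images()
    out = build_flash(backup, recovery)
    print(verify_flash(backup, out) or "ok: U-Boot and vendor intact")
```

After the mtdram/JFFS2 step, pass the patched partition as patched_data (the contents of files/data.bin) and only hand the result to flashrom when verify_flash returns an empty list; changed_regions should then report offsets only between 0x50000 and 0xfe0000.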
none815 commented 4 years ago

The flash chip is located right beside the camera sensor, it is necessary to partially remove the lens:

[image: 71787897-7bf41500-301d-11ea-9097-f03601b45524]

It may happen that the SOIC clip also powers up the camera, which will interfere with the flash programming. One solution is to cut HOLD (pin 7) and VCC (pin 8) to reduce power delivery; this can be done with some dupont wires:

[image: 71787661-0be48f80-301b-11ea-88c6-c3280cfd85d1]

phamthanhtri commented 4 years ago

@Jayah59 Have you successfully hacked MJSXJ05CM yet ? I also want to hack but don't know what to do :)

ahmetikbal commented 4 years ago

@Jayah59 @phamthanhtri @none815 firmware update didn't complete and my MJSXJ05CM bricked. I want to hack with tf_recovery.img file. If you have for 05CM, can you share?

phamthanhtri commented 4 years ago

@ahmetikbal you can use this file to reset camera into stable version (https://drive.google.com/open?id=1ve6XlBEiZebJV6ukJ0Oiu7DePw2JCsWj). I still haven't hacked yet

gurkburk76 commented 4 years ago

Right, so I have version MJSXJ05CM. Could the firmware posted by @phamthanhtri be hacked so telnet can be enabled? At least that would be a start towards getting RTSP working, I guess :)

DaeMonSx commented 4 years ago

Still nothing on the MJSXJ05CM hack? It seems nowadays these are the cameras found in shops.

Fruityski commented 4 years ago

I have managed to un-brick my MJSXJ05CM with https://drive.google.com/file/d/1ve6XlBEiZebJV6ukJ0Oiu7DePw2JCsWj/view

Any update on the hack?

UndeRus commented 4 years ago

> The flash chip is located right beside the camera sensor, it is necessary to partially remove the lens:
>
> [image: 71787897-7bf41500-301d-11ea-9097-f03601b45524]
>
> It may happen that the SOIC clip also powers up the camera, which will interfere with the flash programming. One solution is to cut HOLD (pin 7) and VCC (pin 8) to reduce power delivery; this can be done with some dupont wires:
>
> [image: 71787661-0be48f80-301b-11ea-88c6-c3280cfd85d1]

How did you flash this chip with wires 7 and 8 cut? My programmer didn't detect the chip when these wires were cut.

lucperreau commented 4 years ago

I am also waiting for MJSXJ05CM flash. Don't want to open the camera up. Thanks :)

KhArtNJava commented 3 years ago

> A firmware hack is possible, but requires some tools:
>
>   • CH341A flash programmer
>   • SOIC8 clip and some dupont wires
>   • Complete device teardown
>
> Basic steps are:
>
>   • Create a flash backup: flashrom -p ch341a_spi -r backup.bin
>   • Download the firmware and put it into the same folder.
>   • Run this script to patch the backup:
> #!/bin/bash
> # extract firmware
> mkdir -p files
> dd if=tf_recovery.img of=files/kernel.bin bs=1 count=2097152
> dd if=tf_recovery.img of=files/rootfs.bin bs=1 count=7733248 skip=2097152
> dd if=tf_recovery.img of=files/data.bin bs=1 count=6488064 skip=9830400
> dd if=backup.bin of=files/vendor.bin bs=1 count=131072 skip=16646144
>
> # patch jffs2 partition
> sudo modprobe mtdblock
> sudo modprobe mtdram total_size=6336
> sudo dd if=files/data.bin of=/dev/mtdblock0 bs=1
> mkdir mount
> sudo mount -t jffs2 /dev/mtdblock0 mount
> echo '#!/bin/sh' | sudo tee -a mount/bin/log_diag_platform.sh
> echo '/mnt/sdcard/override.sh' | sudo tee -a mount/bin/log_diag_platform.sh
> sudo chmod 755 mount/bin/log_diag_platform.sh
> sudo umount mount
> rmdir mount
> sudo dd if=/dev/mtdblock0 of=files/data.bin bs=1
>
> # update flash backup
> mkdir -p out
> cp backup.bin -f out/flash.bin
> dd if=files/kernel.bin of=out/flash.bin bs=1 count=2097152 seek=327680
> dd if=files/rootfs.bin of=out/flash.bin bs=1 count=7733248 seek=2424832
> dd if=files/data.bin of=out/flash.bin bs=1 count=6488064 seek=10158080
> dd if=files/vendor.bin of=out/flash.bin bs=1 count=131072 seek=16646144
>   • Re-flash the modified backup: flashrom -p ch341a_spi -w out/flash.bin
>   • Prepare the sdcard script:
>
> /sdcard/override.sh
>
> #!/bin/sh
> main() {
>   # start telnet
>   /mnt/sdcard/busybox telnetd
> }
>
> if [ ! -f /tmp/.override ]; then
>  touch /tmp/.override
>  main
> fi
>   • Press the reset button (briefly) on the camera to launch the override script.

none815, can you please tell us what flash chip is installed in the MJSXJ05CM? As I understand it, it's SPI flash. But what is the series/number of the chip? What's the flash size of that chip?

gmrizzo commented 3 years ago

@none815 I did flash the chip like you suggested but it didn't work properly. Any suggestion what steps are necessary after resetting the camera?

gmrizzo commented 3 years ago

@KhArtNJava

> none815, can you please tell us what flash chip is installed in the MJSXJ05CM? As I understand it, it's SPI flash. But what is the series/number of the chip? What's the flash size of that chip?

I did a little bit of research and the chip seems to be the cFeon Q32B-104HIP, 32Mbit SPI Serial Flash, SOIC-8, also often referenced as EN25Q32B.

https://www.kean.com.au/oshw/WR703N/teardown/EN25Q32B%2032Mbit%20SPI%20Flash.pdf

Does this help?

slock83 commented 3 years ago

Hello everyone,

So I tried @none815 method and it worked well. The flash chip, in my case, was an EN25QH128.

I did a few modifications though: instead of having the script launched by the diagnosis launcher, I modified wifi_start, which allows me to run my script on boot instead of on reset.

I'm still working on getting the current hacks to run, runsvdir doesn't seem to work yet ...

Thanks !

fumanchi commented 3 years ago

Hi slock83,

I am stuck with runsvdir as well... the file itself seems to be there but I always get: "/mnt/sdcard/manu_test/configure_services.sh: line 50: runsvdir: not found", as if the file weren't there... I found the file has been compiled dynamically... It directly depends on:

Shared library: [libc.so.6]
Shared library: [ld-linux-armhf.so.3]

which seems to be fine...

As we are using a newer firmware they might have blocked the system from running binaries from sdcard. what do you think? Have you made any progress?

puuhderbaer commented 3 years ago

Hello everybody,

today my programmer arrived and I managed to successfully flash the SPI flash with the method described by @none815. The cam is powering up correctly and re-setup went fine.

But now I'm stuck with the mentioned override.sh script. telnet is to be run by busybox (/mnt/sdcard/busybox telnetd), right? Can anybody please tell me what I'm missing? Where do I get busybox from?

I can confirm the statement from @slock83, that the MJSXJ05CM (IPC019) has a 16MB Flash EN25QH128, same as in my CMSXJ16A (IPC016).

Thanks in advance!

twosky2000 commented 3 years ago

New busybox would contain runit (runsv/dir). @puuhderbaer busybox can be downloaded here: https://busybox.net/downloads/binaries/1.31.0-defconfig-multiarch-musl/busybox-armv7l

Also I got runit with busybox working:

/mnt/sdcard/busybox --list | awk '/runsv|chpst|svlog|^sv$/' | xargs -I{} ln -sv /mnt/sdcard/busybox /mnt/data/bin/{}

I'm not sure how to make it permanent yet.

Also my MJSXJ05CM uses Camera model 'ipc019' not ipc009, we would have to recompile the mija-framegrabber.

puuhderbaer commented 3 years ago

Thanks a lot @twosky2000! That did the trick. Telnet is up and running. But there is not yet any progress getting rtsp to work on 'ipc019', right?

jandy123 commented 3 years ago

Since I do not have the HW tools required to flash the EEPROM, I was wondering what would happen if I just patch the jffs2 partition as described by @none815 and try to flash via OTA update? Would this work? Has anyone already tried this?

Thanks !

fumanchi commented 3 years ago

Does anybody have experience cross-compiling for that architecture? I have obtained the SDK but have no idea which toolchain to use and so on...

jandy123 commented 3 years ago

Well, could you share the SDK? I managed to cross-compile mosquitto to signal motion detect events to hassio. It's a nuisance, though. I simply used arm-linux-gnueabihf on a standard Ubuntu 18.04 install. Some libraries had to be pulled from the camera to get it to link.

fumanchi commented 3 years ago

> Well, could you share the SDK? I managed to cross-compile mosquitto to signal motion detect events to hassio. It's a nuisance, though. I simply used arm-linux-gnueabihf on a standard Ubuntu 18.04 install. Some libraries had to be pulled from the camera to get it to link.

The SDK is freely available... https://dl.openipc.org/SDK/MStar

jandy123 commented 3 years ago

Thanks ! I see the toolchain sources there.


fumanchi commented 3 years ago

I do so as well, but I do not know what I actually need to compile e.g. the mija-framegrabber... I work on an Ubuntu 16.04 LTS at the moment... A toolchain is a set of compilers (e.g. cc, cxx) and archivers (e.g. ar), but there are no such Linux binaries (ELF binaries for amd64)... Have I missed something? Do we just use our "native" GNU toolchain with the Ubuntu-packaged arm gnu abi for cross compilation? How do we access the hardware? This should be provided by the SDK I posted above, right?

jandy123 commented 3 years ago

Could you please share the SDK and toolchain using e.g. Google Drive? I cannot download them for free from the location you indicated. Then I could have a look at the toolchain.


fumanchi commented 3 years ago

https://drive.google.com/file/d/1DnTe8G4FV4rMuopYFrdX6sx_ZeFv9YMD/view But I do not have access to https://dl.openipc.org/SDK/MStar/MStar-MSC3XX-SDK-toolchain.tgz

jandy123 commented 3 years ago

Thanks for the link, but is this the same as the one from https://dl.openipc.org/SDK/MStar ? File naming suggests otherwise.


fumanchi commented 3 years ago

> Thanks for the link, but is this the same as the one from https://dl.openipc.org/SDK/MStar ? File naming suggests otherwise.

This is all I have got :(

jandy123 commented 3 years ago

Anyways, back to your question, I suppose you mean compile this: https://github.com/crckmc/mija-framegrabber

I understand all steps, but the problem is that I do not have libpthread-2.25 and libc-2.25 on the MJSXJ05CM.

For the rest it should all be doable with the toolchain from https://dl.openipc.org/SDK/MStar and the SDK.

telmomarques commented 3 years ago

Check https://github.com/telmomarques/mija-framegrabber/ The makefile has a target for ipc019 (MJSXJ05CM), the LIBS variable is the shared libraries you need.

fumanchi commented 3 years ago

> Anyways, back to your question, I suppose you mean compile this: https://github.com/crckmc/mija-framegrabber
>
> I understand all steps, but the problem is that I do not have libpthread-2.25 and libc-2.25 on the MJSXJ05CM.

You mean you do not have the headers, aka development files? Shouldn't the API (at least as far as it might be used in the framegrabber sources) be compatible with other GNU platforms (e.g. Linux)?

> For the rest it should all be doable with the toolchain from https://dl.openipc.org/SDK/MStar and the SDK.

Yes... I think we should try to get the toolchain anyhow... the SDK is not helping a lot :(

fumanchi commented 3 years ago

> Check https://github.com/telmomarques/mija-framegrabber/ The makefile has a target for ipc019 (MJSXJ05CM), the LIBS variable is the shared libraries you need.

So we need the shared libraries at compile time :( Are they not available on the cam? At least libpthread.so and librt.so are part of the SDK (arm-linux-gnueabihf)...

telmomarques commented 3 years ago

Yes, they are available on the cam 🙂 Notice on the makefile that the libs for MJSXJ05CM are different; you don't need libpthread or librt for target ipc019.

telmomarques commented 3 years ago

I noticed I still have framegrabber compiled locally for ipc019. So if you want to try it out, I uploaded a new release: https://github.com/telmomarques/mija-framegrabber/releases/tag/temp

jandy123 commented 3 years ago

Well, I've just tried. It compiles and links fine (using libs pulled from the camera), but at runtime it still has a dependency:

framegrabber: can't load library 'libc.so.6'

Any idea ?

telmomarques commented 3 years ago

@jandy123, IPC019 does not use libc (it uses uClibc), so I think you're using the wrong binary. Check my previous message for a compiled framegrabber binary for IPC019.
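The check below is an added example, not code from this thread or from the mija-framegrabber project. It shows how to tell, before copying a cross-compiled binary to the camera, which C library it was linked against, which is the mismatch behind the "framegrabber: can't load library 'libc.so.6'" error above: the binary asks for the glibc loader and libc (ld-linux-armhf.so.3, libc.so.6, the same names fumanchi saw) while IPC019 ships uClibc, as telmomarques notes. The parser reads only the ELF32 program headers and the dynamic section, the same information readelf -l and readelf -d print. The function names are mine; build_fake_elf() produces constructed sample images for the demonstration, which are not runnable binaries and not real camera firmware, and the "uclibc" target string is an assumption based on the thread, not something read from the camera.

```python
"""Which libc does this ARM ELF expect? Added example; not the project's code."""
import struct

PT_LOAD, PT_DYNAMIC, PT_INTERP = 1, 2, 3
DT_NULL, DT_NEEDED, DT_STRTAB, DT_STRSZ = 0, 1, 5, 10
EM_ARM = 0x28
EF_ARM_ABI_FLOAT_HARD = 0x400


def inspect_elf(data):
    """Return the PT_INTERP loader path, DT_NEEDED names, ARM/hard-float flags."""
    if data[:4] != b"\x7fELF" or data[4] != 1:
        raise ValueError("not a 32-bit ELF file")
    e = "<" if data[5] == 1 else ">"                      # EI_DATA: little/big endian
    e_machine, = struct.unpack_from(e + "H", data, 18)
    e_phoff, = struct.unpack_from(e + "I", data, 28)
    e_flags, = struct.unpack_from(e + "I", data, 36)
    e_phentsize, e_phnum = struct.unpack_from(e + "HH", data, 42)
    # each phdr: type, offset, vaddr, paddr, filesz, memsz, flags, align
    phdrs = [struct.unpack_from(e + "8I", data, e_phoff + i * e_phentsize)
             for i in range(e_phnum)]

    def file_off(vaddr):                                  # vaddr -> file offset via PT_LOAD
        for p_type, p_offset, p_vaddr, _, p_filesz, *_ in phdrs:
            if p_type == PT_LOAD and p_vaddr <= vaddr < p_vaddr + p_filesz:
                return vaddr - p_vaddr + p_offset
        raise ValueError(f"vaddr {vaddr:#x} not inside any PT_LOAD")

    def cstr(off):
        return data[off:data.index(b"\0", off)].decode("ascii", "replace")

    interp, needed = None, []
    for p_type, p_offset, _, _, p_filesz, *_ in phdrs:
        if p_type == PT_INTERP:
            interp = data[p_offset:p_offset + p_filesz].rstrip(b"\0").decode()
        elif p_type == PT_DYNAMIC:
            tags, strtab, pos = [], None, p_offset
            while True:                                   # walk Elf32_Dyn entries to DT_NULL
                d_tag, d_val = struct.unpack_from(e + "II", data, pos)
                pos += 8
                if d_tag == DT_NULL:
                    break
                if d_tag == DT_NEEDED:
                    tags.append(d_val)
                elif d_tag == DT_STRTAB:
                    strtab = file_off(d_val)
            if tags and strtab is None:
                raise ValueError("DT_NEEDED without DT_STRTAB")
            needed = [cstr(strtab + t) for t in tags]
    return {"interp": interp, "needed": needed, "arm": e_machine == EM_ARM,
            "hard_float": bool(e_flags & EF_ARM_ABI_FLOAT_HARD)}


def libc_flavour(info):
    """'static', 'glibc', 'uclibc', 'musl' or 'unknown' from loader/library names."""
    names = ([info["interp"]] if info["interp"] else []) + info["needed"]
    if not names:
        return "static"                                   # no loader needed at all
    joined = " ".join(names)
    if "uClibc" in joined or "libc.so.0" in joined:
        return "uclibc"
    if "ld-musl" in joined:
        return "musl"
    if "ld-linux" in joined or "libc.so.6" in joined:
        return "glibc"
    return "unknown"


def check_for_camera(data, target="uclibc"):
    """(ok, message): will the dynamic loader on a `target`-libc ARM system be
    satisfied? Static binaries (e.g. the musl busybox build) pass on any libc."""
    info = inspect_elf(data)
    flavour = libc_flavour(info)
    if not info["arm"]:
        return False, "not an ARM binary"
    if flavour in ("static", target):
        return True, f"{flavour} binary, loader will be satisfied"
    return False, (f"linked against {flavour} ({info['interp']}, {', '.join(info['needed'])}); "
                   f"a {target} target has no such loader/libc, expect \"can't load library\"")


def build_fake_elf(interp, needed, machine=EM_ARM):
    """Constructed sample: minimal ELF32 LE image with PT_LOAD, PT_INTERP and
    PT_DYNAMIC headers only (assumption: that is all the checker needs)."""
    base = 0x10000
    strtab, name_offs = b"\0", []
    for n in needed:
        name_offs.append(len(strtab))
        strtab += n.encode() + b"\0"
    interp_b = interp.encode() + b"\0" if interp else b""
    n_ph = 1 + bool(interp) + bool(needed)
    interp_off = 52 + 32 * n_ph
    strtab_off = interp_off + len(interp_b)
    dyn_off = strtab_off + len(strtab)
    dyn = b"" if not needed else (
        b"".join(struct.pack("<II", DT_NEEDED, o) for o in name_offs)
        + struct.pack("<II", DT_STRTAB, base + strtab_off)
        + struct.pack("<II", DT_STRSZ, len(strtab)) + struct.pack("<II", DT_NULL, 0))
    total = dyn_off + len(dyn)

    def ph(p_type, off, size):
        return struct.pack("<8I", p_type, off, base + off, base + off, size, size, 5, 4)

    phdrs = ph(PT_LOAD, 0, total)
    phdrs += ph(PT_INTERP, interp_off, len(interp_b)) if interp else b""
    phdrs += ph(PT_DYNAMIC, dyn_off, len(dyn)) if needed else b""
    ehdr = b"\x7fELF" + bytes([1, 1, 1, 0]) + bytes(8)   # ELFCLASS32, LE, version 1
    ehdr += struct.pack("<HHIIIIIHHHHHH", 2, machine, 1, base, 52, 0,
                        0x05000000 | EF_ARM_ABI_FLOAT_HARD, 52, 32, n_ph, 0, 0, 0)
    return ehdr + phdrs + interp_b + strtab + dyn
```

To use it on a real build, read the file (open("framegrabber", "rb").read()) and call check_for_camera on it; a False result with ld-linux/libc.so.6 in the message means the toolchain produced a glibc binary and the uClibc buildroot toolchain telmomarques describes is needed.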

jandy123 commented 3 years ago

@telmomarques: Yes, I've seen the libs used from the camera and copied them from there. I also had to modify the makefile for the toolchain path.

I'm sure I compile just fine and for target IPC019. I still get the libc dependency, which I do not understand... The only explanation may be that you use a different toolchain. Could you please share it ?

EDIT: As I said, I had lots of issues cross-compiling mosquitto.The only way out was to pass -nostdlib -nolibc and manually link all required libraries.

telmomarques commented 3 years ago

I used buildroot to build a cross-compile toolchain for armhf with uClibc. Here's my buildroot .config if you want to try it: config.zip

jandy123 commented 3 years ago

@telmomarques: Thanks for the config file. I'll first test the binary you provided and see what happens. As a last resort I'll compile buildroot.

Are you aware of a smarter way of detecting motion events on the camera ? Right now I have a stupid shell script watching /tmp/cloud. Whenever *.mp4 appear in that folder, I signal to my MQTT broker using mosquitto_pub.

Thanks again !

telmomarques commented 3 years ago

Regarding motion detection, at this time no, sorry :\

jandy123 commented 3 years ago

Well, the framegrabber you provided definitely works ! I need to compile buildroot...

fumanchi commented 3 years ago

@jandy123 So, the newly provided frame grabber (for IPC019) works as you say... am I right assuming the whole hack here works with the new frame grabber deployed on the sdcard?

jandy123 commented 3 years ago

Well, I did not properly test it. I've just started, saw it running and stopped it... But yes, all hacks run from an sdcard. Please read carefully the installation instructions.

fumanchi commented 3 years ago

@jandy123 I did :) I also managed to hack the cam using a programmer (CH341A) to be able to run arbitrary shell scripts or binaries (e.g. busybox) off my SD card... my question was whether all the "modules" the hack consists of are running on the new revision cams now, so that I just need to exchange the framegrabber binaries and it should work... right?

jandy123 commented 3 years ago

@fumanchi: I see, sorry my bad. I did not test the various modules yet, so I don't know, sorry. I'm still struggling to get a cross-compiler working without a lot of headache ;).

rezmus commented 3 years ago

No, most binaries are for the MJSXJ02CM, so not compiled against uClibc.

edit: use rtspserver from an older version of the hack. As far as I remember it worked fine with the uClibc framegrabber.

https://drive.google.com/file/d/1a4nPmhqWqEYlWQMLZT4tfZpVDE15rRpe/view