Open Jayah59 opened 5 years ago
Looks like you found out it isn't compatible :)
Try to find the recovery image for your camera type. uboot is not overwritten so should still be working
Yes indeed 😅
I'm trying to find a recovery image but I'm struggling. I opened a post on the Xiaomi forum, I hope someone can help me (https://c.mi.com/thread-2609368-1-0.html).
I started to disassemble the camera to connect a serial port. As soon as possible, I will solder the serial port and I will post the result.
Thx
Maybe we would like the ARM chip :)
A firmware hack is possible, but requires some tools:
- CH341A flash programmer
- SOIC8 clip and some dupont wires
- Complete device teardown

Basic steps are:
- Create a flash backup:
`flashrom -p ch341a_spi -r backup.bin`
- Download the firmware and put it into the same folder.
- Run this script to patch the backup:
```bash
#!/bin/bash
# extract firmware
mkdir -p files
dd if=tf_recovery.img of=files/kernel.bin bs=1 count=2097152
dd if=tf_recovery.img of=files/rootfs.bin bs=1 count=7733248 skip=2097152
dd if=tf_recovery.img of=files/data.bin bs=1 count=6488064 skip=9830400
dd if=backup.bin of=files/vendor.bin bs=1 count=131072 skip=16646144
# patch jffs2 partition
sudo modprobe mtdblock
sudo modprobe mtdram total_size=6336
sudo dd if=files/data.bin of=/dev/mtdblock0 bs=1
mkdir mount
sudo mount -t jffs2 /dev/mtdblock0 mount
echo '#!/bin/sh' | sudo tee -a mount/bin/log_diag_platform.sh
echo '/mnt/sdcard/override.sh' | sudo tee -a mount/bin/log_diag_platform.sh
sudo chmod 755 mount/bin/log_diag_platform.sh
sudo umount mount
rmdir mount
sudo dd if=/dev/mtdblock0 of=files/data.bin bs=1
# update flash backup
mkdir -p out
cp backup.bin -f out/flash.bin
dd if=files/kernel.bin of=out/flash.bin bs=1 count=2097152 seek=327680
dd if=files/rootfs.bin of=out/flash.bin bs=1 count=7733248 seek=2424832
dd if=files/data.bin of=out/flash.bin bs=1 count=6488064 seek=10158080
dd if=files/vendor.bin of=out/flash.bin bs=1 count=131072 seek=16646144
```
- Re-flash the modified backup:
`flashrom -p ch341a_spi -w out/flash.bin`
- Prepare the sdcard script:
`/sdcard/override.sh`
```sh
#!/bin/sh
main() {
    # start telnet
    /mnt/sdcard/busybox telnetd
}
if [ ! -f /tmp/.override ]; then
    touch /tmp/.override
    main
fi
```
- Press the reset button (briefly) on the camera to launch the override script.
The flash chip is located right beside the camera sensor, it is necessary to partially remove the lens:
It might occur that the SOIC clip will also power up the camera, this will interfere with the flash programming. One solution is to cut HOLD (pin7) and VCC (pin8) to reduce power delivery, this can be done with some dupont wires:
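A pre-flash sanity check for the patched image, as an added example that is not part of the original comment. It uses the partition offsets and sizes from the `dd` commands in the patch script; the label `head` for the bytes before the kernel offset and the function names are assumptions of this example.

```shell
#!/bin/sh
# Flash layout implied by the dd offsets in the patch script: name offset size (bytes).
# "head" (everything before the kernel offset) is a label chosen for this example.
LAYOUT='head 0 327680
kernel 327680 2097152
rootfs 2424832 7733248
data 10158080 6488064
vendor 16646144 131072'
FLASH_SIZE=16777216   # 16 MiB, the end of the vendor partition
BS=4096               # every offset and size above is a multiple of 4096

# Checksum of one partition inside an image.
part_sum() {  # part_sum IMAGE OFFSET SIZE
    dd if="$1" bs="$BS" skip=$(($2 / BS)) count=$(($3 / BS)) 2>/dev/null | cksum
}

# Print, one per line, the partitions that differ between two images.
changed_partitions() {  # changed_partitions ORIGINAL PATCHED
    echo "$LAYOUT" | while read -r name off size; do
        [ "$(part_sum "$1" "$off" "$size")" = "$(part_sum "$2" "$off" "$size")" ] \
            || echo "$name"
    done
}

# Succeed only if both images are full-size and nothing outside the
# partitions rewritten by the patch script (kernel, rootfs, data) changed.
check_patched_image() {  # check_patched_image ORIGINAL PATCHED
    for f in "$1" "$2"; do
        if [ "$(wc -c < "$f")" -ne "$FLASH_SIZE" ]; then
            echo "size of $f is not $FLASH_SIZE bytes" >&2
            return 1
        fi
    done
    for name in $(changed_partitions "$1" "$2"); do
        case "$name" in
            kernel|rootfs|data) ;;
            *) echo "unexpected change in '$name'" >&2; return 1 ;;
        esac
    done
}
```

Run `check_patched_image backup.bin out/flash.bin` before the `flashrom -w` step; a size mismatch also catches a backup read from a chip that is not 16 MiB.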
@Jayah59 Have you successfully hacked MJSXJ05CM yet ? I also want to hack but don't know what to do :)
@Jayah59 @phamthanhtri @none815 firmware update didn't complete and my MJSXJ05CM bricked. I want to hack with tf_recovery.img file. If you have for 05CM, can you share?
@ahmetikbal you can use this file to reset camera into stable version (https://drive.google.com/open?id=1ve6XlBEiZebJV6ukJ0Oiu7DePw2JCsWj). I still haven't hacked yet
Right, so I have version mjsxj05cm, could the firmware posted by @phamthanhtri be hacked so telnet can be enabled? At least that would be a start towards getting rtsp working I guess :)
Still nothing at MJSXJ05CM hack? It seems nowadays these are the cameras found in shops.
I have managed to un-brick my MJSXJ05CM with https://drive.google.com/file/d/1ve6XlBEiZebJV6ukJ0Oiu7DePw2JCsWj/view
Any update on the hack?
> The flash chip is located right beside the camera sensor, it is necessary to partially remove the lens:
> It might occur that the SOIC clip will also power up the camera, this will interfere with the flash programming. One solution is to cut HOLD (pin7) and VCC (pin8) to reduce power delivery, this can be done with some dupont wires:

How did you flash this chip with cut 7 and 8 wires? My programmer didn't detect the chip when these wires are cut
I am also waiting for MJSXJ05CM flash. Don't want to open the camera up. Thanks :)
> A firmware hack is possible, but requires some tools:
> - CH341A flash programmer
> - SOIC8 clip and some dupont wires
> - Complete device teardown
>
> Basic steps are:
> - Create a flash backup:
> `flashrom -p ch341a_spi -r backup.bin`
> - Download the firmware and put it into the same folder.
> - Run this script to patch the backup:
> ```bash
> #!/bin/bash
> # extract firmware
> mkdir -p files
> dd if=tf_recovery.img of=files/kernel.bin bs=1 count=2097152
> dd if=tf_recovery.img of=files/rootfs.bin bs=1 count=7733248 skip=2097152
> dd if=tf_recovery.img of=files/data.bin bs=1 count=6488064 skip=9830400
> dd if=backup.bin of=files/vendor.bin bs=1 count=131072 skip=16646144
> # patch jffs2 partition
> sudo modprobe mtdblock
> sudo modprobe mtdram total_size=6336
> sudo dd if=files/data.bin of=/dev/mtdblock0 bs=1
> mkdir mount
> sudo mount -t jffs2 /dev/mtdblock0 mount
> echo '#!/bin/sh' | sudo tee -a mount/bin/log_diag_platform.sh
> echo '/mnt/sdcard/override.sh' | sudo tee -a mount/bin/log_diag_platform.sh
> sudo chmod 755 mount/bin/log_diag_platform.sh
> sudo umount mount
> rmdir mount
> sudo dd if=/dev/mtdblock0 of=files/data.bin bs=1
> # update flash backup
> mkdir -p out
> cp backup.bin -f out/flash.bin
> dd if=files/kernel.bin of=out/flash.bin bs=1 count=2097152 seek=327680
> dd if=files/rootfs.bin of=out/flash.bin bs=1 count=7733248 seek=2424832
> dd if=files/data.bin of=out/flash.bin bs=1 count=6488064 seek=10158080
> dd if=files/vendor.bin of=out/flash.bin bs=1 count=131072 seek=16646144
> ```
> - Re-flash the modified backup:
> `flashrom -p ch341a_spi -w out/flash.bin`
> - Prepare the sdcard script:
> `/sdcard/override.sh`
> ```sh
> #!/bin/sh
> main() {
>     # start telnet
>     /mnt/sdcard/busybox telnetd
> }
> if [ ! -f /tmp/.override ]; then
>     touch /tmp/.override
>     main
> fi
> ```
> - Press the reset button (briefly) on the camera to launch the override script.

none815, can you tell us please, what flash chip installed in MJSXJ05CM? As I understand, it's SPI flash. But what is series/number of the chip? What's flash size in that chip?
@none815 I did flash the chip like you suggested but it didn't work properly. Any suggestion what steps are necessary after resetting the camera?
@KhArtNJava
I did a little bit of research and the Chip seems to be the cFeon Q32B-104HIP, 32Mbit SPI Serial Flash, SOIC-8 or also many times referenced as EN25Q32B.
https://www.kean.com.au/oshw/WR703N/teardown/EN25Q32B%2032Mbit%20SPI%20Flash.pdf
Does this help?
Hello everyone,
So I tried @none815's method and it worked well. The flash chip, in my case, was an EN25QH128.
I did a few modifications though: instead of having the script launched by the diagnosis launcher, I modified wifi_start, which allows me to run my script on boot, instead of on reset.
I'm still working on getting the current hacks to run, runsvdir doesn't seem to work yet ...
Thanks !
Hi slock82,
I am stuck with runsvdir as well... the file itself seems to be there but I always get: "/mnt/sdcard/manu_test/configure_services.sh: line 50: runsvdir: not found". As if the file wouldn't be there... I found the file has been compiled dynamically... It directly depends on: Shared library: [libc.so.6] Shared library: [ld-linux-armhf.so.3] which seems to be fine...
As we are using a newer firmware they might have blocked the system from running binaries from sdcard. What do you think? Have you made any progress?
Hello everybody,
Today my programmer arrived and I managed to successfully flash the spi-flash with the method described by @none815. Cam is powering up correctly and re-setup went fine.
But now I'm stuck with the mentioned override.sh script. telnet is to be run by busybox `/mnt/sdcard/busybox telnetd`, right? Can anybody please tell me what I'm missing? Where to get busybox from?
I can confirm the statement from @slock83, that the MJSXJ05CM (IPC019) has a 16MB Flash EN25QH128, same as in my CMSXJ16A (IPC016).
Thanks in advance!
New busybox would contain runit (runsv/dir).
@puuhderbaer busybox can be downloaded here: https://busybox.net/downloads/binaries/1.31.0-defconfig-multiarch-musl/busybox-armv7l
Also I got runit with busybox working.
```sh
/mnt/sdcard/busybox --list | awk '/runsv|chpst|svlog|^sv$/' | xargs -I{} ln -sv /mnt/sdcard/busybox /mnt/data/bin/{}
```
I'm not sure how to make it permanent yet.
Also my MJSXJ05CM uses Camera model 'ipc019' not ipc009, we would have to recompile the mija-framegrabber.
Thanks a lot @twosky2000! That did the trick. Telnet is up and running. But there is not yet any progress getting rtsp to work on 'ipc019', right?
Since I do not have the HW tools required to flash the EEPROM, I was wondering what would happen if I just patch the jffs2 partition as described by @none815 and try to flash via OTA update? Would this work? Has anyone already tried this?
Thanks !
Has anybody experience in cross compiling for that architecture? I have obtained the SDK but do not have any idea which toolchain to use and so on...
Well, could you share the SDK? I managed to cross-compile mosquitto to signal motion detect events to hassio. It's a nuisance, though. I simply used arm-linux-gnueabihf on a standard ubuntu 18.04 install. Some libraries had to be pulled from the camera to get it to link.
The SDK is freely available... https://dl.openipc.org/SDK/MStar
Thanks ! I see the toolchain sources there.
— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/telmomarques/xiaomi-360-1080p-hacks/issues/18#issuecomment-688142543, or unsubscribe https://github.com/notifications/unsubscribe-auth/ADRSNYKCURYWIJF6QVJ4UVLSESIWDANCNFSM4JM7SLMQ .
I do so as well.. but I do not know what I actually need to compile e.g. the mija-framegrabber... I do work on an ubuntu 16.04 LTS at the moment... A toolchain is a set of compilers (e.g. cc, cxx), and archivers (e.g. ar).. but there are no such linux binaries (elf binaries for amd64)... Have I missed something? Do we just use our "native" gnu toolchain using the ubuntu packaged arm gnu abi for cross compilation? How do we access the hardware? This should be provided by the SDK I posted above, right?
Could you please share the SDK and toolchain using e.g. google drive ? I cannot download them for free from the location you indicated. Then, I could have a look at the toolchain.
Thanks for the link, but is this the same with the one from https://dl.openipc.org/SDK/MStar ? File naming suggests otherwise.
On Mon, Sep 7, 2020 at 10:33 AM fumanchi notifications@github.com wrote:
> https://drive.google.com/file/d/1DnTe8G4FV4rMuopYFrdX6sx_ZeFv9YMD/view

This is all I have got :(
Anyways, back to your question, I suppose you mean compile this: https://github.com/crckmc/mija-framegrabber
I understand all steps, but the problem is that I do not have on MJSXJ05CM:
- libpthread-2.25
- libc-2.25
For the rest it should all be doable with the toolchain from https://dl.openipc.org/SDK/MStar and the SDK.
Check https://github.com/telmomarques/mija-framegrabber/
The makefile has a target for ipc019 (MJSXJ05CM), the `LIBS` variable is the shared libraries you need.
> Anyways, back to your question, I suppose you mean compile this: https://github.com/crckmc/mija-framegrabber
> I understand all steps, but the problem is that I do not have on MJSXJ05CM:
> - libpthread-2.25
> - libc-2.25

You mean you do not have the headers aka development files? Shouldn't the API (at least as far as it might be used in the frame grabber sources) be compatible to other gnu platforms (e.g. linux?)

> For the rest it should all be doable with the toolchain from https://dl.openipc.org/SDK/MStar and the SDK.

Yes.. I think we should try to get the toolchain anyhow... the SDK is not helping a lot :(

> Check https://github.com/telmomarques/mija-framegrabber/ The makefile has a target for ipc019 (MJSXJ05CM), the `LIBS` variable is the shared libraries you need.

So we need the shared libraries at compile time :( are they not available on the cam? At least the libpthread.so and librt.so are part of the SDK/arm-linux-gnueabihf)...

Yes, they are available on the cam 🙂 Notice on the makefile that the libs for MJSXJ05CM are different, you don't need libpthread or librt for target ipc19.
I noticed I still have framegrabber compiled locally for ip019. So if you want to try it out I uploaded a new release: https://github.com/telmomarques/mija-framegrabber/releases/tag/temp
Well, I've just tried. It compiles and links fine (using libs pulled from the camera), but at runtime it still has a dependency:
framegrabber: can't load library 'libc.so.6'
Any idea ?
@jandy123, IPC019 does not use libc (it uses uClibc), so I think you're using the wrong binary. Check my previous message for a compiled framegrabber binary for IPC019.
@telmomarques: Yes, I've seen the libs used from the camera and copied them from there. I also had to modify the makefile for the toolchain path.
I'm sure I compile just fine and for target IPC019. I still get the libc dependency, which I do not understand... The only explanation may be that you use a different toolchain. Could you please share it ?
EDIT: As I said, I had lots of issues cross-compiling mosquitto. The only way out was to pass -nostdlib -nolibc and manually link all required libraries.
I used buildroot to build a cross-compile toolchain for armhf with uClibc.
Here's my buildroot `.config` if you want to try it: config.zip
@telmomarques: Thanks for the config file. I'll first test the binary you provided and see what happens. As a last resort I'll compile buildroot.
Are you aware of a smarter way of detecting motion events on the camera ? Right now I have a stupid shell script watching /tmp/cloud. Whenever *.mp4 appear in that folder, I signal to my MQTT broker using mosquitto_pub.
Thanks again !
Regarding motion detection, at this time no, sorry :\
Well, the framegrabber you provided definitely works ! I need to compile buildroot...
@jandy123 So, the newly provided frame grabber (for IPC019) works as you say... am I right assuming the whole hack here works with the new frame grabber deployed on the sdcard?
Well, I did not properly test it. I've just started, saw it running and stopped it... But yes, all hacks run from an sdcard. Please read carefully the installation instructions.
@jandy123 I did :) I also managed to hack the cam using a programmer (CH341A) to be able to run arbitrary shell scripts or binaries (e.g. busybox) off my sd card... my question was if all the "modules" the hack consists of are running on the new revision cams now? So that I just need to exchange the frame grabber binaries and it should work... right?
@fumanchi: I see, sorry my bad. I did not test the various modules yet, so I don't know, sorry. I'm still struggling to get a cross-compiler working without a lot of headache ;).
No, most binaries are for MJSXJ02CM so not compiled against uclibc.
Edit: use rtspserver from older version of the hack. As far as I remember it worked fine with uclibc framegrabber.
https://drive.google.com/file/d/1a4nPmhqWqEYlWQMLZT4tfZpVDE15rRpe/view
Hi !
Is this compatible? I tried downloading tf_recovery.bin to sdcard and flashing but it did not work and worse, I think my camera is bricked ...
The amber LED is not blinking, it is permanently on and the camera does not move. Same observation without sd card