telmomarques / xiaomi-360-1080p-hacks

Hacks for the Xiaomi Mi 360 1080p camera (MJSXJ02CM).

Compatibility with Mijia 1080p MJSXJ05CM ? #18

Open Jayah59 opened 5 years ago

Jayah59 commented 5 years ago

Hi !

Is this compatible? I tried downloading tf_recovery.bin to the sdcard and flashing, but it did not work and, worse, I think my camera is bricked...

The amber LED is not blinking, it is permanently on and the camera does not move. Same observation without the SD card.

.<

Jayah59 commented 4 years ago

It might occur that the SOIC clip will also power up the camera, which will interfere with the flash programming. One solution is to cut HOLD (pin 7) and VCC (pin 8) to reduce power delivery; this can be done with some dupont wires:

I don't understand: when you say you have to cut pin 7 and 8, you mean cut the pin from the PCB, or just from the programmer?

If you have a W25Q128 flash chip, unplug/cut pin 8 only on the programmer, it's easier. If it's an EON chip, keep pin 8. That was my case with the EN25QH128.

This is my programmer: [image: 20200921_175621]

2879597772 commented 4 years ago

I used a method that is more convenient for disassembly and assembly. This method is more suitable for hacks testers who are testing. This method is what I learned when I was brushing the router; it needs a little hands-on ability.

[images: 20200801175809]

jandy123 commented 4 years ago

@viktorxda : Somehow nobody noticed this... Where did you guys get the RSA private key from ???

rezmus commented 4 years ago

it was early christmas present from xiaomi/imilab. they posted cam sources (with manu_test/tf_recovery.img tools) to github some time ago. probably by mistake because it was taken down after a few days.

Jayah59 commented 4 years ago

Using the SPI programmer shouldn't be necessary anymore, copy the attached archive to the sdcard and edit override.sh to start the needed programs.

manu_test.zip

Yes indeed. The best is to test the alpha version for the 05 posted earlier by Telmo on discord.

https://discordapp.com/channels/713125176971231233/713478693363777566/757605306120405204

giomasce commented 4 years ago

it was early christmas present from xiaomi/imilab. they posted cam sources (with manu_test/tf_recovery.img tools) to github some time ago. probably by mistake because it was taken down after a few days.

Is a copy of these sources still available?

giomasce commented 4 years ago

More in general, is there some doc/write-up on the various roads to gain the control of the firmware? I'd like to learn more, not just repeat the instructions.

spbdimka commented 4 years ago

https://discordapp.com/channels/713125176971231233/713478693363777566/757605306120405204

This message is no longer available. Is there a ready img firmware for 05, or is only the hw hack available at this moment?

HugoPoi commented 4 years ago

Edited for @chepa92

  1. I just flash the firmware given here https://github.com/telmomarques/xiaomi-360-1080p-hacks/issues/18#issuecomment-598550451
  2. Then place on sdcard files provided here : The link to last patched firmware for MJSXJ05CM https://drive.google.com/file/d/1HhdIDuxslfv5-mONTYbJTnRbgra-0FeZ/view

@spbdimka the link works you need to join the discord channel with this link first https://discord.gg/qggupzu

chepa92 commented 4 years ago

can you explain how to use it? I have v4.0.9, possible to downgrade?

teras commented 4 years ago

@puuhderbaer

I can confirm the statement from @slock83, that the MJSXJ05CM (IPC019) has a 16MB Flash EN25QH128, same as in my CMSXJ16A (IPC016).

Did you try (and/or) manage to properly flash the CMSXJ16A camera?

seetendra commented 4 years ago

I was able to downgrade the firmware and get the web page open as well, but I am unable to use RTSP. Is it not working so far, or am I missing something?

spbdimka commented 4 years ago

Did you downgrade it with disassembly and chip flashing or by SD card?

seetendra commented 4 years ago

Did you downgrade it with disassembly and chip flashing or by SD card?

SD card.

spbdimka commented 4 years ago

@seetendra strange. I've tried with 05 and 4.0.9 fw - no way. Now I'm flashing 02 with the same fw and it's downgrading.

seetendra commented 4 years ago

@seetendra strange. I've tried with 05 and 4.0.9 fw - no way. Now I'm flashing 02 with the same fw and it's downgrading.

I am on 3.5.1_0052, should I use another firmware?

seetendra commented 4 years ago

@spbdimka Are you able to get the RTSP working?

liv3010m commented 4 years ago

Hi everyone, another person with a MJSXJ05CM here!

Did anyone get it working? If we are already on 3.5.1_0052 (default firmware), do we have to flash tf_recovery.img from IPC019_3.5.1_0052.zip from https://github.com/telmomarques/xiaomi-360-1080p-hacks/issues/18#issuecomment-598550451 ? Or do we just go to step number 2 from @HugoPoi's post https://github.com/telmomarques/xiaomi-360-1080p-hacks/issues/18#issuecomment-701484630 ?

Thanks!

seetendra commented 4 years ago

OK, I did downgrade but the RTSP stream did not work. After that I upgraded to the latest version and the RTSP stream is working, but the frames are dropping badly on the stream. So I can suggest giving it a try with the latest firmware and checking.

liv3010m commented 4 years ago

OK, I just copied the content of the sdcard folder to the SD card and fired up a browser to the camera's IP address. Enabled RTSP but couldn't open a stream with VLC, be it h264 or h265, mainstream or substream.

How are you consuming the stream in Home Assistant/HASS?

I also just wanted to add from the moment I start the camera with the SD card inserted I can move it using the Xiaomi Home app but I can't view anything from it because it's staying at initializing 99%.

danergo commented 4 years ago

Guys, someone knows a solution for HW watchdog for this SSC323 ARM chip? Maybe with custom kernel? Thanks

HepoH3 commented 4 years ago

mjpg streamer

I've managed to get mjpg streamer working on 05CM. If you want to try it, unpack the archive in some folder on the sdcard, login on the cam and start it in console using:

./mjpg_streamer -i "input_snapshot.so -d 1000" -o output_http.so

Then, on a different computer, in the browser go to http://IP:8080/?action=stream. You should be able to see the mjpeg stream. To take a snapshot use: http://IP:8080/?action=snapshot.

The parameter -d above is the delay between frames in ms. As is, the delay is 1 sec. You may try to decrease it, but keep an eye on the CPU load. If too small values are used, seems that streaming stops working, so please be careful.

This is useful here, since I can finally get the stream in hassio, while still keeping the app functional.

Please test and report here.

https://drive.google.com/file/d/1C5dw4VxRW4Hu__eJI2W-2AnMqtHCPcqc/view?usp=sharing

@jandy123 , can you share this archive again? The link above says the file has been deleted.

EricJeedom commented 4 years ago

hello @HepoH3 I copied your files to the sdcard and when I write ./mjpg_streamer -i "input_snapshot.so -d 1000" -o output_http.so in the console

here is the error message:

./mjpg_streamer -i "input_snapshot.so -d 1000" -o output_http.so

MJPG Streamer Version: svn rev: Unversioned directory
ERROR: could not find input plugin
Perhaps you want to adjust the search path with:
export LD_LIBRARY_PATH=/path/to/plugin/folder
dlopen: File not found

Can you explain, please?

thanks

HepoH3 commented 4 years ago

Those files are actually not mine, and I've asked for them in the post you've quoted ;)

paulomanuelp commented 4 years ago

Hello, any news about the compatibility for MJSXJ105CM? Is this feature going to be pushed to GitHub?

telmomarques commented 4 years ago

Hello, any news about the compatibility for MJSXJ105CM? Is this feature going to be pushed to GitHub?

Hi,

Not enough testing has been done on the alpha version for 05cm to be safe for a github release. Please check the discord server for more information on how to help.

Shevbo commented 4 years ago

Hi! Globally speaking, I did not get it at all, reading the above: is anybody able to downgrade MJSXJ05CM with SD card from current firmware 4.0.9_0426 to 3.5.1_0052?

rezmus commented 4 years ago

@Shevbo you can't downgrade from 4.0.9_0426 with sdcard nor use the hack, because they replaced uboot with this firmware and closed the backdoor.

cmiguelcabral commented 4 years ago

I just tested this version (https://drive.google.com/file/d/1HhdIDuxslfv5-mONTYbJTnRbgra-0FeZ/view) on my MJSXJ05CM just by using the sdcard method. Worked at first attempt. RTSP and ssh are working well. The image was a bit brownish at the beginning, but I opened Mi Home and forced the camera to be Full-HD, now it is just fine, like it was on the app before the hacks. Perfect, thanks!!

doudouhightech commented 4 years ago

Yes, as cmiguelcabral said, it works, thanks a lot everyone.

cmiguelcabral commented 4 years ago

I'm just unable to use the motor-control and onvif-server.

liv3010m commented 4 years ago

Guys what's the format of the h264/265 RTSP stream?

ciapecki commented 4 years ago

Guys what's the format of the h264/265 RTSP stream?

rtsp://IP:8554/mainstream

liv3010m commented 4 years ago

Guys what's the format of the h264/265 RTSP stream?

rtsp://IP:8554/mainstream

Thanks, don't know why it wasn't working before when I was copying the URL from the web admin page but it now works.

Karwail commented 4 years ago

Hello,

Thanks for this work! From my side the hack works. SSH, RTSP H265 and Web interface is ok. The RTSP H264 and webstream stream does not seem to work.

LeandroIssa commented 4 years ago

I just tested this version (https://drive.google.com/file/d/1HhdIDuxslfv5-mONTYbJTnRbgra-0FeZ/view) on my MJSXJ05CM just by using the sdcard method. Worked at first attempt. RTSP and ssh are working well. The image was a bit brownish at the beginning, but I opened Mi Home and forced the camera to be Full-HD, now it is just fine, like it was on the app before the hacks. Perfect, thanks!!

Is this file working? What is the installation step by step? Just have to put the contents of the .rar on a sdcard on the camera? I have the camera in version 4.0.9_0425 do I need to do any type of downgrade? Thanks

LeandroIssa commented 4 years ago

I downgraded to version 3.5.0.1_0052 and it worked perfectly. Now my problem is the following, when I put the microsd card in the camera and enter the web config client, no image appears, not even in mi home. Without the card the image will appear on the mi home normally.

LeandroIssa commented 4 years ago

I noticed that when I turn on "enable websocket stream", the image hangs in Mi Home, it says "getting ready to reproduce ... 90%" and there is no image. When I turn it off, the image appears in Mi Home. In both cases the image does not appear in my Home Assistant. With "enable websocket stream" turned off, the image in Mi Home works perfectly.

LeandroIssa commented 4 years ago

@Karwail They informed me of this: actually for MJSXJ02CM it's working because the video coding is H264, but it's not working for MJSXJ05CM because the video coding is H265 and navigators don't manage H265.

cmiguelcabral commented 4 years ago

[image]

This is my configuration, is working well on Home Assistant and also on Agent DVR. I just needed to open Mi Home and force the camera to work full-hd.

I also would like to remove the timestamp, as I'm blocking the internet connection to the camera and it's showing we are in 1970... :-) I just cannot get onvif_srvd and motor_control to work, they just don't start and report "-sh: ./motord: not found" for both. Tried the pre-compiled binaries and compiling myself using a docker container, no go...

cmiguelcabral commented 4 years ago

[image]

Actually, regarding Home Assistant, I can only watch the stream in the Android app. In the browser I'm getting this error.

LeandroIssa commented 4 years ago

[image]

This is my configuration, it is working well on Home Assistant and also on Agent DVR. I just needed to open Mi Home and force the camera to work in full-HD.

I would also like to remove the timestamp, as I'm blocking the internet connection to the camera and it's showing we are in 1970... :-) I just cannot get onvif_srvd and motor_control to work, they just don't start and report "-sh: ./motord: not found" for both. Tried the pre-compiled binaries and compiling myself using a docker container, no go...

Would you mind passing what setting you placed in the camera's configuration.yaml in Home Assistant?

cmiguelcabral commented 4 years ago

camera:

Then placed an image of the camera taken from the internet on 'www/images' folder.

LeandroIssa commented 4 years ago

Nothing yet, no image appears in the Home Assistant but in Mi Home it works perfect. I put the configuration in yaml just like yours.

liv3010m commented 4 years ago

When I set the stream to h264 it stays at h265 (reported by VLC).

@cmiguelcabral are you able to run the h264 version of the RTSP stream?

cmiguelcabral commented 4 years ago

When I set the stream to h264 it stays at h265 (reported by VLC).

@cmiguelcabral are you able to run the h264 version of the RTSP stream?

Nope...

third-bank-of-the-river commented 4 years ago

I'm just unable to use the motor-control and onvif-server.

Did you use this motor-control code? https://github.com/thewh1teagle/xiaomi-1080-360-motor-control/commit/006161941e8843d61a181a36ae8302b6417ed491

cmiguelcabral commented 4 years ago

I'm just unable to use the motor-control and onvif-server.

Did you use this motor-control code? thewh1teagle/xiaomi-1080-360-motor-control@0061619

Yes, I tried that one. No luck.

KhArtNJava commented 3 years ago

A firmware hack is possible, but requires some tools:

  • CH341A flash programmer
  • SOIC8 clip and some dupont wires
  • Complete device teardown

Basic steps are:

  • Create a flash backup: flashrom -p ch341a_spi -r backup.bin
  • Download the firmware and put it into the same folder.
  • Run this script to patch the backup:
#!/bin/bash
# stop on the first error so a half-built image is never produced
set -e

# extract firmware partitions (offsets and sizes are in bytes)
mkdir -p files
dd if=tf_recovery.img of=files/kernel.bin bs=1 count=2097152
dd if=tf_recovery.img of=files/rootfs.bin bs=1 count=7733248 skip=2097152
dd if=tf_recovery.img of=files/data.bin bs=1 count=6488064 skip=9830400
# the vendor partition is taken from the device's own flash backup
dd if=backup.bin of=files/vendor.bin bs=1 count=131072 skip=16646144

# patch jffs2 partition: load it into a RAM-backed MTD device and mount it
sudo modprobe mtdblock
sudo modprobe mtdram total_size=6336
sudo dd if=files/data.bin of=/dev/mtdblock0 bs=1
mkdir -p mount
sudo mount -t jffs2 /dev/mtdblock0 mount
# make log_diag_platform.sh run override.sh from the sdcard
echo '#!/bin/sh' | sudo tee -a mount/bin/log_diag_platform.sh
echo '/mnt/sdcard/override.sh' | sudo tee -a mount/bin/log_diag_platform.sh
sudo chmod 755 mount/bin/log_diag_platform.sh
sudo umount mount
rmdir mount
sudo dd if=/dev/mtdblock0 of=files/data.bin bs=1

# update flash backup; conv=notrunc keeps the bytes outside each partition
mkdir -p out
cp -f backup.bin out/flash.bin
dd if=files/kernel.bin of=out/flash.bin bs=1 count=2097152 seek=327680 conv=notrunc
dd if=files/rootfs.bin of=out/flash.bin bs=1 count=7733248 seek=2424832 conv=notrunc
dd if=files/data.bin of=out/flash.bin bs=1 count=6488064 seek=10158080 conv=notrunc
dd if=files/vendor.bin of=out/flash.bin bs=1 count=131072 seek=16646144 conv=notrunc
  • Re-flash the modified backup: flashrom -p ch341a_spi -w out/flash.bin
  • Prepare the sdcard script:

/sdcard/override.sh

#!/bin/sh
main() {
  # start telnet
  /mnt/sdcard/busybox telnetd
}

if [ ! -f /tmp/.override ]; then
 touch /tmp/.override
 main
fi
  • Press the reset button (briefly) on the camera to launch the override script.

Hello. I finally found time to flash my camera. It flashed well, but there are two problems now:

1) The Xiaomi Mi Home app doesn't work with cameras on 3.5.1_0052 firmware. The app said "Establishing a safe connection... 20%", then "Couldn't open camera -10, try again later...".

I thought that my camera was initially on 3.5.1_0052 firmware, so I updated it in the Mi Home app. After the update to 4.0.9_0426 firmware it started to work fine in the Mi Home app.

So I re-flashed it again after the update, and I expected that in this case I'd have patched 4.0.9_0426 firmware. But after re-flashing it says again that I am on 3.5.1_0052 firmware. So it looks like the old version came from the tf_recovery.img in the instructions. Where can I find tf_recovery.img for 4.0.9_0426 firmware?

Is it possible not to use tf_recovery.img and to extract all the needed *.bin files (kernel.bin, rootfs.bin, data.bin) not from tf_recovery.img, but directly from backup.bin, which was uploaded (or, to speak as common users do, downloaded) from my camera with flashrom? I see that backup.bin and tf_recovery.img have different sizes...

[image: Couldn't open camera -10, try again later]

2) I placed https://busybox.net/downloads/binaries/1.31.0-defconfig-multiarch-musl/busybox-armv7l on the sdcard (copied in Windows 10), next to the override.sh file, but the camera doesn't respond to telnet (port 23).

KhArtNJava commented 3 years ago

OK, I figured it out and telnet is up now


#!/bin/bash
# stop on the first error so a half-built image is never flashed
set -e

# extract firmware partitions from the device's own flash backup
mkdir -p files
dd if=backup.bin of=files/kernel.bin bs=1 count=2097152 skip=327680
dd if=backup.bin of=files/rootfs.bin bs=1 count=7733248 skip=2424832
dd if=backup.bin of=files/data.bin bs=1 count=6488064 skip=10158080
dd if=backup.bin of=files/vendor.bin bs=1 count=131072 skip=16646144

# patch jffs2 partition: load it into a RAM-backed MTD device and mount it
sudo modprobe mtdblock
sudo modprobe mtdram total_size=6336
sudo dd if=files/data.bin of=/dev/mtdblock0 bs=1
mkdir -p mount
sudo mount -t jffs2 /dev/mtdblock0 mount
# make log_diag_platform.sh leave a marker on the sdcard, then run override.sh
echo '#!/bin/sh' | sudo tee -a mount/bin/log_diag_platform.sh
echo 'echo qqq >> /mnt/sdcard/qqq.txt' | sudo tee -a mount/bin/log_diag_platform.sh
echo '/mnt/sdcard/override.sh' | sudo tee -a mount/bin/log_diag_platform.sh
sudo chmod 755 mount/bin/log_diag_platform.sh
sudo umount mount
rmdir mount
sudo dd if=/dev/mtdblock0 of=files/data.bin bs=1

# update flash backup; conv=notrunc keeps the bytes outside each partition
mkdir -p out
cp -f backup.bin out/flash.bin
dd if=files/kernel.bin of=out/flash.bin bs=1 count=2097152 seek=327680 conv=notrunc
dd if=files/rootfs.bin of=out/flash.bin bs=1 count=7733248 seek=2424832 conv=notrunc
dd if=files/data.bin of=out/flash.bin bs=1 count=6488064 seek=10158080 conv=notrunc
dd if=files/vendor.bin of=out/flash.bin bs=1 count=131072 seek=16646144 conv=notrunc

# write the patched image back to the flash chip
sudo flashrom -p ch341a_spi -w out/flash.bin

Flash on my board is qh128a-104hip, it may be EN25QH128A datasheet.pdf

Update 2. Cool! RTSP is working now.
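
A check that can be run before `flashrom -w`, given the bricked cameras reported in this thread (added example, not code from the thread or from the project): it confirms that the partition offsets used by the dd commands above are consistent and reports which regions of out/flash.bin differ from backup.bin. The region label `unlisted@0` (bytes outside the four partitions) and the `allowed` parameter are names chosen for this example; the 16 MiB size and the offsets are the ones quoted in the thread.

```python
import hashlib
import sys

FLASH_SIZE = 16 * 1024 * 1024  # 16 MiB SPI flash, as reported in the thread

# (name, offset, size): the seek/count values of the dd commands in the thread
LAYOUT = [
    ("kernel", 327680, 2097152),
    ("rootfs", 2424832, 7733248),
    ("data", 10158080, 6488064),
    ("vendor", 16646144, 131072),
]


def check_layout(layout=LAYOUT, flash_size=FLASH_SIZE):
    """Return a list of layout problems (an empty list means consistent)."""
    problems = []
    end = None
    for name, off, size in sorted(layout, key=lambda p: p[1]):
        if end is not None and off < end:
            problems.append(f"{name} overlaps previous partition")
        if end is not None and off > end:
            problems.append(f"gap of {off - end} bytes before {name}")
        end = off + size
    if end != flash_size:
        problems.append(f"last partition ends at {end}, flash is {flash_size}")
    return problems


def regions(layout=LAYOUT, flash_size=FLASH_SIZE):
    """Yield (name, start, stop) for each partition and for bytes outside them."""
    cursor = 0
    for name, off, size in sorted(layout, key=lambda p: p[1]):
        if off > cursor:
            yield (f"unlisted@{cursor}", cursor, off)  # label is an assumption
        yield (name, off, off + size)
        cursor = off + size
    if cursor < flash_size:
        yield (f"unlisted@{cursor}", cursor, flash_size)


def verify_patch(original, patched, allowed=("data",)):
    """Return (changed, unexpected) region names; both images must be full size."""
    if len(original) != FLASH_SIZE or len(patched) != FLASH_SIZE:
        raise ValueError(f"image is not exactly {FLASH_SIZE} bytes")
    changed = [n for n, a, b in regions() if original[a:b] != patched[a:b]]
    unexpected = [n for n in changed if n not in allowed]
    return changed, unexpected


def region_hashes(image):
    """SHA-256 of every region, to keep alongside the backup."""
    return {n: hashlib.sha256(image[a:b]).hexdigest() for n, a, b in regions()}


def demo():
    """Constructed sample: a blank 16 MiB image with one edit inside 'data'."""
    original = bytes(FLASH_SIZE)
    patched = bytearray(original)
    patched[10158080 + 100] = 0x41  # stands in for the log_diag_platform.sh edit
    return verify_patch(original, bytes(patched))


if __name__ == "__main__":
    if len(sys.argv) == 3:  # arguments: backup.bin out/flash.bin
        with open(sys.argv[1], "rb") as f1, open(sys.argv[2], "rb") as f2:
            changed, unexpected = verify_patch(f1.read(), f2.read())
    else:
        changed, unexpected = demo()
    print("layout problems:", check_layout() or "none")
    print("changed regions:", changed)
    print("outside the expected set:", unexpected or "none")
    sys.exit(1 if unexpected else 0)
```

With the second script, which rebuilds everything from backup.bin, only `data` should change; with the first script, which takes kernel, rootfs and data from tf_recovery.img, call `verify_patch` with `allowed=("kernel", "rootfs", "data")`.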