telmomarques / xiaomi-360-1080p-hacks

Hacks for the Xiaomi Mi 360 1080p camera (MJSXJ02CM).

Strange situation with mjsxj09cm #74

Open KhArtNJava opened 3 years ago

KhArtNJava commented 3 years ago

Hello. I've already successfully started RTSP on the MJSXJ05CM ( https://github.com/telmomarques/xiaomi-360-1080p-hacks/issues/18#issuecomment-734339211 ) and now I am working on the mjsxj09cm.

I dumped the firmware from the camera with a CH341A to backup.bin.

My script is

#!/bin/bash
# Carve the partitions out of the SPI flash dump, patch the jffs2 data
# partition on a RAM-backed MTD device, and reassemble a flashable image.
set -e

# extract firmware (byte offsets/sizes; the partitions are contiguous)
mkdir -p files

dd if=backup.bin of=files/kernel.bin bs=1 count=2097152 skip=327680
dd if=backup.bin of=files/rootfs.bin bs=1 count=7733248 skip=2424832
dd if=backup.bin of=files/data.bin bs=1 count=6488064 skip=10158080
dd if=backup.bin of=files/vendor.bin bs=1 count=131072 skip=16646144

# patch jffs2 partition
# total_size is in KiB: 6488064 bytes = 6336 KiB. Assumes no other MTD
# device is present, so mtdram shows up as /dev/mtdblock0.
sudo modprobe mtdblock
sudo modprobe mtdram total_size=6336
sudo dd if=files/data.bin of=/dev/mtdblock0 bs=1
mkdir -p mount
sudo mount -t jffs2 /dev/mtdblock0 mount

# startup hook on the data partition that runs a script from the sdcard
echo '#!/bin/sh' | sudo tee -a mount/bin/log_diag_platform.sh

echo 'echo qqq >> /mnt/sdcard/qqq.txt' | sudo tee -a mount/bin/log_diag_platform.sh
echo '/mnt/sdcard/override.sh' | sudo tee -a mount/bin/log_diag_platform.sh

sudo chmod 755 mount/bin/log_diag_platform.sh

sudo umount mount
rmdir mount
# read the whole RAM MTD back (it is exactly the partition size)
sudo dd if=/dev/mtdblock0 of=files/data.bin bs=1
sudo rmmod mtdram

# update flash backup
# conv=notrunc is required: without it GNU dd truncates the output file at
# the seek offset before writing, so only contiguous in-order writes survive.
mkdir -p out
cp -f backup.bin out/flash.bin
dd if=files/kernel.bin of=out/flash.bin bs=1 count=2097152 seek=327680 conv=notrunc
dd if=files/rootfs.bin of=out/flash.bin bs=1 count=7733248 seek=2424832 conv=notrunc
dd if=files/data.bin of=out/flash.bin bs=1 count=6488064 seek=10158080 conv=notrunc
dd if=files/vendor.bin of=out/flash.bin bs=1 count=131072 seek=16646144 conv=notrunc

# write the reassembled image back with the CH341A programmer
sudo flashrom -p ch341a_spi -w out/flash.bin

The board of the mjsxj09cm is the same as the MJSXJ05CM board.


Here is a dump of it: backup.zip

The camera has a different authorisation flow in the Mi Home process: after the QR code it says, in Chinese, a randomly generated 4-digit password that you have to type into the Mi Home app. I used Google audio translate to understand those 4 digits.

The problem is that they have possibly changed something in the firmware, because it can't start *.sh files from the sdcard.

I specifically added the line `echo 'echo qqq >> /mnt/sdcard/qqq.txt' | sudo tee -a mount/bin/log_diag_platform.sh` to check that it can access the sdcard. As a result, /mnt/sdcard/qqq.txt was created with the text qqq, so it can access the sdcard.

But /mnt/sdcard/override.sh doesn't execute; in log/diagnosis.txt there is this error:

+ log_diag_platform.sh
/mnt/data/bin/log_diag_platform.sh: line 3: /mnt/sdcard/override.sh: not found

Log folder archive log.zip

override.sh

#!/bin/sh
# Called from the log_diag_platform.sh hook on the data partition.
main() {
  # start telnet using the busybox binary on the sdcard
  /mnt/sdcard/busybox telnetd
}

# the hook may run more than once per boot; the marker lives in /tmp (tmpfs),
# so it disappears on reboot and telnetd is started exactly once
if [ ! -f /tmp/.override ]; then
  touch /tmp/.override
  main
fi

Maybe they have locked execution of *.sh scripts on the sdcard? How do I make it run sh scripts?

And yeah, I checked many times: override.sh and busybox are on my sdcard, the sdcard is recognized in the Mi Home app in the camera settings, and the camera writes videos to it successfully. The same configuration works well on the MJSXJ05CM.

xrays72 commented 3 years ago

Hi Artur. Are you managing to get RTSP working on the mjsxj09cm?

KhArtNJava commented 3 years ago

Hi Artur. Are you managing to get RTSP working on the mjsxj09cm?

Haven't got to it yet, there was no time... I'll try to carve out some time in the next few days to build a frame grabber for ipc029.

xrays72 commented 3 years ago

Thanks, I'd really like to get RTSP from this camera, and if there were a firmware with the hack and a way to get this camera into home assistant, that would be a dream =)

wangshuo2020 commented 3 years ago

Hello bro, does rtsp work on the mjsxj09cm now?

cstrassburg commented 3 years ago

You have to change your script:

#!/bin/sh

# proof that the hook can write to the sdcard
echo qqq >> /mnt/sdcard/qqq.txt
# start the sdcard script in the background so the hook returns
exec /mnt/sdcard/override.sh &

You have to use exec because there is no x (execute) bit on the FAT file, and send it to the background with &.

cstrassburg commented 3 years ago

@KhArtNJava If you have already read out the flash chip, why don't you change the init.d scripts directly? You could add a hook or a call to telnetd / ssh inside the rootfs or the data jffs2 partition.

SubZero77 commented 2 years ago

Hi Artur. Are you managing to get RTSP working on the mjsxj09cm?

Haven't got to it yet, there was no time... I'll try to carve out some time in the next few days to build a frame grabber for ipc029.

Hi buddy! I'm ready to pay for hacking this camera. I bought 2 of them and realized it's a rip-off from Xiaomi. I want clean rtsp and onvif without any Chinese servers :) (I'm ready to pay 5,000 rubles for the hack)

nickthegreek commented 2 years ago

I assume you're using Windows to create the override script. You need to do an EOL conversion. If you use Notepad++ go to Edit -> EOL Conversion -> Unix (LF).

Alternatively run dos2unix -u override.sh
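The "not found" message in the diagnosis log is the shell reporting ENOENT from execve, and with a CRLF file the path the kernel actually tries is `/bin/sh\r`, not `/bin/sh`. The Python below is an added example (not code from this thread or the project) that models how the kernel's binfmt_script handler reads the `#!` line, diagnoses a script the way the two replies above discuss (the exec-bit one and the EOL one), and applies the dos2unix fix. The script bodies and the `CAMERA_FILES` set of paths assumed to exist on the camera are constructed for the example. Note that on a vfat mount the execute bit is not stored per file but comes from the mount options, so it is not what produces this particular error.

```python
"""Why a CRLF override.sh on the SD card fails with "not found".

Added example, not code from the thread. Mimics the Linux binfmt_script
parsing of the #! line; CAMERA_FILES and the sample scripts are assumptions.
"""

# assumed set of executables present on the camera
CAMERA_FILES = {b"/bin/sh", b"/bin/busybox", b"/mnt/sdcard/busybox"}
BINPRM_BUF_SIZE = 256  # the kernel inspects at most this many header bytes


def kernel_interpreter(content: bytes):
    """Interpreter path the kernel would execve for this script, or None.

    binfmt_script takes the first line (up to '\\n' within the first 256
    bytes), strips trailing spaces/tabs, and takes the first token after
    '#!'. '\\r' is not whitespace to it, so "sh\\r\\n" yields b'/bin/sh\\r'."""
    if not content.startswith(b"#!"):
        return None
    line = content[2:BINPRM_BUF_SIZE].split(b"\n", 1)[0]
    line = line.rstrip(b" \t").lstrip(b" \t")
    interp = line.split(b" ", 1)[0].split(b"\t", 1)[0]
    return interp or None


def diagnose(content: bytes, present=CAMERA_FILES):
    """Human-readable reasons why running `/path/script.sh` would fail."""
    issues = []
    interp = kernel_interpreter(content)
    if interp is None:
        issues.append("no #! line: execve gives ENOEXEC; a POSIX shell then "
                      "interprets the file itself")
        return issues
    if interp.endswith(b"\r"):
        issues.append("CRLF line endings: kernel looks for %r, gets ENOENT, "
                      "and the shell prints '<script>: not found'" % interp)
    elif interp not in present:
        issues.append("interpreter %r is not on the camera (ENOENT)" % interp)
    if b"\r" in content and not interp.endswith(b"\r"):
        issues.append("stray '\\r' in the body: commands will fail with 'not found' too")
    return issues


def to_unix(content: bytes) -> bytes:
    """Equivalent of dos2unix: CRLF -> LF."""
    return content.replace(b"\r\n", b"\n")


if __name__ == "__main__":
    # constructed: the override.sh from the issue as a Windows editor saves it
    crlf_script = b"#!/bin/sh\r\nmain() {\r\n  /mnt/sdcard/busybox telnetd\r\n}\r\nmain\r\n"
    print(kernel_interpreter(crlf_script))
    for issue in diagnose(crlf_script):
        print("-", issue)
    print(diagnose(to_unix(crlf_script)))
```

`to_unix()` is what `dos2unix` does; after it the interpreter resolves to `/bin/sh` and `diagnose()` returns an empty list. The same parser also explains why a script whose interpreter is absent from the target (for example `#!/usr/bin/env bash` on a BusyBox root) fails with an identical-looking error.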

dpolyakov commented 2 years ago

@KhArtNJava this link may be help https://github.com/SungurLabs/sungurlabs.github.io/blob/6043366d497943e0a246a6a420ba8fb2adfcef31/_posts/2021-07-14-Xiaomi-Smart-Camera---Recovering-Firmware-and-Backdooring.md

SuperJack1967 commented 2 years ago

Hi Artur, do you have any news on your work with RTSP on the MJSXJ05CM?

usehelloworld commented 2 years ago

MJSXJ09CM.zip (framegrabber from ipc019, see https://github.com/telmomarques/xiaomi-360-1080p-hacks/issues/18#issuecomment-774597146 and https://github.com/telmomarques/xiaomi-360-1080p-hacks/files/5938292/MJSXJ05CM.zip)

Hello, I'm now running the MJSXJ09CM with the following steps:

  1. Connect to the serial console
  2. boot with:
    setenv bootargs console=ttyS0,115200 root=/dev/mtdblock2 rootfstype=squashfs ro init=/bin/sh LX_MEM=0x3fe0000 mma_heap=mma_heap_name0,miu=0,sz=0x1400000 mma_memblock_remove=1
    sf probe 0;sf read 0x22000000 ${sf_kernel_start} ${sf_kernel_size};bootm 0x22000000
  3. mount the data partition: mount -t jffs2 /dev/mtdblock3 /tmp
  4. create custom_startup.sh and update wpa_event.sh (in the data partition's bin/, which is /tmp/bin while it is mounted on /tmp)
    cd /tmp/bin
    # custom_startup.sh: telnetd plus the framegrabber -> rtspserver pipeline
    echo "#!/bin/sh" >custom_startup.sh
    echo "/mnt/sdcard/busybox-armv7l telnetd &" >>custom_startup.sh
    echo "mkfifo /tmp/f" >>custom_startup.sh
    echo "mkfifo /tmp/s" >>custom_startup.sh
    echo "/mnt/data/bin/framegrabber -f /tmp/f -c 0 >/dev/null 2>&1 &" >>custom_startup.sh
    echo "/mnt/data/bin/framegrabber -f /tmp/s -c 1 >/dev/null 2>&1 &" >>custom_startup.sh
    echo "/mnt/data/bin/rtspserver -m /tmp/f -s /tmp/s -c /mnt/data/bin/config.json >/dev/null 2>&1 &" >>custom_startup.sh
    chmod +x custom_startup.sh
    # wpa_event.sh: hook that starts the pipeline once wifi reports CONNECTED
    # (\$PID is escaped so it expands when the hook runs, not while writing it)
    echo "#!/bin/sh"> wpa_event.sh
    echo "">> wpa_event.sh
    echo "case \"\$2\" in">> wpa_event.sh
    echo "    CONNECTED)">> wpa_event.sh
    echo "        pidof framegrabber && echo \"running fg\" || /mnt/data/bin/custom_startup.sh">> wpa_event.sh
    echo "        PID=\`/bin/pidof udhcpc\`;">> wpa_event.sh
    echo "        /bin/kill -SIGUSR1 \$PID;">> wpa_event.sh
    echo "        ;;">> wpa_event.sh
    echo "    DISCONNECTED)">> wpa_event.sh
    echo "        ;;">> wpa_event.sh
    echo "esac">> wpa_event.sh
    chmod +x wpa_event.sh
  5. delete the sound files (cn, hk, en) to get some free space; keep only en/error and link everything to it
    
    # Same effect as removing every prompt by hand: in hk/ and cn/ every
    # prompt becomes a symlink to ../en/error; in en/ everything except
    # error becomes a symlink to error.
    SOUNDS="5GHz_wifi_supported alarm1 alarm2 alarm3 binding_fail binding_success booting connecting_pease_wait ding error numb_eight numb_five numb_four numb_nine numb_one numb_seven numb_six numb_three numb_two numb_zero ota pincode_input pincode_supported1 pincode_supported2 qrcode_success qrcode_supported reset_success waiting_connection wifi_connected wlan_passwd_err"
    for lang in hk cn; do
        cd /tmp/sound/$lang
        for f in $SOUNDS; do
            rm -f "$f"
            ln -s ../en/error "$f"
        done
    done
    cd /tmp/sound/en
    for f in $SOUNDS; do
        [ "$f" = error ] && continue
        rm -f "$f"
        ln -s error "$f"
    done

  6. unmount the partition
    cd /
    umount /tmp
  7. copy the files to the sdcard root
  8. insert the sdcard into the camera
  9. reboot - disconnect power, connect power
  10. now telnet should be running, so we can connect
  11. copy the files [framegrabber, rtspserver, config.json] from the sdcard to /mnt/data/bin
    cp /mnt/sdcard/framegrabber /mnt/data/bin/
    cp /mnt/sdcard/rtspserver /mnt/data/bin/
    cp /mnt/sdcard/config.json /mnt/data/bin/
  12. reboot - disconnect power, connect power
  13. the rtsp stream should start at rtsp://<IP_ADDR>:8554/mainstream

Any idea how to compile framegrabber from source? I tried to compile/cross-compile it but without success (either it cannot be compiled, or if it compiles then it does not run on the camera).

valentinbaud commented 2 years ago

Hello! Do you have any update on this issue? Maybe consider doing a fork like for the mjsxj05cm. BR

WooDeNDark commented 2 years ago

Same problem. There is very little left, but here it is =(

darkfuncat commented 2 years ago

Hi all, I recently bought an MJSXJ09CM and custom firmware seems to be the only way to use this cam (I don't want Chinese servers). I understand that there is a way to hack it with a serial-wired, disassembled camera, but is it possible to hack/flash the camera only via sdcard? I successfully hacked an old MJSXJ02HL with another project (full root access with only an sdcard flash), but this model is much better. Many thanks!

chicaneau commented 2 years ago

@usehelloworld how did you connect the camera to your wifi? There doesn't appear to be anywhere to configure the SSID and password. For some reason mine wouldn't connect with Mi Home, hence trying to use a custom solution. I have shell access over UART and managed to run your command sequence above, however no wifi makes it kind of useless.

Cheers

mrpg99 commented 2 years ago

Would love to get onvif / rtsp support on the mjsxj09cm model; is it possible with some form of sdcard hack?

moreni57 commented 1 year ago

Does anyone have a solution for the RTSP hack on the MJSXJ09CM?

M4K14 commented 1 year ago

@usehelloworld I formatted the sd-card as a FAT partition and then copied your 6 files into the root of it. I unplugged the MJSXJ09CM camera and inserted the sd-card. Then I plugged it into power again and tried `telnet local_ip 80`, but it rejected the telnet. I use Windows 10; telnet is enabled and usable on the machine. I used two different sd-cards with no luck. Any idea how I can solve this issue?

r-science commented 1 year ago

@usehelloworld I formatted the sd-card as a FAT partition and then copied your 6 files into the root of it. I unplugged the MJSXJ09CM camera and inserted the sd-card. Then I plugged it into power again and tried `telnet local_ip 80`, but it rejected the telnet. I use Windows 10; telnet is enabled and usable on the machine. I used two different sd-cards with no luck. Any idea how I can solve this issue?

@Agha-Shadi remember to "cd /tmp/bin" before step 4 of usehelloworld's tutorial :)

glemag commented 1 year ago

Can't get this camera to HA, any updates?

geldelo commented 1 year ago

Can't get this camera to HA, any updates?

There is no working option for integrating it into HA. The only solution is RTSP, suggested above by usehelloworld, but I haven't tried it, and it requires soldering...

geldelo commented 1 year ago

https://github.com/hacefresko/Xiaomi-Mi-360-UART-shell

ARMarchetti commented 9 months ago

Hi. Not sure if this project is complete and whether you managed to get this working for the MJSXJ09CM. If so, please can you help me get the RTSP hack on my cameras? Sorry, I am a NOOB at this, so any help would be appreciated.

nik-prostok commented 8 months ago

https://github.com/hatsujouki/xiaomi-camera-MJSXJ09CM-hack