Hack for the new camera - mijia v3 / Basic 1080p #55

Open
vitoo opened this issue Sep 4, 2018 · 121 comments

@vitoo

vitoo commented Sep 4, 2018

Hello,

here is a new xiaomi camera
it's called mijia-1080P basic / mijia V3. It had a white back.

image

How can we build a firmware compatible for this camera ?
Is it hard ?

Thanks for your help

@vitoo vitoo changed the title Hack for the new camera Hack for the new camera - mijia v3 / Basic 1080p Sep 4, 2018
@llimz

llimz commented Sep 5, 2018

I'm also very interested in this topic. I can't get an old version anymore.

@gbarral

gbarral commented Sep 7, 2018

Same problem for me.
Impossible to downgrade firmware on my mijia with white back.

Thx for help :-)

@jnsw

jnsw commented Sep 11, 2018

see EliasKotlyar/Xiaomi-Dafang-Hacks#624

they are still trying

@vitoo
Author

vitoo commented Sep 11, 2018

It may take months 😃

It's a cheap camera, many hackers will try it

@jnsw

jnsw commented Sep 12, 2018

@vitoo hopefully 😃

@Snotmann

You can downgrade the cam with https://github.com/EliasKotlyar/Xiaomi-Dafang-Hacks/files/2320611/tf_recovery.for.SXJ02ZM.All.White.Xiaomi.1080P.smart.cam.zip and these files on root of sd card https://github.com/Filipowicz251/mijia-1080P-hacks/releases/download/0.8.7/release0.8.7.zip

... but there was no SSH server launched or anything like that ... don't know what happened or what to do

@jnsw

jnsw commented Sep 13, 2018

@Snotmann the 0.8.7 was released in March, so I don't think it will work with the all new full white camera

@willthrom
Collaborator

@Snotmann @seewaldjan it will not work basically because the recovery of the V3 is already patched with the security flaws I found a year ago.

What you could do is try to use the tf_recovery from the V2 and check if the camera starts.

The camera sensor might not work BUT if you can go to Mi App and upgrade the camera from there to whatever version is the latest for the V3, then there is a possibility we can hack that camera too.

@willthrom
Collaborator

Forget it... it seems the architecture is different.. I need to take a look but it seems so:

V3:

```
DECIMAL       HEXADECIMAL     DESCRIPTION
0             0x0             uImage header, header size: 64 bytes, header CRC: 0x3E8652CA, created: 2018-06-30 07:40:51, image size: 2240049 bytes, Data Address: 0x80010000, Entry Point: 0x80380060, data CRC: 0x6BAB1A28, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: gzip, image name: "Linux-3.10.14"
64            0x40            gzip compressed data, maximum compression, from Unix, NULL date (1970-01-01 00:00:00)
2621440       0x280000        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 4484222 bytes, 1916 inodes, blocksize: 131072 bytes, created: 2018-06-30 07:42:42
9895936       0x970000        JFFS2 filesystem, little endian
```

v2:

```
DECIMAL       HEXADECIMAL     DESCRIPTION
0             0x0             uImage header, header size: 64 bytes, header CRC: 0xF8DB532E, created: 2017-08-03 05:49:01, image size: 1909344 bytes, Data Address: 0x8000, Entry Point: 0x8000, data CRC: 0x4A5C7510, OS: Linux, CPU: ARM, image type: OS Kernel Image, compression type: none, image name: "Linux-3.3.0"
18164         0x46F4          gzip compressed data, maximum compression, from Unix, NULL date (1970-01-01 00:00:00)
2752512       0x2A0000        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 8932790 bytes, 1304 inodes, blocksize: 131072 bytes, created: 2017-08-03 05:51:01
13238272      0xCA0000        JFFS2 filesystem, little endian
```
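
The two listings differ in the uImage CPU field (MIPS on the V3, ARM on the V2), which is the architecture difference noted in the comment above. As an added example (not code from this thread or from the project), the following parses the 64-byte legacy uImage header, checks its header CRC and compares the architecture of two images; the sample headers are constructed from the field values in the listings, and `same_platform` and `build_header` are illustrative names.

```python
import struct
import zlib

UIMAGE_MAGIC = 0x27051956
# Field layout of the 64-byte legacy U-Boot image header (all big-endian).
HEADER = struct.Struct(">7I4B32s")
ARCH = {2: "ARM", 5: "MIPS"}            # subset of U-Boot IH_ARCH_* values
COMP = {0: "none", 1: "gzip", 2: "bzip2", 3: "lzma"}

def parse_uimage(blob):
    """Parse and validate a legacy uImage header at the start of blob."""
    if len(blob) < HEADER.size:
        raise ValueError("truncated header")
    (magic, hcrc, ctime, size, load, entry, dcrc,
     os_id, arch, img_type, comp, name) = HEADER.unpack_from(blob)
    if magic != UIMAGE_MAGIC:
        raise ValueError("not a uImage header")
    # The header CRC is computed with the hcrc field itself zeroed.
    zeroed = blob[:4] + b"\x00" * 4 + blob[8:HEADER.size]
    if zlib.crc32(zeroed) & 0xFFFFFFFF != hcrc:
        raise ValueError("header CRC mismatch")
    return {
        "arch": ARCH.get(arch, "other(%d)" % arch),
        "comp": COMP.get(comp, "other(%d)" % comp),
        "load": load, "entry": entry, "size": size,
        "name": name.split(b"\x00", 1)[0].decode("ascii", "replace"),
    }

def same_platform(a, b):
    """True only if both kernels target the same CPU architecture."""
    return parse_uimage(a)["arch"] == parse_uimage(b)["arch"]

def build_header(arch, comp, load, entry, size, name):
    """Build a constructed sample header (no payload, data CRC left 0)."""
    raw = HEADER.pack(UIMAGE_MAGIC, 0, 0, size, load, entry, 0,
                      5, arch, 2, comp, name.encode())  # OS=Linux, type=kernel
    hcrc = zlib.crc32(raw) & 0xFFFFFFFF
    return raw[:4] + struct.pack(">I", hcrc) + raw[8:]

# Constructed samples that reuse the field values from the two listings above.
V3 = build_header(5, 1, 0x80010000, 0x80380060, 2240049, "Linux-3.10.14")
V2 = build_header(2, 0, 0x8000, 0x8000, 1909344, "Linux-3.3.0")

if __name__ == "__main__":
    for label, img in (("V3", V3), ("V2", V2)):
        print(label, parse_uimage(img))
    print("same platform:", same_platform(V3, V2))
```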

@gregou2007

Hello, any news? The V3 is still not hackable to get an RTSP flow or to view the camera with a computer?

@jaaperror

Also hoping for updates. Hope there is something I can do to help

@liaanvdm

liaanvdm commented Oct 4, 2018

Has anyone tried this approach on these V3 cameras?

https://github.com/miguelangel-nubla/videoP2Proxy

@gregou2007

Not tried, but I don't really understand how to make it work on a MacBook?

@hmajed

hmajed commented Oct 17, 2018

The v3 contains validation based on RSA

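```sh
# The $ft_* and $sd_mountdir variables are not defined in this excerpt.
try_ft_mode()
{
    # ft mode is only attempted when both the zip and ft/secret.bin exist.
    if [ -f $ft_files_zip ] && [ -f $sd_mountdir/ft/secret.bin ];then
        mkdir -p $ft_running_dir
        # Decrypt secret.bin from the SD card into md5.sum using the key file.
        $ft_decrypt $sd_mountdir/ft/secret.bin $ft_running_dir/md5.sum $ft_securekey_file
        # Unpack and run ft_boot.sh only if the decrypted checksums verify.
        if md5sum -cs $ft_running_dir/md5.sum;then
            unzip $ft_files_zip -q -d $ft_running_dir
            chmod -R 755 $ft_running_dir
            ft_mode=`cat /proc/ft_mode`
            if [ "$ft_mode" == "" ];then
                ft_mode=0
            fi
            $ft_running_dir/ft_boot.sh ${ft_mode} ${ft_running_dir}
            return $?
        else
            echo "check fail"
        fi
    else
        echo "ignore ft mode"
    fi
    return 1
}
```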

@gbarral

gbarral commented Oct 30, 2018

Hi, I tried this tf_recovery.img with the hack https://github.com/Filipowicz251/mijia-1080P-hacks. The tf_recovery seems to work because the camera downgraded (3.4.4_0039) but the tools are not installed. Impossible to connect using SSH. I can update to 3.4.5_0046 with mi-home but it is impossible to activate RTSP.

If anybody has an idea :-)

@joelhaasnoot

> Has anyone tried this approach on these V3 cameras?
>
> https://github.com/miguelangel-nubla/videoP2Proxy

This doesn't work unfortunately, the camera doesn't respond to the "get_ipcprop" command that's needed to get the stream running

@mgx0

mgx0 commented Dec 6, 2018

any news on this?

@Sender76

Sender76 commented Dec 6, 2018 via email

@Sender76

Sender76 commented Dec 6, 2018 via email

@mgx0

mgx0 commented Dec 6, 2018

I want RTSP and I don't want any cloud service. Looks like I have a camera for sale now ... it speaks chinese, does not allow you to set your own country and is useless without cloud service where god knows who is watching your streams. thanks a lot, it's for sale

@Knuppel1983

Same here. Hack does not work with the new model. I’m not leaving it on cloud service because the camera is in my living room. Wanted to use it to watch the dogs, but the idea of someone else watching my family is enough to leave it unplugged. Shame Xiaomi does not add local support.

@Knuppel1983

For reference, i have the snowman version with white back, 1080p PTZ.

@Sender76

Sender76 commented Dec 7, 2018 via email

@axlerose

Is there any news?

@anmaped

anmaped commented Dec 14, 2018

It is working with openfang; check it out in openfang. A modified bootloader was compiled for this purpose but we need to open the camera and program it manually. We will check if we can surpass some protection to upload the new firmware.

@mgx0

mgx0 commented Dec 14, 2018

I have no problem to program the camera via serial

two questions:

  • do you have some pictures how to open the camera without breaking it please?
  • could you please paste here a link to a file to be programmed to camera please?

thanks

@axlerose

axlerose commented Jan 1, 2019

any news?

@marcotuna

marcotuna commented Jan 5, 2019

I opened mine today. How to connect to the PC? Via an USB to UART? What are the pinouts?

img_20190105_141255

img_20190105_144301

I found this manual:
https://www.winbond.com/resource-files/w25q128jv%20revf%2003272018%20plus.pdf

@mrhang22

After reprogramming the LED no longer lights up. The file is only 236kB while the original file is 16MB.

The end of the memory must be at FF?

@pablo-tx

pablo-tx commented Apr 3, 2019

@mrhang22 The same happened to me, after that I've compiled the last version and it works now.

Here you go, the bin and the rootfs: https://mega.nz/#F!0xtVSayS!DxZawSANY2IIXhypJG_UJQ

@mgx0

mgx0 commented Apr 4, 2019

So following the guide will be enough to get this done?

@pablo-tx

pablo-tx commented Apr 4, 2019

@mgx0 yes, I can confirm it works, but I think it needs some changes:

  1. I didn't need to de-solder anything, just using the clamp was enough to flash.
  2. The guide says to go to releases page and flash the last version, but that one (rc5) isn't working with this camera, you have to compile yourself or use the files I shared above.

@pcmester

pcmester commented Apr 5, 2019

Could somebody make a guide how to flash the chip with a Raspberry Pi?

@mgx0

mgx0 commented Apr 5, 2019

@pablo-tx perfect, thanks. I'm waiting for my programmer to arrive and then I'll do it. I'll post my results here. Good job folks!

@therosss

therosss commented Apr 5, 2019

@pablo-tx this is a random thing with desoldering a leg or not. I had a few cams and I had to desolder the vcc leg. Regarding the release, I was hoping that @anmaped would release a rc for people to get started at least to be able to flash their ICs. This didn't happen yet.

Feel free to push a guide refinement about this :)

@jesperrix

I also had to desolder the vcc leg and compile it myself. But mine seems a little buggy, I can't get the sound on the RTSP feed working nor the IR LEDs for night vision. Are yours working?

@pablo-tx

pablo-tx commented Apr 7, 2019

@jesperrix I can activate the led from the web interface pressing OFF, if I press ON nothing happens, also most of the options don't work very well and don't persist across reboots.
I will try to fix it and send a pull request

About the sound, I couldn't make it work.

@mgx0

mgx0 commented Apr 8, 2019

proud to say a successful flash! Had to desolder the leg too. Please update the last lighthttpd start, it's S50lighthttpd.

Now, the camera is freezing, dropping connections, some controls are reverse (for example blue and yellow light are the opposite). I guess we have to report that to Openfang thread, right?

@Routout

Routout commented Apr 19, 2019

So has someone got this working properly with the new mijia 1080p camera? Just opened mine, but not certain if I should even bother to try if big problems persist.

@therosss

Please read the thread (Last 30 Posts) ....
You will find your answer

@mgx0

mgx0 commented Apr 20, 2019

well, I erased section 2860 from nvram :D is there anyone who can show me what it contains? I'd like to set it back ... I was trying to find IR and IRCUT pins but did a typo and the 2860 is gone :D

@mgx0

mgx0 commented Apr 20, 2019

anyone? please paste the output of "nvram show" here 😄 there are still incorrect pins but still I'd like to get it back

@mckebabs

> Please read the thread (Last 30 Posts) ....
> You will find your answer

Maybe I'm missing something but I don't see anybody saying anything beside successful flashing.
Maybe you know how much of a functionality of e.g. V2 hack is supported? All/some/the camera is unstable and you shouldn't hack it for "production" use?

@martin-schlossarek

Do I have to re-solder the vcc leg again if I want to start the camera?

@mgx0

mgx0 commented Apr 28, 2019

@martin-schlossarek yes you have to connect it again. Just use some thin wire, don't bend the leg back. Just in case you need to desolder it again

@pascalsaul

Reprogramming was successful but also no LED activity. I did notice some short circuit when detaching the SOC cable with a detached and isolated VCC.... Looks like a bricked one now where the DC supply is faulty...

@anmaped

anmaped commented May 5, 2019

@alexxus This thread was closed, please report your problems in https://github.com/anmaped/openfang/issues and please follow the rules in https://github.com/anmaped/openfang/

@none815

none815 commented Dec 31, 2019

> @pablo-tx this is a random thing with desoldering a leg or not. I had a few cams and I had to desolder the vcc leg. Regarding the release, I was hoping that @anmaped would release a rc for people to get started at least to be able to flash their ICs. This didn't happen yet.

This might have something to do with the voltage supply, if the drop-off is significant enough it won't be able to start the device but could be sufficient to (only) power the flash ic.

Edit:
I got it working by dropping HOLD (pin 7) and VCC (pin 8), this can be done with some dupont wires:
1

@ciB89

ciB89 commented Jan 29, 2020

Is this still under development? I feel like Dafang is making a lot of progress and the promised RC6 has still not been published. A lot of stuff seems not to be working properly.

@eteixido1

> > @pablo-tx this is a random thing with desoldering a leg or not. I had a few cams and I had to desolder the vcc leg. Regarding the release, I was hoping that @anmaped would release a rc for people to get started at least to be able to flash their ICs. This didn't happen yet.
>
> This might have something to do with the voltage supply, if the drop-off is significant enough it won't be able to start the device but could be sufficient to (only) power the flash ic.
>
> Edit:
> I got it working by dropping HOLD (pin 7) and VCC (pin 8), this can be done with some dupont wires:
> 1

Hello, could you please verify if desoldering is not needed anymore? If we use dupont male to female between the clamp and the first clamp-base, do we need the second base to do the bridge?
c341a_clamp

@jlazkano

Hello,

I opened the camera and connected the programmer, the green LED (RUN) is ON on the programmer, but this is the output:

```
# flashrom --programmer ch341a_spi -r backup.bin
flashrom  on Linux 4.19.0-8-amd64 (x86_64)
flashrom is free software, get the source code at https://flashrom.org

Using clock_gettime for delay loops (clk_id: 1, resolution: 1ns).
No EEPROM/flash device found.
Note: flashrom can never write if the flash chip isn't found automatically.
```

Do I need to desolder any leg of the chip?

IMG_20200426_000940

Thank you very much.

@73331

73331 commented Dec 13, 2020

> Do I need to desolder any leg of the chip?

@jlazkano You should desolder leg 8 according to these instructions:
https://github.com/anmaped/openfang/blob/master/doc/SXJ02ZM/SXJ02ZM_instructions.md

Did you manage to get this firmware working?
I have the same camera, but don't have that clip for SOT8...

@73331 73331 mentioned this issue Dec 13, 2020
@cstrassburg

I think this is not necessary, because you can upload a modified firmware from a SD card through u-boot and a serial connection.

@Geza60

Geza60 commented Feb 4, 2023

IMG_20230204_180816

Hello Guys,
I have a camera with ripped traces and 2 missing resistors. Could somebody be a hero and measure those 2 missing resistors? I can't find any boardview or schematics for this camera.

Thank you in advance.

@youpgao

youpgao commented Mar 6, 2023

2 resis

@NOYB4Europe

@youpgao: You are a hero! Thank you! I flicked mine off too and then even found it on the floor, but grilled it in the attempt to put it back on. :-(
Is that a size 0402?
