New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support DaFang? #234

Open
jejer opened this Issue Oct 10, 2017 · 229 comments

Comments

Projects
None yet
@jejer

jejer commented Oct 10, 2017

Hi,

Will you support DaFang?
I want to use RTSP directly without MiHome.

Thanks!

@samtap

This comment has been minimized.

Owner

samtap commented Oct 10, 2017

I'm looking into it. I have one, and succeeded in getting serial console access. I've also intercepted a firmware update, but it's only a partial update not a complete firmware image.

Unfortunately it doesn't share any of the hardware components with XiaoFang. It is MIPS based instead of ARM, and has a different SoC. There don't appear to be many security provisions though (i.e. no signing like on Mijia1080p). It runs a telnetd on boot, which get killed immediately when Xiaomi software is started, so I don't have a simple 'jailbreak' method yet that doesn't require getting serial console access.

Any help or info is appreciated!

@samtap samtap added the help wanted label Oct 10, 2017

@ykhandler

This comment has been minimized.

ykhandler commented Oct 10, 2017

Try creating script in /etc/init.d
Ex: S07service
Contains:
#!/bin/sh

busybox telnetd &

@samtap

This comment has been minimized.

Owner

samtap commented Oct 10, 2017

Sure, how do I create that without having serial console? ;-)

@ykhandler

This comment has been minimized.

ykhandler commented Oct 10, 2017

"I have one, and succeeded in getting serial console access", i thought you already have serial console access. Please share the firmware update file, maybe it has a clue.

@samtap

This comment has been minimized.

Owner

samtap commented Oct 10, 2017

I have serial console access but you can't expect regular users to take it apart and solder wires to the pcb.

We need to find something like the snx_autorun.sh trick in the older XiaoFang firmware. But the DaFang doesn't appear to use any scripts for mounting, same as on latest XiaoFang firmware they've integrated mounting into their executable instead of handling it using regular hotplug kernel facilities.

@ykhandler

This comment has been minimized.

ykhandler commented Oct 10, 2017

I see... may be someday i'll buy this camera and take a look of it...

@robinson4

This comment has been minimized.

robinson4 commented Oct 13, 2017

I just got one of these. I'm keen to get basic RTSP or even still image capabilities as well as GET requests to control PTZ functions.

I'm happy to help out with device testing etc. I have FTDI gear also.

@EliasKotlyar

This comment has been minimized.

EliasKotlyar commented Oct 15, 2017

@samtap: Could you please provide a picture of the Pins on the Board? Will get my DaFang soon and want to try to investigate some details about the hardware.

@jimmyktp

This comment has been minimized.

jimmyktp commented Oct 17, 2017

One of the reviews out there. https://www.youtube.com/watch?v=nDdnphZF6Cw

Seems like some function is not working. Currently, the latest firmware is 5.5.1.177, anyone tried that? I dare not to update the original firmware as I'm worried it might get shittier.

@EliasKotlyar

This comment has been minimized.

EliasKotlyar commented Oct 20, 2017

Hello everyone,

Today i got mine. I havent managed to connect it yet, but have made a teardown. I collected all the informations in a new Repository.
https://github.com/EliasKotlyar/Xiaomi-Dafang-Teardown

Feel free to contribute any information about the dafang.

Greatings,
Elias

@samtap

This comment has been minimized.

Owner

samtap commented Oct 20, 2017

Did you get a serial console? The pads are visible here https://github.com/EliasKotlyar/Xiaomi-Dafang-Teardown/blob/master/teardown/mainboard3.jpg on the side of the board you can easily add a header for gnd, rx, tx and route some wires through the bottom of the cam.

@EliasKotlyar

This comment has been minimized.

EliasKotlyar commented Oct 20, 2017

Hello samtap,

Havent tried the serial connection yet. I need to get a FTDI-Adapter to try it out, and i will get it hopefully soon.

I just want to clarify about the serial connection:

Is the order of the Pins correct?
https://github.com/EliasKotlyar/Xiaomi-Dafang-Teardown/blob/master/teardown/headers_sample.jpg

Could you please explain which bitrate and voltage you have used? I assume it is:
115200 Bits and 5V.

Also i found out that there are some ports open which can be used to control this device. Will try MitM if i have time. Maybe we can control it using simple commands.

Greatings
Elias

@samtap

This comment has been minimized.

Owner

samtap commented Oct 21, 2017

Yes 115200, the level is 3.3V, I don't remember order of tx and rx pins but you can just switch them when it doesn't work ;)

@beikeland

This comment has been minimized.

beikeland commented Oct 21, 2017

Would it be feasible to add a bluethooth serial module and find 3.3V on the board to avoid having to run wires. Anyone identified a 3.3V pad?

I'll gladly add serial headers - FTDI / Bluetooth to help test stuff when I get mine.

@EliasKotlyar

This comment has been minimized.

EliasKotlyar commented Oct 21, 2017

Hello everyone,

I managed to get a FTDI with 3.3V and got a connection to the uboot. I have documented my way in my Repository.

Here is a bootlog of the device:
https://github.com/EliasKotlyar/Xiaomi-Dafang-Teardown/blob/master/mod_serial/booting.txt

Will try to dump the firmware soon/get a Telnet running. Any tips on that @samtap ?

@beikeland : It should work, there are a lot of 3.3V pads inside. Have a look on my solution - I just drilled a hole and routed some wires inside.

Greatings
Elias

@Kadalia

This comment has been minimized.

Kadalia commented Oct 21, 2017

Hello,
I've just received a couple of Dafang ... unable to use then !
Read some forum comments, it seems that these cams are dedicated to china market :-(
definitively need a hack :-)
Go Elias Go !
I dont know how to help you .... so if I can do something for you, then just ask !
Thank you,
Philippe

@samtap

This comment has been minimized.

Owner

samtap commented Oct 21, 2017

If you disconnect flatcable to the sensor pcb, iCamera doesn't start since the sensor chip is missing, and you can see telnetd is running. It is killed by iCamera when it starts.

@nateinaus

This comment has been minimized.

nateinaus commented Oct 22, 2017

Hi, new to github so im not sure if sharing a file this way will work. I just received one of these and it turned up dead, I managed to track down the firmware from a guy on youtube. Not sure if its the full thing or not but it seemed to work for him. My camera doesn't even light up at all. The board is getting power and it warms up but nothing else. Hope this helps.
demo_5.5.1.194.zip

@EliasKotlyar

This comment has been minimized.

EliasKotlyar commented Oct 22, 2017

Hello everyone,

I have several interesting news:

  1. I have dumped the firmware and uploaded it here for further investigations.
  2. There is some code in the bootloader (u-boot) which can make an whole update from the microsd. Unfortunately , i was not able to find out how to trigger it. Maybe someone can have a look? It starts with "jiabo":
    jiabo_do_auto_update!!!!!!!!!!!!!!!!!!!!!!!!
    jiabo_au_check_cksum_valid!!!!!!!!!!!!!!!!!!!!!!!!
    jiabo_update_to_flash!!!!!!!!!!!!!!!!!!!!!!!!
    jiabo_au_do_update!!!!!!!!!!!!!!!!!!!!!!!!
    jiabo_idx=%d
    jiabo_start=%x,jiabo_len=%x

I tried the binary from @nateinaus , but this code dont see it.
@nateinaus : Can you please tell us the video of this guy on youtube?
@ALL: Could someone please ask Xiaomi if they can pass us the source of the u-boot? Its GPL, so they have to. I know there is little chance that they will do it, but we still can try.

  1. I have managed to crosscompile a dropbear server, but i cannot login. Its always says that it cannot find my user:
    TRACE (176) 29.525551: enter checkusername
    TRACE (176) 29.525586: leave checkusername: user 'root' doesn't exist

I dont see any error. Maybe someone can check?

Here is my build of the Dropbear:
https://github.com/EliasKotlyar/Dropbear-Dafang

Greating
Elias

@Kadalia

This comment has been minimized.

Kadalia commented Oct 22, 2017

Hello,
I have "chat" with Xiaomi US team, they told me that Dafang was not yet available in US ... So they can't help me, and suggest me to mail to service.global@xiaomi.com.
Done ... wait for the source code of u-boot :-)
Very little chance .... but who knows !
Philippe

@nateinaus

This comment has been minimized.

nateinaus commented Oct 23, 2017

Yeah I thought it might just be an update to the firmware or something. I emailed xiaomi directly asking for the uboot but not sure if I'll have any luck. The guy on YouTube was a Spanish guy.

https://youtu.be/8ouH4_Pq4Ng

@ykhandler

This comment has been minimized.

ykhandler commented Oct 23, 2017

Nice, sample make easier...

@Sniper-Wolf

This comment has been minimized.

Sniper-Wolf commented Oct 23, 2017

Hi there!

Just offering my modest help :
-> I can't help a lot with serial connections, but once we can get an easy telnet/ssh access, I can probably help with some scripts, dropping chinese server ip connections, replacing chinese voice files by english ones, and so on.

I messed around with the xiaomi mini router (i've since thrown it away, too much bugs).

Here's a backup of the demo firmware from the video posted by nateinaus, just in case :
https://drive.google.com/open?id=0B4WQ7BDk2rtZYy1Hb1dfaWE0TzA

5.5.1.194 suggests it's a newer firmware than the one often found in shipped webcams (usually 5.5.1.177 or lower)

@beikeland

This comment has been minimized.

beikeland commented Oct 23, 2017

Just received my first camera; took some step-by-step pictures while opening it https://photos.app.goo.gl/Yjwh9TcIZiwLfXwL2

Is U2 / 25Q127CSIG on the bottm an spi flash containing the firmware? Google didn't turn up much info on the part name, but could try a SOIC clip or desolder it and stick it in my CH341A and see if its able to pull some data.

@EliasKotlyar

This comment has been minimized.

EliasKotlyar commented Oct 23, 2017

Hello everyone,

@Sniper-Wolf : Could you please have a look at my attemp to compile dropbear?
https://github.com/EliasKotlyar/Dropbear-Dafang
I had the problem that could not login sucessfully. After that i found some patches(https://github.com/zcutlip/dropbear-hacks) and applied them. Now i can get past the login, but its segfaulting, and i cannot get reason for this error.

@beikeland I suppose it is the flash, but i am not sure. But you dont need to insert it into your programmer, because i already dumped the firmware here:
https://github.com/EliasKotlyar/Xiaomi-Dafang-Teardown/tree/master/firmware/5.5.1.177

Here are some instructions for dumping it with serial connection:
https://github.com/EliasKotlyar/Xiaomi-Dafang-Teardown/blob/master/mod_getroot/getroot.md
https://github.com/EliasKotlyar/Xiaomi-Dafang-Teardown/blob/master/mod_getroot/firmware-dump.md

@nateinaus

This comment has been minimized.

nateinaus commented Oct 23, 2017

Is there some way to reflash the whole firmware onto this camera using the sd card slot? I tried just copying all the files on and holding the setup button as I plugged it in, but nothing happened. Cheers

@EliasKotlyar

This comment has been minimized.

EliasKotlyar commented Oct 23, 2017

Hello @nateinaus,

Unfortunately this is not possible at the moment. I have found some code in the bootloader(u-boot) which can do this, but i dont know how to make it work. If we would find a way to achieve this, it would be a huge step to a user-friendly flashing method. For now i can flash it only using serial-connection.

Greatings,
Elias

@beikeland

This comment has been minimized.

beikeland commented Oct 23, 2017

@Sniper-Wolf if you'd be interested in remote access to the serial console I'd be happy to hook you with ssh access to a host with access to the serial console of the camera if it'll help us make progress. My email should be visible on my github profile for a while.

@EliasKotlyar

This comment has been minimized.

EliasKotlyar commented Oct 25, 2017

I finally got this "firmware" from @nateinaus flashed on my Dafang. Many thanks @nateinaus!!

Here is a howto and my log:
https://github.com/EliasKotlyar/Xiaomi-Dafang-Teardown/blob/master/firmware/howto_firmwareflash.md

Warning: Dont try to do this unless you have a Serial Connection to rollback to the old one. I havent tested this firmware yet, i only know that its working for now.

I suppose that its not hard to modify it, because its a simple "uImage" Format.

@marvinroger

This comment has been minimized.

marvinroger commented Dec 10, 2017

@lolouk44

This comment has been minimized.

lolouk44 commented Dec 11, 2017

Thanks @EliasKotlyar !
I know the RTSP is still a work in progress, so for now I'm using the GetImage URL with motion.
It's a bit slow as I only get ~1 frame every 2 sec, but it works.
Looking forward to get real RTSP now :)

@lolouk44

This comment has been minimized.

lolouk44 commented Dec 22, 2017

Wondering whether we'll get some RTSP For Xmas? That would be a great gift to end the year :)

@rodrigoscoelho

This comment has been minimized.

rodrigoscoelho commented Dec 27, 2017

@EliasKotlyar , just to know. Do you have any idea if will be possible to have full RTSP sometime in future?
What is your opinion since you know the insides better than us.

@EliasKotlyar

This comment has been minimized.

EliasKotlyar commented Dec 27, 2017

@rodrigoscoelho : I already have a working RTSP. Its just in the dafang-hacks repository:
https://github.com/EliasKotlyar/Xiaomi-Dafang-Hacks

I dont know what exactly you are expecting/missing in the actual version. It supports both H264 and MJPEG. Moreover, its based on
https://github.com/mpromonet/v4l2rtspserver
and supports all kind of parameters.

@rodrigoscoelho

This comment has been minimized.

rodrigoscoelho commented Dec 27, 2017

Ohh Great. I didn't see that. I was watching this forum and the latest info was about RTSP only for JPEG. Great to know. Thank you so much.

@EliasKotlyar

This comment has been minimized.

EliasKotlyar commented Dec 27, 2017

Yeah, i think its time to close this issue - we have a full support for the Dafang.

@samtap Could you please close this issue? Many Thanks!

@rodrigoscoelho

This comment has been minimized.

rodrigoscoelho commented Dec 27, 2017

on the page, there is:

"RTSP with mJPEG (low quality):
/system/sdcard/bin/mjpegStreamer 10
Local h264 recording:
/system/sdcard/bin/h264Snap > /system/sdcard/video.h264"

Only local h264 recording?

@rodrigoscoelho

This comment has been minimized.

rodrigoscoelho commented Dec 27, 2017

RTSP only with mJPEG?

@EliasKotlyar

This comment has been minimized.

EliasKotlyar commented Dec 27, 2017

@rodrigoscoelho : I have corrected this. It was not updated during the development.

@rodrigoscoelho

This comment has been minimized.

rodrigoscoelho commented Dec 27, 2017

perfect. Thanks Elias

@bmwm69

This comment has been minimized.

bmwm69 commented Dec 27, 2017

Hello,

that RTSP works with HA ? Home Assistant ? Tks

@hdano1

This comment has been minimized.

hdano1 commented Dec 27, 2017

Hi all,

I updated latest cfw, I have all files on SD card, I can connect to the web interface of the camera.
But I would like to use camera with some app in android to watch the video + move with it.
Any guide, how to get this? Which app can support this?
Possible to connect to the camera in AP mode? Without router ?
Thx for reply.

@lolouk44

This comment has been minimized.

lolouk44 commented Dec 27, 2017

@bmwm69 I use motion for this as RTSP in HA is not the most stable

@EliasKotlyar

This comment has been minimized.

EliasKotlyar commented Dec 27, 2017

@hdano1 : You can use any RTSP capable client on Android to watch the stream. The PTZ functionality (moving around the camera) wont work.

@WOnken

This comment has been minimized.

WOnken commented Dec 29, 2017

As for me, everything works but not the webserver. I can connect via SSH and so on but the wenserver doesn't work (on port 80)...

@effendieffendi

This comment has been minimized.

effendieffendi commented Jan 4, 2018

HI, how to check the firmware version on camera?

@WOnken

This comment has been minimized.

WOnken commented Jan 4, 2018

Before using the custom firmware I upgraded to the latest update > 200. But doesn't the custom firmware replace the existing with Version 5.5.1.200 anyways?

@jmtatsch

This comment has been minimized.

jmtatsch commented Jan 6, 2018

@effendieffendi check http://dafanghacks/cgi-bin/status.cgi for the version the custom fw is based upon
@WOnken The latest custom fw is also based on 5.5.1.200, so no need to update with xiaomi app first.

@olskar

This comment has been minimized.

olskar commented Jan 6, 2018

What are the latest instructions for installing latest custom fw on this device?

@jmtatsch

This comment has been minimized.

jmtatsch commented Jan 6, 2018

@olskar

This comment has been minimized.

olskar commented Jan 6, 2018

thanks @jmtatsch ! got it to work :)

@Dgak10

This comment has been minimized.

Dgak10 commented Jan 10, 2018

Hi
I must be a bit stupid for not getting to work with https://github.com/EliasKotlyar/Xiaomi-Dafang-Hacks/blob/master/hacks/install_cfw.md
In general information it says that we have to put a run.sh file in the sd card
In installation of cfw that There should be no other files on the microSD
I dont understand why a i have to installa a new fw in Installation of the new Firmware if i already have the CFW ?

Yes i'm lost ;)

thanks for your help

@ykaminoh

This comment has been minimized.

ykaminoh commented Jan 11, 2018

@Dgak10
It's 2 separate steps, 1st step to install the custom bootloader (demo.bin), then 2nd step to run the custom firmware (run.sh).

@ron-ald52

This comment has been minimized.

ron-ald52 commented Jan 12, 2018

Hi

Is anyone here working on the tracking capability the original firmware has? I'd like to have it setup such that:

if movement is detected capture image either to SDcard or emailed, and/or make accessible from the UI

Thanks

@fincanbill

This comment has been minimized.

fincanbill commented Feb 2, 2018

Hi Evry mode when motion comes on my ios apple iphone 6 motion is waiting short time then %100 not showing how can I solve this problem ?

185853d7pk4ljfc7jxjz77 jpeg thumb
185949mfgttg9iw9mee0mf jpeg thumb

@zgadgeter

This comment has been minimized.

zgadgeter commented Feb 3, 2018

I'm stil not able to flash my device. I have tried 3 different SD cards, so do not think it is a problem with the SD card.
What I do is as follows:
I format my SD card with FAT32
I copy the demo.bin onto the car. There are no other files on the card.
I put the card into the camera.
I hold the setup button on the camera
I then plug in the camera to power.
I have tried holding the setup button for a long time, and also have let it go after powering the camera up, same result.
The camer powers up, and with about 10 seconds begins to turn it's base as though it's starting up normally.
So, does anyone have any further suggestions?

thanks.

@effendieffendi

This comment has been minimized.

effendieffendi commented Feb 4, 2018

Hi, how to remove name, data&time signature from rtsp stream?

@shinebar1001

This comment has been minimized.

shinebar1001 commented Feb 4, 2018

Please ask this questions in the Issues of Dafang-Hacks, they will be answered faster.
At the moment you have to edit run.sh on the sdcard
Change

/system/sdcard/bin/busybox nohup /system/sdcard/bin/v4l2rtspserver-master -D "DafangHacks %I:%M:%S %d.%m.%Y" -d UP &>/dev/null &

to
/system/sdcard/bin/busybox nohup /system/sdcard/bin/v4l2rtspserver-master &>/dev/null &

@kevincaradant

This comment has been minimized.

kevincaradant commented Mar 25, 2018

I@zgadgeter, Hi! , I know it's not the good location for that but did you find the answer ? I have exactly the same issue ! I'm currently running with the lastest firmware .287. Thank you

Edit: problem solved using format under Linux a low level in fat32 :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment