Compatibility with Mijia 1080p MJSXJ05CM ? #18

Open
Jayah59 opened this issue Nov 13, 2019 · 240 comments

@Jayah59

Jayah59 commented Nov 13, 2019

Hi !

Is this compatible ?
I tried downloading tf_recovery.bin to sdcard and flashing but it did not work and worse, I think my camera is bricked ...

LED amber is not blinking, it is permanent on and the camera does not move.
Same observation without sd card

.<

@crckmc

crckmc commented Nov 13, 2019

Looks like you found out it isn't compatible :)

Try to find the recovery image for your camera type.
uboot is not overwritten so should still be working

@Jayah59

Jayah59 commented Nov 13, 2019

> Looks like you found out it isn't compatible :)
>
> Try to find the recovery image for your camera type.
> uboot is not overwritten so should still be working

Yes indeed 😅

I'm trying to find a recovery image but I'm struggling. I opened a post on the Xiaomi forum, I hope someone can help me (https://c.mi.com/thread-2609368-1-0.html).

I started to disassemble the camera to connect a serial port. As soon as possible, I will solder the serial port and I will post the result.

Thx

@Jayah59

Jayah59 commented Nov 15, 2019

Maybe we would like the ARM chip :)

[image: 20191115_224223]

@none815

none815 commented Jan 5, 2020

A firmware hack is possible, but requires some tools:

  • CH341A flash programmer
  • SOIC8 clip and some dupont wires
  • Complete device teardown

Basic steps are:

  • Create a flash backup:
    flashrom -p ch341a_spi -r backup.bin

  • Download the firmware and put it into the same folder.

  • Run this script to patch the backup:


    #!/bin/bash
    # extract firmware
    mkdir -p files
    dd if=tf_recovery.img of=files/kernel.bin bs=1 count=2097152
    dd if=tf_recovery.img of=files/rootfs.bin bs=1 count=7733248 skip=2097152
    dd if=tf_recovery.img of=files/data.bin bs=1 count=6488064 skip=9830400
    dd if=backup.bin of=files/vendor.bin bs=1 count=131072 skip=16646144

    # patch jffs2 partition
    sudo modprobe mtdblock
    sudo modprobe mtdram total_size=6336
    sudo dd if=files/data.bin of=/dev/mtdblock0 bs=1
    mkdir mount
    sudo mount -t jffs2 /dev/mtdblock0 mount
    echo '#!/bin/sh' | sudo tee -a mount/bin/log_diag_platform.sh
    echo '/mnt/sdcard/override.sh' | sudo tee -a mount/bin/log_diag_platform.sh
    sudo chmod 755 mount/bin/log_diag_platform.sh
    sudo umount mount
    rmdir mount
    sudo dd if=/dev/mtdblock0 of=files/data.bin bs=1

    # update flash backup
    mkdir -p out
    cp backup.bin -f out/flash.bin
    dd if=files/kernel.bin of=out/flash.bin bs=1 count=2097152 seek=327680
    dd if=files/rootfs.bin of=out/flash.bin bs=1 count=7733248 seek=2424832
    dd if=files/data.bin of=out/flash.bin bs=1 count=6488064 seek=10158080
    dd if=files/vendor.bin of=out/flash.bin bs=1 count=131072 seek=16646144

  • Re-flash the modified backup:
    flashrom -p ch341a_spi -w out/flash.bin

  • Prepare the sdcard script:

    /sdcard/override.sh

    #!/bin/sh
    main() {
      # start telnet
      /mnt/sdcard/busybox telnetd
    }

    if [ ! -f /tmp/.override ]; then
     touch /tmp/.override
     main
    fi

  • Press the reset button (briefly) on the camera to launch the override script.
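
The offsets used in the script above can be checked mechanically before anything is written back to the chip. The following Python is an added example, not code from this thread or project: it confirms that the rebuilt image is exactly 16 MiB and that the bytes below the kernel offset and the vendor region still match the backup. The function names and the "boot" label are assumptions made for the example.

```python
import sys

FLASH_SIZE = 16 * 1024 * 1024  # 16 MiB SPI flash, the size reported in this thread

# (name, offset, size) copied from the seek=/count= values of the dd commands.
PARTITIONS = [
    ("kernel", 327680, 2097152),
    ("rootfs", 2424832, 7733248),
    ("data", 10158080, 6488064),
    ("vendor", 16646144, 131072),
]
# Regions the script takes from backup.bin unchanged. "boot" is a label made
# up for this example: everything below the kernel offset.
PRESERVED = [("boot", 0, 327680), ("vendor", 16646144, 131072)]


def layout_problems(partitions=PARTITIONS, flash_size=FLASH_SIZE):
    """Return gaps, overlaps or overruns in the partition table.

    dd without conv=notrunc truncates the output file at the seek offset, so
    the script yields a full-size image only if the regions are written in
    order, are contiguous and end exactly at the flash size.
    """
    problems = []
    cursor = partitions[0][1]
    for name, offset, size in partitions:
        if offset != cursor:
            kind = "gap" if offset > cursor else "overlap"
            problems.append(f"{kind} before {name}: expected offset {cursor}, got {offset}")
        cursor = offset + size
    if cursor != flash_size:
        problems.append(f"layout ends at {cursor}, flash size is {flash_size}")
    return problems


def verify_rebuilt(backup, rebuilt):
    """Compare a rebuilt image with the original backup before flashing."""
    errors = [f"{label} is {len(img)} bytes, expected {FLASH_SIZE}"
              for label, img in (("backup", backup), ("rebuilt", rebuilt))
              if len(img) != FLASH_SIZE]
    changed = []
    if not errors:
        old, new = memoryview(backup), memoryview(rebuilt)
        for name, offset, size in PRESERVED:
            if old[offset:offset + size] != new[offset:offset + size]:
                errors.append(f"{name} region differs from backup")
        changed = [name for name, offset, size in PARTITIONS
                   if old[offset:offset + size] != new[offset:offset + size]]
    return {"ok": not errors, "errors": errors, "changed": changed}


if __name__ == "__main__":
    if len(sys.argv) == 3:  # real files: backup.bin out/flash.bin
        with open(sys.argv[1], "rb") as a, open(sys.argv[2], "rb") as b:
            backup, rebuilt = a.read(), b.read()
    else:  # constructed demo: blank image with one byte changed in "data"
        backup = bytes(FLASH_SIZE)
        rebuilt = bytearray(backup)
        rebuilt[10158080] = 0xFF
    print(layout_problems() or "layout is contiguous")
    result = verify_rebuilt(backup, rebuilt)
    print(result)
    sys.exit(0 if result["ok"] else 1)
```

A file that is shorter than the chip, such as a bare tf_recovery.img, is reported as a size error instead of being compared.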

@none815

none815 commented Jan 5, 2020

The flash chip is located right beside the camera sensor, it is necessary to partially remove the lens:

[image]

It might occur that the SOIC clip will also power up the camera, this will interfere with the flash programming. One solution is to cut HOLD (pin7) and VCC (pin8) to reduce power delivery, this can be done with some dupont wires:

[image]

@phamthanhtri

@Jayah59 Have you successfully hacked MJSXJ05CM yet ? I also want to hack but don't know what to do :)

@ahmetikbal

ahmetikbal commented Jan 15, 2020

@Jayah59 @phamthanhtri @none815 firmware update didn't complete and my MJSXJ05CM bricked. I want to hack with tf_recovery.img file. If you have for 05CM, can you share?

@phamthanhtri

@ahmetikbal you can use this file to reset camera into stable version (https://drive.google.com/open?id=1ve6XlBEiZebJV6ukJ0Oiu7DePw2JCsWj). I still haven't hacked yet

@gurkburk76

Right, so I have version mjsxj05cm, could the firmware posted by @phamthanhtri be hacked so telnet can be enabled? At least that would be a start towards getting rtsp working I guess :)

@DaeMonSx

still nothing at MJSXJ05CM hack?
It seems nowadays these are the cameras found in shops.

@Fruityski

I have managed to un-brick my MJSXJ05CM with https://drive.google.com/file/d/1ve6XlBEiZebJV6ukJ0Oiu7DePw2JCsWj/view

Any update on the hack?

@KhArtNJava

+1 to those who are waiting for MJSXJ05CM support.

@UndeRus

UndeRus commented May 24, 2020

> The flash chip is located right beside the camera sensor, it is necessary to partially remove the lens:
>
> [image]
>
> It might occur that the SOIC clip will also power up the camera, this will interfere with the flash programming. One solution is to cut HOLD (pin7) and VCC (pin8) to reduce power delivery, this can be done with some dupont wires:
>
> [image]

How did you flash this chip with cut 7 and 8 wires? My programmer didn't detect the chip when these wires are cut

@lucperreau

I am also waiting for MJSXJ05CM flash. Don't want to open the camera up. Thanks :)

@KhArtNJava

> A firmware hack is possible, but requires some tools:
>
>   • CH341A flash programmer
>   • SOIC8 clip and some dupont wires
>   • Complete device teardown
>
> Basic steps are:
>
>   • Create a flash backup:
>     flashrom -p ch341a_spi -r backup.bin
>   • Download the firmware and put it into the same folder.
>   • Run this script to patch the backup:
>
>     #!/bin/bash
>     # extract firmware
>     mkdir -p files
>     dd if=tf_recovery.img of=files/kernel.bin bs=1 count=2097152
>     dd if=tf_recovery.img of=files/rootfs.bin bs=1 count=7733248 skip=2097152
>     dd if=tf_recovery.img of=files/data.bin bs=1 count=6488064 skip=9830400
>     dd if=backup.bin of=files/vendor.bin bs=1 count=131072 skip=16646144
>
>     # patch jffs2 partition
>     sudo modprobe mtdblock
>     sudo modprobe mtdram total_size=6336
>     sudo dd if=files/data.bin of=/dev/mtdblock0 bs=1
>     mkdir mount
>     sudo mount -t jffs2 /dev/mtdblock0 mount
>     echo '#!/bin/sh' | sudo tee -a mount/bin/log_diag_platform.sh
>     echo '/mnt/sdcard/override.sh' | sudo tee -a mount/bin/log_diag_platform.sh
>     sudo chmod 755 mount/bin/log_diag_platform.sh
>     sudo umount mount
>     rmdir mount
>     sudo dd if=/dev/mtdblock0 of=files/data.bin bs=1
>
>     # update flash backup
>     mkdir -p out
>     cp backup.bin -f out/flash.bin
>     dd if=files/kernel.bin of=out/flash.bin bs=1 count=2097152 seek=327680
>     dd if=files/rootfs.bin of=out/flash.bin bs=1 count=7733248 seek=2424832
>     dd if=files/data.bin of=out/flash.bin bs=1 count=6488064 seek=10158080
>     dd if=files/vendor.bin of=out/flash.bin bs=1 count=131072 seek=16646144
>
>   • Re-flash the modified backup:
>     flashrom -p ch341a_spi -w out/flash.bin
>   • Prepare the sdcard script:
>
>     /sdcard/override.sh
>
>     #!/bin/sh
>     main() {
>       # start telnet
>       /mnt/sdcard/busybox telnetd
>     }
>
>     if [ ! -f /tmp/.override ]; then
>      touch /tmp/.override
>      main
>     fi
>
>   • Press the reset button (briefly) on the camera to launch the override script.

none815, can you tell us please, what flash chip installed in MJSXJ05CM? As I understand, it's SPI flash. But what is series/number of the chip? What's flash size in that chip?

@gmrizzo

gmrizzo commented Jul 16, 2020

@none815 I did flash the chip like you suggested but it didn't work properly. Any suggestion what the steps are necessary after resetting the camera?

@gmrizzo

gmrizzo commented Jul 16, 2020

@KhArtNJava

> > A firmware hack is possible, but requires some tools:
> >
> >   • CH341A flash programmer
> >   • SOIC8 clip and some dupont wires
> >   • Complete device teardown
> >
> > Basic steps are:
> >
> >   • Create a flash backup:
> >     flashrom -p ch341a_spi -r backup.bin
> >   • Download the firmware and put it into the same folder.
> >   • Run this script to patch the backup:
> >
> >     #!/bin/bash
> >     # extract firmware
> >     mkdir -p files
> >     dd if=tf_recovery.img of=files/kernel.bin bs=1 count=2097152
> >     dd if=tf_recovery.img of=files/rootfs.bin bs=1 count=7733248 skip=2097152
> >     dd if=tf_recovery.img of=files/data.bin bs=1 count=6488064 skip=9830400
> >     dd if=backup.bin of=files/vendor.bin bs=1 count=131072 skip=16646144
> >
> >     # patch jffs2 partition
> >     sudo modprobe mtdblock
> >     sudo modprobe mtdram total_size=6336
> >     sudo dd if=files/data.bin of=/dev/mtdblock0 bs=1
> >     mkdir mount
> >     sudo mount -t jffs2 /dev/mtdblock0 mount
> >     echo '#!/bin/sh' | sudo tee -a mount/bin/log_diag_platform.sh
> >     echo '/mnt/sdcard/override.sh' | sudo tee -a mount/bin/log_diag_platform.sh
> >     sudo chmod 755 mount/bin/log_diag_platform.sh
> >     sudo umount mount
> >     rmdir mount
> >     sudo dd if=/dev/mtdblock0 of=files/data.bin bs=1
> >
> >     # update flash backup
> >     mkdir -p out
> >     cp backup.bin -f out/flash.bin
> >     dd if=files/kernel.bin of=out/flash.bin bs=1 count=2097152 seek=327680
> >     dd if=files/rootfs.bin of=out/flash.bin bs=1 count=7733248 seek=2424832
> >     dd if=files/data.bin of=out/flash.bin bs=1 count=6488064 seek=10158080
> >     dd if=files/vendor.bin of=out/flash.bin bs=1 count=131072 seek=16646144
> >
> >   • Re-flash the modified backup:
> >     flashrom -p ch341a_spi -w out/flash.bin
> >   • Prepare the sdcard script:
> >
> >     /sdcard/override.sh
> >
> >     #!/bin/sh
> >     main() {
> >       # start telnet
> >       /mnt/sdcard/busybox telnetd
> >     }
> >
> >     if [ ! -f /tmp/.override ]; then
> >      touch /tmp/.override
> >      main
> >     fi
> >
> >   • Press the reset button (briefly) on the camera to launch the override script.
>
> none815, can you tell us please, what flash chip installed in MJSXJ05CM? As I understand, it's SPI flash. But what is series/number of the chip? What's flash size in that chip?

I did a little bit of research and the Chip seems to be the cFeon Q32B-104HIP, 32Mbit SPI Serial Flash, SOIC-8 or also many times referenced as EN25Q32B.

https://www.kean.com.au/oshw/WR703N/teardown/EN25Q32B%2032Mbit%20SPI%20Flash.pdf

Does this help?

@slock83

slock83 commented Aug 8, 2020

Hello everyone,

So I tried @none815 method and it worked well.
The flash chip, in my case, was an EN25QH128.

I did a few modifications though, instead of having the script launched by the diagnosis launcher, I modified wifi_start, which allows me to run my script on boot, instead of on reset.

I'm still working on getting the current hacks to run, runsvdir doesn't seem to work yet ...

Thanks !

@fumanchi

Hi slock83,

I am stuck with runsvdir as well...
the file itself seems to be there but I always get:
"/mnt/sdcard/manu_test/configure_services.sh: line 50: runsvdir: not found"
As if the file wouldn't be there...
I found the file has been compiled dynamically...
It directly depends on:
Shared library: [libc.so.6]
Shared library: [ld-linux-armhf.so.3]
which seems to be fine...

As we are using a newer firmware they might have blocked the system from running binaries from sdcard. what do you think?
Have you made any progress?
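
A file that is present yet fails with "not found" is commonly a dynamically linked ELF whose loader, named in its PT_INTERP program header, does not exist on the target; a statically linked binary has no such entry. The parser below is an added example, not code from this thread or project, that reads that header; `diagnose`, `sample_elf32` and the extracted-rootfs directory argument are assumptions of the example.

```python
import os
import struct
import sys

PT_INTERP = 3  # program-header type that names the dynamic loader


def elf_interpreter(data):
    """Return the PT_INTERP path of an ELF image, or None if it has none."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2                  # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    end = "<" if data[5] == 1 else ">"   # EI_DATA: 1 = little-endian
    if is64:
        (phoff,) = struct.unpack_from(end + "Q", data, 0x20)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 0x36)
    else:
        (phoff,) = struct.unpack_from(end + "I", data, 0x1C)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 0x2A)
    for i in range(phnum):
        base = phoff + i * phentsize
        (p_type,) = struct.unpack_from(end + "I", data, base)
        if p_type != PT_INTERP:
            continue
        if is64:
            (offset,) = struct.unpack_from(end + "Q", data, base + 8)
            (filesz,) = struct.unpack_from(end + "Q", data, base + 32)
        else:
            (offset,) = struct.unpack_from(end + "I", data, base + 4)
            (filesz,) = struct.unpack_from(end + "I", data, base + 16)
        return data[offset:offset + filesz].rstrip(b"\0").decode()
    return None


def diagnose(data, rootfs):
    """Explain whether the binary can start on a system rooted at `rootfs`."""
    interp = elf_interpreter(data)
    if interp is None:
        return "static: no loader needed"
    # lexists: a symlink inside an extracted rootfs counts as present
    if os.path.lexists(os.path.join(rootfs, interp.lstrip("/"))):
        return f"dynamic: loader {interp} present"
    return f"dynamic: loader {interp} missing, the shell reports 'not found'"


def sample_elf32(interp=None):
    """Constructed ELF32 little-endian ARM header for the demo, not a real program."""
    ident = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)
    header = ident + struct.pack("<HHIIIIIHHHHHH", 2, 40, 1, 0, 52, 0, 0,
                                 52, 32, 1 if interp else 0, 0, 0, 0)
    if not interp:
        return header
    path = interp.encode() + b"\0"
    phdr = struct.pack("<IIIIIIII", PT_INTERP, 84, 0, 0, len(path), len(path), 4, 1)
    return header + phdr + path


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script.py <binary> <extracted-rootfs-dir>
        with open(sys.argv[1], "rb") as fh:
            print(diagnose(fh.read(), sys.argv[2]))
    else:  # constructed demo against a directory that does not exist
        print(diagnose(sample_elf32("/lib/ld-linux-armhf.so.3"), "/nonexistent"))
        print(diagnose(sample_elf32(), "/nonexistent"))
```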

@puuhderbaer

puuhderbaer commented Aug 17, 2020

Hello everybody,

today my programmer arrived and I managed to successfully flash the spi-flash with the by @none815 described method. Cam is powering up correctly and re-setup went fine.

But now I'm stuck with the mentioned override.sh script. telnet is to be run by busybox /mnt/sdcard/busybox telnetd , right? Can anybody please tell me what I'm missing? Where to get busybox from?

I can confirm the statement from @slock83, that the MJSXJ05CM (IPC019) has a 16MB Flash EN25QH128, same as in my CMSXJ16A (IPC016).

Thanks in advance!

@twosky2000

twosky2000 commented Aug 17, 2020

New busybox would contain runit (runsv/dir).
@puuhderbaer busybox can be downloaded here: https://busybox.net/downloads/binaries/1.31.0-defconfig-multiarch-musl/busybox-armv7l
Also I got runit with busybox working.
/mnt/sdcard/busybox --list | awk '/runsv|chpst|svlog|^sv$/' | xargs -I{} ln -sv /mnt/sdcard/busybox /mnt/data/bin/{}
I'm not sure how to make it permanent yet.

Also my MJSXJ05CM uses Camera model 'ipc019' not ipc009, we would have to recompile the mija-framegrabber.

@puuhderbaer

Thanks a lot @twosky2000! That did the trick. Telnet is up and running. But there is not yet any progress getting rtsp to work on 'ipc019', right?

@Sergey-SRG

@aeremichev Hi! Do you have a working backup of your flash drive?

@sean666888

Hi, does anybody have a copy of 05 hack.zip? Whoever's Google Drive the zip comes from is being rate limited, and it looks like Google has fixed all of the standard bypasses and workarounds.

@ciapecki

ciapecki commented Feb 4, 2021 via email

@sean666888

Oh, I should really learn to follow the conversation better. I didn't realise that that was where it was from.

@agujensen

Hi, I can't get it to work in home assistant, what is your configuration?

@agujensen

> Hi, I can't get it to work in home assistant, what is your configuration?

It was the problem that chromium does not reproduce h265

@agujensen

Will someone do me a favor to re-upload this file? https://drive.google.com/file/d/1GQGvkmFvJO_DF_vFNlVTC7ymFry8EjnJ/view?usp=sharing because it's down
I would appreciate

This one did not work for me https://github.com/cmiguelcabral/mjsxj05cm-hacks/tree/dev/sdcard/hacks

@Vizards

Vizards commented Feb 7, 2021

MJSXJ05CM.zip
@agujensen You can try this one.

@Sagittaq2

I tried to downgrade to 3.4.2_0062 from 3.5.1.0052 firmware, but when I powered it, the camera was standing with yellow LED without any moves. Then I had to unbrick using 3.5.1.0052 firmware again. Is it possible to downgrade from 3.5.1.0052 to 3.4.2_0062? Maybe I have a wrong firmware file? Can anybody share the 3.4.2_0062 firmware, apart from the file of this web?

@nazt

nazt commented Feb 18, 2021

OK, I figured out and telnet is up now


    #!/bin/bash
    # extract firmware
    mkdir -p files

    dd if=backup.bin of=files/kernel.bin bs=1 count=2097152 skip=327680
    dd if=backup.bin of=files/rootfs.bin bs=1 count=7733248 skip=2424832
    dd if=backup.bin of=files/data.bin bs=1 count=6488064 skip=10158080
    dd if=backup.bin of=files/vendor.bin bs=1 count=131072 skip=16646144

    # patch jffs2 partition
    sudo modprobe mtdblock
    sudo modprobe mtdram total_size=6336
    sudo dd if=files/data.bin of=/dev/mtdblock0 bs=1
    mkdir mount
    sudo mount -t jffs2 /dev/mtdblock0 mount

    echo '#!/bin/sh' | sudo tee -a mount/bin/log_diag_platform.sh

    echo 'echo qqq >> /mnt/sdcard/qqq.txt' | sudo tee -a mount/bin/log_diag_platform.sh
    echo '/mnt/sdcard/override.sh' | sudo tee -a mount/bin/log_diag_platform.sh

    sudo chmod 755 mount/bin/log_diag_platform.sh

    sudo umount mount
    rmdir mount
    sudo dd if=/dev/mtdblock0 of=files/data.bin bs=1

    # update flash backup
    mkdir -p out
    cp backup.bin -f out/flash.bin
    dd if=files/kernel.bin of=out/flash.bin bs=1 count=2097152 seek=327680
    dd if=files/rootfs.bin of=out/flash.bin bs=1 count=7733248 seek=2424832
    dd if=files/data.bin of=out/flash.bin bs=1 count=6488064 seek=10158080
    dd if=files/vendor.bin of=out/flash.bin bs=1 count=131072 seek=16646144

    sudo flashrom -p ch341a_spi -w out/flash.bin

Flash on my board is qh128a-104hip, it may be EN25QH128A
datasheet.pdf

Update 2. Cool! RTSP is working now.

@KhArtNJava I've read all your thread but not quite sure, can you confirm that you're flashing using the programmer? Am I correct?

@schrmh

schrmh commented Feb 20, 2021

I'd like to know how to set WiFi credentials so that it doesn't need to scan a QR code again..

@Aroxyson

I am trying to flash MJSXJ05CM using CH341A. I connected all the wires, connected to the raspberry pi 4, but the flashrom does not see the eeprom / flash device, although the programmer is detected. I tried to connect to the desktop - I still can't see it. What mistakes could I have made?
[image: 20210224_194144]
[image: 20210224_194210]

@enwony

enwony commented Mar 1, 2021

Just to be clear, my camera bricked too using described method (Mi Home Security Camera 360 1080p Model: MJSXJ05CM).
I reflashed it using instruction above (thanks!). But in addition:

  • download busybox from link - rename it to busybox and place near override.sh
  • override.sh main function should look like:
    # start telnet
    /mnt/sdcard/busybox > /mnt/sdcard/busybox_version
    /mnt/sdcard/busybox telnetd

  • script started working after pressing reset button once, not after power-on.

@colder1989

colder1989 commented Mar 1, 2021

Hi all...i have a MJSXJ06CM with china firmware.... i want to flash global firmware....i have dump with ch341 and now i need help to create a script to change in global firmware....someone can help me please to create a script? @rezmus it told me i need to replace kernel / rootfs / data.

@YKatrechko

> Just to be clear, my camera bricked too using described method (Mi Home Security Camera 360 1080p Model: MJSXJ05CM).
> I reflashed it using instruction above (thanks!). But in addition:
>
>   • download busybox from link - rename it to busybox and place near override.sh
>   • override.sh main function should look like:
>     # start telnet
>     /mnt/sdcard/busybox > /mnt/sdcard/busybox_version
>     /mnt/sdcard/busybox telnetd
>   • script started working after pressing reset button once, not after power-on.

what firmware version on your camera?

@enwony

enwony commented Mar 2, 2021

> > Just to be clear, my camera bricked too using described method (Mi Home Security Camera 360 1080p Model: MJSXJ05CM).
> > I reflashed it using instruction above (thanks!). But in addition:
> >
> >   • download busybox from link - rename it to busybox and place near override.sh
> >   • override.sh main function should look like:
> >     # start telnet
> >     /mnt/sdcard/busybox > /mnt/sdcard/busybox_version
> >     /mnt/sdcard/busybox telnetd
> >   • script started working after pressing reset button once, not after power-on.
>
> what firmware version on your camera?

I checked it's 3.5.1_0052

@argetlam-coder

Hi,
I tried to downgrade the firmware of my MJSXJ05CM camera with a CH341A flash programmer but all tf_recovery.img files I find are too small. Flashrom tells me it has to be exactly 16mb but all files I find are smaller.

Do I need to do something with the file before flashing it or do I need another file?

@cstrassburg

cstrassburg commented Jun 17, 2021

You can't use a tf_recovery.img to flash your SPI chip directly. The tf_recovery.img has 3 partitions and a signature, your SPI flash has 6 partitions.
I can help you to build a modified flash layout or upgrade only the partitions from tf_recovery.img. The procedure is also described here.

@argetlam-coder

Thanks for your answer. In the meantime I managed to flash a modified version of the 4.0.9_0426 firmware onto my camera.
Telnet, SSH and Motor Control work but RTSP only works with h.265. Has anyone got RTSP h.264 or the video preview in the webconfig running?

@Angel038

Angel038 commented Jul 9, 2021

Hi everyone,
I have a Xiaomi 360 camera MJSXJ05CM, I use it with Synology Surveillance Station, is there a way to drive the camera with the Syno interface?
For now I have to use the Xiaomi app to turn my camera and return to Syno to see video.
Thanks

@HVPereira

> Thanks for your answer. In the meantime I managed to flash a modified version of the 4.0.9_0426 firmware onto my camera. Telnet, SSH and Motor Control work but RTSP only works with h.265. Has anyone got RTSP h.264 or the video preview in the webconfig running?

How did you manage to do it?
I have 2 cameras on this 4.0.9 and want to hack them I would like to avoid to open them. But I don't like my cameras to be connected to xiaomi cloud 🗡️

@argetlam-coder

argetlam-coder commented Nov 4, 2021

> > Thanks for your answer. In the meantime I managed to flash a modified version of the 4.0.9_0426 firmware onto my camera. Telnet, SSH and Motor Control work but RTSP only works with h.265. Has anyone got RTSP h.264 or the video preview in the webconfig running?
>
> How did you manage to do it? I have 2 cameras on this 4.0.9 and want to hack them I would like to avoid to open them. But I don't like my cameras to be connected to xiaomi cloud 🗡️

I wasn't able to downgrade the firmware and use the normal hack procedure. I have created a modified image and flashed it with my CH341A programmer. There seems to be no way to hack the camera without disassembling it. But if you manage to hack it, there is a way to set up the camera without using the Xiaomi app.

While looking at the scripts on the camera, I found a way to configure the camera's wifi without the app (mjsxj05cm).

To get this working you have to uncomment line 118 and 119 ("echo $ssid" and "echo $passwd" in the function "get_ssid_passwd") in the wifi start script at /mnt/data/bin/wifi_start.sh. From now on it is possible to set the wlan configuration with the following commands:

mortoxc set nvram default key_mgmt WPA
mortoxc set nvram default miio_passwd "YourWifiPassword"
mortoxc set nvram default miio_ssid "YourWifiName"
mortoxc set nvram default bind_status ok
mortoxc sync nvram

The following commands can be used to display lists of available parameters:

mortoxc list default
mortoxc list nvram

@GaetanPTX

Hello, I have a little problem, when I put the file "tf_recovery.img" in my SD card (8GB) and then put it on when my camera turns off and then I turn it on, it ignores the SD card and the camera starts normally. When I retrieve the SD card and look at the file, it is renamed to "tf_recovery.img.bak". How can I solve this problem? Thanks

Model: 05CM

@dongFangTuring

@colder1989
Can you share me the MJSXJ06CM china firmware. My camera is stuck with orange light indicator. Thanks.

@dongFangTuring

> @colder1989 Can you share me the MJSXJ06CM china firmware. My camera is stuck with orange light indicator. Thanks.

I want to use CH341A write firmware to flash chip.

@MYTAHT2

MYTAHT2 commented Dec 14, 2022

Two cameras came with the same firmware and the MAC addresses became the same and they conflict in the wifi network. The backup was not saved. How to fix it? Or can anyone throw off their backup?

@jaco7777

> New busybox would contain runit (runsv/dir). @puuhderbaer busybox can be downloaded here: https://busybox.net/downloads/binaries/1.31.0-defconfig-multiarch-musl/busybox-armv7l Also I got runit with busybox working. /mnt/sdcard/busybox --list | awk '/runsv|chpst|svlog|^sv$/' | xargs -I{} ln -sv /mnt/sdcard/busybox /mnt/data/bin/{} I'm not sure how to make it permanent yet.
>
> Also my MJSXJ05CM uses Camera model 'ipc019' not ipc009, we would have to recompile the mija-framegrabber.

Hello.
Can you explain me step by step how to solve this problem: runsvdir: not found

@batyrbek1984

batyrbek1984 commented Oct 8, 2023

> A firmware hack is possible, but requires some tools:
>
>   • CH341A flash programmer
>   • SOIC8 clip and some dupont wires
>   • Complete device teardown
>
> Basic steps are:
>
>   • Create a flash backup:
>     flashrom -p ch341a_spi -r backup.bin
>   • Download the firmware and put it into the same folder.
>   • Run this script to patch the backup:
>
>     #!/bin/bash
>     # extract firmware
>     mkdir -p files
>     dd if=tf_recovery.img of=files/kernel.bin bs=1 count=2097152
>     dd if=tf_recovery.img of=files/rootfs.bin bs=1 count=7733248 skip=2097152
>     dd if=tf_recovery.img of=files/data.bin bs=1 count=6488064 skip=9830400
>     dd if=backup.bin of=files/vendor.bin bs=1 count=131072 skip=16646144
>
>     # patch jffs2 partition
>     sudo modprobe mtdblock
>     sudo modprobe mtdram total_size=6336
>     sudo dd if=files/data.bin of=/dev/mtdblock0 bs=1
>     mkdir mount
>     sudo mount -t jffs2 /dev/mtdblock0 mount
>     echo '#!/bin/sh' | sudo tee -a mount/bin/log_diag_platform.sh
>     echo '/mnt/sdcard/override.sh' | sudo tee -a mount/bin/log_diag_platform.sh
>     sudo chmod 755 mount/bin/log_diag_platform.sh
>     sudo umount mount
>     rmdir mount
>     sudo dd if=/dev/mtdblock0 of=files/data.bin bs=1
>
>     # update flash backup
>     mkdir -p out
>     cp backup.bin -f out/flash.bin
>     dd if=files/kernel.bin of=out/flash.bin bs=1 count=2097152 seek=327680
>     dd if=files/rootfs.bin of=out/flash.bin bs=1 count=7733248 seek=2424832
>     dd if=files/data.bin of=out/flash.bin bs=1 count=6488064 seek=10158080
>     dd if=files/vendor.bin of=out/flash.bin bs=1 count=131072 seek=16646144
>
>   • Re-flash the modified backup:
>     flashrom -p ch341a_spi -w out/flash.bin
>   • Prepare the sdcard script:
>
>     /sdcard/override.sh
>
>     #!/bin/sh
>     main() {
>       # start telnet
>       /mnt/sdcard/busybox telnetd
>     }
>
>     if [ ! -f /tmp/.override ]; then
>      touch /tmp/.override
>      main
>     fi
>
>   • Press the reset button (briefly) on the camera to launch the override script.

hi
please help how to tf_recovery.img convert to recovery.bin
above mentioned scripts used in which software ? could some one share this soft if it is possible share original dump file (.bin) for MJSXJ05CM
