Hack for the new camera - mijia v3 / Basic 1080p

[vitoo]

Hello,

here is a new xiaomi camera it's called mijia-1080P basic / mijia V3. It had a white back.

How can we build a firmware compatible for this camera ? Is it hard ?

Thanks for your help

[llimz]

I'm also very interested by this topic. I can't get an old version anymore.

[gbarral]

Same problem for me. Impossible to downgrade firmware on my mijia with white back.

Thx for help :-)

[jnsw]

see https://github.com/EliasKotlyar/Xiaomi-Dafang-Hacks/issues/624

they are still trying

[vitoo]

It may takes months :smiley:

It's a cheap camera many hacker will try it

[jnsw]

@vitoo hopefully 😃

[Snotmann]

You can downgrade the cam with https://github.com/EliasKotlyar/Xiaomi-Dafang-Hacks/files/2320611/tf_recovery.for.SXJ02ZM.All.White.Xiaomi.1080P.smart.cam.zip and these files on root of sd card https://github.com/Filipowicz251/mijia-1080P-hacks/releases/download/0.8.7/release0.8.7.zip

... but there was no ssh server launched or something like that ... dont know whats happen or to do

[jnsw]

@Snotmann the 0.8.7 was released in March, so I don't think it will work with the all new full white camera

[willthrom]

@Snotmann @seewaldjan it will not work basically because the recovery of the V3 is already patched with the security flaws I found a year ago.

What you could do it to try to use the tf_recovery from the V2 and check if the camera starts.

The camera sensor might not work BUT if you can go to Mi App and upgrade the camera from there to whatever version is the latest for the V3, then there is a possibility we can hack that camera too.

[willthrom]

Forget it... it seems the architecture is different.. I need to take a look but it seems so:

V3: DECIMAL HEXADECIMAL DESCRIPTION 0 0x0 uImage header, header size: 64 bytes, header CRC: 0x3E8652CA, created: 2018-06-30 07:40:51, image size: 2240049 bytes, Data Address: 0x80010000, Entry Point: 0x80380060, data CRC: 0x6BAB1A28, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: gzip, image name: "Linux-3.10.14" 64 0x40 gzip compressed data, maximum compression, from Unix, NULL date (1970-01-01 00:00:00) 2621440 0x280000 Squashfs filesystem, little endian, version 4.0, compression:xz, size: 4484222 bytes, 1916 inodes, blocksize: 131072 bytes, created: 2018-06-30 07:42:42 9895936 0x970000 JFFS2 filesystem, little endian

v2: DECIMAL HEXADECIMAL DESCRIPTION 0 0x0 uImage header, header size: 64 bytes, header CRC: 0xF8DB532E, created: 2017-08-03 05:49:01, image size: 1909344 bytes, Data Address: 0x8000, Entry Point: 0x8000, data CRC: 0x4A5C7510, OS: Linux, CPU: ARM, image type: OS Kernel Image, compression type: none, image name: "Linux-3.3.0" 18164 0x46F4 gzip compressed data, maximum compression, from Unix, NULL date (1970-01-01 00:00:00) 2752512 0x2A0000 Squashfs filesystem, little endian, version 4.0, compression:xz, size: 8932790 bytes, 1304 inodes, blocksize: 131072 bytes, created: 2017-08-03 05:51:01 13238272 0xCA0000 JFFS2 filesystem, little endian

[gregou2007]

hello Any news ? the V3 is still no hackable to get a rtsp flow or to view the camera with a computer ?

[jaaperror]

Also hoping for updates. Hope there is something I can do to help

[liaanvdm]

Has anyone tried this approach on these V3 camera's?

https://github.com/miguelangel-nubla/videoP2Proxy

[gregou2007]

not tried but i don't really understand how to make it work on a macbook ?

[hmajed]

The v3 contains validation based on RSA

try_ft_mode() { if [ -f $ft_files_zip ] && [ -f $sd_mountdir/ft/secret.bin ];then mkdir -p $ft_running_dir $ft_decrypt $sd_mountdir/ft/secret.bin $ft_running_dir/md5.sum $ft_securekey_file if md5sum -cs $ft_running_dir/md5.sum;then unzip $ft_files_zip -q -d $ft_running_dir chmod -R 755 $ft_running_dir ft_mode=cat /proc/ft_mode if [ "$ft_mode" == "" ];then ft_mode=0 fi $ft_running_dir/ft_boot.sh ${ft_mode} ${ft_running_dir} return $? else echo "check fail" fi else echo "ignore ft mode" fi return 1 }

[gbarral]

Hi, i try this tf_recovery.img whith the hack https://github.com/Filipowicz251/mijia-1080P-hacks. The tf_recovery seems to work because the camera downgrade (3.4.4_0039) but the Tools is not installed. Impossible to connect using SSH. I can update 3.4.5_0046 whith mi-home but impossible to activate RSTP.

If anybody have idea :-)

[joelhaasnoot]

Has anyone tried this approach on these V3 camera's?

https://github.com/miguelangel-nubla/videoP2Proxy

This doesn't work unfortunately, the camera doesn't respond to the "get_ipcprop" command that's needed to get the stream running

[mgx0]

any news on this?

[Sender76]

Russian Hello! That is, you want to say that none of the methods work. And you can remotely view the camera Mijia 1080 only with the application MiHome ???😕

чт, 6 дек. 2018 г. в 20:05, Thach Nguyen [email protected]:

any news on this?

Maybe no. Any idea where to start with this camera, trying to flash other fw won't work.

— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/Filipowicz251/mijia-1080P-hacks/issues/55#issuecomment-444949297, or mute the thread https://github.com/notifications/unsubscribe-auth/ARnx8PNl5zgKyMHCSS8TNy0T6OYDYRCHks5u2U5igaJpZM4WZfQI .

-- С Уважением, Генеральный директор ООО "Центральный Регион" Парамонов Сергей Александрович e-mail: [email protected] mob: +7(903)755-79-50

[Sender76]

I can not understand one thing, so how can I hack this seemingly simple camera ... (((

Sergei Paramonov [email protected]

четверг, 6 декабря 2018 г., 23:09 +0300 от [email protected] [email protected]:

Yes, it works with Mi Home. Set Region to Main Land China, start pairing to any 2.4Ghz wifi and it should work. — You are receiving this because you commented. Reply to this email directly, view it on GitHub , or mute the thread .

[mgx0]

I want RTSP and I don't want any cloud service. Looks like I have a camera for sale now ... it speaks chinese, does not allow you to set your own country and is useless without cloud service where god knows who is watching your streams. thanks a lot, it's for sale

[Knuppel1983]

Same here. Hack does not work with the new model. I’m not leaving it on cloud service because the camera is in my living room. Wanted to use it to watch the dogs, but the idea of someone else watching my family is enough to leave it unplugged. Shame Xiaomi does not add local support.

[Knuppel1983]

For reference, i have the snowman version with white back, 1080p PTZ.

[Sender76]

I would be very grateful if you would share!!! 07.12.2018, 13: 48, "Knuppel1983" [email protected]:For reference, i have the snowman version with white back, 1080p PTZ.—You are receiving this because you commented.Reply to this email directly, view it on GitHub, or mute the thread.  --  

[axlerose]

there is any news?

[anmaped]

It is working with openfang; check it out in openfang. A modified bootloader was compiled for this purpose but we need to open the camera and program it manually. We will check if we can surpass some protection to upload the new firmware.

[mgx0]

I have no problem to program the camera via serial

two questions:

• do you have some pictures how to open the camera without breaking it please?
• could you please paste here a link to a file to be programmed to camera please?

thanks

[axlerose]

any news?

[marcotuna]

I opened mine today. How to connect to the PC? Via an USB to UART? What are the pinouts?

I found this manual: https://www.winbond.com/resource-files/w25q128jv%20revf%2003272018%20plus.pdf

[anmaped]

Please check more information at https://github.com/EliasKotlyar/Xiaomi-Dafang-Hacks/issues/624#issuecomment-451488962

[axlerose]

It is working with openfang; check it out in openfang. A modified bootloader was compiled for this purpose but we need to open the camera and program it manually. We will check if we can surpass some protection to upload the new firmware.

@anmaped can you explain how to make it working whit openfang