mijia-720p-hack
Support for Mijia 360 1080p?
Hi,
Will this hack work with the 1080p version?
Thanks
Same question! Planning to order 1080p version right now.
Do you mean this camera https://github.com/niclet/xiaomi_hack? If yes, it looks like it uses another entry point for the hack. But as I own only the 360 720p, I cannot say this for sure. Maybe the hack can be ported, maybe not.
Yes, that's the one. I hope someday this cam will be supported. Thanks!
... I think the 1080p version is this: https://it.aliexpress.com/item/Original-Xiaomi-Mijia-Smart-Camera-IP-Camera-Camcorder-360-Angle-Panoramic-WIFI-Wireless-720P-Magic-Zoom/32819122739.html
They are different cameras.
This camera, the 360 Mijia 720p, is MJSXJ01CM. The new model is the Mijia 360 1080p, MJSXJ02CM, not the oldest 360 camera (niclet hack), which is JTSXJ01CM.
I'm very interested in porting the hack to MJSXJ02CM; I really need some extra features. My cam should arrive in a week, maybe we can find some luck.
> They are different cameras.
> This camera, the 360 Mijia 720p, is MJSXJ01CM. The new model is the Mijia 360 1080p, MJSXJ02CM, not the oldest 360 camera (niclet hack), which is JTSXJ01CM.
> I'm very interested in porting the hack to MJSXJ02CM; I really need some extra features. My cam should arrive in a week, maybe we can find some luck.
I'm really interested in the MJSXJ02CM cam, any news?
I don't have the MJSXJ02CM yet, but I already have some interesting stuff...
Platform: MSC313E Sensor: SC2235
The bad news:
MJSXJ02CM uses Android-based firmware and a different platform; the new camera uses ARM MStar. The old SD card entry point is useless now, although the partition layout is similar. The MJSXJ01CM hack won't work.
Telnet/SSH is disabled and no binary is present.
The good news:
At a preliminary glance, we will have much easier script execution at boot time. With script execution, we should be able to do the rest.
My next steps, once my camera arrives:
1. Check if I can confirm all this
2. Check if ADB is working, maybe another easy shell access
3. Check script execution at boot time
If it works:
4. Cross-compile tools to work with the new platform
5. We can reuse/adapt the MJSXJ01CM scripts
Great! ;) We await trust ! ^_^
I have MJSXJ02CM version, any news about this model??
> I have MJSXJ02CM version, any news about this model??
Sorry but... Did you read the previous comments?? Stop asking again and again, please. I'm sure that any news (mine or from anyone else) would be posted.
Update:
Finally my MJSXJ02CM arrived.
- After some problems with the QR code (it doesn't like Wi-Fi with a long WPA/PSK), it was updated to the latest 209 version. The first attempt failed; maybe the latest firmwares are out of luck, but I will work on it over the next days.
- After a successful downgrade, I was able to execute some commands, but only by putting the camera in manufacture mode, which is not useful after all, because in this mode the camera doesn't work: no camera, no Wi-Fi... nothing.
- After some more attempts I was able to execute any code and boot the camera in normal mode.
- Once in a working state and able to execute code at boot time, I only had to copy a generic non-limited arm7 busybox to my SD card (basically, to use telnetd), edit the boot script to bring up telnetd and... working!!
```
/ # uname -a
Linux mijia_camera 3.18.30 #1 PREEMPT Wed Jun 6 15:00:59 CST 2018 armv7l GNU/Linux
/ # ls -la
total 5
drwxr-xr-x 17 root root 299 Jun 6 09:02 .
drwxr-xr-x 17 root root 299 Jun 6 09:02 ..
drwxr-xr-x 2 root root 1069 Jun 1 11:01 bin
lrwxrwxrwx 1 root root 14 Jun 1 11:01 data -> /mnt/data/data
-rw-r--r-- 1 root root 132 Jun 1 11:01 default.prop
drwxr-xr-x 9 root root 1600 Jan 1 1970 dev
drwxr-xr-x 10 root root 634 Jun 6 09:02 etc
drwxr-xr-x 3 root root 1305 Jun 1 11:01 lib
lrwxrwxrwx 1 root root 3 Jun 6 08:43 lib32 -> lib
-rwxr-xr-x 1 root root 81 May 31 04:37 linuxrc
drwxr-xr-x 2 root root 3 May 31 04:37 media
drwxr-xr-x 4 root root 41 May 31 04:37 mnt
drwxr-xr-x 2 root root 3 May 31 04:37 opt
dr-xr-xr-x 78 root root 0 Jan 1 1970 proc
drwx------ 2 root root 3 May 31 04:37 root
drwxr-xr-x 14 root root 360 Jan 1 1970 run
drwxr-xr-x 2 root root 978 Jun 6 09:01 sbin
dr-xr-xr-x 11 root root 0 Jan 1 1970 sys
drwxrwxrwt 2 root root 200 Sep 28 17:10 tmp
-rw-r--r-- 1 root root 4026 Jun 1 11:01 ueventd.rc
drwxr-xr-x 6 root root 87 May 31 04:37 usr
drwxr-xr-x 4 root root 108 Jun 6 09:02 var
```
Next steps:
- Compiling any binary should be "easy"...
- Once all is (more or less) working, try with the latest firmware
- If the new firmware is "impossible", I could maybe inject some lines into the rw partition to survive the firmware update, so this should be possible: Any FW -> Downgrade -> Apply "hack" -> Update
- More to come...
Update:
The latest firmwares need a "factory" key, similar to other Xiaomi cameras.
In this case, our script file is compressed in a tar. Our tar is MD5-hashed and the hash is stored in another file. That file is signed with an RSA (private) key. In reverse, the system verifies the signature with the public key and decodes the content. It then compares the stored MD5 hash against the MD5 of the original file. If they match, the tar is extracted and executed.
With the private key, we could sign any file, but without it, it is a little more difficult. I have one or two ideas to "bypass" that, but it would be necessary anyway to force a downgrade; it is not possible (for now) to begin the hack from the latest firmwares.
Update:
- SSH and SFTP servers working now.
- Unable to port the hack to the latest firmware (maybe possible, maybe not)
Nice, theliel!! I've not received mine but I will try to help!
We cheer for you! ^_^ theliel
I have the same camera, I read. Amazing job theliel, keep working
@Theliel, thanks for your job, but any news? Having the same camera 1080p
I'm on vacation now. For now, the "hack" works well for 3.4.2_0062 (ssh/sftp/busybox). The RTSP server is not ready yet, on the other hand... the platform is different, so we need to find (internally) the original video stream and pass it through to an RTSP server (compiled for our device)
@Theliel, can we test something? ))
Hi, is this project for MJSXJ01CM 720p? (As I read on some merchant sites, they said MJSXJ01CM is 1080p?!!)
Btw, at first I was thinking of buying the MJSXJ02CM. But as I saw no hack for it, I started to consider finding the cam that works with this hack. However, reading this issue discussion, I think there would be hope for me with the MJSXJ02CM. Maybe I'll wait for some time :)
@Theliel is your hack compatible with the JTSXJ01CM model, or do you know of any current one that works with the model? Thanks
My hack probably only works with MJSXJ02CM, so... other cameras, different hacks, probably.
Is there something we can do / test, to support you? Can we test the MJSXJ02CM "hack"? Where can we download it?
I'm too keen to try something... I have MJSXJ02CM and it's soooo slow!!! Probably sends all the video through China servers or something..
Hi @Theliel. Very good job! I have had this camera for a few months and I would like to try your custom firmware. Where can I find it? Thanks!
@Theliel Appreciate the progress you've made! Can you please share how you got to execute script during boot time? I have the 5FCNxxx version of Yi 1080p camera, and it uses the same Mstar MSC313E platform. A few people had bricked their camera because obviously Xiaoyi switched the platform from Hisilicon to Mstar MSC313E.
> @Theliel Appreciate the progress you've made! Can you please share how you got to execute script during boot time? I have the 5FCNxxx version of Yi 1080p camera, and it uses the same Mstar MSC313E platform. A few people had bricked their camera because obviously Xiaoyi switched the platform from Hisilicon to Mstar MSC313E.
Hi @andy2301
It is not platform dependent; it is about each maker/developer adding some backdoors. The platform is very important, especially to compile binaries that may be necessary, but the role that it plays when it comes to gaining access is secondary. It would be necessary to see if there is a backdoor in the camera, and once this is discovered, access through it.
Another option would be directly an exploit against the camera itself. In any case, without the camera in question, it is impossible to know more.
How to unbrick MJSXJ02CM. From here: https://en.miui.com/thread-3547398-1-1.html
1. Download the firmware file “tf_recovery_0062.img”. The file is here: https://goo.gl/DhgbLH
2. Copy the file “tf_recovery.img” to the root folder of the TF card
3. Cut off the power source of the camera
4. Put the TF card in the camera
5. Connect the camera to a power source
6. The “Yellow light on” means the camera is installing the new firmware, which will last for 2 minutes. When the firmware finishes updating, the status light will become “flashing yellow” (if you have bound the camera to the Mi Home app, the status light is “flashing blue” to “constantly blue”).
@Theliel any update?
Hello everyone. I'm a little scared of everything I read about it. I bought a MJSXJ02CM too... And for me also the QR code does not work. And I read this comment: https://www.amazon.in/gp/customer-reviews/R3GPH49A6GNJBJ/ref=cm_cr_arp_d_rvw_ttl?ie=UTF8&ASIN=B07HJD1KH4
Help :-(
Hi, I bought TWO units too.
Apparently after 20 times trying to connect, I managed to connect but am unable to use the camera at all.
Thank you very much ... I made a screenshot and I sent it by mail on a computer .... and as if by magic oulahup barbatruc OvO. it worked the first time. So : Thank you, thank you, thank you, thank you very much. :-)
@Theliel - sorry for the picking, but is there any progress with the hack for MJSXJ02CM?
Nothing new. SSH/SFTP is working, I can't apply the hack to newer firmware versions (for now), and I want to add an RTSP server
Can you provide the steps you took to have SSH access so we can also help with the other steps (RTSP server)?
@Theliel why don't you publish your hack for this camera? SSH access is very good. Maybe for the RTSP server use the official decision of some vendors for custom direct streaming?
@ftc2019 Be patient, buddy. A responsible dev would not want anybody's device to get bricked, hence his delay. It's your rush that even makes him more hesitant to publish the tools before he can be sure things work well.
I'm waiting (very impatiently as you can see) for RTSP server for the MJSXJ02CM. So if there's anything we can offer to help - please say
I made some changes to the rtspd.c so it supports snapshotting, recording and motion detection. Have a look at my fork if you want to implement something similar.
> I made some changes to the rtspd.c so it supports snapshotting, recording and motion detection. Have a look at my fork if you want to implement something similar.
I assume this comment is directed at @Theliel in order to help him with development, right ?
@dragos-durlut It was mostly meant for @GuyKh as he was in a hurry and adding another rtspd to the build instead of the one from the toolchain is easy by copy pasting from other forks where people are still making progress on.
@fliphess, not sure if I understand.
I'm generally speaking a Java / JS dev - and I find the hardware parts hard to handle. Is your fork something I can try?
hi, guys any development on the JTSXJ01CM?
Looking forward to RTSP server :)
Camera seems really good for the price, but I have two main issues:
- Cloud-only approach, where I can only access it through their servers (there is also a p2p connection mode from what I read, but it doesn't come handy). Triggers privacy flags.
- Motion detection lacks configuration in terms of the duration of the recording. I end up having always 9 seconds fragments (if there is a way to configure this I haven't found it)
@Theliel, can you share your hack? Maybe someone can help you...
@Theliel, it would be awesome if you could share what you have so far. I'm also looking forward for RTSP support and would love to help.
Can anyone share the image of the PCB inside this camera ?
> Looking forward to RTSP server :)
> Camera seems really good for the price, but I have two main issues:
> - Cloud-only approach, where I can only access it through their servers (there is also a p2p connection mode from what I read, but it doesn't come handy). Triggers privacy flags.
> - Motion detection lacks configuration in terms of the duration of the recording. I end up having always 9 seconds fragments (if there is a way to configure this I haven't found it)
If you put an SD-card, it will unlock the copy to a windows share and records are longer than the free cloud records.
> Can anyone share the image of the PCB inside this camera ?
I have a MJSXJ02CM that I don't mind opening to take photos if that helps porting the hack to this camera. Is this the case?
Still had to open it up, I'm trying to get to a serial console. Here's some pictures.
I was able to get to a serial console, it has access to U-boot and a Linux shell. As far as I can tell the shell is not restricted (in terms of permissions), and I was also able to run busybox from the SD Card.
I still didn't find where we can grab a stream to feed an RTSP server.
I'm currently working on a way of running code on startup that doesn't require tearing down the camera (through the SD card).
I'll be sure to share with you as soon as I have something you can try. I'm not used to embedded systems, so this might take a few days...
Hi guys,
Again, my time is very limited. I have no problem with sharing any information, but for responsibility, I have not published anything until I'm sure I do not break the cameras.
@telmomarques I have already told you about the "problem" with gaining shell access from the SD card. Script code can be executed, but we need:
- The script must be compressed and stored; no problem here.
- The MD5 of the compressed file; good too. Copy it into a new file called md5sum.dat.
- SIGN md5sum.dat with the private key that we don't have :), so that is the problem.
The firmware can check the signature with the public key inside the firmware, so only the private key from Xiaomi can sign the MD5 correctly.
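The check described in this comment and in the earlier "factory key" update, as an added sketch that is not code from the thread or from the camera's firmware: it shows why an edited archive is rejected without the signing key. The padding format, the hex-text hash, the file name `run.sh` and the toy RSA keys (built from Mersenne primes, standing in for the vendor key) are all assumptions.

```python
import hashlib
import hmac
import io
import tarfile

E = 65537  # common public exponent (assumption; the thread does not give it)


def toy_keypair(p, q):
    """RSA key from two known primes: returns (public, private)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))


# Constructed keys built from Mersenne primes. They stand in for the vendor
# key pair and for "any other key"; they are not real keys and not secure.
VENDOR_PUB, VENDOR_PRIV = toy_keypair(2**521 - 1, 2**607 - 1)
OTHER_PUB, OTHER_PRIV = toy_keypair(2**127 - 1, 2**521 - 1)


def rsa_sign(msg, priv):
    """Pad as 00 01 FF..FF 00 || msg (PKCS#1 v1.5 style), then apply d."""
    n, d = priv
    k = (n.bit_length() + 7) // 8
    em = b"\x00\x01" + b"\xff" * (k - len(msg) - 3) + b"\x00" + msg
    return pow(int.from_bytes(em, "big"), d, n).to_bytes(k, "big")


def rsa_recover(sig, pub):
    """Apply the public key and return the signed payload, or None."""
    n, e = pub
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(sig, "big")
    if s >= n:
        return None
    em = pow(s, e, n).to_bytes(k, "big")
    sep = em.find(b"\x00", 2)
    if em[:2] != b"\x00\x01" or sep < 10 or em[2:sep] != b"\xff" * (sep - 2):
        return None  # not something the matching private key produced
    return em[sep + 1:]


def make_archive(script):
    """Constructed sample input: a tar holding one script."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo("run.sh")  # hypothetical file name
        info.size = len(script)
        tar.addfile(info, io.BytesIO(script))
    return buf.getvalue()


def md5_hex(data):
    """MD5 of the archive as hex text (assumed content of md5sum.dat)."""
    return hashlib.md5(data).hexdigest().encode()


def device_accepts(archive, signed_md5, pub=VENDOR_PUB):
    """Decode the signed hash with the public key, then compare MD5s."""
    stored = rsa_recover(signed_md5, pub)
    return stored is not None and hmac.compare_digest(stored, md5_hex(archive))


def demo():
    original = make_archive(b"#!/bin/sh\necho vendor script\n")
    changed = make_archive(b"#!/bin/sh\necho edited script\n")
    vendor_sig = rsa_sign(md5_hex(original), VENDOR_PRIV)
    other_sig = rsa_sign(md5_hex(changed), OTHER_PRIV)
    return {
        "vendor archive, vendor signature": device_accepts(original, vendor_sig),
        "edited archive, old signature": device_accepts(changed, vendor_sig),
        "edited archive, signed with another key": device_accepts(changed, other_sig),
        "edited archive, plain unsigned hash": device_accepts(changed, md5_hex(changed)),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

Only the first case is accepted: the comparison binds the archive to the hash, and the public-key step binds the hash to the holder of the private key.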
This camera is now available in Google home (just for information)
> > Looking forward to RTSP server :) Camera seems really good for the price, but I have two main issues:
> > - Cloud-only approach, where I can only access it through their servers (there is also a p2p connection mode from what I read, but it doesn't come handy). Triggers privacy flags.
> > - Motion detection lacks configuration in terms of the duration of the recording. I end up having always 9 seconds fragments (if there is a way to configure this I haven't found it)
> If you put an SD-card, it will unlock the copy to a windows share and records are longer than the free cloud records.
Thanks! I already have an SD card, so I thought records were directly stored in the SD card itself and not in the cloud. I will try your suggestion of setting up a windows share instead :)
> This camera is now available in Google home (just for information)
The 1080p 360 camera? (jtsxj01cm) what server did u use in mihome app?
Mi Home mainland China and the camera is the mjsxj02cm
I've found a way of running scripts from the SD Card, I've uploaded the "hack" to this repo: https://github.com/telmomarques/xiaomi-360-1080p-hacks
Please note a few things:
- This is for the MJSXJ02CM camera only! Please confirm your camera model.
- This does not provide anything that is "consumer-ready" yet!
- Only telnet access for now, but that will hopefully enable people with more knowledge than me to set up an RTSP server (I still didn't find the stream to attach the RTSP server...)
- The repo is still very basic, but I'll add additional information in the next days. This was a first for me, I've learned a lot and want to share everything I can.
> This camera is now available in Google home (just for information)
Can confirm. Using server - mainland china Had to unlink and link Mi Home again, but now it's working.
What can you do with it though? Other than streaming it to your chromecast?
> > This camera is now available in Google home (just for information)
> Can confirm. Using server - mainland china Had to unlink and link Mi Home again, but now it's working.
> What can you do with it though? Other than streaming it to your chromecast?
Nothing at the moment, I think. Maybe move the camera, but I haven't really tested it at this time
It seems that I have the JTSXJ01CM model, which seems to be the same thing but apparently isn't. It's not working with Google Home at the moment, what a shame. Maybe forcing the mjsxj02cm firmware somehow could make it work(?), I suspect it has the same innards
> maybe forcing the mjsxj02cm firmware somehow could make it work(?), I suspect it has the same innards
According to a google search the JTSXJ01CM's SoC is an Ambarella S2Lm. Not the same as MJSXJ02CM, unfortunately.
> > > This camera is now available in Google home (just for information)
> > Can confirm. Using server - mainland china Had to unlink and link Mi Home again, but now it's working. What can you do with it though? Other than streaming it to your chromecast?
> Nothing at the moment, I think. Maybe move the camera, but I haven't really tested it at this time
Based on this - it seems that you can just stream the camera
For what software version of the camera MJSXJ02CM does the hack work?
> For what software version of the camera MJSXJ02CM does the hack work?
Right now only tested on 3.4.2_0062 (it's the tf_recovery.img mentioned here https://en.miui.com/thread-3547398-1-1.html)
At this point I don't know if it works on newer versions of the firmware, will eventually test it.
I answered it a long time ago. It is possible to apply this access ONLY AVAILABLE in the factory firmware, in any other version, the procedure that I have explained previously is required.
The problem is that it is necessary to sign the md5 hash of the script, and that requires the private key, which obviously we do not have.
One possible option would be to replace the private key with another generated pair in the binary itself, but this would imply creating different binaries in each update. Another option would be to try to overwrite the private key (this is what I am working on) when the update is started / terminated, even if it implies starting from the factory version.
> One possible option would be to replace the private key with another generated pair in the binary itself
The u-boot flashing procedure verifies a signature in the firmware, using libsodium. To flash a modified firmware we would also need to sign it.
This is a log of me trying to flash a modified firmware:
```
read file start
reading tf_recovery.img
read len = 0, actlen = 16318544
data check start
Verifying singature using libsodium
Hashing 1048576 bytes, 0 %
Hashing 1048576 bytes, 6 %
Hashing 1048576 bytes, 12 %
Hashing 1048576 bytes, 19 %
Hashing 1048576 bytes, 25 %
Hashing 1048576 bytes, 32 %
Hashing 1048576 bytes, 38 %
Hashing 1048576 bytes, 44 %
Hashing 1048576 bytes, 51 %
Hashing 1048576 bytes, 57 %
Hashing 1048576 bytes, 64 %
Hashing 1048576 bytes, 70 %
Hashing 1048576 bytes, 77 %
Hashing 1048576 bytes, 83 %
Hashing 1048576 bytes, 89 %
Hashing 589824 bytes, 96 %
Final...Failed
```
Maybe there's a way of working around this without replacing the boot loader?
> It is possible to apply this access ONLY AVAILABLE in the factory firmware
That might be the case (I still haven't confirmed for myself), but since we can work on something using 3.4.2_0062, and downgrading is a very simple procedure, no need to sit still.
> The u-boot flashing procedure verifies a signature in the firmware, using libsodium. To flash a modified firmware we would also need to sign it.
I see some keys for mstar controller in the below repo. Will it help? https://github.com/dipcore/mstar-bin-tool
> > It is possible to apply this access ONLY AVAILABLE in the factory firmware
> That might be the case (I still haven't confirmed for myself)
Confirmed, exploit works in 3.4.2_0062 only.
> I see some keys for mstar controller in the below repo. Will it help?
Thank you very much for the link! I've taken a look but this is really out of my knowledge scope. To follow this lead I'd have to study packing, unpacking and signing the firmware in more detail; but right now I'm more interested in getting an RTSP server up and running. Maybe in the future I'll look into it.
As a side note, because I don't want to spam this repo (this repo is not related to MJSXJ02CM camera) I've opened an issue on https://github.com/telmomarques/xiaomi-360-1080p-hacks/issues/7 You're all welcome to follow me there, if you wish to!
hello,any news?
@telmomarques the serial port is in TP TN TXO and RXO pads ? how do u get that ?
@j0se serial is TX0 and RX0 pads.
Steps:
- Get a USB FTDI adapter
- Connect TX0 (camera) to RX (USB FTDI)
- Connect RX0 (camera) to TX (USB FTDI)
- Connect USB UART to computer
- Download putty and open the COM port registered by the USB FTDI device
- Connect the camera to the USB power cable; you should see the boot log in putty
If you press any key during boot you will enter uboot prompt, if you do nothing you'll be dropped to a linux shell. If you just want to get to the linux shell check my repository, there's a way of getting there through telnet, without opening the camera.
Hello @Theliel, do you maybe have good news about the Mijia 360 1080p camera (MJSXJ02CM)? Did you manage to finally hack it and configure the RTSP server? I am waiting for your message about the hack, so I can add the camera to HomeKit
Hi! Any news?
> Did you manage to finally hack it and configure the RTSP server?
Here's a link for the MStar SDK (MSC313 and MSC316): MStar MSC3XX SDK.zip
This is for the 360º 1080P camera!
Some notes:
Download at your own risk. The only thing I added was the english translation of the docs.
The OS provided on the camera by Xiaomi is heavily modified (relative to the SDK). Binaries compiled with the SDK don't play along with the camera's shared libraries.
Finally, I'm sharing this here because I figured this issue might have greater visibility than my repo. If someone is looking they may end up here first.
FWIW The SDK (assuming it's the same one I got from taobao) you have doesn't actually seem to match most of the MSC313E cameras that are in the wild. The SDK is for the "infinity 1" platform but the MSC313E according to all of the IPL blobs and kernels I have seen is called "infinity 3". The SDK does reference the infinity 3 but it doesn't have the IPL blobs for it.
I ported a mainline kernel to the MSC313E based on what I found in that SDK so the hardware is at least very similar but I wouldn't try too hard to make what is in the SDK match up with what you see in actual firmware images.
hello, in what state is the integration for mijia 360? I read many different answers but I do not know if there is a real solution
Status?
There's currently a very, very experimental solution to provide RTSP on the xiaomi 360 camera. Anyone interested please feel free to check out my repo or join us on telegram: https://t.me/mijav4RTSP
I'm going to stop posting updates on this issue, because this repo is for a different camera and I don't want to spam it :)
> I don't have the MJSXJ02CM yet, but I already have some interesting stuff...
> Platform: MSC313E Sensor: SC2235
> The bad news:
> MJSXJ02CM uses Android-based firmware and a different platform; the new camera uses ARM MStar. The old SD card entry point is useless now, although the partition layout is similar. The MJSXJ01CM hack won't work.
> Telnet/SSH is disabled and no binary is present.
> The good news:
> At a preliminary glance, we will have much easier script execution at boot time. With script execution, we should be able to do the rest.
> My next steps, once my camera arrives:
> 1. Check if I can confirm all this
> 2. Check if ADB is working, maybe another easy shell access
> 3. Check script execution at boot time
> If it works:
> 4. Cross-compile tools to work with the new platform
> 5. We can reuse/adapt the MJSXJ01CM scripts
@Theliel
Hi Theliel, I need your help regarding the MSC313E chip. Can you please share the MSC313E datasheet and other necessary details with me?
I am a newbie to the MSC313E and have started to understand the initial-level details. I didn't find any useful information on the internet.
It will be much appreciated if you share any useful details of the MSC313E, i.e. links, docs, SDK details, etc.
Regards, Jaymin
> It will be much appreciated, if you share anything useful details of MSC313E, i.e. link
http://linux-chenxing.org/ https://github.com/breadbee/breadbee
Hi @jaymindabhi!
There's already an exploit for MJSXJ02CM, if you want to check it out: https://github.com/telmomarques/xiaomi-360-1080p-hacks
You can also join the telegram group, you can find the link in the issues of that repo! We're currently working on a RTSP prototype.
Lots of info also in the sdk: https://github.com/ghoost82/mijia-720p-hack/issues/10#issuecomment-478371474
> > It will be much appreciated, if you share anything useful details of MSC313E, i.e. link
> http://linux-chenxing.org/ https://github.com/breadbee/breadbee
Thanks @fifteenhex for sharing the links.
> Hi @jaymindabhi!
> There's already an exploit for MJSXJ02CM, if you want to check it out: https://github.com/telmomarques/xiaomi-360-1080p-hacks
> You can also join the telegram group, you can find the link in the issues of that repo! We're currently working on a RTSP prototype.
> Lots of info also in the sdk: #10 (comment)
Hi @telmomarques ,
Thank you for sharing the worthy information, it will be much helpful for me.
I have a camera with this code: cmsxj03c. After plugging in the USB cable the light is yellow and constant. I cannot do anything with the camera; it is not responding to the reset button. Is there any possibility to make it run?
Hello , which patch can crack this camera?
https://a.aliexpress.com/sPntZn3P5
Is there any hope to launch RTSP on MJSXJ05CM?
Where can I find the Hack with RTSP for MJSXJ02CM?
Can you help me please?
> Where can I find the Hack with RTSP for MJSXJ02CM?
> Can you help me please?
https://github.com/ghoost82/mijia-720p-hack/issues/10#issuecomment-549752233
RTSP is in closed beta, will be released to the public shortly.
That sounds great, thank you very much.
> > Where can I find the Hack with RTSP for MJSXJ02CM? Can you help me please?
> RTSP is in closed beta, will be released to the public shortly.
Hey @telmomarques , any updates here?
@muammercakir
https://github.com/ghoost82/mijia-720p-hack/issues/10#issuecomment-549752233
> Is there any hope to launch RTSP on MJSXJ05CM?
Bump?