
Only mainland China: how to unlock camera for EU?

Open walterkaos opened this issue 7 years ago • 266 comments

Dear users, I bought a Xiaofang camera without paying attention to the country. Now, my camera can only operate from China IP when connected. Since I want to use the camera from Europe, this is banned! How can I update the firmware to unlock the region ban?

walterkaos avatar May 12 '17 20:05 walterkaos

I have the same issue

jak0lantash avatar May 12 '17 21:05 jak0lantash

The same for me! Please, a hack for this.

gmruiz avatar May 13 '17 08:05 gmruiz

On all but one of mine, you can still install the Chinese setup app. Go through the setup process and install the mod via TF card.

Don't worry too much if it says "mainland china only" or some such.

milesburton avatar May 14 '17 10:05 milesburton

New cameras are blocked from using mi home cloud outside China. You can still use the app to connect the camera to wifi and then apply the hacks by inserting sd-card and using the status web-page. I've got one of these new cams and confirmed this works, also with the latest 3,0,4,9 firmware.

Please report here if you have a different experience. Include mi home version, iOS/Android, firmware version and camera model (pinhole or lever reset button).

samtap avatar May 14 '17 14:05 samtap

Applying the hack worked flawlessly for me after initial setup on 3.0.4.9 via mi home, despite the camera being geoblocked ("only used in mainland china") by Xiaomi.

jak0lantash avatar May 14 '17 15:05 jak0lantash

It seems there is a hack for the same problem on another Xiaomi camera: https://diy.2pmc.net/solved-xiaomi-xiao-yi-ant-home-camera-can-used-china/ Is someone able to transpose it to XiaoFang?

sfornengo avatar May 16 '17 20:05 sfornengo

Good spot, I'll look into this when I get a chance

On Tue, May 16, 2017, 21:06 sfornengo wrote:

> It seems there is a hack for the same problem on another Xiaomi camera: https://diy.2pmc.net/solved-xiaomi-xiao-yi-ant-home-camera-can-used-china/ Is someone able to transpose it to XiaoFang?


-- Regards, Miles Burton

milesburton avatar May 16 '17 20:05 milesburton

So for me, I was able to use the mi home app (4.0.11, android) with my new camera (MAC 34:xx...+QR on bottom+button instead of this needle push thing there), but I'm still on FW 3.0.3.56. Does this "workaround" still work if I update the camera to 3.0.4.9?

However I'm going to flash the hack this evening, the Mi Home app isn't that great imho.

ChavezD avatar May 17 '17 12:05 ChavezD

I hacked the camera and got the log.txt. When I used the USA VPN it didn't work, "mainland china only", log is wahaha.txt; when I used the China local net it worked, log is chinangb.txt. I can't find the differences between them.

wahaha.txt chinangb.txt

wahaha2017 avatar May 17 '17 15:05 wahaha2017

Connect Server g_stTutkUserServerInfo.nLoginFlag = 0XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX nLoginRet -10 <><><><><><><><><><><><><><><><><><><><><><><><>88888888888888888888:TUTK LOGIN ER UNLICENSE

How can I fake the response???

wahaha2017 avatar May 17 '17 15:05 wahaha2017

I don't really have any interest in circumventing the region check, the goal of this project is to create an open-source alternative firmware that doesn't require any of the Xiaomi stuff.

But for those interested to hack the region block:

  • It appears the old version is accepted regardless of cam firmware and mi home version. These can be recognized by not having a QR code on the base. The wifi chip is sourced from some Shenzhen supplier and the MAC address does not match the MAC address in device.conf (28:XX...) used for identification with cloud services.
  • The new version has a wifi chip from Xiaomi with MAC address that matches the one set in device.conf (34:XX...). Now the interesting bit: device.conf does not exist on a virgin camera. It is created by iCamera when it starts, way before a wifi connection is up or Mi Home is involved. (iCamera is the executable running on the cam doing all the work). Ergo: If you can make a new cam appear like an old cam, by providing a device.conf with a 28:XX MAC, it will be accepted by Mi Home.
  • The MAC address on wlan0 is set by iCamera when it starts so spoofing it before it starts is useless (i.e. run 'strings iCamera |grep ifconfig'). I believe from that point forward, the MAC address is stored in memory of iCamera, spoofing after it starts has no effect (wifi works fine with a different mac, device.conf still contains 34: MAC).
  • Each time you press the setup button (required for pairing with Mi Home), device.conf is rewritten in case you messed with it. It writes the 34 MAC regardless of the MAC used by wlan0 at that time. A device.token is written when Mi Home starts the pairing process, it is different each time. When making device.conf inaccessible, iCamera enters an infinite loop and doesn't proceed with pairing. Messing with it too much during pairing simply causes the pairing process in Mi Home to timeout and you have to start from scratch. Ergo: iCamera has a way to retrieve the MAC address which is not simply reading ifconfig HWaddr. It is also unlikely stored in some kind of file as that would require them to flash each cam with a different file as they are produced, possible but unlikely (and I could find no evidence of such file). It is not provided by Mi Home or cloud services either since it's used to configure wlan0 before any pairing is initiated.
  • Interestingly, the MAC is stored in the 'serial' field of the USB device descriptors provided by the wifi chip. And iCamera happens to link with libusb....! I can't think of any other reason they would need libusb besides accessing the wifi device. I've added some debug probes in libusb in the most likely places: functions that return the serial descriptor. Those didn't get hit. But there're still many other calls that are more low-level and could equally be used to retrieve the serial.

Conclusion: If somebody would build a custom libusb that rewrites the serial in case it starts with 34 before returning it to caller, it might trick iCamera into thinking it is running on an old cam.

samtap avatar May 17 '17 16:05 samtap
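An added diagnostic for the observations in the comment above (not part of the thread or of fang-hacks): it reads, without changing anything, the wlan0 address, the USB `serial` strings and a MAC found in device.conf, and reports whether they agree. The sysfs paths are standard Linux; the device.conf location and layout, the serial's hex format and the sample addresses are assumptions.

```sh
#!/bin/sh
# Added diagnostic, read-only. device.conf layout and serial format are assumed.

# Strip separators and lowercase so "34:00:..." and "3400..." compare equal.
norm_mac() { printf '%s' "$1" | tr -d ':. -' | tr 'A-F' 'a-f'; }

# Hardware revision as described in the thread, keyed on the MAC prefix.
mac_generation() {
    case "$(norm_mac "$1")" in
        28*) echo old ;;
        34*) echo new ;;
        *)   echo unknown ;;
    esac
}

# First colon-separated MAC found in a file (assumed device.conf layout).
conf_mac() {
    grep -oiE '([0-9a-f]{2}:){5}[0-9a-f]{2}' "$1" 2>/dev/null | head -n 1
}

# Print the USB serial string that equals the given MAC, if any device has one.
usb_serial_for_mac() {   # $1 = sysfs root, $2 = MAC
    for f in "$1"/bus/usb/devices/*/serial; do
        [ -r "$f" ] || continue
        s=$(cat "$f")
        if [ "$(norm_mac "$s")" = "$(norm_mac "$2")" ]; then echo "$s"; return 0; fi
    done
    return 1
}

# compare_ids <sysfs root> <iface> <device.conf path>
compare_ids() {
    hw=$(cat "$1/class/net/$2/address" 2>/dev/null) || { echo "no-iface"; return 2; }
    cf=$(conf_mac "$3")
    usb=$(usb_serial_for_mac "$1" "$hw") || usb=none
    echo "wlan=$(mac_generation "$hw") conf=$(mac_generation "$cf") usb_serial=$usb"
    if [ "$(norm_mac "$hw")" = "$(norm_mac "$cf")" ]; then echo "conf-matches-hw"
    else echo "conf-differs-from-hw"; fi
}

# Constructed sample tree (made-up addresses) for trying the functions offline.
make_sample_tree() {   # $1 = empty directory
    mkdir -p "$1/class/net/wlan0" "$1/bus/usb/devices/1-1"
    echo "34:00:00:aa:bb:cc" > "$1/class/net/wlan0/address"
    echo "340000AABBCC" > "$1/bus/usb/devices/1-1/serial"
    printf 'mac=34:00:00:AA:BB:CC\n' > "$1/device.conf"
}

if [ "$#" -eq 3 ]; then compare_ids "$@"; fi
```

On a camera shell it would be called as `compare_ids /sys wlan0 <path to device.conf>`, with the path left for the reader to fill in.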

How can I get the open-source alternative firmware now?

wahaha2017 avatar Jun 09 '17 01:06 wahaha2017

Same here.

idostern avatar Jun 16 '17 08:06 idostern

same :( Cam FW 3.0.3.56 and iOS 3.17.0 Mi app

nykoo avatar Jun 16 '17 09:06 nykoo

@samtap Wouldn't it work to hard-code the MAC directly in the driver for rtl8188E, recompile it for ARM and replace the original one? Do you think the 28..... MAC address needs to be the actual MAC of a camera they produced (they have a DB with all their own MACs) or not? How could the community motivate you to circumvent the geo block? Regards

idaadi avatar Jun 19 '17 10:06 idaadi

I'm not interested in using the Xiaomi cloud stuff, there're many other things that need to get done... Since my previous post I noticed the mac is also stored in nvram so that may also play a role. I don't think the wifi driver is involved since I was able to spoof it and not get around the region block, and the older version has a 'fake' mac that doesn't match the hw mac but is used to identify with xiaomi cloud. I don't think they have a db with blocked mac, it's the mi home app that accepts or rejects the cam. If you use an older version of the app and block location services the cam is accepted (or, that's what I've been told).

samtap avatar Jun 19 '17 11:06 samtap

I have three cameras with MAC 34 and none of them works with the fang-hacks...

santianton avatar Jul 03 '17 06:07 santianton

Guys, me too. There's no solution. I have sent the product back to the Chinese online shop in order to be refunded.

walterkaos avatar Jul 03 '17 12:07 walterkaos

There is an EU solution https://www.ismartalarm.com/devices/cameras/spot/isa00013.html Only caveat is it costs 2x > https://www.leroymerlin.fr/v3/p/produits/camera-connectee-ismartalarm-e1500580033 Bought one discounted for 49 eur

zg2302vi avatar Jul 13 '17 10:07 zg2302vi

Is it possible to "export" the firmware of that camera? It would be great if we could upgrade the firmware of our xiaofang to the ismartalarm original firmware

carloslebreiro avatar Jul 13 '17 11:07 carloslebreiro

My configuration is Camera (MAC starts with 34) firmware 3.0.3.56 downgraded from this manual - https://github.com/samtap/fang-hacks/wiki/HowTo:-Flash-original-Xiaomi-firmware-from-sdcard-(factory-reset)#via-sdcard

Android Mi Home - version 4.0.11 :) from this link www.apkmirror.com/apk/xiaomi-inc/mihome/mihome-4-0-11-release/mihome-4-0-11-android-apk-download/

everything works.

TweedleMB avatar Jul 13 '17 12:07 TweedleMB

The above worked for me, 3.0.3.56 showing, getting video on mi home 4.0.11 tho motion sensing is patchy. Blue led flashing.

Damadgeruk avatar Jul 13 '17 19:07 Damadgeruk

@TweedleMB I have the same configuration but the app sees the camera only if on the same wifi. Over 3g the app doesn't see the cam. Is it the same for you? Does anyone know what TCP/UDP port the camera uses? Maybe I just need to better setup my router. Thanks!

Jumpertrekker avatar Jul 14 '17 16:07 Jumpertrekker

@TweedleMB and does that work fine via the HOME app also via 3G?

mp3llll avatar Jul 17 '17 10:07 mp3llll

Works over mobile data for me on Mi Home app.

Damadgeruk avatar Jul 17 '17 12:07 Damadgeruk

@TweedleMB and @Damadgeruk , I have installed 4.0.11 Mi Home App and my cam's firmware is 3.0.3.56 with hacks applied. I can do rtsp streaming. But I still cannot connect to my camera using MiHome App, even after disabling "stop-cloud" and "rtsp-server" services by following FAQ. The app is stuck at "Connecting (1/3)"

Are you saying that you are using the 4.0.11 Mi Home and 3.0.3.56 smoothly without applying the fang-hacks?

Thanks

ktanrtp avatar Jul 18 '17 02:07 ktanrtp

Be gentle, first post, and not a programmer. I have three of these cameras, 3x MAC code 34 ******. They all behave differently!

The first doesn't have a press button for the reset - it has a hole - this works with the MiHome app and I even managed to upgrade to 3.2.0.30 with no dreaded 'only works in China error' - still working, no errors.

The second has a push button for the reset and I upgraded the software believing from my previous experience with the first camera this would be ok - I got the dreaded 'only works in China error'. That brought me here to this thread and website - although I do not profess to be a programmer I can follow the SD format protocols and writing image files or working out what goes in a root directory etc. I created a downgrade microSD card to 3.0.3.56 and flashed the second camera. It now has 3.0.3.56 firmware but still reports 'only works in China error' and has the option to upgrade to 3.2.0.30 in the firmware update section. It took several attempts but I think the key is the duration of holding the reset button after reapplying power as mentioned above.

The third camera also has MAC code 34 ***** but I have never upgraded the firmware when prompted and this one works with the MiHome app with no errors.

Summary:
Camera 1 - earlier vrs, no button to reset (has a hole), MAC code 34 - currently 3.2.0.30 - working
Camera 2 - later vrs, button reset, MAC code 34 - currently upgraded to 3.2.0.30 then flashed to 3.0.3.56 - it has region code error
Camera 3 - later vrs, button reset, MAC code 34, never upgraded - currently 3.0.3.56 - working

My question/s are: Is the second camera now flashed to a point where the China region error cannot be removed ? If I use the fang hack would the MiHome app stop its remote functionality - appreciate that is the whole point to not use MI server to bounce/stream data - I'm looking at converting all three ultimately but want to try to recover camera number 2 so that if I want to revert to 'factory settings' I have the knowledge how to. I am using IOS vrs of MiHome 3.19.0 set to mainland China

With the different permutations I have it is quite easy to see why members are having difficulty as I have three cameras all behaving differently all with MAC code beginning 34 *****

Has anyone had any success in the email link when you get the 'China Region Error' Can anyone translate what this page is saying ? It 'appears' to request you take a photo of the base of the unit and email that to an address to request international use, has anyone tried this ?

My experience, so far, is that once the firmware upgrade is applied, although the downgrade can be applied the region error is retained ( see my comments above re camera 2 and camera three differences) I will try flashing camera 2 a few more times to see if it can be returned to factory settings and post my findings.

J450NC avatar Jul 19 '17 13:07 J450NC

Hi all dudes!

I'm trying to downgrade my xiaofang cam, but I don't know how long I must press the button or how to know when it is flashing the firmware... Is there an LED colour blink to detect that it is flashing, or how to know when it is rebooting after flashing?

munineo avatar Jul 20 '17 06:07 munineo

To Downgrade - Start camera, wait, scan with app to pair to wifi, wait, when nothing new is happening insert SD card and hold button down .... keep holding it down, voice says something in Chinese, keep holding button down, when she's finished speaking wait until the orange light stays on then let go of the button BUT DO NOTHING ELSE at this point leave the power on and WAIT once it is doing nothing new remove SD card and cycle the power. That's how I have been flashing mine to revert to lower firmware.

J450NC avatar Jul 20 '17 14:07 J450NC

Thx @J450NC downgrade done and cam with 34 MAC visible from Mi Home

munineo avatar Jul 20 '17 15:07 munineo