
Wyze Cam firmware to Xiaofang?

Open kulokoy opened this issue 8 years ago • 67 comments

Hi, just wondering if it's possible to use the Wyze Cam firmware on the Xiaofang camera? I've seen the demo of the product and it's literally the same as the Xiaofang except for the app, which is a modified Mi Home in an English version, which is nice and working well.

https://www.wyzecam.com/product/wyze-cam/

It's only available in the US, so Americans who bought a Xiaofang cam before are lucky that they can buy a properly working security camera without problems with security and geo-blocking. Hope somebody can port the Wyze FW to the XiaoFang cam.

kulokoy avatar Oct 25 '17 07:10 kulokoy

I'm sure it runs as it's the same hardware but they will likely block device-id if it's not sold by them (same as iSmartAlarm).

I've contacted them to ask about open-source community/support. It would be nice to join forces, as they do sell a device that makes extensive use of open-source software (Linux) already.

samtap avatar Oct 25 '17 08:10 samtap

That's what I thought; it could be the same as the iSmartAlarm that they're selling here in Europe, but at a 3x higher price than the Wyze cam. Hopefully someone could port it to the Xiaofang. As you said, it's better if they provide the open-source code of the FW.

kulokoy avatar Oct 25 '17 08:10 kulokoy

I really hope someone could make this happen - port the Wyze firmware to Xiaomi cameras, because I have 3 cameras at home that do not work.

tomsbrinkis avatar Oct 31 '17 10:10 tomsbrinkis

According to Wyze they're using the same design, but different components inside. Someone should do a teardown guide with pics so we can check the differences. I doubt there are many differences, perhaps a different wifi chip?

samtap avatar Oct 31 '17 11:10 samtap

Hi everyone, I was previously unfamiliar with this project, but I scooped up one of the Wyze cams and it arrived last night. I disassembled it to see what was inside, and took some photos of the journey. Hopefully they can be of some help in figuring out if this camera will be compatible. The photos are in an imgur album. Let me know if you have any questions on the hardware side!

jat255 avatar Nov 01 '17 16:11 jat255

Thanks, looks identical and even has the same PCB markings like iSC, which clearly refers to iSmartAlarm Cam or whatever. Would you happen to have an FTDI USB adapter to connect to the GND, TX, RX visible here: https://i.imgur.com/s4LAp5V.jpg (you don't even need to solder wires if you can get them through the holes, a c-grid header works great). That would allow capturing the boot log and checking for fw differences. I don't believe the price of only 20 bucks allows for any research/development, so it's likely just config stuff to use their cloud/app instead of Xiaomi/iSmartAlarm.

samtap avatar Nov 01 '17 16:11 samtap

Unfortunately, I don't... I've never done any sort of bare PCB/firmware hacking type stuff, so even taking apart the camera was a little bit of a learning experience. Fortunately it still worked when I put it all back together.

I agree with you though, unless they have some sort of massive VC funding, I can't see how they would rewrite a bunch of code for this with such a low price point.

jat255 avatar Nov 01 '17 16:11 jat255

Actually, I forgot I have a couple of these: https://docs.getchip.com/chip.html#pin-headers

I bought two of them but never really got around to using them for anything. Would that work? I'd need a decent amount of hand-holding, clearly.

jat255 avatar Nov 01 '17 16:11 jat255

It's probably doable with the device you linked, if you can flash the right software on it. You can get ready-to-use stuff for things like Arduino or esp8266, but I'm not familiar with the CHIP board.

Edit: I took a closer look and it seems to be some kind of Raspberry Pi clone. So if you have Linux and SSH running on it, you can probably attach some wires between the UART1 pins and the camera and use something regular like GNU screen or minitel on Linux instead of the more low-level software that Arduino/esp8266 would need.

samtap avatar Nov 01 '17 17:11 samtap

While it sounds like a fun project, I'm not sure I'll have time to get around to trying to hack it together. Hopefully someone with some more hardware abilities will come along.

jat255 avatar Nov 03 '17 22:11 jat255

Is it possible to run this hack on the Wyzecam hardware? I push prepared the sdcard, put it in after the device boot, and I heard the sound, and in "/cgi-bin/hello.cgi" I can see the sdcard content ("snx_autorun.sh" etc.); however, the status page gives 404.

Can you share how you found out that "snx_autorun.sh" is what it runs at boot for fang? Maybe Wyzecams are using a different name for the startup script?

wsmlby avatar Nov 05 '17 00:11 wsmlby

Mine has shipped. Will tear it down once I get it.

ril3y avatar Nov 05 '17 04:11 ril3y

FCC submissions can be seen here: https://fccid.io/2ANJHWYZEC1/Internal-Photos/Internal-Photos-3565884

The partner company creating them is: http://www.hualaikeji.com/en

dustinsterk avatar Nov 06 '17 19:11 dustinsterk

@dustinsterk I guess I didn't have to tear mine apart, then... 😄

Also, this is totally unrelated, but I found this entertaining: image

jat255 avatar Nov 06 '17 19:11 jat255

@jat255 your pictures are much clearer! :)

dustinsterk avatar Nov 06 '17 19:11 dustinsterk

The snx_autorun.sh 'backdoor' was pretty obvious and easy to find by reading the scripts of the original XiaoFang. Because it was so easy to get basic access to the cam, figuring out how other stuff works didn't take much effort. By now, we know all the details and can just build our own firmware, that doesn't require snx_autorun.sh to kickstart things. Bits and pieces of how to do this are unfortunately scattered across lots of github issues, wiki etc, but people have been able to build their own firmware (i.e. @ykhandler). I would be surprised if you can't just flash this to a WyzeCam and make it work (wifi may require a different driver). Obviously you won't be able to connect with their cloud, but fang-hacks should work fine.

My goal isn't to build my own firmware and never has been. I prefer running stuff off the sdcard as I don't have to worry about limitations of internal flash, opening up a lot of possibilities. One of them is higher potential for re-use on other cams.

samtap avatar Nov 07 '17 21:11 samtap

Right, we have the SDKs and the build scripts from the vendor, but what mechanism is there to actually flash it to the device? I am not talking auto_run.sh trickery, but a camera out of the box without opening it up. Did I miss something? Is this known? BTW, I got my Wyze last night. Hope to play with it this weekend.

ril3y avatar Nov 09 '17 11:11 ril3y

Where did you get the SDKs from? Which vendor?

kvcoates avatar Nov 09 '17 12:11 kvcoates

I found the SDK on a Chinese filesharing site like MediaFire. This was from the company that makes the SoC. I have seen links to other SDKs on other issues.

ril3y avatar Nov 09 '17 12:11 ril3y

Can you share the link/files with me, please?

kvcoates avatar Nov 09 '17 13:11 kvcoates

@ril3y It runs uboot so you simply provide a firmware image on sdcard (FIRMARE_660R.bin) and it is flashed before boot. The only modification required for fang-hacks is in the boot scripts: prevent it from starting iCamera and instead run the fang-hacks.sh script (which in turn mounts and starts stuff on sd-card, if present). If you intercept a firmware update, extract the image and modify some bootscripts, add fang-hacks.sh etc, repackage it, you don't even need to build a complete fw image with the SDK.

samtap avatar Nov 09 '17 13:11 samtap

@PatrickM have you verified this? The repackaging / reflashing part? The uboot Firmware_660.bin is specific to the fang bootloader code, I assume, then. Who knows what other cameras with the same hardware have compiled. Has someone done this?

@kvcoates I will look around tonight for you.

Thanks.

ril3y avatar Nov 09 '17 13:11 ril3y

@ril3y Nope, not me, but I've seen others, like I mentioned before. The problem is with the rest of the stuff, i.e. the Xiaomi binaries won't work on a Wyze cam; you'd have to obtain an original fw image for all cams and modify it the same way. So what I really need is an image that only contains some updates for /etc and leaves the rest as is. Not sure if that can even be done from uboot. The official OTA updates are flashed using an application, not via uboot.

samtap avatar Nov 09 '17 13:11 samtap

I'll just leave this here...

https://d1fk93tz4plczb.cloudfront.net/UpgradeKit/1508232228/img_wyze_snx_sys_3.9.1.42.img

lokkju avatar Nov 11 '17 10:11 lokkju

@lokkju Great, except it's not loading? Might just be having the Saturday morning blues! How did you load the ISO onto the camera?

kvcoates avatar Nov 11 '17 11:11 kvcoates

Hello guys, I'm slightly confused. Is the aim to get fang-hacks to work on the Wyze or to get the Wyze firmware on the Xiaomi Xiaofang in order to use Wyze's app? I'd love to put Wyze's firmware on mine and use their app, but also put the SD card in with fang-hack to stream RTSP.

tam481 avatar Nov 14 '17 14:11 tam481

I have dug in a little with their app/API calls. Being able to load their firmware onto a non-Wyze-specific device may prove challenging, nor am I advocating/suggesting this, as it is an exploit of their cloud infrastructure. The app calls seem to pass a bunch of metadata and the MAC address of each camera along with some camera-specific identifiers. I would assume each camera also has private keys for encryption to access video on AWS.

Personally, I would rather focus on unlocking RTSP and SFTP on the existing Wyze hardware so that you have the ability to use their device with or without the AWS cloud integration.

dustinsterk avatar Nov 14 '17 14:11 dustinsterk

All versions of the cam (iSmart/Xiaomi/Wyze) presumably use the same mechanism to pair with the cloud: some unique identification stored in nvram. You can easily clone that to a different cam, but you can't connect two cams with the same ID to a cloud. One will simply get disconnected when the other one connects. Even if you're able to generate correct IDs yourself, you are effectively exploiting their cloud infrastructure. The cloud infrastructure you don't own or pay for, but are allowed to use free of charge. By doing this, you are risking that even more blocks and feature limits are put into place for the rest of us.

samtap avatar Nov 14 '17 15:11 samtap

For $19.99 (plus shipping), honestly the camera and apps work incredibly well... Wyze did a fantastic job and I hope they continue to gain market share. I 100% agree with you that no one should work to exploit their infrastructure; they already have an incredible product for the price - just buy direct from them!

My fear is that they have undercut their pricing too far to obtain users and with the included 14 day AWS storage the company will not survive. Enabling RTSP and other functionality will ensure these devices will remain useful should something like this happen (and I really hope it does not).

dustinsterk avatar Nov 14 '17 15:11 dustinsterk

Has anyone connected to the hardware on the Rx Tx pins via serial cable? If so, is the root password the same as xiaofang?

dustinsterk avatar Nov 15 '17 22:11 dustinsterk