xiaomi-360-1080p-hacks
Support newer firmware versions
Newer firmwares disable the S49factory exploit. Another exploit needs to be found for newer firmware versions.
It is possible to manually flash the newer firmware and modify the data partition to load a custom script.
- Shell script to download and patch the current firmware:
#!/bin/bash
# download firmware
wget http://cdn.cnbj2.fds.api.mi-img.com/chuangmi-cdn/product/ipc016/firmware/IPC016_16.3.4.5_0081.zip
unzip -j IPC016_16.3.4.5_0081.zip
rm IPC016_16.3.4.5_0081.zip
# extract firmware content
mkdir -p firmware
dd if=tf_recovery.img of=firmware/kernel.bin bs=1 count=2162688
dd if=tf_recovery.img of=firmware/rootfs.bin bs=1 count=7667712 skip=2162688
dd if=tf_recovery.img of=firmware/data.bin bs=1 count=6488064 skip=9830400
rm tf_recovery.img
# patch jffs2 partition
sudo modprobe mtdblock
sudo modprobe mtdram total_size=6336
sudo dd if=firmware/data.bin of=/dev/mtdblock0 bs=1
mkdir mount
sudo mount -t jffs2 /dev/mtdblock0 mount
echo '#!/bin/sh' | sudo tee -a mount/bin/log_diag_platform.sh
echo '/mnt/sdcard/override.sh' | sudo tee -a mount/bin/log_diag_platform.sh
sudo chmod 755 mount/bin/log_diag_platform.sh
sudo umount mount
rmdir mount
sudo dd if=/dev/mtdblock0 of=firmware/data.bin bs=1
- Copy the new firmware to the sdcard and flash it to the camera via telnet/ssh:
dd if=/mnt/sdcard/kernel.bin of=/dev/mtdblock1
dd if=/mnt/sdcard/rootfs.bin of=/dev/mtdblock2
dd if=/mnt/sdcard/data.bin of=/dev/mtdblock3
- SDcard script:
/sdcard/override.sh
#!/bin/sh
if [ ! -f /tmp/.override ]; then
touch /tmp/.override
# start telnet server
/mnt/sdcard/busybox telnetd
fi
It is possible to manually flash the newer firmware and modify the data partition to load a custom script.
- Download current firmware 3.4.5_008
- Extract firmware files:
dd if=tf_recovery.img of=kernel.bin bs=1 count=2162688
dd if=tf_recovery.img of=rootfs.bin bs=1 count=7667712 skip=2162688
dd if=tf_recovery.img of=data.bin bs=1 count=6488064 skip=9830400
- Patch the data partition:
#!/bin/bash
# patch jffs2 partition
sudo modprobe mtdblock
sudo modprobe mtdram total_size=6336
sudo dd if=data.bin of=/dev/mtdblock0 bs=1
mkdir mount
sudo mount -t jffs2 /dev/mtdblock0 mount
echo '#!/bin/sh' | sudo tee -a mount/bin/log_diag_platform.sh
echo '/mnt/sdcard/override.sh' | sudo tee -a mount/bin/log_diag_platform.sh
sudo chmod 755 mount/bin/log_diag_platform.sh
sudo umount mount
rmdir mount
sudo dd if=/dev/mtdblock0 of=data.bin bs=1
- Flash the new firmware:
dd if=/mnt/sdcard/kernel.bin of=/dev/mtdblock1
dd if=/mnt/sdcard/rootfs.bin of=/dev/mtdblock2
dd if=/mnt/sdcard/data.bin of=/dev/mtdblock3
- SDcard script:
/sdcard/override.sh
#!/bin/sh
main() {
# start telnet
/mnt/sdcard/busybox telnetd
}
if [ ! -f /tmp/.override ]; then
touch /tmp/.override
main
fi
The data partition is both /dev/mtdblock3 and /dev/mtdblock0?
@elebeaup
The first two steps are for preparation and don't happen on the camera; only the flashing process needs to be done on the camera.
@none815 "Copy the new firmware to the sdcard and flash it to the camera via telnet/ssh"
You flash firmware via telnet/ssh to enable telnet, or am I missing something here? ;)
@rezmus I think you must downgrade the camera firmware to 3.4.2_0062 and install the hacks and after you can upgrade to a new firmware release via telnet
are you sure? this github hack was done for ipc009 camera (MJSXJ02CM), and firmware from this thread is for ipc016 (CMSXJ16A). imi/chuangmi has ~20 cams (~10 360/1080p) and soc in any of them may be same or different to ipc009.
Steps are:
- Downgrade firmware
- Install the hacks
- Use the hacks to access camera via telnet
- Flash newer firmware (patched) using dd
You just need to make sure to have the correct newer firmware (patched) for your camera.
P.S. as of this moment I haven't provided a patched latest version of the firmware for the MJSXJ02CM, as I didn't work on this subject yet.
I have found 2 versions available for IPC009 model: http://cdn.cnbj2.fds.api.mi-img.com/chuangmi-cdn/product/ipc009/firmware/IPC009_3.4.6_0213.zip http://cdn.cnbj2.fds.api.mi-img.com/chuangmi-cdn/product/ipc009/firmware/IPC009_3.5.1_0217.zip
Currently when checking my camera with the Mi Home app, it shows that the newest version is 3.4.6_213. So I decided to use this version. On the first attempt, the camera bricked when I was flashing rootfs.bin (don't know why). I had to recover the camera with the vulnerable version 3.4.2_0062. On the second attempt, I put the camera to sleep first. The flashing process went well. The camera operates normally with the patched firmware. No more update prompted on the app. I haven't confirmed the 3.5.1_0217 version yet, but I've checked the file systems. It seems they have updated some parts, but not many changes.
Update: I will NOT recommend using version 3.5.1_0217. It has some minor updates but some script files in /etc/init.d/ will try to "umount /mnt/sdcard" upon finishing. Therefore if you place your hack scripts on /mnt/sdcard, they won't work. So to use 3.5.1_0217, you have to remove all "umount /mnt/sdcard" points in its init.d scripts.
Apparently there are 2 ways of patching the firmware:
- The way @elebeaup did: inject your code into <data.bin>/bin/log_diag_platform.sh. It will work, but normally you will have to wait about 5 minutes after the camera restarts because this script is executed by crontab at a 5 minute interval.
- Instead of patching the data partition, you can patch rootfs to make it behave just like version 3.4.2_0062:
apt-get install squashfs-tools
unsquashfs rootfs.bin
# Replace squashfs-root/etc/init.d/S49factory with the same one on version 3.4.2_0062
mksquashfs squashfs-root rootfs_patched.bin -comp xz
/etc/init.d/S49factory on version 3.4.2_0062
#!/bin/sh
#must to verify the sdcard
if [ -f /mnt/sdcard/manu_test/manu.sh ]
then
touch /tmp/factory_mode
/mnt/sdcard/manu_test/manu.sh
fi
then flash rootfs_patched.bin to /dev/mtdblock2 of the camera.
none815, how did you find count values for dd?
dd if=tf_recovery.img of=firmware/kernel.bin bs=1 count=2162688 dd if=tf_recovery.img of=firmware/rootfs.bin bs=1 count=7667712 skip=2162688 dd if=tf_recovery.img of=firmware/data.bin bs=1 count=6488064 skip=9830400
How to get these values for this https://drive.google.com/file/d/1ve6XlBEiZebJV6ukJ0Oiu7DePw2JCsWj/view firmware? What is algorithm (logic steps) to obtain these values for that img file?
Thank you in advance.
Oh, looks like I see, that it's only 2+7+6 MB. Cool. Thank you for sharing this. But MJSXJ05CM doesn't have root access, looks like SSH/telnet port is closed on it. How to access SSH/telnet on MJSXJ05CM?
Oh!!! I understand it now https://github.com/telmomarques/xiaomi-360-1080p-hacks/issues/18 . Cool, I'm going to AliExpress for a programmer and clips )))
Anyway, @none815, how did you discover the sizes 2162688, 7667712 and 6488064? Any marks in the *.img files? Or maybe some of the volume sizes are standard?
cat /proc/mtd
dev:    size   erasesize  name
mtd0: 00050000 00010000 "BOOT"
mtd1: 00210000 00010000 "KERNEL"
mtd2: 00750000 00010000 "ROOTFS"
mtd3: 00630000 00010000 "DATA"
mtd4: 00010000 00010000 "CONFIG"
mtd5: 00010000 00010000 "FACTORY"
Thank you. But in your case there's no value 2162688 for kernel, it's 00210000. Are your results from a different device, or maybe I don't understand the meaning of the value 00210000 for kernel?
And, okay, how can I get those values if I can't run cat /proc/mtd because there's no ssh/telnet access on MJSXJ05CM? Yeah, I know the values for MJSXJ05CM now, but let's imagine there's another camera without ssh/telnet and I can only access the flash chip of the camera. How can I get those values to dd-split the img file dumped from the flash chip?
This is the latest firmware http://cdn.cnbj2.fds.api.mi-img.com/chuangmi-cdn/product/ipc009/firmware/IPC009_3.5.8.0406.zip
I tried to mount rootfs.bin to modify S49Factory, but mount -t jffs2 /dev/mtdblock0 gave me a "Can't read superblock" error.
210000 hex = 2162688 dec. flash layout is the same for all imilab cams. just follow https://github.com/telmomarques/xiaomi-360-1080p-hacks/issues/18 to get telnet access.
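As an added example (not code from the thread or the project), the arithmetic rezmus describes, done from the /proc/mtd listing posted above: the hex sizes are summed into absolute flash offsets, the layout is checked against the 16 MiB chip, and the dd count/skip values are derived relative to the partition the image starts at. It assumes, as the posted counts imply, that tf_recovery.img holds KERNEL, ROOTFS and DATA back to back with no BOOT section.

```python
import re

# /proc/mtd output as posted in this thread (copied here as sample input).
PROC_MTD = """\
dev:    size   erasesize  name
mtd0: 00050000 00010000 "BOOT"
mtd1: 00210000 00010000 "KERNEL"
mtd2: 00750000 00010000 "ROOTFS"
mtd3: 00630000 00010000 "DATA"
mtd4: 00010000 00010000 "CONFIG"
mtd5: 00010000 00010000 "FACTORY"
"""

FLASH_SIZE = 16 * 1024 * 1024  # 16 MiB SPI flash, the size of the full chip dump

LINE_RE = re.compile(r'^(mtd\d+):\s+([0-9a-fA-F]{8})\s+([0-9a-fA-F]{8})\s+"([^"]+)"')


def parse_proc_mtd(text):
    """Return [(dev, name, offset, size, erasesize)]; offsets are absolute in flash."""
    parts, offset = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header or blank line
        dev, name = m.group(1), m.group(4)
        size, erase = int(m.group(2), 16), int(m.group(3), 16)
        if size % erase:
            raise ValueError(f"{name}: size {size:#x} is not a multiple of erasesize")
        parts.append((dev, name, offset, size, erase))
        offset += size
    return parts


def layout_fills_flash(parts, flash_size=FLASH_SIZE):
    """True when the partitions exactly cover the chip (no gap, no overlap)."""
    return sum(p[3] for p in parts) == flash_size


def dd_split_commands(parts, image, first, names):
    """dd lines that split `image` (which begins at partition `first`) into `names`."""
    base = next(p[2] for p in parts if p[1] == first)  # assumption: image starts here
    cmds = []
    for _dev, name, off, size, _erase in parts:
        if name in names:
            cmd = f"dd if={image} of={name.lower()}.bin bs=1 count={size}"
            skip = off - base
            cmds.append(cmd + (f" skip={skip}" if skip else ""))
    return cmds


if __name__ == "__main__":
    layout = parse_proc_mtd(PROC_MTD)
    print("covers 16 MiB:", layout_fills_flash(layout))
    print("\n".join(dd_split_commands(layout, "tf_recovery.img", "KERNEL",
                                      ("KERNEL", "ROOTFS", "DATA"))))
```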
rootfs is squashfs, data is jffs2.
I see. That means I can't mount it rw and modify it. I tried to unsquash it and modify it. After I squashed it back and dd'ed it back, the camera was bricked. Luckily a firmware downgrade using an SD card unbricked it.
Hi, could you tell me what files to put on the sdcard? Thanks
Hi. I've tried to use a 'manual' update of IPC016 with a new version of the FW, but something went wrong and now I've bricked the device... It looks like U-boot was overwritten.
Just realized that MTD0 contains u-boot but it's just archived. Finally concatenated all MTD* and flashed the chip (with desoldering).
If you did a backup of /dev/mtdblock0 you should have uboot. Anyway, here is my copy.
https://ufile.io/rsb6u7fa
Hi, can I upload it with the CH341? Thanks
Yes, that's definitely what I performed. Just appended MTD0..MTD5 into a single file and flashed it with a CH341A. Unfortunately it was necessary to completely disassemble the camera and desolder the flash chip.
Sorry, I'm a novice, how do I do that: "Just append MTD0..MTD5 into a single file"?
On Windows you can just use the command line command "copy":
copy mtd0.bin + mtd1.bin + mtd2.bin + mtd3.bin + mtd4.bin + mtd5.bin all_together.bin
The resulting file should be exactly 16Mb (16777216 bytes).
Could someone send me the complete bin? MTD0..MTD5
Is there any chance you still have the .bin for IPC016? I dumped mine with a SOIC clip and patched as described, but probably something went wrong while making the backup...
Do you still have this file? The link has expired, and I completely bricked my IPC016. Thank you!
I think it's this file https://ufile.io/4hsg0qwh