lost telnet & ftp upon upgrade to 2.1.0.0A_201703071456 firmware

[andy2301]

#My 1080p v1 comes with firmware 2.0 (2.0.0.1A_201612051401). I was able to apply this hack to get telnet and ftp. Thanks to @xmflsct!

However, yesterday I upgraded (through the YiHome app) to the latest 2.1 (2.1.0.0A_201703071456) firmware, and the hack doesn't work any more. Yes i tried to reapply the hack from scratch. I lost telnet & ftp.

Also tried to store the firmware using the home_y20m dump generated by @xmflsct as posted here, but it didn't restore at all (renamed it to "home" and put at root of sd card). I suspect it's a generated home partition dump, not an official firmware.

I'd appreciate if anybody can share a copy of the official firmware 2.0.0.1A_201612051401 for 1080p v1.

Btw, you can also download the latest firmware 2.1.0.0A_201703071456 here. http://www.xiaoyi.com/home/firmware/download/?version=4 Click on "download" of the "2.1.0.0A_201703071456" firmware

[xmflsct]

I did not even dare to upgrade myself. :D So I have no idea what has been changed in the newer upgrade.

But feel free to use my copy, or other copies provided in that thread.

[andy2301]

@xmflsct I tried to restore your copy through the "manual firmware upgrade" approach, but it didn't do anything. I'm still with the upgraded 2.1 version. Do you know another way to apply/use your copy?

My guess is that the new firmware gets rid of the factory_test.sh hole in its init.sh file. I tried to look into the firmware through binwalk but it appears the firmware is encrypted (binwalk returns nothing).

[shadow-1]

@andy2301 Yes you are absolutely correct. I have confirmed with the Yi Dome cameras that firmware upgrades remove /home/app/script/factory_test.sh (which in turn calls the script from microSD card). Hence why my own custom firmware goes in a different direction.

I can create a version of my custom firmware for this camera. However I can't test it as I don't have this camera. You MUST have access to the terminal through the serial port for troubleshooting.

As mentioned elsewhere. Official firmware upgrade file is not really a firmware file. It is an encrypted archive. Explanation and instructions on how to unpack below. https://github.com/fritz-smh/yi-hack/issues/124#issuecomment-275670843

[andy2301]

Great explanation of the firmware! @shadow-1 I'll get a serial port later tonight for troubleshooting.

[xmflsct]

Hello again guys. I tried to reflash my home partition with @shadow-1's copy and my copy, both doesn't work somehow. I remember I used it when I restored my camera last time when I bricked it.. Now I have detached the serial connection just today... Tomorrow I will attach them again and see what happened, and try to produce a new flashable image.

[xmflsct]

Oops, my copy is actually working again somehow. @andy2301 Do you still have it, and would you like to try again? My yellow flashes slowly when flashing, in between it flashes very quick for a second then comes back. After flashing is done, I have access to my cam again luckily.

[andy2301]

How did you flash it?

When I tried it this morning, I did the following: I downloaded the zip file you posted, extracted to the root of sd card, rename it to "home". But it did't do anything for me. Upon reboot, it's still my upgraded 2.1 version.

[shadow-1]

@andy2301 Do not rename the file. It needs to be named home_y20. In addition, make sure your microSD card is FAT32 formatted. By default high capacity SD cards (over 32gb) are formatted using exFAT.

[xmflsct]

@andy2301 Aha, that's why. Because both @shadow-1's and mine copy are for uboot to use, which means that it differs from the official way of updating it. So as said, you should keep it as home_y20.

Very interesting thing is that. With just @shadow-1's copy, it does not work (I have no serial output to examine the problem now). After using @shadow-1's copy, I use mine again which gives a bit different yellow led flashing pattern and that worked - at least to bring the brick device back.

[shadow-1]

@xmflsct U-Boot does a check to see whether the recovery image matches what is currently on the system. If it thinks they are the same, the firmware upgrade is skipped. Considering it is U-Boot that is doing the check, I believe the check must be quite primitive.

From experimentation (I have flashed my camera probably over 50 times debricking and getting the region ban workaround working), it appears that the check to see whether the firmware on the system matches the recovery image is based on the embedded name within the image and the timestamp. So most likely, your current recovery image will no longer work as it matches what is currently on the system. However my one will work now because (most likely) the embedded name is different and the timestamp is definitely different.

[xmflsct]

@shadow-1 Good one! I need more debricking to catch up with your experience. :D

So I assume U-Boot thinks your image should be flashed, though it (might?) contain some error. After then I use my long-ago image, U-Boot now believes my image should be flashed. Anyway, my long-ago image was simply wrapped the dd output with an uImage header, not as smart as your solution yet. I still need to figure out how I can properly pack jffs2 images. I think your v3 approach should be the way to go, as XiaoYi is tightening rules against hacking.

[shadow-1]

@xmflsct My image is unlikely to contain an error (although it might). I created a fresh jffs2 filesystem with the files from your long-ago backup. You are restoring the entire partition including the free space whilst my one skips the free space. Hence my image is smaller and a little quicker to flash. The end result is exactly the same as we are restoring exactly the same files. The only difference is the uImage header will be slightly different.

[xmflsct]

@shadow-1 Yes, I fully understand this part. :) Will first follow your approach and update this project, then see how far I can go with RTSP support as this is the function that I need - I don't care if I can use it with app or not. I have another 720p one working right now as a security cam, and would like to have another one. :)

[shadow-1]

@xmflsct Tomorrow I can send you an experimental version of my v3 firmware for this camera with working workaround for the region ban. However it will involve flashing the rootfs partition. As mentioned in the other thread, you have to upgrade uClibc which is almost impossible to upgrade on a running system on these cameras. Even if it were possible, it is highly risky and it is likely to brick. Using the offline upgrade through U-Boot is a much safer option.

I am confident that you will be able to restore your rootfs partition in case the camera gets bricked. The recovery method is exactly the same as for the home partition.

[xmflsct]

Thank you so much in advance! I will have a try of your ones and let you know if it is working.

Saying that, I have a 040 version of SDK. I think they should have 050 by now. I will share it if I can find it and download it from somewhere.

[shadow-1]

Thanks for the updated SDK. I knew the 040 version has been released, however I didn't find a download link for it yet. When I got the 030 version, I don't think the 040 version was released (perhaps it was very new). I haven't heard anything about a 050 version yet.

With a little luck HiSilicon may have provided an example RTSP server with the SDK. Unlikely...but we can always be hopeful.

[xmflsct]

You are welcome. :) Not sure what had been updated though. Hope it would be a bit useful to you. 050 is not released yet, at least not on the forum where I downloaded 040. While browsing, I found a post with an updated sample code that claims to support RTSP for Hi3518EV200. I will have a try tomorrow, see if I can compile it correctly. Otherwise I might need your help again. :)

[andy2301]

@xmflsct Using your copy of home_y20, I've got my camera back to version 2.0.0.1A_201612051401. That's awesome!

Just extract it under the root directory of sd card and reboot. Make sure the name is "home_y20".

[xmflsct]

@andy2301 Glad that it works!

Do you happen to have serial connection as well? If so, can you try to change the boot delay and see if you can enter U-Boot fritz-smh#141 (comment) My camera doesn't respond to any key press signal, so I was wondering whether they tweak the hardware or just a faulty part in my camera.

If you succeed in doing so, it would be nice if you could upgrade to the newest version again, and dump out the entire system in U-Boot. That provides an overview of what has been updated, and could be a base for the next step of this project. Let me know if this is feasible for you. :)

[shadow-1]

@xmflsct No need to tweak the U-Boot environment as you know how to flash rootfs and home partitions now. It should be a simple change on the env partition to get the countdown working if you really want to.

There is no need to upgrade the firmware to the newest version and dump the entire filesystem. I have provided instructions on how to extract the firmware and the upgrade is simply a replacement of the files on the camera within the /home directory.

Even so, if you want to make a backup of the camera and have serial access. It is easiest to use dd once booted rather than mucking around with U-Boot.

[xmflsct]

@shadow-1 That's true. Then I will wait for your updated release, and combine it into this 1080p camera. :)

[shadow-1]

@xmflsct I got around to creating a test firmware for the Yi 1080 Home. The links are below: rootfs_y20 home_y20

Creating the home partition took longer than what I thought it would. I need to create some more build scripts to make it fully automated.

To make the upgrade more controlled and to make it easier for issues to be identified and rectified, what I recommend to do is follow the following steps:

1. Upgrade only the rootfs partition.
2. Boot up the camera and check that everything still works just as before (telnet working etc.) If there is an issue at this point, we will know that I deleted something I wasn't meant to and it's preventing bootup.
3. Flash the home partition.
4. Test whether telnet is working, FTP is working, web server is working (all services are enabled by default on the firmware).
5. Enter a valid proxychains configuration with at least one proxy server from Mainland China. This will allow your camera to not complain about the region ban and be fully operational with the Xiaomi smartphone app.

---

For others that may want to try the firmware, please ensure you have access to the terminal through the serial port for debugging purposes. I do not have this particular camera so the firmware is completely untested.

[xmflsct]

@shadow-1 Thank you so much! I will try it just now and let you know how it goes.

By the way, the code I mentioned yesterday, I tried to compile it again, and still get the annoying line 1: syntax error: unexpected word (expecting ")"). All posts on the internet suggest that I might output an object file, but it is actually not - I test it with file which shows it as an executable. I suspect there might be some wrong flags in SDK's Makefile.param but my knowledge is not enough to find it out. Would you like to have a try? Here is the archive. hp-ipc_rtsp.zip

[maysamsh]

@shadow-1 I tried the rootfs, it revived the cam! When I tried to pair it with the phone it told me "This camera can only used within China", then I tried the other fine, home_y20, but unfortunately it didn't work and once again the status is still yellow.

[shadow-1]

@maysamsh Congratulations, it looks like your problem was with the rootfs partition afterall and it has now been restored.

This is completely experimental firmware and I have done quite a lot of changes to the home partition. I may have made a mistake with it because of all the changes I made without testing. You can restore the original home partition. You can use @xmflsct copy or my one and your camera will be back to how it was.

[xmflsct]

@maysamsh Yes, with my own copy of home_y20, I get my cam back and I can use it as before.

@shadow-1 Same happened to me. Flashing rootfs is fine, but bricked after home_y20. Still, I cannot run the proxychains4 from your home_h20 extract. I copy both the executable and the .so to exact the same location on my cam, I get Illegal instruction. The ld-uClibc-0.9.33.2.so in my /lib seems to be updated already with a last modify date at 03/06/17. Is that correct?

[maysamsh]

@shadow-1 Unfortunately it does not work anymore, even I have tried restoring images you already provided. What was the magic?!

[shadow-1]

@xmflsct Ah ok...looks like I tried to do too much at once.

I manually updated the firmware to 2.1.0.0A_201703071456. I must have messed it up (I did it quite quickly), I'll redo to firmware upgrade with 2.0.0.1A_201612051401 firmware which we know works properly.

Yes I updated ld-uClibc-0.9.33.2.so already from a previous compile. You will also notice that Busybox on rootfs has also updated to include a few extra but useful utilities.

[shadow-1]

@xmflsct I am very confused why you get Illegal instruction error with those programs. Can you provide me with the output of: cat /proc/cpuinfo

[maysamsh]

@shadow-1 How could you manage to update to 2.1.0.0A_201703071456? When I put it into the SD and then to the camera, it does nothing.