Creating a version for the XiaoFang 1080p camera #118

Open
no1knows opened this issue Jan 4, 2017 · 324 comments

@no1knows

no1knows commented Jan 4, 2017

I'm trying to hack the XiaoFang 1080p camera (i.e. this: http://www.gearbest.com/ip-cameras/pp_487830.html)

I've got root access over serial and worked out what filename to include on the microSD (that gets launched on insert): "snx_autorun.sh" so I can now easily change the root password and launch telnetd. It already runs boa web server (albeit with no content to serve, yet).

fritz-smh - could you give me some pointers on compiling the rtsp binary so I can create a version for the XiaoFang?

@fijter

fijter commented Jan 6, 2017

@no1knows good stuff! Not an expert in this but I'd like to check out the fs as well to see what I can do. I've managed to enable telnetd through snx_autorun.sh but changing the root password with echo "root:testing123" | chpasswd didn't do the trick for me. Can you share what you did to get in?

@no1knows
Author

no1knows commented Jan 6, 2017

I originally got in over serial (by soldering leads onto the camera's motherboard) but I managed to brute force the root password yesterday so that should make life easier. It's "ismart12".

@fijter

fijter commented Jan 7, 2017

Thanks, great job. This device looks totally different from the Yi if I look at the script placed here. The processes iSC3S (I think for the streams itself) and miio_client (I think for cloud connection) do all the work. The device is constantly connected to a Chinese cloud server even when you are not using it, which is kind of creepy ;)

They didn't even bother to try to hide that this is just an iSmartAlarm Spot system with a slightly custom firmware; even the hostname still is iSmartAlarm. The hardware is based on the Sonix 98600 SoC (http://www.sonix.com.tw/article-en-958-13487) which just seems to be an ARM-based embedded Linux platform with some webcam streams.

I wasn't able to use chpasswd since it's not in the Busybox build; passwd is so that could possibly be used but why bother with the default root password you bruteforced ;) A simple snx_autorun.sh in the root of my SD card with telnetd& inside of it was enough to give me root access using telnet.

The rtspsrv binary from this project seems to be some kind of live555 media server based server; I tried to run it but it didn't work because of some missing dependency on this Busybox installation.

The iSC3S keeps the /dev/video0 device busy, as soon as I kill the process this resource is available again. Once you kill the iSC3S app the device reboots after a moment, I tried killing iSC3S and test_UP but it still rebooted; so in order to produce an RTSP stream this auto reboot needs to be disabled so the iSC3S app can be killed. The Boa webserver is indeed running on it with just a /cgi-bin/hello.cgi test script and a symlink to the SD card contents at /SDCard/, nothing really special or noteworthy.

SoniX seems to have an SDK but of course this doesn't seem to be publicly available. This is where it ends for me now since I don't have any experience with building binaries for embedded systems or decompiling/analysing the existing binaries. Hopefully it can be of some help on your quest to get this device to work; I think the hardware is great for the price if we can fully utilise it without having to rely on a third party app and a Chinese cloud to work.

@no1knows
Author

no1knows commented Jan 7, 2017

Thanks, that's all useful info. It's easy to disable the camera's phone-home and video streaming functionality - simply comment out the last line in /etc/init.d/rcS:
# /usr/bin/iSC3S/iSC3S &

...and then reboot. It'll then happily sit there doing nothing, including not connecting to wifi - so don't do this unless you have serial wires soldered to the board.

Looks like the Live555 rtsp server code is here: http://www.live555.com/mediaServer/ but I don't have any experience compiling for Arm systems either so will need to do some digging. Judging by some RPi threads, sounds like ffmpeg, cvlc or avconf could also create rtp streams if we can get them compiled and running on the camera. I suspect the issue will be that these need some grunt so unless we can take advantage of the SoC's hardware encoding, the CPU might struggle.

The SoniX SDK would be useful! I found the programming guide here:
http://pan.baidu.com/share/link?shareid=3532089155&uk=2654552623&fid=285728836228321 (also attached: SN986 Series SDK Programming Guide.pdf)

Paragraph 9.1 looks interesting:

9.1 SONiX Galaxy Streaming Sever. SONiX Galaxy is a full function streaming server for both video and audio in SONiX SN986 Serial SDK. Galaxy receives the live encoded video( from the hardware codec) and audio( from SONIX SN986 Serial middleware)as input, and then streams it through RTP over RTSP over UDP/TCP/HTTP. Users can connect to Galaxy and get video/audio stream through the IE browsers or the VLC Media players on the PC、mobile phone or the mobile pad.

I can't find the SDK or SONiX Galaxy Streaming Sever anywhere... Don't suppose anyone can get their hands on either?

@no1knows
Author

no1knows commented Jan 7, 2017

I've also found the attached "SN98600 Video Codec Programing Guide".
SN986 Series Video Codec Programing Guide.pdf

@jeffrey-bosma

> The iSC3S keeps the /dev/video0 device busy, as soon as I kill the process this resource is available again. Once you kill the iSC3S app the device reboots after a moment, I tried killing iSC3S and test_UP but it still rebooted; So in order to produce a RTSP stream this auto reboot needs to be disabled so the iSC3S app can be killed.

The iSC3S process interacts with /dev/watchdog and the board will reboot itself shortly after the process hangs or dies. I found that killing iSC3S and then unloading the watchdog kernel module (rmmod snx_wdt) will stop this reboot behavior.

@magnets110

I think I found the SN986 SDK

here: http://pan.baidu.com/share/link?uk=3981671631&shareid=2974078675#list/path=%2F

rehosted on mega https://mega.nz/#!UpUmHDyJ!xGf7OvWNcRp-pXRxQ4e-Ze06WtnimWaB9rhF_ca5ibc

@no1knows
Author

no1knows commented Jan 8, 2017

Great work! I extracted SN986_1.50_037a_20151022_1049/package/app/galaxy-server.tgz to a microSD card. It also needs the following libraries:
libmtable.so from middleware/video.tgz
libsnx_cap.so from middleware/snx-cap-lib.tgz
libsnxconf.so from middleware/snxconf.tgz

So I put those in the galaxy-server/rootfs/lib folder alongside the existing libserverlog.so and libxmllib.so.

Once the microSD card is in the camera, telnet into it and then stop Xiaomi's streaming/cloud process hogging /dev/video[0-2] (thanks jeffrey-bosma!):

killall test_UP
kill -9 623 # replace "623" with whatever PID is associated with /usr/bin/iSC3S/iSC3S (which you can see by running "ps")
rmmod snx_wdt

Then cp the Galaxy Server config files from the microSD card into /etc:
cp -R /media/mmcblk0p1/galaxy-server/rootfs/root/etc_default/* /etc/

Then tell the camera where to find the new libraries, since we can't copy them into /lib as the filesystem is read only:
export LD_LIBRARY_PATH=/media/mmcblk0p1/galaxy-server/rootfs/lib

Then, at last, ./sonix-proj (in galaxy-server/rootfs/bin/) finally executes and spits out the following:

/media/mmcblk0p1/galaxy-server/bin # ./sonix-proj
Create recording fun[id:1]
Create recording fun[id:2]
Create recording fun[id:3]
init watchdog ok
Log name : console  Maxsize is 1048576
create video source [uuid:38BDB80C-9662-49AE-B53D-A046097950B4] /dev/video0  1280x720 @ 30 with h264
create video source [uuichannel 0 buffer count=2, size=462848
d:B93E7FB4-D37B-404F-9333-7F4E75919F29] /dev/video0  640x480 @ 30 with h264
create video source [uuid:B93E7FB4-D37B-404F-9333-7F4E75919F31] /dev/video0  640x480 @ 30 with mjpeg
create audio source [uuid:E2C4CF08-4BD2-48C8-9EDB-B390BAF5C893] snx_audio_mulaw @ 8000 with mulaw  bitrate:64000
WARNING : snx_conf.c 774:file /tmp/sources.conf is existing
nokey value is video h264 /dev/video0 640x480 30 /dev/video2 640x480 30 bitrate 614400 -1 30
debug: width 640 height 480  scales 1
debug: ispdev /dev/video0 codec_dev /dev/video2
debug:isp fps  30 codec fps 30
sc2135 start streaming
----->has ability to crop!!
cropcap.defrect = (0, 0, 1920, 1080)
----->sussess crop to (0, 0, 640, 480)
snx_audsnx_vc snx_vc: snx_vc_open: Created instance c31d6800, m2m_ctx: c33aa800
io_mulaw, 8000, 64000, mulaw, 0, uuid:e2c4cf08-4bd2-48c8-9edb-b390baf5c893
create audio source [uuid:E2C4CF08-4BD2-48C8-9EDB-B390BAF5C895] snx_audio_alaw @ 8000 with alaw  bitrate:64000
create audio source [uuid:E2C4CF08-4BD2-48C8-9EDB-B39snx_vc snx_vc: snx_vidioc_s_parm: snx_vidioc_s_parm: OUTPUT fps == 30
0BAF5C897] snx_audio_g72snx_vc snx_vc: snx_vidioc_s_parm: snx_vidioc_s_parm: CAPTURE fps == 30
6 @ 8000 with g726  bitrate:16000
snapshot res is 1280x720
snx_audio_alaw, 8000, 64000, alaw, 0, uuid:e2c4cf08-4bd2-48c8-9edb-b390baf5c895
snx_audio_g726, 8000, 16000, g726, 0, uuid:e2c4cf08-4bd2-48c8-9edb-b390baf5c897
isp init ok============
snx_vc snx_vc: s_fmt: Setting format for type 2, wxh: 640x480, fmt: 808596563
640 480  scale == 1
snx_vc snx_vc: s_fmt: Setting format for type 1, wxh: 640x480, fmt: 875967048
<<<snx_vb2_alloc>>> alloc size=925696 reduce size=462848
codec init ok============  CODEC
-----2_h-----
Can find folder rc-snx_vc snx_vc: snx_vc_release: Releasing instance c31d6800
>rc_folder, default folder is /etc/rc
Segmentation fault

So close! I have absolutely no idea what the issue is - perhaps a missing app/library? Incorrect config? I haven't looked at the conf files (in galaxy-server/rootfs/root/etc_default/) in detail yet, so suspect they need tailoring to the specific webcam hardware. I attach the folder containing all the necessary files:
XiaoFang_Galaxy_Server.zip

It would certainly help if we had the "SN986 Serial Galaxy Streaming Server Application Note" that's referred to in the SDK programming guide. @magnets110 - could you work your searching magic on that?

p.s. to stop iSC3S starting up in the first place, comment out the last line in /etc/init.d/rcS ("# /usr/bin/iSC3S/iSC3S &"). This will stop wifi starting up as well but you can make that happen by adding the following into /etc/wpa_supplicant.conf:

network={
        ssid="YOURSSID"
        psk="YOURPASS"
}

...and the following into /etc/init.d/rc.local:

sleep 5
echo "Start wifi..."
ifconfig wlan0 up
wpa_supplicant -B -iwlan0 -c /etc/wpa_supplicant.conf
udhcpc -i wlan0

@samtap

samtap commented Jan 9, 2017

For some reason the snx_autorun.sh trick doesn't work for me. The script isn't executed or telnetd fails to start, either way I get connection refused when trying to connect over telnet. I still have the 'original' firmware (2.8.0.0, app wants to update to 2.8.3.5 but I'm refusing).

How should the sd card be formatted? Are there any instructions available (a photo would be awesome) of the cable connections for serial console?

@fijter

fijter commented Jan 9, 2017

@no1knows Good work on getting rid of the running cloud stuff and @magnets110 great work on finding the SDK. Not sure if Galaxy server is going to do us any good for getting a local RTSP stream up and running, it looks like this service just connects the stream to a configurable cloud server. Too bad the documentation of the SDK is a bit lacking, can't find an example for an RTSP server in there without the cloud connect part; maybe I should look a bit harder ;)

@samtap Just a FAT32 formatted card, the file should be in the root of that card containing telnetd & - Please note that this script doesn't get executed on boot like the Yi device but on insertion of the SD card, so just leave your cam on, remove the SD, replace it, wait until you hear a sound and telnetd should be running. If you reboot the device with the card inserted you need to re-inject it for it to run again.

@jonnycastaway

I did the telnet thing like so:
First start with the snx_autorun.sh trick.
Then in /etc/init.d/rc.local remove the last line that begins with "cp "
then append at the end "/bin/sleep 30 && telnetd"

So after every reboot the script waits 30 seconds and then starts the telnet daemon.
No SD card needed. It also stays after pressing the setup switch and connecting to a new network. Only a reboot after the successful reconf is needed.

But attention, it will be broken by a firmware update.

@jonnycastaway

I searched in the SDK too and found the SnOnvif executable. It also will have an extra library. I copied the files SnOnvif and libxmllib.so to my card, added the library path as described above and started SnOnvif but got the same error:
Segmentation fault

Nothing more. :-/

@samtap

samtap commented Jan 9, 2017

@fijter Thanks, it works when inserting the sd-card after boot. Strange, but anyway it's only needed once, to make the fix in /etc/init.d/rc.local

The SDK actually contains live555 rtsp_server! So I have high hopes we'll get somewhere. I was able to build and run it but unfortunately it also segfaults. But gdbserver is available so next step is creating a debug build.

/tmp # ./snx_rtsp_server
Video source = /dev/video1
----->has ability to crop!!
cropcap.defrect = (0, 0, 1920, 1080)
----->sussess crop to (0, 0, 1280, 720)
1280 720 scale == 1
Can find folder rc->rc_folder, default folder is /etc/rc
Segmentation fault (core dumped)

@petero-dk

I have just purchased a couple of these. I will start by testing the above. This is to let you know there is one more interested party willing to test and contribute. Wish: rtsp streaming, and final hope: Onvif support with events.

@no1knows
Author

no1knows commented Jan 9, 2017

@samtap - can't believe I didn't see that. I'm trying to cross compile it on Ubuntu 16.04 but struggling. Sounds like you know what you're doing rather better than me... keep us posted!

@samtap

samtap commented Jan 9, 2017

It's working reasonably well. You'll need to get middleware/_install/lib/libsnx_rc.so from the SDK as well.

/tmp # ./snx_rtsp_server_dbg
Video source = /dev/video1
----->has ability to crop!!
cropcap.defrect = (0, 0, 1920, 1080)
----->sussess crop to (0, 0, 1280, 720)
1280 720 scale == 1
Can find folder rc->rc_folder, default folder is /etc/rc
[snx_get_file_value] open md_ratectl_en error
Start V4L2 Capture... /dev/video1

------- V4L2 Infomation --------
m2m_en: 1
codec_dev: /dev/video1
codec_fps: 30
isp_fps: 30
width: 1280
height: 720
scale: 1
bit_rate: 1048576
dyn_fps_en: 0
GOP: 30
ds_font_num: 128


isp buffers: 1384448 , outpack maxsize : 262144
lay this stream using the URL: "rtsp://192.168.42.123/unicast"
H264 thread 1280x720
m_a profile-level-id=644029;sprop-parameter-sets=Z2RAKawsqAUAW5A=,aO44gA==
RTSP DESCRIBE received
auxLine a=fmtp:96 profile-level-id=644029;sprop-parameter-sets=Z2RAKawsqAUAW5A=,aO44gA==

RTSP SETUP received
RTSP PLAY received
out tv_sec: 1484002726, fps: 1, bandwidth: 10 kbps
afterGettingFrame1: start playing time 1484002726:873275
RTSP GET_PARAMETER received
out tv_sec: 1484002727, fps: 11, bandwidth: 102 kbps
out tv_sec: 1484002728, fps: 10, bandwidth: 85 kbps
out tv_sec: 1484002729, fps: 10, bandwidth: 330 kbps
out tv_sec: 1484002730, fps: 10, bandwidth: 93 kbps
out tv_sec: 1484002731, fps: 10, bandwidth: 87 kbps
out tv_sec: 1484002732, fps: 10, bandwidth: 330 kbps
out tv_sec: 1484002733, fps: 10, bandwidth: 94 kbps
out tv_sec: 1484002734, fps: 10, bandwidth: 85 kbps
out tv_sec: 1484002735, fps: 10, bandwidth: 330 kbps
out tv_sec: 1484002736, fps: 10, bandwidth: 91 kbps
out tv_sec: 1484002737, fps: 10, bandwidth: 87 kbps
out tv_sec: 1484002738, fps: 10, bandwidth: 331 kbps
out tv_sec: 1484002739, fps: 10, bandwidth: 92 kbps
RTSP TEARDOWN received

^CSignal received (2)
Exiting....
~V4L2DeviceSource
stopping: (null)
Segmentation fault (core dumped)
/tmp #

Seems to be limited to 10fps? It drops even lower when I move the cam around a bit.

@ykhandler

Hi samtap. I need a hand on xiaomi yi ants 17CN rtspsvr. Can I have your email? Or maybe you can email me on [email protected]... Thx..

@no1knows
Author

@samtap looks promising! can you share the compiled binary for me to test? What system did you compile it on? Any tips/tricks for cross compiling?

@jonnycastaway

@samtap did you cross compile it for ARM? Any special parameters or packages needed? I have an Ubuntu install with cross compile things for ARM too so I can also test and check this.

@samtap

samtap commented Jan 10, 2017

@no1knows I built it on Kubuntu 16.10 x64. There're a couple of small issues to resolve when using the SDK. Is there anything particular you're running into?

Basically what I did to build snx_rtsp_server was change a couple of scripts to use bash instead of sh (change #!/bin/sh to #!/bin/bash). Run sdk.unpack. I run setup_env.sh but it's probably safe to omit. Add bin and lib from the toolchain dirs to PATH and LD_LIBRARY_PATH. There's probably a better way to do this with a crosstool command. I had to create an empty file buildscript/include/config/snx_sdk.conf. Also had to mess around in some perl file to make it work with the perl version on my machine. When all is well you should be able to enter the buildscript dir and build the kernel with make oldconfig && make. This builds a kernel image and sets everything up so you'll be able to build the apps using their individual makefiles.

Note there's lots of room for tweaking stuff. You can configure the kernel with 'make menuconfig' and there're lots of config files that I didn't touch. I was able to debug with the supplied arm-linux-gdb so that's promising. But eventually you'll probably need knowledge about the low level hardware to tweak the SDK for our specific target. Also the SDK might be a bit outdated (Oct 2015) and not match the latest firmware (though my binaries work on the latest fw). We should also look for a recovery method (I'm sure there's some way to flash it from the sd card, maybe bootloader output gives some clues?). Before messing with the system and risking to brick the device ;-)

@petero-dk

I am currently in the process of acquiring the latest SDK for the platform, is anyone sure which of the SN986 versions this is?

| Part No | Package Type | Max Performance | DDR | LCD/HDMI | I2S | I2C | SPI | TV-out | MIPI | Serial/NAND Flash | JTAG |
|---|---|---|---|---|---|---|---|---|---|---|---|
| SN98600 | LQFP128 | 1080P15 | 64MB DDR2 SIP | N/A | N/A | 1 | 1 | V | V | Serial/NAND Flash | N/A |
| SN98601 | LQFP128 | 1080P15 | 64MB DDR2 SIP | N/A | N/A | 1 | 1 | N/A | V | Serial Flash | V |
| SN98610 | TFBGA292 | 1080P15 | 16 / 32-bit DDR2 | V | V | 2 | 2 | V | V | Serial/NAND Flash | V |
| SN98660 | LQFP128 | 1080p30 + 480p30 | 64MB DDR2 SiP | N/A | V | 2 | 1 | N/A | V | Serial Flash | V |
| SN98661 | LQFP128 | 1080p30 + 480p30 | 64MB DDR2 SiP | N/A | V | 1 | 1 | N/A | V | Serial Flash | V |
| SN98671 | QFN88 | 720p30 + 720p30 | 32MB DDR2 SiP | N/A | N/A | 1 | 0 | N/A | V | Serial Flash | V |
| SN98672 | QFN88 | 1080p30 + 480p30 | 32MB DDR2 SiP | N/A | N/A | 1 | 0 | N/A | V | Serial Flash | V |

@jeffrey-bosma

> I am currently in the process of acquiring the latest SDK for the platform, is anyone sure which of the SN986 versions this is?
> [...]

That would be great to have! It's SN98660(AFG), someone posted a teardown here.

@no1knows
Author

The teardown is a good find. In case anyone is interested in getting serial console access, the pads are shown in this photo: http://cdn.geekifix.com/forum/201612/07/172112zf9lv9as3y3kdtzx.jpg (see four empty pads on the right hand side labelled 3.3v, rx, tx, gnd). That's on the back of the motherboard, so you need to remove the two ribbon cables and the motherboard to get at the pads. It's pretty straightforward - I've done this on both of my cameras and reassembled them with the wires coming out of the back of the camera through a small hole I cut in the plastic grate section between the speaker and USB port. Baud speed is 115,200.

@samtap

samtap commented Jan 10, 2017

@no1knows I assume you hooked it up to a 3.3v ftdi uart adapter? I'll try this evening. A warning for anyone who tries to connect it directly to a USB or serial port: those run on 5V and will probably fry the board...

@samtap

samtap commented Jan 10, 2017

RTSP server binaries available here: https://mega.nz/#F!aFZDVAiQ!9DBh2xMR9D_JynwtYSiASQ

@jonnycastaway

@samtap Thank you for the rtsp server, it works perfectly except for one little thing. The IR-Filter lens is not working anymore. I think it's also controlled by the iSC3 bin. The delay is 1 second in my config, so it's OK. Now I'm searching for a way to switch the ir-filter lens.

@jonnycastaway

jonnycastaway commented Jan 10, 2017

Hey guys,
after some testing I'm doing this to kill the unwanted things and start the rtsp server automatically:
first I kill all necessary processes with the following lines in /etc/init.d/rc.local at the end:
killall test_UP
ps | grep -i iSC3S | grep -v grep | cut -d " " -f 3 | xargs kill -9
/bin/sleep 30 && rmmod snx_wdt
After that I make a new dir in /etc called rtsp and copy the 2 files from samtap in (wget is your friend), so the files are not gone after a reboot. Don't forget chmod a+x snx_rtsp_server! Then also in rc.local I do the stuff to load the rtsp server:
export LD_LIBRARY_PATH=/etc/rtsp
/etc/rtsp/snx_rtsp_server &

If you do it all right your cam runs the rtsp server ;-) Test the stream with
rtsp://yourcamiphere/unicast

Attention, after a reboot it needs 1 minute to do all the stuff and start the rtsp server.
Another thing is that the LED on the back is not lighting up.

This all works without an SD card ;-) and now I can put these cams into my Synology Surveillance Station!
Pretty cool!

@navigonic

navigonic commented Jan 10, 2017

Very impressive to see device-hacking happening in real-time. I'm following this thread like a hawk hoping for a howto from your respective successes. Maybe the xiaofang deserves its own project page? :-)

@jonnycastaway

jonnycastaway commented Jan 10, 2017

Ok, here is a little summary. I merged the info from no1knows, samtap, fijter and me.
Now I don't start iSC3S and the watchdog. So the new way comes here:

In /etc/init.d/rcS comment out the following lines with a # at the beginning:
modprobe snx_wdt
/usr/bin/iSC3S/iSC3S &

then in /etc/wpa_supplicant.conf remove all in the network section except:
ssid="YOURSSID"
psk="YOURPASS"
fill YOURSSID and YOURPASS with valid Data for your wlan!

make a new dir in /etc called rtsp and copy the 2 files from samtap in (wget is your friend). so the files are not gone after a reboot. don't forget chmod a+x snx_rtsp_server!

in /etc/init.d/rc.local remove the last line that begins with "cp "
then Append on the end:

sleep 5
echo "Start wifi..."
ifconfig wlan0 up
wpa_supplicant -B -iwlan0 -c /etc/wpa_supplicant.conf
udhcpc -i wlan0

echo "Start telnet..."
/bin/sleep 30 && telnetd

echo "Start RTSP Server..."
export LD_LIBRARY_PATH=/etc/rtsp
/etc/rtsp/snx_rtsp_server -W 1920 -H 1080 -Q 15 -b 4096 -a &

Check all twice! An error may leave your device unusable!
I have 2 cams running with these adjustments without problems.
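
A pre-reboot check for the edits listed in the summary above, as an added example that is not part of the original comment or the project. It lints a staged copy of the camera's /etc tree; the function names, the staging layout and the sample files are constructed for illustration, and treating libsnx_rc.so as the second of the "2 files" is an assumption.

```shell
#!/bin/sh
# Pre-reboot lint for the boot-file edits in the summary above (added example).
# Point it at a staged COPY of the camera's /etc tree on a workstation.

# True if FILE ($1) has an uncommented line matching the basic regex $2.
active() { grep -v '^[[:space:]]*#' "$1" 2>/dev/null | grep -q -- "$2"; }
fail() { echo "FAIL: $*"; fails=$((fails + 1)); }
warn() { echo "WARN: $*"; }
# First quoted value of KEY ($2) in wpa_supplicant.conf ($1), e.g. ssid or psk.
wpa_value() {
    sed -n 's/^[[:space:]]*'"$2"'="\(.*\)"[[:space:]]*$/\1/p' "$1" 2>/dev/null | head -n 1
}

# lint_fang_root ROOT: prints findings, returns the number of FAIL lines.
lint_fang_root() {
    root=$1; fails=0
    rcs=$root/etc/init.d/rcS
    rcl=$root/etc/init.d/rc.local
    wpa=$root/etc/wpa_supplicant.conf
    srv=$root/etc/rtsp/snx_rtsp_server

    for f in "$rcs" "$rcl" "$wpa"; do
        [ -f "$f" ] || fail "missing $f"
    done

    # rcS: the summary comments out both the watchdog module and iSC3S.
    active "$rcs" 'modprobe snx_wdt' && fail "rcS still loads snx_wdt"
    active "$rcs" '/usr/bin/iSC3S/iSC3S' && fail "rcS still starts iSC3S"

    # wpa_supplicant.conf: a network block with real values, not placeholders.
    active "$wpa" '^network={' || fail "no network={ block in wpa_supplicant.conf"
    ssid=$(wpa_value "$wpa" ssid)
    psk=$(wpa_value "$wpa" psk)
    [ -n "$ssid" ] && [ "$ssid" != YOURSSID ] || fail "ssid unset or placeholder"
    [ "$psk" != YOURPASS ] || fail "psk is still the placeholder"
    # A quoted WPA passphrase must be 8..63 characters long.
    [ ${#psk} -ge 8 ] && [ ${#psk} -le 63 ] || fail "psk length ${#psk} not in 8..63"
    [ -z "$(find "$wpa" -perm -004 2>/dev/null)" ] ||
        warn "staged wpa_supplicant.conf is world-readable (plaintext psk)"

    # rc.local: wifi must come up unattended or only the serial console is left.
    active "$rcl" 'ifconfig wlan0 up' || fail "rc.local never brings wlan0 up"
    active "$rcl" 'wpa_supplicant .*-B' || fail "wpa_supplicant missing or lacks -B"
    active "$rcl" 'udhcpc -i wlan0' || fail "rc.local never runs udhcpc on wlan0"

    # The RTSP server line must be backgrounded and able to find its library.
    active "$rcl" '^[[:space:]]*/etc/rtsp/snx_rtsp_server.*&[[:space:]]*$' ||
        fail "snx_rtsp_server line missing or not backgrounded with &"
    active "$rcl" 'export LD_LIBRARY_PATH=/etc/rtsp' ||
        fail "LD_LIBRARY_PATH=/etc/rtsp is not exported"
    [ -x "$srv" ] || fail "$srv missing or not executable (chmod a+x)"
    # Assumption: libsnx_rc.so is the library copied next to the server binary.
    [ -f "$root/etc/rtsp/libsnx_rc.so" ] || warn "libsnx_rc.so not in /etc/rtsp"

    # Exposure the edits themselves create.
    active "$rcl" 'telnetd' &&
        warn "telnetd starts at boot: cleartext login, change the root password"
    return "$fails"
}

# Constructed sample tree that follows the summary; not copied from a camera.
make_sample_root() {
    mkdir -p "$1/etc/init.d" "$1/etc/rtsp"
    printf '%s\n' '#!/bin/sh' '# modprobe snx_wdt' '# /usr/bin/iSC3S/iSC3S &' \
        > "$1/etc/init.d/rcS"
    printf '%s\n' 'network={' '        ssid="example-ssid"' \
        '        psk="example-passphrase"' '}' > "$1/etc/wpa_supplicant.conf"
    chmod 600 "$1/etc/wpa_supplicant.conf"
    printf '%s\n' 'sleep 5' 'ifconfig wlan0 up' \
        'wpa_supplicant -B -iwlan0 -c /etc/wpa_supplicant.conf' \
        'udhcpc -i wlan0' '/bin/sleep 30 && telnetd' \
        'export LD_LIBRARY_PATH=/etc/rtsp' \
        '/etc/rtsp/snx_rtsp_server -W 1920 -H 1080 -Q 15 -b 4096 -a &' \
        > "$1/etc/init.d/rc.local"
    : > "$1/etc/rtsp/snx_rtsp_server"
    : > "$1/etc/rtsp/libsnx_rc.so"
    chmod a+x "$1/etc/rtsp/snx_rtsp_server"
}

# Lint the directory given as $1, or the constructed sample when run bare.
if [ $# -gt 0 ]; then
    lint_fang_root "$1" || echo "$? problem(s) to fix before rebooting"
else
    demo=$(mktemp -d) && make_sample_root "$demo"
    lint_fang_root "$demo" || echo "$? problem(s) to fix before rebooting"
    rm -rf "$demo"
fi
```

To use it on real files, copy /etc/init.d/rcS, /etc/init.d/rc.local and /etc/wpa_supplicant.conf into a staging directory with the same layout and pass that directory as the first argument.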

@no1knows
Author

Well done everyone! I'll try this out tomorrow and once all tested perhaps get started on an snx_autorun.sh (in a new project) that automates everything to make it easier for others to benefit from all our good work!

@samtap good point - I should have mentioned, no need to hook up the 3.3v - it works fine with just the RX, TX and gnd wires connected. I'm using a cheap universal USB to serial adapter and Putty.

@denierlexiese

Tried again yesterday to set my router to mixed WPA/WPA2 mode. The xiaofang camera wouldn't connect. The Yi ants had no problem connecting. When I set the router to WPA mode only I got an error from the router suggesting the wireless devices could only work at A speed, but ignoring that error, and hitting ok, led the xiaofang camera to immediately connect correctly. There is something about WPA2 this hack does not like.

@gitingear

gitingear commented Apr 14, 2017

I have seen references to vbox image uploaded by dibuti but don't see location for it, if anyone knows can you please post link, thanks

update:
[https://mega.nz/#F!nloDQLaT!6-h14bzYpdM_G5d3SEMRkg!LkoBQKTa]

(.ova file, thanks benji)
after importing, username/pw are shown in Oracle VM: Settings->General->Description

update2: image referenced above is apparently work in progress for which it is unclear how to build fully functional snx_rtsp_server, would appreciate if anyone has further suggestions

@Sander456654

Sander456654 commented Apr 15, 2017

http://ifotohost.com/pic/325/30muar.jpg

I stupidly deleted the time zone and the server - now I can not fix the time, through the web interface, help me fix the file locally

@MacManas

Managed to pull another bin (v3.0.4.9) but it seems to be a partial update only as it does not contain as many files as the previous one.
Also, has a problem with Mega, therefore changing the link for the FW folder:
https://mega.nz/#F!IiJxTCYZ!NeUd7y21rmOsWIIoqPnw0w

@andrewtvuong

andrewtvuong commented Jun 12, 2017

Hi! This is a very interesting project. It turns out I received wrong shipments of Original Mainland use only cameras that do not work in the US. I'm interested in hacking these otherwise obsolete cameras.

I have some experience writing in Arduino IDE and experience with IoT in general but have two questions.

  1. What language is used for serial commands or whichever language is required for this project? Any advice on where to read up/learn the language?

  2. Would hacking this camera open up my home network to vulnerability? Aside from anyone with the camera's IP being able to view it.

Thanks!

@Toriniasty

Is it all stable by now? Just wondering if I should flash mine, or wait a moment.

@csloz

csloz commented Jul 14, 2017

@andrewtvuong

The cameras run Linux. Older version - 2.6 (at least on the one I checked earlier)
Mine is running 3.2 firmware, I couldn't get telnet running using the snx_autorun.sh script, so used a bog standard usb -> ttl adaptor and connected to the serial pins exposed on the side of the camera insides.

wire up
tx -> rx, rx -> tx, gnd -> gnd (and don't connect 3.3v!)

Then use a serial terminal to connect to the serial port @ 115200, 8,n,1
You'll find that the default terminal is a little spammy, so you'll want to get telnet running or ssh.

telnet is still on the latest firmware, but I think that the Camera software may look for it now and kill -9's it on startup, as strings camera binary shows that.

Once you have telnet running, you can connect remotely.
I would suggest using the sd card as storage for your own tools.

You'll need to set up a cross-compiler environment to develop for it. Download the SDK and set it up.
You'll use C code generally to dev stuff.

Read the notes above about where to get the SDK.
I'd start off by making some tools - e.g. ssh-server, ftpd or tftpd so you can get stuff in / out.

You can read my rather old posts on http://www.openipcam.com about doing dev stuff. It's still applicable for this, as it's a bog standard embedded environment.

I should probably make a new section on there for this actually...

@kulokoy

kulokoy commented Jul 27, 2017

Hi, is there anybody here that can give a link to download the old firmware 2.8.3.5 for xiaofang camera pls. Many thanks.

@nragon

nragon commented Jul 27, 2017

Is there any way to use python in it?

@andrewtvuong

@csloz

Hi thanks for the reply. This is a great project to learn more about telnet and SSH. (I've never tried telnet, but have a pretty good experience with SSH)

Though I haven't tried connecting via telnet or SSH, I prefer serial connection, so I'll break it apart.

http://imgur.com/a/pE739 I included pictures of the boards after I broke apart the camera. Can't seem to find the serial ports. Is it visible to you from these pictures?

I was just wondering if it was even possible to write an iOS app to replace the Mi App? This would give me an iOS project to work towards and perhaps build something more usable and flexible than their app.

I'll read more about the hack on the website you linked, thanks!

@Koffie-Verkeerd

@andrewtvuong
Below a picture showing the location and the layout of the serial connection pins.

location and layout serial pins xiaomi smart 1080p wifi ip camera

Regarding your question whether or not it's possible to write an iOS app: no idea......

@andrewtvuong

andrewtvuong commented Sep 2, 2017

@Koffie-Verkeerd Thanks!! Tricky designers hid the ports under the ribbon. I appreciate the picture!

@4ishops

4ishops commented Jun 11, 2018

Hi,

Can somebody share the SN986 chip full datasheet? I need the pin-out to find AV out.
I have found a short version, but no pin-out is provided.
thanks!
SN98660 Series-CG-BZZD-160728.2X.pdf

@juz22

juz22 commented Jun 20, 2018

Does anybody know if it is still possible to downgrade via serial connection on this version?..
I bought Xiaofang cameras from DD4.com which came with MAC addresses starting 78; they are region locked to China and the FangHack doesn't work on them (despite hearing the loading sound). I have tried to downgrade via microSD but have been unsuccessful trying many times.
I disassembled one in order to try to solder to serial USB TTL connection, following this guide (https://www.youtube.com/watch?v=OOghPawyIms) however I cannot see the pins and the board layout appears different.

img_7501 copy

Thanks

@csloz

csloz commented Jun 20, 2018 via email

@ykhandler

ykhandler commented Jun 20, 2018

@juz22, the problem of not downgrading with the sdcard might be because of an incompatible sdcard. I've created a video that shows that some sdcards might result in a different checksum of the firmware, causing the camera to not flash the firmware; I still don't understand the cause.
Although I've formatted with the same allocation size, it still results in the same. If it's already uploaded, I'll show you that.

So, the solution is to change to another sdcard for now, but I still don't know how to determine a compatible one...

@juz22

juz22 commented Jun 22, 2018

Thank you both for the great responses and advice.
I'm probably not knowledgeable enough to manage correlating a data sheet diagram to the physical board and tracing the pins, but I'll have a look into it and see how I go.
I did buy high quality Samsung microSD cards purely for these cameras so don't really want to start buying random additional cards to find ones that just might work - otherwise the cost of my cheap security camera project could quickly stack up! But if you have the link to your video showing the firmware checksums being different I would be interested to take a look? Thanks

@ykhandler

@juz22
https://youtu.be/VOnKD1Sn-Ds

FYI, I am able to use both sdcards to flash the xiaoyi dome camera, but it fails on xiaofang.

@sshaikh

sshaikh commented Jul 14, 2018

@juz22 @ykhandler

FWIW I was having trouble restoring original firmware (from here: https://github.com/GrumpyMeow/XiaomiXiaofangFirmware) until I flashed ykhandler's english mod. From there I was able to reflash the original, and then back to fang-hacks.

I'm not sure what the difference was but it wasn't the SD Card for me.

@ykhandler

ykhandler commented Jul 14, 2018

@juz22, now I realize that there are 2 kinds of xiaofang, the old version one and the 1s one. They use different firmware.

@sshaikh, the ykhandler's english mod is based on the original firmware. But apparently, xiaomi uses multiple combinations of brands for their components. The reason why I have this conclusion is that some xiaofang may have errors reading the sdcard with firmware versions newer than 3.2 (although it can flash), and some xiaofang may have the wifi device not working on firmware older than 3.3.
I don't know why xiaomi doesn't create a newer firmware version that supports all the combinations.
I've tried to restore all the partitions, using the backup from a normal xiaofang that runs the newest version, but it didn't work normally on some devices.

I'm still learning why this is happening.
But for flashing, the problems that I've found are as follows:

  • sdcard compatibility (as shown in my youtube video)
  • sdcard is not ejected properly (need scandisk to fix the problem)
  • sdcard is not FAT32 with default allocation size.
  • xiaofang 1s does not support FIRMWARE_660R.bin nor FIRMWARE_660R_F.bin

@sshaikh

sshaikh commented Jul 15, 2018

Okay. But in my testing with a single camera and single SD card:

  1. Started with stock
  2. Flashed Fang_hacks okay
  3. Flashed GrumpyMeow okay
  4. Stock firmware wouldn't flash back
  5. fang_hacks wouldn't flash back
  6. YK English mod flashed first try
  7. Stock now flashed back first try
  8. fang_hacks (specifically openipc) flashed first try

Maybe I was doing something wrong, but for me the order in which the flashing attempts were made was significant (it doesn't make sense to me why).

@ykhandler

The firmware can be flashed multiple times. It means that after you flash the firmware, you can apply it again by turning off the camera and then holding the reset button for 10 seconds while turning it on. If you use uart you know what you're doing wrong. Don't worry about your xiaofang, even if you flash a wrong firmware it is still recoverable, even if it is the uboot, which is only contained in FIRMWARE_660R_F.bin.

@kittenarmy

> I'm probably not knowledgeable enough to manage correlating a data sheet diagram to the physical board and tracing the pins, but I'll have a look into it and see how I go.

I couldn't find a datasheet for the T20 showing pin out to trace but it appears the designer dropped 3.3V so it's just RX, TX, GND pins as follows (I put a header already):

img_2325
