Disclaimer: you do this at your own risk. Make sure you have a backup!
- MJSXJ02CM camera with 4.0.9_0409 firmware
- SPI flasher with SOIC8 clip (I use CH341A)
- Linux host with:
  - dd
  - binwalk
  - squashfs-tools
  - flashrom
```sh
flashrom -p ch341a_spi -r 02_backup.bin
cp 02_backup.bin 02_backup_4.0.9_0409.bin
binwalk -e 02_backup.bin
```
You can use just `dd` and `unsquashfs` for extracting rootfs. I use binwalk because of the analysis of the entire firmware.
Replace `_02_backup.bin.extracted/squashfs-root/etc/init.d/S49factory` with:

```sh
#!/bin/sh
if [ -f /mnt/sdcard/manu_test/manu.sh ]
then
    touch /tmp/factory_mode
    /mnt/sdcard/manu_test/manu.sh
fi
```
Remove any occurrence of `umount /mnt/sdcard` in init scripts.

For FW 4.0.9_0409 it's just a file: `_02_backup.bin.extracted/squashfs-root/etc/init.d/S12copylog`

For other FW versions you can check the occurrences with:

```sh
grep -ri 'umount /mnt/sdcard' _02_backup.bin.extracted/squashfs-root
```
Then re-pack rootfs:

```sh
cd _02_backup.bin.extracted
mksquashfs squashfs-root ../rootfs_patched.bin -comp xz
cd ..
```
Create the beginning of the system image:

```sh
cp 02_backup.bin 02_backup_patched1.bin
dd if=rootfs_patched.bin of=02_backup_patched1.bin bs=1 count=7667764 seek=2490368 status=progress
```
Then combine with the rest:

```sh
cp 02_backup.bin 02_backup_patched_final.bin
dd conv=notrunc if=02_backup_patched1.bin of=02_backup_patched_final.bin status=progress
```
Compare original dump with final:

```sh
binwalk 02_backup.bin > backup.log
binwalk 02_backup_patched_final.bin > final.log
diff -c final.log backup.log
```
The only difference should be in the creation date of Squashfs. If not, stop here and see what's wrong.
Before that, make sure you have a backup!

```sh
flashrom -p ch341a_spi -w 02_backup_patched_final.bin
```
For MJSXJ05CM camera, you can follow: telmomarques/xiaomi-360-1080p-hacks#18 (comment)
happy hacking!
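A byte-level complement to the binwalk comparison step, added here as an example and not part of the original post: it checks that the repacked rootfs fits the region written by `dd`, and that the final image differs from the dump only inside that region. The function and variable names are hypothetical, and treating the `count=` value as the size limit of the rootfs region is an assumption.

```sh
#!/bin/sh
# Added example: pre-flash checks for the patched image.
# Defaults are the seek=/count= values from the dd step for FW 4.0.9_0409;
# treating count= as the size limit of the rootfs region is an assumption.
ROOTFS_OFFSET=2490368
ROOTFS_MAXLEN=7667764

fsize() { wc -c < "$1" | tr -d ' '; }

# check_image ORIG FINAL ROOTFS [OFFSET] [MAXLEN]
# Returns 0 when all checks pass; 1-5 is the number of the failed check.
check_image() {
    orig=$1; final=$2; rootfs=$3
    off=${4:-$ROOTFS_OFFSET}; max=${5:-$ROOTFS_MAXLEN}
    rlen=$(fsize "$rootfs"); end=$((off + max))

    # 1. dd with count= silently drops whatever exceeds the region
    if [ "$rlen" -gt "$max" ]; then
        echo "rootfs is $rlen bytes, region holds $max" >&2; return 1
    fi
    # 2. the image written back must have the size of the dump
    if [ "$(fsize "$orig")" -ne "$(fsize "$final")" ]; then
        echo "image size differs from original dump" >&2; return 2
    fi
    # 3. everything in front of the rootfs is untouched
    if ! cmp -s -n "$off" "$orig" "$final"; then
        echo "bytes before offset $off changed" >&2; return 3
    fi
    # 4. everything behind the rootfs region is untouched
    if ! cmp -s "$orig" "$final" "$end" "$end"; then
        echo "bytes after offset $end changed" >&2; return 4
    fi
    # 5. the repacked rootfs really sits at the offset
    if ! cmp -s -n "$rlen" "$rootfs" "$final" 0 "$off"; then
        echo "rootfs not found at offset $off" >&2; return 5
    fi
    echo "ok: $rlen-byte rootfs at $off, rest of image unchanged"
}

# Usage: sh check_image.sh 02_backup.bin 02_backup_patched_final.bin rootfs_patched.bin
if [ $# -eq 3 ]; then check_image "$@"; fi
```

For another firmware version, pass the offset and length that binwalk reports for its Squashfs entry as the fourth and fifth arguments.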
For MJSXJ05CM with 4.0.9_0426 you can use the tutorial above.
Just change every occurrence of `02` in the names to `05`, e.g. change `02_backup.bin` to `05_backup.bin` or `02_backup_4.0.9_0409.bin` to `05_backup_4.0.9_0426.bin` (for better readability).

You have to change only one step:
prepare a new (hacked) image:
create the beginning of the system image: