Disclaimer: you do it at your own risk. Make sure you have a backup!
- MJSXJ02CM camera with 4.0.9_0409 firmware
- SPI flasher with SOIC8 clip (I use CH341A)
- Linux host with:
  - dd
  - binwalk
  - squashfs-tools
  - flashrom
```sh
flashrom -p ch341a_spi -r 02_backup.bin
cp 02_backup.bin 02_backup_4.0.9_0409.bin
binwalk -e 02_backup.bin
```

You can use just `dd` and `unsquashfs` for extracting rootfs. I use binwalk because of the analysis of the entire firmware.
Replace `_02_backup.bin.extracted/squashfs-root/etc/init.d/S49factory` with:

```sh
#!/bin/sh
# If the SD card carries a manufacturing test script, mark factory mode and run it
if [ -f /mnt/sdcard/manu_test/manu.sh ]
then
    touch /tmp/factory_mode
    /mnt/sdcard/manu_test/manu.sh
fi
```
Remove any occurrence of `umount /mnt/sdcard` in init scripts. For FW 4.0.9_0409 it's just one file: `_02_backup.bin.extracted/squashfs-root/etc/init.d/S12copylog`. In the case of other FW versions, you can check the occurrences by:

```sh
grep -ri 'umount /mnt/sdcard' _02_backup.bin.extracted/squashfs-root
```
Then re-pack rootfs:

```sh
cd _02_backup.bin.extracted
mksquashfs squashfs-root ../rootfs_patched.bin -comp xz
cd ..
```
Create the beginning of the system image:

```sh
cp 02_backup.bin 02_backup_patched1.bin
dd if=rootfs_patched.bin of=02_backup_patched1.bin bs=1 count=7667764 seek=2490368 status=progress
```

Then combine with the rest:

```sh
cp 02_backup.bin 02_backup_patched_final.bin
dd conv=notrunc if=02_backup_patched1.bin of=02_backup_patched_final.bin status=progress
```
Compare the original dump with the final image:

```sh
binwalk 02_backup.bin > backup.log
binwalk 02_backup_patched_final.bin > final.log
diff -c final.log backup.log
```

The only difference should be in the creation date of the Squashfs. If not, stop here and see what's wrong.
Before that, make sure you have a backup!

```sh
flashrom -p ch341a_spi -w 02_backup_patched_final.bin
```
For the MJSXJ05CM camera, you can follow: telmomarques/xiaomi-360-1080p-hacks#18 (comment)

Happy hacking!
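The splice and compare steps in the guide above (cp + dd into the rootfs partition, then a binwalk diff) only catch a wrong result after the fact, and binwalk's listing only compares headers. The script below is an added example, not code from the original post: a POSIX sh helper that refuses to write when the repacked squashfs is not a squashfs image or is larger than the partition, splices it with `conv=notrunc` into a copy of the dump, and then proves byte-for-byte that nothing before or after the rootfs partition changed. The offset (2490368) and size (7667764) are the values the post gives for FW 4.0.9_0409 and are assumptions for any other build; the function names and the `hsqs` magic check are mine.

```shell
#!/bin/sh
# Added example (not from the original post): splice a repacked squashfs into a
# copy of the full SPI dump with bounds checks, then verify that every byte
# outside the rootfs partition is identical to the original dump.
#
# ASSUMPTION: the offset and size below are the values the post reports for
# FW 4.0.9_0409. Confirm them against binwalk's listing of your own dump before
# using this on a different firmware build.
ROOTFS_OFFSET=2490368
ROOTFS_SIZE=7667764

file_size() { wc -c < "$1" | tr -d ' '; }

# slice FILE OFFSET LENGTH: write LENGTH bytes of FILE starting at OFFSET to stdout
slice() { tail -c +$(($2 + 1)) "$1" | head -c "$3"; }

# A little-endian squashfs image starts with the ASCII magic "hsqs".
is_squashfs() { [ "$(dd if="$1" bs=4 count=1 2>/dev/null)" = "hsqs" ]; }

# splice_rootfs ORIGINAL_DUMP PATCHED_ROOTFS OUTPUT
# Copies ORIGINAL_DUMP to OUTPUT and overwrites the rootfs partition with
# PATCHED_ROOTFS. Returns 1 without writing anything if the rootfs lacks the
# squashfs magic, does not fit the partition, or the dump is too small.
splice_rootfs() {
    orig=$1; rootfs=$2; out=$3
    rsize=$(file_size "$rootfs")
    dsize=$(file_size "$orig")
    end=$((ROOTFS_OFFSET + ROOTFS_SIZE))
    if ! is_squashfs "$rootfs"; then
        echo "$rootfs: missing squashfs magic" >&2; return 1
    fi
    if [ "$rsize" -gt "$ROOTFS_SIZE" ]; then
        echo "patched rootfs is $rsize bytes, partition is only $ROOTFS_SIZE" >&2; return 1
    fi
    if [ "$dsize" -lt "$end" ]; then
        echo "dump is $dsize bytes, partition ends at $end" >&2; return 1
    fi
    cp "$orig" "$out" || return 1
    # conv=notrunc keeps the rest of the copy intact. Use 4 KiB blocks when the
    # offset allows it (dd writes a short final block as-is); otherwise fall
    # back to the byte-granular bs=1 that the post uses.
    if [ $((ROOTFS_OFFSET % 4096)) -eq 0 ]; then bs=4096; else bs=1; fi
    dd if="$rootfs" of="$out" bs="$bs" seek=$((ROOTFS_OFFSET / bs)) conv=notrunc 2>/dev/null
}

# verify_splice ORIGINAL_DUMP OUTPUT PATCHED_ROOTFS
# Returns 0 only if OUTPUT has the dump's size, matches it byte-for-byte before
# and after the rootfs partition, and the partition starts with PATCHED_ROOTFS.
# Bytes of the partition beyond a shorter rootfs keep their old content, which
# is harmless: squashfs stops at the size recorded in its own superblock.
verify_splice() {
    orig=$1; out=$2; rootfs=$3
    osize=$(file_size "$orig")
    rsize=$(file_size "$rootfs")
    end=$((ROOTFS_OFFSET + ROOTFS_SIZE))
    if [ "$osize" -ne "$(file_size "$out")" ]; then
        echo "size differs from the original dump" >&2; return 1
    fi
    tmp=$(mktemp -d) || return 1
    rc=0
    slice "$orig" 0 "$ROOTFS_OFFSET" > "$tmp/a"
    slice "$out"  0 "$ROOTFS_OFFSET" > "$tmp/b"
    cmp -s "$tmp/a" "$tmp/b" || { echo "bytes before the rootfs partition changed" >&2; rc=1; }
    slice "$orig" "$end" $((osize - end)) > "$tmp/a"
    slice "$out"  "$end" $((osize - end)) > "$tmp/b"
    cmp -s "$tmp/a" "$tmp/b" || { echo "bytes after the rootfs partition changed" >&2; rc=1; }
    slice "$out" "$ROOTFS_OFFSET" "$rsize" > "$tmp/b"
    cmp -s "$rootfs" "$tmp/b" || { echo "partition does not start with the patched rootfs" >&2; rc=1; }
    rm -rf "$tmp"
    return "$rc"
}

# Usage: sh splice.sh 02_backup.bin rootfs_patched.bin 02_backup_patched_final.bin
if [ $# -eq 3 ]; then
    splice_rootfs "$1" "$2" "$3" && verify_splice "$1" "$3" "$2" && echo "splice verified: $3"
fi
```

Run it as `sh splice.sh 02_backup.bin rootfs_patched.bin 02_backup_patched_final.bin` after `mksquashfs`; a non-zero exit means the image must not be flashed. The size check is the one that matters most: `mksquashfs` with a different compressor or extra files can produce an image larger than the partition, and the post's `count=7667764` would then silently cut off its tail.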
I managed to flash the chip. I found the exact same values for offsets and sizes as @midi123. I really appreciate that everyone shared their findings. I couldn't have attempted this without these findings.
Unfortunately, the orange light on the camera is just permanently on. No internet connectivity or qr code request. I can't downgrade to the older firmware or mount the patches. Nothing happens. Perhaps I offered the files in a wrong order. Perhaps I made a mistake in the patches (although I doubt it, they were simple enough).
I'm really impressed by the hardware build of the camera. It's very nice and cleverly put together. It's not just glued plastic. It contains more than 20 screws. It's unfortunate that such a beautiful product is severely limited by software and vendor lock-in.
But this one is soft-bricked. Now I could try to do all the steps again. But to be honest, it's becoming expensive in terms of time. I'd rather buy an old Raspberry Pi Zero 1 W for $6 and a camera module for $3, and use something like this:
I hate to create e-waste, so I'll try to flash the backup and sell the thing for $9 to someone who doesn't mind the vendor lock-in yet.