@belkone

belkone/02.md Secret

Last active May 16, 2024 09:15
Xiaomi Mi Home Security Camera 360° 1080p (MJSXJ02CM) firmware hack using SPI flasher method (for FW version 4.0.9_0409)

Xiaomi Mi Home Security Camera 360° 1080p (MJSXJ02CM)

firmware hack using SPI flasher method (for FW version 4.0.9_0409)

disclaimer: you do this at your own risk. make sure you have a backup!

requirements:

  • MJSXJ02CM camera with 4.0.9_0409 firmware
  • SPI flasher with SOIC8 clip (I use CH341A)
  • linux host with:
    • dd
    • binwalk
    • squashfs-tools
    • flashrom

backup first

```sh
flashrom -p ch341a_spi -r 02_backup.bin
cp 02_backup.bin 02_backup_4.0.9_0409.bin
```

unpack image

```sh
binwalk -e 02_backup.bin
```

You can use just dd and unsquashfs to extract the rootfs. I use binwalk because it also gives an analysis (offsets and sizes of every part) of the entire firmware image.

patching rootfs

Replace _02_backup.bin.extracted/squashfs-root/etc/init.d/S49factory with:

```sh
#!/bin/sh

# if the SD card carries manu_test/manu.sh, mark factory mode and run it at boot
if [ -f /mnt/sdcard/manu_test/manu.sh ]
then
  touch /tmp/factory_mode
  /mnt/sdcard/manu_test/manu.sh
fi
```

Remove any occurrence of `umount /mnt/sdcard` in the init scripts (otherwise the SD card is unmounted before the script above can run). For FW 4.0.9_0409 it's just one file: _02_backup.bin.extracted/squashfs-root/etc/init.d/S12copylog

In the case of other FW versions you can find the occurrences with: `grep -ri 'umount /mnt/sdcard' _02_backup.bin.extracted/squashfs-root`

Then re-pack rootfs:

```sh
cd _02_backup.bin.extracted
mksquashfs squashfs-root ../rootfs_patched.bin -comp xz
cd ..
```

prepare a new (hacked) image:

create the beginning of the system image:

```sh
cp 02_backup.bin 02_backup_patched1.bin
# without conv=notrunc, GNU dd truncates the output at the seek offset before writing,
# so the result is the original bytes before the rootfs followed by the patched rootfs
dd if=rootfs_patched.bin of=02_backup_patched1.bin bs=1 count=7667764 seek=2490368 status=progress
```

then combine with the rest:

```sh
cp 02_backup.bin 02_backup_patched_final.bin
# overlay the partial image onto a fresh copy; conv=notrunc keeps everything after the rootfs
dd conv=notrunc if=02_backup_patched1.bin of=02_backup_patched_final.bin status=progress
```

compare original dump with final:

```sh
binwalk 02_backup.bin > backup.log
binwalk 02_backup_patched_final.bin > final.log
diff -c final.log backup.log
```

The only difference should be the creation date of the Squashfs entry (and its size, if the patched rootfs compressed to a different length). If anything else differs, stop here and find out what went wrong before flashing.
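As an added example (not part of belkone's gist), the two dd steps and the comparison above can be folded into one script that refuses to write a patched rootfs larger than the region it must fit in (dd's count= would otherwise silently truncate the filesystem) and then confirms that every byte before and after that region is identical to the backup. It uses a single conv=notrunc write instead of the gist's two-step copy; the resulting image is the same. The function names are mine, and the offset/size arguments are whatever binwalk reports for your dump (the gist's values for 4.0.9_0409 are 2490368 and 7667764).

```sh
#!/bin/sh
# Added example: splice a patched squashfs into a copy of a full SPI dump
# and verify that nothing outside the rootfs region changed.

# splice_rootfs BACKUP PATCHED_ROOTFS OUTPUT OFFSET MAXSIZE
# Writes OUTPUT = BACKUP with PATCHED_ROOTFS placed at OFFSET. Refuses to
# write anything if the patched rootfs does not fit in MAXSIZE bytes.
splice_rootfs() {
  backup=$1; rootfs=$2; out=$3; offset=$4; maxsize=$5
  size=$(wc -c < "$rootfs" | tr -d ' ')
  if [ "$size" -gt "$maxsize" ]; then
    echo "patched rootfs is $size bytes, region holds only $maxsize" >&2
    return 1
  fi
  cp "$backup" "$out"
  # conv=notrunc keeps the bytes after the rootfs; bs=1 makes seek byte-exact
  dd if="$rootfs" of="$out" bs=1 seek="$offset" conv=notrunc 2>/dev/null
  return 0
}

# region_cksum FILE OFFSET LENGTH -> CRC (from coreutils cksum) of that byte range
region_cksum() {
  dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | cksum | cut -d' ' -f1
}

# verify_outside_region BACKUP FINAL OFFSET MAXSIZE
# Returns 0 when both images have the same length and the bytes before
# OFFSET and after OFFSET+MAXSIZE are identical, i.e. only the rootfs
# region was touched.
verify_outside_region() {
  backup=$1; final=$2; offset=$3; maxsize=$4
  total=$(wc -c < "$backup" | tr -d ' ')
  [ "$(wc -c < "$final" | tr -d ' ')" -eq "$total" ] || return 1
  tail_off=$((offset + maxsize))
  tail_len=$((total - tail_off))
  [ "$(region_cksum "$backup" 0 "$offset")" = "$(region_cksum "$final" 0 "$offset")" ] || return 1
  [ "$(region_cksum "$backup" "$tail_off" "$tail_len")" = \
    "$(region_cksum "$final" "$tail_off" "$tail_len")" ] || return 1
  return 0
}
```

Usage on a real dump would be `splice_rootfs 02_backup.bin rootfs_patched.bin 02_backup_patched_final.bin 2490368 7667764 && verify_outside_region 02_backup.bin 02_backup_patched_final.bin 2490368 7667764`; only flash when the second call succeeds. The check is deliberately independent of binwalk, so it catches a wrong offset or a stray write even when the binwalk logs happen to look alike.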

flash it

before that, make sure you have a backup!

```sh
flashrom -p ch341a_spi -w 02_backup_patched_final.bin
```

For MJSXJ05CM camera, you can follow: telmomarques/xiaomi-360-1080p-hacks#18 (comment)

happy hacking!


jimmycr commented Apr 28, 2023

Guys, who successfully patched the latest firmware 409 (and has a working camera), could you please provide a link to your patched BIN file? Thanks


bpfc12 commented Jun 15, 2023

Hello guys. I did everything according to the described method, the camera works normally, I put an SD card with hacks, but I don't have rtsp and web. The hacks don't work for me. Do you have an idea?


Raizelian commented Sep 2, 2023

OK, I think I've got all the dependencies to run binwalk without real errors, but while running it I still get plenty of things like:

```
739543        0xB48D7         Cisco IOS experimental microcode, for "Y"

WARNING: Symlink points outside of the extraction directory: /home/wariat/hack/MI MJSXJ02CM camera/_02_backup.bin-1.extracted/squashfs-root-0/data -> /mnt/data/data; changing link target to /dev/null for security purposes.

WARNING: Symlink points outside of the extraction directory: /home/wariat/hack/MI MJSXJ02CM camera/_02_backup.bin-1.extracted/squashfs-root-0/etc/crontab -> /mnt/data/etc/crontab; changing link target to /dev/null for security purposes.

WARNING: Symlink points outside of the extraction directory: /home/wariat/hack/MI MJSXJ02CM camera/_02_backup.bin-1.extracted/squashfs-root-0/etc/os-release -> /mnt/data/etc/os-release; changing link target to /dev/null for security purposes.
```

(...)

Will it work after I recompress the bin file after patching?

I'm unsure if it will work after recompressing, but that issue can be avoided by using the option `-1` or `--preserve-symlinks` to preserve symlinks when using binwalk, so something like: `binwalk -1 -e 02_backup.bin`. According to the man page, this option tells binwalk "Do not sanitize extracted symlinks that point outside the extraction directory (dangerous)".


> Hello guys. I did everything according to the described method, the camera works normally, I put an SD card with hacks, but I don't have rtsp and web. The hacks don't work for me. Do you have an idea?

Same issue, everything works normally but the hacks don't seem to be enabled.


aktaanos commented Feb 3, 2024

> Hello guys. I did everything according to the described method, the camera works normally, I put an SD card with hacks, but I don't have rtsp and web. The hacks don't work for me. Do you have an idea?

I have the same issue here, did someone answer you?


TheBarber82 commented Apr 26, 2024

Hi, I have tried everything; all seems to go OK (even the @midi123 solution was tested), but the hack seems to do nothing and the camera still works in the Mi Home app.
If someone can help, please.


rainow commented May 16, 2024

One question from a newbie: can we just flashrom a bin file of version 3.4.2_0062?
