disclaimer: you do it at your own risk. make sure you have a backup!
- MJSXJ02CM camera with 4.0.9_0409 firmware
- SPI flasher with SOIC8 clip (I use CH341A)
- Linux host with:
  - dd
  - binwalk
  - squashfs-tools
  - flashrom
```shell
flashrom -p ch341a_spi -r 02_backup.bin
cp 02_backup.bin 02_backup_4.0.9_0409.bin
binwalk -e 02_backup.bin
```
You can use just `dd` and `unsquashfs` for extracting rootfs. I use binwalk because of the analysis of the entire firmware.
Replace `_02_backup.bin.extracted/squashfs-root/etc/init.d/S49factory` with:

```shell
#!/bin/sh
if [ -f /mnt/sdcard/manu_test/manu.sh ]
then
    touch /tmp/factory_mode
    /mnt/sdcard/manu_test/manu.sh
fi
```
Remove any occurrence of `umount /mnt/sdcard` in init scripts.
For FW 4.0.9_0409 it's just a file: `_02_backup.bin.extracted/squashfs-root/etc/init.d/S12copylog`
In the case of other FW versions, you can check the occurrences with:

```shell
grep -ri 'umount /mnt/sdcard' _02_backup.bin.extracted/squashfs-root
```
Then re-pack rootfs:

```shell
cd _02_backup.bin.extracted
mksquashfs squashfs-root ../rootfs_patched.bin -comp xz
cd ..
```
create the beginning of the system image:

```shell
cp 02_backup.bin 02_backup_patched1.bin
dd if=rootfs_patched.bin of=02_backup_patched1.bin bs=1 count=7667764 seek=2490368 status=progress
```
then combine with the rest:

```shell
cp 02_backup.bin 02_backup_patched_final.bin
dd conv=notrunc if=02_backup_patched1.bin of=02_backup_patched_final.bin status=progress
```
compare original dump with final:

```shell
binwalk 02_backup.bin > backup.log
binwalk 02_backup_patched_final.bin > final.log
diff -c final.log backup.log
```
The only difference should be in the creation date of Squashfs. If not, stop here and see what's wrong.
before that, make sure you have a backup!
```shell
flashrom -p ch341a_spi -w 02_backup_patched_final.bin
```
For MJSXJ05CM camera, you can follow: telmomarques/xiaomi-360-1080p-hacks#18 (comment)
happy hacking!
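A byte-level pre-flash check to complement the binwalk comparison in the post above, added here as an example and not part of the original post: it confirms that the new squashfs fits the rootfs region and that nothing outside that region changed. The function names `verify_image`, `size_of` and `hash_of` are hypothetical, `sha256sum` is assumed to be installed, and the offset and length are the ones the post gives for FW 4.0.9_0409.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flash check of a patched image.
# Usage: verify_image ORIG FINAL ROOTFS OFFSET LENGTH
# For FW 4.0.9_0409 the post's values are OFFSET=2490368 and LENGTH=7667764.

size_of() { wc -c < "$1" | tr -d ' '; }
hash_of() { sha256sum | cut -d' ' -f1; }   # hashes stdin

verify_image() {
    v_orig=$1; v_final=$2; v_rootfs=$3; v_off=$4; v_len=$5
    v_end=$((v_off + v_len))
    v_rsize=$(size_of "$v_rootfs")

    # 1. dd's count= silently cuts off a squashfs larger than the region.
    if [ "$v_rsize" -gt "$v_len" ]; then
        echo "FAIL: rootfs is $v_rsize bytes, region holds only $v_len" >&2
        return 1
    fi
    # 2. The image written back must be exactly as large as the dump.
    if [ "$(size_of "$v_orig")" -ne "$(size_of "$v_final")" ]; then
        echo "FAIL: image size differs from the original dump" >&2
        return 2
    fi
    # 3. Everything before and after the rootfs region must be
    #    byte-identical to the original dump.
    if [ "$(head -c "$v_off" "$v_orig" | hash_of)" != \
         "$(head -c "$v_off" "$v_final" | hash_of)" ] ||
       [ "$(tail -c +$((v_end + 1)) "$v_orig" | hash_of)" != \
         "$(tail -c +$((v_end + 1)) "$v_final" | hash_of)" ]; then
        echo "FAIL: bytes outside the rootfs region changed" >&2
        return 3
    fi
    # 4. The region must begin with exactly the squashfs that was built.
    if [ "$(tail -c +$((v_off + 1)) "$v_final" | head -c "$v_rsize" | hash_of)" != \
         "$(hash_of < "$v_rootfs")" ]; then
        echo "FAIL: rootfs region does not start with the patched squashfs" >&2
        return 4
    fi
    echo "OK: only the rootfs region differs"
}
```

With the file names from the post, the call is `verify_image 02_backup.bin 02_backup_patched_final.bin rootfs_patched.bin 2490368 7667764`; any non-zero return means the image should not be written.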
I'm unsure if it will work after recompressing, but that issue can be avoided by using the option `-1` or `--preserve-symlinks` to preserve symlinks when using binwalk, so something like: `binwalk -1 -e 02_backup.bin`. According to the man page, this option tells binwalk "Do not sanitize extracted symlinks that point outside the extraction directory (dangerous)".

Same issue, everything works normally but the hacks don't seem to be enabled.