Can't downgrade / install hack on 1.8.7.0A_201702081101 ?

[galadril]

I try to implement this hack to my Yi Home camera (international).
It boots up with the sd card, but it doesn't have al the features (h264, telnet, ftp, etc)

Im I doing something wrong?

Write FAT32 SD card with content
Config DHCP / Wifi settings
Put the sd in Yi camera
Reset camera
But then it doesn't connect to wifi automaticly, i need to setup the connection via app??

Then camera works with the app, but not via the hack (http/ip/ not accessable)

I've also tried to install the hack in combination with another home file, all with the same results..
?

[eeztrbo]

Galadril did you get the hack to work on 1.8.7 firmware?

[galadril]

nope

[dbldown7680]

broke for me as well. i tried everything.

[ghost]

do you guys have the white or black camera? I was able to install on two white cameras and failed on two black. I wonder if there's something different in the firmware.

[eeztrbo]

Black.

[galadril]

White

[ghost]

So I guess the color didn't matter. It must be just newer versions then.

[keith721]

I should have a late-model Yi arriving from Amazon this afternoon. I'll try to determine the firmware version and research it. It's a US model, and upon opening it to make a console/serial port connection, I find it has no connector installed, only the blank spot where one should be. :( It's the same firmware version in the title, 1.8.7.0A_201702081101.

[ghost]

I contacted support about a week ago and so far they can't figure out why these two cameras can't downgrade but the other ones can. They even sent me an older firmware and it didnt work either :(.

@keith721 so they are removing stuff from the new ones to avoid users from downgrading?

[keith721]

I'd guess they removed the console connector simply to save two cents per camera. My problem is trying to solder wires to those tiny traces is next to impossible. :(

I attempted loading only the 'home' firmware file from this project onto the TF/Mini-SD card, so that it was the very first and only directory entry on the card. It still did not downgrade. I'd guess they've installed some form of version checking in the firmware update process, but without console connectability, it's impossible to tell what's happening.

[keith721]

Got a serial console connected tonight, and found the newest version of U-Boot is looking for a file named 'home_y18' instead of 'home'. Unfortunately, U-Boot is not allowing an interrupt to change boot arguments. But it does appear we can overwrite/update the 'home' filesystem and downgrade the firmware again. :) Now, I need to figure out why it's not running the hacks script from the SD card as it boots up.

[ghost]

I saw your post on slickdeals. Nice progress! I found some info about it here but sadly it is in Russian:

https://4pda.ru/forum/index.php?showtopic=638230&st=9740

I tried downgrading and sadly it seems it is not booting anymore lol. Oh well 😆

[keith721]

I've noticed the camera has a tendency to just not initialize properly occasionally. Unplug the power, press the reset button once or twice, then wait five or ten seconds, and try again. Might work!

FYI, here's a helpful link that contains older versions of the camera firmware.

[ghost]

Thanks for the link! I've tried everything and nothing works. It blinks blue twice and then the light stays on (orange). Reset button does nothing either. It seems like it has the same issue as this guy:
http://bbs.xiaomi.cn/t-13123979 (Chinese)
No worries, it's going back anyway 😆

[keith721]

Can anybody with a fairly recent firmware (1.8.5.x or 1.8.6.x) and telnet access provide a dump of their MTD flash RAM partitions?

0x000000000000-0x000000040000 : "boot"     mtd0
0x000000040000-0x000000050000 : "env"      mtd1
0x000000050000-0x000000060000 : "conf"     mtd2
0x000000060000-0x0000001f0000 : "os"       mtd3
0x0000001f0000-0x000000330000 : "rootfs"   mtd4
0x000000330000-0x000000fe0000 : "home"     mtd5
0x000000fe0000-0x000000ff0000 : "vd1"      mtd6
0x000000ff0000-0x000001000000 : "ver"      mtd7

Of particular interest are the 'env' and 'conf' partitions, which are reasonably small. The 'os' partition is somewhat larger, but still desired.

Thanks!

[AdySan]

@keith721 I have 1.8.6.1B_rtspfix from here http://xiaoyi.querex.be/firmwares/, would that help in anyway?

[keith721]

@AdySan Thank you, but I'm afraid that would only be the 'home' partition.

[AdySan]

@keith721 OK, I meant my camera came with 1.8.6.1B and I installed this version of the firmware to get rtsp working. Still wouldn't help? If it would, I'd appreciate instructions on how to dump the firmware via telnet.

[keith721]

Oh! Yes, that would be helpful. Essentially, you use the Linux 'dd' command to read the MTDRAM block device and output to a file on the SD card.

dd bs=512 if=/dev/mtdblock1 of=/tmp/sd/mtd1.img
dd bs=512 if=/dev/mtdblock2 of=/tmp/sd/mtd2.img
dd bs=512 if=/dev/mtdblock3 of=/tmp/sd/mtd3.img

[AdySan]

Sorry, never played with Telnet. What am I doing wrong here?

pi@AdyPi3:~ $ telnet 192.168.1.128
Trying 192.168.1.128...
Connected to 192.168.1.128.
Escape character is '^]'.

(none) login: root
Password:
Welcome to HiLinux.
None of nfsroot found in cmdline.
# dd bs=512 if=/dev/mtdblock1 of=/tmp/sd/mtd1.img
dd: can't open '/tmp/sd/mtd1.img': No such file or directory
#

EDIT: Ok, so more progress, I had to cd / first. I dont have an SD folder though, only /tmp/hd1 and /tmp/hd2

I was able to dump the images onto the sd card. I'm not near the camera at hte moment, don't have physical access to SD card. But I can vpn onto hte same network. Any easy way to extract those files remotely?

[AdySan]

@keith721 Here you go: https://www.dropbox.com/sh/peffv41syexua7l/AAD7bHYBFeUfW1AdT-L_zdwPa?dl=0

I have three files in here, is that all?

[keith721]

Thank you, @AdySan !! I'll have to look at these after I get finished with a few conference calls. It will be a couple of hours before then, though. :( I'd much rather dig here than listen to these calls.

Whoops, I forgot I had VPN I could use on an alternate machine, to get the files.
MTD1 : "env" : U-Boot environment variables - this shows BOOTDELAY=1 which should be increased
MTD2 : "conf" : appears to be blank / empty, surprisingly
MTD3 : "os" : The Linux 3.0.8 kernel - good to have, just in case something goes very, very wrong

[keith721]

If you could also dump /dev/mtdblock4 "rootfs" that might be helpful. That would include everything in the "/" top-level/root directory which doesn't reside in the "/home" directory path. I'm guessing that includes the original call-out to the /tmp/sd/test/equip_test.sh script that's been disabled in the 1.8.7.0A firmware.

/dev/mtdblock5 "home" is what we already have in all the various firmware files. No need to dump this.

/dev/mtdblock6 "vd1" and /dev/mtdblock7 "ver" might be interesting/helpful as well. Guessing they're more configuration/version information, or they might be blank/empty, as well.

I'll use the U-Boot 'mkimage' command to wrap these dump files, and attempt to flash/burn them on my camera using the SD card at boot-up time. If that succeeds, I'll be able to hack my camera as we all expected in the first place. :)

[AdySan]

@keith721 ok, three more files added to same link.

https://www.dropbox.com/sh/peffv41syexua7l/AAD7bHYBFeUfW1AdT-L_zdwPa?dl=0

BTW, there is no mtdblock7, here's the directory listing https://gist.github.com/AdySan/d0cecbba65845ce203a4ef75f827407f

[keith721]

Thank you so very much, @AdySan :) Funny there's no mtdblock7, as the kernel boot log clearly shows eight MTD flash RAM partitions, with the eighth one named "ver". What I'm attempting right now is to build the U-boot image for the mtd1 "env" partition, with the bootwait value updated to '3'. If that is successful, then I should be able to interrupt the U-boot sequence and add the 'single' argument to the bootargs variable, leading to a root shell.

There are several options/arguments to the mkimage program, and I'm stuck trying to decide on the "image type" which could be any of :
aisimage, filesystem, firmware, flat_dt, gpimage, kernel, kernel_noload, kwbimage, imximage, multi, omapimage, pblimage, ramdisk, script, socfpgaimage, standalone, ublimage, mxsimage, atmelimage

I'm leaning towards / guessing 'script' as it's simply a bunch of null-terminated strings containing 'variable=value' assignment statements.

[bunver]

@keith721 go for it, Keith! My camera also has the same problem and I'm following you guys.

[keith721]

I've got the env_y18 uImage file copied to my SD card . . . I'm about to find out if it works or not. Thanks for the support!!

reading env_y18

magic 0x27051956 0x27051956
arch 0x2 0x2
size 0x20008 0x40
type 0x6 0x2
crc 0xfa7aeca7
name 7518-hi3518-env
Image env_y18 wrong type

:(

Changed it from 'script' to 'flat_dt' and got worse results, so that was clearly a wrong choice. Give me time to go through each option, and I'll find the right one, eventually. ;^)

reading env_y18

magic 0x0 0x27051956
arch 0x0 0x2
size 0x0 0x40
type 0x0 0x2
crc 0x0
name
Image env_y18 bad MAGIC or ARCH

[keith721]

Quite frustrating, honestly. I'm currently using this mkimage command syntax

mkimage -A arm -T filesystem -C none -a 4000 -e 0 -n '7518-hi3518-env' -d mtd1a.img  env_y18

and receiving the following lovely output from the U-boot startup process:

2: home_y18!
 find index 5: home_y18

u-boot_y18 not found!
reading env_y18

magic 0x27051956 0x27051956
arch 0x2 0x2
size 0x20000 0x40
type 0x7 0x2
crc 0xa351d2af
name 7518-hi3518-env
idx1: old : ffffffff, new : 592dd44d
reading env_y18
write_len too big

What's so frustrating is that the mtd1a.img file is the same as that extracted to dropbox, with the exception of bootdelay=5 instead of the default bootdelay=1. It's exactly 128K (131072) bytes, and with the 64-byte u-Boot image header added, it's 131136 bytes, as expected. So why the HECK does it complain the write_len is too big??

[ghost]

Would it help to have the files from 1.8.7?

[Minims]

@taellian what was the last firmware you tried to upload before this one ?

@hizel I saw it can have env_y18 do you have this file too. My 27US doesn't come back, maybe I've try too many things :/ and my serial is broken so I'm blind :/

[taellian]

Hey @Minims I believe it was stock 1.8.5.1N, but honestly I was just throwing stuff at the wall to see what would stick. I do know that just prior to this I was getting solid orange LED.
@astazed I can't get the hacked firmware to work at this time, but I will keep experimenting.

[Minims]

@taellian Ok i gonna try the 1.8.5.1N US. When broken, does your reset button was working ? making the camera reboot or something else ?

[taellian]

@Minims No, the reset button was totally unresponsive. I still followed the procedure of pushing it, unplugging the camera, inserting SD and powering on and resetting again though. But it seemed that the button wasn't really doing anything, but I wasn't console connected so I can't say for sure.

[ghost]

@hizel thank you! your firmware brought my camera back to life!

Edit: Hack doesn't seem to work. @hizel do you have it working? Is there anything else we should do?

Thanks again

[ontdamian]

I've also bricked my 27US camera yesterday by loading renamed home_y18 (hack) file and successfully revived it with @hizel files. I tried to load renamed home_y18 (also with updated equip_test.sh) but hack doesn't work. However, hizel files brings my camera back to life every time. If they are loaded, maybe this somehow is a hint?

[Minims]

Mine is still out of service after many try. I've loaded some old firmware and retry each time with @hizel firmware. but still fix orange on reboot. I have the 27US as everyone.
One thing i've tried env_y18 from here : #174 (comment)
@hizel are you able to generated this if you get time ?
it seems it works like this : mkenvimage -s 0x10000 -o env_y18 ./mtd1a.txt

One more thing is there a way to get console log to a file on the SD card so i can have some infortaion about the failure ?

[mdisieno]

I'm taking it that converting home to home_y18 is bricking cameras? I'm also on 1.8.7.0a and patiently waiting for a fix.

[arunshivaram]

@hizel Looks like shadow-1 has a working hack for the 17CN version which also uses the hi3518ev200 chip. shadow-1/yi-hack-v3#25. If you have a working serial connection, may be providing him with mtd dumps will help him generate a working hack for this model.

[patosullivan]

I'm having the same issues with this firmware on a YHS-113-IR.

The weird thing though is that I've got another of the same model, bought a few months prior, that is supposedly running on this same firmware (according to the YI app), and I can apply this hack to it just fine.

[patosullivan]

I can also confirm that pressing the reset button doesn't help. It just cleared the camera's settings, so I had to set it up again in the Yi app to get it to work at all. The camera still doesn't recognize anything from the hack on SD card.

[hazarjast]

I've been following this thread closely as I have a new 27US Yi Home as well as a 1080p Yi Home (18US version) that I want to enable RTSP on. There appears to be some progress via Shadow-1's Yi-Hack-v3 project already linked to by arunshivaram. He has provided some firmware files for the 27US here:

home: https://www.dropbox.com/s/lxwxvm1haydkqmb/home_y18?dl=0
rootfs: https://www.dropbox.com/s/w37nkc7bz0isv2o/rootfs_y18?dl=0

Also he has provided SDK here: https://app.box.com/s/cibs7n1mgvhqaqjlidtveegu1uajt5yr

Hi3518E_V200 is; Hi3518E_V200R001C01SPC040
Hi3518_V100 is: Hi3518E_V100R001C02SPC0A0

Hopefully I will have some time to test the firmware he has provided, if not I at least wanted to update folks in this thread.

[patosullivan]

Thanks for the update! Very interested to learn whether or not it works.

…

On July 23, 2017 11:03:08 AM CDT, hazarjast ***@***.***> wrote: I've been following this thread closely as I have a new 27US Yi Home as well as a 1080p Yi Home (18US version) that I want to enable RTSP on. There appears to be some progress via Shadow-1's Yi-Hack-v3 project already linked to by arunshivaram. He has provided some firmware files for the 27US here: home: https://www.dropbox.com/s/lxwxvm1haydkqmb/home_y18?dl=0 rootfs: https://www.dropbox.com/s/w37nkc7bz0isv2o/rootfs_y18?dl=0 Also he has provided SDK here: https://app.box.com/s/cibs7n1mgvhqaqjlidtveegu1uajt5yr Hi3518E_V200 is; Hi3518E_V200R001C01SPC040 Hi3518_V100 is: Hi3518E_V100R001C02SPC0A0 Hopefully I will have some time to test the firmware he has provided, if not I at least wanted to update folks in this thread. -- You are receiving this because you commented. Reply to this email directly or view it on GitHub: #174 (comment)

-- Patrick Sent from my phone.

[ghost]

Thanks for the update. I tried the files you linked, and everything works as intended by https://github.com/shadow-1/yi-hack-v3

For some this will be enough, but I want it to have RTSP support and work on a local network only, which it currently doesn't...

[mdisieno]

This seems promising : #166

Update: I've tried the downgrade method and didn't have any luck. My ideas for options are:

1. Try renaming the original firmware file provided in the link above to home_y18 with the hopes of not bricking the device.
2. Use shadow-1's firmware, via telnet attempt to modify required values for RTSP access. Give the talk of different hardware between the newer and older 27US's I'm feeling this might be a loss cause as it might be a different requirement.

[galadril]

I've installed the 27US version of the firmware.. works great
https://github.com/shadow-1/yi-hack-v3

I'm really waiting for RTSP access to integrate my camera in my domoticz system :)

[ghost]

@galadril I just got two more on Amazon hoping to try the new hack and didn't notice RTSP is not supported. They are useless to me without RTSP 😞 lol

[lastb0isct]

You should update this project and let people know that there are issues with new units. I'm not able to get this to boot at all...could it be because of this firmware? Just get a constant "waiting to connect"

[uraharakisuke12]

@lastb0isct Same happen to me. Try put on SD card home_y18 and rootfs_y18 from @hizel https://github.com/hizel/yi_dump . This unbrick my cam

[lastb0isct]

@uraharakisuke12 -- Just put both of those file alone on the SD card? Or along with the yi-hack file/folder?

[uraharakisuke12]

Just those files alone. After upgrade your cam can be paired again. Hack still will not work but you can use hack https://github.com/shadow-1/yi-hack-v3 or wait for new version of this hack

[lastb0isct]

@uraharakisuke12 -- not sure I'm able to use that one. I have the 720p version of the home camera =(

[ghost]

@lastb0isct agree... this project should be updated. The new cameras being sold now have completely different hardware and the hack old won't work.

[uraharakisuke12]

@lastb0isct 27US? shadow-1/yi-hack-v3#40 (comment) this work for my cam

[lastb0isct]

@uraharakisuke12 -- Looks like RTSP isn't supported with that still =( I'm using Zoneminder so it's a requirement for me sadly.

[wanwaner]

version 1.8.7.0C try this.https://github.com/wanwaner/xiaoyi1.8.7.0C_hack

[rmbrntt]

@wanwaner 27US/47US ignores the firmware as home and renaming to home_y18 causes a static orange light and after removing the sd it boots the official firmware so doesn't appear to be working on my side.