Monthly Archives: May 2016

[SOLVED] Xiaomi Xiao Yi Ant HOME – This camera can only be used in China (1.8.6.1)

(please link to this page, but do not copy the content to other sites)

Xiaomi Xiao Yi Ant HOME

Recently I bought a Xiaomi Xiao Yi (IP) camera (also known as Yi Home), Chinese version. The camera looks nice, picture quality is ok, and worked fine on my local Wifi.

However I was unfortunate enough to receive and test the camera when Xiaomi decided to deny access from the iOS app to the camera outside of China (error 5400). I was hoping a firmware upgrade would solve this issue so I have upgraded from 1.8.5.1L to 1.8.6.1B. Now my camera was useless. The camera would say “This camera can only be used in China” and would shut down.

This was the tipping point when I have decided I will investigate what’s happening with this camera and what can be done to make it functional again. At the time of writing the remote access (error 5400) has been solved by the provider so no additional action is required. (I tried to convert a CN camera to international one by changing the serial of the device, but couldn’t test from a European or US IP and probably I would have needed access to the system files  of a functional international camera to compare)

So the remaining issue was the camera shutdown with the latest firmware (tested with 1.8.6.1A and 1.8.6.1B).

If you do a search there are heaps of websites describing how you can gain access to the camera and ultimately enable remote access via telnet. I won’t get into those details, you can check some of websites I listed below.

Once you logged into the camera via telnet the fun part begins.  The camera is running a Linux version.

# uname -a
Linux (none) 3.0.8 #1 Wed Apr 30 16:56:49 CST 2014 armv5tejl GNU/Linux

This is familiar territory, we can check what processes are running, log files, the /home directory and we can mess around with the system. I have to mention this is for educational purposes only and you can easily brick your camera.

Back to the “This camera can only be used in China” message. So if you look carefully in the log file “/tmp/log.txt” at some point you will see the forbidden.g726 sound being played and not long before that there is an API call to the mothership to check  if you device is allowed to run on not. With this call the camera sends your IP automatically so there is not much to be done about that.

[/home/cloud][4/29/22:51:48:52]: req_info=https://api.xiaoyi.com/v4/ipc/check_did?hmac=XXXXXXXXXXXXXXX%3D&seq=9
&uid=XXXXXXXXXXXXXX&timestamp=4294938554
{"allow":false,"code":"20000"}

Now the nice thing about this is that we can fake the response from the server in many different ways.

1. You set up a proxy to be used and the proxy will change the reply from “allow”: false to true.  The certificate on the camera can be changed so you can set up a valid proxy for https request for a man in the middle attack. (/home/ca.crt). Possible but too complicated and you need a proxy running.

2. You can set up a fake response on the camera via the local http server and redirect (see point 3 😉 ) the check_did call to this file. (/home/web/response.json -> {“allow”:true,”code”:”20000″}). Again possible but not really needed.

3. And finally we got to the solution. In the log files we saw that /home/cloud is responsible to check the permission for our device. This is a binary file and we can check what calls are made from this file:

# strings /home/cloud | grep http
http://log.xiaoyi.com/info.gif?p=home_v1&sysVersion=%s&mac=(lots' of other details)
%s -c 311 -url https://api.xiaoyi.cox/v4/ipc/check_did -uid %s -keySec %s
%s -c 139 -keySec %s -url https://api.xiaoyi.com/v4/ipc/reset -uid %s -version %s -mac %s
......
%s -c 138 -key %s -keySec %s -url https://api.xiaoyi.com/v4/ipc/on_line -uid %s 
-version %s -mac %s -packetloss %d -p2pconnect %d -p2pconnect_success %d -tfstat %d
%s -c 136 -url http://api.xiaoyi.com/v2/ipc/sync_time
(yes, the camera logs and sends everything back to xiaomi)

Now if we change the call check_did to our local file mentioned above that would make /home/cloud happy and the camera will run. Luckily /home/cloud will lock your device just if the remote server replied with “allow”: false. Now all we need to do is to block that call or break/invalidate that url (ie. dns error).

THE SOLUTION:

# ps | grep /home/watch_process | grep -v "grep" | awk '{print $1}' | xargs kill -9
# ps | grep /home/cloud | grep -v "grep" | awk '{print $1}' | xargs kill -9
# sed -i  's|api.xiaoyi.com/v4/ipc/check_did|api.xiaoyi.cox/v4/ipc/check_did|g' /home/cloud
# reboot

First commands will kill watch_process so it doesn’t restart other processes.
Second command will stop the cloud service, so we can change the file.
The third one will change the text in the binary file. It will change com to cox which will invalidate the url and will not return the allow: false message anymore.

Once the camera reboots it will be functional just as before you upgraded to the latest firmware. In case anything goes wrong just install a fresh, unmodified firmware.

Drop me a line if this worked for you!

Update: Read the comments for CNxx160622 hardware with FW 1.8.6.1C or 1.8.6.1Q.

Serial port connection to the camera explained in this video (credit to fedeant):

 

1.8.6.1C and 1.8.6.1Q problem solved by JonesChi:

I wrote a scrip to make the camera work again outside China.
Download the file, and decompress it to root of SD card.
http://diy.2pmc.net/wp-content/uploads/2016/10/hack_yi.tar.gz

If your device’s FW is 1.8.6.1C, you just need to insert the SD card into your camera, and it will hack your device automatically, when it finished, the camera will reboot automatically, then your camera is free.

If your device’s FW is 1.8.6.1Q, you need to connect your camera via serial port to get console, then insert the SD card into your camera, when you see the command prompt, just type “/tmp/sd/hack_yi.sh”, then your camera is free.

[tiny_coffee]

Some websites to check to see how you can enable the remote access (telnet):

http://xiaoyi.querex.be/
https://yadi.sk/d/MpaQaTC1mU2kQ
http://en.miui.com/thread-224653-1-1.html

-Peter