[UPDATE] added instruction for latest firmware ver. 1.8.7.0C_201705091058
Recently I bought a Xiaomi Xiao Yi (IP) camera (also known as Yi Home), Chinese version. The camera looks nice, the picture quality is ok, and worked fine on my local Wifi.
However, I was unfortunate enough to receive and test the camera when Xiaomi decided to deny access from the iOS app to the camera outside of China (error 5400). I was hoping a firmware upgrade would solve this issue so I have upgraded from 1.8.5.1L to 1.8.6.1B. Now my camera was useless. The camera would say “This camera can only be used in China” and would shut down.
This was the tipping point when I have decided I will investigate what’s happening with this camera and what can be done to make it functional again. At the time of writing the remote access (error 5400) has been solved by the provider so no additional action is required. (I tried to convert a CN camera to international one by changing the serial of the device, but couldn’t test from a European or US IP and probably I would have needed access to the system files of a functional international camera to compare)
So the remaining issue was the camera shut down with the latest firmware (tested with 1.8.6.1A and 1.8.6.1B).
If you do a search there are heaps of websites describing how you can gain access to the camera and ultimately enable remote access via telnet. I won’t get into those details, you can check some of the websites I listed below.
Once you logged into the camera via telnet the fun part begins. The camera is running a Linux version.
# uname -a Linux (none) 3.0.8 #1 Wed Apr 30 16:56:49 CST 2014 armv5tejl GNU/Linux
This is familiar territory, we can check what processes are running, log files, the /home directory and we can mess around with the system. I have to mention this is for educational purposes only and you can easily brick your camera.
Back to the “This camera can only be used in China” message. So if you look carefully in the log file “/tmp/log.txt” at some point you will see the forbidden.g726 sound being played and not long before that there is an API call to the mothership to check if your device is allowed to run on not. With this call, the camera sends your IP automatically so there is not much to be done about that.
[/home/cloud][4/29/22:51:48:52]: req_info=https://api.xiaoyi.com/v4/ipc/check_did?hmac= danger danger danger danger danger%3D&seq=9
&uid= danger danger danger dangerXX×tamp=4294938554
{"allow":false,"code":"20000"}
Now the nice thing about this is that we can fake the response from the server in many different ways.
1. You set up a proxy to be used and the proxy will change the reply from “allow”: false to true. The certificate on the camera can be changed so you can set up a valid proxy for https request for a man in the middle attack. (/home/ca.crt). Possible but too complicated and you need a proxy running.
2. You can set up a fake response on the camera via the local HTTP server and redirect (see point 3 😉 ) the check_did call to this file. (/home/web/response.json -> {“allow”:true,”code”:”20000″}). Again possible but not really needed.
3. And finally, we got to the solution. In the log files, we saw that /home/cloud is responsible for checking the permission for our device. This is a binary file and we can check what calls are made from this file:
# strings /home/cloud | grep http http://log.xiaoyi.com/info.gif?p=home_v1&sysVersion=%s&mac=(lots' of other details) %s -c 311 -url https://api.xiaoyi.cox/v4/ipc/check_did -uid %s -keySec %s %s -c 139 -keySec %s -url https://api.xiaoyi.com/v4/ipc/reset -uid %s -version %s -mac %s ...... %s -c 138 -key %s -keySec %s -url https://api.xiaoyi.com/v4/ipc/on_line -uid %s -version %s -mac %s -packetloss %d -p2pconnect %d -p2pconnect_success %d -tfstat %d %s -c 136 -url http://api.xiaoyi.com/v2/ipc/sync_time (yes, the camera logs and sends everything back to xiaomi)
Now if we change the call check_did to our local file mentioned above that would make /home/cloud happy and the camera will run. Luckily /home/cloud will lock your device just if the remote server replied with “allow”: false. Now, all we need to do is to block that call or break/invalidate that URL (ie. DNS error).
THE SOLUTION:
# ps | grep /home/watch_process | grep -v "grep" | awk '{print $1}' | xargs kill -9
# ps | grep /home/cloud | grep -v "grep" | awk '{print $1}' | xargs kill -9
# sed -i 's|api.xiaoyi.com/v4/ipc/check_did|api.xiaoyi.cox/v4/ipc/check_did|g' /home/cloud
# reboot
First commands will kill watch_process so it doesn’t restart other processes.
The second command will stop the cloud service, so we can change the file.
The third one will change the text in the binary file. It will change com to cox which will invalidate the URL and will not return the allow: false message anymore.
Once the camera reboots it will be functional just as before you upgraded to the latest firmware. In case anything goes wrong just install a fresh, unmodified firmware.
Drop me a line if this worked for you!
Update: Read the comments for CNxx160622 hardware with FW 1.8.6.1C or 1.8.6.1Q.
Serial port connection to the camera explained in this video (credit to fedeant):
1.8.6.1C and 1.8.6.1Q problem solved by JonesChi:
I wrote a scrip to make the camera work again outside China. Download the file, and decompress it to root of SD card. http://diy.2pmc.net/wp-content/uploads/2016/10/hack_yi.tar.gz
If your device’s FW is 1.8.6.1C, you just need to insert the SD card into your camera, and it will hack your device automatically, when it finished, the camera will reboot automatically, then your camera is free.
If your device’s FW is 1.8.6.1Q, you need to connect your camera via serial port to get console, then insert the SD card into your camera, when you see the command prompt, just type “/tmp/sd/hack_yi.sh”, then your camera is free.
If you are using the latest firmware 1.8.7.0C_201705091058, controsensi updated the script above to support this. The file name that needs to be uploaded to the SD card has changed to equip_test.sh and the location of the home directory in the script has changed as well. The rest seems to be functioning the same way.
Create this file on the SD card and reboot your camera. It should work without the annoying restriction message. controsensi’s full solution is described here.
[sd_card]/test/equip_test.sh
#!/bin/sh
# JonesChi's script.
# Modified by halnovemila (HalEx) to work on CN12 model
timestamp=`date`
sdcarddir=`dirname $0 | sed -n 's/\/test//p'`
testdir="${sdcarddir}/test"
logfile="${testdir}/hacklog"
echo "Current dir= ${testdir}" >> $logfile
echo "SDcard dir= ${sdcarddir}" >> $logfile
cat /home/version >> $logfile
echo "========== LIST OF /home ============" >> $logfile
ls -l /home >> $logfile
if [ -f /home/cloudAPI_real ]
then
echo "Already hacked ${timestamp}" >> $logfile
sync
else
echo "Start hacking ${timestamp}" >> $logfile
cp /home/cloudAPI $sdcarddir/cloudAPI.bak
mv /home/cloudAPI /home/cloudAPI_real
cp $sdcarddir/cloudAPI /home/cloudAPI
echo "Done hacking ${timestamp}" >> $logfile
# fix bootcycle
mv $testdir/equip_test.sh $testdir/equip_test.sh.moved
sync
reboot
fi
# ATTENTION!
# Once the script is executed the boot process is halted,
# nothing else will be executed.
# Therefore if the hack has been already applied
# and this script executed,
# the camera will not complete the boot process
# and will seem like if it's not working.
Some websites to check to see how you can enable the remote access (telnet/nc):
http://xiaoyi.querex.be/
https://yadi.sk/d/MpaQaTC1mU2kQ
http://en.miui.com/thread-224653-1-1.html
– Peter
566 comments: On [SOLVED] Xiaomi Xiao Yi Ant HOME CN12 – This camera can only be used in China (1.8.6.1 – 1.8.7.0)
Hi I ordered this camera recently (Apr 28) from ali express. When i received the camera I was told by seller to downgrade the firmware and i did that but it never connects and always fails at the QR scanning step and tell me to reset it. So the only time i was able to have it work was using the latest firmware (1.8.6.1) and chinese app (not updated) but it connects for a second and then i get the message saying this camera can only be used in China. Seems like you have the solution but instructions arent clear can you please tell me how to use Telnet to modify the camera code? or how you got it to work? According to the supplier i am doomed and i wont get a refund. Thanks looking forward to your reply.
In order to get telnet access you can follow the instructions from here:
http://en.miui.com/thread-224653-1-1.html
In a nutshell:
Connect the memory card to a computer via a card reader
Create a directory named “test” on the sdcard root
Edit file X:\test\equip_test.sh with notepad or your favorite text editor.
Add this content:
#!/bin/sh
# Telnet
if [ ! -f "/etc/init.d/S88telnet" ]; then
echo "#!/bin/sh" > /etc/init.d/S88telnet
echo "telnetd &" >> /etc/init.d/S88telnet
chmod 755 /etc/init.d/S88telnet
fi
dr=`dirname $0`
# fix bootcycle
mv $dr/equip_test.sh $dr/equip_test.sh.moved
reboot
Safetly detach sdcard, put it into your camera, it will reboot twice.
The login details are:
User: root
Password: 1234qwer
Once you have access you can follow the steps in the SOLUTION section on this page.
The problem is that with the last Q firmware, the camera seems to completely ignore any script.
Is there an easy way to set the time so it can adjust automatically based on daylight saving time or not?
Is there a way to altogether block it from checking for a firmware update? In the app it will randomly pop up and say there is a firmware update available and if you accidentally click the button it screws everything up and goes back to Chinese and has to be flashed all over again. Im running Chinese camera flashed with a custom English 1.8.6.1B_201503181307 and also cannot seem to get the time stamp working properly. Is there a unix command to change the time when logged in through telnet or what? Ive tried some other fixes online but had no luck getting the time right.
I have the same issue. when I downgrade my Yi camera firmware, it will have failure connecting to my WIFI, having the error “Wi-Fi password invalid”. But when I install the latest firmware 1.8.6.1B, it will connect to my Wifi but have the error “Not to be use outside china”
Previous firmware that can enable Telnet, cannot connect to wifi. The latest firmware that can connect to wifi not able to enable the Telnet.
Hope someone can help to advise.
Use the previous firmware to enable telnet. Than from the mobile app upgrade the firmware on your camera. Telnet access should be still active.
If you wifi is not working try to reset the camera and connect to wifi again.
same as me. now new lot of can it have problem WiFi password error for firmware 1.8.5
@DIY Thanks for the work. Have you tested this procedure with the latest firmware 1.8.6.1C? I tried both upgrading from the app or download it to the sd card then reset the cam. In both cases when I got the prompt “cannot be used outside China”, the camera shut off automatically and telnet got rejected. How to get telnet to work to do the trick?
@WonderMan I just solved my Yi Ants on version 1.8.6.1c (latest) with this description and it works, after it said that the camera can be only used in China I still was bale to telnet into it as described and was able to execute the commands and now it is finally working for me, only still struggeling with RTSP…
@DIY thanks I can confirm it is also working in 1.8.6.1C software version!
There is a new english speaking firmware for the ‘China only’ version linked from
http://www.banggood.com/Original-Xiaomi-Xiaoyi-Ants-Night-Vision-720P-Smart-Wireless-WebcamSecurity-IP-Camera-p-983655.html
https://www.dropbox.com/sh/4s2r8l5ajqim64o/AAA83mRz6Vgcb9cUj92rtw53a?dl=0
Thank you for this link. Have tried almost every firmware but this is the only one that worked for my China version. I flashed first with the older firmer series M then flashed it with firmware.
Do we need to flash it twice and how?
Thank you very much. The link and firmware worked for me.
Thank you, this firmware worked for me
excellent, I thought I would not run my camera but this version made it work again. Thanks for the help.
Hi I flashed the firmware you specified but when I try to connect with Wifi with the QR code it first says connected then it says QR code invalid. Please help.
I have the same issue!!
Mee too
thanks Arne this one works with mine…
Many Thanks Arne, it worked perfectly for me. Earlier it was Chinese and now I can hear in English too. 🙂 thanks …
One more request, can we connect one CAM with multiple phones ?
When trying the above firmware, I reach to the point where it says WiFi is connected and then “Invalid QR code.PLease reset camera”.
any advice?
which app should be used here?
My camera’s back QR code shows 12CN7CL4UV.
Dear, does your camera work now ? i have one since a year and working flawlessly.
When I typed in the command
sed -i ‘s|https://api.xiaoyi.com/v4/ipc/check_did|https://api.xiaoyi.cox/v4/ipc/check_did|g’
It complains “sed -i” missing argument
That was not the full command. The end of the command was hidden on the screen. I’ve updated the command and now everything should be visible.
The end of the command was not visible on the page. I’ve updated the command and now you should see the end of it as well. Give it another try.
Can’t run “sed”..can’t find the correct line..below is what I have after using the K firmware..pls help.
# strings /home/cloud | grep http
%s -c 136 -url http://api.xiaoyi.com/v2/ipc/sync_time
/home/curl http://%s/cgi-bin/luci/api/xqsystem/init_info
The K firmware doesn’t have this restriction. you should use MiHome on iOS to connect to the camera.
I can connect now the camera thru Wi-Fi but still unable to connect using LTE. Before the error 5400 last month, it was still working and just two days after it was restored(May 3-4)..Where do you think I have a problem. Thanks
Hi,I have a CN version but i wrote to contact support in Poland and They send me a file – home and home.bin of international version for YI. I try to upgrade firmware to use with Google Play version of app but not work. Is there a solution? The app from GP is much better – some stuff from motion detection etc.
If the camera is the CN version the international firmware will not work. However MiHome iOS app is in english so there is no drama using that. The camera itself has motion detection, so it does not matter what app you are using on your phone. For now, until someone manages to convert a CN version to international one, stick to the CN firmware.
Ok my works with CN firmware and CN app. But International version with Goggle Play app have a motion detection section to mark and have a Sensivity Level – https://www.youtube.com/watch?v=HNhWKRzhWes
🙁
I dont understand why the CN version app (not from google play store) is different from the xiaomi/Mi store version.
Why is it not possible to manipulate the eu/international Firmware to run on a CN device?
Greetings by Daniel-from-Germany
Exactly my thought also! Someone should be able to reverse engineer that part of the code….just like with the CN version of the Xiaomi mobile phones to run Global ROM.
Anyone up for the challenge? 🙂
Excellent work ! It works perfectly with the new firmware.
At the beginning, I have difficulty to enter the solution command because the third line is too long and not able to read the end part of the command.
I have to do a cut and paste the whole solution section to a text editor in order to see the complete command.
Thanks a lot for sharing !!
Thx for the feedback. I’ve updated the command to fit to the screen.
I have put the sd card back to the Yi camera and power on it. But the camera stuck at orange light.
It does not reboot twice as mentioned above. What step did i miss?
If it’s flashing you need to connect to your wifi using the mobile app.
Hi I have a similar problem, the orange light is stuck on
after i flash it, the light will flash orange a few times for a few minutes
after i assume the firmware is updated, it blinks orange very fast for a second then stays orange
AT no point in the process does it make any sound. Pressing the reset button does nothing now
All this device ever does is stay orange…
It’s work!!! Thank you I am using 1.8.6.1A
However, 1.8.6.1A Lost the RTSP Support! I can only telnet to it!
Any fix?
Thanks
I haven’t seen RTSP to be released for the latest version yet. If you need rtsp stick to an older version.
However, I have tried all older version. All of them not support outside China.
I will stick with current version better that it is still working
Thank!
i have found a way to add RTSP to 1.8.6.1C firmware. For that i needed FTP and telnet access to the yi camera. In my case both FTP and telnet were enabled after updating my yi camera. what i did was the following:
1 download 1.8.5.1M_test-rtspfix-4.zip (RTSP enable script) from http://xiaoyi.querex.be/
2 unpack 1.8.5.1M_test-rtspfix-4.zip to your harddisk
3 open an FTP connection to your Yi camera (username root, no pass)
4 copy rtspsvrM (from 1.8.5.1M_test-rtspfix-4.zip) to /home/rtspsvr
5 open a telnet connection to your Yi (username: root, password: 1234qwer)
6 in the telnet session type (without the “#”):
# chmod 0775 /home/rtspsvr
# chown 1001:1001 /home/rtspsvr
# reboot
wait about a minute for the Yi camera to boot and now open rtsp://192.168.0.106:554/ch0_0.h264 with VLC on your PC
You should of course change 192.168.0.106 in the URL to the correct IP address of your own Yi camera.
Hi Skelch
Thanks for the clear instructions – tried to follow it but cannot open a RTSP stream from my camera (CN version, fw 1.8.6.1C)
I placed the rtspsvrM file in the HOME directory and renamed to “rtspsvr”, and I can see the correct rights and owner has been set.
Any ideas?
Thanks
Gracias a mi me funciono.-
Hello there, the trick provided enabled me to use the cam on the latest fw, however, it seems that the camera losts conectivity with cloud after few minutes after booting up 🙁
Did anyone encounter this on the 1.8.6.1B? Any solution?
I am using the latest firmware (1.8.6.1B). No issues here, can access the camera via the cloud.
1.8.6.1B Update — I followed the instructions, rolled back to a previous version (1.8.5.1M from http://xiaoyi.querex.be, along with the RTSP/Telnet script), let it flash, then re-flashed the 1.8.6.1B official firmware (which is the only one that seems to allow connection to wifi). Immediately, telnet was there. I logged in and ran the commands in THE SOLUTION, which ultimately modified the URL check service. All is working… I will never get those past few hours of my life back, but at least this input may help someone else.
Just
It’s works!. I’m 1.8.6.1B version. Big Thanks!
Your sed command has double space after sed – i. After deleted extra space, I can execute the command. Thanks for the guide 🙂
Btw, my Yi ant only available in same Wifi network. If I remotely view via Yi Home android app, I cannot connect (only shows 5%), the workaround is to use MI Home instead of Yi Home.
I also have this issue after upgrade my internet to VDSL, and at the same time, I install new mi home to v3.9 Now, I can load live view only when I reset the camera and setup a new connection. Other than that, it stucks at 5% every time.
I have no idea how to telnet this camera. Could someone tell me how to do it?
Many Thanks for your work, work perfectly.
It’s nice if you could make this for Yi smart camera 2, I just update OTA then it’s not outside China. Thank you.
I do not own a Yi2 :), so can’t check. Send me one and I’ll have a look 🙂
These instructions worked perfectly!
Out of my 5 Xiaoyi cameras, two were China models and once upgrading the the current latest firmware (1.8.6.1B) spoke the dreaded China only message…
Following the instructions above worked perfectly – thanks !
thanks for the guide! It save me! I ‘m on 1.8.6.1b firmware and i’ve got “… only used within china”: with “the solution” now all works, even the notification popup (it didn’t work on previous firmware!)
Only one thing: it’s possible setup motion detection sensibility? It only works sometimes and I don’t understand why
Ok I found the IP adress but cannot connect with telnet.
When I plug the sd card the cam stays with yellow led lit and doesn’t reboot twice.
If someone could help me.
Tks
Hi! I have the same problem, but with a Yi Home Camera 2 1080p,the new model.
I event can’t pair it the first time, and I has no telnet access. I Managed the cam connect to the wifi, blue fixed light,but the phone app timeout.
Some ideas
Currently the latest firmware on Xiaomi’s website: 2.1.1_20160516110700, do not update to this version because “Block” and will be unusable. Link Homepage: http://www.yitechnology.com/support-faq.php?id=1
I have found just the older firmware, if you unfortunate upgrade to the latest firmware then you hear: this camera is only be used in China, so the only way is to restore an older firmware to connect to the new camera yi 2.
YI Home smart camera 2 in 1080 the old firmware: Version 2.1.1_20160429113900
https://www.fshare.vn/file/IS8E43SIXTZB
or
https://mega.nz/#!GRMyHCwA!0YNMhjTNKeTwG-iTF81iUws5HMb-_6ZP8VJMXZCW718
Note: this old firmware is only used to restore the camera to smart home Yi 2 of 1080, it is not for the 720.
How to restore: http://www.yitechnology.com/file/FirmwareUpdate.pdf
After the restore is completed, reset the camera and connect with Yi Smart App Store download from China store only.
I don’t what firmware version I have, because I can’t connect to my app. However, the camera DON’T give me any message. The camera connects correctly to the WIFI (fixed blue light) but the phone app tell me, time out.
My app is Chinese app, because I’m currently using with a Yi1 (720) Chinese model too.
Any solution of this
Hi, did you ever figure out how to configure the date/time for yi home 1080p?
Hi,
I have find a solution, i manage to pair my camera in 1.8.6B which it told me cannot to be use outside china and it was impossible to downgrade due to the newer hardware.
So, try to upgrade with this upgrade and solve yous problems : https://bisschopst.stackstorage.com/index.php/s/TuyR1JO8qBoNQpB/download?path=%2F1.8.6.1B&files=%5B%221861B.01.zip%22%5D
Let’s it 😉
Hi Krikri!
Great! It works fine! I can connect to the cam with the latest revision of the app.
Thank you very much.
great solution. thanks bro
YOURE AWESOME!
Thank you!
I got 2 cameras:
– One 720p Chinese version with the Night vision
– One 720p chinese version without the night vision
It will work with these ones ?
Thanks !
Hello Krikri
What version of the app should I install? Is it Chinese one? Can you link the *.apk probably?
Vit
Thank you krikri
I solve this problem for many day and finally it’s work
Thanks!! You’re awesome friend … Best solution ever… I really tried all.. Thanks
Hi Krikri
Its work, thank you so much for the solution. i hv been search whole day couldnt get it thru until i read yours. Its work perfectly now, and very appreciate your sharing. Awesome.
hello mr krikri i have cctv xiaomi 720 chinese version, but why i cannot see playback the video record in android, must take off the memory card and see the record playback video in computer..please advise
why can not playback record video yi ants 720p?
You are the only solution!
thank you soooo sooo much !!!
thanx man! you are great!
Please send link to file again.
Hi Krikri!
Great! It works fine! I can connect to the cam with the latest revision of the app.
Thank you very much.
You could run the international firmware in a camera of China ?, could you investigating?
Its work fine on china version. Newest FW is 1.8.6.1B.02 (Russian)
Whats the apps to use?
Is there like a pre-cracked firmware patch I could just apply. I have no experience with linux.
That’s it, Alex. From 4PDA.ru
http://www27.zippyshare.com/v/nXZP3NJY/file.html
Just update to this firmware and you’re go to go… it’s for Xiaomi Yi 720p Night mode…
Gustavo….is it just do upgrade with this version?
Yes, this is a pre patched version, here i just installed and used with no problem. Pairing, no “within china”, etc
Gus is there a later version? 1.8.6.1C_201605191103 is out. Wondering if there’s a patched version of this for download
Nope, 4PDA.RU is where this patched version came, nothing new until now…
this isn’t a pre patched version, because only M+ firmwares versions need to be patched, the one listed is inferior !
Thank you Gustavo!
I’ve been struggling the whole day, trying different methods, and only yours works, and works like a charm! It’s fantastic to hear, after updating to your firmware, Russian music playing during boot. lol.
FYI to anyone interested, I’m outside China, and ordered my Xiaomi Yi 720p Night mode directly from an authorised Xiaomi Reseller in China. It’s probably the latest hardware, and the stock firmware was 1.8.6.1B_201603181307. Yes, the s/n has CN in it.
Thanks again for sharing this wonderful piece of work!
Alan,
Can you scan the QR code on the back of camera? What is the latest 6 digits on the SN? Is it between Nov, 2015 and April, 2016? I think the latest HW version after April 2016 would not allow to downgrade the firmware.
Gustavo,
Do you have access to 4pda.ru? Can you help to download and share the following file?
http://4pda.ru/forum/dl/post/5866261/1.8.3.4J_201412291009.zip
I tried krikri home file and it says latest but do get promoted to update still,even though camera setting say latest. Hope this gets fully cracked. Anyway to adjust detection sensitivity?
How to get into telnet? can someone give complete tutorial?
Thanks
Go to command console in windows, terminal in Linux/Mac os, and write: telnet 192.168.x.x (ip camera), then user: root, password: 1234qwer
How about yi small ants home camera 2 aka 1080p?!
i’ve got same problem after upgrade but this tutrial didn’t solve my problem..
camera still said “only can use with in China”..
help me please..!!
Note: before updated pairing succeed and monitoring runs well..
thanks before
I had the same problem.
This is the solution, you have to downgrade, lower this firmware
http://yi-version.qiniudn.com/@/familymonitor-h21/2.1.1_20160429113900home
copy it on sd card (no more than 32gb) format in fat32, copy the file you downloaded to the root of the memory and rename the file to (home.bin)
turn on the camera, reset the camera, turn it off, insert and turn on the camera memora
You will start to read the memory and takes about a minute.
And then just register it normally should work.
Luck.
Dear Vic
Thanks it works
Greets Wilko