[SOLVED] Xiaomi Xiao Yi Ant HOME – This camera can only be used in China (1.8.6.1)

Xiaomi Xiao Yi Ant HOME – This camera can only be used in China

Recently I bought a Xiaomi Xiao Yi (IP) camera (also known as Yi Home), Chinese version. The camera looks nice, the picture quality is ok, and worked fine on my local Wifi.

Xiaomi Xiao Yi Ant HOME

However, I was unfortunate enough to receive and test the camera when Xiaomi decided to deny access from the iOS app to the camera outside of China (error 5400). I was hoping a firmware upgrade would solve this issue so I have upgraded from 1.8.5.1L to 1.8.6.1B. Now my camera was useless. The camera would say “This camera can only be used in China” and would shut down.

This was the tipping point when I have decided I will investigate what’s happening with this camera and what can be done to make it functional again. At the time of writing the remote access (error 5400) has been solved by the provider so no additional action is required. (I tried to convert a CN camera to international one by changing the serial of the device, but couldn’t test from a European or US IP and probably I would have needed access to the system files  of a functional international camera to compare)

So the remaining issue was the camera shut down with the latest firmware (tested with 1.8.6.1A and 1.8.6.1B).

If you do a search there are heaps of websites describing how you can gain access to the camera and ultimately enable remote access via telnet. I won’t get into those details, you can check some of the websites I listed below.

Once you logged into the camera via telnet the fun part begins.  The camera is running a Linux version.

# uname -a
Linux (none) 3.0.8 #1 Wed Apr 30 16:56:49 CST 2014 armv5tejl GNU/Linux

This is familiar territory, we can check what processes are running, log files, the /home directory and we can mess around with the system. I have to mention this is for educational purposes only and you can easily brick your camera.

Back to the “This camera can only be used in China” message. So if you look carefully in the log file “/tmp/log.txt” at some point you will see the forbidden.g726 sound being played and not long before that there is an API call to the mothership to check if your device is allowed to run on not. With this call, the camera sends your IP automatically so there is not much to be done about that.

[/home/cloud][4/29/22:51:48:52]: req_info=https://api.xiaoyi.com/v4/ipc/check_did?hmac= danger danger danger danger danger%3D&seq=9
&uid= danger danger danger dangerXX&timestamp=4294938554
{"allow":false,"code":"20000"}

Now the nice thing about this is that we can fake the response from the server in many different ways.

1. You set up a proxy to be used and the proxy will change the reply from “allow”: false to true.  The certificate on the camera can be changed so you can set up a valid proxy for https request for a man in the middle attack. (/home/ca.crt). Possible but too complicated and you need a proxy running.

2. You can set up a fake response on the camera via the local HTTP server and redirect (see point 3 😉 ) the check_did call to this file. (/home/web/response.json -> {“allow”:true,”code”:”20000″}). Again possible but not really needed.

3. And finally, we got to the solution. In the log files, we saw that /home/cloud is responsible for checking the permission for our device. This is a binary file and we can check what calls are made from this file:

# strings /home/cloud | grep http
http://log.xiaoyi.com/info.gif?p=home_v1&sysVersion=%s&mac=(lots' of other details)
%s -c 311 -url https://api.xiaoyi.cox/v4/ipc/check_did -uid %s -keySec %s
%s -c 139 -keySec %s -url https://api.xiaoyi.com/v4/ipc/reset -uid %s -version %s -mac %s
......
%s -c 138 -key %s -keySec %s -url https://api.xiaoyi.com/v4/ipc/on_line -uid %s 
-version %s -mac %s -packetloss %d -p2pconnect %d -p2pconnect_success %d -tfstat %d
%s -c 136 -url http://api.xiaoyi.com/v2/ipc/sync_time
(yes, the camera logs and sends everything back to xiaomi)

Now if we change the call check_did to our local file mentioned above that would make /home/cloud happy and the camera will run. Luckily /home/cloud will lock your device just if the remote server replied with “allow”: false. Now, all we need to do is to block that call or break/invalidate that URL (ie. DNS error).

THE SOLUTION:

# ps | grep /home/watch_process | grep -v "grep" | awk '{print $1}' | xargs kill -9
# ps | grep /home/cloud | grep -v "grep" | awk '{print $1}' | xargs kill -9
# sed -i  's|api.xiaoyi.com/v4/ipc/check_did|api.xiaoyi.cox/v4/ipc/check_did|g' /home/cloud
# reboot

First commands will kill watch_process so it doesn’t restart other processes.
The second command will stop the cloud service, so we can change the file.
The third one will change the text in the binary file. It will change com to cox which will invalidate the URL and will not return the allow: false message anymore.

Once the camera reboots it will be functional just as before you upgraded to the latest firmware. In case anything goes wrong just install a fresh, unmodified firmware.

Drop me a line if this worked for you!

Update: Read the comments for CNxx160622 hardware with FW 1.8.6.1C or 1.8.6.1Q.

Serial port connection to the camera explained in this video (credit to fedeant):

1.8.6.1C and 1.8.6.1Q problem solved by JonesChi:

I wrote a scrip to make the camera work again outside China. Download the file, and decompress it to root of SD card. http://diy.2pmc.net/wp-content/uploads/2016/10/hack_yi.tar.gz

If your device’s FW is 1.8.6.1C, you just need to insert the SD card into your camera, and it will hack your device automatically, when it finished, the camera will reboot automatically, then your camera is free.

If your device’s FW is 1.8.6.1Q, you need to connect your camera via serial port to get console, then insert the SD card into your camera, when you see the command prompt, just type “/tmp/sd/hack_yi.sh”, then your camera is free.

Some websites to check to see how you can enable the remote access (telnet/nc):

http://xiaoyi.querex.be/
https://yadi.sk/d/MpaQaTC1mU2kQ
http://en.miui.com/thread-224653-1-1.html

– Peter

Csaba is passionate about Cyber Security, Pentesting and just making things work.

560 comments: On [SOLVED] Xiaomi Xiao Yi Ant HOME – This camera can only be used in China (1.8.6.1)

  • Avatar

    This works to get me to latest version.

    1. flash this first using microsd (1.8.6.1B02)
    http://www27.zippyshare.com/v/nXZP3NJY/file.html
    2. While this is not the latest but will also give you telnet access.
    3. Then update firmware from Mi home to latest
    4. After reboot it will say not working in china but you still have telnet access.
    5. Telnet to it root / 1234qwer
    6. Then issue the following commands

    # ps | grep /home/watch_process | grep -v “grep” | awk ‘{print $1}’ | xargs kill -9
    # ps | grep /home/cloud | grep -v “grep” | awk ‘{print $1}’ | xargs kill -9
    # sed -i ‘s|api.xiaoyi.com/v4/ipc/check_did|api.xiaoyi.cox/v4/ipc/check_did|g’ /home/cloud
    # reboot

  • Avatar

    On Android I have just updated to the latest app and flashed the latest firmware 1.8.6.1C and now my Chinese Yi Ant works without any modification required.

  • Avatar

    I’ve sucessfuly updated two new chinese Yi Ants with this and everything went fine, telnet was reachable and i could use the solution…
    http://www.mediafire.com/download/yndho0ifmzvmz2s/1.8.6.1C_Mod.zip

    Hope you guys can find it useful.

  • Avatar

    I’ve flashed with 1.8.6.1C, but still can’t Pairing.

    After QR code scanning, the led indicator turning from flashing blue into steady blue (I thought the wifi connecting is successful). A minute later, a message appears: ” Failed to load. Reset the camera.”

    When I verify the camera, it says “the camera is correct. Try another setting”

    When I reset the camera, it failed to load again.

    Pls advise me.

  • Avatar

    I had previously updated my China region 720p Ants camera and got the dreaded message so had downgraded via an SD Card. I had been having problems with remote connection being a little unreliable so read your instructions. I updated to 1.8.6.1C, got the “Not for use outside china” – Telnet’d in (Already had the files on the SD) – Copied and pasted the commands and its running like a dream. Now if only someone could work out how to hack the international firmware to run on these as the connection is a little slow and I assume its because I’m working via Chinese servers and I’m in New Zealand.

  • Avatar

    I keep getting the -5400 message plus some text in chinese when i try to run it on the mihome app. The phone i am using is the new samsung j7. My business partners are able to run the app and see the camera work on their phones. So the camera is working just not on my phone.
    Anyone who can help me it would be VERY much appreciated. The camera is overseas so i cant do anything with it physically.
    I am NOT a techi and dont really understand most of what is written in this thread.
    Like i said if someone has some simple guidance for me i will be grateful!
    Thanks in advance

  • Avatar

    Here is 1.8.6.1C with RTSP moded from Gustavo
    https://dl.dropboxusercontent.com/u/14191397/1.8.6.1C-mod-rtsp.zip

    If you already have 1.8.6.1C(with/without china fix), just do the step 3.

    Method 1
    1. Extract and copy to the SD card. Reboot your ip cam
    2. After reboot, wait 5 mins or until it say “this product is for china use only”.
    3. Copy “test” folder to the SD card again(overwrite if prompt) and reboot

    Method 2
    If you want to do it remotely without touching the SD card. Make sure you have FTP to the device.

    1. Extract and ftp all the file to /home/hd1/ and reboot
    2. After reboot, wait 5 mins or until it say “this product is for china use only”.
    3. ftp “test” folder to the /home/hd1/ again(overwrite if prompt) and reboot.

    • Avatar

      Great, works perfectly!

      1) Is it possible to easily adjust the timezone?
      2) Is it possible to set a password to the RTSP stream?

      Thanks a million

      • Avatar

        I telnetted into the camera (username: root / password: 1234qwer)

        Code:
        cd /home
        mv ntpdate ntpdate.orig
        touch ntpdate
        chmod 755 ntpdate
        date -s “2015-06-02 22:00”

        The commands above disable to program that tries to set the date from the internet, and then you can set the date manually to the current date/time. Hope this helps.

        Source: http://en.miui.com/thread-124292-1-1.html

    • Avatar

      This worked perfectly on my China cam!! Great instructions!!

  • Avatar

    Hi,

    I accessed via telnet and did the steps of the solution after the upgrade to 1.8.6.1C, but after rebooting the camera it just stayed with a permanent orange led on indefinitely, even if I disconnect it. So finally, I was able to get out from that state, but now I can’t play none of previous recordings videos that are stored in the SD card with any of the firmwares available.

    Can someone know how to fix that?

  • Avatar

    my camera cannot connect to WIFI and said “WIFI PASSWORD WRONG”,also cannot reset..how to fix ??

  • Avatar

    i also have CN version Manufactured date on 16.04.2016 had try on russian 1.8.6.1B 02 not work (rusian 1.8.6.1B previous can used for 01. 11.2015-01.03-2016)

    the error problem is after wifi is connected blue light is blink and in app show message fail to load

    who have new lot for Yi smart cam and alos problem like us

  • Avatar

    How to make the commands execute on boot?

  • Avatar

    Hello ! How can i do telnet to the camera if camera refuses to connect to wifi ??? I have the CN version :/

  • Avatar

    Funciono!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

  • Avatar

    I had some trouble with the camera, updated the firmware, and can’t connect to wifi since then, no matter what firmware I try. No matter what I do, it always throws a wifi password error for me (chinese message or english message depending on the firmware).
    Russian firmware or any else (L, M, N, etc) didn’t do the trick for me 🙁
    I’ve got another one working flawlessly, and I tried different routers.
    Its SN starts with 10CN… pretty old I guess?
    I even used the yi-hack firmware, which has a log that gave me this error:
    “fkill: Cannot open RFKILL control device Could not read interface ra0 flags: No such device WEXT: Could not set interface ‘ra0’ UP ra0: Failed to initialize driver interface”

    So… any ideas? Bricked wifi chip?
    If I could use the camera in “local mode”, recording and storing everything on the SD card, at least it would be something more than paperweight right now…

  • Avatar

    Hi Mr. Krikri..I have a question about xiaomi 720p. Im already use your firmware version of 1.8.6.1B.02. This firmware work for me, but i cannot playback my video recording. How to fix this problem?

    Thanks before.

    • Avatar

      Same with me. I also try to use 1.8.5.1K FW. everything works fine except video playback.
      I have identical V.21 camera with original FW (1.8.5.1L), the playback works normally (with same app)

  • Avatar

    Did anybody have issues with the Motion Detection Warning playback? After upgrading to 1.8.6.1C_201605191103_CN, everything works fine but motion detection warning could not be played. Clicking the warning will only results in Fail to load video .

  • Avatar

    I would also like to know how to fix playback of recorded video.

  • Avatar

    I buy yi Camera and it CN version Manufactured date on 20160622. Can not to update the firmware to 1.8.6.1C and use RTSP script to telnet. Have any idea to update 1.8.6.1 mod firmware?

  • Avatar

    hi all, i buy new yi ants 360 but cannot used, can help if someone have the firmware for this goods? thanks

  • Avatar

    Hi. I have a few important requests. Can we keep the best solution as a sticky on top and can anyone offer solutions for the series 2 and 360 models? Series 2 do not seem to allow/accept downgrading anymore and the 360 seems to be a ‘unicorn’ at the moment. I am ‘stuck with’ both. Chinese versions which I would very much like to see in Yi home. Together with my luckily old 720p’s.

  • Avatar

    hi robert, i think series 2 already discussed and got solution. but 360 still new

  • Avatar

    Everything work as expected, well done.
    But I have a problem with my V.21 version of my camera, after accidentally updating firmware via app to version Q. I can’t playback my recorded video, anyone know how to fix it ?

    I also have another V.21 with FW 1.8.5.1L default from factory, playback works fine. Problem only with timezone

  • Avatar

    At the end, I found the solution to the playback recording in this link http://en.miui.com/thread-193380-1-1.html, so basically I entered this command: echo “GMT+0” > /etc/TZ and then I reboot it and I was able to playback the recordings again using using even the newest firmware.

  • Avatar

    i have a new xiaoyi camera august buy from china several unit
    when i reset and insert card with home firmware …and power on ,the unit just say waiting for connection ,keep say waitting connection in chinese ,

    can any 1 tech how to flash?

    thanks

  • Avatar

    I have tried all of the firmwares posted here but the camera continues to ignore it. After inserting the sd card with the firmware, it just initializes and continues to wait to be paired. Is there anyway to FORCE flash the firmware to the IP cam?

  • Avatar

    currently using version 1.8.5.1L and cannot playback the motion detected videos. anyone doesnt have this problem? how to solve this?

  • Avatar

    if i understood. if you chenge the timezone you can´t playback the motion detected videos.

    any solutions?

  • Avatar

    Yesterday I made the Chinese version update since the camera does not work please help me I have a Chinese version and I am from Europe

  • Avatar

    Is anyone getting a very bad image quality (distorted) on night vision mode with the 1.8.6.1B_201603181307 firmware?

  • Avatar

    bought it on 14 august 2016, for the first time it connected showed video, then i disconnected and moved to another room but it says “this product can only be used within China”
    tried all files given in this blog till date but no solution seems it is not detecting memory card

    seems stuck

  • Avatar

    Has anyone attempted upgrading to the latest firmware 1.8.6.1Q?

    And how do you get Push Notifications to work on iOS. Currently I’ve set it on in the Settings for the camera but I don’t get any notification even when there’s activity on the camera.

    • Avatar

      I had the new camera with this firmware. Had not been able to get the telnet to work anymore and thus it just keep repeating “Camera can only work in China” and shut itself down. Anyone with solution for this ?

  • Avatar

    Is there anyone has the 1.8.3.4J_201412291009.zip firmware? Pls share it if you have it.

  • Avatar

    Guys, i’ve got the new test file/folder from 4pda.ru with mod aio, zipped it with the latest Q version, if anyone want to try, i couldn’t yet…

    http://www.mediafire.com/download/yg3b2l3v3yayu9f/1.8.6.1Q_201607271501_CN_MODDED.zip

    • Avatar

      I think AIO including modify the prompt message & timezone to Russian. Can you find the mod to activate outside China only?

    • Avatar
    • Avatar

      Gustavo,

      I would like to try out this one:

      http://4pda.ru/forum/index.php?showtopic=638230&st=5020#entry47152700

      Solution 100% for those who updated to 1.8.6.1A camera the V 2.1 (camera says that the type of work only in China)

      1) Turn on the camera (without SD card)
      2) Press the Reset button and hold for 10 seconds
      3) Releasing the Reset button
      4) Turn off the camera
      5) Format the SD card into the FAT32 (other file systems are not supported)
      6) Download the firmware 1.8.3.4J_201412291009.zip (yes it is! Since the camera not be sewn directly to 1.8.5.1L.zip )
      7) Throws in the root of the archive 1.8.3.4J_201412291009.zip SD card file home
      8) Turn on the camera for 3 seconds is lit orange after orange starts to blink for about 40 seconds (set by firmware!) and then wait until the camera speak
      9) Turn off the camera and remove the SD card
      10) Format the SD card to FAT32
      11) Download the firmware 1.8.5.1L.zip
      12) Throws the root of the SD card file from the archive home 1.8.5.1L.zip
      13) Turn on the camera for 3 seconds is lit orange after orange starts to blink about 40 seconds, (firmware installed!) and then wait until the camera to speak
      14) Turn off the camera and remove the SD card
      15) Turn on the camera (without SD card)
      16) Press the Reset button and hold for 10 seconds

    • Avatar

      Did not work on the new batch of camera that comes with 1.8.6.1Q firmware. Had not been able to flash it to anything other firmware. The equip_test.sh also not working.

      Any ideas ?

    • Avatar

      Gustavo, can you please help? Thanks.

  • Avatar

    How can i fix timestamp on mi home app, timezone on camera correct in my country (VietNam), but timestamp over 1h
    What app better ? Mi home or yi camera

  • Avatar

    Ok Guys, This is My version, no russian stuff in this, took latest firmware from here “www.xiaoyi.com/home/firmware/index.html?version=” (1.8.6.1Q_201607271501), added rtsp/telnet fix, and no Russian stuff in this, “THE SOLUTION” is already integrated into the “equip_test.sh” file, so just extract into a formatted micro SD card and flash it, thats all folks. There is a watermark saying “yi” bottom left hand corner, its so small that i don’t care for it.

    https://www.dropbox.com/s/71v2562uvqnz77w/1.8.6.1Q_201607271501_AK_MOD_CN_FIRMWARE.zip

    or

    http://www.mediafire.com/download/05zl1d7h06nzabb/1.8.6.1Q_201607271501_AK_MOD_CN_FIRMWARE.zip

    **For Playback issues/GMT Error follow this thread http://en.miui.com/thread-193380-1-1.html

  • Avatar

    Does anyone get push notification on iOS? I’m using the Mi Home app to access the camera but get no push notification despite there veing activity.

  • Avatar

    why my YIHOME always show “your account password is changed, please re-login in!

  • Avatar

    Thank you very much for your last MOD firmware 1.8.6.1Q AK, working like a charm on my CN Yi Cam 🙂

    • Avatar

      @AK: Thanks for the Firmware, now i have latest Firmware on my CN Cam in Germany, RTSP etc.,all works.
      Thank you very much.
      When there is a new Firmware an the App show me this, can i then Update the Firmware in the App?
      Or what must i do?
      Best regards

      • Avatar

        2 options :

        i) You can update the firmware in the app, but the camera would say “This camera can only be used in China” and would shut down. So you need to use the “THE SOLUTION” mod to fix it. Which can be found in this thread. This involves telnet to the camera.

        ii) If I am free i will make a mod for every new firmware, so just flash it into a formatted micro SD card, i will post the new firmware’s here.

    • Avatar

      how do you do it? can show the steps?

  • Avatar

    For those has CN edition after April 2016. Please be careful not to perform any upgrade unless you are pretty sure. I tried in my Yi Smart Camera V2.1 manufactured on June 22, 2016. It is completely dead. It boot up with amber light. I have to return it for replacement.

  • Avatar

    Lately, I’ve been getting disconnection, I’m using both the 720p and 1080p (xiaomi ants 2) versions of the camera. I’ve contacted the support, no luck so far. It works after I unplugged the 1080p camera off the power, works for a while, then it doesn’t work again. I think I’m getting forced log-off by the server every hour. The 720p version works fine.

  • Avatar

    Hi All,

    I am a Chinese from Hong Kong. I just bought a Yi Cam 720p CN version two weeks ago. I am also having “This camera can only be used in China ” issue as most of you all. According to other Chinese website, the Cam was added hardware lock to ensure CN version doesn’t work in other region, so all the fixes provided earlier shouldn’t be work on the this latest hardware version (20160622). If you want to know what hardware version of your cam, you just need to use QR code program to scan the QR code at the back of the Cam.

    Gustavo is saying that using firmware 1.8.3.4J should work, so I want to give it a try.

    Can someone please share this http://4pda.ru/forum/dl/post/5866261/1.8.3.4J_201412291009.zip ? I was not able to register a new ID in Russian website as it needs to find out the answer from the picture in Russian when creating an account.

    Thanks

  • Avatar

    When my camera came initially, it gave “This camera can only be used within China error”, I downloaded the firmware file as given in the post and it started to work fine. Today I accidentally pressed the update button and the camera upgraded to 1.8.6.1q. No matter how many times I downgrade, it just wouldn’t work. no firmware is working. please give a solution

    • Avatar

      Last night I updated to 1.8.6.1q and got the “This camera can only be used within China error” on one of my camera.
      I checked telnet and it was still enabled with the 1.8.6.1q update, so I just redid the check_did website from .com to .cox as explained in the solution above. I then rebooted the camera through telnet and it came back online.

      I did not have to downgrade firmware.

      • Avatar

        Bubuski,

        Is your hardware old version? Is it purchased before Nov, 2015?

        • Avatar

          I just scanned both QR codes

          151021 – always works

          160105 – I upgraded to the firmware to unmodified 1.8.6.1Q from the MiHome app and got the message “This camera can only be used in China”. I checked telnet and it was still enabled so I modified the check_did website.

  • Avatar

    I have a CN 20160622 version with 1.8.6.1c firmware as well. Apparently the device refuses to downgrade firmware or execute the equip_test.sh script. Currently I pair it with its app via a Chinese VPN. It’s possible that it’s hardwired to only allow upgrades, but I haven’t attempted to upgrade to 1.8.6.1q yet. The key is to obtain telnet access, with which all other modifications come easily. What I’ll try is to edit the 1.8.6.1q firmware to add the telnetd init script, and see if the device would take it.

  • Avatar

    hi i ‘ve a european version of yi camera 720 and i would register in mi home app.
    the error message is qr is invalid… and i cannot use in mihome app while i use it in Yi home app.
    how can i use this kind of camera in mihome app? in this camera is installed last firmware.

  • Avatar

    I use the Chinese App today i cant no longer Login to Mi Acount in the App. I became Error: Error occurred while Logging in, Please restart
    Has here anybody the same Problem, yesterday all ok and Login to Mi Account

  • Avatar

    how to solve CN 20160622 firmware? How to downgrade ?

  • Avatar

    Why my YIHOME always show “your account password is changed, please re-login in!
    It cannot retain the password. Any other experience on this?
    Is this related to that I have refused to update the FW to the latest one?
    Thanks.

  • Avatar

    All the Xiaoyi camera 720 with CN 20160622 and above already set hardware lock by Xiaoyi. No more upgrade/ downgrade firmware available from SD card. Any other solution push the new firmware into a camera?

  • Avatar

    Seems like with 1.8.6.1Q its not reading the .sh script at all, and not reading any firmwares.

  • Avatar

    the sh file can’t even flash into the cctv. how to telnet?

Leave a reply:

Your email address will not be published.

 

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Site Footer

Sliding Sidebar