[UPDATE] added instruction for latest firmware ver. 1.8.7.0C_201705091058
Recently I bought a Xiaomi Xiao Yi (IP) camera (also known as Yi Home), Chinese version. The camera looks nice, the picture quality is ok, and worked fine on my local Wifi.
However, I was unfortunate enough to receive and test the camera when Xiaomi decided to deny access from the iOS app to the camera outside of China (error 5400). I was hoping a firmware upgrade would solve this issue so I have upgraded from 1.8.5.1L to 1.8.6.1B. Now my camera was useless. The camera would say “This camera can only be used in China” and would shut down.
This was the tipping point when I have decided I will investigate what’s happening with this camera and what can be done to make it functional again. At the time of writing the remote access (error 5400) has been solved by the provider so no additional action is required. (I tried to convert a CN camera to international one by changing the serial of the device, but couldn’t test from a European or US IP and probably I would have needed access to the system files of a functional international camera to compare)
So the remaining issue was the camera shut down with the latest firmware (tested with 1.8.6.1A and 1.8.6.1B).
If you do a search there are heaps of websites describing how you can gain access to the camera and ultimately enable remote access via telnet. I won’t get into those details, you can check some of the websites I listed below.
Once you logged into the camera via telnet the fun part begins. The camera is running a Linux version.
# uname -a Linux (none) 3.0.8 #1 Wed Apr 30 16:56:49 CST 2014 armv5tejl GNU/Linux
This is familiar territory, we can check what processes are running, log files, the /home directory and we can mess around with the system. I have to mention this is for educational purposes only and you can easily brick your camera.
Back to the “This camera can only be used in China” message. So if you look carefully in the log file “/tmp/log.txt” at some point you will see the forbidden.g726 sound being played and not long before that there is an API call to the mothership to check if your device is allowed to run on not. With this call, the camera sends your IP automatically so there is not much to be done about that.
[/home/cloud][4/29/22:51:48:52]: req_info=https://api.xiaoyi.com/v4/ipc/check_did?hmac= danger danger danger danger danger%3D&seq=9
&uid= danger danger danger dangerXX×tamp=4294938554
{"allow":false,"code":"20000"}
Now the nice thing about this is that we can fake the response from the server in many different ways.
1. You set up a proxy to be used and the proxy will change the reply from “allow”: false to true. The certificate on the camera can be changed so you can set up a valid proxy for https request for a man in the middle attack. (/home/ca.crt). Possible but too complicated and you need a proxy running.
2. You can set up a fake response on the camera via the local HTTP server and redirect (see point 3 😉 ) the check_did call to this file. (/home/web/response.json -> {“allow”:true,”code”:”20000″}). Again possible but not really needed.
3. And finally, we got to the solution. In the log files, we saw that /home/cloud is responsible for checking the permission for our device. This is a binary file and we can check what calls are made from this file:
# strings /home/cloud | grep http http://log.xiaoyi.com/info.gif?p=home_v1&sysVersion=%s&mac=(lots' of other details) %s -c 311 -url https://api.xiaoyi.cox/v4/ipc/check_did -uid %s -keySec %s %s -c 139 -keySec %s -url https://api.xiaoyi.com/v4/ipc/reset -uid %s -version %s -mac %s ...... %s -c 138 -key %s -keySec %s -url https://api.xiaoyi.com/v4/ipc/on_line -uid %s -version %s -mac %s -packetloss %d -p2pconnect %d -p2pconnect_success %d -tfstat %d %s -c 136 -url http://api.xiaoyi.com/v2/ipc/sync_time (yes, the camera logs and sends everything back to xiaomi)
Now if we change the call check_did to our local file mentioned above that would make /home/cloud happy and the camera will run. Luckily /home/cloud will lock your device just if the remote server replied with “allow”: false. Now, all we need to do is to block that call or break/invalidate that URL (ie. DNS error).
THE SOLUTION:
# ps | grep /home/watch_process | grep -v "grep" | awk '{print $1}' | xargs kill -9
# ps | grep /home/cloud | grep -v "grep" | awk '{print $1}' | xargs kill -9
# sed -i 's|api.xiaoyi.com/v4/ipc/check_did|api.xiaoyi.cox/v4/ipc/check_did|g' /home/cloud
# reboot
First commands will kill watch_process so it doesn’t restart other processes.
The second command will stop the cloud service, so we can change the file.
The third one will change the text in the binary file. It will change com to cox which will invalidate the URL and will not return the allow: false message anymore.
Once the camera reboots it will be functional just as before you upgraded to the latest firmware. In case anything goes wrong just install a fresh, unmodified firmware.
Drop me a line if this worked for you!
Update: Read the comments for CNxx160622 hardware with FW 1.8.6.1C or 1.8.6.1Q.
Serial port connection to the camera explained in this video (credit to fedeant):
1.8.6.1C and 1.8.6.1Q problem solved by JonesChi:
I wrote a scrip to make the camera work again outside China. Download the file, and decompress it to root of SD card. http://diy.2pmc.net/wp-content/uploads/2016/10/hack_yi.tar.gz
If your device’s FW is 1.8.6.1C, you just need to insert the SD card into your camera, and it will hack your device automatically, when it finished, the camera will reboot automatically, then your camera is free.
If your device’s FW is 1.8.6.1Q, you need to connect your camera via serial port to get console, then insert the SD card into your camera, when you see the command prompt, just type “/tmp/sd/hack_yi.sh”, then your camera is free.
If you are using the latest firmware 1.8.7.0C_201705091058, controsensi updated the script above to support this. The file name that needs to be uploaded to the SD card has changed to equip_test.sh and the location of the home directory in the script has changed as well. The rest seems to be functioning the same way.
Create this file on the SD card and reboot your camera. It should work without the annoying restriction message. controsensi’s full solution is described here.
[sd_card]/test/equip_test.sh
#!/bin/sh
# JonesChi's script.
# Modified by halnovemila (HalEx) to work on CN12 model
timestamp=`date`
sdcarddir=`dirname $0 | sed -n 's/\/test//p'`
testdir="${sdcarddir}/test"
logfile="${testdir}/hacklog"
echo "Current dir= ${testdir}" >> $logfile
echo "SDcard dir= ${sdcarddir}" >> $logfile
cat /home/version >> $logfile
echo "========== LIST OF /home ============" >> $logfile
ls -l /home >> $logfile
if [ -f /home/cloudAPI_real ]
then
echo "Already hacked ${timestamp}" >> $logfile
sync
else
echo "Start hacking ${timestamp}" >> $logfile
cp /home/cloudAPI $sdcarddir/cloudAPI.bak
mv /home/cloudAPI /home/cloudAPI_real
cp $sdcarddir/cloudAPI /home/cloudAPI
echo "Done hacking ${timestamp}" >> $logfile
# fix bootcycle
mv $testdir/equip_test.sh $testdir/equip_test.sh.moved
sync
reboot
fi
# ATTENTION!
# Once the script is executed the boot process is halted,
# nothing else will be executed.
# Therefore if the hack has been already applied
# and this script executed,
# the camera will not complete the boot process
# and will seem like if it's not working.
Some websites to check to see how you can enable the remote access (telnet/nc):
http://xiaoyi.querex.be/
https://yadi.sk/d/MpaQaTC1mU2kQ
http://en.miui.com/thread-224653-1-1.html
– Peter
565 comments: On [SOLVED] Xiaomi Xiao Yi Ant HOME CN12 – This camera can only be used in China (1.8.6.1 – 1.8.7.0)
actually I seem to be using 1.8.5.1M 😮
Ivan, I’ve simply followed all the steps wrote by JonasChi. I must wait for over 20 minutes.
For those who want to turn off the Blue LED by console:
login the telnet
# Find out what is the PID of the led_ctl process
ps |grep led
# Here is the example output:
1638 root 904 S /home/led_ctl -bon -yoff
#kill the process ID
kill 1638
#Turn off the LED as backend process
/home/led_ctl -boff -yoff &
Is there any way to turn off the Infrared by command too? Killing a process or something? Or do I need to open the camera and unplug the IR LED wires.
Hi,
so how can I always turn off the blue led by default?
Thanks!
I’ve used chinese app for pairing and When asked gor upgrade go for it and you will have English version afterwards. Worked for me.
after hack by JonasChi file my camera can pair with app but have error -3006
who have same problem
already update app for latest version
already try mi home app
same result error -3006
Return it to your seller…
i have try another camera with this hack file is good no problem
only 1 cam found -3006 (some time can see some time is error)
this hack file can used with yi dome ??? or had another tirck
cam successfully pair after 20 mins loading of “test”
when connecting to cam at 90% then -3006
i check SD card, recording started the moment when cam goes online.
please help. thank you.
Exactly the same error here. I have the C chinese version and after the hack now i can pair and see the camera through the app but the most of time i cant reconnect and a can’t use the camera out from the wifi network.
i had tried and thank jonaschi….your tutorial make my camera online again….i have firmeare 1.8.6.1Q….. thank you. verymuch…..goodluck
Snap a tutorial of your method and share to us please
I also wonder why the Chinese version do not have the activity region setings like the international version does. It cannot be entirely differnet Hardware. I think this is a feature implemented by software. I have the camera sitting behind my window and everytime a car passes by I am getting alerted which is kind annoying. I wonder if there is something which can be done to set activity region too.
I have a C version and with the script the camera is working with the mi home app, but no with the yi home. Can downgrade the camera now or do somethig that can work with the app yi home?
I have the C version and before the hack i couldn’t even pair. Now even can connect with the app.
But the most of time that i want to reconnect i recieve the -3006 error. Also I can’t see nothing in my phone when im using 3G/4G, same -3006 error.
I really appreciate some help.. thanks a lot!!
——————————————
Tengo la versión C y antes del hack no podáa ni siquiera emparejar la cámara, ahora puedo conectarme desde la aplicación pero la mayor parte del tiempo recibo el error -3006. Tampoco puedo usarla fuera del a red wifi con 3G/4G.
Realmente agradecería si alguien puede ayudarme!! Gracias!!!
In my case, I also get the error -3006 almost every time I try to connect to any of my 4 cameras otherwise it disconnect after 1 or 2 minutes. However, I’ve noticed that this problem dissapear at night here in Peru (UTC-5), not sure what does it means, but in that moment all of them work fine using wifi or 4G.
I hope someone can find out what is going on and solve this problem.
PS: All my cameras use Q version and where working as expected 2 or 3 weeks ago.
That’s right, I was using 1.8.6.1 Q version on my 12CN version also get frequent -3006 error recently. I have to force to downgrade to 1.8.5.1K, follow by 1.8.5.1L then only it can work as normal.
Is possible downgrade from 17CN and 1.8.6.1C?? The camera seems to ignore the “home” file in any of its version.
Thanks!!
My Camera is working on Q version now..but I want downgrade it to 1.8.5.1K version , does it possible ? my QR code is 150925
PLEASE HELP! I have 17CN camera and it has 1.8.6.1C installed. I have tried flashing to lower firmwares of all kinds and it doesn’t work. I have also tried to flash to 1.8.6.1Q_201607271501_AK_MOD_CN_FIRMWARE.zip and it seems like the camera will not respond to any of the firmwares. I have older cameras which flashed perfectly but this 17CN hardware version seems not to respond to any firmware put in the SD card.
I did later use JonesChi’s hack_yi.tar.gz which allowed me to unlock it for outside of China. But no telnet, ftp, rtsp, http access. Anyone figure this out?!?!
horray… thanks to jonesChi and fedeant. now my yi 17cn can work (firmwareQ). the lesson is be late in updating firmware is better than it srew out.
btw can u give instruction to make able in rtsp, timezone, http? very appreciate in advance!
1. Scan QR code on backside of your camera
2. If it’s 17CNxx160622 than you should only try JonesChi sollution:
“Download the file, and decompress it to root of SD card
https://mega.nz/#!bEwzXJ7J!iyiUTEW8ojOrOqBh4zLNKQpktlaqbPwuDZdL-7jBcus
3. If your camera FW is 1.8.6.1C, you just need to insert the SD card into your camera, and it will hack your device automatically, when it finished, the camera will reboot automatically, then your camera is free.
4. If your device’s FW is 1.8.6.1Q, than at the moment no chance to make it free.
We already know this. However this does not enable telnet, ftp, rtsp, http access. Just blocks xiaomi cloud check for region.
Have you seen this?
https://youtu.be/pKLEwRFZSEM
HI… anyone can help with Yi Dome camera? I have bought a China unit, unable to use outside China. Any working firmware? Thank you
We already know this. However this does not enable telnet, ftp, rtsp, http access. Just blocks xiaomi cloud check for region.
Whoops replied to wrong post
problem
When prototypical camera can be heard only a click on twice as expected
not to take the sd card
keeps saying “this camera can only be used within China”
is there any solutions
Mine 17CN work with that script… anyone can change the timezone and unlock telnet, rtsp, and ftp? i’m using the C firmware, I tried the script from B version doesn’t work apparently.
The same applies to me also.Easily went free out off china lock through SD script but cannot make any kind of .sh to run inside o test folder for rtsp telnet ftp timezone etc…Any help from fedeant will be great.
Thank you in advance
Aris
While I am struggling to defend the regional lock in 17CN, the recent news has made me paranoid. What if the hacked firmware is part of botnet attacking?
The camera ejects wi fi error. I tried everything. I set up 20 cameras not only this.
12cnfjjlocj95f160122
1. Run CN camera outside China
2. Downgrade from 1.8.6.1Q
Requirement: access to filter internet bound traffic
Inspired by the analysis here, I notice that
1. if you block the camera access to internet bound tcp traffic, you can run 1.8.6.1Q. The only issue is that you lose access to the camera from internet.
2. I am not able to downgrade the firmware until I block the tcp traffic. I am then able to downgrade from 1.8.6.1Q to 1.8.6.1K, then upgrade to 1.8.6.1L(factory shipped version) without any issue. Both lower version works with access from internet. The tcp block can be removed when camera is not running 1.8.6.1Q.
how to downgrade from Q to K and then to L? Is it thru microsd or 3pin? please describe. thanks
Do you mean , the procedure to downgrade from 1.8.6.1Q to 1.8.6.1K is
step 1. block the camera (1.8.6.1Q) internet access
step 2. copy 1.8.6.1K version to sd card root directory with name “home” only
step 3. power off camera
step 4. insert sd card with 1.8.6.1K version
step 5. power on camera
step 6. wait…under 1 min , it should be success for downgrade
Hi, sorry for noob question, how to block camera access ? can i just switch off my adsl modem and let camera connect to local wifi ?
In step 1, allow udp(dns) but block tcp. Do not block internet access outright as it didn’t work for me.
I flashed via mi home the lastest firmware (btw i don’t know how to see what is my firmware)
I’ve never sucess to flash via the sd card.
I tried every firmware from this website :http://xiaoyi.querex.be/firmwares/
None work…
I also try to hack via connecting the pin but the camera doesn’t react, it always booting like nothing.
on putty i’ve always got a black screen…
help please
We locked CN version for used within china, you may buy international version.
UNLOCK IT. UNLESS YOU ADMIT HUAWEI IS THE SUPERIOR COMPANY.
thank joneschi, your method works like magic. 1.8.6.1C can hack 17CNY firmware.
Great Job!!!!!
sadly… no luck, no solved. latest Q fw perfectly locked hw v.2.1 17CN.. return to seller and buy the international version.
yes you right! no luck like lendir gawuk mengo… don’t buy CN version, it’s useless!
I’ve successful open Telnet and ftp service on 1.8.6.1Q.
This Yi Camera’s FW is native 1.8.6.1Q.201607271501 and the QR code is 17CN dangerxx160629.
First need connect to Yi Camera via COM – UART.
Then copy /bin/busybox from another Yi Camera running on Older FW( Mine is 1.8.6.1B).
and cp the busybox file to the path /home/ .
modify the file S88telnet and S89ftp in /etc/init.d/
S88telnet
/home/busybox telnetd &
S89ftp
/home/busybox tcpsvd -vE 0.0.0.0 21 /home/busybox ftpd -w / &
reboot and service success running!
how about rtsp ?
please do a video tutorial to share with us.
thank you very much!
Can you please share a /bin/busybox from any older FW (1.8.6.1C or older)?
I’v upload the buxybox file copy from Yi camera 1.8.6.1B.
http://www.megafileupload.com/gkiS/busybox(1.8.6.1B).zip
I copied the busy box file as per your instruction but after that camera stuck at boot. Yellow light stay ON all the time. Reset button does not work any more. I am on 1.8.6.1Q firmware and 17CNYQSSLT versiion. I already made it work outside china using the factory_test.sh script provided by jones chi. Is it possible to unbrick without serial connection? I ready someone posted on pda4u that if change the firmware file name from home to home_y18 there is a possibility. I did it and at boot yellow light flashes for around 18 seconds but then nothing happens. any suggestions are valueable. Thanks
Hi CoolYu,
can you help me by sharing the mtdblock4 (rootfs) image.
image can be exported by the following command
dd if=/dev/mtdblock4 of=/tmp/hd1/mtdblock4.img
Where /tmp/hd1 is the sd card directory.
Naveed,
http://wikisend.com/download/222812/mtdblock4.img
I have the same 1.8.6.1Q firmware and 17CN** . Also used the factory_test.sh script and also copied over busybox from 1.8.6.1B to enable telnetd and ftpd. Now trying to figure out how to run rtspsvr.
While installation I twisted the base and broken it, please share some mounting ideas for table top or wall fixing
Hi.
Any solution for 22CN models?
So i bought a camera 1.8.6.1Q 17CN last week from China and the only way is to connect it via serial port.
My questions now:
– where do i get such an adapter
– from where do i copy “/bin/busybox from another Yi Camera running on Older FW( Mine is 1.8.6.1B)”
Is there any easier way to unlock the camera via microSD card or USB cable as the workaround is pretty difficult for a non tech guy.
Thanks
Stefan
Connected via serial, ran the script but nothing, even if i have the message that it was successful (already hacked) when i try to connect it i have the blinking blue led and does not read the QR. If i reset it then it connects to the phone but cannot be used outside china.
Basically the script blocks the camera accessing the cloud, but somehow everything stops if it does not access it.
Did u success mount the SD card after Hi-Linux?
Check the folder with command ls /tmp/sd
if it shows ” No Such file or direction”,
that means u should solve the SD card mount problem first.
Script ran successful, it disables cloud access, the thing is that the camera does nothing afterward.
it will not read the QR and needs to be reset to come back to factory settings.
Check the file with command “ls /home/app/cloudAPI -al”
Make sure is the “Script ran successful”?
So how did get your cam connected via serial? solder or you got an adapter at the end?
Connected via serial, soldered the wires on the MB
HI Stefan , can you help me to make the image of the mtdblock4 which is the rootfs. you can use the below command in the console to save the image in the memory card. Normally memory card is mounted in /tmp/hd1
dd if=/dev/mtdblock4 of=/tmp/hd1/mtdblock4.img bs=65535
I have bricked my camera and need to restore rootfs. appreciate your help.
Thanks
Is there anyway to downgrade the firmware for 1.8.6.1Q 22CN model besides using serial port?
Any finding on this?
Can I simply write a firewall rule to block access to api.xiaoyi.com [139.129.76.123] to prevent the cameras from making API calls to Xiaoyi (akin to the DNS error method) and also log.xiaoyi.com [120.131.3.176] to prevent logs from being transferred back?
Perhaps then there is no need to modify the camera if the camera still runs if it cannot make the API call.
Is there any way to get an MJPEG stream from the camera? Or use a PI to convert the rtsp to MJPEG?
@breko yes,Pi works very well for home automation (doorbell,reed sensor,pir) get image from yi and sent it to your phone
Hello all.
I just bought Xiaomi 1080P dome ip camera but can not be used outside of china.
is there who can help me?
I soldered according to the video method.
And serial connection success !!
But
Ctrl + c x 3 ~~~
It did not enter the root state.
~ # <- It comes out like this.
In the video,
Hisilicon # <- like this.
But I am not.
To be like hisilicon #
Please let me know how to do it !!
Where did you bought it? how much it cost?
mi dome can used outside
but yi dome can’t use outside
please re check
hi,
anyone know how to force run home (upgrade or downgrade) via serial
i try running home by typing /tmp/sd/home there is massage “/tmp/sd/home: line 3: syntax error: unexpected “(“”
by the way manage to get the hack_yi.sh to run and it’s working.
@kkangddagu you are the right place.. just type /tmp/sd/hack_yi.sh and enter after the #
please i want to down grade so that telnet, rtsp. ftp, http tp work again in cn17q version.
thanks
Hello all.
My Xiaomi Xiao Yi Ant HOME is CN17*160622, the version: 1.8.6.1Q!!
I’m download the file(hack_yi.tar.gz), and decompress it to “/Yi” of SD card.
When i see the command prompt, just key “/tmp/sd/Yi/hack_yi.sh”.
Key try again, it’s response: “Already hack”, I think, I can free use the Cam.
But, I’m use the Xiao Yi App, It’s response “-3006”!
What else do I need to change??
have try used latest app for yi home and mi home ??
had hack 5 camer found 1 of 5 camera have problem -3006 some time can see camera some time error
I have An issue with the CN camera, when say waiting to connect never scann the code QR. And always say waiting to connect.
Telnet to Xiaoyi Smart Camera no longer works on 1.8.6.1R_201611191201home firmware. Maybe someone can make a solution soon.
no… hope it’s not the end.
for me is working telnet with 1.8.6.1R
Confirmed
Unavle to rewind video in app. Anyone else have this issue?
My 17CN with Q firmware, cannot update to R version using SD card. Need help and thanks in advance.
change the home file to home_y18 and put in the root of SD card. Then it will upgrade
Are there many of you who are successful with a home_y18 firmware update? Seems a few cams were bricked after trying a home_y18 update.
I have 1.8.6.1Q on 17CN danger.
1. I used factory_test.sh to get rid of the only be used in China message.
2. I copied busybox from 1.8.6.1Q and updated init.d telnet and ftp startup to use the older busybox and run telnet and ftd.
I can’t get rtspsvr working. I tried running rtspsvrM using the older busybox, but I get a “rtspsvM: applet not found error”. Any ideas?
Dear Friend,
I want my camera to record 24/7 inside sd card. can it be possible ?
Hello,
I bought a camera in Ali… I think the seller send the camera with M firmware
I have a 12CN danger danger160418 camera.
I can’t change the firmware.
I can’t connect with international Mi home.
International version of software won’t work with CN camera.
Mine is V2.1 firmware 1.8.6.1Q and it is working!!! Just extract hack_yi.tar.gz into sd card root, power up and wait for 5 mins (it will not reboot) then power off, take out sd card and power up again. Connect through Mi Home downloaded from Google Playstore and select Mainland China locale.
Many thanks for the solution!!!
I have yi ants 2 (1080p) change chinese version. Since 5 days ago i cannot connect to cam and it gave me “camera offline….(-9999)” error notification and sometimes stuck at “establishing connection 50%”.
My camera id is : 24CN and the fw 2.10.2.4_20160617. anyone could shed me a light what actually is going on with my cam? Kindly need your help to solve my issue here. Many thanks in advance.
Hi Tom,
I can confirm it is happening to mine also. I think it is being blocked, if anyone knows how to solve this please help us.
Hi Tom and Tim, it’s good to know that I’m not the only one facing this problem. Wonder if you guys found any resolution to this? Thanks.
I didn’t find any solution to this, unfortunately. Yesterday I went out to buy the international version. The camera is still recording but it’s always stuck at 50% when connecting to the camera. I even tried re-pairing the 1080p camera, it pairs alright since I have the old firmware, but after that I can’t connect to it. The last date of connect was December 8.
There is a thread here: http://en.miui.com/forum.php?mod=viewthread&tid=440098&highlight=1080p%2Bcamera
the same happens to me.i can’t access through the yi home apps but i can playback through the cloud service
hello wan, thanks a lot for the feedback. May I know how do you playback through the cloud service?
have u activated the cloud service? if so then go to http://yun.xiaoyi.com and login then you can playback the record of xiaoyi 1080p
Anyone bought the YI home dome camera? Any assistance to bypass the “This camera can only be use within China”? Thanks in advance!
Hello. What about YI DOME 360. Same problem, but cant find solve CN camera