[UPDATE] added instruction for latest firmware ver. 1.8.7.0C_201705091058
Recently I bought a Xiaomi Xiao Yi (IP) camera (also known as Yi Home), Chinese version. The camera looks nice, the picture quality is OK, and it worked fine on my local Wi-Fi.
However, I was unfortunate enough to receive and test the camera just when Xiaomi decided to deny access from the iOS app to the camera outside of China (error 5400). I was hoping a firmware upgrade would solve this issue, so I upgraded from 1.8.5.1L to 1.8.6.1B. Now my camera was useless: it would say “This camera can only be used in China” and shut down.
This was the tipping point: I decided to investigate what was happening with this camera and what could be done to make it functional again. At the time of writing, the remote access problem (error 5400) has been solved by the provider, so no additional action is required. (I tried to convert a CN camera to an international one by changing the serial of the device, but I couldn’t test from a European or US IP, and I would probably have needed access to the system files of a functional international camera to compare.)
So the remaining issue was the camera shutting down with the latest firmware (tested with 1.8.6.1A and 1.8.6.1B).
If you do a search, there are heaps of websites describing how you can gain access to the camera and ultimately enable remote access via telnet. I won’t get into those details; you can check some of the websites I listed below.
Once you have logged into the camera via telnet, the fun part begins. The camera is running a version of Linux.
# uname -a
Linux (none) 3.0.8 #1 Wed Apr 30 16:56:49 CST 2014 armv5tejl GNU/Linux
This is familiar territory: we can check which processes are running, look at the log files and the /home directory, and mess around with the system. I have to mention this is for educational purposes only and you can easily brick your camera.
Back to the “This camera can only be used in China” message. If you look carefully in the log file “/tmp/log.txt”, at some point you will see the forbidden.g726 sound being played, and not long before that there is an API call to the mothership to check whether your device is allowed to run or not. With this call the camera sends your IP automatically, so there is not much to be done about that.
[/home/cloud][4/29/22:51:48:52]: req_info=https://api.xiaoyi.com/v4/ipc/check_did?hmac= danger danger danger danger danger%3D&seq=9 &uid= danger danger danger dangerXX&timestamp=4294938554
{"allow":false,"code":"20000"}
Now the nice thing about this is that we can fake the response from the server in several different ways.
1. You set up a proxy that changes the reply from "allow":false to "allow":true. The certificate on the camera (/home/ca.crt) can be changed, so you can set up a valid proxy for the https request as a man in the middle. Possible, but too complicated, and you need a proxy running.
2. You can set up a fake response on the camera via the local HTTP server and redirect (see point 3 😉 ) the check_did call to this file. (/home/web/response.json -> {"allow":true,"code":"20000"}). Again possible, but not really needed.
3. And finally, we get to the solution. In the log files, we saw that /home/cloud is responsible for checking the permission for our device. This is a binary file, and we can check which calls are made from it:
# strings /home/cloud | grep http
http://log.xiaoyi.com/info.gif?p=home_v1&sysVersion=%s&mac=(lots of other details)
%s -c 311 -url https://api.xiaoyi.cox/v4/ipc/check_did -uid %s -keySec %s
%s -c 139 -keySec %s -url https://api.xiaoyi.com/v4/ipc/reset -uid %s -version %s -mac %s
......
%s -c 138 -key %s -keySec %s -url https://api.xiaoyi.com/v4/ipc/on_line -uid %s -version %s -mac %s -packetloss %d -p2pconnect %d -p2pconnect_success %d -tfstat %d
%s -c 136 -url http://api.xiaoyi.com/v2/ipc/sync_time
(yes, the camera logs and sends everything back to Xiaomi)
Now if we change the check_did call to point at our local file mentioned above, that would make /home/cloud happy and the camera will run. Luckily, /home/cloud will lock your device only if the remote server replies with "allow":false. So all we need to do is block that call or break/invalidate that URL (e.g. with a DNS error).
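An added example (not part of the original post) that turns the strings output above into a short audit of which identifiers the binary sends and over which transport. The sample lines are copied from that output; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: read `strings /home/cloud | grep http` output on stdin and
# print one tab-separated line per endpoint: transport, URL, identifiers.
audit_endpoints() {
    awk '
    {
        # Take the first URL on the line, without its query string.
        if (!match($0, /https?:\/\/[^ ?]+/)) next
        url = substr($0, RSTART, RLENGTH)
        transport = (url ~ /^https:/) ? "tls" : "cleartext"

        # Identifiers appear as flags (-uid %s) or as query keys (&mac=).
        ids = ""
        n = split("uid mac key keySec", want, " ")
        for (i = 1; i <= n; i++)
            if ($0 ~ ("[-&?]" want[i] "[ =]"))
                ids = ids (ids == "" ? "" : ",") want[i]

        print transport "\t" url "\t" (ids == "" ? "-" : ids)
    }'
}

# Sample input: the lines shown in the strings output above. The first line
# is cut where the post elides the remaining parameters, and the check_did
# line already carries the patched domain, as it does in the post.
sample_strings() {
    cat <<'EOF'
http://log.xiaoyi.com/info.gif?p=home_v1&sysVersion=%s&mac=
%s -c 311 -url https://api.xiaoyi.cox/v4/ipc/check_did -uid %s -keySec %s
%s -c 139 -keySec %s -url https://api.xiaoyi.com/v4/ipc/reset -uid %s -version %s -mac %s
%s -c 138 -key %s -keySec %s -url https://api.xiaoyi.com/v4/ipc/on_line -uid %s -version %s -mac %s -packetloss %d -p2pconnect %d -p2pconnect_success %d -tfstat %d
%s -c 136 -url http://api.xiaoyi.com/v2/ipc/sync_time
EOF
}

# URLs of the endpoints that are contacted without TLS.
cleartext_endpoints() {
    audit_endpoints | awk -F '\t' '$1 == "cleartext" { print $2 }'
}
```

Run it as `sample_strings | audit_endpoints`, or pipe the real strings output into `audit_endpoints` on a workstation.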
THE SOLUTION:
# ps | grep /home/watch_process | grep -v "grep" | awk '{print $1}' | xargs kill -9
# ps | grep /home/cloud | grep -v "grep" | awk '{print $1}' | xargs kill -9
# sed -i 's|api.xiaoyi.com/v4/ipc/check_did|api.xiaoyi.cox/v4/ipc/check_did|g' /home/cloud
# reboot
The first command kills watch_process so that it doesn’t restart other processes.
The second command stops the cloud service so that we can change the file.
The third one changes the text in the binary file. It changes com to cox, which invalidates the URL, so the "allow":false message is never returned.
Once the camera reboots it will be functional just as before you upgraded to the latest firmware. In case anything goes wrong just install a fresh, unmodified firmware.
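A guarded form of the third command, as an added example that is not part of the original post: it refuses to patch unless the replacement has the same length as the original string, works on a copy, and overwrites the binary only after the result passes its checks. The function names are hypothetical, and the demo file is a constructed stand-in for /home/cloud.

```shell
#!/bin/sh
# Added example: guarded in-place patch of a literal string inside a binary.
# patch_same_length FILE OLD NEW
# Returns 0 patched, 2 no file, 3 length mismatch, 4 OLD absent, 5 check failed.

# Escape literals so sed treats them as text (pattern side, replacement side).
sed_escape_pattern()     { printf '%s' "$1" | sed 's/[][\.*^$|]/\\&/g'; }
sed_escape_replacement() { printf '%s' "$1" | sed 's/[\&|]/\\&/g'; }

patch_same_length() {
    file=$1; old=$2; new=$3
    [ -f "$file" ] || return 2
    # A longer or shorter string would shift every offset that follows it.
    [ "${#old}" -eq "${#new}" ] || return 3
    LC_ALL=C grep -q -F -e "$old" "$file" || return 4

    size_before=$(($(wc -c < "$file")))
    cp -p "$file" "$file.orig"              # untouched copy for rollback
    LC_ALL=C sed "s|$(sed_escape_pattern "$old")|$(sed_escape_replacement "$new")|g" \
        "$file.orig" > "$file.new"
    size_after=$(($(wc -c < "$file.new")))

    # Only overwrite the real file once the candidate passes both checks.
    if [ "$size_before" -ne "$size_after" ] ||
       LC_ALL=C grep -q -F -e "$old" "$file.new"; then
        rm -f "$file.new"
        return 5
    fi
    cat "$file.new" > "$file"               # keeps the file's mode and owner
    rm -f "$file.new"
}

# Constructed stand-in for /home/cloud: a few binary bytes around the format
# string from the strings output. Prints "size_before size_after".
demo_patch() {
    dir=$(mktemp -d) || return 1
    printf 'ELF\000\001%%s -c 311 -url https://api.xiaoyi.com/v4/ipc/check_did -uid %%s\000\377' \
        > "$dir/cloud"
    before=$(($(wc -c < "$dir/cloud")))
    patch_same_length "$dir/cloud" \
        'api.xiaoyi.com/v4/ipc/check_did' 'api.xiaoyi.cox/v4/ipc/check_did' || return
    echo "$before $(($(wc -c < "$dir/cloud")))"
    rm -rf "$dir"
}
```

The copy left at FILE.orig is the quickest rollback if the patched service misbehaves.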
Drop me a line if this worked for you!
Update: Read the comments for CNxx160622 hardware with FW 1.8.6.1C or 1.8.6.1Q.
Serial port connection to the camera explained in this video (credit to fedeant):
1.8.6.1C and 1.8.6.1Q problem solved by JonesChi:
I wrote a script to make the camera work again outside China. Download the file, and decompress it to root of SD card. http://diy.2pmc.net/wp-content/uploads/2016/10/hack_yi.tar.gz
If your device’s FW is 1.8.6.1C, you just need to insert the SD card into your camera, and it will hack your device automatically, when it finished, the camera will reboot automatically, then your camera is free.
If your device’s FW is 1.8.6.1Q, you need to connect your camera via serial port to get console, then insert the SD card into your camera, when you see the command prompt, just type “/tmp/sd/hack_yi.sh”, then your camera is free.
If you are using the latest firmware 1.8.7.0C_201705091058, controsensi updated the script above to support this. The file name that needs to be uploaded to the SD card has changed to equip_test.sh and the location of the home directory in the script has changed as well. The rest seems to be functioning the same way.
Create this file on the SD card and reboot your camera. It should work without the annoying restriction message. controsensi’s full solution is described here.
[sd_card]/test/equip_test.sh
#!/bin/sh
# JonesChi's script.
# Modified by halnovemila (HalEx) to work on CN12 model
timestamp=`date`
sdcarddir=`dirname $0 | sed -n 's/\/test//p'`
testdir="${sdcarddir}/test"
logfile="${testdir}/hacklog"
echo "Current dir= ${testdir}" >> $logfile
echo "SDcard dir= ${sdcarddir}" >> $logfile
cat /home/version >> $logfile
echo "========== LIST OF /home ============" >> $logfile
ls -l /home >> $logfile
if [ -f /home/cloudAPI_real ]
then
    echo "Already hacked ${timestamp}" >> $logfile
    sync
else
    echo "Start hacking ${timestamp}" >> $logfile
    cp /home/cloudAPI $sdcarddir/cloudAPI.bak
    mv /home/cloudAPI /home/cloudAPI_real
    cp $sdcarddir/cloudAPI /home/cloudAPI
    echo "Done hacking ${timestamp}" >> $logfile
    # fix bootcycle
    mv $testdir/equip_test.sh $testdir/equip_test.sh.moved
    sync
    reboot
fi
# ATTENTION!
# Once the script is executed the boot process is halted,
# nothing else will be executed.
# Therefore if the hack has been already applied
# and this script executed,
# the camera will not complete the boot process
# and will seem like if it's not working.
Some websites to check to see how you can enable the remote access (telnet/nc):
http://xiaoyi.querex.be/
https://yadi.sk/d/MpaQaTC1mU2kQ
http://en.miui.com/thread-224653-1-1.html
– Peter
566 comments: On [SOLVED] Xiaomi Xiao Yi Ant HOME CN12 – This camera can only be used in China (1.8.6.1 – 1.8.7.0)
I still have the chinese app and it works okay along with the north american app together. The chinese app works with my old 720p camera and the 1080p chinese (second gen). The 1080p camera gen 2 stopped working as of December 8th. The only trick is that the chinese app I have the MI-Login and I chose China as the region. I also have the dome camera, but that works only with the mi-app in the google play, along with the old 720p chinese camera (but 1080p can’t be paired here with the mi-app).
To summarize it all:
Use the Chinese app with the chinese camera and mi-login.
Use the google play store app with the international version and the YI login.
Tim, can help to explain again how u manage to get the Dome Camera working?
Camera is International version or Chinese version?
mi-app or yi-app? Chinese app or North America app?
Mi-Login?
Need to use China as region?
TQVM.
I used the mi home app. I have the Chinese dome camera and it works for me. The only thing is you have to set the region to China and you login with the mi home account not yi home account.
Tim, how did you get the 1080 second generation to work outside China
Same issue – 1.8.1.6R – does anybody know what to do? ( How to downgrade – RS232 or SD card) I have 2 CN ver. in EU
Thanks to all who finds new ways (scripts, RS232) how to hack or trying to find new ways 🙂
Hello, this is load another firmware does not work when the sd card ???
I am still on 1.8.5.1K firmware version. Camera works with MiHome app only if I use it via wifi in my house. If I am out of the house….it does not work with either wifi or LTE. Any idea what I need to do to get this working from outside of the house?
I have a YI camera in version Chinese but impossible for me to connect my camera. I have installed the firmware 1861B.02 and download the last version of MI HOME on china market and also on Google play but impossible to connect my Camera.
Please could you help me ?
Thanks a lot
I previously hacked mine 17CN dangerx cameras(simple SD card application) with the instructions and they worked fine.
Unfortunately I made a crucial mistake couple of days ago, and hit the button to update the software on camera.
Now even I RESET and follow the same instructions to hack the camera again, it does not work. Basically when hacking the camera with first file, the orange light should have been light continuously, but it does not. I think somehow that latest update avoids me to go back to its original state.
Any advice, would be appreciated. Thanks.
hello
24cn danger danger 1080 camera stuck in 50% and couldn’t use even with 2.1.1_20160429113900home firmware
please help … any suggestion !
i have 1.8.6.1R.Please help to unlock
help me… 1.8.6.1Q_201607271501 users..
i’ve deleted a original ‘/home/app/cloudAPI’ file…
can anybody help me?
[email protected] plz send to me this file.
I use the 1.8.6.1B_rtspfix and I can connect to wifi and use it perfectly with rtsp. Only problem is whenever the camera is unplugged from the power, it forgets the wifi connection and I have to do the setup all over again. Is there any fix for that? Thanks!
i have model 18CN (YI ANT Home V1 upgrade 1080p) Please help to unlock
I have 4 Xiaomi 1080p I cant check firmware but at the back with the QR code it says 18cny6DKUU. I tried all the firmware it seems to ignore it. The only way i got it to stop saying the device can only be used in china was loading the hack firmware. However it never completes. Orange light stays solid. I can add the camera to the china Yi app. But when i check for signal it crashes at 25% and says network issue. Also wont load settings for me to check current firmware or make changes in the application. PLEASE HELP!!!!
hello, i am confused i currently live in thailand so if i buy the [International Edition] Xiaomi YI Home Camera 2 will it not work and come up blocked as i liked the features and the price
If I buy the international version can I use in Thailand without problems?, i thought we had posted a question but not showing
is there any way to create applications or install an app manager like opkg?
THE SOLUTION WORKED!!! THANK YOU VERY MUCH 🙂 I’m running version 1.8.6.1R_201611191201 and my camera model is 12CNLJ****
# ps | grep /home/watch_process | grep -v "grep" | awk '{print $1}' | xargs kill -9
# ps | grep /home/cloud | grep -v "grep" | awk '{print $1}' | xargs kill -9
# sed -i 's|api.xiaoyi.com/v4/ipc/check_did|api.xiaoyi.cox/v4/ipc/check_did|g' /home/cloud
# reboot
please anyone has step by step to enable telnet and ftp on firmware 1.8.6.1C and version 17CN.
I already unlock the camera and be able to use this outside China.
But without ftp there is no way to put the only record stay on sdcard.
thanks in advance.
I got error on my init.sh
can anyone provide me the file init.sh
my camera is 17CN and 1.8.6.1C firmware
thanks alot
i messed up with init.sh
did anyone can help me uploading the file : init.sh
my camera is 17CN and firmware 1.8.6.1C
big thanks
Any update on downgrading 1.8.6.1R ?
or unlock / cracked it, so it can be used?
try this http://diy.2pmc.net/wp-content/uploads/2016/10/hack_yi.tar.gz
if not working downgrade to 1.8.6.1B and try the hack again.
Is this working? also what version is this?
Step by step to back live again your xiaomi ant cam
Check video: https://www.youtube.com/watch?v=fBjKTfWN4TI
unfortunately 1 8 6 1 c and scripts downloaded from latest comment is not working. this camera is a piece of shit.
I came across http://ike.twbbs.org/index.php/2014-07-22-09-51-45/34-solved-160622-this-camera-can-only-be-used-in-china and i followed step 2 & 3, and i got it working. A check on the Mi Home App shows i’m on Firmware 1.8.6.1Q_201607271501 (I didn’t know what i was before this) so i guess you can give it a try if you haven’t got it sorted.
SOLVING: “WiFi password error”.
I have just noticed one thing:
When I was trying to connect to the new WiFi network – I was encountering the message “WiFi password error” all times. Even after reset of the camera – still got the same error message. But one time (after reset) I have just unplugged the camera from the power supply and reconnect again. Then when I tried to connect to new WiFi network again – I have connected without any problems.
Hello I have asked Yi about RTSP access at http://forum.xiaoyi.com/forum.php?mod=viewthread&tid=45663&extra=page%3D1 , let’s see what (if) they will reply.
Hi. Any solution for 12CN version? Please help.
i have model 18CN (YI ANT Home V1 upgrade 1080p) Please help to unlock
i can try hack_yi (credit to fedeant) not work
please share firmware stock
http://textuploader.com/d1vmi my log in boots
I have Xiaomi 1080p I cant check firmware but at the back with the QR code it says 18CN danger danger. I tried all the firmware it seems to ignore it. The only way i got it to stop saying the device can only be used in china was loading the hack firmware. However it never completes. Orange light stays solid. I can add the camera to the china Yi app. But when i check for signal it crashes at 25% and says network issue. Also wont load settings for me to check current firmware or make changes in the application. PLEASE HELP!!!!
Hello, how do I know which firmware version is it installed on my current Xiaoyi camera? without a successful hack yet. thanks!
I have a 12CN hardware. Somehow I managed to activate the camera with firmware 1.8.5.1K, but sometimes I can’t connect to the camera from outside my intranet.
To upgrade to 1.8.6.1 I need a modified firmware, or can I just use stock CN firmware with equip_test.sh patch to /home/cloud ?
Can I use the international version of Mi Home app or am I stuck with Chinese version?
Thanks in advance
hi, i have a dome and its also doing the same thing. anyone have a working hack?
My camera was 1.8.6.1C
I tried the hack state above half a year ago and it work. I had been using it since then.
But recently late Feb the prompt “This Camera can only work in China” came back. I tried using the same hack I did but it no longer work. Anybody had the same problem as me?? Or any genius here can fix the problem again??
Hi guys..since this page helping me to understand how yi cctv work, i would like to give back and give you alternative solution..
This solution does not need any modified firmware. you can run it “out of the box” firmware. And i believe all the future firmware update is going to work.
What you need:
1. VPN service that have server on china.i use pureVPN.
2. Router with OpenVPN client feature. I use WRT1200AC with Gargoyle Firmware.
How-to:
1. Set your OpenVPN client on gargoyle, my VPN provider give a nice guide to set this in Gargoyle. Basically you need to import their configuration file and input username and password that they give to you on Gargoyle Config Page. Use the china server config file.
2. Test the VPN connection. Make sure when you check on whatismyipaddress.com, it showing china map, it means you already have chinese IP. Xiaomi will check this IP and you can avoid the IP Region check.
3. Once step 2 is OK, you have to put custom config on your OpenVPN client, by default all of your route will be going to/tunneled to china first, this is bad because your regular web browsing will be slow.
On your custom config
– Remove “route 0.0.0.0 0.0.0.0” #so all your traffic will not routed to china
– add “route-nopull” #so your gargoyle did not pull default route, the same with above command
– add “route 139.129.76.123 255.255.255.0 vpn_gateway” #redirect access to api.xiaoyi.com to china
4. Save your config from step 4. And voila! All your CCTV will work.
The magic happen when your CCTV did IP check to api.xiaoyi.com. By routing traffic to China VPN the xiaomi server will look that CCTV is from china and will not region block your CCTV.
I hope I can give you more detailed instruction, but I’m writing this on my phone. You are welcome to ask more of course. I’ll be happy to answer.
Thanks very much Anthony, you saved my money spent for a “till yesterday unuseful” camera.
Thanks for the guide man
Any china vpn you could recommend?
Can we run some script through telnet to make time lapse straight from camera. Making pictures twice an hour would be more than ok ? How to write that script on xiaoyi ant first version.
Hi folks, 4pda.ru seems to have a solution for new version 1.6.1r, unfortunately I can’t create an account to download, if any of you have access would be nice to grab it. Thanks.
https://4pda.ru/forum/index.php?showtopic=638230&st=5760
the solution work with latest firmware 18.6.1R
thanks
telnet in cam
# ps | grep /home/watch_process | grep -v "grep" | awk '{print $1}' | xargs kill -9
# ps | grep /home/cloud | grep -v "grep" | awk '{print $1}' | xargs kill -9
# sed -i 's|api.xiaoyi.com/v4/ipc/check_did|api.xiaoyi.cox/v4/ipc/check_did|g' /home/cloud
# reboot
Is it possible to convert the Chinese version to US ? Or allow the Chinese version connected to the US app ?
hai. i’m adi from indonesia, i bought dome camera 720 from Online. that was CN ( 13CNYE30LA ) that is correct ? but when i turn on dome camera 720 the language is english “waiting to connect”, everything is ok but, always fail to pairing. have a solution ?
Good Day! I accidentally updated Xiaoyi Smart Home camera to the latest 1.8.7.0B version. Now, it’s being flagged again as ” can only be used in China”. Was confident I’d be able to use the (1.8.6.1Q_201607271501_AK_MOD_CN_FIRMWARE) again. But sadly, the MOD fw isn’t working with the 1.8.7upgrade. Can you help us find a solution to this?
Thank you.
i got a new yicamera 1080p. cant seems to work out of singapore. i’m able to telnet but cant kill proccess. it states whom to kill. 😛 when put in sd card, it stays to amber light.
need help
1.8.7.0B can’t use the telnet to hack it, roll back to 1.8.6.1Q
1.8.7.0B can’t telnet to hack it…
Hi,
I’ve seen you do quite a lot of amazing tech stuff.
I have purchased the afore-mentioned Hualai cam to have an eye on my elderly dad and it doesn’t work. It just won’t connect – i’m thinking it could have something to do with firmware – do you know how to extract it from a similar working cam? my friend has purchased one shortly after me, and his camera works just fine…
would be great if you could help 🙂
cheers,
For those who are dealing with a CN12 model and the JonesChi script doesn’t work.
https://controsensi.blogspot.com/2019/08/solved-xiaomi-xiao-yi-home-cn12-this.html
Hope this helps! 🙂
P.S. Many thanks to Csaba Peter for his findings and clever solution and the article he published on this page..
All the best!
Dear Csaba Peter,
please help with my YI DOM : 45CN dangerx
may I using this firmware ? and please show me what version of app?
Note : I using windows 10
Thanks and best regards.
Reed.
Hi all, I was able to upgrade all my yi home camera to latest firmware from the link and patch the “This camera can only be used within China” issue:
http://controsensi.blogspot.com/2019/08/solved-xiaomi-xiao-yi-home-cn12-this.html?showComment=1575403294204#c6117862621131574025
controsensi script is works! thank you
Mine is 1.8.7A, I put files in sd card then into the camera, power on , nothing happened. Please help. Keep saying only win China.
Is it possible to activate a jpg-snapshot on the camera with that fritz-smh firmware like on http://192.168.178.26/snapsot.jpg or so (how?) ?