The WyzeCam / Xiaomi Fang

The Xiaomi XiaoFang. Its a cheap IP camera (~$20-$30) that delivers decent quality. Is it a candidate to be ‘improved’ with a bit of hacking? You betcha!.

Spurred on by some external impetus, I acquired a WyzeCam. And of course, before turning it on, we took it apart!

A bit of squeezing, prying, and a small Philips screwdriver, and the contents were revealed. We can see the RX/TX/GND for the serial port, so lets assume its TTL and solder it up. I’m going to route the cables externally, so I hot-glue a header to the side of the USB-A connector and reach for the dremmel to expand the hole a little bit.

Inside, we have two PCB (the CPU etc board, and the camera board) connected by a pair of ribbon cables. Tweeze them out, and we are left with the individuals ready for the solder.

OK, reassemble, you can’t even tell the mod is there, the headers just peak through the case above the USB port.

Hacking it is embarrassingly simple. Place a SD card in, and it sells you its looking for a script to run. Or, you can just modify files in /etc since its jffs2 mounted overtop of the rootfs. OK, well that was simple.

Now. I’m not super interested in the embedded app, so we apply fang-hacks. These are very basic, and zero security (not even a thin patina of guessable password), so we’ll have to address that in a bit. The fang-hacks revectors the snx_rtsp_server to send a single stream locally. So i guess that’s better. But I really would prefer this have multiple streams, save to the NAS when there is motion, and have a snapshot interface for home-assistant. So, naively, I assume there will be a great OSS project that has something, perhaps from the Raspberry Pi folks. Something w/a simple web interface, and exposing the uvc video endpoints (the hardware does support multiple simultaneously). Sadly, this was not to be, closest i can find is mjpg-streamer which is somewhat out of date.

So, I’ll dive in and create a cross-compilation environment, get libjpeg going etc, and see where this ends up. If you know of anything (I mean anything) as an OSS project that would handle a HTTP snapshot interface, an RTSP streaming interface, and a simple web UI, let me know (maybe I’ll see if vlc can fit?)

PS, the default method of config for this device is a ‘novel’ concept. You press a button on the bottom, it says something in Chinese, you run the Mi home app, it then gives you a QR code, you hold that in front of the camera, and it reads it. Um, novel, but not that convenient for me. So I think putting the initial password/wifi info on the sdcard will be the way I go. Or, maybe, pressing the button starts a WiFi AP for the next minute and connect via web interface.

pps for you u-boot /dmesg junkies:

U-Boot 2011.09 (Sep 15 2017 - 20:19:00)                                                                                                  
DRAM:  64 MiB                                                                                                                            
MMC:   MMC: 0                                                                                                                            
SPI FLASH: 16 MB                                                                                                                         
In:    serial                                                                                                                            
Out:   serial                                                                                                                            
Err:   serial                                                                                                                            
GPIO[2] is high                                                                                                                          
Hit any key to stop autoboot:  0                                                                                                         
roofsr size = 0x6d3070                                                                                                                   
## Booting kernel from Legacy Image at 00008000 ...                                                                                      
   Image Name:   Linux-                                                                                                         
   Image Type:   ARM Linux Kernel Image (uncompressed)                                                                                   
   Data Size:    3038112 Bytes = 2.9 MiB                                                                                                 
   Load Address: 00008000                                                                                                                
   Entry Point:  00008040                                                                                                                
   Verifying Checksum ... OK                                                                                                             
   XIP Kernel Image ... OK                                                                                                               
Starting kernel ...                                                                                                                      
Uncompressing Linux... done, booting the kernel.                                                                                         
Linux version (fedora@localhost.localdomain) (gcc version 4.5.2 (SONiX GCC-4.5.2 Release 2011-12-06) ) #27 Thu Dec 22 18:48:16 6
CPU: ARM926EJ-S [41069265] revision 5 (ARMv5TEJ), cr=00057177                                                                            
CPU: VIVT data cache, VIVT instruction cache                                                                                             
Machine: SONiX SN98600 Development Platform                                                                                              
Memory policy: ECC disabled, Data cache writeback                                                                                        
CPU: found ITCM 16k @ ffff4000, enabled                                                                                                  
Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 16256                                                               
Kernel command line: console=ttyS0,115200 root=/dev/mtdblock2 init=/linuxrc mem=64M isp=10M vc=12M vo=0M mtdparts=snx-spi:768k(uboot),307)
PID hash table entries: 256 (order: -2, 1024 bytes)                                                                                      
Dentry cache hash table entries: 8192 (order: 3, 32768 bytes)                                                                            
Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)                                                                             
Memory: 64MB = 64MB total                                                                                                                
Memory: 36836k/36836k available, 28700k reserved, 0K highmem                                                                             
Virtual kernel memory layout:                                                                                                            
    vector  : 0xffff0000 - 0xffff1000   (   4 kB)                                                                                        
    fixmap  : 0xfff00000 - 0xfffe0000   ( 896 kB)                                                                                        
    DMA     : 0xffa00000 - 0xffe00000   (   4 MB)                                                                                        
    vmalloc : 0xc4800000 - 0xe0000000   ( 440 MB)                                                                                        
    lowmem  : 0xc0000000 - 0xc4000000   (  64 MB)                                                                                        
    modules : 0xbf000000 - 0xc0000000   (  16 MB)                                                                                        
      .init : 0xc0008000 - 0xc0026000   ( 120 kB)                                                                                        
      .text : 0xc0026000 - 0xc04ec000   (4888 kB)                                                                                        
      .data : 0xc050a000 - 0xc0535440   ( 174 kB)                                                                                        
SLUB: Genslabs=11, HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1                                                                  
Hierarchical RCU implementation.                                                                                                         
        RCU-based detection of stalled CPUs is disabled.                                                                                 
        Verbose stalled-CPUs detection is disabled.                                                                                      
Console: colour dummy device 80x30                                                                                                       
console [ttyS0] enabled                                                                                                                  
Calibrating delay loop... 200.29 BogoMIPS (lpj=1001472)                                                                                  
pid_max: default: 32768 minimum: 301                                                                                                     
Mount-cache hash table entries: 512                                                                                                      
CPU: Testing write buffer coherency: ok                                                                                                  
NET: Registered protocol family 16                                                                                                       
0x00a00000 bytes system memory reserved for isp device at 0x005ec000                                                                     
0x00c00000 bytes system memory reserved for vc device at 0x00fec000                                                                      
bio: create slab  at 0                                                                                                            
SCSI subsystem initialized                                                                                                               
usbcore: registered new interface driver usbfs                                                                                           
usbcore: registered new interface driver hub                                                                                             
usbcore: registered new device driver usb                                                                                                
Linux media interface: v0.10                                                                                                             
Linux video capture interface: v2.00                                                                                                     
Advanced Linux Sound Architecture Driver Version 1.0.23.                                                                                 
cfg80211: Calling CRDA to update world regulatory domain                                                                                 
Switching to clocksource ft_clocksource                                                                                                  
NET: Registered protocol family 2                                                                                                        
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)                                                                           
TCP established hash table entries: 2048 (order: 2, 16384 bytes)                                                                         
TCP bind hash table entries: 2048 (order: 1, 8192 bytes)                                                                                 
TCP: Hash tables configured (established 2048 bind 2048)                                                                                 
TCP reno registered                                                                                                                      
UDP hash table entries: 256 (order: 0, 4096 bytes)                                                                                       
UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)                                                                                  
NET: Registered protocol family 1                                                                                                        
RPC: Registered udp transport module.                                                                                                    
RPC: Registered tcp transport module.                                                                                                    
RPC: Registered tcp NFSv4.1 backchannel transport module.                                                                                
exFAT: Version 1.2.9                                                                                                                     
JFFS2 version 2.2. (NAND)  2001-2006 Red Hat, Inc.                                                                                       
fuse init (API version 7.14)                                                                                                             
msgmni has been set to 71                                                                                                                
async_tx: api initialized (async)                                                                                                        
io scheduler noop registered (default)                                                                                                   
SONIX UART driver, (c) 2013 Sonix                                                                                                        
snx_uart.0: ttyS0 at MMIO 0x98a00000 (irq = 8) is a SONiX                                                                                
snx_uart.1: ttyS1 at MMIO 0x98b00000 (irq = 10) is a SONiX                                                                               
brd: module loaded                                                                                                                       
loop: module loaded                                                                                                                      
6 cmdlinepart partitions found on MTD device snx-spi                                                                                     
Creating 6 MTD partitions on "snx-spi":                                                                                                  
0x000000000000-0x0000000c0000 : "uboot"                                                                                                  
0x0000000c0000-0x0000003c0000 : "kernel"                                                                                                 
0x0000003c0000-0x000000ac0000 : "rootfs"                                                                                                 
0x000000ac0000-0x000000ec0000 : "rescue"                                                                                                 
0x000000ec0000-0x000000fc0000 : "etc"                                                                                                    
0x000000fc0000-0x000001000000 : "userconfig"                                                                                             
snx_spi_init register                                                                                                                    
PPP generic driver version 2.4.2                                                                                                         
PPP Deflate Compression module registered                                                                                                
PPP BSD Compression module registered                                                                                                    
usbcore: registered new interface driver zd1211rw                                                                                        
ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver                                                                               
snx_ehci snx_ehci.0: snx_ehci                                                                                                            
snx_ehci snx_ehci.0: new USB bus registered, assigned bus number 1                                                                       
snx_ehci snx_ehci.0: irq 24, io mem 0x90800000                                                                                           
snx_ehci snx_ehci.0: USB 0.0 started, EHCI 0.96                                                                                          
usb usb1: New USB device found, idVendor=1d6b, idProduct=0002                                                                            
usb usb1: New USB device strings: Mfr=3, Product=2, SerialNumber=1                                                                       
usb usb1: Product: snx_ehci                                                                                                              
usb usb1: Manufacturer: Linux ehci_hcd                                                                                         
usb usb1: SerialNumber: sonix-ehci                                                                                                       
hub 1-0:1.0: USB hub found                                                                                                               
hub 1-0:1.0: 1 port detected                                                                                                             
Initializing USB Mass Storage driver...                                                                                                  
usbcore: registered new interface driver usb-storage                                                                                     
USB Mass Storage support registered.                                                                                                     
usbcore: registered new interface driver usbserial                                                                                       
USB Serial support registered for generic                                                                                                
usbcore: registered new interface driver usbserial_generic                                                                               
usbserial: USB Serial Driver core                                                                                                        
USB Serial support registered for GSM modem (1-port)                                                                                     
usbcore: registered new interface driver option                                                                                          
option: v0.7.2:USB Driver for GSM modems                                                                                                 
mice: PS/2 mouse device common for all mice                                                                                              
i2c /dev entries driver                                                                                                                  
SONIX SNX I2C adapter driver, (c) 2012 Sonix                                                                                             
snx_i2c.0: SNX I2C0 controller at 0x98300000 (irq = 1)                                                                                   
I2C GPIO driver INIT                                                                                                                     
snx_i2c.1: SNX I2C1 controller at 0x98400000 (irq = 2)                                                                                   
snx_hdma snx_hdma: SNX AHB DMA Controller (memcpy memset), 4 channels                                                                    
SNX AHB DMA driver register                                                                                                              
usbcore: registered new interface driver usbhid                                                                                          
usbhid: USB HID core driver                                                                                                              
usbcore: registered new interface driver snd-usb-audio                                                                                   
ALSA device list:                                                                                                                        
  No soundcards found.                                                                                                                   
Netfilter messages via NETLINK v0.30.                                                                                                    
nf_conntrack version 0.5.0 (575 buckets, 2300 max)                                                                                       
CONFIG_NF_CT_ACCT is deprecated and will be removed soon. Please use                                                                     
nf_conntrack.acct=1 kernel parameter, acct=1 nf_conntrack module option or                                                               
sysctl net.netfilter.nf_conntrack_acct=1 to enable it.                                                                                   
ctnetlink v0.93: registering with nfnetlink.                                                                                             
xt_time: kernel timezone is -0000                                                                                                        
IPv4 over IPv4 tunneling driver                                                                                                          
GRE over IPv4 tunneling driver                                                                                                           
ip_tables: (C) 2000-2006 Netfilter Core Team                                                                                             
arp_tables: (C) 2002 David S. Miller                                                                                                     
TCP cubic registered                                                                                                                     
NET: Registered protocol family 10                                                                                                       
lo: Disabled Privacy Extensions                                                                                                          
tunl0: Disabled Privacy Extensions                                                                                                       
IPv6 over IPv4 tunneling driver                                                                                                          
sit0: Disabled Privacy Extensions                                                                                                        
ip6tnl0: Disabled Privacy Extensions                                                                                                     
NET: Registered protocol family 17                                                                                                       
lib80211: common routines for IEEE802.11 drivers                                                                                         
VFS: Mounted root (cramfs filesystem) readonly on device 31:2.                                                                           
Freeing init memory: 120K                                                                                                                
hub 1-0:1.0: /run/media/fedora/software/SN986_1.50_P2P_TUTK_050a_20160921_1712/snx_sdk/kernel/linux- 0
hub 1-0:1.0: port 1, status 0503, change 0000, 480 Mb/s                                                                                  
Create device file                                                                                                                       
snx_crypto driver loaded.                                                                                                                
sonix crypto diver register                                                                                                              
Init nvram id: 1303281516                                                                                                                
Init nvram_crc id: 0x65535                                                                                                               
nvram_check crc = 64197 crc_ref = 65535                                                                                                  
[nvram_check:725] CRC error                                                                                                              
SONIX Kernel NVRAM initialized                                                                                                           
starting pid 529, tty '': '/etc/init.d/rcS'                                                                                              
Load drivers...                                                                                                                          
usb 1-1: new high speed USB device using snx_ehci and address 2                                                                          
Sonix GPIO Driver                                                                                                                        
driver loaded.                                                                                                                           
sonix snx_aud_gpio diver register                                                                                                        
usb 1-1: New USB device found, idVendor=0bda, idProduct=0179                                                                             
usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3                                                                        
usb 1-1: Product: 802.11n NIC                                                                                                            
usb 1-1: Manufacturer: Realtek                                                                                                           
usb 1-1: SerialNumber: C06D1AFB799D                                                                                                      
Load audio drivers...                                                                                                                    
Load video drivers...                                                                                                                    
SNX_AUDIO: driver register.                                                                                                              
SNX_SIGMA: adc submod driver init ok.                                                                                                    
snx_isp snx_isp.0: [ISP] isp_camera_probe                                                                                                
soc-camera-pdrv soc-camera-pdrv.0: Probing soc-camera-pdrv.0                                                                             
SNX_R2R: dac submod driver init ok.                                                                                                      
sc2135 stop streaming                                                                                                                    
0x0103 = 0x00                                                                                                                            
0x0100 = 0x00                                                                                                                            
0x3e03 = 0x03                                                                                                                            
0x3e01 = 0x46                                                                                                                            
0x3e08 = 0x00                                                                                                                            
0x3e09 = 0x10                                                                                                                            
0x3416 = 0x11                                                                                                                            
0x3300 = 0x20                                                                                                                            
0x3301 = 0x08                                                                                                                            
0x3303 = 0x30                                                                                                                            
0x3306 = 0x78                                                                                                                            
0x330b = 0xd0                                                                                                                            
0x3309 = 0x30                                                                                                                            
0x3308 = 0x0a                                                                                                                            
0x331e = 0x26                                                                                                                            
0x331f = 0x26                                                                                                                            
0x3320 = 0x2c                                                                                                                            
0x3321 = 0x2c                                                                                                                            
0x3322 = 0x2c                                                                                                                            
0x3323 = 0x2c                                                                                                                            
0x330e = 0x20                                                                                                                            
0x3f05 = 0xdf                                                                                                                            
0x3f01 = 0x04                                                                                                                            
0x3626 = 0x04                                                                                                                            
0x3312 = 0x06                                                                                                                            
0x3340 = 0x03                                                                                                                            
0x3341 = 0x68                                                                                                                            
0x3342 = 0x02                                                                                                                            
0x3343 = 0x20                                                                                                                            
0x3333 = 0x10                                                                                                                            
0x3334 = 0x20                                                                                                                            
0x3621 = 0x18                                                                                                                            
modprobe: module 'mt7601Ust0x3626 = 0x04                                                                                                 
a' not found                                                                                                                             
0x3635 = 0x34                                                                                                                            
0x3038 = 0xa4                                                                                                                            
0x3630 = 0x84                                                                                                                            
0x3622 = 0x0e                                                                                                                            
0x3620 = 0x62                                                                                                                            
0x3627 = 0x08                                                                                                                            
0x3637 = 0x87                                                                                                                            
0x3638 = 0x86                                                                                                                            
0x3034 = 0xd2                                                                                                                            
0x5780 = 0xff                                                                                                                            
0x5781 = 0x0c                                                                                                                            
0x5785 = 0x10                                                                                                                            
0x3d08 = 0x01                                                                                                                            
0x3640 = 0x00                                                                                                                            
0x3662 = 0x82                                                                                                                            
0x335d = 0x00                                                                                                                            
0x4501 = 0xa4                                                                                                                            
0x3333 = 0x00                                                                                                                            
0x3627 = 0x02                                                                                                                            
0x3620 = 0x62                                                                                                                            
0x5781 = 0x04                                                                                                                            
0x3333 = 0x10                                                                                                                            
0x3306 = 0x69                                                                                                                            
0x3635 = 0x52                                                                                                                            
0x3636 = 0x7c                                                                                                                            
0x3631 = 0x84                                                                                                                            
0x3637 = 0x88                                                                                                                            
0x3306 = 0x6b                                                                                                                            
0x330b = 0xd0                                                                                                                            
0x3630 = 0x84                                                                                                                            
0x303a = 0x07                                                                                                                            
0x3039 = 0x76                                                                                                                            
0x3343 = 0x40                                                                                                                            
0x3f04 = 0x02                                                                                                                            
0x3f05 = 0x04                                                                                                                            
0x3340 = 0x03                                                                                                                            
0x3341 = 0xe5                                                                                                                            
0x3207 = 0x4e                                                                                                                            
0x335d = 0x20                                                                                                                            
0x3368 = 0x02                                                                                                                            
0x3369 = 0x00                                                                                                                            
0x336a = 0x04                                                                                                                            
0x336b = 0x65                                                                                                                            
0x330e = 0x20                                                                                                                            
0x3367 = 0x05                                                                                                                            
0x3620 = 0x92                                                                                                                            
0x3634 = 0xd2                                                                                                                            
0x3633 = 0x17                                                                                                                            
0x3315 = 0x02                                                                                                                            
0x3334 = 0xa0                                                                                                                            
0x3312 = 0x00                                                                                                                            
0x335e = 0x02                                                                                                                            
0x335f = 0x0a                                                                                                                            
0x3306 = 0x60                                                                                                                            
0x3f04 = 0x01                                                                                                                            
0x3f05 = 0xf7                                                                                                                            
0x303a = 0x15                                                                                                                            
0x3039 = 0x2e                                                                                                                            
0x3035 = 0x25                                                                                                                            
0x3034 = 0x2e                                                                                                                            
0x3036 = 0x00                                                                                                                            
0x320c = 0x04                                                                                                                            
0x320d = 0x65                                                                                                                            
0x320e = 0x04                                                                                                                            
0x320f = 0xb0                                                                                                                            
0x3368 = 0x02                                                                                                                            
0x3369 = 0x4b                                                                                                                            
0x363a = 0x04                                                                                                                            
0x336b = 0xb0                                                                                                                            
0x3306 = 0x70                                                                                                                            
0x3640 = 0x01                                                                                                                            
0x3034 = 0x2e                                                                                                                            
0x3633 = 0x16                                                                                                                            
0x3211 = 0x14                                                                                                                            
sensor:sc2135 (id:0x2135) driver loadded                                                                                                 
sc2135 start streaming                                                                                                                   
IQ.bin OK!                                                                                                                               
ubIdx = 6, fps = 25                                                                                                                      
priv->uwMaxExpL = 1440, info->frame_rate = 25                                                                                            
snx_isp snx_isp.0: ISP Camera driver loaded                                                                                              
snx_sd_initial:1289: SD initialisation done.                                                                                             
mmc_rescan:1159 = 0                                                                                                                      
mmc0: new high speed SDHC card at address e624                                                                                           
mmc_add_card:259 = 0                                                                                                                     
mmcblk0: mmc0:e624 ACLCF 119 GiB                                                                                                         
 mmcblk0: p1 p2                                                                                                                          
mmc_add_card:265 = 0                                                                                                                     
snx_vc snx_vc: sonix_vc device registered as /dev/video1                                                                                 
snx_vc snx_vc: sonix_vc device registered as /dev/video1                                                                                 
snx_vc snx_vc: sonix_vc device registered as /dev/video2                                                                                 
snx_vc snx_vc: sonix_vc device registered as /dev/video2                                                                                 
RTL871X: module init start                                                                                                               
RTL871X: rtl8188eu v4.3.24_16705.20160509                                                                                                
RTL871X: build time: Jan 19 2017 06:53:17                                                                                                
RTL871X: bLength=7                                                                                                                       
RTL871X: bDescriptorType=5                                                                                                               
RTL871X: bEndpointAddress=81                                                                                                             
RTL871X: wMaxPacketSize=512                                                                                                              
RTL871X: bInterval=0                                                                                                                     
RTL871X: RT_usb_endpoint_is_bulk_in = 1                                                                                                  
RTL871X: bLength=7                                                                                                                       
RTL871X: bDescriptorType=5                                                                                                               
RTL871X: bEndpointAddress=2                                                                                                              
RTL871X: wMaxPacketSize=512                                                                                                              
RTL871X: bInterval=0                                                                                                                     
RTL871X: RT_usb_endpoint_is_bulk_out = 2                                                                                                 
RTL871X: bLength=7                                                                                                                       
RTL871X: bDescriptorType=5                                                                                                               
RTL871X: bEndpointAddress=3                                                                                                              
RTL871X: wMaxPacketSize=512                                                                                                              
RTL871X: bInterval=0                                                                                                                     
RTL871X: RT_usb_endpoint_is_bulk_out = 3                                                                                                 
RTL871X: nr_endpoint=3, in_num=1, out_num=2                                                                                              
RTL871X: USB_SPEED_HIGH                                                                                                                  
RTL871X: CHIP TYPE: RTL8188E                                                                                                             
RTL871X: rtw_hal_config_rftype RF_Type is 3 TotalTxPath is 1                                                                             
RTL871X: Chip Version Info: CHIP_8188E_Normal_Chip_TSMC_D_CUT_1T1R_RomVer(0)                                                             
RTL871X: _ConfigNormalChipOutEP_8188E OutEpQueueSel(0x05), OutEpNumber(2)                                                                
RTL871X: EEPROM type is E-FUSE                                                                                                           
RTL871X: Boot from EFUSE, Autoload OK !                                                                                                  
RTL871X: SetHwReg8188E: bMacPwrCtrlOn=1                                                                                                  
bFWReady == _FALSE call reset 8051...                                                                                                    
RTL871X: =====> _8051Reset88E(): 8051 reset success .                                                                                    
RTL871X: efuse_read_phymap_from_txpktbuf bcnhead:0                                                                                       
RTL871X: efuse_read_phymap_from_txpktbuf len:111, lenbak:111, aaa:111, aaabak:111                                                        
RTL871X: efuse_read_phymap_from_txpktbuf read count:109                                                                                  
RTL871X: EEPROM ID=0x8129                                                                                                                
RTL871X: VID = 0x0BDA, PID = 0x0179                                                                                                      
RTL871X: Customer ID: 0x00, SubCustomer ID: 0xCD                                                                                         
RTL871X: Hal_ReadPowerSavingMode88E...bHWPwrPindetect(0)-bHWPowerdown(0) ,bSupportRemoteWakeup(1)                                        
RTL871X: ### PS params=>  power_mgnt(0),usbss_enable(0) ###                                                                              
RTL871X: ======= Path 0, Channel 1 =======                                                                                               
RTL871X: Index24G_CCK_Base[0][1] = 0x2e                                                                                                  
RTL871X: Index24G_BW40_Base[0][1] = 0x30                                                                                                 
RTL871X: ======= Path 0, Channel 2 =======                                                                                               
RTL871X: Index24G_CCK_Base[0][2] = 0x2e                                                                                                  
RTL871X: Index24G_BW40_Base[0][2] = 0x30                                                                                                 
RTL871X: ======= Path 0, Channel 3 =======                                                                                               
RTL871X: Index24G_CCK_Base[0][3] = 0x2d                                                                                                  
RTL871X: Index24G_BW40_Base[0][3] = 0x2f                                                                                                 
RTL871X: ======= Path 0, Channel 4 =======                                                                                               
RTL871X: Index24G_CCK_Base[0][4] = 0x2d                                                                                                  
RTL871X: Index24G_BW40_Base[0][4] = 0x2f                                                                                                 
RTL871X: ======= Path 0, Channel 5 =======                                                                                               
RTL871X: Index24G_CCK_Base[0][5] = 0x2d                                                                                                  
RTL871X: Index24G_BW40_Base[0][5] = 0x2f                                                                                                 
RTL871X: ======= Path 0, Channel 6 =======                                                                                               
RTL871X: Index24G_CCK_Base[0][6] = 0x2c                                                                                                  
RTL871X: Index24G_BW40_Base[0][6] = 0x2e                                                                                                 
RTL871X: ======= Path 0, Channel 7 =======                                                                                               
RTL871X: Index24G_CCK_Base[0][7] = 0x2c                                                                                                  
RTL871X: Index24G_BW40_Base[0][7] = 0x2e                                                                                                 
RTL871X: ======= Path 0, Channel 8 =======                                                                                               
RTL871X: Index24G_CCK_Base[0][8] = 0x2c                                                                                                  
RTL871X: Index24G_BW40_Base[0][8] = 0x2e                                                                                                 
RTL871X: ======= Path 0, Channel 9 =======                                                                                               
RTL871X: Index24G_CCK_Base[0][9] = 0x2c                                                                                                  
RTL871X: Index24G_BW40_Base[0][9] = 0x2e                                                                                                 
RTL871X: ======= Path 0, Channel 10 =======                                                                                              
RTL871X: Index24G_CCK_Base[0][10] = 0x2c                                                                                                 
RTL871X: Index24G_BW40_Base[0][10] = 0x2e                                                                                                
RTL871X: ======= Path 0, Channel 11 =======                                                                                              
RTL871X: Index24G_CCK_Base[0][11] = 0x2c                                                                                                 
RTL871X: Index24G_BW40_Base[0][11] = 0x2e                                                                                                
RTL871X: ======= Path 0, Channel 12 =======                                                                                              
RTL871X: Index24G_CCK_Base[0][12] = 0x2c                                                                                                 
RTL871X: Index24G_BW40_Base[0][12] = 0x2e                                                                                                
RTL871X: ======= Path 0, Channel 13 =======                                                                                              
RTL871X: Index24G_CCK_Base[0][13] = 0x2c                                                                                                 
RTL871X: Index24G_BW40_Base[0][13] = 0x2e                                                                                                
RTL871X: ======= Path 0, Channel 14 =======                                                                                              
RTL871X: Index24G_CCK_Base[0][14] = 0x2c                                                                                                 
RTL871X: Index24G_BW40_Base[0][14] = 0x2e                                                                                                
RTL871X: EEPROMRegulatory = 0x0                                                                                                          
RTL871X: hal_com_config_channel_plan chplan:0x20                                                                                         
RTL871X: CrystalCap: 0x21                                                                                                                
RTL871X: EEPROM Customer ID: 0x 0                                                                                                        
RTL871X: EEPROM : AntDivCfg = 0, TRxAntDivType = 3                                                                                       
RTL871X: Board Type: 0x 0                                                                                                                
RTL871X: ThermalMeter = 0xf                                                                                                              
RTL871X: rtw_hal_read_chip_info in 270 ms                                                                                                
RTL871X: init_channel_set((null)) ChannelPlan ID:0x20, ch num:13                                                                         
RTL871X: NR_RECVBUFF: 8                                                                                                                  
RTL871X: MAX_RECVBUF_SZ: 4000                                                                                                            
RTL871X: NR_PREALLOC_RECV_SKB: 16                                                                                                        
RTL871X: Enable CONFIG_FIX_NR_BULKIN_BUFFER                                                                                              
RTL871X: rtw_alloc_macid((null)) if1, hwaddr:ff:ff:ff:ff:ff:ff macid:1                                                                   
RTL871X: rtw_macaddr_cfg mac addr:c0:6d:1a:fb:79:9d                                                                                      
RTL871X: bDriverStopped:True, bSurpriseRemoved:False, bup:0, hw_init_completed:0                                                         
RTL871X: rtw_ndev_init(wlan0) if1 mac_addr=c0:6d:1a:fb:79:9d                                                                             
usbcore: registered new interface driver rtl8188eu                                                                                       
RTL871X: module init ret=0                                                                                                               
Set hostname ...                                                                                                                         
Executing script (enabled: 1)                                                                                                            
Cloud apps are disabled                                                                                                                  
Mounting /media/mmcblk0p1                                                                                                                
Starting boa webserver...                                                                                                                
1:0: SD power up.                                                                                                                        
right_count=3  value=0 last_value=0                                                                                                      
1:0: SD power up.                                                                                                                        
1:0: SD power up.                                                                                                                        
Linking /media/mmcblk0p1/bootstrap/www/action -> /tmp/www/cgi-bin/action                                                                 
right_count=3  value=0 last_value=0                                                                                                      
ln: /tmp/www/cgi-bin/action: No such file or directory                                                                                   
Linking /media/mmcblk0p1/bootstrap/www/func.cgi -> /tmp/www/cgi-bin/func.cgi                                                             
ln: /tmp/www/cgi-bin/func.cgi: No such file or directory                                                                                 
right_count=3  value=0 last_value=0                                                                                                      
Linking /media/mmcblk0p1/bootstrap/www/network -> /tmp/www/cgi-bin/network                                                               
ln: /tmp/www/cgi-bin/network: No such file or directory                                                                                  
Linking /media/mmcblk0p1/bootstrap/www/scripts -> /tmp/www/cgi-bin/scripts                                                               
ln: /tmp/www/cgi-bin/scripts: No such file or directory                                                                                  
right_count=3  value=0 last_value=0                                                                                                      
Linking /media/mmcblk0p1/bootstrap/www/status -> /tmp/www/cgi-bin/status                                                                 
ln: /tmp/www/cgi-bin/status: No such file or directory                                                                                   
Failed to find hacks in /media/mmcblk0p2/data!                                                                                           
0:0: SD power up.                                                                                                                        
0:0: SD power up.                                                                                                                        
0:0: SD power up.                                                                                                                        
EXT2-fs (mmcblk0p2): warning: mounting unchecked fs, running e2fsck is recommended                                                       
right_count=3  value=0 last_value=0                                                                                                      
Mounted /media/mmcblk0p2/data                                                                                                            
Running startup scripts                                                                                                                  
right_count=3  value=0 last_value=0                                                                                                      
Cloud is disabled                                                                                                                        
Welcome to XiaoFang Hacks :-)                                                                                                            
Starting Network...                                                                                                                      
WiFi Client mode: using wpa_supplicant.conf                                                                                              
right_count=3  value=0 last_value=0                                                                                                      
right_count=3  value=0 last_value=0                                                                                                      
right_count=3  value=0 last_value=0                                                                                                      
right_count=3  value=0 last_value=0                                                                                                      
rfkill: Cannot open RFKILL conRTL871X: +871x_drv - drv_open, bup=0                                                                       
trol device                                                                                                                              
RTL871X: Set RF Chip ID to RF_6052 and RF type to 3.                                                                                     
RTL871X: rtl8188e_FirmwareDownload fw:NIC, size: 15414                                                                                   
RTL871X: rtl8188e_FirmwareDownload: fw_ver=16 fw_subver=0000 sig=0x88e1, Month=11, Date=58, Hour=16, Minute=3c                           
RTL871X: polling_fwdl_chksum: Checksum report OK! (1, 0ms), REG_MCUFWDL:0x00030005                                                       
RTL871X: =====> _8051Reset88E(): 8051 reset success .                                                                                    
RTL871X: _FWFreeToGo: Polling FW ready OK! (1, 10ms), REG_MCUFWDL:0x000300c6                                                             
RTL871X: FWDL success. write_fw:1, 80ms                                                                                                  
not in singleboard test                                                                                                                  
starting pid 734, tty '/dev/ttyS0': '/sbin/getty -L ttyS0 115200 vt100'                                                                  
iSmartAlarm login: ==> rtl8188e_iol_efuse_patch                                                                                          
RTL871X: pDM_Odm TxPowerTrackControl = 1                                                                                                 
RTL871X: pDM_Odm TxPowerTrackControl = 1                                                                                                 
RTL871X: rtl8188eu_hal_init in 1070ms                                                                                                    
RTL871X: wlan0Port-0  set opmode = 2                                                                                                     
RTL871X: MAC Address = c0:6d:1a:fb:79:9d                                                                                                 
RTL871X: -871x_drv - drv_open, bup=1                                                                                                     
ADDRCONF(NETDEV_UP): wlan0: link is not ready                                                                                            
RTL871X: [rtw_wx_set_pmkid] IW_PMKSA_FLUSH!                                                                                              
RTL871X: set_mode = IW_MODE_INFRA                                                                                                        
RTL871X: wlan0Port-0  set opmode = 2                                                                                                     
RTL871X: set bssid:00:00:00:00:00:00                                                                                                     
ioctl[SIOCSIWAP]: Operation not permitted                                                                                                
RTL871X: [rtw_wx_set_pmkid] IW_PMKSA_FLUSH!                                                                                              
udhcpc (v1.22.1) started                                                                                                                 
Sending discover...                                                                                                                      
RTL871X: SetHwReg8188E:(HW_VAR_CHECK_TXBUF)TXBUF Empty(1) in 0 ms                                                                        
RTL871X: survey done event(42) band:0 for wlan0                                                                                          
RTL871X: rtw_indicate_scan_done(wlan0)                                                                                                   
RTL871X: wpa_set_auth_algs, AUTH_ALG_OPEN_SYSTEM                                                                                         
RTL871X: set_mode = IW_MODE_INFRA                                                                                                        
RTL871X: wlan0Port-0  set opmode = 2                                                                                                     
RTL871X: 0x30 0x14 0x01 0x00 0x00 0x0f 0xac 0x04                                                                                         
RTL871X: 0x01 0x00 0x00 0x0f 0xac 0x04 0x01 0x00                                                                                         
RTL871X: 0x00 0x0f 0xac 0x02 0x00 0x00 0x42 0x42                                                                                         
RTL871X: SetHwReg8188E, 4840, RCR= 700060ca                                                                                              
RTL871X: rtw_wx_set_freq: set to channel 11                                                                                              
RTL871X: =>rtw_wx_set_essid                                                                                                              
RTL871X: ssid=197mohawk-iot, len=13                                                                                                      
RTL871X: set ssid [197mohawk-iot] fw_state=0x00000008                                                                                    
RTL871X: Set SSID under fw_state=0x00000008                                                                                              
RTL871X: [by_bssid:0][assoc_ssid:197mohawk-iot][to_roam:0] new candidate: 197mohawk-iot(f0:b4:29:d9:9e:98, ch1) rssi:-76                 
RTL871X: [by_bssid:0][assoc_ssid:197mohawk-iot][to_roam:0] new candidate: 197mohawk-iot(06:25:9c:13:d4:36, ch11) rssi:-42                
RTL871X: rtw_select_and_join_from_scanned_queue: candidate: 197mohawk-iot(06:25:9c:13:d4:36, ch:11)                                      
RTL871X: link to new AP                                                                                                                  
RTL871X: <=rtw_wx_set_essid, ret 0                                                                                                       
RTL871X: rtw_chk_start_clnt_join(wlan0) req: 11,0,0                                                                                      
RTL871X: rtw_chk_start_clnt_join(wlan0) union: 11,0,0                                                                                    
RTL871X: set bssid:06:25:9c:13:d4:36                                                                                                     
RTL871X: Set BSSID under fw_state=0x00000088                                                                                             
RTL871X: OnBeacon: beacon keys ready                                                                                                     
RTL871X: link to new AP                                                                                                                  
RTL871X: start auth                                                                                                                      
RTL871X: issue_auth                                                                                                                      
RTL871X: OnAuthClient                                                                                                                    
RTL871X: auth success, start assoc                                                                                                       
RTL871X: network.SupportedRates[0]=82                                                                                                    
RTL871X: network.SupportedRates[1]=84                                                                                                    
RTL871X: network.SupportedRates[2]=8B                                                                                                    
RTL871X: network.SupportedRates[3]=96                                                                                                    
RTL871X: network.SupportedRates[4]=2C                                                                                                    
RTL871X: network.SupportedRates[5]=0C                                                                                                    
RTL871X: network.SupportedRates[6]=12                                                                                                    
RTL871X: network.SupportedRates[7]=18                                                                                                    
RTL871X: network.SupportedRates[8]=24                                                                                                    
RTL871X: network.SupportedRates[9]=30                                                                                                    
RTL871X: network.SupportedRates[10]=48                                                                                                   
RTL871X: network.SupportedRates[11]=60                                                                                                   
RTL871X: network.SupportedRates[12]=6C                                                                                                   
RTL871X: issue_assocreq(): the rate[4]=2C is not supported by STA!                                                                       
RTL871X: bssrate_len = 12                                                                                                                
RTL871X: OnAssocRsp                                                                                                                      
RTL871X: report_join_res(5)                                                                                                              
RTL871X: rtw_joinbss_update_network                                                                                                      
RTL871X: rtw_alloc_macid(wlan0) if1, hwaddr:06:25:9c:13:d4:36 macid:0                                                                    
RTL871X: rtw_joinbss_update_stainfo                                                                                                      
RTL871X: supp_mcs_set = 00, 00, 00, rf_type=195, tx_ra_bitmap=0000000000000fff                                                           
RTL871X: ### Set STA_(0) info ###                                                                                                        
RTL871X: assoc success                                                                                                                   
RTL871X: recv eapol packet                                                                                                               
ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready                                                                                       
RTL871X: send eapol packet                                                                                                               
RTL871X: ODM_Get_Rate_Bitmap ==> rssi_level:0x01, WirelessMode:0x03, rate_bitmap:0x00000f00                                              
RTL871X: UpdateHalRAMask8188E => mac_id:0, rate_id:4, networkType:0x03, mask:0x00000fff                                                  
         ==> rssi_level:1, rate_bitmap:0x00000f00                                                                                        
RTL871X: HW_VAR_BASIC_RATE: 0x15f -> 0x15f -> 0x15f                                                                                      
RTL871X: WMM(0): 0, a446                                                                                                                 
RTL871X: WMM(1): 0, a496                                                                                                                 
RTL871X: WMM(2): 0, 5e4332                                                                                                               
RTL871X: WMM(3): 0, 2f3232                                                                                                               
RTL871X: wmm_para_seq(0): 0                                                                                                              
RTL871X: wmm_para_seq(1): 1                                                                                                              
RTL871X: wmm_para_seq(2): 2                                                                                                              
RTL871X: wmm_para_seq(3): 3                                                                                                              
RTL871X: HTOnAssocRsp                                                                                                                    
RTL871X: ODM_Get_Rate_Bitmap ==> rssi_level:0x01, WirelessMode:0x03, rate_bitmap:0x00000f00                                              
RTL871X: UpdateHalRAMask8188E => mac_id:0, rate_id:4, networkType:0x03, mask:0x00000fff                                                  
         ==> rssi_level:1, rate_bitmap:0x00000f00                                                                                        
RTL871X: ### MacID(31),Set Max Tx RPT MID(32)                                                                                            
RTL871X: SetHwReg8188E(wlan0): [HW_VAR_MACID_WAKEUP] macid=0, org reg_0x48c=0x00000000                                                   
RTL871X: rtl8188e_set_FwJoinBssReport_cmd mstatus(1)                                                                                     
RTL871X: rtw_hal_set_fw_rsvd_page PageSize: 128, RsvdPageNUm: 8                                                                          
RTL871X: LocPsPoll: 2                                                                                                                    
RTL871X: LocNullData: 3                                                                                                                  
RTL871X: LocQosNull: 4                                                                                                                   
RTL871X: rtw_hal_set_fw_rsvd_page PageNum(5), pktlen(578)                                                                                
RTL871X: rtw_hal_set_fw_rsvd_page: Set RSVD page location to Fw ,TotalPacketLen(578), TotalPageNum(5)                                    
RTL871X: RsvdPageLoc: ProbeRsp=0 PsPoll=2 Null=3 QoSNull=4 BTNull=0                                                                      
RTL871X: wlan0: 1 DL RSVD page success! DLBcnCount:1, poll:1                                                                             
RTL871X: Set RSVD page location to Fw.                                                                                                   
RTL871X: =>mlmeext_joinbss_event_callback - End to Connection without 4-way                                                              
RTL871X: phydm_rssi_report mac_id:0, mac:06:25:9c:13:d4:36, rssi:61                                                                      
RTL871X: phydm_rssi_report RAINFO - TP:UL, TxBF:DIS, STBC:DIS, Noisy:True, Firstcont:True                                                
RTL871X: recv eapol packet                                                                                                               
RTL871X: send eapol packet                                                                                                               
RTL871X: recv eapol packet                                                                                                               
RTL871X: send eapol packet                                                                                                               
RTL871X:  ~~~~set sta key:unicastkey                                                                                                     
RTL871X: set pairwise key camid:4, addr:06:25:9c:13:d4:36, kid:0, type:AES                                                               
RTL871X:  ~~~~set sta key:groupkey                                                                                                       
RTL871X: ==> rtw_set_key algorithm(4),keyid(2),key_mask(0)                                                                               
RTL871X: set group key camid:5, addr:06:25:9c:13:d4:36, kid:2, type:AES                                                                  
RTL871X: SetHwReg8188E, 4836, RCR= 700060ce                                                                                              
Sending discover...                                                                                                                      
Sending select for                                                                                                     
Lease of obtained, lease time 7200                                                                                        
deleting routers                                                                                                                         
route: SIOCDELRT: No such process                                                                                                        
adding dns                                                                                                                  
Starting ntpd...                                                                                                                         
Starting dropbear on port 22...                                                                                                          
Starting RTSP server...                                                                                                                  
Starting IR script...                                                                                                                    
channel 0 buffer count=2, size=3133440                                                                                                   
snx_vc snx_vc: snx_vc_open: Created instance c339a000, m2m_ctx: c3346800                                                                 
snx_vc snx_vc: snx_vidioc_s_parm: snx_vidioc_s_parm: OUTPUT fps == 30                                                                    
snx_vc snx_vc: snx_vidioc_s_parm: snx_vidioc_s_parm: CAPTURE fps == 30                                                                   
snx_vc snx_vc: s_fmt: Setting format for type 2, wxh: 1920x1080, fmt: 808596563                                                          
snx_vc snx_vc: s_fmt: Setting format for type 1, wxh: 1920x1080, fmt: 875967048                                                          
<<>> alloc size=6266880 reduce size=3133440                                                                               
sc2135 start streaming                                                                           






13 Responses to “The WyzeCam / Xiaomi Fang”

  1. db

    “build: remove armv5/6 support”

    suggests I won’t be trying VLC 🙁

  2. Robert Carey

    Can I call Dan “external impetus” now? How about “The Imp” for short?

    1. db

      Just don’t ask about his internal impetus.

  3. Julez

    Probably too soon but any word of an updated kernel hack to move this and the wyzcam away from being accessible to something else besides wyze online? Good little cam for $20.00 but hate the dependencies.

    1. db

      i compiled the kernel, it works generally but there is some issue w/ the video device driver. I parked it for now.

  4. Banar Bagas Darujati

    do you have datasheet of this camera?

    1. db

      i dunno there is a datasheet?

  5. Anonymous

    Like!! Great article post.Really thank you! Really Cool.

  6. Jayme Snyder

    I’m always following in your footsteps accidently.
    I flashed two successfully.
    One came with a surplus screw inside.
    Two are clicking in some sort of boot loop. I’m hooking up the FTDI now… the Dafang-Hacks website doesn’t show the right image or I would have been able to access the serial without disassembling the hard way.

  7. Jayme Snyder

    Also I was planning on brushing their brains with nail polish before I put it outside in the unforgiving Canadian weather… what do you think? Will my wife’s vanity supplies be the conformal coating to conform to the climate or will I vainly waste my brain cells optimizing for a problem that doesn’t exist.

    1. db

      uh, define outdoor.
      you mean in a garage looking out a window?
      or you mean bolted to a tree?

      its not very waterproof.

      1. Jayme Snyder

        I was going to put one under the soffit on my shed, in an “outdoor enclosure” which is basically something I could have 3d printed myself had I had a 3d printer.
        Mine are actually wyze cam v2’s. I solved my boot loop issue by switching to a different project. Seems Dafang Hack’s cfw file doesn’t work on 2/4 cameras that appear identical and were ordered at the same time… but openmiko seems work quite fine… and can be tftp booted or run a usb ethernet

        1. Jayme Snyder

          Almost all exposed solder is now topped with clear and all the connectors now have a thin film of Permatex dielectric grease. I don’t think it will waterproof the camera but I am hoping that when it dies, it will die because the sensor died and not oxidization brought on by temperature cycles. I want to stretch that $20 – for science. I’ll pretend my time is free.

Leave a Reply

Your email address will not be published. Required fields are marked *