commit 903600d1446a593a6c1fd72dc9788a85d7b6bfe6 Author: fritz-smh Date: Wed Mar 9 22:20:10 2016 +0100 first commit diff --git a/README.md b/README.md new file mode 100644 index 0000000..b92580a --- /dev/null +++ b/README.md @@ -0,0 +1,173 @@ +=============== +Yi-hack project +=============== + +Todo +==== + +* web server : add a link to the various rtsp feeds + +Purpose +======= + +This project is a collection of scripts and binaries file to hack your Xiaomi Yi Ants camera. + +This camera has the default following features : +* wifi +* night vision +* motion detection : a video file is generated if a motion have been detected in the last 60 seconds. +* send video data over the network on Chinese servers in the cloud to allow people to view camera data from their smartphone wherever they are. +* setup thanks to a smartphone application. +* local video storage on a SD card +* no RTSP server in the last firmwares + +This hack includes : +* ntpclient (set date and time over internet) +* Base firmware is : M release. +* no more cloud feature (nothing goes out of your local network) +* no more need to use a smartphone application +* RTSP server activated +* Telnet server activated +* HTTP server activated +* FTP server activated +* No more (chinese) voices on startup + +Installation on the Yi camera +============================= + +The memory card must stay in the camera ! If you remove it, the camera will start without using the hack. + +Prepare the memory card +----------------------- + +Clone this repository on a computer : + + git clone http://github.com/fritz-smh/yi-hack.git + +Then, format a micro SD card in fat32 (vfat) format and copy the content of the **yi-hack/sd/** folder at the root of your memory card. + +The memory card will so contain : + +* home : the official firmware file compliant with this hack +* test : the folder which contains the hack scripts and binaries +* record : this folder will only be created when some video records will be added on the memory card by the camera +* record_sub : this folder will only be created when some video records will be added on the memory card by the camera + +Configure the Yi camera on the memory card +------------------------------------------ + +You will need to set a static IP adresse to the camera. To check for the available IPs on your network, you can use the **Fing** application to scan the network on your Android smartphone. + +To configure the wifi network to use, edit the file **test/wpa_supplicant.conf**. + +To configure your IP address, open the file **test/yi-hack.cfg** and set the values. + +Start the camera +---------------- + +* If plugged, unplug the Yi camera +* Insert the memory card in the Yi camera +* Plug the Yi camera + +The camera will start. The led will indicate the current status : +* orange : camera startup +* blue blinking : network configuration in progress (connec to wifi, set up the IP address) +* blue : network configuration is OK. Camera is ready to use. + +You can test is your camera is up and running this hack with your browser on url **http://ip/**. You should see this page : + +**TODO : picture ** + +Warning : changes done on the original camera filesystem +-------------------------------------------------------- + +One change is needed on the camera filesystem which will not be reverted by removing the memory card : the file **/home/timeout.g726** is renamed to **/home/timeout.g726.OFF**. + +This is done because a process (rmm) tries to connect to the cloud process without success (as it is not started) and raise the play of a chinese voice timeout file. If this file would not be renamed, you would be bothered with this message. + + +Use the camera +============== + +Domogik +------- + +You can easily use the Yi camera with the Domogik (http://www.domogik.org) home automation solution. You just need to install the **domogik-plugin-yi** package. + +Access the video stream over RTSP +--------------------------------- + +RTSP server is on port 554. + +You can access the video over RTSP on 3 urls : +* High definition video and audio (h264) : http://ip:554/ch0_0.h264 +* Low definition video and audio (h264) : http://ip:554/ch0_1.h264 +* Audio (h264) : http://ip:554/ch0_3.h264 +* TODO : the other one + +There is no login and password and currently no way to set it. + +Access the history of motion detection +-------------------------------------- + +Each time a motion is detected, the camera will generate a video file (60s max). This file is stored on the memory card and can be accessed over : +* http server +* ftp server + +The simplest way is to browse the file from the http server. + +To know if a motion have been detected in the last minute, you can check the url http://ip/motion (GET). It can give : +* when no motion is detected : an empty content +* when motion is detected : a file path to the video file from the root of the http server + +Telnet server +------------- + +The telnet server is on port 23. + +Default login/password : +* login = root +* password = 1234qwer + +Ftp server +---------- + +The ftp server is on port 21. + +Default login/password : +* login = root +* password = 1234qwer + + +How it works ? +============== + +Hack content +------------ + +``` +home Official firmware +test/ Yi hack folder + yi-hack.cfg Yi hack configuration file + equip_test.sh This script is called on camera startup and will launch all the needed processes + check_motion.sh This script will check each minute if a motion video has been recorded and fill the **motion** file of the http server + rtspsrvK|L|M The various RTSP server binary releases (the final letter is corresponding to the firmware) + http/ HTTP server folder + index.html HTTP server home page + record/ Mount point to access video records + server HTTP server binary + wpa_supplicant.conf Configuration file for wifi + log.txt Log file of the hack (filled by equip_test.sh) +```` + +**TODO** : add network configuration file + +equip_test.sh +------------- + +**TODO** + +check_motion.sh +--------------- + +**TODO** diff --git a/sd/home b/sd/home new file mode 100644 index 0000000..1d8eff8 Binary files /dev/null and b/sd/home differ diff --git a/sd/test/check_motion.sh b/sd/test/check_motion.sh new file mode 100644 index 0000000..24ba5ab --- /dev/null +++ b/sd/test/check_motion.sh @@ -0,0 +1,12 @@ +#!/bin/sh +# each minute, check for a new video file (which is created in case of motion detection) +# and if found, create the appropriate file for the http server + +cd /home/hd1/record/ +while [ 1 -eq 1 ] + do + motion_file=$(find . -type f -name "*.mp4" -mmin -1 | tail -1) + echo "M="$motion_file + echo $motion_file | sed "s/.\//record\//" > /home/hd1/test/http/motion + sleep 30 +done diff --git a/sd/test/equip_test.sh b/sd/test/equip_test.sh new file mode 100644 index 0000000..7b79909 --- /dev/null +++ b/sd/test/equip_test.sh @@ -0,0 +1,308 @@ +#!/bin/sh +###################################################### +# Xiaomi Yi hack +###################################################### +# +# Features +# ======== +# +# * no more cloud ! +# * network configuration done in this file. No more need to use a Xiaomi app on a smartphone! +# * http server : port 80 +# * telnet server : port 23 +# * ftp server : port 21 +# * rtsp server : port 554 +# rtsp://192.168.1.121:554/ch0_0.h264 : replace with your ip +# rtsp://192.168.1.121:554/ch0_1.h264 : replace with your ip +# +# How it works +# ============ +# +# See http://github.com/fritz-smh/yi-hack/ +# +# TODO +# ==== +# +# * strem audio from network to camera ==> svoxpico ? +# * create a watchdog script + + +led() { + # example usage : + # led -boff -yon + # options : + # -bfast + # -bon + # -boff + # -yfast + # -yon + # -yoff + + # first, kill current led_ctl process + kill $(ps | grep led_ctl | grep -v grep | awk '{print $1}') + # then process + /home/led_ctl $@ & + +} + +LOG_FILE=/home/hd1/test/log.txt + +log_init() { + # clean the previous log file and add a starting line + echo "Starting to log..." > /home/hd1/test/log.txt +} + +log() { + # do_logging + echo "$@" >> /home/hd1/test/log.txt + sync +} + +get_config() { + key=$1 + grep $1 /home/hd1/test/yi-hack.cfg | cut -d"=" -f2 +} + + + +### first we assume that this script is started from /home/init.sh and will replace it from the below lines (which are not commented in init.sh : + +#if [ -f "/home/hd1/test/equip_test.sh" ]; then +# /home/hd1/test/equip_test.sh +# exit +#fi + +###################################################### +# start of our custom script !!!!!! +###################################################### + +### Get FIRMWARE version +FIRMWARE_VERSION=$(sed -n 's/version=1.8.5.1\(.\)_.*/\1/p' /home/version) + +### configure timezone +# paris winter +echo "GMT-1" > /etc/TZ + +### get time is done after wifi configuration! + + + + +### first, let's do as the orignal script does.... + +export LD_LIBRARY_PATH=/home/libusr:$LD_LIBRARY_PATH +mv /home/default.script /usr/share/udhcpc -f + +rm /etc/resolv.conf +ln -s /tmp/resolv.conf /etc/resolv.conf + +### TODO : comment this? +/home/log_server & + + +# some things from the original script... +cd /home +mount |grep "/tmp" +/home/productioninfoget.sh +insmod cpld_periph.ko + +cd /home/3518 +./load3518_audio -i + +# added : +himm 0x20050074 0x06802424 + +### start blinking blue led for configuration in progress +#/home/led_ctl -boff -yon & +led -yoff -bfast + + +insmod /home/mtprealloc7601Usta.ko +insmod /home/mt7601Usta.ko + +ifconfig ra0 up + +### INFORMATION : the 'clic' 'clic' is done after this line + + +sysctl -w fs.mqueue.msg_max=256 +mkdir /dev/mqueue +mount -t mqueue none /dev/mqueue + +#insmod /home/cpld_wdg.ko +#insmod /home/cpld_periph.ko +#insmod /home/iap_auth.ko +/home/gethwplatform + +#now begin app +sysctl -w net.ipv4.tcp_mem='3072 4096 2000000' +sysctl -w net.core.wmem_max='2000000' +sysctl -w net.ipv4.tcp_keepalive_time=300 net.ipv4.tcp_keepalive_intvl=6 net.ipv4.tcp_keepalive_probes=3 + +insmod /home/as-iosched.ko +echo "anticipatory" > /sys/block/mmcblk0/queue/scheduler +echo "1024" > /sys/block/mmcblk0/queue/read_ahead_kb + +### The followinf unmount+mount of hd1 allows a rw mount (on startup, it is ro mounted) + +umount /home/hd1 +umount /home/hd2 +mount -t vfat /dev/hd1 /home/hd1 +mkdir /home/hd1/record +mkdir /home/hd1/record_sub +mount -t vfat /dev/hd2 /home/hd2 +mkdir /home/hd2/record_sub +rm /home/web/sd/* -rf + + +cd /home/3518 +./load3518_left -i +/home/detect_ver +himm 0x20050074 0x06802424 + +### what is this ? +cd /home +./peripheral & +./dispatch & +./exnet & +#./mysystem & + +count=5 + +while [ $count -gt 0 ] +do +if [ -f "/tmp/init_finish" ]; then + break +else + count=`expr $count - 1` + echo "wait init" $count + sleep 1 +fi +done + + +### INFORMATION : the 'clic' 'clic' is done before this line + +### we copy our wpa_supplicant file in /home +cp /home/hd1/test/wpa_supplicant.conf /home/wpa_supplicant.conf + + +### Init logs +log_init +log "The blue led is currently blinking" +log "Firmware version letter = $FIRMWARE_VERSION" + +# first, configure wifi + +log "Check for wifi configuration file...*" +log $(find /home -name "wpa_supplicant.conf") + +log "Start wifi configuration..." +log $(/home/wpa_supplicant -B -i ra0 -c /home/wpa_supplicant.conf ) +log "Status=$?" + +log "Do network configuration 1/2 (ip and gateway)" +#ifconfig ra0 192.168.1.121 netmask 255.255.255.0 +#route add default gw 192.168.1.254 +ifconfig ra0 $(get_config IP) netmask $(get_config NETMASK) +route add default gw $(get_config GATEWAY) +log "Done" + +log "Configuration is :" +log $(ifconfig) + +### configure DNS (google one) +log "Do network configuration 2/2 (DNS)" +echo "nameserver 8.8.8.8" > /etc/resolv.conf +log "Done" + +### configure time on a NTP server +log "Get time from a NTP server..." +log "Previous datetime is $(date)" +ntpd -q -p 0.uk.pool.ntp.org +log "Done" +log "New datetime is $(date)" + +### set the root password +root_pwd=$(get_config ROOT_PASSWORD) +[ $? -eq 0 ] && echo "root:$root_pwd" | chpasswd + +### start blue led for configuration finished +log "Start blue led on" +led -yoff -bon + + +### Rename the timeout sound file to avoid being spammed with chinese audio stuff... +[ -f /home/timeout.g726 ] && mv /home/timeout.g726 /home/timeout.g726.OFF + +### Rmm stuff +# without this, most things does not work (http server, rtsp) +# It starts to use the cloud (which is no more launched) so you will find timeout in the logs +cd /home +./rmm & + + +sync + +### Launch web server + +cd /home/hd1/test/http/ +mkdir /home/hd1/test/http/record/ +mount -o bind /home/hd1/record/ /home/hd1/test/http/record/ +touch /home/hd1/test/http/motion +log "Start http server..." +./server 80 & +log "Done" + +sync + + + +### Launch record event +cd /home +./record_event & +./mp4record 60 & + +### Launch script to check for motion the last minute +/home/hd1/test/check_motion.sh & + +### Rtsp server +cd /home/hd1/test/ +./rtspsvrM & + +sleep 5 + +### Some configuration + +himm 0x20050068 0x327c2c +#himm 0x20050068 0x0032562c +himm 0x20050074 0x06802424 +himm 0x20050078 0x18ffc001 +#himm 0x20050078 0x1effc001 +himm 0x20110168 0x10601 +himm 0x20110188 0x10601 +himm 0x20110184 0x03ff2 +himm 0x20030034 0x43 +himm 0x200300d0 0x1 +himm 0x2003007c 0x1 +himm 0x20030040 0x102 +himm 0x20030040 0x202 +himm 0x20030040 0x302 +himm 0x20030048 0x102 +himm 0x20030048 0x202 +himm 0x20030048 0x302 + + +rm /home/hd1/FSCK* + +### Final led color + +#led $(get_config LED_WHEN_READY) + +### to make sure log are written... + +sync + + + + diff --git a/sd/test/http/index.html b/sd/test/http/index.html new file mode 100644 index 0000000..8e57f70 --- /dev/null +++ b/sd/test/http/index.html @@ -0,0 +1,32 @@ + + + + Yi hack + + +

Yi HTTP Server

+

This Yi is powered by a custom firmware. See https://github.com/fritz-smh/yi-hack for more informations.

+

RTSP stream channels

+

This camera IP is

+ +

API

+ +

Record files

+ + + + diff --git a/sd/test/http/motion b/sd/test/http/motion new file mode 100644 index 0000000..8b13789 --- /dev/null +++ b/sd/test/http/motion @@ -0,0 +1 @@ + diff --git a/sd/test/http/server b/sd/test/http/server new file mode 100644 index 0000000..71d4ab5 Binary files /dev/null and b/sd/test/http/server differ diff --git a/sd/test/rtspsvrI b/sd/test/rtspsvrI new file mode 100644 index 0000000..20dcdd1 Binary files /dev/null and b/sd/test/rtspsvrI differ diff --git a/sd/test/rtspsvrK b/sd/test/rtspsvrK new file mode 100644 index 0000000..04dbaa0 Binary files /dev/null and b/sd/test/rtspsvrK differ diff --git a/sd/test/rtspsvrM b/sd/test/rtspsvrM new file mode 100644 index 0000000..2fc406e Binary files /dev/null and b/sd/test/rtspsvrM differ diff --git a/sd/test/wpa_supplicant.conf b/sd/test/wpa_supplicant.conf new file mode 100644 index 0000000..7db8461 --- /dev/null +++ b/sd/test/wpa_supplicant.conf @@ -0,0 +1,11 @@ +ctrl_interface=/var/run/wpa_supplicant +ap_scan=1 +network={ +ssid="your_wifi_ssid" +scan_ssid=1 +proto=WPA RSN +key_mgmt=WPA-PSK +pairwise=CCMP TKIP +group=CCMP TKIP +psk="your_password" +} diff --git a/sd/test/yi-hack.cfg b/sd/test/yi-hack.cfg new file mode 100644 index 0000000..27c1aec --- /dev/null +++ b/sd/test/yi-hack.cfg @@ -0,0 +1,24 @@ +### Set the root password +ROOT_PASSWORD=1234qwer + +### Network configuration +# Don't forget to also fill the file wpa_supplicant.conf for the wifi configuration +IP=192.168.1.121 +NETMASK=255.255.255.0 +GATEWAY=192.168.1.254 + +### Led color after full boot +# The sequence will be : +# - orange : startup +# - blue blinking : configuration +# - blue : configuration finished, camera ready +# - ??? : color set a few seconds after the camera is ready + +# values : +# -bfast : blue blinking +# -bon : blue on +# -boff : blue off +# -yfast : yellow blinking +# -yon : yellow on +# -yoff : yellow off +LED_WHEN_READY=-boff -yon