flywithu/yi-hack
1
0
Fork 0
mirror of https://github.com/fritz-smh/yi-hack synced 2025-06-07 16:06:11 +00:00
Code Issues Releases Wiki Activity

first commit

Browse Source
This commit is contained in:
fritz-smh 2016-03-09 22:20:10 +01:00
commit 903600d144
12 changed files with 561 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

173
README.md Normal file
View File

@ -0,0 +1,173 @@
===============
Yi-hack project
===============
Todo
====
* web server : add a link to the various rtsp feeds
Purpose
=======
This project is a collection of scripts and binaries file to hack your Xiaomi Yi Ants camera.
This camera has the default following features :
* wifi
* night vision
* motion detection : a video file is generated if a motion have been detected in the last 60 seconds.
* send video data over the network on Chinese servers in the cloud to allow people to view camera data from their smartphone wherever they are.
* setup thanks to a smartphone application.
* local video storage on a SD card
* no RTSP server in the last firmwares
This hack includes :
* ntpclient (set date and time over internet)
* Base firmware is : M release.
* no more cloud feature (nothing goes out of your local network)
* no more need to use a smartphone application
* RTSP server activated
* Telnet server activated
* HTTP server activated
* FTP server activated
* No more (chinese) voices on startup
Installation on the Yi camera
=============================
The memory card must stay in the camera ! If you remove it, the camera will start without using the hack.
Prepare the memory card
-----------------------
Clone this repository on a computer :
git clone http://github.com/fritz-smh/yi-hack.git
Then, format a micro SD card in fat32 (vfat) format and copy the content of the **yi-hack/sd/** folder at the root of your memory card.
The memory card will so contain :
* home : the official firmware file compliant with this hack
* test : the folder which contains the hack scripts and binaries
* record : this folder will only be created when some video records will be added on the memory card by the camera
* record_sub : this folder will only be created when some video records will be added on the memory card by the camera
Configure the Yi camera on the memory card
------------------------------------------
You will need to set a static IP adresse to the camera. To check for the available IPs on your network, you can use the **Fing** application to scan the network on your Android smartphone.
To configure the wifi network to use, edit the file **test/wpa_supplicant.conf**.
To configure your IP address, open the file **test/yi-hack.cfg** and set the values.
Start the camera
----------------
* If plugged, unplug the Yi camera
* Insert the memory card in the Yi camera
* Plug the Yi camera
The camera will start. The led will indicate the current status :
* orange : camera startup
* blue blinking : network configuration in progress (connec to wifi, set up the IP address)
* blue : network configuration is OK. Camera is ready to use.
You can test is your camera is up and running this hack with your browser on url **http://ip/**. You should see this page :
**TODO : picture **
Warning : changes done on the original camera filesystem
--------------------------------------------------------
One change is needed on the camera filesystem which will not be reverted by removing the memory card : the file **/home/timeout.g726** is renamed to **/home/timeout.g726.OFF**.
This is done because a process (rmm) tries to connect to the cloud process without success (as it is not started) and raise the play of a chinese voice timeout file. If this file would not be renamed, you would be bothered with this message.
Use the camera
==============
Domogik
-------
You can easily use the Yi camera with the Domogik (http://www.domogik.org) home automation solution. You just need to install the **domogik-plugin-yi** package.
Access the video stream over RTSP
---------------------------------
RTSP server is on port 554.
You can access the video over RTSP on 3 urls :
* High definition video and audio (h264) : http://ip:554/ch0_0.h264
* Low definition video and audio (h264) : http://ip:554/ch0_1.h264
* Audio (h264) : http://ip:554/ch0_3.h264
* TODO : the other one
There is no login and password and currently no way to set it.
Access the history of motion detection
--------------------------------------
Each time a motion is detected, the camera will generate a video file (60s max). This file is stored on the memory card and can be accessed over :
* http server
* ftp server
The simplest way is to browse the file from the http server.
To know if a motion have been detected in the last minute, you can check the url http://ip/motion (GET). It can give :
* when no motion is detected : an empty content
* when motion is detected : a file path to the video file from the root of the http server
Telnet server
-------------
The telnet server is on port 23.
Default login/password :
* login = root
* password = 1234qwer
Ftp server
----------
The ftp server is on port 21.
Default login/password :
* login = root
* password = 1234qwer
How it works ?
==============
Hack content
------------
```
home Official firmware
test/ Yi hack folder
yi-hack.cfg Yi hack configuration file
equip_test.sh This script is called on camera startup and will launch all the needed processes
check_motion.sh This script will check each minute if a motion video has been recorded and fill the **motion** file of the http server
rtspsrvK|L|M The various RTSP server binary releases (the final letter is corresponding to the firmware)
http/ HTTP server folder
index.html HTTP server home page
record/ Mount point to access video records
server HTTP server binary
wpa_supplicant.conf Configuration file for wifi
log.txt Log file of the hack (filled by equip_test.sh)
````
**TODO** : add network configuration file
equip_test.sh
-------------
**TODO**
check_motion.sh
---------------
**TODO**

BIN
sd/home Normal file
View File

Binary file not shown.

12
sd/test/check_motion.sh Normal file
View File

@ -0,0 +1,12 @@
#!/bin/sh
# each minute, check for a new video file (which is created in case of motion detection)
# and if found, create the appropriate file for the http server
cd /home/hd1/record/
while [ 1 -eq 1 ]
do
motion_file=$(find . -type f -name "*.mp4" -mmin -1 | tail -1)
echo "M="$motion_file
echo $motion_file | sed "s/.\//record\//" > /home/hd1/test/http/motion
sleep 30
done

308
sd/test/equip_test.sh Normal file
View File

@ -0,0 +1,308 @@
#!/bin/sh
######################################################
# Xiaomi Yi hack
######################################################
#
# Features
# ========
#
# * no more cloud !
# * network configuration done in this file. No more need to use a Xiaomi app on a smartphone!
# * http server : port 80
# * telnet server : port 23
# * ftp server : port 21
# * rtsp server : port 554
# rtsp://192.168.1.121:554/ch0_0.h264 : replace with your ip
# rtsp://192.168.1.121:554/ch0_1.h264 : replace with your ip
#
# How it works
# ============
#
# See http://github.com/fritz-smh/yi-hack/
#
# TODO
# ====
#
# * strem audio from network to camera ==> svoxpico ?
# * create a watchdog script
led() {
# example usage :
# led -boff -yon
# options :
# -bfast
# -bon
# -boff
# -yfast
# -yon
# -yoff
# first, kill current led_ctl process
kill $(ps | grep led_ctl | grep -v grep | awk '{print $1}')
# then process
/home/led_ctl $@ &
}
LOG_FILE=/home/hd1/test/log.txt
log_init() {
# clean the previous log file and add a starting line
echo "Starting to log..." > /home/hd1/test/log.txt
}
log() {
# do_logging
echo "$@" >> /home/hd1/test/log.txt
sync
}
get_config() {
key=$1
grep $1 /home/hd1/test/yi-hack.cfg | cut -d"=" -f2
}
### first we assume that this script is started from /home/init.sh and will replace it from the below lines (which are not commented in init.sh :
#if [ -f "/home/hd1/test/equip_test.sh" ]; then
# /home/hd1/test/equip_test.sh
# exit
#fi
######################################################
# start of our custom script !!!!!!
######################################################
### Get FIRMWARE version
FIRMWARE_VERSION=$(sed -n 's/version=1.8.5.1\(.\)_.*/\1/p' /home/version)
### configure timezone
# paris winter
echo "GMT-1" > /etc/TZ
### get time is done after wifi configuration!
### first, let's do as the orignal script does....
export LD_LIBRARY_PATH=/home/libusr:$LD_LIBRARY_PATH
mv /home/default.script /usr/share/udhcpc -f
rm /etc/resolv.conf
ln -s /tmp/resolv.conf /etc/resolv.conf
### TODO : comment this?
/home/log_server &
# some things from the original script...
cd /home
mount |grep "/tmp"
/home/productioninfoget.sh
insmod cpld_periph.ko
cd /home/3518
./load3518_audio -i
# added :
himm 0x20050074 0x06802424
### start blinking blue led for configuration in progress
#/home/led_ctl -boff -yon &
led -yoff -bfast
insmod /home/mtprealloc7601Usta.ko
insmod /home/mt7601Usta.ko
ifconfig ra0 up
### INFORMATION : the 'clic' 'clic' is done after this line
sysctl -w fs.mqueue.msg_max=256
mkdir /dev/mqueue
mount -t mqueue none /dev/mqueue
#insmod /home/cpld_wdg.ko
#insmod /home/cpld_periph.ko
#insmod /home/iap_auth.ko
/home/gethwplatform
#now begin app
sysctl -w net.ipv4.tcp_mem='3072 4096 2000000'
sysctl -w net.core.wmem_max='2000000'
sysctl -w net.ipv4.tcp_keepalive_time=300 net.ipv4.tcp_keepalive_intvl=6 net.ipv4.tcp_keepalive_probes=3
insmod /home/as-iosched.ko
echo "anticipatory" > /sys/block/mmcblk0/queue/scheduler
echo "1024" > /sys/block/mmcblk0/queue/read_ahead_kb
### The followinf unmount+mount of hd1 allows a rw mount (on startup, it is ro mounted)
umount /home/hd1
umount /home/hd2
mount -t vfat /dev/hd1 /home/hd1
mkdir /home/hd1/record
mkdir /home/hd1/record_sub
mount -t vfat /dev/hd2 /home/hd2
mkdir /home/hd2/record_sub
rm /home/web/sd/* -rf
cd /home/3518
./load3518_left -i
/home/detect_ver
himm 0x20050074 0x06802424
### what is this ?
cd /home
./peripheral &
./dispatch &
./exnet &
#./mysystem &
count=5
while [ $count -gt 0 ]
do
if [ -f "/tmp/init_finish" ]; then
break
else
count=`expr $count - 1`
echo "wait init" $count
sleep 1
fi
done
### INFORMATION : the 'clic' 'clic' is done before this line
### we copy our wpa_supplicant file in /home
cp /home/hd1/test/wpa_supplicant.conf /home/wpa_supplicant.conf
### Init logs
log_init
log "The blue led is currently blinking"
log "Firmware version letter = $FIRMWARE_VERSION"
# first, configure wifi
log "Check for wifi configuration file...*"
log $(find /home -name "wpa_supplicant.conf")
log "Start wifi configuration..."
log $(/home/wpa_supplicant -B -i ra0 -c /home/wpa_supplicant.conf )
log "Status=$?"
log "Do network configuration 1/2 (ip and gateway)"
#ifconfig ra0 192.168.1.121 netmask 255.255.255.0
#route add default gw 192.168.1.254
ifconfig ra0 $(get_config IP) netmask $(get_config NETMASK)
route add default gw $(get_config GATEWAY)
log "Done"
log "Configuration is :"
log $(ifconfig)
### configure DNS (google one)
log "Do network configuration 2/2 (DNS)"
echo "nameserver 8.8.8.8" > /etc/resolv.conf
log "Done"
### configure time on a NTP server
log "Get time from a NTP server..."
log "Previous datetime is $(date)"
ntpd -q -p 0.uk.pool.ntp.org
log "Done"
log "New datetime is $(date)"
### set the root password
root_pwd=$(get_config ROOT_PASSWORD)
[ $? -eq 0 ] && echo "root:$root_pwd" | chpasswd
### start blue led for configuration finished
log "Start blue led on"
led -yoff -bon
### Rename the timeout sound file to avoid being spammed with chinese audio stuff...
[ -f /home/timeout.g726 ] && mv /home/timeout.g726 /home/timeout.g726.OFF
### Rmm stuff
# without this, most things does not work (http server, rtsp)
# It starts to use the cloud (which is no more launched) so you will find timeout in the logs
cd /home
./rmm &
sync
### Launch web server
cd /home/hd1/test/http/
mkdir /home/hd1/test/http/record/
mount -o bind /home/hd1/record/ /home/hd1/test/http/record/
touch /home/hd1/test/http/motion
log "Start http server..."
./server 80 &
log "Done"
sync
### Launch record event
cd /home
./record_event &
./mp4record 60 &
### Launch script to check for motion the last minute
/home/hd1/test/check_motion.sh &
### Rtsp server
cd /home/hd1/test/
./rtspsvrM &
sleep 5
### Some configuration
himm 0x20050068 0x327c2c
#himm 0x20050068 0x0032562c
himm 0x20050074 0x06802424
himm 0x20050078 0x18ffc001
#himm 0x20050078 0x1effc001
himm 0x20110168 0x10601
himm 0x20110188 0x10601
himm 0x20110184 0x03ff2
himm 0x20030034 0x43
himm 0x200300d0 0x1
himm 0x2003007c 0x1
himm 0x20030040 0x102
himm 0x20030040 0x202
himm 0x20030040 0x302
himm 0x20030048 0x102
himm 0x20030048 0x202
himm 0x20030048 0x302
rm /home/hd1/FSCK*
### Final led color
#led $(get_config LED_WHEN_READY)
### to make sure log are written...
sync

32
sd/test/http/index.html Normal file
View File

@ -0,0 +1,32 @@
<!DOCTYPE html>
<html>
<head>
<title>Yi hack</title>
</head>
<body>
<h1>Yi HTTP Server</h1>
<p>This Yi is powered by a custom firmware. See <a href="https://github.com/fritz-smh/yi-hack">https://github.com/fritz-smh/yi-hack</a> for more informations</a>.</p>
<h2>RTSP stream channels</h2>
<p>This camera IP is <span id="ip"></span></p>
<ul>
<li><a id="ch0_0" href="">High definition video stream</a></li>
<li><a id="ch0_1" href="">Low definition video stream</a></li>
<li><a id="ch0_3" href="">Audio stream</a></li>
</ul>
<h2>API</h2>
<ul>
<li><strong><a href="/motion">GET /motion</a></strong> : if a motion has been detected in the last minute, display the filename. Else, display nothing. Example of filename : <em>record/2016Y03M08D22H/20M00S.mp4</em></li>
</ul>
<h2>Record files</h2>
<ul>
<li><a href="/record/">Click here to access the record files.</a></li>
</ul>
<script type="text/javascript">
var ip = location.host;
document.getElementById("ip").textContent=ip;
document.getElementById("ch0_0").href="rtsp://"+ip+":554/ch0_0.h264";
document.getElementById("ch0_1").href="rtsp://"+ip+":554/ch0_1.h264";
document.getElementById("ch0_3").href="rtsp://"+ip+":554/ch0_3.h264";
</script>
</body>
</html>

1
sd/test/http/motion Normal file
View File

@ -0,0 +1 @@

BIN
sd/test/http/server Normal file
View File

Binary file not shown.

BIN
sd/test/rtspsvrI Normal file
View File

Binary file not shown.

BIN
sd/test/rtspsvrK Normal file
View File

Binary file not shown.

BIN
sd/test/rtspsvrM Normal file
View File

Binary file not shown.

11
sd/test/wpa_supplicant.conf Normal file
View File

@ -0,0 +1,11 @@
ctrl_interface=/var/run/wpa_supplicant
ap_scan=1
network={
ssid="your_wifi_ssid"
scan_ssid=1
proto=WPA RSN
key_mgmt=WPA-PSK
pairwise=CCMP TKIP
group=CCMP TKIP
psk="your_password"
}

24
sd/test/yi-hack.cfg Normal file
View File

@ -0,0 +1,24 @@
### Set the root password
ROOT_PASSWORD=1234qwer
### Network configuration
# Don't forget to also fill the file wpa_supplicant.conf for the wifi configuration
IP=192.168.1.121
NETMASK=255.255.255.0
GATEWAY=192.168.1.254
### Led color after full boot
# The sequence will be :
# - orange : startup
# - blue blinking : configuration
# - blue : configuration finished, camera ready
# - ??? : color set a few seconds after the camera is ready
# values :
# -bfast : blue blinking
# -bon : blue on
# -boff : blue off
# -yfast : yellow blinking
# -yon : yellow on
# -yoff : yellow off
LED_WHEN_READY=-boff -yon