Mijia-720P-hack project
WARNING - DISCLAIMER
Many files on the Mijia 720P are writable. Be very careful when you modify files on it, you might brick it forever.
Purpose
This project is a collection of scripts and binaries file to hack your Xiaomi Mijia 720P camera.
This camera has the default following features:
- Wifi
- Night vision
- Motion detection: a video file is generated if a motion have been detected in the last 60 seconds.
- Send video data over the network on Chinese servers in the cloud to allow people to view camera data from their smartphone wherever they are.
- Setup thanks to a smartphone application.
- Local video storage on a SD card
- No RTSP server
This hack includes:
- No more cloud feature (nothing goes out of your local network)
- No more need to use a smartphone application
- Telnet server - Disabled by default.
- Web server with PHP support - Enabled by default.
- RTSP server - Disabled by default.
- SSH server - Disabled by default.
- FTP server - Disabled by default.
- Samba Server - Disabled by default.
- Syslog to memory card - Disabled by default.
- Configure Timezone and use ntpclient to set date and time over Internet
Planed futures:
- Configuration over web server
- Motor control
- Replace Chinese voice files with English
Installation on the Mijia 720P camera
The memory card must stay in the camera ! If you remove it, the camera will start without using the hack.
Build the binaries
To build the binaries the GM8136 SDK toolchain must be installed in /usr/src/arm-linux-3.3/toolchain_gnueabi-4.4.0_ARMv5TE
Clone this repository on a computer:
git clone https://github.com/ghoost82/mijia-720p-hack.git
Then change into the cloned directory, build the binaries and install them to the sdcard base directory
cd mijia-720p-hack
make
make install
Prepare the memory card
You can use the self compiled image from the cloned repository or download a precompiled release.
Then, format a micro SD card in fat32 (vfat) format and copy the content of the mijia-720p-hack/sdcard/ folder at the root of your memory card.
The memory card will so contain:
- ft: folder which contains the hack entry point
- ft_config.ini and manufacture.bin: files needed to enable the hack
- mijia-720p-hack: the folder which contains the hack scripts and binaries
- mijia-720p-hack.cfg: configuration file to configure the hack
- log: this folder will contains some log files from the hack and if enabled the system logs
- MIJIA_RECORD_VIDEO: this folder will only be created when some video records will be added on the memory card by the camera
Configure the Mijia camera on the memory card
To configure the wifi network to use, edit the file mijia-720p-hack.cfg.
To configure the services which should run on the camera, open the file mijia-720p-hack.cfg and set the values.
Start the camera
- If plugged, unplug the Mijia camera
- Insert the memory card in the Mijia camera
- Plug the Mijia camera
The camera will start. The led will indicate the current status:
- yellow: camera startup
- blue blinking: network configuration in progress (connec to wifi, set up the IP address)
- blue: network configuration is OK. Camera is ready to use.
You can test is your camera is up and running this hack with your browser on url http://your-camera-ip/.
Use the camera
Telnet server
If enabled the telnet server is on port 23.
Default login/password:
- login = root
- password = 1234qwer (unless you specified another password in mijia-720p-hack.cfg.cfg file)
SSH server
If enabled the SSH server is on port 22.
Default login/password:
- login = root
- password = 1234qwer (unless you specified another password in mijia-720p-hack.cfg.cfg file)
RTSP Server
If enabled the RTSP server is on port 554.
You can connect to live video stream (currently only supports 720p) on:
rtsp://your-camera-ip/live/ch00_0
For stability reasons it is recommend to disable cloud services while using RTSP.
FTP server
If enabled the FTP server is on port 21.
There is no login/password required.
Samba
If enabled the MIJIA_RECORD_VIDEO directory can be accessed via CIFS. The share is readable by everyone.
Default login/password for read/write access:
- login = root
- password = 1234qwer (unless you specified another password in mijia-720p-hack.cfg.cfg file)
Cloud Services
Disabling the cloud services disables the following functions:
- Motion detection
- No video data or configuration with the smartphone application
- No recordings on the SD card or a remote file system
For stability reasons it is recommend to disable cloud services while using RTSP.
I want more !
Some scripts are provided in the sd/mijia-720p-hack/scripts folder. Please read the README.md file in this folder for more informations.
Uninstall the hack
There are no files altered on the camera so simply remove the SD card to uninstall the hack.
How it works ?
Hack content
ft/ Folder that contains the start script for the hack
ft_config.ini Neccessary configuration file for the hack boot
manufacture.bin Archive that contains the script test_drv that will enable the hack
mijia-720p-hack/ Mijia 720O hack folder
bin/ Contains server and system binaries for the hack
etc/ Configuration files for the services provided by the hack
scripts/ Some scripts
www/ root of the erb server
mijia-720p-hack.cfg Mijia 720O hack configuration file