Anyone tried running nmap/Zenmap against one of these CMSXJ16A and finding open ports?
I just bought one of the cmsxj16a cameras. So I did some tests.
After connecting to the wifi, I blacklisted it in my wifi rules. It's interesting that on Mi Home, the device appears offline, BUT Mi Home is able to use the camera and move it around. When I disconnected my phone from the wifi and tried again, obviously the camera was black. Re-enable wifi, the camera is visible again.
Then tried to connect a second mobile phone with Mi Home installed, which (up to now) wouldn't know the new camera. And it has exactly the same behavior - it appears offline but I can manipulate the camera.
So it seems there is a way to locally communicate with the camera. Running nmap didn't show any open ports. So any idea?
# nmap -p 1-65535 192.168.1.101 -130- 11:02:59
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-01 11:03 EEST
Nmap scan report for 192.168.1.101
Host is up (0.0016s latency).
All 65535 scanned ports on 192.168.1.101 are closed
Nmap done: 1 IP address (1 host up) scanned in 1314.38 seconds
The Chuangmi camera, same as most other Xiaomi devices, supports the Miio protocol via port 54321.
However, I didn't find anywhere how to get the AV stream from it.
Everything Miio can get out of the camera is:
"
Power: True
Motion record: False
Light: True
Full color: False
Flip: False
Improve program: False
Wdr: False
Track: False
SD card status: 3
Watermark: True
Max client: 0
Night mode: 0
Mini level: 1
"
BTW according to this from init.d
"sysctl -w net.ipv4.ip_local_reserved_ports=54322,54321,54320" 2 other ports are opened
If you are good with Linux you can try to find something interesting in the firmware image (for instance this one):
http://cdn.cnbj2.fds.api.mi-img.com/chuangmi-cdn/product/ipc016/firmware/IPC016_16.3.4.5_0081.zip
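An added example, not part of any post in this thread: the nmap run above was a default TCP scan, while miIO on port 54321 is a UDP protocol, so checking your own camera for it means sending the 32-byte miIO hello datagram and parsing the header that comes back. The function names and the sample reply are constructed for illustration.

```python
import socket
import struct
import sys

MIIO_PORT = 54321                      # UDP port named in the thread
MAGIC = 0x2131                         # first two bytes of every miIO packet
# magic, total length, reserved, device id, stamp, 16-byte checksum field
HEADER = struct.Struct(">HHIII16s")
# Hello datagram: magic + length 32, every remaining header byte set to 0xff
HELLO = struct.pack(">HH", MAGIC, HEADER.size) + b"\xff" * 28


def parse_header(data: bytes) -> dict:
    """Validate a miIO packet and return its header fields."""
    if len(data) < HEADER.size:
        raise ValueError("packet shorter than the 32-byte miIO header")
    magic, length, _reserved, device_id, stamp, checksum = HEADER.unpack_from(data)
    if magic != MAGIC:
        raise ValueError("bad magic, not a miIO packet")
    if length != len(data):
        raise ValueError("length field does not match datagram size")
    return {"device_id": device_id, "stamp": stamp,
            "checksum": checksum.hex(), "payload_len": length - HEADER.size}


def probe(host: str, timeout: float = 2.0):
    """Send one hello over UDP; return the parsed header, or None if no reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(HELLO, (host, MIIO_PORT))
        try:
            data, _addr = sock.recvfrom(1024)
        except socket.timeout:
            return None
    return parse_header(data)


# Constructed sample reply (made-up device id and stamp) for offline checks
SAMPLE_REPLY = HEADER.pack(MAGIC, 32, 0, 0x0A1B2C3D, 4660, b"\xff" * 16)

if __name__ == "__main__":
    print(parse_header(SAMPLE_REPLY))
    if len(sys.argv) > 1:              # e.g. the camera's own LAN address
        print(probe(sys.argv[1]))
```

A reply from `probe` confirms a miIO listener that a TCP-only scan cannot see; the nmap equivalent is a UDP scan (`-sU`) of port 54321.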
Hi there, I just bought the CMSXJ16A camera. Did you find a way to hack it?
Thanks
Unfortunately not. I gave up.