Have anyone implemented Xiaomis new wireless IP camera with battery, CMSXJ11A?
It’s a new video camera from Xiaomi and seems to be a Arlo-clone. The hardware seems impressive and built-in rechargeable battery for $69.
Would be great to include this in Hass.io!
That would be great! It could be an awesome alternative for blink or arlo cameras.
As it seems to be on pre-order I doubt anyone has made it work.
How would you charge an outdoor camera?
Anyway, the advertising is rather light on technical detail. It is not a cheap purchase, however I am sure some technical details will emerge once it ships. In the meantime, I wouldn’t be buying unless it was viable for me to hack it, and at my level of skill, that is not viable.
You remove the battery and charge it? Like the Arlo-cameras? It’s to avoid installing power or POE cable to inaccessible places where you want the camera.
I understand the idea of what the battery is for, but the charging port is on the back of the camera. There is no mention of being able to remove the battery (although that would solve the problem).
There is a review here https://www.wovow.org/xiaomi-mijia-cmsxj11a-review-camera-2019/ but it is not particularly informative - it largely just reiterates the advertising.
Any estimate on supporting this device?
There is no indication that anyone is working on it.
Do you actually have one?
Yes I do. Just got one, works really well, but really wanted to integrate it with Hassio.
That doesn’t seem to be an option. Searching for the model number:
A search of this forum reveals only this thread.
A search of homeassistant’s github reveals nothing.
A search of the whole of github reveals 4 issues, which I can’t see are actually related to getting this going in anything other than the mi-home app.
The reason I asked whether you had one is that now someone in the community has one, maybe you can develop an integration.
Have you tried iSpy Connect to see if there’s a URL for monitoring https://www.ispyconnect.com/man.aspx?n=xiaomi
I received this camera last week.
What can I do to hack it?
Is there any kind of guide, or testing I can do? I am a programmer, although I have little experience with hardware analysis.
A little camera review:
Has a microphone.
Has a speaker. (I found the sound a bit low, but I think it was expected.)
Has infrared.
Has an internal battery.
Besides the camera, it also comes with a kind of receiver.
This receiver has a memory card slot, a wired network slot and a micro usb slot.
The receiver creates a new Wireless Network.
In Mi Home app, it was not possible to access the camera directly, only via the receiver.
I need to do more testing to see if it is possible to use the camera without the receiver.
The only issue with this camera is that it is 1:1 with the gateway.
When scanned, the only port open on the gateway is 53, which is the DNS.
I have recently received it, and started “looking around” to see what can be done 
Before I describe what I have found, I want to explain the biggest issues with this camera (and some similiar “cloud” or p2p cameras running on batteries):
Ok, so here are some of my findings:
Thats about it for now.
My goal is to hack away at the gateway so that I could connect to the camera, without Mi App, and without need for internet connection (only local Wifi LAN), for example using MJPEG or RTSP. Maybe get notifications using mqtt (I think that I saw some mqtt client installed on the gateway).
Anyways, does anyone have any idea how I can get the WPA2 password the camera uses, given that I have full access to the gateway?
I know that there are methids to do this, but most of them involve brute force cracking, using a dictionary of possible words. Because I have no idea what the password could be, I think its not that feasible to do in this case.
BTW, I also have the Reolink Argus 2, which is similar to the EC2, except doesn’t use a gateway.
I also tried to “snoop around”, and sniffed communication between the camera and the App which controls it. After many hours of examining and sniffing, it seems like Reolink are using some proprietary way of sending the video to the App (using UDP). But that’s only after some sort of p2p handshake the app does with the camera, in which the camera knows what IP and port the app is listening on. I was unable to decipher how this handshake works and what exactly the app sends (in Wireshark it was just a bunch of bytes with no obvious format, maybe even encrypted).
These p2p cameras are hard to “open”, and pretty difficult to hack for an inexperienced guy like me
But I haven’t given up yet, just need to find the time to continue snooping around.
I’m optimistic about the Imilab EC2, because it uses the gateway, and I have been able to get console access. And because its running OpenWrt, I hope I will be able to “open” it up for a more general use.
Well, a small update: It seems that while I can get console prompt on the gateway, the filesystem is loaded as readonly. Meaning that I can’t change anything on it. I suppose its possible to load the filesystem as read-write, but they are using some weird (custom) version of u-boot, which doesn’t have all the regular u-boot commands/paramters.
Can you use the mount command?
I guess I can…
Can you remind me how I would go about remounting the filesystem so its read-write?
Its a Jffs filesystem.
Usually something like adding the option
-o remount-rw
at the end of the mount comnand. However I have no experience of jffs.