Any news about this? I’ve also been trying to dig into it but you guys have made more progress than me
Any news?
I have seen this on the OpenWrt page (looks to be quite close to the camera gateway):
https://openwrt.org/toh/xiaomi/nano
Hi.
No, I haven’t made any progress since my last posts.
As the OpenWrt page for the Xiaomi Wifi Nano states, the gateway is also blocked for updating firmware/Uboot from the console.
But there is interesting information on that Openwrt page, that might be relevant to the gateway too.
I will look into it in the future. Currently I’m in the middle of moving to a new house, so all my stuff is packed up, and I’m pretty busy.
I hope to make progress after the move. I’ll keep you guys updated, but it could take me some time.
In the meantime, I suggest you guys try too and update any progress here.
Thanks
Hi,
I can assist with the SSIDs and passwords the gateway is using, including the shell access (root user).
But getting this information has killed my stock firmware and there is no download of the file available. Actually I’m running a Pandora OpenWRT for testing, the nano version from the link above doesn’t boot.
Therefore a firmware dump would be really appreciated. Hopefully I can summarize my findings in the next days.
If you can give some instructions I could try to dump it
This is what I found out so far:
- The first connect from the APP to the gateway is done by using a config SSID chuangmi-hub-xxxx, which shows up once the gateway's reset button is pressed. It means it's simply used to configure the network settings, including the internet gateway / router. Afterwards, the config SSID is switched off / hidden.
- The APP / cams seem to use the hidden SSID hodor-auth, and there seems to exist a P2P connection between the gateway and each camera.
Problem: there is no possibility to save the firmware from the integrated (limited) U-Boot as all possible write commands have been removed from U-Boot
Solution 1: Update U-Boot by using a generic (full) U-Boot -> That’s what I did
Solution 2: Connect to the "real" SSID and use SSH to connect to the gateway. From the shell it should be possible to dump the firmware to the SD card using dd or mtd-utils (http://www.linux-mtd.infradead.org/index.html) or ftpput (BusyBox).
The gateway seems to be a moonbox gateway.
Limited U-Boot command set:
? - alias for ‘help’
bootm - boot application image from memory
cp - memory copy
crc32 - checksum calculation
erase - erase SPI FLASH memory
fatinfo - print information about filesystem
fatload - load binary file from a dos filesystem
fatls - list files in a directory (default /)
go - start application at address ‘addr’
help - print online help
loadb - load binary file over serial line (kermit mode)
md - memory display
mdio - Ralink PHY register R/W command !!
mm - memory modify (auto-incrementing)
nm - memory modify (constant address)
printenv- print environment variables
reset - Perform RESET of the CPU
rf - read/write rf register
saveenv - save environment variables to persistent storage
setenv - set environment variables
spi - spi command
tftpboot- boot image via network using TFTP protocol
usb - USB sub-system
usbboot - boot from USB device
uufw - USB upgrade FW
version - print monitor version
Boot summary:
U-Boot 1.1.3 (Jul 23 2018 - 21:02:41)
Board: Moobox Hodor Hub
DRAM: 64 MB
relocate_code Pointer at: 83f68000
flash manufacture id: ef, device id 40 18
find flash: W25Q128BV
Hodor Hub UBoot Version: 1.0.1.0
ASIC 7628_MP (Port5<->None)
DRAM component: 512 Mbits DDR, width 16
DRAM bus: 16 bit
Total memory: 64 MBytes
Flash component: SPI Flash
Date:Jul 23 2018 Time:21:02:41
icache: sets:512, ways:4, linesz:32 ,total:65536
dcache: sets:256, ways:4, linesz:32 ,total:32768
##### The CPU freq = 575 MHZ ####
estimate memory size =64 Mbytes
RESET MT7628 PHY!!!
Please choose the operation:
1: Load system code to SDRAM via TFTP.
2: Load system code then write to Flash via TFTP.
3: Boot system code via Flash (default).
4: Entr boot command line interface.
7: Load Boot Loader code then write to Flash via Serial.
9: Load Boot Loader code then write to Flash via TFTP 0
3: System Boot system code via Flash.
## Booting image at bc050000 …
Image Name: OpenWrt Linux-3.10.14
Image Type: MIPS Linux Kernel Image (lzma compressed)
Data Size: 1217799 Bytes = 1.2 MB
Load Address: 80000000
Entry Point: 80000000
Verifying Checksum … OK
Uncompressing Kernel Image … OK
No initrd
## Transferring control to Linux (at address 80000000) …
## Giving linux memsize in MB, 64
Determined physical RAM map:
memory: 04000000 @ 00000000 (usable)
Initrd not found or empty - disabling initrd
Zone ranges:
Normal [mem 0x00000000-0x03ffffff]
Movable zone start for each node
Early memory node ranges
node 0: [mem 0x00000000-0x03ffffff]
Primary instruction cache 64kB, 4-way, VIPT, linesize 32 bytes.
Primary data cache 32kB, 4-way, PIPT, no aliases, linesize 32 bytes
Built 1 zonelists in Zone order, mobility grouping on. Total pages: 16256
Kernel command line: console=ttyS1,57600n8 root=/dev/mtdblock5 rootfstype=squashfs,jffs2
Creating 5 MTD partitions on “raspi”:
0x000000000000-0x000001000000 : “ALL”
0x000000000000-0x000000030000 : “Bootloader”
0x000000030000-0x000000040000 : “Config”
0x000000040000-0x000000050000 : “Factory”
0x000000050000-0x000001000000 : “firmware”
0x000000179547-0x000001000000 : “rootfs”
mtd: partition “rootfs” must either start or end on erase block boundary or be smaller than an erase block – forcing read-only
mtd: partition “rootfs_data” created automatically, ofs=0x710000, len=0xf0000
0x000000710000-0x000000800000 : “rootfs_data”
Here are the appropriate settings from the gateway:
config wifi-iface
option device ‘mt7628’
option ifname ‘ra0’
option network ‘lan’
option mode ‘ap’
option ssid ‘chuangmi-gateway-ipc011_miapC9ED’
option encryption ‘none’
option ApCliAuthMode ‘WPA2PSK’
option ApCliEncrypType ‘AES’
option ApCliSsid ‘xxxxxx’ <= SSID from initial config
option ApCliBssid ‘b8:27:eb:fb:75:14’
option ApCliWPAPSK ‘’ <= Password from your router
option hidden ‘1’
option ApCliEnable ‘0’
config wifi-iface
option device ‘mt7628’
option ifname ‘ra1’
option network ‘lan’
option mode ‘ap’
option ssid ‘hodor-auth’
option encryption ‘psk2’
option key ‘2A5E0g2i’
config wifi-iface
option device ‘mt7628’
option ifname ‘ra2’
option network ‘lan’
option mode ‘ap’
option ssid ‘chuangmi-hub-C9ED’
option encryption ‘psk2’
option key ‘gS0XcDMp’
config interface ‘loopback’
option ifname ‘lo’
option proto ‘static’
option ipaddr ‘127.0.0.1’
option netmask ‘255.0.0.0’
config globals ‘globals’
option ula_prefix ‘fdd7:d244:e0e6::/48’
config interface ‘lan’
option ifname ‘eth0.1’
option force_link ‘1’
option type ‘bridge’
option proto ‘static’
option ipaddr ‘10.17.1.1’
option netmask ‘255.255.255.0’
option macaddr ‘B8:DE:5E:50:99:F5’
config interface ‘auth’
option type ‘bridge’
option proto ‘static’
option ipaddr ‘10.17.2.1’
option netmask ‘255.255.255.0’
config interface ‘wan’
option proto ‘dhcp’
option macaddr ‘B8:DE:5E:51:32:4D’
option ifname ‘apcli0’
# Certificate defaults for px5g key generator
config cert px5g
# Validity time
option days 730
# RSA key size
option bits 1024
# Location
option country DE
option state Berlin
option location Berlin
# Common name
option commonname OpenWrt
# Download /tmp file
config uhttpd download
list listen_http 10.17.1.1:80
list listen_http [::]:80
option home /tmp/camera
option cgi_prefix /cgi-bin
# Generated by uci2dat
# The word of "Default" must not be removed
Default
CountryRegion=1
CountryRegionABand=0
CountryCode=
BssidNum=3
SSID1=chuangmi-gateway-ipc011_miapC9ED
SSID2=hodor-auth
SSID3=chuangmi-hub-C9ED
SSID4=
WirelessMode=9
TxRate=0
Channel=1
BasicRate=15
BeaconPeriod=100
DtimPeriod=10
TxPower=100
DisableOLBC=0
BGProtection=0
TxAntenna=
RxAntenna=
TxPreamble=0
RTSThreshold=2347
FragThreshold=2346
TxBurst=0
PktAggregate=0
TurboRate=0
WmmCapable=1
APSDCapable=1
DLSCapable=0
APAifsn=3;7;1;1
APCwmin=4;4;3;2
APCwmax=6;10;4;3
APTxop=0;0;94;47
APACM=0;0;0;0
BSSAifsn=3;7;2;2
BSSCwmin=4;4;3;2
BSSCwmax=10;10;4;3
BSSTxop=0;0;94;47
BSSACM=0;0;0;0
AckPolicy=0;0;0;0
NoForwarding=0
NoForwardingBTNBSSID=0
HideSSID=1;0;0
StationKeepAlive=0
ShortSlot=1
AutoChannelSelect=0
IEEE8021X=;;
IEEE80211H=0
CSPeriod=10
WirelessEvent=0
IdsEnable=0
AuthFloodThreshold=32
AssocReqFloodThreshold=32
ReassocReqFloodThreshold=32
ProbeReqFloodThreshold=32
DisassocFloodThreshold=32
DeauthFloodThreshold=32
EapReqFooldThreshold=32
PreAuth=0;0;0
AuthMode=OPEN;WPA2PSK;WPA2PSK
EncrypType=NONE;TKIPAES;TKIPAES
RekeyInterval=0;0;0
PMKCachePeriod=10;10;10
WPAPSK1=
WPAPSK2=2A5E0g2i
WPAPSK3=gS0XcDMp
WPAPSK4=
DefaultKeyID=1;1;1;
Key1Type=0;0;0;
Key1Str1=
Key1Str2=
Key1Str3=
Key1Str4=
Key2Type=0;0;0;
Key2Str1=
Key2Str2=
Key2Str3=
Key2Str4=
Key3Type=0;0;0;
Key3Str1=
Key3Str2=
Key3Str3=
Key3Str4=
Key4Type=0;0;0;
Key4Str1=
Key4Str2=
Key4Str3=
Key4Str4=
AccessPolicy0=0
AccessControlList0=
AccessPolicy1=0
AccessControlList1=
AccessPolicy2=0
AccessControlList2=
AccessPolicy3=0
AccessControlList3=
WdsEnable=0
WdsEncrypType=NONE
WdsList=EOF
Wds0Key=
Wds1Key=
Wds2Key=
Wds3Key=
RADIUS_Server=0;0;0
RADIUS_Port=1812;1812;1812
RADIUS_Key1=
RADIUS_Key2=
RADIUS_Key3=
RADIUS_Key4=
own_ip_addr=192.168.5.234
EAPifname=br-lan
PreAuthifname=br-lan
HT_HTC=0
HT_RDG=0
HT_EXTCHA=0
HT_LinkAdapt=0
HT_OpMode=0
HT_MpduDensity=5
HT_BW=0
VHT_BW=0
VHT_Sec80_Channel=
VHT_SGI=1
VHT_STBC=0
VHT_BW_SIGNAL=0
VHT_DisallowNonVHT=
VHT_LDPC=1
HT_AutoBA=1
HT_AMSDU=0
HT_BAWinSize=64
HT_GI=1
HT_MCS=33
WscManufacturer=
WscModelName=
WscDeviceName=
WscModelNumber=
WscSerialNumber=
FixedTxMode=0
AutoProvisionEn=0
FreqDelta=0
CarrierDetect=0
PreAntSwitch=1
PhyRateLimit=0
DebugFlags=0
ITxBfTimeout=0
ETxBfNoncompress=0
FineAGC=0
StreamMode=0
StreamModeMac0=
StreamModeMac1=
StreamModeMac2=
StreamModeMac3=
RDRegion=
DfsLowerLimit=0
DfsUpperLimit=0
DfsOutdoor=0
SymRoundFromCfg=0
BusyIdleFromCfg=0
DfsRssiHighFromCfg=0
DfsRssiLowFromCfg=0
DFSParamFromConfig=0
FCCParamCh0=
FCCParamCh1=
FCCParamCh2=
FCCParamCh3=
CEParamCh0=
CEParamCh1=
CEParamCh2=
CEParamCh3=
JAPParamCh0=
JAPParamCh1=
JAPParamCh2=
JAPParamCh3=
JAPW53ParamCh0=
JAPW53ParamCh1=
JAPW53ParamCh2=
JAPW53ParamCh3=
FixDfsLimit=0
LongPulseRadarTh=0
AvgRssiReq=0
DFS_R66=0
BlockCh=
GreenAP=0
WapiPsk1=
WapiPsk2=
WapiPsk3=
WapiPsk4=
WapiPsk5=
WapiPsk6=
WapiPsk7=
WapiPsk8=
WapiPskType=
Wapiifname=
WapiAsCertPath=
WapiUserCertPath=
WapiAsIpAddr=
WapiAsPort=
RekeyMethod=TIME
MeshAutoLink=0
MeshAuthMode=
MeshEncrypType=
MeshDefaultkey=0
MeshWEPKEY=
MeshWPAKEY=
MeshId=
HSCounter=0
HT_BADecline=0
HT_STBC=0
HT_LDPC=1
HT_TxStream=2
HT_RxStream=2
HT_PROTECT=1
HT_DisallowTKIP=0
HT_BSSCoexistence=0
WscConfMode=0
WscConfStatus=2
WCNTest=0
WdsPhyMode=
RADIUS_Acct_Server=
RADIUS_Acct_Port=1813
RADIUS_Acct_Key=
Ethifname=
session_timeout_interval=0
idle_timeout_interval=0
WiFiTest=0
TGnWifiTest=0
ApCliEnable=1
ApCliSsid=xxxxxx
ApCliBssid=b8:27:eb:fb:75:14
ApCliAuthMode=WPA2PSK
ApCliEncrypType=AES
ApCliWPAPSK=xxxxx
ApCliDefaultKeyID=0
ApCliKey1Type=0
ApCliKey1Str=
ApCliKey2Type=0
ApCliKey2Str=
ApCliKey3Type=0
ApCliKey3Str=
ApCliKey4Type=0
ApCliKey4Str=
EfuseBufferMode=0
E2pAccessMode=1
RadioOn=1
BW_Enable=0
BW_Root=0
BW_Priority=
BW_Guarantee_Rate=
BW_Maximum_Rate=
AutoChannelSkipList=
WscConfMethod=
WscKeyASCII=
WscSecurityMode=
Wsc4digitPinCode=
WscVendorPinCode=
WscV2Support=
HT_MIMOPS=3
G_BAND_256QAM=0
DBDC_MODE=0
txbf=
IgmpSnEnable=1
MUTxRxEnable=0
ITxBfEnCond=0
root:x:0:0:root:/root:/bin/ash
daemon::1:1:daemon:/var:/bin/false
ftp::55:55:ftp:/home/ftp:/bin/false
network::101:101:network:/var:/bin/false
nobody::65534:65534:nobody:/var:/bin/false
mosquitto:x:200:200:mosquitto:/var/run/mosquitto:/bin/false
root:$1$LeHwJ4ZH$eGNDqaycY7QjVuVnLkP0x.:17728:0:99999:7:::
daemon::0:0:99999:7:::
ftp::0:0:99999:7:::
network::0:0:99999:7:::
nobody::0:0:99999:7:::
mosquitto:x:0:0:99999:7:::
For the shell connection:
SSID: chuangmi-hub-xxxx <= individual number
PW: gS0XcDMp
SSH-User: root / admin
cat /proc/mtd should show the memory partition map:
mtd0: 0x000000000000-0x000001000000 : “ALL”
mtd1: 0x000000000000-0x000000030000 : “Bootloader”
mtd2: 0x000000030000-0x000000040000 : “Config”
mtd3: 0x000000040000-0x000000050000 : “Factory”
mtd4: 0x000000050000-0x000001000000 : “firmware”
mtd5: 0x000000179547-0x000001000000 : “rootfs”
cat /proc/mounts should show the mounted mtdblocks, something like this:
rootfs / rootfs rw 0 0
/dev/root / squashfs ro 0 0
none /dev tmpfs rw 0 0
/proc /proc proc rw 0 0
none /var tmpfs rw 0 0
none /tmp tmpfs rw 0 0
none /mnt tmpfs rw 0 0
To export the partitions, BusyBox's ftpput could be used (syntax: ftpput [-v] [-u USER] [-p PASSWORD] [-P PORT] HOST REMOTE_FILE LOCAL_FILE; read the raw /dev/mtdN character device, not the mtdblock device):
ftpput -v -u USER -p PASSWORD 192.168.1.5 ftpdir/mtd0_all /dev/mtd0
or
ftpput -v -u USER -p PASSWORD 192.168.1.5 ftpdir/mtd1_bootloader /dev/mtd1
ftpput -v -u USER -p PASSWORD 192.168.1.5 ftpdir/mtd2_config /dev/mtd2
ftpput -v -u USER -p PASSWORD 192.168.1.5 ftpdir/mtd3_factory /dev/mtd3
ftpput -v -u USER -p PASSWORD 192.168.1.5 ftpdir/mtd4_firmware /dev/mtd4
etc.
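As an added example (not code from the thread), here is a small host-side script that parses the partition map posted above, reproduces the kernel's "forcing read-only" decision so you can see why rootfs (which starts at the unaligned offset 0x179547) is read-only while the others are not, maps the U-Boot "Booting image at bc050000" address back to a flash offset, and generates dd/md5sum lines for the gateway shell. The 64 KiB erase block, the 0xBC000000 flash base and the /mnt/sd dump directory are assumptions and are marked as such in the code.

```python
"""Parse the gateway's MTD partition map, flag partitions the kernel forces
read-only, and emit the on-device dump commands (added example, not from the thread)."""
import re
from dataclasses import dataclass

ERASE_BLOCK = 0x10000      # assumption: 64 KiB erase sectors on the W25Q128
FLASH_BASE = 0xBC000000    # assumption: MT7628 memory-mapped SPI flash base (KSEG1)
DUMP_DIR = "/mnt/sd"       # assumption: where the SD card is mounted on the gateway

# Partition lines exactly as posted in the boot log / "cat /proc/mtd" above
PARTITION_DUMP = """\
mtd0: 0x000000000000-0x000001000000 : "ALL"
mtd1: 0x000000000000-0x000000030000 : "Bootloader"
mtd2: 0x000000030000-0x000000040000 : "Config"
mtd3: 0x000000040000-0x000000050000 : "Factory"
mtd4: 0x000000050000-0x000001000000 : "firmware"
mtd5: 0x000000179547-0x000001000000 : "rootfs"
"""

LINE_RE = re.compile(r'^(mtd\d+):\s*0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)\s*:\s*"([^"]+)"')


@dataclass(frozen=True)
class Partition:
    dev: str
    start: int
    end: int
    name: str

    @property
    def size(self) -> int:
        return self.end - self.start

    @property
    def forced_read_only(self) -> bool:
        """Model of the boot-log warning: a partition that starts or ends off an
        erase-block boundary and is larger than one block cannot be erased
        without touching a neighbour, so the kernel drops its writeable flag."""
        unaligned = self.start % ERASE_BLOCK or self.end % ERASE_BLOCK
        return bool(unaligned) and self.size > ERASE_BLOCK


def parse_partitions(text: str) -> list:
    """Turn the posted 'mtdN: 0xSTART-0xEND : "name"' lines into Partition objects."""
    parts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            dev, start, end, name = m.groups()
            parts.append(Partition(dev, int(start, 16), int(end, 16), name))
    return parts


def flash_offset(mapped_addr: int) -> int:
    """Translate a U-Boot 'Booting image at ...' address into a flash offset."""
    return mapped_addr - FLASH_BASE


def containing_partition(parts, offset: int):
    """Smallest named partition that contains offset (the catch-all 'ALL' is skipped)."""
    hits = [p for p in parts if p.start <= offset < p.end and p.name != "ALL"]
    return min(hits, key=lambda p: p.size) if hits else None


def dump_commands(parts, dest: str = DUMP_DIR) -> list:
    """dd + md5sum lines for the gateway's BusyBox shell. Reading the /dev/mtdN
    character device returns the raw partition regardless of the read-only flag;
    hashing both the device and the file confirms the copy is complete."""
    cmds = []
    for p in parts:
        out = f"{dest}/{p.dev}_{p.name.lower()}.bin"
        cmds.append(f"dd if=/dev/{p.dev} of={out} bs=65536 && md5sum /dev/{p.dev} {out}")
    return cmds


if __name__ == "__main__":
    parts = parse_partitions(PARTITION_DUMP)
    for p in parts:
        flag = "  (forced read-only)" if p.forced_read_only else ""
        print(f"{p.dev:5} {p.name:11} 0x{p.start:07x}-0x{p.end:07x} {p.size:>9} bytes{flag}")
    k = containing_partition(parts, flash_offset(0xBC050000))
    print("kernel image boots from partition:", k.name if k else "unknown")
    print("\n".join(dump_commands(parts)))
```

Dump mtd0 ("ALL") first: it is the whole 16 MiB chip, so it alone is enough to restore a bricked unit, and the per-partition files are only convenient for inspection.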
Thank you for the explanation! Seems like every gateway has its own password; all my gateways have different SSIDs and passwords.
I'm trying to avoid changing the U-Boot.
How about connecting via LAN and using the shell access directly ?
Seems like there is no SSH active at all on the stock U-Boot. I tried with LAN directly to my computer (but maybe I'm missing something; I did set a static address).
Did you use an IP from the LAN range 10.17.1.x ? Is the gateway pingable ?
I used:
Ip-address: 10.17.1.11
Subnet: 255.255.255.0
Router: 10.17.1.1
And no it’s not pingable
I'm pretty sure I could connect via SSH, but at that time I didn't have the root password. Furthermore, I'm not sure at what stage: before doing the initial Wifi config or after.
The “official” procedure is having LAN disconnected, connect via Wifi and then the gateway creates a bridge between LAN and Wifi. Therefore I assume that the Wifi config has to be done first so the network settings can be setup afterwards automatically, including the LAN interface.
I have to dig through my ssh logs to see whether I logged these tries.
Thought about this: how do the cameras then get to know the password of a specific gateway to connect to during initialization phase ? Never heard that the cams are bound to a specific gateway.
At least there needs to be either a standard password for the gateway to have an initial Wifi connection between the gateway and the camera or the cameras provide an accesspoint to the gateway or the password can be determined / calculated from the gateway SSID.
Maybe I have to dive a little bit into Wifi WDS…
Any new information ?
Hi all. I recently bought a cmsxj11a camera. First I had a problem with the region lock, "your device is not supported in this area". Then I installed a modded Mi Home app, and the region lock was gone; it worked on the China and UK regions, but the connection was very slow. Then I changed the region to Germany, and since then I cannot pair the hub with the camera. I tried everything: switched the region back to China and UK, tried different wifi networks, different mobiles with different Mi accounts. Nothing works; I get the notification while pairing: "please make the wire-free gateway and camera close to the router, keep a good network environment" and the pairing fails.
Is there a solution for this? Any idea what I should do? Maybe somehow a hard reset, or firmware downgrade, or anything? Thank you!
- Take note that China region only supports 1 camera to 1 gateway pairing, so use a different region.
- Try to use wireless instead of wired when doing initial configuration of the gateway.
- If you already have Mi Home app configured for China due to other smart devices, if android, use a clone app.
- Please create a new homeassistant topic rather than using this thread.
Hi acelle, thank you for the reply. 1. It's OK, I want to use only 1 camera. 2. I used a wireless connection. 3. I used a modded Mi Home app with no region lock (I was not aware that I ordered a Chinese version of the camera). I don't have any other Xiaomi smart things, only this camera. The IMILAB support is terrible; they said there is no hard reset or such thing, and that I should buy a new Global version of the camera… Maybe contact the seller from AliExpress. I'm looking for a solution to get the camera working again.
do you still need firmware dump?
telnet is open on the hub before first mi home connection. you can use ap chuangmi-gateway-ipc011_miapXXXX without password or chuangmi-hub-XXXX with password 12345678. ip 10.17.1.1, root:admin.
after hub gets net connection they run test_hub binary (probably using some p2p exec) which changes chuangmi-hub-XXXX password to random, closes telnet and uart.
we should be able to modify squashfs part of firmware and sysupgrade from telnet.
cams can connect to hub because ra1 interface (hodor-auth) has static password 2A5E0g2i (ifconfig ra1 up when you click add camera in the app).
Yes, still need the dump.
While trying to dump I used the wrong write command expecting an error, but instead I overwrote part of the squashfs, resulting in a corrupt system from which I could only recover some of the config files.
BTW, they use MQTT to connect to the server. I have a few findings about this too (checking also the Android source of the app), as I tried to find out the update mechanism. So far, I could manage to send a version check for the specific device to the webservice and get the appropriate response, but I was not able to initiate the download, as the cams seem to use the hub as a relay for the update, so no firmware download. After crashing the hub there were no further tests possible, as the cams need the hub as an internet gateway.
The hub logs to the SD card, there you can find the P2P passwords, MQTT-URLs, CAM-IDs, Batterystatus etc.
hope you did not damage other partitions like config/rootfs_data, these are pretty important because of cloud credentials
here is bootloader
and latest ota
ota contains hub firmware (kernel+rootfs) and camera firmware. you need to strip 0x80 header, copy the rest until HODOR3 (camera firmware header) and write it to firmware mtd.
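The split described in the post above, as an added example that is not the vendor's tooling or anything from the thread: drop the 0x80-byte OTA header, cut at the HODOR3 marker, then sanity-check the hub part before it goes anywhere near the firmware partition. The 0x80 header length and the HODOR3 marker are from the post. The script additionally assumes the hub part starts with the same legacy U-Boot uImage that the boot log shows in the firmware partition, with the squashfs appended directly after it; the boot log supports that layout (0x50000 + 64-byte header + 1217799 bytes of kernel data = 0x179547, exactly where the rootfs partition begins). The sample OTA blob at the bottom is constructed for the demonstration, not a real image.

```python
"""Split a Hodor OTA into hub and camera parts and verify the hub image
(added example; OTA layout beyond the 0x80 header and HODOR3 marker is assumed)."""
import struct
import zlib

OTA_HEADER_LEN = 0x80                      # from the post: vendor header to strip
CAMERA_MARKER = b"HODOR3"                  # from the post: camera firmware header
UIMAGE_MAGIC = 0x27051956                  # legacy U-Boot image magic
UIMAGE_HDR = struct.Struct(">IIIIIIIBBBB32s")   # 64-byte legacy uImage header
SQUASHFS_MAGIC = b"hsqs"                   # little-endian squashfs superblock magic
FIRMWARE_PART_SIZE = 0x1000000 - 0x50000   # mtd4 "firmware" size from the boot log


def split_ota(blob: bytes) -> tuple:
    """Return (hub_image, camera_blob); raise if the expected layout is absent."""
    if len(blob) <= OTA_HEADER_LEN:
        raise ValueError("OTA shorter than its header")
    marker = blob.find(CAMERA_MARKER, OTA_HEADER_LEN)
    if marker < 0:
        raise ValueError("camera firmware marker not found")
    return blob[OTA_HEADER_LEN:marker], blob[marker:]


def parse_uimage(image: bytes) -> dict:
    """Parse the uImage header at the start of the hub image and check both CRCs,
    the same checks U-Boot performs before 'Verifying Checksum ... OK'."""
    if len(image) < UIMAGE_HDR.size:
        raise ValueError("too short for a uImage header")
    magic, hcrc, _t, size, load, ep, dcrc, _os, _arch, _typ, _comp, name = UIMAGE_HDR.unpack_from(image)
    if magic != UIMAGE_MAGIC:
        raise ValueError(f"bad uImage magic 0x{magic:08x}")
    hdr_zeroed = image[:4] + b"\0\0\0\0" + image[8:UIMAGE_HDR.size]   # header CRC is over hcrc=0
    if zlib.crc32(hdr_zeroed) & 0xFFFFFFFF != hcrc:
        raise ValueError("uImage header CRC mismatch")
    payload = image[UIMAGE_HDR.size:UIMAGE_HDR.size + size]
    if len(payload) != size or zlib.crc32(payload) & 0xFFFFFFFF != dcrc:
        raise ValueError("uImage data CRC mismatch (truncated or corrupt)")
    return {"name": name.rstrip(b"\0").decode(), "size": size, "load": load, "entry": ep}


def check_hub_image(image: bytes) -> dict:
    """Locate the squashfs appended after the kernel and confirm the image fits mtd4."""
    hdr = parse_uimage(image)
    rootfs_off = UIMAGE_HDR.size + hdr["size"]
    if image[rootfs_off:rootfs_off + 4] != SQUASHFS_MAGIC:
        raise ValueError("no squashfs superblock right after the kernel image")
    if len(image) > FIRMWARE_PART_SIZE:
        raise ValueError("hub image larger than the firmware partition")
    return {"kernel": hdr, "rootfs_offset": rootfs_off, "total": len(image)}


# --- constructed sample data (not a real OTA) -------------------------------------
def build_uimage(payload: bytes, name: str, load: int = 0x80000000) -> bytes:
    """Build a legacy uImage header (os=Linux, arch=MIPS, type=kernel, comp=lzma)."""
    dcrc = zlib.crc32(payload) & 0xFFFFFFFF
    hdr_no_crc = UIMAGE_HDR.pack(UIMAGE_MAGIC, 0, 0, len(payload), load, load,
                                 dcrc, 5, 5, 2, 3, name.encode().ljust(32, b"\0"))
    hcrc = zlib.crc32(hdr_no_crc) & 0xFFFFFFFF
    return hdr_no_crc[:4] + struct.pack(">I", hcrc) + hdr_no_crc[8:] + payload


SAMPLE_OTA = (
    b"\0" * OTA_HEADER_LEN                                    # stand-in vendor header
    + build_uimage(b"\x5d\0\0\x80" + b"K" * 1000, "OpenWrt Linux-3.10.14")
    + SQUASHFS_MAGIC + b"\0" * 500                             # stand-in squashfs
    + CAMERA_MARKER + b"C" * 200                               # stand-in camera firmware
)

if __name__ == "__main__":
    hub, cam = split_ota(SAMPLE_OTA)
    print(check_hub_image(hub))
    print("camera part:", len(cam), "bytes")
```

Run it against a real OTA by replacing SAMPLE_OTA with the file contents; if check_hub_image() raises, do not write the result to the firmware partition. Writing anything there on a unit whose mtd0 has not yet been dumped repeats the mistake reported earlier in this thread.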