Xiaomi console access

balrog

At least two users indicated (in this thread) that, once associated to the camera with WiFi, they could telnet into it and log in to a Linux shell. I'm very interested in that so I can run scripts that would send commands to port 7878 at specific times to start or stop recording, and take pictures. Possibly do more interesting stuff.

I've tried the following firmware versions:
1.0.2 (shipped)
1.0.7 genuine
1.0.7 with the 30mbps modification from this forum.

On all of them only the following ports accept connections: 53, 80, 554, 7878 and 8787, no telnet port. Does anyone know what conditions must be met for telnet to work? Can an autorun.ash or some other file trigger enabling telnet?
 
SOLVED: in short you need to create a file named "enable_info_display.script" in the root directory of the SD card, that triggers the main OS (the one that boots before Linux) to tell Linux to run telnetd once Linux comes up. I've tried it with 1.0.7 and 1.0.9 and it worked with both versions.

I've tried a bunch of hacks I found documented for GoPro but none worked. Also tried to use the Ambarella Firmware Tool (AFT) to extract the Linux ubifs partition, then mount it through the nandsim module, then edit /etc/init.d/S50service to uncomment the invocation of telnetd, but once I rebuilt the firmware image in AFT, it would flash but Linux wouldn't boot for some reason. Quite a learning experience. Eventually found the enable_info_display and other commands in the firmware image and this worked.
 
How cool is that stuff, thanks and welcome to DCT.
 
Hi @balrog
I'm not good at Linux, but I wonder: what is the content of the file "enable_info_display.script"?
 
Yeah, it just checks if this file exists. Other file names also trigger unit testing, debug logs and other actions.
 
Out of curiosity... I have a question. If you can access via telnet or any other protocol into a Linux box (meaning the camera), in case one could be able to map some "button combinations" (maybe keymap), e.g. three clicks on the main power button, would it be possible to make it so the cam could be set at desired recording settings, having some feedback via the LEDs?
For example, clicking 3 times in video recording mode, it would change to the next setting and the LEDs would blink, and depending on the number of blinks it would provide the info about the setting selected, so there would not be so much dependency on the app.

Or could this just be done via firmware? Or not even like that, and I'm just a crazy dude with insane ideas? :)
 
Great idea! If it can be done, that's really great!
But I think this needs the Ambarella SDK to modify the firmware. Almost impossible if you just hack and mod the firmware.
 
Another way to enable telnet. Create an autoexec.ash file on the root of the SD card with content "lu_util exec telnetd -l/bin/sh"
 
Yeah, it might be difficult because I believe the buttons are handled by the host system, the proprietary RTOS. As far as I've seen the Wi-Fi stack is the only thing really managed by Linux here. That said you can use Linux to send commands to the host OS whenever you like.
 
How do you send commands to the main RTOS from telnet? I tried the SendToItron command but it seems it doesn't work.
 
Hi @balrog, do you have any successful commands with which you could communicate with the Yi Cam, other than opening telnet?
It would be appreciated if you could share more examples.
 
So far I've only done this by sending commands to port 7878 from Linux, I'll see if there's a better way to do this. There might be.
 
Is it possible to change the Yi Cam IP address mask by changing the Linux configuration?
Now it is 192.168.42.1; maybe change it to another, let's say 192.168.52.1 or something else.
 
Yes, it's possible.

Make a blank file named wifi.conf in the SD card /MISC/ folder.
Unplug the USB cable and reboot the camera.
Plug in the USB cable.
Now the camera will create a /MISC/wifi.conf file with some settings in it; copy it somewhere safe in case you need it later to restore the original settings.
Change the settings you want (IP, SSID, password) under the SoftAP section at the bottom of the /MISC/wifi.conf file and save.
Unplug the USB cable and reboot.

That's it.
 
Hi @funnel !
It is great to get the wifi.conf content by following your instructions.
Do you know of any more *.conf files that I can get or set from the Yi Cam?
 
Got the default wifi.conf as follows. Posting it here for backup only :D
Code:
##### Wifi configuration file ##########################################
## Empty lines and lines starting with # are ignored
# ap: SoftAP mode
# sta: Station mode
# p2p: Enable Wifi Direct Support for peer-to-peer connectibity
WIFI_MODE=ap
# GPIO pin to enable or disable WiFi
WIFI_EN_GPIO=11
# GPIO physical button that user can turn WiFi ON/OFF
#WIFI_SWITCH_GPIO=43

##### STA mode configuration ##########################################
# SSID
ESSID=amba_boss
# Passphrase. Leave empty at no security mode; please edit wpa_supplicant.conf when your AP cannot be detected
PASSWORD=1234567890
# Device Name for AMBA Discovery Protocol (optional)
STA_DEVICE_NAME=amba-1
# Do not detect SSID setting changes, use previous scanned results
STA_SKIP_SCAN=yes

##### Wifi Direct configuration ##########################################
# Find devices with correct name prefix and automatically connect at startup
P2P_AUTO_CONNECT=no
# Auto-connect with devices if the name prefix matches
P2P_CONNECT_PREFIX=amba
## Do not enable this optional field unless you are certain
# please provide a unique name amoung multiple devices to prevent confusion
#P2P_DEVICE_NAME=amba-1
## Do not enable this optional field unless you are certain
# Set the default P2P GO Intent
#P2P_GO_INTENT=0
## Do not enable this optional field unless you are certain
# Specify P2P operating channel
#P2P_OPER_CHANNEL=1
## Do not enable this optional field unless you are certain
# Default mode for HT40 enable when operating as GO
#P2P_GO_HT40=0

##### SoftAP configuration ##########################################
# SSID (1 ~ 32 characters)
AP_SSID=YDXJ_1234567
# IP address
LOCAL_IP=192.168.42.1
# IP subnet mask
LOCAL_NETMASK=255.255.255.0
# IP pool starting address of DHCP server
DHCP_IP_START=192.168.42.2
# IP pool end address of DHCP server
DHCP_IP_END=192.168.42.6
# Wifi channel number, set 0 to use Auto Channel Selection
AP_CHANNEL=0
# Maximum number of stations allowed in station table
AP_MAXSTA=5
# If you say yes here, all WPA/WEP settings will be ignored
AP_PUBLIC=no
# WPA Passphrase (8 ~ 63 characters)
AP_PASSWD=1234567890
# AP Type (0:BCM4330 1:A7L)
AP_TYPE=0
 
There're no other useful .conf files.
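
Added example (not part of the thread and not code from any poster): a Python check of the SoftAP section of the wifi.conf posted above, worth running after editing it as described earlier, since the access point passphrase is what controls who can reach the telnet shell discussed in this thread. It flags an open network, the shipped passphrase, and a DHCP pool left outside the new LOCAL_IP subnet. The function names and the sample input are constructed for illustration.

```python
import ipaddress

# Shipped passphrase, taken from the default wifi.conf posted in this thread.
DEFAULT_PASSWD = "1234567890"

def parse_conf(text):
    """Parse KEY=VALUE lines; empty lines and lines starting with # are ignored."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf

def audit_softap(conf):
    """Return a list of findings for the SoftAP section of a parsed wifi.conf."""
    findings = []
    if conf.get("AP_PUBLIC", "no").lower() == "yes":
        findings.append("AP_PUBLIC=yes: WPA settings ignored, network is open")
    passwd = conf.get("AP_PASSWD", "")
    if passwd == DEFAULT_PASSWD:
        findings.append("AP_PASSWD is the shipped default")
    if not 8 <= len(passwd) <= 63:
        findings.append("AP_PASSWD length outside 8..63 characters")
    try:
        net = ipaddress.ip_network(conf["LOCAL_IP"] + "/" + conf["LOCAL_NETMASK"], strict=False)
        for key in ("DHCP_IP_START", "DHCP_IP_END"):
            if ipaddress.ip_address(conf[key]) not in net:
                findings.append(f"{key} {conf[key]} is outside {net}")
    except (KeyError, ValueError) as exc:
        findings.append(f"address settings missing or invalid: {exc}")
    return findings

# Constructed sample: LOCAL_IP moved to 192.168.52.1 but the DHCP pool left as shipped.
SAMPLE = """\
AP_SSID=YDXJ_1234567
LOCAL_IP=192.168.52.1
LOCAL_NETMASK=255.255.255.0
DHCP_IP_START=192.168.42.2
DHCP_IP_END=192.168.42.6
AP_PUBLIC=no
AP_PASSWD=1234567890
"""

if __name__ == "__main__":
    for finding in audit_softap(parse_conf(SAMPLE)):
        print("-", finding)
```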
 
Would be great to see if it's possible to control aperture/ISO/shutter speed via the Linux shell. And I'm sure there are other default Ambarella settings available. Wish they would document them.
 
I have extracted all of these commands directly from the firmware; some of them look very interesting. I hope they are useful. As I'm making an autoexec manager to create the autoexec files from a GUI, I have to test them carefully, but until my camera arrives I can't do anything with all of this. I have left the ".txt" file on my GitHub with everything that I could extract: https://github.com/kerenmac/Xiaomi-Yi

Regards!
 