70mai Firmware Update (changing from Chinese to English)

If we check on Android with a File Explorer App (like ES File Explorer) we will find on our internal memory or SDCard root a folder called "MiDriveDashApp".
Inside this folder we will find a "midrive" file with debug information. There we can see the URL that checks for a new version (this is from my chinese version):

Code:
2018-02-05 16:11:54,592 INFO  [c.d]-[94] f--httpPost url https://jly.midrive.com.cn/otaService/checkNewVersion
2018-02-05 16:11:54,593 INFO  [c.d]-[94] f--httpPost requestBody {"body":"WLYpFfeIJiz8QpVIL7oWLiCYmgsKtGj5ohv1nknAuApv1YPcq70V0BkE7Jpfd\/XnCACIvduRg0I4\nKK5mQkhwWU8pkxJVbIgL8TJ+KWmcD8wa1eSN21Rx1vufyhXFe5+aRPZPsuappbksKgk6Y569qBbU\nxi9dhB0A+ClgQQoWjw4=\n","ts":"1517843503770","signature":"432eee52d6957g2c45ca62he97ks8u16"}
2018-02-05 16:11:55,692 DEBUG [c.d]-[148] {"resultBodyObject":{"newVersion":{"id":16,"type":1,"channel":8001001,"version":"1.0.3","description":"优化GSensor触发阈值\r\n关机过程增加兼容性处理\r\n优化录制视频逻辑","downloadUrl":"http:\/\/rom-cdn.midrive.com.cn\/SD_CarDV_70mai_1_0_3.zip","fileSize":3167014,"md5":"2e4136f88ccaba49309d53ac3325030e","valid":2,"uploadTimestamp":1513751858000,"createTimestamp":1513751858000,"updateTimestamp":1513768043000},"newVersionExist":true},"error":false,"errorMessage":null,"errorCode":0}
2018-02-05 16:11:56,309 DEBUG [c.d]-[148] {"resultBodyObject":"DONE","error":false,"errorMessage":null,"errorCode":0}
 
There is no such file for the APP from play store. It is checking for the new version of firmware but such file is not created.

Krawiec
 
Well, I have decompiled the international App and found out that the JSON URL that is used to check for an update is the following:
Code:
https://int-api.70mai.com/versionApi/V2/checkNewRomFromApp

JSON Parameters:
JSON:
{"deviceType":"0","deviceModule":"0","baseVersion":"0","baseSubversion":"0"}

The problem is that I do not know what parameter values are needed and I become always the same error:
JSON:
{"resultBodyObject":null,"error":true,"errorMessage":"eXCEPTION!","errorCode":-1}

Maybe someone here will find out how to get a "Success" response... :)
 
I've made some reverse engineering with the new version of the app and here are my findings:

To check if the new version of firmware exists the app is using https://int-api.70mai.com (international version) or us-api.70mai.com (us version)
and it is sending:

POST /versionApi/V2/checkNewRomFromApp HTTP/1.1
_ver_: 1.0.0
_product_: 70mai
_os_: Android
Content-Type: application/json; charset=utf-8
Content-Length: 175
Host: int-api.70mai.com
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: okhttp/2.4.0

{"deviceId":"84:20:96:8a:17:85","baseSubversion":"a","token":"b0bfe117-be4c-49ac-8598-d5973ddc6834","deviceType":8,"deviceModule":8001,"channel":8001001,"baseVersion":"1.0.3"}

After that is getting the answer

{"resultBodyObject":{"newVersion":false,"version":null,"versionOrder":null,"subVersion":null,"fileUrl":null,"fileMd5":null,"fileSize":null,"desc":null,"packageId":null,"releaseTime":null},"error":false,"errorMessage":null,"errorCode":0}

The simple change of the baseVersion parameter is not causing that we will get the link to the software. I'm trying to find what else need to be change to get the link.

Krawiec
 
Michael,

I'm using linux openssl with s_client mode.
openssl s_client -connect int-api.70mai.com:443

And after establishing connection you need to paste the data

Krawiec
 
I think the problem is with the token. If I change all the parameter values to zero:
JSON:
{"deviceId":"0","baseSubversion":"0","token":"b0bfe117-be4c-49ac-8598-d5973ddc6834","deviceType":0,"deviceModule":0,"channel":0,"baseVersion":"0"}
I got the same response:
JSON:
{"resultBodyObject":{"newVersion":false,"version":null,"versionOrder":null,"subVersion":null,"fileUrl":null,"fileMd5":null,"fileSize":null,"desc":null,"packageId":null,"releaseTime":null},"error":false,"errorMessage":null,"errorCode":0}
If I change the token I get an error:
JSON:
{"resultBodyObject":null,"error":true,"errorMessage":"invalid token","errorCode":500001}
I think that the token identifies the dashcam and Xiaomi is recording this on a database with the last installed firmware on this dashcam...
 
Michael,

I'm using linux openssl with s_client mode.
openssl s_client -connect int-api.70mai.com:443

And after establishing connection you need to paste the data

Krawiec

But how did you find out what is the App sending? Did you use a special App on your Android device?
 
Are you able to check with the decompiled app if the token is generated by the app or downloaded from the device?

Krawiec
 
Michael,

How did you find the JSON URL in the APP? For the us version there is different URL as https://us-api.70mai.com//versionApi/V2/checkNewRomFromApp version is not working (404 not found). The Chinese version is using URL:
https://jly.midrive.com.cn//versionApi/V2/checkNewRomFromApp but when trying to check it with my token it I'm getting the error. So I think the app is generating the token itself using probably the device serial number (or WiFi MAC) and the installed software version.

Krawiec
 
Are you able to check with the decompiled app if the token is generated by the app or downloaded from the device?

Krawiec

This is what I have, but it is all with generic names for functions and variables, so more difficult to find out how the token is generated:
Java:
    public void m6051a(Long l, Integer num, Integer num2, String str, String str2, String str3) {
        this.f5237c = str;
        DBDeviceOtaInfo f = this.f5238d.m6076f(str);
        if (f == null || f.getQueryTime() == null || System.currentTimeMillis() - f.getQueryTime().longValue() >= 5000) {
            TokenRequestBody tokenRequestBody = new TokenRequestBody(this.a);
            if (num != null) {
                tokenRequestBody.setChannel(l);
                tokenRequestBody.addParam("deviceType", num);
                tokenRequestBody.addParam("deviceModule", num2);
            }
            tokenRequestBody.addParam("deviceId", str);
            tokenRequestBody.addParam("baseVersion", str2);
            tokenRequestBody.addParam("baseSubversion", str3);
            m6029b().mo3208a(C1236d.m6100a(this.a).m6101a().interfaces.host + "/versionApi/V2/checkNewRomFromApp", tokenRequestBody.toString(), (C1175b) this);
            return;
        }
        this.b.mo2985a(f);
    }
 
Last edited:
Michael,

How did you find the JSON URL in the APP? For the us version there is different URL as https://us-api.70mai.com//versionApi/V2/checkNewRomFromApp version is not working (404 not found). The Chinese version is using URL:
https://jly.midrive.com.cn//versionApi/V2/checkNewRomFromApp but when trying to check it with my token it I'm getting the error. So I think the app is generating the token itself using probably the device serial number (or WiFi MAC) and the installed software version.

Krawiec

I have download the APK file on the internet (just search for com.banyac.midrive.app.intl on google).
Then just used an online APK decompiler: http://www.javadecompilers.com/apk
 
I think the key to get the English firmware is to find how the token is generated and then get all needed parameters from English version of course if APP is the same for both languages.
I will try to downgrade my cam to 1.0.2 to get the url for the 1.0.3 firmware.

Krawiec
 
I think the key to get the English firmware is to find how the token is generated and then get all needed parameters from English version of course if APP is the same for both languages.
I will try to downgrade my cam to 1.0.2 to get the url for the 1.0.3 firmware.

Krawiec
do you also have an english version of the cam?
 
do you also have an english version of the cam?
No. I have Chinese. I'm wondering if you are able to install packet capture on your mobile and check where the English version is looking for the new firmware and post the result here.

Krawiec
 
Please for all who have the ENGLISH version with the ENGLISH voice try to check the following directory (see the image). With any luck you should have the bin file there. If there was an ota update then it should be stored there. I have the Chinese version and got an update from 1.0.2 to 1.0.3 and that bin file showed up and it's there even after installation through app. I know that this might be silly, but I also need that ENGLISH bin file badly :D

Screenshot_2018-03-28-17-48-18-864_com.android.fileexplorer.png
 
The new international app is ****ed-up. I've downgraded my second camera to version 1.0.2 add it to the app and have the same token when trying to check for updates. Of course the app is saying that the firmware is up-to-date and indicating that the newest version is 1.0.2. I even created a new user and get a new token, but still have information that firmware is up-to-date.
I don't have futer ideas how to find the link to the english firmware.

Krawiec
 
The new international app is ****ed-up. I've downgraded my second camera to version 1.0.2 add it to the app and have the same token when trying to check for updates. Of course the app is saying that the firmware is up-to-date and indicating that the newest version is 1.0.2. I even created a new user and get a new token, but still have information that firmware is up-to-date.
I don't have futer ideas how to find the link to the english firmware.

Krawiec

Hello, please with the international app you mean the EU app? Because there is also an US app. Actually there are 3kinds(US,EU and Chinese). I can try to download the US version with vpn if that could somehow help you.
 
Hello, please with the international app you mean the EU app? Because there is also an US app. Actually there are 3kinds(US,EU and Chinese). I can try to download the US version with vpn if that could somehow help you.
There are four Android apps.
1. Chinese - newest version 1.0.4 - still available for download.
2. English - same as Chinese but in English - installing as "70mai dash cam", dash cam pictograph as app icon - it was available for download from the http://www.70mai.com/en/, currently not.
3. New International English - version 1.0.0 - installing as "70mai", "70" as app icon - available in play store
4. New US English - same as 3 but with different servers in configuration xml file

Actually the OTA service for number 2 is not working - "Could not check error in app". When trying to connect manually I've got an error 404 so the update service is currently not available on the server. This version has also some bugs - for example the initial WiFi state configuration is switched. So when we set it to "ON" in the app it will be "OFF".

The difference between US and international version is only a different set of servers that are in the configuration file. Actually the OTA service for US version is not working - there is no OTA service installed on the US server. Not sure if there are no other differences (language maybe) between those two.

The OTA service for the international app is working but is returning always that no update is available.

Currently I think that the English version of the firmware is not available via the OTA service. Only English cams have it and it is some initial or even beta version.

I don't know if there is a way to access camera internal memory via USB.

Krawiec
 
Back
Top