Hacking a $30 IoT camera to do more than it’s worth. by@tomac

Hacking a $30 IoT camera to do more than it’s worth.

February 28th 2018 104,714 reads
Read on Terminal Reader
react to story with heart
react to story with light
react to story with boat
react to story with money
Tomas C. HackerNoon profile picture

Tomas C.

The Xiaomi Dafang IP camera is a indoor motorized WiFi camera capable of 1080P resolution and decent night-vision, its price is cheap but in exchange you are tied to the Xiaomi’s Mi Home App & Cloud.


The Xiaomi Dafang IP camera is the successor of the $15 Xiaomi Xiaofang Camera and continues the line of Xiaomi’s range of quality inexpensive IP cameras. The new model comes with a set of new features: better image quality, MicroSD Port, a rotating gimbal, on the back a USB port which can be used to charge other devices, and a variety of alarm sensors and more. In this post, we take a closer look at camera CFW alternative open source firmware install.


Mainboard (Ingenic XBurst T20 SoC) and motor assembly.

For the lowest price (shipped from China), check out the usual retailers like Gearbest Xiaomi Dafang or Dealextreme Xiaomi Dafang (extra 5% coupon code for a better price, DX coupon: APRBRAND).

Out-of-the-box Limitations

Xiaomi has imposed a few limitations on this camera out of the box as camera footage only viewable through the MiHome app and a MiHome account is required.

Fixing the Limitations

EliasKotlyar on GitHub has released a collection of modifications (CFW) for the camera: https://github.com/EliasKotlyar/Xiaomi-Dafang-Hacks

The CFW contains of two parts:

The Custom-Firmware, which alters the original firmware to boot from microsd. It needs to be flashed instead of the original firmware. This part does not contain any custom software, its just allows you to boot from microsd. You will have to do this only once.

The CFW-Files, which contains the custom-software. You will have to install them onto your microsd-card after you completed before. You can modify this part easily by changing the files on the microsd.

Can i revert the firmware back to the original one? Yes, you can. However there is no need to revert it back. If your SD-Card does not contain the CFW-Files, you will just boot the original software.

How to flash CFW?

Download CFW-Binary. https://github.com/EliasKotlyar/Xiaomi-Dafang-Hacks/blob/master/hacks/cfw/cfw-1.3.bin

Ensure that the downloaded File-size is something about 11.1MB .

Steps to flash the hacked loader firmware:

Turn off the camera

Get a firmware binay and rename it to "demo.bin". There should be a FAT filesystem and no more files in the sdcard.

Insert the sdcard containing the firmware into the camera.

Press and hold the reset camera (setup button), then turn on the camera. Wait until the light get blue, you can release the reset button.

Wait until the firmware has finished flashing (like 5 minutes). Disconnect the power as soon as the base starts moving.

Steps to install CFW files:

Clone the repository from github. If you are on windows download the repository as zip file.

Copy everything from "firmware_mod" folder into the root of the microSD

It should look like this:

E:/├── bin├── config├── run.sh├── scripts└── www

Modify the file config/wpa_supplicant.conf on the microSD to match your wifi-settingsInsert the microSD and start the camera.

That’s it.

Which Features does the CFW contain?

  • Full working RTSP with H264/MJPEG. Based on https://github.com/mpromonet/v4l2rtspserver
  • SSH-Server(dropbear)
  • FTP-Server(bftpd)
  • Webserver(boa)
  • Image-Snap (Get Jpeg Image)
  • Horizontal/vertical motor rotation / move to center
  • Turn on/off blue/yellow/IR LEDs/IR-Cut
  • Local h264 recording possible
  • Remote Audio Playback & Recording
  • MQTT
  • Home-Assistant integration

Connecting to CFW

Once installed and setup as per the instructions open a web browser and enter the IP address of the camera in the address bar

Select services you want to run:


  • RTSP Stream(sample using MJPEG RTSP):

Once the RTSP stream is up and running at rtsp://ip-address:8554/unicast, you can to connecting to it with VLC (File > Media > Open Network Stream)

  • Local h264 recording possible:

    /system/sdcard/bin/h264Snap > /system/sdcard/video.h264

  • Audio recording/playing is also possible:

    Playing Audio:/system/sdcard/bin/ossplay /usr/share/notify/CN/init_ok.wav

    Recording Audio:/system/sdcard/bin/ossrecord /system/sdcard/test.wav

In addition you can control some functions of the camera directly from, GPIOS like the blue/yellow LED, IR Filter and IR LED, X and y motor movements etc

I use TinyCam on an Android to view my RTSP stream locally. You can get the basic PTZ stuff to work in TinyCam. Check out the instructions from MasterPIC in this thread: https://github.com/EliasKotlyar/Xiaomi-Dafang-Hacks/issues/41

I tested CFW with iSpy but over the Internet I view the stream from MotionEye running on my VIM2.


Sample night vision mode of Hanizzo

I would recommend this camera to everyone out there! You won’t find any other looking as great as this one with all those hacked extra features for such a small price!

react to story with heart
react to story with light
react to story with boat
react to story with money
. . . comments & more!