Xiaomi Xiaofang S1 RTSP hack

Xiaomi-xiaofang-S1

How to flash the custom firmware:

Download: https://github.com/EliasKotlyar/Xiaomi-Dafang-Hacks/raw/master/hacks/cfw/xiaofang/cfw-1.0.bin
1: Format your microSD card to FAT32 (use a microSD card smaller than 4GB; my 16GB Kingston cards were giving me trouble).
2: Put the CFW-1.0.bin file on the microSD card and rename CFW-1.0.bin to demo.bin.
3: Insert the microSD card into the camera.
4: Hold the reset button and power on; keep pushing the reset button for 5 seconds. It should now enter flash mode. You can check via your FTDI/serial adapter.
5: Follow this: https://github.com/EliasKotlyar/Xiaomi-Dafang-Hacks/blob/master/hacks/install_cfw.md#installation-of-the-new-firmware

If you want to log in using serial:
Username: root
Password: ismart12

Do I trust this device on my network? Hell no!
The camera runs U-Boot with some sketchy firmware someone wrote. By default SSH is open with a default password :/ I think it's a matter of time before someone adds these cameras to his/her botnet…

CHANGE THE PASSWORD ONCE YOU HAVE FLASHED THE CUSTOM FIRMWARE! Or the Chinese/Russians/NSA might be watching along with you 😉 (disclaimer: they might be anyway; I'm not responsible for anything)
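Changing the password closes the SSH door, but it does not tell you what the camera itself talks to once it is on your LAN. The script below is an added example, not code from the post or from the Dafang-Hacks project: it reads kernel LOG lines of the kind an iptables "-j LOG" rule on the router emits for packets the camera sends, and counts every destination outside the home LAN. The LAN prefix (192.168.1.0/24), the camera address (192.168.1.50) and the log lines themselves are constructed for the example.

```python
"""Flag a camera's outbound connections to non-LAN destinations.

Added example, not part of the original post: parses iptables LOG-style
kernel messages and reports every (destination, protocol, port) the
camera reached outside the local network.
"""
import ipaddress
import re
from collections import Counter

LAN = ipaddress.ip_network("192.168.1.0/24")      # assumed home LAN
CAMERA_IP = ipaddress.ip_address("192.168.1.50")  # assumed camera address

# Constructed sample lines in the format of an iptables rule such as
# "-s 192.168.1.50 -j LOG --log-prefix 'CAM-OUT: '"; not from a real device.
SAMPLE_LOG = """\
Jan 12 20:01:03 gw kernel: CAM-OUT: IN=br0 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.7 PROTO=TCP SPT=41022 DPT=443 SYN
Jan 12 20:01:04 gw kernel: CAM-OUT: IN=br0 OUT=br0 SRC=192.168.1.50 DST=192.168.1.20 PROTO=TCP SPT=554 DPT=50112 ACK
Jan 12 20:01:09 gw kernel: CAM-OUT: IN=br0 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.7 PROTO=TCP SPT=41023 DPT=443 SYN
Jan 12 20:02:15 gw kernel: CAM-OUT: IN=br0 OUT=eth0 SRC=192.168.1.50 DST=198.51.100.9 PROTO=UDP SPT=5683 DPT=123
Jan 12 20:02:16 gw kernel: CAM-OUT: IN=br0 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.7 PROTO=TCP SPT=51000 DPT=443 SYN
"""

FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")


def parse_line(line):
    """Return the SRC/DST/PROTO/DPT fields of a LOG line, or None for other lines."""
    fields = dict(FIELD_RE.findall(line))
    if "SRC" not in fields or "DST" not in fields:
        return None
    return fields


def camera_egress(log_text, camera_ip=CAMERA_IP, lan=LAN):
    """Count (dst, proto, dport) for camera packets that left the LAN.

    Destinations inside the LAN, multicast and loopback are ignored, so
    RTSP viewers on the local network do not show up as findings.
    """
    hits = Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None:
            continue
        if ipaddress.ip_address(f["SRC"]) != camera_ip:
            continue
        dst = ipaddress.ip_address(f["DST"])
        if dst in lan or dst.is_multicast or dst.is_loopback:
            continue
        hits[(str(dst), f.get("PROTO", "?"), int(f.get("DPT", 0)))] += 1
    return hits


if __name__ == "__main__":
    for (dst, proto, dport), n in sorted(camera_egress(SAMPLE_LOG).items()):
        print(f"{CAMERA_IP} -> {dst} {proto}/{dport}: {n} packet(s)")
```

Run it against the router's real syslog (pipe the file into `camera_egress`) after the camera has been up for a day; any destination it lists is one you either recognise (your NTP server, your own viewer) or block at the router.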

The T20 is a quite capable processor though:

Basically there is a small Linux PC running inside that camera, without a heat sink though…

1 comment

  1. Yeah, this specific firmware by EliasKotlyar looks VEEERY sketchy to me.
    I am using other custom firmwares which look better, but this one has some IPs configured here and there in the source code, and behind those IPs there are actual servers in Russia which are working… so I wouldn't assume this is safe in any way… of course unless you change the IPs in the source code before flashing it and fully block outside traffic to/from the camera.
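Reviewing a firmware tree for hard-coded addresses before flashing, as the comment above recommends, is easy to automate. The script below is an added example, not code from the post, the commenter or the Dafang-Hacks project: it walks a directory, extracts IPv4 literals from every text file and reports the ones that are not private, loopback, link-local or multicast, with file and line number. The sample tree it builds (ntp.conf, rtsp.conf, update.sh and the addresses in them) is constructed for the example and says nothing about the real firmware's contents.

```python
"""Audit a firmware/config tree for hard-coded non-local IPv4 addresses.

Added example, not part of the original post or of the Dafang-Hacks
project: lists every public IPv4 literal in a directory tree so it can
be reviewed (and changed) before the image is flashed.
"""
import ipaddress
import os
import re
import tempfile

# Four dotted octets not glued to a longer dotted token (avoids version strings).
IPV4_RE = re.compile(r"(?<![\w.])(\d{1,3}(?:\.\d{1,3}){3})(?![\w.])")

# Ranges that never leave a home LAN; a match in one of these is not reported.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "255.255.255.255/32",
)]


def is_local(addr):
    """True if addr (str or IPv4Address) falls in one of LOCAL_NETS."""
    addr = ipaddress.ip_address(addr)
    return any(addr in net for net in LOCAL_NETS)


def ips_in_text(text):
    """Yield (lineno, IPv4Address) for every syntactically valid literal."""
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in IPV4_RE.finditer(line):
            try:
                yield lineno, ipaddress.IPv4Address(m.group(1))
            except ipaddress.AddressValueError:
                continue  # e.g. 999.1.1.1 is not an address


def audit_tree(root):
    """Return sorted (relative path, lineno, ip) tuples for non-local addresses."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the audit
            rel = os.path.relpath(path, root)
            for lineno, ip in ips_in_text(text):
                if not is_local(ip):
                    findings.append((rel, lineno, str(ip)))
    return sorted(findings)


def build_sample_tree():
    """Create a constructed firmware-like tree in a temp dir; returns its path."""
    root = tempfile.mkdtemp(prefix="cfw-audit-")
    samples = {  # constructed contents, not the real firmware's files
        "config/ntp.conf": "server 192.168.1.1\nserver 203.0.113.44   # external NTP\n",
        "config/rtsp.conf": "listen 0.0.0.0:554\nmax_clients 4\n",
        "scripts/update.sh": "#!/bin/sh\ncurl http://198.51.100.23/cfw/version-1.0.2.bin\n",
    }
    for rel, text in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
    return root


if __name__ == "__main__":
    for rel, lineno, ip in audit_tree(build_sample_tree()):
        print(f"{rel}:{lineno}: {ip}")
```

Point `audit_tree` at an unpacked copy of the firmware (or the git checkout) instead of the sample tree; every line it prints is an address the camera may contact that you should either recognise or edit out before flashing.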
