Xiaomi imilab ec2

Hello friends..
I would like to set up an RSP server so I can view my camera without depending on the XIAOMI cloud, could anyone help me with how I can get the service running?

I leave some settings about the hardware, if you need more information just ask!!

root@hodor:/etc# cat /proc/version
Linux version 3.10.14 (kyle@kyle) (gcc version 4.8.3 (OpenWrt/Linaro GCC 4.8-2014.04 unknown) ) #245 Fri Mar 6 18:16:37 CST 2020
root@hodor:/etc#  cat /proc/cpuinfo
system type             : MT7628
machine                 : Unknown
processor               : 0
cpu model               : MIPS 24KEc V5.5
BogoMIPS                : 382.46
wait instruction        : yes
microsecond timers      : yes
tlb_entries             : 32
extra interrupt vector  : yes
hardware watchpoint     : yes, count: 4, address/irw mask: [0x0ffc, 0x0ffc, 0x0ffb, 0x0ffb]
isa                     : mips1 mips2 mips32r1 mips32r2
ASEs implemented        : mips16 dsp
shadow register sets    : 1
kscratch registers      : 0
core                    : 0
VCED exceptions         : not available
VCEI exceptions         : not available

root@hodor:/etc# ps
    1 root      1420 S    /sbin/procd
    2 root         0 SW   [kthreadd]
    3 root         0 SW   [ksoftirqd/0]
    4 root         0 SW   [kworker/0:0]
    5 root         0 SW<  [kworker/0:0H]
    6 root         0 SW   [kworker/u2:0]
    7 root         0 SW<  [khelper]
   62 root         0 SW<  [writeback]
   64 root         0 SW<  [bioset]
   66 root         0 SW<  [kblockd]
   71 root         0 SW   [khubd]
   91 root         0 SW   [kworker/0:1]
   98 root         0 SW   [kswapd0]
   99 root         0 SW   [fsnotify_mark]
  100 root         0 SW<  [crypto]
  185 root         0 SW<  [deferwq]
  200 root         0 SW<  [kworker/0:1H]
  245 root         0 SWN  [jffs2_gcd_mtd6]
  405 root       892 S    /sbin/ubusd
  684 root      1048 S    /sbin/logd -S 16
  726 root      1572 S    /sbin/netifd
  742 root      1184 S    /usr/sbin/odhcpd
  856 root      1468 S    /usr/sbin/crond -f -c /etc/crontabs -l 5
  957 mosquitt  1344 S    /usr/sbin/mosquitto -c /etc/mosquitto/mosquitto.conf
  969 root         0 SW   [RtmpCmdQTask]
  970 root         0 SW   [RtmpWscTask]
  971 root         0 SW   [RtmpMlmeTask]
 1022 root      1468 S    udhcpc -p /var/run/udhcpc-apcli0.pid -s /lib/netifd/dhcp.script -f -t 0 -i apcli0 -C
 1042 root      1464 S    syslogd -S -s 200 -O /tmp/messages
 1046 root      1476 S    telnetd
 1107 root      1136 S    /usr/sbin/uhttpd -f -h /tmp/camera -r hodor -x /cgi-bin -n 3 -p -p [::]:80
 1304 nobody    1068 S    /usr/sbin/dnsmasq -C /var/etc/dnsmasq.conf -k
 1307 root     32156 S    cm-ipcamera -d
 1315 root         0 SW   [kworker/u2:2]
 1333 root      3680 S    miio_client -D
 1334 root      1512 S    {miio_client_hel} /bin/sh /usr/bin/miio_client_helper.sh
 1436 root      9080 S    miio_log
 1451 root      2088 S    ipcamera-daemon
 1525 root      1480 S    -ash
 1624 root      1476 T    vi openwrt_version
 1629 root      1476 T    vi openwrt_version
 1659 root      1476 T    vi device_info
 1669 root      1480 T    vi diag.sh
 1688 root      1476 T    vi miio/
 1702 root      1476 T    vi openwrt_release
 2502 root      1320 S    /usr/bin/mqtt_recv_line
 2769 root      1468 R    ps

run free and cat /proc/mtd , 8/64 will be one-mans show, less unsupportable.

root@hodor:/# free
             total         used         free       shared      buffers
Mem:         61420        38024        23396            0         4484
-/+ buffers:              33540        27880
Swap:            0            0            0
root@hodor:/#  cat /proc/mtd
dev:    size   erasesize  name
mtd0: 01000000 00010000 "ALL"
mtd1: 00030000 00010000 "Bootloader"
mtd2: 00010000 00010000 "Config"
mtd3: 00010000 00010000 "Factory"
mtd4: 00fb0000 00010000 "firmware"
mtd5: 00e86a23 00010000 "rootfs"
mtd6: 000f0000 00010000 "rootfs_data"

It is some proprietary firmware based on 10 years old OpenWRT. Device is not supported by OpenWRT, and having no wired ports unlikely to ever be....

I have access via UART or Telnet


Try to get binwalk running, you will need pip install --local -r requirements.txt some of filesystem extractors.

So sweet of them to leave mtd0/etc/kernel.config for examination.
And mtd0/lib/network/switch.sh with switch init registers

I did the extraction with binwalk but now I don't know what I should do next.
I tried checking several files, without success.

But this file cm-ipcamera caught my attention because of this:

2139          0x85B           mcrypt 2.2 encrypted data, algorithm: blowfish-448, mode: CBC, keymode: 8bit
2180          0x884           ESP Image (ESP32): segment count: 3, flash mode: QUIO, flash speed: 40MHz, flash size: 1MB, entry address: 0x2a1
9012          0x2334          ESP Image (ESP32): segment count: 2, flash mode: QUIO, flash speed: 40MHz, flash size: 1MB, entry address: 0x26a
35661         0x8B4D          Unix path: /home/kyle/Object/Cm/hodor-hub-op/build_dir/target-mipsel_24kec+dsp_uClibc-
97175         0x17B97         JBOOT SCH2 kernel header, compression type: none, Entry Point: 0x2B1D012, image size: 33566756 bytes, data CRC: 0x2FFF212, Data Address: 0x2000624, rootfs offset: 0xBF00FC12, rootfs size: 1057167 bytes, rootfs CRC: 0xB100F802, header CRC: 0xB000F48F, header size: 2191 bytes, cmd line length: 57344 bytes
110245        0x1AEA5         JBOOT STAG header, image id: 2, timestamp 0x4C240600, image size: 1168351744 bytes, image JBOOT checksum: 0x200, header JBOOT checksum: 0x5024
114905        0x1C0D9         JBOOT STAG header, image id: 2, timestamp 0xB817C200, image size: 1160225281 bytes, image JBOOT checksum: 0x300, header JBOOT checksum: 0x7C3C
136109        0x213AD         JBOOT STAG header, image id: 5, timestamp 0x10240603, image size: 2377097728 bytes, image JBOOT checksum: 0x105B, header JBOOT checksum: 0xCC0C
187105        0x2DAE1         JBOOT STAG header, image id: 5, timestamp 0x10240600, image size: 2377097728 bytes, image JBOOT checksum: 0x105B, header JBOOT checksum: 0x7C0C
228617        0x37D09         JBOOT STAG header, image id: 2, timestamp 0x21120200, image size: 167919656 bytes, image JBOOT checksum: 0x0, header JBOOT checksum: 0xC12
324737        0x4F481         JBOOT STAG header, image id: 3, timestamp 0x129200, image size: 2617245696 bytes, image JBOOT checksum: 0x400, header JBOOT checksum: 0x38E
327969        0x50121         JBOOT STAG header, image id: 3, timestamp 0x144300, image size: 1207959552 bytes, image JBOOT checksum: 0x1400, header JBOOT checksum: 0xC48E
339840        0x52F80         Unix path: /etc/config/wifi.conf
346228        0x54874         Unix path: /home/kyle/Object/Cm/hodor-hub-op/build_dir/target-mipsel_24kec+dsp_uClibc-
350400        0x558C0         Unix path: /home/kyle/Object/Cm/hodor-hub-op/build_dir/target-mipsel_24kec+dsp_uClibc-
360064        0x57E80         Unix path: /home/kyle/Object/Cm/hodor-hub-op/build_dir/target-mipsel_24kec+dsp_uClibc-

I don't know if I'm on a good path...


It is cryptographically signed camera module firmware that is not v4l compatible. Without that I think it is quite useless to run OpenWRT there.
There are some camera hacking forums, basically you add RTSP server grabbing images from proprietary camera API and some file browser to device and can access camera and recordings off-cloud. Not here but check for any xiaomi cameras, if somebodu made mips32 binaries ready they worth trying.