WyzeCam without SD card?

Disclaimer:

I’m doing this purely for fun. I have no guarantee this will work for you. It may brick your wyze camera, void your warranty or cause other damages. So do this at your own risk and don’t blame on me if bad things happen.

What else do you usually put into your shopping cart when you buy a Wyze Camera? Yep, an SD card. Wyze camera provides great cloud service, which includes uploading 12 seconds of motion clips onto AWS for free. However, it’s always good to put an SD card into the camera, so you get local recordings, and other features such as timelapse, etc. Some people also prefer continuous recording on SD card so you can always review what happened in last couple days.

However, there are some issues with SD card:

  1. Capacity: I didn’t try but searching around with google says the maximum SD card capacity Wyze camera support is 32GB. That sounds like a lot, but if you do continuous recording, it can quickly run out. Luckily there is loop recording feature, which means older recordings will be deleted so you will end up only a couple days recordings.
  2. Durability: In additional to capacity, durability is also a big concern if you are doing continuous recording. I’ve heard and experienced many instances that the SD card gets corrupted after some period. The last thing you want is finding out all the recordings on the SD card are not readable when something bad happened.
  3. Accessibility: Sure you can use the app to view the recordings, but it’s not very convenient to scroll in that small timeline. So you end up unplug the SD card, and copying all your recordings onto your computer. But that doesn’t work out very well if you need to do this every couple days, or if you need to access a camera mounted high.
  4. Data safety: If you are using wyze camera as security cameras, and relying on the recordings on the SD card. An intruder can easily grab your camera and then you lose everything, except the 12 second cloud recording.
  5. Cost: With the technology getting more advanced, the cost of the SD card is no longer such a big deal. However, consider that the camera only cost $20, a $10 SD card is still a significant portion of the overall cost.

Because of all the above reasons, there are always feature request about supporting alternative storage solutions, such as network share, etc. As a result, Wyze also published the separate RTSP firmware, which, partially addressed this issue.  But, by using the RTSP firmware, I believe (didn’t try) you also lose some features provided by the main firmware.

I’ve been using and studying Wyze camera for quite a while and I’m amazed on what you can do with this little thing. So today, i’m going to present my solution to the SD card, without sacrificing any of the wyze features.

First, let me show you a picture:

20190716234946

See the capacity of my SD card? Of course there is no such SD card (well, there may be, but definitely not affordable to me…). So here is how I made it…

The work involves tearing apart a wyze camera, soldering UART cables, and openning TTY consoles, looking into it’s firmware, and logging, etc. It’s a long story but I will try to make it short:

  1. Wyze camera runs on an embedded Linux system. This means there are common Linux features, such as shell, kernel, file system, etc. The Wyze camera’s primary functionality is provided by an userspace executable named iCamera.
  2. Wyze camera does no signature check on it’s firmware. This is good for DIYers, because that means you can make your own modifications to the firmware, or even creating completely different firmware, and easily run it on the hardware.
  3. When started, the iCamera will create a dedicated thread, checking if the SD card is inserted or not. If it’s found, it will mount the SD card, using the standard Linux “mount” command.
  4. The SD card is mounted to “/media/mmcblk0p1” (assuming you don’t have any other removable storage, and there is only one partition on the SD card). Once mounted, a local recording thread will start recording clips.
  5. Surprisingly, the local recording is not directly saved onto the sd card. Instead, it’s recorded under /tmp, which is a temporary file system backed by RAM. The recording last for one minute, exactly.
  6. Once the one minute recording is done, the recording thread will do a “cp” command, copying the recording to SD card, based on the timestamp. If you are doing continuous recording, that happens for the clip of every minute; if you are doing event only, then the copy will only happen if there was a motion event in last minute.
  7. The recording thread also checks the capacity of the SD card using “df” command from time to time. So if the free space is less than 60% (or something), it will start enumerate all the files, and removing the oldest ones till there is enough free space.
  8. By randomly checking around, I found the kernel by default support NFS, which is a linux network based file system (similar to windows file sharing service).

OK, so here is my idea:

  1. First I don’t want patch the binary of iCamera, which may disrupt Wyze’s builtin features.
  2. I can manually mount NFS share to “/media/mmcblk0p1”. However, this doesn’t work, because wyse won’t start recordings, if there is no SD card insertion detected.
  3. I noticed in latest firmware, Wyze checks the existence of /dev/mmcblk0 and /dev/mmcblk0p1 as an indication of SD card present. So all I need is “touch” these two files after I mount the NFS share.
  4. Well, that sort of worked, but Wyze will try to mount the SD card which of course will fail, causing the entire thing not work.
  5. I noticed Wyze is doing the mount operation by simply calling “mount” command. So, i just throw in a shell script, name it “mount” into one of the folder in the system path environment. Wyze will happily run that, instead of the real “mount” tool. In the script, i simply returns “success”.
  6. Now I heard the nice beep sound which usually happens when you insert the physical card, and the recording works!
  7. Since wyze is using “df” command to check the free space, i’m getting something like “2 terabytes” from the phone app, which is the size of my NAS disk.

OK, so prototyping works. But there is one more question:

I did all this from the serial console, which you can only get by physically opening the camera and soldering some wires. Not even as convenient as using actual SD card. I need something easier without breaking my hardware. That took a bit longer until I found two approaches:

  1. When Wyze is deleting old SD content, it’s using “rm -rf <dir_name>”. The “<dir_name>” comes from the SD card without sanitization.  So if I create a folder named “;telnetd”, it will happily run “rm -rf ;telnetd”, which, if you are familiar with Linux shell, starts a tool called “telnetd”.  So, to try it out, I picked a small SD card (1GB size), format it, and fill it all the way to its 60% capacity. And then created a directory called “/record/;telnetd”. A couple seconds after I inserted the SD card into camera, I found I can telnet into the camera.
  2. I was using the “deleting old SD content” method for quite a while, until later I found an easier one: Wyze support upgrading from SD card. So what you do is copying a firmware file named FIRMWARE_660R.bin, and a version.ini onto the root of the SD card. When you insert the SD card, it will apply the update. So what’s in FIRMWARE_660R.bin? After analyzing the code, the bin file is actually a .tar archive. When applying update, it will untar the archive, and then look for a special shell script, and run it! There is no signature checks! So this basically gives me arbitrary code executions. Nice!

So, i think I finally have something working without opening the physical hardware. Btw, once you have telnetd running, always run “echo 1>/configs/.Server_config” first. This command will create a flag file, which is used to tell the wyze firmware to always run telnetd when starting. So you don’t have to use the above tricks every time after you reboot your camera.

Well, it’s quite a lot text here. Sounds complicated, right? No worries, I packed everything together into an “easy-to-use” “WyzeHacks” github project. All you need is following the steps in the README file.

You can now run your wyze camera without SD cards, and have all the recordings directly saved onto your NFS share!

 

This entry was posted in Computer and Internet, IOT, programming, reverse engineering. Bookmark the permalink.

25 Responses to WyzeCam without SD card?

  1. rahlquist says:

    Your mention of the sd wearing out, reminded me of something I saw recently. A microsd to eMMC adapter. for like $25 w/16gb eMMC on it.

    • hclxing says:

      sure, other storage solutions do exist, but if there is an easier/cheaper way, why not just use it.

      • rahlquist says:

        Oh I dont disagree at all, but for users who dont have an external storage space etc the other provides what may be a more reliable long term solution, than being stuck with an SD.

  2. Justin says:

    So, this is cool. I need to set up a FreeNAS VM. What other interesting things can be done? Can SMB support be added with the arbitrary execution bug? Does the kernel support a USB ethernet adapter? Can support be added?

    • hclxing says:

      Well, it’s an embedded linux so many things are possible. You can even rebuild your own kernel image but in my case i’m looking for minimal/non-invasive modifications, of which I don’t know if SMB/USB ethernet adapters are supported. I think the easiest way to figure out is just try it…

  3. cr08 says:

    You mention early on getting in through the UART connection in the camera. How possible is it to skip the SD card steps altogether and set all this up exclusively through the UART access?

    Reason I ask is I do have a spare v2 cam that has a completely bunk SD reader that I’d be willing to throw at this to try out but obviously no way any longer to do stuff that relies on SD card usage including the Dafang hacks and currently it is restricted to the basic 12s event clips uploaded to AWS. Ultimately if it breaks in the process there’s nothing lost as this one has essentially been collecting dust for a while now.

  4. Tim Hall says:

    Do you have a youtube channel? I would love to follow if so.
    Thanks

  5. tom says:

    Is this still working with all the latest firmware releases from Wyze?

  6. TheDon says:

    Just tried installing the wyzehacks – and now get a “cannot find specified network name”.

    The file /tmp/wpa_supplicant.conf exists and looks ‘normal’… see below.
    I’ve manually killed the wpa_supplicant instance 768 and tried rerunning manually.
    761 root 4388 S wpa_supplicant -D nl80211 -iwlan0 -c/tmp/wpa_supplicant.conf -B

    When I remove the /tmp/wpa_supplicant.conf and try re-connect using the app….. I again get the ‘cannot find specified name’ error.

    Any ideas on this?

    [root@Ingenic-uc1_1:~]# cat /tmp/wpa_supplicant.conf

    ctrl_interface=/var/run/wpa_supplicant
    ap_scan=0
    network={
    ssid=”My-network”
    key_mgmt=WPA-PSK
    pairwise=CCMP TKIP
    group=CCMP TKIP WEP104 WEP40
    psk=”password!shere”
    scan_ssid=1
    priority=2
    }

  7. rhauff says:

    Thanks for the great work! I have been using this for a couple months on Wyze Cam V2 with FW 4.9.5.36 and it is working nicely. I would like to turn on the Auto Reboot as I have noticed a few times that my cams will stop recording. Is it possible to telnet in & just change a config for that, rather than editing the config.inc & re-running install.sh.
    Thanks!

    • hclxing says:

      Sure, just telnet in, and go find config.inc under system/wyze_hack. you can modify it from there using vi and then reboot should make the change effective.

      • Rhauff says:

        Works perfectly. It took me a few days to verify, missed the fact that the reboot time is UTC, then found there is also a two minute delay.
        Thanks!

  8. Troy Bos says:

    I’ve inserted the SD Card with all files at the root, but nothing happens. I hear the sound that indicates the SD card was inserted, but nothing about installing anything. Do I have to push the button or plug and unplug the camera?

  9. Troy Bos says:

    After the I here “Installation completed” and I remove the SD card it still tells me there is no SD card and I can’t turn on recording. Why might this not be working?

    • hclxing says:

      well, you will need to debug your way out by checking the logs. It’s very likely you have some incorrect NFS settings causing the issue. If you telnet into the device, you should be able to see logs in /tmp/boot.log. Search “NFS” for details.

  10. Praneeth Reddy says:

    Thanks for the great detective work here. I have been able to follow along on most things. One question though – is there any way to view all the detailed logs via telnet instead of via a direct serial connection?

    I tried to cat /dev/console and some other tty devices to no avail.

    P.s. Dmesg only shows the boot log, not the running output (sprintf or kernel messages?) .

    • hclxing says:

      Yes, with the wyzehack installation, it redirects the console logs to /tmp/boot.log. And even better, if you enable the “sync log” option in config file at installation, (or you can do by editing /params/wyzehacks.cfg after installation), the logs will be synchronized (about ~5 seconds delay) to your NFS share as well.

  11. David says:

    Very cool! I did need to spend a couple of hours with it but now it is working. My issues:

    1) I read “Extract the release archive to the root directory of the SD card” as “copy the entire repo to the SD card”….my bad… Perhaps better wording:
    Unzip WyzeHacks/release/wyze_hacks_X_X_XX.zip to root directory of SD card.

    2) My NFS drive would not mount. I am running nfs-server on latest Fedora 32. If anybody is interested the following is required:
    setenforce Permissive # Figure out SElinux later
    firewall-cmd –permanent –add-service=nfs
    firewall-cmd –permanent –add-service=mountd
    firewall-cmd –permanent –add-service=rpc-bind
    firewall-cmd –reload
    # Edit /etc/exports
    systemctl start nfs-server

    Thanks Again

  12. ScottK says:

    Finally got around installing this, after wanting to check it out for quite awhile.
    Awesome job getting into the system.

    I am shocked at how un-locked down it is.
    Firmware not signed, filesystems aren’t read-only, etc.

    Not much space on the device to do things, but with your NFS mount, you don’t really need space. You can store cross compiled binaries on the other side of the NFS mount, and just run them as needed.

    One thing that is intriguing to me, is the raw .mp4 file it dumps into the memory file in /tmp.
    It appears to rotate between record.mp4 and record1.mp4.
    But more importantly, it appears they are feeding those files live.
    I have not attempted to see how real-time it is, but I am guessing it probably is close to live.

    I know Wyze has an RTSP firmware already, but supposedly it is pretty flaky.
    It might be interesting to create a simple socket server that eats those record files live, and dumps the data over a connected socket. (Perhaps use VLC to connect to it and watch?)

    The other thing I was thinking of investigating is the USB connection for the bridge.
    Not sure if you are aware, but Wyze came out with Web Cam firmware.
    It uses that USB port for the data transfer of all the Web Cam data.
    (And I was able to power the cam from that same connection/cable as well)

    Would it be interesting to see if we could send the live video data across USB? Effectively creating a wired version of the Wyze cam?

  13. Ken says:

    Is it possible to tee the recordings to both the SD card and NFS share simultaneously?

    • hclxing says:

      possible, but you will have to know the right file name to tee.

    • David says:

      The SD card is replaced by the NFS share (the NFS share is mounted on top of the directory of the SD card, so in my cameras there is no SD card present.

      The NFS share does not get the recordings in ‘real time’, so using ‘tee’ doesn’t make much sense. At the end of each minute the Wyze software copies a file to the NFS share for the previous minute. I believe the live recordings are built in /tmp. The file ‘record.mp4’ and ‘record1.mp4’ can be seen growing, and at the end of a minute that is the file copied to the SD card (aka NFS share) by the Wyze Software.

      What I think you are asking, is the same question I have asked….how to get the recording in ‘realtime’ so we can stream the video. Somehow the /tmp/record.mp4 and /tmp/record1.mp4 video files would need to be streamed but I am not sure how possible that is.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s