I’m doing this purely for fun. I have no guarantee this will work for you. It may brick your wyze camera, void your warranty or cause other damages. So do this at your own risk and don’t blame on me if bad things happen.
What else do you usually put into your shopping cart when you buy a Wyze Camera? Yep, an SD card. Wyze camera provides great cloud service, which includes uploading 12 seconds of motion clips onto AWS for free. However, it’s always good to put an SD card into the camera, so you get local recordings, and other features such as timelapse, etc. Some people also prefer continuous recording on SD card so you can always review what happened in last couple days.
However, there are some issues with SD card:
- Capacity: I didn’t try but searching around with google says the maximum SD card capacity Wyze camera support is 32GB. That sounds like a lot, but if you do continuous recording, it can quickly run out. Luckily there is loop recording feature, which means older recordings will be deleted so you will end up only a couple days recordings.
- Durability: In additional to capacity, durability is also a big concern if you are doing continuous recording. I’ve heard and experienced many instances that the SD card gets corrupted after some period. The last thing you want is finding out all the recordings on the SD card are not readable when something bad happened.
- Accessibility: Sure you can use the app to view the recordings, but it’s not very convenient to scroll in that small timeline. So you end up unplug the SD card, and copying all your recordings onto your computer. But that doesn’t work out very well if you need to do this every couple days, or if you need to access a camera mounted high.
- Data safety: If you are using wyze camera as security cameras, and relying on the recordings on the SD card. An intruder can easily grab your camera and then you lose everything, except the 12 second cloud recording.
- Cost: With the technology getting more advanced, the cost of the SD card is no longer such a big deal. However, consider that the camera only cost $20, a $10 SD card is still a significant portion of the overall cost.
Because of all the above reasons, there are always feature request about supporting alternative storage solutions, such as network share, etc. As a result, Wyze also published the separate RTSP firmware, which, partially addressed this issue. But, by using the RTSP firmware, I believe (didn’t try) you also lose some features provided by the main firmware.
I’ve been using and studying Wyze camera for quite a while and I’m amazed on what you can do with this little thing. So today, i’m going to present my solution to the SD card, without sacrificing any of the wyze features.
First, let me show you a picture:
See the capacity of my SD card? Of course there is no such SD card (well, there may be, but definitely not affordable to me…). So here is how I made it…
The work involves tearing apart a wyze camera, soldering UART cables, and openning TTY consoles, looking into it’s firmware, and logging, etc. It’s a long story but I will try to make it short:
- Wyze camera runs on an embedded Linux system. This means there are common Linux features, such as shell, kernel, file system, etc. The Wyze camera’s primary functionality is provided by an userspace executable named iCamera.
- Wyze camera does no signature check on it’s firmware. This is good for DIYers, because that means you can make your own modifications to the firmware, or even creating completely different firmware, and easily run it on the hardware.
- When started, the iCamera will create a dedicated thread, checking if the SD card is inserted or not. If it’s found, it will mount the SD card, using the standard Linux “mount” command.
- The SD card is mounted to “/media/mmcblk0p1” (assuming you don’t have any other removable storage, and there is only one partition on the SD card). Once mounted, a local recording thread will start recording clips.
- Surprisingly, the local recording is not directly saved onto the sd card. Instead, it’s recorded under /tmp, which is a temporary file system backed by RAM. The recording last for one minute, exactly.
- Once the one minute recording is done, the recording thread will do a “cp” command, copying the recording to SD card, based on the timestamp. If you are doing continuous recording, that happens for the clip of every minute; if you are doing event only, then the copy will only happen if there was a motion event in last minute.
- The recording thread also checks the capacity of the SD card using “df” command from time to time. So if the free space is less than 60% (or something), it will start enumerate all the files, and removing the oldest ones till there is enough free space.
- By randomly checking around, I found the kernel by default support NFS, which is a linux network based file system (similar to windows file sharing service).
OK, so here is my idea:
- First I don’t want patch the binary of iCamera, which may disrupt Wyze’s builtin features.
- I can manually mount NFS share to “/media/mmcblk0p1”. However, this doesn’t work, because wyse won’t start recordings, if there is no SD card insertion detected.
- I noticed in latest firmware, Wyze checks the existence of /dev/mmcblk0 and /dev/mmcblk0p1 as an indication of SD card present. So all I need is “touch” these two files after I mount the NFS share.
- Well, that sort of worked, but Wyze will try to mount the SD card which of course will fail, causing the entire thing not work.
- I noticed Wyze is doing the mount operation by simply calling “mount” command. So, i just throw in a shell script, name it “mount” into one of the folder in the system path environment. Wyze will happily run that, instead of the real “mount” tool. In the script, i simply returns “success”.
- Now I heard the nice beep sound which usually happens when you insert the physical card, and the recording works!
- Since wyze is using “df” command to check the free space, i’m getting something like “2 terabytes” from the phone app, which is the size of my NAS disk.
OK, so prototyping works. But there is one more question:
I did all this from the serial console, which you can only get by physically opening the camera and soldering some wires. Not even as convenient as using actual SD card. I need something easier without breaking my hardware. That took a bit longer until I found two approaches:
- When Wyze is deleting old SD content, it’s using “rm -rf <dir_name>”. The “<dir_name>” comes from the SD card without sanitization. So if I create a folder named “;telnetd”, it will happily run “rm -rf ;telnetd”, which, if you are familiar with Linux shell, starts a tool called “telnetd”. So, to try it out, I picked a small SD card (1GB size), format it, and fill it all the way to its 60% capacity. And then created a directory called “/record/;telnetd”. A couple seconds after I inserted the SD card into camera, I found I can telnet into the camera.
- I was using the “deleting old SD content” method for quite a while, until later I found an easier one: Wyze support upgrading from SD card. So what you do is copying a firmware file named FIRMWARE_660R.bin, and a version.ini onto the root of the SD card. When you insert the SD card, it will apply the update. So what’s in FIRMWARE_660R.bin? After analyzing the code, the bin file is actually a .tar archive. When applying update, it will untar the archive, and then look for a special shell script, and run it! There is no signature checks! So this basically gives me arbitrary code executions. Nice!
So, i think I finally have something working without opening the physical hardware. Btw, once you have telnetd running, always run “echo 1>/configs/.Server_config” first. This command will create a flag file, which is used to tell the wyze firmware to always run telnetd when starting. So you don’t have to use the above tricks every time after you reboot your camera.
Well, it’s quite a lot text here. Sounds complicated, right? No worries, I packed everything together into an “easy-to-use” “WyzeHacks” github project. All you need is following the steps in the README file.
You can now run your wyze camera without SD cards, and have all the recordings directly saved onto your NFS share!