Wyze camera v2 hacking

Wyze makes these amazing little cameras for $25; 1080p, infrared capable, two way audio. $25! The drawback is their firmware is very limited and you’re stuck trusting their web services. I am not willing to upload video from my house to a cloud server.

Solution: Xiaomi-Dafang-Hacks. It’s a hacker firmware you can install on top of the Wyze v2 cameras and various other similar ones that’s much more flexible. It’s designed for local use, you can get the thing to put out an RTSP stream, MQTT events when there’s motion detected, etc.

I followed this guide for setting it up. Basically it comes down to “flash the firmware to this funky .bin file you put on a MicroSD card. Then copy a new OS to the SD card for it to boot”. I think it would have worked the first time but I had a typo in my WiFi config file. I got it right the second time. Or as I told a friend:

Well I carefully ground the powders, then charred them in the brazier with aqua regia. I collected the vapours in the alembic and distilled them three times, using a clean retort washed with the tears of a child each time. I poured the final elixir into the Wyze camera and rebooted it and… no joy.

Ah hah! I found a spec of dirt in my elixir, perhaps rheum from where the tears were not adequately filtered. I re-ran the distillation process and watched the one flashing light for signs of success. Previously, the light shone a steady yellow. This time it winked out. Success!

Now the camera is listening on https://dafang/ and lets me do various things, all without involving cloud servers I know nothing about. Now then.. what was my plan for using this thing anyway?


After dorking around with this for awhile I’m much less impressed. The firmware seems pretty flaky to me even once installed reliably. Either that or the camera is.

The RTSP stream for H.264 is a mess. The encoding isn’t quite right so VLC often displays corrupted video, it’s like it’s missing key frames or something. Sound is 50/50 whether it gets transmitted or not. The record feature in the system doesn’t seem to even try to record stuff and writes a naked .h264 file, not a container format. (Also it works by using RTSP to localhost, lol.)

The thing there is a lot of support for is doing something in response to motion detected, using the motion(1) program from Linux. It’ll send messages to an MQTT server, or record a static JPG to the SD card, or send an email, or send a Telegram message (!). I don’t know if that stuff is any more reliable than anything else but I can see how it’d be useful.

I have this same experience every time I hack with camera software; there’s a big gap between “eh, kinda works” and a nice usable system with clean rounded corners. I really want to just buy a working home security system that’s Internet and camera centric. But it has to not send stuff to a cloud server out of my control.

Update 2

After most of a year away I revisited this blog post, grateful to have the notes! Got the hacker firmware up and running and updated. It’s nicer! Also the update process is a bit buggy. It leaves your old config files in place but some of those files needed updating. In particular there’s a DCIM_PATH set in the configs for various recording services that should be set to /system/sdcard/DCIM or a subdirectory thereof; nothing was recording locally until I enabled it. Simplest thing is to go to /system/sdcard/config and diff the .conf files with their .dist versions and fix things by hand. (“Simplest”).

I haven’t figured out if the firmware is more reliable than it was last time I tried it. A bunch of stuff seems flaky. You pretty much have to reboot when changing the configuration for anything; even stopping and restarting services manually doesn’t always pick up new configurations for some weird reason. Recording audio with the video does not seem to work. If you delete a file in the web UI you have to reload the page to see the other files remaining. Trying to do unusual things doesn’t always work as planned. For instance I set the video framerate to 15fps. The recordings I get from it are still marked 25fps, but the on screen clock shows me we’re now playing in accelerated time. Dumb.

“Hilarious” thing: the default login is root/ismart12. You can change the HTTP login password easily, but that doesn’t change the SSH login that’s still there. Nice. I also found there were Telegram and Matrix accounts pre-configured; no idea if those were demos, or some automatic thing generated for me, or if by default the firmware just shuttles your video to some random people somewhere. The services weren’t enabled so it was probably harmless, but geez.

2 thoughts on “Wyze camera v2 hacking

  1. Coming back to leave a comment because “rheumy” was the answer to a crossword puzzle I was working on last night, and I wouldn’t have known the word until I read your spot on, literary description of what hacking so often feels like.

  2. I’m really still loving the setup – but I’m not using RTSP, VLC, etc – I’m using it to monitor my greenhouse via the site provided and it’s fit the bill thus far.

Comments are closed.