Right now you can get security cameras cheap, super cheap. And the quality of the cameras are legit, 1080p cameras – super cheap. Luckily such cheap cameras like the Wyze Cam v2 can be hacked easily.

There are some brands available right now even at your local Home Depot for as little as $25. The manufacturer is selling them right now for even less – Wyze is letting their 1080p v2 camera go for as little as 20 bucks, though about the same price with tax and shipping.

Wyze Cam v2 price including tax and shipping on wyze.com
Wyze Cam v2 with Tax + Shipping @ Wyze.com

At these prices, you should pick one up if you’re a security, camera or home automation enthusiast like me. There is just one hitch.

Wyze and Xiaomi Cameras Phone Home

Not only does the camera call their servers, but so do the apps you install. The apps, mind you, that are practically required to operate them. Of course, if you’re on Android, you have to give the app rights to things like location and storage just to get it to pair with and send the camera the WiFi login information to the camera.

To be fair they are offering things like cloud storage – but we are lame, we don’t want that stuff, we want a cheap camera to plug into our network that doesn’t call back to China or an American server (maybe owned by China). And if you’re a real lamer, you’re already running a MotionEye install on a Linux machine or a Raspberry Pi that can do the motion detection for you.

If you are indeed lame, you can own the camera pretty easily.

Easily Hack Your WyzeCam v2

Requirements.

  • Wyze Cam v2 (or a Xiaomi equivalent, i.e. Dafang)
  • Small MicroSD Card (Hack and camera prefer size less than 512 MB – but you can make the partition this size if the SD Card is bigger)
  • 15 to 30 minutes to kill

After you’ve procured your cheap camera, head on over to the GitHub project and read up, make sure you still want to hack this sucker. After all, it’s a totally non-destructive hack that is easily reversible and gives you features like MQTT, RTSP, SSH and FTP support you didn’t get out of the box.

There are two parts – updating to a custom bootloader, then installing the hacked firmware (the magic sauce).

Applying the custom bootloader

  1. Prepare the MicroSD Card. I used my Debian machine which was a bit easier to work with.
    1. Unmounted the default partition that came with the card.
    2. Fired up Gparted and deleted all the partitions.
    3. Created a single FAT32 512MB partition in the front of the disk.
  2. Download the firmware file for your camera from the GitHub page here.
  3. Copy the firmware file only to the new FAT32 partition, and rename it demo.bin
  4. Insert the SD into the camera, hold the reset button while plugging it in.
  5. Watch the LED on the bottom of the camera – if you are using the Wyze Cam v2 there is no movement on the camera unlike the instructions in the link above mention. The light will go solid again when it’s all done (i.e. stop flashing). This takes about 2-3 minutes total.
  6. Power off
  7. Remove SD Card
  8. Power up!

Install the hacks!

  1. Grab a copy of the GitHub repository for Xiaomi-Dafang-Hacks. As suggested you should just grab the whole thing via zip, though you are really after just the modified firmware directory.
  2. Move the SD Card back to your machine. Remove the demo.bin file and replace it with the contents of the firmware_mod folder from the zip file above/GitHub link. All the files go in the top level of the SD Card.
  3. Setup WiFi – copy the file on the SD Card from the config folder “wpa_supplicant.conf.dist” to a new file called “wpa_supplicant.conf”
  4. Update the values on the lines in your new file for ssid & psk to meet your 2.4Ghz WiFi settings.
    • Line 9 of the file should have your WiFi network name in the SSID value
      (ssid = “FreeWifi”)
    • Line 15 should have the password
      (psk = “BuyYourOwnWifi”).
  5. Power off the camera (pull the lame plug) and reinsert the SD Card.
  6. Light up a smoke…
  7. Fire up now a browser and go to http://dafang

The default username and password for the Defang(ed) camera now are;

  • Username: root
  • Password: ismart12

Note – this is the password for the web server and SSH. You would have to change both separately. To change the password of the web server go to the administration settings once you log in.

Update the default web server password.

Enjoy your hacked camera!

Screenshot of my greenhouse camera on my hacked Wyze Cam v2 with custom firmware.
We start our tomatoes indoors in a Vivosun tent while winter is wintering and before spring hits.

At this point, you’re ready to rock with a camera running custom firmware. Just keep that tiny little SD Card in there, you can use it to capture time lapse videos and even SSH in and muck up the config if you’d like. If you’re going to want it to send messages to MQTT when motion is detected, SSH in and copy over the default MQTT settings and point them to your broker.

If you wanted the RTSP server, to view in VLC, pick up with MotionEye or do as you please – you’ll have to enable it in the video settings.

Where and how to change the video settings for the Wyze Cam v2 hacked fireware

Then scroll down to Start H264 RTSP

Where and how to start the RTSP server for the hacked firmware on the Wyze Cam v2
Here you can start the RTSP service

Having the RTSP service is something Wyze has been dragging their feet on until a recent beta firmware release – especially if it competes with the real money maker of selling online storage. Now when you enable it you can capture the video yourself or feed it to other services you own like MotionEye or ZoneMinder, Home Assistant or totally bake you own (with Mosquitto and Node Red).

Thanks to Elias Kotlyar for writing the hack, check out his other work on GitHub!

UPDATE: Extend Your Vision

These days I have my camera looking out into my backyard, capturing motion with MotionEye and letting my phone know through a webhook, Home Assistant and Node Red. To help me get there I added some distance to the webcam with a 25-foot USB cable from Amazon.