Intro
I have quite a few Aqara devices in my household. Some of them I ordered before they became available in local stores, and they turned out to be region-locked.
Until recently, they were all bound to the Chinese region in the Aqara app. After getting the new G100 version, I was unable to bind it in the Chinese region, as the global version is intended for all other regions except China.
Region Lock
Long story short, I decided to move all my Aqara devices to a single region so I can control their settings without constantly switching between regions.
The process went smoothly, but a few G2Hs failed with error 668, stating that the device is not intended for use in the selected region.
There was no way to work around this by adding the camera to Apple Home first or by unbinding it from one region and rebinding it in another.
The only difference we can see between the global and Chinese versions is the model number in the Apple Home app. The region-locked version is identified as ZNSXJ12LM, whereas the global one displays CH-H01.
Hacking Camera
After a quick search, I discovered the mcchas/g2h-camera-mods repository, which contains some tweaks for the G2H camera. The author did a great job finding a way to get root access.
All you need to get remote access to the camera is to run the following script on your SD card:
cat >hostname <<EOF
#!/bin/sh
passwd -d root
echo WITH_TELNET=y >>/etc/.config
mv /mnt/sdcard/hostname /mnt/sdcard/hostname.bak
reboot
EOF
After rebooting, the camera became available via telnet. It's running Linux and has enough basic commands for experimenting.
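The script above removes the root password and turns telnet on, so it is worth checking afterwards whether both changes are still in effect. The following check is an added example, not part of the original post or the g2h-camera-mods repository; the function names are hypothetical, and the default /etc/passwd location of root's password field is an assumption (pass /etc/shadow instead if the firmware uses one).

```shell
#!/bin/sh
# Added example: report whether the hostname script's two changes are in effect.

# Succeeds if root's password field (2nd colon-separated field) is empty.
# Accepts a passwd- or shadow-format file.
root_password_empty() {
    awk -F: '$1 == "root" { found = 1; empty = ($2 == "") }
             END { exit !(found && empty) }' "$1" 2>/dev/null
}

# Succeeds if any line of the config file sets WITH_TELNET=y.
telnet_enabled() {
    grep -q '^WITH_TELNET=y[[:space:]]*$' "$1" 2>/dev/null
}

# Prints one line per finding; exit status is the number of findings.
audit_camera() {
    passwd_file=${1:-/etc/passwd}    # assumption: pass /etc/shadow if hashes live there
    config_file=${2:-/etc/.config}   # path used in the post
    findings=0
    if root_password_empty "$passwd_file"; then
        echo "root has an empty password in $passwd_file"
        findings=$((findings + 1))
    fi
    if telnet_enabled "$config_file"; then
        echo "WITH_TELNET=y is set in $config_file"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 2 ] && echo "both changes from the hostname script are active"
    return "$findings"
}

# Constructed sample files mimicking the state after the script has run.
demo_dir=$(mktemp -d)
printf 'root::0:0:root:/root:/bin/sh\n' > "$demo_dir/passwd"
printf 'WITH_TELNET=y\n' > "$demo_dir/config"
audit_camera "$demo_dir/passwd" "$demo_dir/config" || true
rm -rf "$demo_dir"
```

On the camera itself, call audit_camera with no arguments to use the default paths.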
Changing Model
First, I checked if there were occurrences of the model number in the filesystem:
$ grep -r ZNSXJ12LM /
/etc/build.prop:ro.sys.product=ZNSXJ12LM
That seems like a build parameter, and changing this string in /etc/build.prop obviously had no effect.
After checking the environment, I discovered some commands used to gather camera information:
$ get_
get_dev_status get_homekit_info get_lens get_model get_sn get_zig_chipid get_zig_ver
get_hd_ver get_language get_lumi_info get_product_info get_soft_ver get_zig_mac
And here is another set to update it:
$ set_
set_hd_ver set_homekit_info set_language set_led_b set_led_r set_lens set_lumi_info set_product_info set_sn
After checking some of them, get_product_info seemed to be the one:
$ get_product_info
product: ZNSXJ12LM
And the corresponding pair seemed to do the job, updating the model number:
$ set_product_info CH-H01
set_product_info: ok
After rebooting, the camera started showing the updated model number in Apple Home, but unfortunately, it still could not be bound in the desired region.
Changing Internal Model
I checked the build parameters once more, and apart from the model number, there was also a model name:
$ cat /etc/build.prop
ro.sys.name=Camera-Hub-G2H
ro.sys.model=lumi.camera.gwagl02
ro.sys.product=ZNSXJ12LM
ro.sys.spu=AC004
ro.sys.sku=000
ro.sys.ean13=6970504211889
ro.sys.manufacturer=Aqara
ro.sys.vendor=Lumi United Technology Co., Ltd.
ro.sys.fw_ver=2.2.7
ro.sys.hw_ver=1.0
ro.sys.build_num=0001
ro.sys.acc_tags=red
A quick search showed that lumi.camera.gwagl02 corresponds to a Chinese revision and lumi.camera.gwag03 to a global version.
Similarly, there is a get_model command returning the model name, but there is no set_model to override it:
$ get_model
model: lumi.camera.gwagl02
All these getter and setter commands are symlinks to the same binary:
$ ls -la /local/bin | grep get_model
lrwxrwxrwx 1 1020 1020 12 get_model -> factory_test
I tried to reverse engineer this binary using Ghidra. After searching for the string model:, I got the following:
[Figure: get_model command.]
Unfortunately, it failed to disassemble some of the functions, including the one printing this string. But after checking the surroundings, I noticed this:
This binary is using /mnt/config/miio/device.conf for some purposes, which has something interesting:
$ cat /mnt/config/miio/device.conf | grep lumi.camera
model=lumi.camera.gwagl02
And after changing the model line, I finally got get_model returning what's needed:
$ sed -ie 's/model=.*/model=lumi.camera.gwag03/' /mnt/config/miio/device.conf
$ get_model
model: lumi.camera.gwag03
And after rebooting, I was finally able to add my camera to another region.
Solution
In the end, I needed only two commands to remove the region lock on my camera. Those commands can be applied automatically using the hostname hack.
For that, just put a file named hostname on your SD card with the following contents:
#!/bin/sh
sed -ie 's/model=.*/model=lumi.camera.gwag03/' /mnt/config/miio/device.conf
set_product_info CH-H01
mv /mnt/sdcard/hostname /mnt/sdcard/hostname.bak
reboot
Hope this helps someone.
Translations of this article are allowed only upon permission.