Accessing the kernel image within the CAMv3 firmware bundle

silverstr · August 1, 2025, 6:03pm

This is a more technical question for those that know the deep dark secrets of the CAMv3 firmware and uBoot booting process.

Using a more recent firmware image (demo_wcv3_4.36.14.3497.bin.zip) I am trying to extract the kernel image from the file.

I can use binwalk to extract down to jz_fw.bin just fine. When I do that, if I look at the structure for the image it looks something like this:

--------------------------------------------------------------------------------------------------------------------------------------------------------------
DECIMAL                            HEXADECIMAL                        DESCRIPTION
--------------------------------------------------------------------------------------------------------------------------------------------------------------
0                                  0x0                                uImage firmware image, header size: 64 bytes, data size: 1882651 bytes, compression: 
                                                                      lzma, CPU: MIPS32, OS: Linux, image type: OS Kernel Image, load address: 0x80010000, 
                                                                      entry point: 0x8040F090, creation time: 2022-05-28 09:15:24, image name: 
                                                                      "Linux-3.10.14__isvp_swan_1.0__"
2031616                            0x1F0000                           SquashFS file system, little endian, version: 4.0, compression: xz, inode count: 362, 
                                                                      block size: 131072, image size: 2969780 bytes, created: 2025-05-07 22:58:29
6029312                            0x5C0000                           SquashFS file system, little endian, version: 4.0, compression: xz, inode count: 160, 
                                                                      block size: 131072, image size: 3542882 bytes, created: 2025-05-07 22:58:30
--------------------------------------------------------------------------------------------------------------------------------------------------------------

I then extract the kernel image skipping the 64byte header as such:

dd if=jz_fw.bin bs=1 skip=64 count=1882651 of=kernel.lzma

That SHOULD render me a clean, LZMA compressed image. I can confirm this by executing file on the output, which renders:

kernel.lzma: LZMA compressed data, streamed

However, when I try to decompress it using lzma -d kernel.lzma, it tells me it’s corrupt:

lzma: kernel.lzma: Compressed data is corrupt

I’m obviously missing something here, but I am not sure what.

Can anyone shed some light on this, and help me understand how to get a clean kernel image out of the firmware bundle?

dave27 · August 1, 2025, 11:54pm

Only person I can think to possibly tag is @grapefruityoda but I believe Wyze has secured things a lot more than they used to be, which is why the custom 3rd party firmwares like wyze mini hacks don’t work anymore.

carverofchoice · August 2, 2025, 3:53am

Personally, if I needed help with this, I would consider going to this Discord server:

(Note, this link is not personal promotion as I am not a mod or in any way associated with that server or their leadership I joined and posted a request to be approved on 3/5/25 because I like the Thingino project and wanted to be able to browse around, even though I haven’t installed it on any cams yet)

That server is the official server for the “Thingino Project” which are people who reverse-engineered several Wyze cameras to install custom firmware onto them so they will run totally locally and use RTSP. There are guys on that server who are familiar with modifying Wyze cam V3 and be able to help guide you through this complexity. If I needed help, I would go post there and see if anyone is willing give you some pointers. Paul Philippov on there is definitely capable of pointing you in the right direction since he figured it out for Wyze cam v3’s already.

silverstr · August 5, 2025, 6:12pm

Thanks for the pointer to the Discord server. It was definitely helpful. Paul even posted a note on how to recover the image correctly based on the conversation I had with him. You can find it here.

carverofchoice · August 5, 2025, 10:16pm

That’s awesome!. Thanks for the follow-up.

They are great guys!. I’m very supportive of their work. I was pretty sure recommending you ask over there would be the most likely way you would get a helpful answer for your needs.

system · November 3, 2025, 10:16pm

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Apologize in advance but getting 404 NOT FOUND Power & Lighting not-platform-specific	12	884	January 12, 2020
Latest firmware update size Cameras not-platform-specific	4	392	August 29, 2020
Wyze Cam v3 Firmware zip file invalid? Cameras not-platform-specific	2	289	February 24, 2021
Firmware Reset - Does not work Power & Lighting cam-v1-v2 , iphone-ipad	3	922	December 2, 2020
Flashing your WyzeCam v1 firmware Beta	102	10863	January 26, 2021

Accessing the kernel image within the CAMv3 firmware bundle

Related topics