Wyze-Up Your Camera Game and Go Cloud-Free: Get in control and use the camera completely offline
TL;DR
- Set up Wyze V3 without using the Wyze app or the cloud with the help of wz_mini_hacks.
- Enable HTTPS and Basic Auth on the go2rtc WebUI.
- Disable Internet access on the camera.
- Set up Wireguard/Tailscale.
Motive
I wanted to install indoor CCTV inside my house. Still, I was worried about privacy issues, so I started looking for cameras that could be tweaked and allow me to fully control them so that at least they could function without needing any cloud services or apps. After looking around the internet, I got a Wyze Camera and used wz_mini_hacks to tweak it and achieve what I had in mind.
The post's content is the conclusion of the research I did on achieving the goal I had in mind. I've put it all together on a single page and published it to make it easier for others who want to achieve the same thing.
Warning/Disclaimer
Please know that by doing what is mentioned in this blog post:
- There is a chance to permanently damage/brick your device.
- You will lose some of the functions available via the Wyze App since the whole idea of this blog post is to not use their app or the cloud.
- Please check the "Warning Section" and any other disclaimers in the wz_mini_hacks repository page.
1. Camera's Firmware
- First, we must check which firmware versions wz_mini_hacks supports to know which firmware to download; we can do so by visiting the Firmware Support page. We will use the latest supported version, 4.36.9.139, which can be downloaded from the Wyze website. If you want other versions, please check this GitHub repo.
- Format the MicroSD to FAT32 with an MS-DOS partition map.
- Copy the firmware file named demo_wcv3.bin to the root directory of the microSD, safely eject it, and insert it into the camera.
- Press and hold the setup button on the camera, and while doing that, power it on. Hold the button until the lights on the camera are blueish and reddish, then release the button.
- The camera will reboot once the process is done, and the light will be red. At this point, turn off the camera.
2. wz_mini_hacks
- Get wz_mini_hacks from the official GitHub page.
- Copy all of the files and folders inside the SD_ROOT directory into the root directory of the MicroSD (the same location as the firmware file).
- A couple of things must be done at this point before we turn on the camera.
3. SSH (Securely and remotely accessing the camera)
- To SSH into the camera, you must add your public key to the wz_mini/etc/ssh/authorized_keys file.
- To generate a public key, run the following command:
    ssh-keygen
- The public key file will end with .pub. Copy its content into the wz_mini/etc/ssh/authorized_keys file.
- For more information about ssh-keygen and copying the key, check these tutorials: Linux, Windows
4. WIFI (Connect the camera to your WIFI network without using the Wyze App or the internet)
- First, enable the Self-hosted / Isolated Mode in the wz_mini_hacks main configuration file. This is a crucial step, allowing the camera to scan the needed QR Code to connect to the WIFI network. The configuration file path is wz_mini/wz_mini.conf.
    ENABLE_SELFHOSTED_MODE="true"
- Prepare the QR Code so the camera can join the WIFI network. You can use the following Wyze Config Generator instead of the Wyze App.
5. First boot with wz_mini_hacks
- Insert the MicroSD into the camera and turn it on. The "wz_mini_hacks initializing first boot" sound will be played. Wait a couple of minutes until the first boot is done.
- Press the Setup button on the camera once; a sound indicating that the camera is ready to connect to the WIFI network will be played.
- Scan the QR code with the camera and wait for it to connect. A sound indicating that it is linked will be played.
- Find the IP address of the camera and SSH into it to verify that everything is working well.
Now the camera is ready. Please make sure to read through the wz_mini_hacks GitHub page, especially the configuration page.
Extra: Enable HTTPS and Basic Authentication on go2rtc WebUI
Motive: If you plan to use go2rtc's WebUI, consider using authentication and HTTPS for it.
- To use HTTPS, you need PEM-encoded full-chain certificates. The following command generates a self-signed certificate and private key (not a full chain, though):
    openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout key.pem -out cert.pem
- Update the go2rtc config file /opt/wz_mini/etc/go2rtc.yml to enable HTTPS, add the needed TLS data, and add the username/password for the basic authentication:
    api:
      listen: "" # Disable HTTP
      username: "user" # Username
      password: "StrongPasswordPlease" # Password
      tls_listen: ":443" # Enable HTTPS server
      tls_cert: | # PEM-encoded fullchain certificate for HTTPS (contents of cert.pem)
        -----BEGIN CERTIFICATE-----
        -----END CERTIFICATE-----
      tls_key: | # PEM-encoded private key for HTTPS (contents of key.pem)
        -----BEGIN PRIVATE KEY-----
        -----END PRIVATE KEY-----
- Save the file and reboot the camera.
- Please check the go2rtc repository. You can find more information about this exact step in the Module: API section in the repository.
Extra: Disable Internet
Motive: The way I see things is that any home camera should never be available directly via the internet nor have access to the internet itself (some cameras might have backdoors in them, for example).
Advice: I will always advise making the camera only available locally (LAN) and accessing it remotely via a self-hosted VPN.
- SSH into the camera and set the following entries in the main configuration file /opt/wz_mini/wz_mini.conf to true:
    ENABLE_IPTABLES="true"
    ENABLE_CRONTAB="true"
- Create a new file containing the iptables rules needed to restrict internet access, e.g., /opt/wz_mini/root/iptables.sh:
    #!/bin/sh
    # Default policy: drop all traffic
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT DROP
    # Allow loopback communications
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
    # Allow all incoming traffic from the local network
    # (192.168.0.0/24 is the LAN subnet used here; adjust it to your network)
    iptables -A INPUT -s 192.168.0.0/24 -j ACCEPT
    # Allow all outgoing traffic to the local network
    iptables -A OUTPUT -d 192.168.0.0/24 -j ACCEPT
- Now, we need to execute this file every time the camera boots; we can achieve this by adding a new entry (the last line below) to the /opt/wz_mini/etc/cron/root file:
    # Example of job definition:
    # .---------------- minute (0 - 59)
    # | .------------- hour (0 - 23)
    # | | .---------- day of month (1 - 31)
    # | | | .------- month (1 - 12) OR jan,feb,mar,apr ...
    # | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
    # | | | | |
    # * * * * * user-name command to be executed
    #45 05 * * * /sbin/reboot
    @reboot /opt/wz_mini/root/iptables.sh
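To confirm after a reboot that the cron-applied rules are really in place, the `iptables -S` listing can be audited against the LAN-only policy from iptables.sh. This is an added example, not part of the original post or wz_mini_hacks; the function name audit_rules and both sample rulesets are constructed for illustration.

```sh
# Added example (not from the original post or wz_mini_hacks).
# Usage on the camera:  iptables -S | audit_rules 192.168.0.0/24
# Prints one line per finding; returns 0 only when there are none.
audit_rules() {
    lan="$1"
    findings=0
    while read -r flag chain rest; do
        case "$flag" in
        -P) # chain policy line, e.g. "-P OUTPUT DROP"
            if [ "$rest" != "DROP" ]; then
                echo "policy: $chain is $rest, expected DROP"
                findings=$((findings + 1))
            fi ;;
        -A) # appended rule; only ACCEPT rules can open a path
            case " $rest " in *" -j ACCEPT "*) ;; *) continue ;; esac
            ok=no
            case "$chain" in
            INPUT)  case " $rest " in *" -i lo "*|*" -s $lan "*) ok=yes ;; esac ;;
            OUTPUT) case " $rest " in *" -o lo "*|*" -d $lan "*) ok=yes ;; esac ;;
            esac
            if [ "$ok" = no ]; then
                echo "rule: $chain accepts traffic beyond $lan/lo: $rest"
                findings=$((findings + 1))
            fi ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample: "iptables -S" output after the post's iptables.sh ran.
EXPECTED_RULES='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.0.0/24 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d 192.168.0.0/24 -j ACCEPT'

# Constructed sample of drift: OUTPUT left open plus an unrestricted rule.
DRIFTED_RULES='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -s 192.168.0.0/24 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 123 -j ACCEPT'

if printf '%s\n' "$EXPECTED_RULES" | audit_rules 192.168.0.0/24; then
    echo "ruleset matches the LAN-only policy"
fi
printf '%s\n' "$DRIFTED_RULES" | audit_rules 192.168.0.0/24 || echo "drift detected"
```

Pass your own LAN subnet as the argument; `iptables -S` lists only the filter table, so that is all this check covers.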
Extra: Tailscale
Motive: Privately and seamlessly access the camera from anywhere.
Note: If there are any iptables rules restricting the camera from accessing the internet, you need to either drop them or allow connections to the Tailscale server (unless you are hosting your local headscale server).
- You need to download a version of Tailscale that can work on the camera's architecture, which is mipsle. You can find the binary on the official Tailscale website. Once downloaded, copy the binary to the camera.
- For Tailscale to work, the tailscaled daemon needs to be running as well. Let's update the crontab file to run tailscaled on reboot. This assumes that you've placed the tailscaled binary in /opt/wz_mini/bin/; if not, use the full path to the tailscaled binary.
    @reboot tailscaled -statedir /opt/wz_mini/etc/tailscale
- Generate a Tailscale auth key. Read more about Auth Keys.
- Start Tailscale with the auth key:
    tailscale up --authkey tskey-abcdef1432341818
Extra: Wireguard
Motive: Privately and seamlessly access the camera from anywhere.
Note: If there are any iptables rules restricting the camera from accessing the internet, you need to either drop them or allow connections to the Wireguard server (unless you are hosting your local Wireguard server).
- SSH into the camera and run the following command to get the camera's Wireguard public key:
    wg
- Open the main configuration file /opt/wz_mini/wz_mini.conf and update the Wireguard section:
    ENABLE_WIREGUARD="true"
    WIREGUARD_IPV4="192.168.2.101/32" # The IPv4 address and subnet mask for the WireGuard interface.
    WIREGUARD_PEER_ENDPOINT="x.x.x.x:51820" # The IP address / domain of the Wireguard server.
    WIREGUARD_PEER_PUBLIC_KEY="INSERT_PEER_PUBLIC_KEY_HERE" # The public key of the peer (the Wireguard server), not the camera's own key
    WIREGUARD_PEER_ALLOWED_IPS="192.168.2.0/24" # The routed IP addresses through the VPN
    WIREGUARD_PEER_KEEP_ALIVE="25"