Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CW017 research #21

Open
guino opened this issue Feb 7, 2021 · 130 comments
Open

CW017 research #21

guino opened this issue Feb 7, 2021 · 130 comments

Comments

@guino
Copy link
Owner

guino commented Feb 7, 2021

Here's a couple of images. Looks similar to the board in #11 from @swisslegacy

PXL_20210207_233815784.jpg

PXL_20210207_233849051.jpg

Originally posted by @parkerlreed in #2 (comment)

@parkerlreed
Copy link

parkerlreed commented Feb 7, 2021

👍 Thanks. Good idea keeping tracking in a separate thread (that's a pain in the ass to expand all the comments in the main)

@guino
Copy link
Owner Author

guino commented Feb 7, 2021

@parkerlreed yes :) similar but different hardware. The uart pads will likely be on the other side by removing the 4 silver colored screws

@parkerlreed
Copy link

Trying the 2.7.x files from #11 here's what I observe

  • Light blinks red and blue after holding reset for 5 seconds
  • I release, it sits on red for a second, and then goes blue
  • Stays solid blue (and never gets to the "Hey Im booted" beep)
  • Wait a couple minutes and check SD card
  • Looks to be the original MBR
    image

2.9.x on my first try resulted in a corrupted MBR which made me think it worked but was the same result (and subsequent tries the MBR stays in tact)

  • Red and blue after 5 seconds
  • This time stays red for about 20 seconds
  • Proceeds to boot normally
    image

@parkerlreed
Copy link

Inside shot

PXL_20210208_000123729.jpg

@guino
Copy link
Owner Author

guino commented Feb 8, 2021

There’s usually data left in the sectors of the card from before doing #11 so if you want to see if the process did anything you would have to zero out the sectors before using #11:

dd if=/dev/zero of=/dev/mmcblkX bs=512 count=32768 seek=1

@guino
Copy link
Owner Author

guino commented Feb 8, 2021

Serial pins should be the 4 pads on the bottom left of the picture you posted.

@guino
Copy link
Owner Author

guino commented Feb 8, 2021

You can use the screw hole as ground and test which is ground from the pads, then test which is 3.3v using pin 8 of the flash chip. Or you can just solder wires and swap them until you find what is rx, tx and ground (no need to connect 3.3v). Just make sure you don’t pull hard on wiring after soldering or they will come right out of the board.

@guino
Copy link
Owner Author

guino commented Feb 8, 2021

This should be pin 8 of the flash (3.3v) :

7BF53C1F-B857-4F6E-A5FD-C0B9068C93C9

@parkerlreed
Copy link

I tried zero'ing out beforehand and no difference. (Stayed blank instead of having any data)

Does the device not care that I blew out the MBR?

@guino
Copy link
Owner Author

guino commented Feb 8, 2021

The MBR is sector 0 (zero) the command I gave was supposed to start zeroing from sector 1 - but I realize I forgot to pass the parameter seek=1, it should have been:

dd if=/dev/zero of=/dev/mmcblkX bs=512 count=32768 seek=1

that was my bad - you would probably have to redo #11 to build a new MBR now.

@parkerlreed
Copy link

As for the serial, I have a couple Pi Zeros I can try and get working (They do have 3.3v UART right?)

Thanks for the tips.

@guino
Copy link
Owner Author

guino commented Feb 8, 2021

Yeah you could wire the serial from a pi zero directly.

@guino
Copy link
Owner Author

guino commented Feb 8, 2021

@parkerlreed I can’t read the numbers on the chips but based on the previous version of the board the flash may actually be the one on the other side of the board instead of the one I posted above (pin 8 3.3v marked):
9D8DBEDD-9FB3-4E4D-9F09-A43905EEEB13

Like I said before you don’t need to connect the 3.3v I only marked it as a way to try and determine which pads to use (so you don’t need to solder a wire to the 3.3v pad).

@parkerlreed
Copy link

U-Boot 2013.10.0-AK_V3.0.07 (Sep 19 2020 - 14:46:53)

DRAM:  64 MiB
8 MiB
ANYKA SDHC/MMC4.0: 0
PPS:Sep 19 2020 14:46:58   anyka_c3:  0 
                                        magic err
magic err
command:setenv bootargs mem=64M console=ttySAK0,115200n8 loglevel=10   mtdparts=spi0.0:256k(bld),64k(env),64k(enc),64k(sysflg),3m(sys),4032k(app),640k(cfg) ppsAppParts=5 ip=192.168.1.99:::255.255.255.0 eth=00:55:7b:b5:7d:f7
## Booting kernel from Legacy Image at 81c08000 ...
   Image Name:   Linux-3.4.35
   Image Type:   ARM Linux Kernel Image (uncompressed)
   Data Size:    2789360 Bytes = 2.7 MiB
   Load Address: 81c08000
   Entry Point:  81c08040
   Verifying Checksum ... OK
   XIP Kernel Image ... OK

Starting kernel ...

Uncompressing Linux... done, booting the kernel.
Anyka Linux Kernel Version: 1.1.12

@parkerlreed
Copy link

Also for reference here's the listing for this camera https://www.walmart.com/ip/Merkury-Innovations-Smart-Wifi-Camera-1080p-2-Way-Communication/679786717

@parkerlreed
Copy link

parkerlreed commented Feb 10, 2021

Middle two. TX on right hand side. PXL_20210210_023057636.jpg

@guino
Copy link
Owner Author

guino commented Feb 10, 2021

Send me an email and I can send you something to help out

@parkerlreed
Copy link

Sent. Thanks.

@guino
Copy link
Owner Author

guino commented Feb 10, 2021

Based on the bootargs shown the method used for Merkury 720p (my other repo) should work if you just adjust the load address (looks like 81c08000?)

@parkerlreed
Copy link

Thanks. Will give it a shot

@parkerlreed
Copy link

So do I do the port 80 enable first and then the rest?

@guino
Copy link
Owner Author

guino commented Feb 10, 2021 via email

@parkerlreed
Copy link

parkerlreed commented Feb 10, 2021

I'm sure I'm probably just being thick here. I am typing this correctly?

image

@guino
Copy link
Owner Author

guino commented Feb 10, 2021

Remove the hack= part and only do what is after the = sign .. the hack= part is to set the environment from file which is not needed in uboot.

@guino
Copy link
Owner Author

guino commented Feb 10, 2021

Actually nevermind that, we need to figure out where the files are loaded, can you execute printenv and post the response ?

@parkerlreed
Copy link

parkerlreed commented Feb 10, 2021

Ok so something like this?

setenv bootargs ${bootargs} '- ip=30;/mnt/mmc01/initrun.sh)&:::::;date>/tmp/hack;(sleep
ipaddr=0
bootm 0x81c08000

ipaddr is supposed to be it's own command or part of the first one? (There's a newline in the env so that's what's confusing me)

@guino
Copy link
Owner Author

guino commented Feb 10, 2021

Without being familiar with uboot it will be easier to just modify the hack for your camera — with the printenv output I can probably do it.

the commands from the env file would have to be like this I think:

setenv hack ‘setenv bootargs ${bootargs} \'- ip=30;/mnt/mmc01/initrun.sh)&:::::;date>/tmp/hack;(sleep’

then another command:

setenv ipaddr ‘0;run hack;bootm 0x81c08000;’

It would be nice if you execute and post the output for printenv and for help so I know what is available

@parkerlreed
Copy link

pps # printenv
              baudrate=115200
bootargs=mem=64 console=ttySAK0,115200n8 loglevel=10
bootcmd=loadk;bootm 0x81C08000
bootdelay=3
console=ttySAK0,115200n8 loglevel=10 
ethaddr=00:55:7b:b5:7d:f7
ipaddr=192.168.1.99
memsize=64M
netmask=255.255.255.0
serverip=192.168.1.1
setcmd=setenv bootargs console=${console}  mem=${memsize}
sf_hz=20000000
stderr=serial
stdin=serial
stdout=serial
ver=U-Boot 2013.10.0-AK_V3.0.07 (Sep 19 2020 - 14:46:53)

Environment size: 455/4088 bytes
pps # help
          ?       - alias for 'help'
auth    - encrypt product authfile
base    - print or set address offset
bootm   - boot application image from memory
clearCfg- clearCfg
cmp     - memory compare
cp      - memory copy
crc32   - checksum calculation
devmem  - read or write register, now just read
downimage- downimage   - download and write All-Image to FLASH device,partiton table from ENV partition.
downjffs2fs- load usr.jffs2 tftp
downkernel- load uImage tftp
downrootfs- load root.sqsh4 tftp
downsquashfs- load usr.sqsh4 tftp
downuboot- load uboot tftp
env     - environment handling commands
envreset- reset env para
erase   - erase FLASH memory
fatinfo - print information about filesystem
fatload - load binary file from a dos filesystem
fatls   - list files in a directory (default /)
flinfo  - print FLASH memory information
format  - erase all flash except bootloader part
go      - start application at address 'addr'
help    - print command description/usage
loadk   - load kernel to DRAM  
loop    - infinite loop on address range
md      - memory display
mm      - memory modify (auto-incrementing address)
mmc     - MMC sub system
mmcboot - from mmc start
mmcinfo - display MMC info
mw      - memory write (fill)
nm      - memory modify (constant address)
parts   - read out partitions table info.
parts_adjust- 
adjust parts info. Each part's size,offset etc.

pcbMenu - select Pcb
printenv- print environment variables
protect - enable or disable FLASH write protection
readcfg - read config from config.
reset   - Perform RESET of the CPU
run     - run commands in an environment variable
saveenv - save environment variables to persistent storage
setenv  - set environment variables
setloadaddr- set loadaddr to  config infor .
sf      - spi flash sub-system:
tfdownjffs2fs- load usr.jffs2TF
tfdownkernel- load uImageTF
tfdownrootfs- load root.sqsh4TF
tfdownsquashfs- load usr.sqsh4TF
tfdownuboot- load u-boot.binTF
tfupdateimage- tfupdateimage   - download and write All-Image to FLASH device
uartdown- down style 0:tftp 1:uart 2:mmc
upa     - update app image appfile
upb     - update bootloader bldfile
update  - update upgrade.bin
updatecfg- update config from config infor table.
upe     - update auth image authfile
upf     - update firmware, format and update (factory use upffile)
upk     - update uImage kernelfile
upr     - update backup.img
version - print monitor, compiler and linker version

@parkerlreed
Copy link

parkerlreed commented Feb 10, 2021

After setting those two

bootargs=mem=64 console=ttySAK0,115200n8 loglevel=10 - ip=30;/mnt/mmc01/initrun.sh)&:::::;date>/tmp/hack;(sleep
ipaddr=0;run hack;bootm 0x81c08000;

Should be good to power cycle?

@guino
Copy link
Owner Author

guino commented Feb 10, 2021

There’s a very good chance that if you just adjust the address in ppsMmcTool.txt and env files from the merkury 720p project to 81c08000 (instead of 81808000) you should be able to install the hack using the steps in that repo - that is what I would try first.

@parkerlreed
Copy link

parkerlreed commented Feb 10, 2021

onvif (tuyya_config.json) did reset. I forgot 8080 was the hack webserver.

~ # cat /home/cfg/tuya_config.json 
{
        "version":      0,
        "sleep_mode":   0,
        "alarm_fun_onoff":      0,
        "alarm_fun_sensitivity":        1,
        "alarm_fun_mode_switch":        0,
        "alarm_fun_time_start": 0,
        "alarm_fun_time_end":   0,
        "flip_onoff":   0,
        "light_onoff":  1,
        "night_mode":   0,
        "sound_detect_onoff":   0,
        "sound_detect_sensitivity":     0,
        "watermark_onoff":      1,
        "event_record_time":    60,
        "enable_event_record":  2,
        "record_enable":        1,
        "motion_trace": 1,
        "motion_area_switch":   0,
        "motion_area":  "",
        "motion_tracking":      0,
        "cry_detection_switch": 0,
        "humanoid_filter":      0,
        "loudspeaker_vol_pct":  100,
        "onvif_enable": 0,
        "onvif_pwd":    "admin"
}

@parkerlreed
Copy link

parkerlreed commented Feb 10, 2021

Ok bit the bullet and took the update. 4.0.6

Hack still works.

New ppsapp
--deleted--

@guino
Copy link
Owner Author

guino commented Feb 10, 2021

The new one looks like the old one too (not in the same format as 2.7.x and 2.9.x) -- the mjpeg/snap address should be: 00375b1c if you want to try play.cgi the address should be: 00376328 I still need more time to look at enabling RTSP/ONVIF (whatever is possible)

@guino
Copy link
Owner Author

guino commented Feb 10, 2021

--deleted--
I made a change to force the onvif_enable setting to 1 -- can you unzip it on the root of SD card, RENAME it to ppsapp and reboot to see if you get anything ? check open ports or even rtsp:https://IP:8554/Streaming/Channels/101 (may need user passowrd admin:admin) -- I have no idea if this will work but it's worth a shot. Additionally while you do this test, can you create a log file with the ppsapp (it can be helpful locating functions) -- just edit custom.sh so that the line /mnt/mmc01/ppsapp & looks like this: /mnt/mmc01/ppsapp 2>&1 > /mnt/mmc01/ppsapp.log & then after the reboot the file ppsapp.log should be in the SD card (and you can download it with https://user:password@IP:8080/ppsapp.log )

EDIT: Looking a little more in the code the change has good potential to enable onvif, the question is if the onvif implementation works (or if at least RTSP works)

@parkerlreed
Copy link

Will check it out and report back. I brought the camera to work but forgot the SD card. Doh.

@parkerlreed
Copy link

Do I still need to enable onvif in tuya_config or should that have forced it? Without touching the cfg, it doesn't appear to be open.

ppsapp.log

[parker@wolfcola ~]$ nmap 192.168.1.103
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-12 23:20 EST
Nmap scan report for 063492731.lan (192.168.1.103)
Host is up (0.023s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
23/tcp   open  telnet
6668/tcp open  irc
8080/tcp open  http-proxy

@guino
Copy link
Owner Author

guino commented Feb 13, 2021

You should not need to modify the json file but did you try onvif device manager or something similar anyway? The onvif/rtsp may be udp only and not show up on nmap - I will take a look at the log to see if I can find anything.

@guino
Copy link
Owner Author

guino commented Feb 13, 2021

Nevermind.. from the log it looks like the onvif function did not open as I hoped - either the change I made did not work OR the patched file did not run — since you got a log file I am certain that you placed the file in the right place and rebooted the device so unless it was the wrong file (unlikely) I assume change I made was not enough. I will review and give you something else to try.

@guino
Copy link
Owner Author

guino commented Feb 13, 2021

--deleted--

Can you try this one and make me another log ? I made 3 changes to ensure the onvif setting would be enable in all places that were setting it.

@guino
Copy link
Owner Author

guino commented Feb 16, 2021

@parkerlreed I assume you had no chance to try the new changes yet ?

@parkerlreed
Copy link

Have not. Sorry. Been tied up with work. I can test it tonight.

@parkerlreed
Copy link

8000 is open this time

What's the onvif username/password? I haven't been able to connect with any combo yet.

Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-17 20:13 EST
Nmap scan report for 063492731.lan (192.168.1.103)
Host is up (0.021s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE
23/tcp   open  telnet
6668/tcp open  irc
8000/tcp open  http-alt
8080/tcp open  http-proxy

Nmap done: 1 IP address (1 host up) scanned in 0.51 seconds

@parkerlreed
Copy link

parkerlreed commented Feb 18, 2021

Log
ppsapp.1.log

@guino
Copy link
Owner Author

guino commented Feb 18, 2021

Should be admin/admin - you may want to check onvif device manager (Windows) or some onvif app.

You may want to try rtsp:https://IP:8554/Streaming/Channels/101 (may need user passowrd admin:admin) and probably only will work on udp since tcp is not open

@parkerlreed
Copy link

That worked!

UDP 8554 and admin:admin

Since that worked is there any way to kill the connection to the tuya servers...

@parkerlreed
Copy link

Screenshot_20210217-202350.png

@guino
Copy link
Owner Author

guino commented Feb 18, 2021

Awesome!

Offline requires more changes and this being a totally different code it would require more research into it. I wonder also if there’s a time limit in using rtsp (udp) and wonder if tcp may also work (just not detected by nmap). I can take a quick look but no promises on the offline thing.

@guino
Copy link
Owner Author

guino commented Feb 18, 2021

By the way the same url /102 should be low resolution stream.

@parkerlreed
Copy link

Ahh yes TCP worked as well

@parkerlreed
Copy link

Screenshot_20210217-203040.png

@parkerlreed
Copy link

102 is indeed 640x480

@guino
Copy link
Owner Author

guino commented Feb 18, 2021

Cool! I will create/post a patch and probably make another repo with details of this camera just for future reference. If I find something regarding the offline mode I will let you know so you can test it.

@parkerlreed
Copy link

parkerlreed commented Feb 18, 2021

Trying with an ONVIF viewer on the computer and the device doesn't seem to be in spec for full operation. Two tools have failed to probe the full info/connect to the camera fully. Manual RTSP viewing is fine.

WSDDThread::probe
addDevice : "https://192.168.1.103:8000/onvif/device_service" , manual: false
wsdd: probe_done
"PPS-IPC\nAddress: 192.168.1.103\nFirmware: ppstrong-a3-tuya2_merkury-4.0.6.20210207\nLocation: Country/China/Hz"
on_listWidget_Devices_currentRowChanged,2323: 0==============================
wsddList.size():1
url: "https://192.168.1.103:8000/onvif/device_service"
initDevice: Bad onvif device
455 ,error: initDevice
on_worker_error ID: 0 ,: ""

@guino
Copy link
Owner Author

guino commented Feb 18, 2021

@parkerlreed New repo is up with details from here and from ghidra work: https://github.com/guino/Merkury1080P

@guino
Copy link
Owner Author

guino commented Feb 18, 2021

@parkerlreed if you'd like to try the device off-cloud you can use this patch:
ppsapp-onvif-offline.zip

Please note that you'll need to block off the tuya servers on your router AND add a call to ntpd like this: #4 (comment) in order to set the time on the device (or it will display incorrect time). Since this is a wifi device it's obvious it has to connect to some network in order to be used but this patch should allow it to start up without waiting 'forever' to connect to the tuya servers so you could use it in an isolated network with access to a local ntp server (or you could just use some other script/way to set the time in it when it boots up).

There may be other information on #4 that could be relevant so it may be worth glancing over.

If you do find the time to test it let me know how that goes.

@mariarti
Copy link

mariarti commented Feb 19, 2022

how to interrupt U-boot at PPS:Sep 19 2020 14:46:58 anyka_c3: 0
Ctrl+C didn't work
ps
found - "space bar", but asking password
please input password::

@guino
Copy link
Owner Author

guino commented Feb 19, 2022

@mariarti send me an email (it is on my github profile) and I can help you out.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants