Closed Juumm closed 4 years ago
Can you dump an original firmware from such a camera?
I could use that, too. So I would check tomorrow if I can send you the original version. Can you tell me how to get it down there?
Search the project for dump firmware.
On my side I do not have the camera yet. Don't know if someone can dump the original firmware of this camera to help you ?
So I just didn't get the camera to make a dump yet. But I will take care of it as soon as possible.
No one else has the Xiaomi Xiaofang 1S T20L and can provide the dump firmware to jmtatsch ?
Hello, I have a Xiaofang 1S T20L. I am attaching the dump I have done today. I am not sure it is what is needed. The (unstable) hack is running currently on the device so maybe the dump is altered. I hope it can help to solve the issue. Xioafang.zip
Did you dump after installing the custom firmware?
Yes. I can try to revert back to old firmware, but you will have to guide me because I assume the Xiaomi original firmware on the project is for T20 only. There is no SSH on factory firmware, is there?
Any suggestion on how I can be useful to help to solve this situation?
I'm waiting for a T20L xiaofang. I think it will be at home in a week or two. How can I dump original firmware without installing a custom one? Dumping procedure requires an access (telnet or SSH) to IP Camera, and I don't know how to do it with standard firmware...
You will likely need to solder a UART interface to your camera. There should be tutorials about it.
Thanks for the information. And as soon as the binary is installed, it can't be resented for me to dump the firmware?
Do you think it will be easy to fix the hack with the dump? If I bought a second one, will I be almost sure to be able to use both of them quickly?
As soon as you install the custom firmware the original fw we want to dump is gone. Probably the hardware changed a little and they updated their libs a little. Cannot really promise anything. You will need to build your own custom firmware. I don't have a 1S to test/help.
Do you think we will have a working dafang hack for this new Xiaomi Xiaofang 1S T20L ?
any progress with the T20L?
still no original fw dump
is this the correct dump instruction? https://github.com/EliasKotlyar/Xiaomi-Dafang-Hacks/blob/master/hacks/newdevices.md
Correct
The seller described that the camera is a T20L chip. After opening the case, I have doubts ...
It looks like a T20L. I opened mine and it is also only marked T20. Mine was manufactured on 2018-12-17 while yours is very recent.
Do you have a ftdi? Will you be able to dump the firmware soon? :))
I have a CP2102 USB UART RS232 TTL converter. Is it OK?
Should be fine. Apparently T20L increases the speed from 400 MHz to 1GHz. Nice.
I need help. I connected camera pins to the converter (photo found on the internet).
RX > TX, TX > RX, GND > GND
And I don't know what to do next (the instructions are not clear to me). I work on win10.
I tried to open Putty on COMX speed 115200 but nothing happens. Can anyone easily explain to me how to download firmware step by step?
Unfortunately, I was unable to download the original firmware :( Perhaps this is a problem with the converter :( I hope, however, that someone will succeed soon!
Baudrate seems to be too high for me. Try to halve it. When everything is set up correctly you should see the whole boot process when powering up the camera. Also try swapping RX and TX if not working.
@jmtatsch Maybe something will come of it! I used
```
dd if=/dev/mtdblock0 of=uboot.bin
dd if=/dev/mtdblock1 of=kernel.bin
dd if=/dev/mtdblock2 of=rootfs.bin
dd if=/dev/mtdblock3 of=driver.bin
dd if=/dev/mtdblock4 of=appfs.bin
dd if=/dev/mtdblock5 of=backupk.bin
dd if=/dev/mtdblock6 of=backupd.bin
dd if=/dev/mtdblock7 of=backupa.bin
dd if=/dev/mtdblock8 of=config.bin
dd if=/dev/mtdblock9 of=para.bin
dd if=/dev/mtdblock10 of=flag.bin
```
Where to look for these files? how to download them?
FWIW I think I found out how to properly stream 1080p video over RTSP by reverse-engineering the Xiaofang 1S binaries. They used 2 undocumented SDK functions to increase the pool size, as well as reduce the number of video buffers to 2. It's been working on my 1S for half a year now without problems. No custom U-Boot bootloader is required.
Details for developers are here: https://github.com/geekman/t20-rtspd/commit/f30f0e86849a05a8d3f00608471348a8dd36e481
@majdzik84 : great you are getting there. I am trying to follow the process as well. So if it works like mine, the files are created in /root/ then what I tried is to copy them to the SD card: cp /root/XXXXXX.bin /system/sdcard/
Then I assume you will be able to get the files by unplugging the sd card. Hope it will help you
Gentlemen - I think it worked :) Original fw dump - T20L @jmtatsch , @maxencep02 - Thank you for your help.
Very good news - Thank you @majdzik84
@majdzik84 do you happen to know which version number the fw you dumped has?
Some drivers like sinfo.ko, tx-isp.ko, sensor_jxf22.ko seem to have changed. Can you replace those in your sdcard/driver directory with the ones from this zip file drivers.zip ?
@jmtatsch Now that we have the dump, should I just follow the tutorial below and change it to demo.bin to update my camera with the original firmware? Or is it me that you are asking to update the sdcard/driver with the mod to check it is compatible?
Thank you for your help, both of you.
Pack Firmware

Install requirements:

```
sudo apt-get install u-boot-tools
```

Use packer.py with the firmware files:

```
./packer.py kernel.bin rootfs.bin driver.bin appfs.bin new_firmware.bin
```
@jmtatsch - Firmware 5.6.2.77
I couldn't resist changing the drivers. It looks promising.

```
Requesting system reboot
[ 40.142514] codec_codec_ctl: set CODEC_TURN_OFF...
[ 40.147466] codec_codec_ctl: set CODEC_SHUTDOWN...
[ 40.152512] mmc0: card e624 removed
[ 40.164559] Restarting system.
[ 40.167710] Restarting after 4 ms

U-Boot SPL 2013.07 (Jul 05 2018 - 17:59:02)
pll_init:365
l2cache_clk = 375000000
pll_cfg.pdiv = 8, pll_cfg.h2div = 4, pll_cfg.h0div = 4, pll_cfg.cdiv = 1, pll_cfg.l2div = 2
nf=30 nr = 1 od0 = 1 od1 = 1
cppcr is 03c05100
CPM_CPAPCR 03b0890d
nf=42 nr = 1 od0 = 1 od1 = 1
cppcr is 02a04900
CPM_CPMPCR 07d0c90d
nf=50 nr = 1 od0 = 1 od1 = 1
cppcr is 03204900
CPM_CPVPCR 0320490d
cppcr 0x9a794410
apll_freq 712704000
mpll_freq 1000000000
vpll_freq = 1200000000
ddr sel mpll, cpu sel apll
ddrfreq 500000000
cclk 712704000
l2clk 356352000
h0clk 250000000
h2clk 250000000
pclk 125000000
DDRC_DLP:0000f003

U-Boot 2013.07 (Jul 05 2018 - 17:59:02)

Board: ISVP (Ingenic XBurst T20 SoC)
DRAM: 64 MiB
Top of RAM usable for U-Boot at: 84000000
Reserving 400k for U-Boot at: 83f98000
Reserving 32784k for malloc() at: 81f94000
Reserving 32 Bytes for Board Info at: 81f93fe0
Reserving 124 Bytes for Global Data at: 81f93f64
Reserving 128k for boot params() at: 81f73f64
Stack Pointer at: 81f73f48
Now running in RAM - U-Boot at: 83f98000
MMC: msc: 0
the manufacturer c8
SF: Detected GD25Q128

*** Warning - bad CRC, using default environment

In: serial
Out: serial
Err: serial
misc_init_r before change the IR_cut_gpio
gpio_request lable = IR_cut_gpio gpio = 25
misc_init_r after gpio_request the IR_cut_gpio ret is 25
misc_init_r after change the IR_cut_gpio ret is 0
misc_init_r before change the TF_CD_gpio
gpio_request lable = TF_CD_gpio gpio = 43
misc_init_r after gpio_request the TF_CD_gpio ret is 43
misc_init_r after change the TF_CD_gpio ret is 0
misc_init_r before change the SD_enable_gpio
gpio_request lable = SD_able_gpio gpio = 48
misc_init_r after gpio_request the SD_able_gpio ret is 48
misc_init_r after change the SD_able_gpio ret is 0
misc_init_r before change the wifi_reset_gpio
gpio_request lable = wifi_reset_gpio gpio = 46
misc_init_r after gpio_request the wifi_reset_gpio ret is 46
misc_init_r after change the wifi_reset_gpio ret is 1
misc_init_r before change the yellow_gpio
gpio_request lable = yellow_gpio gpio = 38
misc_init_r after gpio_request the yellow_gpio ret is 38
misc_init_r after change the yellow_gpio ret is 0
misc_init_r before change the blue_gpio
gpio_request lable = blue_gpio gpio = 39
misc_init_r after gpio_request the blue_gpio ret is 39
misc_init_r after change the blue_gpio ret is 1
gpio_request lable = night_led_gpio gpio = 81
misc_init_r after gpio_request the night_led_gpio ret is 81
misc_init_r after change the night_led_gpio ret is 0
misc_init_r before change the wifi_enable_gpio
gpio_request lable = wifi_enable_gpio gpio = 62
misc_init_r after gpio_request the wifi_enable_gpio ret is 62
misc_init_r after change the wifi_enable_gpio ret is 0
misc_init_r before change the SPK_able_gpio
gpio_request lable = SPK_able_gpio gpio = 63
misc_init_r after gpio_request the SPK_able_gpio ret is 63
misc_init_r after change the SPK_able_gpio ret is 0
misc_init_r before change the USB_able_gpio
gpio_request lable = USB_able_gpio gpio = 47
misc_init_r after gpio_request the USB_able_gpio ret is 47
misc_init_r after change the USB_able_gpio ret is 0
Hit any key to stop autoboot: 0
jiabo_do_auto_update!!!!!!!!!!!!!!!!!!!!!!!!
gpio_request lable = sdupgrade gpio = 46
the manufacturer c8
SF: Detected GD25Q128

jiabo_update_to_flash!!!!!!!!!!!!!!!!!!!!!!!!
jiabo_au_do_update!!!!!!!!!!!!!!!!!!!!!!!!
start=0 start=40000 len=40000
flash check read...
FWGRADEUP not find !!!!!!!!!
gradeup check fail!!!!!!!!!!!!!!!!!!!
the manufacturer c8
SF: Detected GD25Q128

Erasing SPI flash...addr align as 10000 !
sfc erase error
the manufacturer c8
SF: Detected GD25Q128

--->probe spend 4 ms
SF: 2621440 bytes @ 0x40000 Read: OK
--->read spend 339 ms

Image Name: Linux-3.10.14
Image Type: MIPS Linux Kernel Image (lzma compressed)
Data Size: 1804956 Bytes = 1.7 MiB
Load Address: 80010000
Entry Point: 803e3200
Verifying Checksum ... OK
Uncompressing Kernel Image ... OK

Starting kernel ...

[ 0.000000] Initializing cgroup subsys cpu
[ 0.000000] Initializing cgroup subsys cpuacct
[ 0.000000] Linux version 3.10.14 (taozhang@zhangtao-ThinkPad-X220) (gcc version 4.7.2 (Ingenic r2.3.3 2016.12) ) #32 PREEMPT Wed Jan 24 02:40:56 CST 2018
[ 0.000000] bootconsole [early0] enabled
[ 0.000000] CPU0 RESET ERROR PC:801CB660
[ 0.000000] [<801cb660>] __delay+0x0/0x10
[ 0.000000] CPU0 revision is: 00d00101 (Ingenic Xburst)
[ 0.000000] FPU revision is: 00b70000
[ 0.000000] CCLK:712MHz L2CLK:356Mhz H0CLK:200MHz H2CLK:200Mhz PCLK:100Mhz
[ 0.000000] Determined physical RAM map:
[ 0.000000] memory: 0051b000 @ 00010000 (usable)
[ 0.000000] memory: 00035000 @ 0052b000 (usable after init)
[ 0.000000] User-defined physical RAM map:
[ 0.000000] memory: 028b9000 @ 00000000 (usable)
[ 0.000000] Zone ranges:
[ 0.000000] Normal [mem 0x00000000-0x028b8fff]
[ 0.000000] Movable zone start for each node
[ 0.000000] Early memory node ranges
[ 0.000000] node 0: [mem 0x00000000-0x028b8fff]
[ 0.000000] Primary instruction cache 32kB, 8-way, VIPT, linesize 32 bytes.
[ 0.000000] Primary data cache 32kB, 8-way, VIPT, no aliases, linesize 32 bytes
[ 0.000000] pls check processor_id[0x00d00101],sc_jz not support!
[ 0.000000] MIPS secondary cache 128kB, 8-way, linesize 32 bytes.
[ 0.000000] Built 1 zonelists in Zone order, mobility grouping off. Total pages: 10343
[ 0.000000] Kernel command line: console=ttyS1,115200n8 mem=41700K@0x0 ispmem=8M@0x28B9000 rmem=15644K@0x30B9000 init=/linuxrc rootfstype=squashfs root=/dev/mtdblock2 rw mtdparts=jz_sfc:256k(boot),2048k(kernel),3392k(root),640k(driver),4736k(appfs),2048k(backupk),640k(backupd),2048k(backupa),256k(config),256k(para),-(flag)
[ 0.000000] PID hash table entries: 256 (order: -2, 1024 bytes)
[ 0.000000] Dentry cache hash table entries: 8192 (order: 3, 32768 bytes)
[ 0.000000] Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)
[ 0.000000] Memory: 35192k/41700k available (3951k kernel code, 6508k reserved, 1275k data, 212k init, 0k highmem)
[ 0.000000] SLUB: HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
[ 0.000000] Preemptible hierarchical RCU implementation.
[ 0.000000] NR_IRQS:418
[ 0.000000] clockevents_config_and_register success.
[ 0.000028] Calibrating delay loop... 709.42 BogoMIPS (lpj=3547136)
[ 0.057700] pid_max: default: 32768 minimum: 301
[ 0.062745] Mount-cache hash table entries: 512
[ 0.067960] Initializing cgroup subsys debug
[ 0.072227] Initializing cgroup subsys freezer
[ 0.079776] regulator-dummy: no parameters
[ 0.084054] NET: Registered protocol family 16
[ 0.109156] bio: create slab
Ingenic-uc1_1 login: [ 4.663924] RTL871X: module init start
[ 4.667800] RTL871X: rtl8189ftv v4.3.24.7_21113.20170208.nova.1.01
[ 4.676776] RTL871X: build time: Nov 22 2017 16:25:23
[ 4.682084] wlan power on
[ 4.701385] RTL871X: module init ret=0
[ 4.746678] mmc1: card claims to support voltages below the defined range. These will be ignored.
[ 4.767516] mmc1: new SDIO card at address 0001
[ 4.776938] RTL871X: ++++++++rtw_drv_init: vendor=0x024c device=0xf179 class=0x07
[ 4.845216] RTL871X: HW EFUSE
[ 4.848307] RTL871X: hal_com_config_channel_plan chplan:0x20
[ 5.074321] RTL871X: rtw_regsty_chk_target_tx_power_valid return _FALSE for band:0, path:0, rs:0, t:-1
[ 5.111298] RTL871X: rtw_ndev_init(wlan0) if1 mac_addr=78:11:dc:79:e5:07
udhcpc: started, v1.29.0.git
udhcpc: sending discover
[ 8.609902] RTL871X: rtw_set_802_11_connect(wlan0) fw_state=0x00000008
[ 8.616979] connect:wifi-namai(10)
[ 9.319201] RTL871X: start auth
[ 9.325337] RTL871X: auth success, start assoc
[ 9.334577] bssid:74:9d:79:78:c5:7a
[ 9.338181] channel error8093603c(2412),8093612c(2437)
[ 9.343515] bssid:b0:98:2b:13:87:3a
[ 9.347112] channel error8093603c(2412),8093612c(2437)
[ 9.352414] bssid:b0:98:2b:13:87:3b
[ 9.356007] channel error8093603c(2412),8093612c(2437)
[ 9.361309] bssid:34:27:92:35:1d:e2
[ 9.364901] channel error809360fc(2432),8093612c(2437)
[ 9.370187] bssid:60:35:c0:27:a6:8e
[ 9.373789] is bss
[ 9.375873] RTL871X: assoc success
[ 9.379695] RTL871X: recv eapol packet
[ 9.384113] conn: (null) channel:0
[ 9.387717] bssid:60:35:c0:27:a6:8e, ssid:wifi-namai(10)
[ 9.395260] bssid:74:9d:79:78:c5:7a
[ 9.398861] bssid:b0:98:2b:13:87:3a
[ 9.402493] bssid:b0:98:2b:13:87:3b
[ 9.406085] bssid:34:27:92:35:1d:e2
[ 9.409675] bssid:60:35:c0:27:a6:8e
[ 9.413282] is bss
[ 9.422689] RTL871X: send eapol packet
[ 9.441836] RTL871X: recv eapol packet
[ 9.448632] RTL871X: send eapol packet
[ 9.456123] RTL871X: set pairwise key camid:4, addr:60:35:c0:27:a6:8e, kid:0, type:AES
[ 9.468979] RTL871X: set group key camid:5, addr:60:35:c0:27:a6:8e, kid:1, type:AES
udhcpc: sending discover
udhcpc: sending select for 192.168.1.60
udhcpc: lease of 192.168.1.60 obtained, lease time 86400
[ 10.825726] jz_codec_register: probe() successful!
[ 11.181363] dma dma0chan24: Channel 24 have been requested.(phy id 7,type 0x06 desc a0f1a000)
[ 11.190653] dma dma0chan25: Channel 25 have been requested.(phy id 6,type 0x06 desc a0ef1000)
[ 12.254455] motor_probe731
[ 12.277428] name : i2c-gpio1 nr : 1
[ 12.283598] name : i2c0 nr : 0
[ 12.348065] sensor_read: addr=0xa value = 0xf
[ 12.353079] sensor_read: addr=0xb value = 0x23
[ 12.357754] info: success sensor find : jxf23
[ 12.521130] register all isp device successfully!
[ 12.531007] @@@@ tx-isp-probe ok @@@@@
Starting Auto Night Detection
Starting v4l2rtspserver-master
/system/sdcard/run.sh: line 245: /system/sdcard/config/userscripts/startup/*: not found
[ 14.832536] name : i2c-gpio1 nr : 1
[ 14.836139] name : i2c0 nr : 0
[ 15.277716] sensor_read: addr=0xa value = 0xf
[ 15.283090] sensor_read: addr=0xb value = 0x23
[ 15.287770] info: success sensor find : jxf23
[ 15.292503] misc sinfo_release
[ 15.313390] set sensor gpio as PA-low-10bit
[ 15.471976] jxf23 0-0040: jxf23 chip found @ 0x40 (i2c0)
[ 15.477450] tx_isp: Registered sensor subdevice jxf23 0-0040
[ 15.825501] ###### image_tuning_v4l2_open 4219 #######
[ 15.859768] &&& chan1 scaler.max_width = 1920 max_height = 1080 min_width = 128 min_height = 128 &&&
[ 16.781002] codec_set_device: set device: MIC...
```
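Added example (not part of the thread or of the project's code): a host-side check that the files produced by the `dd` commands earlier in the thread match the `mtdparts` layout in the kernel command line of the boot log above. The 16 MiB flash size (from the GD25Q128 part the log detects), the uImage and squashfs header checks, and all function names are assumptions of this example.

```python
import re

# mtdparts value copied from the kernel command line in the boot log above.
MTDPARTS = ("jz_sfc:256k(boot),2048k(kernel),3392k(root),640k(driver),"
            "4736k(appfs),2048k(backupk),640k(backupd),2048k(backupa),"
            "256k(config),256k(para),-(flag)")
FLASH_SIZE = 16 * 1024 * 1024  # assumption: GD25Q128 = 128 Mbit SPI NOR
# dd output names from the thread, in mtdblock0..mtdblock10 order.
DUMP_NAMES = ["uboot", "kernel", "rootfs", "driver", "appfs", "backupk",
              "backupd", "backupa", "config", "para", "flag"]
# Assumed leading bytes: uImage header (kernel), little-endian squashfs (root).
MAGIC = {"kernel": b"\x27\x05\x19\x56", "rootfs": b"hsqs"}
UNITS = {"": 1, "k": 1024, "m": 1024 * 1024}

def parse_mtdparts(spec, flash_size):
    """Return [(mtdblock index, name, offset, size)] for an mtdparts value."""
    layout, offset = [], 0
    for index, part in enumerate(spec.partition(":")[2].split(",")):
        m = re.fullmatch(r"(-|\d+)([kKmM]?)\((\w+)\)", part.strip())
        if not m:
            raise ValueError(f"unparsable partition entry: {part!r}")
        size_txt, unit, name = m.groups()
        # "-" means "rest of the flash"; it only makes sense as the last entry.
        size = (flash_size - offset if size_txt == "-"
                else int(size_txt) * UNITS[unit.lower()])
        if size <= 0 or offset + size > flash_size:
            raise ValueError(f"{name} does not fit in the flash")
        layout.append((index, name, offset, size))
        offset += size
    return layout

def check_dump(layout, dumps):
    """dumps maps a dd output name to its bytes; returns problem strings."""
    problems = []
    for (index, _, _, size), out in zip(layout, DUMP_NAMES):
        data = dumps.get(out)
        if data is None:
            problems.append(f"{out}.bin: missing (mtdblock{index})")
        elif len(data) != size:
            problems.append(f"{out}.bin: {len(data)} bytes, expected {size}")
        elif out in MAGIC and not data.startswith(MAGIC[out]):
            problems.append(f"{out}.bin: unexpected header {data[:4].hex()}")
    return problems

def sample_dumps(layout):
    """Constructed stand-in for real dump files: right sizes, right magic."""
    return {out: MAGIC.get(out, b"").ljust(size, b"\xff")
            for (_, _, _, size), out in zip(layout, DUMP_NAMES)}

if __name__ == "__main__":
    layout = parse_mtdparts(MTDPARTS, FLASH_SIZE)
    dumps = sample_dumps(layout)
    dumps["rootfs"] = dumps["rootfs"][:1024]  # simulate a truncated copy
    print(check_dump(layout, dumps))
```

For a real dump, build `dumps` by reading each `.bin` file copied off the SD card; the computed kernel offset of 0x40000 should match the `SF: 2621440 bytes @ 0x40000` read in the log.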
:heart:
Still running stable?
Hello, I haven't left the camera on for the day. I replugged it one hour ago and it is running smoothly. Only recording is "NOK". The RTSP stream in MJPEG doesn't seem to work. At least I cannot access it with VLC, which I can with H264.
Do you know if there is a direct link to get a preview with the login/pwd in the address to avoid having to authenticate? Is there a link for an HTTP address for RTSP MJPEG instead of the RTSP link?
What are the next steps ? Do you need other tests before creating a cfw bin dedicated for Xiaofang 1S T20L ?
uptime 19hrs. But I cannot really push it to check it more.
Can someone else give it a try?
I have a T20L and can have a crack at it but not until early next week.
I will try tomorrow
Firmware 5.6.2.77 - I can't upload a hack. Is the fw version too high? I copy demo.bin to the 1GB SD card. (I tried 32GB too.) He proceeds as described but later on the card is only found ...
@majdzik84 Difficult to say, more likely you messed up the timings somehow. Was the sdcard completely empty, also no hidden files?
@jmtatsch Hooray! I have changed the drivers to the ones you provided. What now? observe?
Exactly
in addition to observe, do you need some logs or outputs to validate something before creating a cfw bin dedicated for Xiaofang 1S T20L ?
I received a new Xiaomi Xiaofang 1S T20(L) in the mail today. On the label there is a small date "2019.07" which seems to be the production date. I flashed it with the latest firmware_mod and replaced the drivers as described above. Everything went smoothly and so far the camera works without problems. Webapp works as expected and I can also watch the h264 stream in VLC. Been streaming for about an hour so far.
I'm not sure it's the "L" model though. Is there a way I can check the CPU model without taking a peek inside? Maybe a shell command? I poked around /proc a little but could not find anything definitive in comparison to a one year old Dafang.
I'll receive another Xiaofang camera next week. If there is anything I can do to help before applying the mod let me know.
Hi As all new Xiaomi Xiaofang 1S have T20L chip that does not work well with current dafang hack, is it planned soon to support officially new Xiaomi Xiaofang 1S T20L ?