search

EliasKotlyar / Xiaomi-Dafang-Hacks

4.19k stars 1k forks source link

Support for China Eyes360 #1225

Closed paultbarrett closed 4 years ago

paultbarrett commented 4 years ago

Purchased a China Eyes360 camera from Aliexpress

image

Opened it up and found that it has a T21 chip and not a T10/T20

Serial interface seen at the bottom.

2019-11-27 21_50_03-Photos

Have not had much luck in getting root yet. Followed the instructions here but modified the boot environment to reflect the current one with the exception of /bin/sh https://github.com/EliasKotlyar/Xiaomi-Dafang-Hacks/blob/master/hacks/getroot.md

When booting with the follow boot arguments it just reboots.

setenv bootargs console=ttyS1,115200n8 mem=39M@0x0 rmem=25M@0x2700000 init=/bin/sh rootfstype=squashfs root=/dev/mtdblock2 rw mtdparts=jz_sfc:512K(boot),1600k(kernel),2816k(root),1536k(user),832k(web),896k(mtd)

Extract from serial

isvp_t21# boot
the manufacturer ef
SF: Detected W25Q64

--->probe {pend 4 ms
SF: 2621440 bytes @ 0x80000 Read: OK
--->read spend 423 ms
## Booting kernel from Legacy Image at 80600000 ...
   Image Name:   Linux-3.10.14__isvp_turkey_1.0__
   Image Type:   MIPS Linux Kernel Image (lzma compressed)
   Data Size:    1503922 Bytes = 1.4 MiB
   Load Address: 80010000
   Entry Point:  803a6fb0
   Verifying Checksum ... OK
   Uncompressing Kernel Image .>. OK
(Len of pw_cmdline):194,(Len of pw_cmdinfo):214
pw_cmdline:console=ttyS1,115200n8 mem=39M@0x0 rmem=25M@0x2700000 init=/bin/sh rootfstype=squashfs root=/dev/mtdblock2 rw mtdparts=jz_sfc:512K(boot),1600k(kernel),2816k(root),1536k(user),832k(web),896k(mtd)
pw_cmdinfo:HWID=0000000000000000000000000000000000000000 ID=0000000000000000000000000000000000 SSID_NAME=QC8 SSID_VALUE=12345678 MAC=40:6A:8E:5B:55:14 IP=192.168.31.174 SENSOR=140A WIFI=8188FTV TYPE=T21L ipncuart=1 ipncauto=1

Starting kernel ...

Any idea's ??

TheExpertNoob commented 4 years ago

My eyes360 is based of a T20, 32MB. If I can get it working on this one, it should work on yours. Working on obtaining root right now but having the same problem obtaining root.

setenv bootargs console=ttyS1,115200n8 mem=32M@0x0 ispmem=11M@0x2000000 rmem=21M@0x2B00000 init=/bin/sh rootfstype=squashfs root=/dev/mtdblock2 rw mtdparts=jz_sfc:512K(boot),1600k(kernel),2816k(root),1536k(user),832k(web),896k(mtd),-(flag) 

isvp_t20# printenv
HWID=0000000000000000000000000000000000000000
ID=0000000000000000000000000000000000
IP=192.168.9.111
MAC=40:6A:8E:21:01:C3
SENSOR=4236
SSID_NAME=QC2
SSID_VALUE=12345678
TYPE=T20L
WIFI=8188FTV
baudrate=115200
bootargs=console=ttyS1,115200n8 mem=32M@0x0 ispmem=11M@0x2000000 rmem=21M@0x2B00000 init=/linuxrc rootfstype=squashfs root=/dev/mtdblock2 rw mtdparts=jz_sfc:512K(boot),1600k(kernel),2816k(root),1536k(user),832k(web),896k(mtd)
bootcmd=sf probe;sf read 0x80600000 0x80000 0x280000; bootm 0x80600000
bootdelay=1
ethact=Jz4775-9161
ethaddr=40:6A:8E:21:01:C3
gatewayip=193.169.4.1
ipaddr=193.169.4.81
ipncauto=1
ipncuart=1
loads_echo=1
netmask=255.255.255.0
serverip=193.169.4.2
stderr=serial
stdin=serial
stdout=serial
paultbarrett commented 4 years ago

Any luck getting root. I have tried with a number of different bootargs specifying different serial ports ttyS0 / ttyS0 and I cannot get any console after Starting kernel ...

What did you mean by

My eyes360 is based of a T20, 32MB. If I can get it working on this one, it should work on yours.

From what I understand a custom firmware which matches the hardware is first required before the camera will then boot from SD and run CFW.

https://github.com/EliasKotlyar/Xiaomi-Dafang-Hacks/blob/master/hacks/faq.md

This custom firmware which allows for booting from the SDCard is hardware specific / device specific and is not generic.

As far as I know there is no T21L supported device yet.

paultbarrett commented 4 years ago

Anyone have any ideas on how to progress this one

paultbarrett commented 4 years ago

Ok, so an update on this.

I managed to get root in a very roundabout way. I removed removed the flash chip 25Q64JVS10 and used a ch341a to dump the contents.

Did some digging through binwalk and using information in uboot I was able to work out the split for the relevent filesystems and the kernel file.

I modified the start.sh file located in /user/init to start telnetd. Repacked the squashfs filesystem and then reflashed it back to the camera with u-boot.

I also did not touch the original flash chip (for safety) but replaced it with a bigger 25Q128 one.

Now i can telnet to the camera and get a root shell session.

Now working on getting the new firmware working

paultbarrett commented 4 years ago

Loaded up firmware_mod without much luck. Web page works but no video feed nor any motor control.

Attached is the dump from flash. @EliasKotlyar, could you assist ?

dump.zip

jmichault commented 4 years ago

Hello, I have purchased on aliexpress a "shiningpo ipcam-100 model DID-N43P-400". image This camera has the following features: CPU : ingenic T21 (like yours). CMOS sensor : gc2053. linux kernel : 3.10.14isvp_turkey_1.0 (like yours)

At boot a telnet daemon run on port 9527 for 5 minutes, user=root password=jco66688, so i have root access without opening the camera (Have you tried telnet with your camera ?).

I have tried to install executables from the firmware_mod with same result as you : Web page works but no video feed nor any motor control.

I have also solved my motor problem, but your motors are not the same as mine (you have a module named steppermotor.ko, and i have a motor.ko).

Running manually v4l2rtspserver-master gives the following errors : 

ImpEncoder.cpp:984    ERR| ##### sensor not found
ImpEncoder.cpp:997      0| Found Sensor with ID:-1
ImpEncoder.cpp:1017   ERR| failed to open ISP
ImpEncoder.cpp:710    ERR| IMP_System_Init() failed

I have solved "failed to open ISP" by replacing libimp.so from firmware_mod by libimp.so from my original firmware : libimp.zip

This can help you, as i have seen you don't have libimp.so in your original firmware.

Now I am trying to get my sensor recognized by v4l2rtspserver-master.

sperglord8008s commented 4 years ago

Loaded up firmware_mod without much luck. Web page works but no video feed nor any motor control.

Attached is the dump from flash. @EliasKotlyar, could you assist ?

dump.zip

maybe the bootcmd probes the memory address and then just overwrites any changes to made to bootargs on reboot?

"bootcmd=sf probe;sf read 0x80600000 0x80000 0x280000; bootm 0x80600000"

why not read out the memory and check if setenv changes the address

stale[bot] commented 4 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

NicolaiVdS commented 4 years ago

@paultbarrett any updates on this ? i happen to have the same camera

paultbarrett commented 4 years ago

Nah, I gave up.

Sent from Outlook Mobilehttps://aka.ms/blhgte

From: Nicolai Van der Storm notifications@github.com Sent: Sunday, May 31, 2020 8:48:32 PM To: EliasKotlyar/Xiaomi-Dafang-Hacks Xiaomi-Dafang-Hacks@noreply.github.com Cc: Paul Barrett pbarrett@bitsystems.com.au; Mention mention@noreply.github.com Subject: Re: [EliasKotlyar/Xiaomi-Dafang-Hacks] Support for China Eyes360 (#1225)

@paultbarretthttps://github.com/paultbarrett any updates on this ? i happen to have the same camera

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHubhttps://github.com/EliasKotlyar/Xiaomi-Dafang-Hacks/issues/1225#issuecomment-636454028, or unsubscribehttps://github.com/notifications/unsubscribe-auth/AFQMVDXLIDQJWQPWVOCXLMDRUIYYBANCNFSM4JSFBJGQ.

NicolaiVdS commented 4 years ago

Nah, I gave up. Sent from Outlook Mobilehttps://aka.ms/blhgte

Shame cuz im also stuck i can see the output but cant send any commands

paultbarrett commented 4 years ago

Yeh that isn't the difficult part The hardware is different so the stuff to access the camera, control the motors are not supported.

I got shell into the device by physically removing the flash, dumping the filesystem, adding in telnetd to RC.local then reflasing and finally resoldering.

You could do this in uboot but I actually replaced the flash with a new chip so I could go back if I ended up bricking it as the firmware wasn't available anywhere.

Sent from Outlook Mobilehttps://aka.ms/blhgte

vasyok-92 commented 4 years ago

Hello! Dear paultbarrett could you share the dump of the flash drive of the original image? After the arrival of the camera with aliexpress, it does not turn on. By UART log: U-Boot SPL 2013.07 (Jan 25 2019 - 18:09:46) Timer init CLK stop PLL init pll_init:399 pll_cfg.pdiv = 10, pll_cfg.h2div = 5, pll_cfg.h0div = 5, pll_cfg.cdiv = 1, pll_c fg.l2div = 2 fbdiv = 36 , refdiv = 1 , fdivq = 2 ,pllod = 1 range = 3 cppcr is 02300860 CPM_CPAPCR 0470484d fbdiv = 38 , refdiv = 1 , fdivq = 2 ,pllod = 1 range = 3 cppcr is 02500860 CPM_CPMPCR 04a0484d fbdiv = 50 , refdiv = 1 , fdivq = 2 ,pllod = 1 range = 3 cppcr is 03100860 CPM_CPVPCR 0310086d cppcr 0x9a773310 apll_freq 864000000 mpll_freq 900000000 vpll_freq = 1200000000 ddr sel mpll, cpu sel apll ddrfreq 450000000 cclk 864000000 l2clk 432000000 h0clk 180000000 h2clk 180000000 pclk 90000000 CLK init SDRAM init sdram init start ddr_inno_phy_init ..! phy reg = 0x00000007, CL = 0x00000007 ddr_inno_phy_init ..! 11: 00000004 ddr_inno_phy_init ..! 22: 00000006 ddr_inno_phy_init ..! 33: 00000006 REG_DDR_LMR: 00000210 REG_DDR_LMR: 00000310 REG_DDR_LMR: 00000110 REG_DDR_LMR, MR0: 00d73011 T30_0x5: 00000007 T30_0x15: 0000000c T30_0x4: 00000000 T30_0x14: 00000002 INNO_TRAINING_CTRL 1: 00000000 INNO_TRAINING_CTRL 2: 000000a1 T30_cc: 00000003 INNO_TRAINING_CTRL 3: 000000a0 T30_118: 0000003c T30_158: 0000003c T30_190: 00000020 T30_194: 0000001f jz-04 : 0x00000051 jz-08 : 0x000000a0 jz-28 : 0x00000024 DDR PHY init OK INNO_DQ_WIDTH :00000003 INNO_PLL_FBDIV :00000014 INNO_PLL_PDIV :00000005 INNO_MEM_CFG :00000051 INNO_PLL_CTRL :00000018 INNO_CHANNEL_EN :0000000d INNO_CWL :00000006 INNO_CL :00000007 DDR Controller init DDRC_STATUS 0x80000001 DDRC_CFG 0x0a688a40 DDRC_CTRL 0x0000891c DDRC_LMR 0x00400008 DDRC_DLP 0x00000000 DDRC_TIMING1 0x040e0706 DDRC_TIMING2 0x02150607 DDRC_TIMING3 0x2006051b DDRC_TIMING4 0x17240031 DDRC_TIMING5 0xff060405 DDRC_TIMING6 0x32150505 DDRC_REFCNT 0x00da5a01 DDRC_MMAP0 0x000020fc DDRC_MMAP1 0x00002400 DDRC_REMAP1 0x03020100 DDRC_REMAP2 0x07060504 DDRC_REMAP3 0x0b0a0908 DDRC_REMAP4 0x0f0e0d0c DDRC_REMAP5 0x13121110 DDRC_AUTOSR_EN 0x00000000 sdram init finished SDRAM init ok board_init_r image entry point: 0x80100000

U-Boot 2013.07 (Jan 25 2019 - 18:09:46)

Board: ISVP (Ingenic XBurst T21 SoC) DRAM: 64 MiB Top of RAM usable for U-Boot at: 84000000 Reserving 446k for U-Boot at: 83f90000 Reserving 32832k for malloc() at: 81f80000 Reserving 32 Bytes for Board Info at: 81f7ffe0 Reserving 124 Bytes for Global Data at: 81f7ff64 Reserving 128k for boot params() at: 81f5ff64 Stack Pointer at: 81f5ff48 Now running in RAM - U-Boot at: 83f90000 MMC: msc: 0 the manufacturer ef SF: Detected W25Q64

*** Warning - bad CRC, using default environment

In: serial Out: serial Err: serial Net: cpm_mphyc_rst = 0x00000000 cpm_mphyc = 0x00000000 ====>GMAC failed to reset! Jz4775-9161 Card did not respond to voltage select! Bad device mmc 0 fs_set_blk_dev failed platform:,sensor:,bootargs:console=ttyS1,115200n8 mem=39M@0x0 rmem=2 5M@0x2700000 init=/linuxrc rootfstype=squashfs root=/dev/mtdblock2 rw mtdparts=j z_sfc:512K(boot),1600k(kernel),2816k(root),1536k(user),832k(web),896k(mtd) Hit any key to stop autoboot: 0 the manufacturer ef SF: Detected W25Q64

--->probe spend 4 ms SF: 2621440 bytes @ 0x80000 Read: OK --->read spend 423 ms

Booting kernel from Legacy Image at 80600000 ...

Image Name: Linux-3.10.14isvp_turkey_1.0 Image Type: MIPS Linux Kernel Image (lzma compressed) Data Size: 1585000 Bytes = 1.5 MiB Load Address: 80010000 Entry Point: 803669e0 Verifying Checksum ... OK Uncompressing Kernel Image ... OK (Len of pw_cmdline):195,(Len of pw_cmdinfo):105 pw_cmdline:console=ttyS1,115200n8 mem=39M@0x0 rmem=25M@0x2700000 init=/linuxrc r ootfstype=squashfs root=/dev/mtdblock2 rw mtdparts=jz_sfc:512K(boot),1600k(kerne l),2816k(root),1536k(user),832k(web),896k(mtd) pw_cmdinfo:HWID=0000000000000000000000000000000000000000 ID=00000000000000000000 00000000000000 ipncuart=1 ipncauto=1

Starting kernel ...

ferbar commented 4 years ago

For anyone googling for Sannce I41GH: It's having a T21, too

BiatuAutMiahn commented 3 years ago

The Wyze Cam V3 has the same image sensor

prazsmarid commented 2 years ago

Loaded up firmware_mod without much luck. Web page works but no video feed nor any motor control.

Attached is the dump from flash. @EliasKotlyar, could you assist ?

dump.zip

Dear Paul, Can you send the original or the modified dump in .bin format? Thanks in advance.