alienatedsec / yi-hack-v5

Even newer Custom Firmware for Xiaomi Cameras based on Hi3518ev200 Chipset. It includes free RTSP, ONVIF and other improvements based on the work by roleoroleo
GNU General Public License v3.0

Help with identifying the camera #195

Closed NiiiYaa closed 1 year ago

NiiiYaa commented 2 years ago

Help with identifying the camera

I wish to apply the right 'hack' so I need to identify the camera. The camera was bought on AliExpress - "no brand". Works with the "YI IOT" app. On GoogleHome identifies itself as: "xiaoyi".

Firmware: 6.0.05. 10_202112100938

ID: "A1769004DDT2Q6220729"

Motherboard: Looks like this: image image

Chip 1: ANYKA AK3918EN080 V200 CDSJ21F22

Chip 2: SV6256P TAC2204 IR498B5 -- I might be 1 -- B might be 8

Chip3: OK291323 ULN2803VS -- 8 might be B

Camera looks like this: image

ghost commented 1 year ago

Ok, can you be more precise about what "don't work for me"? I wrote that redirection stderr to null works only when the designer of the app understands Linux principles and will not s... debug messages to stdout. If they mix and send debug messages to stdout and stderr then you have got the following options:

  1. redirect stdout and stderr to null

         cmd > /dev/null 2>&1

     but then YOU WILL see nothing
  2. Send an email to developers asking them to redesign the code so that error or debug messages will be only printed when some argument/key will be used to switch mode, typically for Unix it is -v or -d. Good luck to you if they will implement your request :)

d0gleg commented 1 year ago

Yeh, I was trying to redirect stderr to /dev/null when I saw your message. Just a coincidence :) I was hoping that if I type "command 2> /dev/null" at the command prompt then it would work. I'm not sure if I'm using the correct syntax at the command prompt. I was just reporting that it was not working for me. I understand and agree with what you had said.

My linux days are long time over. I at best have dabbled with linux, and unix before that :)

ghost commented 1 year ago

I am surprised because the concept of pipe is not new. It was used in VMS, Unix even Windows/DOS so I am surprised that it does not work. If you redirect the stderr and stdout as follows

    cmd > /dev/null 2>&1

then you will not see any messages. Just to verify what I am saying, I have created the script sending every second hello message to std and err pipes. Then I sent it to the background and the messages popup even prompt was ready to accept the new command. I repeated the script piping to null and nothing was on the screen.

I am guessing that you are thinking about redirection std/err of running images, yes you can but it is a little more complex: https://stackoverflow.com/questions/593724/redirect-stderr-stdout-of-a-process-after-its-been-started-using-command-lin

Next time please be a little precise about what you want to achieve because many who will try to help don't know your level of Unix knowledge.
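The redirection cases discussed in the comments above, as an added example that is not part of the original thread: it counts how many lines still reach the console for each redirection, including the swapped order `2>&1 >/dev/null`, and shows that redirecting a new command does nothing to a job that was started earlier. The function names and the temp file standing in for the console are assumptions made for the illustration.

```shell
#!/bin/sh
# Constructed stand-in for a chatty program: one line to stdout, one to stderr.
noisy() {
    echo "hello stdout"
    echo "hello stderr" >&2
}

# Run noisy under one redirection and report how many of its lines still reach
# the console. A temp file stands in for the console so the count can be read back.
visible_lines() {
    term=$(mktemp)
    case "$1" in
        none)    noisy ;;
        stderr)  noisy 2>/dev/null ;;
        both)    noisy >/dev/null 2>&1 ;;
        swapped) noisy 2>&1 >/dev/null ;;   # wrong order: stderr is duplicated first
    esac >"$term" 2>&1
    wc -l <"$term" | tr -d ' '
    rm -f "$term"
}

# A job started earlier keeps its own descriptors. Redirecting a later command
# only changes that later command, so the earlier job's output is still visible.
already_running() {
    term=$(mktemp)
    noisy >"$term" 2>&1 &          # "daemon" already attached to the console
    bg=$!
    noisy >/dev/null 2>&1          # the command typed afterwards, fully silenced
    wait "$bg"
    wc -l <"$term" | tr -d ' '
    rm -f "$term"
}

for mode in none stderr both swapped; do
    echo "$mode: $(visible_lines "$mode") line(s) visible"
done
echo "job started before the redirect: $(already_running) line(s) visible"
```
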

ghost commented 1 year ago

I need your help, I bought a new camera that supports ONVIF and RTPS services. I would like to dump flash partitions to a file in order to share with you but the camera uses telnet (which is enabled) with username and password. I have tried to use Hydra to crack the password using default usernames and passwords downloaded from the Internet but after 2 days Hydra gave up. Obviously, I could use "a hammer or stone" approach to open it and solder USB UART but I am not sure that concept makes any sense. Anyka camera init script has commented out log-in via getty and as such you can connect via UART otherwise I am s..... See source code in rcS

    #ttySAK0::respawn:/sbin/getty -L ttySAK0 115200 vt100 # GENERIC_SERIAL
    ttySAK0::respawn:-/bin/sh

The camera uses CareCamPro software. The sticker says that the username and password is admin/admin123456 but those credentials are valid for ONVIFS, not generic Telnet login. Any support in this matter is highly appreciated.

d0gleg commented 1 year ago

Thanks haps-basset, noted. Yeh, I also noticed that the command prompt had disappeared. I've used redirection very rarely over the years. I was hoping for a quick and nasty way of removing the messages from the console. I had the impression that AILIFE4798 had a similar issue to me. The other option I was hoping to explore was to kill off some of the processes.

BTW I've got a lot to learn about internet etiquette. Thanks for your kind words. I see you mentioned VMS. In case you're talking about the old VAX computers, I worked on VAXs on and off for 20 years. Before that I spent a few years on Gould minicomputers.

d0gleg commented 1 year ago

I see your last message. In case you're talking to me, I'll have a look at what I can find out. But at my rate somebody else may (hopefully) jump in....

ghost commented 1 year ago

I love VMS, It was designed by engineers for engineers, with a limited number of well-documented commands, not Unix BS but that is history. Sorry for the misunderstanding, I addressed my previous post to all members, readers etc. hoping that we would be able to crack the b.. and get a workable solution. I have installed a few of those cameras in-house and they work well but I don't like Chinese spyware :(. I am not going to force or tell you what to do but consider usage strace for browsing what's happened during an app execution. You will be able to find what the app uses during the run e.g. drivers, memory usage etc. Based on my studies of some SDKs parts because I was never able to find a full set of SDKs, I ended up with some primitive picture of our camera architecture. Since lsmod shows installed kernel modules, I am guessing that one is for the control sensor; frame oriented and the second to stream frames. In a nutshell, the stream-oriented driver pushes the frames and the "sensor" driver allows to pull frames from the sensor by applications. I am sorry that I am telling you obvious BS because as a VMS dude, you know what is pull/push device :) My problem is that I don't know how to initiate or use the bloody stream device. Having this component under control we would be able via v4l mechanism connect the camera's sensor stream to any applications. I am not keen to replicate or develop a new streaming device that would not be compatible with most media apps. Anyway, I am so happy that I met another DEC head although some spelled it in a different way :)

AILIFE4798 commented 1 year ago

I had the impression that AILIFE4798 had a similar issue to me. The other option I was hoping to explore was to kill off some of the processes.

yes i do. and yes you can kill the main app to stop the message but for someone using windows im not skilled enough to do so ill try the redirection later and hope for the best

ghost commented 1 year ago

Just a few hints:

  1. To find what is running use ps. Unfortunately, Anyka ps is very limited. An alternative is top, but I am not sure if the top is part of the release or I compiled it 4 myself.
  2. To kill an application you can use the following command

         kill -SIGNAL app ID

     where id is the id of the app that you found using ps, signal use -9. The alternative is

         pkill name of the app

Note: Some apps for example anyka_ipc spawn a sub-process with watchdog which will re-spawn it so it is not that easy to kill it if you do not kill them in particular

d0gleg commented 1 year ago

I use "ps -aef" out of habit. It'll show you a little more than "ps". Yeh, I spent a good hour randomly killing processes with all sorts of unpredictable results including respawning.

ps -aef.txt

d0gleg commented 1 year ago

I might have already killed off a couple of processes in that listing

ghost commented 1 year ago

I have killed a few processes and scripts and that is my ps. (I removed from ps dump kernel threads)

    1 root 0:00 init
    356 root 0:00 /usr/bin/tcpsvd 0 21 ftpd -w / -t 600
    357 root 0:00 syslogd -D -n -O /var/log/messages -s 200 -b 3
    358 root 0:00 klogd -n
    390 root 0:00 -/bin/sh
    398 root 0:00 {config.sh} /bin/sh /mnt/debug/config.sh
    402 root 0:02 telnetd
    406 root 0:08 /bin/sh -x /usr/sbin/wifi_run.sh
    478 root 0:00 wpa_supplicant -B -iwlan0 -Dwext -f /tmp/wpa_log -c /etc/jffs2/wpa_supplicant.conf
    555 root 0:00 udhcpc -i wlan0
    611 root 0:00 /bin/login
    614 root 0:02 -sh
    3102 root 0:00 sleep 1
    3103 root 0:00 ps aux

The kernel threads (those in []) can only be removed by rmmod

d0gleg commented 1 year ago

The kernel threads (those in []) can only be removed by rmmod

That's interesting. I'll have a look at that

ghost commented 1 year ago

The kernel threads are those that are executed or started by the module loader. To see what creates the kernel thread run lsmod

ghost commented 1 year ago

To find more about kernel modules and Linux architectures read https://www.wiley.com/en-au/Professional+Linux+Kernel+Architecture-p-9780470343432

It is a very good book. A good introduction to the development of embedded Linux systems is https://www.oreilly.com/library/view/building-embedded-linux/9780596529680/ It is a little obsolete but still ok

d0gleg commented 1 year ago

I've attached a copy of my boot log. It's similar to what AILIFE4798 uploaded earlier. Hopefully I've redacted all identifying keys and passwords, and I've changed all mac addresses. This log is for a V200 camera with wifi only.

I noticed a line down at the end of the log stating, "check_sd_exist not find tf card!". I've previously noticed some talk about placing certain files in the root directory of the SD card. I'm going to explore that for now. I'm still not game to remove the flash to do a dump. I'm hoping I can achieve a dump from the console. I just have to stop those pesky messages.

ghost commented 1 year ago

I have been using this method for almost 2 years ... Works 4 me. It requires a sd micro card and after setting config.sh file in debug directory on sd card or /mnt, you will be able to get telnet access to the camera. I am not going to repeat myself, I posted how to a few posts before.

d0gleg commented 1 year ago

Ok, sounds good. I'll have a look at it tomorrow. Here's the log.

ak3918ev200_bootlog.txt

filder35 commented 1 year ago

haps-basset Thank you very much for the literature links. I will definitely read it. I don't have enough knowledge to master Linux systems.

d0gleg To connect to my wifi network, I changed in the file /etc/jffs2/anyka_cfg.ini

    [wireless]
    ssid = "your SSID"
    mode = Infra
    security = 3
    password = "your password"
    running = softap

since I collected the firmware piece by piece, I don't have an SD connection, the information here helped me a lot: https://github.com/EliasKotlyar/Xiaomi-Dafang-Hacks/issues/1672

d0gleg commented 1 year ago

[haps-basset] To find more about kernel modules and Linux architectures read https://www.wiley.com/en-au/Professional+Linux+Kernel+Architecture-p-9780470343432

I actually had the first edition of that book. It was a very good read. I wrote a couple of simple device drivers at the time. I think it's a lot more complex nowadays. Security has ruined everything ;)

ghost commented 1 year ago

Yes, it is not a bad book, actually not so much about Linux internals apart from Internet noise. I learnt to develop Unix drivers based on Sun Microsystem documentation and those were wonderful although DEC books about True Unix were even better. The Linux book I used as a reference, overall the concept is the same. I would not say that new development is more clever than before, adding a new layer of code without understanding architecture leads to bloated very complex code. In most cases, the protection is implemented only to protect the system against arrogance and stupidity. At least that is my view. In the past, computer systems were managed by highly paid and well-trained specialists, not pretenders who claim that they are experts because they were able to install and compile kernels. That is only my view, now I am retired and I don't give a ..... :) All the best with your fight with Anyka kernel.

AILIFE4798 commented 1 year ago

ak3918ev300_processes.txt

this is the result i got from ps. what should i do to remove dependency from cloud? i need to kill the main app eventually right, how can i know which one is it? i have no idea what im doing rn but i have full dump so nothing can possibly go wrong

filder35 commented 1 year ago

/mnt/mtd/stopallapp.sh

filder35 commented 1 year ago

and try to edit the file nvipcstart.sh: comment out as9nvserver, as9updatednsip, log_server, eventhub_core. if you don't know how to edit in the terminal, write, I will make an instruction

filder35 commented 1 year ago

    if [ "$debug" == "0" ]
    then
        ulimit -s 1024

        /mvs/apps/hwwtd 3&

        #/mvs/apps/eventhub_core &
        sleep 2
        #/mvs/apps/vsipbroadcast > /dev/null &
        #/mvs/apps/as9nvserver &
        #/mvs/apps/as9updatednsip &
        sleep 1
        /mvs/apps/recorder &
        /mvs/apps/mvrtsp 1 &
        #/mvs/apps/log_server &
        /mvs/apps/mqtt_test &

filder35 commented 1 year ago

and try to run /mvs/apps/mvrtsp start

filder35 commented 1 year ago

if you manage to stop, try to run /mnt/mtd/wificonf/wifi_softap.sh start

AILIFE4798 commented 1 year ago

i really should go buy some ch340 so i dont need to keep swapping between camera and routers and potentially damage the pads on pcb although my soldering skill i think is ok

filder35 commented 1 year ago

    mnt/mtd/stopallapp.sh start

did the command work?

AILIFE4798 commented 1 year ago

cant try usb serial is on other device

filder35 commented 1 year ago

I strongly do not advise soldering, you can break the board

AILIFE4798 commented 1 year ago

/mnt/mtd/stopallapp.sh

i got killall: udp_broadcast: no process killed

AILIFE4798 commented 1 year ago

The message proceed but it seems like they have restarted. And I've successfully modified a USB ir blaster into USB serial adapter so now I always have one handy

filder35 commented 1 year ago

try one by one

    killall -9 eventhub_core
    killall -2 recorder
    killall -9 as9updatednsip
    killall -9 as9nvserver
    killall -9 udp_broadcast
    killall -9 vsipbroadcast
    killall -9 recorder

AILIFE4798 commented 1 year ago

actually i think its killed and if i try multiple time it will say no process killed but there is still some other app sending messages

filder35 commented 1 year ago

ps w show when processes killed

AILIFE4798 commented 1 year ago

    ps w
    PID USER TIME COMMAND
    1 root 0:00 init
    2 root 0:00 [kthreadd]
    3 root 0:01 [ksoftirqd/0]
    5 root 0:03 [kworker/u:0]
    6 root 0:00 [khelper]
    7 root 0:00 [kdevtmpfs]
    137 root 0:00 [sync_supers]
    139 root 0:00 [bdi-default]
    141 root 0:00 [kblockd]
    147 root 0:00 [khubd]
    164 root 0:00 [cfg80211]
    165 root 0:02 [kworker/0:1]
    181 root 0:00 [rpciod]
    186 root 0:00 [kswapd0]
    234 root 0:00 [fsnotify_mark]
    240 root 0:00 [nfsiod]
    281 root 0:00 [ak-spi]
    290 root 0:00 [mtdblock0]
    299 root 0:00 [mtdblock1]
    304 root 0:00 [mtdblock2]
    309 root 0:00 [mtdblock3]
    314 root 0:00 [mtdblock4]
    319 root 0:00 [mtdblock5]
    324 root 0:00 [mtdblock6]
    329 root 0:00 [mtdblock7]
    334 root 0:00 [mtdblock8]
    360 root 0:00 [deferwq]
    376 root 0:00 [jffs2_gcd_mtd8]
    377 root 0:00 syslogd -D -n -O /var/log/messages -s 200 -b 3
    378 root 0:00 klogd -n
    382 root 0:00 [loop0]
    387 root 0:00 /bin/login -- root
    401 root 0:01 [kworker/u:2]
    438 root 0:00 /mvs/apps/hwwtd 3
    461 root 0:00 /mvs/apps/log_server
    462 root 0:00 /mvs/apps/mqtt_test
    586 root 0:00 [usb_otg_wq]
    624 root 0:00 [RTW_CMD_THREAD]
    2689 root 0:00 [kworker/0:0]
    5939 root 0:00 -sh
    6560 root 0:00 ps w

filder35 commented 1 year ago

    438 root 0:00 /mvs/apps/hwwtd 3
    461 root 0:00 /mvs/apps/log_server
    462 root 0:00 /mvs/apps/mqtt_test

try to kill them too. You can also try

    killall -9 hwwtd
    killall -9 log_server
    killall -9 mqtt_test

ghost commented 1 year ago

AILIFE4798 can you be a little precise about what you want to kill? If you want to kill all processes especially init, then use reboot :) if you want to "kill" processes in "square brackets" then I strongly suggest you read man pages about ps. :) The camera's Linux is a very "castrated" distro and ps -w is not implemented. You can only use the following syntax Usage: ps [-o COL1,COL2=HEADER] [-T], if you want to get more info about the system use top.

AILIFE4798 commented 1 year ago

@filder35 after i killed mqtt and log server it stopped all message

filder35 commented 1 year ago

now try to connect to wifi mnt/mtd/wificonf/wifi_softap.sh start

AILIFE4798 commented 1 year ago

now try to connect to wifi mnt/mtd/wificonf/wifi_softap.sh start

It worked now and won't turn off by itself. But there's still no open port I've scanned

filder35 commented 1 year ago

I understand there are no open ports. Now you need to disable unnecessary applications in boot files: nvipcstart.sh. In terminal type

    vi /mnt/mtd/nvipcstart.sh

click "i" to enable editing. And comment out the following lines as below.

    if [ "$debug" == "0" ]
    then
        ulimit -s 1024
        /mvs/apps/hwwtd 3&

        #/mvs/apps/eventhub_core &

        sleep 2
        #/mvs/apps/vsipbroadcast > /dev/null &
        #/mvs/apps/as9nvserver &
        #/mvs/apps/as9updatednsip &
        sleep 1
        /mvs/apps/recorder &
        /mvs/apps/mvrtsp 1 &
        #/mvs/apps/log_server &
        #/mvs/apps/mqtt_test &

Press to exit "Shift+ ZZ" And you can reboot
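The same edit done without an interactive editor, as an added example that is not part of the original thread and not the vendor's code: it comments out the listed `/mvs/apps` launch lines, keeps a pristine copy, is safe to run twice, and writes back in place so the script stays executable. The sample file is constructed from the fragment quoted above (with a closing `fi` added), and the function names are hypothetical.

```shell
#!/bin/sh
# Comment out selected /mvs/apps launch lines in a start script (idempotent).
disable_services() {
    script=$1; shift
    # Keep one pristine copy so the change can be reverted.
    [ -f "$script.orig" ] || cp -p "$script" "$script.orig"
    for svc in "$@"; do
        # Only lines that start (after indentation) with the binary path match,
        # so lines that are already commented out are left alone.
        sed "s|^\([[:space:]]*\)\(/mvs/apps/$svc[[:space:]&]\)|\1#\2|" "$script" > "$script.tmp"
        # Write back in place so the script keeps its mode (executable bit).
        cat "$script.tmp" > "$script"
        rm -f "$script.tmp"
    done
}

# List the binaries the script would still start.
enabled_services() {
    sed -n 's|^[[:space:]]*/mvs/apps/\([^[:space:]&]*\).*|\1|p' "$1" | tr '\n' ' ' | sed 's/ $//'
}

# Constructed sample: the thread's fragment with every launch line active.
make_sample() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
if [ "$debug" == "0" ]
then
    ulimit -s 1024
    /mvs/apps/hwwtd 3&
    /mvs/apps/eventhub_core &
    sleep 2
    /mvs/apps/vsipbroadcast > /dev/null &
    /mvs/apps/as9nvserver &
    /mvs/apps/as9updatednsip &
    sleep 1
    /mvs/apps/recorder &
    /mvs/apps/mvrtsp 1 &
    /mvs/apps/log_server &
    /mvs/apps/mqtt_test &
fi
EOF
    chmod 700 "$f"
    echo "$f"
}

# Services the thread comments out; hwwtd, recorder and mvrtsp stay enabled.
SERVICES="eventhub_core vsipbroadcast as9nvserver as9updatednsip log_server mqtt_test"

sample=$(make_sample)
disable_services "$sample" $SERVICES
disable_services "$sample" $SERVICES    # second run changes nothing
echo "still started: $(enabled_services "$sample")"
sh -n "$sample" && echo "syntax ok"
rm -f "$sample" "$sample.orig"
```
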

filder35 commented 1 year ago

and output the download log

filder35 commented 1 year ago

then you can edit the file factory_const.ini

    vi /mnt/mtd/mvconf/factory_const.ini

if these lines are not there, add

    rtsp=1

or

    rtsp_enable=1

I don't know what camera you have, on different versions these lines work differently. you can add wallpaper

    reboot
    mnt/mtd/wificonf/wifi_softap.sh start

And you can try to connect to the application

filder35 commented 1 year ago

Don't forget to check the ports. Later I will write how to connect to my local network

AILIFE4798 commented 1 year ago

I understand there are no open ports. Now you need to disable unnecessary applications in boot files: nvipcstart.sh. In terminal type

    vi /mnt/mtd/nvipcstart.sh

click "i" to enable editing. And comment out the following lines as below.

    if [ "$debug" == "0" ]
    then
        ulimit -s 1024
        /mvs/apps/hwwtd 3&
        #/mvs/apps/eventhub_core &
        sleep 2
        #/mvs/apps/vsipbroadcast > /dev/null &
        #/mvs/apps/as9nvserver &
        #/mvs/apps/as9updatednsip &
        sleep 1
        /mvs/apps/recorder &
        /mvs/apps/mvrtsp 1 &
        #/mvs/apps/log_server &
        #/mvs/apps/mqtt_test &

Press to exit "Shift+ ZZ" And you can reboot

i have done it and i commented out the recorder as well cuz it does produce message

filder35 commented 1 year ago

Here's more for your camera Very good Camera after a little hack to activate RTSP and ONVIF. Great picture Quality at 20fps on FullHD. Nice feature is to activate LED Flashlite on Motiondetection for Color Nightpicture.

For Hack format a sdcard to FAT32 and make file "ceshi.ini" on root with that:

    [CONST_PARAM]
    rtsp=1
    rtspaudio=1
    audio=1
    audiorec=1
    audiorecord=1
    micrec=1
    mic=1
    micrecord=1
    telnet=1
    ssh=1
    onvif=1
    web=1
    webinterface=1
    webif=1
    http=1

  1. insert Sdcard and Power on.
  2. wait for blablabla ~2-4min to System ready and works on V380 app
  3. turn sdcard out and power off again.
  4. Power on and after picture back again on V380 app now you can do:

LAN/WLAN: RTSP_TCP

    rtsp://admin:yourpassword@yourip:554/live/ch00_1 1920x1080 20fps
    rtsp://admin:yourpassword@yourip:554/live/ch00_2 1920x1080 20fps
    rtsp://admin:yourpassword@yourip:554/live/ch00_3 1920x1080 20fps
    rtsp://admin:yourpassword@yourip:554/live/ch00_0 640x480 20fps

ONVIF: http://yourip:8899/onvif/device_service

Happy use your nice IPCAM ;)

Kind regards Sofie B.

AILIFE4798 commented 1 year ago

then you can edit the file factory_const.ini

    vi /mnt/mtd/mvconf/factory_const.ini

if these lines are not there, add

    rtsp=1

or

    rtsp_enable=1

I don't know what camera you have, on different versions these lines work differently. you can add wallpaper

    reboot
    mnt/mtd/wificonf/wifi_softap.sh start

And you can try to connect to the application

this file is empty by default and is read only

AILIFE4798 commented 1 year ago

Here's more for your camera Very good Camera after a little hack to activate RTSP and ONVIF. Great picture Quality at 20fps on FullHD. Nice feature is to activate LED Flashlite on Motiondetection for Color Nightpicture.

For Hack format a sdcard to FAT32 and make file "ceshi.ini" on root with that:

    [CONST_PARAM]
    rtsp=1
    rtspaudio=1
    audio=1
    audiorec=1
    audiorecord=1
    micrec=1
    mic=1
    micrecord=1
    telnet=1
    ssh=1
    onvif=1
    web=1
    webinterface=1
    webif=1
    http=1

  1. insert Sdcard and Power on.
  2. wait for blablabla ~2-4min to System ready and works on V380 app
  3. turn sdcard out and power off again.
  4. Power on and after picture back again on V380 app now you can do:

LAN/WLAN: RTSP_TCP

    rtsp://admin:yourpassword@yourip:554/live/ch00_1 1920x1080 20fps
    rtsp://admin:yourpassword@yourip:554/live/ch00_2 1920x1080 20fps
    rtsp://admin:yourpassword@yourip:554/live/ch00_3 1920x1080 20fps
    rtsp://admin:yourpassword@yourip:554/live/ch00_0 640x480 20fps

ONVIF: http://yourip:8899/onvif/device_service

Happy use your nice IPCAM ;)

Kind regards Sofie B.

ok I'll try this instead