solidssss
commented
3 years ago Thank you so much for sharing this!
At step 6 I'm getting the same text as in step 1. Not sure what I'm doing wrong.
This is what I'm getting from step 1:
mem=64M console=ttySAK0,115200n8 mtdparts=spi0.0:256k(bld)ro,64k(env)ro,64k(enc)ro,64k(sysflg)ro,2496k(sys),4608k(app),640k(cfg) ppsAppParts=5 ip=192.168.1.xx:::255.255.255.0 eth=xx:xx:xx:xx:xx:xx
Could you please take a look at my env file? Here it is ppsMmcTool.txt and initrun.sh is also on the root of the sd card. I noticed that a folder called SDT with files is also created when I boot the camera. I got a Nedis camera (WIFICI20CGY)
rkkoszewski
LouDnl
jandy123
adwiraguna
guino
lschafroth
The wires in the picture goes to diffrent motors for pan/tilting and speaker.
On the backside of the board its just some resistors, capacitors and sd-card reader. No pads.
jilleb
(Side comment you can skip -- Based on the interest in this project I went ahead and spent some more time (a lot actually) in ghidra looking at the boot loader code and managed to get the ppsMmcTool.txt file format figured out and found a way to use it to modify the boot settings in order to run a script in the SD card during boot process of the camera)
I assume the steps below can be used for any device using this PPStrong boot loader (Tuya cameras/doorbells like Geeni, Merkury, Bazz, Meari, etc).
Please check your device firmware version in the phone App OR with http://admin:056565099@192.168.x.x/devices/deviceinfo .
For 2.7.x firmware you should use the information on this project instead: https://github.com/guino/Merkury720
Special note for 2.9.0 firmware: this firmware is a bit trickier to get RTSP working (mjpeg/snap work the same), so if you have that version you need to use #13 along with the files/steps provided by @DanTLehman here: https://github.com/DanTLehman/orion_sc008ha
For 2.9.x you should be able to use the steps here or in #13 (either method should work).
Special note for 2.10.0 firmwae: This firmware (and newer) have port 80 closed by default -- so to use the http://admin:05656... links below you have to RIGHT CLICK this link: https://github.com/guino/Merkury720/raw/main/ppsFactoryTool.txt select "Save as.." and save this file to the root of the SD card. EDIT the file (avoid copy/paste the contents of it) and modify only the ssid and password as the file requires specific format to work. When the device detects the file (in the right format) it will disconnect and re-connect the wifi (to the ssid specified) and will OPEN port 80 so the http://admin:05656... links work.
Special note for 4.0.x firmwae: This firmware (and newer) have port 80 closed by default -- so to use the http://admin:05656... links below you have to RIGHT CLICK this link: https://github.com/guino/Merkury720/raw/main/ppsFactoryTool.txt select "Save as.." and save this file to the root of the SD card. EDIT the file (avoid copy/paste the contents of it) and modify only the ssid and password as the file requires specific format to work. When the device detects the file (in the right format) it will disconnect and re-connect the wifi (to the ssid specified) and will OPEN port 8090 so the http://admin:05656... links work but you have to add :8090 to every URL, for instance: http://admin:056565099@192.168.x.x:8090/devices/deviceinfo. Depending on the device you have you may need to use the information and files from https://github.com/guino/Merkury1080P#conclusion
WARNING: The process below will require a SD card with initrun.sh to always be present during power-on or the device WILL NOT BOOT. If you modify/remove this file the device may not boot. The process is always reversible but keep that in mind. You may choose to use #13 as it does not require a SD card to boot the device (it is a new/improved method).
These are the steps to hack (root) your device:
1-Verify your camera/doorbell is compatible using its local IP address (i.e. 192.168.x.x, etc) -- this is NOT the public IP displayed in the TUYA app (and likely other apps), if you're reading this there's a good chance you know how to find the IP from your router. Open a web browser and load this address: http://admin:056565099@192.168.x.x/proc/cmdline the result (kernel command line) should be something like this:
Copy/save that response (kernel command line) as we'll need it next (and also in case you want to restore original settings) -- If you get no response, or some very different response, please stop now -- chances are you're using the wrong IP or this won't work for your device (advanced users can still check/try #11 and #12) . Feel free to post your kernel command line if you have questions.
1.1 ADDENDUM-I highly recommend you get a backup of your flash memory using #11 -- there's no risk or side-effect from trying. It's better to have a backup and not need it than needing the backup and not having it.
1.2 ADDENDUM-Open this URL http://admin:056565099@ip/proc/self/root/etc/init.d/S90PPStrong and check if you have these lines:
If your MTDNUM line does not have a # in front you must use #13. If your line has # in front or you don't have that line, you can proceed with the steps below.
2-Edit the provided 'env' so it has the below contents (following details below):
VERY IMPORTANT DETAILS ABOUT THIS FILE: -The part after bootargs= should be the same as you got on step 1 (from your device) with the ppsAppParts=0 (instead of ppsAppParts=5). -The file has one single line "bootargs=..." and a new line (enter) at the end. It is a long line (on purpose) so it may show up as multiple lines in a browser so please account for it. A sample env file is attached for your conveninence. -The single line MUST have the same exact size as I posted above (924 characters + new line). Your kernel command line may be different which may require you to adjust (remove or add) to the ThankYou... text so that you match the size of the line. -There's a 0x00 (Zero character) at the end of the file -- if this is removed by your text editor (ie notepad, etc) you'll need to be sure it is there (or the process will not work). You may need to use a hex editor to change the last character to a "00" making sure there's at least a new line (0A) at the end of the line before the "00". Again the sample env file is a good reference.
3-Copy these 3 files (attached) to the root of a fat32 formatted SD card (do not place them in any 'folders'): env, ppsMmcTool.txt and initrun.sh -- MAKE SURE there's no 'upgrade.bin' file in the SD card or this could cause problems. Be sure to properly 'eject' (or unmount) the SD card before removing it from the computer.
4-Power off your device and insert the SD card with the 3 files in the SD card slot.
5-Press-and-hold the reset button, then power on the device (i.e. power wires/USB cable) and continue holding the reset button for 5 seconds after power on then let the device boot. It will take longer than usual (precisely 10 seconds longer) for it to fully boot up as that's part of the initial boot script.
6-Repeat step 1, this time your kernel command line should look like this:
(Notice how the 'ppsAppPart' is cut off at the end -- that's the intention and as long as it doesn't say ppsAppParts=n it should work)
7-Now browse to this address: http://admin:056565099@192.168.x.x/proc/self/root/tmp/hack -- it should say "done" which is the indication everything is working as designed.
8-You can now delete ppsMmcTool.txt and env files from the SD card but there's no harm leaving them there. You MUST always have initrun.sh in the SD card during boot or the device WILL NOT BOOT.
9-Download the mmc files and place them in the SD card (root directory). SEPARATELY download busybox from https://github.com/guino/BazzDoorbell/blob/master/mmc/busybox?raw=true and place it on the SD card (root directory). Your SD card should look like this:
NOTES:
-l /bin/shto thetelnetdline in custom.shIMPORTANT: The main application on the device will delete the SD card contents when free space is low so backup your files and either disable recording OR let it run the provided cleanup.cgi to prevent your files from being deleted. The last 5 lines of the custom.sh file will run cleanup.cgi once-a-day by default. You can remove the last 5 lines of custom.sh if you don't want that to run OR you can disable recording entirely by removing the # from the
#/mnt/mmc01/set record_enable 0in custom.sh. If your device/app doesn't have a motion-only recording (event recording) option you can enable it by removing the # from the line#/mnt/mmc01/set enable_event_record 1in custom.sh β there are more details here: https://github.com/guino/BazzDoorbell/issues/2#issuecomment-80811784410-For RTSP: DO NOT run a different version of ppsapp on your device or you may brick it. Your original ppsapp can be found under /home/app/ppsapp of the SD card. Please check https://github.com/guino/ppsapp-rtsp/issues/1 to see if your ppsapp has already been patched -- use the site in the first post of the link to patch your own ppsapp file (double check that the md5 matches when patching it) and place it on the root of your SD card with the name ppsapp then reboot. There's a full guide on https://github.com/guino/ppsapp-rtsp if you're computer savvy and want to try patching ppsapp yourself. I prefer that you post (create a new issue) your ppsapp (along with http://admin:056565099@192.168.x.x/devices/deviceinfo information) so I patch it than get your flash corrupted by using a corrupt/wrong ppsapp.
NOTE 1: It has also been reported that VLC for MAC has issues playing the RTSP streams from these devices (so try different devices/applications if you have issues with VLC on MAC). NOTE 2: It has also been reported that the default VLC playback is over UDP and causes the camera to use a lot of CPU/resources and causes it to reboot in about 13 minutes of viewing the RTSP feed. You can fix this by starting VLC like this:
OR you can go into VLC settings and selecting RTP over RTSP (TCP) : in 'Simple' mode click 'Tools > Preferences > Input / Codecs and select 'RTP over RTSP (TCP)' at the bottom, them click 'Save'. In 'Advanced' mode click 'Tools > Preferences > Input / Codecs > Demuxers > RTP/RTSP and select 'RTP over RTSP (TCP)' then click 'Save'
TROUBLESHOOTING / RESTORE
If you wish to 'restore' the operation of your camera with SD card (remove the 'hack'):
1-Edit/create the env file to be this:
NOTE: You should match the mem and console parameters as they were originally (step 1 of install process) and the env file must also have the new line (0x0A) and 0x00 (Zero character) at the end.
2-Copy ppsMmcTool.txt and env to the root of SD card (initrun.sh is NOT needed).
3-Follow steps 4, 5 and 6 of the install process, on step 6 the kernel command line should look like it was originally (before any changes).
If for some reason you can't get the the initrun.sh script to run please post a copy of your env file (zip format so I can verify it) and your kernel command line (before and after install attempt) so I can take a look.
If you'd like to buy me a beer/coffee in appreciation of the effort I put in to make the above possible, feel free to: http://paypal.me/wbbo cash app: $wbbo
Enjoy!
ppshack.zip