guino / BazzDoorbell


Meco J5 Plus - Finding the password #35

Open realroywalker opened 3 years ago

realroywalker commented 3 years ago

Hi all,

I have a Meco J5 doorbell (seems to be another spin on the same ppstrong hardware) - however this one runs using CloudEdge app (not Tuya). However, I've played around and have dumped the firmware (using #11) and it seems that it's running ppsapp etc. the same as the Tuya models. The doorbell has port 80 disabled by default, so I've used the ppsFactoryTool trick to get port 8090 open. I can connect to http://admin:056565099@:8090/devices/deviceinfo and the connection works, but the login credentials fail (they just keep popping back up). I tried Firefox and Chrome but same result, so I guess the password may be different for this unit.

Does anyone know if I might be able to find the password within the firmware dump? I've run it through binwalk and extracted the contents, but not sure where it may be buried.

trizmark commented 2 years ago

@guino The camera doesn't start without the SD card as I applied the hack from #2. I added some debug messages to initrun.sh and custom.sh and everything seems to be executed, but the camera does not connect to wifi. I even added a netstat to custom.sh and I can see ssh/telnet/www all listening. Not sure where to go from here. Should I try to revert the mod and see if the camera works that way and start over? Oh, one more thing: I think the startup sound/chime of the camera has changed. It's a different tune compared to what it was before. (Hope it's not my memory failing me 🤔)

guino commented 2 years ago

@trizmark if the startup sound changed, the camera may have gotten an update (without your permission) -- try removing the ppsapp file and the 'home' folder from the SD card and let it boot to see if it works. Regardless of working or not, check if the ppsapp in the home folder (will be recreated) is the same as the one you had before.

There are 'troubleshooting' steps to 'remove' the hack on #2 which you can use to allow the camera to start normally (without SD card). You can try that and re-apply the hack later if you wish to try, but I'd check the above first -- chances are it got an update and the old ppsapp (from SD card) may not run correctly with the new firmware and you just need to use the new one.

trizmark commented 2 years ago

@guino The changed startup tone is a red herring - it's probably my memory failing me. I removed the home folder and booted the camera, but the two ppsapp binaries have the same MD5, so there was no update. Unfortunately, the camera was only working with the ppsFactoryTool in the root, which meant no video. That is until today. I noticed that the camera is off the network. Tried rebooting it, but it no longer boots. Just get a flashing red light. Tried removing the hack, but no luck. No boot, just red flashing light. How long do I have to hold the bell button when using the ppsMmcTool? The guide says 5 seconds from power on, but I don't see it doing anything different when trying to revert the hack. Got a feeling that at this point it's ready for the bin.

guino commented 2 years ago

@trizmark if the camera booted and created the home directory but didn’t start ppsapp completely (red light) it could be something wrong with the video hardware.

If you have restored the original settings (troubleshooting steps on #2) and it is not booting then either the reversal didn’t work or there’s something wrong with the hardware.

Can you try to get a current /proc/cmdline from the device using ppsFactoryTool.txt? That would tell us the current state. Alternatively you can simply apply #13 and see if you can enable telnet (this may work even though ppsapp isn’t starting completely).

It is ppsapp that controls the led state, so if it doesn’t turn blue it means ppsapp may not be finishing the startup process but it doesn’t mean it isn’t running (ps -w Command on telnet would tell us).

The reset button on power on simply tells the device to read ppsMmcTool.txt which sets the boot command line using the env file. I think it may blink blue briefly when it is reading ppsMmcTool.txt but it may be different on some devices. When not using reset button it would probably stay red until later in the boot process. The 5 seconds is just enough time to make sure the device started to boot after power on. Anyway, the only thing to compare is boot without holding reset vs boot holding reset to see if there’s any LED status difference during the first few seconds.

You could also try using ppsFactoryTool.txt and holding reset button after it has been powered on for a few minutes to see if it can reset it back to factory state.

You are welcome to post a zip of the files you’re using to restore original boot settings and/or apply #13 and I will be happy to review.

Lastly if you changed SD cards after you originally applied the hack, there’s a chance the new SD card may not be working (during boot) to change the boot settings — most SD cards work after boot of the device but many don’t work with the boot loader (first few seconds after power on).

trizmark commented 2 years ago

@guino So, after everything was working, the first thing that went was the video stream. One morning the red light was flashing on the doorbell and it would simply not boot up properly. Managed to get it on the network using the ppsFactoryTool.txt. This meant that the camera was on the network, I was getting notifications via MQTT, but no video. Also, the RF chime was working. Day before yesterday the doorbell fell off WiFi and I have been unable to get it on the network. Tried removing the hack using the attached files on the SD card (which has not been changed and has been working fine). With the ppsMmcTool in place all I get is a solid red light. Nothing else. It sounds that the doorbell might be rebooting every 30 or so seconds, but it's still only solid red light. With ppsFactoryTool in place, the doorbell boots, but never joins WiFi. First the red light blinks slowly (boot started), then flashing frequency speeds up (WiFi connection attempt). Got a UniFi controller, but cannot see any trace of it actually trying to connect. At this point I'm not sure what else to try.

doobell_restore.zip

guino commented 2 years ago

@trizmark your files look fine. If the device isn't connecting to the wifi with ppsFactoryTool.txt the only thing you can do is try different SD cards to do the restore (using the files you just posted) -- if one SD card works the device should boot completely (at least to the point of hearing the startup sound). It would not hurt to keep the initrun.sh from #2 in the SD card just in case the hack from #2 is still installed (and hasn't been removed by your attempts). If you exhaust your SD card options I'd repartition+reformat the SD cards available and try again just to be sure. If your device is still under the warranty period I'd try to get a replacement under warranty (as the changes you have performed should have not damaged the hardware in any way -- but this is sounding like a hardware issue).

trizmark commented 2 years ago

@guino ok, I am totally embarrassed. I really should read the manual before posting stuff. I've been pressing the doorbell button instead of reset. Guess what? As soon as you start doing the right things, you end up with a working doorbell. 😭 Now that I'm back to where I started, I can try to mod the bell again!

guino commented 2 years ago

@trizmark I am just glad your device is working, hopefully you can set it up like you wanted again.

trizmark commented 2 years ago

@guino It only took 20 mins to get it back to a state I wanted. Everything is working well again. One last thing: is there a way to get a hi-res snapshot on the camera? I am using the ONVIF integration with HA and when I take a screenshot it takes 4-5 seconds. If I use the snap.cgi upon button press, the image is instantaneous, but I'm only getting a low-res pic.

guino commented 2 years ago

@trizmark Glad you got it all working. The resolution of the jpeg images is fixed by the device (hardware encoder) and are always low resolution. You can get a high-resolution snapshot using something like this https://github.com/guino/rtsp2jpeg but it will add considerable delays unless you're constantly taking snapshots. I have tried to change the code to see if I could make high-res JPG snapshots but was not successful.

pioneershahid commented 8 months ago

Folks, I am back with another query and hope someone can help me. I have the hack successfully deployed and working. I can see I have ONVIF enabled by default. I was hoping I could get the iegeek doorbell motion and button press into Home Assistant. I followed the advice and the motion and button triggers are working intermittently.

Problem: when I connect the doorbell to power, it turns on fine. It detects motion and sends a trigger to HA. However, within few seconds, it restarts and stays connected. When I try to press the button, nothing registers in the doorbell. If I restart the doorbell via telnet or power cycle it, the same thing happens again.

image

I know there is a minor issue somewhere with the code and cannot seem to comprehend what needs to be fixed. Here is the content of my SD card, please. Thank you.

https://1drv.ms/f/s!AvaxC7ZX6jaOggmn9tln0Mty74nQ?e=kiHpUN

guino commented 7 months ago

@pioneershahid "However, within few seconds, it restarts and stays connected." --> you're saying the doorbell is restarting after you get a motion trigger from the doorbell? If so, that's not normal.

The image you posted suggests you 'received' some doorbell button and motion notifications in HA? (maybe you were testing by hand)

I would advise you to do the following:

- Login via telnet
- Execute (replace user+password accordingly):

```sh
/mnt/mmc01/mosquitto_pub -h 192.168.178.36 -p 1883 -u $MQTT_USER -P $MQTT_PW -t "homeassistant/binary_sensor/doorbellMotion/state" -m ON
```

- Execute (replace user+password accordingly):

```sh
/mnt/mmc01/mosquitto_pub -h 192.168.178.36 -p 1883 -u $MQTT_USER -P $MQTT_PW -t "homeassistant/binary_sensor/doorbellButton/state" -m ON
```

The above commands should allow you to test if HA is receiving the notifications correctly and/or/if any of the above commands is causing the device to restart.

If the commands work correctly on telnet and HA receives the notifications correctly without causing the device to restart we may just need to review the output.log file -- the one on the link you posted didn't seem to have any motion/button events in it (so you'd have to create one and upload it for review).

pioneershahid commented 7 months ago

Hi @guino, Apologies for the late reply.

Yes, this is what is happening. It stays connected after it restarts. When I attempt to press the button, nothing happens.

I tested the MQTT message and the commands are sent to HA without issue. I have used the code and it is received in HA without issue. Please see the attached snip and output log. The issue appears to be on the doorbell side, I think.

output.log

image

Thanks once again for your time.

pioneershahid commented 7 months ago

@guino Just trying over again. The output of each command is as follows after placing ppsFactoryTool in the root. I hope this may help?

http://WeEyE:&$ChuTian_91@192.168.xx.xx:8090/devices/deviceinfo

{ "devname": "Smart Home Camera", "model": "Bell 5T", "serialno": "062800664", "softwareversion": "4.3.3", "hardwareversion": "BE5T_H1_V10_433", "firmwareversion": "ppstrong-c5-s_joys-4.3.3.20210122", "identity": "MR2008260201205079", "uuid": "", "licence_id": "ppscd7a7c5a949204994", "WiFi MAC": "7c:25:da:c0:a4:fc" }

http://WeEyE:&$ChuTian_91@192.168.xx.xx:8090/proc/cmdline

output as follows, mem=36M console=ttyAMA0,115200n8 mtdparts=hi_sfc:384k(bld)ro,64k(env),64k(enc)ro,64k(sysflg),3584k(sys),6656k(app),1536k(cfg),1m(recove),2880k(user),128k(oeminfo) ppsAppParts=5 ppsWatchInitEnd - ip=${T//_/$'\\x20'}:::::;T=\"sleep_5;mkdir_-p_/mnt/mmc01;mount_-t_vfat_/dev/mmcblk0p1_/mnt/mmc01;cp_/mnt/mmc01/S90PPStrong-290_/etc/init.d/S90PPStrong;/mnt/mmc01/initrun.sh&\";eval mtdparts=hi_sfc:384k(bld)ro,64k(env),64k(enc)ro,64k(sysflg),3584k(sys),6656k(app),1536k(cfg),1m(recove),2880k(user),128k(oeminfo) ppsAppParts=5 ppsWatchInitEnd

http://WeEyE:&$ChuTian_91@192.168.xx.xx:8090/proc/self/root/etc/init.d/S90PPStrong output

```sh
#!/bin/sh

export PATH=/usr/bin:/sbin/:/usr/sbin:/bin

RED=""
NORMAL=""

echo "${GREEN} 2015 PPStrong Tech Cop.Ltd.${NORMAL}"

mkdir -p /opt/pps
MTDNUM=`cat /proc/cmdline | sed 's/.*ppsAppParts=\([0-9]\).*/\1/'`

# debug
#MTDNUM=5

echo "------------->mtdnum:${MTDNUM}"

case $MTDNUM in
         5)
            mount -t cramfs /dev/mtdblock$MTDNUM /opt/pps
            break
            ;;
         7|8)
            mount -t cramfs /dev/mtdblock$MTDNUM /opt/pps
            break
            ;;
         0)     
            sleep 10
            mount -t vfat /dev/mmcblk0p1 /opt/pps
            break
            ;;
         *)
            MTDNUM=5
            mount -t cramfs /dev/mtdblock$MTDNUM /opt/pps
            ;;
esac

echo "/opt/pps/" > /tmp/PPStrong.runpath
[ -e /opt/pps/initrun.sh ] && cp /opt/pps/initrun.sh /tmp/PPStart && chmod +x /tmp/PPStart && /tmp/PPStart
```

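
The `/proc/cmdline` and `S90PPStrong` output posted above can be decoded offline to see the flash layout, which partition the init script mounts, and which SD-card files the boot line runs. This is an added example, not code from the thread or the BazzDoorbell project; the function names are made up here, and it assumes `_` in `T` stands for a space, as the `${T//_/...}` substitution in the posted line indicates.

```python
import re

# /proc/cmdline as posted in the thread above (escaping kept as it appears on the page).
CMDLINE = (
    r"""mem=36M console=ttyAMA0,115200n8 mtdparts=hi_sfc:384k(bld)ro,64k(env),"""
    r"""64k(enc)ro,64k(sysflg),3584k(sys),6656k(app),1536k(cfg),1m(recove),"""
    r"""2880k(user),128k(oeminfo) ppsAppParts=5 ppsWatchInitEnd - """
    r"""ip=${T//_/$'\\x20'}:::::;T=\"sleep_5;mkdir_-p_/mnt/mmc01;"""
    r"""mount_-t_vfat_/dev/mmcblk0p1_/mnt/mmc01;"""
    r"""cp_/mnt/mmc01/S90PPStrong-290_/etc/init.d/S90PPStrong;"""
    r"""/mnt/mmc01/initrun.sh&\";eval mtdparts=hi_sfc:384k(bld)ro,64k(env),"""
    r"""64k(enc)ro,64k(sysflg),3584k(sys),6656k(app),1536k(cfg),1m(recove),"""
    r"""2880k(user),128k(oeminfo) ppsAppParts=5 ppsWatchInitEnd"""
)
UNITS = {"k": 1024, "m": 1024 * 1024}

def parse_mtdparts(cmdline):
    """Return [(index, name, offset, size, read_only)] from the first mtdparts=."""
    spec = re.search(r"mtdparts=[^:\s]+:(\S+)", cmdline).group(1)
    parts, offset = [], 0
    for i, item in enumerate(spec.split(",")):
        size, unit, name, ro = re.fullmatch(r"(\d+)([km])\((\w+)\)(ro)?", item).groups()
        nbytes = int(size) * UNITS[unit]
        parts.append((i, name, offset, nbytes, ro == "ro"))
        offset += nbytes
    return parts

def app_mtd_number(cmdline):
    """Mirror S90PPStrong: its sed pattern is greedy, so the LAST ppsAppParts
    digit wins; with no match the script's `*)` branch falls back to 5."""
    found = re.findall(r"ppsAppParts=([0-9])", cmdline)
    return int(found[-1]) if found else 5

def embedded_commands(cmdline):
    """Decode the T="..." value: split on ';' and turn '_' back into spaces."""
    m = re.search(r'T=\\?"(.*?)\\?"', cmdline)
    return [c.replace("_", " ") for c in m.group(1).split(";") if c] if m else []

def sd_card_paths(commands, mount_point="/mnt/mmc01"):
    """Files on the SD card that the boot line copies or executes."""
    return sorted({w.rstrip("&") for c in commands for w in c.split()
                   if w.startswith(mount_point + "/")})

if __name__ == "__main__":
    for p in parse_mtdparts(CMDLINE):
        print("mtd%d %-8s offset=0x%06x size=%dk ro=%s" % (p[0], p[1], p[2], p[3] // 1024, p[4]))
    print("app partition: /dev/mtdblock%d" % app_mtd_number(CMDLINE))
    for c in embedded_commands(CMDLINE):
        print("boot runs:", c)
    print("read from SD card at boot:", sd_card_paths(embedded_commands(CMDLINE)))
```

Run against a freshly captured `/proc/cmdline`, an empty result from `embedded_commands` means the boot line no longer references the SD card.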
guino commented 7 months ago

@pioneershahid did you have to patch ppsapp ? I see one on the root of your SD card and from the output.log it looks like your device is not liking it when we kill ppsapp and run it again. I would check if this information helps you: https://github.com/guino/BazzDoorbell/wiki/%5BHow-to%5D-Use-notifications-MQTT-log_parser-without-a-patched-ppsapp-%3F

If you had to patch ppsapp then you'd have to use Dan's changes to run the patched ppsapp directly (without having to kill it first): https://github.com/DanTLehman/orion_sc008ha

pioneershahid commented 7 months ago

> @pioneershahid did you have to patch ppsapp ? I see one on the root of your SD card and from the output.log it looks like your device is not liking it when we kill ppsapp and run it again. I would check if this information helps you: https://github.com/guino/BazzDoorbell/wiki/%5BHow-to%5D-Use-notifications-MQTT-log_parser-without-a-patched-ppsapp-%3F
>
> If you had to patch ppsapp then you'd have to use Dan's changes to run the patched ppsapp directly (without having to kill it first): https://github.com/DanTLehman/orion_sc008ha

@guino No, I am not using any patched ppsapp. I followed the steps detailed in the forum mentioned in last post or start of this thread with the same result. Not sure what exactly is happening. I can send commands to HA from telnet. Whenever the button is pressed, no notification is sent. I tried over and over again several times with the same result. I restored and started all over again using https://github.com/guino/BazzDoorbell/issues/2 without any success.

guino commented 7 months ago

@pioneershahid can you post a zip of your SD card files without the SDT folder? I can review to see what's happening and what may be wrong.