guino / BazzDoorbell


Off-cloud research #4

Open jilleb opened 3 years ago

jilleb commented 3 years ago

@guino, I hope you don't mind me creating a separate issue, but I think it helps to keep the other topics on-topic and easier to read.

So let's discuss here what's what when it comes to off-cloud/offline usage of the doorbell. Currently it uses the Tuya cloud, which means the following, according to @m11tch's research

when internet connectivity is blocked:

  • you can not view recordings from tuya app, so seems to be streaming directly from SD upon request.
  • RTSP is not available. (connection refused) (will check logs later)
  • snap.cgi and mjpeg.cgi work fine
  • button press does make the "ding dong" sound, but no mqtt message is sent (will check logs later)
  • Camera still switches to night mode if dark

m11tch commented 3 years ago

Just a short update on RTSP streaming over TCP, I did some more long term testing today, device and stream are still functioning without issues after at least 5 hours of continuous streaming.. I'm probably going to mount it outside tomorrow..

btw, I think we are really just missing one more feature in "offline mode", that is the ability to "talk to the doorbell" e.g. send audio which is played by the doorbell.. but I don't really see myself using such feature anyway.. :D

jandy123 commented 3 years ago

@m11tch:

> talk to the doorbell

I think this actually works, btw.

jilleb commented 3 years ago

> but I don't really see myself using such feature anyway.. :D

Same here. No crashes! And the intercom feature... It would be nice to be able to use it from another app, or have an automated response or something 😁😁 Surveillance Station has intercom support, but I have no idea what kind of bidirectional channel is used for audio.

m11tch commented 3 years ago

> @m11tch:
>
> > talk to the doorbell
>
> I think this actually works, btw.

How? :D the tuya app offers 2 way audio, the RTSP stream is 1 way unless I am mistaken?

jandy123 commented 3 years ago

@m11tch No, you're right. Is one way.

m11tch commented 3 years ago

After some short googling, it seems that ONVIF support is needed for 2 way audio.. didn't @guino say something about ONVIF support?

Looking at Ghidra, I did find a URL related to audio:

http://192.168.2.89/media/audio/input/volume which returns:

{
    "volume":   90
}

and: http://192.168.2.89/media/audio/output/volume

{
    "volume":   50
}

other than that nothing really useful yet..

jilleb commented 3 years ago

There are onvif xml responses inside the ppsapp, but they are not being published at their default URLs

guino commented 3 years ago

it seems ppsapp 2.9.7 has onvif support (check last comments on #2) but the RTSP provided by onvif doesn't seem to work (onvif device manager) and again I don't recommend running 2.9.7 ppsapp 2.9.6 (when I tried that I bricked my device and had to restore it with a programmer).

jilleb commented 3 years ago

Maybe we should try to make a 2.9.7 version of the offline app. From the looks of it, there's (at least partial) onvif support and maybe it has some bug fixes?

m11tch commented 3 years ago

well I'm a little hesitant to upgrade, as all the functionality I'm looking for is currently working :)

jilleb commented 3 years ago

Yeah good point, don't change a winning formula 😆

jandy123 commented 3 years ago

I also do not plan to upgrade, unless there really is a good reason for it...

lesleyvanrijn commented 3 years ago

If I can provide some help with testing and provide files or logging, just let me know. I'm running 2.9.7 and as it seems it has onvif support but doesn't do much beside broadcasting.

jandy123 commented 3 years ago

@lesleyvanrijn Which device do you have exactly?

lesleyvanrijn commented 3 years ago

@jandy123 LSC Smart Doorbell, 2.9.7 // BE8S_H1_V10_433 bought from Action NL

jandy123 commented 3 years ago

@lesleyvanrijn Ok, so same device, just newer firmware. Did you upgrade from 2.9.6, or you bought it like this ?

Anyways, the good part is that apparently the device can still be hacked on 2.9.7. Question is, are there any improvements ?

jilleb commented 3 years ago

According to guino:

NOTE: This version may have RTSP available without patching at rtsp://IP:8554//Streaming/Channels/101 and rtsp://IP:8554//Streaming/Channels/102 -- try it before patching.

m11tch commented 3 years ago

I did some more reading on audio backchannel, according to the following page: http://www.happytimesoft.com/knowledge/audio-back-channel.html

an RTSP server should respond if it supports audio back channel or not.

the tuya RTSP server does not respond with "unsupported" but there is also no mention of the back channel in the response:

[image: rtsp_reply]

but it also responds with "RTSP/1.0 200 OK" if I try to access nonexistent audio channels so I guess the RTSP server is just very limited..
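
The check described in this comment, as an added example (not code from the thread or from the linked page): the client names the ONVIF backchannel feature tag in a `Require` header and the reply falls into one of three cases. The feature tag, the 551 status and the `a=sendonly` marker follow the ONVIF streaming specification; the sample replies are constructed, not captured from the doorbell.

```python
# Added example: classify an RTSP DESCRIBE reply for ONVIF audio backchannel support.
BACKCHANNEL = "www.onvif.org/ver20/backchannel"

def build_describe(url, cseq=1):
    """DESCRIBE that makes the server state whether it knows the backchannel tag."""
    return (f"DESCRIBE {url} RTSP/1.0\r\nCSeq: {cseq}\r\n"
            f"Accept: application/sdp\r\nRequire: {BACKCHANNEL}\r\n\r\n")

def parse_reply(raw):
    """Split a reply into (status code, lower-cased headers, SDP body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status, *header_lines = head.split("\r\n")
    code = int(status.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return code, headers, body

def sdp_media(body):
    """Return (media type, direction) per m= section; SDP defaults to sendrecv."""
    media = []
    for line in body.splitlines():
        if line.startswith("m="):
            media.append([line[2:].split()[0], "sendrecv"])
        elif media and line in ("a=sendonly", "a=recvonly", "a=inactive"):
            media[-1][1] = line[2:]
    return [tuple(m) for m in media]

def classify(raw):
    code, headers, body = parse_reply(raw)
    if code == 551 or BACKCHANNEL in headers.get("unsupported", ""):
        return "unsupported"   # server understood the tag and refused it
    if code == 200 and ("audio", "sendonly") in sdp_media(body):
        return "supported"     # SDP offers an audio track the client sends on
    return "ignored"           # 200 OK, but the Require header was not honoured

# Constructed sample replies (not captured from a real device).
OK_HEAD = "RTSP/1.0 200 OK\r\nCSeq: 1\r\nContent-Type: application/sdp\r\n\r\n"
SDP_ONE_WAY = "v=0\r\nm=video 0 RTP/AVP 96\r\na=recvonly\r\nm=audio 0 RTP/AVP 8\r\na=recvonly\r\n"
SDP_TWO_WAY = SDP_ONE_WAY + "m=audio 0 RTP/AVP 0\r\na=sendonly\r\n"
REPLY_IGNORED = OK_HEAD + SDP_ONE_WAY
REPLY_REFUSED = f"RTSP/1.0 551 Option not supported\r\nCSeq: 1\r\nUnsupported: {BACKCHANNEL}\r\n\r\n"
REPLY_OFFERED = OK_HEAD + SDP_TWO_WAY

if __name__ == "__main__":
    for name in ("REPLY_IGNORED", "REPLY_REFUSED", "REPLY_OFFERED"):
        print(name, "->", classify(globals()[name]))
```

The "ignored" case matches what is reported above: a 200 OK with neither an `Unsupported` header nor a send-only audio track.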

jilleb commented 3 years ago

Is this with the 2.9.6 binary or 2.9.7?

m11tch commented 3 years ago

@jilleb 2.9.6

jilleb commented 3 years ago

Maybe if we capture the dialog during an actual intercom session... I would expect they didn't code some proprietary piece of backchannel functionality, but just regular rtsp functionality.

m11tch commented 3 years ago

But, do the intercom sessions via tuya app also go over RTP/RTSP? I'm afraid they are in the HTTPS connection which we cannot intercept due to certificate pinning

jilleb commented 3 years ago

hmmmmmm, damn :-( good point. Looking at the rtsp stuff inside ppsapp, I can find most of this RTSP output, but nothing related to audio backchannels. I hope in 2.9.7 it's there, but I don't have the binary yet.

lesleyvanrijn commented 3 years ago

I've got ONVIF working on 2.9.7 (out of the box). Will make some time the upcoming days to apply offline support provided by @jandy12 for 2.9.7, with the ONVIF support enabled by default.

jandy123 commented 3 years ago

@lesleyvanrijn Great progress !

Please test the ONVIF, also the back audio channel and let us know. If you need help with the patch, let me know.

m11tch commented 3 years ago

So the doorbell currently has an up time of 22 hours, and I notice ppsapp is consuming 95% CPU, there are no RTSP streams running, so I'm not sure what is the source of this high CPU load.. @jilleb or @jandy123 are you seeing the same behaviour by any chance?

jilleb commented 3 years ago

Haven't checked it yet this morning, but it was running all night, very smoothly. I did turn off the night vision because it was causing false movement triggers whenever a car drove by and the exposure has to adjust (which took about 10 seconds!)

m11tch commented 3 years ago

hmm, it seems home-assistant does not send TEARDOWN when ending the stream, maybe this is causing some issues with the rtsp_server keeping open multiple connections.. I'll monitor it some more..

lesleyvanrijn commented 3 years ago

Made some progress, so time for an update!

Following @jandy123's instructions I've patched 2.9.7 and I'm thrilled to announce that ONVIF is working out of the box. Here's what I did:

1: Patch my original PPSAPP (obtained through the initrun.sh script) and made it offline available (first time in using Ghidra, it was fun!)
2: Skip additional RTSP modification (since ONVIF is started by default, it will start the RTSP server).
3: Added a few instructions to initrun.sh (make a backup of tuya_config.json and put my modified tuya_config.json stored on my mmc in /home/cfg/)
4: Set onvif_enable to 1 in tuya_config.json
5: Block all internet access from / to the doorbell
6: Boot and test the onvif service with admin/admin credentials

Can someone explain how to create an ips patch file?

m11tch commented 3 years ago

> Made some progress, so time for an update!
>
> Following @jandy123's instructions I've patched 2.9.7 and I'm thrilled to announce that ONVIF is working out of the box. Here's what I did:
>
> 1: Patch my original PPSAPP (obtained through the initrun.sh script) and made it offline available (first time in using Ghidra, it was fun!)
> 2: Skip additional RTSP modification (since ONVIF is started by default, it will start the RTSP server).
> 3: Added a few instructions to initrun.sh (make a backup of tuya_config.json and put my modified tuya_config.json stored on my mmc in /home/cfg/)
> 4: Set onvif_enable to 1 in tuya_config.json
> 5: Block all internet access from / to the doorbell
> 6: Boot and test the onvif service with admin/admin credentials
>
> Can someone explain how to create an ips patch file?

Nice!

@lesleyvanrijn Go to https://www.marcrobledo.com/RomPatcher.js/ Select creator mode, upload both original and patched ppsapp, this should give you the ips patch file.

Do you see anything about the audio back channel in ONVIF?

guino commented 3 years ago

@lesleyvanrijn to make ips just go to https://www.marcrobledo.com/RomPatcher.js/ and select creator mode, then select original ppsapp and patched ppsapp and it will create it for you. The same page is where you go to use the patch later too. Feel free to post the patch on the ppsapp-rtsp repository.

Edit: @m11tch beat me to it
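
What an IPS file made from an original and a patched ppsapp contains, as an added example that is not part of the thread and not RomPatcher.js code: `make_ips` assumes equal-length inputs, and a constructed byte string stands in for a real binary. `parse_ips` lists every offset a patch rewrites, which is a useful review step before applying a patch someone else posted.

```python
# Added example: create, inspect and apply an IPS patch.
def make_ips(original, patched):
    """One record per run of differing bytes; inputs must be equal length."""
    if len(original) != len(patched) or len(patched) > 0xFFFFFF:
        raise ValueError("need equal-length inputs below 16 MiB (3-byte offsets)")
    out, i, n = bytearray(b"PATCH"), 0, len(patched)
    while i < n:
        if original[i] == patched[i]:
            i += 1
            continue
        start = i
        while i < n and original[i] != patched[i] and i - start < 0xFFFE:
            i += 1
        if start == 0x454F46:  # would encode as b"EOF"; begin one byte earlier
            start -= 1
        out += start.to_bytes(3, "big") + (i - start).to_bytes(2, "big") + patched[start:i]
    return bytes(out + b"EOF")

def parse_ips(patch):
    """Return [(offset, data)]: exactly which bytes the patch rewrites."""
    if patch[:5] != b"PATCH":
        raise ValueError("not an IPS patch")
    records, pos = [], 5
    while patch[pos:pos + 3] != b"EOF":
        if pos + 5 > len(patch):
            raise ValueError("truncated IPS patch")
        offset = int.from_bytes(patch[pos:pos + 3], "big")
        size = int.from_bytes(patch[pos + 3:pos + 5], "big")
        pos += 5
        if size == 0:  # RLE record: 2-byte run length, 1-byte fill value
            run = int.from_bytes(patch[pos:pos + 2], "big")
            data, pos = patch[pos + 2:pos + 3] * run, pos + 3
        else:
            data, pos = patch[pos:pos + size], pos + size
        records.append((offset, data))
    return records

def apply_ips(original, patch):
    out = bytearray(original)
    for offset, data in parse_ips(patch):
        out.extend(bytes(max(0, offset + len(data) - len(out))))  # grow if needed
        out[offset:offset + len(data)] = data
    return bytes(out)

# Constructed stand-in for a binary and a two-site modification of it.
ORIGINAL = bytes(range(256)) * 4
PATCHED = bytearray(ORIGINAL)
PATCHED[0x10:0x12] = b"\x00\x00"
PATCHED[0x200] = 0xFF
PATCHED = bytes(PATCHED)
```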

lesleyvanrijn commented 3 years ago

Patch available for LSC doorbell with 2.9.7 at guino/ppsapp-rtsp#1

Not looked into the audio back channel yet.

lesleyvanrijn commented 3 years ago

@m11tch Do you need to configure NTPD before it will start recording videos? Perhaps I've missed something that wasn't described in @jandy123's manual to patch ppsapp, but it is not recording anymore. Or is my tuya_config.json configured incorrectly?

// tuya_config.json
{
...
   "enable_event_record": 2,
   "record_enable": 1,
...
}

m11tch commented 3 years ago

@lesleyvanrijn uhm, I actually have recording disabled at the moment.. but I believe that still worked last time I tried.. Does recording work if you allow connection to internet? if that is the case further modification of ppsapp might be needed :(

If I understood correctly, i think recording is working for @jandy123 in offline mode though..

Also motion detection turns out to be completely useless for me now it is actually hanging outside on the wall, There is a tree in frame which is moving all the time due to the wind 😂 [image]

jandy123 commented 3 years ago

@lesleyvanrijn

> Do you need to configure NTPD before it will start recording videos?

Yep, use something like /mnt/mmc01/busybox ntpd -d -q -n -p 192.53.103.108 #ptbtime1.ptb.de before starting ppsapp.

BytheWWW commented 3 years ago

@guino @lesleyvanrijn Good morning guys! I have been away this weekend so I didn't really keep up, but I read that firmware 2.9.7 has onvif on board. I went back to stock and tried the method @lesleyvanrijn commented, but I don't get the tuya config file. Do I don't need a patched PPSAPP right? Or do I use the one in the comment?

lesleyvanrijn commented 3 years ago

@jandy123 Yeah that might be a problem since I can't block specific urls in my router. Just block all internet access so reaching an external ntp server is not possible. On the other hand, updating the /etc/hosts file and point the tuyaeu.com to 127.0.0.1 might work..

@BytheWWW You could try resetting the stock PPSAPP, start telnet and vi /home/cfg/tuya_config.json to update the onvif_enable to 1. Don't open the tuya app since the stock PPSAPP might update the tuya_config.json. I'll look into the shell script, I might have missed something in copying the config file to mmc.

BytheWWW commented 3 years ago

> @BytheWWW You could try resetting the stock PPSAPP, start telnet and vi /home/cfg/tuya_config.json to update the onvif_enable to 1. Don't open the tuya app since the stock PPSAPP might update the tuya_config.json. I'll look into the shell script, I might have missed something in copying the config file to mmc.

I would love to do that, but my knowledge in telnet sessions is pretty poor so I'm not sure how to vi the file

guino commented 3 years ago

@BytheWWW if you have a chance please try this ppsapp-onvif.zip patch on your original ppsapp (use https://www.marcrobledo.com/RomPatcher.js/ to patch your original ppsapp). This only has changes to enable the onvif support on your 2.9.7 ppsapp with no other changes. You should try onvif manager and also use admin:admin (or try admin:056565099) for login and use rtsp://admin:admin@IP:8554//Streaming/Channels/101 or rtsp://admin:admin@IP:8554//Streaming/Channels/102 to test (replace IP with the IP of your camera like 192.168.x.x or whatever it is inside your home network).

lesleyvanrijn commented 3 years ago

@guino Is that the hardcoded onvif patch?

guino commented 3 years ago

@lesleyvanrijn yes, I got the original ppsapp and only patched it so it always thinks onvif_enable=1 (without needing to telnet and/or modify the json file).

lesleyvanrijn commented 3 years ago

Cool, so just the two edits you made? The function and memory patch?

guino commented 3 years ago

@lesleyvanrijn correct, only the 2 changes to force onvif_enable=1, nothing else changed (so it needs to be online).

BytheWWW commented 3 years ago

@guino I must be doing something wrogn (see what I did there :) Anyway, these are the exact steps I took:

1) Copied env, initrun, ppsmmc to the SD card - Hack says 'done'
2) Changed initrun to create PPS file
3) Patched PPS with onvif supplied
4) Added new PPS (without txt) and custom.sh file
5) Added lines in initrun (to get tuya config file which i don't think I need)
6) .... Nothing works, no config file on the SD card, no rtsp, not found in onvif manager

P.S. Rompatcher not in creator mode when patching the PPS right?

guino commented 3 years ago

@BytheWWW can you zip up these files from your mmc card and post it:

  • initrun.sh
  • custom.sh
  • ppsapp after patching (please note the original ppsapp is created in /home/app in the SD card while the patched ppsapp should be placed in the root of the SD card together with initrun.sh and custom.sh)

I should be able to verify things from that.

BytheWWW commented 3 years ago

@guino Here you go: Archive.zip

guino commented 3 years ago

@BytheWWW your files seem fine -- if you're getting 'done' on step 7 of the hack it means your hack is in place -- I assume you also got ppsapp from home/app and to apply the patch as well (another confirmation the hack is in place). Now you said you don't get a copy of the tuya_config_original.json in your SD card? If not, that would suggest you don't have the file in your device, so try this URL http://admin:056565099@IP/proc/self/root/home/cfg/tuya_config.json and post the result here (no response/blank would mean the file is not in your device). Can you also try this patch on your ppsapp: ppsapp-8555-onvif.zip

BytheWWW commented 3 years ago

@guino I'll try this in about 2 hours

BytheWWW commented 3 years ago

@guino Finally got something (with the ppsapp-8555 file)

{ "version": 1, "sleep_mode": 0, "alarm_fun_onoff": 0, "alarm_fun_sensitivity": 1, "alarm_fun_mode_switch": 0, "alarm_fun_time_start": 0, "alarm_fun_time_end": 0, "flip_onoff": 0, "light_onoff": 1, "night_mode": 0, "sound_detect_onoff": 0, "sound_detect_sensitivity": 0, "watermark_onoff": 0, "event_record_time": 60, "enable_event_record": 2, "record_enable": 1, "motion_trace": 1, "motion_area_switch": 0, "motion_area": "", "motion_tracking": 0, "cry_detection_switch": 0, "humanoid_filter": 1, "loudspeaker_vol_pct": 100, "jingle_mode": 0, "jingle_sound": 1, "jingle_volume": 100, "jingle_exist": 0, "flight_bright_mode": 0, "flight_light_brightness": 100, "flight_pir_set": 0, "flight_pir_one": 0, "flight_pir_two": 0, "flight_pir_three": 0, "flight_pir_sensitivity": 0, "flight_alarm_fun_onoff": 0, "flight_on_off": 0, "flight_pir_light_on_time": 30, "flight_warn_switch": 0, "flight_dualbrite": 0, "flight_ontime": 0, "flight_highbrightess": 10, "flight_lowbrightess": 10, "flight_mode": 0, "flight_motion_sens": 0, "onvif_enable": 0, "onvif_pwd": "admin" }

guino commented 3 years ago

@BytheWWW so you’re able to stream now or only got the json file to work?