guino / LSCOutdoor1080P

Root customization of the LSC Outdoor 1080P camera and LSC Rotating 1080P cameras

Smart Solar IP Camera v4.0.117 #14

Open BmdOnline opened 6 months ago

BmdOnline commented 6 months ago

I'm trying to customize this model. 3203968_8712879161370-111_01_20240318114817_s

Connecting with Tuya Smart, the camera is v4.0.117. An upgrade to v4.0.120 is suggested. I don't install it.

What I've tried, without success :

Each time, only 6668 port is opened :

$ nmap -p- 192.168.0.155
Starting Nmap 7.94 ( https://nmap.org ) at 2024-05-20 00:26 CEST
Nmap scan report for 192.168.0.155
Host is up (0.041s latency).
Not shown: 65534 closed tcp ports (conn-refused)
PORT     STATE SERVICE
6668/tcp open  irc

Nmap done: 1 IP address (1 host up) scanned in 13.59 seconds

I'm using a Sandisk 64Gb, FAT32 MicroSD. Each time "DCIM" folder is created on the card, so it doesn't seem to be related to the card.

I don't know what else to do for the moment. I will try to open the camera, but I don't know how to do without damaging it.

BmdOnline commented 6 months ago


I've successfully opened the cam. We have two sets of GND/TX/RX pins. I've checked they're not linked. I will try both of them and see what happens.

BmdOnline commented 6 months ago

I got results with the GND/RX/TX on the bottom left.

Ver:20220425-T31ZC

vol=>60
curr pir sens:2
curr dev volume:8 

spk_vol:45
func switch 0x4
[tuya] night mode:0   night_mode:0
low_power_value:10
[tuya] low_power_value 10 
reconnect times:0;
[1B][m[-][ INFO][ZRT_WIFI_Get_Config][428] get ssid:(removed) pwd:(removed)
[1B][m[1B][m[-][ INFO][cadc_open][41] adc open success.
[1B][madc:239
[-][ INFO][system][243] echo 59 > /sys/class/gpio/export, ret: 0, target: 127.0.0.1:58878
[-][ INFO][system][243] echo out > /sys/class/gpio/gpio59/direction, ret: 0, target: 127.0.0.1:48597
[-][ INFO][system][243] echo 0 > /sys/class/gpio/gpio59/value, ret: 0, target: 127.0.0.1:34384
auto
chn[0] 264
chn[1] 264
chn->0,r:1.000000, b=1152
chn->1,r:1.000000, b=480
jpg:0, 0
snap_delay 2
[1B][1;32;40mINFO(jzdl): jzdl version:1.4.0(00010400_4e61bfb)  built:20230907-1222(4.7.2 c)[1B][0m
[1B][m[-][ INFO][hal_init_slip][853] chn 0 set horizontal and vertical flip.
[1B][m[1B][1;32;40mINFO(persondet): Ingenic DL PersonDet Promotion Version:0.0.3(00000003_111fcc8)  built:20231102-2000(4.7.2 simd)[1B][0m
param frameWidth: 640 frameHeight: 360  sense: -1 score: 0.400000 detdist: 1 ptime: 1 count: 0 mod: 1 enable_perm: 0 enable_move: 0 track_mode: 0 observation_period: 0 active_count: 0 move_scale: 1.000000
warn: shm_init,53shm init already
[1B][m[-][ INFO][__uart_rev_process][920] battery:b 6a = 2922, fxg:04, rtc:19,t:9746
[1B][mAA hwinfo.battery=100 

cur adc 2922.000000 

[1B][m[-][ INFO][hal_ai_start][328] ai start success.
[1B][mwarn: shm_init,53shm init already
[__sensor_process] line:1841
rtc_cnt=5
[frame_pooling_thread--419 Channel:1 ]:1126(ms)
[IMP_Encoder_GetStream_Impl--2558 Channel:1 ]:1129(ms)
[1B][m[-][ INFO][hal_ao_start][288] ao start success.
[1B][m[1B][m[-][ INFO][mdevinfo_set_timezone][335] set timezone [8][CST-08:00]
[1B][maac_len=2
15 88 

Init aac encoder success :AAC max_out_buffer_len[768], input_pcm_frame_len[2048]
[1B][m[-][ INFO][__uart_rev_process][920] battery:b 5d = 2909, fxg:33, rtc:19,t:9747
[1B][mAA hwinfo.battery=100 

cur adc 2909.000000 

>power on<
audio_ready=1, cnt=0
[1B][m[-][ INFO][maudio_change_mode][217] change audio mode -1->0.
[1B][m[1B][m[-][ INFO][__uart_rev_process][920] battery:b 5e = 2910, fxg:30, rtc:7e,t:9747
[1B][mAA hwinfo.battery=100 

cur adc 2910.000000 

[1B][m[-][ INFO][_speak_process][74] start play audio:/system/voice/power_on(1).
[1B][m[1B][m[-][ INFO][hal_ao_set_volume][440] set volume 45
[1B][m[1B][m[-][ INFO][ZRT_WIFI_Get_Config][428] get ssid:(removed) pwd:(removed)
[1B][m[_led_process] line:377 pir,红灯亮1秒
[1B][m[-][ INFO][__uart_rev_process][920] battery:b 5e = 2910, fxg:30, rtc:7e,t:9747
[1B][mAA hwinfo.battery=100 

cur adc 2910.000000 

===value:218.[night<200, day>250]
[1B][m[-][ INFO][sample_change_daynight][2005] turn day mode.
[1B][m[1B][m[-][ INFO][hal_gpio_cut_readlight][139] cut flag:0
[1B][mbiao debug msnapshot_get_file 40 

person_detect_switch = 1 

[frame_pooling_thread--419 Channel:0 ]:1593(ms)
[IMP_Encoder_GetStream_Impl--2558 Channel:5 ]:1597(ms)
[IMP_Encoder_GetStream_Impl--2558 Channel:0 ]:1608(ms)
snap file size:7518 limit:102400
snapshot file  end!
len:7518, snap ok.
_person_detect_handle 740 w=640 h360 

[1B][m[-][ INFO][zrt_wifi_set_sleep][3058] set wlc hostsleep 0
[1B][m[1B][m[-][ INFO][zrt_wifi_set_pm_mode][3102] wlc pm 0
[1B][m[1B][m[-][ INFO][zrt_wifi_set_deepsleep][3066] set wlc deepsleep 0
[1B][m[1B][m[-][ INFO][bcmwlan_get_wakeup_flag][2071] wlc wowl_wakeind 0
[1B][m[1B][m[-][ INFO][bcmwlan_get_wakeup_flag][2073] wlc wowl_wakeind clear
[1B][m[1B][m[-][ INFO][bcmwlan_get_wakeup_flag][2071] wlc wowl_wakeind 0
[1B][m[1B][m[-][ INFO][bcmwlan_get_wakeup_flag][2073] wlc wowl_wakeind clear
[1B][m[1B][m[-][ INFO][ZRT_CAM_Show_Wakeup_Source][1164] wifi wakeup flag: 0
[1B][m[1B][m[-][ INFO][ZRT_WIFI_Get_Config][428] get ssid:(removed) pwd:(removed)
[1B][m[1B][m[-][ INFO][mnet_init][1275] wifi config ready, get config.
[1B][m[1B][m[-][ INFO][set_wifi_status][90] WIFI_CONNECTING
[1B][m[1B][m[-][ INFO][wlc_checkstatus][1004] x
[1B][m[1B][m[-][ INFO][set_wifi_status][90] WIFI_CONNECTING
[1B][m[1B][m[-][ INFO][ZRT_WIFI_Get_Config][428] get ssid:(removed) pwd:(removed)
[1B][m[1B][m[-][ INFO][ZRT_WIFI_Get_Config][428] get ssid:(removed) pwd:(removed)
[1B][m[_led_process] line:384 pir,红灯灭,蓝灯亮1
[1B][m[-][ INFO][__uart_rev_process][920] battery:b 5f = 2911, fxg:31, rtc:7e,t:9747
[1B][mAA hwinfo.battery=100 

cur adc 2911.000000 

adc_val_avg 2910, max 2922,min 2909
Setting up swapspace version 1, size = 16773120 bytes
UUID=eb2c7587-1246-42de-8485-0a484a5b6368
[-][ INFO][system][243] touch /tmp/battery_ready, ret: 0, target: 127.0.0.1:60625
bat_adc_dg2=100
count: 0
person detect time: 882ms

person_detect_switch = 1 

_person_detect_handle 740 w=640 h360 

count: 0
person detect time: 458ms

person_detect_switch = 1 

_person_detect_handle 740 w=640 h360 

[1B][m[-][ INFO][ZRT_WIFI_Fast_Connect][698] ssid=(removed) mac:b8:ec:a3:dc:fa:2e channel=6, signal=-60
[1B][m[1B][m[-][ INFO][wifi_join_ap][2690] wifi(1) join ap ssid:(removed) pwd:(removed) auth:00400004
[1B][m[1B][m[-][ INFO][wlc_wowl_status][1741] status of wakeup: 0x0
[1B][m[1B][m[-][ INFO][bcmwlan_join_ap_specific][1571] start join (removed).
[1B][m[1B][m[-][ INFO][bcmwlan_join_ap_specific][1593] try scan and join ap: (removed)
[1B][m[1B][m[-][ INFO][ZRT_WIFI_Get_Config][428] get ssid:(removed) pwd:(removed)
[1B][m[_led_process] line:384 pir,红灯灭,蓝灯亮2
count: 0
person detect time: 702ms

person_detect_switch = 1 

_person_detect_handle 740 w=640 h360 
(and so on...)

When SDCard is inserted I have some lines like this

curr sd total:62336000 used:0 empty:62336000 

log_lxh_dbg01
curr sd_status:1 

[tuya_ipc_sd_get_status] line:147   curr sd_status:2 total:60875

sd capacity: total: 62336272 KB, used 64 KB, free 62336208 KB
[1B][m[-][ INFO][_storage_init_process][395] found store dev /dev/mmcblk0.

Interesting readings, sometimes

Show arguments:
  create=false
  update=true
  tag_path=/dev/mtdblock1
  cmdline=
  sensor_init=
  env=senv;[HW];init_vw=1920;init_vh=1080;nrvbs=2;mode=0;[SDK];fmode=0;[WIFI];SSID2=47616c617830;PASS2=575041304f5349524953;MAC=b8:ec:a3:dc:fa:2e;IP=192.168.0.155;CHANNEL=0;DNS1=192.168.0.1;IPSERVER=0.0.0.0;IPMASK=255.255.255.0;GATEWAY=192.168.0.1;LEASETIME=86400;dhcpc_ip_addr=192.168.0.155;dhcpc_ip_mask=255.255.255.0;dhcpc_gateway=192.168.0.1;dhcpc_dns_server=192.168.0.1;dhcpc_lease_time=86400;eenv;
  g_bootinfo=
  g_fwinfo=

MQTT ?

[1B][m[-][ INFO][_get_ip][18] local address 192.168.0.155:59521
[1B][m[1B][m[-][ INFO][_get_ip][24] server address 3.120.92.134:1883
[1B][m[1B][m[-][ INFO][mnet_scrab_start][331] svr ip:3.120.92.134 port:1883
[1B][mscrab start ok

key.cfg ?

[1B][0;32;31m[-][ERROR][muart_get_key][202] open key.cfg error!

I don't know how to access any bootloader or anything else. I just have logs. I don't see anything referring to /mnt, sdcard, reading / writing.

mihovilkolaric commented 6 months ago

Hi,

I am fighting with the same device, also without any success so far, also only port 6668:

Nmap scan report for 10.42.0.240
Host is up (0.045s latency).
Not shown: 999 closed ports
PORT     STATE SERVICE
6668/tcp open  irc

I performed the update to 4.0.120 (as I had issues on my WIFI on 4.0.117, and also could not convince the camera to record to the MicroSD-Card) - but the update neither helped with those issues, nor did it change anything with regard to the rooting options I tried so far.

After the update, I found an update.bin on the Micro-SD: update.bin.zip but could not find anything useful yet (using binwalk).

So far I tried:

Unfortunately, I have no programmer, so I can't provide any flash-dump.

Any other hints how I could further analyze?

mihovilkolaric commented 6 months ago

BTW: placing a file _ak39_factory.ini on the SD-Card does not lead to the effect described in https://github.com/guino/Merkury1080P/issues/42#issuecomment-1278036051 .

BmdOnline commented 6 months ago

I've ordered a CH341A programmer, I will try to dump the firmware when I receive it. Without desoldering the chip (like this) if it works.

mihovilkolaric commented 6 months ago

I might give it a try with an arduino - but I have no clue yet how to open the camera without damaging it. Do you have any hints?

BmdOnline commented 6 months ago

Remove the screw near the SD card. Then pull gently around the front of the camera. Use a thin accessory that won't scratch. Possibly with your fingernails 😉 The black side should start to emerge from the white frame. Watch out for the cable used to connect the speaker.

guino commented 5 months ago

@mihovilkolaric the update file you posted seems to have 'part' of the root file system, but it doesn't seem to include the main application running on the device, settings or startup scripts. So there's not much we can do with it. If you do get a full flash dump I can take a look when I have a chance.

Getting into the bootloader should just be a matter of powering on (or power cycling) the device while you're connected to the RX/TX pins and pressing a key to stop the boot process and enter the bootloader. Many devices do have this disabled (it will boot no matter what you press), others have a password (it will ask for a password when you press something), and others just go right into the bootloader -- only way to know is trying.

BmdOnline commented 5 months ago

When I press any key, I can interact, but the input is mixed with log output. It's difficult to deal with. I have to keep the camera connected to Tuya to prevent it from suspending.

Zeratul login: [1B][m[-][ INFO][set_wifi_status][96] WIFI_CONNECTED
[1B][m===value:169.[night<200, day>250]
[tuya_ipc_sd_get_status] line:147   curr sd_status:2 total:60875

count: 0
person detect time: 789ms

person_detect_switch = 1 
(...)

root
Password: [1B][m[tuya_ipc_sd_get_status] line:147   curr sd_status:2 total:60875

count: 0
person detect time: 790ms
(...)

dgiot010

count: 0
person detect time: 511ms

person_detect_switch = 1 

_person_detect_handle 740 w=640 h360 

(...)
Login incorrect

Then cleaned :

Zeratul login:
root (echoed)
Password:
dgiot010 (not echoed)
Login incorrect

I've tried passwords dgiot010, telnet and root without success.

I will receive CH341A programmer soon. I hope I can dump flash without desoldering.

guino commented 5 months ago

I emailed you with information based on the log you provided, but just for future reference (to anyone else looking at this issue), the logs seem to indicate that this camera is not running Linux, likely it is running RTOS, meaning: a hardware programmer is the only option to make any modifications, and they would be very time consuming and limited to what's already compiled in the main application.

BmdOnline commented 5 months ago

I have received my CH341A programmer and dumped entire flash : (link removed due to privacy data stored in the flash. sorry)

mihovilkolaric commented 5 months ago

@BmdOnline glad to read that you managed to get a flash-dump! (I tried with flashrom on a raspberry pi, but as I have no SOP8-Clip (and bad soldering skills), the results were not stable/reproducible).

However, also with your dump, binwalk seems to recognize a lot of linux-related stuff, but - as for the update.bin posted earlier, it fails to extract a "full" root-filesystem.

binwalk -e XMC.bin 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
29048         0x7178          CRC32 polynomial table, little endian
30468         0x7704          LZO compressed data
31288         0x7A38          LZO compressed data
202000        0x31510         CRC32 polynomial table, little endian
206248        0x325A8         LZO compressed data
209836        0x333AC         Android bootimg, kernel size: 0 bytes, kernel addr: 0x70657250, ramdisk size: 543519329 bytes, ramdisk addr: 0x6E72656B, product name: "mem boot start"
622592        0x98000         uImage header, header size: 64 bytes, header CRC: 0x1A3A734D, created: 2023-11-22 06:28:42, image size: 5226788 bytes, Data Address: 0x80010000, Entry Point: 0x803CDE70, data CRC: 0xA7939E61, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: none, image name: "Linux-3.10.14-Archon"
2327946       0x23858A        bix header, header size: 64 bytes, header CRC: 0x628E0400, created: 2031-03-22 02:20:47, image size: 1048576 bytes, Data Address: 0x50A40000, Entry Point: 0x628E0400, data CRC: 0x73260000, image name: ""
3752610       0x3942A2        PGP RSA encrypted session key - keyid: 822CC2 401020 RSA (Encrypt or Sign) 1024b
4591776       0x4610A0        Linux kernel version 3.10.1
4657616       0x4711D0        DES SP2, little endian
4658128       0x4713D0        DES SP1, little endian
4676064       0x4759E0        LZO compressed data
4726848       0x482040        CRC32 polynomial table, little endian
5052572       0x4D189C        xz compressed data
5277248       0x508640        CRC32 polynomial table, little endian
5483462       0x53ABC6        PARity archive data - file number 21057
5844156       0x592CBC        ASCII cpio archive (SVR4 with no CRC), file name: "dev", file name length: "0x00000004", file size: "0x00000000"
5844272       0x592D30        ASCII cpio archive (SVR4 with no CRC), file name: "dev/console", file name length: "0x0000000C", file size: "0x00000000"
5844396       0x592DAC        ASCII cpio archive (SVR4 with no CRC), file name: "root", file name length: "0x00000005", file size: "0x00000000"
5844512       0x592E20        ASCII cpio archive (SVR4 with no CRC), file name: "TRAILER!!!", file name length: "0x0000000B", file size: "0x00000000"
7260836       0x6ECAA4        mcrypt 2.5 encrypted data, algorithm: "-=", keysize: 11527 bytes, mode: "=",
8825076       0x86A8F4        Unix path: /var/lib/jenkins/workspace/Release_IPC_SDK/src/tuya_ipc_sdk/ai_detect_storage(x
8852370       0x871392        Unix path: /var/lib/jenkins/workspace/Release_IPC_SDK/src/tuya_iot_sdk/wifi_cfg_serv/ez_mc.c
8877037       0x8773ED        AES Inverse S-Box
8888152       0x879F58        Certificate in DER format (x509 v3), header length: 4, sequence length: 1998
8901279       0x87D29F        AES S-Box
8907262       0x87E9FE        SHA256 hash constants, little endian
8932186       0x884B5A        AES Inverse S-Box
8932442       0x884C5A        AES S-Box
9115411       0x8B1713        Copyright string: "Copyright (C) 2J"
9171891       0x8BF3B3        ELF, 32-bit LSB processor-specific, ("")
9499250       0x90F272        Unix path: /sys/class/gpio/export
9539057       0x918DF1        mcrypt 2.5 encrypted data, algorithm: "^", keysize: 3934 bytes, mode: " ",
11069460      0xA8E814        mcrypt 2.5 encrypted data, algorithm: "", keysize: 26905 bytes, mode: "o",
12156928      0xB98000        uImage header, header size: 64 bytes, header CRC: 0xBA260EE2, created: 2021-08-07 09:15:35, image size: 2087483 bytes, Data Address: 0x80010000, Entry Point: 0x802EB500, data CRC: 0x247FD390, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: "Linux-3.10.14-Immortal"
12156992      0xB98040        LZMA compressed data, properties: 0x5D, dictionary size: 67108864 bytes, uncompressed size: -1 bytes
14778368      0xE18000        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 1155118 bytes, 52 inodes, blocksize: 131072 bytes, created: 2023-11-26 07:45:12
16252928      0xF80000        JFFS2 filesystem, little endian

@guino with this new information given - do you still think it is RTOS, or are the chances that it is a linux? The few extracted files at least look like linux ELF-binaries:

squashfs-root/bin/logcat: ELF 32-bit LSB executable, MIPS, MIPS32 rel2 version 1 (SYSV), dynamically linked, interpreter /lib/ld-uClibc.so.0, stripped

BmdOnline commented 5 months ago

@mihovilkolaric, I've removed my dump because it contains privacy data in it. 😞 @guino, I can mail you access to the dump.

mihovilkolaric commented 5 months ago

Good news!

Unblob succeeded in extracting the root-filesystem. app_init.sh looks promising.

gtxaspec commented 5 months ago

hi, if you guys need more info on this platform, you can join us here: https://discord.gg/xDmqS944zr we are experienced ingenic developers from the thingino project. have fun!

mihovilkolaric commented 5 months ago

Short update: The camera executes a shellscript called other.sh when it is placed on the root-folder of the MicroSD-card. With the path /tmp/mnt/sdcard/ you can access the SD-Card itself, and copy stuff from the "running filesystem" to the card.

E.g. the /etc/shadow looks like this:

root:dY6MT354.O2K.:0:0:root:/:/bin/sh

guino commented 5 months ago

@mihovilkolaric did you try to start a telnet server from that other.sh script ? may need to put a mips busybox on the SD card to try and run telnetd from it.

guino commented 5 months ago

@BmdOnline @guino with this new information given - do you still think it is RTOS, or are the chances that it is a linux? The few extracted files at least look like linux ELF-binaries:

The logs I had seen didn't show anything indicating Linux, but the dump seems to show it's Linux. I asked @BmdOnline for a copy of the dump so I can take a look too.

mihovilkolaric commented 5 months ago

@guino yes, I was able to start a telnetd (at least according to ps and netstat). But until now I did all my tests with a factory-reset camera, so I could not try to connect. This is the script I used: other.sh.txt And this is the output it produced: myhack.log.txt (needed to rename both files to .txt as github neither allows .sh, nor .log)

Next step is to connect my cam to a WIFI, and see whether telnetd still starts.

BmdOnline commented 5 months ago

I asked @BmdOnline for a copy of the dump so I can take a look too.

@guino I sent you a link today. Have you received it?

mihovilkolaric commented 5 months ago

@guino , @BmdOnline : Also after connecting to WIFI, the other.sh is executed. So I replaced /etc/passwd and /etc/shadow with a version containing the hash from https://github.com/guino/LSCOutdoor1080P?tab=readme-ov-file#root-access and afterwards start telnetd.

The first two connection-attempts with user root password telnet did not work (camera closed the connection)

$ telnet 10.0.0.9
Trying 10.0.0.9...
Connected to 10.0.0.9.
Escape character is '^]'.

Zeratul login: root
Password: Connection closed by foreign host.

but then it worked:

$ telnet 10.0.0.9
Trying 10.0.0.9...
Connected to 10.0.0.9.
Escape character is '^]'.

Zeratul login: root
Password: 
Hello Zeratul!
[root@Zeratul:~]# 

So, the camera is now rooted!

BmdOnline commented 5 months ago

Can you provide a working package ?

mihovilkolaric commented 5 months ago

Sure. Extract root_v1.zip to the SD-card, and boot with the card inserted.

mihovilkolaric commented 5 months ago

Now that we have root-access - does anyone know how to enable motion-detection + recording to SD-Card? (This is actually the reason why I started the investigation).

I guess it has to do with these files:

[root@Zeratul:tuya]# cat tuya_sd_record_on_off
1[root@Zeratul:tuya]# cat tuya_sd_record_mode
0[root@Zeratul:tuya]#

but changing them has no effect, and after a reboot they are reset to the default.

BmdOnline commented 5 months ago

And how to enable rtsp stream...

BmdOnline commented 5 months ago

@mihovilkolaric, I'm trying to reproduce your work, but I'm not familiar with binwalk and unblob. How are you extracting the root partition:

5844396       0x592DAC        ASCII cpio archive (SVR4 with no CRC), file name: "root", file name length: "0x00000005", file size: "0x00000000"

mihovilkolaric commented 5 months ago

basically I just called $ unblob XMC.bin which outputs

╭───────────────────────────────────────────────────────────────────────────────────────────────────── unblob (24.4.5) ─────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ Extracted files: 75                                                                                                                                                                                                       │
│ Extracted directories: 38                                                                                                                                                                                                 │
│ Extracted links: 147                                                                                                                                                                                                      │
│ Extraction directory size: 24.17 MB                                                                                                                                                                                       │
│ Chunks identification ratio: 33.79%                                                                                                                                                                                       │
╰───────────────────────────────────────────────────────────────────────────────────────────────────────── Summary ─────────────────────────────────────────────────────────────────────────────────────────────────────────╯
            Chunks distribution             
┏━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━┳━━━━━━━━┓
┃ Chunk type          ┃   Size    ┃ Ratio  ┃
┡━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━╇━━━━━━━━┩
│ UNKNOWN             │ 15.69 MB  │ 66.21% │
│ CPIO_PORTABLE_ASCII │  2.27 MB  │ 9.58%  │
│ LZMA                │  1.99 MB  │ 8.40%  │
│ ELF32               │  1.84 MB  │ 7.77%  │
│ SQUASHFS_V4_LE      │  1.11 MB  │ 4.66%  │
│ JFFS2_NEW           │ 512.00 KB │ 2.11%  │
│ PADDING             │ 308.00 KB │ 1.27%  │
│ LZO                 │ 917.00 B  │ 0.00%  │
└─────────────────────┴───────────┴────────┘
               Encountered errors                
┏━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Severity         ┃ Name                       ┃
┡━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩
│ Severity.WARNING │ ExtractCommandFailedReport │
└──────────────────┴────────────────────────────┘

and creates a directory XMC.bin_extract/ and a lot of sub-folders, one of it being the root-filesystem.

BmdOnline commented 5 months ago

Okay, I just have python issues. Will upgrade and try unblob.

BTW, root is working, but I have to keep camera connected (tuya app launched with camera preview) to prevent power sleep.

Thanks.

guino commented 5 months ago

@BmdOnline I have never seen any of the 'linux' devices sleep before, I have heard of the battery operated devices having an automatic sleep to reduce power consumption.

Are you guys able to execute anything like ls -laR / or ps -w to identify the main application file ?

gtxaspec commented 5 months ago

the platform you guys are working with is the Ingenic "Zeratul" battery platform, pretty common in the battery ip-cam world on the T series platforms... the way it works, there's typically an external MCU controlling power to the SoC, and reading motion input from something like a PIR sensor. When there's no motion, after a timeout the MCU will physically power down the SoC. There are 2 different processor architectures built in to the SoC. RISC-V, and MIPS. The RISC-V core will perform sensor and ISP initialization as soon as motion is detected, while the linux core boots up, and then takes over.

BmdOnline commented 5 months ago

the platform you guys are working with is the Ingenic "Zeratul" battery platform, pretty common in the battery ip-cam world on the T series platforms... the way it works, theres typically an external MCU controlling power to the SoC, and reading motion input from something like a PIR sensor. When theres no motion, after a timeout the MCU will physically power down the SoC. Theres 2 different processor architectures built in to the SoC. RISC-V, and MIPS. The RISC-V core will perform sensor and ISP initialization as soon as motion is detected, while the linux core boots up, and then takes over.

Yes, it was something like this. When motion is detected (pir sensor) or if tuya app is streaming video, camera stays online. If not, it goes into deep sleep. Linux restarts on each motion detection, reconnect wifi, and so on.

@gtxaspec, how thingino-firmware can help ? @guino, I'm not sure you're receiving my emails ? Have you downloaded my flash dump ? I've mailed you a link yesterday.

gtxaspec commented 5 months ago

So far we don't support the battery powered zeratul platform, it's complex to support since each different vendor can and do use different microcontrollers in their respective designs. But we do have extensive documentation in case anyone wants to try and adapt and or create their own implementation.

mihovilkolaric commented 5 months ago

@guino: both ps

[root@Zeratul:~]# ps -w
  PID USER       VSZ STAT COMMAND
    1 root      1440 S    {linuxrc} init
    2 root         0 SW   [kthreadd]
    3 root         0 SW   [ksoftirqd/0]
    4 root         0 SW   [kworker/0:0]
    5 root         0 SW<  [kworker/0:0H]
    6 root         0 SW   [kworker/u2:0]
    7 root         0 SW   [rcu_preempt]
    8 root         0 SW   [rcu_bh]
    9 root         0 SW   [rcu_sched]
   10 root         0 SW   [watchdog/0]
   11 root         0 SW<  [khelper]
   12 root         0 SW<  [writeback]
   13 root         0 SW<  [bioset]
   14 root         0 SW<  [kblockd]
   15 root         0 SW   [irq/37-isp-m0]
   16 root         0 SW   [irq/38-isp-w02]
   17 root         0 SW   [kworker/u2:1]
   20 root         0 DW   [isp_fw_process]
   21 root         0 SW   [kworker/0:1]
   22 root         0 SW<  [cfg80211]
   23 root         0 SW   [kswapd0]
   24 root         0 SW   [fsnotify_mark]
   25 root         0 SW<  [crypto]
   39 root         0 SW<  [deferwq]
   40 root         0 SW   [kworker/0:2]
   86 root         0 SWN  [jffs2_gcd_mtd6]
   88 root         0 SW<  [kworker/0:1H]
   89 root         0 SW   [kworker/0:3]
   90 root      1732 S    /usr/bin/alps
   91 root      414m S    /stone/main
  118 root         0 SW   [kworker/u2:2]
  128 root         0 SW   [wl_event_handle]
  129 root         0 SW   [dhd_watchdog_th]
  130 root         0 SW   [dhd_dpc]
  131 root         0 SW   [dhd_rxf]
  152 root         0 SW   [wl_event_handle]
  187 root      1432 S    {mem_free.sh} /bin/sh /usr/bin/mem_free.sh
  237 root         0 SW   [mmcqd/0]
  339 root      1432 S    telnetd
  359 root      1440 S    /sbin/getty -L console 115200 vt100
 1082 root      1452 S    -sh
 2517 root      1424 S    sleep 3
 2533 root      1432 R    ps -w

and netstat

[root@Zeratul:~]# netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:6668            0.0.0.0:*               LISTEN      91/main
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      339/telnetd
netstat: /proc/net/tcp6: No such file or directory
udp        0      0 127.0.0.1:9097          0.0.0.0:*                           90/alps
udp        0      0 0.0.0.0:46767           0.0.0.0:*                           91/main
udp        0      0 10.0.0.9:54723          0.0.0.0:*                           91/main
udp        0      0 0.0.0.0:43486           0.0.0.0:*                           91/main
udp        0      0 127.0.0.1:41711         0.0.0.0:*                           91/main
udp        0      0 0.0.0.0:42750           0.0.0.0:*                           91/main
netstat: /proc/net/udp6: No such file or directory

show two interesting processes: alps and main.

You can find /usr/bin/alps in the mail I sent you yesterday - the interesting thing about "main" is, that it does not exist (on /stone/main) - the directory /stone/ is empty:

[root@Zeratul:~]# cat /proc/91/cmdline 
[root@Zeratul:~]# ls -al /stone/
drwxrwxrwx    2 1000     1000             0 Jun  1 18:06 .
drwxrwxrwx   19 1000     1000             0 Jun  2 00:07 ..
[root@Zeratul:~]#

also lsof states that /stone/main is deleted:

[root@Zeratul:~]# lsof 
1       /bin/busybox    /dev/console
1       /bin/busybox    /dev/console
1       /bin/busybox    /dev/console
90      /usr/bin/alps   /dev/null
90      /usr/bin/alps   /dev/console
90      /usr/bin/alps   /dev/console
90      /usr/bin/alps   socket:[449]
91      /stone/main (deleted)   /dev/null
91      /stone/main (deleted)   /dev/console
91      /stone/main (deleted)   /dev/console
91      /stone/main (deleted)   /dev/urandom
91      /stone/main (deleted)   /dev/watchdog
91      /stone/main (deleted)   /dev/ttyS1
91      /stone/main (deleted)   /dev/jz_adc_aux_0
91      /stone/main (deleted)   /dev/log_main
91      /stone/main (deleted)   /dev/tx-isp
91      /stone/main (deleted)   /dev/rmem
91      /stone/main (deleted)   /dev/shm/imp_deubg_shm
91      /stone/main (deleted)   /dev/avpu
91      /stone/main (deleted)   /dev/isp-m0
91      /stone/main (deleted)   /dev/mem
91      /stone/main (deleted)   anon_inode:[eventfd]
91      /stone/main (deleted)   anon_inode:[eventfd]
91      /stone/main (deleted)   anon_inode:[eventfd]
91      /stone/main (deleted)   /dev/framechan1
91      /stone/main (deleted)   /dev/framechan0
91      /stone/main (deleted)   /dev/dsp
91      /stone/main (deleted)   /dev/ipu
91      /stone/main (deleted)   /dev/dsp
91      /stone/main (deleted)   /config/tuya/tuya_enckey.db
91      /stone/main (deleted)   /config/tuya/tuya_user.db
91      /stone/main (deleted)   /config/tuya/log_seq_stat
91      /stone/main (deleted)   anon_inode:[eventpoll]
91      /stone/main (deleted)   socket:[502]
91      /stone/main (deleted)   socket:[506]
91      /stone/main (deleted)   anon_inode:[eventpoll]
91      /stone/main (deleted)   pipe:[509]
91      /stone/main (deleted)   pipe:[509]
91      /stone/main (deleted)   pipe:[510]
91      /stone/main (deleted)   pipe:[510]
91      /stone/main (deleted)   anon_inode:[eventfd]
91      /stone/main (deleted)   pipe:[516]
91      /stone/main (deleted)   pipe:[516]
91      /stone/main (deleted)   anon_inode:[eventfd]
91      /stone/main (deleted)   socket:[517]
91      /stone/main (deleted)   socket:[518]
91      /stone/main (deleted)   socket:[528]
91      /stone/main (deleted)   socket:[526]
91      /stone/main (deleted)   socket:[548]
91      /stone/main (deleted)   /dev/null
91      /stone/main (deleted)   socket:[530]
91      /stone/main (deleted)   socket:[549]
187     /bin/busybox    /dev/null
187     /bin/busybox    /dev/console
187     /bin/busybox    /dev/console
187     /bin/busybox    /usr/bin/mem_free.sh
339     /bin/busybox    /dev/null
339     /bin/busybox    /dev/null
339     /bin/busybox    /dev/null
339     /bin/busybox    socket:[813]
339     /bin/busybox    socket:[885]
339     /bin/busybox    /dev/ptmx
359     /bin/busybox    /dev/console
359     /bin/busybox    /dev/console
359     /bin/busybox    /dev/console
1082    /bin/busybox    /dev/pts/0
1082    /bin/busybox    /dev/pts/0
1082    /bin/busybox    /dev/pts/0
1082    /bin/busybox    /dev/tty
8855    /bin/busybox    /dev/null
8855    /bin/busybox    /dev/console
8855    /bin/busybox    /dev/console
[root@Zeratul:~]#

I have no idea where this /stone/main comes from, resp. why it vanishes after starting ...

I can send you ls -laR tomorrow, when I have physical access to the SD-Card - but in yesterday's mail you can find a copy of most folders.

mihovilkolaric commented 5 months ago

btw, dmesg reports:

[root@Zeratul:~]# dmesg 
[    0.000000] Initializing cgroup subsys cpu
[    0.000000] Initializing cgroup subsys cpuacct
[    0.000000] Linux version 3.10.14-Archon (biao@ubuntu) (gcc version 4.7.2 (Ingenic r2.3.3 2016.12) ) #17 PREEMPT Wed Nov 22 14:28:41 CST 2023
[    0.000000] CPU0 RESET ERROR PC:D2C3289D
[    0.000000] CPU0 revision is: 00d00100 (Ingenic Xburst)
[    0.000000] FPU revision is: 00b70000
[    0.000000] cgu_get_rate, parent = 1104000000, rate = 0, m = 0, n = 0, reg val = 0x081000ff
[    0.000000] cgu_get_rate, parent = 1104000000, rate = 0, m = 0, n = 0, reg val = 0x081000ff
[    0.000000] CCLK:1104MHz L2CLK:552Mhz H0CLK:200MHz H2CLK:200Mhz PCLK:100Mhz
[    0.000000] Determined physical RAM map:
[    0.000000]  memory: 004ce000 @ 00010000 (usable)
[    0.000000]  memory: 00032000 @ 004de000 (usable after init)
[    0.000000] User-defined physical RAM map:
[    0.000000]  memory: 02800000 @ 00000000 (usable)
[    0.000000] Initial ramdisk at: 0x80600000 (13278208 bytes)
[    0.000000] Zone ranges:
[    0.000000]   Normal   [mem 0x00000000-0x027fffff]
[    0.000000] Movable zone start for each node
[    0.000000] Early memory node ranges
[    0.000000]   node   0: [mem 0x00000000-0x027fffff]
[    0.000000] On node 0 totalpages: 10240
[    0.000000] free_area_init_node: node 0, pgdat 804dd4f0, node_mem_map 812ab000
[    0.000000]   Normal zone: 80 pages used for memmap
[    0.000000]   Normal zone: 0 pages reserved
[    0.000000]   Normal zone: 10240 pages, LIFO batch:1
[    0.000000] Primary instruction cache 32kB, 8-way, VIPT, linesize 32 bytes.
[    0.000000] Primary data cache 32kB, 8-way, VIPT, no aliases, linesize 32 bytes
[    0.000000] pls check processor_id[0x00d00100],sc_jz not support!
[    0.000000] MIPS secondary cache 128kB, 8-way, linesize 32 bytes.
[    0.000000] pcpu-alloc: s0 r0 d32768 u32768 alloc=1*32768
[    0.000000] pcpu-alloc: [0] 0 
[    0.000000] Built 1 zonelists in Zone order, mobility grouping off.  Total pages: 10160
[    0.000000] Kernel command line: console=ttyS0,115200n8 mem=40M@0x0 rmem=24M@0x2800000 root=/dev/ram0 rw rdinit=/linuxrc mtdparts=jz_sfc:256K(boot),352K(tag),5M(kernel),6M(rootfs),2560K(recovery),1440K(system),512K(config),16M@0(all) lpj=6955008 quiet senv;[HW];init_vw=1920;init_vh=1080;nrvbs=2;mode=0;[SDK];fmode=0;[WIFI];SSID2=**********;PASS2=****************;MAC=************;IP=10.0.0.9;CHANNEL=0;DNS1=10.0.0.138;IPSERVER=0.0.0.0;IPMASK=255.255.255.0;GATEWAY=10.0.0.138;LEASETIME=86400;dhcpc_ip_addr=10.0.0.9;dhcpc_ip_mask=255.255.255.0;dhcpc_gateway=10.0.0.138;dhcpc_dns_server=10.0.0.138;dhcpc_lease_time=86400;eenv; lzo_size=5917331 rd_start=0x80600000 rd_size=0xca9c00
[    0.000000] ir_switch_parse mode: 2 threshold min:2000 max:2500
[    0.000000] ir_switch_parse width:1920 height:1080 nrvbs:2
[    0.000000] ir_switch_parse hight framerate mode change num:5
[    0.000000] ir_switch_parse dayEv:0 nightEv:0 coeff:0 wbr:0 wbb:0
[    0.000000] Sensor Calibration Mode:0
[    0.000000] PID hash table entries: 256 (order: -2, 1024 bytes)
[    0.000000] Dentry cache hash table entries: 8192 (order: 3, 32768 bytes)
[    0.000000] Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)
[    0.000000] Memory: 21240k/40960k available (3867k kernel code, 19720k reserved, 1051k data, 200k init, 0k highmem)
[    0.000000] SLUB: HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
[    0.000000] Preemptible hierarchical RCU implementation.
[    0.000000] NR_IRQS:358
[    0.000000] clockevents_config_and_register success.
[    0.000018] Calibrating delay loop (skipped) preset value.. 1391.00 BogoMIPS (lpj=6955008)
[    0.000030] pid_max: default: 32768 minimum: 301
[    0.000236] Mount-cache hash table entries: 512
[    0.000747] Initializing cgroup subsys debug
[    0.000772] Initializing cgroup subsys freezer
[    0.002756] NET: Registered protocol family 16
[    0.003172] register process exit failed.
[    0.012704] bio: create slab <bio-0> at 0
[    0.014404] jz-dma jz-dma: JZ SoC DMA initialized
[    0.014756] media: Linux media interface: v0.10
[    0.014810] Linux video capture interface: v2.00
[    0.014835] TTFF tx_isp_riscv_hf_prepare:240 tx_isp_stop_riscv start:400
[    0.014845] AE Para ADDR = a3700000 HEAD:3aca3aca SENSOR:3aca3aca
[    0.014859] Current sensor again:986331842 isp gain:986331850 inttime:986331850 luma:986329794 ev:2977
[    0.014867] Current awb rgain:986329794 bgain:986331850
[    0.014874] Riscv frame count:986331850
[    0.014879] Tuning mode is:1
[    0.014937] isp_memopt = 0
[    0.014977] isp_ch0_pre_dequeue_time = 0
[    0.015150] wait stable.[289][cgu_isp]
[    0.015504] isp_ch0_pre_dequeue_valid_lines = 900
[    0.015517] isp_isp_ch0_pre_dequeue_interrupt_process = 0
[    0.015742] @@@@ tx-isp-probe ok(version H20220209a), compiler date=Mar 23 2022 @@@@@
[    0.016256] probe ok ------->jxf37p
[    0.016279] jxf37p chip found @ 0x40 (i2c0)
[    0.016285] sensor driver version H20231024a
[    0.016630] Calibration ADDR = a3830000
[    0.022153] Calibration len = 159736
[    0.022220] Calibration len = 159736
[    0.022232] Load Sensor Setting DATE:calibration mode 0 MD5:calibration crc 4018056183
[    0.022239] Calibration len = 159736
[    0.100020] NCU: size = 4685424  paddr = 0x2800000
[    0.100053] isp_core_tuning_switch_day_or_night is day:0
[    0.101470] jxf37p stream on
[    0.102002] Loop Count:30 Discard Frame:ffff0000
[    0.102018] TTFF frame_channel_fast_start 111 W:1920 H:1080 N:2
[    0.103822] Switching to clocksource jz_clocksource
[    0.104393] NET: Registered protocol family 2
[    0.104826] TCP established hash table entries: 512 (order: 0, 4096 bytes)
[    0.104853] TCP bind hash table entries: 512 (order: -1, 2048 bytes)
[    0.104869] TCP: Hash tables configured (established 512 bind 512)
[    0.104927] TCP: reno registered
[    0.104940] UDP hash table entries: 256 (order: 0, 4096 bytes)
[    0.104962] UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
[    0.105210] NET: Registered protocol family 1
[    0.105496] Trying to unpack rootfs image as initramfs...
[    0.110117] cfg80211: Calling CRDA to update world regulatory domain
[    0.135355] TTFF isp_vic_interrupt_service_routine:898 Chn:0  Frame  Start:521
[    0.168682] TTFF isp_vic_interrupt_service_routine:898 Chn:0  Frame  Start:554
[    0.208814] Freeing initrd memory: 12964K (80600000 - 812a9000)
[    0.209076] freq_udelay_jiffys[0].max_num = 10
[    0.209083] cpufreq  udelay  loops_per_jiffy 
[    0.209090] 12000     75597   75597  
[    0.209096] 24000     151195  151195 
[    0.209102] 60000     377989  377989 
[    0.209108] 120000    755979  755979 
[    0.209114] 200000    1259965         1259965        
[    0.209120] 300000    1889947         1889947        
[    0.209127] 600000    3779895         3779895        
[    0.209133] 792000    4989462         4989462        
[    0.209139] 1008000   6350224         6350224        
[    0.209145] 1200000   7559791         7559791        
[    0.213272] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[    0.213290] jffs2: version 2.2. (NAND) (SUMMARY)  © 2001-2006 Red Hat, Inc.
[    0.213533] msgmni has been set to 66
[    0.214792] io scheduler noop registered
[    0.214938] io scheduler cfq registered (default)
[    0.215510] jz-uart.0: ttyS0 at MMIO 0x10030000 (irq = 59) is a uart0
[    0.217298] console [ttyS0] enabled
[    0.217423] jz-uart.1: ttyS1 at MMIO 0x10031000 (irq = 58) is a uart1
[    0.218373] brd: module loaded
[    0.218819] loop: module loaded
[    0.219275] zram: Created 2 device(s) ...
[    0.219348] logger: created 256K log 'log_main'
[    0.219843] jz SADC driver registeres over!
[    0.220744] jz TCU driver register completed
[    0.221047] tun: Universal TUN/TAP device driver, 1.6
[    0.221057] tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
[    0.221116] i2c /dev entries driver
[    0.221459] jz_codec_register: probe() successful!
[    0.221514] codec_fast_start init
[    0.221662] cgu_set_rate, parent = 1104000000, rate = 2048000, n = 8625, reg val = 0x010021b1
[    0.221674] cgu_enable,cgu_i2s_spk reg val = 0x210021b1
[    0.221696] cgu_set_rate, parent = 1104000000, rate = 2048000, n = 8625, reg val = 0x010021b1
[    0.221704] cgu_enable,cgu_i2s_mic reg val = 0x210021b1
[    0.221716] codec_codec_ctl ignore init codec
[    0.222077] dma dma0chan24: Channel 24 have been requested.(phy id 7,type 0x06 desc a1218000)
[    0.222551] dma dma0chan25: Channel 25 have been requested.(phy id 6,type 0x06 desc a1219000)
[    0.223037] dma dma0chan26: Channel 26 have been requested.(phy id 5,type 0x04 desc a121a000)
[    0.223536] TCP: cubic registered
[    0.223559] NET: Registered protocol family 17
[    0.224440] input: gpio-keys as /devices/platform/gpio-keys/input/input0
[    0.226708] Freeing unused kernel memory: 200K (804de000 - 80510000)
[    0.235350] TTFF isp_vic_interrupt_service_routine:898 Chn:0  Frame  Start:621
[    0.302018] TTFF isp_vic_interrupt_service_routine:898 Chn:0  Frame  Start:688
[    0.320136] jz_sfc Build : Oct 12 2023 10:18:33
[    0.320258] wait stable.[289][cgu_ssi]
[    0.323170] the id code = 204018, the flash name is XM25QH128C
[    0.323192] the flash->board_info->quad_mode = 6b
[    0.323198] JZ SFC Controller for SFC channel 0 driver register
[    0.323226] 8 cmdlinepart partitions found on MTD device jz_sfc
[    0.323234] Creating 8 MTD partitions on "jz_sfc":
[    0.323250] 0x000000000000-0x000000040000 : "boot"
[    0.336032] 0x000000040000-0x000000098000 : "tag"
[    0.345627] 0x000000098000-0x000000598000 : "kernel"
[    0.355052] 0x000000598000-0x000000b98000 : "rootfs"
[    0.364455] 0x000000b98000-0x000000e18000 : "recovery"
[    0.368686] TTFF isp_vic_interrupt_service_routine:898 Chn:0  Frame  Start:754
[    0.374724] 0x000000e18000-0x000000f80000 : "system"
[    0.385676] 0x000000f80000-0x000001000000 : "config"
[    0.396568] 0x000000000000-0x000001000000 : "all"
[    0.408892] SPI NOR MTD LOAD OK
[    0.408944] [lxh-debug] protect = 00
[    0.408950] flash can rw
[    0.435353] TTFF isp_vic_interrupt_service_routine:898 Chn:0  Frame  Start:821
[    0.502013] TTFF isp_vic_interrupt_service_routine:898 Chn:0  Frame  Start:888
[    0.503934] jzmmc_v1.2 jzmmc_v1.2.0: register success!
[    0.504017] ------------[ cut here ]------------
[    0.504046] WARNING: at drivers/gpio/gpiolib.c:126 gpio_to_desc+0x48/0x58()
[    0.504091] invalid GPIO -1
[    0.504102] Modules linked in: jzmmc(+) mmc_core jz_sfc
[    0.504124] CPU: 0 PID: 99 Comm: insmod Not tainted 3.10.14-Archon #17
[    0.504131] Stack : 00000000 8003f588 00000000 10001c01 00000000 00000000 00000000 00000000
[    0.504131]    00000000 00000000 80522dca 0000003a 81ff9cd8 82067700 00000000 00000000
[    0.504131]    00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[    0.504131]    00000000 00000000 00000000 00000000 00000000 806b3b00 806b3b3c 804375cc
[    0.504131]    804881a7 80040db4 80522dc8 804375cc 00000000 00000063 81ff9cd8 806b3ab0
[    0.504131]    ...
[    0.504224] Call Trace:
[    0.504236] [<8002253c>] show_stack+0x64/0x7c
[    0.504252] [<803d17b8>] dump_stack+0x20/0x2c
[    0.504266] [<8003c818>] warn_slowpath_common+0x78/0xa8
[    0.504282] [<8003c8d0>] warn_slowpath_fmt+0x2c/0x38
[    0.504292] [<801c8d74>] gpio_to_desc+0x48/0x58
[    0.504299] 
[    0.504306] ---[ end trace 54f4a4a1571bdde3 ]---
[    0.504312] gpiod_request: invalid GPIO
[    0.523910] wait stable.[289][cgu_msc1]
[    0.543946] jzmmc_v1.2 jzmmc_v1.2.1: register success!
[    0.568684] TTFF isp_vic_interrupt_service_routine:898 Chn:0  Frame  Start:954
[    0.581450] dhd_module_init in
[    0.581472] ======== bcm_wlan_set_plat_data ========
[    0.581480] host_oob_irq: 125 
[    0.581486] host_oob_irq_flags=0x414
[    0.581513] Power-up adapter 'DHD generic adapter'
[    0.585218] wifi_platform_set_power = 1
[    0.585240] ======== PULL WL_REG_ON HIGH! ========
[    0.585247] ------------[ cut here ]------------
[    0.585269] WARNING: at drivers/gpio/gpiolib.c:126 gpio_to_desc+0x48/0x58()
[    0.585275] invalid GPIO -1
[    0.585287] Modules linked in: cywdhd(+) jzmmc mmc_core jz_sfc
[    0.585312] CPU: 0 PID: 108 Comm: insmod Tainted: G        W    3.10.14-Archon #17
[    0.585347] Stack : 00000000 8003f588 00000000 10001c01 00000000 00000000 00000000 00000000
[    0.585347]    00000000 00000000 80522dca 00000046 81f50898 c0270000 00000000 00000000
[    0.585347]    00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[    0.585347]    00000000 00000000 00000000 00000000 00000000 807e5b00 807e5be4 804375cc
[    0.585347]    804881a7 80040db4 80522dc8 804375cc 00000000 0000006c 81f50898 807e5b58
[    0.585347]    ...
[    0.585437] Call Trace:
[    0.585449] [<8002253c>] show_stack+0x64/0x7c
[    0.585471] [<803d17b8>] dump_stack+0x20/0x2c
[    0.585485] [<8003c818>] warn_slowpath_common+0x78/0xa8
[    0.585496] [<8003c8d0>] warn_slowpath_fmt+0x2c/0x38
[    0.585506] [<801c8d74>] gpio_to_desc+0x48/0x58
[    0.585513] 
[    0.585525] ---[ end trace 54f4a4a1571bdde4 ]---
[    0.585532] gpiod_direction_output: invalid GPIO
[    0.585539] wifi_platform_bus_enumerate device present 1
[    0.585545] ======== Card detection to detect SDIO card! ========
[    0.585672] skip sdio reset
[    0.585706] mmc1: new SDIO card at address 0001
[    0.618744] F1 signature read @0x18000000=0x1541a9a6
[    0.618984] F1 signature OK, socitype:0x1 chip:0xa9a6 rev:0x0 pkg:0x3
[    0.619284] DHD: dongle ram size is set to 524288(orig 524288) at 0x0
[    0.619320] wifi_platform_prealloc: failed to alloc static mem section 7
[    0.626168] wl_create_event_handler(): thread:wl_event_handler:7e started
[    0.626292] CFG80211-ERROR) wl_event_handler : tsk Enter, tsk = 0x809e1360
[    0.629152] dhd_attach(): thread:dhd_watchdog_thread:7f started
[    0.630893] dhd_attach(): thread:dhd_dpc:80 started
[    0.632795] dhd_attach(): thread:dhd_rxf:81 started
[    0.632828] dhd_deferred_work_init: work queue initialized 
[    0.633092] skip download FW and nv
[    0.633335] dhd_bus_init: enable 0x06, ready 0x06 (waited 0us)
[    0.633754] hostsleep: cmd = 263, hostsleep_val = 0, buf = hostsleep
[    0.634513] dhd_wl_ioctl: clear hostsleep
[    0.635342] TTFF isp_vic_interrupt_service_routine:898 Chn:0  Frame  Start:1021
[    0.635530] Dongle Host Driver, version 1.363.125.7 (r)
[    0.635530] Compiled in drivers/net/wireless/cywdhd on Feb 20 2019 at 22:45:39
[    0.642362] Register interface [wlan0]  MAC: a8:41:f4:b1:17:37
[    0.642362] 
[    0.646772] dhd_module_init out
[    0.661536] MACEVENT: WLC_E_IF 54, MAC a8:41:f4:b1:17:37, status 0, reason 0, auth 0
[    0.663755] CFG80211-ERROR) wl_update_wiphybands : error reading vhtmode (-23)
[    0.677768] wl_create_event_handler(): thread:wl_event_handler:8c started
[    0.679769] CFG80211-ERROR) wl_event_handler : tsk Enter, tsk = 0x809e1360
[    0.702013] TTFF isp_vic_interrupt_service_routine:898 Chn:0  Frame  Start:1087
[    0.704291] codec_codec_ctl: set sample rate...
[    0.704498] codec_codec_ctl: set device...
[    0.704505] codec_set_device ignore codec_set_buildin_mic
[    0.734293] TTFF frame_channel_buffer_done:297 Chn:1 Buf:0 Write Done:1120
[    0.739844] codec_codec_ctl: set repaly channel...
[    0.739866] codec_codec_ctl: set sample rate...
[    0.739935] codec_codec_ctl: set device...
[    0.739942] codec_set_device ignore codec_set_speaker
[    0.753921] jzmmc_v1.2 jzmmc_v1.2.0: card inserted, state=0
[    0.763882] speak init complate
[    0.768679] TTFF isp_vic_interrupt_service_routine:898 Chn:0  Frame  Start:1154
[    0.773894] codec init complate
[    0.773979] codec_fast_start done
[    0.793601] hostsleep: cmd = 263, hostsleep_val = 0, buf = hostsleep
[    0.794093] dhd_wl_ioctl: clear hostsleep
[    0.795981] MACEVENT: WLC_E_IF 54, MAC a8:41:f4:b1:17:37, status 0, reason 0, auth 0
[    0.797531] exFAT: file-system version 2.2.0-3arter97
[    0.801024] TTFF frame_channel_buffer_done:297 Chn:1 Buf:1 Write Done:1187
[    0.822400] zram0: detected capacity change from 0 to 16777216
[    0.835348] TTFF isp_vic_interrupt_service_routine:898 Chn:0  Frame  Start:1221
[    0.837985] Adding 16380k swap on /dev/zram0.  Priority:-1 extents:1 across:16380k SS
[    0.867670] TTFF frame_channel_buffer_done:297 Chn:1 Buf:0 Write Done:1253
[    0.902031] TTFF isp_vic_interrupt_service_routine:898 Chn:0  Frame  Start:1287
[    0.934289] TTFF frame_channel_buffer_done:297 Chn:1 Buf:1 Write Done:1320
[    0.968679] TTFF isp_vic_interrupt_service_routine:898 Chn:0  Frame  Start:1354
[    1.001003] TTFF frame_channel_buffer_done:297 Chn:1 Buf:0 Write Done:1386
[    1.035348] TTFF isp_vic_interrupt_service_routine:898 Chn:0  Frame  Start:1421
[    1.067658] TTFF frame_channel_buffer_done:297 Chn:1 Buf:1 Write Done:1453
[    1.102013] TTFF isp_vic_interrupt_service_routine:898 Chn:0  Frame  Start:1487
[    1.134335] TTFF frame_channel_buffer_done:297 Chn:1 Buf:0 Write Done:1520
[    1.201024] TTFF frame_channel_buffer_done:297 Chn:0 Buf:0 Write Done:1586
[    1.201050] TTFF frame_channel_buffer_done:297 Chn:1 Buf:1 Write Done:1586
[    1.267680] TTFF frame_channel_buffer_done:297 Chn:0 Buf:1 Write Done:1653
[    1.267706] TTFF frame_channel_buffer_done:297 Chn:1 Buf:0 Write Done:1653
[    1.400761] Discard Frame Recovery
[    1.805318] jzmmc_v1.2 jzmmc_v1.2.0: err1 cmd=52 arg=00000c00 iflg=00002204 imask=fffffdfb status=1f000942
[    1.817188] jzmmc_v1.2 jzmmc_v1.2.0: err1 cmd=52 arg=00000c00 iflg=00002204 imask=fffffdfb status=1f000942
[    1.828383] jzmmc_v1.2 jzmmc_v1.2.0: err1 cmd=52 arg=00000c00 iflg=00002204 imask=fffffdfb status=1f000942
[    1.839531] jzmmc_v1.2 jzmmc_v1.2.0: err1 cmd=52 arg=00000c00 iflg=00002204 imask=fffffdfb status=1f000942
[    1.850700] jzmmc_v1.2 jzmmc_v1.2.0: err1 cmd=52 arg=00000c00 iflg=00002204 imask=fffffdfb status=1f000942
[    1.861893] jzmmc_v1.2 jzmmc_v1.2.0: err1 cmd=52 arg=00000c00 iflg=00002204 imask=fffffdfb status=1f000942
[    1.873041] jzmmc_v1.2 jzmmc_v1.2.0: err1 cmd=52 arg=00000c00 iflg=00002204 imask=fffffdfb status=1f000942
[    1.884174] jzmmc_v1.2 jzmmc_v1.2.0: err1 cmd=52 arg=00000c00 iflg=00002204 imask=fffffdfb status=1f000942
[    1.895344] jzmmc_v1.2 jzmmc_v1.2.0: err1 cmd=52 arg=00000c00 iflg=00002204 imask=fffffdfb status=1f000942
[    1.906487] jzmmc_v1.2 jzmmc_v1.2.0: err1 cmd=52 arg=00000c00 iflg=00002204 imask=fffffdfb status=1f000942
[    1.917648] jzmmc_v1.2 jzmmc_v1.2.0: err1 cmd=52 arg=00000c00 iflg=00002204 imask=fffffdfb status=1f000942
[    1.928816] jzmmc_v1.2 jzmmc_v1.2.0: err1 cmd=52 arg=80000c08 iflg=00002204 imask=fffffdfb status=1f000942
[    1.939983] jzmmc_v1.2 jzmmc_v1.2.0: err1 cmd=52 arg=80000c08 iflg=00002204 imask=fffffdfb status=1f000942
[    1.951808] jzmmc_v1.2 jzmmc_v1.2.0: err1 cmd=52 arg=80000c08 iflg=00002204 imask=fffffdfb status=1f000942
[    1.963003] jzmmc_v1.2 jzmmc_v1.2.0: err1 cmd=52 arg=80000c08 iflg=00002204 imask=fffffdfb status=1f000942
[    1.974159] jzmmc_v1.2 jzmmc_v1.2.0: err1 cmd=52 arg=80000c08 iflg=00002204 imask=fffffdfb status=1f000942
[    1.985392] jzmmc_v1.2 jzmmc_v1.2.0: err1 cmd=52 arg=80000c08 iflg=00002204 imask=fffffdfb status=1f000942
[    1.996566] jzmmc_v1.2 jzmmc_v1.2.0: err1 cmd=52 arg=80000c08 iflg=00002204 imask=fffffdfb status=1f000942
[    2.007760] jzmmc_v1.2 jzmmc_v1.2.0: err1 cmd=52 arg=80000c08 iflg=00002204 imask=fffffdfb status=1f000942
[    2.018985] jzmmc_v1.2 jzmmc_v1.2.0: err1 cmd=52 arg=80000c08 iflg=00002204 imask=fffffdfb status=1f000942
[    2.030129] jzmmc_v1.2 jzmmc_v1.2.0: err1 cmd=52 arg=80000c08 iflg=00002204 imask=fffffdfb status=1f000942
[    2.041291] jzmmc_v1.2 jzmmc_v1.2.0: err1 cmd=52 arg=80000c08 iflg=00002204 imask=fffffdfb status=1f000942
[    2.220068] mmc0: new high speed SDHC card at address e624
[    2.227411] mmcblk0: mmc0:e624 SU04G 3.69 GiB 
[    2.246430]  mmcblk0: p1
[    2.504828] FAT-fs (mmcblk0p1): Volume was not properly unmounted. Some data may be corrupt. Please run fsck.
[root@Zeratul:~]#

(just anonymized SSID, passwd (they were in hex?) and MAC (plaintext))
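
Added example (not part of the thread or of the project's code): a Python check that the `mtdparts=` string on the kernel command line above produces the same offsets the kernel logs under "Creating 8 MTD partitions", and that slices a named partition out of a whole-flash image. The function names are assumptions of this example; the sample strings are copied from the dmesg output above.

```python
"""Parse the kernel's mtdparts= argument and cross-check it against dmesg."""
import re

# Copied from the kernel command line and the MTD lines of the dmesg output
# quoted in this thread (the Wi-Fi environment block is left out).
CMDLINE = (
    "console=ttyS0,115200n8 mem=40M@0x0 rmem=24M@0x2800000 root=/dev/ram0 rw "
    "rdinit=/linuxrc mtdparts=jz_sfc:256K(boot),352K(tag),5M(kernel),"
    "6M(rootfs),2560K(recovery),1440K(system),512K(config),16M@0(all) "
    "lpj=6955008 quiet"
)
DMESG = """\
[    0.323250] 0x000000000000-0x000000040000 : "boot"
[    0.336032] 0x000000040000-0x000000098000 : "tag"
[    0.345627] 0x000000098000-0x000000598000 : "kernel"
[    0.355052] 0x000000598000-0x000000b98000 : "rootfs"
[    0.364455] 0x000000b98000-0x000000e18000 : "recovery"
[    0.368686] TTFF isp_vic_interrupt_service_routine:898 Chn:0  Frame  Start:754
[    0.374724] 0x000000e18000-0x000000f80000 : "system"
[    0.385676] 0x000000f80000-0x000001000000 : "config"
[    0.396568] 0x000000000000-0x000001000000 : "all"
"""

_UNIT = {"": 1, "k": 1 << 10, "m": 1 << 20, "g": 1 << 30}
# <size>[@<offset>][(<name>)][ro][lk]; size may be "-" for "rest of the flash".
_PARTDEF = re.compile(
    r"(?P<size>-|0x[0-9a-fA-F]+|\d+)(?P<su>[kKmMgG]?)"
    r"(?:@(?P<off>0x[0-9a-fA-F]+|\d+)(?P<ou>[kKmMgG]?))?"
    r"(?:\((?P<name>[^)]+)\))?(?:ro|lk)*"
)
_DMESG_PART = re.compile(r'0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+) : "([^"]+)"')


def _num(digits, unit):
    return int(digits, 0) * _UNIT[unit.lower()]


def parse_mtdparts(cmdline, flash_size=None):
    """Return (mtd_id, partitions) for the first device in mtdparts=."""
    arg = next((a for a in cmdline.split() if a.startswith("mtdparts=")), None)
    if arg is None:
        raise ValueError("no mtdparts= argument found")
    mtd_id, _, defs = arg[len("mtdparts="):].split(";")[0].partition(":")
    parts, cursor = [], 0
    for index, partdef in enumerate(defs.split(",")):
        m = _PARTDEF.fullmatch(partdef)
        if m is None:
            raise ValueError(f"malformed partition definition: {partdef!r}")
        # Without an explicit @offset a partition starts where the last one ended.
        start = _num(m["off"], m["ou"]) if m["off"] else cursor
        if m["size"] == "-":
            if flash_size is None:
                raise ValueError("'-' size needs flash_size")
            end = flash_size
        else:
            end = start + _num(m["size"], m["su"])
        if end <= start:
            raise ValueError(f"empty partition: {partdef!r}")
        parts.append({"name": m["name"] or f"Partition_{index:03d}",
                      "start": start, "end": end})
        cursor = end
    return mtd_id, parts


def parse_dmesg_partitions(log):
    """Extract the partitions the kernel reports it actually created."""
    return [{"name": name, "start": int(lo, 16), "end": int(hi, 16)}
            for lo, hi, name in _DMESG_PART.findall(log)]


def mismatches(expected, observed):
    """Names whose range differs between command line and dmesg, or is missing."""
    seen = {p["name"]: p for p in observed}
    wanted = {p["name"]: p for p in expected}
    return sorted(n for n in wanted.keys() | seen.keys()
                  if wanted.get(n) != seen.get(n))


def overlapping(parts):
    """Pairs of partition names whose byte ranges intersect."""
    return [(a["name"], b["name"])
            for i, a in enumerate(parts) for b in parts[i + 1:]
            if a["start"] < b["end"] and b["start"] < a["end"]]


def carve(image, part):
    """Slice one partition out of a whole-flash image such as the "all" dump."""
    if len(image) < part["end"]:
        raise ValueError(f"image too short for {part['name']}")
    return image[part["start"]:part["end"]]


if __name__ == "__main__":
    mtd_id, parts = parse_mtdparts(CMDLINE)
    for p in parts:
        print(f"{mtd_id} {p['name']:<9} 0x{p['start']:08x}-0x{p['end']:08x} "
              f"{p['end'] - p['start']:>9} bytes")
    print("differs from dmesg:", mismatches(parts, parse_dmesg_partitions(DMESG)))
    print("overlaps:", overlapping(parts))
```

Because "all" spans 0x0 to 0x1000000, a single dump of that partition contains every other one, so `carve()` can split it offline.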

mihovilkolaric commented 5 months ago

@gtxaspec : that's interesting. Do you have any idea how the app is able to wake up the linux-core? Do MCU and linux-core share the same WIFI?

gtxaspec commented 5 months ago

in the designs we've seen, the microcontroller can be standalone, or built-in to the WiFi module, it depends on the design of the logic board.

it's not so much of an "app" waking up the linux core, but the design of the firmware built into the soc.

  1. power on
  2. both cores start up
  3. risc-v starts up quick ( sub 300 ms )
  4. risc-v initializes ISP while the linux core boots.

BmdOnline commented 5 months ago

Other useful information:

[root@Zeratul:bin]# uname -a
Linux Zeratul 3.10.14-Archon #17 PREEMPT Wed Nov 22 14:28:41 CST 2023 mips GNU/Linux
[root@Zeratul:~]# env
USER=root
TRANSFER_MODE=IIC
LD_LIBRARY_PATH=/system/lib:/usr/lib
OLDPWD=/usr
HOME=/
SENSOR=jxf37
CALLBACK_SCRIPT=
PS1=[\u@\h:\W]#
LOGNAME=root
TERM=vt102
PATH=/system/bin:/bin:/sbin:/usr/bin:/usr/sbin
SOC_TYPE=SOC_T31Z
SHELL=/bin/sh
PRODUCT_MODE=SINGLE
PWD=/
[root@Zeratul:~]# mount
rootfs on / type rootfs (rw)
proc on /proc type proc (rw,relatime)
devpts on /dev/pts type devpts (rw,relatime,gid=5,mode=620,ptmxmode=000)
tmpfs on /dev/shm type tmpfs (rw,relatime,mode=777)
sysfs on /sys type sysfs (rw,relatime)
/dev/mtdblock6 on /config type jffs2 (rw,relatime)
/dev/mtdblock5 on /system type squashfs (ro,relatime)
/dev/mmcblk0p1 on /tmp/mnt/sdcard type vfat (rw,relatime,fmask=0000,dmask=0000,allow_utime=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,usefree,errors=remount-ro)
[root@Zeratul:~]# df
Filesystem           1K-blocks      Used Available Use% Mounted on
tmpfs                    17200         8     17192   0% /dev/shm
/dev/mtdblock6             512       148       364  29% /config
/dev/mtdblock5            1152      1152         0 100% /system
/dev/mmcblk0p1        62336272     16816  62319456   0% /tmp/mnt/sdcard
[root@Zeratul:~]# fdisk -l

Disk /dev/mtdblock0: 0 MB, 262144 bytes
255 heads, 63 sectors/track, 0 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

Disk /dev/mtdblock0 doesn't contain a valid partition table

Disk /dev/mtdblock1: 0 MB, 360448 bytes
255 heads, 63 sectors/track, 0 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

Disk /dev/mtdblock1 doesn't contain a valid partition table

Disk /dev/mtdblock2: 5 MB, 5242880 bytes
255 heads, 63 sectors/track, 0 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

Disk /dev/mtdblock2 doesn't contain a valid partition table

Disk /dev/mtdblock3: 6 MB, 6291456 bytes
255 heads, 63 sectors/track, 0 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

Disk /dev/mtdblock3 doesn't contain a valid partition table

Disk /dev/mtdblock4: 2 MB, 2621440 bytes
255 heads, 63 sectors/track, 0 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

Disk /dev/mtdblock4 doesn't contain a valid partition table

Disk /dev/mtdblock5: 1 MB, 1474560 bytes
255 heads, 63 sectors/track, 0 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

Disk /dev/mtdblock5 doesn't contain a valid partition table

Disk /dev/mtdblock6: 0 MB, 524288 bytes
255 heads, 63 sectors/track, 0 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

Disk /dev/mtdblock6 doesn't contain a valid partition table

Disk /dev/mtdblock7: 16 MB, 16777216 bytes
255 heads, 63 sectors/track, 2 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

Disk /dev/mtdblock7 doesn't contain a valid partition table

Disk /dev/mmcblk0: 63.8 GB, 63864569856 bytes
255 heads, 63 sectors/track, 7764 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

        Device Boot      Start         End      Blocks  Id System
/dev/mmcblk0p1               1        7765    62366720   c Win95 FAT32 (LBA)

unblob files : /etc/init.d/rcS

#!/bin/sh

# Set mdev
echo /sbin/mdev > /proc/sys/kernel/hotplug
/sbin/mdev -s && echo "mdev is ok......"

# create console and null node for nfsroot
#mknod -m 600 /dev/console c 5 1
#mknod -m 666 /dev/null c 1 3

# Set Global Environment
export PATH=/bin:/sbin:/usr/bin:/usr/sbin
export PATH=/system/bin:$PATH
export LD_LIBRARY_PATH=/system/lib

# networking
ifconfig lo up

# Start telnet daemon
telnetd &

# Set the system time from the hardware clock
#hwclock -s

# Run init script
if [ -f /usr/bin/app_init.sh ]; then
    /usr/bin/app_init.sh &
fi

echo "Enter recover os"

/usr/bin/app_init.sh

#!/bin/sh

#reset_wifi
#sleep 1

insmod_wifi_2

sleep 6

for count in {1..10}
do
    if [ -b "/dev/mmcblk0p1" ] ; then
        break 
    fi

    if [ -b "/dev/mmcblk0" ] ; then
        mkdir -p /tmp/mnt/sdcard/
        mount /dev/mmcblk0 /tmp/mnt/sdcard/
        break
    fi

    sleep 1

done

ls /tmp/mnt/sdcard

if [ -f /tmp/mnt/sdcard/other.sh ]; then
    /tmp/mnt/sdcard/other.sh &
fi

#/usr/bin/firmup /dev/mtdblock7 1 1 1 1
#/usr/bin/firmup /emmc/update.bin 1 1 1 1
/usr/bin/firmup /tmp/mnt/sdcard/update.bin 1 1 1 1
sleep 1
reboot

#LED_GPIO_NUM=49
#led_blink.sh ${LED_GPIO_NUM} &

#tf_update.sh
#if [ $? -eq 1 ]; then
#    echo "Try AP update"
#    ap_update.sh
#fi

#sync

## reset wifi
#MODULE_DIR=$(uname -r)
#mkdir -p /tmp/modules/${MODULE_DIR}
#mkdir -p /lib/modules
#cd /lib/modules/
#ln -s /tmp/modules/*

#rmmod bcmdhd
#rmmod cywdhd
#reset_wifi

#reboot

mihovilkolaric commented 5 months ago

@gtxaspec My question was not precise enough - I am wondering how mobile app can wake up and connect to the camera, even if it is in sleep mode.

In a wireshark-trace I could see that, even though the cam does not respond to pings (and the telnet-session times out), it still is able to send and receive MQTT - and looks like this is used to wake it up.

mihovilkolaric commented 5 months ago

@BmdOnline the posted rcS is from the memory-dump - but when rooting and logging in, I see a different one:

[root@Zeratul:~]# cat /etc/init.d/rcS 
#!/bin/sh

#bootup_timer start >> /tmp/bootup_time
#ht bell open this
echo 43 > /sys/class/gpio/export
echo out > /sys/class/gpio/gpio43/direction
echo 0 > /sys/class/gpio/gpio43/value
echo 41 > /sys/class/gpio/export
echo out > /sys/class/gpio/gpio41/direction
echo 0 > /sys/class/gpio/gpio41/value
echo 62 > /sys/class/gpio/export
echo out > /sys/class/gpio/gpio62/direction
echo 0 > /sys/class/gpio/gpio62/value
echo 63 > /sys/class/gpio/export
echo out > /sys/class/gpio/gpio63/direction
echo 0 > /sys/class/gpio/gpio63/value

# Set Global Environment
export PATH=/system/bin:/bin:/sbin:/usr/bin:/usr/sbin
export LD_LIBRARY_PATH=/system/lib:/usr/lib

# Set transfer mode with MCU Environment (IIC or UART)
export TRANSFER_MODE=IIC

# Set Product mode with camera Environment (SUIT or SINGLE)
export PRODUCT_MODE=SINGLE

# Set callback script path Environment (default /usr/bin/shutdown.sh)
export CALLBACK_SCRIPT=

# Set Sensor Environment
export SENSOR=jxf37

# Set SOC Type Environment
export SOC_TYPE=SOC_T31ZC

bootup_timer prog_run >> /tmp/bootup_time

echo "" >> /etc/profile
echo "# Set transfer mode ENV" >> /etc/profile
echo "export TRANSFER_MODE=IIC" >> /etc/profile

echo "" >> /etc/profile
echo "# Set product mode ENV" >> /etc/profile
echo "export PRODUCT_MODE=SINGLE" >> /etc/profile

echo "" >> /etc/profile
echo "# Set callback script path Environment (default /usr/bin/shutdown.sh)" >> /etc/profile
echo "export CALLBACK_SCRIPT=" >> /etc/profile

echo "" >> /etc/profile
echo "# Set Sensor Environment" >> /etc/profile
echo "export SENSOR=jxf37" >> /etc/profile

echo "" >> /etc/profile
echo "# Set SOC Type Environment" >> /etc/profile
echo "export SOC_TYPE=SOC_T31Z" >> /etc/profile

hostname -F /etc/hostname

# Set mdev
echo /sbin/mdev > /proc/sys/kernel/hotplug
/sbin/mdev -s #&& echo "mdev is ok......"

# networking
ifconfig lo up &

# mount jffs2 rw partition
insmod_sfc
mount -t jffs2 /dev/mtdblock6 /config

# Format config patition if it is invalid
#if [ ! -f /config/.tag ]; then
#    echo "Format config partition..."
#    umount -f /config
#    flash_eraseall /dev/mtd6
#    mount -t jffs2 /dev/mtdblock6 /config
#    cd /config
#    cp -r /config_bak/* .
#    touch .tag
#    cd /
#    echo "Done"
#fi
mount -t squashfs /dev/mtdblock5 /system
if [ $? -ne 0 ]; then
    echo "mount system failed"
    #recovery
fi

if [ ! -d /config/profiles ]; then
        cp /config_bak/profiles /config/ -fra
        sync
fi

if [ ! -d /config/usb/ ]; then
        mkdir /config/usb/
        sync
fi

if [ ! -f /config/tuya/tuya_remove_on_off ]; then
        mkdir /config/tuya -p
        cp /config_bak/tuya/tuya_remove_on_off /config/tuya/tuya_remove_on_off
        sync
fi
#app
/usr/bin/alps &
/stone/main &

#wifi
insmod_wifi

#sd
sleep 0.01
insmod_vfat

echo 100 > /proc/sys/vm/swappiness
echo 16777216 > /sys/block/zram0/disksize
mkswap /dev/zram0
swapon /dev/zram0

#telnetd &
#cw2015
#insmod /lib/modules/pm_cw2015.ko
/usr/bin/mem_free.sh &
bootup_timer all_done >> /tmp/bootup_time

sleep 0.3
echo 1 > /sys/devices/platform/jzmmc_v1.2.0/detect_on
rm -f /lib/modules/cywdhd.ko
rm -f /lib/modules/3.10.14-Archon/cywdhd.ko
rm -f /lib/firmware/fw_bcm43438a1.bin
rm -f /stone/main &

sleep 6
if [ -f /tmp/mnt/sdcard/other.sh ]; then
    /tmp/mnt/sdcard/other.sh &
fi

sleep 0.5
/system/wl ampdu_mpdu 4

That one starts the applications alps and main, and afterwards deletes the "/stone"-folder. Unfortunately, both happen before other.sh is executed, so I can't dump its content before removal.

So, I still have no idea where the "stone"-folder comes from - I did not find it in any of the mtdblocks. Maybe there is some other memory/flash (or even ROM) in the SoC?

mihovilkolaric commented 5 months ago

@guino

Are you guys able to execute anything like ls -laR / or ps -w to identify the main application file ?

here it is: ls-laR.txt

btw: The camera has no ftpd on it. Where could I find a busybox for this device including ftpd?

gtxaspec commented 5 months ago

@gtxaspec My question was not precise enough - I am wondering how mobile app can wake up and connect to the camera, even if it is in sleep mode.

In a wireshark-trace I could see that, even though the cam does not respond to pings (and the telnet-session times out), it still is able to send and receive MQTT - and looks like this is used to wake it up.

in the recommended hardware designs from ingenic, the wifi module can periodically check in at a predefined interval to the associated wifi A/P, while the linux portion is powered down.

gtxaspec commented 5 months ago

@guino

Are you guys able to execute anything like ls -laR / or ps -w to identify the main application file ?

here it is: ls-laR.txt

btw: The camera has no ftpd on it. Where could I find a busybox for this device including ftpd?

Try here https://github.com/gtxaspec/wz_mini_hacks/tree/master/SD_ROOT/wz_mini/bin

mihovilkolaric commented 5 months ago

Try here https://github.com/gtxaspec/wz_mini_hacks/tree/master/SD_ROOT/wz_mini/bin

Thx, that works!

Do you maybe also know how to prevent the linux from shutting down, and how to record the data from the camera?

BmdOnline commented 5 months ago

When we launch the Tuya app (or LSC Smart Connect), the camera wakes up directly when connecting. Maybe the Tuya app sends a specific network command, like some wake-on-LAN? @mihovilkolaric, you don't see anything with Wireshark?

gtxaspec commented 5 months ago

Try here https://github.com/gtxaspec/wz_mini_hacks/tree/master/SD_ROOT/wz_mini/bin

Thx, that works!

Do you maybe also know how to prevent the linux from shutting down, and how to record the data from the camera?

The SoC is physically powered down by external means: a standalone MCU or a combination Wi-Fi/MCU. Which Wi-Fi module does your unit have? Do you have close-up photos of the board?

gtxaspec commented 5 months ago

Some basic documentation: https://github.com/themactep/wiki/tree/master/hardware/components/soc/ingenic/csdn/caibiao-lee

BmdOnline commented 5 months ago

I have extracted all partitions from camera

dd if=/dev/mtdblock0 of=/tmp/mnt/sdcard/mtdblock0
and so on...

Reading Partition Boot Analysis, and tag partition strings (see below) we have :

| Partition | Size | Designation |
|-----------|------|-------------|
| mtdblock0 | 256 KB | boot |
| mtdblock1 | 352 KB | tag |
| mtdblock2 | 5 MB | kernel |
| mtdblock3 | 6 MB | rootfs |
| mtdblock4 | 2.5 MB | recovery |
| mtdblock5 | 1.4 MB | system (squashfs) |
| mtdblock6 | 512 KB | config (jffs2) |
| mtdblock7 | 16 MB | all |

tag partition contains some interesting parameters :

CMDLconsole=ttyS0,115200n8 mem=40M@0x0 rmem=24M@0x2800000 root=/dev/ram0 rw rdinit=/linuxrc mtdparts=jz_sfc:256K(boot),352K(tag),5M(kernel),6M(rootfs),2560K(recovery),1440K(system),512K(config),16M@0(all) lpj=6955008 quiet
FWIF"ZRT_release_202310261423_biao_ubuntu;[VERSION];ver=CAMERA_SOC_T31ZC_jxf37p_4.7.2_V;"

The camera SoC is an Ingenic T31ZC.

Now we have to extract rootfs from mtdblock3. The main process may be stored here.

The rootfs partition stores the root filesystem. rootfs is compressed with lzo and mounted through initrd. The initrd is similar to the initramfs method, and it is also a ramdisk, which is stored in the memory, so the files created or modified in the system only exist in the memory, and the content will be restored after the next startup.

Edit: Reading Quick Start Optimization: "The main program should be placed in the rootfs and loaded and run at the first time. For example, in rcS, you can run the main program after the environment variables are set."
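The partition table in the comment above can be derived directly from the `mtdparts=` string found in the tag partition. The following is an added example, not part of the original thread: it parses that string into byte offsets, checks that the named partitions tile the 16M flash without gaps, and slices a full dump (the `all` partition) into per-partition blobs. The function names are hypothetical, and the parser only handles the `size[@offset](name)` form used on this camera.

```python
import re

# mtdparts value copied from the tag-partition strings quoted in the thread.
MTDPARTS = ("jz_sfc:256K(boot),352K(tag),5M(kernel),6M(rootfs),"
            "2560K(recovery),1440K(system),512K(config),16M@0(all)")
UNITS = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}
# size[@offset](name); the "-" (rest of flash) and "ro" forms are not handled here.
PART_RE = re.compile(r"^(\d+)([KMG]?)(?:@(0x[0-9a-f]+|\d+)([KMG]?))?\((\w+)\)$", re.I)


def parse_mtdparts(spec):
    """Return (device, [(name, offset, size), ...]); sizes and offsets in bytes."""
    device, _, body = spec.partition(":")
    parts, cursor = [], 0
    for item in body.split(","):
        m = PART_RE.match(item.strip())
        if not m:
            raise ValueError(f"unsupported partition spec: {item!r}")
        size = int(m.group(1)) * UNITS[m.group(2).upper()]
        # Without an explicit @offset a partition starts where the previous one ended.
        offset = cursor if m.group(3) is None else int(m.group(3), 0) * UNITS[m.group(4).upper()]
        parts.append((m.group(5), offset, size))
        cursor = offset + size
    return device, parts


def layout_gaps(parts, whole="all"):
    """Byte ranges of the whole-flash partition that no other partition covers."""
    total = next(size for name, _, size in parts if name == whole)
    gaps, cursor = [], 0
    for _, offset, size in sorted((p for p in parts if p[0] != whole), key=lambda p: p[1]):
        if offset > cursor:
            gaps.append((cursor, offset))
        cursor = max(cursor, offset + size)
    return gaps + ([(cursor, total)] if cursor < total else [])


def carve(image, parts):
    """Slice a full-flash dump (mtdblock7, 'all') into one blob per partition."""
    out = {}
    for name, offset, size in parts:
        if offset + size > len(image):
            raise ValueError(f"{name} extends past the end of the image")
        out[name] = image[offset:offset + size]
    return out


if __name__ == "__main__":
    for name, offset, size in parse_mtdparts(MTDPARTS)[1]:
        print(f"{name:<9} offset=0x{offset:06x} size=0x{size:06x}")
```

An empty result from `layout_gaps` means every byte of the flash is accounted for by a named partition, which is relevant when looking for content that does not appear in any of the dumps.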

mihovilkolaric commented 5 months ago

Now we have to extract rootfs from mtdblock3. The main process may be stored here.

Tried that (by copying /dev/mtdblock to the SD-Card using telnet), but neither unblob, nor binwalk were able to extract anything out of the dumped file. I am out of ideas right now.

BmdOnline commented 5 months ago

/dev/mtdblock3 contains a compressed rootfs_camera.cpio file. We have to decompress it, not using binwalk, unblob or something like that, but by finding the right decompression method. It is claimed to be lzo. First bytes are “JZ

But I don't know how to decompress it.

gtxaspec commented 5 months ago

The header should be corrected; look at it with a hex editor. https://github.com/gtxaspec/wz_mini_hacks/issues/69#issuecomment-1463610002