guino / Merkury1080P

Merkury1080P (CW017) Rooting and Customization

cannot access rtsp #26

Closed (drakbar closed 2 years ago)

drakbar commented 2 years ago

About Device

firmware version: ppstrong-a3-tuya2_merkury-4.0.7.20210624
hardware version: M11S_A2_V20_GC1
model: mini 11s

Summary

So, after successfully rooting my camera I am able to log (telnet) into the device and use vi to edit tuya_config.json. I have set onvif_enable to 1 and have set the onvif_pwd. Attempting to access the rtsp stream using a variety of methods has not yielded any success to include:

/* using web browser */
rtsp://( admin | user ):password@ip:8554
rtsp://( admin | user ):password@ip:8554//Streaming/Channels/10[1|2]
rtsp://ip:8554
rtsp://ip:8554//Streaming/Channels/10[1|2]

/* using vlc */
vlc --rtsp-tcp rtsp://ip:8554

My thought is that onvif is not actually serving up rtsp. When using netstat to check for active connections, I don't see the onvif server on 8000 or the rtsp server on 8554. All that is present are the web servers on 8080 and 8090, the tuya service on 6668, and the telnet connection on 23.

[image: netstat]

tuya_config.json

{
    "version"                  : 0,
    "sleep_mode"               : 0,
    "alarm_fun_onoff"          : 0,
    "alarm_fun_sensitivity"    : 1,
    "alarm_fun_mode_switch"    : 0,
    "alarm_fun_time_start"     : 0,
    "alarm_fun_time_end"       : 0,
    "flip_onoff"               : 0,
    "light_onoff"              : 1,
    "night_mode"               : 0,
    "sound_detect_onoff"       : 0,
    "sound_detect_sensitivity" : 0,
    "watermark_onoff"          : 1,
    "event_record_time"        : 60,
    "enable_event_record"      : 2,
    "record_enable"            : 1,
    "motion_trace"             : 1,
    "motion_area_switch"       : 0,
    "motion_area"              : "",
    "motion_tracking"          : 0,
    "cry_detection_switch"     : 0,
    "humanoid_filter"          : 0,
    "loudspeaker_vol_pct"      : 100,
    "onvif_enable"             : 1,
    "onvif_pwd"                : "mini11s"
}

I read in #18 that there is a ppsapp.log somewhere. I am currently not aware of its dump location, or else I would be digging through that as well. I don't know why this procedure isn't working since most 4.0.x devices don't need a patch. In any case I looked at the requirements for patching and began the process but stopped when I found out about the config json. Here are my findings thus far:

/* ONVIF PATCHING */

starting address: 0x8000

onvif_enable variable: DAT_002b4ee8

addresses setting onvif_enable variable

0000f3a8 - 8000 = 73a8 -> 01 20 a0 e3
0000fba0 - 8000 = 7ba0 -> 01 00 a0 e3
00013b14 - 8000 = bb14 -> 01 20 a0 e3

/* SNAP.CGI AND MJPEG.CGI PATCHING */

cannot find pps_media_md_get_pic in binary

/* PLAY.CGI */

cannot find "talkTask" in binary

My camera is connected to a network that does not have internet, does that have an impact on either onvif or rtsp servers? Thanks in advance for any help.
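The address arithmetic in the notes above, as an added example that is not part of the original post: it subtracts the 0x8000 load base from each Ghidra address to get the file offset and decodes the listed little-endian bytes. It assumes ppsapp is 32-bit ARM (A32) code, and all function names are hypothetical.

```python
import struct

LOAD_BASE = 0x8000  # "starting address" from the notes above

# (Ghidra address, bytes as listed in the notes above)
NOTES = [
    (0x0000F3A8, "01 20 a0 e3"),
    (0x0000FBA0, "01 00 a0 e3"),
    (0x00013B14, "01 20 a0 e3"),
]

def file_offset(vaddr, base=LOAD_BASE):
    """Translate a Ghidra address into an offset inside the file on disk."""
    if vaddr < base:
        raise ValueError(f"{vaddr:#x} is below the load base {base:#x}")
    return vaddr - base

def decode_mov_imm(raw):
    """Return 'mov rD, #imm' for an A32 MOV-immediate word, else None."""
    if len(raw) != 4:
        raise ValueError("an ARM (A32) instruction is exactly 4 bytes")
    (word,) = struct.unpack("<I", raw)           # stored little-endian
    if (word >> 25) & 0b111 != 0b001:            # data-processing, immediate form
        return None
    if (word >> 21) & 0xF != 0b1101:             # opcode 1101 = MOV
        return None
    rd = (word >> 12) & 0xF
    rot = 2 * ((word >> 8) & 0xF)                # imm8 is rotated right by 2*rot4
    imm8 = word & 0xFF
    imm = ((imm8 >> rot) | (imm8 << (32 - rot))) & 0xFFFFFFFF
    cond = word >> 28
    name = "mov" + ("s" if word & (1 << 20) else "")
    if cond != 0xE:                              # 0xE = always executed
        name += f".cond{cond:x}"
    return f"{name} r{rd}, #{imm:#x}"

def bytes_match(image, vaddr, expected_hex):
    """True if the file image holds the expected bytes at vaddr's file offset."""
    off = file_offset(vaddr)
    want = bytes.fromhex(expected_hex)
    return image[off:off + len(want)] == want

def summarize(notes=NOTES):
    """(Ghidra address, file offset, decoded instruction) for each entry."""
    return [(a, file_offset(a), decode_mov_imm(bytes.fromhex(h))) for a, h in notes]

if __name__ == "__main__":
    for addr, off, asm in summarize():
        print(f"{addr:#010x} -> file offset {off:#06x}: {asm}")
```

Running `bytes_match` against a copy of the binary before editing confirms that the offsets point at the bytes the notes expect.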

guino commented 2 years ago

@drakbar the camera needs to connect to the tuya servers to set the date and time - only after that will it start the onvif/rtsp service. In addition the camera must have been set up in the app as it won’t do much while in ‘factory mode’ (also be sure ppsFactoryTool.txt is removed/renamed after rooting for the same reason).

The only way for the camera to start up completely without internet is to use an offline patch (we don’t make those unless specifically requested).

drakbar commented 2 years ago

@guino you are correct, it has to phone home prior to working. Interestingly, once you get the onvif and rtsp servers up on the device they will stay up even in the event that the network loses connection to the internet. Now how long the servers will remain in that state (besides a power cycle) I have yet to see.

Would you be willing to assist me in creating an offline patch?

guino commented 2 years ago

@drakbar once started the device will continue to work (forever) unless it is powered off or frozen, then it will need internet to boot up completely again.

I should be able to make an offline patch once I am back on my feet.

drakbar commented 2 years ago

@guino do you need a copy of ppsapp?

guino commented 2 years ago

@drakbar yes, I need ppsapp for your version.

drakbar commented 2 years ago

@guino Here you go. Do you patch this strictly based on the de-compilation? Or do you have some type of emulator?

I tried to create a patch similar to #11, but mqtt just spams the output with error messages and doesn't advance on to firing up the onvif and rtsp servers.

ppsapp.zip

guino commented 2 years ago

@drakbar play.cgi address: 0x003940e4, mjpeg/snap.cgi address: 0x03932e8 -- still working on the offline patch.

guino commented 2 years ago

@drakbar I just use ghidra to view the code and figure out what needs changing, then patch the file directly (hex editor) to build a patch file later. I don't have a way to run/emulate it but have an idea of what to do comparing with my own devices which are different but allowed me to do initial testing and know what works.

Here's the offline patch you can try: ppsapp-offline.zip (Please use these instructions to patch it: https://github.com/guino/ppsapp-rtsp/issues/1#issue-759079080)

Let me know the results of the patch so I can post it on the main list if it works, Thanks

drakbar commented 2 years ago

@guino wow I am shaking my head over here. I was so close yet so far. I patched the while loop near the top of that function. I didn't even notice that one hiding in there. I am super impressed with the patch though; all it takes is changing one byte to a no-op and the flow of execution just drops out of the while loop.

[image: patch]

Anyways it works like a charm as can be seen from netstat.

[image: netstat]

Thanks for all your help.
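The netstat check used in this thread, as an added example that is not part of any comment: it parses `netstat -tln`-style output and reports whether the onvif (8000) and rtsp (8554) listeners named in the thread are up. The sample output is constructed (the thread's screenshots are not reproduced) and the function names are hypothetical.

```python
# Ports and services as named in the thread
SERVICES = {
    23: "telnet",
    6668: "tuya service",
    8000: "onvif",
    8080: "web server",
    8090: "web server",
    8554: "rtsp",
}
STREAMING = (8000, 8554)  # listeners that only appear once the camera has fully started

# Constructed sample in the layout of busybox `netstat -tln` output
SAMPLE_NOT_STARTED = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8090            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6668            0.0.0.0:*               LISTEN
tcp        0      0 :::23                   :::*                    LISTEN
"""
SAMPLE_STARTED = SAMPLE_NOT_STARTED + """\
tcp        0      0 0.0.0.0:8000            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8554            0.0.0.0:*               LISTEN
"""

def listening_ports(netstat_text):
    """Collect the local TCP ports that are in LISTEN state."""
    ports = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue                      # banner, column header or non-TCP line
        if fields[5] != "LISTEN":
            continue
        # rsplit handles both "0.0.0.0:8080" and IPv6-style ":::23"
        ports.add(int(fields[3].rsplit(":", 1)[1]))
    return ports

def audit(netstat_text):
    """Summarize which of the thread's services are listening."""
    ports = listening_ports(netstat_text)
    return {
        "streaming_ready": all(p in ports for p in STREAMING),
        "missing": [SERVICES[p] for p in STREAMING if p not in ports],
        "telnet_exposed": 23 in ports,
        "unexpected": sorted(ports - set(SERVICES)),
    }
```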

guino commented 2 years ago

@drakbar glad it works, thanks for reporting back.

Usually it’s simple like this but some versions have a bit of a convoluted nested loop in that check and you have to get a little creative with the changes.