Problems while rooting Mini 11S

[mmendozam]

Hi @guino, I'd like to thank you for your great job doing this project to root Merkury cams. I have a Merkury 1080 cam I tried to root following your instructions but it looks like I'm missing something. I took the files from this post and then replaced the 3 files as described here before copying them all over to my sd card. Then I turned my cam on while holding the reset button. At this point everything looked good to me, I was able to hit cmdline and deviceinfo URLs with the expected responses in my browser. The problem came when I tried to hit the hack one, I got no response. I read that some users do not get any response at all but still the root worked, so I extracted the sd card from the cam and I found no hack file nor home folder. I tried reformatting the sd card using Windows default formatter as well as AOMEI software with no luck (I didn't try using Linux yet). I even tried changing the value 30 in the env file to 60 as described here, I saw the cmdline with the updated value but it didn't help.

What could I be missing?

Please find below some outputs that may help you to figure out what is happening.

http://admin:056565099@192.168.0.13:8090/proc/cmdline

mem=64M console=ttySAK0,115200n8 loglevel=10 mtdparts=spi0.0:256k(bld),64k(env),64k(enc),64k(sysflg),3m(sys),4032k(app),640k(cfg) ppsAppParts=5 ip=0 - ip=30;/mnt/mmc01/initrun.sh)&:::::;date>/tmp/hack;(sleep

http://admin:056565099@192.168.0.13:8090/devices/deviceinfo

{
    "devname": "Smart Home Camera",
    "model": "Mini 11S",
    "serialno": "062843070",
    "softwareversion": "4.0.6",
    "hardwareversion": "M11S_A2_V10_F37",
    "firmwareversion": "ppstrong-a3-tuya2_merkury-4.0.6.20210207",
    "identity": "MR2009160301203856",
    "authkey": "xqF...",
    "deviceid": "pp01...",
    "pid": "aaa",
    "WiFi MAC": "XX:XX:XX:XX:XX:XX",
    "ETH MAC": "00:00:00:00:00:00"
}

http://admin:056565099@192.168.0.13:8090/proc/self/root/mnt/mmc01/hack

[HTTP/1.1 500 Internal Server]

http://admin:056565099@192.168.0.13:8090/proc/mounts

rootfs / rootfs rw 0 0
proc /proc proc rw,relatime 0 0
sysfs /sys sysfs rw,relatime 0 0
tmpfs /dev tmpfs rw,relatime 0 0
devpts /dev/pts devpts rw,relatime,mode=600,ptmxmode=000 0 0
/dev/mtdblock6 /home/cfg jffs2 rw,relatime 0 0
/dev/mmcblk0p1 /mnt/mmc01 vfat rw,relatime,fmask=0022,dmask=0022,codepage=cp437,iocharset=iso8859-1,shortname=mixed,usefree,errors=continue 0 0

http://admin:056565099@192.168.0.13:8090/proc/self/root/mnt/mmc01/initrun.sh

#!/bin/sh

# Copy app partition if not already done
if [ ! -e /mnt/mmc01/home ]; then 
 MTDNUM=`cat /proc/cmdline | sed 's/.*ppsAppParts=\([0-9]\).*/\1/'`
 mount -t cramfs /dev/mtdblock$MTDNUM /opt/pps
 tar xf /opt/pps/app.* -C /mnt/mmc01/
fi

# Now flag the hack is done
echo done > /mnt/mmc01/hack

# Try to run custom.sh
while true; do
 if [ -e /mnt/mmc01/custom.sh ]; then
  /mnt/mmc01/custom.sh
 fi
 sleep 10
done

http://admin:056565099@192.168.0.13:8090/proc/self/root/etc/init.d/S80network

#!/bin/sh

ipaddr=
bootp=
gateway=
netmask=
hostname=
netdev=
autoconf=

for ipinfo in `cat /proc/cmdline`
do
    case "$ipinfo" in
    ip=*)
        for var in  ipaddr bootp gateway netmask hostname netdev autoconf
        do
            eval read $var
        done << EOF
        `echo "$ipinfo" | sed "s/:/\n/g" | sed "s/^[    ]*$/-/g"`
EOF
        ipaddr=`echo "$ipaddr" | cut -d = -f 2`
        [ x$ipaddr == x ] && ipaddr=x
        ;;
    esac
done

[ -z "$ipaddr" ] && exit 0

echo "      IP: $ipaddr"
echo "   BOOTP: $bootp"
echo " GATEWAY: $gateway"
echo " NETMASK: $netmask"
echo "HOSTNAME: $hostname"
echo "  NETDEV: $netdev"
echo "AUTOCONF: $autoconf"

if [ x$ipaddr == x- ] ; then
    # use DHCP
    :
else
    cmd="ifconfig $netdev $ipaddr"
    [ x$netmask != x- ] && cmd="$cmd netmask $netmask"
    eval $cmd
    [ x$gateway != x- ] && route add default gw $gateway
fi

ifconfig lo 127.0.0.1

[guino]

@mmendozam You seem to have done everything correctly and you have a version known to work with our process. You should NOT need to use the reset button again unless we find something very different.

I'd like you to post the response for http://admin:056565099@ip:8090/proc/self/root/etc/init.d/S90PPStrong so I can see if there's anything odd.

Can you also check if you have a response for http://admin:056565099@ip:8090/proc/self/root/tmp/hack ?

The above should tell us more and in the mean time if you want to try something you can try adding this line to your initrun.sh: mkdir -p /opt/pps (immediately after the if [ ! -e /mnt/mmc01/home ]; then line) and just powering up the device normally without using reset button again (with SD card inserted).

It is obvious the SD card is working based on the information you provided, so I'm not sure why the initrun.sh script isn't running. As long as you have a 'home' folder created by the device during boot everything should work (even if you don't get the 'hack' response like you mentioned).

[mmendozam]

Kindly find below the additional details:

http://192.168.0.13:8090/proc/self/root/etc/init.d/S90PPStrong

#!/bin/sh

export PATH=/usr/bin:/sbin/:/usr/sbin:/bin

RED=""
NORMAL=""

echo "${GREEN} 2015 PPStrong Tech Cop.Ltd.${NORMAL}"

mkdir -p /opt/pps
MTDNUM=`cat /proc/cmdline | sed 's/.*ppsAppParts=\([0-9]\).*/\1/'`

# debug
MTDNUM=5

case $MTDNUM in
         5)
            mount -t cramfs /dev/mtdblock$MTDNUM /opt/pps
            break
            ;;
         7)
            mount -t cramfs /dev/mtdblock$MTDNUM /opt/pps
            break
            ;;
         0)     
            sleep 10
            mount -t vfat /dev/mmcblk0p1 /opt/pps
            break
            ;;
         *)
            MTDNUM=5
            mount -t cramfs /dev/mtdblock$MTDNUM /opt/pps
            ;;
esac

echo "/opt/pps/" > /tmp/PPStrong.runpath
[ -e /opt/pps/initrun.sh ] && cp /opt/pps/initrun.sh /tmp/PPStart && chmod +x /tmp/PPStart && /tmp/PPStart

http://192.168.0.13:8090/proc/self/root/tmp/hack

Thu Jan  1 08:00:13 CST 1970

Also, I tried adding the mkdir command as you suggested (no luck): http://192.168.0.13:8090/proc/self/root/mnt/mmc01/initrun.sh

#!/bin/sh

# Copy app partition if not already done
if [ ! -e /mnt/mmc01/home ]; then 
 mkdir -p /opt/pps
 MTDNUM=`cat /proc/cmdline | sed 's/.*ppsAppParts=\([0-9]\).*/\1/'`
 mount -t cramfs /dev/mtdblock$MTDNUM /opt/pps
 tar xf /opt/pps/app.* -C /mnt/mmc01/
fi

# Now flag the hack is done
echo done > /mnt/mmc01/hack

# Try to run custom.sh
while true; do
 if [ -e /mnt/mmc01/custom.sh ]; then
  /mnt/mmc01/custom.sh
 fi
 sleep 10
done

[guino]

@mmendozam the hack line indicates the command is running (good) but the fact that initrun.sh isn't running is the problem.

Can you post a zip of your your SD card files so I can check ? I would like to rule out something like Windows formatting of the files, etc -- depending on how you created/edited the files this could be the issue.

[mmendozam]

Here is the zip with my sd card files, I only omitted ppsFactoryTool.txt file. mmc.zip

[guino]

@mmendozam it seems like all your files are saved in windows format -- this is likely why it isn't working. I recommend you use this link to download initial files: https://github.com/guino/Merkury720/archive/refs/heads/main.zip then use this link to download the 3 additional files for your device (overwriting existing files): https://github.com/guino/Merkury1080P/archive/refs/heads/main.zip then finally download busybox (the previous links may overwrite it): https://github.com/guino/Merkury720/blob/main/mmc/busybox?raw=true and after placing all files on SD card (without making changes to them) and booting (without reset button) the device you should get the home directory created.

Let me know how that goes, and if it doesn't work, zip the files again so I can review.

[mmendozam]

Thanks @guino! It looks like the problem was the file format! I copied your zipped files to my sdcard and it worked. Then, I looked at what was different between your files and my files. You were absolutely right, the issue was the file format:

I initially used Notepad++ to edit the files, after you mentioned the OS file format I simply did Edit > EOL Conversion > Unix (LF) in Notepad++ to change the format and it worked, too. I only transformed the initrun.sh file.

Thanks for your help!

[guino]

@mmendozam glad to help, thanks for the feedback.