guino / Merkury1080P

Merkury1080P (CW017) Rooting and Customization

Issues with rooting Mini 11S #29

Closed AvgAlice closed 2 years ago

AvgAlice commented 2 years ago

I've confirmed I've got the right SD cards, I have 3 different cameras to try from and none of them work. Using the directions from the 720p and the 1080p, I copied files from 720 to root of card, replaced with files from 1080, downloaded busybox to root, and downloaded ppsFactoryTool and modified with SSID and password. I did all of this in Windows, and then again in Ubuntu desktop.

When booting the camera, I'm still able to view the camera in the Geeni app. When navigating to http://admin:056565099@ip:8090/proc/cmdline, I get no result, but when navigating to http://admin:056565099@ip/proc/cmdline, I'm presented with this info:

mem=37M console=ttyAMA0,115200n8 mtdparts=hi_sfc:192k(bld)ro,64k(env)ro,64k(enc)ro,64k(sysflg)ro,3136k(sys),4224k(app),448k(cfg) ppsAppParts=5 ppsWatchInitEnd

I notice that I don't have the ip= section, and I haven't been able to get that far.

Navigating to any other page provided does not work, except for http://admin:admin@ip/devices/deviceinfo, from which I receive the following info:

{"devname":"Smart Home Camera","model":"Mini 11S","serialno":"059344886","softwareversion":"2.10.6","hardwareversion":"M11S_H1_V10_F23","firmwareversion":"ppstrong-c51-tuya2_geeni-2.10.6.20210819","authkey":"vRkPUaX----FzZy8KQ","deviceid":"pp019a-37a","identity":"MR2002---8477","pid":"aaa","WiFi MAC":"7c:a--:13"}

When plugging the SD back into my computer, I don't see the /home/ directory, or a "hack" file. The only thing I see added is the SDT folder, which I'm assuming contains info placed by default by the camera.

I understand that there's a formatting issue with Windows vs Linux. I used parted to format the drive, mkfs vfat to create the FAT32 partition, loaded and modified all files in Linux and ejected using the GUI.

I understand that there's also a patch for specific hardware versions, but I believe that requires having a little more progress in the hack, unless I'm misunderstanding that.

I'm not sure what other options I can try. I've tried other cheap-o SD cards I've got lying around; the cards I bought for this are 32GB.

Thanks in advance! ♥

guino commented 2 years ago

@AvgAlice your /proc/cmdline response indicates that the boot settings are not changing. For 2.10.x firmware (your version) you need to use these instructions+files from https://github.com/guino/BazzDoorbell/issues/13 -- the instructions from 720p and 1080p are for different firmware versions (2.7.x and 4.x respectively), so this is possibly the reason you haven't been successful. I do recommend linux to prepare the files as windows can make the file formatting incompatible.

It can be hit-or-miss finding a compatible SD card to install the hack, after initial setup you can use any card you want (most should work). If you can't get your /proc/cmdline to change (as shown on the instructions) you should check if your reset button is working by using it while the camera is working normally with the app (may need to press and hold a few seconds) and check if the device reboots/resets indicating the reset button is working.

If you followed the steps from https://github.com/guino/BazzDoorbell/issues/13 and checked your reset button and still can't get it to work: post a zip of your SD card files you're using to try to install the hack and I can verify them.

AvgAlice commented 2 years ago

Alright, so I tried using the steps in doorbell#13, I checked my S90PPStrong readout, and I confirmed I have "#MTDNUM=5". My proc/cmdline did not change, nor did it show the "thankyou" bits at the end.

Attached are files I've been using. This would include the 3 files noted in #2 (I put those in the "doorbell files" folder for this upload, but they were the only files on the root of the card when attempting; also tried with ppsFactoryTool.txt), and the other files used from the 720 and 1080 hacks.

CamHackFiles.zip

AvgAlice commented 2 years ago

Also, thanks for obfuscating my MAC, didn't think about that before I posted ;)

guino commented 2 years ago

@AvgAlice Based on your zip, your env file is still the one from https://github.com/guino/BazzDoorbell/issues/2 and the env file is not formatted correctly (it has Windows end of lines in it). Please use the 3 files from the zip posted with https://github.com/guino/BazzDoorbell/issues/13 instead -- it does NOT have the thank you stuff in it.

Regardless, you'll need to use a text editor that doesn't remove the 00 byte marker at the end of the file -- whatever editor you used simply wrote \00 (three characters) which is just a representation of what the 00 byte should be (very bad). Please try a different text editor such as Notepad++ (https://notepad-plus-plus.org/downloads/) that can handle the Linux-style formatting used by the device. You'll also need to use it to edit other files after installing the hack.

Feel free to send me another env file for review if it doesn't work.
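
A check for the two env-file problems described in the comment above, as an added example that is not part of the original thread or the project's files: it flags Windows line endings and a literal `\00` written in place of the 0x00 end marker. The function name and the sample bytes are constructed for illustration; the only format facts assumed are the ones stated in the comment above.

```python
import sys

# Constructed samples; the key/value text is a placeholder, not real env content.
GOOD = b"key=constructed-value\n\x00"
CRLF_AND_LITERAL = b"key=constructed-value\r\n\\00"
NO_MARKER = b"key=constructed-value\n"


def check_env_file(data: bytes) -> list[str]:
    """Return the problems found in the raw bytes of an env file.

    Assumptions taken from the thread: Unix (LF) line endings, and a real
    0x00 byte as the last byte of the file.
    """
    problems = []

    # Windows editors rewrite LF as CRLF; report where it first happens.
    crlf = data.count(b"\r\n")
    if crlf:
        first_line = data[: data.index(b"\r\n")].count(b"\n") + 1
        problems.append(f"{crlf} CRLF line ending(s), first on line {first_line}")
    stray_cr = data.count(b"\r") - crlf
    if stray_cr:
        problems.append(f"{stray_cr} stray CR byte(s)")

    # An editor that cannot store a NUL may save the escape as text instead:
    # the three characters backslash, '0', '0'.
    tail = data.rstrip(b"\r\n \t")
    if tail.endswith(b"\\00"):
        problems.append("file ends with the literal text \\00, not a 0x00 byte")
    elif not data.endswith(b"\x00"):
        problems.append(f"last byte is {data[-1:].hex() or 'missing'}, expected 00")

    return problems


if __name__ == "__main__":
    # Usage: python3 check_env.py /path/to/sdcard/env
    with open(sys.argv[1], "rb") as fh:
        found = check_env_file(fh.read())
    print("\n".join(found) if found else "env looks clean")
    sys.exit(1 if found else 0)
```

Run it against the env file on the SD card after every edit; `xxd env | tail -n 2` shows the same final bytes by hand.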

AvgAlice commented 2 years ago

I was able to get Notepad++ up and running (I'm running a live Ubuntu desktop); apparently the default text editor added the \00 when I saved. After confirming I have clean files, the camera took an extra few seconds to boot, as noted in your instructions. /proc/cmdline now shows the following:

mem=37M console=ttyAMA0,115200n8 mtdparts=hi_sfc:192k(bld)ro,64k(env)ro,64k(enc)ro,64k(sysflg)ro,3136k(sys),4224k(app),448k(cfg) ppsAppParts=0 ppsWatchInitEnd - ip=${T//_/$'\\x20'}:::::;T=\"sleep_5;mkdir_-p_/mnt/mmc01;mount_-t_vfat_/dev/mmcblk0p1_/mnt/mmc01;/mnt/mmc01/initrun.sh&\";eval mtdparts=hi_sfc:192k(bld)ro,64k(env)ro,64k(enc)ro,64k(sysflg)ro,3136k(sys),4224k(app),448k(cfg) ppsAppParts=5 ppsWatchInitEnd

I proceeded to step 7 in guino/BazzDoorbell#13, and hit another wall. When attempting to reach http://admin:056565099@192.168.x.x/proc/self/root/mnt/mmc01/hack, I'm presented with an HTTP error 500.

I plugged the SD card back into my laptop and confirmed I now have "bin" "home" and "lib" for directories, so I'm assuming something worked, just not sure if getting the "done" from /proc/self/root/mnt/mmc01/hack is necessary to proceed.

I did attempt to telnet to the device via PuTTY, received a refused connection, so I think something got missed, unless this is where I add in the files from 720 and busybox, minus env, initrun, and ppsMmcTool.

Let me know if I'm on the right track, or if I need to backpedal.

Thanks for your help! ♥

guino commented 2 years ago

@AvgAlice your /proc/cmdline looks good and the fact that you got a home directory means it is working. You can proceed forward with the steps ignoring the 500 error from the hack url.

For telnet you need to make sure you have custom.sh, busybox and configure the passwd file.

You will need to rename/remove ppsFactoryTool.txt to get the app working again (including rtsp/mjpeg/etc) but you can wait until you have configured telnet.

You can post a zip of your SD card contents if you'd like me to review.

AvgAlice commented 2 years ago

I've gotten telnet up and running, logged in with my own creds, renamed ppsFactoryTool, ppsapp is patched using "ppstrong-c51-tuya2_geeni-2.10.1.20210207", followed the directions to a T. I'm able to "access" snap.cgi and mjpeg.cgi in browser, but all that shows is a small white square in the middle of the screen. I'm unable to access the RTSP stream via VLC or OBS, ran a quick netstat -tanp, didn't see 8554 or 8555 listed, only 6668, 23, and 8080.

Are there any specific files you'd want to look at to get a better idea as to what my issue is?

I did note that my current version is 2.10.6, according to the geeni app, if that makes any difference for the patch.

Thanks again!

guino commented 2 years ago

@AvgAlice you can't use the patch for ppstrong-c51-tuya2_geeni-2.10.1.20210207 on your 2.10.6 firmware -- patches are highly specific so the whole firmware version must match and the md5sum on the patching site should also match or it won't work (and can cause problems).

For snap/mjpeg to work you have to edit the address in the cgi files to be the address posted with your patch and there's a patch for your specific version already available but you should not need to patch it:

| Firmware Version | Hardware Version | Original ppsapp MD5 | device |
| --- | --- | --- | --- |
| ppstrong-c51-tuya2_geeni-2.10.6.20210819 | B4S_V10_H1_2063 | 53e21b3e67bed930a6e2762629c83d2d | Bullet 4S |

NOTE: This version should have RTSP available without patching at rtsp://IP:8554//Streaming/Channels/101 and rtsp://IP:8554//Streaming/Channels/102 -- see: https://github.com/guino/BazzDoorbell/issues/2#issuecomment-745618597

NOTE2: Some people reported issues with ffmpeg not being able to play RTSP at the above URLs, and in that case you can try patching with the patch below:

ppsapp-rtsp.zip

use port 8555 (rtsp://IP:8555) as ONVIF may already be using port 8554, please use this HOW TO PATCH GUIDE

snap.cgi and mjpeg.cgi address: 0x056b5c0

play.cgi address: 0x0056eea4

AvgAlice commented 2 years ago

Alright, so I attempted to change the addresses without patching, restored the original ppsapp file, 8554 and 8555 did not open up.

Patched using the file above and the instructions, confirmed md5 is good, ports 8554 and 8555 are now open, but none of the streams will open up with VLC or OBS given any of the rtsp links.

```
~ # netstat -tanp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:8554            0.0.0.0:*               LISTEN      1284/ppsapp
tcp        0      0 0.0.0.0:8555            0.0.0.0:*               LISTEN      1284/ppsapp
tcp        0      0 0.0.0.0:6668            0.0.0.0:*               LISTEN      1284/ppsapp
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      1274/busybox
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      1270/busybox
tcp        0      0 0.0.0.0:8000            0.0.0.0:*               LISTEN      1284/ppsapp
```

I've also confirmed my VLC is set to use TCP for rtsp streams. Also, the camera is now inaccessible to the Geeni application. The device shows as online, but I'm not able to control it or view the stream.
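
An added example (not part of the original thread): a parser for `netstat -tanp` output that maps each listening TCP port on the camera to the process that owns it and reports which of the RTSP ports discussed here are missing. `AFTER_PATCH` is the output posted in the comment above; `BEFORE_PATCH` is constructed from the ports AvgAlice listed earlier (6668, 23, 8080), and the function and class names are illustrative.

```python
from typing import NamedTuple, Optional

# Output posted in this thread after patching ppsapp.
AFTER_PATCH = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address   Foreign Address  State   PID/Program name
tcp        0      0 0.0.0.0:8554    0.0.0.0:*        LISTEN  1284/ppsapp
tcp        0      0 0.0.0.0:8555    0.0.0.0:*        LISTEN  1284/ppsapp
tcp        0      0 0.0.0.0:6668    0.0.0.0:*        LISTEN  1284/ppsapp
tcp        0      0 0.0.0.0:8080    0.0.0.0:*        LISTEN  1274/busybox
tcp        0      0 0.0.0.0:23      0.0.0.0:*        LISTEN  1270/busybox
tcp        0      0 0.0.0.0:8000    0.0.0.0:*        LISTEN  1284/ppsapp
"""

# Constructed: only the ports reported earlier in the thread, owner shown as
# "-" the way netstat prints it when the process is not visible.
BEFORE_PATCH = """\
tcp        0      0 0.0.0.0:6668    0.0.0.0:*        LISTEN  -
tcp        0      0 0.0.0.0:23      0.0.0.0:*        LISTEN  -
tcp        0      0 0.0.0.0:8080    0.0.0.0:*        LISTEN  -
"""


class Listener(NamedTuple):
    address: str          # bind address, 0.0.0.0 means every interface
    pid: Optional[int]
    program: str


def listening_sockets(netstat_output: str) -> dict:
    """Map each listening TCP port to the Listener that owns it."""
    sockets = {}
    for line in netstat_output.splitlines():
        fields = line.split()
        # Skip the banner, the column header and non-listening connections.
        if len(fields) < 6 or not fields[0].startswith("tcp") or fields[5] != "LISTEN":
            continue
        address, _, port = fields[3].rpartition(":")
        owner = fields[6] if len(fields) > 6 else "-"
        pid, _, program = owner.partition("/")
        sockets[int(port)] = Listener(
            address, int(pid) if pid.isdigit() else None, program or "unknown")
    return sockets


def missing_ports(sockets: dict, wanted=(8554, 8555)) -> list:
    """Ports from `wanted` (the two RTSP ports in this thread) not listening."""
    return [port for port in wanted if port not in sockets]
```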

guino commented 2 years ago

@AvgAlice did you remove ppsFactoryTool.txt from the SD card -- some versions don't startup completely if that file is present (then no phone app or video would work).

AvgAlice commented 2 years ago

I confirmed I did remove that file from the root. I was also able to access main.cgi via port 8080. Here's the output:

. .. .Trash-999 SDT bin cgi-bin home lib busybox custom.sh dropbearmulti env hosts httpd.conf index.html initrun.sh jpeg-arm mqtt_pub offline.sh passwd ppsMmcTool.txt ppsapp set upload.html

I was also having issues uploading a zip file containing the contents of the SD card; GitHub just throws me an error "is not included on the list" when I try to upload.

AvgAlice commented 2 years ago

Also, I removed all files from the SD, rebooted, loaded the files up with all of the initial files once more with the patch. 8554 and 8555 are open, but I'm still unable to access the rtsp stream, nor am I able to access the camera via the app, even though ppsFactoryTool.txt was never added from the start of it.

Do I need to do something more to fully wipe the camera of what I've done, without killing the info created in the app, or is removing the SD and booting without it/files enough?

Thanks again for all help so far ♥

guino commented 2 years ago

@AvgAlice github should allow you to upload the file as long as the file name ends with .zip -- if it doesn't work just try a different browser like firefox. Since you have 8554 and 8554 ports open I am assuming you patched it correctly and enabled onvif on the tuya_config.json correctly (otherwise the ports would not be open) -- for port 8554 you may need to specify a user/password like rtsp://admin:admin@IP:8554//Streaming/Channels/101 (or whatever password configured in the json file), for port 8555 it should just be rtsp://ip:8555 (no user/password or anything else). You may want to try a phone app to see if it works there since it isn't working on VLC.

You should be able to boot normally (no hack) if you don't have the SD card installed during boot OR by simply removing/renaming initrun.sh from the SD card. I recommend you check it in stages:

1. Try booting without SD card to see if it works (it should work with the app only, telnet won't work).
2. Try booting with SD card and initrun.sh but without ppsapp on the SD card to see if it works (it should work normally with the app as well as snap/mjpeg.cgi if you have it configured with the right address, telnet should work -- rtsp will only work on port 8554 as you have enabled it on the tuya_config.json file).

Only if you can't get rtsp to work on 8554 should you try the rtsp patch and place the patched ppsapp file in the root of the SD card.

Without having your files to review there's not much I can do to help.

AvgAlice commented 2 years ago

Finally figured out that the contents of the SD card exceeded github's size limit ;)

Please review the files below, this includes the patched ppsapp.

I confirmed without the SD card, it ran normally. I put just initrun.sh and it created the directories, opened 8554, rtsp fails, telnet was still inaccessible, and I couldn't see the feed on Geeni. Also, I'm not able to locate the tuya_config.json file, maybe that's part of my issue.

--deleted--

guino commented 2 years ago

@AvgAlice your files seem fine but you have the wrong initrun.sh in the SD card -- you need the one from here: https://github.com/guino/BazzDoorbell/files/5792854/ppshack2.zip, I am not sure what kind of problems you may get by mixing files like you have right now (but it could be the cause of your problems).

To view your tuya_config.json, just type this command on telnet: cat /home/cfg/tuya_config.json

Please check it/post it to see if it has a password you may need in order to view the RTSP feed on port 8554 (but it should not need a password on port 8555).

AvgAlice commented 2 years ago

SUCCESS!! Thank you so much~! I'll be working on this a bit more tomorrow, but I'll get my other 2 cameras rooted, and I have another model with a floodlight I'll be attempting to root next.

Just to confirm for those googling: after figuring out my initrun.sh is incorrect, I wiped my SD card clean, and added only the correct initrun.sh. I did not need to patch ppsapp; I was able to access the rtsp stream via Windows VLC on rtsp://admin:admin@IP:8554/Streaming/Channels/101 and 102, respectively.

Here's an output of my http://myuser:mypass@IP:8080/cgi-bin/main.cgi

. .. .Trash-999 SDT bin cgi-bin home lib busybox custom.sh dropbearmulti env hack hosts httpd.conf index.html initrun.sh jpeg-arm mqtt_pub offline.sh passwd ppsMmcTool.txt set upload.html

Thank you so much again for your help ♥

AvgAlice commented 2 years ago

Quick update to this: I was able to take the same files used for this and root my floodlight style camera. I'm not sure of the exact model offhand, devices/deviceinfo isn't working for me on that camera, but I'm able to access telnet, and the RTSP stream in the same way as the others, just had to enable onvif in the tuya config file for rtsp to work.

Thank you so much again for all of your help and support in this thread, and I hope it helps someone else out there ♥

Now to figure out how Monitor works ;)

guino commented 2 years ago

Thanks for the feedback!