guino / Merkury1080P

Merkury1080P (CW017) Rooting and Customization

Firmware 5.2.1 OEM device MINI7S-A5MB_F37 REV 1_0 2021-06-11 #46

Closed tosiara closed 1 year ago

tosiara commented 1 year ago

Hey, I will start a thread here with all my findings about a similar device

MINI7S-A5MB_F37 REV 1_0 2021-06-11


UART boot log:

U-Boot 2013.10.0-V3.1.27 (Jul 30 2021 - 13:36:36)

DRAM:  64 MiB
efuse_read:0x00000000
8 MiB
sd detect gpio mode:8!
mmc_sd: 0

total partitions: 6
In:    serial
Out:   serial
Err:   serial
enable watchdog

Hit any key to stop autoboot:  2 
..... 1 
..... 0 
sys: size:0x00300000, offset:0x00040000

SF: 3145728 bytes @ 0x40000 Read: OK
## Booting kernel from Legacy Image at 80008000 ...
   Image Name:   Linux-4.4.192V2.1
   Image Type:   ARM Linux Kernel Image (uncompressed)
   Data Size:    2644504 Bytes = 2.5 MiB
   Load Address: 80008000
   Entry Point:  80008040
   Verifying Checksum ... OK
   XIP Kernel Image ... OK
   kernel loaded at 0x80008000, end = 0x8028da18
using: FDT

Starting kernel ...

Uncompressing Linux... done, booting the kernel.

tosiara commented 1 year ago

Cannot interrupt u-boot autoboot sequence, pressing any key has no effect.

Tried to change load address to 80008000 in both env and ppsMmcTool.txt - the device boots unrooted. /proc/cmdline output does not contain the hack traces:

console=/dev/null mtdparts=spi0.0:256K@0x0(BOOT),3072K@0x40000(sys),4288K@0x340000(app),448K@0x770000(cfg),64K@0x7E0000(enc),64K@0x7F0000(sysflg) mem=64M memsize=64M pcbversion=S2S_A5_V10 sensor=soif37mipi model_name=Mini-11S

tosiara commented 1 year ago

When booting with the hack microSD card I see this output:

U-Boot 2013.10.0-V3.1.27 (Jul 30 2021 - 13:36:36)

DRAM:  64 MiB
efuse_read:0x00000000
8 MiB
sd detect gpio mode:8!
mmc_sd: 0

total partitions: 6
In:    serial
Out:   serial
Err:   serial
enable watchdog
reset key pressed!
cmd:fatload mmc 0 0x82008000 ppsMmcTool.txt
mmc/sd share pin!
send cmd 8 error, status = 2004
block rw command 8 is failed!
MMC: ak mmc mmc_send_if_cond Err!
** Bad device mmc 0 **
mmc/sd share pin!
send cmd 8 error, status = 2004
block rw command 8 is failed!
MMC: ak mmc mmc_send_if_cond Err!
mmc/sd share pin!
send cmd 8 error, status = 2004
block rw command 8 is failed!
MMC: ak mmc mmc_send_if_cond Err!
** Bad device mmc 0 **
mmc/sd share pin!
send cmd 8 error, status = 2004
block rw command 8 is failed!
MMC: ak mmc mmc_send_if_cond Err!
mmc/sd share pin!
send cmd 8 error, status = 2004
block rw command 8 is failed!
MMC: ak mmc mmc_send_if_cond Err!
** Bad device mmc 0 **
mmc/sd share pin!
send cmd 8 error, status = 2004
block rw command 8 is failed!
MMC: ak mmc mmc_send_if_cond Err!
mmc/sd share pin!
send cmd 8 error, status = 2004
block rw command 8 is failed!
MMC: ak mmc mmc_send_if_cond Err!
** Bad device mmc 0 **
mmc/sd share pin!
send cmd 8 error, status = 2004
block rw command 8 is failed!
MMC: ak mmc mmc_send_if_cond Err!
mmc/sd share pin!
send cmd 8 error, status = 2004
block rw command 8 is failed!
MMC: ak mmc mmc_send_if_cond Err!
** Bad device mmc 0 **
mmc/sd share pin!
send cmd 8 error, status = 2004
block rw command 8 is failed!
MMC: ak mmc mmc_send_if_cond Err!
failed to read file ppsMmcTool.txt or too large 0

Hit any key to stop autoboot:  2 
..... 1 
..... 0 
sys: size:0x00300000, offset:0x00040000

SF: 3145728 bytes @ 0x40000 Read: OK
## Booting kernel from Legacy Image at 80008000 ...
   Image Name:   Linux-4.4.192V2.1
   Image Type:   ARM Linux Kernel Image (uncompressed)
   Data Size:    2644504 Bytes = 2.5 MiB
   Load Address: 80008000
   Entry Point:  80008040
   Verifying Checksum ... OK
   XIP Kernel Image ... OK
   kernel loaded at 0x80008000, end = 0x8028da18
using: FDT

Starting kernel ...

Uncompressing Linux... done, booting the kernel.

tosiara commented 1 year ago

With a different brand microSD card:

U-Boot 2013.10.0-V3.1.27 (Jul 30 2021 - 13:36:36)

DRAM:  64 MiB
efuse_read:0x00000000
8 MiB
sd detect gpio mode:8!
mmc_sd: 0

total partitions: 6
In:    serial
Out:   serial
Err:   serial
enable watchdog
reset key pressed!
cmd:fatload mmc 0 0x82008000 ppsMmcTool.txt
mmc/sd share pin!
reading ppsMmcTool.txt
102 bytes read in 1 ms (99.6 KiB/s)
cmdBuf:fatload mmc 0 0x82008000 env;env import 80008000;saveenv
reading env
131 bytes read in 1 ms (127.9 KiB/s)
## Warning: defaulting to text format
## Warning: Input data exceeds 1048576 bytes - truncated
## Info: input data size = 1048578 = 0x100002
Env export buffer too small: 4092, but need 1050313
ERROR: Cannot export environment: errno = 12

at env_sf.c:519/saveenv()
size:131
error: Pack header size error!
error: upgrade.bin unpack error!

Hit any key to stop autoboot:  2 
..... 1 
..... 0 
sys: size:0x00300000, offset:0x00040000

SF: 3145728 bytes @ 0x40000 Read: OK
## Booting kernel from Legacy Image at 80008000 ...
   Image Name:   Linux-4.4.192V2.1
   Image Type:   ARM Linux Kernel Image (uncompressed)
   Data Size:    2644504 Bytes = 2.5 MiB
   Load Address: 80008000
   Entry Point:  80008040
   Verifying Checksum ... OK
   XIP Kernel Image ... OK
   kernel loaded at 0x80008000, end = 0x8028da18
using: FDT

Starting kernel ...

Uncompressing Linux... done, booting the kernel.

tosiara commented 1 year ago

Also sharing my device info:

{
  "devname": "Smart Home Camera",
  "model": "Mini 11S",
  "serialno": "xxx",
  "softwareversion": "5.2.1",
  "hardwareversion": "M11S_A5_V10_F37",
  "firmwareversion": "ppstrong-a5-tuya2_general-5.2.1.20210804",
  "identity": "xxx",
  "authkey": "xxx",
  "deviceid": "pp01xxx",
  "pid": "aaa",
  "WiFi MAC": "xxx",
  "ETH MAC": "xxx"
}

tosiara commented 1 year ago

Slightly different error after changing address in ppsMmcTool.txt:

U-Boot 2013.10.0-V3.1.27 (Jul 30 2021 - 13:36:36)

DRAM:  64 MiB
efuse_read:0x00000000
8 MiB
sd detect gpio mode:8!
mmc_sd: 0

total partitions: 6
In:    serial
Out:   serial
Err:   serial
enable watchdog
reset key pressed!
cmd:fatload mmc 0 0x82008000 ppsMmcTool.txt
mmc/sd share pin!
reading ppsMmcTool.txt
102 bytes read in 1 ms (99.6 KiB/s)
cmdBuf:fatload mmc 0 0x82008000 env;env import 82008000;saveenv
reading env
131 bytes read in 1 ms (127.9 KiB/s)
## Warning: defaulting to text format
## Info: input data size = 130 = 0x82
Writing to SPI flash...
total partitions: 6
size:131
error: Pack header size error!
error: upgrade.bin unpack error!

Hit any key to stop autoboot:  2 
..... 1 
..... 0 
sys: size:0x00300000, offset:0x00040000

SF: 3145728 bytes @ 0x40000 Read: OK
## Booting kernel from Legacy Image at 80008000 ...
   Image Name:   Linux-4.4.192V2.1
   Image Type:   ARM Linux Kernel Image (uncompressed)
   Data Size:    2644504 Bytes = 2.5 MiB
   Load Address: 80008000
   Entry Point:  80008040
   Verifying Checksum ... OK
   XIP Kernel Image ... OK
   kernel loaded at 0x80008000, end = 0x8028da18
using: FDT

Starting kernel ...

Uncompressing Linux... done, booting the kernel.

tosiara commented 1 year ago

Followed this manual to dump the flash: https://github.com/guino/BazzDoorbell/issues/11

Updated addresses to 82008000

$ binwalk flash.bin 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
122488        0x1DE78         CRC32 polynomial table, little endian
212992        0x34000         Flattened device tree, size: 39963 bytes, version: 17
262144        0x40000         uImage header, header size: 64 bytes, header CRC: 0x28CA1CD4, created: 2021-07-30 05:38:55, image size: 2644504 bytes, Data Address: 0x80008000, Entry Point: 0x80008040, data CRC: 0x15D3B905, OS: Linux, CPU: ARM, image type: OS Kernel Image, compression type: none, image name: "Linux-4.4.192V2.1"
262208        0x40040         Linux kernel ARM boot executable zImage (little-endian)
277968        0x43DD0         xz compressed data
278200        0x43EB8         xz compressed data
3407872       0x340000        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 4018858 bytes, 77 inodes, blocksize: 131072 bytes, created: 2021-08-04 01:27:22
7798784       0x770000        JFFS2 filesystem, little endian
7873200       0x7822B0        JFFS2 filesystem, little endian
7888136       0x785D08        JFFS2 filesystem, little endian
7888524       0x785E8C        JFFS2 filesystem, little endian
7960448       0x797780        JFFS2 filesystem, little endian
7990676       0x79ED94        JFFS2 filesystem, little endian
7990932       0x79EE94        JFFS2 filesystem, little endian
8034824       0x7A9A08        JFFS2 filesystem, little endian
8058088       0x7AF4E8        JFFS2 filesystem, little endian
8060928       0x7B0000        JFFS2 filesystem, little endian
8068344       0x7B1CF8        JFFS2 filesystem, little endian
8119160       0x7BE378        JFFS2 filesystem, little endian
8119416       0x7BE478        JFFS2 filesystem, little endian
8121592       0x7BECF8        JFFS2 filesystem, little endian
8131688       0x7C1468        JFFS2 filesystem, little endian
8132076       0x7C15EC        JFFS2 filesystem, little endian
8133776       0x7C1C90        JFFS2 filesystem, little endian
8155296       0x7C70A0        JFFS2 filesystem, little endian
8192312       0x7D0138        JFFS2 filesystem, little endian
8201164       0x7D23CC        JFFS2 filesystem, little endian
8211040       0x7D4A60        JFFS2 filesystem, little endian
8213872       0x7D5570        JFFS2 filesystem, little endian
8214128       0x7D5670        JFFS2 filesystem, little endian
8215828       0x7D5D14        JFFS2 filesystem, little endian
8239724       0x7DBA6C        JFFS2 filesystem, little endian
8256336       0x7DFB50        JFFS2 filesystem, little endian
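
A sanity check for a dump like the one above, as an added example (not code from this thread or from the Merkury1080P project): it parses the `mtdparts` string from the boot log, confirms the six partitions tile the 8 MiB flash, carves them, and verifies the legacy uImage header and data CRCs of `sys`. The flash image is constructed inside the script, and only the `size@offset(name)` form seen in this log is handled.

```python
import re
import struct
import zlib

# Kernel command line as printed in the boot log in this thread.
CMDLINE = ("console=/dev/null mtdparts=spi0.0:256K@0x0(BOOT),3072K@0x40000(sys),"
           "4288K@0x340000(app),448K@0x770000(cfg),64K@0x7E0000(enc),"
           "64K@0x7F0000(sysflg) mem=64M memsize=64M")

UNITS = {"": 1, "K": 1 << 10, "M": 1 << 20}
UIMAGE_MAGIC = 0x27051956
# 64-byte legacy uImage header, big endian: magic, hcrc, time, size, load,
# entry, dcrc, then os/arch/type/comp bytes and a 32-byte image name.
UIMAGE_HDR = struct.Struct(">7I4B32s")


def parse_mtdparts(cmdline):
    """Return (device, [(name, offset, size), ...]) from an mtdparts= argument."""
    m = re.search(r"mtdparts=([^:\s]+):(\S+)", cmdline)
    if not m:
        raise ValueError("no mtdparts= argument found")
    parts = []
    for spec in m.group(2).split(","):
        p = re.fullmatch(r"(\d+)([KM]?)@(0x[0-9A-Fa-f]+|\d+)\((\w+)\)", spec)
        if not p:
            raise ValueError(f"unsupported partition spec: {spec!r}")
        size = int(p.group(1)) * UNITS[p.group(2)]
        parts.append((p.group(4), int(p.group(3), 0), size))
    return m.group(1), parts


def check_layout(parts, flash_size):
    """List gaps, overlaps and size mismatches; an empty list means a clean map."""
    problems, cursor = [], 0
    for name, off, size in sorted(parts, key=lambda p: p[1]):
        if off < cursor:
            problems.append(f"{name} overlaps previous partition")
        elif off > cursor:
            problems.append(f"gap of {off - cursor:#x} bytes before {name}")
        cursor = max(cursor, off + size)
    if cursor != flash_size:
        problems.append(f"partitions end at {cursor:#x}, flash is {flash_size:#x}")
    return problems


def carve(flash, parts):
    """Slice the dump into one bytes object per partition name."""
    return {name: flash[off:off + size] for name, off, size in parts}


def verify_uimage(blob):
    """Check magic, header CRC and data CRC of a legacy uImage at blob[0]."""
    if len(blob) < UIMAGE_HDR.size:
        raise ValueError("partition smaller than a uImage header")
    (magic, hcrc, _time, size, load, entry, dcrc,
     _os, _arch, _type, _comp, name) = UIMAGE_HDR.unpack_from(blob)
    if magic != UIMAGE_MAGIC:
        raise ValueError(f"bad uImage magic {magic:#010x}")
    header = bytearray(blob[:UIMAGE_HDR.size])
    header[4:8] = b"\0\0\0\0"  # the header CRC is computed with its own field zeroed
    data = blob[UIMAGE_HDR.size:UIMAGE_HDR.size + size]
    return {
        "name": name.rstrip(b"\0").decode("ascii", "replace"),
        "load": load, "entry": entry, "size": size,
        "header_ok": zlib.crc32(bytes(header)) & 0xFFFFFFFF == hcrc,
        "data_ok": len(data) == size and zlib.crc32(data) & 0xFFFFFFFF == dcrc,
    }


def build_sample_flash(parts, payload=b"constructed kernel payload"):
    """Constructed 8 MiB stand-in for flash.bin with a tiny uImage in 'sys'."""
    flash = bytearray(b"\xff" * 0x800000)
    # os=5 (Linux), arch=2 (ARM), type=2 (kernel), comp=0 (none)
    fields = [UIMAGE_MAGIC, 0, 0, len(payload), 0x80008000, 0x80008040,
              zlib.crc32(payload) & 0xFFFFFFFF, 5, 2, 2, 0, b"Linux-4.4.192V2.1"]
    hdr = bytearray(UIMAGE_HDR.pack(*fields))
    struct.pack_into(">I", hdr, 4, zlib.crc32(bytes(hdr)) & 0xFFFFFFFF)
    sys_off = {n: o for n, o, _ in parts}["sys"]
    flash[sys_off:sys_off + len(hdr) + len(payload)] = hdr + payload
    return bytes(flash)


if __name__ == "__main__":
    dev, parts = parse_mtdparts(CMDLINE)
    flash = build_sample_flash(parts)  # replace with open("flash.bin","rb").read()
    print(dev, check_layout(parts, len(flash)) or "layout OK")
    for name, off, size in parts:
        print(f"{name:8s} {off:#08x} {size:#08x}")
    print(verify_uimage(carve(flash, parts)["sys"]))
```

The partition offsets it computes line up with the binwalk hits above: uImage at 0x40000 (`sys`), Squashfs at 0x340000 (`app`) and the first JFFS2 node at 0x770000 (`cfg`).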

guino commented 1 year ago

@tosiara were you able to get the device rooted? If not, can you provide a copy of your flash -- it looks ok from the binwalk above (you can email me directly if you prefer -- my email is on my github profile)? I assume you were not able to get the /proc/cmdline changed even after using 82008000 as the address?

tosiara commented 1 year ago

No, I was not able to root it; the injection in cmdline does not appear. I can't stop u-boot, however I'm able to execute arbitrary u-boot commands using ppsMmcTool.txt. That way I was able to dump the flash. I'm attaching it (it may contain my personal info, but I don't care).

squashfs-root.zip

flash.zip

tosiara commented 1 year ago

By updating the u-boot console variable to console=ttySAK0,115200n8 you can get a shell on TTL, but it is password protected. Root hash:

$6$4GbqAXEFqeauykeE$a6dqh2CoO6SucAplB/b4uvS5z0hN1Cb2r1pNWpsXL96vMqrrY42lFylXGNJm6RcY.3Lte/QS2.yyI4/pZDHAa1

Can't find a working password so far.

Full boot log:

U-Boot 2013.10.0-V3.1.27 (Jul 30 2021 - 13:36:36)

DRAM:  64 MiB
efuse_read:0x00000000
8 MiB
sd detect gpio mode:8!
mmc_sd: 0

total partitions: 6
In:    serial
Out:   serial
Err:   serial
enable watchdog

Hit any key to stop autoboot:  2 
..... 1 
..... 0 
sys: size:0x00300000, offset:0x00040000

SF: 3145728 bytes @ 0x40000 Read: OK
## Booting kernel from Legacy Image at 80008000 ...
   Image Name:   Linux-4.4.192V2.1
   Image Type:   ARM Linux Kernel Image (uncompressed)
   Data Size:    2644504 Bytes = 2.5 MiB
   Load Address: 80008000
   Entry Point:  80008040
   Verifying Checksum ... OK
   XIP Kernel Image ... OK
   kernel loaded at 0x80008000, end = 0x8028da18
using: FDT

Starting kernel ...

Uncompressing Linux... done, booting the kernel.
Booting Linux on physical CPU 0x0
Linux version 4.4.192V2.1 (linye@dell) (gcc version 4.9.4 (Buildroot 2018.02.7_V1.0.03-g9ff3371) ) #1 Fri Jul 30 13:38:50 CST 2021
CPU: ARM926EJ-S [41069265] revision 5 (ARMv5TEJ), cr=0005317f
CPU: VIVT data cache, VIVT instruction cache
Machine model: anyka,ak39ev33x dev board
[pps_get_board_mem]  rmem size : 24 MiB
Reserved memory: reserved region for node 'dma_reserved@0x81400000': base 0x81400000, size 24 MiB
Memory policy: Data cache writeback
ANYKA CPU AK39XXEV330 (ID 0x20160101)
Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 16256
Kernel command line: console=ttySAK0,115200n8 mtdparts=spi0.0:256K@0x0(BOOT),3072K@0x40000(sys),4288K@0x340000(app),448K@0x770000(cfg),64K@0x7E0000(enc),64K@0x7F0000(sysflg) mem=64M memsize=64M pcbversion=S2S_A5_V10 sensor=soif37mipi model_name=Mini-11S
PID hash table entries: 256 (order: -2, 1024 bytes)
Dentry cache hash table entries: 8192 (order: 3, 32768 bytes)
Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)
Memory: 34340K/65536K available (3302K kernel code, 121K rwdata, 1028K rodata, 1100K init, 192K bss, 31196K reserved, 0K cma-reserved)
Virtual kernel memory layout:
    vector  : 0xffff0000 - 0xffff1000   (   4 kB)
    fixmap  : 0xffc00000 - 0xfff00000   (3072 kB)
    vmalloc : 0xc4800000 - 0xff800000   ( 944 MB)
    lowmem  : 0xc0000000 - 0xc4000000   (  64 MB)
    modules : 0xbf000000 - 0xc0000000   (  16 MB)
      .text : 0xc0008000 - 0xc0442d44   (4332 kB)
      .init : 0xc0443000 - 0xc0556000   (1100 kB)
      .data : 0xc0556000 - 0xc05747b0   ( 122 kB)
       .bss : 0xc05747b0 - 0xc05a4a08   ( 193 kB)
SLUB: HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
NR_IRQS:126
ak39ev330_clk: CPU(JCLK): 804(Mhz) 
ak39ev330_clk: MEMDDR2(DPHY): 402(Mhz) 
ak39ev330_clk: VCLK: 320(Mhz)
ak-timer: ak_timer_init
clocksource: ak_cs_timer: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 159271703898 ns
sched_clock: 32 bits at 12MHz, resolution 83ns, wraps every 178956970966ns
Calibrating delay loop... 400.58 BogoMIPS (lpj=2002944)
pid_max: default: 32768 minimum: 301
Mount-cache hash table entries: 1024 (order: 0, 4096 bytes)
Mountpoint-cache hash table entries: 1024 (order: 0, 4096 bytes)
CPU: Testing write buffer coherency: ok
Setting up static identity map for 0x80008400 - 0x8000843c
devtmpfs: initialized
clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604462750000 ns
futex hash table entries: 256 (order: -1, 3072 bytes)
pinctrl core: initialized pinctrl subsystem
NET: Registered protocol family 16
DMA: preallocated 256 KiB pool for atomic coherent allocations
On-chip L2 memory initialized
ak-pinctrl 20170000.gpio: ak_pinctrl_probe 1958
ak_ev330_pinctrl: ak_pinctrl_probe irq: 15
usbcore: registered new interface driver usbfs
usbcore: registered new interface driver hub
usbcore: registered new device driver usb
media: Linux media interface: v0.10
Linux video capture interface: v2.00
clocksource: Switched to clocksource ak_cs_timer
NET: Registered protocol family 2
TCP established hash table entries: 1024 (order: 0, 4096 bytes)
TCP bind hash table entries: 1024 (order: 0, 4096 bytes)
TCP: Hash tables configured (established 1024 bind 1024)
UDP hash table entries: 256 (order: 0, 4096 bytes)
UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
NET: Registered protocol family 1
squashfs: version 4.0 (2009/01/31) Phillip Lougher
jffs2: version 2.2. © 2001-2006 Red Hat, Inc.
io scheduler noop registered (default)
AKxx uart driver init, (c) 2013 ANYKA
ttySAK0 at MMIO 0x20130000 (irq = 10, base_baud = 10000000) is a AK
console [ttySAK0] enabled
loop: module loaded
Start to init Anyka SPI Flash...
init Anyka SPI Nand Flash driver
spi0 new hz is 10000000, div is 7(change).
ak spiflash probe enter.
akspi flash ID: 0x00522217
ak-spiflash spi0.0: nm25q64ev (8192 Kbytes)
6 cmdlinepart partitions found on MTD device spi0.0
Creating 6 MTD partitions on "spi0.0":
0x000000000000-0x000000040000 : "BOOT"
0x000000040000-0x000000340000 : "sys"
0x000000340000-0x000000770000 : "app"
0x000000770000-0x0000007e0000 : "cfg"
0x0000007e0000-0x0000007f0000 : "enc"
0x0000007f0000-0x000000800000 : "sysflg"
Init AK SPI Flash finish.
akspi master SPI0 initialize success, use for PIO mode.
usbcore: registered new interface driver cdc_wdm
i2c /dev entries driver
ak_wdt_init: watchdog register...
NET: Registered protocol family 17
sctp: Hash tables configured (established 512 bind 1024)
Freeing unused kernel memory: 1100K
sysctl: /etc/sysctl.conf: No such file or directory
[RCS]: /etc/init.d/S90app
--- mount app ---
welcome to file system
[PPS initS]: /opt/pps/app/init/S00load_ko
ifconfig: SIOCSIFADDR: No such device
ifconfig: SIOCGIFFLAGS: No such device

Meari login: ln -s binfiles
ln -s libfiles
xsoif37pmipi
console=ttySAK0,115200n8 mtdparts=spi0.0:256K@0x0(BOOT),3072K@0x40000(sys),4288K@0x340000(app),448K@0x770000(cfg),64K@0x7E0000(enc),64K@0x7F0000(sysflg) mem=64M memsize=64M pcbversion=S2S_A5_V10 sensor=soif37mipi model_name=Mini-11S
get wifi info count:1
vendor:007a, Product:8888
wifi chip is atbm603x
cp: omitting directory '/opt/pps/app/configfiles/etc/config'
cp: omitting directory '/opt/pps/app/configfiles/etc/firmware'
cp: can't stat '/opt/pps/app/appfiles/app/device_tp.conf': No such file or directory
cp: can't stat '/opt/pps/app/appfiles/sound/voice_*': No such file or directory
cp: can't stat '/opt/pps/app/appfiles/config/rec01_*': No such file or directory
cp: can't stat '/opt/pps/app/appfiles/config/rec02_*': No such file or directory
[PPS initS]: /opt/pps/app/init/S20cmd_router
cmd_router start
[PPS initS]: /opt/pps/app/init/S27wpa_supplicant
[PPS initS]: /opt/pps/app/init/S60ppsapp
(INFO) pps_devlink_msg_init(596): init success
==================get t0:122111712076534469, uuid:urn:uuid:853c92c5-d3f4-11b1-a000-847ab6eec64b
Init  core module: [base_init                       ]

[1970-01-01 00:00:08.679 INFO pps_device_base_init.c:80] VERSION: 5.2.1
[1970-01-01 00:00:08.687 INFO pps_device_base_init.c:81] PLATFORM_ID: 30
[1970-01-01 00:00:08.694 INFO pps_device_base_init.c:82] APPLICATION_ID: 999
[1970-01-01 00:00:08.702 INFO pps_device_base_init.c:83] FACTORY_ID: 100
[1970-01-01 00:00:08.710 INFO pps_device_base_init.c:144] hardware inited
[1970-01-01 00:00:08.718 INFO hwl_mtd.c:225] mtd get info mtd num 6
[1970-01-01 00:00:08.725 INFO hwl_mtd.c:230] mtd name BOOT, num 0, eb size 0x1000, data size 0x40000
[1970-01-01 00:00:08.735 INFO hwl_mtd.c:230] mtd name sys, num 1, eb size 0x1000, data size 0x300000
[1970-01-01 00:00:08.745 INFO hwl_mtd.c:230] mtd name app, num 2, eb size 0x1000, data size 0x430000
[1970-01-01 00:00:08.755 INFO hwl_mtd.c:230] mtd name cfg, num 3, eb size 0x1000, data size 0x70000
[1970-01-01 00:00:08.765 INFO hwl_mtd.c:230] mtd name enc, num 4, eb size 0x1000, data size 0x10000
[1970-01-01 00:00:08.775 INFO hwl_mtd.c:230] mtd name sysflg, num 5, eb size 0x1000, data size 0x10000
[2016-01-01 00:00:00.000 INFO pps_device_base_init.c:168] device time initialized
Init  core module: ............................[OK]
Init  core module: [tuya_base_init                  ]
[2016-01-01 00:00:00.019 ERR pps_tuya_ipc_dp_utils.c:847] open /home/cfg/tuya_config.json failed
Init  core module: ............................[OK]
Init  core module: [watchdog_init                   ]
Init  core module: ............................[OK]
Init  core module: [startup_log                     ]
Init  core module: ............................[OK]
Init  core module: [board_init                      ]
ifconfig: SIOCSIFHWADDR: No such device

Init  core module: ............................[OK]
Init  core module: [init_user                       ]
Init  core module: ............................[OK]
Init  core module: [sdcard_factory                  ]
Init  core module: ............................[OK]
Init  core module: [ptz_service_init                ]
Init  core module: ............................[OK]
Init  core module: [media_start                     ]
[PPSMedia][pps_media_early_init][51]: Library pps_media version: 3.4.17.2021-07-30T11:56:07,873616187+08:00 ycx@dell
[PPSMedia][bitmap_font_load][52]: file_path:.GBK
open: No such file or directory
[PPSMedia][pps_media_osd_core_init][488]: font load failed!
[PPSMedia][pps_media_register_intelligent_analyser][147]: Intelligent analyser TYPE(0) NAME(md) registered OK!
[PPSMedia][pps_media_config_init][119]: No config ops registered
[PPSMedia][display_board_info][45]: input vol: 0
[PPSMedia][display_board_info][46]: output vol: 0
[PPSMedia][display_board_info][47]: lens info: 
[PPSMedia][display_board_info][48]: mirror flip: default
[PPSMedia][display_board_info][49]: mmz: 27
[PPSMedia][display_board_info][50]: model: Mini 11S
[PPSMedia][display_board_info][51]: pcb name: M11S_A5_V10_F37
[PPSMedia][display_board_info][52]: sensor name: soif37pmipi
[PPSMedia][MainStreamSizeInit][163]: default main stream size 1920X1080.
[  MEMORY][2016-01-01 00:00:00 365] [ak_mem_dma_pool_activate:379] Get sys reserved memory [0x1800000] bytes!
[PPSMedia][pps_media_find_vi_device][101]: Vi Device ID(0) Anyka-Video-In-Device found!
[PPSMedia][vi_device_init][376]: *****************************************
[PPSMedia][vi_device_init][377]: ** vi demo version: libplat_vi V3.0.02 **
[PPSMedia][vi_device_init][378]: *****************************************

ispsdk_lib version:libplat_isp_sdk V7.0.01 
open isp dev: /dev/isp-param-0
--- AK_ISP_sdk_init g_isp_fd[0]=10 ---
[PPSMedia][vi_device_init][441]: load sensor cfg:/etc/config/isp_f37p_mipi_2lane_h3b.conf
[PPSMedia][vi_device_init][475]: get dev res w:[1920]h:[1080]
[PPSMedia][vi_device_init][528]: vi device set sub channel attribute
[PPSMedia][vi_device_init][559]: vi chn enabled
[PPSMedia][pps_media_find_all_vo_devices][124]: 0 Vo devices found!
adc get gain: 3
set DEV volume 4
[     VQE][2016-01-01 00:00:00 936] [ak_vqe_inner_open:1898] ak_vqe_inner_open entry...ai_vqe = 0x1ac6004, ao_vqe = (nil)
## --AudioFilter Version V1.15.05_patch6770, Echo--
## jitterBuf: 0x1ac5cb8
## _SD_Echo_Open near_path (0x1ac5c08)
## Echo: load NR (enable)
## Echo: set AGC param (enable)
## Echo: load near_Volume
## ASLC OPEN OK ena:1, lookAheadLen:48
[     VQE][2016-01-01 00:00:00 992] [set_ai_veq:1738] aec need to open
 ## Echo: unload VAD
[     VQE][2016-01-01 00:00:01 035] [ak_vqe_inner_open:1983] ak_vqe_inner_open exit...
[     VQE][2016-01-01 00:00:01 087] [ak_vqe_inner_open:1898] ak_vqe_inner_open entry...ai_vqe = (nil), ao_vqe = 0xbef90b1c
## --AudioFilter Version V1.15.05_patch6770, Echo--
## jitterBuf: 0x1ad2ca0
## _SD_Echo_Open far_path (0x1ad5548)
[     VQE][2016-01-01 00:00:01 143] [get_nr_param:1219] nr not open
 ## Echo: load AEC (enable)
osal_loopback_open success
[     VQE][2016-01-01 00:00:01 178] [loopback_start:1156] aec enable, osal_loopback_open ok
 [     VQE][2016-01-01 00:00:01 189] [loopback_thread:1045] thread id: 498
[     VQE][2016-01-01 00:00:01 197] [loopback_start:1165] create capture pcm thread OK
[     VQE][2016-01-01 00:00:01 221] [ak_vqe_inner_open:1983] ak_vqe_inner_open exit...
## sync at ts 9907
-----dac set source
## Echo: load far_Volume
## ASLC OPEN OK ena:1, lookAheadLen:48
## Echo: set AEC param (enable)
[     VQE][2016-01-01 00:00:01 297] [loopback_start:1139] loopback start already
 ## Echo: load far_NR (enable)
-----dac set source
[PPSMedia][audio_aiao_init][825]: audio_aiao_init sucessfully!
########MRD Lib V1.0.06########
[PPSMedia][pps_media_find_vi_device][101]: Vi Device ID(0) Anyka-Video-In-Device found!
[PPSMedia][vi_set_image_param][736]: brightness:0,contrast:0,sharpness:0,saturation:0
[PPSMedia][pps_media_find_vi_device][101]: Vi Device ID(0) Anyka-Video-In-Device found!
[PPSMedia][pps_media_find_vi_device][101]: Vi Device ID(0) Anyka-Video-In-Device found!
[PPSMedia][VENC_InitEncodeParam][461]: Unknown RC mode, default to BR_MODE_VBR
[PPSMedia][VENC_InitEncodeParam][471]: only 1920x1080 resolution is supported!
find name video-encoder uio index 0
[     DRV][2016-01-01 00:00:01 610] Found uio0 mapping for 0x20020000
[PPSMedia][VENC_InitEncodeParam][461]: Unknown RC mode, default to BR_MODE_VBR
[PPSMedia][VENC_InitEncodeParam][471]: only 640x360 resolution is supported!
[PPSMedia][VENC_InitSnapParam][576]: only 640x360 resolution is supported!
[PPSMedia][pps_media_osd_unload][631]: OSD already unload!
[PPSMedia][pps_media_osd_unload][631]: OSD already unload!
[PPSMedia][pps_media_osd_unload][631]: OSD already unload!
[PPSMedia][pps_media_find_osd][286]: OSD Render found!
[PPSMedia][pps_media_find_osd][286]: OSD Render found!
[PPSMedia][pps_media_find_osd][286]: OSD Render found!
[PPSMedia][osd_load][251]: snapshot and substream share one vi chn, please set the substream.
[PPSMedia][pps_media_osd_load][598]: OSD load failed!
[      AI][2016-01-01 00:00:02 076] [ak_ai_set_volume:1471] db =3
[     VQE][2016-01-01 00:00:02 134] [loopback_start:1139] loopback start already
 [     VQE][2016-01-01 00:00:02 184] [ak_vqe_inner_set_ai_aec:2183] aec need to open
 [     VQE][2016-01-01 00:00:02 202] [loopback_start:1139] loopback start already
 [PPSMedia][pps_media_register_video_info_handler][321]: [video info type | handler ] : [ 0x00000003 | 0x0015e1d0 ]
[PPSMedia][pps_media_find_vi_device][101]: Vi Device ID(0) Anyka-Video-In-Device found!
[PPSMedia][pps_media_ao_stop_play][828]: DecodeID(786432) context is not inited!
Init  core module: ............................[OK]
Init  core module: [reboot_cb_init                  ]
Init  core module: ............................[OK]
Init  core module: [gpio_event_init                 ]
Init  core module: ............................[OK]
Init  core module: [led_ctrl                        ]
Init  core module: ............................[OK]
Init  core module: [sdcard                          ]
Init  core module: ............................[OK]
Init  core module: [sdcard_factory                  ]
Init  core module: ............................[OK]
Init  core module: [av_recorder_init                ]
Init  core module: ............................[OK]
Init  core module: [shell                           ]
Init  core module: ............................[OK]
Init  user module: [eth net state                   ]
Init  user module: ............................[OK]
Init  user module: [network init                    ]
Init  user module: ............................[OK]
Init  user module: [rtsp_server                     ]
Init  user module: ............................[OK]
Init  user module: [restful_server                  ]
Init  user module: ............................[OK]
Init  user module: [home_away                       ]
[2016-01-01 00:00:04.746 ERR pps_osal_thread_posix.c:505] pthreadSpawn: arg[0] = 0
[2016-01-01 00:00:04.778 ERR pps_tuya_factory.c:130] can't find ircut info from factory tool file: -1
Init  user module: ............................[OK]
Init  user module: [pps_onvif_init                  ]
key_c :MY_WIFI_NETWORK_NAME
key_c :MY_WIFI_NETWORK_PASS
[2016-01-01 00:00:04.811 ERR pps_factory_check_info.c:145] can't find ipaddr= in module=wifi,,ssid=MY_WIFI_NETWORK_NAME,,password=MY_WIFI_NETWORK_PASS,,

Init  user module: ............................[OK]
==================get t0:136627776048326829, uuid:urn:uuid:09cfe8ad-663d-11e5-a000-847ab6eec64b
Init  user module: [prodtest_init                   ]
Init  user module: ............................[OK]
Init  user module: [temp_humidity                   ]
Init  user module: ............................[OK]
Init  user module: [pps_charm                       ]
Init  user module: ............................[OK]
Init  user module: [pps_flight                      ]
Init  user module: ............................[OK]
Init  user module: [pps_white_light                 ]
Init  user module: ............................[OK]
has not white light, return
Init after module: [sdk start                       ]
wpa_supplicant service ... [stop]
wpa_supplicant service ... [stop] ok
 wpa_supplicant stop 
wpa_supplicant service ... [stop]
cat: can't open '/var/run/wpa_supplicant.pid': No such file or directory
sh: you need to specify whom to kill
wpa_supplicant service ... [stop] ok
 wpa_supplicant stop 
wpa_supplicant service ... [stop]
cat: can't open '/var/run/wpa_supplicant.pid': No such file or directory
sh: you need to specify whom to kill
wpa_supplicant service ... [stop] ok
wpa_supplicant service ... [start]
wpa_supplicant service ... [start] ok
cat: can't open '/var/run/udhcpc-wlan0.pid': No such file or directory
sh: you need to specify whom to kill
udhcpc: started, v1.30.1
Setting IP address 0.0.0.0 on wlan0
udhcpc: sending discover
udhcpc: sending select for 192.168.124.143
udhcpc: lease of 192.168.124.143 obtained, lease time 43200
Setting IP address 192.168.124.143 on wlan0
Deleting routers
route: SIOCDELRT: No such process
Adding router 192.168.124.1
Recreating /etc/resolv.conf
 Adding DNS server 192.168.124.1

Meari login: Active interface change to wlan0
mcast leave....
IP_DROP_MEMBERSHIP: Cannot assign requested address

Meari login:

tosiara commented 1 year ago

By setting the bootdelaykey=a uboot variable you can then stop uboot by pressing the 'a' key once. Then it asks for the password; it is the same as in previous firmwares.

U-Boot 2013.10.0-V3.1.27 (Jul 30 2021 - 13:36:36)

DRAM:  64 MiB
efuse_read:0x00000000
8 MiB
sd detect gpio mode:8!
mmc_sd: 0

total partitions: 6
In:    serial
Out:   serial
Err:   serial
enable watchdog

Hit any key to stop autoboot:  2 
..... 1 
PASSWD :************

anyka$help
?       - alias for 'help'
base    - print or set address offset
bootm   - boot application image from memory
chpart  - change active partition
cmp     - memory compare
cp      - memory copy
crc32   - checksum calculation
env     - environment handling commands
fatinfo - print information about filesystem
fatload - load binary file from a dos filesystem
fatls   - list files in a directory (default /)
fdt     - flattened device tree utility commands
fmt     - erase all flash except bootloader part
format  - erase uboot env
go      - start application at address 'addr'
help    - print command description/usage
kernel_print- open or close kernel print 1:open 2:close (default close)
loop    - infinite loop on address range
md      - memory display
mm      - memory modify (auto-incrementing address)
mmc     - MMC sub system
mmcboot - from mmc start
mmcinfo - display MMC info
mtdparts- define flash/nand partitions
mw      - memory write (fill)
nm      - memory modify (constant address)
printenv- print environment variables
reset   - Perform RESET of the CPU
run     - run commands in an environment variable
saveenv - save environment variables to persistent storage
setenv  - set environment variables
sf      - spi flash sub-system:
uartdown- down style 0:tftp 1:uart 2:mmc
upa     - update app image
upb     - update uboot all
upe     - update auth image authfile
upf     - upgrade firmware
upk     - update kernel
upu     - update uboot
version - print monitor, compiler and linker version

anyka$version

U-Boot 2013.10.0-V3.1.27 (Jul 30 2021 - 13:36:36)
arm-anykav500-linux-uclibcgnueabi-gcc.br_real (Buildroot 2018.02.7_V1.0.03-g9ff3371) 4.9.4
GNU ld (GNU Binutils) 2.29.1
guino commented 1 year ago

@tosiara that is pretty cool, you should be able to write any changes you made to your flash with the bootloader. The question I have for you is how you're modifying the bootloader settings right now? Are you using a flash programmer?

tosiara commented 1 year ago

Yes, I'm able to do anything in u-boot. If you have an easy and fail-safe command to unlock root access - I will be happy to try.

As for modifications - no, I'm not using a programmer. I'm adjusting ppsMmcTool.txt and env hack to run my uboot commands, like: setenv console ttySAK0,115200n8;setenv loglevel 9;setenv ppsdebug on;saveenv

guino commented 1 year ago

@tosiara you can try adding a boot parameter to see if it works: init=/bin/sh to see if you get a prompt on the serial terminal. If it's really Linux it should work; if it's not then it probably won't do anything.

tosiara commented 1 year ago

I already tried that, but that did not work as there is still a prompt to log in:

.
..
Freeing unused kernel memory: 1100K
sysctl: /etc/sysctl.conf: No such file or directory
[RCS]: /etc/init.d/S90app
--- mount app ---
mount: mounting /dev/mtdblock2 on /opt/pps failed: No such file or directory
welcome to file system

Meari login: 
tosiara commented 1 year ago

I have finally got root on the serial console by patching the app squashfs and flashing it back through the u-boot.

Now, when I'm looking back I see two issues with the original "hack":

  1. Maybe the issue is that the sd card is mounted later?
    hack=setenv bootargs ${bootargs} '- ip=30;/mnt/mmc01/initrun.sh)&:::::;date>/tmp/hack;(sleep
    /tmp/PPStart: line 4: /mnt/mmc01/initrun.sh: not found
    /tmp/PPStart: line 4: /mnt/mmc01/initrun.sh: not found
  2. the busybox file in the Merkury720 repo is strange. When getting it using git clone - it contains this:
    $ cat busybox 
    version https://git-lfs.github.com/spec/v1
    oid sha256:514d3d76e49b9e1ef65fb1a3b3ab838925f026632329a057e2e369a99ca67c78
    size 1109128

Will try to clean up everything and re-test the original hack.

guino commented 1 year ago

You need to download busybox from the web link on my repo — it just won’t clone it correctly.

It does seem like the sd card is not mounted when initrun.sh is called. If there’s enough boot parameter space you could add a command to mount the sd card first.

Does Telnet show a standard ‘linux’ OS?
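The pointer file quoted above records the SHA-256 and size of the real binary, so a file can be checked before it is copied to the SD card. This is an added example, not code from the thread or the repository; the function names are hypothetical, and it assumes the separately downloaded busybox is the same file the pointer describes.

```python
import hashlib
import re
import sys

# Pointer text exactly as quoted in the thread (output of `cat busybox`).
POINTER_TEXT = (
    "version https://git-lfs.github.com/spec/v1\n"
    "oid sha256:514d3d76e49b9e1ef65fb1a3b3ab838925f026632329a057e2e369a99ca67c78\n"
    "size 1109128\n"
)

def parse_lfs_pointer(data: bytes):
    """Return (sha256_hex, size) if data is a Git LFS pointer file, else None."""
    if len(data) > 1024:          # pointers are tiny text files; binaries are not
        return None
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return None
    fields = dict(l.split(" ", 1) for l in text.splitlines() if " " in l)
    if not fields.get("version", "").startswith("https://git-lfs.github.com/spec/"):
        return None
    oid = re.fullmatch(r"sha256:([0-9a-f]{64})", fields.get("oid", ""))
    size = re.fullmatch(r"[0-9]+", fields.get("size", ""))
    if not oid or not size:
        return None
    return oid.group(1), int(size.group(0))

def classify(data: bytes, pointer=None):
    """Classify file content before it is copied to the SD card."""
    if parse_lfs_pointer(data) is not None:
        return "lfs-pointer"      # a text stub, not an executable
    if data[:4] != b"\x7fELF":
        return "not-elf"
    if pointer is None:
        return "elf-unverified"
    oid, size = pointer
    match = len(data) == size and hashlib.sha256(data).hexdigest() == oid
    return "elf-verified" if match else "elf-mismatch"

if __name__ == "__main__":
    # Usage: python check_busybox.py <downloaded file> [<pointer file from the clone>]
    blob = open(sys.argv[1], "rb").read()
    ptr = parse_lfs_pointer(open(sys.argv[2], "rb").read()) if len(sys.argv) > 2 else None
    print(classify(blob, ptr))
```

A result of `lfs-pointer` means the clone delivered only the stub, which the camera cannot execute.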

tosiara commented 1 year ago

Yep, looks like a regular linux:

[root@Meari /mnt/mmc01]$ ps aux
PID   USER     TIME  COMMAND
    1 root      0:00 init
    2 root      0:00 [kthreadd]
    3 root      0:00 [ksoftirqd/0]
    5 root      0:00 [kworker/0:0H]
    6 root      0:00 [kworker/u2:0]
    7 root      0:00 [kdevtmpfs]
    9 root      0:00 [writeback]
   90 root      0:00 [crypto]
   91 root      0:00 [bioset]
   93 root      0:00 [kblockd]
  117 root      0:05 [kworker/0:1]
  118 root      0:00 [cfg80211]
  137 root      0:00 [kswapd0]
  188 root      0:00 [fsnotify_mark]
  222 root      0:00 [bioset]
  225 root      0:00 [bioset]
  228 root      0:00 [bioset]
  231 root      0:00 [bioset]
  234 root      0:00 [bioset]
  237 root      0:00 [bioset]
  240 root      0:00 [bioset]
  243 root      0:00 [bioset]
  251 root      0:00 [spi0]
  255 root      0:00 [bioset]
  260 root      0:00 [bioset]
  265 root      0:00 [bioset]
  270 root      0:00 [bioset]
  275 root      0:00 [bioset]
  280 root      0:00 [bioset]
  299 root      0:00 [deferwq]
  315 root      0:00 [kworker/0:1H]
  323 root      0:00 {sh} -/etc/init.d/console /etc/init.d/console
  328 root      0:00 /bin/login -- root
  340 root      0:00 [jffs2_gcd_mtd3]
  361 root      0:00 [dma_reserved_he]
  380 root      0:00 [usb_otg_wq]
  389 root      0:00 [kworker/0:2]
  395 root      0:00 [kworker/u2:2]
  404 root      0:00 [bioset]
  405 root      0:00 [mmcqd/0]
  416 root      0:00 [phy0-atbm_wq]
  417 root      0:00 [phy0-usb_atbm_b]
  441 root      0:00 cmd_router
  451 root      0:00 pps_dlink
  467 root      0:00 ./ppsdsry
  469 root      2:49 ./ppsapp
  485 root      0:00 [devmem]
  557 root      0:00 wpa_supplicant -B -Dnl80211 -iwlan0 -c/etc/wpa_supplicant.
  583 root      0:00 udhcpc -b -i wlan0 -s /etc/udhcpc.script -p /var/run/udhcp
  591 root      0:00 -sh
  596 root      0:00 ./busybox telnetd
  606 root      0:00 ps aux
guino commented 1 year ago

@tosiara you made very good progress with this device. If the SD card isn't mounted when the initrun.sh is called, you could try a longer delay in the boot parameter (ip=60 instead of 30), that may be enough time to allow ppsapp to mount the SD card before the script runs.

tosiara commented 1 year ago

After going through once again I can confirm that the hack is not working. The previous /tmp/PPStart: line 4: /mnt/mmc01/initrun.sh: not found was actually coming from the modified initrun.sh of the squashfs partition (I tried to execute it from there), not related to the hack.

Sorry for the confusion. If you want me to test something else, I'd be glad to do that.

tosiara commented 1 year ago

The final report

The only way to root the camera without soldering a serial console is to dump the flash using these instructions: https://github.com/guino/Merkury1080P/issues/46#issuecomment-1330611120. Then, unpack squashfs and modify it like this:

$ cat squashfs-root/initrun.sh 
#!/bin/sh

echo "Haaaaaaaaaaaaaaaaaaaaaaaaaaaaacked"
echo "root:\$1\$/ewF8LDH\$Iuk5apGN6fAjcOIk63A/M.:0:0::/root:/bin/sh" > /etc/passwd
sleep 60 && /mnt/mmc01/busybox telnetd &
...
.

This will:

  1. set root user password to "root"
  2. start telnet from a plugged microSD card

Pack squashfs back:

mksquashfs squashfs-root rootfs_patched.bin -comp xz

Flash it back through u-boot:

sf probe
fatload mmc 0 0x82008000 rootfs_patched.bin
sf update 82008000 340000 3D6000

Here 3D6000 is the file size in hex. To flash it back just update env to execute those commands.

Since all those steps may be destructive and may brick your device, I will not provide the exact steps. I am only providing this info for advanced users who would like to try to hack their camera.
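Because a write that runs past the app partition would overwrite cfg, the offset and length given to `sf update` can be checked against the mtdparts line posted earlier in this thread before anything is flashed. This is an added example, not code from the thread; the function names are hypothetical.

```python
import re

# mtdparts value from the /proc/cmdline output posted earlier in this thread.
MTDPARTS = ("spi0.0:256K@0x0(BOOT),3072K@0x40000(sys),4288K@0x340000(app),"
            "448K@0x770000(cfg),64K@0x7E0000(enc),64K@0x7F0000(sysflg)")
UNITS = {"": 1, "K": 1024, "M": 1024 * 1024}

def parse_mtdparts(spec):
    """Parse '<dev>:<size>[K|M]@<offset>(<name>),...' into {name: (offset, size)}."""
    table = {}
    for entry in spec.partition(":")[2].split(","):
        m = re.fullmatch(r"(\d+)([KM]?)@(0x[0-9A-Fa-f]+)\((\w+)\)", entry.strip())
        if not m:
            raise ValueError(f"unsupported mtdparts entry: {entry!r}")
        table[m.group(4)] = (int(m.group(3), 16), int(m.group(1)) * UNITS[m.group(2)])
    return table

def touched(table, flash_offset, length):
    """Names of the partitions a write of `length` bytes at `flash_offset` overlaps."""
    end = flash_offset + length
    return [n for n, (off, size) in table.items()
            if flash_offset < off + size and off < end]

def check_write(table, target, flash_offset, length):
    """Return a list of problems; an empty list means the write stays inside `target`."""
    off, _ = table[target]
    problems = []
    if flash_offset != off:
        problems.append(
            f"offset 0x{flash_offset:X} is not the start of {target} (0x{off:X})")
    spill = [n for n in touched(table, flash_offset, length) if n != target]
    if spill:
        problems.append(f"write overlaps {', '.join(spill)}")
    return problems

if __name__ == "__main__":
    parts = parse_mtdparts(MTDPARTS)
    # Offset and length from the thread's `sf update 82008000 340000 3D6000`.
    print(check_write(parts, "app", 0x340000, 0x3D6000) or "fits inside app")
    print("headroom:", parts["app"][1] - 0x3D6000, "bytes")
```

The length argument is the image size in hex, which `format(os.path.getsize("rootfs_patched.bin"), "X")` produces for a repacked file.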