Closed ydjzx closed 11 months ago
I took it apart and connected the UART port to my Arduino. Here is the U-Boot log:
U-Boot 2013.10.0-V3.1.28_bchV1.0.00 (Mar 02 2022 - 15:49:00)
DRAM: 64 MiB
efuse_read:0x00000004
8 MiB
sd detect gpio mode:8!
mmc_sd: 0
total partitions: 6
In: serial
Out: serial
Err: serial
enable watchdog
Hit any key to stop autoboot: 2
..... 1
..... 0
mmc power off ...
sys: size:0x00300000, offset:0x00040000
SF: 3145728 bytes @ 0x40000 Read: OK
## Booting kernel from Legacy Image at 80008000 ...
Image Name: Linux-4.4.192V2.1
Image Type: ARM Linux Kernel Image (uncompressed)
Data Size: 2652496 Bytes = 2.5 MiB
Load Address: 80008000
Entry Point: 80008040
Verifying Checksum ... OK
XIP Kernel Image ... OK
kernel loaded at 0x80008000, end = 0x8028f950
using: FDT
Starting kernel ...
Uncompressing Linux... done, booting the kernel.
I changed the addresses in the env and ppsMmcTool.txt to 80008000 but I got some errors:
U-Boot 2013.10.0-V3.1.28_bchV1.0.00 (Mar 02 2022 - 15:49:00)
DRAM: 64 MiB
efuse_read:0x00000004
8 MiB
sd detect gpio mode:8!
mmc_sd: 0
total partitions: 6
In: serial
Out: serial
Err: serial
enable watchdog
reset key pressed!
cmd:fatload mmc 0 0x82008000 ppsMmcTool.txt
mmc/sd share pin!
reading ppsMmcTool.txt
102 bytes read in 0 ms
cmdBuf:fatload mmc 0 0x82008000 env;env import 80008000;saveenv
reading env
131 bytes read in 0 ms
## Warning: defaulting to text format
## Warning: Input data exceeds 1048576 bytes - truncated
## Info: input data size = 1048578 = 0x100002
Writing to SPI flash...
total partitions: 6
size:131
error: Pack header size error!
error: upgrade.bin unpack error!
Hit any key to stop autoboot: 2
..... 1
..... 0
mmc power off ...
sys: size:0x00300000, offset:0x00040000
SF: 3145728 bytes @ 0x40000 Read: OK
## Booting kernel from Legacy Image at 80008000 ...
Image Name: Linux-4.4.192V2.1
Image Type: ARM Linux Kernel Image (uncompressed)
Data Size: 2652496 Bytes = 2.5 MiB
Load Address: 80008000
Entry Point: 80008040
Verifying Checksum ... OK
XIP Kernel Image ... OK
kernel loaded at 0x80008000, end = 0x8028f950
using: FDT
Starting kernel ...
Uncompressing Linux... done, booting the kernel.
Its behavior is very similar to the device in this thread: https://github.com/guino/Merkury1080P/issues/46. So I tried the method suggested by tosiara but I couldn't get the firmware dumped. Here is the log:
U-Boot 2013.10.0-V3.1.28_bchV1.0.00 (Mar 02 2022 - 15:49:00)
DRAM: 64 MiB
efuse_read:0x00000004
8 MiB
sd detect gpio mode:8!
mmc_sd: 0
total partitions: 6
In: serial
Out: serial
Err: serial
enable watchdog
reset key pressed!
cmd:fatload mmc 0 0x82008000 ppsMmcTool.txt
mmc/sd share pin!
reading ppsMmcTool.txt
128 bytes read in 1 ms (125 KiB/s)
cmdBuf:fatload mmc 0 0x82008000 0;sf probe;sf read 82008000 0;mmc write 0 82008000 1 8000
reading 0
** Unable to read file 0 **
sf - spi flash sub-system:
Usage:
sf probe [[bus:]cs] [hz] [mode] - init flash device on given SPI bus
and chip select
sf read addr offset len - read `len' bytes starting at
`offset' to memory at `addr'
sf write addr offset len - write `len' bytes from memory
at `addr' to flash at `offset'
sf erase offset [+]len - erase `len' bytes from `offset'
`+len' round up `len' to block size
sf update addr offset len - erase and write `len' bytes from memory
at `addr' to flash at `offset'
sf test offset len - run a very basic destructive test
mmc - MMC sub system
Usage:
mmc read addr blk# cnt
mmc write addr blk# cnt
mmc erase blk# cnt
mmc rescan
mmc part - lists available partition on current mmc device
mmc dev [dev] [part] - show or set current mmc device [partition]
mmc list - lists available devices
Hit any key to stop autoboot: 2
..... 1
..... 0
mmc power off ...
sys: size:0x00300000, offset:0x00040000
SF: 3145728 bytes @ 0x40000 Read: OK
## Booting kernel from Legacy Image at 80008000 ...
Image Name: Linux-4.4.192V2.1
Image Type: ARM Linux Kernel Image (uncompressed)
Data Size: 2652496 Bytes = 2.5 MiB
Load Address: 80008000
Entry Point: 80008040
Verifying Checksum ... OK
XIP Kernel Image ... OK
kernel loaded at 0x80008000, end = 0x8028f950
using: FDT
Starting kernel ...
Uncompressing Linux... done, booting the kernel.
Not sure what else I can try.
Hello! Did you check whether you can enable ONVIF directly in the app? I have a similar camera, called Bullet 6s, running firmware 5.2.2, and it has a broken ONVIF readily available. With ONVIF enabled, I can get to the RTSP streams (rtsp://<username>:<password>@<IP>:8554/Streaming/Channels/101 and rtsp://<username>:<password>@<IP>:8554/Streaming/Channels/102).
The app I am using is the Tuya app called "Smart Life". I know some Tuya devices are designed to use customized versions of this app, which may limit the options.
I tried several different apps. The options are all the same. I didn't see the ONVIF option. Where is it located for your camera, in case I missed it?
In my app, it is actually the eighth setting from the top, right after "Detection Alarm Settings".
I seem to have dumped the firmware by changing the sf commands in the ppsMmcTool.txt to "sf read 82008000 0 1000000;mmc write 82008000 1 8000". From what I read, both sf read and write commands take 3 parameters. I'm not sure how the original ppsMmcTool.txt can work on other cameras.
The structure in the binwalk output looks strange though:
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
107824 0x1A530 device tree image (dtb)
123040 0x1E0A0 CRC32 polynomial table, little endian
212992 0x34000 device tree image (dtb)
262144 0x40000 uImage header, header size: 64 bytes, header CRC: 0x39B6A799, created: 2022-02-10 07:45:24, image size: 2652496 bytes, Data Address: 0x80008000, Entry Point: 0x80008040, data CRC: 0xED5D7FCB, OS: Linux, CPU: ARM, image type: OS Kernel Image, compression type: none, image name: "Linux-4.4.192V2.1"
262208 0x40040 Linux kernel ARM boot executable zImage (little-endian)
277968 0x43DD0 xz compressed data
278200 0x43EB8 xz compressed data
3407872 0x340000 Squashfs filesystem, little endian, version 4.0, compression:xz, size: 3678930 bytes, 101 inodes, blocksize: 131072 bytes, created: 2022-03-10 07:31:07
7798784 0x770000 JFFS2 filesystem, little endian
7811316 0x7730F4 JFFS2 filesystem, little endian
7823912 0x776228 JFFS2 filesystem, little endian
7824168 0x776328 JFFS2 filesystem, little endian
7825836 0x7769AC JFFS2 filesystem, little endian
7826092 0x776AAC JFFS2 filesystem, little endian
7856508 0x77E17C JFFS2 filesystem, little endian
7856764 0x77E27C JFFS2 filesystem, little endian
7858428 0x77E8FC JFFS2 filesystem, little endian
7858684 0x77E9FC JFFS2 filesystem, little endian
7917836 0x78D10C JFFS2 filesystem, little endian
7919368 0x78D708 JFFS2 filesystem, little endian
7919756 0x78D88C JFFS2 filesystem, little endian
7921272 0x78DE78 JFFS2 filesystem, little endian
7921664 0x78E000 JFFS2 filesystem, little endian
7934044 0x79105C JFFS2 filesystem, little endian
7935432 0x7915C8 JFFS2 filesystem, little endian
7935968 0x7917E0 JFFS2 filesystem, little endian
7937552 0x791E10 JFFS2 filesystem, little endian
7938048 0x792000 JFFS2 filesystem, little endian
7987292 0x79E05C JFFS2 filesystem, little endian
7987548 0x79E15C JFFS2 filesystem, little endian
7989064 0x79E748 JFFS2 filesystem, little endian
7989468 0x79E8DC JFFS2 filesystem, little endian
7990984 0x79EEC8 JFFS2 filesystem, little endian
7992308 0x79F3F4 JFFS2 filesystem, little endian
8039000 0x7AAA58 JFFS2 filesystem, little endian
8039256 0x7AAB58 JFFS2 filesystem, little endian
8053732 0x7AE3E4 JFFS2 filesystem, little endian
8054076 0x7AE53C JFFS2 filesystem, little endian
8054948 0x7AE8A4 JFFS2 filesystem, little endian
8065264 0x7B10F0 JFFS2 filesystem, little endian
8066100 0x7B1434 JFFS2 filesystem, little endian
8066932 0x7B1774 JFFS2 filesystem, little endian
8080588 0x7B4CCC JFFS2 filesystem, little endian
8081408 0x7B5000 JFFS2 filesystem, little endian
8133340 0x7C1ADC JFFS2 filesystem, little endian
8175856 0x7CC0F0 JFFS2 filesystem, little endian
8176112 0x7CC1F0 JFFS2 filesystem, little endian
8177780 0x7CC874 JFFS2 filesystem, little endian
8178036 0x7CC974 JFFS2 filesystem, little endian
8179712 0x7CD000 JFFS2 filesystem, little endian
8185520 0x7CE6B0 JFFS2 filesystem, little endian
8186056 0x7CE8C8 JFFS2 filesystem, little endian
8187916 0x7CF00C JFFS2 filesystem, little endian
8198648 0x7D19F8 JFFS2 filesystem, little endian
8214836 0x7D5934 JFFS2 filesystem, little endian
8496432 0x81A530 device tree image (dtb)
8511648 0x81E0A0 CRC32 polynomial table, little endian
8601600 0x834000 device tree image (dtb)
8650752 0x840000 uImage header, header size: 64 bytes, header CRC: 0x39B6A799, created: 2022-02-10 07:45:24, image size: 2652496 bytes, Data Address: 0x80008000, Entry Point: 0x80008040, data CRC: 0xED5D7FCB, OS: Linux, CPU: ARM, image type: OS Kernel Image, compression type: none, image name: "Linux-4.4.192V2.1"
8650816 0x840040 Linux kernel ARM boot executable zImage (little-endian)
8666576 0x843DD0 xz compressed data
8666808 0x843EB8 xz compressed data
11796480 0xB40000 Squashfs filesystem, little endian, version 4.0, compression:xz, size: 3678930 bytes, 101 inodes, blocksize: 131072 bytes, created: 2022-03-10 07:31:07
16187392 0xF70000 JFFS2 filesystem, little endian
16199924 0xF730F4 JFFS2 filesystem, little endian
16212520 0xF76228 JFFS2 filesystem, little endian
16212776 0xF76328 JFFS2 filesystem, little endian
16214444 0xF769AC JFFS2 filesystem, little endian
16214700 0xF76AAC JFFS2 filesystem, little endian
16245116 0xF7E17C JFFS2 filesystem, little endian
16245372 0xF7E27C JFFS2 filesystem, little endian
16247036 0xF7E8FC JFFS2 filesystem, little endian
16247292 0xF7E9FC JFFS2 filesystem, little endian
16306444 0xF8D10C JFFS2 filesystem, little endian
16307976 0xF8D708 JFFS2 filesystem, little endian
16308364 0xF8D88C JFFS2 filesystem, little endian
16309880 0xF8DE78 JFFS2 filesystem, little endian
16310272 0xF8E000 JFFS2 filesystem, little endian
16322652 0xF9105C JFFS2 filesystem, little endian
16324040 0xF915C8 JFFS2 filesystem, little endian
16324576 0xF917E0 JFFS2 filesystem, little endian
16326160 0xF91E10 JFFS2 filesystem, little endian
16326656 0xF92000 JFFS2 filesystem, little endian
16375900 0xF9E05C JFFS2 filesystem, little endian
16376156 0xF9E15C JFFS2 filesystem, little endian
16377672 0xF9E748 JFFS2 filesystem, little endian
16378076 0xF9E8DC JFFS2 filesystem, little endian
16379592 0xF9EEC8 JFFS2 filesystem, little endian
16380916 0xF9F3F4 JFFS2 filesystem, little endian
16427608 0xFAAA58 JFFS2 filesystem, little endian
16427864 0xFAAB58 JFFS2 filesystem, little endian
16442340 0xFAE3E4 JFFS2 filesystem, little endian
16442684 0xFAE53C JFFS2 filesystem, little endian
16443556 0xFAE8A4 JFFS2 filesystem, little endian
16453872 0xFB10F0 JFFS2 filesystem, little endian
16454708 0xFB1434 JFFS2 filesystem, little endian
16455540 0xFB1774 JFFS2 filesystem, little endian
16469196 0xFB4CCC JFFS2 filesystem, little endian
16470016 0xFB5000 JFFS2 filesystem, little endian
16521948 0xFC1ADC JFFS2 filesystem, little endian
16564464 0xFCC0F0 JFFS2 filesystem, little endian
16564720 0xFCC1F0 JFFS2 filesystem, little endian
16566388 0xFCC874 JFFS2 filesystem, little endian
16566644 0xFCC974 JFFS2 filesystem, little endian
16568320 0xFCD000 JFFS2 filesystem, little endian
16574128 0xFCE6B0 JFFS2 filesystem, little endian
16574664 0xFCE8C8 JFFS2 filesystem, little endian
16576524 0xFCF00C JFFS2 filesystem, little endian
16587256 0xFD19F8 JFFS2 filesystem, little endian
16603444 0xFD5934 JFFS2 filesystem, little endian
I don't know if I made some mistake. I wanted to dump from the other unit but it cannot be activated no matter how I try. I decided to return the cameras.
@ydjzx sorry I had not had a chance to check your attempts yet. Yes, there's a different bootloader on different devices -- yours requires the offset and length parameters on the sf command, other devices read the entire flash if those are not provided (that's why it works).
Since you got the flash dump, if you can send me a copy I can take a look to see why it may not have worked (my email is in my github profile).
In any case, the only thing I can suggest you try is using these values for env/ppsMmcTool:
env (80008000 as shown in your kernel log):
hack=setenv bootargs ${bootargs} '- ip=30;/mnt/mmc01/initrun.sh)&:::::;date>/tmp/hack;(sleep
ipaddr=0;run hack;bootm 0x80008000;
ppsMmcTool.txt (82008000 as shown by your attempts):
style=upgrade,,writeAddr=0,,password=nothing,,writeLen=0,,fileName=env;env import 82008000;saveenv,,
If that doesn't work, you should also try the env file with 82008000. This seems to be the first time I see the load address for the kernel (80008000) and for the update file (82008000) be different.
@guino Hi guino I emailed you the firmware last Friday. Just want to check if you received it.
@ydjzx I took a look at your firmware file -- it looks like they have changed the file system so even if we got to change the boot settings it still would not root it with the existing process (I wonder if your attempts changed the /proc/cmdline at all).
This device runs linux and uses ppsapp like other devices we've seen, but I think it will be nearly impossible for me to work on a process to root this camera without it available for testing (to mess with the boot loader). Even if I had a similar device in hands, it may just as well turn out that the only solution would be to modify the flash dump and flash it back (which requires opening, hardware tools, etc).
I can probably patch the start script in the firmware if you want to play with it but like I said, you would need tools to open, desolder flash chip, flash it, solder it back -- In which case I would do another flash dump with a hardware programmer (as a backup) then load a modified version to mess with it (knowing you can restore the backup).
In theory we could modify https://github.com/guino/BazzDoorbell/issues/12 to work with your device but any mistake would easily brick your device, so I wouldn't do it without hardware tools either.
Have you checked if your camera supports webrtc? https://www.reddit.com/r/smartlife/comments/oyqvdv/webrtc_stream_terminal_for_tuya_smartlife_cameras/
If it supports webrtc, you could use something like scripted to convert the webrtc feed into rtsp -- I have done it for testing and it works as long as your camera supports webrtc
Thank you. I got it working by modifying and flashing the Squashfs partition. I copied the content of the initrun.sh of your hack to the Squashfs initrun.sh. I flashed the modified Squashfs to the camera and telnet worked. But the "set onvif_enable 1" command in the custom.sh didn't work, so I had to manually edit the tuya_config.json to enable ONVIF.
The hosts file doesn't work. The Greeni app still sees the camera. I can live with it but I'm just worried that they may force update firmware silently. I'll play with it a little bit.
I'm not sure if it's normal that most of the commands returned no output in telnet. Fortunately vi worked normally.
I got this camera from Walmart. The link is: https://www.walmart.ca/en/ip/merkury-smart-wi-fi-outdoor-security-camera-2-pack-black/PRD3CMY8UL9W0QE The hack doesn't work for it. The results from different URLs of its web server are:
proc/cmdline
console=/dev/null mtdparts=spi0.0:256K@0x0(BOOT),3072K@0x40000(sys),4288K@0x340000(app),448K@0x770000(cfg),64K@0x7E0000(enc),64K@0x7F0000(sysflg) mem=64M memsize=64M pcbversion=S2S_A5_V10 sensor=gc2063mipi model_name=Bullet-4S
devices/deviceinfo
cfg/tuya_config.json
{"version":1,"sleep_mode":0,"alarm_fun_onoff":0,"alarm_fun_sensitivity":1,"alarm_fun_mode_switch":0,"alarm_fun_time_start":0,"alarm_fun_time_end":0,"flip_onoff":0,"light_onoff":1,"night_mode":0,"sound_detect_onoff":0,"sound_detect_sensitivity":0,"watermark_onoff":1,"event_record_time":60,"enable_event_record":2,"record_enable":1,"motion_trace":1,"motion_area_switch":0,"motion_area":"","motion_tracking":0,"cry_detection_switch":0,"humanoid_filter":0,"loudspeaker_vol_pct":100,"flight_main_mode":0,"static_ip_enable":0,"onvif_enable":0,"onvif_pwd":"admin","pan_default":-1,"tilt_default":-1,"sound_light_switch":0}
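The mtdparts string in the /proc/cmdline above and the binwalk listing earlier in the thread describe the same 8 MiB SPI flash (the BOOT, sys, app, cfg, enc and sysflg partitions end exactly at 0x800000, and U-Boot's own "sys: size:0x00300000, offset:0x00040000" line matches the sys entry). As an added example, not code from this thread or from guino's repositories, the Python script below parses the mtdparts parameter, checks the partition table is contiguous, places each binwalk signature inside a partition, and tests whether a dump is the flash repeated back to back: in the listing above every signature past 0x800000 recurs at exactly +0x800000, so as far as the signatures show only the first 8 MiB of that 16 MiB dump is distinct flash content. The cmdline is copied from the page; the binwalk lines are a constructed excerpt of the listing on the page.

```python
import re

# /proc/cmdline reported in the thread for the Bullet-4S (copied from the page)
CMDLINE = (
    "console=/dev/null mtdparts=spi0.0:256K@0x0(BOOT),3072K@0x40000(sys),"
    "4288K@0x340000(app),448K@0x770000(cfg),64K@0x7E0000(enc),64K@0x7F0000(sysflg) "
    "mem=64M memsize=64M pcbversion=S2S_A5_V10 sensor=gc2063mipi model_name=Bullet-4S"
)

# Constructed excerpt of the binwalk listing from the thread (decimal, hex, description)
BINWALK_EXCERPT = """\
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
107824 0x1A530 device tree image (dtb)
262144 0x40000 uImage header, header size: 64 bytes, image name: "Linux-4.4.192V2.1"
3407872 0x340000 Squashfs filesystem, little endian, version 4.0, compression:xz
7798784 0x770000 JFFS2 filesystem, little endian
8496432 0x81A530 device tree image (dtb)
8650752 0x840000 uImage header, header size: 64 bytes, image name: "Linux-4.4.192V2.1"
11796480 0xB40000 Squashfs filesystem, little endian, version 4.0, compression:xz
16187392 0xF70000 JFFS2 filesystem, little endian
"""

UNITS = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}
MTD_ENTRY = re.compile(r"(\d+)([KMGkmg]?)@(0x[0-9A-Fa-f]+|\d+)\((\w+)\)")


def parse_mtdparts(cmdline):
    """Return (device, [(name, offset, size), ...]) from the mtdparts= kernel parameter.
    Only the explicit 'size@offset(name)' form is handled, which is all this cmdline uses."""
    m = re.search(r"mtdparts=(\S+)", cmdline)
    if not m:
        raise ValueError("no mtdparts= in cmdline")
    device, spec = m.group(1).split(":", 1)
    parts = []
    for entry in spec.split(","):
        e = MTD_ENTRY.fullmatch(entry)
        if not e:
            raise ValueError("unsupported mtdparts entry: " + entry)
        size = int(e.group(1)) * UNITS[e.group(2).upper()]
        parts.append((e.group(4), int(e.group(3), 0), size))
    return device, parts


def layout_problems(parts):
    """Gaps or overlaps between consecutive partitions (empty list means contiguous)."""
    problems = []
    ordered = sorted(parts, key=lambda p: p[1])
    for (a, a_off, a_size), (b, b_off, _) in zip(ordered, ordered[1:]):
        if a_off + a_size != b_off:
            problems.append(f"{a} ends at {a_off + a_size:#x}, {b} starts at {b_off:#x}")
    return problems


def flash_size(parts):
    """Flash size implied by the table: end of the last partition."""
    return max(off + size for _, off, size in parts)


def partition_for(offset, parts):
    """Name of the partition containing a flash offset, or None if outside the flash."""
    for name, start, size in parts:
        if start <= offset < start + size:
            return name
    return None


def parse_binwalk(text):
    """[(offset, description)] from binwalk text output; header and rule lines are skipped."""
    sigs = []
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+0x[0-9A-Fa-f]+\s+(.+)", line)
        if m:
            sigs.append((int(m.group(1)), m.group(2).strip()))
    return sigs


def kind(desc):
    """Signature type without the per-image details (CRCs, timestamps, sizes)."""
    return desc.split(",")[0]


def map_signatures(sigs, parts):
    """Place each signature: (dump offset, copy index, offset within flash, partition, kind)."""
    size = flash_size(parts)
    rows = []
    for off, desc in sigs:
        copy_no, in_flash = divmod(off, size)
        rows.append((off, copy_no, in_flash, partition_for(in_flash, parts), kind(desc)))
    return rows


def dump_copies(sigs, parts):
    """Number of back-to-back copies of the flash in the dump, or 0 if some signature
    beyond the flash size is not a repeat of one inside it."""
    size = flash_size(parts)
    first = {(off, kind(desc)) for off, desc in sigs if off < size}
    later = [(off, desc) for off, desc in sigs if off >= size]
    if not later:
        return 1
    if any((off % size, kind(desc)) not in first for off, desc in later):
        return 0
    return max(off for off, _ in sigs) // size + 1


if __name__ == "__main__":
    dev, parts = parse_mtdparts(CMDLINE)
    print(f"{dev}: {flash_size(parts) // 2**20} MiB, problems: {layout_problems(parts) or 'none'}")
    sigs = parse_binwalk(BINWALK_EXCERPT)
    for off, copy_no, in_flash, part, what in map_signatures(sigs, parts):
        print(f"{off:#09x} copy {copy_no} -> {in_flash:#08x} ({part}): {what}")
    print("copies of flash in dump:", dump_copies(sigs, parts))
```

Feed the script the full binwalk listing and it places every JFFS2 hit in cfg (0x770000 to 0x7E0000) and the uImage header in sys, which is the same split U-Boot prints at boot. The read length in the working ppsMmcTool line (0x1000000) and the block count in the mmc write (0x8000 blocks of 512 bytes) are both 16 MiB, twice the flash, so a doubled dump is the expected result of those parameters rather than a sign of a corrupted read; trimming the file to flash_size() bytes before extracting filesystems avoids carving everything twice.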