guino / Merkury1080P

Merkury1080P (CW017) Rooting and Customization

Merkury MIC-CW220-101W #49

Closed ydjzx closed 11 months ago

ydjzx commented 1 year ago

I got this camera from Walmart. The link is: https://www.walmart.ca/en/ip/merkury-smart-wi-fi-outdoor-security-camera-2-pack-black/PRD3CMY8UL9W0QE The hack doesn't work for it. The results from different URLs of its web server are:

proc/cmdline

console=/dev/null mtdparts=spi0.0:256K@0x0(BOOT),3072K@0x40000(sys),4288K@0x340000(app),448K@0x770000(cfg),64K@0x7E0000(enc),64K@0x7F0000(sysflg) mem=64M memsize=64M pcbversion=S2S_A5_V10 sensor=gc2063mipi model_name=Bullet-4S

devices/deviceinfo

devname "Smart Home Camera"
model   "Bullet 4S"
serialno    "106055558"
softwareversion "5.2.8"
hardwareversion "B4S_A6_V10_GC1"
firmwareversion "ppstrong-a5-tuya2_general-5.2.8.20220310"
identity    "N340021H3N02001994"
authkey "LaXypACcZZq4utpYdf5dwiReAPvdWAnr"
deviceid    "akwd2e638247320a81e0"
pid "aaa"
WiFi MAC    "d4:a6:51:ef:28:20"
ETH MAC "d4:a6:51:ef:28:20"

cfg/tuya_config.json

{"version":1,"sleep_mode":0,"alarm_fun_onoff":0,"alarm_fun_sensitivity":1,"alarm_fun_mode_switch":0,"alarm_fun_time_start":0,"alarm_fun_time_end":0,"flip_onoff":0,"light_onoff":1,"night_mode":0,"sound_detect_onoff":0,"sound_detect_sensitivity":0,"watermark_onoff":1,"event_record_time":60,"enable_event_record":2,"record_enable":1,"motion_trace":1,"motion_area_switch":0,"motion_area":"","motion_tracking":0,"cry_detection_switch":0,"humanoid_filter":0,"loudspeaker_vol_pct":100,"flight_main_mode":0,"static_ip_enable":0,"onvif_enable":0,"onvif_pwd":"admin","pan_default":-1,"tilt_default":-1,"sound_light_switch":0}

ydjzx commented 1 year ago

I took it apart and connected the UART port to my Arduino. Here is the U-Boot log:

U-Boot 2013.10.0-V3.1.28_bchV1.0.00 (Mar 02 2022 - 15:49:00)

DRAM:  64 MiB
efuse_read:0x00000004
8 MiB
sd detect gpio mode:8!
mmc_sd: 0

total partitions: 6
In:    serial
Out:   serial
Err:   serial
enable watchdog

Hit any key to stop autoboot:  2 
..... 1 
..... 0 
mmc power off ...
sys: size:0x00300000, offset:0x00040000

SF: 3145728 bytes @ 0x40000 Read: OK
 ## Booting kernel from Legacy Image at 80008000 ...
   Image Name:   Linux-4.4.192V2.1
   Image Type:   ARM Linux Kernel Image (uncompressed)
   Data Size:    2652496 Bytes = 2.5 MiB
   Load Address: 80008000
   Entry Point:  80008040
   Verifying Checksum ... OK
   XIP Kernel Image ... OK
   kernel loaded at 0x80008000, end = 0x8028f950
using: FDT

Starting kernel ...

Uncompressing Linux... done, booting the kernel.
ydjzx commented 1 year ago

I changed the addresses in the env and ppsMmcTool.txt to 80008000 but I got some errors:

U-Boot 2013.10.0-V3.1.28_bchV1.0.00 (Mar 02 2022 - 15:49:00)

DRAM:  64 MiB
efuse_read:0x00000004
8 MiB
sd detect gpio mode:8!
mmc_sd: 0

total partitions: 6
In:    serial
Out:   serial
Err:   serial
enable watchdog
reset key pressed!
cmd:fatload mmc 0 0x82008000 ppsMmcTool.txt
mmc/sd share pin!
reading ppsMmcTool.txt
102 bytes read in 0 ms
cmdBuf:fatload mmc 0 0x82008000 env;env import 80008000;saveenv
reading env
131 bytes read in 0 ms
## Warning: defaulting to text format
## Warning: Input data exceeds 1048576 bytes - truncated
## Info: input data size = 1048578 = 0x100002
Writing to SPI flash...
total partitions: 6
size:131
error: Pack header size error!
error: upgrade.bin unpack error!

Hit any key to stop autoboot:  2 
..... 1 
..... 0 
mmc power off ...
sys: size:0x00300000, offset:0x00040000

SF: 3145728 bytes @ 0x40000 Read: OK
## Booting kernel from Legacy Image at 80008000 ...
   Image Name:   Linux-4.4.192V2.1
   Image Type:   ARM Linux Kernel Image (uncompressed)
   Data Size:    2652496 Bytes = 2.5 MiB
   Load Address: 80008000
   Entry Point:  80008040
   Verifying Checksum ... OK
   XIP Kernel Image ... OK
   kernel loaded at 0x80008000, end = 0x8028f950
using: FDT

Starting kernel ...

Uncompressing Linux... done, booting the kernel.
ydjzx commented 1 year ago

Its behavior is very similar to the device in this thread: https://github.com/guino/Merkury1080P/issues/46. So I tried the method suggested by tosiara but I couldn't get the firmware dumped. Here is the log:

U-Boot 2013.10.0-V3.1.28_bchV1.0.00 (Mar 02 2022 - 15:49:00)

DRAM:  64 MiB
efuse_read:0x00000004
8 MiB
sd detect gpio mode:8!
mmc_sd: 0

total partitions: 6
In:    serial
Out:   serial
Err:   serial
enable watchdog
reset key pressed!
cmd:fatload mmc 0 0x82008000 ppsMmcTool.txt
mmc/sd share pin!
reading ppsMmcTool.txt
128 bytes read in 1 ms (125 KiB/s)
cmdBuf:fatload mmc 0 0x82008000 0;sf probe;sf read 82008000 0;mmc write 0 82008000 1 8000
reading 0
** Unable to read file 0 **
sf - spi flash sub-system:

Usage:
sf probe [[bus:]cs] [hz] [mode] - init flash device on given SPI bus
                                  and chip select
sf read addr offset len - read `len' bytes starting at
                                  `offset' to memory at `addr'
sf write addr offset len        - write `len' bytes from memory
                                  at `addr' to flash at `offset'
sf erase offset [+]len          - erase `len' bytes from `offset'
                                  `+len' round up `len' to block size
sf update addr offset len       - erase and write `len' bytes from memory
                                  at `addr' to flash at `offset'
sf test offset len              - run a very basic destructive test

mmc - MMC sub system

Usage:
mmc read addr blk# cnt
mmc write addr blk# cnt
mmc erase blk# cnt
mmc rescan
mmc part - lists available partition on current mmc device
mmc dev [dev] [part] - show or set current mmc device [partition]
mmc list - lists available devices

Hit any key to stop autoboot:  2
..... 1
..... 0
mmc power off ...
sys: size:0x00300000, offset:0x00040000

SF: 3145728 bytes @ 0x40000 Read: OK
## Booting kernel from Legacy Image at 80008000 ...
   Image Name:   Linux-4.4.192V2.1
   Image Type:   ARM Linux Kernel Image (uncompressed)
   Data Size:    2652496 Bytes = 2.5 MiB
   Load Address: 80008000
   Entry Point:  80008040
   Verifying Checksum ... OK
   XIP Kernel Image ... OK
   kernel loaded at 0x80008000, end = 0x8028f950
using: FDT

Starting kernel ...

Uncompressing Linux... done, booting the kernel.

Not sure what else I can try.

oklona commented 12 months ago

Hello! Did you check whether you can enable onvif directly in the app? I have a similar camera, called Bullet 6s, running firmware 5.2.2, and it has a broken Onvif readily available. With Onvif enabled, I can get to the RTSP streams (rtsp://<username>:<password>@<IP>:8554/Streaming/Channels/101 and rtsp://<username>:<password>@<IP>:8554/Streaming/Channels/102).

The app I am using is the Tuya app called "Smart Life". I know some Tuya devices are designed to use customized versions of this app, which may limit the options.

ydjzx commented 12 months ago

> Hello! Did you check whether you can enable onvif directly in the app? I have a similar camera, called Bullet 6s, running firmware 5.2.2, and it has a broken Onvif readily available. With Onvif enabled, I can get to the RTSP streams (rtsp://<username>:<password>@<IP>:8554/Streaming/Channels/101 and rtsp://<username>:<password>@<IP>:8554/Streaming/Channels/102).
>
> The app I am using is the Tuya app called "Smart Life". I know some Tuya devices are designed to use customized versions of this app, which may limit the options.

I tried several different apps. The options are all the same. I didn't see the option for onvif. Where is it located for your camera, in case I missed it?

oklona commented 12 months ago

In my app, it is actually the eighth setting from the top, right after "Detection Alarm Settings".

ydjzx commented 12 months ago

I seem to have dumped the firmware by changing the sf commands in the ppsMmcTool.txt to "sf read 82008000 0 1000000;mmc write 82008000 1 8000". From what I read, both sf read and write commands take 3 parameters. I'm not sure how the original ppsMmcTool.txt can work on other cameras.

The structure in the binwalk output looks strange though:

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
107824        0x1A530         device tree image (dtb)
123040        0x1E0A0         CRC32 polynomial table, little endian
212992        0x34000         device tree image (dtb)
262144        0x40000         uImage header, header size: 64 bytes, header CRC: 0x39B6A799, created: 2022-02-10 07:45:24, image size: 2652496 bytes, Data Address: 0x80008000, Entry Point: 0x80008040, data CRC: 0xED5D7FCB, OS: Linux, CPU: ARM, image type: OS Kernel Image, compression type: none, image name: "Linux-4.4.192V2.1"
262208        0x40040         Linux kernel ARM boot executable zImage (little-endian)
277968        0x43DD0         xz compressed data
278200        0x43EB8         xz compressed data
3407872       0x340000        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 3678930 bytes, 101 inodes, blocksize: 131072 bytes, created: 2022-03-10 07:31:07
7798784       0x770000        JFFS2 filesystem, little endian
7811316       0x7730F4        JFFS2 filesystem, little endian
7823912       0x776228        JFFS2 filesystem, little endian
7824168       0x776328        JFFS2 filesystem, little endian
7825836       0x7769AC        JFFS2 filesystem, little endian
7826092       0x776AAC        JFFS2 filesystem, little endian
7856508       0x77E17C        JFFS2 filesystem, little endian
7856764       0x77E27C        JFFS2 filesystem, little endian
7858428       0x77E8FC        JFFS2 filesystem, little endian
7858684       0x77E9FC        JFFS2 filesystem, little endian
7917836       0x78D10C        JFFS2 filesystem, little endian
7919368       0x78D708        JFFS2 filesystem, little endian
7919756       0x78D88C        JFFS2 filesystem, little endian
7921272       0x78DE78        JFFS2 filesystem, little endian
7921664       0x78E000        JFFS2 filesystem, little endian
7934044       0x79105C        JFFS2 filesystem, little endian
7935432       0x7915C8        JFFS2 filesystem, little endian
7935968       0x7917E0        JFFS2 filesystem, little endian
7937552       0x791E10        JFFS2 filesystem, little endian
7938048       0x792000        JFFS2 filesystem, little endian
7987292       0x79E05C        JFFS2 filesystem, little endian
7987548       0x79E15C        JFFS2 filesystem, little endian
7989064       0x79E748        JFFS2 filesystem, little endian
7989468       0x79E8DC        JFFS2 filesystem, little endian
7990984       0x79EEC8        JFFS2 filesystem, little endian
7992308       0x79F3F4        JFFS2 filesystem, little endian
8039000       0x7AAA58        JFFS2 filesystem, little endian
8039256       0x7AAB58        JFFS2 filesystem, little endian
8053732       0x7AE3E4        JFFS2 filesystem, little endian
8054076       0x7AE53C        JFFS2 filesystem, little endian
8054948       0x7AE8A4        JFFS2 filesystem, little endian
8065264       0x7B10F0        JFFS2 filesystem, little endian
8066100       0x7B1434        JFFS2 filesystem, little endian
8066932       0x7B1774        JFFS2 filesystem, little endian
8080588       0x7B4CCC        JFFS2 filesystem, little endian
8081408       0x7B5000        JFFS2 filesystem, little endian
8133340       0x7C1ADC        JFFS2 filesystem, little endian
8175856       0x7CC0F0        JFFS2 filesystem, little endian
8176112       0x7CC1F0        JFFS2 filesystem, little endian
8177780       0x7CC874        JFFS2 filesystem, little endian
8178036       0x7CC974        JFFS2 filesystem, little endian
8179712       0x7CD000        JFFS2 filesystem, little endian
8185520       0x7CE6B0        JFFS2 filesystem, little endian
8186056       0x7CE8C8        JFFS2 filesystem, little endian
8187916       0x7CF00C        JFFS2 filesystem, little endian
8198648       0x7D19F8        JFFS2 filesystem, little endian
8214836       0x7D5934        JFFS2 filesystem, little endian
8496432       0x81A530        device tree image (dtb)
8511648       0x81E0A0        CRC32 polynomial table, little endian
8601600       0x834000        device tree image (dtb)
8650752       0x840000        uImage header, header size: 64 bytes, header CRC: 0x39B6A799, created: 2022-02-10 07:45:24, image size: 2652496 bytes, Data Address: 0x80008000, Entry Point: 0x80008040, data CRC: 0xED5D7FCB, OS: Linux, CPU: ARM, image type: OS Kernel Image, compression type: none, image name: "Linux-4.4.192V2.1"
8650816       0x840040        Linux kernel ARM boot executable zImage (little-endian)
8666576       0x843DD0        xz compressed data
8666808       0x843EB8        xz compressed data
11796480      0xB40000        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 3678930 bytes, 101 inodes, blocksize: 131072 bytes, created: 2022-03-10 07:31:07
16187392      0xF70000        JFFS2 filesystem, little endian
16199924      0xF730F4        JFFS2 filesystem, little endian
16212520      0xF76228        JFFS2 filesystem, little endian
16212776      0xF76328        JFFS2 filesystem, little endian
16214444      0xF769AC        JFFS2 filesystem, little endian
16214700      0xF76AAC        JFFS2 filesystem, little endian
16245116      0xF7E17C        JFFS2 filesystem, little endian
16245372      0xF7E27C        JFFS2 filesystem, little endian
16247036      0xF7E8FC        JFFS2 filesystem, little endian
16247292      0xF7E9FC        JFFS2 filesystem, little endian
16306444      0xF8D10C        JFFS2 filesystem, little endian
16307976      0xF8D708        JFFS2 filesystem, little endian
16308364      0xF8D88C        JFFS2 filesystem, little endian
16309880      0xF8DE78        JFFS2 filesystem, little endian
16310272      0xF8E000        JFFS2 filesystem, little endian
16322652      0xF9105C        JFFS2 filesystem, little endian
16324040      0xF915C8        JFFS2 filesystem, little endian
16324576      0xF917E0        JFFS2 filesystem, little endian
16326160      0xF91E10        JFFS2 filesystem, little endian
16326656      0xF92000        JFFS2 filesystem, little endian
16375900      0xF9E05C        JFFS2 filesystem, little endian
16376156      0xF9E15C        JFFS2 filesystem, little endian
16377672      0xF9E748        JFFS2 filesystem, little endian
16378076      0xF9E8DC        JFFS2 filesystem, little endian
16379592      0xF9EEC8        JFFS2 filesystem, little endian
16380916      0xF9F3F4        JFFS2 filesystem, little endian
16427608      0xFAAA58        JFFS2 filesystem, little endian
16427864      0xFAAB58        JFFS2 filesystem, little endian
16442340      0xFAE3E4        JFFS2 filesystem, little endian
16442684      0xFAE53C        JFFS2 filesystem, little endian
16443556      0xFAE8A4        JFFS2 filesystem, little endian
16453872      0xFB10F0        JFFS2 filesystem, little endian
16454708      0xFB1434        JFFS2 filesystem, little endian
16455540      0xFB1774        JFFS2 filesystem, little endian
16469196      0xFB4CCC        JFFS2 filesystem, little endian
16470016      0xFB5000        JFFS2 filesystem, little endian
16521948      0xFC1ADC        JFFS2 filesystem, little endian
16564464      0xFCC0F0        JFFS2 filesystem, little endian
16564720      0xFCC1F0        JFFS2 filesystem, little endian
16566388      0xFCC874        JFFS2 filesystem, little endian
16566644      0xFCC974        JFFS2 filesystem, little endian
16568320      0xFCD000        JFFS2 filesystem, little endian
16574128      0xFCE6B0        JFFS2 filesystem, little endian
16574664      0xFCE8C8        JFFS2 filesystem, little endian
16576524      0xFCF00C        JFFS2 filesystem, little endian
16587256      0xFD19F8        JFFS2 filesystem, little endian
16603444      0xFD5934        JFFS2 filesystem, little endian

I don't know if I made some mistake. I wanted to dump from the other unit but it cannot be activated no matter how I try. I decided to return the cameras.
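The binwalk listing above repeats its entire structure 8 MiB later (the same uImage header, CRCs and squashfs at 0x40000/0x340000 and again at 0x840000/0xB40000). That is consistent with the "sf read 82008000 0 1000000" command reading 16 MiB from the 8 MiB chip that U-Boot reported: the read wraps and the dump holds the flash twice. The Python below is an added example, not part of this thread or of the Merkury1080P project. It parses the mtdparts string from the camera's /proc/cmdline (posted earlier in this issue), maps an offset from a binwalk hit to its partition, detects a doubled dump, and re-verifies the legacy uImage header CRC and data CRC32 in the sys partition (the same check behind "Verifying Checksum ... OK" in the boot log), so a dump can be sanity-checked before it is written back or modified. The flash image it runs on is constructed in memory (a blank 8 MiB image with a synthetic kernel uImage); only the cmdline string comes from the thread.

```python
import re
import struct
import zlib
from dataclasses import dataclass

# /proc/cmdline as the camera reported it earlier in this thread (the only real input here).
CMDLINE = ("console=/dev/null mtdparts=spi0.0:256K@0x0(BOOT),3072K@0x40000(sys),"
           "4288K@0x340000(app),448K@0x770000(cfg),64K@0x7E0000(enc),64K@0x7F0000(sysflg) "
           "mem=64M memsize=64M pcbversion=S2S_A5_V10 sensor=gc2063mipi model_name=Bullet-4S")

UIMAGE_MAGIC = 0x27051956
UIMAGE_HDR = struct.Struct(">IIIIIIIBBBB32s")  # legacy U-Boot image header: 64 bytes, big-endian
_UNITS = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}


@dataclass
class Partition:
    name: str
    offset: int
    size: int


def parse_mtdparts(cmdline: str) -> list:
    """Parse mtdparts=<dev>:<size>@<offset>(<name>),... into Partition objects."""
    m = re.search(r"mtdparts=[^:\s]+:(\S+)", cmdline)
    if not m:
        raise ValueError("no mtdparts= argument in cmdline")
    parts = []
    for entry in m.group(1).split(","):
        em = re.fullmatch(r"(\d+)([KMG]?)@(0x[0-9a-fA-F]+|\d+)\(([^)]+)\)", entry)
        if not em:
            raise ValueError(f"unparsable mtdparts entry: {entry!r}")
        parts.append(Partition(em.group(4), int(em.group(3), 0),
                               int(em.group(1)) * _UNITS[em.group(2)]))
    return parts


def flash_size(parts) -> int:
    """Chip size implied by the partition table (end of the last partition)."""
    return max(p.offset + p.size for p in parts)


def partition_for(parts, offset: int):
    """Name of the partition holding a byte offset (e.g. a binwalk hit), or None."""
    return next((p.name for p in parts if p.offset <= offset < p.offset + p.size), None)


def is_wrapped_dump(dump: bytes, size: int) -> bool:
    """True when the dump is at least twice the chip size and repeats after `size`
    bytes, i.e. the read ran past the end of the chip and wrapped to offset 0."""
    return len(dump) >= 2 * size and dump[:size] == dump[size:2 * size]


def parse_uimage(buf: bytes, off: int) -> dict:
    """Decode the legacy uImage header at `off` and recompute both CRC32s
    (the check U-Boot runs before 'Booting kernel from Legacy Image')."""
    if len(buf) < off + UIMAGE_HDR.size:
        raise ValueError("buffer too short for a uImage header")
    (magic, hcrc, _ts, size, load, entry, dcrc,
     _os, _arch, _typ, _comp, name) = UIMAGE_HDR.unpack_from(buf, off)
    if magic != UIMAGE_MAGIC:
        raise ValueError(f"no uImage magic at {off:#x}")
    hdr = bytearray(buf[off:off + UIMAGE_HDR.size])
    hdr[4:8] = b"\x00" * 4  # ih_hcrc is zeroed while the header CRC is computed
    data = buf[off + UIMAGE_HDR.size:off + UIMAGE_HDR.size + size]
    return {"name": name.rstrip(b"\x00").decode("ascii", "replace"),
            "load": load, "entry": entry, "size": size,
            "header_crc_ok": zlib.crc32(bytes(hdr)) == hcrc,
            "data_crc_ok": len(data) == size and zlib.crc32(data) == dcrc}


def build_uimage(payload: bytes, name: str, load: int, entry: int) -> bytes:
    """Wrap a payload in a legacy uImage header (os=linux, arch=arm, type=kernel, comp=none)."""
    hdr = bytearray(UIMAGE_HDR.pack(UIMAGE_MAGIC, 0, 0, len(payload), load, entry,
                                    zlib.crc32(payload), 5, 2, 2, 0, name.encode()))
    struct.pack_into(">I", hdr, 4, zlib.crc32(bytes(hdr)))
    return bytes(hdr) + payload


def make_sample_dump(wrapped: bool = True) -> bytes:
    """Constructed 8 MiB flash image laid out per CMDLINE with a synthetic kernel uImage
    in 'sys', optionally doubled to mimic a 16 MiB read of an 8 MiB chip."""
    sys_part = next(p for p in parse_mtdparts(CMDLINE) if p.name == "sys")
    flash = bytearray(b"\xff" * flash_size(parse_mtdparts(CMDLINE)))
    kernel = build_uimage(b"\x00" * 4096, "Linux-4.4.192V2.1", 0x80008000, 0x80008040)
    flash[sys_part.offset:sys_part.offset + len(kernel)] = kernel
    return bytes(flash) * (2 if wrapped else 1)


def analyze_dump(dump: bytes, cmdline: str) -> dict:
    """Partition table, wrap-around check and kernel-header check for one dump."""
    parts = parse_mtdparts(cmdline)
    size = flash_size(parts)
    sys_part = next(p for p in parts if p.name == "sys")
    return {"flash_size": size, "partitions": [p.name for p in parts],
            "wrapped": is_wrapped_dump(dump, size),
            "kernel": parse_uimage(dump, sys_part.offset)}
```

On a real dump, read the file into `dump`, pass the camera's own cmdline string, and check that `wrapped` is true for a 16 MiB read of this 8 MiB chip (keep only the first `flash_size` bytes in that case) and that both CRC flags are true before trusting the image; a false data CRC means the read was corrupted or truncated, and any squashfs or JFFS2 offset can be mapped with `partition_for` to confirm it sits at the start of the app or cfg partition as mtdparts declares.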

guino commented 12 months ago

@ydjzx sorry I had not had a chance to check your attempts yet. Yes, there's a different bootloader on different devices -- yours requires the offset and length parameters on the sf command, other devices read the entire flash if those are not provided (that's why it works).

Since you got the flash dump, if you can send me a copy I can take a look to see why it may not have worked (my email is in my github profile).

In any case, the only thing I can suggest you try is using these values for env/ppsMmcTool:

env (80008000 as shown in your kernel log):

hack=setenv bootargs ${bootargs} '- ip=30;/mnt/mmc01/initrun.sh)&:::::;date>/tmp/hack;(sleep
ipaddr=0;run hack;bootm 0x80008000;

ppsMmcTool.txt (82008000 as shown by your attempts):

style=upgrade,,writeAddr=0,,password=nothing,,writeLen=0,,fileName=env;env import 82008000;saveenv,,

If that doesn't work, you should also try the env file with 82008000. This seems to be the first time I see the load address for the kernel (80008000) and for the update file (82008000) be different.

ydjzx commented 11 months ago

@guino Hi guino I emailed you the firmware last Friday. Just want to check if you received it.

guino commented 11 months ago

@ydjzx I took a look at your firmware file -- it looks like they have changed the file system so even if we got to change the boot settings it still would not root it with the existing process (I wonder if your attempts changed the /proc/cmdline at all).

This device runs linux and uses ppsapp like other devices we've seen, but I think it will be nearly impossible for me to work on a process to root this camera without it available for testing (to mess with the boot loader). Even if I had a similar device in hands, it may just as well turn out that the only solution would be to modify the flash dump and flash it back (which requires opening, hardware tools, etc).

I can probably patch the start script in the firmware if you want to play with it but like I said, you would need tools to open, desolder flash chip, flash it, solder it back -- In which case I would do another flash dump with a hardware programmer (as a backup) then load a modified version to mess with it (knowing you can restore the backup).

In theory we could modify https://github.com/guino/BazzDoorbell/issues/12 to work with your device but any mistake would easily brick your device, so I wouldn't do it without hardware tools either.

Have you checked if your camera supports webrtc? https://www.reddit.com/r/smartlife/comments/oyqvdv/webrtc_stream_terminal_for_tuya_smartlife_cameras/

If it supports webrtc, you could use something like scripted to convert the webrtc feed into rtsp -- I have done it for testing and it works as long as your camera supports webrtc

ydjzx commented 11 months ago

Thank you. I got it working by modifying and flashing the Squashfs partition. I copied the content of the initrun.sh of your hack to the Squashfs initrun.sh. I flashed the modified Squashfs to the camera and telnet worked. But the "set onvif_enable 1" command in the custom.sh didn't work, so I had to manually edit the tuya_config.json to enable onvif.

The hosts file doesn't work. The Greeni app still sees the camera. I can live with it but I'm just worried that they may force update firmware silently. I'll play with it a little bit.

I'm not sure if it's normal that most of the commands returned no output in telnet. Fortunately vi worked normally.