guino / Merkury720

Root and Customization for Merkury 720P and similar cameras

Assistance with Older Merkury/Geeni 720p Camera (GN-CW015) #33

Open tyleracopeland opened 9 months ago

tyleracopeland commented 9 months ago

I have an older model/version of the Merkury/Geeni 720 IP camera (CW015). The Geeni app reports that it is running firmware version 1.3.0. I have tried the steps in the guide at https://github.com/guino/Merkury720 without success. Reference photos included below.

Using nmap, I found the following open ports:

Service      Port   Proto   Info
telnet       23     tcp     BusyBox telnetd
?            5552   tcp
irc          6668   tcp
tcpwrapped   7101   tcp
tcpwrapped   7103   tcp

I was able to telnet in but am unable to gain root access (username Default, empty password).

I was also able to access the UART using the 3 holes at the top right of the second picture below. Here is the output I get without an SD card inserted at boot (truncated):

console init done

U-Boot 2012.10 (Jan 26 2018 - 10:37:56) for GK7102S GOS-h62-v1.0 (GOKE)

HAL:   20160804
DRAM:  64 MiB
Flash: [EN25Q128] USE 4X mode read and 4X mode write
16 MiB
NAND:  [No SPI nand]
SD/MMC: 0
SF:    16 MiB [page:256 Bytes] [sector:64 KiB] [count:256] (EN25Q128)
In:    serial
Out:   serial
Err:   serial
Net:   Int PHY
have no userfs
Hit Enter key to stop autoboot:  0
[PROCESS_SEPARATORS] gkupdate all;sf probe;sf read c1000000 0x50000 400000;bootm c1000000
Enable update uboot
MMC: no card present
SF:    16 MiB [page:256 Bytes] [sector:64 KiB] [count:256] (EN25Q128)
put param to memory
mem size (45)
total mem size (64)
bsb size (2)
usr size (0)

the kernel image is zImage or Image
entry = 0xc1000000
## Transferring control to Linux (at address c1000000)...

Starting kernel ...

machid = 3988 r2 = 0xc0000100
Uncompressing Linux... done, booting the kernel.
[    0.000000] Booting Linux on physical CPU 0
[    0.000000] Linux version 3.4.43-gk (root@ubuntu) (gcc version 4.6.1 (crosstool-NG 1.18.0) ) #12 PREEMPT Wed Aug 15 16:01:16 CST 2018
[    0.000000] CPU: ARMv6-compatible processor [410fb767] revision 7 (ARMv7), cr=00c5387d
[    0.000000] CPU: VIPT aliasing data cache, VIPT aliasing instruction cache
[    0.000000] Machine: Goke IPC Board
[    0.000000] Memory policy: ECC disabled, Data cache writeback
[    0.000000] AHB: 0x90000000  0xf2000000  -- 0x1000000
[    0.000000] APB: 0xa0000000  0xf3000000  -- 0x1000000
[    0.000000] PPM: 0xc0000000  0xc0000000  -- 0x200000
[    0.000000] BSB: 0xc2f00000  0xf5000000  -- 0x200000
[    0.000000] DSP: 0xc3100000  0xf6000000  -- 0xef0000
[    0.000000] USR: 0xc3ff0000  0xfe000000  -- 0x10000
[    0.000000] hal version = 20160804
[    0.000000] Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 11430
[    0.000000] Kernel command line: console=ttySGK0,115200 noinitrd root=/dev/mtdblock3 rootfstype=squashfs mtdparts=gk_flash:256K(boot),64K(env),2560K(kernel),4096K(rootfs),5312K(config),-(userfs) mem=45M phytype=0
[    0.000000] PID hash table entries: 256 (order: -2, 1024 bytes)
[    0.000000] Dentry cache hash table entries: 8192 (order: 3, 32768 bytes)
[    0.000000] Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)
[    0.000000] Memory: 45MB = 45MB total
[    0.000000] Memory: 40892k/40892k available, 5188k reserved, 0K highmem
[    0.000000] Virtual kernel memory layout:
[    0.000000]     vector  : 0xffff0000 - 0xffff1000   (   4 kB)
[    0.000000]     fixmap  : 0xfff00000 - 0xfffe0000   ( 896 kB)
[    0.000000]     DMA     : 0xff600000 - 0xffe00000   (   8 MB)
[    0.000000]     vmalloc : 0x83000000 - 0xff000000   (1984 MB)
[    0.000000]     lowmem  : 0x80000000 - 0x82d00000   (  45 MB)
[    0.000000]     modules : 0x7f000000 - 0x80000000   (  16 MB)
[    0.000000]       .text : 0x80008000 - 0x80418000   (4160 kB)
[    0.000000]       .init : 0x80418000 - 0x80439000   ( 132 kB)
[    0.000000]       .data : 0x8043a000 - 0x80466180   ( 177 kB)
[    0.000000]        .bss : 0x804661a4 - 0x80497e2c   ( 200 kB)
[    0.000000] NR_IRQS:128
[    0.000000] >> gk init irq vic1...
[    0.000000] >> gk init irq vic2...
[    0.000000] gk init vic...
[    0.000000] mach gk init timer...
[    0.000000] sched_clock: 32 bits at 100 Hz, resolution 10000000ns, wraps every 4294967286ms
[    0.000000] Console: colour dummy device 80x30
[    0.000000] console [ttySGK0] enabled
[    0.010000] Calibrating delay loop... 597.60 BogoMIPS (lpj=2988032)
[    0.070000] pid_max: default: 32768 minimum: 301
[    0.070000] Mount-cache hash table entries: 512
[    0.080000] CPU: Testing write buffer coherency: ok
[    0.090000] Setting up static identity map for 0xc05408e8 - 0xc0540920
[    0.100000] NET: Registered protocol family 16
[    0.110000] init timer...
[    0.110000] Init HW timer for DSP communication
[    0.110000] init gpio...
[    0.120000] ###################################
[    0.120000] [BOOT VERSION] GK7102S GOS-h62-v1.0 v1.0
[    0.130000] [NET  INT_CLK] Internal PHY clock
[    0.130000] [GPIO]#############################
[    0.140000] [GPIO] gpio map get from uboot
...

And here is the output I get with the SD card inserted at boot (truncated):

console init done

U-Boot 2012.10 (Jan 26 2018 - 10:37:56) for GK7102S GOS-h62-v1.0 (GOKE)

HAL:   20160804
DRAM:  64 MiB
Flash: [EN25Q128] USE 4X mode read and 4X mode write
16 MiB
NAND:  [No SPI nand]
SD/MMC: 0
SF:    16 MiB [page:256 Bytes] [sector:64 KiB] [count:256] (EN25Q128)
In:    serial
Out:   serial
Err:   serial
Net:   Int PHY
have no userfs
Hit Enter key to stop autoboot:  0
[PROCESS_SEPARATORS] gkupdate all;sf probe;sf read c1000000 0x50000 400000;bootm c1000000
Enable update uboot
            system volume information/
            cgi-bin/
  1109128   busybox
      657   custom.sh
      131   env
      288   hosts
       17   httpd.conf
     1372   index.html
      444   initrun.sh
     7956   jpeg-arm
   257156   mqtt_pub
     1102   offline.sh
       38   passwd
            ipc/
      102   ppsmmctool.txt
      274   set
      166   upload.html

14 file(s), 3 dir(s)

reading gk7101-evb_image_sd_update.cfg
bad gk7101-evb_image_sd_update.cfg,exit update from sd card
gkupdate - Gk_update sub-system

Usage:
gkupdate use gkupdate all to enable uboot update
SF:    16 MiB [page:256 Bytes] [sector:64 KiB] [count:256] (EN25Q128)
put param to memory
mem size (45)
total mem size (64)
bsb size (2)
usr size (0)

the kernel image is zImage or Image
entry = 0xc1000000
## Transferring control to Linux (at address c1000000)...

Starting kernel ...

machid = 3988 r2 = 0xc0000100
Uncompressing Linux... done, booting the kernel.
[    0.000000] Booting Linux on physical CPU 0
[    0.000000] Linux version 3.4.43-gk (root@ubuntu) (gcc version 4.6.1 (crosstool-NG 1.18.0) ) #12 PREEMPT Wed Aug 15 16:01:16 CST 2018
[    0.000000] CPU: ARMv6-compatible processor [410fb767] revision 7 (ARMv7), cr=00c5387d
[    0.000000] CPU: VIPT aliasing data cache, VIPT aliasing instruction cache
[    0.000000] Machine: Goke IPC Board
[    0.000000] Memory policy: ECC disabled, Data cache writeback
[    0.000000] AHB: 0x90000000  0xf2000000  -- 0x1000000
[    0.000000] APB: 0xa0000000  0xf3000000  -- 0x1000000
[    0.000000] PPM: 0xc0000000  0xc0000000  -- 0x200000
[    0.000000] BSB: 0xc2f00000  0xf5000000  -- 0x200000
[    0.000000] DSP: 0xc3100000  0xf6000000  -- 0xef0000
[    0.000000] USR: 0xc3ff0000  0xfe000000  -- 0x10000
[    0.000000] hal version = 20160804
[    0.000000] Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 11430
[    0.000000] Kernel command line: console=ttySGK0,115200 noinitrd root=/dev/mtdblock3 rootfstype=squashfs mtdparts=gk_flash:256K(boot),64K(env),2560K(kernel),4096K(rootfs),5312K(config),-(userfs) mem=45M phytype=0
[    0.000000] PID hash table entries: 256 (order: -2, 1024 bytes)
[    0.000000] Dentry cache hash table entries: 8192 (order: 3, 32768 bytes)
[    0.000000] Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)
[    0.000000] Memory: 45MB = 45MB total
[    0.000000] Memory: 40892k/40892k available, 5188k reserved, 0K highmem
[    0.000000] Virtual kernel memory layout:
[    0.000000]     vector  : 0xffff0000 - 0xffff1000   (   4 kB)
[    0.000000]     fixmap  : 0xfff00000 - 0xfffe0000   ( 896 kB)
[    0.000000]     DMA     : 0xff600000 - 0xffe00000   (   8 MB)
[    0.000000]     vmalloc : 0x83000000 - 0xff000000   (1984 MB)
[    0.000000]     lowmem  : 0x80000000 - 0x82d00000   (  45 MB)
[    0.000000]     modules : 0x7f000000 - 0x80000000   (  16 MB)
[    0.000000]       .text : 0x80008000 - 0x80418000   (4160 kB)
[    0.000000]       .init : 0x80418000 - 0x80439000   ( 132 kB)
[    0.000000]       .data : 0x8043a000 - 0x80466180   ( 177 kB)
[    0.000000]        .bss : 0x804661a4 - 0x80497e2c   ( 200 kB)
[    0.000000] NR_IRQS:128
[    0.000000] >> gk init irq vic1...
[    0.000000] >> gk init irq vic2...
[    0.000000] gk init vic...
[    0.000000] mach gk init timer...
[    0.000000] sched_clock: 32 bits at 100 Hz, resolution 10000000ns, wraps every 4294967286ms
[    0.000000] Console: colour dummy device 80x30
[    0.000000] console [ttySGK0] enabled
[    0.010000] Calibrating delay loop... 597.60 BogoMIPS (lpj=2988032)
[    0.070000] pid_max: default: 32768 minimum: 301
[    0.070000] Mount-cache hash table entries: 512
[    0.080000] CPU: Testing write buffer coherency: ok
[    0.090000] Setting up static identity map for 0xc05408e8 - 0xc0540920
[    0.100000] NET: Registered protocol family 16
[    0.110000] init timer...
[    0.110000] Init HW timer for DSP communication
[    0.110000] init gpio...
[    0.120000] ###################################
[    0.120000] [BOOT VERSION] GK7102S GOS-h62-v1.0 v1.0
[    0.130000] [NET  INT_CLK] Internal PHY clock
[    0.130000] [GPIO]#############################
[    0.140000] [GPIO] gpio map get from uboot
...

And the contents of /proc/cmdline:

console=ttySGK0,115200 noinitrd root=/dev/mtdblock3 rootfstype=squashfs mtdparts=gk_flash:256K(boot),64K(env),2560K(kernel),4096K(rootfs),5312K(config),-(userfs) mem=45M phytype=0

Let me know if more information or UART output would be helpful. Any assistance or advice would be much appreciated.

Camera: Geeni_CW015

Internals: CW015_Internals

Closeup of flash chip: CW015_Flash_Chip
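The `mtdparts=` string in the kernel command line above fixes the layout of the 16 MiB SPI flash. As an added example (not part of the thread or of the Merkury720 project), this parser turns that string into byte offsets, which is what you need to locate each partition inside a full flash dump; the function names are hypothetical, and the input values are copied from the boot log in the post.

```python
import re

# Values copied from the boot log in the post above.
CMDLINE = ("console=ttySGK0,115200 noinitrd root=/dev/mtdblock3 rootfstype=squashfs "
           "mtdparts=gk_flash:256K(boot),64K(env),2560K(kernel),4096K(rootfs),"
           "5312K(config),-(userfs) mem=45M phytype=0")
FLASH_SIZE = 16 * 1024 * 1024  # "SF: 16 MiB" (EN25Q128)

UNITS = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}
# <size>[@<offset>](<name>)[ro]; this sketch requires a name for every partition.
PART_RE = re.compile(r"^(-|\d+)([KMG]?)(?:@(0x[0-9a-f]+|\d+))?\((\w+)\)(ro)?$", re.I)


def parse_mtdparts(cmdline, flash_size):
    """Return [(index, name, offset, size)] for the first MTD device in cmdline."""
    m = re.search(r"\bmtdparts=([^:\s]+):(\S+)", cmdline)
    if not m:
        raise ValueError("no mtdparts= argument found")
    spec = m.group(2).split(";")[0]  # only the first device definition
    parts, cursor = [], 0
    for idx, item in enumerate(spec.split(",")):
        pm = PART_RE.match(item)
        if not pm:
            raise ValueError(f"unparseable partition spec: {item!r}")
        size_s, unit, off_s, name, _ro = pm.groups()
        offset = int(off_s, 0) if off_s else cursor
        # "-" means "everything that is left on the chip".
        size = flash_size - offset if size_s == "-" else int(size_s) * UNITS[unit.upper()]
        if size <= 0 or offset + size > flash_size:
            raise ValueError(f"partition {name!r} does not fit in the flash")
        parts.append((idx, name, offset, size))
        cursor = offset + size
    return parts


def partition_at(parts, address):
    """Name of the partition containing a flash address, or None."""
    for _idx, name, offset, size in parts:
        if offset <= address < offset + size:
            return name
    return None


if __name__ == "__main__":
    for idx, name, offset, size in parse_mtdparts(CMDLINE, FLASH_SIZE):
        print(f"mtd{idx}  {name:<7} 0x{offset:06x}-0x{offset + size:06x}  {size // 1024:>5} KiB")
```

The result lines up with the rest of the log: `root=/dev/mtdblock3` is the `rootfs` entry, and the `sf read c1000000 0x50000 400000` in the boot command starts at the first byte of the `kernel` partition.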

guino commented 9 months ago

@tyleracopeland were you able to 'pause' the bootloader when it shows that message 'Hit Enter key to stop autoboot: X'? If so, send me an email (posted on my GitHub profile) and I can try to give you some pointers on messing with the bootloader.

If you're unable to pause/enter into the bootloader the only way to make any progress would be to dump the firmware with a hardware programmer (which may require removing the chip from the board) -- even then there's no guarantee of making any useful modifications.

tyleracopeland commented 9 months ago

@guino I was able to pause the bootloader, but U-Boot is asking for a password. I tried the obvious ones (empty, root, admin, etc.) without success.

guino commented 9 months ago

@tyleracopeland send me an email (my address is on my GitHub profile) and I can give you some pointers on getting into the bootloader.

tyleracopeland commented 9 months ago

> @tyleracopeland send me an email (my address is on my GitHub profile) and I can give you some pointers on getting into the bootloader.

Thank you, sir. Just sent an email to your Hotmail address.