search

guino / Merkury720

Root and Customization for Merkury 720P and similar cameras
108 stars 20 forks source link

Older variant of Merkury/Geeni 720 camera #7

Open Ne3Mx opened 3 years ago

Ne3Mx commented 3 years ago

I've got an older version of the Merkury 720 camera where the hack does not work, I've successfully applied the hack to a newer Merkury 720 which works perfectly fine. The following is what I have done. image image image

http://admin:056565099@IP/devices/deviceinfo Gives me {"devname":"Smart Home Camera","model":"Mini 7C","serialno":"056xxx85","softwareversion":"2.7.7","hardwareversion":"MINI5C_V12","firmwareversion":"ppstrong-c4-tuya2_geeni-2.7.7.20210207","authkey":"7bNHIuxxxxxxxxxxxxx","deviceid":"mkry2c2xxxxxxxxxx","identity":"18091xxxxxxxxxx","pid":"aaa","WiFi MAC":"0c:8c:24:xx:xx:xx"} The hardware seems to be a MINI5C_V12 instead of a MINI7C

http://admin:056565099@IP/proc/cmdline

I get

mem=23M console=ttyAMA0,115200 loglevel=0 ppsdebug=off mtdparts=hi_sfc:192k(bld)ro,64k(env)ro,64k(enc)ro,64k(sysflg),2240k(sys),5m(app),448k(cfg) ppsAppParts=5 ip=192.168.1.10:::255.255.255.0 eth=08:88:12:3a:22:10

Thus the - ip=30... part is missing. Trying the "hack" also does not do anything, no response from the web browser and nothing on the SD card.

How do I dump the ROM from the UART? I've got a UART cable.

guino commented 3 years ago

@Ne3Mx Your flash chip is the chip on the bottom-left on the last picture posted (if you ever want to mess with it using a programmer).

I would be willing to bet money that your UART can be accessed using the 4 holes above the micro-SD card slot on the last picture. If you have some protoboard wires you can probably just insert RX,TX and Ground on these and connect them to a raspberry pi (or similar) RX/TX/GROUND pins and access the serial port on the device. Alternatively you can use a USB-TTL adapter (3.3v) and connect the RX/TX/Ground to the UART holes. If you have a multimeter you should be able to check which pin is Ground/VCC which would leave only RX/TX to figure out. If y don't have a tester you can basically try to guess the connections with basically zero risk of causing any damage. I would be willing to bet that the "square" hole is ground, and that the 2 middle pins are rx/tx. You can verify the UART is connected correctly by monitoring it with a terminal application when applying power to the device (which should display some boot messages). If you provide the boot messages there is a good chance we can determine the address for this board -- which is what we need so we can modify the hack files to work with this device.

There's no easy way to 'dump the ROM' from the UART but once we have the correct address we can use the process in https://github.com/guino/BazzDoorbell/issues/11 (with modified address) and it would likely work.

guino commented 3 years ago

This is how I accessed the UART on my device (similar holes) -- yellow is Ground in my case, I don't remember which is RX/TX but it's just a matter of trying one way and if doesn't work, switch RX/TX wires and try again:

UART

Ne3Mx commented 3 years ago

Ok! Hooking up to the UART I get the following output.

SPI Nor total size: 8MB
PPS:Apr  3 2018 15:32:05   meari_c4:  0
magic err
ARM Linux Kernel Image (uncompressed)
2054864 Bytes = 2 MiB
   Loading Kernel Image ... magic err
Uncompressing Linux... done, booting the kernel.

Holding in the reset button I get 

SPI Nor total size: 8MB
PPS:Apr  3 2018 15:32:05   meari_c4:  0
button
cmd:fatload mmc 0 0x81000000 ppsMmcTool.txt 1020
cmdBuf:fatload mmc 0 0x81000000 env;env import 81808000;saveenv
envreset - reset env para

Saving Environment to SPI Flash...
Erasing SPI flash, offset 0x00030000 size 64K ...done
Writing to SPI flash, offset 0x00030000 size 64K ...done
size:131
error: Pack header size error!
error: upgrade.bin unpack error!
envreset - reset env para

Saving Environment to SPI Flash...
Erasing SPI flash, offset 0x00030000 size 64K ...done
Writing to SPI flash, offset 0x00030000 size 64K ...done
readLen:131
read err
magic err
ARM Linux Kernel Image (uncompressed)
2054864 Bytes = 2 MiB
   Loading Kernel Image ... magic err
Uncompressing Linux... done, booting the kernel.
guino commented 3 years ago

@Ne3Mx The boot information wasn't very useful but you had a great idea to do the reset button while booting -- that was very helpful. The address for your camera is likely 0x81000000 so I'd like you to try the following:

1-Follow steps normally as if it was a new camera https://github.com/guino/Merkury720#rooting-and-customizng-the-device but STOP after step 2. 2-Unzip this zip file over the files in the SD card: old720phack.zip -- it should overwrite the env and ppsMmcTool.txt files with modified ones with address 81000000 3-Continue with the steps from https://github.com/guino/Merkury720#rooting-and-customizng-the-device from step 3

There's a very good chance this will work.

guino commented 3 years ago

@Ne3Mx if you'd like to 'read' your flash before making any changes (using: https://github.com/guino/BazzDoorbell/issues/11 ) you can follow the steps as listed there and instead of using the 'mini7c.zip' posted in the original instructions you can use this one: mini5c.zip

Ne3Mx commented 3 years ago

Same problem, I'll do a dump of the ROM

SPI Nor total size: 8MB
PPS:Apr  3 2018 15:32:05   meari_c4:  0
button
cmd:fatload mmc 0 0x81000000 ppsMmcTool.txt 1020
cmdBuf:fatload mmc 0 0x81000000 env;env import 81000000;saveenv
envreset - reset env para

Saving Environment to SPI Flash...
Erasing SPI flash, offset 0x00030000 size 64K ...done
Writing to SPI flash, offset 0x00030000 size 64K ...done
size:131
error: Pack header size error!
error: upgrade.bin unpack error!
envreset - reset env para

Saving Environment to SPI Flash...
Erasing SPI flash, offset 0x00030000 size 64K ...done
Writing to SPI flash, offset 0x00030000 size 64K ...done
readLen:131
read err
magic err
ARM Linux Kernel Image (uncompressed)
2054864 Bytes = 2 MiB
   Loading Kernel Image ... magic err
Uncompressing Linux... done, booting the kernel.
Ne3Mx commented 3 years ago

Dump of ROM was unsuccessful. Tried both Mini5C and Mini7C @ 0x81000000 and 0x81808000, no luck. Will try and read flash with programmer tomorrow.

SPI Nor total size: 8MB
PPS:Apr  3 2018 15:32:05   meari_c4:  0
button
cmd:fatload mmc 0 0x81000000 ppsMmcTool.txt 1020
cmdBuf:fatload mmc 0 0x81000000 env;env import 81808000;run fcmd
envreset - reset env para

Unknown command 'run' - try 'help'
size:90
error: Pack header size error!
error: upgrade.bin unpack error!
envreset - reset env para

Unknown command 'run' - try 'help'
readLen:90
read err
magic err
ARM Linux Kernel Image (uncompressed)
2054864 Bytes = 2 MiB
   Loading Kernel Image ... magic err
Uncompressing Linux... done, booting the kernel.

And

SPI Nor total size: 8MB
PPS:Apr  3 2018 15:32:05   meari_c4:  0
button
cmd:fatload mmc 0 0x81000000 ppsMmcTool.txt 1020
cmdBuf:fatload mmc 0 0x81000000 env;env import 81000000;run fcmd
envreset - reset env para

Unknown command 'run' - try 'help'
size:90
error: Pack header size error!
error: upgrade.bin unpack error!
envreset - reset env para

Unknown command 'run' - try 'help'
readLen:90
read err
magic err
ARM Linux Kernel Image (uncompressed)
2054864 Bytes = 2 MiB
   Loading Kernel Image ... magic err
Uncompressing Linux... done, booting the kernel.
guino commented 3 years ago

@Ne3Mx as a form of closure to this issue (or if you are just curious) I posted information on our work in this camera here: https://github.com/guino/Geeni720P

guino commented 3 years ago

It is possible/likely to wipe the mod during a firmware update, because the hack isn’t being done in the boot loader which normally isn’t part of a firmware update.

You would have to reapply to the mod if that happens (I can help patch ppsapp).