Support Chuangmi 720p camera?

[jymbob]

Just picked up a pair of "Chuangmi" cameras from GearBest - https://www.gearbest.com/ip-cameras/pp_701750.html

They're using the same app, and appear to be very similar in setup.

My FTDI is in the post so I may be able to provide some debugging information if that's helpful.

[VINCE43]

Hi, I just try tonight, and it doesn't work .. :-(

[bernardo-amaral]

I wanna hack this model too

[chris777c]

I have this model too, I can help you if you need anything tell me

[samtap]

• Post teardown pictures
• Intercept firmware update
• Attach serial console to capture boot logs, dump filesystem, crack root passwd etc.
• Find SDK, code examples etc.

[chris777c]

OK I undesstand I am so enthusiastic, in my level :

• Post teardown pictures ==> OK, I can do that

• Intercept firmware update ==> How to do that ? with what tool ?

[jymbob]

I'll see if I can get anything out of the serial console this evening

On Mon, 6 Nov 2017, 15:50 chris777c, notifications@github.com wrote:

OK I undesstand I am so enthusiastic, in my level :

-

Post teardown pictures ==> OK, I can do that

Intercept firmware update ==> How to do that ? with what tool ?

— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub https://github.com/samtap/fang-hacks/issues/235#issuecomment-342190368, or mute the thread https://github.com/notifications/unsubscribe-auth/AD9NFRQvurIQfJVaFitZ7BvI7v7QDy13ks5szyq4gaJpZM4P4QLa .

[chris777c]

Ok thank you

[jymbob]

Hm. Think I've identified the RX and TX pins but my soldering's appalling, so I haven't got to a console yet. It looks like it's using the same SoC as the Mijia 360 720p, which this project has working, however I couldn't get ssh access working on mine, and reflashing the 360 firmware appears to have left me with a non-functional camera - I still have a working one, so I'll persevere for a bit longer!

[chris777c]

Thank you for you work

[rap1]

Hi, I also have Chuangmi 720p camera and would like to make it work locally, for example through RTSP, without Internet connection. Do you have any update? thank you

[ras31415]

Hi; I also have 3 pcs :-( I was little bit stupid and I didn't think that it is a closed system without open streaming protocolls. Thanks before

[rap1]

the same for me: I found out that it works only through Internet. I hope that, as already done for other Xiaomi cameras, it's possible to load some kind of RTSP server to stream the video locally. I look forward to receiving some good news...

[rap1]

Hi Larry, any news? How did you succeed in connecting serial interface ? thank you

[ras31415]

This is very joyful. Could you share the solution of the hacking with we?

[rap1]

Great ! Could you give us details ? Is it possible to load and run a local RTSP server ?

[sibojia]

@LarryN3t Could you share the solution? I also wish to connect to this camera. Thanks a lot!

[scapman]

Very great news! Could you please share the solution? It looks like you are the only one that made it.

Thanks a lot!

[lilipfem]

Please, please share your solution if one exist :-/

This camera make me crazy ...

[bernardo-amaral]

anyone had solved this?

[ril3y]

I ordered one. I will get FH working on if its possible. However gearbest takes a few weeks to get it.

On Fri, Jan 19, 2018 at 4:17 PM, Bernardo Amaral notifications@github.com wrote:

anyone had solved this?

— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/samtap/fang-hacks/issues/235#issuecomment-359091370, or mute the thread https://github.com/notifications/unsubscribe-auth/AAOJM-pt6eQuTXcaMIhUarHH8AOxxZK3ks5tMQZegaJpZM4P4QLa .

[chris777c]

Thank you for feedback but I tried telnet with putty, his show me "Connection refused"

[ras31415]

Yes, absolutely same happened with me too. telnet - l root 192.168.3.101 23 telnet: unable to connect to remote host: Connection refused.

[chris777c]

Thank you, it's work, I am extract img from camera.

[lilipfem]

Where do you take the .img ? The link don't work any more :-(

[ras31415]

Where did LarryN3t disappear? His img is working.

[lilipfem]

So please, where can I found it ? I'm a poor newbies completly lost

[ras31415]

This is a link where you can download larryN3t's image for 24 hours. Unfortunetelly my dropbox is full so I can't keep it there.

https://www.dropbox.com/s/qm4squv21ik4bob/tf_recovery.img?dl=0

[lilipfem]

Thank you very much

[jymbob]

Did a quick fork and stuck larryN3t's file here - untested.

[rap1]

Thank you , I 'm reading on your link the procedure to load the new image.
Has anybody tested it ?

[rap1]

@jymbob when you say "For Chuangmi 720 camera download tf_recovery.img, transfer to an SD card and boot" , do you mean to copy " tf_recovery.img" file on the SD without uncompressing it , correct? Should we prepare an sd-card with two partitions as explained below or is not needed ? Could you please clarify? Thank you very much

[jymbob]

I haven't actually tried it yet, just repeating what the OP wrote here. I will endeavour to try it and update the readme. As I said, my main concern was making sure the image was accessible somewhere.

If anyone has any feedback, I'm happy to update the readme.

On Tue, 23 Jan 2018, 09:18 rap1, notifications@github.com wrote:

@jymbob https://github.com/jymbob when you say "For Chuangmi 720 camera download tf_recovery.img, transfer to an SD card and boot" , do you mean to copy " tf_recovery.img" file on the SD without uncompressing it , correct? Should we prepare an sd-card with two partitions as explained below or is not needed ? Could you please clarify? Thank you very much

— You are receiving this because you were mentioned.

Reply to this email directly, view it on GitHub https://github.com/samtap/fang-hacks/issues/235#issuecomment-359728394, or mute the thread https://github.com/notifications/unsubscribe-auth/AD9NFQUCj9S0nuz6wLKWRxyTJ7B3TbLYks5tNaPQgaJpZM4P4QLa .

[lilipfem]

Try https://sourceforge.net/projects/win32diskimag to er/files/latest/download To copy the .img to the SD card Choose the file, the destination, and click write I'm trying to see how tell the cam to boot to the SDcard

[rap1]

Thank you lilipfem ! Let us know if you succeed in booting from the SD card

[lilipfem]

No it's does'nt work. It's not a boutable image :-(

[jymbob]

Found some time. You don't need to unpack the image. Simply put it on the root of an SD card. The camera checks for this file on bootup

Steps to get telnet access:

1. Set up camera with MiHome app
2. Go into details and make a note of camera IP address (e.g. 192.168.1.250)
3. Copy tf_recovery.img to the root of an SD card
4. Unplug camera
5. Insert SD card
6. Plug in camera
7. wait for about 2 minutes until lights go blue
8. telnet 192.168.1.250 (same IP as in step 2) username: root, no password

Given we now have root access, we should hopefully be able to run a local RTSP server.

On Tue, 23 Jan 2018 at 13:57 lilipfem notifications@github.com wrote:

No it's does'nt work. It's not a boutable image :-(

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/samtap/fang-hacks/issues/235#issuecomment-359798144, or mute the thread https://github.com/notifications/unsubscribe-auth/AD9NFb_h2FRTWpOcc7EsI0PscilfLc1eks5tNeVVgaJpZM4P4QLa .

[rap1]

Great news ! Thank you very much for sharing the procedure :) Maybe the RTSP server is already present in the image (url: rtsp://device-ip/unicast) , could it be ?

[lilipfem]

Thank you @jymbob for your help. I can now open tenet on the cam and that's all :-( i answer root for the login and after only a # prompt Everywhere i saw that i would have to connect with a url like http://192.168.1.19/cgi-bin/status

Else i try with VideoStation of Synology and vlc and nothing work

[rap1]

..how did you format the SD ? FAT16, FAT32 or other ?

[lilipfem]

If the question is for me, FAT32 ...

[rap1]

I also have a FAT32 formatted SD and now I can also open telnet on the cam :) Now we should understand how to run a local RTSP server..

[joshdinsdale]

Following this with anticipation! I have gotten telnet working, whats involved in getting an rtsp server running, i know a bit of linux stuff but not so much about these prebuilt firmware images. Happy to help if anyone can point me in the right direction.

[tomsteenbakkers]

I’m also stuck after i got telnet access.

1. I format a SD card with FAT32
2. Put the image tf_recovery.img on it.
3. Switch off the camera.
4. Put the SD card in the camera and power it on.
5. When the blue light stopped blinking I checked with Fing and now the telnet protocol is there on port 23.

Next

1. I removed the card
2. downloaded the Image to write directly to the sd-card using Win32 Disk Imager.
3. The I removed the power from the camera
4. Put the power back on
5. when the blue light stopped blinking I inserted the card.

But when I used http://192.168.1.9/cgi-bin/status nothing happens. Also http://192.168.1.9/cgi-bin/hello.cgi is not doing anything.

However, I can make a telnet connection. Is there a way to activate the hack using telnet? Or I’m doing something wrong. The current firmware on my camera is 3.3.6_2017092810 and the camera is still working using the app

[jymbob]

The fang hack is designed for different firmware. I'm talking with the guys who hacked the mijia 1080 which is similar firmware. It looks like we need to recompile the rtsp library against the SoC SDK. I've had some success getting a few things running manually on the camera (ssh, httpd) but we're still a way off a nice turnkey solution. There are a lot of parts to the process which are new to me, and I've only got limited time available. If anyone has experience creating uboot images that'd be a great help.

On Sun, 28 Jan 2018, 23:08 Tom Steenbakkers, notifications@github.com wrote:

I’m also stuck after i got telnet access. I format a SD card with FAT32 and but the image tf_recovery.img on it. Switch off the camera. Put the SD card in the camera and power it on. When the blue light stopped blinking I checked with Fing and now the telnet protocol is there on port 23. Next I removed the card, and downloaded the Image to write directly to a sd-card using Win32 Disk Imager. The I removed the power from the camera, but the power back on and when the blue light stopped blinking I inserted the card. But when I used http://192.168.1.9/cgi-bin/status nothing happens. Also http://192.168.1.9/cgi-bin/hello.cgi is not doing anything. However, I can make a telnet connection. Is there a way to activate the hack using telnet? Or I’m doing something wrong. The current firmware on my camera is 3.3.6_2017092810 and the camera is still working using the app

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/samtap/fang-hacks/issues/235#issuecomment-361105092, or mute the thread https://github.com/notifications/unsubscribe-auth/AD9NFQmxUink5bNN0pHleQ1Eg3_9jtguks5tPP34gaJpZM4P4QLa .

[rap1]

I noticed that on Fang hacks, they use "snx_rtsp_server", we could try to use the same executable and see if it runs, or if we need to recompile it , where can we find the SoC SDK ? @jymbob did you have any news from the guys who hacked the mijia 1080 ?

[jymbob]

I've found what looks like an SDK for the Grain Media chipset (I don't know any Chinese). A search for "gm813x sdk" should give you some download links. The rtsp server for the mijia 1080p is here

[lilipfem]

Is there any news ? A solution founded ?

[rap1]

not yet, has anyone found a solution for loading RTSP server ?

[kuchy]

Hi any progress with RTSP server?

[scapman]

Hi. Any good news?