Creating a version for the XiaoFang 1080p camera #118
Comments
@no1knows good stuff! Not an expert in this but I'd like to check out the fs as well to see what I can do. I've managed to enable telnetd through snx_autorun.sh but changing the root password with |
I originally got in over serial (by soldering leads onto the camera's motherboard) but I managed to brute force the root password yesterday so that should make life easier. It's "ismart12". |
Thanks, great job. This device looks totally different from the Yi if I look at the script placed here. The processes iSC3S (I think for the streams itself) and miio_client (I think for cloud connection) do all the work. The device is constantly connected to a Chinese cloud server even when you are not using it, which is kind of creepy ;) They didn't even bother to try to hide that this is just an iSmartAlarm Spot system with a slightly custom firmware; even the hostname still is iSmartAlarm. The hardware is based on the Sonix 98600 SoC (http://www.sonix.com.tw/article-en-958-13487) which just seems to be an ARM based embedded Linux platform with some webcam streams. I wasn't able to use chpasswd since it's not in the Busybox build; passwd is so that could possibly be used but why bother with the default root password you bruteforced ;) A simple snx_autorun.sh in the root of my SD card with The rtspsrv binary from this project seems to be some kind of live555 media server based server; I tried to run it but it didn't work because of some missing dependency on this Busybox installation. The iSC3S keeps the /dev/video0 device busy, as soon as I kill the process this resource is available again. Once you kill the iSC3S app the device reboots after a moment, I tried killing iSC3S and test_UP but it still rebooted; so in order to produce an RTSP stream this auto reboot needs to be disabled so the iSC3S app can be killed. The Boa webserver is indeed running on it with just a SoniX seems to have an SDK but of course this doesn't seem to be publicly available. This is where it ends for me now since I don't have any experience with building binaries for embedded systems or decompiling/analysing the existing binaries. Hopefully it can be of some help on your quest to get this device to work; I think the hardware is great for the price if we can fully utilise it without having to rely on a third party app and a Chinese cloud to work. |
Thanks, that's all useful info. It's easy to disable the camera's phone-home and video streaming functionality - simply comment out the last line in /etc/init.d/rcS: ...and then reboot. It'll then happily sit there doing nothing, including not connecting to wifi - so don't do this unless you have serial wires soldered to the board. Looks like the Live555 rtsp server code is here: http://www.live555.com/mediaServer/ but I don't have any experience compiling for Arm systems either so will need to do some digging. Judging by some RPi threads, sounds like ffmpeg, cvlc or avconv could also create rtp streams if we can get them compiled and running on the camera. I suspect the issue will be that these need some grunt so unless we can take advantage of the SoC's hardware encoding, the CPU might struggle. The SoniX SDK would be useful! I found the programming guide here: Paragraph 9.1 looks interesting:
I can't find the SDK or SONiX Galaxy Streaming Server anywhere... Don't suppose anyone can get their hands on either? |
I've also found the attached "SN98600 Video Codec Programing Guide". |
The iSC3S process interacts with |
I think I found the SN986 SDK here: http://pan.baidu.com/share/link?uk=3981671631&shareid=2974078675#list/path=%2F rehosted on mega https://mega.nz/#!UpUmHDyJ!xGf7OvWNcRp-pXRxQ4e-Ze06WtnimWaB9rhF_ca5ibc |
Great work! I extracted SN986_1.50_037a_20151022_1049/package/app/galaxy-server.tgz to a microSD card. It also needs the following libraries: So I put those in the galaxy-server/rootfs/lib folder alongside the existing libserverlog.so and libxmllib.so. Once the microSD card is in the camera, telnet into it and then stop Xiaomi's streaming/cloud process hogging /dev/video[0-2] (thanks jeffrey-bosma!):
Then cp the Galaxy Server config files from the microSD card into /etc: Then tell the camera where to find the new libraries, since we can't copy them into /lib as the filesystem is read only: Then, at last, ./sonix-proj (in galaxy-server/rootfs/bin/) finally executes and spits out the following:
So close! I have absolutely no idea what the issue is - perhaps a missing app/library? Incorrect config? I haven't looked at the conf files (in galaxy-server/rootfs/root/etc_default/) in detail yet, so suspect they need tailoring to the specific webcam hardware. I attach the folder containing all the necessary files: It would certainly help if we had the "SN986 Serial Galaxy Streaming Server Application Note" that's referred to in the SDK programming guide. @magnets110 - could you work your searching magic on that? p.s. to stop iSC3S starting up in the first place, comment out the last line in /etc/init.d/rcS ("# /usr/bin/iSC3S/iSC3S &"). This will stop wifi starting up as well but you can make that happen by adding the following into /etc/wpa_supplicant.conf:
...and the following into /etc/init.d/rc.local:
|
For some reason the snx_autorun.sh trick doesn't work for me. The script isn't executed or telnetd fails to start, either way I get connection refused when trying to connect over telnet. I still have the 'original' firmware (2.8.0.0, app wants to update to 2.8.3.5 but I'm refusing). How should the sd card be formatted? Are there any instructions available (a photo would be awesome) of the cable connections for serial console? |
@no1knows Good work on getting rid of the running cloud stuff and @magnets110 great work on finding the SDK. Not sure if Galaxy server is going to do us any good for getting a local RTSP stream up and running, it looks like this service just connects the stream to a configurable cloud server. Too bad the documentation of the SDK is a bit lacking, can't find an example for an RTSP server in there without the cloud connect part; maybe I should look a bit harder ;) @samtap Just a FAT32 formatted card, the file should be in the root of that card containing |
I did the telnet thing so: so after every reboot the script waits 30 seconds and then starts the telnet daemon. But attention, it will be broken by a firmware update. |
I searched in the SDK too and found the SnOnvif executable. It also needs an extra library. I copied the files SnOnvif and libxmllib.so to my card, added the library path as described above and started SnOnvif but got the same error: Nothing more. :-/ |
@fijter Thanks, it works when inserting the sd-card after boot. Strange, but anyway it's only needed once, to make the fix in /etc/init.d/rc.local The SDK actually contains live555 rtsp_server! So I have high hopes we'll get somewhere. I was able to build and run it but unfortunately it also segfaults. But gdbserver is available so next step is creating a debug build.
|
I have just purchased a couple of these. I will start by testing the above. This is to let you know there is one more interested party willing to test and contribute. Wish: rtsp streaming, and final hope: Onvif support with events. |
@samtap - can't believe I didn't see that. I'm trying to cross compile it on Ubuntu 16.04 but struggling. Sounds like you know what you're doing rather better than me... keep us posted! |
It's working reasonably well. You'll need to get middleware/_install/lib/libsnx_rc.so from the SDK as well.
Seems to be limited to 10fps? It drops even lower when I move the cam around a bit. |
Hi samtap. I need a hand on xiaomi yi ants 17CN rtspsvr. Can i have your email? Or maybe you can email me on yk_handler@yahoo.com... Thx.. |
@samtap looks promising! can you share the compiled binary for me to test? What system did you compile it on? Any tips/tricks for cross compiling? |
@samtap did you cross compile it for arm? any special parameters or packages needed? i have a ubuntu install with cross compile things for arm to so i can also test and check this. |
@no1knows I built it on Kubuntu 16.10 x64. There're a couple of small issues to resolve when using the SDK. Is there anything particular you're running into? Basically what I did to build snx_rtsp_server was change a couple of scripts to use bash instead of sh (change #!/bin/sh to #!/bin/bash). Run sdk.unpack. I run setup_env.sh but it's probably safe to omit. Add bin and lib from the toolchain dirs to PATH and LD_LIBRARY_PATH. There's probably a better way to do this with a crosstool command. I had to create an empty file buildscript/include/config/snx_sdk.conf. Also had to mess around in some perl file to make it work with the perl version on my machine. When all is well you should be able to enter the buildscript dir and build the kernel with make oldconfig && make. This builds a kernel image and sets everything up so you'll be able to build the apps using their individual makefiles. Note there's lots of room for tweaking stuff. You can configure the kernel with 'make menuconfig' and there're lots of config files that I didn't touch. I was able to debug with the supplied arm-linux-gdb so that's promising. But eventually you'll probably need knowledge about the low level hardware to tweak the SDK for our specific target. Also the SDK might be a bit outdated (Oct 2015) and not match the latest firmware (though my binaries work on the latest fw). We should also look for a recovery method (I'm sure there's some way to flash it from the sd card, maybe bootloader output gives some clues?). Before messing with the system and risking to brick the device ;-) |
I am currently in the process of acquiring the latest SDK for the platform, is anyone sure which of the SN986 versions this is?
|
That would be great to have! It's SN98660(AFG), someone posted a teardown here. |
The teardown is a good find. In case anyone is interested in getting a serial console access, the pads are shown in this photo: http://cdn.geekifix.com/forum/201612/07/172112zf9lv9as3y3kdtzx.jpg (see four empty pads on the right hand side labelled 3.3v, rx, tx, gnd). That's on the back of the motherboard, so you need to remove the two ribbon cables and the motherboard to get at the pads. It's pretty straightforward - I've done this on both of my cameras and reassembled them with the wires coming out of the back of the camera through a small hole I cut in the plastic grate section between the speaker and USB port. Baud speed is 115,200. |
@no1knows I assume you hooked it up to a 3.3v ftdi uart adapter? I'll try this evening. A warning for anyone who tries to connect it directly to a USB or serial port: those run on 5V and will probably fry the board... |
RTSP server binaries available here: https://mega.nz/#F!aFZDVAiQ!9DBh2xMR9D_JynwtYSiASQ |
@samtap Thank you for the rtsp server, it works perfectly except one little thing. The IR-Filter lens is not working anymore. I think it's also controlled by the iSC3 bin. The delay is 1 second in my config, so it's ok. Now I'm searching for a way to switch the ir-filter lens. |
Hey guys, if you do all right your cam runs the rtsp server ;-) test the stream with attention, after a reboot it needs 1 minute to do all the stuff and start the rtsp server this works all without an sd card ;-) and now I can put these cams into my Synology surveillance station! |
Very impressive to see device-hacking happening in real-time. I'm following this thread like a hawk hoping for a howto from your respective successes. Maybe the xiaofang deserves its own project page? :-) |
Ok, here is a little summary. I merged the infos from no1knows, samtap, fijter and me. In /etc/init.d/rcS comment out the following lines with an # at the beginning then in /etc/wpa_supplicant.conf remove all in the network section except: make a new dir in /etc called rtsp and copy the 2 files from samtap in (wget is your friend). So the files are not gone after a reboot. Don't forget chmod a+x snx_rtsp_server! In /etc/init.d/rc.local remove the last line that begins with "cp "
Check all twice! An error may leave your device unusable! |
Well done everyone! I'll try this out tomorrow and once all tested perhaps get started on an snx_autorun.sh (in a new project) that automates everything to make it easier for others to benefit from all our good work! @samtap good point - I should have mentioned, no need to hook up the 3.3v - it works fine with just the RX, TX and gnd wires connected. I'm using a cheap universal USB to serial adapter and Putty. |
Tried again yesterday to set my router to mixed WPA/WPA2 mode. The xiaofang camera wouldn't connect. The Yi ants had no problem connecting. When I set the router to WPA mode only I got an error from the router suggesting the wireless devices could only work at A speed, but ignoring that error, and hitting ok, led the xiaofang camera to immediately connect correctly. There is something about WPA2 this hack does not like. |
I have seen references to vbox image uploaded by dibuti but don't see location for it, if anyone knows can you please post link, thanks update: (.ova file, thanks benji) update2: image referenced above is apparently work in progress for which it is unclear how to build fully functional snx_rtsp_server, would appreciate if anyone has further suggestions |
http://ifotohost.com/pic/325/30muar.jpg I stupidly deleted the time zone and the server - now I can not fix the time, through the web interface, help me fix the file locally |
Managed to pull another bin(v3.0.4.9) but it seems to be an partial update only as it does not contain as many files as previous one. |
Hi! This is a very interesting project. It turns out I received wrong shipments of Original Mainland use only cameras that do not work in the US. I'm interested in hacking these otherwise obsolete cameras. I have some experience writing in Arduino IDE and experience with IoT in general but have two questions.
Thanks! |
Is it all stable by now? Just wondering if I should flash mine, or wait a moment. |
The cameras run Linux. Older version - 2.6 (at least on the one I checked earlier) wire up Then use a serial terminal to connect to the serial port @ 115200, 8,n,1 telnet is still on the latest firmware, but I think that the camera software may look for it now and kill -9 it on startup, as strings camera binary shows that. Once you have telnet running, you can connect remotely. You'll need to set up a cross-compiler environment to develop for it. Download the SDK and set it up. Read the notes above about where to get the SDK. You can read my rather old posts on http://www.openipcam.com about doing dev stuff. It's still applicable for this, as it's a bog standard embedded environment. I should probably make a new section on there for this actually... |
Hi, is there anybody here that can give a link to download the old firmware 2.8.3.5 for xiaofang camera pls. Many thanks. |
Is there any way to use python in it? |
Hi thanks for the reply. This is a great project to learn more about telnet and SSH. (I've never tried telnet, but have a pretty good experience with SSH) Though I haven't tried connecting via telnet or SSH, I prefer serial connection, so I'll break it apart. http://imgur.com/a/pE739 I included pictures of the boards after I broke apart the camera. Can't seem to find the serial ports. Is it visible to you from these pictures? I was just wondering if it was even possible to write an iOS app to replace the Mi App? This would give me an iOS project to work towards and perhaps build something more usable and flexible than their app. I'll read more about the hack on the website you linked, thanks! |
@andrewtvuong Regarding your question whether or not it's possible to write an iOS app: no idea...... |
@Koffie-Verkeerd Thanks!! Tricky designers hid the ports under the ribbon. I appreciate the picture! |
Hi, can somebody share SN986 chip full datasheet? I need pin-out to find AV out. |
Does anybody know if it is still possible to downgrade via serial connection on this version?.. Thanks |
Looks like an Ingenic T20, so will be MIPS.
T20 is the large black chip.
Pinouts for the Ingenic SOC will be needed to check what the serial i/o pins are.
Cursory google says this should be a datasheet. - ftp://ftp.ingenic.com/SOC/T20/T20_PB.PDF
ftp://ftp.ingenic.com/SOC/T20/ may have some more files if you’re lucky, not loading for me here in China at the moment though.
If they are exposed, then should be straightforward. You’ll need to read the datasheet to see what the serial io pins are, then look at the board to see what that correlates to, then follow to see if they’re easily accessible or not.
https://hackaday.com/tag/ingenic-t20/ also has some bits n bobs about the T20
Good luck!
On 20 Jun 2018, at 20:08, juz22 wrote:
Does anybody know if it is still possible to downgrade via serial connection on this version?..
I bought Xiaofang cameras from DD4.com which came with MAC addresses starting 78; they are region locked to China and the FangHack doesn't work on them (despite hearing the loading sound). I have tried to downgrade via microSD but have been unsuccessful trying many times.
I disassembled one in order to try to solder to serial USB TTL connection, following this guide (https://www.youtube.com/watch?v=OOghPawyIms) however I cannot see the pins and the board layout appears different.
<https://user-images.githubusercontent.com/40423341/41657070-729ee430-74d5-11e8-8aa9-a4801c2c8fd4.jpg>
Thanks
|
@juz22, the problem of not downgrading with the SD card might be because of an incompatible SD card. I've created a video that shows that some SD cards might result in a different checksum of the firmware, causing the camera to not flash the firmware; I still don't understand the cause. So the solution is to change to another SD card for now, but I still don't know yet how to determine a compatible one... |
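The checksum mismatch described in the comment above can be checked on a PC before the card goes into the camera. This is an added example, not code from this thread or from the project: it compares a firmware file with the copy read back from the SD card and lists the blocks that differ. SHA-256, the 4096-byte block size and the function names are assumptions made here; the thread does not say which checksum the camera computes.

```python
import hashlib
import os
import tempfile

BLOCK = 4096  # comparison granularity chosen for this example, not a camera value


def sha256_file(path, block=BLOCK):
    """Hash a file in chunks so large images do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(block), b""):
            digest.update(chunk)
    return digest.hexdigest()


def compare_copy(reference, copy, block=BLOCK):
    """Compare the downloaded firmware with the file read back from the card.

    Eject and re-insert the card before running this: a read straight after
    the write can be served from the PC's cache instead of the card itself.
    """
    bad_blocks = []
    with open(reference, "rb") as ref, open(copy, "rb") as dup:
        index = 0
        while True:
            a, b = ref.read(block), dup.read(block)
            if not a and not b:
                break
            if a != b:  # also true when one file is shorter than the other
                bad_blocks.append(index)
            index += 1
    return {
        "reference_sha256": sha256_file(reference, block),
        "copy_sha256": sha256_file(copy, block),
        "same_size": os.path.getsize(reference) == os.path.getsize(copy),
        "bad_blocks": bad_blocks,
        "ok": not bad_blocks,
    }


def demo():
    """Run the check on constructed data: one clean copy, one with a flipped byte."""
    with tempfile.TemporaryDirectory() as work:
        image = bytes(range(256)) * 64  # constructed 16 KiB stand-in, not real firmware
        damaged = bytearray(image)
        damaged[2 * BLOCK + 10] ^= 0xFF  # simulate a card corrupting block 2
        paths = {}
        for name, data in (("FIRMWARE_660R_F.bin", image),
                           ("good_copy.bin", image),
                           ("bad_copy.bin", bytes(damaged))):
            paths[name] = os.path.join(work, name)
            with open(paths[name], "wb") as handle:
                handle.write(data)
        ref = paths["FIRMWARE_660R_F.bin"]
        return (compare_copy(ref, paths["good_copy.bin"]),
                compare_copy(ref, paths["bad_copy.bin"]))


if __name__ == "__main__":
    for label, result in zip(("good copy", "bad copy"), demo()):
        print(label, "OK" if result["ok"] else "MISMATCH", result["bad_blocks"])
```

A card that returns different bad blocks on repeated reads of the same file points at the card or reader rather than at the firmware download.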
Thank you both for the great responses and advice. |
@juz22 fyi, I am able to use both SD cards to flash the Xiaoyi dome camera, but it failed on the Xiaofang. |
FWIW I was having trouble restoring original firmware (from here: https://github.com/GrumpyMeow/XiaomiXiaofangFirmware) until I flashed ykhandler's english mod. From there I was able to reflash the original, and then back to fang-hacks. I'm not sure what the difference was but it wasn't the SD Card for me. |
@juz22, now I realize that there are 2 kinds of xiaofang, the old version one and the 1s one. They use different firmware. @sshaikh, the ykhandler's english mod is based on the original firmware. But apparently, xiaomi uses multiple brand combinations for their components. The reason why I have this conclusion is that some xiaofang may have an error reading the sdcard with firmware versions newer than 3.2 (although it can flash), and some xiaofang may have the wifi device not working on firmware older than 3.3. I'm still learning why this is happening.
|
Okay. But in my testing with a single camera and single SD card:
Maybe I was doing something wrong, but for me the order in which the flashing attempts were made was significant (it doesn't make sense to me why). |
The firmware can be flashed multiple times. It means, after you flash the firmware, you can apply it again by turning off the camera then holding the reset button for 10 seconds while turning it on. If you use uart you know what you're doing wrong. Don't worry about your xiaofang, even if you flash a wrong firmware it is still recoverable, even if it is the uboot which is only contained in FIRMWARE_660R_F.bin. |
I couldn't find a datasheet for the T20 showing pin out to trace but it appears the designer dropped 3.3V so it's just RX, TX, GND pins as follows (I put a header already): |
I'm trying to hack the XiaoFang 1080p camera (i.e. this: http://www.gearbest.com/ip-cameras/pp_487830.html)
I've got root access over serial and worked out what filename to include on the microSD (that gets launched on insert): "snx_autorun.sh" so I can now easily change the root password and launch telnetd. It already runs boa web server (albeit with no content to serve, yet).
fritz-smh - could you give me some pointers on compiling the rtsp binary so I can create a version for the XiaoFang?