Smart Solar IP Camera v4.0.117 #14
Comments
I got results with the GND/RX/TX on the bottom left.
When SDCard is inserted I have some lines like this
Interesting readings, sometimes
MQTT ?
key.cfg ?
I don't know how to access any bootloader or anything else. I just have logs. |
Hi, I am fighting with the same device, also without any success so far, also only port 6668:
I performed the update to 4.0.120 (as I had issues on my WIFI on 4.0.117, and also could not convince the camera to record to the MicroSD-Card) - but the update neither helped with those issues, nor did it change anything with regard to the rooting-options I tried so far. After the update, I found an update.bin on the Micro-SD: So far I tried:
Unfortunately, I have no programmer, so I can't provide any flash-dump. Any other hints how I could further analyze? |
BTW: placing a file |
I've ordered a CH341A programmer, I will try to dump the firmware when I receive it. |
I might give it a try with an Arduino - but I have no clue yet how to open the camera without damaging it. |
Remove the screw near the SD card. |
@mihovilkolaric the update file you posted seems to have 'part' of the root file system, but it doesn't seem to include the main application running on the device, settings or startup scripts. So there's not much we can do with it. If you do get a full flash dump I can take a look when I have a chance. Getting into the bootloader should just be a matter of powering on (or power cycling) the device while you're connected to the RX/TX pins and pressing a key to stop the boot process and enter the bootloader. Many devices do have this disabled (it will boot no matter what you press), others have a password (it will ask for a password when you press something), and others just go right into the bootloader -- only way to know is trying. |
When I press any key, I can interact but mixed with log output. It's difficult to deal with it.
Then cleaned :
I've tried passwords I will receive CH341A programmer soon. I hope I can dump flash without desoldering. |
I emailed you with information based on the log you provided, but just for future reference (to anyone else looking at this issue), the logs seem to indicate that this camera is not running Linux, likely it is running RTOS, meaning: a hardware programmer is the only option to make any modifications, and they would be very time consuming and limited to what's already compiled in the main application. |
I have received my CH341A programmer and dumped entire flash : (link removed due to privacy data stored in the flash. sorry) |
@BmdOnline glad to read that you managed to get a flash-dump! However, also with your dump, binwalk seems to recognize a lot of linux-related stuff, but - as for the
@guino with this new information given - do you still think it is RTOS, or are the chances that it is a linux?
|
@mihovilkolaric, I've removed my dump because it contains privacy data in it. 😞 |
Good news! Unblob succeeded in extracting the root-filesystem. |
hi, if you guys need more info on this platform, you can join us here: |
Short update: E.g. the /etc/shadow looks like this:
|
@mihovilkolaric did you try to start a telnet server from that other.sh script ? may need to put a mips busybox on the SD card to try and run telnetd from it. |
The logs I had seen didn't show anything indicating linux but the dump seems to show it's linux, I asked @BmdOnline for a copy of the dump so I can take a look too. |
@guino yes, I was able to start a telnetd (at least according to Next step is to connect my cam to a WIFI, and see whether telnetd still starts. |
@guino I sent you a link today. Have you received it? |
@guino , @BmdOnline : The first two connection-attempts with user root password telnet did not work (camera closed the connection)
but then it worked:
So, the camera is now rooted! |
Can you provide a working package ? |
Sure. |
Now that we have root-access - does anyone know how to enable motion-detection + recording to SD-Card? I guess it has to do with these files:
but changing them has no effect, and after a reboot they are reset to the default. |
And how to enable rtsp stream... |
@mihovilkolaric, I'm trying to reproduce your work, but I'm not familiar with
|
basically I just called
and creates a directory |
Okay, I just have python issues. Will upgrade and try unblob. BTW, root is working, but I have to keep camera connected (tuya app launched with camera preview) to prevent power sleep. Thanks. |
@BmdOnline I have never seen any of the 'linux' devices sleep before, I have heard of the battery operated devices having an automatic sleep to reduce power consumption. Are you guys able to execute anything like |
the platform you guys are working with is the Ingenic "Zeratul" battery platform, pretty common in the battery ip-cam world on the T series platforms... the way it works, there's typically an external MCU controlling power to the SoC, and reading motion input from something like a PIR sensor. When there's no motion, after a timeout the MCU will physically power down the SoC. There's 2 different processor architectures built in to the SoC. RISC-V, and MIPS. The RISC-V core will perform sensor and ISP initialization as soon as motion is detected, while the linux core boots up, and then takes over. |
judging by the two sets of UART tx/rx pads, there is an external MCU. you should inspect the board chip by chip, and see which one is an MCU |
Regarding "wake up without tuya app":
So, maybe it is possible using an own DNS-Server to redirect m2.tuyaeu.com to the IP of a custom "faked" MQTT-Server, which is then used to trigger the wake-up-messages. But this is (yet) highly theoretical. |
Camera side : Front side : We also have another board inside the camera (last picture below). |
From what you say, the network connection and IP address are still active even when the camera is hibernating ? When camera is active :
When camera is inactive :
|
Tried :
|
Seems to be PUYA PY32 F030... (maybe F030F16) |
for prudynt, you need to make sure another streamer is not running, and second, you need to configure /etc/prudynt.cfg with the sensor info, name, i2c address, etc. then try and run |
yeah that looks like it's it. have you tried to read the UART logs of the MCU? that would help. |
|
run |
I have strange behaviour when I'm connecting to GND/TX/RX pins.
Normal usage of camera
Then running prudynt
|
so unless you recompile prudynt with the ancient gcc 4.7.2 ingenic toolchain, not going to work, unless you do a full thingino install. thingino & prudynt are compiled with gcc13/14 |
can you run this too? for reference to get the gpio map for your device:
|
I prefer to recompile prudynt, but I have to create an entire build environment...
|
Seems to be too complicated for me. Building deps : Trying to build prudynt : |
Finally I managed to compile it (with a few modifications), but with the config
I still get following output on stdout:
and following output in logcat:
-> no change. |
Just realized that "my" binary still uses Changed the Output with the same config as before:
and
This is btw. the binary I used:
|
Another step forward. Great 👍 Can you provide a patch file, or explain your changes ? Thanks. |
Static or dynamic binary? Try a static binary and see if it makes a difference |
Of course ... just needed to clean up a bit (I tried many different things, and this is now the bare minimum required to compile Here is what I did: Clone https://github.com/Dafang-Hacks/mips-gcc472-glibc216-64bit somewhere
As seen above, I tried static only, to avoid any troubles with library-path or similar. |
One more thing: |
I managed to compile too, but I had to disable bzip2 ( |
Can you share dmesg logs after segfault? Has anyone tried to install thingino? Much easier to run everything compiled from the same tool chain. |
Sure:
Unfortunately, I have no programmer, so I did not manage to dump the flash. @BmdOnline has one - maybe he can send it to you.
No idea how to do that - especially as its homepage says that zeratul is not (yet) supported. |
zeratul chips can run just fine in non-zeratul mode, so firmware for non-zeratul devices will work. The worry is the external MCU, forcing the SOC to reset. if you can bypass the MCU resetting the SOC, then another firmware will work fine. a programmer is the best way to install, on development devices, as it turns out |
My firmware dump contains personal data (mac, ssid & password).
I prefer to avoid flashing a new firmware if possible. |
I've uploaded each partition except config which contains personal data (rename files from dmp to bin).
You can recreate entire firmware
Or extract each partition individually
@mihovilkolaric, can you dump your config partition If you want, you can extract your firmware using |
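A check one could run before sharing per-partition dumps, as in the comment above (added example, not code from this thread): it searches each partition for the owner's MAC, SSID and Wi-Fi password in several encodings and lists the partitions to withhold. The MAC, SSID, password and partition contents are constructed sample values, and all function names are hypothetical.

```python
import re

def secret_patterns(mac: str, ssid: str, password: str) -> dict[bytes, str]:
    """Map each byte encoding of a secret to a label (duplicates collapse)."""
    hexstr = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hexstr) != 12:
        raise ValueError("MAC must contain 12 hex digits")
    colon = ":".join(hexstr[i:i + 2] for i in range(0, 12, 2))
    pats: dict[bytes, str] = {bytes.fromhex(hexstr): "mac/raw"}
    for case, fn in (("lower", str.lower), ("upper", str.upper)):
        pats.setdefault(fn(hexstr).encode(), f"mac/ascii-{case}")
        pats.setdefault(fn(colon).encode(), f"mac/colon-{case}")
    for name, value in (("ssid", ssid), ("password", password)):
        if value:  # an empty needle would match everywhere
            pats.setdefault(value.encode("utf-8"), f"{name}/utf8")
            pats.setdefault(value.encode("utf-16-le"), f"{name}/utf16le")
    return pats

def scan(blob: bytes, patterns: dict[bytes, str]) -> list[tuple[int, str]]:
    """Return sorted (offset, label) pairs for every occurrence in blob."""
    hits = []
    for needle, label in patterns.items():
        pos = blob.find(needle)
        while pos != -1:
            hits.append((pos, label))
            pos = blob.find(needle, pos + 1)
    return sorted(hits)

def partitions_to_withhold(partitions: dict[str, bytes],
                           patterns: dict[bytes, str]) -> list[str]:
    """Names of partitions that contain at least one secret."""
    return [name for name, blob in partitions.items() if scan(blob, patterns)]

# Constructed sample data; a real run would read the .dmp files from disk.
PATTERNS = secret_patterns("a0:b1:c2:d3:e4:f5", "ExampleNet", "correct-horse-42")
PARTITIONS = {
    "rootfs.dmp": b"hsqs" + b"\x00" * 32 + b"busybox",
    "config.dmp": (b"\xff" * 16 + b"ssid=ExampleNet\x00passwd=correct-horse-42\x00"
                   + bytes.fromhex("a0b1c2d3e4f5") + b"\xff" * 8),
}

if __name__ == "__main__":
    for name, blob in PARTITIONS.items():
        print(name, scan(blob, PATTERNS))
    print("withhold:", partitions_to_withhold(PARTITIONS, PATTERNS))
```

A clean result only covers plaintext: strings inside compressed filesystem images are not visible to a byte search, so extracted contents should be scanned as well.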
I managed to get a coredump from the crashing prudynt: |
I'm trying to customize this model.
Connecting with Tuya Smart, the camera is v4.0.117.
An upgrade to v4.0.120 is suggested. I don't install it.
What I've tried, without success :
Each time, only 6668 port is opened :
I'm using a Sandisk 64Gb, FAT32 MicroSD. Each time "DCIM" folder is created on the card, so it doesn't seem to be related to the card.
I don't know what else to do for the moment.
I will try to open the camera, but I don't know how to do it without damaging it.