Smart Solar IP Camera v4.0.117

[BmdOnline]

I'm trying to customize this model.

Connecting with Tuya Smart, the camera is v4.0.117.
An upgrade to v4.0.120 is suggested. I don't install it.

What I've tried, without success :

• option 3 from this repository
• method from Merkury720/Merkury1080P repository

Each time, only 6668 port is opened :

$ nmap -p- 192.168.0.155
Starting Nmap 7.94 ( https://nmap.org ) at 2024-05-20 00:26 CEST
Nmap scan report for 192.168.0.155
Host is up (0.041s latency).
Not shown: 65534 closed tcp ports (conn-refused)
PORT STATE SERVICE
6668/tcp open irc

Nmap done: 1 IP address (1 host up) scanned in 13.59 seconds

I'm using a Sandisk 64Gb, FAT32 MicroSD. Each time "DCIM" folder is created on the card, so it doesn't seem to be related to the card.

I don't know what else to do for the moment.
I will try to open the camera, but I don't know how to do without damaging it.

[BmdOnline]

I've successfully opened the cam.
We have two sets of GND/TX/RX pins. I've checked they're not linked.
I will try both of them and see what happens.

[BmdOnline]

I got results with the GND/RX/TX on the bottom left.

Ver:20220425-T31ZC

vol=>60
curr pir sens:2
curr dev volume:8 

spk_vol:45
func switch 0x4
[tuya] night mode:0   night_mode:0
low_power_value:10
[tuya] low_power_value 10 
reconnect times:0;
[1B][m[-][ INFO][ZRT_WIFI_Get_Config][428] get ssid:(removed) pwd:(removed)
[1B][m[1B][m[-][ INFO][cadc_open][41] adc open success.
[1B][madc:239
[-][ INFO][system][243] echo 59 > /sys/class/gpio/export, ret: 0, target: 127.0.0.1:58878
[-][ INFO][system][243] echo out > /sys/class/gpio/gpio59/direction, ret: 0, target: 127.0.0.1:48597
[-][ INFO][system][243] echo 0 > /sys/class/gpio/gpio59/value, ret: 0, target: 127.0.0.1:34384
auto
chn[0] 264
chn[1] 264
chn->0,r:1.000000, b=1152
chn->1,r:1.000000, b=480
jpg:0, 0
snap_delay 2
[1B][1;32;40mINFO(jzdl): jzdl version:1.4.0(00010400_4e61bfb)  built:20230907-1222(4.7.2 c)[1B][0m
[1B][m[-][ INFO][hal_init_slip][853] chn 0 set horizontal and vertical flip.
[1B][m[1B][1;32;40mINFO(persondet): Ingenic DL PersonDet Promotion Version:0.0.3(00000003_111fcc8)  built:20231102-2000(4.7.2 simd)[1B][0m
param frameWidth: 640 frameHeight: 360  sense: -1 score: 0.400000 detdist: 1 ptime: 1 count: 0 mod: 1 enable_perm: 0 enable_move: 0 track_mode: 0 observation_period: 0 active_count: 0 move_scale: 1.000000
warn: shm_init,53shm init already
[1B][m[-][ INFO][__uart_rev_process][920] battery:b 6a = 2922, fxg:04, rtc:19,t:9746
[1B][mAA hwinfo.battery=100 

cur adc 2922.000000 

[1B][m[-][ INFO][hal_ai_start][328] ai start success.
[1B][mwarn: shm_init,53shm init already
[__sensor_process] line:1841
rtc_cnt=5
[frame_pooling_thread--419 Channel:1 ]:1126(ms)
[IMP_Encoder_GetStream_Impl--2558 Channel:1 ]:1129(ms)
[1B][m[-][ INFO][hal_ao_start][288] ao start success.
[1B][m[1B][m[-][ INFO][mdevinfo_set_timezone][335] set timezone [8][CST-08:00]
[1B][maac_len=2
15 88 

Init aac encoder success :AAC max_out_buffer_len[768], input_pcm_frame_len[2048]
[1B][m[-][ INFO][__uart_rev_process][920] battery:b 5d = 2909, fxg:33, rtc:19,t:9747
[1B][mAA hwinfo.battery=100 

cur adc 2909.000000 

>power on<
audio_ready=1, cnt=0
[1B][m[-][ INFO][maudio_change_mode][217] change audio mode -1->0.
[1B][m[1B][m[-][ INFO][__uart_rev_process][920] battery:b 5e = 2910, fxg:30, rtc:7e,t:9747
[1B][mAA hwinfo.battery=100 

cur adc 2910.000000 

[1B][m[-][ INFO][_speak_process][74] start play audio:/system/voice/power_on(1).
[1B][m[1B][m[-][ INFO][hal_ao_set_volume][440] set volume 45
[1B][m[1B][m[-][ INFO][ZRT_WIFI_Get_Config][428] get ssid:(removed) pwd:(removed)
[1B][m[_led_process] line:377 pir，红�亮1秒
[1B][m[-][ INFO][__uart_rev_process][920] battery:b 5e = 2910, fxg:30, rtc:7e,t:9747
[1B][mAA hwinfo.battery=100 

cur adc 2910.000000 

===value:218.[night<200, day>250]
[1B][m[-][ INFO][sample_change_daynight][2005] turn day mode.
[1B][m[1B][m[-][ INFO][hal_gpio_cut_readlight][139] cut flag:0
[1B][mbiao debug msnapshot_get_file 40 

person_detect_switch = 1 

[frame_pooling_thread--419 Channel:0 ]:1593(ms)
[IMP_Encoder_GetStream_Impl--2558 Channel:5 ]:1597(ms)
[IMP_Encoder_GetStream_Impl--2558 Channel:0 ]:1608(ms)
snap file size:7518 limit:102400
snapshot file  end!
len:7518, snap ok.
_person_detect_handle 740 w=640 h360 

[1B][m[-][ INFO][zrt_wifi_set_sleep][3058] set wlc hostsleep 0
[1B][m[1B][m[-][ INFO][zrt_wifi_set_pm_mode][3102] wlc pm 0
[1B][m[1B][m[-][ INFO][zrt_wifi_set_deepsleep][3066] set wlc deepsleep 0
[1B][m[1B][m[-][ INFO][bcmwlan_get_wakeup_flag][2071] wlc wowl_wakeind 0
[1B][m[1B][m[-][ INFO][bcmwlan_get_wakeup_flag][2073] wlc wowl_wakeind clear
[1B][m[1B][m[-][ INFO][bcmwlan_get_wakeup_flag][2071] wlc wowl_wakeind 0
[1B][m[1B][m[-][ INFO][bcmwlan_get_wakeup_flag][2073] wlc wowl_wakeind clear
[1B][m[1B][m[-][ INFO][ZRT_CAM_Show_Wakeup_Source][1164] wifi wakeup flag: 0
[1B][m[1B][m[-][ INFO][ZRT_WIFI_Get_Config][428] get ssid:(removed) pwd:(removed)
[1B][m[1B][m[-][ INFO][mnet_init][1275] wifi config ready, get config.
[1B][m[1B][m[-][ INFO][set_wifi_status][90] WIFI_CONNECTING
[1B][m[1B][m[-][ INFO][wlc_checkstatus][1004] x
[1B][m[1B][m[-][ INFO][set_wifi_status][90] WIFI_CONNECTING
[1B][m[1B][m[-][ INFO][ZRT_WIFI_Get_Config][428] get ssid:(removed) pwd:(removed)
[1B][m[1B][m[-][ INFO][ZRT_WIFI_Get_Config][428] get ssid:(removed) pwd:(removed)
[1B][m[_led_process] line:384 pir，红��，��亮1
[1B][m[-][ INFO][__uart_rev_process][920] battery:b 5f = 2911, fxg:31, rtc:7e,t:9747
[1B][mAA hwinfo.battery=100 

cur adc 2911.000000 

adc_val_avg 2910, max 2922,min 2909
Setting up swapspace version 1, size = 16773120 bytes
UUID=eb2c7587-1246-42de-8485-0a484a5b6368
[-][ INFO][system][243] touch /tmp/battery_ready, ret: 0, target: 127.0.0.1:60625
bat_adc_dg2=100
count: 0
person detect time: 882ms

person_detect_switch = 1 

_person_detect_handle 740 w=640 h360 

count: 0
person detect time: 458ms

person_detect_switch = 1 

_person_detect_handle 740 w=640 h360 

[1B][m[-][ INFO][ZRT_WIFI_Fast_Connect][698] ssid=(removed) mac:b8:ec:a3:dc:fa:2e channel=6, signal=-60
[1B][m[1B][m[-][ INFO][wifi_join_ap][2690] wifi(1) join ap ssid:(removed) pwd:(removed) auth:00400004
[1B][m[1B][m[-][ INFO][wlc_wowl_status][1741] status of wakeup: 0x0
[1B][m[1B][m[-][ INFO][bcmwlan_join_ap_specific][1571] start join (removed).
[1B][m[1B][m[-][ INFO][bcmwlan_join_ap_specific][1593] try scan and join ap: (removed)
[1B][m[1B][m[-][ INFO][ZRT_WIFI_Get_Config][428] get ssid:(removed) pwd:(removed)
[1B][m[_led_process] line:384 pir，红��，��亮2
count: 0
person detect time: 702ms

person_detect_switch = 1 

_person_detect_handle 740 w=640 h360 
(and so on...)

When SDCard is inserted I have some lines like this

curr sd total:62336000 used:0 empty:62336000 

log_lxh_dbg01
curr sd_status:1 

[tuya_ipc_sd_get_status] line:147	curr sd_status:2 total:60875

sd capacity: total: 62336272 KB, used 64 KB, free 62336208 KB
[1B][m[-][ INFO][_storage_init_process][395] found store dev /dev/mmcblk0.

Interesting readings, sometimes

Show arguments:
  create=false
  update=true
  tag_path=/dev/mtdblock1
  cmdline=
  sensor_init=
  env=senv;[HW];init_vw=1920;init_vh=1080;nrvbs=2;mode=0;[SDK];fmode=0;[WIFI];SSID2=47616c617830;PASS2=575041304f5349524953;MAC=b8:ec:a3:dc:fa:2e;IP=192.168.0.155;CHANNEL=0;DNS1=192.168.0.1;IPSERVER=0.0.0.0;IPMASK=255.255.255.0;GATEWAY=192.168.0.1;LEASETIME=86400;dhcpc_ip_addr=192.168.0.155;dhcpc_ip_mask=255.255.255.0;dhcpc_gateway=192.168.0.1;dhcpc_dns_server=192.168.0.1;dhcpc_lease_time=86400;eenv;
  g_bootinfo=
  g_fwinfo=

MQTT ?

[1B][m[-][ INFO][_get_ip][18] local address 192.168.0.155:59521
[1B][m[1B][m[-][ INFO][_get_ip][24] server address 3.120.92.134:1883
[1B][m[1B][m[-][ INFO][mnet_scrab_start][331] svr ip:3.120.92.134 port:1883
[1B][mscrab start ok

key.cfg ?

[1B][0;32;31m[-][ERROR][muart_get_key][202] open key.cfg error!

I don't know how to access any bootloader or anything else. I just have logs.
I don't see anything referring to /mnt, sdcard, reading / writing.

[mihovilkolaric]

Hi,

I am fighting with the same device, also without any success so far, also only port 6668:

Nmap scan report for 10.42.0.240
Host is up (0.045s latency).
Not shown: 999 closed ports
PORT     STATE SERVICE
6668/tcp open  irc

I performed the update to 4.0.120 (as I had issues on my WIFI on 4.0.117, and also could not convince the camera to record to the MicroSD-Card) - but the update did neither help with those issues, nor it changed anything in regards to the rooting-options I tried so far.

After the update, I found an update.bin on the Micro-SD:
update.bin.zip
but could not find anything useful yet (using binwalk).

So far I tried:

• https://github.com/guino/LSCOutdoor1080P?tab=readme-ov-file#root-access
• https://github.com/guino/Merkury1080P?tab=readme-ov-file#conclusion

Unfortunately, I have no programmer, so I can't provide any flash-dump.

Any other hints how I could further analyze?

[mihovilkolaric]

BTW: placing a file _ak39_factory.ini on the SD-Card does not lead to the effect described in guino/Merkury1080P#42 (comment) .

[BmdOnline]

I've ordered a CH341A programmer, I will try to dump the firmware when I receive it.
Without desoldering the chip (like this) if it works.

[mihovilkolaric]

I might give it a try with an arduino - but I have no clue yet how to open the camera without damaging it.
Do you have any hints?

[BmdOnline]

Remove the screw near of SD Card.
Then pull gently around the front of the camera.
Use a thin accessory that won't scratch. Possibly with your fingernails 😉
The black side should start to emerge from the white frame.
Watch out for the cable used to connect the speaker.

[guino]

@mihovilkolaric the update file you posted seems to have 'part' of the root file system, but it doesn't seem to include the main application running on the device, settings or startup scripts. So there's not much we can do with it. If you do get a full flash dump I can take a look when I have a chance.

Getting into the bootloader should just be a matter of powering on (or power cycling) the device while you're connected to the RX/TX pins and pressing a key to stop the boot process and enter the bootloader. Many devices do have this disabled (it will boot no matter what you press), others have a password (it will ask for a password when you press something), and others just go right into the bootloader -- only way to know is trying.

[BmdOnline]

When I press any key, I can interact but mixed with log output. It's difficult to deal with it.
I have to keep camera connected to tuya to prevent it to suspend.

Zeratul login: [1B][m[-][ INFO][set_wifi_status][96] WIFI_CONNECTED
[1B][m===value:169.[night<200, day>250]
[tuya_ipc_sd_get_status] line:147	curr sd_status:2 total:60875

count: 0
person detect time: 789ms

person_detect_switch = 1 
(...)


root
Password: [1B][m[tuya_ipc_sd_get_status] line:147	curr sd_status:2 total:60875

count: 0
person detect time: 790ms
(...)


dgiot010

count: 0
person detect time: 511ms

person_detect_switch = 1 

_person_detect_handle 740 w=640 h360 

(...)
Login incorrect

Then cleaned :

Zeratul login:
root (echoed)
Password:
dgiot010 (not echoed)
Login incorrect

I've tried passwords dgiot010, telnet and root without success.

I will receive CH341A programmer soon. I hope I can dump flash without desoldering.

[guino]

I emailed you with information based on the log you provided, but just for future reference (to anyone else looking at this issue), the logs seem to indicate that this camera is not running Linux, likely it is running RTOS, meaning:a hardware programmer is the only option to make any modifications, and they would be very time consuming and limited to what's already compiled in the main application.

[BmdOnline]

I have received my CH341A programmer and dumped entire flash : (link removed due to privacy data stored in the flash. sorry)

[mihovilkolaric]

@BmdOnline glad to read that you managed to get a flash-dump!
(I tried with flashrom on a raspberry pi, but as I have no SOP8-Clip (and bad soldering skills), the results were not stable/reproducible).

However, also with your dump, binwalk seems to recognize a lot of linux-related stuff, but - as for the update.bin posted earlier, it fails to extract a "full" root-filesystem.

binwalk -e XMC.bin 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
29048         0x7178          CRC32 polynomial table, little endian
30468         0x7704          LZO compressed data
31288         0x7A38          LZO compressed data
202000        0x31510         CRC32 polynomial table, little endian
206248        0x325A8         LZO compressed data
209836        0x333AC         Android bootimg, kernel size: 0 bytes, kernel addr: 0x70657250, ramdisk size: 543519329 bytes, ramdisk addr: 0x6E72656B, product name: "mem boot start"
622592        0x98000         uImage header, header size: 64 bytes, header CRC: 0x1A3A734D, created: 2023-11-22 06:28:42, image size: 5226788 bytes, Data Address: 0x80010000, Entry Point: 0x803CDE70, data CRC: 0xA7939E61, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: none, image name: "Linux-3.10.14-Archon"
2327946       0x23858A        bix header, header size: 64 bytes, header CRC: 0x628E0400, created: 2031-03-22 02:20:47, image size: 1048576 bytes, Data Address: 0x50A40000, Entry Point: 0x628E0400, data CRC: 0x73260000, image name: ""
3752610       0x3942A2        PGP RSA encrypted session key - keyid: 822CC2 401020 RSA (Encrypt or Sign) 1024b
4591776       0x4610A0        Linux kernel version 3.10.1
4657616       0x4711D0        DES SP2, little endian
4658128       0x4713D0        DES SP1, little endian
4676064       0x4759E0        LZO compressed data
4726848       0x482040        CRC32 polynomial table, little endian
5052572       0x4D189C        xz compressed data
5277248       0x508640        CRC32 polynomial table, little endian
5483462       0x53ABC6        PARity archive data - file number 21057
5844156       0x592CBC        ASCII cpio archive (SVR4 with no CRC), file name: "dev", file name length: "0x00000004", file size: "0x00000000"
5844272       0x592D30        ASCII cpio archive (SVR4 with no CRC), file name: "dev/console", file name length: "0x0000000C", file size: "0x00000000"
5844396       0x592DAC        ASCII cpio archive (SVR4 with no CRC), file name: "root", file name length: "0x00000005", file size: "0x00000000"
5844512       0x592E20        ASCII cpio archive (SVR4 with no CRC), file name: "TRAILER!!!", file name length: "0x0000000B", file size: "0x00000000"
7260836       0x6ECAA4        mcrypt 2.5 encrypted data, algorithm: "-=", keysize: 11527 bytes, mode: "=",
8825076       0x86A8F4        Unix path: /var/lib/jenkins/workspace/Release_IPC_SDK/src/tuya_ipc_sdk/ai_detect_storage(x
8852370       0x871392        Unix path: /var/lib/jenkins/workspace/Release_IPC_SDK/src/tuya_iot_sdk/wifi_cfg_serv/ez_mc.c
8877037       0x8773ED        AES Inverse S-Box
8888152       0x879F58        Certificate in DER format (x509 v3), header length: 4, sequence length: 1998
8901279       0x87D29F        AES S-Box
8907262       0x87E9FE        SHA256 hash constants, little endian
8932186       0x884B5A        AES Inverse S-Box
8932442       0x884C5A        AES S-Box
9115411       0x8B1713        Copyright string: "Copyright (C) 2J"
9171891       0x8BF3B3        ELF, 32-bit LSB processor-specific, ("")
9499250       0x90F272        Unix path: /sys/class/gpio/export
9539057       0x918DF1        mcrypt 2.5 encrypted data, algorithm: "^", keysize: 3934 bytes, mode: " ",
11069460      0xA8E814        mcrypt 2.5 encrypted data, algorithm: "", keysize: 26905 bytes, mode: "o",
12156928      0xB98000        uImage header, header size: 64 bytes, header CRC: 0xBA260EE2, created: 2021-08-07 09:15:35, image size: 2087483 bytes, Data Address: 0x80010000, Entry Point: 0x802EB500, data CRC: 0x247FD390, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: "Linux-3.10.14-Immortal"
12156992      0xB98040        LZMA compressed data, properties: 0x5D, dictionary size: 67108864 bytes, uncompressed size: -1 bytes
14778368      0xE18000        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 1155118 bytes, 52 inodes, blocksize: 131072 bytes, created: 2023-11-26 07:45:12
16252928      0xF80000        JFFS2 filesystem, little endian

@guino with this new information given - do you still think it is RTOS, or are the chances that it is a linux?
The few extracted files at least look like linux ELF-binaries:

squashfs-root/bin/logcat: ELF 32-bit LSB executable, MIPS, MIPS32 rel2 version 1 (SYSV), dynamically linked, interpreter /lib/ld-uClibc.so.0, stripped

[BmdOnline]

@mihovilkolaric, I've removed my dump because it contains privacy data in it. 😞
@guino, I can mail you access to the dump.

[mihovilkolaric]

Good news!

Unblob succeeded in extracting the root-filesystem.
app_init.sh looks promising.

[gtxaspec]

hi, if you guys need more info on this platform, you can join us here:
https://discord.gg/xDmqS944zr
we are experienced ingenic developers from the thingino project. have fun!

[mihovilkolaric]

Short update:
The camera executes a shellscript called other.sh when it is placed on the root-folder of the MicroSD-card.
With the path /tmp/mnt/sdcard/ you can access the SD-Card itself, and copy stuff from the "running filesystem" to the card.

E.g. the /etc/shadow looks like this:

root:dY6MT354.O2K.:0:0:root:/:/bin/sh

[guino]

@mihovilkolaric did you try to start a telnet server from that other.sh script ? may need to put a mips busybox on the SD card to try and run telnetd from it.

[guino]

@BmdOnline
@guino with this new information given - do you still think it is RTOS, or are the chances that it is a linux? The few extracted files at least look like linux ELF-binaries:

The logs I had sees didn't show anything indicating linux but the dump seems to show it's linux, I asked @BmdOnline for a copy of the dump so I can take a look too.

[mihovilkolaric]

@guino yes, I was able to start a telnetd (at least according to ps and netstat). But until now I did all my tests with a factory-reset camera, so I could not try to connect.
This is the script I used:
other.sh.txt
And this is the output it produced:
myhack.log.txt
(needed to rename both files to .txt as github neither allows .sh, nor .log)

Next step it to connect my cam to a WIFI, and see whether telnetd still starts.

[BmdOnline]

I asked @BmdOnline for a copy of the dump so I can take a look too.

@guino I send you a link today. Have you received it ?

[mihovilkolaric]

@guino , @BmdOnline :
Also after connecting to WIFI, the other.sh is executed.
So I replaced /etc/passwd and /etc/shadow with a version containing the hash from https://github.com/guino/LSCOutdoor1080P?tab=readme-ov-file#root-access and afterwards start telnetd.

The first two connection-attempts with user root password telnet did not work (camera closed the connection)

$ telnet 10.0.0.9
Trying 10.0.0.9...
Connected to 10.0.0.9.
Escape character is '^]'.

Zeratul login: root
Password: Connection closed by foreign host.

but then it worked:

$ telnet 10.0.0.9
Trying 10.0.0.9...
Connected to 10.0.0.9.
Escape character is '^]'.

Zeratul login: root
Password: 
Hello Zeratul!
[root@Zeratul:~]# 

So, the camera is now rooted!

[BmdOnline]

Can you provide a working package ?

[mihovilkolaric]

Sure.
Extract
root_v1.zip
to the SD-card, and boot with the card inserted.

[mihovilkolaric]

Now that we have root-access - does anyone know how to enable motion-detection + recording to SD-Card?
(This is actually the reason why I started the investigation).

I guess it has to do with this files:

[root@Zeratul:tuya]# cat tuya_sd_record_on_off
1[root@Zeratul:tuya]# cat tuya_sd_record_mode
0[root@Zeratul:tuya]#

but changing them has no effect, and after a reboot there are reset to the default.

[BmdOnline]

And how to enable rtsp stream...

[BmdOnline]

@mihovilkolaric, I'm trying to reproduce your work, but I'm not familiar to binwalk and unblob
How are you extracting the root partition :

5844396       0x592DAC        ASCII cpio archive (SVR4 with no CRC), file name: "root", file name length: "0x00000005", file size: "0x00000000"

[mihovilkolaric]

basically I just called
$ unblob XMC.bin which outputs

╭───────────────────────────────────────────────────────────────────────────────────────────────────── unblob (24.4.5) ─────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ Extracted files: 75                                                                                                                                                                                                       │
│ Extracted directories: 38                                                                                                                                                                                                 │
│ Extracted links: 147                                                                                                                                                                                                      │
│ Extraction directory size: 24.17 MB                                                                                                                                                                                       │
│ Chunks identification ratio: 33.79%                                                                                                                                                                                       │
╰───────────────────────────────────────────────────────────────────────────────────────────────────────── Summary ─────────────────────────────────────────────────────────────────────────────────────────────────────────╯
            Chunks distribution             
┏━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━┳━━━━━━━━┓
┃ Chunk type          ┃   Size    ┃ Ratio  ┃
┡━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━╇━━━━━━━━┩
│ UNKNOWN             │ 15.69 MB  │ 66.21% │
│ CPIO_PORTABLE_ASCII │  2.27 MB  │ 9.58%  │
│ LZMA                │  1.99 MB  │ 8.40%  │
│ ELF32               │  1.84 MB  │ 7.77%  │
│ SQUASHFS_V4_LE      │  1.11 MB  │ 4.66%  │
│ JFFS2_NEW           │ 512.00 KB │ 2.11%  │
│ PADDING             │ 308.00 KB │ 1.27%  │
│ LZO                 │ 917.00 B  │ 0.00%  │
└─────────────────────┴───────────┴────────┘
               Encountered errors                
┏━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Severity         ┃ Name                       ┃
┡━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩
│ Severity.WARNING │ ExtractCommandFailedReport │
└──────────────────┴────────────────────────────┘

and creates a directory XMC.bin_extract/ and a lot of sub-folders, one of it being the root-filesystem.

[BmdOnline]

Okay, I just have python issues. Will upgrade and try unblob.

BTW, root is working, but I have to keep camera connected (tuya app launched with camera preview) to prevent power sleep.

Thanks.

[guino]

@BmdOnline I have never seen any of the 'linux' devices sleep before, I have heard of the battery operated devices having an automatic sleep to reduce power consumption.

Are you guys able to execute anything like ls -laR / or ps -w to identify the main application file ?

[gtxaspec]

the platform you guys are working with is the Ingenic "Zeratul" battery platform, pretty common in the battery ip-cam world on the T series platforms... the way it works, theres typically an external MCU controlling power to the SoC, and reading motion input from something like a PIR sensor. When theres no motion, after a timeout the MCU will physically power down the SoC. Theres 2 different processor architectures built in to the SoC. RISC-V, and MIPS. The RISC-V core will perform sensor and ISP initialization as soon as motion is detected, while the linux core boots up, and then takes over.

[BmdOnline]

[gtxaspec]

judging by the two sets of UART tx/rx pads, there is an external MCU. you should inspect the board chip by chip, and see which one is an MCU

[mihovilkolaric]

Regarding "wake up without tuya app":
From my wireshark-traces, I understand following:

• after startup, MCU of the camera connects to the WIFI, requests an IP using DHCP
• then queries the IPs of "a2.tuyaeu.com" and "m2.tuyaeu.com" (using DNS)
• then there are several encrypted TCP connections: 1 to m2.tuyaeu.com:8883 (Secure MQTT) and 4 to a2.tuyaeu.com:443 (HTTPS)
• finally, the MCU opens an unencrypted MQTT-Connection to m2.tuyaeu.com:1883 and subscribes for the topics "d", "w" and a string, that is also used as client-ID in "Connect Command"
  => This connection remains open, and the camera "refreshes" it every 30s with an "Authentication Exchange".
  This connection is used for waking up the camera: When selecting it in the LSC-App, the camera receives a "Publish Message" for the topic "w" (and some unknown string as value). This triggers that the MQTT-Connection is closed, and the linux boots.

So, maybe it is possible using an own DNS-Server to redirect m2.tuyaeu.com to the IP of a custom "faked" MQTT-Server, which is then used to trigger the wake-up-messages. But this is (yet) highly theoretical.

[BmdOnline]

judging by the two sets of UART tx/rx pads, there is an external MCU. you should inspect the board chip by chip, and see which one is an MCU

Camera side :
NS4152M : NS4152X Series 3.0W Mono Class D Audio Power Amplifier

Front side :
XMC chip
Ingenic T31
4057AN : Lithium-Ion Battery Management Chip
PUYA chip
on first picture below, we can follow tracks from TX (2nd) / RX (3rd) to this chip
on second picture, we can read PUYA, but I can't read the chip reference.

We also have another board inside the camera (last picture below).
I assume it was for motion and IR sensors.

[BmdOnline]

  This connection is used for waking up the camera: When selecting it in the LSC-App, the camera receives a "Publish Message" for the topic "w" (and some unknown string as value). This triggers that the MQTT-Connection is closed, and the linux boots.

From what you say, the network connection and IP address are still active even when the camera is hibernating ?
I thought there would only be an sort of a wake on lan.

When camera is active :

# nmap -p- 192.168.0.155
Starting Nmap 7.95 ( https://nmap.org ) at 2024-06-20 23:44 CEST
Nmap scan report for 192.168.0.155
Host is up (0.036s latency).
Not shown: 65533 closed tcp ports (reset)
PORT     STATE SERVICE
23/tcp   open  telnet
6668/tcp open  irc
MAC Address: A8:41:xx:xx:xx:xx (AzureWave Technology)

When camera is inactive :

# nmap -p- 192.168.0.155
Starting Nmap 7.95 ( https://nmap.org ) at 2024-06-20 23:47 CEST
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 1.51 seconds

[BmdOnline]

you can download precompiled prudynt binaries from: https://github.com/gtxaspec/prudynt-t/

Tried :

• Kill main, replace with watchdog feeder.
• Kill / don't kill alps

# ./prudynt-T31-static
[INFO:main.cpp]: PRUDYNT Video Daemon: Apr 24 2024 05:12:27_cf065ef
[INFO:main.cpp]: Starting Prudynt Video Server.
[INFO:IMP.cpp]: LIBIMP Version IMP-1.1.6
[INFO:IMP.cpp]: SYSUTILS Version: SYSUTILS-1.1.6
[INFO:IMP.cpp]: CPU Information: T31-ZC
[INFO:IMP.cpp]: Sensor:
[ERROR:IMP.cpp]: System Init Failed
[ERROR:main.cpp]: IMP initialization failed.

[BmdOnline]

PUYA chip
on first picture below, we can follow tracks from TX (2nd) / RX (3rd) to this chip on second picture, we can read PUYA, but I can't read the chip reference.

Seem to be PUYA PY32 F030... (maybe F030F16)
https://www.puyasemi.com/en/py32_series.html#common
https://py32.org/en/mcu/PY32F030xx.html

[gtxaspec]

you can download precompiled prudynt binaries from: https://github.com/gtxaspec/prudynt-t/

Tried :

• Kill main, replace with watchdog feeder.
• Kill / don't kill alps

# ./prudynt-T31-static
[INFO:main.cpp]: PRUDYNT Video Daemon: Apr 24 2024 05:12:27_cf065ef
[INFO:main.cpp]: Starting Prudynt Video Server.
[INFO:IMP.cpp]: LIBIMP Version IMP-1.1.6
[INFO:IMP.cpp]: SYSUTILS Version: SYSUTILS-1.1.6
[INFO:IMP.cpp]: CPU Information: T31-ZC
[INFO:IMP.cpp]: Sensor:
[ERROR:IMP.cpp]: System Init Failed
[ERROR:main.cpp]: IMP initialization failed.

for prudynt, you need to make sure another streamer is not running, and second, you need to configure /etc/prudynt.cfg with the sensor info, name, i2c address, etc. then try and run

[gtxaspec]

PUYA chip
on first picture below, we can follow tracks from TX (2nd) / RX (3rd) to this chip on second picture, we can read PUYA, but I can't read the chip reference.

Seem to be PUYA PY32 F030... (maybe F030F16) https://www.puyasemi.com/en/py32_series.html#common https://py32.org/en/mcu/PY32F030xx.html

yeah that looks like its it. have you tried to read the UART logs of the MCU? that would help.

[BmdOnline]

• Sensor is jxf37p

# cat /proc/jz/isp/isp-m0
****************** ISP INFO **********************
Software Version : H20220209a
SENSOR NAME : jxf37p
SENSOR OUTPUT WIDTH : 1920
SENSOR OUTPUT HEIGHT : 1080
ISP OUTPUT FPS : 15 / 1
SENSOR OUTPUT RAW PATTERN : BGGR
ISP Top Value : 0xb4742009
ISP Runing Mode : Day
ISP Custom Mode : Disable
ISP WDR Mode : Disable
SENSOR Integration Time : 34 lines
SENSOR Max Integration Time : 2246 lines
SENSOR analog gain : 0
MAX SENSOR analog gain : 158
SENSOR digital gain : 0
MAX SENSOR digital gain : 0
ISP digital gain : 0
MAX ISP digital gain : 64
ISP Tgain DB : 0
ISP EV value: 34
ISP EV value log2: 333411
ISP EV value us: 1007
ISP EV min int: 2
ISP EV min again: 1024
ISP WB weighted rgain: 350
ISP WB weighted bgain: 451
ISP WB color temperature: 4191
ISP AWB Start rgain 262: bgain 290
Saturation : 128
Saturation : 128
Sharpness : 128
Contrast : 128
Brightness : 124
Antiflicker : 0
Mirror: Enable, Flip: Enable
debug : ch0 done 4137,ip done 4157,0,0,0,0,0,0
debug1 : 0,0,900

• i2c address is 0x40

# ./busybox i2cdetect 0
i2cdetect: WARNING! This program can confuse your I2C bus
Continue? [y/N] y
     0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f
00:          -- -- -- -- -- -- -- -- -- -- -- -- --
10: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
20: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
30: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
40: UU -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
50: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
60: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
70: -- -- -- -- -- -- -- --

• cat prudynt.cfg

general: {
        loglevel: "DEBUG";  # Logging level. Options: DEBUG, INFO, WARNING, ERROR.
};

sensor: {
        model: "jxf37p";  # Sensor model.
        i2c_address: 0x40;  # I2C address of the sensor.
        fps: 24;  # Frames per second captured by the sensor.
        width: 1920;  # Width of the sensor's image (in pixels).
        height: 1080;  # Height of the sensor's image (in pixels).
};

• prudynt-T31-static output

# ./prudynt-T31-static
[INFO:main.cpp]: PRUDYNT Video Daemon: Apr 24 2024 05:12:27_cf065ef
[DEBUG:Logger.cpp]: Logger Init.
[INFO:main.cpp]: Starting Prudynt Video Server.
[INFO:IMP.cpp]: LIBIMP Version IMP-1.1.6
[INFO:IMP.cpp]: SYSUTILS Version: SYSUTILS-1.1.6
[INFO:IMP.cpp]: CPU Information: T31-ZC
[DEBUG:IMP.cpp]: IMP_OSD_SetPoolSize == 131072
[DEBUG:IMP.cpp]: ISP Opened!
[INFO:IMP.cpp]: Sensor: jxf37p
[DEBUG:IMP.cpp]: Sensor Added
[DEBUG:IMP.cpp]: Sensor Enabled
---- FPGA board is ready ----
  Board UID : 30AB6E51
  Board HW ID : 72000460
  Board rev.  : 5DE5A975
  Board date  : 20190326
-----------------------------
[DEBUG:IMP.cpp]: IMP System Initialized
[DEBUG:IMP.cpp]: IMP_ISP_EnableTuning enabled
[DEBUG:IMP.cpp]: ISP Tuning Defaults set
[DEBUG:IMP.cpp]: IMP_ISP_Tuning_SetSensorFPS == 24
[DEBUG:IMP.cpp]: IMP_ISP_Tuning_SetISPRunningMode == 0
[DEBUG:IMP.cpp]: IMP_FrameSource_SetChnRotate == 0
[DEBUG:IMP.cpp]: IMP_FrameSource_CreateChn created
[DEBUG:IMP.cpp]: IMP_FrameSource_SetChnAttr set
[DEBUG:IMP.cpp]: IMP_FrameSource_GetChnFifoAttr set
[DEBUG:IMP.cpp]: IMP_FrameSource_SetChnFifoAttr set
[DEBUG:IMP.cpp]: IMP_FrameSource_SetFrameDepth set
[DEBUG:Encoder.cpp]: Encoder Group created
[ERROR:Encoder.cpp]: IMP_Encoder_SetbufshareChn(1, 0) enabled
[DEBUG:Encoder.cpp]: Encoder Channel 0 created
[DEBUG:Encoder.cpp]: Encoder Channel 0 registered
[DEBUG:Encoder.cpp]: OSD enabled
[DEBUG:OSD.cpp]: OSD init begin
[DEBUG:OSD.cpp]: FREETYPE init failed.
[ERROR:Encoder.cpp]: OSD Init Failed
[ERROR:main.cpp]: Encoder initialization failed.

• OSD disabled in cfg

# ./prudynt-T31-static
[INFO:main.cpp]: PRUDYNT Video Daemon: Apr 24 2024 05:12:27_cf065ef
[DEBUG:Logger.cpp]: Logger Init.
[INFO:main.cpp]: Starting Prudynt Video Server.
[INFO:IMP.cpp]: LIBIMP Version IMP-1.1.6
[INFO:IMP.cpp]: SYSUTILS Version: SYSUTILS-1.1.6
[INFO:IMP.cpp]: CPU Information: T31-ZC
[DEBUG:IMP.cpp]: IMP_OSD_SetPoolSize == 131072
[DEBUG:IMP.cpp]: ISP Opened!
[INFO:IMP.cpp]: Sensor: jxf37p
[DEBUG:IMP.cpp]: Sensor Added
[DEBUG:IMP.cpp]: Sensor Enabled
---- FPGA board is ready ----
  Board UID : 30AB6E51
  Board HW ID : 72000460
  Board rev.  : 5DE5A975
  Board date  : 20190326
-----------------------------
[DEBUG:IMP.cpp]: IMP System Initialized
[DEBUG:IMP.cpp]: IMP_ISP_EnableTuning enabled
[DEBUG:IMP.cpp]: ISP Tuning Defaults set
[DEBUG:IMP.cpp]: IMP_ISP_Tuning_SetSensorFPS == 24
[DEBUG:IMP.cpp]: IMP_ISP_Tuning_SetISPRunningMode == 0
[DEBUG:IMP.cpp]: IMP_FrameSource_SetChnRotate == 0
[DEBUG:IMP.cpp]: IMP_FrameSource_CreateChn created
[DEBUG:IMP.cpp]: IMP_FrameSource_SetChnAttr set
[DEBUG:IMP.cpp]: IMP_FrameSource_GetChnFifoAttr set
[DEBUG:IMP.cpp]: IMP_FrameSource_SetChnFifoAttr set
[DEBUG:IMP.cpp]: IMP_FrameSource_SetFrameDepth set
[DEBUG:Encoder.cpp]: Encoder Group created
[ERROR:Encoder.cpp]: IMP_Encoder_SetbufshareChn(1, 0) enabled
[DEBUG:Encoder.cpp]: Encoder Channel 0 created
[DEBUG:Encoder.cpp]: Encoder Channel 0 registered
[DEBUG:Encoder.cpp]: OSD disabled
[DEBUG:Encoder.cpp]: IMP_System_Bind(FS, ENC)
[ERROR:Encoder.cpp]: IMP_FrameSource_EnableChn() == -1
[ERROR:main.cpp]: Encoder initialization failed.

[gtxaspec]

run logcat and share the output please

[BmdOnline]

yeah that looks like its it. have you tried to read the UART logs of the MCU? that would help.

I have strange behaviour when I'm connecting to GND/TX/RX pins.
Camera doesn't starts correctly, finally camera fully resets (lost all parameters).
I have no console output.

run logcat and share the output please

Normal usage of camera

# logcat
I/OSD     (   91): IMP_OSD_SetPoolSize:524288
D/Sample-Common(   91): sample_system_init start
D/IMP-ISP (   91): ~~~~~~ IMP_ISP_Open[331] ~~~~~~~
D/IMP-ISP (   91): sensor:jxf37p, widht = 1920, height = 1080
I/IMP-ISP (   91): IMP_ISP_AddSensor,487: paddr = 0x0, size = 0x477e70
I/Alloc Manager(   91): MEM Alloc Method is kmalloc
D/KMEM Method(   91): CMD Line Rmem Size:25165824, Addr:0x02800000
D/KMEM Method(   91): alloc->mem_alloc.method = kmalloc
D/KMEM Method(   91):                   alloc->mem_alloc.vaddr = 0x73a3c000
D/KMEM Method(   91):                   alloc->mem_alloc.paddr = 0x02800000
D/KMEM Method(   91):                   alloc->mem_alloc.length = 25165824
I/Alloc Manager(   91): MEM Manager Method is continuous
I/IMP Alloc APIs(   91): Sensor Width:1920 Height:1080 init_vw:1920 init_vh:1080
I/IMP Alloc APIs(   91): FASTSTART_EN width:1920 height:1080 nrvbs:2 ncubuf_len:4685424 wdrbuf_len:0
I/IMP Alloc APIs(   91): ncubuf alloc use g_ncubuf_alloc
D/System  (   91): IMP_System_Init Zeratul SDK Version:1.1.5-667713c9-Tue Aug 30 16:27:21 2022 +0800, built: Aug 31 2022 10:14:25
D/System  (   91): system_init()
D/System  (   91): Calling DSystem
D/System  (   91): Calling FrameSource
D/System  (   91): [ignored]read /proc/cpuinfo ret is NULL
D/System  (   91): Calling IVS
D/System  (   91): Calling OSD
D/System  (   91): Calling Encoder
D/System  (   91): Calling FB
I/FB      (   91): FB device open error:No such file or directory
I/FB      (   91): FB is unavailable
D/Sample-Common(   91): ImpSystemInit success
E/MemPool (   91): IMP_Encoder_GetPool(64):chnNum: 0 not bind pool
I/Encoder (   91): encChn=0,srcFrameCnt=3,srcFrameSize=3133440
I/Encoder (   91): encChn=0,srcStreamCnt=2,enc_chn->stream_frame_size=949248
E/MemPool (   91): IMP_Encoder_GetPool(64):chnNum: 1 not bind pool
I/Encoder (   91): encChn=1,srcFrameCnt=3,srcFrameSize=353280
I/Encoder (   91): encChn=1,srcStreamCnt=2,enc_chn->stream_frame_size=119808
W/Encoder (   91): Jpeg channel will not share buff
E/MemPool (   91): IMP_Encoder_GetPool(64):chnNum: 5 not bind pool
I/Encoder (   91): encChn=5,srcFrameCnt=2,srcFrameSize=353280
I/Encoder (   91): encChn=5,srcStreamCnt=1,enc_chn->stream_frame_size=287104
D/System  (   91): system_bind(): bind DST-OSD-0(4.0.0) to SRC-Framesource-0(0.0.0)
D/System  (   91): system_bind(): bind DST-Encoder-0(1.0.0) to SRC-OSD-0(4.0.0)
D/System  (   91): system_bind(): bind DST-OSD-1(4.1.0) to SRC-Framesource-1(0.1.0)
D/System  (   91): system_bind(): bind DST-Encoder-1(1.1.0) to SRC-OSD-1(4.1.0)
I/OSD     (   91): IMP_OSD_CreateRgn(1202) create handle=0 success
I/OSD     (   91): IMP_OSD_CreateRgn(1202) create handle=1 success
I/Framesource(   91): [chn1]: width = 640 height = 360
E/VBM     (   91): VBMCreatePool()-1: w=640 h=360 f=842094158
E/VBM     (   91): VBMCreatePool()-1: pool->config.fmt.fmt.pix.sizeimage=353280 sizeimage=353280
E/Framesource(   91): IMP_FrameSource_GetPool(3296):chnNum: 1 not bind pool
E/VBM     (   91): VBMCreatePool()-1: sizeimage=353280
I/VBM     (   91): PoolId:1, frame=0x13be680, frame->priv=0x13be6a8, frame[0].virAddr=74f0b000, frame[0].phyAddr=3ccf000
I/VBM     (   91): PoolId:1, frame=0x13beaa0, frame->priv=0x13beac8, frame[1].virAddr=74f61400, frame[1].phyAddr=3d25400
I/Framesource(   91): [chn0]: width = 1920 height = 1080
E/VBM     (   91): VBMCreatePool()-0: w=1920 h=1080 f=842094158
E/VBM     (   91): VBMCreatePool()-0: pool->config.fmt.fmt.pix.sizeimage=0 sizeimage=3133440
E/Framesource(   91): IMP_FrameSource_GetPool(3296):chnNum: 0 not bind pool
I/IMP Alloc APIs(   91): VBMPool0 alloc use g_VBMPool0_alloc
E/VBM     (   91): VBMCreatePool()-0: sizeimage=3133440
I/VBM     (   91): PoolId:0, frame=0x140be40, frame->priv=0x140be68, frame[0].virAddr=73eb4000, frame[0].phyAddr=2c78000
I/VBM     (   91): PoolId:0, frame=0x140c260, frame->priv=0x140c288, frame[1].virAddr=741b1000, frame[1].phyAddr=2f75000
I/ai      (   91): AI Enable: 1
I/ai      (   91): AI Enable Chn: 1-0
I/ai      (   91): EXIT AI Enable Chn: 1-0
I/ai      (   91): AI Set Vol: 90
I/ai      (   91): AI Set Gain: 30
I/ai      (   91): AI NS ENABLE: mode = 2
I/ai      (   91): AI HPF Enable
I/ai      (   91): HPF version is: Ingenic High Pass Filter 1.1.0
I/ai      (   91): AI AGC ENABLE: targetLevelDbfs = 12, compressionGaindB = 41, limiterEnable =1
I/ao      (   91): AO Enable: 0
I/ao      (   91): AO Ch Enable: 0:0
I/ao      (   91): EXIT AO Ch Enable: 0:0
I/ao      (   91): AO Set Vol: 45
I/ao      (   91): AO Get Gain: 28
I/TTFF    (   91): [frame_pooling_thread--419 Channel:1 ]:1086(ms)
I/Encoder (   91): framePriv->i_fps_num=15, framePriv->i_fps_den=1
D/Encoder (   91): enc_chn->index=1, gopAttr->uGopCtrlMode=2, gopAttr->uGopLength=30, gopAttr->uNotifyUserLTInter=0, gopAttr->uMaxSameSenceCnt=2, gopAttr->bEnableLT=0, gopAttr->uFreqLT=0, gopAttr->bLTRC=0
D/Encoder (   91): enc_chn->index=1, enc_chn->chnFpsMask=1, enc_chn->inFrmRate.frmRateNum=15, enc_chn->inFrmRate.frmRateDen=1, enc_chn->setFrmRate.frmRateNum=15, enc_chn->setFrmRate.frmRateDen=1, rcAttr->outFrmRate.frmRateNum=15, rcAttr->outFrmRate.frmRateDen=1
D/Encoder (   91): do_day_night_change(672):enc_chn->inStat.is_day=1
I/TTFF    (   91): [IMP_Encoder_GetStream_Impl--2558 Channel:1 ]:1089(ms)
I/ao      (   91): AO Set Vol: 45
D/Encoder (   91): IMP_Encoder_SetChnFrmRate:encChn=0, enc_chn->setFrmRate.frmRateNum=15, enc_chn->setFrmRate.frmRateDen=1
D/Encoder (   91): IMP_Encoder_SetChnFrmRate:encChn=1, enc_chn->setFrmRate.frmRateNum=15, enc_chn->setFrmRate.frmRateDen=1
I/TTFF    (   91): [frame_pooling_thread--419 Channel:0 ]:1554(ms)
I/Encoder (   91): framePriv->i_fps_num=15, framePriv->i_fps_den=1
D/Encoder (   91): enc_chn->index=0, gopAttr->uGopCtrlMode=2, gopAttr->uGopLength=30, gopAttr->uNotifyUserLTInter=0, gopAttr->uMaxSameSenceCnt=2, gopAttr->bEnableLT=0, gopAttr->uFreqLT=0, gopAttr->bLTRC=0
D/Encoder (   91): enc_chn->index=0, enc_chn->chnFpsMask=1, enc_chn->inFrmRate.frmRateNum=15, enc_chn->inFrmRate.frmRateDen=1, enc_chn->setFrmRate.frmRateNum=15, enc_chn->setFrmRate.frmRateDen=1, rcAttr->outFrmRate.frmRateNum=15, rcAttr->outFrmRate.frmRateDen=1
D/Encoder (   91): do_day_night_change(672):enc_chn->inStat.is_day=1
I/Encoder (   91): framePriv->i_fps_num=15, framePriv->i_fps_den=1
D/Encoder (   91): enc_chn->index=5, gopAttr->uGopCtrlMode=2, gopAttr->uGopLength=0, gopAttr->uNotifyUserLTInter=0, gopAttr->uMaxSameSenceCnt=1, gopAttr->bEnableLT=0, gopAttr->uFreqLT=0, gopAttr->bLTRC=0
D/Encoder (   91): enc_chn->index=5, enc_chn->chnFpsMask=1, enc_chn->inFrmRate.frmRateNum=15, enc_chn->inFrmRate.frmRateDen=1, enc_chn->setFrmRate.frmRateNum=15, enc_chn->setFrmRate.frmRateDen=1, rcAttr->outFrmRate.frmRateNum=15, rcAttr->outFrmRate.frmRateDen=1
D/Encoder (   91): do_day_night_change(672):enc_chn->inStat.is_day=1
I/TTFF    (   91): [IMP_Encoder_GetStream_Impl--2558 Channel:5 ]:1559(ms)
I/TTFF    (   91): [IMP_Encoder_GetStream_Impl--2558 Channel:0 ]:1569(ms)
W/Framesource(   91): IMP_FrameSource_EnableChn(1868):chn=1, channel->state is run
I/VBM     (   91): fval[0].frame=0x13be680
I/VBM     (   91): fval[0].vaddr=0x74f0b000
I/VBM     (   91): fval[0].paddr=0x3ccf000
I/VBM     (   91): fval[0].ref=0
I/VBM     (   91): fval[1].frame=0x13beaa0
I/VBM     (   91): fval[1].vaddr=0x74f61400
I/VBM     (   91): fval[1].paddr=0x3d25400
I/VBM     (   91): fval[1].ref=0
I/VBM     (   91): fval[2].frame=0x140be40
I/VBM     (   91): fval[2].vaddr=0x73eb4000
I/VBM     (   91): fval[2].paddr=0x2c78000
I/VBM     (   91): fval[2].ref=0
I/VBM     (   91): fval[3].frame=0x140c260
I/VBM     (   91): fval[3].vaddr=0x741b1000
I/VBM     (   91): fval[3].paddr=0x2f75000
I/VBM     (   91): fval[3].ref=0
I/VBM     (   91): fval[4].frame=(nil)
I/VBM     (   91): fval[4].vaddr=0x0
I/VBM     (   91): fval[4].paddr=0x0
I/VBM     (   91): fval[4].ref=0
I/VBM     (   91): fval[5].frame=(nil)
I/VBM     (   91): fval[5].vaddr=0x0
I/VBM     (   91): fval[5].paddr=0x0
I/VBM     (   91): fval[5].ref=0
I/VBM     (   91): fval[6].frame=(nil)
I/VBM     (   91): fval[6].vaddr=0x0
I/VBM     (   91): fval[6].paddr=0x0
I/VBM     (   91): fval[6].ref=0
I/VBM     (   91): fval[7].frame=(nil)
I/VBM     (   91): fval[7].vaddr=0x0
I/VBM     (   91): fval[7].paddr=0x0
I/VBM     (   91): fval[7].ref=0
I/VBM     (   91): fval[8].frame=(nil)
I/VBM     (   91): fval[8].vaddr=0x0
I/VBM     (   91): fval[8].paddr=0x0
I/VBM     (   91): fval[8].ref=0
I/VBM     (   91): fval[9].frame=(nil)
I/VBM     (   91): fval[9].vaddr=0x0
I/VBM     (   91): fval[9].paddr=0x0
I/VBM     (   91): fval[9].ref=0
I/VBM     (   91): fval[10].frame=(nil)
I/VBM     (   91): fval[10].vaddr=0x0
I/VBM     (   91): fval[10].paddr=0x0
I/VBM     (   91): fval[10].ref=0
I/VBM     (   91): fval[11].frame=(nil)
I/VBM     (   91): fval[11].vaddr=0x0
I/VBM     (   91): fval[11].paddr=0x0
I/VBM     (   91): fval[11].ref=0
I/VBM     (   91): fval[12].frame=(nil)
I/VBM     (   91): fval[12].vaddr=0x0
I/VBM     (   91): fval[12].paddr=0x0
I/VBM     (   91): fval[12].ref=0
I/VBM     (   91): fval[13].frame=(nil)
I/VBM     (   91): fval[13].vaddr=0x0
I/VBM     (   91): fval[13].paddr=0x0
I/VBM     (   91): fval[13].ref=0
I/VBM     (   91): fval[14].frame=(nil)
I/VBM     (   91): fval[14].vaddr=0x0
I/VBM     (   91): fval[14].paddr=0x0
I/VBM     (   91): fval[14].ref=0
I/VBM     (   91): fval[15].frame=(nil)
I/VBM     (   91): fval[15].vaddr=0x0
I/VBM     (   91): fval[15].paddr=0x0
I/VBM     (   91): fval[15].ref=0
I/VBM     (   91): fval[16].frame=(nil)
I/VBM     (   91): fval[16].vaddr=0x0
I/VBM     (   91): fval[16].paddr=0x0
I/VBM     (   91): fval[16].ref=0
I/VBM     (   91): fval[17].frame=(nil)
I/VBM     (   91): fval[17].vaddr=0x0
I/VBM     (   91): fval[17].paddr=0x0
I/VBM     (   91): fval[17].ref=0
I/VBM     (   91): fval[18].frame=(nil)
I/VBM     (   91): fval[18].vaddr=0x0
I/VBM     (   91): fval[18].paddr=0x0
I/VBM     (   91): fval[18].ref=0
I/VBM     (   91): fval[19].frame=(nil)
I/VBM     (   91): fval[19].vaddr=0x0
I/VBM     (   91): fval[19].paddr=0x0
I/VBM     (   91): fval[19].ref=0
I/VBM     (   91): fval[20].frame=(nil)
I/VBM     (   91): fval[20].vaddr=0x0
I/VBM     (   91): fval[20].paddr=0x0
I/VBM     (   91): fval[20].ref=0
I/VBM     (   91): fval[21].frame=(nil)
I/VBM     (   91): fval[21].vaddr=0x0
I/VBM     (   91): fval[21].paddr=0x0
I/VBM     (   91): fval[21].ref=0
I/VBM     (   91): fval[22].frame=(nil)
I/VBM     (   91): fval[22].vaddr=0x0
I/VBM     (   91): fval[22].paddr=0x0
I/VBM     (   91): fval[22].ref=0
I/VBM     (   91): fval[23].frame=(nil)
I/VBM     (   91): fval[23].vaddr=0x0
I/VBM     (   91): fval[23].paddr=0x0
I/VBM     (   91): fval[23].ref=0
I/VBM     (   91): fval[24].frame=(nil)
I/VBM     (   91): fval[24].vaddr=0x0
I/VBM     (   91): fval[24].paddr=0x0
I/VBM     (   91): fval[24].ref=0
I/VBM     (   91): fval[25].frame=(nil)
I/VBM     (   91): fval[25].vaddr=0x0
I/VBM     (   91): fval[25].paddr=0x0
I/VBM     (   91): fval[25].ref=0
I/VBM     (   91): fval[26].frame=(nil)
I/VBM     (   91): fval[26].vaddr=0x0
I/VBM     (   91): fval[26].paddr=0x0
I/VBM     (   91): fval[26].ref=0
I/VBM     (   91): fval[27].frame=(nil)
I/VBM     (   91): fval[27].vaddr=0x0
I/VBM     (   91): fval[27].paddr=0x0
I/VBM     (   91): fval[27].ref=0
I/VBM     (   91): fval[28].frame=(nil)
I/VBM     (   91): fval[28].vaddr=0x0
I/VBM     (   91): fval[28].paddr=0x0
I/VBM     (   91): fval[28].ref=0
I/VBM     (   91): fval[29].frame=(nil)
I/VBM     (   91): fval[29].vaddr=0x0
I/VBM     (   91): fval[29].paddr=0x0
I/VBM     (   91): fval[29].ref=0
W/Framesource(   91): IMP_FrameSource_EnableChn(1868):chn=1, channel->state is run
W/Framesource(   91): IMP_FrameSource_EnableChn(1868):chn=1, channel->state is run
W/Framesource(   91): IMP_FrameSource_EnableChn(1868):chn=1, channel->state is run
W/Framesource(   91): IMP_FrameSource_EnableChn(1868):chn=1, channel->state is run
W/Framesource(   91): IMP_FrameSource_EnableChn(1868):chn=1, channel->state is run
W/Framesource(   91): IMP_FrameSource_EnableChn(1868):chn=1, channel->state is run
W/Framesource(   91): IMP_FrameSource_EnableChn(1868):chn=1, channel->state is run
W/Framesource(   91): IMP_FrameSource_EnableChn(1868):chn=1, channel->state is run
W/Framesource(   91): IMP_FrameSource_EnableChn(1868):chn=1, channel->state is run
W/Framesource(   91): IMP_FrameSource_EnableChn(1868):chn=1, channel->state is run
W/Framesource(   91): IMP_FrameSource_EnableChn(1868):chn=1, channel->state is run
W/Framesource(   91): IMP_FrameSource_EnableChn(1868):chn=1, channel->state is run
W/Framesource(   91): IMP_FrameSource_EnableChn(1868):chn=1, channel->state is run
W/Framesource(   91): IMP_FrameSource_EnableChn(1868):chn=1, channel->state is run
W/Framesource(   91): IMP_FrameSource_EnableChn(1868):chn=1, channel->state is run
W/Framesource(   91): IMP_FrameSource_EnableChn(1868):chn=1, channel->state is run
W/Framesource(   91): IMP_FrameSource_EnableChn(1868):chn=1, channel->state is run

Then running prudynt

I/OSD     ( 3700): IMP_OSD_SetPoolSize:131072
D/IMP-ISP ( 3700): ~~~~~~ IMP_ISP_Open[331] ~~~~~~~
I/IMP-ISP ( 3700): IMP_ISP_AddSensor,480: paddr = 0x0, size = 0x477e70
I/Alloc Manager( 3700): MEM Alloc Method is kmalloc
D/KMEM Method( 3700): CMD Line Rmem Size:25165824, Addr:0x02800000
D/KMEM Method( 3700): alloc->mem_alloc.method = kmalloc
D/KMEM Method( 3700):                   alloc->mem_alloc.vaddr = 0x75f0a000
D/KMEM Method( 3700):                   alloc->mem_alloc.paddr = 0x02800000
D/KMEM Method( 3700):                   alloc->mem_alloc.length = 25165824
I/Alloc Manager( 3700): MEM Manager Method is continuous
D/System  ( 3700): IMP_System_Init SDK Version:1.1.6-a6394f42-Mon Dec 5 14:39:51 2022 +0800, built: Dec 29 2022 15:38:51
D/System  ( 3700): system_init()
D/System  ( 3700): Calling DSystem
D/System  ( 3700): Calling FrameSource
D/System  ( 3700): [ignored]read /proc/cpuinfo ret is NULL
D/System  ( 3700): Calling IVS
D/System  ( 3700): Calling OSD
D/System  ( 3700): Calling Encoder
D/System  ( 3700): Calling FB
D/Encoder ( 3700): IMP_Encoder_SetbufshareChn: encChn:1, shareChn:0
E/MemPool ( 3700): IMP_Encoder_GetPool(64):chnNum: 0 not bind pool
I/Encoder ( 3700): encChn=0,srcFrameCnt=3,srcFrameSize=3133440
I/Encoder ( 3700): encChn=0,srcStreamCnt=2,enc_chn->stream_frame_size=949248
D/System  ( 3700): system_bind(): bind DST-Encoder-0(1.0.0) to SRC-Framesource-0(0.0.0)
E/Framesource( 3700): [chn0]: VIDIOC_S_FMT error
E/Framesource( 3700): [chn0]: chn_attr.picWidth=1920, chn_attr.picHeight=1080, chn_attr.pixFmt=10
E/Framesource( 3700): [chn0]: chn_attr.crop.enable=0, chn_attr.crop.top=0, chn_attr.crop.left=0, chn_attr.crop.width=1920, chn_attr.crop.height=1080
E/Framesource( 3700): [chn0]: chn_attr.fcrop.enable=0, chn_attr.fcrop.top=0, chn_attr.fcrop.left=0, chn_attr.fcrop.width=0, chn_attr.fcrop.height=0
E/Framesource( 3700): [chn0]: chn_attr.scaler.enable=0, chn_attr.scaler.outwidth=640, chn_attr.scaler.outheight=360
E/Framesource( 3700): IMP_FrameSource_EnableChn(): chn 0 reset channel attr error

[gtxaspec]

E/Framesource( 3700): [chn0]: VIDIOC_S_FMT error indicates that there is a toolchain version mismatch between the modern prudynt streamer and the built-in kernel + kernel modules for the ISP and sensor.

so unless you recompile prudynt with the ancient gcc 4.7.2 ingenic toolchain, not going to work, unless you do a full thingino install. thingino & prudynt are compiled with gcc13/14

[gtxaspec]

can you run this too? for reference to get the gpio map for your device:

mount -t debugfs none /sys/kernel/debug
cat /sys/kernel/debug/gpio

[BmdOnline]

E/Framesource( 3700): [chn0]: VIDIOC_S_FMT error indicates that there is a toolchain version mismatch between the modern prudynt streamer and the built-in kernel + kernel modules for the ISP and sensor.

so unless you recompile prudynt with the ancient gcc 4.7.2 ingenic toolchain, not going to work, unless you do a full thingino install. thingino & prudynt are compiled with gcc13/14
thingino means reflash camera.

I prefer to recompile prudynt, but I have to create an entire build environment...

can you run this too? for reference to get the gpio map for your device:

[root@Zeratul:~]# mount -t debugfs none /sys/kernel/debug
[root@Zeratul:~]# cat /sys/kernel/debug/gpio
GPIOs 0-31, GPIO A:

GPIOs 32-63, GPIO B:
 gpio-41  (sysfs               ) out lo
 gpio-43  (sysfs               ) out lo
 gpio-50  (oob irq             ) in  lo
 gpio-52  (home key            ) in  lo
 gpio-53  (mmc_detect          ) in  lo
 gpio-59  (sysfs               ) out lo
 gpio-60  (IR_N                ) out lo
 gpio-61  (IR_P                ) out lo
 gpio-62  (sysfs               ) out lo
 gpio-63  (sysfs               ) out lo

GPIOs 64-95, GPIO C:

[gtxaspec]

try https://github.com/Dafang-Hacks/mips-gcc472-glibc216-64bit

[BmdOnline]

try https://github.com/Dafang-Hacks/mips-gcc472-glibc216-64bit

Seem so be too complicated for me.
too many dependencies, errors...

Building deps :
Right from the start, to compile freetype.
fatal error: bzlib.h: No such file or directory

Trying to build prudynt :
unrecognized command line option '-std=c++20'

[mihovilkolaric]

try https://github.com/Dafang-Hacks/mips-gcc472-glibc216-64bit

Finally I managed to compile it (with a few modifications),

but with the config

general: {
        loglevel: "DEBUG";  # Logging level. Options: DEBUG, INFO, WARNING, ERROR.
};

sensor: {
        model: "jxf37p";  # Sensor model.
        i2c_address: 0x40;  # I2C address of the sensor.
        fps: 24;  # Frames per second captured by the sensor.
        width: 1920;  # Width of the sensor's image (in pixels).
        height: 1080;  # Height of the sensor's image (in pixels).
};

osd: {
        enabled: false;  # Enable or disable the OSD (On-Screen Display).
};

I still get following output on stdout:

[root@Zeratul:sdcard]# ./prudynt
[INFO:main.cpp]: PRUDYNT Video Daemon: Jul 12 2024 21:21:49_ba49bec
[DEBUG:Logger.cpp]: Logger Init.
[INFO:main.cpp]: Starting Prudynt Video Server.
[INFO:IMP.cpp]: LIBIMP Version IMP-1.1.6
[INFO:IMP.cpp]: SYSUTILS Version: SYSUTILS-1.1.6
[INFO:IMP.cpp]: CPU Information: T31-ZC
[DEBUG:IMP.cpp]: IMP_OSD_SetPoolSize == 131072
[DEBUG:IMP.cpp]: ISP Opened!
[INFO:IMP.cpp]: Sensor: jxf37p
[DEBUG:IMP.cpp]: Sensor Added
[DEBUG:IMP.cpp]: Sensor Enabled
---- FPGA board is ready ----
  Board UID : 30AB6E51
  Board HW ID : 72000460
  Board rev.  : 5DE5A975
  Board date  : 20190326
-----------------------------
[DEBUG:IMP.cpp]: IMP System Initialized
[DEBUG:IMP.cpp]: IMP_ISP_EnableTuning enabled
[DEBUG:IMP.cpp]: ISP Tuning Defaults set
[DEBUG:IMP.cpp]: IMP_ISP_Tuning_SetSensorFPS == 24
[DEBUG:IMP.cpp]: IMP_ISP_Tuning_SetISPRunningMode == 0
[DEBUG:IMP.cpp]: IMP_FrameSource_SetChnRotate == 0
[DEBUG:IMP.cpp]: IMP_FrameSource_CreateChn created
[DEBUG:IMP.cpp]: IMP_FrameSource_SetChnAttr set
[DEBUG:IMP.cpp]: IMP_FrameSource_GetChnFifoAttr set
[DEBUG:IMP.cpp]: IMP_FrameSource_SetChnFifoAttr set
[DEBUG:IMP.cpp]: IMP_FrameSource_SetFrameDepth set
[DEBUG:Encoder.cpp]: Encoder Group created
[DEBUG:Encoder.cpp]: IMP_Encoder_SetbufshareChn(1, 0) enabled
[DEBUG:Encoder.cpp]: Encoder Channel 0 created
[DEBUG:Encoder.cpp]: Encoder Channel 0 registered
[DEBUG:Encoder.cpp]: OSD disabled
[DEBUG:Encoder.cpp]: IMP_System_Bind(FS, ENC)
[ERROR:Encoder.cpp]: IMP_FrameSource_EnableChn() == -1
[ERROR:main.cpp]: Encoder initialization failed.
Segmentation fault
[root@Zeratul:sdcard]# 

and following output in logcat:

I/OSD     ( 7192): IMP_OSD_SetPoolSize:131072
D/IMP-ISP ( 7192): ~~~~~~ IMP_ISP_Open[331] ~~~~~~~
I/IMP-ISP ( 7192): IMP_ISP_AddSensor,480: paddr = 0x0, size = 0x477e70
I/Alloc Manager( 7192): MEM Alloc Method is kmalloc
D/KMEM Method( 7192): CMD Line Rmem Size:25165824, Addr:0x02800000
D/KMEM Method( 7192): alloc->mem_alloc.method = kmalloc
D/KMEM Method( 7192):                   alloc->mem_alloc.vaddr = 0x7591a000
D/KMEM Method( 7192):                   alloc->mem_alloc.paddr = 0x02800000
D/KMEM Method( 7192):                   alloc->mem_alloc.length = 25165824
I/Alloc Manager( 7192): MEM Manager Method is continuous
D/System  ( 7192): IMP_System_Init SDK Version:1.1.6-a6394f42-Mon Dec 5 14:39:51 2022 +0800, built: Dec 29 2022 15:38:51
D/System  ( 7192): system_init()
D/System  ( 7192): Calling DSystem
D/System  ( 7192): Calling FrameSource
D/System  ( 7192): [ignored]read /proc/cpuinfo ret is NULL
D/System  ( 7192): Calling IVS
D/System  ( 7192): Calling OSD
D/System  ( 7192): Calling Encoder
D/System  ( 7192): Calling FB
D/Encoder ( 7192): IMP_Encoder_SetbufshareChn: encChn:1, shareChn:0
E/MemPool ( 7192): IMP_Encoder_GetPool(64):chnNum: 0 not bind pool
I/Encoder ( 7192): encChn=0,srcFrameCnt=3,srcFrameSize=3133440
I/Encoder ( 7192): encChn=0,srcStreamCnt=2,enc_chn->stream_frame_size=949248
D/System  ( 7192): system_bind(): bind DST-Encoder-0(1.0.0) to SRC-Framesource-0(0.0.0)
E/Framesource( 7192): [chn0]: VIDIOC_S_FMT error
E/Framesource( 7192): [chn0]: chn_attr.picWidth=1920, chn_attr.picHeight=1080, chn_attr.pixFmt=10
E/Framesource( 7192): [chn0]: chn_attr.crop.enable=0, chn_attr.crop.top=0, chn_attr.crop.left=0, chn_attr.crop.width=1920, chn_attr.crop.height=1080
E/Framesource( 7192): [chn0]: chn_attr.fcrop.enable=0, chn_attr.fcrop.top=0, chn_attr.fcrop.left=0, chn_attr.fcrop.width=0, chn_attr.fcrop.height=0
E/Framesource( 7192): [chn0]: chn_attr.scaler.enable=0, chn_attr.scaler.outwidth=640, chn_attr.scaler.outheight=360
E/Framesource( 7192): IMP_FrameSource_EnableChn(): chn 0 reset channel attr error

-> no change.

[mihovilkolaric]

Just realized that "my" binary still uses
IMP_System_Init SDK Version:1.1.6-a6394f42-Mon Dec 5 14:39:51 2022 +0800, built: Dec 29 2022 15:38:51
while the original stone/main logs:
IMP_System_Init Zeratul SDK Version:1.1.5-667713c9-Tue Aug 30 16:27:21 2022 +0800, built: Aug 31 2022 10:14:25

Changed the Makefile to use:
cp ingenic-lib/$1/lib/1.1.5/uclibc/4.7.2/* $TOP/3rdparty/install/lib
when building the deps.
(and needed to comment out the call to IMP_FrameSource_SetChnRotate in IMP.cpp in order to compile)

Output with the same config as before:

[root@Zeratul:sdcard]# ./prudynt
[INFO:main.cpp]: PRUDYNT Video Daemon: Jul 12 2024 22:39:36_ba49bec
[DEBUG:Logger.cpp]: Logger Init.
[INFO:main.cpp]: Starting Prudynt Video Server.
[INFO:IMP.cpp]: LIBIMP Version IMP-1.1.5
[INFO:IMP.cpp]: SYSUTILS Version: SYSUTILS-1.1.5
[INFO:IMP.cpp]: CPU Information: T31-ZC
[DEBUG:IMP.cpp]: IMP_OSD_SetPoolSize == 131072
[DEBUG:IMP.cpp]: ISP Opened!
[INFO:IMP.cpp]: Sensor: jxf37p
[DEBUG:IMP.cpp]: Sensor Added
[DEBUG:IMP.cpp]: Sensor Enabled
---- FPGA board is ready ----
  Board UID : 30AB6E51
  Board HW ID : 72000460
  Board rev.  : 5DE5A975
  Board date  : 20190326
-----------------------------
[DEBUG:IMP.cpp]: IMP System Initialized
[DEBUG:IMP.cpp]: IMP_ISP_EnableTuning enabled
[DEBUG:IMP.cpp]: ISP Tuning Defaults set
[DEBUG:IMP.cpp]: IMP_ISP_Tuning_SetSensorFPS == 24
[DEBUG:IMP.cpp]: IMP_ISP_Tuning_SetISPRunningMode == 0
[DEBUG:IMP.cpp]: DISABLED IMP_FrameSource_SetChnRotate() for IMP 1.1.5
[DEBUG:IMP.cpp]: IMP_FrameSource_CreateChn created
[DEBUG:IMP.cpp]: IMP_FrameSource_SetChnAttr set
[DEBUG:IMP.cpp]: IMP_FrameSource_GetChnFifoAttr set
[DEBUG:IMP.cpp]: IMP_FrameSource_SetChnFifoAttr set
[DEBUG:IMP.cpp]: IMP_FrameSource_SetFrameDepth set
[DEBUG:Encoder.cpp]: Encoder Group created
[DEBUG:Encoder.cpp]: IMP_Encoder_SetbufshareChn(1, 0) enabled
[DEBUG:Encoder.cpp]: Encoder Channel 0 created
[DEBUG:Encoder.cpp]: Encoder Channel 0 registered
[DEBUG:Encoder.cpp]: OSD disabled
[DEBUG:Encoder.cpp]: IMP_System_Bind(FS, ENC)
[DEBUG:Encoder.cpp]: Frame Source Channel 0 enabled
Segmentation fault
[root@Zeratul:sdcard]#

and logcat says:

I/OSD     ( 3205): IMP_OSD_SetPoolSize:131072
D/IMP-ISP ( 3205): ~~~~~~ IMP_ISP_Open[331] ~~~~~~~
I/IMP-ISP ( 3205): IMP_ISP_AddSensor,480: paddr = 0x0, size = 0x477e70
I/Alloc Manager( 3205): MEM Alloc Method is kmalloc
D/KMEM Method( 3205): CMD Line Rmem Size:25165824, Addr:0x02800000
D/KMEM Method( 3205): alloc->mem_alloc.method = kmalloc
D/KMEM Method( 3205):                   alloc->mem_alloc.vaddr = 0x765d3000
D/KMEM Method( 3205):                   alloc->mem_alloc.paddr = 0x02800000
D/KMEM Method( 3205):                   alloc->mem_alloc.length = 25165824
I/Alloc Manager( 3205): MEM Manager Method is continuous
D/System  ( 3205): IMP_System_Init SDK Version:1.1.5-83df8b7-Thu May 12 17:34:01 2022 +0800, built: May 14 2022 13:51:32
D/System  ( 3205): system_init()
D/System  ( 3205): Calling DSystem
D/System  ( 3205): Calling FrameSource
D/System  ( 3205): [ignored]read /proc/cpuinfo ret is NULL
D/System  ( 3205): Calling IVS
D/System  ( 3205): Calling OSD
D/System  ( 3205): Calling Encoder
D/System  ( 3205): Calling FB
D/Encoder ( 3205): IMP_Encoder_SetbufshareChn: encChn:1, shareChn:0
E/MemPool ( 3205): IMP_Encoder_GetPool(64):chnNum: 0 not bind pool
I/Encoder ( 3205): encChn=0,srcFrameCnt=3,srcFrameSize=3133440
I/Encoder ( 3205): encChn=0,srcStreamCnt=2,enc_chn->stream_frame_size=949248
D/System  ( 3205): system_bind(): bind DST-Encoder-0(1.0.0) to SRC-Framesource-0(0.0.0)
I/Framesource( 3205): [chn0]: width = 1920 height = 1080
E/VBM     ( 3205): VBMCreatePool()-0: w=1920 h=1080 f=842094158
E/VBM     ( 3205): VBMCreatePool()-0: pool->config.fmt.fmt.pix.sizeimage=3133440 sizeimage=3133440
E/Framesource( 3205): IMP_FrameSource_GetPool(3245):chnNum: 0 not bind pool
E/VBM     ( 3205): VBMCreatePool()-0: sizeimage=3133440
I/VBM     ( 3205): PoolId:0, frame=0xcb3a20, frame->priv=0xcb3a48, frame[0].virAddr=772cff00, frame[0].phyAddr=34fcf00
I/VBM     ( 3205): PoolId:0, frame=0xcb3e40, frame->priv=0xcb3e68, frame[1].virAddr=775ccf00, frame[1].phyAddr=37f9f00

This is btw. the binary I used:
prudynt.zip

dmesg logs:

[   85.377041] probe ok ------->jxf37p
[   85.377082] jxf37p chip found @ 0x40 (i2c0)
[   85.377089] sensor driver version H20231024a
[   85.377401] Calibration len = 159736
[   85.377457] Calibration len = 159736
[   85.377469] Load Sensor Setting DATE:calibration mode 0 MD5:calibration crc 4018056183
[   85.377477] Calibration len = 159736
[   85.537312] jxf37p stream on
[   85.636508] do_page_fault() #2: sending SIGSEGV to prudynt for invalid read access from
[   85.636508] 00000000 (epc == 00000000, ra == 00415438)
[   85.713035] jxf37p stream off

[BmdOnline]

try https://github.com/Dafang-Hacks/mips-gcc472-glibc216-64bit

Finally I managed to compile it (with a few modifications),

Another step forward. Great 👍

Can you provide a patch file, or explain your changes ?
So we can compile it ourselves.

Thanks.

[gtxaspec]

Just realized that "my" binary still uses IMP_System_Init SDK Version:1.1.6-a6394f42-Mon Dec 5 14:39:51 2022 +0800, built: Dec 29 2022 15:38:51 while the original stone/main logs: IMP_System_Init Zeratul SDK Version:1.1.5-667713c9-Tue Aug 30 16:27:21 2022 +0800, built: Aug 31 2022 10:14:25

Changed the Makefile to use: cp ingenic-lib/$1/lib/1.1.5/uclibc/4.7.2/* $TOP/3rdparty/install/lib when building the deps. (and needed to comment out the call to IMP_FrameSource_SetChnRotate in IMP.cpp in order to compile)

Output with the same config as before:

[root@Zeratul:sdcard]# ./prudynt
[INFO:main.cpp]: PRUDYNT Video Daemon: Jul 12 2024 22:39:36_ba49bec
[DEBUG:Logger.cpp]: Logger Init.
[INFO:main.cpp]: Starting Prudynt Video Server.
[INFO:IMP.cpp]: LIBIMP Version IMP-1.1.5
[INFO:IMP.cpp]: SYSUTILS Version: SYSUTILS-1.1.5
[INFO:IMP.cpp]: CPU Information: T31-ZC
[DEBUG:IMP.cpp]: IMP_OSD_SetPoolSize == 131072
[DEBUG:IMP.cpp]: ISP Opened!
[INFO:IMP.cpp]: Sensor: jxf37p
[DEBUG:IMP.cpp]: Sensor Added
[DEBUG:IMP.cpp]: Sensor Enabled
---- FPGA board is ready ----
  Board UID : 30AB6E51
  Board HW ID : 72000460
  Board rev.  : 5DE5A975
  Board date  : 20190326
-----------------------------
[DEBUG:IMP.cpp]: IMP System Initialized
[DEBUG:IMP.cpp]: IMP_ISP_EnableTuning enabled
[DEBUG:IMP.cpp]: ISP Tuning Defaults set
[DEBUG:IMP.cpp]: IMP_ISP_Tuning_SetSensorFPS == 24
[DEBUG:IMP.cpp]: IMP_ISP_Tuning_SetISPRunningMode == 0
[DEBUG:IMP.cpp]: DISABLED IMP_FrameSource_SetChnRotate() for IMP 1.1.5
[DEBUG:IMP.cpp]: IMP_FrameSource_CreateChn created
[DEBUG:IMP.cpp]: IMP_FrameSource_SetChnAttr set
[DEBUG:IMP.cpp]: IMP_FrameSource_GetChnFifoAttr set
[DEBUG:IMP.cpp]: IMP_FrameSource_SetChnFifoAttr set
[DEBUG:IMP.cpp]: IMP_FrameSource_SetFrameDepth set
[DEBUG:Encoder.cpp]: Encoder Group created
[DEBUG:Encoder.cpp]: IMP_Encoder_SetbufshareChn(1, 0) enabled
[DEBUG:Encoder.cpp]: Encoder Channel 0 created
[DEBUG:Encoder.cpp]: Encoder Channel 0 registered
[DEBUG:Encoder.cpp]: OSD disabled
[DEBUG:Encoder.cpp]: IMP_System_Bind(FS, ENC)
[DEBUG:Encoder.cpp]: Frame Source Channel 0 enabled
Segmentation fault
[root@Zeratul:sdcard]#

and logcat says:

I/OSD     ( 3205): IMP_OSD_SetPoolSize:131072
D/IMP-ISP ( 3205): ~~~~~~ IMP_ISP_Open[331] ~~~~~~~
I/IMP-ISP ( 3205): IMP_ISP_AddSensor,480: paddr = 0x0, size = 0x477e70
I/Alloc Manager( 3205): MEM Alloc Method is kmalloc
D/KMEM Method( 3205): CMD Line Rmem Size:25165824, Addr:0x02800000
D/KMEM Method( 3205): alloc->mem_alloc.method = kmalloc
D/KMEM Method( 3205):                   alloc->mem_alloc.vaddr = 0x765d3000
D/KMEM Method( 3205):                   alloc->mem_alloc.paddr = 0x02800000
D/KMEM Method( 3205):                   alloc->mem_alloc.length = 25165824
I/Alloc Manager( 3205): MEM Manager Method is continuous
D/System  ( 3205): IMP_System_Init SDK Version:1.1.5-83df8b7-Thu May 12 17:34:01 2022 +0800, built: May 14 2022 13:51:32
D/System  ( 3205): system_init()
D/System  ( 3205): Calling DSystem
D/System  ( 3205): Calling FrameSource
D/System  ( 3205): [ignored]read /proc/cpuinfo ret is NULL
D/System  ( 3205): Calling IVS
D/System  ( 3205): Calling OSD
D/System  ( 3205): Calling Encoder
D/System  ( 3205): Calling FB
D/Encoder ( 3205): IMP_Encoder_SetbufshareChn: encChn:1, shareChn:0
E/MemPool ( 3205): IMP_Encoder_GetPool(64):chnNum: 0 not bind pool
I/Encoder ( 3205): encChn=0,srcFrameCnt=3,srcFrameSize=3133440
I/Encoder ( 3205): encChn=0,srcStreamCnt=2,enc_chn->stream_frame_size=949248
D/System  ( 3205): system_bind(): bind DST-Encoder-0(1.0.0) to SRC-Framesource-0(0.0.0)
I/Framesource( 3205): [chn0]: width = 1920 height = 1080
E/VBM     ( 3205): VBMCreatePool()-0: w=1920 h=1080 f=842094158
E/VBM     ( 3205): VBMCreatePool()-0: pool->config.fmt.fmt.pix.sizeimage=3133440 sizeimage=3133440
E/Framesource( 3205): IMP_FrameSource_GetPool(3245):chnNum: 0 not bind pool
E/VBM     ( 3205): VBMCreatePool()-0: sizeimage=3133440
I/VBM     ( 3205): PoolId:0, frame=0xcb3a20, frame->priv=0xcb3a48, frame[0].virAddr=772cff00, frame[0].phyAddr=34fcf00
I/VBM     ( 3205): PoolId:0, frame=0xcb3e40, frame->priv=0xcb3e68, frame[1].virAddr=775ccf00, frame[1].phyAddr=37f9f00

This is btw. the binary I used: prudynt.zip

dmesg logs:

[   85.377041] probe ok ------->jxf37p
[   85.377082] jxf37p chip found @ 0x40 (i2c0)
[   85.377089] sensor driver version H20231024a
[   85.377401] Calibration len = 159736
[   85.377457] Calibration len = 159736
[   85.377469] Load Sensor Setting DATE:calibration mode 0 MD5:calibration crc 4018056183
[   85.377477] Calibration len = 159736
[   85.537312] jxf37p stream on
[   85.636508] do_page_fault() #2: sending SIGSEGV to prudynt for invalid read access from
[   85.636508] 00000000 (epc == 00000000, ra == 00415438)
[   85.713035] jxf37p stream off

Static or dynamic binary? Try a static binary and see if it makes a difference

[mihovilkolaric]

Can you provide a patch file, or explain your changes ?

Of course ... just needed to clean up a bit (I tried many different things, and this is now the bare minimum required to compile prudynt).

Here is what I did:
make_unique.TXT
-> rename to make_unique.hpp and copy to src
LSC_solar_changes.TXT
-> rename to .patch, and apply

Clone https://github.com/Dafang-Hacks/mips-gcc472-glibc216-64bit somewhere
Build with:
PRUDYNT_CROSS=<FULL_PATH_TO>/mips-gcc472-glibc216-64bit/bin/mips-linux-gnu- ./build.sh deps T31 -static
followed by
PRUDYNT_CROSS=<FULL_PATH_TO>/mips-gcc472-glibc216-64bit/bin/mips-linux-gnu- ./build.sh prudynt T31 -static

Static or dynamic binary? Try a static binary and see if it makes a difference

As seen above, I tried static only, to avoid any troubles with library-path or similar.

[mihovilkolaric]

One more thing:
I just realized that some logs are lost, such as:
LOG_INFO("Loaded configuration from " + cfgFilePath);
which I don't find neither on stdout, nor in logcat - are there other places to search for, or other logging-settings beyond loglevel: "DEBUG"; ?

[BmdOnline]

I manage to compile too, but I had to disable bzip2 (--without-bzip2) when I build freetype2.
Now I have the same error as you.

[gtxaspec]

Can you share dmesg logs after segfault?
Also, a firmware dump would help.

Has anyone tried to install thingino? Much easier to run everything compiled from the same tool chain.

[mihovilkolaric]

Can you share dmesg logs after segfault?

Sure:

[  470.786608] probe ok ------->jxf37p
[  470.786645] jxf37p chip found @ 0x40 (i2c0)
[  470.786653] sensor driver version H20231024a
[  470.786961] Calibration len = 159736
[  470.787017] Calibration len = 159736
[  470.787029] Load Sensor Setting DATE:calibration mode 0 MD5:calibration crc 4018056183
[  470.787037] Calibration len = 159736
[  470.936217] jxf37p stream on
[  470.974654] do_page_fault() #2: sending SIGSEGV to prudynt for invalid read access from
[  470.974654] 00000000 (epc == 00000000, ra == 00415438)
[  470.993099] jxf37p stream off

Also, a firmware dump would help.

Unfortunately, I have no programmer, so I did not manage to dump the flash. @BmdOnline has one - maybe he can send it to you.

Has anyone tried to install thingino? Much easier to run everything compiled from the same tool chain.

No idea how to do that - especially as it's homepage says that zeratul is not (yet) supported.

[gtxaspec]

zeratul chips can run just fine in non-zeratul mode, so firmware for non-zeratul devices will work. The worry is the external MCU, forcing the SOC to reset.

if you can bypass the MCU resetting the SOC, then another firmware will work fine.

a programmer is the best way to install, on development devices, as it turns out

[BmdOnline]

Also, a firmware dump would help.

My firmware dump contains personal data (mac, ssid & passsword).
I can share specific parts (I've extracted all parts) if you want, or I can try to wipe personal data using an hex editor.

Has anyone tried to install thingino? Much easier to run everything compiled from the same tool chain.

I prefer avoid to flash a new firmware if possible.
I like idea to use sdcard without altering original firmware.

[BmdOnline]

I've uploaded each partition except config which contains personal data (rename files from dmp to bin).

partition	Size	Designation	Format	Donwload
mtdblock0	256 Ko	boot		mtdblock0.dmp
mtdblock1	352 Ko	tag		mtdblock1.dmp
mtdblock2	5 Mo	kernel	uimage	mtdblock2.dmp
mtdblock3	6 Mo	rootfs	lzo	mtdblock3.dmp
mtdblock4	2.5 Mo	recovery	lzma	mtdblock4.dmp
mtdblock5	1.4 Mo	system	squashfs	mtdblock5.dmp
mtdblock6	512 Ko	config	jffs2	mtdblock6.sha256sum.txt (contains personal data)
mtdblock7	16 Mo	all

You can recreate entire firmware

cat mtdblock0.bin mtdblock1.bin mtdblock2.bin mtdblock3.bin \
mtdblock4.bin mtdblock5.bin mtdblock6.bin > firmware.bin

Or extract each partition individually

• rootfs

mv mtdblock3.bin rootfs_camera.cpio.lzo
echo -ne \\x89\\x4C\\x5A\\x4F | dd conv=notrunc count=1 of=rootfs_camera.cpio.lzo
lzop -d rootfs_camera.cpio.lzo
mkdir rootfs_camera && cd rootfs_camera
cpio -idmv < ../rootfs_camera.cpio

• recovery

dd if=mtdblock4.bin skip=1 bs=64 of=recovery.lzma
7z e recovery.lzma
mv recovery recovery.img
mkdir recovery && cd recovery
7z x ../recovery.img

• system

mv mtdblock5.bin system.squashfs
mkdir system && cd system
unsquashfs ../system.squashfs

• config

mv mtdblock6.bin config.jffs2
mkdir config && cd config
jefferson ../config.jffs2

@mihovilkolaric, can you dump your config partition
dd if=/dev/mtdblock6 of=/tmp/mnt/sdcard/mtdblock6.bin
Then extract its contents and calculate all sha256sum
find . -type f -exec sha256sum {} \;
So we can compare yours and mine and identify generic files and personal data.

If you want, you can extract your firmware using
dd if=/dev/mtdblock7 of=/tmp/mnt/sdcard/firmware.bin
mtdblock7 means entire firmware. The same as when I dumped XMC directly.

[mihovilkolaric]

I managed to get a coredump from the crashing prudynt:
prudynt-coredump.zip
(but was not able to find analyze it - does someone have an idea how to get useful information out of the dump?)