Hack not workin with Merkury 720p

[dixnor]

Hi @guino, tried your new hack with 2 different SD cards and still having the same behavior, seems the env/hack/all other files are not executed at all.
This is the display of my /proc/cmdline

mem=23M console=ttyAMA0,115200 loglevel=0 ppsdebug=off mtdparts=hi_sfc:192k(bld)ro,64k(env)ro,64k(enc)ro,64k(sysflg),2240k(sys),5m(app),448k(cfg) ppsAppParts=5 ip=192.168.1.10:::255.255.255.0 eth=08:88:xx:xx:xx:xx

I have remarked also that mem=23M is different than yours (which is 64M). Is it possible that I will need to adapt the env file also because of a different hardware?
Not sure about this but your camera looks exactly the same than the one I try to hack too, so should work but it's not executing.

Seems close this time and thanks for all the incredible job you did for this.

[guino]

@dixnor can you post your http://admin:056565099@IP/devices/deviceinfo ? it does loook like your firmware is different than mine.
BTW: my cmdline shows 64M but the device itself only has 36M of RAM.

Also did you try the new steps to extract firmware file:
guino/BazzDoorbell#11 (I added a different zip file that works on these cameras, or at least on mine)

[guino]

@dixnor was any of the SD cards you tried a Samsung brand ? (I know that worked on mine)

[dixnor]

@guino
yes used a Samsung 64GB and a cheap 2GB sd card, same result. Will try the other option to dump the ppsapp.
This is my deviceinfo:
**{"devname":"Smart Home Camera","model":"Mini 7C","serialno":"056938109","softwareversion":"2.7.2","hardwareversion":"MINI5C_V12","firmwareversion":"ppstrong-c4-tuya2_geeni-2.7.2.20190520"...

[guino]

@dixnor that is even older than the one I have, though it also says Mini 7C hardware. The only reasons I can think of it not working are: 1-older/different bootloader with a different load address/commands OR 2-The SD card isn't being recognized by the bootloader (which happened with one of my SD cards).

This is kind of hail mary but may help if the issue is the bootloader address (and the bootloader still has the required commands), so assuming you still have the files on your SD card, please try and UNZIP this ppsMmcTool.zip over the one on your SD card and re-do step 4 forward. Please also try both SD cards if it doesn't work with one.
If the issue is the SD card (like I had) I'm afraid you'd have to try other cards -- please note this is just to 'install' the hack and once it is installed you should be able to replace the card for other brands. This is because the bootloader SD card driver seems buggy and a different driver is used once the device boots up (likely better).

[StuDaBaiker]

I am also having this issue and have the same hardware revision. I tried the other ppsMmcTool and it did not work. I am also running firmware 2.7.2.

[guino]

@StuDaBaiker did you also try dfferent brand SD cards ?

Without a device and without seeing a UART boot log when installing the patch I have no way of helping. Feel free to email me directly if you get UART access (requires opening+soldering+hardware) as I could give you some pointers.

[StuDaBaiker]

@guino I only have Samsung Evo available atm. I do have a second one I could try but I haven't opened the package yet.

Do you know of a repository of firmware so I can upgrade to a specific version?

What hardware do I need if I want to take a look at the log?

If it's beyond me I would consider shipping you one. I really want to get rtsp working

[guino]

There’s no firmware files available that I have seen for this device. All you can do is check for updates in whatever app you’re using (or try different apps) such as tuya, smart life, geeni, etc

If you want to look at the log you will need a TTL level serial adapter, soldering iron and likely be familiar enough to solder the wires and such. I would not mind taking a look if you shipped me a device (and I can send it back when done) - I am in Canada so if you want to arrange it just send me an email (my email is on my github profile).

[jjsmisbye]

I have an ancient (early 2018) firmware for the c4 (MINI5C).
Is it possible that the load address for the c4-tuya2_geeni devices could be 0x80008000? My c4 cam is out of commission so I can't confirm but for my a2-tuya2_geeni cam, the Data address in the uImage section matched the load address that I had to use in the ppsMmcTool.txt scripts.

Binwalk of the old firmware:

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
152           0x98            uImage header, header size: 64 bytes, header CRC: 0x2DD06C63, created: 2018-01-02 07:20:02, image size: 2258976 bytes, Data Address: 0x80008000, Entry Point: 0x80008000, data CRC: 0xC25C6FAF, OS: Linux, CPU: ARM, image type: OS Kernel Image, compression type: none, image name: "Linux-3.4.35"
216           0xD8            Linux kernel ARM boot executable zImage (little-endian)
16559         0x40AF          gzip compressed data, maximum compression, from Unix, last modified: 1970-01-01 00:00:00 (null date)
2259192       0x2278F8        JFFS2 filesystem, little endian

[guino]

@jjsmisbye the binwalk seems like it's missing an area for the boot loader so I assume this is just an update file ? If it's an update file the binwalk may be ok -- you should be able to try loading it by placing it in the SD card as upgrade.bin and adjusting ppsMmcTool.txt to have file=updgade.bin (then boot holding reset for 5 seconds). This should not cause problems -- it may not work if the address is wrong but it won't damage the bootloader. The only way to know the address (for sure) would be to use a serial port. You can try to 'guess' the address using guino/BazzDoorbell#11 to see if you can 'read' the firmware -- if the address is correct it should get you a copy of current contents in the firmware (and binwalk should show stuff). There's no other option I know to figure out the address. Addresses we have seen so far are 42000000 (newer devices), 81808000 and 81C08000. It is entirely possible to have an address 80008000 as pointed by your binwalk information (so you should definitely try it).

[guino]

@jjsmisbye I just checked the few upgrade files I have managed to get and the ones that have the kernel do have matching address so chances are high the correct address is 80008000. In fact one of the files I have is: 1530687241-ppstrong-c4-tuya2-geeni-1.10.2.bin and also shows 80008000 as the address. It is usually pretty hard to get a copy of the upgrade file (without hacking it first) but this does seem to be a valid way to get the load address (IF it contains a kernel update in it).

[jjsmisbye]

Oops, you are absolutely right about it being an upgrade file. Unfortunately, I seem to have previously messed up my device beyond the point where I can bring it back. Simply changing the address did not work for me but that's my fault for jumping in the deep end without knowing how to swim first. I'm hoping the address can be verified by someone with a working c4 to dump out their firmware and get them going with the hack.

[Ne3Mx]

Hi @guino, tried your new hack with 2 different SD cards and still having the same behavior, seems the env/hack/all other files are not executed at all.
This is the display of my /proc/cmdline

mem=23M console=ttyAMA0,115200 loglevel=0 ppsdebug=off mtdparts=hi_sfc:192k(bld)ro,64k(env)ro,64k(enc)ro,64k(sysflg),2240k(sys),5m(app),448k(cfg) ppsAppParts=5 ip=192.168.1.10:::255.255.255.0 eth=08:88:xx:xx:xx:xx

I have remarked also that mem=23M is different than yours (which is 64M). Is it possible that I will need to adapt the env file also because of a different hardware?
Not sure about this but your camera looks exactly the same than the one I try to hack too, so should work but it's not executing.

Seems close this time and thanks for all the incredible job you did for this.

I think it's because you may have an older Geeni 720 camera, I bought a new camera and the hack was successful. The hack does not work on my older 720 cameras. I've opened a new issue and hopefully we'll get it working!