Victure PC540 360 SmartIP Cam #1672
@ioprev mentioned in #1632 he can boot from sd, he didn't specify with which kernel/fs so far I can only load kernel using the device flash,
unfortunately something goes wrong and I don't have the block devices and the fs is ro
I didn't understand how to load the FS from SD though, root=/dev/mtdblock2 doesn't work |
I have the "new model" of Victure PC540 that doesn't support the RTSP or ONVIF protocols. Only works with the Victure Home App. |
I bought a new model https://www.amazon.de/dp/B07QPY7XRT too as backup in case something goes wrong. Strange to say, it's identical to the previous one, even the PCB, but the processor isn't the T20L anymore but an Arm one from Anyka. I succeeded anyway in accessing both; the second one is even easier. |
I bought this one https://www.amazon.es/dp/B07FKJB2ZN. Did you need to pair using a QR or sound? In my case with QR, and doing a network scan no ports are found in the IP assigned to the camera (80, 554, 8080,... ) |
That's the one. Now you will have the console. Now you can mount the sdcard and backup the firmware as described in the documentation.
Unsquash the mtd4 dump on a Linux pc, modify /etc/init.d/rcS and uncomment telnetd
With ak_onvif_demo you start the onvif process but it only works with Ethernet attached |
@burlizzi I can confirm that I have the same Anyka based camera. It was a bit complicated to figure out how to disassemble the camera, and now I have a small circle rubber that I don't know where it comes from (hehe) but yes, very easy to use 3 wire jumpers and a FTDI adapter with Putty...
How did you change the root password? With passwd? Is it the default user when you get to the console? |
Does anyone have a working firmware then I can put on an SD card without having to hack the camera and make it work? I currently am putting this camera on a network that does not have internet and need some help doing this. I'd really appreciate it. This camera is the PC540 from Victure |
@pilfos yes, passwd, but! You have to stop the bootloader, change the bootargs init to sh |
@burlizzi in my case, after doing the
I needed to do a reset from the prompt then it boots using the /bin/sh and I can get the console command
I can see that the microSD card is mounted but I don't see anything in /proc so I directly copied the firmware with
Is this the right way? I didn't change the root password. I'll try to check later the contents of the microSD and do the Unsquash/Squash Thanks! |
I don't have the camera here, I am counting on my faulty memory |
@burlizzi I executed what was in /etc/init.d/rcS but last line. So I was able to mount everything and copy the from /dev/mtdblock* as files... https://www.programmersought.com/article/20934638572/ I don't know if it could be useful to get the wifi working... |
@burlizzi I was able to squash the modified mtd4 partition but how can I flash it to the camera from the SD card? In case of failure I can flash again the original mtd4 I saved before? Which files are needed in the SD card to boot from it using the bootargs from #1632 (comment) ? Thanks! |
@pilfos the #1632 refers to a T20 system, the only kernel and filesystem here they come from the camera itself
kernel.bin being the mtd1 you dumped before |
but @burlizzi, how did you flash the modified mtd4 to the camera? |
Yes, that
|
Just curious, did it work? |
didn't check yet... :-/ |
tried dd if=/mnt/sd/A.bin of=/dev/mtdblock4 but then...
I think the problem is with mksquashfs. I didn't use any params, only the source dir and des file to create. Maybe I needed to use the xz compressor instead of the default gzip? But now, how to try again if the system can't boot from mtd4? I can see with fatls mmc 0:1 the files on the sdcard, so I don't know if I can copy back the backup of mtd4 from the U boot. |
@pilfos you have the backup, right? now the problem is that you can't boot it, |
I did it, and tried to boot with bootm 0x80600000 but I get a "Wrong Image Format for bootm command"
then if I try to reset, I get again the SQUASHFS errors and kernel panic |
of course, bootm should find a kernel image at that location you have a filesystem |
I apologize, I just read in the uboot help that the parameter for
|
Yes! It worked with the sf update using the partition name. But this time I tried again with the rootfs compressed with xz and now
this is what I'm using
where squashfs-root is the dir containing the modified rootfs
to confirm that there is the correct rootfs with the modified rcS so, how should I use the mksquashfs ? Thanks @burlizzi ! |
I tried to "pad" the file to match the size of the original rootfs backup
and now there is no compression error but I get a different one:
I also tried to do the dd if=/mnt/sd/A.bin of=/dev/mtdblock4 with the original rootfs backup file and it works so it's a problem with the mksquashfs ... |
Well at the end what I did was to load the modified rootfs from the u-boot and it boots correctly. Tomorrow I'll check if I can get connected through telnet... |
try this, |
Ahhh interesting file, the update_check.sh :) but, it doesn't find the ipc_victure_pc530f37
Did you build the update.rar ? |
Yes but I didn't try, I used dd to update the root fs |
Hello, my name is Mauro and I am enthusiastically watching the evolution of this change in the PC540 ... with the hope of being able to watch the RTSP streaming from a PC without using the app. Hello, Mauro |
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
I'm digging this back up since I got a very similar camera, but no luck with any of the suggestions here.
After this, the camera starts and I get no output anymore. If I abort the boot with Ctrl-C, I can access u-boot and get some info:
Any suggestions? I mostly need RTSP or ONVIF. |
it seems the same hardware but different firmware.
another possibility is to exploit the factory tests.
this should give you access via telnet but you probably couldn't log in because of the root password, in that case you could try this content instead
another more complex alternative if this doesn't work: |
The factory test folder does nothing, it just starts normally with that folder/file.
|
Try the second method, dumping memory over serial, later in the page.
On Fri 10 Dec 2021, 19:19 Arakon ***@***.***> wrote:
… The factory test folder does nothing, it just starts normally with that
folder/file.
Trying to upload the firmware dump fails due to apparently missing a tftp
transfer function.
anyka$help
? - alias for 'help'
base - print or set address offset
bootm - boot application image from memory
bootp - boot image via network using BOOTP/TFTP protocol
chpart - change active partition
cmp - memory compare
cp - memory copy
crc32 - checksum calculation
downimage- downimage - download and write All-Image to FLASH device,partiton table from ENV partition.
downjffs2fs- load usr.jffs2 tftp
downkernel- load uImage tftp
downrootfs- load root.sqsh4 tftp
downsquashfs- load usr.sqsh4 tftp
downuboot- load uboot tftp
env - environment handling commands
erase - erase FLASH memory
fatinfo - print information about filesystem
fatload - load binary file from a dos filesystem
fatls - list files in a directory (default /)
flinfo - print FLASH memory information
format - erase uboot env
go - start application at address 'addr'
help - print command description/usage
loop - infinite loop on address range
md - memory display
mm - memory modify (auto-incrementing address)
mmc - MMC sub system
mmcinfo - display MMC info
mtdparts- define flash/nand partitions
mw - memory write (fill)
nm - memory modify (constant address)
parts - read out partitions table info.
parts_adjust-
adjust parts info. Each part's size,offset etc.
ping - send ICMP ECHO_REQUEST to network host
printenv- print environment variables
protect - enable or disable FLASH write protection
readcfg - read config from config.
reset - Perform RESET of the CPU
run - run commands in an environment variable
saveenv - save environment variables to persistent storage
setenv - set environment variables
setloadaddr- set loadaddr to config infor .
sf - spi flash sub-system:
tfdownjffs2fs- load usr.jffs2TF
tfdownkernel- load uImageTF
tfdownrootfs- load root.sqsh4TF
tfdownsquashfs- load usr.sqsh4TF
tfdownuboot- load u-boot.binTF
tftpboot- boot image via network using TFTP protocol
tfupdateimage- tfupdateimage - download and write All-Image to FLASH device
updatecfg- update config from config infor table.
version - print monitor, compiler and linker version
|
Done.. I may have overdumped the file (I think I read the flash at 16 MiB instead of 8), though. |
You can split with dd into files with the partition sizes or, much easier
give it to binwalk to extract the squashfs root, then you can uncompress,
modify and recompress.
You can then save the modified squashed filesystem on a sdcard with
dd if=file.squashfs of=/dev/mmc....whatever
and modify the bootargs to load the root from there
If everything runs ok you can then write back in your flash
I will play a little tomorrow with the file you shared.
On Fri 10 Dec 2021, 22:51 Arakon ***@***.***> wrote:
… Done.. I may have overdumped the file (I think I read the flash at 16 MiB
instead of 8), though.
https://drive.google.com/file/d/1SYkadyWdry4OlS1krlKZzaqUy0c_nhUl/view?usp=sharing
However, I'm rather lost at this point what to do.
|
so I did this
now I can't mount the jffs2 partition on my computer, find a way... you need because you have to change the root password else you won't be able to log in via telnet alternatively you can use this
or, even better add this to usr/sbin/anyka_ipc.sh
then repack everything
and flash it with |
this should work automatically on older version (not the one @Arakon owns, sorry @Arakon you should modify your etc/init.d scripts to start it) |
Seems my cam is dead, either way.. If I attempt to load any file from SD or tftp, the shell just locks up and I have to reboot the camera. |
try with this, put the kernel in a sd card and at the UBOOT console
if your root fs matches this kernel version:
end if; |
Thanks for your continued help, but it fails here for me:
This happens with any SD Card I try, from 2 GB to 32 GB, FAT or FAT32. The card is recognized since the detected_capacity changes depending on the card size, it just can't do anything with it, apparently. |
Hello Friends so we know that the /etc/jffs2 mount is writable, so if we could only just re-point that /usr/sbin/service.sh to a different one on /etc/jffs2/service.sh we could have full control of what we want to do without needing an SD card or network boot, and let the existing setup start everything else like wifi and camera drivers normally. Enter /sbin/update_image.sh. specifically the beginning lines
and the last bit
Now we know this script is looking for a file called root.sqsh4 with an accompanying root.sqsh4.md5 file in the /tmp directory to update the rootfs image. It checks the md5 (not my typo) and then calls the /sbin/updater application to write the rootfs. My steps from start to finish were: UART to Uboot and run
Now you've booted into a prompt as root without login. We change the password
which gets written to /etc/jffs2/passwd- [shadow] and is persistent. Now we manually mount the rest of the filesystem as per /etc/init.d/rcS
At this point, if you've already used the app to connect to your wifi, then your SSID, Password, and Security Type is in /etc/jffs2/anyka_cfg.ini. If not, you'll want to fill that in. It's plain text, but we can fix all that later. Easier to just use what's there for now. Now we start telnet, start ftp, and connect to wifi (dhcp), again as per the rc scripts
Now we can FTP to the device, and grab the /dev/mtd4 file and save it to a linux box as mtd4.bin. (I'm using Ubuntu 20.04)
Now we know the blocksize is the default 131072 bytes and the compression is xz. So we can now unsquash mtd4.bin and make that little change to rc.local.
Now we have a directory called mtd4 with the rootfs image expanded to it. We can go in and make our changes to /etc/init.d/rc.local. I personally commented out the ftpd start line, and changed the last line "/usr/sbin/service.sh start &" to read "/etc/jffs2/service.sh start &". Now we recompress mtd4 back to squashfs using the default 131072 blocksize and xz compression we found above, but this time we're going to name it root.sqsh4 like that update_image.sh script wants. Back in the unsquashed dir that contains the mtd4 extracted dir
Now we take this root.sqsh4 file from our linux box and using FTP we drop it back on the device in /tmp. Remember we're still booted in a console with /bin/sh and all the filesystems mounted. Also remember that we hijacked rc.local to init our /etc/jffs2/service.sh script, so let's create that quick.
and we add
Ok, now back to the firmware. cd back to /tmp where you dropped your root.sqsh4 file.
And now for the magic, updating the rootfs from within the rootfs with the update_image.sh script
and now when you reboot you should see it run thru the normal startup, start and connect to wifi, and the last 3 commands we put into our /etc/jffs2/service.sh script, and be able to login with root and the password you set back at the start of this adventure
Voilà! You can log in via UART console or telnet, wifi connected, camera drivers loaded, leds set to off, a writable partition that runs init scripts, all with no SD card, and no callhome or pesky open ports. Now... to pick apart that /usr/bin/ak_rtsp_demo |
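The SQUASHFS boot errors reported earlier in the thread came from a repack whose parameters differed from the original dump (default gzip instead of xz). The check below is an added example, not part of any comment in this thread: it reads the SquashFS 4.x superblock of the original dump and of the repacked image and lists mismatches before anything is written to flash. The partition size and the sample images are constructed for the demo.

```python
import hashlib
import struct

# Compressor ids as stored in the SquashFS 4.x superblock.
COMPRESSORS = {1: "gzip", 2: "lzma", 3: "lzo", 4: "xz", 5: "lz4", 6: "zstd"}

def read_superblock(image):
    """Return block size, compressor and used bytes from a SquashFS 4.x superblock."""
    if len(image) < 48 or image[:4] != b"hsqs":
        raise ValueError("no little-endian SquashFS magic at offset 0")
    block_size = struct.unpack_from("<I", image, 12)[0]
    comp_id = struct.unpack_from("<H", image, 20)[0]
    bytes_used = struct.unpack_from("<Q", image, 40)[0]
    return {"block_size": block_size,
            "compression": COMPRESSORS.get(comp_id, f"unknown({comp_id})"),
            "bytes_used": bytes_used}

def check_repack(original, repacked, partition_size):
    """List the reasons a repacked rootfs should not be written over the original."""
    old, new = read_superblock(original), read_superblock(repacked)
    problems = []
    for field in ("compression", "block_size"):
        if old[field] != new[field]:
            problems.append(f"{field}: dump has {old[field]}, repack has {new[field]}")
    if len(repacked) > partition_size:
        problems.append(f"image is {len(repacked)} bytes, partition holds {partition_size}")
    if new["bytes_used"] > len(repacked):
        problems.append("image is truncated: superblock claims more bytes than the file has")
    return problems

def md5_hex(image):
    """Digest for the companion .md5 file; its exact layout is set by update_image.sh."""
    return hashlib.md5(image).hexdigest()

def fake_image(block_size, comp_id, total_len):
    """Constructed sample: a superblock-only stand-in for a real dump, zero padded."""
    sb = bytearray(96)
    sb[0:4] = b"hsqs"
    struct.pack_into("<I", sb, 12, block_size)
    struct.pack_into("<HH", sb, 20, comp_id, block_size.bit_length() - 1)
    struct.pack_into("<HH", sb, 28, 4, 0)  # version 4.0
    struct.pack_into("<Q", sb, 40, 96)     # bytes_used
    return bytes(sb) + bytes(total_len - 96)

if __name__ == "__main__":
    PARTITION = 0x200000  # assumed mtd4 size for the demo, not taken from the thread
    dump = fake_image(131072, 4, PARTITION)       # xz, 131072-byte blocks, as in the thread
    gzip_repack = fake_image(131072, 1, PARTITION // 2)
    print(check_repack(dump, gzip_repack, PARTITION))
    print(check_repack(dump, fake_image(131072, 4, PARTITION // 2), PARTITION))
```

On real files, pass the bytes of mtd4.bin and root.sqsh4 and the partition size reported by the device.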
Good job. Unfortunately ak_rtsp_demo is limited to 720p, no ptz, no IR filter, no IR led, no motion detection. |
I have bricked my camera. It is not the same firmware. I used to use the app IPCamPro, but with this firmware I cannot login to camera or change the root password. Neither interrupt the uboot process. Is anybody able to share the SPI flash dump for the firmware you are talking about, to try to enable the login at least? Thanks!! |
The binaries are here #1672 (comment) |
Yeah, I know. I got an SPI flasher. This is the way I enabled telnet, but cannot change the credentials to login. Playing with this I bricked the firmware and cannot connect to the camera |
I was just curious if I flashed this firmware to this camera using your method would it work? Every time I do a search for custom firmware for this camera it always pulls up your firmware hack. Does anyone know if they can confirm this for me?
https://www.amazon.com/Victure-Wireless-Security-Detection-Surveillance/dp/B07G6Z4Z3K