Victure PC540 360 SmartIP Cam #1672

Closed
antman1455 opened this issue Jan 21, 2021 · 46 comments

@antman1455

I was just curious if I flashed this firmware to this camera using your method would it work? Every time I do a search for custom firmware for this camera it always pulls up your firmware hack. Does anyone know if they can confirm this for me?
https://www.amazon.com/Victure-Wireless-Security-Detection-Surveillance/dp/B07G6Z4Z3K

@burlizzi

burlizzi commented Jan 22, 2021

@ioprev mentioned in #1632 that he can boot from SD; he didn't specify with which kernel/fs. So far I can only load the kernel using the device flash:

setenv bootargs console=ttyS1,115200n8 mem=39M@0x0 ispmem=8M@0x2700000 rmem=17M@0x2F00000 init=/bin/sh rootfstype=squashfs root=/dev/mtdblock2 rw mtdparts=jz_sfc:512K(boot),1600k(kernel),2816k(root),1536k(user),832k(web),896k(mtd)
fatload mmc 0:1 0x80600000 t20l.bin
bootm 0x80600000

unfortunately something goes wrong and I don't have the block devices and the fs is ro

~ # df
Filesystem           1K-blocks      Used Available Use% Mounted on
df: /proc/mounts: No such file or directory
~ # ls /dev  -la
drwxrwxr-x    2 1006     1006             3 Sep 29  2017 .
drwxr-xr-x   19 1006     1006           238 Jan 25  2018 ..
~ # ls /proc/ -la
drwxr-xr-x    2 1006     1006             3 May 30  2016 .
drwxr-xr-x   19 1006     1006           238 Jan 25  2018 ..
~ #

I didn't understand how to load the FS from SD though; root=/dev/mtdblock2 doesn't work.
I am afraid to flash something which might brick the camera. I'm Italian, I'm too lazy to desolder the flash to back it up.

@pilfos

pilfos commented Jan 29, 2021

I have the "new model" of Victure PC540 that doesn't support the RTSP or ONVIF protocols. It only works with the Victure Home App.
@burlizzi were you able to boot from the microSD card? If so, can you send me the .bin file? Thanks

@burlizzi

I bought a new model https://www.amazon.de/dp/B07QPY7XRT too, as a backup in case something goes wrong. Strange to say, it's identical to the previous one, even the PCB, but the processor isn't the T20L anymore but an ARM one from Anyka. I succeeded anyway in accessing both; the second one is even easier.
The passwords are stored in the mtd position and the ONVIF software is already there, just launch ak_onvif_demo or something like that.
I will write something more detailed later.
You can find the Anyka SDK here on GitHub

@pilfos

pilfos commented Jan 30, 2021

I bought this one https://www.amazon.es/dp/B07FKJB2ZN. Did you need to pair using a QR or sound? In my case with QR, and doing a network scan no ports are found in the IP assigned to the camera (80, 554, 8080,... )

@burlizzi

That's the one.
Connect the UART to the board, stop at U-Boot by pressing Enter before boot begins.
Enter:
setenv bootargs console=ttySAK0,115200n8 root=/dev/mtdblock4 rootfstype=squashfs init=/bin/sh mem=64M memsize=64M

Now you will have the console.
Change the root password, there is already one but I couldn't guess what it is, just create your own.

Now you can mount the sdcard and backup the firmware as described in the documentation.
Note that you can save the whole firmware with mtd0

[root@anyka ~]$ cat /proc/mtd
dev:    size   erasesize  name
mtd0: 00800000 00001000 "spi0.0"
mtd1: 00200000 00001000 "KERNEL"
mtd2: 00001000 00001000 "MAC"
mtd3: 00001000 00001000 "ENV"
mtd4: 00180000 00001000 "A"
mtd5: 0007d000 00001000 "B"
mtd6: 003b6000 00001000 "C"
[root@anyka ~]$

Unsquash the mtd4 dump on a Linux pc, modify /etc/init.d/rcS and uncomment telnetd
Squash it and flash
If you want to have just ONVIF you have to do some more work to connect Wi-Fi or Ethernet, because the app was taking care of it. I didn't finish it myself, so you can help me out here.

anyka login: root
Password: 
welcome to file system
[root@anyka ~]$ ls /usr/bin/          
-rwxrwxr-x    1 1029     1033          7592 Jul 17  2020 ak_adec_demo
-rwxrwxr-x    1 1029     1033          8492 Jul 17  2020 ak_aec_demo
-rwxrwxr-x    1 1029     1033         10908 Jul 17  2020 ak_aec_ex_demo
-rwxrwxr-x    1 1029     1033          9160 Jul 17  2020 ak_aenc_demo
-rwxrwxr-x    1 1029     1033          5972 Jul 17  2020 ak_ai_demo
-rwxrwxr-x    1 1029     1033          6272 Jul 17  2020 ak_ao_demo
-rwxrwxr-x    1 1029     1033          4376 Jul 17  2020 ak_drv_i2c_demo
-rwxrwxr-x    1 1029     1033          3980 Jul 17  2020 ak_drv_ir_demo
-rwxrwxr-x    1 1029     1033          4340 Jul 17  2020 ak_drv_key_demo
-rwxrwxr-x    1 1029     1033          4860 Jul 17  2020 ak_drv_ptz_demo
-rwxrwxr-x    1 1029     1033          4816 Jul 17  2020 ak_drv_pwm_demo
-rwxrwxr-x    1 1029     1033          3760 Jul 17  2020 ak_drv_wdt_demo
-rwxrwxr-x    1 1029     1033         22612 Jul 17  2020 ak_dvr_record_demo
-rwxrwxr-x    1 1029     1033          6708 Jul 17  2020 ak_effect_demo
-rwxrwxr-x    1 1029     1033          6508 Jul 17  2020 ak_lib_version
-rwxrwxr-x    1 1029     1033          7132 Jul 17  2020 ak_mask_demo
-rwxrwxr-x    1 1029     1033          5740 Jul 17  2020 ak_md_demo
-rwxrwxr-x    1 1029     1033         13384 Jul 17  2020 ak_mt_demo
-rwxrwxr-x    1 1029     1033          5892 Jul 17  2020 ak_od_demo
-rwxrwxr-x    1 1029     1033        172340 Jul 17  2020 ak_onvif_demo
-rwxrwxr-x    1 1029     1033          8576 Jul 17  2020 ak_osd_demo
-rwxrwxr-x    1 1029     1033         16404 Jul 17  2020 ak_rtsp_demo
-rwxrwxr-x    1 1029     1033          5936 Jul 17  2020 ak_tw_demo
-rwxrwxr-x    1 1029     1033         11940 Jul 17  2020 ak_venc_demo
-rwxrwxr-x    1 1029     1033          5752 Jul 17  2020 ak_vi_demo
-rwxrwxr-x    1 1029     1033         10440 Jul 17  2020 ak_vpss_demo
-rwxrwxr-x    1 1029     1033          5932 Jul 17  2020 ak_vpss_md_demo
-rwxrwxr-x    1 1029     1033       2111398 Jul 17  2020 anyka_ipc
-rwxr-xr-x    1 1029     1033          1261 Jul 17  2020 ca.crt.pem
-rwxrwxr-x    1 1029     1033          5724 Jul 17  2020 ccli
-rwxrwxr-x    1 1029     1033          6552 Jul 17  2020 cmd_serverd
-rwxrwxr-x    1 1029     1033         14128 Jul 17  2020 daemon
-rwxrwxr-x    1 1029     1033          6052 Jul 17  2020 disk_repair
-rwxrwxrwx    1 1029     1033         14412 Jul  7  2020 get_device_id
-rwxrwxrwx    1 1029     1033         10542 Jul 17  2020 get_nooie_uid
-rwxr-xr-x    1 1029     1033         15464 Feb  9  2017 getconf
-rwxrwxrwx    1 1029     1033        342376 Jul  7  2020 hostapd
-rwxr-xr-x    1 1029     1033          5504 Feb  9  2017 iconv
-rwxrwxrwx    1 1029     1033         27049 Jul  7  2020 iwconfig
-rwxrwxrwx    1 1029     1033         29901 Jul  7  2020 iwlist
-rwxrwxrwx    1 1029     1033         15220 Jul  7  2020 iwpriv
-rwxr-xr-x    1 1029     1033          7596 Feb  9  2017 ldd
-rwxrwxrwx    1 1029     1033          9416 Jul  7  2020 set_nooie_ssid
-rwxr-xr-x    1 1029     1033         16763 Jul 17  2020 top_thread
-rwxrwxrwx    1 1029     1033         45088 Jul  7  2020 wpa_cli
-rwxrwxrwx    1 1029     1033         24944 Jul  7  2020 wpa_passphrase
-rwxrwxrwx    1 1029     1033        440468 Jul  7  2020 wpa_supplicant
[root@anyka ~]$ service.sh stop &&  ak_onvif_demo

With ak_onvif_demo you start the onvif process but it only works with Ethernet attached
Lot to do, lot of possibilities.

@pilfos

pilfos commented Jan 31, 2021

@burlizzi I can confirm that I have the same Anyka based camera. It was a bit complicated to figure out how to disassemble the camera, and now I have a small circle rubber that I don't know where it comes from (hehe) but yes, very easy to use 3 wire jumpers and an FTDI adapter with PuTTY...

U-Boot 2013.10.0-AK_V3.0.05 (Aug 25 2020 - 01:42:22)

DRAM:  64 MiB
8 MiB
Create flash partition table init OK!
ak_sdhsmmc_init:
ANYKA SDHC/MMC4.0: 0
Load Env CRC OK!
In:    serial
Out:   serial
Err:   serial
reset pin value: 1

Hit any key to stop autoboot:  1                                                                                                             0

SF: 1430392 bytes @ 0x39000 Read: OK
## Booting kernel from Legacy Image at 81b08000 ...
   Image Name:   Linux-3.4.35
   Image Type:   ARM Linux Kernel Image (uncompressed)
   Data Size:    1430328 Bytes = 1.4 MiB
   Load Address: 81b08000
   Entry Point:  81b08040
   Verifying Checksum ... OK
   XIP Kernel Image ... OK

Starting kernel ...

Uncompressing Linux... done, booting the kernel.
Anyka Linux Kernel Version: 1.1.12
Booting Linux on physical CPU 0
Linux version 3.4.35 (lubh@apemans_server) (gcc version 4.8.5 (anyka (gcc-4.8.5 + binutils-2.24 + ulcibc-0.9.33.2)(20170223)) ) #7 Wed Dec 30 08:16:35 UTC 2020
CPU: ARM926EJ-S [41069265] revision 5 (ARMv5TEJ), cr=00053177
CPU: VIVT data cache, VIVT instruction cache
Machine: CLOUD39EV3_AK3918EV300_MNBD
Memory policy: ECC disabled, Data cache writeback
ANYKA CPU AK3918 (ID 0x20160100)

How did you change the root password? With passwd? Is it the default user when you get to the console?

@antman1455

Does anyone have a working firmware that I can put on an SD card without having to hack the camera and make it work? I am currently putting this camera on a network that does not have internet and need some help doing this. I'd really appreciate it. This camera is the PC540 from Victure.

@burlizzi

burlizzi commented Feb 1, 2021

@pilfos yes, passwd, but! You have to stop the bootloader, change the bootargs init to sh
setenv bootargs console=ttySAK0,115200n8 root=/dev/mtdblock4 rootfstype=squashfs init=/bin/sh mem=64M memsize=64M
@antman1455 you have an older version with T20L, right? I have a solution for that too, using the serial console. From the boot log I see it's looking for a file called update.img in U-Boot, but I never investigated enough to discover the format of that file. I made too many destructive tests on that camera and I had to desolder it many times; now some pins seem too fragile to afford another test, so I need some help.

@pilfos

pilfos commented Feb 1, 2021

@burlizzi in my case, after doing the

setenv bootargs console=ttySAK0,115200n8 root=/dev/mtdblock4 rootfstype=squashfs init=/bin/sh mem=64M memsize=64M

I needed to do a reset from the prompt then it boots using the /bin/sh and I can get the console command

U-Boot 2013.10.0-AK_V3.0.05 (Aug 25 2020 - 01:42:22)

DRAM:  64 MiB
8 MiB
Create flash partition table init OK!
ak_sdhsmmc_init:
ANYKA SDHC/MMC4.0: 0
Load Env CRC OK!
In:    serial
Out:   serial
Err:   serial
reset pin value: 1

Hit any key to stop autoboot:  1                                                                                                             0

SF: 1430392 bytes @ 0x39000 Read: OK
## Booting kernel from Legacy Image at 81b08000 ...
   Image Name:   Linux-3.4.35
   Image Type:   ARM Linux Kernel Image (uncompressed)
   Data Size:    1430328 Bytes = 1.4 MiB
   Load Address: 81b08000
   Entry Point:  81b08040
   Verifying Checksum ... OK
   XIP Kernel Image ... OK

Starting kernel ...

Uncompressing Linux... done, booting the kernel.
Anyka Linux Kernel Version: 1.1.12
Booting Linux on physical CPU 0
Linux version 3.4.35 (lubh@apemans_server) (gcc version 4.8.5 (anyka (gcc-4.8.5 + binutils-2.24 + ulcibc-0.9.33.2)(20170223)) ) #7 Wed Dec 30 08:16:35 UTC 2020
CPU: ARM926EJ-S [41069265] revision 5 (ARMv5TEJ), cr=00053177
CPU: VIVT data cache, VIVT instruction cache
Machine: CLOUD39EV3_AK3918EV300_MNBD
Memory policy: ECC disabled, Data cache writeback
ANYKA CPU AK3918 (ID 0x20160100)
Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 9398
Kernel command line: console=ttySAK0,115200n8 root=/dev/mtdblock4 rootfstype=squashfs init=/bin/sh mem=64M memsize=64M
PID hash table entries: 256 (order: -2, 1024 bytes)
Dentry cache hash table entries: 8192 (order: 3, 32768 bytes)
Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)
Memory: 37MB = 37MB total
Memory: 33240k/33240k available, 4648k reserved, 0K highmem
Virtual kernel memory layout:
    vector  : 0xffff0000 - 0xffff1000   (   4 kB)
    fixmap  : 0xfff00000 - 0xfffe0000   ( 896 kB)
    vmalloc : 0xc2800000 - 0xff000000   ( 968 MB)
    lowmem  : 0xc0000000 - 0xc2500000   (  37 MB)
    modules : 0xbf000000 - 0xc0000000   (  16 MB)
      .text : 0xc0008000 - 0xc03b0000   (3744 kB)
      .init : 0xc03b0000 - 0xc03cb000   ( 108 kB)
      .data : 0xc03cc000 - 0xc03f2118   ( 153 kB)
       .bss : 0xc03f213c - 0xc04130e8   ( 132 kB)
SLUB: Genslabs=13, HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
NR_IRQS:117
sched_clock: 32 bits at 12MHz, resolution 83ns, wraps every 357913ms
AK39 console driver initial
console [ttySAK0] enabled
Calibrating delay loop... 199.06 BogoMIPS (lpj=995328)
pid_max: default: 32768 minimum: 301
Mount-cache hash table entries: 512
CPU: Testing write buffer coherency: ok
Setting up static identity map for 0x81de1ba0 - 0x81de1bf8
devtmpfs: initialized
NET: Registered protocol family 16
On-chip L2 memory initialized
AK39 clocks: CPU 400MHz, MEM 400MHz, ASIC 120MHz
Anyka platform share gpio locks initialize.
bio: create slab <bio-0> at 0
usbcore: registered new interface driver usbfs
usbcore: registered new interface driver hub
usbcore: registered new device driver usb
i2c-ak39 i2c-ak39: Unable to achieve desired frequency 300KHz. Lowest achievable 312KHz
i2c-ak39 i2c-ak39: i2c-0: AK39 I2C adapter
Linux video capture interface: v2.00
cfg80211: Calling CRDA to update world regulatory domain
Switching to clocksource ak_timer5 cs
NET: Registered protocol family 2
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 2048 (order: 2, 16384 bytes)
TCP bind hash table entries: 2048 (order: 1, 8192 bytes)
TCP: Hash tables configured (established 2048 bind 2048)
TCP: reno registered
UDP hash table entries: 256 (order: 0, 4096 bytes)
UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
NET: Registered protocol family 1
RPC: Registered named UNIX socket transport module.
RPC: Registered udp transport module.
RPC: Registered tcp transport module.
RPC: Registered tcp NFSv4.1 backchannel transport module.
squashfs: version 4.0 (2009/01/31) Phillip Lougher
exFAT: Version 1.2.9
jffs2: version 2.2. © 2001-2006 Red Hat, Inc.
msgmni has been set to 64
io scheduler noop registered
io scheduler cfq registered (default)
AK39xx uart driver init, (c) 2013 ANYKA
ak39-uart.0: ttySAK0 at MMIO 0x20130000 (irq = 10) is a AK39
ion: failed to create debug files.
brd: module loaded
loop: module loaded
AK Motor Driver (c) 2013 ANYKA
init the ak-motor device success.
init the ak-motor device success.
@@@ [akpcm_init]: enter @@@
@@@ [akpcm_probe]: enter @@@
akpcmL0->ak39_codec_probe enter...
akpcm probe: mic on
akpcm_probe: OK

akisp_init
Start to init Anyka SPI Flash...
Start to init Anyka partition table...
AK SPI Driver, (c) 2012 ANYKA
akpi regs: SPICON:00000152, SPISTA:00000015, SPIINT:00000000.
ak-spi ak-spi: master is unqueued, this is deprecated
ak_spi setup the master.
pre-scaler=2 (wanted 20Mhz, got 20Mhz)
ak spiflash probe enter.
pre-scaler=2 (wanted 20Mhz, got 20Mhz)
ak_spi_setupxfer,con:00000252.
akspi flash ID: 0x00a14017
ak-spiflash spi0.0: FM25Q64 (8192 Kbytes)
FHA:partition lib version: V1.1.06
FHA:spiflash init
FHA:boot block num offset:427
FHA:Sflash_Get_Partition_Startpage g_boot_len:880
mtd_part[0]:
name = KERNEL
size = 0x200000
offset = 0x39000
mask_flags = 0x1

mtd_part[1]:
name = MAC
size = 0x1000
offset = 0x239000
mask_flags = 0x1

mtd_part[2]:
name = ENV
size = 0x1000
offset = 0x23a000
mask_flags = 0x1

mtd_part[3]:
name = A
size = 0x180000
offset = 0x23b000
mask_flags = 0x1

mtd_part[4]:
name = B
size = 0x7d000
offset = 0x3bb000
mask_flags = 0x1

mtd_part[5]:
name = C
size = 0x3b6000
offset = 0x438000
mask_flags = 0x1

Creating 6 MTD partitions on "spi0.0":
0x000000039000-0x000000239000 : "KERNEL"
0x000000239000-0x00000023a000 : "MAC"
0x00000023a000-0x00000023b000 : "ENV"
0x00000023b000-0x0000003bb000 : "A"
0x0000003bb000-0x000000438000 : "B"
0x000000438000-0x0000007ee000 : "C"
Init AK SPI Flash finish.
akspi master initialize success, use for DMA mode.
AK39E_MAC Ethernet Driver, V1.0
netdev private = c1d8dba0
Allocataion gmacdev OK
Allocataion mac_info OK
Configed MAC RMII interface!
FHA:part: Sflash_Open file_num:6
FHA:open T:0, R:1, H:0, K:4, S:2330624, N:MAC
FHA:open ex_bin F:21, L:0, B:-1, C:0
FHA:medium_flag:0, medium_type:0
CDH_Success:eth0: ak39E_mac at f0230000 IRQ 16 MAC: 8e:5d:b1:6c:8a:d2
input: akgpio-keys as /devices/platform/akgpio-keys/input/input0
We're Using Internal RC OSC.
AK RTC, (c) 2010 ANYKA
i2c /dev entries driver
AK MCI Driver (c) 2010 ANYKA
akmci_probe : MCI
## MMC Power: GPIO-1 Setup
akmci ak_mci.0: Mci Interface driver.mmc0. using l2dma, sw IRQ. detect mode:GPIO detect.
TCP: cubic registered
NET: Registered protocol family 17
lib80211: common routines for IEEE802.11 drivers
/home/lubh/project/cam_sdk/nooie_ipc_code_base/kernel/drivers/rtc/hctosys.c: unable to open rtc device (rtc0)
VFS: Mounted root (squashfs filesystem) readonly on device 31:4.
devtmpfs: mounted
Freeing init memory: 108K
mmc0: host does not support reading read-only switch. assuming write-enable.
mmc0: new SD card at address 5162
mmcblk0: mmc0:5162 SD02G 1.83 GiB
 mmcblk0: p1
/bin/sh: ca▒▒ɹ▒▒▒z▒▒5R▒ ▒▒
/ #

I can see that the microSD card is mounted but I don't see anything in /proc so I directly copied the firmware with

dd if=/dev/mtd0 of=/dev/mmcblk0

Is this the right way? I didn't change the root password.

I'll try to check later the contents of the microSD and do the Unsquash/Squash

Thanks!

@burlizzi

burlizzi commented Feb 1, 2021

I don't have the camera here, I am counting on my faulty memory
execute /etc/init.d/rcS
it will initialize everything and you should have the partitions
then you can change the root password so you don't have to change the bootargs again
I assume you know that you copied the mtd0 onto the block device of your smart card, overwriting the partition table/header; to retrieve it you should read the same amount of bytes from /dev/mmcblk0 on a Linux PC.
I would suggest doing as I suggested above: mount the SD properly and save all the partitions mtd0-6.
the rootfs is mtd4

@pilfos

pilfos commented Feb 1, 2021

@burlizzi I executed what was in /etc/init.d/rcS except the last line. So I was able to mount everything and copy them from /dev/mtdblock* as files...
Now learning how to unsquash/squash, but in the meantime I found this page

https://www.programmersought.com/article/20934638572/

I don't know if it could be useful to get the wifi working...

@pilfos

pilfos commented Feb 2, 2021

@burlizzi I was able to squash the modified mtd4 partition but how can I flash it to the camera from the SD card? In case of failure I can flash again the original mtd4 I saved before?

Which files are needed in the SD card to boot from it using the bootargs from #1632 (comment) ?

Thanks!

@burlizzi

burlizzi commented Feb 2, 2021

@pilfos
you can restore if you don't touch the mtd0
about the sdcard I would just copy the unsquashed files in an ext3 partition of the sd (I don't know if the kernel would support that, try)
you should then modify the bootargs to
setenv bootargs console=ttySAK0,115200n8 root=/dev/mmcblk0p1 rootfstype=ext3 init=/bin/sh mem=64M memsize=64M

the #1632 refers to a T20 system; the only kernel and filesystem here come from the camera itself
if you screw up the kernel partition too you can recover with

fatload mmc 0:1 0x80600000 kernel.bin
bootm 0x80600000

kernel.bin being the mtd1 you dumped before
pay attention that fatload would work only for fat partition so you have to create 2 partitions on the SD and modify mmc 0:1 and mmcblk0p1 accordingly

@pilfos

pilfos commented Feb 3, 2021

but @burlizzi, how did you flash the modified mtd4 to the camera?
with e.g. dd if=/mnt/sd/A.bin of=/dev/mtdblock4 ?

@burlizzi

burlizzi commented Feb 3, 2021 via email

@burlizzi

burlizzi commented Feb 7, 2021

Just curious, did it work?

@pilfos

pilfos commented Feb 7, 2021

didn't check yet... :-/

@pilfos

pilfos commented Feb 7, 2021

tried dd if=/mnt/sd/A.bin of=/dev/mtdblock4

but then...

devtmpfs: mounted
Freeing init memory: 108K
SQUASHFS error: zlib_inflate error, data probably corrupt
SQUASHFS error: squashfs_read_data failed to read block 0xc7a00
SQUASHFS error: Unable to read fragment cache entry [c7a00]
SQUASHFS error: Unable to read page, block c7a00, size 7083
SQUASHFS error: Unable to read fragment cache entry [c7a00]
SQUASHFS error: Unable to read page, block c7a00, size 7083
SQUASHFS error: Unable to read fragment cache entry [c7a00]
SQUASHFS error: Unable to read page, block c7a00, size 7083
SQUASHFS error: Unable to read fragment cache entry [c7a00]
SQUASHFS error: Unable to read page, block c7a00, size 7083
SQUASHFS error: Unable to read fragment cache entry [c7a00]
SQUASHFS error: Unable to read page, block c7a00, size 7083
Failed to execute /bin/sh.  Attempting defaults...
mmc0: host does not support reading read-only switch. assuming write-enable.
mmc0: new SD card at address 5162
mmcblk0: mmc0:5162 SD02G 1.83 GiB
 mmcblk0: p1
SQUASHFS error: Unable to read fragment cache entry [c7a00]
SQUASHFS error: Unable to read page, block c7a00, size 7083
SQUASHFS error: Unable to read fragment cache entry [c7a00]
SQUASHFS error: Unable to read page, block c7a00, size 7083
Kernel panic - not syncing: No init found.  Try passing init= option to kernel. See Linux Documentation/init.txt for guidance.

I think the problem is with mksquashfs. I didn't use any params, only the source dir and dest file to create. Maybe I needed to use the xz compressor instead of the default gzip?

But now, how to try again if the system can't boot from mtd4 ?

I can see with fatls mmc 0:1 the files on the sdcard, so I don't know if I can copy back the backup of mtd4 from U-Boot.

@burlizzi

burlizzi commented Feb 8, 2021

@pilfos you have the backup, right? now the problem is that you can't boot it,
now restore with uboot, put the original squashfs on sdcard (fat formatted)
stop at uboot,
then...
fatls mmc 0:1
fatload mmc 0:1 0x80600000 [original rootfs.squash]
sf probe
sf update 0x80600000 0x23b000 0x180000

@pilfos

pilfos commented Feb 8, 2021

I did it, and tried to boot with bootm 0x80600000 but I get a "Wrong Image Format for bootm command"

anyka$fatls mmc 0:1
cdh:use ak mmc cd!
cdh:ak getcd=0
mmc_getcd, cd=0
MMC: detect card present
MMC: no init, start init!
mmc/sd share pin!
want set asic clk = 100000000, wanted sdmmc clk = 400000
asic clk = 100000000, real sdmmc clk = 400000
MMC: ak mmc driver init OK!
want set asic clk = 100000000, wanted sdmmc clk = 400000
asic clk = 100000000, real sdmmc clk = 400000
MMC: default init bus width=1, clock=400khz, OK!
MMC: ak mmc drmmc_go_idle OK!
MMC: ak mmc mmc_send_if_cond OK!
cdh:sd_send_op_cond, mmc->high_capacity=0
MMC: ak mmc sd_send_op_cond OK!
mmc_start_init: init OK!
cdh:MMC_CMD_ALL_SEND_CID OK!
cdh:mmc cid[0]=-1862227708
cdh:mmc cid[1]=1621884633
cdh:mmc cid[2]=1144009287
cdh:mmc cid[3]=39079251
cdh:sd mmc->rca=0x5162
want set asic clk = 100000000, wanted sdmmc clk = 1000000
asic clk = 100000000, real sdmmc clk = 1000000
want set asic clk = 100000000, wanted sdmmc clk = 2000000
asic clk = 100000000, real sdmmc clk = 2000000
cdh:MMC_CMD_SEND_CSD OK!
cmd csdlong response[0]:0x16800090!
cmd csdlong response[1]:0xffffff80!
cmd csdlong response[2]:0x5b5a83a9!
cmd csdlong response[3]:0x2e0032!
cdh:mmc->tran_speed:0x32!
cdh:sd card, mmc->write_bl_len:1024!
cdh:no mmc->high_capacity!
cdh:sd card, mmc->capacity_user:0xea800000 blocks!
cdh:sd card, mmc->write_bl_len2:512!
cdh:MMC_CMD_SELECT_CARD OK!
cdh:MMC_CMD_SET_BLOCKLEN OK!
cdh:mmc->capacity:0xea800000 !
cdh:part_num:0, mmc_set_capacity OK!
cdh:mmc->scr[0]=0x2a58000, mmc->scr[1]=0x26024202
cdh:mmc->version=0x20300
cdh:SD_DATA_4BIT, mmc->card_caps=0x100
cdh:SD_SWITCH_CHECK ready
cdh:MMC Controller mmc->host_caps:0x811, yes support high-speed!
cdh:SD_SWITCH_SWITCH OK!
cdh:mmc->card_caps:0x101, MODE HS OK!
cdh:mmc->tran_speed=50000000
want set asic clk = 100000000, wanted sdmmc clk = 25000000
asic clk = 100000000, real sdmmc clk = 25000000
cdh:test_part_dos read ok!
cdh:test_part_dos DOS_PART_MAGIC_OFFSET ok!
cdh:test_part_dos DOS_MBR ok!
  8388608   spi0.bin
  2097152   kernel.bin
       38   test.txt
     4096   mac.bin
     4096   env.bin
  1572864   a.bin
   512000   b.bin
  3891200   c.bin
  1531904   amodi.bin

9 file(s)
anyka$fatload mmc 0:1 0x80600000 a.bin
reading a.bin
1572864 bytes read in 0 ms
anyka$sf probe
anyka$sf update 0x80600000 0x23b000 0x180000

==Start update FS==
boot block num offset:427
get_upadte_boot_size g_boot_len:225280
parts[0]:
name = KERNEL
size = 0x200000
offset = 0x39000
r_w_flags = 0x1

parts[1]:
name = MAC
size = 0x1000
offset = 0x239000
r_w_flags = 0x1

parts[2]:
name = ENV
size = 0x1000
offset = 0x23a000
r_w_flags = 0x1

parts[3]:
name = A
size = 0x180000
offset = 0x23b000
r_w_flags = 0x1

parts[4]:
name = B
size = 0x7d000
offset = 0x3bb000
r_w_flags = 0x1

parts[5]:
name = C
size = 0x3b6000
offset = 0x438000
r_w_flags = 0x1

find selected part size failed

==End update FS Err!==

anyka$bootm 0x80600000
Wrong Image Format for bootm command
ERROR: can't get kernel image!
anyka$reset
resetting ...

then If I try to reset, I get again the SQUASHFS errors and kernel panic
Do I need to boot in a different way after the "sf update"?
I also tried "run boot_normal" but I get the same as resetting, SQUASHFS errors and kernel panic

@burlizzi

burlizzi commented Feb 8, 2021

of course, bootm should find a kernel image, at that location you have a filesystem
is a.bin the original backup or the modified one?
I see you have amodi.bin in your sdcard, I assume that was the modified one.
try to reflash partitions B and C as well

@burlizzi

burlizzi commented Feb 9, 2021

I apologize, I just read in the uboot help that the parameter for sf update is the name of the partition so the correct command would be:

sf probe
fatload mmc 0:1 0x80600000 a.bin
sf update 0x80600000 A 0x180000

@pilfos

pilfos commented Feb 9, 2021

Yes! It worked with the sf update using the partition name.

But this time I tried again with the rootfs compressed with xz and now

SQUASHFS error: xz_dec_run error, data probably corrupt

this is what I'm using

mksquashfs squashfs-root Amodi2.bin -comp xz

where squashfs-root is the dir containing the modified rootfs
and then I'm extracting with

binwalk -e Amodi2.bin

to confirm that there is the correct rootfs with the modified rcS

so, how should I use the mksquashfs ?

Thanks @burlizzi !
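
A pre-flash check for the repacking step discussed above, as an added example that is not code from the thread or the project: it reads the squashfs 4.0 superblock of the stock mtd4 dump and of a repacked image, and reports a differing compressor or block size, a truncated file, or an image larger than partition A (0x180000). Function names and the sample images are constructed for illustration.

```python
import struct

# Added example: values marked "from the thread" are copied from the page;
# function names and sample images are constructed for illustration.
SQUASHFS_MAGIC = 0x73717368            # b"hsqs", little-endian squashfs 4.x
COMPRESSORS = {1: "gzip", 2: "lzma", 3: "lzo", 4: "xz", 5: "lz4", 6: "zstd"}
PART_A_SIZE = 0x180000                 # size of partition "A" (mtd4), from the thread

# First 48 bytes of a squashfs 4.0 superblock (all fields little-endian).
_SB = struct.Struct("<IIIIIHHHHHHQQ")


def read_superblock(image: bytes) -> dict:
    """Parse the superblock fields that matter when repacking a root filesystem."""
    if len(image) < _SB.size:
        raise ValueError("image is shorter than a squashfs superblock")
    (magic, _inodes, _mtime, block_size, _frags, comp, block_log,
     _flags, _ids, major, minor, _root, bytes_used) = _SB.unpack_from(image)
    if magic != SQUASHFS_MAGIC:
        raise ValueError(f"bad magic 0x{magic:08x}: not a little-endian squashfs image")
    if block_size != 1 << block_log:
        raise ValueError("block_size and block_log disagree: superblock is corrupt")
    return {
        "version": (major, minor),
        "compression": COMPRESSORS.get(comp, f"unknown({comp})"),
        "block_size": block_size,
        "bytes_used": bytes_used,
    }


def preflight(original: bytes, repacked: bytes, part_size: int = PART_A_SIZE) -> list:
    """Compare a repacked image with the stock dump; return a list of problems."""
    orig, new = read_superblock(original), read_superblock(repacked)
    problems = []
    for field in ("version", "compression", "block_size"):
        if new[field] != orig[field]:
            problems.append(
                f"{field}: stock image has {orig[field]}, repacked has {new[field]}")
    if new["bytes_used"] > len(repacked):
        problems.append("file is shorter than bytes_used: image is truncated")
    if len(repacked) > part_size:
        problems.append(f"image is {len(repacked)} bytes, partition holds {part_size}")
    return problems


def make_image(comp_id: int, block_log: int, total_len: int) -> bytes:
    """Build a constructed, superblock-only test image (not a mountable filesystem)."""
    sb = _SB.pack(SQUASHFS_MAGIC, 1, 0, 1 << block_log, 0,
                  comp_id, block_log, 0, 1, 4, 0, 0, total_len)
    return sb + b"\0" * (total_len - len(sb))


if __name__ == "__main__":
    stock = make_image(1, 17, 4096)  # constructed: gzip, 128 KiB blocks
    for label, img in [("same settings", make_image(1, 17, 8192)),
                       ("xz repack", make_image(4, 17, 8192)),
                       ("oversized", make_image(1, 17, PART_A_SIZE + 4096))]:
        print(label, "->", preflight(stock, img) or "OK")
```

On real files, pass the bytes of the stock dump and of the repacked image read with `open(path, "rb").read()`. `unsquashfs -s` prints the same superblock fields, and `mksquashfs` takes `-comp` and `-b` to set the compressor and block size.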

@pilfos

pilfos commented Feb 10, 2021

I tried to "pad" the file to match the size of the original rootfs backup

dd if=/dev/zero ibs=1 count=1572864 | tr "\000" "\377" > Amodi3.bin
dd if=Amodi2.bin of=Amodi3.bin conv=notrunc

and now there is no compression error but I get a different one:

SQUASHFS error: unable to read id index table
List of all partitions:
1f00            8192 mtdblock0  (driver?)
1f01            2048 mtdblock1  (driver?)
1f02               4 mtdblock2  (driver?)
1f03               4 mtdblock3  (driver?)
1f04            1536 mtdblock4  (driver?)
1f05             500 mtdblock5  (driver?)
1f06            3800 mtdblock6  (driver?)
No filesystem could mount root, tried:  squashfs
Kernel panic - not syncing: VFS: Unable to mount root fs on unknown-block(31,4)

I also tried to do the dd if=/mnt/sd/A.bin of=/dev/mtdblock4 with the original rootfs backup file and it works so it's a problem with the mksquashfs ...

@pilfos

pilfos commented Feb 10, 2021

Well, in the end what I did was to load the modified rootfs from U-Boot and it boots correctly. Tomorrow I'll check if I can get connected through telnet...

@burlizzi

try this,
unzip in a sd card and power the camera.
on the card there should be update/update.tar

update.zip

@pilfos

pilfos commented Feb 10, 2021

Ahhh interesting file, the update_check.sh :)

but, it doesn't find the ipc_victure_pc530f37

***************************************
******** cmd server has running! ******
***************************************
[main:200] Success to create TCP socket.
[main:234] Waiting for connect......

### enter update_check.sh ###
stop system service before update.....
############ please wait a moment. And don't remove TFcard or power-off #############
no ipc_victure_pc530f37 signature found
default log level=4
***************************************
*****A monitor daemon has running!*****
***************************************
[watchdog_enable:271] ********** Watch Dog Enabled! **********
[watchdog_enable:282] watchdog timeout = 8(s)
[daemon_pth_func:563] thread id: 429
[monitor_thread:400] thread id: 428
[feed_watchdog:234] thread id: 427
start ipc service......
[monitor_thread:404] interval: 3(sec), fifo[/tmp/daemon_fifo].size=50
start net service......
start net service......
[service.sh] find ssid =
mount: mounting /dev/mmcblk0p1 on /mnt failed: Device or resource busy
[daemon_mount_sd:462] *** mount the sd to /mnt ***

Did you build the update.rar ?

@burlizzi

Yes but I didn't try, I used dd to update the root fs
Just untar and update manually, I'll fix it later

@maurofilippo

Hello, my name is Mauro and I am enthusiastically watching the evolution of this change in the PC540 ... with the hope of being able to watch the RTSP streaming from a PC without using the app.
Anyway, in the meantime, I can only say good at having already reached this point!
congratulations!

hello, mauro

@stale

stale bot commented Jun 2, 2021

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the wontfix label Jun 2, 2021
@stale stale bot closed this as completed Jun 9, 2021
@Arakon

Arakon commented Dec 9, 2021

I'm digging this back up since I got a very similar camera, but no luck with any of the suggestions here.
Here's what I get via UART:

U-Boot 2013.10.0-AK_V2.0.03 (Apr 28 2021 - 23:26:26)

DRAM:  64 MiB
anyka spi flash. bus_width:1
8 MiB
mmc_initialize: ak_sdhsmmc_init OK!
ANYKA SDHC/MMC4.0: 0
anyka spi flash. bus_width:1
 Warning - bad CRC, using default environment
In:    serial
Out:   serial
Err:   serial
load_addr = 0x81808000!
Net:   AKEthernet-0

                   anyka spi flash. bus_width:1

SF: 2097152 bytes @ 0x80000 Read: OK
 kernel: image load address = 0x81808000
 Booting kernel from Legacy Image at 81808000 ...
   Image Name:   Linux-3.4.35
   Image Type:   ARM Linux Kernel Image (uncompressed)
   Data Size:    1522168 Bytes = 1.5 MiB
   Load Address: 81808000
   Entry Point:  81808040
   Verifying Checksum ... OK
   XIP Kernel Image ... OK

Starting kernel ...

After this, the camera starts and I get no output anymore.

If I abort the boot with Ctrl-C, I can access u-boot and get some info:

anyka$env print
baudrate=115200
boot_normal=run read_kernel; bootm ${loadaddr}
bootargs=console=ttySAK0,115200n8 root=/dev/mtdblock4 rootfstype=squashfs init=/sbin/init mem=64M memsize=64M mtdparts=spi0.0:384K@0K(boot),64K@384K(ENV),64K@448K(MAC),1536K@512K(KERNEL),1024K@2048K(ROOT),4608K@3072K(USR.SQUASH),512K@7680K(USR.JFFS2)
bootcmd=run boot_normal
bootdelay=3
console=ttySAK0,115200n8
erase_env=sf probe 0:0 ${sf_hz} 0; sf erase 0x20000 0x2000
ethact=AKEthernet-0
ethaddr=00:55:7b:b5:7d:f7
fs_addr=0x370000
init=/sbin/init
ipaddr=192.168.1.99
kernel_addr=0x80000
kernel_size=0x200000
loadaddr=0x81808000
memsize=64M
mtd_root=/dev/mtdblock4
netmask=255.255.255.0
read_kernel=sf probe 0:0 ${sf_hz} 0; sf read ${loadaddr} ${kernel_addr} ${kernel_size}
rootfstype=squashfs
serverip=192.168.1.10
setcmd=setenv bootargs console=${console} root=${mtd_root} rootfstype=${rootfstype} init=${init} mem=${memsize}
sf_hz=20000000
stderr=serial
stdin=serial
stdout=serial
update_flag=0
ver=U-Boot 2013.10.0-AK_V2.0.03 (Apr 28 2021 - 23:26:26)
vram=12M

Environment size: 1088/65528 bytes

Any suggestions? I mostly need RTSP or ONVIF.

@burlizzi

burlizzi commented Dec 10, 2021

It seems to be the same hardware but different firmware.
Try to replace the /sbin/init with init=/bin/sh in the bootargs, see if you have a UART console.
In your case it would be

setenv bootargs console=ttySAK0,115200n8 root=/dev/mtdblock4 rootfstype=squashfs init=/bin/sh mem=64M memsize=64M mtdparts=spi0.0:384K@0K(boot),64K@384K(ENV),64K@448K(MAC),1536K@512K(KERNEL),1024K@2048K(ROOT),4608K@3072K(USR.SQUASH),512K@7680K(USR.JFFS2)

Another possibility is to exploit the factory tests.
On an SD card create a file agingtest/aging_test
with this content

net_manage.sh &
telnetd&

this should give you access via telnet but you probably couldn't log in because of the root password, in that case you could try this content instead

net_manage.sh &
echo -e "linuxpassword\nlinuxpassword" | passwd
telnetd&

Another, more complex alternative if this doesn't work:
dump your firmware directly from U-Boot, you can follow this procedure:
https://cybergibbons.com/hardware-hacking/recovering-firmware-through-u-boot/
I did it in the past but I didn't try this particular one, be careful.
Now you can split the firmware into partitions, mount the root squashfs on your computer, modify the init script and the root password and flash it back.
If you do it, post it here before flashing it, it would be interesting for us too

@Arakon

Arakon commented Dec 10, 2021

The factory test folder does nothing, it just starts normally with that folder/file.
Trying to upload the firmware dump fails due to apparently missing a tftp transfer function.

anyka$help
          ?       - alias for 'help'
base    - print or set address offset
bootm   - boot application image from memory
bootp   - boot image via network using BOOTP/TFTP protocol
chpart  - change active partition
cmp     - memory compare
cp      - memory copy
crc32   - checksum calculation
downimage- downimage   - download and write All-Image to FLASH device,partiton table from ENV partition.
downjffs2fs- load usr.jffs2 tftp
downkernel- load uImage tftp
downrootfs- load root.sqsh4 tftp
downsquashfs- load usr.sqsh4 tftp
downuboot- load uboot tftp
env     - environment handling commands
erase   - erase FLASH memory
fatinfo - print information about filesystem
fatload - load binary file from a dos filesystem
fatls   - list files in a directory (default /)
flinfo  - print FLASH memory information
format  - erase uboot env
go      - start application at address 'addr'
help    - print command description/usage
loop    - infinite loop on address range
md      - memory display
mm      - memory modify (auto-incrementing address)
mmc     - MMC sub system
mmcinfo - display MMC info
mtdparts- define flash/nand partitions
mw      - memory write (fill)
nm      - memory modify (constant address)
parts   - read out partitions table info.
parts_adjust-
adjust parts info. Each part's size,offset etc.

ping    - send ICMP ECHO_REQUEST to network host
printenv- print environment variables
protect - enable or disable FLASH write protection
readcfg - read config from config.
reset   - Perform RESET of the CPU
run     - run commands in an environment variable
saveenv - save environment variables to persistent storage
setenv  - set environment variables
setloadaddr- set loadaddr to  config infor .
sf      - spi flash sub-system:
tfdownjffs2fs- load usr.jffs2TF
tfdownkernel- load uImageTF
tfdownrootfs- load root.sqsh4TF
tfdownsquashfs- load usr.sqsh4TF
tfdownuboot- load u-boot.binTF
tftpboot- boot image via network using TFTP protocol
tfupdateimage- tfupdateimage   - download and write All-Image to FLASH device
updatecfg- update config from config infor table.
version - print monitor, compiler and linker version

@burlizzi

burlizzi commented Dec 10, 2021 via email

@Arakon

Arakon commented Dec 10, 2021

Done.. I may have overdumped the file (I think I read the flash at 16 MiB instead of 8), though.
https://drive.google.com/file/d/1SYkadyWdry4OlS1krlKZzaqUy0c_nhUl/view?usp=sharing
However, I'm rather lost at this point what to do.

@burlizzi

burlizzi commented Dec 10, 2021 via email

@burlizzi

so I did this

luca@CORONA:~$  binwalk flash.bin

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
127696        0x1F2D0         CRC32 polynomial table, little endian
524288        0x80000         uImage header, header size: 64 bytes, header CRC: 0x45F54916, created: 2021-08-03 11:26:18, image size: 1522168 bytes, Data Address: 0x81808000, Entry Point: 0x81808040, data CRC: 0x44CB869, OS: Linux, CPU: ARM, image type: OS Kernel Image, compression type: none, image name: "Linux-3.4.35"
538571        0x837CB         xz compressed data
538792        0x838A8         xz compressed data
2097152       0x200000        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 997666 bytes, 220 inodes, blocksize: 131072 bytes, created: 2021-08-09 08:44:41
3145728       0x300000        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 4174840 bytes, 303 inodes, blocksize: 131072 bytes, created: 2021-08-09 08:44:42
7864320       0x780000        JFFS2 filesystem, little endian
8516304       0x81F2D0        CRC32 polynomial table, little endian
8912896       0x880000        uImage header, header size: 64 bytes, header CRC: 0x45F54916, created: 2021-08-03 11:26:18, image size: 1522168 bytes, Data Address: 0x81808000, Entry Point: 0x81808040, data CRC: 0x44CB869, OS: Linux, CPU: ARM, image type: OS Kernel Image, compression type: none, image name: "Linux-3.4.35"
8927179       0x8837CB        xz compressed data
8927400       0x8838A8        xz compressed data
10485760      0xA00000        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 997666 bytes, 220 inodes, blocksize: 131072 bytes, created: 2021-08-09 08:44:41
11534336      0xB00000        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 4174840 bytes, 303 inodes, blocksize: 131072 bytes, created: 2021-08-09 08:44:42
16252928      0xF80000        JFFS2 filesystem, little endian

luca@CORONA:~$ dd if=flash.bin of=root.sqsh skip=2097152   bs=1 count=997666
997666+0 records in
997666+0 records out
997666 bytes (998 kB, 974 KiB) copied, 10.1601 s, 98.2 kB/s
luca@CORONA:~$ dd if=flash.bin of=usr.sqsh skip=3145728   bs=1 count=4174840
4174840+0 records in
4174840+0 records out
4174840 bytes (4.2 MB, 4.0 MiB) copied, 42.361 s, 98.6 kB/s
luca@CORONA:~$ ls
docker  docker-20.10.9.tgz  esp_home_auto  flash.bin  root.sqsh  usr.sqsh
luca@CORONA:~$ unsquashfs root.sqsh
Parallel unsquashfs: Using 8 processors
203 inodes (220 blocks) to write

[===================================================================================================================================================================================================================|] 220/220 100%

created 31 files
created 17 directories
created 172 symlinks
created 0 devices
created 0 fifos
luca@CORONA:~$ ls
flash.bin  root.sqsh  squashfs-root  usr.sqsh
luca@CORONA:~$ mv squashfs-root/ root
luca@CORONA:~$ unsquashfs usr.sqsh
Parallel unsquashfs: Using 8 processors
292 inodes (356 blocks) to write

[===================================================================================================================================================================================================================|] 356/356 100%

created 109 files
created 11 directories
created 183 symlinks
created 0 devices
created 0 fifos
luca@CORONA:~$ ls
flash.bin  root  root.sqsh  squashfs-root  usr.sqsh
luca@CORONA:~$ mv squashfs-root/ usr
luca@CORONA:~$ ls root
bin  dev  etc  init  lib  mnt  proc  sbin  sys  tmp  usr  var
luca@CORONA:~$ ls usr
bin  lib  local  modules  sbin  share
luca@CORONA:~$ ls -l root/etc/passwd
lrwxrwxrwx 1 luca luca 12 Dec 11 13:55 root/etc/passwd -> jffs2/passwd
dd if=flash.bin of=cfg.jffs2 skip=7864320   bs=1 count=131072 # 131072=8MB-7864320
131072+0 records in
131072+0 records out
131072 bytes (131 kB, 128 KiB) copied, 1.38228 s, 94.8 kB/s


luca@CORONA:~$ cat root/etc/inittab
# /etc/inittab

# Copyright (C) 2010 Anyka

# Note: BusyBox init doesn't support runlevels.  The runlevels field is
# completely ignored by BusyBox init. If you want runlevels, use
# sysvinit.
#
# Format for each entry: <id>:<runlevels>:<action>:<process>
#
# id        == tty to run on, or empty for /dev/console
# runlevels == ignored
# action    == one of sysinit, respawn, askfirst, wait, and once
# process   == program to run

# Startup the system
::sysinit:/etc/init.d/rcS

ttySAK0::respawn:/sbin/getty -L ttySAK0 115200 vt100 # GENERIC_SERIAL

::restart:/sbin/init
::ctrlaltdel:/sbin/reboot
::shutdown:/bin/umount -a -r
::shutdown:/sbin/swapoff -a


luca@CORONA:~$ cat root/etc/init.d/rcS
#! /bin/sh

echo "mount all file system..."
mkdir /dev/pts
/bin/mount -av

echo "start telnet......"

runlevel=S
prevlevel=N
umask 022
export runlevel prevlevel

echo "starting mdev..."
/bin/echo /sbin/mdev > /proc/sys/kernel/hotplug
mdev -s

mkdir /var/cache
mkdir /var/run
mkdir /var/log
mkdir /var/spool

echo "**************************"
echo "    Love Linux ! ! ! "
echo "**************************"

/bin/hostname -F /etc/sysconfig/HOSTNAME

#local service
/etc/init.d/rc.local
luca@CORONA:~$ cat root/etc/init.d/rc.local
#!/bin/sh

#print kernel error default
echo 4 > /proc/sys/kernel/printk

# mount usr file-system.
/bin/mount -t squashfs /dev/mtdblock5 /usr

# mount jffs2 file-system.
/bin/mount -t jffs2 /dev/mtdblock6 /etc/jffs2
# note: can't recommend running other app before `mount` command.

#start ftp server, dir=root r/w, -t 600s(timeout)
#/bin/tcpsvd 0 21 ftpd -w / -t 600 &

#start syslogd & klogd, log rotated 3 files(200KB) to /var/log/messages
#syslogd -D -n -O /var/log/messages -s 200 -b 3 & # -l prio

#klogd -n & # -c prio

#create ramdisk
#dd if=/dev/zero of=/tmp/zero bs=512 count=200
#losetup /dev/loop0 /tmp/zero
#mkfs.vfat /dev/loop0
#mkdir /tmp/ramdisk
#mount /dev/loop0 /tmp/ramdisk

ifconfig lo 127.0.0.1
ifconfig eth0 192.168.1.123

mkdir /tmp/lib
##cpoy watchdog.ko to /tmp
cp -rf /sbin/ak39_top_wdt.ko /tmp

##cpoy reboot to /tmp
cp -rf /sbin/reboot /tmp

##cpoy nk_upgrade to /tmp
#cp -rf /sbin/nk_upgarde /tmp

##cpoy nk_upgarde.sh to /tmp
cp -rf /usr/sbin/nk_update.sh /tmp


#load camera module
/usr/sbin/camera.sh setup

dmesg > /tmp/start_message

#echo "/tmp/core_%e_%p_%t" > /proc/sys/kernel/core_pattern
#start system service
#ulimit -s 1024

/usr/sbin/service.sh start &

## set min free reserve bytes
echo 2048 > /proc/sys/vm/min_free_kbytes


luca@CORONA:~$ echo "telnetd&" >> root/etc/init.d/rc.local

luca@CORONA:~$ sudo mount -t jffs2 cfg.jffs2 cfg
mount: unknown filesystem type 'jffs2'
luca@CORONA:~$ apt search jffs2
Sorting... Done
Full Text Search... Done
logfs-tools/oldoldstable 20121013-2+b1 amd64
  Tools to manage logfs filesystems

logfs-tools-dbg/oldoldstable 20121013-2+b1 amd64
  Tools to manage logfs filesystems (debug)

mtd-utils/oldoldstable,now 1:2.0.0-1 amd64 [installed]
  Memory Technology Device Utilities

luca@CORONA:~$ sudo apt install logfs-tools
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  logfs-tools
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 13.7 kB of archives.
After this operation, 41.0 kB of additional disk space will be used.
Get:1 http://deb.debian.org/debian stretch/main amd64 logfs-tools amd64 20121013-2+b1 [13.7 kB]
Fetched 13.7 kB in 0s (45.1 kB/s)
Selecting previously unselected package logfs-tools.
(Reading database ... 32201 files and directories currently installed.)
Preparing to unpack .../logfs-tools_20121013-2+b1_amd64.deb ...
Unpacking logfs-tools (20121013-2+b1) ...
Setting up logfs-tools (20121013-2+b1) ...
luca@CORONA:~$ sudo mount -t jffs2 cfg.jffs2 cfg
mount: unknown filesystem type 'jffs2'


Now I can't mount the jffs2 partition on my computer, find a way... you need to, because you have to change the root password, else you won't be able to log in via telnet

alternatively you can use this

echo 'echo -e "linuxpassword\nlinuxpassword" | passwd' >> root/etc/init.d/rc.local

or, even better add this to usr/sbin/anyka_ipc.sh

...
      echo "exist mmcblk0p1"
                        mkdir $MOUNT_DIR
                        mount $MMC_FS $MOUNT_DIR

##################### start #############################

                        if [ -f "$MOUNT_DIR/autostart.sh" ];then
                              . "$MOUNT_DIR/autostart.sh"
                        fi
##################### end #############################

                fi
        fi

        CURTIME=`date +%y%m%d_%H%M%S`
        LOG_FILE=ipc_$CURTIME.log
        echo $LOG_FILE
        ##echo 8 > /proc/sys/kernel/printk
        pid=`pgrep anyka_ipc`
    if [ "$pid" = "" ]
    then
                if [ -f "$DEBUG_INI_PATH" ];then
                        ulimit -c unlimited
                        echo "/mnt/tf/core/%e_%t.core" > /proc/sys/kernel/core_pattern
                        anyka_ipc >> "$MOUNT_DIR/$LOG_FILE" 2>&1
                else
                        echo "no debug ini file"
                        anyka_ipc
                fi
        fi
        echo "error reboot......"
        touch /etc/jffs2/error_reboot
}

restart ()
{
...

then repack everything

 mksquashfs root/ modified_root.sqsh -b 1048576 -comp xz -Xdict-size 100%
Parallel mksquashfs: Using 8 processors
Creating 4.0 filesystem on modified_root.sqsh, block size 1048576.
[=====================================================================================================================================================================================================================-] 31/31 100%

Exportable Squashfs 4.0 filesystem, xz compressed, data block size 1048576
        compressed data, compressed metadata, compressed fragments, compressed xattrs
        duplicates are removed
Filesystem size 915.97 Kbytes (0.89 Mbytes)
        32.69% of uncompressed filesystem size (2802.40 Kbytes)
Inode table size 1046 bytes (1.02 Kbytes)
        13.85% of uncompressed inode table size (7551 bytes)
Directory table size 1958 bytes (1.91 Kbytes)
        56.97% of uncompressed directory table size (3437 bytes)
Number of duplicate files found 0
Number of inodes 220
Number of files 31
Number of fragments 3
Number of symbolic links  172
Number of device nodes 0
Number of fifo nodes 0
Number of socket nodes 0
Number of directories 17
Number of ids (unique uids + gids) 1
Number of uids 1
        luca (1000)
Number of gids 1
        luca (1000)

and flash it with downrootfs I suppose... but I would write it to an SD card partition and test it before
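
Added example (not part of the original comments or of the project's code): the offsets typed into `dd` above can be derived from the `mtdparts=` string that U-Boot printed, which also gives each partition's full size (USR.JFFS2 is 512K at 7680K) and lets a 16 MiB read of the 8 MiB flash be reduced to a single copy. It also accepts the offset-less form used in the first comment of the thread. The function names and the synthetic dump are assumptions of this sketch; only the layout string comes from the `env print` output.

```python
from __future__ import annotations
import re
from typing import NamedTuple

# Layout string from the `env print` output in the thread (wrap gap removed).
MTDPARTS = ("mtdparts=spi0.0:384K@0K(boot),64K@384K(ENV),64K@448K(MAC),"
            "1536K@512K(KERNEL),1024K@2048K(ROOT),4608K@3072K(USR.SQUASH),"
            "512K@7680K(USR.JFFS2)")
FLASH_SIZE = 8 << 20  # "8 MiB" per the U-Boot banner

class Part(NamedTuple):
    name: str
    offset: int
    size: int

_NUM = r"(?:0x[0-9a-f]+|\d+)[kmg]?"
_DEF = re.compile(rf"(?P<size>-|{_NUM})(?:@(?P<off>{_NUM}))?"
                  r"(?:\((?P<name>[^)]*)\))?(?:ro)?(?:lk)?", re.I)
_UNIT = {"": 1, "k": 1 << 10, "m": 1 << 20, "g": 1 << 30}
# First bytes of the image types binwalk reported in the thread.
_MAGIC = {b"\x27\x05\x19\x56": "uImage", b"hsqs": "squashfs", b"\x85\x19": "jffs2"}

def parse_size(tok: str) -> int:
    """'1536K', '0x80000' or '2m' -> number of bytes."""
    digits, unit = (tok[:-1], tok[-1].lower()) if tok[-1].lower() in "kmg" else (tok, "")
    return int(digits, 16 if digits.lower().startswith("0x") else 10) * _UNIT[unit]

def parse_mtdparts(arg: str, flash_size: int | None = None) -> dict[str, list[Part]]:
    """Parse a kernel `mtdparts=` argument (may be embedded in full bootargs)."""
    spec = arg.split("mtdparts=", 1)[-1].split()[0]
    layout: dict[str, list[Part]] = {}
    for dev in spec.split(";"):
        mtd_id, _, defs = dev.partition(":")
        parts, cursor = [], 0
        for idx, text in enumerate(defs.split(",")):
            m = _DEF.fullmatch(text)
            if m is None:
                raise ValueError(f"unparsable partition definition: {text!r}")
            # Without '@offset' a partition starts where the previous one ended.
            offset = parse_size(m["off"]) if m["off"] else cursor
            if m["size"] == "-":  # "rest of the device"
                if flash_size is None:
                    raise ValueError("'-' size needs flash_size")
                size = flash_size - offset
            else:
                size = parse_size(m["size"])
            if offset < cursor:
                raise ValueError(f"{text!r} overlaps the previous partition")
            parts.append(Part(m["name"] or f"mtd{idx}", offset, size))
            cursor = offset + size
        layout[mtd_id] = parts
    return layout

def trim_overdump(dump: bytes, flash_size: int) -> bytes:
    """Return one flash-sized copy if the dump is that copy repeated."""
    copies, rest = divmod(len(dump), flash_size)
    if copies == 0 or rest:
        raise ValueError("dump length is not a multiple of the flash size")
    first = dump[:flash_size]
    for i in range(1, copies):
        if dump[i * flash_size:(i + 1) * flash_size] != first:
            raise ValueError(f"copy {i} differs from copy 0; inspect by hand")
    return first

def carve(flash: bytes, parts: list[Part]) -> dict[str, bytes]:
    """Slice every partition out of the flash image, refusing short images."""
    out = {}
    for p in parts:
        if p.offset + p.size > len(flash):
            raise ValueError(f"{p.name} runs past the end of the image")
        out[p.name] = flash[p.offset:p.offset + p.size]
    return out

def identify(blob: bytes) -> str:
    """Name the image type from its leading magic bytes."""
    return next((n for m, n in _MAGIC.items() if blob.startswith(m)), "unknown")

def constructed_dump(parts: list[Part], copies: int = 2) -> bytes:
    """Synthetic stand-in for flash.bin: magics only, no real firmware."""
    flash = bytearray(b"\xff" * FLASH_SIZE)
    for name, magic in (("KERNEL", b"\x27\x05\x19\x56"), ("ROOT", b"hsqs"),
                        ("USR.SQUASH", b"hsqs"), ("USR.JFFS2", b"\x85\x19")):
        off = next(p.offset for p in parts if p.name == name)
        flash[off:off + len(magic)] = magic
    return bytes(flash) * copies

if __name__ == "__main__":
    parts = parse_mtdparts(MTDPARTS)["spi0.0"]
    images = carve(trim_overdump(constructed_dump(parts), FLASH_SIZE), parts)
    for p in parts:
        print(f"{p.name:<11} off=0x{p.offset:06x} size={p.size:>8} {identify(images[p.name])}")
```

To use it on a real dump, read the file into `bytes`, pass it through `trim_overdump` and write each entry of `carve(...)` to its own file.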

@burlizzi

this should work automatically on older version (not the one @Arakon owns, sorry @Arakon you should modify your etc/init.d scripts to start it)
victure.zip

@Arakon

Arakon commented Dec 15, 2021

Seems my cam is dead, either way.. If I attempt to load any file from SD or tftp, the shell just locks up and I have to reboot the camera.

@burlizzi

try with this, put the kernel in a sd card and at the UBOOT console

fatload mmc 0:1 0x80600000 kernel.bin
bootm 0x80600000

if your root fs matches this kernel version:
you should see the kernel messages and the login prompt
else:
copy the root attached here on an empty sd card with dd if=root.bin of=/dev/mmc...your_mmc_device and
at the uboot

setenv bootargs console=ttySAK0,115200n8 root=/dev/mmcblk0 rootfstype=squashfs init=/bin/sh mem=64M memsize=64M
fatload mmc 0:1 0x80600000 kernel.bin
bootm 0x80600000

end if;
kernel.zip
root.zip

@Arakon

Arakon commented Dec 16, 2021

Thanks for your continued help, but it fails here for me:

                   MMC: no init, start init!
want set asic clk = 200000000, wanted sdmmc clk = 400000
asic clk = 200000000, real sdmmc clk = 400000
MMC: ak mmc driver init OK!
want set asic clk = 200000000, wanted sdmmc clk = 400000
asic clk = 200000000, real sdmmc clk = 400000
MMC: default init bus width=1, clock=400khz, OK!
MMC: ak mmc drmmc_go_idle OK!
MMC: ak mmc mmc_send_if_cond OK!
cdh:sd_send_op_cond, mmc->high_capacity=1
MMC: ak mmc sd_send_op_cond OK!
mmc_start_init: init OK!
cdh:MMC_CMD_ALL_SEND_CID OK!
cdh:mmc cid[0]=1090606432
cdh:mmc cid[1]=1610612737
cdh:mmc cid[2]=1144205895
cdh:mmc cid[3]=659572819
cdh:sd mmc->rca=0x1
want set asic clk = 200000000, wanted sdmmc clk = 1000000
asic clk = 200000000, real sdmmc clk = 1000000
want set asic clk = 200000000, wanted sdmmc clk = 2000000
asic clk = 200000000, real sdmmc clk = 2000000
cdh:MMC_CMD_SEND_CSD OK!
cmd csdlong response[0]:0xa4000c8!
cmd csdlong response[1]:0xe6e37f80!
cmd csdlong response[2]:0x5b590000!
cmd csdlong response[3]:0x400e0032!
cdh:mmc->tran_speed:0x32!
cdh:sd card, mmc->write_bl_len:512!
cdh:yes mmc->high_capacity!
cdh:sd card, mmc->capacity_user:0x737200000 blocks!
cdh:sd card, mmc->write_bl_len2:512!
cdh:MMC_CMD_SELECT_CARD OK!
cdh:MMC_CMD_SET_BLOCKLEN OK!
cdh:mmc->capacity:0x737200000 !
cdh:part_num:0, mmc_set_capacity OK!
crc error or timeout, status is 2008
ak_mmc_read_data:read data failed!
send cmd 51 error, status = 2004
block rw command 51 is failed!
send cmd 51 error, status = 2004
block rw command 51 is failed!
send cmd 51 error, status = 2004
block rw command 51 is failed!
** Bad device mmc 0 **

This happens with any SD Card I try, from 2 GB to 32 GB, FAT or FAT32. The card is recognized since the detected_capacity changes depending on the card size, it just can't do anything with it, apparently.

@audiophonicz

Hello Friends
I thought I might share an alternative method. Forgive me if I'm a little verbose, I'm new to all this and the little details might make it easier on someone else starting out. I recently purchased 4 different little IoT spycams to play with and every one of them ended up being these CLOUD39EV3_AK3918EV300_MNBD devices, so naturally I ended up finding this thread. My goal was also to turn these into straight RTSP devices without the callhome to China or security holes. You guys gave me some good pointers, but ultimately I ran into the same issue as @Arakon with the SD card in U-Boot, only my error was "send cmd 8 error" instead of 51. So SD card was out, no eth so tftp was out, had to find another way. Fortunately it looks like the stuff we don't want is all launched by the last line of the rc.local
/usr/sbin/service.sh start &

so we know that the /etc/jffs2 mount is writable, so if we could only just re-point that /usr/sbin/service.sh to a different one on /etc/jffs2/service.sh we could have full control of what we want to do without needing an SD card or network boot, and let the existing setup start everything else like wifi and camera drivers normally.

Enter /sbin/update_image.sh. specifically the beginning lines

if [ ${style} = ${norflash} ];then
        VAR1="uImage"
        VAR2="root.sqsh4"
        VAR3="usr.sqsh4"
        VAR4="usr.jffs2"

        ZMD5="uImage.md5"
        SMD5="usr.sqsh4.md5"
        JMD5="usr.jffs2.md5"
        RMD5="root.sqsh4.md5"
        echo "system file style is squashfs, flash is spi nor flash"

...
fi

DIR1="/tmp"
DIR2="/mnt"

and the last bit

update_rootfs_squash()
{
        echo "check ${VAR2}.........................."
    if [ -e ${DIR1}/${VAR2} ]
    then
            if [ -e ${DIR1}/${RMD5} ];then
                result=`md5sum -c ${DIR1}/${RMD5} | grep OK`
                if [ -z "$result" ];then
                                echo "MD5 check ${VAR2} failed, can't updata"
                                return
                        else
                                echo "MD5 check ${VAR2} success"
                        fi
                fi
        echo "update ${VAR2} under ${DIR1}...."
                if [ ${style} = ${norflash} ];then
                        updater local A=${DIR1}/${VAR2}
                elif [ ${style} = ${nandflash} ];then
                        updater local AK=${DIR1}/${VAR2}
                fi
        fi
}

Now we know this script is looking for a file called root.sqsh4 with an accompanying root.sqsh4.md5 file in the /tmp directory to update the rootfs image. It checks the md5 (not my typo) and then calls the /sbin/updater application to write the rootfs.

My steps from start to finish were:

UART to Uboot and run

setenv init /bin/sh
run setcmd
saveenv
reset

Now you've booted into a prompt as root without login. We change the password

passwd root

which gets written to /etc/jffs2/passwd- [shadow] and is persistent.

Now we manually mount the rest of the filesystem as per /etc/init.d/rcS

mkdir /dev/pts
/bin/mount -av
/bin/echo /sbin/mdev > /proc/sys/kernel/hotplug
mdev -s
mkdir /var/cache
mkdir /var/run
mkdir /var/log
mkdir /var/spool
/bin/mount -t squashfs /dev/mtdblock6 /usr
/bin/mount -t jffs2 /dev/mtdblock5 /etc/jffs2

At this point, if you've already used the app to connect to your wifi, then your SSID, Password, and Security Type are in /etc/jffs2/anyka_cfg.ini. If not, you'll want to fill that in. It's plain text, but we can fix all that later. Easier to just use what's there for now. Now we start telnet, start ftp, and connect to wifi (dhcp), again as per the rc scripts

telnetd &
/bin/tcpsvd 0 21 /sbin/ftpd -w / -t 600 &
/usr/sbin/wifi_manage.sh start

Now we can FTP to the device, and grab the /dev/mtd4 file and save it to a linux box as mtd4.bin. (I'm using Ubuntu 20.04)
Switch over to your linux box and run binwalk against the mtd4.bin

binwalk mtd4.bin

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             Squashfs filesystem, little endian, version 4.0, compression:xz, size: 1362996 bytes, 341 inodes, blocksize: 131072 bytes, created: 2021-12-24 20:15:40

Now we know the blocksize is the default 131072 bytes and the compression is xz. So we can now unsquash mtd4.bin and make that little change to rc.local.

mkdir unsquashed
cd unsquashed
mv ~/Desktop/mtd4.bin mtd4.bin
unsquashed$ unsquashfs -d unsquashed/mtd4 mtd4.bin
ls -l
total 1336
drwxrwxr-x 13 user user    4096 Aug 27 04:09 mtd4
-rw-r--r--  1 user user 1363968 Dec 24 15:15 mtd4.bin

Now we have a directory called mtd4 with the rootfs image expanded to it. We can go in and make our changes to /etc/init.d/rc.local. I personally commented out the ftpd start line, and changed the last line "/usr/sbin/service.sh start &" to read "/etc/jffs2/service.sh start &"

Now we recompress mtd4 back to squashfs using the default 131072 blocksize and xz compression we found above, but this time we're going to name it root.sqsh4 like that update_image.sh script wants. Back in the unsquashed dir that contains the mtd4 extracted dir

ls -l
total 1336
drwxrwxr-x 13 user user    4096 Aug 27 04:09 mtd4
-rw-r--r--  1 user user 1363968 Dec 24 15:15 mtd4.bin
mksquashfs mtd4 root.sqsh4 -b 131072 -comp xz -Xdict-size 100%
Parallel mksquashfs: Using 4 processors
Creating 4.0 filesystem on root.sqsh4, block size 131072.
[====================================================================================================/] 330/330 100%

Exportable Squashfs 4.0 filesystem, xz compressed, data block size 131072
        compressed data, compressed metadata, compressed fragments,
        compressed xattrs, compressed ids
        duplicates are removed
Filesystem size 1331.05 Kbytes (1.30 Mbytes)
        27.49% of uncompressed filesystem size (4841.71 Kbytes)
Inode table size 2284 bytes (2.23 Kbytes)
        20.34% of uncompressed inode table size (11228 bytes)
Directory table size 2778 bytes (2.71 Kbytes)
        53.31% of uncompressed directory table size (5211 bytes)
Number of duplicate files found 2
Number of inodes 341
Number of files 306
Number of fragments 12
Number of symbolic links  18
Number of device nodes 0
Number of fifo nodes 0
Number of socket nodes 0
Number of directories 17
Number of ids (unique uids + gids) 1
Number of uids 1
        user (1000)
Number of gids 1
        user (1000)
unsquashed$ ls -l
total 2668
drwxrwxr-x 13 user user    4096 Aug 27 04:09 mtd4
-rw-r--r--  1 user user 1363968 Dec 24 15:15 mtd4.bin
-rw-r--r--  1 user user 1363968 Dec 25 13:06 root.sqsh4

Now we take this root.sqsh4 file from our linux box and using FTP we drop it back on the device in /tmp. Remember we're still booted in a console with /bin/sh and all the filesystems mounted. Also remember that we hijacked rc.local to init our /etc/jffs2/service.sh script, so let's create that quick.

vi /etc/jffs2/service.sh

and we add

#! /bin/sh

#start and connect to wifi.  You will need to have your SSID and password in /etc/jffs2/anyka_cfg.ini
/usr/sbin/wifi_manage.sh start

#turn off the annoying blinking LEDs while you tinker (after wifi starts)
sleep 20
/usr/sbin/wifi_led.sh force_off
/usr/sbin/capture_led.sh force_off

#set a hostname
/bin/hostname customfw

#verify we booted the new image
echo "Custom Firmware Open For Business!!!"

Ok, now back to the firmware. cd back to /tmp where you dropped your root.sqsh4 file.
First we have to make the md5

md5sum root.sqsh4 > root.sqsh4.md5

And now for the magic, updating the rootfs from within the rootfs with the update_image.sh script
Note: for some reason the update_image.sh has mnt in the shebang, so we tell it to run using sh

/tmp]$ sh ./sbin/update_image.sh
system file style is squashfs, flash is spi nor flash
############ updater_image.sh  begin#############
check uImage.............................
check usr.jffs2........................
check usr.sqsh4..........................
check root.sqsh4..........................
MD5 check root.sqsh4 success
update root.sqsh4 under /tmp....
partname:A
ALpartition:/tmp/root.sqsh4
FHA:part: Sflash_Open file_num:6
FHA:open T:2, R:1, H:0, K:1536, S:2306048, N:A
FHA:open ex_fs F:1363968, C:0
FHA:medium_flag:0, medium_type:0
Update from local file
Start To Update ASA
open /dev/mtd9 failed
update asa_data 0 failed
Open /dev/mtd4, file name:/tmp/root.sqsh4
Start to erase /dev/mtd4, Don`t halt the system!
.................
Erase done
update mtd4 success
######### Update End! You Should Reboot The System ######!
############ update finished, reboot now #############
Restarting system.

Restarting Linux version 3.4.35 (win@ubuntu) (gcc version 4.8.5 (anyka (gcc-4.8.5 + binutils-2.24 + ulcibc-0.9.33.2)(20170223)) ) #123 Sat Jul 3 16:41:13 CST 2021

and now when you reboot you should see it run thru the normal startup, start and connect to wifi, and the last 3 commands we put into our /etc/jffs2/service.sh script, and be able to login with root and the password you set back at the start of this adventure

/usr/sbin/wifi_led.sh force_off
/usr/sbin/capture_led.sh force_off
Custom Firmware Open For Business!!!
root
Password:
welcome to file system
[root@customfw ~]$

Voilà! You can log in via UART console or telnet, wifi connected, camera drivers loaded, LEDs set to off, a writable partition that runs init scripts, all with no SD card, and no callhome or pesky open ports. Now... to pick apart that /usr/bin/ak_rtsp_demo
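
Added example, not part of the original comment or of the vendor script: `update_image.sh` as quoted only compares an MD5 that sits next to the image, and skips even that when the `.md5` file is absent, so it catches a corrupted transfer but not an image that is too large for the partition or was built with different SquashFS parameters. The check below reads the superblock of the repacked image and of the stock one before anything is written. The function names, the 1024K ROOT size (taken from the `mtdparts` string earlier in the thread) and the synthetic images are assumptions of this sketch.

```python
from __future__ import annotations
import hashlib
import struct
from typing import NamedTuple

# SquashFS 4.0 superblock, little-endian, first 48 bytes of the image:
# magic, inodes, mkfs_time, block_size, fragments, compression, block_log,
# flags, no_ids, s_major, s_minor, root_inode, bytes_used
SUPERBLOCK = struct.Struct("<4sIIIIHHHHHHQQ")
COMPRESSORS = {1: "gzip", 2: "lzma", 3: "lzo", 4: "xz", 5: "lz4", 6: "zstd"}
ROOT_PARTITION = 1024 * 1024  # 1024K@2048K(ROOT) in the mtdparts from the thread

class SqfsInfo(NamedTuple):
    version: tuple
    compression: str
    block_size: int
    inodes: int
    bytes_used: int  # the "size:" value binwalk prints

def read_superblock(image: bytes) -> SqfsInfo:
    """Decode the fields that must match what the camera's kernel can mount."""
    if len(image) < SUPERBLOCK.size or image[:4] != b"hsqs":
        raise ValueError("not a little-endian SquashFS image")
    (_, inodes, _, block_size, _, comp, block_log,
     _, _, major, minor, _, used) = SUPERBLOCK.unpack_from(image)
    if block_size != 1 << block_log:
        raise ValueError("corrupt superblock: block_size does not match block_log")
    return SqfsInfo((major, minor), COMPRESSORS.get(comp, f"id {comp}"),
                    block_size, inodes, used)

def preflight(new: bytes, stock: bytes, partition_size: int) -> list[str]:
    """Return the differences worth resolving before `new` replaces `stock`."""
    n, s = read_superblock(new), read_superblock(stock)
    findings = []
    # The file is padded to 4 KiB, so compare the file length, not bytes_used.
    if len(new) > partition_size:
        findings.append(f"image is {len(new)} bytes, partition holds {partition_size}")
    if n.bytes_used > len(new):
        findings.append(f"truncated: superblock claims {n.bytes_used} bytes, "
                        f"file has {len(new)}")
    if n.version != s.version:
        findings.append(f"version {n.version} differs from stock {s.version}")
    if n.compression != s.compression:
        findings.append(f"compression {n.compression} differs from stock {s.compression}")
    if n.block_size != s.block_size:
        findings.append(f"block size {n.block_size} differs from stock {s.block_size}")
    return findings

def md5_sidecar(image: bytes, name: str) -> str:
    """Line in the format `md5sum NAME > NAME.md5` writes and `md5sum -c` reads."""
    return f"{hashlib.md5(image).hexdigest()}  {name}\n"

def constructed_image(block_size: int, comp_id: int, bytes_used: int) -> bytes:
    """Synthetic image: a valid superblock followed by zero padding to 4 KiB."""
    sb = SUPERBLOCK.pack(b"hsqs", 1, 0, block_size, 0, comp_id,
                         block_size.bit_length() - 1, 0, 1, 4, 0, 0, bytes_used)
    padded = -(-bytes_used // 4096) * 4096
    return sb + bytes(padded - len(sb))

if __name__ == "__main__":
    # Constructed stand-ins: stock root (xz, 128 KiB blocks, 997666 bytes) and
    # a repack made with `-b 1048576`; sizes are illustrative only.
    stock = constructed_image(131072, 4, 997666)
    repack = constructed_image(1048576, 4, 937953)
    for finding in preflight(repack, stock, ROOT_PARTITION) or ["no findings"]:
        print(finding)
    print(md5_sidecar(repack, "root.sqsh4"), end="")
```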

@burlizzi

burlizzi commented Dec 26, 2021

Good job. Unfortunately ak_rtsp_demo is limited to 720p, no ptz, no IR filter, no IR led, no motion detection.
Try this #1672 (comment)
It's the anyka_ipc with ONVIF and all the features enabled.
Source is here https://github.com/burlizzi/qiwen

@RataDP

RataDP commented Jul 31, 2022

I have bricked my camera. It is not the same firmware. I used to use the app IPCamPro, but with this firmware I cannot log in to the camera or change the root password, nor interrupt the U-Boot process.

Is anybody able to share the SPI flash dump for the firmware you are talking about, to try to enable the login at least?

Thanks!!

@burlizzi

burlizzi commented Aug 3, 2022

The binaries are here #1672 (comment)
But if you cannot stop the uboot process it would be useless, you should remove the flash memory and write with an external programmer

@RataDP

RataDP commented Aug 3, 2022

The binaries are here #1672 (comment) But if you cannot stop the uboot process it would be useless, you should remove the flash memory and write with an external programmer

Yeah, I know. I got an SPI flasher. This is the way I enabled telnet, but I cannot change the credentials to log in. Playing with this I bricked the firmware and cannot connect to the camera.
I got my initial backup, with that the camera is working with the Chinese app again, but I will use RTSP for privacy and to avoid using data from my 4G plan.
