CW017 research #21

Open
guino opened this issue Feb 7, 2021 · 130 comments

@guino
Owner

guino commented Feb 7, 2021

Here's a couple of images. Looks similar to the board in #11 from @swisslegacy

PXL_20210207_233815784.jpg

PXL_20210207_233849051.jpg

Originally posted by @parkerlreed in #2 (comment)

@parkerlreed

parkerlreed commented Feb 7, 2021

👍 Thanks. Good idea keeping tracking in a separate thread (that's a pain in the ass to expand all the comments in the main)

@guino
Owner Author

guino commented Feb 7, 2021

@parkerlreed yes :) similar but different hardware. The uart pads will likely be on the other side by removing the 4 silver colored screws

@parkerlreed

Trying the 2.7.x files from #11 here's what I observe

  • Light blinks red and blue after holding reset for 5 seconds
  • I release, it sits on red for a second, and then goes blue
  • Stays solid blue (and never gets to the "Hey Im booted" beep)
  • Wait a couple minutes and check SD card
  • Looks to be the original MBR
    image

2.9.x on my first try resulted in a corrupted MBR which made me think it worked but was the same result (and subsequent tries the MBR stays intact)

  • Red and blue after 5 seconds
  • This time stays red for about 20 seconds
  • Proceeds to boot normally
    image

@parkerlreed

Inside shot

PXL_20210208_000123729.jpg

@guino
Owner Author

guino commented Feb 8, 2021

There’s usually data left in the sectors of the card from before doing #11 so if you want to see if the process did anything you would have to zero out the sectors before using #11:

dd if=/dev/zero of=/dev/mmcblkX bs=512 count=32768 seek=1

@guino
Owner Author

guino commented Feb 8, 2021

Serial pins should be the 4 pads on the bottom left of the picture you posted.

@guino
Owner Author

guino commented Feb 8, 2021

You can use the screw hole as ground and test which is ground from the pads, then test which is 3.3v using pin 8 of the flash chip. Or you can just solder wires and swap them until you find what is rx, tx and ground (no need to connect 3.3v). Just make sure you don’t pull hard on wiring after soldering or they will come right out of the board.

@guino
Owner Author

guino commented Feb 8, 2021

This should be pin 8 of the flash (3.3v) :

7BF53C1F-B857-4F6E-A5FD-C0B9068C93C9

@parkerlreed

I tried zero'ing out beforehand and no difference. (Stayed blank instead of having any data)

Does the device not care that I blew out the MBR?

@guino
Owner Author

guino commented Feb 8, 2021

The MBR is sector 0 (zero) the command I gave was supposed to start zeroing from sector 1 - but I realize I forgot to pass the parameter seek=1, it should have been:

dd if=/dev/zero of=/dev/mmcblkX bs=512 count=32768 seek=1

that was my bad - you would probably have to redo #11 to build a new MBR now.
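Added example, not part of any comment in this thread: what `seek=1` changes, shown on an in-memory card image constructed for the purpose instead of a real `/dev/mmcblkX`. The function names are made up here; the partition values in the sample image are constructed, not taken from the camera's card.

```python
import struct

SECTOR = 512


def build_card_image(sectors=64):
    """Constructed sample: MBR with one FAT32 partition, stale data in sector 5."""
    img = bytearray(sectors * SECTOR)
    # Partition entry 0 at offset 446: type 0x0C (FAT32 LBA), starting at LBA 32.
    struct.pack_into("<B3sB3sII", img, 446,
                     0x00, b"\0" * 3, 0x0C, b"\0" * 3, 32, sectors - 32)
    img[510:512] = b"\x55\xaa"  # MBR boot signature
    img[5 * SECTOR:5 * SECTOR + 4] = b"OLD!"
    return img


def zero_sectors(img, count, seek=0):
    """Same effect on a block device as dd if=/dev/zero bs=512 count=N seek=S."""
    start = min(len(img), seek * SECTOR)
    end = min(len(img), start + count * SECTOR)
    img[start:end] = bytes(end - start)


def read_mbr(img):
    """Return [(type, first_lba, sectors), ...] or None if the signature is gone."""
    if bytes(img[510:512]) != b"\x55\xaa":
        return None
    parts = []
    for i in range(4):
        entry = struct.unpack_from("<B3sB3sII", img, 446 + 16 * i)
        _boot, _chs_first, ptype, _chs_last, lba, count = entry
        if ptype:
            parts.append((ptype, lba, count))
    return parts


def dirty_sectors(img, first=1, count=32768):
    """Sector numbers in [first, first + count) that still hold non-zero bytes."""
    last = min(len(img) // SECTOR, first + count)
    return [s for s in range(first, last)
            if any(img[s * SECTOR:(s + 1) * SECTOR])]
```

To check a real card, read its first 32769 sectors into a `bytearray` and pass that to `read_mbr` and `dirty_sectors`.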

@parkerlreed

As for the serial, I have a couple Pi Zeros I can try and get working (They do have 3.3v UART right?)

Thanks for the tips.

@guino
Owner Author

guino commented Feb 8, 2021

Yeah you could wire the serial from a pi zero directly.

@guino
Owner Author

guino commented Feb 8, 2021

@parkerlreed I can’t read the numbers on the chips but based on the previous version of the board the flash may actually be the one on the other side of the board instead of the one I posted above (pin 8 3.3v marked):
9D8DBEDD-9FB3-4E4D-9F09-A43905EEEB13

Like I said before you don’t need to connect the 3.3v I only marked it as a way to try and determine which pads to use (so you don’t need to solder a wire to the 3.3v pad).

@parkerlreed

U-Boot 2013.10.0-AK_V3.0.07 (Sep 19 2020 - 14:46:53)

DRAM:  64 MiB
8 MiB
ANYKA SDHC/MMC4.0: 0
PPS:Sep 19 2020 14:46:58   anyka_c3:  0 
                                        magic err
magic err
command:setenv bootargs mem=64M console=ttySAK0,115200n8 loglevel=10   mtdparts=spi0.0:256k(bld),64k(env),64k(enc),64k(sysflg),3m(sys),4032k(app),640k(cfg) ppsAppParts=5 ip=192.168.1.99:::255.255.255.0 eth=00:55:7b:b5:7d:f7
## Booting kernel from Legacy Image at 81c08000 ...
   Image Name:   Linux-3.4.35
   Image Type:   ARM Linux Kernel Image (uncompressed)
   Data Size:    2789360 Bytes = 2.7 MiB
   Load Address: 81c08000
   Entry Point:  81c08040
   Verifying Checksum ... OK
   XIP Kernel Image ... OK

Starting kernel ...

Uncompressing Linux... done, booting the kernel.
Anyka Linux Kernel Version: 1.1.12
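Added example, not part of any comment in this thread: the `mtdparts=` string in the boot log above fully describes the SPI flash layout, and this parser turns it into partition offsets and checks that they add up to the flash size. It assumes the bare "8 MiB" line in the log is the SPI flash size; the function names are made up here.

```python
import re

# Kernel command line from the U-Boot log in this thread (ip= and eth= omitted).
BOOTARGS = (
    "mem=64M console=ttySAK0,115200n8 loglevel=10 "
    "mtdparts=spi0.0:256k(bld),64k(env),64k(enc),64k(sysflg),"
    "3m(sys),4032k(app),640k(cfg) ppsAppParts=5"
)
FLASH_SIZE = 8 * 1024 * 1024  # assumption: the "8 MiB" line is the SPI flash

_UNITS = {"": 1, "k": 1 << 10, "m": 1 << 20, "g": 1 << 30}
_NUM = r"(?:0x[0-9a-f]+|\d+)[kmg]?"
_PART = re.compile(
    rf"(?P<size>-|{_NUM})(?:@(?P<off>{_NUM}))?(?:\((?P<name>[^)]*)\))?(?:ro|lk)*$",
    re.I)


def _num(text):
    """Convert '256k', '3m' or '0x40000' to a byte count."""
    unit = text[-1].lower() if text[-1].lower() in "kmg" else ""
    digits = text[:-1] if unit else text
    return int(digits, 16 if digits.lower().startswith("0x") else 10) * _UNITS[unit]


def parse_mtdparts(cmdline, flash_size=None):
    """Return {device: [(name, offset, size), ...]} for the mtdparts= argument."""
    found = re.search(r"(?:^|\s)mtdparts=(\S+)", cmdline)
    if not found:
        raise ValueError("no mtdparts= argument on the command line")
    layout = {}
    for devspec in found.group(1).split(";"):
        device, _, partlist = devspec.partition(":")
        cursor, parts = 0, []
        for spec in partlist.split(","):
            m = _PART.match(spec)
            if not m:
                raise ValueError(f"bad partition spec: {spec!r}")
            # Without an explicit @offset a partition starts where the last ended.
            offset = _num(m["off"]) if m["off"] else cursor
            if m["size"] == "-":  # "-" means "rest of the device"
                if flash_size is None:
                    raise ValueError("'-' size needs flash_size")
                size = flash_size - offset
            else:
                size = _num(m["size"])
            parts.append((m["name"] or "", offset, size))
            cursor = offset + size
        layout[device] = parts
    return layout


def check_fits(parts, flash_size):
    """True when partitions are contiguous from offset 0 and end at flash_size."""
    end = 0
    for _name, offset, size in parts:
        if offset != end:
            return False
        end = offset + size
    return end == flash_size
```

`parse_mtdparts(BOOTARGS)["spi0.0"]` gives the offsets needed to carve `sys`, `app` and `cfg` out of a full flash dump for inspection.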

@parkerlreed

Also for reference here's the listing for this camera https://www.walmart.com/ip/Merkury-Innovations-Smart-Wifi-Camera-1080p-2-Way-Communication/679786717

@parkerlreed

parkerlreed commented Feb 10, 2021

Middle two. TX on right hand side. PXL_20210210_023057636.jpg

@guino
Owner Author

guino commented Feb 10, 2021

Send me an email and I can send you something to help out

@parkerlreed

Sent. Thanks.

@guino
Owner Author

guino commented Feb 10, 2021

Based on the bootargs shown the method used for Merkury 720p (my other repo) should work if you just adjust the load address (looks like 81c08000?)

@parkerlreed

Thanks. Will give it a shot

@parkerlreed

So do I do the port 80 enable first and then the rest?

@guino
Owner Author

guino commented Feb 10, 2021 via email

@parkerlreed

parkerlreed commented Feb 10, 2021

I'm sure I'm probably just being thick here. I am typing this correctly?

image

@guino
Owner Author

guino commented Feb 10, 2021

Remove the hack= part and only do what is after the = sign .. the hack= part is to set the environment from file which is not needed in uboot.

@guino
Owner Author

guino commented Feb 10, 2021

Actually nevermind that, we need to figure out where the files are loaded, can you execute printenv and post the response ?

@parkerlreed

parkerlreed commented Feb 10, 2021

Ok so something like this?

setenv bootargs ${bootargs} '- ip=30;/mnt/mmc01/initrun.sh)&:::::;date>/tmp/hack;(sleep
ipaddr=0
bootm 0x81c08000

ipaddr is supposed to be its own command or part of the first one? (There's a newline in the env so that's what's confusing me)

@guino
Owner Author

guino commented Feb 10, 2021

Without being familiar with uboot it will be easier to just modify the hack for your camera — with the printenv output I can probably do it.

the commands from the env file would have to be like this I think:

setenv hack 'setenv bootargs ${bootargs} \'- ip=30;/mnt/mmc01/initrun.sh)&:::::;date>/tmp/hack;(sleep'

then another command:

setenv ipaddr '0;run hack;bootm 0x81c08000;'

It would be nice if you execute and post the output for printenv and for help so I know what is available

@parkerlreed

pps # printenv
baudrate=115200
bootargs=mem=64 console=ttySAK0,115200n8 loglevel=10
bootcmd=loadk;bootm 0x81C08000
bootdelay=3
console=ttySAK0,115200n8 loglevel=10 
ethaddr=00:55:7b:b5:7d:f7
ipaddr=192.168.1.99
memsize=64M
netmask=255.255.255.0
serverip=192.168.1.1
setcmd=setenv bootargs console=${console}  mem=${memsize}
sf_hz=20000000
stderr=serial
stdin=serial
stdout=serial
ver=U-Boot 2013.10.0-AK_V3.0.07 (Sep 19 2020 - 14:46:53)

Environment size: 455/4088 bytes
pps # help
?       - alias for 'help'
auth    - encrypt product authfile
base    - print or set address offset
bootm   - boot application image from memory
clearCfg- clearCfg
cmp     - memory compare
cp      - memory copy
crc32   - checksum calculation
devmem  - read or write register, now just read
downimage- downimage   - download and write All-Image to FLASH device,partiton table from ENV partition.
downjffs2fs- load usr.jffs2 tftp
downkernel- load uImage tftp
downrootfs- load root.sqsh4 tftp
downsquashfs- load usr.sqsh4 tftp
downuboot- load uboot tftp
env     - environment handling commands
envreset- reset env para
erase   - erase FLASH memory
fatinfo - print information about filesystem
fatload - load binary file from a dos filesystem
fatls   - list files in a directory (default /)
flinfo  - print FLASH memory information
format  - erase all flash except bootloader part
go      - start application at address 'addr'
help    - print command description/usage
loadk   - load kernel to DRAM  
loop    - infinite loop on address range
md      - memory display
mm      - memory modify (auto-incrementing address)
mmc     - MMC sub system
mmcboot - from mmc start
mmcinfo - display MMC info
mw      - memory write (fill)
nm      - memory modify (constant address)
parts   - read out partitions table info.
parts_adjust- 
adjust parts info. Each part's size,offset etc.

pcbMenu - select Pcb
printenv- print environment variables
protect - enable or disable FLASH write protection
readcfg - read config from config.
reset   - Perform RESET of the CPU
run     - run commands in an environment variable
saveenv - save environment variables to persistent storage
setenv  - set environment variables
setloadaddr- set loadaddr to  config infor .
sf      - spi flash sub-system:
tfdownjffs2fs- load usr.jffs2TF
tfdownkernel- load uImageTF
tfdownrootfs- load root.sqsh4TF
tfdownsquashfs- load usr.sqsh4TF
tfdownuboot- load u-boot.binTF
tfupdateimage- tfupdateimage   - download and write All-Image to FLASH device
uartdown- down style 0:tftp 1:uart 2:mmc
upa     - update app image appfile
upb     - update bootloader bldfile
update  - update upgrade.bin
updatecfg- update config from config infor table.
upe     - update auth image authfile
upf     - update firmware, format and update (factory use upffile)
upk     - update uImage kernelfile
upr     - update backup.img
version - print monitor, compiler and linker version

@parkerlreed

parkerlreed commented Feb 10, 2021

After setting those two

bootargs=mem=64 console=ttySAK0,115200n8 loglevel=10 - ip=30;/mnt/mmc01/initrun.sh)&:::::;date>/tmp/hack;(sleep
ipaddr=0;run hack;bootm 0x81c08000;

Should be good to power cycle?

@guino
Owner Author

guino commented Feb 10, 2021

There’s a very good chance that if you just adjust the address in ppsMmcTool.txt and env files from the merkury 720p project to 81c08000 (instead of 81808000) you should be able to install the hack using the steps in that repo - that is what I would try first.

@parkerlreed

parkerlreed commented Feb 10, 2021

onvif (tuya_config.json) did reset. I forgot 8080 was the hack webserver.

~ # cat /home/cfg/tuya_config.json 
{
        "version":      0,
        "sleep_mode":   0,
        "alarm_fun_onoff":      0,
        "alarm_fun_sensitivity":        1,
        "alarm_fun_mode_switch":        0,
        "alarm_fun_time_start": 0,
        "alarm_fun_time_end":   0,
        "flip_onoff":   0,
        "light_onoff":  1,
        "night_mode":   0,
        "sound_detect_onoff":   0,
        "sound_detect_sensitivity":     0,
        "watermark_onoff":      1,
        "event_record_time":    60,
        "enable_event_record":  2,
        "record_enable":        1,
        "motion_trace": 1,
        "motion_area_switch":   0,
        "motion_area":  "",
        "motion_tracking":      0,
        "cry_detection_switch": 0,
        "humanoid_filter":      0,
        "loudspeaker_vol_pct":  100,
        "onvif_enable": 0,
        "onvif_pwd":    "admin"
}

@parkerlreed

parkerlreed commented Feb 10, 2021

Ok bit the bullet and took the update. 4.0.6

Hack still works.

New ppsapp
--deleted--

@guino
Owner Author

guino commented Feb 10, 2021

The new one looks like the old one too (not in the same format as 2.7.x and 2.9.x) -- the mjpeg/snap address should be: 00375b1c if you want to try play.cgi the address should be: 00376328 I still need more time to look at enabling RTSP/ONVIF (whatever is possible)

@guino
Owner Author

guino commented Feb 10, 2021

--deleted--
I made a change to force the onvif_enable setting to 1 -- can you unzip it on the root of SD card, RENAME it to ppsapp and reboot to see if you get anything ? check open ports or even rtsp://IP:8554/Streaming/Channels/101 (may need user password admin:admin) -- I have no idea if this will work but it's worth a shot. Additionally while you do this test, can you create a log file with the ppsapp (it can be helpful locating functions) -- just edit custom.sh so that the line /mnt/mmc01/ppsapp & looks like this: /mnt/mmc01/ppsapp 2>&1 > /mnt/mmc01/ppsapp.log & then after the reboot the file ppsapp.log should be in the SD card (and you can download it with http://user:password@IP:8080/ppsapp.log )

EDIT: Looking a little more in the code the change has good potential to enable onvif, the question is if the onvif implementation works (or if at least RTSP works)

@parkerlreed

Will check it out and report back. I brought the camera to work but forgot the SD card. Doh.

@parkerlreed

Do I still need to enable onvif in tuya_config or should that have forced it? Without touching the cfg, it doesn't appear to be open.

ppsapp.log

[parker@wolfcola ~]$ nmap 192.168.1.103
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-12 23:20 EST
Nmap scan report for 063492731.lan (192.168.1.103)
Host is up (0.023s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
23/tcp   open  telnet
6668/tcp open  irc
8080/tcp open  http-proxy

@guino
Owner Author

guino commented Feb 13, 2021

You should not need to modify the json file but did you try onvif device manager or something similar anyway? The onvif/rtsp may be udp only and not show up on nmap - I will take a look at the log to see if I can find anything.

@guino
Owner Author

guino commented Feb 13, 2021

Nevermind.. from the log it looks like the onvif function did not open as I hoped - either the change I made did not work OR the patched file did not run — since you got a log file I am certain that you placed the file in the right place and rebooted the device so unless it was the wrong file (unlikely) I assume the change I made was not enough. I will review and give you something else to try.

@guino
Owner Author

guino commented Feb 13, 2021

--deleted--

Can you try this one and make me another log ? I made 3 changes to ensure the onvif setting would be enabled in all places that were setting it.

@guino
Owner Author

guino commented Feb 16, 2021

@parkerlreed I assume you had no chance to try the new changes yet ?

@parkerlreed

Have not. Sorry. Been tied up with work. I can test it tonight.

@parkerlreed

8000 is open this time

What's the onvif username/password? I haven't been able to connect with any combo yet.

Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-17 20:13 EST
Nmap scan report for 063492731.lan (192.168.1.103)
Host is up (0.021s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE
23/tcp   open  telnet
6668/tcp open  irc
8000/tcp open  http-alt
8080/tcp open  http-proxy

Nmap done: 1 IP address (1 host up) scanned in 0.51 seconds

@parkerlreed

parkerlreed commented Feb 18, 2021

Log
ppsapp.1.log

@guino
Owner Author

guino commented Feb 18, 2021

Should be admin/admin - you may want to check onvif device manager (Windows) or some onvif app.

You may want to try rtsp://IP:8554/Streaming/Channels/101 (may need user password admin:admin) and probably only will work on udp since tcp is not open

@parkerlreed

That worked!

UDP 8554 and admin:admin

Since that worked is there any way to kill the connection to the tuya servers...

@parkerlreed

Screenshot_20210217-202350.png

@guino
Owner Author

guino commented Feb 18, 2021

Awesome!

Offline requires more changes and this being a totally different code it would require more research into it. I wonder also if there’s a time limit in using rtsp (udp) and wonder if tcp may also work (just not detected by nmap). I can take a quick look but no promises on the offline thing.

@guino
Owner Author

guino commented Feb 18, 2021

By the way the same url /102 should be low resolution stream.

@parkerlreed

Ahh yes TCP worked as well

@parkerlreed

Screenshot_20210217-203040.png

@parkerlreed

102 is indeed 640x480

@guino
Owner Author

guino commented Feb 18, 2021

Cool! I will create/post a patch and probably make another repo with details of this camera just for future reference. If I find something regarding the offline mode I will let you know so you can test it.

@parkerlreed

parkerlreed commented Feb 18, 2021

Trying with an ONVIF viewer on the computer and the device doesn't seem to be in spec for full operation. Two tools have failed to probe the full info/connect to the camera fully. Manual RTSP viewing is fine.

WSDDThread::probe
addDevice : "http://192.168.1.103:8000/onvif/device_service" , manual: false
wsdd: probe_done
"PPS-IPC\nAddress: 192.168.1.103\nFirmware: ppstrong-a3-tuya2_merkury-4.0.6.20210207\nLocation: Country/China/Hz"
on_listWidget_Devices_currentRowChanged,2323: 0==============================
wsddList.size():1
url: "http://192.168.1.103:8000/onvif/device_service"
initDevice: Bad onvif device
455 ,error: initDevice
on_worker_error ID: 0 ,: ""

@guino
Owner Author

guino commented Feb 18, 2021

@parkerlreed New repo is up with details from here and from ghidra work: https://github.com/guino/Merkury1080P

@guino
Owner Author

guino commented Feb 18, 2021

@parkerlreed if you'd like to try the device off-cloud you can use this patch:
ppsapp-onvif-offline.zip

Please note that you'll need to block off the tuya servers on your router AND add a call to ntpd like this: #4 (comment) in order to set the time on the device (or it will display incorrect time). Since this is a wifi device it's obvious it has to connect to some network in order to be used but this patch should allow it to start up without waiting 'forever' to connect to the tuya servers so you could use it in an isolated network with access to a local ntp server (or you could just use some other script/way to set the time in it when it boots up).

There may be other information on #4 that could be relevant so it may be worth glancing over.

If you do find the time to test it let me know how that goes.

@mariarti

mariarti commented Feb 19, 2022

how to interrupt U-boot at PPS:Sep 19 2020 14:46:58 anyka_c3: 0
Ctrl+C didn't work
ps
found - "space bar", but asking password
please input password::

@guino
Owner Author

guino commented Feb 19, 2022

@mariarti send me an email (it is on my github profile) and I can help you out.
