merkury720's Issues

Quick question about the rooting

Hi,
I succeeded in rooting the camera, big thanks for that.
But there is something that I don't understand and I wanted an answer in order to make my school project's presentation interesting.
I understood that the custom initrun.sh on the sdcard is certainly loaded into the camera memory (or the device boots from the sdcard?), then runs custom.sh, then launches the telnet server, httpd server ...
But I am not able to understand what is specifically done when we boot the camera while pressing the reset button. Is it switched into another mode that boots from the sdcard or something? Is it mentioned in the flash dump?
Sorry if my English sucks :/

Thanks in advance.

Busybox version with more compiled features here!

Here is an (almost entirely complete) compiled busybox for the armv5 arch. This can be a drop-in replacement (after renaming), or leave it as is and run its commands from telnet/script/etc. by calling the binary (/mnt/mmc01/busybox-merkury [options]) as needed. Provides much more functionality if you want to hack more together! Examples include routing, ftpd, etc. I use it for FTP to retrieve images for permanent storage.
shell example: /mnt/mmc01/busybox-merkury tcpsvd -vE 0.0.0.0 21 /mnt/mmc01/busybox-merkury ftpd /mnt/mmc01
will serve /mnt/mmc01/ on all network interfaces

Attached:
busybox-merkury.zip

Assistance with Older Merkury/Geeni 720p Camera (GN-CW015)

I have an older model/version of the Merkury/Geeni 720 IP camera (CW015). The Geeni app reports that it is running firmware version 1.3.0. I have tried the steps in the guide at https://github.com/guino/Merkury720 without success. Reference photos included below.

Using nmap, I found the following open ports:

Service Port Proto Info
telnet 23 tcp BusyBox telnetd
? 5552 tcp
irc 6668 tcp
tcpwrapped 7101 tcp
tcpwrapped 7103 tcp

I was able to telnet in but am unable to gain root access (username Default, empty password).

I was also able to access the UART using the 3 holes at the top right of the second picture below. Here is the output I get without an SD card inserted at boot (truncated):

console init done


U-Boot 2012.10 (Jan 26 2018 - 10:37:56) for GK7102S GOS-h62-v1.0 (GOKE)

HAL:   20160804
DRAM:  64 MiB
Flash: [EN25Q128] USE 4X mode read and 4X mode write
16 MiB
NAND:  [No SPI nand]
SD/MMC: 0
SF:    16 MiB [page:256 Bytes] [sector:64 KiB] [count:256] (EN25Q128)
In:    serial
Out:   serial
Err:   serial
Net:   Int PHY
have no userfs
Hit Enter key to stop autoboot:  0
[PROCESS_SEPARATORS] gkupdate all;sf probe;sf read c1000000 0x50000 400000;bootm c1000000
Enable update uboot
MMC: no card present
SF:    16 MiB [page:256 Bytes] [sector:64 KiB] [count:256] (EN25Q128)
put param to memory
mem size (45)
total mem size (64)
bsb size (2)
usr size (0)

the kernel image is zImage or Image
entry = 0xc1000000
## Transferring control to Linux (at address c1000000)...

Starting kernel ...

machid = 3988 r2 = 0xc0000100
Uncompressing Linux... done, booting the kernel.
[    0.000000] Booting Linux on physical CPU 0
[    0.000000] Linux version 3.4.43-gk (root@ubuntu) (gcc version 4.6.1 (crosstool-NG 1.18.0) ) #12 PREEMPT Wed Aug 15 16:01:16 CST 2018
[    0.000000] CPU: ARMv6-compatible processor [410fb767] revision 7 (ARMv7), cr=00c5387d
[    0.000000] CPU: VIPT aliasing data cache, VIPT aliasing instruction cache
[    0.000000] Machine: Goke IPC Board
[    0.000000] Memory policy: ECC disabled, Data cache writeback
[    0.000000] AHB: 0x90000000  0xf2000000  -- 0x1000000
[    0.000000] APB: 0xa0000000  0xf3000000  -- 0x1000000
[    0.000000] PPM: 0xc0000000  0xc0000000  -- 0x200000
[    0.000000] BSB: 0xc2f00000  0xf5000000  -- 0x200000
[    0.000000] DSP: 0xc3100000  0xf6000000  -- 0xef0000
[    0.000000] USR: 0xc3ff0000  0xfe000000  -- 0x10000
[    0.000000] hal version = 20160804
[    0.000000] Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 11430
[    0.000000] Kernel command line: console=ttySGK0,115200 noinitrd root=/dev/mtdblock3 rootfstype=squashfs mtdparts=gk_flash:256K(boot),64K(env),2560K(kernel),4096K(rootfs),5312K(config),-(userfs) mem=45M phytype=0
[    0.000000] PID hash table entries: 256 (order: -2, 1024 bytes)
[    0.000000] Dentry cache hash table entries: 8192 (order: 3, 32768 bytes)
[    0.000000] Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)
[    0.000000] Memory: 45MB = 45MB total
[    0.000000] Memory: 40892k/40892k available, 5188k reserved, 0K highmem
[    0.000000] Virtual kernel memory layout:
[    0.000000]     vector  : 0xffff0000 - 0xffff1000   (   4 kB)
[    0.000000]     fixmap  : 0xfff00000 - 0xfffe0000   ( 896 kB)
[    0.000000]     DMA     : 0xff600000 - 0xffe00000   (   8 MB)
[    0.000000]     vmalloc : 0x83000000 - 0xff000000   (1984 MB)
[    0.000000]     lowmem  : 0x80000000 - 0x82d00000   (  45 MB)
[    0.000000]     modules : 0x7f000000 - 0x80000000   (  16 MB)
[    0.000000]       .text : 0x80008000 - 0x80418000   (4160 kB)
[    0.000000]       .init : 0x80418000 - 0x80439000   ( 132 kB)
[    0.000000]       .data : 0x8043a000 - 0x80466180   ( 177 kB)
[    0.000000]        .bss : 0x804661a4 - 0x80497e2c   ( 200 kB)
[    0.000000] NR_IRQS:128
[    0.000000] >> gk init irq vic1...
[    0.000000] >> gk init irq vic2...
[    0.000000] gk init vic...
[    0.000000] mach gk init timer...
[    0.000000] sched_clock: 32 bits at 100 Hz, resolution 10000000ns, wraps every 4294967286ms
[    0.000000] Console: colour dummy device 80x30
[    0.000000] console [ttySGK0] enabled
[    0.010000] Calibrating delay loop... 597.60 BogoMIPS (lpj=2988032)
[    0.070000] pid_max: default: 32768 minimum: 301
[    0.070000] Mount-cache hash table entries: 512
[    0.080000] CPU: Testing write buffer coherency: ok
[    0.090000] Setting up static identity map for 0xc05408e8 - 0xc0540920
[    0.100000] NET: Registered protocol family 16
[    0.110000] init timer...
[    0.110000] Init HW timer for DSP communication
[    0.110000] init gpio...
[    0.120000] ###################################
[    0.120000] [BOOT VERSION] GK7102S GOS-h62-v1.0 v1.0
[    0.130000] [NET  INT_CLK] Internal PHY clock
[    0.130000] [GPIO]#############################
[    0.140000] [GPIO] gpio map get from uboot
...

And here is the output I get with the SD card inserted at boot (truncated):

console init done


U-Boot 2012.10 (Jan 26 2018 - 10:37:56) for GK7102S GOS-h62-v1.0 (GOKE)

HAL:   20160804
DRAM:  64 MiB
Flash: [EN25Q128] USE 4X mode read and 4X mode write
16 MiB
NAND:  [No SPI nand]
SD/MMC: 0
SF:    16 MiB [page:256 Bytes] [sector:64 KiB] [count:256] (EN25Q128)
In:    serial
Out:   serial
Err:   serial
Net:   Int PHY
have no userfs
Hit Enter key to stop autoboot:  0
[PROCESS_SEPARATORS] gkupdate all;sf probe;sf read c1000000 0x50000 400000;bootm c1000000
Enable update uboot
            system volume information/
            cgi-bin/
  1109128   busybox
      657   custom.sh
      131   env
      288   hosts
       17   httpd.conf
     1372   index.html
      444   initrun.sh
     7956   jpeg-arm
   257156   mqtt_pub
     1102   offline.sh
       38   passwd
            ipc/
      102   ppsmmctool.txt
      274   set
      166   upload.html

14 file(s), 3 dir(s)

reading gk7101-evb_image_sd_update.cfg
bad gk7101-evb_image_sd_update.cfg,exit update from sd card
gkupdate - Gk_update sub-system

Usage:
gkupdate use gkupdate all to enable uboot update
SF:    16 MiB [page:256 Bytes] [sector:64 KiB] [count:256] (EN25Q128)
put param to memory
mem size (45)
total mem size (64)
bsb size (2)
usr size (0)

the kernel image is zImage or Image
entry = 0xc1000000
## Transferring control to Linux (at address c1000000)...

Starting kernel ...

machid = 3988 r2 = 0xc0000100
Uncompressing Linux... done, booting the kernel.
[    0.000000] Booting Linux on physical CPU 0
[    0.000000] Linux version 3.4.43-gk (root@ubuntu) (gcc version 4.6.1 (crosstool-NG 1.18.0) ) #12 PREEMPT Wed Aug 15 16:01:16 CST 2018
[    0.000000] CPU: ARMv6-compatible processor [410fb767] revision 7 (ARMv7), cr=00c5387d
[    0.000000] CPU: VIPT aliasing data cache, VIPT aliasing instruction cache
[    0.000000] Machine: Goke IPC Board
[    0.000000] Memory policy: ECC disabled, Data cache writeback
[    0.000000] AHB: 0x90000000  0xf2000000  -- 0x1000000
[    0.000000] APB: 0xa0000000  0xf3000000  -- 0x1000000
[    0.000000] PPM: 0xc0000000  0xc0000000  -- 0x200000
[    0.000000] BSB: 0xc2f00000  0xf5000000  -- 0x200000
[    0.000000] DSP: 0xc3100000  0xf6000000  -- 0xef0000
[    0.000000] USR: 0xc3ff0000  0xfe000000  -- 0x10000
[    0.000000] hal version = 20160804
[    0.000000] Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 11430
[    0.000000] Kernel command line: console=ttySGK0,115200 noinitrd root=/dev/mtdblock3 rootfstype=squashfs mtdparts=gk_flash:256K(boot),64K(env),2560K(kernel),4096K(rootfs),5312K(config),-(userfs) mem=45M phytype=0
[    0.000000] PID hash table entries: 256 (order: -2, 1024 bytes)
[    0.000000] Dentry cache hash table entries: 8192 (order: 3, 32768 bytes)
[    0.000000] Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)
[    0.000000] Memory: 45MB = 45MB total
[    0.000000] Memory: 40892k/40892k available, 5188k reserved, 0K highmem
[    0.000000] Virtual kernel memory layout:
[    0.000000]     vector  : 0xffff0000 - 0xffff1000   (   4 kB)
[    0.000000]     fixmap  : 0xfff00000 - 0xfffe0000   ( 896 kB)
[    0.000000]     DMA     : 0xff600000 - 0xffe00000   (   8 MB)
[    0.000000]     vmalloc : 0x83000000 - 0xff000000   (1984 MB)
[    0.000000]     lowmem  : 0x80000000 - 0x82d00000   (  45 MB)
[    0.000000]     modules : 0x7f000000 - 0x80000000   (  16 MB)
[    0.000000]       .text : 0x80008000 - 0x80418000   (4160 kB)
[    0.000000]       .init : 0x80418000 - 0x80439000   ( 132 kB)
[    0.000000]       .data : 0x8043a000 - 0x80466180   ( 177 kB)
[    0.000000]        .bss : 0x804661a4 - 0x80497e2c   ( 200 kB)
[    0.000000] NR_IRQS:128
[    0.000000] >> gk init irq vic1...
[    0.000000] >> gk init irq vic2...
[    0.000000] gk init vic...
[    0.000000] mach gk init timer...
[    0.000000] sched_clock: 32 bits at 100 Hz, resolution 10000000ns, wraps every 4294967286ms
[    0.000000] Console: colour dummy device 80x30
[    0.000000] console [ttySGK0] enabled
[    0.010000] Calibrating delay loop... 597.60 BogoMIPS (lpj=2988032)
[    0.070000] pid_max: default: 32768 minimum: 301
[    0.070000] Mount-cache hash table entries: 512
[    0.080000] CPU: Testing write buffer coherency: ok
[    0.090000] Setting up static identity map for 0xc05408e8 - 0xc0540920
[    0.100000] NET: Registered protocol family 16
[    0.110000] init timer...
[    0.110000] Init HW timer for DSP communication
[    0.110000] init gpio...
[    0.120000] ###################################
[    0.120000] [BOOT VERSION] GK7102S GOS-h62-v1.0 v1.0
[    0.130000] [NET  INT_CLK] Internal PHY clock
[    0.130000] [GPIO]#############################
[    0.140000] [GPIO] gpio map get from uboot
...

And the contents of /proc/cmdline:

console=ttySGK0,115200 noinitrd root=/dev/mtdblock3 rootfstype=squashfs mtdparts=gk_flash:256K(boot),64K(env),2560K(kernel),4096K(rootfs),5312K(config),-(userfs) mem=45M phytype=0

Let me know if more information or UART output would be helpful. Any assistance or advice would be much appreciated.

Camera:
Geeni_CW015

Internals:
CW015_Internals

Closeup of flash chip:
CW015_Flash_Chip

Genuinely 6 hours later, and I'm ready to ask for help.

I've done so much reading, so much downloading, so much trial and error, and I just can't get this. I followed the relevant sections from the 720 and 1080 guides, and I was able to get the Hack file populated on my card. I can't get Telnet to connect so I can issue the relevant commands (and when I downloaded the HK-Telnet Server and dialed into Localhost, I still couldn't get any connection to my camera), I don't have a tuya_config file in my /home on my card, whenever I click the admin:XXXXXXX links it just tells me I have a typo, and I somehow still don't want to give up. I got Ghidra working and I spent roughly 2 hours trying to find the Main in there using the guide + every sneaky way I could think of to try and get it, but I kept getting nowhere. I found a 3rd party parse section, but it didn't match the content of the Main file in the guide. I'm at my wit's end.

I, due to technical difficulties or incompetency or both, don't have the fancy numbers others have posted via the admin:XXXXXXX utility to try and request a patched file, but the information I have available is

Model: MI-CW217-101WW
FCC ID: 2AG7C-MINI7

My MD5 (I think it was) string didn't match up with any pre-existing patch numbers. I'm very tired now and I apologize for anything where I've misspoken or done anything wrong.

Help needed to patch 2.10.6

Hello guino, thank you for your work.
I bought a nedis doorbell which uses a board labeled meari bell5s. Here is the relevant information from /devices/deviceinfo
model "Bell 5S"
softwareversion "2.10.6"
hardwareversion "BE5S_H1_V10_433"
firmwareversion "ppstrong-c51-tuya2_teco2-2.10.6.20210824"

I was able to apply the hack (No programmer, No UART, No problem!) and by reading ppsapp I was able to get cgi-bin/mjpeg.cgi, cgi-bin/snap.cgi and cgi-bin/play.cgi running. Busybox and Telnet work. Unfortunately rtsp is not running.
I patched ppsapp to enable RTSP, however after reboot no additional port (8554) is available. I checked with nmap (and with netstat in a telnet session). Please be so kind as to have a look at what I did wrong.
Attached you will find a ppsapp (original file) and ppsapp.edit (patched)
Thanks a lot.
Frytz
ppsapp.tar.gz

Firmware version 5.2.0?

I seem to have a newer variant of this camera. It's definitely a Tuya camera and looks identical to this one (although it's 1080p).

Specifically, it's an Orion Grid Connect camera from Bunnings and the firmware is 5.2.0.

The only ports it has open are 53 and 6668 and the ppsFactoryTool.txt doesn't appear to work.

The problem with this one is it seems to format and overwrite the SD card on boot. Has anyone else run into this?

Tuya doorbell V1.3.8

Hi,

Would it ever be possible for this to work on older firmwares? I have a Tuya doorbell which obviously works via cloud, no local connection, with Main Module firmware V1.3.8 / MCU Module V1.3.8 - It has no new updates available and it's been like this since I bought it a couple of years ago.

Link to the doorbell here

I can easily open it if you need to see what is inside. I'm just afraid that trying the bootloader for versions above mine might brick the doorbell.

Just wanted to see if there's any flash of hope of ever getting it to at least send me snapshots on motion, without the need of going to the app.

Thanks!

Note: I did try this: http://admin:056565099@IP/devices/deviceinfo but does nothing.

cannot open commandline?

Not an issue, but as a total noob I must be doing something wrong.

I want to use RTSP / Onvif but the web interface keeps asking me for a password when I'm trying to open the commandline. I copied the contents of MMC to the root of an SDHC card formatted as FAT32.

admin:admin works for deviceinfo, but that's it.

{"devname":"Smart Home Camera","model":"Bullet 4S","serialno":"103020868","softwareversion":"4.0.7","hardwareversion":"B4S_V10_A2_2063","firmwareversion":"ppstrong-a3-tuya2_electro-4.0.7.20210624","identity":"M4G0039H5F01206552","authkey":"fJx5w7hCDpAWXJSL0FtNNQgvSr8X2N7z","deviceid":"pp01575076a614a24135","pid":"aaa","WiFi MAC":"84:7a:b6:03:d8:c1","ETH MAC":"84:7a:b6:03:d8:c1"}

I also find the information scattered, what do I need to do (step by step) to make this work?

Thanks!

Merkury720P 2.7.10 firmware rooting struggle

I'm not sure if this is a me issue, card issue, or issue issue.

This is a "new" device that has never been connected to a capable internet connection or the app. I have connected UART for logging via FTDI USB.

Here is the output from /devices/deviceinfo:

{
"devname":"Smart Home Camera",
"model":"Mini 7C",
"serialno":"1050xxxxx",
"softwareversion":"2.7.10",
"hardwareversion":"M7C_AK_V10_GC4",
"firmwareversion":"ppstrong-a2-tuya2_geeni-2.7.10.20220105",
"authkey":"u1xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"deviceid":"tstj4xxxxxxxxxxxxxxx",
"pid":"aaa",
"WiFi MAC":"30:8e:xx:xx:xx:xx"
}

/proc/cpuinfo:

Processor	: ARM926EJ-S rev 5 (v5l)
BogoMIPS	: 199.06
Features	: swp half fastmult edsp java 
CPU implementer	: 0x41
CPU architecture: 5TEJ
CPU variant	: 0x0
CPU part	: 0x926
CPU revision	: 5

Hardware	: SKY39EV2_AK3918E80PIN_MNBD
Revision	: 0000
Serial		: 0000000000000000

/proc/mounts:

rootfs / rootfs rw 0 0
proc /proc proc rw,relatime 0 0
sysfs /sys sysfs rw,relatime 0 0
tmpfs /dev tmpfs rw,relatime 0 0
devpts /dev/pts devpts rw,relatime,mode=600,ptmxmode=000 0 0
/dev/mtdblock6 /home/cfg jffs2 rw,relatime 0 0
/dev/mmc01 /mnt/mmc01 vfat rw,relatime,fmask=0022,dmask=0022,codepage=cp437,iocharset=iso8859-1,shortname=mixed,errors=remount-ro 0 0

/proc/cmdline (missing exploit content):
mem=64M console=ttySAK0,115200n8 mtdparts=spi0.0:256k(bld)ro,64k(env)ro,64k(enc)ro,64k(sysflg)ro,2496k(sys),4608k(app),640k(cfg) ppsAppParts=5 ip=192.168.1.99:::255.255.255.0 eth=00:55:7b:b5:7d:f7

I have tried multiple env and ppsMmcTool.txt combinations and modifications to addresses and the like.

Following the instructions along, it appears I may be having issues with the SD card not booting, but I want to check for insight.

I've also tried reading the flash with info gathered from BazzDoorbell #2 and BazzDoorbell #11.

When trying to boot to root the device by holding reset while powering up, I have the following output consistently:

U-Boot 2013.10.0-AK_V2.0.03 (Jan 05 2022 - 14:37:18)

DRAM:  64 MiB
8 MiB
ANYKA SDHC/MMC4.0: 0
PPS:Jan  5 2022 14:37:31   anyka_c2button
cmd:fatload mmc 0 0x81808000 ppsMmcTool.txt 3FC
send cmd 8 error, status = 2004
block rw command 8 is failed!
MMC: ak mmc mmc_send_if_cond Err!
** Bad device mmc 0 **
resetting ...
heartbeat = 1
m▒

U-Boot 2013.10.0-AK_V2.0.03 (Jan 05 2022 - 14:37:18)

DRAM:  64 MiB
8 MiB
ANYKA SDHC/MMC4.0: 0
PPS:Jan  5 2022 14:37:31   anyka_c2magic err
magic err
## Booting kernel from Legacy Image at 81808000 ...
   Image Name:   Linux-3.4.35
   Image Type:   ARM Linux Kernel Image (uncompressed)
   Data Size:    2084672 Bytes = 2 MiB
   Load Address: 81808000
   Entry Point:  81808040
   Verifying Checksum ... OK
   XIP Kernel Image ... OK

Starting kernel ...

Uncompressing Linux... done, booting the kernel.
Meari Linux Kernel Version: 2.5.02

I'm able to add ppsFactoryTool.txt to the root of the drive and it connects to my AP of choice, so it is able to read the card. However, any attempt to make it read the flash or access /proc/self/root/mnt/mmc01/hack with results has been fruitless.

I have tried partitioning and formatting combinations using Windows and Linux with no change in results.

Would it be safe to assume from the following that the card may be having boot issues and I need to try a different card, or is this device one that would require a programmer to root? I had seen another issue with what appeared to be the same firmware, and their device was farther along in the process with patching issues.

cmd:fatload mmc 0 0x81808000 ppsMmcTool.txt 3FC
send cmd 8 error, status = 2004
block rw command 8 is failed!
MMC: ak mmc mmc_send_if_cond Err!
** Bad device mmc 0 **
resetting ...
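
Added example (not part of the original issues or the Merkury720 project's code): a small Python parser for the `mtdparts=` argument in the kernel command lines posted in the two issues above. It turns the size list into absolute flash offsets so they can be cross-checked against the boot log (`sf read c1000000 0x50000 400000` and `root=/dev/mtdblock3` in the GK7102S log). The function names are hypothetical; the flash sizes (16 MiB and 8 MiB) are taken from the U-Boot banners quoted on this page.

```python
import re

MIB = 1024 * 1024

# Kernel command lines copied from the two issue posts on this page.
CMDLINE_GK7102S = (
    "console=ttySGK0,115200 noinitrd root=/dev/mtdblock3 rootfstype=squashfs "
    "mtdparts=gk_flash:256K(boot),64K(env),2560K(kernel),4096K(rootfs),"
    "5312K(config),-(userfs) mem=45M phytype=0"
)
CMDLINE_AK3918 = (
    "mem=64M console=ttySAK0,115200n8 "
    "mtdparts=spi0.0:256k(bld)ro,64k(env)ro,64k(enc)ro,64k(sysflg)ro,"
    "2496k(sys),4608k(app),640k(cfg) ppsAppParts=5 "
    "ip=192.168.1.99:::255.255.255.0 eth=00:55:7b:b5:7d:f7"
)

_UNITS = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}
_NUM = r"(?:0[xX][0-9a-fA-F]+|\d+)[kKmMgG]?"
# partdef := <size>[@<offset>][(<name>)][ro][lk], where size "-" means "rest of flash"
_PARTDEF = re.compile(
    rf"(?P<size>-|{_NUM})(?:@(?P<offset>{_NUM}))?"
    r"(?:\((?P<name>[^)]*)\))?(?P<flags>(?:ro|lk)*)"
)


def _memparse(text):
    """Convert '256K', '5m' or '0x50000' to a byte count."""
    suffix = text[-1].lower() if text[-1] in "kKmMgG" else ""
    digits = text[:-1] if suffix else text
    base = 16 if digits.lower().startswith("0x") else 10
    return int(digits, base) * _UNITS[suffix]


def parse_mtdparts(cmdline, flash_size):
    """Return {mtd_id: [partition, ...]} with absolute offsets and sizes in bytes."""
    arg = next((tok.split("=", 1)[1] for tok in cmdline.split()
                if tok.startswith("mtdparts=")), None)
    if arg is None:
        raise ValueError("no mtdparts= argument on the command line")
    layout = {}
    for mtddef in arg.split(";"):
        mtd_id, _, partdefs = mtddef.partition(":")
        if not mtd_id or not partdefs:
            raise ValueError(f"malformed mtd definition: {mtddef!r}")
        cursor, parts, filled = 0, [], False
        for index, partdef in enumerate(partdefs.split(",")):
            m = _PARTDEF.fullmatch(partdef)
            if m is None:
                raise ValueError(f"malformed partition definition: {partdef!r}")
            if filled:
                raise ValueError("no partition may follow a '-' (fill) partition")
            if m["offset"]:
                cursor = _memparse(m["offset"])
            filled = m["size"] == "-"
            size = flash_size - cursor if filled else _memparse(m["size"])
            if size <= 0 or cursor + size > flash_size:
                raise ValueError(f"{partdef!r} does not fit in {flash_size} bytes")
            parts.append({"index": index, "name": m["name"] or "",
                          "offset": cursor, "size": size,
                          "read_only": "ro" in m["flags"]})
            cursor += size
        layout[mtd_id] = parts
    return layout


def partition_at(parts, flash_offset):
    """Return the partition that contains an absolute flash offset, or None."""
    return next((p for p in parts
                 if p["offset"] <= flash_offset < p["offset"] + p["size"]), None)


def root_partition(cmdline, parts):
    """Resolve root=/dev/mtdblockN to a partition (single flash device assumed)."""
    m = re.search(r"\broot=/dev/mtdblock(\d+)", cmdline)
    return parts[int(m.group(1))] if m and int(m.group(1)) < len(parts) else None


if __name__ == "__main__":
    for label, cmdline, size in (("GK7102S", CMDLINE_GK7102S, 16 * MIB),
                                 ("AK3918", CMDLINE_AK3918, 8 * MIB)):
        for mtd_id, parts in parse_mtdparts(cmdline, size).items():
            print(f"{label} {mtd_id}")
            for p in parts:
                print(f"  mtd{p['index']} {p['name']:<8} 0x{p['offset']:06x} "
                      f"+0x{p['size']:06x} {'ro' if p['read_only'] else 'rw'}")
```

On the GK7102S layout the `kernel` partition starts at 0x50000, which is the address U-Boot reads from, and `mtdblock3` resolves to `rootfs`; the AK3918 layout fills its 8 MiB flash exactly.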

[Feature Request] Make snap and mjpeg resolution configurable

Right now it appears snap and mjpeg are at the lowest supported 16:9 resolution of 640x360. Is it possible to bump it up to something HD, 1280x720 and 1920x1080 for example, if wanted?

Being able to repurpose these cameras for mjpeg streaming for Octoprint is fantastic, so thanks for all the hard work!

Config.json file can't edit (video doorbell)

Do I have to patch my device if onvif is turned off in the tuya_config.json file? If not, what is needed to edit my config file? Just to turn on onvif as 1 instead of 0. Need help plz

Connection refused using RTSP, ppstrong-a2-tuya2_geeni-2.7.7.20210311

Hi,

First off, I really appreciate all the work you've put in.

After some trial and error with SD cards, I was finally able to get the hack to work in full. However, I can only access mjpeg/snap and not RTSP. Whenever I attempt to connect, I get "connection refused" (unless there is a password I'm missing and didn't realize?). I followed the instructions for the patch twice, and I can confirm through telnet that it IS indeed using the patched ppsapp (as had been stated in another thread, it's coming from /mnt/mmc01/ppsapp). I'm not sure at this point if maybe I'm missing something, but all other diagnostics have come up normal. I've included my device info below and will be happy to provide anything else that I can. I confirmed I am using the correct ppsapp that matches my info.

{"devname":"Smart Home Camera","model":"Mini 7C","serialno":"100984223","softwareversion":"2.7.7","hardwareversion":"M7C_AK_V10_1245","firmwareversion":"ppstrong-a2-tuya2_geeni-2.7.7.20210311","authkey":"z--k","deviceid":"p--5","identity":"M--2","pid":"aaa","WiFi MAC":"8--4"}

I did have an MDTNUM that was uncommented, and I attempted to follow the instructions for that, but it still did not remedy the situation. I might just be missing something really simple, so I apologize if I am. Any help would be great. Thank you!

update for hacking instruction #9 telnet

The "no password" solution for telnet is still working, but generating the hash for the passwd file doesn't work here anymore.
solution:
generate a new password by passwd -a des admin and copy the /etc/passwd and /etc/shadow file to /mnt/mmc01/
change custom.sh to copy them back to /etc/
now telnet and ssh can be used with the new password.

Geeni Variant, can't get the hack to run. Tried alt boot location

"devname":"Smart Home Camera","model":"Mini 7C","serialno":"XXXXXXXX","softwareversion":"2.7.7","hardwareversion":"MINI5C_V20B_H62","firmwareversion":"ppstrong-c4-tuya2_geeni-2.7.7.20210207"

2.7.7 closed port 80 but your workaround to reopen it worked, I just can't get hacks installed.

Any ideas?

Working But with Multiple Debilitating Issues

software version: 2.7.7
hardware version: M7C_AK_V10_1245
firmware version: ppstrong-a2-tuya2_geeni-2.7.7.20210306

Followed all directions here as well as here. Everything worked as it was described it would. ✔️

However, I'm experiencing several frustrating issues:

  1. VLC will show the rtsp stream fine for a while but eventually has problems and will error out and the only way to resolve it is by unplugging and re-plugging in the camera. A number of different errors are shown in the terminal with the most common error that appears having to do with the timing of seconds getting off or something like that and VLC not being able to fix the lag/latency. The video will appear slow and then very fast and then slow and very fast with the timestamp in the watermark lagging and also skipping. Eventually the stream errors out and closes and will not play again without unplugging/re-plugging in the camera and shows the following error:
[00007f556004e310] main decoder error: buffer deadlock prevented
Created new TCP socket 45 for connection
Created new TCP socket 37 for connection
Created new TCP socket 37 for connection
[00007f5564004530] live555 demux error: Failed to connect with rtsp://192.168.1.240:8554
[00007f55640056f0] main stream error: connection failed: Connection refused
[00007f55640056f0] satip stream error: Failed to connect to RTSP server 192.168.1.240:8554
[00007f55640056f0] main stream error: connection failed: Connection refused

Edited: And here is the timestamp error:

00007f782004e410] avcodec decoder error: more than 5 seconds of late video -> dropping frame (computer too slow ?)
[00007f782004e410] avcodec decoder error: more than 5 seconds of late video -> dropping frame (computer too slow ?)
[00007f78201495e0] main decoder error: Timestamp conversion failed (delay 1000000, buffering 0, bound 3000000)
[00007f78201495e0] main decoder error: Could not convert timestamp 285696304434 for g711
[00007f782004e410] avcodec decoder error: more than 5 seconds of late video -> dropping frame (computer too slow ?)
[00007f78201495e0] main decoder error: Timestamp conversion failed (delay 1000000, buffering 0, bound 3000000)
[00007f78201495e0] main decoder error: Could not convert timestamp 285696464434 for g711
[00007f782004e410] avcodec decoder error: more than 5 seconds of late video -> dropping frame (computer too slow ?)
[00007f782004e410] avcodec decoder error: more than 5 seconds of late video -> dropping frame (computer too slow ?)
  2. Added -l /bin/sh to the telnetd line in custom.sh (for no password) but receive the following error (and have to once again unplug/reboot the device):
# telnet 192.168.1.240
Trying 192.168.1.240...
Connected to 192.168.1.240.
Escape character is '^]'.
Connection closed by foreign host.
# telnet 192.168.1.240
Trying 192.168.1.240...
telnet: Unable to connect to remote host: Connection refused

Edited: Telnet is working now ✔️ Though I'm not exactly sure what I'm able to use it for... .lol.

  3. Followed the directions for the snap.cgi and mjpeg.cgi URLs and both URLs will successfully load but all I see is a little tiny empty square/box symbol in the middle of my screen, similar to this: □ and this: ■

I followed every step closely and exactly. I'm not sure what else to do but where I stand right now I'm not really able to use any of the rooted features because I'm having to unplug and reboot the camera every 10 minutes. Really hoping someone can help.

Copying Files

Am I supposed to copy the files from mmc/cgi-bin/ into the SD card root directory? Is this what my SD card root directory looks like? Also, is exFAT the same as FAT32? Sorry for all the bad questions. I have attempted the instructions but am unsuccessful to this point.

image

Telnet copy paste?

I'm just testing the cameras and I have it running fine.

Is there a folder where you view the recordings (via telnet)? I couldn't figure out the folder structure... I wasn't sure if I missed it

and is there a way to copy/paste them out without pulling the SD card?

Tons of models, I wonder if there could be a breakthrough between them

I've seen that most of the projects revolve around Tuya ecosystem

I've downloaded the Tuya app to discover that the interface is almost the same as many others and the pairing system the same, like Smart Life, or CloudEdge to mention some

I currently have a cam ZS-GX1S which more or less follows the same principles I read (including most of the endpoints, port 8090, for latest Tuya firmwares, etc...)

But I'm not able to extract the ppsapp file with the files you provided in the MMC (because it seems to be a relatively different model).

I would like to reverse engineer my ZS-GX1S to see if I can get to a similar end like you, but not sure how could you get all those files in MMC which provided the way to get that ppsapp file which helped to introduce the root in the system, and from there enable all the services like RTSP.

I hope you can give me some light, so I can continue in my research to unlock my cam which seems a clone of yours with only some extra features.

Older variant of Merkury/Geeni 720 camera

I've got an older version of the Merkury 720 camera where the hack does not work, I've successfully applied the hack to a newer Merkury 720 which works perfectly fine. The following is what I have done.
image
image
image

http://admin:056565099@IP/devices/deviceinfo
Gives me
{"devname":"Smart Home Camera","model":"Mini 7C","serialno":"056xxx85","softwareversion":"2.7.7","hardwareversion":"MINI5C_V12","firmwareversion":"ppstrong-c4-tuya2_geeni-2.7.7.20210207","authkey":"7bNHIuxxxxxxxxxxxxx","deviceid":"mkry2c2xxxxxxxxxx","identity":"18091xxxxxxxxxx","pid":"aaa","WiFi MAC":"0c:8c:24:xx:xx:xx"}
The hardware seems to be a MINI5C_V12 instead of a MINI7C

http://admin:056565099@IP/proc/cmdline

I get

mem=23M console=ttyAMA0,115200 loglevel=0 ppsdebug=off mtdparts=hi_sfc:192k(bld)ro,64k(env)ro,64k(enc)ro,64k(sysflg),2240k(sys),5m(app),448k(cfg) ppsAppParts=5 ip=192.168.1.10:::255.255.255.0 eth=08:88:12:3a:22:10

Thus the - ip=30... part is missing.
Trying the "hack" also does not do anything, no response from the web browser and nothing on the SD card.

How do I dump the ROM from the UART? I've got a UART cable.

Am I missing something?

I have downloaded the zip and the busy box outlined in the instructions. I then copy the contents of "mmc" onto the SD card. I overwrite the busybox file.

My confusion: The only way to get to it is via IP, the only way for it to get an IP is to connect it to wifi, the only way to connect it to wifi is give it the ssid and password of the network. It seems like that's what the "ppsFactoryTool.txt" file is used for, but that is not something that is copied to the SD card?!?

Basically what do I do with the rest of the downloaded files? Are they supposed to go on the SD card as well?
"img" directory "jpeg" directory ".gitattributes" "ppsFactoryTool.txt" are technically not added to the SD based on how I am reading the instructions.

help lol

ppsapp patch requests

If your ppsapp is not listed HERE, feel free to post your ppsapp patch requests here along with the firmwareversion, hardwareversion information from http://admin:056565099@IP/devices/deviceinfo for your device along with the MODEL (i.e. merkury 720p or geeni 720p, etc).

I will look at it when I have a chance and post it in the list above (and will remove it from here).

Automatic Update SD Card Question

One of my cameras has been offline for 6 months now because I've been facing a problem and just haven't had time to deal with it. If I boot the camera with the Micro SD card inserted, it will boot with the root and everything perfectly, except after a few moments I get a notification that there's a firmware update available on the Smart Life app. I don't want to run the update with the SD card installed of course since it's rooted and will mess it up most likely. However, when I remove the SD card and boot the camera there are no updates available and it is up to date with the latest software. How do I fix this and update the software on the patch/SD card?

Not sure whats Wrong (SD Card not mounting after boot)

Been lurking for a while now, and finally got this to work somewhat. Thing is, I copy all the files over and boot up the camera. Go and check the string, it looks just like the one you posted. Go to do the hack link to see if it was done, nothing comes up. Try to access the camera feed, still can't access it. I'm probably doing something wrong, but can't seem to get it to work even though it seems it worked.
mem=64M console=ttySAK0,115200n8 mtdparts=spi0.0:256k(bld)ro,64k(env)ro,64k(enc)ro,64k(sysflg)ro,2496k(sys),4608k(app),640k(cfg) ppsAppParts=5 ip=0 - ip=30;/mnt/mmc01/initrun.sh)&:::::;date>/tmp/hack;(sleep

No access : telnet and Snap.cgi

Hello, I hacked my camera: (hardwareversion ":" M16S_A2_V10_F37 "," firmwareversion ":" ppstrong-a3-tuya2_lsc-4.0.6.20210311 ")
The rtsp stream is working fine thanks.
I wanted to test telnet and live access to snap.cgi but it doesn't work: I have access denied for snapshot and telnet ..
I modified the http.conf file (without the hash) and passwd (with the hash).
I even added the line not to ask for a password but impossible (custom.sh) and the hardware is ok :
1

What can I do to make it work ? Thank you

my http.conf :
2

my passwd :
3

Hack not working with Merkury 720p

Hi @guino, tried your new hack with 2 different SD cards and still having the same behavior, seems the env/hack/all other files are not executed at all.
This is the display of my /proc/cmdline

mem=23M console=ttyAMA0,115200 loglevel=0 ppsdebug=off mtdparts=hi_sfc:192k(bld)ro,64k(env)ro,64k(enc)ro,64k(sysflg),2240k(sys),5m(app),448k(cfg) ppsAppParts=5 ip=192.168.1.10:::255.255.255.0 eth=08:88:xx:xx:xx:xx

I have also noticed that mem=23M is different from yours (which is 64M). Is it possible that I will need to adapt the env file also because of different hardware?
Not sure about this, but your camera looks exactly the same as the one I am trying to hack too, so it should work, but it's not executing.

Seems close this time and thanks for all the incredible job you did for this.

Apply hack prior to upgrading to 2.7.6 for new users

@guino - 2.7.6 came out today - and won't allow video stream in the app(s) until it is updated.
The new ppsapp is similar to the last update I posted for the v2.10.x firmware for other cameras, they closed up port 80 on this one as well.
Good news - if the hack is already applied, everything still works fine. I have yet to patch the new 2.7.6 app but booting from SD {and thus launching busybox etc} is still running fine.

I will patch it shortly and update as needed.

attached 2.7.6
--deleted--

Hack Isn't applied

Hello,

I've got some issues applying the root hack to a Geeni 720p camera.

/home/ppsapp doesn't appear to be created when needed.

Here's the output of the various addresses :


http://admin:[email protected]/proc/cmdline

mem=64M console=ttySAK0,115200n8 mtdparts=spi0.0:256k(bld)ro,64k(env)ro,64k(enc)ro,64k(sysflg)ro,2496k(sys),4608k(app),640k(cfg) ppsAppParts=5 ip=0 - ip=30;/mnt/mmc01/initrun.sh)&:::::;date>/tmp/hack;(sleep


http://admin:[email protected]/devices/deviceinfo

{"devname":"Smart Home Camera","model":"Mini 7C","serialno":"059104752","softwareversion":"2.7.6","hardwareversion":"M7C_AK_V10_1245","firmwareversion":"ppstrong-a2-tuya2_geeni-2.7.6.20210207","authkey":"CSA5ivaFswFiLAA8QA3ezAmB6rvtErR3","deviceid":"pp011e93f9b47ac32b86","identity":"MR1912030200903034","pid":"aaa","WiFi MAC":"7c:a7:b0:89:ef:b1"}


http://admin:[email protected]/proc/self/root/mnt/mmc01/hack

doesn't return anything (Error 500)


SD CARD

2022-04-27 06:04 PM

cgi-bin
2022-04-27 06:03 PM 1,109,128 busybox
2022-02-27 02:27 PM 636 custom.sh
2022-02-27 02:27 PM 131 env
2022-02-27 02:27 PM 285 hosts
2022-02-27 02:27 PM 16 httpd.conf
2022-02-27 02:27 PM 1,327 index.html
2022-02-27 02:27 PM 425 initrun.sh
2022-02-27 02:27 PM 7,956 jpeg-arm
2022-02-27 02:27 PM 131 mqtt_pub
2022-02-27 02:27 PM 1,064 offline.sh
2022-04-27 06:22 PM 40 passwd
2022-02-08 11:49 PM 54 ppsFactoryTool.txt
2022-02-27 02:27 PM 102 ppsMmcTool.txt
2022-02-27 02:27 PM 263 set
2022-02-27 02:27 PM 161 upload.html
2022-04-27 10:13 PM SDT

Not sure what I'm doing wrong?

Thanks!
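As an added example (not code from this repository or from either poster), the following Python parses the two /proc/cmdline strings quoted in the "Hack not working with Merkury 720p" and "Hack Isn't applied" issues and compares the console device, the flash layout, and whether any ip= value carries shell metacharacters. The function names and the metacharacter heuristic are assumptions made for illustration.

```python
import re

# Sample inputs: the two /proc/cmdline strings quoted in the issues above,
# re-wrapped here for readability (MAC address masked as in the original post).
CMDLINE_HI = ("mem=23M console=ttyAMA0,115200 loglevel=0 ppsdebug=off "
              "mtdparts=hi_sfc:192k(bld)ro,64k(env)ro,64k(enc)ro,64k(sysflg),"
              "2240k(sys),5m(app),448k(cfg) ppsAppParts=5 "
              "ip=192.168.1.10:::255.255.255.0 eth=08:88:xx:xx:xx:xx")
CMDLINE_AK = ("mem=64M console=ttySAK0,115200n8 "
              "mtdparts=spi0.0:256k(bld)ro,64k(env)ro,64k(enc)ro,64k(sysflg)ro,"
              "2496k(sys),4608k(app),640k(cfg) ppsAppParts=5 "
              "ip=0 - ip=30;/mnt/mmc01/initrun.sh)&:::::;date>/tmp/hack;(sleep")

SHELL_META = set(";&|()<>`$")
UNITS = {"k": 1024, "m": 1024 * 1024, "": 1}

def parse_cmdline(cmdline):
    """Split into (key, value) pairs; bare words get value None. Repeats are kept."""
    return [tuple(tok.split("=", 1)) if "=" in tok else (tok, None)
            for tok in cmdline.split()]

def parse_mtdparts(value):
    """'dev:256k(bld)ro,...' -> (dev, [(name, size_bytes, read_only), ...])."""
    dev, _, spec = value.partition(":")
    parts = []
    for item in spec.split(","):
        m = re.fullmatch(r"(\d+)([kKmM]?)\(([^)]+)\)(ro)?", item)
        if not m:
            raise ValueError(f"unrecognised partition spec: {item!r}")
        size = int(m.group(1)) * UNITS[m.group(2).lower()]
        parts.append((m.group(3), size, m.group(4) == "ro"))
    return dev, parts

def summarize(cmdline):
    pairs = parse_cmdline(cmdline)
    args = dict(pairs)  # last occurrence wins; fine for single-valued keys
    dev, parts = parse_mtdparts(args["mtdparts"])
    # Assumption: a kernel ip= value is colon-separated address fields, so shell
    # metacharacters in it are treated as a sign the boot arguments were altered.
    flagged = [v for k, v in pairs if k == "ip" and v and SHELL_META & set(v)]
    return {
        "console": args["console"].split(",")[0],
        "flash_dev": dev,
        "flash_bytes": sum(size for _, size, _ in parts),
        "writable": [name for name, _, ro in parts if not ro],
        "ip_values_with_shell_chars": flagged,
    }
```

Run against a camera's own /proc/cmdline, the summary shows at a glance whether the SoC family (console and flash device names) matches the one an env file was written for and whether the modified ip= argument is actually present.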

Kruidvat Smart Indoor IP Camera

Hello,
I tried this Tuya camera and it works perfectly with the Tuya app.
https://www.kruidvat.nl/kruidvat-smart-indoor-ip-camera/p/5314128

Every time I tried the method described in this repo I ended up with an SD card with the following content.

Is this a sign that this camera does not work with this repo or is there something I miss?

# ls -l
total 39M
-rw-r--r-- 1 user user    0 Okt 24  2015 dg00000.avs
-rw-r--r-- 1 user user    0 Okt 24  2015 dg00001.avs
-rw-r--r-- 1 user user 5,8M Nov  4  2021 dg00002.avs
-rw-r--r-- 1 user user    0 Okt 24  2015 dg00003.avs
.
.
.
-rw-r--r-- 1 user user    0 Okt 24  2015 dg00221.avs
-rw-r--r-- 1 user user 8,0M Nov  4  2021 index00.bin
-rw-r--r-- 1 user user 8,0M Nov  4  2021 index01.bin
-rw-r--r-- 1 user user 1,2M Okt 24  2015 photo.bin
-rw-r--r-- 1 user user  16M Okt 24  2015 session.log

Oh not to forget I tried with many different sd cards even with a freshly bought EVO select 32 GB.

All of my issues into 1 issue.

I have 3 cameras and 1 of them keeps restarting every 13 minutes and it makes my whole security system unreliable. Is it because it is getting overloaded?
Here's what's happening to that camera at night
image
I have my router telnetting into the camera to set the time because I don't like setting the time manually; it does that every 5 minutes.
(I have removed some other sentences because they are not problems that need to be fixed; those issues were user error.)
