No programmer, No UART, No problem! #2
Comments
Thank you so much for sharing this! Could you please take a look at my env file? Here it is |
@solidssss That basically means that it did not work for you. I was just trying it out on my Nedis camera (Also Tuya) with the same result. The ppsMmcTool.txt way has either been patched out or the different cameras are using a different format. I'll try to hook up my reader to the UART port to see if it shows some kind of error. Just for notes, my cmdline is similar to yours but still different: |
Great effort 👌🏻👌🏻👍🏻👍🏻 |
My cmd line is same as @guino, just instead of mem=36 I have mem=37M. Please notice the additional "M". Could this be your problem @rkkoszewski, @solidssss ? I will also try, but have to find a uSD card. Btw., which fw do you guys have on your cams ? |
can you please hack my ppsapp? |
I tried without the "M", but it still isn't working. |
@guino would it be possible for you to send me the dump of your flash chip? It seems that my readout is corrupted in the part before u-boot which contains the magic part. This is due to my clip not being stable enough. I've removed the chip from the board and get stable readouts now. |
@solidssss I sent a request to access the file in google, I'll wait for access or you can just attach the env file here. But I'll tell you right now that if the line didn't change at all, it can only be: |
@rkkoszewski I would expect any device that has that ppsAppParts=5 to work, but I only have looked at 2 firmware files so I have no way of knowing. If you have a UART/TTL 3.3V and can get to the serial terminal it may be helpful if you send me the terminal output while you're powering it on with the reset button pressed (with the 3 files in place). Chances are it will show whatever it is not liking. You can also post the http://admin:056565099@IP/devices/deviceinfo so I have an idea. |
Mine is 2.9.6 if I didn't post it before. |
I will take a look today. |
This looks like older firmware which should be simpler to get into, I'm going to send you a few links to see if you can provide more information. It is possible your bootloader may not even have a password in which case the UART route could be an easy option. |
@guino |
I will zero my cfg partition and post it since the fw.bin has serial/key info which could cause problems if passed around. Or you can provide me a way to send it privately (email, url, etc). |
Do you have discord? LouD#4930 |
@adwiraguna Here's the patched ppsapp to enable RTSP: |
@LouDnl Sorry don't have discord, I barely have skype/whatsapp. Here's my bin file with the enc and cfg partitions zeroed out: If your enc and cfg partitions are the same size (or smaller than mine) I would expect you could just copy them into this bin file and flash it to your device. All enc partitions I've seen are 64k and if your cfg partition is bigger there's a good chance most of it is empty which would allow you to just copy the used part into the bin file. Something to try at least. |
Thanks, both my partitions seem intact. Will try 👍🏻👍🏻 |
@solidssss your env file appears to be fine. Can you open this http://admin:056565099@IP/proc/self/root/etc/init.d/S90PPStrong and post the response here -- it seems like the bootloader is different (older) and that may be causing the difference. Only way for me to find out would be if you connected onto the UART and provided the output while doing step 5 of the install. If you have a way to plug into the UART email me and we can try a few things. |
Well I think I indeed completely bricked my camera 💸 the led doesn't even come on anymore. Everything gets power but that's about it. This happened before I took off the chip from the pcb when I turned it on but forgot to take off the pcb clip 🤦🏻♂️ some power must have gone somewhere it shouldn't have. Gonna check my uart wiring tomorrow because they have power at the pcb. I hope that's it but I don't think so as the led won't even light up. But as this is really searching for a needle in a haystack I might as well buy a new one. |
@LouDnl sorry to hear that - I am assuming you saw my warning about making the 3.3v mod to the programmer. On the UART front I always connect GND, TX and RX (leave power disconnected) and power the camera by normal means (usb or doorbell wiring) - again UART ttl level is 3.3v |
Yea my uart vcc isn't connected either, I meant the rx/tx have power from the chip like they should but something else isn't working. I didn't mod my ch341a board, haven't had any problems in the past but I should have been more careful. All other times I took the clip straight off, if it even stayed on as they usually don't. But this time it did and I forgot about it when I turned it on. So something backfired and I don't know what. |
thank you very much @guino, but different from your original ppsapp-rtsp it doesn't open rtsp stream on port 8554. |
I will run it on mine and see what the log shows - if you enabled Telnet on yours you should be able to kill the running ppsapp and run this one from the terminal and see if it starts rtsp on a different port or if it shows an error. |
I'm having trouble logging in to telnet, because I don't know the correct hash to use in passwd file |
Do a passwordless telnet, just run telnetd like this: /mnt/mmc01/busybox telnetd -l /bin/sh |
Hello, can you please help me, I can't get any further. I have this model. This comes out when I enter this url http://admin:[email protected]/proc/cmdline
What should I do next? My English isn't that good either. |
I have problem with accessing:
after boot with initrun.sh. My camera details:
[edit] |
I really like the time you spend to make this happen, but the manual along this site is one big mess. Thanks guys |
@alcomys can you post a picture of your device and check the version of the firmware using the phone app ? You can usually check the firmware version by clicking on the 'device update' option in the settings of the camera. I can point you to the instructions based on the version. If you know the model of the doorbell that may help as well. |
Absolutely love the amount of effort you've put into documenting this!! |
@RGlintmeijer Maybe you can point me to the right direction? because I got mad and confused. Thanks |
@alcomys feel free to post a zip (on github issue) of your SD card contents (without SDT folder) for review. |
(Side comment you can skip -- Based on the interest in this project I went ahead and spent some more time (a lot actually) in ghidra looking at the boot loader code and managed to get the ppsMmcTool.txt file format figured out and found a way to use it to modify the boot settings in order to run a script in the SD card during boot process of the camera)
I assume the steps below can be used for any device using this PPStrong boot loader (Tuya cameras/doorbells like Geeni, Merkury, Bazz, Meari, etc).
Please check your device firmware version in the phone App OR with http://admin:056565099@IP/devices/deviceinfo .
For 2.7.x firmware you should use the information on this project instead: https://github.com/guino/Merkury720
Special note for 2.9.0 firmware: this firmware is a bit trickier to get RTSP working (mjpeg/snap work the same), so if you have that version you need to use #13 along with the files/steps provided by @DanTLehman here: https://github.com/DanTLehman/orion_sc008ha
For 2.9.x you should be able to use the steps here or in #13 (either method should work).
Special note for 2.10.0 firmware: This firmware (and newer) have port 80 closed by default -- so to use the http://admin:05656... links below you have to RIGHT CLICK this link: https://github.com/guino/Merkury720/raw/main/ppsFactoryTool.txt select "Save as.." and save this file to the root of the SD card. EDIT the file (avoid copy/paste the contents of it) and modify only the ssid and password as the file requires specific format to work. When the device detects the file (in the right format) it will disconnect and re-connect the wifi (to the ssid specified) and will OPEN port 80 so the http://admin:05656... links work.
Special note for 4.0.x firmware: This firmware (and newer) have port 80 closed by default -- so to use the http://admin:05656... links below you have to RIGHT CLICK this link: https://github.com/guino/Merkury720/raw/main/ppsFactoryTool.txt select "Save as.." and save this file to the root of the SD card. EDIT the file (avoid copy/paste the contents of it) and modify only the ssid and password as the file requires specific format to work. When the device detects the file (in the right format) it will disconnect and re-connect the wifi (to the ssid specified) and will OPEN port 8090 so the http://admin:05656... links work but you have to add :8090 to every URL, for instance: http://admin:056565099@IP:8090/devices/deviceinfo. Depending on the device you have you may need to use the information and files from https://github.com/guino/Merkury1080P#conclusion
WARNING: The process below will require a SD card with initrun.sh to always be present during power-on or the device WILL NOT BOOT. If you modify/remove this file the device may not boot. The process is always reversible but keep that in mind. You may choose to use #13 as it does not require a SD card to boot the device (it is a new/improved method).
These are the steps to hack (root) your device:
1-Verify your camera/doorbell is compatible using its local IP address (i.e. 192.168.x.x, etc) -- this is NOT the public IP displayed in the TUYA app (and likely other apps), if you're reading this there's a good chance you know how to find the IP from your router. Open a web browser and load this address: http://admin:056565099@IP/proc/cmdline the result (kernel command line) should be something like this:
Copy/save that response (kernel command line) as we'll need it next (and also in case you want to restore original settings) -- If you get no response, or some very different response, please stop now -- chances are you're using the wrong IP or this won't work for your device (advanced users can still check/try #11 and #12) . Feel free to post your kernel command line if you have questions.
1.1 ADDENDUM-I highly recommend you get a backup of your flash memory using #11 -- there's no risk or side-effect from trying. It's better to have a backup and not need it than needing the backup and not having it.
1.2 ADDENDUM-Open this URL http://admin:056565099@ip/proc/self/root/etc/init.d/S90PPStrong and check if you have these lines:
If your MTDNUM line does not have a # in front you must use #13. If your line has # in front or you don't have that line, you can proceed with the steps below.
2-Edit the provided 'env' so it has the below contents (following details below):
VERY IMPORTANT DETAILS ABOUT THIS FILE:
-The part after bootargs= should be the same as you got on step 1 (from your device) with the ppsAppParts=0 (instead of ppsAppParts=5).
-The file has one single line "bootargs=..." and a new line (enter) at the end. It is a long line (on purpose) so it may show up as multiple lines in a browser so please account for it. A sample env file is attached for your convenience.
-The single line MUST have the same exact size as I posted above (924 characters + new line). Your kernel command line may be different which may require you to adjust (remove or add) to the ThankYou... text so that you match the size of the line.
-There's a 0x00 (Zero character) at the end of the file -- if this is removed by your text editor (ie notepad, etc) you'll need to be sure it is there (or the process will not work). You may need to use a hex editor to change the last character to a "00" making sure there's at least a new line (0A) at the end of the line before the "00". Again the sample env file is a good reference.
3-Copy these 3 files (attached) to the root of a fat32 formatted SD card (do not place them in any 'folders'): env, ppsMmcTool.txt and initrun.sh -- MAKE SURE there's no 'upgrade.bin' file in the SD card or this could cause problems. Be sure to properly 'eject' (or unmount) the SD card before removing it from the computer.
4-Power off your device and insert the SD card with the 3 files in the SD card slot.
5-Press-and-hold the reset button, then power on the device (i.e. power wires/USB cable) and continue holding the reset button for 5 seconds after power on then let the device boot. It will take longer than usual (precisely 10 seconds longer) for it to fully boot up as that's part of the initial boot script.
6-Repeat step 1, this time your kernel command line should look like this:
(Notice how the 'ppsAppPart' is cut off at the end -- that's the intention and as long as it doesn't say ppsAppParts=n it should work)
7-Now browse to this address: http://admin:056565099@IP/proc/self/root/tmp/hack -- it should say "done" which is the indication everything is working as designed.
8-You can now delete ppsMmcTool.txt and env files from the SD card but there's no harm leaving them there. You MUST always have initrun.sh in the SD card during boot or the device WILL NOT BOOT.
9-Download the mmc files and place them in the SD card (root directory). SEPARATELY download busybox from https://github.com/guino/BazzDoorbell/blob/master/mmc/busybox?raw=true and place it on the SD card (root directory). Your SD card should look like this:
NOTES:
-l /bin/sh to the telnetd line in custom.sh
IMPORTANT: The main application on the device will delete the SD card contents when free space is low so backup your files and either disable recording OR let it run the provided cleanup.cgi to prevent your files from being deleted. The last 5 lines of the custom.sh file will run cleanup.cgi once-a-day by default. You can remove the last 5 lines of custom.sh if you don't want that to run OR you can disable recording entirely by removing the # from the #/mnt/mmc01/set record_enable 0 in custom.sh. If your device/app doesn't have a motion-only recording (event recording) option you can enable it by removing the # from the line #/mnt/mmc01/set enable_event_record 1 in custom.sh — there are more details here: #2 (comment)
10-For RTSP: DO NOT run a different version of ppsapp on your device or you may brick it. Your original ppsapp can be found under /home/app/ppsapp of the SD card. Please check guino/ppsapp-rtsp#1 to see if your ppsapp has already been patched -- use the site in the first post of the link to patch your own ppsapp file (double check that the md5 matches when patching it) and place it on the root of your SD card with the name ppsapp then reboot. There's a full guide on https://github.com/guino/ppsapp-rtsp if you're computer savvy and want to try patching ppsapp yourself. I prefer that you post (create a new issue) your ppsapp (along with http://admin:056565099@IP/devices/deviceinfo information) so I patch it than get your flash corrupted by using a corrupt/wrong ppsapp.
NOTE 1: It has also been reported that VLC for MAC has issues playing the RTSP streams from these devices (so try different devices/applications if you have issues with VLC on MAC).
NOTE 2: It has also been reported that the default VLC playback is over UDP and causes the camera to use a lot of CPU/resources and causes it to reboot in about 13 minutes of viewing the RTSP feed. You can fix this by starting VLC like this:
OR you can go into VLC settings and select RTP over RTSP (TCP): in 'Simple' mode click 'Tools > Preferences > Input / Codecs' and select 'RTP over RTSP (TCP)' at the bottom, then click 'Save'. In 'Advanced' mode click 'Tools > Preferences > Input / Codecs > Demuxers > RTP/RTSP' and select 'RTP over RTSP (TCP)' then click 'Save'
TROUBLESHOOTING / RESTORE
If you wish to 'restore' the operation of your camera with SD card (remove the 'hack'):
1-Edit/create the env file to be this:
NOTE: You should match the mem and console parameters as they were originally (step 1 of install process) and the env file must also have the new line (0x0A) and 0x00 (Zero character) at the end.
2-Copy ppsMmcTool.txt and env to the root of SD card (initrun.sh is NOT needed).
3-Follow steps 4, 5 and 6 of the install process, on step 6 the kernel command line should look like it was originally (before any changes).
If for some reason you can't get the initrun.sh script to run please post a copy of your env file (zip format so I can verify it) and your kernel command line (before and after install attempt) so I can take a look.
If you'd like to buy me a beer/coffee in appreciation of the effort I put in to make the above possible, feel free to:
http://paypal.me/wbbo
cash app: $wbbo
Enjoy!
ppshack.zip
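
A pre-flight check for the env file rules listed under step 2 of the install process, as an added example that is not part of the original post or the project's files: it verifies the single bootargs= line, the 924-character length, the trailing 0x0A 0x00, ppsAppParts=0, and that the mem= and console= values match the kernel command line saved in step 1. It assumes the 924 count covers the whole line including "bootargs="; check_env, sample_env and the sample command line are constructed for illustration.

```python
import re

LINE_LEN = 924  # length of the "bootargs=..." line given in the post, newline excluded


def check_env(data: bytes, device_cmdline: str) -> list:
    """Return the problems found in an install-step env file (empty list = passes)."""
    problems = []
    if data.endswith(b"\n\x00"):
        body = data[:-2]
    else:
        problems.append("file must end with 0x0A followed by 0x00")
        body = data.rstrip(b"\x00\r\n")
    if b"\r" in data:
        problems.append("0x0D present: the editor wrote Windows line endings")
    if b"\n" in body or b"\x00" in body:
        problems.append("bootargs must be one line (embedded 0x0A or 0x00 found)")
    if not body.startswith(b"bootargs="):
        problems.append("line must start with 'bootargs='")
    if len(body) != LINE_LEN:
        problems.append(f"line is {len(body)} characters, expected {LINE_LEN}")
    text = body.decode("ascii", errors="replace")
    tokens = re.sub(r"^bootargs=", "", text).split()
    if "ppsAppParts=0" not in tokens:
        problems.append("ppsAppParts=0 is missing")
    if any(re.fullmatch(r"ppsAppParts=[1-9]\d*", t) for t in tokens):
        problems.append("a non-zero ppsAppParts value is still present")
    # mem= and console= must be carried over unchanged from the step 1 response
    for want in re.findall(r"(?:^|\s)((?:mem|console)=\S+)", device_cmdline):
        if want not in tokens:
            problems.append(f"'{want}' from the device cmdline is not in the env line")
    return problems


def sample_env(cmdline: str) -> bytes:
    """Constructed test input only, not a working env: cmdline padded to LINE_LEN."""
    line = "bootargs=" + cmdline.replace("ppsAppParts=5", "ppsAppParts=0") + " "
    return (line + "ThankYou" * LINE_LEN)[:LINE_LEN].encode("ascii") + b"\n\x00"


if __name__ == "__main__":
    cmdline = "mem=37M console=ttyAMA0,115200 ppsAppParts=5"  # constructed sample
    good = sample_env(cmdline)
    for label, data in [("as built", good),
                        ("0x00 stripped by editor", good[:-1]),
                        ("mem=36M instead of mem=37M", good.replace(b"37M", b"36M"))]:
        print(label, "->", check_env(data, cmdline) or "OK")
```

To check a real file, read it in binary mode (open("env", "rb").read()) and pass the exact /proc/cmdline response saved in step 1.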