
Works on IL-HIP291G-2M-AI from INQMEGA

Open paus56 opened this issue 5 years ago • 51 comments

readonlyhack-v0.1 worked perfectly on the IL-HIP291G-2M-AI camera

  • Firmware version: 3.3.0.0817

rtsp://admin:passwd@iP-addr:554/0/av0 - high-resolution video with audio (1920x1088)
rtsp://admin:passwd@iP-addr:8001/0/av0 - high-resolution video with audio (1920x1088) !!!

- For PTZ to work in tyniCam, add the file GK7102_CloudCam_vendors.xml with the following contents to the tyniCam program settings:

<?xml version="1.0" encoding="UTF-8"?>
<vendors>
    <vendor name="GK7102_CloudCam_Hacks">
        <model name="GK7102_CloudCam" defaultPort="8080" defaultRtspPort="8001">
            <request name="RTSP">/0/av0</request>
            <request name="PtzMoveRelLeft">/cgi-bin/webui?command=ptzl</request>
            <request name="PtzMoveRelRight">/cgi-bin/webui?command=ptzr</request>
            <request name="PtzMoveRelUp">/cgi-bin/webui?command=ptzu</request>
            <request name="PtzMoveRelDown">/cgi-bin/webui?command=ptzd</request>
        </model>
    </vendor>
</vendors>

The following camera settings were found in the file hwcfg.ini:

  • passwd = 12345678 - sets / changes the password for ONVIF
  • support_mp4record = 1 - records video in .MP4 format to the SD card with the original firmware
  • main_bps = 768 - video bitrate
  • main_fps = 12 - video fps

paus56 avatar Nov 13 '18 09:11 paus56

List of all IL-HIP291G-2M-AI camera parameters from the file p2pcam, for writing to the file hwcfg.ini:

"model" "main_bps" "sensor_position" "support_eth" "ir_detect_type" "adc_setting_max" "adc_setting_min" "support_ptz" "support_allid" "support_onvif" "passwd"

"auto_reboot" "ptz_one_step" "main_fps" "sub_bps" "sub_fps" "support_fisheye" "local_quality_auto" "voice_prompt" "sound_detect" "sound_level" "motion_level" "support_twoway_speech" "adc_chan" "buzzer_time" "cds_lvl_night" "ircut_reverse" "ircut1_lvl" "ircut2_lvl" "ir_light_lvl" "white_light_lvl" "smart_ai_mode" "support_433" "support_smartfeed", "buzzer_mode" "support_pir" "support_onekeycall" "show_logo" "support_syncledtime" "support_wifikit" "support_doublelight" "ptz_mic_mode" "support_mp4record", "voice_volume" "hisi_redCastGain" "standard_definition" "talk_volume" "support_autosaturation" "fisheye_mode" "support_breakpointrecord" "night_smear" "support_mdzone" "agcnight_value" "agcday_value" "mic_value" "power_freq" "wifikit_passwd" - "12345678" "wifikit_ssid" - "CLOUD_WIFIKIT"

paus56 avatar Nov 13 '18 16:11 paus56

I can confirm, the hack is working. Thank you very much

aHVzY2g avatar Dec 15 '18 23:12 aHVzY2g

I can confirm it too. However I was able to brick it immediately, curious me. After that decided to open it up and located the 3.3V UART for debugging - [ image ]

U-boot output:

U-Boot 2012.10 (Dec 26 2017 - 18:17:43) for GK7102 rb-sc1045-v2.0 (GOKE)

HAL:   20160913 
DRAM:  64 MiB
Flash: 8 MiB
NAND:  [No SPI nand] 
SD/MMC: 0
SF:    8 MiB [page:256 Bytes] [sector:64 KiB] [count:128] (XM25QH64)
In:    serial
Out:   serial
Err:   serial
Net:   Int PHY 
Hit any key to stop autoboot:  0 
GK7102 # 
GK7102 # 
GK7102 # printenv
[PROCESS_SEPARATORS] printenv
arm_freq=0x00112032
baudrate=115200
bootargs=console=ttySGK0,115200 mem=36M rootfstype=squashfs root=/dev/mtdblock2 init=linuxrc mtdparts=gk_flash:320K(U),1664K(K),1152K(R),2560K(A),-(H)
bootcmd=sf probe;sf read 0xc1000000 0x50000 0x1A0000;bootm 0xc1000000;
bootdelay=1
bootfile=zImage
bsbsize=1M
consoledev=ttySGK0
ethact=gk7101
ethaddr=xx:xx:xx:xx:xx:xx  <-- this is not real value
filesize=256D78
gatewayip=192.168.0.1
hostname="gk7102s"
ipaddr=192.168.0.27
loadaddr=0xC1000000
mem=36M
netdev=eth0
netmask=255.255.255.0
nfsserver=11.1.4.19
phytype=0
rootfstype=ubi.mtd=3 rootfstype=ubifs root=ubi0:rootfs
rootpath=/opt/work
serverip=192.168.0.29
sfboot=setenv bootargs console=${consoledev},${baudrate} noinitrd mem=${mem} rw ${rootfstype} init=linuxrc ip=${ipaddr}:${serverip}:${gatewayip}:${netmask}:${hostname}:${netdev} mac=${ethaddr} phytype=${phytypem
sfkernel=0x50000
stderr=serial
stdin=serial
stdout=serial
tftpboot=setenv bootargs root=/dev/nfs nfsroot=${nfsserver}:${rootpath},proto=tcp,nfsvers=3,nolock ip=${ipaddr}:${serverip}:${gatewayip}:${netmask}:${hostname}:${netdev} mac=${ethaddr} phytype=${phytype} consolm

Environment size: 1290/65532 bytes
GK7102 # 

So anyone can easily dump the SPI FLASH by issuing commands:

sf probe;
sf read 0xc1000000 0x0 0x800000
mmc init
mmc parts
fatwrite mmc 0:1 0xc1000000 partall.raw 0x800000

It initializes the SPI flash and MMC driver, then reads the entire SPI flash into RAM and then writes it to the MMC, into the first partition, which has to be of FAT type.

Later, using the mtdparts=gk_flash:320K(U),1664K(K),1152K(R),2560K(A),-(H) values, I was able to split the large dump into chunks and mount partitions 3 (root), 4 (app), 5 (home). The root and app partition type is squashfs and the home partition is jffs2 type.

For my case I had to remove /home/etc/wpa_supplicant.conf file otherwise the app could not connect to the wifi router.

Best regards, McGr3g0r

McGr3g0r avatar Dec 20 '18 21:12 McGr3g0r
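
The split described in the post above, as an added example (not part of the original thread or the zsgx1hacks project): it parses the mtdparts string from the printenv output, slices the 8 MiB dump into one image per partition and checks each for a squashfs or jffs2 magic. The function names, output file names and the little-endian magic values are assumptions of this example.

```python
import re

# mtdparts value copied from the bootargs line in the printenv output above
MTDPARTS = "gk_flash:320K(U),1664K(K),1152K(R),2560K(A),-(H)"
UNITS = {"": 1, "K": 1 << 10, "M": 1 << 20}

def parse_mtdparts(spec, flash_size):
    """Return [(name, offset, size)] for one '<dev>:<size>(<name>),...' spec."""
    _, _, parts = spec.partition(":")
    layout, offset = [], 0
    for item in parts.split(","):
        m = re.fullmatch(r"(-|\d+)([KkMm]?)\((\w+)\)", item.strip())
        if not m:  # '@offset' and 'ro' suffixes are not handled here
            raise ValueError(f"unsupported mtdparts entry: {item!r}")
        if m.group(1) == "-":  # '-' means "rest of the flash"
            size = flash_size - offset
        else:
            size = int(m.group(1)) * UNITS[m.group(2).upper()]
        if size <= 0 or offset + size > flash_size:
            raise ValueError(f"partition {m.group(3)} does not fit in flash")
        layout.append((m.group(3), offset, size))
        offset += size
    return layout

def split_dump(dump, spec=MTDPARTS):
    """Slice a raw flash image (bytes) into {name: bytes}, one per partition."""
    return {name: dump[off:off + size]
            for name, off, size in parse_mtdparts(spec, len(dump))}

def guess_type(blob):
    """Magic check, assuming little-endian images: squashfs 'hsqs', jffs2 0x1985."""
    if blob[:4] == b"hsqs":
        return "squashfs"
    if blob[:2] == b"\x85\x19":
        return "jffs2"
    return "raw"  # e.g. U-Boot or kernel: plain binaries, nothing to mount

if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:  # e.g. partall.raw from the SD card
        image = f.read()
    for name, blob in split_dump(image).items():
        with open(f"mtd_{name}.img", "wb") as out:
            out.write(blob)
        print(f"{name}: {len(blob):#x} bytes, {guess_type(blob)}")
```

The computed K offset and size (0x50000, 0x1A0000) are the same values the bootcmd line passes to sf read, which is a quick check that the layout was parsed correctly.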

How did you manage to execute these commands? sf_firmware

paus56 avatar Dec 21 '18 10:12 paus56

These commands were issued in the U-boot bootloader, not the Linux console. You can stop U-boot from booting the kernel by: Hit any key to stop autoboot: 0

McGr3g0r avatar Dec 21 '18 11:12 McGr3g0r

and so the received files are different?

# dd if=/dev/mtd0 of=/media/mtd0.img
640+0 records in
640+0 records out
327680 bytes (320.0KB) copied, 0.146524 seconds, 2.1MB/s
# dd if=/dev/mtd1 of=/media/mtd1.img
3328+0 records in
3328+0 records out
1703936 bytes (1.6MB) copied, 0.746780 seconds, 2.2MB/s
# dd if=/dev/mtd2 of=/media/mtd2.img
1792+0 records in
1792+0 records out
917504 bytes (896.0KB) copied, 0.405942 seconds, 2.2MB/s
# dd if=/dev/mtd3 of=/media/mtd3.img
10624+0 records in
10624+0 records out
5439488 bytes (5.2MB) copied, 5.101560 seconds, 1.0MB/s

mtd2.img - squashfs
mtd3.img - jffs2 (Home)

but mtd0 and mtd1 can not be opened, it is unclear what file system ?

paus56 avatar Dec 21 '18 16:12 paus56

mtd0 is U-Boot bootloader and mtd1 Linux Kernel, both are plain ARM binaries so mounting of these partitions is impossible.

McGr3g0r avatar Dec 24 '18 13:12 McGr3g0r

IL-HIP291G-2M-AI
firmware ver. 3.3.0.0817
#
# cat /proc/mtd
dev:    size   erasesize  name
mtd0: 00050000 00010000 "U"
mtd1: 001a0000 00010000 "K"
mtd2: 000e0000 00010000 "R"
mtd3: 00530000 00010000 "A"
#

IL-HIP291G-2M-AI
firmware ver. 3.4.0.1031
#
# cat /proc/mtd
dev:    size   erasesize  name
mtd0: 00050000 00010000 "U"
mtd1: 001a0000 00010000 "K"
mtd2: 00120000 00010000 "R"
mtd3: 00280000 00010000 "A"
mtd4: 00270000 00010000 "H"
#

paus56 avatar Dec 28 '18 09:12 paus56

On the IL-HIP291G-2M-AI camera, to display the date and time in the OSD, add the line show_osd_time = 1 to the file hwcfg.ini in the camera's /home/ folder

hip291g_osd

hip291g_osd2

paus56 avatar Jan 06 '19 21:01 paus56

@McGr3g0r, you seem to have the same flash chip as I do. I managed to brick my camera when trying to flash a new firmware: https://github.com/ant-thomas/zsgx1hacks/issues/96 - the 8MBiT Flash chip doesn't seem to be so common.

Do you have a backup of your flash you could share with me, so I can bring my camera back to life by flashing the version you have? Of course, if your camera is in a working state at the moment :)

@paus56, I used deepl.com to translate pages from the thread you are active in on http://4pda.ru - You seem to be pretty deep into the matter, do you have a firmware or flash package for cameras with 8MBiT flash?

gymnae avatar Feb 04 '19 17:02 gymnae

Firmware for IL-HIP291G-2M-AI.zip

paus56 avatar Feb 10 '19 07:02 paus56

Thanks, @paus56, I guess then I need to order a programmer. The flash chip of my guudgo gd-c03 carries the marking of md25q64cs16 and reports as gd25q64. I have a hot air solder station, so taking out the chip and replacing it should be doable. Do you think using a SOP 8 clamp instead of de-soldering would work as well? And is the resistor mod necessary?


gymnae avatar Feb 10 '19 12:02 gymnae

If your camera is different from IL-HIP291G-2M-AI, then the firmware may not work

paus56 avatar Feb 12 '19 05:02 paus56

I'm aware, but it's worth a try, I hope. I have no comparable package for the GD-C03.


gymnae avatar Feb 12 '19 07:02 gymnae

@paus56, I tried your flash just now. It successfully flashed and booted, but you are correct, the GD-SC03 is different and it doesn't work. Also, it really only properly flashes when de-soldering the chip, not when using the SOP8 clamp. Now my hope is to find a .bin or collection of mtd fitting to the gd25q64 and/or 8MB Flash from a GD-SC03


gymnae avatar Feb 12 '19 22:02 gymnae

I have INQMEGA IL-HIP291L-2M-AI (Ethernet + Wi-Fi version), firmware 3.4.1.1212. I have updated the script /media/hack/www/cgi-bin/webui

  1. I used the following command to detect the IP address using ifconfig and grep only, because there are no cut and ip commands:

ipadd=`/sbin/ifconfig eth0 | grep -oE "inet addr:.*.B" | grep -oE "([0-9]{1,3}\.){3}[0-9]{1,3}"`

     Note replace wlan0 with eth0 in case of Wi-Fi only.

  2. The file /home/hardinfo.bin contains the line <IrCtrl>12_0x00000000_0_1</IrCtrl>, so I have updated /media/hack/www/cgi-bin/webui (changed 46 -> 12):

if [ "$command" = "iron" ]; then
    /bin/gio -s 12 1 > /dev/null
fi
if [ "$command" = "iroff" ]; then
    /bin/gio -s 12 0 > /dev/null
fi

  3. Please update ptz.md: I have figured out the following commands

     0x71 arg0 - zoom in (arg0 ignored)
     0x72 arg0 - zoom out (arg0 ignored)
     0x73 arg0 - setPSP (arg0) - store position preset# 0..0x10
     0x74 arg0 - callPSP (arg0) - restore position preset# 0..0x10
     0x74 arg0 - startScan(arg0) - scan, arg0 must be 0x40..0xFC
     0x74 0xFD - resetPTZ(0)
     0x74 0xFE - resetPTZ(1)
     0x74 0xFF - resetPTZ(0)
     0x75 arg0 - deletePSP(arg0) - delete position preset# 0..0x10
     0x79 arg0 - calltrack(arg0)
     0x7C arg0 - startScan(0x43) - arg0 ignored
     0x81 getRange(ptr)
     0x82 getPosition(ptr)
     0x84 arg0 - resetPTZ(0) - arg0 ignored
     0x83 arg0 - gotoPos(ptr)
     0x86 arg0 - setSpeed(ptr)
     0x87 arg0 - getSpeed(ptr)
     0x89 arg0 - setSavePos()
     0x8A arg0 - resetPSP0(0, arg0)
     0xFF arg0 - set_pps(arg0) - motor pulse per second
     0x3EA arg0 - printPos()
     0x3EC arg0 - switch_dbg(arg0) - 0 or 1 - set 0x40 to other_flags

There is an internal function driveMotor(direction, hspeed, vspeed, scan); direction is a set of bit flags:

     0x00 - stop
     0x02 - right
     0x04 - left
     0x08 - up
     0x10 - down
     0x20 - zoom in
     0x40 - zoom out

/home/ptz.cfg params:

other_flags:

     0x08 - ignore setPSP / callPSP / deletePSP
     0x10 - use hspd_slfck and vspd_slfck instead of arg0
     0x20 - use hmotor_upbound and vmotor_upbound (position may be -upbound..+upbound), otherwise 0..4000 and 0..400 or 0..max if test_max_pos =1 is set.
     0x40 - call setPSP(0) to save position after each stop

xchg_dir flags:

     1 - swap left/right
     2 - swap up/down
     4 - swap zoom in/out

More details here https://4pda.ru/forum/index.php?s=&showtopic=928641&view=findpost&p=82742427

slydiman avatar Feb 24 '19 16:02 slydiman

Re: [ant-thomas/zsgx1hacks] Works on IL-HIP291G-2M-AI from INQMEGA (#90)

Hello

Unpack the attached file to the root of the SD card. I have added the file /hack/hosts.new and added the following line to the file debug_cmd.sh

mount --bind /media/hack/hosts.new /etc/hosts

Thanks, Dmitry

Friday, June 14, 2019 12:16:03 AM You wrote:

Firmware for IL-HIP291G-2M-AI.zip

I also own an IL-HIP291G-2M-AI. I really want to close the cloud connection, but I do not understand the steps required for that. Is there some manual that explains the steps I should take?

slydiman avatar Jun 14 '19 05:06 slydiman

Hi all,

Is there a chance for this to work on other cameras with same external design but from different brands ? I guess it's the same manufacturer (same hardware inside) but with different branding depending on each seller.

I got this one from Amazon as Mamicam brand https://www.amazon.fr/gp/product/B07P1MN2ZJ/ref=ppx_yo_dt_b_asin_title_o02_s00?ie=UTF8&psc=1, but can find plenty of them on Aliexpress using different brands.

ejalal avatar Jul 10 '19 11:07 ejalal

Well I guess there's only one way to find out.

ejalal avatar Jul 15 '19 13:07 ejalal

Firmware for IL-HIP291G-2M-AI.zip

How can I use this file to restore my bricked camera via sdcard?

thiagosouza2000 avatar Oct 30 '19 14:10 thiagosouza2000

Hi, I have a big problem. I also tried to get rid of CLOUD from the IP CAMERA and now I believe I was left with a brick. When I turn on the camera (IL-HIP291G-2M-AI) it tells me I'm waiting for CONFIGURATION. After pressing 2 seconds on the reset button it tells me to enter AP mode. When I log on to the ip on the camera I do not receive any video images. I got USB-UART, because I thought I would need it if I broke it. Can anyone help me with a solution? I tried to enter it with putty user: root and password cxlinux but it does not allow me to enter HOME. From what I have noticed I have no space on it anymore, and it does not let me delete; it tells me it is just for reading.

Catalin84 avatar Nov 08 '19 11:11 Catalin84

Firmware for IL-HIP291G-2M-AI.zip

How can I use this file to restore my bricked camera via sdcard?

Did you manage to fix it? I have the same problem restoring from SD card, but it tells me that the home folder is READ ONLY.

Catalin84 avatar Nov 08 '19 11:11 Catalin84

  • You have modified firmware installed on the camera
  • Install the Android app Ysee or SAP HD and, after the phrase "waiting for CONFIGURATION", connect the camera in the Ysee app...
  • Read more about it here: http://4pda.ru/forum/index.php?s=&showtopic=928641&view=findpost&p=89274008

paus56 avatar Nov 08 '19 12:11 paus56

  • You have modified firmware installed on the camera
  • Install the Android app Ysee or SAP HD and, after the phrase "waiting for CONFIGURATION"
  • Read more about it here: http://4pda.ru/forum/index.php?s=&showtopic=928641&view=findpost&p=89274008

I have a problem. Can I delete some files from home?

df -h | grep home

/dev/mtdblock4 3.4M 3.4M 0 100% /home
/dev/mmcblk0p1 252.0M 8.0M 244.0M 3% /home/hd1
/dev/mmcblk0p1 252.0M 8.0M 244.0M 3% /home/web/sd

Is read only ... :(

Catalin84 avatar Nov 08 '19 12:11 Catalin84

You must not delete files from home... you need to completely reflash the camera with the original firmware from your backup

paus56 avatar Nov 08 '19 12:11 paus56

You must not delete files from home... you need to completely reflash the camera with the original firmware from your backup

Yes, but the problem is I don't have a backup. On the flash it says GK7102. With what tool can I write from a backup that I found on the internet?

Catalin84 avatar Nov 08 '19 13:11 Catalin84

Which firmware did you flash to the camera before this?

paus56 avatar Nov 08 '19 13:11 paus56

  • You have modified firmware installed on the camera
  • Install the Android app Ysee or SAP HD and, after the phrase "waiting for CONFIGURATION", connect the camera in the Ysee app...
  • Read more about it here: http://4pda.ru/forum/index.php?s=&showtopic=928641&view=findpost&p=89274008

The ZIP files are not available anymore - error 404. Any idea where to find them?

thiagosouza2000 avatar Nov 08 '19 13:11 thiagosouza2000

You need to register and log in to 4PDA, then the files will be available...

Some of the files are here: https://github.com/ant-thomas/zsgx1hacks/issues/129

paus56 avatar Nov 08 '19 13:11 paus56

Which firmware did you flash to the camera before this?

I don't remember. I just want to get back the video of the camera. Commands are working, I can open the page locally but I don't see video.

Catalin84 avatar Nov 08 '19 13:11 Catalin84