BazzDoorbell
BazzDoorbell copied to clipboard
guino
CW017 research
Here's a couple of images. Looks similar to the board in #11 from @swisslegacy
Originally posted by @parkerlreed in https://github.com/guino/BazzDoorbell/issues/2#issuecomment-774789777
:+1: Thanks. Good idea keeping tracking in a separate thread (that's a pain in the ass to expand all the comments in the main)
@parkerlreed yes :) similar but different hardware. The uart pads will likely be on the other side by removing the 4 silver colored screws
Trying the 2.7.x files from #11 here's what I observe
- Light blinks red and blue after holding reset for 5 seconds
- I release, it sits on red for a second, and then goes blue
- Stays solid blue (and never gets to the "Hey Im booted" beep)
- Wait a couple minutes and check SD card
- Looks to be the original MBR
2.9.x on my first try resulted in a corrupted MBR which made me think it worked but was the same result (and subsequent tries the MBR stays in tact)
- Red and blue after 5 seconds
- This time stays red for about 20 seconds
- Proceeds to boot normally
There’s usually data left in the sectors of the card from before doing #11 so if you want to see if the process did anything you would have to zero out the sectors before using #11:
dd if=/dev/zero of=/dev/mmcblkX bs=512 count=32768 seek=1
Serial pins should be the 4 pads on the bottom left of the picture you posted.
You can use the screw hole as ground and test which is ground from the pads, then test which is 3.3v using pin 8 of the flash chip. Or you can just solder wires and swap them until you find what is rx, tx and ground (no need to connect 3.3v). Just make sure you don’t pull hard on wiring after soldering or they will come right out of the board.
I tried zero'ing out beforehand and no difference. (Stayed blank instead of having any data)
Does the device not care that I blew out the MBR?
The MBR is sector 0 (zero) the command I gave was supposed to start zeroing from sector 1 - but I realize I forgot to pass the parameter seek=1, it should have been:
dd if=/dev/zero of=/dev/mmcblkX bs=512 count=32768 seek=1
that was my bad - you would probably have to redo #11 to build a new MBR now.
As for the serial, I have a couple Pi Zeros I can try and get working (They do have 3.3v UART right?)
Thanks for the tips.
@parkerlreed I can’t read the numbers on the chips but based on the previous version of the board the flash may actually be the one on the other side of the board instead of the one I posted above (pin 8 3.3v marked):
Like I said before you don’t need to connect the 3.3v I only marked it as a way to try and determine which pads to use (so you don’t need to solder a wire to the 3.3v pad).
U-Boot 2013.10.0-AK_V3.0.07 (Sep 19 2020 - 14:46:53)
DRAM: 64 MiB
8 MiB
ANYKA SDHC/MMC4.0: 0
PPS:Sep 19 2020 14:46:58 anyka_c3: 0
magic err
magic err
command:setenv bootargs mem=64M console=ttySAK0,115200n8 loglevel=10 mtdparts=spi0.0:256k(bld),64k(env),64k(enc),64k(sysflg),3m(sys),4032k(app),640k(cfg) ppsAppParts=5 ip=192.168.1.99:::255.255.255.0 eth=00:55:7b:b5:7d:f7
## Booting kernel from Legacy Image at 81c08000 ...
Image Name: Linux-3.4.35
Image Type: ARM Linux Kernel Image (uncompressed)
Data Size: 2789360 Bytes = 2.7 MiB
Load Address: 81c08000
Entry Point: 81c08040
Verifying Checksum ... OK
XIP Kernel Image ... OK
Starting kernel ...
Uncompressing Linux... done, booting the kernel.
Anyka Linux Kernel Version: 1.1.12
Also for reference here's the listing for this camera https://www.walmart.com/ip/Merkury-Innovations-Smart-Wifi-Camera-1080p-2-Way-Communication/679786717
Based on the bootargs shown the method used for Merkury 720p (my other repo) should work if you just adjust the load address (looks like 81c08000?)
It should just need the commands in the env file (typed in thr uboot since you can), ideally we figure out the address so that hack would work on it.
If your port 80 is disabled be default you can use the ppsFactoryTool.txt to enable it but that’s not important for the hack to work.
I'm sure I'm probably just being thick here. I am typing this correctly?
Remove the hack= part and only do what is after the = sign .. the hack= part is to set the environment from file which is not needed in uboot.
Actually nevermind that, we need to figure out where the files are loaded, can you execute printenv and post the response ?
Ok so something like this?
setenv bootargs ${bootargs} '- ip=30;/mnt/mmc01/initrun.sh)&:::::;date>/tmp/hack;(sleep
ipaddr=0
bootm 0x81c08000
ipaddr is supposed to be it's own command or part of the first one? (There's a newline in the env so that's what's confusing me)
Without being familiar with uboot it will be easier to just modify the hack for your camera — with the printenv output I can probably do it.
the commands from the env file would have to be like this I think:
setenv hack ‘setenv bootargs ${bootargs} \'- ip=30;/mnt/mmc01/initrun.sh)&:::::;date>/tmp/hack;(sleep’
then another command:
setenv ipaddr ‘0;run hack;bootm 0x81c08000;’
It would be nice if you execute and post the output for printenv and for help so I know what is available
pps # printenv
baudrate=115200
bootargs=mem=64 console=ttySAK0,115200n8 loglevel=10
bootcmd=loadk;bootm 0x81C08000
bootdelay=3
console=ttySAK0,115200n8 loglevel=10
ethaddr=00:55:7b:b5:7d:f7
ipaddr=192.168.1.99
memsize=64M
netmask=255.255.255.0
serverip=192.168.1.1
setcmd=setenv bootargs console=${console} mem=${memsize}
sf_hz=20000000
stderr=serial
stdin=serial
stdout=serial
ver=U-Boot 2013.10.0-AK_V3.0.07 (Sep 19 2020 - 14:46:53)
Environment size: 455/4088 bytes
pps # help
? - alias for 'help'
auth - encrypt product authfile
base - print or set address offset
bootm - boot application image from memory
clearCfg- clearCfg
cmp - memory compare
cp - memory copy
crc32 - checksum calculation
devmem - read or write register, now just read
downimage- downimage - download and write All-Image to FLASH device,partiton table from ENV partition.
downjffs2fs- load usr.jffs2 tftp
downkernel- load uImage tftp
downrootfs- load root.sqsh4 tftp
downsquashfs- load usr.sqsh4 tftp
downuboot- load uboot tftp
env - environment handling commands
envreset- reset env para
erase - erase FLASH memory
fatinfo - print information about filesystem
fatload - load binary file from a dos filesystem
fatls - list files in a directory (default /)
flinfo - print FLASH memory information
format - erase all flash except bootloader part
go - start application at address 'addr'
help - print command description/usage
loadk - load kernel to DRAM
loop - infinite loop on address range
md - memory display
mm - memory modify (auto-incrementing address)
mmc - MMC sub system
mmcboot - from mmc start
mmcinfo - display MMC info
mw - memory write (fill)
nm - memory modify (constant address)
parts - read out partitions table info.
parts_adjust-
adjust parts info. Each part's size,offset etc.
pcbMenu - select Pcb
printenv- print environment variables
protect - enable or disable FLASH write protection
readcfg - read config from config.
reset - Perform RESET of the CPU
run - run commands in an environment variable
saveenv - save environment variables to persistent storage
setenv - set environment variables
setloadaddr- set loadaddr to config infor .
sf - spi flash sub-system:
tfdownjffs2fs- load usr.jffs2TF
tfdownkernel- load uImageTF
tfdownrootfs- load root.sqsh4TF
tfdownsquashfs- load usr.sqsh4TF
tfdownuboot- load u-boot.binTF
tfupdateimage- tfupdateimage - download and write All-Image to FLASH device
uartdown- down style 0:tftp 1:uart 2:mmc
upa - update app image appfile
upb - update bootloader bldfile
update - update upgrade.bin
updatecfg- update config from config infor table.
upe - update auth image authfile
upf - update firmware, format and update (factory use upffile)
upk - update uImage kernelfile
upr - update backup.img
version - print monitor, compiler and linker version
After setting those two
bootargs=mem=64 console=ttySAK0,115200n8 loglevel=10 - ip=30;/mnt/mmc01/initrun.sh)&:::::;date>/tmp/hack;(sleep
ipaddr=0;run hack;bootm 0x81c08000;
Should be good to power cycle?
There’s a very good chance that if you just adjust the address in ppsMmcTool.txt and env files from the merkury 720p project to 81c08000 (instead of 81808000) you should be able to install the hack using the steps in that repo - that is what I would try first.