BazzDoorbell
BazzDoorbell copied to clipboard
guino
Avidsen Homecam 360
Hi. I recently bought this camera https://www.avidsen.com/?view=product&lang=en_US&product_id=630. Which is basically a smartlife(tuya) camera running firmware 2.9.1 Port 80 is open but when i try to http i get prompt to login with username and password which i was not able to find. Is there any other way that i might be able to flash it or do i need the kernel from your step 1?
@myrulezzz try user admin and password 056565099 -- such as this link (replace IP with the local network IP of the camera): http://admin:056565099@IP/devices/deviceinfo -- if it shows the firmware information then #13 probably will work for you (based on the version).
@myrulezzz Additionally if the user admin and password 056565099 doesn't work (keeps asking for the prompt), please post a screenshot of the popup, but you may be able to use #11 to read the flash of the camera and then (if you post that) I may be able to determine the user/password so you can then use #13 on it. Without the kernel command line there's no easy way to be sure the process will work without causing problems for your device (specially being a different hardware like yours).
Hi. I was able to get this with #13:
#!/bin/sh
export PATH=/usr/bin:/sbin/:/usr/sbin:/bin
RED=" [1;31m" NORMAL=" [0;39m"
echo "${GREEN} 2015 PPStrong Tech Cop.Ltd.${NORMAL}"
mkdir -p /opt/pps
MTDNUM=cat /proc/cmdline | sed 's/.*ppsAppParts=\([0-9]\).*/\1/'
debug
MTDNUM=5
case $MTDNUM in 5) mount -t cramfs /dev/mtdblock$MTDNUM /opt/pps break ;; 7) mount -t cramfs /dev/mtdblock$MTDNUM /opt/pps break ;; 0) sleep 10 mount -t vfat /dev/mmcblk0p1 /opt/pps break ;; *) MTDNUM=5 mount -t cramfs /dev/mtdblock$MTDNUM /opt/pps ;; esac
echo "/opt/pps/" > /tmp/PPStrong.runpath [ -e /opt/pps/initrun.sh ] && cp /opt/pps/initrun.sh /tmp/PPStart && chmod +x /tmp/PPStart && /tmp/PPStart
Does it make any sense?
@myrulezzz that response looks right -- #13 is the method that will work on your device (#11 likely can be used to backup your firmware if you wish to do so). I would expect you should also be able to get http://admin:056565099@IP/proc/cmdline for it too (replacing the IP as you did to get the response you posted).
I was able to do everything but when i http://admin:[email protected]/proc/self/root/mnt/mmc01/hack i don’t get any response at all.
@myrulezzz you may have to wait 1-2 mins after boot and retry http://admin:[email protected]/proc/self/root/mnt/mmc01/hack -- in any case, if everything else worked, you should remove the card and see if you got a /home/app/ppsapp in the SD card -- if so it means the hack worked and camera is rooted, just need to continue with the steps.
Wanger i was not able to get the folder in the sd card. Here is my device info file. From what i understood i was able to proceed with step after 1 and go to step 6 because i used your file. But now i am removing the sd card and i am trying to run the kernel url to get my kernel but i don't get something new. Here is my device info results if they are helping: {"devname":"Smart Home Camera","model":"Speed 4S","serialno":"059011004","softwareversion":"2.9.1","hardwareversion":"S4S_H1_V10_F23","firmwareversion":"ppstrong-c51-tuya2_shf-2.9.1.20190907","authkey":"—","deviceid":"—","identity":"MR190821110","pid":"aaa","WiFi MAC":"c4:3a:—:8a"}
On Wed, Feb 17, 2021 at 10:20 PM Wagner [email protected] wrote:
@myrulezzz https://github.com/myrulezzz you may have to wait 1-2 mins after boot and retry http://admin:[email protected]/proc/self/root/mnt/mmc01/hack -- in any case, if everything else worked, you should remove the card and see if you got a /home/app/ppsapp in the SD card -- if so it means the hack worked and camera is rooted, just need to continue with the steps.
— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/guino/BazzDoorbell/issues/22#issuecomment-780828162, or unsubscribe https://github.com/notifications/unsubscribe-auth/AKIY77LKS63XL4TAEBV6BFTS7QQKLANCNFSM4XY6BZYA .
@myrulezzz I knew your camera was going to have the MTDNUM=5 uncommented because of the version (2.9.1). I would like you to do this:
1- post the results of http://admin:[email protected]/proc/cmdline (using the IP of the camera)
2- make sure the initrun.sh file is in the SD card (if not unzip it from #13) . Then insert the SD card while the camera is powered off, then power the camera on normally. Wait at least 2 minutes after the boot sound, then power it off.
3- check (on the computer) if your sd card has a folder/directory called home - if so check if you have a ppsapp file under home/app/ppsapp - if so, zip it and post it here so it can be patched.
Based on the response from 1 and if you had anything on step 3 I may ask you to do one thing or another, but I can guide you thru it.
From the device information you provided you should be able to enable rtsp (even if I have to help a little bit).
This is my information from step 1:
mem=37M console=ttyAMA0,115200n8 mtdparts=hi_sfc:192k(bld)ro,64k(env)ro,64k(enc)ro,64k(sysflg)ro,3136k(sys),4224k(app),448k(cfg) ppsAppParts=5 ppsWatchInitEnd
On Thu, Feb 18, 2021 at 12:44 AM Wagner [email protected] wrote:
@myrulezzz https://github.com/myrulezzz I knew your camera was going to have the MTDNUM=5 uncommented because of the version (2.9.1). I would lime you to do this:
1- post the results of http://admin:[email protected]/proc/cmdline (using the IP of the camera)
2- make sure the initrun.sh file is in the SD card (if not unzip it from #13 https://github.com/guino/BazzDoorbell/issues/13) . Then insert the SD card while the camera is powered off, then power the camera on normally. Wait at least 2 minutes after the boot sound, then power it off.
3- check (on the computer) if your sd card has a folder/directory called home - if so check if you have a ppsapp file under home/app/ppsapp - if so, zip it and post it here so it can be patched.
Based on the response from 1 and if you had anything on step 3 I may ask you to do one thing or another, but I can guide you thru it.
From the device information you provided you should be able to enable rtsp (even if I have to help a little bit).
— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/guino/BazzDoorbell/issues/22#issuecomment-780903714, or unsubscribe https://github.com/notifications/unsubscribe-auth/AKIY77O6KDHCWLHSDJPFE23S7RBFPANCNFSM4XY6BZYA .
I have copied initrun.sh on the sd card followed your instructions but i am not able to get folder home on it.
@myrulezzz ok, so the hack is not installed (steps 2 and 3 are irrelevant now).
Please do this: 1-Format your SD card -- make sure it is formatted as FAT32 -- if you don't see an option for FAT32 you may want to check this page: https://www.howtogeek.com/316977/how-to-format-usb-drives-larger-than-32gb-with-fat32-on-windows/
2-Unzip this myrulezzz.zip into the SD card -- it should only have 3 files (env, initrun.sh and ppsMmcTool.txt)
3-Eject the SD card (properly) using the windows system tray icons -- to prevent corrupting data on it
4-Power off camera, insert SD card, HOLD the reset button and power it on while holding the reset button for 5 seconds. After 5 seconds, let go of the reset button, wait for the camera to make the boot sound, then wait 2 minutes and check http://admin:[email protected]/proc/cmdline -- post the response.
Wagner, I have followed your steps except that the camera does not have any button so i switched off the camera inserted the sd card with the files after formatting the sd card to fat 32, i know that the micro sd is ok because the camera is creating the folder structure to save videos and pictures.
The result is the same:
mem=37M console=ttyAMA0,115200n8 mtdparts=hi_sfc:192k(bld)ro,64k(env)ro,64k(enc)ro,64k(sysflg)ro,3136k(sys),4224k(app),448k(cfg) ppsAppParts=5 ppsWatchInitEnd
The camera absolutely has a reset button - it may be called setup and may even be just a tiny hole that you have to push into with a paper clip. Worst case scenario you may have to open it to locate the button but it has to be there.
If you don’t push the button while powering on then all effort is useless.
I did not see a manual for that camera or I would have looked it up.
I am pressing the reset button for 5 seconds and power on the camera the same time. but the url is still the same. Is that possible?
On Thu, Feb 18, 2021 at 2:04 AM Wagner [email protected] wrote:
I am expecting it to be something like this: [image: Screenshot_2021-02-17_19-02-59] https://user-images.githubusercontent.com/4961810/108284254-dfbe9c00-7152-11eb-93d5-8db7abbbf148.png
— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/guino/BazzDoorbell/issues/22#issuecomment-780935983, or unsubscribe https://github.com/notifications/unsubscribe-auth/AKIY77JSPE367P4SWR6VOMLS7RKQJANCNFSM4XY6BZYA .
It is possible but unlikely - do you feel a button being pressed when pushing into it at all? I have seen only one other user (different device) which could not get the hack installed - it could be the SD card format or a problem with the actual hardware. One user reported that it only worked after partitioning and formatting the sd card in linux.
Yes I feel the button. I don't think it is hardware because as from serial number it seems that this camera was produced in 2019. I have tried the whole process from mac os. I will try tomorrow from linux and also. try a different sd card ad i will let you know. Thanks
On Thu, Feb 18, 2021 at 2:21 AM Wagner [email protected] wrote:
It is possible but unlikely - do you feel a button being pressed when pushing into it at all? I have seen only one other user (different device) which could not get the hack installed - it could be the SD card format or a problem with the actual hardware. One user reported that it only worked after partitioning and formatting the sd card in linux.
— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/guino/BazzDoorbell/issues/22#issuecomment-780942627, or unsubscribe https://github.com/notifications/unsubscribe-auth/AKIY77N2OPA6PHBOHYF57ELS7RMSPANCNFSM4XY6BZYA .
@myrulezzz this being a different hardware it may have a different load address which is the case for older hardware on 2.7.x and also #21. The problem is figuring out the address which right now requires opening and connecting to the serial port.
Hi Wagner i was trying redo the the steps provided for the camera but still not able to get the url. what do you mean opening and connecting to serial port?
@myrulezzz It means litteraly opening the device (physically) and connecting (possibly soldering) a TTL-Serial adapter to the Serial port pins on the device. This is the kind of thing you should only do if you have some experience with soldering/electronics (and you would need to have/buy a serial-ttl adapter for 3.3v).
I have the serial ttl adapter but the board where is located? Inside the len cover?
@myrulezzz I don/t have a device like yours so the only way to figure out where is the uart/board is for someone to open the device (wherever it may open), disassemble it and take pictures of the boards and post them so I can tell you. You always have the option to wait for someone else (with more experience) to get a similar camera so it can be taken appart, but if you're willing (and confident) to do the manual work I can help you like I helped in #21 with a different camera.
Hi Wagner i was able to get this url after retrying the files:
mem=37M console=ttyAMA0,115200n8 mtdparts=hi_sfc:192k(bld)ro,64k(env)ro,64k(enc)ro,64k(sysflg)ro,3136k(sys),4224k(app),448k(cfg) ppsAppParts=5 ppsWatchInitEnd - ip=${T///$'\x20'}:::::;T="sleep_5;mkdir-p_/mnt/mmc01;mount_-t_vfat_/dev/mmcblk0p1_/mnt/mmc01;/mnt/mmc01/initrun.sh&";eval mtdparts=hi_sfc:192k(bld)ro,64k(env)ro,64k(enc)ro,64k(sysflg)ro,3136k(sys),4224k(app),448k(cfg) ppsAppParts=5 ppsWatchInitEnd
it looks better now?
On Mon, Mar 1, 2021 at 4:20 PM Andreas Stylianou [email protected] wrote:
Hi Wagner i was trying redo the the steps provided for the camera but still not able to get the url. what do you mean opening and connecting to serial port?
On Thu, Feb 18, 2021 at 3:09 AM Wagner [email protected] wrote:
@myrulezzz https://github.com/myrulezzz this being a different hardware it may have a different load address which is the case for older hardware on 2.7.x and also #21 https://github.com/guino/BazzDoorbell/issues/21. The problem is figuring out the address which right now requires opening and connecting to the serial port.
— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/guino/BazzDoorbell/issues/22#issuecomment-780962734, or unsubscribe https://github.com/notifications/unsubscribe-auth/AKIY77NFOCIFGRW7FHVIZ3TS7RSENANCNFSM4XY6BZYA .
@myrulezzz That looks correct -- you should check if you have ppsapp under /home/app/ppsapp in the SD card and if so we should be able to patch it.
@myrulezzz you have to go into github and post a ZIP of the file -- just replying an email with the file attached does not attach it to github and you'be been replying into the thread's email. You can alternatively email me the directly (my email is on my github profile).