Attempting to hack Mini 9S #48
Comments
|
#13 should work on this camera, just make sure to follow the steps correctly and make sure to try formatting/partitioning the SD card in windows/linux/app and possibly try different SD cards. |
|
i think this address (ENV partition) for my camera is different (but what?) |
|
There’s always a chance of different addresses, but the only way to know would be to dump the firmware or using UART. Did you try #11? You could try the hack for Merkury1080 to see - it will not hurt if the address is wrong. |
|
my dump contains garbage SYS_Init++ off513,temp24 p2p0,ap0,active0 p2p0,ap0,active0 StartUp_Indication() normalScan directScan ch 7,type0,2442M. ch 7,type0,2442M. ch 7,type0,2442M. off513,temp29 ch 1,type0,2412M. agcrevert ScanWdt,gain40 ch1,noise-79. ch 2,type0,2417M. nodBm-80. ScanWdt,gain40 ch2,noise-80. ch 3,type0,2422M. ScanWdt,gain40 ch3,noise-80. ch 4,type0,2427M. ScanWdt,gain40 ch4,noise-71. ch 5,type0,2432M. ScanWdt,gain40 ch5,noise-81. ch 6,type0,2437M. ScanWdt,gain40 ch6,noise-81. ch 7,type0,2442M. ScanWdt,gain40 ch7,noise-81. ch 8,type0,2447M. ScanWdt,gain40 ch8,noise-81. ch 9,type0,2452M. ScanWdt,gain40 ch9,noise-81. ch 10,type0,2457M. TPC1 nodBm-81. Iter0,i(0),q(0),g(-2),p(138) power982085,60(dB),agc idx-2,up0. Iter1,i(-24),q(-60),g(-2),p(126) Iter2,i(-23),q(-59),g(-2),p(126) Iter2,i:-23,q:-59,g:-2,p126 ch 10,type0,2457M. |
|
@almirus do you get a prompt/countdown right after power on? Did you try pressing enter during the countdown? If you get a password prompt send me an email. |
|
@guino no any prompts L876:Bus suspend CPU: 0% 5s rssi-43,cnt50. gain[42->36] CPU: 0% SYS_Init++ off513,temp40 p2p0,ap0,active0 p2p0,ap0,active0 StartUp_Indication() normalScan directScan ch 7,type0,2442M. ch 7,type0,2442M. ch 7,type0,2442M. off513,temp39 ch 1,type0,2412M. agcrevert ScanWdt,gain40 ch1,noise-90. ch 2,type0,2417M. |
|
@almirus you may need to press 'reset' while powering on to get the prompt to show up -- if you get to the prompt send me an email and I can send you a few things to try. |
|
@guino with or without sd? |
|
without SD and pressed reset button: L876:Bus suspend CPU: 0% CPU: 0% CPU: 0% CPU: 0% CPU: 0% CPU: 0% CPU: 0% CPU: 0% CPU: 0% CPU: 0% CPU: 0% camera not load with red light :( |
|
@almirus If a countdown is going to show it will show regardless of SD card being present (with/without). If it doesn't show it suggests the bootloader may be different or you may not be doing it correctly (less likely). |
|
@guino ---deleted |
|
@almirus from the flash bin - the mod that should work with this camera is https://github.com/guino/Merkury1080P#conclusion -- as the load address appears to be 81C08000. I had suggested you tried it before (#48 (comment)) but I don't know if you did, can you confirm you tried it ? |
|
@almirus extracting your ppsapp I get: You may want to try guino/Merkury1080P#9 (comment) to see if you can enable onvif by just editing tuya_config.json (assuming you can use the Merkury1080P instructions to access the device). |
|
@guino for this #48 (comment)
and this file ppsMmcTool.txt (2.9.x firmware) nothing to happen, I've garbage flash.bin
this file mini7c.zip nothing to happen, I've garbage flash.bin
|
I haven't telnet access |
|
I tried #13 but my default proc/cmdline like this "setenv bootargs mem=64M console=ttySAK0,115200n8 loglevel=10 mtdparts=spi0.0:256k(bld),64k(env),64k(enc),64k(sysflg),3m(sys),4032k(app),640k(cfg) ppsAppParts=5 ip=192.168.1.99:::255.255.255.0 eth=00:55:7b:b5:7d:f7" and MTDNUM=5 (without #) If i copy 3 files, i can't access via web, if i copy 4 files, i get old file "setenv bootargs mem=64M console=ttySAK0,115200n8 loglevel=10 mtdparts=spi0.0:256k(bld),64k(env),64k(enc),64k(sysflg),3m(sys),4032k(app),640k(cfg) ppsAppParts=5 ip=192.168.1.99:::255.255.255.0 eth=00:55:7b:b5:7d:f7" |
|
@almirus can you make a zip of your SD card contents when trying https://github.com/guino/Merkury1080P#conclusion ? The instructions are clear that you need to copy 3 specific files OVER the files from https://github.com/guino/Merkury720/tree/main/mmc - which is a lot more than 4 (four) files. If I double check your files and it still doesn't work then I would suggest doing exactly what I did in https://github.com/guino/BazzDoorbell which is to modify the initrun.sh file so it runs custom.sh from the SD card and flash it to the chip directly (and I can help you with the changes). |
|
@guino |
|
@almirus glad it worked! Thanks for the coffee! Please try guino/Merkury1080P#9 (comment) to see if you can get RTSP/ONVIF working, if not let me know if you need help patching ppsapp. |
|
success !!! 🎉 |
|
@guino |
|
@almirus whatever user/password you used with ONVIF should work with the above. |
|
@guino do you have any idea how to make the motion detector work? |
|
@almirus it all depends on what you’re trying to do with motion detection/events. Are you trying to notify a client? If so, what client (home assist, domoticz, custom server, etc) I assume you’re not talking about motion recording as that’s an option you should be able to control in the phone app to set recording to: off, on or motion-activated. If you’re looking for something else you need to explain it. |
|
Yes. I want to get events motion) for home assistant (without video analyze on raspberry) |
hi! I have new camera with firmware 4.0.2
{ "devname": "Smart Home Camera", "model": "Mini 9S", "serialno": "062713209", "softwareversion": "4.0.2", "hardwareversion": "M9S_A2_V10_F37", "firmwareversion": "ppstrong-a3-tuya2_laxi-4.0.2.20201008", "identity": "MR2008240200901278", "authkey": "███████████", "deviceid": "pp01c██████1a4f9", "pid": "aaa", "WiFi MAC": "dc:29:19:94:57:cc", "ETH MAC": "00:00:00:00:00:00" }#!/bin/sh export PATH=/usr/bin:/sbin/:/usr/sbin:/bin RED="�[1;31m" NORMAL="�[0;39m" echo "${GREEN} 2015 PPStrong Tech Cop.Ltd.${NORMAL}" mkdir -p /opt/pps MTDNUM=`cat /proc/cmdline | sed 's/.*ppsAppParts=\([0-9]\).*/\1/'` # debug MTDNUM=5 case $MTDNUM in 5) mount -t cramfs /dev/mtdblock$MTDNUM /opt/pps break ;; 7) mount -t cramfs /dev/mtdblock$MTDNUM /opt/pps break ;; 0) sleep 10 mount -t vfat /dev/mmcblk0p1 /opt/pps break ;; *) MTDNUM=5 mount -t cramfs /dev/mtdblock$MTDNUM /opt/pps ;; esac echo "/opt/pps/" > /tmp/PPStrong.runpath [ -e /opt/pps/initrun.sh ] && cp /opt/pps/initrun.sh /tmp/PPStart && chmod +x /tmp/PPStart && /tmp/PPStarttried this #13 and this https://github.com/guino/Merkury720 - unsuccessfully
any idea? my goal is ONVIF support
The text was updated successfully, but these errors were encountered: