-
Notifications
You must be signed in to change notification settings - Fork 17
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Paid Patch Request #48
Comments
Seems it still has IPC functionality: /mnt/mmc01/home/app # LD_TRACE_LOADED_OBJECTS=1 ./ppsapp --> libplat_ipcsrv.so => /lib/libplat_ipcsrv.so (0xb6cab000) <--
-rwxr--r-- 1 1000 1000 17958 Mar 9 2020 /lib/libplat_ipcsrv.so TUYA IOT SDK V:4.1.1 BS:30.01_PT:2.2_LAN:3.3_CAD:1.0.1_CD:1.0.0 > Also, I still see references to EchoShow in various places... |
One last thing... Interesting: I have noticed different parameters get to different sections of code, utilizing different libraries which is evident from the output. Looking through Ghidra I've come up with this, but no idea if it's right or what params belong to which functions: Some extra info I've collected: TUYA IOT SDK V:4.1.1 BS:30.01_PT:2.2_LAN:3.3_CAD:1.0.1_CD:1.0.0 > ppsapp LDD:
LAB_0005ddf8 XREF[1]: 0005dd80(j) Also, this custom.sh script will make life a little easier: #!/bin/sh cp /mnt/mmc01/busybox /bin/busybox ln -s /bin/busybox /bin/du mkdir /local if [ ! -e /tmp/customrun ]; then |
I'm downloading the ppsapp files to take a look right now -- I am assuming that setting onvif_enable in tuya_config.json wasn't enough to get it to enable ONVIF/RTPS (most 4.x firmware work with that setting). |
Nope, I've tried a lot of different things and nothing so far has worked, although I've learned a lot. It says in the Geeni app that the firmware is up to date, but I'm extremely skeptical, since I've had these off for years and it's reporting a build of 20200911? Around 3 years ago? |
Here is the config JSON: /home/cfg # /mnt/mmc01/set ovnif_enable 1 After a reboot, no 8554: |
Well, looking at your files -- it does NOT have any RTSP or ONVIF support at all. Seems like an in-between version where in 2.9/2.10 they had the old RTSP code and in 4.0.6+ they removed the RTSP code and added ONVIF but your 4.0.0 firmware had the RTSP code removed and the ONVIF code was not yet added. Have you ran it thru the phone app to see if there's any firmware update available ? Maybe try the merkury app specifically or the tuya app (generic) because I see we have these versions patched which match your hardware exactly:
My recommendation would be to try to update it with the phone app. If for some reason that doesn't work, the best I can do is see if I can find the 4.0.2 update so you can try running the ppsapp from it directly -- I highly advise against it unless you have a backup of the firmware (i.e. guino/BazzDoorbell#11 ) and can restore it later if something goes wrong (i.e. guino/BazzDoorbell#12 or hardware programmer) because a new firmware version might make changes to settings/data in the device which may prevent it from fully booting up. Let me know what find out / decide. |
You're awesome! |
@AppXprt |
@AppXprt additionally, you should not need to 'root' the device again. you should be able to boot without the SD card, update the firmware, delete the 'home' folder from the SD card and insert and boot it -- It should l stay rooted like before and the home folder should have the new ppsapp. |
That's cool, I removed them from Geeni and adding them directly to the Merkury app after a reset. |
See if you can find a firmware, because nothing I've tried can force an update. I can only sync to Geeni and tuya app, not the Merkury App, but the Tuya app behaves identically to Geeni. I also tried setting the time to midnight with the date command and appropriate unix timestamp. Going to let it sit for a while the wrong time and see if it will trigger a version check since it says it checks during off hours. |
@AppXprt the closest I found is this
Like I said, there's a chance you can brick your device so I hope you made a backup first (or don't care about it). I would run it 'as-is' first (just place it in the root of the SD card) and see if it works at all (with the standard app) -- if it does then you can try patching it the normal way. |
That triggered an update prompt in the Tuya app to v.4.0.6! One of them is upgrading! |
Brick LOL BUT... I think I figured something out.. 4.0.2 must actually have checks for newer versions, then when trying to upgrade to 4.0.6 through the Tuya app, it was patching as though it was 4.0.2 (since it was running that version from the SD.) I have multiple JTAG programmers and a usb serial to UART as well as this other Mini S11 with identical firmware / version so I can probably restore that way and maybe try again a different route. |
Also it still has some logic, so I know it's not completely bricked. Otherwise solid red light forever. I'll dump the firmware of the other, flash it back to this one and see what happens. |
Did the original root hack use an alternative boot process by holding the reset button while powering and if so, what do you know about that process and do you think there is a way to flash through that since it still presents some logic during this process? |
Reading this and going to try a few things: |
@AppXprt sorry to hear you bricked it. If you can get a copy of the firmware of both cameras (the one working and the bricked one) I should be able to prepare a firmware file with just the rootfs restored (to use with guino/BazzDoorbell#12). If 4.0.2 'worked' (until you told it to update), we could just modify the version in the ppsapp file to say 4.0.0 (so it doesn't ask to update it) and you could then see if the app works normally (and if RTSP/ONVIF works after patching). You don't want to just load the entire firmware from one device onto the other as that would copy the cloud certificates and prevent them from being online at the same time. |
Following your Firmware backup for the working one and then the Firmware Write for the bricked one, I can definitely tell it's writing, because I get new behavior on write, solid blue light. Regardless of failed writes, this still seems to be working for now, but still bricked trying to write flash.bin. Attaching multiple dumps with various start addresses for the working one: |
Oops, you know... Edit: |
It looks like all 3 attempts had the same result which may not even be actually reading from the device itself (could be just data left over in the SD card). Either the update attempt corrupted the flash to the point of the boot loader no longer loading or something didn't work with the 'read' process. Unfortunately I don't have any device with 4.x firmware to try the steps to read the flash myself and see if they need any tweaking. If you have tools (flash programmer and/or TTL-uart adapter) you could open the device and try to read it that way (either way would involve some soldering). The ca.crt, ASC16 are the same for all devices, the files you need are tuya_user.db and tuya_enckey.db under /home/cfg (which should be unique to each camera). If you don't have a backup of those, you could still use the device 'offline' (assuming we can get RTSP working), by copying the whole flash from the other device and either disabling internet access, removing the tuya_enckey.db and tuya_user.db files or just making an offline patch. It sounds like tuya probably knows that there's an issue with updating firmware on these 4.0.0 devices and that's likely the reason they don't offer any updates to it -- probably some bug or missing tool in the existing firmware required to perform the firmware update correctly. Did you try to get a firmware copy of your working camera for comparison ? the address should be 81C08000. |
6-12 Pack of Beer for a Patch :-D
Need RTSP ASAP for a hybrid Solar / PoE / USB Battery bank powered Raspberry Pi 4 b rev 1.1 Mobile OBS Studio streaming machine.
Raspberry pi 4 model b rev 1.1 with 2 of these Merkury 1080P's already rooted:
mem=64M console=ttySAK0,115200n8 loglevel=10 mtdparts=spi0.0:256k(bld),64k(env),64k(enc),64k(sysflg),3m(sys),4032k(app),640k(cfg) ppsAppParts=5 ip=0 - ip=30;/mnt/mmc01/initrun.sh)&:::::;date>/tmp/hack;(sleep
{"devname":"Smart Home Camera","model":"Mini 11S","serialno":"","softwareversion":"4.0.0","hardwareversion":"M11S_A2_V10_F37","firmwareversion":"ppstrong-a3-tuya2_merkury-4.0.0.20200911","identity":"MR2008250201450521","authkey":"","deviceid":"pp01cccb6aa97251fa7d","pid":"aaa","WiFi MAC":"*","ETH MAC":"00:00:00:00:00:00"}
user 1256 S /mnt/mmc01/busybox telnetd -l /bin/sh
user 1252 S /mnt/mmc01/busybox httpd -c /mnt/mmc01/httpd.conf -h
tcp 0 0 0.0.0.0:6668 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:23 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:8090 0.0.0.0:* LISTEN
-kernel_build_svn 20190403 -kernel_version 197667 -flash 8 -total 64 -hw_id 0 -sensor soif23mipi -osmem 37 -mmz:27 -pcbname M11S_A2_V10_F37 -factoryname PPSTRONG -platform A3 -btnup 0 -btndown 0 -btnpresstime 0 -pcbversion SB2S_A2_V10 -viewmirror vertical_horizontal -inputvolumn none -ouputvolumn none -micphonemode none -distortion none -modename Mini^11S -lensinfo f3.6A -halinfo 3619ev200/
ppsapp.txt
ppsapp2.txt
If you want you can teamview where I already have everything connected and Ghidra open.
The text was updated successfully, but these errors were encountered: