Attempting to enable Telnet on a IPC 18 M V2.0 (Hi3516) IP Camera Board

bxdobs

n3wb
Joined
Aug 29, 2020
Messages
23
Reaction score
0
Location
Canada
IP Camera ($200) e/w PTZF failed (Zoom and Focus motors stopped moving) shortly after 90 days ... Seller refused to replace or refund the purchase

Ultimately, I want this camera to work again ... $200 for 3 months of use is just a bit hard to take ... I have tried to get support from the manufacturer but they were only willing to sell me a sub-board and calibration procedure plus provide me with some firmware updates ... having failed all that, I am now attempting to get root access to the camera with the goal of hopefully overriding their failed AUTO-FOCUS mode.

The manufacturer sold me a replacement sub-board ($50) ... while resolving the control issue for both the Zoom and Focus motors, the camera appears to be stuck in some kind of out of calibration AUTO-FOCUS mode ... manufacturer provided an English (translated) calibration process with this control board ... perhaps something is missing in the translation because following the procedure has not resulted in a focused camera. The manufacturer has been repeatedly asked if it is possible to turn off the AUTO-FOCUS feature but they keep referring me to this calibration process.

The manufacturer also sent me several firmware updates (.pkg) files (file header starts with zip prefix PK) ... expanding these files shows they contain mostly Web-Based Server Files (HTML) ... plus ... they contain some shell scripts, one of which contains startup logic relating to telnetd services. Specifically, this shell file has a flag currently set to 0 restricting telnetd startup ... comparing these pkg files there is no indication that any of the files contained within them are being checked for CRC ... so ... I modified the script file, recreated the pkg file (zip) and uploaded it to the camera ... rebooting the camera but telnet port 23 is still mia ... nmap still only shows 4 active ports ... there is no way to determine if the modified script was rejected or if telnetd is just missing from the kernel filesystem

The Camera Motherboard has a 4 pin unpopulated header ... there is obvious TX activity at 115200 bits/sec on pin 1 and GND on pin 2 (measured with a scope), pin 3 and pin 4 are sitting at 3.3V ... Pin 3 measures 9k4 ohms to the 3.3V rail, pin 4 measures 4k7 ohms to the 3.3V rail, and measures 4k7 ohms between pins 3 and 4 ... expecting that Pin 3 is likely the RX pin ... using a 3.3V UART at 115200 Baud 8n1, I was able to capture the camera's uboot process ... after bootup it doesn't provide a login prompt ... even if I were able to stop the uboot process (uboot dialog suggests any key stops uboot process), would I have any expectation to be able to enable the telnetd process from uboot? Wasn't able to stop the uboot process ... need to make a proper uart connection as I found the ground connection I made was intermittent. (Explains the noise captured on the TX pin)
 

bxdobs

n3wb
Joined
Aug 29, 2020
Messages
23
Reaction score
0
Location
Canada
The "attach files" option didn't appear to work for me so I have pasted the uboot text below

Code:
[TABLE]
[TR]
[TD]U-Boot 2010.06 (May 23 2014 - 08:55:45)[/TD]
[/TR]
[TR]
[TD]NAND:  Special Nand id table Version 1.35[/TD]
[/TR]
[TR]
[TD]Nand ID: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00[/TD]
[/TR]
[TR]
[TD]No NAND device found!!![/TD]
[/TR]
[TR]
[TD]0 MiB[/TD]
[/TR]
[TR]
[TD]Check spi flash controller v350... Found[/TD]
[/TR]
[TR]
[TD]Spi(cs1) ID: 0xC2 0x20 0x18 0xC2 0x20 0x18[/TD]
[/TR]
[TR]
[TD]Spi(cs1): Block:64KB Chip:16MB Name:"MX25L128XX"[/TD]
[/TR]
[TR]
[TD]In:    serial[/TD]
[/TR]
[TR]
[TD]Out:   serial[/TD]
[/TR]
[TR]
[TD]Err:   serial[/TD]
[/TR]
[TR]
[TD][/TD]
[/TR]
[TR]
[TD]Hit any key to stop autoboot:  0[/TD]
[/TR]
[TR]
[TD][/TD]
[/TR]
[TR]
[TD]16384 KiB hi_sfc at 0:0 is now current device[/TD]
[/TR]
[TR]
[TD]## Booting kernel from Legacy Image at 82000000 ...[/TD]
[/TR]
[TR]
[TD]   Image Name:   Linux-3.0.8[/TD]
[/TR]
[TR]
[TD]   Image Type:   ARM Linux Kernel Image (uncompressed)[/TD]
[/TR]
[TR]
[TD]   Data Size:    2521708 Bytes = 2.4 MiB[/TD]
[/TR]
[TR]
[TD]   Load Address: 80008000[/TD]
[/TR]
[TR]
[TD]   Entry Point:  80008000[/TD]
[/TR]
[TR]
[TD]   Loading Kernel Image ... OK[/TD]
[/TR]
[TR]
[TD]OK[/TD]
[/TR]
[TR]
[TD][/TD]
[/TR]
[TR]
[TD]Starting kernel ...[/TD]
[/TR]
[TR]
[TD]Uncompressing Linux... done, booting the kernel.[/TD]
[/TR]
[TR]
[TD][/TD]
[/TR]
[TR]
[TD]Linux version 3.0.8 (root@localhost.localdomain) (gcc version 4.4.1 (Hisilicon_v100(gcc4.4-290+uclibc_0.9.32.1+eabi+linuxpthread)) ) #3 Fri May 23 17:16:42 HKT 2014[/TD]
[/TR]
[TR]
[TD][/TD]
[/TR]
[TR]
[TD]CPU: ARM926EJ-S [41069265] revision 5 (ARMv5TEJ), cr=00053177[/TD]
[/TR]
[TR]
[TD]CPU: VIVT data cache, VIVT instruction cache[/TD]
[/TR]
[TR]
[TD]Machine: hi3518[/TD]
[/TR]
[TR]
[TD]Memory policy: ECC disabled, Data cache writeback[/TD]
[/TR]
[TR]
[TD]AXI bus clock 220000000.[/TD]
[/TR]
[TR]
[TD]Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 40640[/TD]
[/TR]
[TR]
[TD][/TD]
[/TR]
[TR]
[TD]Kernel command line: mem=160M console=ttyAMA0,115200 root=/dev/mtdblock2 rootfstype=jffs2 mtdparts=hi_sfc:512K(boot),2560K(kernel),13M(rootfs)[/TD]
[/TR]
[TR]
[TD][/TD]
[/TR]
[TR]
[TD]PID hash table entries: 1024 (order: 0, 4096 bytes)[/TD]
[/TR]
[TR]
[TD]Dentry cache hash table entries: 32768 (order: 5, 131072 bytes)[/TD]
[/TR]
[TR]
[TD]Inode-cache hash table entries: 16384 (order: 4, 65536 bytes)[/TD]
[/TR]
[TR]
[TD]Memory: 160MB = 160MB total[/TD]
[/TR]
[TR]
[TD]Memory: 157592k/157592k available, 6248k reserved, 0K highmem[/TD]
[/TR]
[TR]
[TD]Virtual kernel memory layout:[/TD]
[/TR]
[TR]
[TD]    vector  : 0xffff0000 - 0xffff1000   (   4 kB)[/TD]
[/TR]
[TR]
[TD]    fixmap  : 0xfff00000 - 0xfffe0000   ( 896 kB)[/TD]
[/TR]
[TR]
[TD]    DMA     : 0xffc00000 - 0xffe00000   (   2 MB)[/TD]
[/TR]
[TR]
[TD]    vmalloc : 0xca800000 - 0xfe000000   ( 824 MB)[/TD]
[/TR]
[TR]
[TD]    lowmem  : 0xc0000000 - 0xca000000   ( 160 MB)[/TD]
[/TR]
[TR]
[TD]    modules : 0xbf000000 - 0xc0000000   (  16 MB)[/TD]
[/TR]
[TR]
[TD]      .init : 0xc0008000 - 0xc0021000   ( 100 kB)[/TD]
[/TR]
[TR]
[TD]      .text : 0xc0021000 - 0xc046d000   (4400 kB)[/TD]
[/TR]
[TR]
[TD]      .data : 0xc046e000 - 0xc048bd40   ( 120 kB)[/TD]
[/TR]
[TR]
[TD]       .bss : 0xc048bd64 - 0xc049eeb0   (  77 kB)[/TD]
[/TR]
[TR]
[TD][/TD]
[/TR]
[TR]
[TD]SLUB: Genslabs=13, HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1[/TD]
[/TR]
[TR]
[TD]NR_IRQS:32 nr_irqs:32 32[/TD]
[/TR]
[TR]
[TD]sched_clock: 32 bits at 110MHz, resolution 9ns, wraps every 39045ms[/TD]
[/TR]
[TR]
[TD]Console: colour dummy device 80x30[/TD]
[/TR]
[TR]
[TD]Calibrating delay loop... 218.72 BogoMIPS (lpj=1093632)[/TD]
[/TR]
[TR]
[TD]pid_max: default: 32768 minimum: 301[/TD]
[/TR]
[TR]
[TD]Mount-cache hash table entries: 512[/TD]
[/TR]
[TR]
[TD]CPU: Testing write buffer coherency: ok[/TD]
[/TR]
[TR]
[TD]NET: Registered protocol family 16[/TD]
[/TR]
[TR]
[TD]Serial: AMBA PL011 UART driver[/TD]
[/TR]
[TR]
[TD]uart:0: ttyAMA0 at MMIO 0x20080000 (irq = 5) is a PL011 rev2[/TD]
[/TR]
[TR]
[TD]console [ttyAMA0] enabled[/TD]
[/TR]
[TR]
[TD]uart:1: ttyAMA1 at MMIO 0x20090000 (irq = 5) is a PL011 rev2[/TD]
[/TR]
[TR]
[TD]bio: create slab <bio-0> at 0[/TD]
[/TR]
[TR]
[TD]usbcore: registered new interface driver usbfs[/TD]
[/TR]
[TR]
[TD]usbcore: registered new interface driver hub[/TD]
[/TR]
[TR]
[TD]usbcore: registered new device driver usb[/TD]
[/TR]
[TR]
[TD]cfg80211: Calling CRDA to update world regulatory domain[/TD]
[/TR]
[TR]
[TD]Switching to clocksource timer1[/TD]
[/TR]
[TR]
[TD]NET: Registered protocol family 2[/TD]
[/TR]
[TR]
[TD]IP route cache hash table entries: 2048 (order: 1, 8192 bytes)[/TD]
[/TR]
[TR]
[TD]TCP established hash table entries: 8192 (order: 4, 65536 bytes)[/TD]
[/TR]
[TR]
[TD]TCP bind hash table entries: 8192 (order: 3, 32768 bytes)[/TD]
[/TR]
[TR]
[TD]TCP: Hash tables configured (established 8192 bind 8192)[/TD]
[/TR]
[TR]
[TD]TCP reno registered[/TD]
[/TR]
[TR]
[TD]UDP hash table entries: 256 (order: 0, 4096 bytes)[/TD]
[/TR]
[TR]
[TD]UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)[/TD]
[/TR]
[TR]
[TD]NET: Registered protocol family 1[/TD]
[/TR]
[TR]
[TD]RPC: Registered named UNIX socket transport module.[/TD]
[/TR]
[TR]
[TD]RPC: Registered udp transport module.[/TD]
[/TR]
[TR]
[TD]RPC: Registered tcp transport module.[/TD]
[/TR]
[TR]
[TD]RPC: Registered tcp NFSv4.1 backchannel transport module.[/TD]
[/TR]
[TR]
[TD]JFFS2 version 2.2. (NAND) © 2001-2006 Red Hat, Inc.[/TD]
[/TR]
[TR]
[TD]fuse init (API version 7.16)[/TD]
[/TR]
[TR]
[TD]msgmni has been set to 307[/TD]
[/TR]
[TR]
[TD]Block layer SCSI generic (bsg) driver version 0.4 loaded (major 253)[/TD]
[/TR]
[TR]
[TD]io scheduler noop registered[/TD]
[/TR]
[TR]
[TD]io scheduler deadline registered (default)[/TD]
[/TR]
[TR]
[TD]io scheduler cfq registered[/TD]
[/TR]
[TR]
[TD]Spi id table Version 1.22[/TD]
[/TR]
[TR]
[TD]Spi(cs1) ID: 0xC2 0x20 0x18 0xC2 0x20 0x18[/TD]
[/TR]
[TR]
[TD]SPI FLASH start_up_mode is 3 Bytes[/TD]
[/TR]
[TR]
[TD]Spi(cs1):[/TD]
[/TR]
[TR]
[TD]Block:64KB[/TD]
[/TR]
[TR]
[TD]Chip:16MB[/TD]
[/TR]
[TR]
[TD]Name:"MX25L128XX"[/TD]
[/TR]
[TR]
[TD]spi size: 16MB[/TD]
[/TR]
[TR]
[TD]chip num: 1[/TD]
[/TR]
[TR]
[TD]3 cmdlinepart partitions found on MTD device hi_sfc[/TD]
[/TR]
[TR]
[TD]Creating 3 MTD partitions on "hi_sfc":[/TD]
[/TR]
[TR]
[TD]0x000000000000-0x000000080000 : "boot"[/TD]
[/TR]
[TR]
[TD]0x000000080000-0x000000300000 : "kernel"[/TD]
[/TR]
[TR]
[TD]0x000000300000-0x000001000000 : "rootfs"[/TD]
[/TR]
[TR]
[TD]Fixed MDIO Bus: probed[/TD]
[/TR]
[TR]
[TD]himii: probed[/TD]
[/TR]
[TR]
[TD]ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver[/TD]
[/TR]
[TR]
[TD]hiusb-ehci hiusb-ehci.0: HIUSB EHCI[/TD]
[/TR]
[TR]
[TD]hiusb-ehci hiusb-ehci.0: new USB bus registered, assigned bus number 1[/TD]
[/TR]
[TR]
[TD]hiusb-ehci hiusb-ehci.0: irq 15, io mem 0x100b0000[/TD]
[/TR]
[TR]
[TD]hiusb-ehci hiusb-ehci.0: USB 0.0 started, EHCI 1.00[/TD]
[/TR]
[TR]
[TD]hub 1-0:1.0: USB hub found[/TD]
[/TR]
[TR]
[TD]hub 1-0:1.0: 1 port detected[/TD]
[/TR]
[TR]
[TD]ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver[/TD]
[/TR]
[TR]
[TD]hiusb-ohci hiusb-ohci.0: HIUSB OHCI[/TD]
[/TR]
[TR]
[TD]hiusb-ohci hiusb-ohci.0: new USB bus registered, assigned bus number 2[/TD]
[/TR]
[TR]
[TD]hiusb-ohci hiusb-ohci.0: irq 16, io mem 0x100a0000[/TD]
[/TR]
[TR]
[TD]hub 2-0:1.0: USB hub found[/TD]
[/TR]
[TR]
[TD]hub 2-0:1.0: 1 port detected[/TD]
[/TR]
[TR]
[TD]usbcore: registered new interface driver usbhid[/TD]
[/TR]
[TR]
[TD]usbhid: USB HID core driver[/TD]
[/TR]
[TR]
[TD]TCP cubic registered[/TD]
[/TR]
[TR]
[TD]Initializing XFRM netlink socket[/TD]
[/TR]
[TR]
[TD]NET: Registered protocol family 10[/TD]
[/TR]
[TR]
[TD]NET: Registered protocol family 17[/TD]
[/TR]
[TR]
[TD]NET: Registered protocol family 15[/TD]
[/TR]
[TR]
[TD]lib80211: common routines for IEEE802.11 drivers[/TD]
[/TR]
[TR]
[TD]Registering the dns_resolver key type[/TD]
[/TR]
[TR]
[TD]registered taskstats version 1[/TD]
[/TR]
[TR]
[TD]drivers/rtc/hctosys.c: unable to open rtc device (rtc0)[/TD]
[/TR]
[TR]
[TD]mmc0: new SDHC card at address 0001[/TD]
[/TR]
[TR]
[TD]mmcblk0: mmc0:0001 2B16 14.5 GiB[/TD]
[/TR]
[TR]
[TD]mmcblk0: p1[/TD]
[/TR]
[TR]
[TD]usb 1-1: new high speed USB device number 2 using hiusb-ehci[/TD]
[/TR]
[TR]
[TD]VFS: Mounted root (jffs2 filesystem) on device 31:2.[/TD]
[/TR]
[TR]
[TD]Freeing init memory: 100K[/TD]
[/TR]
[TR]
[TD]            _ _ _ _ _ _ _ _ _ _ _ _[/TD]
[/TR]
[TR]
[TD]            \  _  _   _  _ _ ___[/TD]
[/TR]
[TR]
[TD]            / /__/ \ |_/[/TD]
[/TR]
[TR]
[TD]           / __   /  -  _ ___[/TD]
[/TR]
[TR]
[TD]          / /  / /  / /[/TD]
[/TR]
[TR]
[TD]  _ _ _ _/ /  /  \_/  \_ ______[/TD]
[/TR]
[TR]
[TD]___________\___\__________________[/TD]
[/TR]
[TR]
[TD][/TD]
[/TR]
[TR]
[TD][RCS]: /etc/init.d/S00devs[/TD]
[/TR]
[TR]
[TD][RCS]: /etc/init.d/S01udev[/TD]
[/TR]
[TR]
[TD]udevd (401): /proc/401/oom_adj is deprecated, please use /proc/401/oom_score_adj instead.[/TD]
[/TR]
[TR]
[TD][RCS]: /etc/init.d/S80network[/TD]
[/TR]
[TR]
[TD]ADDRCONF(NETDEV_UP): eth0: link is not ready[/TD]
[/TR]
[TR]
[TD]dosfsck 3.0.0, 28 Sep 2008, FAT32, LFN[/TD]
[/TR]
[TR]
[TD](none) login: /dev/mmcblk0p1: 2 files, 3/477192 clusters[/TD]
[/TR]
[TR]
[TD]Check sd card OK![/TD]
[/TR]
[TR]
[TD]sd[/TD]
[/TR]
[TR]
[TD]sd[/TD]
[/TR]
[TR]
[TD]/lib/libxqun.so[/TD]
[/TR]
[TR]
[TD]/lib/libXqAPILib.so[/TD]
[/TR]
[TR]
[TD]/lib/libNetLib.so[/TD]
[/TR]
[TR]
[TD]sinit driver init successful![/TD]
[/TR]
[TR]
[TD]mt7601Usta: module license 'unspecified' taints kernel.[/TD]
[/TR]
[TR]
[TD]Disabling lock debugging due to kernel taint[/TD]
[/TR]
[TR]
[TD]rtusb init rtusbSTA --->[/TD]
[/TR]
[TR]
[TD]=== pAd = caab4000, size = 899480 ===[/TD]
[/TR]
[TR]
[TD]<-- RTMPAllocTxRxRingMemory, Status=0[/TD]
[/TR]
[TR]
[TD]<-- RTMPAllocAdapterBlock, Status=0[/TD]
[/TR]
[TR]
[TD]RTMP_COM_IoctlHandle():pAd->BulkOutEpAddr=0x8[/TD]
[/TR]
[TR]
[TD]RTMP_COM_IoctlHandle():pAd->BulkOutEpAddr=0x4[/TD]
[/TR]
[TR]
[TD]RTMP_COM_IoctlHandle():pAd->BulkOutEpAddr=0x5[/TD]
[/TR]
[TR]
[TD]RTMP_COM_IoctlHandle():pAd->BulkOutEpAddr=0x6[/TD]
[/TR]
[TR]
[TD]RTMP_COM_IoctlHandle():pAd->BulkOutEpAddr=0x7[/TD]
[/TR]
[TR]
[TD]RTMP_COM_IoctlHandle():pAd->BulkOutEpAddr=0x9[/TD]
[/TR]
[TR]
[TD]NVM is EFUSE[/TD]
[/TR]
[TR]
[TD]Endpoint(8) is for In-band Command[/TD]
[/TR]
[TR]
[TD]Endpoint(4) is for WMM0 AC0[/TD]
[/TR]
[TR]
[TD]Endpoint(5) is for WMM0 AC1[/TD]
[/TR]
[TR]
[TD]Endpoint(6) is for WMM0 AC2[/TD]
[/TR]
[TR]
[TD]Endpoint(7) is for WMM0 AC3[/TD]
[/TR]
[TR]
[TD]Endpoint(9) is for WMM1 AC0[/TD]
[/TR]
[TR]
[TD]Endpoint(84) is for Data-In[/TD]
[/TR]
[TR]
[TD]Endpoint(85) is for Command Rsp[/TD]
[/TR]
[TR]
[TD]usbcore: registered new interface driver rtusbSTA[/TD]
[/TR]
[TR]
[TD]extalarm driver init successful  ![/TD]
[/TR]
[TR]
[TD]Hisilicon Watchdog Timer: 0.01 initialized. default_margin=60 sec (nowayout= 0, nodeamon= 0)[/TD]
[/TR]
[TR]
[TD]encript driver init successful![/TD]
[/TR]
[TR]
[TD]relay driver init successful![/TD]
[/TR]
[TR]
[TD]reset driver init successful![/TD]
[/TR]
[TR]
[TD]rled driver init successful![/TD]
[/TR]
[TR]
[TD]ircut driver init successful![/TD]
[/TR]
[TR]
[TD]saradc driver init successful![/TD]
[/TR]
[TR]
[TD]wifikey driver init successful![/TD]
[/TR]
[TR]
[TD]light driver init successful  ![/TD]
[/TR]
[TR]
[TD]audioin driver init successful![/TD]
[/TR]
[TR]
[TD]rs485 driver init successful![/TD]
[/TR]
[TR]
[TD]Hisilicon Media Memory Zone Manager[/TD]
[/TR]
[TR]
[TD]Hisilicon UMAP device driver interface: v3.00[/TD]
[/TR]
[TR]
[TD]pa:8b400000, va:cac40000[/TD]
[/TR]
[TR]
[TD]load sys.ko for Hi3518...OK![/TD]
[/TR]
[TR]
[TD]load viu.ko for Hi3518...OK![/TD]
[/TR]
[TR]
[TD]ISP Mod init![/TD]
[/TR]
[TR]
[TD]load vpss.ko ....OK![/TD]
[/TR]
[TR]
[TD]load venc.ko for Hi3518...OK![/TD]
[/TR]
[TR]
[TD]load group.ko for Hi3518...OK![/TD]
[/TR]
[TR]
[TD]load chnl.ko for Hi3518...OK![/TD]
[/TR]
[TR]
[TD]load h264e.ko for Hi3518...OK![/TD]
[/TR]
[TR]
[TD]load jpege.ko for Hi3518...OK![/TD]
[/TR]
[TR]
[TD]load rc.ko for Hi3518...OK![/TD]
[/TR]
[TR]
[TD]load region.ko ....OK![/TD]
[/TR]
[TR]
[TD]load vda.ko ....OK![/TD]
[/TR]
[TR]
[TD]hi_i2c init is ok![/TD]
[/TR]
[TR]
[TD]Kernel: ssp initial ok![/TD]
[/TR]
[TR]
[TD]Kernel: ssp initial ok![/TD]
[/TR]
[TR]
[TD]acodec inited![/TD]
[/TR]
[TR]
[TD]insert audio[/TD]
[/TR]
[TR]
[TD]==== Your input Sensor type is ov2710 ====[/TD]
[/TR]
[TR]
[TD]Archive:  /mnt/mtd/ipc/ipc_server[/TD]
[/TR]
[TR]
[TD]  inflating: ipc_server[/TD]
[/TR]
[TR]
[TD]Archive:  /mnt/mtd/ipc/onvif[/TD]
[/TR]
[TR]
[TD]  inflating: onvif[/TD]
[/TR]
[TR]
[TD]1. LDO_CTR0(6c) = a64799, PMU_OCLEVEL 6[/TD]
[/TR]
[TR]
[TD]2. LDO_CTR0(6c) = a6478d, PMU_OCLEVEL 6[/TD]
[/TR]
[TR]
[TD]FW Version:0.1.00 Build:7640[/TD]
[/TR]
[TR]
[TD]Build Time:201308222153____[/TD]
[/TR]
[TR]
[TD]ILM Length = 47000(bytes)[/TD]
[/TR]
[TR]
[TD]DLM Length = 0(bytes)[/TD]
[/TR]
[TR]
[TD]Loading FW....[/TD]
[/TR]
[TR]
[TD]#[/TD]
[/TR]
[TR]
[TD]RTMP_TimerListAdd: add timer obj cab3e1ac![/TD]
[/TR]
[TR]
[TD]RTMP_TimerListAdd: add timer obj cab3e1c4![/TD]
[/TR]
[TR]
[TD]RTMP_TimerListAdd: add timer obj cab3e1dc![/TD]
[/TR]
[TR]
[TD]RTMP_TimerListAdd: add timer obj cab3e194![/TD]
[/TR]
[TR]
[TD]RTMP_TimerListAdd: add timer obj cab3e14c![/TD]
[/TR]
[TR]
[TD]RTMP_TimerListAdd: add timer obj cab3e164![/TD]
[/TR]
[TR]
[TD]RTMP_TimerListAdd: add timer obj caad2fe4![/TD]
[/TR]
[TR]
[TD]RTMP_TimerListAdd: add timer obj caab61e0![/TD]
[/TR]
[TR]
[TD]RTMP_TimerListAdd: add timer obj caab61fc![/TD]
[/TR]
[TR]
[TD]RTMP_TimerListAdd: add timer obj caad303c![/TD]
[/TR]
[TR]
[TD]RTMP_TimerListAdd: add timer obj caab8bb4![/TD]
[/TR]
[TR]
[TD]RTMP_TimerListAdd: add timer obj caab8264![/TD]
[/TR]
[TR]
[TD]RTMP_TimerListAdd: add timer obj caab8b98![/TD]
[/TR]
[TR]
[TD]RTMP_TimerListAdd: add timer obj caab8dd8![/TD]
[/TR]
[TR]
[TD]RTMP_TimerListAdd: add timer obj caab8bd0![/TD]
[/TR]
[TR]
[TD]RTMP_TimerListAdd: add timer obj caab8bec![/TD]
[/TR]
[TR]
[TD]RTMP_TimerListAdd: add timer obj caab8c08![/TD]
[/TR]
[TR]
[TD]RTMP_TimerListAdd: add timer obj caad2fb4![/TD]
[/TR]
[TR]
[TD]RTMP_TimerListAdd: add timer obj caad3024![/TD]
[/TR]
[TR]
[TD]RTMP_TimerListAdd: add timer obj caab8e08![/TD]
[/TR]
[TR]
[TD]RTMP_TimerListAdd: add timer obj caab8e20![/TD]
[/TR]
[TR]
[TD]RTMP_TimerListAdd: add timer obj caab8e38![/TD]
[/TR]
[TR]
[TD]RTMP_TimerListAdd: add timer obj caab8e50![/TD]
[/TR]
[TR]
[TD]cfg_mode=9[/TD]
[/TR]
[TR]
[TD]wmode_band_equal(): Band Equal![/TD]
[/TR]
[TR]
[TD]Key1Str is Invalid key length(0) or Type(0)[/TD]
[/TR]
[TR]
[TD]Key2Str is Invalid key length(0) or Type(0)[/TD]
[/TR]
[TR]
[TD]Key3Str is Invalid key length(0) or Type(0)[/TD]
[/TR]
[TR]
[TD]Key4Str is Invalid key length(0) or Type(0)[/TD]
[/TR]
[TR]
[TD]1. Phy Mode = 14[/TD]
[/TR]
[TR]
[TD]2. Phy Mode = 14[/TD]
[/TR]
[TR]
[TD]NVM is Efuse and its size =1d[1e0-1fc][/TD]
[/TR]
[TR]
[TD]3. Phy Mode = 14[/TD]
[/TR]
[TR]
[TD]AntCfgInit: primary/secondary ant 0/1[/TD]
[/TR]
[TR]
[TD]---> InitFrequencyCalibration[/TD]
[/TR]
[TR]
[TD]InitFrequencyCalibrationMode:Unknow mode = 3[/TD]
[/TR]
[TR]
[TD]InitFrequencyCalibration: frequency offset in the EEPROM = 120(0x78)[/TD]
[/TR]
[TR]
[TD]<--- InitFrequencyCalibration[/TD]
[/TR]
[TR]
[TD]RTMPSetPhyMode: channel is out of range, use first channel=1[/TD]
[/TR]
[TR]
[TD]MCS Set = ff 00 00 00 00[/TD]
[/TR]
[TR]
[TD]<==== rt28xx_init, Status=0[/TD]
[/TR]
[TR]
[TD]0x1300 = 00064300[/TD]
[/TR]
[TR]
[TD]RTMPDrvOpen(1):Check if PDMA is idle![/TD]
[/TR]
[TR]
[TD]RTMPDrvOpen(2):Check if PDMA is idle![/TD]
[/TR]
[TR]
[TD]motor driver init successful![/TD]
[/TR]
[TR]
[TD]ADDRCONF(NETDEV_UP): eth0: link is not ready[/TD]
[/TR]
[TR]
[TD]BusyBox v1.16.1 (2013-09-09 21:19:37 HKT) multi-call binary.[/TD]
[/TR]
[TR]
[TD]Usage: route [{add|del|delete}][/TD]
[/TR]
[TR]
[TD]Edit kernel routing tables[/TD]
[/TR]
[TR]
[TD]Options:[/TD]
[/TR]
[TR]
[TD]        -n      Don't resolve names[/TD]
[/TR]
[TR]
[TD]        -e      Display other/more information[/TD]
[/TR]
[TR]
[TD]        -A inet Select address family[/TD]
[/TR]
[TR]
[TD][/TD]
[/TR]
[TR]
[TD]Warning: Driver for device ra0 has been compiled with version 22[/TD]
[/TR]
[TR]
[TD]of Wireless Extension, while this program supports up to version 20.[/TD]
[/TR]
[TR]
[TD]Some things may be broken...[/TD]
[/TR]
[TR]
[TD]1[/TD]
[/TR]
[TR]
[TD]2[/TD]
[/TR]
[TR]
[TD][/TD]
[/TR]
[TR]
[TD] RTC time 2021-03-03 16:43:24[/TD]
[/TR]
[TR]
[TD]Set system time as date -s 2021.03.03-16:43:24[/TD]
[/TR]
[TR]
[TD]Wed Mar  3 16:43:24 STD 2021[/TD]
[/TR]
[TR]
[TD]umount: can't forcibly umount /mnt/mtd/ipc/tmpfs/sd: Invalid argument[/TD]
[/TR]
[TR]
[TD]PeerBeaconAtJoinAction(): HT-CtrlChannel=1, CentralChannel=>3[/TD]
[/TR]
[TR]
[TD]killall: gerddns: no process killed[/TD]
[/TR]
[TR]
[TD]RTMP_TimerListAdd: add timer obj cab8a5e0![/TD]
[/TR]
[TR]
[TD]killall: upnp_map: no process killed[/TD]
[/TR]
[TR]
[TD]killall: arping: no process killed[/TD]
[/TR]
[TR]
[TD]killall: upnp_map: no process killed[/TD]
[/TR]
[TR]
[TD]killall: ddns_update: no process killed[/TD]
[/TR]
[TR]
[TD]workthread: log init succeed.[/TD]
[/TR]
[TR]
[TD]workthread: timer init succeed.[/TD]
[/TR]
[TR]
[TD]libs_initnettype(WiFi): succeed.[/TD]
[/TR]
[TR]
[TD]timer: proc start.[/TD]
[/TR]
[TR]
[TD]macaddr: XX:XX:XX:XX:XX:XX[/TD]
[/TR]
[TR]
[TD]macflag: 1[/TD]
[/TR]
[TR]
[TD]videocomm(0): 9(9) 1920 1080[/TD]
[/TR]
[TR]
[TD]videocomm(1): 7(7) 640 352[/TD]
[/TR]
[TR]
[TD]videocomm(2): 8(8) 320 176[/TD]
[/TR]
[TR]
[TD]TimeZone: 8[/TD]
[/TR]
[TR]
[TD]workthread: init ini succeed.[/TD]
[/TR]
[TR]
[TD]workthread: ntpsvr init succeed.[/TD]
[/TR]
[TR]
[TD]workthread: timerreboot init succeed.[/TD]
[/TR]
[TR]
[TD]ptz type: motor[/TD]
[/TR]
[TR]
[TD]ptz[rs485]: goto preset(1)...[/TD]
[/TR]
[TR]
[TD]workthread: ptz init succeed.[/TD]
[/TR]
[TR]
[TD]HI_Media_SDKInit: efreq=60,maxchn=3,resolution=41,maxresolution=9,maxwidth=1920,maxheight=1080[/TD]
[/TR]
[TR]
[TD]timerreboot: enable=0, day=1, time=00:00:00[/TD]
[/TR]
[TR]
[TD]ntp: enable=1, svr=time.nist.gov, interval=1[/TD]
[/TR]
[TR]
[TD]Rcv Wcid(1) AddBAReq[/TD]
[/TR]
[TR]
[TD]Start Seq = 00000000[/TD]
[/TR]
[TR]
[TD]RTMP_TimerListAdd: add timer obj cab8b9f4![/TD]
[/TR]
[TR]
[TD]-------------ov2710 720p 30fps  init start![/TD]
[/TR]
[TR]
[TD] -----------------------------ov2710 720p 30fps  init ok![/TD]
[/TR]
[TR]
[TD] ----------------timesvr: get svrtime(1) succeed.[/TD]
[/TR]
[TR]
[TD]timesvr: svrtime: 1614819760[/TD]
[/TR]
[TR]
[TD]ntp: update succeed, utc_time=1614819760[/TD]
[/TR]
[TR]
[TD]ntp: update succeed, local_time=2021-03-03 17:02:40[/TD]
[/TR]
[TR]
[TD]ntp: start time rewrite succeed.[/TD]
[/TR]
[TR]
[TD]setrtctime: succeed(2021-03-03 17:02:40).[/TD]
[/TR]
[TR]
[TD]HI_Media_SDKInit: sensor: 81[/TD]
[/TR]
[TR]
[TD]HI_Media_SDKInit: display mode: blackwhite[/TD]
[/TR]
[TR]
[TD]extalarm: off open[/TD]
[/TR]
[TR]
[TD]color(ini): f=0xffffff, b=0x000000, trans=64[/TD]
[/TR]
[TR]
[TD]ldc: enable=0, ratio=0, xoffset=0, yoffset=0[/TD]
[/TR]
[TR]
[TD]initaudio: inputtype=1, input=80, output=95, aec=0[/TD]
[/TR]
[TR]
[TD]encode(chn=0): profile=1,resolution=9,cbr=0,bitrate=6144,frame=25,iframe=50,quality=0,minq=23,maxq=38[/TD]
[/TR]
[TR]
[TD]encode(chn=0): audioenable=0, audiotype=1[/TD]
[/TR]
[TR]
[TD]encode(chn=1): profile=1,resolution=7,cbr=0,bitrate=1024,frame=25,iframe=50,quality=0,minq=23,maxq=38[/TD]
[/TR]
[TR]
[TD]encode(chn=1): audioenable=0, audiotype=1[/TD]
[/TR]
[TR]
[TD]encode(chn=2): profile=1,resolution=8,cbr=0,bitrate=256,frame=25,iframe=50,quality=0,minq=23,maxq=38[/TD]
[/TR]
[TR]
[TD]encode(chn=2): audioenable=0, audiotype=1[/TD]
[/TR]
[TR]
[TD]OSD(area=0): show=1, pos=0, format=0, x=1616, y=0, str=YYYY-MM-DD hh:mm:ss[/TD]
[/TR]
[TR]
[TD]OSD(area=1): show=1, pos=0, format=0, x=0, y=0, str=IP Camera[/TD]
[/TR]
[TR]
[TD]audio: denoise=1[/TD]
[/TR]
[TR]
[TD]audiovol: 1 80 95[/TD]
[/TR]
[TR]
[TD]audioalarm: off 85[/TD]
[/TR]
[TR]
[TD]HI_Media_SDKInit: HI_SDK_StartEncode(chn=0) succeed.[/TD]
[/TR]
[TR]
[TD]HI_Media_SDKInit: HI_SDK_StartEncode(chn=1) succeed.[/TD]
[/TR]
[TR]
[TD]HI_Media_SDKInit: HI_SDK_StartEncode(chn=2) succeed.[/TD]
[/TR]
[TR]
[TD]sdkmgr: init succeed, max channel=3[/TD]
[/TR]
[TR]
[TD]HI_Media_LiveStreamInit: alarmsound: enable=0, dalaytime=5[/TD]
[/TR]
[TR]
[TD]HI_Record_Stop[/TD]
[/TR]
[TR]
[TD]SPS[2]=Z00AFJWoUF5A[/TD]
[/TR]
[TR]
[TD]PPS[2]=aO48gA==[/TD]
[/TR]
[TR]
[TD]SPS[1]=Z00AHpWoKAtk[/TD]
[/TR]
[TR]
[TD]PPS[1]=aO48gA==[/TD]
[/TR]
[TR]
[TD]SPS[0]=Z00AKpWoHgCJ+VA=[/TD]
[/TR]
[TR]
[TD]PPS[0]=aO48gA==[/TD]
[/TR]
[TR]
[TD]sdkmgr: build sps/pps succeed.[/TD]
[/TR]
[TR]
[TD]HI_Media_RecInit: HI_Record_Start(chn=1) succeed.[/TD]
[/TR]
[TR]
[TD]HI_Websvr_Init: init media succeed.[/TD]
[/TR]
[TR]
[TD]HI_Websvr_Init: PBServer start.[/TD]
[/TR]
[TR]
[TD]HI_Websvr_Init: httpport=80, snapchn=2[/TD]
[/TR]
[TR]
[TD]R:/mnt/mtd/ipc/tmpfs/sd/20210303/record000/(0)[/TD]
[/TR]
[TR]
[TD]S:/mnt/mtd/ipc/tmpfs/sd/20210303/images000/(0)[/TD]
[/TR]
[TR]
[TD]ircut: c2b_value=950, b2c_value=900[/TD]
[/TR]
[TR]
[TD]ircut: switch, imagetype=1.[/TD]
[/TR]
[TR]
[TD]rled: close.[/TD]
[/TR]
[TR]
[TD]ircut: switch, imagetype=0.[/TD]
[/TR]
[TR]
[TD]rled: open.[/TD]
[/TR]
[TR]
[TD]workthread: ircut init succeed.[/TD]
[/TR]
[TR]
[TD]rled: auto.[/TD]
[/TR]
[TR]
[TD]workthread: infrared init succeed.[/TD]
[/TR]
[TR]
[TD]HI_Reset_Init: smart: enable=0[/TD]
[/TR]
[TR]
[TD]HI_Reset_Init: light: enable=1[/TD]
[/TR]
[TR]
[TD]HI_Reset_Init: apmode: status=0[/TD]
[/TR]
[TR]
[TD]workthread: reset init succeed.[/TD]
[/TR]
[TR]
[TD]workthread: wifikey init succeed.[/TD]
[/TR]
[TR]
[TD]workthread: netdetect init succeed.[/TD]
[/TR]
[TR]
[TD]ios_init: enable=0, interval=60[/TD]
[/TR]
[TR]
[TD]workthread: ios init succeed.[/TD]
[/TR]
[TR]
[TD]workthread: search start.[/TD]
[/TR]
[TR]
[TD]p2p: xqun disable.[/TD]
[/TR]
[TR]
[TD]workthread: p2p start.[/TD]
[/TR]
[TR]
[TD]netdetect: WiFi (Enable).[/TD]
[/TR]
[TR]
[TD]netdetect: netflag(WiFi).[/TD]
[/TR]
[TR]
[TD]workthread: wdt init succeed.[/TD]
[/TR]
[TR]
[TD]p2p: xqun disable.[/TD]
[/TR]
[TR]
[TD]workthrRTMP_TimerListAdd: add timer obj cab8a608![/TD]
[/TR]
[TR]
[TD]ead: p2p start.[/TD]
[/TR]
[TR]
[TD]workthread: wdt init succeed.[/TD]
[/TR]
[TR]
[TD]wdt: default timeout: 60 sec.[/TD]
[/TR]
[TR]
[TD]wdt: default timeout: 5 sec.[/TD]
[/TR]
[TR]
[TD]===================================================[/TD]
[/TR]
[TR]
[TD]ipc_server RTMP_TimerListAdd: add timer obj cab8a608![/TD]
[/TR]
[TR]
[TD]start  : 2021-03-03 17:02:42[/TD]
[/TR]
[TR]
[TD]ipc_server version: V6.6.11.1.1-20171212[/TD]
[/TR]
[TR]
[TD]===================================================[/TD]
[/TR]
[TR]
[TD]wdt: default timeout: 60 sec.[/TD]
[/TR]
[TR]
[TD]wdt: default timeout: 5 sec.[/TD]
[/TR]
[TR]
[TD]ircut: switch(color) on.[/TD]
[/TR]
[TR]
[TD]ircut: switch, imagetype=1.[/TD]
[/TR]
[TR]
[TD]rled: close.[/TD]
[/TR]
[TR]
[TD]ircut: display switch(blackwhite -> color).[/TD]
[/TR]
[TR]
[TD]ircut: switch status off.[/TD]
[/TR]
[TR]
[TD]sh: 1: unknown operand[/TD]
[/TR]
[TR]
[TD]onvif: TZ: STD+8:0:0[/TD]
[/TR]
[TR]
[TD]onvif: TZInterval: -28800[/TD]
[/TR]
[TR]
[TD]onvif: login dev success! handle=28045320[/TD]
[/TR]
[TR]
[TD]onvif: login dev success! handle[alarm]=28047640[/TD]
[/TR]
[TR]
[TD]++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++[/TD]
[/TR]
[TR]
[TD]HI_Media_LiveStreamRegisterMediaLink: cntindex=0,onlinenum=0[/TD]
[/TR]
[TR]
[TD]onvif: start stream succeed(ret=0x0)! handle(alarm)=28047640[/TD]
[/TR]
[TR]
[TD]HI_Media_LiveStreamParseStream: cntindex=0,sock=56,avchn=0,mediatype=4[/TD]
[/TR]
[TR]
[TD]SendMediaDataThread(entry): cntindex=0,avchn=0,af=1,sock=56,rbhandle=24927784[/TD]
[/TR]
[TR]
[TD]onvif: devmgmt_proc ok.[/TD]
[/TR]
[TR]
[TD]onvif: V2.04-20170421[/TD]
[/TR]
[TR]
[TD]onvif: start: 2021-03-03 17:02:55[/TD]
[/TR]
[TR]
[TD]onvif: searcher svr monitor start.[/TD]
[/TR]
[TR]
[TD]onvif: timg: productid=##############[/TD]
[/TR]
[TR]
[TD]onvif: searcher svr start.[/TD]
[/TR]
[TR]
[TD]motor: selfdet stop.[/TD]
[/TR]
[TR]
[TD]motor: preset stop.[/TD]
[/TR]
[/TABLE]
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,930
Reaction score
6,778
Location
Scotland
even if I were able to stop the uboot process (uboot dialog suggests any key stops uboot process), would I have any expectation to be able to enable the telnetd process from uboot?
It depends on whether the included version of busybox has the telnetd applet.
You should be able to interrupt the bootloader - maybe because you haven't connected to the RX pin.
If you want to avoid damaging the TX of the serial TTL convertor - speculatively connect it via a 1K or so resistor.
Presumably you're keeping Control-C or <space> or * pressed before power on so it autorepeats.

When you do get at the bootloader, try appending
init=/bin/sh single
to the bootargs variable to get a root shell so you can explore.
setenv bootargs mem=160M console=ttyAMA0,115200 root=/dev/mtdblock2 rootfstype=jffs2 mtdparts=hi_sfc:512K(boot),2560K(kernel),13M(rootfs) init=/bin/sh single
saveenv
 

bxdobs

n3wb
Joined
Aug 29, 2020
Messages
23
Reaction score
0
Location
Canada
After reworking my uart interface I was able to halt and capture the following information ... the printenv shows the bootargs ... but ... no devices, nand, or usb info is available

adding sh provides a root shell on "THIS" terminal or via telnet? How | when will root shell become available?

Code:
hisilicon # printenv
bootdelay=1
baudrate=115200
bootfile="uImage"
phyaddru=0
phyaddrd=1
mdio_intf=rmii
ethaddr=xx xx xx xx xx
filesize=25F000
fileaddr=82000000
netmask=255.255.255.0
bootargs=mem=160M console=ttyAMA0,115200 root=/dev/mtdblock2 rootfstype=jffs2 mtdparts=hi_sfc:512K(boot),2560K(kernel),13M(rootfs)
bootcmd=sf probe 0;sf read 0x82000000 0x80000 0x280000;bootm 0x82000000
ipaddr=192.168.8.88
serverip=192.168.8.8
stdin=serial
stdout=serial
stderr=serial
verify=n
ver=U-Boot 2010.06 (May 23 2014 - 08:55:45)

Environment size: 503/262140 bytes
hisilicon # nand info

hisilicon # mii device
MII devices:
hisilicon # usb storage
USB is stopped. Please issue 'usb start' first.
[/CODE
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,930
Reaction score
6,778
Location
Scotland
adding sh provides a root shell on "THIS" terminal or via telnet? How | when will root shell become available?
The root shell should be available after the kernel boots, if the kernel has not been coded to avoid this trick.

If you've modified bootargs to append
init=/bin/sh single
and issued a
saveenv
then use the command
reset
to initiate the boot process.
 

bxdobs

n3wb
Joined
Aug 29, 2020
Messages
23
Reaction score
0
Location
Canada
Without nand and device info, is it possible to back up this device? ... some forums suggest there can be several "FILES" involved as in : Boot Loader (u-boot), Kernel (OS), Application (camera-related logic)

Perhaps I should connect to this device using a unix based device instead of using putty ... expecting that a Pi 4 with FTP services should be able to pull down any files from Flash and or Nand (1 in the same?) ? Not sure if the hi3516 contains internal flash/nand memory or RAM

The IPC18 board contains the following memory chips:
K4B2G1646F-BYMA000 DDR32Gb as 128M x 16b DDR3 RAM
MXIC MX 25L12835P M2I 10G128M SPI Flash
AT88SC 0104CA H 7CAJ Y1kb Secure Flash

Here is a snippit from one forum which looks to be just copying an entire 256M Flash memory block (0x10000000)? Possibly relating to a complete sector-by-sector disk copy?

As the SPI flash on the IPC18 is only 128M (bits, bytes, or words?) suspect this block would be 0x8000000?

sf probe 0
mw.b 0x82000000 ff 1000000
sf read 0x82000000 0x0 0x1000000
tftp 0x82000000 fullflash.img 0x1000000
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,930
Reaction score
6,778
Location
Scotland
Without nand and device info, is it possible to back up this device?
Yes - you can see from the bootcmd value where a safe place to load into RAM would be.
And with sf and tftp commands you can extract all / some of the flash, and also import all / some (with much care ...)
Your snippet above should work just fine.

You might have to set IP addresses to something different, just for convenience
serverip and ipaddr
 

bxdobs

n3wb
Joined
Aug 29, 2020
Messages
23
Reaction score
0
Location
Canada
It depends on whether the included version of busybox has the telnetd applet.
You should be able to interrupt the bootloader - maybe because you haven't connected to the RX pin.
If you want to avoid damaging the TX of the serial TTL convertor - speculatively connect it via a 1K or so resistor.
Presumably you're keeping Control-C or <space> or * pressed before power on so it autorepeats.

When you do get at the bootloader, try appending
init=/bin/sh single
to the bootargs variable to get a root shell so you can explore.
setenv bootargs mem=160M console=ttyAMA0,115200 root=/dev/mtdblock2 rootfstype=jffs2 mtdparts=hi_sfc:512K(boot),2560K(kernel),13M(rootfs) init=/bin/sh single
saveenv
 

bxdobs

n3wb
Joined
Aug 29, 2020
Messages
23
Reaction score
0
Location
Canada
So ... init=/bin/sh single faulted out
the console came to a full stop
camera didn't do its startup sequences
looks and feels like a linux core dump event with a full stop halt

Code:
Freeing init memory: 100K
/bin/sh: can't open 'single'
Kernel panic - not syncing: Attempted to kill init!
Backtrace:
[<c002571c>] (dump_backtrace+0x0/0x10c) from [<c037e1c8>] (dump_stack+0x18/0x1c)
 r6:00000049 r5:c048c010 r4:c048c010 r3:0000000a
[<c037e1b0>] (dump_stack+0x0/0x1c) from [<c037e230>] (panic+0x64/0x190)
[<c037e1cc>] (panic+0x0/0x190) from [<c0035ad4>] (do_exit+0x640/0x700)
 r3:60000013 r2:c9828000 r1:c9826120 r0:c0421afc
 r7:c9826000
[<c0035494>] (do_exit+0x0/0x700) from [<c0035bd8>] (do_group_exit+0x44/0xc4)
 r7:000000f8
[<c0035b94>] (do_group_exit+0x0/0xc4) from [<c0035c70>] (sys_exit_group+0x18/0x24)
 r4:00000000 r3:0000ffff
[<c0035c58>] (sys_exit_group+0x0/0x24) from [<c0022140>] (ret_fast_syscall+0x0/0x2c)
 

bxdobs

n3wb
Joined
Aug 29, 2020
Messages
23
Reaction score
0
Location
Canada
yes ... that was my understanding from your post ... was this supposed to be by itself?
 

bxdobs

n3wb
Joined
Aug 29, 2020
Messages
23
Reaction score
0
Location
Canada
yes ... that was my understanding from your post ... was this supposed to be by itself?
setenv bootargs mem=160M console=ttyAMA0,115200 root=/dev/mtdblock2 rootfstype=jffs2 mtdparts=hi_sfc:512K(boot),2560K(kernel),13M(rootfs) init=/bin/sh single
saveenv
reset
 

bxdobs

n3wb
Joined
Aug 29, 2020
Messages
23
Reaction score
0
Location
Canada
Might be overthinking the backup process ... can you confirm the concept ... the IP settings along with tftp dialog suggests this file transfer requires a wired network connection where the block of ram loaded from flash will be transferred as a file via FTP over the Network to a FTP Server addressed on the network
ipaddr=192.168.8.88 (camera address)
serverip=192.168.8.8 (ftp server address)
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,930
Reaction score
6,778
Location
Scotland
an you confirm the concept ... the IP settings along with tftp dialog suggests this file transfer requires a wired network connection where the block of ram loaded from flash will be transferred as a file via FTP over the Network to a FTP Server addressed on the network
Yes, that's correct, you've properly understood the method.
But it's a tftp server, not an FTP server.
 

bxdobs

n3wb
Joined
Aug 29, 2020
Messages
23
Reaction score
0
Location
Canada
Ok ... finally have an image ... used a PI python pyserial to connect to the IPC18 serial port ... then after connecting a network cable, captured the TFTP file using TFTPD64 for windows

uboot claims to be version 2010.06 ... downloaded 90000852 uboot ref manual but note there are numerous differences ... also downloaded the 2010.06 source

was able to transfer 0x1000000 from sf probe 0 (16MB) with the following blocks populated
0x00000 - 0x3FFFF appears to be uboot image
0x40000 - 0x7FFFF uboot ENV space
0x80000 - 0x2FFFFF Linux-3.0.8 (Kernel?)
0x300000 - 0x76FFFF ? many busybox references
0x770000 - 0x89FFFF ?
0x8A0000 - 0x90FFFF ?
0x910000 - 0xAAFFFF ?
0xAB0000 - 0xFDFFFF ?
0xFE0000 - 0xFFFFFFF ?

One of the 3518 hack blogs suggests there should be 5 blocks; Boot, Kernel, Rootfs, Config, and Key ... Boot, Kernel, and Config appear to be straight forward but the remaining blocks are truly a mystery

Being the IPC 18 only has a 128Mb (/8 = 16MB) flash it would seem that this 16M image should contain the entire contents of the Camera's FW ... yet ... when I go looking for the contents of the two FW update images within this 16M image, they appear to be mia ... the expectation was that I would be able to find the startup sh file contents within this 16MB blob ... very curious ... unless there is more flash memory hiding on the Hi3516 chip itself?

Back to uboot
  • getinfo returns nothing ... no devices found
  • mii device reports 2 devices 0:0 and 0:1 ... expecting these are Wifi and Eth0
  • was expecting fatls to provide more info on the flash storage but if I do a fatls or fatinfo uboot is requesting an <interface> and <device>
  • sf probe 0 returns 16384 KiB hi_sfc at 0:0 is now current device, which suggests hi_sfc might be the interface and 0:0 the device but this isn't accepted by the fat commands

The uboot ref manual doesn't list any info for the SF command ... however the source code lists SF as an SPI flash command with the following subcommands; probe, read, write and erase. So perhaps the SPI isn't linked to the FAT commands ... perhaps FAT is related to the SD Card?
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,930
Reaction score
6,778
Location
Scotland
One of the 3518 hack blogs suggests there should be 5 blocks; Boot, Kernel, Rootfs, Config, and Key ... Boot, Kernel, and Config appear to be straight forward but the remaining blocks are truly a mystery
Zip it up and attach so we can take a look.

when I go looking for the contents of the two FW update images within this 16M image, they appear to be mia ... the expectation was that I would be able to find the startup sh file contents within this 16MB blob
Depending on the specific filesystems in use, the data will most likely be compressed, so you're not likely to see recognisable plaintext strings.
The serial console log shows that rootfs is a JFFS2 filesystem :
Code:
VFS: Mounted root (jffs2 filesystem) on device 31:2.
From your serial console listing, the partition layout can be determined as follows :
Code:
Kernel command line: mem=160M console=ttyAMA0,115200 root=/dev/mtdblock2 rootfstype=jffs2 mtdparts=hi_sfc:512K(boot),2560K(kernel),13M(rootfs)

0x000000000000-0x000000080000 : "boot"
0x000000080000-0x000000300000 : "kernel"
0x000000300000-0x000001000000 : "rootfs"
The kernel will hold the 'initramfs' - the initial file system - that will have the startup scripts within it.
 

bxdobs

n3wb
Joined
Aug 29, 2020
Messages
23
Reaction score
0
Location
Canada
Here is the 16MB image with plain text mac, wifi, and server credentials scrubbed
 

Attachments

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,930
Reaction score
6,778
Location
Scotland
Here is the 16MB image with plain text mac, wifi, and server credentials scrubbed
And here is an unpacker script, and a copy of the rootfs contents.

Code:
#!/bin/sh
# This script holds the steps to unpack the contents of the IPC-18-M flash dump provided by @bxdobs.
#
# The partition boundaries are taken from the info as shown in the serial console on bootup.
#0x000000000000-0x000000080000 : "boot"
#0x000000080000-0x000000300000 : "kernel"
#0x000000300000-0x000001000000 : "rootfs"
#
# First of all we copy out the bootloader
dd if=p0x.img of=bootloader bs=512 count=$((0x80000/512))
#
# Then the kernel
dd if=p0x.img of=kernel bs=1 skip=$((0x80000)) count=$((0x300000 - 0x80000))
#
# Extract the zImage
tail -c +$((0x41)) kernel > zImage
#
# The head of the zImage holds the 'uncompressor' sized at 22,544 bytes. We can skip over this and uncompress the kernel mainbody
dd ibs=1 if=zImage of=mainbody.gz skip=22544
gunzip -k mainbody.gz
strings -8 mainbody > strings_mainbody.txt
#
# Now to split out the rootfs
dd if=p0x.img of=rootfs.jffs2 bs=1 skip=$((0x300000)) count=$((0x1000000 - 0x300000))
#
# And extract the filesystem contents.
[ ! -d tmp ] && mkdir tmp
sudo modprobe  mtdram total_size=32768
sudo modprobe  mtdblock
sudo chmod 777 /dev/mtdblock0
sudo cat rootfs.jffs2 > /dev/mtdblock0
sudo mount -t jffs2 /dev/mtdblock0 tmp
#
# And make a copy of all including special files  so that we can make the files permanent and clean up by unmounting
[ ! -d rootfs_contents ] && mkdir rootfs_contents
sudo cp -r -p tmp/* rootfs_contents
#
sudo umount tmp
rmdir tmp
#
# Ends
 

Attachments

bxdobs

n3wb
Joined
Aug 29, 2020
Messages
23
Reaction score
0
Location
Canada
Thanks for the unpacker image ... I actually was able to do the same thing in Ubuntu 16.04 using modprobe commands to mount the image as a jffs2 filesystem ... Sadly Pi Rasbian was missing something so wouldn't complete these modprobe commands

The /etc/shadow file suggests there are two logins; root and admin (different pws) ... seems the UART Port does present a login prompt so will need to either replace the shadow file and reload the modified camera image ... or ... see if some hash cracking s/w can break these 2 hashes

root:$1$kEm.07pW$y2WwEr/YemT7wTMj7.2f81:15955:0:99999:7:::
admin:$1$qdKJQB2U$LVS9LJmC8lEDtHXIv4i3u0:15955:0:99999:7:::

Was looking at a site that offers open source Camera images OpenIPC.org but not sure which image file might work with this camera
 
Top