(Side comment you can skip -- Based on the interest in this project I went ahead and spent some more time (a lot actually) in Ghidra looking at the boot loader code, managed to get the ppsMmcTool.txt file format figured out, and found a way to use it to modify the boot settings in order to run a script on the SD card during the boot process of the camera.)
I assume the steps below can be used for any device using this PPStrong boot loader (Tuya cameras/doorbells like Geeni, Merkury, Bazz, Meari, etc).
Please check your device firmware version in the phone App OR with http://admin:056565099@ip/devices/deviceinfo .
For 2.7.x firmware you should use the information on this project instead: https://github.com/guino/Merkury720
**Special note for 2.9.0 firmware**: this firmware is a bit trickier to get RTSP working (mjpeg/snap work the same), so if you have that version you need to use #13 along with the files/steps provided by @DanTLehman here: https://github.com/DanTLehman/orion_sc008ha
For 2.9.x you should be able to use the steps here or in #13 (either method should work).
**Special note for 2.10.0 firmware**: This firmware (and newer) have port 80 closed by default -- so to use the http://admin:05656... links below you have to RIGHT CLICK this link: https://github.com/guino/Merkury720/raw/main/ppsFactoryTool.txt select "Save as.." and save this file to the root of the SD card. **EDIT** the file (avoid copy/paste the contents of it) and **modify only the ssid and password** as the file requires specific format to work. When the device detects the file (in the right format) it will disconnect and re-connect the wifi (to the ssid specified) and will OPEN port 80 so the http://admin:05656... links work.
**Special note for 4.0.x firmware**: This firmware (and newer) have port 80 closed by default -- so to use the http://admin:05656... links below you have to RIGHT CLICK this link: https://github.com/guino/Merkury720/raw/main/ppsFactoryTool.txt select "Save as.." and save this file to the root of the SD card. **EDIT** the file (avoid copy/paste the contents of it) and **modify only the ssid and password** as the file requires specific format to work. When the device detects the file (in the right format) it will disconnect and re-connect the wifi (to the ssid specified) and will OPEN port **8090** so the http://admin:05656... links work but you have to add **:8090** to every URL, for instance: http://admin:056565099@ip:8090/devices/deviceinfo. Depending on the device you have you may need to use the information and files from https://github.com/guino/Merkury1080P#conclusion
WARNING: The process below will **require** a SD card with initrun.sh to always be present during power-on or the device **WILL NOT BOOT**. If you modify/remove this file the device **may not boot**. The process is always reversible but keep that in mind. You may **choose** to use #13 as it **does not require** a SD card to boot the device (it is a new/improved method).
These are the steps to hack (root) your device:
**1**-Verify your camera/doorbell is compatible using its local IP address (i.e. 192.168.x.x, etc) -- this is NOT the public IP displayed in the TUYA app (and likely other apps); if you're reading this there's a good chance you know how to find the IP from your router. Open a web browser and load this address: http://admin:056565099@ip/proc/cmdline -- the result (kernel command line) should be something like this:
```
mem=36 console=ttyAMA0,115200n8 mtdparts=hi_sfc:192k(bld)ro,64k(env)ro,64k(enc)ro,64k(sysflg)ro,3136k(sys),4352k(app),320k(cfg) ppsAppParts=5 ppsWatchInitEnd
```
Copy/save that response (kernel command line) as we'll need it next (and also in case you want to restore original settings). If you get no response, or some very different response, please stop now -- chances are you're using the wrong IP or this won't work for your device (advanced users can still check/try #11 and #12). Feel free to post your kernel command line if you have questions.
**1.1 ADDENDUM**-I highly recommend you get a backup of your flash memory using #11 -- there's no risk or side-effect from trying. It's better to have a backup and not need it than needing the backup and not having it.
**1.2 ADDENDUM**-Open this URL http://admin:056565099@ip/proc/self/root/etc/init.d/S90PPStrong and check if you have these lines:
```
# debug
#MTDNUM=5
```
If your MTDNUM line does not have a **#** in front you **must** use #13. If your line has **#** in front or you don't have that line, you can proceed with the steps below.
**2**-Edit the provided 'env' so it has the below contents (following details below):
```
bootargs=mem=36 console=ttyAMA0,115200n8 mtdparts=hi_sfc:192k(bld)ro,64k(env)ro,64k(enc)ro,64k(sysflg)ro,3136k(sys),4352k(app),320k(cfg) ppsAppParts=0 ppsWatchInitEnd ThankYouGuino,ThankYouGuino,ThankYouGuino,ThankYouGuino,ThankYouGuino,ThankYouGuino,ThankYouGuino,ThankYouGuino,ThankYouGuino,ThankYouGuino,ThankYouGuino,ThankYouGuino,ThankYouGuino,ThankYouGuino,ThankYouGuino,ThankYouGuino,ThankYouGuino,ThankYouGuino,ThankYouGuino,ThankYouGuino,ThankYouGuino,ThankYouGuino,ThankYouGuino,ThankYouGuino,ThankYouGuino,ThankYouGuino,ThankYouGuino,ThankYouGuino,ThankYouGuino,ThankYouGuino,ThankYouGuino,ThankYouGuino,ThankYouGuino,ThankYouGuino,ThankYouGuino,ThankYouGuino,ThankYouGuino,ThankYouGuino,ThankYouGuino,ThankYouGuino,ThankYouGuino,ThankYouGuino,ThankYouGuino,ThankYouGuino,ThankYouGuino,ThankYouGuino,ThankYouGuino,ThankYouGuino,ThankYouGuino,ThankYouGuino,ThankYouGuino,ThankYouGuino,ThankYouGuino,ThankYouGuino,T
```
VERY IMPORTANT DETAILS ABOUT THIS FILE:
* The part after bootargs= should be the same as you got on step 1 (from your device) with **ppsAppParts=0** (instead of ppsAppParts=5).
* The file has **one single line** "bootargs=..." and a new line (enter) at the end. It is a long line (on purpose) so it may show up as multiple lines in a browser, so please account for it. A sample env file is attached for your convenience.
* The single line **MUST** have the same exact size as I posted above (924 characters + new line). Your kernel command line may be different, which may require you to adjust (remove or add to) the ThankYou... text so that you match the size of the line.
* There's a 0x00 (Zero character) at the end of the file -- if this is removed by your text editor (i.e. notepad, etc) you'll need to be sure it is there (or the process will not work). You may need to use a hex editor to change the last character to a "00", making sure there's at least a new line (0A) at the end of the line before the "00". Again the sample env file is a good reference.
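A way to check an env file against the constraints listed above before it goes on the SD card (added example, not part of the original post or the attached files). `expected_prefix`, `build_env` and `check_env` are hypothetical helper names; the 924-character length, the 0x0A plus 0x00 ending and the filler text are taken from this page, and the sample file is constructed here rather than copied from the attached env.

```python
import re

# Sample kernel command line from step 1 of this page; use your device's own.
CMDLINE = ("mem=36 console=ttyAMA0,115200n8 mtdparts=hi_sfc:192k(bld)ro,"
           "64k(env)ro,64k(enc)ro,64k(sysflg)ro,3136k(sys),4352k(app),"
           "320k(cfg) ppsAppParts=5 ppsWatchInitEnd")
LINE_LEN = 924             # length of the bootargs line stated in step 2
FILLER = "ThankYouGuino,"  # padding text used in the posted env

def expected_prefix(cmdline):
    """'bootargs=' + the step 1 command line with ppsAppParts forced to 0."""
    args = re.sub(r"\bppsAppParts=\d+", "ppsAppParts=0", cmdline.strip())
    return "bootargs=" + args + " "

def build_env(cmdline, line_len=LINE_LEN):
    """Hypothetical helper: pad the line to line_len, then add LF and NUL."""
    line = expected_prefix(cmdline)
    pad = line_len - len(line)
    if pad < 0:
        raise ValueError("command line is longer than the required line")
    line += (FILLER * (pad // len(FILLER) + 1))[:pad]
    return line.encode("ascii") + b"\n\x00"

def check_env(data, cmdline, line_len=LINE_LEN):
    """Hypothetical checker: return a list of problems (empty means OK)."""
    problems = []
    if b"\r" in data:
        problems.append("CR found: the editor saved CRLF line endings")
    if data.count(b"\n") != 1:
        problems.append("expected exactly one line feed (single line)")
    if data.count(b"\x00") != 1 or not data.endswith(b"\n\x00"):
        problems.append("file must end with 0x0A followed by one 0x00")
    line = data.split(b"\n", 1)[0].rstrip(b"\x00")
    if len(line) != line_len:
        problems.append(f"line is {len(line)} characters, not {line_len}")
    if not line.startswith(expected_prefix(cmdline).encode("ascii")):
        problems.append("line does not start with the step 1 command line "
                        "with ppsAppParts=0")
    return problems

if __name__ == "__main__":
    env = build_env(CMDLINE)             # constructed sample, not the attached env
    print(check_env(env, CMDLINE))       # well-formed file
    print(check_env(env[:-1], CMDLINE))  # NUL stripped by a text editor
```

To check a file edited by hand, read it in binary mode (`open("env", "rb").read()`) and pass the bytes to `check_env` together with the command line saved in step 1.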
**3**-Copy these 3 files (attached) to the root of a fat32 formatted SD card (do not place them in any 'folders'): env, ppsMmcTool.txt and initrun.sh -- **MAKE SURE** there's no 'upgrade.bin' file in the SD card or this could cause problems. Be sure to properly 'eject' (or unmount) the SD card before removing it from the computer.
**4**-Power off your device and insert the SD card with the 3 files in the SD card slot.
**5**-Press-and-hold the reset button, then power on the device (i.e. power wires/USB cable) and **continue holding the reset button for 5 seconds after power on** then let the device boot. It will take longer than usual (precisely 10 seconds longer) for it to fully boot up as that's part of the initial boot script.
**6**-Repeat step 1, this time your kernel command line should look like this:
```
mem=36 console=ttyAMA0,115200n8 mtdparts=hi_sfc:192k(bld)ro,64k(env)ro,64k(enc)ro,64k(sysflg)ro,3136k(sys),4352k(app),320k(cfg) ppsAppParts=0 ppsWatchInitEnd ThankYouGuino,ThankYouGuino,ThankYouGuino,ThankYouGuino,ThankYouGuino,ThankYouGuino,ThankYouGuino,ThankYouGuino,ThankYouGuino,ThankYouGuino,ThankYouGuino,ThankYouGuino,ThankYouGuino,ThankYouGuino,ThankYouGuino,ThankYouGuino,ThankYouGuino,ThankYouGuino,ThankYouGuino,ThankYouGuino,ThankYouGuino,ThankYouGuino,ThankYouGuino,ThankYouGuino,ThankYouGuino,ThankYouGuino,ThankYouGuino,ThankYouGuino,ThankYouGuino,ThankYouGuino,ThankYouGuino,ThankYouGuino,ThankYouGuino,ThankYouGuino,ThankYouGuino,ThankYouGuino,ThankYouGuino,ThankYouGuino,ThankYouGuino,ThankYouGuino,ThankYouGuino,ThankYouGuino,ThankYouGuino,ThankYouGuino,ThankYouGuino,ThankYouGuino,ThankYouGuino,ThankYouGuino,ThankYouGuino,ThankYouGuino,ThankYouGuino,ThankYouGuino,ThankYouGuino,ThankYouGuino,T mtdparts=hi_sfc:192k(bld)ro,64k(env)ro,64k(enc)ro,64k(sysflg)ro,3136k(sys),4352k(app),320k(cfg) ppsAppPart
```
(Notice how the 'ppsAppPart' is cut off at the end -- that's the intention and as long as it doesn't say ppsAppParts=n it should work)
**7**-Now browse to this address: http://admin:056565099@ip/proc/self/root/tmp/hack -- it should say "done" which is the indication everything is working as designed.
**8**-You can now delete ppsMmcTool.txt and env files from the SD card but there's no harm leaving them there. You **MUST** always have initrun.sh in the SD card during boot or the device WILL NOT BOOT.
**9**-Download the [mmc files](https://github.com/guino/BazzDoorbell/tree/master/mmc) and place them in the SD card (root directory). **SEPARATELY** download busybox from https://github.com/guino/BazzDoorbell/blob/master/mmc/busybox?raw=true and place it on the SD card (root directory). Your SD card should look like this:
```
drwxr-xr-x 2 wagner root 8192 Dec 31 1979 bin
drwxr-xr-x 2 wagner root 8192 Dec 31 1979 lib
-rwxr-xr-x 1 wagner root 263 Jan 27 11:29 set
-rwxr-xr-x 1 wagner root 7956 Jan 15 16:47 jpeg-arm
drwxr-xr-x 8 wagner root 8192 Dec 31 1979 home
-rwxr-xr-x 1 wagner root 102 Dec 4 15:31 ppsMmcTool.txt
-rwxr-xr-x 1 wagner root 927 Dec 4 18:00 env
-rwxr-xr-x 1 wagner root 1115 Dec 5 00:15 initrun.sh
-rwxr-xr-x 1 wagner root 40 Nov 24 15:28 passwd
-rwxr-xr-x 1 wagner root 1152216 Nov 23 18:50 busybox
drwxr-xr-x 2 wagner root 8192 Jan 14 23:13 cgi-bin
-rwxr-xr-x 1 wagner root 1327 Nov 24 00:28 index.html
-rwxr-xr-x 1 wagner root 18 Nov 24 00:22 httpd.conf
-rwxr-xr-x 1 wagner root 539 Dec 2 16:46 custom.sh
drwxr-xr-x 3 wagner root 8192 Aug 30 12:10 SDT
```
**NOTES**:
* SDT is created by the device. home, lib and bin are created by the hack once it is installed.
* busybox should have 1152216 bytes (download link listed above)
* for telnet access either set the password hash in the passwd file (get a hash [here](https://unix4lyfe.org/crypt/) using the calculate 'DES' button and copy the value) OR add `-l /bin/sh` to the `telnetd` line in custom.sh (this starts a shell without asking for a password)
* enter a user:password in httpd.conf -- these are **plain text** values (no hashes).
* for mjpeg/snap.cgi support you have to adjust the JPEG address in snap.cgi and mjpeg.cgi as posted with your ppsapp patch (or found with Ghidra) -- this should work even if you don't patch ppsapp (on the step below). The URL should be like this: http://user:password@IP:8080/cgi-bin/snap.cgi (with user:password from httpd.conf)
IMPORTANT: The main application on the device will delete the SD card contents when free space is low so backup your files and either disable recording OR let it run the provided cleanup.cgi to prevent your files from being deleted. The last 5 lines of the custom.sh file will run cleanup.cgi once-a-day by default. You can remove the last 5 lines of custom.sh if you don't want that to run OR you can disable recording entirely by removing the # from the `#/mnt/mmc01/set record_enable 0` in custom.sh. If your device/app doesn't have a motion-only recording (event recording) option you can enable it by removing the # from the line `#/mnt/mmc01/set enable_event_record 1` in custom.sh — there are more details here: https://github.com/guino/BazzDoorbell/issues/2#issuecomment-808117844
**10**-For RTSP: **DO NOT** run a different version of ppsapp on your device or you may brick it. Your original ppsapp can be found under /home/app/ppsapp of the SD card. Please check https://github.com/guino/ppsapp-rtsp/issues/1 to see if your ppsapp has already been patched -- use the site in the first post of the link to patch your own ppsapp file (double check that the md5 matches when patching it) and place it on the root of your SD card with the name **ppsapp** then reboot. There's a full guide on https://github.com/guino/ppsapp-rtsp if you're computer savvy and want to try patching ppsapp yourself. I prefer that you post (create a new issue) your ppsapp (along with http://admin:056565099@ip/devices/deviceinfo information) so I can patch it, rather than get your flash corrupted by using a corrupt/wrong ppsapp.
**NOTE 1**: It has also been reported that VLC for MAC has issues playing the RTSP streams from these devices (so try different devices/applications if you have issues with VLC on MAC).
**NOTE 2**: It has also been reported that the default VLC playback is over UDP and causes the camera to use a lot of CPU/resources and causes it to reboot in about 13 minutes of viewing the RTSP feed. You can fix this by starting VLC like this:
```
vlc --rtsp-tcp rtsp://ip:8554
```
OR you can go into VLC settings and select RTP over RTSP (TCP): in 'Simple' mode click 'Tools > Preferences > Input / Codecs', select 'RTP over RTSP (TCP)' at the bottom, then click 'Save'. In 'Advanced' mode click 'Tools > Preferences > Input / Codecs > Demuxers > RTP/RTSP', select 'RTP over RTSP (TCP)', then click 'Save'.
## TROUBLESHOOTING / RESTORE
If you wish to 'restore' the operation of your camera with SD card (remove the 'hack'):
**1**-Edit/create the env file to be this:
```
bootargs=mem=36 console=ttyAMA0,115200n8
```
NOTE: You should match the mem and console parameters as they were originally (step 1 of install process) and the env file **must** also have the new line (0x0A) and 0x00 (Zero character) at the end.
**2**-Copy ppsMmcTool.txt and env to the root of SD card (initrun.sh is NOT needed).
**3**-Follow steps 4, 5 and 6 of the install process, on step 6 the kernel command line should look like it was originally (before any changes).
If for some reason you can't get the initrun.sh script to run please post a copy of your env file (zip format so I can verify it) and your kernel command line (before and after install attempt) so I can take a look.
If you'd like to buy me a beer/coffee in appreciation of the effort I put in to make the above possible, feel free to:
http://paypal.me/wbbo
cash app: $wbbo
Enjoy!
[ppshack.zip](https://github.com/guino/BazzDoorbell/files/5754698/ppshack.zip)