Popular A9 mini Wi-Fi camera & the HA challenge

I am trying to hook the popular A9 mini Wi-Fi camera to HA. The problem I find is that this camera does not offer direct customized configuration. The configuration of the camera can only be done via a mobile phone using a freeware app (not manufacturer-specific). Out of the box it offers two Wi-Fi connection modes: hot-spot (direct link between camera and phone) and Wi-Fi network, e.g. the home Wi-Fi network. When using the Wi-Fi network mode I find that the stream is set up between the phone and an Internet cloud service, e.g. AWS when using the iPhone app Little Stars. Coming to this point, I don’t like the idea of having my video stream getting out of my LAN domain.
This is what I have found so far:
- It makes use of a Beken BK7252 chip.
- The board features JTAG track points.
- It makes use of UDP and, interestingly enough, QUIC too.
- Sending a UDP datagram with payload “Bv” to port 8080 or “0f” to port 8070 triggers the video stream when using the camera in hot-spot mode.

Has anyone reached the goal I’m pursuing, or can anyone shed some light on how to move forward?
14 Likes

Googling tells me this camera is crap. Good luck.

3 Likes

I have not been able to prove that this sends any data out of the LAN over UDP or TCP either. In fact, it looks like it’s clearly p2p traffic.
My take was to pair this up with a phone (unfortunately I managed to do this with Android only, as their iOS app ended up being too difficult to work with) and see what’s happening.

So here’s what I’ve got going (long, sorry), which I believe is the app init, auth and loading of the first few frames:

.417   928  6646 I ActivityTaskManager: START u0 {act=android.intent.action.MAIN cat=[android.intent.category.LAUNCHER] flg=0x10200000 cmp=com.jxl.littlestars.project/shix.ihdbell.project.MainActivity bnds=[237,84][439,337]} from uid 10032
.426   653   653 D QCOM PowerHAL: LAUNCH HINT: ON
.431   653   653 D QCOM PowerHAL: Activity launch hint handled
.469   626   626 D Zygote  : Forked child process 31457
.470   928  1012 I ActivityManager: Start proc 31457:com.jxl.littlestars.project/u0a12 for activity {com.jxl.littlestars.project/shix.ihdbell.project.MainActivity}
.484 31457 31457 E lestars.projec: Not starting debugger since process cannot load the jdwp agent.
.542   928   961 I system_server: Background young concurrent copying GC freed 358994(12MB) AllocSpace objects, 0(0B) LOS objects, 30% free, 27MB/39MB, paused 227us total 104.027ms
.552 29742 29798 I MicroDetectionState: Should stop hotword detection immediately - false
.553 31457 31457 D FirebaseApp: com.google.firebase.auth.FirebaseAuth is not linked. Skipping initialization.
.557 31457 31457 D FirebaseApp: Initialized class com.google.firebase.iid.FirebaseInstanceId.
.557 31457 31457 D FirebaseApp: com.google.firebase.crash.FirebaseCrash is not linked. Skipping initialization.
.558 31457 31457 D FirebaseApp: com.google.android.gms.measurement.AppMeasurement is not linked. Skipping initialization.
.558 31457 31457 D FCM     : FirebaseAPP初始化完
.558 31457 31457 E App     : ####onCreate
.654 31457 31457 E PermissionHelper: request camera success!
.656   928  1322 I ActivityTaskManager: START u0 {act=android.content.pm.action.REQUEST_PERMISSIONS pkg=com.google.android.permissioncontroller cmp=com.google.android.permissioncontroller/com.android.packageinstaller.permission.ui.GrantPermissionsActivity (has extras)} from uid 10012
.657   653   653 D QCOM PowerHAL: LAUNCH HINT: ON
.663 31457 31457 E test    : ContentCommon.TIME_UTC222:CET
.670   928  1322 W ActivityTaskManager: Bad activity token: android.os.BinderProxy@2750cb2
.670   928  1322 W ActivityTaskManager: java.lang.ClassCastException: android.os.BinderProxy cannot be cast to com.android.server.wm.ActivityRecord$Token
.670   928  1322 W ActivityTaskManager: 	at com.android.server.wm.ActivityRecord.forTokenLocked(ActivityRecord.java:913)
.670   928  1322 W ActivityTaskManager: 	at com.android.server.wm.ActivityRecord.isInStackLocked(ActivityRecord.java:2558)
.670   928  1322 W ActivityTaskManager: 	at com.android.server.wm.ActivityRecord.getStackLocked(ActivityRecord.java:2563)
.670   928  1322 W ActivityTaskManager: 	at com.android.server.wm.ActivityTaskManagerService.getActivityDisplayId(ActivityTaskManagerService.java:2014)
.670   928  1322 W ActivityTaskManager: 	at android.app.IActivityTaskManager$Stub.onTransact(IActivityTaskManager.java:2321)
.670   928  1322 W ActivityTaskManager: 	at android.os.Binder.execTransactInternal(Binder.java:1021)
.670   928  1322 W ActivityTaskManager: 	at android.os.Binder.execTransact(Binder.java:994)
.674   928  1322 W ActivityTaskManager: Bad activity token: android.os.BinderProxy@2750cb2
.674   928  1322 W ActivityTaskManager: java.lang.ClassCastException: android.os.BinderProxy cannot be cast to com.android.server.wm.ActivityRecord$Token
.674   928  1322 W ActivityTaskManager: 	at com.android.server.wm.ActivityRecord.forTokenLocked(ActivityRecord.java:913)
.674   928  1322 W ActivityTaskManager: 	at com.android.server.wm.ActivityRecord.isInStackLocked(ActivityRecord.java:2558)
.674   928  1322 W ActivityTaskManager: 	at com.android.server.wm.ActivityTaskManagerService.setTaskDescription(ActivityTaskManagerService.java:2935)
.674   928  1322 W ActivityTaskManager: 	at android.app.IActivityTaskManager$Stub.onTransact(IActivityTaskManager.java:2560)
.674   928  1322 W ActivityTaskManager: 	at android.os.Binder.execTransactInternal(Binder.java:1021)
.674   928  1322 W ActivityTaskManager: 	at android.os.Binder.execTransact(Binder.java:994)
.692 31457 31482 E SHIX-jni: doorbell-init-ret:0
.692 31457 31482 E MainActivity: run: onCreate PPPPInitial
.722 31457 31457 E IpcamClientActivity1: oncreate IpcamClientActivity1
.723 31457 31457 E test    : ContentCommon.TIME_UTC111:CET
.727 31457 31457 E DataBaseHelper: create database
.728 31457 31457 E LOG     : NNN--setBmp
.732 31457 31483 E SHIX-jni: doorbell-init-ret:-2
.732 31457 31483 D test    : PPPPInitial run thread
.736 31457 31457 E LOG     : NNN--zhaogenghuaiPush1==0  SystemValue.BELL_UDID:
.738   928  2727 W ActivityTaskManager: Bad activity token: android.os.BinderProxy@2750cb2
.738   928  2727 W ActivityTaskManager: java.lang.ClassCastException: android.os.BinderProxy cannot be cast to com.android.server.wm.ActivityRecord$Token
.738   928  2727 W ActivityTaskManager: 	at com.android.server.wm.ActivityRecord.forTokenLocked(ActivityRecord.java:913)
.738   928  2727 W ActivityTaskManager: 	at com.android.server.wm.ActivityRecord.isInStackLocked(ActivityRecord.java:2558)
.738   928  2727 W ActivityTaskManager: 	at com.android.server.wm.ActivityTaskManagerService.getActivityOptions(ActivityTaskManagerService.java:2950)
.738   928  2727 W ActivityTaskManager: 	at android.app.IActivityTaskManager$Stub.onTransact(IActivityTaskManager.java:2569)
.738   928  2727 W ActivityTaskManager: 	at android.os.Binder.execTransactInternal(Binder.java:1021)
.738   928  2727 W ActivityTaskManager: 	at android.os.Binder.execTransact(Binder.java:994)
.739 31457 31457 D IpcamClientActivity: onStart()
.746 31457 31457 D IpcamClientActivity: onResume()
.757 31457 31457 D tag     : BridgeService onCreate()
.758 31457 31457 E WiFiCAM : MjpegToMp4::MjpegToMp4 start 
.758 31457 31457 E WiFiCAM : MjpegToMp4::MjpegToMp4 end 
.758 31457 31457 E WiFiCAM : iCameraInit
.759 31457 31457 E BridgeService: #### onStartCommand start
.759 31457 31457 E BridgeService: #### onStartCommand stop
.773   626   626 D Zygote  : Forked child process 31487
.739   928  2727 W ActivityTaskManager: Bad activity token: android.os.BinderProxy@2750cb2
.739   928  2727 W ActivityTaskManager: java.lang.ClassCastException: android.os.BinderProxy cannot be cast to com.android.server.wm.ActivityRecord$Token
.739   928  2727 W ActivityTaskManager: 	at com.android.server.wm.ActivityRecord.forTokenLocked(ActivityRecord.java:913)
.739   928  2727 W ActivityTaskManager: 	at com.android.server.wm.ActivityRecord.isInStackLocked(ActivityRecord.java:2558)
.739   928  2727 W ActivityTaskManager: 	at com.android.server.wm.ActivityTaskManagerService.getActivityOptions(ActivityTaskManagerService.java:2950)
.739   928  2727 W ActivityTaskManager: 	at android.app.IActivityTaskManager$Stub.onTransact(IActivityTaskManager.java:2569)
.739   928  2727 W ActivityTaskManager: 	at android.os.Binder.execTransactInternal(Binder.java:1021)
.739   928  2727 W ActivityTaskManager: 	at android.os.Binder.execTransact(Binder.java:994)
.775   928  1012 I ActivityManager: Start proc 31487:com.google.android.permissioncontroller/u0a208 for activity {com.google.android.permissioncontroller/com.android.packageinstaller.permission.ui.GrantPermissionsActivity}
.786 31487 31487 E ssioncontrolle: Not starting debugger since process cannot load the jdwp agent.
.790 31457 31457 E LOG     : NNN--setBmp
.795 31457 31457 E LOG     : NNN--getBmp
.800   469   469 I hwservicemanager: getTransport: Cannot find entry android.hardware.graphics.mapper@3.0::IMapper/default in either framework or device manifest.
.800 31457 31457 W Gralloc3: mapper 3.x is not supported
.861 31457 31457 E BridgeService: #### onStartCommand start
.861 31457 31457 E BridgeService: #### onStartCommand stop
.863 31457 31457 D test    : ------------------------------------videFram = 15-----------------------------
.863 31457 31457 E test    : zhaogenghuai --���ֹ㲥
.875   928  1009 I ActivityTaskManager: Displayed com.google.android.permissioncontroller/com.android.packageinstaller.permission.ui.GrantPermissionsActivity: +447ms
.966  1548  1548 D zz      : UtWallpaperService$UtEngine.onVisibilityChanged() false
.970  1548  1548 D zz      : UtRenderer.onNotVisible() 
.974 31457 31483 D SHIX-jni: Java_object_p2pipcam_nativecaller_NativeCaller_Init:enter
.974 31457 31483 E SHIX-jni: ===============>>Java_object_p2pipcam_nativecaller_NativeCaller_Init, 
.974 31457 31483 E SHIX-jni: CPPPPChannelManagement init mLock
.975 31457 31483 D SHIX-jni: Java_object_p2pipcam_nativecaller_NativeCaller_Init:leave
.982   500   500 E Layer   : [Surface(name=AppWindowToken{c0a6377 token=Token{8de2176 ActivityRecord{7182c11 u0 com.jxl.littlestars.project/shix.ihdbell.project.MainActivity t903}}})/@0xcf94c5a - animation-leash#0] No local sync point found
.982   500   500 E Layer   : [Surface(name=AppWindowToken{465cff2 token=Token{67d6fd ActivityRecord{a9eb754 u0 com.google.android.apps.nexuslauncher/.NexusLauncherActivity t859}}})/@0x25909de - animation-leash#0] No local sync point found
.010 31487 31487 I SystemConfig: Adding association: com.google.android.as <- com.android.providers.contacts
.010 31487 31487 I SystemConfig: Adding association: com.google.android.as <- com.android.providers.media
.010 31487 31487 I SystemConfig: Adding association: com.google.android.as <- com.android.providers.telephony
.010 31487 31487 I SystemConfig: Adding association: com.google.android.as <- com.android.systemui
.010 31487 31487 I SystemConfig: Adding association: com.google.android.as <- com.google.android.gms
.010 31487 31487 I SystemConfig: Adding association: com.google.android.as <- com.google.android.gsf
.024 31487 31487 W SystemConfig: No directory /product_services/etc/sysconfig, skipping
.024 31487 31487 W SystemConfig: No directory /product_services/etc/permissions, skipping
.026   473 25432 D vold    : Remounting 10012 as mode write
.044   473 25432 D vold    : Found matching PID 31457
.047 29742 29798 I PBSessionCacheImpl: Deleted sessionId[130808311789605681] from persistence.
.049   473 25432 D vold    : Remounting 10012 as mode write
.061   473 25432 D vold    : Found matching PID 31457
.068 31487 31487 V GrantPermissionsActivity: Permission grant result requestId=4638116479992864049 callingUid=10012 callingPackage=com.jxl.littlestars.project permission=android.permission.READ_EXTERNAL_STORAGE isImplicit=false result=5
.070   804   844 E statsd  : Found dropped events: 1 error -19 last atom tag 83 from uid 10208
.070   473 25432 D vold    : Remounting 10012 as mode write
.081   473 25432 D vold    : Found matching PID 31457
.088   473 25420 D vold    : Remounting 10012 as mode write
.104   473 25420 D vold    : Found matching PID 31457
.108 31487 31487 V GrantPermissionsActivity: Permission grant result requestId=4638116479992864049 callingUid=10012 callingPackage=com.jxl.littlestars.project permission=android.permission.WRITE_EXTERNAL_STORAGE isImplicit=false result=5
.110   473 11976 D vold    : Remounting 10012 as mode write
.110 29742 29798 W SearchServiceCore: Abort, client detached.
.118 29742 29798 I A       : cleanUpControllerScope(nowcards-15-e60dc4-b5f6)
.121   473 11976 D vold    : Found matching PID 31457
.126   473 11884 D vold    : Remounting 10012 as mode write
.139 29742 29798 I MicroDetectionState: Should stop hotword detection immediately - false
.140   473 11884 D vold    : Found matching PID 31457
.144 31487 31487 V GrantPermissionsActivity: Permission grant result requestId=4638116479992864049 callingUid=10012 callingPackage=com.jxl.littlestars.project permission=android.permission.READ_EXTERNAL_STORAGE isImplicit=false result=5
.149 31487 31487 V GrantPermissionsActivity: Permission grant result requestId=4638116479992864049 callingUid=10012 callingPackage=com.jxl.littlestars.project permission=android.permission.ACCESS_COARSE_LOCATION isImplicit=false result=5
.155 31487 31487 V GrantPermissionsActivity: Permission grant result requestId=4638116479992864049 callingUid=10012 callingPackage=com.jxl.littlestars.project permission=android.permission.ACCESS_FINE_LOCATION isImplicit=false result=5
.159 31487 31487 V GrantPermissionsActivity: Permission grant result requestId=4638116479992864049 callingUid=10012 callingPackage=com.jxl.littlestars.project permission=android.permission.ACCESS_COARSE_LOCATION isImplicit=false result=5
.163 31487 31487 V GrantPermissionsActivity: Permission grant result requestId=4638116479992864049 callingUid=10012 callingPackage=com.jxl.littlestars.project permission=android.permission.ACCESS_BACKGROUND_LOCATION isImplicit=false result=5
.190 31457 31457 D IpcamClientActivity: onResume()
.214 31457 31457 E LOG     : NNN--setBmp
.214 31457 31457 E LOG     : NNN--getBmp
.247  1849  1849 I GoogleInputMethodService: GoogleInputMethodService.onFinishInput():3341 
.248  1849  1849 I GoogleInputMethodService: GoogleInputMethodService.onStartInput():1906 
.274   653   653 D QCOM PowerHAL: LAUNCH HINT: OFF
.310   928  1627 D ConnectivityService: ConnectivityService NetworkRequestInfo binderDied(NetworkRequest [ TRACK_DEFAULT id=329, [ Capabilities: INTERNET&NOT_RESTRICTED&TRUSTED Uid: 10137] ], android.os.BinderProxy@27fe31a)
.310   928  6646 D ConnectivityService: ConnectivityService NetworkRequestInfo binderDied(NetworkRequest [ LISTEN id=324, [ Capabilities: INTERNET&NOT_RESTRICTED&TRUSTED&NOT_VPN&FOREGROUND Uid: 10137] ], android.os.BinderProxy@7c1ce4b)
.310   928  1322 D ConnectivityService: ConnectivityService NetworkRequestInfo binderDied(NetworkRequest [ TRACK_DEFAULT id=325, [ Capabilities: INTERNET&NOT_RESTRICTED&TRUSTED Uid: 10137] ], android.os.BinderProxy@361e028)
.310   928  1375 D ConnectivityService: releasing NetworkRequest [ TRACK_DEFAULT id=329, [ Capabilities: INTERNET&NOT_RESTRICTED&TRUSTED Uid: 10137] ] (release request)
.311   626   626 I Zygote  : Process 30269 exited due to signal 9 (Killed)
.312   928  1375 D ConnectivityService: releasing NetworkRequest [ TRACK_DEFAULT id=325, [ Capabilities: INTERNET&NOT_RESTRICTED&TRUSTED Uid: 10137] ] (release request)
.319   928  1013 I libprocessgroup: Successfully killed process cgroup uid 10137 pid 30269 in 42ms
.485 31457 31483 D ###test : server:ACC did:ACCQXXXXXXXXXXX user:admin pwd:admin
.486 31457 31483 E SHIX-jni: ===============>>Java_object_p2pipcam_nativecaller_NativeCaller_StartPPPP, 
.486 31457 31483 D SHIX-jni: Start:enter
.486 31457 31483 E SHIX-jni: CPPPPChannelManagement Start lock
.486 31457 31483 E SHIX-jni: CCircleBuf CREATE
.486 31457 31483 E SHIX-jni: CCircleBuf CREATE
.486 31457 31483 E SHIX-jni: ####CPPPPChannel CREATE
.486 31457 31483 E SHIX-jni: CCircleBuf CREATE
.486 31457 31483 I chatty  : uid=10012(com.jxl.littlestars.project) Thread-3 identical 1 line
.486 31457 31483 E SHIX-jni: CCircleBuf CREATE
.486 31457 31483 E SHIX-jni: CPPPPChannelManagement Start unlock
.486 31457 31483 D SHIX-jni: Start:leave
.486 31457 31483 E SHIX-jni: ===============>>Java_object_p2pipcam_nativecaller_NativeCaller_StartPPPP, EXIT
.487 31457 31519 D SHIX-jni: PPPP_Connect begin...ACCQXXXXXXXXXXX
.487 31457 31519 D SHIX-jni: -------------------------1:ACCQXXXXXXXXXXX
.487 31457 31519 D SHIX-jni: -------------------------2
.487 31457 31519 E BridgeService: ###PPPPMsgNotify  did:ACCQXXXXXXXXXXX type:0 param:0
.487 31457 31519 D IpcamClientActivity: type:0 param:0
.487 31457 31519 D SHIX-jni: -------------------------3
.487 31457 31519 D SHIX-jni: -------------------------4
.487 31457 31519 D SHIX-jni: -------------------------5:ACCQXXXXXXXXXXX
.487 31457 31519 D SHIX-jni: -------------------------6
.487 31457 31519 D test_four_2: MessageNotify did: ACCQXXXXXXXXXXX msgType: 0 param: 0
.487 31457 31519 D SHIX-jni: -------------------------7
.487 31457 31457 D test    : did==ACCQXXXXXXXXXXX  msgType=0
.487 31457 31519 D SHIX-jni: -------------------------8
.487 31457 31519 D SHIX-jni: PPPP_Connect begin. MsgNotify..ACCQXXXXXXXXXXX
.523 31457 31457 E LOG     : NNN--setBmp
.524 31457 31457 E LOG     : NNN--getBmp
.059 31457 31519 D SHIX-jni: PPPP_ConnectByServer m_hSessionHandle:1,szDID:ACCQXXXXXXXXXXX
.059 31457 31519 D SHIX-jni: testzhao1 m_hSessionHandle:1,szDID:ACCQXXXXXXXXXXX
.059 31457 31519 D SHIX-jni: test_sd_format:admin,admin
.059 31457 31519 D SHIX-jni: DID: ACCQXXXXXXXXXXX, cgi_get_common: GET /check_user.cgi?loginuse=admin&loginpas=admin&user=admin&pwd=admin&
.060 31457 31519 E SHIX-jni: ####start write video data:47 00 0 0 95
.060 31457 31519 D SHIX-jni: ###StartCommandRecvThread
.065 31457 31523 E SHIX-jni: ###StartCommandRecvThread start!
.065 31457 31523 E SHIX-jni: ###StartCommandRecvThread 1
.065 31457 31523 E SHIX-jni: ###CommandRecvProcess 9999999999999999
.071 31457 31526 D SHIX-jni: ===============AlarmProcess==========================
.072 31457 31527 D SHIX-jni: zhao1==================PlaybackProcess==============
.351 31457 31523 E SHIX-jni: ###收据长度收完
.351 31457 31523 E SHIX-jni: ###StartCommandRecvThread PPPP_IndeedRead!111
.351 31457 31523 E SHIX-jni: ###收据长度收完
.351 31457 31523 E SHIX-jni: ###StartCommandRecvThread PPPP_IndeedRead!60a0 12 
.351 31457 31523 D SHIX-jni: ###Call ProcessCommand cmd: 24736, pbuf: result= 0;
.351 31457 31523 E SHIX-jni: ###zhaogenghuai---ProcessCheckUser result[0] type[0]
.352 31457 31523 E BridgeService: ###PPPPMsgNotify  did:ACCQXXXXXXXXXXX type:0 param:2
.352 31457 31523 D IpcamClientActivity: type:0 param:2
.353 31457 31523 E LOG     : NNN--zhaogenghuai devtype:0
.353 31457 31523 D SHIX-jni: ###Command recv: result= 0;
.353 31457 31523 E SHIX-jni: ###CommandRecvProcess 9999999999999999
.353 31457 31457 D test    : did==ACCQXXXXXXXXXXX  msgType=0
.359   654   853 I nanohub : osLog: [AR_CHRE] still: 100
.360 31457 31457 E SHIX-jni: ===============>>Java_object_p2pipcam_nativecaller_NativeCaller_PPPPGetSystemParams, START
.360 31457 31457 D SHIX-jni: PPPPSetSystemParams:enter
.360 31457 31457 D SHIX-jni: test_sd_format:admin,admin
.360 31457 31457 D SHIX-jni: DID: ACCQXXXXXXXXXXX, cgi_get_common: GET /get_status.cgi?loginuse=admin&loginpas=admin&user=admin&pwd=admin&
.360 31457 31457 E SHIX-jni: ####start write video data:47 00 95 95 95
.360 31457 31457 D SHIX-jni: PPPPSetSystemParams:leave
.360 31457 31457 E SHIX-jni: ===============>>Java_object_p2pipcam_nativecaller_NativeCaller_PPPPGetSystemParams, STOP
.361   654   853 I nanohub : osLog: [AR_CHRE] ON => IDLE
.415 31457 31523 E SHIX-jni: ###收据长度收完
.415 31457 31523 E SHIX-jni: ###StartCommandRecvThread PPPP_IndeedRead!111
.415 31457 31523 E SHIX-jni: ###收据长度收完
.415 31457 31523 E SHIX-jni: ###StartCommandRecvThread PPPP_IndeedRead!6001 66 
.415 31457 31523 D SHIX-jni: ###Call ProcessCommand cmd: 24577, pbuf: var deviceid="ACCQ-XXXXXX-XXXXX";
.415 31457 31523 D SHIX-jni: var sdtotal=0;
.415 31457 31523 D SHIX-jni: var sdfree=0;
.415 31457 31523 D SHIX-jni: szResult: ACCQ-XXXXXX-XXXXX
.416 31457 31523 D ddd     : CallBack_CameraStatusParams
.416 31457 31523 E LOG     : NNN--sysver:
.416 31457 31523 D SHIX-jni: ###Command recv: var deviceid="ACCQ-XXXXXX-XXXXX";
.416 31457 31523 D SHIX-jni: var sdtotal=0;
.416 31457 31523 D SHIX-jni: var sdfree=0;
.417 31457 31523 E SHIX-jni: ###CommandRecvProcess 9999999999999999
.362 31457 31457 I Choreographer: Skipped 59 frames!  The application may be doing too much work on its main thread.
.427 31457 31457 E LOG     : NNN--setBmp
.428 31457 31457 E LOG     : NNN--getBmp
.499 31457 31457 D test    : did==null  msgType=1021
.877 31457 31457 E MainActivity: 消失
.852 31487 31506 I ssioncontrolle: Waiting for a blocking GC ProfileSaver
.866 31487 31506 I ssioncontrolle: WaitForGcToComplete blocked ProfileSaver on AddRemoveAppImageSpace for 13.734ms
.618   663   663 E VibratorService: Setting amplitude  to: 3596
.619 31457 31457 E test    : 00000000
.619 31457 31457 E test    : 22222222
.619 31457 31457 D test    : 4444444444
.619 31457 31457 E LOG     : NNN--devType:0
.620 31457 31457 E LOG     : NNN--bean.getDevType():0
.621   928  2727 I ActivityTaskManager: START u0 {cmp=com.jxl.littlestars.project/com.tzh.ipcamera.view.VC.CameraPlayAty (has extras)} from uid 10012
.624   653   653 D QCOM PowerHAL: LAUNCH HINT: ON
.626   653   653 D QCOM PowerHAL: Activity launch hint handled
.629   928  2727 W ActivityTaskManager: Bad activity token: android.os.BinderProxy@2750cb2
.629   928  2727 W ActivityTaskManager: java.lang.ClassCastException: android.os.BinderProxy cannot be cast to com.android.server.wm.ActivityRecord$Token
.629   928  2727 W ActivityTaskManager: 	at com.android.server.wm.ActivityRecord.forTokenLocked(ActivityRecord.java:913)
.629   928  2727 W ActivityTaskManager: 	at com.android.server.wm.ActivityRecord.isInStackLocked(ActivityRecord.java:2558)
.629   928  2727 W ActivityTaskManager: 	at com.android.server.wm.ActivityTaskManagerService.overridePendingTransition(ActivityTaskManagerService.java:1870)
.629   928  2727 W ActivityTaskManager: 	at android.app.IActivityTaskManager$Stub.onTransact(IActivityTaskManager.java:2394)
.629   928  2727 W ActivityTaskManager: 	at android.os.Binder.execTransactInternal(Binder.java:1021)
.629   928  2727 W ActivityTaskManager: 	at android.os.Binder.execTransact(Binder.java:994)
.655 31457 31457 W ActivityThread: handleWindowVisibility: no activity for token android.os.BinderProxy@8d12d4f
.658 31457 31457 E LOG     : NNN--samper:8000
.659 31457 31457 D SHIX-jni: Java_object_p2pipcam_nativecaller_NativeCaller_StartPPPPLivestream:enter
.659 31457 31457 E SHIX-jni: ===============>>Java_object_p2pipcam_nativecaller_NativeCaller_StartPPPPLivestream, START
.659 31457 31457 E SHIX-jni: szFilename: 577
.659 31457 31457 D SHIX-jni: StartPPPPLivestream:enter
.659 31457 31457 D SHIX-jni: test_sd_format:admin,admin
.659 31457 31457 D SHIX-jni: DID: ACCQXXXXXXXXXXX, cgi_get_common: GET /livestream.cgi?streamid=20&filename=577&framerate=15&loginuse=admin&loginpas=admin&user=admin&pwd=admin&
.659 31457 31457 E SHIX-jni: ####start write video data:6d 00 190 190 133
.659 31457 31457 D SHIX-jni: StartPPPPLivestream:leave
.659 31457 31457 E SHIX-jni: ===============>>Java_object_p2pipcam_nativecaller_NativeCaller_StartPPPPLivestream, EXIT
.659 31457 31457 D SHIX-jni: Java_object_p2pipcam_nativecaller_NativeCaller_StartPPPPLivestream:leave
.758 31457 31457 E CameraPlayAty: cameraPlayAty  onCreate 
.759 31457 31457 E CameraPlayAty: lysurface height:810
.765   803   803 D NuPlayerDriver: NuPlayerDriver(0xf223b580) created, clientPid(31457)
.766   803   803 I Codec2Client: Creating a Codec2 client to service "software"
.767   803   803 I Codec2Client: Client to Codec2 service "software" created
.768   803   803 E AudioSystem: invalid attributes { Content type: AUDIO_CONTENT_TYPE_UNKNOWN Usage: AUDIO_USAGE_UNKNOWN Source: -1 Flags: 0x800 Tags:  } when converting to stream
.770   803 31535 D GenericSource: FileSource remote
.771   803 31535 E GenericSource: initFromDataSource, cannot create extractor!
.771   803 31535 E GenericSource: Failed to init from data source!
.772 31457 31475 E MediaPlayerNative: error (1, -2147483648)
.772 31457 31457 D MediaPlayer: create failed:
.772 31457 31457 D MediaPlayer: java.io.IOException: Prepare failed.: status=0x1
.772 31457 31457 D MediaPlayer: 	at android.media.MediaPlayer._prepare(Native Method)
.772 31457 31457 D MediaPlayer: 	at android.media.MediaPlayer.prepare(MediaPlayer.java:1274)
.772 31457 31457 D MediaPlayer: 	at android.media.MediaPlayer.create(MediaPlayer.java:977)
.772 31457 31457 D MediaPlayer: 	at android.media.MediaPlayer.create(MediaPlayer.java:948)
.772 31457 31457 D MediaPlayer: 	at com.tzh.ipcamera.presenter.Media.<init>(Media.java:16)
.772 31457 31457 D MediaPlayer: 	at com.tzh.ipcamera.view.VC.CameraPlayAty.widget_init(CameraPlayAty.java:559)
.772 31457 31457 D MediaPlayer: 	at com.tzh.ipcamera.view.VC.CameraPlayAty.onCreate(CameraPlayAty.java:428)
.772 31457 31457 D MediaPlayer: 	at android.app.Activity.performCreate(Activity.java:7802)
.772 31457 31457 D MediaPlayer: 	at android.app.Activity.performCreate(Activity.java:7791)
.772 31457 31457 D MediaPlayer: 	at android.app.Instrumentation.callActivityOnCreate(Instrumentation.java:1306)
.772 31457 31457 D MediaPlayer: 	at android.app.ActivityThread.performLaunchActivity(ActivityThread.java:3245)
.772 31457 31457 D MediaPlayer: 	at android.app.ActivityThread.handleLaunchActivity(ActivityThread.java:3409)
.772 31457 31457 D MediaPlayer: 	at android.app.servertransaction.LaunchActivityItem.execute(LaunchActivityItem.java:83)
.772 31457 31457 D MediaPlayer: 	at android.app.servertransaction.TransactionExecutor.executeCallbacks(TransactionExecutor.java:135)
.772 31457 31457 D MediaPlayer: 	at android.app.servertransaction.TransactionExecutor.execute(TransactionExecutor.java:95)
.772 31457 31457 D MediaPlayer: 	at android.app.ActivityThread$H.handleMessage(ActivityThread.java:2016)
.772 31457 31457 D MediaPlayer: 	at android.os.Handler.dispatchMessage(Handler.java:107)
.772 31457 31457 D MediaPlayer: 	at android.os.Looper.loop(Looper.java:214)
.772 31457 31457 D MediaPlayer: 	at android.app.ActivityThread.main(ActivityThread.java:7356)
.772 31457 31457 D MediaPlayer: 	at java.lang.reflect.Method.invoke(Native Method)
.772 31457 31457 D MediaPlayer: 	at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:492)
.772 31457 31457 D MediaPlayer: 	at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:930)
.782 31457 31457 E CameraPlayAty: CameraPlayActivity  OnCreate width:1080
.783 31457 31457 E SHIX-jni: ===============>>Java_object_p2pipcam_nativecaller_NativeCaller_PPPPGetSystemParams, START
.783 31457 31457 D SHIX-jni: PPPPSetSystemParams:enter
.783 31457 31457 D SHIX-jni: test_sd_format:admin,admin
.783 31457 31457 D SHIX-jni: DID: ACCQXXXXXXXXXXX, cgi_get_common: GET /get_params.cgi?loginuse=admin&loginpas=admin&user=admin&pwd=admin&
.783 31457 31457 E SHIX-jni: ####start write video data:47 00 323 323 95
.783 31457 31457 D SHIX-jni: PPPPSetSystemParams:leave
.784 31457 31457 E SHIX-jni: ===============>>Java_object_p2pipcam_nativecaller_NativeCaller_PPPPGetSystemParams, STOP
.784 31457 31457 E SHIX-jni: ===============>>Java_object_p2pipcam_nativecaller_NativeCaller_PPPPGetSystemParams, START
.784 31457 31457 D SHIX-jni: PPPPSetSystemParams:enter
.784 31457 31457 D SHIX-jni: test_sd_format:admin,admin
.784 31457 31457 D SHIX-jni: DID: ACCQXXXXXXXXXXX, cgi_get_common: GET /get_camera_params.cgi?loginuse=admin&loginpas=admin&user=admin&pwd=admin&
.784 31457 31457 E SHIX-jni: ####start write video data:4e 00 418 323 102
.784 31457 31457 D SHIX-jni: PPPPSetSystemParams:leave
.784 31457 31457 E SHIX-jni: ===============>>Java_object_p2pipcam_nativecaller_NativeCaller_PPPPGetSystemParams, STOP
.786 31457 31457 E CameraPlayAty: cameraPlayAty  onResume 
.788 31457 31457 E LOG     : NNN--HeatThread start 
.789 31457 31536 E LOG     : NNN--HeatThread 
.789 31457 31536 E SHIX-jni: ===============>>Java_object_p2pipcam_nativecaller_NativeCaller_TransferMessage, START
.789 31457 31536 D SHIX-jni: TransferMessage:enter
.789 31457 31536 D SHIX-jni: TransferMessage: GET /{"pro":"dev_control","cmd":102,"user":"admin","pwd":"admin","heart":1}
.789 31457 31536 E SHIX-jni: ####start write video data:4b 00 520 520 99
.789 31457 31536 D SHIX-jni: TransferMessage:leave
.789 31457 31536 E SHIX-jni: ===============>>Java_object_p2pipcam_nativecaller_NativeCaller_TransferMessage, STOP
.791 31457 31457 E SHIX-jni: ===============>>Java_object_p2pipcam_nativecaller_NativeCaller_TransferMessage, START
.791 31457 31457 D SHIX-jni: TransferMessage:enter
.791 31457 31457 D SHIX-jni: TransferMessage: GET //decoder_control.cgi?command=12&onestep=1&user=admin&pwd=admin
.791 31457 31457 E SHIX-jni: ####start write video data:43 00 619 520 91
.791 31457 31457 D SHIX-jni: TransferMessage:leave
.791 31457 31457 E SHIX-jni: ===============>>Java_object_p2pipcam_nativecaller_NativeCaller_TransferMessage, STOP
.791 31457 31457 E SHIX-jni: ===============>>Java_object_p2pipcam_nativecaller_NativeCaller_TransferMessage, START
.791 31457 31457 D SHIX-jni: TransferMessage:enter
.791 31457 31457 D SHIX-jni: TransferMessage: GET //decoder_control.cgi?command=17&onestep=1&user=admin&pwd=admin
.791 31457 31457 E SHIX-jni: ####start write video data:43 00 710 520 91
.791 31457 31457 D SHIX-jni: TransferMessage:leave
.791 31457 31457 E SHIX-jni: ===============>>Java_object_p2pipcam_nativecaller_NativeCaller_TransferMessage, STOP
.791 31457 31457 E SHIX-jni: ===============>>Java_object_p2pipcam_nativecaller_NativeCaller_PPPPGetSystemParams, START
.791 31457 31457 D SHIX-jni: PPPPSetSystemParams:enter
.791 31457 31457 D SHIX-jni: PPPPSetSystemParams:leave
.791 31457 31457 E SHIX-jni: ===============>>Java_object_p2pipcam_nativecaller_NativeCaller_PPPPGetSystemParams, STOP
.833 31457 31524 E SHIX-jni: ###收据长度收完
.833 31457 31524 E SHIX-jni: avhead.type
.834 31457 31538 D SHIX-jni: PlayThread:enter
.834 31457 31538 D SHIX-jni: videobuf is empty...
.841 31457 31538 I chatty  : uid=10012(com.jxl.littlestars.project) Thread-12 identical 10 lines
.842 31457 31538 D SHIX-jni: videobuf is empty...
.842  1849  1849 I GoogleInputMethodService: GoogleInputMethodService.onFinishInput():3341 
.843 31457 31538 D SHIX-jni: videobuf is empty...
.843 31457 31538 D SHIX-jni: videobuf is empty...
.843  1849  1849 I GoogleInputMethodService: GoogleInputMethodService.onStartInput():1906 
.844 31457 31538 D SHIX-jni: videobuf is empty...
.852 31457 31538 I chatty  : uid=10012(com.jxl.littlestars.project) Thread-12 identical 15 lines
.853 31457 31538 D SHIX-jni: videobuf is empty...
.853   653   653 D QCOM PowerHAL: LAUNCH HINT: OFF
.854 31457 31538 D SHIX-jni: videobuf is empty...
.854 31457 31524 E SHIX-jni: ###收据长度收完
.854 31457 31524 E SHIX-jni: ###videoFrame Num: 10500
.854 31457 31524 E SHIX-jni: ####start write video data:ff d8 0 0 7552
.854 31457 31538 E SHIX-jni: ###recive frame:ff ff d9 00 00 00 7532
.854 31457 31538 E CameraPlayAty: Call VideoData...h264Data: 0 len: 7532 videobuf len: 7532
.855 31457 31538 D SHIX-jni: videobuf is empty...

Now that looks like a traditional HTTP GET call, but I wasn’t able to capture any traffic with Charles that’d prove that correct.

Maybe someone looking at more logcats can help make one more step :smiley:

1 Like
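
Added example (not part of any post in this thread, and not code from the app): a small Python parser that pulls the `cgi_get_common` and `TransferMessage` requests out of a logcat capture like the one above and reports which of them carry credentials in the request itself. The sample lines are copied from the log in the post; the function names and the set of credential parameter names are choices made for this example.

```python
import json
import re
from urllib.parse import parse_qsl, urlsplit

# Sample lines copied from the logcat output in the post above,
# plus one non-request line to show that it is ignored.
SAMPLE_LOG = """\
.059 31457 31519 D SHIX-jni: DID: ACCQXXXXXXXXXXX, cgi_get_common: GET /check_user.cgi?loginuse=admin&loginpas=admin&user=admin&pwd=admin&
.659 31457 31457 D SHIX-jni: DID: ACCQXXXXXXXXXXX, cgi_get_common: GET /livestream.cgi?streamid=20&filename=577&framerate=15&loginuse=admin&loginpas=admin&user=admin&pwd=admin&
.789 31457 31536 D SHIX-jni: TransferMessage: GET /{"pro":"dev_control","cmd":102,"user":"admin","pwd":"admin","heart":1}
.791 31457 31457 D SHIX-jni: TransferMessage: GET //decoder_control.cgi?command=12&onestep=1&user=admin&pwd=admin
.854 31457 31538 D SHIX-jni: videobuf is empty...
"""

# The two log tags that precede a request target in this log.
REQUEST_RE = re.compile(r"(?:cgi_get_common|TransferMessage): GET (\S.*)$")

# Parameter names seen in the log that hold a user name or a password.
USER_KEYS = {"loginuse", "user"}
PASS_KEYS = {"loginpas", "pwd"}


def parse_requests(log_text):
    """Return one dict per logged request: endpoint, credentials, other params."""
    requests = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        # Some targets are logged with a doubled leading slash; normalise it
        # so urlsplit() does not mistake the file name for a network location.
        body = match.group(1).strip().lstrip("/")
        if body.startswith("{"):
            # JSON control message sent in place of a path.
            try:
                params = json.loads(body)
            except json.JSONDecodeError:
                params = {}
            endpoint = str(params.get("pro", "(json)"))
        else:
            parts = urlsplit("/" + body)
            endpoint = parts.path
            params = dict(parse_qsl(parts.query, keep_blank_values=True))
        creds = {k: str(v) for k, v in params.items()
                 if k in USER_KEYS | PASS_KEYS}
        other = {k: str(v) for k, v in params.items() if k not in creds}
        requests.append({"endpoint": endpoint,
                         "credentials": creds,
                         "params": other})
    return requests


def uses_default_login(creds):
    """True when every user and password field present is the literal 'admin'."""
    users = [v for k, v in creds.items() if k in USER_KEYS]
    passwords = [v for k, v in creds.items() if k in PASS_KEYS]
    return bool(users) and bool(passwords) and all(
        v == "admin" for v in users + passwords)


def summarize(requests):
    """Count requests, those carrying credentials, and those using admin/admin."""
    with_creds = [r for r in requests if r["credentials"]]
    return {
        "requests": len(requests),
        "with_credentials": len(with_creds),
        "default_admin_admin": sum(
            uses_default_login(r["credentials"]) for r in with_creds),
        "endpoints": [r["endpoint"] for r in requests],
    }


if __name__ == "__main__":
    parsed = parse_requests(SAMPLE_LOG)
    for req in parsed:
        print(req["endpoint"], sorted(req["credentials"]), req["params"])
    print(summarize(parsed))
```

On the sample, every request found carries the `admin`/`admin` pair, so anything that can read the app log or the decoded tunnel contents also sees the login.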

After some further examination, this device is indeed sending some data out to a “cloud”.
It looks like there’s a UDP tunnel created, and it communicates with HTTP calls inside that.

While it’s not sending the stream out as is, it clearly has the capability to do so.

Short traffic dump:

.566746 ethertype IPv4, IP ec2-13-52-88-103.us-west-1.compute.amazonaws.com.32100 > 192.168.0.1.28607: UDP, length 12
.566746 IP ec2-13-52-88-103.us-west-1.compute.amazonaws.com.32100 > 192.168.0.1.28607: UDP, length 12
.568836 IP ec2-13-52-88-103.us-west-1.compute.amazonaws.com.32100 > cam.iot.thevoid.28607: UDP, length 12
.569849 IP ec2-13-52-88-103.us-west-1.compute.amazonaws.com.32100 > cam.iot.thevoid.28607: UDP, length 12
.405371 ethertype IPv4, IP cam.iot.thevoid.28607 > 120.77.151.67.32100: UDP, length 48
.405371 IP cam.iot.thevoid.28607 > 120.77.151.67.32100: UDP, length 48
.405371 IP cam.iot.thevoid.28607 > 120.77.151.67.32100: UDP, length 48
.408891 IP 192.168.0.1.28607 > 120.77.151.67.32100: UDP, length 48
.410559 ethertype IPv4, IP cam.iot.thevoid.28607 > ec2-13-52-88-103.us-west-1.compute.amazonaws.com.32100: UDP, length 48
.410559 IP cam.iot.thevoid.28607 > ec2-13-52-88-103.us-west-1.compute.amazonaws.com.32100: UDP, length 48
.410567 ethertype IPv4, IP cam.iot.thevoid.28607 > ec2-18-132-184-248.eu-west-2.compute.amazonaws.com.32100: UDP, length 48
.410567 IP cam.iot.thevoid.28607 > ec2-18-132-184-248.eu-west-2.compute.amazonaws.com.32100: UDP, length 48
.410559 IP cam.iot.thevoid.28607 > ec2-13-52-88-103.us-west-1.compute.amazonaws.com.32100: UDP, length 48
.416339 IP 192.168.0.1.28607 > ec2-13-52-88-103.us-west-1.compute.amazonaws.com.32100: UDP, length 48
.410567 IP cam.iot.thevoid.28607 > ec2-18-132-184-248.eu-west-2.compute.amazonaws.com.32100: UDP, length 48
.418974 IP 192.168.0.1.28607 > ec2-18-132-184-248.eu-west-2.compute.amazonaws.com.32100: UDP, length 48
.462972 ethertype IPv4, IP ec2-18-132-184-248.eu-west-2.compute.amazonaws.com.32100 > 192.168.0.1.28607: UDP, length 12
.462972 IP ec2-18-132-184-248.eu-west-2.compute.amazonaws.com.32100 > 192.168.0.1.28607: UDP, length 12
.465071 IP ec2-18-132-184-248.eu-west-2.compute.amazonaws.com.32100 > cam.iot.thevoid.28607: UDP, length 12
.466088 IP ec2-18-132-184-248.eu-west-2.compute.amazonaws.com.32100 > cam.iot.thevoid.28607: UDP, length 12
.596576 ethertype IPv4, IP ec2-13-52-88-103.us-west-1.compute.amazonaws.com.32100 > 192.168.0.1.28607: UDP, length 12
.596576 IP ec2-13-52-88-103.us-west-1.compute.amazonaws.com.32100 > 192.168.0.1.28607: UDP, length 12
.598665 IP ec2-13-52-88-103.us-west-1.compute.amazonaws.com.32100 > cam.iot.thevoid.28607: UDP, length 12
.599681 IP ec2-13-52-88-103.us-west-1.compute.amazonaws.com.32100 > cam.iot.thevoid.28607: UDP, length 12

The app connects p2p indeed, and runs this sequence:

  • Am I a valid user?
  • Are you alive camera?
  • Give me stream.

Also, ran into this research: https://pierrekim.github.io/blog/2017-03-08-camera-goahead-0day.html#cloud - while not a full match (given like 4 years passed since), what I’m seeing is very similar.

2 Likes
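Added example, not part of the post above and not code from the app or the camera: one way to turn a tcpdump text capture in the format shown into a per-peer summary of what the camera exchanges with public hosts, which is the list a firewall rule or alert would be built from. The sample lines are excerpted from the dump in the post; `summarize` and `silent_peers` are names made up for this sketch, and decoding the address from `ec2-A-B-C-D...` relies on the standard EC2 public DNS naming.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Excerpt of the tcpdump lines posted above (same format, fewer lines).
SAMPLE_DUMP = """\
.405371 ethertype IPv4, IP cam.iot.thevoid.28607 > 120.77.151.67.32100: UDP, length 48
.405371 IP cam.iot.thevoid.28607 > 120.77.151.67.32100: UDP, length 48
.405371 IP cam.iot.thevoid.28607 > 120.77.151.67.32100: UDP, length 48
.408891 IP 192.168.0.1.28607 > 120.77.151.67.32100: UDP, length 48
.410559 IP cam.iot.thevoid.28607 > ec2-13-52-88-103.us-west-1.compute.amazonaws.com.32100: UDP, length 48
.410567 IP cam.iot.thevoid.28607 > ec2-18-132-184-248.eu-west-2.compute.amazonaws.com.32100: UDP, length 48
.462972 IP ec2-18-132-184-248.eu-west-2.compute.amazonaws.com.32100 > 192.168.0.1.28607: UDP, length 12
.465071 IP ec2-18-132-184-248.eu-west-2.compute.amazonaws.com.32100 > cam.iot.thevoid.28607: UDP, length 12
.598665 IP ec2-13-52-88-103.us-west-1.compute.amazonaws.com.32100 > cam.iot.thevoid.28607: UDP, length 12
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?:ethertype IPv4, )?IP (?P<src>\S+) > (?P<dst>\S+): UDP, length (?P<len>\d+)$"
)
EC2_RE = re.compile(r"^ec2-(\d+)-(\d+)-(\d+)-(\d+)\.")


def split_endpoint(endpoint):
    """tcpdump prints host.port; the port is the last dot-separated field."""
    host, port = endpoint.rsplit(".", 1)
    return host, int(port)


def to_ip(host):
    """Return an ip_address for literal IPs and EC2 public DNS names, else None."""
    m = EC2_RE.match(host)
    if m:
        return ip_address(".".join(m.groups()))
    try:
        return ip_address(host)
    except ValueError:
        return None  # some other resolved name; cannot classify it offline


def summarize(dump, device):
    """Per public (ip, port) peer: packets/bytes sent by and received by `device`."""
    seen = set()
    peers = defaultdict(lambda: {"out_pkts": 0, "out_bytes": 0, "in_pkts": 0, "in_bytes": 0})
    for line in dump.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        key = (m["ts"], m["src"], m["dst"], m["len"])
        if key in seen:  # same packet printed again (ethertype line, second interface)
            continue
        seen.add(key)
        (src_host, src_port), (dst_host, dst_port) = split_endpoint(m["src"]), split_endpoint(m["dst"])
        if src_host == device:
            direction, host, port = "out", dst_host, dst_port
        elif dst_host == device:
            direction, host, port = "in", src_host, src_port
        else:
            continue  # e.g. the router-side copy of a packet
        ip = to_ip(host)
        if ip is None or ip.is_private:
            continue
        counters = peers[(str(ip), port)]
        counters[direction + "_pkts"] += 1
        counters[direction + "_bytes"] += int(m["len"])
    return dict(peers)


def silent_peers(summary):
    """Peers the device keeps sending to without any reply in the capture."""
    return sorted(p for p, c in summary.items() if c["out_pkts"] and not c["in_pkts"])


if __name__ == "__main__":
    result = summarize(SAMPLE_DUMP, "cam.iot.thevoid")
    for peer, counters in sorted(result.items()):
        print(peer, counters)
    print("no reply seen from:", silent_peers(result))
```

Only exact duplicate lines are collapsed, so a packet captured on two interfaces with different timestamps is still counted twice.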

What a bounty! My intention has been to figure out how to trigger the streaming towards a specific LAN host. The information you have provided is very useful. In my case, I will obviously block the camera from reaching out to the public Internet (firewall).

We share the goal of getting this disconnected.
I haven’t tried blocking the connection - does it still work on your phone regardless?

I’m pursuing two options:
a) connect to the stream directly
The option to use anything standard seems to be lost, the longer route is still open however: building a custom client based on the decompiled APK Classes DEX. The resulting code is massive and difficult for me to interpret at the moment.
b) spoof online services - this however may not work as the data going out is not the stream from what it looks like.

When the camera is set in AP mode, the stream is sent directly to the phone, as both the phone and the camera are on the same Wi-Fi network; that is, no stream goes out to the public Internet. However, when the camera is hooked to another LAN, the camera tries to reach out to an Amazon service and then the stream gets mirrored down to the phone; the phone will not get the stream if the traffic does not leave the LAN (firewall). It is a shame I did not share all those captures and publish them as you did. I’ll try to get something done/sniffed this weekend. I have also tried the JTAG option, but that area turned out to be extremely experimental to me; I found no straightforward reverse engineering method.

1 Like

Oh cool - I haven’t considered the AP mode a viable option on my end as I can hardly see that scale. My idea is to hook this up in front of electricity and gas meters so I can automate a daily reading & actions to nudge the family to be more cautious and think about the environment (lol).

From what I understand there’s auth and device info sent out - that I may be able to spoof around to make the cam believe it’s getting a legit “yeah right” response, but that still leaves grabbing the stream itself hanging.

I’ll be sniffing some more and post details as they come around - while this definitely comes with a terrible ROI for one, the motivation is that should we be able to solve this puzzle, people can save cash as this looks like a great cheap general purpose device.

The Inside: I


Looks like this is an A9 v2 board - is this by any chance what you’re looking at on your end?
The chip matches to the description in your initial post - not sure how far we can go with an MCU like this though.

1 Like

Yours is V2 whilst mine is V1. The layout is similar although not 100% identical. The Beken chip is the same, although it seems yours is a newer batch than mine.

I looked into these in January, the only discussion I found of them was on a forum for another home automation product, so I put my findings there: https://www.domoticz.com/forum/viewtopic.php?p=264890#p264890 as well as some code on gitlab: https://gitlab.com/bettse/fake_hopeway

2 Likes

Hi Eric! Welcome to the Home Assistant community.

Do you find open ports when running nmap? I don’t on mine.

I have found a couple of interesting things:

  1. It seems the camera makes an OTA upgrade. When it boots it requests a rtthread.rbl from http://112.74.76.191/update_jxl_gc0309/rtthread.rbl More info on OTA Downloader: https://github.com/RT-Thread-packages/ota_downloader.
  2. The solution (cam + mobile app) makes use of an external service on the public Internet to bridge the two. Once they get bridged the communication becomes p2p between the two devices. If both are on the same LAN, the camera can be blocked on the firewall and the solution still works.
  3. The camera keeps a heartbeat signal with an external service. If the heartbeat is lost (e.g. camera blocked in the firewall) the camera automatically restarts every third minute. The solution still works.
  4. It seems the purpose of the external service is to configure the application on the phone.
  5. Access to the external service is not necessary once the solution gets bridged. This happens even if the phone and camera have no Internet access (both blocked on the firewall)
  6. If both devices are on the same LAN they communicate using local IP.
  7. All communication between app and cam is UDP.
  8. The cam starts with an ARP request searching for the peer.
  9. Although the app shows Connecting when initiated, it is actually waiting for a sort of “hello” package from the cam sent to port 26807.
  10. The phone starts with a UDP initiation package sent to the camera.

So it seems the key here is to find a way to inform the cam about the IP address to peer with.

The frustration so far:

  1. I do not know the streaming protocol.
  2. The payload is encrypted so I do not know how to simulate the communication with the external service to configure an alternative local IP and to simulate a heartbeat so the camera does not restart.

2 Likes

Hey all! Sorry to wake up such an old post, but I came across this thread while doing some related searches, and I can provide some light in the darkness here:

These cameras use the “PPPP” protocol. You can find a pretty thorough description [here]. Incidentally, that code will also let you examine the packets in human-readable format in wireshark.
Newer cameras use a form of encryption on top of this, using a relatively simple encryption scheme. While I do have full details on how this works, I promised the owner of that git repo (a security researcher) not to disclose that info until he publishes about it first. Older cameras should be using the protocol in plaintext.
If you want to learn more about the protocol (and its security problems), I can recommend [this site + talk]. It also contains some advice on how to use these (and similar) cameras without exposing it to the internet entirely.

I’m writing an extension to some open source software I work on, which will add support for both the encrypted and non-encrypted cameras, both over local network mode and “global P2P” modes, pretty soon! I already have auth, discovery, basic stream settings and retrieving an MJPEG stream completely operational, and am hoping to also get H264 mode working before I release this.

In short: stay tuned, using these without the annoying semi-chinese phone app will be a lot simpler soon. :slightly_smiling_face:

2 Likes

Still not much use for an open source community.

I don’t see how giving the complete documentation of the protocol as well as saying an open source implementation will be landing soon is “not much use”. Perhaps you’re using some obscure definition of “use” that I am not familiar with…?

2 Likes

Hi all,
I recently acquired the camera and started to explore the possibilities to add it to HA.
I used Wireshark to check the traffic. Unfortunately, it does not catch it all the time; it depends on the network config. So once Wireshark detected DTLS traffic from the cam. The camera communicates to 4 addresses on the internet: one is an NTP server, two are advertisements, and I don’t know what the fourth, an Alibaba IP, is. Anyway, the fw will prevent that traffic, so I am not worried a lot.
Anyway, I am stuck and I am sharing the Wireshark files in the hope it will help.
Succeeding in connecting this cam to HA will mean a lot to the community.
You can get the Wireshark files in here on Google Drive. If you need more info or help pls contact me

2 Likes

Hi guys, some info that I was able to extract from these A9 cameras, if it can help someone smarter than me ....

So to start, I have two different but almost identical cameras with the BK7252 chip, which use the "little stars" and "xiaodou" apk.
The printed circuits are slightly different and one of them has RX TX inscriptions, the other D0, CEN, VIO etc ...
I connected a USB-UART converter to RX / TX and launched a terminal (PuTTY or others): I have lots of things displayed!
The system is RT-Thread and I managed to do some cool experiments.
The command "Help" gives all the commands available:

>help

RT-Thread shell commands:
start_ap_direct - This is start_ap_direct
testLedDemo - This is testLedDemo
mac - set_or_read_mac
rxsens - do_rx_sens
txevm - do_tx_evm
video - video
wifi_demo - wifi_demo command
rfcali_show_data - rfcali show data
rfcali_cfg_tssi_g - rfcali cfg tssi
rfcali_cfg_rate_dist - rfcali cfg rate_dist
rfcali_cfg_mode - rfcali cfg mode
rfcali_cfg_tssi_b - rfcali cfg tssi
camera_param_test - camera_param_test
camera_anti_flicker_test - camera_fps_test
camera_fps_test - camera_fps_test
camera_ppi_test - camera_ppi_test
camera_effect_test - camera_effect_test
camera_contrast_test - camera_contrast_test
camera_flip_test - camera_flip_test
camera_bringtness_test - camera_bringtness_test
camera_inf_write_reg_value - camera_inf_write_reg_value
camera_inf_read_reg_value - camera_inf_read_reg_value
camera_reg_read_test - camera_reg_read_test
stopAudioEncoderStream - This is stopAudioEncoderStream
startAudioEncoderStream - This is startAudioEncoderStream
registAudioLiveStream - This is registAudioLiveStream
batteryDemo - This is batteryDemo
buttonServiceInit - This is buttonServiceInit
VideoTransferTcpStart - This is VideoTransferTcpStart
testFlash - This is testFlash
testBurn - This is testBurn
testFatctor - This is testFatctor
testOtaDemo - This is testOtaDemo
testTFCardOta - This is testTFCardOta
apMatchCancel - apMatchCancel
apMatchStart - apMatchStart
reBleConfigNet - reBleConfigNet command
destroyBle - destroyBle command
registerBle - registerBle command
testDevice - This is testDevice
testAppCheckOta - this is testAppCheckOta
testDeviceSearch - This is testDeviceSearch
testTFCard - This is testTFCard
stopVideoEncoderStream - This is stopVideoEncoderStream
startVideoEncoderStream - This is startVideoEncoderStream
registVideoLiveStream - This is registVideoLiveStream
audio_dump - audio_dump
wdg_stop - wdg_stop
wdg_refresh - wdg_refresh
wdg_start - wdg_start
reboot - reboot system
set_log - set_log on or off
stack - rt_hw_stack_print
resetenv - Reset all envrionment variable to default.
getvalue - Get an envrionment variable by name.
saveenv - Save all envrionment variables to flash.
printenv - Print all envrionment variables.
setenv - Set an envrionment variable.
netio_init - netio server
ntp_sync - Update time by NTP(Network Time Protocol)
ping - ping network host
ble_command - ble_command
bk_ble_netconfig_stop - bk_ble_netconfig_stop
bk_ble_netconfig_start - bk_ble_netconfig_start
ble_netconfig_sample - ble_netconfig_sample
button_test - button test
http_ota - OTA by http client: http_ota [url]
memtrace - dump memory trace information
list_fd - list file descriptor
list_device - list device in system
list_timer - list timer in system
list_mempool - list memory pool in system
list_memheap - list memory heap in system
list_msgqueue - list message queue in system
list_mailbox - list mail box in system
list_mutex - list mutex in system
list_event - list event in system
list_sem - list semaphore in system
list_thread - list thread
version - show RT-Thread version information
help - RT-Thread shell help.
free - Show the memory usage in the system.
time - Execute command with time.
ps - List threads in the system.
netstat - list the information of TCP / IP
dns - list the information of dns
ifconfig - list the information of network interfaces
echo - echo string to file
df - disk free
mkfs - format disk with file system
mkdir - Create the DIRECTORY.
pwd - Print the name of the current working directory.
cd - Change the shell working directory.
rm - Remove(unlink) the FILE(s).
cat - Concatenate FILE(s)
mv - Rename SOURCE to DEST.
cp - Copy SOURCE to DEST.
ls - List information about the FILEs.
fal - FAL (Flash Abstraction Layer) operate.
date - get date and time or set [year month day hour min sec]
wifi - wifi command
wifi help - Help information
wifi cfg SSID PASSWORD - Setting your router AP ssid and pwd
wifi - Do the default wifi action
wifi wlan_dev scan
wifi wlan_dev join SSID PASSWORD
wifi wlan_dev bjoin BSSID PASSWORD
wifi wlan_dev ap SSID [PASSWORD]
wifi wlan_dev up
wifi wlan_dev down
wifi wlan_dev rssi
wifi wlan_dev status

>printenv

user=user
ssid0=pdtest
passwd0=123456789
factoryflag=0
cchipupdate=0
workmode=ap
lowpower_onoff=0
systemvolume=86
username0=admin
userpasswd0=6666
username1=admin
userpasswd1=6666
recmode=1
airkissflag=1
reboot_reason=0
led_onoff=1

>netstat

0 0 0.0.0.0:32108 <==> 0.0.0.0:0
#1 0 0.0.0.0:17650 <==> 0.0.0.0:0
#2 4 0.0.0.0:68 <==> 0.0.0.0:67
#3 0 0.0.0.0:8600 <==> 0.0.0.0:0

>reboot

reboot system
\ | /
- RT - Thread Operating System
/ | \ 3.1.0 build Mar 6 2021
2006 - 2018 Copyright by rt-thread team
[FUNC]rwnxl_init
[bk]tx_txdesc_flush
[FUNC]calibration_main
get rfcali_mode:0
tssi_th:b-125, g-100
fit n20 tab with dist:2
fit n20 tab with dist:2
fit n20 tab with dist:2
txpwr table for ble ch0/19/39 inused
lpf_i & q in flash is:9, 10
xtal in flash is:25
xtal_cali:25
rwnx_tpc_pa_map_init
[FUNC]ps_init
[FUNC]func_init_extended OVER!!!
lwIP-2.0.2 initialized!
set dac vol:65 - indx:11,dig:30,ana:1a
set adc vol: 80 - 80
igmp_mac_filter add 224.0.0.1 01:00:5E:00:00:01
register station wlan device sucess!
igmp_mac_filter add 224.0.0.1 01:00:5E:00:00:01
register soft-ap wlan device sucess!
beken wlan hw init
drv_pm_init
[D/FAL] (fal_flash_init:63) Flash device | beken_onchip | addr: 0x00000000 | len: 0x00400000 | blk_size: 0x00001000 |initialized finish.
[D/FAL] (fal_flash_init:63) Flash device | beken_onchip_crc | addr: 0x00000000 | len: 0x00400000 | blk_size: 0x00001000 |initialized finish.
[D/FAL] (fal_partition_init:176) Find the partition table on ‘beken_onchip_crc’ offset @0x0000ed94.
[I/FAL] ==================== FAL partition table ====================
[I/FAL] | name | flash_dev | offset | length |
[I/FAL] -------------------------------------------------------------
[I/FAL] | bootloader | beken_onchip_crc | 0x00000000 | 0x0000f000 |
[I/FAL] | app | beken_onchip_crc | 0x00010000 | 0x00180000 |
[I/FAL] | download | beken_onchip | 0x001a9000 | 0x00253000 |
[I/FAL] | EasyFlash | beken_onchip | 0x003fc000 | 0x00002000 |
[I/FAL] | param2 | beken_onchip | 0x003fe000 | 0x00001000 |
[I/FAL] =============================================================
[I/FAL] RT-Thread Flash Abstraction Layer (V0.4.0) initialize success.
tc_entity_init
ROMFS File System initialized!
current app image name: app, version: 7252_CY_IPC_2103061400, timestamp: 1615010409
===sd card open:0===
msh />cmd 1:3
sdcard cmd 8 timeout,cmdresp_int_reg:0x84
cmd8 noresp, voltage mismatch or Ver1.X SD or not SD
sdcard cmd 37 timeout,cmdresp_int_reg:0x84
send cmd55 err:3
send cmd55&cmd41 err, quite loop
cmd 1:3
sdcard cmd 8 timeout,cmdresp_int_reg:0x84
cmd8 noresp, voltage mismatch or Ver1.X SD or not SD
sdcard cmd 37 timeout,cmdresp_int_reg:0x84
send cmd55 err:3
send cmd55&cmd41 err, quite loop
cmd 1:3
sdcard cmd 8 timeout,cmdresp_int_reg:0x84
cmd8 noresp, voltage mismatch or Ver1.X SD or not SD
sdcard cmd 37 timeout,cmdresp_int_reg:0x84
send cmd55 err:3
send cmd55&cmd41 err, quite loop
sdcard_open err
SD File System initialzation failed!
Enter normal mode…
app_init finished
[Flash]EasyFlash V3.0.4 is initialize success.
[Flash]You can get the latest version on GitHub - armink/EasyFlash: Lightweight IoT device information storage solution: KV/IAP/LOG. | 轻量级物联网设备信息存储方案:参数存储、在线升级及日志存储 ,全新一代版本请移步至 https://github.com/armink/FlashDB .
#

*
* Welcome to C-chip P2P IPC…
*
*
* C-chip AIOT Team
* Project Name : K9-IP-CAMERA
* Version : 0.0.2
* Date : Mar 6 2021 13:57:51

network interface: ap
MTU: 1500
MAC: fc 58 4a 05 a0 b1
FLAGS: UP LINK_DOWN ETHARP BROADCAST IGMP
ip address: 0.0.0.0
gw address: 0.0.0.0
net mask : 0.0.0.0
network interface: w0 (Default)
MTU: 1500
MAC: fc 58 4a 05 a0 b0
FLAGS: UP LINK_DOWN ETHARP BROADCAST IGMP
ip address: 0.0.0.0
gw address: 0.0.0.0
net mask : 0.0.0.0
dns server #0: 0.0.0.0
dns server #1: 0.0.0.0
[DRV_WLAN]drivers\wlan\drv_wlan.c L902 beken_wlan_control cmd: case WIFI_INIT!
_wifi_easyjoin: ssid:Livebox-LPG bssid:00:00:00:00:00:00 key:vanille01
start watch dog
rt_hw_wdg_start time=10000 threshold=5000
net 0 not ip up
[E/NTP]: ERROR no such host
[E/NTP]: ERROR no such host
[E/NTP]: ERROR no such host
1041 [ERROR cc_midware\tfcard_manage\tfcard_manage.c-isSdCardInserted:63]: TFCard not inserted!
1051 [ERROR cc_midware\hardware\manageOta\tfcardOta.c-tfcardOtaServiceTask:311]: TFCard is not inserted, no ota!
fast_connect
lr:2d681
1382: [sa_sta]MM_RESET_REQ
[bk]tx_txdesc_flush
[sa_sta]ME_CONFIG_REQ
rw_msg_send_me_config_req ps_on is 1
set_ps_mode_cfm:911 1 0 0
[sa_sta]ME_CHAN_CONFIG_REQ
[sa_sta]MM_START_REQ
bssid 8c-f8-13-49-63-ba
security2cipher 2 3 24 8 security=6
cipher2security 2 3 24 8
mm_add_if_req_handler:0
hapd_intf_add_vif,type:2, s:0, id:0
wpa_dInit
wpa_supplicant_req_scan
Setting scan request: 0.100000 sec
MANUAL_SCAN_REQ
wpa_supplicant_scan
Cancelling scan request
wpa_driver_associate
scan_start_req_handler
me_set_ps_disable:795 1 0 1 0 1
me_set_ps_disable_req_handler 1!!
me_set_ps_disable 0 1
me_set_ps_disable2 1 1
set_ps_mode_cfm:911 1 5 0
exit dtim ps!
sm_auth_send:1
sm_auth_handler
sm_assoc_rsp_handler
rc_init: station_id=0 format_mod=2 pre_type=0 short_gi=1 max_bw=0
rc_init: nss_max=0 mcs_max=7 r_idx_min=0 r_idx_max=3 no_samples=10
mm_set_vif_state_req_handler
chan_bcn_detect_start
---------SM_CONNECT_IND_ok
Not associated - Delay processing of received EAPOL frame (state=ASSOCIATING bssid=00:00:00:00:00:00 )
wpa_driver_assoc_cb
get_scan_rst_null
Cancelling scan request
get_scan_rst_null
hapd_intf_add_key CCMP
add sta_mgmt_get_sta
sta:0, vif:0, key:0
sta_mgmt_add_key
add hw key idx:24
add TKIP
add is_broadcast_ether_addr
sta:255, vif:0, key:2
add hw key idx:2
ctrl_port_hdl:1
me_set_ps_disable:795 0 1 0 0 4
dis set ps 4!!
sta_ip_start
configuring interface mlan (with DHCP client)
dhcp_check_status_init_timer
new dtim period:3
new ie: 0 : 4c 69 76 65 62 6f 78 2d 4c 50 47
new ie: 1 : 82 84 8b 96 c 12 18 24
new ie: 3 : 6
new ie: 2d : ad 1 1b ff ff 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 4 6 e4 a7 c 0
new ie: 30 : 1 0 0 f ac 2 2 0 0 f ac 4 0 f ac 2 1 0 0 f ac 2 c 0
IP UP: 192.168.17.168
[ip_up]:start tick = 1017, ip_up tick = 2222, total = 1205
------start enter ps mode—
first enable sleep
power_save_me_ps_first_set_state:582
me_send_ps_req 2 0 0
ps_keep_timer init
set_ps_mode_cfm:911 1 4 0
set listen dtim:1
enter 0 ps,p:3 m:1 int:100 l:1!
power_save_dtim_ps_init
* Create preload thread for 1 sessions
prevent sleep is 0
prevent sleep is 0
prevent sleep is 0
sleep_first 0
dtim period:3 multi:1
Battery voltage 4140mv 95%
video_transfer_init 3
video_transfer_main entry
video transfer send type:3
open I2C2
status:0
vbuf opened
ejpeg_hdl is DD_HANDLE_UNVALID
adc-buf:009011e8, adc-buf-len:5120, ch:1
audio_device_mic_opened
adc-buf:009011e8, adc-buf-len:5120, ch:1
set adc channel 1
audio_device_mic_set_channel:1
set adc sample rate 8000
audio_device_mic_set_rate:8000
set QVGA
GC0309 init finish
camera_intfer_init,a5a50003-a5a50005

Using "setenv" I put in my SSID and password, and the camera connected to my network (after a "saveenv" and a reboot)!

On the other hand, it is still impossible to interact with the camera. An analysis of the TCP / UDP ports does not return anything and Wireshark does not see any frame.

I then created an AP with an ESP8266, to which I added a DNS server which responds to all requests with the IP of my PC.
I then put the SSID of the AP in the camera + reboot, but again I was disappointed because even if the camera considers my PC as its gateway, I do not see any frame with Wireshark.

In short, I haven't made much progress and I publish these discoveries for those who, unlike me, know what to do and how to do it!!!

Sorry for the Google translation but I'm French and, as you know, French only can speak French ...

Tuyau2poil
7 Likes
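Added example, not part of the post above and not vendor code: a check of the FAL partition table printed in that boot log, useful before slicing a flash dump of this board into partitions. It assumes (this is not stated on the page) the commonly documented Beken layout in which a `_crc` flash device stores 2 CRC bytes after every 32 data bytes, so its offsets are logical and map to physical as `addr / 32 * 34`; the function names are made up for this sketch.

```python
import re

# Partition rows as printed in the boot log above.
BOOT_LOG = """\
[I/FAL] | name | flash_dev | offset | length |
[I/FAL] | bootloader | beken_onchip_crc | 0x00000000 | 0x0000f000 |
[I/FAL] | app | beken_onchip_crc | 0x00010000 | 0x00180000 |
[I/FAL] | download | beken_onchip | 0x001a9000 | 0x00253000 |
[I/FAL] | EasyFlash | beken_onchip | 0x003fc000 | 0x00002000 |
[I/FAL] | param2 | beken_onchip | 0x003fe000 | 0x00001000 |
"""
FLASH_SIZE = 0x00400000  # "len: 0x00400000" in the fal_flash_init lines

# Matches on the pipe-separated cells only, so log prefixes or leftover
# colour-code text around a row are ignored; the header row has no 0x cells.
ROW_RE = re.compile(
    r"\|\s*(\w+)\s*\|\s*(\w+)\s*\|\s*(0x[0-9a-fA-F]+)\s*\|\s*(0x[0-9a-fA-F]+)\s*\|"
)


def to_physical(addr, flash_dev):
    """Map a partition-table address to a raw flash address.

    ASSUMPTION: '*_crc' devices use 34 physical bytes per 32 logical bytes.
    """
    if flash_dev.endswith("_crc"):
        return addr // 32 * 34 + addr % 32
    return addr


def parse_layout(log_text):
    """Return partitions sorted by physical start, with half-open [start, end)."""
    parts = []
    for line in log_text.splitlines():
        m = ROW_RE.search(line)
        if not m:
            continue
        name, dev, offset, length = m.group(1), m.group(2), int(m.group(3), 16), int(m.group(4), 16)
        parts.append({
            "name": name,
            "dev": dev,
            "start": to_physical(offset, dev),
            "end": to_physical(offset + length, dev),
        })
    return sorted(parts, key=lambda p: p["start"])


def check_layout(parts, flash_size):
    """Report gaps and overlaps between neighbours and against the flash size."""
    findings = []
    for prev, nxt in zip(parts, parts[1:]):
        delta = nxt["start"] - prev["end"]
        if delta > 0:
            findings.append(("gap", prev["name"], nxt["name"], delta))
        elif delta < 0:
            findings.append(("overlap", prev["name"], nxt["name"], -delta))
    tail = flash_size - parts[-1]["end"]
    if tail:
        kind = "gap" if tail > 0 else "overflow"
        findings.append((kind, parts[-1]["name"], "end-of-flash", abs(tail)))
    return findings


if __name__ == "__main__":
    layout = parse_layout(BOOT_LOG)
    for p in layout:
        print(f'{p["name"]:<11} {p["dev"]:<17} 0x{p["start"]:06x}-0x{p["end"]:06x}')
    for finding in check_layout(layout, FLASH_SIZE):
        print(finding)
```

Under that assumption the `app` partition ends at physical 0x1a9000, exactly where `download` begins, and the table has no overlaps.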

Thank you very much, @Tuyau2poil !!

Good luck, my friend. :slight_smile:

1 Like

I’m just here to say thank you to you wonderful smart people for doing this! Bravo! :relaxed:

I’m not technically proficient at all but I so much appreciate and would so much like to have a third party safe app to see this camera from my PC or phone. (I want to use it to monitor stuff like faucets or wind drafts etc!) But I don’t like the very weird app “Little Stars” that makes it operate! Who knows where it’s sending the feed to! :stuck_out_tongue_closed_eyes:

I got an A9 camera. It has the following written on the circuit board (yes, I did open it and look, so my expertise ends there :grin:)

A9_L2-V5
210226

9-A9-V1
A8-GC030

Thank you again and I look forward to your continued efforts!

I mean I get the technical challenge of reverse engineering stuff, but why do you guys waste your time on garbage like that?

If you need a small camera that works with RTSP out of the box without RE anything, take a look at these Revotech ones. They look pretty nice, RTSP, ONVIF, PoE, decent lenses, 3MP. Haven’t tried them yet, but thinking of getting the pinhole one as a hidden doorcam.

1 Like

Please provide objective comments that contribute to the topic. Your proposal deviates from it.

3 Likes