Popular A9 mini Wi-Fi camera & the HA challenge

We share the goal of getting this disconnected.
I haven’t tried blocking the connection - does it still work on your phone regardless?

I’m pursuing two options:
a) connect to the stream directly
The option to use anything standard seems to be lost, the longer route is still open however: building a custom client based on the decompiled APK Classes DEX. The resulting code is massive and difficult for me to interpret at the moment.
b) spoof online services - this however may not work as the data going out is not the stream from what it looks like.

When the camera is set in AP mode the stream is sent directly to the phone as both, the phone and camera, are on same Wi-Fi network that is, no stream goes out to the public Internet however, when the camera is hooked to another LAN, then the camera tries to reach out an Amazon service and then the stream gets mirrored down to the phone; the phone will not get the stream if the traffic does not leave the LAN (firewall). It is a shame I did not share all those captures and published them as you did. I’ll try to get something done/sniffed this weekend. I have also tried the jtag option but that area turned out to be extremely experimental to me, no straight reverse engineering method I found.

Oh cool - I haven’t considered the AP mode a viable option on my end as I can hardly see that scale. My idea is to hook this up in front of electricity and gas meters so I can automate a daily reading & actions to nudge the family to be more cautious and think about the environment (lol).

From what I understand there’s auth and device info sent out - that I may be able to spoof around to make the cam believe it’s getting a legit “yeah right” response, but that still leaves grabbing the stream itself hanging.

I’ll be sniffing some more and post details as they come around - while this definitely comes with a terrible ROI for one, the motivation is that should we be able to solve this puzzle, people can save cash as this looks like a great cheap general purpose device.

The Inside: I

image3024×4032 2.3 MB

Yours is V2 whilst mine is V1. Layout is similar although no 100% identical. The Belken chip is the same although it seems yours is a newer batch than mine.

I looked into these in January, the only discussion I found of them was on a forum for another home automation product, so I put my findings there: https://www.domoticz.com/forum/viewtopic.php?p=264890#p264890 as well as some code on gitlab: https://gitlab.com/bettse/fake_hopeway

Hi Eric! Welcome to the Home Assistant community.

Do you find opened ports when running nmap? I don’t on mine.

I have found a couple of interesting things:

1. It seems the camera makes an OTA upgrade. When it boots it requests a rtthread.rbl from http://112.74.76.191/update_jxl_gc0309/rtthread.rbl More info on OTA Downloader: https://github.com/RT-Thread-packages/ota_downloader.
2. The solution (cam + mobile app) makes use of an external service on the public Internet to bridge the two. Once they get bridged the communication becomes p2p between the two devices. If both are on the same LAN, the camera can be blocked on the firewall and the solution still works.
3. The camera keeps a heartbeat signal with an external service. If the heartbeat is lost (e.g. camera blocked in the firewall) the camera automatically restarts every third minute. The solution still works.
4. It seems the purpose of the external service is to configure the application on the phone.
5. Access to the external service is not necessary once the solution gets bridged. This happens even if the phone and camera have no Internet access (both blocked on the firewall)
6. If both devices are on the same LAN they communicate using local IP.
7. All communication between app and cam is UDP.
   8) The cam starts with an ARP request searching for the peer.
   9) Although the app shows Connecting when initiated, it is actually waiting for a sort of “hello” package from the cam sent to port 26807.
8. The phone starts with a UDP initiation package sent to the camera.

So it seems the key here is to find a way to inform the cam about the IP address to peer with.

The frustration so far:

1. I do not know the streaming protocol.
2. The payload is encrypted so I do not know how to simulate the communication with the external service to configure an alternative local IP and to simulate a heartbeat so the camera does not restart.

Hey all! Sorry to wake up such an old post, but I came across this thread while doing some related searches, and I can provide some light in the darkness here:

These cameras use the “PPPP” protocol. You can find a pretty thorough description [here]. Incidentally, that code will also let you examine the packets in human-readable format in wireshark.
Newer cameras use a form of encryption on top of this, using a relatively simple encryption scheme. While I do have full details on how this works, I promised the owner of that git repo (a security researcher) not to disclose that info until he publishes about it first. Older cameras should be using the protocol in plaintext.
If you want to learn more about the protocol (and its security problems), I can recommend [this site + talk]. It also contains some advice on how to use these (and similar) cameras without exposing it to the internet entirely.

I’m writing an extension to some open source software I work on, which will add support for both the encrypted and non-encrypted cameras, both over local network mode and “global P2P” modes, pretty soon! I already have auth, discovery, basic stream settings and retrieving an MJPEG stream completely operational, and am hoping to also get H264 mode working before I release this.

In short: stay tuned, using these without the annoying semi-chinese phone app will be a lot simpler soon.

Still not much use for an open source community.

I don’t see how giving the complete documentation of the protocol as well as saying an open source implementation will be landing soon is “not much use”. Perhaps you’re using some obscure definition of “use” that I am not familiar with…?

HI all,
I recently acquired the camera and started to explore the possibilities to add it to HA.
I used Wireshark to check the traffic. Unfortunately, it does not catch it all the time, it depends on the network config. So once Wireshark detected DTLS traffic from the cam. The camera communicates to 4 addresses on the internet, one is NTP server, two are ad advertisements, and don’t know what is the fourth Alibaba IP. Anyway, the fw will prevent that traffic, so I am not worried a lot.
Anyway, I am stuck and I am sharing the Wireshark files in the hope it will help.
Succeeding in connecting this cam to HA will mean a lot to the community.
You can get the Wireshark files in here on Google Drive. If you need more info or help pls contact me

hi guys, some info that I was able to extract from these A9 cameras: if it can help someone smarter than me ....

so to start I have two different cameras, but almost identical with the BK7252 chip which use the "little stars" and "xiaodou" apk.
the printed circuits are slightly different and one of them has RX TX inscriptions. the other D0, CEN, VIO etc ...
I connected a USB-UART converter to RX / TX and launched a terminal (putty or others): I have lots of things displayed!
the system is RT-Thread and I managed to do some cool experiments.
the command "Help" gives all the commands available:

>help

_{RT-Thread shell commands:
start_ap_direct - This is start_ap_direct
testLedDemo - This is testLedDemo
mac - set_or_read_mac
rxsens - do_rx_sens
txevm - do_tx_evm
video - video
wifi_demo - wifi_demo command
rfcali_show_data - rfcali show data
rfcali_cfg_tssi_g - rfcali cfg tssi
rfcali_cfg_rate_dist - rfcali cfg rate_dist
rfcali_cfg_mode - rfcali cfg mode
rfcali_cfg_tssi_b - rfcali cfg tssi
camera_param_test - camera_param_test
camera_anti_flicker_test - camera_fps_test
camera_fps_test - camera_fps_test
camera_ppi_test - camera_ppi_test
camera_effect_test - camera_effect_test
camera_contrast_test - camera_contrast_test
camera_flip_test - camera_flip_test
camera_bringtness_test - camera_bringtness_test
camera_inf_write_reg_value - camera_inf_write_reg_value
camera_inf_read_reg_value - camera_inf_read_reg_value
camera_reg_read_test - camera_reg_read_test
stopAudioEncoderStream - This is stopAudioEncoderStream
startAudioEncoderStream - This is startAudioEncoderStream
registAudioLiveStream - This is registAudioLiveStream
batteryDemo - This is batteryDemo
buttonServiceInit - This is buttonServiceInit
VideoTransferTcpStart - This is VideoTransferTcpStart
testFlash - This is testFlash
testBurn - This is testBurn
testFatctor - This is testFatctor
testOtaDemo - This is testOtaDemo
testTFCardOta - This is testTFCardOta
apMatchCancel - apMatchCancel
apMatchStart - apMatchStart
reBleConfigNet - reBleConfigNet command
destroyBle - destroyBle command
registerBle - registerBle command
testDevice - This is testDevice
testAppCheckOta - this is testAppCheckOta
testDeviceSearch - This is testDeviceSearch
testTFCard - This is testTFCard
stopVideoEncoderStream - This is stopVideoEncoderStream
startVideoEncoderStream - This is startVideoEncoderStream
registVideoLiveStream - This is registVideoLiveStream
audio_dump - audio_dump
wdg_stop - wdg_stop
wdg_refresh - wdg_refresh
wdg_start - wdg_start
reboot - reboot system
set_log - set_log on or off
stack - rt_hw_stack_print
resetenv - Reset all envrionment variable to default.
getvalue - Get an envrionment variable by name.
saveenv - Save all envrionment variables to flash.
printenv - Print all envrionment variables.
setenv - Set an envrionment variable.
netio_init - netio server
ntp_sync - Update time by NTP(Network Time Protocol)
ping - ping network host
ble_command - ble_command
bk_ble_netconfig_stop - bk_ble_netconfig_stop
bk_ble_netconfig_start - bk_ble_netconfig_start
ble_netconfig_sample - ble_netconfig_sample
button_test - button test
http_ota - OTA by http client: http_ota [url]
memtrace - dump memory trace information
list_fd - list file descriptor
list_device - list device in system
list_timer - list timer in system
list_mempool - list memory pool in system
list_memheap - list memory heap in system
list_msgqueue - list message queue in system
list_mailbox - list mail box in system
list_mutex - list mutex in system
list_event - list event in system
list_sem - list semaphore in system
list_thread - list thread
version - show RT-Thread version information
help - RT-Thread shell help.
free - Show the memory usage in the system.
time - Execute command with time.
ps - List threads in the system.
netstat - list the information of TCP / IP
dns - list the information of dns
ifconfig - list the information of network interfaces
echo - echo string to file
df - disk free
mkfs - format disk with file system
mkdir - Create the DIRECTORY.
pwd - Print the name of the current working directory.
cd - Change the shell working directory.
rm - Remove(unlink) the FILE(s).
cat - Concatenate FILE(s)
mv - Rename SOURCE to DEST.
cp - Copy SOURCE to DEST.
ls - List information about the FILEs.
fal - FAL (Flash Abstraction Layer) operate.
date - get date and time or set [year month day hour min sec]
wifi - wifi command
wifi help - Help information
wifi cfg SSID PASSWORD - Setting your router AP ssid and pwd
wifi - Do the default wifi action
wifi wlan_dev scan
wifi wlan_dev join SSID PASSWORD
wifi wlan_dev bjoin BSSID PASSWORD
wifi wlan_dev ap SSID [PASSWORD]
wifi wlan_dev up
wifi wlan_dev down
wifi wlan_dev rssi
wifi wlan_dev status}

>printenv

_{user=user
ssid0=pdtest
passwd0=123456789
factoryflag=0
cchipupdate=0
workmode=ap
lowpower_onoff=0
systemvolume=86
username0=admin
userpasswd0=6666
username1=admin
userpasswd1=6666
recmode=1
airkissflag=1
reboot_reason=0
led_onoff=1}

>netstat

_{0 0 0.0.0.0:32108 <==> 0.0.0.0:0
#1 0 0.0.0.0:17650 <==> 0.0.0.0:0
#2 4 0.0.0.0:68 <==> 0.0.0.0:67
#3 0 0.0.0.0:8600 <==> 0.0.0.0:0}

>reboot

<sub>reboot system
\ | /
- RT - Thread Operating System
/ | \ 3.1.0 build Mar 6 2021
2006 - 2018 Copyright by rt-thread team
[FUNC]rwnxl_init
[bk]tx_txdesc_flush
[FUNC]calibration_main
get rfcali_mode:0
tssi_th:b-125, g-100
fit n20 tab with dist:2
fit n20 tab with dist:2
fit n20 tab with dist:2
txpwr table for ble ch0/19/39 inused
lpf_i & q in flash is:9, 10
xtal in flash is:25
xtal_cali:25
rwnx_tpc_pa_map_init
[FUNC]ps_init
[FUNC]func_init_extended OVER!!!
lwIP-2.0.2 initialized!
set dac vol:65 - indx:11,dig:30,ana:1a
set adc vol: 80 - 80
igmp_mac_filter add 224.0.0.1 01:00:5E:00:00:01
register station wlan device sucess!
igmp_mac_filter add 224.0.0.1 01:00:5E:00:00:01
register soft-ap wlan device sucess!
beken wlan hw init
drv_pm_init
[D/FAL] (fal_flash_init:63) Flash device | beken_onchip | addr: 0x00000000 | len: 0x00400000 | blk_size: 0x00001000 |initialized finish.
[D/FAL] (fal_flash_init:63) Flash device | beken_onchip_crc | addr: 0x00000000 | len: 0x00400000 | blk_size: 0x00001000 |initialized finish.
[D/FAL] (fal_partition_init:176) Find the partition table on ‘beken_onchip_crc’ offset @0x0000ed94.
[32;22m[I/FAL] ==================== FAL partition table ==================== [0m
[32;22m[I/FAL] | name | flash_dev | offset | length | [0m
[32;22m[I/FAL] ------------------------------------------------------------- [0m
[32;22m[I/FAL] | bootloader | beken_onchip_crc | 0x00000000 | 0x0000f000 | [0m
[32;22m[I/FAL] | app | beken_onchip_crc | 0x00010000 | 0x00180000 | [0m
[32;22m[I/FAL] | download | beken_onchip | 0x001a9000 | 0x00253000 | [0m
[32;22m[I/FAL] | EasyFlash | beken_onchip | 0x003fc000 | 0x00002000 | [0m
[32;22m[I/FAL] | param2 | beken_onchip | 0x003fe000 | 0x00001000 | [0m
[32;22m[I/FAL] ============================================================= [0m
[32;22m[I/FAL] RT-Thread Flash Abstraction Layer (V0.4.0) initialize success. [0m
tc_entity_init
ROMFS File System initialized!
current app image name: app, version: 7252_CY_IPC_2103061400, timestamp: 1615010409
===sd card open:0===
msh />cmd 1:3
sdcard cmd 8 timeout,cmdresp_int_reg:0x84
cmd8 noresp, voltage mismatch or Ver1.X SD or not SD
sdcard cmd 37 timeout,cmdresp_int_reg:0x84
send cmd55 err:3
send cmd55&cmd41 err, quite loop
cmd 1:3
sdcard cmd 8 timeout,cmdresp_int_reg:0x84
cmd8 noresp, voltage mismatch or Ver1.X SD or not SD
sdcard cmd 37 timeout,cmdresp_int_reg:0x84
send cmd55 err:3
send cmd55&cmd41 err, quite loop
cmd 1:3
sdcard cmd 8 timeout,cmdresp_int_reg:0x84
cmd8 noresp, voltage mismatch or Ver1.X SD or not SD
sdcard cmd 37 timeout,cmdresp_int_reg:0x84
send cmd55 err:3
send cmd55&cmd41 err, quite loop
sdcard_open err
SD File System initialzation failed!
Enter normal mode…
app_init finished
[Flash]EasyFlash V3.0.4 is initialize success.
[Flash]You can get the latest version on GitHub - armink/EasyFlash: Lightweight IoT device information storage solution: KV/IAP/LOG. | 轻量级物联网设备信息存储方案：参数存储、在线升级及日志存储 ，全新一代版本请移步至 https://github.com/armink/FlashDB .
#

*
* Welcome to C-chip P2P IPC…
*
*
* C-chip AIOT Team
* Project Name : K9-IP-CAMERA
* Version : 0.0.2
* Date : Mar 6 2021 13:57:51

network interface: ap
MTU: 1500
MAC: fc 58 4a 05 a0 b1
FLAGS: UP LINK_DOWN ETHARP BROADCAST IGMP
ip address: 0.0.0.0
gw address: 0.0.0.0
net mask : 0.0.0.0
network interface: w0 (Default)
MTU: 1500
MAC: fc 58 4a 05 a0 b0
FLAGS: UP LINK_DOWN ETHARP BROADCAST IGMP
ip address: 0.0.0.0
gw address: 0.0.0.0
net mask : 0.0.0.0
dns server #0: 0.0.0.0
dns server #1: 0.0.0.0
[DRV_WLAN]drivers\wlan\drv_wlan.c L902 beken_wlan_control cmd: case WIFI_INIT!
_wifi_easyjoin: ssid:Livebox-LPG bssid:00:00:00:00:00:00 key:vanille01
start watch dog
rt_hw_wdg_start time=10000 threshold=5000
net 0 not ip up
[31;22m[E/NTP]: ERROR no such host [0m
[31;22m[E/NTP]: ERROR no such host [0m
[31;22m[E/NTP]: ERROR no such host [0m
1041 [ [1;31mERROR [0m cc_midware\tfcard_manage\tfcard_manage.c-isSdCardInserted:63]: [0m TFCard not inserted!
1051 [ [1;31mERROR [0m cc_midware\hardware\manageOta\tfcardOta.c-tfcardOtaServiceTask:311]: [0m TFCard is not inserted, no ota!
fast_connect
lr:2d681
1382: [sa_sta]MM_RESET_REQ
[bk]tx_txdesc_flush
[sa_sta]ME_CONFIG_REQ
rw_msg_send_me_config_req ps_on is 1
set_ps_mode_cfm:911 1 0 0
[sa_sta]ME_CHAN_CONFIG_REQ
[sa_sta]MM_START_REQ
bssid 8c-f8-13-49-63-ba
security2cipher 2 3 24 8 security=6
cipher2security 2 3 24 8
mm_add_if_req_handler:0
hapd_intf_add_vif,type:2, s:0, id:0
wpa_dInit
wpa_supplicant_req_scan
Setting scan request: 0.100000 sec
MANUAL_SCAN_REQ
wpa_supplicant_scan
Cancelling scan request
wpa_driver_associate
scan_start_req_handler
me_set_ps_disable:795 1 0 1 0 1
me_set_ps_disable_req_handler 1!!
me_set_ps_disable 0 1
me_set_ps_disable2 1 1
set_ps_mode_cfm:911 1 5 0
exit dtim ps!
sm_auth_send:1
sm_auth_handler
sm_assoc_rsp_handler
rc_init: station_id=0 format_mod=2 pre_type=0 short_gi=1 max_bw=0
rc_init: nss_max=0 mcs_max=7 r_idx_min=0 r_idx_max=3 no_samples=10
mm_set_vif_state_req_handler
chan_bcn_detect_start
---------SM_CONNECT_IND_ok
Not associated - Delay processing of received EAPOL frame (state=ASSOCIATING bssid=00:00:00:00:00:00 )
wpa_driver_assoc_cb
get_scan_rst_null
Cancelling scan request
get_scan_rst_null
hapd_intf_add_key CCMP
add sta_mgmt_get_sta
sta:0, vif:0, key:0
sta_mgmt_add_key
add hw key idx:24
add TKIP
add is_broadcast_ether_addr
sta:255, vif:0, key:2
add hw key idx:2
ctrl_port_hdl:1
me_set_ps_disable:795 0 1 0 0 4
dis set ps 4!!
sta_ip_start
configuring interface mlan (with DHCP client)
dhcp_check_status_init_timer
new dtim period:3
new ie: 0 : 4c 69 76 65 62 6f 78 2d 4c 50 47
new ie: 1 : 82 84 8b 96 c 12 18 24
new ie: 3 : 6
new ie: 2d : ad 1 1b ff ff 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 4 6 e4 a7 c 0
new ie: 30 : 1 0 0 f ac 2 2 0 0 f ac 4 0 f ac 2 1 0 0 f ac 2 c 0
IP UP: 192.168.17.168
[ip_up]:start tick = 1017, ip_up tick = 2222, total = 1205
------start enter ps mode—
first enable sleep
power_save_me_ps_first_set_state:582
me_send_ps_req 2 0 0
ps_keep_timer init
set_ps_mode_cfm:911 1 4 0
set listen dtim:1
enter 0 ps,p:3 m:1 int:100 l:1!
power_save_dtim_ps_init
* Create preload thread for 1 sessions
prevent sleep is 0
prevent sleep is 0
prevent sleep is 0
sleep_first 0
dtim period:3 multi:1
Battery voltage 4140mv 95%
video_transfer_init 3
video_transfer_main entry
video transfer send type:3
open I2C2
status:0
vbuf opened
ejpeg_hdl is DD_HANDLE_UNVALID
adc-buf:009011e8, adc-buf-len:5120, ch:1
audio_device_mic_opened
adc-buf:009011e8, adc-buf-len:5120, ch:1
set adc channel 1
audio_device_mic_set_channel:1
set adc sample rate 8000
audio_device_mic_set_rate:8000
set QVGA
GC0309 init finish
camera_intfer_init,a5a50003-a5a50005</sub>

using "setenv" i put my SSID and password, and the camera connected to my network!
 (after a "saveenv" and a reboot.)
  
 On the other hand, still impossible to interact with the camera. an analysis of the TCP / UDP ports does not return anything and Wireshark does not see any frame.
 
 I then created an AP with an ESP8266, to which I added a DNS server which responds to all requests by the IP of my PC.
 I then put the SSID of the AP in the camera + reboot but again I was disappointed because even if the camera considers my PC as its gateway, I do not see any frame with wireshark.
 
 in short, I haven't made much progress and I publish these discoveries for those who, unlike me, know what to do and how to do !!!
 
 sorry for the google translation but i'm french and as you know french only can speak french ...
 
 Tuyau2poil

Merci beaucoup, @Tuyau2poil !!

Bon chance, mon amis.

I’m just here to say thank you to you wonderful smart people for doing this! Bravo!

I’m not technically proficient at all but I so much appreciate and would so much like to have a third party safe app to see this camera from my PC or phone. I want to use it to monitor stuff like faucets or wind drafts etc!) but I don’t like the very weird apps “Little Stars” that makes it operate! Who knows where its sending the feed to!

I got an A9 camera. It has following written on the circuit board (yes I did open and looked so my expertise ends there )

A9_L2-V5
210226

9-A9-V1
A8-GC030

Thank you again and I look forward to your continued efforts!

I mean I get the technical challenge of reverse engineering stuff, but why do you guys waste your time on garbage like that ?

If you need a small camera that works with RTSP out of the box without RE anything, take a look at these Revotech ones. They look pretty nice, RTSP, ONVIF, PoE, decent lenses, 3MP. Haven’t tried them yet, but thinking of getting the pinhole one as a hidden doorcam.

Please provide objective comments that contribute to the topic. Your proposal deviates from it.

I also have a camera like yours, but it seems to be a different version. It connects to the “Little Stars” android app, and I can’t seem to get a local RTSP stream to make any use of it.
I can see the following on the board: “E-WF-19-V1.3”. The chip has no identification, and its wifi AP starts with “ACCQ”.
I tried the “.ini” file method with no success.

I was wondering if it is possible to reflash it with a more customizable firmware (and one that does not go to their weird cloud)

image960×1280 102 KB

image960×1280 104 KB

I’m watching this thread for any good ideas on that. Thank you!

If your cam use “little stars” I’m afraid there’s no solution (at this time). it’s typicaly A9 series with only cloud and phone connexion.
For those looking for a camera directly connected to the PC, there is a model
which uses the HD WIFICAM PRO application. It is identical to the cameras mentioned in this post,
but does not use the same chipset or the same firmware, moreover it costs the same price!
(ex: Mini caméra de surveillance IP WiFi HD 1080P, avec Vision nocturne, détection de mouvement, moniteur à distance avec support magnétique | AliExpress )
to retrieve the stream in a file, the easiest way is to use FFMPEG with the following syntax:
ffmpeg.exe -i “http://192.168.xxx.yyy:81/livestream.cgi?user=xxxxxxx&pwd=yyyyyyy&streamid=0&audio=0” -c:v libx264 -f matroska “c:\temp\outFile.mkv”
the problem is that the camera films continuously: the alarms only concern the storage on the SD card.
we would have to find a way to listen to the notifications of the camera and launch the capture accordingly.
I will look into the subject … If somebody knows a soft (for windows) to accomplish that thanks to share !
for the IP address, you can look at the DHCP of your Wifi router, possibly configure a reservation (dhcp lease) in order to have the same IP all the time.
otherwise use “advanced IP Scanner” and you should find your camera in the list quickly. (mine has a MAC 44: 01: BB: XX: YY: ZZ which corresponds to “SHENZHEN BILIAN ELECTRONIC CO. ， LTD”)
once the IP is known I recommend the “AnyCam” software which will do all the work for you by trying all possible and imaginable URLs!
note that these tools are free and you can use them for any type of camera.
hope this help…

If your cam use “little stars” I’m afraid there’s no solution

I think that is why they are calling this the “challenge”

If it was easy then well even I could do it as you’ve posted

why do you guys waste your time on garbage like that

Sorry but I don’t get how describing anything that you cannot hack into as “garbage” is helpful?

How do you define “garbage” hardware? Just because something is “cheap” to someone does not mean it’s garbage

Hardware that doesn’t work for its intended purpose. I had one of these camera things years ago. Not the exact same brand as discussed here, but they’re all based on the same cloned base anyway give or take a few variations. It was complete garbage. The image quality was worse than some 10 year old 720p DLink I still had around and that was already low end. It was a useless pixelated mess. And after a week or so it died.

This is not about being able to hack it or not, it’s just that the quality of these things is abysmal. The sensors they use are from the bottom of the scrap barrel: QA rejected devices (that would otherwise go to the landfill), stocks of unsold last-last-last-generation chips they bought in bulk for cheap, rebranded ‘scrapware’ chips (unsoldered from discarded old devices), etc. These cameras are basically trojan horses. They sell these for ‘cheap’ (they’re not actually that cheap if you think about it) to get you to install their malware ridden phone app. Sure, if you want to hack them and somehow get a local stream out of them, go ahead. I won’t tell you how to spend your free time. It will be a stream of crappy quality video though. And you can get decent RTSP / ONVIF cameras for the same price or slightly above.

OT I know, but you asked for my opinion, here it is.