Popular A9 mini Wi-Fi camera & the HA challenge

mb_EQNvD3CjP · February 6, 2021, 3:33pm

We share the goal of getting this disconnected.
I haven’t tried blocking the connection - does it still work on your phone regardless?

I’m pursuing two options:
a) connect to the stream directly
The option to use anything standard seems to be lost, the longer route is still open however: building a custom client based on the decompiled APK Classes DEX. The resulting code is massive and difficult for me to interpret at the moment.
b) spoof online services - this however may not work as the data going out is not the stream from what it looks like.

Tamadite · February 6, 2021, 4:20pm

When the camera is set in AP mode the stream is sent directly to the phone as both, the phone and camera, are on same Wi-Fi network that is, no stream goes out to the public Internet however, when the camera is hooked to another LAN, then the camera tries to reach out an Amazon service ~~and then the stream gets mirrored down to the phone; the phone will not get the stream if the traffic does not leave the LAN (firewall)~~. It is a shame I did not share all those captures and published them as you did. I’ll try to get something done/sniffed this weekend. I have also tried the jtag option but that area turned out to be extremely experimental to me, no straight reverse engineering method I found.

mb_EQNvD3CjP · February 6, 2021, 7:49pm

Oh cool - I haven’t considered the AP mode a viable option on my end as I can hardly see that scale. My idea is to hook this up in front of electricity and gas meters so I can automate a daily reading & actions to nudge the family to be more cautious and think about the environment (lol).

From what I understand there’s auth and device info sent out - that I may be able to spoof around to make the cam believe it’s getting a legit “yeah right” response, but that still leaves grabbing the stream itself hanging.

I’ll be sniffing some more and post details as they come around - while this definitely comes with a terrible ROI for one, the motivation is that should we be able to solve this puzzle, people can save cash as this looks like a great cheap general purpose device.

The Inside: I

Looks like this is an A9 v2 board - is this by any chance what you’re looking at on your end?
The chip matches to the description in your initial post - not sure how far we can go with an MCU like this though.

Tamadite · February 7, 2021, 2:48pm

Yours is V2 whilst mine is V1. Layout is similar although no 100% identical. The Belken chip is the same although it seems yours is a newer batch than mine.

bettse · March 13, 2021, 4:14am

I looked into these in January, the only discussion I found of them was on a forum for another home automation product, so I put my findings there: https://www.domoticz.com/forum/viewtopic.php?p=264890#p264890 as well as some code on gitlab: https://gitlab.com/bettse/fake_hopeway

Tamadite · March 14, 2021, 11:22am

Hi Eric! Welcome to the Home Assistant community.

Do you find opened ports when running nmap? I don’t on mine.

I have found a couple of interesting things:

It seems the camera makes an OTA upgrade. When it boots it requests a rtthread.rbl from http://112.74.76.191/update_jxl_gc0309/rtthread.rbl More info on OTA Downloader: https://github.com/RT-Thread-packages/ota_downloader.
The solution (cam + mobile app) makes use of an external service on the public Internet to bridge the two. Once they get bridged the communication becomes p2p between the two devices. If both are on the same LAN, the camera can be blocked on the firewall and the solution still works.
The camera keeps a heartbeat signal with an external service. If the heartbeat is lost (e.g. camera blocked in the firewall) the camera automatically restarts every third minute. The solution still works.
It seems the purpose of the external service is to configure the application on the phone.
Access to the external service is not necessary once the solution gets bridged. This happens even if the phone and camera have no Internet access (both blocked on the firewall)
If both devices are on the same LAN they communicate using local IP.
All communication between app and cam is UDP.
~~8) The cam starts with an ARP request searching for the peer.~~
~~9) Although the app shows Connecting when initiated, it is actually waiting for a sort of “hello” package from the cam sent to port 26807.~~
The phone starts with a UDP initiation package sent to the camera.

So it seems the key here is to find a way to inform the cam about the IP address to peer with.

The frustration so far:

I do not know the streaming protocol.
The payload is encrypted so I do not know how to simulate the communication with the external service to configure an alternative local IP and to simulate a heartbeat so the camera does not restart.

Thulinma · May 17, 2021, 11:28pm

Hey all! Sorry to wake up such an old post, but I came across this thread while doing some related searches, and I can provide some light in the darkness here:

These cameras use the “PPPP” protocol. You can find a pretty thorough description [here]. Incidentally, that code will also let you examine the packets in human-readable format in wireshark.
Newer cameras use a form of encryption on top of this, using a relatively simple encryption scheme. While I do have full details on how this works, I promised the owner of that git repo (a security researcher) not to disclose that info until he publishes about it first. Older cameras should be using the protocol in plaintext.
If you want to learn more about the protocol (and its security problems), I can recommend [this site + talk]. It also contains some advice on how to use these (and similar) cameras without exposing it to the internet entirely.

I’m writing an extension to some open source software I work on, which will add support for both the encrypted and non-encrypted cameras, both over local network mode and “global P2P” modes, pretty soon! I already have auth, discovery, basic stream settings and retrieving an MJPEG stream completely operational, and am hoping to also get H264 mode working before I release this.

In short: stay tuned, using these without the annoying semi-chinese phone app will be a lot simpler soon.

nickrout · May 18, 2021, 2:26am

Still not much use for an open source community.

Thulinma · May 18, 2021, 11:09am

I don’t see how giving the complete documentation of the protocol as well as saying an open source implementation will be landing soon is “not much use”. Perhaps you’re using some obscure definition of “use” that I am not familiar with…?

11125 · September 12, 2021, 3:58pm

HI all,
I recently acquired the camera and started to explore the possibilities to add it to HA.
I used Wireshark to check the traffic. Unfortunately, it does not catch it all the time, it depends on the network config. So once Wireshark detected DTLS traffic from the cam. The camera communicates to 4 addresses on the internet, one is NTP server, two are ad advertisements, and don’t know what is the fourth Alibaba IP. Anyway, the fw will prevent that traffic, so I am not worried a lot.
Anyway, I am stuck and I am sharing the Wireshark files in the hope it will help.
Succeeding in connecting this cam to HA will mean a lot to the community.
You can get the Wireshark files in here on Google Drive. If you need more info or help pls contact me

Tuyau2poil · November 18, 2021, 9:16am

hi guys, some info that I was able to extract from these A9 cameras: if it can help someone smarter than me ....

so to start I have two different cameras, but almost identical with the BK7252 chip which use the "little stars" and "xiaodou" apk.
the printed circuits are slightly different and one of them has RX TX inscriptions. the other D0, CEN, VIO etc ...
I connected a USB-UART converter to RX / TX and launched a terminal (putty or others): I have lots of things displayed!
the system is RT-Thread and I managed to do some cool experiments.
the command "Help" gives all the commands available:

>help

_{RT-Thread shell commands:}
_{start_ap_direct - This is start_ap_direct}
_{testLedDemo - This is testLedDemo}
_{mac - set_or_read_mac}
_{rxsens - do_rx_sens}
_{txevm - do_tx_evm}
_{video - video}
_{wifi_demo - wifi_demo command}
_{rfcali_show_data - rfcali show data}
_{rfcali_cfg_tssi_g - rfcali cfg tssi}
_{rfcali_cfg_rate_dist - rfcali cfg rate_dist}
_{rfcali_cfg_mode - rfcali cfg mode}
_{rfcali_cfg_tssi_b - rfcali cfg tssi}
_{camera_param_test - camera_param_test}
_{camera_anti_flicker_test - camera_fps_test}
_{camera_fps_test - camera_fps_test}
_{camera_ppi_test - camera_ppi_test}
_{camera_effect_test - camera_effect_test}
_{camera_contrast_test - camera_contrast_test}
_{camera_flip_test - camera_flip_test}
_{camera_bringtness_test - camera_bringtness_test}
_{camera_inf_write_reg_value - camera_inf_write_reg_value}
_{camera_inf_read_reg_value - camera_inf_read_reg_value}
_{camera_reg_read_test - camera_reg_read_test}
_{stopAudioEncoderStream - This is stopAudioEncoderStream}
_{startAudioEncoderStream - This is startAudioEncoderStream}
_{registAudioLiveStream - This is registAudioLiveStream}
_{batteryDemo - This is batteryDemo}
_{buttonServiceInit - This is buttonServiceInit}
_{VideoTransferTcpStart - This is VideoTransferTcpStart}
_{testFlash - This is testFlash}
_{testBurn - This is testBurn}
_{testFatctor - This is testFatctor}
_{testOtaDemo - This is testOtaDemo}
_{testTFCardOta - This is testTFCardOta}
_{apMatchCancel - apMatchCancel}
_{apMatchStart - apMatchStart}
_{reBleConfigNet - reBleConfigNet command}
_{destroyBle - destroyBle command}
_{registerBle - registerBle command}
_{testDevice - This is testDevice}
_{testAppCheckOta - this is testAppCheckOta}
_{testDeviceSearch - This is testDeviceSearch}
_{testTFCard - This is testTFCard}
_{stopVideoEncoderStream - This is stopVideoEncoderStream}
_{startVideoEncoderStream - This is startVideoEncoderStream}
_{registVideoLiveStream - This is registVideoLiveStream}
_{audio_dump - audio_dump}
_{wdg_stop - wdg_stop}
_{wdg_refresh - wdg_refresh}
_{wdg_start - wdg_start}
_{reboot - reboot system}
_{set_log - set_log on or off}
_{stack - rt_hw_stack_print}
_{resetenv - Reset all envrionment variable to default.}
_{getvalue - Get an envrionment variable by name.}
_{saveenv - Save all envrionment variables to flash.}
_{printenv - Print all envrionment variables.}
_{setenv - Set an envrionment variable.}
_{netio_init - netio server}
_{ntp_sync - Update time by NTP(Network Time Protocol)}
_{ping - ping network host}
_{ble_command - ble_command}
_{bk_ble_netconfig_stop - bk_ble_netconfig_stop}
_{bk_ble_netconfig_start - bk_ble_netconfig_start}
_{ble_netconfig_sample - ble_netconfig_sample}
_{button_test - button test}
_{http_ota - OTA by http client: http_ota [url]}
_{memtrace - dump memory trace information}
_{list_fd - list file descriptor}
_{list_device - list device in system}
_{list_timer - list timer in system}
_{list_mempool - list memory pool in system}
_{list_memheap - list memory heap in system}
_{list_msgqueue - list message queue in system}
_{list_mailbox - list mail box in system}
_{list_mutex - list mutex in system}
_{list_event - list event in system}
_{list_sem - list semaphore in system}
_{list_thread - list thread}
_{version - show RT-Thread version information}
_{help - RT-Thread shell help.}
_{free - Show the memory usage in the system.}
_{time - Execute command with time.}
_{ps - List threads in the system.}
_{netstat - list the information of TCP / IP}
_{dns - list the information of dns}
_{ifconfig - list the information of network interfaces}
_{echo - echo string to file}
_{df - disk free}
_{mkfs - format disk with file system}
_{mkdir - Create the DIRECTORY.}
_{pwd - Print the name of the current working directory.}
_{cd - Change the shell working directory.}
_{rm - Remove(unlink) the FILE(s).}
_{cat - Concatenate FILE(s)}
_{mv - Rename SOURCE to DEST.}
_{cp - Copy SOURCE to DEST.}
_{ls - List information about the FILEs.}
_{fal - FAL (Flash Abstraction Layer) operate.}
_{date - get date and time or set [year month day hour min sec]}
_{wifi - wifi command}
_{wifi help - Help information}
_{wifi cfg SSID PASSWORD - Setting your router AP ssid and pwd}
_{wifi - Do the default wifi action}
_{wifi wlan_dev scan}
_{wifi wlan_dev join SSID PASSWORD}
_{wifi wlan_dev bjoin BSSID PASSWORD}
_{wifi wlan_dev ap SSID [PASSWORD]}
_{wifi wlan_dev up}
_{wifi wlan_dev down}
_{wifi wlan_dev rssi}
_{wifi wlan_dev status}

>printenv

_user=user
_ssid0=pdtest
_{passwd0=123456789}
_{factoryflag=0}
_{cchipupdate=0}
_workmode=ap
_{lowpower_onoff=0}
_{systemvolume=86}
_{username0=admin}
_{userpasswd0=6666}
_{username1=admin}
_{userpasswd1=6666}
_recmode=1
_{airkissflag=1}
_{reboot_reason=0}
_{led_onoff=1}

>netstat

_{0 0 0.0.0.0:32108 <==> 0.0.0.0:0}
_{#1 0 0.0.0.0:17650 <==> 0.0.0.0:0}
_{#2 4 0.0.0.0:68 <==> 0.0.0.0:67}
_{#3 0 0.0.0.0:8600 <==> 0.0.0.0:0}

>reboot

_{reboot system}
_{\ | /}
_{- RT - Thread Operating System}
_{/ | \ 3.1.0 build Mar 6 2021}
_{2006 - 2018 Copyright by rt-thread team}
_{[FUNC]rwnxl_init}
_{[bk]tx_txdesc_flush}
_{[FUNC]calibration_main}
_{get rfcali_mode:0}
_{tssi_th:b-125, g-100}
_{fit n20 tab with dist:2}
_{fit n20 tab with dist:2}
_{fit n20 tab with dist:2}
_{txpwr table for ble ch0/19/39 inused}
_{lpf_i & q in flash is:9, 10}
_{xtal in flash is:25}
_{xtal_cali:25}
_{rwnx_tpc_pa_map_init}
_{[FUNC]ps_init}
_{[FUNC]func_init_extended OVER!!!}
_{lwIP-2.0.2 initialized!}
_{set dac vol:65 - indx:11,dig:30,ana:1a}
_{set adc vol: 80 - 80}
_{igmp_mac_filter add 224.0.0.1 01:00:5E:00:00:01}
_{register station wlan device sucess!}
_{igmp_mac_filter add 224.0.0.1 01:00:5E:00:00:01}
_{register soft-ap wlan device sucess!}
_{beken wlan hw init}
_{drv_pm_init}
_{[D/FAL] (fal_flash_init:63) Flash device | beken_onchip | addr: 0x00000000 | len: 0x00400000 | blk_size: 0x00001000 |initialized finish.}
_{[D/FAL] (fal_flash_init:63) Flash device | beken_onchip_crc | addr: 0x00000000 | len: 0x00400000 | blk_size: 0x00001000 |initialized finish.}
_{[D/FAL] (fal_partition_init:176) Find the partition table on ‘beken_onchip_crc’ offset @0x0000ed94.}
_{[32;22m[I/FAL] ==================== FAL partition table ==================== [0m}
_{[32;22m[I/FAL] | name | flash_dev | offset | length | [0m}
_{[32;22m[I/FAL] ------------------------------------------------------------- [0m}
_{[32;22m[I/FAL] | bootloader | beken_onchip_crc | 0x00000000 | 0x0000f000 | [0m}
_{[32;22m[I/FAL] | app | beken_onchip_crc | 0x00010000 | 0x00180000 | [0m}
_{[32;22m[I/FAL] | download | beken_onchip | 0x001a9000 | 0x00253000 | [0m}
_{[32;22m[I/FAL] | EasyFlash | beken_onchip | 0x003fc000 | 0x00002000 | [0m}
_{[32;22m[I/FAL] | param2 | beken_onchip | 0x003fe000 | 0x00001000 | [0m}
_{[32;22m[I/FAL] ============================================================= [0m}
_{[32;22m[I/FAL] RT-Thread Flash Abstraction Layer (V0.4.0) initialize success. [0m}
_{tc_entity_init}
_{ROMFS File System initialized!}
_{current app image name: app, version: 7252_CY_IPC_2103061400, timestamp: 1615010409}
_{===sd card open:0===}
_{msh />cmd 1:3}
_{sdcard cmd 8 timeout,cmdresp_int_reg:0x84}
_{cmd8 noresp, voltage mismatch or Ver1.X SD or not SD}
_{sdcard cmd 37 timeout,cmdresp_int_reg:0x84}
_{send cmd55 err:3}
_{send cmd55&cmd41 err, quite loop}
_{cmd 1:3}
_{sdcard cmd 8 timeout,cmdresp_int_reg:0x84}
_{cmd8 noresp, voltage mismatch or Ver1.X SD or not SD}
_{sdcard cmd 37 timeout,cmdresp_int_reg:0x84}
_{send cmd55 err:3}
_{send cmd55&cmd41 err, quite loop}
_{cmd 1:3}
_{sdcard cmd 8 timeout,cmdresp_int_reg:0x84}
_{cmd8 noresp, voltage mismatch or Ver1.X SD or not SD}
_{sdcard cmd 37 timeout,cmdresp_int_reg:0x84}
_{send cmd55 err:3}
_{send cmd55&cmd41 err, quite loop}
_{sdcard_open err}
_{SD File System initialzation failed!}
_{Enter normal mode…}
_{app_init finished}
_{[Flash]EasyFlash V3.0.4 is initialize success.}
_{[Flash]You can get the latest version on GitHub - armink/EasyFlash: Lightweight IoT device information storage solution: KV/IAP/LOG. | 轻量级物联网设备信息存储方案：参数存储、在线升级及日志存储，全新一代版本请移步至 https://github.com/armink/FlashDB .}
_#

_*
_{* Welcome to C-chip P2P IPC…}
_*
_*
_{* C-chip AIOT Team}
_{* Project Name : K9-IP-CAMERA}
_{* Version : 0.0.2}
_{* Date : Mar 6 2021 13:57:51}

_{network interface: ap}
_{MTU: 1500}
_{MAC: fc 58 4a 05 a0 b1}
_{FLAGS: UP LINK_DOWN ETHARP BROADCAST IGMP}
_{ip address: 0.0.0.0}
_{gw address: 0.0.0.0}
_{net mask : 0.0.0.0}
_{network interface: w0 (Default)}
_{MTU: 1500}
_{MAC: fc 58 4a 05 a0 b0}
_{FLAGS: UP LINK_DOWN ETHARP BROADCAST IGMP}
_{ip address: 0.0.0.0}
_{gw address: 0.0.0.0}
_{net mask : 0.0.0.0}
_{dns server #0: 0.0.0.0}
_{dns server #1: 0.0.0.0}
_{[DRV_WLAN]drivers\wlan\drv_wlan.c L902 beken_wlan_control cmd: case WIFI_INIT!}
_{_wifi_easyjoin: ssid:Livebox-LPG bssid:00:00:00:00:00:00 key:vanille01}
_{start watch dog}
_{rt_hw_wdg_start time=10000 threshold=5000}
_{net 0 not ip up}
_{[31;22m[E/NTP]: ERROR no such host [0m}
_{[31;22m[E/NTP]: ERROR no such host [0m}
_{[31;22m[E/NTP]: ERROR no such host [0m}
_{1041 [ [1;31mERROR [0m cc_midware\tfcard_manage\tfcard_manage.c-isSdCardInserted:63]: [0m TFCard not inserted!}
_{1051 [ [1;31mERROR [0m cc_midware\hardware\manageOta\tfcardOta.c-tfcardOtaServiceTask:311]: [0m TFCard is not inserted, no ota!}
_{fast_connect}
_lr:2d681
_{1382: [sa_sta]MM_RESET_REQ}
_{[bk]tx_txdesc_flush}
_{[sa_sta]ME_CONFIG_REQ}
_{rw_msg_send_me_config_req ps_on is 1}
_{set_ps_mode_cfm:911 1 0 0}
_{[sa_sta]ME_CHAN_CONFIG_REQ}
_{[sa_sta]MM_START_REQ}
_{bssid 8c-f8-13-49-63-ba}
_{security2cipher 2 3 24 8 security=6}
_{cipher2security 2 3 24 8}
_{mm_add_if_req_handler:0}
_{hapd_intf_add_vif,type:2, s:0, id:0}
_{wpa_dInit}
_{wpa_supplicant_req_scan}
_{Setting scan request: 0.100000 sec}
_{MANUAL_SCAN_REQ}
_{wpa_supplicant_scan}
_{Cancelling scan request}
_{wpa_driver_associate}
_{scan_start_req_handler}
_{me_set_ps_disable:795 1 0 1 0 1}
_{me_set_ps_disable_req_handler 1!!}
_{me_set_ps_disable 0 1}
_{me_set_ps_disable2 1 1}
_{set_ps_mode_cfm:911 1 5 0}
_{exit dtim ps!}
_{sm_auth_send:1}
_{sm_auth_handler}
_{sm_assoc_rsp_handler}
_{rc_init: station_id=0 format_mod=2 pre_type=0 short_gi=1 max_bw=0}
_{rc_init: nss_max=0 mcs_max=7 r_idx_min=0 r_idx_max=3 no_samples=10}
_{mm_set_vif_state_req_handler}
_{chan_bcn_detect_start}
_{---------SM_CONNECT_IND_ok}
_{Not associated - Delay processing of received EAPOL frame (state=ASSOCIATING bssid=00:00:00:00:00:00 )}
_{wpa_driver_assoc_cb}
_{get_scan_rst_null}
_{Cancelling scan request}
_{get_scan_rst_null}
_{hapd_intf_add_key CCMP}
_{add sta_mgmt_get_sta}
_{sta:0, vif:0, key:0}
_{sta_mgmt_add_key}
_{add hw key idx:24}
_{add TKIP}
_{add is_broadcast_ether_addr}
_{sta:255, vif:0, key:2}
_{add hw key idx:2}
_{ctrl_port_hdl:1}
_{me_set_ps_disable:795 0 1 0 0 4}
_{dis set ps 4!!}
_{sta_ip_start}
_{configuring interface mlan (with DHCP client)}
_{dhcp_check_status_init_timer}
_{new dtim period:3}
_{new ie: 0 : 4c 69 76 65 62 6f 78 2d 4c 50 47}
_{new ie: 1 : 82 84 8b 96 c 12 18 24}
_{new ie: 3 : 6}
_{new ie: 2d : ad 1 1b ff ff 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 4 6 e4 a7 c 0}
_{new ie: 30 : 1 0 0 f ac 2 2 0 0 f ac 4 0 f ac 2 1 0 0 f ac 2 c 0}
_{IP UP: 192.168.17.168}
_{[ip_up]:start tick = 1017, ip_up tick = 2222, total = 1205}
_{------start enter ps mode—}
_{first enable sleep}
_{power_save_me_ps_first_set_state:582}
_{me_send_ps_req 2 0 0}
_{ps_keep_timer init}
_{set_ps_mode_cfm:911 1 4 0}
_{set listen dtim:1}
_{enter 0 ps,p:3 m:1 int:100 l:1!}
_{power_save_dtim_ps_init}
_{* Create preload thread for 1 sessions}
_{prevent sleep is 0}
_{prevent sleep is 0}
_{prevent sleep is 0}
_{sleep_first 0}
_{dtim period:3 multi:1}
_{Battery voltage 4140mv 95%}
_{video_transfer_init 3}
_{video_transfer_main entry}
_{video transfer send type:3}
_{open I2C2}
_status:0
_{vbuf opened}
_{ejpeg_hdl is DD_HANDLE_UNVALID}
_{adc-buf:009011e8, adc-buf-len:5120, ch:1}
_{audio_device_mic_opened}
_{adc-buf:009011e8, adc-buf-len:5120, ch:1}
_{set adc channel 1}
_{audio_device_mic_set_channel:1}
_{set adc sample rate 8000}
_{audio_device_mic_set_rate:8000}
_{set QVGA}
_{GC0309 init finish}
_{camera_intfer_init,a5a50003-a5a50005}

using "setenv" i put my SSID and password, and the camera connected to my network!
 (after a "saveenv" and a reboot.)
  
 On the other hand, still impossible to interact with the camera. an analysis of the TCP / UDP ports does not return anything and Wireshark does not see any frame.
 
 I then created an AP with an ESP8266, to which I added a DNS server which responds to all requests by the IP of my PC.
 I then put the SSID of the AP in the camera + reboot but again I was disappointed because even if the camera considers my PC as its gateway, I do not see any frame with wireshark.
 
 in short, I haven't made much progress and I publish these discoveries for those who, unlike me, know what to do and how to do !!!
 
 sorry for the google translation but i'm french and as you know french only can speak french ...
 
 Tuyau2poil

FredTheFrog · November 18, 2021, 6:28pm

Merci beaucoup, @Tuyau2poil !!

Bon chance, mon amis.

ruijgrl · November 24, 2021, 9:10am

I’m just here to say thank you to you wonderful smart people for doing this! Bravo!

I’m not technically proficient at all but I so much appreciate and would so much like to have a third party safe app to see this camera from my PC or phone. I want to use it to monitor stuff like faucets or wind drafts etc!) but I don’t like the very weird apps “Little Stars” that makes it operate! Who knows where its sending the feed to!

I got an A9 camera. It has following written on the circuit board (yes I did open and looked so my expertise ends there )

A9_L2-V5
210226

9-A9-V1
A8-GC030

Thank you again and I look forward to your continued efforts!

HeyImAlex · November 26, 2021, 11:02am

I mean I get the technical challenge of reverse engineering stuff, but why do you guys waste your time on garbage like that ?

If you need a small camera that works with RTSP out of the box without RE anything, take a look at these Revotech ones. They look pretty nice, RTSP, ONVIF, PoE, decent lenses, 3MP. Haven’t tried them yet, but thinking of getting the pinhole one as a hidden doorcam.

Tamadite · November 26, 2021, 1:43pm

Please provide objective comments that contribute to the topic. Your proposal deviates from it.

junalmeida · November 26, 2021, 3:05pm

I also have a camera like yours, but it seems to be a different version. It connects to the “Little Stars” android app, and I can’t seem to get a local RTSP stream to make any use of it.
I can see the following on the board: “E-WF-19-V1.3”. The chip has no identification, and its wifi AP starts with “ACCQ”.
I tried the “.ini” file method with no success.

I was wondering if it is possible to reflash it with a more customizable firmware (and one that does not go to their weird cloud)

I’m watching this thread for any good ideas on that. Thank you!

Tuyau2poil · December 1, 2021, 10:02am

If your cam use “little stars” I’m afraid there’s no solution (at this time). it’s typicaly A9 series with only cloud and phone connexion.
For those looking for a camera directly connected to the PC, there is a model
which uses the HD WIFICAM PRO application. It is identical to the cameras mentioned in this post,
but does not use the same chipset or the same firmware, moreover it costs the same price!
(ex: Mini caméra de surveillance IP WiFi HD 1080P, avec Vision nocturne, détection de mouvement, moniteur à distance avec support magnétique | AliExpress )
to retrieve the stream in a file, the easiest way is to use FFMPEG with the following syntax:
ffmpeg.exe -i “http://192.168.xxx.yyy:81/livestream.cgi?user=xxxxxxx&pwd=yyyyyyy&streamid=0&audio=0” -c:v libx264 -f matroska “c:\temp\outFile.mkv”
the problem is that the camera films continuously: the alarms only concern the storage on the SD card.
we would have to find a way to listen to the notifications of the camera and launch the capture accordingly.
I will look into the subject … If somebody knows a soft (for windows) to accomplish that thanks to share !
for the IP address, you can look at the DHCP of your Wifi router, possibly configure a reservation (dhcp lease) in order to have the same IP all the time.
otherwise use “advanced IP Scanner” and you should find your camera in the list quickly. (mine has a MAC 44: 01: BB: XX: YY: ZZ which corresponds to “SHENZHEN BILIAN ELECTRONIC CO. ， LTD”)
once the IP is known I recommend the “AnyCam” software which will do all the work for you by trying all possible and imaginable URLs!
note that these tools are free and you can use them for any type of camera.
hope this help…

ruijgrl · December 1, 2021, 12:49pm

If your cam use “little stars” I’m afraid there’s no solution

I think that is why they are calling this the “challenge”

If it was easy then well even I could do it as you’ve posted

ruijgrl · December 1, 2021, 12:53pm

why do you guys waste your time on garbage like that

Sorry but I don’t get how describing anything that you cannot hack into as “garbage” is helpful?

How do you define “garbage” hardware? Just because something is “cheap” to someone does not mean it’s garbage

HeyImAlex · December 1, 2021, 2:08pm

Hardware that doesn’t work for its intended purpose. I had one of these camera things years ago. Not the exact same brand as discussed here, but they’re all based on the same cloned base anyway give or take a few variations. It was complete garbage. The image quality was worse than some 10 year old 720p DLink I still had around and that was already low end. It was a useless pixelated mess. And after a week or so it died.

This is not about being able to hack it or not, it’s just that the quality of these things is abysmal. The sensors they use are from the bottom of the scrap barrel: QA rejected devices (that would otherwise go to the landfill), stocks of unsold last-last-last-generation chips they bought in bulk for cheap, rebranded ‘scrapware’ chips (unsoldered from discarded old devices), etc. These cameras are basically trojan horses. They sell these for ‘cheap’ (they’re not actually that cheap if you think about it) to get you to install their malware ridden phone app. Sure, if you want to hack them and somehow get a local stream out of them, go ahead. I won’t tell you how to spend your free time. It will be a stream of crappy quality video though. And you can get decent RTSP / ONVIF cameras for the same price or slightly above.

OT I know, but you asked for my opinion, here it is.