i prolly killed mine too, the cam don’t stream any video after i changed the ip addr of the device via uart
Hi, would it be possible that you create a docker compose file for the A9 camera. I am running HA in a docker. It seems that the addon is already based on docker it seems to be based on HA addon. But i do not know how to make a docker compose that can be used for just this A9 camera server.
1 Like
I’ve got a similar camera, but with HQ6 printed on the PCB and opening an AP with the name DGOF-123456-LSWJN but the a9-v720 tools doesn’t work with it. The tool I should use is 365Cam
One manufacturer that I found is: Shenzhen Maifeng Trading as can be seen here:
https://fccid.io/2A9GL-A9/User-Manual/User-manual-6243224
here their contact page if someone wants to try:
http://www.maifeng-tech.com/en/contact.php
I took mine apart and found out mine A9 doesnt have BK7231. It has an XF16 NA035EA6CD1 chip which is connected to T25S16 (16 Mbit Flash memory). Despite all my searches I am not able to find what chip XF16 is. But connection with external flash … is it an FPGA? They coudnt possibly have come up with a ASIC for a 2$ camera!! Does any one know what this chip is? Here are some pics:
Taken from Reverse Engineering Amino Communications IPTV CCTV Wifi Cloud Camera · GitHub
Help me reverse engineer a cloud iptv cctv camera so i can use it locally without needing its app or its cloud;
This is the camera: Amazon.de
This is it’s app: https://play.google.com/store/apps/details?id=shix.vi.camera&hl=en&gl=US
This app works aswell: https://play.google.com/store/apps/details?id=shix.cam365.camera&hl=en&gl=US
From what i have seen in traffic logs it connects to a bunch of chinese servers using TCP;
This is info for the camera from Advanced Port Scanner:
- Hostname: rtthread
- MAC: 00:02:02:30:40:47
- Manufacturer: Amino Communications, Ltd.
- Open Ports:
- Port 23 (TCP)
- Port 10002 (TCP)
- Port 10003 (TCP)
ipcam.pcapng package capture of the android app (Taken with PCAPdroid | User Guide):
- Parsed: 🔍 Online pcap files viewer for analyze HTTP, DNS, other network traffic
- Alternative: 🔍 Online pcap files viewer for analyze HTTP, DNS, other network traffic
- Raw: https://apackets.com/api/v1/pcaps/public/download/647c19eceb8027d775b1cc37a85ce833.pcapng/ipcam.pcapng
Can i use the a9 addon with my camera aswell? And if not, can i modify/improve it to include support for mine?
Here are images from my cam/board:
Chip Markings: BK7252UQN68 AU2406YB
Chip Website: BK7252-Beken Corporation
Chip Datasheet: https://www.ccm99.com/app/discuz.php?mod=act&tid=119111&aid=4277
Btw, has anyone here found a open source android / windows app that implements this p2p udp tunnel protocol?
EDIT: I now tried replaying my captured packets where i did a bunch of camera actions (pan, zoom, toggled leds) with scapy, but absolutely nothing:
from scapy.all import *
# list all interfaces
print(conf.iface)
print("")
packets = rdpcap("test/ipcam.pcapng")
# sendp(packets)
l = len(packets)
for i, packet in enumerate(packets):
print(f"Sending packet {i} / {l}: {packet.summary()}")
# print(packet)
sendp(packet, iface="Intel(R) Ethernet Connection (11) I219-V")
Sending packet 5942 / 5942: IP / UDP 10.215.173.1:19874 > 192.168.2.72:14414 / Raw
1 Like
We have almost the same. What did you end up doing with it?
Nope, it works only with v720 app, you may try scripts from the begging of the thread. Could be nice to capture communication from camera, not from Android app. (you may use fake Wi-Fi AP with NAT and capture what happens in the middle)
Also on my side, only second link with PCAP is working
@WakMun I have such camera on this chip, as you, i didn’t find any mentions in web what is it. And what is more important, i didn’t test it yet. But maybe in the future i will do this.
Hello everyone, with the hope that you will provide an update to the challenge, I made a compilation of command captures in the communication between Little_Stars and a TT-Mini spy camera, in my case the WF-A9-V3 model.
The AP mode address be always 192.168.4.153 on that model
- Send a datagram packet on AP mode to port 8090 with this structure: f[ESSID]&&&[ESSID]###[Pass][RndNumber]
(sends in the AP mode of the camera, the ESSID and password of the router to connect to, so that they are saved and changed to station mode) - Note: send without []
if reply is: 66 00 01 00 00 00 01 99 or 66 00 01 00 00 00 01 FF DD - ( reply OK) - In AP mode and depending on the camera, it might only be necessary to send two packets and not 3 as in most of the examples present online, it will be enough to send: 42 76 to port 8080 or if you want to initialize more options , send 30 67 30 66 to port 8070 and then 42 76 to 8080 to capture real-time video, JFIF (JPEG) format.
- It is curious that in all the transactions carried out, a kind of handshake is established between the application and the device, regardless of which it is, I list the following sequence:
– send: 5d a8 0e f4
– reply: 5d a9 63 94
– send: 5d a8 0e f4
– relpy: 5d a8 0e f4
– send: 5d a9 63 94
– reply: 5d a9 63 94
– send: 5d b8 78 28
and the latter always have the same pattern.
Once the WF-A9-V3 is in station mode, the only open UDP ports are: 12476, 21664 and 32108
There is much more data, but until I can understand the behavior, there is no point in sharing the information.
To obtain the information, I used the PacketCapture application and LittleStars itself. Netbeans for sending test datagrams.
1 Like
This is a snippet of my code written in Java to change the AP mode to Station of WF-A9-V3:
private boolean setStationMode(String essid, String pass) {
try (DatagramSocket socket = new DatagramSocket()) {
int rport = 8090;
String data = "f" + essid + "&&&" + essid + "###" + pass + "";
byte[] buffer = data.getBytes();
System.out.println("Sending data and waiting for response...");
DatagramPacket packet = new DatagramPacket(buffer, buffer.length, InetAddress.getByName("192.168.4.153"), rport);
socket.send(packet);
byte[] responseBuffer = new byte[Byte.MAX_VALUE];
DatagramPacket responsePacket = new DatagramPacket(responseBuffer, responseBuffer.length);
socket.receive(responsePacket);
String response = new String(responsePacket.getData(), 0, responsePacket.getLength());
if (!response.isEmpty()) {
System.out.println("Data acquired: ");
System.out.println("Response: " + response);
//System.out.println("ASCII response: " + asciiToHex(response));
if (response.equals("f�����")) {
return true;
}
}
} catch (IOException ex) {
System.out.println("IOException : "+ex.getMessage());
}
return false;
}
in the string to send there is a special character that apparently has no visibility but is present in the code, be very careful, it is important that it is not removed from the string otherwise it will not be effective
I am creating a Java solution for the WF-A9-V3, this is my github GitHub - aayes89/JCam: Java application to handle a TT-Mini Spy Camera
1 Like
Hi, Is it possible to write to the SD card when the power is cut and wifi no longer works?
It will always write to SD as far as I know, but without power, it needs a quite large battery pack to keep working
He probably meant if the cam can finish the current recording without corrupting it when the power cuts off
Sadly i have no setup for that
i want to buy this cam, is there a safe apk which is not spying on me?
Unfortunately no, you have to use the one that comes with the manual or wait for the java version that I am still implementing to be ready to migrate it to Android
3 Likes
hi, I correctly configured 3 mini A9 cameras in HA, but only 2 work together at a time, I think I need to increase the memory of the “A9 server” application but I didn’t understand how to do it, kindly can someone help me, thank you very much.
P.S: only two live on Server A9 at the same time, if I restart the other one, it goes live, but another one disappears.
I’m happy with my A9 camera.
made sure it isnt connected to the internet 100%.
also usable for reconfiguring because with 2 clicks. it has internet and no local hostname resolve. so i can use the app to configure the camera.
Can you explain in detail how you did that, please? Thanks in advance!