Popular A9 mini Wi-Fi camera & the HA challenge

I’m trying to hack into a tiny A9 camera that has A9_B V1.3_220516.
I have managed to connect to the UART.
I want to enable RTSP, connect to telnet and SSH.

You’ve got it? I am very interested, I have several.

What are the CEN and VUSB pins? I think that VUSB is the “power supply” for the UART but I haven’t figured out what the CEN pin is. Also, I’m probably doing something wrong using the UART without a proper power supply, but it shouldn’t be a problem, right?

I bought it on AliExpress for 1 cent. I have managed to get some connection, and not having a USB to TTL I used the ESP8266 CP2102 to talk with the cam. Also, the baud rate is 115200 if someone was wondering. I’m actually a newbie in hardware hacking. I will try to use the bk7231tools to analyze the firmware. I was wondering if someone tried to use the JTAG pin?
Sorry for bad English, I’m from Europe and English is not my first language.

I tried the JTAG without success. I even bought a FT2232H USB to Serial Board.
I found it easier to deal with the SDK I posted above, although no real success either other than being able to flash the unit with custom firmware.

Are you talking about this: GitHub - tuya-cloudcutter/bk7231tools: This is a collection of tools to interact with and analyze artifacts for BK7231 MCUs? I’m going to try to extract the firmware tomorrow.

Yes, you can try that. You can see my try here.

I’m going to make something with this cam, here you can see my GitHub repo on this topic.

I even want to complicate my life and try to implement a machine learning algorithm for face detection. I was thinking of implementing the Viola-Jones algorithm, but for now I will simply create a guide while learning by myself.

So after checking the chip on my IP cam PCB I have found out that it doesn’t have a BK7231 but a BK7252, so now I’m a little stuck, because there are little to no resources about it, but I have found some datasheet.

Hi guys.
Just to let you know, the fake-server's issue with not working correctly over NAT is now fixed. I would appreciate it if someone tested it over NAT and gave some response.

I am testing the server running in a different subnet from the camera’s; the stream just keeps stopping after 2 or 3 seconds.

This is what I get the moment the stream freezes (then stops):

Exception in thread [email protected]:12275:
Traceback (most recent call last):
  File "/usr/lib/python3.7/threading.py", line 917, in _bootstrap_inner
    self.run()
  File "/usr/lib/python3.7/threading.py", line 865, in run
    self._target(*self._args, **self._kwargs)
  File "/home/pi/a9-v720/src/v720_sta.py", line 234, in __udp_hnd
    self.__on_udp_rcv(self._udp.recv())
  File "/home/pi/a9-v720/src/v720_sta.py", line 243, in __on_udp_rcv
    self._raw_hnd_lst[f'{req.cmd}'](self._udp, data)
  File "/home/pi/a9-v720/src/v720_sta.py", line 458, in __on_mjpg_rcv_hnd
    self._vframe.extend(pkg.payload)
BufferError: Existing exports of data: object cannot be re-sized

Done, you may try now.
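
The `BufferError` in the traceback above is what CPython raises when a `bytearray` is resized while a buffer export (such as a `memoryview`) of it is still alive. The following is an added example, not code from a9-v720 or from the posters; the class names and the assumption that a consumer was still holding a view of `_vframe` are hypothetical.

```python
"""Added illustration: names are hypothetical, not taken from a9-v720."""


class LeakyAssembler:
    """Failure mode: consumers get a view of the live, still-growing buffer."""

    def __init__(self):
        self._vframe = bytearray()

    def feed(self, payload):
        self._vframe.extend(payload)      # resize; fails while a view exists

    def current_frame(self):
        return memoryview(self._vframe)   # export pins the buffer's size


class CopyingAssembler:
    """Fix: consumers get an immutable snapshot, assembly uses a new buffer."""

    def __init__(self):
        self._vframe = bytearray()

    def feed(self, payload):
        self._vframe.extend(payload)

    def finish_frame(self):
        frame = bytes(self._vframe)       # copy leaves no export behind
        self._vframe = bytearray()        # rebind; clear() would resize too
        return frame


def reproduce():
    """Return the error raised when a fragment arrives during streaming."""
    asm = LeakyAssembler()
    asm.feed(b"\xff\xd8frame1")           # constructed MJPEG-like fragment
    view = asm.current_frame()            # assumed: HTTP thread holds this
    try:
        asm.feed(b"\xff\xd8frame2")       # UDP thread appends the next one
        return "no error"
    except BufferError as exc:
        return str(exc)
    finally:
        view.release()


def fixed():
    """Same sequence with snapshots: both frames survive intact."""
    asm = CopyingAssembler()
    asm.feed(b"\xff\xd8frame1")
    first = asm.finish_frame()            # consumer may keep this indefinitely
    asm.feed(b"\xff\xd8frame2")
    return first, asm.finish_frame()
```
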

CEN is chip enable (like in ESPs), it allows resetting the BK. VUSB, as you guessed, is the 5V from micro-USB. Usually any USB-UART module will work; those have IO at 3.3V unless you buy a special module that can set this via jumper to 5V (I think on some modules with FT232 this is possible).

You can grab the dumped BIN file from my post too, here is the link to it: https://1drv.ms/u/s!AuwqzmCQF2wVmkdSQzrai9KzU0o5?e=a0yxS9

I killed my A9 trying to flash it, now it won’t connect at all (even trying chip_info) :sweat_smile:

I prolly killed mine too, the cam doesn’t stream any video after I changed the IP address of the device via UART.

Hi, would it be possible for you to create a docker compose file for the A9 camera? I am running HA in Docker. It seems that the addon is already based on Docker, it seems to be based on an HA addon. But I do not know how to make a docker compose file that can be used for just this A9 camera server.


I’ve got a similar camera, but with HQ6 printed on the PCB and opening an AP with the name DGOF-123456-LSWJN, but the a9-v720 tools don’t work with it. The tool I should use is 365Cam.

One manufacturer that I found is Shenzhen Maifeng Trading, as can be seen here:
https://fccid.io/2A9GL-A9/User-Manual/User-manual-6243224

Here is their contact page if someone wants to try:
http://www.maifeng-tech.com/en/contact.php

I took mine apart and found out my A9 doesn’t have a BK7231. It has an XF16 NA035EA6CD1 chip which is connected to a T25S16 (16 Mbit flash memory). Despite all my searches I am not able to find what chip the XF16 is. But a connection with external flash … is it an FPGA? They couldn’t possibly have come up with an ASIC for a 2$ camera!! Does anyone know what this chip is? Here are some pics:

Taken from Reverse Engineering Amino Communications IPTV CCTV Wifi Cloud Camera · GitHub

Help me reverse engineer a cloud IPTV CCTV camera so I can use it locally without needing its app or its cloud;

This is the camera: Amazon.de

This is its app: https://play.google.com/store/apps/details?id=shix.vi.camera&hl=en&gl=US

This app works as well: https://play.google.com/store/apps/details?id=shix.cam365.camera&hl=en&gl=US

From what I have seen in traffic logs it connects to a bunch of Chinese servers using TCP;

This is info for the camera from Advanced Port Scanner:

  • Hostname: rtthread
  • MAC: 00:02:02:30:40:47
  • Manufacturer: Amino Communications, Ltd.
  • Open Ports:
    • Port 23 (TCP)
    • Port 10002 (TCP)
    • Port 10003 (TCP)

ipcam.pcapng packet capture of the Android app (taken with PCAPdroid | User Guide):

Can I use the A9 addon with my camera as well? And if not, can I modify/improve it to include support for mine?

Here are images from my cam/board:

Chip Markings: BK7252UQN68 AU2406YB
Chip Website: BK7252-Beken Corporation
Chip Datasheet: https://www.ccm99.com/app/discuz.php?mod=act&tid=119111&aid=4277


Btw, has anyone here found an open source Android / Windows app that implements this P2P UDP tunnel protocol?

EDIT: I now tried replaying my captured packets where I did a bunch of camera actions (pan, zoom, toggled LEDs) with scapy, but absolutely nothing:

from scapy.all import conf, rdpcap, sendp

# show the default interface scapy would use
print(conf.iface)
print("")
packets = rdpcap("test/ipcam.pcapng")
# sendp(packets)
l = len(packets)
for i, packet in enumerate(packets):
    print(f"Sending packet {i} / {l}: {packet.summary()}")
    # print(packet)
    sendp(packet, iface="Intel(R) Ethernet Connection (11) I219-V")

Sending packet 5942 / 5942: IP / UDP 10.215.173.1:19874 > 192.168.2.72:14414 / Raw

Mirror: cam-reverse-engineering/Kavylany 1080P Dual Band Wireless WiFi Full Color PTZ IP-Kamera Outdoor Nachtsicht Überwachung Dome Kamera at main · Bluscream/cam-reverse-engineering · GitHub
