Popular A9 mini Wi-Fi camera & the HA challenge

I just found out that I have an ftdi232rl in my collection of adapters. bk7231_spi_flasher.py is only 200 lines of code and its creation has been documented. Here is the exchange I had with GPT: https://chat.openai.com/c/a60720aa-02f0-4a84-9963-011c804743cb. Basically what is left to be done is to merge these code blocks with bk7231_spi_flasher.py.

I always thought AliExpress shipped globally at a flat rate. I hope you have access to a Linux system; I could not imagine trying to hack into anything using Windows, just a waste of time.

EDIT:
Actually GPT is making quite a few mistakes. Also the ftdi232rl has no MPSSE, so you cannot use any library. I am trying to figure out from the datasheet if this chip is usable or not. We need MISO as input, MOSI as output, SCK as output, CS as output, and yet another output to reset the chip. An FT232H would be a much better choice, but it is not so common.

EDIT2:
Here is the code I came up with so far: beken spi ftdi232rl - Pastebin.com
I could not find enough output pins on the ftdi232rl, so the only option is to tie CS either high or low, from VIO or GND. I do not know if it is active high or low. For now it does not seem to be working; I get somewhat random output from it, but with CS tied low there is some consistency in the output. Who knows what the cause is at this early point.

I am happy to let you know that I have been able to set the chip to SPI mode, check the flash ID and read data from the 0x11000 app area, and the data I get from it matches what I know is there. The first page of the bootloader is gone, I have checked that. bk7252 ftdi232rl spi flash - Pastebin.com. This is still very finicky; I have to re-plug power and start my program like 10 times before it works. I am not sure yet if it is possible to make this more reliable.

@Bluscream I believe you and I have the same, or a very similar, camera. My UID starts with DGOD.

I have had some success using the script found here GitHub - datenstau/A9_PPPP: HDWiFiCam Pro (DGOA WiFi Prefix) JS-Api which was created by @datajam and posted to this forum about a year ago. (I just arrived here and have been trying to read through all posts to get up to speed).

The “speaker” module did not work on my Mac, so I had to remove it from package.json. But then I got my device detected, and the video output stream properly presented on http://localhost:3000/.

If you’re, like me, a bit of a node.js noob, you can get this started by running npm install to install the dependencies, and then node run.js.

As far as I can tell, the “A9 V720 Naxclow” repo that’s been doing the rounds in the posts for the last few months is not applicable to these cameras. The Naxclow cameras seem to have a simpler API that you can access if you can fool the cameras to access your computer instead of naxclow.com. Our cameras only use the “PPPP” or cs2_P2P protocol.

My camera uses an app called “vi365”. I downloaded the APK and started dissecting it. I found some interesting leads on how the camera is controlled from the app, using HTTP-like requests, apparently sent as PPPP packets. I’ll try to write down a gist with my findings at least, when I have cleaned them up enough so that I can understand them myself. :slight_smile: Then I think basically all pieces are in place for actually making something that works with Home Assistant.

And, oh, also, see the recommendation about blocking the outgoing UDP port 32100 in your firewall from https://hacked.camera/.

@freeser any chance of downloading this one please?
https://pan.baidu.com/s/12ZpJO0Hn_D9_ZtAiXe2TQQ

(6fpj)

Let me see if I recall what I did and how I got there because I cannot figure out what you are talking about…

I got hooked on reverse engineering this cr*p. :slight_smile: My first delivery in this venture is a working Wireshark dissector for “encrypted” PPPP traffic.

I hope it can be useful for others as well.


I have successfully unbricked the A9 camera whose bootloader I messed up. The problem is that the Python program I am using is kind of slow: it takes about 6 hours to flash the entire firmware, and 2 and a half hours to read the entire flash contents. I had to read back the firmware to see where flashing made mistakes like 4 times before fixing all the errors.

I am able to run PinScan from libretiny.eu now via wifi. This is actually pretty great, and HA support is already there, so all that is left to do is figure out how to gain access to video.

I have opened an issue with libretiny about this:

Here is the entire firmware that was on my a9 camera:
https://file.io/lejNjefeY19G

And the latest version of the ftdi232rl SPI flasher:


Ok, finally I am able to compile again. Just let me know if you have found or know about a repository that has code I can compile and try.

Does this datasheet help with pins and a few details?

And this is a programmer for other chips from taixin-semi [dot] com (you can create a free account to download it anyway); maybe it works for this chip, too.
Sadly I know nothing about fiddling with this.

https://file.io/LAPHdANbzd6s

Hi everyone.
I have 3 cameras of 2 kinds. One camera uses the 365cam apk, two cameras the V720 apk. 365cam works with the datenstau/A9_PPPP solution (thanks to the author btw). The 365cam camera has FinSH with a lot of useful commands. One of them is fal, the second flash_dump. flash_dump just prints a hexdump of whatever address you want, up to 256 bytes. fal requires a probe to a partition and then allows reading/writing the probed partition. fal should print a list of partitions, but the developers broke this function. Anyway, I found the names of all partitions when I experimented with flash_dump.

There is one important thing I learned from my experiments - Beken chips have two ways of addressing flash memory: physical - how the CPU sees memory, app starts at 0x00010000; virtual - mixed with 2 bytes of CRC after every 32 bytes of real bytes, app starts at 0x00011000. I read about it on a Russian website.

The fal command works with physical memory.
The flash_dump command works with virtual memory.

Here are examples:

msh />fal read 0 64
Read data success. Start from 0x00000000, size is 64. The data is:
Offset (h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
[00000000] C5 00 00 EA 14 F0 9F E5 14 F0 9F E5 14 F0 9F E5 ................
[00000010] 14 F0 9F E5 14 F0 9F E5 14 F0 9F E5 14 F0 9F E5 ................
[00000020] 24 06 00 00 B8 05 00 00 34 06 00 00 44 06 00 00 $.......4...D...
[00000030] 54 06 00 00 C8 05 00 00 D8 05 00 00 EF BE AD DE T...............

msh />flash_dump 0 64
flash_dump 0x00000000 64
00000000: C5 00 00 EA 14 F0 9F E5 14 F0 9F E5 14 F0 9F E5  ................
00000010: 14 F0 9F E5 14 F0 9F E5 14 F0 9F E5 14 F0 9F E5  ................
00000020: 38 DA 24 06 00 00 B8 05 00 00 34 06 00 00 44 06  8.$.......4...D.
00000030: 00 00 54 06 00 00 C8 05 00 00 D8 05 00 00 EF BE  ..T.............

I wrote a tool in Python which uses the fal command and saves a dump of a partition.
Here is the partition table of the 365cam camera:

--------------------------------------------------------------
| addr       | last addr  | len        |  partition          |
--------------------------------------------------------------
| 0x00000000 | 0x0000efff |      61440 |  bootloader         |
| 0x00010000 | 0x0018ffff |    1572864 |  app                |
| 0x00132000 | 0x001fdfff |     835584 |  download           |
| 0x001fe000 | 0x001fefff |       4096 |  EasyFlash          |
| 0x001ff000 | 0x001fffff |       4096 |  param2             |
--------------------------------------------------------------

I tried to disassemble bootloader+app using Ghidra. Found the encryption table used in A9_PPPP, and the encrypt/decrypt functions. I had an idea - this encryption is just an xor operation; if I replace the table with zeros, encryption will be disabled. Checked this idea and failed with the fal command. fal write is not working.

Later I started experiments with uartprogram from OpenBekenIOT/hid_download_py. And this tool works great with both types of my cameras. This tool works with virtual addresses; the created dump includes the CRC bytes. And the bin file you want to flash should contain the CRC bytes. The app partition starts from 0x00011000. This tool can extract a bin without the CRC bytes. I did not understand that fact; I thought that the address 0x00011000 was a mistake, or my camera was unique, and flashed my dump into 0x00010000; the camera got bricked.
uartprogram works simply. It expects that the Beken chip starts in the bootloader. When Beken starts the OS rtthread, this tool sends the command reboot to FinSH. If the tool can’t reboot the chip you need to do it manually - connect the CEN pin to ground or just turn the power supply off and on (in my case I pressed a button on the power bank). If the bootloader partition is ok, the chip can be flashed by this tool.
When I realized my mistake with the addresses I simply restored the app partition from backup. I tried to flash the bootloader partition from the backup made by fal.
Previously I flashed the backup of app to virtual address 0x00010000. It writes to physical addresses 0x0000f000-0x00010000. In the partition table this area is unused, but it looks like it stores some calibrations. Now my 365cam camera starts with a strange wifi config; I have to configure mac and wifi in the terminal on every restart.
I tried to flash the modified (without encryption) app_crc.bin - the camera starts, but the apk/A9_PPPP can’t connect.
I tried to flash app_365cam_crc.bin to the V720 camera - the bootloader starts, the OS does not (I didn’t check the second uart interface; 365cam has only one uart’s pins). Restored app from backup - works fine.

There is one more tool which adds the CRC bytes to a binary file: https://github.com/ghsecuritylab/tysdk_for_bk7231/tree/master/toolchain/encrypt_crc

My backups: https://file.io/Kf0iUTWo3VqA

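The two address spaces described above (the fal/flash_dump dumps earlier in the thread and the uartprogram/app-bricking story in this post) are the same thing seen from two sides. As an added example that is not the poster's tool, uartprogram or encrypt_crc code, the Python below models that 32-data-bytes-plus-2-CRC-bytes layout: it maps offsets between the two spaces, strips the CRC bytes from a virtual dump, rebuilds a virtual image from a physical one, and looks up which partition of the quoted table a physical address falls in. The two 64-byte dumps quoted above are embedded as test data. The CRC algorithm itself is not given anywhere in the thread: crc16_bk() uses parameters I assume the Beken encrypt_crc tool uses (poly 0x8005, init 0xFFFF, non-reflected), so it is labelled as an assumption and crc_matches_dump() lets you check it against a real dump before trusting any image built with it.

```python
"""Beken flash address helpers (added example, not code from the thread or from
hid_download_py/uartprogram/encrypt_crc).

Physical layout: what the CPU sees; 'app' starts at 0x00010000.
Virtual layout : every 32 data bytes are followed by 2 CRC bytes, so the same
                 'app' partition starts at 0x00011000 (= 0x10000 / 32 * 34).
"""

DATA_BLOCK = 32                       # data bytes per block
CRC_LEN = 2                           # CRC bytes appended to each block
VIRT_BLOCK = DATA_BLOCK + CRC_LEN     # block size in the CRC-interleaved image

# Partition table quoted in the post (365cam camera); physical addresses, end inclusive.
PARTITIONS = [
    ("bootloader", 0x00000000, 0x0000EFFF),
    ("app",        0x00010000, 0x0018FFFF),
    ("download",   0x00132000, 0x001FDFFF),
    ("EasyFlash",  0x001FE000, 0x001FEFFF),
    ("param2",     0x001FF000, 0x001FFFFF),
]

# Dumps quoted in the post: 'fal read 0 64' (physical) and 'flash_dump 0 64' (virtual).
FAL_READ_0_64 = bytes.fromhex(
    "C50000EA14F09FE514F09FE514F09FE5" "14F09FE514F09FE514F09FE514F09FE5"
    "24060000B80500003406000044060000" "54060000C8050000D8050000EFBEADDE")
FLASH_DUMP_0_64 = bytes.fromhex(
    "C50000EA14F09FE514F09FE514F09FE5" "14F09FE514F09FE514F09FE514F09FE5"
    "38DA24060000B8050000340600004406" "000054060000C8050000D8050000EFBE")


def phys_to_virt(addr: int) -> int:
    """Physical offset -> offset of the same data byte in the virtual image."""
    return (addr // DATA_BLOCK) * VIRT_BLOCK + addr % DATA_BLOCK


def virt_to_phys(addr: int):
    """Virtual offset -> physical offset, or None if the offset lands on a CRC byte."""
    block, off = divmod(addr, VIRT_BLOCK)
    if off >= DATA_BLOCK:
        return None
    return block * DATA_BLOCK + off


def partitions_for(phys_addr: int):
    """All partitions covering a physical address (app and download overlap in the table)."""
    return [name for name, start, end in PARTITIONS if start <= phys_addr <= end]


def strip_crc(virtual: bytes) -> bytes:
    """Drop the 2 CRC bytes after every 32 data bytes (virtual dump -> physical image)."""
    out = bytearray()
    for i in range(0, len(virtual), VIRT_BLOCK):
        out += virtual[i:i + DATA_BLOCK]
    return bytes(out)


def crc16_bk(data: bytes) -> int:
    """ASSUMED CRC-16 (poly 0x8005, init 0xFFFF, non-reflected); not confirmed by the thread."""
    crc = 0xFFFF
    for b in data:
        crc ^= b << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x8005) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc


def add_crc(physical: bytes, crc_fn=crc16_bk) -> bytes:
    """Physical image -> virtual image: each 32-byte block followed by crc_fn(block), little-endian."""
    if len(physical) % DATA_BLOCK:
        raise ValueError("physical image must be a multiple of 32 bytes")
    out = bytearray()
    for i in range(0, len(physical), DATA_BLOCK):
        block = physical[i:i + DATA_BLOCK]
        out += block + crc_fn(block).to_bytes(CRC_LEN, "little")
    return bytes(out)


def bad_crc_blocks(virtual: bytes, crc_fn=crc16_bk):
    """Indices of complete blocks whose stored CRC does not match crc_fn (use before flashing)."""
    bad = []
    for n in range(len(virtual) // VIRT_BLOCK):
        blk = virtual[n * VIRT_BLOCK:(n + 1) * VIRT_BLOCK]
        if int.from_bytes(blk[DATA_BLOCK:], "little") != crc_fn(blk[:DATA_BLOCK]):
            bad.append(n)
    return bad


def crc_matches_dump(crc_fn=crc16_bk) -> bool:
    """True if crc_fn reproduces the '38 DA' stored after the first block of the quoted dump."""
    return bad_crc_blocks(FLASH_DUMP_0_64, crc_fn) == []


if __name__ == "__main__":
    print("app: phys 0x%05X -> virt 0x%05X" % (0x10000, phys_to_virt(0x10000)))
    # The poster's mistake: writing at *virtual* 0x10000 lands here physically.
    print("virt 0x10000 -> phys 0x%05X, partitions %s" % (virt_to_phys(0x10000), partitions_for(virt_to_phys(0x10000))))
    print("flash_dump minus CRCs equals fal read:", strip_crc(FLASH_DUMP_0_64) == FAL_READ_0_64[:62])
    print("assumed CRC-16 matches the quoted dump:", crc_matches_dump())
```

Run it as a script to see the checks; the round trip strip_crc(add_crc(x)) == x holds whatever CRC function you pass, while crc_matches_dump() is the one line that tells you whether the assumed CRC parameters are right for your chip. Running virt_to_phys(0x10000) gives 0xF0F2, which is exactly the unused 0xF000-0x10000 area the post says got overwritten.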

Just adding this info (in case it is not already known).

I’m using the cam version with the print “A9_B V1.3_220516”.

I tried getting a terminal connected via the USB connector, which did not work.
By inspecting the PCB I spotted that the two resistors for the data lines are not placed.
I will install two 22 Ohm resistors and try again.

…I did not have 22 Ohm in the 0603 package and had to use 0805 instead. But it’s working fine!

V(0.1.3)
CPSR:0x000000D3
R0:0x60E1E2A4
R1:0x9414EADC
R2:0x9F4D8D83
R3:0xBD77FFE9
R4:0x6B322B04
R5:0xE3F4BB7E
R6:0x14E8AF78
R7:0xA5726451
R8:0x7115E80A
R9:0xAC4412AC
R10:0xBD77FFE9
R11:0xFCF675FE
R12:0x32B66BD8
R13:0x5DE897A2
R14(LR):0x8EE40012
[I/FAL] Fal(V0.4.0)success
[I/OTA] RT-Thread OTA package(V0.2.4) initialize success.
[E/OTA] (ota_main:290) App verify failed! Need to recovery factory firmware.

go os_addr(0x10000)…

\ | /
RT - Thread Operating System
/ | \ 3.1.0 build May 30 2023
2006 - 2018 Copyright by rt-thread team
test_flash_read_for_mac
No TLV header found in flash
[FUNC]rwnxl_init
[bk]tx_txdesc_flush
[FUNC]calibration_main
get rfcali_mode:0
tssi_th:b-120, g-115
fit n20 tab with dist:2
fit n20 tab with dist:2
fit n20 tab with dist:2
txpwr table for ble ch0/19/39 inused
NO TXID found in flash, use lpf i&q:14, 13
NO TXID found in flash, use def xtal:24
xtal in flash is:24
xtal_cali:24
rwnx_tpc_pa_map_init
[FUNC]ps_init
[FUNC]func_init_extended OVER!!!

Has anybody tried to compile with SCons following the instructions provided in the SDK? Reply in PM please.

I tried to build daniel-dona/beken7252-opencam with minor changes (the image size is too big), flashed it to the device and nothing happened, no logs to the terminal.

I successfully ran my code on the camera: GitHub - Apache02/a9-hello-world
This is just a proof of concept. Now I can move on with rtthread.

V(0.1.3)
CPSR:0x000000D3
R0:0x9DDBEADF
R1:0xFDFF5FE7
R2:0xC02953C8
R3:0xBCD6EFFD
R4:0xFF7FFD7B
R5:0xFEF8FE71
R6:0xDF8FFFA3
R7:0xD6DBDEB9
R8:0xC31698E1
R9:0xFEFFDEBE
R10:0xBCD6EFFD
R11:0xB9D03D45
R12:0xFFAF7F4F
R13:0xFFB2BFFC
R14(LR):0xFB6EF7FB
[I/FAL] Fal(V0.4.0)success
[I/OTA] RT-Thread OTA package(V0.2.4) initialize success.
[E/OTA] (ota_main:290) App verify failed! Need to recovery factory firmware.


go os_addr(0x10000)..........
Hello, World!!1
Hello UART2
Hello UART2
Hello UART2
Hello UART2
Hello UART2
Hello UART1
Hello UART1
Hello UART2
Hello UART2
Hello UART2
Hello UART2



Is this a good version? What is the easiest way to use it locally without it calling home?

Oh yeah! Read all 300+ messages before…


This is the exact same version I got from temu.com for 3.7 euro. I do believe this is the latest and cheapest version being mass produced. Daniel Dona’s opencam is essentially at the same stage as bk7252 camera interface and mjpeg · Issue #206 · libretiny-eu/libretiny · GitHub. I favor libretiny over opencam because I do not want to be a maintainer of any of this code, and, well, looking at opencam he seems to be already falling behind maintaining his project. Anyway, to cut the story shorter than short: both projects have the Beken SDK code for interfacing with the camera interface; no one has yet been able to make use of the said interface code.


So, I bought two cameras from Temu, can’t remember how much they cost; I will check to see if I can find exact links, if still available, in my purchase history. My camera has port 23 open, and I am able to telnet to it with no password needed.

\ | /
RT - Thread Operating System
/ | \ 3.1.0 build May 15 2023
2006 - 2018 Copyright by rt-thread team
current firmware name: app, version: 7252_CY_IPC_2305171919, timestamp: 1684408518

I was able to locate the firmware at the site which was listed earlier, and I mirrored it to a new GitHub repo to keep the files safe.

These are the commands that are compiled into the version my camera is running:
RT-Thread shell commands:
start_ap_direct - This is start_ap_direct
testLedDemo - This is testLedDemo
mac - set_or_read_mac
rxsens - do_rx_sens
txevm - do_tx_evm
video - video
wifi_demo - wifi_demo command
rfcali_show_data - rfcali show data
rfcali_cfg_tssi_g - rfcali cfg tssi
rfcali_cfg_rate_dist - rfcali cfg rate_dist
rfcali_cfg_mode - rfcali cfg mode
rfcali_cfg_tssi_b - rfcali cfg tssi
camera_param_test - camera_param_test
camera_anti_flicker_test - camera_fps_test
camera_fps_test - camera_fps_test
camera_ppi_test - camera_ppi_test
camera_effect_test - camera_effect_test
camera_contrast_test - camera_contrast_test
camera_flip_test - camera_flip_test
camera_bringtness_test - camera_bringtness_test
camera_inf_write_reg_value - camera_inf_write_reg_value
camera_inf_read_reg_value - camera_inf_read_reg_value
camera_reg_read_test - camera_reg_read_test
video_test - This is video_test
registAudioLiveStream - This is registAudioLiveStream
batteryDemo - This is batteryDemo
buttonServiceInit - This is buttonServiceInit
VideoTransferTcpStart - This is VideoTransferTcpStart
testFlash - This is testFlash
testBurn - This is testBurn
testFatctor - This is testFatctor
getPHParamAndSetItFromSDTest - getPHParamAndSetItFromSDTest
photoresistorGetTest - photoresistorGetTest
photoresistorSetTest - photoresistorSetTest
testOtaDemo - This is testOtaDemo
testTFCardOta - This is testTFCardOta
gpio_test - gpio_test
testSetMotorDirection - testSetMotorDirection
motorInit - motorInit
apMatchCancel - apMatchCancel
apMatchStart - apMatchStart
reBleConfigNet - reBleConfigNet command
destroyBle - destroyBle command
registerBle - registerBle command
PHDemo - This is PHDemo
testDevice - This is testDevice
ringtonePlayerTest - ring tone Player Play
startUpTonePlay - startUpTonePlay
tonePlayerServiceInit - tonePlayerServiceInit
testAppCheckOta - this is testAppCheckOta
testDeviceSearch - This is testDeviceSearch
registVideoLiveStream - This is registVideoLiveStream
registVideoRealTimeStream - This is registVideoRealTimeStream
setFirstBuy - This is setFirstBuy
read_sensitive - read_sensitive
set_sensitive - set_sensitive
audio_dump - audio_dump
wdg_stop - wdg_stop
wdg_refresh - wdg_refresh
wdg_start - wdg_start
reboot - reboot system
set_log - set_log on or off
stack - rt_hw_stack_print
resetenv - Reset all envrionment variable to default.
getvalue - Get an envrionment variable by name.
saveenv - Save all envrionment variables to flash.
printenv - Print all envrionment variables.
setenv - Set an envrionment variable.
iperf - the network bandwidth measurement tool
netio_init - netio server
ntp_sync - Update time by NTP(Network Time Protocol)
ping - ping network host
telnet_server - startup telnet server
ble_command - ble_command
bk_ble_netconfig_stop - bk_ble_netconfig_stop
bk_ble_netconfig_start - bk_ble_netconfig_start
ble_netconfig_sample - ble_netconfig_sample
button_test - button test
http_ota - OTA by http client: http_ota [url]
memtrace - dump memory trace information
list_fd - list file descriptor
list_device - list device in system
list_timer - list timer in system
list_mempool - list memory pool in system
list_memheap - list memory heap in system
list_msgqueue - list message queue in system
list_mailbox - list mail box in system
list_mutex - list mutex in system
list_event - list event in system
list_sem - list semaphore in system
list_thread - list thread
version - show RT-Thread version information
help - RT-Thread shell help.
free - Show the memory usage in the system.
time - Execute command with time.
ps - List threads in the system.
netstat - list the information of TCP / IP
dns - list the information of dns
ifconfig - list the information of network interfaces
echo - echo string to file
df - disk free
mkfs - format disk with file system
mkdir - Create the DIRECTORY.
pwd - Print the name of the current working directory.
cd - Change the shell working directory.
rm - Remove(unlink) the FILE(s).
cat - Concatenate FILE(s)
mv - Rename SOURCE to DEST.
cp - Copy SOURCE to DEST.
ls - List information about the FILEs.
fal - FAL (Flash Abstraction Layer) operate.
date - get date and time or set [year month day hour min sec]
wifi - wifi command
play_audio_init - play_audio_init
stopAudioEncoderStream - This is stopAudioEncoderStream
startAudioEncoderStream - This is startAudioEncoderStream
testTFCard - This is testTFCard
stopVideoEncoderStream - This is stopVideoEncoderStream
startVideoEncoderStream - This is startVideoEncoderStream

Netstat output
Listen PCB states:
#0 local port 23 state: LISTEN
#1 local port 10003 state: LISTEN
#2 local port 10002 state: LISTEN
TIME-WAIT PCB states:
Active UDP PCB states:
#0 0 0.0.0.0:32108 <==> 0.0.0.0:0
#1 0 0.0.0.0:18581 <==> 0.0.0.0:0
#2 4 0.0.0.0:68 <==> 0.0.0.0:67
#3 0 0.0.0.0:8600 <==> 0.0.0.0:0

output from printenv
user=user
factoryflag=0
cchipupdate=0
language=2
led_onoff=1
ir_led=2
alarm_type=0
Audio_alarm_param=NULL
Video_alarm_param=NULL
alarm_switch=0
video_detect_sensitive=0
audio_detect_sensitive=0
alarm_beep=0
alarm_interval_time=0
speaking=0
WhiteLight=2
systemvolume=86
username0=admin
recmode=1
restartTone=1
isPushPic=0
isPushVideo=0
pirenable=0
pirPush=1
pirvideo=0
pirvideotime=10
pirsensitive=3
pirDelayTime=120
AalarmInterval=2
pirCloudUpCount=50
flashOrTf=1
uploadType=0
creatTime=00000000
days=0
buyType=1
cyToken=0
check_pwd=046798
airkissflag=1
userpasswd0=6666
pushIp=47.106.144.32
pushPort=9093
pushInterval=30
cyAdmin=admin
cyPwd=admin123
ssid0=testlan
passwd0=password123
workmode=sta
fistMatchNet=0

Not sure if it would be useful, but the documentation for rtthread, which is the OS being used, has an ipcam example and they have a demo for rtsp in there; haven’t had a chance to play with it, just got done reading this long thread :slight_smile: https://github.com/RT-Thread/IoT_Camera/tree/master/firmware/platform

firmware files backup copy

Not sure if the one I’m using is the release or debug version, but it’s the one that matches the date posted above in the hb66 folders.


Do you have a link/name for the shop that you bought it from?
I am sure there are people who would be interested in this version.

If we can find a version with the rtsp demo working, then we can just write an esphome plugin or whatever to enable it.
