Popular A9 mini Wi-Fi camera & the HA challenge

Maybe you could share that part, so other people are able to follow the same standard. I mean, blocking the internet access. Are those devices on a separate VLAN, on a wifi SSID you created for those devices, or?

It is important to recall that, for the most part, it is not enough to isolate the camera from the Internet just like that because it features a heartbeat function (some models?) towards a service on the Internet. See this post: Popular A9 mini Wi-Fi camera & the HA challenge - #13 by Tamadite

I have almost exactly this camera, but just with a later version of the board. My board is version J9_001_V1.2_20221222. I’ve managed to dump some startup info when connected with a USB to UART. It asks for a password if you try and send any text to it. Here’s the dump:

[bl ERR] main():629, build:20:38:52
[FD I]: mode: 0x4, freq: 48000000Hz, drv: 0

Password:PMA: mode select:e

wlan information ===================================================
firmware:
    version : R-XR_C10.08.52.64_01.80 Jul  6 2019 20:05:10-P01.46-R
    buffer  : 12
driver:
    version : XR_V02.05
====================================================================

PMA: wlan mode:a

platform information ===============================================
XRADIO Skylark SDK 1.2.0 Apr  7 2023 20:11:14

sram heap space [0x21dc18, 0x25fc00), total size 270312 Bytes
cpu  clock 240000000 Hz
HF   clock  40000000 Hz

sdk option:
    XIP           : enable
    INT LF OSC    : enable

mac address:
    efuse         : a8:f1:b2:8e:88:60
    in use        : 70:33:f6:4b:f3:05
====================================================================

bCheckEncrypt:1
StartupState:0
gpio_grp=0,gpio_bit=21
led drv init
check vol
[mthread]Create task:vbat(stack:2048),prio:3,ret:0 
XXXX task:vbat
[WRN] switch to high speed error, use DS: 25 MHz
[FS INF] mmc init
[FS INF] mount success
SD File System initialized! freespace:155MB
[mthread]Create task:sdcardth(stack:2048),prio:3,ret:0 
XXXX task:sdcardth
err cmd:use_fw_rate_policy
vif=0, rts_threshold = 3000
ssid is NULL. AP 
<wifi>lpdtim:10, lplis:10
[mthread]Create task:wifitask(stack:4096),prio:3,ret:0 
XXXX task:wifitask
[XRADIO_INTERNAL_CODEC] AMIC set volume Level-[7]
[XRADIO_INTERNAL_CODEC] AMIC set volume Gain-[39]
wifi task run
en1: CTRL-EVENT-TERMINATING 
WAR join_status:0

wlan information ===================================================
firmware:
    version : R-XR_C10.08.52.64_01.80 Jul  6 2019 20:05:10-P01.46-R
    buffer  : 12
driver:
    version : XR_V02.05
====================================================================

interface name: en1
Using interface en1 with hwaddr 70:33:f6:4b:f3:05 and ssid "AP-XRADIO"
[XRADIO_INTERNAL_CODEC] AMIC set volume Gain-[39]
[XRADIO_INTERNAL_CODEC] LINEIN set volume Level-[1]
[XRADIO_INTERNAL_CODEC] AUDIO_IN_DEV_ALL set volume Gain-[0]
[XRADIO_INTERNAL_CODEC] Route(cap): amic Enable
en1: interface state UNINITIALIZED->ENABLED
en1: AP-ENABLED 
en1: AP-DISABLED 
[net INF] msg <wlan connected>
[net INF] netif is link up
[net INF] bring up netif
[net INF] netif (IPv4) is up
[net INF] address: 192.168.238.1
[net INF] gateway: 192.168.238.1
[net INF] netmask: 255.255.255.0
WLAN CONNECTED
err cmd:use_fw_rate_policy
vif=0, rts_threshold = 3000
vif0, AP/GO mode THROTTLE=38
[net INF] msg <network up>
NETWORK UP
<L>Cmutex:0
<L>Cmutex:0x229008
<L>lwip_socket(PF_INET, UDP, 17) = SKT_0
en1: interface state ENABLED->DISABLED
[net INF] msg <wlan disconnected>
[net INF] netif is link down
WLAN DISCONNECTED
<L>Cmutex:0
<L>Cmutex:0x224f20
<L>lwip_socket(PF_INET, UDP, 17) = SKT_1
Using interface en1 with hwaddr 70:33:f6:4b:f3:05 and ssid "BATA974044VFLDJ"
---->detect gc0329 
[ERR] BUG at pm_unregister_ops:585 dev:0'O[ERR] BUG at pm_unregister_ops:590 dev:i2c0(0x200090)!
[os E] OS_MutexDelete():54, handle 0
[os E] OS_SemaphoreDelete():67, handle 0
GC0329 chip id read success 0xc0
en1: interface state DISABLED->ENABLED
en1: AP-ENABLED 
[net INF] msg <wlan connected>
[UMAC WARN] net80211_linkoutput():202, ifnet 0x214b90 not valid for tx!
[net INF] netif is link up
[net INF] netif is already up
WLAN CONNECTED
err cmd:use_fw_rate_policy
vif=0, rts_threshold = 3000
lednum:0
--drvled_flash :(0,1,5,5,1,5,5)
<RTW>WiFi ap start ok:BATA974044VFLDJ, 0, 11
wifi task exit
[mthread]vvvthread wifitask, tid:2177724 EXIT
vif0, AP/GO mode THROTTLE=38
GC0329 Init Done 
[mthread]Create task:vtask(stack:3072),prio:3,ret:0 
XXXX task:vtask
[mthread]Create task:atask(stack:3072),prio:3,ret:0 
XXXX task:atask
[mthread]Create task:thdImage(stack:2048),prio:3,ret:0 
XXXX task:thdImage
[mthread]Create task:RT_REC(stack:2048),prio:3,ret:0 
XXXX task:RT_REC
[mthread]Create task:MD_TH(stack:2048),prio:3,ret:0 
XXXX task:MD_TH
task_aenc_stream runing
[mthread]vvvthread thdImage, tid:2176020 EXIT
[mthread]Create task:p2plis(stack:10240),prio:3,ret:0 
XXXX task:p2plis
[mthread]Create task:CameraTest(stack:2048),prio:3,ret:0 
XXXX task:CameraTest
set br:-1--1
/camera_test.txt does not exist!
[mthread]vvvthread CameraTest, tid:2176196 EXIT
fileidx:7
record freespace:155MB 
e[0;32;31m ../../../../project/demo/ilnk_demo_et_1mflash/ilnk_ipc/src/record_ilnk.c RT_RECFILE_Open 265e[m
[IpcP2pStart][  82]p2p starte,bP2pStarted=[0]

DataRW_Init bufferSize=32
<L>lwip_close(0)
<L>lwip_close(0)
<L>mutex D:0x229008
<L>lwip_close(SKT_0),tcp=0
Success[0]--IlnkModP2pStart
IpcSysInit:0
[mthread]vvvthread p2plis, tid:2178548 EXIT
[os E] OS_MutexLock():65, handle 0
semaphore not initialized at line 448 in src/api/tcpip.c
<L>Cmutex:0
<L>Cmutex:0x247ac8
netconn state error at line 1132 in src/api/api_msg.c
<L>Cmutex:0
<L>Cmutex:0x247c10
<L>lwip_socket(PF_INET, UDP, 0) = SKT_0
<L>lwip_socket(PF_INET, UDP, 17) = SKT_2
<L>Cmutex:0
<L>Cmutex:0x247d50
<L>lwip_socket(PF_INET, UDP, 0) = SKT_3
network interface: en (Default)
MTU: 1500
MAC: 70 33 f6 4b f3 05 
FLAGS: UP LINK_UP ETHARP IGMP
ip address: 192.168.238.1
gw address: 192.168.238.1
net mask  : 255.255.255.0

network interface: lo
MTU: 0
MAC: 
FLAGS: UP LINK_UP
ip address: 127.0.0.1
gw address: 127.0.0.1
net mask  : 255.0.0.0

It would seem the password is at least 16 characters long.

Anyway, long story short. I would like to know how you dumped the flash as I would like to do the same.

I’ll try it if it works and thank you in advance

WOOOOWW!!

After almost a year, this solution works pretty well!
I have a BATA984383XVUQ - I pair and got the video and audio stream via this cam-reverse project in HomeAssistant.

Thanks for your C adaptation. I successfully connected with my A9 (DGOA). But cannot integrate with “motion”. Can you show your motion.conf or cameraX.conf file?

I had misread this article believing it said the A9 was on the “approved” list:

As I don’t like APP/device dependencies (browser only), and want ZERO internet/cloud usage.

So I placed the order for 5x A9’s at $1.99/ea on 2024-06-14.
https://www.aliexpress.us/item/3256806244753061.html (shows $3.84 even for me).

If anyone cares, they are STILL available at $1.99/ea with free shipping (as of 2024-06-15) when you buy 3 items when you go to AliExpress and click on the annoying popup to shop the $0.99 and up items.

So when I discovered my mistake, I came across this forum thread.
I read every post till I got to 200, then skipped to the very end. So I don’t know where the project/challenge is at the moment.

Hopefully a new china free firmware without “calling home”???

Anyhow, a ways back I bought a “smart video doorbell” for $5
https:/ /www.aliexpress.us/item/3256805773616498.html
----new user allowed one link, remove space between forward slashes----

It used this app:
https:/ /home.naxclow.com/dynamic/dir/347b8f025830d77d7f464bdd8e1ec597/index.html/
----new user allowed one link, remove space between forward slashes----

I tried it for like 5 minutes, didn’t care that it notified you, but didn’t show you the video if you waited more than 60 seconds to respond. Removed the app, factory reset the device, and removed the battery. The little white thing is the indoor “bell” that you plug into a USB charger (no battery in it), that you pair to the camera/doorbell.

I got curious and opened it up. It does indeed have a Beken BK7252UWN48 chip in it.
mic, and IR leds, a coil wire antenna. PCB antenna, and TX and RX solder pads. (uart port?).

—new user only allowed one image - image 1, removed—

—new user only allowed one image - image 3 removed—

No app installed, NOT connected to wifi, I am able to press the doorbell button and it will ring the indoor “bell”. Using a TinySA Ultra spectrum analyzer I was able to see it transmitting at 433MHz. So MAYBE I’ll use it as a wireless doorbell with the camera removed, lol. Other than that, I really don’t care about it.

I probably have a USB2TTL adapter around here somewhere. IF anyone could use information from it, please let me know.

I’d love for someone to be able to turn the A9 into something open source amazing!!!
Copy a bin file to a uSD card, plug it in, reboot and no more fugliness!
I can dream, can’t I? lol

Thank you all for your work into this challenge!!!

Guys, is there any way to convert the “Little Stars” A9 camera into a “Tuya” one?

Definitely not. To connect to tuya, you need a tuya chip and firmware.
Also, why would you like to change one china Cloud with another? Only good solution is to get rid of the cloud and run locally without Internet access.


I got two more cameras from Temu:

Store: Wireless Security Camera Three Antennas Wifi Surveillance - Temu
App: https://play.google.com/store/apps/details?id=com.macrovideo.v380pro

Default Hostname: aliosthings
Default AP Hotspot Name: MV84476422
PCAP: cam-reverse-engineering/Wireless Security Camera Three Antennas Wifi Surveillance - Temu/PCAPdroid_06_Aug_17_35_01.pcap at main · Bluscream/cam-reverse-engineering · GitHub


(cam2 and cam4 are the temu cams)

Mirror: cam-reverse-engineering/Wireless Security Camera Three Antennas Wifi Surveillance - Temu at main · Bluscream/cam-reverse-engineering · GitHub

Hello!
I have just entered this topic and I am trying the best of A9 camera I have bought already. I am setting a new one (without using and without pairing it using official phone app) with Reverse-cam this
If I don’t think that I have to “do it myself” ( :smiley: ), my camera does an AP named LLM_34A9_00C44C with included pwd on the package “12345678” (there’s FtyCam logo on it). If I try commands like:

node dist/bin.cjs http_server --config_file="config.yml"

or

node dist/bin.cjs pair --ssid="LLM_34A9_00C44C" --password="12345678"

It does an endless loop with searching for a newly added A9 camera, which is broadcasting with 192.168.9.252 (as a gateway).

My config.yml contains:

http_server:
  port: 5000

logging:
  level: debug
  use_color: true

cameras:
  LLM_34A9_00C44C:
    alias: "TESTOVACIKAMERA"
    rotate: 1
    mirror: false
    fix_packet_loss: yes
    audio: true

# If you are crossing broadcast domains (VLANs) then
# you need to specify all IPs as unicast targets
#discovery_ips:
#  - 192.168.40.101
#  - 192.168.40.102
#  - 192.168.40.103
#  - 192.168.40.104
#  - 192.168.40.105

# If you are in the same broadcast domain, then
# it's easier to just use the broadcast address of your network
discovery_ips:
  - 192.168.9.255
  - 192.168.2.255 #this is a subnet without a VLAN that I want to use to add my camera

#blacklisted_ips:
#  - 192.168.40.102

Is there any solution, please?
Thank you for your kind reply.

why was not a single individual able to provide an acceptable solution to this mess

I’ve posted some bits about an XF16 A9 here https://www.elektroda.com/rtvforum/topic4074636.html

Nice work you've done here.

3+ years ago I bought one v380 camera just to try, same looking as A9. But it was working with ceshi.ini file in sd card that enabled rtsp://

Then bought 3 more, and they were A9 type. So they were unusable until I found this thread :)

I got ones with beken chip, and version looks like the initial photo in thread.
But AP SSID name starts with ACCQ*. Was able to use with Little stars app on ios.

So, inspired here with your effort did some checking.

As usual, various requests to china when not in AP mode.
And I believe that one also uses P2P for streaming to phone.
Also it looks like it is using this: https:// github. com/dreibh/hipercontracer/tree/master

Also, it tried to download new firmware:

URL: http://112.74.76.191/update_jxl_gc0309/rtthread.rbl

Looks like this is being used: GitHub - RT-Thread-packages/ota_downloader: The firmware downloader which using on RT-Thread OTA component.

what if we provided another update file in “controlled environment”?
I got the feeling this product is made in very lousy way so probably there is no proper checking of validity for incoming update…

j.

PS

reread the thread again

here is same update url mentioned:

also, revived second camera that I have - it was not working at all - just weirdly flashing - it appears that battery gone bad and shorted. When I removed battery was able kinda pair with same app.

this camera have had SSID THPC000027ULNEF

it was not turned on for a while, so I paired to special WLAN where tcpdump is operating

it is doing something and rebooting periodically - maybe due to lack of battery or maybe doing some checks

http://112.74.76.191/manageid/index.php?m=Mobile&c=index&a=checkid&dosubmit=1

did a post and got false

POST /manageid/index.php?m=Mobile&c=index&a=checkid&dosubmit=1 HTTP/1.1
User-Agent: curl/7.35.0
Host:112.74.76.191
Accept: */*
Content-Length: 24
Content-Type: application/x-www-form-urlencoded

idcard=THPC-000027-ULNEF
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 21 Sep 2024 22:46:39 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Set-Cookie: PHPSESSID=27shgm8s8ctcg7o3b57bbr0vk0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache

"false"

//cont, was not able to post due to new account saved draft post but somehow I have lost it


first camera that I bought of this type. V380 app, was able to enable rtsp and has been using for 3 years
it was placed outside, stuck to corner of the window.

was wondering would it be possible to transfer firmware from this one to a9



have tried to open it and check the chip. Device has been outside exposed to elements(-20C…+30C) round the year and it kept working. The battery has expanded quite a bit and when I tried to remove it, it has peeled part of the chip, literally. I thought I broke the device.

I’m unable to read chip identifier, so your guess would be as good as mine.


compared side by side it looks quite a different device and has lot more components.

my guess would be it is not possible to transfer firmware…
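
An added example, not part of any post in this thread: a Python check that flags the two cleartext requests quoted above (the `rtthread.rbl` firmware fetch and the `checkid` POST) in request heads reconstructed from a capture on the camera's WLAN. The sample input is constructed from the host and paths in the thread; the `.bin` suffix, the local `/status` request and the finding labels are assumptions.

```python
import ipaddress
from urllib.parse import parse_qs, urlsplit

# Constructed sample: cleartext request heads as seen in a capture on the
# camera's WLAN. The first two use the host and paths quoted in the thread;
# the third is a made-up LAN request added for contrast.
SAMPLE_REQUESTS = [
    "GET /update_jxl_gc0309/rtthread.rbl HTTP/1.1\r\nHost: 112.74.76.191\r\n\r\n",
    "POST /manageid/index.php?m=Mobile&c=index&a=checkid&dosubmit=1 HTTP/1.1\r\n"
    "Host:112.74.76.191\r\nContent-Length: 24\r\n\r\nidcard=THPC-000027-ULNEF",
    "GET /status HTTP/1.1\r\nHost: 192.168.2.10\r\n\r\n",
]
FIRMWARE_SUFFIXES = (".rbl", ".bin")  # .rbl is from the thread; .bin is assumed


def parse_request(raw):
    """Split a raw HTTP/1.x request into method, target, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def classify(raw):
    """Return the findings (labels chosen for this example) for one request."""
    _method, target, headers, body = parse_request(raw)
    url = urlsplit(target)
    host = headers.get("host", "").split(":")[0]
    try:
        external = ipaddress.ip_address(host).is_global
    except ValueError:
        external = bool(host)  # a DNS name: assume it resolves off the LAN
    findings = ["internet-destination"] if external else []
    if url.path.lower().endswith(FIRMWARE_SUFFIXES):
        findings.append("cleartext-firmware-download")
    params = {**parse_qs(url.query), **parse_qs(body)}
    if "idcard" in params or params.get("a") == ["checkid"]:
        findings.append("device-id-checkin")
    return findings


def scan(requests):
    return [(r.split("\r\n", 1)[0], classify(r)) for r in requests]
```

`scan(SAMPLE_REQUESTS)` returns one `(request line, findings)` pair per request, so the output can be fed into whatever alerting sits behind the capture.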

cool. you’ve inspired me to dig out the XF16 A9 to play some more.

which will start with a re-watch of this https://www.youtube.com/watch?v=k134j9E5oZE

on a TXW817-810A9 in the dreadful “HD IOT Camera” app by xiaowenyin2021 - YsxLite wouldn’t join/pair whatever properly.


http://162.14.206.183:8000/rtthread.rbl - dead

i got the same camera, i couldn't find the uart holes, did you manage to find them