Popular A9 mini Wi-Fi camera & the HA challenge

I also have a camera like yours, but it seems to be a different version. It connects to the “Little Stars” android app, and I can’t seem to get a local RTSP stream to make any use of it.
I can see the following on the board: “E-WF-19-V1.3”. The chip has no identification, and its wifi AP starts with “ACCQ”.
I tried the “.ini” file method with no success.

I was wondering if it is possible to reflash it with a more customizable firmware (and one that does not go to their weird cloud)

image960×1280 102 KB

image960×1280 104 KB

I’m watching this thread for any good ideas on that. Thank you!

If your cam use “little stars” I’m afraid there’s no solution (at this time). it’s typicaly A9 series with only cloud and phone connexion.
For those looking for a camera directly connected to the PC, there is a model
which uses the HD WIFICAM PRO application. It is identical to the cameras mentioned in this post,
but does not use the same chipset or the same firmware, moreover it costs the same price!
(ex: Mini caméra de surveillance IP WiFi HD 1080P, avec Vision nocturne, détection de mouvement, moniteur à distance avec support magnétique | AliExpress )
to retrieve the stream in a file, the easiest way is to use FFMPEG with the following syntax:
ffmpeg.exe -i “http://192.168.xxx.yyy:81/livestream.cgi?user=xxxxxxx&pwd=yyyyyyy&streamid=0&audio=0” -c:v libx264 -f matroska “c:\temp\outFile.mkv”
the problem is that the camera films continuously: the alarms only concern the storage on the SD card.
we would have to find a way to listen to the notifications of the camera and launch the capture accordingly.
I will look into the subject … If somebody knows a soft (for windows) to accomplish that thanks to share !
for the IP address, you can look at the DHCP of your Wifi router, possibly configure a reservation (dhcp lease) in order to have the same IP all the time.
otherwise use “advanced IP Scanner” and you should find your camera in the list quickly. (mine has a MAC 44: 01: BB: XX: YY: ZZ which corresponds to “SHENZHEN BILIAN ELECTRONIC CO. ， LTD”)
once the IP is known I recommend the “AnyCam” software which will do all the work for you by trying all possible and imaginable URLs!
note that these tools are free and you can use them for any type of camera.
hope this help…

If your cam use “little stars” I’m afraid there’s no solution

I think that is why they are calling this the “challenge”

If it was easy then well even I could do it as you’ve posted

why do you guys waste your time on garbage like that

Sorry but I don’t get how describing anything that you cannot hack into as “garbage” is helpful?

How do you define “garbage” hardware? Just because something is “cheap” to someone does not mean it’s garbage

Hardware that doesn’t work for its intended purpose. I had one of these camera things years ago. Not the exact same brand as discussed here, but they’re all based on the same cloned base anyway give or take a few variations. It was complete garbage. The image quality was worse than some 10 year old 720p DLink I still had around and that was already low end. It was a useless pixelated mess. And after a week or so it died.

This is not about being able to hack it or not, it’s just that the quality of these things is abysmal. The sensors they use are from the bottom of the scrap barrel: QA rejected devices (that would otherwise go to the landfill), stocks of unsold last-last-last-generation chips they bought in bulk for cheap, rebranded ‘scrapware’ chips (unsoldered from discarded old devices), etc. These cameras are basically trojan horses. They sell these for ‘cheap’ (they’re not actually that cheap if you think about it) to get you to install their malware ridden phone app. Sure, if you want to hack them and somehow get a local stream out of them, go ahead. I won’t tell you how to spend your free time. It will be a stream of crappy quality video though. And you can get decent RTSP / ONVIF cameras for the same price or slightly above.

OT I know, but you asked for my opinion, here it is.

For my case I don’t want it for any super quality video surveillance, it is just for a pet project to watch a utility meter display. So a basic crappy device with somewhat night vision is enough. I just needed a Rtsp local stream.

Just arrived, however the http url does not respond and there is no open port Have you done anything to enable the streaming url?
I also can’t find a way to set the username and password as I don’t know what the default value is.

Did you order it from same link to Aliexpress Tuyau2poil posted above?

yes, same link

Good to know because I was about to order one from it. Now I will not since I’d get one same as yours and I suspect it’s similar to the one I already have.

Yep, wait a bit, let’s see if @Tuyau2poil sees my question and point out if something else needs to be done before getting access to the stream.

The AnyCam app suggested has found that port 10002 is open however it couldn’t find any stream on that port. Connecting to it via telnet hangs.

My personal drive is to find something dirt cheap that I can use to automate meter readings (until my providers do that) - and this thing is dirt cheap (I’m seeing a deal for $2 on Ali Express today).

I actually love that everybody is adding small bits and pieces of their investigations and we are getting more and more information collectively - and maybe one day we have enough to find a quick solution to accessing this.

Can this not be done with a ESP32-CAM?
I have seen solutions with a RPi and maybe with the new Zero 2 and a camera board if the ESP32 cannot do this and you have full control.

It surely can.

It can be done probably at least a hundred ways. The $2 bit makes this particular device much more interesting tho.

I tried, on my experience is that ESP32 out of the box are not powerful enough, and lacks IR for dark environments. I get very bad images. Specially worse if you need to OCR.

So there isn’t any possible way to configure an a9 camera to make my own P2P server for my camera? Y have an A9_L2_V7

I bought this camera in the hope I could make a cheap security system out of it. I first tried ESP32’s but the image quality was horrible. I’m not talking resolution, but it had green and magenta stripes that flickered randomly to the point it wasn’t worth looking at.

Anyways, here is the good stuff:

The camera I am operating on is A9-L2-V7 and is running Thread Operating System 3.1.0 build Aug 19 2021

I was able to communicate with the device over the micro USB port and connect it to a USB to TTL

I am an amateur on hacking devices but I was able to dump part of the flash using the in-device command fal probe. The output of this command gave me a table.

[I/FAL] | name       | flash_dev        |   offset   |    length  |
[I/FAL] -------------------------------------------------------------
[I/FAL] | bootloader | beken_onchip_crc | 0x00001f00 | 0x0000e000 |
[I/FAL] | app        | beken_onchip_crc | 0x00010000 | 0x00110000 |
[I/FAL] | download   | beken_onchip     | 0x00132000 | 0x000cc000 |
[I/FAL] =============================================================

With this information, I used the commands fal probe bootloader then fal read *address *length. These commands made it read and paste the output of the flash memory. As this command didn’t give me the ability to write to a file, I had to copy and paste from the putty terminal. This is of itself isn’t horrible, but the device was only able to print out 12KB of data at a time, or else it crashed.

With some copy and paste magic, with along sprinkle of programming to format files, I was able to make some .bin files.

Here are the files:
https://cdn.discordapp.com/attachments/755599394182660136/934028339864297532/A9_cam_dump.zip

I haven’t had the chance to error-check the files, so it might be possible that I didn’t copy and paste a section. I added the raw text so you can check to make sure that the address is in the correct order and without gaps.

Of the three available partitions, the download partition kept just giving errors, so there was no luck of me recovering it. Also, the other partitions that I did get, the end of the partition read was acting weird, It was giving errors such as out of bounds of partition when I know for a fact I was inside. Therefore, the trailing end of the dumps might be missing or incorrect.

I was able to do a binwalk of the files:

unknown946×254 8.49 KB

P.S. To stop the device from constantly looking for an AP, type rxsens it shuts it up for some reason.
also, as per the console, the resolution of this device is 640x480, don’t believe any China marketing lies that say it is HD.

I hope this helps someone!

Very interesting indeed! Can you please elaborate the USB to TTL thing? I cannot figure out how you did it.

The USB to TTL is this device Amazon.com
and how you connect to it, is with this cable 4 Core Mobile Data Cable Micro Usb Type B Extension Cable Male To Dupont 2.54 4pin Connector - Buy Micro Usb Type B Cable,Right Angle 90 Degree,Micro B Extension Cable Product on Alibaba.com

Personally, I just cut up a normal micro USB cable and hooked it up to the USB to TTL, it’s cheaper and faster with the cost of looking nice and ease of use.

Do your own research on where to buy these, I just picked random links to show you. Don’t pay more than $8 for the USB to TTL.