Popular A9 mini Wi-Fi camera & the HA challenge

intx82 · February 12, 2023, 11:00am

Yes, need to understand what server sends to start a transmission.

To start a transmission, mobile APP do a POST request to the ‘/app/api/ApiServer/watching’ and then server invokes a transmission. To do this it sends some magic to the camera, and would be nice to capture this magic.

Right now, there are three channels from which the camera could be controlled.

HTTP is not an option, it used only for initial configuring servers. TCP port 80. Host v720.naxclow.com
TCP connection is used to send MJPEG/G711 stream, but on default commands similar to AP commands it didn’t respond. Various TCP port and host, gets from bootstrap HTTP request answer.
MQTT is used for controlling entire camera, but there are no information inside app source what need to do to start a transmission. Host: v720.p2p.naxclow.com:1883

elMan · February 12, 2023, 2:24pm

Hey guys,
My recently bought camera from cafago ( www .cafago .com/ en/p-d12029.html) - uses the same BK7252 chip. Doing a tcpdump I saw it is going to a specific chinese site to look for updated firmware. The connection to the site is plain HTTP and it seems like that the site appart from the firmware for my camera (it looks in folder HB66) contains firmware for other models mentioned in this thread, including the A9 camera. The firmware url is http://120.77.233.10/BK7252_P2P_IPC_FW/
The firmware files seem to be in the “OTA downloader” format for RT-Thread. more details can be foud here: GitHub - RT-Thread-packages/ota_downloader: The firmware downloader which using on RT-Thread OTA component.
I did not have the time to do a binwalk on these files yet.
Finally, an nmap on my camera reveals port 23 open (but no responses when you telnet to it) and ports 10002 and 10003. But no streams available there.
Hope that info could help somehow.

Cheers,
Elias

DarkPhoinix · February 14, 2023, 11:37am

classic nbit reply !

DarkPhoinix · February 14, 2023, 11:38am

classic nbit reply ! PLEASE ANYONE STOP THIS TROLL!

DarkPhoinix · February 14, 2023, 12:55pm

Does anyone have a wiring diagram for STLINK interfaces? i see rx and tx points on the board and USB have only one 3 points soldered!

nickrout · February 14, 2023, 9:13pm

You joined here just to post abuse? Good one. And oh so wounding!

RuneKyndal · February 15, 2023, 1:38am

my board looks different than this. and I’m not sure its STlink used for Beken chips ?
i have an STLink but I’m not sure what you are trying to do? do you have alternative firmware`?

intx82 · February 17, 2023, 12:24pm

It’s a microphone, JTAG from other side, check bk7252 datasheet

RuneKyndal · February 17, 2023, 5:49pm

I’m wondering if the camera can be reprogrammed with the reference design.
eliminate the china firmware completely
my hardware has TMS,TDI,TDO,TCK under the camera

jinjerbredman · February 19, 2023, 1:07am

rt thread keeps showing on my home network. i use Wyze and blurams cams, but none of these small A9’s. I suspect someone has planted cams in my home and I want to find the cams & introduce them to the heel of my boot. I am not a programmer, I found this site by researching on line. If anybody would help me with tips on how to find the illegally placed cams in my home, and /or who placed them, i will be grateful and gladly reward anyone if i am successful in making that ‘introduction’ thanks,
J

virtaz · February 19, 2023, 3:52pm

It would be awesome just to flash spy-china-free firmware in to these and just use them with HA and other systems…

RuneKyndal · February 19, 2023, 8:37pm

right??
as with a lot of these devices. i think they are made quite similar to the reference designs
DE-CHINA these cameras would be awesome

Tamadite · February 19, 2023, 8:38pm

that is what I tried with the “reference” code I posted above. It can be flashed but the code needs some tweaking.

GermanDZ · February 21, 2023, 8:48am

Great work! I have it running in my lab now.

I’ll try to setup a TCP-proxy in my workstation and to a man-in-the-middle to understand which comms are happening between the camera and the server.

GermanDZ · February 21, 2023, 12:46pm

I’ve dumped some info using the app and getting the stream, maybe we could work from that to get the streaming working locally using the fake_server.

github.com/intx82/a9-v720

Streaming from cam to app

opened 12:45PM - 21 Feb 23 UTC

GermanDZ

# Handshake for streaming with Naxclow server I've setup Wireshark over a ded…icated WIFI connection and dumped the communications between the mobile app, the cam and the servers ## Communication The cam was already registered in the app (with naxclow server) and the app connected to the server. I've started the transmission from the app and this is the description of what happened. ### Nodes APP: local ip addr 192.168.2.14 (private ip address of the mobile phone with the v720 app) CAM: local ip addr 192.168.2.13 (private ip address of the camera) STREAM: ip addr 43.240.74.95 (the remote "streaming" server, `host` returned by `v720.naxclow.com` in endpoint `/getA9ConfCheck`) (a.b.c.d is my public ip address in internet, my home internet router WAN ip) ### "Channels" port 29942: the `tcpPort` returned by `v720.naxclow.com` in endpoint `/getA9ConfCheck` APP-to-STREAM-TCP: APP TCP (port 51733) to STREAM on port 29942 APP-to-STREAM-UDP: APP UDP (port 58763) to STREAM on port 29942 STREAM-to-CAM-TCP: STREAM TCP (port 29942) to CAM on port 13761 APP-to-CAM-TCP: APP UDP (port 58763) to CAM on port 18297 ### Sequence of messages `devTarget`, `devToken`, `cliTarget`, `cliId` and `target` are redacted. APP-to-STREAM-TCP: {"cliNatPort":51733,"devTarget":"0800c000XYZW","code":10,"cliPort":45426,"cliIp":"a.b.c.d","devToken":"XJ0af899","cliNatIp":"192.168.2.14"} {"code":100,"uid":"0003fb965495XXXXYYYYXZZ618febAB","domain":"v720.naxclow.com","token":"55ABfb77"} APP-to-STREAM-UDP: {"code":20} # (UDP hole-punch?) APP-to-STREAM-TCP: {"cliNatPort":51733,"devTarget":"0800c000XYZW","code":10,"cliPort":45426,"cliIp":"a.b.c.d","devToken":"XJ0af899","cliNatIp":"192.168.2.14"} STREAM-to-CAM-TCP: {"code":11,"cliTarget":"0003fb965495XXXXYYYYXZZ618febAB","cliToken":"55ABfb77","cliIp":"a.b.c.d","cliPort":45426,"cliNatIp":"192.168.2.14","cliNatPort":51733} STREAM UDP (port 29942) to CAM on port 18297: {"code":21,"ip":"a.b.c.d","port":45412} APP-to-CAM-TCP: {"code":50,"cliToken":"55ABfb77","devTarget":"0800c000XYZW","cliId":"0003fb965495XXXXYYYYXZZ618febAB","devToken":"XJ0af899"} APP-to-STREAM-TCP: {"code":52,"status":1,"devTarget":"0800c000XYZW","devToken":"XJ0af899"} STREAM-to-CAM-TCP: {"code":53,"target":"0003fb965495XXXXYYYYXZZ618febAB","status":1} APP-to-STREAM-TCP: {"target":"0800c000XYZW","content":{"code":298},"code":301} APP-to-CAM-TCP: {"timeStamp":"1676971368690","code":54} STREAM-to-CAM-TCP: {"code":301,"target":"0003fb965495XXXXYYYYXZZ618febAB","content":{"code":298}} APP-to-STREAM-TCP: {"target":"0800c000XYZW","content":{"unixTimer":1676974968,"code":4},"code":301} STREAM-to-CAM-TCP: {"code":301,"target":"0003fb965495XXXXYYYYXZZ618febAB","content":{"unixTimer":1676974968,"code":4}} APP-to-STREAM-TCP: {"target":"0800c000XYZW","content":{"code":3},"code":301} APP-to-CAM-TCP: {"timeStamp":"1676971370691","code":54} STREAM-to-CAM-TCP: {"code":301,"target":"0003fb965495XXXXYYYYXZZ618febAB","content":{"code":3}} The CAM sent 1024 bytes UDP packets from port 18297 to APP (port 58763) during the transmission, and the APP "responded" UDP 72 bytes packets.

intx82 · February 21, 2023, 10:23pm

Nice! Thanks a lot, will continue

winqdev · February 22, 2023, 7:38pm

guys is there a way to ssh into it using a USB cable, instead of wires with pins?

intx82 · March 7, 2023, 1:52am

Good news, everyone, ‘Fake server’ v0 is released.

Github repo still the same: GitHub - intx82/a9-v720: A9 V720 (naxclow) camera tool

To use it, run:

python3 src/a9_naxclow.py -s

To properly work ‘fake server’, user must make DNS redirect on own (home) router domains ‘v720,naxclow,com’ and ‘p2p,v720.naxclow,com’ to own server IP

Also, on the server must be installed any MQTT broker or ‘p2p[v720.naxclow]com’ should be redirected to any public MQTT broker

After this part, fake server up the http web server and listening for camera incoming messages. The list of available cameras will be available at http://[FAKE_SRV_IP]/dev/list (now as JSON array)

After connection camera, MJPEG video stream could be found at http://[FAKE_SRV_IP]/dev/[CAM_ID]/live, snapshot - http://[FAKE_SRV_IP]/dev/[CAM_ID]/snapshot

alberto-villar · March 10, 2023, 10:47am

I realize that adding replies to ‘waste your time blah blah’ may be a true waste of time, but express my agreement on @mb_EQNvD3CjP’s personal drive. @HeyImAlex is suggesting we substitute a $5 cam by a $40 one. He/she/it missed the point of low cost, and also confuses price with quality.
18 months ago I worked with my A9, but didn’t have enough time to use a direct connection to the AP generated by the CAM. That was the way I was trying.

HeyImAlex · March 10, 2023, 1:07pm

You joined this community only to attack a two year old post of mine ? I feel honored ! Of course you’re probably the same troll as the one before, but you know what ? Yes you’re right ! I don’t understand the point of buying cheap low quality crap. It’s a waste of your time, of your money, it increases e-waste and depletes the limited resources of the planet for - well - crap.

Hopefully this new account of yours may become a productive member of the community now ! Looking forward to it