Apply hack prior to upgrading to 2.7.6 for new users #6
Comments
@russinnes After you posted this I opened the Tuya app and while it shows the video it also shows a popup asking to update firmware (clicking cancel also closes the video feed). That being said, if I open the multi-camera view there's no popup and I can watch the video feed for the individual camera without limitations (just no playback features). I am going to take one last snapshot of the firmware before updating then another after updating to compare. Thanks for posting your ppsapp so I can look at it -- I would ask the devices/deviceinfo but port 80 is closed now so that won't work.
guino/ppsapp-rtsp#1 (comment) has the patch addresses for the 2.7.6 ppsapp -- I also patched it to open port 80 again.
It should be possible to apply the hack on 2.7.6 because we only use port 80 for 'confirmation' -- plus the generation of the /home/app/ppsapp on the SD card should be enough confirmation to apply the hack.
I have a vanilla camera still in a box, I may try to update it from stock to 2.7.6, and then do a blind flash using {env} on an SD card. It would be nice to confirm so if folks land here and know exactly which camera they have, they can blindly flash it, even if they have missed the boat prior to this latest firmware update.
That's cool, but there's no harm in you using guino/BazzDoorbell#11 to copy the flash before updating so that if all else fails you can use guino/BazzDoorbell#12 to put it back to 2.7.3 and install the hack before updating (again).
I got a copy of my latest 2.7.3 fw, updated to 2.7.6 and got a copy of that fw as well to compare. It seems the update flashed a new kernel and new ppsapp partition (kernel is different but same version). I also saved the log of the firmware download process from ppsapp which includes a download link to the latest firmware update (which I downloaded for future reference -- could be used to verify/inspect/build a custom firmware update file).
@russinnes so good news, I did some digging in the code and found a way to open port 80 on 2.7.6 -- I updated the instructions in https://github.com/guino/Merkury720 with a step to download/edit the ppsFactoryTool.txt file which allows opening port 80 (like it was before). I tested it on my device with 2.7.6 (without the hack) and port 80 opened like it was before. As long as that file is in the SD card port 80 should stay open from what I can tell.
I tried performing guino/BazzDoorbell#12 to downgrade my mini7C (Mercury 720p) from 2.7.6 to 2.7.3. I used the flash dump that I created performing guino/BazzDoorbell#11 before the upgrade to 2.7.6. I modified the write address in the ppsMmcTool.txt #12 to match the read address in #11 but I can't seem to get it to work. It doesn't seem to perform the commands in the ppsMmcTool.txt as far as I can tell. It does not brick my device or seem to do anything. It just boots and runs 2.7.6 just like nothing happened. I've tried numerous times and went as far as zeroing out the sdcard before repartitioning and formatting to make sure there wasn't some remnant of anything on there but still no luck. I know that there's no issue with my sdCard since I was able to read my flash using #11 for both 2.7.3 and 2.7.6. Both binwalked just fine and everything looks like it's where it's supposed to be. I can also use it to record the video on it while it's in the camera. Is it possible that flash write (#12) for the mini7C requires an env file just like the flash read (#11) does? Here is the ppsMmcTool.txt file that I used unsuccessfully for #12. Thanks for your awesome work! It's been super useful and instructive.
@jjsmisbye Depending what's on your SD card, if you have not moved a patched version of ppsapp into the SD card root, it will keep running the stock version. Also this new version blocks :80 so the first steps don't work any longer. Try editing your custom.sh on the SD card to ensure telnetd is running and enabled (/mnt/mmc01/busybox telnetd -l /bin/sh &) and try telnetting to its IP.
@jjsmisbye the comments from @russinnes are valid but I wrote guino/BazzDoorbell#12 for the 2.9.x bootloader and I did not try it on 2.7.x hardware to verify if it would work. Just as guino/BazzDoorbell#11 required different commands to read 2.7.x hardware I assume that different commands would also be required to write 2.7.x firmware. The main question is why would you want to run 2.7.3 firmware instead of 2.7.6 which is fully working now. I would be uncomfortable testing the 2.7.x flash write process without a hot-air-soldering-gun to remove the flash chip (properly) and be able to restore it in case I did something wrong. As I don't do a lot of soldering work with SMD chips it doesn't justify buying $90 worth of equipment to use every now and then.
Thanks for your answers @guino and @russinnes. I guess I'm mostly interested in the upgrade process, trying to map out what and how things happen. How the upgrade file is packaged, etc. I managed to also grab a copy of an upgrade file through some hooking on the phone app. I'm digging around with ghidra and trying to figure some things. This is an extra camera that I got for dirt cheap on sale so I won't cry if I brick it in the end but I'd rather not if I can help it because I'm enjoying spending time reversing this stuff. The flashing process/bootloaders are kind of outside of my wheelhouse a bit unfortunately.
Seeing that the versions in the above comment matched the ones on my mini7c I was hopeful that this process would be as simple as the process for guino/BazzDoorbell#11 was. I backed up my flash and then made sure it was all good before proceeding with the upgrade and now I was hoping to be able to repeat the upgrade process. Any help, hints, pointers would be appreciated.
@jjsmisbye having the 2.7.3 flash as a backup is always a good idea. If you by any chance 'brick' the device you can use a hardware programmer or the UART to restore the flash backup -- both processes will require opening and soldering work to make it work but would restore operation of the firmware in case it got bricked. If you do connect the UART and want to play with that I can give you some pointers/commands to execute so we know what's missing but my very best guess is that your ppsMmcTool.txt would have to look like this (should not need the env file):
(and do NOT forget to add a new line character at the end of the line + 0x00 character at the end of the file) Additionally I would make sure the flash.bin file is exactly 8Mb in size as the instructions I provided grab a 16Mb file by default for devices with 16Mb flash and who knows if the bootloader/hardware would be ok with loading a 16Mb file into memory. Again, I am just trying to be helpful but it's not something I would do without being willing to open the device and do the soldering work in case I bricked it. If you think it may be helpful you can send me an email and I can send you a copy of the upgrade file and the log I got during the upgrade process.
So good news/bad news. I tried Binwalk of original dump flash.bin of 2.7.3 using issue #11: (Looks fine and extracts well so I used this file to try to downgrade)
Binwalk after downgrade attempt from 2.7.6 to 2.7.3 through flash write using issue#12, then dumped again using issue #11: The CRCs were off, the date was wrong and the size of the data was wrong in the uImage header. A number of other odd entries popped up also. The cramfs looks off also. Obviously does not look good and produces sad results on extraction. e.g. The app.tar.gz is 0 bytes long
After spending a few days in this state trying various things I pushed the upgrade file that I downloaded from the phone app side after renaming it to upgrade.bin and I was finally able to boot back into 2.7.6.
So I think I may have stumbled on a way to do my downgrade using the sdcard and a repackaged upgrade file. I'll probably keep digging through that angle unless you have some other suggestions for the flash write method. Thanks for the help, I'll email you soon about the upgrade stuff and some other tidbits if the offer still stands. Cheers!
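The symptoms reported in the comment above (CRCs off, wrong date and wrong data size in the uImage header) can be checked directly on a dump before it is written back. This is an added example, not code from this thread or from the project: it scans a flash dump for legacy U-Boot uImage headers and verifies the header CRC, the declared size and the data CRC. The function names are hypothetical and `build_sample` produces constructed test data, not real firmware.

```python
import re
import struct
import zlib
from datetime import datetime, timezone

MAGIC = b"\x27\x05\x19\x56"      # legacy U-Boot uImage magic
HDR = struct.Struct(">7I4B32s")  # 64-byte big-endian header


def check_uimage(blob, off):
    """Verify the legacy uImage header found at `off` in a flash dump."""
    raw = blob[off:off + HDR.size]
    if len(raw) < HDR.size or raw[:4] != MAGIC:
        return None
    _, hcrc, ts, size, _load, _entry, dcrc, *_ids, name = HDR.unpack(raw)
    # The header CRC is calculated with the ih_hcrc field set to zero.
    hcrc_ok = zlib.crc32(raw[:4] + b"\0" * 4 + raw[8:]) == hcrc
    data = blob[off + HDR.size:off + HDR.size + size]
    fits = len(data) == size     # declared size must lie inside the dump
    return {
        "offset": off,
        "name": name.rstrip(b"\0").decode("ascii", "replace"),
        "created": datetime.fromtimestamp(ts, timezone.utc).isoformat(),
        "size": size,
        "header_crc_ok": hcrc_ok,
        "size_ok": fits,
        "data_crc_ok": fits and zlib.crc32(data) == dcrc,
    }


def scan(blob):
    """Check every position where the uImage magic occurs in the dump."""
    hits = (check_uimage(blob, m.start())
            for m in re.finditer(re.escape(MAGIC), blob))
    return [h for h in hits if h]


def build_sample(payload, ts=1600000000):
    """Constructed uImage header for `payload` (test data, not firmware)."""
    fields = [0x27051956, 0, ts, len(payload), 0x80008000, 0x80008000,
              zlib.crc32(payload), 5, 2, 2, 0, b"constructed-kernel"]
    fields[1] = zlib.crc32(HDR.pack(*fields))
    return HDR.pack(*fields)


if __name__ == "__main__":
    body = b"\xAA" * 4096                      # constructed payload
    dump = b"\xff" * 256 + build_sample(body) + body[:-1]  # truncated write
    for result in scan(dump):
        print(result)
```

A dump whose headers all report `header_crc_ok`, `size_ok` and `data_crc_ok` as true matches what the bootloader itself checks before booting the image; any false value on a fresh read-back means the write did not land intact.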
@jjsmisbye Well I am glad you didn't brick your camera, I mean, technically you did but got it restored. If you do figure out the upgrade.bin format that would be a good way to apply the hack to the cramfs without putting the bootloader in danger -- hopefully without requiring specifics of the device format (like partition sizes and such)? Additionally this would allow the hack to work without an SD card for those that just want RTSP and nothing else.
@guino - 2.7.6 came out today - and won't allow video stream in the app(s) until it is updated.
The new ppsapp is similar to the last update I posted for the v2.10.x firmware for other cameras, they closed up port 80 on this one as well.
Good news - if the hack is already applied, everything still works fine. I have yet to patch the new 2.7.6 app but booting from SD {and thus launching busybox etc} is still running fine.
I will patch it shortly and update as needed.
attached 2.7.6
--deleted--