Hacking a cheap IP camera

kmcgurty

Hi Everyone,

Apologies if this is the wrong place to make this thread, but I am at a loss for where to go next. I purchased a cheap IP camera from Amazon. It goes by the name of "JideTech IP Security Camera." The video quality is decent for the price, but that's beside my goal.

Software:

My initial impression of this thing is it's very insecure. Nmap shows 11 ports that are open. I very much would like to get shell access so I can A) mess around with it more than intended and B) actually close these ports and services so it's not so insecure. I'll go down the list and explain everything that I have found/tried.

  • Port 23: Telnet is hosted on this port, when you try connecting you get a prompt that says "ipc login:." I've tried all of the common user/pass combos that I can think of, including the ones that Mirai use.
  • Port 80: The web interface is hosted here, with the default login of admin:admin. The webpage astonishingly uses ActiveX in order for you to view the stream, it literally only works on Internet Explorer, which is just insane to me. I've tried finding pages/fields to perform remote code execution, but I haven't had any luck. I can expand on this more if anyone thinks it would be helpful.
  • Ports 554, 8999, 90, and 8088 are listed here in the web interface. I have no clue what ports 90, and 8088 do, the manual says nothing about them.
  • Port 8000: Nmap shows the service is "Hikvision IPCam control port." I haven't been able to prove that, and so far everything I do to try and interact with it does nothing.
  • Port 10081: Is some sort of web service? I try connecting through the browser and it brings up a 404 error, and netcat pulls a 400 error.
  • Port 20203: I have no clue. netcat does nothing when I interact with it.
  • Port 34567: No clue, I think someone was bored and hit numbers on their keyboard.
  • Port 49000: Again, no clue.

If anyone is able to guide me to find out what these ports are or suggest anything I haven't tried I would love you forever.

Hardware:

This is where the scope of my knowledge isn't very strong. At least as far as hacking via UART/JTAG ports and the like.

There are no USB ports or any other way to interface with the unit, other than over the network.

I've attached a bunch of pictures of the boards inside the unit.

Board 1 - front
  • The pins labeled "VCC USB GND" were interesting at first, so I connected a USB wire to them, plugged them into my Windows PC with the camera powered, and nothing appeared in device manager. I'm not sure how USB is supposed to work when it comes to voltages, but I would assume it would at least appear in device manager? I can try this again, nothing was soldered, just me holding the wires against the connections with my fingers.
  • The 3 pins in the lower left appear to be a UART port at first glance, but both of the first 2 pins are powered at 3.3v, no fluctuation. From what I understand, if it's a Tx/Rx, one of them would be unpowered, and the other would fluctuate in voltage.
  • The processor is labeled as "HI3516" - Google tells me that's a HiSilicon processor.
  • The chip labeled PPT is some sort of network transformer? I don't know why it would need a transformer when there already is a power supply.
Board 1 - back
  • I think the BoyaMicro 25Q64ASSIG chip on the left is the ROM? If I could potentially extract the firmware and get the telnet password, I think this would be the best route, but I'm not sure what I would need in order to do that.
  • I have no clue what the CHMC chip is.
Board 2 - front & back
  • Unless I'm missing something, this board doesn't seem interesting. It appears to just be the power supply for power over ethernet.
I tried emailing the company for a copy of the firmware, but they wouldn't give it up. I even edited the HTML of the version number and they said there wasn't a firmware update (???). They also wouldn't provide the default Telnet password, unsurprisingly.

I think that's everything I've been able to come up with so far. There is very little about this brand online, so if anyone is able to maybe guide me or provide any other information, I would be forever grateful.

Thank you
 


As an Amazon Associate IPCamTalk earns from qualifying purchases.

pozzello

My guess would be that the 4 pads (starting with the square one) are the serial connections. Try connecting a UART adapter there (not USB) and fire up a terminal program (like PuTTY on Windows). You'll only need 3 wires, typically black to ground (already labelled for you), white and green will be your rx/tx, probably the first two on the other end. You can't damage anything probing, so just check all the permutations till you get data as it boots up. Then there's most likely a keystroke to interrupt the linux boot and get you into the Uboot 'shell'. Serial access will be your best bet to explore...
 

kmcgurty

If I purchased this with some alligator clips, you reckon that would be good enough? Also which 4 pads are you referring to? The ones labeled USB?
 

alastairstevenson

It sounds like you are going to have some fun!
This sort of thing can be quite absorbing, and obsessive.

> Port 8000: Nmap shows the service is "Hikvision IPCam control port." I haven't been able to prove that, and so far everything I do to try and interact with it does nothing.
Many of the non-main-brand cameras these days have a 'hikserver' daemon that gives a subset of Hikvision API compatibility.
See if Hikvision's SADP tool will find the camera.

> Port 34567: No clue, I think someone was bored and hit numbers on their keyboard.
That's the XMeye 'command and control' port, the equivalent of Hikvision's port 8000.

> The pins labeled "VCC USB GND" were interesting at first, so I connected a USB wire to them, plugged them into my Windows PC with the camera powered, and nothing appeared in device manager. I'm not sure how USB is supposed to work when it comes to voltages, but I would assume it would at least appear in device manager? I can try this again, nothing was soldered, just me holding the wires against the connections with my fingers.
This is to connect a USB device to the camera - not make the camera appear to be a USB device when connected to a PC.

> The 3 pins in the lower left appear to be a UART port at first glance, but both of the first 2 pins are powered at 3.3v, no fluctuation.
RX when not connected will have an internal pullup to 3.3v.
TX when idle will stay at 3.3v and will see most activity during startup.
Some firmware is chatty when running - some is pretty quiet, so TX staying at 3.3v with a multimeter is normal enough.

> I've tried all of the common user/pass combos that I can think of, including the ones that Mirai use.
You've probably covered quite a lot of ground then.
Presumably including
xmipc
xc3511
helpme
ls123
ls5.1.51
antslq
vizxz

> The chip labeled PPT is some sort of network transformer? I don't know why it would need a transformer when there already is a power supply.
That's the standard ethernet signal isolating transformer that all devices with an ethernet interface have.

> I think that's everything I've been able to come up with so far.
A screenshot of the login page and the web GUI would likely confirm what brand of firmware it's running.
I'd guess most likely to be Xiongmaitech.
But might be HeroSpeed.
Once you connect to the serial console you will likely have full access to a root shell, from which anything is possible.

> I think the BoyaMicro 25Q64ASSIG chip on the left is the ROM? If I could potentially extract the firmware and get the telnet password, I think this would be the best route, but I'm not sure what I would need in order to do that.
That would be easy enough to do, probably even with an 'in-situ' read.
You need a couple of items, both widely available and cheap -
An 8-pin SOIC 'test clip'.
A CH341A flash programmer.
There's a selection of apps that work with these, but there is good support now in 'flashrom' which is quite a comprehensive program.

> If I purchased this with some alligator clips, you reckon that would be good enough?
Either that or (cheaper) a PL2303TA-based serial TTL to USB converter.
And you just need to poke some suitably-sized wires into the PCB pads to make contact.
 

kmcgurty

You are an absolute legend. You've given me a lot of information to read up on, and yes this absolutely is consuming. It's all I've done for the past 4 days lol. I will definitely come back with an update after I've had some time to try more things and get the appropriate equipment. Thank you!
 

pozzello

For cross-reference, one of my 'birdhouse' cams has that UI, as indicated by the rather generic "Megapixel IP Camera" logo.
I got it to check out the IMX385 sensor with 6mm CS lens.
Purchased here: "US $89.0 | CCDCAM 2MP H.265 Star Light Camera 1/2 inch Sony CMOS IMX385 Sensor 2 Megapixel H.265 IP Camera Module Double Boards" - AliExpress

But I have yet to find any need to poke at it any further. As for security, my router is set up to not let any of the cams reach the internet, or vice-versa.
So the extra open ports are not a (direct) attack vector... I also try to make sure any/all PnP/platform/cloud services are disabled in the Cams' UI, for good measure.
 

pozzello

here's the console output from my generic cam module as it boots up:

System startup


U-Boot 2010.06 (Dec 26 2017 - 02:29:36)

Check Flash Memory Controller v100 ... Found
SPI Nor(cs 0) ID: 0xc2 0x20 0x18
Block:64KB Chip:16MB Name:"MX25L128XX"
SPI Nor total size: 16MB
MMC:
EMMC/MMC/SD controller initialization.
Card did not respond to voltage select!
No EMMC/MMC/SD device found !
In: serial
Out: serial
Err: serial
Hit any key to stop autoboot: 0
16384 KiB hi_fmc at 0:0 is now current device

## Booting kernel from Legacy Image at 82000000 ...
Image Name: Linux-3.18.20
Image Type: ARM Linux Kernel Image (uncompressed)
Data Size: 2035426 Bytes = 1.9 MiB
Load Address: 80008000
Entry Point: 80008000
Loading Kernel Image ... OK
OK

Starting kernel ...

Booting Linux on physical CPU 0x0
Initializing cgroup subsys cpu
Linux version 3.18.20 (root@justin) (gcc version 4.9.4 20150629 (prerelease) (Hisilicon_v500_20170922) ) #3 SMP Thu Jan 17 03:16:17 PST 2019
CPU: ARMv7 Processor [410fc075] revision 5 (ARMv7), cr=10c5387d
CPU: PIPT / VIPT nonaliasing data cache, VIPT aliasing instruction cache
Machine model: Hisilicon HI3516AV200 DEMO Board
cmz zone is not set!
cma: Reserved 16 MiB at 0x8b000000
Memory policy: Data cache writealloc
PERCPU: Embedded 9 pages/cpu @cae4e000 s7424 r8192 d21248 u36864
Built 1 zonelists in Zone order, mobility grouping on. Total pages: 48768
Kernel command line: mem=192M console=ttyAMA0,115200 root=/dev/mtdblock2 rootfstype=jffs2 rw mtdparts=hi_sfc:512K(boot),2M(kernel),3584K(rootfs),10M(param)
PID hash table entries: 1024 (order: 0, 4096 bytes)
Dentry cache hash table entries: 32768 (order: 5, 131072 bytes)
Inode-cache hash table entries: 16384 (order: 4, 65536 bytes)
Memory: 172660K/196608K available (3867K kernel code, 167K rwdata, 1048K rodata, 208K init, 302K bss, 23948K reserved, 0K highmem)
Virtual kernel memory layout:
vector : 0xffff0000 - 0xffff1000 ( 4 kB)
fixmap : 0xffc00000 - 0xffe00000 (2048 kB)
vmalloc : 0xcc800000 - 0xff000000 ( 808 MB)
lowmem : 0xc0000000 - 0xcc000000 ( 192 MB)
pkmap : 0xbfe00000 - 0xc0000000 ( 2 MB)
modules : 0xbf000000 - 0xbfe00000 ( 14 MB)
.text : 0xc0008000 - 0xc04d51d4 (4917 kB)
.init : 0xc04d6000 - 0xc050a000 ( 208 kB)
.data : 0xc050a000 - 0xc0533d00 ( 168 kB)
.bss : 0xc0533d00 - 0xc057f58c ( 303 kB)
SLUB: HWalign=64, Order=0-3, MinObjects=0, CPUs=2, Nodes=1
Hierarchical RCU implementation.
RCU restricting CPUs from NR_CPUS=4 to nr_cpu_ids=2.
RCU: Adjusting geometry for rcu_fanout_leaf=16, nr_cpu_ids=2
NR_IRQS:16 nr_irqs:16 16
Architected cp15 timer(s) running at 24.00MHz (phys).
sched_clock: 56 bits at 24MHz, resolution 41ns, wraps every 2863311519744ns
Switching to timer-based delay loop, resolution 41ns
Console: colour dummy device 80x30
Calibrating delay loop (skipped), value calculated using timer frequency.. 48.00 BogoMIPS (lpj=240000)
pid_max: default: 32768 minimum: 301
Mount-cache hash table entries: 1024 (order: 0, 4096 bytes)
Mountpoint-cache hash table entries: 1024 (order: 0, 4096 bytes)
CPU: Testing write buffer coherency: ok
CPU0: thread -1, cpu 0, socket 0, mpidr 80000000
Setting up static identity map for 0x803b0fe0 - 0x803b1038
ARM CCI driver probed
CPU1: Booted secondary processor
CPU1: thread -1, cpu 0, socket 1, mpidr 80000100
Brought up 2 CPUs
SMP: Total of 2 processors activated (96.00 BogoMIPS).
CPU: All CPU(s) started in SVC mode.
devtmpfs: initialized
VFP support v0.3: implementor 41 architecture 2 part 30 variant 7 rev 5
regulator-dummy: no parameters
NET: Registered protocol family 16
DMA: preallocated 256 KiB pool for atomic coherent allocations
cpuidle: using governor ladder
cpuidle: using governor menu
Serial: AMBA PL011 UART driver
12100000.uart: ttyAMA0 at MMIO 0x12100000 (irq = 36, base_baud = 0) is a PL011 rev2
console [ttyAMA0] enabled
12101000.uart: ttyAMA1 at MMIO 0x12101000 (irq = 37, base_baud = 0) is a PL011 rev2
12102000.uart: ttyAMA2 at MMIO 0x12102000 (irq = 38, base_baud = 0) is a PL011 rev2
12103000.uart: ttyAMA3 at MMIO 0x12103000 (irq = 39, base_baud = 0) is a PL011 rev2
12104000.uart: ttyAMA4 at MMIO 0x12104000 (irq = 40, base_baud = 0) is a PL011 rev2
SCSI subsystem initialized
ssp-pl022 12120000.spi: ARM PL022 driver, device ID: 0x00800022
ssp-pl022 12120000.spi: mapped registers from 0x12120000 to fea20000
ssp-pl022 12121000.spi: ARM PL022 driver, device ID: 0x00800022
ssp-pl022 12121000.spi: mapped registers from 0x12121000 to fea21000
ssp-pl022 12122000.spi: ARM PL022 driver, device ID: 0x00800022
ssp-pl022 12122000.spi: mapped registers from 0x12122000 to fea22000
ssp-pl022 12123000.spi: ARM PL022 driver, device ID: 0x00800022
ssp-pl022 12123000.spi: mapped registers from 0x12123000 to fea23000
usbcore: registered new interface driver usbfs
usbcore: registered new interface driver hub
usbcore: registered new device driver usb
cfg80211: Calling CRDA to update world regulatory domain
Switched to clocksource arch_sys_counter
NET: Registered protocol family 2
TCP established hash table entries: 2048 (order: 1, 8192 bytes)
TCP bind hash table entries: 2048 (order: 2, 16384 bytes)
TCP: Hash tables configured (established 2048 bind 2048)
TCP: reno registered
UDP hash table entries: 256 (order: 1, 8192 bytes)
UDP-Lite hash table entries: 256 (order: 1, 8192 bytes)
NET: Registered protocol family 1
RPC: Registered named UNIX socket transport module.
RPC: Registered udp transport module.
RPC: Registered tcp transport module.
RPC: Registered tcp NFSv4.1 backchannel transport module.
futex hash table entries: 512 (order: 3, 32768 bytes)
squashfs: version 4.0 (2009/01/31) Phillip Lougher
jffs2: version 2.2. (NAND) © 2001-2006 Red Hat, Inc.
msgmni has been set to 337
Block layer SCSI generic (bsg) driver version 0.4 loaded (major 254)
io scheduler noop registered
io scheduler deadline registered (default)
io scheduler cfq registered
pl061_gpio 12140000.gpio_chip: PL061 GPIO chip @0x12140000 registered
pl061_gpio 12141000.gpio_chip: PL061 GPIO chip @0x12141000 registered
pl061_gpio 12142000.gpio_chip: PL061 GPIO chip @0x12142000 registered
pl061_gpio 12143000.gpio_chip: PL061 GPIO chip @0x12143000 registered
pl061_gpio 12144000.gpio_chip: PL061 GPIO chip @0x12144000 registered
pl061_gpio 12145000.gpio_chip: PL061 GPIO chip @0x12145000 registered
pl061_gpio 12146000.gpio_chip: PL061 GPIO chip @0x12146000 registered
pl061_gpio 12147000.gpio_chip: PL061 GPIO chip @0x12147000 registered
pl061_gpio 12148000.gpio_chip: PL061 GPIO chip @0x12148000 registered
pl061_gpio 12149000.gpio_chip: PL061 GPIO chip @0x12149000 registered
pl061_gpio 1214a000.gpio_chip: PL061 GPIO chip @0x1214a000 registered
pl061_gpio 1214b000.gpio_chip: PL061 GPIO chip @0x1214b000 registered
pl061_gpio 1214c000.gpio_chip: PL061 GPIO chip @0x1214c000 registered
pl061_gpio 1214d000.gpio_chip: PL061 GPIO chip @0x1214d000 registered
pl061_gpio 1214e000.gpio_chip: PL061 GPIO chip @0x1214e000 registered
pl061_gpio 12150000.gpio_chip: PL061 GPIO chip @0x12150000 registered
brd: module loaded
hisi-sfc hisi_spi_nor.0: all blocks is unlocked.
hisi-sfc hisi_spi_nor.0: mx25l12806e (16384 Kbytes)
4 cmdlinepart partitions found on MTD device hi_sfc
4 cmdlinepart partitions found on MTD device hi_sfc
Creating 4 MTD partitions on "hi_sfc":
0x000000000000-0x000000080000 : "boot"
0x000000080000-0x000000280000 : "kernel"
0x000000280000-0x000000600000 : "rootfs"
0x000000600000-0x000001000000 : "param"
libphy: hisi_gemac_mii_bus: probed
hi_gmac_v200 10050000.ethernet (unnamed net_device) (uninitialized): using random MAC address 2a:b3:f5:55:b4:cb
attached PHY 1 to driver Generic PHY, PHY_ID=0x2430c54
higmac: ETH MAC supporte CCI.
Higmac dma_sg_phy: 0x8aac0000
ETH: rmii, phy_addr=1
xhci-hcd 10180000.xhci: xHCI Host Controller
xhci-hcd 10180000.xhci: new USB bus registered, assigned bus number 1
xhci-hcd 10180000.xhci: irq 54, io mem 0x10180000
hub 1-0:1.0: USB hub found
hub 1-0:1.0: 1 port detected
xhci-hcd 10180000.xhci: xHCI Host Controller
xhci-hcd 10180000.xhci: new USB bus registered, assigned bus number 2
hub 2-0:1.0: USB hub found
hub 2-0:1.0: 1 port detected
ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
ehci-platform: EHCI generic platform driver
ehci-platform 10120000.ehci: EHCI Host Controller
ehci-platform 10120000.ehci: new USB bus registered, assigned bus number 3
ehci-platform 10120000.ehci: irq 51, io mem 0x10120000
ehci-platform 10120000.ehci: USB 2.0 started, EHCI 1.00
hub 3-0:1.0: USB hub found
hub 3-0:1.0: 1 port detected
ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver
ohci-platform: OHCI generic platform driver
ohci-platform 10110000.ohci: Generic Platform OHCI controller
ohci-platform 10110000.ohci: new USB bus registered, assigned bus number 4
ohci-platform 10110000.ohci: irq 52, io mem 0x10110000
hub 4-0:1.0: USB hub found
hub 4-0:1.0: 1 port detected
usbcore: registered new interface driver usb-storage
mousedev: PS/2 mouse device common for all mice
i2c /dev entries driver
hisi-i2c-v110 12110000.i2c: HISILICON I2C V110 bus driver
hisi-i2c-v110 12110000.i2c: mapped registers from 0x12110000 to 0xfea10000
hisi-i2c-v110 12111000.i2c: HISILICON I2C V110 bus driver
hisi-i2c-v110 12111000.i2c: mapped registers from 0x12111000 to 0xfea11000
hisi-i2c-v110 12112000.i2c: HISILICON I2C V110 bus driver
hisi-i2c-v110 12112000.i2c: mapped registers from 0x12112000 to 0xfea12000
hisi-i2c-v110 12113000.i2c: HISILICON I2C V110 bus driver
hisi-i2c-v110 12113000.i2c: mapped registers from 0x12113000 to 0xfea13000
CPUidle for CPU1 registered
himci: mmc host probe
himci: mmc host probe
himci: mmc host probe
usbcore: registered new interface driver usbhid
usbhid: USB HID core driver
TCP: cubic registered
NET: Registered protocol family 17
bridge: automatic filtering via arp/ip/ip6tables has been deprecated. Update your scripts to load br_netfilter if you need this.
Registering SWP/SWPB emulation handler
VFS: Mounted root (jffs2 filesystem) on device 31:2.
devtmpfs: mounted
Freeing unused kernel memory: 208K (c04d6000 - c050a000)
random: init urandom read with 0 bits of entropy available

_ _ _ _ _ _ _ _ _ _ _ _
\ _ _ _ _ _ ___
/ /__/ \ |_/
/ __ / - _ ___
/ / / / / /
_ _ _ / / / \/ \_ __
\\


[RCS]: /etc/init.d/S00devs
mount ro fs
mount rw fs

[RCS]: /etc/init.d/S01udev
[RCS]: /etc/init.d/S08network
[RCS]: /etc/init.d/S80mounts
mount param fs
brw------- 1 root root 31, 0 Jan 1 00:00 /dev/mtdblock0
brw------- 1 root root 31, 1 Jan 1 00:00 /dev/mtdblock1
brw------- 1 root root 31, 2 Jan 1 00:00 /dev/mtdblock2
brw------- 1 root root 31, 3 Jan 1 00:00 /dev/mtdblock3
romfs has mounted
[RCS]: /etc/init.d/S90decompress
hi_gmac_v200 10050000.ethernet eth0: Link is Up - 100Mbps/Full - flow control rx/tx
real 0m 2.89s
user 0m 1.59s
sys 0m 1.25s
Server files is good
cp: can't stat '/mnt/flash/Server/deviceid.txt': No such file or directory
[RCS]: /etc/init.d/S90hibernate

HI3519V101 login: =================== check usbdev inserted ===================
=================== check sensor type ===================
======== TOTAL[512] OSMEM[192] ========
mmz_start: 0x8c000000, mmz_size: 320M
Module himedia: init ok
Hisilicon Media Memory Zone Manager
The module param setup_allocator is hisi
hi_osal 1.0 init success!
hiwtdg init ok. ver=Dec 27 2017, 19:08:45.
hi3519v101_base: module license 'Proprietary' taints kernel.
Disabling lock debugging due to kernel taint
load sys.ko for Hi3519V101...OK!
load tde.ko ...OK!
load region.ko for Hi3519V101...OK!
load fisheye.ko for Hi3519V101...OK!
load vgs.ko for Hi3519V101...OK!
ISP Mod init!
load viu.ko for Hi3519V101...OK!
load vpss.ko for Hi3519V101...OK!
load vou.ko for Hi3519V101...OK!
load hifb.ko OK!
load rc.ko ...OK!
load venc.ko ...OK!
load chnl.ko for Hi3519V101...OK!
load vedu.ko ...OK!
load h264e.ko ...OK!
load h265e.ko ...OK!
load jpege.ko ...OK!
load ive.ko for Hi3519V101...OK!
load hi_sensor_i2c.ko OK!!
load hi_pwm.ko OK!!
load hi_piris.ko OK!!
exFAT: Version 1.2.9
===kernel=== adc device init finished!
hi3519v101 gpio driver init finished!
Hi3519V101 GpioI2C Init.
/
* Board tools : ver0.0.1_20121120 *
[debug]: {source/utils/cmdshell.c:161}cmdstr:himm
0x12040190: 0x00000000 --> 0x00000002
[END]
* Board tools : ver0.0.1_20121120 *
[debug]: {source/utils/cmdshell.c:161}cmdstr:himm
0x1204018c: 0x00000000 --> 0x00000002
[END]
* Board tools : ver0.0.1_20121120 *
[debug]: {source/utils/cmdshell.c:161}cmdstr:himm
0x1204099c: 0x00000170 --> 0x00000120
[END]
* Board tools : ver0.0.1_20121120 *
[debug]: {source/utils/cmdshell.c:161}cmdstr:himm
0x12040998: 0x00000170 --> 0x00000120
[END]
Got Sensor Type : IMX385
load ai.ko OK!
load ao.ko OK!
load aenc.ko OK!
load adec.ko OK!
load acodec.ko for Hi3519V101...OK!
load hi_mipi driver successful!
load hi_user.ko ...OK!
* Board tools : ver0.0.1_20121120 *
[debug]: {source/utils/cmdshell.c:161}cmdstr:himm
0x1201004c: 0x00000000 --> 0x00094421
[END]
* Board tools : ver0.0.1_20121120 *
[debug]: {source/utils/cmdshell.c:161}cmdstr:himm
0x12010054: 0x00000000 --> 0x00004041
[END]
* Board tools : ver0.0.1_20121120 *
[debug]: {source/utils/cmdshell.c:161}cmdstr:himm
0x12010040: 0x00000018 --> 0x00000018
[END]
* Board tools : ver0.0.1_20121120 *
[debug]: {source/utils/cmdshell.c:161}cmdstr:himm
0x12040190: 0x00000002 --> 0x00000002
[END]
* Board tools : ver0.0.1_20121120 *
[debug]: {source/utils/cmdshell.c:161}cmdstr:himm
0x1204018c: 0x00000002 --> 0x00000002
[END]
* Board tools : ver0.0.1_20121120 *
[debug]: {source/utils/cmdshell.c:161}cmdstr:himm
0x1204099c: 0x00000120 --> 0x00000120
[END]
* Board tools : ver0.0.1_20121120 *
[debug]: {source/utils/cmdshell.c:161}cmdstr:himm
0x12040998: 0x00000120 --> 0x00000120
[END]
* Board tools : ver0.0.1_20121120 *
[debug]: {source/utils/cmdshell.c:161}cmdstr:himm
0x12040184: 0x00000001 --> 0x00000001
[END]
* Board tools : ver0.0.1_20121120 *
[debug]: {source/utils/cmdshell.c:161}cmdstr:himm
0x12040188: 0x00000001 --> 0x00000001
[END]
* Board tools : ver0.0.1_20121120 *
[debug]: {source/utils/cmdshell.c:161}cmdstr:himm
0x12040010: 0x00000002 --> 0x00000002
[END]
* Board tools : ver0.0.1_20121120 *
[debug]: {source/utils/cmdshell.c:161}cmdstr:himm
0x12040014: 0x00000002 --> 0x00000002
[END]
* Board tools : ver0.0.1_20121120 *
[debug]: {source/utils/cmdshell.c:161}cmdstr:himm
0x12010044: 0x00000004 --> 0x00004FF0
[END]
==== Your input Sensor0 type is imx385 ====
==== Your input Sensor1 type is NULL ====
/

hi3518e = 0, hi3516a_board = 0, hi3518ev200 = 0, hi3516cv300 = 0, hi3519V101 = 2
gk7102 = 0
gk7101 = 0
hi3516cv100 = 0
mstar = 0
isvptx0 = 0
ICEtype = 0

device type is V6202IR-IMX385
_HisiTypeCheck multiple = 0
_HisiTypeCheck g_Product_Type: 2 g_Product_Index: 2 Hisi_Type: 1
shared memory size 16
shared memory id:0
ICP204_ChipID_Check____Failure [0x48,0x4b,0x43,0x56,0x01,0x00,0x00]__
ICP204_ChipID_Check____Success__
ICP204_Decryption_Process__start
ICP204_Decryption_Process__compute cipher text
ICP204_Decryption_Process__compute odd check bits
ICP204_Decryption_Process__compute odd check bits
ICP204_Decryption_Process__set parity
ICP204_Decryption_Process__start sw2001 aes decrypt
ICP204_Decryption_Process__wait for sw2001 decrypt complete
ICP204_Decryption_Process__read decrypt result back

verify success!
ICP204____Success__
Open hi_i2c error!
check /mnt/flash/data/NetInfo info success .
dhcp enable = 0
get sensor IMX385
_init_sensor_type sensor type is 12 sensset mipi phy attr successful!
or num is -1

hi3518e = 0, hi3516a_board = 0, hi3518ev200 = 0, hi3516cv300 = 0, hi3519V101 = 2
gk7102 = 0
gk7101 = 0
hi3516cv100 = 0
mstar = 0
isvptx0 = 0
ICEtype = 0

sdk_app : h265[major,minor] = [0,0], wdr_mode = 0, full_60fps = 0
ICR_TYPE = 0
_mw_sysParams_init line 852 GetPicSize width: 1920 hight: 1080
_mw_sysParams_init line 959 GetPicSize width: 640 hight: 480
_mw_sysParams_init line 1037 GetPicSize width: 1280 hight: 720
bufid :0 key :0x142c7a1 shared memory size 5242892
shared memory id:32769
semid :0
semnum has not been set yet,key :21153697
bufid :1 key :0x23e53e1 shared memory size 1048588
shared memory id:65538
semid :32769
semnum has not been set yet,key :37639137
bufid :2 key :0x345de78 shared memory size 4194316
shared memory id:98307
semid :65538
semnum has not been set yet,key :54910584
bufid :5 key :0x61a3253 shared memory size 262156
shared memory id:131076
semid :98307
semnum has not been set yet,key :102380115
shared memory size 1560
shared memory id:163845
shared memory size 20
shared memory id:196614
SAMPLE_COMM_SYS_Init OK!
SAMPLE_COMM_VI_StartVi enViMode: 12
SAMPLE_COMM_VI_StartIspAndVi enViMode: 12
============= MipiDev 0, SetMipiAttr enWDRMode: 0
SAMPLE_COMM_ISP_Sensor_Regiter_callback isp_dev = 0
Func: SAMPLE_COMM_ISP_Init, Line: 700, WDR Mode: 0
stPubAttr (0, 0, 1920, 1080, 25.000000)
linear mode
-------Sony IMX385 Sensor 1080p30 Initial OK!-------
Func: SAMPLE_COMM_ISP_Init, Line: 725 end IspDev:0.
ISP Dev 0 HI_MPI_ISP_Run
SAMPLE_COMM_VI_StartVi Main Sensor OK!
vi width = 1920 hight = 1080
Create Group OK !!!!!!
cvbs type:1, sync:0
u32Width:720, u32Square:1
mw_start_hdmi OK !!!
audioEnable=0, audioFormat=0, audioInput=0
process_client_request start
thread_autoicr Start
hisi chip 35190101
device type is V6202IR-IMX385
WIFI OFF

hi3518e = 0, hi3516a_board = 0, hi3518ev200 = 0, hi3516cv300 = 0, hi3519V101 = 2
gk7102 = 0
gk7101 = 0
hi3516cv100 = 0
mstar = 0
isvptx0 = 0
ICEtype = 0


gSelfAlgType= 0 hisi_ir_flag= 0 gOnlyNetCtrl= 0

____gHardwareversion: 1
rtc: fail while hi3518_get_chip_time!
rtc: fail while hi3518_get_chip_time!
rtc: fail while hi3518_get_chip_time!

got time from RTC: 0
sha_ok is sha_ok
!!!!!! APP : sha_204 check passed !!!!!!
== IR module will not be called in the device. ==
== prepared zoom lens will not be used ==
== prepared zoom lens will not be used ==

=== get device_type:1, device_af:0, device_ir:0, lens_type:4 sensor_type:1 ===

Alarm_In_Num = 2 , Alarm_Out_Num = 1
output IO 28
input IO 30
input IO 29
hiapp audioEnable 0, audioFormat 0, audioInput 0, audioSampleRate 8000
get /mnt/flash/data/SysRebootInfo info failure .
get /mnt/flash/data/AFMoveInfo info failure .
default Zoomspeed 4, iMultiple 0
get /mnt/flash/data/AFMoveInfo info failure .


------buf=HANKVISION : HANKVISION : 6
------



------buf=admin :<password-obscured> : 6
------

Fun:FunInitSystem Line:429 Initialize SysParamInit OK.
!!!!!!ntp timezone change :timezone=4 daylight=1
dhcp flg = 0
dhcp_enable = 0
static IP enabled~~~~~~~~

ip_mask_cfg.ipaddr = 4900a8c0, ip_mask_cfg.netmask = 00ffffff

gw= 0100a8c0, ip_mask_cfg.netmask = 00ffffff
A = 0000a8c0
B = 0000a8c0
------DDNS_config_params
set_setstat
ntpconfig : ip:192.168.0.1
time: 23:59:00
interval:6
enable:1
Fun:FunInitSystem Line:434 [NetParmInit] is OKOKOL.

Action_Record_Set_ManualEnable : stop
======== we are going to init share buff ========
Fun:FunInitSystem Line:445 [InitShBuf] is OKOKOL.


@@@@@@@@@@RS485 /dev/ttyAMA1 BaudRate=2@@@@@@@@@@@@@@@@@

Set Serial Speed : 9600
Set Serial Speed : 9600
One usart will be used.
Fun:FunInitSystem Line:449 [Init_Usart] is OKOKOL.
NetAccess is 1
init alarm module ok!
TH_ProcessAlarm creat ok!
TH_AlarmFromTrigger creat ok!
TH_RecvAN creat ok!
hisi test : mw_server pid = 439
===== Thread_ShareFD thread create =====

======== msgmanage thread start ========

======== msgmanage thread start ========
=========== NetReqProc thread start ===========

video video servport==90
======== Detect echo thread start ========
=========TH_RecvAN========
alarmserver bind OKOK!!!

====== we are going to init image ======
get in init_image_params

====== infrared: change to daytime mode. ======


=== awb_mode:0 ===
stat[0] =1
stat[1] =1
======>>>hiapp set mode: 3

====== we are going to init af params ======

====== we are going to init encode ======

=========in init_video_params: Stream 0 :resolution h:1080 w:1920

=========in init_video_params: Stream 1 :resolution h:0 w:0

=========in init_video_params: Stream 2 :resolution h:0 w:0
Time is invalid !





Init area 6



===app set enable: 0
Thread_statusrecord (514): drop_caches: 3
_check creat ok!
--------ONIVF-------start---


==== >> INIT_PTZPresetList userMode: 1 << ====

TH_AlarmProcess_API creat ok!
_ReadAlarmInCfg fopen /mnt/flash/data/hkalarmincfg failure.
_ReadAlarmInCfgV30 fopen /mnt/flash/data/hkalarmincfgv30 failure.
FunInit_Streaminfo audio is off
FunSetAudioType : PCMU
*INFO*rtsp init main con:3, sub con:5
=================== Thread IR start! ===================
eth0 ok, ntp sync now !
=========== tst_net_request_thread thread start ===========
======== TST Device Search thread start ========
socket connection successful 17

======== ONVIF msgmanage thread start ========
===========>>>>>> HK_NetReq_Thread start <<<<<<===========
ONVIF Starting thread 0
create hk_search_thread here and gBootTimeString: 2013-08-04 16:00:00
wait
ONVIF Starting thread 1
ONVIF Starting thread 2
ONVIF Starting thread 3
ONVIF Starting thread 4
* Board tools : ver0.0.1_20121120 *
[debug]: {source/utils/cmdshell.c:161}cmdstr:himm
0x120401e0: 0x00000000 --> 0x00000000
[END]

FunInitTCPListenPort RtspPort = 554,HttpPort = 8080

@@@@@@@@ Init XM_Global_Info @@@@@@@@
rtp_sink_thrd buff_size = 524288
+++++++++++++++ddns start++++++++++++++
======== Search Device thread start ========

=========== XM_Thread_NetReq_Process thread start ===========

video video servport==34567
Time is invalid !
Create thread <cameramode_task> successful !
Thread_HardwareReset Start
!!!!!! thread ntp_start_thread create sucessfully !!!!!!
mw_img_set_antiflicker_api: *eAntiFlicker=60

====== infrared: change to daytime mode. ======


=== awb_mode:0 ===
* Board tools : ver0.0.1_20121120 *
[debug]: {source/utils/cmdshell.c:161}cmdstr:himm
0x12040090: 0x00000002 --> 0x00000000
[END]
-----mw_img_set_blc_api : value==0------
mw_img_set_brightness_api brightness_s 128, *brightness 128
mw_api_err-mw_img_set_brightness_api:2040 The para being to set is same as before!!
--- mw_img_set_contrast_api pstContrast = 50
mw_api_err-mw_img_set_contrast_api:2128 The para being to set is same as before!!
set max mtcf value = 60
mw_api_err-mw_img_set_mirror_api:3169 The para being to set is same as before!!
mw_api_err-mw_img_set_mirror_api:3169 The para being to set is same as before!!
mw_api_err-mw_img_set_mirror_api:3169 The para being to set is same as before!!

****
Welcome to hankvision ipc webs
****

mw_img_set_brightness_api brightness_s 128, *brightness 128
mw_api_err-mw_img_set_brightness_api:2040 The para being to set is same as before!!
--- mw_img_set_contrast_api pstContrast = 50
mw_api_err-mw_img_set_contrast_api:2128 The para being to set is same as before!!
mw_api_err-mw_img_set_saturation_api:2205 The para being to set is same as before!!
senconds = 3
set c2bwthr = 63*
set bw2cthr = 70*

mw_api_err-mw_img_set_saturation_api:2205 The para being to set is same as before!!
-----mw_img_set_hlc_api : value==2------
-----mw_img_set_AFC_api: set anti false color = 0x0
-----mw_img_set_AFG_api enable = 0
---mw_img_set_LSC_api: --set lsc = 0
----mw_img_set_DIS_api : off ----
Got Rotate status: 0
===>>>sdk_app set multiple: 0
In Func initsocket(): socket OK!!!
===>>>sdk_app set zoom speed: 4

---------webs: listen port=80 ---------
device type is V6202IR-IMX385

hi3518e = 0, hi3516a_board = 0, hi3518ev200 = 0, hi3516cv300 = 0, hi3519V101 = 2
gk7102 = 0
gk7101 = 0
hi3516cv100 = 0
mstar = 0
isvptx0 = 0
ICEtype = 0

===>>>sdk_app set focus speed: 4
set stream 0 resolution:height:1080 width:1920
mw_api_err-mw_enc_set_resolution_api:833 setting resolution : same at all
_mw_enc_set_bitrate_api payload: 96 pBitrate->mode: 1 enRcMode: 1

CBR framerate : In 30, Fps 10, gop 25, statTime 5

CBR gop : In 30, Fps 10, gop 20, statTime 2
mw_api_err-mw_enc_set_quality_api:1948 set quality fail
set stream 1 resolution:height:0 width:0
mw_table_element_get error
set resolution:height:0 width:0
[stream_reader_proc]-459: HI_MPI_VENC_Query chn[1] failed with 0xa0088005!
[stream_reader_proc]-459: HI_MPI_VENC_Query chn[1] failed with 0xa0088005!
[stream_reader_proc]-459: HI_MPI_VENC_Query chn[1] failed with 0xa0088005!
[stream_reader_proc]-459: HI_MPI_VENC_Query chn[1] failed with 0xa0088005!
[stream_reader_proc]-459: HI_MPI_VENC_Query chn[1] failed with 0xa0088005!

Those last few lines repeat indefinitely once booted for some reason, though the cam seems to be functioning fine...

Here's a (crappy) photo of how I have the UART adapter connected to those 3 pads corresponding to the ones on the lower left of your photo #2 above.
(from the corner: green, white, and black on the one marked G)
49946131713_92dc780f4e_3k.jpg

and once I stop the OS booting by holding down any key as it starts up:

U-Boot 2010.06 (Dec 26 2017 - 02:29:36)

Check Flash Memory Controller v100 ... Found
SPI Nor(cs 0) ID: 0xc2 0x20 0x18
Block:64KB Chip:16MB Name:"MX25L128XX"
SPI Nor total size: 16MB
MMC:
EMMC/MMC/SD controller initialization.
Card did not respond to voltage select!
No EMMC/MMC/SD device found !
In: serial
Out: serial
Err: serial
Hit any key to stop autoboot: 0
hisilicon #
hisilicon #
hisilicon # help
? - alias for 'help'
base - print or set address offset
bootm - boot application image from memory
bootp - boot image via network using BOOTP/TFTP protocol
cmp - memory compare
cp - memory copy
crc32 - checksum calculation
ddr - ddr training function
fatinfo - print information about filesystem
fatload - load binary file from a dos filesystem
fatls - list files in a directory (default /)
getinfo - print hardware information
go - start application at address 'addr'
help - print command description/usage
loadb - load binary file over serial line (kermit mode)
loady - load binary file over serial line (ymodem mode)
loop - infinite loop on address range
md - memory display
mii - MII utility commands
mm - memory modify (auto-incrementing address)
mmc - MMC sub system
mmcinfo - mmcinfo <dev num>-- display MMC info
mtest - simple RAM read/write test
mw - memory write (fill)
nm - memory modify (constant address)
ping - send ICMP ECHO_REQUEST to network host
printenv- print environment variables
rarpboot- boot image via network using RARP/TFTP protocol
reset - Perform RESET of the CPU
saveenv - save environment variables to persistent storage
setenv - set environment variables
sf - SPI flash sub-system
tftp - tftp - download or upload image via network using TFTP protocol
usb - USB sub-system
usbboot - boot from USB device
version - print monitor version
hisilicon # getinfo
getinfo - print hardware information

hisilicon # getinfo
getinfo - print hardware information

hisilicon # printenv
bootdelay=1
baudrate=115200
ethaddr=00:00:23:34:45:66
bootfile="uImage"
filesize=802320
fileaddr=82000000
netmask=255.255.255.0
ipaddr=192.168.1.191
serverip=192.168.1.251
bootargs=mem=192M console=ttyAMA0,115200 root=/dev/mtdblock2 rootfstype=jffs2 rw mtdparts=hi_sfc:512K(boot),2M(kernel),3584K(rootfs),10M(param)
bootcmd=sf probe 0;sf read 0x82000000 0x80000 0x200000;bootm 0x82000000
stdin=serial
stdout=serial
stderr=serial
verify=n
ver=U-Boot 2010.06 (Dec 26 2017 - 02:29:36)

Environment size: 482/262140 bytes
hisilicon #

So, the usual stuff to play with there, if one wanted to...

edit to obscure admin password in original dump... d'oh! now that's not secure... :)
 

kmcgurty1

n3wb
Joined
May 29, 2020
Messages
3
Reaction score
0
Location
UK
WELP, I had an entire paragraph written out on steps I did to get into the unit and.... I bricked it lol.

I was able to get shell access, but the entire OS was read only. I decided to mess around with some of the boot arguments and totally wiped out the kernel.

It was fun for the short while, now I'm going to buy an actual camera that isn't $30.

Thanks again for your help pozzello and alastairstevenson.

BTW the hash for the root password is $1$0Me7S3z5$.uQ4Pr/QjJQ/0JUZI0w4m.. I spent about 6 hours trying to crack it and gave up.
 

pozzello

Known around here
Joined
Oct 7, 2015
Messages
2,270
Reaction score
1,117
> I decided to mess around with some of the boot arguments and totally wiped out the kernel.

If you have a record of what all the env variables were prior to mucking it up, you should be able to restore it.
That happened to me previously. Luckily, I was able to restore enough of the env variables that I could recover it...
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,930
Reaction score
6,779
Location
Scotland
> the entire OS was read only.

Some file systems are read-only, such as squashfs and CRAMFS.
These will be used in areas which are not subject to changing data.

> I decided to mess around with some of the boot arguments and totally wiped out the kernel.

That does surprise me.
I'm tempted to say it's unlikely that you trashed the kernel.
What's your recollection of what you were doing when this happened?
 

kmcgurty1

n3wb
Joined
May 29, 2020
Messages
3
Reaction score
0
Location
UK
> If you have a record of what all the env variables were prior to mucking it up, you should be able to restore it.
> That happened to me previously. Luckily, I was able to restore enough of the env variables that I could recover it...

> Some file systems are read-only, such as squashfs and CRAMFS.
> These will be used in areas which are not subject to changing data.
>
> That does surprise me.
> I'm tempted to say it's unlikely that you trashed the kernel.
> What's your recollection of what you were doing when this happened?

I have a copy of the entire putty window so I could look back at what I did wrong. If you look at line #49 of that pastebin, you'll see I set the bootcmd to sf write (it previously said sf read), and then I try to boot on line #73. Line #75 shows it writing over that memory address. In hindsight I should've actually read what the sf command does, because it clearly says in the documentation here.

I've reached out to the manufacturer to maybe get a warranty replacement. I don't feel very bad about doing it since all they have to do is re-flash it and it was in perfect condition otherwise.
 

pozzello

Known around here
Joined
Oct 7, 2015
Messages
2,270
Reaction score
1,117
You should still be able to recover by re-flashing proper FW via tftp.
Just need to find something appropriate for that 'hi3516ev200 ' module...
 

kmcgurty1

n3wb
Joined
May 29, 2020
Messages
3
Reaction score
0
Location
UK
> You should still be able to recover by re-flashing proper FW via tftp.
> Just need to find something appropriate for that 'hi3516ev200 ' module...

I might. I'll look into that after seeing what the manufacturer says. I need a break from messing with the thing anyway lol
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,930
Reaction score
6,779
Location
Scotland
> If you look at line #49 of that pastebin, you'll see I set the bootcmd to sf write (it previously said sf read),

Hmm.. I retract my statement that it's unlikely that you trashed the kernel.
You wrote a chunk of memory over the flash area that the kernel resides in.
Oh well.

> I've reached out to the manufacturer to maybe get a warranty replacement.

But the bootloader is still fine.
Maybe they would be happier to slip you a copy of the firmware, then you can write back uImage as it originally was.
Using the sf write command ...
But take advice before doing so!
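
The mistake discussed in the posts above (a bootcmd whose sf read became sf write) can be caught before saveenv or boot by checking every sf command in the script against the mtdparts layout. This is an added example, not part of the original posts: the function names are hypothetical, the bootargs and original bootcmd are copied from the printenv output earlier in the thread, and the edited bootcmd is reconstructed from the poster's description because the pastebin is not on this page.

```python
import re

UNITS = {"": 1, "k": 1024, "m": 1024 * 1024}


def parse_mtdparts(bootargs):
    """Return [(name, start, end)] from the mtdparts= token of a bootargs string."""
    m = re.search(r"mtdparts=[^:\s]+:(\S+)", bootargs)
    if not m:
        raise ValueError("no mtdparts= in bootargs")
    parts, offset = [], 0
    for spec in m.group(1).split(","):
        pm = re.fullmatch(r"(\d+)([kKmM]?)\((\w+)\)", spec)
        if not pm:
            raise ValueError(f"unsupported partition spec: {spec!r}")
        size = int(pm.group(1)) * UNITS[pm.group(2).lower()]
        parts.append((pm.group(3), offset, offset + size))
        offset += size
    return parts


def flash_writes(script, parts):
    """List (command, offset, length, partitions_hit) for each destructive sf command.

    U-Boot syntax: sf write|update <ram_addr> <flash_offset> <len>
                   sf erase <flash_offset> [+]<len>
    Numbers on the U-Boot command line are hexadecimal, with or without 0x.
    """
    findings = []
    for cmd in (c.strip() for c in script.split(";")):
        tok = cmd.split()
        if len(tok) < 2 or tok[0] != "sf":
            continue
        if tok[1] == "erase" and len(tok) >= 4:
            off, length = int(tok[2], 16), int(tok[3].lstrip("+"), 16)
        elif tok[1] in ("write", "update") and len(tok) >= 5:
            off, length = int(tok[3], 16), int(tok[4], 16)
        else:
            continue  # sf probe / sf read do not modify flash
        hit = [name for name, start, end in parts
               if off < end and off + length > start]
        findings.append((cmd, off, length, hit))
    return findings


# Values copied from the printenv output posted earlier in the thread.
BOOTARGS = ("mem=192M console=ttyAMA0,115200 root=/dev/mtdblock2 rootfstype=jffs2 rw "
            "mtdparts=hi_sfc:512K(boot),2M(kernel),3584K(rootfs),10M(param)")
ORIGINAL = "sf probe 0;sf read 0x82000000 0x80000 0x200000;bootm 0x82000000"
# Constructed sample: the same script with read changed to write, as described.
EDITED = "sf probe 0;sf write 0x82000000 0x80000 0x200000;bootm 0x82000000"

if __name__ == "__main__":
    layout = parse_mtdparts(BOOTARGS)
    for label, script in (("original", ORIGINAL), ("edited", EDITED)):
        hits = flash_writes(script, layout)
        if not hits:
            print(f"{label}: no flash-modifying sf commands")
        for cmd, off, length, names in hits:
            print(f"{label}: '{cmd}' overwrites 0x{off:x}-0x{off + length:x} "
                  f"({', '.join(names) or 'outside mtdparts'})")
```
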
 
Joined
Oct 27, 2020
Messages
4
Reaction score
0
Location
Romania
IP camera 2MP PoE HI3516E V200 Sony IMX307


Hello all,

I bought two IP cameras (PoE, card, IR etc.) from Aliexpress, Zosi store (which I don't recommend).

I have problems with both cameras: one can't connect to the web interface and the other one restarts itself a few seconds after booting.

With "Search tool" I can't upgrade the firmware or reset, just change the IP address.

So I tried to reflash them with a UART adapter and TFTP server but nothing happens (I think I am doing something wrong).


hisilicon # bdinfo
arch_number = 0x00001F40
boot_params = 0x40000100
DRAM bank = 0x00000000
-> start = 0x40000000
-> size = 0x04000000
eth0name = eth0
ethaddr = (not set)
current eth = eth0
ip_addr = <NULL>
baudrate = 115200 bps
TLB addr = 0x43FF0000
relocaddr = 0x43F35000
reloc off = 0x03735000
irq_sp = 0x43E94EE0
sp start = 0x43E94ED0
Early malloc usage: 70 / 2000

___

hisilicon # getinfo spi
Block:64KB Chip:16MB*1
ID:0xC2 0x20 0x18
Name:"MX25L128XX"

___

hisilicon # getinfo bootmode
spi
___

hisilicon # printenv
arch=arm
baudrate=115200
board=hi3516ev200
board_name=hi3516ev200
bootargs=mem=40M console=ttyAMA0,115200 root=/dev/mtdblock2 rootfstype=squashfs mtdparts=hi_sfc:512K(boot),2M(kernel),1536k(rootfs),9M(app),1M(param),2M(var)
bootcmd=sf probe 0;sf read 0x42000000 0x80000 0x200000;bootm 0x42000000
bootdelay=1
cpu=armv7
ethact=eth0
soc=hi3516ev200
stderr=serial
stdin=serial
stdout=serial
vendor=hisilicon
verify=n
Environment size: 444/262140 bytes
___


hisilicon # version
U-Boot 2016.11 (Jun 24 2019 - 15:12:47 +0800)hi3516ev200
arm-himix100-linux-gcc (HC&C V100R002C00B032_20190114) 6.3.0
GNU ld (GNU Binutils) 2.29

___
___
___


hisilicon # reset
resetting ...


System startup

Uncompress Ok!

U-Boot 2016.11 (Jun 24 2019 - 15:12:47 +0800)hi3516ev200

Relocation Offset is: 03735000
Relocating to 43f35000, new gd at 43e94ef0, sp at 43e94ed0
SPI Nor: NAND: 0 MiB
MMC:
In: serial
Out: serial
Err: serial
Net: eth0
Warning: eth0 (eth0) using random MAC address - e6:a2:ac:b0:66:fe

Hit any key to stop autoboot: 0
device 0 offset 0x80000, size 0x200000

SF: 2097152 bytes @ 0x80000 Read: OK
## Booting kernel from Legacy Image at 42000000 ...
Image Name: Linux-4.9.37
Image Type: ARM Linux Kernel Image (uncompressed)
Data Size: 1956183 Bytes = 1.9 MiB
Load Address: 40008000
Entry Point: 40008000
Loading Kernel Image ... OK

Starting kernel ...

Uncompressing Linux... done, booting the kernel.
Booting Linux on physical CPU 0x0
Linux version 4.9.37 (czw@ubuntu) (gcc version 6.3.0 (Heterogeneous Compiler&Codesign V100R002C00B003) ) #1 Mon Mar 18 18:29:20 PDT 2019
CPU: ARMv7 Processor [410fc075] revision 5 (ARMv7), cr=10c53c7d
CPU: div instructions available: patching division code
CPU: PIPT / VIPT nonaliasing data cache, VIPT aliasing instruction cache
OF: fdt:Machine model: Hisilicon HI3516EV200 DEMO Board
Memory policy: Data cache writeback
CPU: All CPU(s) started in SVC mode.
Built 1 zonelists in Zone order, mobility grouping on. Total pages: 10160
Kernel command line: mem=40M console=ttyAMA0,115200 root=/dev/mtdblock2 rootfstype=squashfs mtdparts=hi_sfc:512K(boot),2M(kernel),1536k(rootfs),9M(app),1M(param),2M(var)
PID hash table entries: 256 (order: -2, 1024 bytes)
Dentry cache hash table entries: 8192 (order: 3, 32768 bytes)
Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)
Memory: 35084K/40960K available (3831K kernel code, 143K rwdata, 1020K rodata, 156K init, 204K bss, 5876K reserved, 0K cma-reserved)
Virtual kernel memory layout:
vector : 0xffff0000 - 0xffff1000 ( 4 kB)
fixmap : 0xffc00000 - 0xfff00000 (3072 kB)
vmalloc : 0xc3000000 - 0xff800000 ( 968 MB)
lowmem : 0xc0000000 - 0xc2800000 ( 40 MB)
modules : 0xbf000000 - 0xc0000000 ( 16 MB)
.text : 0xc0008000 - 0xc03c61c8 (3833 kB)
.init : 0xc04c7000 - 0xc04ee000 ( 156 kB)
.data : 0xc04ee000 - 0xc0511f20 ( 144 kB)
.bss : 0xc0513000 - 0xc0546340 ( 205 kB)
SLUB: HWalign=64, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
NR_IRQS:16 nr_irqs:16 16
Gic dist init...
arm_arch_timer: Architected cp15 timer(s) running at 50.00MHz (phys).
clocksource: arch_sys_counter: mask: 0xffffffffffffff max_cycles: 0xb8812736b, max_idle_ns: 440795202655 ns
sched_clock: 56 bits at 50MHz, resolution 20ns, wraps every 4398046511100ns
Switching to timer-based delay loop, resolution 20ns
clocksource: arm,sp804: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 637086815595 ns
Console: colour dummy device 80x30
Calibrating delay loop (skipped), value calculated using timer frequency.. 100.00 BogoMIPS (lpj=500000)
pid_max: default: 32768 minimum: 301
Mount-cache hash table entries: 1024 (order: 0, 4096 bytes)
Mountpoint-cache hash table entries: 1024 (order: 0, 4096 bytes)
CPU: Testing write buffer coherency: ok
Setting up static identity map for 0x40008240 - 0x40008298
VFP support v0.3: implementor 41 architecture 2 part 30 variant 7 rev 5
clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604462750000 ns
futex hash table entries: 256 (order: -1, 3072 bytes)
pinctrl core: initialized pinctrl subsystem
NET: Registered protocol family 16
DMA: preallocated 256 KiB pool for atomic coherent allocations
Serial: AMBA PL011 UART driver
12040000.uart: ttyAMA0 at MMIO 0x12040000 (irq = 21, base_baud = 0) is a PL011 rev2
console [ttyAMA0] enabled
SCSI subsystem initialized
ssp-pl022 12070000.spi: ARM PL022 driver, device ID: 0x00800022
ssp-pl022 12070000.spi: mapped registers from 0x12070000 to c3063000
usbcore: registered new interface driver usbfs
usbcore: registered new interface driver hub
usbcore: registered new device driver usb
Linux video capture interface: v2.00
clocksource: Switched to clocksource arch_sys_counter
NET: Registered protocol family 2
TCP established hash table entries: 1024 (order: 0, 4096 bytes)
TCP bind hash table entries: 1024 (order: 0, 4096 bytes)
TCP: Hash tables configured (established 1024 bind 1024)
UDP hash table entries: 256 (order: 0, 4096 bytes)
UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
NET: Registered protocol family 1
workingset: timestamp_bits=30 max_order=14 bucket_order=0
squashfs: version 4.0 (2009/01/31) Phillip Lougher
jffs2: version 2.2. (NAND) © 2001-2006 Red Hat, Inc.
fuse init (API version 7.26)
Block layer SCSI generic (bsg) driver version 0.4 loaded (major 252)
io scheduler noop registered
io scheduler deadline registered (default)
io scheduler cfq registered
pl061_gpio 120b0000.gpio_chip: PL061 GPIO chip @0x120b0000 registered
pl061_gpio 120b1000.gpio_chip: PL061 GPIO chip @0x120b1000 registered
pl061_gpio 120b2000.gpio_chip: PL061 GPIO chip @0x120b2000 registered
pl061_gpio 120b4000.gpio_chip: PL061 GPIO chip @0x120b4000 registered
pl061_gpio 120b5000.gpio_chip: PL061 GPIO chip @0x120b5000 registered
pl061_gpio 120b6000.gpio_chip: PL061 GPIO chip @0x120b6000 registered
pl061_gpio 120b7000.gpio_chip: PL061 GPIO chip @0x120b7000 registered
pl061_gpio 120b8000.gpio_chip: PL061 GPIO chip @0x120b8000 registered
brd: module loaded
hisi-sfc hisi_spi_nor.0: SPI Nor ID Table Version 1.2
hisi-sfc hisi_spi_nor.0: all blocks is unlocked.
hisi-sfc hisi_spi_nor.0: mx25l12835f (Chipsize 16 Mbytes, Blocksize 64KiB)
6 cmdlinepart partitions found on MTD device hi_sfc
6 cmdlinepart partitions found on MTD device hi_sfc
Creating 6 MTD partitions on "hi_sfc":
0x000000000000-0x000000080000 : "boot"
0x000000080000-0x000000280000 : "kernel"
0x000000280000-0x000000400000 : "rootfs"
0x000000400000-0x000000d00000 : "app"
0x000000d00000-0x000000e00000 : "param"
0x000000e00000-0x000001000000 : "var"
FEPHY:addr=1, la_am=0xc, ldo_am=0x4, r_tuning=0x1b
libphy: hisi_femac_mii_bus: probed
libphy: Fixed MDIO Bus: probed
Generic PHY 10041100.mdio:01: attached PHY driver [Generic PHY] (mii_bus:phy_addr=10041100.mdio:01, irq=-1)
phy_id=0x20669903, phy_mode=mii
hisi-femac 10040000.ethernet: using random MAC address d2:46:dd:ae:b1:9d
PPP generic driver version 2.4.2
usbcore: registered new interface driver r8152
hibvt_rtc 120e0000.rtc: rtc core: registered 120e0000.rtc as rtc0
hibvt_rtc 120e0000.rtc: RTC driver for hibvt enabled
i2c /dev entries driver
hibvt-i2c 12060000.i2c: hibvt-i2c0@100000hz registered
hibvt-i2c 12061000.i2c: hibvt-i2c1@100000hz registered
hibvt-i2c 12062000.i2c: hibvt-i2c2@100000hz registered
uvcvideo: Unable to create debugfs directory
usbcore: registered new interface driver uvcvideo
USB Video Class driver (1.1.1)
sdhci: Secure Digital Host Controller Interface driver
sdhci: Copyright(c) Pierre Ossman
sdhci-pltfm: SDHCI platform and OF driver helper
mmc0: SDHCI controller on 10010000.sdhci [10010000.sdhci] using ADMA in legacy mode
mmc1: SDHCI controller on 10020000.sdhci [10020000.sdhci] using ADMA in legacy mode
Initializing XFRM netlink socket
NET: Registered protocol family 17
NET: Registered protocol family 15
Key type dns_resolver registered
hibvt_rtc 120e0000.rtc: setting system clock to 1970-01-26 01:02:28 UTC (2163748)
VFS: Mounted root (squashfs filesystem) readonly on device 31:2.
Freeing unused kernel memory: 156K (c04c7000 - c04ee000)
This architecture does not have kernel memory protection.

_ _ _ _ _ _ _ _ _ _ _ _
\ _ _ _ _ _ ___
/ /__/ \ |_/
/ __ / - _ ___
/ / / / / /
_ _ _ / / / \/ \_ __
\\


[RCS]: /etc/init.d/S00devs
[RCS]: /etc/init.d/S01udev
[RCS]: /etc/init.d/S80network
random: S80network: uninitialized urandom read (4 bytes read)
[RCS]: /etc/init.d/S95mount
mount: mounting /dev/mtdblock3 on /opt/app failed: Invalid argument
[RCS]: /etc/init.d/S97setenv
load3516ev200
40M
/var/cfg/env is not exist!!!
console=ttyAMA0,115200 root=/dev/mtdblock2 rootfstype=squashfs mtdparts=hi_sfc:512K(boot),2M(kernel),1536k(rootfs),9M(app),1M(param),2M(var)
40M
no need to set bootargs
[RCS]: /etc/init.d/S99longse
longse app mtd is not ok!!
no need to change the Ver.ini
[Trace]: CameraDeviceInit 413:
Global value size:7996
ReadGlobal 359: filename = /param/sysenv.cfg
nfilesize=7996 , configsize=7996 MagicNum: 2593849357, MagicNumConfig: 2593849357
ReadGlobal: 0 .......................
[ReadDevConfigFile] Mac = 00:00:1B:09:15:0D



ReadNetConfigFile 262: free_sn = 8801076233667EndEnd



InitNetWork 449: start !
dns=8.8.8.8
[Trace]:


InitNetWork 496: Command cmd = ifconfig eth0 hw ether 00:00:1B:09:15:0D
InitNetWork 502: start !
DEBUG1 DD_StartDiscovery-1919: Start Write DEBUG_ERR File
DEBUG DD_StartDiscoveryThread-1728: Start DevDescovery...

[Trace]: CameraDeviceInit 413:
DEBUG DD_AddNewTask-169: add new task success!

Please press Enter to activate this console. Creat queue id:0
queue id:0
[Trace]: main 196: SOFTVER_PATH /var/cfg/Ver.ini
[Trace]: create tcp connect success 3,start listen...
open /dev/io_dev failed!
[Trace]: SocketThread 457: fd = 3
[Trace]: CameraGetWebPort 730:
[Trace]: Longse protocol starting...


-----------------------------------------------
Longse server is running...
Platform: HI3516EV200
Console: enable
Devname: eth0
Server port: 80
Version: V1.0 Build Mar 18 2019 17:59:43
-----------------------------------------------


[Trace]: Now, starting the server thread...
[Trace]: LongseServerStart 128: port = 80
[Trace]: LSStartNetwork 1167: port = 80
[Trace]: create tcp connect success 6,start listen...
[Trace]: LSListenSocketThread 93: fd = 6


setenv ipaddr 192.168.1.168
setenv serverip 192.168.1.169
saveenv
du=tftp 0x42000000 ff 0x80000;tftp 0x42000000 user-x.cramfs.img;sf probe 0;flwrite
dr=tftp 0x42000000 ff 0x80000;tftp 0x42000000 romfs-x.cramfs.img;sf probe 0;flwrite
dw=tftp 0x42000000 ff 0x80000;tftp 0x42000000 web-x.cramfs.img;sf probe 0;flwrite
dc=tftp 0x42000000 ff 0x80000;tftp 0x42000000 custom-x.cramfs.img;sf probe 0;flwrite
boot


hisilicon # du=tftp 0x42000000 ff 0x80000;tftp 0x42000000 user-x.cramfs.img;sf pUnknown command

'du=tftp' - try 'help'
Hisilicon ETH net controler
MAC address invalid!
Set Random MAC address: b2:97:be:6f:26:ad
eth0 : phy status change : LINK=UP : DUPLEX=FULL : SPEED=100M
Using eth0 device
TFTP from server 192.168.1.169; our IP address is 192.168.1.168
Filename 'user-x.cramfs.img'.
Load address: 0x42000000
Loading: #################################################################
#################################################################
#################################################################
#################################################################
###################################
578.1 KiB/s
done
Bytes transferred = 4325440 (420040 hex)
Unknown command 'flwrite' - try 'help'


[Trace]: LSListenSocketThread 122 : A stupid connect!ip = 192.168.1.169, port = 52234
[Trace]: /LSListenSocketThread 124 : ..........fd = 7
[Trace]: AddLSFd 184: fix_pos = 0 fd 7
[Trace]:

LSSendRecvSocketThread 984: No zuo no die len = -1 ulBufferSize = 168636718! cmd = 0x202F
[Trace]: RemoveLSFd 279: Remove 0 fd 7
[Trace]: LSSendRecvSocketThread 990: Command disconnect

I have tried several firmwares for this HI3516EV200 camera.

Can somebody help me?

Thank you!
 

Joined
Nov 15, 2020
Messages
2
Reaction score
0
Location
Canada
Hi,

I have been given some firmware files from JideTech which may assist. This link will expire in 1 week: 3516EV300-200521.bin and 1 more file

It contains these 2 files: 3516EV300-200521.bin and Hi3516EV200_200905_8M_LT.bin

The first one has a hash match to the original poster's root password. This might help bring it back to life.

Edit: The camera linked for Amazon is the same camera I have. I have been having issues with it losing video - that's why I have updated firmware.
 
Joined
Oct 27, 2020
Messages
4
Reaction score
0
Location
Romania
Hello shadow reaper,

Please tell me how to upload your firmware.
I can't access the web interface for these cameras, but I can access them with PuTTY by serial interface Rx Tx Gnd.
As you see above, I have some unsuccessful trials for flashing bin files.
Thank you!
 
Joined
Nov 15, 2020
Messages
2
Reaction score
0
Location
Canada
> Hello shadow reaper,
>
> Please tell me how to upload your firmware.
> I can't access the web interface for these cameras, but I can access them with PuTTY by serial interface Rx Tx Gnd.
> As you see above, I have some unsuccessful trials for flashing bin files.
> Thank you!

Hi,

Not sure as I don't have the root password - I came across this post just by chance by searching for the hash of it.
 

nh1980ro

n3wb
Joined
Aug 1, 2021
Messages
9
Reaction score
1
Location
Romania
Hi,
I ended up here after, of course, bricking my Chinese camera.
Hi3516 V200 chip.
It had firmware V20.1.23.6.5 or something.
It did not have the "Humanoid alarm" option and I tried to put a different firmware on it. I renamed the file to be similar to V20.1.23.6..... aaaand...bricked it.
After searching the internet I ended up on this forum and managed to get to the UART serial port.
I managed to set up a TFTP server and I can get files through tftpboot, but I'm not sure what to do with them.
Here is what I have (U boot pass: HI2105CHIP)
reset:
"
System startup

Uncompress Ok!

U-Boot 2016.11 (Apr 03 2019 - 18:54:33 +0800)hi3516ev200

Relocation Offset is: 0375e000
Relocating to 43f5e000, new gd at 43f1def0, sp at 43f1ded0
SPI Nor: Check Flash Memory Controller v100 ... Found
SPI Nor ID Table Version 1.0
SPI Nor(cs 0) ID: 0x20 0x70 0x17
Block:64KB Chip:8MB Name:"XM25QH64AHIG"
SPI Nor total size: 8MB
NAND: 0 MiB
In: serial
Out: serial
Err: serial
Net: eth0
Hit any key to stop autoboot: 0
device 0 offset 0x40000, size 0x1a0000

SF: 1703936 bytes @ 0x40000 Read: OK
Wrong Image Format for bootm command
ERROR: can't get kernel image!
### Please input uboot password: ###
"
printenv:

hisilicon # printenv
arch=arm
baudrate=115200
board=hi3516ev200
board_name=hi3516ev200
bootargs=mem=46M console=ttyAMA0,115200 root=/dev/mtdblock2 rootfstype=jffs2 rw mtdparts=hi_sfc:256K(boot),1664K(kernel),14464K(rootfs)
bootcmd=sf probe 0;sf read 0x42000000 0x40000 0x1A0000;bootm 0x42000000
bootdelay=1
cpu=armv7
ethact=eth0
ethaddr=1a:35:0a:2f:eb:e6
fileaddr=42000000
filesize=8a8b74
ipaddr=192.168.1.10
server=192.168.1.159
serverip=192.168.1.132
soc=hi3516ev200
stderr=serial
stdin=serial
stdout=serial
vendor=hisilicon
verify=n

Environment size: 558/65532 bytes
"

hisilicon # version

U-Boot 2016.11 (Apr 03 2019 - 18:54:33 +0800)hi3516ev200
arm-himix100-linux-gcc (HC&C V100R002C00B032_20190114) 6.3.0
GNU ld (GNU Binutils) 2.29

As far as I can figure out, the Linux does not boot for some reason.
How can I get a working firmware and install it back on the "brick"?
I would need steps "translated" for dummies, please!
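
U-Boot prints "Wrong Image Format for bootm command" when the data at the load address does not begin with an image header it recognises, so it is worth validating a candidate kernel file on the PC before it goes anywhere near flash. The following is an added example, not part of the original posts: it checks the 64-byte legacy uImage header (magic, header CRC, data CRC) and that the file fits the region bootcmd reads, with 0x1A0000 taken from the bootcmd above; the function names are hypothetical and the sample image is constructed in memory.

```python
import struct
import zlib

UIMAGE_MAGIC = 0x27051956            # legacy U-Boot image magic (ih_magic)
# ih_magic, ih_hcrc, ih_time, ih_size, ih_load, ih_ep, ih_dcrc,
# ih_os, ih_arch, ih_type, ih_comp, ih_name[32]; all big-endian, 64 bytes.
HEADER = struct.Struct(">7I4B32s")


def check_uimage(blob, max_size):
    """Return a list of problems; an empty list means the image passes."""
    if len(blob) < HEADER.size:
        return ["shorter than the 64-byte header"]
    magic, hcrc, _t, size, _load, _ep, dcrc, *_rest = HEADER.unpack_from(blob)
    if magic != UIMAGE_MAGIC:
        return [f"bad magic 0x{magic:08x}: not a legacy uImage"]
    problems = []
    # The header CRC is computed over the header with ih_hcrc set to zero.
    zeroed = blob[:4] + b"\x00" * 4 + blob[8:HEADER.size]
    if zlib.crc32(zeroed) & 0xFFFFFFFF != hcrc:
        problems.append("header CRC mismatch")
    data = blob[HEADER.size:HEADER.size + size]
    if len(data) < size:
        problems.append("payload truncated")
    elif zlib.crc32(data) & 0xFFFFFFFF != dcrc:
        problems.append("data CRC mismatch")
    if HEADER.size + size > max_size:
        problems.append(f"does not fit: needs 0x{HEADER.size + size:x}, "
                        f"region is 0x{max_size:x}")
    return problems


def build_sample(payload, name=b"constructed-sample"):
    """Build a valid legacy uImage around payload (constructed test fixture)."""
    fields = [UIMAGE_MAGIC, 0, 0, len(payload), 0x40008000, 0x40008000,
              zlib.crc32(payload) & 0xFFFFFFFF,
              5, 2, 2, 0,            # OS=Linux, arch=ARM, type=kernel, comp=none
              name]
    fields[1] = zlib.crc32(HEADER.pack(*fields)) & 0xFFFFFFFF
    return HEADER.pack(*fields) + payload


KERNEL_REGION = 0x1A0000             # length read by bootcmd in the post above

if __name__ == "__main__":
    good = build_sample(b"\x00" * 1024)
    samples = {
        "valid image": good,
        "raw blob without header": b"\xff" * 128,
        "one payload byte flipped": good[:-1] + b"\x01",
    }
    for label, blob in samples.items():
        print(f"{label}: {check_uimage(blob, KERNEL_REGION) or 'OK'}")
```
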
 