How to (Mini PTZ V2) - find which sensor, and backup the system.

Thank´s a lot - now I´m able to access my HUISUN sd-card via ftp :-)

Alex
 
alastairstevenson said:
*edit* This proposed method for figuring the sensor may not be accurate - see post #6 and later.
It's looking like Huisun are not necessarily programming correct info in the sensor line of config_hw.ini
But there may be another similar way - keep reading!

This is aimed at helping out over the uncertainty of the
"What sensor is in my Mini PTZ V2' and will it brick if I upgrade with the new firmware?"
quandary.
We know that following the shortage of IMX322 sensors following the Japanese earthquake, Huisun manufactured some Mini PTZ V2 with the IMX122 sensor.
We also know from posts on here that some V2s with the other sensor were bricked when updating with some new firmware.
And it seems that the ordering / delivery timing isn't a reliable way to determine what sensor may be installed.
So this post is aimed at gathering enough info from members that maybe a sticky can be created and maintained about what works with what and what doesn't.
And to protect against any future accidents - it would be good to have a recovery backup.


So how can I find out what sensor is in my Mini PZT V2? @pozzello has already posted about this, but to recap here is how I believe it's possible:
With your favourite telnet client (PuTTY or Linux or Windows telnet) start a telnet session to port 3232 on your Mini PTZ V2.
Rather than expose Huisun's not-very-well-protected root password, those interested can PM me.
We do want to keep Huisun on-side, after all, we're not aiming to enable paid-for locked features, just aiming to make best use of the camera.
This is the /home/config area.
In there are various types of files - those related to user-defined configuration settings, those related to default values, those relating to the camera hardware, written during manufacturing and holding items such as sensor bad pixel map, serial number, MAC address, model code etc - and the sensor installed.
The file of interest for the sensor is config_hw.ini
Code: 
alastair@PC-I5 ~ $ telnet 192.168.1.131 3232
Trying 192.168.1.131...
Connected to 192.168.1.131.
Escape character is '^]'.

Ambarella login: root
Password: 
# cd /home/config
# ls -al
total 532
drwxr-xr-x    4 root     root             0 Jul 23 17:04 .
drwxr-xr-x    4 root     root             0 Jul 23 02:42 ..
-rwsr-sr-t    1 root     root        276480 Apr  7 13:17 badpixel_1080P.bin
-rwxr--r--    1 root     root          7359 Jun 25  2015 boa.conf
-rwxrw-r--    1 root     root           409 Oct 14  2015 capability
-rw-r--r--    1 root     root          1641 Jan  8  1970 config_hw.ini
-rw-r--r--    1 root     root         17129 Jul 23 17:04 config_media.ini
-rwxrw-r--    1 root     root         15904 Mar  1 17:07 config_media_130w.ini
-rwxrw-r--    1 root     root         15816 Mar  1 17:07 config_media_200w.ini
-rwxrw-r--    1 root     root         15811 Mar  1 17:07 config_media_ov4689_200w.ini
-rwxrw-r--    1 root     root         15804 Mar  1 17:07 config_media_ov4689_400w.ini
-rw-r--r--    1 root     root          2760 Jul 20 23:52 config_net.ini
-rw-r--r--    1 root     root         18489 Jan  1  1970 config_onvif.ini
-rw-r--r--    1 root     root            99 Apr  7 13:15 config_strange.ini
-rw-r--r--    1 root     root            99 Jul 23 03:00 config_time.ini
drwxr-xr-x    2 root     root             0 Jan  1  1970 default
-rw-------    1 root     root        101008 Jul 23 18:03 dome_setting.bin
-rwxrwxr-x    1 root     root         37168 Mar  3 18:31 hwconf_server
-rwxrw-r--    1 root     root          1775 Oct 19  2015 ipnc.pem
-rw-r--r--    1 root     root          3072 Jun 20 14:59 ptz_preset_value.bin
-rw-------    1 root     root          6528 Jan  1  1970 ptz_sequence_value.bin
-rw-r--r--    1 root     root           270 Jan  8  1970 qrcode.png
-rwxrw-r--    1 root     root           134 Oct 19  2015 stunnel.conf
-rwxrw-r--    1 root     root          1050 Jan  7  2016 tinyproxy.conf
drwxrwxr-x    2 root     root             0 Mar  3 18:31 upgrade
# cat config_hw.ini
;fixed feature
[mac]                                            
macaddr                        = 58:04:CB:10:C2:D3

checkcode                      = 9689d10aa375fca039eda9414ca5596fcd0b652b
[product]                                        
factoryid                      = 10C2D35702515B63CD
model                          =                
inner_model                    = PCS022C0010AIDAD0A0000
[watchdog]                                       
watchdog                       = 5              

[hardware]                                       
videoin                        = 1              
videoout                       = 0              
audioin                        = 0              
audioout                       = 0              
alarmin                        = 0              
alarmout                       = 0              
comnum                         = 0              
multicam                       = 0              
rotate                         = 0              
peertype                       = 2001           

;---------
alarmsync                      = 1              
rs485                          = 1              
ptzctrl                        = 1              
;-----------
sensor                         = imx122         
lens                           = 3001           ;XXYY XX(zoom) YY(index)  3000 3001 2000 3001 1000 1001 300 301 100 101

[focus]                                          
type                           = 0              ;0 - iris + focus , 1 - only focus , 2 - nothing       
zoomlist                       = 10,40,80,120,160,0,0,0,0,0,0,0,0,0,0,0;size must be 16,0 means invalid.  
#
Check out the value in the line marked 'sensor'. In this case it's imx122
Remembering that the camera I'm connected to was @pozzello 's, which was bricked by a firmware update, and recovered, the observant among you may ask 'Why does it say imx122?'
Good question.
The answer is that the camera was recovered by applying a copy of mtdblock4 that @pozzello provided from his working camera. So this one is now a clone. @pozzello - this implies that the camera you grabbed mtdblock4 from has an imx122 sensor. Do you agree?
And that the bricked one was purchased in a time frame that covered the use of the imx122.

It will be of interest if others could do this check and we can reach a concensus that it works and is vaid.

Now a word about backups - and not just your configuration backups -
OK - so in case I brick the camera in future, how can I back up the flash contents for possible recovery?
That's pretty straightforward. With telnet access, the entire flash storage can be dumped as a backup by taking copies of mtdblock0-4
It's not necessary to have an SMB/CIFS or NFS share on your network, this can conveniently be done using tftp to send the files to a tftp server.
For a Windows PC, an old but good tftp server is the Jounin one here : http://www.jounin.net/tftpd32.html
Here is a session transcript of how to extract the mtdblocks from the camera.
We are using /tmp as the temporary area as it's in RAM and there should be enough space for the 16MB extract.
If there isn't enough space, mounting an NFS share would eliminate that problem.
Code: 
alastair@PC-I5 ~ $ telnet 192.168.1.131 3232
Trying 192.168.1.131...
Connected to 192.168.1.131.
Escape character is '^]'.

Ambarella login: root
Password: 
# df
Filesystem                Size      Used Available Use% Mounted on
/dev/root                13.9M     13.1M    896.0K  94% /
devtmpfs                 60.3M         0     60.3M   0% /dev
tmpfs                    60.4M      4.0K     60.4M   0% /tmp
tmpfs                    60.4M         0     60.4M   0% /dev/shm
tmpfs                    60.4M     60.0K     60.3M   0% /run
none                     60.4M     10.2M     50.2M  17% /ipnc
none                      4.0M         0      4.0M   0% /ipnc/snapshot
none                      2.0M     20.0K      2.0M   1% /ipnc/log
none                      5.0M         0      5.0M   0% /ipnc/ringbuf
# dd if=/dev/mtdblock0 of=/tmp/mtdblock0
128+0 records in
128+0 records out
65536 bytes (64.0KB) copied, 0.016249 seconds, 3.8MB/s
# dd if=/dev/mtdblock1 of=/tmp/mtdblock1
384+0 records in
384+0 records out
196608 bytes (192.0KB) copied, 0.054247 seconds, 3.5MB/s
# dd if=/dev/mtdblock2 of=/tmp/mtdblock2
128+0 records in
128+0 records out
65536 bytes (64.0KB) copied, 0.015964 seconds, 3.9MB/s
# dd if=/dev/mtdblock3 of=/tmp/mtdblock3
3456+0 records in
3456+0 records out
1769472 bytes (1.7MB) copied, 0.488210 seconds, 3.5MB/s
# cd /tmp
# ls -al
total 2052
drwxrwxrwt    2 root     root           140 Jul 23 23:52 .
drwxr-xr-x   20 root     root             0 Jan  1  1970 ..
-rw-r--r--    1 root     root         65536 Jul 23 23:51 mtdblock0
-rw-r--r--    1 root     root        196608 Jul 23 23:51 mtdblock1
-rw-r--r--    1 root     root         65536 Jul 23 23:51 mtdblock2
-rw-r--r--    1 root     root       1769472 Jul 23 23:52 mtdblock3
-rw-r--r--    1 root     root            23 Jul 23 23:49 resolv.conf
# tftp -p -l mtdblock0 192.168.1.21
mtdblock0            100% |*******************************| 65536   0:00:00 ETA
# tftp -p -l mtdblock1 192.168.1.21
mtdblock1            100% |*******************************|   192k  0:00:00 ETA
# tftp -p -l mtdblock2 192.168.1.21
mtdblock2            100% |*******************************| 65536   0:00:00 ETA
# tftp -p -l mtdblock3 192.168.1.21
mtdblock3            100% |*******************************|  1728k  0:00:00 ETA
# rm mtdblock*
# dd if=/dev/mtdblock4 of=/tmp/mtdblock4
28544+0 records in
28544+0 records out
14614528 bytes (13.9MB) copied, 4.074778 seconds, 3.4MB/s
# tftp -p -l mtdblock4 192.168.1.21
mtdblock4            100% |*******************************| 14272k  0:00:00 ETA
# rm mtdblock*
# ls -al
total 4
drwxrwxrwt    2 root     root            60 Jul 23 23:53 .
drwxr-xr-x   20 root     root             0 Jan  1  1970 ..
-rw-r--r--    1 root     root            23 Jul 23 23:49 resolv.conf
# echo "that was easy!"
that was easy!
#
Click to expand...

I managed to extract file from mini PTZ v2 , the procedure outlined by Mr. alastairstevenson ,by tftp.
It is very simple, if you read carefully said by Mr. alastairstevenson
mtdblok0 , mtdblok1 , mtdblok2 , mtdblok3 , mtdblok4, ...... it is necessary for recovery after a bad firmware,
mtdbok4 especially needed for recovery.
 
So I've finally gotten around to trying this out on my V1 10X.....

I'm getting a " sensor = ar0130 "......Which, of course, is not Sony, but an Aptina brand 1.2mp sensor. Very strange, considering these were supposed to have Sony IMX sensors. Anyone else gotten that result?

By the way, any easy instructions to go about transferring to my hard drive on Windows? I know very little about Linux and am getting way confused with the TFTP thing. With Hikvision, it's just a matter of adding a directory on my hard drive as a storage place (NAS) on the web browser user interface of the camera and then it shows up as a location when I telnet into the computer to which I can copy files to and from.
 
So I've finally gotten around to trying this out on my V1 10X
Click to expand...
The firmware operates differently on the V1, I don't have one so had no chance to see how you'd figure the sensor info.

By the way, any easy instructions to go about transferring to my hard drive on Windows?
Click to expand...
Easy enough to a NAS with an NFS share, a bit more variable and fiddly with Windows and an SMB/CIFS share.
But - create a suitable user/password, share out a folder and give that user (or everyone) write permissions:

If you have a NAS with an NFS share:
mount -t nfs -o nolock NAS_IP_address:/NFS_sharename /mnt
If that works, you can just 'cp' the files to /mnt

If you have a NAS or PC with a CIFS/SMB share:
mount -t cifs PC_IP_address/sharename -o username=camuser,password=camuserpassword /mnt
If that works, you can just 'cp' the files to /mnt

But tftp is pretty easy, for almost a one-off activity.

*edit* Looks like I had -f instead of -t (for type) for the CIFS mount. Careless ...
 
Last edited by a moderator:
@alastairstevenson - dito, i need the "Ambarella login:" passwort for user root!
Website of my cerma says "User's name is not exist" no matter what i enter.
You you please PN me the password? thanks!
 
Yes, that saved my life!
my admin-password ended with a ";"
i just found out that the login mechanism is broken if that char (and maybe others?) are at the end.
website says then: "user is not exisit"
i was able to change my pw in /home/config/*net.conf

how did you found out the password? guessing?
i tried som by myself but i was giving up after 50 or so..

thanks so much!
 
Well done for figuring that out, and fixing it.
The telnet password was easily cracked with an optimised brute-force attack, as most of the root passwords can be in IP camera firmware.
I don't know how many guesses there would have been, maybe a couple of billion.
In effect, most default passwords are open for inspection by the world.
With the exception of Hikvision (and I don't know about Dahua), who have customised the security somewhat.
 
TrailRider said:
Also are these 5V TTL level 115,200 baud 8 bit no parity?
Click to expand...
As far as I know - the very common PL2303HX-based USB to TTL serial convertors are wired for 3.3v operation, and all the ones I've used work OK without using any power connection.
Yes to 115,200 baud 8 bits no parity.
TrailRider said:
Would you be so kind as to PM me the root PW.
Click to expand...
Done.
 
  • Like
Reactions: Astaros
I was sent a new board for a mini PTZ v2 after it failed from a bad POE board supply failing voltages.
After replacing the POE board with a new POE adapter, everything works well except the PTZ would only rotate about 180 degrees.
After several firmware upgrades the problem still exists so I am now planning to telnet into the camera and see if this can be corrected.
I would also like to activate the snapshot ability as found in another thread. (yes a lot of reading to this point)

Can someone please PM me the telnet root password ?

Thanks,
 
You must log in or register to reply here.
Top Bottom