How to (Mini PTZ V2) - find which sensor, and backup the system.

akrypth · Aug 17, 2016

Thank´s a lot - now I´m able to access my HUISUN sd-card via ftp

Alex

alastairstevenson · Aug 17, 2016

Excellent!

vasycara · Aug 17, 2016

alastairstevenson said:
*edit* This proposed method for figuring the sensor may not be accurate - see post #6 and later.
It's looking like Huisun are not necessarily programming correct info in the sensor line of config_hw.ini
But there may be another similar way - keep reading!

This is aimed at helping out over the uncertainty of the
"What sensor is in my Mini PTZ V2' and will it brick if I upgrade with the new firmware?"
quandary.
We know that following the shortage of IMX322 sensors following the Japanese earthquake, Huisun manufactured some Mini PTZ V2 with the IMX122 sensor.
We also know from posts on here that some V2s with the other sensor were bricked when updating with some new firmware.
And it seems that the ordering / delivery timing isn't a reliable way to determine what sensor may be installed.
So this post is aimed at gathering enough info from members that maybe a sticky can be created and maintained about what works with what and what doesn't.
And to protect against any future accidents - it would be good to have a recovery backup.

So how can I find out what sensor is in my Mini PZT V2? @pozzello has already posted about this, but to recap here is how I believe it's possible:
With your favourite telnet client (PuTTY or Linux or Windows telnet) start a telnet session to port 3232 on your Mini PTZ V2.
Rather than expose Huisun's not-very-well-protected root password, those interested can PM me.
We do want to keep Huisun on-side, after all, we're not aiming to enable paid-for locked features, just aiming to make best use of the camera.
This is the /home/config area.
In there are various types of files - those related to user-defined configuration settings, those related to default values, those relating to the camera hardware, written during manufacturing and holding items such as sensor bad pixel map, serial number, MAC address, model code etc - and the sensor installed.
The file of interest for the sensor is config_hw.ini

Code:

alastair@PC-I5 ~ $ telnet 192.168.1.131 3232 Trying 192.168.1.131... Connected to 192.168.1.131. Escape character is '^]'. Ambarella login: root Password: # cd /home/config # ls -al total 532 drwxr-xr-x 4 root root 0 Jul 23 17:04 . drwxr-xr-x 4 root root 0 Jul 23 02:42 .. -rwsr-sr-t 1 root root 276480 Apr 7 13:17 badpixel_1080P.bin -rwxr--r-- 1 root root 7359 Jun 25 2015 boa.conf -rwxrw-r-- 1 root root 409 Oct 14 2015 capability -rw-r--r-- 1 root root 1641 Jan 8 1970 config_hw.ini -rw-r--r-- 1 root root 17129 Jul 23 17:04 config_media.ini -rwxrw-r-- 1 root root 15904 Mar 1 17:07 config_media_130w.ini -rwxrw-r-- 1 root root 15816 Mar 1 17:07 config_media_200w.ini -rwxrw-r-- 1 root root 15811 Mar 1 17:07 config_media_ov4689_200w.ini -rwxrw-r-- 1 root root 15804 Mar 1 17:07 config_media_ov4689_400w.ini -rw-r--r-- 1 root root 2760 Jul 20 23:52 config_net.ini -rw-r--r-- 1 root root 18489 Jan 1 1970 config_onvif.ini -rw-r--r-- 1 root root 99 Apr 7 13:15 config_strange.ini -rw-r--r-- 1 root root 99 Jul 23 03:00 config_time.ini drwxr-xr-x 2 root root 0 Jan 1 1970 default -rw------- 1 root root 101008 Jul 23 18:03 dome_setting.bin -rwxrwxr-x 1 root root 37168 Mar 3 18:31 hwconf_server -rwxrw-r-- 1 root root 1775 Oct 19 2015 ipnc.pem -rw-r--r-- 1 root root 3072 Jun 20 14:59 ptz_preset_value.bin -rw------- 1 root root 6528 Jan 1 1970 ptz_sequence_value.bin -rw-r--r-- 1 root root 270 Jan 8 1970 qrcode.png -rwxrw-r-- 1 root root 134 Oct 19 2015 stunnel.conf -rwxrw-r-- 1 root root 1050 Jan 7 2016 tinyproxy.conf drwxrwxr-x 2 root root 0 Mar 3 18:31 upgrade # cat config_hw.ini ;fixed feature [mac] macaddr = 58:04:CB:10:C2:D3 checkcode = 9689d10aa375fca039eda9414ca5596fcd0b652b [product] factoryid = 10C2D35702515B63CD model = inner_model = PCS022C0010AIDAD0A0000 [watchdog] watchdog = 5 [hardware] videoin = 1 videoout = 0 audioin = 0 audioout = 0 alarmin = 0 alarmout = 0 comnum = 0 multicam = 0 rotate = 0 peertype = 2001 ;--------- alarmsync = 1 rs485 = 1 ptzctrl = 1 ;----------- sensor = imx122 lens = 3001 ;XXYY XX(zoom) YY(index) 3000 3001 2000 3001 1000 1001 300 301 100 101 [focus] type = 0 ;0 - iris + focus , 1 - only focus , 2 - nothing zoomlist = 10,40,80,120,160,0,0,0,0,0,0,0,0,0,0,0;size must be 16,0 means invalid. #

Check out the value in the line marked 'sensor'. In this case it's imx122
Remembering that the camera I'm connected to was @pozzello 's, which was bricked by a firmware update, and recovered, the observant among you may ask 'Why does it say imx122?'
Good question.
The answer is that the camera was recovered by applying a copy of mtdblock4 that @pozzello provided from his working camera. So this one is now a clone. @pozzello - this implies that the camera you grabbed mtdblock4 from has an imx122 sensor. Do you agree?
And that the bricked one was purchased in a time frame that covered the use of the imx122.

It will be of interest if others could do this check and we can reach a concensus that it works and is vaid.

Now a word about backups - and not just your configuration backups -
OK - so in case I brick the camera in future, how can I back up the flash contents for possible recovery?
That's pretty straightforward. With telnet access, the entire flash storage can be dumped as a backup by taking copies of mtdblock0-4
It's not necessary to have an SMB/CIFS or NFS share on your network, this can conveniently be done using tftp to send the files to a tftp server.
For a Windows PC, an old but good tftp server is the Jounin one here : http://www.jounin.net/tftpd32.html
Here is a session transcript of how to extract the mtdblocks from the camera.
We are using /tmp as the temporary area as it's in RAM and there should be enough space for the 16MB extract.
If there isn't enough space, mounting an NFS share would eliminate that problem.

Code:

alastair@PC-I5 ~ $ telnet 192.168.1.131 3232 Trying 192.168.1.131... Connected to 192.168.1.131. Escape character is '^]'. Ambarella login: root Password: # df Filesystem Size Used Available Use% Mounted on /dev/root 13.9M 13.1M 896.0K 94% / devtmpfs 60.3M 0 60.3M 0% /dev tmpfs 60.4M 4.0K 60.4M 0% /tmp tmpfs 60.4M 0 60.4M 0% /dev/shm tmpfs 60.4M 60.0K 60.3M 0% /run none 60.4M 10.2M 50.2M 17% /ipnc none 4.0M 0 4.0M 0% /ipnc/snapshot none 2.0M 20.0K 2.0M 1% /ipnc/log none 5.0M 0 5.0M 0% /ipnc/ringbuf # dd if=/dev/mtdblock0 of=/tmp/mtdblock0 128+0 records in 128+0 records out 65536 bytes (64.0KB) copied, 0.016249 seconds, 3.8MB/s # dd if=/dev/mtdblock1 of=/tmp/mtdblock1 384+0 records in 384+0 records out 196608 bytes (192.0KB) copied, 0.054247 seconds, 3.5MB/s # dd if=/dev/mtdblock2 of=/tmp/mtdblock2 128+0 records in 128+0 records out 65536 bytes (64.0KB) copied, 0.015964 seconds, 3.9MB/s # dd if=/dev/mtdblock3 of=/tmp/mtdblock3 3456+0 records in 3456+0 records out 1769472 bytes (1.7MB) copied, 0.488210 seconds, 3.5MB/s # cd /tmp # ls -al total 2052 drwxrwxrwt 2 root root 140 Jul 23 23:52 . drwxr-xr-x 20 root root 0 Jan 1 1970 .. -rw-r--r-- 1 root root 65536 Jul 23 23:51 mtdblock0 -rw-r--r-- 1 root root 196608 Jul 23 23:51 mtdblock1 -rw-r--r-- 1 root root 65536 Jul 23 23:51 mtdblock2 -rw-r--r-- 1 root root 1769472 Jul 23 23:52 mtdblock3 -rw-r--r-- 1 root root 23 Jul 23 23:49 resolv.conf # tftp -p -l mtdblock0 192.168.1.21 mtdblock0 100% |*******************************| 65536 0:00:00 ETA # tftp -p -l mtdblock1 192.168.1.21 mtdblock1 100% |*******************************| 192k 0:00:00 ETA # tftp -p -l mtdblock2 192.168.1.21 mtdblock2 100% |*******************************| 65536 0:00:00 ETA # tftp -p -l mtdblock3 192.168.1.21 mtdblock3 100% |*******************************| 1728k 0:00:00 ETA # rm mtdblock* # dd if=/dev/mtdblock4 of=/tmp/mtdblock4 28544+0 records in 28544+0 records out 14614528 bytes (13.9MB) copied, 4.074778 seconds, 3.4MB/s # tftp -p -l mtdblock4 192.168.1.21 mtdblock4 100% |*******************************| 14272k 0:00:00 ETA # rm mtdblock* # ls -al total 4 drwxrwxrwt 2 root root 60 Jul 23 23:53 . drwxr-xr-x 20 root root 0 Jan 1 1970 .. -rw-r--r-- 1 root root 23 Jul 23 23:49 resolv.conf # echo "that was easy!" that was easy! #

I managed to extract file from mini PTZ v2 , the procedure outlined by Mr. alastairstevenson ,by tftp.
It is very simple, if you read carefully said by Mr. alastairstevenson
mtdblok0 , mtdblok1 , mtdblok2 , mtdblok3 , mtdblok4, ...... it is necessary for recovery after a bad firmware,
mtdbok4 especially needed for recovery.

wxman · Sep 16, 2016

So I've finally gotten around to trying this out on my V1 10X.....

I'm getting a " sensor = ar0130 "......Which, of course, is not Sony, but an Aptina brand 1.2mp sensor. Very strange, considering these were supposed to have Sony IMX sensors. Anyone else gotten that result?

By the way, any easy instructions to go about transferring to my hard drive on Windows? I know very little about Linux and am getting way confused with the TFTP thing. With Hikvision, it's just a matter of adding a directory on my hard drive as a storage place (NAS) on the web browser user interface of the camera and then it shows up as a location when I telnet into the computer to which I can copy files to and from.

alastairstevenson · Sep 16, 2016

So I've finally gotten around to trying this out on my V1 10X

The firmware operates differently on the V1, I don't have one so had no chance to see how you'd figure the sensor info.

By the way, any easy instructions to go about transferring to my hard drive on Windows?

Easy enough to a NAS with an NFS share, a bit more variable and fiddly with Windows and an SMB/CIFS share.
But - create a suitable user/password, share out a folder and give that user (or everyone) write permissions:

If you have a NAS with an NFS share:
mount -t nfs -o nolock NAS_IP_address:/NFS_sharename /mnt
If that works, you can just 'cp' the files to /mnt

If you have a NAS or PC with a CIFS/SMB share:
mount -t cifs PC_IP_address/sharename -o username=camuser,password=camuserpassword /mnt
If that works, you can just 'cp' the files to /mnt

But tftp is pretty easy, for almost a one-off activity.

*edit* Looks like I had -f instead of -t (for type) for the CIFS mount. Careless ...

s.decken · Sep 23, 2016

@alastairstevenson - sorry for posting in here instead PM, but I'm new here and have no PM permission - yet.

could you please send via PM the root-password?

Thanks in advance!

trisse · Oct 31, 2016

@alastairstevenson - dito, i need the "Ambarella login:" passwort for user root!
Website of my cerma says "User's name is not exist" no matter what i enter.
You you please PN me the password? thanks!

alastairstevenson · Oct 31, 2016

Done.
Be careful!

trisse · Oct 31, 2016

Yes, that saved my life!
my admin-password ended with a ";"
i just found out that the login mechanism is broken if that char (and maybe others?) are at the end.
website says then: "user is not exisit"
i was able to change my pw in /home/config/*net.conf

how did you found out the password? guessing?
i tried som by myself but i was giving up after 50 or so..

thanks so much!

alastairstevenson · Oct 31, 2016

Well done for figuring that out, and fixing it.
The telnet password was easily cracked with an optimised brute-force attack, as most of the root passwords can be in IP camera firmware.
I don't know how many guesses there would have been, maybe a couple of billion.
In effect, most default passwords are open for inspection by the world.
With the exception of Hikvision (and I don't know about Dahua), who have customised the security somewhat.

AsX · Oct 31, 2016

Can somebody PM me telnet root password?

alastairstevenson · Oct 31, 2016

Not yet - as you don't have the requisite 5 posts minimum requirement ...

TrailRider · Dec 25, 2016

@alastairstevenson Would you be so kind as to PM me the root PW. I have a bricked Huisun X10 V2 I am going to try a TTL interface to.
Also are these 5V TTL level 115,200 baud 8 bit no parity?

alastairstevenson · Dec 26, 2016

TrailRider said:
Also are these 5V TTL level 115,200 baud 8 bit no parity?

As far as I know - the very common PL2303HX-based USB to TTL serial convertors are wired for 3.3v operation, and all the ones I've used work OK without using any power connection.
Yes to 115,200 baud 8 bits no parity.

TrailRider said:
Would you be so kind as to PM me the root PW.

Done.

TrailRider · Dec 26, 2016

@alastairstevenson Thank you for your help. I am new to working on IP cameras, so I probably know just enough to be considered a menace to society

autochampion · Aug 14, 2017

Please root password. Please...

EyePeeKamz · Aug 16, 2017

Can I get the password too?

Thanx in advance!

sumett · Nov 30, 2017

Hello!

I want to make a backup copy of my system.

Please share the telnet password

bzzeke · Jan 14, 2018

Hi, could you share a telnet root password with me?

Thanks,

lumen0 · Apr 17, 2018

I was sent a new board for a mini PTZ v2 after it failed from a bad POE board supply failing voltages.
After replacing the POE board with a new POE adapter, everything works well except the PTZ would only rotate about 180 degrees.
After several firmware upgrades the problem still exists so I am now planning to telnet into the camera and see if this can be corrected.
I would also like to activate the snapshot ability as found in another thread. (yes a lot of reading to this point)

Can someone please PM me the telnet root password ?

Thanks,

Search

How to (Mini PTZ V2) - find which sensor, and backup the system.

akrypth

n3wb

alastairstevenson

vasycara

Getting the hang of it

wxman

Pulling my weight

alastairstevenson

s.decken

n3wb

trisse

n3wb

alastairstevenson

trisse

n3wb

alastairstevenson

AsX

n3wb

alastairstevenson

TrailRider

n3wb

alastairstevenson

TrailRider

n3wb

autochampion

n3wb

EyePeeKamz

Young grasshopper

sumett

n3wb

bzzeke

n3wb

lumen0

n3wb