News:

Re-organized the forum to more cleanly delineate the development section, as the end user support side appears to have taken a life of its own!

Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.


Messages - VorlonFrog

Pages: [1] 2
1
Hacking & Modding / Re: 3516C IMX322 X 6.1.6.1 password
« on: August 27, 2016, 09:24:19 am »
try  root:xmhdipc

2
Firmware / Re: XMeye Hi3518E-based camera module
« on: September 06, 2015, 11:56:40 am »
Best / most humorous string found inside the executable file /usr/bin/Sofia :

Sorry, there are legal restrictions on arithmetic coding



3
Firmware / Re: XMeye Hi3518E-based camera module
« on: August 10, 2015, 09:54:10 am »
Thanks again for the always-helpful information, Don. 8) After re-defining IE security settings and establishing "local config" settings using their web page, I was able to save a bitmap image file to my local hard drive in the specified directory.

I spent some time reviewing the NetSurveillance.OCX ActiveX object yesterday. The Online Disassembler identified it as compressed code in the PECompact 2.0 format. Uncompressing the OCX yielded the underlying code for reverse engineering.  Together with Wireshark captures of the TCP/IP communications between IE and the camera, it should be possible to determine what else might be possible. ;)

5
Firmware / Re: XMeye Hi3518E-based camera module
« on: August 09, 2015, 12:59:51 pm »
No false hopes here, just optimistic hacking.  If you browse the URL <camera IP>:<camera port>/index.htm after logging into the camera, you'll receive a toolbar across the bottom of the screen, where the fifth option is 'snapshot'.  Here are the lines of HTML code behind that button:

<div style="margin: 0 0 0 5px;">
    <a title='snap' id='snap' class="p8" href="javascript:;" onclick='ocx.BMPCapturePicture("C:\\BMP")'>
    </a>
</div>


This is a call to their ActiveX module, which immediately returns a failure/error response. Unfortunately, it doesn't explain WHY it failed, but I presume they've removed the BMPCapturePicture() code from their ActiveX object.  Also, who stores a BMP file when PNG and JPG are so much more effective?


6
Firmware / Re: XMeye Hi3518E-based camera module
« on: August 09, 2015, 08:15:01 am »
Xiong Mai elects not to support JPEG snapshots, but Foscam does (using larger NAND flash ram and DRAM sizes) and there is a HiSilicon JPEG encoder kernel module loaded. 

Module                  Size  Used by
hi3518_jpege           48265  1

Submitting this module to the Online Disassembler provided a peek inside.  The Sofia program is too large to submit to the ODA, but I'd wager there are callouts from Sofia's 'snap' functionality to this JPEG Encoder kernel module, and they will illustrate its use to generate JPEG snapshot files.

7
Firmware / Re: XMeye Hi3518E-based camera module
« on: August 08, 2015, 03:52:28 pm »
I went digging through the SDK directories, and found there are two separate sets of drivers for the imaging:

/Hi3518_SDK_V1.0.7.0/mpp
/Hi3518_SDK_V1.0.7.0/mpp2

These represent old and new interfaces from HiSilicon, as described in their image processing documents (attached).  Unfortunately, they don't lead any closer to grabbing a JPEG snapshot from the sensor (yet).

8
Firmware / Re: XMeye Hi3518E-based camera module
« on: August 08, 2015, 09:47:35 am »

/usr/lib/modules/load3518 performs the following commands for the OV9712 image sensor:

        ov9712|soih22|ov2710)
            himm 0x20030030 0x1;              #Sensor clock 24 MHz
            insmod extdrv/ssp_ad9020.ko;;



0x20030030 is the memory location of the video sensor clock rate. 
For other models of sensors, these are the clock rate values:

            himm 0x20030030 0x1;              # Sensor clock 24 MHz
            himm 0x20030030 0x5;              # Sensor clock 27 MHz
            himm 0x20030030 0x6;              # Sensor clock 37.125 MHz
            himm 0x2003002c 0x6a;             # VI input associated clock phase reversed



/usr/lib/modules/clkcfg_hi3518.sh reveals these memory locations:

            himm 0x2003002c 0x2a;           # VICAP, ISP unreset & clock enable
            himm 0x20030034 0x510;          # VDP  unreset & HD clock enable
            himm 0x20030040 0x2;            # VEDU unreset
            himm 0x20030048 0x2;            # VPSS unreset, code also config
            himm 0x20030058 0x2;            # TDE  unreset
            himm 0x20030060 0x2;            # JPEG unreset
            himm 0x20030068 0x2;            # MDU  unreset



/usr/lib/modules/lowpower.sh reveals these memory locations:

            himm 0x20050080 0x000121a8      # USB PHY [12]bit
            himm 0x20050084 0x005d2188      # USB PHY [22]bit
            himm 0x200300D0 0x5             # NANDC
            himm 0x200f00c8 0x1             # NANDC gpio
            himm 0x200f00cc 0x1
            himm 0x200f00d0 0x1
            himm 0x200f00d4 0x1
            himm 0x200f00d8 0x1
            himm 0x200f00dc 0x1
            himm 0x200f00e0 0x1
            himm 0x200f00e4 0x1
            himm 0x200f00e8 0x1
            himm 0x200f00ec 0x1
            himm 0x200f00f4 0x1
            himm 0x200f00f8 0x1
            himm 0x20030080 0x1             # SAR ADC
            himm 0x200b0008 0x1             # SAR ADC
            himm 0x20030038 0x2             # PWM
            himm 0x20070000 0x0             # IR
            himm 0x200f00c4 0x1             # IR gpio
            himm 0x200A0030 0x0             # UART2 [9][8][0]bit
            himm 0x200f0108 0x0             # UART2 gpio
            himm 0x200f010c 0x0             # UART2 gpio
            himm 0x200C0004 0x7F00          # SPI0
            himm 0x200E0004 0x7F00          # SPI1
            himm 0x200f000c 0x0             # SPI0 gpio
            himm 0x200f0010 0x0
            himm 0x200f0014 0x0
            himm 0x200f0110 0x0             # SPI1 gpio
            himm 0x200f0114 0x0
            himm 0x200f0118 0x0
            himm 0x200f011c 0x0


9
Firmware / Re: XMeye Hi3518E-based camera module
« on: August 08, 2015, 08:41:53 am »
Continuing with the Linux startup sequencing...

Here are the relevant lines from /etc/inittab, the BusyBox startup configuration file. Notice they've disabled the 'dnode' script, because they've embedded a call to it within the /etc/init.d/rcS startup script. They also create a root shell on the serial console port ttyS000. 

#::sysinit:/etc/init.d/dnode
::sysinit:/etc/init.d/rcS
::respawn:/sbin/getty -L ttyS000 115200 vt100 -n root -I "Auto login as root ..."
::restart:/sbin/init
::ctrlaltdel:/sbin/reboot
::shutdown:/bin/umount -a -r
::shutdown:/sbin/swapoff -a



And here is the script /etc/init.d/rcS which brings up the system.  They start the udev software, mount the file systems from MTD flash ram, load additional kernel modules, and begin starting daemon processes. The final action performed is to load/start the Sofia camera executable.

#! /bin/sh

/etc/init.d/dnode

udevd --daemon
udevstart

mount -t squashfs /dev/mtdblock2 /usr
mount -t squashfs /dev/mtdblock3 /mnt/web
mount -t squashfs /dev/mtdblock4 /mnt/custom
mount -t jffs2 /dev/mtdblock5 /mnt/mtd

mount -t ramfs  /dev/mem        /var/
mkdir -p /var/tmp
mount -t ramfs  /dev/mem2       /utils
mount -t usbfs usbfs /proc/bus/usb/

mkdir -p /mnt/mtd/Config /mnt/mtd/Log /mnt/mtd/Config/ppp /mnt/mtd/Config/Json
if [ -f /mnt/mtd/Config/ppp/3gdigal ]; then
        chmod 777 /mnt/mtd/Config/ppp/3gdigal
fi

/usr/etc/loadmod
netinit
cp /bin/upgraded /utils/ -f
/utils/upgraded &
telnetd &
sysinit &
searchIp &
wlandaemon &
route_switch &

/bin/pppd pty /etc/ppp/pppoe-start file /etc/ppp/pppoe-options &
if [ -f /mnt/custom/extapp.sh ];then
        /mnt/custom/extapp.sh &
fi
dvrHelper /lib/modules /usr/bin/Sofia 127.0.0.1 9578 1 &



Here's the script /usr/lib/modules/loadmod  It calls /usr/lib/modules/load3518, a lengthy shell script that installs/removes all the necessary kernel modules. In this case, it loads the OV9712 sensor module.  It can also load modules for an AR0130 sensor instead.  Then it calls /usr/etc/loadpublic, which loads the USB wireless network module.  This script loads any of the RT3070, 8188EU, MT7601U, or AW8733A modules, if they are present in the file system.

./load3518 -i ov9712
himm 0x200f00bc 0x00

insmod mb88347.ko

. /usr/etc/loadpublic

himm  0x20050068  0x50002c2c
cd /


After working through this exercise of tracing the system startup, it's evident they're bit-banging several memory locations of the Hi3518E SoC.  It will be interesting to investigate/map all of these calls to the 'himm' executable, mainly because they've commented many of them to indicate exactly which hardware interfaces are being impacted.

10
Firmware / Re: XMeye Hi3518E-based camera module
« on: August 08, 2015, 07:08:27 am »
I'm not certain what any of that has to do with 'Firmware', but nevertheless...

hi3518_base            43364 19 hi3518_adec, hi3518_aenc, hi3518_ao, hi3518_ai, hi3518_sio, hi3518_vda,
                                hi3518_region, hi3518_rc, hi3518_jpege, hi3518_h264e, hi3518_chnl,
                                hi3518_group, hi3518_venc, hi3518_vpss, hi3518_isp, hi3518_viu,
                                hi3518_dsu, hi3518_sys
mmz                    19713  5 hi3518_aenc, hi3518_h264e, hi3518_tde, hi3518_base


and from the 'dmesg' output:

Hisilicon Media Memory Zone Manager
hi3518_base: module license 'Proprietary' taints kernel.
Disabling lock debugging due to kernel taint


So HiSilicon's 'mmz' module manages memory in some way, several key Hi3518 encoder kernel objects depend on it (memory mapping the OV712 CMOS sensor, probably), and then many, many other kernel objects depend on the proprietary module 'hi3518_base' to access their kernel-to-hardware interfaces.


11
Firmware / Re: XMeye Hi3518E-based camera module
« on: August 07, 2015, 08:35:45 pm »
Interesting things in the /usr/lib/modules directory are some shell scripts:

# cd /usr/lib/modules
# ls -la *.sh
-rwxr-xr-x    1 556      556           1815 Mar 17 01:44 clkcfg_hi3518.sh
-rwxr-xr-x    1 556      556           1137 Mar 17 01:44 lowpower.sh
-rwxr-xr-x    1 556      556           4115 Mar 17 01:44 pinmux_hi3518.sh
-rwxr-xr-x    1 556      556           1462 Mar 17 01:44 sysctl_hi3518.sh
#


Each of these call specialized utilities that are wrapped within the file /usr/bin/btools:

# cd /bin
# ls -la | grep btools
-rwxr-xr-x    1 556      44           12616 Jan  1  1970 btools
lrwxrwxrwx    1 556      44               6 Jan  1  1970 himc -> btools
lrwxrwxrwx    1 556      44               6 Jan  1  1970 himd -> btools
lrwxrwxrwx    1 556      44               6 Jan  1  1970 himd.l -> btools
lrwxrwxrwx    1 556      44               6 Jan  1  1970 himm -> btools
#




12
Firmware / Re: XMeye Hi3518E-based camera module
« on: August 07, 2015, 08:21:02 pm »
One of the things I like about this camera is the kernel modules are all external files, and not embedded within the kernel.  Here's a listing from directory /usr/lib/modules:


# cd /usr/lib/modules
# ls -la
drwxrwxr-x    3 556      556            734 Mar 17 01:44 .
drwxrwxr-x    3 556      556             67 Mar 17 01:44 ..
-rwxr-xr-x    1 556      556          11658 Mar 17 01:44 acodec.ko
-rwxr-xr-x    1 556      556          11401 Mar 17 01:44 at24c.ko
-rwxr-xr-x    1 556      556           5723 Mar 17 01:44 aw8733a.ko
-rwxr-xr-x    1 556      556           1815 Mar 17 01:44 clkcfg_hi3518.sh
drwxr-xr-x    2 556      556            179 Mar 17 01:44 extdrv
-rwxr-xr-x    1 556      556          11996 Mar 17 01:44 hi3518_adec.ko
-rwxr-xr-x    1 556      556          35343 Mar 17 01:44 hi3518_aenc.ko
-rwxr-xr-x    1 556      556          52436 Mar 17 01:44 hi3518_ai.ko
-rwxr-xr-x    1 556      556          49004 Mar 17 01:44 hi3518_ao.ko
-rwxr-xr-x    1 556      556          56220 Mar 17 01:44 hi3518_base.ko
-rwxr-xr-x    1 556      556          49593 Mar 17 01:44 hi3518_chnl.ko
-rwxr-xr-x    1 556      556          76550 Mar 17 01:44 hi3518_dsu.ko
-rwxr-xr-x    1 556      556          72408 Mar 17 01:44 hi3518_group.ko
-rwxr-xr-x    1 556      556         155732 Mar 17 01:44 hi3518_h264e.ko
-rwxr-xr-x    1 556      556          11957 Mar 17 01:44 hi3518_isp.ko
-rwxr-xr-x    1 556      556          44686 Mar 17 01:44 hi3518_ive.ko
-rwxr-xr-x    1 556      556          56886 Mar 17 01:44 hi3518_jpege.ko
-rwxr-xr-x    1 556      556         172805 Mar 17 01:44 hi3518_rc.ko
-rwxr-xr-x    1 556      556          57777 Mar 17 01:44 hi3518_region.ko
-rwxr-xr-x    1 556      556          20523 Mar 17 01:44 hi3518_sio.ko
-rwxr-xr-x    1 556      556          51046 Mar 17 01:44 hi3518_sys.ko
-rwxr-xr-x    1 556      556         142216 Mar 17 01:44 hi3518_tde.ko
-rwxr-xr-x    1 556      556          74372 Mar 17 01:44 hi3518_vda.ko
-rwxr-xr-x    1 556      556          86354 Mar 17 01:44 hi3518_venc.ko
-rwxr-xr-x    1 556      556         224270 Mar 17 01:44 hi3518_viu.ko
-rwxr-xr-x    1 556      556         190851 Mar 17 01:44 hi3518_vpss.ko
-rwxr-xr-x    1 556      556           9126 Mar 17 01:44 hi_rtc.ko
-rwxr-xr-x    1 556      556          18680 Mar 17 01:44 hidmac.ko
-rwxr-xr-x    1 556      556          84712 Mar 17 01:44 hifb.ko
-rwxr-xr-x    1 556      556           2547 Mar 17 01:44 hiuser.ko
-rwxr-xr-x    1 556      556           5314 Mar 17 01:44 load3518
-rwxr-xr-x    1 556      556           1137 Mar 17 01:44 lowpower.sh
-rwxr-xr-x    1 556      556          30133 Mar 17 01:44 mmz.ko
-rwxr-xr-x    1 556      556           4115 Mar 17 01:44 pinmux_hi3518.sh
-rwxr-xr-x    1 556      556           1462 Mar 17 01:44 sysctl_hi3518.sh
-rwxr-xr-x    1 556      556          10089 Mar 17 01:44 wdt.ko
#

Here's the output of lsmod which shows the inter-relationships among these modules:

# lsmod
Module                  Size  Used by
aw8733a                 1481  0
hi_rtc                  4371  0
rt3070sta             655530  0
wdt                     4229  2
hi3518_adec            15867  2
hi3518_aenc            43404  3
hi3518_ao              39007  2
hi3518_ai              41050  2
hi3518_sio             12310  3 hi3518_ao, hi3518_ai
hidmac                 13241  2 hi3518_ao, hi3518_ai
acodec                  7444  0
ssp_ad9020              4993  0
pwm                     1489  0
hi_i2c                  3792  0
hi3518_vda            172345  1
hi3518_region          51475  2
hi3518_rc             158631  1
hi3518_jpege           48265  1
hi3518_h264e          132627  1
hi3518_chnl            39893  1
hi3518_group          178678  4
hi3518_venc            77916  7 hi3518_jpege, hi3518_h264e
hi3518_vpss           208726  4
hi3518_isp              6366  4 ssp_ad9020, hi_i2c
hi3518_viu            177568  3
hi3518_dsu            129270  1
hi3518_tde            117632  1 hi3518_dsu
hi3518_sys             40801  3 hi3518_viu
hi3518_base            43364 19 hi3518_adec, hi3518_aenc, hi3518_ao, hi3518_ai, hi3518_sio, hi3518_vda,
                                hi3518_region, hi3518_rc, hi3518_jpege, hi3518_h264e, hi3518_chnl,
                                hi3518_group, hi3518_venc, hi3518_vpss, hi3518_isp, hi3518_viu,
                                hi3518_dsu, hi3518_sys
mmz                    19713  5 hi3518_aenc, hi3518_h264e, hi3518_tde, hi3518_base
#


Since they unnecessarily load the USB wifi module, we can unload it to free up some memory:

# free
              total         used         free       shared      buffers
  Mem:        38948        37692         1256            0         1580
 Swap:            0            0            0
Total:        38948        37692         1256
#
#
# rmmod rt3070sta
#
# free
              total         used         free       shared      buffers
  Mem:        38948        37056         1892            0         1580
 Swap:            0            0            0
Total:        38948        37056         1892
#


13
Firmware / Re: XMeye Hi3518E-based camera module
« on: August 06, 2015, 01:27:39 pm »
While the stock mini-camera 6510 hardware version boards produced by this manufacturer don't have a formal connector where P5 is. Some camera builders who use the 6510 camera module in their cameras which use the 6510 camera module they sell. May have added a connector for P5. In any case, even with the formal connector missing for P5. All the pins of P5 work as shown above.

Some camera builders that sell their own cameras using one of the camera modules produced by this manufacturer might not even externally expose all or any of these connections on their cameras. But that doesn't mean that you can't access or customize that camera simply because they chose not to expose those connections on the outside of their camera housings when you purchased your camera.

The P5 connector and matching cable are available from CylonG at AliExpress.com.

14
Firmware / Re: XMeye Hi3518E-based camera module
« on: August 04, 2015, 08:41:06 am »
Quote
You can also build and make your own custom Network IP Cameras by using the this Hi3518E camera module or other camera modules and boards manufactured by this same manufacturer. Which can support IR-CUT and PoE. See the links above for more details.

The possibilities are endless for designing and building your own custom Network IP Cameras using this manufacturers Network IP Camera modules and boards while doing it extremely cheap!

Don
Thanks for that extremely helpful and informational post, Don!!  I agree, these little jewels are limited not by the hardware, but only by the default firmware provided.  I'll have to grab one of the TOP-201 cams to see how the firmware differs from the bare modules available.  I understand they removed the wifi drivers in a later release of the firmware, but my OEM firmware was built in March 2015 and still includes them.

15
Firmware / Re: XMeye Hi3518E-based camera module
« on: August 03, 2015, 10:02:08 pm »
Output from /usr/bin/Sofia executable when an invalid option is entered:

# /usr/bin/Sofia --help
LibCrypto : g_cryptotype = 2
**********************************************************************
|                      SYSTEM INFO
|                 ID:           8043420004048425
|       product type:           50H10L
|            product:           HI3518E_50H10L_S39
|      video channel:           1
|      audio channel:           1
|           alarm in:           1
|          alarm out:           1
| forward video chip:           OV9712
|           DSP chip:           HI3518E
|  analog audio mode:           voice codec
|           talkback:           voice codec
|    back video chip:           no chip
|    store interface:           SDIO
|    matrix surpport:           No
| wireless interface:           USB
|    hardware encode:           encode chip
|   hardware version:           1
|    video_interface:           BNC
|      net_interface:           Ethernet
|  hardware info len:           8
**********************************************************************
LIBDVR: Complied at Mar 12 2015 10:06:50 SVN:953
LIBFVIDEO: Complied at Mar 16 2015 09:35:48 SVN:1186
LIBHICAP: Complied at Feb  4 2015 15:57:10 SVN:2311
GENERATION: 0, PRODUCTION: 2, MAIN_SERIES: 0, HYPO_SERIES: 5, OEM_TYPE: 0
SLAVE_CHIP_NUM is 0
VI_CHN_NUM_HOST_CHIP is 1
VI_CHN_NUM_PER_SLAVE_CHIP is 0
AI_CHN_NUM_HOST_CHIP is 1
AI_CHN_NUM_PER_SLAVE_CHIP is 0
======================
VIDEO_SAMPLE_CHIP_1 = 0,VIDEO_SAMPLE_CHIP_2 = 0,
HWID_MAIN_SERIES_TYPE = 0
DVR/MVR info: TOTAL_VI_CHN_NUM: 1, HDEC_CHN_NUM: 4, HVR_TOTAL_CHN_NUM: 1, VDEC_CHN_NUM: 4
AVdec - PlayDecodeInit(5413): enter
SampleSysInit enter, Feb  4 2015, 15:57:10
=>ibwlan version: 1.0.0 - Complie time Mar  5 2015 15:17:57, wpa-psk
LIBISP:50H10L: Complied at Jan 20 2015 19:16:49 SVN:61

Command not found

Here are all of the commands:

Sofia --upgrade [file]        upgrade with file 'file'
Sofia --burnHWID [id]         burn hwid
Sofia                         start the Sofia

#


Finally, running strings against /usr/bin/Sofia and searching for 'snap' reveals these embedded commands / help.  I suspect these are artifacts of some earlier snapshot functionality or maybe Hi3516 features?

snap -s show snap status
snap -d 0 set debug status[0] or [1]
snap -p path set debug path
snap -g chn path get a pic
set snap debug status:%s
set snap debug path:%s
snap
=====>>snap fps:%d
snap_%d.jpg
AVenc - %s(%d): save snap picture failed!


Pages: [1] 2