Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Messages - admin

Pages: [1] 2 3 ... 27
Site Announcements / Forum, software updates
« on: July 14, 2017, 03:20:24 am »
Updated forum software to 2.0.14, changed default template to the traditional default, as I need to work on the old template to make it compatible.

Added some boards for the XiaoMi camera range, as I have some, and will probably fiddle with them!

Xiaoyi Camera (小蚁) / Region lock fix
« on: July 14, 2017, 03:08:48 am »
From my page here -

Essentially -

Enable telnet.
Kill the watchdog, and kill the camera app.
rename the api call to check the country.

Create a folder named test on an SD card.
Create a plain text file called in that folder, and add the following bash script:

Code: [Select]
# Telnet
if [ ! -f "/etc/init.d/S88telnet" ]; then
echo "#!/bin/sh" > /etc/init.d/S88telnet
echo "telnetd &" >> /etc/init.d/S88telnet
chmod 755 /etc/init.d/S88telnet
dr=`dirname $0`
# fix bootcycle
mv $dr/ $dr/

The script will enable telnet on the camera, and then rename the script so it doesn’t run again on the next boot.

Stick the prepared card into the camera, power on, and it should reboot (twice).
If you check the open ports on the camera ip you should now see port 23 (telnet) is open.

Login with the default user/pass (as below) via telnet

User: root
Password: 1234qwer

Once telnet’d in, enter the following, line by line –

Find and kill the watchdog process

killall watch_process

Find and kill /home/cloud process so we can edit it without the watchdog watch_process restarting it

killall cloud

Change the check within /home/cloud executable to query a fake domain so it never returns a failure, then reboot.

Code: [Select]
sed -i 's|||g' /home/cloud

Hacking & Modding / Re: In over my head/dumb questions
« on: July 14, 2017, 02:13:09 am »
Really depends on the board you have, and what gpio's are available to use, and how much flash / ram (for user space software etc).

Do you have the Hi3518e SoC SDK?

You'll need the SDK to get started, and compile a rom with kernel, userfs etc
Maybe the supplier will give you a ready to use kernel/rom/userfs that you can start from.

You'll need to have a  uBoot on the board.  Hopefully will have one already, otherwise you'll also need an SPI flash programmer to program the uBoot.
You'll need to be able to setup a crosscompiler environment (suggest use Docker or similar virtualized system to setup, then you can migrate easily).
You'll need to unpack the SDK, then be able to compile kernel.
You'll need to learn how to setup rom in flash.

Suggest read the uCLinux posts from 2011 where I talk about similar things.  Its relevant, although not 100% relevant to your particular board.

Also suggest reading other peoples posts, e.g.

Good luck.

Might want to think about using something like an ESP8266 for your gimbal to control sensors, as that has wifi, and they're dirt cheap.

Firmware / Re: Hi3516 Unknown command 'root' - try 'help'
« on: June 24, 2017, 05:00:51 am »
Not an error,  you're in the bootloader - u-boot.
You need to boot past that into the OS.

Hacking & Modding / Re: H3518 / UART TxRx
« on: May 31, 2017, 01:04:49 am »

Look at the data sheet, and see what the RX / TX pins are, then follow those around the board to see if they end up anywhere accessible.

T19 / T18 according to the data sheet

Also look at this -

Help / Re: How to extract a .OV (extention) firmware file?
« on: April 17, 2017, 11:32:08 pm »
First off, you'll need to see what it is internally.

I'd start off with trying to find more info.
Common tools I would use for this are

head  filename.ov | hexdump -C
file filename.ov
strings filename.ov

OSX, Linux have those built in. Windows 10 now has bash/ Ubuntu if you enable it so will have after a bit of work. 
Otherwise a linux live ISO will be fine too.

For dev work, you really want a Mac or Linux box (I'm biased after using Windows for many years and hating it, hehe)

As an example -

Code: [Select]
head | hexdump -C
00000000  50 4b 03 04 0a 00 00 00  00 00 30 0f 91 4a 00 00  |PK........0..J..|
00000010  00 00 00 00 00 00 00 00  00 00 08 00 10 00 63 6f  ||
00000020  6e 66 69 67 73 2f 55 58  0c 00 d6 b0 f3 58 8c b0  |nfigs/UX.....X..|
00000030  f3 58 f5 01 14 00 50 4b  03 04 14 00 08 00 08 00  |.X....PK........|
00000040  56 0f 91 4a 00 00 00 00  00 00 00 00 00 00 00 00  |V..J............|
00000050  11 00 10 00 63 6f 6e 66  69 67 73 2f 2e 44 53 5f  |....configs/.DS_|
00000060  53 74 6f 72 65 55 58 0c  00 d3 b0 f3 58 d3 b0 f3  |StoreUX.....X...|
00000070  58 f5 01 14 00 ed 98 c1  6a c2 40 10 86 ff 89 39  |X.......j.@....9|
00000080  04 0a 65 8f 3d ee 13 48  b5 82 7a 5b 42 7c 82 be  |..e.=..H..z[B|..|
00000090  40 69 3d 0a 1e a4 f7 9c  7c ae 3e 9a 1b e6 b7 0a  |@i=.....|.>.....|
000000a0  31 62 4f 96 f6 ff 60 f8  20 99 99 24 97 dd 9d 00  |1bO...`. ..$....|

You'll see that my file starts with PK, so mine is a zip file (as phil katz invented zip, so zip files use his PK header, more history on that here  -

file will also tell me that though -
Code: [Select]
file Zip archive data, at least v1.0 to extract

For your OV file, you'll need to look at the header, and see if its a standard format, or its a custom format.
Its more likely to be a custom format.  Typically those will have a header with where bits are in the file, and filesize, and maybe crc's.
If you're really unlucky, its also sha1 or similar encryption on the file data.

I've written about decoding custom format files before on here, look through some of my posts on that, or on my under firmware ( )

If you post the output from  head yourovfile.ov | hexdump -C here I can take a cursory look and tell you which its likely to be.

Firmware / Re: Is there such a thing as OpenNVR firmware?
« on: April 17, 2017, 10:06:25 pm »
Not really (opennvr firmware)

What you'll need to do is get hold of the SDK for the chipset, so that you can compile a kernel and app's.
Once you have that, then you can start building firmware and flash.

Issues are that not all hardware is identical, so you will have different NAND types, flash sizes, gpio usage etc.
Not insurmountable, but you'll generally want to pick the same hardware to develop, and port to.

The SDK for the HI3615C is here -

Let me know if you have problems downloading, I can put elsewhere.

Generally speaking, you'll want to open up whatever hardware you have.  Add serial headers, and connect up serial for minimal debugging, and for more serious stuff JTAG.  Boot up the hardware, and see what it tells you.  Hopefully you'll be able to see a boot log and bootloader, and communicate with it.

Developing with just serial is viable though if the hardware isn't too locked.
i.e. hopefully the device will have an accessible bootloader, then you can flash kernels and filesystems without too many headaches.

The flash will generally contain a bootloader (don't overwrite this, otherwise you'll need to use an SPI flasher or similar to rewrite).
The bootloader will load a kernel from the flash into ram, then execute it.
The kernel will then mount a filesystem from flash, and run the OS + programs.

A BSP or SDK allows you to build a kernel and programs (BSP = board support package.  SDK = software development kit).

Thats a brief overview.

Site Announcements / DNS Updates
« on: February 21, 2017, 12:04:01 pm »
The previous DNS servers we use for the site at Peer1 appear to have gone flaky, so we've moved to using digitalocean's nameservers.

Site should be a little more stable.

Firmware / Re: To Find RX TX for Firmware Download
« on: February 10, 2017, 06:14:41 am »
Blurry photos aren't helping  ;D

What you'll need to do is lookup the datasheet for the chipset used (looks like a Hixxx device, so Hisilicon), and see what pins are the rx /tx for the chip, then trace those on the board to see if there are access points.

Looks like the bottom 5 pins are likely ones (from the IMG_1900), but you'll need to buzz out to check.

General Discussion / Re: how to open hexbin convertor hexbin.c
« on: December 01, 2016, 10:59:30 pm »
if its called hexbin.c it should be a c file.
Open with a plain text editor.

If you want to run it, you'll need to compile it first.
something like:

gcc hexbin.c -o hexbin

(on the linux box).

Windows 10 I think has some linux subpinnings now, so gcc or a similar compiler could be used.

Hacking & Modding / Re: Firmware and SSH for F-Series camera
« on: November 11, 2016, 09:08:37 am »
Use nmap to find the ip address of the camera to see what open ports there are.
Unlikely that ssh will be enabled out of the box though, or telnet.

You'll need to find an existing firmware for the box, unpack and look at the filesystem to see what the user accounts are, and see if you can work out any logins.

I've detailed work on that in the past, look through the forum for my old posts on decrypting/unpacking firmware.

You're probably on your own though, unless its a popular camera, and someone else has also done it.

The neknek page references my own blog... hehe.

General Discussion / DVR vulnerabilities
« on: March 24, 2016, 05:48:38 am »
Good writeup on common DVR vulnerability here -

Similar methods can be used on some of the newer Hi Silicon chipset ipcam's.

Site Announcements / Re: Member pruning
« on: January 20, 2016, 03:02:09 pm »
Deleted some of the advertising spam.

Pages: [1] 2 3 ... 27