Radiofisik

my knowledge base

Реверс-инжиниринг Xiaomi Mi Camera 2K (Magnetic Mount)

Для экспериментов купил это устройство https://www.dns-shop.ru/product/28bb5ca162d6ed20/ip-kamera-xiaomi-mi-camera-2k-magnetic-mount/ Вскрыл корпус, нашел флешку, выпаял и считал прошивку. Начал ее исследование с помощью binwalk

 binwalkv3 ./EN25QH128@SOP8afterupdate.BIN

                                                                                               /mnt/d/Seafile/Cloud/Devices/MiCameraMagneticMount/EN25QH128@SOP8afterupdate.BIN
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
DECIMAL                            HEXADECIMAL                        DESCRIPTION
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
208236                             0x32D6C                            CRC32 polynomial table, little endian
216084                             0x34C14                            Android boot image, kernel size: 0 bytes, kernel load address: 0x70657250, ramdisk size: 543519329 bytes, ramdisk load address: 0x6E72656B
236804                             0x39D04                            U-Boot version string: 2013.07-g8581847-dirty (Aug 09 2021 - 18:07:12)
262144                             0x40000                            uImage firmware image, header size: 64 bytes, data size: 1590203 bytes, compression: lzma, CPU: MIPS32, OS: Linux, image type: OS Kernel Image, load address: 0x80010000, entry point: 0x80367840,
                                                                      creation time: 2021-07-11 18:42:35, image name: "Linux-3.10.14__isvp_swan_1.0__"
2293760                            0x230000                           SquashFS file system, little endian, version: 4.0, compression: xz, inode count: 433, block size: 131072, image size: 3976360 bytes, created: 2021-11-03 10:37:54
6291456                            0x600000                           SquashFS file system, little endian, version: 4.0, compression: xz, inode count: 106, block size: 131072, image size: 3835466 bytes, created: 2022-08-23 05:20:36
10289152                           0x9D0000                           SquashFS file system, little endian, version: 4.0, compression: xz, inode count: 3, block size: 131072, image size: 1038613 bytes, created: 2021-11-03 10:37:55
12320768                           0xBC0000                           SquashFS file system, little endian, version: 4.0, compression: xz, inode count: 106, block size: 131072, image size: 3835466 bytes, created: 2022-08-23 05:20:36
16318464                           0xF90000                           JFFS2 filesystem, little endian, nodes: 96, total size: 361368 bytes
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

вывод старого binwalk несколько отличается

root@RfMainPc:/mnt/d/Seafile/Cloud/Devices/MiCameraMagneticMount# /usr/bin/binwalk --signature --term EN25QH128@SOP8afterupdate.BIN

DECIMAL       HEXADECIMAL     DESCRIPTION
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
208236        0x32D6C         CRC32 polynomial table, little endian
212616        0x33E88         LZO compressed data
216084        0x34C14         Android bootimg, kernel size: 0 bytes, kernel addr: 0x70657250, ramdisk size: 543519329 bytes, ramdisk addr: 0x6E72656B, product name: "mem boot start"
262144        0x40000         uImage header, header size: 64 bytes, header CRC: 0x58AB0988, created: 2021-07-11 18:42:35, image size: 1590203 bytes, Data Address: 0x80010000, Entry Point: 0x80367840, data CRC: 0xB7D95A14, OS: Linux, CPU: MIPS, image type: OS Kernel
                              Image, compression type: lzma, image name: "Linux-3.10.14__isvp_swan_1.0__"
262208        0x40040         LZMA compressed data, properties: 0x5D, dictionary size: 67108864 bytes, uncompressed size: -1 bytes
2293760       0x230000        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 3976360 bytes, 433 inodes, blocksize: 131072 bytes, created: 2021-11-03 10:37:54
6291456       0x600000        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 3835466 bytes, 106 inodes, blocksize: 131072 bytes, created: 2022-08-23 05:20:36
10289152      0x9D0000        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 1038613 bytes, 3 inodes, blocksize: 131072 bytes, created: 2021-11-03 10:37:55
12320768      0xBC0000        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 3835466 bytes, 106 inodes, blocksize: 131072 bytes, created: 2022-08-23 05:20:36
16318464      0xF90000        JFFS2 filesystem, little endian
16318600      0xF90088        Zlib compressed data, compressed
16318844      0xF9017C        JFFS2 filesystem, little endian

поищем конфигурацию команды загрузки

root@RfMainPc:/mnt/d/Seafile/Cloud/Devices/MiCameraMagneticMount# strings EN25QH128@SOP8afterupdate.BIN | grep bootcmd -b1
-bootargs=console=ttyS1,115200n8 mem=42M@0x0 rmem=22M@0x2A00000 init=/linuxrc rootfstype=squashfs root=/dev/mtdblock2 rw mtdparts=jz_sfc:256K(boot),1984K(kernel),3904K(rootfs),3904K(app),1984K(kback),3904K(aback),384K(cfg),64K(para)
bootcmd=mw 0xb0011134 0x300 1;sdstart;sdupdate;sf probe;sf read 0x80600000 0x40000 0x1F0000; bootm 0x80600000

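Итого: ядро начинается с 0x40000; U-Boot считывает его с флеш-памяти в ОЗУ по адресу 0x80600000 (sf read 0x80600000 0x40000 0x1F0000) и запускает командой bootm.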

Эти строчки

-bootargs=console=ttyS1,115200n8 mem=42M@0x0 rmem=22M@0x2A00000 init=/linuxrc rootfstype=squashfs root=/dev/mtdblock2 rw mtdparts=jz_sfc:256K(boot),1984K(kernel),3904K(rootfs),3904K(app),1984K(kback),3904K(aback),384K(cfg),64K(para)

передаются ядру, и оно знает о структуре разделов

Partition Name Size (KB) Offset (KB) Size (Bytes) Offset (Bytes)
boot 256 0 262144 0
kernel 1984 256 2031616 262144
rootfs 3904 2240 3997696 2293760
app 3904 6144 3997696 6283264
kback 1984 10048 2031616 10280960
aback 3904 12032 3997696 12312576
cfg 384 15936 393216 16310272
para 64 16320 65536 16703488

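Можно извлечь раздел boot и другие так (смещение в байтах = смещение в КБ × 1024; для app это 6144 × 1024 = 6291456 = 0x600000, что совпадает с выводом binwalk, тогда как в колонке Offset (Bytes) таблицы выше значения начиная с app меньше на 8192):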

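# Carve partitions out of the full flash dump. The layout comes from mtdparts
# in bootargs: sizes are in KiB and partitions are laid out back to back, so
# byte offset = KiB offset * 1024.
dd if=EN25QH128@SOP8afterupdate.BIN of=boot.bin bs=1 skip=0 count=262144

dd if=EN25QH128@SOP8afterupdate.BIN of=rootfs.bin bs=1 skip=2293760 count=3997696
# cfg starts at 15936 KiB = 16318464 (0xF90000, where binwalk reports JFFS2)
dd if=EN25QH128@SOP8afterupdate.BIN of=cfg.bin bs=1 skip=16318464 count=393216
# para starts at 16320 KiB = 16711680 (0xFF0000) and ends at the 16 MiB boundary
dd if=EN25QH128@SOP8afterupdate.BIN of=para.bin bs=1 skip=16711680 count=65536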

Те же bootargs сообщают ядру и об инициализационном скрипте: init=/linuxrc. Если распаковать раздел rootfs, видно, что это символическая ссылка

ls -la ./EN25QH128@SOP8afterupdate.BIN.extracted/230000/squashfs-root/linuxrc
lrwxrwxrwx 1 root root 11 Nov  2  2021 ./EN25QH128@SOP8afterupdate.BIN.extracted/230000/squashfs-root/linuxrc -> bin/busybox

то есть после загрузки ядра запускаем busybox, который в своей инициализации использует файл /etc/inittab

/mnt/d/Seafile/Cloud/Devices/MiCameraMagneticMount/extractions# cat ./EN25QH128@SOP8afterupdate.BIN.extracted/230000/squashfs-root/etc/inittab
# /etc/inittab
#
# Copyright (C) 2001 Erik Andersen <andersen@codepoet.org>
#
# Note: BusyBox init doesn't support runlevels.  The runlevels field is
# completely ignored by BusyBox init. If you want runlevels, use
# sysvinit.
#
# Format for each entry: <id>:<runlevels>:<action>:<process>
#
# id        == tty to run on, or empty for /dev/console
# runlevels == ignored
# action    == one of sysinit, respawn, askfirst, wait, and once
# process   == program to run

# Startup the system
::sysinit:/sbin/swapoff -a
::sysinit:/bin/mount -t tmpfs tmpfs /dev
::sysinit:/bin/mkdir -p /dev/pts
::sysinit:/bin/mkdir -p /dev/shm
::sysinit:/bin/mount -a
::sysinit:/bin/hostname -F /etc/hostname

# now run any rc scripts
::sysinit:/etc/init.d/rcS

# Put a getty on the serial port
#去除控制台
#console::respawn:/sbin/getty -L console 115200 vt100 # GENERIC_SERIAL

# Stuff to do for the 3-finger salute
#::ctrlaltdel:/sbin/reboot

# Stuff to do before rebooting
::shutdown:/bin/umount -a -r

Тут видно, почему после загрузки не работает взаимодействие с пользователем через консоль: строка с getty закомментирована. Также видно, что дальше запускается скрипт /etc/init.d/rcS

cat ./EN25QH128@SOP8afterupdate.BIN.extracted/230000/squashfs-root/etc/init.d/rcS
#!/bin/sh
# NOTE(review): vendor boot script, started from /etc/inittab via
# "::sysinit:/etc/init.d/rcS". It registers mdev as the hotplug helper, mounts
# the flash partitions, exports the library/binary search paths and then runs
# /system/bin/init_app.sh. No exit status is checked anywhere, so a failed
# mount does not stop the boot sequence.

#/bin/mount -a

#echo " __________________________________
#|                                  |
#|                                  |
#|                                  |
#|                                  |
#| _   _             _           _  |
#|| | | |_   _  __ _| |     __ _(_) |
#|| |_| | | | |/ _| | |  _ / _| | | |
#||  _  | |_| | (_| | |_| | (_| | | |
#||_| |_|\__,_|\__,_|_____|\__,_|_| |
#|                                  |
#|                                  |
#|___________________HuaLai_Fw...___|
#"

#for initscript in /etc/init.d/S[0-9][0-9]*
#do
#     if [ -x $initscript ] ;
#     then
#       echo "[RCS]: $initscript"
#       $initscript
#     fi
#done

# Register mdev as the kernel hotplug helper, then populate /dev once.
echo /sbin/mdev > /proc/sys/kernel/hotplug
/sbin/mdev -s && echo "mdev is ok......"

# Mount the remaining flash partitions. Per the mtdparts string these are
# mtdblock3 = app, mtdblock4 = kback, mtdblock5 = aback, mtdblock6 = cfg.
# NOTE(review): /configs is the only one mounted as jffs2 and without "ro";
# init_app.sh reads its mode flag files from there.
#echo "Start mount rootfs..."
#echo "mount -t squashfs /dev/mtdblock3 /usr/app"
mount -t squashfs /dev/mtdblock3 /system/
#echo "mount -t squashfs /dev/mtdblock4 /backk"
mount -t squashfs /dev/mtdblock4 /kback
#echo "mount -t squashfs /dev/mtdblock5 /backa"
mount -t squashfs /dev/mtdblock5 /aback
#echo "mount -t jffs2 /dev/mtdblock6 /configs"
mount -t jffs2 /dev/mtdblock6 /configs

# NOTE(review): /thirdlib ends up first in LD_LIBRARY_PATH, ahead of /lib.
# Where /thirdlib comes from is not visible in this script - confirm it is on
# a read-only filesystem, since libraries found there take precedence.
#echo "LD_LIBRARY_PATH=/lib:/usr/lib:/usr/app/lib"
LD_LIBRARY_PATH=/lib:/usr/lib:/system/lib
#echo "PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/app/bin:/usr/app/sbin"
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/system/bin:/system/sbin
#echo "export LD_LIBRARY_PATH=/thirdlib:$LD_LIBRARY_PATH"
export LD_LIBRARY_PATH=/thirdlib:$LD_LIBRARY_PATH
#echo "export LD_LIBRARY_PATH PATH"
export LD_LIBRARY_PATH PATH


# Hand over to the application start-up script on the app partition.
#echo "/usr/app/bin/init_app.sh"
/system/bin/init_app.sh

# Disable kernel printing (vendor comment, translated from Chinese)
#echo 0 > /proc/sys/kernel/printk

далее запускается /system/bin/init_app.sh

cat ./EN25QH128@SOP8afterupdate.BIN.extracted/600000/squashfs-root/bin/init_app.sh
#!/bin/sh
# NOTE(review): vendor application start-up script, run from /etc/init.d/rcS.
# It loads the kernel modules from /system/driver, enables a zram swap device,
# writes SoC registers with devmem, and finally picks one of three modes from
# flag files under /configs: debug (nothing started), factory test, or normal
# user mode (factory.sh, factorycheck, assis, iCamera_app).

mkdir -p /tmp/modules/3.10.14__isvp_swan_1.0__

#insmod /system/driver/tx-isp-t31.ko isp_clk=150000000
insmod /system/driver/exfat.ko
insmod /system/driver/audio.ko spk_gpio=-1
insmod /system/driver/sinfo.ko
insmod /system/driver/speaker_ctl.ko
insmod /system/driver/sample_pwm_core.ko
insmod /system/driver/sample_pwm_hal.ko

MOTOR_FLAG=/system/driver/motor_flag


# The presence of the motor flag file selects the Wi-Fi driver: atbm603x plus
# the motor module when it exists, rtl8189ftv otherwise.
if [ -f "$MOTOR_FLAG" ];then
      insmod /system/driver/atbm603x_wifi_sdio_24M.ko
      insmod /system/driver/sample_motor.ko
else
      insmod /system/driver/rtl8189ftv.ko
fi

#insmod /system/driver/avpu.ko  avpu_clk=600000000
insmod /system/driver/avpu.ko  avpu_clk=500000000
insmod /system/driver/tx-isp-t31.ko   isp_ch0_pre_dequeue_time=14 isp_ch0_pre_dequeue_interrupt_process=0 isp_ch0_pre_dequeue_valid_lines=540 isp_memopt=1
#insmod /system/driver/tx-isp-t31.ko isp_memopt=1 isp_clk=150000000
#enable zram swap
# 16777216 bytes = 16 MiB of compressed swap; swappiness is set to 100.
echo 16777216 > /sys/block/zram0/disksize
mkswap /dev/zram0
swapon /dev/zram0
echo 100 > /proc/sys/vm/swappiness


# The comments in this register section are vendor comments translated from
# Chinese; the register meanings are taken from those comments only.
# Clear the drive-strength setting for PB04 (lowest drive strength)
#devmem 0x10011138 32 0x300
# Set the drive strength of PB04 (4mA)
devmem 0x10011138 32 0xfff
devmem 0x10011134 32 0x100

# Set PA15 to 2mA drive strength
devmem 0x10010138 32 0xc0000000
devmem 0x10010134 32 0x00000000

#4mA
#devmem 0x10010138 32 0xc0000000
#devmem 0x10010134 32 0x40000000

# PB10 on wifi mmc1 is pulled down by default and has to be set to high impedance
devmem 0x10011128 32 0x400
# Change the wifi mmc1 clk drive strength to 8mA
devmem 0x10011134 32 0x20000

touch /tmp/resolv.conf


################## Up wifi lo port at first ##################
#echo "ifconfig lo up"
ifconfig lo up > /dev/null

##################### Run app process (1) ####################
# NOTE(review): telnetd is commented out here and again in the user branch
# below, so this script does not start a telnet service.
#telnetd
/system/bin/ver-comp > /dev/null

############## Select user mode or factroy mode ##############
# NOTE(review): the mode is decided purely by the existence of these files on
# /configs, which rcS mounts as jffs2. Anything able to create a file there
# changes what starts on the next boot.
FACTORY_TEST='/configs/.factory_flag'
DEBUG_STATUS='/configs/.debug_flag'

MOTOR_STATUS='/configs/.motor_flag'

# Xiaomi security chip (vendor comment, translated from Chinese).
# GPIO 10 is exported and configured as an output; the lsof listing further
# down the page shows miio_client holding gpio10/value open.
echo 10 > /sys/class/gpio/export
echo out > /sys/class/gpio/gpio10/direction


#EN LANGUAGE
#touch /configs/.EN

# Outer test: no debug flag. Inner test: no factory flag -> normal user mode.
# NOTE(review): the indentation below is misleading; the "/tmp/factory" check
# and the assis/iCamera_app launches all belong to the inner user-mode branch.
if [ ! -f $DEBUG_STATUS ]; then
      if [ ! -f $FACTORY_TEST ]; then
        #echo "#######################"
        #echo "#   IS USER PROCESS   #"
        #echo "#######################"
        #/usr/app/bin/assis > /dev/null &
        /system/init/factory.sh &
        /system/bin/factorycheck

      # factorycheck runs in the foreground; if /tmp/factory exists afterwards
      # the script stops here and the camera applications are not started.
      if [ -f /tmp/factory ]; then
        exit
      fi
      /system/bin/assis &
      #ulimit -c unlimited
      #mount /dev/mmcblk0p1 /mnt
      #echo "/mnt/core-%e-%p-%t" > /proc/sys/kernel/core_pattern
      #/mnt/iCamera_app &
      /system/bin/iCamera_app &
      #telnetd
      else
        echo "#######################"
        echo "#   IS TEST PROCESS   #"
        echo "#######################"
        # NOTE(review): rcS in this image mounts mtdblock4 at /kback; /backk
        # shows up there only in a commented-out echo. Confirm whether /backk
        # exists on the device before assuming this branch can run.
        /backk/singleBoadTest
        /backk/factoryTest &
      fi
else
      # Debug flag present: only the banner is printed, no application starts.
      echo "#######################"
      echo "#   IS DEBUG STATUS   #"
      echo "#######################"
fi

#touch /configs/.motor_flag
#if [ -f $MOTOR_STATUS ]; then
      #/system/bin/motortest &
#fi

#rm /mnt/logcat.log
#rm /mnt/dmeg.log
#mount /dev/mmcblk0p1 /mnt
#logcat > /mnt/logcat.log &
#dmesg  > /mnt/dmeg.log &

тут запускаются бинарники камеры /system/bin/assis и /system/bin/iCamera_app

Первое, что хочется сделать, чтобы не выпаивать микросхему при каждом эксперименте, — получить доступ к консоли U-Boot. Попробовал заменить bootdelay=0 на bootdelay=9 — это позволило получить доступ к загрузчику

Hit any key to stop autoboot:  9  8  7  0 
isvp_t31# 
isvp_t31# ?
?       - alias for 'help'
base    - print or set address offset
boot    - boot default, i.e., run 'bootcmd'
boota   - boot android system
bootd   - boot default, i.e., run 'bootcmd'
bootm   - boot application image from memory
chpart  - change active partition
cmp     - memory compare
coninfo - print console devices and information
cp      - memory copy
crc32   - checksum calculation
echo    - echo args to console
env     - environment handling commands
fatinfo - print information about filesystem
fatload - load binary file from a dos filesystem
fatls   - list files in a directory (default /)
go      - start application at address 'addr'
help    - print command description/usage
loadb   - load binary file over serial line (kermit mode)
loads   - load S-Record file over serial line
loady   - load binary file over serial line (ymodem mode)
loop    - infinite loop on address range
md      - memory display
mm      - memory modify (auto-incrementing address)
mmc     - MMC sub system
mmcinfo - display MMC info
mtdparts- define flash/nand partitions
mw      - memory write (fill)
nm      - memory modify (constant address)
printenv- print environment variables
reset   - Perform RESET of the CPU
sdstart - auto sd start!
sdupdate- auto upgrade file!
setenv  - set environment variables
sf      - SPI flash sub-system
sleep   - delay execution for some time
version - print monitor, compiler and linker version
isvp_t31# 

Следующий шаг — попробуем получить доступ к консоли после загрузки. Раскомментируем строчку console::respawn:/sbin/getty -L console 115200 vt100 # GENERIC_SERIAL. По модификации есть хорошее видео https://www.youtube.com/watch?v=m3iXNUa-OA8

dd if=EN25QH128@SOP8afterupdate.BIN of=rootfs.bin bs=1 skip=2293760 count=3997696

binwalk ./rootfs.bin

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             Squashfs filesystem, little endian, version 4.0, compression:xz, size: 3976360 bytes, 433 inodes, blocksize: 131072 bytes, created: 2021-11-03 10:37:54

unsquashfs ./rootfs.bin

nano ./squashfs-root/etc/inittab

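# Build the image once, with the same compression as the original (xz).
# -noappend matters: if newrootfs.bin already exists, mksquashfs appends to it
# by default instead of creating a fresh filesystem.
mksquashfs ./squashfs-root/ newrootfs.bin -comp xz -noappend

# The rootfs partition is 3904K = 3997696 bytes; a larger image would run into
# the app partition that starts at 0x600000.
[ "$(wc -c < newrootfs.bin)" -le 3997696 ] || echo "newrootfs.bin is larger than the rootfs partition" >&2


# Patch the new rootfs into a copy of the full dump at the rootfs offset,
# leaving the rest of the image untouched (conv=notrunc).
cp moddelay.BIN moddelayandconsole.bin
dd if=newrootfs.bin of=moddelayandconsole.bin bs=1 seek=2293760 conv=notrunc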

После этого moddelayandconsole.bin можно прошить программатором, но ведь есть U-Boot. На эту тему есть хорошая статья https://www.synacktiv.com/publications/i-hack-u-boot

isvp_t31# mmc rescan

isvp_t31# mmc list
msc: 0

isvp_t31# mmc dev 0
mmc0(part 0) is current device

isvp_t31# fatls mmc 0:1
            system volume information/
  3977216   newrootfs.bin
 16777216   moddelayandconsole.bin

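# 0x80600000 is the RAM address the image is loaded to.
# The file on the card is newrootfs.bin (see the fatls listing above). Confirm
# that fatload reports 3977216 bytes read before erasing anything: after a
# failed load, sf write would flash whatever happens to be in RAM.
fatload mmc 0:1 0x80600000 newrootfs.bin
sf probe
# 0x3D0000 is the old size from dd (3997696), i.e. the whole rootfs partition
sf erase 0x230000 0x3D0000
# 0x230000 is the same offset as in dd (2293760); 0x3CB000 is the new size (3977216)
sf write 0x80600000 0x230000 0x3CB000
reset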

После чего получаем доступ к консоли; логин и пароль root и ismart12 легко гуглятся по хешу в shadow. Можно посмотреть список процессов и загрузку.


Mem: 35776K used, 1620K free, 0K shrd, 436K buff, 11912K cached
CPU0:  100% usr  0.0% sys  0.0% nic  0.0% idle  0.0% io  0.0% irq  0.0% sirq
Load average: 2.91 2.90 2.90 1/124 9674
  PID  PPID USER     STAT   VSZ %VSZ CPU %CPU COMMAND
 9674   127 root     S     1584  4.2   0  0.0 sleep 1
 9664   188 root     S     1584  4.2   0  0.0 sleep 5
 9023   149 root     R     1600  4.2   0100.0 top
 8924     2 root     SW       0  0.0   0  0.0 [kworker/0:0]
 8328     2 root     SW       0  0.0   0  0.0 [kworker/0:2]
 5517     2 root     SW       0  0.0   0  0.0 [kworker/0:3]
  680   300 root     S      956  2.5   0  0.0 /etc/miio_client/miio_recv_line
  530     1 root     S     1604  4.2   0  0.0 udhcpc -i wlan0 -p /var/run/udhcpc
  426     1 root     S     5308 14.1   0  0.0 wpa_supplicant -D nl80211 -i wlan0
  300     1 root     S     1652  4.4   0  0.0 {miio_client_hel} /bin/sh /etc/mii
  297     1 root     S    51600137.9   0  0.0 /etc/miio_client/miio_client -D -L
  259     2 root     SW       0  0.0   0  0.0 [RTWHALXT]
  258     2 root     SW       0  0.0   0  0.0 [RTW_CMD_THREAD]
  257     2 root     SW       0  0.0   0  0.0 [RTW_XMIT_THREAD]
  210     2 root     DW       0  0.0   0  0.0 [isp_fw_process]
  188     1 root     S     1592  4.2   0  0.0 {sysMonitor.sh} /bin/sh /system/bi
  152     1 root     S    63776170.4   0  0.0 /system/bin/assis
  149     1 root     S     1604  4.2   0  0.0 -sh
  148     1 root     S     601m1647.1   0  0.0 /system/bin/iCamera_app
  127     1 root     S     1592  4.2   0  0.0 {factory.sh} /bin/sh /system/init/

pstree
linuxrc-+-assis-+-3*[{-}]
        |       |-{assis}
        |       |-{exec-shell-pool}
        |       |-{log-serv}
        |       `-{rcv-msg}
        |-factory.sh---sleep
        |-iCamera_app-+-15*[{-}]
        |             |-{ENC(0)-update_f}
        |             |-{ENC(1)-update_f}
        |             |-{ENC(2)-update_f}
        |             |-{Encoder-0}
        |             |-{Encoder-1}
        |             |-{FS(0)-tick}
        |             |-{FS(1)-tick}
        |             |-{Framesource-0}
        |             |-{Framesource-1}
        |             |-{IVS(0)-ivs_proc}
        |             |-{IVS-0}
        |             |-{OSD-0}
        |             |-{OSD-1}
        |             |-{ai-_ai_record_t}
        |             |-{ao-_ao_play_thr}
        |             |-{audio-stream-0}
        |             |-{continue-rec}
        |             |-{enc-stream-0}
        |             |-{enc-stream-1}
        |             |-{event-pool}
        |             |-4*[{iCamera_app}]
        |             |-{isp_tuning_deam}
        |             |-{log-work}
        |             |-{mi-log}
        |             |-13*[{miot-serv}]
        |             |-{miot_auth_threa}
        |             |-{miss_listen}
        |             |-{miss_login}
        |             |-{monitor_cpu}
        |             |-{motion-thread}
        |             |-{net-serv}
        |             |-{platform_thread}
        |             |-{shm_thread}
        |             |-{timer-pool}
        |             `-{upload_thread}
        |-miio_client---6*[{miio_client}]
        |-miio_client_hel---miio_recv_line
        |-sh---pstree
        |-sysMonitor.sh---sleep
        |-udhcpc
        `-wpa_supplicant

[root@Ingenic-uc1_1:bin]# df -h
Filesystem                Size      Used Available Use% Mounted on
/dev/root                 3.9M      3.9M         0 100% /
tmpfs                    18.3M      8.0K     18.3M   0% /dev
tmpfs                    18.3M    140.0K     18.1M   1% /tmp
tmpfs                    18.3M      4.0K     18.3M   0% /run
media                    18.3M         0     18.3M   0% /media
/dev/mtdblock3            3.8M      3.8M         0 100% /system
/dev/mtdblock4            1.0M      1.0M         0 100% /kback
/dev/mtdblock5            3.8M      3.8M         0 100% /aback
/dev/mtdblock6          384.0K    164.0K    220.0K  43% /configs
/dev/mmcblk0p1            7.5G     87.2M      7.4G   1% /media/mmc

netstat -tulnp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:54322         0.0.0.0:*               LISTEN      297/miio_client
tcp        0      0 127.0.0.1:54323         0.0.0.0:*               LISTEN      297/miio_client
udp        0      0 0.0.0.0:54321           0.0.0.0:*                           297/miio_client
udp        0      0 0.0.0.0:32108           0.0.0.0:*                           148/iCamera_app
udp        0      0 0.0.0.0:25526           0.0.0.0:*                           148/iCamera_app


 [root@Ingenic-uc1_1:www]# netstat -p
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.1.11:42647      124.251.34.212:443      ESTABLISHED 297/miio_client
tcp        0      0 localhost:33829         localhost:54322         ESTABLISHED 680/miio_recv_line
tcp        0      0 localhost:54322         localhost:33829         ESTABLISHED 297/miio_client
tcp        0      0 localhost:33814         localhost:54322         ESTABLISHED 148/iCamera_app
tcp        0      0 localhost:54322         localhost:33814         ESTABLISHED 297/miio_client
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags       Type       State         I-Node PID/Program name    Path
unix  4      [ ]         DGRAM                       860 426/wpa_supplicant  /var/run/wpa_supplicant/wlan0
unix  2      [ ]         DGRAM                       898 297/miio_client     /tmp/miio_unix_297-2
unix  2      [ ]         DGRAM                       900 297/miio_client     /tmp/miio_unix_297-3


[root@Ingenic-uc1_1:www]# [assis]WDG_CMD_FEED_DOG!!!!
[assis]WDG_CMD_FEED_DOG!!!!
lsof -i -P -n
1       /bin/busybox    /dev/console
1       /bin/busybox    /dev/console
1       /bin/busybox    /dev/console
127     /bin/busybox    /dev/null
127     /bin/busybox    /dev/console
127     /bin/busybox    /dev/console
127     /bin/busybox    /system/init/factory.sh
148     /system/bin/iCamera_app /dev/null
148     /system/bin/iCamera_app /tmp/miss.log
148     /system/bin/iCamera_app /dev/console
148     /system/bin/iCamera_app anon_inode:[eventpoll]
148     /system/bin/iCamera_app /dev/pwm
148     /system/bin/iCamera_app /dev/log_main
148     /system/bin/iCamera_app /dev/tx-isp
148     /system/bin/iCamera_app /dev/rmem
148     /system/bin/iCamera_app /dev/shm/imp_deubg_shm
148     /system/bin/iCamera_app /dev/avpu
148     /system/bin/iCamera_app /dev/isp-m0
148     /system/bin/iCamera_app /dev/mem
148     /system/bin/iCamera_app anon_inode:[eventfd]
148     /system/bin/iCamera_app /dev/framechan0
148     /system/bin/iCamera_app anon_inode:[eventfd]
148     /system/bin/iCamera_app anon_inode:[eventfd]
148     /system/bin/iCamera_app /dev/framechan1
148     /system/bin/iCamera_app /dev/dsp
148     /system/bin/iCamera_app /dev/speakerctl
148     /system/bin/iCamera_app /dev/dsp
148     /system/bin/iCamera_app socket:[634]
148     /system/bin/iCamera_app /dev/ipu
148     /system/bin/iCamera_app /tmp/miss.log
148     /system/bin/iCamera_app /dev/urandom
148     /system/bin/iCamera_app /tmp/1801.mp4
148     /system/bin/iCamera_app socket:[29757]
148     /system/bin/iCamera_app socket:[29758]
148     /system/bin/iCamera_app /dev/urandom
149     /bin/busybox    /dev/console
149     /bin/busybox    /dev/console
149     /bin/busybox    /dev/console
149     /bin/busybox    /dev/tty
152     /system/bin/assis       /dev/null
152     /system/bin/assis       /dev/console
152     /system/bin/assis       /dev/console
152     /system/bin/assis       /dev/watchdog
188     /bin/busybox    /dev/null
188     /bin/busybox    /dev/console
188     /bin/busybox    /dev/console
188     /bin/busybox    /dev/watchdog
188     /bin/busybox    /system/bin/sysMonitor.sh
297     /system/iot/miio_client/miio_client     /dev/null
297     /system/iot/miio_client/miio_client     /dev/console
297     /system/iot/miio_client/miio_client     /dev/console
297     /system/iot/miio_client/miio_client     /dev/watchdog
297     /system/iot/miio_client/miio_client     /tmp/miio_log.txt
297     /system/iot/miio_client/miio_client     socket:[623]
297     /system/iot/miio_client/miio_client     socket:[624]
297     /system/iot/miio_client/miio_client     socket:[898]
297     /system/iot/miio_client/miio_client     socket:[637]
297     /system/iot/miio_client/miio_client     /dev/i2c-1
297     /system/iot/miio_client/miio_client     /sys/devices/virtual/gpio/gpio10/value
297     /system/iot/miio_client/miio_client     anon_inode:[timerfd]
297     /system/iot/miio_client/miio_client     socket:[1189]
297     /system/iot/miio_client/miio_client     socket:[900]
297     /system/iot/miio_client/miio_client     socket:[1247]
297     /system/iot/miio_client/miio_client     socket:[1351]
300     /bin/busybox    /dev/null
300     /bin/busybox    /dev/null
300     /bin/busybox    /dev/null
300     /bin/busybox    /dev/watchdog
300     /bin/busybox    pipe:[1345]
300     /bin/busybox    /system/iot/miio_client/miio_client_helper_nomqtt.sh
426     /sbin/wpa_supplicant    /dev/null
426     /sbin/wpa_supplicant    /dev/null
426     /sbin/wpa_supplicant    /dev/null
426     /sbin/wpa_supplicant    /dev/watchdog
426     /sbin/wpa_supplicant    socket:[3230]
426     /sbin/wpa_supplicant    socket:[840]
426     /sbin/wpa_supplicant    socket:[841]
426     /sbin/wpa_supplicant    socket:[842]
426     /sbin/wpa_supplicant    socket:[843]
426     /sbin/wpa_supplicant    socket:[847]
426     /sbin/wpa_supplicant    socket:[848]
426     /sbin/wpa_supplicant    socket:[849]
426     /sbin/wpa_supplicant    /dev/urandom
426     /sbin/wpa_supplicant    socket:[860]
530     /bin/busybox    /dev/null
530     /bin/busybox    /dev/null
530     /bin/busybox    /dev/null
530     /bin/busybox    /dev/watchdog
530     /bin/busybox    pipe:[1013]
530     /bin/busybox    pipe:[1013]
680     /system/iot/miio_client/miio_recv_line  /dev/null
680     /system/iot/miio_client/miio_recv_line  pipe:[1345]
680     /system/iot/miio_client/miio_recv_line  /dev/null
680     /system/iot/miio_client/miio_recv_line  /dev/watchdog
680     /system/iot/miio_client/miio_recv_line  socket:[1346]
11614   /bin/busybox    /dev/null
11614   /bin/busybox    /dev/console
11614   /bin/busybox    /dev/console
11614   /bin/busybox    /dev/watchdog
11625   /bin/busybox    /dev/null
11625   /bin/busybox    /dev/console
11625   /bin/busybox    /dev/console

OpenIPC

по камере есть мануал https://github.com/OpenIPC/device-mjsxj03hl/blob/master/Manual_ru.md

gpio clear 54 ; mmcinfo

mmc rescan
mmc dev 0
fatls mmc 0:1
	16777216   openipc-t31l-lite-16mb.bin

# NOTE(review): this sequence rewrites the entire 16 MiB chip (0x0..0x1000000),
# including the boot partition at offset 0 from the mtdparts layout. If the
# load or the write goes wrong there is no bootloader left to retry from, and
# recovery needs an external programmer. Keep a full dump of the chip and
# confirm that fatload reports the expected number of bytes read before
# running sf erase.
mw.b 0x80600000 ff 0x1000000 # skipped this step the first time; possibly why it did not boot
# 0x80600000 is the RAM address the image is loaded to
#fatload mmc 0:1 0x80600000 openipc-t31l-lite-16mb.bin
fatload mmc 0:1 0x80600000 openipc-t31n-ultimate-16mb.bin
sf probe 
sf erase 0x0 0x1000000
sf write 0x80600000 0x0 0x1000000

reset

Тут что-то пошло не так, и пришлось шить через программатор. После проверил эту инструкцию ещё раз, и всё сработало (root/12345)

после прошивки

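# fw_setenv takes the variable name and the value as separate arguments
fw_setenv ethaddr c8:5c:cc:8b:ea:f8

#RTL871X: rtl8189ftv 
#https://github.com/OpenIPC/firmware/blob/master/general/overlay/etc/wireless/sdio
fw_setenv wlandev rtl8189fs-generic

# NOTE(review): the Wi-Fi passphrase is stored in clear text in the U-Boot
# environment on flash, so anyone who can read the chip can recover it.
fw_setenv wlanssid RFNet
fw_setenv wlanpass 'password_here'

firstboot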

Если что-то пошло не так, отлаживать можно так

killall -q wpa_supplicant
wpa_supplicant -i wlan0 -c /tmp/wpa_supplicant.conf -D wext -dd

сеть заработала, подключился к камере, осталось понять почему сама камера не работает. В dmesg ошибка по памяти.

thingino

По сути, в OpenIPC заработало всё, кроме камеры, которой не хватало памяти. Подвернулся проект https://thingino.com/ с прошивками https://github.com/Andrik45719/MJSXJ03HL/tree/main — залил аналогично OpenIPC, хотя её можно лить без разборки.


fw_setenv wlanmac c8:5c:cc:8b:ea:f8;
fw_setenv wlanssid RFNet
fw_setenv wlanpass 'password_here'

fw_setenv osmem 52M@0x0; fw_setenv rmem 12M@0x3400000; reboot
sysupgrade -p
fw_setenv osmem 32M@0x0; fw_setenv rmem 32M@0x2000000; reboot

backup на всякий случай

mw.b 0x80600000 0xff 0x1000000
sf probe 0; sf read 0x80600000 0x0 0x1000000

fatwrite mmc 0:1 0x80600000 backup-thingino.bin 0x1000000