As I wrote few months ago, I bought tiny WiFi camera, advertised as a spy camera or nannycam. This week, I decided to work on the topic a bit. However, due to some serious failure, I alarmed on Twitter, I was not able to connect to its WiFi hotspot anymore. Therefore I had to use UART to recover it from backup. Below you can find parameters needed to connect to this cam. At first however I want to present any identification numbers, that might be useful to confirm it is the same device, as it has no real name.
Identification
As can be seen in picture on the right, the device consists of main PCB, camera with tape cable, battery pack and optional USB cable for charging. To be able to reach UART header, I had to strip the rubber package from main board. Below I was able to see two identification strings:
- HB-WIFI-Z6 – this is most likely the name of the board, unfortunately neither Google or even Taobao does not know it
- MS-ME198407 – this is very interesting, as it seems to mean some internal name of laptop computer (don’t know who is the vendor)
Furthermore on camera tape there is one more magic string – HY-OV9712-6. After first dash it seems to be oh – not to be confused with zero). How do I know it? Because OV9712 is model name of camera optics made by OmniVision and it more or less matches the parameters of the camera.
Last batch of IDs is, at first processor name and vendor, which is quite unusual at least outside China – T10 made by Ingenic, which appear to produce MIPS cores and dev boards for it. Also I can see in logs the board should be called ISVP, which is not necessarily true – see Google. At last cpuinfo says that system type is mango, which appear to be fairly common in cheap Chinese cameras.
UART pinout
It can be found on the back of the board, near its edge.
| Num. | Function |
|---|---|
| 1 | UART0 RX |
| 2 | UART0 TX |
| 3 | UART1 RX |
| 4 | UART1 TX |
| 5 | GND |
Note: UART0 seem to be inactive, UART1 is where uboot and Linux can be accessed.
Software
To connect to UART above, you have to use 115200 bauds in 8N1 mode. During the powerup, you can see it utilizes custom uboot as bootloader. It should be possible to interrupt it in one second timeslot. After that Linux is loaded and it asks for login (you most likely will not see it because of the amount of messages printed). root account is present and does not ask for password.
UART log
Below you can find full log of system startup, after I successfully recovered the board to working state.
U-Boot SPL 2013.07 (Jul 31 2017 - 17:53:34) pll_init:347 l2cache_clk = 450000000 pll_cfg.pdiv = 8, pll_cfg.h2div = 4, pll_cfg.h0div = 4, pll_cfg.cdiv = 1, pll_cfg.l2div = 2 nf=36 nr = 1 od0 = 1 od1 = 1 cppcr is 02404900 CPM_CPAPCR 0470890d nf=50 nr = 1 od0 = 1 od1 = 1 cppcr is 03204900 CPM_CPMPCR 0320490d cppcr 0x9a7b5510 apll_freq 860160000 mpll_freq 1200000000 ddr sel mpll, cpu sel apll ddrfreq 400000000 cclk 860160000 l2clk 430080000 h0clk 300000000 h2clk 300000000 pclk 150000000 CPM_DDRCDR(0000002c) = a0000002 DDRC_DLP:0000f003 CPM_SSICDR(00000074) = e0000011 U-Boot 2013.07 (Jul 31 2017 - 17:53:34) Board: ISVP (Ingenic XBurst T10 SoC) DRAM: 64 MiB Top of RAM usable for U-Boot at: 84000000 Reserving 435k for U-Boot at: 83f90000 Reserving 32784k for malloc() at: 81f8c000 Reserving 32 Bytes for Board Info at: 81f8bfe0 Reserving 124 Bytes for Global Data at: 81f8bf64 Reserving 128k for boot params() at: 81f6bf64 Stack Pointer at: 81f6bf48 Now running in RAM - U-Boot at: 83f90000 MMC: msc: 0 CPM_SSICDR(74) = e000000b the manufacturer ef SF: Detected W25Q64JV *** Warning - bad CRC, using default environment In: serial Out: serial Err: serial Net: CPM_MACCDR(54) = a0000017 Jz4775-9161 Hit any key to stop autoboot: 1 ^H^H^H 0 CPM_SSICDR(74) = e000000b the manufacturer ef SF: Detected W25Q64JV --->probe spend 7 ms SF: 2621440 bytes @ 0x40000 Read: OK --->read spend 422 ms ## Booting kernel from Legacy Image at 80600000 ... Image Name: Linux-3.10.14 Image Type: MIPS Linux Kernel Image (lzma compressed) Data Size: 1807916 Bytes = 1.7 MiB Load Address: 80010000 Entry Point: 803c83e0 Verifying Checksum ... OK Uncompressing Kernel Image ... OK Starting kernel ... [ 0.000000] Initializing cgroup subsys cpu [ 0.000000] Initializing cgroup subsys cpuacct [ 0.000000] Linux version 3.10.14 (root@tang-virtual-machine) (gcc version 4.7.2 (Ingenic 2015.02) ) #36 PREEMPT Mon Jul 31 18:07:54 CST 2017 [ 0.000000] bootconsole [early0] enabled [ 0.000000] CPU0 RESET ERROR PC:77A8D951 [ 0.000000] CPU0 revision is: 00d00100 (Ingenic Xburst) [ 0.000000] FPU revision is: 00b70000 [ 0.000000] CCLK:860MHz L2CLK:430Mhz H0CLK:200MHz H2CLK:200Mhz PCLK:100Mhz [ 0.000000] Determined physical RAM map: [ 0.000000] memory: 004f8000 @ 00010000 (usable) [ 0.000000] memory: 00038000 @ 00508000 (usable after init) [ 0.000000] User-defined physical RAM map: [ 0.000000] memory: 02700000 @ 00000000 (usable) [ 0.000000] Zone ranges: [ 0.000000] Normal [mem 0x00000000-0x026fffff] [ 0.000000] Movable zone start for each node [ 0.000000] Early memory node ranges [ 0.000000] node 0: [mem 0x00000000-0x026fffff] [ 0.000000] Primary instruction cache 32kB, 8-way, VIPT, linesize 32 bytes. [ 0.000000] Primary data cache 32kB, 8-way, VIPT, no aliases, linesize 32 bytes [ 0.000000] pls check processor_id[0x00d00100],sc_jz not support! [ 0.000000] MIPS secondary cache 128kB, 8-way, linesize 32 bytes. [ 0.000000] Built 1 zonelists in Zone order, mobility grouping off. Total pages: 9906 [ 0.000000] Kernel command line: console=ttyS1,115200n8 mem=39M@0x0 ispmem=5M@0x2700000 rmem=20M@0x2c00000 init=/linuxrc rootfstype=squashfs root=/dev/mtdblock2 rw mtdparts=jz_sfc:256k(boot),2560k(kernel),2048k(root),-(appfs) [ 0.000000] PID hash table entries: 256 (order: -2, 1024 bytes) [ 0.000000] Dentry cache hash table entries: 8192 (order: 3, 32768 bytes) [ 0.000000] Inode-cache hash table entries: 4096 (order: 2, 16384 bytes) [ 0.000000] Memory: 33568k/39936k available (3846k kernel code, 6368k reserved, 1240k data, 224k init, 0k highmem) [ 0.000000] SLUB: HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1 [ 0.000000] Preemptible hierarchical RCU implementation. [ 0.000000] NR_IRQS:418 [ 0.000000] clockevents_config_and_register success. [ 0.000022] Calibrating delay loop... 858.52 BogoMIPS (lpj=4292608) [ 0.087751] pid_max: default: 32768 minimum: 301 [ 0.092717] Mount-cache hash table entries: 512 [ 0.097836] Initializing cgroup subsys debug [ 0.102102] Initializing cgroup subsys freezer [ 0.109059] regulator-dummy: no parameters [ 0.113321] NET: Registered protocol family 16 [ 0.131170] bio: create slab <bio-0> at 0 [ 0.137467] jz-dma jz-dma: JZ SoC DMA initialized [ 0.142541] usbcore: registered new interface driver usbfs [ 0.148164] usbcore: registered new interface driver hub [ 0.153600] usbcore: registered new device driver usb [ 0.158885] i2c-gpio i2c-gpio.0: using pins 12 (SDA) and 13 (SCL) [ 0.165094] i2c-gpio i2c-gpio.1: using pins 57 (SDA) and 58 (SCL) [ 0.171233] media: Linux media interface: v0.10 [ 0.175840] Linux video capture interface: v2.00 [ 0.182570] Switching to clocksource jz_clocksource [ 0.187532] cfg80211: Calling CRDA to update world regulatory domain [ 0.194598] jz-dwc2 jz-dwc2: cgu clk gate get error [ 0.199537] jz-dwc2 jz-dwc2: regulator vbus get error [ 0.204665] DWC IN OTG MODE [ 0.359287] sft id =========================off [ 0.363879] dwc2 dwc2: Keep PHY ON [ 0.367266] dwc2 dwc2: Using Buffer DMA mode [ 0.571405] dwc2 dwc2: Core Release: 3.00a [ 0.575540] dwc2 dwc2: DesignWare USB2.0 High-Speed Host Controller [ 0.581856] dwc2 dwc2: new USB bus registered, assigned bus number 1 [ 0.589252] hub 1-0:1.0: USB hub found [ 0.593008] hub 1-0:1.0: 1 port detected [ 0.597161] dwc2 dwc2: DWC2 Host Initialized [ 0.601649] NET: Registered protocol family 2 [ 0.606620] TCP established hash table entries: 512 (order: 0, 4096 bytes) [ 0.613544] TCP bind hash table entries: 512 (order: -1, 2048 bytes) [ 0.620030] TCP: Hash tables configured (established 512 bind 512) [ 0.626318] TCP: reno registered [ 0.629516] UDP hash table entries: 256 (order: 0, 4096 bytes) [ 0.635474] UDP-Lite hash table entries: 256 (order: 0, 4096 bytes) [ 0.642066] NET: Registered protocol family 1 [ 0.646882] freq_udelay_jiffys[0].max_num = 10 [ 0.651312] cpufreq udelay loops_per_jiffy [ 0.655774] 12000 59885 59885 [ 0.658994] 24000 119771 119771 [ 0.662437] 60000 299428 299428 [ 0.665895] 120000 598857 598857 [ 0.669412] 200000 998095 998095 [ 0.672944] 300000 1497142 1497142 [ 0.676673] dwc2 dwc2: ID PIN CHANGED! [ 0.680480] init DWC as A_HOST [ 0.683568] 600000 2994285 2994285 [ 0.687265] 792000 3952457 3952457 [ 0.690956] 1008000 5030400 5030400 [ 0.694861] 1200000 5988571 5988571 [ 0.705327] squashfs: version 4.0 (2009/01/31) Phillip Lougher [ 0.711433] jffs2: version 2.2. © 2001-2006 Red Hat, Inc. [ 0.717452] msgmni has been set to 65 [ 0.722563] io scheduler noop registered [ 0.726611] io scheduler cfq registered (default) [ 0.733011] jz-uart.0: ttyS0 at MMIO 0x10030000 (irq = 59) is a uart0 [ 0.739735] jz-uart.1: ttyS1 at MMIO 0x10031000 (irq = 58) is a uart1 [ 0.748058] console [ttyS1] enabled, bootconsole disabled [ 0.748058] console [ttyS1] enabled, bootconsole disabled [ 0.763085] brd: module loaded [ 0.768461] loop: module loaded [ 0.771812] logger: created 256K log 'log_main' [ 0.777230] jz SADC driver registeres over! [ 0.782520] jz TCU driver register completed [ 0.787739] the id code = ef7017, the flash name is W25Q64JV [ 0.793621] JZ SFC Controller for SFC channel 0 driver register [ 0.799851] 4 cmdlinepart partitions found on MTD device jz_sfc [ 0.806011] Creating 4 MTD partitions on "jz_sfc": [ 0.810989] 0x000000000000-0x000000040000 : "boot" [ 0.816543] 0x000000040000-0x0000002c0000 : "kernel" [ 0.822190] 0x0000002c0000-0x0000004c0000 : "root" [ 0.827798] 0x0000004c0000-0x000000800000 : "appfs" [ 0.833367] SPI NOR MTD LOAD OK [ 0.836753] tun: Universal TUN/TAP device driver, 1.6 [ 0.841993] tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com> [ 0.848551] Bus Mode Reg after reset: 0x00020101, cnt=0 [ 0.854998] Bus Mode Reg after reset: 0x00020101, cnt=1 [ 0.861417] Bus Mode Reg after reset: 0x00020101, cnt=2 [ 0.867894] Bus Mode Reg after reset: 0x00020101, cnt=3 [ 0.874335] Bus Mode Reg after reset: 0x00020101, cnt=4 [ 0.880755] Bus Mode Reg after reset: 0x00020101, cnt=5 [ 0.887183] Bus Mode Reg after reset: 0x00020101, cnt=6 [ 0.893608] Bus Mode Reg after reset: 0x00020101, cnt=7 [ 0.900037] Bus Mode Reg after reset: 0x00020101, cnt=8 [ 0.906483] Bus Mode Reg after reset: 0x00020101, cnt=9 [ 0.912904] func:jz_mii_bus_probe, synopGMAC_reset failed [ 0.918531] jz_mii_bus: probe of jz_mii_bus.0 failed with error -1 [ 0.925033] =======>gmacdev = 0x819e0100<================ [ 0.930638] =========>gmacdev->MacBase = 0xb34b0000 DmaBase = 0xb34b1000 [ 0.937610] Bus Mode Reg after reset: 0x00020101, cnt=0 [ 0.944091] Bus Mode Reg after reset: 0x00020101, cnt=1 [ 0.950511] Bus Mode Reg after reset: 0x00020101, cnt=2 [ 0.956946] Bus Mode Reg after reset: 0x00020101, cnt=3 [ 0.963367] Bus Mode Reg after reset: 0x00020101, cnt=4 [ 0.969799] Bus Mode Reg after reset: 0x00020101, cnt=5 [ 0.976227] Bus Mode Reg after reset: 0x00020101, cnt=6 [ 0.982643] Bus Mode Reg after reset: 0x00020101, cnt=7 [ 0.989070] Bus Mode Reg after reset: 0x00020101, cnt=8 [ 0.995499] Bus Mode Reg after reset: 0x00020101, cnt=9 [ 1.001915] func:jz_mac_probe, synopGMAC_reset failed [ 1.007181] jz_mac: probe of jz_mac.0 failed with error -1 [ 1.012984] usbcore: registered new interface driver zd1201 [ 1.019181] jzmmc_v1.2 jzmmc_v1.2.0: vmmc regulator missing [ 1.064100] jzmmc_v1.2 jzmmc_v1.2.0: register success! [ 1.069499] jzmmc_v1.2 jzmmc_v1.2.1: vmmc regulator missing [ 1.115007] jzmmc_v1.2 jzmmc_v1.2.1: register success! [ 1.120429] ------------ init codec driver start! [ 1.125425] jz_codec_probe: probe() start [ 1.129594] jz_codec_probe, codec iomem is :0xb0021000 [ 1.134993] usb 1-1: new high-speed USB device number 2 using dwc2 [ 1.141517] jz_codec_probe: probe() done [ 1.145744] i2s global init [ 1.148657] current codec is :819e5f00 [ 1.152823] i2s init success. [ 1.584430] u32 classifier [ 1.587248] Actions configured [ 1.590951] TCP: cubic registered [ 1.594452] NET: Registered protocol family 17 [ 1.599135] Key type dns_resolver registered [ 1.604566] input: gpio-keys as /devices/platform/gpio-keys/input/input0 [ 1.611726] drivers/rtc/hctosys.c: unable to open rtc device (rtc0) [ 1.622873] VFS: Mounted root (squashfs filesystem) readonly on device 31:2. [ 1.630788] Freeing unused kernel memory: 224K (80508000 - 80540000) mdev is ok...... [ 3.517407] name : i2c-gpio0 nr : 0 [ 3.585119] sensor_read: addr=0xa value = 0xa0 Ingenic-g1_1 login: [ 3.651413] error: sensor_read,172 ret = -6 [ 3.655785] sensor_read: addr=0x300a value = 0x0 [ 3.660665] err sensor read addr = 0x300a, value = 0x0 [ 3.727009] error: sensor_read,172 ret = -6 [ 3.731351] sensor_read: addr=0x300b value = 0x0 [ 3.736247] err sensor read addr = 0x300b, value = 0x0 [ 3.802303] sensor_read: addr=0xa value = 0xa0 [ 3.807705] sensor_read: addr=0xb value = 0x62 [ 3.873357] sensor_read: addr=0x580b value = 0xb [ 3.939198] sensor_read: addr=0x580b value = 0xb [ 4.005004] sensor_read: addr=0x3107 value = 0x7 [ 4.070807] sensor_read: addr=0x3107 value = 0x7 [ 4.136670] error: sensor_read,172 ret = -6 [ 4.141009] sensor_read: addr=0x3000 value = 0x0 [ 4.145920] err sensor read addr = 0x3000, value = 0x0 [ 4.212024] sensor_read: addr=0xa value = 0xa0 [ 4.217422] sensor_read: addr=0xb value = 0x62 [ 4.283047] error: sensor_read,172 ret = -6 [ 4.287416] sensor_read: addr=0xf0 value = 0x0 [ 4.292123] err sensor read addr = 0xf0, value = 0x0 [ 4.358106] error: sensor_read,172 ret = -6 [ 4.362445] sensor_read: addr=0xf0 value = 0x0 [ 4.367158] err sensor read addr = 0xf0, value = 0x0 [ 4.433244] error: sensor_read,172 ret = -6 [ 4.437614] sensor_read: addr=0xf0 value = 0x0 [ 4.442320] err sensor read addr = 0xf0, value = 0x0 [ 4.508532] error: sensor_read,172 ret = -6 [ 4.512874] sensor_read: addr=0xfc value = 0x0 [ 4.517630] err sensor read addr = 0xfc, value = 0x0 [ 4.583799] error: sensor_read,172 ret = -6 [ 4.588158] sensor_read: addr=0x3004 value = 0x0 [ 4.593040] err sensor read addr = 0x3004, value = 0x0 [ 4.659320] error: sensor_read,172 ret = -6 [ 4.663663] sensor_read: addr=0x300a value = 0x0 [ 4.668561] err sensor read addr = 0x300a, value = 0x0 [ 4.734784] error: sensor_read,172 ret = -6 [ 4.739124] sensor_read: addr=0x31f3 value = 0x0 [ 4.744035] err sensor read addr = 0x31f3, value = 0x0 [ 4.810301] sensor_read: addr=0x3107 value = 0x7 [ 4.876141] error: sensor_read,172 ret = -6 [ 4.880481] sensor_read: addr=0x4 value = 0x0 [ 4.885118] err sensor read addr = 0x4, value = 0x0 [ 4.950948] sensor_read: addr=0xa value = 0xa0 [ 4.956347] sensor_read: addr=0xb value = 0x62 [ 4.961053] info: success sensor find : jxh62 [ 4.965603] name : i2c-gpio1 nr : 1 sensor :jxh62 [ 5.167844] register all isp device successfully! [ 5.179531] @@@@ tx-isp-probe ok @@@@@ Search Module ver 1.0 ssid_in-->ME[2] rotuepwd_in-->cfans1234.[3] dhcp_in-->1[4] ipcip_in-->192.168.0.10[5] alias_de-->IPC-1234redf6qwe[1] AliasLen =16,AliasBuf=IPC-1234redf6qwe ioctl() error:No such device! pwd on ioctl() error:No such device! ioctl() error:No such device! ioctl() error:No such device! **v ok gpio CLOSE---== MB wifiModel=1 AP model [ 9.185769] RTL871X: module init start [ 9.189694] RTL871X: rtl8188eu v4.3.0.8_13968.20150417 [ 9.195158] RTL871X: build time: Jul 31 2017 19:15:26 [ 9.200509] RTL871X: [ 9.200509] usb_endpoint_descriptor(0): [ 9.206961] RTL871X: bLength=7 [ 9.210144] RTL871X: bDescriptorType=5 [ 9.214141] RTL871X: bEndpointAddress=81 [ 9.218221] RTL871X: wMaxPacketSize=512 [ 9.222195] RTL871X: bInterval=0 [ 9.225621] RTL871X: RT_usb_endpoint_is_bulk_in = 1 [ 9.230691] RTL871X: [ 9.230691] usb_endpoint_descriptor(1): [ 9.237099] RTL871X: bLength=7 [ 9.240275] RTL871X: bDescriptorType=5 [ 9.244237] RTL871X: bEndpointAddress=2 [ 9.248221] RTL871X: wMaxPacketSize=512 [ 9.252195] RTL871X: bInterval=0 [ 9.255607] RTL871X: RT_usb_endpoint_is_bulk_out = 2 [ 9.260764] RTL871X: [ 9.260764] usb_endpoint_descriptor(2): [ 9.267151] RTL871X: bLength=7 [ 9.270321] RTL871X: bDescriptorType=5 [ 9.274266] RTL871X: bEndpointAddress=3 [ 9.278251] RTL871X: wMaxPacketSize=512 [ 9.282226] RTL871X: bInterval=0 [ 9.285627] RTL871X: RT_usb_endpoint_is_bulk_out = 3 [ 9.290786] RTL871X: nr_endpoint=3, in_num=1, out_num=2 [ 9.290786] [ 9.297803] RTL871X: USB_SPEED_HIGH [ 9.301486] RTL871X: CHIP TYPE: RTL8188E [ 9.305706] RTL871X: register rtw_netdev_ops to netdev_ops [ 9.311747] RTL871X: Chip Version Info: CHIP_8188E_Normal_Chip_TSMC_D_CUT_1T1R_RomVer(0) [ 9.320215] RTL871X: RF_Type is 3!! [ 9.323836] RTL871X: _ConfigNormalChipOutEP_8188E OutEpQueueSel(0x05), OutEpNumber(2) [ 9.332219] RTL871X: EEPROM type is E-FUSE [ 9.336496] RTL871X: ====> _ReadAdapterInfo8188EU [ 9.341479] RTL871X: Boot from EFUSE, Autoload OK ! [ 9.348703] RTL871X: SetHwReg8188EU: bMacPwrCtrlOn=1 [ 9.354039] bFWReady == _FALSE call reset 8051... [ 9.359331] RTL871X: =====> _8051Reset88E(): 8051 reset success . [ 9.384347] RTL871X: efuse_read_phymap_from_txpktbuf bcnhead:0 [ 9.390877] RTL871X: efuse_read_phymap_from_txpktbuf len:165, lenbak:165, aaa:165, aaabak:165 [ 9.405179] RTL871X: efuse_read_phymap_from_txpktbuf read count:163 [ 9.411928] RTL871X: EEPROM ID=0x8129 [ 9.415759] RTL871X: VID = 0x0BDA, PID = 0x0179 [ 9.420461] RTL871X: Customer ID: 0x00, SubCustomer ID: 0xCD [ 9.426396] RTL871X: Hal_ReadPowerSavingMode88E...bHWPwrPindetect(0)-bHWPowerdown(0) ,bSupportRemoteWakeup(1) [ 9.436715] RTL871X: ### PS params=> power_mgnt(1),usbss_enable(0) ### [ 9.443583] RTL871X: ======= Path 0, Channel 1 ======= [ 9.448961] RTL871X: Index24G_CCK_Base[0][1] = 0x2e [ 9.454045] RTL871X: Index24G_BW40_Base[0][1] = 0x2e [ 9.459196] RTL871X: ======= Path 0, Channel 2 ======= [ 9.464585] RTL871X: Index24G_CCK_Base[0][2] = 0x2e [ 9.469653] RTL871X: Index24G_BW40_Base[0][2] = 0x2e [ 9.474863] RTL871X: ======= Path 0, Channel 3 ======= [ 9.480200] RTL871X: Index24G_CCK_Base[0][3] = 0x2e [ 9.485317] RTL871X: Index24G_BW40_Base[0][3] = 0x2d [ 9.490473] RTL871X: ======= Path 0, Channel 4 ======= [ 9.495864] RTL871X: Index24G_CCK_Base[0][4] = 0x2e [ 9.500932] RTL871X: Index24G_BW40_Base[0][4] = 0x2d [ 9.506139] RTL871X: ======= Path 0, Channel 5 ======= [ 9.511699] RTL871X: Index24G_CCK_Base[0][5] = 0x2e [ 9.520016] RTL871X: Index24G_BW40_Base[0][5] = 0x2d ioctl() error:No such device! [ 9.528508] RTL871X: ======= Path 0, Channel 6 ======= [ 9.536656] RTL871X: Index24G_CCK_Base[0][6] = 0x2e [ 9.541727] RTL871X: Index24G_BW40_Base[0][6] = 0x2c [ 9.546959] RTL871X: ======= Path 0, Channel 7 ======= [ 9.552301] RTL871X: Index24G_CCK_Base[0][7] = 0x2e [ 9.557487] RTL871X: Index24G_BW40_Base[0][7] = 0x2c [ 9.562652] RTL871X: ======= Path 0, Channel 8 ======= [ 9.568062] RTL871X: Index24G_CCK_Base[0][8] = 0x2e [ 9.573135] RTL871X: Index24G_BW40_Base[0][8] = 0x2c [ 9.578358] RTL871X: ======= Path 0, Channel 9 ======= [ 9.583699] RTL871X: Index24G_CCK_Base[0][9] = 0x2e [ 9.588844] RTL871X: Index24G_BW40_Base[0][9] = 0x2c [ 9.594019] RTL871X: ======= Path 0, Channel 10 ======= [ 9.599440] RTL871X: Index24G_CCK_Base[0][10] = 0x2e [ 9.604651] RTL871X: Index24G_BW40_Base[0][10] = 0x2c [ 9.609898] RTL871X: ======= Path 0, Channel 11 ======= [ 9.615379] RTL871X: Index24G_CCK_Base[0][11] = 0x2e [ 9.620536] RTL871X: Index24G_BW40_Base[0][11] = 0x2c [ 9.625833] RTL871X: ======= Path 0, Channel 12 ======= [ 9.631262] RTL871X: Index24G_CCK_Base[0][12] = 0x2e [ 9.636465] RTL871X: Index24G_BW40_Base[0][12] = 0x2b [ 9.641712] RTL871X: ======= Path 0, Channel 13 ======= [ 9.647241] RTL871X: Index24G_CCK_Base[0][13] = 0x2e [ 9.652404] RTL871X: Index24G_BW40_Base[0][13] = 0x2b [ 9.657715] RTL871X: ======= Path 0, Channel 14 ======= [ 9.663147] RTL871X: Index24G_CCK_Base[0][14] = 0x2e [ 9.668360] RTL871X: Index24G_BW40_Base[0][14] = 0x2b [ 9.673608] RTL871X: ======= TxCount 0 ======= [ 9.678280] RTL871X: CCK_24G_Diff[0][0]= 0 [ 9.682537] RTL871X: OFDM_24G_Diff[0][0]= 1 [ 9.686956] RTL871X: BW20_24G_Diff[0][0]= 0 [ 9.691304] RTL871X: BW40_24G_Diff[0][0]= 0 [ 9.695704] RTL871X: EEPROMRegulatory = 0x0 [ 9.700056] RTL871X: mlmepriv.ChannelPlan = 0x20 [ 9.704897] RTL871X: CrystalCap: 0x21 [ 9.708704] RTL871X: EEPROM Customer ID: 0x 0 [ 9.713222] RTL871X: EEPROM : AntDivCfg = 0, TRxAntDivType = 3 [ 9.719322] RTL871X: Board Type: 0x 0 [ 9.723130] RTL871X: ThermalMeter = 0x1a [ 9.727259] RTL871X: <==== _ReadAdapterInfo8188EU in 390 ms [ 9.733280] RTL871X: init_channel_set ChannelPlan ID 20 Chan num:13 [ 9.741201] RTL871X: rtw_macaddr_cfg MAC Address = 28:f3:66:96:42:76 [ 9.748088] RTL871X: bDriverStopped:1, bSurpriseRemoved:0, bup:0, hw_init_completed:0 [ 9.756282] RTL871X: rtw_ndev_init(wlan0) [ 9.774511] RTL871X: _rtw_drv_register_netdev, MAC Address (if1) = 28:f3:66:96:42:76 [ 9.787120] usbcore: registered new interface driver rtl8188eu [ 9.793186] RTL871X: module init ret=0 ioctl() error:Cannot assign requested address! [ 10.808642] RTL871X: +871x_drv - drv_open, bup=0 [ 10.813449] RTL871X: Set RF Chip ID to RF_6052 and RF type to 1T1R. [ 10.820328] RTL871X: rtl8188e_FirmwareDownload fw:NIC, size: 13904 [ 10.826790] RTL871X: rtl8188e_FirmwareDownload: fw_ver=b fw_subver=0001 sig=0x88e1, Month=11, Date=27, Hour=30, Minute=36 [ 10.848184] RTL871X: polling_fwdl_chksum: Checksum report OK! (1, 0ms), REG_MCUFWDL:0x00030005 [ 10.857829] RTL871X: =====> _8051Reset88E(): 8051 reset success . [ 10.864268] RTL871X: _FWFreeToGo: Polling FW ready OK! (1, 10ms), REG_MCUFWDL:0x000300c6 [ 10.872666] RTL871X: FWDL success. write_fw:1, 30ms [ 11.134222] ==> rtl8188e_iol_efuse_patch [ 11.206956] RTL871X: pDM_Odm TxPowerTrackControl = 1 [ 11.387605] RTL871X: rtl8188eu_hal_init in 580ms [ 11.392697] RTL871X: hw_var_set_opmode()-4042 mode = 2 [ 11.400673] RTL871X: MAC Address = 28:f3:66:96:42:76 [ 11.406114] RTL871X: -871x_drv - drv_open, bup=1 Configuration file: /system/spdisk/rtl_hostapd_2G.conf drv->ifindex=2 mask: 255.255.255.0 NetGetMask ra0 nret=0 mask0=ffffffff wlan0--192.179.8.1 eth0--0.0.0.0 ioctl() error:No such device! NetGetMask eth0 nret=ffffffff mask1=0 --MAC: 28:f3:66:96:42:76 readuid fail l2_sock_recv==l2_sock_xmit=0x0x46f640[ 11.554280] RTL871X: set_mode = IW_MODE_MASTER Failed to request a scan of neighboring BSSes[ 11.562594] RTL871X: hw_var_set_opmode()-4042 mode = 3 [ 11.572028] RTL871X: rtw_hostapd_sta_flush [ 11.576762] RTL871X: rtw_sta_flush(wlan0) [ 11.580932] RTL871X: issue_deauth to ff:ff:ff:ff:ff:ff +rtl871x_sta_deauth_ops, ff:ff:ff:ff:ff:ff is deauth, reason=2[ 11.586743] RTL871X: rtw_set_encryption rtl871x_set_key_ops [ 11.595940] RTL871X: clear default encryption keys, keyid=0 rtl871x_set_key_ops [ 11.603845] RTL871X: rtw_set_encryption [ 11.609598] RTL871X: clear default encryption keys, keyid=1 rtl871x_set_key_ops [ 11.615478] RTL871X: rtw_set_encryption [ 11.621271] RTL871X: clear default encryption keys, keyid=2 rtl871x_set_key_ops [ 11.627119] RTL871X: rtw_set_encryption [ 11.632923] RTL871X: clear default encryption keys, keyid=3 Using interface wlan0 with hwaddr 28:f3:66:96:42:76 and ssid 'CM[ 11.639027] RTL871X: rtw_set_wps_assoc_resp, len=14 4A1CF-28f366964276c' rtl871x_set_wps_assoc_resp_ie [ 11.649743] RTL871X: rtw_set_wps_beacon, len=14 rtl871x_set_wps_beacon_ie rtl871x_set_wps_probe_resp_ie[ 11.658844] RTL871X: rtw_set_wps_probe_resp, len=14 rtl871x_set_beacon_ops [ 11.669249] RTL871X: rtw_set_beacon, len=149 [ 11.675748] RTL871X: rtw_check_beacon_data, len=135 [ 11.680824] RTL871X: [HT] Support STBC = 0x01 [ 11.685388] RTL871X: update_hw_ht_param [ 11.690032] RTL871X: update_hw_ht_param(): WLAN_HT_CAP_SM_PS_STATIC [ 11.703461] RTL871X: CH=4, BW=1, offset=1 [ 11.708214] RTL871X: HW_VAR_BASIC_RATE: 0x15f -> 0x15f -> 0x15f [ 11.715501] RTL871X: ### Set STA_(1) info [ 11.719669] RTL871X: update_bmc_sta=> mac_id:1 , raid:6 , bitmap=0xf [ 11.726289] RTL871X: rtl8188e_Add_RateATid=> mac_id:1 , raid:6 , ra_bitmap=0xf, shortGIrate=0x00 [ 11.735429] RTL871X: ### MacID(1),Set Max Tx RPT MID(2) [ 11.740967] RTL871X: ### rtl8188e_set_FwMediaStatus_cmd: MStatus=1 MACID=1 [ 11.748906] RTL871X: assoc success rtl871x_set_hidden_ssid ignore_broadcast_ssid:0, CM4A1CF-28f3669[ 11.752825] RTL871X: rtw_set_hidden_ssid(wlan0) ignore_broadcast_ssid:0, CM4A1CF-28f366964276c,21 64276c,21 rtl871x_set_acl Selected interface 'wlan0' Selected interface 'wlan0' OK udhcp server (v0.9.8) started 'val:192.179.8.1' 'val:(null)' 'val:255.255.255.0' 'val:192.179.8.1' 'val:(null)' 'val:local' 'val:864000' Unable to open /var/lib/misc/udhcpd.leases for reading Install AP OK! --MAC: 28:f3:66:96:42:76 get mac ad[ 12.986166] set sensor gpio as PA-low-10bit dr DeviceID=CM4A1CF-28f366964276-HBWY8f366964276EA read ssid : CM4A1CF-28f366964276c genssid cret = 1 [ 13.019612] jxh62 0-0030: jxh62 chip found @ 0x30 (i2c-gpio0) [ 13.025617] tx_isp: Registered sensor subdevice jxh62 0-0030 [ 13.767042] ###### image_tuning_v4l2_open 3905 ####### i264e[info]: profile Main, level 3.1 i264e[info]: profile Main, level 2.2 [ 13.793938] &&& chan0 scaler.max_width = 0 max_height = 0 min_width = 0 min_height = 0 &&& [ 13.806811] &&& chan1 scaler.max_width = 640 max_height = 480 min_width = 128 min_height = 128 &&& [chn1] scaler->outwidth = 640 scaler->outheight = 480, sscaler.o[ 13.818572] ------ come to i2s_enable utwidth = 640 sscaler.outheight = 480 enc init end DealH264en[ 13.826951] dma dma0chan24: Channel 24 have been requested.(phy id 7,type 0x06 desc a2276000) cThread FiRecRecordInit :0 mask: 255.255.255.0 end RTP init ch(0) WReFileThFlag:690ff4a0 will get uid readuid fail read ppconf fail [ 13.852470] dp->filter convert_16bits_stereo2mono [ 13.862218] codec_set_device 13 [ 13.865746] codec_set_device: set device: MIC... sh: /mnt/sdpp2sys: not found V V1 V V1 V V1
Edit 06/10/2019: I added functions for pins 1 and 2 (thanks CasperX!).
Hi, I have this wifi camera which worked fine for one day only. The day after, I wasn’t able to connect to my wifi network anymore, and I couldn’t even reset the board to restart wifi configuration.
I was doing some research and came across this website, however, all I could figure out is how to proceed with a uart connection, but didn’t understand how to get this board to work again.
Do I need to upload a new firmware? please give me more detailed information.
Many thanks.
Andre Soares
When playing with the device I came across similar problem. In my case few crucial daemons turned out to be overwritten with zeros. I don’t know what the reason for this is. From my experience, working UART is the key to diagnose the problem. Contact me via email, maybe I can give you few hints.
Hey, I’m pulling my hair out to have this camera working without the android application, with a generic RTSP address or something like that. I connected it with telnet and wandered into the files, I also tried to sniff the wifi communication, but I can’t seem to find something. Do you have a clue for that ?
That was also my goal. Unfortunately it seems to be harder than I thought. The problems I have is lack of working toolchain for compilation able to produce executables that just works with built in linker and also that camera driver does not follow video 4 linux standard. Because of that client application is mapping arbitrary memory areas into its process and does its stuff probably directly to hardware. Not a nice thing to analyze.
Maybe I will find some time to get back to it again, because the camera is quite interesting considering its price and capabilities.
Were you able to figure this out? I also have one of these and happened across this thread. In my case it worked fine but I lost the app when my phone crashed and can’t find another app that works it.
how do you identify uart pinout. I have the same problem but when i wire up uart adapter with pinout you specified. it shows nothing. nothing send, nothing received.
all 5 pin seems to reflect any data it received.
There are couple of resources teaching that. As far as I remember I used devttys0.com. I don’t know if it is still there. Generally you have to observe voltage and resistance on pins and then you make educated guess.
Are you sure you have your setup working and connection speed set to correct value?
Don’t forget to tell if you figured it out! It may happen that pinout is different on similarly looking board. Who knows what Chinese guys did.
Your “educated guess” pin out is correct 🙂 I have desolder the SoC and these UART pad is connected to UART1. Your unidentified 2 pins is UART0 RX and TX respectively. Maybe my u-boot is damaged so it can’t boot up anymore. Thanks for sharing.
Do you know which one is RX and which TX? I would update the post if they can be identified.
From your pinout,
1 is U0RX (TDI)
2 is U0TX (TDO)
3 is U1RX (TMS)
4 is U1TX (TCK)
5 is TRST // i don’t know why this pin is tied to ground directly. i tested it by measuring connectivity from known ground pin such as WiFi module and SPI Flash ground pin.
These pinout is from tracing the PCB trace visually and map it to SoC pinout.
I am not sure about these pin is working or not because I have been fried up the board when I solder the SoC back. It might be not friend up but in the state that can boot anymore.
I updated the post with information you provided. Thanks!
Hi, please send my link where are buy this module, i looked for on aliexpress and amazon but i cant find.
Thanks 🙂
I can’t help much, like with most of the offers on Chinese portals. You can never be sure if the item you buy is the one you looked for. Maybe these are no longer manufactured? If so, it would not be very surprising. They are constantly inventing something new and stop making the old thing. I bought the camera more than a year ago and in China its like a whole era.
Hi Kamil. I am sorry you cant hepl me. But hmmm, i tests cams from amazon (cca. 8 models), but dont have HW UART port, and open ports is only 80, 10213(unknown, not ssh, not telnet, …) 🙁 … Do you have experience whith this port 10213 ?
Did anyone figure this out?