The camera shown in the picture is a new design based on YI IoT software and ANYKA AK3918 SoC.

[rleyden559]

          The camera shown in the picture is a new design based on YI IoT software and ANYKA AK3918 SoC. 

I have just hacked access to the camera via Wi-Fi but because the camera does not Xiaomi Hi3518ev200 Chipset, thus I am not sure that you would be interested in the tarball of the camera system files. Please let me know
More information about AK3918 development, you can find in the following git repositories:
• ricardojlrufino/anyka_v380ipcam_experiments
• mucephi/anyka_ak3918_kernel
• ricardojlrufino/arm-anykav200-crosstool

Originally posted by @haps-basset in #195 (comment)

[rleyden559]

I have a very similar IP Cam to one in the closed thread. The layout of the PCB is similar but has a different rev # and date. I had been able to access it by FTP and telnet. Telnet required a simple hack,
Startup text:
Linux version 3.4.35 (zhaofeihong@dell-PowerEdge-R740) (gcc version 4.8.5 (anyka (gcc-4.8.5 + binutils-2.24 + ulcibc-0.9.33.2)(20170223)) ) #1 Mon Aug 1 19:43:47 CST 2022
CPU: ARM926EJ-S [41069265] revision 5 (ARMv5TEJ), cr=00053177.

The flash is read only except for a small jffs2 partition that stores local WIFI settings, etc.
I backed up the partitions to a SD card. But, I'm unsure if I can change U-Boot from telnet to boot from the SD card, thereby making the file system R/W. There is an update script but I'm not sure how to exploit it.
The PCB does not have UART RX and TX labeled. UART seems the standard why of accessing U-Boot.
I'd be happy to share what I have and would be interested in any tips. My main goals is to stream to a web browser instead of the Android app.

[rleyden559]

I'm adding 3 more photos;

1. SOC side showing more clearly board label: Y20GC_DF_MB_V1_1 , date: 20220708
2. Sensor -view of UART test points
3. Sensor side, portion obscured in 2.
   It seems I have no choice but to use the UART to interrupt u-boot. There are 7 read-only partitions on the flash memory reported by Linux but only 2 seem to be mounted, mtdblock4 and mtdblock5. Could one of the others hold u-boot?
   diskstats:
   1 0 ram0 0 0 0 0 0 0 0 0 0 0 0
   1 1 ram1 0 0 0 0 0 0 0 0 0 0 0
   7 0 loop0 0 0 0 0 0 0 0 0 0 0 0
   7 1 loop1 0 0 0 0 0 0 0 0 0 0 0
   31 0 mtdblock0 0 0 0 0 0 0 0 0 0 0 0
   31 1 mtdblock1 0 0 0 0 0 0 0 0 0 0 0
   31 2 mtdblock2 0 0 0 0 0 0 0 0 0 0 0
   31 3 mtdblock3 0 0 0 0 0 0 0 0 0 0 0
   31 4 mtdblock4 91 2432 5046 17000 0 0 0 0 0 15350 17000
   31 5 mtdblock5 126 3840 7932 27360 0 0 0 0 0 24450 27360
   31 6 mtdblock6 0 0 0 0 0 0 0 0 0 0 0
   179 0 mmcblk0 118 8512 8638 3000 2296 987 182831 594630 0 48210 597590
   179 1 mmcblk0p1 117 8512 8630 2990 2296 987 182831 594630 0 48200 597580
   
   
   

[hovercraft-github]

I have a very similar cam too. I wonder - what is "a simple hack" you used to telnet into it?

[kaaduu]

I have a very similar cam too. I wonder - what is "a simple hack" you used to telnet into it?

root password on telnet should be "yunyi666" - i decrypted by using hashcat

[rleyden559]

I'm not normally so cagey but I thought broadcasting the hack might cause back door to be closed. I'm now pretty sure the developer wouldn't care.
First, I noticed FTP was open on the cam. The android app conveniently tells you its IP address on the local network. Login: root, password: root, I think I just guessed.
The only writeable directory is /etc/fffs2, which contains local configuration files. Among the files is "time_zone.sh"
Normally this script has only one line as for example, " export TZ=GMT+08:00".
Add a second line, "/bin/telnetd &" to this file and copy/replace it in /etc/jffs2. After reboot, telnet in using root as the password.
Note that the original script is back so you would will have to to fix it again before rebooting again.
I was inspired by noting that service.sh (called in rc.local) does a "killall telnetd"
I hope this helps you.
Other progress: I used dd to copy all of the partitions to a SD card. Partition mtd1 looks like it contains the u_boot executable and partition mtd3 contains the boot.ini configuration. It seems like booting off the SD card could done by using the updater program. I looked at the instructions to do this and they appear to require commands, squasfs related that are not natively on my cam. Perhaps, I don't understand the method. Alternatively, perhaps the necessary tools could added to the SD card and run from there.

[ghost]

I am not sure that my hack will work for your camera, so as any ULA says use this recipe “AS IS” BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. In my case, I have found that the services.sh is invoked by sequences of the scripts started by inittab executing config.sh file at /mnt/debug/ if that one exists. To start telnetd service, you have to use SD card formatted as FAT32. Next step, create debug sub-dir and config.sh file on SD. My config.sh has got the following script: #! /bin/sh # /mnt/debug/config.sh telnetd & # comment out the rest of the lines if you don’t want to connect the camera to YI services. #killall -9 daemon #killall -9 cmd_serverd #killall -9 anyka_ipc #killall -9 service.sh #bind to your WiFi #/bin/sh /usr/sbin/wifi_run.sh #/bin/sh /usr/sbin/wpa_supplicant -B -iwlan0 -Dwext -f /tmp/wpa_log -c #/etc/jffs2/wpa_supplicant.conf #/bin/sh /usr/share/udhcpc -i wlan0 #sleep 3 I don’t want any connectivity to the YI services, thus my script kills all services invoked by the service.sh including anyka_ipc. Unfortunately, I don’t know how to initiate the camera’s video drivers, which I guess are initiated by YI server. I noticed some transaction in-out between anyka_ipc, but I was not able to fetch any controls. Without it, any attempt to read the video stream from /dev/video ends with a stack overflow error. I decided to use this method because it is easy to return to the factory setup just by removing sd card.

…

________________________________ From: rleyden559 ***@***.***> Sent: Monday, 20 March 2023 10:05 AM To: alienatedsec/yi-hack-v5 ***@***.***> Cc: Haps ***@***.***>; Mention ***@***.***> Subject: Re: [alienatedsec/yi-hack-v5] The camera shown in the picture is a new design based on YI IoT software and ANYKA AK3918 SoC. (Discussion #236) I'm not normally so cagey but I thought broadcasting the hack might cause back door to be closed. I'm now pretty sure the developer wouldn't care. First, I noticed FTP was open on the cam. The android app conveniently tells you its IP address on the local network. Login: root, password: root, I think I just guessed. The only writeable directory is /etc/fffs2, which contains local configuration files. Among the files is "time_zone.sh" Normally this script has only one line as for example, " export TZ=GMT+08:00". Add a second line, "/bin/telnetd &" to this file and copy/replace it in /etc/jffs2. After reboot, telnet in using root as the password. Note that the original script is back so you would will have to to fix it again before rebooting again. I was inspired by noting that service.sh (called in rc.local) does a "killall telnetd" I hope this helps you. Other progress: I used dd to copy all of the partitions to a SD card. Partition mtd1 looks like it contains the u_boot executable and partition mtd3 contains the boot.ini configuration. It seems like booting off the SD card could done by using the updater program. I looked at the instructions to do this and they appear to require commands, squasfs related that are not natively on my cam. Perhaps, I don't understand the method. Alternatively, perhaps the necessary tools could added to the SD card and run from there. — Reply to this email directly, view it on GitHub<#236 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AE7LCLBDA2P4J6GLYCPPV3LW46J3HANCNFSM6AAAAAAWAJJVPU>. You are receiving this because you were mentioned.Message ID: ***@***.***>

[filder35]

log
[root@anyka ~]$ dmesg
Booting Linux on physical CPU 0
Linux version 3.4.35 (zhaofeihong@dell-PowerEdge-R740) (gcc version 4.8.5 (anyka (gcc-4.8.5 + binutils-2.24 + ulcibc-0.9.33.2)(20170223)) ) #1 Mon Aug 1 19:43:47 CST 2022
CPU: ARM926EJ-S [41069265] revision 5 (ARMv5TEJ), cr=00053177
CPU: VIVT data cache, VIVT instruction cache
Machine: Cloud39EV2_AK3918E80PIN_MNBD
Memory policy: ECC disabled, Data cache writeback
ANYKA CPU AK3918 (ID 0x20150200)

telnet

My actions
go to ftp /etc/jffs2/time_zone.sh
add a second line to this file «/bin/telnetd &»
reload

go to telnet
mount
[root@anyka ~]$ mount /dev/mmcblk0p1 /mnt/mmc
[root@anyka ~]$ cd /mnt/mmc/mmc
[root@anyka /mnt/mmc/mmc]$ mkdir dump
copy the firmware
[root@anyka /mnt/mmc/mmc]$ cat /dev/mtd0 > /mnt/mmc/mmc/dump/mtd0.bin
[root@anyka /mnt/mmc/mmc]$ cat /dev/mtd1 > /mnt/mmc/mmc/dump/mtd1.bin
[root@anyka /mnt/mmc/mmc]$ cat /dev/mtd2 > /mnt/mmc/mmc/dump/mtd2.bin
[root@anyka /mnt/mmc/mmc]$ cat /dev/mtd3 > /mnt/mmc/mmc/dump/mtd3.bin
[root@anyka /mnt/mmc/mmc]$ cat /dev/mtd4 > /mnt/mmc/mmc/dump/mtd4.bin
[root@anyka /mnt/mmc/mmc]$ cat /dev/mtd5 > /mnt/mmc/mmc/dump/mtd5.bin
[root@anyka /mnt/mmc/mmc]$ cat /dev/mtd6 > /mnt/mmc/mmc/dump/mtd6.bin

We do not turn off the camera all this time so that our installed telnet does not fly off
extract from the mmc device and further actions on the computer with linux

take mtd5.bin

filder@filder-G31:~$ unsquashfs mtd5.bin
Parallel unsquashfs: Using 2 processors
311 inodes (384 blocks) to write

[===============================================================/] 384/384 100%

created 130 files
created 12 directories
created 181 symlinks
created 0 devices
created 0 fifos
filder@filder-G31:~$

folder will appear squashfs-root we go into it /sbin/service.sh

start_service ()
{
cmd_serverd

close_white_led

#ulimit -c unlimited
killall telnetd
echo "1" > /proc/sys/kernel/core_uses_pid
echo "/mnt/core_%e_%p_%t" > /proc/sys/kernel/core_pattern

and remove the line <> save

now we pack everything back

filder@filder-G31:~$ mksquashfs squashfs-root usr.sqsh4 -b 131072 -comp xz -Xdict-size 100%

file name usr.sqsh4 the firmware asks for it
meaning -b 131072 look from the original file that was saved on mmc

filder@filder-G31:~$ binwalk -t mtd5.bin

DECIMAL HEXADECIMAL DESCRIPTION

0 0x0 Squashfs filesystem, little endian, version 4.0,
compression:xz, size: 4689528 bytes, 323 inodes,
blocksize: 131072 bytes, created: 2022-11-09
02:40:49
we pack

filder@filder-G31:~$ mksquashfs squashfs-root usr.sqsh4 -b 131072 -comp xz -Xdict-size 100%
Parallel mksquashfs: Using 2 processors
Creating 4.0 filesystem on usr.sqsh4, block size 131072.
[===============================================================] 203/203 100%

Exportable Squashfs 4.0 filesystem, xz compressed, data block size 131072
compressed data, compressed metadata, compressed fragments,
compressed xattrs, compressed ids
duplicates are removed
Filesystem size 4579.62 Kbytes (4.47 Mbytes)
37.46% of uncompressed filesystem size (12225.29 Kbytes)
Inode table size 2164 bytes (2.11 Kbytes)
17.54% of uncompressed inode table size (12337 bytes)
Directory table size 2882 bytes (2.81 Kbytes)
53.47% of uncompressed directory table size (5390 bytes)
Number of duplicate files found 1
Number of inodes 323
Number of files 130
Number of fragments 17
Number of symbolic links 181
Number of device nodes 0
Number of fifo nodes 0
Number of socket nodes 0
Number of directories 12
Number of ids (unique uids + gids) 1
Number of uids 1
filder (1000)
Number of gids 1
filder (1000)
filder@filder-G31:~/IP_camera_project/remove_ipcam_my/xxx$

put the resulting file in mmc and paste it into the camera

By telnet

[root@anyka ~]$ cd /sbin
[root@anyka /sbin]$ updater local B=/mnt/mmc/mmc/usr.sqsh4

the system is updated, reboot and you have a permanent telnet with root

do everything at your own peril and risk carefully
here are the links where the guys worked with cameras, I studied with them, thanks a lot to them
EliasKotlyar/Xiaomi-Dafang-Hacks#1672

[filder35]

and remove the line killall telnetd save

[filder35]

Question
How to run RTSP on this camera?

[rleyden559]

Great work filder35.
I noticed that the following is in both anyka_cfg.ini (/etc/jffs2) and factory_cfg.in (/usr/bin/local)
..........
[cloud]
dana = 1
onvif = 0
rtsp = 0
,.......
changing rtsp = 1 in jffs2 seems to have no effect. Perhaps changing factory.cfg.ini would result in a rtsp stream.

In the factory configuration;
........
[root@anyka ~]$ netstat -l -enWp
udp 0 0 0.0.0.0:23106 0.0.0.0:*
413/anyka_ipc
udp 0 0 0.0.0.0:32108 0.0.0.0:*
413/anyka_ipc
udp 0 0 0.0.0.0:11671 0.0.0.0:*
413/anyka_ipc
udp 0 0 0.0.0.0:29613 0.0.0.0:*
413/anyka_ipc
.........
It looks like the executable anyka_ipc controls all the communication/streaming.

[filder35]

Perhaps changing factory.cfg.ini would result in a rtsp stream.

; cloud supported current, 1 -> supported, 0 -> unsupported
[cloud]
dana = 1
onvif = 1
rtsp = 1

Does not work. I will try other options.

[filder35]

Thanks for the tip.
I will try to change in factory.cfg.ini .
With full access and ftp , telnet changes can be made neatly. The only thing I have uboot does not stop. "Hit any key to stop autoboot: 0"
But it seems you can stop by pressing Ctrl + C more often. I'll post the results.

[rleyden559]

I tried to Ubuntu cross-compile a test program to run on the Anyka CPU under as;

arm-linux-gnueabi-gcc hello.c -o hello

I moved the executable to /mnt (SD card) and attempted to run through telnet as root. I got a “file not found”, which is because the default linker was not found.. The linker on the camera appears to be “/lib/ld-uClibc-0.9.33.2.so” so I tried’

arm-linux-gnueabi-gcc -Wl,--dynamic-linker -Wl,/lib/ld-uClibc-0.9.33.2.so -o hello hello.c

Which gives
./hello: can't load library 'libc.so.6'
The camera may use “/lib/ libuClibc-0.9.33.2.so” but including that also did not work.

Has anyone had success cross compiling programs? Or, better yet, found the Anyka toolchain and compiled programs natively,
OpenIPC has a tempting section of packages to cross-compile with seemingly detailed instructions. https://github.com/OpenIPC/camerasrnd/blob/master/crosscompile/index.md However, the ones I’ve tried don’t work as written.

UPDATE:
I have successfully cross-compiled an updated/expanded busybox that run without issues from /mnt (SD card) without issue.
I think the error was had above was not compiling with the "static" option. A complete and helpful guide is https://www.youtube.com/watch?v=KfktWz4Ko3A[](url).
Although some of the added busybox commands may be useful, this was just a proof of concept. I am exploring best next steps. I have my doubts whether openipc can easily interface with the camera sensors,

[ghost]

As I wrote before, yes I have. You can build your own sdk and toolchain for 3918 using rootbuilder. I was able to successfully create development environment for 3918 and kernel 3.4.35.

…

________________________________ From: rleyden559 ***@***.***> Sent: Wednesday, 26 April 2023 7:16 AM To: alienatedsec/yi-hack-v5 ***@***.***> Cc: Haps ***@***.***>; Mention ***@***.***> Subject: Re: [alienatedsec/yi-hack-v5] The camera shown in the picture is a new design based on YI IoT software and ANYKA AK3918 SoC. (Discussion #236) I tried to Ubuntu cross-compile a test program to run on the Anyka CPU under as; arm-linux-gnueabi-gcc hello.c -o hello I moved the executable to /mnt (SD card) and attempted to run through telnet as root. I got a “file not found”, which is because the default linker was not found.. The linker on the camera appears to be “/lib/ld-uClibc-0.9.33.2.so” so I tried’ arm-linux-gnueabi-gcc -Wl,--dynamic-linker -Wl,/lib/ld-uClibc-0.9.33.2.so -o hello hello.c Which gives ./hello: can't load library 'libc.so.6' The camera may use “/lib/ libuClibc-0.9.33.2.so” but including that also did not work. Has anyone had success cross compiling programs? Or, better yet, found the Anyka toolchain and compiled programs natively, OpenIPC has a tempting section of packages to cross-compile with seemingly detailed instructions. https://github.com/OpenIPC/camerasrnd/blob/master/crosscompile/index.md However, the ones I’ve tried don’t work as written. — Reply to this email directly, view it on GitHub<#236 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AE7LCLFKVYHACN36FZF5SX3XDBA33ANCNFSM6AAAAAAWAJJVPU>. You are receiving this because you were mentioned.Message ID: ***@***.***>

[rleyden559]

Haps-basset wrote As I wrote before, yes I have. You can build your own sdk and toolchain for 3918 using rootbuilder.
I must have missed it, but great!
Could you post a step-by-step procedure that you used?
Since my last post, I came to realize that my plan to compile a replacement for anyka_ipc had a serious problem. It seems that OpenIPC, despite its suggestive name, does not publish open source code to run an IP webcam. All I can find are scripts to modify systems or perhaps precompiled binaries for other SOC's than Anyka. So, my first real targets for cross compiling are reverse engineering tools, ltrace and strace, for example.
I would be happy if I could get the camera to sent out a rtsp video stream that I could manipulate on an external system. Externally, I would do motion detection and file management. I found the motion detection on the existing system is useless for me. It spits out constant false alarms (even at sensitivity "low") and seems to miss massive movement. As a test, I've run it side-by-side with a Raspberry PI setup with PiKrellcam. There is no real comparison.
I am curious about your goals and progress beyond building a toolchain.

[ghost]

I am happy to help you. As you have pointed out, there are many sdk/toolchains pretending that work with 3918 therefore before sending you the “recipe”, I would like to ask you to check that an image developed in my 3918 environments will work for you. I don’t want to create any confusion in case if my sdk does not support your particular HW. The image is linked as static and does not use any libraries. I am not sure that I would be able to attach the image to github post so in the worst scenario please point me, to where shall I send the image and source code. So far I was able to compile ffmpeg, ffmprobe and strace. You are asking me, what is the rationale or goal of my anyka cameras' studies. Well, A few months ago I bought a few cameras to secure my house and after 2-3 weeks, the cameras refused to connect to my Wi-Fi. The seller blamed everything but not his products, so I decided to hack them in order to get what I want. Furthermore, I am not interested to share with China spyware servers pictures from my backyard :) Like you, I would like to implement a set of services that will suit my security system built up on Home Assistant. So an implementation of RTPS, ONVIF etc is paramount for me. I have also considered OpenIPC, but it looks like some developers do not understand the open-source concept. Sorry for this digression. I am more than happy to cooperate, define some scope of work etc. [https://res-h3.public.cdn.office.net/assets/mail/file-icon/png/generic_16x16.png]helloworld<https://1drv.ms/u/s!Aqt-FGTf78f4ilW53S4uvpMlCcub> [https://res-h3.public.cdn.office.net/assets/mail/file-icon/png/generic_16x16.png]helloworld.c<https://1drv.ms/u/s!Aqt-FGTf78f4ilZZORvFV9K_KQap>

…

________________________________ From: rleyden559 ***@***.***> Sent: Sunday, 30 April 2023 10:40 AM To: alienatedsec/yi-hack-v5 ***@***.***> Cc: Haps ***@***.***>; Mention ***@***.***> Subject: Re: [alienatedsec/yi-hack-v5] The camera shown in the picture is a new design based on YI IoT software and ANYKA AK3918 SoC. (Discussion #236) Haps-basset wrote As I wrote before, yes I have. You can build your own sdk and toolchain for 3918 using rootbuilder. I must have missed it, but great! Could you post a step-by-step procedure that you used? Since my last post, I came to realize that my plan to compile a replacement for anyka_ipc had a serious problem. It seems that OpenIPC, despite its suggestive name, does not publish open source code to run an IP webcam. All I can find are scripts to modify systems or perhaps precompiled binaries for other SOC's than Anyka. So, my first real targets for cross compiling are reverse engineering tools, ltrace and strace, for example. I would be happy if I could get the camera to sent out a rtsp video stream that I could manipulate on an external system. Externally, I would do motion detection and file management. I found the motion detection on the existing system is useless for me. It spits out constant false alarms (even at sensitivity "low") and seems to miss massive movement. As a test, I've run it side-by-side with a Raspberry PI setup with PiKrellcam. There is no real comparison. I am curious about your goals and progress beyond building a toolchain. — Reply to this email directly, view it on GitHub<#236 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AE7LCLEDXJYCEGXXRSD6HI3XDW3WZANCNFSM6AAAAAAWAJJVPU>. You are receiving this because you were mentioned.Message ID: ***@***.***>

[rleyden559]

Thank you haps-basset for your quick reply.
Your links did not work for me as-is and using the trailing URL resulted only in the source for helloworld.c ,
Github says you can drag and drop files to attached to comments. For example, attached is the ldd output for anyka_ipc which I will get to below.
I am still interested in your recipe for building the toolchain, but it is not a high priority right now. I found a repository of arm static binaries that appear to work on the 3918 and include gdb.
https://github.com/therealsaumil/static-arm-bins
Here is the partial output from ltrace (0.7.91)
[root@anyka /mnt]$ ./ltrace.91 -r /usr/bin/anyka_ipc

0.000000 __uClibc_main(0x43e78, 1, 0xbe98ce24, 0x18db4 <unfinished ...>
 0.023523 memset(0xbfd90, 0, 324, 0)                                                           = 0xbfd90
 0.009747 pthread_rwlockattr_init(0xbe98cbe0, 0x3ffeac, 0x52574c4b, 0xbe98cbe0)                = 0
 0.027645 pthread_rwlockattr_setkind_np(0xbe98cbe0, 2, 0x52574c4b, 0xbe98cbe0)                 = 0 

OK, needs filtering and other work. Also, aborts after spitting out 250k of output. Perhaps, out of memory.
I did a little hacking years ago to change a free trial program to full release, but that was as simple as changing jmp to nop. The case at hand requires some strategic planning if I want to have any chance at all.
The ldd dump is one piece of the puzzle. libakmedia.so and libakstreamenc.so are called by anyka_ipc. However, it doesn't call akcamera.ko or the sensors( /usr/modules/sensor_gc1034.ko, /usr/modules/sensor_gc1054.ko, /usr/modules/sensor_h62.ko, /usr/modules/sensor_h63.ko ).
So might it be possible to invoke the camera output with a simple one line command and pipe it to something like ffmpeg (yet to be compiled)?
Any ideas or comments would be appreciated.

anyka_ipc_ldd.txt

[ghost]

Sorry for the link, I will try to fix it. I must admit I was lazy, and I responded to your post via Outlook, perhaps that is a reason for this "hiccup".
I will send you the How-To get a workable SDK and toolchain, but I have to warn you. The rootbuilder (rb) is quite demanding, and fussy, requiring a particular version of development tools thus getting support for Linux 3.4.35 environment was or is quite painful. The rb was developed by hackers for hackers and does not give a damn about previous releases. In order to get appropriate, clib and sdk for Anyka I had to use a particular version of rb. I am using an Ubuntu on wsl2 version 23.04 using rb 2022-11. I was not able to compile sdk using a newer version of rb because they do not support 3.4.35 kernel headers files. Using this version of rb, you will be able to reconstruct all apps such as strace,ltrace ffmpeg etc. I thought to send you a tarball of it sdk and rb but sdk is ~900M and rb 8.8GB !. If you wish, I am happy to send you as is. Just point me to the best suitable dump spot for you.
Even so, please give me a few days to write the recipe. I’ll verify all steps before sending you the How-To.
With regard to camera issues. My camera should use YI services and when I execute anyka-ipc I noticed that the app wanted to talk to some odd Chinese servers, but they don’t respond and after 2-3 minutes the app reboots the system. I was able to dump from strace log and anyka-ipc messages into files. As you will see, a lot of things are going on. It looks that the app somehow interacts with anyka camera kernel driver, but what is used to activate and control it, no idea. Please find attached tarball with dumps from strace, anyka_ipc and tops. Note, the tops dump is a set of the top dumps taken every second showing what happens during the init face of the os.
I would say that camera uses /dev/video device which is created by anyka camera drive akcamera
lsmod
Tainted: G
ssv6x5x 414810 0 - Live 0xbf025000 (O)
otg_hs 13846 0 - Live 0xbf01d000
ak_info_dump 1227 0 - Live 0xbf019000
akcamera 14136 2 ak_info_dump, Live 0xbf011000
sensor_H63 4066 0 - Live 0xbf00d000 (O)
sensor_h62 3136 0 - Live 0xbf009000
sensor_gc1054 4313 0 - Live 0xbf004000 (O)
sensor_gc1034 3813 0 - Live 0xbf000000
As I wrote before in my previous post, I compiled ffprobe with all libs (static). it runs on my camera but anytime when I request to show me driver/device info I am getting “Segmentation fault”. I have tried to run the ffprobe when anyka_ipc is running, but then I am getting the message that the device is busy, so it means that anyka_ipc does something to activate the drivers and concurs with your observations.
I would like to know your opinion on this matter.
I envy your attempt to hack/debug the anyka_ipc code. Furthermore, I am too lazy and too old fart to learn another CPU architecture. After Intel, Sparc, Alpha, M68, Power-PC and archaic VAX/Transputer I said to myself enough is enough, and it is time to rest (in peace.) 😊 but … If you wish, what do you think about ghirda from github. It is a pretty good toolkit that I used to hack my old router.
I had to follow github recommendation and I tar-ed up all files into one tar file.

dumps.tar.gz

[filder35]

Hello.
I join your thread. I also want to transfer the cameras to work on the home network using the onvif and rtsp protocols. I'm trying https://github.com/burlizzi/qiwen with no results so far. I'm still weak in programming but I'm learning. Here are some more links that I used to collect information
https://github.com/Nemobi/Anyka
but I understood this for ak3918ev300v18 and I have ak3918ev200. Here is https://github.com/burlizzi/anyka.
On the Chinese site I saw that they collect all the drivers on Ubuntu 16. I installed it myself and will try it. here is the log from loading Linux version 3.4.35 (longjiacheng2006@163.com@anyka) (gcc version 4.8.5 (anyka (gcc-4.8.5 + binutils-2.24 + ulcibc-0.9.33.2)(20170223))
gcc version 4.8.5
binutils-2.24
ulcibc-0.9.33.2
work better on earlier versions of Ubuntu.
If I get you right. Here is the compiler https://github.com/ricardojlrufino/arm-anykav200-crosstool . There is another Buildroot option.

[ghost]

aimer39_ak3918_defconfig.txt
CONFIG.txt

I had little free time and I wrote the procedure. Overall, the most time consuming was to recrieate the .config file.

1. Development enviorment
   uname -r
   5.15.90.1-microsoft-standard-WSL2
2. Download buildroot version 2022-11
   wget https://buildroot.org/downloads/buildroot-2022.11.tar.gz
3. Un-tar buildroot-2022.11.tar.gz at /opt (or whatever you like)
4. Install the following applications:
   apt-get install -y git unzip build-essential libtool bison bisonc++ libbison-dev autoconf
   apt-get install -y aptautotools-dev automake libssl-dev
   apt-get install -y zlib1g zlib1g-dev
   apt-get install -y libzzip-dev flex libfl-dev yui-compressor closure-compiler optipng jpegoptim
   apt-get install -y libtidy5deb1 node-less sassc sass-spec libhtml-tidy-perl libxml2-utils rsync
5. Copy attached CONFIG to /opt/buildroot-2022.11/.config
   cp CONFIG.txt /opt/buildroot-2022.11/.config
6. Copy attached aimer39_ak3918_defconfig to /opt/buildroot-2022.11/configs
   cp aimer39_ak3918_defconfig.txt /opt/buildroot-2022.11
7. cd /opt/buildroot-2011.11
8. (optional) make manuconfig // just to familiarize with setting
9. Run make
10. Wait
    …
11. Wait
12. If you lucky, you should get toolchain and sdk ready to use
13. Run make sdk
14. Wait
15. cp or un-tar /opt/buildroot-2022.11/output/images/arm-ak3918-linux-uclibcgnueabi_sdk-buildroot.tar.gz into /opt
16. set your PATH pointing to /opt/ /bin
17. done, you can compile your source code.
    Note: Some apps use libs from /opt/arm-ak3918-linux-uclibcgnueabi_sdk-buildroot/usr/lib and those you have to add to your Makefile.

[ghost]

Hi, filder35, thanks for your support. In the last 6 months, I have browsed and reviewed all those sdk/tool-kits or tool-chins with minimal success. I have always found something missing e.g., config files or toolkit was compiled for a 32-bit host, too old Linux version etc. I wasted a lot of time only to find that some links were dead, or the owners did not respond to my requests or insisted on using the software "as is", which was pointless because the compilers crashed. So that is the reason why I decided to build another toolkit chain.
But having the toolchain is only 30-40% of success.
My camera HW has got a very small footprint, therefore, soldering tx/rx links is not an option for me. I don't have a suitable soldering station, so I am not keen to change the OS image because, in case of a mistake, I would not get access to the system via telnet.
I decided to use the OS as is, just adding missing components such as onvif/rtps servers to the configuration via SD card, but in this approach, I need to use OS drivers. I think, my camera's driver uses /dev/video0 link to communicate with apps. Most reviewed solutions on GitHub use a shared memory mechanism, therefore it was pointless for me to copy or compile existing apps or source code. Furthermore, the driver is somehow activated by anyka_ipc remotely. I am going to snoop the transmission using Wireshark, but I need a Wi-Fi USB adaptor with monitor mode enabled, and it will take a few weeks to get it. Could you do me a favour, please?
Can you verify a mechanism that is used by your camera?
I wanted to send you ffmpeg/ffprobe but those images are too big for github. I need to find another method to send 80MB tarball :(

[filder35]

https://cloud.mail.ru/public/Rkwb/HThdw8EvF Try to drop it here.

[rleyden559]

haps-basset: Your note inspired me to look more closely at /dev/video0 on the running system. I downloaded ffmpeg Static Builds, https://johnvansickle.com/ffmpeg/ , (armel version) and they run OK from /mnt (SD card).
But, ffprobe reported “device video0 busy” which I suppose is no surprise giving anyka_ipc is running. “killall anyka_ipc” runs but checking “ps -A” it immediately returns with a new process ID. I also tried killing off “watchdog” with similar results.
It's possible that ffmpeg could still tee a stream from video0 but v4l2-utils may be required. This site gives a good tutorial https://4youngpadawans.com/stream-camera-video-and-audio-with-ffmpeg/.
First find the stream name;
v4l2-ctl --list-devices
then
ffmpeg -i video="ak_camera" -i hw:0 ........
Except "ak_camera" is apparently incorrect.
I got it by code below since I don't have v4l2-ctl yet;
root@anyka /dev]$ for I in /sys/class/video4linux/*; do cat $I/name; done
So, v2l2-ctl is my next step along this path.
I installed the toolchain according to your directions. Using it is another matter, the learning curve seems step. More to follow.

[ghost]

If you wish to build your own copy of v4l2, download source code from https://github.com/gjasny/v4l-utils
I hope that the sdk will work 4 you...

[ghost]

rleyden559: it means that we have got the same HW:)
I have the same problem, when the init script starts anyka_ipc it is almost impossible to kill it. Again, it is just a guess, but it looks like the anyka_ipc starts a watchdog thread which in the end reboots the camera if the camera does not connect to Chinese services.
I solved it by running the following script:

#! /bin/sh
telnetd &
#exit
killall -9 daemon
killall -9 cmd_serverd
killall -9 service.sh
/bin/sh -x /usr/sbin/wifi_run.sh
/bin/sh -x /usr/sbin/wpa_supplicant -B -iwlan0 -Dwext -f /tmp/wpa_log -c /etc/jffs2/wpa_supplicant.conf
/bin/sh -x /usr/share/udhcpc -i wlan0
sleep 3

As I wrote before, the script is invoked by init executing on my sd card script called config.sh @ /mnt/debug directory. As a result of it the service.sh is killed and as such, stops the execution of service.sh which calls anyka_ipc image.

Now, having OS running with WiFi service, you might start anyka_ipc via Telnet and observe all messages. I am quite sure that the anyka_ipc tries to connect to some services but what is needed to enable driver no idea.
Without anyka_ipc, any attempt to read from /dev/video0 just crashes the reader, giving a segmentation fault.
In my previous attachments in dump tars, I attached v4l2grab and yavta. Unfortunately, in my case any time when I point the driver to those apps, the apps hang... e.g. ffmpeg -i /dev/video0
When anyka_ipc is running, then ffmpeg/ffprobe shows the message "device is busy".

I will dump a copy of my ffmpeg and ffprob to the proposed dump

[rleyden559]

haps-basset: I'm having no success with your scripts. I put the above config.sh in the /mnt/debug directory. It does not seem to run on startup. I added a diagnostic line;
time > /etc/jff2s/success.txt
But the file in /etc/ff2s isn't created.
Moreover, I can't even run the script manually through telnet.
[root@anyka /mnt]$ ./config.sh
/bin/sh: ./config.sh: not found
Running ;
[root@anyka /mnt]$ /bin/ash ./config.sh
It comes back line-by-line with either file not found or "can't open .."
On a slightly more encouraging note, I generated ffmpeg and v4l2-ctl on the build root you pointed me to. Similar result as before. v4l2-ctl found "AK_CAMERA ()" but ffmpeg can't find it. I'm not sure if it's a syntax/ffmpeg usage error. I suspect, as you have said before, that anyka_ipc needs to killed.
This could be done by modify the Squashfs startup scripts as described by filder35 but I haven't had the guts to try that yet.
UPDATE:
I noticed in service.sh (on my cam anyway);
if [ $FACTORY_TEST = 1 ]; then /mnt/Factory/config.sh
I will try it with config.sh in /mnt/Factory but I I understand the script correctly I need to
# /usr/sbin/service.sh FACTORY_TEST = 1 start
I don't think that will work from telnet.

[ghost]

Hello there, I am sorry that I did not respond to your queries, but it looks like that is a quite big difference between your and my time zone.
Hmm, sorry that my hack did not work for you, perhaps I will explain how I found how to get the script to run on my camera. I am afraid that your OS setup is slightly different to mine.

Using FTP, I listed the top level of the OS and I found an image called “init”. Knowing that the init will invoke /etc/inittab I just follow the set of actions scripted on my camera during init phase of the boot.

The init invokes the following scripts in this particular order:

1. /etc/inittab and inittab calls for sysinit /etc/init.d/rcS
   Note: in my case
   #ttySAK0::respawn:/sbin/getty -L ttySAK0 115200 vt100 is commented so I cannot use UART !
2. /etc/init.d.rcS creates all system directory and mounts “echo “mount all file system…”” 😊
   At the end the init.d.rcS calls /etc/init.d/rc.local
3. /etc/init.d/rc.local mounts all partitions:

` # mount usr file-system.

/bin/mount -t squashfs /dev/mtdblock5 /usr

# mount jffs2 file-system. 

/bin/mount -t jffs2 /dev/mtdblock6 /etc/jffs2

#Creates ramdisk

#Load cameras’ driver module using /usr/sbin/camera.sh setup and 
   calls /usr/sbin/service.sh start `

4. /etc/sbin/service.sh defines PATH, setup running modes etc. and verifies

`if test -f /etc/jffs2/yi.conf ; then
PUSHID_MODE=0
else
TEST_MODE=1
fi

if [ ! -e "/etc/jffs2/time_zone.sh" ];then
echo "export TZ=GMT-08:00" > /etc/jffs2/time_zone.sh
chmod 777 /etc/jffs2/time_zone.sh
fi

if test -e /dev/mmcblk0p1 ;then
mount -rw /dev/mmcblk0p1 /mnt
elif test -e /dev/mmcblk0 ;then
mount -rw /dev/mmcblk0 /mnt
fi #That is a SD mounting procedure. The /dev/mmcblk0 is SD device

if test -d /mnt/Factory ;then
#check if Factory dir exists then FACTORY_TEST=1
FACTORY_TEST=1
else
FACTORY_TEST=0
fi

if test -d /mnt/debug ;then
DEBUG_MODE=1
else
DEBUG_MODE=0
fi
if test -d /mnt/update ;then
UPDATE_MODE=1
else
UPDATE_MODE=0
fi
`
next

if [ $FACTORY_TEST = 1 ]; then
/mnt/Factory/config.sh #execute first {sd}/Factory
#insmod /mnt/usbnet/udc.ko
#insmod /mnt/usbnet/g_ether.ko
#sleep 1
#ifconfig eth0 up
#sleep 1
#/usr/sbin/eth_manage.sh start
echo "######start yunyi product test."
# /mnt/usbnet/product_test &
fi

if [ $DEBUG_MODE = 1 ]; then
echo "#################debug mode##############"
/mnt/debug/config.sh
#debug script
fi
`
Note due to unknown for me reasons I was not able to run config.sh script using Factory mode. Somehow my camera only accepts DEBUG mode and as such the
config.sh must be in /mnt/debug/directory.
As you can see that is a secret how my camera executes script on SD 😊
I cannot guarantee you that this set of actions is executed on your machine. If your ftp still works, dump inittab and follow executions of the scripts.

Now, what does my script,

#! /bin/sh
telnetd & #starts telnetd daemon
#exit
killall -9 daemon #no idea, but I am killing unknown YI daemons ?
killall -9 cmd_serverd #ditto
killall -9 service.sh #kill the parent script
/bin/sh -x /usr/sbin/wifi_run.sh #start wi-fi
/bin/sh -x /usr/sbin/wpa_supplicant -B -iwlan0 -Dwext -f /tmp/wpa_log -c /etc/jffs2/wpa_supplicant.conf
/bin/sh -x /usr/share/udhcpc -i wlan0
sleep 3

That is all
I hope that will help you

PS. I am aware that the formatting is awful, so I will appreciate if you could help me to correct it. Many thanks

[ghost]

I have tried to dump ffmpeg/ffprobe to recommended dump spot but I am getting the following message
"Only registered users can download files..." Unfortunately, I don't speak Russian and I don't know how to register myself.

[filder35]

https://cloud.mail.ru/public/Rkwb/HThdw8EvF

[ghost]

Sorry , I am getting the same message, "Only ..."

[filder35]

https://drive.google.com/drive/folders/1N6rPFDEV9BO5zbuOiiXrotl19G-zuO1h?usp=sharing

[ghost]

Done

[filder35]

Thank you. Link will be made available

[filder35]

I'm studying anyka_ipc in Ghidra, here are the screenshots. While I'm studying. Maybe someone will lead to the right thoughts.

[ghost]

Whoow, you are an incredibly brave man. I am too old and too lazy to learn another bloody assembler, :) so sorry I would not be able to help you ... If you don't mind, what do you think about the study of anyka_ipc output? You could use text messages as references to your code. Furthermore, strace dump shows all system calls read/write and those could be used to find what and when the app accessing drivers. Overall all the best!
The dumps from strace and anyka_ip's output are attached in the first dump.tar.. :)

[ghost]

I used famous AI and I got the following response:

The AI points to
https://github.com/torvalds/linux/blob/master/drivers/media/platform/qcom/venus/venc.c
and
https://developer.qualcomm.com/comment/5624
Good luck

[filder35]

https://github.com/burlizzi/qiwen/blob/main/platform/libmpi/src/venc/ak_venc.c
https://github.com/grangerecords/anyka/tree/master
here are two resources. All this is going to ubuntu-16.04.6-desktop-i386 . Installed the system I will try.

[ghost]

Following your recommendation, I have installed Ubuntu version 18:04.6 32-bits on my laptop as a VM of VirtualBox

The kernel is:
uname -r
4.15.0-210-generic

Os release:
#more /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=18.04
DISTRIB_CODENAME=bionic
DISTRIB_DESCRIPTION="Ubuntu 18.04.6 LTS"

I have used a gcc compiler for ARM from recommended by your site:
./arm-none-linux-gnueabi-gcc-4.4.1 --version
arm-none-linux-gnueabi-gcc-4.4.1 (Sourcery G++ Lite 2009q3-67) 4.4.1
Copyright (C) 2009 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Unfortunately, attempt to compile “qiwen” gave me the following error:

make
make[1]: Entering directory '/root/development/dev_tests/qiwen/platform/rootfs'
Do Nothing for rootfs, exit...
make[1]: Leaving directory '/root/development/dev_tests/qiwen/platform/rootfs'
make[1]: Entering directory '/root/development/dev_tests/qiwen/platform/libplat'
make[2]: Entering directory '/root/development/dev_tests/qiwen/platform/libplat/src'
make[3]: Entering directory '/root/development/dev_tests/qiwen/platform/libplat/src/common'
arm-none-linux-gnueabi-gcc -fno-strict-aliasing -Os -Wall -D_GNU_SOURCE -std=c99 -fms-extensions -I/root/development/dev_tests/qiwen/platform/libplat/include -I/root/development/dev_tests/qiwen/platform/libplat/include_inner -I/root/development/dev_tests/qiwen/platform/libplat/src/include -c ak_common.c -o ak_common.o
ak_common.c: In function 'ak_get_ostime':
ak_common.c:527: warning: implicit declaration of function 'clock_gettime'
ak_common.c:527: error: 'CLOCK_MONOTONIC' undeclared (first use in this function)
ak_common.c:527: error: (Each undeclared identifier is reported only once
ak_common.c:527: error: for each function it appears in.)
ak_common.c: In function 'ak_get_localdate':
ak_common.c:548: error: storage size of 'value' isn't known
ak_common.c:550: warning: implicit declaration of function 'localtime_r'
ak_common.c:548: warning: unused variable 'value'
ak_common.c: In function 'ak_set_localdate':
ak_common.c:573: error: storage size of 'value' isn't known
ak_common.c:585: warning: implicit declaration of function 'mktime'
ak_common.c:573: warning: unused variable 'value'
ak_common.c: In function 'ak_seconds_to_string':
ak_common.c:631: error: storage size of 'value' isn't known
ak_common.c:631: warning: unused variable 'value'
ak_common.c: In function 'ak_seconds_to_date':
ak_common.c:654: error: storage size of 'value' isn't known
ak_common.c:654: warning: unused variable 'value'
ak_common.c: In function 'ak_date_to_seconds':
ak_common.c:680: error: storage size of 'tmp' isn't known
ak_common.c:680: warning: unused variable 'tmp'
Makefile:19: recipe for target 'ak_common.o' failed
make[3]: *** [ak_common.o] Error 1
make[3]: Leaving directory '/root/development/dev_tests/qiwen/platform/libplat/src/common'
Makefile:20: recipe for target 'all' failed
make[2]: *** [all] Error 1
make[2]: Leaving directory '/root/development/dev_tests/qiwen/platform/libplat/src'
Makefile:28: recipe for target 'all' failed
make[1]: *** [all] Error 1
make[1]: Leaving directory '/root/development/dev_tests/qiwen/platform/libplat'
Makefile:106: recipe for target 'all' failed
make: *** [all] Error 1

Some headers are missing but what?

The much better result I got when I compiled samples from anyka repository:
I would say that I compile all applications of anyka repo including the system kernel but my attempt to run some of them on camera was unsuccessful.

[root@anyka /mnt/tests]$ ./iwlist
-sh: ./iwlist: not found
[root@anyka /mnt/tests]$ ldd ./iwlist
checking sub-depends for 'not found'
checking sub-depends for '/lib/libgcc_s.so.1'
checking sub-depends for 'not found'
checking sub-depends for '/lib/libc.so.0'
ld-uClibc.so.0 => /lib/ld-uClibc.so.0 (0xb6f5b000)
libm.so.6 => not found (0x00000000)
libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x00000000)
libc.so.6 => not found (0x00000000)
libc.so.0 => /lib/libc.so.0 (0x00000000)
/lib/ld-uClibc.so.0 => /lib/ld-uClibc.so.0 (0x00000000)
[root@anyka /mnt/tests]$ ./akipcserver
-sh: ./akipcserver: not found
[root@anyka /mnt/tests]$ ldd ./akipcserver
checking sub-depends for 'not found'
checking sub-depends for 'not found'
checking sub-depends for '/usr/lib/libakaudiocodec.so'
checking sub-depends for '/usr/lib/libakaudiofilter.so'
checking sub-depends for 'not found'
checking sub-depends for 'not found'
checking sub-depends for 'not found'
checking sub-depends for '/lib/libstdc++.so.6'
checking sub-depends for 'not found'
checking sub-depends for '/lib/libgcc_s.so.1'
checking sub-depends for 'not found'
checking sub-depends for '/lib/libpthread.so.0'
ld-uClibc.so.0 => /lib/ld-uClibc.so.0 (0xb6fa6000)
libdl.so.0 => /lib/libdl.so.0 (0xb6f9a000)
libc.so.0 => /lib/libc.so.0 (0xb6f37000)
checking sub-depends for '/lib/libm.so.0'
libc.so.0 => /lib/libc.so.0 (0xb6f55000)
ld-uClibc.so.0 => /lib/ld-uClibc.so.0 (0xb6fb8000)
checking sub-depends for '/lib/libc.so.0'
ld-uClibc.so.0 => /lib/ld-uClibc.so.0 (0xb6f3e000)
libakuio.so => not found (0x00000000)
libakmedialib.so => not found (0x00000000)
libakaudiocodec.so => /usr/lib/libakaudiocodec.so (0x00000000)
libakaudiofilter.so => /usr/lib/libakaudiofilter.so (0x00000000)
libakstreamenclib.so => not found (0x00000000)
libasound.so.2 => not found (0x00000000)
libakmotiondetectlib.so => not found (0x00000000)
libstdc++.so.6 => /lib/libstdc++.so.6 (0x00000000)
libm.so.6 => not found (0x00000000)
libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x00000000)
libc.so.6 => not found (0x00000000)
libpthread.so.0 => /lib/libpthread.so.0 (0x00000000)
libm.so.0 => /lib/libm.so.0 (0x00000000)
libc.so.0 => /lib/libc.so.0 (0x00000000)
/lib/ld-uClibc.so.0 => /lib/ld-uClibc.so.0 (0x00000000)
/lib/ld-uClibc.so.0 => /lib/ld-uClibc.so.0 (0x00000000)
[root@anyka /mnt/tests]$

Perhaps you will have more luck.

[filder35]

filder@filder:$ uname -a
Linux filder 4.15.0-142-generic #14616.04.1-Ubuntu SMP Tue Apr 13 09:26:57 UTC 2021 i686 i686 i686 GNU/Linux
ubuntu-16.04.6-desktop-i386 https://drive.google.com/drive/folders/1HnJP7MLhmdTpXNJiwrXa_bqu_8NXy9F0?usp=sharing
1.filder@filder:$ cd /opt
2.filder@filder:$ git clone https://github.com/ricardojlrufino/arm-anykav200-crosstool.git
3.filder@filder:$ root@filder:/opt/sourse# cd /opt/sourse/arm-anykav200-crosstool
4.filder@filder:$ unzip arm-anykav200-crosstool.zip
5.filder@filder:$ sudo apt-get install gcc-4.8
6.filder@filder:$ cd /opt/sourse/
7.filder@filder:$ git clone https://github.com/burlizzi/qiwen
8.filder@filder:$ cd /opt/sourse/qiwen/platform
9. export ARH=arm
10. export CROSS_COMPILE=/opt/sourse/arm-anykav200-crosstool/arm-anykav200-crosstool/usr/bin/arm-anykav200-linux-uclibcgnueabi-
11.make

[ghost]

filder35, many thanks for the links. I tried to compile the qiwen but I have got a problem with gcc version. I would say that gcc version 4 2 was used to compile the kernel 3.4.35 and on the 32-bit platform. The rootbuild selected by me builds an arm compiler but version 12.
As a result of it, some old code style is perceived as an error by the new version of the compiler e.g.

ak_common.c:631:19: warning: unused variable ‘value’ [-Wunused-variable]
ak_common.c: In function ‘ak_seconds_to_date’:
ak_common.c:654:19: error: storage size of ‘value’ isn’t known
654 | struct tm value;
| ^~~~~

I got the following warning messages:
[-Wimplicit-function-declaration]
[-Wunused-variable]
[-Wreturn-type]

and I don't know how to force the compiler to pass those warnings.
I was not able to select a lower version of the compiler during building the ARM SDK/toolchain.

Perhaps you will have more luck, complaining about the code on an old version of the Ubuntu.
Unfortunately, I cannot downgrade my PC to this version of Ubuntu. :(

[filder35]

You can try an early version of Buildroot there in the GCC 4.5 selection settings

[filder35]

Now I collect according to your instructions above. On ubuntu-16.04.6-desktop-i386 I'll unsubscribe what happens.

[filder35]

My story is like this.
They gave the camera. They said the firmware crashed during the update. Having unsoldered the flash and read it on the programmer. The firmware cannot be restored. I found a dump on the Internet for a similar device and out of three I assembled one that started with WiFi for my module. But the problem arose. The sensor in my SC_1345 found the driver, the system picked it up by adding a module. I was interested in running RTCP onvif because I wanted to use it on my home network. I also ordered the same cameras, two pieces, but specially from different sellers. Came cameras for different services. One works with Yoosee, the second is YI Iot, the third is with HD IOT. It got me interested. For me, these cameras are like debug boards. To start the stream to the network on the DVR. Now I'm trying to create a universal system for my cameras, so that I can add modules and assemble them inside the system. qiwen built on his old computer by installing ubuntu-16.04.6-desktop-i386 on Ubuntu 18 and 20 errors constantly got out. It's easier to install ubuntu-16.04 and build . Haven't tried it on my cameras yet. The only thing I don’t have sd on any of the cameras is until the camera is fully started and I can’t find who launches sd. I work only with UART WiFI FTP. I wish sd worked. SD works when the camera connects to the service. In some ways, maybe I don’t understand, I’m learning.

[rleyden559]

filder35- Interesting story. Having a SD card and a writable storage definitely makes hacking easier. Do you see /dev/mmcblk0 or /dev/mmcblkop1 on your camera(s)? If they are present, you could try to mount them. I think the kernel will list them in /dev if the hardware is present.
Another thought; I bought my ipcams on Aliexpress for $22.34. https://www.aliexpress.us/item/3256804878943501.html?spm=a2g0o.order_list.order_list_main.31.68551802JXs1P7&gatewayAdapt=glo2usa&_randl_shipto=US (5 mp version-currently $24.89). I have considered buying a second for "high risk" hacking. Admittedly, there is no model number listed on Aliexpress so there is no guarantee that successive orders from the same listing give the exact same part. I wish there were a way to order a specific model with certainty.

[ghost]

Gentlemen, just a thought. We are using yi-hack-… repository posting plenty irrelevant to the repository posts. Perhaps is time to set up a repository e.g., E27-hack or whatever. We should not abuse the hospitality of our friends.

[filder35]

I don't mind

[rleyden559]

OK, can you set it up and point us there?

[ghost]

I am working on it :)

[filder35]

Dear haps-basset rleyden559, don't risk your cameras much, you can get a brick. I have a soldering station and I can solder and solder the flash as much as I can and I have flash drives in reserve. I can take risks. If you collect something, I can test it. And what kind of hardware do you have? I have SC_1345 sensor, rtl8188fu WiFi.

[rleyden559]

Thanks for the advice. Yesterday I was trying to kill anyka_ipc and associated programs when the camera "locked up". On power cycle the app no longer can find the camera but I could ftp in. The SD card had been reformatted (yikes!!!). I'm guessing a hard reset will re-establish the app but I haven't tried yet. Nothing I did could possibly have commanded the reformat, The SD card had a lot of dumps and tools so it's a hassle put it together again.
I ordered a pogo pin clamp 4 pins 2 mm pitch. https://www.aliexpress.us/item/3256801519242023.html?spm=a2g0o.new_account_index.0.0.506b25b9KYGKUw&gatewayAdapt=glo2usa I hope 2 mm is correct, I estimated from the photos.
I think the only way to move forward is to replace one or more startup scripts. I want to make the script conditional on a file either on the SD card or /etc/jffs2 . So I could control what gets loaded. A longer range objective would be direct the boot loader to boot off a system image (r/w) on the SD card.

[ghost]

With regard to your query about HW, I am not sure. The lsmod show modules/drivers for the following devices:
ssv6x5x 414810 0 - Live 0xbf025000 (O)
sensor_H63 4066 0 - Live 0xbf00d000 (O)
sensor_h62 3136 0 - Live 0xbf009000
sensor_gc1054 4313 0 - Live 0xbf004000 (O)
sensor_gc1034 3813 0 - Live 0xbf000000
It seems to me that ssv6x5x is a WiFi supporting 2.4 and 5GHz.,

[rleyden559]

Update on SD card crash: The SD card wasn't reformatted as I thought but corrupted. I was able to re-establish communication with the Android app only by removing the card. I had already done the hardware reset so I can't say what the state of system was. This is an issue only because I had run from telnet with /mnt/Factory/config.sh present.
/usr/sbin/service.sh FACTORY_TEST = 1 stop
I'll wait for my UART setup before exploring this further. Right now this was inconclusive because I had power cycled the system several times in quick succession while the Factory test potentially could have run.

[filder35]

I killed the camera again. I will program the flash drive. There is a dump. Collected qiwen . And I can’t figure out how to introduce it into the camera. I solved it by changing files. Updated . Now the camera won't play my . Writes /etc/init.d/rc.local: line 29: /usr/sbin/camera.sh: Permission d
enied , /etc/jffs2/service.sh: line 2: /usr/sbin/wifi_manage.sh: Permission denied. But no matter what I will go on.

[ghost]

I am not keen to update the flash. I am thinking to create a root for the platform on my SD card and then use chroot to point it as a root of the system.
I know that is a horrible hack, but why not :). What do you think about ?

[filder35]

https://ricardojlrufino.wordpress.com/2022/02/15/hack-ipcam-anyka-booting-rootfs-from-sdcard/
The idea is not bad here is not a big instruction. Work on an external device without touching the main one.

[rleyden559]

I had the same idea. Leaving the read only flash memory as a safe harbor that one can always fall back to makes sense. I'm not sure why you call it a horrible hack. It seems like there are many commercial products that have an analogous concept.

[filder35]

rleyden559 I agree with you about working with SD. We just change the algorithm of the device. External flash, broadcast to the network, recording to the DVR. And the internal flush is like a reserve airfield.

[ghost]

Well, perhaps we have got the different work experience and as such we got different view. I spent 40 years with Unix (Xenix, Solaris, HP-UX,DEC True Unix and, well... Linux.) I was lucky because, people who trained me and explained me Unix internals knew the topic in depth, mostly because they were not typical “trainers” but OS designers. Yes, I was lucky unfortunately SUN,DEC,HP and IBM Unix is dead. The chrood was always presented and used as a maintenance tool. It should not be used for production!. I think we should focus on the camera project, not judgment ideas. For me, usage of chrood will always be a horrible hack as the camera's os.

[ghost]

Cool idea, but I don't have UART console. I don't have tools to solder TX/RX cables to URAT -USB adaptor :( and as such I cannot control the boot process. My only access to the camera is telnet and ftp...
Did you recreate the root file system of the platform?

[filder35]

Not yet. I'm working on it. I'm trying to build the system in Buildroot 2017 using your config files. So far there are no errors. And I'm looking for a way to run on the SD card camera, I don't even have mmcblk0p1 in / dev. I don't understand the reasons yet. I'll post the results right away.
PS. The truth is somewhere near.

[ghost]

Be careful, my config may point to gcc ver 12... I was not able to change it. Check current config using make menuconfig.
Would you be able to dump for me /etc/inittab, /etc/init.d/rcS, /etc/init.d/rc.local and /usr/sbin/service.sh of your camera.
In my case small progress, I reconstructed root file system of the plafrom but most apps pointing to old root so I am working how to change old /root to newone at /mnt/mg_root on fly. The chroot should do it ,but how to reconstruct the /dev/ :)

[filder35]

https://drive.google.com/file/d/1fXXvbx84P6AQcOkuNvievrHEPRU9hFvT/view?usp=sharing
/etc/init.d/rc.local last line changed. I did the upload myself.

#start system service
/etc/jffs2/service.sh start &

[ghost]

Many thanks, your init files are exactly as mine with rc,local exception. I know that you move service.sh to jffs2 partition ,but the jffes2 in your dump is empty. Is it a problem with jffs2 or was not mounted?
I am surprised because I can see mmcblk0 and mmcblk0p1
Just a thought, did you format the sd as fat32 or Linux ext3?
I did something stupid in the past, destroying the sd. Can you read your card on PC and reformat? Just a thought!

[e27-camera-hack]

Hello,
I created a new project/repository for our discussion
e27-camera-hack/E27-Camera-Hack
I should get an invitation from the repo soon.
Haps

[e27-camera-hack]

I posted the first message from qiwen studies there.