├── .gitignore
├── LICENSE
├── README.md
├── analytics
    └── vendor.md
├── busybox
    └── build.md
├── compat.md
├── crosscompile
    ├── curl.md
    ├── elfutils.md
    ├── gdb.md
    ├── gettext.md
    ├── index.md
    ├── libargp.md
    ├── micropython.md
    ├── openssl.md
    ├── tcpdump.md
    └── zlib.md
├── debug
    └── ltrace.md
├── doc
    ├── XM-FAQ-en.md
    ├── XM-FAQ-ru.md
    ├── flash.md
    ├── links.md
    └── urls.md
├── hacking
    └── nfs.md
├── images
    ├── hisilicon_families.jpg
    └── preometheus_node_graphana_example.jpg
├── kernel
    ├── build.md
    ├── hi3516ev200
    │   └── 0001-Add-support-for-XM_XT25F64B-S-flash.patch
    └── modules.md
├── mini
    ├── ov9712.md
    └── Модуль-работы-с-SDK.md
├── patches
    └── openssl
    │   └── openssl-1.0.2l-hisilicon.patch
├── qemu
    └── userspace.md
├── reverse
    ├── ABI.md
    ├── approach.md
    ├── hitool.md
    ├── images
    │   ├── IDA_original_blob.png
    │   ├── IDA_original_load.png
    │   ├── IDA_original_opcodes.png
    │   ├── IDA_original_sections.png
    │   └── IDA_reference_start.png
    ├── kernel.md
    └── sofia.md
├── sensors
    ├── README.md
    └── sony_sensors.jpg
├── streaming
    └── youtube.md
├── toolchains.md
├── tricks
    └── romounts.md
├── uboot
    ├── CV300-Fix-network-broken-transfers.patch
    ├── README.md
    ├── images
    │   ├── 12attempts.png
    │   └── 34attempts.png
    └── reg_info
    │   └── reg_info_hi3516cv300.bin
├── utils
    └── add_xmuart.sh
├── wishlist.md
└── xm_get_telnet.md


/.gitignore:
--------------------------------------------------------------------------------
1 | .DS_Store
2 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
  1 |                     GNU GENERAL PUBLIC LICENSE
  2 |                        Version 3, 29 June 2007
  3 | 
  4 |  Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
  5 |  Everyone is permitted to copy and distribute verbatim copies
  6 |  of this license document, but changing it is not allowed.
  7 | 
  8 |                             Preamble
  9 | 
 10 |   The GNU General Public License is a free, copyleft license for
 11 | software and other kinds of works.
 12 | 
 13 |   The licenses for most software and other practical works are designed
 14 | to take away your freedom to share and change the works.  By contrast,
 15 | the GNU General Public License is intended to guarantee your freedom to
 16 | share and change all versions of a program--to make sure it remains free
 17 | software for all its users.  We, the Free Software Foundation, use the
 18 | GNU General Public License for most of our software; it applies also to
 19 | any other work released this way by its authors.  You can apply it to
 20 | your programs, too.
 21 | 
 22 |   When we speak of free software, we are referring to freedom, not
 23 | price.  Our General Public Licenses are designed to make sure that you
 24 | have the freedom to distribute copies of free software (and charge for
 25 | them if you wish), that you receive source code or can get it if you
 26 | want it, that you can change the software or use pieces of it in new
 27 | free programs, and that you know you can do these things.
 28 | 
 29 |   To protect your rights, we need to prevent others from denying you
 30 | these rights or asking you to surrender the rights.  Therefore, you have
 31 | certain responsibilities if you distribute copies of the software, or if
 32 | you modify it: responsibilities to respect the freedom of others.
 33 | 
 34 |   For example, if you distribute copies of such a program, whether
 35 | gratis or for a fee, you must pass on to the recipients the same
 36 | freedoms that you received.  You must make sure that they, too, receive
 37 | or can get the source code.  And you must show them these terms so they
 38 | know their rights.
 39 | 
 40 |   Developers that use the GNU GPL protect your rights with two steps:
 41 | (1) assert copyright on the software, and (2) offer you this License
 42 | giving you legal permission to copy, distribute and/or modify it.
 43 | 
 44 |   For the developers' and authors' protection, the GPL clearly explains
 45 | that there is no warranty for this free software.  For both users' and
 46 | authors' sake, the GPL requires that modified versions be marked as
 47 | changed, so that their problems will not be attributed erroneously to
 48 | authors of previous versions.
 49 | 
 50 |   Some devices are designed to deny users access to install or run
 51 | modified versions of the software inside them, although the manufacturer
 52 | can do so.  This is fundamentally incompatible with the aim of
 53 | protecting users' freedom to change the software.  The systematic
 54 | pattern of such abuse occurs in the area of products for individuals to
 55 | use, which is precisely where it is most unacceptable.  Therefore, we
 56 | have designed this version of the GPL to prohibit the practice for those
 57 | products.  If such problems arise substantially in other domains, we
 58 | stand ready to extend this provision to those domains in future versions
 59 | of the GPL, as needed to protect the freedom of users.
 60 | 
 61 |   Finally, every program is threatened constantly by software patents.
 62 | States should not allow patents to restrict development and use of
 63 | software on general-purpose computers, but in those that do, we wish to
 64 | avoid the special danger that patents applied to a free program could
 65 | make it effectively proprietary.  To prevent this, the GPL assures that
 66 | patents cannot be used to render the program non-free.
 67 | 
 68 |   The precise terms and conditions for copying, distribution and
 69 | modification follow.
 70 | 
 71 |                        TERMS AND CONDITIONS
 72 | 
 73 |   0. Definitions.
 74 | 
 75 |   "This License" refers to version 3 of the GNU General Public License.
 76 | 
 77 |   "Copyright" also means copyright-like laws that apply to other kinds of
 78 | works, such as semiconductor masks.
 79 | 
 80 |   "The Program" refers to any copyrightable work licensed under this
 81 | License.  Each licensee is addressed as "you".  "Licensees" and
 82 | "recipients" may be individuals or organizations.
 83 | 
 84 |   To "modify" a work means to copy from or adapt all or part of the work
 85 | in a fashion requiring copyright permission, other than the making of an
 86 | exact copy.  The resulting work is called a "modified version" of the
 87 | earlier work or a work "based on" the earlier work.
 88 | 
 89 |   A "covered work" means either the unmodified Program or a work based
 90 | on the Program.
 91 | 
 92 |   To "propagate" a work means to do anything with it that, without
 93 | permission, would make you directly or secondarily liable for
 94 | infringement under applicable copyright law, except executing it on a
 95 | computer or modifying a private copy.  Propagation includes copying,
 96 | distribution (with or without modification), making available to the
 97 | public, and in some countries other activities as well.
 98 | 
 99 |   To "convey" a work means any kind of propagation that enables other
100 | parties to make or receive copies.  Mere interaction with a user through
101 | a computer network, with no transfer of a copy, is not conveying.
102 | 
103 |   An interactive user interface displays "Appropriate Legal Notices"
104 | to the extent that it includes a convenient and prominently visible
105 | feature that (1) displays an appropriate copyright notice, and (2)
106 | tells the user that there is no warranty for the work (except to the
107 | extent that warranties are provided), that licensees may convey the
108 | work under this License, and how to view a copy of this License.  If
109 | the interface presents a list of user commands or options, such as a
110 | menu, a prominent item in the list meets this criterion.
111 | 
112 |   1. Source Code.
113 | 
114 |   The "source code" for a work means the preferred form of the work
115 | for making modifications to it.  "Object code" means any non-source
116 | form of a work.
117 | 
118 |   A "Standard Interface" means an interface that either is an official
119 | standard defined by a recognized standards body, or, in the case of
120 | interfaces specified for a particular programming language, one that
121 | is widely used among developers working in that language.
122 | 
123 |   The "System Libraries" of an executable work include anything, other
124 | than the work as a whole, that (a) is included in the normal form of
125 | packaging a Major Component, but which is not part of that Major
126 | Component, and (b) serves only to enable use of the work with that
127 | Major Component, or to implement a Standard Interface for which an
128 | implementation is available to the public in source code form.  A
129 | "Major Component", in this context, means a major essential component
130 | (kernel, window system, and so on) of the specific operating system
131 | (if any) on which the executable work runs, or a compiler used to
132 | produce the work, or an object code interpreter used to run it.
133 | 
134 |   The "Corresponding Source" for a work in object code form means all
135 | the source code needed to generate, install, and (for an executable
136 | work) run the object code and to modify the work, including scripts to
137 | control those activities.  However, it does not include the work's
138 | System Libraries, or general-purpose tools or generally available free
139 | programs which are used unmodified in performing those activities but
140 | which are not part of the work.  For example, Corresponding Source
141 | includes interface definition files associated with source files for
142 | the work, and the source code for shared libraries and dynamically
143 | linked subprograms that the work is specifically designed to require,
144 | such as by intimate data communication or control flow between those
145 | subprograms and other parts of the work.
146 | 
147 |   The Corresponding Source need not include anything that users
148 | can regenerate automatically from other parts of the Corresponding
149 | Source.
150 | 
151 |   The Corresponding Source for a work in source code form is that
152 | same work.
153 | 
154 |   2. Basic Permissions.
155 | 
156 |   All rights granted under this License are granted for the term of
157 | copyright on the Program, and are irrevocable provided the stated
158 | conditions are met.  This License explicitly affirms your unlimited
159 | permission to run the unmodified Program.  The output from running a
160 | covered work is covered by this License only if the output, given its
161 | content, constitutes a covered work.  This License acknowledges your
162 | rights of fair use or other equivalent, as provided by copyright law.
163 | 
164 |   You may make, run and propagate covered works that you do not
165 | convey, without conditions so long as your license otherwise remains
166 | in force.  You may convey covered works to others for the sole purpose
167 | of having them make modifications exclusively for you, or provide you
168 | with facilities for running those works, provided that you comply with
169 | the terms of this License in conveying all material for which you do
170 | not control copyright.  Those thus making or running the covered works
171 | for you must do so exclusively on your behalf, under your direction
172 | and control, on terms that prohibit them from making any copies of
173 | your copyrighted material outside their relationship with you.
174 | 
175 |   Conveying under any other circumstances is permitted solely under
176 | the conditions stated below.  Sublicensing is not allowed; section 10
177 | makes it unnecessary.
178 | 
179 |   3. Protecting Users' Legal Rights From Anti-Circumvention Law.
180 | 
181 |   No covered work shall be deemed part of an effective technological
182 | measure under any applicable law fulfilling obligations under article
183 | 11 of the WIPO copyright treaty adopted on 20 December 1996, or
184 | similar laws prohibiting or restricting circumvention of such
185 | measures.
186 | 
187 |   When you convey a covered work, you waive any legal power to forbid
188 | circumvention of technological measures to the extent such circumvention
189 | is effected by exercising rights under this License with respect to
190 | the covered work, and you disclaim any intention to limit operation or
191 | modification of the work as a means of enforcing, against the work's
192 | users, your or third parties' legal rights to forbid circumvention of
193 | technological measures.
194 | 
195 |   4. Conveying Verbatim Copies.
196 | 
197 |   You may convey verbatim copies of the Program's source code as you
198 | receive it, in any medium, provided that you conspicuously and
199 | appropriately publish on each copy an appropriate copyright notice;
200 | keep intact all notices stating that this License and any
201 | non-permissive terms added in accord with section 7 apply to the code;
202 | keep intact all notices of the absence of any warranty; and give all
203 | recipients a copy of this License along with the Program.
204 | 
205 |   You may charge any price or no price for each copy that you convey,
206 | and you may offer support or warranty protection for a fee.
207 | 
208 |   5. Conveying Modified Source Versions.
209 | 
210 |   You may convey a work based on the Program, or the modifications to
211 | produce it from the Program, in the form of source code under the
212 | terms of section 4, provided that you also meet all of these conditions:
213 | 
214 |     a) The work must carry prominent notices stating that you modified
215 |     it, and giving a relevant date.
216 | 
217 |     b) The work must carry prominent notices stating that it is
218 |     released under this License and any conditions added under section
219 |     7.  This requirement modifies the requirement in section 4 to
220 |     "keep intact all notices".
221 | 
222 |     c) You must license the entire work, as a whole, under this
223 |     License to anyone who comes into possession of a copy.  This
224 |     License will therefore apply, along with any applicable section 7
225 |     additional terms, to the whole of the work, and all its parts,
226 |     regardless of how they are packaged.  This License gives no
227 |     permission to license the work in any other way, but it does not
228 |     invalidate such permission if you have separately received it.
229 | 
230 |     d) If the work has interactive user interfaces, each must display
231 |     Appropriate Legal Notices; however, if the Program has interactive
232 |     interfaces that do not display Appropriate Legal Notices, your
233 |     work need not make them do so.
234 | 
235 |   A compilation of a covered work with other separate and independent
236 | works, which are not by their nature extensions of the covered work,
237 | and which are not combined with it such as to form a larger program,
238 | in or on a volume of a storage or distribution medium, is called an
239 | "aggregate" if the compilation and its resulting copyright are not
240 | used to limit the access or legal rights of the compilation's users
241 | beyond what the individual works permit.  Inclusion of a covered work
242 | in an aggregate does not cause this License to apply to the other
243 | parts of the aggregate.
244 | 
245 |   6. Conveying Non-Source Forms.
246 | 
247 |   You may convey a covered work in object code form under the terms
248 | of sections 4 and 5, provided that you also convey the
249 | machine-readable Corresponding Source under the terms of this License,
250 | in one of these ways:
251 | 
252 |     a) Convey the object code in, or embodied in, a physical product
253 |     (including a physical distribution medium), accompanied by the
254 |     Corresponding Source fixed on a durable physical medium
255 |     customarily used for software interchange.
256 | 
257 |     b) Convey the object code in, or embodied in, a physical product
258 |     (including a physical distribution medium), accompanied by a
259 |     written offer, valid for at least three years and valid for as
260 |     long as you offer spare parts or customer support for that product
261 |     model, to give anyone who possesses the object code either (1) a
262 |     copy of the Corresponding Source for all the software in the
263 |     product that is covered by this License, on a durable physical
264 |     medium customarily used for software interchange, for a price no
265 |     more than your reasonable cost of physically performing this
266 |     conveying of source, or (2) access to copy the
267 |     Corresponding Source from a network server at no charge.
268 | 
269 |     c) Convey individual copies of the object code with a copy of the
270 |     written offer to provide the Corresponding Source.  This
271 |     alternative is allowed only occasionally and noncommercially, and
272 |     only if you received the object code with such an offer, in accord
273 |     with subsection 6b.
274 | 
275 |     d) Convey the object code by offering access from a designated
276 |     place (gratis or for a charge), and offer equivalent access to the
277 |     Corresponding Source in the same way through the same place at no
278 |     further charge.  You need not require recipients to copy the
279 |     Corresponding Source along with the object code.  If the place to
280 |     copy the object code is a network server, the Corresponding Source
281 |     may be on a different server (operated by you or a third party)
282 |     that supports equivalent copying facilities, provided you maintain
283 |     clear directions next to the object code saying where to find the
284 |     Corresponding Source.  Regardless of what server hosts the
285 |     Corresponding Source, you remain obligated to ensure that it is
286 |     available for as long as needed to satisfy these requirements.
287 | 
288 |     e) Convey the object code using peer-to-peer transmission, provided
289 |     you inform other peers where the object code and Corresponding
290 |     Source of the work are being offered to the general public at no
291 |     charge under subsection 6d.
292 | 
293 |   A separable portion of the object code, whose source code is excluded
294 | from the Corresponding Source as a System Library, need not be
295 | included in conveying the object code work.
296 | 
297 |   A "User Product" is either (1) a "consumer product", which means any
298 | tangible personal property which is normally used for personal, family,
299 | or household purposes, or (2) anything designed or sold for incorporation
300 | into a dwelling.  In determining whether a product is a consumer product,
301 | doubtful cases shall be resolved in favor of coverage.  For a particular
302 | product received by a particular user, "normally used" refers to a
303 | typical or common use of that class of product, regardless of the status
304 | of the particular user or of the way in which the particular user
305 | actually uses, or expects or is expected to use, the product.  A product
306 | is a consumer product regardless of whether the product has substantial
307 | commercial, industrial or non-consumer uses, unless such uses represent
308 | the only significant mode of use of the product.
309 | 
310 |   "Installation Information" for a User Product means any methods,
311 | procedures, authorization keys, or other information required to install
312 | and execute modified versions of a covered work in that User Product from
313 | a modified version of its Corresponding Source.  The information must
314 | suffice to ensure that the continued functioning of the modified object
315 | code is in no case prevented or interfered with solely because
316 | modification has been made.
317 | 
318 |   If you convey an object code work under this section in, or with, or
319 | specifically for use in, a User Product, and the conveying occurs as
320 | part of a transaction in which the right of possession and use of the
321 | User Product is transferred to the recipient in perpetuity or for a
322 | fixed term (regardless of how the transaction is characterized), the
323 | Corresponding Source conveyed under this section must be accompanied
324 | by the Installation Information.  But this requirement does not apply
325 | if neither you nor any third party retains the ability to install
326 | modified object code on the User Product (for example, the work has
327 | been installed in ROM).
328 | 
329 |   The requirement to provide Installation Information does not include a
330 | requirement to continue to provide support service, warranty, or updates
331 | for a work that has been modified or installed by the recipient, or for
332 | the User Product in which it has been modified or installed.  Access to a
333 | network may be denied when the modification itself materially and
334 | adversely affects the operation of the network or violates the rules and
335 | protocols for communication across the network.
336 | 
337 |   Corresponding Source conveyed, and Installation Information provided,
338 | in accord with this section must be in a format that is publicly
339 | documented (and with an implementation available to the public in
340 | source code form), and must require no special password or key for
341 | unpacking, reading or copying.
342 | 
343 |   7. Additional Terms.
344 | 
345 |   "Additional permissions" are terms that supplement the terms of this
346 | License by making exceptions from one or more of its conditions.
347 | Additional permissions that are applicable to the entire Program shall
348 | be treated as though they were included in this License, to the extent
349 | that they are valid under applicable law.  If additional permissions
350 | apply only to part of the Program, that part may be used separately
351 | under those permissions, but the entire Program remains governed by
352 | this License without regard to the additional permissions.
353 | 
354 |   When you convey a copy of a covered work, you may at your option
355 | remove any additional permissions from that copy, or from any part of
356 | it.  (Additional permissions may be written to require their own
357 | removal in certain cases when you modify the work.)  You may place
358 | additional permissions on material, added by you to a covered work,
359 | for which you have or can give appropriate copyright permission.
360 | 
361 |   Notwithstanding any other provision of this License, for material you
362 | add to a covered work, you may (if authorized by the copyright holders of
363 | that material) supplement the terms of this License with terms:
364 | 
365 |     a) Disclaiming warranty or limiting liability differently from the
366 |     terms of sections 15 and 16 of this License; or
367 | 
368 |     b) Requiring preservation of specified reasonable legal notices or
369 |     author attributions in that material or in the Appropriate Legal
370 |     Notices displayed by works containing it; or
371 | 
372 |     c) Prohibiting misrepresentation of the origin of that material, or
373 |     requiring that modified versions of such material be marked in
374 |     reasonable ways as different from the original version; or
375 | 
376 |     d) Limiting the use for publicity purposes of names of licensors or
377 |     authors of the material; or
378 | 
379 |     e) Declining to grant rights under trademark law for use of some
380 |     trade names, trademarks, or service marks; or
381 | 
382 |     f) Requiring indemnification of licensors and authors of that
383 |     material by anyone who conveys the material (or modified versions of
384 |     it) with contractual assumptions of liability to the recipient, for
385 |     any liability that these contractual assumptions directly impose on
386 |     those licensors and authors.
387 | 
388 |   All other non-permissive additional terms are considered "further
389 | restrictions" within the meaning of section 10.  If the Program as you
390 | received it, or any part of it, contains a notice stating that it is
391 | governed by this License along with a term that is a further
392 | restriction, you may remove that term.  If a license document contains
393 | a further restriction but permits relicensing or conveying under this
394 | License, you may add to a covered work material governed by the terms
395 | of that license document, provided that the further restriction does
396 | not survive such relicensing or conveying.
397 | 
398 |   If you add terms to a covered work in accord with this section, you
399 | must place, in the relevant source files, a statement of the
400 | additional terms that apply to those files, or a notice indicating
401 | where to find the applicable terms.
402 | 
403 |   Additional terms, permissive or non-permissive, may be stated in the
404 | form of a separately written license, or stated as exceptions;
405 | the above requirements apply either way.
406 | 
407 |   8. Termination.
408 | 
409 |   You may not propagate or modify a covered work except as expressly
410 | provided under this License.  Any attempt otherwise to propagate or
411 | modify it is void, and will automatically terminate your rights under
412 | this License (including any patent licenses granted under the third
413 | paragraph of section 11).
414 | 
415 |   However, if you cease all violation of this License, then your
416 | license from a particular copyright holder is reinstated (a)
417 | provisionally, unless and until the copyright holder explicitly and
418 | finally terminates your license, and (b) permanently, if the copyright
419 | holder fails to notify you of the violation by some reasonable means
420 | prior to 60 days after the cessation.
421 | 
422 |   Moreover, your license from a particular copyright holder is
423 | reinstated permanently if the copyright holder notifies you of the
424 | violation by some reasonable means, this is the first time you have
425 | received notice of violation of this License (for any work) from that
426 | copyright holder, and you cure the violation prior to 30 days after
427 | your receipt of the notice.
428 | 
429 |   Termination of your rights under this section does not terminate the
430 | licenses of parties who have received copies or rights from you under
431 | this License.  If your rights have been terminated and not permanently
432 | reinstated, you do not qualify to receive new licenses for the same
433 | material under section 10.
434 | 
435 |   9. Acceptance Not Required for Having Copies.
436 | 
437 |   You are not required to accept this License in order to receive or
438 | run a copy of the Program.  Ancillary propagation of a covered work
439 | occurring solely as a consequence of using peer-to-peer transmission
440 | to receive a copy likewise does not require acceptance.  However,
441 | nothing other than this License grants you permission to propagate or
442 | modify any covered work.  These actions infringe copyright if you do
443 | not accept this License.  Therefore, by modifying or propagating a
444 | covered work, you indicate your acceptance of this License to do so.
445 | 
446 |   10. Automatic Licensing of Downstream Recipients.
447 | 
448 |   Each time you convey a covered work, the recipient automatically
449 | receives a license from the original licensors, to run, modify and
450 | propagate that work, subject to this License.  You are not responsible
451 | for enforcing compliance by third parties with this License.
452 | 
453 |   An "entity transaction" is a transaction transferring control of an
454 | organization, or substantially all assets of one, or subdividing an
455 | organization, or merging organizations.  If propagation of a covered
456 | work results from an entity transaction, each party to that
457 | transaction who receives a copy of the work also receives whatever
458 | licenses to the work the party's predecessor in interest had or could
459 | give under the previous paragraph, plus a right to possession of the
460 | Corresponding Source of the work from the predecessor in interest, if
461 | the predecessor has it or can get it with reasonable efforts.
462 | 
463 |   You may not impose any further restrictions on the exercise of the
464 | rights granted or affirmed under this License.  For example, you may
465 | not impose a license fee, royalty, or other charge for exercise of
466 | rights granted under this License, and you may not initiate litigation
467 | (including a cross-claim or counterclaim in a lawsuit) alleging that
468 | any patent claim is infringed by making, using, selling, offering for
469 | sale, or importing the Program or any portion of it.
470 | 
471 |   11. Patents.
472 | 
473 |   A "contributor" is a copyright holder who authorizes use under this
474 | License of the Program or a work on which the Program is based.  The
475 | work thus licensed is called the contributor's "contributor version".
476 | 
477 |   A contributor's "essential patent claims" are all patent claims
478 | owned or controlled by the contributor, whether already acquired or
479 | hereafter acquired, that would be infringed by some manner, permitted
480 | by this License, of making, using, or selling its contributor version,
481 | but do not include claims that would be infringed only as a
482 | consequence of further modification of the contributor version.  For
483 | purposes of this definition, "control" includes the right to grant
484 | patent sublicenses in a manner consistent with the requirements of
485 | this License.
486 | 
487 |   Each contributor grants you a non-exclusive, worldwide, royalty-free
488 | patent license under the contributor's essential patent claims, to
489 | make, use, sell, offer for sale, import and otherwise run, modify and
490 | propagate the contents of its contributor version.
491 | 
492 |   In the following three paragraphs, a "patent license" is any express
493 | agreement or commitment, however denominated, not to enforce a patent
494 | (such as an express permission to practice a patent or covenant not to
495 | sue for patent infringement).  To "grant" such a patent license to a
496 | party means to make such an agreement or commitment not to enforce a
497 | patent against the party.
498 | 
499 |   If you convey a covered work, knowingly relying on a patent license,
500 | and the Corresponding Source of the work is not available for anyone
501 | to copy, free of charge and under the terms of this License, through a
502 | publicly available network server or other readily accessible means,
503 | then you must either (1) cause the Corresponding Source to be so
504 | available, or (2) arrange to deprive yourself of the benefit of the
505 | patent license for this particular work, or (3) arrange, in a manner
506 | consistent with the requirements of this License, to extend the patent
507 | license to downstream recipients.  "Knowingly relying" means you have
508 | actual knowledge that, but for the patent license, your conveying the
509 | covered work in a country, or your recipient's use of the covered work
510 | in a country, would infringe one or more identifiable patents in that
511 | country that you have reason to believe are valid.
512 | 
513 |   If, pursuant to or in connection with a single transaction or
514 | arrangement, you convey, or propagate by procuring conveyance of, a
515 | covered work, and grant a patent license to some of the parties
516 | receiving the covered work authorizing them to use, propagate, modify
517 | or convey a specific copy of the covered work, then the patent license
518 | you grant is automatically extended to all recipients of the covered
519 | work and works based on it.
520 | 
521 |   A patent license is "discriminatory" if it does not include within
522 | the scope of its coverage, prohibits the exercise of, or is
523 | conditioned on the non-exercise of one or more of the rights that are
524 | specifically granted under this License.  You may not convey a covered
525 | work if you are a party to an arrangement with a third party that is
526 | in the business of distributing software, under which you make payment
527 | to the third party based on the extent of your activity of conveying
528 | the work, and under which the third party grants, to any of the
529 | parties who would receive the covered work from you, a discriminatory
530 | patent license (a) in connection with copies of the covered work
531 | conveyed by you (or copies made from those copies), or (b) primarily
532 | for and in connection with specific products or compilations that
533 | contain the covered work, unless you entered into that arrangement,
534 | or that patent license was granted, prior to 28 March 2007.
535 | 
536 |   Nothing in this License shall be construed as excluding or limiting
537 | any implied license or other defenses to infringement that may
538 | otherwise be available to you under applicable patent law.
539 | 
540 |   12. No Surrender of Others' Freedom.
541 | 
542 |   If conditions are imposed on you (whether by court order, agreement or
543 | otherwise) that contradict the conditions of this License, they do not
544 | excuse you from the conditions of this License.  If you cannot convey a
545 | covered work so as to satisfy simultaneously your obligations under this
546 | License and any other pertinent obligations, then as a consequence you may
547 | not convey it at all.  For example, if you agree to terms that obligate you
548 | to collect a royalty for further conveying from those to whom you convey
549 | the Program, the only way you could satisfy both those terms and this
550 | License would be to refrain entirely from conveying the Program.
551 | 
552 |   13. Use with the GNU Affero General Public License.
553 | 
554 |   Notwithstanding any other provision of this License, you have
555 | permission to link or combine any covered work with a work licensed
556 | under version 3 of the GNU Affero General Public License into a single
557 | combined work, and to convey the resulting work.  The terms of this
558 | License will continue to apply to the part which is the covered work,
559 | but the special requirements of the GNU Affero General Public License,
560 | section 13, concerning interaction through a network will apply to the
561 | combination as such.
562 | 
563 |   14. Revised Versions of this License.
564 | 
565 |   The Free Software Foundation may publish revised and/or new versions of
566 | the GNU General Public License from time to time.  Such new versions will
567 | be similar in spirit to the present version, but may differ in detail to
568 | address new problems or concerns.
569 | 
570 |   Each version is given a distinguishing version number.  If the
571 | Program specifies that a certain numbered version of the GNU General
572 | Public License "or any later version" applies to it, you have the
573 | option of following the terms and conditions either of that numbered
574 | version or of any later version published by the Free Software
575 | Foundation.  If the Program does not specify a version number of the
576 | GNU General Public License, you may choose any version ever published
577 | by the Free Software Foundation.
578 | 
579 |   If the Program specifies that a proxy can decide which future
580 | versions of the GNU General Public License can be used, that proxy's
581 | public statement of acceptance of a version permanently authorizes you
582 | to choose that version for the Program.
583 | 
584 |   Later license versions may give you additional or different
585 | permissions.  However, no additional obligations are imposed on any
586 | author or copyright holder as a result of your choosing to follow a
587 | later version.
588 | 
589 |   15. Disclaimer of Warranty.
590 | 
591 |   THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
592 | APPLICABLE LAW.  EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
593 | HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
594 | OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
595 | THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
596 | PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
597 | IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
598 | ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
599 | 
600 |   16. Limitation of Liability.
601 | 
602 |   IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
603 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
604 | THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
605 | GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
606 | USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
607 | DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
608 | PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
609 | EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
610 | SUCH DAMAGES.
611 | 
612 |   17. Interpretation of Sections 15 and 16.
613 | 
614 |   If the disclaimer of warranty and limitation of liability provided
615 | above cannot be given local legal effect according to their terms,
616 | reviewing courts shall apply local law that most closely approximates
617 | an absolute waiver of all civil liability in connection with the
618 | Program, unless a warranty or assumption of liability accompanies a
619 | copy of the Program in return for a fee.
620 | 
621 |                      END OF TERMS AND CONDITIONS
622 | 
623 |             How to Apply These Terms to Your New Programs
624 | 
625 |   If you develop a new program, and you want it to be of the greatest
626 | possible use to the public, the best way to achieve this is to make it
627 | free software which everyone can redistribute and change under these terms.
628 | 
629 |   To do so, attach the following notices to the program.  It is safest
630 | to attach them to the start of each source file to most effectively
631 | state the exclusion of warranty; and each file should have at least
632 | the "copyright" line and a pointer to where the full notice is found.
633 | 
634 |     <one line to give the program's name and a brief idea of what it does.>
635 |     Copyright (C) <year>  <name of author>
636 | 
637 |     This program is free software: you can redistribute it and/or modify
638 |     it under the terms of the GNU General Public License as published by
639 |     the Free Software Foundation, either version 3 of the License, or
640 |     (at your option) any later version.
641 | 
642 |     This program is distributed in the hope that it will be useful,
643 |     but WITHOUT ANY WARRANTY; without even the implied warranty of
644 |     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
645 |     GNU General Public License for more details.
646 | 
647 |     You should have received a copy of the GNU General Public License
648 |     along with this program.  If not, see <https://www.gnu.org/licenses/>.
649 | 
650 | Also add information on how to contact you by electronic and paper mail.
651 | 
652 |   If the program does terminal interaction, make it output a short
653 | notice like this when it starts in an interactive mode:
654 | 
655 |     <program>  Copyright (C) <year>  <name of author>
656 |     This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
657 |     This is free software, and you are welcome to redistribute it
658 |     under certain conditions; type `show c' for details.
659 | 
660 | The hypothetical commands `show w' and `show c' should show the appropriate
661 | parts of the General Public License.  Of course, your program's commands
662 | might be different; for a GUI interface, you would use an "about box".
663 | 
664 |   You should also get your employer (if you work as a programmer) or school,
665 | if any, to sign a "copyright disclaimer" for the program, if necessary.
666 | For more information on this, and how to apply and follow the GNU GPL, see
667 | <https://www.gnu.org/licenses/>.
668 | 
669 |   The GNU General Public License does not permit incorporating your program
670 | into proprietary programs.  If your program is a subroutine library, you
671 | may consider it more useful to permit linking proprietary applications with
672 | the library.  If this is what you want to do, use the GNU Lesser General
673 | Public License instead of this License.  But first, please read
674 | <https://www.gnu.org/licenses/why-not-lgpl.html>.
675 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | # Research & Development repository about cheap cameras (mainly XM manufactured)
  2 | 
  3 | PRs with additional information and corrections are welcome.
  4 | 
  5 | ## Where to begin?
  6 | 
  7 | - [OpenIPC wiki](https://openipc.org/wiki)
  8 | - [English XM FAQ](doc/XM-FAQ-en.md). Thanks to @vbelov42 for translation from Russian.
  9 | - [Russian XM FAQ](doc/XM-FAQ-ru.md).
 10 | - [How to get telnet on XM camera](xm_get_telnet.md)
 11 | 
 12 | ## Articles/books for newbies
 13 | 
 14 | - [George Hilliard. Mastering Embedded Linux, series of articles](https://www.thirtythreeforty.net/posts/2019/08/mastering-embedded-linux-part-1-concepts/)
 15 | - [Frank Vasquez, Chris Simmonds. Mastering Embedded Linux Programming, 3rd Edition](https://www.google.com/books/edition/Mastering_Embedded_Linux_Programming/K4ApEAAAQBAJ)
 16 | - [Linux Inside. A book-in-progress about the linux kernel and its insides](https://0xax.gitbooks.io/linux-insides/content/)
 17 | - [Alberto Liberal de los Ríos. Linux Driver Development for Embedded Processors, 2nd Edition](https://www.amazon.com/Linux-Driver-Development-Embedded-Processors-ebook/dp/B07L512BHG/)
 18 | - [Bootlin. Linux Kernel training materials](https://bootlin.com/doc/training/linux-kernel/)
 19 | - [Introducing ARM assembly language](http://www.cburch.com/books/arm/)
 20 | 
 21 | ## Telegram groups
 22 | 
 23 | - [OpenIPC English](https://t.me/openipc)
 24 | - [OpenIPC Russian, русская группа](https://t.me/joinchat/DJ_qFkdXU2CquZhdsVKlzg)
 25 | - [OpenIPC Iranian, یم OpenIpc برای کاربران ایرانی](https://t.me/joinchat/EgJJ10_xsEGEL1pnV4kKig)
 26 | 
 27 | ## Chip families information
 28 | 
 29 | Hardware structuring ([courtesy of OpenHisiIpCam project](https://github.com/OpenHisiIpCam/br-hisicam/blob/master/README.md#chip-families-information)):
 30 | 
 31 | | Chips                                              | shortcode   |
 32 | | -------------------------------------------------- | ----------- |
 33 | | [hi3516cv100, hi3518cv100, hi3518ev100, hi3518av100](https://drive.google.com/file/d/1XA5IqVb-mUvmYl_77TMnoNonvNgkq473/view) | hi3516cv100 |
 34 | | [hi3516dv100, hi3516av100](https://drive.google.com/file/d/1hwCMnwQ_nKL-weH3onGZ1njogz0cPKsK/view) | hi3516av100 |
 35 | | [hi3518ev200, hi3518ev201, hi3516cv200](https://drive.google.com/file/d/1nv-m7WFhhfAZ6xgynfZQh1ijtwmmf1UX/view) | hi3516cv200 |
 36 | | [hi3519v101](https://drive.google.com/file/d/1DMpPAnUBnijmC9u08I_D4nYpSZC2f4jx/view), [hi3516av200](https://drive.google.com/file/d/1j_3e2PaDu_j5Jy9f7ptRMN5IOwQft6iI/view) | hi3519v100 |
 37 | | [hi3516ev100, hi3516cv300](https://drive.google.com/file/d/1xZf-YiYSmB8sn9Lnj3obsR-x4AqDPa4D/view) | hi3516cv300 |
 38 | | hi3516dv300, hi3516av300, hi3516cv500              | hi3516cv500 |
 39 | | [hi3516ev200](https://drive.google.com/file/d/1zGBJ_SIazFqJ8d8bguURVVwIvF4ybFs1/view), hi3516dv200, hi3518ev300, [hi3516ev300](https://drive.google.com/file/d/1vjAQSrFoxioPq7OhL5taIyi2D0D_3WKc/view) | hi3516ev200 |
 40 | | hi3519av100                                        | hi3519av100 |
 41 | | hi3559av100                                        | hi3559av100 |
 42 | | gk7205v200, gk7605v100, gk7202v300, gk7205v300     | gk7205v300(*) |
 43 | | nt98562, nt98566                                   | nt9856x     |
 44 | | ssc337, ssc335                                     | ssc335      |
 45 | | xm510                                              | xm510       |
 46 | | xm550, xm530                                       | xm530       |
 47 | 
 48 | 
 49 | If you know about newer versions of full datasheets or can share them for different
 50 | camera types don't hesitate to make a PR.
 51 | 
 52 | (*) Successors of Hisilicon chips
 53 | 
 54 | | Hisilicon   | Goke       |
 55 | | ----------- | ---------- |
 56 | | hi3516ev200 | gk7205v200 |
 57 | | hi3516dv200 | gk7605v100 |
 58 | | hi3516ev300 | gk7205v300 |
 59 | | hi3518ev300 | gk7202v300 |
 60 | 
 61 | ## Performance and sensors
 62 | 
 63 | | Chip        | CPU                      | Encoder                             | JPEG substream | Sensors                                        |
 64 | |-------------|--------------------------|-------------------------------------|----------------|------------------------------------------------|
 65 | | hi3516av100 | A7 600MHz                | 5MP@30fps, 1080p@60fps, 1080p@30fps | 5MP@8fps       | IMX178, IMX385, IMX290, IMX185, OV4689, AR0237 |
 66 | | hi3516dv100 | A7 600MHz                | 5MP@15fps, 3MP@30fps, 1080p@30fps   | 5MP@8fps       | IMX178, IMX385, IMX290, IMX185, OV4689, AR0237 |
 67 | | hi3519v101  | A17 1.25GHz + A7 800MHz  | 12MP@15fps, 8MP@30fps               | 8MP@30fps      | IMX226, IMX274                                 |
 68 | | hi3516av200 | A17 1.25GHz + A7 800MHz  | 8MP@15fps, 6MP@30fps                | 8MP@30fps      | IMX274, OS08A10                                |
 69 | | hi3516dv300 | A7 900MHz (NNIE 1.0Tops) | 5MP@20fps, 1080p@30fps              | 16MP@10fps     | IMX385, IMX327                                 |
 70 | | hi3516cv500 | A7 900MHz (NNIE 0.5Tops) | 3MP@20fps, 1080p@30fps              | 16MP@10fps     | IMX327                                         |
 71 | | hi3518ev200 | ARM926 540MHz            | 720p@30fps                          | 2MP@5fps       | AR0130, OV9732, OV9712, F02                    |
 72 | | hi3516ev100 | ARM926 800MHz            | 1080p@20fps                         | 2MP@5fps       | IMX291, IMX323, SC3235                         |
 73 | | hi3516cv300 | ARM926 800MHz            | 1080p@30fps                         | 2MP@5fps       | IMX291, IMX323, SC3235                         |
 74 | | hi3516ev300 | A7 900MHz                | 4MP@15fps, 3MP@30fps                | 4MP@5fps       | IMX335                                         |
 75 | | hi3516ev200 | A7 900MHz                | 3MP@20fps, 1080p@30fps              | 3MP@5fps       | SC3235, IMX307                                 |
 76 | 
 77 | ![](images/hisilicon_families.jpg/?raw=true)
 78 | 
 79 | ## Hardware
 80 | 
 81 | - [Sensors information](sensors/README.md)
 82 | 
 83 | ### How to add new hardware support
 84 | 
 85 | - [Your new ARM SoC Linux support check-list](https://elinux.org/images/a/ad/Arm-soc-checklist.pdf)
 86 | - Sensor
 87 | - Flash
 88 | 
 89 | ## SDKs
 90 | 
 91 | ### HiSilicon
 92 | 
 93 | | Family      | Kernel  | U-Boot            | MPP    |
 94 | | ----------- | ------- | ----------------- | ------ |
 95 | | hi3516av100 | 3.4.35  |                   | v2     |
 96 | | hi3516av200 | 3.18.20 |                   | v3     |
 97 | | hi3516cv100 | 3.0.8   | 2010.06-svn       | v1     |
 98 | | hi3516cv200 | 3.4.35  |                   | v2     |
 99 | | hi3516cv300 | 3.18.20 | 2010.06-svn1098   | v3     |
100 | | hi3516cv500 | 4.9.37  |                   | v4     |
101 | | hi3516ev200 | 4.9.37  | 2016.11-g2fc5f58  | v4     |
102 | | hi3516ev300 | 4.9.37  |                   | v4     |
103 | | hi3519av100 | 4.9.37  |                   | v4     |
104 | | hi3559av100 | 4.9.37  |                   | v4     |
105 | 
106 | HiSilicon SDK naming principles:
107 | 
108 | `Hi35xxVxxxRxxxCxxSPCxxy`
109 | 
110 | Each field is explained as follows:
111 | 
112 | * `Hi35xx`, segment contains chip type
113 | * `Vxxx` segment contains the type of chip version
114 | * `Rxxx` segment contains the release package type:
115 |   - `R001`: Linux SDK
116 |   - `R002`: Huawei LiteOS SDK
117 |   - `R003`: Linux RDK reference design
118 |   - other R bit is not used
119 | * `Cxx` segment contains compiler specific environment
120 |   - `C00`: FPGA-based
121 |   - `C01`: type A compiler (e.g. `uclibc` based sysroot)
122 |   - `C02`: type B compiler (e.g. `glibc` based sysroot)
123 |   - `C03` and `C04` are reserved
124 |   - `C05`: Huawei LiteOS
125 |   - `C09`: based on Demo version
126 | * `SPCxxy` segment shows current version
127 |   - `xx` for each next release will be incremented by 1 (releases with fixed errors, additional features, etc)
128 |   - `xx0` indicates normal version, for temporary versions last character could be incremented by 1 in range from `1-9` and `A-z`.
129 | 
130 | ### XiongmaiTech
131 | 
132 | | Platform | Version    | Update time | Download link |
133 | | -------- | ---------- | ----------- | ------------- |
134 | | Windows  | V4.0.8.80	| 2020-02-27  | [link](https://obs-xm-pub.obs.cn-south-1.myhuaweicloud.com/openPlat/20200227/NetSDK_20200227.zip) |
135 | | Mac      |            | 2018-12-17  | [link](https://obs-xm-pub.obs.cn-south-1.myhuaweicloud.com/openPlat/20191221/MAC(20181217).zip) |
136 | | Linux    | V1.0.2.0	| 2020-01-10  | [link](https://obs-xm-pub.obs.cn-south-1.myhuaweicloud.com/openPlat/20200110/XNetSDK_20200110.zip) |
137 | 
138 | Latest versions were taken from [official site](https://oppf.xmcsrv.com/#/download?md=netSDK)
139 | 
140 | * [NetSDK client example](https://github.com/dimerr/xmconfigtool)
141 | 
142 | ## Sophisticated usage
143 | 
144 | [YouTube streaming](streaming/youtube.md)
145 | 
146 | ## Development
147 | 
148 | ### Low level programming
149 | 
150 | * [ARM9EJ-S Technical Reference Manual](http://infocenter.arm.com/help/topic/com.arm.doc.ddi0222b/DDI0222.pdf)
151 | * [PrimeCell UART (PL011) Technical Reference Manual](http://infocenter.arm.com/help/topic/com.arm.doc.ddi0183f/DDI0183.pdf)
152 | 
153 | ### Cross-compilation
154 | 
155 | - [Known toolchains](toolchains.md)
156 | - [Instructions for cross-compilation for different common software](crosscompile/index.md)
157 | 
158 | ### Development using SDK
159 | 
160 | - [Building custom kernel](kernel/build.md)
161 | - [Building Busybox](busybox/build.md)
162 | - [Hacking camera using NFS](hacking/nfs.md)
163 | 
164 | ### Debugging
165 | 
166 | - Debugging on board using gdbserver
167 | - [Ltrace debug](debug/ltrace.md)
168 | 
169 | ### Development tricks
170 | 
171 | - [Running ARM binaries using QEMU on dev host](qemu/userspace.md)
172 | - [Changing files on readonly volumes](tricks/romounts.md)
173 | 
174 | ### RE
175 | 
176 | - [Reverse binary Linux kernel](reverse/kernel.md)
177 | - [Reverse HiTool](reverse/hitool.md)
178 | - [Reverse Sofia](reverse/sofia.md)
179 | 


--------------------------------------------------------------------------------
/analytics/vendor.md:
--------------------------------------------------------------------------------
  1 | **Only vendors that have SoC in production state.**
  2 | 
  3 | **Only SoCs that used in chinese CCTV 38x38mm modules standard.**
  4 | 
  5 | 
  6 | ## Allwinner
  7 | 
  8 | http://www.allwinnertech.com/
  9 | 
 10 | https://github.com/linux-sunxi
 11 | 
 12 | * Allwinner V3
 13 | * Allwinner V3s
 14 | * Allwinner V5 - http://files.lindeni.org/lindenis-v5/ there is a lot of information on the chip for starting development in open sources (@Gatchenko) 
 15 | * Allwinner V40
 16 | * Allwinner V66
 17 | * Allwinner V316
 18 | * Allwinner V536 - http://files.lindeni.org/lindenis-v536/
 19 | 
 20 | 
 21 | ## Ambarella
 22 | 
 23 | http://www.ambarella.com
 24 | 
 25 | * ?
 26 | * ?
 27 | 
 28 | 
 29 | ## Anyka
 30 | 
 31 | http://www.anyka.com/en/
 32 | 
 33 | * AK3918EV200
 34 | * ?
 35 | 
 36 | 
 37 | ## Fullhan
 38 | 
 39 | https://www.fullhan.com/en/
 40 | 
 41 | * FH8852
 42 | * ?
 43 | 
 44 | 
 45 | ## GOKE
 46 | 
 47 | http://www.gokemicro.com/en/index.php?g=home&m=products&a=index&id=9
 48 | 
 49 | * GK7102C / GK7102S
 50 | * GK7101
 51 | 
 52 | 
 53 | ## GrainMedia
 54 | 
 55 | http://www.grain-media.com/
 56 | 
 57 | * GM8139
 58 | * GM8138 / GM8138S
 59 | * GM8136S / GM8135S
 60 | 
 61 | ## Hisilicon
 62 | 
 63 | http://www.hisilicon.com/en/
 64 | 
 65 | * ?
 66 | * ?
 67 | 
 68 | 
 69 | ## Ingenic
 70 | 
 71 | http://www.ingenic.com.cn/en/
 72 | 
 73 | * T31
 74 | * T21
 75 | * T20
 76 | * T10
 77 | 
 78 | 
 79 | ## MStar / Sigmastar
 80 | 
 81 | http://www.sigmastarsemi.com/en/index.aspx
 82 | 
 83 | http://linux-chenxing.org/
 84 | https://github.com/roleoroleo/yi-hack-MStar
 85 | https://github.com/borodiliz/docker-yi-hack
 86 | https://github.com/fifteenhex/linux-chenxing/blob/master/index.md
 87 | 
 88 | * SSC335
 89 | * MSC316DM
 90 | * MSC313E
 91 | 
 92 | ## Novatek
 93 | https://www.novatek.com.tw/
 94 | #### IPC
 95 | * NT98562
 96 | * NT98566
 97 | 
 98 | #### IPC+AI:
 99 | * NT98520
100 | * NT98525
101 | * NT98528
102 | * NT98529
103 | 
104 | ## TI
105 | 
106 | * DM368
107 | * DM365
108 | 
109 | 
110 | ## VATICS
111 | 
112 | http://www.vatics.com
113 | 
114 | * ?
115 | * ?
116 | 
117 | 
118 | ## XM
119 | 
120 | http://www.xiongmaitech.com/en/
121 | 
122 | * XM550
123 | * XM530
124 | * XM510
125 | 
126 | 


--------------------------------------------------------------------------------
/busybox/build.md:
--------------------------------------------------------------------------------
 1 | # Building Busybox
 2 | 
 3 | ```sh
 4 | cd $SDK_DIR/osdrv/opensource/busybox
 5 | tar xvf busybox-1.20.2.tgz
 6 | cd busybox-1.20.2
 7 | make ARCH=arm CROSS_COMPILE=arm-hisiv500-linux- defconfig
 8 | # use in case you need specify custom configuration for Busybox
 9 | # else just skip it:
10 | make ARCH=arm CROSS_COMPILE=arm-hisiv500-linux- menuconfig
11 | LDFLAGS="--static" make ARCH=arm CROSS_COMPILE=arm-hisiv500-linux- install CONFIG_PREFIX=./_rootfs
12 | ```
13 | 
14 | ## Building Busybox-only rootfs (Rescue mode) <a name="rescue"></a>
15 | 
16 | ```sh
17 | pushd _rootfs
18 | mkdir -p proc sys dev etc/init.d usr/lib new
19 | cat <<EOF > etc/init.d/rcS
20 | #!/bin/sh
21 | export PATH=/bin:/sbin:/usr/bin:/usr/sbin
22 | mount -t proc none /proc
23 | mount -t sysfs none /sys
24 | /sbin/mdev -s
25 | EOF
26 | chmod +x etc/init.d/rcS 
27 | popd
28 | 
29 | mksquashfs _rootfs busybox.squash -comp xz
30 | # get filesize to use it later in kernel params
31 | stat -c %s busybox.squash
32 | sudo mv busybox.squash /srv/atftp
33 | ```
34 | 


--------------------------------------------------------------------------------
/compat.md:
--------------------------------------------------------------------------------
 1 | ## SigmaStar and HiSilicon SoCs
 2 | 
 3 | This table has been [translated by CNX Software](
 4 | https://www.cnx-software.com/2021/05/05/sigmastar-ssc33x-camera-soc-pin-to-pin-compatible-hisilicon-hi3516-hi3518/),
 5 | originally taken from [16RD.com BBS](http://bbs.16rd.com/thread-568161-1-1.html).
 6 | 
 7 | 
 8 | Processor | Cortex A7 | Emb. RAM | Camera (res@FPS) | AI Accel | Proc | Compat. SoC |
 9 | --------- | --------- | -------- | ---------------- | -------- | ---- | ----------- |
10 | SSC333    | 1x        | 512 Mbit | 1080p@30, 3MP@20 |   None   | 28nm | Hi3518EV300 |
11 | SSC335    | 1x        | 512 Mbit |     3MP@30       |   None   | 28nm | Hi3518EV200 |
12 | SSC333D   | 1x        |   1 Gbit | 1080p@30, 3MP@20 |   None   | 28nm |             |
13 | SSC335D   | 1x        |   1 Gbit |     3MP@30       |   None   | 28nm |             |
14 | SSC337D   | 1x        |   1 Gbit | 1080p@60, 5MP@20 |   None   | 28nm | Hi3516EV300 |
15 | SSC336D   | 2x        |   1 Gbit |     3MP@30       | 0.5 TOPS | 22nm | Hi3516CV500 |
16 | SSC336Q   | 2x        |   2 Gbit |     3MP@30       | 0.5 TOPS | 22nm | Hi3516CV500 |
17 | SSC338Q   | 2x  (TBC) |   2 Gbit |      4K@20       | 0.5 TOPS | 22nm | Hi3516DV300 |
18 | SSC338G   | 2x  (TBC) |   None   |      4K@20       |   1 TOPS | 22nm | Hi3516DV300 |
19 | SSC339G   | 2x  (TBC) |   None   |      4K@30       |   1 TOPS | 22nm |             |
20 | 


--------------------------------------------------------------------------------
/crosscompile/curl.md:
--------------------------------------------------------------------------------
 1 | # Crosscompiling Curl
 2 | 
 3 | ## Dependencies
 4 | 
 5 | mbedTLS in case you need TLS support
 6 | 
 7 | ## Source
 8 | 
 9 | Curl (7.70.0)
10 | 
11 | Home page: https://curl.haxx.se
12 | Download: https://curl.haxx.se/download/curl-7.70.0.tar.xz
13 | 
14 | Home page: https://tls.mbed.org/
15 | Download: https://tls.mbed.org/code/releases/mbedtls-2.16.6-gpl.tgz
16 | 
17 | ## Instructions
18 | 
19 | ```sh
20 | # Download mbedTLS
21 | MBEDDIR=$(pwd)/_insall
22 | cmake -H. -Bbuild -DCMAKE_C_COMPILER=arm-hisiv500-linux-gcc \
23 |     -DCMAKE_EXPORT_COMPILE_COMMANDS=ON -DCMAKE_INSTALL_PREFIX=$MBEDDIR
24 | cmake --build build --target install
25 | 
26 | # Download curl
27 | CURLDIR=$(pwd)/_intall
28 | ./configure --host=arm-hisiv500-linux --prefix=$CURLDIR --without-ssl \
29 |     --with-mbedtls=$MBEDDIR
30 | make
31 | make install
32 | ```
33 | 


--------------------------------------------------------------------------------
/crosscompile/elfutils.md:
--------------------------------------------------------------------------------
 1 | # Crosscompiling Libelf from Elfutils
 2 | 
 3 | ## Dependencies
 4 | 
 5 | [Gettext](gettext.md)
 6 | 
 7 | [libargp](libargp.md)
 8 | 
 9 | [Zlib](zlib.md)
10 | 
11 | ## Source
12 | 
13 | Elfutils (0.178) - 8,797 KB:
14 | 
15 | Home page: https://sourceware.org/ftp/elfutils/
16 | 
17 | Download: https://sourceware.org/ftp/elfutils/0.178/elfutils-0.178.tar.bz2
18 | 
19 | MD5 sum: 5480d0b7174446aba13a6adde107287f
20 | 
21 | ## Instructions
22 | 
23 | ```sh
24 | $ ./configure --host=arm-hisiv500-linux \
25 |     --prefix=/opt/hisi-linux/x86-arm/arm-hisiv500-linux/usr \
26 |     LDFLAGS=-L/opt/hisi-linux/x86-arm/arm-hisiv500-linux/usr/lib \
27 |     --disable-debuginfod
28 | ```
29 | 
30 | Install only Libelf:
31 | 
32 | ```sh
33 | $ make -C libelf install
34 | $ install -vm644 config/libelf.pc /usr/lib/pkgconfig
35 | $ rm /usr/lib/libelf.a
36 | ```
37 | 
38 | ## Known problems
39 | 
40 | `posix_fallocate` issue on uClibc:
41 | 
42 | ```
43 | Making all in libelf
44 |   CC       elf_update.o
45 | elf_update.c: In function ‘write_file’:
46 | elf_update.c:98:4: error: implicit declaration of function ‘posix_fallocate’ [-Werror=implicit-function-declaration]
47 |     if (unlikely (posix_fallocate (elf->fildes, 0, size) != 0))
48 |     ^
49 | ```
50 | 


--------------------------------------------------------------------------------
/crosscompile/gdb.md:
--------------------------------------------------------------------------------
 1 | # Crosscompiling Gbb
 2 | 
 3 | ## Source
 4 | 
 5 | ## Instructions
 6 | 
 7 | ### Build full Gdb package
 8 | 
 9 | ```console
10 | $ tar xvf gdb-9.1.tar.xz
11 | $ mkdir build
12 | $ cd build
13 | $ ./configure --host=arm-buildroot-linux-uclibcgnueabihf
14 | $ make
15 | ```
16 | 
17 | ### Build only Gdbserver
18 | 
19 | ```console
20 | $ cd gdb-9.1/gdb/gdbserver
21 | $ ./configure --host=arm-buildroot-linux-uclibcgnueabihf
22 | $ make
23 | ```
24 | 


--------------------------------------------------------------------------------
/crosscompile/gettext.md:
--------------------------------------------------------------------------------
 1 | # Crosscompiling Gettext
 2 | 
 3 | ## Dependencies
 4 | 
 5 | No
 6 | 
 7 | ## Source
 8 | 
 9 | Gettext (0.20.1) - 9,128 KB:
10 | 
11 | Home page: http://www.gnu.org/software/gettext/
12 | 
13 | Download: http://ftp.gnu.org/gnu/gettext/gettext-0.20.1.tar.xz
14 | 
15 | MD5 sum: 9ed9e26ab613b668e0026222a9c23639
16 | 
17 | ## Instructions
18 | 
19 | ```sh
20 | $ ./configure --host=arm-hisiv500-linux --prefix=/opt/hisi-linux/x86-arm/arm-hisiv500-linux/usr
21 | $ make
22 | $ sudo make install
23 | ```
24 | 


--------------------------------------------------------------------------------
/crosscompile/index.md:
--------------------------------------------------------------------------------
 1 | # How to cross-compile packages
 2 | 
 3 | * [curl](curl.md)
 4 | 
 5 | * [elfutils](elfutils.md)
 6 | 
 7 | * [gettext](gettext.md)
 8 | 
 9 | * [gdb](gdb.md)
10 | 
11 | * [libargp](libargp.md)
12 | 
13 | * [micropython](micropython.md)
14 | 
15 | * [OpenSSL](openssl.md)
16 | 
17 | * [ZLib](zlib.md)
18 | 


--------------------------------------------------------------------------------
/crosscompile/libargp.md:
--------------------------------------------------------------------------------
 1 | # Crosscompiling libargp
 2 | 
 3 | ## Source
 4 | 
 5 | libargp is available from https://github.com/alexreg/libargp.
 6 | 
 7 | ## Instructions
 8 | 
 9 | ```sh
10 | $ git clone https://github.com/alexreg/libargp
11 | $ cd libargp
12 | $ sed -i 's/configure\"/configure\" --host=arm-hisiv500-linux --prefix=\/opt\/hisi-linux\/x86-arm\/arm-hisiv500-linux\/usr/g' build
13 | $ ./update-source
14 | $ ./build
15 | $ sudo cp gllib/libargp.a /opt/hisi-linux/x86-arm/arm-hisiv500-linux/usr/lib
16 | $ sudo cp include/argp.h /opt/hisi-linux/x86-arm/arm-hisiv500-linux/usr/include
17 | ```
18 | 


--------------------------------------------------------------------------------
/crosscompile/micropython.md:
--------------------------------------------------------------------------------
 1 | # Crosscompiling Micropython
 2 | 
 3 | ## Dependencies
 4 | 
 5 | No
 6 | 
 7 | ## Source
 8 | 
 9 | GitHub repo: https://github.com/micropython/micropython
10 | 
11 | ## Instructions
12 | 
13 | ```sh
14 | $ cd mpy-cross
15 | $ make
16 | $ cd ../ports/unix
17 | $ make submodules
18 | $ make CROSS_COMPILE=arm-hisiv500-linux- deplibs
19 | $ make CROSS_COMPILE=arm-hisiv500-linux- MICROPY_PY_FFI=0
20 | ```
21 | 
22 | ## Known problems
23 | 
24 | To use FFI features you'll need to crosscompile libffi first accoring
25 | [suggestion](https://forum.micropython.org/viewtopic.php?t=1648)
26 | 


--------------------------------------------------------------------------------
/crosscompile/openssl.md:
--------------------------------------------------------------------------------
 1 | # Crosscompiling OpenSSL
 2 | 
 3 | ## Dependencies
 4 | 
 5 | No
 6 | 
 7 | ## Versions
 8 | 
 9 | Use `openssl-1.0.2l` for Hisilicon patch compatibility
10 | 
11 | ## Source
12 | 
13 | Latest:
14 | 
15 | OpenSSL (1.1.1d) - 8,639 KB:
16 | 
17 | Home page: https://www.openssl.org/
18 | 
19 | Download: https://www.openssl.org/source/openssl-1.1.1d.tar.gz
20 | 
21 | MD5 sum: 3be209000dbc7e1b95bcdf47980a3baa
22 | 
23 | [Old releases](https://www.openssl.org/source/old/)
24 | 
25 | ## More information
26 | 
27 | [Official Compilation and Installation on ARM](https://wiki.openssl.org/index.php/Compilation_and_Installation#ARM)
28 | 
29 | ## Instructions
30 | 
31 | By default (without `shared` option in `./Configure` it's built as static
32 | library).
33 | 
34 | ```sh
35 | $ export LOCAL_OPENSSL_DIR=$(pwd)
36 | $ export CC=arm-hisiv500-linux-gcc
37 | $ export AR=arm-hisiv500-linux-ar
38 | $ export LD=arm-hisiv500-linux-ld
39 | $ ./Configure --prefix=$LOCAL_OPENSSL_DIR/install shared linux-armv4
40 | $ make build_crypto
41 | ```
42 | 
43 | ## Build custom Hisilicon engine
44 | 
45 | ```sh
46 | $ vim +17 demos/engines/hisilicon/Makefile
47 | ```
48 | 
49 | Fix to `CFLAGS += -I$(EV200SDK)/drv/interdrv/cipher/include -I$(EV200SDK)/mpp/include` 
50 | and add `LDFLAGS += -L$(EV200SDK)/mpp/lib` next line
51 | 
52 | ```sh
53 | $ make -C demos/engines/hisilicon gnu
54 | $ make intall
55 | $ cp demos/engines/hisilicon/libhisilicon.so install/lib/engines
56 | ```
57 | 
58 | ## Known issue
59 | 
60 | Linking errors like this:
61 | 
62 | ```sh
63 | ../libcrypto.a(x86_64cpuid.o): In function `OPENSSL_cleanse':
64 | (.text+0x1a0): multiple definition of `OPENSSL_cleanse'
65 | ```
66 | 
67 | Make additional `make clean` just before `./Configure`. Courtesy of [SO](https://stackoverflow.com/questions/16488629/undefined-references-when-building-openssl)
68 | 
69 | ## Benchmarks
70 | 
71 | ### Without acceleration
72 | 
73 | ```sh
74 | # ./openssl speed aes-128-cbc aes-192-cbc aes-256-cbc
75 | 
76 | # cv300 plain
77 | type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
78 | aes-128 cbc       8782.56k     9651.24k     9898.35k     9960.70k     9971.92k
79 | aes-192 cbc       7585.03k     8269.25k     8417.72k     8491.35k     8500.57k
80 | aes-256 cbc       6753.14k     7241.99k     7379.86k     7414.64k     7421.79k
81 | 
82 | # ev200 plain
83 | type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
84 | aes-128 cbc      14043.98k    15148.14k    15562.92k    15593.72k    15627.40k
85 | aes-192 cbc      12074.57k    12978.03k    13278.46k    13301.11k    13363.88k
86 | aes-256 cbc      10676.81k    11381.65k    11546.79k    11590.59k    11649.02k
87 | 
88 | # ev300 plain
89 | type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
90 | aes-128 cbc      14005.78k    15155.09k    15510.03k    15652.52k    15621.95k
91 | aes-192 cbc      12083.39k    12976.05k    13240.05k    13344.09k    13322.21k
92 | aes-256 cbc      10714.63k    11352.36k    11545.51k    11634.35k    11607.60k
93 | ```
94 | 


--------------------------------------------------------------------------------
/crosscompile/tcpdump.md:
--------------------------------------------------------------------------------
 1 | # Crosscompiling Tcpdump
 2 | 
 3 | ## Dependencies
 4 | 
 5 | Libnl
 6 | 
 7 | Libpcap
 8 | 
 9 | ## Source
10 | 
11 | 
12 | 
13 | ## Instructions
14 | 
15 | [Download](https://github.com/thom311/libnl/releases/download/libnl3_2_27/libnl-3.2.27.tar.gz)
16 | and build libnl first (static version):
17 | 
18 | ```sh
19 | ./configure CFLAGS="-static" --host=arm-hisiv500-linux \
20 |     --prefix=/opt/hisi-linux/x86-arm/arm-hisiv500-linux/usr
21 | make && sudo make install
22 | ```
23 | 
24 | Build libpcap:
25 | 
26 | ```sh
27 | ./configure --host=arm-hisiv500-linux \
28 |     --prefix=/opt/hisi-linux/x86-arm/arm-hisiv500-linux/usr \
29 |     LDFLAGS=-L/opt/hisi-linux/x86-arm/arm-hisiv500-linux/usr/lib
30 | make && sudo make install
31 | ```
32 | 
33 | Build tcpdump (static version):
34 | 
35 | ```sh
36 | ./configure "CFLAGS=-pthread -lm" --host=arm-hisiv500-linux \
37 |     --prefix=/opt/hisi-linux/x86-arm/arm-hisiv500-linux/usr \
38 |     LDFLAGS=-L/opt/hisi-linux/x86-arm/arm-hisiv500-linux/usr/lib
39 | make && sudo make install
40 | ```
41 | 


--------------------------------------------------------------------------------
/crosscompile/zlib.md:
--------------------------------------------------------------------------------
 1 | # Crosscompiling ZLib
 2 | 
 3 | ## Dependencies
 4 | 
 5 | No
 6 | 
 7 | ## Source
 8 | 
 9 | Zlib (1.2.11) - 457 KB:
10 | 
11 | Home page: https://www.zlib.net/
12 | 
13 | Download: https://zlib.net/zlib-1.2.11.tar.xz
14 | 
15 | MD5 sum: 85adef240c5f370b308da8c938951a68
16 | 
17 | ## Instructions
18 | 
19 | ```sh
20 | $ ./configure --prefix=/opt/hisi-linux/x86-arm/arm-hisiv500-linux/usr
21 | $ sudo make install
22 | ```
23 | 
24 | ## Known problems
25 | 
26 | To allow build static and shared library at the same time [use instructions from
27 | LFS project](http://www.linuxfromscratch.org/clfs/view/svn/ppc/final-system/zlib.html)
28 | 


--------------------------------------------------------------------------------
/debug/ltrace.md:
--------------------------------------------------------------------------------
 1 | # Use ltrace for debug
 2 | 
 3 | ## Known issues
 4 | 
 5 | ```sh
 6 | Ltrace fails with:
 7 | PTRACE_SINGLESTEP: Input/output error
 8 | ```
 9 | 
10 | See the [bug](https://code.kodo.org.uk/dom/buildroot/commit/efee851c614926dd9ed0f49c4808a6d9b4f64eb0)
11 | 


--------------------------------------------------------------------------------
/doc/XM-FAQ-en.md:
--------------------------------------------------------------------------------
  1 | # FAQ
  2 | 
  3 | This collection is compiled from messages found in Telegram channels `OpenIPC
  4 | software` and `OpenIPC modding`.
  5 | 
  6 | ## Contents
  7 | 
  8 | ### Original firmware
  9 | 
 10 | - [How to activate Telnet server?](#activate_telnet)
 11 | 
 12 | - [How to set password for Telnet?](#telnet_pwd)
 13 | 
 14 | - [How to deal with locked parameters in U-Boot?](#setenv)
 15 | 
 16 | - [What is Sofia?](#Sofia)
 17 | 
 18 | - [Is there any way to control camera using private Chinese protocol?](#netsdk)
 19 | 
 20 | - [How to encode sound for the camera?](#sound)
 21 | 
 22 | ### Hacking
 23 | 
 24 | - [After killing Sofia camera reboots](#watchdog)
 25 | 
 26 | - [How to do a full-scale webcapture?](#fullcapture)
 27 | 
 28 | ### Software
 29 | 
 30 | - [How to measure chip temperature?](#temperature)
 31 | 
 32 | ### Hardware
 33 | 
 34 | - [What connector type to use for the board?](#jack)
 35 | 
 36 | - [Using PoE](#poe)
 37 | 
 38 | - [How does IR illumination works?](#ir)
 39 | 
 40 | - [How to use Ethernet from U-Boot?](#mii)
 41 | 
 42 | - [Why there is a sponge bush on lens?](#lenss)
 43 | 
 44 | ---
 45 | 
 46 | ## How to activate Telnet server? <a name="activate_telnet"></a>
 47 | 
 48 | The easiest way is to utilize any serial USB-UART adapter. You need to connect
 49 | it to camera's UART connector, reboot the device by power down, during boot
 50 | press Ctrl-C to reach U-Boot console, and enter command:
 51 | 
 52 | ```
 53 | setenv telnetctrl 1; saveenv
 54 | ```
 55 | 
 56 | Of course, this will require camera disassembly, a practice with serial console,
 57 | and wiring skills. Alternative method need no disassembly, but demand firmware
 58 | modification, hence it isn't suitable for novice users. It can be found
 59 | [here](https://github.com/OpenIPC/camerasrnd/blob/master/get_telnet.md).
 60 | 
 61 | ## How to set password for Telnet? <a name="telnet_pwd"></a>
 62 | 
 63 | 
 64 | One can't do this with stock firmware. Yet, Telnet in XM camers can be considered
 65 | safe, except someone nasty will reach local network. Of course, all my installed
 66 | cameras have firmware modified and passwords changed. :)
 67 | 
 68 | (c) Dmitry Ermakov
 69 | 
 70 | ## How to deal with locked parameters in U-Boot? <a name="setenv"></a>
 71 | 
 72 | Sometimes manufacturer locks certain parameters in U-Boot, i.e. on some XM
 73 | cameras one can't change `xmuart`. To unlock it I dump current parameters
 74 | using `printenv`, save results to file (env.txt), add my parameters there
 75 | (`xmuart=0`). Then command `mkenvimage -s 0x10000 -o u-boot.env.img env.txt`
 76 | converts parameters file to image, that can be loaded using `loady` or any
 77 | other way, which will alter env.
 78 | 
 79 | (c) Dmitry Ermakov
 80 | 
 81 | ## What is Sofia? <a name="Sofia"></a>
 82 | 
 83 | This is thick executable file that contains _entire_ camera functionality
 84 | starting from DHCP client, till RTSP server and private control protocol.
 85 | Originally Chinese shamelessly copied all that from Dahua, where it was
 86 | called Sonia, now in XM cameras it became Sofia.
 87 | 
 88 | (c) Max
 89 | 
 90 | ## Is there any way to control camera using private Chinese protocol? <a name="netsdk"></a>
 91 | 
 92 | There are some tools:
 93 | 
 94 | * [Python-DVR](https://github.com/NeiroNx/python-dvr), supports firmware updates
 95 | 
 96 | * [SofiaCtl](https://github.com/667bdrm/sofiactl)
 97 | 
 98 | * [DVRip](https://github.com/alexshpilkin/dvrip)
 99 | 
100 | * [numenworld-ipcam](https://github.com/johndoe31415/numenworld-ipcam/blob/master/nwipcam)
101 | 
102 | * [NetSDK for C#](https://github.com/QuantMad/WinNetSDK)
103 | 
104 | ## After `killall Sofia` camera reboots <a name="watchdog"></a>
105 | 
106 | One should unload watchdog kernel module, i.e. `rmmod xm_watchdog`.
107 | 
108 | (c) Sergey Sharshunov
109 | 
110 | ## How to do a full-scale webcapture? <a name="fullcapture"></a>
111 | 
112 | Use the following:
113 | ```diff
114 | --- ./orig/HI3516EV300_IPC_85H50AI_LIBXMCAP.json        2020-06-11 16:58:06.446462210 +0300
115 | +++ ./HI3516EV300_IPC_85H50AI_LIBXMCAP.json     2020-06-11 21:45:16.978003244 +0300
116 | @@ -230,8 +230,8 @@
117 |                                 "VencMode":
118 |                                 [
119 |                                         {
120 | -                                               "VpssChn": 2,
121 | -                                               "EncCapSizeSrcs": ["HD1"],
122 | +                                               "VpssChn": 1,
123 | +                                               "EncCapSizeSrcs": ["720P"],
124 |                                         }
125 |                                 ]
126 |                         },
127 | ```
128 | Now webcapture sends picture of 2592x1944, tested with EV300+IMX335.
129 | 
130 | (c) Dmitry Ermakov
131 | 
132 | ## What is Crypto data?
133 | 
134 | That's XM cameras specific. Previously private settings (sensor type, run modes
135 | table, MAC address) were stored in a separate Crypto-memory chip, hence the
136 | name. Later, Crypto-memory was changed to EEPROM, and lately a dedicated chip
137 | was removed, and all data was moved to the main flash storage.
138 | 
139 | The problem is, that if this information is lost (erased), then camera will
140 | forget what it is. Ethernet card will drop to default MAC address, as well as
141 | native soft will stop coding video, since it won't know the run mode. The
142 | encryption algorithm is known, yet structure and contents remain a mystery.
143 | The MAC address was located and there is description how to change it.
144 | 
145 | Before any experiments with firmware one can do configuration export using
146 | CMS or IE. In resulting file locate `__tempinfo`, everything after that can be
147 | deleted. This would be a backup copy of Crypto data, but one needs to subtract
148 | 9 from every byte to get magic value "D2 D4".
149 | 
150 | In flash memory Crypto is located in the last 1024 bytes of boot partition
151 | (before env). Crypto's signature is 2 bytes 0xD2D4. Upon updating U-Boot for
152 | another (i.e. the latest) version, there will be no way back. With U-Boot
153 | flashed you will loose Crypto, which is stored at the very end of bootloader
154 | before env. One needs to flash bootloader in such a way to keep Crypto, or
155 | to make dedicated backup.
156 | 
157 | (c) Igor Zorin
158 | 
159 | > What uses Crypto data? Sofia?
160 | 
161 | One can say it happens before lauch of Sofia, because shared memory with HWID
162 | is alreay initialized by kernel modules. And that memory contains main useful
163 | information from Crypto to date.
164 | 
165 | There is a way to [generate Crypto data with new MAC address](https://github.com/nikitos1550/XM_ipcam_crypto_generator)
166 | (tested with Hi3516cv100/Hi3518cv100).
167 | 
168 | ## How to reset camera's password from Telnet?
169 | 
170 | Remove accounting data with:
171 | `rm /mnt/mtd/Config/Account*`
172 | 
173 | ## How to dump native firmware?
174 | 
175 | See advices [here (in Russian)](https://zftlab.org/pages/2018020100.html).
176 | 
177 | The method above doesn't work for new U-boot version 2016, which have firmware
178 | dump functionality removed. See advice below.
179 | 
180 | ## How to dump firmware from running system?
181 | 
182 | The system doesn't protect its own flash, so when you're inside, you can simply
183 | read corresponding block devices with `cat /dev/mtdblock[x] > /tmp/mtdx` and
184 | have entire image.
185 | 
186 | A script to build full flash image in one file:
187 | 
188 | ```sh
189 | mount -t nfs -o nolock serverip:/srv/nfs
190 | cd /utils
191 | MAX=$(ls -1r /dev/mtdblock* | head -n 1 | sed 's/[^0-9]*//g')
192 | echo -ne >ff.img
193 | i=0
194 | while [ "$i" -le "$MAX" ]; do
195 |     echo "Dump $i part"
196 |     cat /dev/mtdblock$i >> ff.img
197 |     i=$((i+1))
198 | done
199 | sync
200 | ```
201 | 
202 | The same, but saving partitions to separate files:
203 | 
204 | ```sh
205 | mount -t nfs -o nolock serverip:/srv/nfs
206 | cd /utils
207 | MAX=$(ls -1r /dev/mtdblock* | head -n 1 | sed 's/[^0-9]*//g')
208 | i=0
209 | while [ "$i" -le "$MAX" ]; do
210 |     NAME=`grep mtd$i: /proc/mtd | awk '{gsub(/"/, "", $4); print $4}'`   
211 |     echo "Dump $NAME"
212 |     cat /dev/mtdblock$i >> $NAME.img
213 |     i=$((i+1))
214 | done
215 | sync
216 | ```
217 | 
218 | ## How to restore original firmware?
219 | 
220 | Find and download the latest firmware for your device. Full procedure is
221 | described [here](https://www.cctvsp.ru/articles/vosstanovlenie-proshivki-i-sbros-parolya)
222 | (in Russian, also with some links to firmware). Another good place to look for
223 | firmware is [here](https://www.cctvsp.ru/articles/obnovlenie-proshivok-dlya-ip-kamer-ot-xiong-mai).
224 | 
225 | Long story short. Unpack firmware archive (usually it's a ZIP file internally)
226 | and put resulting files on TFTP server. Connect the camera to network and run
227 | commands:
228 | 
229 | ```
230 | setenv serverip 192.168.1.254; sf probe 0; sf lock 0; run dc; run dr; run du; run dw; reset
231 | ```
232 | 
233 | ## How to measure chip temperature? <a name="temperature"></a>
234 | 
235 | This is very specific for each chip. Here are some known methods.
236 | 
237 | `Hi3516CV200 / Hi3518EV200 / Hi3518EV201`:
238 | ```sh
239 | devmem 0x20270110 32 0x60FA0000 ; devmem 0x20270114 8  | awk '{print "CPU temperature: " ((($1)*180)/256)-40}'
240 | ```
241 | 
242 | `Hi3516CV300 / Hi3518EV100`:
243 | ```sh
244 | devmem 0x1203009C 32 0x60FA0000 ; devmem 0x120300A4 16 | awk '{print "CPU temperature: " (((($1)-125.0)/806)*165)-40}'
245 | ```
246 | 
247 | `Hi3516EV200 / Hi3516EV300`:
248 | ```sh
249 | devmem 0x120280B4 32 0xC3200000 ; devmem 0x120280BC 16 | awk '{print "CPU temperature: " (((($1)-117)/798)*165)-40}'
250 | ```
251 | 
252 | `Hi3536D`:
253 | ```sh
254 | himm 0x0120E0110 0x60320000 > /dev/null; himm 0x120E0118 | awk '{print $4}' | dd skip=1 bs=7 2>/dev/null | awk '{print "0x"$1}' | awk '{print "CPU temperature: " (($1*180)/256)-40}'
255 | ```
256 | 
257 | `Hi3536CV100`:
258 | ```sh
259 | himm 0x0120E0110 0x60320000 > /dev/null; himm 0x120E0118 | awk '{print $4}' | dd skip=1 bs=7 2>/dev/null | awk '{print "0x"$1}' | awk '{print "CPU temperature: " (($1-125)/806)*165-40}'
260 | ```
261 | 
262 | `HI3520DV200 `:
263 | ```sh
264 | devmem 20060020 32
265 | ```
266 | 
267 | `Hi3516AV200`:
268 | ```sh
269 | #PERI_PMC68 0x120a0110 (disable-->enable)
270 | himm 0x120a0110 0 > /dev/null;
271 | himm 0x120a0110 0x40000000 > /dev/null;
272 | 
273 | usleep 100000
274 | #PERI_PMC70 0x120a0118 read temperature
275 | DATA0=$(himm 0x120a0118 0 | grep 0x120a0118)
276 | DATA1=$(printf "$DATA0" | sed 's/0x120a0118: //')
277 | DATA2=$(printf "$DATA1" | sed 's/ --> 0x00000000//')
278 | 
279 | let "var=$DATA2&0x3ff"
280 | if [ $var -ge 125 -a $var -le 931 ]; then
281 |     echo `awk -v x="$var" 'BEGIN{printf "chip temperature: %f\n",(x-125)*10000/806*165/10000-40}'`
282 | else
283 |     echo "$var ---> invalid. [125,931]"
284 | fi
285 | ```
286 | 
287 | ## What connector type to use for the board? <a name="jack"></a>
288 | 
289 | Molex has nice `PicoBlade` series with 1.25mm pitch for camera's boards and with
290 | 2.0mm pitch for LED illumination. It is also known as `JST 1.25` at Ali/Tao,
291 | which originates from Chinese manufacturer that copied PicoBlade (to be more
292 | precise Japan company with factory in China). In fact Chinese shops sell
293 | Ckmtw (Shenzhen Cankemeng) and HR (Joint Tech Elec). Original connectors
294 | JST and Molex cost 10 times as Chinese compatible ones.
295 | 
296 | (c) Maxim Gatchenko
297 | 
298 | > Can I crimp those connectors myself?
299 | 
300 | Working crimper is enormously expensive, it is cheaper to buy cables directly.
301 | If I need it real hard, I simply solder some wires, since crimper won't last for
302 | long. If size allows, I press it a little and only then solder.
303 | 
304 | (c) Dmitry Ermakov
305 | 
306 | ## How to enable DHCP during firmware update?
307 | 
308 | `echo 1 > /mnt/mtd/Config/dhcp.cfg`
309 | 
310 | One doesn't need to reboot the camera, since Sofia should take it on the fly and
311 | store it for future use.
312 | 
313 | ## How to reset all the setting to default?
314 | 
315 | Simply remove all files with setting using `rm -rf /mnt/mtd/*` and reboot.
316 | 
317 | ## How to read encoder logs?
318 | 
319 | Ask camera to be more verbose:
320 | ```
321 | echo "all=5" > /proc/umap/logmpp
322 | ```
323 | 
324 | Now simply read it all:
325 | ```
326 | cat /dev/logmpp
327 | cat /proc/umap/sys
328 | cat /proc/umap/vi
329 | cat /proc/umap/vpss
330 | cat /proc/umap/venc
331 | cat /proc/umap/logmpp
332 | cat /proc/umap/isp
333 | cat /proc/media-mem
334 | ```
335 | 
336 | If one needs it real-time:
337 | 
338 | ```
339 | echo "all=9" > /proc/umap/logmpp
340 | cat /dev/logmpp
341 | ```
342 | 
343 | For a detailed description of data in those files read section `12 Proc
344 | Debugging Information` from `HiMPP IPC V3.0 Media Processing Software
345 | Development Reference` manual.
346 | 
347 | ## How to mount jffs2 flash image on regular system?
348 | 
349 | ```
350 | sudo modprobe mtdram total_size=131072 erase_size=128
351 | sudo modprobe mtdblock
352 | sudo dd if=rootfs_hi3516cv300_128k.jffs2 of=/dev/mtdblock0
353 | sudo mount -t jffs2 /dev/mtdblock0 /mnt
354 | ```
355 | 
356 | ## How to encode sound for the camera? <a name="sound"></name>
357 | 
358 | ```
359 | sox input.mp3 -t al -r 8000 -c 1 -b 8 output.alaw
360 | ```
361 | 
362 | (с) Dmitry Ermakov
363 | 
364 | ## Using PoE <a name="poe"></a>
365 | 
366 | I strongly advise to use 48V power adapters instead of 12V with RJ-45
367 | connectors, since it is quite possible to damage connectors by high current.
368 | 
369 | ## How does IR illumination works? <a name="ir"></a>
370 | 
371 | Actually IR light controls the camera instead of vice versa. When it becomes
372 | dark enough in around for photosensor, IR LEDs are turned on and a dedicated
373 | signal goes to camera, which in turn switches filter. To switch day/night
374 | camera mode from this sensor, find setting "IR-filter" and change it to
375 | "IR-sync" instead of "auto".
376 | 
377 | ## How to use Ethernet from U-Boot? <a name="mii"></a>
378 | 
379 | Good introduction [article](https://gahcep.github.io/blog/2012/07/24/u-boot-mii/)
380 | on the topic.
381 | 
382 | Please note, that the command `mii device` to U-Boot could result in empty list.
383 | In this case try to ping _any_ address, this will initialize network device and
384 | all should work after.
385 | 
386 | ## Why there is a sponge bush on lens? <a name="lenss"></a>
387 | 
388 | It protects lens from extra light, one can make it using any type of sponge in
389 | hand.
390 | 
391 | ## How to use YouTube as DVR for your live video
392 | 
393 | Vasiliy, [21 Feb 2020 at 18:57:36]:
394 | Here's the stuff:
395 | 1. You use ffmpeg to send video stream from camera to YouTube
396 | 2. But if there is no watchers, YouTube drops the stream
397 | 3. The upper limit for stream is 12 hours on YouTube (and one can benefit from
398 | it!)
399 | 4. So YouTube begins recording if there is at least 1 watcher on channel and run
400 | it for 30 minutes after last user stopped
401 | 5. There is a script that emulates 5 second watch and then YouTube continues to
402 | run for another 30 minutes
403 | 6. You write to your crontab a command to get from
404 | http://cloud.vixand.com/service/youtube/stream.php?key=ххххххххх and execute it
405 | every 28 minutes
406 | 7. Profit
407 | 
408 | ## Known problems
409 | 
410 | ### After firmware update camera uses default MAC address and reboots constantly
411 | 
412 | Exploring camera with Telnet shows that `Sofia` is stopped, and even crashes
413 | after manual launch:
414 | 
415 | ```
416 | CMedia::start() $Rev: 972 $>>>>>
417 | sched set 98, 2
418 | src/HiSystem.c(1461) [HisiSysInit]: LibHicap Compiled Date: Nov 26 2018, Time: 15:49:09.
419 | src/HiSystem.c(1474) [HisiSysInit]: g_stDevParam.bVpssOnline:0 [0 offline; 1 online].
420 | Segmentation fault
421 | ```
422 | 
423 | Using strace to have a closer look on`Sofia` we find:
424 | 
425 | ```
426 | open("/mnt/mtd/Config/SensorType.bat", O_WRONLY|O_CREAT|O_TRUNC, 0666) = -1 ENOENT (No such file or directory)
427 | --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x48} ---
428 | +++ killed by SIGSEGV +++
429 | Segmentation fault
430 | ```
431 | 
432 | It turns out that partition /mnt/mtd isn't mounted:
433 | 
434 | ```
435 | $ mount|grep /mnt/mtd
436 | ```
437 | 
438 | Trying to mount it manually:
439 | 
440 | ```
441 | $ mount -t jffs2 /dev/mtdblock5 /mnt/mtd
442 | mount: mounting /dev/mtdblock5 on /mnt/mtd failed: Input/output error
443 | ```
444 | 
445 | And  dmesg` is full of something like:
446 | 
447 | ```
448 | fs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x00000000: 0xd4c5 instead
449 | jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x00000004: 0x3f7c instead
450 | jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x00000008: 0x37fc instead
451 | jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x0000000c: 0x5d6b instead
452 | jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x00000010: 0xc45b instead
453 | jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x00000014: 0x9a6f instead
454 | jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x00000018: 0x80df instead
455 | jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x0000001c: 0x7cb7 instead
456 | jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x00000020: 0xf5cd instead
457 | jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x00000024: 0xe587 instead
458 | jffs2: Further such events for this erase block will not be printed
459 | jffs2: Old JFFS2 bitmask found at 0x00001ee4
460 | ```
461 | 
462 | This partition is damaged, the solution is to erase it completely and fill it with 0xff. See next question.
463 | 
464 | (с) Dmitry Ermakov
465 | 
466 | ### How to erase partition on flash
467 | 
468 | Check  /proc/cmdline` to find out partition size:
469 | 
470 | ```
471 | # cat /proc/cmdline
472 | init=linuxrc mem=56M console=ttyAMA0,115200 root=/dev/mtdblock1 rootfstype=squashfs mtdparts=hi_sfc:0x30000(boot),0x2E0000(romfs),0x300000(user),0x160000(web),0x40000(custom),0x50000(mtd)
473 | ```
474 | 
475 | For our "mtd" partition `0x50000` is the correct value.
476 | 
477 | Now need to calculate start address. Given 8Mb flash size (0x800000) and taking
478 | "mtd" partition to be the last one, we calculate offset as `0x800000-0x50000 = 0x7b0000`.
479 | 
480 | Now get to U-Boot and execute command `sf probe 0; sf lock 0; sf erase 7b0000
481 | 50000` to erase weird partition content.
482 | 
483 | (с) Dmitry Ermakov
484 | 
485 | If you can reach kernel boot log, it actually prints calculated addresses for
486 | partitions:
487 | 
488 | ```
489 | [    0.813360] Creating 5 MTD partitions on "hi_sfc":
490 | 0x000000000000-0x000000080000 : "boot"
491 | 0x000000080000-0x0000000c0000 : "env"
492 | 0x0000000c0000-0x0000004c0000 : "kernel"
493 | 0x0000004c0000-0x0000009c0000 : "rootfs"
494 | 0x0000009c0000-0x000001000000 : "rootfs_data"
495 | ```
496 | 
497 | (c) Sergey Sharshunov
498 | 
499 | If you don't have access to U-Boot (got Telnet, but no UART), you can build
500 | `flash_eraseall` using SDK `package/board_uclibc` and then erase partition
501 | with command `/utils/flash_erase /dev/mtd5 0 0`, where`/dev/mtd5` is partition
502 | name you determined earlier.
503 | 


--------------------------------------------------------------------------------
/doc/XM-FAQ-ru.md:
--------------------------------------------------------------------------------
  1 | # FAQ
  2 | 
  3 | Составлен по материалам Telegram каналов `OpenIPC software` и
  4 | `OpenIPC modding`
  5 | 
  6 | ## Cодержание
  7 | 
  8 | ### Оригинальная прошивка камер Xiongmai
  9 | 
 10 | - [Как включить Telnet сервер?](#activate_telnet)
 11 | 
 12 | - [Как установить пароль на Telnet?](#telnet_pwd)
 13 | 
 14 | - [Как установить заблокированный setenv в U-Boot](#setenv)
 15 | 
 16 | - [Что такое Sofia?](#Sofia)
 17 | 
 18 | - [Если ли способы управлять камерой с помощью закрытого китайского
 19 |     протокола?](#netsdk)
 20 | 
 21 | - [В каком формате записывать звук для камеры?](#sound)
 22 | 
 23 | ### Хакинг
 24 | 
 25 | - [Делаю killall Sofia, через некоторое время камера уходит в reboot](#watchdog)
 26 | 
 27 | - [Как сделать полноразмерный webcapture?](#fullcapture)
 28 | 
 29 | ### Софт
 30 | 
 31 | - [Как измерить температуру чипа](#temperature)
 32 | 
 33 | ### Железо
 34 | 
 35 | - [Подскажите тип разъемов на плате для подключения кабелей?](#jack)
 36 | 
 37 | - [Советы по PoE](#poe)
 38 | 
 39 | - [Как работает инфракрасная подсветка?](#ir)
 40 | 
 41 | - [Как работать с Ethernet из U-Boot?](#mii)
 42 | 
 43 | - [Зачем нужна поролоновая втулка на объективе?](#lenss)
 44 | 
 45 | ## Как включить Telnet сервер? <a name="activate_telnet"></a>
 46 | 
 47 | Самый простой вариант: подключить любой serial USB-UART адаптер к камере к UART
 48 | коннектору, перегрузить ее по питанию, нажать Ctrl-C для выхода
 49 | в консоль U-Boot и ввести команду:
 50 | 
 51 | ```
 52 | setenv telnetctrl 1; saveenv
 53 | ```
 54 | 
 55 | Конечно, это потребует разбора корпуса камеры, наличия адаптера и необходимости
 56 | работы с проводами. Есть альтернативный способ с модификацией прошивки без
 57 | разбора камеры (но тем не менее не предназначенный для новичков), [описанный в
 58 | англоязычной
 59 | статье](https://github.com/OpenIPC/camerasrnd/blob/master/get_telnet.md).
 60 | 
 61 | ## Как установить пароль на Telnet? <a name="telnet_pwd"></a>
 62 | 
 63 | Без перепрошивки этого сделать нельзя, но Telnet в камерах XM уже практически
 64 | безопасный, за исключением того, что кто-то попадет в локалку.
 65 | Но на своих камерах, конечно же везде мод прошивка и поменяны все пароли :)
 66 | 
 67 | (c) Dmitry Ermakov
 68 | 
 69 | ## Как установить заблокированный параметр setenv в U-Boot? <a name="setenv"></a>
 70 | 
 71 | Иногда случается, что на уровне U-Boot производитель блокирует установку тех или
 72 | иных параметров (например, на камерах XM иногда нельзя изменить `xmuart`).
 73 | 
 74 | Для включения, я, например, делаю `printenv`, сохраняю в файл, добавляю туда
 75 | `xmuart=0`. Потом `mkenvimage -s 0x10000 -o u-boot.env.img env.txt` и через
 76 | `loady` или любым способом заливаю и подменяю энв.
 77 | 
 78 | (c) Dmitry Ermakov
 79 | 
 80 | ## Что такое Sofia? <a name="Sofia"></a>
 81 | 
 82 | Это жирный исполняемый файл, который в лучших традициях статей про антипаттерны
 83 | программирования поддерживает весь функционал камеры, начиная со встроенного
 84 | DHCP клиента, заканчивая RTSP сервером и собственным протоколом управления.
 85 | 
 86 | Изначально китайцы скопипастили все с Dahua, у них этот бинарник назывался
 87 | Sonia, у XM стал Sofia.
 88 | 
 89 | (c) Max
 90 | 
 91 | ## Если ли способы управлять камерой с помощью закрытого китайского протокола?
 92 | <a name="netsdk"></a>
 93 | 
 94 | Есть ряд наработок:
 95 | 
 96 | * [Python-DVR](https://github.com/NeiroNx/python-dvr), поддерживает обновление прошивок
 97 | 
 98 | * https://github.com/667bdrm/sofiactl
 99 | 
100 | * https://github.com/alexshpilkin/dvrip
101 | 
102 | * [github.com/johndoe31415/numenworld-ipcam](https://github.com/johndoe31415/numenworld-ipcam/blob/master/nwipcam)
103 | 
104 | * [NetSDK для C#](https://github.com/QuantMad/WinNetSDK)
105 | 
106 | ## Делаю killall Sofia, через некоторое время камера уходит в reboot
107 | <a name="watchdog"></a>
108 | 
109 | Ты можешь просто выгрузить модуль watchdoga, например `rmmod xm_watchdog`
110 | 
111 | (c) Sergey Sharshunov
112 | 
113 | ## Как сделать полноразмерный webcapture? <a name="fullcapture"></a>
114 | 
115 | ```diff
116 | --- ./orig/HI3516EV300_IPC_85H50AI_LIBXMCAP.json        2020-06-11 16:58:06.446462210 +0300
117 | +++ ./HI3516EV300_IPC_85H50AI_LIBXMCAP.json     2020-06-11 21:45:16.978003244 +0300
118 | @@ -230,8 +230,8 @@
119 |                                 "VencMode":
120 |                                 [
121 |                                         {
122 | -                                               "VpssChn": 2,
123 | -                                               "EncCapSizeSrcs": ["HD1"],
124 | +                                               "VpssChn": 1,
125 | +                                               "EncCapSizeSrcs": ["720P"],
126 |                                         }
127 |                                 ]
128 |                         },
129 | ```
130 | Теперь с webcapture.jpg отдает картинку 2592х1944, тестировалось на
131 | EV300+IMX335.
132 | 
133 | (c) Dmitry Ermakov
134 | 
135 | ## Что такое крипта?
136 | 
137 | Это применительно к камерам от XM. Раньше персональные настройки (тип сенсора,
138 | таблица режимов, MAC адрес) хранились в отдельной микросхеме - крипто-памяти,
139 | отсюда и название.
140 | 
141 | Потом криптопамять заменили на EEPROM, а в последнее время вообще отказались от
142 | отдельной микросхемы, храня "крипту" прямо в основной флешке.
143 | 
144 | Если эту инфу затереть, то у камеры станет дефолтный MAC адрес, а также родной
145 | софт не будет кодировать видео, так как не знает, в каком режиме нужно работать.
146 | По структуре крипты известно пока мало, есть алгоритм её шифрования, известно,
147 | где хранится MAC и как его поменять. А про остальные параметры есть только
148 | догадки.
149 | 
150 | Перед экспериментами с прошивкой можно также сделать через в CMS или IE
151 | экспорт конфигурации, в полученном файле найти `__tempinfo` и дальше
152 | можно спокойно все стирать. Это резервная копия крипты, но здесь нужно от
153 | каждого байта отнять "9", чтобы в итоге было D2 D4.
154 | 
155 | Крипта находится в последних 1024 байтах boot раздела (до env). Сигнатура крипты
156 | 2 байта 0xD2D4.  При обновлении U-Boot на другую (например, последнюю версию),
157 | вы не оставите пользователю дороги обратно: затерев U-Boot вы потеряете
158 | "крипту", которая сейчас хранится в самом конце загрузчика перед env. Надо или
159 | прописывать загрузчик так, чтобы возвращать "крипту" на место, или где-то её
160 | бэкапить.
161 | 
162 | (c) Igor Zorin
163 | 
164 | > А кем она используется? Софией?
165 | 
166 | Можно сказать, что до запуска Софии, там уже есть shared mem с HWID -
167 | практически основной полезной информацией из крипты на сегодняшний день, все это
168 | делают вкомпиленные ядрённые модули
169 | 
170 | Существует возможность [сгенерировать крипту, задав новый MAC
171 | адрес](https://github.com/nikitos1550/XM_ipcam_crypto_generator) (тестировалось
172 | на hi3516cv100/hi3518cv100).
173 | 
174 | ## Как из телнета сбросить пароль на камеру?
175 | 
176 | `rm /mnt/mtd/Config/Account*`
177 | 
178 | ## Как сделать дамп оригинальной прошивки?
179 | 
180 | https://zftlab.org/pages/2018020100.html
181 | 
182 | Совет по ссылке выше не подходит для новых U-boot версии 2016 года, у которых
183 | удалена возможность выгрузки прошивки. См. совет ниже
184 | 
185 | ## Можно ли слить образ при запущенной системе?
186 | 
187 | `cat /dev/mtdblock[x] > /tmp/mtdx`
188 | и тд
189 | у вас будет энное количество разделов, все сохранить и получите образ всего
190 | 
191 | Скрипт для получения полного образа flash в одном файле:
192 | 
193 | ```sh
194 | mount -t nfs -o nolock serverip:/srv/nfs
195 | cd /utils
196 | MAX=$(ls -1r /dev/mtdblock* | head -n 1 | sed 's/[^0-9]*//g')
197 | echo -ne >ff.img
198 | i=0
199 | while [ "$i" -le "$MAX" ]; do
200 |     echo "Dump $i part"
201 |     cat /dev/mtdblock$i >> ff.img
202 |     i=$((i+1))
203 | done
204 | sync
205 | ```
206 | 
207 | То же самое, но сохранить в разные файлы для разных разделов:
208 | 
209 | ```sh
210 | mount -t nfs -o nolock serverip:/srv/nfs
211 | cd /utils
212 | MAX=$(ls -1r /dev/mtdblock* | head -n 1 | sed 's/[^0-9]*//g')
213 | i=0
214 | while [ "$i" -le "$MAX" ]; do
215 |     NAME=`grep mtd$i: /proc/mtd | awk '{gsub(/"/, "", $4); print $4}'`   
216 |     echo "Dump $NAME"
217 |     cat /dev/mtdblock$i >> $NAME.img
218 |     i=$((i+1))
219 | done
220 | sync
221 | ```
222 | 
223 | ## Как восстановить оригинальную прошивку?
224 | 
225 | Найдите последнюю прошивку для своей платы с сайта
226 | https://www.cctvsp.ru/articles/vosstanovlenie-proshivki-i-sbros-parolya скачайте
227 | Распакуйте на отдельные файлы. Прошивка - это zip архив
228 | Положите их на TFTP и выполните команды, приведенные ниже:
229 | 
230 | ```
231 | setenv serverip 192.168.1.254; sf probe 0; sf lock 0; run dc; run dr; run du; run dw; reset
232 | ```
233 | 
234 | Еще один источник прошивок https://www.cctvsp.ru/articles/obnovlenie-proshivok-dlya-ip-kamer-ot-xiong-mai
235 | 
236 | ## Как измерить температуру чипа <a name="temperature"></a>
237 | 
238 | `Hi3516CV200 / Hi3518EV200 / Hi3518EV201`
239 | ```sh
240 | devmem 0x20270110 32 0x60FA0000 ; devmem 0x20270114 8  | awk '{print "CPU temperature: " ((($1)*180)/256)-40}'
241 | ```
242 | 
243 | `Hi3516CV300 / Hi3518EV100`
244 | ```sh
245 | devmem 0x1203009C 32 0x60FA0000 ; devmem 0x120300A4 16 | awk '{print "CPU temperature: " (((($1)-125.0)/806)*165)-40}'
246 | ```
247 | 
248 | `Hi3516EV200 / Hi3516EV300`
249 | ```sh
250 | devmem 0x120280B4 32 0xC3200000 ; devmem 0x120280BC 16 | awk '{print "CPU temperature: " (((($1)-117)/798)*165)-40}'
251 | ```
252 | 
253 | `Hi3536D`
254 | ```sh
255 | himm 0x0120E0110 0x60320000 > /dev/null; himm 0x120E0118 | awk '{print $4}' | dd skip=1 bs=7 2>/dev/null | awk '{print "0x"$1}' | awk '{print "CPU temperature: " (($1*180)/256)-40}'
256 | ```
257 | 
258 | `Hi3536CV100`
259 | ```sh
260 | himm 0x0120E0110 0x60320000 > /dev/null; himm 0x120E0118 | awk '{print $4}' | dd skip=1 bs=7 2>/dev/null | awk '{print "0x"$1}' | awk '{print "CPU temperature: " (($1-125)/806)*165-40}'
261 | ```
262 | 
263 | `HI3520DV200 `
264 | ```sh
265 | devmem 20060020 32
266 | ```
267 | 
268 | `Hi3516AV200`
269 | ```sh
270 | #PERI_PMC68 0x120a0110 (disable-->enable)
271 | himm 0x120a0110 0 > /dev/null;
272 | himm 0x120a0110 0x40000000 > /dev/null;
273 | 
274 | usleep 100000
275 | #PERI_PMC70 0x120a0118 read temperature
276 | DATA0=$(himm 0x120a0118 0 | grep 0x120a0118)
277 | DATA1=$(printf "$DATA0" | sed 's/0x120a0118: //')
278 | DATA2=$(printf "$DATA1" | sed 's/ --> 0x00000000//')
279 | 
280 | let "var=$DATA2&0x3ff"
281 | if [ $var -ge 125 -a $var -le 931 ];then
282 |     echo `awk -v x="$var" 'BEGIN{printf "chip temperature: %f\n",(x-125)*10000/806*165/10000-40}'`
283 | else
284 |     echo "$var ---> invalid. [125,931]"
285 | fi
286 | ```
287 | 
288 | ## Подскажите тип разъемов на плате для подключения кабелей? <a name="jack"></a>
289 | 
290 | У Molex - это серия `PicoBlade` с шагом 1.25 мм для коннекторов на платах камер
291 | и 2.0 мм для коннекторов на LED подсветке. На Али/Тао они также известны как
292 | разъемы `JST 1.25`, это китайский производитель и они в свое время скопировали
293 | PicoBlade (Точнее японская компания с производством в Китае). Фактически
294 | китайские продавцы выставляют Ckmtw(Shenzhen Cankemeng)  и HR(Joint Tech Elec).
295 | JST и Molex оригинал стоят один как 10 шт. разъемов на Али.
296 | 
297 | (c) Maxim Gatchenko
298 | 
299 | > Можно ли самостоятельно обжимать такие коннекторы?
300 | 
301 | Инструмент стоит очень дорого, проще тысячу таких кабелей купить. Когда очень
302 | сильно надо - я напаиваю, т.к. вручную все эти обжимки долго не живут.  Если
303 | размер позволяет - то сначала зажимаю вручную хоть как-то, а потом уже паяю.
304 | 
305 | (c) Dmitry Ermakov
306 | 
307 | ## Как сразу включить DHCP при обновлении?
308 | 
309 | `echo 1 > /mnt/mtd/Config/dhcp.cfg`
310 | 
311 | Камеру перезагружать не надо и Sofia подхватит настройки и запомнит
312 | 
313 | ## Как грохнуть все настройки в дефолт?
314 | 
315 | ...надо зайти на камеру телнетом и грохнуть все настройки в дефолт
316 | 
317 | rm -rf /mnt/mtd/*
318 | 
319 | и перезагрузить
320 | 
321 | # Как посмотреть логи энкодера?
322 | 
323 | ```
324 | echo "all=5" > /proc/umap/logmpp # более детальный лог
325 | 
326 | cat /dev/logmpp
327 | cat /proc/umap/sys
328 | cat /proc/umap/vi
329 | cat /proc/umap/vpss
330 | cat /proc/umap/venc
331 | cat /proc/umap/logmpp
332 | cat /proc/umap/isp
333 | cat /proc/media-mem
334 | ```
335 | 
336 | Если хочется реалтаймовые логи:
337 | 
338 | ```
339 | echo "all=9" > /proc/umap/logmpp
340 | cat /dev/logmpp
341 | ```
342 | 
343 | За подробным описанием данных в этих файлах обратитесь к разделу `12 Proc
344 | Debugging Information` из `HiMPP IPC V3.0 Media Processing Software Development
345 | Reference`.
346 | 
347 | ## Как примонтировать образ jffs2 системы на машине разработки?
348 | 
349 | ```
350 | sudo modprobe mtdram total_size=131072 erase_size=128
351 | sudo modprobe mtdblock
352 | sudo dd if=rootfs_hi3516cv300_128k.jffs2 of=/dev/mtdblock0
353 | sudo mount -t jffs2 /dev/mtdblock0 /mnt
354 | ```
355 | 
356 | ## В каком формате записывать звук для камеры? <a name="sound"></name>
357 | 
358 | ```
359 | sox input.mp3 -t al -r 8000 -c 1 -b 8 output.alaw
360 | ```
361 | 
362 | (с) Dmitry Ermakov
363 | 
364 | ## Советы по PoE <a name="poe"></a>
365 | 
366 | На 12В лучше не использовать коннекторы RJ-45, пригорят - токи в 4 раза больше, чем на 48В
367 | 
368 | ## Как работает инфракрасная подсветка? <a name="ir"></a>
369 | 
370 | Камера ИК подсветкой не управляет, подсветка управляет камерой. Т.е. по третьему
371 | проводу на камеру сигнал идёт, что темно стало, когда фоторезюк затемняется и
372 | включается подсветка, а на камере в свою очередь фильтр переключается.
373 | 
374 | Для переключения режима ночь/день по датчику на подсветке следует в настройках
375 | включить пункт "ИК-фильтр" в режим "ИК-синхронизация" вместо "автоматически"
376 | 
377 | ## Как работать с Ethernet из U-Boot? <a name="mii"></a>
378 | 
379 | Годная вводная [статья](https://gahcep.github.io/blog/2012/07/24/u-boot-mii/) по
380 | теме.
381 | 
382 | Обратите внимание, что если на команду `mii device` U-Boot не выдает никаких
383 | устройств, то достаточно сделать `ping` на любой адрес (неважно существует он
384 | или нет), это приведет к инициализации устройства и после этого команды должны
385 | заработать.
386 | 
387 | ## Зачем нужна поролоновая втулка на объективе? <a name="lenss"></a>
388 | 
389 | Защищает его от засветки, нарезать можно от теплоизоляции для трубок
390 | кондиционера, да хоть из губки кухонной.
391 | 
392 | ## Трансляция видео в YouTube через ffmpeg и использование его как DVR
393 | 
394 | Vasiliy, [21 Feb 2020 at 18:57:36]:
395 | Кароче суть такая:
396 | 1. ФФмпег транслирует видео
397 | 2. Если никто не смотрит - ютуб не пишет.
398 | 3. Максимальное время записи ютуба - 12 часов (глупо это время не использовать!)
399 | 4. Ютуб начинает писать если есть хоть 1 юзер на канале. И прекращает после 30 минут после того как последний вышел
400 | 5. Есть скрипт - который по вставке ссылки с ютуба - эмулирует просмотр 5 секундный и ютуб продолжает писать следующие 30 минут
401 | 6. Вы в своей системе в кронтабе прописываете команду курл - или аналогично которое открывает эту страничку: http://cloud.vixand.com/service/youtube/stream.php?key=ххххххххх и выполняете ее раз в 28 минут
402 | 
403 | профит
404 | 
405 | ## Известные проблемы
406 | 
407 | ### После обновления камера получила дефолтный адрес и постоянно перезапускается
408 | 
409 | Заход на камеру через telnet показал, что `Sofia` не запущена, более того, при
410 | ручном запуске из консоли она падает с ошибкой:
411 | 
412 | ```
413 | CMedia::start() $Rev: 972 $>>>>>
414 | sched set 98, 2
415 | src/HiSystem.c(1461) [HisiSysInit]: LibHicap Compiled Date: Nov 26 2018, Time: 15:49:09.
416 | src/HiSystem.c(1474) [HisiSysInit]: g_stDevParam.bVpssOnline:0 [0 offline; 1 online].
417 | Segmentation fault
418 | ```
419 | 
420 | Запускаем `Sofia` под strace и находим:
421 | 
422 | ```
423 | open("/mnt/mtd/Config/SensorType.bat", O_WRONLY|O_CREAT|O_TRUNC, 0666) = -1 ENOENT (No such file or directory)
424 | --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x48} ---
425 | +++ killed by SIGSEGV +++
426 | Segmentation fault
427 | ```
428 | 
429 | Проверяем и оказывается, что раздел /mnt/mtd не смонтирован:
430 | 
431 | ```
432 | $ mount|grep /mnt/mtd
433 | ```
434 | 
435 | Пробуем смонтировать вручную:
436 | 
437 | ```
438 | $ mount -t jffs2 /dev/mtdblock5 /mnt/mtd
439 | mount: mounting /dev/mtdblock5 on /mnt/mtd failed: Input/output error
440 | ```
441 | 
442 | В выводе `dmesg` будет нечто подобное:
443 | 
444 | ```
445 | fs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x00000000: 0xd4c5 instead
446 | jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x00000004: 0x3f7c instead
447 | jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x00000008: 0x37fc instead
448 | jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x0000000c: 0x5d6b instead
449 | jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x00000010: 0xc45b instead
450 | jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x00000014: 0x9a6f instead
451 | jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x00000018: 0x80df instead
452 | jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x0000001c: 0x7cb7 instead
453 | jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x00000020: 0xf5cd instead
454 | jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x00000024: 0xe587 instead
455 | jffs2: Further such events for this erase block will not be printed
456 | jffs2: Old JFFS2 bitmask found at 0x00001ee4
457 | ```
458 | 
459 | Решение: нужно стереть этот раздел на флеш или заполнить его 0xff. См. следующий
460 | вопрос
461 | 
462 | (с) Dmitry Ermakov
463 | 
464 | ## Как стереть раздел на flash
465 | 
466 | Смотрим `/proc/cmdline` и определяем размер раздела, например
467 | 
468 | ```
469 | # cat /proc/cmdline 
470 | init=linuxrc mem=56M console=ttyAMA0,115200 root=/dev/mtdblock1 rootfstype=squashfs mtdparts=hi_sfc:0x30000(boot),0x2E0000(romfs),0x300000(user),0x160000(web),0x40000(custom),0x50000(mtd)
471 | ```
472 | 
473 | `0x50000` - искомое значение
474 | 
475 | Теперь надо посчитать адрес его начала. При условии, что у нас флеш 8Mb
476 | (0x800000) и mtd раздел находится в самом конце носителя искомое смещение будет
477 | `0x800000-0x50000 = 0x7b0000`
478 | 
479 | Нужно будет в U-Boot выполнить команду `sf probe 0; sf lock 0; sf erase 7b0000
480 | 50000` для удаления содержимого раздела.
481 | 
482 | (с) Dmitry Ermakov
483 | 
484 | Если есть лог загрузки ядра там можно подсмотреть смещения разделов:
485 | 
486 | ```
487 | [    0.813360] Creating 5 MTD partitions on "hi_sfc":
488 | 0x000000000000-0x000000080000 : "boot"
489 | 0x000000080000-0x0000000c0000 : "env"
490 | 0x0000000c0000-0x0000004c0000 : "kernel"
491 | 0x0000004c0000-0x0000009c0000 : "rootfs"
492 | 0x0000009c0000-0x000001000000 : "rootfs_data"
493 | ```
494 | 
495 | (c) Sergey Sharshunov
496 | 
497 | Если нет доступа к U-Boot (есть telnet, но нет UART), можно собрать
498 | `flash_eraseall` из состава SDK `package/board_uclibc` и выполнить очистку
499 | раздела командой:
500 | 
501 | ```sh
502 | /utils/flash_erase /dev/mtd5 0 0
503 | ```
504 | 
505 | , где `/dev/mtd5` - определенный ранее раздел.
506 | 


--------------------------------------------------------------------------------
/doc/flash.md:
--------------------------------------------------------------------------------
 1 | # Explore flash
 2 | 
 3 | ## U-Boot commands
 4 | 
 5 | ### SPI flash
 6 | 
 7 | `sf` just mounts the SPI flash. The only verb I can find is `sf probe` , which
 8 | seems to test for the presence of a device and/or make it available:
 9 | 
10 | ```
11 | xmtech # sf probe 0
12 | 16384 KiB hi_fmc at 0:0 is now current device
13 | xmtech # sf probe 1
14 | 16384 KiB hi_fmc at 0:1 is now current device
15 | ```
16 | 
17 | I use 'sf read' and it works pretty good. It can be called as follows
18 | `sf read [addr] [offset] [len]`
19 | 
20 | So for your case, reading romfs would look like this:
21 | `sf probe 0;sf read 0x82000000 0x40000 0x370000`
22 | 
23 | Then you can transfer the file to tftp server:
24 | `tftp 0x82000000 romfs.cramfs 0x370000`
25 | 
26 | ## Flash memory partitions layout
27 | 
28 | ```sh
29 | # cat /proc/mtd
30 | dev:    size   erasesize  name
31 | mtd0: 00030000 00010000 "boot"
32 | mtd1: 00550000 00010000 "romfs"
33 | mtd2: 00740000 00010000 "user"
34 | mtd3: 00180000 00010000 "web"
35 | mtd4: 00080000 00010000 "custom"
36 | mtd5: 00140000 00010000 "mtd"
37 | 
38 | # ls -la /dev/mtdblock*
39 | brw-------    1 root     root       31,   0 Jan  1  1970 /dev/mtdblock0
40 | brw-------    1 root     root       31,   1 Jan  1  1970 /dev/mtdblock1
41 | brw-------    1 root     root       31,   2 Jan  1  1970 /dev/mtdblock2
42 | brw-------    1 root     root       31,   3 Jan  1  1970 /dev/mtdblock3
43 | brw-------    1 root     root       31,   4 Jan  1  1970 /dev/mtdblock4
44 | brw-------    1 root     root       31,   5 Jan  1  1970 /dev/mtdblock5
45 | 
46 | # mount |grep mtdblock
47 | /dev/mtdblock2 on /usr type cramfs (ro,relatime)
48 | /dev/mtdblock3 on /mnt/web type squashfs (ro,relatime)
49 | /dev/mtdblock4 on /mnt/custom type cramfs (ro,relatime)
50 | /dev/mtdblock5 on /mnt/mtd type jffs2 (rw,relatime)
51 | /dev/mtdblock2 on /mnt/custom/data/Fonts type cramfs (ro,relatime)
52 | ```
53 | 
54 | Further [information](https://felipe.astroza.cl/hacking-hi3518-based-ip-camera/)
55 | and some useful [in Russian](https://zftlab.org/pages/2018020100.html)
56 | 


--------------------------------------------------------------------------------
/doc/links.md:
--------------------------------------------------------------------------------
1 | # Similar repos
2 | 
3 | [Main page and large source it information](https://zftlab.org/pages/2018020900.html)
4 | 
5 | [Experiments with OpenWrt + Hi35xx and other SoC's](https://github.com/ZigFisher/chaos_calmer)
6 | 


--------------------------------------------------------------------------------
/doc/urls.md:
--------------------------------------------------------------------------------
 1 | # Access URL for cameras
 2 | 
 3 | ## XM-based cameras
 4 | 
 5 | For capturing one-shot picture:
 6 | 192.168.1.10/webcapture.jpg?user=admin&password=PWD&command=snap&channel=1
 7 | 
 8 | For capturing video (RTSP):
 9 | rtsp://192.168.1.10/user=admin&password=&channel=1&stream=0
10 | 
11 | ## Ruision
12 | 
13 | For capturing video (RTSP):
14 | rtsp://192.168.26.65/live/0/MAIN
15 | 
16 | ## JVT
17 | 
18 | For capturing video (RTSP):
19 | rtsp://%s/view/%d
20 | 
21 | For capturing one-shot picture:
22 | http://%s/capture/webCapture.jpg?channel=1&FTpsend=0&checkinfo=0
23 | 


--------------------------------------------------------------------------------
/hacking/nfs.md:
--------------------------------------------------------------------------------
 1 | # NFS
 2 | 
 3 | ## Dump camera rootfs from flash to NFS server
 4 | 
 5 | Create separate exported NFS folder on your server like `/srv/cv300`, mount it
 6 | to empty dir (`/utils` in our example) and copy directories:
 7 | 
 8 | ```sh
 9 | cp -a /bin /utils/
10 | cp -a /boot /utils/
11 | cp -a /etc /utils/
12 | cp -a /home /utils/
13 | cp -a /lib /utils/
14 | cp -a /linuxrc /utils/
15 | cp -a /mnt /utils/
16 | cp -a /opt /utils/
17 | cp -a /root /utils/
18 | cp -a /sbin /utils/
19 | cp -a /usr /utils/
20 | cp -a /var /utils/
21 | 
22 | mkdir /utils/dev
23 | mkdir /utils/proc
24 | mkdir /utils/sys
25 | mkdir /utils/tmp
26 | ```
27 | 
28 | Goto U-Boot and change params like this:
29 | 
30 | ```
31 | setenv bootargs ip=192.168.26.178 root=/dev/nfs nfsroot=192.168.26.219:/srv/cv300,tcp,v3 init=/linuxrc mem=\${osmem} console=ttyAMA0,115200 panic=20
32 | ```
33 | 
34 | If you have error message like this after kernel loads, that your original
35 | kernel doesn't support NFS root. Let's try workaround with initramfs:
36 | 
37 | ## Workaround absent NFS support in original kernel
38 | 
39 | Navigate to new NFS root made in previous step and copy `/boot/uImage` to your
40 | tftp server. Fell free to rename file for simplifying usage (like
41 | `uImage.cv300` in our example).
42 | 
43 | Build special Busybox version (like [Rescue mode](../busybox/build.md#rescue), but with
44 | modified `/etc/init.d/rcS` file):
45 | 
46 | ```sh
47 | cat <<'EOF' > etc/init.d/rcS
48 | #!/bin/sh
49 | export PATH=/bin:/sbin:/usr/bin:/usr/sbin
50 | echo "Waiting for network..."
51 | sleep 5
52 | mount -t nfs -o nolock 192.168.26.219:/srv/cv300 /new
53 | mkdir -p /new/mnt/old_root/
54 | pivot_root /new /new/mnt/old_root/
55 | . /etc/init.d/dnode
56 | mkdir /dev/.udev
57 | udevd --daemon
58 | udevadm trigger
59 | 
60 | # original firmware init code substitution from /etc/init.d/rcS
61 | mount -t ramfs  /dev/mem  /var/
62 | mkdir -p /var/tmp
63 | # skipped net
64 | mkdir -p /mnt/mtd/Config /mnt/mtd/Log /mnt/mtd/Config/ppp /mnt/mtd/Config/Json
65 | ulimit -s 4096
66 | /sbin/ifconfig eth0 hw ether `sed -n "s/ethaddr:\(.*\).*/\1\n/p" /proc/xm/xminfo`
67 | /usr/etc/loadmod
68 | dvrHelper /lib/modules /usr/bin/Sofia 127.0.0.1 9578 1
69 | EOF
70 | ```
71 | 
72 | Use U-Boot to temporary load dev environment (adjust `mem` param to your actual
73 | board):
74 | 
75 | ```
76 | setenv bootargs mem=56M console=ttyAMA0,115200 panic=20 root=/dev/ram0 ro initrd=0x81220000,626688 rdinit=/bin/sh ip=192.168.26.178:192.168.26.1:192.168.26.1:255.255.255.0:camera1::off\\;
77 | 
78 | setenv ipaddr 192.168.26.178
79 | setenv serverip 192.168.26.219
80 | tftp 0x82000000 uImage.cv300
81 | tftp 0x81220000 busybox.squash
82 | bootm 0x82000000
83 | ```
84 | 
85 | where:
86 | 
87 |  - `626688` is a determined on previous step size of squashfs ramdisk image
88 | 
89 |  - `192.168.26.178` static camera IP
90 | 
91 |  - `192.168.26.219` NFS server (also the same address as TFTP server in our
92 |      example)
93 | 
94 |  - `192.168.26.1` default gw
95 | 


--------------------------------------------------------------------------------
/images/hisilicon_families.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OpenIPC/camerasrnd/d6007c45963999e4fc9237ba641d41d626d39309/images/hisilicon_families.jpg


--------------------------------------------------------------------------------
/images/preometheus_node_graphana_example.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OpenIPC/camerasrnd/d6007c45963999e4fc9237ba641d41d626d39309/images/preometheus_node_graphana_example.jpg


--------------------------------------------------------------------------------
/kernel/build.md:
--------------------------------------------------------------------------------
  1 | # Custom kernel build guide
  2 | 
  3 | ## FAQ
  4 | 
  5 | ### How to build kernel from source and apply patch from SDK
  6 | 
  7 | #### CV300
  8 | 
  9 | Navigate to `osdrv/opensource/kernel` directory of SDK and check in
 10 | `readme_en.txt` which proper vanilla kernel you will need to download from
 11 | `kernel.org`.
 12 | 
 13 | In particular case of `Hi3516CV300_SDK_V1.0.3.0` you will need to get
 14 | `v3.18.20` kernel:
 15 | 
 16 | ```
 17 | wget -qO- \
 18 |     https://mirrors.edge.kernel.org/pub/linux/kernel/v3.x/linux-3.18.20.tar.xz \
 19 |     | tar xvfJ -
 20 | cd linux-3.18.20
 21 | patch -p1 < ../hi3516cv300_for_linux_v3.18.y.patch
 22 | ls -l arch/arm/configs/ | grep hi   # check all options
 23 | cp arch/arm/configs/hi3516cv300_full_defconfig .config
 24 | make ARCH=arm CROSS_COMPILE=arm-hisiv500-linux- \
 25 |     LOADADDR=0x80008000 -j$(nproc) uImage
 26 | ```
 27 | 
 28 | `arm-hisiv500-linux-` is cross-tools prefix for your SDK.
 29 | 
 30 | At the end to need to check that you get something like this:
 31 | 
 32 | ```
 33 |   UIMAGE  arch/arm/boot/uImage
 34 | Image Name:   Linux-3.18.20
 35 | Created:      Wed Feb 26 11:42:22 2020
 36 | Image Type:   ARM Linux Kernel Image (uncompressed)
 37 | Data Size:    2992152 Bytes = 2922.02 KiB = 2.85 MiB
 38 | Load Address: 80008000
 39 | Entry Point:  80008000
 40 |   Image arch/arm/boot/uImage is ready
 41 | ```
 42 | 
 43 | #### EV200
 44 | 
 45 | ```
 46 | wget -qO- \
 47 |     https://mirrors.edge.kernel.org/pub/linux/kernel/v4.x/linux-4.9.37.tar.xz \
 48 |     | tar xvfJ -
 49 | cd linux-4.9.37
 50 | patch -p1 < ../linux-4.9.37.patch
 51 | patch -p1 < ../0001-Add-support-for-XM_XT25F64B-S-flash.patch
 52 | ls -l arch/arm/configs/ | grep hi   # check all options
 53 | cp arch/arm/configs/hi3516ev200_full_defconfig .config
 54 | make ARCH=arm CROSS_COMPILE=arm-himix100-linux- \
 55 |     -j$(nproc) uImage
 56 | ```
 57 | 
 58 | ### Test compiled kernel image
 59 | 
 60 | Place `uImage` to tftp directory of your TFTP server, reset camera and on
 61 | booting process press Ctrl-C to interrupt normal load process.
 62 | 
 63 | You will see something like this:
 64 | 
 65 | ```
 66 | hi3516cv300 System startup
 67 | 
 68 | Uncompress.......Ok
 69 | 
 70 | 
 71 | hi3516cv300 System startup
 72 | 
 73 | 
 74 | U-Boot 2010.06-svn1098 (Jun 11 2018 - 13:17:42)
 75 | 
 76 | Check Flash Memory Controller v100 ... Found
 77 | SPI Nor(cs 0) ID: 0xef 0x40 0x17
 78 | spi_general_qe_enable(291): Error: Disable Quad failed! reg: 0x2
 79 | Block:64KB Chip:8MB Name:"W25Q64FV"
 80 | CONFIG_CLOSE_SPI_8PIN_4IO = y.
 81 | at hifmc100_setTB() mid:0xef,chipsize:0x800000 <no>.
 82 | lk[6 => 0x400000]
 83 | SPI Nor total size: 8MB
 84 | MMC:   
 85 | EMMC/MMC/SD controller initialization.
 86 | Card did not respond to voltage select!
 87 | No EMMC/MMC/SD device found !
 88 | In:    serial
 89 | Out:   serial
 90 | Err:   serial
 91 | Press Ctrl+C to stop autoboot
 92 | xmtech # <INTERRUPT>
 93 | xmtech #
 94 | ```
 95 | 
 96 | In this example we use addresses `192.168.26.208` for camera and
 97 | `192.168.26.219` for TFTP server. Adjust them for your case and network
 98 | settings.
 99 | 
100 | ```
101 | xmtech # setenv ipaddr 192.168.26.208
102 | xmtech # setenv serverip 192.168.26.219
103 | xmtech # tftp 0x82000000 uImage
104 | Hisilicon ETH net controler
105 | MAC:   00-12-17-B6-AE-4B
106 | eth0 : phy status change : LINK=UP : DUPLEX=FULL : SPEED=100M
107 | TFTP from server 192.168.26.219; our IP address is 192.168.26.208
108 | Download Filename 'uImage'.
109 | Download to address: 0x82000000
110 | Downloading: #################################################
111 | done
112 | Bytes transferred = 2992216 (2da858 hex)
113 | xmtech # bootm 0x82000000
114 | ## Booting kernel from Legacy Image at 82000000 ...
115 |    Image Name:   Linux-3.18.20
116 |    Image Type:   ARM Linux Kernel Image (uncompressed)
117 |    Data Size:    2992152 Bytes = 2.9 MiB
118 |    Load Address: 80008000
119 |    Entry Point:  80008000
120 |    Loading Kernel Image ... OK
121 | OK
122 | 
123 | ```
124 | 
125 | ### U-Boot shows 'Starting kernel ...' and then hangs
126 | 
127 | In case of `3516cv300` board you might use convenient list of options to add
128 | them into kernel config to get debug from UART console:
129 | 
130 | ```
131 | CONFIG_DEBUG_LL=y
132 | CONFIG_EARLY_PRINTK=y
133 | CONFIG_DEBUG_LL_UART_PL01X=y
134 | CONFIG_DEBUG_UART_PHYS=0x12100000
135 | CONFIG_DEBUG_UART_VIRT=0x0
136 | ```
137 | 
138 | Add to `.config` and re-run `make` with same parameters.
139 | 
140 | In this example `0x12100000` got from chip datasheet as `The base address of
141 | UART0 registers is 0x1210_0000`
142 | 
143 | ### Get an error 'Error: unrecognized/unsupported machine ID'
144 | 
145 | Full possible output like
146 | 
147 | ```
148 | Error: unrecognized/unsupported machine ID (r1 = 0x00001f40).
149 | 
150 | Available machine support:
151 | 
152 | ID (hex)        NAME
153 | ffffffff        Generic DT based system
154 | ffffffff        Hisilicon Hi3516cv300 (Flattened Device Tree)
155 | ffffffff        Hisilicon HiP04 (Flattened Device Tree)
156 | ffffffff        Hisilicon HIX5HD2 (Flattened Device Tree)
157 | ffffffff        Hisilicon Hi3620 (Flattened Device Tree)
158 | 
159 | Please check your kernel config and/or bootloader.
160 | ```
161 | 
162 | You have no Device tree files included for given hardware. You can use fresh
163 | U-boot with included support for Device Tree files or just append Device tree
164 | BLOB into kernel image. Use guide on page 11 of
165 | [presentation](https://bootlin.com/pub/conferences/2014/elc/petazzoni-device-tree-dummies/petazzoni-device-tree-dummies.pdf)
166 | with command like this:
167 | 
168 | ```
169 | cat arch/arm/boot/zImage arch/arm/boot/dts/myboard.dtb > my-zImage
170 | mkimage ... -d my-zImage my-uImage
171 | ```
172 | 
173 | You might like to use simple build script to make all build steps and final
174 | image copying like this:
175 | 
176 | ```
177 | make ARCH=arm CROSS_COMPILE=arm-hisiv500-linux- \
178 |   -j$(nproc) zImage || exit 2
179 | 
180 | cat arch/arm/boot/zImage Hi3516CV300_DEMO_Board.dtb > my-zImage
181 | /bin/sh ./scripts/mkuboot.sh -A arm -O linux -C none  -T kernel \
182 |   -a 0x80008000 -e 0x80008000 -n 'devLinux-3.18.20' \
183 |   -d my-zImage uImage
184 | sudo mv uImage /srv/atftp/
185 | ```
186 | 
187 | ### How to decompile extracted binary dtb file back to source code?
188 | 
189 | Use the same kernel `dtc` compiler, e.g.:
190 | 
191 | ```
192 | ./scripts/dtc/dtc -I dtb -O dts -o Hi3516CV300_DEMO_Board.dts \
193 |     Hi3516CV300_DEMO_Board.dtb
194 | ```
195 | 
196 | Or if `/sys/firmware/devicetree/base` directory is available on camera use
197 | advice on p.15 of [presentation](https://bootlin.com/pub/conferences/2014/elc/petazzoni-device-tree-dummies/petazzoni-device-tree-dummies.pdf)
198 | 
199 | ### Kernel hangs at "Uncompressing Linux... done, booting the kernel."
200 | 
201 | It seems you forgot pass proper console command line argument to kernel.
202 | 
203 | Try this:
204 | 
205 | ```
206 | setenv bootargs console=ttyAMA0,115200 earlyprintk panic=20 <other args>...
207 | ```
208 | 
209 | ### System crashes while loading application which linked with SDK
210 | 
211 | It turns out that at least in CV300 kernel next configuration options are
212 | crucial:
213 | 
214 | ```diff
215 | -# CONFIG_CGROUPS is not set
216 | +CONFIG_CGROUPS=y
217 | +# CONFIG_CGROUP_DEBUG is not set
218 | +# CONFIG_CGROUP_FREEZER is not set
219 | +# CONFIG_CGROUP_DEVICE is not set
220 | +# CONFIG_CPUSETS is not set
221 | +# CONFIG_CGROUP_CPUACCT is not set
222 | +# CONFIG_RESOURCE_COUNTERS is not set
223 | +CONFIG_CGROUP_SCHED=y
224 | +CONFIG_FAIR_GROUP_SCHED=y
225 | +# CONFIG_CFS_BANDWIDTH is not set
226 | +# CONFIG_RT_GROUP_SCHED is not set
227 | +# CONFIG_BLK_CGROUP is not set
228 |  # CONFIG_CHECKPOINT_RESTORE is not set
229 | ```
230 | 
231 | ## Deal with original flash image
232 | 
233 | ### How to backup full flash image without loading to U-Boot
234 | 
235 | Mount /utils directory to NFS server as usual:
236 | 
237 | ```
238 | mount -t nfs -o nolock serverip:/srv/nfs
239 | ```
240 | 
241 | and then
242 | 
243 | ```
244 | cd /utils
245 | MAX=`ls -lr /dev/mtdblock* | head -1 | awk '{print $10}' | sed 's/[^0-9]*//g'`
246 | echo -ne >ff.img
247 | i=0
248 | while [ "$i" -le "$MAX" ]; do
249 |     echo "Dump $i part"
250 |     cat /dev/mtdblock$i >> ff.img
251 |     i=$((i+1))
252 | done
253 | sync
254 | ```
255 | 
256 | ### How to mount original flash volumes with custom built kernel
257 | 
258 | Find and change:
259 | 
260 | ```
261 | # CONFIG_SQUASHFS is not set
262 | ```
263 | 
264 | to next block:
265 | 
266 | ```
267 | CONFIG_SQUASHFS=y
268 | CONFIG_SQUASHFS_FILE_CACHE=y
269 | # CONFIG_SQUASHFS_FILE_DIRECT is not set
270 | CONFIG_SQUASHFS_DECOMP_SINGLE=y
271 | # CONFIG_SQUASHFS_DECOMP_MULTI is not set
272 | # CONFIG_SQUASHFS_DECOMP_MULTI_PERCPU is not set
273 | # CONFIG_SQUASHFS_XATTR is not set
274 | # CONFIG_SQUASHFS_ZLIB is not set
275 | # CONFIG_SQUASHFS_LZO is not set
276 | CONFIG_SQUASHFS_XZ=y
277 | # CONFIG_SQUASHFS_4K_DEVBLK_SIZE is not set
278 | # CONFIG_SQUASHFS_EMBEDDED is not set
279 | CONFIG_SQUASHFS_FRAGMENT_CACHE_SIZE=3
280 | ```
281 | 
282 | kernel parameters enabled. Otherwise you will get messages like this:
283 | 
284 | ```
285 | List of all partitions:
286 | 1f00             192 mtdblock0  (driver?)
287 | 1f01            2944 mtdblock1  (driver?)
288 | 1f02            3072 mtdblock2  (driver?)
289 | 1f03            1408 mtdblock3  (driver?)
290 | 1f04             256 mtdblock4  (driver?)
291 | 1f05             320 mtdblock5  (driver?)
292 | ```
293 | 
294 | ## Deal with NFS
295 | 
296 | To avoid too many device reboots and get smooth development experience it's
297 | highly recommended at early stages use NFS as root volume. Make sure that you
298 | have `CONFIG_ROOT_NFS` kernel parameter turned on.
299 | 


--------------------------------------------------------------------------------
/kernel/hi3516ev200/0001-Add-support-for-XM_XT25F64B-S-flash.patch:
--------------------------------------------------------------------------------
  1 | From bb9e9dee8216672fcf711664467ee52c5ee317aa Mon Sep 17 00:00:00 2001
  2 | From: Dmitry Ilyin <dima@doty.ru>
  3 | Date: Sat, 4 Jul 2020 18:01:00 +0300
  4 | Subject: [PATCH 1/2] Add support for XM_XT25F64B-S flash
  5 | 
  6 | ---
  7 |  drivers/mtd/spi-nor/spi-nor.c | 12 +++++++++---
  8 |  1 file changed, 9 insertions(+), 3 deletions(-)
  9 | 
 10 | diff --git a/drivers/mtd/spi-nor/spi-nor.c b/drivers/mtd/spi-nor/spi-nor.c
 11 | index 638c9ca..f23441e 100644
 12 | --- a/drivers/mtd/spi-nor/spi-nor.c
 13 | +++ b/drivers/mtd/spi-nor/spi-nor.c
 14 | @@ -1041,8 +1041,9 @@ static const struct spi_nor_basic_flash_parameter micron_4k_params = {
 15 |  	.erase_types[1]		= SNOR_OP_ERASE_4K(SPINOR_OP_BE_4K),
 16 |  };
 17 |  
 18 | +
 19 |  static const struct spi_nor_basic_flash_parameter xtx_params = {
 20 | -	.rd_modes		= SNOR_RD_MODES,
 21 | +	.rd_modes		= SNOR_EON_RD_MODES,
 22 |  	.reads[SNOR_MIDX_SLOW]	= SNOR_OP_READ(0, 0, SPINOR_OP_READ),
 23 |  	.reads[SNOR_MIDX_1_1_1]	= SNOR_OP_READ(0, 8, SPINOR_OP_READ_FAST),
 24 |  	.reads[SNOR_MIDX_1_1_2]	= SNOR_OP_READ(0, 8, SPINOR_OP_READ_1_1_2),
 25 | @@ -1050,7 +1051,7 @@ static const struct spi_nor_basic_flash_parameter xtx_params = {
 26 |  	.reads[SNOR_MIDX_1_1_4]	= SNOR_OP_READ(0, 8, SPINOR_OP_READ_1_1_4),
 27 |  	.reads[SNOR_MIDX_1_4_4]	= SNOR_OP_READ(0, 24, SPINOR_OP_READ_1_4_4),
 28 |  
 29 | -	.wr_modes		= SNOR_WR_MODES,
 30 | +	.wr_modes		= SNOR_EON_WR_MODES,
 31 |  	.page_programs[SNOR_MIDX_1_1_1]	= SPINOR_OP_PP,
 32 |  	.page_programs[SNOR_MIDX_1_1_4]	= SPINOR_OP_PP_1_1_4,
 33 |  
 34 | @@ -2046,6 +2047,7 @@ static void hisi_get_spi_lock_info(struct spi_nor *nor, const struct flash_info
 35 |  		nor->level = hisi_bp_to_level(nor, info, BP_NUM_3);
 36 |  		break;
 37 |  	case SNOR_MFR_WINBOND:
 38 | +	case SNOR_MFR_XTX:
 39 |  		/* BP bit convert to lock level */
 40 |  		if (chipsize <= _16M)
 41 |  			nor->level = hisi_bp_to_level(nor, info, BP_NUM_3);
 42 | @@ -2442,8 +2444,10 @@ int spi_nor_scan(struct spi_nor *nor, const char *name,
 43 |  		/* If we were instantiated by DT, use it */
 44 |  		if (of_property_read_bool(np, "m25p,fast-read"))
 45 |  			modes->rd_modes |= SNOR_MODE_1_1_1;
 46 | -		else
 47 | +		else {
 48 | +			printk("@spi_nor_scan(), no \"m25p,fast-read\".\n");
 49 |  			modes->rd_modes &= ~SNOR_MODE_1_1_1;
 50 | +		}
 51 |  	} else {
 52 |  		/* If we weren't instantiated by DT, default to fast-read */
 53 |  		modes->rd_modes |= SNOR_MODE_1_1_1;
 54 | @@ -2453,6 +2457,8 @@ int spi_nor_scan(struct spi_nor *nor, const char *name,
 55 |  	if (info->flags & SPI_NOR_NO_FR)
 56 |  		modes->rd_modes &= ~SNOR_MODE_1_1_1;
 57 |  
 58 | +	printk("@spi_nor_scan(), modes->rd_modes:0x%x.\n", modes->rd_modes);
 59 | +
 60 |  	nor->program_opcode = SPINOR_OP_PP;
 61 |  
 62 |  	/*
 63 | -- 
 64 | 2.27.0
 65 | 
 66 | 
 67 | From 9abe0b5031dd68fdff142a620a379ee74e4bf212 Mon Sep 17 00:00:00 2001
 68 | From: Dmitry Ilyin <dima@doty.ru>
 69 | Date: Sat, 4 Jul 2020 18:23:22 +0300
 70 | Subject: [PATCH 2/2] Add more XM-like debug
 71 | 
 72 | ---
 73 |  drivers/mtd/spi-nor/spi-nor.c | 6 ++++--
 74 |  1 file changed, 4 insertions(+), 2 deletions(-)
 75 | 
 76 | diff --git a/drivers/mtd/spi-nor/spi-nor.c b/drivers/mtd/spi-nor/spi-nor.c
 77 | index f23441e..39d4545 100644
 78 | --- a/drivers/mtd/spi-nor/spi-nor.c
 79 | +++ b/drivers/mtd/spi-nor/spi-nor.c
 80 | @@ -1462,7 +1462,7 @@ static const struct flash_info spi_nor_ids[] = {
 81 |  	{ "xt25f128b", INFO(0x0b4018, 0, 64 * 1024,  256,
 82 |  		SPI_NOR_QUAD_READ), PARAMS(xtx), CLK_MHZ_2X(70) },
 83 |  
 84 | -	{ "xt25f64b", INFO(0x0b4017, 0, 64 * 1024,  128,
 85 | +	{ "xm_xt25f64b-s", INFO(0x0b4017, 0, 64 * 1024,  128,
 86 |  		SPI_NOR_QUAD_READ), PARAMS(xtx), CLK_MHZ_2X(70) },
 87 |  	{ },
 88 |  };
 89 | @@ -2208,7 +2208,7 @@ static int spi_nor_setup(struct spi_nor *nor, const struct flash_info *info,
 90 |  	 */
 91 |  	nor->erase_proto = SNOR_PROTO_1_1_1;
 92 |  
 93 | -	dev_dbg(nor->dev,
 94 | +	dev_info(nor->dev,
 95 |  		"(Fast) Read:  opcode=%02Xh, protocol=%03x, mode=%u, wait=%u\n",
 96 |  		nor->read_opcode, nor->read_proto,
 97 |  		read->num_mode_clocks, read->num_wait_states);
 98 | @@ -2500,6 +2500,8 @@ int spi_nor_scan(struct spi_nor *nor, const char *name,
 99 |  		return -EINVAL;
100 |  	}
101 |  
102 | +	dev_info(dev, "nor->read_opcode[3: Read; 0B: Fast Read; 3B: Dual; BB: Dual IO"
103 | +		"; 6B: Quad; EB: Quad IO]: 0x%x.\n", nor->read_opcode);
104 |  	dev_info(dev, "%s (Chipsize %lld Mbytes, Blocksize %uKiB)\n",
105 |  		info->name, (long long)mtd->size >> 20, mtd->erasesize / 1024);
106 |  
107 | -- 
108 | 2.27.0
109 | 
110 | 


--------------------------------------------------------------------------------
/kernel/modules.md:
--------------------------------------------------------------------------------
 1 | # How to use modules to quickly debug driver changes
 2 | 
 3 | On example of `spi-nor` driver for `EV200` kernel
 4 | 
 5 | ## Make code external module
 6 | 
 7 | * In `.config` set
 8 | 
 9 |     ```
10 |     CONFIG_MTD_SPI_NOR=m
11 |     CONFIG_SPI_HISI_SFC=m
12 |     ```
13 | 
14 |   which will produce new kernel modules `spi-nor.ko` and `hisi-sfc.ko`
15 | 
16 | * Try to compile and find all unresolved symbols, find their definitions and
17 |     prepend them with `EXPORT_SYMBOL`
18 | 
19 | * Compile again and make sure that the issue gone. Try to load new kernel and
20 |     then load and unload both modules in appropriate order:
21 | 
22 |     ```
23 |     insmod spi-nor.ko
24 |     insmod hisi-sfc.ko
25 |     rmmod hisi_sfc
26 |     rmmod spi_nor
27 |     ```
28 | 
29 | * In `rmmod hisi_sfc` you probably will get issue with backtrace messages in
30 |   `dmesg`. Most likely it's double free issue as [described
31 |   here](https://patchwork.kernel.org/patch/9270545/). I fixed it by commenting
32 |   out line:
33 | 
34 |   ```c
35 |   static int hisi_spi_nor_remove(struct platform_device *pdev)
36 |     {
37 |     	struct hifmc_host *host = platform_get_drvdata(pdev);
38 |     
39 |     	hisi_spi_nor_unregister_all(host);
40 |     	//clk_disable_unprepare(host->clk);           // Double free?
41 |     	return 0;
42 |     }
43 |   ```
44 | 
45 | * Test load/unload process again and you'll find that driver initialized only
46 |   once (also check messages in `dmesg`). In my case I disabled all NAND drivers
47 |   in kernel and moved `hifmc_cs_user` definition straight into
48 |   `drivers/mtd/spi-nor/hisi-sfc.c` file.
49 | 


--------------------------------------------------------------------------------
/mini/ov9712.md:
--------------------------------------------------------------------------------
 1 | ```C
 2 | /*OV9712 DC 10bit输入*/
 3 | VI_DEV_ATTR_S DEV_ATTR_OV9712_DC_720P =
 4 | /* 典型时序3:7441 BT1120 720P@60fps典型时序 (对接时序: 时序)*/
 5 | {
 6 |     /*接口模式*/
 7 |     VI_MODE_DIGITAL_CAMERA,
 8 |     /*1、2、4路工作模式*/
 9 |     VI_WORK_MODE_1Multiplex,
10 |     /* r_mask    g_mask    b_mask*/
11 |     {0xFFC00000,    0x0},
12 |     /*逐行or隔行输入*/
13 |     VI_SCAN_PROGRESSIVE,
14 |     /*AdChnId*/
15 |     {-1, -1, -1, -1},
16 |     /*enDataSeq, 仅支持YUV格式*/
17 |     VI_INPUT_DATA_YUYV,
18 | 
19 |     /*同步信息，对应reg手册的如下配置, --bt1120时序无效*/
20 |     {
21 |     /*port_vsync   port_vsync_neg     port_hsync        port_hsync_neg        */
22 |     VI_VSYNC_PULSE, VI_VSYNC_NEG_HIGH, VI_HSYNC_VALID_SINGNAL,VI_HSYNC_NEG_HIGH,VI_VSYNC_NORM_PULSE,VI_VSYNC_VALID_NEG_HIGH,
23 |     
24 |     /*timing信息，对应reg手册的如下配置*/
25 |     /*hsync_hfb    hsync_act    hsync_hhb*/
26 |     {408,            1280,        0,
27 |     /*vsync0_vhb vsync0_act vsync0_hhb*/
28 |      6,            720,        6,
29 |     /*vsync1_vhb vsync1_act vsync1_hhb*/ 
30 |      0,            0,            0}
31 |     },
32 |     /*使用内部ISP*/
33 |     VI_PATH_ISP,
34 |     /*输入数据类型*/
35 |     VI_DATA_TYPE_RGB
36 | };
37 | ```


--------------------------------------------------------------------------------
/mini/Модуль-работы-с-SDK.md:
--------------------------------------------------------------------------------
 1 | Интерфейс между модулем работы с sdk и основным/вспомогательным приложением должен быть осуществлен средствами межпроцессорного взаимодействия.
 2 | В силу того что использование интерфейса SDK требует линковки специфических библиотек необходимо вынести минимальное количество кода для реализации необходимого функционала в отдельный бинарник. 
 3 | Этот бинарник должен обеспечивать интерфейс коммуникации посредство unix domain socket с другими приложениями.
 4 | Таким образом основной код приложения не будет зависеть от платформы и типа sdk. Позволит легко портировать практически весь функционал приложения на другие камеры, мобильные телефоны и т.д.
 5 | Использование стандартного интерфейса для доступа к SDK позволяет обеспечит легкое тестирование большей части функционала приложений без задействования аппаратной части.
 6 | Также стандартный интерфейс доступа к SDK позволяет легко использовать приложения на разных языках программирования.
 7 | 
 8 | Модуль работы с SDK должен обеспечивать следующие функции:
 9 | - [ ] Настройка SDK, конфигурирования подсистем, их запуск и остановка.
10 | - [ ] Конфигурирование сенсора.
11 | - [ ] Настройка параметров отображения OSD.
12 | - [ ] Конфигурирование каналов энкодера.
13 | - [ ] Передача видеопотока, изображений.
14 | - [ ] Настройка подсистемы детектора движения.
15 | - [ ] Передача данных детектора движения.
16 | - [ ] Настройка подсистемы видеоаналитики.
17 | - [ ] Передача данных видеоаналитики.


--------------------------------------------------------------------------------
/qemu/userspace.md:
--------------------------------------------------------------------------------
 1 | # Running ARM binaries on x86 host system
 2 | 
 3 | Straightforward example:
 4 | 
 5 | ```
 6 | $ qemu-arm -L /srv/nfsroot sample_venc
 7 | [SAMPLE_VENC_Usage]-27: Usage : sample_venc <index>
 8 | [SAMPLE_VENC_Usage]-28: index:
 9 | [SAMPLE_VENC_Usage]-29: 	0) 720p classic H264 encode.
10 | [SAMPLE_VENC_Usage]-30: 	1) 720p H264 encode with Title.
11 | [SAMPLE_VENC_Usage]-31: 	2) 1*720p JPEG snap.
12 | ```
13 | 
14 | Your also can set `QEMU_LD_PREFIX` environment variable to emulated device
15 | sysroot for more convenient use:
16 | 
17 | ```
18 | $ export QEMU_LD_PREFIX=/srv/nfsroot
19 | ```
20 | 
21 | ## With rootfs using unpacked flash image from camera
22 | 
23 | ```
24 | $ sudo chroot nfsroot /bin/sh
25 | ```
26 | 
27 | ## With rootfs based on Debian
28 | 
29 | ```
30 | $ sudo debootstrap --arch=armhf buster debarm
31 | $ sudo cp /usr/bin/qemu-arm-static debarm/usr/bin
32 | 
33 | $ sudo mount -t proc proc     debarm/proc/
34 | $ sudo mount -t sysfs sys     debarm/sys/
35 | $ sudo mount -o bind /dev     debarm/dev/
36 | $ sudo mount -o bind /dev/pts debarm/dev/pts
37 | $ sudo chroot debarm /bin/echo "hello world"
38 | ```
39 | 
40 | Ideas were given from [article](https://web.archive.org/web/20220531113945/https://ownyourbits.com/2018/06/13/transparently-running-binaries-from-any-architecture-in-linux-with-qemu-and-binfmt_misc/) (archived snapshot)
41 | 


--------------------------------------------------------------------------------
/reverse/ABI.md:
--------------------------------------------------------------------------------
1 | # Platform ABI
2 | 
3 | Only Linux ABI described
4 | 
5 | |---|---|---|---|
6 | | Ops | x86 | x86_64 | ARM32 |
7 | | Registers usage | | | `r0` to `r3`: used to hold argument values passed to a subroutine, and also hold results returned from a subroutine.
8 |  |
9 | 


--------------------------------------------------------------------------------
/reverse/approach.md:
--------------------------------------------------------------------------------
1 | # A little bit about reversing process
2 | 
3 | ## Dealing with C++ RTTI
4 | 
5 | [Reversing C++ Virtual Functions: Part 1](https://alschwalm.com/blog/static/2016/12/17/reversing-c-virtual-functions/)
6 | 


--------------------------------------------------------------------------------
/reverse/hitool.md:
--------------------------------------------------------------------------------
 1 | # Reverse engineering HiTool
 2 | 
 3 | [Main page](https://wiki.openipc.org/wiki/RE-HiTool)
 4 | 
 5 | ## Contents
 6 | 
 7 | * Extracting system specific registers and closed data
 8 | 
 9 | * Boot protocol (unbrick procedure) description
10 | 
11 | * CI for U-Boot built on top of it
12 | 
13 | Information is available only for core team members. If you're interested in RE
14 | services please [contact us](https://www.linkedin.com/in/dmitry-ilyin-4b9aa2174).
15 | 


--------------------------------------------------------------------------------
/reverse/images/IDA_original_blob.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OpenIPC/camerasrnd/d6007c45963999e4fc9237ba641d41d626d39309/reverse/images/IDA_original_blob.png


--------------------------------------------------------------------------------
/reverse/images/IDA_original_load.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OpenIPC/camerasrnd/d6007c45963999e4fc9237ba641d41d626d39309/reverse/images/IDA_original_load.png


--------------------------------------------------------------------------------
/reverse/images/IDA_original_opcodes.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OpenIPC/camerasrnd/d6007c45963999e4fc9237ba641d41d626d39309/reverse/images/IDA_original_opcodes.png


--------------------------------------------------------------------------------
/reverse/images/IDA_original_sections.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OpenIPC/camerasrnd/d6007c45963999e4fc9237ba641d41d626d39309/reverse/images/IDA_original_sections.png


--------------------------------------------------------------------------------
/reverse/images/IDA_reference_start.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OpenIPC/camerasrnd/d6007c45963999e4fc9237ba641d41d626d39309/reverse/images/IDA_reference_start.png


--------------------------------------------------------------------------------
/reverse/kernel.md:
--------------------------------------------------------------------------------
  1 | # How to reverse binary Linux kernel
  2 | 
  3 | ## Contents
  4 | 
  5 | - [Extract a piggy](#piggy)
  6 | 
  7 | - [Examine a procedure](#kallsyms)
  8 | 
  9 | - [Disable built-in driver](#disable-builtin)
 10 | 
 11 | ## Extract a piggy <a name="piggy"></a>
 12 | 
 13 | The term `piggy` was originally used to describe a "piggy-back" concept. In this
 14 | case, the binary kernel image is piggy-backed onto the bootstrap loader to
 15 | produce the composite kernel image.
 16 | 
 17 | Recall that one of the common files built for every architecture is the ELF
 18 | binary named `vmlinux`. This binary file is the monolithic kernel itself, or
 19 | what we have been calling the `kernel proper`. In fact, when we looked at its
 20 | construction in the link stage of vmlinux, we pointed out where we might look to
 21 | see where the first line of code might be found. In most architectures, it is
 22 | found in an assembly language source file called `head.S` or similar.
 23 | 
 24 | ```sh
 25 | $ make ARCH=arm CROSS_COMPILE=arm-hisiv500-linux- zImage
 26 | ...   < many build steps omitted for clarity>
 27 |   LD      vmlinux
 28 |   SORTEX  vmlinux
 29 |   SYSMAP  System.map
 30 |   OBJCOPY arch/arm/boot/Image
 31 |   Kernel: arch/arm/boot/Image is ready
 32 |   AS      arch/arm/boot/compressed/head.o
 33 |   GZIP    arch/arm/boot/compressed/piggy.gzip
 34 |   AS      arch/arm/boot/compressed/piggy.gzip.o
 35 |   CC      arch/arm/boot/compressed/misc.o
 36 |   CC      arch/arm/boot/compressed/decompress.o
 37 |   AS      arch/arm/boot/compressed/debug.o
 38 |   CC      arch/arm/boot/compressed/string.o
 39 |   CC      arch/arm/boot/compressed/fdt_rw.o
 40 |   CC      arch/arm/boot/compressed/fdt_ro.o
 41 |   CC      arch/arm/boot/compressed/fdt_wip.o
 42 |   CC      arch/arm/boot/compressed/fdt.o
 43 |   CC      arch/arm/boot/compressed/atags_to_fdt.o
 44 |   AS      arch/arm/boot/compressed/lib1funcs.o
 45 |   AS      arch/arm/boot/compressed/ashldi3.o
 46 |   AS      arch/arm/boot/compressed/bswapsdi2.o
 47 |   LD      arch/arm/boot/compressed/vmlinux
 48 |   OBJCOPY arch/arm/boot/zImage
 49 |   Kernel: arch/arm/boot/zImage is ready
 50 |   Building modules, stage 2.
 51 | ```
 52 | 
 53 | In the third line of listing, the `vmlinux` image (the kernel proper) is linked.
 54 | Following that, a number of additional object modules are processed. These
 55 | include `head.o`, `piggy.o`, and the architecture-specific among others.
 56 | 
 57 | | Component    | Function/Description                                                                                                                                                                                                                                                                   |
 58 | | ------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
 59 | | `vmlinux`    | Kernel proper, in ELF format, including symbols, comments, debug info (if compiled with `-g`) and architecture-generic components.                                                                                                                                                     |
 60 | | `System.map` | Text-based kernel symbol table for `vmlinux module`.                                                                                                                                                                                                                                   |
 61 | | `Image`      | Binary kernel module, stripped of symbols, notes, and comments.                                                                                                                                                                                                                        |
 62 | | `head.o`     | ARM-specific startup code generic to ARM processors. It is this object that is passed control by the bootloader.                                                                                                                                                                       |
 63 | | `piggy.gz`   | The file `Image` compressed with gzip.                                                                                                                                                                                                                                                 |
 64 | | `piggy.o`    | The file `piggy.gz` in assembly language format so it can be linked with a subsequent object, `misc.o` (see the text).                                                                                                                                                                 |
 65 | | `misc.o`     | Routines used for decompressing the kernel image (`piggy.gz`), and the source of the familiar boot message: "Uncompressing Linux … Done" on some architectures.                                                                                                                        |
 66 | | `vmlinux`    | Composite kernel image. Note this is an unfortunate choice of names, because it duplicates the name for the kernel proper; the two are not the same. This binary image is the result when the kernel proper is linked with the objects in this table. See the text for an explanation. |
 67 | | `zImage`     | Final composite kernel image loaded by bootloader. See the following text.                                                                                                                                                                                                             |
 68 | 
 69 | In case of U-Boot based systems we need to go deeper and place the final
 70 | `zImage` into `uImage` file (with special header for U-Boot).
 71 | 
 72 | Simple algorithm to extract original `vmlinux` kernel suitable for reversing:
 73 | 
 74 | - Extract uImage (zImage with U-Boot header) from camera firmware. In my case best
 75 |   method to login to camera to upload `/boot/uImage` somewhere
 76 | 
 77 | - Use `binwalk -re uImage` to extract all useful data from the image
 78 | 
 79 | - Check all produced files using `strings` utility and special pattern from XM
 80 |   violated GPL code:
 81 | 
 82 | ```sh
 83 | $ grep -rn xm_select_FlashProtMgr _uImage.extracted
 84 | Binary file _uImage.extracted/6000 matches
 85 | ```
 86 | 
 87 | It's the `vmlinux` image from firmware.
 88 | 
 89 | - Build same version kernel with same toolchain as original with config as close
 90 |   to given hardware as possible, save `System.map` and `vmlinux`. You will need
 91 |   it as a `reference` to study sections and functions in `original` one.
 92 | 
 93 | - Open `reference` in your favorite disassembler, check first function start
 94 |   offset (in my case this is `0xC0008000`) and several opcodes from the
 95 |   beginning (`D3 F0 21 F3 10 9F 10 EE`):
 96 | 
 97 |   ![](images/IDA_reference_start.png?raw=true)
 98 | 
 99 | - Open `original` in your favorite disassembler. I like IDA, so let me show the
100 |   example:
101 | 
102 |   1. Select `Processor type` as `ARM Little-endian [ARM]`
103 | 
104 |   2. Set `Loading offset` to `0xC0008000` (same number as found in previous step)
105 | 
106 |   3. `Do you want to change the processor type to ARM` -> `Yes`
107 | 
108 |   ![](images/IDA_original_load.png?raw=true)
109 | 
110 |   4. Select `Create RAM section` instead `Create ROM section` and copy-paste our
111 |      suggested addresses as shown on image:
112 | 
113 |   ![](images/IDA_original_sections.png?raw=true)
114 | 
115 |   5. Wait while analysis runs. It will end when bottom bar will show `AU: idle`
116 | 
117 |   6. Check that you have same window as shown:
118 | 
119 |   ![](images/IDA_original_blob.png?raw=true)
120 | 
121 |   7. Type `C` and convert first instruction to assembly code
122 | 
123 |   8. Go to menu `Options` -> `General` and set `Number of opcode bytes` to `4`.
124 | 
125 |   9. Check out that you have same byte sequence as in `original` image:
126 | 
127 |   ![](images/IDA_original_opcodes.png?raw=true)
128 | 
129 | ## Examine a procedure <a name="kallsyms"></a>
130 | 
131 | Use `/proc/kallsyms` to find address of concrete kernel symbol like this:
132 | 
133 | ```sh
134 | $ cat /proc/kallsyms | grep ' T ' | grep hisi_spi_nor_driver
135 | ```
136 | 
137 | While using IDA to inspect kernel code you can find ton of autogenerated subroutines
138 | like `sub_C006758C` and due to absense of System.map it's near impossible to
139 | understand what's going on. But most of the functions are opensourced and their
140 | sources can be finded in original kernel source tree.
141 | 
142 | Use technique:
143 | 
144 | - find unknown subroutine like `C00CA1E4`
145 | 
146 | - grep same address in `/proc/kallsyms` (in lowercase)
147 | 
148 | - find name and rename subroutine to proper name
149 | 
150 | - repeat
151 | 
152 | TODO: write a script to mass-convert all kernel code to appropriate name (change
153 | data type to code too and automark as subroutine).
154 | 
155 | ## More automation
156 | 
157 | Write a program to check differences between original and opensource builded
158 | kernels (w/o loaded modules) with filters on types (functions, structs and so
159 | on).
160 | 
161 | ## Disable built-in driver <a name=disable-builtin></a>
162 | 
163 | Advice was proposed on [SO](https://unix.stackexchange.com/a/474552/364571).
164 | 
165 | To do this, you'll need to add `initcall_blacklist=<driver_init>` as a kernel
166 | boot option where `driver_init` is the driver initialization function - you'll
167 | have to look through your kernel's sources to figure out what name needs to be
168 | used. As a concrete example, `initcall_blacklist=hisi_spi_nor_driver_init` could
169 | be used to blacklist internal flash driver on original kernel to test its some
170 | opensource improvements.
171 | 
172 | | Driver     | Init entrypoint          | What was disabled        | Remark                                        |
173 | | ---------- | ------------------------ | ------------------------ | --------------------------------------------- |
174 | | hisi_spi   | hisi_spi_nor_driver_init | Disable SPI Flash driver |
175 | | hisi-femac | hisi_femac_driver_init   | Disable Ethernet driver  |
176 | | hibvt-i2c  | hibvt_i2c_driver_init    | Disable I2C driver       | Crash on `hi_piris.ko` module load w/o driver |
177 | | himci      | himci_init               | Disable SD/eMMC driver   |
178 | 


--------------------------------------------------------------------------------
/reverse/sofia.md:
--------------------------------------------------------------------------------
 1 | # Reverse engineering Sofia
 2 | 
 3 | [Main page](https://wiki.openipc.org/wiki/Reverse-engineering-Sofia.md)
 4 | 
 5 | ## Contents
 6 | 
 7 | * Reversing different parts and functions of the binary
 8 | 
 9 | * Undocumented parts of NETSDK protocol
10 | 
11 | * `cloudid` generation
12 | 
13 | * Several `CRC` custom algorithms description
14 | 
15 | Information is available only for core team members. If you're interested in RE
16 | services please [contact us](https://www.linkedin.com/in/dmitry-ilyin-4b9aa2174).
17 | 


--------------------------------------------------------------------------------
/sensors/README.md:
--------------------------------------------------------------------------------
 1 | # Sensor information
 2 | 
 3 | ## Producers
 4 | 
 5 | ### Sony
 6 | 
 7 | ![Sensor diagram](sony_sensors.jpg?raw=true)
 8 | 
 9 | Also available on [official page](https://www.sony-semicon.co.jp/e/products/IS/security/product.html)
10 | 
11 | About [Starvis technology](https://www.sony-semicon.co.jp/e/products/IS/security/technology.html)
12 | 
13 | #### Datasheets
14 | 
15 | | Sensor | Datasheet |
16 | |---|---|
17 | | IMX185 | [link](https://drive.google.com/file/d/1FSKvuVIksOqt3hpi7GcVyhwddNfkFNUS/view?usp=sharing)
18 | | IMX222 | [link](https://drive.google.com/file/d/1pw9lW7Fn00ihB2sPszEi7WfM1N0BonCg/view?usp=sharing)
19 | | IMX224 | [link](https://drive.google.com/file/d/1vgIiAgVh4uShICfPypTqZRzJQtCdf0LX/view?usp=sharing)
20 | | IMX225 | [link](https://drive.google.com/file/d/1aNWiM1V8eykAPOLm_xq1FTz0kglbz8sQ/view?usp=sharing)
21 | | IMX226 |
22 | | IMX238 | [link](https://drive.google.com/file/d/1NwTbpz41D5w2ZPZ71STblf_moybL4TZm/view?usp=sharing)
23 | | IMX290 | [link](https://drive.google.com/file/d/1wlnU33pOqqfJqtWPccjj73QFotzRHe4Z/view?usp=sharing)
24 | | IMX291 | [link](https://drive.google.com/file/d/1skyWSEPuAQ4dRwa2rmR67g1yBdU0iIY9/view?usp=sharing)
25 | | IMX322 | [link](https://drive.google.com/file/d/1x78YOhSBgikryVE_C5JsReoW0YevpPxY/view?usp=sharing)
26 | | IMX323 | [link](https://drive.google.com/file/d/16OYbmSyHPLMbZyxP-1JpxtCKgzbnuHkP/view?usp=sharing)
27 | | IMX327 | [link](https://drive.google.com/file/d/1uVdGNVjjt0bsaSwUdH_wiukE0Kqcwgjy/view?usp=sharing)
28 | | IMX307 |
29 | | IMX335 | [link](https://drive.google.com/file/d/1RM23VCHMuaxBQzVlaLLv9rk6jdOa4uij/view?usp=sharing)
30 | | IMX385 |
31 | | IMX415 | [link](https://drive.google.com/file/d/1U7PwxAbJjVv-MA8FvXVRtVU5kZb3NHl8/view?usp=sharing)
32 | 
33 | All listed datasheets were taken from open sources.
34 | 
35 | If you know about newer versions of full datasheets or can share them for different
36 | sensor types don't hesitate to make a PR.
37 | 
38 | ## Sensors in XM cameras
39 | 
40 | | Last numbers in camera model | Sensor  |
41 | | ---------------------------- | ------- |
42 | | 044100                       | F22     |
43 | | 043700                       | IMX323  |
44 | | 042800                       | IMX291  |
45 | | 047500                       | SC2235P |
46 | | 046900                       | SC2235  |
47 | | 049200                       | IMX307  |
48 | | 142600                       | AR130   |
49 | 
50 | ## Sensors comparison
51 | 
52 | [Cctvsp.ru comparison table, Russian](https://www.cctvsp.ru/articles/obzor-i-sravnenie-matrits-dlya-kamer-videonablyudeniya)
53 | 
54 | ## Opensource code
55 | 
56 | - [HiSilison sensor support code from OpenIPC project](https://github.com/ZigFisher/Glutinium/tree/master/hisi-sensors/src)
57 | 
58 | - [Sensor drivers from Dafang Hacking](https://github.com/EliasKotlyar/Xiaomi-Dafang-Software/tree/master/drivers/sensors)
59 | 


--------------------------------------------------------------------------------
/sensors/sony_sensors.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OpenIPC/camerasrnd/d6007c45963999e4fc9237ba641d41d626d39309/sensors/sony_sensors.jpg


--------------------------------------------------------------------------------
/streaming/youtube.md:
--------------------------------------------------------------------------------
 1 | # YouTube streaming
 2 | 
 3 | ## HLS + H.265
 4 | 
 5 | Follow up [Delivering Content via HLS](https://developers.google.com/youtube/v3/live/guides/hls-ingestion) for more information.
 6 | 
 7 | ### Create new stream
 8 | 
 9 | - Navigate https://developers.google.com/youtube/v3/live/code_samples page
10 | 
11 | - Select Resource 'liveStreams' and Method 'insert'
12 | 
13 | - In table below click on 'insert' use case
14 | 
15 | - Fill on right side on the page:
16 |   - in 'cdn' object change "frameRate" from "60fps" to "variable", "resolution" from "1080p" to "variable" and "ingestionType" from "rtmp" to "hls":
17 | 
18 | ```
19 |     "cdn": {
20 |     "ingestionType": "hls",
21 |     "frameRate": "variable",
22 |     "resolution": "variable"
23 |     }
24 | ```
25 | 
26 | - in Credentials section make sure you've selected 'Google OAuth 2.0' and 'https://www.googleapis.com/auth/youtube' scope (use 'Show scopes') and deselect 'API Key' option, then press 'Execute' button below
27 | 
28 | - Authorize yourself using your Youtube connected account
29 | 
30 | - Make sure that you got 200 response otherwise check errors and repeat
31 | 
32 | - Save "channelId" from the response (it looks like this "UCPJRjbxYlq6h2cCqy8RCRjg")
33 | 
34 | ### Create new broadcast:
35 | 
36 | - Navigate https://developers.google.com/youtube/v3/live/code_samples page
37 | 
38 | - Select Resource 'liveBroadcast' and Method 'insert'
39 | 
40 | - In table below click on 'insert' use case
41 | 
42 | - Fill on right side on the page:
43 | 
44 |   - 'title' field for your broadcast like 'My Hometown Camera'
45 | 
46 |   - 'scheduledStartTime' like '2020-04-21T00:00:00.000Z' (ensure that this time in the future),
47 | 
48 |   - 'scheduledEndTime' like '2020-04-21T01:00:00.000Z' (scheduled end time should be after the scheduled start time)
49 | 
50 |   - also press blue plus button inside "snippet" block and add "channelId" with given from stream step value
51 | 
52 |   - in Credentials section make sure you've selected 'Google OAuth 2.0' and 'https://www.googleapis.com/auth/youtube' scope (use 'Show scopes') and deselect 'API Key' option, then press 'Execute' button below
53 | 
54 | - Authorize yourself using your Youtube connected account
55 | 
56 | - Make sure that you got 200 response otherwise check errors and repeat
57 | 
58 | ### Bind the broadcast to the stream:
59 | 
60 | - Navigate https://developers.google.com/youtube/v3/live/code_samples page
61 | 
62 | - Select Resource 'liveBroadcast' and Method 'bind'
63 | 
64 | - In table below click on 'Bind a broadcast to a stream' use case
65 | 
66 | - Fill on right side on the page:
67 | 
68 |   - 'id' - ID of the broadcast (can be found in server response in step 'Create new broadcast', field 'id')
69 | 
70 |   - 'streamId' - ID of the stream (can be found in server response in step 'Create new stream', field 'id')
71 | 
72 |   - in Credentials section make sure you've selected 'Google OAuth 2.0' and 'https://www.googleapis.com/auth/youtube' scope (use 'Show scopes') and deselect 'API Key' option, then press 'Execute' button below
73 | 
74 | - Authorize yourself using your Youtube connected account
75 | 
76 | - Make sure that you got 200 response otherwise check errors and repeat
77 | 
78 | ### Go live!
79 | 
80 | Navigate https://studio.youtube.com/
81 | 
82 | On right side click on 'CREATE' button and then 'Go live'
83 | 
84 | credits (c) Victor
85 | 


--------------------------------------------------------------------------------
/toolchains.md:
--------------------------------------------------------------------------------
 1 | # Toolchains
 2 | 
 3 | ## Version Mapping of the Toolchains
 4 | 
 5 | | SDK Version               | Toolchain          |
 6 | | ------------------------- | ------------------ |
 7 | | Hi3516C V300R001C01SPC040 | arm-hisiv500-linux |
 8 | | Hi3516C V300R001C02SPC040 | arm-hisiv600-linux |
 9 | 
10 | ## Toolchain details
11 | 
12 | Used `crosstools-ng` params
13 | 
14 | | Toolchain | arm-hisiv500-linux | arm-hisiv600-linux | arm-himix100-linux |
15 | |---|---|---|---|
16 | | CT_TARGET_VENDOR | hisiv500 | hisiv600 | himix100 |
17 | | CT_LIBC | CT_LIBC_UCLIBC | CT_LIBC_GLIBC | CT_LIBC_UCLIBC |
18 | | CT_TOOLCHAIN_PKGVERSION | Hisilicon_v500_20170922 | Hisilicon_v600_20170615 | HC&C V100R002C00B032_20190114 |
19 | 
20 | ### arm-hisiv500-linux
21 | 
22 | uClibc-based:
23 | 
24 | ```sh
25 | $ arm-hisiv500-linux-gcc -v
26 | Using built-in specs.
27 | COLLECT_GCC=arm-hisiv500-linux-gcc
28 | COLLECT_LTO_WRAPPER=/opt/hisi-linux/x86-arm/arm-hisiv500-linux/bin/../libexec/gcc/arm-hisiv500-linux-uclibcgnueabi/4.9.4/lto-wrapper
29 | Target: arm-hisiv500-linux-uclibcgnueabi
30 | Configured with: ../gcc-linaro-4.9-2015.06/configure --host=x86_64-linux-gnu --build=x86_64-linux-gnu --target=arm-hisiv500-linux-uclibcgnueabi --prefix=/home/sying/toolchain_ljhui/gcc4_9/arm-hisiv500-linux/gcc-uclibc/install/arm-hisiv500-linux --enable-threads --disable-libmudflap --disable-libssp --disable-libstdcxx-pch --with-arch=armv5te --with-gnu-as --with-gnu-ld --enable-languages=c,c++ --enable-shared --enable-lto --enable-symvers=gnu --enable-__cxa_atexit --enable-nls --enable-clocale=gnu --enable-extra-hisi-multilibs --with-sysroot=/home/sying/toolchain_ljhui/gcc4_9/arm-hisiv500-linux/gcc-uclibc/install/arm-hisiv500-linux/target --with-build-sysroot=/home/sying/toolchain_ljhui/gcc4_9/arm-hisiv500-linux/gcc-uclibc/install/arm-hisiv500-linux/target --with-gmp=/home/sying/toolchain_ljhui/gcc4_9/arm-hisiv500-linux/gcc-uclibc/install/host_lib --with-mpfr=/home/sying/toolchain_ljhui/gcc4_9/arm-hisiv500-linux/gcc-uclibc/install/host_lib --with-mpc=/home/sying/toolchain_ljhui/gcc4_9/arm-hisiv500-linux/gcc-uclibc/install/host_lib --with-ppl=/home/sying/toolchain_ljhui/gcc4_9/arm-hisiv500-linux/gcc-uclibc/install/host_lib --with-cloog=/home/sying/toolchain_ljhui/gcc4_9/arm-hisiv500-linux/gcc-uclibc/install/host_lib --with-libelf=/home/sying/toolchain_ljhui/gcc4_9/arm-hisiv500-linux/gcc-uclibc/install/host_lib --enable-libgomp --disable-libitm --disable-libsanitizer --enable-poison-system-directories --with-libelf=/home/sying/toolchain_ljhui/gcc4_9/arm-hisiv500-linux/gcc-uclibc/install/host_lib --with-pkgversion=Hisilicon_v500_20170922 --with-bugurl=http://www.hisilicon.com/cn/service/claim.html
31 | Thread model: posix
32 | gcc version 4.9.4 20150629 (prerelease) (Hisilicon_v500_20170922)
33 | ```
34 | 
35 | ### arm-hisiv600-linux
36 | 
37 | Glibc-based:
38 | 
39 | ```sh
40 | $ arm-hisiv600-linux-gcc -v
41 | Using built-in specs.
42 | COLLECT_GCC=arm-hisiv600-linux-gcc
43 | COLLECT_LTO_WRAPPER=/opt/hisi-linux/x86-arm/arm-hisiv600-linux/bin/../libexec/gcc/arm-hisiv600-linux-gnueabi/4.9.4/lto-wrapper
44 | Target: arm-hisiv600-linux-gnueabi
45 | Configured with: ../gcc-linaro-4.9-2015.06/configure --host=x86_64-linux-gnu --build=x86_64-linux-gnu --target=arm-hisiv600-linux-gnueabi --prefix=/home/sying/toolchain_ljhui/gcc4_9/build-toolchain/gcc-glibc/install/arm-hisiv600-linux --enable-threads --disable-libmudflap --disable-libssp --disable-libstdcxx-pch --with-arch=armv5te --with-gnu-as --with-gnu-ld --enable-languages=c,c++ --enable-shared --enable-lto --enable-symvers=gnu --enable-__cxa_atexit --enable-nls --enable-clocale=gnu --enable-extra-hisi-multilibs --with-sysroot=/home/sying/toolchain_ljhui/gcc4_9/build-toolchain/gcc-glibc/install/arm-hisiv600-linux/target --with-build-sysroot=/home/sying/toolchain_ljhui/gcc4_9/build-toolchain/gcc-glibc/install/arm-hisiv600-linux/target --with-gmp=/home/sying/toolchain_ljhui/gcc4_9/build-toolchain/gcc-glibc/install/host_lib --with-mpfr=/home/sying/toolchain_ljhui/gcc4_9/build-toolchain/gcc-glibc/install/host_lib --with-mpc=/home/sying/toolchain_ljhui/gcc4_9/build-toolchain/gcc-glibc/install/host_lib --with-ppl=/home/sying/toolchain_ljhui/gcc4_9/build-toolchain/gcc-glibc/install/host_lib --with-cloog=/home/sying/toolchain_ljhui/gcc4_9/build-toolchain/gcc-glibc/install/host_lib --with-libelf=/home/sying/toolchain_ljhui/gcc4_9/build-toolchain/gcc-glibc/install/host_lib --enable-libgomp --disable-libitm --enable-poison-system-directories --with-libelf=/home/sying/toolchain_ljhui/gcc4_9/build-toolchain/gcc-glibc/install/host_lib --with-pkgversion=Hisilicon_v600_20170615 --with-bugurl=http://www.hisilicon.com/cn/service/claim.html
46 | Thread model: posix
47 | gcc version 4.9.4 20150629 (prerelease) (Hisilicon_v600_20170615)
48 | ```
49 | 
50 | ### arm-hisiv500-linux
51 | uClibc-based:
52 | 
53 | 
54 | ```sh
55 | $ arm-himix100-linux-gcc -v
56 | Using built-in specs.
57 | COLLECT_GCC=arm-himix100-linux-gcc
58 | COLLECT_LTO_WRAPPER=/opt/hisi-linux/x86-arm/arm-himix100-linux/host_bin/../libexec/gcc/arm-linux-uclibceabi/6.3.0/lto-wrapper
59 | Target: arm-linux-uclibceabi
60 | Configured with: /home/sying/SDK_CPU_UNIFIED/build/script/arm-himix100-linux/arm_himix100_build_dir/src/gcc-6.3.0/configure --host=i386-redhat-linux --build=i386-redhat-linux --target=arm-linux-uclibceabi --prefix=/home/sying/SDK_CPU_UNIFIED/build/script/arm-himix100-linux/arm_himix100_build_dir/install --enable-threads --disable-libmudflap --disable-libssp --disable-libstdcxx-pch --with-gnu-as --with-gnu-ld --enable-languages=c,c++ --enable-shared --enable-lto --enable-symvers=gnu --enable-__cxa_atexit --disable-libatomic --disable-nls --enable-clocale=gnu --enable-extra-hisi-multilibs --with-sysroot=/home/sying/SDK_CPU_UNIFIED/build/script/arm-himix100-linux/arm_himix100_build_dir/install/target --with-build-sysroot=/home/sying/SDK_CPU_UNIFIED/build/script/arm-himix100-linux/arm_himix100_build_dir/install/target --with-gmp=/home/sying/SDK_CPU_UNIFIED/build/script/arm-himix100-linux/arm_himix100_build_dir/obj/host-libs/usr --with-mpfr=/home/sying/SDK_CPU_UNIFIED/build/script/arm-himix100-linux/arm_himix100_build_dir/obj/host-libs/usr --with-mpc=/home/sying/SDK_CPU_UNIFIED/build/script/arm-himix100-linux/arm_himix100_build_dir/obj/host-libs/usr --disable-libgomp --disable-libquadmath --disable-fixed-point --disable-libsanitizer --disable-libitm --enable-poison-system-directories --with-pkgversion='HC&C V100R002C00B032_20190114'
61 | Thread model: posix
62 | gcc version 6.3.0 (HC&C V100R002C00B032_20190114)
63 | ```
64 | 


--------------------------------------------------------------------------------
/tricks/romounts.md:
--------------------------------------------------------------------------------
 1 | # Dealing with readonly filesystem on camera
 2 | 
 3 | ## mount -bind approach
 4 | 
 5 | In this example we override `etc` directory using ramdisk and `mount -bind`.
 6 | Make sure that you have enough memory. In case of shortage RAM you can use NFS
 7 | share for copying files.
 8 | 
 9 | ```
10 | $ mount | grep "type ramfs"
11 | /dev/mem on /var type ramfs (rw,relatime)
12 | /dev/mem2 on /utils type ramfs (rw,relatime)
13 | $ cp -arv /etc/ /var
14 | $ mount -o bind /var/etc /etc
15 | $ passwd
16 | Changing password for root
17 | New password:
18 | Retype password:
19 | Password for root changed by root
20 | $ cp /etc/passwd /etc/xmtelnetdpw
21 | ```
22 | 
23 | Now you can login via telnet using nonstandard root password.
24 | 
25 | ## OverlayFS
26 | 
27 | Make sure that you're using kernel `3.18` version or upper
28 | 
29 | ```
30 | # insmod overlay.ko
31 | # mkdir -p /tmp/upper /tmp/work
32 | # mount -t overlay none \
33 |     -o lowerdir=/mnt/custom,upperdir=/tmp/upper,workdir=/tmp/work /mnt/custom
34 | # touch /mnt/custom/test
35 | ```
36 | 
37 | ## Overlay rootfs on boot
38 | 
39 | Good
40 | [example](https://mark4h.blogspot.com/2018/04/hi3518-camera-module-part-5-filesystem.html)
41 | showed common case of setting up both main and additional overlay system with
42 | bootparams like this:
43 | 
44 | `mem=42M console=ttyAMA0,115200 root=/dev/mtdblock2 rootfstype=cramfs mtdparts=hi_sfc:256K(boot),1472K(uImage),5760K(rootfs),512K(overlay) overlay=/dev/mtdblock3 overlayfstype=jffs2 init=/init`
45 | 
46 | 


--------------------------------------------------------------------------------
/uboot/CV300-Fix-network-broken-transfers.patch:
--------------------------------------------------------------------------------
  1 | diff --git a/net/bootp.c b/net/bootp.c
  2 | index e679f8b..b57d2ff 100644
  3 | --- a/net/bootp.c
  4 | +++ b/net/bootp.c
  5 | @@ -20,7 +20,7 @@
  6 |  
  7 |  #define BOOTP_VENDOR_MAGIC	0x63825363	/* RFC1048 Magic Cookie		*/
  8 |  
  9 | -#define TIMEOUT		5000UL	/* Milliseconds before trying BOOTP again */
 10 | +#define TIMEOUT		5UL	/* Seconds before trying BOOTP again */
 11 |  #ifndef CONFIG_NET_RETRY_COUNT
 12 |  # define TIMEOUT_COUNT	5		/* # of timeouts before giving up  */
 13 |  #else
 14 | @@ -345,7 +345,7 @@ BootpTimeout(void)
 15 |  		puts ("\nRetry count exceeded; starting again\n");
 16 |  		NetStartAgain ();
 17 |  	} else {
 18 | -		NetSetTimeout (TIMEOUT, BootpTimeout);
 19 | +		NetSetTimeout(TIMEOUT * CONFIG_SYS_HZ, BootpTimeout);
 20 |  		BootpRequest ();
 21 |  	}
 22 |  }
 23 | @@ -631,7 +631,7 @@ BootpRequest (void)
 24 |  	bp->bp_htype = HWT_ETHER;
 25 |  	bp->bp_hlen = HWL_ETHER;
 26 |  	bp->bp_hops = 0;
 27 | -	bp->bp_secs = htons(get_timer(0) / 1000);
 28 | +	bp->bp_secs = htons(get_timer(0) / CONFIG_SYS_HZ);
 29 |  	NetWriteIP(&bp->bp_ciaddr, 0);
 30 |  	NetWriteIP(&bp->bp_yiaddr, 0);
 31 |  	NetWriteIP(&bp->bp_siaddr, 0);
 32 | @@ -665,7 +665,7 @@ BootpRequest (void)
 33 |  	pktlen = ((int)(pkt-NetTxPacket)) + BOOTP_HDR_SIZE - sizeof(bp->bp_vend) + ext_len;
 34 |  	iplen = BOOTP_HDR_SIZE - sizeof(bp->bp_vend) + ext_len;
 35 |  	NetSetIP(iphdr, 0xFFFFFFFFL, PORT_BOOTPS, PORT_BOOTPC, iplen);
 36 | -	NetSetTimeout(SELECT_TIMEOUT, BootpTimeout);
 37 | +	NetSetTimeout(SELECT_TIMEOUT * CONFIG_SYS_HZ, BootpTimeout);
 38 |  
 39 |  #if defined(CONFIG_CMD_DHCP)
 40 |  	dhcp_state = SELECTING;
 41 | @@ -888,7 +888,7 @@ DhcpHandler(uchar * pkt, unsigned dest, unsigned src, unsigned len)
 42 |  			if (NetReadLong((ulong*)&bp->bp_vend[0]) == htonl(BOOTP_VENDOR_MAGIC))
 43 |  				DhcpOptionsProcess((u8 *)&bp->bp_vend[4], bp);
 44 |  
 45 | -			NetSetTimeout(TIMEOUT, BootpTimeout);
 46 | +			NetSetTimeout(TIMEOUT * CONFIG_SYS_HZ, BootpTimeout);
 47 |  			DhcpSendRequestPkt(bp);
 48 |  #ifdef CONFIG_SYS_BOOTFILE_PREFIX
 49 |  		}
 50 | diff --git a/net/net.c b/net/net.c
 51 | index eabf69b..8f970f8 100644
 52 | --- a/net/net.c
 53 | +++ b/net/net.c
 54 | @@ -260,7 +260,7 @@ void ArpTimeoutCheck(void)
 55 |  	t = get_timer(0);
 56 |  
 57 |  	/* check for arp timeout */
 58 | -	if ((t - NetArpWaitTimerStart) > ARP_TIMEOUT) {
 59 | +	if ((t - NetArpWaitTimerStart) > ARP_TIMEOUT * CONFIG_SYS_HZ/10) {
 60 |  		NetArpWaitTry++;
 61 |  
 62 |  		if (NetArpWaitTry >= ARP_TIMEOUT_COUNT) {
 63 | @@ -584,7 +584,7 @@ void NetStartAgain (void)
 64 |  	NetTryCount++;
 65 |  
 66 |  #ifndef CONFIG_NET_MULTI
 67 | -	NetSetTimeout (10000UL, startAgainTimeout);
 68 | +	NetSetTimeout(10UL * CONFIG_SYS_HZ, startAgainTimeout);
 69 |  	NetSetHandler (startAgainHandler);
 70 |  #else	/* !CONFIG_NET_MULTI*/
 71 |  	eth_halt ();
 72 | @@ -595,7 +595,7 @@ void NetStartAgain (void)
 73 |  	if (NetRestartWrap) {
 74 |  		NetRestartWrap = 0;
 75 |  		if (NetDevExists) {
 76 | -			NetSetTimeout (10000UL, startAgainTimeout);
 77 | +			NetSetTimeout(10UL * CONFIG_SYS_HZ, startAgainTimeout);
 78 |  			NetSetHandler (startAgainHandler);
 79 |  		} else {
 80 |  			NetState = NETLOOP_FAIL;
 81 | @@ -794,7 +794,7 @@ static void PingStart(void)
 82 |  #if defined(CONFIG_NET_MULTI)
 83 |  	printf ("Using %s device\n", eth_get_name());
 84 |  #endif	/* CONFIG_NET_MULTI */
 85 | -	NetSetTimeout (10000000UL, PingTimeout);/*FIXME*/
 86 | +	NetSetTimeout(10UL * CONFIG_SYS_HZ, PingTimeout);
 87 |  	NetSetHandler (PingHandler);
 88 |  
 89 |  	PingSend();
 90 | @@ -817,7 +817,7 @@ static void PingStart(void)
 91 |  #define CDP_SYSOBJECT_TLV		0x0015
 92 |  #define CDP_MANAGEMENT_ADDRESS_TLV	0x0016
 93 |  
 94 | -#define CDP_TIMEOUT			250UL	/* one packet every 250ms */
 95 | +#define CDP_TIMEOUT			(CONFIG_SYS_HZ/4)  /* one packet every 250ms */
 96 |  
 97 |  static int CDPSeq;
 98 |  static int CDPOK;
 99 | diff --git a/net/nfs.c b/net/nfs.c
100 | index d11bb4c..016b0cb 100644
101 | --- a/net/nfs.c
102 | +++ b/net/nfs.c
103 | @@ -31,7 +31,7 @@
104 |  
105 |  #define HASHES_PER_LINE 65	/* Number of "loading" hashes per line	*/
106 |  #define NFS_RETRY_COUNT 30
107 | -#define NFS_TIMEOUT 2000UL
108 | +#define NFS_TIMEOUT 2UL		/* Seconds */
109 |  
110 |  static int fs_mounted = 0;
111 |  static unsigned long rpc_id = 0;
112 | @@ -574,7 +574,7 @@ NfsTimeout (void)
113 |  		NetStartAgain ();
114 |  	} else {
115 |  		puts("T ");
116 | -		NetSetTimeout (NFS_TIMEOUT, NfsTimeout);
117 | +		NetSetTimeout(NFS_TIMEOUT * CONFIG_SYS_HZ, NfsTimeout);
118 |  		NfsSend ();
119 |  	}
120 |  }
121 | @@ -653,7 +653,7 @@ NfsHandler (uchar *pkt, unsigned dest, unsigned src, unsigned len)
122 |  
123 |  	case STATE_READ_REQ:
124 |  		rlen = nfs_read_reply (pkt, len);
125 | -		NetSetTimeout (NFS_TIMEOUT, NfsTimeout);
126 | +		NetSetTimeout(NFS_TIMEOUT * CONFIG_SYS_HZ, NfsTimeout);
127 |  		if (rlen > 0) {
128 |  			nfs_offset += rlen;
129 |  			NfsSend ();
130 | diff --git a/net/rarp.c b/net/rarp.c
131 | index 9444c03..e4ff270 100644
132 | --- a/net/rarp.c
133 | +++ b/net/rarp.c
134 | @@ -29,7 +29,7 @@
135 |  #include "rarp.h"
136 |  #include "tftp.h"
137 |  
138 | -#define TIMEOUT		5000UL	/* Milliseconds before trying BOOTP again */
139 | +#define TIMEOUT		5L	/* Seconds before trying BOOTP again */
140 |  #ifndef	CONFIG_NET_RETRY_COUNT
141 |  # define TIMEOUT_COUNT	5		/* # of timeouts before giving up  */
142 |  #else
143 | @@ -76,7 +76,7 @@ RarpTimeout(void)
144 |  		puts ("\nRetry count exceeded; starting again\n");
145 |  		NetStartAgain ();
146 |  	} else {
147 | -		NetSetTimeout (TIMEOUT, RarpTimeout);
148 | +		NetSetTimeout(TIMEOUT * CONFIG_SYS_HZ, RarpTimeout);
149 |  		RarpRequest ();
150 |  	}
151 |  }
152 | @@ -111,6 +111,6 @@ RarpRequest (void)
153 |  
154 |  	NetSendPacket(NetTxPacket, (pkt - NetTxPacket) + ARP_HDR_SIZE);
155 |  
156 | -	NetSetTimeout(TIMEOUT, RarpTimeout);
157 | +	NetSetTimeout(TIMEOUT * CONFIG_SYS_HZ, RarpTimeout);
158 |  	NetSetHandler(RarpHandler);
159 |  }
160 | diff --git a/net/sntp.c b/net/sntp.c
161 | index 76c10ec..2438fb6 100644
162 | --- a/net/sntp.c
163 | +++ b/net/sntp.c
164 | @@ -12,7 +12,7 @@
165 |  
166 |  #include "sntp.h"
167 |  
168 | -#define SNTP_TIMEOUT 10000UL
169 | +#define SNTP_TIMEOUT 10UL	/* Seconds */
170 |  
171 |  static int SntpOurPort;
172 |  
173 | @@ -80,7 +80,7 @@ SntpStart (void)
174 |  {
175 |  	debug("%s\n", __func__);
176 |  
177 | -	NetSetTimeout (SNTP_TIMEOUT, SntpTimeout);
178 | +	NetSetTimeout(SNTP_TIMEOUT * CONFIG_SYS_HZ, SntpTimeout);
179 |  	NetSetHandler(SntpHandler);
180 |  	memset (NetServerEther, 0, 6);
181 |  
182 | diff --git a/net/tftp.c b/net/tftp.c
183 | index bc5a44b..35107e0 100644
184 | --- a/net/tftp.c
185 | +++ b/net/tftp.c
186 | @@ -11,7 +11,7 @@
187 |  #include "bootp.h"
188 |  
189 |  #define WELL_KNOWN_PORT	69		/* Well known TFTP port #		*/
190 | -#define TIMEOUT	 	1000		/* Seconds to timeout for a lost pkt	*/
191 | +#define TIMEOUT	 	1UL		/* Seconds to timeout for a lost pkt	*/
192 |  #ifndef	CONFIG_NET_RETRY_COUNT
193 |  # define TIMEOUT_COUNT	10		/* # of timeouts before giving up  */
194 |  #else
195 | @@ -35,7 +35,7 @@
196 |  #define STATE_WRQ	6
197 |  #define STATE_ACK	7
198 |  
199 | -static ulong TftpTimeoutMSecs = TIMEOUT;
200 | +static ulong TftpTimeoutMSecs = TIMEOUT * 1000;
201 |  static int TftpTimeoutCountMax = TIMEOUT_COUNT;
202 |  
203 |  /*
204 | @@ -383,7 +383,7 @@ TftpHandler (uchar * pkt, unsigned dest, unsigned src, unsigned len)
205 |  			tftp_show_transferd(TftpBlock, TftpBlockWrapOffset);
206 |  		}
207 |  		TftpLastBlock = TftpBlock;
208 | -		NetSetTimeout (TftpTimeoutMSecs * CFG_HZ, TftpTimeout);
209 | +		NetSetTimeout(TIMEOUT * CONFIG_SYS_HZ, TftpTimeout);
210 |  
211 |  		if((TftpBlockWrapOffset + TftpBlkSize*TftpBlock) > upload_size )
212 |  		{
213 | @@ -511,7 +511,7 @@ TftpHandler (uchar * pkt, unsigned dest, unsigned src, unsigned len)
214 |  
215 |  		TftpLastBlock = TftpBlock;
216 |  		TftpTimeoutCountMax = TIMEOUT_COUNT;
217 | -		NetSetTimeout (TftpTimeoutMSecs * CFG_HZ, TftpTimeout);
218 | +		NetSetTimeout(TIMEOUT * CONFIG_SYS_HZ, TftpTimeout);
219 |  
220 |  		store_block (TftpBlock - 1, pkt + 2, len);
221 |  
222 | @@ -613,7 +613,7 @@ TftpTimeout (void)
223 |  		NetStartAgain ();
224 |  	} else {
225 |  		puts ("T ");
226 | -		NetSetTimeout (TftpTimeoutMSecs * CFG_HZ, TftpTimeout);
227 | +		NetSetTimeout(TIMEOUT * CONFIG_SYS_HZ, TftpTimeout);
228 |  		TftpSend ();
229 |  	}
230 |  }
231 | @@ -729,7 +729,7 @@ TftpStart (void)
232 |  	}
233 |  	TftpTimeoutCountMax = TftpRRQTimeoutCountMax;
234 |  
235 | -	NetSetTimeout (TftpTimeoutMSecs * CFG_HZ, TftpTimeout);
236 | +	NetSetTimeout (TftpTimeoutMSecs * CONFIG_SYS_HZ / 1000, TftpTimeout);
237 |  	NetSetHandler (TftpHandler);
238 |  
239 |  	TftpServerPort = WELL_KNOWN_PORT;
240 | 


--------------------------------------------------------------------------------
/uboot/README.md:
--------------------------------------------------------------------------------
 1 | # U-Boot stuff
 2 | 
 3 | ## Links for helpful resources
 4 | 
 5 | [Original documentation](http://www.denx.de/wiki/view/DULG/U-Boot)
 6 | 
 7 | ## Access to U-Boot console
 8 | 
 9 | Make sure that `F - Hardware Flow Control : No  ` in `Serial port setup` in
10 | `cOnfigure Minicom` if you use `Minicom`
11 | 
12 | Or use `screen` to set proper mode from command line:
13 | 
14 | ```sh
15 | screen /dev/ttyUSB0 115200 -crtscts
16 | ```
17 | 
18 | ## Compile your own version
19 | 
20 | Use `readme_en.txt` from SDK directory `osdrv` for reference.
21 | 
22 | ### CV300
23 | 
24 | ```sh
25 | tar xvf u-boot-2010.06.tgz
26 | cd u-boot-2010.06
27 | # Find and copy mkboot.sh script
28 | #???cp ../../../tools/pc/uboot_tools/mkboot.sh .
29 | # Copy reg-init-table for CV300
30 | wget https://github.com/OpenIPC/camerasrnd/raw/master/uboot/reg_info/reg_info_hi3516cv300.bin \
31 |     -O hi3516cv300.reg
32 | # Apply fix for network issue
33 | wget https://raw.githubusercontent.com/OpenIPC/camerasrnd/master/uboot/CV300-Fix-network-broken-transfers.patch
34 | patch -p1 < CV300-Fix-network-broken-transfers.patch
35 | # Compilation phase
36 | make ARCH=arm CROSS_COMPILE=arm-hisiv500-linux- hi3516cv300_config
37 | make ARCH=arm CROSS_COMPILE=arm-hisiv500-linux-
38 | # Make compressed U-Boot image
39 | cp u-boot.bin full-boot.bin
40 | make CPU=hi3516cv300 ARCH=arm CROSS_COMPILE=arm-hisiv500-linux- mini-boot.bin
41 | # The generated mini-boot.bin is available for u-boot image
42 | ```
43 | 
44 | ## Known issues
45 | 
46 | ### U-Boot hangs while communicating with TFTP server
47 | 
48 | The issue was found on CV300 cameras with U-Boot 2010.06. Everything works fine
49 | when use straight patchcord between camera and TFTP server but adding network
50 | switch in the middle leads data transfers which never ends.
51 | 
52 | ![](images/12attempts.png/?raw=true)
53 | ![](images/34attempts.png/?raw=true)
54 | 
55 | The root cause is described [in an unaccepted
56 | patch](https://patchwork.ozlabs.org/patch/167085/). It turns out that in CV300
57 | U-Boot has `CONFIG_SYS_HZ == 195312` that breaks timeouts in the network stack.
58 | 
59 | I used
60 | [a patch](https://github.com/mrchapp/arago-da830/blob/master/recipes/u-boot/u-boot-omap3-psp/omap3evm/2.1.0.4/0006-Fix-for-timeout-issues-on-U-Boot.patch)
61 | to make [my own patch](CV300-Fix-network-broken-transfers.patch) to fix the issue.
62 | 
63 | ### Rebuilded U-Boot from SDK reads garbage on XM-based IPC EV200/EV300 series
64 | 
65 | This happens due to hardware issue, when producer doesn't use all lines between
66 | flash IC and controller and it needs to be set in `Dual` mode rather than `Quad`.
67 | Apply [patch](https://github.com/dimerr/stuff/blob/master/0001-uboot_xm_ev200_ev300.patch)
68 | before U-Boot compilation to fix it.
69 | 
70 | ## Tips and tricks
71 | 
72 | ### CI tests against builded U-boot
73 | 
74 | I use small `build.sh` script which make build, reboots both USB UART adapter and IPC
75 | itself, then upload fresh U-boot using `burn` tool via UART:
76 | 
77 | ```sh
78 | set -e
79 | 
80 | # In case of buggy USB UART adapter
81 | sudo usbreset /dev/bus/usb/005/007
82 | 
83 | make ARCH=arm CROSS_COMPILE=arm-hisiv500-linux- -j$(nproc)
84 | cp u-boot.bin full-boot.bin
85 | make CPU=hi3516cv300 ARCH=arm CROSS_COMPILE=arm-hisiv500-linux- mini-boot.bin
86 | 
87 | cp mini-boot.bin ~/git/burn
88 | cd ~/git/burn
89 | # Custom script to power reset camera via network switch
90 | ./restart_eth8.sh
91 | ./hi35xx-tool --chip hi3516cv300 --file=mini-boot.bin
92 | screen /dev/ttyUSB0 115200
93 | ```
94 | 
95 | Sample workflow [is shown here](https://asciinema.org/a/felzD9YIwcD13lBewCaQe3XjK)
96 | 


--------------------------------------------------------------------------------
/uboot/images/12attempts.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OpenIPC/camerasrnd/d6007c45963999e4fc9237ba641d41d626d39309/uboot/images/12attempts.png


--------------------------------------------------------------------------------
/uboot/images/34attempts.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OpenIPC/camerasrnd/d6007c45963999e4fc9237ba641d41d626d39309/uboot/images/34attempts.png


--------------------------------------------------------------------------------
/uboot/reg_info/reg_info_hi3516cv300.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OpenIPC/camerasrnd/d6007c45963999e4fc9237ba641d41d626d39309/uboot/reg_info/reg_info_hi3516cv300.bin


--------------------------------------------------------------------------------
/utils/add_xmuart.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/sh
 2 | #
 3 | # Add telnetctrl to u-boot unvironment
 4 | # sudo apt-get install u-boot-tools
 5 | 
 6 | origimg="u-boot.env.img"
 7 | tmpimg="u-boot.env.old"
 8 | rm ${tmpimg}
 9 | mv ${origimg} ${tmpimg}
10 | rm env
11 | rm u-boot.env
12 | #
13 | 
14 | #dd bs=1 skip=68 if=${tmpimg} of=u-boot.env
15 | tail -c+69 "${tmpimg}" > "u-boot.env"
16 | loadaddr=$(mkimage -l ${tmpimg} | grep Load | awk {'print $3'})
17 | entaddr=$(mkimage -l ${tmpimg} | grep Entry | awk {'print $3'})
18 | cat u-boot.env | strings > env
19 | echo "xmuart=1">> env
20 | echo "telnetctrl=1">> env
21 | 
22 | imagesize=$(( 0x${entaddr} - 0x${loadaddr} ))
23 | mkenvimage -s ${imagesize} -o u-boot.env env
24 | mkimage -A arm -O linux -T firmware -n linux -a ${loadaddr} -e ${entaddr} -d u-boot.env u-boot.env.img
25 | 
26 | echo "Run:"
27 | echo "zip -u General_IPC_HI3516EV300_85H50AI.Nat.dss.OnvifS.HIK_V5.00.R02.20200108_all.bin u-boot.env.img"
28 | 


--------------------------------------------------------------------------------
/wishlist.md:
--------------------------------------------------------------------------------
 1 | ## Wishlist: Control software analogue (writed by Sergey Sharshunov)
 2 | 
 3 | 
 4 | * Watchdog ()
 5 | * Wi-Fi support (kernel, settings manager)
 6 | * SD-card support (formating, read-write)
 7 | * Network (settings manager)
 8 | * Settings for Main/Additional streams (H264/H265 codec), 
 9 |   * resolution
10 |   * fps
11 |   * bitrate
12 |   * cbr/vbr
13 | * Image quality
14 |   * brightness
15 |   * sharpness
16 |   * contrast
17 |   * WDR (if support)
18 | * Privacy zone (mask)
19 | * Region of interest (if support)
20 | * Cloud support (S3, Yandex, Google, etc)
21 | * Motion detection
22 |   * region on interest
23 |   * sensitivity
24 |   * get info by trigger from Onvif protocol
25 | * Front-end without Activex components
26 | * HTTP, CGI methods for auto tuning (SMTP, motion detection, microphone, bitrate, codecs)
27 | * Volume control (IN-OUT, MIC GAIN, BOOST, select MIC-p/Line-in input)
28 | * OSD
29 |   * base futures of IP cam
30 |   * change osd text from http-request (temperature, ACS, cashbox, etc)
31 | * Update any module without reboot system
32 | * Day/Night profile for image
33 | * AWB, AE, ANR support
34 | * PWM/TTL (IR control)
35 | * Customizable password hint in the web interface
36 | * Preview the image immediately at the login stage in the web interface
37 | 
38 | **Killer-feature: WebRTC support**
39 | 


--------------------------------------------------------------------------------
/xm_get_telnet.md:
--------------------------------------------------------------------------------
 1 | # How to login inside original firmware
 2 | 
 3 | Information applicable only for XM-based camera (and partially DVR/NVR)
 4 | firmwares.
 5 | 
 6 | In recent versions of XM firmwares, telnet is not enabled by default,
 7 | and most of backdoors allowing to easily (remotely) enable it are
 8 | fixed/closed.
 9 | 
10 | ## Enable telnet server
11 | 
12 | In U-Boot console:
13 | 
14 | ```
15 | setenv telnetctrl 1; saveenv
16 | ```
17 | 
18 | Note that `saveenv` is mandatory, otherwise Linux side (which analyzes
19 | this setting) simply won't see it.
20 | 
21 | ## Connect with telnet
22 | 
23 | In some case, telnetctrl variable does not start telnet automatically and it have to be started manually.
24 | 
25 | ```
26 | telnetd
27 | sleep 1
28 | touch /var/Telnetd_WanCheckFlag
29 | ```
30 | The creation of the flag file /var/Telnetd_WanCheckFlag allow connection from lan. It has to be created after the starting of telnetd.
31 | 
32 | Then, to log in, use the following
33 | 
34 | ```
35 | LocalHost login: root
36 | Password: xmhdipc
37 | Welcome to HiLinux.
38 | ```
39 | 
40 | Also can try [other login/passwd pairs](https://gist.github.com/gabonator/74cdd6ab4f733ff047356198c781f27d)
41 | In recent NVR firmware versions, you may need to login with the actual
42 | admin password which you set up in the UI (static predefined password
43 | won't work).
44 | 
45 | ## Optional: enable Linux kernel verbose boot
46 | 
47 | if armbenv exists
48 | 
49 | ```
50 | # armbenv -s xmuart 0
51 | # reboot
52 | ```
53 | 
54 | Or in case where XmEnv exists:
55 | 
56 | ```
57 | # XmEnv -s xmuart 0
58 | # reboot
59 | ```
60 | 
61 | Note that while this setting modifies U-Boot environment, it should be
62 | done from Linux. At least some vendor U-Boot versions don't allow to
63 | set this from U-Boot console itself (attempt to set a variable of such
64 | name is ignored). But you can try with the -f option from U-Boot.
65 | 
66 | In U-Boot console:
67 | 
68 | ```
69 | setenv -f xmuart 0; saveenv
70 | ```
71 | 
72 | Note that `saveenv` is mandatory, otherwise Linux side (which analyzes
73 | this setting) simply won't see it.
74 | 
75 | ## Enable telnet without even open your camera (remotely)
76 | 
77 | * Find proper zip with recent firmware update using [link](https://translate.google.com/translate?hl=en&sl=ru&tl=en&u=https%3A%2F%2Fwww.cctvsp.ru%2Farticles%2Fobnovlenie-proshivok-dlya-ip-kamer-ot-xiong-mai) and download it.
78 | 
79 | * Unzip it and choose proper `bin` file from several options.
80 | 
81 | * It's recommended update your camera using this stock firmware without
82 |     modifying it. It will help understand possible issues. Use `General...` if
83 |     not sure which option you want.
84 | 
85 | * Unzip `bin` file as it would be ordinary zip archive.
86 | 
87 | * Copy `add_xmuart.sh` from `utils` directory of the repository inside directory
88 |     with unpacked files.
89 | 
90 | * Run `./add_xmaurt.sh` and then ensure that `u-boot.env.img` has
91 |     `xmuart=1telnetctrl=1` near the end of file.
92 | 
93 | * Repack `bin` file adding changed `u-boot.env.img` there like this: `zip -u General_IPC_HI3516EV200_85H30AI_S38.Nat.dss.OnvifS.HIK_V5.00.R02.20200507_all.bin u-boot.env.img`
94 | 
95 | * Upgrade camera using new `bin` file
96 | 


--------------------------------------------------------------------------------