Commit d4deae18 authored by Chipp Jansen

edited control system image

parent 730df80d
figures/control-system.png (image replaced: 607 KB to 93.7 KB)
......@@ -392,7 +392,7 @@ Also, an important thing to consider here is the operating voltages of the board
\centering
\begin{tabular}{c|c|c|c|c}
On RPI & RPI Pin Name & Cable Color & On NEOS & NEOS Pin Name \\
Pin 6 & Ground (GND) & black & bottom (3rd from corner) & Ground (GND) \\
Pin 6 & Ground (GND) & black & bottom (3rd from corner) & Ground (GND) \\
Pin 8 & TX (GPIO14) & grey & top (1st from corner) & RX Pin \\
Pin 10 & RX (GPIO15) & white & center (2nd from corner) & TX Pin \\
\end{tabular}
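Review bot: the only changed row in this hunk is `Pin 6 & Ground (GND) & black & bottom (3rd from corner) & Ground (GND)`, and its visible text is identical on both sides, so this looks like a whitespace-only edit; if the intent was to fix the row, nothing actually changed. While here: the `c|c|c|c|c` tabular has no `\hline` under the header row, so "On RPI / RPI Pin Name / Cable Color ..." runs straight into the data rows. The crossover itself (RPi TX on GPIO14 to the NEOS RX pin, RPi RX on GPIO15 to the NEOS TX pin) is right; since the sentence above the table calls the operating voltages an important thing to consider, the table or its caption should state the logic level it assumes on both sides, so a reader does not wire a board at a different level.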
......@@ -505,7 +505,7 @@ isvp_t20#
Typing in \texttt{help} gives you the menu of options available to you:
\begin{verbatim}
isvp_t20# help
isvp_t20# help
? - alias for 'help'
base - print or set address offset
boot - boot default, i.e., run 'bootcmd'
......@@ -523,7 +523,7 @@ Typing in \texttt{help} gives you the menu of options available to you:
fatload - load binary file from a dos filesystem
fatls - list files in a directory (default /)
gettime - get timer val elapsed,
go - start application at address 'addr'
help - print command description/usage
loadb - load binary file over serial line (kermit mode)
......@@ -557,7 +557,7 @@ For instance, U-Boot can have \textit{sub-systems}, a kind of plug-in, that prov
\begin{verbatim}
isvp_t20# help sf
sf - SPI flash sub-system
Usage:
sf probe [[bus:]cs] [hz] [mode] - init flash device on given SPI bus
and chip select
......@@ -581,7 +581,7 @@ And you can see what chip is attached via \verb|sf probe|:
\end{verbatim}
On the NEOS, the main processor is connected to a FM25Q64 flash memory chip\footnote{Remember the flash chip on the Tour of the Board - \url{http://eng.fmsh.com/nvm/FM25Q64_ds_eng.pdf}}, which stores the system's operating system and file system. This provides a way, via U-Boot to read/write portions of the flash chip via the system memory.
help
help
We can gather more information about how the NEOS starts up, by looking at the bootloader's environment variables, via the \verb|printenv| command:
\begin{verbatim}
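Review bot: the two bare `help` lines after the FM25Q64 paragraph sit outside any `verbatim` environment, so they will be typeset as the word "help" in the body text; they look like leftover console input and should be deleted. Also, "This provides a way, via U-Boot to read/write portions of the flash chip via the system memory" is the capability this whole section is building towards (dumping and rewriting the flash that holds the OS and file system, from an unauthenticated bootloader prompt), so it deserves its own sentence and a comma after "U-Boot" rather than being tacked onto the footnote sentence.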
......@@ -599,7 +599,7 @@ We can gather more information about how the NEOS starts up, by looking at the b
stderr=serial
stdin=serial
stdout=serial
Environment size: 596/16380 bytes
\end{verbatim}
......@@ -609,14 +609,14 @@ We can modify the \texttt{bootargs} variable and change \texttt{init} portion to
\begin{verbatim}
setenv bootargs console=ttyS1,115200n8 mem=104M@0x0 ispmem=8M@0x6800000
rmem=16M@0x7000000 init=/bin/sh rootfstype=squashfs root=/dev/mtdblock2
rmem=16M@0x7000000 init=/bin/sh rootfstype=squashfs root=/dev/mtdblock2
rw mtdparts=jz_sfc:256k(boot),2048k(kernel),3392k(root),640k(driver),
4736k(appfs),2048k(backupk),640k(backupd),2048k(backupa),256k(config),
256k(para),-(flag)
\end{verbatim}
% TODO - verify this WITHOUT a modified device
You can verify that the change took place by running the \texttt{printenv} command again. Check that the \verb|bootargs| variable has a modified \verb|init| option.
You can verify that the change took place by running the \texttt{printenv} command again. Check that the \verb|bootargs| variable has a modified \verb|init| option.
Run the command \texttt{boot} to continue the boot process with your modified \texttt{bootargs}. If you reset or switch the device off, the changes will be lost and you will have to go through the editing process again.
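Review bot: the `setenv bootargs ...` in the verbatim is wrapped over six lines, but U-Boot's `setenv` takes the rest of a single input line as the value; a reader who types it as shown line by line ends up with `bootargs` set to only `console=ttyS1,115200n8 mem=104M@0x0 ispmem=8M@0x6800000` and a kernel that will not boot. Say that it must be entered as one line (the wrapping is only for the page). The `% TODO - verify this WITHOUT a modified device` comment is still open. Worth stating the security point plainly as well: nothing authenticates the serial console, so anyone with the UART wired up can set `init=/bin/sh` and get a root shell before any login prompt; this is the same absence of verification that the later firmware section relies on. "If you reset or switch the device off, the changes will be lost" is correct only because `saveenv` is never run; a sentence saying that is why would stop readers from wondering.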
......@@ -651,14 +651,14 @@ Insert the SD-CARD with the custom firmware into the NEOS camera. Before you tu
Hold the ``Set-up'' button and then turn the NEOS camera back on (you might want to have someone help you). Keep the button pressed, the status LED should turn from a solid yellow to a solid blue color. After 20-30 seconds, you release the button. Eventually the LED will blink rapidly to indicate a success, this takes about 3 minutes. This video shows what should be expected: \\
\url{https://www.youtube.com/watch?v=F-MnpGf6Iss}.
If the device is not loading \verb|demo.bin|, double check the SD-CARD card again for files or folders created by the stock firmware. Sometimes if your timing is off with the pressing the ``Set-up'', the camera will create default folders (such as \verb|record| and \verb|time_stamp|. Mount the SD-CARD on the Raspbery Pi and delete all files except for \verb|demo.bin| and try again.
If the device is not loading \verb|demo.bin|, double check the SD-CARD card again for files or folders created by the stock firmware. Sometimes if your timing is off with the pressing the ``Set-up'', the camera will create default folders (such as \verb|record| and \verb|time_stamp|. Mount the SD-CARD on the Raspbery Pi and delete all files except for \verb|demo.bin| and try again.
\paragraph{Running our own Custom Firmware}
Now, the default behaviour of this new firmware is to first look on the SD-CARD to see if there is a valid firmware in form of a Linux file-system. If so, it will boot off of the SD-CARD, otherwise, the device boots off of the default factory firmware.
Now, the default behaviour of this new firmware is to first look on the SD-CARD to see if there is a valid firmware in form of a Linux file-system. If so, it will boot off of the SD-CARD, otherwise, the device boots off of the default factory firmware.
Now, we will prepare the SD-CARD with our own modified firmware. Turn off the NEOS, and mount the SD-CARD back on the Raspberry Pi. In a Terminal, use \verb|git| to clone the Xiaomi-Dafang-Hacks repository:
\begin{verbatim}
pi@raspberry:~ $ git clone https://github.com/EliasKotlyar/Xiaomi-Dafang-Hacks.git
pi@raspberry:~ $ git clone https://github.com/EliasKotlyar/Xiaomi-Dafang-Hacks.git
\end{verbatim}
Remove the current contents of the SD-CARD (i.e. the \verb|demo.bin| and any other files, such as the \verb|record| directory etc...). Note: the name of the mounted SD-CARD will be different than what's below, \verb|CA05-A412|.
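Review bot: the reworded line under "If the device is not loading `demo.bin`" still has an unclosed parenthesis after `\verb|time_stamp|`, plus "SD-CARD card", "with the pressing the" and "Raspbery Pi"; suggest "... default folders (such as \verb|record| and \verb|time_stamp|). Mount the SD-CARD on the Raspberry Pi and delete all files except for \verb|demo.bin| and try again." For the "Running our own Custom Firmware" paragraph: since the replacement firmware boots whatever valid Linux file-system it finds on the SD-CARD before falling back to the factory image, say plainly that the card is now the trust anchor; anyone who can swap the card can boot their own system on the camera, which is exactly what the reader is about to do.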
......@@ -696,7 +696,7 @@ Now you can eject the SD-CARD, insert it in the NEOS and on start-up you can see
Starting run.sh from sdcard
\end{verbatim}
Note that the messages printed out on the debug port are a mixture of multiple output streams: standard out, or the messages that programs intend to output to the user; and the debug logging from the Linux.
Note that the messages printed out on the debug port are a mixture of multiple output streams: standard out, or the messages that programs intend to output to the user; and the debug logging from the Linux.
You will see that when the SD-CARD mounts, then it executes a \verb|run.sh| script located on the SD-CARD. If you wanted to modify what is started on the NEOS, you can edit this script (it is a Unix shell script) on the SD-CARD.
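Review bot: "the debug logging from the Linux" is missing its noun; the second stream on the serial port is the kernel's log (what `dmesg` shows), and programs' standard error is interleaved with standard out as well. Suggest: "standard output and standard error of the programs that run, and the log messages of the Linux kernel". The `run.sh` sentence is the one that matters for anyone securing the device: a shell script on a removable FAT card is executed at every boot (the "Starting run.sh from sdcard" line above), so editing it is both the intended customisation path and the obvious persistence path; worth saying in one sentence.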
......@@ -704,7 +704,7 @@ Once the NEOS has booted, you can hit enter a few times, and you will have the l
\begin{verbatim}
DAFANG login: root
Password:
Password:
Jan 1 00:14:28 login[822]: root login on 'console'
[root@DAFANG:~]#
\end{verbatim}
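Review bot: the login transcript shows `Password:` with nothing telling the reader what to type; the default credential (`root` / `ismart12`) only appears much later in the web-interface hunk. State it here, where the reader first needs it, so they do not assume the password is empty.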
......@@ -724,7 +724,7 @@ Once in, you can take a tour of the system. Looking at the file-system root, th
bin etc mnt root system var
\end{verbatim}
However, this is the ``normal'' default firmware for the NEOS. The system that is live is running off of the SD-CARD, which is located at \verb|/system/sdcard|. That means the configuration files and the programs to use are not in the typical Unix places.
However, this is the ``normal'' default firmware for the NEOS. The system that is live is running off of the SD-CARD, which is located at \verb|/system/sdcard|. That means the configuration files and the programs to use are not in the typical Unix places.
\begin{verbatim}
[root@DAFANG:sdcard]# cd /system/sdcard
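Review bot: the prompt already reads `[root@DAFANG:sdcard]#` before the `cd /system/sdcard`, so the transcript was captured after the directory change; either drop `:sdcard` from that prompt or move the `cd`. The sentence "However, this is the ``normal'' default firmware for the NEOS" reads as if the listing were the stock firmware itself; what it means is that the listing is the stock root file-system (the squashfs on flash named in the earlier `bootargs`) while the services that are actually running come from `/system/sdcard`, which is why configuration is not in the usual places.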
......@@ -752,7 +752,7 @@ Initially, the SD-CARD might be in a read-only state, and that the file system d
\begin{verbatim}
dosfsck -a /dev/mmcblk0p1
[root@DAFANG:sdcard]# dosfsck -a /dev/mmcblk0p1
[root@DAFANG:sdcard]# dosfsck -a /dev/mmcblk0p1
CP850//TRANSLIT: Invalid argument
CP850: Invalid argument
fsck.fat 4.1+git (2017-01-24)
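Review bot: the first `dosfsck -a /dev/mmcblk0p1` line has no prompt and duplicates the command on the next line; drop it. More importantly, `dosfsck -a` is run while `/dev/mmcblk0p1` is still mounted at `/system/sdcard` (the next hunk remounts it read-write rather than mounting it fresh), and repairing a mounted FAT filesystem can corrupt it; suggest `umount /system/sdcard` first, or at least tell the reader the check is only reasonable here because the card is mounted read-only at that point. The `CP850//TRANSLIT: Invalid argument` / `CP850: Invalid argument` lines look like iconv/locale warnings rather than filesystem errors; the text should say what the reader is meant to make of them.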
......@@ -768,10 +768,10 @@ Next, we'll remount the SD-CARD (note, there is no output from this command):
\begin{verbatim}
[root@DAFANG:sdcard]# mount -o remount,rw /system/sdcard
[root@DAFANG:sdcard]#
[root@DAFANG:sdcard]#
\end{verbatim}
Finally, we'll use the \verb|autoupdate.sh| script on the SD-CARD to update the system from the Xiami-Dafang-Hacks github repository.
Finally, we'll use the \verb|autoupdate.sh| script on the SD-CARD to update the system from the Xiami-Dafang-Hacks github repository.
\begin{verbatim}
[root@DAFANG:sdcard]# /system/sdcard/autoupdate.sh
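Review bot: `autoupdate.sh` updates the system from the GitHub repository, but this step comes before the Wi-Fi section ("Now, we are ready to connect the device to the local Wi-Fi network" is the next hunk but one), so at this point the camera has no network path; either move the update after Wi-Fi is up or explain how it reaches the repository here. "Xiami-Dafang-Hacks" should be "Xiaomi-Dafang-Hacks". One sentence on trust would also help: the script downloads code from that repository and installs it on the camera as root, so the reader is now trusting the repository's current contents, not just the copy they cloned and inspected on the Raspberry Pi.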
......@@ -787,8 +787,8 @@ You can run \verb|autoupdate.sh| multiple times. But bear in mind that once you
[root@DAFANG:sdcard]# /system/sdcard/autoupdate.sh
jq: error: Could not open file /tmp/.lastcommit: No such file or directory
jq: error: Could not open file /tmp/.lastcommit: No such file or directory
You are currently on the latest version
You are currently on the latest version
You are currently on the latest version
You are currently on the latest version
\end{verbatim}
% https://github.com/EliasKotlyar/Xiaomi-Dafang-Hacks/issues/880
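Review bot: the `jq: error: Could not open file /tmp/.lastcommit: No such file or directory` output is shown but never explained, while the pointer to issue 880 sits in a LaTeX comment the reader cannot see; put that pointer, or a one-line statement of when the error appears and whether the update still happened, into the text. As it stands the reader sees an error followed by "You are currently on the latest version" and has no way to tell which to believe.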
......@@ -797,7 +797,7 @@ You can run \verb|autoupdate.sh| multiple times. But bear in mind that once you
Now, we are ready to connect the device to the local Wi-Fi network. First, a really important thing to do now, is to re-connect the Wi-Fi antenna, which is what the black wire that runs from the outer case is connected to. This is the wire with the golden plug that you unplugged right after you openned the case. Plug the wire in again, and you can balance the internals on the case.
Because there might be multiple NEOS cameras on the same network, we want to set-up a unique hostname. By default it is \verb|dafang|.
Because there might be multiple NEOS cameras on the same network, we want to set-up a unique hostname. By default it is \verb|dafang|.
We can modify the hostname with the \verb|hostname.conf| file in \verb|config|. Using \verb|echo| we can replace the contents of the file with our own hostname:
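Review bot: "openned" should be "opened", and "you can balance the internals on the case" is unclear (rest the board on the open case?). This is the point where the camera is about to join the network, so it is also the place to tell the reader to change the default `root` password before it does; the document only mentions the default later, in the web-interface section, after the device is already reachable. Setting a unique hostname is about avoiding clashes, not security; the `.local` name it produces is predictable.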
......@@ -821,11 +821,11 @@ Then, you'll want to edit the file. You can use \verb|vi|. Replace SSID with t
\begin{verbatim}
# For more configuration option please see:
# https://w1.fi/cgit/hostap/plain/wpa_supplicant/wpa_supplicant.conf
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=0
ap_scan=1
network={
ssid="SSID"
# Uncomment to connect to Hidden SSIDs
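Review bot: the `network={ ssid="SSID" ... }` block will carry the Wi-Fi network key in a plain file on a FAT-formatted SD card, which has no file permissions; anyone who pops the card out (the same physical access this whole procedure depends on) gets the network key. Say so. `wpa_passphrase SSID` can generate a hashed `psk=` line instead of the passphrase, but the hashed value is still enough to join the network, so the honest advice is physical control of the card and a separate network for the camera. `ctrl_interface_group=0` means group root; fine on this single-user image, but a short comment in the file would save questions.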
......@@ -841,7 +841,7 @@ Then, you'll want to edit the file. You can use \verb|vi|. Replace SSID with t
The NEOS has a watchdog process that checks for the \verb|wpa_supplicant.conf| file, so it will attempt to connect right away! You might already see kernel debug messages being printed. You can check the \verb|wifi.log| in \verb|/system/sdcard/log/wifi.log|, using tail to see the most recent messages:
\begin{verbatim}
[root@DAFANG:sdcard]# tail log/wifi.log
[root@DAFANG:sdcard]# tail log/wifi.log
01/01/70 02:55:16 Starting wpa_supplicant
01/01/70 02:55:22 Starting wpa_action watchdog
01/01/70 02:55:22 Starting wpa_cli
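Review bot: the `01/01/70 02:55:16` timestamps in `wifi.log` show the camera's clock is sitting at the epoch, so log times (and anything that checks certificate validity dates) are wrong until the clock is set after the network comes up; one sentence telling the reader not to be alarmed by 1970 dates, and when the time gets set, would help. "using tail to see the most recent messages" is fine, but the path is given twice in the same sentence (`wifi.log` in `/system/sdcard/log/wifi.log`); one mention is enough.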
......@@ -858,20 +858,20 @@ We can check if the device has an ip address, but running \verb|ifconfig|, and l
\begin{verbatim}
[root@DAFANG:sdcard]# ifconfig
lo Link encap:Local Loopback
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:729 errors:0 dropped:0 overruns:0 frame:0
TX packets:729 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
collisions:0 txqueuelen:0
RX bytes:55362 (54.0 KiB) TX bytes:55362 (54.0 KiB)
wlan0 Link encap:Ethernet HWaddr A8:3F:A1:83:46:AC
wlan0 Link encap:Ethernet HWaddr A8:3F:A1:83:46:AC
inet addr:192.168.1.249 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:992 errors:0 dropped:325 overruns:0 frame:0
TX packets:37 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
collisions:0 txqueuelen:1000
RX bytes:192047 (187.5 KiB) TX bytes:5146 (5.0 KiB)
\end{verbatim}
......@@ -881,11 +881,17 @@ Now we see if the device available via the web-interface.
If you reboot your NEOS, then the new host-name that you set-up will be active. You can access the web interface (if you are on the same local network), via \verb|https://YOURHOSTNAME.local|. Or you can access via the ip address, such as \verb|https:/192.168.1.249| (your browser might freak out, but you can accept the security risk and continue).
You'll login with the same default user, login: \verb|root| and password: \verb|ismart12|.
You'll login with the same default user, login: \verb|root| and password: \verb|ismart12|.
If everything is working, you should see an image from the camera in the browser that updates periodically. The interface already provides a rich number of features. Remember that this web-interface and the firmware was created by the hardware hacking community, so it provides alot of detailed information and control of the device from the web-interface.
For instance, under the Control settings, (the third button in the top left), you can manage services such as a SSH server or video servers such as ONVIF.
For instance, under the Control settings, (the third button in the top left -- see Figure \label{fig:control-system}), you can manage services such as a SSH server or video servers such as ONVIF.
Even though these services are listed in the web-interface, these services are also available to run from the command-line through the command-line.
% TODO - check URL
Listed on the Xiaomi-Dafang-Hack repository\footnote{\url{https://github.com/EliasKotlyar/Xiaomi-Dafang-Hacks/tree/master/hacks/faq}}, are a list of services:
% TODO - copy services
\begin{figure}[h!]
\centering
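Review bot: `Figure \label{fig:control-system}` should be `Figure \ref{fig:control-system}`; as written it defines the label a second time (LaTeX will warn about multiply defined labels) and prints nothing in the sentence. Also `https:/192.168.1.249` is missing a slash, "alot" should be "a lot", "available to run from the command-line through the command-line" repeats itself, and the two `% TODO` comments (check URL, copy services) are still open. On the security wording: "your browser might freak out, but you can accept the security risk and continue" should say why: the interface serves a certificate the browser does not trust, so the warning is expected on this device, but readers should not learn that clicking through it is normal. And `root` / `ismart12` is a published default; now that the camera is reachable over the network, say it must be changed in the interface, not just used.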
......@@ -894,30 +900,37 @@ For instance, under the Control settings, (the third button in the top left), yo
\label{fig:control-system}
\end{figure}
For instance, with the SSH server enabled, you can now access the device via the internet, instead of the debug port. For example, from the Raspberry Pi, you can connect:
\begin{verbatim}
ssh root@YOURHOSTNAME.local
\end{verbatim}
\section{Streaming your own Video}
Once you have the camera set-up to stream video, you can stream to an online broadcasting service. Autistici (\url{https://www.autistici.org}) is a video hacking collective with an open re-broadcasting server at \url{https://live.autistici.org/}
Once you have the camera set-up to stream video, you can experiment with streaming the video to an online broadcasting service. \textit{Autistici} \footnote{\url{https://www.autistici.org}} is a video hacking collective with an open re-broadcasting server at \url{https://live.autistici.org/}.
Here is an alternative system that you can install. It's development is geared towards making things set-up easier. % https://github.com/openmiko/openmiko/
You can use the RTMP tool to forward the stream from the NEOS the the live \textit{Autistici} service.
\section*{Day 2}
\begin{verbatim}
rtmp
\end{verbatim}
\section{Creating your own Firmware}
% https://github.com/EliasKotlyar/Xiaomi-Dafang-Hacks/tree/master/hacks/firmware
In this device's case, creating your own firmware is a matter of bundling a linux file-system together. We do this by getting the original firmware, un-squashing it, add the bits we want, and resquash it.
% TODO - Can you broadcast video to another device?
A security issure here might be that the device expect a signed firmware - a secure method of guaranteeing that the firmware is not modified. But, in this devices case, there is no check being done. This security oversight is to our advantage, and it allows us the ability to create our own set-up.
\section{Onward Routes}
\subsection{Adding new Software to the Device}
In this workshop, we covered an introduction to hardware hacking of an IoT device and setting up a custom firmware. These approaches are good first steps when looking at reusing a new (``old'') device in new ways. One thing that is evident is that hardware hacking, while it seems like it would be a solitarty activity actually happens online in a collaborative setting. With almost any device that you want to reuse, repurpose or are just curious about, there will be a community out there to engage with, such at the Xiamo-Dafang-Hacks github repository.
Here we are going to load Python, CircuitPython, or MicroPython.
\\
\\
Other ideas:
\begin{itemize}
\item Flashing new firmware / setting-up CircuitPython
\item OpenOCD on Raspberry PI
\end{itemize}
Online you will find many more things and experiments that folks have done with the NEOS device. For instance, OpenMiko is alternative firmware system that you can install on the NEOS, in the same manner as we did today. % TODO - It is... . % https://github.com/openmiko/openmiko/
You might also realise that the NEOS camera was pretty open and accessible. Other devices, especially from larger more resourced companies, will have more security and be more invovled to access. The computer security community has many examples of more in depth reverse engineering -- conferences such as DefCon and HackaDay often have online tutorials with a wealth of information.
Finally, you might be interested in adding your own code to the NEOS device. Or perhaps there is an open-source tool, that you want to run on the device. Often, this requires
\section*{Day 2}
\section{Cross-compiling}
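Review bot: the last paragraph of "Onward Routes" stops mid-sentence at "Often, this requires"; it needs finishing or cutting before this lands. `\section*{Day 2}` appears twice in this hunk, once before the `rtmp` verbatim and again before "Cross-compiling"; make sure only the second survives, and the `rtmp` verbatim is an empty placeholder with no actual command in it. Typos: "It's development" should be "Its development", "the the live", "solitarty", "such at the Xiamo-Dafang-Hacks" should be "such as the Xiaomi-Dafang-Hacks", "is alternative firmware" should be "is an alternative firmware", "invovled", and "conferences such as DefCon and HackaDay" (DEF CON is a conference; Hackaday is a site), plus the `% TODO - It is... .` fragment. One thing worth not losing to the comments: the observation that the device performs no signature check on firmware, from the old "Creating your own Firmware" text, is the clearest security statement in the document and is the reason the NEOS was "pretty open and accessible"; it belongs in "Onward Routes" as prose, not as a commented-out block.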
......@@ -930,6 +943,25 @@ Dafang-Hacks has the cross-compile set-up for the build environment.
Information and Documentation about the Ingenic-T10 and 20 chips.
% https://github.com/Dafang-Hacks/Ingenic-T10_20
% \section{Creating your own Firmware}
% % https://github.com/EliasKotlyar/Xiaomi-Dafang-Hacks/tree/master/hacks/firmware
% In this device's case, creating your own firmware is a matter of bundling a linux file-system together. We do this by getting the original firmware, un-squashing it, add the bits we want, and resquash it.
%
% A security issure here might be that the device expect a signed firmware - a secure method of guaranteeing that the firmware is not modified. But, in this devices case, there is no check being done. This security oversight is to our advantage, and it allows us the ability to create our own set-up.
%
% \subsection{Adding new Software to the Device}
%
% Here we are going to load Python, CircuitPython, or MicroPython.
% \\
% \\
% Other ideas:
% \begin{itemize}
% \item Flashing new firmware / setting-up CircuitPython
% \item OpenOCD on Raspberry PI
% \end{itemize}
% \section{Using CircuitPython or MicroPython}
% - Reading/Writing I/O - Buttons and Blinking LEDs
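Review bot: the block from `% \section{Creating your own Firmware}` to `% - Reading/Writing I/O - Buttons and Blinking LEDs` is the old section carried as a LaTeX comment; the same text was removed from "Onward Routes" in this commit and git keeps the history, so delete it rather than leaving eighteen commented lines at the end of the file. If it stays as a draft for "Day 2", fix "issure" and "this devices case" before it is uncommented, and keep the unsigned-firmware sentence, which is the part worth reusing.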