czietz/wifimicroscope

Sources of libjh_wifi.so

raenye opened this issue · 15 comments

This is the Java source code of a similar(?) app. But that user's Github is indeed interesting, because https://github.com/aivenlau/JH-Libary_N_FFMPEG/tree/master/JH-Libary a native library, albeit for Apple iOS. It doesn't match exactly the libjh_wifi.so that I reverse-engineered, but for sure, the code will provide valuable insight when I continue the work on my USB microscope.

Thank you for that find!

You are right, this is the (objective c) source of the iOS port.

It seems like a direct port, so everything is in JH_WifiCamera.[m,h].
For instance, nICtype == 8 is called IC_GPRTPB, and there are all the commands binding ports 10900 and 20000, and creating and sending the JHCMD packets.

Are you planning to get back to this sometime?
Did you try to get the microscope join a WiFi network as a client? (will break official apps, but we shouldn't care).

Thanks!

edent commented

If it helps your investigation, the JH seems to stand for http://www.joyhonest.com/

They're the people who make this camera / Wi-Fi combination. And, I guess, write the software.

Are you planning to get back to this sometime?

It's on my list - like so many other projects. Thus, please don't expect any new findings from me soon. I'll update the website, though, with pointers to the source code you found. Maybe someone else will investigate.

Did you try to get the microscope join a WiFi network as a client? (will break official apps, but we shouldn't care).

Iirc, I tried the respective setting in the microscope's web interface, but it didn't do anything. Maybe support WiFi client support is missing from the software/firmware on the microscope?

Too many projects, too little time. Same here, same here :)

Two functions in the RTPB protocol that caught my eye are naWriteData2Flash and naReadDataFromFlash.
Maybe these are for OTA?
I'll try to implement the read function, and if it spits out the firmware, there's a chance to get new code on the device...

Any idea what MCU is inside, BTW?
nmap says that the http server is lwIP/1.3.1 (http://savannah.nongnu.org/projects/lwip)

No idea about the MCU. (lwIP can be easily ported to many architectures.) And since I'm using my microscope regularly (albeit over USB), I'm not too tempted to crack it open.

Most of the protocol is laid down in the functions F_Read20000_27Lenght and F_RevData20000.
The three commands naInit sends out mean (1) Get flags, (2) Get Module Info, (3) Start video.
Flags include low battery warning, recording, take picture, SD card not ready and SD card full.
Maybe ROM is only 510 bytes? since this is the amount of data requested by the read flash command.

Any idea what MCU is inside, BTW?

Only reverence i can find is: https://github.com/rooterkyberian/syma

There they mention a "Marvell 88W8801 Camera daughter board" from Joyhonest.
Maybe they use similar boards for their microscopes?

Hey there,

I have one such camera here, and here's what I figured out so far. I haven't cracked it open (yet) either; seems a bit more robust than other things I had in my hands. The manual says "Model: F210". According to the package, the manufacturer is supposedly Shenzhen Pingqu Information Technology Co., Ltd., and the website www.wel-van.com (exposing an ERP system login and a link to a deleted eBay forum or whatever; dead end, likely). The device is the one in https://www.youtube.com/watch?v=t91ZPrh9BIw with the flexible mount.

There is a web interface on port 80, with the login admin/admin (which you can even ignore if you know the addresses of the pages from the menu, as it seems). It offers changing the Wi-fi settings, DHCP, etc., but not much more. There is a logo at the top from "South Silicon Valley" and a link at the bottom: http://www.southsv.com.cn/cn/
However, that is now a 404. Removing the /cn/ redirects to http://www.icomm-semi.com/, who seem to provide other IoT and whatever solutions as per the menu. It's all Chinese though, and I can only translate parts with Google. From a post a pasted into Google Translate, it appears that their expertise is somewhere in low-power Wi-fi chips (they describe low power consumption etc).
Anyway, by now I am starting to lose count on the number of vendors involved.

I followed your suggestion regarding the Syma camera, which looks like it is this one:
https://fccid.io/2ANNK-JH2969V2/External-Photos/External-Photos-3800106
And seemingly, the same as this one:
https://fccid.io/2ANNK-WD8C25V3/External-Photos/External-photo-4487878
I am not too sure if that is the same that we have. I have taken apart a bunch of devices (wifi storages and cameras), and I did encounter Marvell MCUs in a few. It looks to me like this one here is only for Wi-fi, and the main SoC something else. Checking for lwIP, I do find a port suitable for RTOS though: https://github.com/phoenix-rtos/lwip

The .so file is full of things (I ran strings over it). It includes the IP address that we have (192.168.29.1) plus others in the 192.168 ranges (192.168.28.1 etc), and something like, for example, http://192.168.234.1/web/cgi-bin/hi3510/getsdcareInfo.cgi. The HI3xxx SoCs are Arm SoCs from HiSilicon, which are quite common in IP cameras. I would assume that the library supports a range of devices based on different chips, even potentially entirely different architectures and OSs. I tried to run these CGI scripts (presumably) to no avail. I originally wanted to get the RTSP stream, but that didn't work either.

nmap told me that there is also something running on port 8081. I could not figure out what it is. Thanks to your links though, I can see that it is likely used for yet another protocol: https://github.com/aivenlau/JH-Libary_N_FFMPEG/blob/f61ec630330918ba2ea16aaed8e0c88f54901d8f/JH-Libary/JH_WifiCamera.m#L5175
I haven't tried that, but yea... those devices are like Pandora's boxes, and matryoshkas at the same time. 🙃

Some more: A very, very similar microscope - https://fccid.io/2AYBY-W04/External-Photos/External-Photos-5046768 (oh look at the internal photos, an exposed UART) - sadly shows a blank SoC only (maybe the camera perspective didn't allow for revealing it). Yet another very similar device - https://fcc.report/FCC-ID/2AC5ZUM018/2415713 - is based on a Ralink RT5350F SoC (common MIPS thing found in consumer routers; Ralink now belongs to MediaTek).

I hope there were some interesting ideas in this lengthy comment. Here is a last one; but first: Kudos for the Python script, it works for me as well and I could successfully dump images. :) I have seen a similar custom protocol in the KTC (Key Tech Corp) wireless storage devices, which essentially push out raw sectors from SD cards through UDP packets when asked nicely (https://github.com/orangecms/wsd-cuse/blob/master/pkg/client/client.go#L54 is my PoC).

For what it's worth, by using your code as a starting point I was able to get a live stream on my computer screen over wifi. I'm on Linux, so I had to import getch and change the msvcrt.kbhit line to "while True;". I moved the open() above the while loop using /dev/stdout as the output, and commented out other unneccissary lines. When running the script I piped the output to vlc reading /dev/stdin and got a live stream of the microscope video. The quality doesn't look any worse than via USB, but it does lag a bit so focusing and positioning can be a pain, but no wire!

I'm not a coder so my code is a mess, so not sharing, but the idea works so maybe someone more skilled can do it properly.

Hi. I'm not a coder but came here after a google of the IP address referenced in the article. Oddly or maybe not so oddly here in the UK the Draper Wi-fi endoscope uses software wifi check but is essentially the same unit behind the scenes as even the other app worked.

I used the code and added the cv2 library in Python to add a datetimestamp to the image. I struggled a bit to get video working. What I did is fire the Jpegs into a directory updating one file and forced that through the Cv2 library to get video with datetimestamps. It was quite choppy Live video though but I get timestamps which is useful. Alternatively I was building a video file from the images and that was decent but not live.

I was thinking that presumably other usb cameras can be installed so considered whether could hook up a cctv system with timestamps, and whatever other bits and bobs in the cv2 library. Edit: If we could get access to other stream types that would be interesting.

@ashman-777 you can take a look at my code: https://gist.github.com/TheCrazyT/364ff5d6e893905af9d950f70daa2f29 (no file output needed there)

Most of the protocol is laid down in the functions F_Read20000_27Lenght and F_RevData20000. The three commands naInit sends out mean (1) Get flags, (2) Get Module Info, (3) Start video. Flags include low battery warning, recording, take picture, SD card not ready and SD card full. Maybe ROM is only 510 bytes? since this is the amount of data requested by the read flash command.

@raenye @czietz I'm unable to get battery level using the available method in the aivenlau JH library SDK. Can you suggest which way I have to go for?

If it helps your investigation, the JH seems to stand for http://www.joyhonest.com/

They're the people who make this camera / Wi-Fi combination. And, I guess, write the software.

yep,link here:
https://github.com/joyhonest