Saturday, July 18, 2020

Eufy HomeBase2 teardown

I picked up a battery-powered Eufy video doorbell because it claims to use only local storage, although I hear rumors about it phoning home to suspicious places in China.  Here's the HomeBase2 that lives inside the house and stores the data.  The three sticks are antennas, two for wifi, one labeled Sub 1G-V1.



I believe the deal is that it uses this CC1310 as a low power way to stream video clips from the doorbell camera, since the doorbell is battery powered and needs to conserve energy.  (Whereas the HomeBase2 plugs into the wall and bridges to wifi and wired ethernet).





Looks like the CPU is a MediaTek MT7628NN:


Here you can see labeled GND, TxD, RxD, 3V3 pins providing handy access to a 115200 baud UART:


And here are the eMMC and flash chips:


And here it looks like we have a JTAG port:



The serial port helpfully dumps the linux boot messages:


[04030C0D][04030C0C]
DDR Calibration DQS reg = 00008788


U-Boot 1.1.3 (Nov  6 2018 - 17:19:03)

Board: Ralink APSoC DRAM:  128 MB
relocate_code Pointer at: 87fa0000
flash manufacture id: c2, device id 20 19
find flash: MX25L25635E
raspi_read: from:40035 len:1 
raspi_read: from:40036 len:1 
raspi_read: from:30000 len:1000 
*** Warning - bad CRC, using default environment

============================================ 
Ralink UBoot Version: 5.0.0.0
-------------------------------------------- 
ASIC 7628_MP (Port5<->None)
DRAM component: 1024 Mbits DDR, width 16
DRAM bus: 16 bit
Total memory: 128 MBytes
Flash component: SPI Flash
Date:Nov  6 2018  Time:17:19:03
============================================ 
icache: sets:512, ways:4, linesz:32 ,total:65536
dcache: sets:256, ways:4, linesz:32 ,total:32768 

 ##### The CPU freq = 575 MHZ #### 
 estimate memory size =128 Mbytes
RESET MT7628 PHY!!!!!!
Please choose the operation: 
   1: Load system code to SDRAM via TFTP. 
   2: Load system code then write to Flash via TFTP. 
   3: Boot system code via Flash (default).
   4: Entr boot command line interface.
   7: Load Boot Loader code then write to Flash via Serial. 
   9: Load Boot Loader code then write to Flash via TFTP. 

   m: Load mini system code then write to Flash via TFTP. 
   u: enter mini system for upgrade normal system. 
1 0 

normal mode. 


  ** send data to uart2 **
FE 01 21 58 00 78 


 ++ read from uart2 data:
FE 02 61 58 00 10 2B 

 success to get respance.
get response from app. code:0x00.
in normal mode.
  ** send data to uart2 **
FE 01 21 51 00 71 


 ++ read from uart2 data:
FE 01 61 51 00 31 

 success to get respance.

   
3: System Boot system code via Flash.
## Booting image at bc050000 ...
raspi_read: from:50000 len:40 
   Image Name:   Linux Kernel Image
   Image Type:   MIPS Linux Kernel Image (lzma compressed)
   Data Size:    13185677 Bytes = 12.6 MB
   Load Address: 80000000
   Entry Point:  805e9280
raspi_read: from:50040 len:2902cd 
   Uncompressing Kernel Image ... OK lzmaBuffToBuffDecompress() at 812.
OK
No initrd
## Transferring control to Linux (at address 805e9280) ...
## Giving linux memsize in MB, 128

Starting kernel ...


LINUX started...

 THIS IS ASIC

SDK 5.0.S.0
[    0.000000] Linux version 3.10.14y (root@yuxw-git-server) (gcc version 4.6.3 (Buildroot 2012.11.1) ) #107 Fri May 8 14:07:15 CST 2020
[    0.000000] 
[    0.000000]  The CPU feqenuce set to 575 MHz
[    0.000000] call early_serial_setup(&serial_req[0]);
[    0.000000] CPU0 revision is: 00019655 (MIPS 24KEc)
[    0.000000] Software DMA cache coherency
[    0.000000] Determined physical RAM map:
[    0.000000]  memory: 08000000 @ 00000000 (usable)
[    0.000000] Zone ranges:
[    0.000000]   Normal   [mem 0x00000000-0x07ffffff]
[    0.000000] Movable zone start for each node
[    0.000000] Early memory node ranges
[    0.000000]   node   0: [mem 0x00000000-0x07ffffff]
[    0.000000] Primary instruction cache 64kB, 4-way, VIPT, linesize 32 bytes.
[    0.000000] Primary data cache 32kB, 4-way, PIPT, no aliases, linesize 32 bytes
[    0.000000] Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 32512
[    0.000000] Kernel command line: console=ttyS1,115200n8 root=/dev/mtdblock5 lpj=764928 rootfstype=squashfs,jffs2
[    0.000000] PID hash table entries: 512 (order: -1, 2048 bytes)
[    0.000000] Dentry cache hash table entries: 16384 (order: 4, 65536 bytes)
[    0.000000] Inode-cache hash table entries: 8192 (order: 3, 32768 bytes)
[    0.000000] Writing ErrCtl register=0000000f
[    0.000000] Readback ErrCtl register=0000000f
[    0.000000] Memory: 121684k/131072k available (6099k kernel code, 9388k reserved, 1623k data, 212k init, 0k highmem)
[    0.000000] NR_IRQS:128
[    0.000000] console [ttyS1] enabled
[    0.080000] Calibrating delay loop (skipped) preset value.. 382.46 BogoMIPS (lpj=764928)
[    0.084000] pid_max: default: 32768 minimum: 301
[    0.088000] Mount-cache hash table entries: 512
[    0.092000] NET: Registered protocol family 16
[    0.168000] bio: create slab <bio-0> at 0
[    0.172000] gpio1_mode:0x530500C4.
[    0.176000] gpio1_mode2:0x05540551.before set to gpio mode.
[    0.180000] gpio1_mode2:0x05540551. after set to gpio mode.
[    0.200000] 
[    0.200000] 
[    0.200000] [zx]Board is eufycam2.
[    0.200000] 
[    0.204000] Ralink gpio driver initialized
[    0.208000] SCSI subsystem initialized
[    0.212000] usbcore: registered new interface driver usbfs
[    0.216000] usbcore: registered new interface driver hub
[    0.220000] usbcore: registered new device driver usb
[    0.224000] Advanced Linux Sound Architecture Driver Initialized.
[    0.228000] cfg80211: Calling CRDA to update world regulatory domain
[    0.232000] Switching to clocksource MIPS
[    0.236000] NET: Registered protocol family 2
[    0.244000] TCP established hash table entries: 1024 (order: 1, 8192 bytes)
[    0.252000] TCP bind hash table entries: 1024 (order: 0, 4096 bytes)
[    0.256000] TCP: Hash tables configured (established 1024 bind 1024)
[    0.264000] TCP: reno registered
[    0.268000] UDP hash table entries: 256 (order: 0, 4096 bytes)
[    0.272000] UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
[    0.280000] NET: Registered protocol family 1
[    0.284000] RPC: Registered named UNIX socket transport module.
[    0.292000] RPC: Registered udp transport module.
[    0.296000] RPC: Registered tcp transport module.
[    0.300000] RPC: Registered tcp NFSv4.1 backchannel transport module.
[    0.308000] MTK/Ralink EHCI/OHCI init.
[    0.312000] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[    0.320000] Installing knfsd (copyright (C) 1996 okir@monad.swb.de).
[    0.328000] NTFS driver 2.1.30 [Flags: R/O].
[    0.332000] jffs2: version 2.2. (NAND) (SUMMARY)  (ZLIB) (RTIME) (c) 2001-2006 Red Hat, Inc.
[    0.340000] msgmni has been set to 237
[    0.344000] Block layer SCSI generic (bsg) driver version 0.4 loaded (major 253)
[    0.352000] io scheduler noop registered (default)
[    0.368000] Serial: 8250/16550 driver, 2 ports, IRQ sharing disabled
[    0.376000] serial8250: ttyS0 at MMIO 0x10000e00 (irq = 22) is a 16550A
[    0.380000] serial8250: ttyS1 at MMIO 0x10000c00 (irq = 20) is a 16550A
[    0.388000] i2cdrv_major = 218
[    0.404000] brd: module loaded
[    0.412000] 
[    0.412000] 
[    0.412000]  ---- call raspi_probe() ----- 
[    0.412000] 
[    0.420000] flash manufacture id: c2, device id 20 19
[    0.424000] MX25L25635E(c2 2019c220) (32768 Kbytes)
[    0.432000] mtd .name = raspi, .size = 0x02000000 (32M) .erasesize = 0x00010000 (64K) .numeraseregions = 0
[    0.440000] MX25L25635E(c2 2019c220) (32768 Kbytes)
[    0.444000] mtd .name = raspi2, .size = 0x02000000 (32M) .erasesize = 0x00010000 (64K) .numeraseregions = 0
[    0.456000] Concatenating MTD devices:
[    0.460000] (0): "raspi"
[    0.460000] (1): "raspi2"
[    0.464000] into device "Ralink Merged Flash"
[    0.468000] 30000,10000,10000, offs:0x50000.
[    0.472000] Creating 12 MTD partitions on "raspi":
[    0.480000] 0x000000000000-0x000002000000 : "ALL"
[    0.484000] 0x000000000000-0x000000030000 : "Bootloader"
[    0.492000] 0x000000030000-0x000000040000 : "Config"
[    0.500000] 0x000000040000-0x000000050000 : "Factory"
[    0.504000] 0x000000050000-0x0000002e02cd : "Kernel"
[    0.512000] mtd: partition "Kernel" doesn't end on an erase block -- force read-only
[    0.520000] 0x0000002e02cd-0x000000e50000 : "RootFS"
[    0.524000] mtd: partition "RootFS" doesn't start on an erase block boundary -- force read-only
[    0.536000] 0x000000050000-0x000000e50000 : "Kernel_RootFS"
[    0.544000] 0x000000e50000-0x000000e60000 : "device_info"
[    0.552000] 0x000000e60000-0x000000e70000 : "ocean_custom"
[    0.560000] 0x000000e70000-0x000000f40000 : "Kernel2"
[    0.564000] 0x000000f40000-0x000001440000 : "RootFS2"
[    0.572000] 0x000001440000-0x000002000000 : "user_fs_jffs2"
[    0.580000] Creating 1 MTD partitions on "raspi2":
[    0.584000] 0x000000000000-0x000002000000 : "spi2"
[    0.592000] test_netlink_init
[    0.596000] PPP generic driver version 2.4.2
[    0.600000] PPP BSD Compression module registered
[    0.604000] PPP Deflate Compression module registered
[    0.612000] PPP MPPE Compression module registered
[    0.616000] NET: Registered protocol family 24
[    0.620000] [wifi_fwd_alloc_tbl] size of WiFiFwdBase = 600bytes
[    0.624000] [wifi_fwd_alloc_tbl] size of pkt_src = 1200bytes
[    0.632000] [wifi_fwd_alloc_tbl] size of tx_src_tbl = 400bytes
[    0.644000] 
[    0.644000] 
[    0.644000] === pAd = c0051000, size = 1467736 ===
[    0.644000] 
[    0.656000] <-- RTMPAllocTxRxRingMemory, Status=0, ErrorValue=0x
[    0.664000] <-- RTMPAllocAdapterBlock, Status=0
[    0.668000] RtmpChipOpsHook(492): Not support for HIF_MT yet!
[    0.672000] mt7628_init()-->
[    0.676000] mt7628_init(FW(8a00), HW(8a01), CHIPID(7628))
[    0.680000] e2.bin mt7628_init(1141)::(2), pChipCap->fw_len(63888)
[    0.688000] mt_bcn_buf_init(218): Not support for HIF_MT yet!
[    0.692000] <--mt7628_init()
[    0.700000] rdm_major = 273
[    0.700000] GMAC1_MAC_ADRH -- : 0x00008c85
[    0.704000] GMAC1_MAC_ADRL -- : 0x8036a593
[    0.708000] Ralink APSoC Ethernet Driver Initilization. v3.1  512 rx/tx descriptors allocated, mtu = 1500!
[    0.720000] GMAC1_MAC_ADRH -- : 0x00008c85
[    0.724000] GMAC1_MAC_ADRL -- : 0x8036a593
[    0.728000] PROC INIT OK!
[    0.732000] usbcore: registered new interface driver asix
[    0.736000] usbcore: registered new interface driver ax88179_178a
[    0.744000] usbcore: registered new interface driver cdc_ether
[    0.752000] usbcore: registered new interface driver net1080
[    0.756000] usbcore: registered new interface driver rndis_host
[    0.764000] usbcore: registered new interface driver cdc_subset
[    0.768000] usbcore: registered new interface driver zaurus
[    0.776000] usbcore: registered new interface driver cdc_ncm
[    0.780000] ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
[    0.788000] ehci-pci: EHCI PCI platform driver
[    0.792000] ehci-platform: EHCI generic platform driver
[    0.820000] ******MT7628 mtk phy
[    0.820000] *****run project phy.
[    0.832000] FM_OUT value: u4FmOut = 0(0x00000000)
[    0.844000] FM_OUT value: u4FmOut = 134(0x00000086)
[    0.848000] FM detection done! loop = 1
[    0.860000] SR calibration value u1SrCalVal = 6
[    0.864000] *********Execute mt7628_phy_init!!
[    0.868000] ehci-platform ehci-platform: EHCI Host Controller
[    0.872000] ehci-platform ehci-platform: new USB bus registered, assigned bus number 1
[    0.880000] ehci-platform ehci-platform: irq 18, io mem 0x101c0000
[    0.900000] ehci-platform ehci-platform: USB 2.0 started, EHCI 1.00
[    0.904000] usb usb1: New USB device found, idVendor=1d6b, idProduct=0002
[    0.912000] usb usb1: New USB device strings: Mfr=3, Product=2, SerialNumber=1
[    0.920000] usb usb1: Product: EHCI Host Controller
[    0.924000] usb usb1: Manufacturer: Linux 3.10.14y ehci_hcd
[    0.928000] usb usb1: SerialNumber: ehci-platform
[    0.936000] hub 1-0:1.0: USB hub found
[    0.940000] hub 1-0:1.0: 1 port detected
[    0.944000] ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver
[    0.972000] *********Execute mt7628_phy_init!!
[    0.976000] ohci-platform ohci-platform: Generic Platform OHCI Controller
[    0.984000] ohci-platform ohci-platform: new USB bus registered, assigned bus number 2
[    0.992000] ohci-platform ohci-platform: irq 18, io mem 0x101c1000
[    1.056000] usb usb2: New USB device found, idVendor=1d6b, idProduct=0001
[    1.060000] usb usb2: New USB device strings: Mfr=3, Product=2, SerialNumber=1
[    1.068000] usb usb2: Product: Generic Platform OHCI Controller
[    1.076000] usb usb2: Manufacturer: Linux 3.10.14y ohci_hcd
[    1.080000] usb usb2: SerialNumber: ohci-platform
[    1.088000] hub 2-0:1.0: USB hub found
[    1.092000] hub 2-0:1.0: 1 port detected
[    1.096000] usbcore: registered new interface driver usb-storage
[    1.104000] usbcore: registered new interface driver usbserial
[    1.108000] usbcore: registered new interface driver option
[    1.116000] usbserial: USB Serial support registered for GSM modem (1-port)
[    1.636000] i8042: i8042 controller selftest timeout
[    1.640000] mousedev: PS/2 mouse device common for all mice
[    1.648000] i2c /dev entries driver
[    1.656000] MTK AES Engine Module, HW verson: 04
[    1.660000] AES Engine: register cbc(aes) crypto api
[    1.664000] AES Engine: register ecb(aes) crypto api
[    1.672000] cryptodev: driver 1.9 loaded.
[    1.676000] hidraw: raw HID events driver (C) Jiri Kosina
[    1.684000] usbcore: registered new interface driver usbhid
[    1.688000] usbhid: USB HID core driver
[    1.692000] usbcore: registered new interface driver snd-usb-audio
[    1.700000] oprofile: using mips/24K performance monitoring.
[    1.704000] Mirror/redirect action on
[    1.708000] u32 classifier
[    1.712000]     input device check on
[    1.716000]     Actions configured
[    1.720000] Netfilter messages via NETLINK v0.30.
[    1.724000] nf_conntrack version 0.5.0 (1901 buckets, 7604 max)
[    1.732000] xt_time: kernel timezone is -0000
[    1.736000] ip_tables: (C) 2000-2006 Netfilter Core Team
[    1.740000] Type=Linux
[    1.744000] TCP: cubic registered
[    1.748000] NET: Registered protocol family 10
[    1.752000] sit: IPv6 over IPv4 tunneling driver
[    1.760000] NET: Registered protocol family 17
[    1.764000] l2tp_core: L2TP core driver, V2.0
[    1.768000] l2tp_ppp: PPPoL2TP kernel driver, V2.0
[    1.772000] 8021q: 802.1Q VLAN Support v1.8
[    1.780000] registered taskstats version 1
[    1.784000] ALSA device list:
[    1.788000]   No soundcards found.
[    1.792000] VFS: Mounted root (squashfs filesystem) readonly on device 31:5.
[    1.804000] Freeing unused kernel memory: 212K (8078b000 - 807c0000)
init started: BusyBox v1.12.1 (2019-06-20 20:54:48 CST)
setrlimit(RLIMIT_CORE, &limit); 
starting pid 440, tty '': '/etc_ro/rcS'
[    2.816000] Algorithmics/MIPS FPU Emulator v1.5
mount: no /etc/mtab
mount: no /etc/mtab
mount: no /etc/mtab
mount: mounting none on /dev/pts failed: No such file or directory
mount: mounting none on /proc/bus/usb failed: No such file or directory
mknod: /dev/pts/0: Operation not permitted
mknod: /dev/pts/1: Operation not permitted
mknod: /dev/pts/2: Operation not permitted
mknod: /dev/pts/3: Operation not permitted
Welcome to
--------------------------------------------------------

OCEANWING

--------------------------------------------------------



[    3.624000] +++++++ crc of index:1. read crc: 0xE4F703B2, len:16380. 
[    3.636000] +++++++ crc of index:2. read crc: 0x775248EC, len:8188. 
[    3.644000] +++++++ crc of index:3. read crc: 0xE1174F33, len:8188. 
[    3.656000] bad crc of index:4. name:cert, calc_crc:0x6E909C7C, read crc: 0xFFFFFFFF, len:4092. 
[    3.668000] bad crc of index:5. name:ocean, calc_crc:0x6E909C7C, read crc: 0xFFFFFFFF, len:4092. 
fopen: No such file or directory
Init gpio in init_system.sh
work_mode:normal_mode, def_mode:
In normal mode.
[    5.016000] usb 1-1: new high-speed USB device number 2 using ehci-platform
[    5.216000] usb 1-1: New USB device found, idVendor=05e3, idProduct=0608
[    5.224000] usb 1-1: New USB device strings: Mfr=0, Product=1, SerialNumber=0
[    5.232000] usb 1-1: Product: USB2.0 Hub
nvram is OK
[    5.256000] hub 1-1:1.0: USB hub found
[    5.260000] hub 1-1:1.0: 4 ports detected
[    5.332000] @@@@@ crc of index:1. calc_crc:0x9FCA785F. len:16380. 
[    6.224000] usb 1-1.2: new full-speed USB device number 3 using ehci-platform
[    6.292000] @@@@@ crc of index:1. calc_crc:0xC6F63563. len:16380. 
[    6.356000] usb 1-1.2: New USB device found, idVendor=0d8c, idProduct=0014
[    6.364000] usb 1-1.2: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[    6.372000] usb 1-1.2: Product: USB Audio Device
[    6.376000] usb 1-1.2: Manufacturer: C-Media Electronics Inc.
[    6.384000] ALSA sound/usb/stream.c:687 3:1:1: add audio endpoint 0x1
[    6.392000] ALSA sound/usb/stream.c:687 3:2:1: add audio endpoint 0x82
[    6.400000] ALSA sound/usb/mixer.c:1311 [13] FU [Mic Playback Switch] ch = 1, val = 0/1/1
[    6.412000] ALSA sound/usb/mixer.c:474 cannot set ctl value: req = 0x4, wValue = 0x200, wIndex = 0xd00, type = 4, data = 0x80/0x0
[    6.424000] ALSA sound/usb/mixer.c:1311 [13] FU [Mic Playback Volume] ch = 1, val = -5888/2048/256
[    6.432000] ALSA sound/usb/mixer.c:1311 [9] FU [Speaker Playback Switch] ch = 1, val = 0/1/1
[    6.444000] ALSA sound/usb/mixer.c:474 cannot set ctl value: req = 0x4, wValue = 0x201, wIndex = 0x900, type = 4, data = 0x80/0x0
[    6.460000] ALSA sound/usb/mixer.c:1311 [9] FU [Speaker Playback Volume] ch = 2, val = -9472/0/256
[    6.468000] ALSA sound/usb/mixer.c:1311 [10] FU [Mic Capture Switch] ch = 1, val = 0/1/1
[    6.480000] ALSA sound/usb/mixer.c:474 cannot set ctl value: req = 0x4, wValue = 0x200, wIndex = 0xa00, type = 4, data = 0x80/0x0
[    6.492000] ALSA sound/usb/mixer.c:1311 [10] FU [Mic Capture Volume] ch = 1, val = -3072/5888/256
[    6.500000] ALSA sound/usb/mixer.c:1311 [10] FU [Auto Gain Control] ch = 1, val = 0/1/1
[    6.520000] input: C-Media Electronics Inc. USB Audio Device as /devices/platform/ehci-platform/usb1/1-1/1-1.2/1-1.2:1.3/input/input0
[    6.532000] hid-generic 0003:0D8C:0014.0001: input,hidraw0: USB HID v1.00 Device [C-Media Electronics Inc. USB Audio Device] on usb-ehci-platform-1.2/input3
[    8.456000] TX_BCN DESC a7f2b000 size = 320
[    8.460000] RX[0] DESC a7f2d000 size = 3584
[    8.468000] RX[1] DESC a7f2e000 size = 1024
[    8.480000] E2pAccessMode=0
[    8.480000] found CountryRegion:0, by US.
[    8.484000] mt7628_set_ed_cca: TURN OFF EDCCA  mac 0x10618 = 0xd7083f0f, EDCCA_Status=0
[    8.496000] cfg_mode=9
[    8.496000] cfg_mode=9
[    8.500000] wmode_band_equal(): Band Equal!
[    8.504000] AndesSendCmdMsg: Could not send in band command due to diable fRTMP_ADAPTER_MCU_SEND_IN_BAND_CMD
[    8.516000] APSDCapable[0]=0
[    8.520000] APSDCapable[1]=0
[    8.524000] APSDCapable[2]=0
[    8.528000] APSDCapable[3]=0
[    8.528000] APSDCapable[4]=0
[    8.532000] APSDCapable[5]=0
[    8.536000] APSDCapable[6]=0
[    8.540000] APSDCapable[7]=0
[    8.540000] APSDCapable[8]=0
[    8.544000] APSDCapable[9]=0
[    8.548000] APSDCapable[10]=0
[    8.548000] APSDCapable[11]=0
[    8.552000] APSDCapable[12]=0
[    8.556000] APSDCapable[13]=0
[    8.560000] APSDCapable[14]=0
[    8.560000] APSDCapable[15]=0
[    8.564000] default ApCliAPSDCapable[0]=0
[    9.032000] Key1Str is Invalid key length(0) or Type(0)
[    9.036000] Key1Str is Invalid key length(0) or Type(0)
[    9.044000] Key2Str is Invalid key length(0) or Type(0)
[    9.048000] Key2Str is Invalid key length(0) or Type(0)
[    9.056000] Key3Str is Invalid key length(0) or Type(0)
[    9.060000] Key3Str is Invalid key length(0) or Type(0)
[    9.064000] Key4Str is Invalid key length(0) or Type(0)
[    9.072000] Key4Str is Invalid key length(0) or Type(0)
[    9.128000] RTMPSetDefaultChannel() : default channel to 1 
[    9.136000] load fw image from fw_header_image
[    9.140000] AndesMTLoadFwMethod1(2182)::pChipCap->fw_len(63888)
[    9.144000] FW Version:20151201
[    9.148000] FW Build Date:20151201183641
[    9.152000] CmdAddressLenReq:(ret = 0)
[    9.156000] CmdFwStartReq: override = 1, address = 1048576
[    9.164000] CmdStartDLRsp: WiFI FW Download Success
[    9.168000] MtAsicDMASchedulerInit(): DMA Scheduler Mode=0(LMAC)
[    9.176000] efuse_probe: efuse = 10000012
[    9.180000] RtmpChipOpsEepromHook::e2p_type=0, inf_Type=4
[    9.184000] RtmpEepromGetDefault::e2p_dafault=2
[    9.188000] RtmpChipOpsEepromHook: E2P type(2), E2pAccessMode = 2, E2P default = 2
[    9.196000] NVM is FLASH mode
[    9.200000] 1. Phy Mode = 14
[    9.360000] Country Region from e2p = ffff
[    9.364000] tssi_1_target_pwr_g_band = 46
[    9.368000] 2. Phy Mode = 14
[    9.372000] 3. Phy Mode = 14
[    9.376000] NICInitPwrPinCfg(11): Not support for HIF_MT yet!
[    9.380000] NICInitializeAsic(651): Not support rtmp_mac_sys_reset () for HIF_MT yet!
[    9.388000] mt_mac_init()-->
[    9.392000] MtAsicInitMac()-->
[    9.396000] mt7628_init_mac_cr()-->
[    9.400000] MtAsicSetMacMaxLen(1275): Set the Max RxPktLen=1024!
[    9.404000] <--mt_mac_init()
[    9.408000] WTBL Segment 1 info:
[    9.412000] MemBaseAddr/FID:0x28000/0
[    9.416000] EntrySize/Cnt:32/128
[    9.420000] WTBL Segment 2 info:
[    9.420000] MemBaseAddr/FID:0x40000/0
[    9.424000] EntrySize/Cnt:64/128
[    9.428000] WTBL Segment 3 info:
[    9.432000] MemBaseAddr/FID:0x42000/64
[    9.436000] EntrySize/Cnt:64/128
[    9.440000] WTBL Segment 4 info:
[    9.444000] MemBaseAddr/FID:0x44000/128
[    9.448000] EntrySize/Cnt:32/128
[    9.452000] AntCfgInit(2940): Not support for HIF_MT yet!
[    9.456000] CountryCode(2.4G/5G)=0/7, RFIC=23, PHY mode=14, support 11 channels
[    9.464000] MCS Set = ff ff 00 00 01
[    9.468000] MtAsicSetChBusyStat(860): Not support for HIF_MT yet!
[   10.076000] CmdSlotTimeSet:(ret = 0)
[   11.680000] SYNC - BBP R4 to 20MHz.l
[   11.984000] SYNC - BBP R4 to 20MHz.l
[   12.288000] SYNC - BBP R4 to 20MHz.l
[   12.592000] SYNC - BBP R4 to 20MHz.l
[   12.896000] SYNC - BBP R4 to 20MHz.l
[   13.200000] SYNC - BBP R4 to 20MHz.l
[   13.504000] SYNC - BBP R4 to 20MHz.l
[   13.808000] SYNC - BBP R4 to 20MHz.l
[   14.112000] [PMF]ap_pmf_init:: apidx=0, MFPC=0, MFPR=0, SHA256=0
[   14.116000] [PMF]RTMPMakeRsnIeCap: RSNIE Capability MFPC=0, MFPR=0
[   14.124000] [PMF]ap_pmf_init:: apidx=1, MFPC=0, MFPR=0, SHA256=0
[   14.128000] [PMF]RTMPMakeRsnIeCap: RSNIE Capability MFPC=0, MFPR=0
[   14.136000] MtAsicSetRalinkBurstMode(3050): Not support for HIF_MT yet!
[   14.140000] MtAsicSetPiggyBack(795): Not support for HIF_MT yet!
[   14.164000] reload DPD from flash , 0x9F = [c600] doReload bit7[0]
[   14.172000] CmdLoadDPDDataFromFlash: Channel = 1, DoReload = 0
[   14.176000] MtAsicSetTxPreamble(3029): Not support for HIF_MT yet!
[   14.188000] MtAsicAddSharedKeyEntry(1342): Not support for HIF_MT yet!
[   14.200000] MtAsicAddSharedKeyEntry(1342): Not support for HIF_MT yet!
[   14.204000] MtAsicSetPreTbtt(): bss_idx=0, PreTBTT timeout = 0xf0
[   14.212000] Main bssid = 8c:85:80:39:34:f8
[   14.216000] <==== rt28xx_init, Status=0
[   14.224000] @@@ ed_monitor_exit : ===>
[   14.228000] @@@ ed_monitor_exit : <===
[   14.232000] mt7628_set_ed_cca: TURN OFF EDCCA  mac 0x10618 = 0xd7083f0f, EDCCA_Status=0
[   14.240000] WiFi Startup Cost (ra0): 5.784s
[   14.908000] format daemon start,pid:1087
[   14.916000] FFFFFF8C:FFFFFF85:FFFFFF80:36:FFFFFFA5:FFFFFF93
[   14.924000] Raeth v3.1 (Workqueue)
[   14.928000] 
[   14.928000] phy_tx_ring = 0x070b8000, tx_ring = 0xa70b8000
[   14.932000] 
[   14.932000] phy_rx_ring0 = 0x070ba000, rx_ring[0] = 0xa70ba000
[   14.940000] 
[   14.940000] phy_rx_ring0 = 0x070ba000, rx_ring[0] = 0xa70ba000
[   14.964000] GMAC1_MAC_ADRH -- : 0x00008c85
[   14.968000] GMAC1_MAC_ADRL -- : 0x8036a593
[   14.972000] RT305x_ESW: Link Status Changed
board is eufycam2
load mmc driver
[   15.356000] MTK MSDC device init.
[   15.380000] storage is EMMC.
[   15.420000] hw->flags:0x00C2.
[   15.440000] msdc0 -> ================ <- msdc_set_mclk() : L<697> PID<insmod><0x47a>
[   15.448000] msdc0 -> !!! Set<400KHz> Source<48000KHz> -> sclk<400KHz> <- msdc_set_mclk() : L<698> PID<insmod><0x47a>
[   15.456000] msdc0 -> ================ <- msdc_set_mclk() : L<699> PID<insmod><0x47a>
[   15.480000] msdc0 -> XXX CMD<52> MSDC_INT_CMDTMO <- msdc_irq() : L<2478>
[   15.488000] mtk-sd: MediaTek MT6575 MSDC Driver
[   15.500000] msdc0 -> XXX CMD<52> MSDC_INT_CMDTMO <- msdc_irq() : L<2478>
[   15.508000] msdc0 -> XXX CMD<8> MSDC_INT_CMDTMO <- msdc_irq() : L<2478>
[   15.516000] msdc0 -> XXX CMD<5> MSDC_INT_CMDTMO <- msdc_irq() : L<2478>
[   15.524000] msdc0 -> XXX CMD<5> MSDC_INT_CMDTMO <- msdc_irq() : L<2478>
[   15.532000] msdc0 -> XXX CMD<5> MSDC_INT_CMDTMO <- msdc_irq() : L<2478>
[   15.540000] msdc0 -> XXX CMD<5> MSDC_INT_CMDTMO <- msdc_irq() : L<2478>
[   15.548000] msdc0 -> XXX CMD<55> MSDC_INT_CMDTMO <- msdc_irq() : L<2478>
[   15.552000] msdc0 -> XXX CMD<55> MSDC_INT_CMDTMO <- msdc_irq() : L<2478>
[   15.564000] msdc0 -> XXX CMD<55> MSDC_INT_CMDTMO <- msdc_irq() : L<2478>
[   15.572000] msdc0 -> XXX CMD<55> MSDC_INT_CMDTMO <- msdc_irq() : L<2478>
[   15.712000] 1970-01-01 00:00:15 mmc.sh: /dev/mmcblk0p1 not exit. try_count:1, sleep 2
[   15.736000] mmc0: BKOPS_EN bit is not set
[   15.744000] msdc0 -> SD data latch edge<1> <- msdc_ops_set_ios() : L<2261> PID<kworker/u2:2><0x273>
[   15.756000] msdc0 -> ================ <- msdc_set_mclk() : L<697> PID<kworker/u2:2><0x273>
[   15.764000] msdc0 -> !!! Set<48000KHz> Source<48000KHz> -> sclk<48000KHz> <- msdc_set_mclk() : L<698> PID<kworker/u2:2><0x273>
[   15.776000] msdc0 -> ================ <- msdc_set_mclk() : L<699> PID<kworker/u2:2><0x273>
[   15.836000] mmc0: new high speed MMC card at address 0001
[   15.848000] mmcblk0: mmc0:0001 AJTD4R 14.5 GiB 
[   15.852000] mmcblk0boot0: mmc0:0001 AJTD4R partition 1 4.00 MiB
[   15.860000] mmcblk0boot1: mmc0:0001 AJTD4R partition 2 4.00 MiB
[   15.868000]  mmcblk0: p1
[   15.892000]  mmcblk0boot1: unknown partition table
[   15.908000]  mmcblk0boot0: unknown partition table
[   16.192000] 1970-01-01 00:00:16 set sd state to 1
[   16.204000] 1970-01-01 00:00:16 get current_state:0
[   16.280000] 1970-01-01 00:00:16 default state.
[   16.344000] 1970-01-01 00:00:16 add main partition. send signal 35 to proc.
[   16.392000] 1970-01-01 00:00:16 fdisk result show below
[   16.396000] cat: can't open '/var/run/home_sec.pid': No such file or directory
[   16.416000] 
[   16.416000] The number of cylinders for this disk is set to 477120.
[   16.416000] There is nothing wrong with that, but this is larger than 1024,
[   16.416000] and could in certain setups cause problems with:
[   16.416000] 1) software that runs at boot time (e.g., old versions of LILO)
[   16.416000] 2) booting and partitioning software from other OSs
[   16.416000]    (e.g., DOS FDISK, OS/2 FDISK)
[   16.416000] 
[   16.416000] Anker_Part
[   16.480000] 1970-01-01 00:00:16 the proc home_security not run, drop signal 35
[   16.508000] 1970-01-01 00:00:16 fdisk result end
[   16.564000] 1970-01-01 00:00:16 file system is ext4. IS_ANKER_PART=1
[   16.600000] 1970-01-01 00:00:16 get current_state:0
[   16.624000] 1970-01-01 00:00:16 default state.
[   16.708000] 1970-01-01 00:00:16 sd_state_file:1
[   16.744000] 1970-01-01 00:00:16 DISK_LABEL:[Anker_Security]
[   16.780000] 1970-01-01 00:00:16 ANKER_LABEL:Anker_
[   16.808000] 1970-01-01 00:00:16 disk label is Anker_ == Anker_
[   16.844000] 1970-01-01 00:00:16 normal sd card insert. set sd fsm to 1.
[   16.872000] 1970-01-01 00:00:16 current_state:1
[   16.900000] 1970-01-01 00:00:16 g_anker_format_state:1
[   16.924000] 1970-01-01 00:00:16 file system and label is OK. mount it.
add mmcblk0p1, mount it.
[   19.988000] 1970-01-01 00:00:19 ( echo y ) | e2fsck -y /dev/mmcblk0p1
[   20.564000] e2fsck 1.45.4 (23-Sep-2019)
[   20.664000] device ra0 entered promiscuous mode
[   20.704000] AddTxSType: already registered TxSType (PID = 32, Format = 0
[   20.712000] ##### mbss_cr_enable, BssId = 1
[   20.728000] device ra1 entered promiscuous mode
[   21.156000]  1381 eufycame  1256 R    e2fsck -y /dev/mmcblk0p1 
[   22.032000] br0: port 2(ra1) entered forwarding state
[   22.036000] br0: port 2(ra1) entered forwarding state
[   22.040000] br0: port 1(ra0) entered forwarding state
[   22.044000] br0: port 1(ra0) entered forwarding state
[   22.392000]  1381 eufycame  1456 R    e2fsck -y /dev/mmcblk0p1 
[   23.036000] br0: port 2(ra1) entered forwarding state
[   23.044000] br0: port 1(ra0) entered forwarding state
[   23.648000] 1970-01-01 00:00:23 execute e2fsck complete
[   23.700000] 1970-01-01 00:00:23 execute e2fsck cost 2
[   23.804000] Anker_Security was not cleanly unmounted, check forced.
[   23.804000] Pass 1: Checking inodes, blocks, and sizes
[   23.804000] Pass 2: Checking directory structure
[   23.804000] Pass 3: Checking directory connectivity
[   23.804000] Pass 4: Checking reference counts
[   23.804000] Pass 5: Checking group summary information
[   23.804000] Free blocks count wrong (3747256, counted=3747252).
[   23.804000] Fix? yes
[   23.804000] 
[   23.804000] 
[   23.804000] Anker_Security: ***** FILE SYSTEM WAS MODIFIED *****
[   23.804000] Anker_Security: 19/954720 files (21.1% non-contiguous), 69706/3816958 blocks
[   23.948000] 1970-01-01 00:00:23 e2fsck_err is
[   24.064000] EXT4-fs (mmcblk0p1): mounted filesystem without journal. Opts: (null)
[   25.160000] @@@@@ crc of index:1. calc_crc:0xC6F63563. len:16380. 
[   26.128000] 1970-01-01 00:00:26 Add /media/mmcblk0p1
[   26.284000] 1970-01-01 00:00:26 check_tfcard_rw result: 0
[   26.348000] cat: can't open '/var/run/home_sec.pid': No such file or directory
[   26.376000] cat: can't open '/var/run/collector.pid': No such file or directory
[   26.440000] 1970-01-01 00:00:26 the proc mips_collector not run, drop signal 37
[   26.544000] 1970-01-01 00:00:26 the proc home_security not run, drop signal 37
[   27.512000] Set_ed_chk_proc()::ed_chk=0
[   27.516000] mt7628_set_ed_cca: TURN OFF EDCCA  mac 0x10618 = 0xd7083f0f, EDCCA_Status=0
set gpio 19 to low to turn off alarm led.
setrlimit(RLIMIT_CORE, &limit); 
starting pid 5290, tty '/dev/ttyS1': '/bin/login'
Oceanwing login: [   28.784000] AddTxSType: already registered TxSType (PID = 32, Format = 0
[   28.792000] br0: port 2(ra1) entered disabled state
[   29.128000] cfg_mode=6
[   29.128000] wmode_band_equal(): Band Equal!
[   29.136000] CountryCode(2.4G/5G)=0/7, RFIC=23, PHY mode=8, support 11 channels
[   29.140000] AddTxSType: already registered TxSType (PID = 32, Format = 0
[   29.156000] ==>SetSCSEnable_Proc (ON)
[   29.240000] cfg_mode=6
[   29.244000] wmode_band_equal(): Band Equal!
[   29.248000] CountryCode(2.4G/5G)=0/7, RFIC=23, PHY mode=8, support 11 channels
[   29.256000] AddTxSType: already registered TxSType (PID = 32, Format = 0
[   29.268000] ==>SetSCSEnable_Proc (ON)
[   29.280000] Set_ed_chk_proc()::ed_chk=0
[   29.284000] mt7628_set_ed_cca: TURN OFF EDCCA  mac 0x10618 = 0xd7083f0f, EDCCA_Status=0
[   31.404000]  arg:1.- cpu_to_le32:1 
[   31.408000] set g_PA_ctrl_by_AI = 1 
normal.sh current_year:1970
normal.sh fail to get system time. ignore ...
[   50.488000] ####Set_SignalUserPid_Proc,5897

Login timed out process '/bin/login' (pid 5290) exited. Scheduling for restart.
setrlimit(RLIMIT_CORE, &limit); 
starting pid 6382, tty '/dev/ttyS1': '/bin/login'
Oceanwing login: 

You can interrupt U-Boot by hitting a menu option right away.  Note that the bootargs environment variable is ignored by the kernel.  If you hit "u", you get a recovery image with busybox. 

Note the flash partition info from the logs above:

[    0.472000] Creating 12 MTD partitions on "raspi":
[    0.480000] 0x000000000000-0x000002000000 : "ALL"
[    0.484000] 0x000000000000-0x000000030000 : "Bootloader"
[    0.492000] 0x000000030000-0x000000040000 : "Config"
[    0.500000] 0x000000040000-0x000000050000 : "Factory"
[    0.504000] 0x000000050000-0x0000002e02cd : "Kernel"
[    0.512000] mtd: partition "Kernel" doesn't end on an erase block -- force read-only
[    0.520000] 0x0000002e02cd-0x000000e50000 : "RootFS"
[    0.524000] mtd: partition "RootFS" doesn't start on an erase block boundary -- force read-only
[    0.536000] 0x000000050000-0x000000e50000 : "Kernel_RootFS"
[    0.544000] 0x000000e50000-0x000000e60000 : "device_info"
[    0.552000] 0x000000e60000-0x000000e70000 : "ocean_custom"
[    0.560000] 0x000000e70000-0x000000f40000 : "Kernel2"
[    0.564000] 0x000000f40000-0x000001440000 : "RootFS2"
[    0.572000] 0x000001440000-0x000002000000 : "user_fs_jffs2"
[    0.580000] Creating 1 MTD partitions on "raspi2":
[    0.584000] 0x000000000000-0x000002000000 : "spi2"

My HomeBase 2 is factory pristine -- never been online to phone home and get firmware updates.

The 32MB spi2 partition was empty on my device.

There's a watchdog timer somewhere that makes life annoying.  At the U-Boot command prompt you've only got 15 seconds before it reboots.  But then about every third or fourth time it'll give you a full minute.  I found a stopwatch handy for being ready to catch the 1 second window after the reboot to choose a menu option and avoid the default boot path.

If you drop to the recovery mode busybox the watchdog resets every 60 seconds, but if you manage to hit "u" again about three times in a row, the watchdog goes to an hour and you'll actually have some time to get things done.

I managed to brick my device, unfortunately, I think by foolishly trying to mount the mtdblock partitions in recovery mode (and not even using -o ro).  But before that I spent several days and hundreds of successful reboots.

The ethernet port is live in recovery mode, so you can telnet in and tftp files in and out.  Username: admin, password: admin.  Alas, although you get a login: prompt during the default boot process, that username/password doesn't work in that mode.

My biggest disappointment is not being able to mount the filesystems in the flash.  binwalk shows tons of "xz compressed data":

$ binwalk mtd0 |head

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
83600         0x14690         U-Boot version string, "U-Boot 1.1.3 (Nov  6 2018 - 17:19:03)"
327680        0x50000         uImage header, header size: 64 bytes, header CRC: 0xD3931108, created: 2020-05-09 09:54:47, image size: 13185677 bytes, Data Address: 0x80000000, Entry Point: 0x805E9280, data CRC: 0x62435970, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: "Linux Kernel Image"
327744        0x50040         LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 8125672 bytes
3015469       0x2E032D        xz compressed data
3064741       0x2EC3A5        xz compressed data
3112893       0x2F7FBD        xz compressed data
3164133       0x3047E5        xz compressed data
...

$ binwalk mtd0 |grep -v xz

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
83600         0x14690         U-Boot version string, "U-Boot 1.1.3 (Nov  6 2018 - 17:19:03)"
327680        0x50000         uImage header, header size: 64 bytes, header CRC: 0xD3931108, created: 2020-05-09 09:54:47, image size: 13185677 bytes, Data Address: 0x80000000, Entry Point: 0x805E9280, data CRC: 0x62435970, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: "Linux Kernel Image"
327744        0x50040         LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 8125672 bytes
15138816      0xE70000        uImage header, header size: 64 bytes, header CRC: 0xC169B1AA, created: 2019-08-14 07:20:06, image size: 3431736 bytes, Data Address: 0x80000000, Entry Point: 0x802E0540, data CRC: 0xA1E70F6B, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: "Linux Kernel Image"
15138880      0xE70040        LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 6187252 bytes

21233664      0x1440000       JFFS2 filesystem, little endian

I did manage to mount the JFFS2 at the bottom using mtd_ram and mtdblock, but it just has a few random files, not the root filesystems I was looking for.  

Here's the contents of mtd0, which appears to subsume all the other partitions: https://anonymousfiles.io/Ve9y3cL4/

Here are the scripts from /sbin/ in the recovery image: https://anonymousfiles.io/NifBHDsO/

And here are the etc files from the recovery image: https://anonymousfiles.io/q9T5w46A/

2 comments:

  1. I wonder if I can remove the EMMC chip and replace with a larger capacity one. Has anyone tried this?

    ReplyDelete
  2. Is there any usb connection? I go the Eufy Floodlight thinking the same thing and I am working to take it apart like you are here. On the floodlight there is a hidden USB plug but it doesn't result in any USB connection when used.Only a "Cannot enable. Maybe the USB cable is bad" message.

    ReplyDelete