This looks like one of the most easily moddable/hackable boxes I have ever seen. It is sold by a UK company Maplin and is called a "Maplin Game Capture HD" .
(Sorry in order to get through the new user limitation on posting links I have had to horribly mangle my links)
world wide web dot maplin dot co dot uk /p/maplin-game-capture-hd-a84qu
It is a (cheap) HDMI capture box up to 1080p that has three modes capture to SD card, stream to network and capture to PC via USB. For game play, but can capture any HDMI input (non-HDCP).
The reason it's potentially easily moddable is that a telnet to port 23 in network mode gives you a root shell on it straight away. With a fully writeable root file system.
So far I have used this to start an FTP daemon that lets me FTP files straight from the SD Card though the NIC is a bit slow. Stole the command from their /plbin/start_ftpd.sh file and run "tcpsvd -vE 0.0.0.0 21 ftpd -w /".
There is a also a web interface for debug, that can be started with cd /plbin; ./test_web.sh. I may have had to set the WEBPAGE_LANGUAGE to "en" in nvram, to allow it to start. "/bin/plnvram wr WEBPAGE_LANGUAGE en"
The admin password for the web interface is just blank.
Very interestingly, if you use their app to display the streamed content from this device it allows you to see HDCP content, just not record it. I have so far had no need to look into this.
Lots of other functionality looks just commented out in the configs.
The web interface tells me this device is actually a SIGMA-PL330B,
world wide web marketwired dot com /press-release/sigma-designs-introduces-new-hd-video-encoder-technology-1518168.htm
And may well be the same (or a repackaged) version of this box
world wide web dot maxmediatek dot com pd-page/MM_V.htm
HS602 as they seem to use the same app to display the stream.
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
Here it is!
Your LINK
Ebay LINK
.
Did you come across anything that allowed you to record using software other than VivaStation?
I didn't but I haven't looked to hard, as recording to SD card was all I needed.
Hi - I've been looking for a way to start the streaming on this box by command line when logged into the box via telnet, but no real luck.
joemensor said:
Hi - I've been looking for a way to start the streaming on this box by command line when logged into the box via telnet, but no real luck.
Click to expand...
Click to collapse
I bought this from Maplin, but had to return the first one for a refund as I could not get the software to install on W10 (even with .net 3.5 installed), just kept throwing an error in Chinese! After looking online for replacements that do the same thing, costing between £80-250 (even the used ones, granted they do proper 1080 over Ethernet), I decided in the end to buy the box again, but from ebay...
This time I did manage to get the ShareView software installed on another machine after I spent a day installing windows 7 on it (it's an old machine + 235 updates!)..
Anyway, the commands the shareview software sends (via telnet) to get it to stream over ethernet seem quite straightforward..
First it "uploads" a config file with the contents..
Code:
SystemControl-StreamType ts
SystemControl-StreamData video+audio
SystemControl-Profile extended
SystemControl-Level 4
SysFunction-Function encode
SysFunction-Video h264
SysFunction-Audio audio
PictureResolution-InPicWidth 1920
PictureResolution-InPicHeight 1080
OutPictureResolution-OutPicWidth 640
OutPictureResolution-OutPicHeight 480
SystemControl-XferMode frame
SystemControl-SpsrFreq 1
SystemControl-FFMode frame
SystemControl-VMode cavlc
RateControl-Vbr 0
RateControl-Mode viu
RateControl-AvgBitRate 3000
VbrBitRate-MinBitRate 4285
VbrBitRate-MaxBitRate 3600
GopLoopFilter-IntraPeriod 30
GopLoopFilter-BNum 0
GopLoopFilter-Idr close
InputControl-ScanFormat progressive
InputControl-SrcMode hdmi
InputControl-SyncMode 0
InputControl-DataType raw
InputControl-InFrameRate 60
InputControl-OutFrameRate 30
InputControl-Fmt progressive
InputControl-CkEdge positive
DeInterlace-mode none
FilterControl-StartPixel 0
FilterControl-StartLine 0
SysLink-VideoInput viu
SysLink-VideoOutput host
SysLink-AudioInput aiu
SysLink-AudioOutput host
AudioControlParam-AudioType aac
AudioControlParam-SampleRate 48k
AudioControlParam-ChNum 2
AudioControlParam-LrclkI high
AudioControlEx-AacVer mpeg2
AudioControlEx-HType adts
AudioControlEx-CutoffFreq 18000
AudioControlEx-TNS 1
AudioControlEx-IS 1
AudioControlEx-PNS 1
AudioControlEx-MS 1
to /plbin/hs_enc_ts.cfg
And then launches the following command, three times, not sure why but it does., because when I run it, it only needs to be ran once..
Code:
/plbin/plstrm enc config /plbin/hs_enc_ts.cfg oudp <IP ADDRESS> oport 8085 reduceprintf nouserinput
That's all I know for now, will update if I find anything new to report =D
Hi mpmc - I think it does more than just uploads that file and runs the plstrm executable. Somehow it also passes the stream settings too. I feel I am getting somewhere, but still not able to kick off the streaming via the command line.
joemensor said:
Hi mpmc - I think it does more than just uploads that file and runs the plstrm executable. Somehow it also passes the stream settings too. I feel I am getting somewhere, but still not able to kick off the streaming via the command line.
Click to expand...
Click to collapse
Sorry for such a late reply.
I'm guessing by stream settings you mean the settings that upload to places like youtube? If so, I'm not sure myself as I don't need it for that function, but I will have a go & see if I can figure it out, but hopefully somebody has already worked it out by now.
Sorry for necroposting, but this thread hid me right on the spot. I got this box (in the form of Startech's overpriced variant), mainly for its standalone streaming to RTMP, but also as it has SD recording and HDMI capture (which I needed exactly, and nothing else).
The 720P streaming is horrible - bad codec settings (bitrates and gop probably), which means that 720P looks like 320x240 upscaled. So I opened the box to find a board number, so maybe some hack would pop up.. But telnet? - This is golden
Before I start reverse engineering (I don't really have any experience with telnet or *nix based stuff), maybe someone here worked out the details and would like to share?
TLDR. How do I set up the streaming codec settings via telnet and make them stick?
adomas said:
Sorry for necroposting, but this thread hid me right on the spot. I got this box (in the form of Startech's overpriced variant), mainly for its standalone streaming to RTMP, but also as it has SD recording and HDMI capture (which I needed exactly, and nothing else).
The 720P streaming is horrible - bad codec settings (bitrates and gop probably), which means that 720P looks like 320x240 upscaled. So I opened the box to find a board number, so maybe some hack would pop up.. But telnet? - This is golden
Before I start reverse engineering (I don't really have any experience with telnet or *nix based stuff), maybe someone here worked out the details and would like to share?
TLDR. How do I set up the streaming codec settings via telnet and make them stick?
Click to expand...
Click to collapse
Glad I'm not the only one still playing with this box.
I did have a go at working out the protocol used between the box and the software, I got as far as understanding how they find each other. The software makes a UDP broadcast to 255.255.255.255 on port 8086 with the message "HS602". The box then sends a UDP message ("YES") back, direct to the caller on the same port. The box then opens tcp port 8087 to which the software connects & they converse..
Sample of their conversation goes like this..
Client to box..
Code:
00000000 38 01 af 00 8c e0 af 00 68 54 d1 6b ff ff ff 8....... hT.k...
0000000F 32 01 af 00 00 00 00 00 50 df af 00 8c e0 af 2....... P......
0000001E 01 00 03 00 4c d5 af 00 8c e0 af 00 68 54 d1 ....L... ....hT.
0000002D 32 01 db 02 7c df af 00 3e ee 73 6a 00 00 00 2...|... >.sj...
0000003C 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
0000004B 0f 01 00 00 f0 e6 af 00 bc e8 af 00 68 54 d1 ........ ....hT.
0000005A 04 01 00 00 0c e7 af 00 bc e8 af 00 68 54 d1 ........ ....hT.
00000069 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
00000078 0f 01 ec 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
00000087 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
00000096 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
000000A5 0f 01 ee 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
000000B4 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
000000C3 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
000000D2 0f 01 ef 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
000000E1 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
000000F0 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
000000FF 0f 01 f0 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
0000010E 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
0000011D 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
0000012C 0f 01 f2 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
0000013B 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
0000014A 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
00000159 0f 01 f3 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
00000168 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
00000177 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
00000186 0f 01 f4 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
00000195 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
000001A4 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
000001B3 0f 01 f5 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
000001C2 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
000001D1 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
000001E0 0f 01 f6 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
000001EF 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
000001FE 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
0000020D 0f 01 f7 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
0000021C 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
0000022B 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
0000023A 0f 01 f8 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
00000249 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
00000258 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
00000267 0f 01 f9 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
00000276 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
00000285 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
00000294 0f 01 fa 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
000002A3 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
000002B2 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
000002C1 0f 01 fb 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
000002D0 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
000002DF 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
000002EE 0f 01 fe 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
000002FD 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
0000030C 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
0000031B 0f 01 ff 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
0000032A 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
00000339 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
00000348 0f 01 00 03 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
00000357 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
00000366 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
00000375 0f 01 01 03 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
00000384 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
00000393 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
000003A2 0f 01 02 03 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
000003B1 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
000003C0 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
000003CF 0f 01 03 03 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
000003DE 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
000003ED 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
000003FC 0f 01 ec 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
0000040B 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
0000041A 32 01 d9 02 b8 f0 e6 02 48 e7 af 00 4f e7 74 2....... H...O.t
00000429 0f 01 ed 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
00000438 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
00000447 32 01 d9 02 b8 f0 e6 02 48 e7 af 00 4f e7 74 2....... H...O.t
00000456 0f 01 ee 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
box to client
Code:
00000000 38 01 af 00 8c e0 af 00 68 54 d1 6b ff ff ff 8....... hT.k...
0000000F 01 01 af 00 00 00 00 00 50 df af 00 8c e0 af ........ P......
0000001E 01 00 03 1b 4c d5 af 00 8c e0 af 00 68 54 d1 ....L... ....hT.
0000002D 01 01 db 02 7c df af 00 3e ee 73 6a 00 00 00 ....|... >.sj...
0000003C 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
0000004B 00 01 00 00 f0 e6 af 00 bc e8 af 00 68 54 d1 ........ ....hT.
0000005A 1b 01 00 00 0c e7 af 00 bc e8 af 00 68 54 d1 ........ ....hT.
00000069 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
00000078 00 01 ec 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
00000087 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
00000096 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
000000A5 00 01 ee 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
000000B4 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
000000C3 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
000000D2 00 01 ef 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
000000E1 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
000000F0 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
000000FF 00 01 f0 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
0000010E 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
0000011D 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
0000012C 00 01 f2 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
0000013B 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
0000014A 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
00000159 00 01 f3 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
00000168 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
00000177 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
00000186 00 01 f4 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
00000195 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
000001A4 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
000001B3 00 01 f5 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
000001C2 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
000001D1 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
000001E0 00 01 f6 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
000001EF 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
000001FE 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
0000020D 00 01 f7 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
0000021C 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
0000022B 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
0000023A 00 01 f8 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
00000249 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
00000258 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
00000267 00 01 f9 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
00000276 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
00000285 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
00000294 00 01 fa 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
000002A3 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
000002B2 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
000002C1 00 01 fb 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
000002D0 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
000002DF 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
000002EE 00 01 fe 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
000002FD 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
0000030C 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
0000031B 00 01 ff 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
0000032A 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
00000339 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
00000348 00 01 00 03 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
00000357 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
00000366 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
00000375 00 01 01 03 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
00000384 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
00000393 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
000003A2 00 01 02 03 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
000003B1 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
000003C0 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
000003CF 00 01 03 03 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
000003DE 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
000003ED 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
000003FC 00 01 ec 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
0000040B 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
0000041A 01 01 d9 02 b8 f0 e6 02 48 e7 af 00 4f e7 74 ........ H...O.t
00000429 00 01 ed 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
00000438 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
00000447 01 01 d9 02 b8 f0 e6 02 48 e7 af 00 4f e7 74 ........ H...O.t
00000456 00 01 ee 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
I have no clue as to what this is! Hopefully you'll have better luck trying to decode it!
What I found so far, is that when I set up FTP the way OP posted, I can access the whole file system. I have copied it all, and am trying to find where the stream settings are stored. The mentioned cfg file does not exist though. If that works, I'll just make some custom app, that will telnet to open ftp, and upload my settings every time. However I am currently trying to just work out the basics of telnet controlling a linux system. None of the tutorials online help at all, but I found, that I can execute commands that are compiled packages in the operating folder. So far that helped for nothing I found a qzip thing in it, so maybe I will image the filesystem a little more properly than over ftp.
How could I listen the telnet communication between ShareView and the HS602? Btw - both of your pasted pieces are the same - intentional or mistake?
It also seems, that there is a whole settings web interface in plbin\www\, but I don't yet understand how to set up the webserver.
After finally launching the webserver I found that the website is some sample design and while it saves it's settings, they have no relation to the operation of the device. Going back to searching where ShareView puts it's settings and how to change them.
adomas said:
What I found so far, is that when I set up FTP the way OP posted, I can access the whole file system. I have copied it all, and am trying to find where the stream settings are stored. The mentioned cfg file does not exist though. If that works, I'll just make some custom app, that will telnet to open ftp, and upload my settings every time. However I am currently trying to just work out the basics of telnet controlling a linux system. None of the tutorials online help at all, but I found, that I can execute commands that are compiled packages in the operating folder. So far that helped for nothing I found a qzip thing in it, so maybe I will image the filesystem a little more properly than over ftp.
How could I listen the telnet communication between ShareView and the HS602? Btw - both of your pasted pieces are the same - intentional or mistake?
It also seems, that there is a whole settings web interface in plbin\www\, but I don't yet understand how to set up the webserver.
Click to expand...
Click to collapse
The stream settings aren't stored anywhere as far as I can tell, it gets sent to the running plkw binary, which appears to be the "server" for the software. This is what handles the upload to the receiving rtmp server, receiving of the encoder config, etc.
I used Wireshark to intercept the chatter between the software & the box. Yes, I know they're the same, I'm assuming it's just an echo.
I'd actually bricked mine by disabling the auto.sh scripts & ended up with no network. Thankfully mine has serial/uart pins populated & I was able to reverse the changes! Took me a while to figure the pinout (no meter) and why some chars weren't registering (needs parity set to EVEN).
Code:
Pinout starting from back of the SD card slot (Look underneath for the square pin).
[ 1 ][ 2 ][ 3 ][ 4 ]
1 = VCC (5v) - If not powered by usb it'll crash if ethernet is connected shortly after boot.
2 = TX
3 = RX
4 = GND
Will update if I find anything else out.
mpmc said:
The stream settings aren't stored anywhere as far as I can tell
Click to expand...
Click to collapse
The thing is that it does work as the manual says - set it up, and then it can be used standalone, even after a reboot. Some kind of settings seem to be in the binaries plkw, plstrm and quite a few others, stored in plain text (echo texts maybe?)
mpmc said:
Thankfully mine has serial/uart pins populated & I was able to reverse the changes!
Click to expand...
Click to collapse
Good to know. I thought that looked like some JTAG.. Did you go via telnet there as well?
Could you elaborate on how did you find what file and what command it sends over telnet? (The ones mentioned in #6)
Could you elaborate on how did you find what file and what command it sends over telnet? (The ones mentioned in #6)
Click to expand...
Click to collapse
By killing the already running plkw process on the box & running it again, you get to see what it outputs when they talk. That output is from wireshark.
adomas said:
The thing is that it does work as the manual says - set it up, and then it can be used standalone, even after a reboot. Some kind of settings seem to be in the binaries plkw, plstrm and quite a few others, stored in plain text (echo texts maybe?)
Click to expand...
Click to collapse
Yes, it appears that I was wrong, it does in fact store them, it writes them to memory (I'm guessing to the nvram block (see cat /proc/mtd)). I only found this out after watching the plkw binary via serial & by chance running "plnvram list" which makes the running plkw (not plnvram) print out it's current config.
The values set are
Code:
rd = read
/bin # plnvram rd username
username = http://foo.com
/bin # plnvram rd password
password = ONETWO
Good to know. I thought that looked like some JTAG.. Did you go via telnet there as well?
Click to expand...
Click to collapse
I'm not sure what you mean via telnet. you connect the pins to your ttl/uart serial converter (I used this one) & which drops into sh on tty0.
mpmc said:
Yes, it appears that I was wrong, it does in fact store them, it writes them to memory (I'm guessing to the nvram block (see cat /proc/mtd)). I only found this out after watching the plkw binary via serial & by chance running "plnvram list" which makes the running plkw (not plnvram) print out it's current config.
The values set are
Code:
rd = read
/bin # plnvram rd username
username = http://foo.com
/bin # plnvram rd password
password = ONETWO
Click to expand...
Click to collapse
To be fair, I actually don't really understand what you did here exactly. I don't have an uart usb adapter handy to try. But it brought me some (a lot actually) random pieces of understanding
I am unable to make it list out plnvram contents, only rd exact variables. I found a lot of those in plnvram_default.dat, but those appear to be useless. They are the values stored by the web interface and have nothing to do with ShareView settings, or how the box encodes the stream when its button is pressed. What I really want to find, is what variable names are used for ShareView settings (other than password, username, which are the places I can put RTMP link into).
ShareView has two dropboxes "Outputsize" and "bitrate", which I assume generates a quite few lines to plnvram that include exact encoding settings. Could you by any chance find where those fall into?
adomas said:
To be fair, I actually don't really understand what you did here exactly. I don't have an uart usb adapter handy to try. But it brought me some (a lot actually) random pieces of understanding
I am unable to make it list out plnvram contents, only rd exact variables. I found a lot of those in plnvram_default.dat, but those appear to be useless. They are the values stored by the web interface and have nothing to do with ShareView settings, or how the box encodes the stream when its button is pressed. What I really want to find, is what variable names are used for ShareView settings (other than password, username, which are the places I can put RTMP link into).
ShareView has two dropboxes "Outputsize" and "bitrate", which I assume generates a quite few lines to plnvram that include exact encoding settings. Could you by any chance find where those fall into?
Click to expand...
Click to collapse
As I already said , the plkw binary handles communicating with the software & this is what sets everything up, streamurl, streamkey etc, it is also what does the streaming when triggered by the button or software, unfortunately I've yet to figure out how it actually triggers! When the software connects it sends the encode config (creates the hs_enc_ts.cfg file and client.cfg in /plbin). The plkw then launches the plstrm binary three times (no idea why as one is enough from what I've found).
The outputsize & bitrate are set in the hs_enc_ts.cfg.
Code:
RateControl-AvgBitRate 8000
VbrBitRate-MinBitRate 11428
VbrBitRate-MaxBitRate 10400
Boot from serial.
Code:
Boot loader started
QL330-B0 detected
Entered diagnostic mode
Branching to external diagnostic code
Loading boot loader .....................................done
[ 0.000000] Linux version 2.6.35.8-arm1ql300 ([email protected]) (gcc version 4.3.2 (Sourcery G++ Lite 2008q3-72) ) #994 PREEMPT Tue Jul 29 10:58:16 CST 2014 v1.21
[ 0.000000] CPU: ARM926EJ-S [41069265] revision 5 (ARMv5TEJ), cr=00053177
[ 0.000000] CPU: VIVT data cache, VIVT instruction cache
[ 0.000000] Machine: 0xc097f798,QL300-EVB Qpixel Artesa Evaluation Board
[ 0.000000]
[ 0.000000] ******************************************************
[ 0.000000] * pl330_ofc_en : 0
[ 0.000000] * pl330_cmos_reset_en : 0
[ 0.000000] * pl330_devid : 0x03300001
[ 0.000000] * pl330_sdio0_en : 1
[ 0.000000] * pl330_sdio1_en : 0
[ 0.000000] * pl330_gpiogrp1_en : 0
[ 0.000000] * pl330_gpiogrp2_en : 0
[ 0.000000] * pl330_swi2c_en : 1
[ 0.000000] * pl330_local_bus_mutex_type : 1
[ 0.000000] * pl330_eth_en : 1
[ 0.000000] * pl330_frondend_type : 14
[ 0.000000] * pl330_userdata0 : 0
[ 0.000000] * pl330_userdata1 : 1
[ 0.000000] * pl330_userdata2 : 2
[ 0.000000] * pl330_userdata3 : 3
[ 0.000000] * pl330_userdata4 : 4
[ 0.000000] * pl330_userdata5 : 5
[ 0.000000] * pl330_userdata6 : 6
[ 0.000000] * pl330_userdata7 : 7
[ 0.000000] * pl330_userstring0 : SIGMA-PL330B
[ 0.000000] * pl330_userstring1 : C4:01:42:00:86:1F
[ 0.000000] * pl330_userstring2 : userstring2
[ 0.000000] * pl330_userstring3 : userstring3
[ 0.000000] * pl330_userstring4 : userstring4
[ 0.000000] * pl330_userstring5 : userstring5
[ 0.000000] * pl330_userstring6 : userstring6
[ 0.000000] * pl330_userstring7 : userstring7
[ 0.000000] * pl330_mtd_partition : mtdparts=QL300_flash:640K(qcamboot),128K(nvram),5504K(linuxImage),1920K(custblk)
[ 0.000000] * pl330_GPIO_strap : 0x0000ffcf
[ 0.000000] ******************************************************
[ 0.000000]
[ 0.000000] vmalloc area is too big, limiting to 4MB
[ 0.000000] Memory policy: ECC disabled, Data cache writeback
[ 0.000000] Built 1 zonelists in Zone order, mobility grouping on. Total pages: 7366
[ 0.000000] Kernel command line: console=ttyS0 vmalloc=7M [email protected] root=/nodev/rootfs mtdparts=QL300_flash:640K(qcamboot),128K(nvram),7040K(linuxImage),8576K(custblk) mtdparts=QL300_flash:640K(qcamboot),128K(nvram),5504K(linuxImage),1920K(custblk)
[ 0.000000] PID hash table entries: 128 (order: -3, 512 bytes)
[ 0.000000] Dentry cache hash table entries: 4096 (order: 2, 16384 bytes)
[ 0.000000] Inode-cache hash table entries: 2048 (order: 1, 8192 bytes)
[ 0.000000] Memory: 29MB = 29MB total
[ 0.000000] Memory: 19104k/19104k available, 10592k reserved, 0K highmem
[ 0.000000] Virtual kernel memory layout:
[ 0.000000] vector : 0xffff0000 - 0xffff1000 ( 4 kB)
[ 0.000000] fixmap : 0xfff00000 - 0xfffe0000 ( 896 kB)
[ 0.000000] DMA : 0xffc00000 - 0xffe00000 ( 2 MB)
[ 0.000000] vmalloc : 0xc1e00000 - 0xc2400000 ( 6 MB)
[ 0.000000] lowmem : 0xc0000000 - 0xc1d00000 ( 29 MB)
[ 0.000000] modules : 0xbf000000 - 0xc0000000 ( 16 MB)
[ 0.000000] .init : 0xc0008000 - 0xc06fa000 (7112 kB)
[ 0.000000] .text : 0xc06fa000 - 0xc09bb000 (2820 kB)
[ 0.000000] .data : 0xc09d2000 - 0xc09e32a0 ( 69 kB)
[ 0.000000] Hierarchical RCU implementation.
[ 0.000000] RCU-based detection of stalled CPUs is disabled.
[ 0.000000] Verbose stalled-CPUs detection is disabled.
[ 0.000000] NR_IRQS:32
[ 0.000000] console [ttyS0] enabled
[ 0.030000] Calibrating delay loop... 129.84 BogoMIPS (lpj=649216)
[ 0.240000] pid_max: default: 4096 minimum: 301
[ 0.240000] Mount-cache hash table entries: 512
[ 0.250000] CPU: Testing write buffer coherency: ok
[ 0.260000] NET: Registered protocol family 16
[ 0.270000] ql300_init: res=0xc1832740
[ 0.280000]
[ 0.280000] ******************************************************
[ 0.290000] * plgpio_group0_cfg (input/output) : 0x00003000
[ 0.300000] * plgpio_group1_cfg (input only) : 0x0000000f
[ 0.300000] * plgpio_group2_cfg (output only) : 0x0000000e
[ 0.310000] * plgpio_group3_cfg (boot strap input only) : 0x000000c0
[ 0.320000] ******************************************************
[ 0.320000]
[ 0.360000] bio: create slab <bio-0> at 0
[ 0.370000] cfg80211: Calling CRDA to update world regulatory domain
[ 0.390000] NET: Registered protocol family 2
[ 0.390000] IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
[ 0.400000] TCP established hash table entries: 1024 (order: 1, 8192 bytes)
[ 0.410000] TCP bind hash table entries: 1024 (order: 0, 4096 bytes)
[ 0.420000] TCP: Hash tables configured (established 1024 bind 1024)
[ 0.430000] TCP reno registered
[ 0.430000] NET: Registered protocol family 1
[ 0.440000] RPC: Registered udp transport module.
[ 0.450000] RPC: Registered tcp transport module.
[ 0.450000] RPC: Registered tcp NFSv4.1 backchannel transport module.
[ 0.710000] Loading and setting up QPSOS ...
MAIN FIRMWARE
QPSOS shell
Type 'help' for help
[ 0.730000] Loading and setting up PL330 GPIO ...
[ 0.740000] Loading and setting up PL330 NVRAM ...
[ 0.750000] NTFS driver 2.1.29 [Flags: R/W].
[ 0.760000] JFFS2 version 2.2. (NAND) (SUMMARY) © 2001-2006 Red Hat, Inc.
[ 0.770000] msgmni has been set to 37
[ 0.770000] io scheduler noop registered
[ 0.780000] io scheduler deadline registered
[ 0.780000] io scheduler cfq registered (default)
[ 0.810000] ttyS0 at I/O 0xf0000100 (irq = 17) is a builtin QL300 UART
[ 0.820000] nbd: registered device at major 43
[ 0.870000] init_ql_flash_mtd(),CFI=0,part_nums=3
[ 0.880000] m25p80 spi0.0: w25Q64 (8192 Kbytes)
[ 0.880000] 4 cmdlinepart partitions found on MTD device QL300_flash
[ 0.890000] Creating 4 MTD partitions on "QL300_flash":
[ 0.900000] 0x000000000000-0x0000000a0000 : "qcamboot"
[ 0.910000] 0x0000000a0000-0x0000000c0000 : "nvram"
[ 0.920000] 0x0000000c0000-0x000000620000 : "linuxImage"
[ 0.930000] 0x000000620000-0x000000800000 : "custblk"
0h00m00s007: (T)CODEC_Start HCI Thread
0h00m00s007: (T)CODEC_SYS config:10 SW1 isr
0h00m00s007: (T)CODEC_SYS config:1 dynamic mem alloc
0h00m00s007: (T)CODEC_Start M2M Thread
0h00m00s007: (T)CODEC_Start DTM Thread
0h00m00s007: (T)CODEC_Start VDCM Thread
[ 0.950000] Linux video capture interface: v2.00
[ 0.950000] sdhci: Secure Digital Host Controller Interface driver
[ 0.960000] sdhci: Copyright(c) Pierre Ossman
[ 0.970000] TCP cubic registered
[ 0.970000] NET: Registered protocol family 17
[ 0.980000] lib80211: common routines for IEEE802.11 drivers
[ 0.990000] Freeing init memory: 7112K
mounting proc
mounting sys
mounting pts
starting system loggers
vm.min_free_kbytes = 1024
starting status daemon
setup telnetd
plgpiod: 0x03300001
bring up lo interface
bring up sdio module
[ 1.720000] sdio_init: res=0xc0cc7920
[ 1.800000] sdio_init: SDIO-0 enabled
[ 1.810000] mem_log_init: exit
[ 1.870000] plnvram_data_load_mtd: magic(0x82312033)
[ 1.880000] plnvram_data_load_mtd: version_major(1)
[ 1.880000] plnvram_data_load_mtd: version_minor(0)
[ 1.890000] plnvram_data_load_mtd: checksum(0x00000000)
[ 1.890000] plnvram_data_load_mtd: nums(237)
success
mount: mounting /dev/mtdblock3 on /mnt/custblk failed: Invalid argument
[ 3.250000] JFFS2 notice: (201) jffs2_build_xattr_subsystem: complete building xattr subsystem, 0 of xdatum (0 unchecked, 0 orphan) and 0 of xref (0 dead, 0 orphan) found.
bring up codec driver module
[ 3.480000] CDevice_Constructor()-> config to use Dynamic Memory Allocation for FW
[ 3.540000] CQLCodec_InitDevice() config to use internal Video FW
[ 3.550000] CQLCodec_InitDevice() config to use internal Audio FW
[ 4.610000] CComponent_Open AllocTask(0) hTask(0)
[ 4.610000] CComponent_Close ReleaseTask(0) hTask(0)
lookup_video_device_node()-> bus(4) inst(0) hTask(0) type(0)
lookup_video_device_node()-> Got 0:0
[ 4.640000] CComponent_Open AllocTask(0) hTask(0)
SetVideoFrontend()-> val=0
SetVideoFrontend()-> return 0
Working Mode:0,argc:2
Checking:0
[ 4.650000] CComponent_Close ReleaseTask(0) hTask(0)
do_whether_need_eth_driver: 1
bring up ethernet module (Wired)
[ 4.780000] AX88796C: Power saving disabled
[ 5.010000] ASIX AX88796C Fast Ethernet Adapter:v1.4.0-SDL0.93 16:31:34 Jul 19 2013
[ 5.010000] <6> http://www.asix.com.tw
[ 5.020000] Use random MAC address
[ 5.020000] AX88796C: MAC Address 76-f3-6c-e2-c3-c7
[ 5.040000] eth0: at 0x0 IRQ 4
[ 5.090000] ax88796c_init(): P1_OFFSET0x14=0x0000000f
[ 5.090000] ax88796c_init(): P1_OFFSET0x14=0x0000000e
ifconfig: ath0: error fetching interface information: Device not found
plnetworkchkd: ath0 is not existed or enabled, no need to enable connection backup. exit!
[ 6.870000] eth0: link up, 100Mbps, full-duplex
do_net_init: trying to init eth interface
do_eth_init: trying to load mac address from pl330_userstring1
do_eth_init: trying to use dynamic ip
udhcpc (v1.19.4) started
Setting IP address 0.0.0.0 on eth0
Sending discover...
Sending select for 192.168.1.110...
Lease of 192.168.1.110 obtained, lease time 86400
Setting IP address 192.168.1.110 on eth0
Deleting routers
route: SIOCDELRT: No such process
Adding router 192.168.1.1
Recreating /etc/resolv.conf
Adding DNS server 192.168.1.1
Adding DNS server 0.0.0.0
[ 8.080000] CComponent_Open AllocTask(0) hTask(0)
[ 8.090000] CComponent_Close ReleaseTask(0) hTask(0)
lookup_video_device_node()-> bus(4) inst(0) hTask(0) type(0)
lookup_video_device_node()-> Got 0:0
[ 8.110000] CComponent_Open AllocTask(0) hTask(0)
SetVideoFrontend()-> val=0
SetVideoFrontend()-> return 0
Working Mode:0,argc:1
name flag IP broadcastaddr
eth0 4163 192.168.1.110 192.168.1.255
Src:3,Res:12
recv:48,53,36,30,32
recv:43,6e,1,a8,c0
The client is: 192.168.1.40,2801a8c0
socket:8
Capture
[ 19.970000] CComponent_Open AllocTask(0) hTask(1)
[ 19.980000] CComponent_Close ReleaseTask(0) hTask(1)
lookup_video_device_node()-> bus(4) inst(0) hTask(1) type(0)
lookup_video_device_node()-> Got 0:0
[ 20.000000] CComponent_Open AllocTask(0) hTask(1)
****** Executing script file /plbin/hs_enc_ts.cfg
SystemControl-StreamType = ts
SystemControl-StreamData = video+audio
SystemControl-Profile = extended
SystemControl-Level = 4
SysFunction-Function = encode
SysFunction-Video = h264
SysFunction-Audio = audio
PictureResolution-InPicWidth = 1920
PictureResolution-InPicHeight = 1080
OutPictureResolution-OutPicWidth = 1920
OutPictureResolution-OutPicHeight = 1080
SystemControl-XferMode = frame
SystemControl-SpsrFreq = 1
SystemControl-FFMode = frame
SystemControl-VMode = cavlc
RateControl-Vbr = 0
RateControl-Mode = viu
RateControl-AvgBitRate = 15000
VbrBitRate-MinBitRate = 18000
VbrBitRate-MaxBitRate = 13000
GopLoopFilter-IntraPeriod = 30
GopLoopFilter-BNum = 0
GopLoopFilter-Idr = close
InputControl-ScanFormat = progressive
InputControl-SrcMode = hdmi
InputControl-SyncMode = 0
InputControl-DataType = raw
InputControl-InFrameRate = 60
InputControl-OutFrameRate = 30
InputControl-Fmt = progressive
InputControl-CkEdge = positive
DeInterlace-mode = none
FilterControl-StartPixel = 0
FilterControl-StartLine = 0
SysLink-VideoInput = viu
SysLink-VideoOutput = host
SysLink-AudioInput = aiu
SysLink-AudioOutput = host
AudioControlParam-AudioType = aac
AudioControlParam-SampleRate = 48k
AudioControlParam-ChNum = 2
AudioControlParam-LrclkI = high
AudioControlEx-AacVer = mpeg2
AudioControlEx-HType = adts
AudioControlEx-CutoffFreq = 18000
AudioControlEx-TNS = 1
AudioControlEx-IS = 1
AudioControlEx-PNS = 1
AudioControlEx-MS = 1
ioctl(PLDEV_STRM_IOCTL_PORT_OPEN) component(0) type(0) succeed
0h00m19s609: (T)CODEC_Start MUX Thread (channel 1)
0h00m19s609: (T)CODEC_Start VEN Thread (channel 1)
0h00m19s609: (T)AIO Record enter
acquire(0) hDev(11)
start(0) hDev(11)
0h00m19s722: (T)CODEC_Start VIU Thread (input channel 1)
0h00m19s722: (E)VIU OSD FontsStartAddr 34401500 !
0h00m19s722: (E)VIU OSD TextListStartAddr 34400100 !
0h00m19s722: (E)VIU OSD TimeInfoAddr 34401300 !
0h00m19s724: (E)CODEC_get misc_rate_control interval(80) activity_on/off(0)
0h00m19s724: (E)HCI: chInfo (0x10) phy_in(60) rec_in(30) outrate(30)
0h00m19s728: (E)VIU: (ch 1) (in 1920x1080) (out 1920x1080) (rate =30,30),(buf_num 3)
test_streamout() [
9024 t=20
VI-OSD 0
VI-OSD font_addr(0xd1005400) txtAddr(0xd1000400) timeAddr(0xd1004c00)
0h00m19s803: (E)VIU osd addr 0x34400100 0x34401500 0x34401300)
376 t=22
376 t=24
I've attached a screenshot of how I got the plnvram config to output (COM8 = serial connection).
---
I've also managed to build a test "hello world" binary & have it run on the box, so I might be able to build a better rtmp server. I may have to rely on the plstrm to get the output though :/
Some good news.. I think. I managed to "decompile" the android "Shareview" app source code using javadecompilers.com With any luck I should be able to figure it out!
If you're any good with java (I'm not) download the shareview apk from here: https://apkpure.com/shareview/com.asdfghjkl20203.hs602player/download?from=details.
And upload it to http://www.javadecompilers.com/.
mpmc said:
If you're any good with java
Click to expand...
Click to collapse
I'm also not, but I have a friend who does have some experience. Thanks for the idea.
The variable name thing threw me off, since it makes no sense to me, that it stores "password" and "username" straight to nvram, and the rest go through hs_enc_ts.cfg. I tried to manually change hs_enc_ts.cfg parameters, but they had no effect to the output stream, which is why I assumed, that it sends some other settings.
Could you save the whole putty printout somewhere? It does contain different parameters and variables than those in hs_enc_ts.cfg and plnvram_defaults.dat
Hey everyone. This is not tested but I would like input. On the LG G3, I could flash partitions in fastboot mode which allowed me to change the device from an AS990 to a US990 or LS990. Would it be possible to flash the H918/H830 bin files through the patched LGUP partition DL to change the device type? Again just a brainstorm thread. Please post below.
Reserved
reserved
What could we gain from changing the device type? (Some have incompatible hardware if i'm right)
Also Aren't partitions checked by the bootloader( or kernel i dunno much) for any modification?
Sent from my LG-H860 using Tapatalk
abol_fa said:
What could we gain from changing the device type? (Some have incompatible hardware if i'm right)
Also Aren't partitions checked by the bootloader( or kernel i dunno much) for any modification?
Sent from my LG-H860 using Tapatalk
Click to expand...
Click to collapse
I'm not sure about the hardware but I think the RS998 might be close enough that a custom Rom would run
I'm interested in this. I have a us992 and it's the same hardware than rs998 but I can't root or unlock bootloader. It could be cool if there's a way to change it...
thjubeck said:
Hey everyone. This is not tested but I would like input. On the LG G3, I could flash partitions in fastboot mode which allowed me to change the device from an AS990 to a US990 or LS990. Would it be possible to flash the H918/H830 bin files through the patched LGUP partition DL to change the device type? Again just a brainstorm thread. Please post below.
Click to expand...
Click to collapse
By attaching a debugger to LGUP I found a couple of new commands
INFOSPRO is called 4 times which by reading is setting some sort of properties
SIGN
SIGN is called twice before anything begins to work such as the OPEN or WRTE command and the response should be something like success cmd SIGN
I think this is the missing link as after this all commands are given with 2 kilocent commands then 2 kilometr commands in that order so possibly the SIGN command is important but also the fact that the kilocent command is given twice then the 2 kilometr responses are sent but that's just speculation. Let me know what you guys think
also two other commands that were found are
OPCMCHEK
MISCWRTE
EDIT: I think CHCKCLER is our missing link. Disclaimer I am on the LG G5 but it has the same issue. Also the INFOSPRO may also need to be set [/B]
.
.
Debugged application message: [00:22:968] [T0002856] 49 4E 46 4F 47 50 52 4F 00 00 00 00 00 00 00 00 00 00 00 00 08 0B 00 00 43 D0 00 00 B6 B1 B9 B0 INFOGPRO................C.......
.
Debugged application message: [00:23:062] [R0000032] 49 4E 46 4F 47 50 52 4F 00 00 00 00 00 00 00 00 00 00 00 00 08 0B 00 00 00 00 00 00 B6 B1 B9 B0 INFOGPRO........................
.
Debugged application message: [00:23:062] [T0002856] 49 4E 46 4F 53 50 52 4F 00 00 00 00 00 00 00 00 00 00 00 00 08 0B 00 00 32 CF 00 00 B6 B1 B9 B0 INFOSPRO................2.......
.
Debugged application message: [00:23:187] [R0000032] 49 4E 46 4F 53 50 52 4F 00 00 00 00 00 00 00 00 00 00 00 00 08 0B 00 00 00 00 00 00 B6 B1 B9 B0 INFOSPRO........................
.
Debugged application message: [00:23:187] usb speed is high speed.
.
Debugged application message: [00:23:187] Not Support Fail Safe
.
Debugged application message: [00:23:187] Progress sleep for 1000 9 11
.
Debugged application message: [00:23:203] Set Progress 9
.
Debugged application message: [00:23:703] Set Progress 10
.
Debugged application message: [00:24:203] [T0000032] 43 48 43 4B 43 4C 45 52 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 8C BA 00 00 BC B7 BC B4 CHCKCLER........................
.
Debugged application message: [00:24:203] [R0000032] 43 48 43 4B 43 4C 45 52 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 BC B7 BC B4 CHCKCLER........................
.
Debugged application message: [00:24:203] LAF_CMD_SUB_CLER.
.
Debugged application message: [00:24:203] DATA CHECK SUM ERROR device = 0 tool = 0
.
Debugged application message: [00:24:203] ==============Start Direct Download 2485MB ==============
.
Debugged application message: [00:24:218] umount system (/system)
.
Debugged application message: [00:24:218] [T0000032] 4B 49 4C 4F 43 45 4E 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E3 7B 00 00 B4 B6 B3 B0 KILOCENT.................{......
.
Debugged application message: [00:24:218] [R0000032] 4B 49 4C 4F 43 45 4E 54 90 A9 25 4A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 B4 B6 B3 B0 KILOCENT..%J....................
.
Debugged application message: [00:24:218] [T0000048] 4B 49 4C 4F 4D 45 54 52 00 00 00 00 02 00 00 00 00 00 00 00 10 00 00 00 A3 07 00 00 B4 B6 B3 B0 KILOMETR........................
F4 7C 31 45 4C FF 58 73 0A D6 CB 7D 23 7B F0 17 .|1EL.Xs...}#{..
.
Debugged application message: [00:24:218] [R0000032] 4B 49 4C 4F 4D 45 54 52 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 B4 B6 B3 B0 KILOMETR........................
.
Debugged application message: [00:24:218] [T0000047] 45 58 45 43 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0F 00 00 00 57 EC 00 00 BA A7 BA BC EXEC....................W.......
75 6D 6F 75 6E 74 20 2F 73 79 73 74 65 6D 00 umount./system.
.
Debugged application message: [00:24:234] [R0000032] 45 58 45 43 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0F 00 00 00 00 00 00 00 BA A7 BA BC EXEC............................
.
Debugged application message: [00:24:234] [T0000032] 4B 49 4C 4F 43 45 4E 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E3 7B 00 00 B4 B6 B3 B0 KILOCENT.................{......
.
Debugged application message: [00:24:234] [R0000032] 4B 49 4C 4F 43 45 4E 54 CA DB 0F 21 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 B4 B6 B3 B0 KILOCENT...!....................
.
Debugged application message: [00:24:234] [T0000048] 4B 49 4C 4F 4D 45 54 52 00 00 00 00 02 00 00 00 00 00 00 00 10 00 00 00 6D 6D 00 00 B4 B6 B3 B0 KILOMETR................mm......
CB 74 3A 1A 43 2F 7D F9 DF 11 42 DC 7E 09 0A 8C .t:.C/}...B.....
.
Debugged application message: [00:24:234] [R0000032] 4B 49 4C 4F 4D 45 54 52 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 B4 B6 B3 B0 KILOMETR........................
.
Debugged application message: [00:24:234] [T0000060] 45 58 45 43 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1C 00 00 00 17 2E 00 00 BA A7 BA BC EXEC............................
6D 6F 75 6E 74 20 2D 6F 20 72 65 6D 6F 75 6E 74 2C 72 6F 20 2F 73 79 73 74 65 6D 00 mount.-o.remount,ro./system.
.
Debugged application message: [00:24:234] [R0000032] 45 58 45 43 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 23 00 00 00 00 00 00 00 BA A7 BA BC EXEC................#...........
.
Debugged application message: [00:24:234] /system Unmount Success.
.
Debugged application message: [00:24:234] Erase Partition name : system, sector addr : 0xE886, size(sector count) : 0x120000
thjubeck said:
....
Click to expand...
Click to collapse
It's nice that you're looking into this, there is another guy in the V20 section, @runningnak3d who is also looking into making partition dl work.
BUT.... don't try to flash T-Mobile bootloader on any other variant phone. You will hard brick. T-Mobile uses a different key to sign it's files, and that key is programmed into the read-only-memory of a TMO phone.
Edit: Besides, he is looking into a different way of unlocking, by flashing a modified persistent partition with LGUP I believe.
askermk2000 said:
BUT.... don't try to flash T-Mobile bootloader on any other variant phone. You will hard brick. T-Mobile uses a different key to sign it's files, and that key is programmed into the read-only-memory of a TMO phone.
Click to expand...
Click to collapse
Don't worry I'm not an idiot I did my research like the thread says Brainstorm. Sometimes crazy ideas lead people to start thinking. Which reminds me.... Ooo look Squirrel. Be sure to post your ha's when you read that. Anyways in all seriousness checking with the other persons and who knows possibly sometime may have a solution.
thjubeck said:
Don't worry I'm not an idiot I did my research like the thread says Brainstorm. Sometimes crazy ideas lead people to start thinking. Which reminds me.... Ooo look Squirrel. Be sure to post your ha's when you read that. Anyways in all seriousness checking with the other persons and who knows possibly sometime may have a solution.
Click to expand...
Click to collapse
I see. So you where offended, and you're subtly calling me an idiot.
You must be a proud person.
And you couldn't have "done your research" at the time of posting, as why then would you ask about flashing TMO bootloader on a non-TMO device?
Would it be possible to flash the H918/H830 bin files through the patched LGUP partition DL to change the device type?
Click to expand...
Click to collapse
Also your reply reeks of utter nonsense.
askermk2000 said:
I see. So you where offended, and you're subtly calling me an idiot.
You must be a proud person.
And you couldn't have "done your research" at the time of posting, as why then would you ask about flashing TMO bootloader on a non-TMO device?
Also your reply reeks of utter nonsense.
Click to expand...
Click to collapse
Seriously man no harm intended and as for utter nonsense yes,yes it was.....partially. Also, like how you quoted me saying bootloader... wait you didn't. Missed that somewhere. Not necessarily pointing to that you could flash a system partition that was already rooted or something like that again emphasizing brainstorm thread here.
thjubeck said:
Seriously man no harm intended and as for utter nonsense yes,yes it was.....partially. Also, like how you quoted me saying bootloader... wait you didn't. Missed that somewhere. Not necessarily pointing to that you could flash a system partition that was already rooted or something like that again emphasizing brainstorm thread here.
Click to expand...
Click to collapse
Well how else would you change your "device type"?
Maybe I don't understand what you mean by that. I may have jumped to wrong conclusion, if so then I guess you where right to be slightly offended.
Anyway, persistent.bin seems to be where it's at. You should work with @runningnak3d he was looking earlier for some help.
I recently acquired a Verizon-branded LG V20 (VS995) and I my eventual goal is to put TWRP and LineageOS on it like my last phone. The first step is to downgrade it to a vulnerable stock image using UPPERCUT. However, I'm finding that LGUP is unable to begin to perform the flash.
My setup/procedure is as such:
1. Fresh Windows 7 x64 installation in Virtualbox 5.2.16 on Arch Linux
1a. USB filter setup so that USB 1004:633a is always passed through to Windows 7
2. Installed drivers: LGMobileDriver_WHQL_Ver_4.2.0.exe
3. Installed LGUP 1.14: LGUP_Store_Frame_Ver_1_14_3.msi
4. Insert battery into LG V20 VS995
5. Insert USB into computer
6. Hold VOLUP while inserting USB-C into V20
7. Wait as "download mode" message appears and then changes to "Firmware Update" screen.
8. Wait for Windows to install all drivers, ensuring devmgmt.msc shows COM port
9. Launch UPPERCUT v1.0.0.0, granting admin permissions
10. Wait for LGUP to launch, initialize, and show a VS9951CA device
11. Select the December 2016 KDZ: VS99512A_06_1114_ARB00.kdz
12. Select UPGRADE and hit Start
After waiting for the 15 second initialization period, LGUP displays the error "Cannot decide device boot mode. set Unknown". If left in this state for several minutes, LGUP will eventually bring up a dialog saying "Error: 0x2000, Port open error (COMX)". LGUP sometimes says it is on a step which I have not transcribed correctly but resembles "_prepareAndDL" before showing the "Cannot decide device boot mode. set Unknown" error, but I've only seen this step once or twice.
SHA1 sums of the files I'm using:
eac54e3e0cfe6e8d7cd395e245170e13de4fcd67 lgmobiledriver_whql_ver_4.2.0.exe
f7b41f77047698bc8e030dddf4ef6fbdb5c3af41 lgup_store_frame_ver_1_14_3.msi
46c9a349d62287d81c94ce7148233c0922604273 uppercut_1.0.0.0.zip
3104b93b7243e3274932b2c56b8383cdecf7ede3 vs99512a_06_1114_arb00.kdz
Is UPPERCUT still the recommended tool to flash stock firmware for this model? Should I be installing it via fastboot instead (if so, is there a thread to follow)? Is the 1CA update no longer downgradable?
--------------------
I tried to use the patched LGUP tool instead of UPPERCUT to see if that helped at all. I did not try to flash the KDZ, but rather just tried to DUMP the existing partitions. I ran into the same error as the post title again.
Procedure:
0. In the LGUP program files directory:
1. Copy the original LGUP.exe to LGUP.original.exe
2. Copy the patched LGUP.exe into it's place
3. Copy in the 'model/common' directory from the patched LGUP zip
4. Steps 4->8 from above
9. Launch patched LGUP (no UPPERCUT)
10. Same as above
11. Select DUMP, hit start, select dump location
SHA1 sum of additional files:
242640ddb023308b9a103e0a767f27511c9a2db0 lgup_v20dll_patched.zip
I captured a trace of the USB communication with wireshark. I used the LG LAF protocol plugin (can't post links yet: github com/Lekensteyn/lglaf/blob/master/lglaf.lua) and it didn't find any USB frames that matched the protocol. I'm no USB wire protocol expert, but it looks like the phone is sending a response:
Code:
0000 1b 00 10 b0 62 03 80 fa ff ff 00 00 00 00 09 00 ...°b..úÿÿ......
0010 01 02 00 01 00 83 03 97 00 00 00 ef a0 00 00 00 ...........ï*...
0020 00 00 56 53 39 39 35 00 00 00 00 00 56 53 39 39 ..VS995.....VS99
0030 35 31 43 41 00 00 00 00 00 00 00 00 00 00 00 00 51CA............
0040 00 00 00 00 00 00 00 00 00 00 01 33 35 39 39 36 ...........35996
0050 38 30 37 32 39 39 39 30 37 36 00 00 00 00 00 60 8072999076.....`
0060 1e 41 6e 64 72 6f 69 64 00 00 00 37 2e 30 00 00 .Android...7.0..
0070 00 00 00 00 00 3X 3X 3X 3X 3X 3X 3X 3X 3X X9 00 .....XXXXXXXXXX.
0080 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 ................
0090 00 00 00 00 00 00 31 63 6f 6d 6d 6f 6e 00 00 00 ......1common...
00a0 56 5a 57 31 00 00 00 00 00 00 00 00 00 00 7d 5d VZW1..........}]
00b0 86 7e .~
There were five such frames, all essentially identical less a byte or two. I suspect if I had let the capture go they would have continued to arrive at an interval. So it's possible the LGUP tool just is not recognizing the ping that the phone is sending?
Install the VirtualBox extension pack and set your USB config for that VM to 2.0 or 3.1, and you should be good.
1CA is definitely downgradable. This is a USB communication problem.
-- Brian
I re-confirmed that I had the guest extensions installed (VM has no nic and all files were transferred in via shared folders, which requires guest extensions). But it turns out I did have the USB bus set to USB 2.0. After setting that to USB 3.0 and installing the Intel USB3 drivers for Windows, LGUP started the download without issue. This is still the patched LGUP (no UPPERCUT) and using the UPGRADE option with the KDZ mentioned in the OP. Oddly enough, it did not clear my data, as it asked for my encryption passphrase when it rebooted. It did successfully downgrade me, so I just did a factory reset to clear my old data and apps. As a reminder, the LG out-of-the-box experience starts checking for OTA updates as soon as the phone starts up, so remove your SIM before you start.
1. Remove SIM
2. Do one of the following:
CLI:
Code:
vboxmanage modifyvm $vmname --usbehci off && vboxmanage modifyvm $vmname --usbxhci on
UI: Right click VM > Settings > USB > USB 3.0 (XHCI) Controller