Xiaomi console access

The russians are having fun with it, there's a RAW shooting script I can't download for some reason (google translate fails me):
http://translate.googleusercontent....647390&usg=ALkJrhjegmqP8WgvmaV_mimXEwzl5GACGA
I telnet'd in and poked about. Looks to be running similar stuff as gopro and sjcams on the ambarella a7. Runs http://cherokee-project.com/ for the web server. The IP address (.42.1) is hard-coded in several places.

The / partition mounts read-only.
Code:
/etc/init.d # mount
rootfs on / type rootfs (rw)
ubi0:linux on / type ubifs (ro,relatime)
devtmpfs on /dev type devtmpfs (rw,relatime,size=18816k,nr_inodes=4704,mode=755)
none on /dev type tmpfs (rw,relatime)
proc on /proc type proc (rw,relatime)
devpts on /dev/pts type devpts (rw,relatime,gid=5,mode=620)
tmpfs on /dev/shm type tmpfs (rw,relatime,mode=777)
tmpfs on /tmp type tmpfs (rw,relatime)
sysfs on /sys type sysfs (rw,relatime)
a on /tmp/fuse_a type fuse.a (rw,nosuid,nodev,relatime,user_id=0,group_id=0)
1 on /tmp/fuse_d type fuse.1 (rw,nosuid,nodev,relatime,user_id=0,group_id=0)
z on /tmp/fuse_z type fuse.z (rw,nosuid,nodev,relatime,user_id=0,group_id=0)
a on /pref type fuse.a (rw,nosuid,nodev,relatime,user_id=0,group_id=0)
none on /sys/kernel/debug type debugfs (rw,relatime)
tmpfs on /var/www/live type tmpfs (rw,relatime)
tmpfs on /var/www/mjpeg type tmpfs (rw,relatime)
1 on /var/www/DCIM type fuse.1 (rw,nosuid,nodev,relatime,user_id=0,group_id=0)

processes...
Code:
  574 root       0:00 [mtdblock11]
  579 root       0:00 [mtdblock12]
  584 root       0:00 [mtdblock13]
  596 root       0:00 [ubi_bgt0d]
  608 root       0:00 [lkvfs_bh 0]
  651 root       0:00 vffs /tmp/fuse_a -l a -o big_writes -o atomic_o_trunc -s
  654 root       0:00 vffs /tmp/fuse_d -l d -C 1 -o big_writes -s
  657 root       0:00 vffs /tmp/fuse_z -l z -s
  672 root       0:00 ombra
  678 root       0:00 amba_mq_handler
  679 root       0:00 /usr/bin/AmbaStreamSVC
  681 root       0:00 /usr/bin/lu_lnxfio_stream
  685 root       0:00 /usr/bin/amba_qrconfig
  695 root       0:00 [kworker/0:2]
  696 root       0:00 [cfg80211]
  722 root       0:00 [mmcqd/0]
  742 root       0:00 telnetd
  745 root       0:00 network_message_daemon
  759 root       0:00 cgiBridge
  825 root       0:00 [wl_event_handle]
  829 root       0:00 [dhd_watchdog_th]
  830 root       0:00 [dhd_dpc]
  831 root       0:00 [dhd_sysioc]
  832 root       0:04 [ksdioirqd/mmc1]
  879 nobody     0:00 dnsmasq --nodns -5 -K -R -n --dhcp-range=192.168.42.2,192.168.42.6,infinite
  956 root       0:00 cherokee-worker -a -C /etc/cherokee.conf -j -s -d
 1208 root       0:01 -sh
 1854 root       0:00 [sh]
 1855 root       0:00 ps fax
 1856 root       0:00 more

netstat
Code:
/etc/init.d # netstat -pltn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:7878            0.0.0.0:*               LISTEN      745/network_message
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      956/cherokee-worker
tcp        0      0 0.0.0.0:8787            0.0.0.0:*               LISTEN      745/network_message
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      879/dnsmasq
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      742/telnetd
netstat: /proc/net/tcp6: No such file or directory

The amba_mq_handler I suspect is what will need to be tweaked to be able to trigger things.

All the good things happen on startup in the /etc/init.d/S50network script...
Code:
#enable Network daemon      
[ -x /usr/bin/ombra ] && (ombra > /dev/null 2>&1)
                            
#enable Webupload daemon    
[ -x /usr/bin/dvf2web ] && dvf2web --daemon
                            
#enable AmbaStreamer        
if [ -f /usr/bin/AmbaStreamSVC ]; then
        /usr/bin/AmbaStreamSVC &
fi                          
                            
#enable AmbaMqueue daemon   
if [ -x /usr/bin/amba_mq_handler ]; then
        amba_mq_handler     
fi                          
                            
#enable lnxfio_stream daemon
if [ -x /usr/bin/lu_lnxfio_stream ]; then
        nice -n -20 /usr/bin/lu_lnxfio_stream
fi                          
                            
#enable amba_qrconfig daemon
if [ -x /usr/bin/amba_qrconfig ]; then
        /usr/bin/amba_qrconfig
fi                          
                            
#for bootup speed, some modules are preloaded before hibernate
if [ -x /usr/local/share/script/preload.sh ]; then
        /usr/local/share/script/preload.sh
fi                          
if [ -x /usr/local/share/script/bt_preload.sh ]; then
        /usr/local/share/script/bt_preload.sh
fi                          
                            
#for ar6004 WoWLAN          
mount -t debugfs none /sys/kernel/debug/
                            
#Apply TCP tuning parameters
if [ -x /usr/local/share/script/tcp_script.sh ]; then
        /usr/local/share/script/tcp_script.sh

Will look more later, if anyone can read Russian, see if you can download that RAW shooting script...
 
Actually that IP is not hardcoded at all, only place where i saw it defined was in /pref/wifi.conf which is RW filesystem and you can easily change the IP range. And yes, i did it already, but it cannot hook to your network. Yet.
 
The russians are having fun with it, there's a RAW shooting script I can't download for some reason

Oh yeah we are ) Here is the script aimed to get max from the cam. It enables both JPEG+RAW still capture and 1296p30 @30Mbits video. There is also a script for auto RAW capture.
 

Attachments

  • yimax-autoexec.zip
    186 bytes · Views: 72
Nutsey - what's the script for auto raw capture?

And anyone know which raw decoder works for these ambarella raw files?

I also saw a HDR script on the russian site but could not download it.. anyone been able to download the attachments from that forum?
 
Files attached.
Mike
 

Attachments

  • 1.0.12_autoexec.ash.zip
    445 bytes · Views: 31
  • autoexec-RAW-v2.zip
    250 bytes · Views: 45
Nutsey - what's the script for auto raw capture?

And anyone know which raw decoder works for these ambarella raw files?

I also saw a HDR script on the russian site but could not download it.. anyone been able to download the attachments from that forum?

Neither did I... any russian friend here? for downloading the scripts? :)
 
And anyone know which raw decoder works for these ambarella raw files?

I also saw a HDR script on the russian site but could not download it.. anyone been able to download the attachments from that forum?

Use raw2dng tool to convert RAW files to Adobe DNG format. Drag&drop RAW files to its window.

Here is HDR script. It generates 6 JPEG files with various shutter and ISO fixed to 100. Join them to HDR in any suitable soft.
 

Attachments

  • raw2dng.zip
    83.1 KB · Views: 47
  • hdr6-autoexec.zip
    312 bytes · Views: 44
I can read in Russian :)
Good luck.
Mike
 
Use raw2dng tool to convert RAW files to Adobe DNG format. Drag&drop RAW files to its window.

Here is HDR script. It generates 6 JPEG files with various shutter and ISO fixed to 100. Join them to HDR in any suitable soft.

Emm...nutsey, what is the meaning of the parameter in "raw2nef.ini" configuration file? Can I adjust it?
 
nutsey, what is the meaning of the parameter in "raw2nef.ini" configuration file? Can I adjust it?
It describes format of our RAW file (frame size, bayer byte order etc.), nothing really to adjust there.
 
The sleep function is in seconds. I managed to modify it to millisecond from a script, just to make led blinking and beeping better. The sleep funcion basically works by taking the number you typed and multiplies it by 1000, so I just NOPed the multiply by 1000 line ;)

I will post it later for 1.0.12 fw if you want. For now I have it only for 1.0.9 which I'm experimenting on.
 
No, it doesn't from an autoexec script.

Code:
#convert sleep to milliseconds hack
writew 0xC0155712 0x0000

Then how could I change back to normal 1 second, within the same ash code?

added:
I've tested, the first sleep 100 doesnot work as MS, but as S, so the Yi Cam wait for a long time (100s) then blink the red & blue.
Code:
#beep and blink front LED
#LEDs
#12 shutter
#114 WIFI
#6 front blue
#54 front red
sleep 100      <---- here run as Second, not Milisecond.
t gpio 6 sw out0
t gpio 54 sw out1

so after I changed it to
Code:
sleep 1
the rest part of the code works well.
 
Last edited:
Back
Top