Notes on Quelima R3 WiFi Camera

readme.md

First

• Install the app "Sports DV" and change WiFi SSID and password

URLs

• Wifi and Cam settings are seperated and have different port numbers.
• Wifi-Settings (just login withoug username and password): http://192.168.25.1
• Cam LiveStream: http://192.168.25.1:8080/?action=stream
• Not sure how the configuration is made really... Would need a Man-In-The-Middle-Attack or send the initial ICMP package

Change AP (Cam is the access point) to Station (Cam is a normal WiFi Client)

• Log into http://192.168.25.1 without entering user and password
• Go to the second tab, there you can change the access mode vom "AP" to "Station", enter the SSID of your home WiFi, Encryption mode and password (works with Windows 10 mobile hotspot, too, just notice it only works with 2.4 GHz networks). The cam will guess the channel when you saved the settings.
• Don't worry, if the connection fails, the camera will offer you the configured AP again
• Better give it a fixed IP through your router (identified by MAC address)

Other Information

• The connection between the app and the cam is made through an initial ICMP package with the payload "99 bottles of beer on the wall"
• looks like "MJPG-Streamer" was used when googleing for the url structure

Button configuration

• Reset: Press Mode first and then On/Off

I have tried the DefSet.cfg but it looks that is not recognized. Probably, if we can use a file to write
a configuration for the wifi, it will be something like the "time.txt" that the camera uses to set the time.
I don't know how to find out which, if any, file should be added to the SD card.

Thank you for trying. Since i do not have such a camera it is very hard for me to find out where an how the data should be stored. It was worth a try.

So, I found these paths in this file.

C:\time.txt
--> setting time
C:\DCIM
--> contains pictures, videos
C:\JH_*.bin
-->
C:\DefSet.cfg
-->
C:\CopyrightMSG.txt
--> Builder information?
C:\Version.txt
-->
C:\sensor.txt
-->
C:\index0.tmp
-->

maybe the bold paths will be interesting for this job. I don't know anything about this things, but I will help, if I can. I also want to use this camera onto my Octopi.

I don't know, if it's interesting, but there is so much information about JH...

E:\GP15_PRO\JH76XX\JH7668\Code\v005\program\host\init.c

Try to connecting CABRIO via %s...

==============================

Please Insert %S wifi device

So, I found these paths in this file.

C:\time.txt
--> setting time
C:\DCIM
--> contains pictures, videos
C:\JH_*.bin
-->
C:\DefSet.cfg
-->
C:\CopyrightMSG.txt
--> Builder information?
C:\Version.txt
-->
C:\sensor.txt
-->
C:\index0.tmp
-->

maybe the bold paths will be interesting for this job. I don't know anything about this things, but I will help, if I can. I also want to use this camera onto my Octopi.

I don't know, if it's interesting, but there is so much information about JH...

E:\GP15_PRO\JH76XX\JH7668\Code\v005\program\host\init.c

Try to connecting CABRIO via %s...

==============================

Please Insert %S wifi device

Hello,
i haven't yet tried octopi, but at another ubuntu based distro that i use i am able to use it as usb camera.
I had some issues after installing some libraries that basically broke the UVC drivers ( broke is not the correct term to be exact ) so i could not use it as a usb camera for skype out of the box. I can share the workaround if you don't get video output, i didn't bother to fix the issue to tell you the truth.
But the thing is, manually, after connecting through USB to the camera and switching to camera mode from card reader mode, you can use it as web camera for Octopi.

As for the paths in bold, i came to the same conclusion after checking the provided dump from @TumeSai and it seems that if we can somehow find out where those files are decoded, we might be able to use DefSet.cfg to initialise the camera in the mode we need when it's connected to a power source, not a PC ( or "computer" in general ) USB.

Does anyone know what kind of MCU this camera uses so someone might try to "decode","disassemble" or whatever the process is called?

Here you have the firmware that is avaible now. Please, add it to the readme text.

https://gofile.io/d/GQ3UdD

I will try to find defset file info.

I just want to thanks for all the research. I will try to analyze firmware, java source (i'm not good at it) and sniff some transmition between app and camera. It looks like this is very promising hardware with some hack and tricks. One trick i found: If You want to enable IR during wifi mode turn on recording to SD card and then push mode button for 3 seconds :)

My results:
port :80 - just for trivial http interface, when You can switch from AP to Station, and do some IP configuration
port :8080 - only to serve /?action=stream - but when i tried to acces it in "Station" mode i get no packets - maybe some initialization is required (via :8081) or maybe some additional http headers - i'll try it later
port :8081 - it's where whole communication with Android app is located. It is some form of binary talk - but every message starst with "GPSOCKET" string. - first application asks about something like "Menu" - this is an XML data with all fields that app can display in settings. it looks like this:

<?xml version="1.0" encoding="UTF-8"?>
<Menu version="1.0">
	<Categories>
		<Category>
			<Name>Record</Name>
			<Settings>
				<Setting>
					<Name>Resolution</Name>
					<ID>0x0000000</ID>
					<Type>0x00</Type>
					<Default>0x01</Default>
					<Values>
						<Value>
							<Name>1080FHD 1920x1080 30fps</Name>
							<ID>0x00</ID>
						</Value>
						<Value>
							<Name>1080P 1440x1080 30fps</Name>
							<ID>0x01</ID>
						</Value>
						<Value>
							<Name>720P 1280x720 30fps</Name>
							<ID>0x02</ID>
						</Value>
					</Values>
				</Setting>
				<Setting>
					<Name>Loop Recording</Name>
					<ID>0x0000003</ID>
					<Type>0x00</Type>
					<Default>0x02</Default>					
					<Values>
						<Value>
							<Name>Off</Name>
							<ID>0x00</ID>
						</Value>
						<Value>
							<Name>3 Minutes</Name>
							<ID>0x01</ID>
						</Value>
						<Value>
							<Name>5 Minutes</Name>
							<ID>0x02</ID>
						</Value>
						<Value>
							<Name>10 Minutes</Name>
							<ID>0x03</ID>
						</Value>
					</Values>
				</Setting>
				<Setting>
					<Name>Record Audio</Name>
					<ID>0x0000005</ID>
					<Type>0x00</Type>
					<Default>0x00</Default>					
					<Values>
						<Value>
							<Name>Off</Name>
							<ID>0x00</ID>
						</Value>
						<Value>
							<Name>On</Name>
							<ID>0x01</ID>
						</Value>
					</Values>
				</Setting>
				<Setting>
					<Name>Date Stamp</Name>
					<ID>0x0000006</ID>
					<Type>0x00</Type>
					<Default>0x00</Default>					
					<Values>
						<Value>
							<Name>Off</Name>
							<ID>0x00</ID>
						</Value>
						<Value>
							<Name>On</Name>
							<ID>0x01</ID>
						</Value>
					</Values>
				</Setting>
			</Settings>
		</Category>
		<Category>
			<Name>Capture</Name>
			<Settings>
				<Setting>
					<Name>Resolution</Name>
					<ID>0x00000100</ID>
					<Type>0x00</Type>
					<Default>0x01</Default>					
					<Values>
						<Value>
							<Name>12M (4032x3024)</Name>
							<ID>0x00</ID>
						</Value>
						<Value>
							<Name>10M (3648x2736)</Name>
							<ID>0x01</ID>
						</Value>
						<Value>
							<Name>8M (3264x2448)</Name>
							<ID>0x02</ID>
						</Value>
						<Value>
							<Name>5M (2592x1944)</Name>
							<ID>0x03</ID>
						</Value>
						<Value>
							<Name>3M (2048x1536)</Name>
							<ID>0x04</ID>
						</Value>
						<Value>
							<Name>2MHD (1920x1080)</Name>
							<ID>0x05</ID>
						</Value>
						<Value>
							<Name>1.3M (1280x960)</Name>
							<ID>0x06</ID>
						</Value>
						<Value>
							<Name>VGA (640x480)</Name>
							<ID>0x07</ID>
						</Value>
					</Values>
				</Setting>
				<Setting>
					<Name>Date/Time</Name>
					<ID>0x00000107</ID>
					<Type>0x00</Type>
					<Default>0x02</Default>					
					<Values>
						<Value>
							<Name>Off</Name>
							<ID>0x00</ID>
						</Value>
						<Value>
							<Name>Date</Name>
							<ID>0x01</ID>
						</Value>
						<Value>
							<Name>Date/Time</Name>
							<ID>0x02</ID>
						</Value>
					</Values>
				</Setting>
			</Settings>
		</Category>
		<Category>
			<Name>System</Name>
			<Settings>
				<Setting>
					<Name>Auto Power Off</Name>
					<ID>0x00000202</ID>
					<Type>0x00</Type>
					<Default>0x00</Default>					
					<Values>
						<Value>
							<Name>Off</Name>
							<ID>0x00</ID>
						</Value>
						<Value>
							<Name>1 Minute</Name>
							<ID>0x01</ID>
						</Value>
						<Value>
							<Name>2 Minutes</Name>
							<ID>0x02</ID>
						</Value>
						<Value>
							<Name>5 Minutes</Name>
							<ID>0x03</ID>
						</Value>
					</Values>
				</Setting>
				<Setting>
					<Name>Date/Time</Name>
					<ID>0x00000205</ID>
					<Type>0x00</Type>
					<Default>0x00</Default>
					<Values>
						<Value>
							<Name>YY/MM/DD</Name>
							<ID>0x00</ID>
						</Value>
						<Value>
							<Name>MM/DD/YY</Name>
							<ID>0x01</ID>
						</Value>
						<Value>
							<Name>DD/MM/YY</Name>
							<ID>0x02</ID>
						</Value>
					</Values>				
				</Setting>
				<Setting>
					<Name>Language</Name>
					<ID>0x00000FF</ID>
					<Type>0x00</Type>
					<Default>0x00</Default>					
					<Values>
						<Value>
							<Name>English</Name>
							<ID>0x00</ID>
						</Value>
						<Value>
							<Name>............</Name>
							<ID>0x01</ID>
						</Value>
					</Values>
				</Setting>
				<Setting>
					<Name>Format</Name>
					<ID>0x00000207</ID>
					<Type>0x01</Type>
					<Default>0x00</Default>
				</Setting>
				<Setting>
					<Name>Default Setting</Name>
					<ID>0x00000208</ID>
					<Type>0x01</Type>
                    <Reflash>0x01</Reflash>
					<Default>0x00</Default>
				</Setting>
				<Setting>
					<Name>Menu  Version</Name>
					<ID>0x00000209</ID>
					<Type>0x03</Type>
					<Default>0x00</Default>
					<Values>
						<Value>
							<Name>20170602 V1.1.2</Name>
							<ID>0x00</ID>
						</Value>
					</Values>				
				</Setting>
				<Setting>
					<Name>Firmware Version</Name>
					<ID>0x0000020B</ID>
					<Type>0x03</Type>
					<Default>0x00</Default>
					<Values>
						<Value>
							<Name>ver</Name>
							<ID>0x00</ID>
						</Value>
					</Values>				
				</Setting>
			</Settings>
			</Category>
		<Category>
			<Name>Wireless Network</Name>
			<Settings>
				<Setting>
					<Name>WifiName</Name>
					<ID>0x00000300</ID>
					<Type>0x02</Type>
					<Default>GoPlusCam</Default>					
				</Setting>
				<Setting>
					<Name>Password</Name>
					<ID>0x00000301</ID>
					<Type>0x02</Type>
				</Setting>
			</Settings>
		</Category>
	</Categories>
</Menu>

this looks like some memory mapping, or instructions mapping (maybe instructions because WifiName is 0x00000300 and Password is 0x00000301). then transmission goes more binary again. Downloading files, movies etc works this way.

Lots of work ahead :). I'll try to launch the stream in "Station" mode. Maybe look for some strings in firmware.

I just picked up a couple SQ23 from the post office yesterday... They were ordered them from Aliexpress about 2 months ago.... after looking at the manual,happy that I googled and found this!

Very interesting reading... It would be really nice be able to have a way to store a persistent configuration for the WIFI on the SD card.

Anyway, seems that a certain user has some interesting reps on github that could be helpful for reverse engineering the firmware.
Searching the other repos could also be interesting.

https://github.com/yilanjueding123/7801/blob/master/host/init.c#L146

• "(C) Copyright 2014-2016 Shenzhen South Silicon Valley microelectronics co.,limited"

https://github.com/yilanjueding123/7801/blob/master/application/task_ameba/app/src/gp_socket_cmd.c#L31

• "Copyright Generalplus Corp. ALL RIGHTS RESERVED."

And a circuit diagram too! Well it could be for any camera base on this chip.
https://github.com/yilanjueding123/mypdf/blob/master/pdf/JH_7612%20V1_SCH.pdf

For now, to do a hardcoded is a good idea.
How to build a new firmware with a fixed configuration and upload that?

https://github.com/yilanjueding123

This seems to be gold, this user has multiple repositories which seem to be almost the exact firmware that is running on my device and I have figured out some interesting and/or useful stuff by examining the source code. There seem to be project files (for Source Insight 4.0) and even some build tools, but not enough info to actually compile the projects.

Recovering a bricked device
Out of curiosity I have flashed a firmware from one of the repositories and my camera wasn't able to boot anymore. To recover from this, you have to put a firmware update file on the SD card and plug in the device to flash it (but this will probably not work if you flash complete garbage on your device). The filename has to follow this formula: JH_[product]_[checksum].bin (see ap_storage_service.c). The product is your camera type (e.g. 7668, but be aware that if you flash the firmware of a different camera, it will be the product number of that firmware), and the checksum can be calculated with the jh_sum_tools.exe utility (can be found in the tools directory).

Sending/receiving commands
It's a simple TCP based binary communication, nothing special. Every request starts with GPSOCKET and then it's followed by the command type and some parameters. It's pretty easy to understand (see socket_cmd.c and socket_cmd.h) but it seems to be missing some features of the camera (e.g. no clear way to enable the night vision mode).

DefSet.cfg
No matter what you put into this file, it's not going to read anything from it. It only checks if the file exists, and if it does, it restores the default configuration (see ap_storage_service.c and ap_state_config.c). However, there is an interesting line inside the ap_state_config_restore function: the ap_state_config_store function call is commented out, but it seems to be able to store every setting that the camera has somewhere (nvram maybe?). I think it can't be invoked without recompiling the firmware. However, investigating this might be a good direction.

Firmware structure
In the tools project, there is a ComBin,exe file with the corresponding INI that is able to combine parts of the firmware into the final binary file. Basically, it consists of a header and two separate ROM files. The software is based on uC/OS.

Fun but not very useful things
You can put different strings into the time.txt file and the camera will write some information to the SD card (see ap_storage_service.c):
(Yes, some strings are weird, but this is how it is. Also, exclude the quotation marks)
"COPYFIGHT MESSAGE? " writes "CopyrightMSG.txt" with some chinese copyright text
"VERSION_NUMBER??" writes "version.txt" with the firmware version
"SENSOR?" writes "sensor.txt" with the sensor type
"WIFI STATUS?" is also present in some versions of the source code but doesn't do anything on my camera

Good evening to all.
I also have a problem with the sq23 camera. when I register on the mobile (ios, iphone) photo or video, I can not find the files on the mobile. does anyone know where I find them?

Has anyone found out if the SQ13 can be streamed via USB at 1080p?
When plugged to the PC it automatically creates a UVC driver but all camera programs can only use it as 720p. is that the real native format?

FYI about getting SQ23 video stream from a PC in Wi-Fi :

• First connect the PC to the SQ23_XXXX Wi-Fi. By default, it seems only 1 PC can be connected to it at a time. The camera acts as a DHCP server 192.168.33.1/24 and appears to provide an IP similar to 192.168.33.101. In case you try to play with eth/Wi-Fi bridges between the PC and the camera, it appears that the DHCP server only gives an IP to 1 interface at a time (and only that one will be used as destination of the UDP video stream packets), so you might have to use static IP for the intermediate devices if you need them.
• A Wireshark network capture during a communication between a smartphone with the Sports Camera app and the camera showed that 2 UDP control links need to be established and maintain the stream alive, see sq23control sample code for that on https://www.ensta-bretagne.fr/lebars/Share/sq23.zip . Unfortunately, the video stream appears to not be fully supported by OpenCV, see mjpeg.py, which gives partial images on Windows with Python 3.8.2 and pip install opencv-contrib-python==4.2.0.34 . It appears to be some kind of MJPEG over UDP 10900 (images of 640x384), start of packets appears to have this hex format : lowbytefilenumberrstartingfrom1 highbytefilenumberrstartingfrom1 nbofpackets packetnumberstartingfrom0 31 14 00 00 varyingbytes, see sq23video for an attempt to decode it a little bit better…

I have SQ23 camera and can see interface at http://192.168.33.1/, but I have refuse connection at http://192.168.33.1:8080/?action=stream .
There is even no 8080 port in nmap output

Nmap scan report for 192.168.33.1
Host is up (0.0097s latency).
Not shown: 997 closed tcp ports (reset)
PORT      STATE SERVICE
80/tcp    open  http
8081/tcp  open  blackice-icecap
30000/tcp open  ndmps

How can I access stream?

I have SQ23 camera
...
How can I access stream?

The code I propose in the previous comment might be what you want?

I have SQ23 camera
...
How can I access stream?

The code I propose in the previous comment might be what you want?

I tried your code(Python and exe) and it doesn't work too.

If I remember well, assuming only your PC is connected to the camera Wi-Fi (and without firewall, antivirus, etc.), first you need to run sq23control.exe (and leave it running, it keeps the stream alive through UDP 20000 and 20001 communication), then sq23video.exe (the Python code was not working well and also needs sq23control.exe to be running), which should display something (through another communication on UDP port 10900)...

If I remember well, assuming only your PC is connected to the camera Wi-Fi (and without firewall, antivirus, etc.), first you need to run sq23control.exe (and leave it running, it keeps the stream alive through UDP 20000 and 20001 communication), then sq23video.exe (the Python code was not working well and also needs sq23control.exe to be running), which should display something (through another communication on UDP port 10900)...

It works! Thanks!

Does anyone know how to start recording or turn on IR via wifi?

i'm not a pro at reverse engineering, i've just followed some tutorials and stuff, and got a 17k lines with some mix of assembly, xml and some funny comments mentioning stack overflow, i think some of the broken characters appearing is because of some language pack missing (MAYBE), i'm looking after some commands to toggle recording and toogle IR through the wifi.

wishin i could understand more about the code, i would love to create a better interface, the need to download a individual app on my phone just looks wrong, even my own router has a web interface thats sound perfectly fine, why create another step when you currently trying to configure your camera?

@WilliamD-s
this content is coming from a chip dump, right?

@vinibali not exatly, what really happens was that a friend come to me with this sq camera that he changed the password and could not remember it, then found this post with the equivalent model firmware, i tried and it worked fine , my friend doe's not have interest on the camera then i can freely try some improvement

the comment with the firmware i've used is:
kdevkdev commented on Apr 14, 2020

this week i'll try to find a compatible charset to the one that were broken on my previous screenshots.

I made a video about how to reset the camera a while back if anyone is still struggling
https://youtu.be/oDpBJmrp2FU

@WilliamD-s
I though you would like to spend some time to develop a new FW, based on this:
https://gist.github.com/gitfvb/09085fd0cd4993549feb7470430d40e9?permalink_comment_id=3356708#gistcomment-3356708

I'll take a closer look on those codes, but this may take a while, for now i'm kinda of focusing into other priorities, but i'm surely coming back help with this project.
My career it's all focused on web development and process automation, then i' would be another study charge to remove the rusty from my c skills, or even if i dare to use C# or Java to the new version this totally different from what i'm used to, not impossible.
But for the next 2 months i cant promise to starting something beyond reading the code you mentioned

Hello there again!
I've spent some time with my SQ23 camera. According to the labels on the PCB, 7668A is the project/product name for which we should search for.
Unfortunately none of repos are having that string at https://github.com/yilanjueding123
There is also a SV6030P single-chip WLAN board can be found, so if we want to do something with the sources we need to lift over some code from other repos, as some of them at yilanjueding's repo are having WIFI set up.
I walked trough all the Generalplus datasheets and according to the specifications, like:

• LQFP64 package
• JPEG codec
• MMC and CMOS interface
• MIC interface
  and according to that SQ23 is supposed to have a GP327902B processor, but the physical wiring not matches.
  I've found two other projects and this pinout for GPCV1247A_64PIN is more likely matches to the 7668A PCB.
  Wiring diagram can be found here:
  https://github.com/lionyhw/JHDH-8412_1247/blob/master/8412/JHDH-8412_1247.pdf
  https://github.com/yilanjueding123/mypdf/blob/master/pdf/JH_7612%20V1_SCH.pdf
  I was also trying to compile the firmware and added some steps to do it with Linux and arm-none-eabi-gcc package:
  https://gitlab.com/vinibali/7682-v010/
  So if we found something which is a bit more close to the SQ23, that shouldn't be a big deal to play with the sources.

This small camera is really interesting, as you could see I damaged the small 0 Ohm fuse for the wifi module while I was disassembling it.
The functions of the buttons literally have gone at all, the only thing I could do was to power it up and reset with the two button combination. Sometime the switch to the WIFI mode was working, but nothing really else.
I also spent some time with searching for all the sources, but it seems only those two can be used. Nothing really else contains the code.
Another thing is that GPCV1248 is the closest chip to the GPCV1247A, which might be a lower pin count chip.

I have SQ23 camera and can see interface at http://192.168.33.1/, but I have refuse connection at http://192.168.33.1:8080/?action=stream . There is even no 8080 port in nmap output

Nmap scan report for 192.168.33.1
Host is up (0.0097s latency).
Not shown: 997 closed tcp ports (reset)
PORT      STATE SERVICE
80/tcp    open  http
8081/tcp  open  blackice-icecap
30000/tcp open  ndmps

How can I access stream?

run this

import requests

url = "http://192.168.25.1:8080/?action=stream"
headers = {
    "User-Agent": "Lavf/58.12.100",
    "Accept": "*/*",
    "Range": "bytes=0-",
    "Connection": "close",
    "Icy-MetaData": "1"
}

response = requests.get(url, headers=headers)
print(response)

and then you will get a 200 as a response and the stream will work
but i don't it think it does anything. if you don't have a stream a thing to do is to restart it over and over till it works

I have SQ23 camera and can see interface at http://192.168.33.1/, but I have refuse connection at http://192.168.33.1:8080/?action=stream . There is even no 8080 port in nmap output

Nmap scan report for 192.168.33.1
Host is up (0.0097s latency).
Not shown: 997 closed tcp ports (reset)
PORT      STATE SERVICE
80/tcp    open  http
8081/tcp  open  blackice-icecap
30000/tcp open  ndmps

How can I access stream?

run this

import requests

url = "http://192.168.25.1:8080/?action=stream"
headers = {
    "User-Agent": "Lavf/58.12.100",
    "Accept": "*/*",
    "Range": "bytes=0-",
    "Connection": "close",
    "Icy-MetaData": "1"
}

response = requests.get(url, headers=headers)
print(response)

and then you will get a 200 as a response and the stream will work but i don't it think it does anything. if you don't have a stream a thing to do is to restart it over and over till it works

That's Python, right?

Pakete mithilfe von "Packet Manager" auf Android analysiert.

@lebarsfa @vinibali

Hello

I bought a SQ 13,23 as a wireless camera to use on my Raspberry Pi.
I have a problem with the camera not connecting to wifi on my laptop, so I can't access the strwam url either.
But can connect on my cell phone.