- Install the app "Sports DV" and change WiFi SSID and password
- Wifi and Cam settings are seperated and have different port numbers.
- Wifi-Settings (just login withoug username and password): http://192.168.25.1
- Cam LiveStream: http://192.168.25.1:8080/?action=stream
- Not sure how the configuration is made really... Would need a Man-In-The-Middle-Attack or send the initial ICMP package
- Log into http://192.168.25.1 without entering user and password
- Go to the second tab, there you can change the access mode vom "AP" to "Station", enter the SSID of your home WiFi, Encryption mode and password (works with Windows 10 mobile hotspot, too, just notice it only works with 2.4 GHz networks). The cam will guess the channel when you saved the settings.
- Don't worry, if the connection fails, the camera will offer you the configured AP again
- Better give it a fixed IP through your router (identified by MAC address)
- The connection between the app and the cam is made through an initial ICMP package with the payload "99 bottles of beer on the wall"
- looks like "MJPG-Streamer" was used when googleing for the url structure
- Reset: Press Mode first and then On/Off
This seems to be gold, this user has multiple repositories which seem to be almost the exact firmware that is running on my device and I have figured out some interesting and/or useful stuff by examining the source code. There seem to be project files (for Source Insight 4.0) and even some build tools, but not enough info to actually compile the projects.
Recovering a bricked device
Out of curiosity I have flashed a firmware from one of the repositories and my camera wasn't able to boot anymore. To recover from this, you have to put a firmware update file on the SD card and plug in the device to flash it (but this will probably not work if you flash complete garbage on your device). The filename has to follow this formula: JH_[product]_[checksum].bin (see ap_storage_service.c). The product is your camera type (e.g. 7668, but be aware that if you flash the firmware of a different camera, it will be the product number of that firmware), and the checksum can be calculated with the jh_sum_tools.exe utility (can be found in the tools directory).
Sending/receiving commands
It's a simple TCP based binary communication, nothing special. Every request starts with GPSOCKET and then it's followed by the command type and some parameters. It's pretty easy to understand (see socket_cmd.c and socket_cmd.h) but it seems to be missing some features of the camera (e.g. no clear way to enable the night vision mode).
DefSet.cfg
No matter what you put into this file, it's not going to read anything from it. It only checks if the file exists, and if it does, it restores the default configuration (see ap_storage_service.c and ap_state_config.c). However, there is an interesting line inside the ap_state_config_restore function: the ap_state_config_store function call is commented out, but it seems to be able to store every setting that the camera has somewhere (nvram maybe?). I think it can't be invoked without recompiling the firmware. However, investigating this might be a good direction.
Firmware structure
In the tools project, there is a ComBin,exe file with the corresponding INI that is able to combine parts of the firmware into the final binary file. Basically, it consists of a header and two separate ROM files. The software is based on uC/OS.
Fun but not very useful things
You can put different strings into the time.txt file and the camera will write some information to the SD card (see ap_storage_service.c):
(Yes, some strings are weird, but this is how it is. Also, exclude the quotation marks)
"COPYFIGHT MESSAGE? " writes "CopyrightMSG.txt" with some chinese copyright text
"VERSION_NUMBER??" writes "version.txt" with the firmware version
"SENSOR?" writes "sensor.txt" with the sensor type
"WIFI STATUS?" is also present in some versions of the source code but doesn't do anything on my camera