Extracted Device Tree and Analysis - Sony Xperia XZ Premium Guides, News, & Discussion

Extracted Device Tree and Analysis - Sony Xperia XZ Premium Guides, News, & Discussion

As someone with an interest in embedded development (also happen to be using the Z5P 4k LCD in another project, but that's another story) and about to receive an XZP, I thought it would be interesting to extract and decompile the device tree from the now downloadable XZP firmware. I've put it online as a Github gist (spaces added because I'm not allowed to post links yet ) :
https : // gist.github.com/daveshah1/52227b83e9a04d6536b784e895293f77
Of particular interest for me and I suspect others is the LCD. I've put the config for the LCD only below (with the big calibration tables removed for clarity and to avoid the post length limit) :
Code:
somc,dual0_6_panel {
somc,mdss-dsi-pcc-enable;
somc,mdss-dsi-uv-command = <0x6010000 0x1da 0x6010000 0x1db>;
somc,mdss-dsi-uv-param-type = <0x4>;
somc,mdss-dsi-pcc-table-size = <0xe2>;
somc,mdss-dsi-pcc-table = ***cut for readability***;
somc,mdss-dsi-srgb-pcc-enable;
somc,mdss-dsi-srgb-pcc-table-size = <0xe2>;
somc,mdss-dsi-srgb-pcc-table = ***cut for readability***;
somc,mdss-dsi-vivid-pcc-enable;
somc,mdss-dsi-vivid-pcc-table-size = <0xe2>;
somc,mdss-dsi-vivid-pcc-table = ***cut for readability***;
somc,mdss-dsi-hdr-pcc-enable;
somc,mdss-dsi-hdr-pcc-table-size = <0xe2>;
somc,mdss-dsi-hdr-pcc-table = ***cut for readability***;
qcom,mdss-dsi-panel-name = [36 00];
qcom,mdss-dsi-panel-type = "dsi_cmd_mode";
qcom,mdss-dsi-panel-controller = <0x1af>;
qcom,mdss-dsi-panel-destination = "display_1";
qcom,mdss-dsi-bpp = <0x18>;
qcom,mdss-pan-physical-width-dimension = <0x44>;
qcom,mdss-pan-physical-height-dimension = <0x79>;
qcom,mdss-dsi-virtual-channel-id = <0x0>;
qcom,mdss-dsi-stream = <0x0>;
qcom,mdss-dsi-h-sync-skew = <0x0>;
qcom,mdss-dsi-h-left-border = <0x0>;
qcom,mdss-dsi-h-right-border = <0x0>;
qcom,mdss-dsi-v-top-border = <0x0>;
qcom,mdss-dsi-v-bottom-border = <0x0>;
qcom,mdss-dsi-underflow-color = <0x0>;
qcom,mdss-dsi-border-color = <0x0>;
qcom,mdss-dsi-h-sync-pulse = <0x1>;
qcom,mdss-dsi-traffic-mode = "non_burst_sync_event";
qcom,mdss-dsi-bllp-eof-power-mode;
qcom,mdss-dsi-bllp-power-mode;
qcom,mdss-dsi-dma-trigger = "trigger_sw";
qcom,mdss-dsi-mdp-trigger = "none";
qcom,mdss-dsi-tx-eot-append;
qcom,mdss-dsi-off-command = <0x5010000 0xa000128 0x5010000 0x96000110>;
qcom,mdss-dsi-off-command-state = "dsi_hs_mode";
qcom,mdss-dsi-te-pin-select = <0x1>;
qcom,mdss-dsi-wr-mem-start = <0x2c>;
qcom,mdss-dsi-wr-mem-continue = <0x3c>;
qcom,mdss-dsi-te-dcs-command = <0x1>;
qcom,mdss-dsi-te-check-enable;
qcom,mdss-dsi-te-using-te-pin;
qcom,mdss-dsi-lane-0-state;
qcom,mdss-dsi-lane-1-state;
qcom,mdss-dsi-lane-2-state;
qcom,mdss-dsi-lane-3-state;
qcom,panel-supply-entries = <0x1b4>;
qcom,mdss-dsi-lp11-init;
qcom,mdss-dsi-bl-min-level = <0x1>;
qcom,mdss-dsi-bl-max-level = <0xfff>;
qcom,mdss-brightness-max-level = <0xfff>;
qcom,mdss-dsi-bl-pmic-control-type = "bl_ctrl_wled";
qcom,mdss-dsi-panel-hdr-enabled;
qcom,mdss-dsi-panel-hdr-color-primaries = <0x3a5c 0x3dae 0x8408 0x3d54 0x2ac6 0x8408 0x1d1a 0x8fc>;
qcom,mdss-dsi-panel-peak-brightness = <0x6acfc0>;
qcom,mdss-dsi-panel-blackness-level = <0x1226>;
somc,dsi-index = <0x0>;
somc,lcd-id-adc = <0x89f08 0x9f6c8>;
somc,mdss-dsi-master;
somc,pw-on-rst-seq = <0x0 0xf 0x1 0xa 0x0 0xf 0x1 0x14>;
somc,pw-off-rst-b-seq = <0x0 0xb>;
somc,pw-wait-after-on-vdd = <0x0>;
somc,pw-wait-after-on-vddio = <0xa>;
somc,pw-wait-after-on-vsp = <0x0>;
somc,pw-wait-after-on-vsn = <0x0>;
somc,pw-wait-after-on-dcdc = <0xa>;
somc,pw-wait-after-off-vdd = <0x0>;
somc,pw-wait-after-off-vddio = <0x1>;
somc,pw-wait-after-off-vsp = <0x5>;
somc,pw-wait-after-off-vsn = <0x5>;
somc,pw-wait-after-off-dcdc = <0x5>;
somc,pw-wait-after-on-touch-avdd = <0x1>;
somc,pw-wait-after-on-touch-vddio = <0x0>;
somc,pw-wait-after-on-touch-reset = <0x0>;
somc,pw-wait-after-on-touch-int-n = <0xa>;
somc,pw-wait-after-off-touch-avdd = <0x0>;
somc,pw-wait-after-off-touch-vddio = <0x0>;
somc,pw-wait-after-off-touch-reset = <0x0>;
somc,pw-wait-after-off-touch-int-n = <0x0>;
somc,pw-down-period = <0x64>;
somc,lab-output-voltage = <0x588040>;
somc,ibb-output-voltage = <0x557300>;
somc,qpnp-lab-limit-maximum-current = <0xc8>;
somc,qpnp-ibb-limit-maximum-current = <0x320>;
somc,qpnp-lab-max-precharge-time = <0x1f4>;
somc,qpnp-lab-soft-start = <0x320>;
somc,qpnp-ibb-discharge-resistor = <0x12c>;
somc,qpnp-lab-pull-down-enable;
somc,qpnp-lab-full-pull-down;
somc,qpnp-ibb-pull-down-enable;
somc,qpnp-ibb-full-pull-down;
somc,ewu-wait-after-touch-reset = <0x28>;
somc,lk-on-skip;
qcom,esd-check-enabled;
qcom,mdss-dsi-panel-status-command = <0x6010001 0x500010a>;
qcom,mdss-dsi-panel-status-command-state = "dsi_lp_mode";
qcom,mdss-dsi-panel-status-check-mode = "reg_read";
qcom,mdss-dsi-panel-status-read-length = <0x1>;
qcom,mdss-dsi-panel-max-error-count = <0x3>;
qcom,mdss-dsi-panel-status-value = <0x9c>;
somc,change-fps-enable;
somc,change-fps-panel-type = "uhd_4k_type";
somc,change-fps-panel-mode = "susres_mode";
somc,change-fps-command = <0x39010000 0x6f0 0x55aa5208 0x390100 0x10 0xbd00ac0c 0xc000159 0x909010e 0xc0c00b4>;
somc,driver-ic-vdisp = <0x780>;
somc,driver-ic-rclk = <0x2625a00>;
somc,driver-ic-total-porch = <0xc>;
somc,change-fps-rtn-adj;
somc,change-fps-rtn-pos = <0x1 0x6>;
qcom,dynamic-mode-switch-enabled;
qcom,dynamic-mode-switch-type = "dynamic-resolution-switch-immediate";
qcom,dcs-cmd-by-left;
qcom,mdss-dsi-display-timings {
1080p {
qcom,mdss-dsi-timing-default;
qcom,mdss-dsi-panel-width = <0x21c>;
qcom,mdss-dsi-panel-height = <0x780>;
qcom,mdss-dsi-h-back-porch = <0x12c>;
qcom,mdss-dsi-h-pulse-width = <0x28>;
qcom,mdss-dsi-h-front-porch = <0x190>;
qcom,mdss-dsi-v-back-porch = <0xa>;
qcom,mdss-dsi-v-pulse-width = <0x2>;
qcom,mdss-dsi-v-front-porch = <0xc>;
qcom,mdss-dsi-panel-framerate = <0x3c>;
qcom,mdss-dsi-panel-timings = <0x1b0606 0xb110507 0x5030400>;
qcom,mdss-dsi-t-clk-post = <0x7>;
qcom,mdss-dsi-t-clk-pre = <0x29>;
qcom,mdss-dsi-on-command = [39 01 00 00 00 00 06 f0 55 aa 52 08 00 15 01 00 00 00 00 02 c9 01 15 01 00 00 00 00 02 90 00 15 01 00 00 00 00 02 58 01 39 01 00 00 00 00 06 f0 55 aa 52 08 07 15 01 00 00 00 00 02 ef 01 39 01 00 00 00 00 06 f0 55 aa 52 08 00 15 01 00 00 00 00 02 b4 01 39 01 00 00 00 00 10 bd 00 ac 0c 0c 00 01 56 09 09 01 01 0c 0c 00 d9 15 01 00 00 00 00 02 35 00 39 01 00 00 00 00 03 44 00 00 39 01 00 00 00 00 06 f0 55 aa 52 08 01 39 01 00 00 00 00 03 d4 88 88 39 01 00 00 00 00 05 ff aa 55 a5 80 15 01 00 00 00 00 02 6f 01 15 01 00 00 00 00 02 f3 10 39 01 00 00 00 00 05 ff aa 55 a5 00];
qcom,mdss-dsi-post-panel-on-command = <0x5010000 0x129 0x5010000 0x43000111>;
qcom,mdss-dsi-on-command-state = "dsi_lp_mode";
qcom,mdss-dsi-timing-switch-command = [39 00 00 00 00 00 06 f0 55 aa 52 08 00 15 00 00 00 00 00 02 c9 01 15 00 00 00 00 00 02 90 00 15 00 00 00 00 00 02 58 01 15 00 00 00 00 00 02 03 00 39 00 00 00 00 00 06 f0 55 aa 52 08 04 15 01 00 00 00 00 02 c0 03];
qcom,mdss-dsi-timing-switch-command-state = "dsi_lp_mode";
qcom,mdss-tear-check-sync-init-val = <0xf00>;
qcom,mdss-tear-check-start-pos = <0xf00>;
qcom,mdss-tear-check-rd-ptr-trigger-intr = <0xf01>;
qcom,config-select = <0x1b5>;
qcom,mdss-dsi-panel-clockrate = <0x3595a6c0>;
};
4k {
qcom,mdss-dsi-panel-width = <0x438>;
qcom,mdss-dsi-panel-height = <0xf00>;
qcom,mdss-dsi-h-back-porch = <0x68>;
qcom,mdss-dsi-h-pulse-width = <0x28>;
qcom,mdss-dsi-h-front-porch = <0x8c>;
qcom,mdss-dsi-v-back-porch = <0xa>;
qcom,mdss-dsi-v-pulse-width = <0x2>;
qcom,mdss-dsi-v-front-porch = <0xc>;
qcom,mdss-dsi-panel-framerate = <0x3c>;
qcom,mdss-dsi-panel-timings = <0x1b0606 0xb110507 0x5030400>;
qcom,mdss-dsi-t-clk-post = <0x7>;
qcom,mdss-dsi-t-clk-pre = <0x29>;
qcom,mdss-dsi-on-command = <0x15010000 0x290 0x3150100 0x2 0x3013901 0x0 0x6f055aa 0x52080415 0x1000000 0x2c003 0x39010000 0x6f0 0x55aa5208 0x7150100 0x2 0xef013901 0x0 0x6f055aa 0x52080015 0x1000000 0x2b401 0x15010000 0x235 0x390100 0x3 0x44000039 0x1000000 0x6f055 0xaa520801 0x39010000 0x3d4 0x88883901 0x0 0x5ffaa55 0xa5801501 0x0 0x26f0115 0x1000000 0x2f310 0x39010000 0x5ff 0xaa55a500>;
qcom,mdss-dsi-post-panel-on-command = <0x5010000 0x129 0x5010000 0x43000111>;
qcom,mdss-dsi-on-command-state = "dsi_lp_mode";
qcom,mdss-dsi-timing-switch-command = [39 00 00 00 00 00 06 f0 55 aa 52 08 00 15 00 00 00 00 00 02 c9 01 15 00 00 00 00 00 02 90 03 15 00 00 00 00 00 02 58 00 15 00 00 00 00 00 02 03 01 39 00 00 00 00 00 06 f0 55 aa 52 08 04 15 01 00 00 00 00 02 c0 03];
qcom,mdss-dsi-timing-switch-command-state = "dsi_lp_mode";
qcom,compression-mode = "dsc";
qcom,config-select = <0x1b6>;
qcom,mdss-tear-check-sync-init-val = <0xf00>;
qcom,mdss-tear-check-start-pos = <0xf00>;
qcom,mdss-tear-check-rd-ptr-trigger-intr = <0xf01>;
qcom,mdss-dsi-panel-clockrate = <0x3595a6c0>;
};
};
};
config0 {
qcom,split-mode = "dualctl-split";
linux,phandle = <0x1b5>;
phandle = <0x1b5>;
};
config1 {
qcom,mdss-dsc-encoders = <0x1>;
qcom,mdss-dsc-slice-height = <0x20>;
qcom,mdss-dsc-slice-width = <0x438>;
qcom,mdss-dsc-slice-per-pkt = <0x1>;
qcom,mdss-dsc-bit-per-component = <0x8>;
qcom,mdss-dsc-bit-per-pixel = <0x8>;
qcom,mdss-dsc-block-prediction-enable;
linux,phandle = <0x1b6>;
phandle = <0x1b6>;
};
A few things to note, although may only be of interest to geeks like me...
- Despite all of the marketing info, as far as I can tell it's still running 8bpc/24bpp, not any kind of 10 bit colour. I think HDR is more a case of a brighter backlight and software filtering rather than anything else.
- Based on the panel setup commands I suspect it uses the same driver chip (NT35950) as the Z5P panel
- Both the Z5P and this panel use compression to fit 4k video in the bandwidth available (not used in 1080p mode). The former uses Qualcomm's proprietary FBC, the latter uses the newer VESA DSC. I think this may lead to slightly better quality in 4k mode, although the difference would probably never be visible.
The device tree only gives limited information about the camera, most of the camera configuration is done in a shared library (libcammw.so) which I'm also investigating. It would certainly be nice if you could tweak it to trade off framerate/resolution/record time like a pro HS camera.

In general is this all bad news?

I wouldn't necessarily say so - the lack of true 10 bit colour is a bit disappointing but I'm not sure how much difference it really makes.

Related

Object Store

Recently, I took a copy of the object store in my PPC. I am trying to figure out the structure to the header:
Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F
00000000 01 00 00 00 45 4B 49 4D 45 4B 49 4D 00 E0 0A 92 ....EKIMEKIM.à.’
00000010 00 B0 BD 03 00 40 00 00 00 00 00 00 00 00 00 00 .°½[email protected]
00000020 00 00 00 00 00 B0 CA 93 00 D0 6C 95 00 50 00 42 .....°Ê“.Ðl•.P.B
00000030 00 00 00 00 03 00 00 00 CA 00 00 00 00 00 00 00 ........Ê.......
00000040 00 09 04 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000060 00 00 00 00 01 00 00 00 54 EE 05 42 96 02 00 00 ........Tî.B–...
00000070 02 00 00 00 01 00 00 00 AC E8 05 42 60 0A 00 50 ........¬è.B`..P
00000080 04 00 00 00 01 00 00 00 C0 EF 5E 42 0D 00 00 00 ........Àï^B....
00000090 04 00 00 00 01 00 00 00 C4 EF 5E 42 00 00 00 00 ........Äï^B....
000000A0 04 00 00 00 01 00 00 00 E4 39 56 42 00 00 00 00 ........ä9VB....
000000B0 04 00 00 00 01 00 00 00 38 31 56 42 00 00 00 00 ........81VB....
000000C0 04 00 00 00 01 00 00 00 3C 31 56 42 77 01 C4 6E ........<1VBw.Än
000000D0 04 00 00 00 01 00 00 00 DC 39 56 42 28 02 9A 9B ........Ü9VB(.š›
000000E0 04 00 00 00 01 00 00 00 E0 39 56 42 33 31 6F 31 ........à9VB31o1
000000F0 04 00 00 00 01 00 00 00 C8 68 41 42 7D E1 55 10 ........ÈhAB}áU.
00000100 04 00 00 00 01 00 00 00 74 3E 4E 42 3D 16 00 00 ........t>NB=...
00000110 04 00 00 00 01 00 00 00 78 3E 4E 42 04 00 0C 00 ........x>NB....
As you can see, there is a structure to it and I don't know where it is defined. Please help.

Did you try comparing it to any of the structures in Platform Builder?

HTC Camera Counter

Good evening again peoples,
Last thing I'm sorting out on the phone after the rom upgrade it the camera. just spent the last two hours sorting out all the file names and order of my images and put them on the phone again.
However the camera's counter is set to 1. I found a tweak on the Polaris forum
schaggo said:
Ok guys, I got a tricky one: how to set the camera image counter to a custom value?
Everytime I hardreset my Polaris the damn application starts counting up from IMG0001.JPG again... HTF can I manually set that to the latest picture taken?
Edit: Was a tricky one but I solved it myself. Under [HKEY_CURRENT_USER\Software\HTC\Camera\5.04\Preferences] you'll find an entry VALUES. Change bit 0068 to the desired value in hex. Example: Mine was 06 and resulted in IMG0006.JPG, I now changed to 74 which equals 116 in hex, my next pic will be named IMG0116.JPG
Got it?
Click to expand...
Click to collapse
But there isn't 5.04 folder on my Nike. Is there anyone that could tell me what to do?!
I've managed to sort out the registry so that the phone saves to Storagecard/mydoc~/mypictures. And also has a prefix of Image_ I just need help with this one last thing!
Thanks in advance!

nowimboard said:
But there isn't 5.04 folder on my Nike.
Click to expand...
Click to collapse
The key will match the camera version in your ROM - for example, I've got a key 5.06. Just look inside whatever key you have.

Thanks!
I cant believe how dim I was! I know that I'm just starting out with flashing roms and editing registries.. but I had a "blonde" moment
"HKEY_CURRENT_USER" isn't listing on my phone, but HKCU is...
Thanks!!!!!
EDIT: Anyone know what the correct HEX for 402 is? On line calculators are telling me 192 however the phone is telling me that "192" isn't a valid string! Isn't it supposed to have letters in?

nowimboard said:
Thanks!
I cant believe how dim I was! I know that I'm just starting out with flashing roms and editing registries.. but I had a "blonde" moment
"HKEY_CURRENT_USER" isn't listing on my phone, but HKCU is...
Thanks!!!!!
EDIT: Anyone know what the correct HEX for 402 is? On line calculators are telling me 192 however the phone is telling me that "192" isn't a valid string! Isn't it supposed to have letters in?
Click to expand...
Click to collapse
I haven't looked at it but I would guess that the reg key is divided up into 2 character bits each of which will go up to a maximum of FF (255 in decimal).
So, yes 192 is hex for 402 but you can't set one bit that high.
Just what I expect to be the case.

randomelements said:
I haven't looked at it but I would guess that the reg key is divided up into 2 character bits each of which will go up to a maximum of FF (255 in decimal).
So, yes 192 is hex for 402 but you can't set one bit that high.
Just what I expect to be the case.
Click to expand...
Click to collapse
Thank you for your help RandomE,
I'll think I'll PM schaggo to see if he can offer any suggestions.
So do you think that you would split up the 192 Hex code to "FF" & "93"?

whoa guys, somebody actually called for my help, yay!
ok, I reflashed my polaris with the Syrius-ROM and didnt look at this issue any longer. I never got over like pic 200 or so, so it never really was an issue to me. But good question, what about numbers higher than 255...?
I'll recheck the registry values and see what I find out. It could very well be that itll turn FF00, ff01, ff02 and so on...

Ok, found out how it works:
Bit 68 is the pic number in hex. Once it reaches 255 eg FF, bit 69 turns one up. So bit 68 is the running number while bit 69 is the index for bit 68. Example:
Code:
Pic 68 69
220 DC 00
221 DD 00
223 DE 00
...
254 FE 00
255 FF 00
256 00 01 <--!
257 01 01
258 02 01
...
510 FF 01 (510 = 255+255 = FF+FF)
511 00 02
...

schaggo said:
Ok, found out how it works:
Bit 68 is the pic number in hex. Once it reaches 255 eg FF, bit 69 turns one up. So bit 68 is the running number while bit 69 is the index for bit 68. Example:
Code:
Pic 68 69
220 DC 00
221 DD 00
223 DE 00
...
254 FE 00
255 FF 00
256 00 01 <--!
257 01 01
258 02 01
...
510 FF 01 (510 = 255+255 = FF+FF)
511 00 02
...
Click to expand...
Click to collapse
You Genius!
So my reg value was:
00 00 00 00 05 00 00 00
05 00 00 00 05 00 00 00
03 00 00 00 03 00 00 00
03 00 00 00 01 00 00 00
03 00 00 00 05 00 00 00
03 00 00 00 03 00 00 00
03 00 00 00 01 00 00 00
03 00 00 00 00 00 00 00
03 00 00 00 03 00 00 00
03 00 00 00 00 00 00 00
90 01 00 00 40 1F 00 00
02 10 00 5A 01 02 01 01
11 00 00 00 01 00 00 00
01 00 00 00 01 00 00 00
01 00 00 00 00 00 00 00
00 02 00 02 09 11 20 00
45 46 00 00 28 00 00 00
05 20 00 00 01 00 00 00
00 00 00 00 C0 27 09 00
01 00 00 00 00 00 00 00
And for the image value to be 415 to get the Hex values I did 415-225=190 which is BE in HEX so I did this:
00 00 00 00 05 00 00 00
05 00 00 00 05 00 00 00
03 00 00 00 03 00 00 00
03 00 00 00 01 00 00 00
03 00 00 00 05 00 00 00
03 00 00 00 03 00 00 00
03 00 00 00 01 00 00 00
03 00 00 00 00 00 00 00
03 00 00 00 03 00 00 00
03 00 00 00 00 00 00 00
90 01 00 00 40 1F 00 00
02 10 00 5A 01 02 01 01
BE 01 00 00 01 00 00 00
01 00 00 00 01 00 00 00
01 00 00 00 00 00 00 00
00 02 00 02 09 11 20 00
45 46 00 00 28 00 00 00
05 20 00 00 01 00 00 00
00 00 00 00 C0 27 09 00
01 00 00 00 00 00 00 00
!!! YAY !!!
EDIT: I set the vale to BD as when the valve was BE the picture came out as 416.
Thank you so much!!!

Damit, judging by the time of posts, it took me half an hour to find something that simple out AAAARRRGH...!
Have fun guys
Hope it helps some others as well...!

schaggo said:
Damit, judging by the time of posts, it took me half an hour to find something that simple out AAAARRRGH...!
Have fun guys
Hope it helps some others as well...!
Click to expand...
Click to collapse
Thank you again!

Help Please!
I have very little knowledge of hex. I was hoping someone here could give me a hand with changing my counter to 92.
Here is my hex for [HKEY_CURRENT_USER\Software\HTC\Camera\5.04\Preferences\Values] as i see it in phm regedit.
00 00 00 00 05 00 00 00 05 00 00
00 05 00 00 00 03 00 00 00 03 00
00 00 03 00 00 00 01 00 00 00 03
00 00 00 05 00 00 00 03 00 00 00
03 00 00 00 03 00 00 00 01 00 00
00 03 00 00 00 00 00 00 00 03 00
00 00 03 00 00 00 03 00 00 00 00
00 00 00 03 00 00 00 90 01 00 00
90 01 00 00 40 1F 00 00 02 10 00
55 04 02 01 01 3C 00 00 00 01 00
00 00 01 00 00 00 01 00 00 00 01
00 00 00 00 00 00 00 00 02 00 02
49 11 20 00 05 46 00 00 28 00 00
00 07 00 00 00 01 00 00 00 01 00
00 00 C0 27 09 00 01 00 00 00 00
00 00 00 01 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 01 00 00
00 00 00 00 00
Advance THANKS

With my Touch Pro2 I found out that byte 109 and 110 are the right ones for this solution.

thanks for this tip !

Obtain Hidden APN Details from Telstra handset

Hi everyone,
A carrier in my country (Telstra) has recently started offering all-you-can-eat activesync plans, however they have placed a limitation on which handsets you can use, by way of a hidden APN in the phone's ROM, meaning you can only use their approved handsets, purchased from them.
What I am hoping is that there is a way to obtain the APN details from the handset or the ROM directly, so I can populate the APN into my 'unsupported' device and take advantage of the offering, as it would suit my needs perfectly. I believe I have located the registry entry under RASBOOK that correlates to the APN, however lack the necessary skills to decrypt it.
Does anyone here know how to, or know a better way to get the APN details from the handset so I can use it in my hardware that I already own, as I do not wish to purchase a new handset just for the sake of utilising the plan. The HEX value of the key is as follows:
00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 F8 07 F5 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 7E 00 47 00 50 00 52 00 53 00 21 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 F6 D1 93 01 C4 F0 91 0D 4C 14 FB 03 65 00 00 00 4C F5 91 0D 4C F5 91 0D 86 CF 93 01 00 00 00 00 00 00 00 00 FF FF FF FF 00 00 00 00 10 00 00 00 04 00 00 00 40 32 23 00 74 21 92 4E 4C DE 01 00 20 26 04 00 F2 F0 BE 8F 00 00 90 4E 00 00 04 00 00 00 00 00 00 00 90 4E 00 00 04 00 00 00 90 4E CC BB F6 03 00 00 00 00 00 00 00 00 E8 72 70 04 00 00 07 04 00 00 6E 04 A0 00 00 00 B0 00 00 00 00 00 00 04 00 00 00 00 BC BE F6 03 00 00 00 00 A0 00 00 00 01 00 00 00 18 72 70 04 68 C1 F6 03 20 72 70 00 A8 F1 91 0D 3A 72 70 00 2A 72 70 00 40 E3 69 00 A0 F3 6F 00 F4 B3 F6 03 B0 D4 69 00 8C 1B F5 03 F0 8E 04 00 E8 72 70 04 68 C1 F6 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 6D 00 6F 00 64 00 65 00 6D 00 00 00 01 00 00 00 AC F1 91 0D F0 72 70 00 00 00 00 00 00 00 00 00 02 00 43 00 65 00 6C 00 6C 00 75 00 6C 00 61 00 72 00 20 00 4C 00 69 00 6E 00 65 00 00 00 00 80 F0 40 05 00 01 00 00 00 C8 67 02 00 10 F2 91 0D 02 00 00 80 02 00 00 00 00 00 00 00 06 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 01 07 00 F0 40 05 00 F4 F2 91 0D 00 00 00 0C 02 00 00 80 15 00 00 00 40 03 00 00 43 03 00 00 43 04 00 00 44 04 00 00 7B 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 F0 E1 D2 C3 F0 E1 D2 C3 64 B0 00 00 F8 F2 91 0D 00 00 00 00 F8 F2 91 0D DC 04 6A 03 00 00 00 00 00 00 00 00 78 D7 94 01 94 F7 91 0D E0 7B F9 03 35 F3 91 0D C8 01 00 00 F8 F2 91 0D 42 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 E1 F7 2B 5A 20 1F 00 C3 4D 56 9A 4D 4B EB 77 28 DE DB 0A 30 00 00 28 CA 96 D6 8F 99 03 01 00 00 00 00 00 00 F8 F2 91 0D 54 C6 F8 03 E0 C9 93 01 30 D9 94 01 E8 C1 F3 01 C0 CB F8 03 F8 F2 91 0D 24 21 6A 03 60 14 F7 03 E0 C9 93 01 E0 C9 93 01 5C 21 6A 03 63 00 65 00 6C 00 6C 00 75 00 6C 00 61 00 72 00 20 00 74 00 61 00 70 00 69 00 20 00 73 00 65 00 72 00 76 00 69 00 63 00 65 00 20 00 70 00 72 00 6F 00 76 00 69 00 64 00 65 00 72 00 00 00 6E 04 BC 00 00 00 D0 00 00 00 00 00 00 04 00 00 00 00 BC BE F6 03 00 00 00 00 BC 00 00 00 01 00 00 00 E8 72 70 04 68 C1 F6 03 F0 72 70 00 00 00 00 00 0A 73 70 00 FA 72 70 00 40 E3 69 00 A0 F3 6F 00 F4 B3 F6 03 B0 D4 69 00 8C 1B F5 03 F0 8E 04 00 01 00 00 00 30 01 07 00 00 00 00 00 03 00 00 00 30 01 07 00 00 00 00 00 88 21 92 4E 00 00 00 00 00 00 00 00 30 01 07 00 00 00 00 00 9C 95 04 00 01 00 00 00 C4 F3 91 0D 00 00 00 00 00 00 00 00 03 00 00 00 50 09 6A 03 30 01 07 00 88 21 92 4E 06 00 00 00 02 00 00 00 00 00 00 00 A0 F4 91 0D 84 42 02 00 03 00 00 00 F0 40 05 00 50 09 6A 03 00 00 00 00 10 6C 02 00 28 F4 91 0D 4E 00 00 00 02 00 00 00 00 00 00 00 06 00 00 00 F0 40 05 00 00 00 00 00 00 00 00 00 01 00 00 00 44 DB 94 0D 30 01 07 00 F0 40 05 00 00 00 00 00 00 10 00 00 02 00 00 80 15 00 00 00 40 03 00 00 43 03 00 00 43 04 00 00 44 04 00 00 7B 04 00 00 30 00 92 0D 4E 00 00 00 60 00 00 00 44 DB 94 01 00 00 00 0C CC 9D FE 8F 1A 00 00 00 00 00 00 00 74 71 D4 8E 10 CF 93 01 00 00 00 0C 4C 35 68 8F 0F 00 00 00 00 00 00 00 74 71 D4 8E 10 9D 47 80 20 DD 7E 8E 4C 35 68 8F 0F 00 00 00 38 FE 00 F0 E8 F4 91 0D 38 5A 02 80 0F 00 00 00 10 CF 93 01 C4 B3 00 F0 E8 C1 F3 01 DC 04 6A 03 00 00 00 00
When converted to ascii, it makes no sense to me. Is what I want to do possible?
Cheers

*Shameless Bump*
Can anyone shed any light on this. I have spoken to some other users who are looking for similar info.

[Q] compressed XPRS image and WinCE 6.0 in qemu/emulator ?

Hi,
from the firmware upgrade of an ARM9 Windows Embedded CE 6.0 Device, I was able to extract a number of files, including the kernel image (NK.BIN.COMP).
However, with tools such as osnbtool, ImgfsToDump or ImgFsTools I was unable to decompress the image.
The image starts with:
Code:
00000000 58 50 52 53 e7 8b 26 01 16 89 00 00 05 00 01 00 |XPRS..&.........|
00000010 42 30 30 30 46 46 0a 00 10 36 80 50 10 2b 01 39 |B000FF...6.P.+.9|
00000020 00 04 00 00 00 eb 01 00 00 fe 03 00 ea 40 78 00 |[email protected]|
00000030 08 78 00 00 00 05 00 63 03 00 00 45 43 45 43 7c |.x.....c...ECEC||
00000040 f6 60 81 48 1c 01 8d 18 01 7c e6 2a 01 00 20 36 |.`.H.....|.*.. 6|
00000050 80 64 de 00 00 11 c5 47 00 02 04 00 00 d3 00 a0 |.d.....G........|
00000060 e3 00 f0 21 e1 0c 00 9f e5 10 0f 01 ee 87 15 00 |...!............|
00000070 eb 83 18 00 f8 37 00 ea 78 10 00 c0 b0 01 00 10 |.....7..x.......|
00000080 80 97 0a 7c 75 97 4e 39 00 02 18 00 20 18 00 08 |...|u.N9.... ...|
00000090 66 18 00 5a b8 00 d8 02 b9 00 07 00 0f 0f 6b 65 |f..Z..........ke|
000000a0 72 6e 65 6c 2e 64 6c 6c 7b 00 33 40 00 00 c4 04 |rnel.dll{[email protected]|
000000b0 4b 00 01 41 44 00 50 10 40 09 05 59 00 4c 53 5a |[email protected]|
000000c0 00 78 20 03 59 00 ec 10 29 80 f0 08 04 01 4b 5a |.x .Y...).....KZ|
000000d0 00 5a 03 04 52 54 58 00 39 81 00 00 81 24 0b 90 |.Z..RTX.9....$..|
000000e0 5f 00 c9 d0 5f 00 30 4c e0 5b 00 86 11 00 13 ba |_..._.0L.[......|
000000f0 50 58 00 44 4c 00 0b 10 20 00 cc a0 00 00 05 4e |PX.DL... ......N|
I suppose this is the Xpress compression format that is used in Win CE 6.0 ?
Are there any tools available that can decompress this image ?
Also, I would like to know which emulators you use to test out Win CE images.
I tried qemu-system-arm with the ARM926EJ-S core emulation, but it didn't work so far.
Ultimately, I would like to be able to boot into the image I extracted from the firmware upgrade and start a remote debugger inside the image, so that I can step through the code.
cheers,
knossos2

Hi,
as I already knew that the image was a Windows Embedded CE 6.0 image, I installed Platform Builder and other required development components.
My plan was to find out how the NK.BIN.COMP image is decompressed by the WinCE 6.0 loader.
It turned out, that the file had just been compressed with the WinCE 6.0 bincompress.exe tool (PUBLIC/COMMON/OAK/BIN/I386/bincompress.exe).
Although at least some of the tools I tried previously had compression support by using the WinCE libraries, it didn't work.
My best guess is that the libraries were for older versions of WinCE and thus it didn't work.
So, if you ever see "XPRS" at the start of a WinCE file, it has been compressed with bincompress.exe
I'm now trying to run the decompressed image either in qemu or in the MS Device Emulator.
I guess the Device Emulator will be the easier way.
Cheers,
knossos2

Easily Moddable HDMI Capture box

This looks like one of the most easily moddable/hackable boxes I have ever seen. It is sold by a UK company Maplin and is called a "Maplin Game Capture HD" .
(Sorry in order to get through the new user limitation on posting links I have had to horribly mangle my links)
world wide web dot maplin dot co dot uk /p/maplin-game-capture-hd-a84qu
It is a (cheap) HDMI capture box up to 1080p that has three modes capture to SD card, stream to network and capture to PC via USB. For game play, but can capture any HDMI input (non-HDCP).
The reason it's potentially easily moddable is that a telnet to port 23 in network mode gives you a root shell on it straight away. With a fully writeable root file system.
So far I have used this to start an FTP daemon that lets me FTP files straight from the SD Card though the NIC is a bit slow. Stole the command from their /plbin/start_ftpd.sh file and run "tcpsvd -vE 0.0.0.0 21 ftpd -w /".
There is a also a web interface for debug, that can be started with cd /plbin; ./test_web.sh. I may have had to set the WEBPAGE_LANGUAGE to "en" in nvram, to allow it to start. "/bin/plnvram wr WEBPAGE_LANGUAGE en"
The admin password for the web interface is just blank.
Very interestingly, if you use their app to display the streamed content from this device it allows you to see HDCP content, just not record it. I have so far had no need to look into this.
Lots of other functionality looks just commented out in the configs.
The web interface tells me this device is actually a SIGMA-PL330B,
world wide web marketwired dot com /press-release/sigma-designs-introduces-new-hd-video-encoder-technology-1518168.htm
And may well be the same (or a repackaged) version of this box
world wide web dot maxmediatek dot com pd-page/MM_V.htm
HS602 as they seem to use the same app to display the stream.

{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
Here it is!
Your LINK
Ebay LINK
.

Did you come across anything that allowed you to record using software other than VivaStation?

I didn't but I haven't looked to hard, as recording to SD card was all I needed.

Hi - I've been looking for a way to start the streaming on this box by command line when logged into the box via telnet, but no real luck.

joemensor said:
Hi - I've been looking for a way to start the streaming on this box by command line when logged into the box via telnet, but no real luck.
Click to expand...
Click to collapse
I bought this from Maplin, but had to return the first one for a refund as I could not get the software to install on W10 (even with .net 3.5 installed), just kept throwing an error in Chinese! After looking online for replacements that do the same thing, costing between £80-250 (even the used ones, granted they do proper 1080 over Ethernet), I decided in the end to buy the box again, but from ebay...
This time I did manage to get the ShareView software installed on another machine after I spent a day installing windows 7 on it (it's an old machine + 235 updates!)..
Anyway, the commands the shareview software sends (via telnet) to get it to stream over ethernet seem quite straightforward..
First it "uploads" a config file with the contents..
Code:
SystemControl-StreamType ts
SystemControl-StreamData video+audio
SystemControl-Profile extended
SystemControl-Level 4
SysFunction-Function encode
SysFunction-Video h264
SysFunction-Audio audio
PictureResolution-InPicWidth 1920
PictureResolution-InPicHeight 1080
OutPictureResolution-OutPicWidth 640
OutPictureResolution-OutPicHeight 480
SystemControl-XferMode frame
SystemControl-SpsrFreq 1
SystemControl-FFMode frame
SystemControl-VMode cavlc
RateControl-Vbr 0
RateControl-Mode viu
RateControl-AvgBitRate 3000
VbrBitRate-MinBitRate 4285
VbrBitRate-MaxBitRate 3600
GopLoopFilter-IntraPeriod 30
GopLoopFilter-BNum 0
GopLoopFilter-Idr close
InputControl-ScanFormat progressive
InputControl-SrcMode hdmi
InputControl-SyncMode 0
InputControl-DataType raw
InputControl-InFrameRate 60
InputControl-OutFrameRate 30
InputControl-Fmt progressive
InputControl-CkEdge positive
DeInterlace-mode none
FilterControl-StartPixel 0
FilterControl-StartLine 0
SysLink-VideoInput viu
SysLink-VideoOutput host
SysLink-AudioInput aiu
SysLink-AudioOutput host
AudioControlParam-AudioType aac
AudioControlParam-SampleRate 48k
AudioControlParam-ChNum 2
AudioControlParam-LrclkI high
AudioControlEx-AacVer mpeg2
AudioControlEx-HType adts
AudioControlEx-CutoffFreq 18000
AudioControlEx-TNS 1
AudioControlEx-IS 1
AudioControlEx-PNS 1
AudioControlEx-MS 1
to /plbin/hs_enc_ts.cfg
And then launches the following command, three times, not sure why but it does., because when I run it, it only needs to be ran once..
Code:
/plbin/plstrm enc config /plbin/hs_enc_ts.cfg oudp <IP ADDRESS> oport 8085 reduceprintf nouserinput
That's all I know for now, will update if I find anything new to report =D

Hi mpmc - I think it does more than just uploads that file and runs the plstrm executable. Somehow it also passes the stream settings too. I feel I am getting somewhere, but still not able to kick off the streaming via the command line.

joemensor said:
Hi mpmc - I think it does more than just uploads that file and runs the plstrm executable. Somehow it also passes the stream settings too. I feel I am getting somewhere, but still not able to kick off the streaming via the command line.
Click to expand...
Click to collapse
Sorry for such a late reply.
I'm guessing by stream settings you mean the settings that upload to places like youtube? If so, I'm not sure myself as I don't need it for that function, but I will have a go & see if I can figure it out, but hopefully somebody has already worked it out by now.

Sorry for necroposting, but this thread hid me right on the spot. I got this box (in the form of Startech's overpriced variant), mainly for its standalone streaming to RTMP, but also as it has SD recording and HDMI capture (which I needed exactly, and nothing else).
The 720P streaming is horrible - bad codec settings (bitrates and gop probably), which means that 720P looks like 320x240 upscaled. So I opened the box to find a board number, so maybe some hack would pop up.. But telnet? - This is golden
Before I start reverse engineering (I don't really have any experience with telnet or *nix based stuff), maybe someone here worked out the details and would like to share?
TLDR. How do I set up the streaming codec settings via telnet and make them stick?

adomas said:
Sorry for necroposting, but this thread hid me right on the spot. I got this box (in the form of Startech's overpriced variant), mainly for its standalone streaming to RTMP, but also as it has SD recording and HDMI capture (which I needed exactly, and nothing else).
The 720P streaming is horrible - bad codec settings (bitrates and gop probably), which means that 720P looks like 320x240 upscaled. So I opened the box to find a board number, so maybe some hack would pop up.. But telnet? - This is golden
Before I start reverse engineering (I don't really have any experience with telnet or *nix based stuff), maybe someone here worked out the details and would like to share?
TLDR. How do I set up the streaming codec settings via telnet and make them stick?
Click to expand...
Click to collapse
Glad I'm not the only one still playing with this box.
I did have a go at working out the protocol used between the box and the software, I got as far as understanding how they find each other. The software makes a UDP broadcast to 255.255.255.255 on port 8086 with the message "HS602". The box then sends a UDP message ("YES") back, direct to the caller on the same port. The box then opens tcp port 8087 to which the software connects & they converse..
Sample of their conversation goes like this..
Client to box..
Code:
00000000 38 01 af 00 8c e0 af 00 68 54 d1 6b ff ff ff 8....... hT.k...
0000000F 32 01 af 00 00 00 00 00 50 df af 00 8c e0 af 2....... P......
0000001E 01 00 03 00 4c d5 af 00 8c e0 af 00 68 54 d1 ....L... ....hT.
0000002D 32 01 db 02 7c df af 00 3e ee 73 6a 00 00 00 2...|... >.sj...
0000003C 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
0000004B 0f 01 00 00 f0 e6 af 00 bc e8 af 00 68 54 d1 ........ ....hT.
0000005A 04 01 00 00 0c e7 af 00 bc e8 af 00 68 54 d1 ........ ....hT.
00000069 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
00000078 0f 01 ec 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
00000087 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
00000096 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
000000A5 0f 01 ee 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
000000B4 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
000000C3 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
000000D2 0f 01 ef 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
000000E1 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
000000F0 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
000000FF 0f 01 f0 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
0000010E 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
0000011D 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
0000012C 0f 01 f2 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
0000013B 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
0000014A 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
00000159 0f 01 f3 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
00000168 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
00000177 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
00000186 0f 01 f4 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
00000195 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
000001A4 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
000001B3 0f 01 f5 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
000001C2 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
000001D1 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
000001E0 0f 01 f6 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
000001EF 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
000001FE 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
0000020D 0f 01 f7 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
0000021C 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
0000022B 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
0000023A 0f 01 f8 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
00000249 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
00000258 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
00000267 0f 01 f9 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
00000276 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
00000285 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
00000294 0f 01 fa 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
000002A3 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
000002B2 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
000002C1 0f 01 fb 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
000002D0 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
000002DF 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
000002EE 0f 01 fe 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
000002FD 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
0000030C 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
0000031B 0f 01 ff 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
0000032A 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
00000339 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
00000348 0f 01 00 03 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
00000357 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
00000366 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
00000375 0f 01 01 03 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
00000384 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
00000393 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
000003A2 0f 01 02 03 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
000003B1 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
000003C0 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
000003CF 0f 01 03 03 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
000003DE 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
000003ED 32 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 2....... H...O.t
000003FC 0f 01 ec 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
0000040B 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
0000041A 32 01 d9 02 b8 f0 e6 02 48 e7 af 00 4f e7 74 2....... H...O.t
00000429 0f 01 ed 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
00000438 04 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
00000447 32 01 d9 02 b8 f0 e6 02 48 e7 af 00 4f e7 74 2....... H...O.t
00000456 0f 01 ee 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
box to client
Code:
00000000 38 01 af 00 8c e0 af 00 68 54 d1 6b ff ff ff 8....... hT.k...
0000000F 01 01 af 00 00 00 00 00 50 df af 00 8c e0 af ........ P......
0000001E 01 00 03 1b 4c d5 af 00 8c e0 af 00 68 54 d1 ....L... ....hT.
0000002D 01 01 db 02 7c df af 00 3e ee 73 6a 00 00 00 ....|... >.sj...
0000003C 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
0000004B 00 01 00 00 f0 e6 af 00 bc e8 af 00 68 54 d1 ........ ....hT.
0000005A 1b 01 00 00 0c e7 af 00 bc e8 af 00 68 54 d1 ........ ....hT.
00000069 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
00000078 00 01 ec 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
00000087 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
00000096 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
000000A5 00 01 ee 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
000000B4 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
000000C3 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
000000D2 00 01 ef 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
000000E1 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
000000F0 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
000000FF 00 01 f0 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
0000010E 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
0000011D 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
0000012C 00 01 f2 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
0000013B 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
0000014A 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
00000159 00 01 f3 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
00000168 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
00000177 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
00000186 00 01 f4 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
00000195 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
000001A4 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
000001B3 00 01 f5 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
000001C2 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
000001D1 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
000001E0 00 01 f6 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
000001EF 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
000001FE 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
0000020D 00 01 f7 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
0000021C 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
0000022B 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
0000023A 00 01 f8 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
00000249 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
00000258 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
00000267 00 01 f9 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
00000276 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
00000285 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
00000294 00 01 fa 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
000002A3 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
000002B2 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
000002C1 00 01 fb 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
000002D0 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
000002DF 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
000002EE 00 01 fe 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
000002FD 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
0000030C 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
0000031B 00 01 ff 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
0000032A 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
00000339 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
00000348 00 01 00 03 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
00000357 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
00000366 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
00000375 00 01 01 03 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
00000384 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
00000393 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
000003A2 00 01 02 03 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
000003B1 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
000003C0 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
000003CF 00 01 03 03 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
000003DE 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
000003ED 01 01 d9 02 14 10 e7 02 48 e7 af 00 4f e7 74 ........ H...O.t
000003FC 00 01 ec 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
0000040B 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
0000041A 01 01 d9 02 b8 f0 e6 02 48 e7 af 00 4f e7 74 ........ H...O.t
00000429 00 01 ed 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
00000438 1b 01 d9 02 98 84 d9 02 00 00 00 00 00 00 00 ........ .......
00000447 01 01 d9 02 b8 f0 e6 02 48 e7 af 00 4f e7 74 ........ H...O.t
00000456 00 01 ee 02 e4 00 0b 00 01 00 00 00 00 00 00 ........ .......
I have no clue as to what this is! Hopefully you'll have better luck trying to decode it!

What I found so far, is that when I set up FTP the way OP posted, I can access the whole file system. I have copied it all, and am trying to find where the stream settings are stored. The mentioned cfg file does not exist though. If that works, I'll just make some custom app, that will telnet to open ftp, and upload my settings every time. However I am currently trying to just work out the basics of telnet controlling a linux system. None of the tutorials online help at all, but I found, that I can execute commands that are compiled packages in the operating folder. So far that helped for nothing I found a qzip thing in it, so maybe I will image the filesystem a little more properly than over ftp.
How could I listen the telnet communication between ShareView and the HS602? Btw - both of your pasted pieces are the same - intentional or mistake?
It also seems, that there is a whole settings web interface in plbin\www\, but I don't yet understand how to set up the webserver.

After finally launching the webserver I found that the website is some sample design and while it saves it's settings, they have no relation to the operation of the device. Going back to searching where ShareView puts it's settings and how to change them.

adomas said:
What I found so far, is that when I set up FTP the way OP posted, I can access the whole file system. I have copied it all, and am trying to find where the stream settings are stored. The mentioned cfg file does not exist though. If that works, I'll just make some custom app, that will telnet to open ftp, and upload my settings every time. However I am currently trying to just work out the basics of telnet controlling a linux system. None of the tutorials online help at all, but I found, that I can execute commands that are compiled packages in the operating folder. So far that helped for nothing I found a qzip thing in it, so maybe I will image the filesystem a little more properly than over ftp.
How could I listen the telnet communication between ShareView and the HS602? Btw - both of your pasted pieces are the same - intentional or mistake?
It also seems, that there is a whole settings web interface in plbin\www\, but I don't yet understand how to set up the webserver.
Click to expand...
Click to collapse
The stream settings aren't stored anywhere as far as I can tell, it gets sent to the running plkw binary, which appears to be the "server" for the software. This is what handles the upload to the receiving rtmp server, receiving of the encoder config, etc.
I used Wireshark to intercept the chatter between the software & the box. Yes, I know they're the same, I'm assuming it's just an echo.
I'd actually bricked mine by disabling the auto.sh scripts & ended up with no network. Thankfully mine has serial/uart pins populated & I was able to reverse the changes! Took me a while to figure the pinout (no meter) and why some chars weren't registering (needs parity set to EVEN).
Code:
Pinout starting from back of the SD card slot (Look underneath for the square pin).
[ 1 ][ 2 ][ 3 ][ 4 ]
1 = VCC (5v) - If not powered by usb it'll crash if ethernet is connected shortly after boot.
2 = TX
3 = RX
4 = GND
Will update if I find anything else out.

mpmc said:
The stream settings aren't stored anywhere as far as I can tell
Click to expand...
Click to collapse
The thing is that it does work as the manual says - set it up, and then it can be used standalone, even after a reboot. Some kind of settings seem to be in the binaries plkw, plstrm and quite a few others, stored in plain text (echo texts maybe?)
mpmc said:
Thankfully mine has serial/uart pins populated & I was able to reverse the changes!
Click to expand...
Click to collapse
Good to know. I thought that looked like some JTAG.. Did you go via telnet there as well?

Could you elaborate on how did you find what file and what command it sends over telnet? (The ones mentioned in #6)

Could you elaborate on how did you find what file and what command it sends over telnet? (The ones mentioned in #6)
Click to expand...
Click to collapse
By killing the already running plkw process on the box & running it again, you get to see what it outputs when they talk. That output is from wireshark.
adomas said:
The thing is that it does work as the manual says - set it up, and then it can be used standalone, even after a reboot. Some kind of settings seem to be in the binaries plkw, plstrm and quite a few others, stored in plain text (echo texts maybe?)
Click to expand...
Click to collapse
Yes, it appears that I was wrong, it does in fact store them, it writes them to memory (I'm guessing to the nvram block (see cat /proc/mtd)). I only found this out after watching the plkw binary via serial & by chance running "plnvram list" which makes the running plkw (not plnvram) print out it's current config.
The values set are
Code:
rd = read
/bin # plnvram rd username
username = http://foo.com
/bin # plnvram rd password
password = ONETWO
Good to know. I thought that looked like some JTAG.. Did you go via telnet there as well?
Click to expand...
Click to collapse
I'm not sure what you mean via telnet. you connect the pins to your ttl/uart serial converter (I used this one) & which drops into sh on tty0.

mpmc said:
Yes, it appears that I was wrong, it does in fact store them, it writes them to memory (I'm guessing to the nvram block (see cat /proc/mtd)). I only found this out after watching the plkw binary via serial & by chance running "plnvram list" which makes the running plkw (not plnvram) print out it's current config.
The values set are
Code:
rd = read
/bin # plnvram rd username
username = http://foo.com
/bin # plnvram rd password
password = ONETWO
Click to expand...
Click to collapse
To be fair, I actually don't really understand what you did here exactly. I don't have an uart usb adapter handy to try. But it brought me some (a lot actually) random pieces of understanding
I am unable to make it list out plnvram contents, only rd exact variables. I found a lot of those in plnvram_default.dat, but those appear to be useless. They are the values stored by the web interface and have nothing to do with ShareView settings, or how the box encodes the stream when its button is pressed. What I really want to find, is what variable names are used for ShareView settings (other than password, username, which are the places I can put RTMP link into).
ShareView has two dropboxes "Outputsize" and "bitrate", which I assume generates a quite few lines to plnvram that include exact encoding settings. Could you by any chance find where those fall into?

adomas said:
To be fair, I actually don't really understand what you did here exactly. I don't have an uart usb adapter handy to try. But it brought me some (a lot actually) random pieces of understanding
I am unable to make it list out plnvram contents, only rd exact variables. I found a lot of those in plnvram_default.dat, but those appear to be useless. They are the values stored by the web interface and have nothing to do with ShareView settings, or how the box encodes the stream when its button is pressed. What I really want to find, is what variable names are used for ShareView settings (other than password, username, which are the places I can put RTMP link into).
ShareView has two dropboxes "Outputsize" and "bitrate", which I assume generates a quite few lines to plnvram that include exact encoding settings. Could you by any chance find where those fall into?
Click to expand...
Click to collapse
As I already said , the plkw binary handles communicating with the software & this is what sets everything up, streamurl, streamkey etc, it is also what does the streaming when triggered by the button or software, unfortunately I've yet to figure out how it actually triggers! When the software connects it sends the encode config (creates the hs_enc_ts.cfg file and client.cfg in /plbin). The plkw then launches the plstrm binary three times (no idea why as one is enough from what I've found).
The outputsize & bitrate are set in the hs_enc_ts.cfg.
Code:
RateControl-AvgBitRate 8000
VbrBitRate-MinBitRate 11428
VbrBitRate-MaxBitRate 10400
Boot from serial.
Code:
Boot loader started
QL330-B0 detected
Entered diagnostic mode
Branching to external diagnostic code
Loading boot loader .....................................done
[ 0.000000] Linux version 2.6.35.8-arm1ql300 ([email protected]) (gcc version 4.3.2 (Sourcery G++ Lite 2008q3-72) ) #994 PREEMPT Tue Jul 29 10:58:16 CST 2014 v1.21
[ 0.000000] CPU: ARM926EJ-S [41069265] revision 5 (ARMv5TEJ), cr=00053177
[ 0.000000] CPU: VIVT data cache, VIVT instruction cache
[ 0.000000] Machine: 0xc097f798,QL300-EVB Qpixel Artesa Evaluation Board
[ 0.000000]
[ 0.000000] ******************************************************
[ 0.000000] * pl330_ofc_en : 0
[ 0.000000] * pl330_cmos_reset_en : 0
[ 0.000000] * pl330_devid : 0x03300001
[ 0.000000] * pl330_sdio0_en : 1
[ 0.000000] * pl330_sdio1_en : 0
[ 0.000000] * pl330_gpiogrp1_en : 0
[ 0.000000] * pl330_gpiogrp2_en : 0
[ 0.000000] * pl330_swi2c_en : 1
[ 0.000000] * pl330_local_bus_mutex_type : 1
[ 0.000000] * pl330_eth_en : 1
[ 0.000000] * pl330_frondend_type : 14
[ 0.000000] * pl330_userdata0 : 0
[ 0.000000] * pl330_userdata1 : 1
[ 0.000000] * pl330_userdata2 : 2
[ 0.000000] * pl330_userdata3 : 3
[ 0.000000] * pl330_userdata4 : 4
[ 0.000000] * pl330_userdata5 : 5
[ 0.000000] * pl330_userdata6 : 6
[ 0.000000] * pl330_userdata7 : 7
[ 0.000000] * pl330_userstring0 : SIGMA-PL330B
[ 0.000000] * pl330_userstring1 : C4:01:42:00:86:1F
[ 0.000000] * pl330_userstring2 : userstring2
[ 0.000000] * pl330_userstring3 : userstring3
[ 0.000000] * pl330_userstring4 : userstring4
[ 0.000000] * pl330_userstring5 : userstring5
[ 0.000000] * pl330_userstring6 : userstring6
[ 0.000000] * pl330_userstring7 : userstring7
[ 0.000000] * pl330_mtd_partition : mtdparts=QL300_flash:640K(qcamboot),128K(nvram),5504K(linuxImage),1920K(custblk)
[ 0.000000] * pl330_GPIO_strap : 0x0000ffcf
[ 0.000000] ******************************************************
[ 0.000000]
[ 0.000000] vmalloc area is too big, limiting to 4MB
[ 0.000000] Memory policy: ECC disabled, Data cache writeback
[ 0.000000] Built 1 zonelists in Zone order, mobility grouping on. Total pages: 7366
[ 0.000000] Kernel command line: console=ttyS0 vmalloc=7M [email protected] root=/nodev/rootfs mtdparts=QL300_flash:640K(qcamboot),128K(nvram),7040K(linuxImage),8576K(custblk) mtdparts=QL300_flash:640K(qcamboot),128K(nvram),5504K(linuxImage),1920K(custblk)
[ 0.000000] PID hash table entries: 128 (order: -3, 512 bytes)
[ 0.000000] Dentry cache hash table entries: 4096 (order: 2, 16384 bytes)
[ 0.000000] Inode-cache hash table entries: 2048 (order: 1, 8192 bytes)
[ 0.000000] Memory: 29MB = 29MB total
[ 0.000000] Memory: 19104k/19104k available, 10592k reserved, 0K highmem
[ 0.000000] Virtual kernel memory layout:
[ 0.000000] vector : 0xffff0000 - 0xffff1000 ( 4 kB)
[ 0.000000] fixmap : 0xfff00000 - 0xfffe0000 ( 896 kB)
[ 0.000000] DMA : 0xffc00000 - 0xffe00000 ( 2 MB)
[ 0.000000] vmalloc : 0xc1e00000 - 0xc2400000 ( 6 MB)
[ 0.000000] lowmem : 0xc0000000 - 0xc1d00000 ( 29 MB)
[ 0.000000] modules : 0xbf000000 - 0xc0000000 ( 16 MB)
[ 0.000000] .init : 0xc0008000 - 0xc06fa000 (7112 kB)
[ 0.000000] .text : 0xc06fa000 - 0xc09bb000 (2820 kB)
[ 0.000000] .data : 0xc09d2000 - 0xc09e32a0 ( 69 kB)
[ 0.000000] Hierarchical RCU implementation.
[ 0.000000] RCU-based detection of stalled CPUs is disabled.
[ 0.000000] Verbose stalled-CPUs detection is disabled.
[ 0.000000] NR_IRQS:32
[ 0.000000] console [ttyS0] enabled
[ 0.030000] Calibrating delay loop... 129.84 BogoMIPS (lpj=649216)
[ 0.240000] pid_max: default: 4096 minimum: 301
[ 0.240000] Mount-cache hash table entries: 512
[ 0.250000] CPU: Testing write buffer coherency: ok
[ 0.260000] NET: Registered protocol family 16
[ 0.270000] ql300_init: res=0xc1832740
[ 0.280000]
[ 0.280000] ******************************************************
[ 0.290000] * plgpio_group0_cfg (input/output) : 0x00003000
[ 0.300000] * plgpio_group1_cfg (input only) : 0x0000000f
[ 0.300000] * plgpio_group2_cfg (output only) : 0x0000000e
[ 0.310000] * plgpio_group3_cfg (boot strap input only) : 0x000000c0
[ 0.320000] ******************************************************
[ 0.320000]
[ 0.360000] bio: create slab <bio-0> at 0
[ 0.370000] cfg80211: Calling CRDA to update world regulatory domain
[ 0.390000] NET: Registered protocol family 2
[ 0.390000] IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
[ 0.400000] TCP established hash table entries: 1024 (order: 1, 8192 bytes)
[ 0.410000] TCP bind hash table entries: 1024 (order: 0, 4096 bytes)
[ 0.420000] TCP: Hash tables configured (established 1024 bind 1024)
[ 0.430000] TCP reno registered
[ 0.430000] NET: Registered protocol family 1
[ 0.440000] RPC: Registered udp transport module.
[ 0.450000] RPC: Registered tcp transport module.
[ 0.450000] RPC: Registered tcp NFSv4.1 backchannel transport module.
[ 0.710000] Loading and setting up QPSOS ...
MAIN FIRMWARE
QPSOS shell
Type 'help' for help
[ 0.730000] Loading and setting up PL330 GPIO ...
[ 0.740000] Loading and setting up PL330 NVRAM ...
[ 0.750000] NTFS driver 2.1.29 [Flags: R/W].
[ 0.760000] JFFS2 version 2.2. (NAND) (SUMMARY) © 2001-2006 Red Hat, Inc.
[ 0.770000] msgmni has been set to 37
[ 0.770000] io scheduler noop registered
[ 0.780000] io scheduler deadline registered
[ 0.780000] io scheduler cfq registered (default)
[ 0.810000] ttyS0 at I/O 0xf0000100 (irq = 17) is a builtin QL300 UART
[ 0.820000] nbd: registered device at major 43
[ 0.870000] init_ql_flash_mtd(),CFI=0,part_nums=3
[ 0.880000] m25p80 spi0.0: w25Q64 (8192 Kbytes)
[ 0.880000] 4 cmdlinepart partitions found on MTD device QL300_flash
[ 0.890000] Creating 4 MTD partitions on "QL300_flash":
[ 0.900000] 0x000000000000-0x0000000a0000 : "qcamboot"
[ 0.910000] 0x0000000a0000-0x0000000c0000 : "nvram"
[ 0.920000] 0x0000000c0000-0x000000620000 : "linuxImage"
[ 0.930000] 0x000000620000-0x000000800000 : "custblk"
0h00m00s007: (T)CODEC_Start HCI Thread
0h00m00s007: (T)CODEC_SYS config:10 SW1 isr
0h00m00s007: (T)CODEC_SYS config:1 dynamic mem alloc
0h00m00s007: (T)CODEC_Start M2M Thread
0h00m00s007: (T)CODEC_Start DTM Thread
0h00m00s007: (T)CODEC_Start VDCM Thread
[ 0.950000] Linux video capture interface: v2.00
[ 0.950000] sdhci: Secure Digital Host Controller Interface driver
[ 0.960000] sdhci: Copyright(c) Pierre Ossman
[ 0.970000] TCP cubic registered
[ 0.970000] NET: Registered protocol family 17
[ 0.980000] lib80211: common routines for IEEE802.11 drivers
[ 0.990000] Freeing init memory: 7112K
mounting proc
mounting sys
mounting pts
starting system loggers
vm.min_free_kbytes = 1024
starting status daemon
setup telnetd
plgpiod: 0x03300001
bring up lo interface
bring up sdio module
[ 1.720000] sdio_init: res=0xc0cc7920
[ 1.800000] sdio_init: SDIO-0 enabled
[ 1.810000] mem_log_init: exit
[ 1.870000] plnvram_data_load_mtd: magic(0x82312033)
[ 1.880000] plnvram_data_load_mtd: version_major(1)
[ 1.880000] plnvram_data_load_mtd: version_minor(0)
[ 1.890000] plnvram_data_load_mtd: checksum(0x00000000)
[ 1.890000] plnvram_data_load_mtd: nums(237)
success
mount: mounting /dev/mtdblock3 on /mnt/custblk failed: Invalid argument
[ 3.250000] JFFS2 notice: (201) jffs2_build_xattr_subsystem: complete building xattr subsystem, 0 of xdatum (0 unchecked, 0 orphan) and 0 of xref (0 dead, 0 orphan) found.
bring up codec driver module
[ 3.480000] CDevice_Constructor()-> config to use Dynamic Memory Allocation for FW
[ 3.540000] CQLCodec_InitDevice() config to use internal Video FW
[ 3.550000] CQLCodec_InitDevice() config to use internal Audio FW
[ 4.610000] CComponent_Open AllocTask(0) hTask(0)
[ 4.610000] CComponent_Close ReleaseTask(0) hTask(0)
lookup_video_device_node()-> bus(4) inst(0) hTask(0) type(0)
lookup_video_device_node()-> Got 0:0
[ 4.640000] CComponent_Open AllocTask(0) hTask(0)
SetVideoFrontend()-> val=0
SetVideoFrontend()-> return 0
Working Mode:0,argc:2
Checking:0
[ 4.650000] CComponent_Close ReleaseTask(0) hTask(0)
do_whether_need_eth_driver: 1
bring up ethernet module (Wired)
[ 4.780000] AX88796C: Power saving disabled
[ 5.010000] ASIX AX88796C Fast Ethernet Adapter:v1.4.0-SDL0.93 16:31:34 Jul 19 2013
[ 5.010000] <6> http://www.asix.com.tw
[ 5.020000] Use random MAC address
[ 5.020000] AX88796C: MAC Address 76-f3-6c-e2-c3-c7
[ 5.040000] eth0: at 0x0 IRQ 4
[ 5.090000] ax88796c_init(): P1_OFFSET0x14=0x0000000f
[ 5.090000] ax88796c_init(): P1_OFFSET0x14=0x0000000e
ifconfig: ath0: error fetching interface information: Device not found
plnetworkchkd: ath0 is not existed or enabled, no need to enable connection backup. exit!
[ 6.870000] eth0: link up, 100Mbps, full-duplex
do_net_init: trying to init eth interface
do_eth_init: trying to load mac address from pl330_userstring1
do_eth_init: trying to use dynamic ip
udhcpc (v1.19.4) started
Setting IP address 0.0.0.0 on eth0
Sending discover...
Sending select for 192.168.1.110...
Lease of 192.168.1.110 obtained, lease time 86400
Setting IP address 192.168.1.110 on eth0
Deleting routers
route: SIOCDELRT: No such process
Adding router 192.168.1.1
Recreating /etc/resolv.conf
Adding DNS server 192.168.1.1
Adding DNS server 0.0.0.0
[ 8.080000] CComponent_Open AllocTask(0) hTask(0)
[ 8.090000] CComponent_Close ReleaseTask(0) hTask(0)
lookup_video_device_node()-> bus(4) inst(0) hTask(0) type(0)
lookup_video_device_node()-> Got 0:0
[ 8.110000] CComponent_Open AllocTask(0) hTask(0)
SetVideoFrontend()-> val=0
SetVideoFrontend()-> return 0
Working Mode:0,argc:1
name flag IP broadcastaddr
eth0 4163 192.168.1.110 192.168.1.255
Src:3,Res:12
recv:48,53,36,30,32
recv:43,6e,1,a8,c0
The client is: 192.168.1.40,2801a8c0
socket:8
Capture
[ 19.970000] CComponent_Open AllocTask(0) hTask(1)
[ 19.980000] CComponent_Close ReleaseTask(0) hTask(1)
lookup_video_device_node()-> bus(4) inst(0) hTask(1) type(0)
lookup_video_device_node()-> Got 0:0
[ 20.000000] CComponent_Open AllocTask(0) hTask(1)
****** Executing script file /plbin/hs_enc_ts.cfg
SystemControl-StreamType = ts
SystemControl-StreamData = video+audio
SystemControl-Profile = extended
SystemControl-Level = 4
SysFunction-Function = encode
SysFunction-Video = h264
SysFunction-Audio = audio
PictureResolution-InPicWidth = 1920
PictureResolution-InPicHeight = 1080
OutPictureResolution-OutPicWidth = 1920
OutPictureResolution-OutPicHeight = 1080
SystemControl-XferMode = frame
SystemControl-SpsrFreq = 1
SystemControl-FFMode = frame
SystemControl-VMode = cavlc
RateControl-Vbr = 0
RateControl-Mode = viu
RateControl-AvgBitRate = 15000
VbrBitRate-MinBitRate = 18000
VbrBitRate-MaxBitRate = 13000
GopLoopFilter-IntraPeriod = 30
GopLoopFilter-BNum = 0
GopLoopFilter-Idr = close
InputControl-ScanFormat = progressive
InputControl-SrcMode = hdmi
InputControl-SyncMode = 0
InputControl-DataType = raw
InputControl-InFrameRate = 60
InputControl-OutFrameRate = 30
InputControl-Fmt = progressive
InputControl-CkEdge = positive
DeInterlace-mode = none
FilterControl-StartPixel = 0
FilterControl-StartLine = 0
SysLink-VideoInput = viu
SysLink-VideoOutput = host
SysLink-AudioInput = aiu
SysLink-AudioOutput = host
AudioControlParam-AudioType = aac
AudioControlParam-SampleRate = 48k
AudioControlParam-ChNum = 2
AudioControlParam-LrclkI = high
AudioControlEx-AacVer = mpeg2
AudioControlEx-HType = adts
AudioControlEx-CutoffFreq = 18000
AudioControlEx-TNS = 1
AudioControlEx-IS = 1
AudioControlEx-PNS = 1
AudioControlEx-MS = 1
ioctl(PLDEV_STRM_IOCTL_PORT_OPEN) component(0) type(0) succeed
0h00m19s609: (T)CODEC_Start MUX Thread (channel 1)
0h00m19s609: (T)CODEC_Start VEN Thread (channel 1)
0h00m19s609: (T)AIO Record enter
acquire(0) hDev(11)
start(0) hDev(11)
0h00m19s722: (T)CODEC_Start VIU Thread (input channel 1)
0h00m19s722: (E)VIU OSD FontsStartAddr 34401500 !
0h00m19s722: (E)VIU OSD TextListStartAddr 34400100 !
0h00m19s722: (E)VIU OSD TimeInfoAddr 34401300 !
0h00m19s724: (E)CODEC_get misc_rate_control interval(80) activity_on/off(0)
0h00m19s724: (E)HCI: chInfo (0x10) phy_in(60) rec_in(30) outrate(30)
0h00m19s728: (E)VIU: (ch 1) (in 1920x1080) (out 1920x1080) (rate =30,30),(buf_num 3)
test_streamout() [
9024 t=20
VI-OSD 0
VI-OSD font_addr(0xd1005400) txtAddr(0xd1000400) timeAddr(0xd1004c00)
0h00m19s803: (E)VIU osd addr 0x34400100 0x34401500 0x34401300)
376 t=22
376 t=24
I've attached a screenshot of how I got the plnvram config to output (COM8 = serial connection).
---
I've also managed to build a test "hello world" binary & have it run on the box, so I might be able to build a better rtmp server. I may have to rely on the plstrm to get the output though :/

Some good news.. I think. I managed to "decompile" the android "Shareview" app source code using javadecompilers.com With any luck I should be able to figure it out!
If you're any good with java (I'm not) download the shareview apk from here: https://apkpure.com/shareview/com.asdfghjkl20203.hs602player/download?from=details.
And upload it to http://www.javadecompilers.com/.

mpmc said:
If you're any good with java
Click to expand...
Click to collapse
I'm also not, but I have a friend who does have some experience. Thanks for the idea.
The variable name thing threw me off, since it makes no sense to me, that it stores "password" and "username" straight to nvram, and the rest go through hs_enc_ts.cfg. I tried to manually change hs_enc_ts.cfg parameters, but they had no effect to the output stream, which is why I assumed, that it sends some other settings.
Could you save the whole putty printout somewhere? It does contain different parameters and variables than those in hs_enc_ts.cfg and plnvram_defaults.dat

Database Users

welcome