HardwareΒ Β Β |Β Β Β What Was DoneΒ Β Β |Β Β Β WiringΒ Β Β |Β Β Β UsageΒ Β Β |Β Β Β Flash LayoutΒ Β Β |Β Β Β Lessons LearnedΒ Β Β |Β Β Β References
| Component | Detail |
|---|---|
| SoC | Anyka AK3918EV330, ARM926EJ-S, 64MiB RAM |
| Flash | 8MiB SPI NOR (kh25l64), 9 MTD partitions |
| Sensor | SC1345 (1280x720 native, upscaled to 1920x1080) |
| WiFi | RTL8188FU (USB 0bda:f179) |
| Board | JORTAN A03AK1H1N_JW GS23 V1.0 |
| Kernel | Linux 4.4.192V2.1 (Aug 23 2022) |
| UART | 115200 8N1, console ttySAK0 |
| Credentials | root with empty password |
- Soldered UART pads on the camera board
- Used Arduino Uno (CH340) as SoftwareSerial bridge (pins 2/3)
- Logged in as root via UART (no password)
- Installed persistent hack in
/rom/(jffs2 RW partition) - Telnet enabled on ports 23 and 2323
- Dumped all system files to SD card
# /rom/hack.sh (survives reboots)
#!/bin/sh
(while true;do echo V>/dev/watchdog 2>/dev/null;sleep 1;done)&
telnetd -l /bin/sh 2>/dev/null &
telnetd -l /bin/sh -p 2323 2>/dev/null &Injected into /rom/time_zone.sh which runs on every boot.
Camera TX (3.3V) --> Arduino Pin 2 (SoftwareSerial RX)
Camera RX <-- Arduino Pin 3 (SoftwareSerial TX)
Camera GND --- Arduino GND
Voltage divider on Pin 3 -> Camera RX (5V to 3.3V):
Pin 3 --[1K]--+--[2K]-- GND
|
+--> Camera RX
Warning
Camera operates at 3.3V, Arduino at 5V. Without the voltage divider it may work but can damage the camera long-term.
- Python 3.x +
pyserial(pip install pyserial) - Arduino CLI (
arduino-cli) - Arduino Uno with CH340
# 1. Upload serial bridge to Arduino
arduino-cli compile -b arduino:avr:uno arduino/serial_bridge/
arduino-cli upload -b arduino:avr:uno -p /dev/ttyUSB0 arduino/serial_bridge/
# 2. Run the hack (camera can already be powered on)
sudo python3 hack_final2.py| Partition | Size | Mount | FS | RW |
|---|---|---|---|---|
| UBOOT (mtd0) | 200K | - | - | - |
| ENV (mtd1) | 4K | - | - | - |
| ENVBK (mtd2) | 4K | - | - | - |
| DTB (mtd3) | 48K | - | - | - |
| KERNEL (mtd4) | 1664K | - | - | - |
| ROOTFS (mtd5) | 1536K | / |
squashfs | RO |
| CONFIG (mtd6) | 512K | /rom |
jffs2 | RW |
| APP (mtd7) | 4224K | /ipc, /usr |
squashfs | RO |
/rom(CONFIG) is the only writable partition β this is where persistence lives.
| # | Lesson | Detail |
|---|---|---|
| 1 | CH340 RESET+GND trick | RX works but TX does NOT. Use SoftwareSerial bridge instead. |
| 2 | Arduino resets on serial open | CH340 sends DTR pulse. Fix: DTR=False + stty -hupcl. |
| 3 | SoftwareSerial at 115200 | Drops bytes. Send char-by-char with 4ms delay. |
| 4 | Don't need U-Boot | Direct login works fine. Getty respawns on ttySAK0. |
| 5 | Persist BEFORE killing IPC | IPC holds watchdog, killing it may trigger reboot in ~10s. |
| 6 | SD card path | Mounts at /mnt/disc1, NOT /mnt/tf/. Only processes SD on boot if RESET button is held. |
hack_final2.py # Main hack script (the one that worked)
arduino/serial_bridge/ # SoftwareSerial bridge sketch
scripts/ # Previous attempts and utilities
βββ hack_v3.py # V3 - kills IPC before persist (wrong order)
βββ hack_slow.py # One command at a time, long delays
βββ uboot_hack.py # U-Boot intercept + init=/bin/sh
βββ reactive_hack.ino # Arduino auto-detect "autoboot" + inject
βββ test_rxtx.py # RX/TX diagnostic tool
dumps/ # System file dumps from camera
- t-rekttt/yoosee-exploit β Full Yoosee firmware
- Lawliet95/ANYKA-Tuya-Hacking-Journey β Complete analysis
- ricardojlrufino/anyka_v380ipcam_experiments β GPIO, Python, NodeJS
- blog.catsheavy.com β Jennov/Anyka hack walkthrough
MIT β Gabriel Maia (@gabrielmaialva33)