In this blog post we will take a look inside the Wyze Outdoor Base Station and see whats going on. Many people were very excited to hop on board the Wyze train when they announced the outdoor camera – however it has mostly been met with bad reviews and buggy, half baked features.
Lets get this thing out of the plastic case to take a closer look, carefully removing the RF1.13 IPX connectors for the antenna signal wire.
We can see that the board is labeled 9531_HL_CORE_AM7
Qualcomm marketing says:
The QCA9531 is a highly integrated and feature-rich IEEE 802.11n 2×2 2.4 GHz System-on-a-Chip (SoC) for advanced WLAN platforms.
https://www.qualcomm.com/products/qca9531
The Specifications sheet on Qualcomms website is very light on details, but this looks like a common SoC for low end networking and cheapo wireless routers.
Specifications:
CPU Clock Speed: Up to 650 MHz
Wi-Fi Standards: 802.11a/b/g, 802.11n
Peak Speed: 300 Mbps
Channel Utilization: 20/40 MHz
MIMO Configuration: 2×2 (2-stream)
Ethernet Standards: IEEE 802.3
Ethernet Network: 10/100
Supported Ports: 5 ports
USB Version: USB 2.0
Memory speed: 300MHz, 200MHz
Memory Type: DDR1, DDR2
Supported Interfaces: JTAG, SPI, UART, USB 2.0, PCIe 1.1
General Purpose I/Os: 17x
Package Type: DRQFN
Package Size: 12 x 12 mm
It seems like this might be a board built by Nova Electronics that Wyze is putting into a nice package. Looks Familiar right?
The 3 pins on the right side of the board look like they could be SPI – so we tried to solder some pins on and get a terminal open
I guessed the TX / RX pins, and the ground was labeled nicely on the board. For Reference:
- Ground to GND (Duh!)
- TX is L1
- RX is L2
I connected with a cheapo CP2102 USB to UART adapter, set the baud rate to 115200 and was off to the races… kinda
Well this is interesting, this little guy is running OpenWRT. I guessed all of the normal user / password combos I could think of and didn’t get anywhere – If anyone has any ideas on how to get into this shoot me a message / comment!
Lets watch it boot up and see if there is anything interesting going on here:
U-Boot 1.1.4-gf13eb91d-dirty (Apr 2 2020 - 14:39:10) ap147 - Honey Bee 2.0DRAM: sri Honey Bee 2.0 ath_ddr_initial_config(195): (16bit) ddr2 init tap = 0x00000003 Tap (low, high) = (0x6, 0x21) Tap values = (0x13, 0x13, 0x13, 0x13) 128 MB Top of RAM usable for U-Boot at: 88000000 Reserving 201k for U-Boot at: 87fcc000 Reserving 192k for malloc() at: 87f9c000 Reserving 44 Bytes for Board Info at: 87f9bfd4 Reserving 36 Bytes for Global Data at: 87f9bfb0 Reserving 128k for boot params() at: 87f7bfb0 Stack Pointer at: 87f7bf98 Now running in RAM - U-Boot at: 87fcc000 Flash Manuf Id 0x1c, DeviceId0 0x70, DeviceId1 0x18 flash size 16MB, sector count = 256 Flash: 16 MB *** Warning *** : PCIe WLAN Module not found !!! In: serial Out: serial Err: serial Net: ath_gmac_enet_initialize... No valid address in Flash. Using fixed address No valid address in Flash. Using fixed address ath_gmac_enet_initialize: reset mask:c02200 Scorpion ---->S27 PHY* S27 reg init : cfg1 0x800c0000 cfg2 0x7114 eth0:athrs27_phy_setup ATHR_PHY_CONTROL 4 :1000 athrs27_phy_setup ATHR_PHY_SPEC_STAUS 4 :10 eth0 up Honey Bee ----> MAC 1 S27 PHY * S27 reg init ATHRS27: resetting s27 ATHRS27: s27 reset done : cfg1 0x800c0000 cfg2 0x7214 eth1: athrs27_phy_setup ATHR_PHY_CONTROL 0 :1000 athrs27_phy_setup ATHR_PHY_SPEC_STAUS 0 :10 athrs27_phy_setup ATHR_PHY_CONTROL 1 :1000 athrs27_phy_setup ATHR_PHY_SPEC_STAUS 1 :10 athrs27_phy_setup ATHR_PHY_CONTROL 2 :1000 athrs27_phy_setup ATHR_PHY_SPEC_STAUS 2 :10 athrs27_phy_setup ATHR_PHY_CONTROL 3 :1000 athrs27_phy_setup ATHR_PHY_SPEC_STAUS 3 :10 eth1 up eth0, eth1 Setting 0x181162c0 to 0x50a1a100 update_flag:000 ===== fythons! ==== Hit any key to stop autoboot: 0 ## Booting image at 9f050000 ... Image Name: MIPS Linux-3.3.8 Created: 2020-04-02 6:39:26 UTC Image Type: MIPS Linux Multi-File Image (lzma compressed) Data Size: 1137996 Bytes = 1.1 MB Load Address: 80060000 Entry Point: 80060000 Contents: Image 0: 1137988 Bytes = 1.1 MB Verifying Checksum at 0x9f050040 ...OK Uncompressing Multi-File Image ... OK No initrd ## Transferring control to Linux (at address 80060000) ... ## Giving linux memsize in bytes, 134217728 Starting kernel ... [ 0.000000] Linux version 3.3.8 ([email protected]) (gcc version 4.6.3 20120201 (prerel ease) (Linaro GCC 4.6-2012.02) ) #39 Tue Mar 31 13:44:16 CST 2020 [ 0.000000] bootconsole [early0] enabled [ 0.000000] CPU revision is: 00019374 (MIPS 24Kc) [ 0.000000] SoC: Qualcomm Atheros QCA9531 rev 2 [ 0.000000] Clocks: CPU:650.000MHz, DDR:597.607MHz, AHB:216.666MHz, Ref:25.00 0MHz [ 0.000000] Determined physical RAM map: [ 0.000000] memory: 08000000 @ 00000000 (usable) [ 0.000000] Initrd not found or empty - disabling initrd [ 0.000000] Zone PFN ranges: [ 0.000000] Normal 0x00000000 -> 0x00008000 [ 0.000000] Movable zone start PFN for each node [ 0.000000] Early memory PFN ranges [ 0.000000] 0: 0x00000000 -> 0x00008000 [ 0.000000] Built 1 zonelists in Zone order, mobility grouping on. Total pag es: 32512 [ 0.000000] Kernel command line: board=AP147 console=ttyS0,115200 mtdparts=s pi0.0:256k(u-boot)ro,64k(u-boot-env),1280k(kernel),6336k(rootfs),2176k(driver),1 536k(app),2176k(backd),1536k(backa),256K(config),640k(para),64k(flag),64k(art),1 [email protected](firmware) rootfstype=squashfs,jffs2 noinitrd [ 0.000000] PID hash table entries: 512 (order: -1, 2048 bytes) [ 0.000000] Dentry cache hash table entries: 16384 (order: 4, 65536 bytes) [ 0.000000] Inode-cache hash table entries: 8192 (order: 3, 32768 bytes) [ 0.000000] Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes. [ 0.000000] Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes [ 0.000000] Writing ErrCtl register=00000000 [ 0.000000] Readback ErrCtl register=00000000 [ 0.000000] Memory: 126020k/131072k available (2396k kernel code, 5052k reser ved, 662k data, 224k init, 0k highmem) [ 0.000000] SLUB: Genslabs=9, HWalign=32, Order=0-3, MinObjects=0, CPUs=1, No des=1 [ 0.000000] NR_IRQS:83 [ 0.000000] Calibrating delay loop... 432.53 BogoMIPS (lpj=2162688) [ 0.060000] pid_max: default: 32768 minimum: 301 [ 0.060000] Mount-cache hash table entries: 512 [ 0.070000] Performance counters: mips/24K PMU enabled, 2 32-bit counters ava ilable to each CPU, irq 13 [ 0.080000] Initialized recycle list for cpu 0. [ 0.080000] NET: Registered protocol family 16 [ 0.090000] gpiochip_add: registered GPIOs 0 to 17 on device: ath79 [ 0.090000] ath79_jtag_function_disable [ 0.100000] MIPS: machine is Qualcomm Atheros AP147 reference board [ 0.110000] ar724x-pci ar724x-pci.0: PCIe link is down [ 0.110000] registering PCI controller with io_map_base unset [ 0.120000] ar71xx: invalid MDIO id 1 [ 0.330000] bio: create slab at 0 [ 0.330000] PCI host bridge to bus 0000:00 [ 0.340000] pci_bus 0000:00: root bus resource [mem 0x10000000-0x11ffffff] [ 0.340000] pci_bus 0000:00: root bus resource [io 0x0000] [ 0.350000] Switching to clocksource MIPS [ 0.350000] NET: Registered protocol family 2 [ 0.360000] IP route cache hash table entries: 1024 (order: 0, 4096 bytes) [ 0.360000] TCP established hash table entries: 4096 (order: 3, 32768 bytes) [ 0.370000] TCP bind hash table entries: 4096 (order: 2, 16384 bytes) [ 0.370000] TCP: Hash tables configured (established 4096 bind 4096) [ 0.380000] TCP reno registered [ 0.380000] UDP hash table entries: 256 (order: 0, 4096 bytes) [ 0.390000] UDP-Lite hash table entries: 256 (order: 0, 4096 bytes) [ 0.390000] NET: Registered protocol family 1 [ 0.410000] squashfs: version 4.0 (2009/01/31) Phillip Lougher [ 0.420000] JFFS2 version 2.2 (NAND) (SUMMARY) (ZLIB) (LZO) (LZMA) (RTIME) (C MODE_PRIORITY) (c) 2001-2006 Red Hat, Inc. [ 0.430000] msgmni has been set to 246 [ 0.430000] io scheduler noop registered [ 0.430000] io scheduler deadline registered (default) [ 0.440000] Serial: 8250/16550 driver, 1 ports, IRQ sharing disabled [ 0.470000] serial8250.0: ttyS0 at MMIO 0x18020000 (irq = 11) is a 16550A [ 0.470000] console [ttyS0] enabled, bootconsole disabled [ 0.470000] console [ttyS0] enabled, bootconsole disabled [ 0.490000] m25p80 spi0.0: found en25qh128a, expected m25p80 [ 0.490000] m25p80 spi0.0: en25qh128a (16384 Kbytes) [ 0.500000] 13 cmdlinepart partitions found on MTD device spi0.0 [ 0.500000] Creating 13 MTD partitions on "spi0.0": [ 0.510000] 0x000000000000-0x000000040000 : "u-boot" [ 0.520000] 0x000000040000-0x000000050000 : "u-boot-env" [ 0.520000] 0x000000050000-0x000000190000 : "kernel" [ 0.530000] 0x000000190000-0x0000007c0000 : "rootfs" [ 0.540000] mtd: partition "rootfs" set to be root filesystem [ 0.540000] mtd: partition "rootfs_data" created automatically, ofs=6C0000, l en=100000 [ 0.550000] 0x0000006c0000-0x0000007c0000 : "rootfs_data" [ 0.560000] 0x0000007c0000-0x0000009e0000 : "driver" [ 0.560000] 0x0000009e0000-0x000000b60000 : "app" [ 0.570000] 0x000000b60000-0x000000d80000 : "backd" [ 0.580000] 0x000000d80000-0x000000f00000 : "backa" [ 0.580000] 0x000000f00000-0x000000f40000 : "config" [ 0.590000] 0x000000f40000-0x000000fe0000 : "para" [ 0.590000] 0x000000fe0000-0x000000ff0000 : "flag" [ 0.600000] 0x000000ff0000-0x000001000000 : "art" [ 0.610000] 0x000000050000-0x000000aa0000 : "firmware" [ 0.640000] ag71xx_mdio: probed [ 0.770000] ag71xx_mdio: probed [ 0.780000] eth0: Atheros AG71xx at 0xb9000000, irq 4 [ 1.330000] ag71xx ag71xx.0: eth0: connected to PHY at ag71xx-mdio.1:04 [uid= 004dd042, driver=Generic PHY] [ 1.350000] TCP cubic registered [ 1.350000] NET: Registered protocol family 17 [ 1.350000] 8021q: 802.1Q VLAN Support v1.8 [ 1.360000] ### of_selftest(): No testcase data in device tree; not running t ests [ 1.370000] VFS: Mounted root (squashfs filesystem) readonly on device 31:3. [ 1.380000] Freeing unused kernel memory: 224k freed - preinit - [ 3.290000] leds-gpio: probe of leds-gpio failed with error -16 - regular preinit - [ 3.500000] JFFS2 notice: (674) jffs2_build_xattr_subsystem: complete buildin g xattr subsystem, 1 of xdatum (1 unchecked, 0 orphan) and 14 of xref (0 dead, 0 orphan) found. switching to jffs2 - init - Please press Enter to activate this console. [ 13.290000] ssdk_plat_init start [ 13.290000] chip_version:0x0 [ 13.300000] chip_version:0x2 [ 13.300000] Register QCA PHY driver [ 13.310000] unexpect switch ssdk probe [ 13.410000] qca-ssdk module init succeeded! [ 13.580000] NET: Registered protocol family 10 [ 13.950000] SCSI subsystem initialized [ 14.040000] usbcore: registered new interface driver usbfs [ 14.050000] usbcore: registered new interface driver hub [ 14.050000] usbcore: registered new device driver usb [ 14.120000] usbcore: registered new interface driver usbhid [ 14.120000] usbhid: USB HID core driver [ 14.270000] Button Hotplug driver version 0.4.1 [ 14.550000] NTFS driver 2.1.30 [Flags: R/O MODULE]. [ 14.840000] PPP generic driver version 2.4.2 [ 14.920000] NET: Registered protocol family 24 [ 15.150000] bonding: Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011) [ 15.360000] ip_tables: (C) 2000-2006 Netfilter Core Team [ 15.590000] ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver [ 15.590000] ehci-platform ehci-platform.0: Generic Platform EHCI Controller [ 15.600000] ehci-platform ehci-platform.0: new USB bus registered, assigned bus number 1 [ 15.640000] ehci-platform ehci-platform.0: irq 3, io mem 0x1b000000 [ 15.660000] ehci-platform ehci-platform.0: USB 2.0 started, EHCI 1.00 [ 15.660000] hub 1-0:1.0: USB hub found [ 15.670000] hub 1-0:1.0: 1 port detected [ 15.740000] nf_conntrack version 0.5.0 (1972 buckets, 7888 max) [ 16.130000] xt_time: kernel timezone is -0000 [ 16.500000] nf_conntrack_rtsp v0.6.21 loading [ 16.510000] nf_nat_rtsp v0.6.21 loading [ 16.690000] Initializing USB Mass Storage driver... [ 16.700000] usbcore: registered new interface driver usb-storage [ 16.710000] USB Mass Storage support registered. [ 16.780000] fuse init (API version 7.18) [ 18.520000] JFFS2 notice: (895) jffs2_build_xattr_subsystem: complete building xattr subsystem, 0 of xdatum (0 unchecked, 0 orph an) and 0 of xref (0 dead, 0 orphan) found. [ 18.570000] JFFS2 notice: (897) jffs2_build_xattr_subsystem: complete building xattr subsystem, 0 of xdatum (0 unchecked, 0 orph an) and 0 of xref (0 dead, 0 orphan) found. [ 19.500000] ADDRCONF(NETDEV_UP): eth0: link is not ready [ 24.790000] asf: module license 'Proprietary' taints kernel. [ 24.790000] Disabling lock debugging due to kernel taint [ 24.820000] ****Address of trace_timer :86b06610 [ 25.140000] ath_hal: 0.9.17.1 (AR5416, AR9380, REGOPS_FUNC, WRITE_EEPROM, TX_DATA_SWAP, RX_DATA_SWAP, 11D) [ 25.160000] ath_rate_atheros: Copyright (c) 2001-2005 Atheros Communications, Inc, All Rights Reserved [ 25.180000] ath_dfs: Version 2.0.0 [ 25.180000] Copyright (c) 2005-2006 Atheros Communications, Inc. All Rights Reserved [ 25.210000] ath_spectral: Version 2.0.0 [ 25.210000] Copyright (c) 2005-2009 Atheros Communications, Inc. All Rights Reserved [ 25.220000] SPECTRAL module built on Mar 31 2020 19:45:12 [ 25.240000] ath_tx99: Version 2.0 [ 25.240000] Copyright (c) 2010 Atheros Communications, Inc, All Rights Reserved [ 25.430000] ath_dev: Copyright (c) 2001-2007 Atheros Communications, Inc, All Rights Reserved [ 27.460000] __ath_attach: Set global_scn[0] [ 27.460000] *** All the minfree values should be <= ATH_TXBUF-32, otherwise default value will be used instead *** [ 27.470000] ACBKMinfree = 48 [ 27.480000] ACBEMinfree = 32 [ 27.480000] ACVIMinfree = 16 [ 27.480000] ACVOMinfree = 0 [ 27.490000] CABMinfree = 48 [ 27.490000] UAPSDMinfree = 0 [ 27.490000] ATH_TXBUF=540 [ 27.500000] Enterprise mode: 0x03fc0000 [ 27.510000] Restoring Cal data from DRAM [ 27.510000] [ 27.510000] ART Version : -48.0.0 [ 27.520000] SW Image Version : -48.0.0.0.0 [ 27.520000] Board Revision : [ 27.520000] ar9300_attach: nf_2_nom -110 nf_2_max -60 nf_2_min -125 [ 27.530000] SPECTRAL : get_capability not registered [ 27.540000] HAL_CAP_PHYDIAG : Capable [ 27.540000] SPECTRAL : Need to fix the capablity check for RADAR (spectral_attach : 231) [ 27.550000] SPECTRAL : get_capability not registered [ 27.550000] HAL_CAP_RADAR : Capable [ 27.560000] SPECTRAL : Need to fix the capablity check for SPECTRAL [ 27.560000] (spectral_attach : 236) [ 27.570000] SPECTRAL : get_capability not registered [ 27.570000] HAL_CAP_SPECTRAL_SCAN : Capable [ 27.580000] SPECTRAL : get_tsf64 not registered [ 27.580000] spectral_init_netlink 65 NULL SKB [ 27.590000] SPECTRAL : No ADVANCED SPECTRAL SUPPORT [ 27.590000] SPECTRAL :----- module attached [ 27.600000] Green-AP : Green-AP : Attached [ 27.600000] [ 27.610000] ath_get_caps[6169] rx chainmask mismatch actual 3 sc_chainmak 0 [ 27.610000] ath_get_caps[6144] tx chainmask mismatch actual 3 sc_chainmak 0 [ 27.630000] band steering initialized for direct attach hardware [ 27.630000] ieee80211_bsteering_attach: Band steering initialized [ 27.640000] ath_attach_dfs[12687] dfsdomain 1 [ 27.650000] SPECTRAL : module already attached [ 27.660000] osif_wrap_attach:296 osif wrap attached [ 27.660000] osif_wrap_devt_init:916 osif wrap dev table init done [ 27.670000] ath_tx_paprd_init sc 852e8000 PAPRD disabled in HAL [ 27.680000] wifi0: Atheros ???: mem=0xb8100000, irq=47 [ 27.690000] ath_pci: SmartAntenna-DRT-0.1 (Atheros/multi-bss) [ 27.840000] wlan_vap_create : enter. devhandle=0x86480380, opmode=IEEE80211_M_HOSTAP, flags=0x1 [ 27.850000] wlan_vap_create : exit. devhandle=0x86480380, opmode=IEEE80211_M_HOSTAP, flags=0x1. [ 27.860000] VAP device ath0 created osifp: (8729b380) os_if: (864d4000) [ 27.980000] Set freq vap 0 stop send + 864d4000 [ 27.980000] Set freq vap 0 stop send -864d4000 [ 28.120000] Set wait done --864d4000 [ 28.160000] [ 28.160000] DES SSID SET= [ 28.170000] [ 28.170000] DES SSID SET=WYZE_ [ 28.390000] 8021q: adding VLAN 0 to HW filter on device ath0 [ 28.680000] ADDRCONF(NETDEV_UP): br-lan: link is not ready [ 28.740000] device ath0 entered promiscuous mode [ 28.740000] br-lan: port 1(ath0) entered forwarding state [ 28.750000] br-lan: port 1(ath0) entered forwarding state [ 28.760000] ADDRCONF(NETDEV_CHANGE): br-lan: link becomes ready [ 29.280000] ieee80211_ioctl_siwmode: imr.ifm_active=393856, new mode=3, valid=1 [ 29.300000] _ieee80211_scan_unregister_event_handler: Failed to unregister evhandler=85063900 arg=86660000 [ 29.310000] Scan in progress.. Cancelling it [ 29.370000] br-lan: port 1(ath0) entered disabled state [ 29.390000] DEVICE IS DOWN ifname=ath0 [ 29.390000] DEVICE IS DOWN ifname=ath0 [ 29.950000] br-lan: port 1(ath0) entered forwarding state [ 29.950000] br-lan: port 1(ath0) entered forwarding state [ 29.960000] 8021q: adding VLAN 0 to HW filter on device ath0 [ 31.950000] br-lan: port 1(ath0) entered forwarding state [ 43.700000] usb 1-1: new high-speed USB device number 2 using ehci-platform [ 43.850000] hub 1-1:1.0: USB hub found [ 43.850000] hub 1-1:1.0: 4 ports detected [ 47.040000] DCS for CW interference mitigation: 0 [ 47.040000] DCS for WLAN interference mitigation: 0
Keep following along in Part 2