This file documents the current firmware findings and a practical SD-card flow to boot custom scripts and keep local services.
This findings belongs to version 6.2863.123 but it should work on any version, as long as you teak the config files.
Huge thanks to guino/LSCOutdoor1080P because their findings allowed me to create this toolkit.
If this project was useful to you, please consider supporting me.
- Boot chain:
init -> /etc/init.d/rcS -> /etc/init.d/rc.local -> /usr/sbin/main.sh. main.shlaunches/tmp/service.sh start(copied from/usr/sbin/service.sh).service.shmounts TF card and checks marker files under/mnt.- If
_ht_ap_mode.confexists, firmware copies/mnt/hostapdto/tmp/hostapdand wifi scripts execute it. This is where we hijack the system. Because this is run before really starting the daemon/anyka_ipc, we can modify the system, and then allow normal startup with poisoned scripts. - If
_ht_get_log.confexists, firmware won't unmount our SD card from/mntand will also dump debug logs into/ht_logfolder - If
_ht_av_mode.confexists, an Audio/Video test will begin, booting up a FTP server to unknown purposes. - If
ak39_factory.iniexists, the system will boot in factory testing mode
This is the startup hijack point we keep using.
Use sd_card/ as the SD card root content:
_ht_ap_mode.conf- required marker to trigger customhostapdexecution._ak39_factory.ini- required marker to trigger factory test mode.hostapd- launcher (executed by firmware; runshack.sh).hack.sh- tiny bootstrap called byhostapd.logs/- persistent logs written to SD.custom/- all custom scripts/configs/binaries.
On this firmware, an empty factory marker file enables a Factory Testing Mode with a ready to use RTSP server.
This is really all what you need if you only want a RTSP camera, without PTZ, just video.
- Create an empty
_ak39_factory.inion the SD root (this repo includes an emptysd_card/_ak39_factory.ini). - Reboot.
- RTSP listens on port
554. - The working URL on this device is:
rtsp://CAMERA_IP:554/main_ch
If you get
RTSP/1.0 454 Session Not Foundon/videoMain, try/main_ch.
Factory mode also plays loud startup prompt audio by default. In this SD payload you can disable it with:
MUTE_FACTORY_PROMPT=1insd_card/root_system/custom/configs/hack.conf
From Ghidra analysis of anyka_ipc:
- Factory mode is detected by
access("/tmp/_ak39_factory.ini", 0). - The file is parsed using
iniparser_load("/tmp/_ak39_factory.ini"). - The code looks up keys in the
section:keyform (iniparser style), e.g.:wifi_station:ssidwifi_station:passphrasewifi_station:ipwifi_station:netmaskwifi_station:gatewayaging_test:aging_value
Note: boot service.sh copies only the first 1024 bytes from SD (dd ... bs=1024 count=1), so keep this file small.
The Factory Test mode, enables a Telnet service by default on port 23, we inject /etc/shadow with root / telnet
But you can also enable an alternative userless telnet by switching TELNET=1 in sd_card/custom/configs/hack.conf
This firmware includes an ONVIF mini stack:
/usr/local/bin/mini_onvif_service.shstartslighttpd,wsd_simple_server, andonvif_notify_server.- In the SD payload, set
ONVIF=1insd_card/custom/configs/hack.confto start it.
Notes:
- ONVIF uses port
8080on this firmware (lighttpd).- When `ONVIF=1`, the scripts write `logs/onvif_status.txt` on the SD card with process/port probes.
You can also enable ONVIF with the stock Tuya APP by setting
bool_onvif_switch = 1in_ht_sw_settings.ini
The ONVIF service uses /usr/local/etc/onvif_simple_server.conf.
In this SD payload we can override it (non-flash) via a bind mount:
- SD file:
sd_card/custom/configs/onvif_simple_server.conf - Mounted to:
/usr/local/etc/onvif_simple_server.conf
Some firmware builds advertise PTZ via ONVIF but do not ship the expected helper commands in /usr/local/bin.
This payload provides replacements from SD:
/tmp/sd/custom/scripts/ptz_move/tmp/sd/custom/scripts/get_position/tmp/sd/custom/scripts/is_moving/tmp/sd/custom/scripts/ptz_presets.sh
The PTZ wrappers call:
/tmp/sd/custom/bin/ptzctl
ptzctl reads PTZ settings directly from:
sd_card/custom/configs/ptz.conf
Key tuning fields in ptz.conf:
PAN_FD_ADDR,TILT_FD_ADDR,IOCTL_MOVEPAN_INVERT,TILT_INVERT,STEP_MULT,STEP_REPEATDEBUG_LOG(set1to writeptz.log,0to disable PTZ logging)
The ONVIF config points directly to these SD scripts when:
ONVIF=1ONVIF_PTZ=1
If PTZ actions fail in clients (for example Home Assistant), check:
logs/ptz.log
./build_ptzctl.sh
Docker-based isolated ARM build (recommended):
./docker/build_binaries.sh
This uses a containerized ARM GCC toolchain and copies built artifacts back with docker cp.
Default output path:
sd_card/custom/bin/ptzctl
All custom behavior is controlled by custom/configs/hack.conf (strict shell KEY=value).
Important toggles:
DUMP_FORCE=1forces dump to run again even if done flag exists.
- Format SD card as FAT32.
- Tweak the config files in
sd_card/custom/configs/folder. - Copy everything from
sd_card/to SD root. - Boot camera with SD inserted.
- Connect via telnet to
YOUR_IP:23orYOUR_IP:24if you enableTELNET=1inhack.confas an alternative Telnet service - Enjoy
- Dumps the entire filesystem from your device into
sd_card/dumpsas a backup - Injects some payloads to prevent regular boot.
- Creates
/etc/shadowwith an userrootwith passwordtelnet
You can create your own password replacing
sd_card/shadowfile
For normal behavior:
- Do not use the SD Card :)
You should use sd_card/_ak39_factory.ini to setup your Wi-Fi settings to allow Anyka IPC to set it up for you.
You can leave ip, netmask and gateway blank to use DHCP
If you do not want to use this (whatever), ensure _ak39_factory.ini is empty and edit sd_card/custom/configs/wifi.conf.
This will start wpa_supplicant with the settings provided in wifi.conf
Notes:
WIFI_MODE=noneleaves networking unchanged (stock firmware manages it).- The scripts use
wpa_supplicant+wpa_clivia/usr/sbin/station_connect.sh.
All custom logs are written to the SD card under SD_DIR/logs/ (where SD_DIR is /tmp/sd on-device).
Open an Issue or PR anytime.
If you used the Toolkit to dump your camera filesystem (you should have a dump/ directory on the SD card) and your firmware is not 6.2863.123, please share the dump (or a link) in this repo so we can add support for your version. If the dump contains secrets (Wi-Fi credentials/keys), remove them before uploading.