Reolink RLC-410-5MP IP camera
Preamble
The Reolink RLC-410-5MP is a 2560x1920 pixel IP camera with infrared night vision, motion detection and PoE support.
The hardware of the camera is quite good (well designed metal casing, multi-layer PCB with high soldering quality).
The software is bad (requiring Flash Player is not acceptable under any circumstances) ok-ish, but not as bad as other cameras I've seen before.
The camera offers
RTMP and RTSP video
streams. The RTSP stream suffers from various problems ("melting" and "smearing")
when used with non-Reolink video players.
Hardware
The camera uses a Novatek NV98515 SoC (MIPS 24KEc V5.5 architecture, dual core with MMU, 640MHz, H.264/265 video encoding, encryption engine) with a Omnivision OS05A10M image sensor. The firmware is stored on a 16 MiB GD25Q127C SPI NOR flash.
There probably exist different hardware versions (image sensors) of this
camera (if ${SENSOR} == "CMOS_SC5035M" .. elif .. "CMOS_OV4689M" .. elif .. "CMOS_OS05A10M"
- The OV4689
ist a 4MP sensor).
Serial port
There is a 115200 8-N-1
serial port accessible via J9
:
Firmware
The firmware is based on Novatek's NA51023 NVT evaluation board SDK (U-Boot 2014.07
,
kernel 4.1.0
and a Linux base system based on Buildroot 2015.11.1-00003-gfd1edb1).
See U-Boot bootloader and Linux misc logfiles for more details.
There is a ยตITRON-compatible
eCos-RTOS running on CPU1 (image capturing and video encoding),
and Linux running on CPU2 (networking and web frontend application).
The eCos firmware is stored in binary files FW98515A.bin FW98515T.bin FW98515A.ext.bin
.
Communication between the two cores is orchestrated by the NVT IPC
framework and shared memory.
Boot process: CPU1 runs the loader
image from partition 0 and initializes
basic I/O and RAM. CPU1 reads uboot image from partition 3 and triggers CPU2
to execute the uboot boot process. When the linux kernel image has been
started, CPU2 signals CPU1 to start image capturing.
Novatek does not release any information about their products. One can find some brief datasheet of the NT96650 and some discussion and tools at GoPrawn forum.
Reolink Camera API
One can disable the OSD watermark (without flash interface) with this small script.
Alano Terblanche has more complete Python API implementation.
Unpack firmware
Firmware RLC-410-5MP_448_19061407
is available from Reolink's support website.
With unpack-novatek-firmware.pl (Update: pakler probably is a better option) one can download the firmware file
and extract bootloader, kernel and root filesystem:
$ wget -q https://reolink-storage.s3.amazonaws.com/website/firmware/20190614firmware/RLC-410-5MP_448_19061407.zip
$ unzip RLC-410-5MP_448_19061407.zip
Archive: RLC-410-5MP_448_19061407.zip
inflating: IPC_51516M5M.448_19061407.RLC-410-5MP.OV05A10.5MP.REOLINK.pak
$ md5sum RLC-410-5MP_448_19061407.zip IPC_51516M5M.448_19061407.RLC-410-5MP.OV05A10.5MP.REOLINK.pak
e67454a79bcd538fb96d7c8b8a742956 RLC-410-5MP_448_19061407.zip
39c51f59a94a55e0656644a6a0cfea20 IPC_51516M5M.448_19061407.RLC-410-5MP.OV05A10.5MP.REOLINK.pak
$
$ ./unpack-novatek-firmware.pl -w IPC_51516M5M.448_19061407.RLC-410-5MP.OV05A10.5MP.REOLINK.pak
Partition 0 name: loader
Partition 0 version: v1.0.0.1
Partition 0 offset: 1552
Partition 0 length: 32768
Writing output file 'IPC_51516M5M.448_19061407.RLC-410-5MP.OV05A10.5MP.REOLINK-partition-0-loader.bin'
Partition 1 name: ext
Partition 1 version: v1.0.0.1
Partition 1 offset: 34320
Partition 1 length: 2856
Writing output file 'IPC_51516M5M.448_19061407.RLC-410-5MP.OV05A10.5MP.REOLINK-partition-1-ext.bin'
Partition 2 name: uitron
Partition 2 version: v1.0.0.1
Partition 2 offset: 37176
Partition 2 length: 3200936
Writing output file 'IPC_51516M5M.448_19061407.RLC-410-5MP.OV05A10.5MP.REOLINK-partition-2-uitron.bin'
Partition 3 name: uboot
Partition 3 version: v1.0.0.1
Partition 3 offset: 3238112
Partition 3 length: 262664
Writing output file 'IPC_51516M5M.448_19061407.RLC-410-5MP.OV05A10.5MP.REOLINK-partition-3-uboot.bin'
Partition 4 name:
Partition 4 version:
Partition 4 offset: 3500776
Partition 4 length: 0
Partition 5 name: kernel
Partition 5 version: v1.0.0.1
Partition 5 offset: 3500776
Partition 5 length: 1634625
Writing output file 'IPC_51516M5M.448_19061407.RLC-410-5MP.OV05A10.5MP.REOLINK-partition-5-kernel.bin'
Partition 6 name: fs
Partition 6 version: v1.0.0.1
Partition 6 offset: 5135401
Partition 6 length: 6242304
Writing output file 'IPC_51516M5M.448_19061407.RLC-410-5MP.OV05A10.5MP.REOLINK-partition-6-fs.bin'
Partition 7 name:
Partition 7 version:
Partition 7 offset: 11377705
Partition 7 length: 0
Partition 8 name:
Partition 8 version:
Partition 8 offset: 11377705
Partition 8 length: 0
Partition 9 name:
Partition 9 version:
Partition 9 offset: 11377705
Partition 9 length: 0
Partition 10 name:
Partition 10 version:
Partition 10 offset: 11377705
Partition 10 length: 0
$ unsquashfs -d rootfs/ IPC_51516M5M.448_19061407.RLC-410-5MP.OV05A10.5MP.REOLINK-partition-6-fs.bin
Parallel unsquashfs: Using 4 processors
551 inodes (622 blocks) to write
[===========================================================/] 622/622 100%
created 416 files
created 82 directories
created 135 symlinks
created 0 devices
created 0 fifos
$ ls rootfs/
bin dev etc home lib linuxrc mnt proc root sbin sys tmp usr var
$ head rootfs/etc/firmware.info
SDK_VER="NVT_NT96660_Linux_V0.4.8"
BUILDDATE="Tue Mar 1 18:25:28 CST 2016"
Compile additional software
Download Buildroot 2015.11.1
(Novatek's SDK uses this version and newer Buildroot releases use a newer/incompatible uClibc).
Exec make menuconfig
, select Target options
, change Target Architecture
to MIPS (little endian)
and Target Architecture Variant
to mips 32
.
Select Target packages
in the main menu and select packages as needed.
Exit and make
.
Modify rootfs / add SSH daemon
Use repack-reolink-rootfs.sh to repack the (read-only) rootfs on flash partition 6.
Dump squashfs with cat /dev/mtdblock6 > /mnt/sda/mtdblock6.bin
to SD card
first. Then execute the script on your Linux workstation like this:
$ ./repack-reolink-rootfs.sh
551 inodes (622 blocks) to write
created 416 files
created 82 directories
created 135 symlinks
created 0 devices
created 0 fifos
'./contrib/dropbear' -> 'rootfs/usr/sbin/dropbear'
'./contrib/S99dropbear' -> 'rootfs/etc/init.d/S99dropbear'
changed ownership of 'rootfs/usr/sbin/dropbear' from root:root to 1004:1004
changed ownership of 'rootfs/etc/init.d/S99dropbear' from root:root to 1004:1004
Found a valid SQUASHFS 4:0 superblock on mtdblock6-NEW.bin.
Creation or last append time Mon Jan 27 16:42:00 2020
Filesystem size 6201.27 Kbytes (6.06 Mbytes)
Compression xz
Block size 262144
Filesystem is exportable via NFS
Inodes are compressed
Data is compressed
Fragments are compressed
Always-use-fragments option is not specified
Xattrs are compressed
Duplicates are removed
Number of fragments 23
Number of inodes 635
Number of ids 1
-rw-r--r-- 1 8650752 Jan 27 13:01 mtdblock6.bin
-rw-r--r-- 1 6352896 Jan 27 16:36 mtdblock6-NEW.bin
mtdblock6-NEW.bin file size (65536-byte aligned): 0x610000
Execute the following commands within u-boot:
fatload mmc 0 0x1000000 mtdblock6-NEW.bin
sf erase 0x6e0000 0x610000
sf write 0x1000000 0x6e0000 0x610000
reset
Then write the modified squashfs to NOR flash of your camera as shown in script output:
v3.0.0.65_20071000
the flash layout has changed, you have to change start offset from 0x6e0000
to 0x620000
. Double-check first, otherwise you'll brick your device!
NA51023> fatload mmc 0 0x1000000 mtdblock6-NEW.bin
reading mtdblock6-NEW.bin
6352896 bytes read in 0 ms
NA51023> sf erase 0x6e0000 0x610000
SF: 6356992 bytes @ 0x6e0000 Erased: OK
NA51023> sf write 0x1000000 0x6e0000 0x610000
SF: 6356992 bytes @ 0x6e0000 Written: OK
NA51023> reset
There's something broken within dropbear's key initial exchange (causing a segfault). You
might need to login using ssh -oHostKeyAlgorithms=ssh-rsa root@ipaddress
for the very first time. I don't have time to debug this odd behaviour.
Enjoy logging in to your camera with SSH.
Firmware versions
-
v3.0.0.136_20121100, released 2020/12/11, with GUI v1.0.266.
-
v3.0.0.116_20103100, released 2020/10/31, with GUI v1.0.266.
Major GUI Update, no flash player anymore, hoorayy! Many parts of the HTML GUI have been rewritten. Live stream preview without flash player (Uses the bilibili flv.js HTML5 player). -
v3.0.0.65_20071000, released 2020/07/10, with GUI v1.0.261.
RTSP encoderliblive555 Version[NT98513]:2019-09-02
. Flash partition layout has been changed (linux rootfs start offset relocated from0x6e0000
to0x620000
, linux kernel partition size has been decreased accordingly). -
v3.0.0.20_20052300, released 2020/05/23, with GUI v1.0.261.
The monolithicdvr
app has been replaced by smaller apps (netserver
,onvif
,rtsp
, ...). RTSP encoderliblive555 Version[NT98513]:2019-09-02
. -
v2.0.0.647_20031401, released 2020/03/14, with GUI v1.0.261.
RTSP encoderliblive555 Version[NT9851X]:2020-03-14
. -
v2.0.0.448_19061407, released 2019/06/14, with GUI v1.0.242.
RTSP encoderliblive555 Version[NT9851X]:2019-06-14
. -
209_18093004 and probably many older versions for which no download link is known
Wishlist / Help
-
If you find time to reverse engineer the
rtsp
application and figure out how the video stream is internally sourced from the eCos-RTOS, please let me know. One final goal would be to re-implement thertsp
application with an up to date live555 library. -
If you have access to the
NA51023
board support package (BSP) withIPCAM
support, please let me know. The file is probably namedNA51023_BSP_20180223_IPCAM_V1.0.01.tar.bz2
or the like. -
The OpenIPC project might be a good starting point for an alternative firmware, they have kernel support for other Novatek SoCs and the OS05A10 image sensor seems to be known as well.
Misc
-
Reolink is a brand name of the chinese company Shenzhen Baichuan Security Technology Co., Ltd..
-
With
get_sysinfo
debug information about the various video streams is displayed, see sample output. -
The camera uses nginx as web server. The RTMP stream is orchestrated by the rtmp-module.
-
The LIVE555 Media Server is used for RTSP streaming.
-
One can find various info about the NT98515 on Lxnicks's chinese website.
-
George Hillard has some very interesting hard- and software findings on the Reolink B800.
-
Vincent Mallet has an advanced tool to work with .pak-files.
-
AT0myks has a comprehensive archive of Reolink firmware files.