So a couple of years ago I bought some KK-SP3 (from ikonke). They are ‘wireless smart plugs’, and despite their pretty-sketch appearance, work.

Its a tiny little white box that plus into your electrical outlet, and contains a relay and small linux board.

The only real issue that i had initially was that it came with Chinese power pins (angled). So I did what you would expect, gave them a twist with some pliers, and, well, it works (see below, twisty!). The ground pin was in the wrong spot, but, well, after checking it wasn’t connected internally anyway, so I didn’t feel bad about making that disappear.

OK, so we ran that for a while. I integrated these w/ home-assistant in a very simple way, by putting a bash-script cgi/json file in /www/cgi-bin. Life was good. (Did i mention the hacking of the device initially was trivial: turn it on, it exposes a WiFi SSID as OK-SP3. Connect, ssh as root, the password is ‘p9z34c’.

A couple of other minor changes (enable wifi on ‘wwan’, etc), and we were golden. Lights were automated, everyone was happy.

When suddenly a wild vulnerability appeared. Dropbear is cracked wide open. CVE-2016-7406. OK, no problem, let me just go back to the manuf… crap. That didn’t work.

OK, next step is, we’re already pretty much in, lets just rebuild it all from upstream OSS.

It turns out this wasn’t that bad. If we use the WR703N config from Lede (the fork of OpenWRT), it just works. Enable it, add uhttpd, and build away.

Now, one thing to watch out for, there is no Ethernet port, and the image by default disables WiFi. So, when running sysupgrade, edit /etc/sysupgrade.conf first. Or, put the files u want in files/… dir in the build-root before you build.

Now, one minor niggle, the original image has this nicely named GPIO ‘relay’ to toggle the relay. But this is not defined in the BSP for the WR703N. So, well, lets hunt it down. Turns out its GPIO 26.

So we can just use it as-is w/o the nice name.

echo 26 > /sys/class/gpio/export 
echo out > /sys/class/gpio/gpio26/direction 
echo 1 > /sys/class/gpio/gpio26/value # on
echo 0 > /sys/class/gpio/gpio26/value # off

And we are done! Now we are back to fully secure on this device.

Oh yeah, want to see the wild interior of this ‘highly safe’ device? Here it is, de-spudged. Its a tiny board (removed here) w/ the SOC/radio on it, an a 120V-3.3V power supply wedged around the plug.

So yeah, after ~2 hours of playing w/ this to get it fixed, uh, do you think the original $15 price was worth it?


When I was a kid my pride and joy was a TRS-80 Model III. It was used when it came to me, and I didn’t have floppy drives (although the cassette interface was fast).

It spent a lot of its life w/ the top off (tipped sideways) to get at its glorious internals, where it was integrated to various hackeries of my early teen mind, the pièce de résistance being an integration to the Radio Shack Mobile Armatron (below).

Now, one of the key debugging techniques I used to use (other than the common ‘debug print’) was an AM radio. Yes you heard that right. It turns out that you could construct ‘spin’ loops that would make tones on a nearby AM radio, and you could use those to figure out where your code was (this predates debuggers, I had no printer, nothing else with a serial port, etc). This predates me having a modem, but it was the same sort of glorious 8-bit noise. Lots of distortion and static, but glorious.

Fast forward in my career a three decades, and the AM radio is no longer commonly used. Or is it?

You see, this technique can still be useful. First, lets talk about Van Eck Phreaking. Its like science fiction, but in fact was what I was using in the very early 80’s. You see, people can ‘sniff’ the inadvertent radio emissions of nearby devices. You can use it to figure out keystrokes, even what is showing on a monitor. Here’s a bit of an example, through 2 walls, someone viewed a monitor.

OK, great, but, what else can it do? Well, have you considered covert exfiltration? What if you have a computer on an isolated network. Maybe its where you store the caramilk secret in your manufacturing process (go on, if you are a child of the 80’s click that link for some sweet nostalgia). But you feel pretty secure since that machine is not on the Internet. But what if i showed you a way that it could send data outside the building, as-is, with no wires, no wifi, using only JavaScript?

Here’s an implementation of an AM radio tone-system, just like back in my TRS-80 days. All in JavaScript. And now you can send info to a listener that is nearby, but difficult to find. From that mission-impossible air-gapped network.

sim phish

Another day another data breach. (Have you checked yourself on https://haveibeenpwned.com/? I’m thinking of making “have i not been pwned” and the answer is NO). OK, we are getting inured to this by now. Yawn, change the password on that site, we are good right?

Well, no. The media reporting always has the same things in it “they didn’t get financial information” so we don’t worry. After all, with today’s Bell Canada breach, what could anyone use my ExpressVu info for? So we go down this logical fallacy path of “did i share that password with other sites” etc. And the advice we are always given causes us to keep going the wrong way… “no financial info”… “only email + name + phone number + address + account number”. Who cares what my ExpressVu account number is? I make my phone number available to people, so…

OK, here’s where they get you. Ever switched carriers? You go to carrier B, buy a sim, and the number is ported over. Or maybe you’ve lost a phone/sim, get a new one, and they move it. What info did u provide to make that happen? What? the same info as in the breach? Oh, this means someone could ‘take over’ my sim (maybe with a little social engineering hacks). Hmm. OK, that would be an irritant but… Wait, I use that phone number as a 2-factor-authentication w/ SMS on another site. And, the phone number is the ‘backup’ for ‘I forgot my password’ at my bank.

And then the penny drops. You see, the mundane info of your phone company relationship is not interesting. But, it can be used to take over something that is interesting, like your banking. You see, it likely needs very little info to have a bank rep call you on the number on file, or SMS you, with a new password. So if I can get your SIM, I can get your life. And phone company info is prime for that, but also lots of sites have those ‘mundane’ details.

One defence which you would think would work would be to call the mobile company and have them put a note on your file “do not port out this sim”. Well, it turns out, that doesn’t always work. The scammer will keep calling the call centre until someone is busy, or doesn’t notice. Check this thread for this happening w/ t-mobile (t-mobile has this page about how to protect yourself, and tons of threads of angry people who didn’t read it.). Want to know more? Click here. This is an excellent blog post on the subject and motivations, and the blogger actually tests the UK carriers (hint, they fail).

So, next time you see a data breach, and a bunch of text about how some low-level risk can be mitigated, ask yourself, what about the risks they are not mentioning? Social engineering is powerful, and getting that account info makes it not too hard.

And maybe look into with your carrier how to put a lock on porting your sim out (or adding a second line).

I’m a big fan of “the invisible hand“, an economics concept coined by Adam Smith. The concept is that your individual selfish action can cause (good) social benefits elsewhere. An example would be putting a $0.05 tax on a plastic grocery bag. You being the cheapskate you are now reuse bags, and that causes a huge benefit for the environment and society. It was’t about raising that $0.05/bag for revenue, it was about people suddenly seeing that bag as a cost.

Now, lets talk about two of my favourite domains… the security (or lack thereof) on the army of IoT devices that inhabit our lives, and, the huge ongoing maintenance effort associated with them. Could we apply an invisible hand to make society safer and more efficient?

Look around your house, do a nose-count. How many devices are somewhat Internet-enabled? Smart-tv? Tablet? Receiver? Stereo? Thermostat? Alarm? Various kids toys? Drone? Cat-feeder? Dog-treat-launcher? Car? Smart-Speaker? Security Camera? It doesn’t take long to get 30+.

Now, ask yourself, honestly. When you bought all that, did you look at each vendor critically from a lens of:

  1. which has better security practises (and thus is likely to be more secure in the long run)
  2. which was easier to manage/upgrade in the long run

Of course you didn’t. Instead you used ‘features’ and ‘cost’. You have no means of even evaluating those other items.

Now, what if, there were some way you could evaluate those two things, and, vote with your wallet? This would have a dramatic affect on the manufacturers.

First, lets talk about one of the extremely inconvenient truths about the consumer IoT gadget space. The business model. As a consumer, you want to buy it once, own it for life, and not have an ongoing fee.  And this is a huge disincentive to stick around and make a device secure for life. it creates the flip-side behaviour of ‘develop it fast, get it to market, and move on while selling it’. Any development post initial sale is seen as a waste of time, a cost.

Now lets talk about that second inconvenient truth. Management. Its hard to make things easy to manage. That same business problem above, as a manufacturer, I can just shift all the costs to you with complex upgrade approaches.

Now, lets look at a device which has a pretty good track record here. The Nest Thermostat. Or its better cousin, the Ecobee. They are pretty strong in the 2nd category (they upgrade themselves automatically). And, we have not yet seen them be hacked, so presumably strong in the first categoy. One of the ‘bellwether’ things I look for is how often things are upgraded, and, if we look at my Nest, it was upgraded 2 hours ago! All by itself.

So why black out the serial/mac? Well, its because the security is somewhat opaque. Yes I think Google cares about security, yes I think they have strong practises. But, no one really knows how this device works, perhaps there is some backdoor that uses something calculated from the two.

So how would I score these devices? 9/10 on management, and 6/10 on security. How would I make that 6 be a 10? Well, transparency, a published policy on ‘what will we do when we give up patching’, ‘how long will we patch’, etc.

So, could we construct a score, something the typical consumer could internalise, and allow them to vote with their wallet? E.g. if two similar price/feature devices, one is cheaper to run and more secure, that manufacturer would be rewarded? Many say this is too complex to understand. But, well, nutrition labels took off, and they are not simple. EnergyStar took off. So yes, voluntary labelling, and consumer awareness, have had positive affects in other complex areas of industry.

Any input on what factors one would look for?

  • Lifecycle policy (how many years will this be supported)
  • End-of-life policy (will it be open-sourced? bricked?)
  • Update cycle (how often, how quickly in response to problems)
  • Is the firmware signed? How are the keys managed? Is there an external ‘ca’ that manages? Is that audited? Is there ‘transparency’ on the keys issued?
  • Versions of software installed, is there a list made available of all the components?
  • ISO 27001 facility?
  • Secure-by-default? Or well-known initial password?

And for ease-of-use (which is coupled with security in my mind, after all, how often do you update the complex devices? Not often you lazy sod!)

  • Is it automatic update, on-by-default?
  • Warning if updates fail?
  • Does it work the same way ‘the other devices’ do, or is it different?

Others?

I think there are some business opportunities here:

  • CA/signing authority for 3rd party firmware
  • Blockchain… sign the chain of software (e.g. linux-kernel->libc->libssl->nginx->camera app)
  • Standardised ‘update as a service’, some modular method each piece can be independently upgraded (e.g. upgrade OS vs app)
  • Standardised ‘get initial WiFi SSID and password’ configured instead of all the weird and wonderful apps to ‘find’ your new device
  • 3rd party monitoring/audit/certification

Others? The next stage in this grand-master plan would be, after launch of the score, and consumer education, we’d start to charge a ‘tax’ for the weak products. And then Darwin would take over!

The Xiaomi XiaoFang. Its a cheap IP camera (~$20-$30) that delivers decent quality. Is it a candidate to be ‘improved’ with a bit of hacking? You betcha!.

Spurred on by some external impetus, I acquired a WyzeCam. And of course, before turning it on, we took it apart!

A bit of squeezing, prying, and a small Philips screwdriver, and the contents were revealed. We can see the RX/TX/GND for the serial port, so lets assume its TTL and solder it up. I’m going to route the cables externally, so I hot-glue a header to the side of the USB-A connector and reach for the dremmel to expand the hole a little bit.

Inside, we have two PCB (the CPU etc board, and the camera board) connected by a pair of ribbon cables. Tweeze them out, and we are left with the individuals ready for the solder.

OK, reassemble, you can’t even tell the mod is there, the headers just peak through the case above the USB port.

Hacking it is embarrassingly simple. Place a SD card in, and it sells you its looking for a script to run. Or, you can just modify files in /etc since its jffs2 mounted overtop of the rootfs. OK, well that was simple.

Now. I’m not super interested in the embedded app, so we apply fang-hacks. These are very basic, and zero security (not even a thin patina of guessable password), so we’ll have to address that in a bit. The fang-hacks revectors the snx_rtsp_server to send a single stream locally. So i guess that’s better. But I really would prefer this have multiple streams, save to the NAS when there is motion, and have a snapshot interface for home-assistant. So, naively, I assume there will be a great OSS project that has something, perhaps from the Raspberry Pi folks. Something w/a simple web interface, and exposing the uvc video endpoints (the hardware does support multiple simultaneously). Sadly, this was not to be, closest i can find is mjpg-streamer which is somewhat out of date.

So, I’ll dive in and create a cross-compilation environment, get libjpeg going etc, and see where this ends up. If you know of anything (I mean anything) as an OSS project that would handle a HTTP snapshot interface, an RTSP streaming interface, and a simple web UI, let me know (maybe I’ll see if vlc can fit?)

PS, the default method of config for this device is a ‘novel’ concept. You press a button on the bottom, it says something in Chinese, you run the Mi home app, it then gives you a QR code, you hold that in front of the camera, and it reads it. Um, novel, but not that convenient for me. So I think putting the initial password/wifi info on the sdcard will be the way I go. Or, maybe, pressing the button starts a WiFi AP for the next minute and connect via web interface.

pps for you u-boot /dmesg junkies:

U-Boot 2011.09 (Sep 15 2017 - 20:19:00)                                                                                                  
                                                                                                                                         
DRAM:  64 MiB                                                                                                                            
MMC:   MMC: 0                                                                                                                            
SPI FLASH: 16 MB                                                                                                                         
In:    serial                                                                                                                            
Out:   serial                                                                                                                            
Err:   serial                                                                                                                            
GPIO[2] is high                                                                                                                          
Hit any key to stop autoboot:  0                                                                                                         
roofsr size = 0x6d3070                                                                                                                   
## Booting kernel from Legacy Image at 00008000 ...                                                                                      
   Image Name:   Linux-2.6.35.12                                                                                                         
   Image Type:   ARM Linux Kernel Image (uncompressed)                                                                                   
   Data Size:    3038112 Bytes = 2.9 MiB                                                                                                 
   Load Address: 00008000                                                                                                                
   Entry Point:  00008040                                                                                                                
   Verifying Checksum ... OK                                                                                                             
   XIP Kernel Image ... OK                                                                                                               
OK                                                                                                                                       
                                                                                                                                         
Starting kernel ...                                                                                                                      
                                                                                                                                         
Uncompressing Linux... done, booting the kernel.                                                                                         
Linux version 2.6.35.12 (fedora@localhost.localdomain) (gcc version 4.5.2 (SONiX GCC-4.5.2 Release 2011-12-06) ) #27 Thu Dec 22 18:48:16 6
CPU: ARM926EJ-S [41069265] revision 5 (ARMv5TEJ), cr=00057177                                                                            
CPU: VIVT data cache, VIVT instruction cache                                                                                             
Machine: SONiX SN98600 Development Platform                                                                                              
Memory policy: ECC disabled, Data cache writeback                                                                                        
CPU: found ITCM 16k @ ffff4000, enabled                                                                                                  
Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 16256                                                               
Kernel command line: console=ttyS0,115200 root=/dev/mtdblock2 init=/linuxrc mem=64M isp=10M vc=12M vo=0M mtdparts=snx-spi:768k(uboot),307)
PID hash table entries: 256 (order: -2, 1024 bytes)                                                                                      
Dentry cache hash table entries: 8192 (order: 3, 32768 bytes)                                                                            
Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)                                                                             
Memory: 64MB = 64MB total                                                                                                                
Memory: 36836k/36836k available, 28700k reserved, 0K highmem                                                                             
Virtual kernel memory layout:                                                                                                            
    vector  : 0xffff0000 - 0xffff1000   (   4 kB)                                                                                        
    fixmap  : 0xfff00000 - 0xfffe0000   ( 896 kB)                                                                                        
    DMA     : 0xffa00000 - 0xffe00000   (   4 MB)                                                                                        
    vmalloc : 0xc4800000 - 0xe0000000   ( 440 MB)                                                                                        
    lowmem  : 0xc0000000 - 0xc4000000   (  64 MB)                                                                                        
    modules : 0xbf000000 - 0xc0000000   (  16 MB)                                                                                        
      .init : 0xc0008000 - 0xc0026000   ( 120 kB)                                                                                        
      .text : 0xc0026000 - 0xc04ec000   (4888 kB)                                                                                        
      .data : 0xc050a000 - 0xc0535440   ( 174 kB)                                                                                        
SLUB: Genslabs=11, HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1                                                                  
Hierarchical RCU implementation.                                                                                                         
        RCU-based detection of stalled CPUs is disabled.                                                                                 
        Verbose stalled-CPUs detection is disabled.                                                                                      
NR_IRQS:96                                                                                                                               
Console: colour dummy device 80x30                                                                                                       
console [ttyS0] enabled                                                                                                                  
Calibrating delay loop... 200.29 BogoMIPS (lpj=1001472)                                                                                  
pid_max: default: 32768 minimum: 301                                                                                                     
Mount-cache hash table entries: 512                                                                                                      
CPU: Testing write buffer coherency: ok                                                                                                  
NET: Registered protocol family 16                                                                                                       
0x00a00000 bytes system memory reserved for isp device at 0x005ec000                                                                     
0x00c00000 bytes system memory reserved for vc device at 0x00fec000                                                                      
bio: create slab  at 0                                                                                                            
SCSI subsystem initialized                                                                                                               
usbcore: registered new interface driver usbfs                                                                                           
usbcore: registered new interface driver hub                                                                                             
usbcore: registered new device driver usb                                                                                                
Linux media interface: v0.10                                                                                                             
Linux video capture interface: v2.00                                                                                                     
Advanced Linux Sound Architecture Driver Version 1.0.23.                                                                                 
cfg80211: Calling CRDA to update world regulatory domain                                                                                 
Switching to clocksource ft_clocksource                                                                                                  
NET: Registered protocol family 2                                                                                                        
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)                                                                           
TCP established hash table entries: 2048 (order: 2, 16384 bytes)                                                                         
TCP bind hash table entries: 2048 (order: 1, 8192 bytes)                                                                                 
TCP: Hash tables configured (established 2048 bind 2048)                                                                                 
TCP reno registered                                                                                                                      
UDP hash table entries: 256 (order: 0, 4096 bytes)                                                                                       
UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)                                                                                  
NET: Registered protocol family 1                                                                                                        
RPC: Registered udp transport module.                                                                                                    
RPC: Registered tcp transport module.                                                                                                    
RPC: Registered tcp NFSv4.1 backchannel transport module.                                                                                
exFAT: Version 1.2.9                                                                                                                     
JFFS2 version 2.2. (NAND)  2001-2006 Red Hat, Inc.                                                                                       
fuse init (API version 7.14)                                                                                                             
msgmni has been set to 71                                                                                                                
async_tx: api initialized (async)                                                                                                        
io scheduler noop registered (default)                                                                                                   
SONIX UART driver, (c) 2013 Sonix                                                                                                        
snx_uart.0: ttyS0 at MMIO 0x98a00000 (irq = 8) is a SONiX                                                                                
snx_uart.1: ttyS1 at MMIO 0x98b00000 (irq = 10) is a SONiX                                                                               
brd: module loaded                                                                                                                       
loop: module loaded                                                                                                                      
6 cmdlinepart partitions found on MTD device snx-spi                                                                                     
Creating 6 MTD partitions on "snx-spi":                                                                                                  
0x000000000000-0x0000000c0000 : "uboot"                                                                                                  
0x0000000c0000-0x0000003c0000 : "kernel"                                                                                                 
0x0000003c0000-0x000000ac0000 : "rootfs"                                                                                                 
0x000000ac0000-0x000000ec0000 : "rescue"                                                                                                 
0x000000ec0000-0x000000fc0000 : "etc"                                                                                                    
0x000000fc0000-0x000001000000 : "userconfig"                                                                                             
snx_spi_init register                                                                                                                    
PPP generic driver version 2.4.2                                                                                                         
PPP Deflate Compression module registered                                                                                                
PPP BSD Compression module registered                                                                                                    
usbcore: registered new interface driver zd1211rw                                                                                        
ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver                                                                               
snx_ehci snx_ehci.0: snx_ehci                                                                                                            
snx_ehci snx_ehci.0: new USB bus registered, assigned bus number 1                                                                       
snx_ehci snx_ehci.0: irq 24, io mem 0x90800000                                                                                           
snx_ehci snx_ehci.0: USB 0.0 started, EHCI 0.96                                                                                          
usb usb1: New USB device found, idVendor=1d6b, idProduct=0002                                                                            
usb usb1: New USB device strings: Mfr=3, Product=2, SerialNumber=1                                                                       
usb usb1: Product: snx_ehci                                                                                                              
usb usb1: Manufacturer: Linux 2.6.35.12 ehci_hcd                                                                                         
usb usb1: SerialNumber: sonix-ehci                                                                                                       
hub 1-0:1.0: USB hub found                                                                                                               
hub 1-0:1.0: 1 port detected                                                                                                             
Initializing USB Mass Storage driver...                                                                                                  
usbcore: registered new interface driver usb-storage                                                                                     
USB Mass Storage support registered.                                                                                                     
usbcore: registered new interface driver usbserial                                                                                       
USB Serial support registered for generic                                                                                                
usbcore: registered new interface driver usbserial_generic                                                                               
usbserial: USB Serial Driver core                                                                                                        
USB Serial support registered for GSM modem (1-port)                                                                                     
usbcore: registered new interface driver option                                                                                          
option: v0.7.2:USB Driver for GSM modems                                                                                                 
mice: PS/2 mouse device common for all mice                                                                                              
i2c /dev entries driver                                                                                                                  
SONIX SNX I2C adapter driver, (c) 2012 Sonix                                                                                             
snx_i2c.0: SNX I2C0 controller at 0x98300000 (irq = 1)                                                                                   
I2C GPIO driver INIT                                                                                                                     
snx_i2c.1: SNX I2C1 controller at 0x98400000 (irq = 2)                                                                                   
snx_hdma snx_hdma: SNX AHB DMA Controller (memcpy memset), 4 channels                                                                    
SNX AHB DMA driver register                                                                                                              
usbcore: registered new interface driver usbhid                                                                                          
usbhid: USB HID core driver                                                                                                              
usbcore: registered new interface driver snd-usb-audio                                                                                   
ALSA device list:                                                                                                                        
  No soundcards found.                                                                                                                   
Netfilter messages via NETLINK v0.30.                                                                                                    
nf_conntrack version 0.5.0 (575 buckets, 2300 max)                                                                                       
CONFIG_NF_CT_ACCT is deprecated and will be removed soon. Please use                                                                     
nf_conntrack.acct=1 kernel parameter, acct=1 nf_conntrack module option or                                                               
sysctl net.netfilter.nf_conntrack_acct=1 to enable it.                                                                                   
ctnetlink v0.93: registering with nfnetlink.                                                                                             
xt_time: kernel timezone is -0000                                                                                                        
IPv4 over IPv4 tunneling driver                                                                                                          
GRE over IPv4 tunneling driver                                                                                                           
ip_tables: (C) 2000-2006 Netfilter Core Team                                                                                             
arp_tables: (C) 2002 David S. Miller                                                                                                     
TCP cubic registered                                                                                                                     
NET: Registered protocol family 10                                                                                                       
lo: Disabled Privacy Extensions                                                                                                          
tunl0: Disabled Privacy Extensions                                                                                                       
IPv6 over IPv4 tunneling driver                                                                                                          
sit0: Disabled Privacy Extensions                                                                                                        
ip6tnl0: Disabled Privacy Extensions                                                                                                     
NET: Registered protocol family 17                                                                                                       
lib80211: common routines for IEEE802.11 drivers                                                                                         
VFS: Mounted root (cramfs filesystem) readonly on device 31:2.                                                                           
Freeing init memory: 120K                                                                                                                
hub 1-0:1.0: /run/media/fedora/software/SN986_1.50_P2P_TUTK_050a_20160921_1712/snx_sdk/kernel/linux-2.6.35.12/src/drivers/usb/core/hub.c 0
hub 1-0:1.0: port 1, status 0503, change 0000, 480 Mb/s                                                                                  
Create device file                                                                                                                       
snx_crypto driver loaded.                                                                                                                
sonix crypto diver register                                                                                                              
sonix_nvram_init                                                                                                                         
Init nvram id: 1303281516                                                                                                                
Init nvram_crc id: 0x65535                                                                                                               
nvram_check crc = 64197 crc_ref = 65535                                                                                                  
[nvram_check:725] CRC error                                                                                                              
SONIX Kernel NVRAM initialized                                                                                                           
starting pid 529, tty '': '/etc/init.d/rcS'                                                                                              
Load drivers...                                                                                                                          
usb 1-1: new high speed USB device using snx_ehci and address 2                                                                          
Sonix GPIO Driver                                                                                                                        
driver loaded.                                                                                                                           
sonix snx_aud_gpio diver register                                                                                                        
usb 1-1: New USB device found, idVendor=0bda, idProduct=0179                                                                             
usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3                                                                        
usb 1-1: Product: 802.11n NIC                                                                                                            
usb 1-1: Manufacturer: Realtek                                                                                                           
usb 1-1: SerialNumber: C06D1AFB799D                                                                                                      
Load audio drivers...                                                                                                                    
Load video drivers...                                                                                                                    
SNX_AUDIO: driver register.                                                                                                              
SNX_SIGMA: adc submod driver init ok.                                                                                                    
snx_isp snx_isp.0: [ISP] isp_camera_probe                                                                                                
soc-camera-pdrv soc-camera-pdrv.0: Probing soc-camera-pdrv.0                                                                             
scan:sc2135                                                                                                                              
SNX_R2R: dac submod driver init ok.                                                                                                      
sc2135 stop streaming                                                                                                                    
0x0103 = 0x00                                                                                                                            
0x0100 = 0x00                                                                                                                            
0x3e03 = 0x03                                                                                                                            
0x3e01 = 0x46                                                                                                                            
0x3e08 = 0x00                                                                                                                            
0x3e09 = 0x10                                                                                                                            
0x3416 = 0x11                                                                                                                            
0x3300 = 0x20                                                                                                                            
0x3301 = 0x08                                                                                                                            
0x3303 = 0x30                                                                                                                            
0x3306 = 0x78                                                                                                                            
0x330b = 0xd0                                                                                                                            
0x3309 = 0x30                                                                                                                            
0x3308 = 0x0a                                                                                                                            
0x331e = 0x26                                                                                                                            
0x331f = 0x26                                                                                                                            
0x3320 = 0x2c                                                                                                                            
0x3321 = 0x2c                                                                                                                            
0x3322 = 0x2c                                                                                                                            
0x3323 = 0x2c                                                                                                                            
0x330e = 0x20                                                                                                                            
0x3f05 = 0xdf                                                                                                                            
0x3f01 = 0x04                                                                                                                            
0x3626 = 0x04                                                                                                                            
0x3312 = 0x06                                                                                                                            
0x3340 = 0x03                                                                                                                            
0x3341 = 0x68                                                                                                                            
0x3342 = 0x02                                                                                                                            
0x3343 = 0x20                                                                                                                            
0x3333 = 0x10                                                                                                                            
0x3334 = 0x20                                                                                                                            
0x3621 = 0x18                                                                                                                            
modprobe: module 'mt7601Ust0x3626 = 0x04                                                                                                 
a' not found                                                                                                                             
0x3635 = 0x34                                                                                                                            
0x3038 = 0xa4                                                                                                                            
0x3630 = 0x84                                                                                                                            
0x3622 = 0x0e                                                                                                                            
0x3620 = 0x62                                                                                                                            
0x3627 = 0x08                                                                                                                            
0x3637 = 0x87                                                                                                                            
0x3638 = 0x86                                                                                                                            
0x3034 = 0xd2                                                                                                                            
0x5780 = 0xff                                                                                                                            
0x5781 = 0x0c                                                                                                                            
0x5785 = 0x10                                                                                                                            
0x3d08 = 0x01                                                                                                                            
0x3640 = 0x00                                                                                                                            
0x3662 = 0x82                                                                                                                            
0x335d = 0x00                                                                                                                            
0x4501 = 0xa4                                                                                                                            
0x3333 = 0x00                                                                                                                            
0x3627 = 0x02                                                                                                                            
0x3620 = 0x62                                                                                                                            
0x5781 = 0x04                                                                                                                            
0x3333 = 0x10                                                                                                                            
0x3306 = 0x69                                                                                                                            
0x3635 = 0x52                                                                                                                            
0x3636 = 0x7c                                                                                                                            
0x3631 = 0x84                                                                                                                            
0x3637 = 0x88                                                                                                                            
0x3306 = 0x6b                                                                                                                            
0x330b = 0xd0                                                                                                                            
0x3630 = 0x84                                                                                                                            
0x303a = 0x07                                                                                                                            
0x3039 = 0x76                                                                                                                            
0x3343 = 0x40                                                                                                                            
0x3f04 = 0x02                                                                                                                            
0x3f05 = 0x04                                                                                                                            
0x3340 = 0x03                                                                                                                            
0x3341 = 0xe5                                                                                                                            
0x3207 = 0x4e                                                                                                                            
0x335d = 0x20                                                                                                                            
0x3368 = 0x02                                                                                                                            
0x3369 = 0x00                                                                                                                            
0x336a = 0x04                                                                                                                            
0x336b = 0x65                                                                                                                            
0x330e = 0x20                                                                                                                            
0x3367 = 0x05                                                                                                                            
0x3620 = 0x92                                                                                                                            
0x3634 = 0xd2                                                                                                                            
0x3633 = 0x17                                                                                                                            
0x3315 = 0x02                                                                                                                            
0x3334 = 0xa0                                                                                                                            
0x3312 = 0x00                                                                                                                            
0x335e = 0x02                                                                                                                            
0x335f = 0x0a                                                                                                                            
0x3306 = 0x60                                                                                                                            
0x3f04 = 0x01                                                                                                                            
0x3f05 = 0xf7                                                                                                                            
0x303a = 0x15                                                                                                                            
0x3039 = 0x2e                                                                                                                            
0x3035 = 0x25                                                                                                                            
0x3034 = 0x2e                                                                                                                            
0x3036 = 0x00                                                                                                                            
0x320c = 0x04                                                                                                                            
0x320d = 0x65                                                                                                                            
0x320e = 0x04                                                                                                                            
0x320f = 0xb0                                                                                                                            
0x3368 = 0x02                                                                                                                            
0x3369 = 0x4b                                                                                                                            
0x363a = 0x04                                                                                                                            
0x336b = 0xb0                                                                                                                            
0x3306 = 0x70                                                                                                                            
0x3640 = 0x01                                                                                                                            
0x3034 = 0x2e                                                                                                                            
0x3633 = 0x16                                                                                                                            
0x3211 = 0x14                                                                                                                            
sensor:sc2135 (id:0x2135) driver loadded                                                                                                 
sc2135 start streaming                                                                                                                   
IQ.bin OK!                                                                                                                               
ubIdx = 6, fps = 25                                                                                                                      
priv->uwMaxExpL = 1440, info->frame_rate = 25                                                                                            
snx_isp snx_isp.0: ISP Camera driver loaded                                                                                              
snx_sd_initial:1289: SD initialisation done.                                                                                             
mmc_rescan:1159 = 0                                                                                                                      
mmc0: new high speed SDHC card at address e624                                                                                           
mmc_add_card:259 = 0                                                                                                                     
mmcblk0: mmc0:e624 ACLCF 119 GiB                                                                                                         
 mmcblk0: p1 p2                                                                                                                          
mmc_add_card:265 = 0                                                                                                                     
snx_vc snx_vc: sonix_vc device registered as /dev/video1                                                                                 
snx_vc snx_vc: sonix_vc device registered as /dev/video1                                                                                 
snx_vc snx_vc: sonix_vc device registered as /dev/video2                                                                                 
snx_vc snx_vc: sonix_vc device registered as /dev/video2                                                                                 
RTL871X: module init start                                                                                                               
RTL871X: rtl8188eu v4.3.24_16705.20160509                                                                                                
RTL871X: build time: Jan 19 2017 06:53:17                                                                                                
RTL871X:                                                                                                                                 
usb_endpoint_descriptor(0):                                                                                                              
RTL871X: bLength=7                                                                                                                       
RTL871X: bDescriptorType=5                                                                                                               
RTL871X: bEndpointAddress=81                                                                                                             
RTL871X: wMaxPacketSize=512                                                                                                              
RTL871X: bInterval=0                                                                                                                     
RTL871X: RT_usb_endpoint_is_bulk_in = 1                                                                                                  
RTL871X:                                                                                                                                 
usb_endpoint_descriptor(1):                                                                                                              
RTL871X: bLength=7                                                                                                                       
RTL871X: bDescriptorType=5                                                                                                               
RTL871X: bEndpointAddress=2                                                                                                              
RTL871X: wMaxPacketSize=512                                                                                                              
RTL871X: bInterval=0                                                                                                                     
RTL871X: RT_usb_endpoint_is_bulk_out = 2                                                                                                 
RTL871X:                                                                                                                                 
usb_endpoint_descriptor(2):                                                                                                              
RTL871X: bLength=7                                                                                                                       
RTL871X: bDescriptorType=5                                                                                                               
RTL871X: bEndpointAddress=3                                                                                                              
RTL871X: wMaxPacketSize=512                                                                                                              
RTL871X: bInterval=0                                                                                                                     
RTL871X: RT_usb_endpoint_is_bulk_out = 3                                                                                                 
RTL871X: nr_endpoint=3, in_num=1, out_num=2                                                                                              
                                                                                                                                         
RTL871X: USB_SPEED_HIGH                                                                                                                  
RTL871X: CHIP TYPE: RTL8188E                                                                                                             
RTL871X: rtw_hal_config_rftype RF_Type is 3 TotalTxPath is 1                                                                             
RTL871X: Chip Version Info: CHIP_8188E_Normal_Chip_TSMC_D_CUT_1T1R_RomVer(0)                                                             
RTL871X: _ConfigNormalChipOutEP_8188E OutEpQueueSel(0x05), OutEpNumber(2)                                                                
RTL871X: EEPROM type is E-FUSE                                                                                                           
RTL871X: Boot from EFUSE, Autoload OK !                                                                                                  
RTL871X: SetHwReg8188E: bMacPwrCtrlOn=1                                                                                                  
bFWReady == _FALSE call reset 8051...                                                                                                    
RTL871X: =====> _8051Reset88E(): 8051 reset success .                                                                                    
RTL871X: efuse_read_phymap_from_txpktbuf bcnhead:0                                                                                       
RTL871X: efuse_read_phymap_from_txpktbuf len:111, lenbak:111, aaa:111, aaabak:111                                                        
RTL871X: efuse_read_phymap_from_txpktbuf read count:109                                                                                  
RTL871X: EEPROM ID=0x8129                                                                                                                
RTL871X: VID = 0x0BDA, PID = 0x0179                                                                                                      
RTL871X: Customer ID: 0x00, SubCustomer ID: 0xCD                                                                                         
RTL871X: Hal_ReadPowerSavingMode88E...bHWPwrPindetect(0)-bHWPowerdown(0) ,bSupportRemoteWakeup(1)                                        
RTL871X: ### PS params=>  power_mgnt(0),usbss_enable(0) ###                                                                              
RTL871X: ======= Path 0, Channel 1 =======                                                                                               
RTL871X: Index24G_CCK_Base[0][1] = 0x2e                                                                                                  
RTL871X: Index24G_BW40_Base[0][1] = 0x30                                                                                                 
RTL871X: ======= Path 0, Channel 2 =======                                                                                               
RTL871X: Index24G_CCK_Base[0][2] = 0x2e                                                                                                  
RTL871X: Index24G_BW40_Base[0][2] = 0x30                                                                                                 
RTL871X: ======= Path 0, Channel 3 =======                                                                                               
RTL871X: Index24G_CCK_Base[0][3] = 0x2d                                                                                                  
RTL871X: Index24G_BW40_Base[0][3] = 0x2f                                                                                                 
RTL871X: ======= Path 0, Channel 4 =======                                                                                               
RTL871X: Index24G_CCK_Base[0][4] = 0x2d                                                                                                  
RTL871X: Index24G_BW40_Base[0][4] = 0x2f                                                                                                 
RTL871X: ======= Path 0, Channel 5 =======                                                                                               
RTL871X: Index24G_CCK_Base[0][5] = 0x2d                                                                                                  
RTL871X: Index24G_BW40_Base[0][5] = 0x2f                                                                                                 
RTL871X: ======= Path 0, Channel 6 =======                                                                                               
RTL871X: Index24G_CCK_Base[0][6] = 0x2c                                                                                                  
RTL871X: Index24G_BW40_Base[0][6] = 0x2e                                                                                                 
RTL871X: ======= Path 0, Channel 7 =======                                                                                               
RTL871X: Index24G_CCK_Base[0][7] = 0x2c                                                                                                  
RTL871X: Index24G_BW40_Base[0][7] = 0x2e                                                                                                 
RTL871X: ======= Path 0, Channel 8 =======                                                                                               
RTL871X: Index24G_CCK_Base[0][8] = 0x2c                                                                                                  
RTL871X: Index24G_BW40_Base[0][8] = 0x2e                                                                                                 
RTL871X: ======= Path 0, Channel 9 =======                                                                                               
RTL871X: Index24G_CCK_Base[0][9] = 0x2c                                                                                                  
RTL871X: Index24G_BW40_Base[0][9] = 0x2e                                                                                                 
RTL871X: ======= Path 0, Channel 10 =======                                                                                              
RTL871X: Index24G_CCK_Base[0][10] = 0x2c                                                                                                 
RTL871X: Index24G_BW40_Base[0][10] = 0x2e                                                                                                
RTL871X: ======= Path 0, Channel 11 =======                                                                                              
RTL871X: Index24G_CCK_Base[0][11] = 0x2c                                                                                                 
RTL871X: Index24G_BW40_Base[0][11] = 0x2e                                                                                                
RTL871X: ======= Path 0, Channel 12 =======                                                                                              
RTL871X: Index24G_CCK_Base[0][12] = 0x2c                                                                                                 
RTL871X: Index24G_BW40_Base[0][12] = 0x2e                                                                                                
RTL871X: ======= Path 0, Channel 13 =======                                                                                              
RTL871X: Index24G_CCK_Base[0][13] = 0x2c                                                                                                 
RTL871X: Index24G_BW40_Base[0][13] = 0x2e                                                                                                
RTL871X: ======= Path 0, Channel 14 =======                                                                                              
RTL871X: Index24G_CCK_Base[0][14] = 0x2c                                                                                                 
RTL871X: Index24G_BW40_Base[0][14] = 0x2e                                                                                                
RTL871X: EEPROMRegulatory = 0x0                                                                                                          
RTL871X: hal_com_config_channel_plan chplan:0x20                                                                                         
RTL871X: CrystalCap: 0x21                                                                                                                
RTL871X: EEPROM Customer ID: 0x 0                                                                                                        
RTL871X: EEPROM : AntDivCfg = 0, TRxAntDivType = 3                                                                                       
RTL871X: Board Type: 0x 0                                                                                                                
RTL871X: ThermalMeter = 0xf                                                                                                              
RTL871X: rtw_hal_read_chip_info in 270 ms                                                                                                
RTL871X: init_channel_set((null)) ChannelPlan ID:0x20, ch num:13                                                                         
RTL871X: NR_RECVBUFF: 8                                                                                                                  
RTL871X: MAX_RECVBUF_SZ: 4000                                                                                                            
RTL871X: NR_PREALLOC_RECV_SKB: 16                                                                                                        
RTL871X: Enable CONFIG_FIX_NR_BULKIN_BUFFER                                                                                              
RTL871X: rtw_alloc_macid((null)) if1, hwaddr:ff:ff:ff:ff:ff:ff macid:1                                                                   
RTL871X: rtw_macaddr_cfg mac addr:c0:6d:1a:fb:79:9d                                                                                      
RTL871X: bDriverStopped:True, bSurpriseRemoved:False, bup:0, hw_init_completed:0                                                         
RTL871X: rtw_ndev_init(wlan0) if1 mac_addr=c0:6d:1a:fb:79:9d                                                                             
usbcore: registered new interface driver rtl8188eu                                                                                       
RTL871X: module init ret=0                                                                                                               
Set hostname ...                                                                                                                         
Executing script (enabled: 1)                                                                                                            
Cloud apps are disabled                                                                                                                  
Mounting /media/mmcblk0p1                                                                                                                
Starting boa webserver...                                                                                                                
1:0: SD power up.                                                                                                                        
right_count=3  value=0 last_value=0                                                                                                      
1:0: SD power up.                                                                                                                        
1:0: SD power up.                                                                                                                        
Linking /media/mmcblk0p1/bootstrap/www/action -> /tmp/www/cgi-bin/action                                                                 
right_count=3  value=0 last_value=0                                                                                                      
ln: /tmp/www/cgi-bin/action: No such file or directory                                                                                   
Linking /media/mmcblk0p1/bootstrap/www/func.cgi -> /tmp/www/cgi-bin/func.cgi                                                             
ln: /tmp/www/cgi-bin/func.cgi: No such file or directory                                                                                 
right_count=3  value=0 last_value=0                                                                                                      
Linking /media/mmcblk0p1/bootstrap/www/network -> /tmp/www/cgi-bin/network                                                               
ln: /tmp/www/cgi-bin/network: No such file or directory                                                                                  
Linking /media/mmcblk0p1/bootstrap/www/scripts -> /tmp/www/cgi-bin/scripts                                                               
ln: /tmp/www/cgi-bin/scripts: No such file or directory                                                                                  
right_count=3  value=0 last_value=0                                                                                                      
Linking /media/mmcblk0p1/bootstrap/www/status -> /tmp/www/cgi-bin/status                                                                 
ln: /tmp/www/cgi-bin/status: No such file or directory                                                                                   
Failed to find hacks in /media/mmcblk0p2/data!                                                                                           
0:0: SD power up.                                                                                                                        
0:0: SD power up.                                                                                                                        
0:0: SD power up.                                                                                                                        
EXT2-fs (mmcblk0p2): warning: mounting unchecked fs, running e2fsck is recommended                                                       
right_count=3  value=0 last_value=0                                                                                                      
Mounted /media/mmcblk0p2/data                                                                                                            
Running startup scripts                                                                                                                  
right_count=3  value=0 last_value=0                                                                                                      
find snx_autorun.sh                                                                                                                      
Cloud is disabled                                                                                                                        
Welcome to XiaoFang Hacks :-)                                                                                                            
Starting Network...                                                                                                                      
WiFi Client mode: using wpa_supplicant.conf                                                                                              
right_count=3  value=0 last_value=0                                                                                                      
right_count=3  value=0 last_value=0                                                                                                      
right_count=3  value=0 last_value=0                                                                                                      
right_count=3  value=0 last_value=0                                                                                                      
rfkill: Cannot open RFKILL conRTL871X: +871x_drv - drv_open, bup=0                                                                       
trol device                                                                                                                              
RTL871X: Set RF Chip ID to RF_6052 and RF type to 3.                                                                                     
RTL871X: rtl8188e_FirmwareDownload fw:NIC, size: 15414                                                                                   
RTL871X: rtl8188e_FirmwareDownload: fw_ver=16 fw_subver=0000 sig=0x88e1, Month=11, Date=58, Hour=16, Minute=3c                           
RTL871X: polling_fwdl_chksum: Checksum report OK! (1, 0ms), REG_MCUFWDL:0x00030005                                                       
RTL871X: =====> _8051Reset88E(): 8051 reset success .                                                                                    
RTL871X: _FWFreeToGo: Polling FW ready OK! (1, 10ms), REG_MCUFWDL:0x000300c6                                                             
RTL871X: FWDL success. write_fw:1, 80ms                                                                                                  
not in singleboard test                                                                                                                  
starting pid 734, tty '/dev/ttyS0': '/sbin/getty -L ttyS0 115200 vt100'                                                                  
                                                                                                                                         
iSmartAlarm login: ==> rtl8188e_iol_efuse_patch                                                                                          
RTL871X: pDM_Odm TxPowerTrackControl = 1                                                                                                 
RTL871X: pDM_Odm TxPowerTrackControl = 1                                                                                                 
RTL871X: rtl8188eu_hal_init in 1070ms                                                                                                    
RTL871X: wlan0Port-0  set opmode = 2                                                                                                     
RTL871X: MAC Address = c0:6d:1a:fb:79:9d                                                                                                 
RTL871X: -871x_drv - drv_open, bup=1                                                                                                     
ADDRCONF(NETDEV_UP): wlan0: link is not ready                                                                                            
RTL871X: [rtw_wx_set_pmkid] IW_PMKSA_FLUSH!                                                                                              
RTL871X: set_mode = IW_MODE_INFRA                                                                                                        
RTL871X: wlan0Port-0  set opmode = 2                                                                                                     
RTL871X: set bssid:00:00:00:00:00:00                                                                                                     
ioctl[SIOCSIWAP]: Operation not permitted                                                                                                
RTL871X: [rtw_wx_set_pmkid] IW_PMKSA_FLUSH!                                                                                              
udhcpc (v1.22.1) started                                                                                                                 
Sending discover...                                                                                                                      
RTL871X: SetHwReg8188E:(HW_VAR_CHECK_TXBUF)TXBUF Empty(1) in 0 ms                                                                        
RTL871X: survey done event(42) band:0 for wlan0                                                                                          
RTL871X: rtw_indicate_scan_done(wlan0)                                                                                                   
RTL871X: wpa_set_auth_algs, AUTH_ALG_OPEN_SYSTEM                                                                                         
RTL871X: set_mode = IW_MODE_INFRA                                                                                                        
RTL871X: wlan0Port-0  set opmode = 2                                                                                                     
RTL871X:                                                                                                                                 
 wpa_ie(length:22):                                                                                                                      
RTL871X: 0x30 0x14 0x01 0x00 0x00 0x0f 0xac 0x04                                                                                         
RTL871X: 0x01 0x00 0x00 0x0f 0xac 0x04 0x01 0x00                                                                                         
RTL871X: 0x00 0x0f 0xac 0x02 0x00 0x00 0x42 0x42                                                                                         
RTL871X: SetHwReg8188E, 4840, RCR= 700060ca                                                                                              
RTL871X: rtw_wx_set_freq: set to channel 11                                                                                              
RTL871X: =>rtw_wx_set_essid                                                                                                              
RTL871X: ssid=197mohawk-iot, len=13                                                                                                      
RTL871X: set ssid [197mohawk-iot] fw_state=0x00000008                                                                                    
RTL871X: Set SSID under fw_state=0x00000008                                                                                              
RTL871X: [by_bssid:0][assoc_ssid:197mohawk-iot][to_roam:0] new candidate: 197mohawk-iot(f0:b4:29:d9:9e:98, ch1) rssi:-76                 
RTL871X: [by_bssid:0][assoc_ssid:197mohawk-iot][to_roam:0] new candidate: 197mohawk-iot(06:25:9c:13:d4:36, ch11) rssi:-42                
RTL871X: rtw_select_and_join_from_scanned_queue: candidate: 197mohawk-iot(06:25:9c:13:d4:36, ch:11)                                      
RTL871X: link to new AP                                                                                                                  
RTL871X: <=rtw_wx_set_essid, ret 0                                                                                                       
RTL871X: rtw_chk_start_clnt_join(wlan0) req: 11,0,0                                                                                      
RTL871X: rtw_chk_start_clnt_join(wlan0) union: 11,0,0                                                                                    
RTL871X: set bssid:06:25:9c:13:d4:36                                                                                                     
RTL871X: Set BSSID under fw_state=0x00000088                                                                                             
RTL871X: OnBeacon: beacon keys ready                                                                                                     
RTL871X: link to new AP                                                                                                                  
RTL871X: start auth                                                                                                                      
RTL871X: issue_auth                                                                                                                      
RTL871X: OnAuthClient                                                                                                                    
RTL871X: auth success, start assoc                                                                                                       
RTL871X: network.SupportedRates[0]=82                                                                                                    
RTL871X: network.SupportedRates[1]=84                                                                                                    
RTL871X: network.SupportedRates[2]=8B                                                                                                    
RTL871X: network.SupportedRates[3]=96                                                                                                    
RTL871X: network.SupportedRates[4]=2C                                                                                                    
RTL871X: network.SupportedRates[5]=0C                                                                                                    
RTL871X: network.SupportedRates[6]=12                                                                                                    
RTL871X: network.SupportedRates[7]=18                                                                                                    
RTL871X: network.SupportedRates[8]=24                                                                                                    
RTL871X: network.SupportedRates[9]=30                                                                                                    
RTL871X: network.SupportedRates[10]=48                                                                                                   
RTL871X: network.SupportedRates[11]=60                                                                                                   
RTL871X: network.SupportedRates[12]=6C                                                                                                   
RTL871X: issue_assocreq(): the rate[4]=2C is not supported by STA!                                                                       
RTL871X: bssrate_len = 12                                                                                                                
RTL871X: OnAssocRsp                                                                                                                      
RTL871X: report_join_res(5)                                                                                                              
RTL871X: rtw_joinbss_update_network                                                                                                      
RTL871X: rtw_alloc_macid(wlan0) if1, hwaddr:06:25:9c:13:d4:36 macid:0                                                                    
RTL871X: rtw_joinbss_update_stainfo                                                                                                      
RTL871X: supp_mcs_set = 00, 00, 00, rf_type=195, tx_ra_bitmap=0000000000000fff                                                           
RTL871X: ### Set STA_(0) info ###                                                                                                        
RTL871X: assoc success                                                                                                                   
RTL871X: recv eapol packet                                                                                                               
ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready                                                                                       
RTL871X: send eapol packet                                                                                                               
RTL871X: ODM_Get_Rate_Bitmap ==> rssi_level:0x01, WirelessMode:0x03, rate_bitmap:0x00000f00                                              
RTL871X: UpdateHalRAMask8188E => mac_id:0, rate_id:4, networkType:0x03, mask:0x00000fff                                                  
         ==> rssi_level:1, rate_bitmap:0x00000f00                                                                                        
RTL871X: HW_VAR_BASIC_RATE: 0x15f -> 0x15f -> 0x15f                                                                                      
RTL871X: WMM(0): 0, a446                                                                                                                 
RTL871X: WMM(1): 0, a496                                                                                                                 
RTL871X: WMM(2): 0, 5e4332                                                                                                               
RTL871X: WMM(3): 0, 2f3232                                                                                                               
RTL871X: wmm_para_seq(0): 0                                                                                                              
RTL871X: wmm_para_seq(1): 1                                                                                                              
RTL871X: wmm_para_seq(2): 2                                                                                                              
RTL871X: wmm_para_seq(3): 3                                                                                                              
RTL871X: HTOnAssocRsp                                                                                                                    
RTL871X: ODM_Get_Rate_Bitmap ==> rssi_level:0x01, WirelessMode:0x03, rate_bitmap:0x00000f00                                              
RTL871X: UpdateHalRAMask8188E => mac_id:0, rate_id:4, networkType:0x03, mask:0x00000fff                                                  
         ==> rssi_level:1, rate_bitmap:0x00000f00                                                                                        
RTL871X: ### MacID(31),Set Max Tx RPT MID(32)                                                                                            
RTL871X: SetHwReg8188E(wlan0): [HW_VAR_MACID_WAKEUP] macid=0, org reg_0x48c=0x00000000                                                   
RTL871X: rtl8188e_set_FwJoinBssReport_cmd mstatus(1)                                                                                     
RTL871X: rtw_hal_set_fw_rsvd_page PageSize: 128, RsvdPageNUm: 8                                                                          
RTL871X: LocPsPoll: 2                                                                                                                    
RTL871X: LocNullData: 3                                                                                                                  
RTL871X: LocQosNull: 4                                                                                                                   
RTL871X: rtw_hal_set_fw_rsvd_page PageNum(5), pktlen(578)                                                                                
RTL871X: rtw_hal_set_fw_rsvd_page: Set RSVD page location to Fw ,TotalPacketLen(578), TotalPageNum(5)                                    
RTL871X: RsvdPageLoc: ProbeRsp=0 PsPoll=2 Null=3 QoSNull=4 BTNull=0                                                                      
RTL871X: wlan0: 1 DL RSVD page success! DLBcnCount:1, poll:1                                                                             
RTL871X: Set RSVD page location to Fw.                                                                                                   
RTL871X: =>mlmeext_joinbss_event_callback - End to Connection without 4-way                                                              
RTL871X: phydm_rssi_report mac_id:0, mac:06:25:9c:13:d4:36, rssi:61                                                                      
RTL871X: phydm_rssi_report RAINFO - TP:UL, TxBF:DIS, STBC:DIS, Noisy:True, Firstcont:True                                                
RTL871X: recv eapol packet                                                                                                               
RTL871X: send eapol packet                                                                                                               
RTL871X: recv eapol packet                                                                                                               
RTL871X: send eapol packet                                                                                                               
RTL871X:  ~~~~set sta key:unicastkey                                                                                                     
RTL871X: set pairwise key camid:4, addr:06:25:9c:13:d4:36, kid:0, type:AES                                                               
RTL871X:  ~~~~set sta key:groupkey                                                                                                       
RTL871X: ==> rtw_set_key algorithm(4),keyid(2),key_mask(0)                                                                               
RTL871X: set group key camid:5, addr:06:25:9c:13:d4:36, kid:2, type:AES                                                                  
RTL871X: SetHwReg8188E, 4836, RCR= 700060ce                                                                                              
Sending discover...                                                                                                                      
Sending select for 10.255.254.108...                                                                                                     
Lease of 10.255.254.108 obtained, lease time 7200                                                                                        
deleting routers                                                                                                                         
route: SIOCDELRT: No such process                                                                                                        
adding dns 10.255.254.1                                                                                                                  
Starting ntpd...                                                                                                                         
Starting dropbear on port 22...                                                                                                          
Starting RTSP server...                                                                                                                  
Starting IR script...                                                                                                                    
Finished                                                                                                                                 
channel 0 buffer count=2, size=3133440                                                                                                   
snx_vc snx_vc: snx_vc_open: Created instance c339a000, m2m_ctx: c3346800                                                                 
snx_vc snx_vc: snx_vidioc_s_parm: snx_vidioc_s_parm: OUTPUT fps == 30                                                                    
snx_vc snx_vc: snx_vidioc_s_parm: snx_vidioc_s_parm: CAPTURE fps == 30                                                                   
snx_vc snx_vc: s_fmt: Setting format for type 2, wxh: 1920x1080, fmt: 808596563                                                          
snx_vc snx_vc: s_fmt: Setting format for type 1, wxh: 1920x1080, fmt: 875967048                                                          
<<>> alloc size=6266880 reduce size=3133440                                                                               
sc2135 start streaming