
Firmware version 5.2.0? #12

Open
dehness opened this issue Jun 1, 2021 · 49 comments

Comments

@dehness

dehness commented Jun 1, 2021

I seem to have a newer variant of this camera. It's definitely a Tuya camera and looks identical to this one (although it's 1080p).

Specifically, it's an Orion Grid Connect camera from Bunnings and the firmware is 5.2.0.

The only ports it has open are 53 and 6668 and the ppsFactoryTool.txt doesn't appear to work.

The problem with this one is it seems to format and overwrite the SD card on boot. Has anyone else run into this?

@guino
Owner

guino commented Jun 1, 2021

@dehness I have not seen any 5.x firmware before so I can’t tell much from experience. That said it makes sense for the camera to format the SD card once during boot (to ensure it is ready to be used), but it makes no sense for it to format the SD card on every boot otherwise you would lose previous recordings. I would let it boot up/format once then reboot (without changes) to verify it doesn’t reformat it, then only add the files and see if it reformats (I would expect it should not format it). Then you can try the hack to see if it works, if the hardware is the same I would expect it to work but it is possible for the camera to look the same and have different hardware inside, so unless you opened and took some pictures I can’t say for sure. Alternatively if you can get the /devices/deviceinfo URL to work on this camera it should say the hardware model without having to open it.

@damiantof7

damiantof7 commented Jun 24, 2021

Hello,

I got a newer version camera here (Same as the OP) currently being sold as "LSC Outdoor camera"

[image]

/devices/deviceinfo

devname | "Smart Home Camera"
model | "Bullet 4S"
serialno | "100197759"
softwareversion | "5.0.5"
hardwareversion | "B4S_V10_S1_GC1"
firmwareversion | "ppstrong-c71-tuya2_lsc-5.0.5.20210301"
identity | "M1M001AA3202007801"
authkey | "xxxxxxxxxxxx"
deviceid | "xxxxxxxxxxxxxxxxxx"
pid | "aaa"
WiFi MAC | "b4:fb:e3:fc:8d:60"
ETH MAC | "b4:fb:e3:fc:8d:60"

/proc/cmdline:

console=/dev/null LX_MEM=0x3fe0000 mma_heap=mma_heap_name0,miu=0,sz=0x1d00000 pcbversion=B3S_S1_V10 sensor=gc2063mipi

/proc/self/root/home/cfg/tuya_config.json

{
  "version": 0,
  "sleep_mode": 0,
  "alarm_fun_onoff": 0,
  "alarm_fun_sensitivity": 1,
  "alarm_fun_mode_switch": 0,
  "alarm_fun_time_start": 0,
  "alarm_fun_time_end": 0,
  "flip_onoff": 0,
  "light_onoff": 1,
  "night_mode": 0,
  "sound_detect_onoff": 0,
  "sound_detect_sensitivity": 0,
  "watermark_onoff": 1,
  "event_record_time": 60,
  "enable_event_record": 2,
  "record_enable": 1,
  "motion_trace": 1,
  "motion_area_switch": 0,
  "motion_area": "",
  "motion_tracking": 0,
  "cry_detection_switch": 0,
  "humanoid_filter": 0,
  "loudspeaker_vol_pct": 100,
  "onvif_enable": 0,
  "onvif_pwd": "admin"
}

Only port open by default was 6668.
Got port 8090 to open with the ppsFactoryTool.txt,

but can't get any of the rest to work. Anyone got an idea?
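As an added example (not code from this thread or from the repo), the two dumps above can be handled with a small script: it parses the flattened `key | "value"` deviceinfo output into a dict, masks the fields that identify or authenticate the device (the list of fields treated as sensitive is my assumption) so the dump is safe to paste into an issue, and flags the default ONVIF password in tuya_config.json. The sample inputs are constructed from the values posted above.

```python
import json
import re

# Constructed sample: the flattened /devices/deviceinfo output as posted above,
# with authkey and deviceid already masked by the poster.
DEVICEINFO_LINE = (
    'devname | "Smart Home Camera" model | "Bullet 4S" serialno | "100197759" '
    'softwareversion | "5.0.5" hardwareversion | "B4S_V10_S1_GC1" '
    'firmwareversion | "ppstrong-c71-tuya2_lsc-5.0.5.20210301" '
    'identity | "M1M001AA3202007801" authkey | "xxxxxxxxxxxx" '
    'deviceid | "xxxxxxxxxxxxxxxxxx" pid | "aaa" '
    'WiFi MAC | "b4:fb:e3:fc:8d:60" ETH MAC | "b4:fb:e3:fc:8d:60"'
)

# Constructed sample: the ONVIF-related keys from the tuya_config.json posted above.
TUYA_CONFIG_JSON = '{"onvif_enable": 0, "onvif_pwd": "admin", "record_enable": 1}'

# Each field is `key | "value"`; keys may contain spaces (WiFi MAC), values are quoted.
PAIR_RE = re.compile(r'\s*([A-Za-z][A-Za-z0-9 ]*?)\s*\|\s*"([^"]*)"')

# Assumption: these fields identify or authenticate the device and should not be shared.
SENSITIVE_FIELDS = {"authkey", "deviceid", "identity", "serialno", "WiFi MAC", "ETH MAC"}


def parse_deviceinfo(line):
    """Turn the flattened deviceinfo dump into a dict of field -> value."""
    return dict(PAIR_RE.findall(line))


def redact(info):
    """Copy of the deviceinfo dict with sensitive fields masked."""
    return {k: ("<redacted>" if k in SENSITIVE_FIELDS else v) for k, v in info.items()}


def audit_tuya_config(text):
    """Return a list of findings for weak settings in tuya_config.json."""
    cfg = json.loads(text)
    findings = []
    if cfg.get("onvif_pwd") == "admin":
        state = "enabled" if cfg.get("onvif_enable") else "disabled"
        findings.append(f"ONVIF uses the default password 'admin' (ONVIF currently {state})")
    return findings


if __name__ == "__main__":
    for key, value in redact(parse_deviceinfo(DEVICEINFO_LINE)).items():
        print(f"{key:16} {value}")
    for finding in audit_tuya_config(TUYA_CONFIG_JSON):
        print("finding:", finding)
```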

@guino
Owner

guino commented Jun 24, 2021

@damiantof7 the fact that you got /proc/xxxxx to work is a good sign. You could try guino/BazzDoorbell#13 and/or guino/BazzDoorbell#11 to see if it works. If it doesn't, the only way to move forward would be opening the device and connecting a UART-TTL adapter or a hardware programmer.
I would be more than glad to look at the device myself but they’re not available here.

@damiantof7

Yeah, it's a sub-brand from the store itself. They sell all kinds of Tuya products under "LSC". I got an LSC Doorbell here as well that worked perfectly with the Bazz Doorbell hack.

I tried most methods but it doesn't seem to want to execute the ssh file in any way or form, and the /proc/cmdline is way different as well.

@guino
Owner

guino commented Jun 24, 2021

@damiantof7 it's different hardware, so likely a different bootloader, different OS, different drivers, but the application is likely similar so it may be possible to enable rtsp/onvif if we can get access to it. There are probably similar cameras here with a different brand name but it would be hard to spot them.

@damiantof7

damiantof7 commented Jun 24, 2021

Do you think I would be able to do guino/BazzDoorbell#11 with Windows? As it seems to be just formatting to FAT? I got no Linux box lying around.

@guino
Owner

guino commented Jun 24, 2021

@damiantof7 you may be able to find the same tools for Windows, but it would be way easier to boot from a live USB/CD/DVD and do it from there than trying to figure it out in Windows. If you have a Raspberry Pi or similar it should also work (you may need a USB-SD card adapter).

@damiantof7

Oh, and this one, guino/BazzDoorbell#13, I couldn't really try as none of it seems to match up with the firmware on my camera, such as /proc/self/root/etc/init.d/S90PPStrong doesn't return anything and the bootargs part etc. is nowhere near the same.

@guino
Owner

guino commented Jun 24, 2021

@damiantof7 it sounds like we would have to use something entirely new on that firmware (or maybe they just moved files around and we just need to find the new locations). The only way to find out is to open it and connect to UART or use a hardware programmer to read the firmware.

@damiantof7

Never done it before haha, maybe it's time to learn.

@damiantof7

So, I opened up the camera (it was really tough to put it back together).

This is what the board looks like; there are multiple unused connections on the board.

[image]
[image]

Does it look like anything useful to you?

@guino
Owner

guino commented Jun 24, 2021

@damiantof7 UART is likely the four pads on the bottom left above the hole. I would discourage you from doing any solder work if you’re not experienced with it (fragile board). The flash chip is probably on the other side of the board (not pictured).

@damiantof7

Hmm, what do you think is the smartest thing to do in this case, as I've never done this before haha?

@damiantof7

And what would be the best way to connect to the UART port?

@guino
Owner

guino commented Jun 28, 2021

@damiantof7 there's no 'best' way, just one way: soldering wires into a TTL-UART adapter (USB or SERIAL) -- I do not recommend this unless you're familiar with this type of thing OR have someone familiar to help you with it -- these boards are very fragile so the lightest tug/pull on the wire will get the pads right off the board.

@damiantof7

I'm always willing to learn :) + I've soldered in the past (the good old Xbox 360 RGH days).

@damiantof7

And this might be a really stupid question, but wouldn't wire clamps work instead of soldering it to the board?

@guino
Owner

guino commented Jun 28, 2021

@damiantof7 as long as you can connect wires to pads and into the UART-TTL adapter it should work. The pads are tiny so I have never seen anything that could connect to that without soldering but I'm sure that's possible.

PS: Learning is always a good thing; I just make a point to warn people about potentially damaging their hardware.

@damiantof7

Good thing I got 2 ;)

@damiantof7

I checked the pads which you mentioned with a multimeter and all of them seem to be giving off 3.27-3.33 V, which makes me think it's not the UART port.

@guino
Owner

guino commented Jun 30, 2021

@damiantof7 usually out of 4 pads one of the outside ones is ground (which you can check by testing resistance/continuity between the pad and a ground point like one of the screw holes). Out of the other 3, one is RX, another TX and one is 3.3 V; from ground ALL 3 will measure 3.3 V with a multimeter (which is normal). You don't need to solder anything to the 3.3 V pad but it may be difficult to determine which one that is.

Assuming you connect ground correctly you will not damage anything by mixing RX, TX or 3.3 V on the TTL-UART adapter; you'll only get output when it's connected correctly (RX side on host) and you're only going to be able to send data to the terminal if connected correctly (TX side on host).

The bootloader on these boards usually shows a countdown where you can press a key to stop it and will prompt for a password; that could be used to determine the connections are correct.

If you do get to that point let me know and I can send you a few things to try.

@damiantof7

Hmm, so the one in the top (on the picture) is the ground. I've tried each pad to look for output; no output is being given.

@guino
Owner

guino commented Jul 1, 2021

@damiantof7 when I talked about the boot counter I should have been more specific: these boards only output anything on the UART during power on (while booting). So you have to turn it off, connect the pins and turn it on. If it doesn't show anything you have to turn it off, connect it a different way and try again.

@damiantof7

Which baud rate did you use? (Just to be sure before I start trying again.)

@guino
Owner

guino commented Jul 1, 2021

@damiantof7 pretty sure I use 115200 8N1.

@damiantof7

Hmm, either I'm doing something wrong or something is wrong with PuTTY or my TTL adapter.

@damiantof7

I am constantly pinging the device so I know it's actually booting and not broken, but still no output.

@damiantof7

So if you've got any other idea I would love to hear it.

@guino
Owner

guino commented Jul 5, 2021

@damiantof7 I have done some work with another user on guino/BazzDoorbell#34 and on that camera there's no output to the UART except for a few lines during power up. I am saying this to make sure you try to see if you get any output during power up, as after that it goes completely silent (unlike other cameras). It was also discovered on the other camera that there's a /sys/console URL which allows the UART to receive a few basic 'console' terminals; you should definitely try it.

You may also want to try powering up with the reset button pressed to see if you get any output.

The camera I mentioned above does NOT run Linux and instead runs an RTOS, so the only way to customize it is by writing a modded flash. The fact that your camera returns something for /proc/cmdline suggests it runs Linux (better), but we won't know much until you get the UART working or use a programmer to read the flash.

@damiantof7

Update: Tried everything with the UART ports to no avail, no output at all (literally tried it all). /sys/console isn't present on this device.

Put it back together, LED stays red, connection through the app doesn't work anymore. The device does still connect when the micro SD card is in with the PPSFactory text file. Guess it's kind of dead.

@guino
Owner

guino commented Jul 7, 2021

@damiantof7 that seems like the reason why you aren't getting any output. In any case, if this device has a battery you should most definitely make sure you remove it to force a full power off, then power it back on again to see. Do any of the URLs like /proc/cmdline and such (which you posted earlier) still work (even if with ppsFactoryTool.txt)? You may want to try to factory reset your device and re-do the enrollment process to see if it does anything.

@damiantof7

With the ppsFactoryTool.txt all the URLs etc. work. Did a full factory reset to try and get it to connect to the app again (hear all the tones, reset, connecting and such); it's simply not doing anything (almost like it's blocked from using cloud services).

The device doesn't have a battery.

@damiantof7

As there's no visual damage I might just return it to the store, get a new one and retry the process -_-'

@damiantof7

And right as I type that, the camera connected to the app again. Guess it's not dead yet.

@guino
Owner

guino commented Jul 7, 2021

Could have just been coincidence with the timing and some connectivity issues with their server.

@damiantof7

Yeah, could be. Btw, quick update on the doorbell: they released an update to enable ONVIF (it's now a setting in the menu to enable it). Same manufacturer.

[image]

@damiantof7

But well, you got any idea why the device would include the OEM UID and the OEM Authkey?
This is found under /flash/encryption
[image]

@damiantof7

If only there was a URL to back up the current image/firmware on the device, that would make all of this a lot easier.

@damiantof7

Or to have the "Firmware Update" feature turn into an RCE for a reverse shell.

@damiantof7

damiantof7 commented Jul 7, 2021

Wait a second
[image]
If it saves to a file... and it doesn't actually check the contents (because it doesn't, I uploaded a random ssh file).

The question is, does it execute, and where does it save the file + can the path where it saves be modified?

@guino
Owner

guino commented Jul 7, 2021

There are only 2 ways to back up firmware: 1) getting UART to work and using the commands to back up to SD card; 2) using a hardware programmer (which may require removing the flash chip from the device).

Tuya makes the platform (servers, API, interface, app) and sells that to product manufacturers. Each of them gets licenses to use the Tuya platform, so they have to be identified somehow (likely OEM ID/KEY).

If you got the UART working you'd be able to log the ppsapp output during the firmware update, which displays the URL to download the firmware update (which can be downloaded directly if you know the URL). That said, the firmware update file has a specific format required for the device to read/accept it, so we can't just modify it and flash it as it would fail validation. Reverse engineering the format would only be a matter of patience and time, but it is way faster to go in with UART/programmer and use bootloader options to mod the device (it's just different for every device).

The upgrade URL most definitely checks the format of the file and validates the data like I mentioned above, so it will probably allow you to upload anything but just ignore invalid format data.

@damiantof7

After some googling I believe I did find the chip used:
http://bbs.16rd.com/shop_product-1-1062.html
http://bbs.16rd.com/thread-563950-1-1.html

I don't speak or read Chinese, but from what I can understand the chip actually has 2 UART ports.
LSC has given their own twist to it, though.

@FringeScientist

@damiantof7
Were you able to make some progress with the outdoor cam of LSC? I've bought the same one but wasn't able to hack it in any way.

@damiantof7

@FringeScientist unfortunately not.

@Nigel1992

@damiantof7 any new progress?
I got the same camera and would love to get RTSP working.

@tosiara

tosiara commented Nov 22, 2022

I have got an OEM Tuya MINI7S-A5MB_F37 REV 1_0 2021-06-11 and this rooting method did not work.
Firmware version: 5.2.1
[image]

@tosiara

tosiara commented Nov 22, 2022

I accidentally found another repo of yours and it seems like this is exactly the same device. Going to read that one:
https://github.com/guino/Merkury1080P

@guino
Owner

guino commented Nov 24, 2022

@tosiara that is the repo that has worked for some 5.2.x firmware; let us know if it worked for you.

@tosiara

tosiara commented Nov 24, 2022

Moved discussion here: guino/Merkury1080P#46
