Help

[Derweis]

there is a tapo camera with 110. It doesn’t start, there’s something strange in the logs, what can I do? eth+tapo_c110v1.txt

MAC AND OEM REMOVED FOR PRIVACY

[JayFoxRox]

Looks like it's booting fine? It simply doesn't seem to reach the internet. If you are desperate, you could hold the reset button for 5 seconds to reset the camera to factory state (that's what they claim.. effectively it doesn't go that far and it only resets a couple of config values) - it should open its own AP again then

1. What's the problem here (and how did it end up in this state)?
2. Did you see "> Please press Enter to activate this console." ?

I'm not sure about the uhttpd issues (which might be normal), but you could try reflashing / firmware upgrading.

[Derweis]

She starts the automatic recovery ( auto cloud recovery) herself. So it doesn't start properly, the MINI os doesn't help. Forcing Httpd does not help. Restoring the operating system as a whole will only help here.

[JayFoxRox]

You can't just flash the images you find to your chip (without going through software) though, because you'd also be overwriting the configuration partition. You'd lose your pairing with the tplink cloud which could cause all sort of issues, even if you plan to stay offline.

You can try https://github.com/nervous-inhuman/tplink-tapo-c200-re/issues/1#issuecomment-1027194068 for the SD card method. It should work even without uhttpd on older firmwares / devices. I'd suggest to grab a C110v1 firmware dump and check the shell scripts to make sure this functionality exists and works without uhttpd.

You'll have to make sure that the new firmware is for the right device model, OEM (region or hardware specific WiFi firmware probably?). Alternatively you could attempt to install uhttpd from a firmware dump (again, matching hardware and firmware version), but I assume there's more broken stuff on your device. You can also check if chmod +x /usr/sbin/uhttpd would work, although I suggest to check the state of /usr/sbin/uhttpd before.

The steps you should take also depend on how it got into this state. Did this just happen randomly, or did you mess with the firmware yourself?

MAC AND OEM REMOVED FOR PRIVACY

I believe your still leaked your MAC. The OEM is probably the same per firmware per hardware in the same region. The hwId and deviceId are also to be kept secret (and fortunately you didn't leak them, but we don't know if they can be derived.. yet?).

[Derweis]

I don’t know how cameras get into such a situation, it’s not mine and I won’t be able to find out for sure. It won't work to chmod, at least I don't know what the username and password for the camera are. If you don’t touch the camera launcher, then when you press it you can see “c110 login”. If you force httpd to start through a stopped bootloader and load the matching firmware, you get data abort. There is no reaction to the micro CD card (fat32 + factory_up_boot.bin). The only way that I have found to restore is to record a full dump from a working camera at factory settings with a replacement block of camera secrets.

[JayFoxRox]

Correction to what I said above: The hwId is the same for all devices with the same hardware.

record a full dump from a working camera at factory settings with a replacement block of camera secrets

I'd advise against that, but whatever floats your boat.

It won't work to chmod, at least I don't know what the username and password for the camera are

These root passwords have been found so far:

• slprealtek
• slplzgjipc (found by me yesterday in C310v1 firmware, untested / unconfirmed)
• slpmstar

There might be more.

There is no reaction to the micro CD card (fat32 + factory_up_boot.bin)

That sounds bad.

You can manually trigger the update using the /sbin/slpupgrade utility. The original scripts runs it like this (in different situations):

• slpupgrade -n "/tmp/sdcard/factory_up_boot.bin" to flash (?)
• slpupgrade -c $UPFILE && up_check_ok=1 to check (?)
• slpupgrade $UPFILE to flash (done after checking) (?)
• slpupgrade -b /etc/factory_boot.bin to flash.. but probably dangerous (?)

If you force httpd to start through a stopped bootloader and load the matching firmware, you get data abort.

I suspect the bootloader just writes a raw image (which you won't find anywhere) to flash, but the slpupgrade actually parses (and optionally decrypts) the firmware image that you find on tplink servers.

[Derweis]

I'm not an expert on all this, but why can't I restore it with a dump? All the secrets of the camera from the mac to the keys are collected in one section. There are already hardware versions where there is no ETH port and there the possibilities are narrowed

[Derweis]

By taking secrets from a faulty camera and applying them to the same addresses in the dump from a working camera, we actually do not change anything

[Derweis]

I tried it, it’s a mistake, the temp folder is empty, although the file is on the card

will try again after 30 second sdcard/factory_up_boot.bin" [slpupgrade] *** error: stat failed on /tmp/sdcard/factory_up_boot.bin

[DrmnSamoLiu]

@Derweis See my comment here: https://github.com/nervous-inhuman/tplink-tapo-c200-re/issues/4#issuecomment-1030106533

I suspect you are using the same SD card formatted by the cam before. In the models I've checked, SD cards formatted by the cam and not by the cam are mounted at different places upon boot.

So please zero out the first few MB of data on the SD card and format it again into FAT32 with gparted or something, Put factory_up_boot.bin in it and try again the firmware rescue process.

[Derweis]

@DrmnSamoLiu I formatted from PC using Panasonic SDFormatter application. From what you posted I didn’t understand what to do

[DrmnSamoLiu]

@Derweis To be specific, I think tapo cam will write special data to SD card partition table to identify if the SD card is formatted or not. But not much Windows based partition tool will let you modify partition table.

So here are some options for you:

1. If you are not familiar with using Linux for partioning, maybe just try to find an SD card that has never been used in your tapo cam before.

2. Look for windows tools that can let you "rebuild" partition table and create FAT32 partition. Here the partition table rebuilding is the key.

[Derweis]

I wrote down zeros for the entire length of the flash drive and then formatted it to fat32 - it’s still not visible from under the system

[BGuldhammer]

If you have one of the latest firmware there breaks the camera (C200) sd metod will never work. The sdcard recovery requires part of the firmware to work, and the firmware is broken with the update, and we are left with a u-boot shell

We might be able to recover with wired network, the C200 have a internal pins for wired network, it does not work with wireless.

For my own it is not worth using more time on, and ended it life in the trash today, but it might help other. https://github.com/nervous-inhuman/tplink-tapo-c200-re/issues/4#issuecomment-1850502744

[Derweis]

@BGuldhammer httpd has no effect

Data will be downloaded at 0x21000000 in RAM Upload file size: 8128512 bytes Loading: ################################################################# ################################################################# ################################################################# ################################################################# ################################################################# ################################################################# ################################################################# ################################################################# ################################################################# ################################################################# ################################################################# ################################################################# ################################################################# ################################################################# ################################################################# ################################################################# ################################################################# ################################################################# ################################################################# ################################################################# ################################################################# ################################################################# ################################################################# ################################################################# ################################################################# ################################################################# ################################################################# ################################################################# ###############################################

data abort pc : [<23f93480>] lr : [<007a0600>] sp : 23b3f768 ip : 5ffffff8 fp : 23fece9c r10: 23fece90 r9 : 23b3fef8 r8 : 23fec800 r7 : 00000001 r6 : 21020800 r5 : 23fecf74 r4 : 21000000 r3 : 55555555 r2 : 0f43e64e r1 : 003e0000 r0 : 093e0800 Flags: nzCv IRQs off FIQs off Mode SVC_32

[Derweis]

Dump fix