HclX / WyzeHacks

Hacks I discovered allowing Wyze camera owners to do customizations
MIT License

remote_install.sh RuntimeError #132

Open yqin opened 3 years ago

yqin commented 3 years ago

Wyze Cam v2 with FW: 4.9.6.241 Failed with wyze_hacks_0_5_07 and wyze_hacks_0_5_08

```
Pushing firmware to this device? [y/N]:y
INFO:root:Serving firmware file './firmware.bin' as 'http://192.168.0.1:11808/firmware.bin', md5=11567104604de4f4cc8f4633bc6c33f4
Traceback (most recent call last):
  File "./wyze_updater.py", line 362, in <module>
    args.action(creds, args)
  File "./wyze_updater.py", line 260, in update_devices
    push_update(creds, dev_info['product_model'], mac, url, md5)
  File "./wyze_updater.py", line 163, in push_update
    return run_action(creds, model, "upgrade", mac, {"url": update_url, "md5": md5, "model": model})
  File "./wyze_updater.py", line 160, in run_action
    custom_string="", action_params=params)
  File "./wyze_updater.py", line 140, in device_api
    raise RuntimeError('Request failed, error %s:%s' % (rsp['code'], rsp['msg']))
RuntimeError: Request failed, error 3005:UnauthorizedOperation
```

47bob47 commented 2 years ago

Downgrading firmware is easy but I thought that previously in this thread it was stated that there is now strict checking of SSL certificates so DNS spoofing no longer works. Let us know if the hack installation works for you or if this is just an exercise in futility. When the hack was working it was a great enhancement to the core Wyze features.

mpatton125 commented 2 years ago

> Downgrading firmware is easy but I thought that previously in this thread it was stated that there is now strict checking of SSL certificates so DNS spoofing no longer works. Let us know if the hack installation works for you or if this is just an exercise in futility. When the hack was working it was a great enhancement to the core Wyze features.

The certificate checking is in the later firmware, which is why you downgrade - so the spoofing will work.

famewolf commented 2 years ago

> > Downgrading firmware is easy but I thought that previously in this thread it was stated that there is now strict checking of SSL certificates so DNS spoofing no longer works. Let us know if the hack installation works for you or if this is just an exercise in futility. When the hack was working it was a great enhancement to the core Wyze features.
>
> The certificate checking is in the later firmware, which is why you downgrade - so the spoofing will work.

Thank you. I was just grasping at straws hoping to avoid climbing up a ladder for 2 of my cams and trying to swap sd cards because they are mounted in "outside cases". So then firmware.bin should be pointing to the FIRMWARE660R.bin that comes with wyze hacks. With spoofing in place and url = edited it ACTS like it works when I selected EITHER firmware but doesn't actually do anything..ie no telnet is available on the firmware ending in .798. I skipped my front doorbell which probably would have worked. Both wyze hacks and "wyze bridge" which provides rtsp, hls and a few other things require the .241 firmware so I suppose I'll have to upgrade them one by one and then lock down the firmware upgrade in the app.

evanheckert commented 2 years ago

Any guides for spoofing? I currently have AdGuard Home plugin for OpnSense handling DNS. I've tried using the Dnsmasq plugin, and here's what I've entered:

- Host: amazonaws
- Domain: s3-us-west-2.amazonaws.com
- IP Address: 192.168.1.101 <- ip address of laptop running script
- Description: for WyzeHacks
- Aliases: none

Save, apply changes, still UnauthorizedOperation.

virmaior commented 2 years ago

@evanheckert two thoughts. First, try doing sudo at the front of your command. On my mac, I could not spoof to port 80 without it. Second, I'm not entirely sure what the current situation is on spoofing as I hacked all of the wyze cameras I own (back in July), but judging by more recent reports people can no longer hack cameras using spoofing. The spoofing involves sending a request to wyze's api (on the internet -- not the device itself) and then the api telling the camera to try to download the firmware from the indicated api and going into a new firmware receptive state. The api checked (used to check?) the url for validity against known good lists, but if spoofed it would go through anyway. I believe they updated the checking to make it more thorough or something and this broke the spoof method.

evanheckert commented 2 years ago

Ah, I see @virmaior - so does that mean we're SOL on the V3 cam?

virmaior commented 2 years ago

I thought I saw some people mentioning that they downgraded the firmware version to a few versions back and were able to get something functional from that. But again, I'm not messing with my functioning setup. For me, my main goal was to set it up so that I can get clear video of the flying squirrel onto my raspberry pi.

Also HClX was/is cooking up a way to do it from an SD card supposedly.

47bob47 commented 2 years ago

I successfully updated several v3 and pancam cameras back around July. When I went to update another set of cameras in September and October every camera failed to update. Rolling back the camera firmware did not help. Since part of the WyzeHack process involves communicating with the Wyze server, logging in and downloading camera info I'm assuming that they made a modification somewhere on their server that prevents the WyzeHack process from loading the WyzeHack firmware. Rolling back the Wyze firmware on my cameras to the suggested or even much earlier versions did not help. Wasted many hours on this. If anybody has gotten this to actually work during the last month I'd be interested in knowing. I ended up installing the official Wyze RTSP firmware on the v3 and pancams and saving the video stream using ffmpeg. This is nowhere near as good as the WyzeHack but it at least gives me a camera that somewhat fulfills my needs (though any off the shelf amazon/ebay $50 bullet camera would actually work better in this regard).

ghagiel commented 2 years ago

> I successfully updated several v3 and pancam cameras back around July. When I went to update another set of cameras in September and October every camera failed to update. Rolling back the camera firmware did not help. Since part of the WyzeHack process involves communicating with the Wyze server, logging in and downloading camera info I'm assuming that they made a modification somewhere on their server that prevents the WyzeHack process from loading the WyzeHack firmware. Rolling back the Wyze firmware on my cameras to the suggested or even much earlier versions did not help. Wasted many hours on this. If anybody has gotten this to actually work during the last month I'd be interested in knowing. I ended up installing the official Wyze RTSP firmware on the v3 and pancams and saving the video stream using ffmpeg. This is nowhere near as good as the WyzeHack but it at least gives me a camera that somewhat fulfills my needs (though any off the shelf amazon/ebay $50 bullet camera would actually work better in this regard).

I tried multiple versions of the firmware (reflashing with SD card) and hack (from the original that supported v3's to most recent) on my v3 while spoofing a couple weeks ago, nothing worked. Afaict we're currently sol.

Semag commented 2 years ago

I got my v3 in Sept (sept 2) and flashed it. I had to use the SD card recovery method to get it to 4.36.2.5 and then use the dns spoof to actually do the Wyze hack update.

genevera commented 2 years ago

@mandusm's method works but here are some missing details. IP address of Mac I used was 192.168.11.4. IP Address of DNS serving raspberry pi was 192.168.11.11 (adjust according to your method and values).

  1. run dnsmasq or some other DNS server and spoof s3-us-west-2.amazonaws.com to the computer you will run the script from. In my case, I used a raspberry pi for dns serving. This involved (1) adding a line to hosts of s3-us-west-2.amazonaws.com 192.168.11.4 (2) changing the DNS server choice on the DHCP server to the ip of your spoofing DNS server (in my case 192.168.11.11)
  2. Manually set the url to http://s3-us-west-2.amazonaws.com/wuv2/upgrade/WLPP1/firmware/1.2.0.80a.bin
  3. The port used must be port 80 (since it's checking urls I doubt it will work with another port). Note that the default port if you use remote_install.sh is not 80. On OSX, I had to use sudo to avoid getting "PermissionError: [Errno 13] Permission Denied"

So at least on my OSX computer the functioning command was:

```
sudo python3 ./wyze_updater.py --token ~/.wyze_token --debug update -m WYZEC1-JZ -m WYZECP1_JEF -m WYZE_CAKP2JFUS -m WYZEDB3 -f ./firmware.bin -p 80
```

This worked for me on my WYZECP1_JEF! Thanks.
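Added example, not part of the thread or of WyzeHacks: the spoofing described above depends on a local resolver answering for s3-us-west-2.amazonaws.com with a LAN address, which a network owner can audit for in resolver configuration. The sketch scans hosts-file and dnsmasq `address=` entries; the watchlist, function names and sample input are assumptions constructed for illustration.

```python
import ipaddress

# Assumed watchlist: public suffixes that should never resolve to a LAN address.
WATCHED_SUFFIXES = ("amazonaws.com",)

def is_local(ip_text):
    """True for private (RFC 1918), loopback and link-local addresses."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return ip.is_private or ip.is_loopback or ip.is_link_local

def is_watched(name):
    name = name.lower().rstrip(".")
    return any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)

def parse_overrides(text):
    """Yield (lineno, name, ip) from hosts lines and dnsmasq address= lines."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("address="):
            # dnsmasq syntax: address=/domain[/domain...]/ip
            parts = line[len("address="):].strip("/").split("/")
            for name in parts[:-1]:
                yield lineno, name, parts[-1]
        elif "=" not in line:  # hosts syntax: ip name [alias...]
            fields = line.split()
            for name in fields[1:]:
                yield lineno, name, fields[0]

def audit(text):
    """Return overrides that map a watched public name to a local address."""
    return [(n, name, ip) for n, name, ip in parse_overrides(text)
            if is_watched(name) and is_local(ip)]

# Constructed sample mixing hosts-file and dnsmasq entries.
SAMPLE = """\
127.0.0.1 localhost
192.168.11.4 s3-us-west-2.amazonaws.com   # local override
192.168.11.20 nas.home.lan
address=/S3-US-West-2.amazonaws.com/192.168.1.101
address=/ads.example.net/0.0.0.0
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Running it over a real `/etc/hosts` or dnsmasq configuration file flags any entry that redirects a watched public hostname to an address on the local network.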

47bob47 commented 2 years ago

@genevera Which version of Wyze firmware were you running on your camera before installing the hacked firmware?

evanheckert commented 2 years ago

Any situation that would cause the sd card firmware recovery method not to work? I'm on stock RTSP firmware, but when I put an older standard firmware on the microSD, name it properly, power it on with setup pressed, it just boots up per normal and ignores the SD card.

virmaior commented 2 years ago

@evanheckert what size / format is your SD card? The support for larger sizes is a bit buggy and may not be present at the stage where an SD firmware recovery occurs. It needs to be fat32 and not exfat to work.

Vendo232 commented 2 years ago

As of December 28 2021 the WyzeCameraLiveStream still works

just downgraded from RTSP firmware to 4.36.0.228 to go back to WyzeCameraLiveStream which in my opinion works better than RTSP

installed DNS server using Dnsmasq following this guide: dnsmasq spoofing

my dns server: 192.168.1.245 ( raspberry pi 4 using raspbian lite )

running script: 192.168.1.143 ( Ubuntu in VM ) here I installed wyze_hacks_0_5_08.zip

run dnsmasq or some other DNS server and spoof s3-us-west-2.amazonaws.com to the computer you will run the script from. In my case, I used a raspberry pi for dns serving. This involved (1) adding a line to hosts of s3-us-west-2.amazonaws.com 192.168.11.4 (2) changing the DNS server choice on the DHCP server to the ip of your spoofing DNS server (in my case 192.168.11.11)


Manually set the url inside the to http://s3-us-west-2.amazonaws.com/wuv2/upgrade/WLPP1/firmware/1.2.0.80a.bin


The port used must be port 80 (since it's checking urls I doubt it will work with another port). Note that the default port if you use remote_install.sh is not 80. On OSX, I had to use sudo to avoid getting "PermissionError: [Errno 13] Permission Denied"

Flashing command:

```
sudo python3 ./wyze_updater.py --token ~/.wyze_token --debug update -m WYZEC1-JZ -m WYZECP1_JEF -m WYZE_CAKP2JFUS -m WYZEDB3 -f ./firmware.bin -p 80
```


xMrMurderx commented 2 years ago

> As of December 28 2021 the WyzeCameraLiveStream still works
>
> just downgraded from RTSP firmware to 4.36.0.228 to go back to WyzeCameraLiveStream which in my opinion works better than RTSP....

I am having so much trouble with this lol.

I have a wyzecam v3. My camera has been downgraded to 4.36.3.19 to attempt the hack.

After 3 days of attempting, I thought I had it. Running the command you gave pushed the update to my camera. After it rebooted and connected back to my wifi I attempted a telnet, it was refused...so the hack did not successfully install.

I see that everyone says to use 4.36.0.280 to install the hack, then upgrade..but here's the kicker. When installing anything below 4.36.3.19, my cameras absolutely REFUSE to connect to my wifi network.

I have left the cameras alone after the firmware downgrade, I have pressed the setup button to try and force it to reconnect, nada.

I do have dualband running on my router, which I had hoped setting it to separate ssids would solve the issue..attempted to connect it to the 2.4ghz network, no dice. The camera just continues flashing red and blue lights attempting to connect to a network. So now even if I am on an exploitable firmware, I cannot connect to it to run the script and push the hack to the camera...

I have even plugged in a usb wireless adapter, set up a 2.4ghz hotspot on my laptop and the camera does not even attempt to connect..

Any help is appreciated

JJWatMyself commented 2 years ago

I have a suspicion that Wyze would be using a wyze CNAME and not the underlying AWS URL. I have not done a packet capture to verify this, but it isn't hard to do and verify. So, although using the AWS URL spoof is working, verifying the original DNS request would likely be the most future-proof. I finished upgrades earlier today so need to wait, or downgrade one, to get that detail.

gtxaspec commented 2 years ago

@HclX would you happen to have a copy of mtdblock0 with the md5 of 5cd21257d6a23da5833caf37e1971e2c (got this from your v2 branch)? None of my cameras have this bootloader... trying to flash modified rootfs from sd.