SirLouen / zs-gx1s


Possible backdoor found #1

Open programmingPug opened 1 year ago

programmingPug commented 1 year ago

Hi, I have been trying to find a way into the system. It seems if you trigger the reset button and boot, you can get into U-Boot. Going to see if I can find anything in the binwalk you have.

SirLouen commented 1 year ago

I don't understand how exactly you got into U-Boot.

programmingPug commented 1 year ago

I can write up a step by step after I finish setting up my Cygwin env. I don't have my Linux laptop on hand to play around with the binwalk image to see if I can find the password (get lucky)

programmingPug commented 1 year ago

Do you happen to have the bin file for the firmware?

SirLouen commented 1 year ago

> Do you happen to have the bin file for the firmware?

ppstrong-b6-neutral_std-1.4.0.20211102-upgrade.bin.gz

SirLouen commented 1 year ago

> I can write up a step by step after I finish setting up my Cygwin env. I don't have my Linux laptop on hand to play around with the binwalk image to see if I can find the password (get lucky)

Have you tried the PpStRoNg user?

programmingPug commented 1 year ago

Sorry, kids have been sick. I have tried that and so far no luck.

dixnor commented 1 year ago

Hi, any progress on a possible hack/backdoor for this camera? I found one in an overstock for a small price and really would like to integrate it into my smart home setup.

If there is anything I can do to help to have a backdoor found for an RTSP feed, please let me know.

SirLouen commented 1 year ago

Now that I have my full electronic setup I may try to do the UART part as @programmingPug did. Let's see if I can access the U-Boot and dump the partitions. Anyway, since we already have the firmware, I don't think it would be amazing at all, nothing that the bin I already uploaded may not have.

I'm not very good at reverse engineering machine code from a bin file. Anyway, I don't think these cams will be useful to use with RTSP since the battery will not stand up to it. They are meant to wake up only under certain conditions (activity), and record on that demand. Nothing else.

dixnor commented 1 year ago

I came to the same point: that it is an on-battery camera and I understand why Cloudedge / Iegeek never added any RTSP option that will kill the battery so fast that it could not even last 1 to 2 hours a day. Thanks for confirming what seemed to be evident.