cjj25 / RTS3903N-Tuya-RTSPServer

RTSP and Telnet access for Tuya RTS3903N cameras

Littlelf 1080p camera. Looks like a Tuya #2

Open frankol opened 2 years ago

frankol commented 2 years ago

I need some help getting root and/or telnet running here. Can you take a look at the SPI dump? I guess this piece has a version of 1.3.1, as I have seen.

I'm able to extract the filesystem and read the files, but I'm unable to squash it again. Always different file size.

https://mega.nz/file/65kDiJoZ#OhMY9ewLdqlNyxwipeGVNkq9kr_k1tG8UPUNFkJC7EU firmware dump

And here is a piece of the serial output:

` U-Boot 2014.01-v1.2 (Nov 29 2019 - 20:40:59)

Board: IPCAM RTS3903 CPU: 500M :rx5281 prid=0xdc02

force spi nor mode

DRAM: 64 MiB @ 1066 MHz

Skipping flash_init

Flash: 0 Bytes

flash status is 0, 0, 0

SF: Detected GD25Q64C with page size 256 Bytes, erase size 64 KiB, total 8 MiB

Using default environment

In: serial

Out: serial

Err: serial

MMC: rtsmmc: 0

flash status is 0, 0, 0

SF: Detected GD25Q64C with page size 256 Bytes, erase size 64 KiB, total 8 MiB

KERNEL & DRV IS OK

USER IS OK

missing target file or read failed

tuya verify failed

boot kernel

flash status is 0, 0, 0

SF: Detected GD25Q64C with page size 256 Bytes, erase size 64 KiB, total 8 MiB

SF: 1507328 bytes @ 0x100000 Read: OK

Booting kernel from Legacy Image at 80100000 ...

get header OKimage_get_kernel check hcrc

image_get_kernel print contents

Image Name: linux_3.10

Created: 2019-05-11 8:41:43 UTC

Image Type: MIPS Linux Kernel Image (uncompressed)

Data Size: 1349581 Bytes = 1.3 MiB

Load Address: 80401510

Entry Point: 80401510

Verifying Checksum ... OK

Loading Kernel Image ... OK

Starting kernel ...

Linux version 3.10.27 (wenhe@embed) (gcc version 4.8.5 20150209 (prerelease) (Realtek RSDK-4.8.5p1 Build 2521) ) #2 PREEMPT Sat May 11 15:40:25 CST 2019 prom cpufreq = 500000000 prom memsize = 67108864 hw_ver: 0x2, hw_rev: 0x1, isp_ver: 0x1 prom eth mac = 00:00:00:00:00:00 bootconsole [early0] enabled CPU revision is: 0000dc02 FPU revision is: 01730001 Determined physical RAM map: memory: 04000000 @ 00000000 (usable) Reserved contiguous memory at 0x423000(0x1618000) Zone ranges: Normal [mem 0x00000000-0x03ffffff] Movable zone start for each node Early memory node ranges node 0: [mem 0x00000000-0x03ffffff] icache: 32kB/32B, dcache: 16kB/32B, scache: 0kB/0B Built 1 zonelists in Zone order, mobility grouping on. Total pages: 16256 Kernel command line: console=ttyS1,57600 root=/dev/mtdblock2 rts_hconf.hconf_mtd_idx=1 rts-quadspi.channels=dual mtdparts=m25p80:8192k@0(global),128k@0k(boot),896k@128k(rootfs),1472k@1024k(kernel),704k@2496k(drv),2304k@3200k(user),2304k@5504k(backup),320k@7808k(mtd),64k@8128k(factory) PID hash table entries: 256 (order: -2, 1024 bytes) Dentry cache hash table entries: 8192 (order: 3, 32768 bytes) Inode-cache hash table entries: 4096 (order: 2, 16384 bytes) Memory: 38072k/65536k available (3321k kernel code, 27464k reserved, 581k data, 192k init, 0k highmem) SLUB: HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1 Preemptible hierarchical RCU implementation. NR_IRQS:57 Calibrating delay loop... 497.66 BogoMIPS (lpj=995328) pid_max: default: 32768 minimum: 301 Mount-cache hash table entries: 512 pinctrl core: initialized pinctrl subsystem NET: Registered protocol family 16 Init force reset registers rtsxb2 registered with IRQs INFO: initializing ISP memory ... INFO: initializing ISP device ... ISP camera platform devices added INFO: initializing SD controller ... INFO: initializing snd device ... snd resvd mem size : 1048576 INFO: initializing USB host ... 
INFO: initializing spi host ...0 spi platform id is ffffffff INFO: initializing I2C master ... INFO: initializing DMA controller ... INFO: initializing pinctrl device ... pinctrl_platform rts3903-pinctrl: rtspc registered with IRQs INFO: initializing ethernet devices ... INFO: initializing USB phy ... INFO: initializing watchdog controller ... INFO: initializing crypto device ... INFO: initializing cpu dvfs device ... bio: create slab at 0 rts_dmac rts3903-dmac: DesignWare DMA Controller, 4 channels INFO: realtek DMA engine inited usbcore: registered new interface driver usbfs usbcore: registered new interface driver hub usbcore: registered new device driver usb usbphy-platform usbphy-platform: Initialized Realtek IPCam USB Phy module Linux video capture interface: v2.00 Advanced Linux Sound Architecture Driver Initialized. NET: Registered protocol family 2 TCP established hash table entries: 512 (order: 0, 4096 bytes) TCP bind hash table entries: 512 (order: -1, 2048 bytes) TCP: Hash tables configured (established 512 bind 512) TCP: reno registered UDP hash table entries: 256 (order: 0, 4096 bytes) UDP-Lite hash table entries: 256 (order: 0, 4096 bytes) NET: Registered protocol family 1 RPC: Registered named UNIX socket transport module. RPC: Registered udp transport module. RPC: Registered tcp transport module. RPC: Registered tcp NFSv4.1 backchannel transport module. squashfs: version 4.0 (2009/01/31) Phillip Lougher NFS: Registering the id_resolver key type Key type id_resolver registered Key type id_legacy registered jffs2: version 2.2. (NAND) © 2001-2006 Red Hat, Inc. 
msgmni has been set to 74 NET: Registered protocol family 38 Block layer SCSI generic (bsg) driver version 0.4 loaded (major 253) io scheduler noop registered io scheduler deadline registered io scheduler cfq registered (default) Serial: 8250/16550 driver, 3 ports, IRQ sharing disabled serial8250: ttyS0 at MMIO 0x18810000 (irq = 6) is a 16550A console [ttyS1] enabled, bootconsole disabled console [ttyS1] enabled, bootconsole disabled serial8250: ttyS1 at MMIO 0x18810100 (irq = 6) is a 16550A serial8250: ttyS2 at MMIO 0x18810200 (irq = 6) is a 16550A dbg_iomem initialized! rts-quadspi rts3903-qspi: force to set channels from quad mode to dual mode rts-quadspi rts3903-qspi: request 60000000 Hz, force to set 41666666 Hz rts-quadspi rts3903-qspi: found gd25q64c, expected mx25l12835f rts-quadspi rts3903-qspi: gd25q64c (8192 Kbytes) 9 cmdlinepart partitions found on MTD device m25p80 Creating 9 MTD partitions on "m25p80": 0x000000000000-0x000000800000 : "global" 0x000000000000-0x000000020000 : "boot" 0x000000020000-0x000000100000 : "rootfs" 0x000000100000-0x000000270000 : "kernel" 0x000000270000-0x000000320000 : "drv" 0x000000320000-0x000000560000 : "user" 0x000000560000-0x0000007a0000 : "backup" 0x0000007a0000-0x0000007f0000 : "mtd" 0x0000007f0000-0x000000800000 : "factory" rts-quadspi rts3903-qspi: Realtek QSPI Controller at 0x18030000 (irq 5) rtl8168 Gigabit Ethernet driver 8.038.00-NAPI loaded rtl8168 rts3903-r8168 (unregistered net_device): Get invalid MAC address from flash! 
eth%d: 0xb8400000, 00:00:00:00:00:00, IRQ 10 ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver ehci-rts: ehci-rts platform driver ehci-platform ehci-platform: EHCI Host Controller ehci-platform ehci-platform: new USB bus registered, assigned bus number 1 ehci-platform ehci-platform: irq 11, io mem 0x18100000 ehci-platform ehci-platform: USB 2.0 started, EHCI 1.00 usb usb1: New USB device found, idVendor=1d6b, idProduct=0002 usb usb1: New USB device strings: Mfr=3, Product=2, SerialNumber=1 usb usb1: Product: EHCI Host Controller usb usb1: Manufacturer: Linux 3.10.27 ehci_hcd usb usb1: SerialNumber: ehci-platform hub 1-0:1.0: USB hub found hub 1-0:1.0: 1 port detected ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver ohci-platform ohci-platform: Generic Platform OHCI Controller ohci-platform ohci-platform: new USB bus registered, assigned bus number 2 ohci-platform ohci-platform: irq 11, io mem 0x18180000 usb usb2: New USB device found, idVendor=1d6b, idProduct=0001 usb usb2: New USB device strings: Mfr=3, Product=2, SerialNumber=1 usb usb2: Product: Generic Platform OHCI Controller usb usb2: Manufacturer: Linux 3.10.27 ohci_hcd usb usb2: SerialNumber: ohci-platform hub 2-0:1.0: USB hub found hub 2-0:1.0: 1 port detected i2c /dev entries driver Stopped watchdog timer timer margin: 8 sec TCP: cubic registered NET: Registered protocol family 17 Key type dns_resolver registered mtd1 name is boot hconf init failed ALSA device list: No soundcards found. VFS: Mounted root (squashfs filesystem) readonly on device 31:2. Freeing unused kernel memory: 192K (803e0000 - 80410000) usb 1-1: new high-speed USB device number 2 using ehci-platform usb 1-1: New USB device found, idVendor=0bda, idProduct=f179 usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 usb 1-1: Product: 802.11n usb 1-1: Manufacturer: Realtek usb 1-1: SerialNumber: 508A06A1942C Sat Oct 24 10:24:00 UTC 2015



ntpclient: can't load library 'libsysconf.so' jffs2: notice: (268) jffs2_build_xattr_subsystem: complete building xattr subsystem, 0 of xdatum (0 unchecked, 0 orphan) and 0 of xref (0 dead, 0 orphan) found. rlx snd internal codec init soc-audio soc-audio.0.auto: ASoC: machine RLX_INTERN_CARD should use snd_soc_register_card() soc-audio soc-audio.0.auto: rlx-codec-digital <-> pcm-platform mapping ok soc-audio soc-audio.0.auto: rlx-codec-analog <-> pcm-platform mapping ok RTW: module init start RTW: rtl8188fu v5.3.0.1_28034.20180525 RTW: build time: May 11 2019 15:41:23 RTW: HW EFUSE
RTW: hal_com_config_channel_plan chplan:0x20 RTW: rtw_regsty_chk_target_tx_power_valid return _FALSE for band:0, path:0, rs:0, t:-1 RTW: rtw_ndev_init(wlan0) if1 mac_addr=50:8a:06:a1:94:2c RTW: rtw_ndev_init(wlan1) if2 mac_addr=52:8a:06:a1:94:2c usbcore: registered new interface driver rtl8188fu RTW: module init ret=0 rtscam:isp resvd mem addr : 0x00523000, size : 0x1518000 rtscam:rtscam_mem_init v:0xa0523000 p:0x00523000 s:0x00001518 rtscam:rtscam_lock_init rtscam:rtscam_soc_probe rtscam:rtscam_hx280_probe rtscam:hx280enc:HW at base <0x18060000> with ID <0x48317011> rtscam:rtscam_jpgenc_probe rtscam:rtscam_osd2_probe rtscam:rtstream_init (none) login: status: active CC: excute rts3903 platform script..rtscam:begin to load fw from isp.fw `

cjj25 commented 2 years ago

Could you provide a picture of what this camera looks like (for curiosity)?

It looks like telnetd is starting on boot but is then immediately killed by ty_monitor.sh. I can see the typical method we use has been disabled / commented out:

```
#[ -x ${SDCARDDIR}/ty_sdcard_check_upgrade.sh ] && ${SDCARDDIR}/ty_sdcard_check_upgrade.sh ${destdir_sd}
```

However, ty_sign still references this bash script and is executed at the point of mounting the sdcard.

I've had a quick look. Basically ty_sign looks for /mnt/sdcard/sc002wa2v5.zip and /mnt/sdcard/sc002wa2v5.zip.sign and verifies its hash, then calls the ty_sdcard_check_upgrade script.

Could you try creating a dummy sc002wa2v5.zip and sc002wa2v5.zip.sign and put them on the root of your sdcard, then give me the output serial log?

It doesn't look too difficult to crack the hashing / signing (my initial impression). This is the first time I've actually seen the ty_sign binary being used.

frankol commented 2 years ago

Attached you can find the images of the board and the cam. UART: yellow [TX], orange [RX] and red [GND]. The cam is paired and connected to my wifi but I block internet access for it.

SDCard plugged in with sc002wa2v5.zip and sc002wa2v5.zip.sign (nothing special happens. After a reboot with plugged sdcard the same):

mmc0: new high speed SDHC card at address 5048 mmcblk0: mmc0:5048 SD32G 28.8 GiB mmcblk0: p1

/dev/mmcblk0 /dev/mmcblk0p1 /dev/mmcblk0 /dev/mmcblk0p1 MemTotal: 38264 kB MemFree: 13080 kB Buffers: 436 kB Cached: 7296 kB SwapCached: 0 kB Active: 5288 kB Inactive: 6996 kB Active(anon): 4552 kB Inactive(anon): 0 kB Active(file): 736 kB Inactive(file): 6996 kB Unevictable: 0 kB Mlocked: 0 kB SwapTotal: 0 kB SwapFree: 0 kB Dirty: 0 kB Writeback: 0 kB AnonPages: 4568 kB Mapped: 3168 kB Shmem: 0 kB Slab: 6636 kB SReclaimable: 764 kB SUnreclaim: 5872 kB KernelStack: 520 kB PageTables: 200 kB NFS_Unstable: 0 kB Bounce: 0 kB WritebackTmp: 0 kB CommitLimit: 19132 kB Committed_AS: 54928 kB VmallocTotal: 1048372 kB VmallocUsed: 3684 kB VmallocChunk: 1038272 kB drop_caches [2015-10-24 10:27:31.668 tid(481) tycam_devcom_inf.c tycam_log_monitor(463) Debug] start log moniot... MemTotal: 38264 kB MemFree: 13600 kB Buffers: 324 kB Cached: 6888 kB SwapCached: 0 kB Active: 5184 kB Inactive: 6580 kB Active(anon): 4552 kB Inactive(anon): 0 kB Active(file): 632 kB Inactive(file): 6580 kB Unevictable: 0 kB Mlocked: 0 kB SwapTotal: 0 kB SwapFree: 0 kB Dirty: 0 kB Writeback: 0 kB AnonPages: 4568 kB Mapped: 3168 kB Shmem: 0 kB Slab: 6636 kB SReclaimable: 764 kB SUnreclaim: 5872 kB KernelStack: 520 kB PageTables: 200 kB NFS_Unstable: 0 kB Bounce: 0 kB WritebackTmp: 0 kB CommitLimit: 19132 kB Committed_AS: 54928 kB VmallocTotal: 1048372 kB VmallocUsed: 3684 kB VmallocChunk: 1038272 kB drop_caches [2015-10-24 10:27:41.676 tid(481) tycam_devcom_inf.c tycam_log_monitor(463) Debug] start log moniot... 
total used free shared buffers Mem: 38264 24656 13608 0 312 -/+ buffers: 24344 13920 Swap: 0 0 0 ip_addr: inet addr:192.168.200.10 Bcast:192.168.200.255 Mask:255.255.255.0 wifi_ssid:wlan0 IEEE 802.11bgn ESSID:"SH" Nickname:"WIFI@REALTEK" route_info:default 192.168.200.254 0.0.0.0 UG 0 0 0 wlan0 192.168.200.0 bin dev drv etc init lib mnt opt proc root sys tmp usr var 255.255.255.0 U 0 0 0 wlan0 network ok MemTotal: 38264 kB MemFree: 13532 kB Buffers: 312 kB Cached: 6952 kB SwapCached: 0 kB Active: 5232 kB Inactive: 6584 kB Active(anon): 4552 kB Inactive(anon): 0 kB Active(file): 680 kB Inactive(file): 6584 kB Unevictable: 0 kB Mlocked: 0 kB SwapTotal: 0 kB SwapFree: 0 kB Dirty: 0 kB Writeback: 0 kB AnonPages: 4568 kB Mapped: 3168 kB Shmem: 0 kB Slab: 6636 kB SReclaimable: 764 kB SUnreclaim: 5872 kB KernelStack: 536 kB PageTables: 200 kB NFS_Unstable: 0 kB Bounce: 0 kB WritebackTmp: 0 kB CommitLimit: 19132 kB Committed_AS: 54928 kB VmallocTotal: 1048372 kB VmallocUsed: 3684 kB VmallocChunk: 1038272 kB drop_caches [2015-10-24 10:27:51.684 tid(481) tycam_devcom_inf.c tycam_log_monitor(463) Debug] start log moniot... MemTotal: 38264 kB MemFree: 13608 kB Buffers: 312 kB Cached: 6892 kB SwapCached: 0 kB Active: 5216 kB Inactive: 6540 kB Active(anon): 4552 kB Inactive(anon): 0 kB Active(file): 664 kB Inactive(file): 6540 kB Unevictable: 0 kB Mlocked: 0 kB SwapTotal: 0 kB SwapFree: 0 kB Dirty: 0 kB Writeback: 0 kB AnonPages: 4568 kB Mapped: 3168 kB Shmem: 0 kB Slab: 6636 kB SReclaimable: 764 kB SUnreclaim: 5872 kB KernelStack: 520 kB PageTables: 204 kB NFS_Unstable: 0 kB Bounce: 0 kB WritebackTmp: 0 kB CommitLimit: 19132 kB Committed_AS: 54928 kB VmallocTotal: 1048372 kB VmallocUsed: 3684 kB VmallocChunk: 1038272 kB drop_caches [2015-10-24 10:28:1.692 tid(481) tycam_devcom_inf.c tycam_logmonitor(463) Debug] start log moniot...

SDCard plugged in with original payload from this repo:

mmc0: new high speed SDHC card at address 5048 mmcblk0: mmc0:5048 SD32G 28.8 GiB mmcblk0: p1 /dev/mmcblk0 /dev/mmcblk0p1 /dev/mmcblk0 /dev/mmcblk0p1 FAT-fs (mmcblk0p1): Volume was not properly unmounted. Some data may be corrupt. Please run fsck. [2015-10-24 10:24:51.540 tid(481) tycam_devcom_inf.c tycam_log_monitor(463) Debug] start log moniot... MemTotal: 38264 kB MemFree: 13256 kB Buffers: 420 kB Cached: 7144 kB SwapCached: 0 kB Active: 5296 kB Inactive: 6832 kB Active(anon): 4564 kB Inactive(anon): 0 kB Active(file): 732 kB Inactive(file): 6832 kB Unevictable: 0 kB Mlocked: 0 kB SwapTotal: 0 kB SwapFree: 0 kB Dirty: 0 kB Writeback: 0 kB AnonPages: 4568 kB Mapped: 3140 kB Shmem: 0 kB Slab: 6636 kB SReclaimable: 768 kB SUnreclaim: 5868 kB KernelStack: 512 kB PageTables: 200 kB NFS_Unstable: 0 kB Bounce: 0 kB WritebackTmp: 0 kB CommitLimit: 19132 kB Committed_AS: 54928 kB VmallocTotal: 1048372 kB VmallocUsed: 3684 kB VmallocChunk: 1038272 kB drop_caches mmc0: card 5048 removed

cjj25 commented 2 years ago

Great pictures! Could you try the same as before (sc002wa2v5.zip filenames on sdcard) but without it attached, then once booted plug the SD card in?

It looks like the script gets fired on the hotplug event.

frankol commented 2 years ago

Doesn't look like it does something..

after reset. plugged sdcard after first boot:

[01-01 18:18:42-- TUYA Debug][wf_nw_cfg.c:100] Set New Channel 1

mmc0: new high speed SDHC card at address 5048 mmcblk0: mmc0:5048 SD32G 28.8 GiB mmcblk0: p1 [01-01 18:18:42-- TUYA Debug][wf_nw_cfg.c:100] Set New Channel 6

/dev/mmcblk0 /dev/mmcblk0p1 /dev/mmcblk0 /dev/mmcblk0p1 FAT-fs (mmcblk0p1): Volume was not properly unmounted. Some data may be corrupt. Please run fsck. [01-01 18:18:42-- TUYA Debug][wf_nw_cfg.c:100] Set New Channel 1

[01-01 18:18:43-- TUYA Debug][wf_nw_cfg.c:100] Set New Channel 6

[01-01 18:18:43-- TUYA Debug][wf_nw_cfg.c:100] Set New Channel 1

[01-01 18:18:44-- TUYA Debug][wf_nw_cfg.c:100] Set New Channel 6

[01-01 18:18:44-- TUYA Debug][wf_nw_cfg.c:100] Set New Channel 1

[2015-10-24 10:30:41.664 tid(523) tycam_devcom_inf.c tycam_log_monitor(463) Debug] start log moniot... [01-01 18:18:44-- TUYA Debug][wf_nw_cfg.c:100] Set New Channel 6

[01-01 18:18:45-- TUYA Debug][wf_nw_cfg.c:100] Set New Channel 1

[01-01 18:18:45-- TUYA Debug][wf_nw_cfg.c:100] Set New Channel 6

[01-01 18:18:46-- TUYA Debug][wf_nw_cfg.c:100] Set New Channel 1

after reset with sdcard plugged in:

begin___, action: 0Started watchdog timer

Started watchdog timer mmc0: new high speed SDHC card at address 5048 mmcblk0: mmc0:5048 SD32G 28.8 GiB mmcblk0: p1 /dev/mmcblk0 /dev/mmcblk0p1 /dev/mmcblk0 /dev/mmcblk0p1 FAT-fs (mmcblk0p1): Volume was not properly unmounted. Some data may be corrupt. Please run fsck. insmod: can't insert '/drv/modules/8188fu.ko': File exists killall: tymaster: no process killed 2, /tmp/tymaster, /tmp/tycam, (null) tymaster begin tcgetattr TIOCGWINSZ error ptyMasterOpen 3 slname=/dev/pts/0 ptyFork:tcsetattr Run2 parent:/tmp/tymaster brefore ttySetRaw... ttySetRaw... Child executes command execvp:/tmp/tycam [2015-10-24 10:24:11.446 tid(522) main.c main(85) Debug] begin [2015-10-24 10:24:11.447 tid(522) tycam_devcom_inf.c tycam_devcom_start(684) Debug] begin_ [2015-10-24 10:24:11.448 tid(522) tycam_devcom_inf.c tycam_devcom_start(690) Debug] dev abi md[1] m/dev/pts/0d_track[0] pir[0] ptz[0] isp_ver[] [2015-10-24 10:24:11.449 tid(522) ty_wifi.c ty_hwl_wifiinit(653) Debug] bigin [2015-10-24 10:24:11.450 tid(522) ty_wifi.c ty_hwl_wifi_init(667) Debug] end___ creat offset.info write SD! [2015-10-24 10:24:11.522 tid(522) tuya_ipc_mgr_utils.c TUYA_IPC_SDK_INIT(152) Debug] SDK Version:

< TUYA IOT SDK V:4.1.1 BS:30.01_PT:2.2_LAN:3.3_CAD:1.0.1_CD:1.0.0 >

IPC DEFS < ENABLE_ECHO_SHOW:1 ENABLE_CHROMECAST:1 ENABLE_CLOUD_ST/dev/pts/0ORAGE:1 >'

< BUILD AT:2020_12_26_23_34_33 BY weihm FOR linux_wifi AT rts3903 >

frankol commented 2 years ago

I managed to modify ty_monitor.sh to start a script from sdcard. First identify squashfs with binwalk. The last one was the one with all the ty_xxx scripts:

```
131072 0x20000 Squashfs filesystem, little endian, version 4.0, compression:xz, size: 763634 bytes
2555904 0x270000 Squashfs filesystem, little endian, version 4.0, compression:xz, size: 626986 bytes
3276800 0x320000 Squashfs filesystem, little endian, version 4.0, compression:xz, size: 2339162 bytes
```

Then extract with dd like

```
dd if=Littlelf_camera.bin of=03_sqashfs bs=1 skip=3276800 count=2339150
unsquashfs 03_sqashfs
```

Modify ty_monitor.sh, then resquash with

```
mksquashfs ./squashfs-root/ 003_littleelf0.squashfs -b 131072 -comp xz
```

and replace the modified squashfs within the bin file with

```
dd if=003_littleelf0.squashfs of=Littlelf_camera.bin bs=1 seek=3276800 conv=notrunc
```

Telnet is starting now, but still wants a password :-(

Also I noticed the modified tycam can not be started.

```
./tycam: can't load library 'libasound.so.2'
```
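An added example, not part of the thread or of the repo's code: a pre-flight check for the repack-and-splice procedure above, which reads the `mtdparts=` layout from the boot log and confirms a rebuilt squashfs still fits its partition before it is written into the dump. binwalk's `size` is the superblock's `bytes_used` field, while mksquashfs pads its output file to a 4 KiB multiple, so the file length is what has to fit. All function names are hypothetical and the sample image is a constructed superblock-only stub.

```python
import re
import struct

# mtdparts string copied from the kernel command line in the boot log on this page.
MTDPARTS = ("m25p80:8192k@0(global),128k@0k(boot),896k@128k(rootfs),"
            "1472k@1024k(kernel),704k@2496k(drv),2304k@3200k(user),"
            "2304k@5504k(backup),320k@7808k(mtd),64k@8128k(factory)")
SQUASHFS_MAGIC = b"hsqs"  # little-endian squashfs
COMPRESSORS = {1: "gzip", 2: "lzma", 3: "lzo", 4: "xz", 5: "lz4", 6: "zstd"}


def _size(tok):
    """Convert an mtdparts number such as '896k', '8m' or '0' to bytes."""
    mult = {"k": 1024, "m": 1024 ** 2}.get(tok[-1].lower())
    return int(tok[:-1]) * mult if mult else int(tok)


def parse_mtdparts(spec):
    """Return {name: (offset, size)} from 'dev:size@offset(name),...'."""
    entries = re.findall(r"(\w+)@(\w+)\((\w+)\)", spec.partition(":")[2])
    return {name: (_size(off), _size(size)) for size, off, name in entries}


def read_superblock(image):
    """Decode the squashfs 4.0 superblock fields needed for a size check."""
    if len(image) < 48 or image[:4] != SQUASHFS_MAGIC:
        raise ValueError("not a little-endian squashfs image")
    major, minor = struct.unpack_from("<HH", image, 28)
    return {
        "version": (major, minor),
        "block_size": struct.unpack_from("<I", image, 12)[0],
        "compression": COMPRESSORS.get(struct.unpack_from("<H", image, 20)[0], "unknown"),
        "bytes_used": struct.unpack_from("<Q", image, 40)[0],
    }


def check_fit(image, partition, table):
    """Return the free bytes left in the partition, or raise if the image overflows."""
    _, part_size = table[partition]
    needed = max(len(image), read_superblock(image)["bytes_used"])
    if needed > part_size:
        raise ValueError(f"{partition}: image needs {needed} bytes, partition holds {part_size}")
    return part_size - needed


def splice(flash, image, partition, table):
    """Copy of the dump with the image written at the partition start (like dd conv=notrunc)."""
    offset, _ = table[partition]
    check_fit(image, partition, table)
    out = bytearray(flash)
    out[offset:offset + len(image)] = image
    if len(out) != len(flash):
        raise ValueError("dump length changed; it is shorter than the partition table expects")
    return bytes(out)


def make_sample_image(bytes_used, block_size=131072, comp=4):
    """Constructed input: a superblock-only squashfs stub padded to 4 KiB like mksquashfs output."""
    sb = bytearray(96)
    sb[:4] = SQUASHFS_MAGIC
    struct.pack_into("<I", sb, 12, block_size)
    struct.pack_into("<H", sb, 20, comp)
    struct.pack_into("<HH", sb, 28, 4, 0)
    struct.pack_into("<Q", sb, 40, bytes_used)
    padded = -(-bytes_used // 4096) * 4096
    return bytes(sb) + b"\0" * (padded - len(sb))


if __name__ == "__main__":
    table = parse_mtdparts(MTDPARTS)
    image = make_sample_image(2339162)
    print(read_superblock(image), check_fit(image, "user", table))
```

With a real dump, read the repacked file and the flash image as bytes and pass them to `splice`; a `ValueError` means the rebuilt filesystem would run into the `backup` partition that follows `user`.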

frankol commented 2 years ago

OK, was able to change root password with this:

```
/opt/skyeye/bin/ty_passwd -u 0 -a password -f /etc/tuya/shadow
```

Can you patch my tycam binary like you did with the others please? tycam

justadri commented 2 years ago

hi, just wondering if there's been any progress on this model since the last post. i've also got 2 of these cameras (with v1.1.6 firmware) and have been trying to get an rtsp stream out of them for months. i'm happy to test or help in any way i can.

jcconnell commented 2 years ago

I'm in the same boat. 2 cameras. Would love to have an RTSP stream.

cjj25 commented 2 years ago

Could someone provide me with a dump of the 1.1.6 firmware? I'll then patch the binaries.

Follow the instructions on the homepage of the repo and see if you can gain telnet access, then you'll have a non-invasive way of dumping the firmware.

jcconnell commented 2 years ago

@cjj25 I can help with a bit more instruction. I imagine I'd need to follow the directions listed here using the latest patched binary.

Assuming I have telnet access, what are the next steps?

cjj25 commented 2 years ago

That's great! You can use the script here and then send the mtdblock0 over.. I can then patch the binary for you.

I'm currently working on an auto patcher on boot that'll work for all the different versions.

jcconnell commented 1 year ago

Finally circling back to this - I'm not sure this is working for me. I'm not able to get telnet access, and the sd card doesn't have any logs that indicate the scripts or hack attempted to start. I've tried both of the high-resolution patched binaries without success. Any ideas?