LucasMedeiros-dev commented 2 months ago

Intro

Hi, I've managed to access the u-boot and shell via uart from my generic tuya doorbell with rf433 chime.

Here's the log I've managed to extract.

I'd like some help on how to enable onvif & rtsp and how to make it persistent.

Logs

U-Boot 2010.06 (Aug 10 2022 - 17:37:59)

DRAM:  64 MiB

MMC:   

spi_flash_probe_default multi wire open flag is 0

*** Warning - bad CRC, using default environment

In:    serial

Out:   serial

Err:   serial

Net:   FH EMAC

Hit any key to stop autoboot:  1  0 

U-Boot> [1~getev-  nv

Unknown command '[1~getenv' - try 'help'

U-Boot> help

?       - alias for 'help'

arc_go  - start application at address 'addr'

base    - print or set address offset

bdinfo  - print Board Info structure

boot    - boot default, i.e., run 'bootcmd'

bootd   - boot default, i.e., run 'bootcmd'

bootm   - boot application image from memory

bootp   - boot image via network using BOOTP/TFTP protocol

chpart  - change active partition

cmp     - memory compare

coninfo - print console devices and information

cp      - memory copy

crc32   - checksum calculation

date    - get/set/reset date & time

dhcp    - boot image via network using DHCP/TFTP protocol

dma_cp  - dma memory copy

dump_phy_reg- dump phy reg

echo    - echo args to console

editenv - edit environment variable

fastbootcmd- set boot command

fatinfo - print information about filesystem

fatload - load binary file from a dos filesystem

fatls   - list files in a directory (default /)

go      - start application at address 'addr'

help    - print command description/usage

iminfo  - print header information for application image

imxtract- extract a part of a multi-image

itest   - return true/false on integer compare

loadb   - load binary file over serial line (kermit mode)

loads   - load S-Record file over serial line

loady   - load binary file over serial line (ymodem mode)

loop    - infinite loop on address range

md      - memory display

mii     - MII utility commands

mm      - memory modify (auto-incrementing address)

mmc     - MMC sub system

mmcinfo - mmcinfo <dev num>-- display MMC info

mtdparts- define flash/nand partitions

mtest   - simple RAM read/write test

mw      - memory write (fill)

nfs     - boot image via network using NFS protocol

nm      - memory modify (constant address)

pinctrl - Pin Ctrl

ping    - send ICMP ECHO_REQUEST to network host

printenv- print environment variables

rarpboot- boot image via network using RARP/TFTP protocol

reset   - Perform RESET of the CPU

run     - run commands in an environment variable

saveenv - save environment variables to persistent storage

setenv  - set environment variables

sf      - SPI flash sub-system

sleep   - delay execution for some time

source  - run script from memory

sspi    - SPI utility commands

tftpboot- boot image via network using TFTP protocol

usb     - USB sub-system

version - print monitor version

wdt     - WDT utility commands

U-Boot> version

U-Boot 2010.06 (Aug 10 2022 - 17:37:59)

U-Boot> 

U-Boot> boot

spi_flash_probe_default multi wire open flag is 0

8192 KiB default_flash at 0:0 is now current device

## Booting kernel from Legacy Image at a1000000 ...

   Image Name:   Linux-4.9.129

   Created:      2023-02-07   7:18:39 UTC

   Image Type:   ARM Linux Kernel Image (uncompressed)

   Data Size:    1375768 Bytes = 1.3 MiB

   Load Address: a0008000

   Entry Point:  a0008000

   Verifying Checksum ... OK

   Loading Kernel Image ... OK

OK

prepare atags

Starting kernel ...

starting pid 70, tty '': '/etc/init.d/rcS'
[RCS]: /etc/init.d/S01udev
Starting udev:      [ OK ]
load_modules_RH8852.sh start
loadNetwork.sh script*****
load_modules_RH8852.sh end

starting pid 156, tty '': '/sbin/inetd -f -e /etc/inetd.conf'

starting pid 157, tty '': '-/bin/sh'

BusyBox v1.26.2 (2021-09-11 10:51:52 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

fh-linux# *****autorun script*****
[dsp] version: V1.3.0.P5(ge091dd7),build: 2021-06-15
sh: write error: Device or resource busy
[isp] version:  V1.3.0.P6(gbfb91d2),build: 2021-06-30
[ispcore] version:  V1.3.0.P6(gbfb91d2),build: 2021-06-30
ADV_ISP version:        V1.3.0.P3(ga56c28c), build: 2021-04-07
[sensor] version:   V1.3.0(g00cc9fa),build: 2020-12-23
probe sensor: jxf37p_mipi
[mipi] version: V1.3.0(g00cc9fa),build: 2020-12-23
[sensor] version:   V1.3.0(g00cc9fa),build: 2020-12-23
[sensor] version:   V1.3.0(g00cc9fa),build: 2020-12-23

jxf37p ver 20210629
sh: write error: Device or resource busy
unm_set_dns_cache_priority ->0
unm_set_dns_region 2
isp param version is not compitable with current setting!

jxf37p ver 20210629
isp param version is not compitable with current setting!
ADV_SMARTIR version:        V1.3.0.P3(ga56c28c), build: 2021-04-07
ADV_OSD version:        V1.3.0.P3(ga56c28c),build: 2021-04-07
[ACW_MPI] version: V1.3.0(g986a3cb),build: 2020-12-23
MD version:         V1.3.0.P3(ga56c28c), build: 2021-04-07
Configuration file: /tmp/etc/Wireless/hostapd.conf
Failed to create interface mon.ap0: -95 (Operation not supported)
ap0: Could not connect to kernel driver
Using interface ap0 with hwaddr 60:fb:00:49:18:c7 and ssid "SmartLife_hwxd333e9ad043a78775"
ap0: interface state UNINITIALIZED->ENABLED
ap0: AP-ENABLED 
^C
fh-linux# s[Jls
[1;34mautorun[0m      [1;34mhome[0m         [1;34mopt[0m          [1;34msd[0m           [1;34mtuya_config[0m
[1;34mbin[0m          [1;36minit[0m         [1;34mproc[0m         [1;34msrv[0m          [1;34musr[0m
[1;34mdev[0m          [1;34mlib[0m          [1;34mroot[0m         [1;34msys[0m          [1;34mvar[0m
[1;34metc[0m          [1;34mmnt[0m          [1;34msbin[0m         [1;34mtmp[0m          [1;34mvendor[0m
fh-linux# /[Jcat /i
fh-linux# cat /init [J[J[J[J
fh-linux# cat /init [J 
autorun/      home/         opt/          sd/           tuya_config/
bin/          init          proc/         srv/          usr/
dev/          lib/          root/         sys/          var/
etc/          mnt/          sbin/         tmp/          vendor/

fh-linux# cat /init [J
autorun/      home/         opt/          sd/           tuya_config/
bin/          init          proc/         srv/          usr/
dev/          lib/          root/         sys/          var/
etc/          mnt/          sbin/         tmp/          vendor/

fh-linux# cat /init [J[J[J[J[J[J/[Js 
fh-linux# cat /s[Jb
fh-linux# cat /sbin/[J 
dhcprelay       hwclock         mkdosfs         route           udhcpc
dnsmasq         ifconfig        mkfs.vfat       sample_wifi     udhcpd
fdisk           inetd           modprobe        sh_for_telnet
flash_eraseall  init            poweroff        telnetd
flashcp         insmod          reboot          udevadm
halt            lsmod           rmmod           udevd

fh-linux# cat /sbin/[J[J[J[J[J[J[J[J[J[J[Jcd [J[J[Jcd sb
fh-linux# cd sbin/[J
fh-linux# dir
-/bin/sh: dir: not found
fh-linux# ls
[1;36mdhcprelay[0m       [1;36mhwclock[0m         [1;36mmkdosfs[0m         [1;36mroute[0m           [1;36mudhcpc[0m
[1;32mdnsmasq[0m         [1;36mifconfig[0m        [1;36mmkfs.vfat[0m       [1;32msample_wifi[0m     [1;36mudhcpd[0m
[1;36mfdisk[0m           [1;36minetd[0m           [1;36mmodprobe[0m        [1;32msh_for_telnet[0m
[1;36mflash_eraseall[0m  [1;36minit[0m            [1;36mpoweroff[0m        [1;36mtelnetd[0m
[1;32mflashcp[0m         [1;36minsmod[0m          [1;36mreboot[0m          [1;32mudevadm[0m
[1;36mhalt[0m            [1;36mlsmod[0m           [1;36mrmmod[0m           [1;32mudevd[0m
fh-linux# tel
fh-linux# telnetd [J[J[J[J[J[J[J[J[Jsh 
fh-linux# sh[J_[J_
fh-linux# sh_for_telnet [J

BusyBox v1.26.2 (2021-09-11 10:51:52 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

fh-linux# tel
fh-linux# telnetd [J-h
telnetd: invalid option -- h
BusyBox v1.26.2 (2021-09-11 10:51:52 CST) multi-call binary.

Usage: telnetd [OPTIONS]

Handle incoming telnet connections

    -l LOGIN    Exec LOGIN on connect
    -f ISSUE_FILE   Display ISSUE_FILE instead of /etc/issue
    -K      Close connection as soon as login exits
            (normally wait until all programs close slave pty)
    -p PORT     Port to listen on
    -b ADDR[:PORT]  Address to bind to
    -F      Run in foreground
    -i      Inetd mode
    -w SEC      Inetd 'wait' mode, linger time SEC
    -S      Log to syslog (implied by -i or without -F and -w)
fh-linux# cd ..
fh-linux# cat /ho
fh-linux# cat /home/[J
fh-linux# cat /home/shellpid [J [J[J[J[J[J[J[J[J[J[J[J[J[J[J h
fh-linux# cat /home/[J
fh-linux# cat /home/shellpid [J
1
fh-linux# ac[J[Jcat/ [J[J /h
fh-linux# cat /home/[J[J[J[J[J[Jsu[J[Jus
fh-linux# cat /usr/[J h o [J[J[J
fh-linux# cat /usr/[J 
attr/    bin/     driver/  lib/     share/

fh-linux# cat /usr/[J
attr/    bin/     driver/  lib/     share/

fh-linux# cat /usr/[Jb
fh-linux# cat /usr/bin/[J 
EasyCam  RShell

fh-linux# cat /usr/bin/[J
EasyCam  RShell

Sorry for the logging bugs.

guino commented 2 months ago

@LucasMedeiros-dev looks like you already have root access - that's great!

On most of the newer devices you can enable onvif/rtsp by editing /home/cfg/tuya_config.json -- execute cat /home/cfg/tuya_config.json to see the file contents on your terminal.

You should be able edit the file on your computer with the following steps: 1-Insert SD card FAT32 formatted, power on device 2-on your shell (above), execute: cp /home/cfg/tuya_config.json /mnt/mmc01/; sync, power off device 3-Take the SD card out, put it on your computer and edit the tuya_config.json file to have onvif_enable set to 1, save/eject SD card 4-put the file back onto the device, power it on again 5-on your shell, execute: cp /mnt/mmc01/tuya_config.json /home/cfg; sync 6-reboot the device to use the new config file

It may be helpful to know what version of ppsapp you're running (usually shows in the phone app somewhere), you can alretnatively copy ppsapp to the SD card executing this after step 1 above: mount -t cramfs /dev/mtdblock5 /opt/pps; cp /opt/app/app* /mnt/mmc01/ -- the app.tar.* file should be in the root of the SD card (and ppsapp is inside of it), so feel free to post a zip of if for review and we can go from there.

LucasMedeiros-dev commented 2 months ago

Hi! I got to work on the camera today, there's no CFG folder nor tuya_config.json, there's a folder named Tuya_config with the following files log_seq_stat tuya_enckey.db tuya_user.db tuya_user.db_bak

Also found the command getVersion and it returns

************************************************
FW compile date =[May 27 2023 11:41:17]
  BUILD_FW_TYPE_VER: 1
  FW_VER_CODE      : 1631
  modelName        : D1
  customerName     : WXD
*************************************************

The mount command to mount ppsapp doesn't work

LucasMedeiros-dev commented 2 months ago

After running something like get_burn_file, this file was present in the sdcard

Flash_ACdoorbell_D1_WXD_P20_V1.6.3.1_Tuya.zip

guino commented 1 week ago

The zip file provided seems to be a full firmware dump file (8Mb). The main application seems to be 'EasyCam', and seems to be very different from the other 'ppsapp' files we've seen.

I opened the easeycam file in ghidra and the code did not seem to have any tuya_config.json references as you pointed out. It seems to be just reading any settings from the cloud server. The only reference to RTSP features I found seemed to be initiated from the cloud (mqtt) server, but it didn't seem like there was anything that would initialize it, so doesn't seem like RTSP is available in any fashion.

This being a newer camera you may be able to use the WebRTC interface (https://www.reddit.com/r/smartlife/comments/oyqvdv/webrtc_stream_terminal_for_tuya_smartlife_cameras/) , if so you may be able to use https://www.scrypted.app/ to convert from WebRtc to RTSP, but that would be all.

guino / BazzDoorbell

Need Help With Generic Tuya Doorbell #117

Intro

Logs