Support for V30 doorbell

[mshuflin]

I am looking at tuya-based video doorbells available in my region and this one seems quite common. https://shopee.com.my/product/361966449/8762138469?smtt=0.208419637-1628041873.9

Is there a possibility that these doorbells can be rooted? Thanks!

[guino]

@mshuflin hard to say without seeing the url responses. I would stay away from battery powered devices because they are more likely to be running RTOS than linux and they’re possibly not going to be always on.

I am not sure if you have specific reasons to root the device but if you’re still shopping I always recommend buying a device that has all features you need instead of trying to mod it. I understand there are factors such as price and availability but I would only go thru the trouble of rooting if I had to.

[mshuflin]

Thanks @guino for your quick reply. I am looking for a fully cloudless option that can integrate with Home Assistant, node red, and/or MQTT.

[guino]

@mshuflin the only cameras that would allow for that without rooting would be the ones that have the 'remote event log' or 'event server' feature which allow you to enter the ip address of a server to receive camera events (including motion detection) which you could create in the same computer/server that runs home assistant.

Obviously many people have done what you want with a range of tuya cameras (using with the posted information) but it can be a gamble finding a device with a rootable version. If you're going to buy without knowing details I would recommend buying from place where you can easily return the camera if it isn't what you need.

[mshuflin]

Thanks for the advice, I will order (and return if it does not work) and report back here

[mshuflin]

Here are my results: I could not get any response from any port other than 6668.

from http://192.168.0.170:6668/devices/deviceinfo I received:

��Uª����������û����3.3������PÖ���
Æ¥¿LˆÂéά<[•Çl¬MBxpsÀdW:4ågAb¢%ªäËCžuHÈŤ“iÐ.Þë}´iñç?|šl޾زTƒÃ”ËÿcŠï'owp†äý3#.ž²TS­F!¾úŒ†û~ïP¾ÙÚ©Ä(SñA€x4R“}[@/pQçD‹+Ÿ®ŸÑöaåÕEÇÆZøÕßÙ¯ËÙç‚73vÕØ|ŸRß¾
I]bd¬x’26ŽIÓª¼ê£+ž|1¢¦:¹Øq¶’±ÁÇTËþ‹€Fò¥}¬¥ÜÕ%wïÏPôì
¨†��ªU

and similarly garbled text from other urls.

[guino]

@mshuflin did you add in ppsFactoryTool.txt to the SD card to see if any other ports open (80 or 8090) ?

The output you got for port 6668 id the standard tuya api port which isn't useful for anything else.

[mshuflin]

It turns out this model does not have an SD card. The back has a USB port.

[guino]

@mshuflin it most likely has a SD card slot inside (if you open it) - I have no way to tell how easy it is to access it.

[mshuflin]

I was able to open it fairly easily, here is what it looks like:

[guino]

@mshuflin Your UART is likely the top left 4 holes on the 2nd picture posted (and flash chip looks like the one next to the holes --I couldn't read the numbers on it from the picture). If there's any SD card slot it would likely be behind the top board (where the camera lens are mounted). Without a SD card slot the only hope of making any mods would be using a UART/hardware programmer to read the firmware, modify it and flash it back. Depending on the bootloader it may only be possible to do it with the hardware programmer and having no SD card storage would limit you to AT MOST enabling RTSP/ONVIF (if included in the code at all).

If you have a heat-gun and programmer you can read the flash and I can review it to tell you what is possible to do. If you don't have the tools or familiarity with it I would stop now before risking breaking the device -- you could sell/return it and get another if you really require extra features.

[paulloft]

I have the same doorbell. All ports on the device are closed, I tried all your options with ppsFactoryTool.txt and none worked. I connected to the UART pin, but it seems to be a dead end, since I cannot send commands, and the output to the console looks like this:

I managed to connect with clamps to the XM25QH64AHIG chip and download the firmware from it (https://drive.google.com/file/d/1I0fIbhhVVQDAoBq6kRFSbFJtjyMji2IE/view?usp=sharing) Next, I ran binwalk -e -M like in your example

its output under the spoiler:

``` pi@raspberrypi:~ $ binwalk -e -M ./doorbell_v30.bin Scan Time: 2022-01-05 22:41:48 Target File: /home/pi/doorbell_v30.bin MD5 Checksum: 904f0a83916fa3477f51d17ed13e676e Signatures: 411 DECIMAL HEXADECIMAL DESCRIPTION -------------------------------------------------------------------------------- 18160 0x46F0 gzip compressed data, has original file name: "u-boot.bin", from Unix, last modified: 2020-07-07 03:29:15 327696 0x50010 gzip compressed data, has original file name: "EasyCam.bin", from Unix, last modified: 2021-04-01 07:14:22 5308419 0x510003 MySQL ISAM compressed data file Version 5 5395045 0x525265 MySQL MISAM index file Version 10 5418378 0x52AD8A MySQL ISAM index file Version 2 5444208 0x531270 MySQL MISAM compressed data file Version 4 5444412 0x53133C MySQL MISAM index file Version 5 5514744 0x5425F8 MySQL MISAM index file Version 10 5535950 0x5478CE MySQL MISAM index file Version 5 5547885 0x54A76D MySQL MISAM index file Version 6 5593564 0x5559DC MySQL ISAM index file Version 7 5602202 0x557B9A MySQL ISAM compressed data file Version 8 5641461 0x5614F5 MySQL MISAM compressed data file Version 7 5644284 0x561FFC MySQL MISAM index file Version 1 5706578 0x571352 MySQL ISAM index file Version 2 5711276 0x5725AC MySQL MISAM compressed data file Version 4 5721427 0x574D53 MySQL MISAM compressed data file Version 4 5739140 0x579284 MySQL ISAM compressed data file Version 6 5741912 0x579D58 MySQL ISAM compressed data file Version 5 5748403 0x57B6B3 MySQL MISAM compressed data file Version 10 5753885 0x57CC1D MySQL MISAM index file Version 7 5757997 0x57DC2D MySQL ISAM compressed data file Version 6 5763292 0x57F0DC MySQL ISAM index file Version 2 5764060 0x57F3DC MySQL ISAM index file Version 8 5769029 0x580745 MySQL MISAM index file Version 2 5771205 0x580FC5 MySQL MISAM index file Version 4 5793662 0x58677E MySQL MISAM compressed data file Version 10 5798838 0x587BB6 MySQL MISAM index file Version 5 5806306 0x5898E2 MySQL MISAM index file Version 6 5810993 0x58AB31 MySQL MISAM index file Version 7 5822940 0x58D9DC MySQL MISAM index file Version 1 5825339 0x58E33B MySQL MISAM compressed data file Version 2 5827436 0x58EB6C MySQL MISAM index file Version 8 5827991 0x58ED97 MySQL MISAM index file Version 1 5830225 0x58F651 MySQL ISAM index file Version 3 5831459 0x58FB23 MySQL ISAM index file Version 3 5837622 0x591336 MySQL MISAM index file Version 3 6007679 0x5BAB7F MySQL ISAM index file Version 11 6088525 0x5CE74D MySQL MISAM index file Version 6 6342707 0x60C833 MySQL ISAM compressed data file Version 5 6429333 0x621A95 MySQL MISAM index file Version 10 6452666 0x6275BA MySQL ISAM index file Version 2 6478496 0x62DAA0 MySQL MISAM compressed data file Version 4 6478700 0x62DB6C MySQL MISAM index file Version 5 6549032 0x63EE28 MySQL MISAM index file Version 10 6570238 0x6440FE MySQL MISAM index file Version 5 6582173 0x646F9D MySQL MISAM index file Version 6 6627852 0x65220C MySQL ISAM index file Version 7 6636490 0x6543CA MySQL ISAM compressed data file Version 8 6675749 0x65DD25 MySQL MISAM compressed data file Version 7 6678572 0x65E82C MySQL MISAM index file Version 1 6740866 0x66DB82 MySQL ISAM index file Version 2 6745564 0x66EDDC MySQL MISAM compressed data file Version 4 6755715 0x671583 MySQL MISAM compressed data file Version 4 6773428 0x675AB4 MySQL ISAM compressed data file Version 6 6776200 0x676588 MySQL ISAM compressed data file Version 5 6782691 0x677EE3 MySQL MISAM compressed data file Version 10 6788173 0x67944D MySQL MISAM index file Version 7 6792285 0x67A45D MySQL ISAM compressed data file Version 6 6797580 0x67B90C MySQL ISAM index file Version 2 6798348 0x67BC0C MySQL ISAM index file Version 8 6803317 0x67CF75 MySQL MISAM index file Version 2 6805493 0x67D7F5 MySQL MISAM index file Version 4 6827950 0x682FAE MySQL MISAM compressed data file Version 10 6833126 0x6843E6 MySQL MISAM index file Version 5 6840594 0x686112 MySQL MISAM index file Version 6 6845281 0x687361 MySQL MISAM index file Version 7 6857228 0x68A20C MySQL MISAM index file Version 1 6859627 0x68AB6B MySQL MISAM compressed data file Version 2 6861724 0x68B39C MySQL MISAM index file Version 8 6862279 0x68B5C7 MySQL MISAM index file Version 1 6864513 0x68BE81 MySQL ISAM index file Version 3 6865747 0x68C353 MySQL ISAM index file Version 3 6871910 0x68DB66 MySQL MISAM index file Version 3 7041967 0x6B73AF MySQL ISAM index file Version 11 7122813 0x6CAF7D MySQL MISAM index file Version 6 Scan Time: 2022-01-05 22:42:02 Target File: /home/pi/_doorbell_v30.bin.extracted/u-boot.bin MD5 Checksum: f5146fcb9bb95cfcccf06d6faf1e2770 Signatures: 411 DECIMAL HEXADECIMAL DESCRIPTION -------------------------------------------------------------------------------- Scan Time: 2022-01-05 22:42:03 Target File: /home/pi/_doorbell_v30.bin.extracted/EasyCam.bin MD5 Checksum: bf182f36049b3be16c66b1a0410c9288 Signatures: 411 DECIMAL HEXADECIMAL DESCRIPTION -------------------------------------------------------------------------------- 2107497 0x202869 Certificate in DER format (x509 v3), header length: 4, sequence length: 1284 2107501 0x20286D Certificate in DER format (x509 v3), header length: 4, sequence length: 1288 2729989 0x29A805 Certificate in DER format (x509 v3), header length: 4, sequence length: 5380 3851565 0x3AC52D Certificate in DER format (x509 v3), header length: 4, sequence length: 5380 4866933 0x4A4375 Certificate in DER format (x509 v3), header length: 4, sequence length: 13692 5837312 0x591200 Unix path: /home/ad/work/sdk/Hi3518EV300_SHC_SDK_V1.0.0.5/osdrv/platform/liteos/liteos/kernel/base/core/los_task.c 5839948 0x591C4C Unix path: /home/ad/work/sdk/Hi3518EV300_SHC_SDK_V1.0.0.5/osdrv/platform/liteos/liteos/kernel/base/mem/mem_bestfit/los_memory.c 5841436 0x59221C Unix path: /home/ad/work/sdk/Hi3518EV300_SHC_SDK_V1.0.0.5/osdrv/platform/liteos/liteos/kernel/base/ipc/los_mux.c 5843928 0x592BD8 Unix path: /home/ad/work/sdk/Hi3518EV300_SHC_SDK_V1.0.0.5/osdrv/platform/liteos/liteos/fs/vfs/inode/fs_inode.c 5844332 0x592D6C Unix path: /home/ad/work/sdk/Hi3518EV300_SHC_SDK_V1.0.0.5/osdrv/platform/liteos/liteos/fs/vfs/driver/fs_blockproxy.c 5846972 0x5937BC Unix path: /home/ad/work/sdk/Hi3518EV300_SHC_SDK_V1.0.0.5/osdrv/platform/liteos/liteos/fs/vfs/bch/src/bchlib_sem.c 6055316 0x5C6594 Unix path: /home/ad/work/sdk/Hi3518EV300_SHC_SDK_V1.0.0.5/osdrv/platform/liteos/liteos/platform/bsp/board/hi3518ev300/include/hisoc/spi.h 6056028 0x5C685C Unix path: /home/ad/work/sdk/Hi3518EV300_SHC_SDK_V1.0.0.5/osdrv/platform/liteos/liteos/platform/bsp/board/hi3518ev300/include/hisoc/uart.h 6067212 0x5C940C eCos RTOS string reference: "ECOST CPUUSE CPUUSE10s CPUUSE1s mode" 6219524 0x5EE704 CRC32 polynomial table, little endian 6231772 0x5F16DC Base64 standard index table 6237932 0x5F2EEC Base64 standard index table 6238256 0x5F3030 AES S-Box 6242668 0x5F416C AES Inverse S-Box 6252400 0x5F6770 Unix path: /home/ywx389445/z_ss/a_spc010/c_sdk/source/wifi_project/drv/sdio_hi1131sv100/hi1131_driver/driver/platform/inc/oal/liteos/arch/o 6252688 0x5F6890 Unix path: /home/ywx389445/z_ss/a_spc010/c_sdk/source/wifi_project/drv/sdio_hi1131sv100/hi1131_driver/driver/platform/inc/oal/liteos/arch/o 6376495 0x614C2F Copyright string: "copyright holder(s) nor the" 6377000 0x614E28 Copyright string: "copyright" 6377135 0x614EAF Copyright string: "copyright" 6377628 0x61509C Copyright string: "Copyright (c) 2003-2014, Jouni Malinen and contributors" 6438224 0x623D50 Neighborly text, "Neighboring BSS: freq=%dd" 6446336 0x625D00 Neighborly text, "neighboring BSSes ret=%d (%s) - try to scan again (attempt %d)" 6447301 0x6260C5 Neighborly text, "neighboring BSSes prior to enabling 40 MHz channelquest a scan of neighboring BSSes ret=%d (%s) - try to scan again" 6447380 0x626114 Neighborly text, "neighboring BSSes ret=%d (%s) - try to scan againequest a scan of neighboring BSSes ret=%d (%s)" 6447460 0x626164 Neighborly text, "neighboring BSSes ret=%d (%s)rdware channel/rate support not supported." 6448480 0x626560 Neighborly text, "Neighboring BSS: %02x:%02x:%02x:%02x:%02x:%02x freq=%d pri=%d sec=%dec=%d" 6493640 0x6315C8 AES Inverse S-Box 6495412 0x631CB4 SHA256 hash constants, little endian 6690356 0x661634 AES Inverse S-Box 6690612 0x661734 AES S-Box 6706936 0x6656F8 Unix path: /var/lib/jenkins/workspace/Release_IPC_SDK/src/tuya_ipc_sdk/tuya_ipc_api.c 6708388 0x665CA4 Unix path: /var/lib/jenkins/workspace/Release_IPC_SDK/src/tuya_ipc_sdk/cloud_storage/tuya_ipc_cloud_storage.c 6712756 0x666DB4 Unix path: /var/lib/jenkins/workspace/Release_IPC_SDK/src/tuya_ipc_sdk/encrypt/tuya_ipc_encrypt.c 6714228 0x667374 Unix path: /var/lib/jenkins/workspace/Release_IPC_SDK/src/tuya_ipc_sdk/tuya_ipc_notification.c 6719664 0x6688B0 Unix path: /var/lib/jenkins/workspace/Release_IPC_SDK/src/tuya_ipc_sdk/p2p/ppcs/tuya_ipc_p2p.c 6723824 0x6698F0 Unix path: /var/lib/jenkins/workspace/Release_IPC_SDK/src/tuya_ipc_sdk/skill/tuya_ipc_skill.c 6724268 0x669AAC Unix path: /var/lib/jenkins/workspace/Release_IPC_SDK/src/tuya_ipc_sdk/TStreamer/tuya_ipc_streamer.c 6725516 0x669F8C Unix path: /home/cj/workspace/test/testStreamer.bin 6726992 0x66A550 Unix path: /var/lib/jenkins/workspace/Release_IPC_SDK/src/tuya_ipc_sdk/p2p/ppcs/tuya_ipc_webrtc.c 6728240 0x66AA30 Unix path: /var/lib/jenkins/workspace/Release_IPC_SDK/src/tuya_ipc_sdk/ring_buffer/tuya_ring_buffer.c 6748600 0x66F9B8 Base64 standard index table 6749552 0x66FD70 Unix path: /var/lib/jenkins/workspace/Release_IPC_SDK/src/tuya_adapter/utilities/uni_time.c 6750740 0x670214 Unix path: /var/lib/jenkins/workspace/Release_IPC_SDK/src/tuya_iot_sdk/wifi_cfg_serv/wf_sniffer_intf.c 6756740 0x671984 Unix path: /var/lib/jenkins/workspace/Release_IPC_SDK/src/tuya_iot_sdk/tuya_cloud/cloud_operation.c 6758956 0x67222C Unix path: /var/lib/jenkins/workspace/Release_IPC_SDK/src/tuya_iot_sdk/tuya_cloud/com_protocol.c 6760248 0x672738 CRC32 polynomial table, little endian 6761528 0x672C38 Unix path: /var/lib/jenkins/workspace/Release_IPC_SDK/src/tuya_iot_sdk/wifi_cfg_serv/ez_mc.c 6766936 0x674158 Unix path: /var/lib/jenkins/workspace/Release_IPC_SDK/src/tuya_iot_sdk/tuya_cloud/gw_intf.c 6769004 0x67496C CRC32 polynomial table, little endian 6770816 0x675080 Unix path: /var/lib/jenkins/workspace/Release_IPC_SDK/src/tuya_middleware/httpc/httpc.c 6774292 0x675E14 Unix path: /var/lib/jenkins/workspace/Release_IPC_SDK/src/tuya_middleware/httpc/http_inf.c 6777444 0x676A64 Unix path: /var/lib/jenkins/workspace/Release_IPC_SDK/src/tuya_iot_sdk/tuya_cloud/iot_httpc.c 6787668 0x679254 Unix path: /var/lib/jenkins/workspace/Release_IPC_SDK/src/tuya_middleware/mqtt/mqtt_client.c 6795304 0x67B028 AES Inverse S-Box 6799708 0x67C15C Unix path: /var/lib/jenkins/workspace/Release_IPC_SDK/src/tuya_iot_sdk/tuya_cloud/smart_frame.c 6805652 0x67D894 Unix path: /var/lib/jenkins/workspace/Release_IPC_SDK/src/tuya_base/sys_serv/sys_timer.c 6806244 0x67DAE4 Unix path: /var/lib/jenkins/workspace/Release_IPC_SDK/src/tuya_iot_sdk/tuya_cloud/thing_config.c 6808336 0x67E310 Unix path: /var/lib/jenkins/workspace/Release_IPC_SDK/src/tuya_iot_sdk/wifi_cfg_serv/tlink_bc.c 6811112 0x67EDE8 Unix path: /var/lib/jenkins/workspace/Release_IPC_SDK/src/tuya_iot_sdk/com_sdk/tuya_iot_com_api.c 6812092 0x67F1BC Unix path: /var/lib/jenkins/workspace/Release_IPC_SDK/src/tuya_iot_sdk/wifi_sdk/tuya_iot_wifi_api.c 6812468 0x67F334 Unix path: /var/lib/jenkins/workspace/Release_IPC_SDK/src/tuya_ipc_sdk/p2p/ppcs/tuya_ipc_aac_rtp.c 6812752 0x67F450 Unix path: /var/lib/jenkins/workspace/Release_IPC_SDK/src/tuya_ipc_sdk/p2p/ppcs/tuya_ipc_g711_rtp.c 6813020 0x67F55C Unix path: /var/lib/jenkins/workspace/Release_IPC_SDK/src/tuya_ipc_sdk/p2p/ppcs/tuya_ipc_h264_rtp.c 6813296 0x67F670 Unix path: /var/lib/jenkins/workspace/Release_IPC_SDK/src/tuya_ipc_sdk/moto_mqtt/tuya_ipc_moto_mqtt.c 6814184 0x67F9E8 Unix path: /var/lib/jenkins/workspace/Release_IPC_SDK/src/tuya_ipc_sdk/p2p/common/tuya_ipc_p2p_common.c 6822136 0x6818F8 Unix path: /var/lib/jenkins/workspace/Release_IPC_SDK/src/tuya_middleware/tls/tuya_tls.c 6822296 0x681998 Certificate in DER format (x509 v3), header length: 4, sequence length: 1998 6825664 0x6826C0 Unix path: /var/lib/jenkins/workspace/Release_IPC_SDK/src/tuya_iot_sdk/tuya_cloud/tuya_ws_db.c 6828452 0x6831A4 Unix path: /var/lib/jenkins/workspace/Release_IPC_SDK/src/tuya_iot_sdk/wifi_cfg_serv/ak_lan_protocol.c 6830032 0x6837D0 Unix path: /var/lib/jenkins/workspace/Release_IPC_SDK/src/tuya_middleware/mqtt/libemqtt.c 6830620 0x683A1C Unix path: /var/lib/jenkins/workspace/Release_IPC_SDK/src/tuya_base/kv_storge/flash/simple_flash_app.c 6831164 0x683C3C Unix path: /var/lib/jenkins/workspace/Release_IPC_SDK/src/tuya_base/kv_storge/flash/simple_flash.c 6842112 0x686700 AES S-Box 6852584 0x688FE8 Unix path: /usr/local/etc/zoneinfo 6853652 0x689414 Unix path: /home/ad/work/sdk/Hi3518EV300_SHC_SDK_V1.0.0.5/osdrv/platform/liteos/liteos/lib/libc/src/time/time64.c 6855008 0x689960 Unix path: /home/ad/work/sdk/Hi3518EV300_SHC_SDK_V1.0.0.5/osdrv/platform/liteos/liteos/compat/posix/src/pthread_mutex.c 6855640 0x689BD8 Unix path: /home/ad/work/sdk/Hi3518EV300_SHC_SDK_V1.0.0.5/osdrv/platform/liteos/liteos/compat/linux/src/completion.c 6858960 0x68A8D0 Unix path: /home/ad/work/sdk/Hi3518EV300_SHC_SDK_V1.0.0.5/osdrv/platform/liteos/liteos/platform/bsp/board/hi3518ev300/include/hisoc/i2c.h 7227486 0x6E485E TIFF image data, big-endian, offset of first image directory: 8 7228944 0x6E4E10 TIFF image data, big-endian, offset of first image directory: 8 7266396 0x6EE05C Base64 standard index table 7278260 0x6F0EB4 PEM RSA private key 7278324 0x6F0EF4 PEM EC private key 7278796 0x6F10CC PEM RSA private key 7278864 0x6F1110 PEM EC private key 7278960 0x6F1170 SHA256 hash constants, little endian 7281332 0x6F1AB4 Unix path: /var/lib/jenkins/workspace/Release_IPC_SDK/src/tuya_middleware/tls/mbedtls/ssl_srv.c 7290308 0x6F3DC4 Unix path: /var/lib/jenkins/workspace/Release_IPC_SDK/src/tuya_middleware/tls/mbedtls/ssl_tls.c 7291332 0x6F41C4 PEM certificate 7291528 0x6F4288 PEM certificate 7302488 0x6F6D58 Unix path: /var/lib/jenkins/workspace/Release_IPC_SDK/src/tuya_middleware/tls/mbedtls/ssl_cli.c 7521948 0x72C69C CRC32 polynomial table, little endian 7565712 0x737190 CRC32 polynomial table, little endian 7570620 0x7384BC CRC32 polynomial table, little endian 7640972 0x74978C Base64 standard index table 7695060 0x756AD4 AES S-Box 7696916 0x757214 AES Inverse S-Box 7827092 0x776E94 CRC32 polynomial table, little endian ```

When unpacking it, I received only two files u-boot.bin and EasyCam.bin, which are not further unpacked. It seems their structure is different from what you had. Unfortunately, I have no experience in decompiling and changing firmware, please tell me what steps can I try next?

Just in case, I attach a photo of the main module from both sides.

 

[guino]

Taking a quick look at the binwalk output it seems to confirm this device runs RTOS which greatly limits the options for making any changes (only hardware programmer would work for minimal changes). Did you try typing anything on the UART to see if there was any way to interact with it? Usually the RTOS application has some sort of pseudo terminal which allows a few basic commands but I would not expect anything useful from it.

[rossrosh007]

This maybe crazy. But I remember the old 720p doorbell camera had a sticker on the circuit modules with "admin" and "password". The sticker was behind the board, unscrew the board and check behind it. I can't recall if that was for connecting with a NVR or to login to a config.

The login info on that sticker was not the same as the sticker under the battery cover, which had the wifi AP login info