guino / BazzDoorbell


Attempting to hack Bullet 4S [B4S_V10_S1_GC1] w/ findings #47

Open Nigel1992 opened 3 years ago

Nigel1992 commented 3 years ago

I had to follow the steps from "Special note for 4.0.x firmware" in order to get access through HTTP. For whatever reason, the login for this specific device is admin:admin.

Here's the device info: {"devname":"Smart Home Camera","model":"Bullet 4S","serialno":"100192327","softwareversion":"5.0.5","hardwareversion":"B4S_V10_S1_GC1","firmwareversion":"ppstrong-c71-tuya2_lsc-5.0.5.20210301","identity":"M1M001AA3202018818","authkey":"TIiZAi5qoAhO5uM8emvS94EmhMsXPXOm","deviceid":"pp012b51c61aef6473f3","pid":"aaa","WiFi MAC":"b4:fb:e3:fd:2f:47","ETH MAC":"b4:fb:e3:fd:2f:47"}

Proc/cmdline returns: console=/dev/null LX_MEM=0x3fe0000 mma_heap=mma_heap_name0,miu=0,sz=0x1d00000 pcbversion=B3S_S1_V10 sensor=gc2063mipi

I then follow step 1.2 http://admin:admin@ip:8090/proc/self/root/etc/init.d/S90PPStrong but this gives me an error 500. I assume "S90PPStrong" is different on this camera. Any help?

guino commented 3 years ago

@Nigel1992 5.x firmware does not run linux so none of the mods work on it.

Nigel1992 commented 3 years ago

@guino So there's no way I can get rtsp to work?

guino commented 3 years ago

@Nigel1992 the only way to make any changes to this camera is to use a hardware programmer and even then we have no confirmed way to modify the firmware to enable rtsp. So right now the answer is no. I would not expect a hack for this camera to be made available (from me at least).

Nigel1992 commented 3 years ago

@guino how about downgrading using this

https://developer.tuya.com/en/docs/iot/firmware-upgrade-operation-guide?id=K93ixsft1w3to

Also... I saw a guy here in this repo who has my camera but runs an older firmware. Slightly different Hardware type, but same camera from looks

https://github.com/guino/ppsapp-rtsp/issues/2

guino commented 3 years ago

I have no familiarity with the tuya sdk, but I believe most of their sdk is for non-camera devices. If you figure something out with that, feel free to share your results.

While I would not be surprised if the same camera/model would work on an older firmware, it is possible/likely that some cameras have the same information on /devices/deviceinfo but run on different boards which may or may not be similar enough to allow using different firmware. The only real way of knowing would be to swap the flash chip between cameras with old and new firmware and see if both or either would work. If the old firmware works on the new firmware device, you could potentially flash it with the old firmware and keep it offline, as I doubt it would work on the tuya cloud with the old firmware due to the different settings/files in the device.

guino commented 2 years ago

@Nigel1992 Your device seems similar to #62 where the only way currently to root the device is with a hardware programmer, and there's currently no support for play/mpeg/snap (only onvif/rtsp). If we make any progress with that we'll be sure to post our findings publicly.

Nigel1992 commented 2 years ago

@guino Thanks for the update! How much are these hardware programmers, and where to buy it? Aliexpress? Maybe you can link me an example?

guino commented 2 years ago

@Nigel1992 you can get flash programmers on amazon, aliexpress, etc. But before you spend the money on this you should think about the following:

So really you have to think of the big-picture: how much time/money are you going to spend on this which may not even have a positive outcome (if you do something wrong) compared to possibly just getting something that does what you need out of the box. If you already have the equipment, sure it's worth a shot but I would not justify getting the equipment to make changes to 1 device.

Nigel1992 commented 2 years ago

@guino Any progress on this? Can it be modded just like the doorbell?

guino commented 2 years ago

@Nigel1992 without the device for research and testing we'll not have a SD card method anytime soon as it will require someone with the device and the knowledge to see what can be done (if at all possible).

Nigel1992 commented 2 years ago

Alright thanks for letting me know.
