guino / LSCOutdoor1080P

Root customization of the LSC Outdoor 1080P camera and LSC Rotating 1080P cameras

Root without SD card (V2.10.45 and possibly others) #19

Open isotherm opened 1 month ago

isotherm commented 1 month ago

I have been working on this, trying to get a root shell and possibly RTSP without permanently needing an SD card.

Please note that I have firmware V2.10.45, but looking at the squashfs, it seems very similar to V2.10.30. I think the below might still work, modifying wifi_driver.sh instead of wifi_driver_new.sh.

Here's what I have so far:

  1. Follow instructions at https://github.com/guino/Merkury1080P/issues/42#issuecomment-1317802613 to get a root shell.
  2. Log in to the camera via telnet.
  3. vi /etc/config/passwd and change the x between the colons to 20zVXVMtkhCxI. (This password is telnet. To do something else, run mkpasswd -m des, enter your desired password, and use that output instead.)
  4. vi /etc/config/wifi_driver_new.sh and add these two lines at the top of the driver_install() function, so it's like this:
    driver_install()
    {
       tcpsvd 0 21 ftpd -w / -t 1800 &
       telnetd
       wifi_stop
  5. Upon rebooting even without the SD card, telnet and FTP are available.

I'm working on RTSP next.

guino commented 1 month ago

@isotherm this is cool. With RTSP the issue is that I had to write out a whole new function into the main application, and I only did that to the specific version I posted. In theory it should be possible to do it with other versions of the main application, but it is just easier/faster to use the version I already patched.

In theory it is also possible to write a script/tool that loads the main application to memory, patches it, then executes it (so you can fit everything in the config partition), but again that requires a lot of extra time.

You could potentially just download the patched main application from somewhere on the network, but either you need to use the ram (which is limited), flash (which doesn't have enough space) or some network mount (which may be limited by kernel), so using the SD card is the simplest/easiest way to do it.

I understand the benefit of not needing SD cards (believe me I prefer that as well), but I also see the benefit in being able to just remove the SD card and running the device in 'stock' mode.

isotherm commented 1 month ago

Thank you for this explanation. While experimenting, I did have a case of the device no longer connecting to wireless. Without UART, I had to build an update.tar to reflash the /etc/config partition to a known state. If modifying anything in that script on the config partition, adding a failsafe to uninstall the hack (e.g. if a certain file exists on SD card) would be a good idea.

The following works to enable RTSP server via SD card without patching, and also avoid connecting to Tuya cloud at all:

  1. On SD card, make empty file named _ht_ap_mode.conf.
  2. On SD card, make file named hostapd with the following contents:
    #!/bin/sh
    killall udhcpd
    ifconfig wlan0 up
    /usr/bin/wpa_supplicant -Dwext -i wlan0 -c /mnt/wpa_supplicant.conf -B
    /sbin/udhcpc -i wlan0 -t 10 -A 5 -q &
    grep -q "root:x:" /etc/config/passwd && sed -i "s/root:x:/root:20zVXVMtkhCxI:/" /etc/config/passwd

    (If you want a different root password than telnet, run mkpasswd -m des, enter your desired password, and use that output instead between the colons in the last line.)

  3. On SD card, make file named wpa_supplicant.conf with the following contents (adjusted for local network):
    network={
        ssid="SSID"
        psk="PASSWORD"
    }
  4. Reboot. The only open ports are 23 (telnet) and 554 (rtsp).

This could also be implemented, as above, to work without any SD card. The advantage is either not needing an SD card at all, or not worrying about the hack being erased when the recorded video rolls over.

I'm still working on things like two way audio and the notifications. Also, I need to make sure wireless reconnects properly if the connection is lost.
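
The failsafe suggested in the comment above (uninstall the hack if a certain file exists on the SD card), written out as an added example that is not part of the original thread or the project's code. The marker file name restore_stock, the .orig backup suffix and the function names are assumptions, as is the SD card already being mounted at /mnt when the script runs:

```shell
#!/bin/sh
# Added example: failsafe for modified files on the config partition.
# Assumptions (not from the thread): marker name "restore_stock", ".orig"
# backup suffix, function names, SD card mounted before this runs.

CONFIG_DIR="${CONFIG_DIR:-/etc/config}"   # config partition path from the thread
SD_DIR="${SD_DIR:-/mnt}"                  # SD mount point, assumed from the thread
MARKER="restore_stock"                    # hypothetical marker file name

# Save a pristine copy once, before the first edit. Never overwrites an
# existing backup, so re-running after editing cannot capture a modified file.
backup_once() {
    f="$CONFIG_DIR/$1"
    [ -f "$f" ] || return 1
    [ -f "$f.orig" ] || cp -p "$f" "$f.orig"
}

# Restore one file from its backup. Copy to a temp name, then rename: the
# replacement is atomic, and a shell still reading the old file keeps
# reading the old inode instead of a half-written script.
restore_one() {
    f="$CONFIG_DIR/$1"
    [ -f "$f.orig" ] || return 1
    cp -p "$f.orig" "$f.tmp" && mv -f "$f.tmp" "$f"
}

# Call first thing in the modified script, passing the file names to restore.
# Returns 1 if no marker is on the SD card (run the additions as usual),
# 0 if every file was restored, 2 if the marker is present but a backup
# was missing for at least one file.
failsafe_check() {
    [ -f "$SD_DIR/$MARKER" ] || return 1
    rc=0
    for name in "$@"; do
        restore_one "$name" || rc=2
    done
    sync
    return $rc
}
```

Run backup_once wifi_driver_new.sh and backup_once passwd before making the edits; in the modified driver_install(), call failsafe_check wifi_driver_new.sh passwd first and start tcpsvd and telnetd only when it returns 1.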