guino / Merkury1080P

Merkury1080P (CW017) Rooting and Customization

LSC Indoor IP Camera Firmware v7.6.32 #37

Open BreadJS opened 2 years ago

BreadJS commented 2 years ago

Hey there!

I have bought this LSC Indoor IP Camera on the 30th of August 2022 and tried this method (combined with the Merkury720P method) with no success.

I have literally tried everything that was stated in the documentation. Also switching between SD cards. I also read some other issues but nothing seems to help. I even tried the custom QR code that somebody in the issues stated but no luck. I think they have patched out some things in this firmware version as this one is pretty high compared to all the other versions I saw wandering on GitHub.

The only ports that are open are:

Port 80 and 8554 showed "version" DoorBird video doorbell rtspd in nmap. I have no idea why it is also saying that on port 80 as that should be an HTTP server.

I also get no positive response from the HTTP requests I'm doing. I tried the admin:admin but also admin:056565099. They all returned ERR_CONNECTION_REFUSED. I checked the SD card but no new folders or files have been created.

It's a cheap camera with a pretty decent lens on it and would love to see this work in my setup. I do NOT want to build one on my own (for cheap) or buy an expensive set.

If you have any idea what I can do, let me know! :)

guino commented 2 years ago

@OfficialDevvCat if the Merkury1080, Merkury720 and BazzDoorBell process didn't work with different SD cards then it may have a different address or not be linux OS. Usually ppsFactoryTool.txt allows the HTTP responses to work, but like you said, it is possible they closed some things or changed the user/password.

Until someone with the right tools can open it up and read the firmware (or connect to UART) we won't know -- I have the tools but no device, so I have no way of helping right now.

BreadJS commented 2 years ago

100% true! What do you exactly need to use the uart port? I have soldering skills, yet I have no idea what I need. Would a Raspberry Pi 4 work? Because I have that laying around. Let me know. Maybe you want to discuss this on discord? DevvCat#0880

guino commented 2 years ago

@OfficialDevvCat if you're willing to open your device and solder wires to it I can help trying to figure out if we can root it.

The first step would be to open your device and take some good pictures of the board so we can identify the UART pins.

The second step will be to solder some wires to the UART pins and connect GND, RX and TX to the GND, RX, TX of the pi board (GPIO15 and GPIO14 pins on the header). You may need to swap the RX/TX around as we won't know which is RX/TX by looking at the board.

Once you have it all connected you should see some messages on the pi terminal when you power on the device -- ideally you should be able to interrupt the boot of the device by pressing a key when the first messages show up and it will either give you a bootloader prompt or ask for a password. Whatever messages show up may help in figuring out if we can even do anything.

BreadJS commented 2 years ago

Okay! I'm 100% willing to open up the device but currently I'm in the middle of a move so that will have to wait until I've got all my stuff! I will let you know as soon as possible when I've got everything and am ready for the hacking! :)

aleksandersmolowik commented 2 years ago

I have the same issue and the same camera. 20220913_145331 20220913_145504

guino commented 2 years ago

Screenshot_2022-09-13_16-11-49

Flash chip is marked in RED; UART pins are marked in BLUE.

Either we need a copy of the firmware (using hardware programmer on the flash chip) OR we need someone to connect to the UART pins (TTL 3V) to capture an output log and/or see if there's any access to the bootloader.

BreadJS commented 2 years ago

I ordered a SPI flasher and it will arrive in a few hours. When it is here I can dump the firmware and upload it so you guys can take a look at it! Give me a few hours and I will get back to you guys.

To be specific, this is the one I ordered: https://www.amazon.nl/gp/product/B08TVNPTQK/

guino commented 2 years ago

@OfficialDevvCat I have that flash programmer and you need to be aware of 2 things:

1-It says it is compatible with 3.3V chips but it outputs 5V on some pins -- you should check it before you fry your chip/board. There's a 'mod' you can do on it to make it output 3.3V on all pins (I did the mod on mine and it works correctly)

2-You most likely will need to remove the chip from the board (OR at least disconnect PIN 6 in my experience) before you can read/write the flash. If you don't have a heat gun it may be easier to cut the pin 6 (with needle cut pliers) and solder it back afterward than trying to remove the whole chip (trying to disconnect pin 6 with a soldering iron will likely damage the board) -- learned the hard way.

IF you're going to do any cut/solder work: I recommend practicing on any old/broken board laying around first

BreadJS commented 2 years ago

Okay so wait. The camera needs to be turned on right? And then the clip needs to be attached before I turn it on. (If it outputs the same voltage) and then I need them both turned on and read the data? Or does the camera need to be off and then attach the clip and read the data? Cause if the clip outputs 5V, I can make sure the clip does not output power and then connect the clip and turn on the camera to extract the data. Or is that not going to work? I do not have a heat gun or soldering station on hand.

guino commented 2 years ago

@OfficialDevvCat a flash programmer will read (and later write - if desired) the built in firmware on the device -- to be clear: it won't do anything with UART. For reading/writing the flash you don't turn on the device at all, you just plug the flash programmer on the chip and read (or write) its contents (like a USB drive). The issue is that (from experience) connecting the flash programmer to the chip without removing it from the board doesn't work (fails to read/write). As long as you verify the output is 3.3V (on all pins like VCC, RX, TX) then it should be safe to try and read the flash while connected to the board (but from experience it is likely going to fail, but who knows board design changes). If you plug the programmer to the chip while on board and you output 5V to any pin you may fry the device (fair warning).

The only type of connection we do with the board/device powered ON is when using the UART/TTL adapter where we connect it then power on the device to capture the boot output log. UART connections require a USB/TTL UART/SERIAL adapter (3.3V), which is a different thing than the flash programmer.

BreadJS commented 2 years ago

Okay that is clear. Could you take a look at the picture and tell me what the best solution could be? It has a jumper for maybe possible TTL functionality?

https://imgur.com/a/I0ZPCF0

guino commented 2 years ago

@OfficialDevvCat the chip should connect on the ‘25’ section, but like I said: this programmer has a 3.3V/5V jumper but when you set it to 3.3V it still outputs 5V on some pins ( RX/TX pins I think ). If you connect it without the mod to fix the voltage you may damage the board/chip (you have been warned).

BreadJS commented 2 years ago

Okay, I will find online if there is a different way to do that. What about the TTL functionality? Does that also output 5V? Or is it just a reading pin?

guino commented 2 years ago

@OfficialDevvCat that flash programmer only has TTL functionality - in 3.3V or 5V selected by jumper switch, but this is only for flash chip read/write. The UART pins require a UART TTL (3.3V) adapter which is mostly available as a USB adapter. There’s no way (that I know) to use a flash programmer on the UART TTL pins, and there’s no way (that I know) to use the UART TTL adapter on the flash chip.

BreadJS commented 2 years ago

I just checked the datasheet of an old 25xx chip from a dead GPU and it was a 3.6 max volt chip. And I got to read the chip without issues and even got to write to it. I also looked it up and this is an improved revision of the board with the 3.3V fix. Should I now extract the data from the camera?

guino commented 2 years ago

@OfficialDevvCat sounds good, if you say it’s a fixed version you can try - again, from my experience it may not work while the chip is soldered on the board. I would avoid keeping the flash programmer hooked up for a long period just in case the voltage is wrong, so hook it up, try to read, remove it if it fails, wait a bit, hook up, try reading again, etc.

BreadJS commented 2 years ago

@guino I just dumped the chip, I did that exactly. Read, verified and disconnected. You can download the dumped bin file from here https://www.mediafire.com/file/31ms1k4kgqxxlh6/Smart_Indoor_IP_Camera.bin/file Let me know what I can do or what you're planning to do.

guino commented 2 years ago

@OfficialDevvCat well, assuming your camera still works normally, I would try this first:

Follow the steps from: https://github.com/guino/Merkury1080P#conclusion USING THE ATTACHED 3 files: 7632.zip -- that is, instead of what's posted on the link (I changed the address to A0008000 on env and ppsMmcTool.txt files). Assuming the internals didn't change a lot this may allow you to root the device.

Binwalk didn't give me a lot of information to work with, so let's hope this works.

BreadJS commented 2 years ago

@guino Just one more question. Do I have to flash the chip afterwards to make it work?? Cause the issue is that the SPI Flasher does not work anymore for some reason?! The Red power light is on and so is the Yellow RUN led. And it is not found by windows anymore?! I don't hear a USB Connected sound. Very very strange. So I'm going to return it tomorrow and ask for a new one which will take a few days... Unless you know what I can do about it?

guino commented 2 years ago

@OfficialDevvCat If you tried A0008000 and it didn't work I'll have to try and dig out more from this firmware file.

Is the camera still working ? (boots up, etc) ? if not you may have damaged it somehow. It may just need a power cycle of your machine to reset the USB bus (if it used too much power).

BreadJS commented 2 years ago

Camera works perfectly fine! I can try rebooting my PC but I don't think it's really going to work as it was plugged in a powered hub. Tried a different pc and used my powerbank. Yellow light stays solid and not connected.

BreadJS commented 2 years ago

But again, Do I need to flash stuff again onto the chip? Cause I can't read anywhere what to do after the edit. I assume it has to

guino commented 2 years ago

@OfficialDevvCat the 'Read' process doesn't change anything in the chip, so to work 'normally' you won't have to flash anything back. If I can unpack the firmware we may be able to find something to change to root the device (I haven't been able to do it yet) -- in that case you would need to be able to write the changes with the programmer (meaning it would need to work again).

BreadJS commented 2 years ago

I tried to find some variables from the link you sent me but it can't even find the "Loadable segment". Maybe you could take a look at it if you've got the time for it? Would appreciate it!

BreadJS commented 2 years ago

@guino Let me know if I can do anything as I'm a programmer and know my way around some of this stuff! Would be very cool to get this thing streaming a signal outside the app. :) Have a great weekend in advance and lets hope for some good results on this thing

guino commented 2 years ago

@OfficialDevvCat I will try to see if I can get anything out of it - may need to try a different tool.

guino commented 2 years ago

@OfficialDevvCat I downloaded a different tool and then I noticed there's an issue with your flash file -- it's only 2Mb when it should be at least 8Mb (some devices have 16Mb) -- this is likely the reason why I could not extract anything out of it. This may have been something like selecting the wrong size of chip when you did the 'read' or perhaps an issue identifying the chip size (or even just an upload issue). Do you happen to have the /proc/cmdline for this device? That may help me extract the bootloader from the section you provided (so I can try to double check the load address).

BreadJS commented 2 years ago

I did not have any success with that sadly. The http server is sadly disabled to get any kind of useful info from it.

I have to wait until Sunday until I get my new reader to try it out once again.

BreadJS commented 2 years ago

@guino I just received my new SPI flasher. I will dump the whole chip (8MB) in an hour or so. I will lookup the chip model number and see what settings I need.

BreadJS commented 2 years ago

@guino I just noticed the TX/RX rail is on 4.5V. I will have to wait until Wednesday till I got my soldering station.

BreadJS commented 2 years ago

@guino I just made a new dump! Desoldered the chip as I was having issues. And dumped the whole 8MByte/64MBit https://www.mediafire.com/file/toofgq5d16pgdf5/ipcam_new.bin/file

guino commented 2 years ago

@OfficialDevvCat At a quick first look this device seems very different than what I have seen before -- I'll have to dig in with more time to see if there's anything we can do -- since you have a programmer and the chip outside, I likely can modify the firmware so you can flash it back and have it 'rooted' but I'm not sure what all is available on it yet. I assume you'd like to enable RTSP if possible ? I also assume you have tried the normal rtsp urls like rtsp://IP:8554 and had no success ?

BreadJS commented 2 years ago

I would like to have RTSP only. I think that's the most simple and will use external software to manage it all. I did try RTSP URLs and that didn't work either. If you want we can go into a discord call (if you have the time) so we both can take a look at it and talk about it if you want?

guino commented 2 years ago

@OfficialDevvCat Can you try using https://sourceforge.net/projects/onvifdm/ with user admin and password 12345678 ? may be worth trying the RTSP urls with admin:12345678 as well? I would also try admin with password 123456 (on onvif and rtsp) as I have seen references to these in the code. Additionally if there's any username/password you configured in the app (for anything) I'd try that as well (and with admin and whatever password).

You may also want to check if this works: https://ipc-us.ismartlife.me/login (scan it with your tuya app on your 'Me' section) -- I remember reading about streaming from that interface.

BreadJS commented 2 years ago

So you want me to solder the chip back on and try that?

Btw, i cannot add it to the tuya app. I tried but it didn't work

guino commented 2 years ago

@OfficialDevvCat If the chip is out, lets hold out on that request. I'm still trying to find something we can try to change on the firmware.

On the https://ipc-us.ismartlife.me/login -- when I log in with the tuya app it shows my cameras in it, but it shows 'No WebRTC support' for both of them -- so it logs in but my devices don't support it. What did you get when you tried to login? If you're in Europe you may need to use this one instead: https://ipc-eu.ismartlife.me/ -- any information on the exact issue you get would be helpful -- for now I'm interested in knowing if it shows 'No WebRTC supported' when you hover your camera name.

BreadJS commented 2 years ago

The thing is that i have my camera not connected to the tuya app. I used the LSC app and i removed it on there as well... I can still try to login but not a lot would happen

guino commented 2 years ago

@OfficialDevvCat most tuya compatible apps are basically just a rebrand of the tuya app (have similar look and feel, features, etc). On the tuya app I click on the "Me" section at the bottom as seen here: image

then click on a little bar code scanning icon at the top like on this image: image

that's where I scan the QR for login on https://ipc-eu.ismartlife.me/

If you don't have that on the lsc app we may need to wait till you solder the chip back to remove the device from the lsc app and try it on the tuya app (by enrolling it on it).

BreadJS commented 2 years ago

@guino we're in luck! The camera is still in the LSC app and I can scan the QR code. I will do that in an hour or so as I'm not home yet

BreadJS commented 2 years ago

I just did it quickly on my phone and this is what I see https://imgur.com/a/xNmpztr

guino commented 2 years ago

@OfficialDevvCat If you hover on that text ‘LDC Smart Indoor Camera’ and it doesn’t display a popup like ‘WebRTC not supported’ then most likely you can use that page to view the camera feed when it’s online. I believe some people got a way to extract that feed and re-stream it elsewhere (my devices are not compatible so I don’t know much about it).

BreadJS commented 2 years ago

@guino i just tried the site on my pc and it said "Cross region login not supported" ...

BreadJS commented 2 years ago

@guino on my phone it does not seem it is showing a popup. I don't know for sure though but I want to look at it on the PC. I kinda want to solder the chip back on tomorrow and see if that page works and to see if I can connect it to tuya. But I don't want to use cloud based stuff... I want to use it locally if that is possible.

EpicLPer commented 2 years ago

I just got a LSC Outdoor one and haven't tried any of the methods yet, but I doubt it'll work. Just had to update the camera to even use it, but I'd also be willing to try and hack it since I have soldering skills and so on in case you need dumps or anything :)

EDIT: Yeah, just tried and it didn't work. My firmware version is 2.10.36, but I'll create a separate issue for this model.

BreadJS commented 2 years ago

@EpicLPer I think you should wait for us to complete this one. It's most likely they patched all the LSC cameras the same way.

guino commented 2 years ago

@OfficialDevvCat I will rebuild a firmware for you to try with the following:

1-root password changed

2-telnet started by default

3-patched ppsapp (to hopefully enable RTSP though I am not sure it will work as the code is all different)

4-a command to call custom.sh from the sd card

I just have to find a bit of time to work on it.

BreadJS commented 2 years ago

Awesome! I would really appreciate it! If you got something. Let me know so we can test it out! :)

guino commented 2 years ago

ipcam_hack.zip

The above firmware has a new rootfs with these changes:

1-added a user/password: hack/telnet (root password is unchanged)

2-telnet should start by default on port 24 (no user password required)

3-patched ppsapp so it force-runs the RTSP start code (unsure if it will make a difference)

4-a command to call custom.sh from the SD card every 10 seconds (like other hacks I made)

I found that there's possibly a way to enable telnet on these devices by creating a file called product.cof -- possibly with a content like this:

[DEFAULT_SETTING]
telnet=1

It could be confirmed by checking if port 23 opens with the file above on the SD card's root during boot.

Try it out when you have a chance and let me know what you find -- if for some reason your device doesn't boot I'd advise trying to flash your original firmware to see if it boots (I understand this requires de-solder/soldering but there's not much else we can do to check if the issue is the hardware or the firmware I made).

BreadJS commented 2 years ago

Thank you very very much! I will be flashing it right away and putting back the chip on the system! I will notify you by editing this message!

Update: I cannot seem to write to the chip, It reads a lot of garbage data...

Update: I'm using the "CH341A programmer" program and I use the chip config of ST M25P64 cause the original XM25QH64C chip is not in the list. When I program the chip and read it again will show me only FFFF... I found a different compatible programmer software called "AsProgrammer" and there I can set SREG's. Do I need to set those? Cause I read something about OTP sections. If I program using "AsProgrammer" and using the 'Verify' option this is the log I will get

Programming memory(verifying)...
Verification error on address: 00000000

guino commented 2 years ago

@OfficialDevvCat it sounds like you could be having an issue with cable, programmer or chip. We have your original flash, writing should have been as easy as reading it. I am unfamiliar with the tools you’re using, but if it is not able to verify the data it is likely not writing it correctly - you may want to try selecting a different 25/64 chip from the list if available. You may also want to check the voltage on the pins - if it has 5v on any pin it could have damaged the chip. These 25/64 spi flash chips are very common and mostly compatible so if that chip is bad you could potentially try to get a new one to replace it, they are also common on some motherboards so you could find it on scrap boards. I would not bother soldering it back unless you are able to write and verify it.
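
Two problems in this thread, the 2Mb file that should have been the whole 8Mb chip and the verify failure at address 00000000 with a read-back of only FFFF, can be checked on the dump files themselves before anything is soldered back. The sketch below is an added example, not code from this thread or the Merkury1080P project; the function names, the 0.99 and 4 KiB thresholds and the constructed sample data are assumptions.

```python
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional

MIB = 1024 * 1024
MIN_PERIOD = 4096  # assumption: ignore repeats shorter than one 4 KiB sector


@dataclass
class DumpReport:
    size: int
    erased_ratio: float            # fraction of bytes equal to 0xFF
    mirror_period: Optional[int]   # repeat length in bytes, None if no repeat
    problems: List[str] = field(default_factory=list)


def find_mirror_period(data: bytes) -> Optional[int]:
    """Smallest power-of-two fraction of the dump that the rest repeats.

    A read done with a chip profile larger than the real part typically wraps
    the address counter, so the same content appears two or more times.
    """
    period, span = None, len(data)
    while span >= 2 * MIN_PERIOD and span % 2 == 0:
        half = span // 2
        if data[:half] != data[half:span]:
            break
        period, span = half, half
    return period


def check_dump(data: bytes, expected_size: int) -> DumpReport:
    """Flag a dump that is truncated, blank, or mirrored."""
    size = len(data)
    erased = data.count(0xFF) / size if size else 0.0
    report = DumpReport(size, erased, None)
    if size != expected_size:
        report.problems.append(f"size is {size} bytes, expected {expected_size}")
    if size == 0 or size & (size - 1):
        report.problems.append("size is not a power of two")
    if erased > 0.99:
        # Reads back as erased flash; a repeat test would be meaningless.
        report.problems.append("content is almost entirely 0xFF")
    else:
        report.mirror_period = find_mirror_period(data)
        if report.mirror_period:
            report.problems.append(
                f"content repeats every {report.mirror_period} bytes")
    return report


def first_mismatch(image: bytes, readback: bytes) -> Optional[int]:
    """Offset of the first differing byte between an image and a read-back."""
    if image == readback:
        return None
    common = min(len(image), len(readback))
    step = 65536
    for start in range(0, common, step):
        a, b = image[start:start + step], readback[start:start + step]
        if a != b:
            return start + next(i for i, (x, y) in enumerate(zip(a, b)) if x != y)
    return common  # one file is a prefix of the other


def make_sample(size: int) -> bytes:
    """Constructed stand-in for firmware content (deterministic, non-repeating)."""
    return hashlib.shake_256(b"constructed sample").digest(size)


if __name__ == "__main__":
    full = make_sample(8 * MIB)                 # 8MByte/64MBit chip, as in the thread
    cases = {
        "full dump": full,
        "2 MiB read": full[:2 * MIB],           # wrong chip size selected
        "mirrored read": full[:2 * MIB] * 4,    # small content wrapped to 8 MiB
        "blank read-back": b"\xff" * (8 * MIB),
    }
    for name, blob in cases.items():
        print(name, check_dump(blob, 8 * MIB).problems or "ok")
    print("verify vs blank:", first_mismatch(full, cases["blank read-back"]))
```

Run `check_dump` on every read before sharing or modifying it, and `first_mismatch` on the image written versus a fresh read-back; a mismatch at or near offset 0 together with an all-0xFF read-back means nothing was programmed.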