guino / Merkury1080P

Merkury1080P (CW017) Rooting and Customization

LSC Smart Outdoor (IP) Camera - Hack not working #42

Open EpicLPer opened 1 year ago

EpicLPer commented 1 year ago

Heya!

Bought a LSC Smart Outdoor (IP) Camera yesterday and tried this hack, but sadly it didn't seem to work. I added the camera to Tuya and had to update it before being able to use it (which probably was a mistake in hindsight).


The Firmware version on it right now is 2.10.36, and the only open ports I see are 53 and 6668.

If you need anything, I'm willing to open the camera up and do have soldering skills, I've also helped to dump the Sonoff cam a few years back and then figuring some things out :)

Thanks already for your help!

guino commented 1 year ago

@EpicLPer If it has 2.10x firmware you need to try this one: https://github.com/guino/BazzDoorbell/issues/13 -- did you try that one already ?

EpicLPer commented 1 year ago

> @EpicLPer If it has 2.10x firmware you need to try this one: guino/BazzDoorbell#13 -- did you try that one already ?

Not exactly sure what I should try there from that issue? Or do you mean instructions from the repo itself?

guino commented 1 year ago

@EpicLPer there's a 'Process' section on that issue, just follow it and see if it works -- that's the process that has worked for 2.9.x and 2.10.x firmware to root the device and get a ppsapp file we can patch for RTSP.

EpicLPer commented 1 year ago

When doing the above via the URL http://admin:056565099@10.1.0.215/proc/cmdline it simply says "Connection Refused".

guino commented 1 year ago

@EpicLPer did you do it after creating a ppsFactoryTool.txt file? 2.10 firmware is known to require that file before URLs work.

EpicLPer commented 1 year ago

Is it possible to just leave it empty? Afaik I have one on the SD Card right now yes, but I'm not entirely sure what to do or what to put in it sorry ^^" Those cams seem very different from other cameras so far.

guino commented 1 year ago

@EpicLPer this is the information regarding ppsFactoryTool.txt : if you don’t do it correctly it won't work. It may be worth trying port 8090 as well (from 4.x firmware) - it’s always a surprise with tuya firmware.

Special note for 2.10.0 firmware: This firmware (and newer) have port 80 closed by default -- so to use the http://admin:05656... links below you have to RIGHT CLICK this link: https://github.com/guino/Merkury720/raw/main/ppsFactoryTool.txt select "Save as.." and save this file to the root of the SD card. EDIT the file (avoid copy/paste the contents of it) and modify only the ssid and password as the file requires specific format to work. When the device detects the file (in the right format) it will disconnect and re-connect the wifi (to the ssid specified) and will OPEN port 80 so the http://admin:05656... links work.

Special note for 4.0.x firmware: This firmware (and newer) have port 80 closed by default -- so to use the http://admin:05656... links below you have to RIGHT CLICK this link: https://github.com/guino/Merkury720/raw/main/ppsFactoryTool.txt select "Save as.." and save this file to the root of the SD card. EDIT the file (avoid copy/paste the contents of it) and modify only the ssid and password as the file requires specific format to work. When the device detects the file (in the right format) it will disconnect and re-connect the wifi (to the ssid specified) and will OPEN port 8090 so the http://admin:05656... links work but you have to add :8090 to every URL, for instance: http://admin:056565099@192.168.x.x:8090/devices/deviceinfo. Depending on the device you have you may need to use the information and files from https://github.com/guino/Merkury1080P#conclusion

EpicLPer commented 1 year ago

Will try this once I'm home, thanks! :)

EpicLPer commented 1 year ago

> @EpicLPer this is the information regarding ppsFactoryTool.txt : if you don’t do it correctly it won't work. It may be worth trying port 8090 as well (from 4.x firmware) - it’s always a surprise with tuya firmware.
>
> Special note for 2.10.0 firmware: This firmware (and newer) have port 80 closed by default -- so to use the http://admin:05656... links below you have to RIGHT CLICK this link: https://github.com/guino/Merkury720/raw/main/ppsFactoryTool.txt select "Save as.." and save this file to the root of the SD card. EDIT the file (avoid copy/paste the contents of it) and modify only the ssid and password as the file requires specific format to work. When the device detects the file (in the right format) it will disconnect and re-connect the wifi (to the ssid specified) and will OPEN port 80 so the http://admin:05656... links work.
>
> Special note for 4.0.x firmware: This firmware (and newer) have port 80 closed by default -- so to use the http://admin:05656... links below you have to RIGHT CLICK this link: https://github.com/guino/Merkury720/raw/main/ppsFactoryTool.txt select "Save as.." and save this file to the root of the SD card. EDIT the file (avoid copy/paste the contents of it) and modify only the ssid and password as the file requires specific format to work. When the device detects the file (in the right format) it will disconnect and re-connect the wifi (to the ssid specified) and will OPEN port 8090 so the http://admin:05656... links work but you have to add :8090 to every URL, for instance: http://admin:056565099@192.168.x.x:8090/devices/deviceinfo. Depending on the device you have you may need to use the information and files from https://github.com/guino/Merkury1080P#conclusion

Sadly this didn't seem to work :( The Camera still connects to my IOT WiFi instead of the normal one, despite me putting my normal one into the config to check if it even seems to read the file. The SD Card is properly detected in Tuya tho and shows up just fine, so I doubt it's an incompatible SD Card.

EpicLPer commented 1 year ago

Tried a different SD Card now too, sadly same result.

guino commented 1 year ago

@EpicLPer sorry you had no success, every now and then we have reports of issues like this where multiple SD cards and multiple attempts don't work. Many people have reported success after repartitioning/reformatting the SD Card (trying windows/linux/etc). In any case you're welcome to post the SD card contents (from your attempt) so I can review to check if there's anything wrong.

EpicLPer commented 1 year ago

The SD Card contents are just the ppsFactory file and nothing else. Or do I need more? And of course also the files and folders the camera puts on it when turning the cam on.

guino commented 1 year ago

@EpicLPer for 2.10.x firmware the ppsFactoryTool.txt file is all you need to enable URLs like (adjust IP accordingly):

http://admin:056565099@192.168.x.x/proc/cmdline (port 80 -- most devices)
http://admin:056565099@192.168.x.x:8090/proc/cmdline (port 8090 -- some devices)

If you can get one of the two above working then we can try adding more files to see if it can be rooted. If neither above works then there's no way to move forward (other than opening the device).

I still would recommend you post a ZIP of your ppsFactoryTool.txt file (from the SD card) so I can review it -- a lot of times people make mistakes because windows hides file extensions, etc.
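
The two failure points named in the comment above (a misnamed or misplaced ppsFactoryTool.txt, and not knowing whether port 80 or 8090 opened) can be checked before another retry. This is an added example, not part of the original thread or the project's code; the function names and the set of near-miss file names are assumptions, and it checks only naming, placement and TCP reachability, not the file's contents.

```python
"""Pre-flight checks for the ppsFactoryTool.txt step (added example)."""
import socket
import sys
from pathlib import Path

EXPECTED = "ppsFactoryTool.txt"  # exact file name given in the thread
HTTP_PORTS = (80, 8090)          # ports the thread says the file opens


def check_sd_root(root):
    """Return problems with EXPECTED on the SD card root; empty list = OK."""
    root = Path(root)
    files = {p.name: p for p in root.iterdir() if p.is_file()}
    if EXPECTED in files:
        if files[EXPECTED].stat().st_size == 0:
            return [f"{EXPECTED} is empty; the device needs the template's format"]
        return []
    problems = []
    stem = EXPECTED.rsplit(".", 1)[0].lower()
    for name in sorted(files):
        # Near misses: ppsFactoryTool.txt.txt (hidden extension),
        # ppsFactoryTool.ini, "ppsFactoryTool (1).txt", different case.
        if name.lower().startswith(stem):
            problems.append(f"found '{name}', expected exactly '{EXPECTED}'")
    for path in sorted(root.rglob(EXPECTED)):
        if path.parent != root:  # the file must sit in the card root
            where = path.parent.relative_to(root)
            problems.append(f"{EXPECTED} is in '{where}', not the card root")
    return problems or [f"{EXPECTED} not found on the card"]


def open_ports(host, ports=HTTP_PORTS, timeout=2.0):
    """Return the ports from `ports` that accept a TCP connection on `host`."""
    reachable = []
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                reachable.append(port)
        except OSError:
            pass  # refused, filtered or timed out
    return reachable


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: preflight.py <sd-card-root> <camera-ip>")
    for problem in check_sd_root(sys.argv[1]):
        print("SD card:", problem)
    print("HTTP ports open:", open_ports(sys.argv[2]) or "none")
```

Run it against the mounted card before ejecting, then again with the camera's IP after the camera has booted with the card inserted.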

EpicLPer commented 1 year ago

Will try one more time, I don't have to hold the Reset button or anything right?

EpicLPer commented 1 year ago

Just tried again holding no buttons or anything, and it still doesn't connect to my normal WiFi and instead stays on the IoT one.

Here's the ZIP (with changed credentials): cam_sd.zip

guino commented 1 year ago

@EpicLPer your ppsFactoryTool.txt file is fine -- are you sure the SD card is FAT32 formatted ? maybe try to use the phone app to format it then copy the ppsFactoryTool.txt file to it. If the SD card isn't formatted in a compatible format the device will simply ignore it.

EpicLPer commented 1 year ago

Did format via the app yeah, but sadly still doesn't seem to work.

guino commented 1 year ago

@EpicLPer it looks like 2.10.6 is the last 2.10.x version we had rooted. They may have made more changes in this 2.10.36 to block more things -- there's no way of knowing for sure unless someone gets a firmware dump (which requires opening device + removing the flash chip to read it).

EpicLPer commented 1 year ago

@guino I'm "okay" when it comes to hot air soldering, but I'd have to buy some hardware to read the flash then, but would be willing to :) Always love some challenges!

If you tell me what hardware to get to read the flash and all I'll try so.

guino commented 1 year ago

@EpicLPer if you get the firmware I can definitely look at it. Just be careful when selecting/using a flash programmer to make sure it doesn't have 5V on 3.3V pins (many CH341a programmers out there have this issue -- and there's a mod to fix them).

EpicLPer commented 1 year ago

Would something like this work then?

https://www.amazon.de/DollaTek-Programmierer-ch341a-Adapter-Buchse/dp/B08HP4X326/ref=sr_1_4?keywords=CH341a&qu=eyJxc2MiOiI0LjgwIiwicXNhIjoiNC4zNyIsInFzcCI6IjQuMjQifQ%3D%3D

guino commented 1 year ago

@EpicLPer that is basically what I have and I did have to fix the programmer like this: https://www.youtube.com/watch?v=-ln3VIZKKaE

EpicLPer commented 1 year ago

I also have a ST-LINK and JR Programmer 2 still laying around from other projects but doubt I can reuse them here? I'm quite a beginner with these kind of things

EpicLPer commented 1 year ago

Took the camera apart now, already ordered the flasher :)

Noticed it has TX and RX on it tho, is there no possibility to connect via serial and dump it?

EpicLPer commented 1 year ago

I've read up on this a bit and apparently it's also able to dump such chips via an Arduino? If so could try that, or wait on proper hardware and be less likely to damage things ^^"

guino commented 1 year ago

@EpicLPer great pictures. The XMC chip beside the RX/TX pads is the flash chip you need to read. The RX/TX pads (along with GND at the bottom) would be for TTL-UART access which can sometimes be helpful, but you would need a TTL-UART 3.3V adapter (USB or serial), or a board with serial TTL connections (i.e. Raspberry Pi, etc).

EpicLPer commented 1 year ago

Do have that :)

Do you have Discord or Telegram by any chance to maybe easier talk there for a bit until I have some results I can post here again? Normal conversation always bloats issues up a bit.

guino commented 1 year ago

@EpicLPer if you have a Pi and you're willing to solder some wires to the board we can try to dump the flash to a SD card using the bootloader. Send me an email directly (my email is on my github profile) and we can exchange contacts.

mrwiwi commented 1 year ago

Exact same results with LSC Smart Doorbell ! Will follow your progress with attention :)

EpicLPer commented 1 year ago

> Exact same results with LSC Smart Doorbell ! Will follow your progress with attention :)

We already got RTSP with Audio working, but it's via a test-mode of that camera.
You can test and see if yours is the same as mine (which we used to test this on) by creating a file called _ak39_factory.ini with nothing inside it on the root of the SD, and see if it screams at you in Chinese then which means it entered "Factory Test Mode".

Nothing will work tho and it won't connect to WiFi, this is literally only to see if your camera is similarly built than mine is, so then chances are high once we release a working version yours will work with it too! Please do report your results :)

mrwiwi commented 1 year ago

Will try when i'm home with some time, thank you !!

qba89 commented 1 year ago

I confirm, after placing the _ak39_factory.ini file when launched, the camera screams in Chinese and does not connect to any Wi-Fi. This applies to a camera like in 1 comment. I am waiting for a working version, and thank you for your work

EpicLPer commented 1 year ago

> I confirm, after placing the _ak39_factory.ini file when launched, the camera screams in Chinese and does not connect to any Wi-Fi. This applies to a camera like in 1 comment. I am waiting for a working version, and thank you for your work

That's good news!
There's another file called _ht_ap_mode.conf which then tries to load a hostapd binary from the SD Card, which @guino all figured out and built a custom one that in turn then loads a script off of the card too to further load things :)

I'll try to create a "proof of concept" script that loads RTSP up and all at some point when I have time, it's a bit hard tho cause hostapd gets killed when the camera starts the WiFi driver for whatever reason and in turn also kills all Telnet servers via Busybox we tried, so the current workaround is to modify the WiFi driver start file to simply comment out the hostapd killall line. I want to find another solution for this tho to not modify anyone's cam files internally and risking a brick.

guino commented 1 year ago

@EpicLPer I was in Europe this past week and was able to buy one of these cameras, so I should be able to do some more testing/tweaking to iron out the rooting/setup of this device (after I get myself some EU plug adapters).

EpicLPer commented 1 year ago

> @EpicLPer I was in Europe this past week and was able to buy one of these cameras, so I should be able to do some more testing/tweaking to iron out the rooting/setup of this device (after I get myself some EU plug adapters).

It's just 5V, if you have a soldering iron and a spare USB cable you could just snip it and solder it directly to the cam.

jonesMeUp commented 1 year ago

My colleague bought this device today. He also has 2.10.36, but the app wants to update to 4.8.8. I told him not to do the update and wait for your progress here, because I think a newer version will make more trouble. So another one is awaiting a solution for breaking the china chain.

I really learned a lot from this project, but there is so much left to learn...

guino commented 1 year ago

@jonesMeUp we have an exploit for this device but it needs tweaking and some work before making it available. I have the device in hands so I should be able to do some testing and publish it when it's working well.

jonesMeUp commented 1 year ago

Super! Will it be for 2.10.36 only, or will there also be a hack for 4.8.8? (I think 2.10.36 will be replaced in the store soon) thx!

guino commented 1 year ago

@jonesMeUp I have 2.10.36, so that's what I'll work on first. If my device can be upgraded to 4.8 later I can look into it as well.

mikonline commented 1 year ago

Bought three of these cameras without doing any research before. Can't wait for this exploit :)

guino commented 1 year ago

So I have an interesting development on this device... I spent hours yesterday trying to replicate the hack we did on EpicLPer's device without success. Only then I realized my device is running older firmware (2.10.22) -- so I backtracked on other exploits that didn't work on his device and one of them worked on both my Outdoor camera (2.10.22 firmware) and on my Rotating camera (2.10.28 firmware).

After I had root access I noticed they changed some things between 2.10.22 and 2.10.36 that explained why the hostapd hack didn't work, and after knowing the differences I was able to make it work on my devices as well.

I would like someone with 2.10.36 (or newer) to try the below and report back if possible -- this is only for ROOTING (no RTSP/mods yet):

  1. Unzip this into the root of a FAT32 SD card: 210root.zip (it should create two files: _ht_av_tuning.conf and shadow)
  2. Eject the SD card properly (using eject function in windows or umount command in linux)
  3. Insert the SD card on the device while POWERED OFF, then power on the device with the SD card in it
  4. Let it boot normally (it should still connect to the phone app when done).

Try to telnet and/or FTP into the device with user: root password: telnet (please note this password is defined on the SD card file I provided -- it is not part of the firmware).

I will use the above information to leverage our options if it works on 2.10.36 and/or newer.

mikonline commented 1 year ago

It works. I am able to telnet into the camera:

```
☁ ~ telnet 192.168.201.77
Trying 192.168.201.77...
Connected to 192.168.201.77.
Escape character is '^]'.

anyka login: root
Password:
welcome to file system
[root@anyka ~]$
[root@anyka ~]$
[root@anyka ~]$ ls
bin data dev etc lib linuxrc mnt proc sbin sys tmp usr var
[root@anyka ~]$
```

qba89 commented 1 year ago

Hello, first, I would like to thank you for the work you put into this, which brings results.

Core Module: V2.10.36
MCU module: V2.10.36
Telnet access
FTP access
Works from the phone app too

guino commented 1 year ago

@mikonline just to confirm: your firmware is 2.10.36 ? @qba89 Thanks for posting your positive results.

mikonline commented 1 year ago

@guino Yes 2.10.36

McPrapor commented 1 year ago

Can confirm telnet works for LSC Smart Connect rotatable camera as well. Any clue how to get rtsp from it?

guino commented 1 year ago

@McPrapor I have a LSC rotating camera on 2.10.28 -- can you confirm the firmware on yours ?

I just finalized what we need to run our scripts from the device without needing to modify the flash or use telnet. The next step is putting in the right set of tools in it (busybox, telnet, upload, download) and allowing to use a main application from the SD card, only then I can start looking into patching the main application to enable RTSP.

I will likely need to patch each individual version of the main application to make it work, so I'll do mine first (2.10.22 and 2.10.28) then will need a copy of other versions to make a patch for people to try. I believe I also have a copy of 2.10.36 but I'd like to confirm at least by checking md5sum.

This will definitely take a few more days of work at least.

McPrapor commented 1 year ago

I have 2.10.28. It offered me upgrade to some newer version, but I rejected. Interesting fact, with the 2file fix above it says now there are no updates available.

On Sat, Nov 19, 2022, 00:31 Wagner @.***> wrote:

> @McPrapor https://github.com/McPrapor I have a LSC rotating camera on 2.10.28 -- can you confirm the firmware on yours ?
>
> I just finalized what we need to run our scripts from the device without needing to modify the flash or use telnet. The next step is putting in the right set of tools in it (busybox, telnet, upload, download) and allowing to use a main application from the SD card, only then I can start looking into patching the main application to enable RTSP.
>
> I will likely need to patch each individual version of the main application to make it work, so I'll do mine first (2.10.22 and 2.10.28) then will need a copy of other versions to make a patch for people to try. I believe I also have a copy of 2.10.36 but I'd like to confirm at least by checking md5sum.
>
> This will definitely take a few more days of work at least.


guino commented 1 year ago

So an update on this device, my outdoor camera has 2.10.22 (no update offered in tuya app). I have managed to get it booting correctly with a (heavily) patched application that has RTSP working. The same files also work on my Rotating camera running 2.10.28.

Worth mentioning:

I will probably publish what I have in the next few days (even if I don't get the tuya app + RTSP working together), just wanted to provide an update.

jonesMeUp commented 1 year ago

wow, you did it again! sorry to hear about the missing jpeg buffer. i can't wait to see if i can run my common offline initrun.sh on it.