Closed (tosiara closed this issue 1 year ago)
@tosiara at a quick look at 2.7.x firmware we could probably make a patch to allow it to connect to the mqtt server without SSL. If you tell me the firmware you're using I can try to make a patch for you to test.
I'm using 5.2.1 and this is ppsapp: https://github.com/guino/Merkury1080P/files/10140862/squashfs-root.zip
I was thinking to make `x509_verify_cert` always return 0, but unfortunately I'm not that proficient with Ghidra.
Also, I tried to change all `m2.tuyaeu.com` and `a2.tuyaeu.com` to my controlled domain names using a hex editor, but it still tries to connect to them; I don't know where it takes those domains from.
@tosiara to redirect the URL your best/simplest option is to edit /etc/hosts so it overrides the IP that the server resolves onto, like we do here but with the IP of your server (see relevant info here too: https://github.com/guino/BazzDoorbell/wiki/%5BHow-to%5D-Use-the-device-OFFLINE-(disconnected-from-tuya-servers)-%3F).
It seems easier in the code to modify it to NOT use https/ssl at all than to try to force it to 'think' the certificate is good, so that's what I would recommend trying first.
I can redirect all the traffic without any problem, but ppsapp fails to validate my SSL cert. So, I'm looking for a way to either force use of plain HTTP or patch the cert validation function to always bypass. Will read the link you provided meanwhile.
Scrolled briefly through that enormous "Off-cloud" thread. Wanted to try to patch that while loop that may be blocking other services when there is no internet (comment). I couldn't find the main function in ghidra as per your instructions. The closest thing is this one, but it is grayed out and has no references:
Also, I patched ppsapp to contain http:// only urls, but ppsapp still uses the original urls. Where does it take them from???
```text
$ strings ppsapp_patched | grep tuyaeu
http://a2.tuyaeu.com/d.json
https://a2-weaz.tuyaeu.com/d.json
*.tuyaeu.com1
*.tuyaeu.com1
*.tuyaeu.com1
*.tuyaeu.com1
[root@Meari /mnt/mmc01]$ ./ppsapp_patched
...
[01-01 02:00:11:473 TUYA Debug][mqtt_client.c:828] mqtt over TLS is enabled. Host:m2.tuyaeu.com Port:8883
...
[01-01 02:00:14:595 TUYA Debug][iot_httpc.c:920] Post URL: https://a2.tuyaeu.com/d.json?
```
Could you please help me to force plain HTTP for both MQTT and API? :pray:
UPDATE
I managed to solve this problem. Now I'm able to see all the traffic that the camera sends over SSL/TLS (MQTT and HTTPS). This can be done by patching ppsapp using a hex editor.
You should now see the API traffic:
And I can confirm that only MQTT is required for the camera to start up and enable RTSP. So, I will try to write a dummy MQTT server that allows the camera to register itself with fake responses and continue booting.
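The in-place certificate patch described above comes down to finding where the DER trust anchor sits inside the binary and overwriting it with one of identical size. The following is an added example written for this thread, not code from ppsapp-rtsp, fake_mqtt_tuya or the device firmware: a scanner for DER certificate shapes (outer SEQUENCE, tbsCertificate SEQUENCE, then a version tag or serial INTEGER) plus a replace step that refuses any size change, since the code around the blob may pass the original byte count to the TLS library. The "firmware" it runs on is constructed: two minimal SEQUENCE skeletons stand in for real certificates (one of them 827 bytes, the DER size mentioned later in this thread); on a real file you would read the bytes of ppsapp instead.

```python
"""Locate DER-encoded X.509 certificates embedded in a binary and replace one
in place.  Added example for this thread; not code from ppsapp-rtsp, from
fake_mqtt_tuya or from the device firmware.  The demo blob is constructed:
it holds two minimal SEQUENCE{SEQUENCE{...}} skeletons standing in for real
certificates (a real ppsapp would be read with open(path, "rb").read())."""


def _read_len(buf, pos):
    """Decode a DER length at buf[pos]; return (length, header_bytes) or None."""
    if pos >= len(buf):
        return None
    first = buf[pos]
    if first < 0x80:                       # short form
        return first, 1
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        return None
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), 1 + n


def find_der_certs(blob, min_size=300, max_size=4096):
    """Return [(offset, total_length)] for spans shaped like a DER certificate:
    an outer SEQUENCE whose first element is a SEQUENCE (tbsCertificate) that
    itself begins with the [0] version tag (0xA0) or the serialNumber INTEGER
    (0x02).  Size bounds weed out the many unrelated 0x30 bytes in a binary."""
    hits = []
    i = blob.find(b"\x30")
    while i != -1:
        outer = _read_len(blob, i + 1)
        if outer:
            olen, ohdr = outer
            total = 1 + ohdr + olen
            end = i + total
            if min_size <= total <= max_size and end <= len(blob):
                j = i + 1 + ohdr                         # start of tbsCertificate
                if j < end and blob[j] == 0x30:
                    inner = _read_len(blob, j + 1)
                    if inner:
                        ilen, ihdr = inner
                        k = j + 1 + ihdr                 # first tbs element
                        if k < end and k + ilen <= end and blob[k] in (0xA0, 0x02):
                            hits.append((i, total))
        i = blob.find(b"\x30", i + 1)
    return hits


def patch_cert(blob, offset, length, new_der):
    """Return a copy of blob with the certificate at (offset, length) swapped
    for new_der.  The size must match exactly: the code around the cert may
    hand the original byte count to the TLS library, so a replacement cert has
    to be tuned (subject fields, key size) to the same DER length."""
    if len(new_der) != length:
        raise ValueError(f"replacement is {len(new_der)} bytes, slot is {length}")
    if find_der_certs(new_der, min_size=length, max_size=length) != [(0, length)]:
        raise ValueError("replacement does not look like a single DER certificate")
    return blob[:offset] + new_der + blob[offset + length:]


def fake_cert(serial, total):
    """Constructed stand-in: SEQUENCE{SEQUENCE{INTEGER serial, OCTET STRING pad}}
    sized to exactly `total` bytes.  Only the outer shape matters to the scanner."""
    pad = total - 15
    if pad < 0 or not 0 <= serial < 0x80:
        raise ValueError("total too small or serial out of range")
    tbs_body = bytes([0x02, 0x01, serial, 0x04, 0x82]) + pad.to_bytes(2, "big") + b"\x00" * pad
    tbs = b"\x30\x82" + len(tbs_body).to_bytes(2, "big") + tbs_body
    return b"\x30\x82" + len(tbs).to_bytes(2, "big") + tbs


def build_demo_blob():
    """Constructed 'firmware': ELF-ish header, an 827-byte cert (the DER size
    mentioned in this thread), a log string, and a second 600-byte cert."""
    return (b"\x7fELF" + b"\x00" * 60 + fake_cert(1, 827)
            + b"mqtt over TLS is enabled\x00" + fake_cert(2, 600) + b"\x00" * 16)


if __name__ == "__main__":
    blob = build_demo_blob()
    for off, ln in find_der_certs(blob):
        print(f"candidate DER certificate at 0x{off:x}, {ln} bytes")
    patched = patch_cert(blob, *find_der_certs(blob)[0], fake_cert(9, 827))
    print("patched blob keeps its size:", len(patched) == len(blob))
```

On a real binary the scanner will also report PEM-less intermediates and any client certificate shipped alongside the CA, so confirm each hit (for example by feeding the bytes to `openssl x509 -inform DER -noout -subject`) before choosing which one to replace.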
@tosiara
I replaced the patched ppsapp in the squashfs and flashed it back. Also did the following change to `initrun.sh`:

```sh
#!/bin/sh
# point the MQTT host at the local fake broker and the API host at nowhere
echo "192.168.2.1 m2.tuyaeu.com" > /etc/hosts
echo "127.0.0.1 a2.tuyaeu.com" >> /etc/hosts
# restart ppsapp once the rest of the system has come up
sleep 30 && killall -9 ppsapp && sleep 5 && /opt/pps/app/appfiles/app/ppsapp &
...
```
192.168.2.1 is my Raspberry Pi on the same network that will run a fake MQTT server (in progress).
With this config the camera starts offline and RTSP is available.
Made a successful PoC: https://github.com/tosiara/fake_mqtt_tuya Now the camera boots into local RTSP completely offline :partying_face:
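A minimal MQTT 3.1.1 responder of the kind tosiara describes, written here as an added example rather than taken from fake_mqtt_tuya or ppsapp: it answers CONNECT, SUBSCRIBE, QoS 1 PUBLISH and PINGREQ with well-formed acknowledgements and logs every packet the client sends, which is enough for a client whose startup only needs a live session. It listens in plaintext on 1883, so it assumes the client has been pointed at it (hosts file) and either patched to skip TLS or fronted by a TLS terminator as in this thread; it does not reproduce any application-level messages the real service exchanges.

```python
"""Minimal MQTT 3.1.1 responder stub (added example, not fake_mqtt_tuya).
Acknowledges CONNECT, SUBSCRIBE, QoS-1 PUBLISH and PINGREQ so a client that
only needs a live session can finish booting; logs what the client sends.
Plaintext on 1883: assumes the client was patched to skip TLS or a TLS
terminator sits in front (assumption, see thread)."""
import socket
import threading


def decode_remaining_length(buf, pos=1):
    """MQTT variable-length integer; return (value, bytes_used) or None if short."""
    value, mult, used = 0, 1, 0
    while True:
        if pos + used >= len(buf):
            return None
        b = buf[pos + used]
        used += 1
        value += (b & 0x7F) * mult
        if not b & 0x80:
            return value, used
        mult *= 128
        if used > 4:
            raise ValueError("malformed remaining length")


def encode_remaining_length(n):
    out = bytearray()
    while True:
        d, n = n % 128, n // 128
        out.append(d | 0x80 if n else d)
        if not n:
            return bytes(out)


def split_packets(buf):
    """Return (complete packets, leftover bytes) from a receive buffer."""
    pkts = []
    while buf:
        rl = decode_remaining_length(buf)
        if rl is None:
            break
        length, used = rl
        end = 1 + used + length
        if len(buf) < end:
            break
        pkts.append(buf[:end])
        buf = buf[end:]
    return pkts, buf


def handle_packet(pkt):
    """Return the bytes to send back for one MQTT control packet, or None."""
    ptype = pkt[0] >> 4
    length, used = decode_remaining_length(pkt)
    body = pkt[1 + used:1 + used + length]
    if ptype == 1:                      # CONNECT -> CONNACK, session present 0, rc 0
        return b"\x20\x02\x00\x00"
    if ptype == 8:                      # SUBSCRIBE -> SUBACK, grant requested QoS (max 1)
        pid, i, granted = body[:2], 2, bytearray()
        while i + 2 <= len(body):
            tlen = int.from_bytes(body[i:i + 2], "big")
            i += 2 + tlen               # skip topic filter
            if i >= len(body):
                break
            granted.append(min(body[i] & 0x03, 1))
            i += 1
        payload = pid + bytes(granted)
        return b"\x90" + encode_remaining_length(len(payload)) + payload
    if ptype == 3:                      # PUBLISH -> PUBACK only when QoS is 1
        if (pkt[0] >> 1) & 0x03 == 1:
            tlen = int.from_bytes(body[:2], "big")
            return b"\x40\x02" + body[2 + tlen:4 + tlen]
        return None
    if ptype == 12:                     # PINGREQ -> PINGRESP
        return b"\xd0\x00"
    return None                         # DISCONNECT and anything else: no reply


def connect_packet(client_id, keepalive=60):
    """Build a minimal clean-session CONNECT (used to exercise the stub offline)."""
    cid = client_id.encode()
    body = b"\x00\x04MQTT\x04\x02" + keepalive.to_bytes(2, "big") + len(cid).to_bytes(2, "big") + cid
    return b"\x10" + encode_remaining_length(len(body)) + body


def _session(conn, addr):
    buf = b""
    with conn:
        while True:
            data = conn.recv(4096)
            if not data:
                break
            buf += data
            pkts, buf = split_packets(buf)
            for p in pkts:
                print(addr, "type", p[0] >> 4, p.hex())   # log what the client sends
                reply = handle_packet(p)
                if reply:
                    conn.sendall(reply)


def serve(host="0.0.0.0", port=1883):
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen()
    while True:
        conn, addr = srv.accept()
        threading.Thread(target=_session, args=(conn, addr), daemon=True).start()


if __name__ == "__main__":
    serve()
```

Run it on the host the hosts-file entry points to and watch the logged PUBLISH topics: the first few packets a client sends after CONNACK are the ones a fuller fake server has to answer, and they can be captured here before any application logic is written.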
@tosiara this is a pretty cool project - I wonder if we can’t make a separate application to replace the CA certificate in the running ppsapp (memory) without having to kill (or even patch) it. I expect it should not be hard to automatically find and replace the CA certificate in memory so it works with any ppsapp version.
@guino have you had a chance to work on this project? It would be great to make these devices completely offline.
@xraive I have not worked and have no plans of working on this. I just threw the idea out there in case anyone wanted to pursue it.
@tosiara, I can see you have hardcoded certificates into the application. I extracted mitm_srv.crt from ssl_server.c and, when converted to DER, it is 827 bytes long. Would you mind sharing the DER certificate you mentioned in: https://github.com/guino/ppsapp-rtsp/issues/47#issuecomment-1359460388
I'd like to inspect the traffic camera sends. Maybe you have tried that before? Is it possible?