ma1co / Sony-PMCA-RE

Reverse Engineering Sony Digital Cameras
MIT License

MultiWifi config non-functional on HDR-AS100 #54

Open mungewell opened 6 years ago

mungewell commented 6 years ago

With regard to the code in Pull #53.

The MultiWifi config is non-functional in the AS100. It seems that the 'libInfraNetworkServiceInfo.so' file does not contain these calls: https://github.com/ma1co/Sony-PMCA-RE/blob/master/pmca/usb/sony.py#L158

Camera does support MultiWifi for use with the LiveViewRemote "Watch"; config must be stored elsewhere.

mungewell commented 6 years ago

Found out about the 'updatershell' and pulled the 'Backup.bin' file off my AS100V, once decoded I found this...

id=0x013e0002, size=0x05dc, attr=0x44:
  01 00 00 01 05 44 49 52 45 43 54 2d 44 4f 4c 30  .....DIRECT-DOL0
  3a 52 4d 2d 4c 56 52 31 00 00 00 00 00 00 00 00  :RM-LVR1........
  00 00 00 00 00 00 12 76 7a 60 2a 15 49 52 2f 41  .......vz`*.IR/A
  19 57 23 13 18 03 26 43 4e 05 25 10 19 5a 2f 46  .W#...&CN.%..Z/F
  44 5b 29 13 40 01 21 1f 1f 00 74 1e 1c 51 77 42  D[).@.!...t..QwB
  4e 50 26 4c 4e 06 23 1f 42 0e 2e 41 46 52 2a 42  NP&LN.#.B..AFR*B
  1a 5c 26 1d 18 05 00 01 00 00 00 00 00 00 00 00  .\&.............
  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

Pretty good chance that's the Multi-WiFi details, for connection to the LiveviewRemote.

mungewell commented 6 years ago

Camera's own WiFi settings (i.e. to connect to its internal AP). Password without the '.' at the end.

id=0x013e000d, size=0x0009, attr=0x02:
  32 38 63 4c 31 59 42 58 00                       28cL1YBX.

id=0x013e000e, size=0x0001, attr=0x02:
  01                                               .

id=0x013e000f, size=0x0021, attr=0x02:
  44 49 52 45 43 54 2d 5a 6d 48 34 3a 48 44 52 2d  DIRECT-ZmH4:HDR-
  41 53 31 30 30 56 00 00 00 00 00 00 00 00 00 00  AS100V..........
  00                                               .

mungewell commented 6 years ago

Worth noting that Multi-Wifi does function on the camera, just that it does not appear to be reported through these pmca-console calls.

https://www.sony.net/Products/actioncam/common/img/support/LVR/list_of_Compatibilty_Chart_lvr1.pdf
https://www.sony.net/Products/actioncam/common/img/support/LVR/list_of_Compatibilty_Chart_lvr2.pdf

Of all the cameras supported by the LVRemote, the AS15 is the only one which does not support Multi-WiFi - Despite the AS30V also being Gen2...

Also supported are a number of 'proper' cameras, including the QX1 which does support Multi-WiFi.

whoever42 commented 6 years ago

Same IDs on FDR-X3000 built-in wifi:

Multi-camera mode wifi name, however, is saved at id=0x013e002a - which is the name of my wifi access point SSID (not LVRemote). Along with what could be a somehow encoded wifi password.

mungewell commented 6 years ago

Thanks for the confirmation on the keys. The wifi mode (on AS100) seems to be stored in '0x01070d06', set 0x01 for normal or 0x02 for multi-wifi.

I figured out the 'encoding' of the password, at least to match what it stores when a WPS push happens - don't know if there's a simpler form, but the attached script computes the values for the key, allowing the camera to connect to a network without having to use WPS push.

$ python action_wifi.py linksys linksys1
Essid: linksys
Pass:  linksys1

01 00 00 01 05 6c 69 6e 6b 73 79 73 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4d 79 76 38 3e 00 05 09 52 69 6b 62 21 10 18 53 21 10 18 53 21 10 18 53 21 10 18 53 21 10 18 53 21 10 18 53 21 10 18 53 21 10 18 53 21 10 18 53 21 10 18 53 21 10 18 53 21 10 18 53 21 10 18 53 00 01

Add a '-f' to get the full 1500 bytes.

At present a key this large doesn't work with updatershell's bk commands, hopefully that can be fixed soon. action_wifi.py.txt
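The dump format quoted in this thread, as an added example (not code from the project and not the attached action_wifi.py): it parses the `id=…, size=…, attr=…:` hexdump text, splits the multi-WiFi record into fields, and masks the SSID and key before a dump is shared publicly. The field offsets and the function names are assumptions inferred from the dumps posted above.

```python
import re

# Field layout inferred from the dumps in this thread (an assumption, not vendor
# documentation): 5-byte header, 33-byte NUL-padded SSID, 64-byte key, 2-byte trailer.
HEADER_LEN, SSID_LEN, KEY_LEN, TRAILER_LEN = 5, 33, 64, 2
HEAD_RE = re.compile(r"id=0x([0-9a-f]{8}), size=0x([0-9a-f]+), attr=0x([0-9a-f]+):")
ROW_RE = re.compile(r"\s*((?:[0-9a-f]{2} ){0,15}[0-9a-f]{2})(?=\s|$)")

# First seven rows of the id=0x013e0002 record posted earlier in the thread.
SAMPLE = r"""id=0x013e0002, size=0x05dc, attr=0x44:
  01 00 00 01 05 44 49 52 45 43 54 2d 44 4f 4c 30  .....DIRECT-DOL0
  3a 52 4d 2d 4c 56 52 31 00 00 00 00 00 00 00 00  :RM-LVR1........
  00 00 00 00 00 00 12 76 7a 60 2a 15 49 52 2f 41  .......vz`*.IR/A
  19 57 23 13 18 03 26 43 4e 05 25 10 19 5a 2f 46  .W#...&CN.%..Z/F
  44 5b 29 13 40 01 21 1f 1f 00 74 1e 1c 51 77 42  D[).@.!...t..QwB
  4e 50 26 4c 4e 06 23 1f 42 0e 2e 41 46 52 2a 42  NP&LN.#.B..AFR*B
  1a 5c 26 1d 18 05 00 01 00 00 00 00 00 00 00 00  .\&............."""

def parse_dump(text):
    """Return {id: {"size", "attr", "data"}}; the ASCII column is ignored."""
    records, cur = {}, None
    for line in text.splitlines():
        head, row = HEAD_RE.match(line.strip()), ROW_RE.match(line)
        if head:
            cur = records.setdefault(int(head[1], 16), {
                "size": int(head[2], 16), "attr": int(head[3], 16), "data": bytearray()})
        elif row and cur is not None:
            cur["data"] += bytes.fromhex(row[1])
        else:
            cur = None  # a blank line or prose ends the current record
    return records

def split_multiwifi(data):
    """Split a multi-WiFi record into the assumed header/SSID/key/trailer fields."""
    a, b = HEADER_LEN, HEADER_LEN + SSID_LEN
    c = b + KEY_LEN
    if len(data) < c + TRAILER_LEN:
        raise ValueError("record shorter than the assumed layout")
    ssid = bytes(data[a:b]).split(b"\0", 1)[0].decode("ascii", "replace")
    return {"header": bytes(data[:a]), "ssid": ssid,
            "key": bytes(data[b:c]), "trailer": bytes(data[c:c + TRAILER_LEN])}

def redact(data):
    """Hex string with the SSID and key fields masked, for pasting into a public issue."""
    split_multiwifi(data)  # raises if the record does not fit the assumed layout
    cells = [f"{x:02x}" for x in data]
    cells[HEADER_LEN:HEADER_LEN + SSID_LEN] = ["XX"] * SSID_LEN
    cells[HEADER_LEN + SSID_LEN:HEADER_LEN + SSID_LEN + KEY_LEN] = ["YY"] * KEY_LEN
    return " ".join(cells)
```

The `size` in the record header (0x05dc) is larger than the rows quoted in the thread, so the parser keeps whatever rows are present rather than enforcing the declared size.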

whoever42 commented 6 years ago

I can confirm that your script generated the same output bytes 👍, for my custom multi-wifi ssid and password (not counting leading and trailing bytes) on FDR-X3000

id=0x013e002a, size=0x0096, attr=0x44:
  XX XX XX XX XX XX XX XX XX 00 00 00 00 00 00 00  xxxxxxxxx.......
  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  00 YY YY YY YY YY YY YY YY YY YY YY YY YY YY 18  .YYYYYYYYYYYYYY.
  53 21 10 18 53 21 10 18 53 21 10 18 53 21 10 18  S!..S!..S!..S!..
  53 21 10 18 53 21 10 18 53 21 10 18 53 21 10 18  S!..S!..S!..S!..
  53 21 10 18 53 21 10 18 53 21 10 18 53 21 10 18  S!..S!..S!..S!..
  53 00 05 00 00 00 00 00 00 00 00 00 00 00 00 00  S...............
  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  00 00 00 00 00 00                                ......

action_wifi output

01 00 00 01 05 XX XX XX XX XX XX XX XX XX 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 YY YY YY YY YY YY YY YY YY YY YY YY YY YY 18 53 21 10 18 53 21 10 18 53 21 10 18 53 21 10 18 53 21 10 18 53 21 10 18 53 21 10 18 53 21 10 18 53 21 10 18 53 21 10 18 53 21 10 18 53 21 10 18 53 00 01

if only this could get me closer to obtaining shell on camera :)

mungewell commented 6 years ago

Great that they use the same schema, not so great that the keys are slightly different. Beginning to think that the cameras just used their own set, and have little consistency.

On getting shell: presumably you know about 'updatershell'. Wondering whether that's a way of forcing new code onto the camera, for running later when you reboot into the normal mode. I think that the X3000 is gen3, same as the QX1 - there was some discussion on that camera here: https://github.com/ma1co/OpenMemories-Tweak/issues/58

mungewell commented 6 years ago

@whoever42 BTW do the pmca-console commands work for your F3000?

$ python3 pmca-console.py wifi -f wifi.cfg

whoever42 commented 6 years ago

pmca-console wifi command returns empty output for me, you can see my efforts at issue #60