Open christau opened 10 months ago
I don't understand at all how did you do it?
Hi, I've 2 recent PTZ rotatable cameras that I bought early 2024 (France) with firmware version 3.10.6x . Both work with the method from this post to flash them to 2.10.36 firmware.
I uploaded the contents of my micro SD cards on mediafire, I didn't create an account so the files will be deleted automatically after 14 days of inactivity.
https://www.mediafire.com/file/q4r2wi007ijimwh/Camera_PTZ.7z/file
Maybe you can try it on your camera ?
Hi, I've 2 recent PTZ rotatable cameras that I bought early 2024 (France) with firmware version 3.10.6x . Both work with the method from this post to flash them to 2.10.36 firmware.
I uploaded the contents of my micro SD cards on mediafire, I didn't create an account so the files will be deleted automatically after 14 days of inactivity.
https://www.mediafire.com/file/q4r2wi007ijimwh/Camera_PTZ.7z/file
Maybe you can try it on your camera ?
Mirrored in case your file gets deleted
https://drive.google.com/file/d/10CGjcy7vbp_VGV3v-P2p3URLxt-vBysh/view?usp=sharing
EDIT: will buy a cam soon and test.
Hi @byXav, thanks for the upload. Sadly my cam got bricked. It only shows.
Wait input password...:
Timout Exit.
SUNDANCEH3B_Massboot>
I didn't find any resources on that problem and couldn't figure out how fix it. But recently a friend of recently mine passed me his cam. So I'm gonna try it again. What I do not understand is how you downgraded the firmware. I couldn't find a link to the 2.10 firmware. Can you help out with this problem? Did I overlook something?
Best regards, -chris-
Hi,
I used this tutorial to downgrade the firmware, like you share on your first post. It worked on the first try for me, I didn't have your error message. That's strange, yours have 3.10.6x firmware actually ? The link for the 2.10.36 firmware is on the same page option 3.
Thanks @byXav, found the link. I must have been blind not to see it. I'll check that out and let y'all know about the results.
Hi @byXav, I unpacked the firmware
tar -xf 165966791961ed11009a7.bin
which created a squashfs file, a version and a m5 file
4349952 Aug 5 2022 usr.sqsh4
33 Aug 5 2022 usr.sqsh4.md5
9 Aug 5 2022 version
Do you tried to inject the hacked anyka binaries directly into the sqsh file? I guess this should be possible, if there's no validation check, maybe except for the md5. This should make everything easier.
I didn't unpack the firmware through tar, I don't have the equipment or the skills to flash anything into anything.
I just did it with binwalk to retrieve 2 files :
After, you put them on the micro SD (overwriting the originals).
Do you follow to whole procedure ?
Option 1 1, 2, 3, 4, 5, 6.
Option 3 1, 2, 3, 4, 5, 6.
Option 1 again 7, 8, 9, 10... 16.
You have to do everything, the first time I juste forgot to rename the file following the point 12.
Edit : But I just thought of something, my camera was connected on Tuya app (or LSC Smart Connect) since the beginning. That have maybe helped in some point for the flash but I don't see where... maybe for the internet configuration ?
Ok, tried to install the firmware (had to rename it ti update.tar). But sadly it didn't work. So I reactivated (soldered) the RX/TX connector on the new cam and I could see the reason.
Current Bundle: HT_IPC208KM_TUYA_AK3918EV330
TF-Card F/W Bundle: HT_IPC178KM_TUYA_AK3918EV330
F/W Bundle Not Matchable
But anyway, that might be a good start. Many thanks for your input!
That's seems to help a lot to have a RX/TX connector for some cases. Maybe I'll pull the trigger on AliExpress if a need it one day. So finally we don't have the same camera. No problem for the "help" I did nothing.
But I don't understand your last read from the camera : does that mean that the hardware isn't the same or the firmware isn't the same ?
Hi @byXav, just the camera app binaries are different and some shell scripts. But since they both use the same Anyka AK3918EV330 SOC, it actually should work.
I found out that the last 1024 bytes of this *.bin file contain those information. Maybe I will risk this cam and modify the firmware file so the update will go through.
Hi All, I recently bought a LSC Smart Connect indoor 1080p Rotatable Camera. The old hack with placing a file onto the sd card sadly did'nt work for me in any way. So I soldered some wires onto the RX/TX pins and I was presented with the terminal
When I let it boot, it asked for a login. I tried many different passwords for root, but it simply wasn't working.
So I gave up on this path and tried to get a 'root' shell. I fumbled some time, but then I got it working with this bootargs
This presented me a busybox shell. Then I found out about the partitioning
So, digging into the partitions turned out, that the config partition was the one I should get into At first prepare a tmpfs so we could mount it
and then mount this config partition
Listing the contents of this folder
Looking at the passwd file
Since this partition is mounted r/w, I thought I just could replace the password hash for root. But here my journey ended for now. There was no
shadow
file I could create a shadow file, but I don't know which format this must have. After rebooting several times and redoing the above steps, suddenly a shadow file was showing up in this folder with this contentBut I still don't know about this format. When reading on the net about the shadow format, they all talk about that this line should contain '$' chars which is not the case here. Maybe someone of you can help me to find out the root password, or how to create a new one, since I'm stuck. Many thanks in advance
Edit: I got it working. In this thread I found help. I had to place the two contained files in this zip to the SD card. After this I was able to login with root/telnet. Now I can try to hack this thingy.