n3odym3 / LSC_Smart-Connect_Indoor_Camera_Hack

Hack to enable the ONVIF (and RTSP) on the LSC Smart connect indoor camera from Action

Hacking a LSC Smart connect rotatable camera from 2023 #9

Open christau opened 10 months ago

christau commented 10 months ago

Hi All, I recently bought a LSC Smart Connect indoor 1080p Rotatable Camera. The old hack with placing a file onto the SD card sadly didn't work for me in any way. So I soldered some wires onto the RX/TX pins and I was presented with the terminal

U-Boot 2013.10.0-V3.1.27 (Aug 30 2021 - 22:43:40)
DRAM:  64 MiB
init led gpio
efuse_read:0x00000007
8 MiB
sd detect gpio mode:84!
mmc_sd: 0
In:    serial
Out:   serial
Err:   serial
Net:   eth-0

Hit any key to stop autoboot:  1

When I let it boot, it asked for a login. I tried many different passwords for root, but it simply wasn't working.

Login: root
Password: ***
Login incorrect

So I gave up on this path and tried to get a 'root' shell. I fumbled some time, but then I got it working with this bootargs

env set bootargs console=ttySAK0,115200n8 root=/dev/mtdblock5 rootfstype=squashfs init=/bin/sh ${mtdparts} ${mem} ${memsize}; run read_kernel; bootm ${loadaddr} - ${fdtcontroladdr}

This presented me a busybox shell. Then I found out about the partitioning

mount -t proc none /proc
cat /proc/mtd
...
dev:    size   erasesize  name
mtd0: 00032000 00001000 "UBOOT"
mtd1: 00001000 00001000 "ENV"
mtd2: 00001000 00001000 "ENVBK"
mtd3: 0000c000 00001000 "DTB"
mtd4: 00180000 00001000 "KERNEL"
mtd5: 00100000 00001000 "ROOTFS"
mtd6: 00040000 00001000 "CONFIG"
mtd7: 00500000 00001000 "APP"

So, digging into the partitions, it turned out that the config partition was the one I should get into. First, prepare a tmpfs so we can mount it

mount -t tmpfs tmpfs /tmp

and then mount this config partition

mount -t jffs2 /dev/mtdblock6 /tmp/

Listing the contents of this folder

-rwxrwxrwx      271 Nov 18 12:11 hostapd.conf
-rw-r--r--     2048 Nov 18 12:11 _ht_encrypt.bin
-rwxr-xr-x     3028 Nov 18 12:11 _ht_hw_settings.ini
-rw-r--r--      831 Nov 18 12:11 _ht_sw_settings.ini
-rw-r--r--      155 Nov 18 12:11 _ht_uuid.ini
-r-xr--r--   114740 Nov 18 12:11 isp_mis2006_mipi_2lane_h3b.conf
-rw-r--r--       64 Nov 18 12:11 log_seq_stat
-rwxrwxrwx      128 Nov 18 12:11 passwd
-rw-rw-rw-       38 Nov 18 12:11 resolv.conf
-rwxrwxrwx      782 Nov 18 12:11 sensor_driver.sh
-rwxrwxrwx     2124 Nov 18 12:11 ssv6x5x-wifi.cfg
-rw-r--r--       16 Nov 18 12:11 tuya_enckey.db
-rw-r--r--    34464 Nov 18 12:11 tuya_user.db
-rw-r--r--    34464 Nov 18 12:11 tuya_user.db_bak
-rwxrwxrwx      173 Nov 18 12:11 udhcpd.conf
-rwxr-xr-x     1856 Nov 18 12:11 wifi_driver_new.sh
-rw-r--r--       18 Nov 18 12:11 wifimac.txt

Looking at the passwd file

root:x:0:0:root:/:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
nobody:x:99:99:nobody:/home:/bin/sh

Since this partition is mounted r/w, I thought I just could replace the password hash for root. But here my journey ended for now. There was no shadow file. I could create a shadow file, but I don't know which format this must have. After rebooting several times and redoing the above steps, suddenly a shadow file was showing up in this folder with this content

root:.gtzAwaNJy61IshgS1w30orTPKuc50t13ThV6XkyvKuIR.InDkP0Cc/:18542:0:99999:7:::

But I still don't know about this format. When reading on the net about the shadow format, they all talk about that this line should contain '$' chars which is not the case here. Maybe someone of you can help me to find out the root password, or how to create a new one, since I'm stuck. Many thanks in advance

Edit: I got it working. In this thread I found help. I had to place the two contained files in this zip to the SD card. After this I was able to login with root/telnet. Now I can try to hack this thingy.
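Added example, not part of the original post: a small Python parser for the shadow line quoted above, splitting it into the nine shadow(5) fields and checking the hash field against the prefixes and lengths crypt(5) defines. The function names are hypothetical; the only input is the line from the post, and the example identifies the format without attempting to recover any password.

```python
from datetime import date, timedelta
import string

CRYPT_ALPHABET = set("./" + string.digits + string.ascii_letters)
# $id$ prefixes of the modular crypt format, as listed in crypt(5)
MODULAR_IDS = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
               "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}
FIELDS = ("name", "hash", "last_change", "min_age", "max_age",
          "warn", "inactive", "expire", "reserved")

def classify_hash(h: str) -> str:
    """Name the hashing scheme of a shadow hash field, if it is recognisable."""
    if h == "":
        return "empty: no password required"
    if h[0] in "!*":
        return "locked: password login disabled"
    if h.startswith("$"):
        ident = h.split("$")[1]
        return MODULAR_IDS.get(ident, "unknown modular id " + ident)
    if len(h) == 13 and set(h) <= CRYPT_ALPHABET:
        return "descrypt (traditional 13-character DES crypt)"
    if len(h) == 20 and h[0] == "_":
        return "bsdicrypt (extended DES)"
    kind = "crypt alphabet" if set(h) <= CRYPT_ALPHABET else "other characters"
    return f"unrecognised: {len(h)} chars, no $id$ prefix, {kind}"

def parse_shadow_line(line: str) -> dict:
    """Split one shadow(5) line into named fields and annotate it."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != 9:
        raise ValueError(f"shadow(5) lines have 9 fields, got {len(parts)}")
    entry = dict(zip(FIELDS, parts))
    entry["scheme"] = classify_hash(entry["hash"])
    # last_change is a day count since 1970-01-01
    if entry["last_change"].isdigit():
        entry["last_change_date"] = (
            date(1970, 1, 1) + timedelta(days=int(entry["last_change"])))
    return entry

# The line exactly as quoted in the post above
PAGE_LINE = ("root:.gtzAwaNJy61IshgS1w30orTPKuc50t13ThV6XkyvKuIR.InDkP0Cc/"
             ":18542:0:99999:7:::")

if __name__ == "__main__":
    for key, value in parse_shadow_line(PAGE_LINE).items():
        print(f"{key:17} {value}")
```

The field layout is standard shadow(5); only the hash field falls outside the schemes the classifier knows, which is why the missing '$' stands out.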

lucas4515 commented 8 months ago

I don't understand at all. How did you do it?

byXav commented 7 months ago

Hi, I've 2 recent PTZ rotatable cameras that I bought early 2024 (France) with firmware version 3.10.6x. Both work with the method from this post to flash them to 2.10.36 firmware.

I uploaded the contents of my micro SD cards on mediafire, I didn't create an account so the files will be deleted automatically after 14 days of inactivity.

https://www.mediafire.com/file/q4r2wi007ijimwh/Camera_PTZ.7z/file

Maybe you can try it on your camera?

JeanneD4RK commented 7 months ago

> Hi, I've 2 recent PTZ rotatable cameras that I bought early 2024 (France) with firmware version 3.10.6x. Both work with the method from this post to flash them to 2.10.36 firmware.
>
> I uploaded the contents of my micro SD cards on mediafire, I didn't create an account so the files will be deleted automatically after 14 days of inactivity.
>
> https://www.mediafire.com/file/q4r2wi007ijimwh/Camera_PTZ.7z/file
>
> Maybe you can try it on your camera?

Mirrored in case your file gets deleted

https://drive.google.com/file/d/10CGjcy7vbp_VGV3v-P2p3URLxt-vBysh/view?usp=sharing

EDIT: will buy a cam soon and test.

christau commented 7 months ago

Hi @byXav, thanks for the upload. Sadly my cam got bricked. It only shows.

Wait input password...:
Timout Exit.

SUNDANCEH3B_Massboot>

I didn't find any resources on that problem and couldn't figure out how to fix it. But recently a friend of mine passed me his cam. So I'm gonna try it again. What I do not understand is how you downgraded the firmware. I couldn't find a link to the 2.10 firmware. Can you help out with this problem? Did I overlook something?

Best regards, -chris-

byXav commented 7 months ago

Hi,

I used this tutorial to downgrade the firmware, like you shared in your first post. It worked on the first try for me, I didn't have your error message. That's strange, does yours actually have 3.10.6x firmware? The link for the 2.10.36 firmware is on the same page, option 3.

christau commented 7 months ago

Thanks @byXav, found the link. I must have been blind not to see it. I'll check that out and let y'all know about the results.

christau commented 7 months ago

Hi @byXav, I unpacked the firmware

tar -xf 165966791961ed11009a7.bin

which created a squashfs file, a version and an md5 file

4349952 Aug  5  2022 usr.sqsh4
33 Aug  5  2022 usr.sqsh4.md5
9 Aug  5  2022 version

Did you try to inject the hacked Anyka binaries directly into the sqsh file? I guess this should be possible, if there's no validation check, maybe except for the md5. This should make everything easier.

byXav commented 7 months ago

I didn't unpack the firmware through tar, I don't have the equipment or the skills to flash anything into anything.

I just did it with binwalk to retrieve 2 files:

After, you put them on the micro SD (overwriting the originals).

Did you follow the whole procedure?

Option 1 1, 2, 3, 4, 5, 6.

Option 3 1, 2, 3, 4, 5, 6.

Option 1 again 7, 8, 9, 10... 16.

You have to do everything, the first time I just forgot to rename the file following point 12.

Edit: But I just thought of something, my camera was connected to the Tuya app (or LSC Smart Connect) since the beginning. That may have helped at some point for the flash but I don't see where... maybe for the internet configuration?

christau commented 7 months ago

Ok, tried to install the firmware (had to rename it to update.tar). But sadly it didn't work. So I reactivated (soldered) the RX/TX connector on the new cam and I could see the reason.

Current Bundle: HT_IPC208KM_TUYA_AK3918EV330
TF-Card F/W Bundle: HT_IPC178KM_TUYA_AK3918EV330
F/W Bundle Not Matchable

But anyway, that might be a good start. Many thanks for your input!

byXav commented 7 months ago

It seems to help a lot to have an RX/TX connector in some cases. Maybe I'll pull the trigger on AliExpress if I need it one day. So finally we don't have the same camera. No problem for the "help", I did nothing.

But I don't understand your last read from the camera: does that mean that the hardware isn't the same or the firmware isn't the same?

christau commented 6 months ago

Hi @byXav, just the camera app binaries are different and some shell scripts. But since they both use the same Anyka AK3918EV330 SOC, it actually should work.

I found out that the last 1024 bytes of this *.bin file contain that information. Maybe I will risk this cam and modify the firmware file so the update will go through.
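Added example, not part of any comment above and not the project's code: a pre-flash check in Python for a firmware bundle of the shape described in this thread, a tar archive holding usr.sqsh4 and usr.sqsh4.md5 with bundle information in the last 1024 bytes, compared against the "Current Bundle" the camera prints on the serial console. The sidecar layout (32 hex digits first), the trailer handling (printable ASCII runs only) and the function names are assumptions, and the sample bundle is constructed in memory.

```python
import hashlib
import io
import re
import tarfile

def inspect_bundle(blob: bytes, device_bundle: str) -> dict:
    """Check a firmware .bin before copying it to the SD card."""
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:") as tar:
        files = {m.name: tar.extractfile(m).read() for m in tar if m.isfile()}
    md5_ok = {}
    for name, data in files.items():
        sidecar = files.get(name + ".md5")
        if sidecar is None:
            continue
        # Assumption: the sidecar starts with the 32-digit hex MD5 of its file.
        expected = sidecar[:32].decode("ascii", "replace").lower()
        md5_ok[name] = hashlib.md5(data).hexdigest() == expected
    # The trailer layout is not documented in the thread, so only pull out
    # printable ASCII runs from the last 1024 bytes and look for the bundle id.
    strings = [s.decode("ascii")
               for s in re.findall(rb"[\x20-\x7e]{6,}", blob[-1024:])]
    return {"md5_ok": md5_ok, "trailer_strings": strings,
            "bundle_match": device_bundle in strings}

def build_sample(bundle: str, corrupt: bool = False) -> bytes:
    """Constructed stand-in for a real bundle: tiny tar plus 1024-byte trailer."""
    payload = b"hsqs" + bytes(60)  # placeholder bytes, not a real squashfs
    digest = hashlib.md5(payload).hexdigest().encode() + b"\n"
    if corrupt:
        payload = payload[:-1] + b"\x01"  # damage the image after hashing
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in (("usr.sqsh4", payload), ("usr.sqsh4.md5", digest),
                           ("version", b"constructed\n")):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue() + bundle.encode().ljust(1024, b"\0")

if __name__ == "__main__":
    device = "HT_IPC208KM_TUYA_AK3918EV330"  # "Current Bundle" from the serial log
    card = "HT_IPC178KM_TUYA_AK3918EV330"    # "TF-Card F/W Bundle" from the log
    print(inspect_bundle(build_sample(card), device))
```

The MD5 sidecar travels inside the same archive, so a match shows the image is intact, not that it is authentic.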