nervous-inhuman / tplink-tapo-c200-re

Reverse Engineering the TP-Link Tapo C200 camera

Shell Access #1

Closed llevi closed 1 year ago

llevi commented 3 years ago

Hi, I have a Tapo C100 camera. You can get a uboot shell by grounding the CS pin of the SPI flash when it shows the "autobooting" message. After that, you can boot into Linux via the init=/bin/sh bootarg. You can even create a partition on the SD card, dd mtdblock6 to it, and show the Linux from uboot to get the rootfs from there. I can provide the exact commands if you need them. I want to get a root shell via telnet when it is on the wall, assembled (not doing the CS pin grounding hack). My problem is: I cannot write the rootfs, not only because it's squashfs, but because it "doesn't start on an erase block boundary -- force read-only". I am thinking about writing the boot mtdblock partition to tell the 2nd uBoot to add root=/dev/mmcblkp1 to bootargs. Do you think we can cooperate with this experiment?

nervous-inhuman commented 3 years ago

Hi @llevi, thanks for your help regarding getting a shell on the device!

I'll try to replicate your steps on my C200 camera.

> Do you think we can cooperate with this experiment?

Gladly. What'd be the best way to contact you?

llevi commented 3 years ago

I'm on facebook messenger: https://www.messenger.com/t/llevi95

nervous-inhuman commented 3 years ago

> I'm on facebook messenger: https://www.messenger.com/t/llevi95

You should have a message from me in your inbox.

depau commented 3 years ago

Hi @llevi, I tried your approach but it seems like they disabled the u-boot shell on the C200. When the checksums fail, it starts an HTTP server on the internal ethernet port instead of spawning the usual shell:

U-Boot 2014.01-v1.2 (Jul 20 2020 - 10:28:45)

Board: IPCAM RTS3903 CPU: 500M :rx5281 prid=0xdc02
force spi nor mode
DRAM:  64 MiB @ 1066 MHz
Skipping flash_init
Flash: 0 Bytes
flash status is 0, 0, 0
SF: Detected XM25QH64A with page size 256 Bytes, erase size 64 KiB, total 8 MiB
Using default environment

Autobooting in 1 seconds
copying flash to 0x81500000
flash status is 0, 0, 0
SF: Detected XM25QH64A with page size 256 Bytes, erase size 64 KiB, total 8 MiB
SF: 8388608 bytes @ 0x0 Read: OK

Firmware check failed!
Enter recovery mode.
In:    serial
Out:   serial
Err:   serial
Net:   Realtek PCIe GBE Family Controller mcfg = 0024
no hw config header
new_ethaddr = 00:00:23:34:45:66
r8168#0
Using default environment

Running command httpd!--Debug by Mazexiong
SF: Unsupported flash IDs: manuf 00, jedec 0000, ext_jedec 0040
flash status is 0, 0, 0
SF: Detected unknown with page size 256 Bytes, erase size 64 KiB, total 8 MiB
SF: 10240 bytes @ 0x1d800 Read: OK
NetReadAndSetEthaddr: no mac address found.
HTTP server is ready!

SF: Unsupported flash IDs: manuf 00, jedec 0000, ext_jedec 82fc
flash status is 0, 0, 0
SF: Detected unknown with page size 256 Bytes, erase size 64 KiB, total 8 MiB
SF: 10240 bytes @ 0x1d800 Read: OK
error: no mac address found
local info init failed, exit
Attaching option 01 to list
Attaching option 03 to list
Attaching option 06 to list
file: apps/dhcpd/dhcpd.c,line: 870==:dhcpd init OK. --debug by HouXB
HTTP server is starting at IP: 192.168.0.10
file: lib_uip.c,line: 115==:uip set a8c0-a00. --debug by HouXB
file: lib_uip.c,line: 130==:start infinite loop! --debug by HouXB

If I wait for it to load the second stage u-boot and then bring the chip select low when it says "autobooting", it will simply hang:

U-Boot 2014.01-v1.2 (Jul 20 2020 - 10:28:45)

Board: IPCAM RTS3903 CPU: 500M :rx5281 prid=0xdc02
force spi nor mode
DRAM:  64 MiB @ 1066 MHz
Skipping flash_init
Flash: 0 Bytes
flash status is 0, 0, 0
SF: Detected XM25QH64A with page size 256 Bytes, erase size 64 KiB, total 8 MiB
Using default environment

Autobooting in 1 seconds
copying flash to 0x81500000
flash status is 0, 0, 0
SF: Detected XM25QH64A with page size 256 Bytes, erase size 64 KiB, total 8 MiB
SF: 8388608 bytes @ 0x0 Read: OK
verifying uboot partition...
ok
verifying kernel and romfs partition...
ok
set watchdog, resetting...

U-Boot 2014.01-v1.2 (Sep 30 2020 - 07:11:39)

Board: IPCAM RTS3903 CPU: 500M :rx5281 prid=0xdc02
force spi nor mode
DRAM:  64 MiB @ 1066 MHz
flash status is 0, 0, 0
SF: Detected XM25QH64A with page size 256 Bytes, erase size 64 KiB, total 8 MiB
Flash: 0 Bytes
flash status is 0, 0, 0
SF: Detected XM25QH64A with page size 256 Bytes, erase size 64 KiB, total 8 MiB
Using default environment

In:    serial
Out:   serial
Err:   serial
Net:   Realtek PCIe GBE Family Controller mcfg = 0024
new_ethaddr = 00:00:00:00:00:00
r8168#0
Autobooting in 1 seconds
flash status is 0, 0, 0
SF: Detected XM25QH64A with page size 256 Bytes, erase size 64 KiB, total 8 MiB
SF: 3145728 bytes @ 0x60000 Read: OK
## Booting image at 82000000 ...
   Uncompressing Kernel Image ... OK

Starting kernel ...
nervous-inhuman commented 3 years ago

Hi @Depau,

you can kill the httpd server by hitting Ctrl-C, I believe.

From there, you'll be dropped into the U-boot shell.

depau commented 3 years ago

> Hi @Depau,
>
> you can kill the httpd server by hitting Ctrl-C, I believe.
>
> From there, you'll be dropped into the U-boot shell.

I have no idea why I didn't even try 🤦‍♂️ it works, thanks!

Web failsafe mode aborted!

httpd - httpd   - start www server for firmware recovery

Usage:
httpd - No additional help available.
rlxboot# <INTERRUPT>
rlxboot# 
nervous-inhuman commented 3 years ago

To boot into a shell, you also need to set the init to /bin/sh as mentioned above, plus copy the "firmware" into memory and boot from it.

setenv bootargs 'console=ttyS1,57600 root=/dev/mtdblock6 rts-quadspi.channels=dual init=/bin/sh'
sf read 0x81500000 0x60000 0x300000
bootm

Please note that devfs and sysfs aren't going to be mounted when you boot from memory, because init wasn't run. Supposedly running /etc/preinit will mount them, but I haven't tested it, since I managed to fry my C200. 🤦‍♀️

llevi commented 3 years ago

@Depau I have a working C100 (yet :D ). I have tried to modify the rootfs, but I could not, because "doesn't come with erase block boundary". Maybe I could write the whole flash. I tried to use a ch341A programmer, but it (via flashrom) doesn't recognise it as an SPI flash.

depau commented 3 years ago

> To boot into a shell, you also need to set the init to /bin/sh as mentioned above, plus copy the "firmware" into memory and boot from it.
>
> setenv bootargs 'console=ttyS1,57600 root=/dev/mtdblock6 rts-quadspi.channels=dual init=/bin/sh'
> sf read 0x81500000 0x60000 0x300000
> bootm
>
> Please note that devfs and sysfs aren't going to be mounted when you boot from memory, because init wasn't run. Supposedly running /etc/preinit will mount them, but I haven't tested it, since I managed to fry my C200. 🤦‍♀️

I dumped the flash overnight, I'll inspect it today. I thought I'd be able to get root access over serial during normal operation but they disabled all accounts, I guess I'll have to find another way.

I did get all the binaries and the certificates though.

> @Depau I have a working C100 (yet :D ). I have tried to modify the rootfs, but I could not, because "doesn't come with erase block boundary". Maybe I could write the whole flash. I tried to use a ch341A programmer, but it (via flashrom) doesn't recognise it as an SPI flash.

I have a programmer compatible with minipro and it supports it. You need to desolder it though, they didn't put diodes in the power lines so it will power the whole board if you use a SOP8 clamp or SMD clips.

llevi commented 3 years ago

@Depau If you have a powerful enough computer, you can try to bruteforce the root password which is in /etc/passwd. I dd-ed the rootfs to an sdcard and could successfully boot up with a changed root pass, and voila - a working system with a root shell (I tell this because they didn't disable all accounts, they just password-protect the root acc).

depau commented 3 years ago

I tried with multiple wordlists but no such luck. Here's some info I gathered including the (uncracked) crypt md5 hash: https://md.depau.eu/mA9zdqPKTPCCz2sgWlh3_g

On Sun, Nov 29, 2020, 21:16 llevi notifications@github.com wrote:

> @Depau https://github.com/Depau If you have a powerful enough computer, you can try to bruteforce the root password which is in /etc/passwd. I dd-ed the rootfs to an sdcard and could successfully boot up with a changed root pass, and voila - a working system with a root shell (I tell this because they didn't disable all accounts, they just password-protect the root acc).

kubik369 commented 3 years ago

Hi, I was able to find the default root password in the released GPL code together with the sequence to stop autoboot and fall through into the uboot console. The default root password is slprealtek and the uboot stop keyword is slp.

You also don't really need to rewrite the flash with a programmer, you can use tftp to boot over Ethernet, I can whip up some pinout pictures if someone would be interested in this. I was also able to use the camera as a regular AP while connected over Ethernet, which is pretty nice.

nervous-inhuman commented 3 years ago

Hi @kubik369,

> I was able to find the default root password in the released GPL code together with the sequence to stop autoboot

would you mind linking to the GPL sources so I could document it in this repo?

> you can use tftp to boot over Ethernet, I can whip up some pinout pictures if someone would be interested in this

I'd highly appreciate this, as it's been something I've been thinking about since I've seen the unused header

Thank you for your contribution!

kubik369 commented 3 years ago

Hi @nervous-inhuman (are you from CZ/SK? :) )

Here are the links for Tapo C100 and C200:

https://static.tp-link.com/resources/gpl/c100_GPL_v1.tar.bz2
https://static.tp-link.com/resources/gpl/camera_slp_realtek_c200.tar.bz2

However, they are the same thing, to the bit (at least the last time I checked). The C200 one has been published on the website when I checked, the C100 one I needed to request. Thankfully, TP-link support was really prompt and they provided me with the link basically the next day (they also put it up on the website). I am pretty sure that we can get C310 sources the same way. I don't own a C310 camera yet, only C100 and C200. Since C100 and C200 are basically identical and they have those unpopulated headers, I suspect that C310 will be also identical.

What do you think would be the best course of action for contributions? I think that we should try to team up with the people that are working on the pytapo library and aggregate all pieces of information that we were able to find out. We can either put everything into their repository wiki or add a link pointing to this repository from theirs. I am going to take a picture of my "setup" and annotate it and after we work out the best course of action, I will write down everything I know and commit it to the agreed repository :)

nervous-inhuman commented 3 years ago

Replying to @kubik369:

> are you from CZ/SK?

Yeah! The reason why I started this repo is because I found this camera for cheap on Alza, and wanted to get a root shell on it and to integrate it into my Home Assistant setup.

...

> What do you think would be the best course of action for contributions?

I'm unsure, as far as I was aware some months ago, I was the only person/this was the only repository focused on Tapo C200/Cxxx research.

...

> I think that we should try to team up with the people that are working on the pytapo library and aggregate all pieces of information that we were able to find out.

This sounds fantastic, I didn't know about their project. I believe this repo predates theirs by about a month. Anyway, what's the best way to get in contact with you, and the folks over at pytapo?

kubik369 commented 3 years ago

Cool, so we have a common goal, I want to do literally the same thing :D It just so happened that I also need to do a diploma thesis from security, so hopefully it will also fit that use case.

Here is the Ethernet pinout annotation, the connector should be Molex Picoblade, 1.27mm pitch, 4-pin. I haven't received the cables for it, so I cannot say for sure, but I was able to solder the cables to the connector and it works. The numbering is T-568A.

I think we can create an issue over on their repo and try to start a collaboration. Send me an email to kubik ~ at ~ ksp.sk and we will try to find a common communication channel for the two of us for now :)

depau commented 3 years ago

I can confirm that the password and the uboot stop keyword work ;)

I'm collecting RE info (mainly regarding the app) here: https://md.depau.eu/mA9zdqPKTPCCz2sgWlh3_g

gsmortimer commented 3 years ago

Hi,

I'm keen to improve Pytapo (or at least my fork, sorry, Github noob) by adding in any additional (including undocumented) features. I downloaded the GPL for the C200 (my camera) and found a few custom config files referring to the On Screen Display (OSD) and now I have translucent, black, and white text options (not the most exciting feature) but I'm keen to discover more hidden features. Sadly, I cannot find any other camera-specific files or configs in the GPL; it simply seems to be a custom modified buildchain for OpenWRT, but (almost) all the interesting custom files seem to be stripped - bar the root password in .config and some very sparse files in:

camera_slp_realtek_c200\torchlight\product_config\ALL\isp_config\Default-devName_Default-hwVer\uci

Has anyone managed to dump the filesystem directly off the camera? I would have a go myself but I can't seem to crack the C200 open without destroying it. Huge thanks to everyone's efforts so far - Thanks Depau for the collection of RE info, although I don't understand where you got most of it from?

I'm so impressed with the hardware and (potential) functionality you get for such a low price (how do they do it?) - camera, IR illuminator and automatic filter, motor drives, speaker, microphone, sd slot, led, and wifi. With some work, it could be a good choice to become the "hacker's choice of camera", provided they don't discontinue it.

kubik369 commented 3 years ago

Hi @gsmortimer,

you can find all of the firmwares I was able to obtain here: https://drive.google.com/drive/folders/1_aJHhIYNdESZZMYEvmLOdNwQWA8BRLcE .

The .bin files are the whole firmware images, as downloaded from the TP-Link servers. rootfs-1.0.16.img is the rootfs part of the 1.0.16.bin file, it has been created by using dd to cut out bytes in the range indicated by binwalk. This rootfs image is a basic squashfs image from openWRT, you can unpack it with unsquashfs. squashfs-root.zip contains the unpacked rootfs I obtained directly from the camera, you can find all of the partitions in the firmware-c100/1.0.0/ folder. The zip also contains files in /tmp from my camera, those are presumably loaded from the config partition and are not totally stock, but very close to it. If you would be interested, I can write down the scripts required to unpack it from the stock image, I just haven't bothered yet (mostly one-liners).

If I got it right, I think Depau started by decompiling the Android app. I'm personally looking into first trying to find out whether firmware uses any form of signing. If not, then we should be able to at least include our own lua scripts in repacked images. I have been also looking into porting modern openWRT to the camera, but the SoC used (RTS3903 from Realtek) uses a CPU with Lexra cores, which are not supported in the mainline kernel. I was able to find some patches on the lkml [1], I have contacted the author and he said that it is mostly done, so I might try looking into it. He added support for LX5280, RTS3903 uses RLX5280, I haven't yet found out whether they are the same core, but even if they were, I have literally no idea if there is any possibility of writing drivers for the video encoders. So far, I was able to find only a few hints that RLX5280 is a newer generation, but the instruction set could be the same.

I hope this helps you in some way :)

[1] https://lore.kernel.org/patchwork/project/lkml/list/?series=367909&state=*
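Two points raised in this thread are worth seeing in code: carving the squashfs rootfs out of a full image at the offset binwalk reports (kubik369's dd step above), and the "doesn't start on an erase block boundary -- force read-only" condition that llevi hit. The script below is an added example written for this thread, not code from the repository or from any of the participants. It walks a flash image, decodes every plausible squashfs v4 superblock it finds, and flags whether each filesystem starts on a 64 KiB boundary, the erase size U-Boot reports for the XM25QH64A in the logs above. The image it scans is a constructed sample built in `build_sample_image()` (one aligned filesystem, one misaligned, one stray "hsqs" string), not a dump from a camera; point `find_squashfs` at the bytes of a real .bin to use it on one.

```python
import struct

# Little-endian squashfs v4 superblock: magic, inode_count, mod_time, block_size,
# fragment_entry_count (5 x u32); compression_id, block_log, flags, id_count,
# version_major, version_minor (6 x u16); root_inode, bytes_used (2 x u64);
# six table start offsets (6 x u64). 96 bytes in total.
SQUASHFS_MAGIC = b"hsqs"
SUPERBLOCK_FMT = "<5I6HQQ6Q"
SUPERBLOCK_LEN = struct.calcsize(SUPERBLOCK_FMT)
# Erase size U-Boot reports for the camera's XM25QH64A SPI flash (see the boot log above).
ERASE_BLOCK = 64 * 1024
COMPRESSORS = {1: "gzip", 2: "lzma", 3: "lzo", 4: "xz", 5: "lz4", 6: "zstd"}


def parse_superblock(blob, offset):
    """Decode the superblock at `offset`; return None if it is not a plausible v4 header."""
    if offset + SUPERBLOCK_LEN > len(blob):
        return None
    (magic, inode_count, _mod_time, block_size, _frag_count,
     compression, block_log, _flags, _id_count, major, _minor,
     _root_inode, bytes_used, *_tables) = struct.unpack_from(SUPERBLOCK_FMT, blob, offset)
    # Sanity checks that weed out a stray "hsqs" string inside unrelated data.
    if major != 4 or compression not in COMPRESSORS:
        return None
    if block_size != (1 << block_log) or not (4096 <= block_size <= 1 << 20):
        return None
    if not (0 < bytes_used <= len(blob) - offset):
        return None
    return {
        "offset": offset,
        "compression": COMPRESSORS[compression],
        "block_size": block_size,
        "inode_count": inode_count,
        "bytes_used": bytes_used,
    }


def find_squashfs(blob, erase_block=ERASE_BLOCK):
    """Locate every plausible squashfs superblock and annotate its erase-block alignment."""
    found = []
    pos = blob.find(SQUASHFS_MAGIC)
    while pos != -1:
        sb = parse_superblock(blob, pos)
        if sb is not None:
            # An MTD partition that does not start on an erase block is forced read-only by the kernel.
            sb["erase_aligned"] = pos % erase_block == 0
            # Space the filesystem occupies once padded out to whole erase blocks.
            sb["padded_length"] = -(-sb["bytes_used"] // erase_block) * erase_block
            found.append(sb)
        pos = blob.find(SQUASHFS_MAGIC, pos + 1)
    return found


def carve(blob, sb):
    """Cut the filesystem out of the image (what `dd` does with the offsets binwalk reports)."""
    return blob[sb["offset"]:sb["offset"] + sb["bytes_used"]]


def make_superblock(bytes_used, inode_count=42, compression=1, block_log=17):
    """Build a minimal, well-formed v4 superblock for the constructed sample image."""
    magic = int.from_bytes(SQUASHFS_MAGIC, "little")
    return struct.pack(SUPERBLOCK_FMT, magic, inode_count, 0, 1 << block_log, 0,
                       compression, block_log, 0, 1, 4, 0,
                       0, bytes_used, 0, 0, 0, 0, 0, 0)


def build_sample_image():
    """Constructed 192 KiB sample image (not a real dump): erased flash reads as 0xFF."""
    img = bytearray(b"\xff" * 0x30000)
    # A stray "hsqs" inside unrelated data: the 0xFF bytes after it fail the sanity checks.
    img[0x8000:0x8004] = SQUASHFS_MAGIC
    # Filesystem A starts exactly on a 64 KiB erase block (gzip).
    img[0x10000:0x10000 + SUPERBLOCK_LEN] = make_superblock(bytes_used=0x5000)
    # Filesystem B starts 2 KiB into an erase block (xz): the forced-read-only case.
    img[0x20800:0x20800 + SUPERBLOCK_LEN] = make_superblock(bytes_used=0x9000, compression=4)
    return bytes(img)


if __name__ == "__main__":
    image = build_sample_image()
    for sb in find_squashfs(image):
        state = "erase-block aligned" if sb["erase_aligned"] else "NOT aligned, kernel forces read-only"
        print(f"squashfs @ 0x{sb['offset']:x}: {sb['compression']}, "
              f"{sb['bytes_used']} bytes used, {state}")
```

The alignment check is the defender-relevant part: a rootfs partition that the kernel forces read-only cannot be modified in place through the MTD layer, which is the behaviour both llevi and gsmortimer describe, and the padded length tells you how much flash a repacked image may occupy before it collides with the next partition.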

gsmortimer commented 3 years ago

Thank you! This is fantastic, I will have a good look tonight. While I've been a user of openWRT since White Russian, I'm not a developer and the buildchain is still a bit of an enigma to me past fiddling with settings in make menuconfig. But I will try to contribute anything useful I (struggle to) find out back to this thread.

I was also thinking it would be awesome to build a complete custom FW for these cams but thought it might be a bit unrealistic (too much effort and not enough following?) But seeing as they are already running OpenWRT maybe it's not just a pipe dream?

kubik369 commented 3 years ago

I mean, we have the Realtek SDK from the sources, so we might be able to cook something up, but it certainly won't be running mainline kernel anytime soon. I cautiously think of it in the pipe dream territory, as there are many routers out there which use the same Lexra CPU core and they are not supported in OpenWRT. Ironically, this family of cameras and those routers usually run on some ancient fork of OpenWRT. Just like you said, a lot of the software written by TP-Link is missing from the sources, so it's a little hard to recreate it, at least the important parts. I will be pretty happy if we are able to create a neutered version of the official firmware, one which only runs the RTSP/ONVIF server and possibly some config website which just executes uci commands (which is basically luci)

DrmnSamoLiu commented 3 years ago

Just stumbled upon your repo and I'm really glad someone else is trying to RE the tapo C200 too. My friend and I have done some research on it too and here's some documentation of it, if it can be of any help :) (https://drmnsamoliu.github.io/)

My web frontend skill sucks so maybe try to zoom in and out on the page so you won't miss some tabs!

gsmortimer commented 3 years ago

Hi DrmnSamoLiu,

That's a fantastic amount of info you've collected together there, good work! Thanks to your guide on opening the C200 without destroying it, I've just this second finally soldered a header on and got shell access (I note you didn't have the password - see Depau's link above, it is listed there). I'm a beginner at reverse engineering but the others on here seem to be very knowledgeable and have got a great deal of info on the C100 (which is almost identical firmware but without motors I think). I'm keen to stop the "cloud" access and improve the PYTAPO python library so it can be controlled and accessed completely locally. I can probably do that via the serial interface, but it would be nice to do it via a software-only method; it looks like you are a master of that side of things! I don't get much of a chance to work on this, but I'll contribute anything I find back here.

Edit: I've dumped a load of stuff from my C200 camera, UCI says the FW is 1.0.14 but it might actually be 1.0.17 and they just forgot to rename it https://georgeimmi.com/download/tapo/c200/. Feel free to use.

The UCI dump might be interesting - much of the config is persistent between boots (unlike the root fs, the overlayfs is not persistent), and some of the entries might be unintentionally writeable via the JSON interface?

tglaria commented 3 years ago

> Just stumbled upon your repo and I'm really glad someone else is trying to RE the tapo C200 too. My friend and I have done some research on it too and here's some documentation of it, if it can be of any help :) (https://drmnsamoliu.github.io/)
>
> My web frontend skill sucks so maybe try to zoom in and out on the page so you won't miss some tabs!

Wow, this is a lot of info. Great!

Personally, I'm only trying to be able to download the stored files in the µSD card to an external drive (I see that you could get to stream them, but I see no use in waiting 3h to download a 3 hour video file).

Is there a known way for this? I saw that Telnet could be enabled, so maybe an FTP server could be installed (or a shared folder).

gsmortimer commented 3 years ago

Using physical UART access, you can run telnet (rather than suffering the UART shell), but there's no ftp software, and the http server installed has been too heavily modified as far as I can gather. However, there is wget, which is a quick way to get additional software onto it (instead of the sd card). The Realtek MIPS SDK includes a toolchain allowing compiling of code, with which I've had a lot of success, so you can simply cross-compile your favourite http or ftp server and wget it across and run it.

The problem is saving the state between reboots (yes, I have it on a UPS currently). As it stands, the filesystem is read-only (OverlayFS is used but never written to flash, and I don't think it can be, as the misaligned flash block boundaries seem to have forced read-only on those blocks). The only thing that is saved to flash is 64KB of config data, which is just the UCI configuration files. This is done via a program called "uc_convert", which I am using as my first ever reverse engineering challenge. 3 or so weeks in, I've picked through a snowman decompilation, and I'm getting close to 50% of the important stuff rewritten and compiled. My hope is that I can find a way to generate a config file that "overwrites" some system files and allows shell access automatically just after boot, such that the device is sort of "soft rooted". Once I get my findings organised I'll link them here.

If anyone fancies contacting me directly (this issues post is not the most convenient way to communicate!), use e m a i l - t a p o @ g e o r g e i m m i dot com. Especially if you can tell me how on earth you set the "des_min_do() function in libsecuirty.so to "decrypt mode" (not critical, it's just driving me up the wall not knowing).

DrmnSamoLiu commented 3 years ago

@gsmortimer Not sure if you read it or not, but there's actually a way to exploit a command injection vulnerability to enable telnet even after reboots, which we also documented: https://drmnsamoliu.github.io/telnet.html If you haven't read it I suppose it's my crappy web frontend skill that failed to scale the webpage according to screen size and it hides the "telnet" tab from view :p Again you might want to zoom in or out on the page so you can see all the available tabs.

About the des_min_do() problem, maybe this post can help you: https://malware.news/t/tp-link-cpe-510-520-new-config-bin-structure-decryption-modify-re-encryption/38451

kubik369 commented 3 years ago

@DrmnSamoLiu I have found out an interesting thing: my camera (C100) didn't have telnet on the 1.0 firmware, busybox wasn't compiled with it. Your findings came as quite a surprise to me, but I just chalked it up to you having a C200. However, I have started digging around and I found out that the 1.0 firmware (at least the backup of my partitions) indeed does not have telnet present. The earliest firmware update I have available (1.0.10) does contain all the telnet files (service file, telnet symlink) and after updating, the files are indeed present. Sadly, the service file does not seem to be usable, as it starts up the telnet daemon bound to 127.0.0.1.

Btw, if any of you would be interested, I was able to find a way to easily downgrade the firmware, at least with the official updates for now :)

hacefresko commented 3 years ago

Hey there! Thanks for the info to all of you guys. It's my first time dealing with UART and hardware and thanks to this issue it has been great. I have managed to get the shell. Since I know a little bit of web application and wifi security, my intention was to look for any vulnerabilities in the device related to these topics. I have never really dealt with reversing but, with all the information available in this post, I may dare to do it. Anyway, I probably won't find anything too crazy but I will post every interesting discovery I find :)

d0mnik commented 3 years ago

> Hi DrmnSamoLiu,
>
> That's a fantastic amount of info you've collected together there, good work! Thanks to your guide on opening the C200 without destroying it, I've just this second finally soldered a header on and got shell access (I note you didn't have the password - see Depau's link above, it is listed there). I'm a beginner at reverse engineering but the others on here seem to be very knowledgeable and have got a great deal of info on the C100 (which is almost identical firmware but without motors I think). I'm keen to stop the "cloud" access and improve the PYTAPO python library so it can be controlled and accessed completely locally. I can probably do that via the serial interface, but it would be nice to do it via a software-only method; it looks like you are a master of that side of things! I don't get much of a chance to work on this, but I'll contribute anything I find back here.
>
> Edit: I've dumped a load of stuff from my C200 camera, UCI says the FW is 1.0.14 but it might actually be 1.0.17 and they just forgot to rename it https://georgeimmi.com/download/tapo/c200/. Feel free to use.
>
> The UCI dump might be interesting - much of the config is persistent between boots (unlike the root fs, the overlayfs is not persistent), and some of the entries might be unintentionally writeable via the JSON interface?

Hi, I am also looking to reverse the firmware as well. May I know if this is the latest firmware available?

CoYoNq commented 2 years ago

Hi Ppl! I love the idea of a custom firmware for these devices. TP-Link makes great hardware, but really ugly software. I own C100 and C310 cams. My skills are not very valuable, but if you give me some orientation, maybe I can help in some way. I can even help with some funds. I'd love to fully integrate these devices into Home Assistant. There is an unofficial project that allows it, but with limited functions (based on pytapo). No way to read SD content, or use 2-way audio, i.e. Let me know if I can help/collaborate with this project. coyote (at) urbanterror.com.ar

abubakerbaig commented 2 years ago

Hey guys, I can see the really great work you all have been doing and it's fascinating. I am currently working on V380 Pro security cameras. I was able to get a read-only root shell on one of the cameras, where I was able to read the shadow and passwd files. Unfortunately I failed to crack the password using rockyou.txt. Here is the content of the shadow file. My goal is to get privileged access to the root shell, to extract the firmware and if possible open ports such as telnet. Can anyone suggest some dictionary text files I could try? Help will be highly appreciated.

antonhagg commented 2 years ago

Has there been any news regarding access to the recorded files?

DrmnSamoLiu commented 2 years ago

@alloygoh I finally got some time to revisit this tapo camera after a year. I've created a repo that I'll update with download URL to the latest firmware. https://github.com/DrmnSamoLiu/Tapo_C100v2_Firmware Note that I'm now working on C100 v2 instead of C200 v1 so the link is for C100 v2. Although I don't think there will be much difference in most of the binaries.

@kubik369 I am very interested in how to downgrade the FW! For now I soldered an SOP8 socket to the PCB so I can remove the chip and flash it with old dump whenever I needed. But I do love to know if there are any other ways.

kubik369 commented 2 years ago

Sorry for a late reply :sweat_smile:

This is an excerpt from my notes relating to it:

Take SD card with at least two partitions. First partition needs to be FAT32. Put the firmware file
into the root of the partition and name it `factory_up_boot.bin`. It is possible to downgrade this
way, at least with the official firmware.

You should be able to find the short script which does the update by just grepping the unpacked squashfs from an update file, can't recall the name at the moment. Hope it simplifies your workflow :)

DrmnSamoLiu commented 2 years ago

@kubik369 Nice discovery! I did find this script before but, don't know why, I always assumed the "Update via sdcard" method is for the engineers and requires the file (factory_up_boot.bin) to be in a special format. So I never bothered trying it out.... However now I've also tried it and can confirm it works :)

The only thing that I found troublesome is that you can't use an sdcard that has been formatted by the camera for updating. The script looks for /dev/mmcblk0p1, mounts it under /tmp/sdcard and checks for factory_up_boot.bin. However, if the sdcard has been formatted by the camera, the FAT32 partition will be mounted in a different place (/tmp/mnt/harddisk_1), therefore the update script will be bypassed.

So if anyone wants to use the sdcard method to downgrade your firmware, either use an sdcard that is not formatted by the camera before, or zero out the sdcard and re-format it to FAT32.

kubik369 commented 2 years ago

Great, good to know that it works. It is interesting that you mention that it mounts it at /tmp/mnt/harddisk01, I don't recall encountering this. The only problem I remember is if you only have a single partition, kernel does not enumerate the partitions and it just does a /dev/mmcblk0, while the script expects the pX suffix.

I have also found that the bootloader has an integrated recovery web server, so unless you bork your bootloader, you are only soft-bricked and can recover without a hw flasher. However, it requires connecting the ethernet port, which requires a disassembly of the device ☹️ but still, it is way better than connecting a flasher or desoldering the rom.

Recently, I have also bought C110 camera. It seems much more interesting, as it uses a regular ARM processor instead of the Lexra travesty used in C100/C200. It seems that the C110/C210/C310 family all use that. OpenIPC [0] seems to support that chip, so I will be trying to get that running on it, as one of my goals is getting a camera which is fully controlled by me and not reliant on cloud/goodwill of the manufacturer.

[0] https://openipc.github.io

CoYoNq commented 2 years ago

Totally agree! Let me know if I can collaborate in some way with this goal. This hardware deserves an open version. The TAPO Cs series are amazing pieces of hardware with a lot of potential but the "manufacturer managed system" sucks.

On 4/2/22 at 11:57, Jakub Šimo wrote:

> one of my goals is getting a camera which is fully controlled by me and not reliant on cloud/goodwill of the manufacturer.

kubik369 commented 2 years ago

@CoYoNq I have been poking around in the C110, but I wasn't able to find UART pads yet, so no progress on that front. However when I find it, I would love to try porting the openIPC stuff, it looks up my alley :)

DrmnSamoLiu commented 2 years ago

@kubik369 This is the first time I've heard about the new CX10 product line and it sure sounds interesting! I will purchase one as soon as possible and maybe create a repo about the hardware stuff I discovered :)

antonhagg commented 2 years ago

A bit off topic maybe, but have you guys heard of the eufy 2k camera? Seems like a decent alternative to the tapo camera. https://eu.eufylife.com/collections/indoor-cam

DrmnSamoLiu commented 2 years ago

@kubik369 Great news, I found the UART pads for C110 and the serial console is actually not password protected :) I posted a pic of the pads in this repo : https://github.com/DrmnSamoLiu/Tapo_c110_Info

kubik369 commented 2 years ago

Wow, great job, thanks for that :bow: I was just trying to trace the pads with multimeter so far as I don't have any proper equipment with me as my lab is closed due to covid :D I will finish up my uni work and be right on that, thanks again a bunch! :smiley:

Btw the ethernet port has the same pinout as Cx00 and seems to be working the same way :)

FragAverage commented 2 years ago

Is the research on these devices still active? I would love to get involved somehow.

I have a C100v2 and I am currently poking my way through the firmware in Ghidra.

Links to any discussion discords etc would be welcome :)

vbogoev commented 2 years ago

I am very interested in how to downgrade the FW! For now I soldered an SOP8 socket to the PCB so I can remove the chip and flash it with an old dump whenever I need to. But I would love to know if there are any other ways.

@DrmnSamoLiu are you doing something other than flashing the XMC chip with the desired firmware? I bought a bricked Tapo C200(EU)/1.0. When I connect through TTL there's a message "Firmware check failed". I found at least 3 versions of the firmware on the internet but none of them work for me... All I get when I reflash with the new firmware is the inverted question mark at the top... One of the .bin files I found is even larger than the chip itself, and it is for C200v1; not sure how this is possible...

(attached screenshot: output1 20220610_145954)

DrmnSamoLiu commented 2 years ago

Hi @vbogoev, let me first make sure: how do you "flash" your chip? It seems the flash chip on your PCB has not been touched. Do you mean you tried to upgrade/downgrade with tftp / sdcard or something like that? Also, which "firmware" do you use and where did you get it? If you really mean to re-flash your flash chip, you'll need a whole flash chip dump instead of a firmware file.

I have a repo containing URLs from which you can download legit firmware files from the TP-Link cloud; maybe you can try it out. https://github.com/DrmnSamoLiu/Tapo_Camera_Firmware

vbogoev commented 2 years ago

Hey, @DrmnSamoLiu . Thanks for the fast response.

First I used the firmware from here: https://drmnsamoliu.github.io/firmware.html Then I tried C200_v1 from the link you provided. Then I tried the firmware from this link: https://georgeimmi.com/download/tapo/c200/

For the reflash I am using a CH341A programmer, which works well with this chip. I made a backup of the original content, and after every reflash with the firmwares above I soldered the chip back and all I get is the reversed question mark from the image. Once I reflash the original corrupted firmware I get everything else, so I am assuming the programmer is OK. But obviously I am doing something wrong...

I am using an Arduino as a TTL converter. I managed to get to rlxboot, but all I want is to get the camera working; at this point I don't care what the firmware version will be...

DrmnSamoLiu commented 2 years ago

@vbogoev I replied with a lengthy tutorial about how to modify the flash dump, but I realized it is way more complicated than that, so I decided to delete the post. In short, what you did wrong is that you tried to flash your chip with only the firmware file you found online. But the flash chip actually contains a lot more than just the firmware file. There is the bootloader, configs, etc., and they all need to be in a specific order. From what I can see in your bootlog, your bootloader is fine. It verifies various things in the boot process as shown here: https://drmnsamoliu.github.io/assets/img/bootprocess.jpg

So either the Linux kernel or the rootfs is corrupted. Maybe you can send me your flash dump and I'll try to see what I can do to fix it: drmnsamoliu at ( the google domain )
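The reply above makes the practical point that a raw SPI-NOR dump is a sequence of regions (bootloader, kernel, rootfs, configs) laid out in a fixed order, and that "the kernel or the rootfs is corrupted" is something you can check before shipping a dump to someone else. The script below is an added example, not tooling from this thread or from the DrmnSamoLiu repos: it scans a dump for well-known region magics, flags hits that do not sit on a 64 KiB erase-block boundary (the bootlog in the head of this issue reports 64 KiB erase blocks), and verifies the header and data CRC32s of any U-Boot legacy uImage it finds. It assumes the kernel is packaged as a legacy uImage, which this thread does not confirm for the Tapo, and it runs on a constructed 8 MiB dump rather than a real camera image, so the offsets are illustrative only.

```python
import binascii
import struct
from typing import Dict, List, Tuple

# Added example, not code from the issue thread. Scans a raw SPI-NOR dump for
# region magics and checks U-Boot legacy uImage CRCs. The sample dump built by
# make_dump() is constructed here; real Tapo layouts come from the bootloader's
# partition table, which this scanner does not know.

ERASE_BLOCK = 64 * 1024                      # from "erase size 64 KiB" in the bootlog
UIMAGE_MAGIC = b"\x27\x05\x19\x56"
UIMAGE_HDR = struct.Struct(">IIIIIIIBBBB32s")  # 64-byte legacy header, big-endian

MAGICS = {
    b"hsqs": "squashfs (little-endian)",
    b"sqsh": "squashfs (big-endian)",
    b"\x1f\x8b\x08": "gzip stream",
    UIMAGE_MAGIC: "U-Boot legacy uImage",
}


def scan_magics(dump: bytes, align: int = 0x1000) -> List[Tuple[int, str]]:
    """Return (offset, description) for each known magic found at an aligned offset.
    Checking only 4 KiB-aligned offsets keeps false positives down; partitions
    start on erase-block boundaries, so nothing real is missed."""
    hits = []
    for off in range(0, len(dump), align):
        for magic, desc in MAGICS.items():
            if dump[off:off + len(magic)] == magic:
                hits.append((off, desc))
    return hits


def on_erase_boundary(off: int) -> bool:
    """A region that does not start on an erase block can be read but not rewritten in place."""
    return off % ERASE_BLOCK == 0


def check_uimage(dump: bytes, off: int) -> Dict[str, object]:
    """Parse the uImage header at `off` and verify its header and payload CRC32s."""
    hdr = dump[off:off + UIMAGE_HDR.size]
    if len(hdr) < UIMAGE_HDR.size or hdr[:4] != UIMAGE_MAGIC:
        raise ValueError("no uImage header at offset 0x%x" % off)
    (_magic, hcrc, _ts, size, load, ep, dcrc,
     _os, _arch, _typ, _comp, name) = UIMAGE_HDR.unpack(hdr)
    # The header CRC is computed with the hcrc field itself zeroed.
    zeroed = hdr[:4] + b"\0\0\0\0" + hdr[8:]
    header_ok = (binascii.crc32(zeroed) & 0xFFFFFFFF) == hcrc
    data = dump[off + UIMAGE_HDR.size: off + UIMAGE_HDR.size + size]
    data_ok = len(data) == size and (binascii.crc32(data) & 0xFFFFFFFF) == dcrc
    return {
        "name": name.rstrip(b"\0").decode(errors="replace"),
        "size": size, "load": load, "entry": ep,
        "header_crc_ok": header_ok, "data_crc_ok": data_ok,
    }


def build_uimage(payload: bytes, name: bytes = b"Linux") -> bytes:
    """Build a minimal valid uImage; used only to construct test data here."""
    dcrc = binascii.crc32(payload) & 0xFFFFFFFF
    hdr = UIMAGE_HDR.pack(struct.unpack(">I", UIMAGE_MAGIC)[0], 0, 0, len(payload),
                          0x80000000, 0x80000000, dcrc, 5, 5, 2, 0, name.ljust(32, b"\0"))
    hcrc = binascii.crc32(hdr) & 0xFFFFFFFF
    return hdr[:4] + struct.pack(">I", hcrc) + hdr[8:] + payload


def make_dump() -> bytes:
    """Constructed 8 MiB dump: bootloader string, a uImage kernel, a squashfs marker.
    Erased NOR reads as 0xFF, so that is the fill byte. Offsets are invented."""
    dump = bytearray(b"\xff" * (8 * 1024 * 1024))
    dump[0:16] = b"U-Boot 2014.01\0\0"
    kernel = build_uimage(b"\x00" * 4096 + b"KERNEL" * 100)
    dump[0x40000:0x40000 + len(kernel)] = kernel
    dump[0x200000:0x200004] = b"hsqs"
    return bytes(dump)


def report(dump: bytes) -> List[str]:
    """Human-readable summary of every hit, with uImage CRC results where applicable."""
    lines = []
    for off, desc in scan_magics(dump):
        flag = "" if on_erase_boundary(off) else "  (not on erase-block boundary, read-only)"
        lines.append("0x%06x  %s%s" % (off, desc, flag))
        if desc.startswith("U-Boot legacy uImage"):
            info = check_uimage(dump, off)
            lines.append("          name=%r size=%d header_crc=%s data_crc=%s" % (
                info["name"], info["size"],
                "ok" if info["header_crc_ok"] else "BAD",
                "ok" if info["data_crc_ok"] else "BAD"))
    return lines


if __name__ == "__main__":
    import sys
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_dump()
    print("\n".join(report(image)))
```

Run it with the path to a dump read off the chip (`python3 flashscan.py dump.bin`); with no argument it runs on the constructed sample. A uImage whose header CRC passes but whose data CRC fails points at a damaged kernel region, which is exactly the distinction the reply above is drawing, while a squashfs hit off an erase-block boundary explains the "force read-only" behaviour mentioned at the top of this issue.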

jagheterfredrik commented 2 years ago

Does anyone have C100v2 firmware 1.1.14? (Or below)

calvinytt commented 2 years ago

Does anyone have C100v2 firmware 1.1.14? (Or below)

@DrmnSamoLiu did upload the old exploitable firmware in his website. Take a look there!

calvinytt commented 2 years ago

Thank you @DrmnSamoLiu for making a great tutorial for my very first IP camera journey! Meanwhile, I want to share that video access over RTSP is possible upon capturing packets using https://github.com/volvet/h264extractor. And thus we can successfully obtain videos by building a "localhost" connection.