ultramango / gear360reveng

Some internal information on Samsung Gear 360

Got Remote Shell in Gear 360 (SM-C200) #7

Open usumfabricae opened 6 years ago

usumfabricae commented 6 years ago

I finally could get a shell on the camera; it was a 2-step process.

In the end, since there's a lot of free space under /opt/usr, I created a folder /opt/usr/bin with busybox (telnetd) on the device and made a small change in /usr/lib/systemd/system/factory_check.sh to start telnetd.

It is mandatory to shut down the device, forcing a full restart and a rebuild of the hibernate image; otherwise, when the camera reboots, the hibernate state and the filesystem state will not be consistent. Not writing the details here since this step is quite risky....

KieronQuinn commented 6 years ago

I've tried to replicate this but it doesn't seem to be working properly on my 360.

Adding the files correctly (they needed contents, shown here: https://www.dpreview.com/forums/thread/3971805), and putting the test.sh file in, as well as a supplicant file for my WiFi network, doesn't connect.

I also tried piping the outputs to a log file, to no avail; no log is created.

What firmware is your camera using? Has this maybe been patched?

EDIT: never mind, I've got it to execute shell now so it's not been patched. Working on getting telnet now as well

EDIT2: I got busybox and wpa_supplicant from the NX300 source (my camera didn't have wpa_supplicant, strange), and even with a valid config file it won't connect to the WiFi. wpa_supplicant returns:

Hardware Model=Samsung-DRIMe5-ES

But doesn't do anything. Did your camera have the binary already?

usumfabricae commented 6 years ago

Yes, wpa_supplicant is already installed and is at /usr/sbin/wpa_supplicant. Enclosed are the test.sh and wpa_supplicant.conf I used.

my wpa_supplicant.conf
###########################
update_config=1
ap_scan=1
device_name=Terminal-2
device_type=1-0050F204-1
driver_param=use_p2p_group_interface=1

network={
    ssid="name of WIFI network"
    psk="password of WIFI network"
}
##############################

my test.sh
##############################
echo "START " > /mnt/mmc/log

# stop whatever the firmware already started on the interface
killall wpa_supplicant >> /mnt/mmc/log
killall udhcpc >> /mnt/mmc/log

interface=wlan0
echo "PATH $PATH" >> /mnt/mmc/log
echo "pwd $PWD" >> /mnt/mmc/log
echo "INTERFACE: $interface" >> /mnt/mmc/log

echo "Start ps" >> /mnt/mmc/log
ps -ef >> /mnt/mmc/log
echo "PS -ef" >> /mnt/mmc/log

echo "wlan.sh start" >> /mnt/mmc/log
wlan.sh start >> /mnt/mmc/log 2>&1

ifconfig wlan0 up >> /mnt/mmc/log 2>&1
ifconfig p2p0 up >> /mnt/mmc/log 2>&1

sleep 2

ifconfig wlan0 >> /mnt/mmc/log
ifconfig p2p0 >> /mnt/mmc/log

# associate with the WIFI network, then try DHCP
echo "WPA_SUPPLICANT" >> /mnt/mmc/log
wpa_supplicant -i wlan0 -c /mnt/mmc/wpa_supplicant.conf >> /mnt/mmc/log &
sleep 10
udhcpc -i wlan0 >> /mnt/mmc/log 2>&1 &
echo "UDHCPC " >> /mnt/mmc/log
sleep 5

ifconfig wlan0 >> /mnt/mmc/log
ifconfig p2p0 >> /mnt/mmc/log

echo "SET IFCONFIG" >> /mnt/mmc/log
# For some obscure reason udhcpc does not seem to do a complete config,
# so I forced an IP and default route manually.
# 192.168.1.74 is a free IP on my WIFI router and 192.168.1.254 is the router IP as gateway.
ifconfig wlan0 192.168.1.74 netmask 255.255.255.0 >> /mnt/mmc/log

echo "SET DEFAULT ROUTE" >> /mnt/mmc/log
ip route add default via 192.168.1.254 >> /mnt/mmc/log

echo "netstat rn" >> /mnt/mmc/log
netstat -rn >> /mnt/mmc/log

# start the telnet daemon from the SD card in the foreground (-F)
echo "telnet" >> /mnt/mmc/log
/mnt/mmc/telnetd -F >> /mnt/mmc/log &
sleep 5

echo "DONE " >> /mnt/mmc/log
####################################################

KieronQuinn commented 6 years ago

Thanks, those helped.

It appears in the newer firmware (I'm on the latest) the path no longer contains /usr/sbin. The PATH is now: /usr/share/scripts:/usr/gnu/bin:/usr/local/bin:/bin:/usr/bin:.

I edited the sh file to point it at the binaries. I could have edited the path, but this was just to test (the only other change was switching telnet's directory, as mine's in a scripts folder, as well as changing the IPs to fit my router, of course):

echo "START " > /mnt/mmc/log

killall wpa_supplicant >> /mnt/mmc/log
killall udhcpc >> /mnt/mmc/log

interface=wlan0
echo "PATH $PATH" >> /mnt/mmc/log
echo "pwd $PWD" >> /mnt/mmc/log
echo "INTERFACE: $interface" >> /mnt/mmc/log

echo "Start ps" >> /mnt/mmc/log
ps -ef >> /mnt/mmc/log
echo "PS -ef" >> /mnt/mmc/log

echo "wlan.sh start" >> /mnt/mmc/log
wlan.sh start >> /mnt/mmc/log 2>&1

# binaries called by absolute path because /usr/sbin is not in PATH on this firmware
/sbin/ifconfig wlan0 up >> /mnt/mmc/log 2>&1
/sbin/ifconfig p2p0 up >> /mnt/mmc/log 2>&1

sleep 2

/sbin/ifconfig wlan0 >> /mnt/mmc/log 2>&1
/sbin/ifconfig p2p0 >> /mnt/mmc/log 2>&1

echo "WPA_SUPPLICANT" >> /mnt/mmc/log
/usr/sbin/wpa_supplicant -i wlan0 -c /mnt/mmc/wpa_supplicant.conf >> /mnt/mmc/log 2>&1 &
sleep 10
/sbin/ifconfig wlan0 192.168.1.74 netmask 255.255.255.0 >> /mnt/mmc/log 2>&1

echo "SET DEFAULT ROUTE" >> /mnt/mmc/log
/usr/sbin/ip route add default via 192.168.1.254 >> /mnt/mmc/log 2>&1

echo "netstat rn" >> /mnt/mmc/log
netstat -rn >> /mnt/mmc/log 2>&1

echo "telnet" >> /mnt/mmc/log
/mnt/mmc/scripts/telnetd -F >> /mnt/mmc/log 2>&1 &
sleep 5

/sbin/ifconfig wlan0 >> /mnt/mmc/log 2>&1
/sbin/ifconfig p2p0 >> /mnt/mmc/log 2>&1

And this works!

usumfabricae commented 6 years ago

Perfect :) Unfortunately, it seems that everything is managed by a single executable, di-app... And I was not able to find a way to programmatically interact with the camera to take a snap, record a video...

usumfabricae commented 6 years ago

[root@drime5 ~]# cat /proc/cpuinfo
Processor       : ARMv7 Processor rev 1 (v7l)
BogoMIPS        : 1594.16
Features        : swp half thumb fastmult vfp edsp neon vfpv3 tls
CPU implementer : 0x41
CPU architecture: 7
CPU variant     : 0x4
CPU part        : 0xc09
CPU revision    : 1

Hardware        : Samsung-DRIMe5-ES
Revision        : 0000
Serial          : 0000000000000000

2018-01-04 19:26 GMT+01:00 utack notifications@github.com:

Could you be so kind and let us know the /proc/cpuinfo on this thing? Thank you


KieronQuinn commented 6 years ago

Unfortunately it seems that everything is managed by a single executable di-app...

di-camera-app? I've just poked around in that file, and all its resources. It looks awfully like it's for one of the other Samsung cameras that shares the similar OS (there's hundreds of icon resources that are for their UI), are you sure it's that binary?

It would be useful to find what command starts the device as normal, so we can have it boot in "root" mode whilst keeping normal function

KieronQuinn commented 6 years ago

From the SD zip of the NX1 modding repo here: https://github.com/ottokiksmaler/nx500_nx1_modding/, I found the "st" binary. This allows control for loads of stuff, but I've only got LEDs to work tonight:

---LEDs---
POWER (on/off/blink):
  RED:    st led 0 on
  GREEN:  st led 1 on
  BLUE:   st led 2 on
  YELLOW: st led 0 on, st led 1 on
  PURPLE: st led 0 on, st led 2 on
  L BLUE: st led 1 on, st led 2 on

REAR:  st led 3 on
FRONT: st led 4 on

usumfabricae commented 6 years ago

On my camera the st app does not seem to work, and if I try: st app nx capture single, my camera reboots :(

usumfabricae commented 6 years ago

I'm using the st command already included in the camera.

ultramango commented 6 years ago

I was also able to have the command line - thanks a lot for the instructions - I suspect that the script itself has to be named test.sh, with other name it didn't work (or I did something else wrong).

Unfortunately there's nothing to debug on the filesystem itself, but using busybox and static strace helps (I guess having an Ubuntu ARM filesystem on the card would help as well). I only learned that the Samsung binary is accessing MIPI interface (/dev/d5_mipi and others).

usumfabricae commented 6 years ago

Yes, as you said, everything seems to be managed by the binary camera app. I was wondering about using ltrace (instead of strace) to analyze library calls to the "capture" shared lib, to see if we can reuse it directly. It looks like that app binary is modular and links many different shared libraries, one for each capability (i.e. wifi, bluetooth, capture, image stitching, ...).

My first attempt failed since ltrace has some bugs on ARM and dumps. The dump signal gets trapped (custom libc configuration) and forces an immediate reboot of the camera... so I didn't have a chance to get the core file and fix it. To avoid the sudden reboot I should change the libc configuration in the root device, and I haven't had a chance to analyze the risk related to a misconfig....

On the other side, the sources of the kernel driver for d5_mipi and the other d5 devices are available. They are part of the kernel package. I had a quick look, but since there are almost no comments inside them it is pretty hard to understand how they work. Maybe someone with more skills in kernel and device programming could help.

I have built a small busybox, to avoid wasting memory, with "httpd, sshd, ftpd, telnetd". I was wondering about setting up a httpd service to download the images directly from the camera. It is attached to this e-mail but I didn't have a chance to test it. Due to work activities I am stuck....... at least for a couple of months :(

2018-01-23 9:23 GMT+01:00 ultramango notifications@github.com:

I was also able to have the command line - thanks a lot for the instructions - I suspect that the script itself has to be named test.sh, with other name it didn't work (or I did something else wrong).

Unfortunately there's nothing to debug on the filesystem itself, but using busybox and static strace helps (I guess having an Ubuntu ARM filesystem on the card would help as well). I only learned that the Samsung binary is accessing MIPI interface (/dev/d5_mipi and others).


dragokenlancer commented 6 years ago

When I try it, it seems to half work, but the log gives me this:

p2p0      Link encap:Ethernet  HWaddr 00:90:4C:33:22:11
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

[WL_WPA_SUPPL] Failed to open config file '/opt/usr/media/cred.conf', error: No such file or directory
[WL_WPA_SUPPL] Error!!! dbus_connection_send_with_reply_and_block() failed. dbus error [org.freedesktop.DBus.GLib.UnmappedError.NetconfigError.Code11: net.netconfig.Error.FailGetSimImsi]
[WL_WPA_SUPPL] _net_dbus_get_sim_imsi() return fail
[WL_WPA_SUPPL] Interworking config: - SIM READ ERROR
[WL_WPA_SUPPL] Could not set interface wlan0 flags (UP): Operation not permitted
[WL_WPA_SUPPL] nl80211: Could not set interface 'wlan0' UP
[WL_WPA_SUPPL] Failed to initialize driver interface
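An added example, not code posted in this thread: a small POSIX sh triage of the /mnt/mmc/log that the test.sh scripts above write, so a failed run like the one just quoted can be classified from the SD card without reading the whole file. SAMPLE_LOG is constructed from lines quoted in this thread; the function names, verdict strings and exit codes are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread: classify the /mnt/mmc/log that the
# test.sh posted above leaves on the SD card, so a failed Wi-Fi bring-up can be
# triaged without reading the whole file. SAMPLE_LOG is constructed from lines
# quoted in this thread; the verdict strings and exit codes are this example's own.

SAMPLE_LOG=$(cat <<'EOF'
WPA_SUPPLICANT
wlan0     Link encap:Ethernet  HWaddr 00:90:4C:33:22:11
          BROADCAST MULTICAST  MTU:1500  Metric:1
[WL_WPA_SUPPL] Failed to open config file '/opt/usr/media/cred.conf', error: No such file or directory
[WL_WPA_SUPPL] Could not set interface wlan0 flags (UP): Operation not permitted
[WL_WPA_SUPPL] Failed to initialize driver interface
DONE
EOF
)

# Last IPv4 address the log's ifconfig output reports for wlan0 (empty if none).
wlan0_addr() {
    printf '%s\n' "$1" | awk '
        /^wlan0/             { in_block = 1 }
        /^[^ ]/ && !/^wlan0/ { in_block = 0 }
        in_block && /inet addr:/ { sub(/.*inet addr:/, ""); sub(/ .*/, ""); last = $0 }
        END { print last }'
}

# Verdict for one log text ($1). Exit 0: wlan0 got an address; 1: the
# supplicant failed before the interface was usable; 2: it ran but no address.
triage_log() {
    log=$1
    cfg=$(printf '%s\n' "$log" | sed -n "s/.*Failed to open config file '\([^']*\)'.*/\1/p")
    [ -n "$cfg" ] && echo "note: supplicant looked for config $cfg, not the -c path"
    if printf '%s\n' "$log" | grep -q -e 'Could not set interface wlan0 flags (UP)' \
                                      -e 'Failed to initialize driver interface'; then
        echo "fail: supplicant could not initialize wlan0"; return 1
    fi
    addr=$(wlan0_addr "$log")
    if [ -n "$addr" ]; then
        echo "ok: wlan0 has address $addr"; return 0
    fi
    echo "fail: supplicant ran but wlan0 never got an address"; return 2
}

triage_log "$SAMPLE_LOG" || echo "triage exit status: $?"
```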

TecCheck commented 5 years ago

I think I managed to get a filesystem corruption: if I want to ls in a folder that I created, it can't list the two files inside it because of an Input/Output error. My terminal:

[root@drime5 /]# ls
bin  boot  csa  dev  etc  home  lib  lost+found  media  mnt  network  opt  pref  proc  root  run  sbin  sdcard  smack  srv  sys  tmp  usr  var
[root@drime5 /]# cd /usr
[root@drime5 usr]# ls
apps  bin  etc  games  lib  libexec  local  mod  sbin  share  src  ssl  tmp  ug
[root@drime5 usr]# cd mod
[root@drime5 mod]# ls
ls: cannot access factory_check_script.sh: Input/output error
ls: cannot access autostart_script.sh: Input/output error
autostart_script.sh  factory_check_script.sh
[root@drime5 mod]# ls -laiB
ls: cannot access factory_check_script.sh: Input/output error
ls: cannot access autostart_script.sh: Input/output error
total 8
14706 drwxr-xr-x  2 root root 4096 Oct 27 20:54 .
   16 drwxr-xr-x 14 root root 4096 Nov 21  2017 ..
 1711 -????????? ? ?    ?       ?            ? autostart_script.sh
 1710 -????????? ? ?    ?       ?            ? factory_check_script.sh
[root@drime5 mod]#

Can someone help me please? I don't know how to fix that. Thanks

TecCheck commented 5 years ago

Ok, good news: if you have a corrupted filesystem you can execute the script /usr/bin/erase_snapshot.sh and then, after the camera reboots, make_snapshot.sh.

rroseirac commented 5 years ago

Hi guys, I have an SM-C200 and after loading, it has entered an infinite restart loop. I read the post but did not find a way to reset via the card in the SD card. If you can help me, I'm happy. Or if you have a way to make it come back to life.

TecCheck commented 5 years ago

Have you tried getting the battery and the sd card out and then reinserting the battery?

wrecche commented 5 years ago

I found the modded files from https://www.dpreview.com/forums/thread/4204521 which links to the files, and everything works as stated. Telnet, a minimalist web interface, etc.. But how do I make it so I can connect to it from my wifi, rather than having to connect to its own?

I think that's what you guys were doing at the top? I do have the wpa_supplicant file in /usr/sbin but, not being greatly familiar with nix, I have no clue..

To think I can do more with a small script than what Samsung allows me to do with a galaxy tab, because they deem it not compatible...

Getting it over to my wifi would be nifty!!

TecCheck commented 5 years ago

What Camera do you have? The 2017 or the 2016 model?

TecCheck commented 5 years ago

I modded the script a bit: G360POWE_G360POW.sh.txt wpa_supplicant.conf.txt

Just remove the .txt from both files. Then move the wpa_supplicant.conf into the root of your sdcard and the G360POWE_G360POW.sh into the mods folder.

Have fun.

Zlikster commented 5 years ago

@TecCheck so you have managed to run a script to take a snapshot (with custom ISO, shutter parameters?)? On the 2016 model?

TecCheck commented 5 years ago

I didn't test the whole script. I ran it in recovery mode and it connected to my wifi. Telnet worked fine.

Zlikster commented 5 years ago

2016 model?

TecCheck commented 5 years ago

Yes

jelbo commented 5 years ago

Has anyone succeeded in adjusting the max ISO? That's the only thing I'd like to achieve really. But even though the command might work, I'm not sure if it will stick because the camera will boot into recovery mode when using the script.

kjuanman commented 4 years ago

Ok, good news: if you have a corrupted filesystem you can execute the script /usr/bin/erase_snapshot.sh and then, after the camera reboots, make_snapshot.sh.

Hi @TecCheck, I tried the bluetooth method of nx500/nx1 (https://github.com/ottokiksmaler/nx500_nx1_modding/blob/master/Running_scripts_without_factory_mode_BT.md) and I get the filesystem corrupted too:

[root@drime5 /]# ls -l /usr/etc/bluetooth/bt-stack-up*
ls: cannot access /usr/etc/bluetooth/bt-stack-up.sh.bak: Input/output error
ls: cannot access /usr/etc/bluetooth/bt-stack-up.sh: Input/output error
-????????? ? ? ? ? ? bt-stack-up.sh
-????????? ? ? ? ? ? bt-stack-up.sh.bak

I tried the /usr/bin/erase_snapshot.sh and then, after the camera reboots, make_snapshot.sh, but it did not work for me. Did you take any more steps? Where did you find info about those commands?

Thanks!

kjuanman commented 4 years ago

Well, I recovered my bluetooth. These steps work for me to modify the root filesystem without corruption. Warning, Danger: this can brick your camera. You are modifying your internal read-only root filesystem and it is very easy to get it corrupted.

1) Login in telnet in factory mode
2) mount -o remount,rw /
3) edit some files
4) sync;sync;sync
5) mount -o remount,ro /
6) /usr/bin/erase_snapshot.sh
7) Wait after reboot
8) Login in telnet in factory mode
9) /usr/bin/make_snapshot.sh
10) Wait after reboot
11) Power off camera
12) You can mv info.tg and boot normally

pensadorxx commented 4 years ago

Hi guys, I have an SM-C200 and after loading, it has entered an infinite restart loop. I read the post but did not find a way to reset via the card in the SD card. If you can help me, I'm happy. Or if you have a way to make it come back to life.

I have the same problem = / Did you solve it?