Firmware version 5.2.0? about merkury720 HOT 49 OPEN

guino commented on July 28, 2024
Firmware version 5.2.0?

from merkury720.

Comments (49)

guino commented on July 28, 2024

@dehness I have not seen any 5.x firmware before so I can’t tell much from experience. That said it makes sense for the camera to format the SD card once during boot (to ensure it is ready to be used), but it makes no sense for it to format the SD card on every boot otherwise you would lose previous recordings. I would let it boot up/format once then reboot (without changes) to verify it doesn’t reformat it, then only add the files and see if it reformats (I would expect it should not format it). Then you can try the hack to see if it works, if the hardware is the same I would expect it to work but it is possible for the camera to look the same and have different hardware inside, so unless you opened and took some pictures I can’t say for sure. Alternatively if you can get the /devices/deviceinfo URL to work on this camera it should say the hardware model without having to open it.

damiantof7 commented on July 28, 2024

Hello,

I got a newer version camera here (Same as the OP) currently being sold as "LSC Outdoor camera"

image

/devices/deviceinfo

devname | "Smart Home Camera"
model | "Bullet 4S"
serialno | "100197759"
softwareversion | "5.0.5"
hardwareversion | "B4S_V10_S1_GC1"
firmwareversion | "ppstrong-c71-tuya2_lsc-5.0.5.20210301"
identity | "M1M001AA3202007801"
authkey | "xxxxxxxxxxxx"
deviceid | "xxxxxxxxxxxxxxxxxx"
pid | "aaa"
WiFi MAC | "b4:fb:e3:fc:8d:60"
ETH MAC | "b4:fb:e3:fc:8d:60"

/proc/cmdline:

console=/dev/null LX_MEM=0x3fe0000 mma_heap=mma_heap_name0,miu=0,sz=0x1d00000 pcbversion=B3S_S1_V10 sensor=gc2063mipi

/proc/self/root/home/cfg/tuya_config.json

{ "version": 0, "sleep_mode": 0, "alarm_fun_onoff": 0, "alarm_fun_sensitivity": 1, "alarm_fun_mode_switch": 0, "alarm_fun_time_start": 0, "alarm_fun_time_end": 0, "flip_onoff": 0, "light_onoff": 1, "night_mode": 0, "sound_detect_onoff": 0, "sound_detect_sensitivity": 0, "watermark_onoff": 1, "event_record_time": 60, "enable_event_record": 2, "record_enable": 1, "motion_trace": 1, "motion_area_switch": 0, "motion_area": "", "motion_tracking": 0, "cry_detection_switch": 0, "humanoid_filter": 0, "loudspeaker_vol_pct": 100, "onvif_enable": 0, "onvif_pwd": "admin" }

Only port open by default was 6668
Got port 8090 to open with the ppsFactoryTool.txt

but can't get any of the rest to work, anyone got an idea?

from merkury720.
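
An added example (not part of the thread or of guino's project): a small Python triage of the three artifacts posted above, namely /proc/cmdline, the /devices/deviceinfo fields and tuya_config.json. It flags the default ONVIF password, the credential fields returned by deviceinfo, and a kernel console that names no serial device; the sensitive-field list and weak-password set are assumptions, and the inputs are constructed from values in the post.

```python
import json
import shlex

# Constructed sample input: values copied from the post above (already redacted there).
CMDLINE = ("console=/dev/null LX_MEM=0x3fe0000 "
           "mma_heap=mma_heap_name0,miu=0,sz=0x1d00000 "
           "pcbversion=B3S_S1_V10 sensor=gc2063mipi")
DEVICEINFO = {"model": "Bullet 4S", "softwareversion": "5.0.5",
              "authkey": "xxxxxxxxxxxx", "deviceid": "xxxxxxxxxxxxxxxxxx"}
TUYA_CONFIG = '{"onvif_enable": 0, "onvif_pwd": "admin", "record_enable": 1}'

# Assumptions made for this example, not taken from the firmware.
SECRET_FIELDS = ("authkey", "deviceid")
WEAK_PASSWORDS = {"", "admin", "password", "123456"}


def parse_cmdline(text):
    """Return {name: value} for a kernel command line; bare flags map to True."""
    params = {}
    for token in shlex.split(text):
        name, sep, value = token.partition("=")  # split on the first '=' only
        params[name] = value if sep else True
    return params


def audit(cmdline, deviceinfo, config_json):
    """Return a list of (severity, code, detail) findings."""
    findings = []
    console = parse_cmdline(cmdline).get("console")
    if isinstance(console, str) and not console.startswith("tty"):
        findings.append(("info", "console-not-serial",
                         f"console={console} names no serial device"))
    for field in SECRET_FIELDS:
        if deviceinfo.get(field):
            findings.append(("medium", "deviceinfo-exposes-secret",
                             f"deviceinfo response includes '{field}'"))
    config = json.loads(config_json)
    if config.get("onvif_pwd") in WEAK_PASSWORDS:
        enabled = bool(config.get("onvif_enable"))
        findings.append(("high" if enabled else "medium", "onvif-default-password",
                         "ONVIF password is a default value"
                         + ("" if enabled else " (ONVIF currently disabled)")))
    return findings


if __name__ == "__main__":
    for severity, code, detail in audit(CMDLINE, DEVICEINFO, TUYA_CONFIG):
        print(f"[{severity}] {code}: {detail}")
```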

guino commented on July 28, 2024

@damiantof7 the fact you got /proc/xxxxx to work is a good sign. You could try guino/BazzDoorbell#13 and/or guino/BazzDoorbell#11 to see if it works. If it doesn’t the only way to move forward would be opening the device and connecting a UART-TTL adapter or a hardware programmer.
I would be more than glad to look at the device myself but they’re not available here.

damiantof7 commented on July 28, 2024

Yeah it's a sub-brand from the store itself, They sell all kinds of Tuya Products under "LSC", I got a LSC Doorbell here as well that worked perfectly with the Bazz Doorbell hack

I tried most methods but it doesn't seem to want to execute the ssh file in any way or form, the /proc/cmdline is way different as well

guino commented on July 28, 2024

@damiantof7 it’s a different hardware so likely different bootloader, different OS, different drivers but the application is likely similar so it may be possible to enable rtsp/onvif if we can get access to it. There are probably similar cameras here with different brand name but it would be hard to spot it.

damiantof7 commented on July 28, 2024

Do you think I would be able to do guino/BazzDoorbell#11 with Windows? As it seems to be just formatting to FAT? I got no Linux box laying around

guino commented on July 28, 2024

@damiantof7 you may be able to find the same tools for windows but it would be way easier to boot from a live USB/CD/DVD and do it from there than trying to figure it out in windows. If you have a raspberry pi or similar it should also work (you may need a usb-SD card adapter).

damiantof7 commented on July 28, 2024

Oh and this one guino/BazzDoorbell#13 I couldn't really try as none of it seems to match up with the firmware on my camera, such as /proc/self/root/etc/init.d/S90PPStrong doesn't return anything and the bootargs part etc is nowhere near the same

guino commented on July 28, 2024

@damiantof7 it sounds like we would have to use something entirely new on that firmware (or maybe they just moved files around and we just need to find the new locations). Only way to find out is to open and connect to UART or use hardware programmer to read the firmware.

damiantof7 commented on July 28, 2024

Never done it before haha, Maybe it's time to learn

damiantof7 commented on July 28, 2024

So, I opened up the camera (It was really tough to put it back together)

This is what the board looks like, There are multiple unused connections on the board

image
image

Does it look like anything useful to you?

guino commented on July 28, 2024

@damiantof7 UART is likely the four pads on the bottom left above the hole. I would discourage you from doing any solder work if you’re not experienced with it (fragile board). The flash chip is probably on the other side of the board (not pictured).

damiantof7 commented on July 28, 2024

Hmm what do you think is the smartest thing to do in this case as i've never done this before haha

damiantof7 commented on July 28, 2024

and what would be the best way to connect to the UART port?

guino commented on July 28, 2024

@damiantof7 there's no 'best' way, just one way: soldering wires into a TTL-UART adapter (USB or SERIAL) -- I do not recommend this unless you're familiar with this type of thing OR have someone familiar to help you with it -- these boards are very fragile so the lightest tug/pull on the wire will get the pads right off the board.

damiantof7 commented on July 28, 2024

i'm always willing to learn :) + i've soldered in the past (The good old Xbox 360 RGH Days)

damiantof7 commented on July 28, 2024

and this might be a really stupid question but wouldn't wire clamps work instead of soldering it to the board?

guino commented on July 28, 2024

@damiantof7 as long as you can connect wires to pads and into the UART-TTL adapter it should work. The pads are tiny so I have never seen anything that could connect to that without soldering but I'm sure that's possible.

PS: Learning is always a good thing I just make a point to warn people about potentially damaging their hardware.

damiantof7 commented on July 28, 2024

Good thing i got 2 ;)

damiantof7 commented on July 28, 2024

I checked the pads which you mentioned with a multimeter and all of them seem to be giving off 3.27-3.33v which makes me think it's not the UART port

guino commented on July 28, 2024

@damiantof7 usually out of 4 pads one of the outside ones is ground (which you can check by testing resistance/continuity between the pad and a ground point like one of the screw holes). Out of the other 3 one is RX, another TX and one is 3.3v — from ground ALL 3 will measure 3.3v with a multimeter (which is normal). You don’t need to solder anything to the 3.3v pad but it may be difficult to determine which one that is.

Assuming you connect ground correctly you will not damage anything by mixing RX, TX or 3.3v on the TTL-UART adapter — you’ll only get output when it’s connected correctly (RX side on host) and you’re only going to be able to send data to the terminal if connected correctly (TX side on host).

The bootloader on these boards usually shows a countdown where you can press a key to stop it and will prompt for a password - that could be used to determine the connections are correct.

if you do get to that point let me know and I can send you a few things to try.

damiantof7 commented on July 28, 2024

Hmm, So the one in the top (On the picture) is the ground, I've tried each pad to look for output, no output is being given

guino commented on July 28, 2024

@damiantof7 When I talked about the boot counter I should have been more specific: these boards only output anything on the UART during power on (while booting). So you have to turn it off, connect the pins and turn it on. If it doesn’t show anything you have to turn off, connect it a different way and try again.

damiantof7 commented on July 28, 2024

Which baudrate did you use? (Just to be sure before i start trying again)

guino commented on July 28, 2024

@damiantof7 pretty sure I use 115200 8N1

damiantof7 commented on July 28, 2024

Hmm, Either i'm doing something wrong or something is wrong with putty or my TTL adapter

damiantof7 commented on July 28, 2024

I am constantly pinging the device so i know it's actually booting and not broken but yet no output

damiantof7 commented on July 28, 2024

So if you got any other idea i would love to hear it

guino commented on July 28, 2024

@damiantof7 I have done some work with another user on guino/BazzDoorbell#34 and on that camera there’s no output to the UART except for a few lines during power up — I am saying this to make sure you try to see if you get any output during power up as after that it goes completely silent (unlike other cameras). It was also discovered on the other camera there’s a /sys/console URL which allows the UART to receive a few basic ‘console’ terminals - you should definitely try it.

You may also want to try powering up with the reset button pressed to see if you get any output.

The camera I mentioned above does NOT run Linux and instead runs RTOS so the only way to customize it is by writing a modded flash - the fact that your camera returns something for /proc/cmdline suggests it runs Linux (better) but we won’t know much until you get the UART working or use a programmer to read the flash.

damiantof7 commented on July 28, 2024

Update: Tried everything with the UART Ports to no avail, no output at all (Literally tried it all) /sys/console isn't present on this device.

Put it back together, LED Stays red, Connection through the app doesn't work anymore, Device does still connect when the Micro SD Card is in with the PPSFactory text file, Guess it's kind of dead

guino commented on July 28, 2024

@damiantof7 that seems like the reason why you aren't getting any output.. in any case if this device has a battery you should most definitely make sure you remove it to force a full power off then power it back on again to see. Do any of the URLs like /proc/cmdline and such (which you posted earlier) still work (even if with ppsFactoryTool.txt)? You may want to try to factory reset your device and re-do the enrollment process to see if it does anything.

damiantof7 commented on July 28, 2024

with the ppsfactorytool.txt all the urls etc work, Did a full factory reset to try and get it to connect to the app again (Hear all the tones, reset, connecting and the such) it's simply not doing anything (almost like it's blocked from using cloud services)

device doesn't have a battery

damiantof7 commented on July 28, 2024

As there's no visual damage i might just return it to the store, get a new one and retry the process -_-'

damiantof7 commented on July 28, 2024

and right as i type that the camera connected to the app again, guess it's not dead yet

guino commented on July 28, 2024

could have just been coincidence with the timing and some connectivity issues with their server.

damiantof7 commented on July 28, 2024

Yeah could be, Btw, Quick update on the doorbell, They released an update to enable onvif (It's now a setting in the menu to enable it) Same manufacturer

image

damiantof7 commented on July 28, 2024

But well, You got any idea why the device would include the OEM UID and the OEM Authkey?
This is found under /flash/encryption
image

damiantof7 commented on July 28, 2024

If only there was a URL to back up the current image/firmware on the device, that would make all of this a lot easier

damiantof7 commented on July 28, 2024

or to have the "Firmware Update" feature turn into an RCE for a reverse shell

damiantof7 commented on July 28, 2024

Wait a second
image
If it saves to a file...and it doesn't actually check the contents (Cause it doesn't, I uploaded a random ssh file)

The question is, Does it execute and where does it save the file + can the path where it saves be modified?

guino commented on July 28, 2024

there are only 2 ways to backup firmware: 1-getting UART to work and use the commands to backup to SD card. 2-Using a hardware programmer (which may require moving the flash chip from the device).

Tuya makes the platform (servers, api, interface, app) and sells that to product manufacturers, each of them gets licenses to use the Tuya platform so they have to be identified somehow (likely OEM ID/KEY).

If you got the UART working you'd be able to log the ppsapp output during the firmware update which displays the URL to download the firmware update (which can be downloaded directly if you know the URL). That said the firmware update file has a specific format required for the device to read/accept it, so we can't just modify it and flash it as it would fail validation. Reverse engineering the format would only be a matter of patience and time but it is way faster to go in with UART/Programmer and use bootloader options to mod the device (it's just different for every device).

The upgrade URL most definitely checks the format of the file and validates the data like I mentioned above, so it will probably allow you to upload anything but just ignore invalid format data.

damiantof7 commented on July 28, 2024

After some googling I believe I did find the chip used
http://bbs.16rd.com/shop_product-1-1062.html
http://bbs.16rd.com/thread-563950-1-1.html

I don't speak or read Chinese but from what I can understand the chip actually has 2 UART Ports
LSC has given their own twist to it tho

FringeScientist commented on July 28, 2024

@damiantof7
Were you able to make some progress with the outdoor cam of LSC? I've bought the same one but wasn't able to hack it in any way

damiantof7 commented on July 28, 2024

@FringeScientist unfortunately not

Nigel1992 commented on July 28, 2024

@damiantof7 Any new progress?
I got the same camera and would love to get RTSP working

tosiara commented on July 28, 2024

I have got OEM Tuya MINI7S-A5MB_F37 REV 1_0 2021-06-11 and this rooting method did not work.
Firmware version: 5.2.1
image

tosiara commented on July 28, 2024

I accidentally found your other repo and it seems like this is an exactly similar device. Going to read that one
https://github.com/guino/Merkury1080P

guino commented on July 28, 2024

@tosiara that is the repo that has worked for some 5.2.x firmware, let us know if it worked for you.

tosiara commented on July 28, 2024

Moved discussion here: guino/Merkury1080P#46
