New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Meco J5 Plus - Finding the password #35
Comments
@realroywalker did you try http://admin:admin@:8090/devices/deviceinfo ? I know some Mercury 1080P cameras use that instead of admin:056565099. If you post the firmware dump we should be able to extract ppsapp from it and use ghidra to look at whatever password it may be expecting, that said -- if #11 worked chances are the hack (root) would also work in which case you could get ppsapp that way and we could just see if it can be patched for RTSP/ONVIF (Whatever available, if any). |
Thanks, yes I've tried admin:admin, admin:blank etc. but unfortunately no luck. My camera actually has Onvif by default on the firmware (4.3x) but I'd like to use MQTT to Home Assistant and maybe disable the cloud elements at some point. |
@realroywalker I'm taking a quick look in ghidra -- did you by any chance try: admin:SERIALNUMBER (using the serial number of your camera ? I would also try using the serial number as both user and password. I'm not saying it will work but it's worth a shot. I'll let you know if I find something in ghidra to try. |
@realroywalker It looks like http://IP:8090/tvclient and http://IP:8090/search should work without user:password -- the port may be a different number than 8090 (i.e. 80). I see a specific check for user+password admin:admin in basic authentication (not digest authentication) but it is to actually FAIL if that combination is used -- I am not sure there's a way to force firefox/chrome to use basic auth, but I believe you can do it with curl (linux) -- all I am saying is that the type of authentication might make a difference. Alas, you should try these user:password combinations that seem to be hard-coded in ppsapp: |
@guino Thanks so much - http://WeEyE:&$ChuTian_91@ip:8090/devices/deviceinfo works 👍 Firmware version comes back as ppstrong-c5-s_meco-4.3.0.20200811. |
Seems the hack works just fine, I now have telnet access to the doorbell 😄 I started poking around and noted some subtle differences (for example my config is /home/cfg/dev_settings.json) - but the majority look the same. I am seeing some problems when trying to use the logparser script from #4 (comment) though. Or more accurately, when I try to run ppsapp from the sdcard - looking at custom.sh it seems it checks for a copy of ppsapp at /mnt/mmc01 and kills the running copy if it finds it, then launches from the SD card instead. So I copied the ppsapp from /mnt/mmc01/home/app into the sdcard root, and fired up the doorbell (without any of the MQTT log parser stuff added) - the doorbell light goes blue to show it connected, then after about 10 seconds it seems to reboot, and just sits in that cycle. I added the logparser script to the launch command for ppsapp (just to check it was getting as far as launching ppsapp) and it starts ok and talks to my MQTT broker just fine (for around 10 seconds), then the doorbell reboots like without the logparser added. Seems like there is maybe some check regarding where the ppsapp runs from and causes a reboot just after it starts? Any tips on how to figure out what's going on? |
@realroywalker glad you got it rooted. Regarding the reboot issue -- there are some known issues with killing ppsapp and running it again (even if you don't modify ppsapp) that cause the device to reboot on some versions and some hardware combinations (ie Speed 9X + 2.9.0 firmware). This is likely caused because of poorly written code and drivers which can't be stopped/started correctly like on other hardware/firmware. The solution is to adjust the boot scripts so the only ppsapp executed is the one from the SD card (with your parameters to use the log parser). There's some information on #2 regarding firmware 2.9.0 which you should review then you should compare the S90PPStrong boot script in your firmware with the contents of the S90PPStrong-290 he provided to make sure they're similar enough (you may need to add/remove stuff so it works on yours) but I would expect you should be able to make it work since you're using the hack from #13 The bottom line is that as long as you don't have to 'kill' and 're-run' ppsapp I expect it should work just fine. You obviously would have the option to modify the firmware itself if you have a hardware programmer but that's a much harder way of messing with it. |
Ah ok that sounds promising, I was thinking it was some kind of protection in the app rather than just bad coding 😆 Thanks for the tips, I will check out the init scripts tonight and see if I have better luck! |
I am happy to report that using the tweaks you linked @guino I now have ppsapp running from the SD card without any crashing 👍 I've managed to update the logparser script to work for my bell (log messages seemed to be different for motion) and have updated the custom.sh to setup MQTT discovery of the motion and button events to HomeAssistant. I did notice that when trawling the logs of ppsapp while looking for the motion events, that it spams with:-
Oddly the character 'n' doesn't print for some reason! Is it normal that ppsapp spams with this ? - I checked fstab and it doesn't mention the SD card, so I guess ppsapp itself scans for the card and tries to mount it? |
@realroywalker glad you got it working - if you made any changes for your camera it would be cool if you posted a zip with the files you changed (so future users could get it). Even if you just updated log_parser it would be nice to post it. Regarding the SD card mount, yes ppsapp monitors and mounts it as it sees fit. I don’t know how “normal” it is for it to spam the log with messages about the SD card mount state but if it’s not affecting anything I would just ignore it. I do know for a fact it expects /mnt/mmc01 to be a directory where the SD card is mounted so if that’s not what you have you could tweak your boot scripts so that directory exists and so the SD card is mounted there (obviously make a backup of your work before making any changes since it works right now). Did you want to use snap/mjpeg? I don’t know if your camera has support for it already and I did not look for it in ppsapp but I thought I would check anyway. |
@guino Yes, absolutely - I'm thinking of cleaning up the modifications to make it reusable and documenting exactly the steps for this specific bell, since it seems to vary slightly from the Tuya models. I see no obvious side effects from the log spam apart from SD capacity cannot report in the CloudEdge app (not sure if the event recording to SD can work, as I don't have that turned on at the moment). Snap/mjpeg wasn't something I looked at, as the bell has onvif out of the box so I can get the feed to HomeAssistant and I'm happy with that 😄 |
I have uploaded a copy of the files used here (to be merged with the files from github as per the instructions). As a summary for hacking and use with Home Assistant, the Meco J5 uses (at least on firmware 4.3.0 and 4.3.3) WeEyE as the username and &$ChuTian_91 as the password, however http is disabled by default, so requires booting with the attached ppsFactory file from the 'Wifi' folder on your SD, this will enable HTTP on port 8090 on the doorbell. The firmware can successfully be dumped using #11 To root the device follow the instructions on #13 however for step 2 you should include additional parts to the 'env' as described by https://github.com/DanTLehman/orion_sc008ha#first-success (you can also reference the one included in the attachment here) but essentially you need to add: You should also enable a password as per the hack guidance and set it in passwd on the SD. If that works, you can run; Now wait, hopefully the doorbell boots ok (if not remove the SD and just delete ppsapp-custom) |
@realroywalker Thank you for sharing the files and details. I'll be sure to mention it to others that have the same device. |
Hi! { i'm pretty new in this. Can you please help me so i can send the images to my nas? Thanks so much! |
@kurtqwerty if you don't get a response from /devices/deviceinfo or /proc/cmdline I suspect your camera would be too different to work with the existing hacks. If that's the case the only way to move forward would be to open the device to either connect a UART-TTL adapter OR plug in a hardware programmer to read the flash. What app do you use with this camera anyway (just curious) ? |
I use the LSC app, its a doorbell from a dutch shop called the Action. I do get a prompt to log in, but all the previous users and password (and variations on that to try :) ) didn't work. The app tells me i'm running V5.0.5 |
@kurtqwerty the newest versions of firmware I have seen are 4.x so 5.0.5 is not something I've ever seen. There are plenty of people here that have patched LSC 'Bell 8S' devices but they were all on 2.9.x-2.10.x firmware as far as I know. My doorbell is also labeled as 'Bell 8S' and it runs 2.9.6 firmware. If you haven't yet, please try: #11 to see if you can read your flash -- if you are able to do that I can review the firmware to see what we can do. If #11 doesn't work the only way to go forward is to open the device and hook up a programmer or UART-TTL adapter. |
I have tried to backup the firmware but no succes the bin file is empty. |
@dexternl when #11 doesn't work (with either set of files)l it usually means you have a different bootloader or load address -- the only way to find out is by opening and connecting a UART-TTL adapter or downloading the flash with a hardware programmer. |
Did you try admin:admin? I've got a V5.0.5 LCS doorbell and admin:admin worked for me. I did not try the next steps though but I'm sceptical because my /proc/cmdline looks like this: |
@bertbijnens I haven't seen a cmdline like that either -- all 5.x firmware I have seen runs RTOS (LiteOS) instead of linux and none of them (till now) returned anything /proc/cmdline as far as I heard. You can try #13 but even if the address is correct and it updates the bootloader I expect it just won't work. If you want to try something that doesn't modify the device in any way I would try #11 to see if you can read the flash and that would tell us if it's running linux or something else. |
I have applied the hack using #2 on my ieGeek camera, but realised that I would need to apply #13 as killing the ppsapp restarts the camera. What's the process to follow? Do I need to revert #2 then reapply #13 ?
|
@trizmark you should be able to apply #13 directly as long as you use the original /proc/cmdline (URL response) information in Step 1 (don't use the information from after applying #2). You can reverse #2 first if you want/prefer, then aaply #13 -- it will have the same effect. If the hack is working with #2 the only reason to switch to #13 would be if you wanted the device to work without the SD card, everything else is basically the same (there's no difference in behavior with ppsapp). Killing ppsapp causes most devices to reboot but it usually takes a few seconds for it to happen,-- normally there's enough time to start another ppsapp to prevent a reboot. The only way to prevent the device from rebooting when ppsapp is not running is to disable the watchdog or feed the watch dog -- I remember someone made a watchdog feeder application in the #4 thread awhile back but that's only useful for development/testing since there's hardly any reason to run the device without ppsapp running (since that's what controls most functions of the device). I don't think we have any way to 'disable' the watchdog as of writing this (and I probably wouldn't recommend it either). |
Hi guys, can anyone help me with accessing device webpage please. I am trying to use ieGeek J5 Video Doorbell Camera(Wired) which looks exactly same as Meco J5 doorbell with device version 4.3.3.20210122 using CloudEdge. I bought it from Amazon https://www.amazon.co.uk/ieGeek-Upgraded-Doorbell-Detection-Waterproof-Grey/dp/B093WHLHW8/ref=asc_df_B093WHLHW8/?tag=googshopuk-21&linkCode=df0&hvadid=499306924014&hvpos=&hvnetw=g&hvrand=2472949296402291497&hvpone=&hvptwo=&hvqmt=&hvdev=c&hvdvcmdl=&hvlocint=&hvlocphy=1007895&hvtargid=pla-1261682709005&psc=1 I successfully dumped the firmware (using #11) but I am unable to access device webpage. here is a link of bin file saved in outlook.
I saved ppsFactoryTool in the root directory of the SD card and changed the wifi credential still unable to access the device webpage. I read here thank you in advance for looking into it.. |
@pioneershahid post a zip of your SD Card files (without the SDT folder) and I can take a look to see if there's anything wrong -- I will still take a look at the firmware too. |
Hi @guino thank you for the reply. I think i started from a wrong place at first. I followed #11 first and loaded ppsFactoryTool into the root directory. i think this is why i was not able to access the webpage. However, I started over again format the sd card via cloudege app. I placed ppsFactoryTool into the root directory first. To my surprise i was able to access webpage.
Instead of using #11 I directly used #13 and completed steps 1 to 7 with result done at the end. no issue. see result of the script using
Next step would be to access telenet and link it with thome assistant. however, when i open the app to view if everything is working, I cannot access doorbell live stream via cloud edge app. it is not loading the stream and says "establishing encrypted channel" - see snip below and content of sd card SD Card content onedrive like Any advice please where i went wrong.. thank you in advance. appreciate all your help. |
I think I cracked this one! The issue seems to be that when psapp is killed, not all resources are released, so the newly started psapp is unable to bind to the ports that were already in use by the previous instance. |
@trizmark That's great news! I was going to suggest you to use Dan's changes to start ppsapp right away (without ever needing to kill it). There's a watchdog feeder in the off-line cloud issue which you can try: #4 (comment) , just unzip it onto the SD card and add: The only thing with this watchdog feeder is that it was compiled for armv7 and if your device has older hardware (armv5) then it won't run -- you can test to see if it works on telnet: just run Some firmware versions also have a 'watchdog_feeder' tool in /sbin -- which would be worth a shot if it's available. |
@guino I didn't try the WDT feeder as I can accept the possible restart once the device boots. It's not really an issue. The doorbell has been working fine for the last 2 days. |
@trizmark you would need to compile the tool with the right toolchain (armv5 uclibc) so it runs correctly. Definitely try a hello world first then try something bigger. Here’s the link to the toolchain I used to compile for armv5: The Merkury720 repository has the source code and binary file for jpegarm available to compare/test - just run it without parameters and it should show a usage message if it works. Thanks for the beers! |
@trizmark I have posted an armv5 mqtt publisher tool in the repos recently -- just thought I'd let you know: #59 (comment) |
Thank you @guino ! With the toolchain I managed to compile the MQTT subscriber, which I needed to properly integrate the doorbell with Home Assistant. (Auto-configured entities need reconfiguring if HA is restarted.) Oh, and I also resolved the disappearing cgi-bin directory issue. Lessons learnt: always, always, always throw away the SD card that comes with the device and replace it with one from a reliable/reputable brand. Simple as that. |
In case anyone finds this thread and is bummed out they have to go through all the trouble of cross compiling mosquitto for Armv5 because they need a username and password for publishing to work right in their environment... fear not. |
I'm back. 😞 So my doorbell has been working fine for a few weeks. Got nicely integrated with HA, push notifications to Telegram/Pushover, got ssh running on it with sftp. Came home from my morning walk and it's flashing red. Took it off, can't see anything wrong on the card. Put ppsFactoryTool.txt back and it boots fine. Connects to WiFi, starts telnet/ssh. Remove ppsFactoryTool and nothing. Just flashing red. |
@trizmark Did you try booting without the SD card at all ? If you get red blinking light booting without the SD card it could only be because of internet connection issues (to tuya servers) or hardware issues (i.e. flash memory corruption, issues with the video capture sensor, etc). Since you said it boots in factory mode (ppsFactoryTool.txt present) the underlying hardware may be ok but it may be failing when trying to start other hardware features not initialized while in factory mode (i.e. the audio+video capture). I also recommend total power off, waiting a few minutes then power on (not just a reboot) -- one of my cheap indoor cameras freezes every now and then and if I just reboot it doesn't completely start again, but if I power off, wait a few minutes and power back on it usually boots normally (sometimes takes a few tries). I have heard of at least 1 user who had a flash memory corruption due to powering the device on/off numerous times -- flash memory is susceptible to corruption if the device is writing at the moment power is cut off, these devices don't write frequently to the flash but it's possible (and only way to know for sure is with a hardware programmer). |
@guino The camera doesn't start without the SD card as the hack I applied the hack from #2 . I added some debug messages to initrun.sh and custom.sh and everything seems to be executed, but the camera does not connect to wifi. I even added a netstat to custom.sh and I can see ssh/telnet/www all listening. Not sure where to go from here. |
@trizmark if the startup sound changed, the camera ma y have gotten an update (without your permission) -- try removing the ppsapp file and the 'home' folder from the SD card and let it boot to see if it works. Regardless of working or not check if the ppsapp in the home folder (will be recreated) is the same as the one you had before. There are 'troubleshooting' steps to 'remove' the hack on #2 which you can use to allow the camera to start normally (without SD card), you try that and re-apply the hack later if you wish to try but I'd check the above first -- chances are it got an update and the old ppsapp (from SD card) may not run correctly with the new firmware and you just need to use the new one. |
@guino The changed startup tone is a red herring - it's probably my memory failing me. I removed the home folder and booted the camera, but the two ppsapp binaries have the same MD5, so there was no update. |
@trizmark if the camera booted and created the home directory but didn’t start ppsapp completely (red light) it could be something wrong with the video hardware. If you have restored the original settings (troubleshooting steps on #2) and it is not booting then either the reversal didn’t work or there’s something wrong with the hardware. Can you try to get a current /proc/cmdline from the device using ppsFactoryTool.txt? That would tell us the current state. Alternatively you can simply apply #13 and see if you can enable telnet (this may work even though ppsapp isn’t starting completely). It is ppsapp that controls the led state, so if it doesn’t turn blue it means ppsapp may not be finishing the startup process but it doesn’t mean it isn’t running ( The reset button on power on simply tells the device to read ppsMmcTool.txt which sets the boot command line using the env file. I think it may blink blue briefly when it is reading ppsMmcTool.txt but it may be different on some devices. When not using reset button it would probably stay red until later in the boot process. The 5 seconds is just enough time to make sure the device started to boot after power on. Anyway, the only thing to compare is boot without holding reset vs boot holding reset to see if there’s any LED status difference during the first few seconds. You could also try using ppsFactoryTool.txt and holding reset button after it has been powered on for a few minutes to see if it can reset it back to factory state. you are welcome to post a zip of the files you’re using to restore original boot settings and/or apply #13 and I will be happy to review. Lastly if you changed SD cards after you originally applied the hack, there’s a chance the new SD card may not be working (during boot) to change the boot settings — most SD cards work after boot of the device but many don’t work with the boot loader (first few seconds after power on). |
@guino So, after everything was working, the first thing that went was the video stream. One morning the red light was flashing on the doorbell and it would simply not boot up properly. |
@trizmark your files look fine. If the device isn't connecting to the wifi with ppsFactoryTool.txt the only thing you can do is try different SD cards to do the restore (using the files you just posted) -- if one SD card works the device should boot completely (at least to the point of hearing the startup sound). It would not hurt to keep the initrun.sh from #2 in the SD card just in case the hack from #2 is still installed (and hasn't been removed by your attempts). If you exhaust your SD card options I'd repartition+reformat the SD cards available and try again just to be sure. If your device is still under the warranty period I'd try to get a replacement under warranty (as the changes you have performed should have not damaged the hardware in any way -- but this is sounding like a hardware issue). |
@guino ok, I am totally embarrassed. I really should read the manual before posting stuff. I've been pressing the doorbell button instead of reset. Guess what? As soon as you start doing the right things, you end up with a working doorbell. 😭 |
@trizmark I am just glad your device is working, hopefully you can set it up like you wanted again. |
@guino It only took 20 mins to get it back to a state I wanted. Everything is working well again. |
@trizmark Glad you got it all working. The resolution of the jpeg images is fixed by the device (hardware encoder) and are always low resolution. You can get a high-resolution snapshot using something like this https://github.com/guino/rtsp2jpeg but it will add considerable delays unless you're constantly taking snapshots. I have tried to change the code to see if I could make high-res JPG snapshots but was not successful. |
folks, i am back with another query and hope if anyone can help me.. Problem: when I connect doorbell to power and it turns on fine. it detects motions and sends trigger to Ha. However, within few seconds, it restarts and stays connected. when i try to press the button, nothing registers in doorbell.. if i restarts doorbell via telenet or powercycle it. same things happens again. i know there is somewhere minor issue with the code and cannot seem to comprehend what needs to be fixed .. here is the content of my sd card please thank you. |
@pioneershahid "However, within few seconds, it restarts and stays connected. " --> you're saying the doorbell is restarting after you get a motion trigger from the doorbell ? if so, that's not normal. The image you posted suggests you 'received' some doorbell button and motion notifications in HA ? (maybe you were testing by hand) I would advise you to do the following:
-execute (replace user+password accordingly):
The above commands should allow you to test if HA is receiving the notifications correctly and/or/if any of the above commands is causing the device to restart. If the commands work correctly on telnet and HA receives the notifications correctly without causing the device to restart we may just need to review the otutput.log file -- the one on the link you posted didn't seem to have any motion/button events in it (so you'd have to create one and upload it for review). |
Hi @guino, Apologies for the late reply. yes, this is what happening.. its stays connected after it restarts. when i attempt to press button, nothing happen. I test the MQTT message and the commands are sent to HA without issue .. i have used the code and it is receiving in HA without issue. please see attached snip and output log. The issue appears to be on the doorbell side i think. Thanks once again for your time. |
@guino just trying over again.. the output of each commands are as follows after placing ppsFactoryTool in the root. I hope this may help? http://WeEyE:&$ChuTian_91@192.168.xx.xx:8090/devices/deviceinfo
http://WeEyE:&$ChuTian_91@192.168.xx.xx:8090/proc/cmdline output as follows, http://WeEyE:&$ChuTian_91@192.168.xx.xx:8090/proc/self/root/etc/init.d/S90PPStrong
|
@pioneershahid did you have to patch ppsapp ? I see one on the root of your SD card and from the output.log it looks like your device is not liking it when we kill ppsapp and run it again. I would check if this information helps you: If you had to patch ppsapp then you'd have to use Dan's changes to run the patched ppsapp directly (without having to kill it first): https://github.com/DanTLehman/orion_sc008ha |
@guino no, i am not using any patched ppsap. I followed the steps detailed in the forum mentioned in last post or start of this thread wiht same result .. not sure what exactly is happening.. i can send commands to HA from telenet. whenever button is pressed, no notification is sent. I tried over and over again several time with same result. i restore the and started all over again using https://github.com/guino/BazzDoorbell/issues/2 without any successes.. |
@pioneershahid can you post a zip of your SD card files without the SDT folder ? I can review to see what's happening and what may be wrong. |
Hi all,
I have a Meco J5 doorbell (seems to be another spin on the same ppstrong hardware) - however this one runs using CloudEdge app (not Tuya).
However, I've played around and have dumped the firmware (using #11) and it seems that its running ppsapp etc. the same as the Tuya models.
The doorbell has port 80 disabled by default, so I've used the ppsFactoryTool trick to get port 8090 open, I can connect to http://admin:056565099@:8090/devices/deviceinfo the connection works, but the login credentials fail (they just keep popping back up).
I tried Firefox and Chrome but same result, so I guess the password may be different for this unit.
Does anyone know if I might be able to find the password within the firmware dump ? - I've run it through binwalk and extracted the contents, but not sure where it may be buried.
The text was updated successfully, but these errors were encountered: