Shell Access

[llevi]

Hi,
I have a Tapo C100 camera.
You can get an uboot shell via grounding the CS pin of the spi flash, when it shows "autobooting" message.
After that, you can boot in to linux via init=/bin/sh bootarg.
You can even create a partition to sdcard and dd the mtdblock6 to it, and show the linux from uboot to get the rootfs from there.
I can provide the exact commands if you need it.
I want to get a root shell via telnet, when it is in the wall, assembled (not doing the CS pin grounding hack).
My problem is: I cannot write the rootfs, not only because its squashfs, but it
"doesn't start on an erase block boundary -- force read-only"
I am thinking about to write the boot - mtdblock partition to tell the 2nd uBoot to add root=/dev/mmcblkp1 to bootargs
Do you think we can cooperate with this experiment?

[nervous-inhuman]

Hi @llevi,
thanks for your help regarding getting a shell on the device!

I'll try to replicate your steps on my C200 camera.

Do you think we can cooperate with this experiment?

Gladly. What'd be the best way to contact you?

[llevi]

I'm on facebook messenger:
https://www.messenger.com/t/llevi95

[nervous-inhuman]

I'm on facebook messenger:
https://www.messenger.com/t/llevi95

You should have a message from me in your inbox.

[depau]

Hi @llevi,
I tried your approach but it seems like they disabled the u-boot shell on the C200, when the checksums fail it starts a HTTP server on the internal ethernet port instead of spawning the usual shell:

U-Boot 2014.01-v1.2 (Jul 20 2020 - 10:28:45)

Board: IPCAM RTS3903 CPU: 500M :rx5281 prid=0xdc02
force spi nor mode
DRAM:  64 MiB @ 1066 MHz
Skipping flash_init
Flash: 0 Bytes
flash status is 0, 0, 0
SF: Detected XM25QH64A with page size 256 Bytes, erase size 64 KiB, total 8 MiB
Using default environment

Autobooting in 1 seconds
copying flash to 0x81500000
flash status is 0, 0, 0
SF: Detected XM25QH64A with page size 256 Bytes, erase size 64 KiB, total 8 MiB
SF: 8388608 bytes @ 0x0 Read: OK

Firmware check failed!
Enter recovery mode.
In:    serial
Out:   serial
Err:   serial
Net:   Realtek PCIe GBE Family Controller mcfg = 0024
no hw config header
new_ethaddr = 00:00:23:34:45:66
r8168#0
Using default environment


Running command httpd!--Debug by Mazexiong
SF: Unsupported flash IDs: manuf 00, jedec 0000, ext_jedec 0040
flash status is 0, 0, 0
SF: Detected unknown with page size 256 Bytes, erase size 64 KiB, total 8 MiB
SF: 10240 bytes @ 0x1d800 Read: OK
NetReadAndSetEthaddr: no mac address found.
HTTP server is ready!

SF: Unsupported flash IDs: manuf 00, jedec 0000, ext_jedec 82fc
flash status is 0, 0, 0
SF: Detected unknown with page size 256 Bytes, erase size 64 KiB, total 8 MiB
SF: 10240 bytes @ 0x1d800 Read: OK
error: no mac address found
local info init failed, exit
Attaching option 01 to list
Attaching option 03 to list
Attaching option 06 to list
file: apps/dhcpd/dhcpd.c,line: 870==:dhcpd init OK. --debug by HouXB
HTTP server is starting at IP: 192.168.0.10
file: lib_uip.c,line: 115==:uip set a8c0-a00. --debug by HouXB
file: lib_uip.c,line: 130==:start infinite loop! --debug by HouXB

If I wait for it to load the second stage u-boot and then bring the chip select low when it says "autobooting", it will simply hang:

U-Boot 2014.01-v1.2 (Jul 20 2020 - 10:28:45)

Board: IPCAM RTS3903 CPU: 500M :rx5281 prid=0xdc02
force spi nor mode
DRAM:  64 MiB @ 1066 MHz
Skipping flash_init
Flash: 0 Bytes
flash status is 0, 0, 0
SF: Detected XM25QH64A with page size 256 Bytes, erase size 64 KiB, total 8 MiB
Using default environment

Autobooting in 1 seconds
copying flash to 0x81500000
flash status is 0, 0, 0
SF: Detected XM25QH64A with page size 256 Bytes, erase size 64 KiB, total 8 MiB
SF: 8388608 bytes @ 0x0 Read: OK
verifying uboot partition...
ok
verifying kernel and romfs partition...
ok
set watchdog, resetting...

U-Boot 2014.01-v1.2 (Sep 30 2020 - 07:11:39)

Board: IPCAM RTS3903 CPU: 500M :rx5281 prid=0xdc02
force spi nor mode
DRAM:  64 MiB @ 1066 MHz
flash status is 0, 0, 0
SF: Detected XM25QH64A with page size 256 Bytes, erase size 64 KiB, total 8 MiB
Flash: 0 Bytes
flash status is 0, 0, 0
SF: Detected XM25QH64A with page size 256 Bytes, erase size 64 KiB, total 8 MiB
Using default environment

In:    serial
Out:   serial
Err:   serial
Net:   Realtek PCIe GBE Family Controller mcfg = 0024
new_ethaddr = 00:00:00:00:00:00
r8168#0
Autobooting in 1 seconds
flash status is 0, 0, 0
SF: Detected XM25QH64A with page size 256 Bytes, erase size 64 KiB, total 8 MiB
SF: 3145728 bytes @ 0x60000 Read: OK
## Booting image at 82000000 ...
   Uncompressing Kernel Image ... OK

Starting kernel ...

[nervous-inhuman]

Hi @depau,

you can kill the httpd server by hitting Ctrl-C, I believe.

From there, you'll be dropped into the U-boot shell.

[depau]

Hi @depau,

you can kill the httpd server by hitting Ctrl-C, I believe.

From there, you'll be dropped into the U-boot shell.

I have no idea why I didn't even try 🤦‍♂️ it works, thanks!

Web failsafe mode aborted!

httpd - httpd	- start www server for firmware recovery

Usage:
httpd - No additional help available.
rlxboot# <INTERRUPT>
rlxboot# 

[nervous-inhuman]

To boot into a shell, you also need to set the init to /bin/sh as mentioned above, plus copy the "firmware" into memory and boot from it.

setenv bootargs 'console=ttyS1,57600 root=/dev/mtdblock6 rts-quadspi.channels=dual init=/bin/sh'
sf read 0x81500000 0x60000 0x300000
bootm

Please note, that devfs, sysfs aren't going to be mounted when you boot from memory, because init wasn't run.
Supposedly running /etc/preinit will mount them, but I haven't tested it, since I managed to fry my C200. 🤦‍♀️

[llevi]

@depau I have a working C100 (yet :D )
I have tried to modify the rootfs, but I could not, because "doesnt come with erase block boundary"
Maybe I could write the whole flash,I tried to use a ch341A programmer, but it ( via flashrom ) doesn't recognised it as an spi flash.

[depau]

To boot into a shell, you also need to set the init to /bin/sh as mentioned above, plus copy the "firmware" into memory and boot from it.

setenv bootargs 'console=ttyS1,57600 root=/dev/mtdblock6 rts-quadspi.channels=dual init=/bin/sh'
sf read 0x81500000 0x60000 0x300000
bootm

Please note, that devfs, sysfs aren't going to be mounted when you boot from memory, because init wasn't run.
Supposedly running /etc/preinit will mount them, but I haven't tested it, since I managed to fry my C200. woman_facepalming

I dumped the flash overnight, I'll inspect it today. I thought I'd be able to get root access over serial during normal operation but they disabled all accounts, I guess I'll have to find another way.

I did get all the binaries and the certificates though.

@depau I have a working C100 (yet :D )
I have tried to modify the rootfs, but I could not, because "doesnt come with erase block boundary"
Maybe I could write the whole flash,I tried to use a ch341A programmer, but it ( via flashrom ) doesn't recognised it as an spi flash.

I have a programmer compatible with minipro and it supports it. You need to desolder it though, they didn't put diodes in the power lines so it will power the whole board if you use a SOP8 clamp or SMD clips.

[llevi]

@depau If you have powerful enough computer, you can try to bruteforce the root password which is in /etc/passwd .
I dd-ed the rootfs to an sdcard and could successfully boot up with changed root pass. and voila - working system with root shell (tell this because they didn't disabled all accounts, they just password-protect the root acc)

[depau]

I tried with multiple wordlists but no such luck. Here's some info i gathered including the (uncracked) crypt md5 hash: https://md.depau.eu/mA9zdqPKTPCCz2sgWlh3_g

…

On Sun, Nov 29, 2020, 21:16 llevi ***@***.***> wrote: @depau <https://github.com/Depau> If you have powerful enough computer, you can try to bruteforce the root password which is in /etc/passwd . I dd-ed the rootfs to an sdcard and could successfully boot up with changed root pass. and voila - working system with root shell (tell this because they didn't disabled all accounts, they just password-protect the root acc) — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#1 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAIZCWKZLO73GCGWJ5E3CULSSKTY7ANCNFSM4SGEKLZA> .

[kubik369]

Hi, I was able to find the default root password in the released GPL code together with the sequence to stop autoboot and fall through into the uboot console. The default root password is slprealtek and the uboot stop keyword is slp.

You also don't really need to rewrite the flash with a programmer, you can use tftp to boot over Ethernet, I can whip up some pinout pictures if someone would be interested in this. I was also able to use the camera as a regular AP while connected over Ethernet, which is pretty nice.

[nervous-inhuman]

Ahoj @kubik369,

I was able to find the default root password in the released GPL code together with the sequence to stop autoboot

would you mind linking to the GPL sources so I could document it in this repo?

you can use tftp to boot over Ethernet, I can whip up some pinout pictures if someone would be interested in this

I'd highly appreciate this, as it's been something I've been thinking about since I've seen the unused header

Thank you for your contribution!