Shell Access #1
Comments
Hi @llevi, I'll try to replicate your steps on my C200 camera.
Gladly. What'd be the best way to contact you?
I'm on facebook messenger:
You should have a message from me in your inbox.
Hi @llevi,
If I wait for it to load the second stage u-boot and then bring the chip select low when it says "autobooting", it will simply hang:
Hi @depau, you can kill the httpd server by hitting From there, you'll be dropped into the U-boot shell.
I have no idea why I didn't even try 🤦♂️ it works, thanks!
To boot into a shell, you also need to set the init to
Please note that devfs and sysfs aren't going to be mounted when you boot from memory, because
@depau I have a working C100 (yet :D )
I dumped the flash overnight, I'll inspect it today. I thought I'd be able to get root access over serial during normal operation but they disabled all accounts, I guess I'll have to find another way. I did get all the binaries and the certificates though.
I have a programmer compatible with
@depau If you have a powerful enough computer, you can try to bruteforce the root password which is in /etc/passwd .
I tried with multiple wordlists but no such luck.
Here's some info i gathered including the (uncracked) crypt md5 hash:
https://md.depau.eu/mA9zdqPKTPCCz2sgWlh3_g
On Sun, Nov 29, 2020, 21:16 llevi ***@***.***> wrote:
> @depau <https://github.com/Depau> If you have a powerful enough computer,
> you can try to bruteforce the root password which is in /etc/passwd .
> I dd-ed the rootfs to an sdcard and could successfully boot up with
> changed root pass, and voila - working system with root shell (tell this
> because they didn't disable all accounts, they just password-protect the
> root acc)
Hi, I was able to find the default root password in the released GPL code together with the sequence to stop autoboot and fall through into the uboot console. The default root password is You also don't really need to rewrite the flash with a programmer, you can use tftp to boot over Ethernet, I can whip up some pinout pictures if someone would be interested in this. I was also able to use the camera as a regular AP while connected over Ethernet, which is pretty nice.
Hi @kubik369,
would you mind linking to the GPL sources so I could document it in this repo?
I'd highly appreciate this, as it's been something I've been thinking about since I've seen the unused header Thank you for your contribution!
Hi @nervous-inhuman (are you from CZ/SK? :) ) Here are the links for Tapo C100 and C200:
However, they are the same thing, to the bit (at least the last time I checked). The C200 one had been published on the website when I checked; the C100 one I needed to request. Thankfully, TP-Link support was really prompt and they provided me with the link basically the next day (they also put it up on the website). I am pretty sure that we can get C310 sources the same way. I don't own a C310 camera yet, only C100 and C200. Since C100 and C200 are basically identical and they have those unpopulated headers, I suspect that C310 will also be identical. What do you think would be the best course of action for contributions? I think that we should try to team up with the people that are working on the pytapo library and aggregate all pieces of information that we were able to find out. We can either put everything into their repository wiki or add a link pointing to this repository from theirs. I am going to take a picture of my "setup" and annotate it, and after we work out the best course of action, I will write down everything I know and commit it to the agreed repository :)
Replying to @kubik369:
Yeah! The reason why I started this repo is because I found this camera for cheap on Alza, and wanted to get a root shell on it and to integrate it into my Home Assistant setup. ...
I'm unsure, as far as I was aware some months ago, I was the only person/this was the only repository focused on Tapo C200/Cxxx research. ...
This sounds fantastic, I didn't know about their project. I believe this repo predates theirs by about a month.
Cool, so we have a common goal, I want to do literally the same thing :D It just so happened that I also need to do a diploma thesis from security, so hopefully it will also fit that use case. Here is the Ethernet pinout annotation, the connector should be Molex Picoblade, 1.27mm pitch, 4-pin. I haven't received the cables for it, so I cannot say for sure, but I was able to solder the cables to the connector and it works. The numbering is T-568A. I think we can create an issue over on their repo and try to start a collaboration. Send me an email to kubik ~ at ~ ksp.sk and we will try to find a common communication channel for the two of us for now :)
I can confirm that the password and the uboot stop keyword work ;) I'm collecting RE info (mainly regarding the app) here: https://md.depau.eu/mA9zdqPKTPCCz2sgWlh3_g
Hi, I'm keen to improve Pytapo (or at least my fork, sorry, Github noob) by adding in any additional (including undocumented) features. I downloaded the GPL for the C200 (my camera) and found a few custom config files referring to the On Screen Display (OSD) and now I have translucent, black, and white text options (not the most exciting feature) but I'm keen to discover more hidden features. Sadly, I cannot find any other camera-specific files or configs in the GPL, it simply seems to be a custom modified buildchain for OpenWRT, but (almost) all the interesting custom files seem to be stripped - bar the root password in .config and some very sparse files in:
Has anyone managed to dump the filesystem directly off the camera? I would have a go myself but I can't seem to crack the C200 open without destroying it. Huge thanks to everyone's efforts so far - thanks Depau for the collection of RE info, although I don't understand where you got most of it from? I'm so impressed with the hardware and (potential) functionality you get for such a low price (how do they do it?) - camera, IR illuminator and automatic filter, motor drives, speaker, microphone, sd slot, led, and wifi. With some work, it could be a good choice to become the "hacker's choice of camera", provided they don't discontinue it.
Hi @gsmortimer, you can find all of the firmwares I was able to obtain here: https://drive.google.com/drive/folders/1_aJHhIYNdESZZMYEvmLOdNwQWA8BRLcE . The .bin files are the whole firmware images, as downloaded from the TP-Link servers. If I got it right, I think Depau started by decompiling the Android app. I'm personally looking into first trying to find out whether the firmware uses any form of signing. If not, then we should be able to at least include our own lua scripts in repacked images. I have also been looking into porting modern openWRT to the camera, but the SoC used (RTS3903 from Realtek) uses a CPU with Lexra cores, which are not supported in the mainline kernel. I was able to find some patches on the lkml [1], I have contacted the author and he said that it is mostly done, so I might try looking into it. He added support for LX5280, RTS3903 uses RLX5280, I haven't yet found out whether they are the same core, but even if they were, I have literally no idea if there is any possibility of writing drivers for the video encoders. So far, I was able to find only a few hints that RLX5280 is a newer generation, but the instruction set could be the same. I hope this helps you in some way :) [1] https://lore.kernel.org/patchwork/project/lkml/list/?series=367909&state=*
Thank you! This is fantastic, I will have a good look tonight. While I've been a user of openWRT since White Russian, I'm not a developer and the buildchain is still a bit of an enigma to me past fiddling with settings in make menuconfig. But I will try to contribute anything useful I (struggle to) find out back to this thread. I was also thinking it would be awesome to build a complete custom FW for these cams but thought it might be a bit unrealistic (too much effort and not enough following?) But seeing as they are already running OpenWRT maybe it's not just a pipe dream?
I mean, we have the Realtek SDK from the sources, so we might be able to cook something up, but it certainly won't be running a mainline kernel anytime soon. I cautiously think of it in the pipe dream territory, as there are many routers out there which use the same Lexra CPU core and they are not supported in OpenWRT. Ironically, this family of cameras and those routers usually run on some ancient fork of OpenWRT. Just like you said, a lot of the software written by TP-Link is missing from the sources, so it's a little hard to recreate it, at least the important parts. I will be pretty happy if we are able to create a neutered version of the official firmware, one which only runs the RTSP/ONVIF server and possibly some config website which just executes
Just stumbled upon your repo and I'm really glad someone else is trying to RE the tapo C200 too. My web frontend skill sucks so maybe try to zoom in and out on the page so you won't miss some tabs!
Hi DrmnSamoLiu, That's a fantastic amount of info you've collected together there, good work! Thanks to your guide on opening the C200 without destroying it, I've just this second finally soldered a header on and got shell access (I note you didn't have the password - see Depau's link above, it is listed there). I'm a beginner at reverse engineering but the others on here seem to be very knowledgeable and have got a great deal of info on the C100 (which is almost identical firmware but without motors I think). I'm keen to stop the "cloud" access and improve the PYTAPO python library so it can be controlled and accessed completely locally. I can probably do that via the serial interface, but it would be nice to do it via a software-only method, it looks like you are a master of that side of things! I don't get much of a chance to work on this, but I'll contribute anything I find back here. Edit: I've dumped a load of stuff from my C200 camera, UCI says the FW is 1.0.14 but it might actually be 1.0.17 and they just forgot to rename it https://georgeimmi.com/download/tapo/c200/. Feel free to use. The UCI dump might be interesting - much of the config is persistent between boots (unlike the root fs, the overlayfs is not persistent), and some of the entries might be unintentionally writeable via the JSON interface?
Wow, this is a lot of info. Personally, I'm only trying to be able to download the stored files in the µSD card to an external drive (I see that you could get to stream them, but I see no use in waiting 3h to download a 3 hour video file). Is there a known way for this?
Using physical UART access, you can run telnet (rather than suffering the UART shell), but there's no ftp software, and the http server installed has been too heavily modified as far as I can gather. However, there is wget which is a quick way to get additional software onto it (instead of sd card). The Realtek MIPS SDK includes a toolchain allowing compiling of code which I've had a lot of success with, so you can simply cross-compile your favourite http or ftp server and wget it across and run it. The problem is saving the state between reboots. (Yes, I have it on a UPS currently.) As it stands, the filesystem is read-only (OverlayFS is used but never written to flash, and I don't think it can be, as the misaligned flash block boundaries seem to have forced read-only on those blocks). The only thing that is saved to flash is 64KB of config data, which is just the UCI configuration files. This is done via a program called "uc_convert", which I am using as my first ever reverse engineering challenge. 3 or so weeks in, I've picked through a snowman decompilation, and am getting close to 50% of the important stuff rewritten and compiled. My hope is that I can find a way to generate a config file that "overwrites" some system files and allows shell access automatically just after boot, such that the device is sort of "soft rooted". Once I get my findings organised I'll link them here. If anyone fancies contacting me directly (this issues post is not the most convenient way to communicate!), use e m a i l - t a p o @ g e o r g e i m m i dot com. Especially if you can tell me how on earth you set the "des_min_do()" function in libsecuirty.so to "decrypt mode" (not critical, it's just driving me up the wall not knowing).
@gsmortimer Not sure if you read it or not, but there's actually a way to exploit a command injection vulnerability to enable telnet even after reboots, which we also documented: https://drmnsamoliu.github.io/telnet.html About the des_min_do() problem, maybe this post can help you: https://malware.news/t/tp-link-cpe-510-520-new-config-bin-structure-decryption-modify-re-encryption/38451
@DrmnSamoLiu I have found out an interesting thing: my camera (C100) didn't have telnet on 1.0 firmware, busybox wasn't compiled with it. Your findings came as quite a surprise to me, but I just chalked it up to you having a C200. However, I have started digging around and I found out that the 1.0 firmware (at least the backup of my partitions) indeed does not have telnet present. The earliest firmware update I have available (1.0.10) does contain all the telnet files (service file, telnet symlink) and after updating, the files are indeed present. Sadly, the service file does not seem to be usable, as it starts up the telnet daemon bound to 127.0.0.1 . Btw, if any of you would be interested, I was able to find a way to easily downgrade the firmware, at least with the official updates for now :)
Hey there! Thanks for the info to all of you guys. It's my first time dealing with UART and hardware and thanks to this issue it has been great. I have managed to get the shell.
A bit off topic maybe, but have you guys heard of the eufy 2k camera? Seems like a decent alternative to the tapo camera. https://eu.eufylife.com/collections/indoor-cam
@kubik369
Wow, great job, thanks for that 🙇 I was just trying to trace the pads with a multimeter so far as I don't have any proper equipment with me as my lab is closed due to covid :D I will finish up my uni work and be right on that, thanks again a bunch! 😃 Btw the ethernet port has the same pinout as Cx00 and seems to be working the same way :)
Is the research on these devices still active? I would love to get involved somehow. I have a C100v2 and I am currently poking my way through the firmware in Ghidra. Links to any discussion discords etc would be welcome :)
@DrmnSamoLiu are you doing something else other than flashing the XMC chip with the desired firmware? I bought a bricked Tapo C200(EU)/1.0. When I connect through TTL there's a message "Firmware check failed". I found at least 3 versions of the firmware over the internet but none of them work for me... All I get when I reflash with the new firmware is the inverted question mark at the top... One of the .bin files I found is even larger than the chip itself and it is for C200v1, not sure how this is possible...
Hi @vbogoev I have a repo containing URLs that you can download legit firmware files from tplink cloud with, maybe you can try it out.
Hey, @DrmnSamoLiu . Thanks for the fast response. 1st I used the firmware from here: https://drmnsamoliu.github.io/firmware.html For the reflash I am using a CH341A programmer which is working well with this chip. I made a backup of the original content and then after every reflash from the firmwares above I soldered back the chip and all I get is the reversed question mark from the image. Once I reflash the original corrupted firmware I get everything else, so I am assuming the programmer is OK. But obviously I am doing something wrong... I am using an Arduino as TTL converter. I managed to get to rlxboot, but all I want is to get the camera working, at this point I don't care what the firmware version will be...
@vbogoev So either the linux kernel or the rootfs is corrupted, maybe you can send me your flash dump and I'll try and see what I can do to fix it:
Does anyone have C100v2 firmware 1.1.14? (Or below)
@DrmnSamoLiu did upload the old exploitable firmware on his website.
Thank you @DrmnSamoLiu for making a great tutorial for my very first ip camera journey!
@calvinytt Could you elaborate on what you mean by that? The RTSP stream is accessible as per instructions from TP-Link [0] after setting up the "third account" in the mobile app without any modifications or anything of the sort.
@calvinytt Thank you for letting me know about h264extractor! I'll definitely give it a try and see if I can get something out of it :) @kubik369 I believe @calvinytt is talking about the "RTSP auth bypass" (which TPlink secretly patched 😛) I mentioned on my site: In short, the RTSP server won't check the credential if the request URL contains "localhost" or "127.0.0.1", before it was patched.
That's only for C200 though, right?
Yep, it is exactly what @DrmnSamoLiu says. Too bad the localhost vulnerability is fixed.
Well, I am now working on the Tapo C210, it is very similar to C110 as far as I know.
Is there any in-progress effort to reverse engineer the 2 way audio (backchannel)?
Can you please guide me how to use ch341a to reflash the xmc chip? I tried using flashrom on my c100 but it does not recognise the chip.
@openone I just had the same issue (only IR LEDs, no status light) on a C100. The easiest solution I found was to solder an Ethernet cable to the onboard connector according to the pinout from #1 (comment)
Thank you! Will try ASAP. Is this IR LED lighting up issue due to firmware corruption? What exactly causes this issue? I have around 10 Tapos in my hospital, one more is acting up the same way.
Hello everyone! I've recently added the C100 to my arsenal of PCBs that run the RTS3903N SoC, here's a list of the resources I've created over the last year or so.
I'm planning on rewriting my RTSP Server implementation soon. I have around 15 different PCBs with this SoC and have a fair amount of experience with its quirks and the typical tricks the vendors implement. What's everyone's current objectives with their camera?
Edit: Try @Piets method FIRST, as it's less intrusive and will keep your camera's vendor / meta data (such as MAC address etc). I'd recommend taking a full flash dump of the non-functional camera and then flashing a working dump over it via the SOIC8 chip flash. To obtain the working flash dump, connect to the working camera via UART and grab a copy of mtdblock0 (full flash); here's a little script that'll help you (comment out unneeded code). However, if you're confident grabbing it via reading the SOIC8 flash then go for it straight away... just thinking of a less intrusive method for your working camera. Check the IR LED problem; if it's still causing a problem then it's a hardware fault. If they're functioning correctly then you know it's firmware. Hopefully you're lucky and it's only firmware; then you'll need to flash the relevant mtdblockX block back with the original camera vendor config (MAC address etc)... but we'll cross that bridge when you get there! If you're feeling a little adventurous and are working on this damaged camera a fair bit, you can set up and use a little SOIC8 adapter for quick flashing like I do here: I hope this helps!
Well, it worked wonderfully. I was able to recover my camera and add it to the app. Apart from mysterious disconnections it's been working nicely so far. Thank you so much @Piets
It's possible to retrieve direct download links for firmware from the camera with the following API request:
Response:
```json
{
  "cloud_config": {
    "upgrade_info": {
      ".name": "upgrade_info",
      ".type": "cloud_reply",
      "release_log_url": "undefined yet",
      "location": "0",
      "type": "3",
      "version": "1.3.0 Build 220909 Rel.43466n",
      "release_date": "2022-12-05",
      "download_url": "http:\/\/download.tplinkcloud.com\/firmware\/Tapo_C200v3_en_1.3.0_Build_220909_Rel.43466n_u_1670206040481.bin",
      "release_log": "Modifications and Bug Fixes:\\n1. Enhance connection stability.\\n2. Add support for Person Detection, Montion Tracking, Baby Crying Detection and Privacy Zones.\\n3. Fix some minor bugs."
    }
  },
  "error_code": 0
}
```
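An added example (my code, not from this thread or the camera's own software) that parses the upgrade_info reply shown above: it checks error_code, splits the version string into its parts, unescapes the double-escaped release_log, refuses a download_url whose host is not download.tplinkcloud.com, and flags that the link is served over plain http so the image still needs integrity checking. The sample reply is constructed from the format above with a shortened release log; the model regex and the trusted-host list are my assumptions.

```python
import json
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample in the shape of the camera's cloud_config reply above.
SAMPLE_REPLY = r'''{
  "cloud_config": {
    "upgrade_info": {
      ".name": "upgrade_info",
      ".type": "cloud_reply",
      "release_log_url": "undefined yet",
      "location": "0",
      "type": "3",
      "version": "1.3.0 Build 220909 Rel.43466n",
      "release_date": "2022-12-05",
      "download_url": "http:\/\/download.tplinkcloud.com\/firmware\/Tapo_C200v3_en_1.3.0_Build_220909_Rel.43466n_u_1670206040481.bin",
      "release_log": "Modifications and Bug Fixes:\\n1. Enhance connection stability.\\n2. Fix some minor bugs."
    }
  },
  "error_code": 0
}'''

# Assumed: only TP-Link's own download host is an acceptable firmware source.
TRUSTED_HOSTS = {"download.tplinkcloud.com"}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+) Build (\d{6}) Rel\.(\w+)$")
MODEL_RE = re.compile(r"^Tapo_([A-Za-z0-9]+)_")  # assumed filename convention


@dataclass
class UpgradeInfo:
    version: tuple          # e.g. (1, 3, 0)
    build: str              # "220909"
    release: str            # "43466n"
    release_date: str
    download_url: str
    model: str              # taken from the image filename, "unknown" if absent
    release_notes: list
    plaintext_transport: bool  # True when the link is http, not https


def parse_upgrade_reply(raw: str) -> UpgradeInfo:
    reply = json.loads(raw)
    if reply.get("error_code", -1) != 0:
        raise ValueError(f"camera reported error_code {reply.get('error_code')}")
    info = reply["cloud_config"]["upgrade_info"]
    m = VERSION_RE.match(info["version"])
    if not m:
        raise ValueError(f"unexpected version format: {info['version']!r}")
    url = info["download_url"]
    parts = urlsplit(url)
    if parts.hostname not in TRUSTED_HOSTS:
        raise ValueError(f"download host {parts.hostname!r} is not a trusted TP-Link host")
    filename = parts.path.rsplit("/", 1)[-1]
    mm = MODEL_RE.match(filename)
    # release_log is double-escaped: after JSON decoding it still holds a literal "\n".
    notes = [ln for ln in info["release_log"].replace("\\n", "\n").splitlines() if ln]
    return UpgradeInfo(
        version=(int(m.group(1)), int(m.group(2)), int(m.group(3))),
        build=m.group(4), release=m.group(5),
        release_date=info["release_date"], download_url=url,
        model=mm.group(1) if mm else "unknown",
        release_notes=notes, plaintext_transport=(parts.scheme != "https"),
    )


def newer_than(installed: str, info: UpgradeInfo) -> bool:
    """True if the offered version is newer than an installed 'x.y.z' (as UCI reports it)."""
    return tuple(int(p) for p in installed.split(".")) < info.version
```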
Hey all, I am new to reverse engineering and I have downloaded the latest firmware for the Tapo C200v3 camera (Tapo_C200v3_en_1.3.0_Build_220909_Rel.43466n_u_1670206040481.bin). However, it seems to be encrypted and I am having trouble extracting it. I was able to extract previous firmware versions without issue. Could you please guide me and explain what I might be missing here? I would appreciate any advice on how to extract this firmware. Thank you!
Hi, thanks to all for all the solutions but the credentials are not working for the TPlink tapo C200 candidate. I tried ----- username: root but it's now not working out!!!
Hi,
I have a Tapo C100 camera.
You can get an uboot shell via grounding the CS pin of the spi flash, when it shows "autobooting" message.
After that, you can boot into Linux via the init=/bin/sh bootarg.
You can even create a partition to sdcard and dd the mtdblock6 to it, and show the linux from uboot to get the rootfs from there.
I can provide the exact commands if you need it.
I want to get a root shell via telnet, when it is in the wall, assembled (not doing the CS pin grounding hack).
My problem is: I cannot write the rootfs, not only because it's squashfs, but it
"doesn't start on an erase block boundary -- force read-only"
I am thinking about writing the boot mtdblock partition to tell the 2nd U-Boot to add root=/dev/mmcblkp1 to bootargs.
Do you think we can cooperate with this experiment?