Littlelf 1080p camera. Looks like a Tuya #2

Open
frankol opened this issue Jul 25, 2022 · 12 comments

@frankol

frankol commented Jul 25, 2022

I need some help getting root and/or telnet running here.
Can you take a look at the SPI dump? I guess this piece has a version of 1.3.1, as I have seen.

I'm able to extract the filesystem and read the files, but I'm unable to squash it again. Always a different file size.

https://mega.nz/file/65kDiJoZ#OhMY9ewLdqlNyxwipeGVNkq9kr_k1tG8UPUNFkJC7EU firmware dump

And here is a piece of the serial output:

U-Boot 2014.01-v1.2 (Nov 29 2019 - 20:40:59)
Board: IPCAM RTS3903 CPU: 500M :rx5281 prid=0xdc02
force spi nor mode
DRAM: 64 MiB @ 1066 MHz
Skipping flash_init
Flash: 0 Bytes
flash status is 0, 0, 0
SF: Detected GD25Q64C with page size 256 Bytes, erase size 64 KiB, total 8 MiB
Using default environment
In: serial
Out: serial
Err: serial
MMC: rtsmmc: 0
flash status is 0, 0, 0
SF: Detected GD25Q64C with page size 256 Bytes, erase size 64 KiB, total 8 MiB
KERNEL & DRV IS OK
USER IS OK
missing target file or read failed
tuya verify failed
boot kernel
flash status is 0, 0, 0
SF: Detected GD25Q64C with page size 256 Bytes, erase size 64 KiB, total 8 MiB
SF: 1507328 bytes @ 0x100000 Read: OK
Booting kernel from Legacy Image at 80100000 ...
get header OKimage_get_kernel check hcrc
image_get_kernel print contents
Image Name: linux_3.10
Created: 2019-05-11 8:41:43 UTC
Image Type: MIPS Linux Kernel Image (uncompressed)
Data Size: 1349581 Bytes = 1.3 MiB
Load Address: 80401510
Entry Point: 80401510
Verifying Checksum ... OK
Loading Kernel Image ... OK
Starting kernel ...

Linux version 3.10.27 (wenhe@embed) (gcc version 4.8.5 20150209 (prerelease) (Realtek RSDK-4.8.5p1 Build 2521) ) #2 PREEMPT Sat May 11 15:40:25 CST 2019
prom cpufreq = 500000000
prom memsize = 67108864
hw_ver: 0x2, hw_rev: 0x1, isp_ver: 0x1
prom eth mac = 00:00:00:00:00:00
bootconsole [early0] enabled
CPU revision is: 0000dc02
FPU revision is: 01730001
Determined physical RAM map:
memory: 04000000 @ 00000000 (usable)
Reserved contiguous memory at 0x423000(0x1618000)
Zone ranges:
Normal [mem 0x00000000-0x03ffffff]
Movable zone start for each node
Early memory node ranges
node 0: [mem 0x00000000-0x03ffffff]
icache: 32kB/32B, dcache: 16kB/32B, scache: 0kB/0B
Built 1 zonelists in Zone order, mobility grouping on. Total pages: 16256
Kernel command line: console=ttyS1,57600 root=/dev/mtdblock2 rts_hconf.hconf_mtd_idx=1 rts-quadspi.channels=dual mtdparts=m25p80:8192k@0(global),128k@0k(boot),896k@128k(rootfs),1472k@1024k(kernel),704k@2496k(drv),2304k@3200k(user),2304k@5504k(backup),320k@7808k(mtd),64k@8128k(factory)
PID hash table entries: 256 (order: -2, 1024 bytes)
Dentry cache hash table entries: 8192 (order: 3, 32768 bytes)
Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)
Memory: 38072k/65536k available (3321k kernel code, 27464k reserved, 581k data, 192k init, 0k highmem)
SLUB: HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
Preemptible hierarchical RCU implementation.
NR_IRQS:57
Calibrating delay loop... 497.66 BogoMIPS (lpj=995328)
pid_max: default: 32768 minimum: 301
Mount-cache hash table entries: 512
pinctrl core: initialized pinctrl subsystem
NET: Registered protocol family 16
Init force reset registers
rtsxb2 registered with IRQs
INFO: initializing ISP memory ...
INFO: initializing ISP device ...
ISP camera platform devices added
INFO: initializing SD controller ...
INFO: initializing snd device ...
snd resvd mem size : 1048576
INFO: initializing USB host ...
INFO: initializing spi host ...0
spi platform id is ffffffff
INFO: initializing I2C master ...
INFO: initializing DMA controller ...
INFO: initializing pinctrl device ...
pinctrl_platform rts3903-pinctrl: rtspc registered with IRQs
INFO: initializing ethernet devices ...
INFO: initializing USB phy ...
INFO: initializing watchdog controller ...
INFO: initializing crypto device ...
INFO: initializing cpu dvfs device ...
bio: create slab at 0
rts_dmac rts3903-dmac: DesignWare DMA Controller, 4 channels
INFO: realtek DMA engine inited
usbcore: registered new interface driver usbfs
usbcore: registered new interface driver hub
usbcore: registered new device driver usb
usbphy-platform usbphy-platform: Initialized Realtek IPCam USB Phy module
Linux video capture interface: v2.00
Advanced Linux Sound Architecture Driver Initialized.
NET: Registered protocol family 2
TCP established hash table entries: 512 (order: 0, 4096 bytes)
TCP bind hash table entries: 512 (order: -1, 2048 bytes)
TCP: Hash tables configured (established 512 bind 512)
TCP: reno registered
UDP hash table entries: 256 (order: 0, 4096 bytes)
UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
NET: Registered protocol family 1
RPC: Registered named UNIX socket transport module.
RPC: Registered udp transport module.
RPC: Registered tcp transport module.
RPC: Registered tcp NFSv4.1 backchannel transport module.
squashfs: version 4.0 (2009/01/31) Phillip Lougher
NFS: Registering the id_resolver key type
Key type id_resolver registered
Key type id_legacy registered
jffs2: version 2.2. (NAND) © 2001-2006 Red Hat, Inc.
msgmni has been set to 74
NET: Registered protocol family 38
Block layer SCSI generic (bsg) driver version 0.4 loaded (major 253)
io scheduler noop registered
io scheduler deadline registered
io scheduler cfq registered (default)
Serial: 8250/16550 driver, 3 ports, IRQ sharing disabled
serial8250: ttyS0 at MMIO 0x18810000 (irq = 6) is a 16550A
console [ttyS1] enabled, bootconsole disabled
console [ttyS1] enabled, bootconsole disabled
serial8250: ttyS1 at MMIO 0x18810100 (irq = 6) is a 16550A
serial8250: ttyS2 at MMIO 0x18810200 (irq = 6) is a 16550A
dbg_iomem initialized!
rts-quadspi rts3903-qspi: force to set channels from quad mode to dual mode
rts-quadspi rts3903-qspi: request 60000000 Hz, force to set 41666666 Hz
rts-quadspi rts3903-qspi: found gd25q64c, expected mx25l12835f
rts-quadspi rts3903-qspi: gd25q64c (8192 Kbytes)
9 cmdlinepart partitions found on MTD device m25p80
Creating 9 MTD partitions on "m25p80":
0x000000000000-0x000000800000 : "global"
0x000000000000-0x000000020000 : "boot"
0x000000020000-0x000000100000 : "rootfs"
0x000000100000-0x000000270000 : "kernel"
0x000000270000-0x000000320000 : "drv"
0x000000320000-0x000000560000 : "user"
0x000000560000-0x0000007a0000 : "backup"
0x0000007a0000-0x0000007f0000 : "mtd"
0x0000007f0000-0x000000800000 : "factory"
rts-quadspi rts3903-qspi: Realtek QSPI Controller at 0x18030000 (irq 5)
rtl8168 Gigabit Ethernet driver 8.038.00-NAPI loaded
rtl8168 rts3903-r8168 (unregistered net_device): Get invalid MAC address from flash!
eth%d: 0xb8400000, 00:00:00:00:00:00, IRQ 10
ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
ehci-rts: ehci-rts platform driver
ehci-platform ehci-platform: EHCI Host Controller
ehci-platform ehci-platform: new USB bus registered, assigned bus number 1
ehci-platform ehci-platform: irq 11, io mem 0x18100000
ehci-platform ehci-platform: USB 2.0 started, EHCI 1.00
usb usb1: New USB device found, idVendor=1d6b, idProduct=0002
usb usb1: New USB device strings: Mfr=3, Product=2, SerialNumber=1
usb usb1: Product: EHCI Host Controller
usb usb1: Manufacturer: Linux 3.10.27 ehci_hcd
usb usb1: SerialNumber: ehci-platform
hub 1-0:1.0: USB hub found
hub 1-0:1.0: 1 port detected
ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver
ohci-platform ohci-platform: Generic Platform OHCI Controller
ohci-platform ohci-platform: new USB bus registered, assigned bus number 2
ohci-platform ohci-platform: irq 11, io mem 0x18180000
usb usb2: New USB device found, idVendor=1d6b, idProduct=0001
usb usb2: New USB device strings: Mfr=3, Product=2, SerialNumber=1
usb usb2: Product: Generic Platform OHCI Controller
usb usb2: Manufacturer: Linux 3.10.27 ohci_hcd
usb usb2: SerialNumber: ohci-platform
hub 2-0:1.0: USB hub found
hub 2-0:1.0: 1 port detected
i2c /dev entries driver
Stopped watchdog timer
timer margin: 8 sec
TCP: cubic registered
NET: Registered protocol family 17
Key type dns_resolver registered
mtd1 name is boot
hconf init failed
ALSA device list:
No soundcards found.
VFS: Mounted root (squashfs filesystem) readonly on device 31:2.
Freeing unused kernel memory: 192K (803e0000 - 80410000)
usb 1-1: new high-speed USB device number 2 using ehci-platform
usb 1-1: New USB device found, idVendor=0bda, idProduct=f179
usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
usb 1-1: Product: 802.11n
usb 1-1: Manufacturer: Realtek
usb 1-1: SerialNumber: 508A06A1942C
Sat Oct 24 10:24:00 UTC 2015



ntpclient: can't load library 'libsysconf.so'
jffs2: notice: (268) jffs2_build_xattr_subsystem: complete building xattr subsystem, 0 of xdatum (0 unchecked, 0 orphan) and 0 of xref (0 dead, 0 orphan) found.
rlx snd internal codec init
soc-audio soc-audio.0.auto: ASoC: machine RLX_INTERN_CARD should use snd_soc_register_card()
soc-audio soc-audio.0.auto: rlx-codec-digital <-> pcm-platform mapping ok
soc-audio soc-audio.0.auto: rlx-codec-analog <-> pcm-platform mapping ok
RTW: module init start
RTW: rtl8188fu v5.3.0.1_28034.20180525
RTW: build time: May 11 2019 15:41:23
RTW: HW EFUSE
RTW: hal_com_config_channel_plan chplan:0x20
RTW: rtw_regsty_chk_target_tx_power_valid return _FALSE for band:0, path:0, rs:0, t:-1
RTW: rtw_ndev_init(wlan0) if1 mac_addr=50:8a:06:a1:94:2c
RTW: rtw_ndev_init(wlan1) if2 mac_addr=52:8a:06:a1:94:2c
usbcore: registered new interface driver rtl8188fu
RTW: module init ret=0
rtscam:isp resvd mem addr : 0x00523000, size : 0x1518000
rtscam:rtscam_mem_init v:0xa0523000 p:0x00523000 s:0x00001518
rtscam:rtscam_lock_init
rtscam:rtscam_soc_probe
rtscam:rtscam_hx280_probe
rtscam:hx280enc:HW at base <0x18060000> with ID <0x48317011>
rtscam:rtscam_jpgenc_probe
rtscam:rtscam_osd2_probe
rtscam:rtstream_init
(none) login: status: active CC:
excute rts3903 platform script..rtscam:begin to load fw from isp.fw

@cjj25
Owner

cjj25 commented Jul 26, 2022

Could you provide a picture of what this camera looks like (for curiosity)?

  • What's the current pairing status (is it paired to Tuya or simply connected via Ethernet / WiFi)?
  • Have you tried running the payload from this repo? If so, is the log you attached related to it booting with this payload on the SD?

It looks like telnetd is starting on boot but is then immediately killed by ty_monitor.sh. I can see the typical method we use to has been disabled / commented out:

 #[ -x ${SDCARDDIR}/ty_sdcard_check_upgrade.sh ] && ${SDCARDDIR}/ty_sdcard_check_upgrade.sh ${destdir_sd}

However, ty_sign still references this bash script and is executed at the point of mounting the sdcard.

I've had a quick look. Basically ty_sign looks for /mnt/sdcard/sc002wa2v5.zip and /mnt/sdcard/sc002wa2v5.zip.sign and verifies its hash, then calls the ty_sdcard_check_upgrade script.

Could you try creating a dummy sc002wa2v5.zip and sc002wa2v5.zip.sign and put them on the root of your sdcard, then give me the output serial log?

It doesn't look too difficult to crack the hashing / signing (my initial impression). This is the first time I've actually seen the ty_sign binary being used.

@frankol
Author

frankol commented Jul 26, 2022

Attached you can find the images of the board and the cam.
UART: yellow [TX], orange [RX] and red [GND]
IMG_20220726_132447
IMG_20220726_132533
Screenshot 2022-07-26 133403
The cam is paired and connected to my WiFi, but I block internet access for it.

SD card plugged in with sc002wa2v5.zip and sc002wa2v5.zip.sign (nothing special happens; after a reboot with the SD card plugged in, the same):

mmc0: new high speed SDHC card at address 5048
mmcblk0: mmc0:5048 SD32G 28.8 GiB
mmcblk0: p1

/dev/mmcblk0 /dev/mmcblk0p1
/dev/mmcblk0 /dev/mmcblk0p1
MemTotal: 38264 kB
MemFree: 13080 kB
Buffers: 436 kB
Cached: 7296 kB
SwapCached: 0 kB
Active: 5288 kB
Inactive: 6996 kB
Active(anon): 4552 kB
Inactive(anon): 0 kB
Active(file): 736 kB
Inactive(file): 6996 kB
Unevictable: 0 kB
Mlocked: 0 kB
SwapTotal: 0 kB
SwapFree: 0 kB
Dirty: 0 kB
Writeback: 0 kB
AnonPages: 4568 kB
Mapped: 3168 kB
Shmem: 0 kB
Slab: 6636 kB
SReclaimable: 764 kB
SUnreclaim: 5872 kB
KernelStack: 520 kB
PageTables: 200 kB
NFS_Unstable: 0 kB
Bounce: 0 kB
WritebackTmp: 0 kB
CommitLimit: 19132 kB
Committed_AS: 54928 kB
VmallocTotal: 1048372 kB
VmallocUsed: 3684 kB
VmallocChunk: 1038272 kB
drop_caches
[2015-10-24 10:27:31.668 tid(481) tycam_devcom_inf.c tycam_log_monitor(463) Debug] start log moniot...
MemTotal: 38264 kB
MemFree: 13600 kB
Buffers: 324 kB
Cached: 6888 kB
SwapCached: 0 kB
Active: 5184 kB
Inactive: 6580 kB
Active(anon): 4552 kB
Inactive(anon): 0 kB
Active(file): 632 kB
Inactive(file): 6580 kB
Unevictable: 0 kB
Mlocked: 0 kB
SwapTotal: 0 kB
SwapFree: 0 kB
Dirty: 0 kB
Writeback: 0 kB
AnonPages: 4568 kB
Mapped: 3168 kB
Shmem: 0 kB
Slab: 6636 kB
SReclaimable: 764 kB
SUnreclaim: 5872 kB
KernelStack: 520 kB
PageTables: 200 kB
NFS_Unstable: 0 kB
Bounce: 0 kB
WritebackTmp: 0 kB
CommitLimit: 19132 kB
Committed_AS: 54928 kB
VmallocTotal: 1048372 kB
VmallocUsed: 3684 kB
VmallocChunk: 1038272 kB
drop_caches
[2015-10-24 10:27:41.676 tid(481) tycam_devcom_inf.c tycam_log_monitor(463) Debug] start log moniot...
total used free shared buffers
Mem: 38264 24656 13608 0 312
-/+ buffers: 24344 13920
Swap: 0 0 0
ip_addr: inet addr:192.168.200.10 Bcast:192.168.200.255 Mask:255.255.255.0
wifi_ssid:wlan0 IEEE 802.11bgn ESSID:"SH" Nickname:"WIFI@REALTEK"
route_info:default 192.168.200.254 0.0.0.0 UG 0 0 0 wlan0 192.168.200.0 bin dev drv etc init lib mnt opt proc root sys tmp usr var 255.255.255.0 U 0 0 0 wlan0
network ok
MemTotal: 38264 kB
MemFree: 13532 kB
Buffers: 312 kB
Cached: 6952 kB
SwapCached: 0 kB
Active: 5232 kB
Inactive: 6584 kB
Active(anon): 4552 kB
Inactive(anon): 0 kB
Active(file): 680 kB
Inactive(file): 6584 kB
Unevictable: 0 kB
Mlocked: 0 kB
SwapTotal: 0 kB
SwapFree: 0 kB
Dirty: 0 kB
Writeback: 0 kB
AnonPages: 4568 kB
Mapped: 3168 kB
Shmem: 0 kB
Slab: 6636 kB
SReclaimable: 764 kB
SUnreclaim: 5872 kB
KernelStack: 536 kB
PageTables: 200 kB
NFS_Unstable: 0 kB
Bounce: 0 kB
WritebackTmp: 0 kB
CommitLimit: 19132 kB
Committed_AS: 54928 kB
VmallocTotal: 1048372 kB
VmallocUsed: 3684 kB
VmallocChunk: 1038272 kB
drop_caches
[2015-10-24 10:27:51.684 tid(481) tycam_devcom_inf.c tycam_log_monitor(463) Debug] start log moniot...
MemTotal: 38264 kB
MemFree: 13608 kB
Buffers: 312 kB
Cached: 6892 kB
SwapCached: 0 kB
Active: 5216 kB
Inactive: 6540 kB
Active(anon): 4552 kB
Inactive(anon): 0 kB
Active(file): 664 kB
Inactive(file): 6540 kB
Unevictable: 0 kB
Mlocked: 0 kB
SwapTotal: 0 kB
SwapFree: 0 kB
Dirty: 0 kB
Writeback: 0 kB
AnonPages: 4568 kB
Mapped: 3168 kB
Shmem: 0 kB
Slab: 6636 kB
SReclaimable: 764 kB
SUnreclaim: 5872 kB
KernelStack: 520 kB
PageTables: 204 kB
NFS_Unstable: 0 kB
Bounce: 0 kB
WritebackTmp: 0 kB
CommitLimit: 19132 kB
Committed_AS: 54928 kB
VmallocTotal: 1048372 kB
VmallocUsed: 3684 kB
VmallocChunk: 1038272 kB
drop_caches
[2015-10-24 10:28:1.692 tid(481) tycam_devcom_inf.c tycam_log_monitor(463) Debug] start log moniot...

SD card plugged in with the original payload from this repo:

mmc0: new high speed SDHC card at address 5048
mmcblk0: mmc0:5048 SD32G 28.8 GiB
mmcblk0: p1
/dev/mmcblk0 /dev/mmcblk0p1
/dev/mmcblk0 /dev/mmcblk0p1
FAT-fs (mmcblk0p1): Volume was not properly unmounted. Some data may be corrupt. Please run fsck.
[2015-10-24 10:24:51.540 tid(481) tycam_devcom_inf.c tycam_log_monitor(463) Debug] start log moniot...
MemTotal: 38264 kB
MemFree: 13256 kB
Buffers: 420 kB
Cached: 7144 kB
SwapCached: 0 kB
Active: 5296 kB
Inactive: 6832 kB
Active(anon): 4564 kB
Inactive(anon): 0 kB
Active(file): 732 kB
Inactive(file): 6832 kB
Unevictable: 0 kB
Mlocked: 0 kB
SwapTotal: 0 kB
SwapFree: 0 kB
Dirty: 0 kB
Writeback: 0 kB
AnonPages: 4568 kB
Mapped: 3140 kB
Shmem: 0 kB
Slab: 6636 kB
SReclaimable: 768 kB
SUnreclaim: 5868 kB
KernelStack: 512 kB
PageTables: 200 kB
NFS_Unstable: 0 kB
Bounce: 0 kB
WritebackTmp: 0 kB
CommitLimit: 19132 kB
Committed_AS: 54928 kB
VmallocTotal: 1048372 kB
VmallocUsed: 3684 kB
VmallocChunk: 1038272 kB
drop_caches
mmc0: card 5048 removed

@cjj25
Owner

cjj25 commented Jul 26, 2022

Great pictures! Could you try the same as before (sc002wa2v5.zip filenames on sdcard) but without it attached, then once booted plug the SD card in?

It looks like the script gets fired on the hotplug event.

@frankol
Author

frankol commented Jul 26, 2022

Doesn't look like it does something..

After reset, plugged SD card in after first boot:

[01-01 18:18:42-- TUYA Debug][wf_nw_cfg.c:100] Set New Channel 1

mmc0: new high speed SDHC card at address 5048
mmcblk0: mmc0:5048 SD32G 28.8 GiB
mmcblk0: p1
[01-01 18:18:42-- TUYA Debug][wf_nw_cfg.c:100] Set New Channel 6

/dev/mmcblk0 /dev/mmcblk0p1
/dev/mmcblk0 /dev/mmcblk0p1
FAT-fs (mmcblk0p1): Volume was not properly unmounted. Some data may be corrupt. Please run fsck.
[01-01 18:18:42-- TUYA Debug][wf_nw_cfg.c:100] Set New Channel 1

[01-01 18:18:43-- TUYA Debug][wf_nw_cfg.c:100] Set New Channel 6

[01-01 18:18:43-- TUYA Debug][wf_nw_cfg.c:100] Set New Channel 1

[01-01 18:18:44-- TUYA Debug][wf_nw_cfg.c:100] Set New Channel 6

[01-01 18:18:44-- TUYA Debug][wf_nw_cfg.c:100] Set New Channel 1

[2015-10-24 10:30:41.664 tid(523) tycam_devcom_inf.c tycam_log_monitor(463) Debug] start log moniot...
[01-01 18:18:44-- TUYA Debug][wf_nw_cfg.c:100] Set New Channel 6

[01-01 18:18:45-- TUYA Debug][wf_nw_cfg.c:100] Set New Channel 1

[01-01 18:18:45-- TUYA Debug][wf_nw_cfg.c:100] Set New Channel 6

[01-01 18:18:46-- TUYA Debug][wf_nw_cfg.c:100] Set New Channel 1

After reset with the SD card plugged in:

begin___, action: 0Started watchdog timer

Started watchdog timer
mmc0: new high speed SDHC card at address 5048
mmcblk0: mmc0:5048 SD32G 28.8 GiB
mmcblk0: p1
/dev/mmcblk0 /dev/mmcblk0p1
/dev/mmcblk0 /dev/mmcblk0p1
FAT-fs (mmcblk0p1): Volume was not properly unmounted. Some data may be corrupt. Please run fsck.
insmod: can't insert '/drv/modules/8188fu.ko': File exists
killall: tymaster: no process killed
2, /tmp/tymaster, /tmp/tycam, (null)
tymaster begin__
tcgetattr
TIOCGWINSZ error
ptyMasterOpen 3 slname=/dev/pts/0
ptyFork:tcsetattr
Run2 parent:/tmp/tymaster
brefore ttySetRaw...
ttySetRaw...
Child executes command execvp:/tmp/tycam
[2015-10-24 10:24:11.446 tid(522) main.c main(85) Debug] begin__
[2015-10-24 10:24:11.447 tid(522) tycam_devcom_inf.c tycam_devcom_start(684) Debug] begin___
[2015-10-24 10:24:11.448 tid(522) tycam_devcom_inf.c tycam_devcom_start(690) Debug] dev abi md[1] m/dev/pts/0d_track[0] pir[0] ptz[0] isp_ver[]
[2015-10-24 10:24:11.449 tid(522) ty_wifi.c ty_hwl_wifi_init(653) Debug] bigin___
[2015-10-24 10:24:11.450 tid(522) ty_wifi.c ty_hwl_wifi_init(667) Debug] end___
creat offset.info write SD!
[2015-10-24 10:24:11.522 tid(522) tuya_ipc_mgr_utils.c TUYA_IPC_SDK_INIT(152) Debug] SDK Version:

< TUYA IOT SDK V:4.1.1 BS:30.01_PT:2.2_LAN:3.3_CAD:1.0.1_CD:1.0.0 >

IPC DEFS < ENABLE_ECHO_SHOW:1 ENABLE_CHROMECAST:1 ENABLE_CLOUD_ST/dev/pts/0ORAGE:1 >'

< BUILD AT:2020_12_26_23_34_33 BY weihm FOR linux_wifi AT rts3903 >

@frankol
Author

frankol commented Aug 1, 2022

I managed to modify ty_monitor.sh to start a script from the SD card.
First identify the squashfs images with binwalk. The last one was the one with all the ty_xxx scripts:

131072 0x20000 Squashfs filesystem, little endian, version 4.0, compression:xz, size: 763634 bytes
2555904 0x270000 Squashfs filesystem, little endian, version 4.0, compression:xz, size: 626986 bytes
3276800 0x320000 Squashfs filesystem, little endian, version 4.0, compression:xz, size: 2339162 bytes

Then extract with dd like:

dd if=Littlelf_camera.bin of=03_sqashfs bs=1 skip=3276800 count=2339150

unsquashfs 03_sqashfs

Modify ty_monitor.sh.

Resquash with:

mksquashfs ./squashfs-root/ 003_littleelf0.squashfs -b 131072 -comp xz

And replace the modified squashfs within the bin file with:

dd if=003_littleelf0.squashfs of=Littlelf_camera.bin bs=1 seek=3276800 conv=notrunc

Telnet is starting now, but still wants a password :-(

Also, I noticed the modified tycam cannot be started.

./tycam: can't load library 'libasound.so.2'
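
The carve-and-replace steps in the comment above rely on the flash layout the kernel prints in its `mtdparts=` argument. As an added example (not frankol's or the repository's code), this Python sketch parses that argument from the boot log, maps the binwalk offsets to partition names, and checks a squashfs image against its superblock size and the partition size before splicing it into a dump. The helper names, the 0xFF padding and the constructed sample image are assumptions.

```python
import re
import struct
from typing import NamedTuple

# Kernel command line fragment as printed in the boot log on this page.
CMDLINE = (
    "console=ttyS1,57600 root=/dev/mtdblock2 "
    "mtdparts=m25p80:8192k@0(global),128k@0k(boot),896k@128k(rootfs),"
    "1472k@1024k(kernel),704k@2496k(drv),2304k@3200k(user),"
    "2304k@5504k(backup),320k@7808k(mtd),64k@8128k(factory)"
)
UNITS = {"": 1, "k": 1024, "m": 1024 * 1024}
SQUASHFS_MAGIC = b"hsqs"  # squashfs 4.0, little endian


class Partition(NamedTuple):
    name: str
    offset: int
    size: int


def _to_bytes(text):
    """Convert an mtdparts number such as '3200k' or '0' to bytes."""
    m = re.fullmatch(r"(\d+)([km]?)", text.lower())
    if not m:
        raise ValueError("bad mtdparts number: %r" % text)
    return int(m.group(1)) * UNITS[m.group(2)]


def parse_mtdparts(cmdline):
    """Return the partitions listed as size@offset(name) in mtdparts=."""
    m = re.search(r"mtdparts=[^:\s]+:(\S+)", cmdline)
    if not m:
        raise ValueError("no mtdparts= argument found")
    return [Partition(name, _to_bytes(off), _to_bytes(size))
            for size, off, name in re.findall(r"(\w+)@(\w+)\(([^)]+)\)", m.group(1))]


def partition_at(parts, offset):
    """Smallest partition starting at offset (skips the whole-flash 'global')."""
    hits = [p for p in parts if p.offset == offset]
    if not hits:
        raise LookupError("no partition starts at 0x%x" % offset)
    return min(hits, key=lambda p: p.size)


def squashfs_bytes_used(image):
    """Read bytes_used (u64 at offset 40) from a squashfs 4.0 superblock."""
    if image[:4] != SQUASHFS_MAGIC:
        raise ValueError("not a little-endian squashfs image")
    return struct.unpack_from("<Q", image, 40)[0]


def splice(flash, part, image):
    """Return a copy of flash with image written at part, padded with 0xFF."""
    if squashfs_bytes_used(image) > len(image):
        raise ValueError("image is shorter than its superblock says (carved too few bytes)")
    if len(image) > part.size:
        raise ValueError("image does not fit in partition %r" % part.name)
    padded = image + b"\xff" * (part.size - len(image))  # assumption: erased-flash fill
    return flash[:part.offset] + padded + flash[part.offset + part.size:]


def make_sample_squashfs(total_len, bytes_used):
    """Constructed stand-in: only the magic and bytes_used fields are valid."""
    header = bytearray(96)
    header[:4] = SQUASHFS_MAGIC
    struct.pack_into("<Q", header, 40, bytes_used)
    return bytes(header) + bytes(total_len - 96)


if __name__ == "__main__":
    parts = parse_mtdparts(CMDLINE)
    for off in (131072, 2555904, 3276800):  # binwalk offsets from the comment above
        p = partition_at(parts, off)
        print("0x%06x %-7s %d bytes" % (p.offset, p.name, p.size))
    dump = bytes(8 * 1024 * 1024)  # constructed blank 8 MiB dump
    patched = splice(dump, partition_at(parts, 3276800), make_sample_squashfs(4096, 4000))
    print("dump size unchanged:", len(patched) == len(dump))
```

Because the image is padded to the full partition before it is written, the dump keeps its 8 MiB size regardless of how large the repacked squashfs turns out.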

@frankol
Author

frankol commented Aug 1, 2022

OK, was able to change the root password with this:

/opt/skyeye/bin/ty_passwd -u 0 -a password -f /etc/tuya/shadow

Can you patch my tycam binary like you did with the others, please?
tycam

@justadri

justadri commented Oct 3, 2022

Hi, just wondering if there's been any progress on this model since the last post. I've also got 2 of these cameras (with v1.1.6 firmware) and have been trying to get an RTSP stream out of them for months. I'm happy to test or help in any way I can.

@jcconnell

I'm in the same boat. 2 cameras. Would love to have an RTSP stream.

@cjj25
Owner

cjj25 commented Nov 10, 2022

Could someone provide me with a dump of the 1.1.6 firmware? I'll then patch the binaries.

Follow the instructions on the homepage of the repo and see if you can gain telnet access, then you'll have a non-invasive way of dumping the firmware.

@jcconnell

@cjj25 I can help with a bit more instruction. I imagine I'd need to the directions listed here using the latest patched binary.

Assuming I have telnet access, what are the next steps?

@cjj25
Owner

cjj25 commented Nov 25, 2022

That's great! You can use the script here and then send the mtdblock0 over.. I can then patch the binary for you.

I'm currently working on an auto patcher on boot that'll work for all the different versions.

@jcconnell

Finally circling back to this - I'm not sure this is working for me. I'm not able to get telnet access, and the sd card doesn't have any logs that indicate the scripts or hack attempted to start. I've tried both of the high-resolution patched binaries without success. Any ideas?
