Findings / Shell access

[llevi]

Hi,
I have a Tapo C100 camera.
You can get an uboot shell via grounding the CS pin of the spi flash, when it shows "autobooting" message.
After that, you can boot in to linux via init=/bin/sh bootarg.
You can even create a partition to sdcard and dd the mtdblock6 to it, and show the linux from uboot to get the rootfs from there.
I can provide the exact commands if you need it.
I want to get a root shell via telnet, when it is in the wall, assembled (not doing the CS pin grounding hack).
My problem is: I cannot write the rootfs, not only because its squashfs, but it
"doesn't start on an erase block boundary -- force read-only"
I am thinking about to write the boot - mtdblock partition to tell the 2nd uBoot to add root=/dev/mmcblkp1 to bootargs
Do you think we can cooperate with this experiment?

[nervous-inhuman]

Hi @llevi,
thanks for your help regarding getting a shell on the device!

I'll try to replicate your steps on my C200 camera.

Do you think we can cooperate with this experiment?

Gladly. What'd be the best way to contact you?

[llevi]

I'm on facebook messenger:
https://www.messenger.com/t/llevi95

[nervous-inhuman]

I'm on facebook messenger:
https://www.messenger.com/t/llevi95

You should have a message from me in your inbox.

[depau]

Hi @llevi,
I tried your approach but it seems like they disabled the u-boot shell on the C200, when the checksums fail it starts a HTTP server on the internal ethernet port instead of spawning the usual shell:

U-Boot 2014.01-v1.2 (Jul 20 2020 - 10:28:45)

Board: IPCAM RTS3903 CPU: 500M :rx5281 prid=0xdc02
force spi nor mode
DRAM:  64 MiB @ 1066 MHz
Skipping flash_init
Flash: 0 Bytes
flash status is 0, 0, 0
SF: Detected XM25QH64A with page size 256 Bytes, erase size 64 KiB, total 8 MiB
Using default environment

Autobooting in 1 seconds
copying flash to 0x81500000
flash status is 0, 0, 0
SF: Detected XM25QH64A with page size 256 Bytes, erase size 64 KiB, total 8 MiB
SF: 8388608 bytes @ 0x0 Read: OK

Firmware check failed!
Enter recovery mode.
In:    serial
Out:   serial
Err:   serial
Net:   Realtek PCIe GBE Family Controller mcfg = 0024
no hw config header
new_ethaddr = 00:00:23:34:45:66
r8168#0
Using default environment


Running command httpd!--Debug by Mazexiong
SF: Unsupported flash IDs: manuf 00, jedec 0000, ext_jedec 0040
flash status is 0, 0, 0
SF: Detected unknown with page size 256 Bytes, erase size 64 KiB, total 8 MiB
SF: 10240 bytes @ 0x1d800 Read: OK
NetReadAndSetEthaddr: no mac address found.
HTTP server is ready!

SF: Unsupported flash IDs: manuf 00, jedec 0000, ext_jedec 82fc
flash status is 0, 0, 0
SF: Detected unknown with page size 256 Bytes, erase size 64 KiB, total 8 MiB
SF: 10240 bytes @ 0x1d800 Read: OK
error: no mac address found
local info init failed, exit
Attaching option 01 to list
Attaching option 03 to list
Attaching option 06 to list
file: apps/dhcpd/dhcpd.c,line: 870==:dhcpd init OK. --debug by HouXB
HTTP server is starting at IP: 192.168.0.10
file: lib_uip.c,line: 115==:uip set a8c0-a00. --debug by HouXB
file: lib_uip.c,line: 130==:start infinite loop! --debug by HouXB

If I wait for it to load the second stage u-boot and then bring the chip select low when it says "autobooting", it will simply hang:

U-Boot 2014.01-v1.2 (Jul 20 2020 - 10:28:45)

Board: IPCAM RTS3903 CPU: 500M :rx5281 prid=0xdc02
force spi nor mode
DRAM:  64 MiB @ 1066 MHz
Skipping flash_init
Flash: 0 Bytes
flash status is 0, 0, 0
SF: Detected XM25QH64A with page size 256 Bytes, erase size 64 KiB, total 8 MiB
Using default environment

Autobooting in 1 seconds
copying flash to 0x81500000
flash status is 0, 0, 0
SF: Detected XM25QH64A with page size 256 Bytes, erase size 64 KiB, total 8 MiB
SF: 8388608 bytes @ 0x0 Read: OK
verifying uboot partition...
ok
verifying kernel and romfs partition...
ok
set watchdog, resetting...

U-Boot 2014.01-v1.2 (Sep 30 2020 - 07:11:39)

Board: IPCAM RTS3903 CPU: 500M :rx5281 prid=0xdc02
force spi nor mode
DRAM:  64 MiB @ 1066 MHz
flash status is 0, 0, 0
SF: Detected XM25QH64A with page size 256 Bytes, erase size 64 KiB, total 8 MiB
Flash: 0 Bytes
flash status is 0, 0, 0
SF: Detected XM25QH64A with page size 256 Bytes, erase size 64 KiB, total 8 MiB
Using default environment

In:    serial
Out:   serial
Err:   serial
Net:   Realtek PCIe GBE Family Controller mcfg = 0024
new_ethaddr = 00:00:00:00:00:00
r8168#0
Autobooting in 1 seconds
flash status is 0, 0, 0
SF: Detected XM25QH64A with page size 256 Bytes, erase size 64 KiB, total 8 MiB
SF: 3145728 bytes @ 0x60000 Read: OK
## Booting image at 82000000 ...
   Uncompressing Kernel Image ... OK

Starting kernel ...

[evoionosp]

I have C200 which got bricked while firmware update. I am getting same output as @depau posted in the first part of the boot log. However I don't ever get 2nd part of boot. I want to flash firmware again to make it working. I have a UART serial connection to camera using UART pads soldered and connected with GND, GPIO 14 and 15 pin. Please help if anyone knows the solution.

So far, I have tried to add init=/bin/sh in bootarg. but nothing happens. It just boots as is. and the changes to the bootarg is lost once rebooted.

[nervous-inhuman]

Hi @depau,

you can kill the httpd server by hitting Ctrl-C, I believe.

From there, you'll be dropped into the U-boot shell.

[depau]

Hi @depau,

you can kill the httpd server by hitting Ctrl-C, I believe.

From there, you'll be dropped into the U-boot shell.

I have no idea why I didn't even try 🤦‍♂️ it works, thanks!

Web failsafe mode aborted!

httpd - httpd	- start www server for firmware recovery

Usage:
httpd - No additional help available.
rlxboot# <INTERRUPT>
rlxboot# 

[nervous-inhuman]

To boot into a shell, you also need to set the init to /bin/sh as mentioned above, plus copy the "firmware" into memory and boot from it.

setenv bootargs 'console=ttyS1,57600 root=/dev/mtdblock6 rts-quadspi.channels=dual init=/bin/sh'
sf read 0x81500000 0x60000 0x300000
bootm

Please note, that devfs, sysfs aren't going to be mounted when you boot from memory, because init wasn't run.
Supposedly running /etc/preinit will mount them, but I haven't tested it, since I managed to fry my C200. 🤦‍♀️

[llevi]

@depau I have a working C100 (yet :D )
I have tried to modify the rootfs, but I could not, because "doesnt come with erase block boundary"
Maybe I could write the whole flash,I tried to use a ch341A programmer, but it ( via flashrom ) doesn't recognised it as an spi flash.

[depau]

To boot into a shell, you also need to set the init to /bin/sh as mentioned above, plus copy the "firmware" into memory and boot from it.

setenv bootargs 'console=ttyS1,57600 root=/dev/mtdblock6 rts-quadspi.channels=dual init=/bin/sh'
sf read 0x81500000 0x60000 0x300000
bootm

Please note, that devfs, sysfs aren't going to be mounted when you boot from memory, because init wasn't run.
Supposedly running /etc/preinit will mount them, but I haven't tested it, since I managed to fry my C200. woman_facepalming

I dumped the flash overnight, I'll inspect it today. I thought I'd be able to get root access over serial during normal operation but they disabled all accounts, I guess I'll have to find another way.

I did get all the binaries and the certificates though.

@depau I have a working C100 (yet :D )
I have tried to modify the rootfs, but I could not, because "doesnt come with erase block boundary"
Maybe I could write the whole flash,I tried to use a ch341A programmer, but it ( via flashrom ) doesn't recognised it as an spi flash.

I have a programmer compatible with minipro and it supports it. You need to desolder it though, they didn't put diodes in the power lines so it will power the whole board if you use a SOP8 clamp or SMD clips.

[llevi]

@depau If you have powerful enough computer, you can try to bruteforce the root password which is in /etc/passwd .
I dd-ed the rootfs to an sdcard and could successfully boot up with changed root pass. and voila - working system with root shell (tell this because they didn't disabled all accounts, they just password-protect the root acc)

[depau]

I tried with multiple wordlists but no such luck. Here's some info i gathered including the (uncracked) crypt md5 hash: https://md.depau.eu/mA9zdqPKTPCCz2sgWlh3_g

…

On Sun, Nov 29, 2020, 21:16 llevi ***@***.***> wrote: @depau <https://github.com/Depau> If you have powerful enough computer, you can try to bruteforce the root password which is in /etc/passwd . I dd-ed the rootfs to an sdcard and could successfully boot up with changed root pass. and voila - working system with root shell (tell this because they didn't disabled all accounts, they just password-protect the root acc) — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#1 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAIZCWKZLO73GCGWJ5E3CULSSKTY7ANCNFSM4SGEKLZA> .

[kubik369]

Hi, I was able to find the default root password in the released GPL code together with the sequence to stop autoboot and fall through into the uboot console. The default root password is slprealtek and the uboot stop keyword is slp.

You also don't really need to rewrite the flash with a programmer, you can use tftp to boot over Ethernet, I can whip up some pinout pictures if someone would be interested in this. I was also able to use the camera as a regular AP while connected over Ethernet, which is pretty nice.

[reinisb]

I was also able to use the camera as a regular AP while connected over Ethernet, which is pretty nice.

Hey @kubik369 ! Could you please elaborate on this? Is it possible to operate the camera using ethernet (via the header) instead of wifi? Or is the ethernet header meant for some special use case only? Thanks!

[nervous-inhuman]

Ahoj @kubik369,

I was able to find the default root password in the released GPL code together with the sequence to stop autoboot

would you mind linking to the GPL sources so I could document it in this repo?

you can use tftp to boot over Ethernet, I can whip up some pinout pictures if someone would be interested in this

I'd highly appreciate this, as it's been something I've been thinking about since I've seen the unused header

Thank you for your contribution!

[kubik369]

Ahoj @nervous-inhuman (si z CZ/SK? :) )

Here are the links for Tapo C100 and C200:

https://static.tp-link.com/resources/gpl/c100_GPL_v1.tar.bz2
https://static.tp-link.com/resources/gpl/camera_slp_realtek_c200.tar.bz2

However, they are the same thing, to the bit (at least the last time I checked). The C200 one has been published on the website when I checked, the C100 one I needed to request. Thankfully, TP-link support was really prompt and they provided me with the link basically the next day (they also put it up on the website). I am pretty sure that we can get C310 sources the same way. I don't own a C310 camera yet, only C100 and C200. Since C100 and C200 are basically identical and they have those unpopulated headers, I suspect that C310 will be also identical.

What do you think would be the best course of action for contributions? I think that we should try to team up with the people that are working on the pytapo library and aggregate all pieces of information that we were able to find out. We can either put everything into their repository wiki or add a link pointing to this repository from theirs. I am going to take a picture of my "setup" and annotate it and after we work out the best course of action, I will write down everything I know and commit it to the agreed repository :)

[nervous-inhuman]

Replying to @kubik369:

si z CZ/SK?

Yeah! The reason why I started this repo is because I found this camera for cheap on Alza, and wanted to get a root shell on it and to integrate it into my Home Assistant setup.

...

What do you think would be the best course of action for contributions?

I'm unsure, as far as I was aware some months ago, I was the only person/this was the only repository focused on Tapo C200/Cxxx research.

...

I think that we should try to team up with the people that are working on the pytapo library and aggregate all pieces of information that we were able to find out.

This sounds fantastic, I didn't know about their project. I believe this repo predates theirs by about a month.
Anyway, what's the best way to get in contact with you, and the folks over at pytapo?

[openone]

@openone I just had the same issue (only IR LEDs, no status light) on a C100. The easiest solution i found was to solder an Ethernet cable to the onboard connector according to the pinout

Thank you! Will try ASAP. Is this IR LED lighting up issue due to firmware corruption? What exactly causes this issue? I have around 10 Tapos in my hospital, one more is acting up the same way.

[cjj25]

Hello everyone!

I've recently added the C100 to my arsenal of PCBs that run the RTS3903N SoC, here's a list of the resources I've created over the last year or so.

• cjj25/Yi-RTS3903N-RTSPServer
• cjj25/RTS3903N-Tools
• cjj25/RTS3903N-rsdk-4.8.5-5281
• cjj25/RTS3903N-Tuya-RTSPServer

I'm planning on rewriting my RTSP Server implementation soon.

I have around 15 different PCBs with this SoC and have fair amount of experience with its quirks and the typical tricks the vendors implement.

What's everyone's current objectives with their camera?

[cjj25]

@openone I just had the same issue (only IR LEDs, no status light) on a C100. The easiest solution i found was to solder an Ethernet cable to the onboard connector according to the pinout

Thank you! Will try ASAP. Is this IR LED lighting up issue due to firmware corruption? What exactly causes this issue? I have around 10 Tapos in my hospital, one more is acting up the same way.

Edit: Try @Piets method FIRST, as its less intrusive and will keep your cameras vendor / meta data (such as MAC address etc)

I'd recommend taking a full flash dump of the non-functional camera and then flashing a working dump over it via the SOIC8 chip flash.

To obtain the working flash dump connect to the working camera via UART, grab a copy of the mtdblock0 (full flash), here's a little script that'll help you (comment out unneeded code). However, if you're confident grabbing it via reading the soic8 flash then go for it straight away.. just thinking of a less intrusive method for you working camera.

Check the IR LED problem, if its still causing a problem then it's a hardware fault. If they're functioning correctly then you know it's firmware.

Hopefully you're lucky and it's only firmware, then you'll need to flash the relevant mtdblockX block back with the original camera vendor config (mac address etc)... but we cross that bridge when you get there!

If you're feeling a little adventurous and are working on this damaged camera a fair bit, you setup and use a little SOIC8 adapter for quick flashing like I do here:

I hope this helps!

[openone]

Well It worked wonderfully. I was able to recover my camera and add it to app. Apart from mysterious disconnections Its been working nicely so far. Thank you so much @Piets
@cjj25 Thank you for letting me know this method. I will try this with one more camera that is bricked/dead (but no IR LED lighting up on this). One doubt though, do you need to solder the SOIC adapter once, recover and then remove it?

[liamjack]

It's possible to retrieve direct download links for firmware from the camera with the following API request:

POST https://[IP_ADDRESS]/stok=[TOKEN]/ds

{
	"method": "get",
	"cloud_config": {
		"name": ["upgrade_info"]
	}
}

Response:

{
  "cloud_config": {
    "upgrade_info": {
      ".name": "upgrade_info",
      ".type": "cloud_reply",
      "release_log_url": "undefined yet",
      "location": "0",
      "type": "3",
      "version": "1.3.0 Build 220909 Rel.43466n",
      "release_date": "2022-12-05",
      "download_url": "http:\/\/download.tplinkcloud.com\/firmware\/Tapo_C200v3_en_1.3.0_Build_220909_Rel.43466n_u_1670206040481.bin",
      "release_log": "Modifications and Bug Fixes:\\n1. Enhance connection stability.\\n2. Add support for Person Detection, Montion Tracking, Baby Crying Detection and Privacy Zones.\\n3. Fix some minor bugs."
    }
  },
  "error_code": 0
}

[torque0x972]

Hey all,

I am new to reverse engineering and I have downloaded the latest firmware for the Tapo C200v3 camera (Tapo_C200v3_en_1.3.0_Build_220909_Rel.43466n_u_1670206040481.bin). However, it seems to be encrypted and I am having trouble extracting it. I was able to extract previous firmware versions without issue.

Could you please guide me and explain what I might be missing here? I would appreciate any advice on how to extract this firmware.

Thank You !

[Abir-Das]

Hi, thanks to all for all the solutions but the credentials are not workings for the TPlink tapo C200 candidate. I tried -----

username: root
password : slprealtek

but it's now not working out!!!

[lenovomen]

Hi all,

I am new here on the forum. I bought a TP-Link c210 camera. My question is, if a hacker has placed malicious code through the motherboard connector interface, will the OTA update overwrite it? Is it worth taking the camera apart and overwriting the whole software? Or is an OTA update sufficient? Does the OTA update overwrite everything on all partitions?

[int2018]

Hi all,

some years ago this guy started a hack on a Xiaomi Webcam Dafang. It involved many of the issues you are trying to solve with the Tapo C200. Maybe you can work together or get some inspiration from him.
Have a look: https://github.com/EliasKotlyar/Xiaomi-Dafang-Hacks

Cheers

[hitesh9811]

Hi all,

I wanted to know how can I get the latest firmware image for C200 camera (1.3.9 Build 231019 Rel.29120n)

[b33fstrogan0ff]

You can get it via intercepting the HTTP requests via the app, this is the link for the latest firmware, but it looks to be encrypted, binwalk returns nothing, anyone got any ideas what to do next?

I'm guessing not much can be done from this point. Could probably try and reverse it in something like Ghidra, but not sure what CPU the C200 is running, I'm assuming MIPS but not sure on specifics.

[hitesh9811]

The only way I was able to obtain the latest firmware bin file was when there was an update pushed from the server otherwise there is no way for someone to capture the download link, or is there a way to retreive the firmware via intercepting requests?

[b33fstrogan0ff]

Yeah you can intercept the requests and get the URL for the latest firmware. Mine did need a firmware update so not sure if the URL can always be intercepted or not, but that's how I got the link I shared above in the first place. That is the latest firmware.

[JayFoxRox]

but it looks to be encrypted

Yes. Unfortunately

It would be good if someone would install one of the most recent (encrypted) firmwares and, once installed, dump the flash or filesystem via a hw shell (so we can have a new OTA RCE for shell access).
(Edit: Thanks @najashark in https://github.com/najashark/tplink-tapo-c225-re/issues/1#issuecomment-1844397957 )

I moved a bunch of firmware URLs from this discussion to https://github.com/DrmnSamoLiu/Tapo_Camera_Firmware/issues

Those unencrypted firmwares have a bunch of security flaws, so I have a handful of RCEs for older firmwares... but they don't work on my camera anymore (C220.. which is quite recent and seems to have gotten a few security related patches).

not sure what CPU the C200 is running

I could imagine that it depends on the hw version. But the tapo cameras I've looked at (C100, C200, C210, C220, C310) all run either MIPS or ARM and they basically run the same software.

[JayFoxRox]

Some update:

• I have Python code to download the latest device firmware from tplink servers; it needs the camera model, MAC and device ID (which uniquely identifies you). Currently it only works with unbound devices. The server only gives you the latest URL.
• I have Python code to decrypt firmware images, however, binwalk still doesn't like (at least) the recent C220 / C225 images (only one squashfs is found and it's incomplete / doesn't match the image size). The flasher in the firmware is still somewhat trivial (so I don't expect much structure). My images should be decrypted fine, because enough checksums match. They might shuffle some data around though.
• I have Python code to download the configuration and some logs from the device. I didn't try the upload-configuration call yet. It's possible that some config option is exploitable if it gets plugged into a dangerous syscall.
• The firmware images contain a list of supported OEM IDs and HW IDs in their header, so it's fairly easy to enumerate all devices.
• There are hints in the old flasher that older firmwares also differ between different vendor-IDs (tplink is vendor 0x0, but there are also other vendor IDs).
• Newer firmwares are monolithic (most tplink stuff is in a single binary) which is probably bad for reliability; it also means most security issues stemming from system, fork/exec and popen are gone.
• Newer firmwares contain tmp (see https://github.com/ropbear/tmpcli); I have started documenting some of it but was too scared to try it. There's a business ID which allows to run scripts from /etc/scripts (an empty folder on the filesystem?); it might be exploitable.
• Once booted into linux, firmware upgrades can be done in these ways (all untested):
  • From SD card (firmware image stored on SD)
  • By modifying download_url and triggering a fw update (camera downloads image)
  • By HTTP request (firmware image attached to request)
• Particularily with at least the SD upgrade method - if I read the code correctly - the camera also runs a shell script from SD after installation (!), this seems to happen independently of success (I'd prefer a way which works OTA, but SD is a fallback for me). I have yet to try this. (Edit: https://github.com/najashark/tplink-tapo-c225-re/issues/1#issuecomment-1853203007 @najashark also found this and created a payload)
• The camera has a capable ONVIF interface which allows some features which aren't exposed in the app (the ONVIF is mostly talking to the DS services though).
• There might be bugs in P2P and relayd which could be exploited, but I haven't had time (or motivation) to look.

I hope I get around to cleaning up my code and notes sometime around Christmas.
I plan to set up a GitHub Actions daily CI task to fetch the latest firmware by using donor device IDs.
Note that it might be easy to hack your device if your device ID is public.

Generally I'm confident this could make a good cloud-less camera now:

• You can probably upgrade after downloading images with your PC
• We can analyze firmware images before installation
• There might be ways to gain shell access (still)

[hitesh9811]

Hey can we connect over a call today I would really like to understand few of the stuff that you mentioned since I am new in IoT and hardware pentesting

[b33fstrogan0ff]

Wow nice work, I'll never get to that level. Amazing stuff 🙌

[PrennerProducts]

could you tell me how i can download the firmare Tapo C100(EU)_V4_1.3.9 Build 231019
My mac: 5C-9E-31-00-02-9A
S/N: 22382T1004649
I am not shure what my DeviceId is or wher i find it.
Thank you for your help and support.
kind regards

[PrennerProducts]

for my tapo C100 (V4) the username root dose not work.
Does anybody know the login for my device?
Or how to download the firmware so that i can search it in the firmware.

[b33fstrogan0ff]

Read the posts here and what I said above, you need to intercept the requests from the mobile app, then you'll be able to find the URL download link for the firmware, otherwise just look at the link I shared above, I don't think there would be much difference between the C100 and C200 firmware.

[PrennerProducts]

ok i will try to catch the downloadurl, i dont know about the diferences, at least the login shell username and password is not suitable for the c100 V4.

[JayFoxRox]

You didn't even say which login you attempted (username/password and how/where).

There's different passwords, probably depending on the chipset.
The passwords for the root user that I'm aware of are:

• slprealtek
• slplzgjipc (unconfirmed)
• slpmstar

Those should be the login for the shell / local telnet.
The ds/ endpoint and camera specific functionality have different accounts that are at least partially controlled by the app.

For documenting the firmware URL (which you should still do) you can repeat my steps from DrmnSamoLiu/Tapo_Camera_Firmware#9 (although I would recommend to avoid startFirmwareUpgrade) using pytapo.
I then suggest to submit your firmware URL at DrmnSamoLiu/Tapo_Camera_Firmware#11.
Even if you download a recent firmware, it will be encrypted (and my tool to decrypt the firmwares is not public yet).

[polpilt]

On a C100 v1 I have the same symptom after failed firmware upgrade, only IR leds on. I've followed your instructions but setting the range in the 192.168.0.0/24 doesn't work. Nothing there. So I've tried DHCP and it turns that the camera assignes my computer a 192.168.1.12 adress with a default route 192.168.1.1. But that's all, it doesn't respond to ping in that adress. I've scanned the range with nmap and it's empty. Is there a way to flash the firmware through telnet?

[DrmnSamoLiu]

Updates on shell access for who's interested in it:

I confirmed that on a Tapo C210 v2 running firmware v1.3.11 (latest as of today), serial console login is disabled by TP-Link.
The credential is still root/slplzgjipc, but you will get Login incorrect right after entering username, even without the chance to enter a password.

Another thing is that the "Bypass login by modifying Uboot env" way mentioned at the beginning of this thread and in my blog won't work too, because someone stole it for a CVE

TP-Link patched how the busybox login and Uboot works, which I won't elaborate here so I don't give them more ideas. Just to let anyone here and in the future know that things had changed a bit and previous discussions in this thread might not work anymore.