Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security Cameras? #4

Open
omniparker opened this issue Jan 2, 2019 · 244 comments
Open

Security Cameras? #4

omniparker opened this issue Jan 2, 2019 · 244 comments

Comments

@omniparker
Copy link

I was wondering if the Tuya Security Camera's may be possible. They work within the same app and I am able to get id and key in the normal manner. I tried to get the signature but don't see it in my logs.
I bought the Mercury Security Camera from Walmart. It adds to the Tuya App like everything else. Would it be possible? What can I provide to help if it would be possible.
@EvolvingParty
Copy link

EvolvingParty commented Jan 2, 2019 via email

@omniparker
Copy link
Author

Where did you get the log?

@EvolvingParty
Copy link

I followed these instructions https://github.com/AMoo-Miki/homebridge-tuya-lan/wiki/Setup-Instructions It was a little complicated getting the Certificate installed on my Mac, scanning the QR code, setting up the proxy in the iPhone internet settings, trusting the certificate in the general settings, then Open the Tuya Smart app; if it was already open, pull the screen down to refresh. In a few seconds, you would be shown an error dialog about your network connection; that is exactly what we want. A bunch of id and key combinations will be shown on the terminal;, below the QR code you scanned earlier.

It is time consuming and I was using a Mac and an iPhone, If your on windows or something it won't be the same.

@EvolvingParty
Copy link

EvolvingParty commented Jan 2, 2019
edited
Loading

Check out my issue over here - #2
Shows what I provided and how he made it work within a few days. He was great.

@AMoo-Miki
Copy link
Owner

Cameras would need some more tinkering than normal devices. The Walmart near me seems to have this in stock. I will try to get one and see what I can get from it.

Just to make sure, is it Merkury Innovations Smart WiFi 720P Camera for $25-ish?

@EvolvingParty
Copy link

EvolvingParty commented Jan 2, 2019 via email

@omniparker
Copy link
Author

Yeah that is the one. It’s a decent little one that works well in the main app. And I have a ton of other outlets and bulbs it’s getting the signature that I’m having trouble with.

@AMoo-Miki
Copy link
Owner

AMoo-Miki commented Jan 2, 2019
edited
Loading

Just got back from Walmart with the camera :) I will fiddle with it tonight so don't worry about the signature.

PS. the camera is very unstable; I get encryption errors every other time I try to open it in the app. I will keep digging.

Update 1: This camera doesn't advertise itself; it might make sense for no Tuya cameras to advertise their existence as they all seem to use static passwords that are the same across the a brand or model. Because of this, it is necessary to identify the IP address of the camera manually. While I am able to communicate with the camera, I havn't been able to pull the stream with the credentials if admin/root with ad2c6d47 as it doesn't accept my credentials. I will need some time to figure this out.

Note to self
Exposed params are:
101 LED Indicator (Boolean)
103 Flip (Boolean)
104 Watermark (Boolean)
106 Motion Sensitivity (Enum of 0, 1, 2)
109 SD Size Total|Used|Remaining
110 SD Status (Enum of 1: Normal, 2: Fault, 3: Low Space, 4: Formatting, 5: Missing)
111 SD Format command
115 Alert Image
117 SD Format Status (-2000: Busy Formatting, -2001: Formatting Error, -2002: No Card, -2003: Access Fault, any +ve number Busy)
134 Motion Detection (Boolean)

Open ports: 80, 6668, 8554
Common password: ad2c6d47 (doesn't work with usernames root or admin)

@omniparker
Copy link
Author

omniparker commented Jan 2, 2019 via email
edited
Loading

@AMoo-Miki
Copy link
Owner

:) thanks. If only I find a way to break into my camera, all will be fine. I will keep you posted.

@omniparker
Copy link
Author

I was just wondering if the QR code is giving the username and password to communicate with the camera. instead of being a preset user name and password it would be the account username and password or an auto generated username and password linked to the user account.

@AMoo-Miki
Copy link
Owner

The QR gives information from the phone to the camera for initialization and it is not the same as the one used for communicating with the camera. From what I have learned, it is probably going to take some time before I can find a way to pull the AV stream; I have reached out to the manufacturer but havn't heard back. As soon as I hear anything, I will implement it and post here to let you know.

@AMoo-Miki
Copy link
Owner

The support guys from the manufacturer replied to me, essentially saying they won't provide the access mechanism. I will leave this open till I find a way.

@mdm007oh
Copy link

Just an FYI I purchased a couple Geeni cameras from Walmart and tried to install them on the TuyaSmart app and I was able to view live footage but when I tried to view them thru playback they would not work. Although I have 15 Geeni lights that work flawlessly with the TuyaSmart app along with tuya light platform.

@omniparker
Copy link
Author

Yes. It only does the recorded playback in the Geeni app. Which also does not use a QR code to pair it just locates the camera the same way as other devices. I was able to catch the traffic and add the ID and key from the geeni app and homebridge now recognizes them but can not connect to the device. It gives the same error as an unplugged outlet.

@AMoo-Miki
Copy link
Owner

I have been too lazy and occupied with a couple of other projects. Having a mac would help; a friend will be giving me one tomorrow, if they remember.

@THALLIVA
Copy link

Hello @AMoo-Miki, were you able to pull the stream from Tuya Camera ?
I think this would help..
http://helpdesk.cctvdiscover.com/network/rtsp_stream.html

@Benni1982
Copy link

Benni1982 commented May 7, 2019
edited
Loading

would love to hear you successed with it ;)
keeping an eye on it.

@AMoo-Miki
Copy link
Owner

Bad news. The cameras that I got my hands on, don't even respond over LAN.

To see if yours do, on your phone, edit your WiFi settings by hitting the tiny blue i on the right side.

  1. Tap on Configure DNS
  2. Change to Manual
  3. Delete all the entries under the DNS Servers
  4. Add some fake IP like 10.0.0.253
    This will prevent your phone from being able to talk to Tuya's Cloud network, forcing it to communicate with your devices over your LAN.
  5. Now close the Tuya app if it was open and reopen it.
  6. Open your camera.

If it works, please let me know the model so that I can buy it and see if I can make it work.

Don't forget to change your WiFi's DNS configuration back to Automatic after you are done testing.

@ankurp
Copy link

ankurp commented Nov 2, 2019

Let me know if I can help. I want to be able to stream the tuya camera and maybe also get motion detection so can make it work as motion detection device also in homekit. I have the following camera and can help debug as it prompt for username and password when trying to access the camera via IP address. https://www.walmart.com/ip/Merkury-Innovations-Smart-WiFi-720P-Camera-with-Voice-Control/835969619

@Axehole54
Copy link

Guys, I have searched for information on how to add my Geeni (Merkury offshoot) doorbell camera to my camera monitoring software (ISpy) exhaustively. My workaround was to use the Geeni app to setup the camera and connect it to my router. Once connected and working through their terrible app I was able to find the IP with Search tool and load it in the browser. User ID is "Admin" Password "admin". I suspect all of Merkury products would share similar characteristics.
Screenshot_20191118-131338_Chrome

@ankurp
Copy link

ankurp commented Nov 18, 2019 via email

@Jordan-Jarvis
Copy link

Jordan-Jarvis commented Feb 1, 2020
edited
Loading

So on the back of the PCB there are four UART pads. You can see them directly above the sd-card slot, I connected to them with an arduino during boot using 115200 baud and got the following output:

U-Boot 2013.10.0-AK_V2.0.03 (Jul 31 2019 - 16:11:47)

DRAM:  64 MiB
8 MiB
ANYKA SDHC/MMC4.0: 0
PPS:Jul 31 2019 16:11:49   anyka_c2:  1 ��� 0 
magic err
magic err
 Booting kernel from Legacy Image at 81808000 ...
   Image Name:   Linux-3.4.35
   Image Type:   ARM Linux Kernel Image (uncompressed)
   Data Size:    2076240 Bytes = 2 MiB
   Load Address: 81808000
   Entry Point:  81808040
   Verifying Checksum ... OK
   XIP Kernel Image ... OK

Starting kernel ...

Uncompressing Linux... done, booting the kernel.
Meari Linux Kernel Version: 2.5.02

Unfortunately, it was not the gold mine I was hoping for. I am unable to send commands as I think this interface is locked down.
Then I looked up the FCC filing and found some useful information about the chips used as my camera had the markings smudged and I couldn't read it.
Link to the listing here.
I found that the storage was a 64byte wide 8 MB chip that I was able to dump using a ch341a USB to serial converter.
Attached is the dump, I can open it with 7-zip and see a lot of files including init stuff and other Linux related things. The problem is I don't see a shadow or passwd file anywhere. If someone knows more about Linux than I do please let me know. I would love to make a custom bin file to flash to the chip to gain more access. If we can get in and enable something like telnet then we would be able to get the hashes and run it through John the Ripper. If anyone wants to look at the bin file for themselves you can download it here.

Another note, it looks like a user named fjb is the owner of the files. Maybe a lead on a username?

Last thing. The SOC used in this camera is actually used in a lot of cameras, modifying a firmware of another camera that has onvif may also be an option. Just a thought.

@Jordan-Jarvis
Copy link

Good news! I was able to find the hash in a jffs2 filesystem using binwalk. Luckily it is MD5 which is pretty weak. I don't have access to massive amounts of computing power to crack this password so let me know if you do and are willing to help out and hopefully we can get in to these things. I also found another hash for an Apache login. Probably the password we are looking for to enable an onvif stream. In any case. I will make the extracted bin available as soon as I can.

With this dump we can also dig around for other vulnerable areas like specific sites or ip's it gives extra access to or firmware update sites it may have. In any case. This thing shouldn't be too tough to crack wide open. For the now 19$ camera, I am hopeful it can act more like a 100$ camera with a little help from the community.

@cbytestech
Copy link

SO GLAD I FINALLY FOUND THIS THREAD! Only found after wireshark the geeni cam and finding port 8554 was open(hidden from nmap..)

@Jordan-Jarvis
Copy link

https://github.com/da-ha3ker/Merkury-Smart_cam-720p-work
I uploaded the extracted bin. I am not super good at extracting data from these types of files and I am sure there is more that I have not found. I had to compress the folder named _7373C.extracted to upload it to GitHub, but if you use 7zip or WinRar you can extract it again. The hard part of aligning the partitions was already done so they are just the files. Please dig into these files. The hash is available in the _7373C.extracted/etc/passwd file. There is only one user, that being root. I think there are more jffs2 files we don't have access to though, including JSON files and web configuration information.

@cbytestech
Copy link

cbytestech commented Feb 7, 2020
edited
Loading

ok so I dont know if I'm behind the curve or not but here's what I've found

@Jordan-Jarvis
Copy link

Jordan-Jarvis commented Feb 8, 2020
edited
Loading

Cbytestech, I did not know about the ftp port and I will check it today, thank you for the help and keep up the good work. So I have an idea that probably won't work but if anyone knows please tell me. Can I just replace the root hash and salt with my own if I generate it using Linux md5 settings? Like if I change it in the passed file then flash the bin back to the camera then try logging in with my own password? The partitions aren't encrypted and I am not super familiar with how Linux password management works.

Also, CBytesTech, if you want to have the hash cracking go faster than 300ish kilohashes per second, Hashcat may be a better option. It is one of the fastest windows hash crackers available, you can probably get around 1megahash per second on CPU alone. You can also enable GPU acceleration to get between 2 and 25ish megahashes per second per GPU. I only have a laptop for school and it overheats when I try to crack a pass for more than about 10 minutes so your help is greatly appreciated, and if you are more comfortable with what you are using then just stick with that. If you want the link to Hashcat it is https://hashcat.net/hashcat/ it is free as well. I know the software you are using has limitations unless you pay as I have tried using it a few times in the past due to its friendly interface.
In any case, thank you for pitching in, it is greatly appreciated.

@scoobaspeaz
Copy link

Following this because im thinking about getting one of these cameras if someone can make it work.

@cbytestech
Copy link

Thanks man for the tip! its running right now! had to get rid of the intel OpenCL stuff but its up and running. found it to be a bit salty md5.
hashcat64.exe -m500 -a3 -o cracked.txt hash.txt

its going through right now.

Honestly linux is pretty user friendly contrary to popular belief. I believe IF YOU CAN flash it back to the cam, a custom password would work, BUT if not it'll prob rewrite it back to default.. so no pain if you try it... let me know!

@russinnes
Copy link

Everything mostly works fine on the Energizer Connect doorbell (bell5s clone). The ppsapp / ppsapp-rtsp in the repo caused a kernel panic I'm assuming, device frozen. The referenced ppsapp with rtsp for 720p cams would crash, but continually get reloaded via the ./config.sh loop, so the device doesnt freeze up at least. In the latter scenario, the device had to be re-paired with the app, like it lost its config contents. This worked a few times, now does not. This has however created an interesting problem, the device (which was registered in tuya/energizer connect (same service)), now shows as registered to another user and needs to be unbound from that user before I can pair it again to my app(s). I havn't had a chance to dig in to it, perhaps ppsapp updates the tuya .db located on the device. I'll dig in to it and report what I find.

@lesleyvanrijn lesleyvanrijn mentioned this issue Dec 12, 2020
Open
@ghost
Copy link

ghost commented Dec 13, 2020

Commenting to follow. i want my geeni cams in ispy!

@guino
Copy link

guino commented Dec 20, 2020

@ADLARSystems did you check guino/BazzDoorbell#2 ? Depending on the firmware there's a good chance that it would work (and I would like to know if it does).

@ghost
Copy link

ghost commented Dec 20, 2020

It does not, I have the 720p wifi merkury cams. They are compatible with the tuya app but that did not work sadly.

@guino
Copy link

guino commented Dec 20, 2020

@ADLARSystems I assume you tried it and the process failed in some step, do you mind sharing what step failed? If steps 1-6 worked but step 7 failed (the script didn’t run) I may have an alternate solution to work on.

@ghost
Copy link

ghost commented Dec 21, 2020

Step one was a failure. Tried to go to the address of the camera using the given string reference and was given an error instead of the code.

@ghost
Copy link

ghost commented Dec 21, 2020

To be more specific error was connection refused.

@guino
Copy link

guino commented Dec 21, 2020

@adamsweet Thanks for the feedback, I may try to redesign the whole thing to support more devices.

@guino
Copy link

guino commented Jan 4, 2021
edited
Loading

@ADLARSystems check out https://github.com/guino/Merkury720 for your merkury 720P cameras -- that may work even if you get no response on the browser (worth a shot).

@StuDaBaiker
Copy link

@ADLARSystems check out https://github.com/guino/Merkury720 for your merkury 720P cameras -- that may work even if you get no response on the browser (worth a shot).

Thanks for this! I will be picking up a microSD and taking a shot at it

@norbeta
Copy link

norbeta commented Jan 27, 2021

I have the Nedis SmartLife Pan/Tilt outside 1080p camera.
It got a new firmware today, version 2.9.8. The release notes stated that it should now have ONVIF support.
It's detected in the ONVIF device manager, but unable to show settings or stream.

model: Speed 2S softwareversion: 2.9.8 hardwareversion: S2S_H1_V10_2063 firmwareversion: ppstrong-c51-tuya2_teco-2.9.8.20201120

@guino
Copy link

guino commented Jan 27, 2021

@norbeta I would try the admin:admin as user:password along with the URLs posted here guino/BazzDoorbell#2 (comment) to see if ONVIF/RTSP works out of the box. Did you see anything in the app to configure the user/password for ONVIF ? If so I would try whatever is configured in the app with the mentioned URLs too.

I wouldn't mind getting a copy of that ppsapp/firmware to see what else they may have changed but many users already use ONVIF/RTSP with 2.9.7 by editing the tuya_config.json file in the device (requires hack/rooting as described in guino/BazzDoorbell#2).

@guino
Copy link

guino commented Feb 9, 2021

@ADLARSystems @norbeta @StuDaBaiker We found a way to get the firmware to open port 80 that may work on your devices to display the settings using links such as http://admin:056565099@IP/devices/deviceinfo -- here's what you can try:

RIGHT CLICK this link: https://github.com/guino/Merkury720/raw/main/ppsFactoryTool.txt select "Save as.." and save this file to the root of the fat32 formatted SD card. EDIT the file (do NOT create it new and do NOT copy/paste the contents of it) and modify only the ssid and password (the file requires specific format to work). When the device detects the file (in the right format) it will disconnect and re-connect the wifi (to the wifi specified) and will OPEN port 80 so the http://admin:05656... links work.

If the above works there's a good chance you can enable RTSP on your device using either https://github.com/guino/Merkury720 (2.7.x firmware) or guino/BazzDoorbell#2 (2.9.x and 2.10.x firmware).

@norbeta
Copy link

norbeta commented Feb 9, 2021

@ADLARSystems @norbeta @StuDaBaiker We found a way to get the firmware to open port 80 that may work on your devices to display the settings using links such as http://admin:056565099@IP/devices/deviceinfo -- here's what you can try:

This already works in my camera. I've done some research on my camera with regards to the ONVIF support, but still no luck there.
I don't have the possibility to root my camera as the SD-card is soldered on the board.

@guino
Copy link

guino commented Feb 9, 2021
edited
Loading

@norbeta I suppose the only option to get into your camera would be to open it and insert an SD card -- a lot of 'bullet' and 'outdoor' devices require opening the device to insert the SD card (some have an access panel just for that - which also requires removing screws.

@Sirezul
Copy link

Sirezul commented Mar 6, 2021
edited
Loading

Does anyone have some information about this type of firmware? It seems like RTSP is activated by default, as it's asking for a password. But neither 'admin:admin' or 'admin:5...' are working.
Thanks in advance :)

{
	"devname":	"Smart Home Camera",
	"model":	"Speed 2S",
	"serialno":	"057042399",
	"softwareversion":	"2.1.9",
	"hardwareversion":	"S2S_V14_2235",
	"firmwareversion":	"ppstrong-c2-tuya2_pearl-2.1.9.20190413",
	"uuid":	"DTT3VN12PCBE4RAA111A",
}

@guino
Copy link

guino commented Mar 6, 2021

@Sirezul I would try admin:057042399 (your serial number). Not having a copy of that firmware it is hard to know what could be used as password on such “older” version (granted the date is not so old).

@guino
Copy link

guino commented May 31, 2021

@MarcusAlmert I have looked at the code from their devices main application (ppsapp) and the last I remember the rtsp feed used from the cloud is encrypted, so just having the URL would not be enough to make it work. If you want to go that route your best bet is to decompile the phone app and copy the decryption code from there.

In my case (and many other models) where standard non-encrypted RTSP or ONVIF was just disabled in the app it was far simpler to just modify ppsapp to enable it than trying to write code to decrypt it (which bear in mind would not make it compatible to homebridge or any other software unless you wrote some sort of bridge connection). We have now dozens of models and and numerous firmware versions patched working with RTSP and/or ONVIF, adding more models is just a matter of having a sample device available to work on a solution.

@guino
Copy link

guino commented May 31, 2021

@MarcusAlmert at this time I have not seen anyone open/fiddle with that board/firmware. Assuming ppsFactoryTool.txt and ppsMmcTool.txt don’t work someone would have to open a device and connect to the serial port and/or use a hardware programmer to try and gain access.

@braidenwhite
Copy link

@misterdubs Did you ever get the RTSP stream working? I have been looking for a solution for the MI-CW017, but have had no luck with what I have tried. Do you care to point me in the right direction or give me the steps that worked for you? Thanks!

@cbytestech
Copy link

https://searchsecurity.techtarget.com/definition/Wi-Fi-Pineapple

Has anyone tried using a pineapple to capture packets from the time it starts up?

@sk3pt1kul
Copy link

Actually I have a pineapple sitting on the desk. Give me a few days and I'll link a packet capture if you want. I only have the $25 720p Mercury camera with all firmware updates installed.

@cbytestech
Copy link

cbytestech commented Jul 29, 2021 via email

@Justin-secure
Copy link

Not sure what device you might be working with or what version of the firmware, but this looks promising.
https://research.fit.edu/media/site-specific/researchfitedu/iot-lab/Geeni_Disclosures.pdf

@cbytestech
Copy link

cbytestech commented Jul 30, 2021 via email

@Justin-secure
Copy link

https://github.com/sk3ptikul/Geenie-vulnerability.git
no doubt. I grabbed screen shots of it...

https://github.com/sk3ptikul/Geenie-vulnerability.git

@Justin-secure
Copy link

You may have a different device or firmware, but the backdoor wasn't accidental, I'd be willing to bet that it's still present, only harder to find or with different credentials.

@cbytestech
Copy link

cbytestech commented Jul 31, 2021 via email

@cjj25
Copy link

cjj25 commented May 21, 2022

@Mrdindon or anyone wanting to enable RTSP on a Realtek RTS3903N camera, I've created a backdoor patch that will enable the service here: cjj25/RTS3903N-Tuya-RTSPServer

The vulnerability / payload (see /sdcard/tuya) folder might work on other Tuya cameras?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests