Merkury720P 2.7.10 firmware rooting struggle #29

Closed
mascencerro opened this issue Mar 14, 2023 · 11 comments

@mascencerro

I'm not sure if this is a me issue, card issue, or issue issue.

This is a "new" device that has never been connected to a capable internet connection or the app. I have connected UART for logging via FTDI USB.

Here is the output from /devices/deviceinfo:

{
"devname":"Smart Home Camera",
"model":"Mini 7C",
"serialno":"1050xxxxx",
"softwareversion":"2.7.10",
"hardwareversion":"M7C_AK_V10_GC4",
"firmwareversion":"ppstrong-a2-tuya2_geeni-2.7.10.20220105",
"authkey":"u1xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"deviceid":"tstj4xxxxxxxxxxxxxxx",
"pid":"aaa",
"WiFi MAC":"30:8e:xx:xx:xx:xx"
}

/proc/cpuinfo:

Processor	: ARM926EJ-S rev 5 (v5l)
BogoMIPS	: 199.06
Features	: swp half fastmult edsp java 
CPU implementer	: 0x41
CPU architecture: 5TEJ
CPU variant	: 0x0
CPU part	: 0x926
CPU revision	: 5

Hardware	: SKY39EV2_AK3918E80PIN_MNBD
Revision	: 0000
Serial		: 0000000000000000

/proc/mounts:

rootfs / rootfs rw 0 0
proc /proc proc rw,relatime 0 0
sysfs /sys sysfs rw,relatime 0 0
tmpfs /dev tmpfs rw,relatime 0 0
devpts /dev/pts devpts rw,relatime,mode=600,ptmxmode=000 0 0
/dev/mtdblock6 /home/cfg jffs2 rw,relatime 0 0
/dev/mmc01 /mnt/mmc01 vfat rw,relatime,fmask=0022,dmask=0022,codepage=cp437,iocharset=iso8859-1,shortname=mixed,errors=remount-ro 0 0

/proc/cmdline (missing exploit content):
mem=64M console=ttySAK0,115200n8 mtdparts=spi0.0:256k(bld)ro,64k(env)ro,64k(enc)ro,64k(sysflg)ro,2496k(sys),4608k(app),640k(cfg) ppsAppParts=5 ip=192.168.1.99:::255.255.255.0 eth=00:55:7b:b5:7d:f7

I have tried multiple env and ppsMmcTool.txt combinations and modifications to addresses and the like.

Following the instructions along, it appears I may be having issues with the SD card not booting, but I want to check for insight.

I've also tried reading the flash with info gathered from BazzDoorbell #2 and BazzDoorbell #11.

When trying to boot to root the device by holding reset while powering up, I have the following output consistently:

U-Boot 2013.10.0-AK_V2.0.03 (Jan 05 2022 - 14:37:18)

DRAM:  64 MiB
8 MiB
ANYKA SDHC/MMC4.0: 0
PPS:Jan  5 2022 14:37:31   anyka_c2button
cmd:fatload mmc 0 0x81808000 ppsMmcTool.txt 3FC
send cmd 8 error, status = 2004
block rw command 8 is failed!
MMC: ak mmc mmc_send_if_cond Err!
** Bad device mmc 0 **
resetting ...
heartbeat = 1
m▒

U-Boot 2013.10.0-AK_V2.0.03 (Jan 05 2022 - 14:37:18)

DRAM:  64 MiB
8 MiB
ANYKA SDHC/MMC4.0: 0
PPS:Jan  5 2022 14:37:31   anyka_c2magic err
magic err
## Booting kernel from Legacy Image at 81808000 ...
   Image Name:   Linux-3.4.35
   Image Type:   ARM Linux Kernel Image (uncompressed)
   Data Size:    2084672 Bytes = 2 MiB
   Load Address: 81808000
   Entry Point:  81808040
   Verifying Checksum ... OK
   XIP Kernel Image ... OK

Starting kernel ...

Uncompressing Linux... done, booting the kernel.
Meari Linux Kernel Version: 2.5.02

I'm able to add ppsFactoryTool.txt to the root of the drive and it connects to my AP of choice, so it is able to read the card. However, any attempt to make it read the flash or access /proc/self/root/mnt/mmc01/hack with results has been fruitless.

I have tried partitioning and formatting combinations using Windows and Linux with no change in results.

Would it be safe to assume from the following that the card may be having boot issues and I need to try a different card, or is this device one that would require a programmer to root? I had seen another issue with what appeared to be the same firmware, and their device was farther along in the process with patching issues.

cmd:fatload mmc 0 0x81808000 ppsMmcTool.txt 3FC
send cmd 8 error, status = 2004
block rw command 8 is failed!
MMC: ak mmc mmc_send_if_cond Err!
** Bad device mmc 0 **
resetting ...

mascencerro changed the title from "Merkury720P 2.7.10 firmware booting struggle" to "Merkury720P 2.7.10 firmware rooting struggle" on Mar 14, 2023

@guino
Owner

guino commented Mar 14, 2023

@mascencerro from your outputs this does look like a bad/incompatible SD card. I have seen many cases of devices not liking specific brands or even just the partitioning/formatting on the SD card. Please try a different SD card and make sure it is formatted as FAT32 (you can also try formatting it from the phone app but you said you have not connected it).

In the UART log, do you see the 'countdown' where you can press a key to stop booting? If so, send me an email (my address is in my GitHub profile) and I can give you some pointers.

I'll tell you in advance that once the device is rooted, it will not fully boot the application until it has been paired with the phone app (even if we make an offline patch for it). The phone pairing does some registration/preparation of the device required for it to boot 100% otherwise it just stays in some 'factory mode' waiting for setup. I do not believe this has anything to do with your SD card issue but wanted to make sure you know about it.
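
How the diagnosis above can be read off the UART capture, as an added example that is not part of the original thread: it splits the log into boot attempts at each U-Boot banner, decodes the `fatload` arguments (U-Boot parses them as hex) and reports which SD command failed. The function names and stage labels are made up for this example; the log text is abridged from the opening post.

```python
import re

# UART capture from the opening post, abridged to the lines used below.
UART_LOG = """\
U-Boot 2013.10.0-AK_V2.0.03 (Jan 05 2022 - 14:37:18)

DRAM:  64 MiB
8 MiB
ANYKA SDHC/MMC4.0: 0
PPS:Jan  5 2022 14:37:31   anyka_c2button
cmd:fatload mmc 0 0x81808000 ppsMmcTool.txt 3FC
send cmd 8 error, status = 2004
block rw command 8 is failed!
MMC: ak mmc mmc_send_if_cond Err!
** Bad device mmc 0 **
resetting ...
heartbeat = 1

U-Boot 2013.10.0-AK_V2.0.03 (Jan 05 2022 - 14:37:18)

DRAM:  64 MiB
8 MiB
ANYKA SDHC/MMC4.0: 0
PPS:Jan  5 2022 14:37:31   anyka_c2magic err
magic err
## Booting kernel from Legacy Image at 81808000 ...
   Image Name:   Linux-3.4.35
Starting kernel ...
"""

BANNER = re.compile(r"^U-Boot \d", re.M)
# fatload <interface> <dev> <addr> <filename> [bytes]
FATLOAD = re.compile(
    r"^cmd:fatload (\w+) (\S+) (\S+) (\S+)(?: ([0-9a-fA-F]+))?", re.M)
CMD_ERR = re.compile(r"^send cmd (\d+) error, status = (\w+)", re.M)


def split_boots(log):
    """Cut the capture into one chunk per U-Boot banner (one boot attempt)."""
    starts = [m.start() for m in BANNER.finditer(log)]
    return [log[a:b] for a, b in zip(starts, starts[1:] + [len(log)])]


def parse_fatload(boot):
    """Decode the SD load command the boot loader echoed, if any."""
    m = FATLOAD.search(boot)
    if not m:
        return None
    iface, dev, addr, fname, count = m.groups()
    return {"interface": iface, "device": dev,
            "load_addr": int(addr, 16), "file": fname,
            "max_bytes": int(count, 16) if count else None}


def classify(boot):
    """Label one boot attempt by how far the SD-card path got."""
    load = parse_fatload(boot)
    err = CMD_ERR.search(boot)
    if load is None:
        stage = "no-sd-load-attempted"      # reset button path not taken
    elif err or "** Bad device" in boot:
        stage = "card-init-failed"          # card rejected before file access
    else:
        stage = "sd-load-no-error-seen"
    return {"fatload": load,
            "failed_cmd": int(err.group(1)) if err else None,
            "stage": stage,
            "kernel_started": "Starting kernel ..." in boot}


def triage(log):
    return [classify(b) for b in split_boots(log)]


if __name__ == "__main__":
    for n, result in enumerate(triage(UART_LOG), 1):
        print(n, result)
```

Command 8 failing alongside `mmc_send_if_cond Err!` places the fault at card identification, before any file on the card is read, which points at the card itself rather than the contents of ppsMmcTool.txt.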

@mascencerro
Author

mascencerro commented Mar 14, 2023

> @mascencerro from your outputs this does look like a bad/incompatible SD card. I have seen many cases of devices not liking specific brands or even just the partitioning/formatting on the SD card. Please try a different SD card and make sure it is formatted as FAT32 (you can also try formatting it from the phone app but you said you have not connected it).

I'm sure it's formatted as FAT32; I have tried within Windows with the GUI and from the command line, as well as in Linux with mkfs.vfat.
I was hesitant to set it up with the app to prevent irreversible changes from some auto update, but from the sound of it pairing will be required anyway for functionality. I'm working on some other Tuya devices with Beken chips that have a tendency to make it more difficult to exploit the device once paired and they update. I will set it up with the app after a bit when I work on it again and see where it can lead.
The card I'm currently using is a Lexar C10/UHS-I 32G card, for reference.

> In the UART log, do you see the 'countdown' where you can press a key to stop booting? If so, send me an email (my address is in my GitHub profile) and I can give you some pointers.

What I posted from the UART output is all there is. No countdown, no prompt, nothing. It attempts to boot, fails with the block rw command 8 is failed! error, then immediately continues to the rest to the end of the log and no further messages. It doesn't matter if I hold reset during initial power, or hold it in resetting the device and continue to hold till boot, I get the same output.

> I'll tell you in advance that once the device is rooted, it will not fully boot the application until it has been paired with the phone app (even if we make an offline patch for it). The phone pairing does some registration/preparation of the device required for it to boot 100% otherwise it just stays in some 'factory mode' waiting for setup. I do not believe this has anything to do with your SD card issue but wanted to make sure you know about it.

I was hoping to be able to read the firmware prior to pairing and investigate the pairing requirement, but have had no luck reading as you can see. I'll see if I can find a different brand/model of SD card, then move onto pairing the device and see what I can turn up from that.

I don't have a programmer, but do have a rPI I can use if you happen to know a method to pull the firmware that way through SPIO.

@guino
Owner

guino commented Mar 14, 2023

@mascencerro The countdown I mentioned is something that should show up on 'normal' boot (without pressing reset), it only shows something like 'some message 2..1..0' <- if you press a key there it may show a prompt.

You should be able to root it and get a copy of the flash (i.e. guino/BazzDoorbell#11) before first registration, that is: if you can get your SD card working in the boot loader. I have a device which doesn't like the 'best' SD card I have (Industrial grade) but works fine with the cheaper ones, so you never know (the cheap Samsung cards seem to work on most of my devices) -- all my cards seem to work after the device boots, it is just the boot loader that is picky.

At least on the tuya cameras, it seems that the 'reset' procedure does a decent job in reverting the device to 'factory' state -- it may not be perfect but there's no 'visible' difference between a device that is brand new and a device that's just been reset.

@mascencerro
Author

mascencerro commented Mar 14, 2023

> @mascencerro The countdown I mentioned is something that should show up on 'normal' boot (without pressing reset), it only shows something like 'some message 2..1..0' <- if you press a key there it may show a prompt.

Yeah, I get no countdown on normal boot, just loads directly but without the section where the fail occurs.

> You should be able to root it and get a copy of the flash (i.e. guino/BazzDoorbell#11) before first registration, that is: if you can get your SD card working in the boot loader. I have a device which doesn't like the 'best' SD card I have (Industrial grade) but works fine with the cheaper ones, so you never know (the cheap Samsung cards seem to work on most of my devices) -- all my cards seem to work after the device boots, it is just the boot loader that is picky.

I've tried several different methods and changes mentioned in the BazzDoorbell issue, along with address changes and adjustments, but always with same result. I'm thinking it doesn't like this cheapo card and I'll look around town for a different brand to try.

@mascencerro
Author

Update: with a different card (PNY) I am able to make some progress. I think it read the flash and binwalk is doing its thing now extracting. There were some messages in UART output while reading flash that led me to believe there might be problems with the read, but I'll see what extraction produces and get back.

@mascencerro
Author

It appears using a different card (slightly more expensive card) was the ticket.
Output from tree after extraction for those interested:

.
├── 2E0000.cramfs
├── 7365F.xz
├── 7373C
├── _7373C.extracted
│   ├── 3034BC
│   ├── _3034BC.extracted
│   │   ├── 0.cpio
│   │   └── cpio-root
│   │       ├── bin
│   │       │   ├── ash -> busybox
│   │       │   ├── busybox
│   │       │   ├── cat -> busybox
│   │       │   ├── chgrp -> busybox
│   │       │   ├── chmod -> busybox
│   │       │   ├── chown -> busybox
│   │       │   ├── cp -> busybox
│   │       │   ├── date -> busybox
│   │       │   ├── df -> busybox
│   │       │   ├── dmesg -> busybox
│   │       │   ├── echo -> busybox
│   │       │   ├── false -> busybox
│   │       │   ├── grep -> busybox
│   │       │   ├── iostat -> busybox
│   │       │   ├── kill -> busybox
│   │       │   ├── ln -> busybox
│   │       │   ├── login -> busybox
│   │       │   ├── ls -> busybox
│   │       │   ├── mkdir -> busybox
│   │       │   ├── mknod -> busybox
│   │       │   ├── mount -> busybox
│   │       │   ├── mv -> busybox
│   │       │   ├── netstat -> busybox
│   │       │   ├── ping -> busybox
│   │       │   ├── ping6 -> busybox
│   │       │   ├── printenv -> busybox
│   │       │   ├── ps -> busybox
│   │       │   ├── pwd -> busybox
│   │       │   ├── rm -> busybox
│   │       │   ├── sed -> busybox
│   │       │   ├── sh -> busybox
│   │       │   ├── sleep -> busybox
│   │       │   ├── stat -> busybox
│   │       │   ├── tar -> busybox
│   │       │   ├── touch -> busybox
│   │       │   ├── udevadm
│   │       │   ├── udevd
│   │       │   ├── umount -> busybox
│   │       │   └── vi -> busybox
│   │       ├── boot
│   │       ├── dev
│   │       ├── etc
│   │       │   ├── fstab
│   │       │   ├── fs-version
│   │       │   ├── group
│   │       │   ├── init.d
│   │       │   │   ├── rcS
│   │       │   │   ├── S00devs
│   │       │   │   ├── S01mdev
│   │       │   │   ├── S01udev
│   │       │   │   ├── S80network
│   │       │   │   └── S90PPStrong
│   │       │   ├── inittab
│   │       │   ├── mdev.conf
│   │       │   ├── passwd
│   │       │   ├── profile
│   │       │   ├── protocols
│   │       │   ├── services
│   │       │   ├── shadow
│   │       │   ├── TZ
│   │       │   └── udev
│   │       │       ├── firmware.sh
│   │       │       ├── rules.d
│   │       │       │   ├── 50-firmware.rules
│   │       │       │   ├── 75-cd-aliases-generator.rules.optional
│   │       │       │   ├── 75-persistent-net-generator.rules.optional
│   │       │       │   ├── 90-hal.rules
│   │       │       │   ├── 99-fuse.rules
│   │       │       │   └── device-mapper.rules
│   │       │       └── udev.conf
│   │       ├── home
│   │       ├── init -> sbin/init
│   │       ├── lib
│   │       │   ├── ld-uClibc-0.9.33.2.so
│   │       │   ├── ld-uClibc.so.0 -> ld-uClibc-0.9.33.2.so
│   │       │   ├── libcrypt-0.9.33.2.so
│   │       │   ├── libcrypt.so.0 -> libcrypt-0.9.33.2.so
│   │       │   ├── libc.so.0 -> libuClibc-0.9.33.2.so
│   │       │   ├── libdl-0.9.33.2.so
│   │       │   ├── libdl.so.0 -> libdl-0.9.33.2.so
│   │       │   ├── libgcc_s.so -> libgcc_s.so.1
│   │       │   ├── libgcc_s.so.1
│   │       │   ├── libm-0.9.33.2.so
│   │       │   ├── libm.so.0 -> libm-0.9.33.2.so
│   │       │   ├── libnsl-0.9.33.2.so
│   │       │   ├── libnsl.so.0 -> libnsl-0.9.33.2.so
│   │       │   ├── libpthread-0.9.33.2.so
│   │       │   ├── libpthread.so.0 -> libpthread-0.9.33.2.so
│   │       │   ├── libresolv-0.9.33.2.so
│   │       │   ├── libresolv.so.0 -> libresolv-0.9.33.2.so
│   │       │   ├── librt-0.9.33.2.so
│   │       │   ├── librt.so.0 -> librt-0.9.33.2.so
│   │       │   ├── libthread_db-0.9.33.2.so
│   │       │   ├── libthread_db.so.1 -> libthread_db-0.9.33.2.so
│   │       │   ├── libuClibc-0.9.33.2.so
│   │       │   ├── libutil-0.9.33.2.so
│   │       │   └── libutil.so.0 -> libutil-0.9.33.2.so
│   │       ├── linuxrc -> bin/busybox
│   │       ├── mnt
│   │       ├── nfsroot
│   │       ├── opt
│   │       ├── proc
│   │       ├── root
│   │       ├── sbin
│   │       │   ├── getty -> ../bin/busybox
│   │       │   ├── halt -> ../bin/busybox
│   │       │   ├── ifconfig -> ../bin/busybox
│   │       │   ├── init -> ../bin/busybox
│   │       │   ├── insmod -> ../bin/busybox
│   │       │   ├── lsmod -> ../bin/busybox
│   │       │   ├── mdev -> ../bin/busybox
│   │       │   ├── modinfo -> ../bin/busybox
│   │       │   ├── poweroff -> ../bin/busybox
│   │       │   ├── reboot -> ../bin/busybox
│   │       │   ├── rmmod -> ../bin/busybox
│   │       │   ├── route -> ../bin/busybox
│   │       │   ├── setconsole -> ../bin/busybox
│   │       │   └── udhcpc -> ../bin/busybox
│   │       ├── sys
│   │       ├── tmp
│   │       ├── usr
│   │       │   ├── bin
│   │       │   │   ├── [ -> ../../bin/busybox
│   │       │   │   ├── [[ -> ../../bin/busybox
│   │       │   │   ├── arping -> ../../bin/busybox
│   │       │   │   ├── awk -> ../../bin/busybox
│   │       │   │   ├── cryptpw -> ../../bin/busybox
│   │       │   │   ├── cut -> ../../bin/busybox
│   │       │   │   ├── dirname -> ../../bin/busybox
│   │       │   │   ├── env -> ../../bin/busybox
│   │       │   │   ├── expr -> ../../bin/busybox
│   │       │   │   ├── groups -> ../../bin/busybox
│   │       │   │   ├── hostid -> ../../bin/busybox
│   │       │   │   ├── id -> ../../bin/busybox
│   │       │   │   ├── ifplugd -> ../../bin/busybox
│   │       │   │   ├── lsof -> ../../bin/busybox
│   │       │   │   ├── mkpasswd -> ../../bin/busybox
│   │       │   │   ├── passwd -> ../../bin/busybox
│   │       │   │   ├── pstree -> ../../bin/busybox
│   │       │   │   ├── setsid -> ../../bin/busybox
│   │       │   │   ├── test -> ../../bin/busybox
│   │       │   │   ├── top -> ../../bin/busybox
│   │       │   │   ├── udhcpc6 -> ../../bin/busybox
│   │       │   │   └── xargs -> ../../bin/busybox
│   │       │   ├── lib
│   │       │   ├── sbin
│   │       │   │   ├── brctl -> ../../bin/busybox
│   │       │   │   ├── chpasswd -> ../../bin/busybox
│   │       │   │   └── chroot -> ../../bin/busybox
│   │       │   └── share
│   │       └── var
│   │           └── run
│   │               └── utmp
│   ├── 3034BC.xz
│   ├── 36C674
│   ├── _36C674.extracted
│   │   ├── 0.cpio
│   │   └── cpio-root
│   │       ├── bin
│   │       │   ├── ash -> busybox
│   │       │   ├── busybox
│   │       │   ├── cat -> busybox
│   │       │   ├── chgrp -> busybox
│   │       │   ├── chmod -> busybox
│   │       │   ├── chown -> busybox
│   │       │   ├── cp -> busybox
│   │       │   ├── date -> busybox
│   │       │   ├── df -> busybox
│   │       │   ├── dmesg -> busybox
│   │       │   ├── echo -> busybox
│   │       │   ├── false -> busybox
│   │       │   ├── grep -> busybox
│   │       │   ├── iostat -> busybox
│   │       │   ├── kill -> busybox
│   │       │   ├── ln -> busybox
│   │       │   ├── login -> busybox
│   │       │   ├── ls -> busybox
│   │       │   ├── mkdir -> busybox
│   │       │   ├── mknod -> busybox
│   │       │   ├── mount -> busybox
│   │       │   ├── mv -> busybox
│   │       │   ├── netstat -> busybox
│   │       │   ├── ping -> busybox
│   │       │   ├── ping6 -> busybox
│   │       │   ├── printenv -> busybox
│   │       │   ├── ps -> busybox
│   │       │   ├── pwd -> busybox
│   │       │   ├── rm -> busybox
│   │       │   ├── sed -> busybox
│   │       │   ├── sh -> busybox
│   │       │   ├── sleep -> busybox
│   │       │   ├── stat -> busybox
│   │       │   ├── tar -> busybox
│   │       │   ├── touch -> busybox
│   │       │   ├── udevadm
│   │       │   ├── udevd
│   │       │   ├── umount -> busybox
│   │       │   └── vi -> busybox
│   │       ├── boot
│   │       ├── dev
│   │       ├── etc
│   │       │   ├── fstab
│   │       │   ├── fs-version
│   │       │   ├── group
│   │       │   ├── init.d
│   │       │   │   ├── rcS
│   │       │   │   ├── S00devs
│   │       │   │   ├── S01mdev
│   │       │   │   ├── S01udev
│   │       │   │   ├── S80network
│   │       │   │   └── S90PPStrong
│   │       │   ├── inittab
│   │       │   ├── mdev.conf
│   │       │   ├── passwd
│   │       │   ├── profile
│   │       │   ├── protocols
│   │       │   ├── services
│   │       │   ├── shadow
│   │       │   ├── TZ
│   │       │   └── udev
│   │       │       ├── firmware.sh
│   │       │       ├── rules.d
│   │       │       │   ├── 50-firmware.rules
│   │       │       │   ├── 75-cd-aliases-generator.rules.optional
│   │       │       │   ├── 75-persistent-net-generator.rules.optional
│   │       │       │   ├── 90-hal.rules
│   │       │       │   ├── 99-fuse.rules
│   │       │       │   └── device-mapper.rules
│   │       │       └── udev.conf
│   │       ├── home
│   │       ├── init -> sbin/init
│   │       ├── lib
│   │       │   ├── ld-uClibc-0.9.33.2.so
│   │       │   ├── ld-uClibc.so.0 -> ld-uClibc-0.9.33.2.so
│   │       │   ├── libcrypt-0.9.33.2.so
│   │       │   ├── libcrypt.so.0 -> libcrypt-0.9.33.2.so
│   │       │   ├── libc.so.0 -> libuClibc-0.9.33.2.so
│   │       │   ├── libdl-0.9.33.2.so
│   │       │   ├── libdl.so.0 -> libdl-0.9.33.2.so
│   │       │   ├── libgcc_s.so -> libgcc_s.so.1
│   │       │   ├── libgcc_s.so.1
│   │       │   ├── libm-0.9.33.2.so
│   │       │   ├── libm.so.0 -> libm-0.9.33.2.so
│   │       │   ├── libnsl-0.9.33.2.so
│   │       │   ├── libnsl.so.0 -> libnsl-0.9.33.2.so
│   │       │   ├── libpthread-0.9.33.2.so
│   │       │   ├── libpthread.so.0 -> libpthread-0.9.33.2.so
│   │       │   ├── libresolv-0.9.33.2.so
│   │       │   ├── libresolv.so.0 -> libresolv-0.9.33.2.so
│   │       │   ├── librt-0.9.33.2.so
│   │       │   ├── librt.so.0 -> librt-0.9.33.2.so
│   │       │   ├── libthread_db-0.9.33.2.so
│   │       │   ├── libthread_db.so.1 -> libthread_db-0.9.33.2.so
│   │       │   ├── libuClibc-0.9.33.2.so
│   │       │   ├── libutil-0.9.33.2.so
│   │       │   └── libutil.so.0 -> libutil-0.9.33.2.so
│   │       ├── linuxrc -> bin/busybox
│   │       ├── mnt
│   │       ├── nfsroot
│   │       ├── opt
│   │       ├── proc
│   │       ├── root
│   │       ├── sbin
│   │       │   ├── getty -> ../bin/busybox
│   │       │   ├── halt -> ../bin/busybox
│   │       │   ├── ifconfig -> ../bin/busybox
│   │       │   ├── init -> ../bin/busybox
│   │       │   ├── insmod -> ../bin/busybox
│   │       │   ├── lsmod -> ../bin/busybox
│   │       │   ├── mdev -> ../bin/busybox
│   │       │   ├── modinfo -> ../bin/busybox
│   │       │   ├── poweroff -> ../bin/busybox
│   │       │   ├── reboot -> ../bin/busybox
│   │       │   ├── rmmod -> ../bin/busybox
│   │       │   ├── route -> ../bin/busybox
│   │       │   ├── setconsole -> ../bin/busybox
│   │       │   └── udhcpc -> ../bin/busybox
│   │       ├── sys
│   │       ├── tmp
│   │       ├── usr
│   │       │   ├── bin
│   │       │   │   ├── [ -> ../../bin/busybox
│   │       │   │   ├── [[ -> ../../bin/busybox
│   │       │   │   ├── arping -> ../../bin/busybox
│   │       │   │   ├── awk -> ../../bin/busybox
│   │       │   │   ├── cryptpw -> ../../bin/busybox
│   │       │   │   ├── cut -> ../../bin/busybox
│   │       │   │   ├── dirname -> ../../bin/busybox
│   │       │   │   ├── env -> ../../bin/busybox
│   │       │   │   ├── expr -> ../../bin/busybox
│   │       │   │   ├── groups -> ../../bin/busybox
│   │       │   │   ├── hostid -> ../../bin/busybox
│   │       │   │   ├── id -> ../../bin/busybox
│   │       │   │   ├── ifplugd -> ../../bin/busybox
│   │       │   │   ├── lsof -> ../../bin/busybox
│   │       │   │   ├── mkpasswd -> ../../bin/busybox
│   │       │   │   ├── passwd -> ../../bin/busybox
│   │       │   │   ├── pstree -> ../../bin/busybox
│   │       │   │   ├── setsid -> ../../bin/busybox
│   │       │   │   ├── test -> ../../bin/busybox
│   │       │   │   ├── top -> ../../bin/busybox
│   │       │   │   ├── udhcpc6 -> ../../bin/busybox
│   │       │   │   └── xargs -> ../../bin/busybox
│   │       │   ├── lib
│   │       │   ├── sbin
│   │       │   │   ├── brctl -> ../../bin/busybox
│   │       │   │   ├── chpasswd -> ../../bin/busybox
│   │       │   │   └── chroot -> ../../bin/busybox
│   │       │   └── share
│   │       └── var
│   │           └── run
│   │               └── utmp
│   ├── 433F1B
│   └── 433F1B.7z
├── 7373C.xz
├── 760C00.jffs2
├── 7D7000.jffs2
├── 7D9CE4.jffs2
├── 7DC26C.jffs2
├── 7DE000.jffs2
├── 7DF900.jffs2
├── 7E9D8C.jffs2
├── 7F8228.jffs2
├── app.tar.gz
├── _app.tar.gz.extracted
│   ├── 0
│   ├── _0.extracted
│   │   ├── 0.tar
│   │   ├── bin
│   │   │   ├── cmd_router
│   │   │   ├── himm
│   │   │   ├── iwconfig
│   │   │   ├── lookup_proc
│   │   │   └── ppsconfig
│   │   ├── etc
│   │   │   └── ssv6x5x-wifi.cfg
│   │   ├── home
│   │   │   ├── anyka
│   │   │   │   ├── akcamera.ko
│   │   │   │   ├── ak_info_dump.ko
│   │   │   │   ├── isp_1034_dvp_101602.conf
│   │   │   │   ├── isp_h62.conf
│   │   │   │   ├── isp_sc1245.conf
│   │   │   │   ├── loadanyka3918
│   │   │   │   ├── sensor_gc1034.ko
│   │   │   │   ├── sensor_h62.ko
│   │   │   │   └── sensor_sc1245.ko
│   │   │   ├── app
│   │   │   │   ├── network
│   │   │   │   ├── ppsapp
│   │   │   │   └── ppsdsry
│   │   │   ├── ASC16
│   │   │   ├── ca.crt
│   │   │   ├── drv
│   │   │   │   ├── 8188fu.ko
│   │   │   │   ├── atbm603x_wifi_usb.ko
│   │   │   │   ├── motor.ko
│   │   │   │   ├── otg-hs.ko
│   │   │   │   ├── ssv6x5x.ko
│   │   │   │   └── Strnio.ko
│   │   │   ├── init.d
│   │   │   │   ├── initS
│   │   │   │   ├── S00config
│   │   │   │   ├── S01loadpps
│   │   │   │   ├── S20cmd_router
│   │   │   │   ├── S23hostapd_conf
│   │   │   │   ├── S24udhcpd
│   │   │   │   ├── S25ppsdsry
│   │   │   │   └── S60ppsapp
│   │   │   ├── platform.env
│   │   │   └── sound
│   │   │       ├── dingdong.wav
│   │   │       ├── login.wav
│   │   │       └── restart.wav
│   │   └── lib
│   │       ├── libakaudiocodec.so
│   │       ├── libakaudiofilter.so
│   │       ├── libakispsdk.so
│   │       ├── libakmedia.so
│   │       ├── libak_mt.so
│   │       ├── libakstreamenc.so
│   │       └── libakuio.so
│   └── 0.gz
├── cramfs-root
│   ├── app.tar.gz
│   └── initrun.sh
├── initrun.sh
├── jffs2-root
│   ├── sys_time
│   ├── tuya_enckey.db
│   ├── tuya_user.db
│   └── tuya_user.db_bak
├── jffs2-root-0
├── jffs2-root-1
├── jffs2-root-2
├── jffs2-root-3
├── jffs2-root-4
├── jffs2-root-5
└── jffs2-root-6

74 directories, 335 files
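
The partition layout in the `/proc/cmdline` output from the opening post can be checked against the binwalk file names in the tree above. This added example (not code from the thread or the project) parses the `mtdparts` string and maps each hex-offset file name to the partition it came from; it assumes binwalk's `<hex offset>.<ext>` naming and that the dump starts at flash offset 0, and the function names are made up here.

```python
import re
from dataclasses import dataclass

# Kernel command line as posted in the issue (/proc/cmdline output).
CMDLINE = (
    "mem=64M console=ttySAK0,115200n8 mtdparts=spi0.0:256k(bld)ro,64k(env)ro,"
    "64k(enc)ro,64k(sysflg)ro,2496k(sys),4608k(app),640k(cfg) ppsAppParts=5 "
    "ip=192.168.1.99:::255.255.255.0 eth=00:55:7b:b5:7d:f7"
)
# Top-level file names from the binwalk tree in the issue (subset).
ARTIFACTS = ["2E0000.cramfs", "7365F.xz", "7373C", "760C00.jffs2",
             "7D7000.jffs2", "7F8228.jffs2", "app.tar.gz"]

UNIT = {"": 1, "k": 1 << 10, "m": 1 << 20, "g": 1 << 30}
# <size>[@<offset>](<name>)[ro][lk]; size "-" means "rest of the device".
PARTDEF = re.compile(
    r"(?P<size>-|\d+)(?P<unit>[kmg]?)(?:@(?P<off>\d+)(?P<offunit>[kmg]?))?"
    r"\((?P<name>[^)]*)\)(?P<ro>ro)?(?:lk)?", re.I)


@dataclass
class Partition:
    index: int        # position in the list, i.e. the N in /dev/mtdblockN
    name: str
    offset: int
    size: int
    readonly: bool

    @property
    def end(self):
        return self.offset + self.size


def parse_mtdparts(cmdline, flash_size=None):
    """Return the partitions of the first MTD device named in mtdparts=."""
    m = re.search(r"(?:^|\s)mtdparts=(\S+)", cmdline)
    if not m:
        raise ValueError("no mtdparts= argument on the command line")
    _device, _, defs = m.group(1).split(";")[0].partition(":")
    parts, cursor = [], 0
    for index, text in enumerate(defs.split(",")):
        d = PARTDEF.fullmatch(text)
        if not d:
            raise ValueError(f"unparsable partition definition: {text!r}")
        if d["off"] is not None:      # explicit @offset overrides the cursor
            cursor = int(d["off"]) * UNIT[d["offunit"].lower()]
        if d["size"] == "-":
            if flash_size is None:
                raise ValueError("'-' size needs flash_size")
            size = flash_size - cursor
        else:
            size = int(d["size"]) * UNIT[d["unit"].lower()]
        parts.append(Partition(index, d["name"], cursor, size,
                               d["ro"] is not None))
        cursor += size
    return parts


def artifact_offset(name):
    """Hex offset encoded in a binwalk output name, or None if not one."""
    m = re.fullmatch(r"([0-9A-Fa-f]+)(?:\.\w+)?", name)
    return int(m.group(1), 16) if m else None


def locate(offset, parts):
    """Partition containing a flash offset, plus the offset inside it."""
    for p in parts:
        if p.offset <= offset < p.end:
            return p, offset - p.offset
    return None, None


def map_artifacts(names, parts):
    rows = []
    for name in names:
        off = artifact_offset(name)
        if off is not None:
            p, rel = locate(off, parts)
            rows.append((name, p.name if p else None, rel))
    return rows


if __name__ == "__main__":
    layout = parse_mtdparts(CMDLINE)
    for p in layout:
        print(f"mtd{p.index} {p.name:7} 0x{p.offset:06X}-0x{p.end:06X}"
              f" {'ro' if p.readonly else 'rw'}")
    for name, part, rel in map_artifacts(ARTIFACTS, layout):
        print(f"{name:14} -> {part} +0x{rel:X}")
```

The seven partitions add up to exactly the 8 MiB of flash U-Boot reports, `cfg` lands at index 6 in line with the `/dev/mtdblock6` JFFS2 mount in `/proc/mounts`, and every `.jffs2` hit falls inside that writable `cfg` partition.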

@guino
Owner

guino commented Mar 15, 2023

@mascencerro looks good. FYI you are working on a device that already has an update released for it (2.7.12) -- that obviously won't matter if you just want to use it offline.

@mascencerro
Author

> @mascencerro looks good. FYI you are working on a device that already has an update released for it (2.7.12) -- that obviously won't matter if you just want to use it offline.

Does the device auto-update in the event that I connect it with the app? And is the 2.7.12 version patched where it no longer works with this exploit?

@guino
Owner

guino commented Mar 15, 2023

@mascencerro some apps will auto-update -- I use the tuya app and it doesn't automatically update (there's an option to turn automatic updates off). It is also possible that depending on the app and account region you won't get the 2.7.12 update offered to your device.

2.7.12 does not remove or prevent using the boot loader exploit, so you can update it after installing it, and/or you can update it and apply the exploit just the same.

@mascencerro
Author

> @mascencerro some apps will auto-update -- I use the tuya app and it doesn't automatically update (there's an option to turn automatic updates off). It is also possible that depending on the app and account region you won't get the 2.7.12 update offered to your device.
>
> 2.7.12 does not remove or prevent using the boot loader exploit, so you can update it after installing it, and/or you can update it and apply the exploit just the same.

Ok, I was worried if/when I do associate it with the app, the 2.7.12 update would kill the boot loader exploit. Basically the version will just determine which ppsapp I need for that firmware version streaming functionality, correct?

Now on to cross compiling some stuff for this thing and seeing what I can break. 🙂

@guino
Owner

guino commented Mar 15, 2023

> Ok, I was worried if/when I do associate it with the app, the 2.7.12 update would kill the boot loader exploit. Basically the version will just determine which ppsapp I need for that firmware version streaming functionality, correct?

Correct -- and both 2.7.10 and 2.7.12 have patches available.
