_Original of these scripts can be found here _
I've been poking at the Denver SHO-110 Wifi camera. This GOKE GK7102 powered camera features Wifi, infrared, two-way sound (which I don't use) and UTP. NO tilt or zoom.
Disclaimer - I'm not a programmer, just a hobbyist that likes poking around. You use the software here at your own risk. If you try this on a different camera you may break (brick) your camera. You may even break your camera due to a variety of firmware versions available. DO NOT EVER make changes to the /home/start.sh script. Any mistake here WILL brick your camera.
As opposed to some other camera's (see link to Ant-Thomes above), this camera has a read-only filesystem although the /home is writeable - lucky us. This enables us to tweak the filesystem ans software to our needs.
- Create network connection
- WiFi - setup camera via app
- Ethernet - plug in to network (doesn't need app setup)
- Download hack for your camera
Apperently it is possible to create a working Wifi connection without using the app. I've not tried this myself, but it is pretty easy to try for yourself:
- Connect the camera to your network by UTP cable
- Telnet into the device, port 23 is open by default
- Use default credentials: root/cxlinux
- vi /home/cls.conf
[cls_server]
ssid = WIFI_ID
passwd = PASSWORD
------ BELOW NEEDS TO BE REWRITTEN -----
- Download zip file - zsgx1hacks-v0.4.zip
- Extract the contents of the zip file to a vfat/fat32 formatted microSD card
- Change options in
config.txt
- Option for persistent hack without SD card
- Default - run off SD Card
- If in doubt, run it off the SD Card
- Option to restore original state of camera without hack
- Option to silence the voices
- This may be causing issues on some cameras so use at your own risk
- Option for persistent hack without SD card
- Download zip file - readonlyhack-v0.1.zip
- Extract the contents of the zip file to a vfat/fat32 formatted microSD card
- Insert microSD card into camera and boot
- Result should be
- No communication to cloud services
- RTSP/onvif server on the IP address of the camera
- SSH server
- R/W version - user/pass
root/cxlinux
- R-O version - user
root
no password
- R/W version - user/pass
- Telnet server - user/pass
root/cxlinux
- Updated busybox
- Annoying whining noise reduced (RW version only currently)
- WebUI accessible - http://IPAddress:8080/cgi-bin/webui
- FTP Server pointing to the root file system - no username or password
debug_cmd.sh
on an SD card enables commands to be run- Change root password to enable telnet login
- Telnet/root password found
cxlinux
(thanks 1sttommy2guns) - Upgrade busybox
- Add dropbear SSH server
- RTSP server accessible - rtsp://IPADDRESS/
- user/pass admin/admin
- user/pass on a non-setup camera is sometimes admin with no password
- Different camera models may have different RTSP credentials eg
dg20160404
or12345
- Block cloud services via hosts file
- Some GPIO functions found (IR LEDs and IR Cut)
- WebUI - http://IPAddress:8080/cgi-bin/webui
- PTZ control via command line or WebUI
- FTP server - no username or password
- Figure out GPIO control for Light sensor
- Change bitrate of RTSP stream
- Get rid of
p2pcam
and use an alternative RTSP server - Find method to enable WiFi connection without using the app
- Read-only hack created to enable cameras with a newer firmware to have extra features and turn off cloud connections.
- SSH server has no password. It wasn't working with a password so I enabled no password logins. Hopefully be able to get that fixed.
- Updated sdcard zip - zsgx1hacks-v0.4.zip
config.txt
file to change some options- Option for persistent or SD card install - default is SD card
- Option to remove hack and restore camera to before hack
- Updated sdcard zip - zsgx1hacks-v0.3.zip
- Hack no longer requires micro SD card to be present. Once installed the micro SD card can be removed.
- If anyone wants a version that doesn't make any permanent changes to the camera let me know.
- Very simple WebUI created - to be improved - using busybox httpd.
- WebUI has PTZ controls - massive thanks to phaeilo.
- New VOICE.tgz file with empty audio files to silence the voices on boot.
- FTP Server added.
- Documented PTZ driver interface
- Added additional pictures of hardware
- Requesting excessively long URLs on port 80 will cause
p2pcam
to segfault...
- RTSP streams with sound
rtsp://ipaddress/0/av0
av0
- high res stream with soundav1
- low res stream with sound
- Script updates time
- Removed password update sections - use
cxlinux
as password - Updated hosts file with more addresses to block
- Telnet/root password found by 1sttommy2guns -
cxlinux
- Pan/Tilt works via onvif - tested on TinyCam Free on Android. Hopefully this can be exploited otherwise using a webUI or other means if it sticks to the onvif api.
./goke_p2pcam_param --wifissid=mywifiap --wifipass=8chrpass
- Also see the other options for
goke_p2pcam_param
by executing the following command:goke_p2pcam_param -h
goke_volume
allows you to make the camera much quieter.
./goke_volume -s 0
- Observations compared to the Xiaofang camera
- Image quality is generally better than the Xiaofang camera, much sharper at distance
- FOV is not as wide as the Xiaofang camera
- An increase in bitrate would produce a decent quality stream
- I am not saying the closed source p2pcam blob looks dodgy or anything but this did make me smile (from
/home/factory_tool.sh
)
#avoid p2pcam auto format tf card!!!
rm -f /bin/mkdosfs
rm -f /sbin/mkdosfs
That feels like the right way to work around some awesome design considerations :).
- Firmware can be updated from a
firmware.bin
file on the root of the SD card (formatted vfat). This is a JFFS2 image structured much like other generic cameras based on the GOKE SoC's and a good few better know brands.- Suspect this will be distrbuted as one section per partition. With the kernel and uboot not normally being flashed.
- The tool used to flash the images is
sdc_tool
. - https://github.com/zzerrg/gmfwtools should be usable with the right key and board ident (1003) to unpack and repack the userspace firmware into something we can flash. It may also make cross flashing userspaces possible. Right now however you may well end up with a bricked camera or at least needing serial so try at your own risk.
- IR Cut and IR LED GPIOs found and controllable
gio -s 40 1
IR Cut - nightgio -s 40 0
IR Cut - daygio -s 46 1
IR LEDs - ongio -s 46 0
IR LEDs - off
- SD card contents moved to SD card folder
- Updated hosts file included which looks like it prevents the camera from contacting the cloud services. The app shows the camera as disconnected and I'm seeing no activity on my router. RTSP server remains active.
- RTSP server user/pass - admin/admin - Presents a 1920x1080 12fps stream on rtsp://IPADDRESS/ (no audio)
- Attempted to not run
p2pcam
by editing out specific parts ofstart.sh
, this resulting in the WiFi connection not being created. Maybe runningwpa_supplicant
viadebug_cmd.sh
may fix that. - As the RTSP server seems to be created by
p2pcam
it might be possible to prevent the cloud software communicating outwards by using various hosts file listings.
- home folder uploaded
- p2pcam.tar.gz is the interesting file - this gets extracted on boot and p2pcam is the camera software.
- Photos of box and dismantled camera in the photo folder
- Initial process was to download the app via the QR code in the instructions, this gave it WIFI details to logon to, possibly this could be prevented using ethernet.
- Update: The need for the app can be bypassed completely by plugging directly into an ethernet connection and not setting up wifi initially as the camera will bring up eth0 via DHCP - Ignore the spoken messages about WiFi.
- Camera dismantled and serial pins found
- Boot output from serial dumped (uploaded)
- The serial interface auto-logs in as root - very useful, but I've been unable to find the root password
- Via serial interface you can add a new user - meaning you can then login via telnet with new user, or change the root password
passwd root
- /home/start.sh looks for /mnt/debug_cmd.sh which would be placed on a micro SD card - this should be the way to hack the camera.
- Due to the earlier "adduser" or "passwd root" not being persistent through reboots I added the following to debug_cmd.sh
(sleep 20 && echo "root:o.eyOMtPAPfbg:0:0:root:/root/:/bin/sh" > /etc/passwd )&
- The long sleep is required because the command has to be run after busybox has started - this updates the root password to "root"
- I made a quick attempt to upgrade busybox with a prebuilt binary but the autologin fails on serial - used debug_cmd.sh to copy new version over existing located at /bin/busybox - but having already updated the root password you can login over telnet
- nmap shows the following open ports
Starting Nmap 7.40 ( https://nmap.org ) at 2017-10-21 15:55 BST
Nmap scan report for ipc (192.168.1.147)
Host is up (0.035s latency).
Not shown: 65525 closed ports
PORT STATE SERVICE
23/tcp open telnet
80/tcp open http
554/tcp open rtsp
843/tcp open unknown
3201/tcp open unknown
5050/tcp open mmcc
6670/tcp open irc
7101/tcp open elcn
7103/tcp open unknown
8001/tcp open vcom-tunnel
- There is an RTSP server running, but it is password protected