WyzeHacks
WyzeHacks copied to clipboard
HclX
remote_install.sh RuntimeError
Wyze Cam v2 with FW: 4.9.6.241 Failed with wyze_hacks_0_5_07 and wyze_hacks_0_5_08
Pushing firmware to this device? [y/N]:y
INFO:root:Serving firmware file './firmware.bin' as 'http://192.168.0.1:11808/firmware.bin', md5=11567104604de4f4cc8f4633bc6c33f4
Traceback (most recent call last):
File "./wyze_updater.py", line 362, in
Same here on a V2 and V3, most current firmware for both (4.9.6.241 and 4.36.2.5)
I'm also encountering this on v2,v3, and Pan. Rebooting didn't help me.
I'm encountering the same error on a wyze cam v3 with firmware version 4.36.1.4, and rebooting the camera didn't help. The failed request appears to be a POST to https://api.wyzecam.com/app/v2/auto/run_action
Also just ran into this. Tried on V3 cam with firmware version 4.36.0.280, which worked on a second camera just a few days ago.
I'm seeing the same issue. I have one v3 on firmware version 4.36.2.5, plugin version 1.7.0.33 activation date 5/11/2021 and it's currently working with wyzehacks. I just tried to run this on two cameras I got today, same firmware version and plugin version, and I get the 3005:UnauthorizedOperation message.
I'm having the same issue on WyzeCam2 Device type: Camera (WYZE_CAKP2JFUS) Firmware: 4.36.2.5
Traceback (most recent call last):
File "/home/mandusm/Builder/WyzeHacks/installer/./wyze_updater.py", line 362, in <module>
args.action(creds, args)
File "/home/mandusm/Builder/WyzeHacks/installer/./wyze_updater.py", line 260, in update_devices
push_update(creds, dev_info['product_model'], mac, url, md5)
File "/home/mandusm/Builder/WyzeHacks/installer/./wyze_updater.py", line 163, in push_update
return run_action(creds, model, "upgrade", mac, {"url": update_url, "md5": md5, "model": model})
File "/home/mandusm/Builder/WyzeHacks/installer/./wyze_updater.py", line 157, in run_action
return device_api(
File "/home/mandusm/Builder/WyzeHacks/installer/./wyze_updater.py", line 140, in device_api
raise RuntimeError('Request failed, error %s:%s' % (rsp['code'], rsp['msg']))
RuntimeError: Request failed, error 3005:UnauthorizedOperation
Looks to be related to this: https://github.com/elahd/esp2ino/issues/16#issuecomment-879454907
And related to this specifically https://github.com/HclX/WyzeUpdater/issues/9
As an EXTREMELY hacky way to make this work I Changed a few lines in the wyze_updater.py file.
Line 256 Specifically
if not server:
if not args.addr:
args.addr = get_host_ip(dev_info['ip'])
#url = build_url(args.addr, args.ssl, args.port)
url = "http://s3-us-west-2.amazonaws.com/wuv2/upgrade/WLPP1/firmware/1.2.0.80a.bin"
server = start_http_server(firmware_data, args.addr, args.port, args.ssl)
logging.info("Serving firmware file '%s' as '%s', md5=%s" % (args.firmware, url, md5))
I won't be covering any details on how to do this, but I was able to give the Wyze camera a custom response to the dns lookup for s3-us-west-2.amazonaws.com to simply point to the IP address of the host the script is running on. I used dnsmasq to achieve this on my network. There are many other ways to do this.
@mandusm's method works but here are some missing details. IP address of Mac I used was 192.168.11.4. IP Address of DNS serving raspberry pi was 192.168.11.11 (adjust according to your method and values).
- run dnsmasq or some other DNS server and spoof s3-us-west-2.amazonaws.com to the computer you will run the script from. In my case, I used a rasbperry pi for dns serving. This involved (1) adding a line to hosts of s3-us-west-2.amazonaws.com 192.168.11.4 (2) changing the DNS server choice on the DHCP server to the ip of your spoofing DNS server (in my case 192.168.11.11)
- Manually set the url to http://s3-us-west-2.amazonaws.com/wuv2/upgrade/WLPP1/firmware/1.2.0.80a.bin
- The port used must be port 80 (since it's checking urls I doubt it will work with another port). Note that the default port if you use remote_install.sh is not 80 On OSX, I had to use sudo to avoid getting "PermissionError: [Errno 13] Permission Denied"
So at least on my OSX computer the functioning command was:
sudo python3 ./wyze_updater.py --token ~/.wyze_token --debug update
-m WYZEC1-JZ -m WYZECP1_JEF -m WYZE_CAKP2JFUS -m WYZEDB3 -f ./firmware.bin -p 80
tried with a local DNS server on mac (NEMO) but the fw update gets stuck endlessly. any advise ?
Device type: Camera (WYZE_CAKP2JFUS)
Device name: Cam1
Firmware version: 4.36.2.5
IP Address: 192.168.4.169
Pushing firmware to this device? [y/N]:y
..
..
DEBUG:urllib3.connectionpool:https://api.wyzecam.com:443 "POST /app/v2/auto/run_action HTTP/1.1" 200 171
DEBUG:root:{'ts': 1626661091247, 'code': '1', 'msg': '', 'data': {'session_id': '0ae72167051e4bb0bc64d4c4e33bbd60', 'action_session_id': '645d36d0dafa4acea9485a6cac19aef9', 'custom_string': ''}}
DEBUG:root:request received, path=/wuv2/upgrade/WLPP1/firmware/1.2.0.80a.bin
192.168.4.169 - - [18/Jul/2021 22:18:13] "GET /wuv2/upgrade/WLPP1/firmware/1.2.0.80a.bin HTTP/1.1" 200 -
Press Ctrl+C when all the updates are done.....
....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
INFO:root:Stopping http server...
Traceback (most recent call last):
File "./wyze_updater.py", line 365, in <module>
{"mode":"full","isActive":false}
NameError: name 'false' is not defined
Since you have the line: 192.168.4.169 - - [18/Jul/2021 22:18:13] "GET /wuv2/upgrade/WLPP1/firmware/1.2.0.80a.bin HTTP/1.1" 200 it looks like it's getting served correctly to your device by your computer.
- does your camera reboot?
- did you try using telnet to login to the camera? (if it's a v3 it won't make any noises indicating success).
It's a v3 - the camera flashed blue / red and then rebooted. I can NOT get access with telnet user root / no pass
yes, but does telnet let you enter a username / password? If so, you've already succeeded in adding wyzehacks. the default password for V3 is WYom2020 . Did you try that?
Note that I miswrote this initially as WYom2021
I get user/pass prompt but can't login with root/WYom2021.
Trying 192.168.4.177...
Connected to 192.168.4.177.
Escape character is '^]'.
WyzeCamV3-7F10 login: root
Password:
Login incorrect
Unless the password changed very recently, I believe pass should be WYom2020 for v3 On Jul 19, 2021, 08:02 -0700, nadigo @.***>, wrote:
can't login yet I have the telnet prompt .. I used fw FIRMWARE_660R.bin — You are receiving this because you commented. Reply to this email directly, view it on GitHub, or unsubscribe.
I think I saw a beta version v3 firmware with different root password. Wyze is definitely trying to block this (which I totally understand). I can get the hash so if someone has a powerful gpu can run hash cat to get the new root password.
Team, there is a big Wyze update coming out next week that may try to stop all these hacks. They are trying to force even the app to be updated so tread lightly before you update your cams to latest firmware as it might close up all the insecurities that these hacks work on, including the update URL method that WyzeHacks uses. I’m still on version 228 for V3 but they may force cam firmware updates, too, which they systematically can. :(
Hello folks, Does this hack work on v2 with Firmware version: 4.9.6.241? I had couple of error and fixed it with helps above, but now I don't have any error anymore but seems that it's stucked in a loop.
Am I missing something? What can I check?
- Cam : V2
- Firmware : 4.9.6.241
- Python version : python3 -V Python 3.7.3
- Using a Raspberry Pi 2
- NFS : mounted (192.168.X.X:/nfsshare 7.1G 1.7G 5.1G 25% /mnt/nfs - Is there a way to check if it works btw?)
- I don't hear any sound saying "Installation starts" or something like that
Let me know, Thanks,
can't use remote_install.sh to hack this because it will set the port 11808 and then that won't match what you're asking the camera to update against (port 80)
instead run the wyze_updater directly : sudo python3 ./wyze_updater.py --token ~/.wyze_token --debug update -m WYZEC1-JZ -m WYZECP1_JEF -m WYZE_CAKP2JFUS -m WYZEDB3 -f ./firmware.bin -p 80
sign of success is a row like: 192.168.4.169 - - [18/Jul/2021 22:18:13] "GET /wuv2/upgrade/WLPP1/firmware/1.2.0.80a.bin HTTP/1.1" 200 -
[IP address should be the IP of your camera]
I think I saw a beta version v3 firmware with different root password. Wyze is definitely trying to block this (which I totally understand). I can get the hash so if someone has a powerful gpu can run hash cat to get the new root password.
@HclX Lemme take a crack at it if you've got it.
@julxb neither of those lines is an indication that the camera is trying to download a firmware from your computer. It should be a GET request with the path to the firmware that you sent in the modified version of wyze_updater.py .
Are you sure you've DNS spoofed your wyze cam and not just your computer? For starters you can see if you've spoofed the DNS on your own computer by trying a traceroute there on s3-us-west-2.amazonaws.com . it should return the IP of the computer you're trying to update the firmware from. No way to directly test spoofing from an unhacked camera but you will need to have the DNS server set at the router level to accomplish this.
Today I received the official push notification of the v2 update, and of course they have changed their root password. Here are the ones I'm seeing: v2 (4.9.7.798): root:$6$wyzecamv2$hvp6M6S2JI7vyyHfEDPWCYJ8N2r5B4ZzS8uZYwyMkoWyg90sCJzupBGD57CObtKonld0Yvr2B/ejt4l4/jryi.:10933:0:99999:7:::
v3 (4.36.3.19 beta): root:$6$wyzecamv3$8gyTEsAkm1d7wh12Eup5MMcxQwuA1n1FsRtQLUW8dZGo1b1pGRJgtSieTI02VPeFP9f4DodbIt2ePOLzwP0WI0:0:0:99999:7:::
@C1ARKGABLE can you help on those passwords? Look at the salt they are taking that seriously so these passwords might not be easy to crack.
Thanks
@HclX see ya in 2053... Oof
Anyone have a good dictionary to use? Or maybe a quantum computer? I'm asking for a friend...
I'm getting the 3005:UnauthorizedOperation error as well when trying to remote install v0_5_08 on a v2 Cam Pan.
This link has info about the API password is that what is needed?
md5(md5(md5(password)))
@jdkadel NO, that has nothing to do with this. You need to
- modify wyze_updater.py to replace the url line with url = "http://s3-us-west-2.amazonaws.com/wuv2/upgrade/WLPP1/firmware/1.2.0.80a.bin"
- Spoof the DNS so that your wyze cam thinks your local computer is s3-us-west-2.amazonaws.com (change the DNS server on your local network to accomplish this )
- Run wyze_updater.py directly to use port 80 (on my osx system I had to use sudo at the front but here's the basic command): python3 ./wyze_updater.py --token ~/.wyze_token --debug update -m WYZEC1-JZ -m WYZECP1_JEF -m WYZE_CAKP2JFUS -m WYZEDB3 -f ./firmware.bin -p 80
If you run it successfully, you'll see [IP of camera] - - [18/Jul/2021 22:18:13] "GET /wuv2/upgrade/WLPP1/firmware/1.2.0.80a.bin HTTP/1.1" 200
Thanks, just trying to help. I modified the .py file and verified that the DNS changes with a ping to ...amazonaws and it returned the local computer address. I didn't get a line with the "GET ...200". Here's the end of the command. I didn't get the response that the request was received. The camera did not reboot or was it accessible on SSH. I'll run thru the process again Sunday.
header: Connection: keep-alive DEBUG:urllib3.connectionpool:https://api.wyzecam.com:443 "POST /app/v2/auto/run_action HTTP/1.1" 200 182 DEBUG:root:{'ts': 1627012580075, 'code': '1', 'msg': '', 'data': {'session_id': '7e3d336635934cd293b884317d687cda', 'custom_string': '', 'action_session_id': 'f1be254581204f4b87eb00ffca8a8e36', 'result': 2}} Press Ctrl+C when all the updates are done...
- it won't ever work with ssh because there's no sshd on the device. Instead, you have to use telnet or netcat. on osx, this looks like: nc 192.168.3.101 23 (substitute ip as appropriate)
- Can you confirm that the camera is also operating from your spoofed DNS server and not just a change to the DNS on your computer (e.g. editing /etc/hosts on a desktop or laptop will only change the DNS for that local computer)?
- The camera should reboot either when it successfully gets the wyze_updater delivered firmware or after a few minutes automatically. If neither is happening...