zsgx1hacks
Bought Silvercrest IP CAM S-K 1920 Version 1.1.1.13 Model WAPP-JS (LIDL) MCU Version Z1709250
Hello, I have bought some of the cameras at Lidl Online in Germany. Unfortunately, I have not been able to find the video stream so that I can use the camera with another software. The camera apparently uses the cloud and an app on the smartphone. The app "Silvercrest IP CAM S-K 1920" is available in the Play Store. So I can show a picture, but I would like to use the IP cam with another software directly on the PC. The camera only responds to ping; Telnet is not possible. A port scan did not result in open ports on the IP cam. Any idea how to get further here or where to start with the research?
Per Ideström Email [email protected]
Best Regards
Per
Did you test the hack with the SDCARD?
Hi, I did test the hack with the SD card but it did not work. Best regards, Per
Okay. If the sdcard dump didn't work for you, you can create a custom rootfs. I can help you, but I need a dump or firmware image from the SPI flash. I can unpack and repack the image for you.
Hi Manuel, that sounds great. How to dump the firmware from the device? Best regards, Per
Hi pai68! I have sent you an email with some instructions. Today, I have analyzed a cheap Chinese cam (unitoptek).
I have created a small Python script to extract the partitions like uboot, kernel, home, etc., modify and repack the image. At the moment I am working on a script for the sdcard, to flash the home and root partition without the flashrom tool.
This weekend I will publish the scripts on my GitHub account.
Hi Manuel, that sounds good, I'm looking forward to testing the script as soon as it is finished. Best regards, Per (pai68)
Hi Roema. I have a camera with the same Model and MCU version referenced in this thread. I am also encountering the same problem. Would you be willing to send me the same instructions so that I can use it with another system? Thanks so much for your help:) L
Hi Springfieldsmith!
Which model do you have?
Most models have an SPI flash. It is very easy to read. If the SDCARD hack doesn't work, you can use a miniftdi module to read the flash. There may be a firmware update for your camera online. It would also be possible to modify this.
Send me the name of the model, then I will check it.
Hi there. Thank you so much for your help! The model is either WAPP-JS or AWS53 depending on where you look. I didn’t try the sdcard hack yet because I don’t know how. There is a firmware update for my camera which I have not yet downloaded too.
Can you send me a link to the firmware file? I can't find anything about WAPP-JS or AWS53.
I am having trouble locating it, but I think you already solved this issue for the other person on this thread... the title says “IP CAM Model WAPP-JS MCU Version Z1709250” my camera is the same. You previously said, “Hi pai68! I have send you an email with some instructions. Today, i have analyzed a cheap cam from chineese (unitoptek) I have created a small python script to extract the partitions like uboot, kernel, home, etc, modify and repack the image. At the moment i am working on a script for the sdcard, to flash the home and root partition without flashrom tool. This weekend i will publish the scripts on my github account”
Would you be willing to send me the same instructions?
Thanks so much :)
— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/ant-thomas/zsgx1hacks/issues/115?email_source=notifications&email_token=AOB3FRY2VTPSWZIDIU55QBTQZEWDXA5CNFSM4HLFZGC2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEHDZBBI#issuecomment-566726789, or unsubscribe https://github.com/notifications/unsubscribe-auth/AOB3FRZKWHXOSYJS2IJ2GDTQZEWDXANCNFSM4HLFZGCQ .
Okay, you can test the readonly hack with a small modification. Append the following at the end of debug_cmd.sh
```
/media/hack/busybox-armv6l nanddump -f /media/hack/BLOCK0 /dev/mtd0
/media/hack/busybox-armv6l nanddump -f /media/hack/BLOCK1 /dev/mtd1
/media/hack/busybox-armv6l nanddump -f /media/hack/BLOCK2 /dev/mtd2
/media/hack/busybox-armv6l nanddump -f /media/hack/BLOCK3 /dev/mtd3
/media/hack/busybox-armv6l nanddump -f /media/hack/BLOCK4 /dev/mtd4
```
Insert the sdcard and boot the cam. It may take a while to create a dump from the mtd devices. After that, power off the cam and combine the files BLOCK0 to BLOCK4 with

```
cat BLOCK0 BLOCK1 BLOCK2 BLOCK3 BLOCK4 > image.bin
```

Now you have a full image from the cam. Binwalk should give some information about the filesystem.
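An added example (not from the original post or the project's scripts): a minimal Python check of the combined image.bin that locates squashfs superblocks the way a signature scanner does and reads the compression and block size, the values that the mksquashfs options `-comp` and `-b` set when a filesystem is rebuilt. `sample_dump()` is constructed test data and all function names are made up for this example.

```python
import struct

SB_FORMAT = "<4sIIIIHHHHHHQQ"   # first 48 bytes of a squashfs 4.x superblock
SB_SIZE = struct.calcsize(SB_FORMAT)
COMPRESSORS = {1: "gzip", 2: "lzma", 3: "lzo", 4: "xz", 5: "lz4", 6: "zstd"}

def find_squashfs(image: bytes) -> list:
    """Return offset and geometry of every plausible squashfs in a raw flash image."""
    found = []
    pos = image.find(b"hsqs")
    while pos != -1:
        header = image[pos:pos + SB_SIZE]
        if len(header) == SB_SIZE:
            (_magic, inodes, _mtime, block_size, _frags, comp, block_log, _flags,
             _ids, major, minor, _root, bytes_used) = struct.unpack(SB_FORMAT, header)
            # The 4-byte magic also occurs by chance, so require a consistent header:
            # version 4.x, block_size == 2**block_log, and a size that fits the dump.
            if (major == 4 and block_log < 32 and block_size == 1 << block_log
                    and 0 < bytes_used <= len(image) - pos):
                found.append({
                    "offset": pos,
                    "version": f"{major}.{minor}",
                    "compression": COMPRESSORS.get(comp, f"unknown({comp})"),
                    "block_size": block_size,
                    "inodes": inodes,
                    "bytes_used": bytes_used,
                })
        pos = image.find(b"hsqs", pos + 1)
    return found

def sample_dump() -> bytes:
    """Constructed stand-in for image.bin: erased flash, a decoy magic, one squashfs."""
    superblock = struct.pack(SB_FORMAT, b"hsqs", 120, 0, 131072, 3, 4, 17, 0, 1, 4, 0, 0, 4096)
    filesystem = superblock.ljust(4096, b"\x00")
    decoy = b"hsqs".ljust(64, b"\xff")          # magic with no valid header behind it
    image = (b"\xff" * 0x10000 + decoy).ljust(0x30000, b"\xff")
    return image + filesystem + b"\xff" * 0x1000

if __name__ == "__main__":
    for fs in find_squashfs(sample_dump()):
        print(f"0x{fs['offset']:06x} squashfs {fs['version']} {fs['compression']} "
              f"block={fs['block_size']} used={fs['bytes_used']}")
```

To run it on a real dump, pass `open("image.bin", "rb").read()` to `find_squashfs()` instead of the constructed sample.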
I found the firmware files! https://www.dropbox.com/sh/bchmsn552qfe4mo/AAAvl5LQTPmnmZ7vv-YmZVfxa?dl=0
On Fri, Apr 10, 2020 at 12:25 PM Lee Springfield! < [email protected]> wrote:
I think I found the firmware files! I am unsure how to modify them though. Would you be willing to help me? I wish to add this ip camera to my primary surveillance (lorex) system, but it doesn't come up in a device search.
Would you be willing to help me modify the firmware so I can use the camera with another system?
Yes. Which file is the correct one? There are many files on Dropbox.
this one https://www.dropbox.com/sh/iri0eoaor3388s1/AABDrkgPtOmSb2XofPNcuQA8a?dl=0
OK. Those are the original firmware files? If so, it's easy, you can unpack the rootfs with

```
unsquashfs rootfs-cpio_master.squashfs.img
```

Now take a look at the files and make your changes to enable telnet or the dropbear SSH server.

Take a look at the file check_new_fw.sh ... The update URI is https://fw.omguard.com/download/IPCAM/CGAG/WAPP-CS/version.xml The firmware file is https://fw.omguard.com/download/IPCAM/CGAG/WAPP-CS/GM8136-1.1.1.66.zip

Take a look at the file init in the rootfs and append the following

```
/gm/bin/busybox telnetd
```

then create a new rootfs like

```
mksquashfs squashfs-root rootfs_new -comp xz -b 131072 -all-root
```

create a new md5sum with

```
md5sum rootfs_new
```

and change the checksum in rootfs-cpio_master.squashfs.md5 to the new one.

Now update your cam and check port 23.
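An added example, not part of the original posts or of any vendor code: the steps above imply that the update is checked only against a digest stored in a .md5 file shipped with the image, which detects corruption but not modification, because anyone can recompute it. The sketch contrasts that check with a keyed one; the md5sum-style file layout, the function names and all sample bytes are assumptions constructed for illustration.

```python
import hashlib
import hmac

def sidecar_md5_ok(image: bytes, md5_text: str) -> bool:
    """Unkeyed check: image MD5 equals the first field of the .md5 file beside it."""
    fields = md5_text.split()
    return bool(fields) and hashlib.md5(image).hexdigest() == fields[0].lower()

def keyed_tag(image: bytes, key: bytes) -> str:
    """Tag that can only be produced with the vendor's key (HMAC-SHA256).

    HMAC stands in for a public-key signature so the example needs only the
    standard library; a real updater would verify a signature, so that no
    secret has to be stored on the device.
    """
    return hmac.new(key, image, hashlib.sha256).hexdigest()

def keyed_ok(image: bytes, tag: str, key: bytes) -> bool:
    """Constant-time comparison of the expected and the shipped tag."""
    return hmac.compare_digest(keyed_tag(image, key), tag)

def demo() -> dict:
    key = b"constructed vendor key"                        # constructed value
    original = b"hsqs" + b"constructed rootfs contents"    # constructed image bytes
    changed = original + b"constructed local change"
    name = "  rootfs-cpio_master.squashfs.img\n"
    shipped_md5 = hashlib.md5(original).hexdigest() + name
    shipped_tag = keyed_tag(original, key)
    # An unkeyed digest can be recomputed for any image; no secret is involved.
    recomputed_md5 = hashlib.md5(changed).hexdigest() + name
    return {
        "md5_rejects_stale_sidecar": not sidecar_md5_ok(changed, shipped_md5),
        "md5_accepts_recomputed_sidecar": sidecar_md5_ok(changed, recomputed_md5),
        "keyed_accepts_original": keyed_ok(original, shipped_tag, key),
        "keyed_rejects_changed": not keyed_ok(changed, shipped_tag, key),
    }

if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```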
Hello Manuel,
has there been any progress with the IP cam from Lidl?
Regards, Per
Hi, fyi, I am also interested in getting a (rtsp) stream from this Lidl camera. Keep up the good work. Some background information regarding JSW.
JSW aka Secufirst. https://www.jswpac.com
Head Office 3F-3, NO. 700, Zhongzheng Rd., Zhonghe District, New Taipei City, Taiwan
Manufacturing Center NO. 138, Sanjiang Industrial Park, Hengli Town, Dongguan City, Guangdong Province, China
http://www.secufirst.com.tw/
https://ch.marketscreener.com/JSW-PACIFIC-CORPORATION-20706834/unternehmen/
Contact in Europe (Netherlands) https://www.secufirst.eu/ Ericssonstraat 2, 5121 ML, Rijen The Netherlands 31 (0) 85 00 80 888 (Mon to Friday 9:00 am - 5:00 pm)
I’m from Holland, if needed I can call them.
Regards Frank
SecuFirst Expert Official Product Expert: Dutch forum: http://diy-nl-nl.forum.ibood.com/products/202662-190527/ip-buitencamera-met-nachtzicht/
Google translate: Our cameras have a very high security level. Everything revolves around quality and IT security.
We want to keep hackers out at all costs.
This means that you will not find an IP address of our camera visible in your router. You can also not access the camera via an IP address. This is all shielded to ensure your safety. You can only access and install the camera with the Android or Apple app. In addition, we have a Windows PC program, UGRS player, with which you can also view the images live on your PC.
This is the reason that we use a program for the PC instead of an IP address which can be entered in the address bar.
It's all about your safety. We want you to be the only one who can access the images.
Let's prove them wrong.
Regards Frank
To be clear, it’s (also) referring to our cameras: https://www.secufirst.eu/collections/draadloze-ip-cameras-zonder-verborgen-kosten-secufirst/products/draadloze-ip-beveiligingscamera-pan-tilt-outdoor-cam214
They are most likely using the Mac-address of the camera to find them. Remember that the first 3 hex digits of a Mac-address are a vendor assigned number and they could well be using some other protocol than IP to communicate between devices. To prove this you need to get Wireshark running on the same network and look at what is passing between the devices. Beware that network switches might make it difficult to see traffic between other devices. Regardless, such protocols do not route over the internet so they would have to encapsulate them in a tunnel of some sort to achieve that.
I have no camera from Lidl to test it. But I can make a test rootfs.
Take a look at the zip file. https://ros-it.ch/rootfs-cpio_master.squashfs.zip
Now I have the busybox telnet server enabled on boot. If everything is okay, the camera should open port 23.
I am not responsible for any damage!!!
Wow! Thank you so much! I will report back soon with the results. —Also, no big deal if damage occurs to the camera; it’s practically unusable in its current state... And I made the mistake of buying 2, so if it doesn’t work we can try again :)
Cheers mate!
No problem. You can recover the camera if everything goes wrong. On the mainboard, there should be an SPI flash. With a simple ftdi-mini interface you can read and write the flash.
If port 23 is open, connect on it. User should be root with no password. After that, we can take a look at the system configuration.
I’m a bit lost on some of this. If I understand correctly, it’s not possible to use a silvercrest camera as a ‘normal’ IP camera out of the box, right?
I see some stuff here that suggests it’s possible to hack the firmware to change that, but has anyone succeeded? If so, could you help this n00b out with a step by step kind of guide?
Hi,
I have a fullDump.bin for my camera that I need to flash. Can someone tell me the command to flash it via ftdi connection?