
LSC Indoor IP Camera Firmware v7.6.32

Open BreadJS opened this issue 2 years ago • 178 comments

Hey there!

I have bought this LSC Indoor IP Camera on the 30th of August 2022 and tried this method (combined with the Merkury720P method) with no success.

I have literally tried everything that was stated in the documentation. Also switching between SD cards. I also read some other issues but nothing seems to help. I even tried the custom QR code that somebody in the issues stated but no luck. I think they have patched out some things in this firmware version as this one is pretty high compared to all the other versions I saw wandering on GitHub.

The only ports that are open are:

  • 80 (DoorBird video doorbell rtspd)
  • 835
  • 6668
  • 8554 (DoorBird video doorbell rtspd)

Port 80 and 8554 showed "version" DoorBird video doorbell rtspd in nmap. I have no idea why it is also saying that on port 80 as that should be an HTTP server.

I also get no positive response from the HTTP requests I'm doing. I tried the admin:admin but also admin:056565099. They all returned ERR_CONNECTION_REFUSED. I checked the SD card but no new folders or files have been created.

It's a cheap camera with a pretty decent lens on it and I would love to see this work in my setup. I do NOT want to build one on my own (for cheap) or buy an expensive set.

If you have any idea what I can do, let me know! :)

BreadJS avatar Aug 30 '22 23:08 BreadJS

@OfficialDevvCat if the Merkury1080, Merkury720 and BazzDoorBell process didn't work with different SD cards then it may have a different address or not be linux OS. Usually ppsFactoryTool.txt allows the HTTP responses to work, but like you said, it is possible they closed some things or changed the user/password.

Until someone with the right tools can open it up and read the firmware (or connect to UART) we won't know -- I have the tools but no device, so I have no way of helping right now.

guino avatar Aug 31 '22 00:08 guino

> @OfficialDevvCat if the Merkury1080, Merkury720 and BazzDoorBell process didn't work with different SD cards then it may have a different address or not be linux OS. Usually ppsFactoryTool.txt allows the HTTP responses to work, but like you said, it is possible they closed some things or changed the user/password.
>
> Until someone with the right tools can open it up and read the firmware (or connect to UART) we won't know -- I have the tools but no device, so I have no way of helping right now.

100% true! What do you exactly need to use the uart port? I have soldering skills, yet I have no idea what I need. Would a Raspberry Pi 4 work? Because I have that laying around. Let me know. Maybe you want to discuss this on discord? DevvCat#0880

BreadJS avatar Aug 31 '22 00:08 BreadJS

@OfficialDevvCat if you're willing to open your device and solder wires to it I can help trying to figure out if we can root it.

The first step would be to open your device and take some good pictures of the board so we can identify the UART pins.

The second step will be to solder some wires to the UART pins and connect GND, RX and TX to the GND, RX, TX of the pi board (GPIO15 and GPIO14 pins on the header). You may need to swap the RX/TX around as we won't know which is RX/TX by looking at the board.

Once you have it all connected you should see some messages on the pi terminal when you power on the device -- ideally you should be able to interrupt the boot of the device by pressing a key when the first messages show up and it will either give you a bootloader prompt or ask for a password. Whatever messages show up may help in figuring out if we can even do anything.

guino avatar Aug 31 '22 16:08 guino

> @OfficialDevvCat if you're willing to open your device and solder wires to it I can help trying to figure out if we can root it.
>
> The first step would be to open your device and take some good pictures of the board so we can identify the UART pins.
>
> The second step will be to solder some wires to the UART pins and connect GND, RX and TX to the GND, RX, TX of the pi board (GPIO15 and GPIO14 pins on the header). You may need to swap the RX/TX around as we won't know which is RX/TX by looking at the board.
>
> Once you have it all connected you should see some messages on the pi terminal when you power on the device -- ideally you should be able to interrupt the boot of the device by pressing a key when the first messages show up and it will either give you a bootloader prompt or ask for a password. Whatever messages show up may help in figuring out if we can even do anything.

Okay! I'm 100% willing to open up the device but currently I'm in the middle of a move so that has to wait until I've got all my stuff! I will let you know as soon as possible when I've got everything and am ready for the hacking! :)

BreadJS avatar Aug 31 '22 17:08 BreadJS

I have the same issue and the same camera.

aleksandersmolowik avatar Sep 13 '22 13:09 aleksandersmolowik

Screenshot_2022-09-13_16-11-49

Flash chip is marked in RED. UART pins are marked in BLUE.

Either we need a copy of the firmware (using hardware programmer on the flash chip) OR we need someone to connect to the UART pins (TTL 3V) to capture an output log and/or see if there's any access to the bootloader.

guino avatar Sep 13 '22 20:09 guino

> Screenshot_2022-09-13_16-11-49
>
> Flash chip is marked in RED. UART pins are marked in BLUE.
>
> Either we need a copy of the firmware (using hardware programmer on the flash chip) OR we need someone to connect to the UART pins (TTL 3V) to capture an output log and/or see if there's any access to the bootloader.

I ordered a SPI flasher and it will arrive in a few hours. When it is here I can dump the firmware and upload it so you guys can take a look at it! Give me a few hours and I will get back to you guys.

To be specific, this is the one I ordered: https://www.amazon.nl/gp/product/B08TVNPTQK/

BreadJS avatar Sep 16 '22 16:09 BreadJS

@OfficialDevvCat I have that flash programmer and you need to be aware of 2 things:

1-It says it is compatible with 3.3V chips but it outputs 5V on some pins -- you should check it before you fry your chip/board. There's a 'mod' you can do on it to make it output 3.3V on all pins (I did the mod on mine and it works correctly)

2-You most likely will need to remove the chip from the board (OR at least disconnect PIN 6 in my experience) before you can read/write the flash. If you don't have a heat gun it may be easier to cut the pin 6 (with needle cut pliers) and solder it back afterward than trying to remove the whole chip (trying to disconnect pin 6 with a soldering iron will likely damage the board) -- learned the hard way.

IF you're going to do any cut/solder work: I recommend practicing on any old/broken board laying around first

guino avatar Sep 16 '22 17:09 guino

> @OfficialDevvCat I have that flash programmer and you need to be aware of 2 things:
>
> 1-It says it is compatible with 3.3V chips but it outputs 5V on some pins -- you should check it before you fry your chip/board. There's a 'mod' you can do on it to make it output 3.3V on all pins (I did the mod on mine and it works correctly)
>
> 2-You most likely will need to remove the chip from the board (OR at least disconnect PIN 6 in my experience) before you can read/write the flash. If you don't have a heat gun it may be easier to cut the pin 6 (with needle cut pliers) and solder it back afterward than trying to remove the whole chip (trying to disconnect pin 6 with a soldering iron will likely damage the board) -- learned the hard way.
>
> IF you're going to do any cut/solder work: I recommend practicing on any old/broken board laying around first

Okay so wait. The camera needs to be turned on, right? And then the clip needs to be attached before I turn it on (if it outputs the same voltage), and then I need them both turned on and read the data? Or does the camera need to be off and then attach the clip and read the data? Cause if the clip outputs 5V, I can make sure the clip does not output power and then connect the clip and turn on the camera to extract the data. Or is that not going to work? I do not have a heat gun or soldering station on hand.

BreadJS avatar Sep 16 '22 17:09 BreadJS

@OfficialDevvCat a flash programmer will read (and later write - if desired) the built in firmware on the device -- to be clear: it won't do anything with UART. For reading/writing the flash you don't turn on the device at all, you just plug the flash programmer on the chip and read (or write) its contents (like a USB drive). The issue is that (from experience) connecting the flash programmer to the chip without removing it from the board doesn't work (fails to read/write). As long as you verify the output is 3.3V (on all pins like VCC, RX, TX) then it should be safe to try and read the flash while connected to the board (but from experience it is likely going to fail, but who knows board design changes). If you plug the programmer to the chip while on board and you output 5V to any pin you may fry the device (fair warning).

The only type of connection we do with the board/device powered ON is when using the UART/TTL adapter where we connect it then power on the device to capture the boot output log. UART connections require a USB/TTL UART/SERIAL adapter (3.3V), which is a different thing than the flash programmer.

guino avatar Sep 16 '22 18:09 guino

> @OfficialDevvCat a flash programmer will read (and later write - if desired) the built in firmware on the device -- to be clear: it won't do anything with UART. For reading/writing the flash you don't turn on the device at all, you just plug the flash programmer on the chip and read (or write) its contents (like a USB drive). The issue is that (from experience) connecting the flash programmer to the chip without removing it from the board doesn't work (fails to read/write). As long as you verify the output is 3.3V (on all pins like VCC, RX, TX) then it should be safe to try and read the flash while connected to the board (but from experience it is likely going to fail, but who knows board design changes). If you plug the programmer to the chip while on board and you output 5V to any pin you may fry the device (fair warning).
>
> The only type of connection we do with the board/device powered ON is when using the UART/TTL adapter where we connect it then power on the device to capture the boot output log. UART connections require a USB/TTL UART/SERIAL adapter (3.3V), which is a different thing than the flash programmer.

Okay that is clear. Could you take a look at the picture and tell me what the best solution could be? It has a jumper for maybe possible TTL functionality?

https://imgur.com/a/I0ZPCF0

BreadJS avatar Sep 16 '22 19:09 BreadJS

@OfficialDevvCat the chip should connect on the ‘25’ section, but like I said: this programmer has a 3.3V/5V jumper but when you set it to 3.3V it still outputs 5V on some pins ( RX/TX pins I think ). If you connect it without the mod to fix the voltage you may damage the board/chip (you have been warned).

guino avatar Sep 16 '22 19:09 guino

Okay, I will find online if there is a different way to do that. What about the TTL functionality? Does that also output 5V? Or is it just a reading pin?

BreadJS avatar Sep 16 '22 19:09 BreadJS

@OfficialDevvCat that flash programmer only has TTL functionality - in 3.3V or 5V selected by jumper switch, but this is only for flash chip read/write. The UART pins require a UART TTL (3.3V) adapter which is mostly available as a USB adapter. There’s no way (that I know) to use a flash programmer on the UART TTL pins, and there’s no way (that I know) to use the UART TTL adapter on the flash chip.

guino avatar Sep 16 '22 20:09 guino

> @OfficialDevvCat that flash programmer only has TTL functionality - in 3.3V or 5V selected by jumper switch, but this is only for flash chip read/write. The UART pins require a UART TTL (3.3V) adapter which is mostly available as a USB adapter. There’s no way (that I know) to use a flash programmer on the UART TTL pins, and there’s no way (that I know) to use the UART TTL adapter on the flash chip.

I just checked the datasheet of an old 25xx chip from a dead GPU and it was a 3.6 max volt chip. And I got to read the chip without issues and even got to write to it. I also looked it up and this is an improved revision of the board with the 3.3V fix. Should I now extract the data from the camera?

BreadJS avatar Sep 16 '22 20:09 BreadJS

@OfficialDevvCat sounds good if you say it’s a fixed version you can try - again, from my experience it may not work while the chip is soldered on the board. I would avoid keeping the flash programmer hooked up for a long period just in case the voltage is wrong, so hook it up, try to read, remove it if fails, wait a bit hook up, try reading again, etc

guino avatar Sep 16 '22 20:09 guino

@guino I just dumped the chip, I did that exactly. Read, verified and disconnected. You can download the dumped bin file from here https://www.mediafire.com/file/31ms1k4kgqxxlh6/Smart_Indoor_IP_Camera.bin/file Let me know what I can do or what you're planning to do.

BreadJS avatar Sep 16 '22 20:09 BreadJS

@OfficialDevvCat well, assuming your camera still works normally, I would try this first:

Follow the steps from: https://github.com/guino/Merkury1080P#conclusion USING THE ATTACHED 3 files: 7632.zip -- that is, instead of what's posted on the link (I changed the address to A0008000 on env and ppsMmcTool.txt files). Assuming the internals didn't change a lot this may allow you to root device.

Binwalk didn't give me a lot of information to work with, so let's hope this works.

guino avatar Sep 16 '22 22:09 guino

@guino Just one more question. Do I have to flash the chip afterwards to make it work?? Cause the issue is that the SPI Flasher does not work anymore for some reason?! The Red power light is on and so is the Yellow RUN led. And it is not found by windows anymore?! I don't hear a USB Connected sound. Very very strange. So I'm going to return it tomorrow and ask for a new one which will take a few days... Unless you know what I can do about it?

BreadJS avatar Sep 16 '22 22:09 BreadJS

@OfficialDevvCat If you tried A0008000 and it didn't work I'll have to try and dig out more from this firmware file.

Is the camera still working ? (boots up, etc) ? if not you may have damaged it somehow. It may just need a power cycle of your machine to reset the USB bus (if it used too much power).

guino avatar Sep 16 '22 22:09 guino

> @OfficialDevvCat If you tried A0008000 and it didn't work I'll have to try and dig out more from this firmware file.
>
> Is the camera still working ? (boots up, etc) ? if not you may have damaged it somehow. It may just need a power cycle of your machine to reset the USB bus (if it used too much power).

Camera works perfectly fine! I can try rebooting my PC but I don't think it's really going to work as it was plugged in a powered hub. Tried a different pc and used my powerbank. Yellow light stays solid and not connected.

BreadJS avatar Sep 16 '22 22:09 BreadJS

But again, Do I need to flash stuff again onto the chip? Cause I can't read anywhere what to do after the edit. I assume it has to

BreadJS avatar Sep 16 '22 22:09 BreadJS

@OfficialDevvCat the 'Read' process doesn't change anything in the chip, so to work 'normally' you won't have to flash anything back. If I can unpack the firmware we may be able to find something to change to root the device (I haven't been able to do it yet) -- in that case you would need to be able to write the changes with the programmer (meaning it would need to work again).

guino avatar Sep 16 '22 22:09 guino

I tried to find some variables from the link you sent me but it can't even find the "Loadable segment". Maybe you could take a look at it if you've got the time for it? Would appreciate it!

BreadJS avatar Sep 16 '22 23:09 BreadJS

@guino Let me know if I can do anything as I'm a programmer and know my way around some of this stuff! Would be very cool to get this thing streaming a signal outside the app. :) Have a great weekend in advance and let's hope for some good results on this thing

BreadJS avatar Sep 17 '22 01:09 BreadJS

@OfficialDevvCat I will try to see if I can get anything out of it - may need to try a different tool.

guino avatar Sep 17 '22 01:09 guino

@OfficialDevvCat I downloaded a different tool and then I noticed there's an issue with your flash file -- it's only 2Mb when it should be at least 8Mb (some devices have 16Mb) -- this is likely the reason why I could not extract anything out of it. This may have been something like selecting the wrong size of chip when you did the 'read' or perhaps an issue identifying the chip size (or even just an upload issue). Do you happen to have the /proc/cmdline for this device ? That may help me extract the bootloader from the section you provided (so I can try to double check the load address).

guino avatar Sep 17 '22 02:09 guino
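
The size mismatch described in the comment above (a 2Mb file from a chip that should hold at least 8Mb) can be caught before any extraction is attempted. The following is an added example, not code from this thread or from the Merkury1080P project: it checks a raw dump against the chip's rated size and against the lengths declared by any U-Boot legacy image or SquashFS headers inside it. The function names, the 8 KiB sample image and its load address value are constructed, and whether this camera's firmware uses these two formats is an assumption.

```python
import struct
import zlib

UIMAGE_MAGIC = b"\x27\x05\x19\x56"  # U-Boot legacy image header (big-endian fields)
SQUASHFS_MAGIC = b"hsqs"            # SquashFS 4.x superblock (little-endian fields)

def offsets(data, magic):
    pos = data.find(magic)
    while pos != -1:
        yield pos
        pos = data.find(magic, pos + 1)

def declared_images(data):
    """Return (offset, kind, end_offset, load_addr) for every validated header."""
    found = []
    for off in offsets(data, UIMAGE_MAGIC):
        hdr = data[off:off + 64]
        if len(hdr) < 64:
            continue
        hcrc, _, size, load = struct.unpack_from(">IIII", hdr, 4)
        # The header CRC is computed with its own field zeroed; rejects stray magics.
        if zlib.crc32(hdr[:4] + b"\0" * 4 + hdr[8:]) == hcrc:
            found.append((off, "uImage", off + 64 + size, load))
    for off in offsets(data, SQUASHFS_MAGIC):
        if off + 48 <= len(data) and struct.unpack_from("<H", data, off + 28)[0] == 4:
            used = struct.unpack_from("<Q", data, off + 40)[0]
            found.append((off, "squashfs", off + used, None))
    return sorted(found, key=lambda f: f[0])

def check_dump(data, chip_size):
    """List reasons a raw SPI flash read cannot be a complete image of the chip."""
    problems = []
    if len(data) < chip_size:
        problems.append(f"short read: {len(data)} of {chip_size} bytes")
    elif len(data) > chip_size:
        problems.append(f"oversized read: {len(data)} of {chip_size} bytes")
    half = len(data) // 2
    if half and data[:half] == data[half:]:
        problems.append("halves identical: address wrap or blank read")
    if data and (data.count(0) + data.count(0xFF)) / len(data) > 0.95:
        problems.append("mostly 0x00/0xFF: bad clip contact or wrong chip type")
    for off, kind, end, _ in declared_images(data):
        if end > len(data):
            problems.append(f"{kind} at 0x{off:X} declares end 0x{end:X}, past end of dump")
    return problems

def sample_flash(chip_size=8192):
    """Constructed stand-in for a flash image: one uImage header plus payload."""
    payload = bytes(range(256)) * 16
    fields = struct.pack(">IIIIIBBBB", 0, len(payload), 0xA0008000, 0xA0008000,
                         zlib.crc32(payload), 5, 5, 2, 0) + b"constructed".ljust(32, b"\0")
    hcrc = zlib.crc32(UIMAGE_MAGIC + b"\0" * 4 + fields)
    image = UIMAGE_MAGIC + struct.pack(">I", hcrc) + fields + payload
    return (b"\xff" * 1024 + image).ljust(chip_size, b"\xff")
```

For a real dump, pass the file's bytes and the capacity from the chip's datasheet; an empty list means none of these checks found a reason to distrust the read.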

> @OfficialDevvCat I downloaded a different tool and then I noticed there's an issue with your flash file -- it's only 2Mb when it should be at least 8Mb (some devices have 16Mb) -- this is likely the reason why I could not extract anything out of it. This may have been something like selecting the wrong size of chip when you did the 'read' or perhaps an issue identifying the chip size (or even just an upload issue). Do you happen to have the /proc/cmdline for this device ? That may help me extract the bootloader from the section you provided (so I can try to double check the load address).

I did not have any success with that sadly. The http server is sadly disabled to get any kind of useful info from it.

You have to wait until Sunday until I've got my new reader to try it out once again.

BreadJS avatar Sep 17 '22 02:09 BreadJS

@guino I just received my new SPI flasher. I will dump the whole chip (8MB) in an hour or so. I will look up the chip model number and see what settings I need.

BreadJS avatar Sep 18 '22 16:09 BreadJS

@guino I just noticed the TX/RX rail is on 4.5V. I will have to wait until Wednesday till I got my soldering station.

BreadJS avatar Sep 18 '22 20:09 BreadJS