aQrootG3
Hey,
You may remember me from a while ago, I discovered the qrcode exploit in the G3. Well it seems those nice people at Aqara introduced a new flaw in the QRCode handling at some point in 4.x 😆
My G3 refuses to update past 4.1.4 (despite 4.3.6 being available) and it works in that version; I suspect it works in later versions and likely other models.
Before I update my repo, wanted to see if I can reach out to you and do some testing, perhaps on other models too?
If so, let me know how to reach you 👍
I know you of course.
There are many problems in the Aqara Camera G3. I have four G3 cameras and have had the following problems for around three years.
- The rotation of ptz is broken.
- The charger port has melted.
- Sometimes it cannot connect to WiFi after reboot.
- The upgrade firmware was pulled by lumi because it caused issues frequently.
As far as I know, version 4.3.6 was removed from the Aqara App. And what kind of test do you want to do?
😁
Sounds about right, I have seen the PTZ issue before too - even after changing the motor. 4.3.6 still shows as an update in my app; it downloads but the G3 reboots part way through and gives up - tried manually and it just triggers a reboot mid-upgrade, such is life.
So I wanted to see if you had other cameras (doorbell?) to see if this method works on those too - and also to discuss a practical payload since post_init inclusion is commented out for many versions now.
Current test payload just invokes /usr/factory_test/bin/wifi_test_station.sh to join WiFi and then fw_manager.sh -t -k to start telnet - which works, but the device is in limbo: you can access telnet but the device is not provisioned of course and will eventually time out after a few minutes and close WiFi, etc.
Thoughts were around writing out /res/passwd so the button press combo to enable telnet works without password, or to dump agetprop props to sdcard so you can reconstruct the default telnet password using mac, key, did.
Open to ideas.
What are the logs while updating?
I got such an issue that it rebooted while updating before. It was because the RAM ran out. After reboot, the update could be finished.
If you only add WiFi and telnet, it may not be enough. You need to check the watchdog.
The method to enable telnet is the same in every lumi product. Just press the button 5-2-2-2-2-2.
I have no idea how to get the did, key, mac without telnet.
I'm not too bothered about actually upgrading it, I just got bored and took it out of the drawer to try some new attacks 😆
Indeed, the button press enables telnet, but I believe on some products that whilst telnet is enabled, the root password is generated from did, key and mac by /usr/factory_test/bin/generate_pswd.sh?
Like I see you mention needing UART for the G4 doorbell, assuming it too uses a QR code for setup then I think we can get past that need on later firmwares.
Anyway, if interested let me know how to speak - would prefer to discuss privately until tested, otherwise it'll just get fixed again.
The old method to generate password of root is using generate_pswd.sh with "did, mac and key". The new method for new products is using generate_pswd.sh with "did, mac and dac_crt_md5", like G5Pro, G410, M100 etc.
I think or guess that the way to generate the root password is to get the "did, mac, key or dac_crt_md5" from the iOS/Android app. But due to my limited knowledge, I cannot find the way from disassembling the Android apk.
Anyway, if interested let me know how to speak - would prefer to discuss privately until tested, otherwise it'll just get fixed again.
What instant messaging app do you use?
I remember when looking at the old method that there was no way to get all 3 from any of the Aqara endpoints used by the app so I don't think the app route will gain results unfortunately.
But if this is on the device (maybe as a prop, like "key") then this "new" method can retrieve them.
I wish GitHub had the notion of private messaging, it would make life easier. But I do use Telegram.
Hmm so I grabbed a few firmwares: lumi.camera.acn005 - V4.0.1 lumi.camera.acn017 - V4.3.3 lumi.camera.agl003 - V4.3.4
All seem to use the old pswd generation? Does it start on a specific version? Or model?
Also a cursory glance seems to show that they aren't vulnerable to the bug that was introduced into the G3, weirdly :/ not checked G2 etc.
It does seem like there might be a few other avenues to investigate for these devices though.
Just a little surprised that they differ so much, hate to think what code management at aqara is like.
I remember when looking at the old method that there was no way to get all 3 from any of the Aqara endpoints used by the app so I don't think the app route will gain results unfortunately.
The developers at lumi should have a way to get these 3 properties. Maybe from the app or the cloud.
lumi.camera.acn005 - V4.0.1
Doorbell G4 uses old
lumi.camera.acn017 - V4.3.3
Doorbell G410 uses new
lumi.camera.agl003 - V4.3.4
Camera G5 Pro WiFi uses new
If the did of the product starts with 'lumi3', it uses the new method.
Most lumi products have a key, but not all of them have the sdcard.
There is an interesting repo which also plays with the G3. https://github.com/sdavides/AqaraPOST-Homeassistant
Another repo is good. https://github.com/stackia/aqara-agent2mqtt
I apologize for the inconvenience. When I attempted to use aQrootG3 to crack the Aqara G3, the camera was unable to read the generated QR code. I have tried all versions from v0.1 to v0.3, but I am unsure if the issue is with the camera. After downgrading to firmware version 3.3.4, the official QR code was also unreadable, forcing me to revert to a firmware version later than 3.3.9. After searching online, I found that many others have encountered this issue. Is there a solution? Thank you. @Wh1terat @niceboygithub
Can I know the account and password for pure telnet, which cannot be changed by firmware or QR code? I'm only able to connect to Telnet via the physical button. I have an OEM version that doesn't have an SD card slot.
@GalaxyGiant No SD slot? That's interesting.
You could try my 4.xx PoC script to get temporary root and have a look around the camera, see what's in /res/passwd or dump everything from agetprop so you can work out the default password.
https://github.com/Wh1terat/aQRootG3/tree/dev
Edit: You probably need to modify it if your model differs from gwpgl1 or gwpagl01