modified: README.md
	new file:   readonlyhack-v0.1.zip
	new file:   readonlysd/debug_cmd.sh
	new file:   readonlysd/hack/VOICE-new.tgz
	new file:   readonlysd/hack/busybox
	new file:   readonlysd/hack/busybox-armv6l
	new file:   readonlysd/hack/dropbear_ecdsa_host_key
	new file:   readonlysd/hack/dropbearmulti
	new file:   readonlysd/hack/goke_p2pcam_param
	new file:   readonlysd/hack/goke_volume
	new file:   readonlysd/hack/group
	new file:   readonlysd/hack/hosts.new
	new file:   readonlysd/hack/passwd
	new file:   readonlysd/hack/profile
	new file:   readonlysd/hack/ptz
	new file:   readonlysd/hack/ptz-ctrl
	new file:   readonlysd/hack/shadow
	new file:   readonlysd/hack/www/cgi-bin/webui
ant-thomas committed Aug 5, 2018
1 parent 6fc3edf commit 0348815
Showing 18 changed files with 374 additions and 4 deletions.
38 changes: 34 additions & 4 deletions README.md
Expand Up @@ -9,9 +9,10 @@ Confirmed working on the following camera models
* GUUDGO GD-SC11
* Digoo DG-W01F
* YSA CIPC-GC13H
* KERUI CIPC-GC15HE (read-only version)


Disclaimer - I'm not a programmer, just a hobbyist that likes poking around with things like this. You use the software here at your own risk. If your camera isn't listed as supported you may break your camera.
Disclaimer - I'm not a programmer, just a hobbyist that likes poking around with things like this. You use the software here at your own risk. If your camera isn't listed as supported you may break your camera. You may even break your camera if it is listed due to a variety of firmware versions available.

A few people have asked if they can donate something, you probably have much better things to spend your money on, but if you insist you can on [PayPal](http://paypal.me/antthomascouk) [![Donate](https://www.paypalobjects.com/webstatic/en_US/i/buttons/pp-acceptance-small.png)](http://paypal.me/antthomascouk)

Expand All @@ -23,26 +24,52 @@ This is a cheap Pan Tilt IP Camera (supposedly 1080p) that for a time was availa

[Sensor - SC2135 - supposedly capable of 1080p 30fps](https://www.unifore.net/product-highlights/ip-camera-smartsens-cmos-image-sensors.html)


### Instructions
There's a few different varieties of firmware across various brands of cameras which means it is impossible to know which version of the hack is the best for your camera. Older firmware are more hackable because the root filesystem is mounted read/write, new firmwares need the hack applying differently because the root filesystem is mounted read-only but the ```/home``` directory is writeable.

For example
Version 3.1.1.0908 is read-write and can use [zsgx1hacks-v0.4.zip](https://github.com/ant-thomas/zsgx1hacks/raw/master/zsgx1hacks-v0.4.zip)
Version 3.2.8.0121 is read-only and can only use [readonlyhack-v0.1.zip](https://github.com/ant-thomas/zsgx1hacks/raw/master/readonlyhack-v0.1.zip)
If in doubt use the read-only hack as that is more likely to work across more cameras.

#### How to check version
If you have already configured the camera with the cloud app there should be some info within the app showing firmware version.
Using an onvif tool/app like Onvifer (Android) should give firmware version.
You should also be able to find the firmware version by logging in via telnet and excuting the command ```ls /tmp | grep -F 3.``` or ```ls /tmp | head -1```

#### Steps
* Create network connection
* WiFi - setup camera via app
* Ethernet - plug in to network (doesn't need app setup)
* Download [zsgx1hacks-v0.4.zip](https://github.com/ant-thomas/zsgx1hacks/raw/master/zsgx1hacks-v0.4.zip) and extract the contents of the zip file to a vfat/fat32 formatted microSD card
* Download hack for your camera

#### Older firmware - read/write
* Download zip file - [zsgx1hacks-v0.4.zip](https://github.com/ant-thomas/zsgx1hacks/raw/master/zsgx1hacks-v0.4.zip)
* Extract the contents of the zip file to a vfat/fat32 formatted microSD card
* Change options in `config.txt`
* Option for persistent hack without SD card
* Default - run off SD Card
* If in doubt, run it off the SD Card
* Option to restore original state of camera without hack
* Option to silence the voices
* This may be causing issues on some cameras so use at your own risk

#### Newer firmware - read-only
* Download zip file - [readonlyhack-v0.1.zip](https://github.com/ant-thomas/zsgx1hacks/raw/master/readonlyhack-v0.1.zip)
* Extract the contents of the zip file to a vfat/fat32 formatted microSD card

#### All
* Insert microSD card into camera and boot
* Result should be
* No communication to cloud services
* RTSP/onvif server on the IP address of the camera
* SSH server - user/pass ```root/cxlinux```
* SSH server
* R/W version - user/pass ```root/cxlinux```
* R-O version - user ```root``` no password
* Telnet server - user/pass ```root/cxlinux```
* Updated busybox
* Annoying whining noise reduced
* Annoying whining noise reduced (RW version only currently)
* WebUI accessible - http://IPAddress:8080/cgi-bin/webui
* FTP Server pointing to the root file system - no username or password
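
Review bot: The new `R-O version - user root no password` entry documents a root SSH login that needs no credentials, next to the existing anonymous FTP entry for the root file system, but the instructions never say that both are reachable by any host on the same network as the camera. Add a line under "Result should be" stating that, and recommend keeping the camera on an isolated network segment or setting a root password in `hack/shadow` on the SD card before booting. Smaller points in the same hunk: "excuting" should be "executing", the three lines under "For example" have no list markers or blank lines between them so Markdown will run them into one paragraph, and the new step "Download hack for your camera" would read better if it pointed to the two sections that follow.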

Expand All @@ -68,6 +95,9 @@ This is a cheap Pan Tilt IP Camera (supposedly 1080p) that for a time was availa
* Get rid of ```p2pcam``` and use an alternative RTSP server
* Find method to enable WiFi connection without using the app

#### 2018-08-05 - Update 17 (ant-thomas)
* Read-only hack created to enable cameras with a newer firmware to have extra features and turn off cloud connections.

#### 2018-03-30 - Update 16 (ant-thomas)
* Updated sdcard zip - [zsgx1hacks-v0.4.zip](https://github.com/ant-thomas/zsgx1hacks/raw/master/zsgx1hacks-v0.4.zip)
* `config.txt` file to change some options
Binary file added readonlyhack-v0.1.zip
Binary file not shown.
54 changes: 54 additions & 0 deletions readonlysd/debug_cmd.sh
@@ -0,0 +1,54 @@
#!/bin/sh

# ANT-THOMAS
############
# HACKS HERE

# mount sd card to separate location
if [ -b /dev/mmcblk0p1 ]; then
mount -t vfat /dev/mmcblk0p1 /media
elif [ -b /dev/mmcblk0 ]; then
mount -t vfat /dev/mmcblk0 /media
fi

# confirm hack type
touch /home/HACKSD

mkdir -p /home/busybox

# install updated version of busybox
mount --bind /media/hack/busybox /bin/busybox
/bin/busybox --install -s /home/busybox

# set new env
mount --bind /media/hack/profile /etc/profile

# possibly needed but may not be
mount --bind /media/hack/group /etc/group
mount --bind /media/hack/passwd /etc/passwd
mount --bind /media/hack/shadow /etc/shadow

# update hosts file to prevent communication
mount --bind /media/hack/hosts.new /etc/hosts

# busybox httpd
/home/busybox/httpd -p 8080 -h /media/hack/www

# setup and install dropbear ssh server - no password login
/media/hack/dropbearmulti dropbear -r /media/hack/dropbear_ecdsa_host_key -B

# start ftp server
(/home/busybox/tcpsvd -E 0.0.0.0 21 ftpd -w / ) &

# sync the time
(sleep 20 && /home/busybox/ntpd -q -p 0.uk.pool.ntp.org ) &

# silence the voices - uncomment if needed
#if [ ! -f /home/VOICE-orig.tgz ]; then
# cp /home/VOICE.tgz /home/VOICE-orig.tgz
#fi
#
#cp /media/hack/VOICE-new.tgz /home/VOICE.tgz

#
############
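
Review bot: The dropbear line passes `-B` (allow blank-password logins) and the bind-mounted `shadow` leaves root's password field empty, while the ftpd line serves `/` with `-w` on `0.0.0.0:21`, so every host that can reach the camera gets a root shell and write access to the whole filesystem without credentials. Consider dropping `-B` in favour of a password hash or an authorized_keys file read from the SD card, and either removing the FTP service or limiting it to a directory under `/media`. Two further points: `-r /media/hack/dropbear_ecdsa_host_key` loads a host key that is committed to this repository, so every camera running the hack presents the same private host key and clients cannot tell one device from another or from an impostor; generate the key on first boot instead. And neither `mount -t vfat` call is checked, so when the card is missing or not vfat the script still touches `/home/HACKSD` and runs the bind mounts against an empty `/media`; exit early if the mount fails.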
Binary file added readonlysd/hack/VOICE-new.tgz
Binary file not shown.
Binary file added readonlysd/hack/busybox
Binary file not shown.
Binary file added readonlysd/hack/busybox-armv6l
Binary file not shown.
Binary file added readonlysd/hack/dropbear_ecdsa_host_key
Binary file not shown.
Binary file added readonlysd/hack/dropbearmulti
Binary file not shown.
Binary file added readonlysd/hack/goke_p2pcam_param
Binary file not shown.
Binary file added readonlysd/hack/goke_volume
Binary file not shown.
21 changes: 21 additions & 0 deletions readonlysd/hack/group
@@ -0,0 +1,21 @@
root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:
tty:x:5:
disk:x:6:
wheel:x:10:
audio:x:29:
www-data:x:33:
utmp:x:43:
staff:x:50:
lock:x:54:
haldaemon:x:68:
dbus:x:81:
netdev:x:82:
ftp:x:83:
nobody:x:99:
nogroup:x:99:
users:x:100:
default:x:1000:
29 changes: 29 additions & 0 deletions readonlysd/hack/hosts.new
@@ -0,0 +1,29 @@
127.0.0.1 localhost
127.0.1.1 goke

127.0.0.1 arcsoft.com
127.0.0.1 xmpp.icloseli.cn
127.0.0.1 relaycn.arcsoftcloud.com
127.0.0.1 update.icloseli.cn

127.0.0.1 esd.icloseli.cn
127.0.0.1 upns.icloseli.cn


127.0.0.1 argus.icloseli.cn
127.0.0.1 relay.icloseli.cn
127.0.0.1 stun.icloseli.cn
127.0.0.1 api.icloseli.cn


127.0.0.1 xmpp.icloseli.com
127.0.0.1 relayus-w.arcsoftcloud.com
127.0.0.1 update.icloseli.com
127.0.0.1 esd.icloseli.com
127.0.0.1 upns.icloseli.com

127.0.0.1 xmpp.icloseli.com
127.0.0.1 argus.icloseli.com

127.0.0.1 relay.icloseli.com
127.0.0.1 api.icloseli.com
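
Review bot: `127.0.0.1 xmpp.icloseli.com` is listed twice in the `.com` block, and that block has no `stun.icloseli.com` entry to match `stun.icloseli.cn` above, which looks like an omission rather than a choice. Remove the duplicate and add the missing name if the firmware uses it. It is also worth a comment at the top of the file, or a line in the README, that a hosts file only overrides the exact names listed: other subdomains of `arcsoft.com`, `arcsoftcloud.com` and `icloseli.*`, and any address the firmware contacts by IP, are not covered, so the README claim of "No communication to cloud services" should be confirmed with a packet capture or enforced with a firewall rule at the router.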
16 changes: 16 additions & 0 deletions readonlysd/hack/passwd
@@ -0,0 +1,16 @@
root:yE7gW4O0CSXXg:0:0::/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:100:sync:/bin:/bin/sync
mail:x:8:8:mail:/var/spool/mail:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
operator:x:37:37:Operator:/var:/bin/sh
haldaemon:x:68:68:hald:/:/bin/sh
dbus:x:81:81:dbus:/var/run/dbus:/bin/sh
ftp:x:83:83:ftp:/home/ftp:/bin/sh
nobody:x:99:99:nobody:/home:/bin/sh
sshd:x:103:99:Operator:/var:/bin/sh
default:x:1000:1000:Default non-root user:/home/default:/bin/sh
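
Review bot: The root entry stores a hash directly in the password field (`root:yE7gW4O0CSXXg:0:0::/root:/bin/sh`) while every other account uses `x`, so the hash sits in the world-readable `passwd` file and in a public repository, and it disagrees with the accompanying `shadow`, where root's field is empty. Replace it with `x` and keep the single source of truth in `shadow`. In addition, the service accounts (`daemon`, `ftp`, `nobody`, `sshd` and the rest) all get `/bin/sh`; a non-login shell such as `/bin/false` would be safer for accounts that never need an interactive session.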
57 changes: 57 additions & 0 deletions readonlysd/hack/profile
@@ -0,0 +1,57 @@
# ~/.bashrc: executed by bash(1) for non-login interactive shells.

export PATH=\
/home/busybox:\
/media/hack/hackenv:\
/bin:\
/sbin:\
/usr/bin:\
/usr/sbin:\
/usr/bin/X11:\
/usr/local/bin

# If running interactively, then:
if [ "$PS1" ]; then

if [ "$BASH" ]; then
export PS1="[\u@\h \W]\\$ "
alias ll='/bin/ls --color=tty -laFh'
alias ls='/bin/ls --color=tty -F'
export LS_COLORS='no=00:fi=00:di=01;34:ln=01;36:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.gz=01;31:*.bz2=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.jpg=01;35:*.jpeg=01;35:*.png=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.mpg=01;35:*.mpeg=01;35:*.avi=01;35:*.fli=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:';
else
if [ "`id -u`" -eq 0 ]; then
export PS1='# '
else
export PS1='$ '
fi
fi

export USER=`id -un`
export LOGNAME=$USER
export HOSTNAME=`/bin/hostname`
export HISTSIZE=1000
export HISTFILESIZE=1000
export PAGER='/bin/more '
export EDITOR='/bin/vi'
export INPUTRC=/etc/inputrc
export DMALLOC_OPTIONS=debug=0x34f47d83,inter=100,log=logfile

### Some aliases
alias ps2='ps facux '
alias ps1='ps faxo "%U %t %p %a" '
alias af='ps af'
alias cls='clear'
alias df='df -h'
alias indent='indent -bad -bap -bbo -nbc -br -brs -c33 -cd33 -ncdb -ce -ci4 -cli0 -cp33 -cs -d0 -di1 -nfc1 -nfca -hnl -i4 -ip0 -l75 -lp -npcs -npsl -nsc -nsob -nss -ts4 '
#alias bc='bc -l'
alias minicom='minicom -c on'
alias calc='calc -Cd '
alias bc='calc -Cd '
fi;

# Source configuration files from /etc/profile.d
for i in /etc/profile.d/*.sh ; do
if [ -r "$i" ]; then
. $i
fi
done
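
Review bot: `PATH` places `/media/hack/hackenv` ahead of `/bin` and `/sbin`, but no `hackenv` directory is among the files added in this commit, and because it lives on the removable vfat card any file dropped there shadows the system binaries for every login shell. Either remove the entry or move it to the end of `PATH` and add the directory to the SD card tree. The header comment still says `~/.bashrc` although `debug_cmd.sh` bind-mounts this file over `/etc/profile`, and `. $i` in the final loop should be quoted as `. "$i"`.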
Binary file added readonlysd/hack/ptz
Binary file not shown.
42 changes: 42 additions & 0 deletions readonlysd/hack/ptz-ctrl
@@ -0,0 +1,42 @@
#!/bin/sh
#

if [ -f /home/HACKP ]; then
ptzfolder="/home/hack"
elif [ -f /home/HACKSD ]; then
ptzfolder="/media/hack"
fi

if [ $1 = "u" ];
then
$ptzfolder/ptz 0x65 0x14 && sleep 0.5 && $ptzfolder/ptz 0x64 0x14
fi
if [ $1 = "d" ];
then
$ptzfolder/ptz 0x66 0x14 && sleep 0.5 && $ptzfolder/ptz 0x64 0x14
fi
if [ $1 = "l" ];
then
$ptzfolder/ptz 0x67 0x14 && sleep 0.5 && $ptzfolder/ptz 0x64 0x14
fi
if [ $1 = "r" ];
then
$ptzfolder/ptz 0x68 0x14 && sleep 0.5 && $ptzfolder/ptz 0x64 0x14
fi
if [ $1 = "lu" ];
then
$ptzfolder/ptz 0x69 0x200020 && sleep 0.5 && $ptzfolder/ptz 0x64 0x14
fi
if [ $1 = "ld" ];
then
$ptzfolder/ptz 0x6a 0x200020 && sleep 0.5 && $ptzfolder/ptz 0x64 0x14
fi
if [ $1 = "ru" ];
then
$ptzfolder/ptz 0x6b 0x200020 && sleep 0.5 && $ptzfolder/ptz 0x64 0x14
fi
if [ $1 = "rd" ];
then
$ptzfolder/ptz 0x6c 0x200020 && sleep 0.5 && $ptzfolder/ptz 0x64 0x14
fi
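
Review bot: Every test uses an unquoted `$1` (`if [ $1 = "u" ];`), so calling the script without an argument makes each of the eight `[` tests fail with a syntax error, and an argument containing spaces is word-split before the comparison. `ptzfolder` is also left unset when neither `/home/HACKP` nor `/home/HACKSD` exists, in which case the commands resolve to `/ptz`. Quote the variable, replace the chain of `if` blocks with one `case "$1" in` statement that has a default branch printing usage, and exit with an error when no marker file is found.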

13 changes: 13 additions & 0 deletions readonlysd/hack/shadow
@@ -0,0 +1,13 @@
root::10933:0:99999:7:::
bin:*:10933:0:99999:7:::
daemon:*:10933:0:99999:7:::
adm:*:10933:0:99999:7:::
lp:*:10933:0:99999:7:::
sync:*:10933:0:99999:7:::
shutdown:*:10933:0:99999:7:::
halt:*:10933:0:99999:7:::
uucp:*:10933:0:99999:7:::
operator:*:10933:0:99999:7:::
ftp:*:10933:0:99999:7:::
nobody:*:10933:0:99999:7:::
default::10933:0:99999:7:::
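
Review bot: `default::10933:0:99999:7:::` gives the `default` account an empty password field, the same as root, and `passwd` assigns that account `/bin/sh`, so the dropbear `-B` setting in `debug_cmd.sh` opens a second password-less login that the README does not mention. Lock it with `*` like the other entries unless it is needed. The account list also does not line up with `passwd`: `adm`, `lp`, `shutdown`, `halt` and `uucp` appear only here, while `sys`, `mail`, `proxy`, `www-data`, `backup`, `haldaemon`, `dbus` and `sshd` appear only in `passwd`.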