diff --git a/README.md b/README.md index 1688c11..84f9f9d 100644 --- a/README.md +++ b/README.md @@ -9,9 +9,10 @@ Confirmed working on the following camera models * GUUDGO GD-SC11 * Digoo DG-W01F * YSA CIPC-GC13H + * KERUI CIPC-GC15HE (read-only version) -Disclaimer - I'm not a programmer, just a hobbyist that likes poking around with things like this. You use the software here at your own risk. If your camera isn't listed as supported you may break your camera. +Disclaimer - I'm not a programmer, just a hobbyist that likes poking around with things like this. You use the software here at your own risk. If your camera isn't listed as supported you may break your camera. You may even break your camera if it is listed due to a variety of firmware versions available. A few people have asked if they can donate something, you probably have much better things to spend your money on, but if you insist you can on [PayPal](http://paypal.me/antthomascouk) [![Donate](https://www.paypalobjects.com/webstatic/en_US/i/buttons/pp-acceptance-small.png)](http://paypal.me/antthomascouk) @@ -23,11 +24,29 @@ This is a cheap Pan Tilt IP Camera (supposedly 1080p) that for a time was availa [Sensor - SC2135 - supposedly capable of 1080p 30fps](https://www.unifore.net/product-highlights/ip-camera-smartsens-cmos-image-sensors.html) + ### Instructions +There's a few different varieties of firmware across various brands of cameras which means it is impossible to know which version of the hack is the best for your camera. Older firmware are more hackable because the root filesystem is mounted read/write, new firmwares need the hack applying differently because the root filesystem is mounted read-only but the ```/home``` directory is writeable. + +For example +Version 3.1.1.0908 is read-write and can use [zsgx1hacks-v0.4.zip](https://github.com/ant-thomas/zsgx1hacks/raw/master/zsgx1hacks-v0.4.zip) +Version 3.2.8.0121 is read-only and can only use [readonlyhack-v0.1.zip](https://github.com/ant-thomas/zsgx1hacks/raw/master/readonlyhack-v0.1.zip) +If in doubt use the read-only hack as that is more likely to work across more cameras. + +#### How to check version +If you have already configured the camera with the cloud app there should be some info within the app showing firmware version. +Using an onvif tool/app like Onvifer (Android) should give firmware version. +You should also be able to find the firmware version by logging in via telnet and excuting the command ```ls /tmp | grep -F 3.``` or ```ls /tmp | head -1``` + +#### Steps * Create network connection * WiFi - setup camera via app * Ethernet - plug in to network (doesn't need app setup) -* Download [zsgx1hacks-v0.4.zip](https://github.com/ant-thomas/zsgx1hacks/raw/master/zsgx1hacks-v0.4.zip) and extract the contents of the zip file to a vfat/fat32 formatted microSD card +* Download hack for your camera + +#### Older firmware - read/write +* Download zip file - [zsgx1hacks-v0.4.zip](https://github.com/ant-thomas/zsgx1hacks/raw/master/zsgx1hacks-v0.4.zip) +* Extract the contents of the zip file to a vfat/fat32 formatted microSD card * Change options in `config.txt` * Option for persistent hack without SD card * Default - run off SD Card @@ -35,14 +54,22 @@ This is a cheap Pan Tilt IP Camera (supposedly 1080p) that for a time was availa * Option to restore original state of camera without hack * Option to silence the voices * This may be causing issues on some cameras so use at your own risk + +#### Newer firmware - read-only +* Download zip file - [readonlyhack-v0.1.zip](https://github.com/ant-thomas/zsgx1hacks/raw/master/readonlyhack-v0.1.zip) +* Extract the contents of the zip file to a vfat/fat32 formatted microSD card + +#### All * Insert microSD card into camera and boot * Result should be * No communication to cloud services * RTSP/onvif server on the IP address of the camera - * SSH server - user/pass ```root/cxlinux``` + * SSH server + * R/W version - user/pass ```root/cxlinux``` + * R-O version - user ```root``` no password * Telnet server - user/pass ```root/cxlinux``` * Updated busybox - * Annoying whining noise reduced + * Annoying whining noise reduced (RW version only currently) * WebUI accessible - http://IPAddress:8080/cgi-bin/webui * FTP Server pointing to the root file system - no username or password @@ -68,6 +95,9 @@ This is a cheap Pan Tilt IP Camera (supposedly 1080p) that for a time was availa * Get rid of ```p2pcam``` and use an alternative RTSP server * Find method to enable WiFi connection without using the app +#### 2018-08-05 - Update 17 (ant-thomas) +* Read-only hack created to enable cameras with a newer firmware to have extra features and turn off cloud connections. + #### 2018-03-30 - Update 16 (ant-thomas) * Updated sdcard zip - [zsgx1hacks-v0.4.zip](https://github.com/ant-thomas/zsgx1hacks/raw/master/zsgx1hacks-v0.4.zip) * `config.txt` file to change some options diff --git a/readonlyhack-v0.1.zip b/readonlyhack-v0.1.zip new file mode 100644 index 0000000..deb925d Binary files /dev/null and b/readonlyhack-v0.1.zip differ diff --git a/readonlysd/debug_cmd.sh b/readonlysd/debug_cmd.sh new file mode 100644 index 0000000..d69e64b --- /dev/null +++ b/readonlysd/debug_cmd.sh @@ -0,0 +1,54 @@ +#!/bin/sh + +# ANT-THOMAS +############ +# HACKS HERE + +# mount sd card to separate location +if [ -b /dev/mmcblk0p1 ]; then + mount -t vfat /dev/mmcblk0p1 /media +elif [ -b /dev/mmcblk0 ]; then + mount -t vfat /dev/mmcblk0 /media +fi + +# confirm hack type +touch /home/HACKSD + +mkdir -p /home/busybox + +# install updated version of busybox +mount --bind /media/hack/busybox /bin/busybox +/bin/busybox --install -s /home/busybox + +# set new env +mount --bind /media/hack/profile /etc/profile + +# possibly needed but may not be +mount --bind /media/hack/group /etc/group +mount --bind /media/hack/passwd /etc/passwd +mount --bind /media/hack/shadow /etc/shadow + +# update hosts file to prevent communication +mount --bind /media/hack/hosts.new /etc/hosts + +# busybox httpd +/home/busybox/httpd -p 8080 -h /media/hack/www + +# setup and install dropbear ssh server - no password login +/media/hack/dropbearmulti dropbear -r /media/hack/dropbear_ecdsa_host_key -B + +# start ftp server +(/home/busybox/tcpsvd -E 0.0.0.0 21 ftpd -w / ) & + +# sync the time +(sleep 20 && /home/busybox/ntpd -q -p 0.uk.pool.ntp.org ) & + +# silence the voices - uncomment if needed +#if [ ! -f /home/VOICE-orig.tgz ]; then +# cp /home/VOICE.tgz /home/VOICE-orig.tgz +#fi +# +#cp /media/hack/VOICE-new.tgz /home/VOICE.tgz + +# +############ diff --git a/readonlysd/hack/VOICE-new.tgz b/readonlysd/hack/VOICE-new.tgz new file mode 100644 index 0000000..f386e0a Binary files /dev/null and b/readonlysd/hack/VOICE-new.tgz differ diff --git a/readonlysd/hack/busybox b/readonlysd/hack/busybox new file mode 100644 index 0000000..af43d46 Binary files /dev/null and b/readonlysd/hack/busybox differ diff --git a/readonlysd/hack/busybox-armv6l b/readonlysd/hack/busybox-armv6l new file mode 100644 index 0000000..af43d46 Binary files /dev/null and b/readonlysd/hack/busybox-armv6l differ diff --git a/readonlysd/hack/dropbear_ecdsa_host_key b/readonlysd/hack/dropbear_ecdsa_host_key new file mode 100644 index 0000000..c4dd30c Binary files /dev/null and b/readonlysd/hack/dropbear_ecdsa_host_key differ diff --git a/readonlysd/hack/dropbearmulti b/readonlysd/hack/dropbearmulti new file mode 100644 index 0000000..d13071b Binary files /dev/null and b/readonlysd/hack/dropbearmulti differ diff --git a/readonlysd/hack/goke_p2pcam_param b/readonlysd/hack/goke_p2pcam_param new file mode 100644 index 0000000..c590f78 Binary files /dev/null and b/readonlysd/hack/goke_p2pcam_param differ diff --git a/readonlysd/hack/goke_volume b/readonlysd/hack/goke_volume new file mode 100644 index 0000000..e3489a7 Binary files /dev/null and b/readonlysd/hack/goke_volume differ diff --git a/readonlysd/hack/group b/readonlysd/hack/group new file mode 100644 index 0000000..d6e79db --- /dev/null +++ b/readonlysd/hack/group @@ -0,0 +1,21 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3: +adm:x:4: +tty:x:5: +disk:x:6: +wheel:x:10: +audio:x:29: +www-data:x:33: +utmp:x:43: +staff:x:50: +lock:x:54: +haldaemon:x:68: +dbus:x:81: +netdev:x:82: +ftp:x:83: +nobody:x:99: +nogroup:x:99: +users:x:100: +default:x:1000: diff --git a/readonlysd/hack/hosts.new b/readonlysd/hack/hosts.new new file mode 100644 index 0000000..8062260 --- /dev/null +++ b/readonlysd/hack/hosts.new @@ -0,0 +1,29 @@ +127.0.0.1 localhost +127.0.1.1 goke + +127.0.0.1 arcsoft.com +127.0.0.1 xmpp.icloseli.cn +127.0.0.1 relaycn.arcsoftcloud.com +127.0.0.1 update.icloseli.cn + +127.0.0.1 esd.icloseli.cn +127.0.0.1 upns.icloseli.cn + + +127.0.0.1 argus.icloseli.cn +127.0.0.1 relay.icloseli.cn +127.0.0.1 stun.icloseli.cn +127.0.0.1 api.icloseli.cn + + +127.0.0.1 xmpp.icloseli.com +127.0.0.1 relayus-w.arcsoftcloud.com +127.0.0.1 update.icloseli.com +127.0.0.1 esd.icloseli.com +127.0.0.1 upns.icloseli.com + +127.0.0.1 xmpp.icloseli.com +127.0.0.1 argus.icloseli.com + +127.0.0.1 relay.icloseli.com +127.0.0.1 api.icloseli.com diff --git a/readonlysd/hack/passwd b/readonlysd/hack/passwd new file mode 100644 index 0000000..860fdeb --- /dev/null +++ b/readonlysd/hack/passwd @@ -0,0 +1,16 @@ +root:yE7gW4O0CSXXg:0:0::/root:/bin/sh +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:100:sync:/bin:/bin/sync +mail:x:8:8:mail:/var/spool/mail:/bin/sh +proxy:x:13:13:proxy:/bin:/bin/sh +www-data:x:33:33:www-data:/var/www:/bin/sh +backup:x:34:34:backup:/var/backups:/bin/sh +operator:x:37:37:Operator:/var:/bin/sh +haldaemon:x:68:68:hald:/:/bin/sh +dbus:x:81:81:dbus:/var/run/dbus:/bin/sh +ftp:x:83:83:ftp:/home/ftp:/bin/sh +nobody:x:99:99:nobody:/home:/bin/sh +sshd:x:103:99:Operator:/var:/bin/sh +default:x:1000:1000:Default non-root user:/home/default:/bin/sh diff --git a/readonlysd/hack/profile b/readonlysd/hack/profile new file mode 100644 index 0000000..8c24e12 --- /dev/null +++ b/readonlysd/hack/profile @@ -0,0 +1,57 @@ +# ~/.bashrc: executed by bash(1) for non-login interactive shells. + +export PATH=\ +/home/busybox:\ +/media/hack/hackenv:\ +/bin:\ +/sbin:\ +/usr/bin:\ +/usr/sbin:\ +/usr/bin/X11:\ +/usr/local/bin + +# If running interactively, then: +if [ "$PS1" ]; then + + if [ "$BASH" ]; then + export PS1="[\u@\h \W]\\$ " + alias ll='/bin/ls --color=tty -laFh' + alias ls='/bin/ls --color=tty -F' + export LS_COLORS='no=00:fi=00:di=01;34:ln=01;36:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.gz=01;31:*.bz2=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.jpg=01;35:*.jpeg=01;35:*.png=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.mpg=01;35:*.mpeg=01;35:*.avi=01;35:*.fli=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:'; + else + if [ "`id -u`" -eq 0 ]; then + export PS1='# ' + else + export PS1='$ ' + fi + fi + + export USER=`id -un` + export LOGNAME=$USER + export HOSTNAME=`/bin/hostname` + export HISTSIZE=1000 + export HISTFILESIZE=1000 + export PAGER='/bin/more ' + export EDITOR='/bin/vi' + export INPUTRC=/etc/inputrc + export DMALLOC_OPTIONS=debug=0x34f47d83,inter=100,log=logfile + + ### Some aliases + alias ps2='ps facux ' + alias ps1='ps faxo "%U %t %p %a" ' + alias af='ps af' + alias cls='clear' + alias df='df -h' + alias indent='indent -bad -bap -bbo -nbc -br -brs -c33 -cd33 -ncdb -ce -ci4 -cli0 -cp33 -cs -d0 -di1 -nfc1 -nfca -hnl -i4 -ip0 -l75 -lp -npcs -npsl -nsc -nsob -nss -ts4 ' + #alias bc='bc -l' + alias minicom='minicom -c on' + alias calc='calc -Cd ' + alias bc='calc -Cd ' +fi; + +# Source configuration files from /etc/profile.d +for i in /etc/profile.d/*.sh ; do + if [ -r "$i" ]; then + . $i + fi +done diff --git a/readonlysd/hack/ptz b/readonlysd/hack/ptz new file mode 100644 index 0000000..18982db Binary files /dev/null and b/readonlysd/hack/ptz differ diff --git a/readonlysd/hack/ptz-ctrl b/readonlysd/hack/ptz-ctrl new file mode 100644 index 0000000..b3a1d4d --- /dev/null +++ b/readonlysd/hack/ptz-ctrl @@ -0,0 +1,42 @@ +#!/bin/sh +# + +if [ -f /home/HACKP ]; then +ptzfolder="/home/hack" +elif [ -f /home/HACKSD ]; then +ptzfolder="/media/hack" +fi + +if [ $1 = "u" ]; +then +$ptzfolder/ptz 0x65 0x14 && sleep 0.5 && $ptzfolder/ptz 0x64 0x14 +fi +if [ $1 = "d" ]; +then +$ptzfolder/ptz 0x66 0x14 && sleep 0.5 && $ptzfolder/ptz 0x64 0x14 +fi +if [ $1 = "l" ]; +then +$ptzfolder/ptz 0x67 0x14 && sleep 0.5 && $ptzfolder/ptz 0x64 0x14 +fi +if [ $1 = "r" ]; +then +$ptzfolder/ptz 0x68 0x14 && sleep 0.5 && $ptzfolder/ptz 0x64 0x14 +fi +if [ $1 = "lu" ]; +then +$ptzfolder/ptz 0x69 0x200020 && sleep 0.5 && $ptzfolder/ptz 0x64 0x14 +fi +if [ $1 = "ld" ]; +then +$ptzfolder/ptz 0x6a 0x200020 && sleep 0.5 && $ptzfolder/ptz 0x64 0x14 +fi +if [ $1 = "ru" ]; +then +$ptzfolder/ptz 0x6b 0x200020 && sleep 0.5 && $ptzfolder/ptz 0x64 0x14 +fi +if [ $1 = "rd" ]; +then +$ptzfolder/ptz 0x6c 0x200020 && sleep 0.5 && $ptzfolder/ptz 0x64 0x14 +fi + diff --git a/readonlysd/hack/shadow b/readonlysd/hack/shadow new file mode 100644 index 0000000..67b67c1 --- /dev/null +++ b/readonlysd/hack/shadow @@ -0,0 +1,13 @@ +root::10933:0:99999:7::: +bin:*:10933:0:99999:7::: +daemon:*:10933:0:99999:7::: +adm:*:10933:0:99999:7::: +lp:*:10933:0:99999:7::: +sync:*:10933:0:99999:7::: +shutdown:*:10933:0:99999:7::: +halt:*:10933:0:99999:7::: +uucp:*:10933:0:99999:7::: +operator:*:10933:0:99999:7::: +ftp:*:10933:0:99999:7::: +nobody:*:10933:0:99999:7::: +default::10933:0:99999:7::: diff --git a/readonlysd/hack/www/cgi-bin/webui b/readonlysd/hack/www/cgi-bin/webui new file mode 100644 index 0000000..66e1b0d --- /dev/null +++ b/readonlysd/hack/www/cgi-bin/webui @@ -0,0 +1,108 @@ +#!/bin/sh +# +echo "Content-type: text/html" +echo "" +command=`echo "$QUERY_STRING" | awk '{split($0,array,"&")} END{print array[1]}' | awk '{split($0,array,"=")} END{print array[2]}'` +date=`date` +ipadd=`ip route get 1 | awk '{print $NF;exit}'` +uptime=`uptime` + +if [ -f /home/HACKP ]; then +hacktype="PERSISTENT" +elif [ -f /home/HACKSD ]; then +hacktype="SD CARD" +fi + + +cat < + + +zsgx1hacks UI + + + +
+ +
+
+ +
+ +
+
+ +
+ + + + + + + + + + + + + + + + +
PTZ
+
+Date - $date +
+IP Address - $ipadd +
+Uptime - $uptime +
+Hack Type - $hacktype +
+ZS-GX1 Hacks - Github + + +EOT + +if [ -f /home/HACKP ]; then +ptzfolder="/home/hack" +elif [ -f /home/HACKSD ]; then +ptzfolder="/media/hack" +fi + + + if [ "$command" = "iron" ]; then + gio -s 46 1 > /dev/null + fi + if [ "$command" = "iroff" ]; then + gio -s 46 0 > /dev/null + fi + if [ "$command" = "ptzu" ]; then + $ptzfolder/ptz-ctrl u > /dev/null + fi + if [ "$command" = "ptzd" ]; then + $ptzfolder/ptz-ctrl d > /dev/null + fi + if [ "$command" = "ptzl" ]; then + $ptzfolder/ptz-ctrl l > /dev/null + fi + if [ "$command" = "ptzr" ]; then + $ptzfolder/ptz-ctrl r > /dev/null + fi + if [ "$command" = "ptzlu" ]; then + $ptzfolder/ptz-ctrl lu > /dev/null + fi + if [ "$command" = "ptzld" ]; then + $ptzfolder/ptz-ctrl ld > /dev/null + fi + if [ "$command" = "ptzru" ]; then + $ptzfolder/ptz-ctrl ru > /dev/null + fi + if [ "$command" = "ptzrd" ]; then + $ptzfolder/ptz-ctrl rd > /dev/null + fi