GK7102 NON BRANDED

README.md

@@ -9,9 +9,10 @@ Confirmed working on the following camera models
  * GUUDGO GD-SC11
  * Digoo DG-W01F
  * YSA CIPC-GC13H
+ * KERUI CIPC-GC15HE (read-only version)
 
 
-Disclaimer - I'm not a programmer, just a hobbyist that likes poking around with things like this. You use the software here at your own risk. If your camera isn't listed as supported you may break your camera.
+Disclaimer - I'm not a programmer, just a hobbyist that likes poking around with things like this. You use the software here at your own risk. If your camera isn't listed as supported you may break your camera. You may even break your camera if it is listed due to a variety of firmware versions available.
 
 A few people have asked if they can donate something, you probably have much better things to spend your money on, but if you insist you can on [PayPal](http://paypal.me/antthomascouk) [![Donate](https://www.paypalobjects.com/webstatic/en_US/i/buttons/pp-acceptance-small.png)](http://paypal.me/antthomascouk)
 
@@ -23,19 +24,53 @@ This is a cheap Pan Tilt IP Camera (supposedly 1080p) that for a time was availa
 
 [Sensor - SC2135 - supposedly capable of 1080p 30fps](https://www.unifore.net/product-highlights/ip-camera-smartsens-cmos-image-sensors.html)
 
+
 ### Instructions
+There's a few different varieties of firmware across various brands of cameras which means it is impossible to know which version of the hack is the best for your camera. Older firmware are more hackable because the root filesystem is mounted read/write, new firmwares need the hack applying differently because the root filesystem is mounted read-only but the ```/home``` directory is writeable.
+
+For example  
+Version 3.1.1.0908 is read-write and can use [zsgx1hacks-v0.4.zip](https://github.com/ant-thomas/zsgx1hacks/raw/master/zsgx1hacks-v0.4.zip)  
+Version 3.2.8.0121 is read-only and can only use [readonlyhack-v0.1.zip](https://github.com/ant-thomas/zsgx1hacks/raw/master/readonlyhack-v0.1.zip)  
+If in doubt use the read-only hack as that is more likely to work across more cameras.
+
+#### How to check version
+If you have already configured the camera with the cloud app there should be some info within the app showing firmware version.  
+Using an onvif tool/app like Onvifer (Android) should give firmware version.  
+You should also be able to find the firmware version by logging in via telnet and excuting the command  
+```ls /tmp | grep -F 3.``` or ```ls /tmp | head -1```
+
+#### Steps
 * Create network connection
   * WiFi - setup camera via app
   * Ethernet - plug in to network (doesn't need app setup)
-* Download [zsgx1hacks-v0.3.zip](https://github.com/ant-thomas/zsgx1hacks/raw/master/zsgx1hacks-v0.3.zip) and extract the contents of the zip file to a vfat/fat32 formatted microSD card
+* Download hack for your camera
+
+#### Older firmware - read/write
+* Download zip file - [zsgx1hacks-v0.4.zip](https://github.com/ant-thomas/zsgx1hacks/raw/master/zsgx1hacks-v0.4.zip) 
+* Extract the contents of the zip file to a vfat/fat32 formatted microSD card
+* Change options in `config.txt`
+  * Option for persistent hack without SD card
+    * Default - run off SD Card
+    * If in doubt, run it off the SD Card
+  * Option to restore original state of camera without hack
+  * Option to silence the voices
+    * This may be causing issues on some cameras so use at your own risk
+
+#### Newer firmware - read-only
+* Download zip file - [readonlyhack-v0.1.zip](https://github.com/ant-thomas/zsgx1hacks/raw/master/readonlyhack-v0.1.zip)
+* Extract the contents of the zip file to a vfat/fat32 formatted microSD card
+
+#### All
 * Insert microSD card into camera and boot
 * Result should be
   * No communication to cloud services
   * RTSP/onvif server on the IP address of the camera
-  * SSH server - user/pass ```root/cxlinux```
+  * SSH server
+    * R/W version - user/pass ```root/cxlinux```
+    * R-O version - user ```root``` no password
   * Telnet server - user/pass ```root/cxlinux```
   * Updated busybox
-  * Annoying whining noise reduced
+  * Annoying whining noise reduced (RW version only currently)
   * WebUI accessible - http://IPAddress:8080/cgi-bin/webui
   * FTP Server pointing to the root file system - no username or password
 
@@ -48,18 +83,32 @@ This is a cheap Pan Tilt IP Camera (supposedly 1080p) that for a time was availa
 * RTSP server accessible - rtsp://IPADDRESS/ 
   * user/pass admin/admin
   * user/pass on a non-setup camera is sometimes admin with no password
-  * Different camera models may have different RTSP credentials eg ```dg20160404```
+  * Different camera models may have different RTSP credentials eg ```dg20160404``` or ```12345```
 * Block cloud services via hosts file
 * Some GPIO functions found (IR LEDs and IR Cut)
 * WebUI - http://IPAddress:8080/cgi-bin/webui
 * PTZ control via command line or WebUI
 * FTP server - no username or password
+* WiFi Connection without inital setup with app in cls.conf
+
 
 ### ToDo
 * Figure out GPIO control for Light sensor
 * Change bitrate of RTSP stream
 * Get rid of ```p2pcam``` and use an alternative RTSP server
-* Find method to enable WiFi connection without using the app
+
+#### 2019-22-05 - Update 18 (susw12)
+* Adds the ability to have camera connect to WiFi without needing to setup the camera using the app/software.
+
+#### 2018-08-05 - Update 17 (ant-thomas)
+* Read-only hack created to enable cameras with a newer firmware to have extra features and turn off cloud connections.
+* SSH server has no password. It wasn't working with a password so I enabled no password logins. Hopefully be able to get that fixed.
+
+#### 2018-03-30 - Update 16 (ant-thomas)
+* Updated sdcard zip - [zsgx1hacks-v0.4.zip](https://github.com/ant-thomas/zsgx1hacks/raw/master/zsgx1hacks-v0.4.zip)
+* `config.txt` file to change some options
+* Option for persistent or SD card install - default is SD card
+* Option to remove hack and restore camera to before hack
 
 #### 2018-03-24 - Update 15 (ant-thomas)
 * Updated sdcard zip - [zsgx1hacks-v0.3.zip](https://github.com/ant-thomas/zsgx1hacks/raw/master/zsgx1hacks-v0.3.zip)

readonlysd/cls.conf

@@ -0,0 +1,3 @@
+[cls_server]
+ssid = WIFI_ID
+passwd = PASSWORD

readonlysd/debug_cmd.sh

@@ -0,0 +1,58 @@
+#!/bin/sh
+
+# ANT-THOMAS
+############
+# HACKS HERE
+
+# mount sd card to separate location
+if [ -b /dev/mmcblk0p1 ]; then
+	mount -t vfat /dev/mmcblk0p1  /media
+elif [ -b /dev/mmcblk0 ]; then
+	mount -t vfat /dev/mmcblk0 /media
+fi
+
+# confirm hack type
+touch /home/HACKSD
+
+mkdir -p /home/busybox
+
+# install updated version of busybox
+mount --bind /media/hack/busybox /bin/busybox
+/bin/busybox --install -s /home/busybox
+
+#symlink to dropbear's ssh client and the scp
+ln -s /media/hack/dropbearmulti /bin/ssh
+ln -s /media/hack/dropbearmulti /bin/scp
+
+# set new env
+mount --bind /media/hack/profile /etc/profile
+
+# possibly needed but may not be
+mount --bind /media/hack/group /etc/group
+mount --bind /media/hack/passwd /etc/passwd
+mount --bind /media/hack/shadow /etc/shadow
+
+# update hosts file to prevent communication
+mount --bind /media/hack/hosts.new /etc/hosts
+
+# busybox httpd
+/home/busybox/httpd -p 8080 -h /media/hack/www
+
+# setup and install dropbear ssh server - no password login
+/media/hack/dropbearmulti dropbear -r /media/hack/dropbear_ecdsa_host_key -B
+
+# start ftp server
+(/home/busybox/tcpsvd -E 0.0.0.0 21 /home/busybox/ftpd -w / ) &
+
+# sync the time
+(sleep 20 && /home/busybox/ntpd -q -p 0.uk.pool.ntp.org ) &
+
+# silence the voices - uncomment if needed
+#if [ ! -f /home/VOICE-orig.tgz ]; then
+#    cp /home/VOICE.tgz /home/VOICE-orig.tgz
+#fi
+#
+#cp /media/hack/VOICE-new.tgz /home/VOICE.tgz
+
+#
+############

readonlysd/hack/group

@@ -0,0 +1,21 @@
+root:x:0:
+daemon:x:1:
+bin:x:2:
+sys:x:3:
+adm:x:4:
+tty:x:5:
+disk:x:6:
+wheel:x:10:
+audio:x:29:
+www-data:x:33:
+utmp:x:43:
+staff:x:50:
+lock:x:54:
+haldaemon:x:68:
+dbus:x:81:
+netdev:x:82:
+ftp:x:83:
+nobody:x:99:
+nogroup:x:99:
+users:x:100:
+default:x:1000:

readonlysd/hack/hosts.new

@@ -0,0 +1,29 @@
+127.0.0.1       localhost
+127.0.1.1       goke
+
+127.0.0.1 arcsoft.com
+127.0.0.1 xmpp.icloseli.cn
+127.0.0.1 relaycn.arcsoftcloud.com
+127.0.0.1 update.icloseli.cn
+
+127.0.0.1 esd.icloseli.cn
+127.0.0.1 upns.icloseli.cn
+
+
+127.0.0.1 argus.icloseli.cn
+127.0.0.1 relay.icloseli.cn
+127.0.0.1 stun.icloseli.cn
+127.0.0.1 api.icloseli.cn
+
+
+127.0.0.1 xmpp.icloseli.com
+127.0.0.1 relayus-w.arcsoftcloud.com
+127.0.0.1 update.icloseli.com
+127.0.0.1 esd.icloseli.com
+127.0.0.1 upns.icloseli.com
+
+127.0.0.1 xmpp.icloseli.com
+127.0.0.1 argus.icloseli.com
+
+127.0.0.1 relay.icloseli.com
+127.0.0.1 api.icloseli.com

readonlysd/hack/passwd

@@ -0,0 +1,16 @@
+root:yE7gW4O0CSXXg:0:0::/root:/bin/sh
+daemon:x:1:1:daemon:/usr/sbin:/bin/sh
+bin:x:2:2:bin:/bin:/bin/sh
+sys:x:3:3:sys:/dev:/bin/sh
+sync:x:4:100:sync:/bin:/bin/sync
+mail:x:8:8:mail:/var/spool/mail:/bin/sh
+proxy:x:13:13:proxy:/bin:/bin/sh
+www-data:x:33:33:www-data:/var/www:/bin/sh
+backup:x:34:34:backup:/var/backups:/bin/sh
+operator:x:37:37:Operator:/var:/bin/sh
+haldaemon:x:68:68:hald:/:/bin/sh
+dbus:x:81:81:dbus:/var/run/dbus:/bin/sh
+ftp:x:83:83:ftp:/home/ftp:/bin/sh
+nobody:x:99:99:nobody:/home:/bin/sh
+sshd:x:103:99:Operator:/var:/bin/sh
+default:x:1000:1000:Default non-root user:/home/default:/bin/sh

readonlysd/hack/profile

@@ -0,0 +1,57 @@
+# ~/.bashrc: executed by bash(1) for non-login interactive shells.
+
+export PATH=\
+/home/busybox:\
+/media/hack/hackenv:\
+/bin:\
+/sbin:\
+/usr/bin:\
+/usr/sbin:\
+/usr/bin/X11:\
+/usr/local/bin
+
+# If running interactively, then:
+if [ "$PS1" ]; then
+
+    if [ "$BASH" ]; then
+	export PS1="[\u@\h \W]\\$ "
+	alias ll='/bin/ls --color=tty -laFh'
+	alias ls='/bin/ls --color=tty -F'
+	export LS_COLORS='no=00:fi=00:di=01;34:ln=01;36:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.gz=01;31:*.bz2=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.jpg=01;35:*.jpeg=01;35:*.png=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.mpg=01;35:*.mpeg=01;35:*.avi=01;35:*.fli=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:';
+    else
+      if [ "`id -u`" -eq 0 ]; then 
+	export PS1='# '
+      else
+	export PS1='$ '
+      fi
+    fi
+
+    export USER=`id -un`
+    export LOGNAME=$USER
+    export HOSTNAME=`/bin/hostname`
+    export HISTSIZE=1000
+    export HISTFILESIZE=1000
+    export PAGER='/bin/more '
+    export EDITOR='/bin/vi'
+    export INPUTRC=/etc/inputrc
+    export DMALLOC_OPTIONS=debug=0x34f47d83,inter=100,log=logfile
+
+    ### Some aliases
+    alias ps2='ps facux '
+    alias ps1='ps faxo "%U %t %p %a" '
+    alias af='ps af'
+    alias cls='clear'
+    alias df='df -h'
+    alias indent='indent -bad -bap -bbo -nbc -br -brs -c33 -cd33 -ncdb -ce -ci4 -cli0 -cp33 -cs -d0 -di1 -nfc1 -nfca -hnl -i4 -ip0 -l75 -lp -npcs -npsl -nsc -nsob -nss -ts4 '
+    #alias bc='bc -l'
+    alias minicom='minicom -c on'
+    alias calc='calc -Cd '
+    alias bc='calc -Cd '
+fi;
+
+# Source configuration files from /etc/profile.d
+for i in /etc/profile.d/*.sh ; do
+    if [ -r "$i" ]; then
+        . $i
+    fi
+done

readonlysd/hack/ptz-ctrl

@@ -0,0 +1,42 @@
+#!/bin/sh
+#
+
+if [ -f /home/HACKP ]; then
+ptzfolder="/home/hack"
+elif [ -f /home/HACKSD ]; then
+ptzfolder="/media/hack"
+fi
+
+if [ $1 = "u" ];
+then
+$ptzfolder/ptz 0x65 0x14 && sleep 0.5 && $ptzfolder/ptz 0x64 0x14
+fi
+if [ $1 = "d" ];
+then
+$ptzfolder/ptz 0x66 0x14 && sleep 0.5 && $ptzfolder/ptz 0x64 0x14
+fi
+if [ $1 = "l" ];
+then
+$ptzfolder/ptz 0x67 0x14 && sleep 0.5 && $ptzfolder/ptz 0x64 0x14
+fi
+if [ $1 = "r" ];
+then
+$ptzfolder/ptz 0x68 0x14 && sleep 0.5 && $ptzfolder/ptz 0x64 0x14
+fi
+if [ $1 = "lu" ];                                                                                      
+then                                                                                                  
+$ptzfolder/ptz 0x69 0x200020 && sleep 0.5 && $ptzfolder/ptz 0x64 0x14                                       
+fi 
+if [ $1 = "ld" ];                                                                                      
+then                                                                                                  
+$ptzfolder/ptz 0x6a 0x200020 && sleep 0.5 && $ptzfolder/ptz 0x64 0x14                                       
+fi 
+if [ $1 = "ru" ];                                                                                      
+then                                                                                                  
+$ptzfolder/ptz 0x6b 0x200020 && sleep 0.5 && $ptzfolder/ptz 0x64 0x14                                       
+fi 
+if [ $1 = "rd" ];                                                                                      
+then                                                                                                  
+$ptzfolder/ptz 0x6c 0x200020 && sleep 0.5 && $ptzfolder/ptz 0x64 0x14                                       
+fi 
+

readonlysd/hack/shadow

@@ -0,0 +1,13 @@
+root::10933:0:99999:7:::
+bin:*:10933:0:99999:7:::
+daemon:*:10933:0:99999:7:::
+adm:*:10933:0:99999:7:::
+lp:*:10933:0:99999:7:::
+sync:*:10933:0:99999:7:::
+shutdown:*:10933:0:99999:7:::
+halt:*:10933:0:99999:7:::
+uucp:*:10933:0:99999:7:::
+operator:*:10933:0:99999:7:::
+ftp:*:10933:0:99999:7:::
+nobody:*:10933:0:99999:7:::
+default::10933:0:99999:7:::