Annke WZ500 info

To be honest, I would do a factory reset, change VBR to CBR and change H.265 to 264. The only other change I make is turning off Wi-Fi, just as an extra security measure. I also leave the FPS as it comes set up, even though it can go higher. My guess is there is a known issue in that department, and that is why it starts at 15 fps after a reset. A day or two after a reset, the OSD of time and date is removed. During the first month it wasn't removed; it would just auto-change to a time zone I am not in, and again I think Annke sent some command to the camera that has removed it. So I just leave it gone once it goes. Then the camera will last a few months before it gets crazy and I have to reset it again. Out of the blue it will fall off all recorders, including Blue Iris. I can still access it from the WebUI, but I can't keep it in Blue Iris or have the recorders log in to it. After a reset and changing the password it is back on the recorders and Blue Iris without fail. I have some remote PTZ cameras from Amcrest and Hikvision that have not been reset for over 2 years and they are still stable. The WZ500 is the only camera I have ever had this much issue with.
 
Btw, you know this trick about going to http://<CAMERA_IP>:10081/OwnUserInfo.txt?

Sure, but it isn't really helpful as the HANKVISION user doesn't seem to work (which, in a security context, is good).

Yesterday I gained access via UART to the camera. Unfortunately the root file system is read-only, and so, it seems, is the Server.tar.gz, which seems to hold the /etc/passwd file, so it is not easily possible to change the root password. I browsed through the folders and files and also found the encrypted / hashed root password:

root:$1$0Me7S3z5$.uQ4Pr/QjJQ/0JUZI0w4m.:0:0::/root:/bin/sh/etc

The hash shows up in a Google search, but it seems no one has found the password yet.

I also found out that you can run custom commands that you put into a file called debug_run.sh; the file needs to be placed on a FAT32-formatted SD card. Somehow, after executing the commands in debug_run.sh, the bootup script seems to stop, so maybe there needs to be some addition to debug_run.sh, like an exit code or something else, in order to let the bootup script do the rest of its job. You can also put some binaries on it and let the script execute them, like dropbear (SSH daemon, I got it from here: https://github.com/ant-thomas/zsgx1hacks), but it still needs the root password to connect via SSH.

If you want to try for yourself, here are some pictures and a description of the UART port. Just use a USB-to-UART dongle and connect accordingly. I used PuTTY as the terminal; you need to set the COM speed in PuTTY to 115200. When closing the camera up, please watch out for the insulation rubber that lines the camera on the inside. Fit it into the spacing that surrounds the camera casing, so that when closing the camera the insulation rubber will seal the inside from water.

Don't forget to disconnect both motor cables on the board (to identify them: they both consist of a blue cable and lead to the sides of the camera's casing) so the cam doesn't move around when powering on!

When you power the camera you almost immediately need to hit a key on your keyboard, as otherwise autoboot will take place around 2-3 seconds after powering on. Once you have interrupted the boot process by hitting a key, you can enter "printenv". Copy the line with "bootargs", then enter "setenv bootargs mem=......" (use the values printenv provided you). Note that you need to remove the = between bootargs and mem. At the end of the bootargs line you need to add "init=/bin/sh". Hit enter, then copy the values behind "bootcmd=", paste them and hit enter.

After a short boot process you are in the shell as root :) In order to have the filesystems mounted etc. you need to enter "/etc/init.d/rcS" which runs the whole bunch of bootup scripts. Then you can browse through the filesystem, where /mnt/flash seems to hold all the interesting stuff.

Here are the values of my camera (could be different from yours!):

bootargs=mem=48M console=ttyAMA0,115200 root=/dev/mtdblock3 rootfstype=squashfs mtdparts=sfc:192K(boot),64K(bootargs),1920K(kernel),1408K(rootfs),384K(config),11392K(data),1024K(huiyun)
bootcmd=sf probe 0;sf read 0x41000000 0x40000 0x1E0000;bootm 0x41000000

--> so in order to make it boot to root shell (remember, could be different from yours!)

1. setenv bootargs mem=48M console=ttyAMA0,115200 root=/dev/mtdblock3 rootfstype=squashfs mtdparts=sfc:192K(boot),64K(bootargs),1920K(kernel),1408K(rootfs),384K(config),11392K(data),1024K(huiyun) init=/bin/sh
2. sf probe 0;sf read 0x41000000 0x40000 0x1E0000;bootm 0x41000000
3. (after a short boot) /etc/init.d/rcS

An example for the whole process is here, but please use the values "printenv" provides you and not the ones in the example: https://sergei.nz/ildvr-inc-mh40d06-or-hacking-cheap-chinese-camera/

UART.jpg Cam2.jpg

Motorcables (disconnect before powering on!)
Motorcables.jpg
 
Reactions: vasycara
What I found out too:

There is an interesting script in the filesystem called update_partition.sh - if I get it right this is able to write certain files into the otherwise read-only filesystem by flashing it directly into the memory blocks. So if anyone is familiar with flashcp one could easily change the password in the /etc/passwd file by just flashing a new one with a password (hash) of your choosing and reboot. That should work permanently.
 
Reactions: vasycara
So, there doesn't seem to be much to do, as most stuff is read-only (maybe I'll poke around with flashcp later). One thing you can do, though, is disable the cloud functionality:

-> vi /mnt/flash/productinfo/tuya_p2p.cfg
(or use the debug_run.sh to copy/edit/copy back the file)

There you can set "enable" to 0, so it won't connect to the Tuya cloud platform anymore. You still can access it via ONVIF, RTSP etc.

Unfortunately, features like switching the IR mode or lights on/off seem to be possible only via the cloud or possibly the web interface.

Instead of editing the tuya_p2p.cfg you also could block certain domains on your router/firewall. The camera is connecting to the following domains:

a.tuyaeu.com
a2.tuyaeu.com
m2.tuyaeu.com
baal.tuyaeu.com
h2.iot-dns.com
 
Reactions: vasycara
I also found out that the camera has Telnet enabled by default. If the hash is figured out, it might be pretty easy to connect and change the behavior. I installed one of these cameras a few days ago and am a little bit disappointed by the resets. The most annoying part is the resets of the quality settings.
Btw, is it safe to upgrade to that OpenIPC firmware? It's kind of hard to get to my camera, so I would like to use the coupler version, if that changes the software problems.
 
I also found out that the camera has Telnet enabled by default. If the hash is figured out, it might be pretty easy to connect and change the behavior. I installed one of these cameras a few days ago and am a little bit disappointed by the resets. The most annoying part is the resets of the quality settings.
Btw, is it safe to upgrade to that OpenIPC firmware? It's kind of hard to get to my camera, so I would like to use the coupler version, if that changes the software problems.

Yeah, if anyone can crack the hash, it would make life a bit easier.

When does your camera reset the quality settings? Only observed this when the cam loses power.

I think no one has tried the OpenIPC firmware yet. The chipset seems supported, though, but I don't know whether, even if OpenIPC works, it will offer zoom functions etc.
 
I have this camera too. Initially I was really happy because the optical quality is good for a cheap PTZ. I set it up in Blue Iris, but I have the issue with losing the image quality settings on reboot.

Also, when you change the CBR bitrate back to the higher rate that you want, it does NOT work UNTIL you then change to VBR and then back to CBR. Then you can see in the BI camera stats that it is streaming at 10000kps rather than 2000kps. But it's a constant issue that needs to be monitored. There is a big difference in image quality between the 1530kps default bit rate and, for example, 6144 or even 10000kps.

I then tried to update the camera using the phone app ... what a terrible experience that was .. but in the end the firmware was already up to date. The latest version is full of bugs.

I hope they can fix their stuff ... because it's like alpha firmware. I was planning on getting several more Annke cameras but that is now on hold. I also have a ticket in with them but have heard nothing so far.
 
When does your camera reset the quality settings? Only observed this when the cam loses power.

I think no one has tried the OpenIPC firmware yet. The chipset seems supported, though, but I don't know whether, even if OpenIPC works, it will offer zoom functions etc.

The camera resets the quality settings after even the smallest voltage drop. I'm also a bit worried that the OpenIPC firmware won't have PTZ, zoom, etc. and only improve the camera functions...
 
Wow, I was not aware of that?! What a poor device... It shows my admin account and password in clear...

Yeah, comes in handy when you forget your password... ;)

Jokes aside: no matter which manufacturer, all those IP cams are not very security hardened. I really recommend putting them in another subnet or VLAN with no access to your router or home network, only access from your home network / mobile devices to them.
 
Is there any way we could fire a curl command to set the parameters of the video information? We could then set up a scheduled batch job to run the command every 15 minutes to ensure that the video settings don't stay defaulted when it restarts. Mine often, but not always, restarts at 1am.
 
Is there any way we could fire a curl command to set the parameters of the video information? We could then set up a scheduled batch job to run the command every 15 minutes to ensure that the video settings don't stay defaulted when it restarts. Mine often, but not always, restarts at 1am.
I think it should be possible. The problem is the lack of the root password. Without the password everyone has to open their camera up and connect to those pads via serial. If possible, it should be able to be done without opening it, like with uploading a new firmware. If anyone has any information about the camera with OpenIPC, it would be very helpful. Then others could decide, if the slight risk is worth it or not.
 
Oh, wait a minute. You mean from outside. I don't know. I used curl and thus XML for some HikVision cameras, branded as Annke, but this one isn't one of them. I don't know enough to make a definitive answer here. If someone has the knowledge, I would appreciate it and help testing.
 
I didn't notice it but will check again. I was hoping that the curl -u admin would work. Btw, one of the problems when these cameras restart is that the admin password goes to blank - not good.
 
Mine restarts every day 1am and 1pm and the password after first time being changed it has stayed the same. About Burp there are a few different ways you can go about things. However for best results I crawl using the current user and password to get the most out of the Crawl and Audit.
One thing I am interested in: if you add your camera to have your internet IP, does the camera connect when you use your ISP IP? Doing some testing of different systems, I did a control connection to the internet with the WZ500 and know for sure that it was connected correctly, because I removed another camera and added the Annke camera to the same path, meaning I changed the rule in my router from 1 local IP to the WZ500's local IP. When I did a "can you see me" lookup on port 80 and the others I added, they all returned connected; however, if I then go to my IP address, the camera WebUI fails to load and all other connected ports are rejected. Yet they show they are online with "can you see me".
 
Hello friends, I am sending my working link to the camera, maybe it will be useful to someone.
':pass'- your own or blank password

To reboot
curl -s --user 'admin:pass' '192.161.10.241/form/reboot?language=en&_=1753482839367'

To main stream

To sub stream:
curl -s --user 'admin:pass' '192.161.10.241/form/ExtVideoparaCfg?ie6need=on&Payload=0&resolution=37&framerate=25&IPRate=50&BitRateControlSelect=0&quality=4&BitRate=2048000&_=1703415212493'

led light off:
curl -s --user 'admin:' '192.161.10.241/form/IRset/IRmode=1&c2bwthr=0&bw2cthr=21&Dualenable=0&luminval=50&IRenable=0&IRdelay=3'
 
Reactions: ocenak and lovert
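For the scheduled job asked about earlier in the thread, here is an added example (not code from any poster) that rebuilds the sub-stream request from the post above in Python and reads the password from the environment instead of the command line. curl --user sends HTTP Basic by default, so the request carries the credentials base64-encoded over plain HTTP. Assumptions: the trailing "_" value is only a cache-busting timestamp, the environment variable names are hypothetical, and 192.0.2.10 is a placeholder address.

```python
import base64
import os
import time
import urllib.error
import urllib.parse
import urllib.request

# Parameter names and values copied from the sub-stream URL in the post above.
SUB_STREAM = {
    "ie6need": "on", "Payload": "0", "resolution": "37", "framerate": "25",
    "IPRate": "50", "BitRateControlSelect": "0", "quality": "4", "BitRate": "2048000",
}

def build_request(host, params, user, password, now_ms=None):
    """Build the GET request that the curl --user call in the post would send."""
    # Assumption: "_" is only a cache-busting millisecond timestamp.
    stamp = int(time.time() * 1000) if now_ms is None else now_ms
    query = urllib.parse.urlencode({**params, "_": stamp})
    url = f"http://{host}/form/ExtVideoparaCfg?{query}"
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})

def apply_settings(host, params, user, password, timeout=5):
    """Send the request; return the HTTP status, or None if the camera is unreachable."""
    request = build_request(host, params, user, password)
    try:
        with urllib.request.urlopen(request, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code   # e.g. 401 when the stored password no longer matches
    except OSError:       # connection refused, timeout, no route
        return None

if __name__ == "__main__":
    # CAMERA_HOST / CAMERA_USER / CAMERA_PASS are hypothetical variable names;
    # taking the password from the environment keeps it out of the process list.
    host = os.environ.get("CAMERA_HOST", "192.0.2.10")  # placeholder address
    status = apply_settings(host, SUB_STREAM,
                            os.environ.get("CAMERA_USER", "admin"),
                            os.environ.get("CAMERA_PASS", ""))
    print("camera answered with HTTP", status)
```

Run it from cron or Task Scheduler on a host inside the camera's own subnet or VLAN, so the Basic credentials never cross the rest of the network.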