Converting EZVIZ C6TC from Chinese to English

rikochet

n3wb
Joined
Sep 28, 2019
Messages
13
Reaction score
3
Location
/dev/null
Wow!
That's a great result, well done.

I'm curious what the tinkering consisted of.
Was it a matter of changing the devType held in mtdblock2?
So the current working camera has US firmware and mtdblock2 has the following mods;
-- 0x10 = 02 (Chinese)
-- 0x55 = 0D (RR region)
-- 0x80 -> 0x91 = 43 53 2D 43 56 32 34 38 2D 41 30 2D 33 32 57 46 52
CS-CV248-A0-32WFR (Model string)
-- 0x04 & 0x05 = Checksum-16 of 0x09 -> 0xFC

When making the same mods on my second C6Tc it is unable to register on the EZVIZ network.

So I wonder if during the course of changing the devType at one point, trying different regions EU, US, RR etc.. at some point it was able to register with the EZVIZ network.
 

rikochet

I'm still trying to figure this out..

If I write the paraBlock from the first CN camera to the second CN camera it connects to the EZVIZ network perfectly..
This isn't a solution as you can't have 2 devices with the same serial registered on the EZVIZ network.
It's as if at some point I changed something which allowed that serial number to register with the US servers..
I even tried modifying the date on the second CN camera's serial code in case my serial had become blacklisted but no luck.
 

rikochet

So I went out and bought a CS-CV248-A0-32WFR (US model) and ripped mtdblock2..

The byte values were:
0x10 = 01 (English)
0x55 = C6 (Brazil) - strange as I bought it in Hong Kong
0x64 = D722 (same as CN)

The main things that were different were:
0x1E > 0x23 - Challenge Code
0x35 > 0x3A - Device Mac Address
0x40 > 0x52 - Serial String
0x80 > 0x90 - Model Number String

You can change the device MAC, the date part of the serial string and the model number and the device will continue to register on the EZVIZ network.

However, if you change the 6 character challenge code or the subserial D4####### then the firmware won't register with the ML (Amazon AWS) server.. Which makes me think that the challenge code is generated based upon the subserial string.

I still don't know what is different about my first CN device that allowed it to authenticate with its original subserial and challenge key..

I have tried using Ettercap and Wireshark to packet sniff the network traffic but the packets didn't contain any readable strings except for the recurring subserial D4####### which is what makes me believe that it's important.

I guess I'll keep soldiering on..
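
Added example, not part of rikochet's posts: a read-only Python check that decodes the mtdblock2 fields at the offsets listed in this thread and verifies the stored checksum, so a dump whose fields were edited without a matching checksum update is flagged. The checksum algorithm (sum of bytes modulo 2**16) and its byte order are assumptions, and the sample block is constructed with made-up identifiers.

```python
import struct

# Inclusive offsets as reported in the thread for the mtdblock2 parameter block.
FIELDS = {"challenge_code": (0x1E, 0x23), "mac_address": (0x35, 0x3A),
          "serial_string": (0x40, 0x52), "model_string": (0x80, 0x90)}
LANGUAGE = {0x01: "English", 0x02: "Chinese"}
CSUM_AT, CSUM_START, CSUM_END = 0x04, 0x09, 0xFC


def checksum16(block: bytes) -> int:
    """Assumed algorithm: sum of bytes 0x09..0xFC modulo 2**16."""
    return sum(block[CSUM_START:CSUM_END + 1]) & 0xFFFF


def parse_parablock(block: bytes) -> dict:
    """Decode the fields named in the thread and check the stored checksum."""
    if len(block) <= CSUM_END:
        raise ValueError("dump is shorter than the checksummed range")
    info = {"language": LANGUAGE.get(block[0x10], f"unknown (0x{block[0x10]:02X})"),
            "region_byte": f"0x{block[0x55]:02X}"}
    for name, (start, end) in FIELDS.items():
        raw = block[start:end + 1]
        if name == "mac_address":
            info[name] = ":".join(f"{b:02x}" for b in raw)
        else:
            info[name] = raw.rstrip(b"\x00").decode("ascii", "replace")
    stored, calc = bytes(block[CSUM_AT:CSUM_AT + 2]), checksum16(block)
    # The thread does not give the byte order, so accept either and report it.
    if stored == struct.pack("<H", calc):
        info["checksum"] = "ok (little-endian)"
    elif stored == struct.pack(">H", calc):
        info["checksum"] = "ok (big-endian)"
    else:
        info["checksum"] = f"MISMATCH (stored {stored.hex()}, computed {calc:04x})"
    return info


def build_sample() -> bytearray:
    """Constructed 256-byte block with made-up identifiers, not a real dump."""
    block = bytearray(0x100)
    block[0x10], block[0x55] = 0x01, 0xC6
    block[0x1E:0x24] = b"ABCDEF"
    block[0x35:0x3B] = bytes.fromhex("001122334455")
    block[0x40:0x53] = b"TESTSERIAL000000000"
    block[0x80:0x91] = b"CS-CV248-A0-32WFR"
    block[CSUM_AT:CSUM_AT + 2] = struct.pack("<H", checksum16(block))
    return block


if __name__ == "__main__":
    for key, value in parse_parablock(build_sample()).items():
        print(f"{key:15} {value}")
```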
 

superhache

n3wb
Joined
Apr 25, 2020
Messages
1
Reaction score
0
Location
Argentina
Hello, I just found this forum. I also have an EZVIZ CS-CV248-A0-32WFR camera, but it is bound to another account. I am wondering if I can change the serial number so I'll be able to bind it to another EZVIZ account? Thanks
 

JosQi

n3wb
Joined
Jun 29, 2021
Messages
2
Reaction score
0
Location
Malaysia
Same here. Now it is my turn to try and play here and there.... Kind of a big challenge for someone with a non-programmer background
 

piterus90

n3wb
Joined
May 18, 2022
Messages
5
Reaction score
3
Location
Poland
I went through the whole thread and I'm hugely impressed by the kind of tricks you guys were doing - especially omitting the RO property :)
I was wondering if that could rescue cams blocked by a previous owner. When I took the QR code and changed the serial number to something else, it allowed me to register a new device (obviously without connecting it - it wanted to connect to wifi)

Did anyone scan what the camera is speaking via HTTPS with external servers? Or is it not HTTPS but some different protocol?
 