Just an idea regarding psh, has anyone tried command injection using semicolons after the psh command to send raw commands to bash?
eg. using the ping command within psh you could do: ping 192.168.1.1;bash_command_here;another_command -x some_parms
or even this: ping 192.168.1.1;killall psh
This may work because some psh commands invoke the equivalent busybox commands in the background and print out the result. However I cant test this until I get my next lot of cameras, the last lot I had access to have been sold to one of our customers.