Just an idea regarding psh, has anyone tried command injection using semicolons after the psh command to send raw commands to bash?
eg. using the ping command within psh you could do: ping 192.168.1.1;bash_command_here;another_command -x some_parms
or even this: ping 192.168.1.1;killall psh
This may work because some psh commands invoke the equivalent busybox commands in the background and print out the result. However I cant test this until I get my next lot of cameras, the last lot I had access to have been sold to one of our customers.
There was a time when using a backquote would work - but the last time I looked, for a while (and I don't know the dates or version numbers) psh has filtered all the special characters that I tried at least with a 'not allowed n' error.