Wansview W6 disassembly, finding serial console & a question ...

[postmortempriester]

Hello,

I just disassembled my W6 and found ... a serial port and U-boot (see attached picture).

The env-print:

isvp_t21# env print
baudrate=115200
bootargs=console=ttyS1,115200n8 mem=43M@0x0 rmem=21M@0x2B00000 init=/linuxrc rootfstype=squashfs root=/dev/mtdblock2 rw
mtdparts=jz_sfc:256k(boot),2560k(kernel),9088k(root),320k(syscfg),320k(sysbak),1472k(minikernel),2304k(minirootfs),64k(upgrade),-(appfs) init=/bin/sh
bootcmd=sf probe;sf read 0x80600000 0x40000 0x280000; bootm 0x80600000
bootdelay=1
ethact=Jz4775-9161
ethaddr=xx:xx:xx:yy:zz:zz
gatewayip=193.169.4.1
ipaddr=193.169.4.81
loads_echo=1
netmask=255.255.255.0
serverip=193.169.4.2
stderr=serial
stdin=serial
stdout=serial

Environment size: 569/16380 bytes

Then I came across a nice guide ... Hacking IP-Camera Digoo BB-M2 – Part 3 – Getting root access – NM-Projects

This was really helpfull .. I just extended my bootargs by 'init=/bin/sh' and booted straight into a root shell ... BUT ... read-only because it's squashfs ...

Anybody - any idea how to turn this into RW?





(the 4 grey wires represent the serial port RX TX GND +3,3V)

Thanks in advance!

 

[holiday]

i don't have a wanscam, but someone was talking about wanscam here recently.. maybe u can link up with him.

Attempting to enable Telnet on a IPC 18 M V2.0 (Hi3516) IP Camera Board

IP Camera ($200) e/w PTZF failed (Zoom and Focus motors stopped moving) shortly after 90 days ... Seller refused to replace or refund the purchase Ultimately, I want this camera to work again ... $200 for 3 months of use is just a bit hard to take ... I have tried to get support from the...

ipcamtalk.com

 

[postmortempriester]

Thanks for the hint!

TFTP sounds like a beginning to me ... but I got stuck again ...

After setting my ip in u-boot

setenv ipaddr 192.168.178.66
setenv serverip 192.168.178.43

i started ...

isvp_t21# sf probe 0

the manufacturer c8

SF: Detected GD25Q128


--->probe spend 5 ms

isvp_t21# sf read 0x82000000 0x0 0x1000000

SF: 16777216 bytes @ 0x0 Read: OK

--->read spend 5372 ms

isvp_t21# tftp 0x82000000 firmware.bin 0x1000000


tftpboot - boot image via network using TFTP protocol


Usage:

tftpboot [loadAddress] [[hostIPaddr:]bootfilename]

.. that's it - no further progress ... and 'yes' - my tftp-server (ubuntu, 192.168.178.43) is up & running ...




Back to my first idea:

Is it possible to copy the squashfs to my sd-card, open/modify it and copy it back?

____

Some more -maybe helpfull- information:

U-Boot 2013.07 (Dec 11 2019 - 14:20:59)

Board: ISVP (Ingenic XBurst T21 SoC)
DRAM:  64 MiB
Top of RAM usable for U-Boot at: 84000000
Reserving 442k for U-Boot at: 83f90000
Reserving 32784k for malloc() at: 81f8c000
Reserving 32 Bytes for Board Info at: 81f8bfe0
Reserving 124 Bytes for Global Data at: 81f8bf64
Reserving 128k for boot params() at: 81f6bf64
Stack Pointer at: 81f6bf48
Now running in RAM - U-Boot at: 83f90000
MMC:   msc: 0
the manufacturer c8
SF: Detected GD25Q128

*** Warning - bad CRC, using default environment

In:    serial
Out:   serial
Err:   serial
Net:   cpm_mphyc_rst = 0x01000000 cpm_mphyc = 0x00000000
Jz4775-9161
the manufacturer c8
SF: Detected GD25Q128

ReadFlashData ret=0
****Enter into Check Update:1 ******
** Bad device mmc 0 **
** Bad device mmc 0 **
### main_loop: bootcmd="sf probe;sf read 0x80600000 0x40000 0x280000; bootm 0x80600000"
Hit any key to stop autoboot:  0
isvp_t21#

 

[TheSwede]

Funny Nick with a dead CAM

Anyway, welcome here !

TheSwede

 

[postmortempriester]

Luckily it's not dead ... till now ... - working (way) better than expected ... but I'm missing some features (like telnet/ssh/webserver/ftp) badly ...

&thx!

Funny Nick with a dead CAM

Anyway, welcome here !

TheSwede

 

[r1n4x]

Hey,

I stumbled across this thread while poking my W6. Hope it's not too old

I found a way to gain root access on the console: GitHub - R1N4x/Wansview_Root: Gain root access on Wansview W6 camera

Simply place a file "facDiag" on a SD card and boot the cam with it.
The cam will execute whatever you put in this file.

you need to put line 108 in "facDiag" - or the camera will not continue to initialize its functionality.

Reason why is the "ipc_start.sh" (line 100):

#2016-7-2 new vg_boot.sh

mdev -s
#cat /proc/modules


#mkdir -p /var/spool/cron/crontabs
#crond
mkdir -p /var/tmp/
cp -rp /etc/* /var/tmp/
busybox mount -t tmpfs -o mode=0755 tmpfs /etc
cp -rp /var/tmp/* /etc/


mkdir -p /var/etc/
mkdir -p /var/net/

mkdir -p /var/spool/
mkdir -p /var/spool/boa/
touch /var/spool/boa/dircache
if [ ! -p /var/sycfg/conf.d ];then
        mkdir -p /var/syscfg/conf.d
fi
if [ ! -f /var/syscfg/conf.d/mime.types ];then
        touch /var/syscfg/conf.d/mime.types
fi



size=$(stat -c %s /var/syscfg/syscfg.ini)
if [ $size = "0" ]; then
echo "syscfg.ini size:$size"
cp /var/syscfg/def_syscfg.ini /var/syscfg/syscfg.ini
fi

if [ -f /var/sysbak/ircutOppsite ]; then
insmod  /mnt/mtd/module/peripher_drv.ko ircut_opposite=1
else
insmod  /mnt/mtd/module/peripher_drv.ko ircut_opposite=0
fi

insmod /mnt/mtd/module/tx-isp-t21.ko
insmod /mnt/mtd/module/audio.ko sign_mode=1

/sbin/insmod /lib/modules/mt7601Usta.ko

ip link set dev wlan0  name ra0

insmod  /mnt/mtd/module/reset_drv.ko
insmod  /mnt/mtd/module/NetLED_drv.ko

key=hw_func_params
bSyncEeprom=0
if [ -f /var/sysbak/faccfg_eeprom ];then
read eepromVal  < /var/sysbak/faccfg_eeprom
echo $eepromVal
if [ $eepromVal = 1 ];then
bSyncEeprom=1
fi
fi

while read line
  do
    k=${line%=*}
    v=${line#*=}
    if [ "$k" == "$key" ];then
        echo "$k :  $v"
        if [ ${v:10:1} = 1 ] && [ "$bSyncEeprom" != "1" ];then
                echo "insmod eeprom.ko"
                                insmod  /mnt/mtd/module/eeprom_drv.ko retry_num=2
        fi
        break
    fi
done  < /var/sysbak/faccfg.ini


ifconfig lo 127.0.0.1
ifconfig eth0 0.0.0.0
ifconfig ra0 0.0.0.0
export LD_LIBRARY_PATH=/mnt/mtd/lib:/lib
export PATH=/gm/bin:/bin:/sbin:/usr/bin:/usr/sbin:$PATH

echo 512 > /proc/sys/vm/min_free_kbytes
#insmod /lib/modules/mmc_core.ko
#insmod /lib/modules/mmc_block.ko
#insmod /lib/modules/jzmmc_v12.ko
#sleep 1
#mount /dev/mmcblk0p1 /mnt/mmc


sh /memmonitor.sh &
sh /run_cmd.sh &

while true;do
if [ -f /var/cloud/firmware.bin ];then
cp /mnt/mtd/app/initApp /var/cloud/initApp
/var/cloud/initApp
elif [ -f /mnt/mmc/facDiag ];then
touch /mnt/mmc/diagLog.txt
/mnt/mmc/facDiag &> /mnt/mmc/diagLog.txt
elif [ -f /mnt/mmc/testMode ] || [ -f /var/syscfg/testMode ];then
if [ -f /mnt/mmc/testApp_t21 ];then
/mnt/mmc/testApp_t21
else
/mnt/mtd/app/testApp_t21
fi
else
/mnt/mtd/app/initApp


OPID=`ps |grep net_run.sh|grep -v 'grep'|awk '{print $1}'`
kill $OPID

OPID=`ps |grep udhcpc|grep -v 'grep'|awk '{print $1}'`
kill $OPID

OPID=`ps |grep wpa_supplicant|grep -v 'grep'|awk '{print $1}'`
kill $OPID

OPID=`ps |grep group-calendar|grep -v 'grep'|awk '{print $1}'`
kill $OPID
OPID=`ps |grep group-list|grep -v 'grep'|awk '{print $1}'`
kill $OPID
OPID=`ps |grep lan-probe|grep -v 'grep'|awk '{print $1}'`
kill $OPID
OPID=`ps |grep media|grep -v 'grep'|awk '{print $1}'`
kill $OPID
OPID=`ps |grep remove-groups|grep -v 'grep'|awk '{print $1}'`
kill $OPID
OPID=`ps |grep snap|grep -v 'grep'|awk '{print $1}'`
kill $OPID

OPID=`ps |grep boa|grep -v 'grep'|awk '{print $1}'`
kill $OPID

fi
sleep 2
echo 3 > /proc/sys/vm/drop_caches
sleep 3
done

Cheers


EDIT: tested on Firmware 07.26100.07.12


EDIT 2 UPDATE:

I poked around in the Firmware and found more interesting things.
The firmware executes some boot scripts and looks for additional scripts.

Most interesting find IMHO: ipc_start.sh (in the root) looks for a ipc_after.sh in /var/syscfg/ wich is mounted rw by ipc_start.sh.
I placed a chpasswd script in there. This is persistent, even after "factory reset" (via button hold).
The camera will also update the syscfg.ini on every boot if there is an syscfg.ini on the sd-card. Place a [Telnet] enable=1 in there and you got Telnet access.
I found the best way to do so is grabbing the existing syscfg.ini from the cam, so you don't loose all other settings like ONVIF etc.

Something I haven't figured out yet is the setup process.
If you reset the camera via button hold it wipes a few files like "register.ini" and "wpa_supplicant.conf".
Cloning those files didn't work, the "initApp" (compiled binary that does all the camera magic) misses something and does not start properly. If you place a QR-Code in front of the camera it decodes it. I prepared a code like the app generates, the cam will then connect to the provided wifi but after reboot its gone again.

I need to poke around more, somehow it has to be possible to set it up without the dang app...


I'm also pretty astonished that I can't find any more projects or details about this camera online, it's dead cheap (37€) and actually pretty good IMHO. Just the whole cloud thing is very annoying.


EDIT 3 UPDATE:

Got a second camera and it got the firmware 05.16 - I've updated my repo with an example.
This "older" firmware looks a lot cleaner, but is still flawed and easy to break in...

I got it working via ethernet completely without the app or cloud connection.

Only downside so far: I'm unable to change the default credentials for ONVIF and RTSP. I can add new users via ONVIF Device Manager but not delete users. (I'm okay-ish with that, since the camera is locked in its own network...)

 

[DxHum]

I'd be interesting in learning if there is a way to enable continuous recording to the SD card on this camera.

I own (4) W6 cameras and installed 125 Gig SD cards. But I can't record continuously and tech support said it is disabled on this camera.

I'm hoping to find my way in to the camera and enable this feature.

Am I chasing my tail on this?