guino / Merkury1080P

Merkury1080P (CW017) Rooting and Customization

MI-CW051, any clues? #52

Open dougalcampbell opened 6 months ago

dougalcampbell commented 6 months ago

My device is MI-CW051, and apparently it's different enough that your hack isn't working on it. I see somebody else has already extracted the firmware, would that help you open this sucker up?

guino commented 6 months ago

@dougalcampbell sorry for the late reply (busy with the holidays)...

I don't have this camera, but @tyleracopeland has extracted the firmware and found that the device looks for a helloworld.sh script in the root of the SD card during boot and executes it instead of the main application (if found).

@tyleracopeland also created/verified that the helloworld.sh script below works to start a password-less telnet on the device (while also starting the device normally):

#!/bin/sh

# Mount point of the first /dev/mmcblk0 partition listed in /proc/mounts (the SD card)
SD_CARD=$(sed -n 's/^\/dev\/mmcblk0[a-zA-Z0-9]\{0,2\} \([^ ]*\) .*$/\1/p' /proc/mounts | head -n 1)
"$SD_CARD/busybox" telnetd -p 23 -l /bin/sh & # password-less telnet, using the busybox copied to the SD card
/usr/stream/start.sh & # continue normal boot

The above start script could be used as the custom.sh script we made for other devices (to start telnet/http server, etc), but someone needs to dig into the stream application to see if there's anything we can use/modify (i.e. enable RTSP, snapshot, etc) -- I have not found time to look into the stream application yet.

tyleracopeland commented 6 months ago

Full disclosure: the specific camera model this information pertains to is the Merkury MI-CW057 (firmware version 2.1.10-release as reported by the Merkury app). However, it could also work on the MI-CW051. The process isn't destructive, so it shouldn't hurt to try.

@dougalcampbell all you need to do is place a copy of Busybox (found here) and a file named helloworld.sh in the root of a FAT32-formatted SD card. This is the content of my helloworld.sh file:

#!/bin/sh

# Mount point of the first /dev/mmcblk0 partition listed in /proc/mounts (the SD card)
SD_CARD=$(sed -n 's/^\/dev\/mmcblk0[a-zA-Z0-9]\{0,2\} \([^ ]*\) .*$/\1/p' /proc/mounts | head -n 1)
"$SD_CARD/busybox" telnetd -p 23 -l /bin/sh & # Password-less Telnet server
"$SD_CARD/busybox" tcpsvd 0 21 "$SD_CARD/busybox" ftpd -w / -t 600 & # Anonymous FTP server, writable, rooted at /

/usr/stream/start.sh & # Continue normal boot (stream binary does the network setup)

The last line is important as it contains the call that launches the stream ELF file. This executable seems to handle all network configuration, so the device will not connect to the network if it isn't called.

The script above enables password-less Telnet and anonymous FTP servers with root access. However, I haven't been able to do much beyond that due to all of the main networking and video streaming functions being hard-coded into a single ELF executable named stream. I haven't had much time to dig into that file in Ghidra, but it seems to be connecting to an AWS endpoint to stream the video. If anyone is interested, a copy of the stream file can be found here, along with the external dependencies (located in the lib folder).
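The helloworld.sh scripts above locate the SD card by parsing /proc/mounts; the example below (added here, not code from the thread or the repository) runs that same sed expression against a constructed mounts table so the detection can be checked off the device. It also shows the failure mode the scripts do not handle: with no card mounted, SD_CARD is empty and `$SD_CARD/busybox` silently resolves to /busybox. The mount points in the sample are hypothetical.

```shell
#!/bin/sh
# Added example: exercise the SD-card mount-point detection from the thread's
# helloworld.sh against a constructed /proc/mounts sample, and guard the
# empty-result case instead of falling through to "/busybox".

# Constructed sample of a /proc/mounts table with an SD card present
# (hypothetical mount points; only the mmcblk0 line matters).
SAMPLE_MOUNTS='rootfs / rootfs rw 0 0
proc /proc proc rw,relatime 0 0
/dev/mmcblk0p1 /mnt/sdcard vfat rw,relatime,fmask=0022 0 0
tmpfs /tmp tmpfs rw 0 0'

# Constructed sample with no SD card inserted.
SAMPLE_NO_SD='rootfs / rootfs rw 0 0
proc /proc proc rw,relatime 0 0'

# Same sed expression as the scripts in the thread, but reading the mounts
# table from stdin so it can be run on any host. Prints the first mmcblk0
# mount point, or nothing if there is none.
sd_mount_point() {
    sed -n 's/^\/dev\/mmcblk0[a-zA-Z0-9]\{0,2\} \([^ ]*\) .*$/\1/p' | head -n 1
}

# Prints the busybox path on the card and returns 0, or returns 1 when no
# card is mounted (an empty SD_CARD would otherwise yield "/busybox").
busybox_path() {
    mounts="$1"
    sd=$(printf '%s\n' "$mounts" | sd_mount_point)
    [ -n "$sd" ] || return 1
    printf '%s\n' "$sd/busybox"
}

# Stand-alone run: print both outcomes.
printf 'with card:    %s\n' "$(busybox_path "$SAMPLE_MOUNTS")"
if busybox_path "$SAMPLE_NO_SD" >/dev/null; then
    printf 'without card: unexpected success\n'
else
    printf 'without card: no SD card mounted, not starting anything\n'
fi
```

On the real device the same check would be `[ -n "$SD_CARD" ] || exit 0` right after the SD_CARD assignment, so a boot without a card never tries to execute a nonexistent /busybox.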

hmnityty commented 5 months ago

I have the cw-051 as well. Tried de-compiling the stream executable with Ghidra. It failed. Turns out it's compressed using UPX (https://github.com/upx/upx); had to use version 3.95 (the version it was compressed with) to get it to decompress. Going to try analyzing it again.
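The comment above needed the UPX release matching the one the binary was packed with. UPX-packed files carry the "UPX!" magic and an "$Id: UPX x.yy ..." string in their loader stub, so the version can be read before picking a release. The script below (added here, not from the thread) does that on a constructed sample file standing in for a packed ELF; the sample bytes are hypothetical and not taken from the device's stream binary.

```shell
#!/bin/sh
# Added example: detect a UPX-packed file and read the packer version from
# the "$Id: UPX x.yy" string in its stub, on a constructed sample file.

# Prints the UPX version found in FILE and returns 0; returns 1 if the file
# does not carry the "UPX!" magic. Uses tr + grep/sed rather than strings(1),
# which minimal hosts may not have.
upx_version() {
    f="$1"
    grep -q 'UPX!' "$f" || return 1
    tr -c '[:print:]' '\n' < "$f" \
        | sed -n 's/.*\$Id: UPX \([0-9][0-9.]*\).*/\1/p' \
        | head -n 1
}

# Writes a constructed stand-in for a UPX-packed ELF to OUT: an ELF magic,
# filler bytes, the "UPX!" marker and the two stub strings real UPX emits.
make_sample() {
    out="$1"
    {
        printf '\177ELF\001\001\001\000filler-bytes'
        printf 'UPX!\000\000\000'
        printf '$Info: This file is packed with the UPX executable packer http://upx.sf.net $\n'
        printf '$Id: UPX 3.95 Copyright (C) 1996-2018 the UPX Team. All Rights Reserved. $\n'
    } > "$out"
}

# Stand-alone run: build the sample, report its packer version, clean up.
sample=$(mktemp)
make_sample "$sample"
if v=$(upx_version "$sample"); then
    printf 'packed with UPX %s: decompress with the matching upx release\n' "$v"
else
    printf 'no UPX marker found\n'
fi
rm -f "$sample"
```

The reported version is the one to fetch from the UPX releases page; a newer upx can refuse to unpack a file produced by an older release, which is exactly the mismatch the comment above ran into.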

hmnityty commented 4 months ago

UART is on the front of the board [image]