EYEPLUS CIPC-GC13H

README.md

@@ -1,15 +1,17 @@
 # ZS-GX1 Hacks
 Record of attempted hacks on the ZS-GX1 IP Camera
 
-Confirmed working on the following camera models
+Confirmed working on the following camer
+a models
  * ZS-GX1
  * Snowman SRC-001
  * GUUDGO GD-SC01
  * GUUDGO GD-SC03
  * GUUDGO GD-SC11
  * Digoo DG-W01F
  * YSA CIPC-GC13H
-
+ * EYEPLUS CIPC-GC13H (read-only version)
+ * KERUI CIPC-GC15HE (read-only version)
 
 Disclaimer - I'm not a programmer, just a hobbyist that likes poking around with things like this. You use the software here at your own risk. If your camera isn't listed as supported you may break your camera.
 

bootdump-CIPC-GC13H

@@ -0,0 +1,228 @@
+# Cloud IP-Camera
+# Model CIPC-GC13H
+# Standards: GB8898-2011
+# Production Date 201803
+# recorded over serial 115200 8N1
+console init done
+
+
+U-Boot 2012.10 (Aug 25 2017 - 03:19:41) for GK7102S rb-sc1045-v2.0 (GOKE)
+
+HAL:  20160804 
+DRAM:  64 MiB
+Flash: [4X mode] 16 MiB
+NAND:  [No SPI nand] 
+SD/MMC: 0
+SF:    16 MiB [page:256 Bytes] [sector:64 KiB] [count:256] (MX25L12845)
+In:    serial
+Out:   serial
+Err:   serial
+Net:   Int PHY 
+Hit any key to stop autoboot:  1  0 
+[PROCESS_SEPARATORS] sf probe;sf read 0xc1000000 0x50000 0x1A0000;bootm 0xc1000000;
+SF:    16 MiB [page:256 Bytes] [sector:64 KiB] [count:256] (MX25L12845)
+put param to memory
+mem size (40)
+total mem size (64)
+bsb size (1)
+usr size (0)
+## Booting kernel from Legacy Image at c1000000 ...
+   Image Name:   Linux-3.4.43-gk
+   Image Type:   ARM Linux Kernel Image (uncompressed)
+   Data Size:    1655280 Bytes = 1.6 MiB
+   Load Address: c0208000
+   Entry Point:  c0208000
+   Verifying Checksum ... OK
+   Loading Kernel Image ... OK
+OK
+entry = 0xc0208000 
+## Transferring control to Linux (at address c0208000)...
+
+Starting kernel ...
+
+machid = 3988 r2 = 0xc0000100 
+Uncompressing Linux... done, booting the kernel.
+[    0.000000] Booting Linux on physical CPU 0
+[    0.000000] Linux version 3.4.43-gk (song@fc12_song) (gcc version 4.6.1 (crosstool-NG 1.18.0) ) #23 PREEMPT Tue Nov 7 19:31:20 CST 2017
+[    0.000000] CPU: ARMv6-compatible processor [410fb767] revision 7 (ARMv7), cr=00c5387d
+[    0.000000] CPU: VIPT aliasing data cache, VIPT aliasing instruction cache
+[    0.000000] Machine: Goke IPC Board
+[    0.000000] Memory policy: ECC disabled, Data cache writeback
+[    0.000000] AHB: 0x90000000  0xf2000000  -- 0x1000000
+[    0.000000] APB: 0xa0000000  0xf3000000  -- 0x1000000
+[    0.000000] PPM: 0xc0000000  0xc0000000  -- 0x200000
+[    0.000000] BSB: 0xc2a00000  0xf5000000  -- 0x100000
+[    0.000000] DSP: 0xc2b00000  0xf6000000  -- 0x14f0000
+[    0.000000] USR: 0xc3ff0000  0xfe000000  -- 0x10000
+[    0.000000] hal version = 20160804 
+[    0.000000] Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 10160
+[    0.000000] Kernel command line: console=ttySGK0,115200 mem=40M rootfstype=squashfs root=/dev/mtdblock2 init=linuxrc mtdparts=gk_flash:320K(U),1664K(K),896K(R),-(A)
+[    0.000000] PID hash table entries: 256 (order: -2, 1024 bytes)
+[    0.000000] Dentry cache hash table entries: 8192 (order: 3, 32768 bytes)
+[    0.000000] Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)
+[    0.000000] Memory: 40MB = 40MB total
+[    0.000000] Memory: 35868k/35868k available, 5092k reserved, 0K highmem
+[    0.000000] Virtual kernel memory layout:
+[    0.000000]     vector  : 0xffff0000 - 0xffff1000   (   4 kB)
+[    0.000000]     fixmap  : 0xfff00000 - 0xfffe0000   ( 896 kB)
+[    0.000000]     DMA     : 0xff600000 - 0xffe00000   (   8 MB)
+[    0.000000]     vmalloc : 0x83000000 - 0xff000000   (1984 MB)
+[    0.000000]     lowmem  : 0x80000000 - 0x82800000   (  40 MB)
+[    0.000000]     modules : 0x7f000000 - 0x80000000   (  16 MB)
+[    0.000000]       .text : 0x80008000 - 0x8040e000   (4120 kB)
+[    0.000000]       .init : 0x8040e000 - 0x8042d000   ( 124 kB)
+[    0.000000]       .data : 0x8042e000 - 0x80455ba0   ( 159 kB)
+[    0.000000]        .bss : 0x80455bc4 - 0x80487e28   ( 201 kB)
+[    0.000000] NR_IRQS:128
+[    0.000000] >> gk init irq vic1...
+[    0.000000] >> gk init irq vic2...
+[    0.000000] gk init vic...
+[    0.000000] mach gk init timer...
+[    0.000000] sched_clock: 32 bits at 256 Hz, resolution 3906250ns, wraps every 3892314108ms
+[    0.000000] Console: colour dummy device 80x30
+[    0.000000] console [ttySGK0] enabled
+[    0.007812] Calibrating delay loop... 597.40 BogoMIPS (lpj=1167360)
+[    0.039062] pid_max: default: 32768 minimum: 301
+[    0.042968] Mount-cache hash table entries: 512
+[    0.046875] CPU: Testing write buffer coherency: ok
+[    0.050781] Setting up static identity map for 0xc0543658 - 0xc0543690
+[    0.058593] NET: Registered protocol family 16
+[    0.066406] init timer...
+[    0.070312] Init HW timer for DSP communication
+[    0.074218] init gpio...
+[    0.078125] ###################################
+[    0.082031] [BOOT VERSION] GK7102S rb-sc1045-v2.0 v2.0 
+[    0.085937] [NET  INT_CLK] Internal PHY clock 
+[    0.089843] [GPIO]#############################
+[    0.093750] [GPIO] gpio map get from uboot
+[    0.097656] [GPIO CFG] gpio   count = 61
+[    0.101562] [GPIO CFG] intphy count = 2
+[    0.105468] [GPIO CFG] extphy count = 2
+[    0.109375] [GPIO CFG] IR LED CTL    (53)
+[    0.113281] [GPIO CFG] IR CUT1       (53)
+[    0.117187] [GPIO CFG] IR CUT2       (53)
+[    0.121093] [GPIO CFG] SENSOR Reset  (10)
+[    0.125000] [GPIO CFG] PHY Reset     (53)
+[    0.128906] [GPIO CFG] PHY Speed Led (53)
+[    0.132812] [GPIO CFG] SPI0 EN       (53)
+[    0.136718] [GPIO CFG] SPI1 EN       (53)
+[    0.140625] [GPIO CFG] USB HOST      (11)
+[    0.144531] [GPIO CFG] SD Detect     (35)
+[    0.148437] [GPIO CFG] SD Power      (53)
+[    0.152343] [GPIO CFG] SD1 Detect    (63)
+[    0.156250] [GPIO CFG] SD1 Power     (63)
+[    0.160156] [GPIO]#############################
+[    0.164062] gpiochip_add: registered GPIOs 0 to 63 on device: gk-gpio0
+[    0.167968] create proc dir
+[    0.171875] gk register devices 10
+[    0.175781] gk register I2C
+[    0.191406] bio: create slab <bio-0> at 0
+[    0.195312] spi spi.0: gk SPI Controller 0 created 
+[    0.199218] spi spi.0: master is unqueued, this is deprecated
+[    0.203125] spi spi.1: gk SPI Controller 1 created 
+[    0.207031] spi spi.1: master is unqueued, this is deprecated
+[    0.210937] usbcore: registered new interface driver usbfs
+[    0.214843] usbcore: registered new interface driver hub
+[    0.218750] usbcore: registered new device driver usb
+[    0.222656] i2c regbase: 0xf3003000 
+[    0.226562] i2c i2c.0: i2c irq:registers 9
+[    0.234375] i2c i2c.0: GK I2C[0] adapter[i2c-0] probed!
+[    0.238281] i2c regbase: 0xf3004000 
+[    0.242187] i2c i2c.1: i2c irq:registers 58
+[    0.246093] i2c i2c.1: GK I2C[1] adapter[i2c-1] probed!
+[    0.253906] cfg80211: Calling CRDA to update world regulatory domain
+[    0.261718] FS-Cache: Loaded
+[    0.265625] CacheFiles: Loaded
+[    0.277343] gk-sd gk-sd.0: Slot0 req_size=0x00010000, segs=16, seg_size=0x00010000
+[    0.289062] gk-sd gk-sd.0: GK SD/MMC[0] has 1 slots @ 50181818Hz, [0x09e130b0:0x00000000]
+[    0.292968] NET: Registered protocol family 2
+[    0.296875] IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
+[    0.300781] TCP established hash table entries: 2048 (order: 2, 16384 bytes)
+[    0.304687] TCP bind hash table entries: 2048 (order: 1, 8192 bytes)
+[    0.308593] TCP: Hash tables configured (established 2048 bind 2048)
+[    0.312500] TCP: reno registered
+[    0.316406] UDP hash table entries: 256 (order: 0, 4096 bytes)
+[    0.320312] UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
+[    0.328125] NET: Registered protocol family 1
+[    0.332031] RPC: Registered named UNIX socket transport module.
+[    0.335937] RPC: Registered udp transport module.
+[    0.339843] RPC: Registered tcp transport module.
+[    0.343750] RPC: Registered tcp NFSv4.1 backchannel transport module.
+[    0.351562] mdma init...
+[    0.355468] mdma request irq: 54 
+[    0.367187] squashfs: version 4.0 (2009/01/31) Phillip Lougher
+[    0.375000] NFS: Registering the id_resolver key type
+[    0.382812] jffs2: version 2.2. (NAND) © 2001-2006 Red Hat, Inc.
+[    0.390625] msgmni has been set to 70
+[    0.398437] Block layer SCSI generic (bsg) driver version 0.4 loaded (major 253)
+[    0.402343] io scheduler noop registered
+[    0.406250] io scheduler deadline registered
+[    0.410156] io scheduler cfq registered (default)
+[    0.414062] uart.0: ttySGK0 at MMIO 0xa0005000 (irq = 31) is a gkuart
+[    0.417968] uart.1: ttySGK1 at MMIO 0xa001f000 (irq = 15) is a gkuart
+[    0.421875] uart.2: ttySGK2 at MMIO 0xa001e000 (irq = 27) is a gkuart
+[    0.437500] brd: module loaded
+[    0.445312] loop: module loaded
+[    0.449218] adc initialized (10:11)
+[    0.453125] speed_mod is 0
+[    0.457031] USE 1X mode read and 1X mode write
+[    0.460937] support 4X mode read:0xe520f1ff
+[    0.464843] mmc0: new high speed SDHC card at address 0007
+[    0.468750] gk_flash gk_flash.0: MX25L12845 (16384 Kbytes)
+[    0.472656] 4 cmdlinepart partitions found on MTD device gk_flash
+[    0.476562] Creating 4 MTD partitions on "gk_flash":
+[    0.480468] 0x000000000000-0x000000050000 : "U"
+[    0.488281] 0x000000050000-0x0000001f0000 : "K"
+[    0.492187] 0x0000001f0000-0x0000002d0000 : "R"
+[    0.496093] 0x0000002d0000-0x000001000000 : "A"
+[    0.503906] slram: not enough parameters.
+[    0.507812] GKETH_init
+[    0.511718] [GKETH_drv_probe] eth_base = 0xf200e000
+[    0.515625] mii id = 0 
+[    0.519531] ###### PHY Reset.1.0.2
+[    0.636718] mdiobus_register: PHY[0] whose id 0x00000000 
+[    0.644531] goke MII Bus: probed
+[    0.648437] gk-eth gk-eth.0: MAC Address[02:11:22:a3:a0:00].
+[    0.652343] musb-hdrc: version 6.0, ?dma?, otg (peripheral+host)
+[    0.656250] musb phy Begin initial sequence ...
+[    0.964843] gk musb init end...
+[    0.968750] dma_controller_create_non_init ok
+[    0.972656] musb-hdrc musb-hdrc: MUSB HDRC host driver
+[    0.976562] musb-hdrc musb-hdrc: new USB bus registered, assigned bus number 1
+[    0.984375] hub 1-0:1.0: USB hub found
+[    0.988281] hub 1-0:1.0: 1 port detected
+[    0.992187] musb-hdrc musb-hdrc: USB Host mode controller at f2006000 using DMA, IRQ 26
+[    0.996093] platform add gk musb...
+[    1.003906] mousedev: PS/2 mouse device common for all mice
+[    1.007812] input: GKInput as /devices/virtual/input/input0
+[    1.011718] Protocol NEC[0]
+[    1.015625] ir request irq: 62 
+[    1.019531] IR Host Controller probed!
+[    1.023437] gk rtc init...
+[    1.023437] rtc base: 0xf2080000 
+[    1.027343] os read tm: t=0 
+[    1.031250] gk-rtc gk-rtc: rtc core: registered gk-rtc as rtc0
+[    1.035156] i2c /dev entries driver
+[    1.039062] gk_wdt_v1_00: GK Watchdog Timer, (c) 2014 Goke Microelectronics
+[    1.042968] [gk_wdt_init]: init
+[    1.046875] [gk_wdt_probe]: probe
+[    1.050781] [gk_wdt_probe]: probe mapped wdt_base=f3006000
+[    1.058593] watchdog inactive, reset disabled, irq disabled
+[    1.062500] mmcblk0: mmc0:0007 SD16G 14.4 GiB 
+[    1.066406]  mmcblk0: p1
+[    1.070312] IPv4 over IPv4 tunneling driver
+[    1.074218] gre: GRE over IPv4 demultiplexor driver
+[    1.078125] ip_gre: GRE over IPv4 tunneling driver
+[    1.082031] TCP: cubic registered
+[    1.085937] Initializing XFRM netlink socket
+[    1.089843] NET: Registered protocol family 10
+[    1.093750] IPv6 over IPv4 tunneling driver
+[    1.097656] NET: Registered protocol family 17
+[    1.101562] NET: Registered protocol family 15
+[    1.105468] Registering the dns_resolver key type
+[    1.109375] VFP support v0.3: implementor 41 architecture 1 part 20 variant b rev 5
+[    1.117187] os read tm: t=0 
+[    1.121093] gk-rtc gk-rtc: setting system clock to 1970-01-01 00:00:00 UTC (0)
+[    1.132812] VFS: Mounted root (squashfs filesystem) readonly on device 31:2.
+[    1.136718] Freeing init memory: 124K
+[    1.359375] usb 1-1: new high-speed USB device number 2 using musb-hdrc

environemt-CIPC-GC13H

@@ -0,0 +1,58 @@
+Starting Nmap 7.60 ( https://nmap.org ) at 2018-08-04 21:56 CEST
+Nmap scan report for 10.0.0.2
+Host is up (0.0067s latency).
+Not shown: 995 closed ports
+PORT     STATE SERVICE
+23/tcp   open  telnet
+80/tcp   open  http
+554/tcp  open  rtsp
+7103/tcp open  unknown
+8001/tcp open  vcom-tunnel
+MAC Address: 00:0C:43:xx:xx:xx (Ralink Technology)
+
+# cat /proc/cpuinfo 
+Processor       : ARMv6-compatible processor rev 7 (v6l)
+BogoMIPS        : 597.40
+Features        : swp half fastmult vfp edsp java tls 
+CPU implementer : 0x41
+CPU architecture: 7
+CPU variant     : 0x0
+CPU part        : 0xb76
+CPU revision    : 7
+
+Hardware        : Goke IPC Board
+Revision        : 0000
+Serial          : 0000000000000000
+
+lsmod
+    Tainted: P  
+gkptz 16301 0 - Live 0x7f1bb000 (O)
+8188fu 932958 0 - Live 0x7f0a7000 (O)
+exfat 88974 0 - Live 0x7f08c000 (O)
+gio 1587 1 - Live 0x7f088000 (O)
+sensor 155912 0 - Live 0x7f05e000 (PO)
+audio 8700 4 - Live 0x7f058000 (PO)
+media 259569 7 sensor, Live 0x7f010000 (PO)
+hw_crypto 1948 1 media, Live 0x7f00c000 (PO)
+hal 31555 1 media, Live 0x7f000000 (PO)
+
+cat /etc/passwd
+root:yE7gW4O0CSXXg:0:0::/root:/bin/sh
+# root pwd cxlinux
+daemon:x:1:1:daemon:/usr/sbin:/bin/sh
+bin:x:2:2:bin:/bin:/bin/sh
+sys:x:3:3:sys:/dev:/bin/sh
+sync:x:4:100:sync:/bin:/bin/sync
+mail:x:8:8:mail:/var/spool/mail:/bin/sh
+proxy:x:13:13:proxy:/bin:/bin/sh
+www-data:x:33:33:www-data:/var/www:/bin/sh
+backup:x:34:34:backup:/var/backups:/bin/sh
+operator:x:37:37:Operator:/var:/bin/sh
+haldaemon:x:68:68:hald:/:/bin/sh
+dbus:x:81:81:dbus:/var/run/dbus:/bin/sh
+ftp:x:83:83:ftp:/home/ftp:/bin/sh
+nobody:x:99:99:nobody:/home:/bin/sh
+sshd:x:103:99:Operator:/var:/bin/sh
+default:x:1000:1000:Default non-root user:/home/default:/bin/sh
+
+