Tearing Apart the Wyze Outdoor Cam Base Station: Part 2

If you are starting here, go back to Part 1 to see what we have learned so far about the Wyze Outdoor Base Station.

We left Part 1 of the blog post at getting a UART connection to the base station and learning about its hardware and software. It's based on a QCA9531 running OpenWrt. Because we don't know the OpenWrt password, we are limited in how to proceed.

Enter, the Chip clip!

For 10.99 from Amazon I got this SOIC8 chip clip and a CH341A programmer to read and write the flash.

I have never used one of these devices before, but after some googling and watching a few videos it's easy enough to figure out how to dump the ROM on the Outdoor Base Station.

On the backside of the board with the Qualcomm processor we see this little flash chip. It's labeled CFeon QH128a, but I think this is a clone of the EN25QH128.

The dimple on the chip denotes pin 0, and that should be lined up with the red wire on the chip clip – seems obvious for anyone that has used these before, but it was a learning experience for me 🙂

Using some Russian software called AsProgrammer we are able to query the chip ID and then dump the contents into a .bin file.

I did this a few times; because the device was powered on and the CPU was not in “reset” mode, I wasn’t sure about the consistency of the dump.
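That consistency worry is worth checking rather than eyeballing. As an added example (not code from the original post), the script below hashes each dump, lists the byte ranges where two reads disagree, and builds a majority-vote image from three or more reads of the same chip; an in-circuit read taken while the SoC is still running can pick up bit errors, so offsets with no clear majority are reported for a re-read. The sample dumps in the test are constructed.

```python
import hashlib
from collections import Counter
from typing import List, Set, Tuple

CHUNK = 4096  # compare at this granularity first and only walk bytes inside chunks that differ

def digest(dump: bytes) -> str:
    """SHA-256 of a whole dump; identical digests mean two reads agree byte for byte."""
    return hashlib.sha256(dump).hexdigest()

def differing_ranges(a: bytes, b: bytes) -> List[Tuple[int, int]]:
    """Return [start, end) offsets at which two equal-sized dumps disagree."""
    if len(a) != len(b):
        raise ValueError(f"dump sizes differ: {len(a)} vs {len(b)}")
    ranges: List[Tuple[int, int]] = []
    start = None
    for off in range(0, len(a), CHUNK):
        if a[off:off + CHUNK] == b[off:off + CHUNK]:
            if start is not None:          # a run that began in the previous chunk ends here
                ranges.append((start, off))
                start = None
            continue
        for i in range(off, min(off + CHUNK, len(a))):
            if a[i] != b[i]:
                if start is None:
                    start = i
            elif start is not None:
                ranges.append((start, i))
                start = None
    if start is not None:
        ranges.append((start, len(a)))
    return ranges

def majority_merge(dumps: List[bytes]) -> Tuple[bytes, List[int]]:
    """Byte-wise majority vote over three or more reads. Returns the merged image plus the
    offsets where no value won; re-read those, ideally with the CPU held in reset."""
    if len(dumps) < 3 or len({len(d) for d in dumps}) != 1:
        raise ValueError("need at least three equal-sized dumps")
    suspect: Set[int] = set()
    for other in dumps[1:]:
        for s, e in differing_ranges(dumps[0], other):
            suspect.update(range(s, e))
    merged, unresolved = bytearray(dumps[0]), []
    for i in sorted(suspect):
        top = Counter(d[i] for d in dumps).most_common(2)
        if len(top) > 1 and top[0][1] == top[1][1]:
            unresolved.append(i)               # tie: keep the first read's byte but flag it
        merged[i] = top[0][0]
    return bytes(merged), unresolved
```

Feed it the .bin files from several AsProgrammer reads; if every digest matches you are done, otherwise the reported ranges tell you where the reads disagreed.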

Using binwalk to extract the contents of the dumped bin, I see that we have U-Boot partitions as well as some squashfs partitions.

.\binwalk -Me wyzeoutdoorbase.bin

Let's start poking around and see if anything looks interesting!

Some files in the first squashfs-root partition?

The contents of the Wireless file are interesting, but I believe this changes once the device finishes its first boot – so this SSID isn't the same as what I see when the device boots up, at least not right now.

I also found this banner file (login prompt); can't wait to figure out how to see it directly!

/**********************************************/
/**********************************************/
    \ \      / / \ \ / / |__  / | ____|
     \ \ /\ / /   \ V /    / /  |  _|  
      \ V  V /     | |    / /_  | |___ 
       \_/\_/      |_|   /____| |_____|
/----------------------------------------------/
     ____ _____  _  _____ ___ ___  _   _ 
    / ___|_   _|/ \|_   _|_ _/ _ \| \ | |
    \___ \ | | / _ \ | |  | | | | |  \| |
     ___) || |/ ___ \| |  | | |_| | |\  |
    |____/ |_/_/   \_\_| |___\___/|_| \_|
/----------------------------------------------/
   TIANJIN HuaLai Technology.
   Product:OutDoor Station.
                      Version:18-09-22.00.00.02
/**********************************************/
                                     By:fythons
/**********************************************/

Someone posted the passwd and shadow files to Pastebin, but the password hash is in MD5crypt format.

https://pastebin.com/eT97ZQiJ

On the squashfs-root-1 partition we see some of the Wyze / Hualai software in the /sbin folder.

The sd_update.sh file, as well as the hualai_build_fw.sh, contain some interesting stuff – let's see what's in sd_update.sh.

This might be a way to load custom firmware on the device, not sure yet…

Contents of the readme file in squashfs-root-3

######################
## HuaLai Technology SDK Platform #######
######################
1: Build instructions
	hualai_sdk_build.sh in the top-level directory is the platform build script. Run the following command:
	./hualai_sdk_build.sh x86
	A release directory is generated automatically under the top-level directory; that directory is where the generated framework lives.

	To clean the build output, run
	./hualai_sdk_build.sh x86 clean

Contents of the readme.txt file in squashfs-root-1

/*
*  This document describes this module
*/


1 Overview:
This module is named APP and is the project's application layer. All of the project's functionality is implemented here.

2 Main modules:
Include: header files, including Sdk.h and related shared headers
BaseServices: base service layer; this layer is shared
ProductServices: product business layer; all requirements are implemented here
Makefiles: Makefiles for different environments
Main: main module, application startup
UnitTest: unit tests; all APP-related tests are implemented here


3 Detailed module descriptions:
1) Include module:
  Files included:
  common.h:
  dataassist.h: platform-related data type definitions, used by localsdk.h
  localsdk.h: platform layer API
  hllist.h: linked list, taken from the kernel
  pdatatype.h: redefinitions of basic data types, e.g. uint8

2) main
  main.c: contains the main function, the application entry point
  deviceapp: interfaces needed by main; this file calls the related baseservices and productservices APIs

3) baseservices: APIs that support productservices
  filerw: file read/write
  ipc: inter-process communication
  log: logging
  paracfg: parameter configuration
  stream: stream buffer
  syscall: system call functions
  threadpool: thread pool
  tools: common utilities such as base64_encode/xxtea

4) productservices: product business modules, modified per product as required
  alarm: alarm
  binding: binding module
  client: client module, including tcp/udp/tutk
  communicate: communication module, e.g. hlclient iot msg (message queue)
  localstorage: local storage
  productinfo: product-related information, such as model
  transport: device-related, e.g. SD card/USB stick/USB devices (pl2303)

5) unittest: unit test module
   unit tests

I can't read Chinese and Google Translate wasn't super useful, so YMMV.

The contents of the station_wifi_config file (above) are also interesting, but it's in a format I am not familiar with, or I am missing the symbols to decode it. If anyone knows how to get this file into a readable format, please let me know!
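As an added example (not from the original post), here is a first-pass triage for an unknown blob such as station_wifi_config: it checks for common container magic, computes overall and per-window entropy and the printable ratio, and tests for base64 text (the readme above lists base64_encode among the firmware's utility functions). The magic list and thresholds are constructed heuristics, not anything the firmware documents.

```python
import math
import re
from collections import Counter
from typing import Dict, List, Optional

# Magic bytes for containers commonly found in OpenWrt-based images (short, constructed list).
MAGICS = {b"\x1f\x8b": "gzip", b"\xfd7zXZ\x00": "xz", b"\x78\x9c": "zlib",
          b"\x78\xda": "zlib", b"hsqs": "squashfs"}
B64_RE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: text sits around 4-5, compressed or encrypted data close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def printable_ratio(data: bytes) -> float:
    if not data:
        return 0.0
    return sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13)) / len(data)

def looks_base64(data: bytes) -> bool:
    """Heuristic: base64 alphabet only, '=' padding only at the end, length a multiple of 4."""
    compact = b"".join(data.split())
    return len(compact) >= 16 and len(compact) % 4 == 0 and B64_RE.match(compact) is not None

def magic_name(data: bytes) -> Optional[str]:
    return next((name for sig, name in MAGICS.items() if data.startswith(sig)), None)

def triage(data: bytes, window: int = 256) -> Dict[str, object]:
    """Classify an unknown blob; the per-window entropy profile makes a mixed file (plaintext
    header followed by an opaque payload) show up as a jump between windows."""
    ent, pr, magic = shannon_entropy(data), printable_ratio(data), magic_name(data)
    if not data:
        verdict = "empty"
    elif magic:
        verdict = f"container: {magic}"
    elif looks_base64(data):
        verdict = "base64 text: decode it and triage the result again"
    elif pr > 0.95:
        verdict = "plain text"
    elif ent > 7.5:
        verdict = "opaque: compressed or encrypted, no known magic"
    else:
        verdict = "structured binary"
    windows = [round(shannon_entropy(data[i:i + window]), 2) for i in range(0, len(data), window)]
    return {"entropy": round(ent, 3), "printable": round(pr, 3), "magic": magic,
            "verdict": verdict, "windows": windows}
```

Run `triage(open("station_wifi_config", "rb").read())` on the extracted file; a flat high-entropy profile with no magic means the file is not going to yield to strings or a text editor.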

GitHub project with the dump is here: https://github.com/miniman13/wyzewhisperer

That’s all for now – I think the next steps to learning more about these devices are to get into U-Boot and reset the root password, or perhaps a little birdie can whisper the cracked MD5crypt posted above.
