tplink-tapo-c200-re

Reverse Engineering the TP-Link Tapo C200 camera

Components

Name          Component         Description
SoC           Realtek RTS3903   CPU at 500 MHz; core reported as rx5281, prid=0xdc02
RAM           unknown part      64 MiB @ 1066 MHz
Serial Flash  XMC XM25QH64A     SPI NOR, page size 256 bytes, erase size 64 KiB, 8 MiB total
Sensor        SC2232H           image sensor

Flash Layout

Start/end are the MTD partition boundaries as reported by the kernel. The size column is derived here as end - start; the erase size is the flash chip's 64 KiB (0x10000) block for every partition (see Components).

dev   start           end             size      erasesize  name
mtd0  0x000000000000  0x00000001d800  0x01d800  0x10000    factory_boot
mtd1  0x00000001d800  0x000000020000  0x002800  0x10000    factory_info
mtd2  0x000000020000  0x000000040000  0x020000  0x10000    art
mtd3  0x000000040000  0x000000050000  0x010000  0x10000    config
mtd4  0x000000050000  0x000000060000  0x010000  0x10000    boot
mtd5  0x000000060000  0x0000001c6400  0x166400  0x10000    kernel
mtd6  0x0000001c6400  0x000000710000  0x549c00  0x10000    rootfs
mtd7  0x000000710000  0x000000800000  0x0f0000  0x10000    rootfs_data
mtd8  0x000000060000  0x000000800000  0x7a0000  0x10000    firmware

Two things to note: mtd8 (firmware) is not a separate region but spans exactly the same flash as mtd5, mtd6 and mtd7 together; and the factory_boot/factory_info (0x1d800) and kernel/rootfs (0x1c6400) boundaries are not erase-block aligned, so those neighbours share an erase block and cannot be rewritten independently with a plain block erase.
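Once a full-chip dump exists (see the TODO below), the table above is all that is needed to carve it into per-partition images. The following is an added example, not the project's code: it takes the partition table from the page, derives the sizes the table leaves open, detects that firmware is an alias over kernel + rootfs + rootfs_data rather than a copy, flags the erase-block-misaligned edges, and slices a dump accordingly. The dump it runs on is constructed (erased flash with each partition's name stamped at its start) so the script works without hardware; point carve() or write_partitions() at a real 8 MiB read-out instead.

```python
"""Carve the mtd partitions from a raw XM25QH64A dump using the C200 layout above.

Added example, not project code. The partition table is the one on the page;
the dump is constructed below so the script runs without hardware.
"""
from pathlib import Path

FLASH_SIZE = 0x800000   # 8 MiB
ERASE_SIZE = 0x10000    # 64 KiB erase blocks

# (mtd index, name, start, end) exactly as in the flash layout table
PARTITIONS = [
    (0, "factory_boot", 0x000000, 0x01d800),
    (1, "factory_info", 0x01d800, 0x020000),
    (2, "art",          0x020000, 0x040000),
    (3, "config",       0x040000, 0x050000),
    (4, "boot",         0x050000, 0x060000),
    (5, "kernel",       0x060000, 0x1c6400),
    (6, "rootfs",       0x1c6400, 0x710000),
    (7, "rootfs_data",  0x710000, 0x800000),
    (8, "firmware",     0x060000, 0x800000),
]


def partition_sizes() -> dict:
    """Size of each partition as end - start (the column the table leaves as 'x')."""
    return {name: end - start for _, name, start, end in PARTITIONS}


def nested_partitions() -> dict:
    """Partitions that lie entirely inside another one.

    Exposes that mtd8 'firmware' is an alias over kernel + rootfs + rootfs_data,
    not a second copy of them.
    """
    nested = {}
    for _, outer, o_start, o_end in PARTITIONS:
        inner = [name for _, name, s, e in PARTITIONS
                 if name != outer and o_start <= s and e <= o_end]
        if inner:
            nested[outer] = inner
    return nested


def unaligned_boundaries() -> list:
    """Partition edges that are not erase-block aligned.

    A partition ending mid-block shares that block with its neighbour, so the
    two cannot be erased or rewritten independently (matters when patching
    factory_boot/factory_info or kernel/rootfs in place).
    """
    edges = {s for _, _, s, _ in PARTITIONS} | {e for _, _, _, e in PARTITIONS}
    return sorted(e for e in edges if e % ERASE_SIZE)


def carve(dump: bytes) -> dict:
    """Slice a full-chip dump into {name: bytes}."""
    if len(dump) != FLASH_SIZE:
        raise ValueError(f"expected {FLASH_SIZE:#x} bytes, got {len(dump):#x}")
    return {name: dump[start:end] for _, name, start, end in PARTITIONS}


def write_partitions(dump: bytes, out_dir) -> list:
    """Write mtdN_<name>.bin files, the same result as one dd skip/count per row."""
    out_dir = Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    paths = []
    for idx, name, start, end in PARTITIONS:
        path = out_dir / f"mtd{idx}_{name}.bin"
        path.write_bytes(dump[start:end])
        paths.append(path)
    return paths


def constructed_dump() -> bytes:
    """Stand-in for a real dump (constructed, not captured): erased flash (0xFF)
    with each partition's name stamped at its first bytes."""
    buf = bytearray(b"\xff" * FLASH_SIZE)
    for idx, name, start, _ in PARTITIONS:
        if idx != 8:                      # firmware starts where kernel starts
            buf[start:start + len(name)] = name.encode()
    return bytes(buf)


if __name__ == "__main__":
    parts = carve(constructed_dump())
    for idx, name, start, end in PARTITIONS:
        print(f"mtd{idx} {start:#010x}-{end:#010x} size {len(parts[name]):#9x} {name}")
    print("nested:", nested_partitions())
    print("unaligned edges:", [hex(e) for e in unaligned_boundaries()])
```

The carved firmware slice is, by construction of the table, the byte-for-byte concatenation of the kernel, rootfs and rootfs_data slices; that is why the MTD8 analysis further down finds "copies" of MTD5 and MTD6 in it.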

Notes

Turning on Diagnostics in the Tapo app results in a root login on pts/0. The login lands on a pseudo-terminal (pts), not the UART console (ttyS), so it is spawned through the login program by a process on the camera rather than by someone at the serial port. The log below shows the sequence: the config partition (0x40000-0x50000, mtd3) is erased and reprogrammed, the cloud client refreshes its hello-cloud session, and root logs in on pts/0:

[   58.336000] Erase from 0X40000 to 0X50000:
[   58.348000] .
[   58.353000] Program from 0X40000 to 0X50000:
[   58.560000] .
write successfully
1600115448305|696|3|cloud_interface.c:720:tlcc_refresh_helloCloud| - tlcc_refresh_helloCloud called
1600115448307|543|3|cloud_client_handle.c:1087:cloud_client_handle_refresh_helloCloud| - cloud_client_handle_refresh_helloCloud called
1600115448343|696|3|cloud_register.c:847:register_handle_refresh_hellocloud_request| - register_handle_refresh_hellocloud_request called
Sep 14 22:30:48 login[1274]: root login on 'pts/0'

TODOs:

  • Do we need an internet connection to trigger this, or can the same be done from the local network without internet access?
  • Dump the flash (chip clip and flash reader, or can we get at the U-Boot console and read it out from there?)

MTD investigation from a C100 dump (thanks to @kubik369)

MTD0 - Factory Boot

0x6000 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 218916 bytes

MTD1 - Factory Info

00000000: 4d31 4354 048f 0001 7b6d 6163 3a1c 3bf3  M1CT....{mac:.;.
00000010: fb60 3c2c 7069 6e3a 0000 0000 0000 0000  .`<,pin:........
00000020: 2c64 6576 4964 3a38 3032 3142 4541 3035  ,devId:8021BEA05
00000030: 4330 4339 4536 3732 3236 3338 3242 4336  C0C9E67226382BC6
00000040: 3132 3642 3046 3331 4342 4632 3041 392c  126B0F31CBF20A9,
00000050: 6877 4964 3a16 f34f c28e 5c7c d422 498e  hwId:..O..\|."I.
00000060: 7ef0 c4a6 9f2c 6877 4964 4465 733a 4857  ~....,hwIdDes:HW
00000070: 4445 5343 0000 0000 0000 0000 0001 0000  DESC............
00000080: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000090: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000000a0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000000b0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000000c0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000000d0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000000e0: 0000 0000 0000 0000 0000 0000 0000 2c66  ..............,f
000000f0: 6c61 7368 5369 676e 3a00 0000 0000 0000  lashSign:.......
00000100: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000110: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000120: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000130: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000140: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000150: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000160: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000170: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000180: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000190: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000001a0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000001b0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000001c0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000001d0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000001e0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000001f0: 0000 0000 0000 0000 002c 6465 764e 616d  .........,devNam
00000200: 653a 4331 3030 0000 0000 3533 3433 3030  e:C100....534300
00000210: 3030 3030 3030 3030 3030 3030 3030 3030  0000000000000000
00000220: 3031 0000 0000 3230 4139 0000 0000 0000  01....20A9......
00000230: 0000 0000 0000 0000 002c 6877 5665 723a  .........,hwVer:
00000240: 312e 3000 0000 0000 3533 3433 3030 2c51  1.0.....534300,Q
00000250: 5243 6f64 653a 0000 0000 0000 0000 0000  RCode:..........
00000260: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000270: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000280: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000290: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000002a0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000002b0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000002c0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000002d0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000002e0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000002f0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000300: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000310: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000320: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000330: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000340: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000350: 0000 0000 0000 2c74 6573 7449 6e66 6f3a  ......,testInfo:
00000360: 5354 4152 543a 3935 2c31 3136 2c31 3537  START:95,116,157
00000370: 2c31 3633 2c31 3637 2c31 3532 2c31 3633  ,163,167,152,163
00000380: 2c39 322c 3131 382c 666f 633a 503b 696d  ,92,118,foc:P;im
00000390: 673a 503b 0000 0000 0000 0000 0000 0000  g:P;............
000003a0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000003b0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000003c0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000003d0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000003e0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000003f0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000400: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000410: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000420: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000430: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000440: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000450: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000460: 2c66 6f63 616c 4c65 6e67 7468 3a00 0000  ,focalLength:...
00000470: 0000 0000 006f 656d 4964 3aed cf1d 3789  .....oemId:...7.
00000480: 0c9d 554b 594b 8f56 7946 d22c 7265 6769  ..UKYK.VyF.,regi
00000490: 6f6e 3a45 552c 7d4f d786 07c9 859a 87b5  on:EU,}O........
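Rather than reading the dump above by eye, the following added example (not the project's code) rebuilds the bytes from the hexdump, checks the M1CT header and splits the {key:value,...} body into fields. Two points in it are inferences from this single dump and are marked as such in the code: the big-endian u16 at offset 4 (0x048f = 1167) equals the length of the brace-delimited body, braces included, and values are found by searching for the next known key because the body cannot safely be split on commas (testInfo contains commas and oemId is not preceded by one). The key names are the ones visible in the ASCII column; the header's second u16 (0x0001) and the bytes after the closing brace are left undecoded.

```python
"""Decode the factory_info (mtd1) blob from the hexdump above.

Added example, not project code. The dump is the page's, with the ASCII column dropped
and all-zero lines collapsed to '*' (xxd -a style); field names are those visible in it.
"""
import struct

FACTORY_INFO_DUMP = """\
00000000: 4d31 4354 048f 0001 7b6d 6163 3a1c 3bf3
00000010: fb60 3c2c 7069 6e3a 0000 0000 0000 0000
00000020: 2c64 6576 4964 3a38 3032 3142 4541 3035
00000030: 4330 4339 4536 3732 3236 3338 3242 4336
00000040: 3132 3642 3046 3331 4342 4632 3041 392c
00000050: 6877 4964 3a16 f34f c28e 5c7c d422 498e
00000060: 7ef0 c4a6 9f2c 6877 4964 4465 733a 4857
00000070: 4445 5343 0000 0000 0000 0000 0001 0000
*
000000e0: 0000 0000 0000 0000 0000 0000 0000 2c66
000000f0: 6c61 7368 5369 676e 3a00 0000 0000 0000
*
000001f0: 0000 0000 0000 0000 002c 6465 764e 616d
00000200: 653a 4331 3030 0000 0000 3533 3433 3030
00000210: 3030 3030 3030 3030 3030 3030 3030 3030
00000220: 3031 0000 0000 3230 4139 0000 0000 0000
00000230: 0000 0000 0000 0000 002c 6877 5665 723a
00000240: 312e 3000 0000 0000 3533 3433 3030 2c51
00000250: 5243 6f64 653a 0000 0000 0000 0000 0000
*
00000350: 0000 0000 0000 2c74 6573 7449 6e66 6f3a
00000360: 5354 4152 543a 3935 2c31 3136 2c31 3537
00000370: 2c31 3633 2c31 3637 2c31 3532 2c31 3633
00000380: 2c39 322c 3131 382c 666f 633a 503b 696d
00000390: 673a 503b 0000 0000 0000 0000 0000 0000
*
00000460: 2c66 6f63 616c 4c65 6e67 7468 3a00 0000
00000470: 0000 0000 006f 656d 4964 3aed cf1d 3789
00000480: 0c9d 554b 594b 8f56 7946 d22c 7265 6769
00000490: 6f6e 3a45 552c 7d4f d786 07c9 859a 87b5
"""

# keys in blob order; each appears as "key:" followed by a NUL-padded value
KEYS = ["mac", "pin", "devId", "hwId", "hwIdDes", "flashSign", "devName",
        "hwVer", "QRCode", "testInfo", "focalLength", "oemId", "region"]


def hexdump_to_bytes(dump: str) -> bytes:
    """Rebuild bytes from 'offset: xxxx ...' lines; '*' marks skipped zero lines."""
    out = bytearray()
    for line in dump.splitlines():
        line = line.strip()
        if not line or line == "*":
            continue  # the gap is zero-filled when the next offset appears
        offset_str, hexpart = line.split(":", 1)
        offset = int(offset_str, 16)
        if offset < len(out):
            raise ValueError(f"offset {offset:#x} goes backwards")
        out.extend(b"\x00" * (offset - len(out)))
        out.extend(bytes.fromhex(hexpart.replace(" ", "")))
    return bytes(out)


def split_fields(payload: bytes) -> dict:
    """Cut '{key:value,...}' into raw values by locating the next known key
    (splitting on commas fails: testInfo contains commas, oemId has none before it)."""
    starts, cursor = [], 1  # 1 skips the opening brace
    for key in KEYS:
        marker = key.encode() + b":"
        idx = payload.find(marker, cursor)
        if idx < 0:
            raise ValueError(f"key {key!r} not found")
        starts.append((key, idx, idx + len(marker)))
        cursor = idx + len(marker)
    fields = {}
    for i, (key, _, val_start) in enumerate(starts):
        val_end = starts[i + 1][1] if i + 1 < len(starts) else len(payload) - 1
        raw = payload[val_start:val_end]
        fields[key] = raw[:-1] if raw.endswith(b",") else raw  # drop the separator
    return fields


def render(key: str, raw: bytes):
    """MAC with colons, NUL-separated ASCII runs as text, anything else as hex."""
    if key == "mac":
        return ":".join(f"{b:02x}" for b in raw)
    chunks = [c for c in raw.split(b"\x00") if c]
    if not chunks:
        return ""  # present but unset (all padding)
    if all(0x20 <= b < 0x7f for c in chunks for b in c):
        return chunks[0].decode() if len(chunks) == 1 else [c.decode() for c in chunks]
    return raw.rstrip(b"\x00").hex()


def decode_factory_info(blob: bytes) -> dict:
    """Validate the M1CT header and decode the fields it frames."""
    if blob[:4] != b"M1CT":
        raise ValueError("missing M1CT magic")
    length, unknown = struct.unpack(">HH", blob[4:8])
    payload = blob[8:8 + length]
    # Inferred from this dump: the big-endian u16 at offset 4 (0x048f = 1167) is
    # exactly the length of the '{...}' body, braces included.
    if len(payload) != length or payload[:1] != b"{" or payload[-1:] != b"}":
        raise ValueError("length field does not bracket a {...} body")
    return {"length": length, "unknown_u16": unknown,  # second u16: meaning unknown
            "fields": {k: render(k, v) for k, v in split_fields(payload).items()},
            "trailer": blob[8 + length:].hex()}  # bytes after '}', meaning unknown
```

Running decode_factory_info(hexdump_to_bytes(FACTORY_INFO_DUMP)) gives the MAC 1c:3b:f3:fb:60:3c, the 40-hex-digit devId, hwId and oemId as 16-byte binary values, devName C100 alongside hwVer 1.0, region EU, and pin, QRCode, flashSign and focalLength unset on this unit. The MAC, devId, hwId and oemId are device identity material; strip or redact them before publishing a dump.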

MTD2 - ART

0x100 gzip compressed data, from Unix, last modified: 2019-11-08 06:54:02

The gzip stream unpacks to a tar archive with the directories base-files, radio and uci (9 files, 134 KB in total). The partition name and the radio directory point to radio calibration/configuration data in the OpenWrt tradition ("art", Atheros Radio Test), and uci is OpenWrt's configuration format.

MTD3 - Config

Not analysed in the dump yet. This is the 0x40000-0x50000 region that the kernel log in the Notes shows being erased and reprogrammed when Diagnostics is toggled in the app, so it is the first place to look for the setting that enables the root login.

MTD4 - Boot

0x6000 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 111364 bytes

Appears to be: U-Boot 2014.01-v1.2 (Nov 08 2019 - 09:13:14)

MTD5 - Kernel

0x200 LZMA compressed data, properties: 0x6D, dictionary size: 8388608 bytes, uncompressed size: 4342112 bytes

Kernel: Linux version 3.10.27 (server@ubuntu14) (gcc version 4.8.5 20150209 (prerelease) (Realtek RSDK-4.8.5p1 Build 2521) ) #2 PREEMPT Fri Nov 8 14:53:46 CST 2019

Build folder appears to be: /home/server/Projects/ipc/Camera_SLP/slp-sp-target-src/rts3903/linux-3.10/

MTD6 - RootFS

0x0 Squashfs filesystem, little endian, version 4.0, compression:xz, size: 5405292 bytes, 1016 inodes, blocksize: 262144 bytes, created: 2019-11-08 06:53:59

Root filesystem (read-only SquashFS; writable state lives in the JFFS2 rootfs_data partition, mtd7)

MTD7 - RootFS data

JFFS2 overlay for persistent data; blank from factory (all 0xFF, i.e. erased flash, which JFFS2 mounts as an empty filesystem).

MTD8 - Firmware

0x200 LZMA compressed data, properties: 0x6D, dictionary size: 8388608 bytes, uncompressed size: 4342112 bytes

0x166000 Squashfs filesystem, little endian, version 4.0, compression:xz, size: 5405292 bytes, 1016 inodes, blocksize: 262144 bytes, created: 2019-11-08 06:53:59

The LZMA data is byte-identical to the kernel in MTD5 and the SquashFS to the root filesystem in MTD6. This is expected rather than a second copy: in the flash layout above, mtd8 (0x60000-0x800000) covers exactly the same flash as mtd5, mtd6 and mtd7 together, so "firmware" is an alias over kernel + rootfs + rootfs_data, presumably the region a firmware update is written to as one image.

One caveat when carrying offsets between devices: in this C100 dump the SquashFS sits at 0x166000 into firmware, i.e. 0x1c6000 absolute, while the C200 table above puts the rootfs boundary at 0x1c6400. The kernel/rootfs split therefore depends on the kernel image size and should be taken from the device actually being worked on.


Links

TE7C200 - FCCid.io