I’ll do a better write up at some point (and maybe even whip up a few scripts to make it a bit more user friendly?), but you can read it raw here: Enable telnet without using NFS? · Issue #64 · HclX/WyzeHacks · GitHub
Here’s a quick summary (I did this all on my Mac, but any *nix like system should work)
- Download GitHub - HclX/WyzeUpdater: A tool to push arbitrary update to wyze devices.
- Authenticate wyze_updater.py and enumerate your camera by running:
./wyze_updater.py --user {WYZE_email} --password ${WYZE_password} list -
./wyze_updater.py update -p 18080 -d YOUR_SN_FROM_STEP_2 -f firmwares/camera_telnet.binAfter a few seconds you can ctrl-c to exit. (This step uses Wyze’s update mechanism to run a small script that blanks out the root password and starts telnet so we can access the system) -
telnet ip.address.of.camera(login as root with no password) - Use vi on your camera to add
/system/init/custom_init.sh &to the beginning of the existing init script:vi /system/init/app_init.sh - On your computer (not on the camera, it doesn’t have openssl), generate a password hash to store on your camera so you can login with your own password in the future:
openssl passwd -1 -salt <YOUR SALT> <YOUR PASSWORD> - Create your custom init script:
vi /system/init/custom_init.shYou can paste in this as a starting point, swap in the output from step 6 for the placeholder below:
#!/bin/sh
echo "Starting telnet..." > /tmp/custom_init.log
killall -9 telnetd
busybox telnetd &
echo "Sleeping 31s so SD can mount..." >> /tmp/custom_init.log
sleep 31
echo "Setting root password..." >> /tmp/custom_init.log
umount /etc
rm -rf /tmp/etc
cp -r /etc /tmp/
echo 'root:$1$MYSALT$1Sy1OLRk2kTa7P6fvzwp71:10933:0:99999:7:::' > /tmp/etc/shadow
mount -o bind /tmp/etc /etc
echo "Starting bftpd..." >> /tmp/custom_init.log
/media/mmc/bin/bftpd -d -c /media/mmc/bin/bftpd.conf
echo "Custom init complete..." >> /tmp/custom_init.log
chmod +x /system/init/custom_init.sh- (someone should just host this on a non-https site so we can just wget it directly from the internet…) Download bftpd from here and copy the file over to your SD card at /media/mmc/bin/bftpd : Xiaomi-Dafang-Hacks/bftpd at master · EliasKotlyar/Xiaomi-Dafang-Hacks · GitHub
- Download the bftpd config file from here and copy the file over to your SD card at /media/mmc/bin/bftpd.conf : Xiaomi-Dafang-Hacks/bftpd.conf at master · EliasKotlyar/Xiaomi-Dafang-Hacks · GitHub
(Note, for steps 9 and 10 I just served the files locally with python and downloaded them on the camera via wget,python -m http.server 8000 chmod +x /media/mmc/bin/bftpdreboot
That’s it, now every time the camera starts, it will enable telnet, set the password you specified for the root password, and start bftpd. You can now access the cameras filesystem (and SD card) with any FTP client!