Greetings! I recently rolled the dice on an eBay purchase for a Light L16 camera. The device appears to have had some serious OS problems/botched root/adb commands/I am honestly not quite sure what has gone wrong with it, but it is not even showing the OS as LightOS (the camera OS). I was wondering if any of you might have the firmware laying around somewhere, or any experience flashing these devices with AOSP/variants?
Light L16 Firmware
- Thread starter Sormaus
- Start date
Mine still works with Lumen. The most important features released later are the ability to record video (1080p30fps) and install sideloaded apps. The patch notes page is still up here:
support.light.co
Light support - L16 Software Release Notes - Camera and Lumen | Light
Always improving Every week, we make the Light L16 a little better. That's the beauty of a camera built on software: the experience never stops improving.
support.light.co
Is the inability to side-load apps because you don't have root? I understand the firmware update may have added the ability to do so without needing root, but would root effectively let you side-load?
Has anyone tried finding a root exploit in the stock firmware?
Has anyone tried finding a root exploit in the stock firmware?
Last edited:
It's possible the features already exist on the phone and that root access can simply enable them, although they may not be as well-tested as the released version.
Some things:
Swipe down from the main screen three times to bring down the system menu. You can click the settings gear in the top right to get to the device settings. You can enable Developer Mode from here the normal way.
Once enabled, you can log into the camera using 'adb shell' but you aren't root yet. This is such an old kernel, I'm sure there will be a kernel exploit that could give us root. Otherwise, they may have left an insecure script or another way to escalate your privs to root. I'm not a pro Android hacker.
Swipe down from the main screen three times to bring down the system menu. You can click the settings gear in the top right to get to the device settings. You can enable Developer Mode from here the normal way.
Once enabled, you can log into the camera using 'adb shell' but you aren't root yet. This is such an old kernel, I'm sure there will be a kernel exploit that could give us root. Otherwise, they may have left an insecure script or another way to escalate your privs to root. I'm not a pro Android hacker.
Last edited:
Perhaps https://bugs.chromium.org/p/project-zero/issues/detail?id=1942 would get root.
the IMAGE_CAPTURE intent works over adb but not the VIDEO_CAPTURE. That doesn't mean anything particularly bad though.
the IMAGE_CAPTURE intent works over adb but not the VIDEO_CAPTURE. That doesn't mean anything particularly bad though.
I was able to sideload the Google Play Services APK for Nougat last night without root. So with devmode enabled, you can perform some sideloading as long as the app doesn't require kernel permissions or access, or other elevated access such as high ports.
If you brick it, power it off. Hold the shutter button and then hold the power button until the Light logo appears. You can use the shutter button to navigate the boot menu and factory reset the camera. Press the power button to select the menu item.
If you brick it, power it off. Hold the shutter button and then hold the power button until the Light logo appears. You can use the shutter button to navigate the boot menu and factory reset the camera. Press the power button to select the menu item.
Just FYI.
You may be able to sideload another camera app and have video recording at 1080p Just Work(tm). I'm not sure.
It should be possible to extract the file system and firmware with root. Then a package could be made containing the drivers and Camera app Light uses which captures and writes in the .lri format that the Lumen app uses.
Once the "special sauce" is separated from the basic OS, I would imagine (but perhaps not bet) that you could install whatever android you want on here, then load the drivers and Camera app from the OG firmware. Then you'd have a modern device with the same image capability, but with the extensibility of a DIY device.
Linux localhost 3.18.20-perf-g6ec34d3 #1 SMP PREEMPT Fri Nov 24 11:49:25 PST 2017 aarch64
You may be able to sideload another camera app and have video recording at 1080p Just Work(tm). I'm not sure.
It should be possible to extract the file system and firmware with root. Then a package could be made containing the drivers and Camera app Light uses which captures and writes in the .lri format that the Lumen app uses.
Once the "special sauce" is separated from the basic OS, I would imagine (but perhaps not bet) that you could install whatever android you want on here, then load the drivers and Camera app from the OG firmware. Then you'd have a modern device with the same image capability, but with the extensibility of a DIY device.
I was also able to sideload without root the latest version of SimpleSSHD which allows remote access to the same shell that adb shell gives, but over the configured wifi interface.
Last edited:
I compiled and installed qu1ckr00t which implements the exploit I linked above to get root but unsurprisingly it didn't immediately work.
github.com
GitHub - grant-h/qu1ckr00t: A PoC application demonstrating the power of an Android kernel arbitrary R/W.
A PoC application demonstrating the power of an Android kernel arbitrary R/W. - GitHub - grant-h/qu1ckr00t: A PoC application demonstrating the power of an Android kernel arbitrary R/W.
github.com
This isn't 100% true. For instance, running the image capture intent over SSh does not work immediately, but does work over adb shell. I expect this is because sshd has not been granted access to the camera, though.
There is an issue installing Termux.
You need an older version of Termux, 0.73 is what I'm testing as it targets Android 6.0.1. Any Termux version after 73 will target android 7.0 and fail to install.
The older Termux installers bootstrap from the internet, and the termux app gets installed on the camera to a location Termux doesn't have write-access to. This causes bootstrapping to fail and termux to fail to start. Later Termux installers are offline.
github.com
Building a new version of SimpleSSHD with a manifest that asks for CAMERA permission is also not being straightforward.
Root would be nice.
You need an older version of Termux, 0.73 is what I'm testing as it targets Android 6.0.1. Any Termux version after 73 will target android 7.0 and fail to install.
The older Termux installers bootstrap from the internet, and the termux app gets installed on the camera to a location Termux doesn't have write-access to. This causes bootstrapping to fail and termux to fail to start. Later Termux installers are offline.
"termux was unable to install the bootstrap packages" when I open Termux · Issue #1761 · termux/termux-packages
It happens all time when i try to open Termux highscreen pure android 5.0.2 with kernel 3.10.54
github.com
Building a new version of SimpleSSHD with a manifest that asks for CAMERA permission is also not being straightforward.
Root would be nice.
I'm close to having a root exploit. There's possibly an easier way through a kernel exploit so any thoughts are appreciated. I don't want to mess with kernel pointers unless I have to.
In /system/bin/fw_update.sh, there are some possible race conditions that can be performed to achieve root code execution. I expect it will require proxying the camera and returning a specific response to the firmware updates check.
In /system/bin/fw_update.sh, there are some possible race conditions that can be performed to achieve root code execution. I expect it will require proxying the camera and returning a specific response to the firmware updates check.
Last edited:
Specifically:
If we can initiate fw_upgrade.sh, then we can overwrite one of the bin files (prog_app_p2 looks like best) and have it run as root.
It's difficult because there is SSL verification. Proxying the update check request fails without having a root cert installed.
cp /system/etc/prog_app_p2 $camera_directory/prog_app_p2
chmod 777 $camera_directory/prog_app_p2
cp /system/etc/lcc $camera_directory/lcc
chmod 777 $camera_directory/lcc
cp /system/etc/prog_app.config $camera_directory/prog_app.config
chmod 777 $camera_directory/prog_app.config
If we can initiate fw_upgrade.sh, then we can overwrite one of the bin files (prog_app_p2 looks like best) and have it run as root.
It's difficult because there is SSL verification. Proxying the update check request fails without having a root cert installed.
If you run the following, you can begin proxying the firmware update requests.
am broadcast -a 'com.fihtdc.OTAUpdate.SET_SERVER_URL' -n 'com.fihtdc.OTAUpdate/.OTAReceiver' --es URL http://www.c2dms.com
am broadcast -a 'com.fihtdc.OTAUpdate.SET_SERVER_URL' -n 'com.fihtdc.OTAUpdate/.OTAReceiver' --es URL http://www.c2dms.com
There are two options so far in this route.
A) Basically create a new service that repros the firmware update responses until it wants to download a firmware that we control and have rooted somehow. Need a copy of a firmware to do this but it would be easier for others going forward I expect.
B) Go the route I was intending and try to initiate a firmware upgrade and exploit a race condition in fw_upgrade.sh to execute arbitrary code as root. There could be an intent I'm missing that would kick off the shell script without the HTTP nonsense. I'm also seeing if the script is kicked off with any regularity automatically.
B) may be required in order for A) to be possible.
A) Basically create a new service that repros the firmware update responses until it wants to download a firmware that we control and have rooted somehow. Need a copy of a firmware to do this but it would be easier for others going forward I expect.
B) Go the route I was intending and try to initiate a firmware upgrade and exploit a race condition in fw_upgrade.sh to execute arbitrary code as root. There could be an intent I'm missing that would kick off the shell script without the HTTP nonsense. I'm also seeing if the script is kicked off with any regularity automatically.
B) may be required in order for A) to be possible.
Last edited:
This is a much easier method for root. I can confirm it works.
uid=0(root) gid=0(root) groups=0(root) context=u:r:qti_init_shell:s0
github.com
uid=0(root) gid=0(root) groups=0(root) context=u:r:qti_init_shell:s0
GitHub - hyln9/VIKIROOT: CVE-2016-5195 (Dirty COW) PoC for Android 6.0.1 Marshmallow
CVE-2016-5195 (Dirty COW) PoC for Android 6.0.1 Marshmallow - GitHub - hyln9/VIKIROOT: CVE-2016-5195 (Dirty COW) PoC for Android 6.0.1 Marshmallow
github.com
This is very exciting! I will have to have a closer look through your posts when I find time. Thanks for your hard work and taking the time to post them.
I think many of us here were looking for the latest firmware in order to get the latest 'camera' app to unlock all of the photography features rather then your goal of a smart time lapse camera (I have only seen your YouTube video for now), while the root exploit would open up the device for users, without the Light Camera APK I am not sure anyone here would get anything out of root access.
I think many of us here were looking for the latest firmware in order to get the latest 'camera' app to unlock all of the photography features rather then your goal of a smart time lapse camera (I have only seen your YouTube video for now), while the root exploit would open up the device for users, without the Light Camera APK I am not sure anyone here would get anything out of root access.
Similar threads
Top Liked Posts
-
There are no posts matching your filters.
-
1Hi there L16 owners! I've picked up one of these cameras, and I'm super interested in tinkering around with, and as some others have mentioned, dig around the camera to escape LightOS.
I am curious though, would anyone be interested in using a Discord server to share around findings/work/photography from their camera? Currently, finding resources for this camera is a little all over the place, so I'd love to see a centralized spot with all the information!1
I think this would be great to get set up! Please let me know about the details. -
6I have got the firmware for 1.3.5.1.
I have added it to the GitHub repository here, under releases.
(BTW anyone can upload to this repo, please add anything that might be of use to other users)
Backstory about this:
A user called Jerome2023 joined XDA and posted in this thread that he had the firmware and would share it for $30 transfer via PayPal, obviously this screams of scam.
The only evidence was a screenshot of a zip file (not even the files inside).
When I asked for more info or photos as proof it was legit (Like the ones I have included below), he refused claiming he was insulted by my lack of trust... on the internet...
He was then banned from the forum by admins.
He claimed the total cost to get the updater was $150 from a local camera store, I already know of 2 other people who have sent him $30 so if it really did cost $150 then at least he has made $90 back.
Honestly I don't know why he want about it in this way, I am sure everyone here would have got together the reimburse him for the cost and effort he went to get it.
I do not want anyone to be out of pocket for finding the firmware, especially since that firmware should have been made available for free by Light, but I suspect he was trying to make some money out of it.
I have heard that he did genuinely wanted to help people but sending the money was a 'trust' exercise.3Hi!
I recently purchased a cheap brand new L16 as well. It came with version 1.3.0.5. I have also been searching everywhere for a newer firmware. So far the only lead I found is a Bilibili video of a person demonstrating how to offline update the camera. They seem to have a copy of firmware 1.3.5.1 and could simply update the camera by placing the firmware file into the internal storage(which is how HMD/Nokia devices update as well).
I have DM'd the video host to see if he is willing to share or sell the firmware package. Will report back once I get a reply. Here a link to the video in case you are curious: 【Light L16相机 固件升级指南】 https://www.bilibili.com/video/BV1J...eb&vd_source=ee675b02079b99672e60053aa4c88611
Please do not harass the video host, last thing we want is to piss off that one guy who might have the firmware files.3Alright I confirmed I was completely incorrect in my first post about unlocking the bootloader
this will work to unlock the bootloader/install twrp/magisk root
You might need to reset the camera, so back up your pictures/data
setup adb and fastboot (guide)
download and extract VIKIROOT from here
download magisk apk from here
download material files apk from here
download twrp.imgfrom this postfrom here
put all the files in the same folder as the adb command
open a terminal/cmd window in the adb folder
adb push exploit /data/local/tmp
adb shell
cd /data/local/tmp
chmod +x exploit
./exploit 2222
you need to toggle Bluetooth if it is stuck on "waiting for reverse connect shell"
if you get "unknown kernel" reboot and try again
It will say ===TERMINAL=== if it worked, whoami should return root.
the prompt will probably be blank
dd if=/dev/block/bootdevice/by-name/boot of=/storage/emulated/0/boot.img
dd if=/dev/block/bootdevice/by-name/recovery of=/storage/emulated/0/recovery.img (for safety)
exit
exit
If the camera becomes disconnected before you exit the root prompt, temporary root does not appear to work until the camera is factory reset from recovery. This is not necessary if boot.img was dumped successfully as temporary root is not needed again.
adb install Magisk-v25.2.apk
adb install "Material Files_1.5.2_Apkpure.apk"
Open the Magisk app on the camera and press install near the top left. Press next, select and patch a file, open the menu on the left and select material files, scroll down and select boot.img, and then press LET'S GO ->
after it completes check what file name it saved as and change the file name bolded below
(or open material files and check the download folder if you closed Magisk)
adb pull /storage/emulated/0/Download/magisk_patched-XXXXX_YYYYY.img magisk_patched.img
adb reboot bootloader
fastboot oem devlock off
fastboot reboot bootloader
fastboot flash boot magisk_patched.img
fastboot flash recovery twrp.img (not required but nice to have)
fastboot reboot
The camera will reboot to android, and magisk should have the superuser tab available.
Changing to root in adb shell now can be done with su instead of the temporary root (there will be an approval prompt on the camera)
The bootloader will now allow flashing different system versions
please tell me if you have any problems
(to just unlock the bootloader)
adb reboot bootloader
fastboot oem devlock off
fastboot reboot2I have a damaged production unit with 1.3.0.3-57 ( i see now that
V1.3.4.1 (1341) - May 2019 - is last release in the light website release notes )
at point where I have vikiroot on it.
have older unit with old firmware... is defaulted to root on debug shell.
so i guess the plan is try to sideload a rom app and pull a backup rom of the older firmware then update the older unit. anyone been down this route yet? pitfalls / successes to share?
older firmware on 'good' unit is 1.2.2_1
newer firmware on damaged unit is 1.3.0.3-57
EDIT:
Into recovery mode on both units. No fastboot =/
God I really dislike how android OS builders always go out of their way to screw over their customers.
EDIT 2:
Initial plan is to side load busybox as static compiled target to 1.3.0.3-57 unit. execute VIKIROOT exploit to escalate to root. And do a netcat dump of the OS disk block to another node. IF that works I'll do the same for the older node. At least have a full image dump of both devices.
I am tempted to attempt to do an overwrite of the disk block on the older device with the newer firmware exported image. But that's chancey. If it goes wrong the device will brick. =/2I will also mention I have a few of these devices on the way that claim to have the latest firmware. If they do, I'll happily work on cloning them and post it.
